Initial import

mboelen 2014-08-26 17:33:55 +02:00
commit c0ae2e217b
72 changed files with 18157 additions and 0 deletions

1529
CHANGELOG Normal file

File diff suppressed because it is too large

27
CONTRIBUTORS Normal file

@ -0,0 +1,27 @@
================================================================================
Lynis - CONTRIBUTIONS
================================================================================
The Lynis project is very thankful for the following individuals who
contributed to the project by reporting issues or sending in patches.
================================================================================
[+] Patches, bug fixes and suggestions
------------------------------------------
Brian Ginsbach
C.J. Adams-Collier, US
Dave Vehrs
Steve Bosek, France
Thomas Siebel, Germany
================================================================================
Lynis - Copyright 2007-2014, Michael Boelen - The Netherlands
http://cisofy.com

92
FAQ Normal file

@ -0,0 +1,92 @@
================================================================================
Lynis - Frequently Asked Questions
================================================================================
Author: Michael Boelen (michael@rootkit.nl)
Description: Security and system auditing tool
Website: http://cisofy.com/lynis/
http://www.rootkit.nl/projects/lynis.html
Development start: May 2007
Support policy: See section 'Support' (README file)
Documentation: See web site, README, FAQ and CHANGELOG file
================================================================================
[+] General
-------------------------------
Q: I don't understand the program (output), what to do?
A: Keep reading this FAQ, then continue with reading the README file, followed
by the log file (default: /var/log/lynis.log). After those sources, check
the documentation on the website.
Q: I can't find any configuration file for Lynis, where is it?
A: There isn't one (currently), since all options are available as command
parameters. Specific options to control the audit/security scan can be set
or adjusted by changing the 'profile' file you are using (don't use
default.prf for your own custom options, but make a copy of it).
Q: Why is there no port/package for my operating system?
A: Because there is no maintainer for it yet. If you have the time to keep
the port/package current for your preferred operating system, fill in the
contact form to notify me and confirm no one else is working on it.
Q: What to do with the report files?
A: The output could be used for monitoring (baseline checks). For user of the
Lynis Enterprise Suite, they will be used to upload data.
[+] Usage problems
-------------------------------
Q: Lynis hangs while testing the group files (grpck)
A: Run the grpck command manually. It will most likely need user input, to
repair incorrect groups.
Q: Lynis doesn't display all messages on a white background
A: White text is used for general (and important) messages. Most terminals
have a dark background, so it gives extra attention to the message. However
if you have a white background (for example Mac OS X), you can run Lynis
with --no-colors to strip colors or --reverse-colors to reverse the color
scheme. Another option is to change your terminal colors within Mac OS.
Q: Some tests take very long to finish, what to do?
A: Use a second console (or connection) and check the output of ps/lsof etc,
to see the status of the active subroutine. If a specific test hangs for a
very long time, try to kill that specific process (ie grpck) and see if
Lynis continues. Afterwards, run the command manually to see the cause.
Check the log file for additional information, when possible.
Q: When running Lynis, it shows me the usage help even while using correct
parameters, why?
A: This can happen with alternative shells. Try using a different shell to
invoke Lynis (example: bash lynis -c).
Q: One or more tests are giving incorrect output. How to solve that?
A: Check the log file. If that also has incorrect data, fill in the contact
form and describe the issue.
Q: The program takes long to complete and also uses too much resources. Can it
be tuned?
A: The time it takes to complete is depends on the amount of tests to run.
However the resources it take can be slighty lowered by increasing the
pause_between_tests profile option. Keep in mind this increases the total
length of the scan to complete.
[+] Network related issues
-------------------------------
Q: Lynis reports promiscuous interfaces, but they are needed for normal operation,
how can I hide this warning?
A: Whitelist the interface in the profile file (if_promisc).
================================================================================
Lynis - Copyright 2007-2014, Michael Boelen - The Netherlands
http://cisofy.com
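Review bot: the answer to "The program takes long to complete and also uses too much resources" in the 'Usage problems' section has grammar and spelling slips that should be fixed before this ships: "is depends on the amount of tests" should read "depends on the number of tests", "the resources it take can be slighty lowered" should read "the resources it takes can be slightly lowered", and in the 'General' section "For user of the Lynis Enterprise Suite" should read "For users of". Also, the answer on promiscuous interfaces only says to whitelist the interface via if_promisc; since whitelisting silently suppresses a finding, consider adding a sentence that the whitelisted interface and the reason (e.g. an IDS sensor) should be recorded in the profile so a later audit still knows why the warning is absent.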

49
INSTALL Normal file

@ -0,0 +1,49 @@
================================================================================
Lynis - Installation instructions
================================================================================
Author: Michael Boelen (michael@rootkit.nl)
Description: Security and system auditing tool
Web site: http://www.rootkit.nl/projects/lynis.html
Support policy: See section 'Support'
Documentation: See web site, README, FAQ and CHANGELOG file
================================================================================
[+] Run directly
-------------------------------
Lynis can be executed directly (unpack tarball, enter lynis directory).
# sh lynis
or
# ./lynis
Make sure you have root privileges.
[+] Installation
-------------------------------
If you want to install Lynis, see the README file (section: Installation) for
more tips about how to install or create a custom package.
[+] Documentation
-------------------------------
Documentation about Lynis can be found in the man page (man lynis, or
lynis --man-page), README file and website. Also the FAQ file covers some
often asked questions.
================================================================================
Lynis - Copyright 2007-2014, Michael Boelen - The Netherlands
http://cisofy.com
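Review bot: the 'Run directly' section tells the reader to unpack the tarball and run it with root privileges (`# sh lynis` / `# ./lynis`) without saying how to verify what was downloaded; since the tool then runs with full privileges, add a line on checking the tarball's checksum or signature against the value published on the website before running it. Minor consistency point: the header's 'Web site' gives only http://www.rootkit.nl/projects/lynis.html, while the FAQ header lists http://cisofy.com/lynis/ first; use the same canonical URL in both files.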

674
LICENSE Normal file

@ -0,0 +1,674 @@
GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007
Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The GNU General Public License is a free, copyleft license for
software and other kinds of works.
The licenses for most software and other practical works are designed
to take away your freedom to share and change the works. By contrast,
the GNU General Public License is intended to guarantee your freedom to
share and change all versions of a program--to make sure it remains free
software for all its users. We, the Free Software Foundation, use the
GNU General Public License for most of our software; it applies also to
any other work released this way by its authors. You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
them if you wish), that you receive source code or can get it if you
want it, that you can change the software or use pieces of it in new
free programs, and that you know you can do these things.
To protect your rights, we need to prevent others from denying you
these rights or asking you to surrender the rights. Therefore, you have
certain responsibilities if you distribute copies of the software, or if
you modify it: responsibilities to respect the freedom of others.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must pass on to the recipients the same
freedoms that you received. You must make sure that they, too, receive
or can get the source code. And you must show them these terms so they
know their rights.
Developers that use the GNU GPL protect your rights with two steps:
(1) assert copyright on the software, and (2) offer you this License
giving you legal permission to copy, distribute and/or modify it.
For the developers' and authors' protection, the GPL clearly explains
that there is no warranty for this free software. For both users' and
authors' sake, the GPL requires that modified versions be marked as
changed, so that their problems will not be attributed erroneously to
authors of previous versions.
Some devices are designed to deny users access to install or run
modified versions of the software inside them, although the manufacturer
can do so. This is fundamentally incompatible with the aim of
protecting users' freedom to change the software. The systematic
pattern of such abuse occurs in the area of products for individuals to
use, which is precisely where it is most unacceptable. Therefore, we
have designed this version of the GPL to prohibit the practice for those
products. If such problems arise substantially in other domains, we
stand ready to extend this provision to those domains in future versions
of the GPL, as needed to protect the freedom of users.
Finally, every program is threatened constantly by software patents.
States should not allow patents to restrict development and use of
software on general-purpose computers, but in those that do, we wish to
avoid the special danger that patents applied to a free program could
make it effectively proprietary. To prevent this, the GPL assures that
patents cannot be used to render the program non-free.
The precise terms and conditions for copying, distribution and
modification follow.
TERMS AND CONDITIONS
0. Definitions.
"This License" refers to version 3 of the GNU General Public License.
"Copyright" also means copyright-like laws that apply to other kinds of
works, such as semiconductor masks.
"The Program" refers to any copyrightable work licensed under this
License. Each licensee is addressed as "you". "Licensees" and
"recipients" may be individuals or organizations.
To "modify" a work means to copy from or adapt all or part of the work
in a fashion requiring copyright permission, other than the making of an
exact copy. The resulting work is called a "modified version" of the
earlier work or a work "based on" the earlier work.
A "covered work" means either the unmodified Program or a work based
on the Program.
To "propagate" a work means to do anything with it that, without
permission, would make you directly or secondarily liable for
infringement under applicable copyright law, except executing it on a
computer or modifying a private copy. Propagation includes copying,
distribution (with or without modification), making available to the
public, and in some countries other activities as well.
To "convey" a work means any kind of propagation that enables other
parties to make or receive copies. Mere interaction with a user through
a computer network, with no transfer of a copy, is not conveying.
An interactive user interface displays "Appropriate Legal Notices"
to the extent that it includes a convenient and prominently visible
feature that (1) displays an appropriate copyright notice, and (2)
tells the user that there is no warranty for the work (except to the
extent that warranties are provided), that licensees may convey the
work under this License, and how to view a copy of this License. If
the interface presents a list of user commands or options, such as a
menu, a prominent item in the list meets this criterion.
1. Source Code.
The "source code" for a work means the preferred form of the work
for making modifications to it. "Object code" means any non-source
form of a work.
A "Standard Interface" means an interface that either is an official
standard defined by a recognized standards body, or, in the case of
interfaces specified for a particular programming language, one that
is widely used among developers working in that language.
The "System Libraries" of an executable work include anything, other
than the work as a whole, that (a) is included in the normal form of
packaging a Major Component, but which is not part of that Major
Component, and (b) serves only to enable use of the work with that
Major Component, or to implement a Standard Interface for which an
implementation is available to the public in source code form. A
"Major Component", in this context, means a major essential component
(kernel, window system, and so on) of the specific operating system
(if any) on which the executable work runs, or a compiler used to
produce the work, or an object code interpreter used to run it.
The "Corresponding Source" for a work in object code form means all
the source code needed to generate, install, and (for an executable
work) run the object code and to modify the work, including scripts to
control those activities. However, it does not include the work's
System Libraries, or general-purpose tools or generally available free
programs which are used unmodified in performing those activities but
which are not part of the work. For example, Corresponding Source
includes interface definition files associated with source files for
the work, and the source code for shared libraries and dynamically
linked subprograms that the work is specifically designed to require,
such as by intimate data communication or control flow between those
subprograms and other parts of the work.
The Corresponding Source need not include anything that users
can regenerate automatically from other parts of the Corresponding
Source.
The Corresponding Source for a work in source code form is that
same work.
2. Basic Permissions.
All rights granted under this License are granted for the term of
copyright on the Program, and are irrevocable provided the stated
conditions are met. This License explicitly affirms your unlimited
permission to run the unmodified Program. The output from running a
covered work is covered by this License only if the output, given its
content, constitutes a covered work. This License acknowledges your
rights of fair use or other equivalent, as provided by copyright law.
You may make, run and propagate covered works that you do not
convey, without conditions so long as your license otherwise remains
in force. You may convey covered works to others for the sole purpose
of having them make modifications exclusively for you, or provide you
with facilities for running those works, provided that you comply with
the terms of this License in conveying all material for which you do
not control copyright. Those thus making or running the covered works
for you must do so exclusively on your behalf, under your direction
and control, on terms that prohibit them from making any copies of
your copyrighted material outside their relationship with you.
Conveying under any other circumstances is permitted solely under
the conditions stated below. Sublicensing is not allowed; section 10
makes it unnecessary.
3. Protecting Users' Legal Rights From Anti-Circumvention Law.
No covered work shall be deemed part of an effective technological
measure under any applicable law fulfilling obligations under article
11 of the WIPO copyright treaty adopted on 20 December 1996, or
similar laws prohibiting or restricting circumvention of such
measures.
When you convey a covered work, you waive any legal power to forbid
circumvention of technological measures to the extent such circumvention
is effected by exercising rights under this License with respect to
the covered work, and you disclaim any intention to limit operation or
modification of the work as a means of enforcing, against the work's
users, your or third parties' legal rights to forbid circumvention of
technological measures.
4. Conveying Verbatim Copies.
You may convey verbatim copies of the Program's source code as you
receive it, in any medium, provided that you conspicuously and
appropriately publish on each copy an appropriate copyright notice;
keep intact all notices stating that this License and any
non-permissive terms added in accord with section 7 apply to the code;
keep intact all notices of the absence of any warranty; and give all
recipients a copy of this License along with the Program.
You may charge any price or no price for each copy that you convey,
and you may offer support or warranty protection for a fee.
5. Conveying Modified Source Versions.
You may convey a work based on the Program, or the modifications to
produce it from the Program, in the form of source code under the
terms of section 4, provided that you also meet all of these conditions:
a) The work must carry prominent notices stating that you modified
it, and giving a relevant date.
b) The work must carry prominent notices stating that it is
released under this License and any conditions added under section
7. This requirement modifies the requirement in section 4 to
"keep intact all notices".
c) You must license the entire work, as a whole, under this
License to anyone who comes into possession of a copy. This
License will therefore apply, along with any applicable section 7
additional terms, to the whole of the work, and all its parts,
regardless of how they are packaged. This License gives no
permission to license the work in any other way, but it does not
invalidate such permission if you have separately received it.
d) If the work has interactive user interfaces, each must display
Appropriate Legal Notices; however, if the Program has interactive
interfaces that do not display Appropriate Legal Notices, your
work need not make them do so.
A compilation of a covered work with other separate and independent
works, which are not by their nature extensions of the covered work,
and which are not combined with it such as to form a larger program,
in or on a volume of a storage or distribution medium, is called an
"aggregate" if the compilation and its resulting copyright are not
used to limit the access or legal rights of the compilation's users
beyond what the individual works permit. Inclusion of a covered work
in an aggregate does not cause this License to apply to the other
parts of the aggregate.
6. Conveying Non-Source Forms.
You may convey a covered work in object code form under the terms
of sections 4 and 5, provided that you also convey the
machine-readable Corresponding Source under the terms of this License,
in one of these ways:
a) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by the
Corresponding Source fixed on a durable physical medium
customarily used for software interchange.
b) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by a
written offer, valid for at least three years and valid for as
long as you offer spare parts or customer support for that product
model, to give anyone who possesses the object code either (1) a
copy of the Corresponding Source for all the software in the
product that is covered by this License, on a durable physical
medium customarily used for software interchange, for a price no
more than your reasonable cost of physically performing this
conveying of source, or (2) access to copy the
Corresponding Source from a network server at no charge.
c) Convey individual copies of the object code with a copy of the
written offer to provide the Corresponding Source. This
alternative is allowed only occasionally and noncommercially, and
only if you received the object code with such an offer, in accord
with subsection 6b.
d) Convey the object code by offering access from a designated
place (gratis or for a charge), and offer equivalent access to the
Corresponding Source in the same way through the same place at no
further charge. You need not require recipients to copy the
Corresponding Source along with the object code. If the place to
copy the object code is a network server, the Corresponding Source
may be on a different server (operated by you or a third party)
that supports equivalent copying facilities, provided you maintain
clear directions next to the object code saying where to find the
Corresponding Source. Regardless of what server hosts the
Corresponding Source, you remain obligated to ensure that it is
available for as long as needed to satisfy these requirements.
e) Convey the object code using peer-to-peer transmission, provided
you inform other peers where the object code and Corresponding
Source of the work are being offered to the general public at no
charge under subsection 6d.
A separable portion of the object code, whose source code is excluded
from the Corresponding Source as a System Library, need not be
included in conveying the object code work.
A "User Product" is either (1) a "consumer product", which means any
tangible personal property which is normally used for personal, family,
or household purposes, or (2) anything designed or sold for incorporation
into a dwelling. In determining whether a product is a consumer product,
doubtful cases shall be resolved in favor of coverage. For a particular
product received by a particular user, "normally used" refers to a
typical or common use of that class of product, regardless of the status
of the particular user or of the way in which the particular user
actually uses, or expects or is expected to use, the product. A product
is a consumer product regardless of whether the product has substantial
commercial, industrial or non-consumer uses, unless such uses represent
the only significant mode of use of the product.
"Installation Information" for a User Product means any methods,
procedures, authorization keys, or other information required to install
and execute modified versions of a covered work in that User Product from
a modified version of its Corresponding Source. The information must
suffice to ensure that the continued functioning of the modified object
code is in no case prevented or interfered with solely because
modification has been made.
If you convey an object code work under this section in, or with, or
specifically for use in, a User Product, and the conveying occurs as
part of a transaction in which the right of possession and use of the
User Product is transferred to the recipient in perpetuity or for a
fixed term (regardless of how the transaction is characterized), the
Corresponding Source conveyed under this section must be accompanied
by the Installation Information. But this requirement does not apply
if neither you nor any third party retains the ability to install
modified object code on the User Product (for example, the work has
been installed in ROM).
The requirement to provide Installation Information does not include a
requirement to continue to provide support service, warranty, or updates
for a work that has been modified or installed by the recipient, or for
the User Product in which it has been modified or installed. Access to a
network may be denied when the modification itself materially and
adversely affects the operation of the network or violates the rules and
protocols for communication across the network.
Corresponding Source conveyed, and Installation Information provided,
in accord with this section must be in a format that is publicly
documented (and with an implementation available to the public in
source code form), and must require no special password or key for
unpacking, reading or copying.
7. Additional Terms.
"Additional permissions" are terms that supplement the terms of this
License by making exceptions from one or more of its conditions.
Additional permissions that are applicable to the entire Program shall
be treated as though they were included in this License, to the extent
that they are valid under applicable law. If additional permissions
apply only to part of the Program, that part may be used separately
under those permissions, but the entire Program remains governed by
this License without regard to the additional permissions.
When you convey a copy of a covered work, you may at your option
remove any additional permissions from that copy, or from any part of
it. (Additional permissions may be written to require their own
removal in certain cases when you modify the work.) You may place
additional permissions on material, added by you to a covered work,
for which you have or can give appropriate copyright permission.
Notwithstanding any other provision of this License, for material you
add to a covered work, you may (if authorized by the copyright holders of
that material) supplement the terms of this License with terms:
a) Disclaiming warranty or limiting liability differently from the
terms of sections 15 and 16 of this License; or
b) Requiring preservation of specified reasonable legal notices or
author attributions in that material or in the Appropriate Legal
Notices displayed by works containing it; or
c) Prohibiting misrepresentation of the origin of that material, or
requiring that modified versions of such material be marked in
reasonable ways as different from the original version; or
d) Limiting the use for publicity purposes of names of licensors or
authors of the material; or
e) Declining to grant rights under trademark law for use of some
trade names, trademarks, or service marks; or
f) Requiring indemnification of licensors and authors of that
material by anyone who conveys the material (or modified versions of
it) with contractual assumptions of liability to the recipient, for
any liability that these contractual assumptions directly impose on
those licensors and authors.
All other non-permissive additional terms are considered "further
restrictions" within the meaning of section 10. If the Program as you
received it, or any part of it, contains a notice stating that it is
governed by this License along with a term that is a further
restriction, you may remove that term. If a license document contains
a further restriction but permits relicensing or conveying under this
License, you may add to a covered work material governed by the terms
of that license document, provided that the further restriction does
not survive such relicensing or conveying.
If you add terms to a covered work in accord with this section, you
must place, in the relevant source files, a statement of the
additional terms that apply to those files, or a notice indicating
where to find the applicable terms.
Additional terms, permissive or non-permissive, may be stated in the
form of a separately written license, or stated as exceptions;
the above requirements apply either way.
8. Termination.
You may not propagate or modify a covered work except as expressly
provided under this License. Any attempt otherwise to propagate or
modify it is void, and will automatically terminate your rights under
this License (including any patent licenses granted under the third
paragraph of section 11).
However, if you cease all violation of this License, then your
license from a particular copyright holder is reinstated (a)
provisionally, unless and until the copyright holder explicitly and
finally terminates your license, and (b) permanently, if the copyright
holder fails to notify you of the violation by some reasonable means
prior to 60 days after the cessation.
Moreover, your license from a particular copyright holder is
reinstated permanently if the copyright holder notifies you of the
violation by some reasonable means, this is the first time you have
received notice of violation of this License (for any work) from that
copyright holder, and you cure the violation prior to 30 days after
your receipt of the notice.
Termination of your rights under this section does not terminate the
licenses of parties who have received copies or rights from you under
this License. If your rights have been terminated and not permanently
reinstated, you do not qualify to receive new licenses for the same
material under section 10.
9. Acceptance Not Required for Having Copies.
You are not required to accept this License in order to receive or
run a copy of the Program. Ancillary propagation of a covered work
occurring solely as a consequence of using peer-to-peer transmission
to receive a copy likewise does not require acceptance. However,
nothing other than this License grants you permission to propagate or
modify any covered work. These actions infringe copyright if you do
not accept this License. Therefore, by modifying or propagating a
covered work, you indicate your acceptance of this License to do so.
10. Automatic Licensing of Downstream Recipients.
Each time you convey a covered work, the recipient automatically
receives a license from the original licensors, to run, modify and
propagate that work, subject to this License. You are not responsible
for enforcing compliance by third parties with this License.
An "entity transaction" is a transaction transferring control of an
organization, or substantially all assets of one, or subdividing an
organization, or merging organizations. If propagation of a covered
work results from an entity transaction, each party to that
transaction who receives a copy of the work also receives whatever
licenses to the work the party's predecessor in interest had or could
give under the previous paragraph, plus a right to possession of the
Corresponding Source of the work from the predecessor in interest, if
the predecessor has it or can get it with reasonable efforts.
You may not impose any further restrictions on the exercise of the
rights granted or affirmed under this License. For example, you may
not impose a license fee, royalty, or other charge for exercise of
rights granted under this License, and you may not initiate litigation
(including a cross-claim or counterclaim in a lawsuit) alleging that
any patent claim is infringed by making, using, selling, offering for
sale, or importing the Program or any portion of it.
11. Patents.
A "contributor" is a copyright holder who authorizes use under this
License of the Program or a work on which the Program is based. The
work thus licensed is called the contributor's "contributor version".
A contributor's "essential patent claims" are all patent claims
owned or controlled by the contributor, whether already acquired or
hereafter acquired, that would be infringed by some manner, permitted
by this License, of making, using, or selling its contributor version,
but do not include claims that would be infringed only as a
consequence of further modification of the contributor version. For
purposes of this definition, "control" includes the right to grant
patent sublicenses in a manner consistent with the requirements of
this License.
Each contributor grants you a non-exclusive, worldwide, royalty-free
patent license under the contributor's essential patent claims, to
make, use, sell, offer for sale, import and otherwise run, modify and
propagate the contents of its contributor version.
In the following three paragraphs, a "patent license" is any express
agreement or commitment, however denominated, not to enforce a patent
(such as an express permission to practice a patent or covenant not to
sue for patent infringement). To "grant" such a patent license to a
party means to make such an agreement or commitment not to enforce a
patent against the party.
If you convey a covered work, knowingly relying on a patent license,
and the Corresponding Source of the work is not available for anyone
to copy, free of charge and under the terms of this License, through a
publicly available network server or other readily accessible means,
then you must either (1) cause the Corresponding Source to be so
available, or (2) arrange to deprive yourself of the benefit of the
patent license for this particular work, or (3) arrange, in a manner
consistent with the requirements of this License, to extend the patent
license to downstream recipients. "Knowingly relying" means you have
actual knowledge that, but for the patent license, your conveying the
covered work in a country, or your recipient's use of the covered work
in a country, would infringe one or more identifiable patents in that
country that you have reason to believe are valid.
If, pursuant to or in connection with a single transaction or
arrangement, you convey, or propagate by procuring conveyance of, a
covered work, and grant a patent license to some of the parties
receiving the covered work authorizing them to use, propagate, modify
or convey a specific copy of the covered work, then the patent license
you grant is automatically extended to all recipients of the covered
work and works based on it.
A patent license is "discriminatory" if it does not include within
the scope of its coverage, prohibits the exercise of, or is
conditioned on the non-exercise of one or more of the rights that are
specifically granted under this License. You may not convey a covered
work if you are a party to an arrangement with a third party that is
in the business of distributing software, under which you make payment
to the third party based on the extent of your activity of conveying
the work, and under which the third party grants, to any of the
parties who would receive the covered work from you, a discriminatory
patent license (a) in connection with copies of the covered work
conveyed by you (or copies made from those copies), or (b) primarily
for and in connection with specific products or compilations that
contain the covered work, unless you entered into that arrangement,
or that patent license was granted, prior to 28 March 2007.
Nothing in this License shall be construed as excluding or limiting
any implied license or other defenses to infringement that may
otherwise be available to you under applicable patent law.
12. No Surrender of Others' Freedom.
If conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot convey a
covered work so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you may
not convey it at all. For example, if you agree to terms that obligate you
to collect a royalty for further conveying from those to whom you convey
the Program, the only way you could satisfy both those terms and this
License would be to refrain entirely from conveying the Program.
13. Use with the GNU Affero General Public License.
Notwithstanding any other provision of this License, you have
permission to link or combine any covered work with a work licensed
under version 3 of the GNU Affero General Public License into a single
combined work, and to convey the resulting work. The terms of this
License will continue to apply to the part which is the covered work,
but the special requirements of the GNU Affero General Public License,
section 13, concerning interaction through a network will apply to the
combination as such.
14. Revised Versions of this License.
The Free Software Foundation may publish revised and/or new versions of
the GNU General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the
Program specifies that a certain numbered version of the GNU General
Public License "or any later version" applies to it, you have the
option of following the terms and conditions either of that numbered
version or of any later version published by the Free Software
Foundation. If the Program does not specify a version number of the
GNU General Public License, you may choose any version ever published
by the Free Software Foundation.
If the Program specifies that a proxy can decide which future
versions of the GNU General Public License can be used, that proxy's
public statement of acceptance of a version permanently authorizes you
to choose that version for the Program.
Later license versions may give you additional or different
permissions. However, no additional obligations are imposed on any
author or copyright holder as a result of your choosing to follow a
later version.
15. Disclaimer of Warranty.
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
16. Limitation of Liability.
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES.
17. Interpretation of Sections 15 and 16.
If the disclaimer of warranty and limitation of liability provided
above cannot be given local legal effect according to their terms,
reviewing courts shall apply local law that most closely approximates
an absolute waiver of all civil liability in connection with the
Program, unless a warranty or assumption of liability accompanies a
copy of the Program in return for a fee.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
state the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
Also add information on how to contact you by electronic and paper mail.
If the program does terminal interaction, make it output a short
notice like this when it starts in an interactive mode:
<program> Copyright (C) <year> <name of author>
This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, your program's commands
might be different; for a GUI interface, you would use an "about box".
You should also get your employer (if you work as a programmer) or school,
if any, to sign a "copyright disclaimer" for the program, if necessary.
For more information on this, and how to apply and follow the GNU GPL, see
<http://www.gnu.org/licenses/>.
The GNU General Public License does not permit incorporating your program
into proprietary programs. If your program is a subroutine library, you
may consider it more useful to permit linking proprietary applications with
the library. If this is what you want to do, use the GNU Lesser General
Public License instead of this License. But first, please read
<http://www.gnu.org/philosophy/why-not-lgpl.html>.

README Normal file
@ -0,0 +1,136 @@
================================================================================
Lynis - README
================================================================================
Author: Michael Boelen (michael@rootkit.nl)
Description: Security and system auditing tool
Web site: http://cisofy.com/lynis/
http://www.rootkit.nl/projects/lynis.html
Development start: May 2007
Support policy: See section 'Support'
Documentation: See web site, README, FAQ and CHANGELOG file
================================================================================
== Web site contains up-to-date documentation ==
See http://www.rootkit.nl/files/lynis-documentation.html
[+] Introduction
-------------------------------
Lynis is an auditing tool which tests and gathers (security) information from
Unix based systems. The audience for this tool are security and system
auditors, network specialists and system maintainers.
Some of the (future) features and usage options:
- System and security audit checks
- File Integrity Assessment
- System and file forensics
- Usage of templates/baselines (reporting and monitoring)
- Extended debugging features
Everyone is free to use Lynis under the conditions of the GPL v3 license (see
LICENSE file).
========================
Quick facts
========================
- Name: Lynis
- Type: audit, security, forensics tool
- License: GPL v3
- Language: Shell script
- Author: Michael Boelen
- Web site: http://www.rootkit.nl
- Required permissions: root or equivalent
- Other requirements: write access to /var/log and /tmp
[+] Installation
-------------------------------
Lynis doesn't have to be installed, so it can be used directly from a
(removable) disk. If you want the program to be installed, use one of the
following methods:
- Create a custom directory (ie. /usr/local/lynis) and unpack the tarball
(tar xfvz lynis-version.tar.gz) into this directory.
- Create a RPM package by using the lynis.spec file (see web site)
run 'rpmbuild -ta lynis-version.tar.gz' (= build RPM package)
run 'rpm -ivh <filename>' (= install RPM package)
See online documentation for detailed instructions.
[+] Supported systems
-------------------------------
Since the complexity of auditing different systems and platforms, Lynis is
developed on BSD and Linux.
This tool is tested or confirmed to work with at least:
AIX, Linux, FreeBSD, OpenBSD, Mac OS X, Solaris. See website for the full
list of tested operating systems.
[+] Usage
-------------------------------
See online documentation for more information about using Lynis.
[+] Development
-------------------------------
If you have input to improve Lynis, let me know via the contact details (e-mail).
[+] Support
-------------------------------
Lynis is tested on the most common operating systems. The documentation (README,
FAQ) and the debugging information in the log file should cover most questions and
problems. Bugs can be reported by filling in the contact form at rootkit.nl, or by
sending an e-mail.
NOTE: User related questions should not be asked via the contact form. Read the
documentation, the website resources and the log file for answers to common problems.
Commercial support is available under strict conditions and depends on the request.
For more information fill in the contact form and describe what kind of service is
requested.
[+] Upgrade to Lynis Enterprise
-------------------------------
Individuals and companies which use this software for more than 10 systems, should
consider the value of this tool. Get the Lynis Enterprise Suite, to support the
development of open source software.
[+] Thanks
-------------------------------
Thanks to the community for using and supporting open source software and my tools
in particular. Many comments, bugs/patches and questions are the key to success
and motivation in developing tools like this.
A special thanks to anyone who donated a book or valuable suggestions in the past!
================================================================================
Lynis - Copyright 2007-2014, Michael Boelen - The Netherlands
http://cisofy.com
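Review bot: the 'Required permissions: root or equivalent' and 'Other requirements: write access to /var/log and /tmp' lines together describe a root process writing into a world-writable directory, and the README never says how those temporary files are created. Document that they are made with mktemp (unpredictable name, private directory) or move them under a root-owned directory; otherwise a local user can pre-create a symlink at a predictable /tmp name and have root follow it. Smaller points in the same file: 'ie.' in the Installation section should be 'i.e.', 'Since the complexity of auditing' reads better as 'Because of the complexity of auditing', and the Quick facts 'Web site' entry (rootkit.nl) differs from the cisofy.com URL in the header and footer.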

db/fileperms.db Normal file
@ -0,0 +1,19 @@
#version=2008053000
#
# Field definitions
# ===============================
# 1) file | dir
# 2) file name
# 3) file permissions
# 4) file owner
# 5) file group owner
# 6) operating system, or systems
# 7) operating system special
# 8)
#
#==================================================
file:/etc/group:644:root:root:Linux:
file:/etc/gshadow:400:root:root:Linux:
file:/etc/passwd:644:root:root:Linux:
file:/etc/shadow:400:root:root:Linux:
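Review bot: the header lists eight fields, but field 8 has no name and every record stops at field 6 with a trailing separator, so either describe fields 7 and 8 or drop them. The baseline values also encode a single distribution's layout: Debian and Ubuntu ship /etc/shadow and /etc/gshadow as mode 640 owned by root:shadow, and Red Hat based systems ship them as mode 000 owned by root:root, so requiring 400 root:root for every 'Linux' will flag stock installs that are not weaker than this baseline. Allow a set of acceptable modes and owners per OS, the way the openldap lines in default.prf already do with '640-600' and 'ldap-root'.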

db/hints.db Normal file
@ -0,0 +1,2 @@
#version=20091015
100:Did you know? Lynis has a --cronjob option for optimized output while running on scheduled times.:

db/integrity.db Normal file
@ -0,0 +1,3 @@
#version=2008062800
#binary:string:|NOT:
ifconfig:PROMISC::
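Review bot: the format line '#binary:string:|NOT:' does not say what the third field means or which outcome is the finding; for the single record 'ifconfig:PROMISC::' a reader has to guess that the binary is searched for the literal string PROMISC and that its absence is what gets reported (a trojaned ifconfig that hides promiscuous mode usually has that string removed). Spell that out in the comment, and note that a binary built from other sources or with strings compressed may legitimately lack the literal, so a miss should be reported as something to verify rather than as a confirmed rootkit.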

db/malware-susp.db Normal file
@ -0,0 +1,4 @@
#version=2009101500
vuln.txt:::
crack*:::
exploit*:::
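Review bot: there is no field header, so the ':::' separators on 'vuln.txt:::', 'crack*:::' and 'exploit*:::' are unexplained, and the entries are bare name globs with no path scope or description. Name-only patterns like 'crack*' and 'exploit*' match legitimate files on any host with security tooling or its data installed (a cracklib dictionary directory, an exploit-db checkout), so either restrict them to the directories the scan is meant to cover or state in the file that a hit is a hint for manual review, not a finding.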

db/malware.db Normal file
@ -0,0 +1,44 @@
#version=2008062700
/bin/.log:::Apache worm:::
/bin/.login:::Login backdoor:::
/tmp/.../r:::W55808A:::
/tmp/.../a:::W55808A:::
/usr/share/.aPa:::APAKIT
/usr/lib/.ark?:::ARK:::
/dev/ptyxx/.log:::ARK:::
/dev/ptyxx/.file:::ARK:::
/usr/sbin/arobia:::Beastkit:::
/usr/sbin/idrun:::Beastkit:::
/usr/lib/elm/arobia/elm:::Beastkit:::
/usr/lib/elm/arobia/elm/hk:::Beastkit:::
/usr/lib/elm/arobia/elm/hk.pub:::Beastkit:::
/usr/lib/elm/arobia/elm/sc:::Beastkit:::
/usr/lib/elm/arobia/elm/sd.pp:::Beastkit:::
/usr/lib/elm/arobia/elm/sdco:::Beastkit:::
/usr/lib/elm/arobia/elm/srsd:::Beastkit:::
/tmp/.cinik:::Cinik:::
/dev/mdev:::Dannyboy:::
/usr/lib/libX.a:::Dannyboy:::
/usr/bin/duarawkz/loginpass:::Duarawkz:::
/dev/dev/gaskit/sshd/sshdd:::Gaskit:::
/proc/knark/pids:::Knark:::
/var/lock/subsys/...datafile.../...datafile.../in.smbd.log:::Ohhara:::
/dev/.oz/.nap/rkit/terror:::Oz:::
/usr/man/man5/..%%/.dir/scannah/asus:::Shutdown:::
/usr/man/man5/..%%/.dir/see:::Shutdown:::
/usr/man/man5/..%%/.dir/nscd:::Shutdown:::
/usr/man/man5/..%%/.dir/alpd:::Shutdown:::
/etc/rc.d/rc.local%%:::Shutdown:::
/tmp/.a:::Scalper:::
/tmp/.uua:::Scalper:::
/tmp/.bugtraq:::Slapper:::
/tmp/.uubugtraq:::Slapper:::
/tmp/.bugtraq.c:::Slapper:::
/tmp/httpd:::Slapper:::
/tmp/.unlock:::Slapper:::
/tmp/update:::Slapper:::
/tmp/.cinik:::Slapper:::
/tmp/.b:::Slapper:::
/usr/man/.sman/sk:::Superkit:::
/usr/lib/.tbd:::TBD:::
/sbin/.login:::Login backdoor:::
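Review bot: the records are not formatted consistently: '/usr/share/.aPa:::APAKIT' lacks the trailing ':::' every other line has, '/usr/lib/.ark?' carries a '?' that is either a glob or a literal character, and '/tmp/.cinik' appears twice (once as Cinik, once as Slapper). Whatever parses this file has to tolerate all three, or the file needs a column header like db/fileperms.db and a stated rule for wildcards. Also worth a comment at the top: these are fixed paths for rootkits and worms of the early 2000s (Beastkit, Knark, Slapper, Superkit), so a clean result says nothing about current malware, and the '#version=2008062700' stamp should be bumped whenever the list changes.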

db/sbl.db Normal file
@ -0,0 +1,2 @@
#version=2008052800
php:5.2.5
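Review bot: nothing in the file says what 'php:5.2.5' means or how it is matched; if this is a software blacklist compared by exact version string, put that in a header comment like the other db files have. A single exact version from 2007 will not match distribution builds that carry a suffix, nor any later vulnerable release, so either document the comparison rule (exact, prefix, less-than) or note that the file is a placeholder.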

default.prf Normal file
@ -0,0 +1,293 @@
#################################################################################
#
# Lynis scan profile
#
# This is the default profile and is used as a baseline when testing systems and
# applications. Since there are generally no "best" options, Lynis will assume
# some default values.
#
# All empty lines or with the # prefix will be skipped
#
# This is the default profile and contains default values. You are encouraged to
# copy this file and use it's base for custom audit profiles.
#
#################################################################################
[configuration]
# Profile name, will be used as title/description
config:profile_name:Default Audit Template:
# Number of seconds to pause between every test (0 is no pause)
config:pause_between_tests:0:
# Show inline tips about the tool
config:show_tool_tips:1:
#################################################################################
#
# Testing options
# ---------------
#
#################################################################################
# ** Scan type (how deep test has to be, light, normal or full) **
#
# config:test_scan_mode:light|normal|full:
# ** Skip one or more specific tests **
# (always ignores scan mode and will make sure the test is skipped)
#
# config:test_skip_always:AAAA-1234 BBBB-5678 CCCC-9012:
# ** Define the role(s) of a machine **
# Values: desktop|server (default: server)
#
#config:machine_role:server:
#################################################################################
#
# Plugins
# ---------------
# Define which plugins are enabled (nothing happens if plugin isn't available)
#
#################################################################################
# plugin=security_malware
# plugin=security_rootkit
# plugin=fileperms
plugin=docker
plugin=file-integrity
plugin=files
plugin=filesystems
plugin=firewalls
plugin=processes
plugin=software
plugin=system-integrity
#################################################################################
#
# Sysctl options
# ---------------
# sysctl:<Sysctl Key>:<Expected Value>:<Hardening Points>:<Description>:
#
# Sysctl key = name
# Expected value = value of sysctl key
# Hardening points = Number of hardening points. For most keys 1 HP will be suitable
# Description = Text description of key
#
#################################################################################
[processes]
#sysctl:kern.randompid:1234:1:Increase the next PID with an amount close to the given value:
sysctl:security.bsd.see_other_gids:0:1:Disable display of processes of other groups:
sysctl:security.bsd.see_other_uids:0:1:Disable display of processes of other users:
[kernel]
sysctl:kern.sugid_coredump:0:1:XXX:
sysctl:kernel.core_setuid_ok:0:1:XXX:
sysctl:kernel.core_uses_pid:1:1:XXX:
sysctl:kernel.ctrl-alt-del:0:1:XXX:
sysctl:kernel.exec-shield-randomize:1:1:XXX:
sysctl:kernel.exec-shield:1:1:XXX:
sysctl:kernel.sysrq:0:1:Disable magic SysRQ:
sysctl:kernel.use-nx:0:1:XXX:
[network]
sysctl:net.inet.icmp.bmcastecho:0:1:Ignore ICMP packets directed to broadcast address:
sysctl:net.inet.icmp.rediraccept:0:1:Disable incoming ICMP redirect routing redirects:
sysctl:net.inet.ip.accept_sourceroute:0:1:Disable IP source routing:
sysctl:net.inet.ip.redirect:0:1:Disable/Ignore ICMP routing redirects:
sysctl:net.inet.ip.sourceroute:0:1:Disable IP source routing:
sysctl:net.inet.ip6.redirect:0:1:Disable/Ignore ICMP routing redirects:
sysctl:net.inet.tcp.blackhole:2:1:Do not sent RST but drop traffic:
sysctl:net.inet.udp.blackhole:1:1:Do not sent RST but drop traffic:
sysctl:net.inet6.icmp6.rediraccept:0:1:Disable incoming ICMP redirect routing redirects:
sysctl:net.inet6.ip6.redirect:0:1:Disable sending ICMP redirect routing redirects:
sysctl:net.ipv4.conf.all.accept_redirects:0:1:Disable/Ignore ICMP routing redirects:
sysctl:net.ipv4.conf.all.accept_source_route:0:1:Disable IP source routing:
sysctl:net.ipv4.conf.all.bootp_relay:0:1:Do not relay BOOTP packets:
sysctl:net.ipv4.conf.all.forwarding:0:1:Disable IP source routing:
sysctl:net.ipv4.conf.all.log_martians:1:1:Log all packages for which the host does not have a path back to the source:
sysctl:net.ipv4.conf.all.mc_forwarding:0:1:Disable IP source routing:
sysctl:net.ipv4.conf.all.proxy_arp:0:1:Do not relay ARP packets:
sysctl:net.ipv4.conf.all.rp_filter:1:1:Enforce ingress/egress filtering for packets:
sysctl:net.ipv4.conf.all.send_redirects:0:1:Disable/Ignore ICMP routing redirects:
sysctl:net.ipv4.conf.default.accept_redirects:0:1:Disable/Ignore ICMP routing redirects:
sysctl:net.ipv4.conf.default.accept_source_route:0:1:Disable IP source routing:
sysctl:net.ipv4.conf.default.log_martians:1:1:Log all packages for which the host does not have a path back to the source:
sysctl:net.ipv4.icmp_echo_ignore_broadcasts:1:1:Ignore ICMP packets directed to broadcast address:
sysctl:net.ipv4.icmp_ignore_bogus_error_responses:1:1:Ignore
#sysctl:net.ipv4.ip_forward:0:1:Do not forward traffic:
sysctl:net.ipv4.tcp_syncookies:1:1:Use SYN cookies to prevent SYN attack:
sysctl:net.ipv4.tcp_timestamps:0:1:Do not use TCP time stamps:
sysctl:net.ipv6.conf.all.send_redirects:0:1:Disable/ignore ICMP routing redirects:
sysctl:net.ipv6.conf.all.accept_redirects:0:1:Disable/Ignore ICMP routing redirects:
sysctl:net.ipv6.conf.all.accept_source_route:0:1:Disable IP source routing:
sysctl:net.ipv6.conf.default.accept_redirects:0:1:Disable/Ignore ICMP routing redirects:
sysctl:net.ipv6.conf.default.accept_source_route:0:1:Disable IP source routing:
[security]
#sysctl:kern.securelevel:1^2^3:1:FreeBSD security level:
#security.jail.jailed: 0
#security.jail.jail_max_af_ips: 255
#security.jail.mount_allowed: 0
#security.jail.chflags_allowed: 0
#security.jail.allow_raw_sockets: 0
#security.jail.enforce_statfs: 2
#security.jail.sysvipc_allowed: 0
#security.jail.socket_unixiproute_only: 1
#security.jail.set_hostname_allowed: 1
#security.bsd.suser_enabled: 1
#security.bsd.unprivileged_proc_debug: 1
#security.bsd.conservative_signals: 1
#security.bsd.unprivileged_read_msgbuf: 1
#security.bsd.hardlink_check_gid: 0
#security.bsd.hardlink_check_uid: 0
#security.bsd.unprivileged_get_quota: 0
#################################################################################
#
# Apache options
# columns: (1)apache : (2)option : (3)value
#
#################################################################################
apache:ServerTokens:Prod:
#################################################################################
#
# OpenLDAP options
# columns: (1)openldap : (2)file : (3)option : (4)expected value(s)
#
#################################################################################
openldap:slapd.conf:permissions:640-600:
openldap:slapd.conf:owner:ldap-root:
#################################################################################
#
# SSL certificates
#
#################################################################################
# Locations where to search for SSL certificates
ssl:certificates:/etc/pki /etc/ssl /usr/local/share/ca-certificates /var/www:
#################################################################################
#
# NTP options
#
#################################################################################
# Ignore some stratum 16 hosts (for example when running as time source itself)
#ntp:ignore_stratum_16_peer:127.0.0.1:
#ntp:ignore_stratum_16_peer:1.2.3.4:
#################################################################################
#
# File/directories permissions (currently not used yet)
#
#################################################################################
# Scan for exact file name match
#[scanfiles]
#scanfile:/etc/rc.conf:FreeBSD configuration:
# Scan for exact directory name match
#[scandirs]
#scandir:/etc:/etc directory:
#################################################################################
#
# permfile
# ---------------
# permfile:file name:file permissions:owner:group:action:
# Action = NOTICE or WARN
# Examples:
# permfile:/etc/test1.dat:600:root:wheel:NOTICE:
# permfile:/etc/test1.dat:640:root:-:WARN:
#
#################################################################################
#permfile:/etc/inetd.conf:rw-------:root:-:WARN:
#permfile:/etc/fstab:rw-r--r--:root:-:WARN:
permfile:/etc/lilo.conf:rw-------:root:-:WARN:
#################################################################################
#
# permdir
# ---------------
# permdir:directory name:file permissions:owner:group:action when permissions are different:
#
#################################################################################
permdir:/root/.ssh:rwx------:root:-:WARN:
# Scan for a program/binary in BINPATHs
#scanbinary:Rootkit Hunter:rkhunter:
#################################################################################
#
# Audit customizing
# -----------------
#
# Most options can contain 'yes' or 'no'.
#
#################################################################################
# Amount of connections in WAIT state before reporting it as a warning
#config:connections_max_wait_state:50:
# Skip security repository check for Debian based systems
#config:debian_skip_security_repository:yes:
# Debug mode (for debugging purposes, extra data logged to screen)
#config:debug:yes:
# Skip the FreeBSD portaudit test
#config:freebsd_skip_portaudit:yes:
# Ignore some specific home directories
# One directory per line; directories will be skipped for home directory specific
# checks, like file permissions, SSH and other configuration files
#config:ignore_home_dir:/home/user:
# Do not log tests with another guest operating system (default: yes)
#config:log_tests_incorrect_os:no:
# Define if available NTP daemon is configured as a server or client on the network
# values: server or client (default: client)
#config:ntpd_role:client:
# Allow promiscuous interfaces
# <option>:<promiscuous interface name>:<description>:
#if_promisc:pflog0:pf log daemon interface:
# Skip Lynis upgrade availability test (default: no)
#config:skip_upgrade_test:yes:
#################################################################################
#
# Lynis Enterprise
# -----------------
#
#################################################################################
# Add your Lynis Enterprise license key here
#config:license_key:[Your license key]:
#config:group:[group name]:
#config:group:test:
#EOF
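Review bot: the line 'sysctl:net.ipv4.icmp_ignore_bogus_error_responses:1:1:Ignore' is cut off: the description stops at 'Ignore' and the record has no closing ':', so a colon-delimited parser sees one field fewer than every other entry. Several descriptions are also placeholders or wrong: the seven kernel.* entries say 'XXX', 'net.ipv4.conf.all.forwarding' and 'net.ipv4.conf.all.mc_forwarding' are labelled 'Disable IP source routing' although they control packet forwarding, both 'log_martians' lines say 'packages' for 'packets', and the two blackhole lines say 'Do not sent'. On policy: 'net.ipv4.conf.all.forwarding:0' is active while 'net.ipv4.ip_forward:0' is commented out, and the same profile enables 'plugin=docker'; a Docker host, router or hypervisor needs forwarding on, so this becomes a permanent finding there unless machine_role or the plugin gates it. 'net.ipv4.tcp_timestamps:0' also disables PAWS (protection against wrapped sequence numbers), so it should not earn a plain hardening point without a comment on the trade-off. Typo in the header comment: 'use it's base' should read 'use it as the base'.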

dev/README Normal file
@ -0,0 +1,9 @@
================================================================================
This directory contains tools for:
- Easy building customized packages
- Integrity checks and tools
- Development tools
================================================================================

dev/TODO Normal file
@ -0,0 +1,114 @@
================================================================================
Lynis - To Do
================================================================================
Author: Michael Boelen (michael@rootkit.nl)
Description: Security and system auditing tool
Website: http://www.rootkit.nl/projects/lynis.html
Support policy: See section 'Support' (README file)
Documentation: See web site, README, FAQ and CHANGELOG file
================================================================================
[+] Open issues
-------------------------------
[+] Project
-------------------------------
[+] General
-------------------------------
- Activate warning when default profile is being used
- Add list of manual audit items, depending on performed tests
- Replace awk instances with ${AWKBINARY}
[+] Forensics
-------------------------------
- Add MD5/SHA1 database
[+] Generic Tests
-------------------------------
- NFS: Check if there is no localhost line in the /etc/export file
- Check /etc/crontab entries (permissions, locations)
- Search for all setuid/setgid files and compare against baseline
- Skel: Red Hat files are hidden, check with ls -al?
- Add MacOS X test for /tmp dir (or redirect location of symlink)
- Samba: make sure it does listen only at one interface (not at WAN)
- Cleanup some tests by combining options (like NETW-3006)
- Check for latest versions of programs
- Check if multiple users have group '0'
- When using --quiet, use long warnings instead of default lines
- Don't show section headers when using --tests
- Show Last logon dates for user accounts
- Show passwords 30 days or older / trivial passwords / password shadowing
- Show duplicate usernames, UIDs and GIDs
- System wide policies including: default files creation mask, login timeout intervals, lockout durations...
- Permissions on selected sensitive files / directories
[+] Applications
-------------------------------
- Debian/Ubuntu: check if apt-listbugs is installed
[+] Databases
-------------------------------
- Warn if MySQL is running on a network interface
- Check for empty root login
- Check Oracle things (tm)
[+] Programming languages/interfaces
-------------------------------
- Paranoid option: set binaries to 750 for perl, python, ruby, cc, gcc, *cc* etc
[+] DNS
-------------------------------
- Bind: check if version is disabled
[+] Firewalls
-------------------------------
- iptables: show chain numbers when rules are unused
[+] Shell/interface/X
-------------------------------
- Check for autolog or timeoutd package
[+] MTA
-------------------------------
- Sendmail: check banner, check file permissions of configuration files
- Exim: check banner
- SMTP (if running): check if a version shows up in banner
[+] Printers/spools
-------------------------------
- Printcap consistency check for Linux/Solaris/MacOS
[+] Tomcat
-------------------------------
- Check if iptables has rules for port 8080, 8009, 8443
- Check if /WEB-INF/ and /META-INF/ are denied in httpd.conf
[+] Reporting
-------------------------------
- Add possibility to mail directly (instead of log to file)
- Find audit templates for reporting (direct post to webserver?)
- Allow bonus points, however check a maximum index score of 100
================================================================================
Lynis - Copyright 2007-2013, Michael Boelen - The Netherlands
http://www.rootkit.nl

dev/build-lynis.sh Executable file
@ -0,0 +1,138 @@
#!/bin/sh
#########################################################################
#
# Builds Lynis distribution
#
# Usage: this script creates Lynis builds
#
# *** NOTE ***
# This script is not fully functional yet, several options like digital
# signing, RPM/DEB package creation are missing.
#
#########################################################################
#
# Options:
# Umask used when creating files/directories
OPTION_UMASK="027"
# Directory name used to create package related directories (like /usr/local/include/lynis)
OPTION_PACKAGE_DIRNAME="lynis"
# Binary to test
OPTION_BINARY_FILE="../lynis"
#
#########################################################################
#
# Functions:
# Clean temporary files up
CleanUp()
{
if [ ! ${TMPDIR} = "" -a -d ${TMPDIR} ]; then
rm -rf ${TMPDIR}
fi
}
#
#########################################################################
#
# Clean files up if we get interrupted
trap CleanUp INT
#
#########################################################################
#
# Set umask
echo -n "- Setting umask to ${OPTION_UMASK} "
umask ${OPTION_UMASK}
if [ $? -eq 0 ]; then
echo "OK"
else
echo "BAD"
exit 1
fi
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
# Build root
echo -n "- Creating BUILDROOT "
TMPDIR=`mktemp -d /tmp/lynis-BUILDROOT.XXXX`
if [ $? -eq 0 ]; then
echo "OK"
echo " BUILDROOT: ${TMPDIR}"
else
echo "BAD"
exit 1
fi
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
# Test script for errors
echo -n "- Test Lynis script "
# Is file there?
if [ ! -f ${OPTION_BINARY_FILE} ]; then echo "BAD (can't find ${OPTION_BINARY_FILE})"; exit 1; fi
# Check script
FIND=`sh -n ${OPTION_BINARY_FILE} ; echo $?`
if [ $FIND -eq 0 ]; then
echo "OK"
else
echo "BAD"
fi
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
# Create SHA1 hashes
echo -n "- Create SHA1 hashes "
SHA1HASH_LYNIS=`grep -v '^#' ${OPTION_BINARY_FILE} | sha1`
echo "DONE"
echo " Lynis (SHA1): ${SHA1HASH_LYNIS}"
# Add hashes to script
echo -n "- Injecting SHA1 hash into Lynis script "
echo "-NOT DONE-"
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
echo -n "- Cleaning up OpenBSD package build... "
if [ -f openbsd/+CONTENTS ]; then rm openbsd/+CONTENTS; fi
echo "DONE"
OPENBSD_CONTENTS="openbsd/+CONTENTS"
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
echo -n "- Creating MD5 hashes..."
PACKAGE_LIST_FILES=`cat files.dat | grep "^file:" | cut -d ':' -f3`
for I in ${PACKAGE_LIST_FILES}; do
echo -n "${I} "
#FULLNAME=`cat files.dat | grep ":file:include:
#echo "${FULLNAME}" >> ${OPENBSD_CONTENTS}
echo "${I}" >> ${OPENBSD_CONTENTS}
FILE="../${I}"
MD5HASH=`md5 -q ${FILE}`
echo "@md5 ${MD5HASH}" >> ${OPENBSD_CONTENTS}
echo "@size 0000" >> ${OPENBSD_CONTENTS}
done
echo ""
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
echo -n "- Cleaning up... "
# Clean up our mess
CleanUp
echo "DONE"
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
# The End!
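Review bot: the `sh -n` syntax check in the "Test Lynis script" block prints BAD but does not abort, so a script that fails to parse is still hashed and packaged; add `exit 1` after that `echo "BAD"` as the umask and BUILDROOT blocks already do. In the same hunk, `CleanUp` tests `[ ! ${TMPDIR} = "" -a -d ${TMPDIR} ]` with an unquoted variable, which becomes a `test` error (and skips the `rm`) when TMPDIR is still empty at interrupt time; quote it (`[ -n "${TMPDIR}" -a -d "${TMPDIR}" ]`, `rm -rf "${TMPDIR}"`) and trap TERM and EXIT as well as INT. The manifest loop writes `@size 0000` for every file; fill it from `wc -c < "${FILE}"` or state that it is a placeholder the package tooling must not trust. `sha1` and `md5 -q` are BSD commands, fine for an OpenBSD package script, but that assumption belongs in a comment next to OPTION_BINARY_FILE.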

4
dev/check-lynis.sh Executable file

@ -0,0 +1,4 @@
#!/bin/sh
# Check for double ID numbers
grep -r Register .. | awk '{ if($2=="Register") { print $4 } }' | sort | uniq -c | awk '{ if ($1!=1) { print $2 } }'
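Review bot: the duplicate-ID check depends on layout rather than syntax: `grep -r` prefixes each match with `path:`, so `$2` equals `Register` only when the call is indented, and `$4` is the test ID only when `--test-no` is the first option; it also matches comments and this script's own text. Anchoring on the option is more robust, for example `grep -rh -- '--test-no' ../include | awk '{ for (i=1;i<NF;i++) if ($i=="--test-no") print $(i+1) }' | sort | uniq -d`, which also lets `uniq -d` replace the second awk. A comment that the script must be run from the dev/ directory (it searches `..`) would help the next person who runs it from the repository root.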

33
dev/files.dat Normal file

@ -0,0 +1,33 @@
file/dir:type:filename:prefix:filename
file:doc:CHANGELOG:CHANGELOG
file:doc:FAQ:FAQ
file:doc:INSTALL:INSTALL
file:doc:LICENSE:LICENSE
file:doc:README:README
file:doc:TODO:TODO
file:example:default.prf:default.prf
file:bin:lynis:/usr/bin:lynis
file:man:lynis.8:lynis.8
dir:extra:contrib:contrib
dir:include:include::/usr/local:include
file:include:include/functions:/usr/local:include/lynis/functions
file:include:include/osdetection:/usr/local:include/lynis/osdetection
file:include:include/consts:/usr/local:include/lynis/consts
file:include:include/parameters:/usr/local:include/lynis/parameters
file:include:include/profiles:/usr/local:include/lynis/profiles
file:include:include/tests_ports_packages:/usr/local:include/lynis/tests_ports_packages
file:include:include/tests_boot_services:/usr/local:include/lynis/tests_boot_services
file:include:include/tests_filesystems:/usr/local:include/lynis/tests_filesystems
file:include:include/tests_networking:/usr/local:include/lynis/tests_networking
file:include:include/tests_memory_processes:/usr/local:include/lynis/tests_memory_processes
file:include:include/tests_kernel:/usr/local:include/lynis/tests_kernel
file:include:include/tests_logging:/usr/local:include/lynis/tests_logging
file:include:include/tests_authentication:/usr/local:include/lynis/tests_authentication
file:include:include/tests_firewalls:/usr/local:include/lynis/tests_firewalls
file:include:include/tests_homedirs:/usr/local:include/lynis/tests_homedirs
file:include:include/tests_shells:/usr/local:include/lynis/tests_shells
file:include:include/tests_printers_spools:/usr/local:include/lynis/tests_printers_spools
file:include:include/tests_file_integrity:/usr/local:include/lynis/tests_file_integrity
file:include:include/tests_accounting:/usr/local:include/lynis/tests_accounting
file:include:include/tests_banners:/usr/local:include/lynis/tests_banners
file:include:include/tests_mail_messaging:/usr/local:include/lynis/tests_mail_messaging
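Review bot: the header line `file/dir:type:filename:prefix:filename` does not match most entries: the doc, example and man lines have four fields (`file:doc:CHANGELOG:CHANGELOG`), the bin line has five (`file:bin:lynis:/usr/bin:lynis`), and the include directory line has an empty fourth field and six in total (`dir:include:include::/usr/local:include`). build-package.sh only reads field 3 of `^file:` lines, so this works by accident today; give every entry the same five fields (an explicit empty prefix where none applies) or document which field is optional, otherwise the first consumer that reads field 4 as the install prefix will place the docs wrongly.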

90
dev/openbsd/+CONTENTS Normal file

@ -0,0 +1,90 @@
CHANGELOG
@md5 7e0ad05581d32d6051a3e22ef297e81d
@size 0000
FAQ
@md5 b1e44a42bad55941868a743b24d01d8b
@size 0000
INSTALL
@md5 a1574195ee66d7cf8b9947de2cce6ab4
@size 0000
LICENSE
@md5 d32239bcb673463ab874e80d47fae504
@size 0000
README
@md5 d46ffad53300d044ba02a037a7255ee8
@size 0000
TODO
@md5 3486e35f6c705d8ea1e34c4a66ec7046
@size 0000
default.prf
@md5 63e7765073d12b3b177a3587e3a4d6e4
@size 0000
lynis
@md5 aab4c29e3f3dbcbf71b320b476b91c94
@size 0000
lynis.8
@md5 604d717b4671972f7d53350f6efd1f10
@size 0000
include/functions
@md5 cc8fd64fc868251453e54305ebd71b58
@size 0000
include/osdetection
@md5 92fa7e249e65271a450bbb523cd36ce9
@size 0000
include/consts
@md5 a39c3101c95bde6556374e4d8d4992d7
@size 0000
include/parameters
@md5 4d983d717a62276b4e7df8b04b423ca2
@size 0000
include/profiles
@md5 1781be3989c4f42aeb77656a7885bedd
@size 0000
include/tests_ports_packages
@md5 d1754a6365ff04acbfacbb0208e2bb57
@size 0000
include/tests_boot_services
@md5 746100f95e83097ab3f52f2a0287980b
@size 0000
include/tests_filesystems
@md5 b5257d89440fa06f170dfb9bd35cb5fe
@size 0000
include/tests_networking
@md5 0b4d329f118a1845abce2af6b7b19b25
@size 0000
include/tests_memory_processes
@md5 b0e1df62f87bfc08bea1c21f4762c0ff
@size 0000
include/tests_kernel
@md5 2ca3f7ec1924854e1076bebbdc654928
@size 0000
include/tests_logging
@md5 9993368b9616248195ef350b470a7768
@size 0000
include/tests_authentication
@md5 18b810aa4a87fde400b2da127edd2d04
@size 0000
include/tests_firewalls
@md5 c12c6014b844595f866a76545c8c9893
@size 0000
include/tests_homedirs
@md5 44760dd3a0ca3a8c665356b2c2028fc9
@size 0000
include/tests_shells
@md5 489667c1fb7c12c3fa3dcef19ce45ebb
@size 0000
include/tests_printers_spools
@md5 3c151550ff48df8e913b0b74a4fd1f2b
@size 0000
include/tests_file_integrity
@md5 794ad1c924b23d0a808035961f47023c
@size 0000
include/tests_accounting
@md5 1808a389d1b5ba8c6e708978839eb3d1
@size 0000
include/tests_banners
@md5 6449b7069a4a08b83daa685e100b316e
@size 0000
include/tests_mail_messaging
@md5 8424dab66b29ea5270bccbfc9dbd4cb2
@size 0000
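Review bot: this file is a generated build artifact (dev/build-package.sh deletes and rewrites `openbsd/+CONTENTS` on every run), so the committed copy is stale as soon as any listed source changes, and every `@size 0000` entry is a placeholder rather than the real byte count. Either drop it from version control and ignore it, or have the build fill `@size` from the actual file and record which Lynis revision the sums correspond to; a manifest that lists MD5 sums and zero sizes for the shipped files is a weaker integrity record than it appears to be.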

166
include/binaries Normal file

@ -0,0 +1,166 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Check which tools are installed
#
#################################################################################
#
COMPILER_INSTALLED=0
IDLE_SESSION_KILLER_INSTALLED=0
MALWARE_SCANNER_INSTALLED=0
#
#################################################################################
#
InsertSection "System Tools"
#
#################################################################################
#
Display --indent 2 --text "- Scanning available tools..."
logtext "Start scanning for available audit binaries and tools..."
# Test : FILE-7502
# Description : Check all system binaries
# Notes : Always perform test, dependency for many other tests
Register --test-no FILE-7502 --weight L --network NO --description "Check all system binaries"
#if [ ${SKIPTEST} -eq 0 ]; then
SCANNEDPATHS=""; N=0
Display --indent 2 --text "- Checking system binaries..."
logtext "Status: Starting binary scan..."
for SCANDIR in ${BINPATHS}; do
logtext "Test: Checking binaries in directory ${SCANDIR}"
if [ -d ${SCANDIR} ]; then
Display --indent 4 --text "- Checking ${SCANDIR}... " --result FOUND --color GREEN
SCANNEDPATHS="${SCANNEDPATHS}, ${SCANDIR}"
logtext "Directory ${SCANDIR} exists. Starting directory scanning..."
FIND=`ls ${SCANDIR}`
for I in ${FIND}; do
N=`expr ${N} + 1`
BINARY="${SCANDIR}/${I}"
logtext "Binary: ${BINARY}"
# Optimized, much quicker (limited file access needed)
case ${I} in
aa-status) APPARMORFOUND=1; AASTATUSBINARY=${BINARY}; logtext " Found known binary: aa-status (apparmor component) - ${BINARY}" ;;
afick.pl) AFICKFOUND=1; AFICKBINARY=${BINARY}; logtext " Found known binary: afick (file integrity checker) - ${BINARY}" ;;
aide) AIDEFOUND=1; AIDEBINARY=${BINARY}; logtext " Found known binary: aide (file integrity checker) - ${BINARY}" ;;
apache2) if [ -f ${BINARY} ]; then HTTPDFOUND=1; HTTPDBINARY=${BINARY}; logtext " Found known binary: apache2 (web server) - ${BINARY}"; fi ;;
auditd) AUDITDFOUND=1; AUDITDBINARY=${BINARY}; logtext " Found known binary: auditd (audit framework) - ${BINARY}" ;;
awk) if [ -f ${BINARY} ]; then AWKFOUND=1; AWKBINARY=${BINARY}; logtext " Found known binary: awk (string tool) - ${BINARY}"; fi ;;
dig) DIGFOUND=1; DIGBINARY=${BINARY}; logtext " Found known binary: dig (nameservice tool) - ${BINARY}" ;;
as) ASFOUND=1; ASBINARY="${BINARY}"; COMPILER_INSTALLED=1; logtext " Found known binary: as (compiler) - ${BINARY}" ;;
auditctl) AUDITCTLFOUND=1; AUDITCTLBINARY="${BINARY}"; logtext " Found known binary: auditctl (control utility for audit daemon) - ${BINARY}" ;;
autolog) AUTOLOGFOUND=1; AUTOLOGBINARY="${BINARY}"; IDLE_SESSION_KILLER_INSTALLED=1; logtext " Found known binary: autolog (idle session killer) - ${BINARY}" ;;
chkconfig) CHKCONFIGFOUND=1; CHKCONFIGBINARY=${BINARY}; logtext " Found known binary: chkconfig (administration tool) - ${BINARY}" ;;
clamscan) CLAMSCANFOUND=1; CLAMSCANBINARY=${BINARY}; logtext " Found known binary: clamscan (AV scanner) - ${BINARY}" ;;
cfagent) CFAGENTFOUND=1; CFAGENTBINARY="${BINARY}"; FILE_INT_TOOL_FOUND=1; logtext " Found known binary: cfengine agent (configuration tool) - ${BINARY}" ;;
chkrootkit) CHKROOTKITFOUND=1; CHKROOTKITBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; logtext " Found known binary: chkrootkit (malware scanner) - ${BINARY}" ;;
curl) CURLFOUND=1; CURLBINARY="${BINARY}"; logtext " Found known binary: curl (browser) - ${BINARY}" ;;
dig) if [ -f ${BINARY} ]; then DIGFOUND=1; DIGBINARY=${BINARY}; logtext " Found known binary: dig (network/dns tool) - ${BINARY}"; fi ;;
dnsdomainname) DNSDOMAINNAMEFOUND=1; DNSDOMAINNAMEBINARY="${BINARY}"; logtext " Found known binary: dnsdomainname (DNS domain) - ${BINARY}" ;;
domainname) DOMAINNAMEFOUND=1; DOMAINNAMEBINARY="${BINARY}"; logtext " Found known binary: domainname (NIS domain) - ${BINARY}" ;;
egrep) EGREPFOUND=1; EGREPBINARY=${BINARY}; logtext " Found known binary: egrep (text search) - ${BINARY}" ;;
exim) EXIMFOUND=1; EXIMBINARY="${BINARY}"; EXIMVERSION=`${BINARY} -bV | grep 'Exim version' | awk '{ print $3 }' | xargs`; logtext "Found ${BINARY} (version ${EXIMVERSION})" ;;
find) FINDFOUND=1; FINDBINARY="${BINARY}"; logtext " Found known binary: find (search tool) - ${BINARY}" ;;
g++) GPLUSPLUSFOUND=1; GPLUSPLUSBINARY="${BINARY}"; COMPILER_INSTALLED=1; logtext " Found known binary: g++ (compiler) - ${BINARY}" ;;
# additional file check due to existance /usr/libexec/gcc (directory)
gcc) if [ -f ${BINARY} ]; then GCCBINARY="${BINARY}"; COMPILER_INSTALLED=1; logtext " Found known binary: gcc (compiler) - ${BINARY}"; fi ;;
grep) GREPFOUND=1; GREPBINARY=${BINARY}; logtext " Found known binary: grep (text search) - ${BINARY}" ;;
httpd2-prefork) HTTPDFOUND=1; HTTPDBINARY=${BINARY}; logtext " Found known binary: apache2 (web server) - ${BINARY}" ;;
lvdisplay) LVDISPLAYBINARY="${BINARY}"; logtext " Found known binary: lvdisplay (LVM tool) - ${BINARY}" ;;
named-checkconf) NAMEDCHECKCONFIGFOUND=1; NAMEDCHECKCONFBINARY="${BINARY}"; logtext " Found known binary: named-checkconf (BIND configuration analyzer) - ${BINARY}" ;;
grpck) GRPCKFOUND=1; GRPCKBINARY="${BINARY}"; logtext " Found known binary: grpck (consistency checker) - ${BINARY}" ;;
httpd) if [ -f ${BINARY} ]; then HTTPDFOUND=1; HTTPDBINARY="${BINARY}"; logtext " Found known binary: httpd (web server) - ${BINARY}"; fi ;;
ip) IPFOUND=1; IPBINARY="${BINARY}"; logtext " Found known binary: ip (IP configuration) - ${BINARY}" ;;
ipf) IPFFOUND=1; IPFBINARY="${BINARY}"; logtext " Found known binary: ipf (firewall) - ${BINARY}" ;;
ifconfig) IFCONFIGFOUND=1; IFCONFIGBINARY="${BINARY}"; logtext " Found known binary: ipconfig (IP configuration) - ${BINARY}" ;;
iptables) if [ -f ${BINARY} ]; then IPTABLESFOUND=1; IPTABLESBINARY="${BINARY}"; logtext " Found known binary: iptables (firewall) - ${BINARY}"; fi ;;
kldstat) KLDSTATFOUND=1; KLDSTATBINARY="${BINARY}"; logtext " Found known binary: kldstat (kernel modules) - ${BINARY}" ;;
kstat) KSTATFOUND=1; KSTATBINARY="${BINARY}"; logtext " Found known binary: kstat (kernel statistics) - ${BINARY}" ;;
locate) LOCATEFOUND=1; LOCATEBINARY="${BINARY}"; logtext " Found known binary: locate (file database) - ${BINARY}" ;;
logrotate) LOGROTATEFOUND=1; LOGROTATEBINARY="${BINARY}"; logtext " Found known binary: logrotate (log rotation tool) - ${BINARY}" ;;
ls) LSFOUND=1; LSBINARY="${BINARY}"; logtext " Found known binary: ls (file listing) - ${BINARY}" ;;
lsattr) LSATTRFOUND=1; LSATTRBINARY="${BINARY}"; logtext " Found known binary: lsattr (file attributes) - ${BINARY}" ;;
lsmod) LSMODFOUND=1; LSMODBINARY="${BINARY}"; logtext " Found known binary: lsmod (kernel modules) - ${BINARY}" ;;
lsof) LSOFFOUND=1; LSOFBINARY="${BINARY}"; logtext " Found known binary: lsof (open files) - ${BINARY}" ;;
lynx) LYNXFOUND=1; LYNXBINARY="${BINARY}"; LYNXVERSION=`${BINARY} -version | grep "^Lynx Version" | cut -d ' ' -f3`; logtext "Found known binary: lynx (browser) - ${BINARY} (version ${LYNXVERSION})" ;;
md5) MD5FOUND=1; MD5BINARY="${BINARY}"; logtext " Found ${BINARY}" ;;
md5sum) MD5FOUND=1; MD5BINARY="${BINARY}"; logtext " Found ${BINARY}" ;;
mtree) MTREEFOUND=1; MTREEBINARY="${BINARY}"; logtext " Found known binary: mtree (mapping directory tree) - ${BINARY}" ;;
mysql) MYSQLCLIENTFOUND=1; MYSQLCLIENTBINARY="${BINARY}"; MYSQLCLIENTVERSION=`${BINARY} -V | awk '{ if ($4=="Distrib") { print $5 }}' | sed 's/,//g'` ; logtext "Found ${BINARY} (version: ${MYSQLCLIENTVERSION})" ;;
netstat) NETSTATFOUND=1; NETSTATBINARY="${BINARY}"; logtext " Found ${BINARY}" ;;
nmap) NMAPFOUND=1; NMAPBINARY="${BINARY}"; NMAPVERSION=`${BINARY} -V | grep "^Nmap version" | awk '{ print $3 }'`; logtext "Found ${BINARY} (version ${NMAPVERSION})" ;;
ntpq) NTPQFOUND=1; NTPQBINARY="${BINARY}"; logtext " Found known binary ntpq (time daemon client) - ${BINARY}" ;;
osiris) OSIRISFOUND=1; OSIRISBINARY="${BINARY}"; logtext " Found known binary: osiris - ${BINARY}" ;;
openssl) OPENSSLFOUND=1; OPENSSLBINARY="${BINARY}"; OPENSSLVERSION=`${BINARY} version 2> /dev/null | head -n 1 | awk '{ print $2 }' | xargs`; logtext "Found ${BINARY} (version ${OPENSSLVERSION})" ;;
pacman) PACMANFOUND=1; PACMANBINARY="${BINARY}"; logtext " Found known binary: pacman (package manager) - ${BINARY}" ;;
perl) PERLFOUND=1; PERLBINARY="${BINARY}"; PERLVERSION=`${BINARY} -V:version | sed 's/^version=//' | sed 's/;//' | xargs`; logtext "Found ${BINARY} (version ${PERLVERSION})" ;;
php) PHPFOUND=1; PHPBINARY="${BINARY}"; PHPVERSION=`${BINARY} -v | awk '{ if ($1=="PHP") { print $2 }}' | head -1`; logtext "Found known binary: php (programming language) - ${BINARY} (version ${PHPVERSION})" ;;
postconf) POSTCONFFOUND=1; POSTCONFBINARY="${BINARY}"; logtext " Found known binary: postconf (postfix configuration) - ${BINARY}" ;;
postfix) POSTFIXFOUND=1; POSTFIXBINARY="${BINARY}"; logtext " Found known binary: postfix (postfix binary) - ${BINARY}" ;;
prelink) PRELINKFOUND=1; PRELINKBINARY="${BINARY}"; logtext " Found known binary: prelink (system optimizer) - ${BINARY}" ;;
pfctl) PFCTLFOUND=1; PFCTLBINARY="${BINARY}"; logtext " Found known binary: pfctl (client to pf firewall) - ${BINARY}" ;;
ps) PSFOUND=1; PSBINARY="${BINARY}"; logtext " Found known binary: ps (process listing) - ${BINARY}" ;;
puppet) PUPPETFOUND=1; PUPPETBINARY="${BINARY}"; logtext " Found known binary: puppet (automation tooling) - ${BINARY}" ;;
puppetmasterd) PUPPETMASTERDFOUND=1; PUPPETMASTERDBINARY="${BINARY}"; logtext " Found known binary: puppetmasterd (puppet master daemon) - ${BINARY}" ;;
readlink) READLINKFOUND=1; READLINKBINARY="${BINARY}"; logtext " Found known binary: readlink (follows symlinks) - ${BINARY}" ;;
rkhunter) RKHUNTERFOUND=1; RKHUNTERBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; logtext " Found known binary: rkhunter (malware scanner) - ${BINARY}" ;;
rpcinfo) RPCINFOFOUND=1; RPCINFOBINARY="${BINARY}"; logtext " Found known binary: rpcinfo (RPC information) - ${BINARY}" ;;
rpm) RPMFOUND=1; RPMBINARY="${BINARY}"; logtext " Found known binary: rpm (package manager) - ${BINARY}" ;;
runlevel) RUNLEVELFOUND=1; RUNLEVELBINARY="${BINARY}"; logtext " Found known binary: runlevel (system utility) - ${BINARY}" ;;
samhain) SAMHAINFOUND=1; SAMHAINBINARY="${BINARY}"; logtext " Found known binary: samhain (integrity tool) - ${BINARY}" ;;
sestatus) SESTATUSFOUND=1; SESTATUSBINARY="${BINARY}"; logtext " Found known binary: sestatus (SELinux client) - ${BINARY}" ;;
slocate) LOCATEFOUND=1; LOCATEBINARY="${BINARY}"; logtext " Found known binary: slocate (file database) - ${BINARY}" ;;
smbd) SMBDFOUND=1; SMBDBINARY="${BINARY}"; if [ "${OS}" = "MacOS" ]; then SMBDVERSION="unknown"; else SMBDVERSION=`${BINARY} -V | grep "^Version" | awk '{ print $2 }'`; fi; logtext "Found ${BINARY} (version ${SMBDVERSION})" ;;
showmount) SHOWMOUNTFOUND=1; SHOWMOUNTBINARY="${BINARY}"; logtext " Found known binary: showmount (NFS mounts) - ${BINARY}" ;;
sockstat) SOCKSTATFOUND=1; SOCKSTATBINARY="${BINARY}"; logtext " Found known binary: sockstat (open network sockets) - ${BINARY}" ;;
squid) SQUIDFOUND=1; SQUIDBINARY="${BINARY}"; logtext " Found known binary: squid (proxy) - ${BINARY}" ;;
sshd) SSHDFOUND=1; SSHDBINARY="${BINARY}"; SSHDVERSION=`${BINARY} -t -d 2>&1 | head -n 1 | awk '{ print $4 }' | cut -d '_' -f2 | xargs`; logtext "Found ${BINARY} (version ${SSHDVERSION})" ;;
stat) STATFOUND=1; STATBINARY="${BINARY}"; logtext " Found known binary: stat (file information) - ${BINARY}" ;;
strings) STRINGSFOUND=1; STRINGSBINARY="${BINARY}"; logtext " Found known binary: strings (text strings search) - ${BINARY}" ;;
sha1|sha1sum|shasum) SHA1SUMFOUND=1; SHA1SUMBINARY="${BINARY}"; logtext " Found known binary: sha1/sha1sum/shasum (crypto hashing) - ${BINARY}" ;;
ssh-keyscan) SSHKEYSCANFOUND=1; SSHKEYSCANBINARY="${BINARY}"; logtext " Found known binary: ssh-keyscan (scanner for SSH keys) - ${BINARY}" ;;
sysctl) SYSCTLFOUND=1; SYSCTLBINARY="${BINARY}"; logtext " Found known binary: sysctl (kernel parameters) - ${BINARY}" ;;
syslog-ng) SYSLOGNGFOUND=1; SYSLOGNGBINARY="${BINARY}"; SYSLOGNGVERSION=`${BINARY} -V 2>&1 | grep "^syslog-ng" | awk '{ print $2 }'`; logtext "Found ${BINARY} (version ${SYSLOGNGVERSION})" ;;
systemctl) SYSTEMCTLFOUND=1; SYSTEMCTLBINARY="${BINARY}"; logtext " Found known binary: systemctl (client to systemd) - ${BINARY}" ;;
tripwire) TRIPWIREFOUND=1; TRIPWIREBINARY="${BINARY}"; logtext " Found known binary: tripwire (file integrity) - ${BINARY}" ;;
tune2fs) TUNE2FSFOUND=1; TUNE2FSBINARY="${BINARY}"; logtext " Found known binary: tune2fs (file system tool) - ${BINARY}" ;;
vgdisplay) VGDISPLAYFOUND=1; VGDISPLAYBINARY="${BINARY}"; logtext " Found known binary: vgdisplay (LVM tool) - ${BINARY}" ;;
vmtoolsd) VMWARETOOLSFOUND=1; VMWARETOOLSDBINARY="${BINARY}"; logtext " Found known binary: vmtoolsd (VMWare tools) - ${BINARY}" ;;
wget) WGETFOUND=1; WGETBINARY="${BINARY}"; WGETVERSION=`${BINARY} -V | grep "^GNU Wget" | awk '{ print $3 }'`; logtext "Found ${BINARY} (version ${WGETVERSION})" ;;
yum) YUMFOUND=1; YUMBINARY="${BINARY}"; logtext " Found known binary: yum (package manager) - ${BINARY}" ;;
zypper) ZYPPERFOUND=1; ZYPPERBINARY="${BINARY}"; logtext " Found known binary: zypper (package manager) - ${BINARY}" ;;
esac
done
else
Display --indent 4 --text "- Checking ${SCANDIR}... " --result "NOT FOUND" --color WHITE
logtext "Directory ${SCANDIR} does NOT exist."
fi
logtextbreak
done
SCANNEDPATHS=`echo ${SCANNEDPATHS} | sed 's/^, //g'`
logtext "Discovered directories: ${SCANNEDPATHS}"
#fi
logtext "Result: found ${N} binaries"
report "binaries_count=${N}"
#
#################################################################################
#
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
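Review bot: the version probes inside the `case` execute whatever file is found under a known name, as the auditing user (normally root), without checking that it is a regular, root-owned executable: the `exim`, `lynx`, `mysql`, `nmap`, `openssl`, `perl`, `php`, `smbd`, `sshd`, `syslog-ng` and `wget` entries all run `${BINARY}` directly, and BINPATHS includes `/usr/local/bin` and the `libexec` directories, so an unexpected or planted file carrying one of these names in a scanned directory is executed by the audit itself. Move version probing into the tests that need it and guard it with `[ -f "${BINARY}" -a -x "${BINARY}" ]` plus an ownership check before invoking anything. Smaller points: `dig)` appears twice (the entry after `curl)` is unreachable), `gcc)` sets COMPILER_INSTALLED and GCCBINARY but never GCCFOUND unlike every other entry, the `ifconfig)` log text says "ipconfig", and `FIND=\`ls ${SCANDIR}\`` splits on whitespace so a filename containing a space is scanned as two names.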

182
include/consts Normal file

@ -0,0 +1,182 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# This software is licensed under GPL, version 3. See LICENSE file for
# usage of this software.
#
#################################################################################
#
# Consts
#
#################################################################################
#
# Program information
# Paths where system and program binaries are located
# Includes Sun Solaris dirs
BINPATHS="/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin \
/usr/local/libexec /usr/libexec /usr/sfw/bin /usr/sfw/sbin \
/usr/sfw/libexec /opt/sfw/bin /opt/sfw/sbin /opt/sfw/libexec \
/usr/xpg4/bin /usr/css/bin /usr/ucb /usr/X11R6/bin /usr/X11R7/bin"
# Do not use specific language, fall back to default
unset LANG
#
#################################################################################
#
# Deprecated
#
#################################################################################
#
HOME_HISTORY_AUDIT_TITLE="Incorrect history file types"
HOME_HISTORY_AUDIT_DESCRIPTION=""
HOME_HISTORY_LOG_TITLE="History files type check"
HOME_HISTORY_LOG_DESCRIPTION="History files type check"
HOME_HISTORY_LOG_TEXT="History files are normally of the type 'file'. Symbolic links and other types can be riskful"
HOME_PATH_LOG_MESSAGE="A single dot in the PATH variable of a user can be a risk, while executing commands in for example a home directory."
USER_PASSWD_DOUBLEUID_AUDIT_TITLE="Non unique UIDs"
USER_PASSWD_DOUBLEUID_AUDIT_DESCRIPTION="Non unique UIDs in passwd file"
USER_PASSWD_DOUBLEUID_AUDIT_TEXT="Non unique UIDs can riskful for the system or part of a configuration mistake"
KERNEL_ACTIVE_MODULES_TITLE="Active kernel modules (KLDs)"
KERNEL_ACTIVE_MODULES_DESCRIPTION="View all active kernel modules (including kernel)"
KERNEL_ACTIVE_MODULES_TEXT="Displays the loaded kernel modules in memory. Make sure to check the integrity of the kld tools."
#
#################################################################################
#
# Initialize defaults
#
#################################################################################
#
# == Variable initializing ==
#
AUDITORNAME=""
PROFILE=""
REPORTFILE=""
AFICKBINARY=""
AIDEBINARY=""
AASTATUSBINARY=""
CHKROOTKITBINARY=""
CHKCONFIGBINARY=""
FILEVALUE=""
FIND=""
GRPCKBINARY=""
GROUP_NAME=""
IPTABLESBINARY=""
LINUX_VERSION=""
LINUXCONFIGFILE=""
LOGFILE=""
NGINX_ACCESS_LOG_DISABLED=0
NGINX_ACCESS_LOG_MISSING=0
NGINX_ALIAS_FOUND=0
NGINX_ALLOW_FOUND=0
NGINX_DENY_FOUND=0
NGINX_ERROR_LOG_DEBUG=0
NGINX_ERROR_LOG_MISSING=0
NGINX_EXPIRES_FOUND=0
NGINX_FASTCGI_FOUND=0
NGINX_FASTCGI_PARAMS_FOUND=0
NGINX_FASTCGI_PASS_FOUND=0
NGINX_LISTEN_FOUND=0
NGINX_LOCATION_FOUND=0
NGINX_SSL_CIPHERS=0
NGINX_SSL_ON=0
NGINX_SSL_PREFER_SERVER_CIPHERS=0
NGINX_SSL_PROTOCOLS=0
NGINX_RETURN_FOUND=0
NGINX_ROOT_FOUND=0
OS=""; OS_MODE=""
OS_REDHAT_OR_CLONE=0
OSIRISBINARY=""
PIDFILE=""
PFFOUND=0
PROFILEVALUE=""
RKHUNTERBINARY=""
RPMBINARY=""
SAMHAINBINARY=""
SCAN_TEST_HEAVY=""; SCAN_TEST_MEDIUM=""; SCAN_TEST_LOW=""
SESTATUSBINARY=""
SSHKEYSCANBINARY=""
SSHKEYSCANFOUND=0
SYSLOGNGBINARY=""
TEST_SKIP_ALWAYS=""
TESTS_EXECUTED=""
TESTS_SKIPPED=""
TRIPWIREBINARY=""
UPDATE_CHECK_SKIPPED=0
VALUE=""
#
#################################################################################
#
# == Options ==
#
# Option Description
# --------------------------------------------------------------------------
CRONJOB=0 # Run as a cronjob
CTESTS_PERFORMED=0 # Number of tests which are performed
DEBUG=0 # Debugging mode (to screen)
HPPOINTS=0 # Number of hardening points
HPTOTAL=0 # Maximum number of hardening points
LOG_INCORRECT_OS=1 # Log tests with incorrect OS
NEVERBREAK=0 # Don't wait for user input
QUICKMODE=0 # Don't wait for user input
QUIET=0 # Show normal messages and warnings as well
SHOW_TOOL_TIPS=1 # Show inline tool tips (default true)
SKIPLOGTEST=0 # Skip logging for one test
SKIP_UPGRADE_TEST=0 # Skip upgrade test
TESTS_TO_PERFORM="" # Which tests only to perform
TEST_PAUSE_TIME=0 # Default pause time
TOTAL_TESTS=0 # Total amount of tests (counter)
UPLOAD_DATA=0 # Upload of data to central node
VIEWHELP=0 # Show help
VIEWUPDATEINFO=0 # View program/database version
WRONGOPTION=0 # A wrong option is used
#
#################################################################################
#
# Installed packages and other settings
COMPILER_INSTALLED=0
#
#################################################################################
#
# Colors
#
#################################################################################
#
# Color name Description
# --------------------------------------------------------------------------
NORMAL=""
WARNING="" # Bad (red)
SECTION="" # Section (yellow)
NOTICE="" # Notice (yellow)
OK="" # Ok (green)
BAD="" # Bad (red)
# Real color names
YELLOW="" # Yellow
WHITE="" # White
GREEN="" # Green
RED="" # Red
PURPLE=""
MAGENTA=""
BROWN=""
CYAN=""
BLUE=""
#
#################################################################################
#
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
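Review bot: the "Variable initializing" block initializes only a few discovery flags (`PFFOUND=0`, `SSHKEYSCANFOUND=0`) while include/binaries sets dozens more (HTTPDFOUND, SSHDFOUND, IPTABLESFOUND and so on); any test that does `[ ${XFOUND} -eq 1 ]` for a binary that was not found compares an empty string and errors out. Initialize every *FOUND flag to 0 and every *BINARY to "" here so the tests always see a defined value. Also: NEVERBREAK and QUICKMODE carry the identical description "Don't wait for user input", so say how they differ; COMPILER_INSTALLED=0 is set both here and again in include/binaries, keep one; and the "Deprecated" block still defines the HOME_HISTORY_* and USER_PASSWD_* strings ("can riskful" reads oddly), which should be removed or moved next to the tests that use them.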

110
include/data_upload Normal file

@ -0,0 +1,110 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@cisofy.com), The Netherlands
# Web site: http://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Data upload
#
#################################################################################
#
# logtextbreak
PROGRAM_VERSION="101"
DATA_SERVER="https://cisofy.com"
# Additional options to curl
CURL_OPTIONS=""
SETTINGS_FILE="${PROFILE}"
#DEBUG=1
# Only output text to stdout if DEBUG mode is not used
output()
{
if [ ${DEBUG} -eq 1 ]; then echo "$1"; fi
}
#####################################################################################
#
# SYSTEM CHECKS
#
#####################################################################################
output "Lynis Enterprise data uploader starting"
output "Settings file: ${SETTINGS_FILE}"
# Check if we can find curl
# Suggestion: If you want to keep the system hardened, copying the binary from a trusted source is a good alternative.
# Restrict access to this binary to the user who is running this script.
if [ "${CURLBINARY}" = "" ]; then
echo "Fatal: can't find curl binary. Please install the related package or put the binary in the PATH. Quitting.."
exit 1
fi
# Extra the license key from the settings file
if [ "${LICENSE_KEY}" = "" ]; then
echo "Fatal: no license key found. Quitting.."
exit 1
else
output "License key = ${LICENSE_KEY}"
fi
#####################################################################################
#
# JOB CONTROL
#
#####################################################################################
# Check report file
if [ -f ${REPORTFILE} ]; then
output "${WHITE}Report file found.${NORMAL} Starting with connectivity check.."
# Quit if license is not valid, to reduce load on both client and server.
UPLOAD=`${CURLBINARY} ${CURL_OPTIONS} -s -S --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "collector_version=${PROGRAM_VERSION}" ${DATA_SERVER}/license/`
UPLOAD_CODE=`echo ${UPLOAD} | head -n 1 | awk '{ if ($1=="Response") { print $2 }}'`
if [ "${UPLOAD_CODE}" = "100" ]; then
output "${WHITE}License is valid{$NORMAL}"
else
echo "${RED}Fatal error: provided license key is unknown or invalid.${NORMAL}"
output "Debug information: ${UPLOAD}"
# Quit
ExitClean
fi
# Extract the hostid from the parse file
HOSTID=`cat ${REPORTFILE} | grep "^hostid=" | awk -F= '{ print $2 }'`
if [ ! "${HOSTID}" = "" ]; then
output "${WHITE}Found hostid: ${HOSTID}${NORMAL}"
# Try to connect
output "Uploading data.."
UPLOAD=`${CURLBINARY} ${CURL_OPTIONS} -s -S --data-urlencode "data@${REPORTFILE}" --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "hostid=${HOSTID}" ${DATA_SERVER}/upload/`
UPLOAD_CODE=`echo ${UPLOAD} | head -n 1 | awk '{ print $2 }'`
output "Output code from upload: ${UPLOAD_CODE}"
if [ "${UPLOAD_CODE}" = "100" ]; then
output "${GREEN}Data uploaded successfully${NORMAL}"
else
echo "${RED}Error occured, please check documentation for code ${UPLOAD_CODE}.${NORMAL}"
output "Debug:"
output ${UPLOAD}
# Quit
ExitClean
fi
else
echo "${RED}Fatal error${NORMAL}: No hostid found in report file. Can not upload report file."
# Quit
ExitClean
fi
else
output "${YELLOW}No report file found to upload.${NORMAL}"
fi
#
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
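Review bot: the license key is treated as a secret but exposed twice in this hunk: `output "License key = ${LICENSE_KEY}"` writes it to stdout whenever DEBUG=1, and both curl invocations pass it as a command-line argument (`--data-urlencode "licensekey=${LICENSE_KEY}"`), which makes it readable by every local user via `ps` for the duration of the upload. Write the key (and hostid) to a mode-0600 temporary file and hand curl `--data-urlencode "licensekey@file"`, the same form already used for `data@${REPORTFILE}`, or use a curl `--config` file, and never echo the key even in debug mode. Neither curl call sets `--max-time`, so a stalled server hangs the whole audit. The comment on `output()` says it prints when DEBUG mode is not used while the code prints only when DEBUG is 1; `{$NORMAL}` in the "License is valid" line has the brace and dollar swapped; and "occured" should be "occurred".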

974
include/functions Normal file

@ -0,0 +1,974 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# This software is licensed under GPL, version 3. See LICENSE file for
# usage of this software.
#
#################################################################################
#
# Functions
#
#################################################################################
#
# Function Description
# ----------------------- -------------------------------------------------
# AddHP Add Hardening points to plot a graph later
# CheckFilePermissions Check file permissions
# CheckUpdates Determine if a new version of Lynis is available
# counttests Count number of performed tests
# Debug Display additional information on the screen (not suited for cronjob)
# DirectoryExists Check if a directory exists on the disk
# Display Output text to screen with colors and identation
# ExitClean Stop the program (cleanly)
# ExitFatal Stop the program (cleanly), with fatal
# FileExists Check if a file exists on the disk
# GetHostID Retrieve an unique ID for this host
# InsertSection Insert a section block
# InsertPluginSection Insert a section block for plugins
# IsRunning Check if a process is running
# ParseNginx Parse nginx configuration lines
# ReportException Add an exception to the report file (for debugging purposes)
# ReportSuggestion Add a suggestion to report file
# ReportWarning Add a warning and priority to report file
# Register Register a test (for logging and execution)
# SafePerms Check if a directory has safe permissions
# SearchItem Search a string in a file
# ViewCategories Display tests categories
# logtext Log text strings to logfile, prefixed with date/time
#
#################################################################################
# Add Hardening Points
AddHP()
{
HPADD=$1; HPADDMAX=$2
HPPOINTS=`expr ${HPPOINTS} + ${HPADD}`
HPTOTAL=`expr ${HPTOTAL} + ${HPADDMAX}`
logtext "Hardening: assigned ${HPADD} hardening points (max for this item: ${HPADDMAX}), current: ${HPPOINTS}, total: ${HPTOTAL}"
}
# Check file permissions
# Parameter 1 is file/dir
# Result: FILE_NOT_FOUND | OK | BAD
CheckFilePermissions()
{
CHECKFILE=$1
if [ ! -d $CHECKFILE -a ! -f $CHECKFILE ]; then
PERMS="FILE_NOT_FOUND"
else
# If 'file' is an directory, use -d
if [ -d ${CHECKFILE} ]; then
FILEVALUE=`ls -d -l ${CHECKFILE} | cut -c 2-10`
PROFILEVALUE=`cat ${PROFILE} | grep '^permdir' | grep ":${CHECKFILE}:" | cut -d: -f3`
else
FILEVALUE=`ls -l ${CHECKFILE} | cut -c 2-10`
PROFILEVALUE=`cat ${PROFILE} | grep '^permfile' | grep ":${CHECKFILE}:" | cut -d: -f3`
fi
if [ "${FILEVALUE}" = "${PROFILEVALUE}" ]; then PERMS="OK"; else PERMS="BAD"; fi
fi
}
################################################################################
# Name : CheckItem()
# Description : Check if a specific item exists in the report
# Returns : <nothing>
################################################################################
CheckItem()
{
ITEM_FOUND=0
if [ $# -eq 2 ]; then
# Don't search in /dev/null, it's too empty there
if [ ! "${REPORTFILE}" = "/dev/null" ]; then
# Check if we can find the main type (with or without brackets)
logtext "Test: search string $2 in earlier discovered results"
FIND=`egrep "^$1(\[\])?=" ${REPORTFILE} | egrep "$2"`
if [ ! "${FIND}" = "" ]; then
ITEM_FOUND=1
logtext "Result: found string"
else
logtext "Result: search string NOT found"
fi
else
logtext "Skipping search, as /dev/null is being used"
fi
else
ReportException ${TEST_NO} "Error in function call to CheckItem"
fi
}
# Check updates
CheckUpdates()
{
# Possible improvement: determine if host binary exists YYY
PROGRAM_LV="0000000000"; DB_MALWARE_LV="0000000000"; DB_FILEPERMS_LV="0000000000"
FIND=`which dig 2> /dev/null`
if [ ! "${FIND}" = "" ]; then
PROGRAM_LV=`dig +short -t txt lynis-lv.rootkit.nl 2> /dev/null | sed 's/[".]//g'`
#DB_MALWARE_LV=`dig +short -t txt lynis-mw.rootkit.nl 2> /dev/null | sed 's/[".]//g'`
#DB_FILEPERMS_LV=`dig +short -t txt lynis-fp.rootkit.nl 2> /dev/null | sed 's/[".]//g'`
else
FIND=`which host 2> /dev/null`
if [ ! "${FIND}" = "" ]; then
PROGRAM_LV=`host -t txt lynis-lv.rootkit.nl | awk '{ if ($1=="lynis-lv.rootkit.nl" && $3=="text") { print $4 }}' | sed 's/"//g'`
if [ "${PROGRAM_LV}" = "" ]; then PROGRAM_LV=0; fi
else
logtext "Result: dig and host not installed, update check skipped"
UPDATE_CHECK_SKIPPED=1
fi
fi
}
# Count the number of performed tests
counttests()
{
CTESTS_PERFORMED=`expr ${CTESTS_PERFORMED} + 1`
}
# Determine if a directory exists
DirectoryExists()
{
DIRECTORY_FOUND=0
logtext "Test: checking if directory $1 exists"
if [ -d $1 ]; then
logtext "Result: directory exists"
DIRECTORY_FOUND=1
else
logtext "Result: directory NOT found"
fi
}
# More information on the screen
Debug()
{
if [ ${DEBUG} -eq 1 ]; then echo "DEBUG: $1"; fi
}
# Display text
Display()
{
INDENT=0; TEXT=""; RESULT=""; COLOR=""
while [ $# -ge 1 ]; do
case $1 in
--color)
shift
case $1 in
GREEN) COLOR=$GREEN ;;
RED) COLOR=$RED ;;
WHITE) COLOR=$WHITE ;;
YELLOW) COLOR=$YELLOW ;;
esac
;;
--indent)
shift
INDENT=$1
;;
--no-break | --nobreak | -nb)
ECHOCMD="echo -en"
;;
--result)
shift
RESULT=$1
;;
--text)
shift
TEXT=$1
;;
*)
echo "INVALID OPTION (Display): $1"
exit 1
;;
esac
# Go to next parameter
shift
done
if [ "${RESULT}" = "" ]; then
RESULTPART=""
else
if [ ${CRONJOB} -eq 0 ]; then
RESULTPART=" [ ${COLOR}${RESULT}${NORMAL} ]"
else
RESULTPART=" [ ${RESULT} ]"
fi
fi
if [ ! "${TEXT}" = "" ]; then
# Show warnings always, and other messages if no quiet is being used
if [ ${QUIET} -eq 0 -o "${RESULT}" = "WARNING" ]; then
# Display
LINESIZE=`echo "${TEXT}" | wc -c | tr -d ' '`
SPACES=`expr 62 - ${INDENT} - ${LINESIZE}`
if [ ${CRONJOB} -eq 0 ]; then
${ECHOCMD} "\033[${INDENT}C${TEXT}\033[${SPACES}C${RESULTPART}"
else
echo "${TEXT}${RESULTPART}"
fi
fi
fi
}
# Clean exit (removing temp files, PID files)
ExitClean()
{
RemovePIDFile
exit 0
}
# Clean exit (removing temp files, PID files), with error code 1
ExitFatal()
{
RemovePIDFile
exit 1
}
# Determine if a file exists
FileExists()
{
FILE_FOUND=0
logtext "Test: checking if file $1 exists"
if [ -f $1 ]; then
logtext "Result: file exists"
FILE_FOUND=1
else
logtext "Result: file NOT found"
fi
}
# Get Host ID
GetHostID()
{
HOSTID="-"
if [ ! "${SHA1SUMBINARY}" = "" ]; then
case "${OS}" in
"AIX")
FIND=`entstat en0 2>/dev/null | grep "Hardware Address" | awk -F ": " '{ print $2 }'`
if [ ! "${FIND}" = "" ]; then
HOSTID=`echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }'`
else
ReportException "GetHostID" "No MAC address returned on AIX"
fi
;;
"DragonFly" | "FreeBSD")
FIND=`${IFCONFIGBINARY} | grep ether | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]'`
if [ ! "${FIND}" = "" ]; then
HOSTID=`echo ${FIND} | sha1`
else
ReportException "GetHostID" "No MAC address returned on DragonFly or FreeBSD"
fi
;;
"Linux")
if [ ! "${IPBINARY}" = "" ]; then
# Define preferred interfaces
#PREFERRED_INTERFACES="eth0 eth1 eth2 enp0s25"
# Determine if we have ETH0 at all (not all Linux distro have this, e.g. Arch)
HASETH0=`${IFCONFIGBINARY} | grep "^eth0"`
# Check if we can find it with HWaddr on the line
FIND=`${IFCONFIGBINARY} 2> /dev/null | grep "^eth0" | grep -v "eth0:" | grep HWaddr | awk '{ print $5 }' | tr '[:upper:]' '[:lower:]'`
# If nothing found, then try first for alternative interface. Else other versions of ifconfig (e.g. Slackware/Arch)
if [ "${FIND}" = "" ]; then
FIND=`${IFCONFIGBINARY} 2> /dev/null | grep HWaddr`
if [ "${FIND}" = "" ]; then
# If possible directly address eth0 to avoid risking gathering the incorrect MAC address.
# If not, then falling back to getting first interface. Better than nothing.
if [ ! "${HASETH0}" = "" ]; then
FIND=`${IFCONFIGBINARY} eth0 2> /dev/null | grep "ether " | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]'`
else
FIND=`${IFCONFIGBINARY} 2> /dev/null | grep "ether " | awk '{ print $2 }' | head -1 | tr '[:upper:]' '[:lower:]'`
if [ "${FIND}" = "" ]; then
report "exception[]=No eth0 found (and no ether was found)"
else
logtext "Result: No eth0 found (ether found), using first network interface to determine hostid"
fi
fi
else
FIND=`${IFCONFIGBINARY} 2> /dev/null | grep HWaddr | head -1 | awk '{ print $5 }' | tr '[:upper:]' '[:lower:]'`
report "exception[]=No eth0 found (but HWaddr was found), using first network interface to determine hostid"
fi
fi
if [ ! "${HASETH0}" = "" ]; then
# Now determine the MAC with the ip command
FIND2=`${IPBINARY} addr show eth0 2> /dev/null | egrep "link/ether " | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]'`
else
# Forcing them to be the same. Unreliable to test with ip while knowing eth0 does not exist.
# Additionally usually lo0 will show up first, making test not worth doing.
FIND2="${FIND}"
fi
# Check if both commands give the same data
if [ "${FIND}" = "${FIND2}" ]; then
HOSTID=`echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }'`
logtext "Result: Found HostID: ${HOSTID}"
else
report "exception[]=Can't create HOSTID, receiving different output from commands"
logtext "Debug: output FIND (ifconfig): ${FIND}"
logtext "Debug: output FIND2 (ip): ${FIND2}"
fi
else
report "exception[]=Can't create HOSTID, command ip not found"
fi
;;
"MacOS")
FIND=`${IFCONFIGBINARY} en0 | grep ether | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]'`
if [ ! "${FIND}" = "" ]; then
HOSTID=`echo ${FIND} | shasum | awk '{ print $1 }'`
else
ReportException "GetHostID" "No MAC address returned on Mac OS"
fi
;;
"NetBSD")
FIND=`${IFCONFIGBINARY} -a | grep "address:" | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]'`
if [ ! "${FIND}" = "" ]; then
HOSTID=`echo ${FIND} | sha1`
else
ReportException "GetHostID" "No MAC address returned on NetBSD"
fi
;;
"OpenBSD")
FIND=`${IFCONFIGBINARY} | grep "lladdr " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]'`
if [ ! "${FIND}" = "" ]; then
HOSTID=`echo ${FIND} | sha1`
else
ReportException "GetHostID" "No MAC address returned on OpenBSD"
fi
;;
"Solaris")
INTERFACES_TO_TEST="e1000g1 net0"
FOUND=0
for I in ${INTERFACES_TO_TEST}; do
FIND=`${IFCONFIGBINARY} -a | grep "^${I}"`
if [ ! "${FIND}" = "" ]; then
FOUND=1; logtext "Found interface ${I} on Solaris"
fi
done
if [ ${FOUND} -eq 1 ]; then
FIND=`${IFCONFIGBINARY} ${I} | grep ether | awk '{ if ($1=="ether") { print $2 }}'`
HOSTID=`echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }'`
else
ReportException "GetHostID" "No interface found op Solaris to create HostID"
fi
;;
*)
ReportException "GetHostID" "Can't create HOSTID as OS is not supported by this function"
;;
esac
else
report "exception[]=No SHA1/SHA1SUM binary found to create HOSTID"
fi
}
# Insert section block
InsertSection()
{
if [ ${QUIET} -eq 0 ]; then
echo ""
echo "[+] ${SECTION}$1${NORMAL}"
echo "------------------------------------"
fi
logtextbreak
logtext "Action: Performing tests from category: $1"
}
# Insert section block for plugins
InsertPluginSection()
{
if [ ${QUIET} -eq 0 ]; then
echo ""
echo "[+] ${MAGENTA}$1${NORMAL}"
echo "------------------------------------"
fi
logtext "Action: Performing plugin tests"
}
# Is a process running?
# Returns: RUNNING
IsRunning()
{
RUNNING=0
FIND=`${PSBINARY} ax | egrep "( |/)$1" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
RUNNING=1
logtext "IsRunning: process '$1' found (${FIND})"
else
logtext "IsRunning: process '$1' not found"
fi
}
# Function IsWorldExecutable
IsWorldExecutable()
{
sFILE=$1
FileIsWorldExecutable=""
SYMLINK=0
# Check for symlink
if [ -L ${sFILE} ]; then
if [ ! "${READLINKBINARY}" = "" ]; then
tFILE=`${READLINKBINARY} ${sFILE}`
# Check if we can find the file now
if [ -f ${tFILE} ]; then
sFILE="${tFILE}"
logtext "Result: symlink found, pointing to ${sFILE}"
SYMLINK=1
else
# Check the full path of the symlink, strip the filename, copy the path and linked filename together
tDIR=`echo ${sFILE} | awk '{match($1, "^.*/"); print substr($1, 1, RLENGTH-1)}'`
tFILE="${tDIR}/${tFILE}"
if [ -f ${tFILE} ]; then
sFILE="${tFILE}"
logtext "Result: symlink found, seems to be ${sFILE}"
SYMLINK=1
fi
fi
fi
fi
# Only check the file if it isn't a symlink (after previous check)
if [ -f ${sFILE} -a ! -L ${sFILE} ]; then
FINDVAL=`ls -l ${sFILE} | cut -c 10`
if [ "${FINDVAL}" = "x" ]; then FileIsWorldExecutable="TRUE"; else FileIsWorldExecutable="FALSE"; fi
else
FileIsWorldExecutable="NOSUCHFILE"
fi
}
# Function IsWorldWritable
IsWorldWritable()
{
sFILE=$1
FileIsWorldWritable=""
# Check for symlink
if [ -L ${sFILE} ]; then
if [ ! "${READLINKBINARY}" = "" ]; then
tFILE=`${READLINKBINARY} ${sFILE}`
# Check if we can find the file now
if [ -f ${tFILE} ]; then
sFILE="${tFILE}"
logtext "Result: symlink found, pointing to ${sFILE}"
SYMLINK=1
else
# Check the full path of the symlink, strip the filename, copy the path and linked filename together
tDIR=`echo ${sFILE} | awk '{match($1, "^.*/"); print substr($1, 1, RLENGTH-1)}'`
tFILE="${tDIR}/${tFILE}"
if [ -f ${tFILE} ]; then
sFILE="${tFILE}"
logtext "Result: symlink found, seems to be ${sFILE}"
SYMLINK=1
fi
fi
fi
fi
# Only check the file if it isn't a symlink (after previous check)
if [ -f ${sFILE} -a ! -L ${sFILE} ]; then
FINDVAL=`ls -l ${sFILE} | cut -c 9`
if [ "${FINDVAL}" = "w" ]; then FileIsWorldWritable="TRUE"; else FileIsWorldWritable="FALSE"; fi
else
FileIsWorldWritable="NOSUCHFILE"
fi
}
# Function logtext (redirect data ($1) to log file)
logtext()
{
if [ ! "${LOGFILE}" = "" ]; then
CDATE=`date "+[%H:%M:%S]"`
echo "${CDATE} $1" >> ${LOGFILE}
fi
}
################################################################################
# Name : logtextbreak()
# Description : Add a separator to log file between sections, tests etc
# Returns : <nothing>
logtextbreak()
{
if [ ! "${LOGFILE}" = "" ]; then
CDATE=`date "+[%H:%M:%S]"`
echo "${CDATE} ===---------------------------------------------------------------===" >> ${LOGFILE}
fi
}
################################################################################
# Name : Maid()
# Description : Cleanup service
# Returns : <nothing>
Maid()
{
echo ""; echo "Interrupt detected."
# Remove PID
RemovePIDFile
# Clean up temp files
if [ ! "${TMPFILE}" = "" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi
if [ ! "${TMPFILE2}" = "" ]; then if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi; fi
Display --text "Cleaning up..." --result DONE --color GREEN
# Exit with exit code 1
exit 1
}
# Parse nginx configuration lines
ParseNginx()
{
FIND=`cat ${REPORTFILE} | grep "^nginx_config_option=" | awk -F= '{ if ($1=="nginx_config_option") { print $2 }}' | sed 's/ /:space:/g'`
for I in ${FIND}; do
I=`echo ${I} | sed 's/:space:/ /g' | sed 's/;$//'`
OPTION=`echo ${I} | awk '{ print $1 }'`
VALUE=`echo ${I}| cut -d' ' -f2-`
logtext "Result: found option ${OPTION} with parameters ${VALUE}"
case ${OPTION} in
access_log)
if [ "${VALUE}" = "off" ]; then
logtext "Result: found logging disabled for one virtual host"
NGINX_ACCESS_LOG_DISABLED=1
else
if [ ! -f ${VALUE} ]; then
logtext "Result: could not find referenced log file ${VALUE} in nginx configuration"
NGINX_ACCESS_LOG_MISSING=1
fi
fi
;;
# Headers
add_header)
;;
alias)
NGINX_ALIAS_FOUND=1
;;
allow)
NGINX_ALLOW_FOUND=1
;;
autoindex)
;;
deny)
NGINX_DENY_FOUND=1
;;
expires)
NGINX_EXPIRES_FOUND=1
;;
error_log)
# YYY Check if debug is appended
FIND=`echo ${VALUE} | awk '{ if ($2=="debug") { print 1 } else { print 0 }}'`
if [ ${FIND} -eq 1 ]; then
NGINX_ERROR_LOG_DEBUG=1
fi
# YYY Check if file exists
FILE=`echo ${VALUE} | awk '{ print $1 }'`
if [ ! "${FILE}" = "" ]; then
if [ ! -f ${FILE} ]; then
NGINX_ERROR_LOG_MISSING=1
fi
else
logtext "Warning: did not find a filename after error_log in nginx configuration"
fi
;;
error_page)
;;
fastcgi_intercept_errors)
;;
fastcgi_param)
NGINX_FASTCGI_FOUND=1
NGINX_FASTCGI_PARAMS_FOUND=1
;;
fastcgi_pass)
NGINX_FASTCGI_FOUND=1
NGINX_FASTCGI_PASS_FOUND=1
;;
fastcgi_pass_header)
;;
index)
;;
keepalive_timeout)
;;
listen)
NGINX_LISTEN_FOUND=1
# Test for ssl on listen statement
FIND_SSL=`echo ${VALUE} | grep ssl`
if [ ! "${FIND_SSL}" = "" ]; then NGINX_SSL_ON=1; fi
;;
location)
NGINX_LOCATION_FOUND=1
;;
return)
NGINX_RETURN_FOUND=1
;;
root)
NGINX_ROOT_FOUND=1
;;
server_name)
;;
ssl)
if [ "${VALUE}" = "on" ]; then NGINX_SSL_ON=1; fi
;;
ssl_certificate)
logtext "Found SSL certificate in nginx configuration"
;;
ssl_certificate_key)
;;
ssl_ciphers)
NGINX_SSL_CIPHERS=1
;;
ssl_prefer_server_ciphers)
if [ "${VALUE}" = "on" ]; then NGINX_SSL_PREFER_SERVER_CIPHERS=1; fi
;;
ssl_protocols)
;;
ssl_session_cache)
;;
ssl_session_timeout)
;;
types)
;;
*)
logtext "Found unknown option ${OPTION} in nginx configuration"
;;
esac
done
}
# Function to determine what the real file location is
RealFilename()
{
sFILE=$1
FileIsWorldExecutable=""
SYMLINK=0
# Check for symlink
if [ -L ${sFILE} ]; then
if [ ! "${READLINKBINARY}" = "" ]; then
tFILE=`${READLINKBINARY} ${sFILE}`
# Check if we can find the file now
if [ -f ${tFILE} ]; then
rFILE="${tFILE}"
logtext "Result: symlink found, pointing to ${sFILE}"
SYMLINK=1
else
# Check the full path of the symlink, strip the filename, copy the path and linked filename together
tDIR=`echo ${sFILE} | awk '{match($1, "^.*/"); print substr($1, 1, RLENGTH-1)}'`
tFILE="${tDIR}/${tFILE}"
if [ -f ${tFILE} ]; then
rFILE="${tFILE}"
logtext "Result: symlink found, seems to be ${sFILE}"
fi
fi
fi
else
# No symlinke
rFILE="${sFILE}"
fi
}
################################################################################
# Name : Register()
# Description : Register a test and see if it has to be run
# Returns : SKIPTEST (0 or 1)
Register()
{
# Do not insert a log break, if previous test was not logged
if [ ${SKIPLOGTEST} -eq 0 ]; then logtextbreak; fi
SKIPTEST=0; SKIPLOGTEST=0; TEST_NEED_OS=""; PREQS_MET=""
TEST_NEED_NETWORK=""; TEST_NEED_PLATFORM=""
TOTAL_TESTS=`expr ${TOTAL_TESTS} + 1`
while [ $# -ge 1 ]; do
case $1 in
--description)
shift
TEST_DESCRIPTION=$1
;;
--platform)
shift
TEST_NEED_PLATFORM=$1
;;
--network)
shift
TEST_NEED_NETWORK=$1
;;
--os)
shift
TEST_NEED_OS=$1
;;
--preqs-met)
shift
PREQS_MET=$1
;;
--test-no)
shift
TEST_NO=$1
;;
--weight)
shift
TEST_WEIGHT=$1
;;
*)
echo "INVALID OPTION (Register): $1"
exit 1
;;
esac
# Go to next parameter
shift
done
# Skip test if it's configured in profile
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`echo "${TEST_SKIP_ALWAYS}" | grep "${TEST_NO}"`
if [ ! "${FIND}" = "" ]; then SKIPTEST=1; SKIPREASON="Skipped by configuration"; fi
fi
# Skip if test is not in the list
if [ ${SKIPTEST} -eq 0 -a ! "${TESTS_TO_PERFORM}" = "" ]; then
FIND=`echo "${TESTS_TO_PERFORM}" | grep "${TEST_NO}"`
if [ "${FIND}" = "" ]; then SKIPTEST=1; SKIPREASON="Test not in list of tests to perform"; fi
fi
# Do not run scans which have a higher intensity than what we prefer
if [ ${SKIPTEST} -eq 0 -a "${TEST_WEIGHT}" = "H" -a "${SCAN_TEST_HEAVY}" = "NO" ]; then SKIPTEST=1; SKIPREASON="Test to system intensive for scan mode (H)"; fi
if [ ${SKIPTEST} -eq 0 -a "${TEST_WEIGHT}" = "M" -a "${SCAN_TEST_MEDIUM}" = "NO" ]; then SKIPTEST=1; SKIPREASON="Test to system intensive for scan mode (M)"; fi
# Skip test if OS is different than requested
if [ ${SKIPTEST} -eq 0 -a ! -z "${TEST_NEED_OS}" -a ! "${OS}" = "${TEST_NEED_OS}" ]; then
SKIPTEST=1; SKIPREASON="Incorrect guest OS (${TEST_NEED_OS} only)"
if [ ${LOG_INCORRECT_OS} -eq 0 ]; then
SKIPLOGTEST=1
fi
fi
# Check for correct hardware platform
if [ ${SKIPTEST} -eq 0 -a ! -z "${TEST_NEED_PLATFORM}" -a ! "${HARDWARE}" = "${TEST_NEED_PLATFORM}" ]; then SKIPTEST=1; SKIPREASON="Incorrect hardware platform"; fi
# Not all prerequisites met, like missing tool
if [ ${SKIPTEST} -eq 0 -a "${PREQS_MET}" = "NO" ]; then SKIPTEST=1; SKIPREASON="Prerequisities not met (ie missing tool, other type of Linux distribution)"; fi
# Skip test?
if [ ${SKIPTEST} -eq 0 ]; then
# First wait X seconds (depending pause_between_tests)
if [ ${TEST_PAUSE_TIME} -gt 0 ]; then sleep ${TEST_PAUSE_TIME}; fi
# Increase counter for every registered test which is performed
counttests
if [ ${SKIPLOGTEST} -eq 0 ]; then logtext "Performing test ID ${TEST_NO} ($TEST_DESCRIPTION)"; fi
TESTS_EXECUTED="${TEST_NO}|${TESTS_EXECUTED}"
else
if [ ${SKIPLOGTEST} -eq 0 ]; then logtext "Skipped test ${TEST_NO} ($TEST_DESCRIPTION)"; fi
if [ ${SKIPLOGTEST} -eq 0 ]; then logtext "Reason to skip: ${SKIPREASON}"; fi
TESTS_SKIPPED="${TEST_NO}|${TESTS_SKIPPED}"
fi
}
# Remove PID file
RemovePIDFile()
{
# Test if PIDFILE is defined, before checking file presence
if [ ! "${PIDFILE}" = "" ]; then
if [ -f ${PIDFILE} ]; then
rm -f $PIDFILE;
logtext "PID file removed (${PIDFILE})"
else
logtext "PID file not found (${PIDFILE})"
fi
fi
}
# Dump to report file
report()
{
echo "$1" >> ${REPORTFILE}
}
# Log exceptions
ReportException()
{
# 1 parameters
# <ID>:<2 char numeric>|text|
report "exception_event[]=$1|$2|"
logtext "Exception: test has an exceptional event ($1) with text $2"
}
# Log manual actions to report file
ReportManual()
{
# 1 parameters
# <ID>:<2 char numeric>
report "manual_event[]=$1"
logtext "Manual: one or more manual actions are required for further testing of this control/plugin"
}
# Report data (TESTID STATUS IMPACT MESSAGE)
ReportResult()
{
if [ $1 = "" ]; then TESTID="UNKNOWN"; fi
# Status: OK, WARNING, NEUTRAL, SUGGESTION
# Impact: HIGH, SEVERE, LOW,
#report "result[]=TESTID-${TESTID},STATUS-$2,IMPACT-$3,MESSAGE-$4-"
# Reset ID before next test
TESTID=""
}
# Log suggestions to report file
ReportSuggestion()
{
# 2 parameters
# <ID> <suggestion text>
report "suggestion[]=$1|$2|"
logtext "Suggestion: $2 [$1]"
}
# Log warning to report file
ReportWarning()
{
# 3 parameters
# <ID> <priority/impact> <warning text>
if [ "$2" = "L" -o "$2" = "M" -o "$2" = "H" ]; then
# old style warning
report "warning[]=$1|$3|"
logtext "Warning: $3 [$1]"
else
# new style warning
report "warning[]=$1|$2|"
logtext "Warning: $2 [test:$1]"
fi
}
SafePerms()
{
PERMS_OK=0
logtext "Checking permissions of $1"
if [ $# -eq 1 ]; then
# Check file permissions
if [ ! -f "$1" ]; then
logtext "Fatal error: file $1 does not exist. Quitting."
echo "Fatal error: file $1 does not exist"
ExitFatal
else
PERMS=`ls -l $1`
# Owner permissions
OWNER=`echo ${PERMS} | awk -F" " '{ print $3 }'`
if [ ! "${OWNER}" = "root" ]; then
echo "Fatal error: file $1 should be owned by user 'root' (found: ${OWNER})"
ExitFatal
fi
# Group permissions
GROUP=`echo ${PERMS} | awk -F" " '{ print $4 }'`
if [ ! "${GROUP}" = "root" -a ! "${GROUP}" = "wheel" ]; then
echo "Fatal error: group owner of directory $1 should be owned by root user, or related group"
ExitFatal
fi
# Other permissions
OTHER_PERMS=`echo ${PERMS} | cut -c8-10`
if [ ! "${OTHER_PERMS}" = "---" ]; then
echo "Fatal error: permissions of file $1 are not strict enough. Access to 'other' should be denied."
ExitFatal
fi
# Set PERMS_OK to 1 if no fatal errors occurred
PERMS_OK=1
logtext "File permissions are OK"
fi
else
logtext "Fatal error: invalid amount of parameters when calling function SafePerms()"
echo "Invalid amount of parameters for function SafePerms()"
ExitFatal
fi
}
################################################################################
# Name : SearchItem()
# Description : Search if a specific string exists in in a file
# Parameters : $1 = search string
# : $2 = file
# Returns : <nothing>
################################################################################
SearchItem()
{
ITEM_FOUND=0
if [ $# -eq 2 ]; then
# Don't search in /dev/null, it's too empty there
if [ -f $2 ]; then
# Check if we can find the main type (with or without brackets)
logtext "Test: search string $1 in file $2"
FIND=`egrep "$1" $2`
if [ ! "${FIND}" = "" ]; then
ITEM_FOUND=1
logtext "Result: found string"
logtext "Full string: ${FILE}"
else
logtext "Result: search string NOT found"
fi
else
logtext "Skipping search, file does not exist"
ReportException ${TEST_NO} "Test is trying to search for a string in nonexistent file"
fi
else
ReportException ${TEST_NO} "Error in function call to CheckItem"
fi
}
# Show result code
ShowResult()
{
case $1 in
OK)
echo "[ ${OK}OK${NORMAL} ]"
;;
WARNING)
echo "[ ${WARNING}WARNING${NORMAL} ]"
# log the warning to our log file
#logtext "Warning: $2"
# add the warning to our report file
#report "warning=$2"
;;
esac
}
ViewCategories()
{
if [ ! "${INCLUDEDIR}" = "" ]; then
InsertSection "Available test categories"
for I in `ls ${INCLUDEDIR}/tests_* | xargs -n 1 basename | sed 's/tests_//' | grep -v "custom.template"`; do
echo " - ${I}"
done
fi
echo ""
exit 0
}
# Wait for [ENTER] or manually break
wait_for_keypress()
{
if [ ! ${QUICKMODE} -eq 1 ]; then
echo ""; echo "[ ${WHITE}Press [ENTER] to continue, or [CTRL]+C to stop${NORMAL} ]"
read void
fi
}
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
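Review bot: SearchItem() logs the wrong variable on the success path: `logtext "Full string: ${FILE}"` should read `${FIND}`, since FILE is never assigned in this function (it is only set in the error_log branch of ParseNginx, so a stale or empty value gets logged), and the exception raised for a wrong argument count still says "Error in function call to CheckItem" instead of SearchItem. Two further logic points in the same file: in GetHostID() the Solaris branch loops over `e1000g1 net0` without breaking, so after the loop `${I}` is always `net0` and FIND only holds the last grep result; when only e1000g1 exists, `${IFCONFIGBINARY} ${I}` queries the wrong interface and HOSTID becomes the hash of an empty line. Save the matched name (e.g. `FOUND_IF=${I}; break`) and use that. In Display(), `--no-break` assigns `ECHOCMD="echo -en"` and nothing in the function restores the previous value, so every later Display call also suppresses its newline; reset it at function entry (alongside INDENT, TEXT, RESULT and COLOR) or use a local flag.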

376
include/osdetection Normal file

@ -0,0 +1,376 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# This software is licensed under GPL, version 3. See LICENSE file for
# usage of this software.
#
#################################################################################
#
# Operating System detection
#
#################################################################################
#
# Check operating system
case `uname` in
# IBM AIX
AIX)
OS="AIX"
OS_NAME="AIX"
OS_VERSION=`oslevel`
OS_FULLNAME="AIX ${OS_VERSION}"
CPU=`uname -p`
HARDWARE=`uname -M`
FIND_BINARIES="whereis -b"
SYSCTL_READKEY=""
;;
# Mac OS X
Darwin)
OS="MacOS"
if [ -x /usr/bin/sw_vers ]; then
OS_NAME=`/usr/bin/sw_vers -productName`
OS_VERSION=`/usr/bin/sw_vers -productVersion`
OS_FULLNAME="${OS_NAME} ${OS_VERSION}"
else
# Fall back to pretty safe name
OS_NAME="Mac OS X"
OS_FULLNAME=`uname -s -r`
OS_VERSION=`uname -r`
fi
HARDWARE=`uname -m`
HOMEDIRS="/Users"
FIND_BINARIES="whereis"
OS_KERNELVERSION=`uname -r`
SYSCTL_READKEY=""
;;
# DragonFly BSD
DragonFly)
OS="DragonFly"
OS_NAME="DragonFly BSD"
OS_FULLNAME=`uname -s -r`
OS_VERSION=`uname -r`
HARDWARE=`uname -m`
HOMEDIRS="/home /root"
FIND_BINARIES="whereis -q -a -b"
OS_KERNELVERSION=`uname -i`
SYSCTL_READKEY="sysctl -n"
;;
# FreeBSD
FreeBSD)
OS="FreeBSD"
OS_NAME="FreeBSD"
OS_FULLNAME=`uname -s -r`
OS_VERSION=`uname -r`
HARDWARE=`uname -m`
HOMEDIRS="/home /root"
FIND_BINARIES="whereis -q -a -b"
OS_KERNELVERSION=`uname -i`
SYSCTL_READKEY="sysctl -n"
# TrueOS
if [ -f /etc/defaults/trueos ]; then
OS_NAME="TrueOS"
logtext "Result: found TrueOS file, system is completely based on FreeBSD though. Only adjusting OS name."
fi
;;
# HP-UX
HP-UX)
OS="HP-UX"
OS_NAME="HP-UX"
OS_FULLNAME=`uname -s -r`
OS_VERSION=`uname -r`
HARDWARE=`uname -m`
FIND_BINARIES="whereis -b"
SYSCTL_READKEY=""
;;
# Linux
Linux)
OS="Linux"
OS_NAME="Linux"
OS_FULLNAME=""
OS_VERSION=`uname -r`
LINUX_VERSION=""
HARDWARE=`uname -m`
HOMEDIRS="/home"
FIND_BINARIES="whereis -b"
OS_KERNELVERSION=`uname -r`
# Amazon
if [ -e "/etc/system-release" ]; then
FIND=`grep "Amazon" /etc/system-release`
if [ ! "${FIND}" = "" ]; then
OS_REDHAT_OR_CLONE=1
OS_FULLNAME=`cat /etc/system-release | grep "^Amazon"`
OS_VERSION=`grep "^Amazon" /etc/system-release | awk '{ if ($4=="release") { print $5 } }'`
LINUX_VERSION="Amazon"
fi
fi
# Arch Linux
if [ -e "/etc/arch-release" ]; then
OS_FULLNAME="Arch Linux"
OS_VERSION="Unknown"
LINUX_VERSION="Arch Linux"
fi
# Chakra Linux
if [ -e "/etc/chakra-release" ]; then
OS_FULLNAME=`cat /etc/chakra-release | grep "^Chakra"`
OS_VERSION=`cat /etc/chakra-release | grep "^Chakra" | awk '{ if ($3=="release") { print $4 }}'`
LINUX_VERSION="Chakra Linux"
fi
# Cobalt
if [ -e "/etc/cobalt-release" ]; then OS_FULLNAME=`cat /etc/cobalt-release`; fi
# CPUBuilders Linux
if [ -e "/etc/cpub-release" ]; then OS_FULLNAME=`cat /etc/cpub-release`; fi
# Debian/Ubuntu (***) - Set first to Debian
if [ -e "/etc/debian_version" ]; then
OS_VERSION=`cat /etc/debian_version`
OS_FULLNAME="Debian ${OS_VERSION}"
LINUX_VERSION="Debian"
fi
# /etc/lsb-release does not exist on Debian
if [ -e "/etc/debian_version" -a -e /etc/lsb-release ]; then
OS_VERSION=`cat /etc/debian_version`
FIND=`grep "^DISTRIB_ID=" /etc/lsb-release | cut -d '=' -f2 | sed 's/"//g'`
if [ "${FIND}" = "Ubuntu" ]; then
OS_VERSION=`grep "^DISTRIB_RELEASE=" /etc/lsb-release | cut -d '=' -f2`
OS_FULLNAME="Ubuntu ${OS_VERSION}"
LINUX_VERSION="Ubuntu"
elif [ "${FIND}" = "elementary OS" ]; then
LINUX_VERSION="elementary OS"
OS_VERSION=`grep "^DISTRIB_RELEASE=" /etc/lsb-release | cut -d '=' -f2`
OS_FULLNAME=`grep "^DISTRIB_DESCRIPTION=" /etc/lsb-release | cut -d '=' -f2 | sed 's/"//g'`
else
# Catch all, in case it's unclear what specific release this is.
OS_FULLNAME="Debian ${OS_VERSION}"
LINUX_VERSION="Debian"
fi
# Ubuntu test (optional) `cat /proc/version | grep "[Uu]buntu"`
fi
# E-smith
if [ -e "/etc/e-smith-release" ]; then OS_FULLNAME=`cat /etc/e-smith-release`; fi
# Gentoo
if [ -e "/etc/gentoo-release" ]; then OS_FULLNAME=`cat /etc/gentoo-release | awk '{ print $5 }' | cut -d '.' -f1,2`; fi
# Red Hat and others
if [ -e "/etc/redhat-release" ]; then
OS_REDHAT_OR_CLONE=1
# CentOS
FIND=`grep "CentOS" /etc/redhat-release`
if [ ! "${FIND}" = "" ]; then
OS_FULLNAME=`cat /etc/redhat-release | grep "CentOS"`
LINUX_VERSION="CentOS"
OS_VERSION="${OS_FULLNAME}"
fi
# ClearOS
FIND=`grep "ClearOS" /etc/redhat-release`
if [ ! "${FIND}" = "" ]; then
OS_FULLNAME=`cat /etc/redhat-release | grep "ClearOS"`
LINUX_VERSION="ClearOS"
OS_VERSION="${OS_FULLNAME}"
fi
# Fedora
FIND=`grep "Fedora" /etc/redhat-release`
if [ ! "${FIND}" = "" ]; then
OS_FULLNAME=`cat /etc/redhat-release | grep "Fedora"`
OS_VERSION="${OS_FULLNAME}"
LINUX_VERSION="Fedora"
fi
# Mageia (has also /etc/megaia-release)
FIND=`grep "Mageia" /etc/redhat-release`
if [ ! "${FIND}" = "" ]; then
OS_FULLNAME=`cat /etc/redhat-release | grep "^Mageia"`
OS_VERSION=`grep "^Mageia" /etc/redhat-release | awk '{ if ($2=="release") { print $3 } }'`
LINUX_VERSION="Mageia"
fi
# Oracle Enterprise Linux
FIND=`grep "Enterprise Linux Enterprise Linux Server" /etc/redhat-release`
if [ ! "${FIND}" = "" ]; then
LINUX_VERSION="Oracle Enterprise Linux";
OS_FULLNAME=`cat /etc/redhat-release | grep "Enterprise Linux"`;
OS_VERSION="${OS_FULLNAME}";
fi
# Oracle Enterprise Linux
if [ -e /etc/oracle-release ]; then
FIND=`grep "Oracle Linux Server" /etc/oracle-release`
if [ ! "${FIND}" = "" ]; then
LINUX_VERSION="Oracle Enterprise Linux";
OS_FULLNAME=`cat /etc/oracle-release | grep "Oracle Linux"`;
OS_VERSION="${OS_FULLNAME}";
fi
fi
# Oracle VM Server
if [ -e /etc/ovs-release ]; then
FIND=`grep "Oracle VM" /etc/ovs-release`
if [ ! "${FIND}" = "" ]; then
LINUX_VERSION="Oracle VM Server";
OS_FULLNAME=`cat /etc/ovs-release | grep "Oracle VM"`;
OS_VERSION="${OS_FULLNAME}";
fi
fi
# Red Hat
FIND=`grep "Red Hat" /etc/redhat-release`
if [ ! "${FIND}" = "" ]; then
OS_FULLNAME=`cat /etc/redhat-release | grep "Red Hat"`
OS_VERSION="${OS_FULLNAME}"
LINUX_VERSION="Red Hat"
fi
# Scientific
FIND=`grep "Scientific" /etc/redhat-release`
if [ ! "${FIND}" = "" ]; then
OS_FULLNAME=`cat /etc/redhat-release | grep "^Scientific"`
OS_VERSION=`grep "^Scientific" /etc/redhat-release | awk '{ if ($3=="release") { print $4 } }'`
LINUX_VERSION="Scientific"
fi
fi
# PCLinuxOS
if [ -f /etc/pclinuxos-release ]; then
FIND=`grep "^PCLinuxOS" /etc/pclinuxos-release`
if [ ! "${FIND}" = "" ]; then
OS_FULLNAME="PCLinuxOS Linux"
LINUX_VERSION="PCLinuxOS"
OS_VERSION=`grep "^PCLinuxOS" /etc/pclinuxos-release | awk '{ if ($2=="release") { print $3 } }'`
fi
fi
# Sabayon Linux
if [ -f /etc/sabayon-edition ]; then
FIND=`grep "Sabayon Linux" /etc/sabayon-edition`
if [ ! "${FIND}" = "" ]; then
OS_FULLNAME="Sabayon Linux"
LINUX_VERSION="Sabayon"
OS_VERSION=`cat /etc/sabayon-edition | awk '{ print $3 }'`
fi
fi
if [ -f /etc/SLOX-release ]; then
OS_FULLNAME=`cat /etc/SLOX-release | grep "SuSE Linux"`
LINUX_VERSION="SuSE"
fi
# Slackware
if [ -f /etc/slackware-version ]; then
LINUX_VERSION="Slackware"
OS_VERSION=`grep "^Slackware" /etc/slackware-version | awk '{ if ($1=="Slackware") { print $2 } }'`
OS_FULLNAME="Slackware Linux ${OS_VERSION}"
fi
# SuSE
if [ -e "/etc/SuSE-release" ]; then
OS_VERSION=`cat /etc/SuSE-release | head -n 1`;
LINUX_VERSION="SuSE";
fi
# Turbo Linux
if [ -e "/etc/turbolinux-release" ]; then OS_FULLNAME=`cat /etc/turbolinux-release`; fi
# YellowDog
if [ -e "/etc/yellowdog-release" ]; then OS_FULLNAME=`cat /etc/yellowdog-release`; fi
# ===================================================================
# Set OS name to the discovered Linux version
if [ ! "${LINUX_VERSION}" = "" -a "${OS_NAME}" = "Linux" ]; then
OS_NAME="${LINUX_VERSION}"
fi
# If Linux version (full name) is unknown, use uname value
if [ "${OS_FULLNAME}" = "" ]; then OS_FULLNAME=`uname -s -r`; fi
SYSCTL_READKEY="sysctl -n"
;;
# NetBSD
NetBSD)
OS="NetBSD"
OS_NAME="NetBSD"
OS_FULLNAME=`uname -s -r`
OS_KERNELVERSION=`uname -v`
OS_VERSION=`uname -r`
HARDWARE=`uname -m`
FIND_BINARIES="whereis"
SYSCTL_READKEY=""
;;
# OpenBSD
OpenBSD)
OS="OpenBSD"
OS_NAME="OpenBSD"
OS_FULLNAME=`uname -s -r`
OS_KERNELVERSION=`uname -v`
OS_VERSION=`uname -r`
HARDWARE=`uname -m`
FIND_BINARIES="whereis"
SYSCTL_READKEY=""
;;
# Solaris / OpenSolaris
SunOS)
OS="Solaris"
OS_NAME="Sun Solaris"
OS_FULLNAME=`uname -s -r`
OS_VERSION=`uname -r`
HARDWARE=`uname -m`
if [ -x /usr/bin/isainfo ]; then
# Returns 32, 64
OS_MODE=`/usr/bin/isainfo -b`
fi
SYSCTL_READKEY=""
;;
# Unknown or unsupported systems
*)
echo "[ ${WARNING}WARNING${NORMAL} ]"
echo "${WARNING}Error${NORMAL}: ${WHITE}Unknown OS found. No support available for this OS or platform...${NORMAL}"
echo "Please consult the README/documentation for more information."
exit 1
;;
esac
# Set correct echo binary and parameters after detecting operating system
case ${OS} in
"AIX") ECHOCMD="echo" ;;
"MacOS") ECHOCMD="echo" ;;
"Solaris") ECHOCMD="echo" ;;
"Linux")
# Check if dash is used (Debian/Ubuntu)
DEFAULT_SHELL=`ls -l /bin/sh | awk -F'>' '{print $2}'`
case ${DEFAULT_SHELL} in
" dash") ECHOCMD="/bin/echo -e" ;;
*) ECHOCMD="echo -e" ;;
esac
;;
*) ECHOCMD="echo -e" ;;
esac
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
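Review bot: the dash detection at the end of the hunk is brittle: `ls -l /bin/sh | awk -F'>' '{print $2}'` only yields `" dash"` when the symlink target is the bare name `dash`; a target such as `/bin/dash` or `/usr/bin/dash` falls through to `*) ECHOCMD="echo -e"`, and the dash builtin echo then prints a literal `-e` at the start of every Display line. Match the target with a glob such as `*dash*)` (or probe the shell directly, e.g. check the output of `/bin/sh -c 'echo -e x'`) instead. A smaller consistency point: the CentOS, ClearOS, Fedora, Red Hat and Oracle branches set `OS_VERSION="${OS_FULLNAME}"` (the whole release line), while Mageia, Scientific, PCLinuxOS, Slackware and Debian/Ubuntu extract just the version number; either parse the number for the Red Hat family too or document that OS_VERSION is not numeric on those systems.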

184
include/parameters Normal file

@ -0,0 +1,184 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Parameter checks
#
#################################################################################
#
# Check number of parameters submitted (at least one is needed)
PARAMCOUNT=$#
while [ $# -ge 1 ]; do
case $1 in
# Assign auditor to report
--auditor)
shift
AUDITORNAME=$1
;;
# Perform tests
-c | --check-all | --checkall)
CHECK=1
;;
# Cronjob support
--cronjob | --cron)
CRONJOB=1;
# Use some defaults (-c, -Q, no colors)
CHECK=1; QUICKMODE=1; NEVERBREAK=1
# Get rid of the colors
NORMAL=""; WARNING=""; SECTION=""; NOTICE=""; OK=""; BAD=""; CYAN=""; MAGENTA=""; PURPLE=""; YELLOW=""; WHITE=""; GREEN=""; RED=""
;;
# Perform tests with additional debugging information on screen
--debug)
DEBUG=1
;;
# View help
--help | -h)
VIEWHELP=1
;;
# View program/database information
--check-update | --info)
VIEWUPDATEINFO=1
;;
# License key for Lynis Enterprise
--license-key)
shift
LICENSE_KEY=$1
;;
# Adjust default logfile location
--logfile | --log-file)
shift
LOGFILE=$1
;;
# Don't use colors
--no-colors)
NORMAL=""; WARNING=""; SECTION=""; NOTICE=""; OK=""; BAD=""; CYAN=""; MAGENTA=""; PURPLE=""; YELLOW=""; WHITE=""; GREEN=""; RED=""
;;
# Disable logging
--no-log | --nolog)
LOGFILE="/dev/null"
;;
# Define a custom profile file
--profile)
shift
PROFILE=$1
;;
# Define a custom plugin directory
--plugin-dir)
shift
PLUGINDIR=$1
LASTCHAR=`echo $1 | awk '{ print substr($0, length($0))}'`
if [ "${LASTCHAR}" = "/" ]; then
echo "${RED}Error:${WHITE} plugin directory path should not end with a slash${NORMAL}"
ExitFatal
fi
if [ ! -d ${PLUGINDIR} ]; then
echo "${RED}Error:${WHITE} invalid plugin directory ${PLUGINDIR}${NORMAL}"
ExitFatal
fi
;;
# Quiet mode
-q | --quiet)
QUIET=1
# Run non-interactive
QUICKMODE=1
;;
# Non-interactive mode
-Q | --quick)
QUICKMODE=1
;;
# Strip the colors which aren't clearly visible on light backgrounds
--reverse-colors)
#NORMAL="";
SECTION="${NORMAL}";
NOTICE="${NORMAL}";
#OK="";
#BAD="";
CYAN="${NORMAL}";
GREEN="${NORMAL}";
YELLOW="${NORMAL}";
WHITE="${NORMAL}";
PURPLE="${NORMAL}";
#GREEN="";
#RED=""
;;
# Only scan these tests
--tests)
shift
TESTS_TO_PERFORM=$1
;;
# Scan one or more categories only
--tests-category)
shift
TESTS_CATEGORY_TO_PERFORM=$1
;;
# Lynis Enterprise: upload data to central node
--upload)
UPLOAD_DATA=1
;;
# Version number
-V | --version)
echo "${PROGRAM_version}"
exit 0
;;
--view-categories | --list-categories | --show-categories)
ViewCategories
exit 0
;;
# View man page
--view-manpage | --man)
if [ -f lynis.8 ]; then
nroff -man lynis.8
exit 0
else
echo "Error: man page file not found (lynis.8)"
echo "If you are running an installed version of Lynis, use 'man lynis'"
exit 1
fi
;;
# Drop out when using wrong option(s)
*)
# Wrong option used, we bail out later
WRONGOPTION=1
WRONGOPTION_value=$1
;;
esac
shift
done
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
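Review bot: the options that consume a value (`--auditor`, `--license-key`, `--logfile`, `--profile`, `--plugin-dir`, `--tests`, `--tests-category`) `shift` and read `$1` without first checking that a value is present; when such an option is the last argument the variable is silently set to empty and the trailing `shift` at the bottom of the loop runs with `$#` already at zero, which is an error in every POSIX shell and a fatal one under dash ("can't shift that many") instead of a usable message. Guard each with `if [ $# -lt 2 ]; then echo "Error: ${1} requires a value"; ExitFatal; fi` before the `shift`. Related: quote the expansions in `--plugin-dir` (`[ ! -d "${PLUGINDIR}" ]`) so an empty or space-containing path is rejected rather than mis-parsed by `test`, and `WRONGOPTION_value` only retains the last unknown option, so a user who passes two typos is told about one.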

186
include/profiles Normal file

@ -0,0 +1,186 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Read profile/template
#
#################################################################################
#
#YYY Enable check when profile files are complete and completely documented
# Check if default profile is used
if [ "${PROFILE}" = "defaultXXX.prf" ]; then
echo ""
echo " ==============================================================================="
echo " ${WARNING}Warning${NORMAL}: ${WHITE}Default profile is used.${NORMAL}"
echo " Default profile contains only a small amount of options and settings."
echo " Consult the documentation to create a custom profile!"
echo ""
echo " [ ${WHITE}Press [ENTER] to continue with the default profile or [CTRL] + C to stop${NORMAL} ]"
echo " ==============================================================================="
wait_for_keypress
fi
#
#################################################################################
#
Display --indent 2 --text "- Checking profile file (${PROFILE})..."
logtext "Reading profile/configuration ${PROFILE}"
FIND=`cat ${PROFILE} | grep '^config:' | sed 's/ /!space!/g'`
for I in ${FIND}; do
OPTION=`echo ${I} | cut -d ':' -f2`
VALUE=`echo ${I} | cut -d ':' -f3 | sed 's/!space!/ /g'`
logtext "Profile option set: ${OPTION} (with value ${VALUE})"
case ${OPTION} in
# Maximum number of WAITing connections
connections_max_wait_state)
OPTIONS_CONN_MAX_WAIT_STATE="${VALUE}"
;;
# Do not check security repository in sources.list (Debian/Ubuntu)
debian_skip_security_repository)
OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY="${VALUE}"
;;
debug)
if [ "${VALUE}" = "yes" -o "${VALUE}" = "true" ]; then
DEBUG=1
fi
;;
# Skip FreeBSD port audit
freebsd_skip_portaudit)
logtext "Option set: Skip FreeBSD portaudit"
OPTION_FREEBSD_SKIP_PORTAUDIT="${VALUE}"
;;
# Lynis Enterprise: group name
group)
GROUP_NAME="${VALUE}"
;;
# Lynis Enterprise license key
license_key)
LICENSE_KEY="${VALUE}"
;;
# Do (not) log tests if they have an different operating system
log_tests_incorrect_os)
logtext "Option set: No logging for incorrect OS"
if [ "${VALUE}" = "no" ]; then LOG_INCORRECT_OS=0; else LOG_INCORRECT_OS=1; fi
;;
# What type of machine we are scanning (eg. desktop, server, server with storage)
machine_role)
MACHINE_ROLE="${VALUE}"
;;
# Define if any found NTP daemon instance is configured as a server or client
ntpd_role)
NTPD_ROLE="${VALUE}"
;;
# How much seconds to wait between tests
pause_between_tests)
TEST_PAUSE_TIME="${VALUE}"
;;
# Profile name
profile_name)
# YYY dummy
;;
# Inline tips about tool
show_tool_tips)
SHOW_TOOL_TIPS="${VALUE}"
;;
# Tests to always skip (useful for false positives or problematic tests)
test_skip_always)
TEST_SKIP_ALWAYS="${VALUE}"
logtext "Tests to be skipped: ${VALUE}"
;;
# Do not check the latest version on the internet
skip_upgrade_test)
if [ "${VALUE}" = "yes" -o "${VALUE}" = "YES" ]; then SKIP_UPGRADE_TEST=1; else SKIP_UPGRADE_TEST=0; fi
;;
# Define what kind of scan we are performing
test_scan_mode)
if [ "${VALUE}" = "light" ]; then SCAN_TEST_LIGHT="YES"; SCAN_TEST_MEDIUM="NO"; SCAN_TEST_HEAVY="NO"; fi
if [ "${VALUE}" = "normal" ]; then SCAN_TEST_LIGHT="YES"; SCAN_TEST_MEDIUM="YES"; SCAN_TEST_HEAVY="NO"; fi
if [ "${VALUE}" = "full" ]; then SCAN_TEST_LIGHT="YES"; SCAN_TEST_MEDIUM="YES"; SCAN_TEST_HEAVY="YES"; fi
;;
# Catch all bad options and bail out
*)
logtext "Unknown option ${OPTION} (with value: ${VALUE})"
echo "Fatal error: found errors in profile"
echo "Unknown option '${OPTION}' found (with value: ${VALUE})"
RemovePIDFile
exit 1
;;
esac
done
#
#################################################################################
#
# Add group name to report
if [ ! "${GROUP_NAME}" = "" ]; then
report "group=${GROUP_NAME}"
fi
#
#################################################################################
#
# Plugins
#
#################################################################################
#
#FIND=`cat ${PROFILE} | grep '^plugin_enable=' | sed 's/ /!space!/g'`
#for I in ${FIND}; do
# PLUGIN=`echo ${I} | cut -d '=' -f2`
# if [ -f "${PLUGINDIR}/${PLUGIN}" ]; then
# logtext "Found plugin: ${PLUGIN}"
# # XXX - enable plugin
# else
# logtext "Couldn't find plugin: ${PLUGIN} (${PLUGINDIR}/${PLUGIN})"
# fi
#done
#
#################################################################################
#
# Set default values (only if not configured in profile)
if [ "${MACHINE_ROLE}" = "" ]; then
MACHINE_ROLE="server"
logtext "Set option to default value: MACHINE_ROLE --> ${MACHINE_ROLE}"
fi
if [ "${NTPD_ROLE}" = "" ]; then
NTPD_ROLE="client"
logtext "Set option to default value: NTPD_ROLE --> ${NTPD_ROLE}"
fi
#
#################################################################################
#
logtextbreak
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - cisofy.com - The Netherlands
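Review bot: the profile parser splits each `config:` line with `cut -d ':' -f3`, so any value that itself contains a colon (a path list for `test_skip_always`, a URL, a `HH:MM` time) is truncated at the next colon without any error; use `-f3-` so the remainder of the line is kept as the value. Two smaller points in the same loop: nothing checks that `${PROFILE}` exists and is readable before `cat ${PROFILE}` runs, so a mistyped `--profile` path yields an empty FIND and a silently default-configured scan even though "Checking profile file" was displayed, and `show_tool_tips` stores the raw profile string while the report code compares it with `[ ${SHOW_TOOL_TIPS} -eq 1 ]`, so a profile value of `yes` or `no` produces an "integer expression expected" error at the end of the run; normalise it to 0/1 here the way `debug` and `skip_upgrade_test` do.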

223
include/report Normal file

@ -0,0 +1,223 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Report
#
#################################################################################
#
logtextbreak
#if [ ${QUIET} -eq 0 ]; then
# echo ""
# echo " ---------------------------------------------------"
# echo " Program version: ${PROGRAM_version}"
# echo " Operating system: ${OS_NAME}"
# echo " Operating system version: ${OS_VERSION}"
# if [ ! "${OS_MODE}" = "" ]; then echo " Operating system mode: ${OS_MODE}"; fi
# echo " Kernel version: ${OS_KERNELVERSION}"
# echo " Hardware platform: ${HARDWARE}"
# echo " Hostname: ${HOSTNAME}"
# echo " Auditor: ${AUDITORNAME}"
# echo " Profile: ${PROFILE}"
# echo " Log file: ${LOGFILE}"
# echo " Report file: ${REPORTFILE}"
# echo " Report version: ${REPORT_version}"
# echo " ---------------------------------------------------"
# fi
#
#################################################################################
#
# Hardening Index
# Define approximately how strong a machine has been hardened
#
#################################################################################
#
# If no hardening has been found, set value to 1
if [ ${HPPOINTS} -eq 0 ]; then HPPOINTS=1; HPTOTAL=100; fi
HPINDEX=`expr $HPPOINTS \* 100 / $HPTOTAL`
HPAOBLOCKS=`expr $HPPOINTS \* 20 / $HPTOTAL`
# Set color related to rating
if [ ${HPINDEX} -lt 50 ]; then
HPCOLOR="${RED}"
HIDESCRIPTION="System has not or a low amount been hardened"
fi
if [ ${HPINDEX} -gt 49 -a ${HPINDEX} -lt 80 ]; then
HPCOLOR="${YELLOW}"
HIDESCRIPTION="System has been hardened, but could use additional hardening"
fi
if [ ${HPINDEX} -gt 79 -a ${HPINDEX} -lt 90 ]; then
HPCOLOR="${GREEN}"
HIDESCRIPTION="System seem to be decent hardened"
fi
if [ ${HPINDEX} -gt 89 ]; then
HPCOLOR="${GREEN}"
HIDESCRIPTION="System seem to be well hardened"
fi
case ${HPAOBLOCKS} in
0) HPBLOCKS="#"; HPEMPTY=" " ;;
1) HPBLOCKS="#"; HPEMPTY=" " ;;
2) HPBLOCKS="##"; HPEMPTY=" " ;;
3) HPBLOCKS="###"; HPEMPTY=" " ;;
4) HPBLOCKS="####"; HPEMPTY=" " ;;
5) HPBLOCKS="#####"; HPEMPTY=" " ;;
6) HPBLOCKS="######"; HPEMPTY=" " ;;
7) HPBLOCKS="#######"; HPEMPTY=" " ;;
8) HPBLOCKS="########"; HPEMPTY=" " ;;
9) HPBLOCKS="#########"; HPEMPTY=" " ;;
10) HPBLOCKS="##########"; HPEMPTY=" " ;;
11) HPBLOCKS="###########"; HPEMPTY=" " ;;
12) HPBLOCKS="############"; HPEMPTY=" " ;;
13) HPBLOCKS="#############"; HPEMPTY=" " ;;
14) HPBLOCKS="##############"; HPEMPTY=" " ;;
15) HPBLOCKS="###############"; HPEMPTY=" " ;;
16) HPBLOCKS="################"; HPEMPTY=" " ;;
17) HPBLOCKS="#################"; HPEMPTY=" " ;;
18) HPBLOCKS="##################"; HPEMPTY=" " ;;
19) HPBLOCKS="###################"; HPEMPTY=" " ;;
20) HPBLOCKS="####################"; HPEMPTY="" ;;
esac
HPGRAPH="[${HPCOLOR}${HPBLOCKS}${NORMAL}${HPEMPTY}]"
logtext "Hardening index : [${HPINDEX}] [${HPBLOCKS}${HPEMPTY}]"
logtext "Hardening strength: ${HIDESCRIPTION}"
report "hardening_index=${HPINDEX}"
#
#################################################################################
#
# Show test results overview
#
#################################################################################
#
# Only show overview if not running in quiet mode
if [ ${QUIET} -eq 0 ]; then
echo ""; echo "================================================================================"
echo ""; echo " -[ ${WHITE}${PROGRAM_name} ${PROGRAM_version} Results${NORMAL} ]-"
echo "";
# Show warnings from logfile
SWARNINGS=`cat ${LOGFILE} | grep -i 'warning:' | sed 's/ /!space!/g'`
if [ "${SWARNINGS}" = "" ]; then
echo " ${OK}No warnings${NORMAL}"; echo ""
else
echo " ${WARNING}Warnings${NORMAL}:"
echo " ${WHITE}----------------------------${NORMAL}"
for WARNING in ${SWARNINGS}; do
SHOWWARNING=`echo ${WARNING} | sed 's/!space!/ /g' | sed 's/^\[\(.*\)\] Warning: //'`
ADDLINK=`echo ${WARNING} | sed 's/!space!/ /g' | sed 's/^\[\(.*\)\] Warning: \(.*\)\[//' | sed 's/\]//'`
echo " ${WHITE}- ${SHOWWARNING}${NORMAL}"
echo " http://cisofy.com/controls/${ADDLINK}/"
echo ""
done
fi
# Show suggestions from logfile
SSUGGESTIONS=`grep -i 'suggestion:' ${LOGFILE} | sed 's/ /!space!/g'`
if [ "${SSUGGESTIONS}" = "" ]; then
echo " ${OK}No suggestions${NORMAL}"; echo ""
else
echo " ${YELLOW}Suggestions${NORMAL}:"
echo " ${WHITE}----------------------------${NORMAL}"
for SUGGESTION in ${SSUGGESTIONS}; do
SHOWSUGGESTION=`echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^\[\(.*\)\] Suggestion: //'`
ADDLINK=`echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^\[\(.*\)\] Suggestion: \(.*\)\[//' | sed 's/\]//'`
echo " - ${SHOWSUGGESTION}"
echo " http://cisofy.com/controls/${ADDLINK}/"
done
echo ""
fi
if [ ! "${SWARNINGS}" = "" -o ! "${SSUGGESTIONS}" = "" ]; then
echo " ${CYAN}Follow-up${NORMAL}:"
echo " ${WHITE}----------------------------${NORMAL}"
echo " ${WHITE}-${NORMAL} Check the logfile (less $LOGFILE)"
echo " ${WHITE}-${NORMAL} Read security controls texts (http://cisofy.com)"
echo " ${WHITE}-${NORMAL} Use --upload to upload data (Lynis Enterprise users)"
echo ""
fi
echo "================================================================================"
echo " ${WHITE}Lynis Scanner (details)${NORMAL}:"
echo ""
echo " ${CYAN}Hardening index${NORMAL} : ${WHITE}${HPINDEX}${NORMAL} ${HPGRAPH}"
echo " ${CYAN}Tests performed${NORMAL} : ${WHITE}${CTESTS_PERFORMED}${NORMAL}"
echo " ${CYAN}Plugins enabled${NORMAL} : ${WHITE}${N_PLUGIN_ENABLED}${NORMAL}"
echo ""
echo " ${SECTION}Lynis Modules${NORMAL}:"
# Heuristics will be implemented later
echo " - Heuristics Check [${WHITE}NA${NORMAL}] - Security Audit [${GREEN}V${NORMAL}] - Vulnerability Scan [${GREEN}V${NORMAL}]"
echo ""
echo " ${SECTION}Compliance Checks${NORMAL}:"
# Compliance checks and status will be marked in upcoming releases
echo " - HIPAA [${WHITE}NA${NORMAL}] - PCI [${WHITE}NA${NORMAL}] - SOx [${WHITE}NA${NORMAL}] "
echo ""
echo " ${SECTION}Files${NORMAL}:"
echo " - Test and debug information : ${WHITE}${LOGFILE}${NORMAL}"
echo " - Report data : ${WHITE}${REPORTFILE}${NORMAL}"
echo "================================================================================"
if [ ${PROGRAM_LV} -gt ${PROGRAM_AC} ]; then
echo " ${NOTICE}Notice: ${WHITE}${PROGRAM_name} update available${NORMAL}"
echo " Current version : ${WHITE}${PROGRAM_AC}${NORMAL} Latest version : ${WHITE}${PROGRAM_LV}${NORMAL}"
echo "================================================================================"
else
###########################################################################################
#
# Software quality program
# Only provide this hint when the tool is at the latest version
#
###########################################################################################
if [ ! "${PROGRAM_LV}" = "0" -a ! "${REPORTFILE}" = "" -a ! "${REPORTFILE}" = "/dev/null" ]; then
# Determine if the quality of the program can be increased by filtering out the exceptions
FIND=`${GREPBINARY} "^exception" ${REPORTFILE}`
if [ ! "${FIND}" = "" ]; then
echo ""
echo " ${RED}Exceptions found${NORMAL}"
echo " ${WHITE}Some exceptional events or information was found!${NORMAL}"
echo ""
echo " ${CYAN}What to do:${NORMAL}"
echo " You can help improving Lynis by providing your report file."
echo " Go to http://cisofy.com/contact/ and send your file to the e-mail address listed"
echo ""
echo "================================================================================"
fi
fi
fi
if [ ${SHOW_TOOL_TIPS} -eq 1 ]; then
echo " Tip: Disable all tests which are not relevant or are too strict for the"
echo " purpose of this particular machine. This will remove unwanted suggestions"
echo " and also boost the hardening index. Each test should be properly analyzed"
echo " to see if the related risks can be accepted, before disabling the test."
echo "================================================================================"
fi
echo " ${PROGRAM_name} ${PROGRAM_version}"
echo " ${PROGRAM_copyright}"
echo " ${WHITE}${PROGRAM_extrainfo}${NORMAL}"
echo "================================================================================"
echo ""; echo ""
fi
#
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - cisofy.com - The Netherlands
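Review bot: the results overview is reconstructed by grepping the free-form log with `grep -i 'warning:'` and `grep -i 'suggestion:'` rather than from the structured `report` data, so every log line that merely contains those strings is shown as a finding, including command output that other tests write to the log verbatim (for example the `logtext "Output: ${I}"` lines that record `auditctl -l` rules). Such lines also do not match the `^\[\(.*\)\] Warning: ` sed pattern, so they are printed raw and the `http://cisofy.com/controls/${ADDLINK}/` link is built from the unstripped text. Anchor the grep to the exact, case-sensitive prefix the sed patterns expect (`'\] Warning: '`, `'\] Suggestion: '`), or better, append findings to the report file and read them back from there. Separately, the hardening-index guard only covers `HPPOINTS -eq 0`; if `HPTOTAL` is ever 0 with a non-zero `HPPOINTS`, `expr $HPPOINTS \* 100 / $HPTOTAL` aborts with a division by zero.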

398
include/tests_accounting Normal file

@ -0,0 +1,398 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
InsertSection "Accounting"
#
#################################################################################
#
AUDITD_CONF_LOCS="/etc /etc/audit"
AUDITD_CONF_FILE=""
AUDITD_RUNNING=0
SOLARIS_AUDITD_RUNNING=0
#
#################################################################################
#
# Test : ACCT-2754
# Description : Check availability FreeBSD accounting data
Register --test-no ACCT-2754 --os FreeBSD --weight L --network NO --description "Check for available FreeBSD accounting information"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /var/account/acct ]; then
Display --indent 2 --text "- Checking accounting information..." --result OK --color GREEN
logtext "Result: /var/account/acct available"
AddHP 3 3
else
Display --indent 2 --text "- Checking accounting information..." --result "NOT FOUND" --color YELLOW
logtext "Result: No accounting information available"
logtext "Remark: Possibly there is another location where the accounting data is stored"
ReportSuggestion ${TEST_NO} "Enable process accounting"
AddHP 2 3
fi
fi
#
#################################################################################
#
# Test : ACCT-9622
# Description : Check availability Linux accounting data
# Notes : /var/log/pacct (Slackware)
Register --test-no ACCT-9622 --os Linux --weight L --network NO --description "Check for available Linux accounting information"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Check accounting information"
if [ -f /var/account/pacct ]; then
Display --indent 2 --text "- Checking accounting information..." --result OK --color GREEN
logtext "Result: /var/account/pacct available"
AddHP 3 3
elif [ -f /var/log/account/pacct ]; then
Display --indent 2 --text "- Checking accounting information..." --result OK --color GREEN
logtext "Result: /var/log/account/pacct available"
AddHP 3 3
elif [ -f /var/log/pacct ]; then
Display --indent 2 --text "- Checking accounting information..." --result OK --color GREEN
logtext "Result: /var/log/pacct available"
AddHP 3 3
else
Display --indent 2 --text "- Checking accounting information... " --result "NOT FOUND" --color YELLOW
logtext "Result: No accounting information available (/var/account/pacct does not exist)"
logtext "Remark: Possibly there is another location where the accounting data is stored"
ReportSuggestion ${TEST_NO} "Enable process accounting"
AddHP 2 3
fi
fi
#
#################################################################################
#
# Test : ACCT-9626
# Description : Check sysstat accounting data
Register --test-no ACCT-9626 --os Linux --weight L --network NO --description "Check for sysstat accounting data"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check /etc/default/sysstat presence"
if [ -f /etc/default/sysstat ]; then
logtext "Result: /etc/default/sysstat found"
FIND=`grep "^ENABLED" /etc/default/sysstat | grep -i true`
if [ ! "${FIND}" = "" ]; then
logtext "Result: sysstat enabled via /etc/default/sysstat"
Display --indent 2 --text "- Checking sysstat accounting data" --result ENABLED --color GREEN
else
logtext "Result: sysstat disabled via /etc/default/sysstat"
Display --indent 2 --text "- Checking sysstat accounting data" --result DISABLED --color WHITE
ReportSuggestion ${TEST_NO} "Enable sysstat to collect accounting (disabled)"
fi
elif [ -f /etc/cron.d/sysstat ]; then
FIND=`grep -v '^[[:space:]]*\(#\|$\)' /etc/cron.d/sysstat`
if [ ! "${FIND}" = "" ]; then
logtext "Result: sysstat enabled via /etc/cron.d/sysstat"
Display --indent 2 --text "- Checking sysstat accounting data" --result ENABLED --color GREEN
else
logtext "Result: sysstat disabled via /etc/cron.d/sysstat"
Display --indent 2 --text "- Checking sysstat accounting data" --result DISABLED --color WHITE
ReportSuggestion ${TEST_NO} "Enable sysstat to collect accounting (cron disabled)"
fi
else
logtext "Result: sysstat not found via /etc/default/sysstat or /etc/cron.d/sysstat"
Display --indent 2 --text "- Checking sysstat accounting data" --result "NOT FOUND" --color YELLOW
ReportSuggestion ${TEST_NO} "Enable sysstat to collect accounting (no results)"
fi
fi
#
#################################################################################
#
# Test : ACCT-9628
# Description : Check auditd status
if [ ! "${AUDITDBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no ACCT-9628 --os Linux --weight L --network NO --description "Check for auditd"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Check auditd status"
FIND=`${PSBINARY} ax | grep "auditd" | grep -v "grep" | grep -v "kauditd"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: auditd running"
Display --indent 2 --text "- Checking auditd" --result ENABLED --color GREEN
AUDITD_RUNNING=1
report "audit_deamon_running=1"
AddHP 4 4
else
logtext "Result: auditd not active"
Display --indent 2 --text "- Checking auditd" --result "NOT FOUND" --color WHITE
ReportSuggestion ${TEST_NO} "Enable auditd to collect audit information"
AUDITD_RUNNING=0
report "audit_deamon_running=0"
AddHP 0 1
fi
fi
#
#################################################################################
#
# Test : ACCT-9630
# Description : Check auditd rules
if [ ! "${AUDITDBINARY}" = "" -a ! "${AUDITCTLBINARY}" = "" -a ${AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no ACCT-9630 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for auditd rules"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking auditd rules"
FIND=`${AUDITCTLBINARY} -l | grep -v "No rules"`
if [ "${FIND}" = "" ]; then
logtext "Result: auditd rules empty"
Display --indent 4 --text "- Checking audit rules" --result SUGGESTION --color YELLOW
AddHP 0 2
ReportSuggestion ${TEST_NO} "Audit daemon is enabled with an empty ruleset. Disable the daemon or define rules"
else
logtext "Result: found auditd rules"
Display --indent 4 --text "- Checking audit rules" --result OK --color GREEN
# Log audit daemon rules
FIND=`${AUDITCTLBINARY} -l | sed 's/ /!space!/g'`
for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'`
logtext "Output: ${I}"
done
fi
fi
#
#################################################################################
#
# Test : ACCT-9632
# Description : Check auditd configuration file
if [ ! "${AUDITDBINARY}" = "" -a ${AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no ACCT-9632 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for auditd configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking auditd configuration file"
for I in ${AUDITD_CONF_LOCS}; do
if [ -f ${I}/auditd.conf ]; then
AUDITD_CONF_FILE="${I}/auditd.conf"
logtext "Result: Found ${I}/auditd.conf"
else
logtext "Result: ${I}/auditd.conf not found"
fi
done
# Check if we discovered the configuration file. It should be there is the binaries are available and process is running
if [ ! "${AUDITD_CONF_FILE}" = "" ]; then
Display --indent 4 --text "- Checking audit configuration file" --result OK --color GREEN
else
logtext "Result: could not find auditd configuration file"
Display --indent 4 --text "- Checking audit configuration file" --result WARNING --color RED
ReportSuggestion ${TEST_NO} "Determine the location of auditd configuration file"
fi
fi
#
#################################################################################
#
# Test : ACCT-9634
# Description : Check auditd log file
if [ ! "${AUDITDBINARY}" = "" -a ${AUDITD_RUNNING} -eq 1 -a ! "${AUDITD_CONF_FILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no ACCT-9634 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for auditd log file"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking auditd log file"
FIND=`grep "^log_file" ${AUDITD_CONF_FILE} | ${AWKBINARY} '{ if ($1=="log_file" && $2=="=") { print $3 } }'`
if [ ! "${FIND}" = "" ]; then
logtext "Result: log file is defined"
logtext "Defined value: ${FIND}"
if [ -f ${FIND} ]; then
logtext "Result: log file ${FIND} exists on disk"
Display --indent 4 --text "- Checking auditd log file" --result FOUND --color GREEN
report "logfile[]=${FIND}"
else
logtext "Result: can't find log file ${FIND} on disk"
Display --indent 4 --text "- Checking auditd log file" --result SUGGESTION --color YELLOW
ReportSuggestion ${TEST_NO} "Check auditd log file location"
fi
else
logtext "Result: no log file found"
Display --indent 4 --text "- Checking auditd log file" --result WARNING --color RED
ReportWarning ${TEST_NO} "L" "Auditd log file is defined but can not be found on disk"
fi
fi
#
#################################################################################
#
# Test : ACCT-9650
# Description : Check Solaris audit daemon presence
Register --test-no ACCT-9650 --os Solaris --weight L --network NO --description "Check Solaris audit daemon"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check if audit daemon is running"
FIND=`${PSBINARY} ax | grep "/auditd" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: Solaris audit daemon is running"
SOLARIS_AUDITD_RUNNING=1
Display --indent 2 --text "- Checking Solaris audit daemon status" --result RUNNING --color GREEN
else
logtext "Result: Solaris audit daemon is not running"
Display --indent 2 --text "- Checking Solaris audit daemon status" --result "NOT RUNNING" --color YELLOW
fi
fi
#
#################################################################################
#
# Test : ACCT-9652
# Description : Check Solaris auditd service status
if [ -x /usr/bin/svcs -a ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no ACCT-9652 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check auditd SMF status"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check if auditd service is enabled and online"
FIND=`/usr/bin/svcs svc:/system/auditd:default | grep "^online"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: auditd service is online"
Display --indent 4 --text "- Checking Solaris audit daemon status" --result ONLINE --color GREEN
else
Display --indent 4 --text "- Checking Solaris audit daemon status" --result WARNING --color YELLOW
# YYY
fi
fi
#
#################################################################################
#
# Test : ACCT-9654
# Description : Check Solaris Basic Security Mode (BSM) in /etc/system
if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no ACCT-9654 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check BSM auditing in /etc/system"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check if BSM is enabled in /etc/system"
if [ -f /etc/system ]; then
FIND=`grep 'set c2audit:audit_load = 1' /etc/system`
if [ ! "${FIND}" = "" ]; then
logtext "Result: BSM is enabled in /etc/system"
Display --indent 4 --text "- Checking Solaris BSM (/etc/system)" --result ENABLED --color GREEN
else
Display --indent 4 --text "- Checking Solaris BSM (/etc/system)" --result "NOT FOUND" --color YELLOW
fi
else
logtext "Result: /etc/system does not exist"
fi
fi
#
#################################################################################
#
# Test : ACCT-9656
# Description : Check Solaris BSM (c2audit) module status
if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no ACCT-9656 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check BSM auditing in module list"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check if c2audit module is active"
if [ -x /usr/sbin/modinfo ]; then
FIND=`/usr/sbin/modinfo | grep c2audit`
if [ ! "${FIND}" = "" ]; then
logtext "Result: c2audit found in modinfo output"
Display --indent 4 --text "- Checking Solaris BSM (modules list)" --result ENABLED --color GREEN
else
logtext "Result: c2audit not found in modinfo output"
Display --indent 4 --text "- Checking Solaris BSM (modules list)" --result "NOT FOUND" --color YELLOW
fi
else
logtext "Result: /usr/sbin/modinfo does not exist, skipping test"
fi
fi
#
#################################################################################
#
# Test : ACCT-9658
# Description : Check required audit files in /etc/security
#if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no ACCT-9658 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check required audit files"
#if [ ${SKIPTEST} -eq 0 ]; then
#fi
#
#################################################################################
#
# Test : ACCT-9662
# Description : Check location for audit events
if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no ACCT-9660 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check location of audit events"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check /etc/security/audit_control for event logging location"
if [ -f /etc/security/audit_control ]; then
logtext "Result: file /etc/security/audit_control found"
FIND=`grep "^dir" /etc/security/audit_control | ${AWKBINARY} -F: '{ print $2 }'`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found location ${FIND}"
logtext "Test: Checking if location is a valid directory"
if [ -d ${FIND} ]; then
logtext "Result: location ${FIND} is valid"
Display --indent 4 --text "- Checking Solaris audit location" --result FOUND --color GREEN
else
logtext "Result: location ${FIND} does not exist"
# YYY perform manual audit
Display --indent 4 --text "- Checking Solaris audit location" --result UNKNOWN --color YELLOW
fi
else
logtext "Result: unknown event location"
Display --indent 4 --text "- Checking Solaris audit location" --result UNKNOWN --color YELLOW
fi
else
logtext "Result: could not find /etc/security/audit_control"
Display --indent 4 --text "- Checking Solaris audit location" --result SKIPPED --color YELLOW
fi
fi
#
#################################################################################
#
# Test : ACCT-9662
# Description : Check which events are audited
#if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no ACCT-9660 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check BSM auditing in module list"
#if [ ${SKIPTEST} -eq 0 ]; then
#
#################################################################################
#
# Test : ACCT-9664
# Description : Check user specific event auditing
#if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no ACCT-9662 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check BSM auditing in module list"
#if [ ${SKIPTEST} -eq 0 ]; then
#
#################################################################################
#
# Test : ACCT-9672
# Description : check auditstat
if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no ACCT-9662 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Solaris auditing stats"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Check auditing statistics"
if [ -x /usr/sbin/auditstat ]; then
FIND=`/usr/sbin/auditstat | tr -s ' ' ','`
for I in ${FIND}; do
logtext "Output: ${I}"
done
Display --indent 4 --text "- Checking Solaris audit statistics" --result DONE --color GREEN
else
logtext "Result: /usr/sbin/auditstat not found, skipping test"
Display --indent 4 --text "- Checking Solaris audit statistics" --result SKIPPED --color YELLOW
fi
fi
#
#################################################################################
#
# Test : ACCT-9680
# Description : Check if required packages are installed
#if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no ACCT-9662 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check BSM auditing in module list"
#if [ ${SKIPTEST} -eq 0 ]; then
#
# Solaris 10 packages
# bash-3.00# pkginfo | egrep 'SUNWcar|SUNWcsr|SUNWcsu|SUNWhea|SUNWman'
#system SUNWcar Core Architecture, (Root)
#system SUNWcsr Core Solaris, (Root)
#system SUNWcsu Core Solaris, (Usr)
#system SUNWhea SunOS Header Files
#system SUNWman On-Line Manual Pages
#
#################################################################################
#
# Check psacct package (ac, lastcomm, accton, sa)
# Check auditd (auditctl, ausearch, aureport)
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - http://cisofy.com - The Netherlands
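Review bot: ACCT-9672 is registered under the wrong test ID. The header says "# Test : ACCT-9672" but the next line reads 'Register --test-no ACCT-9662 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Solaris auditing stats"', so ${TEST_NO}, the log file and any profile skip entry for this check all refer to ACCT-9662, which is the (still commented-out) "Check which events are audited" test. The disabled stubs for ACCT-9662, ACCT-9664 and ACCT-9680 carry the same copy-pasted "--test-no" and the description "Check BSM auditing in module list"; correct them before they are enabled. In the audit_control check, 'FIND=`grep "^dir" /etc/security/audit_control | ${AWKBINARY} -F: '{ print $2 }'`' returns every dir: line; if the file has more than one, '[ -d ${FIND} ]' receives several words and the test aborts with a shell error instead of reporting UNKNOWN, so take the first line (or loop over all of them) and quote the variable.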

1325
include/tests_authentication Normal file

File diff suppressed because it is too large

250
include/tests_banners Normal file

@ -0,0 +1,250 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Banners and identification
#
#################################################################################
#
InsertSection "Banners and identification"
# Display --indent 2 --text "- Checking banners..."
#
#################################################################################
#
BANNER_FILES="/etc/issue /etc/issue.net /etc/motd"
LEGAL_BANNER_STRINGS="access authorized legal monitor owner policy policies private prohibited restricted this unauthorized"
#
#################################################################################
#
# Test : BANN-7113
# Description : Check FreeBSD COPYRIGHT banner file
Register --test-no BANN-7113 --os FreeBSD --weight L --network NO --description "Check COPYRIGHT banner file"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Testing existence /COPYRIGHT or /etc/COPYRIGHT"
if [ -f /COPYRIGHT ]; then
Display --indent 2 --text "- /COPYRIGHT" --result FOUND --color GREEN
if [ -s /COPYRIGHT ]; then
logtext "Result: /COPYRIGHT available and contains text"
else
logtext "Result: /COPYRIGHT available, but empty"
fi
else
Display --indent 2 --text "- /COPYRIGHT" --result "NOT FOUND" --color WHITE
logtext "Result: /COPYRIGHT not found"
fi
if [ -f /etc/COPYRIGHT ]; then
Display --indent 2 --text "- /etc/COPYRIGHT" --result FOUND --color GREEN
if [ -s /etc/COPYRIGHT ]; then
logtext "Result: /etc/COPYRIGHT available and contains text"
else
logtext "Result: /etc/COPYRIGHT available, but empty"
fi
else
Display --indent 2 --text "- /etc/COPYRIGHT" --result "NOT FOUND" --color WHITE
logtext "Result: /etc/COPYRIGHT not found"
fi
fi
#
#################################################################################
#
# Test : BANN-7119
# Description : Check MOTD banner file
Register --test-no BANN-7119 --weight L --network NO --description "Check MOTD banner file"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Testing existence /etc/motd"
if [ -f /etc/motd ]; then
logtext "Result: file /etc/motd exists"
Display --indent 2 --text "- /etc/motd..." --result FOUND --color GREEN
if [ ! -L /etc/motd ]; then
IsWorldWritable /etc/motd
if [ "${FileIsWorldWritable}" = "TRUE" ]; then
Display --indent 4 --text "- /etc/motd permissions..." --result WARNING --color RED
logtext "Result: /etc/motd is world writable. Users can change this file!"
ReportWarning ${TEST_NO} "H" "/etc/motd is world writable"
else
Display --indent 4 --text "- /etc/motd permissions..." --result OK --color GREEN
logtext "Result: /etc/motd is not world writable."
fi
else
logtext "Result: file /etc/motd is symlink"
fi
else
logtext "Result: File /etc/motd not found"
Display --indent 2 --text "- /etc/motd..." --result "NOT FOUND" --color WHITE
fi
fi
#
#################################################################################
#
# Test : BANN-7122
# Description : Check motd file to see if it contains some form of message
# to discourage unauthorized users to leave the system alone
if [ -f /etc/motd -a ! -L /etc/motd ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no BANN-7122 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check /etc/motd banner file contents"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
logtext "Test: Checking file /etc/motd contents for legal key words"
for I in ${LEGAL_BANNER_STRINGS}; do
FIND=`grep -i "${I}" /etc/motd`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found string '${I}'"
N=`expr ${N} + 1`
fi
done
# Check if we have 5 or more key words
if [ ${N} -gt 4 ]; then
logtext "Result: Found ${N} key words, to warn unauthorized users"
Display --indent 4 --text "- /etc/motd contents..." --result OK --color GREEN
AddHP 2 2
else
logtext "Result: Found only ${N} key words, to warn unauthorized users and could be increased"
Display --indent 4 --text "- /etc/motd contents..." --result WEAK --color YELLOW
ReportSuggestion ${TEST_NO} "Add legal banner to /etc/motd, to warn unauthorized users"
AddHP 0 1
fi
fi
#
#################################################################################
#
# Test : BANN-7124
# Description : Check issue banner file
Register --test-no BANN-7124 --weight L --network NO --description "Check issue banner file"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking file /etc/issue"
if [ -f /etc/issue ]; then
# Check for symlink
if [ -L /etc/issue ]; then
logtext "Result: file /etc/issue exists (symlink)"
Display --indent 2 --text "- /etc/issue..." --result SYMLINK --color GREEN
else
Display --indent 2 --text "- /etc/issue..." --result FOUND --color GREEN
fi
else
logtext "Result: file /etc/issue does not exist"
Display --indent 2 --text "- /etc/issue..." --result "NOT FOUND" --color WHITE
fi
fi
#
#################################################################################
#
# Test : BANN-7126
# Description : Check issue file to see if it contains some form of message
# to discourage unauthorized users to leave the system alone
if [ -f /etc/issue ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no BANN-7126 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check issue banner file contents"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
logtext "Test: Checking file /etc/issue contents for legal key words"
for I in ${LEGAL_BANNER_STRINGS}; do
FIND=`grep -i "${I}" /etc/issue`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found string '${I}'"
N=`expr ${N} + 1`
fi
done
# Check if we have 5 or more key words
if [ ${N} -gt 4 ]; then
logtext "Result: Found ${N} key words (5 or more suggested), to warn unauthorized users"
Display --indent 4 --text "- /etc/issue contents..." --result OK --color GREEN
AddHP 2 2
else
logtext "Result: Found only ${N} key words (5 or more suggested), to warn unauthorized users and could be increased"
Display --indent 4 --text "- /etc/issue contents..." --result WEAK --color YELLOW
ReportSuggestion ${TEST_NO} "Add a legal banner to /etc/issue, to warn unauthorized users"
AddHP 0 1
fi
fi
#
#################################################################################
#
# Test : BANN-7128
# Description : Check issue.net banner file
Register --test-no BANN-7128 --weight L --network NO --description "Check issue.net banner file"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking file /etc/issue.net"
if [ -f /etc/issue.net ]; then
# Check for symlink
if [ -L /etc/issue.net ]; then
logtext "Result: file /etc/issue.net exists (symlink)"
Display --indent 2 --text "- /etc/issue.net..." --result SYMLINK --color GREEN
else
logtext "Result: file /etc/issue.net exists"
Display --indent 2 --text "- /etc/issue.net..." --result FOUND --color GREEN
fi
else
logtext "Result: file /etc/issue.net does not exist"
Display --indent 2 --text "- /etc/issue.net..." --result "NOT FOUND" --color WHITE
fi
fi
#
#################################################################################
#
# Test : BANN-7130
# Description : Check issue.net file to see if it contains some form of message
# to discourage unauthorized users to leave the system alone
if [ -f /etc/issue.net ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no BANN-7130 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check issue.net banner file contents"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
logtext "Test: Checking file /etc/issue.net contents for legal key words"
for I in ${LEGAL_BANNER_STRINGS}; do
FIND=`grep -i "${I}" /etc/issue.net`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found string '${I}'"
N=`expr ${N} + 1`
fi
done
# Check if we have 5 or more key words
if [ ${N} -gt 4 ]; then
logtext "Result: Found ${N} key words, to warn unauthorized users"
Display --indent 4 --text "- /etc/issue.net contents..." --result OK --color GREEN
AddHP 2 2
else
logtext "Result: Found only ${N} key words, to warn unauthorized users and could be increased"
Display --indent 4 --text "- /etc/issue.net contents..." --result WEAK --color YELLOW
ReportSuggestion ${TEST_NO} "Add legal banner to /etc/issue.net, to warn unauthorized users"
AddHP 0 1
fi
fi
#
#################################################################################
#
# /etc/dt/config/*/Xresources
# /etc/default/telnetd (telnet without TCP wrappers)
# /etc/default/ftpd (ftp without TCP wrappers)
# /etc/ftpd/banner.msg (ftp without TCP wrappers on Solaris)
# /etc/ftpaccess (HP-UX)
# /etc/ftpmotd (AIX)
# /etc/ftpaccess.ctl (AIX)
# /etc/security/login.cfg (AIX)
# /etc/X11/xdm/Xresources
# /etc/X11/xdm/kdmrc
# /etc/X11/gdm/gdm
# /etc/vsftpd.conf
#
#################################################################################
#
wait_for_keypress
#
#################################################################################
#
# Notes:
# HPUX: /etc/copyright
#
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
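Review bot: the keyword scoring in BANN-7122, BANN-7126 and BANN-7130 over-counts. LEGAL_BANNER_STRINGS includes "this", which nearly every default /etc/motd or /etc/issue contains, and 'grep -i "${I}"' matches substrings, so "policy" and "policies" are two hits from one word and "legal" is also hit by "illegal". A stock distribution banner with no legal notice can therefore pass the 'N -gt 4' threshold and earn the OK. Drop "this", match whole words (grep -iw) and count distinct keywords rather than list entries. Separately, BANN-7122 is gated on '! -L /etc/motd' and BANN-7119 only logs "file /etc/motd is symlink" and skips the world-writable check, so a symlinked /etc/motd gets neither the content test nor the permission test; resolve the link and test its target instead of skipping. The commented-out 'Display --indent 2 --text "- Checking banners..."' under InsertSection is leftover and can go.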

522
include/tests_boot_services Normal file

@ -0,0 +1,522 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Category: Boot and services
#
#################################################################################
#
InsertSection "Boot and services"
#
#################################################################################
#
Display --indent 2 --text "- Checking boot loaders"
BOOT_LOADER="Unknown"
#
#################################################################################
#
# Test : BOOT-5121
# Description : Check for GRUB boot loader
Register --test-no BOOT-5121 --weight L --network NO --description "Check for GRUB boot loader presence"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
logtext "Test: Checking for presence GRUB conf file (/boot/grub/grub.conf or /boot/grub/menu.lst)..."
if [ -f /boot/grub/grub.conf -o -f /boot/grub/menu.lst ]; then
FOUND=1
BOOT_LOADER="GRUB"
Display --indent 4 --text "- Checking presence GRUB... " --result "OK" --color GREEN
if [ -f /boot/grub/grub.conf ]; then GRUBCONFFILE="/boot/grub/grub.conf"; else GRUBCONFFILE="/boot/grub/menu.lst"; fi
logtext "Found file ${GRUBCONFFILE}, proceeding with tests."
FIND=`cat ${GRUBCONFFILE} | grep 'password --md5' | grep -v '^#'`
FIND2=`cat ${GRUBCONFFILE} | grep 'password --encrypted' | grep -v '^#'`
if [ "${FIND}" = "" -a "${FIND2}" = "" ]; then
Display --indent 6 --text "- Checking for password protection..." --result WARNING --color RED
logtext "Result: Didn't find MD5/SHA1 hashed password line in GRUB boot file!"
logtext "Risk: user can switch to single user mode by editing current menu items or bypassing them."
logtext "Additional information: Do NOT use a plaintext password, since the grub.conf or menu.lst file is most likely to be world readable!"
logtext "If an unsecured OS like DOS is used, add 'lock' below that entry and setup a password with the password option, to prevent direct system access."
ReportWarning ${TEST_NO} "M" "No password set on GRUB bootloader"
logtext "Tip: Run grub-crypt or grub-md5-crypt and create a hashed password. Add a line below the line timeout=<value>, add: password --md5 <password hash> or password --encrypted <password hash> for SHA1 encrypted password"
AddHP 0 2
else
Display --indent 6 --text "- Checking for password protection..." --result OK --color GREEN
logtext "Result: GRUB has password protection."
AddHP 4 4
fi
fi
# GRUB2 configuration file
if [ -f /boot/grub/grub.cfg ]; then
FOUND=1
BOOT_LOADER="GRUB2"
Display --indent 4 --text "- Checking presence GRUB2... " --result FOUND --color GREEN
logtext "Result: found GRUB2 configuration file (/boot/grub/grub.cfg)"
# YYY password check, when documentation of GRUB2 project is improved
# YYY Add check permission check (600)
ReportManual "${TEST_NO}:01"
fi
if [ ${FOUND} -eq 0 ]; then
Display --indent 4 --text "- Checking presence GRUB... " --result "NOT FOUND" --color WHITE
logtext "Result: no GRUB configuration file found."
fi
fi
#
#################################################################################
#
# Test : BOOT-5124
# Description : Check for FreeBSD boot loader
Register --test-no BOOT-5124 --os FreeBSD --weight L --network NO --description "Check for FreeBSD boot loader presence"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /boot/boot1 -a -f /boot/boot2 -a -f /boot/loader ]; then
logtext "Result: found boot1, boot2 and loader files in /boot"
Display --indent 4 --text "- Checking presence FreeBSD loader" --result FOUND --color GREEN
BOOT_LOADER="FreeBSD"
else
logtext "Result: Not all expected files found in /boot"
Display --indent 4 --text "- Checking presence FreeBSD loader" --result "NOT FOUND" --color WHITE
fi
fi
#
#################################################################################
#
# Test : BOOT-5126
# Description : Check for NetBSD boot loader
Register --test-no BOOT-5126 --os NetBSD --weight L --network NO --description "Check for NetBSD boot loader presence"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /boot.${HARDWARE} -o -f /boot -o -f /ofwboot ]; then
logtext "Result: found NetBSD secondary bootstrap"
Display --indent 4 --text "- Checking presence NetBSD loader" --result FOUND --color GREEN
BOOT_LOADER="NetBSD"
else
logtext "Result: NetBSD secondary bootstrap not found"
Display --indent 4 --text "- Checking presence FreeBSD loader" --result "NOT FOUND" --color YELLOW
ReportException "${TEST_NO}:1" "No boot loader found on NetBSD"
fi
fi
#
#################################################################################
#
# Test : BOOT-5139
# Description : Check for LILO boot loader
# Notes : password= or password =
Register --test-no BOOT-5139 --weight L --network NO --description "Check for LILO boot loader presence"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking for presence LILO configuration file..."
if [ -f /etc/lilo.conf ]; then
BOOT_LOADER="LILO"
Display --indent 4 --text "- Checking presence LILO... " --result "OK" --color GREEN
logtext "Checking password option LILO..."
FIND=`cat /etc/lilo.conf | ${EGREPBINARY} 'password[[:space:]]?=' | grep -v "^#"`
if [ "${FIND}" = "" ]; then
Display --indent 6 --text "- Password option presence " --result "WARNING" --color RED
logtext "Result: no password set for LILO. Bootloader is unprotected to"
logtext "dropping to single user mode or unauthorized access to devices/data."
ReportSuggestion ${TEST_NO} "Add a password to LILO, by adding a line to the lilo.conf file, above the first line saying 'image=<name>': password=<password>"
ReportWarning ${TEST_NO} "M" "No password set on LILO bootloader"
AddHP 0 2
else
Display --indent 6 --text "- Password option presence " --result "OK" --color GREEN
logtext "Result: LILO password option set"
AddHP 4 4
fi
#YYY (making /etc/lilo.conf immutable is a good idea, chattr +i /etc/lilo.conf)
else
Display --indent 4 --text "- Checking presence LILO... " --result "NOT FOUND" --color WHITE
logtext "Result: LILO configuration file not found"
fi
fi
#
#################################################################################
#
# Test : BOOT-5142
# Description : Check for SILO boot loader
Register --test-no BOOT-5142 --weight L --network NO --description "Check SPARC Improved boot loader (SILO)"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /etc/silo.conf ]; then
logtext "Result: Found SILO configuration file (/etc/silo.conf)"
Display --indent 4 --text "- Checking boot loader SILO" --result FOUND --color GREEN
BOOT_LOADER="SILO"
else
logtext "Result: no SILO configuration file found."
Display --indent 4 --text "- Checking boot loader SILO" --result "NOT FOUND" --color WHITE
fi
fi
#
#################################################################################
#
# Test : BOOT-5144
# Description : Check for SILO boot loader consistency
# Notes : To be tested on Gentoo
# Register --test-no BOOT-5144 --weight L --network NO --description "Check SPARC Improved boot loader (SILO)"
# if [ ${SKIPTEST} -eq 0 ]; then
# if [ -f /etc/silo.conf -a -x /sbin/silo ]; then
# FIND=`/sbin/silo | grep "appears to be valid"`
# if [ ! "${FIND}" = "" ]; then
# logtext "Result: Found SILO configuration file (/etc/silo.conf)"
# Display --indent 6 --text "- Checking SILO consistency" --result OK --color GREEN
# else
# logtext "Result: no positive result received from silo binary"
# ReportWarning ${TEST_NO} "Possible issue with boot loader (SILO)"
# Display --indent 6 --text "- Checking SILO consistency" --result WARNING --color RED
# fi
# fi
# fi
#
#################################################################################
#
# Test : BOOT-5155
# Description : Check for YABOOT boot loader
Register --test-no BOOT-5155 --weight L --network NO --description "Check for YABOOT boot loader configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Check for /etc/yaboot.conf"
if [ -f /etc/yaboot.conf ]; then
logtext "Result: Found YABOOT configuration file (/etc/yaboot.conf)"
Display --indent 4 --text "- Checking boot loader YABOOT" --result FOUND --color GREEN
#YYY add permission check
BOOT_LOADER="YABOOT"
else
logtext "Result: no YABOOT configuration file found."
Display --indent 4 --text "- Checking boot loader YABOOT" --result "NOT FOUND" --color WHITE
fi
fi
#
#################################################################################
#
# Test : BOOT-5159
# Description : Check for OpenBSD boot loader
# More info : only OpenBSD && i386 platform
Register --test-no BOOT-5159 --os OpenBSD --platform i386 --weight L --network NO --description "Check for OpenBSD i386 boot loader presence"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /etc/boot.conf ]; then
Display --indent 2 --text "- Checking /etc/boot.conf..." --result "FOUND" --color GREEN
FIND=`grep '^boot' /etc/boot.conf`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking boot option..." --result WARNING --color RED
ReportSuggestion ${TEST_NO} "Add 'boot' to the /etc/boot.conf file to disable the default 5 seconds waiting time, to disallow booting into single user mode."
ReportWarning ${TEST_NO} "M" "System can be booted into single user mode without password"
else
Display --indent 4 --text "- Checking boot option..." --result OK --color GREEN
logtext "Ok, boot option is enabled."
fi
else
Display --indent 2 --text "- Checking /etc/boot.conf..." --result "NOT FOUND" --color YELLOW
logtext "Result: no /etc/boot.conf found. When using the default boot loader, physical"
logtext "access to the server can be used to possibly enter single user mode."
ReportSuggestion ${TEST_NO} "Add 'boot' to the /etc/boot.conf file to disable the default 5 seconds waiting time."
fi
fi
#
#################################################################################
#
# Test : BOOT-5165
# Description : Check for FreeBSD boot services
Register --test-no BOOT-5165 --os FreeBSD --weight L --network NO --description "Check for FreeBSD boot services"
if [ ${SKIPTEST} -eq 0 ]; then
# FreeBSD (Read /etc/rc.conf file for enabled services)
logtext "Searching for services at startup (rc.conf)..."
FIND=`egrep -v -i '^#|none' /etc/rc.conf | egrep -i '_enable.*(yes|on|1)' | sort | awk -F= '{ print $1 }' | sed 's/_enable//'`
N=0
for I in ${FIND}; do
logtext "Found service (rc.conf): ${I}"
report "boottask[]=${I}"
N=`expr ${N} + 1`
done
Display --indent 2 --text "- Checking services at startup (rc.conf)..." --result "DONE" --color GREEN
Display --indent 6 --text "Result: found $N services/options set"
logtext "Found $N services/options to run at startup"
fi
#
#################################################################################
#
# Test : BOOT-5166
# Description : Check for /etc/rc.local file (and contents)
#
#################################################################################
#
# Test : BOOT-5177
# Description : Check for Linux boot services (systemd and chkconfig)
# Notes : We skip using chkconfig if systemd is being used.
Register --test-no BOOT-5177 --os Linux --weight L --network NO --description "Check for Linux boot and running services"
if [ ${SKIPTEST} -eq 0 ]; then
CHECKED=0
logtext "Test: checking presence systemctl binary"
# Determine if we have systemctl on board
if [ ! "${SYSTEMCTLBINARY}" = "" ]; then
logtext "Result: systemctl binary found, trying that to discover information"
# Running services
logtext "Searching for running services (systemctl services only)"
FIND=`${SYSTEMCTLBINARY} --full --type=service | awk '{ if ($4=="running") { print $1 } }' | awk -F. '{ print $1 }'`
N=0
report "running_service_tool=systemctl"
for I in ${FIND}; do
logtext "Found running service: ${I}"
report "running_service[]=${I}"
N=`expr ${N} + 1`
done
logtext "Suggestion: Run systemctl --full --type=service to see all services"
Display --indent 2 --text "- Check running services (systemctl)... " --result "DONE" --color GREEN
Display --indent 8 --text "Result: found $N running services"
logtext "Result: Found $N enabled services"
# Services at boot
logtext "Searching for enabled services (systemctl services only)"
FIND=`${SYSTEMCTLBINARY} list-unit-files --type=service | awk '{ if ($2=="enabled") { print $1 } }' | awk -F. '{ print $1 }'`
N=0
report "boot_service_tool=systemctl"
for I in ${FIND}; do
logtext "Found enabled service at boot: ${I}"
report "boot_service[]=${I}"
N=`expr ${N} + 1`
done
logtext "Suggestion: Run systemctl list-unit-files --type=service to see all services"
Display --indent 2 --text "- Check enabled services at boot (systemctl)... " --result "DONE" --color GREEN
Display --indent 8 --text "Result: found $N enabled services"
logtext "Result: Found $N running services"
else
logtext "Result: systemctl binary not found, checking chkconfig binary"
if [ ! "${CHKCONFIGBINARY}" = "" ]; then
logtext "Result: chkconfig binary found, trying that to discover information"
logtext "Searching for services at startup (chkconfig, runlevel 3 and 5)... "
FIND=`${CHKCONFIGBINARY} --list | egrep '3:on|5:on' | awk '{ print $1 }'`
N=0
report "boot_service_tool=chkconfig"
for I in ${FIND}; do
logtext "Found service (at boot, runlevel 3 or 5): ${I}"
report "boot_service[]=${I}"
N=`expr ${N} + 1`
done
logtext "Suggestion: Run chkconfig --list to see all services and disable unneeded services"
Display --indent 2 --text "- Check services at startup (chkconfig)... " --result "DONE" --color GREEN
Display --indent 8 --text "Result: found $N services"
logtext "Result: Found $N services at startup"
else
logtext "Result: both systemctl and chkconfig not found. Skipping this test"
fi
fi
fi
#
#################################################################################
#
# Test : BOOT-5178
# Description : Check for Linux boot services (Red Hat style)
# if [ ! "${CHKCONFIGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Register --test-no BOOT-5178 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for unneeded Linux boot services (Red Hat style)"
# if [ ${SKIPTEST} -eq 0 ]; then
# N=0
# N=`expr ${N} + 1`
#* mctrans (if selinux is NOT enabled)
#* restorecond (if selinux is NOT enabled) --> and is it really needed?
#
# if profile is server, warn if found:
#* pcscd (if profile=server)
#* avahi-daemon
# Redhat: /etc/sysconfig/network
# check if NOZEROCONF=yes is available
#
#* xfs (if /usr/bin/startx is not found)
#
#if [ ! -f /etc/mdadm.conf -a ! -f /etc/mdadm/mdadm.conf ]; then
#* mdmonitor
#
#
#* firstboot
# Display warning if [ ! -f /etc/reconfigSys ]
# AND "RUN_FIRSTBOOT=YES" is NOT in /etc/sysconfig/firstboot
#
#* acpid
# Display warning if no modules are loaded (lsmod | grep -i acpi)
#
#
# fi
#
#################################################################################
#
# Test : BOOT-5180
# Description : Check for Linux boot services (Debian style)
if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no BOOT-5180 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for Linux boot services (Debian style)"
if [ ${SKIPTEST} -eq 0 ]; then
# YYY runlevel check
sRUNLEVEL=`${RUNLEVELBINARY} | grep "N 2"`
if [ ! "${sRUNLEVEL}" = "" ]; then
FIND=`find /etc/rc2.d -type l -print | cut -d '/' -f4 | sed "s/S[0-9][0-9]//g" | sort`
if [ ! "${FIND}" = "" ]; then
N=0
for I in ${FIND}; do
logtext "Found service (at boot, runlevel 2): ${I}"
N=`expr ${N} + 1`
done
Display --indent 2 --text "- Check services at startup (rc2.d)... " --result "DONE" --color WHITE
Display --indent 4 --text "Result: found $N services"
logtext "Found $N services"
fi
else
ReportSuggestion ${TEST_NO} "Determine runlevel and services at startup"
fi
fi
#
#################################################################################
#
# Test : BOOT-5184
# Description : Check world writable startup scripts
Register --test-no BOOT-5184 --os Linux --weight L --network NO --description "Check permissions for boot files/scripts"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
CHECKDIRS="/etc/init.d /etc/rc.d /etc/rcS.d"
logtext "Result: checking /etc/init.d scripts for writable bit"
for I in ${CHECKDIRS}; do
logtext "Test: checking if directory ${I} exists"
if [ -d ${I} ]; then
logtext "Result: directory ${I} found"
logtext "Test: checking for available files in directory"
FIND=`find ${I} -type f -print`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found files in directory, checking permissions now"
for J in ${FIND}; do
logtext "Test: checking permissions of file ${J}"
IsWorldWritable ${J}
if [ "${FileIsWorldWritable}" = "TRUE" ]; then
ReportWarning ${TEST_NO} "H" "Found writable startup script ${J}"
logtext "Result: warning, file ${J} is world writable"
FOUND=1
else
logtext "Result: good, file ${J} not world writable"
fi
done
else
logtext "Result: found no files in directory."
fi
else
logtext "Result: directory ${I} not found. Skipping.."
fi
done
# /etc/rc[0-6].d
for NO in 0 1 2 3 4 5 6; do
logtext "Test: Checking /etc/rc${NO}.d scripts for writable bit"
if [ -d /etc/rc${NO}.d ]; then
FIND=`find /etc/rc${NO}.d -type f -print`
for I in ${FIND}; do
IsWorldWritable ${I}
if [ "${FileIsWorldWritable}" = "TRUE" ]; then
ReportWarning ${TEST_NO} "H" "Found writable startup script ${I}"
logtext "Result: warning, file ${I} is world writable"
FOUND=1
else
logtext "Result: good, file ${I} not world writable"
fi
done
fi
done
# Other files
CHECKFILES="/etc/rc /etc/rc.local /etc/rc.d/rc.sysinit"
for I in ${CHECKFILES}; do
if [ -f ${I} ]; then
logtext "Test: Checking ${I} file for writable bit"
IsWorldWritable ${I}
if [ "${FileIsWorldWritable}" = "TRUE" ]; then
ReportWarning ${TEST_NO} "H" "Found writable startup script ${I}"
FOUND=1
logtext "Result: warning, file ${I} is world writable"
else
logtext "Result: good, file ${I} not world writable"
fi
fi
done
# Check results
if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Check startup files (permissions)... " --result "WARNING" --color RED
ReportWarning ${TEST_NO} "H" "One or more startup files can be overwritten by all users"
ReportSuggestion ${TEST_NO} "Check startup scripts for world write access and change permissions if needed"
logtext "Result: found one or more scripts which are possibly writable by other users"
AddHP 0 3
else
Display --indent 2 --text "- Check startup files (permissions)... " --result "OK" --color GREEN
AddHP 3 3
fi
fi
#
#################################################################################
#
# Add autostart services, like from KDE/Gnome
# Test : BOOT-5102
# Description : Check for tasks which are autostarted via /etc/inittab
#Register --test-no BOOT-5102 --weight L --network NO --description "Check inittab for services"
#if [ ${SKIPTEST} -eq 0 ]; then
#fi
#YYY check against static list?
#
#################################################################################
#
# Test : BOOT-5202
# Description : Check uptime of system
Register --test-no BOOT-5202 --weight L --network NO --description "Check uptime of system"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
FIND=""
case "${OS}" in
Linux)
# Idle time, not real uptime
if [ -f /proc/uptime ]; then
FIND=`cat /proc/uptime | cut -d ' ' -f1 | cut -d '.' -f1`
else
Display --indent 2 --text "- Checking uptime" --result SKIPPED --color YELLOW
ReportException "${TEST_NO}:1" "No uptime test available for this operating system (/proc/uptime missing)"
fi
;;
Solaris)
if [ ! "${KSTATBINARY}" = "" ]; then
FIND=`${KSTATBINARY} -p unix:0:system_misc:snaptime | grep "^unix" | awk '{print $2}' | cut -d "." -f1`
else
Display --indent 2 --text "- Checking uptime" --result SKIPPED --color YELLOW
ReportException "${TEST_NO}:2" "No uptime test available for this operating system (kstat missing)"
fi
;;
*)
Display --indent 2 --text "- Checking uptime" --result SKIPPED --color YELLOW
# Want to help improving Lynis? Share your operating system and a way to determine the uptime (in seconds)
ReportException "${TEST_NO}:3" "No uptime test available yet for this operating system"
;;
esac
if [ ! "${FIND}" = "" ]; then
UPTIME_IN_SECS="${FIND}"
UPTIME_IN_DAYS=`expr ${UPTIME_IN_SECS} / 60 / 60 / 24`
logtext "Uptime (in seconds): ${UPTIME_IN_SECS}"
logtext "Uptime (in days): ${UPTIME_IN_DAYS}"
else
logtext "Result: no uptime information available"
fi
fi
#
#################################################################################
#
report "boot_loader=${BOOT_LOADER}"
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
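Review bot: two copy-paste slips change what the operator sees. In BOOT-5126 the not-found branch prints "- Checking presence FreeBSD loader" although the test is for NetBSD. In BOOT-5177 the log lines are swapped: after the running-services loop it writes "Result: Found $N enabled services" and after the enabled-services loop "Result: Found $N running services", while the Display lines directly above each say the opposite, so anyone reading the log gets the wrong counts. In BOOT-5184 the /etc/rc[0-6].d loop uses 'find /etc/rc${NO}.d -type f -print', but BOOT-5180 a few lines earlier already treats those entries as symlinks ('find /etc/rc2.d -type l -print'), so on that layout the loop checks nothing and only the first loop over /etc/init.d and /etc/rc.d does any work; either drop the loop or follow the links (find -L) and check the targets. In BOOT-5121 the GRUB2 branch sets BOOT_LOADER and shows FOUND in green but only emits ReportManual with no password or permission check, so a GRUB2 host scores the same as a protected one. Finally, in BOOT-5202 the comment "# Idle time, not real uptime" contradicts the code: 'cut -d ' ' -f1' takes the first field of /proc/uptime, which is the uptime the variable is then used as.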

72
include/tests_crypto Normal file

@ -0,0 +1,72 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Cryptography
#
#################################################################################
#
InsertSection "Cryptography"
#
#################################################################################
#
# Test : CRYP-7902
# Description : check for expired SSL certificates
if [ ! -z "${OPENSSLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no CRYP-7902 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check expire date of SSL certificates"
if [ ${SKIPTEST} -eq 0 ]; then
FOUNDPROBLEM=0
# Check profile for paths to check
sSSL_PATHS=`grep "^ssl:certificates:" ${PROFILE} | cut -d ':' -f3`
for I in ${sSSL_PATHS}; do
if [ -d ${I} ]; then
logtext "Result: found directory ${I}"
# Search for CRT files
sFINDCRTS=`find ${I} -name "*.crt" -type f -print`
for J in ${sFINDCRTS}; do
logtext "Test: checking certificate ${J}"
# Check certificate where 'end date' has been expired
FIND=`${OPENSSLBINARY} x509 -noout -checkend 0 -in ${J} -enddate > /dev/null ; echo $?`
if [ "${FIND}" = "0" ]; then
logtext "Result: certificate ${J} seems to be correct and still valid"
report "valid_certificate[]=${J}|unknown entity|"
else
FOUNDPROBLEM=1
logtext "Result: certificate ${J} has been expired"
report "expired_certificate[]=${J}"
#YYY Dump more information to log file
fi
done
else
logtext "Result: SSL path ${I} does not exist"
fi
done
if [ ${FOUNDPROBLEM} -eq 0 ]; then
Display --indent 2 --text "- Checking SSL certificate expiration..." --result OK --color GREEN
else
Display --indent 2 --text "- Checking SSL certificate expiration..." --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "One or more SSL certificates expired"
fi
fi
#
#################################################################################
#
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
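Review bot: CRYP-7902 treats any non-zero exit from `openssl x509 -checkend 0` as "expired", but openssl also exits non-zero when it cannot parse the file (DER-encoded, not a certificate, unreadable), so a broken or DER `.crt` is reported as an expired certificate and raises the warning. Distinguish the two cases, for example by first running `${OPENSSLBINARY} x509 -noout -in ${J}` and logging a separate "unable to parse" result, and keep the `-enddate` output in the log instead of sending it to /dev/null; that also covers the `#YYY Dump more information` TODO. `for J in ${sFINDCRTS}` splits on whitespace, so a path containing a space is checked as two non-existent files; the `!space!` substitution used for the /tmp scan in tests_filesystems in this same commit would handle that. Only `*.crt` is searched, so certificates stored as `.pem` or `.cer` are silently skipped; worth stating in the description or widening the `-name` pattern.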


@ -0,0 +1,59 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Here could you insert your own custom checks
#
# Tips:
# - Make sure to use each test ID only once in Register function
# - Use big steps in numbering, so you can easily put tests in between
# - Want to improve Lynis? Share your checks!
#
#################################################################################
#
# This has already been inserted, but you might reuse it to split your tests
# InsertSection "Custom Checks"
#
#################################################################################
#
# Test : CUST-0010
# Description : Check for something interesting - template
# This test first checks if OpenSSL binary was found
if [ ! -z "${OPENSSLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no CUST-0010 --preqs-met ${PREQS_MET} --weight L --network NO --description "My description"
# Or you could use this one without any dependencies
# Register --test-no CUST-0010 --weight L --network NO --description "My description"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
logtext "Test: checking something"
ReportWarning ${TEST_NO} "M" "Test warning"
if [ ${FOUND} -eq 0 ]; then
Display --indent 4 --text "- Performing custom test 1..." --result OK --color GREEN
logtext "Result: the test looks great!"
else
Display --indent 4 --text "- Performing custom test 1..." --result WARNING --color RED
logtext "Result: hmm bad result of this test :("
ReportSuggestion ${TEST_NO} "This could be better!"
fi
fi
#
#################################################################################
#
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
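Review bot: in the CUST-0010 template, `ReportWarning ${TEST_NO} "M" "Test warning"` sits outside the `if [ ${FOUND} -eq 0 ]` branch, so every run that loads this file adds a medium warning to the report regardless of the outcome; move it into the `else` branch beside ReportSuggestion, or comment it out as the alternative Register line is. The header comment "Here could you insert your own custom checks" should read "Here you can insert your own custom checks".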

154
include/tests_databases Normal file

@ -0,0 +1,154 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Databases
#
#################################################################################
#
# Status of database processes
MYSQL_RUNNING=0
ORACLE_RUNNING=0
POSTGRESQL_RUNNING=0
# Paths to DATADIR
sMYSQLDBPATHS="/var/lib/mysql"
# Paths to my.cnf
sMYCNFLOCS="/etc/mysql/my.cnf /usr/etc/my.cnf"
#
#################################################################################
#
InsertSection "Databases"
# Test : DBS-1804
# Description : Check if MySQL is being used
Register --test-no DBS-1804 --weight L --network NO --description "Checking active MySQL process"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${PSBINARY} ax | egrep "mysqld|mysqld_safe" | grep -v "grep"`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- MySQL process status..." --result "NOT FOUND" --color WHITE
logtext "Result: MySQL process not active"
else
Display --indent 2 --text "- MySQL process status..." --result "FOUND" --color GREEN
logtext "Result: MySQL is active"
MYSQL_RUNNING=1
fi
fi
#
#################################################################################
#
# Test : DBS-1808
# Description : Check MySQL data directory
#Register --test-no DBS-1808 --weight L --network NO --description "Checking MySQL data directory"
#if [ ${SKIPTEST} -eq 0 ]; then
#fi
#
#################################################################################
#
# Test : DBS-1812
# Description : Check data directory permissions
#Register --test-no DBS-1812 --weight L --network NO --description "Checking MySQL data directory permissions"
#if [ ${SKIPTEST} -eq 0 ]; then
#fi
#
#################################################################################
#
# Test : DBS-1816
# Description : Check empty MySQL root password
# Notes : Only perform test when MySQL is running and client is available
if [ ! "${MYSQLCLIENTBINARY}" = "" -a ${MYSQL_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no DBS-1816 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking MySQL root password"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Trying to login to local MySQL server without password"
FIND=`${MYSQLCLIENTBINARY} -u root --password= --silent --batch --execute="" 2> /dev/null; echo $?`
if [ "${FIND}" = "0" ]; then
logtext "Result: Login succeeded, no MySQL root password set!"
ReportWarning ${TEST_NO} "H" "No MySQL root password set"
ReportSuggestion ${TEST_NO} "Use mysqladmin to set a MySQL root password (mysqladmin -u root -p password MYPASSWORD)"
Display --indent 4 --text "- Checking empty MySQL root password" --result WARNING --color RED
AddHP 0 5
else
logtext "Result: Login did not succeed, so a MySQL root password is set"
Display --indent 4 --text "- Checking MySQL root password" --result OK --color GREEN
AddHP 2 2
fi
else
logtext "Test skipped, MySQL daemon not running or no MySQL client available"
fi
#
#################################################################################
#
# Test : DBS-1826
# Description : Check if PostgreSQL is being used
Register --test-no DBS-1826 --weight L --network NO --description "Checking active PostgreSQL processes"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${PSBINARY} ax | grep "postgres:" | grep -v "grep"`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- PostgreSQL processes status..." --result "NOT FOUND" --color WHITE
logtext "Result: PostgreSQL process not active"
else
Display --indent 2 --text "- PostgreSQL processes status..." --result "FOUND" --color GREEN
logtext "Result: PostgreSQL is active"
POSTGRESQL_RUNNING=1
fi
fi
#
#################################################################################
#
# Test : DBS-1840
# Description : Check if Oracle is being used
# Notes : tnslsnr: Oracle listener
# pmon: process monitor
# smon: system monitor
# dbwr: database writer
# lgwr: log writer
# arch: archiver (optional)
# ckpt: checkpoint (optional)
# reco: recovery (optional)
Register --test-no DBS-1840 --weight L --network NO --description "Checking active Oracle processes"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${PSBINARY} ax | egrep "ora_pmon|ora_smon|tnslsnr" | grep -v "grep"`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Oracle processes status..." --result "NOT FOUND" --color WHITE
logtext "Result: Oracle process(es) not active"
else
Display --indent 2 --text "- Oracle processes status..." --result "FOUND" --color GREEN
logtext "Result: Oracle is active"
ORACLE_RUNNING=1
fi
fi
#
#################################################################################
#
# Test : DBS-1842
# Description : Check Oracle home paths from oratab
#Register --test-no DBS-1842 --weight L --network NO --description "Checking Oracle home paths"
#if [ ${SKIPTEST} -eq 0 ]; then
# if [ -f /etc/oratab ]; then
# FIND=`cat /etc/oratab | grep -v "#" | awk -F: "{ print $2 }"`
# fi
#fi
#
#################################################################################
#
report "mysql_running=${MYSQL_RUNNING}"
report "oracle_running=${ORACLE_RUNNING}"
report "postgresql_running=${POSTGRESQL_RUNNING}"
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
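Review bot: DBS-1816 concludes "a MySQL root password is set" from any non-zero exit of the client, but the client exits 1 just as well when it cannot reach the server (wrong socket path, TCP-only instance, connection refused), so a passwordless root on an unreachable socket gets OK and `AddHP 2 2`. Capture stderr and award the points only on an access-denied error (ERROR 1045), logging the other outcomes as UNKNOWN; also log that this probe leaves a failed root login in the MySQL error log so the audit run can be correlated. The suggestion text `mysqladmin -u root -p password MYPASSWORD` puts the new password on the command line where it shows up in the process list and shell history; suggest `mysqladmin -u root -p password` without the argument so mysqladmin prompts for it. `sMYSQLDBPATHS` and `sMYCNFLOCS` are defined at the top but unused while DBS-1808 and DBS-1812 are commented out, and in DBS-1804 the pattern `mysqld|mysqld_safe` is redundant since `mysqld` already matches `mysqld_safe`.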


@ -0,0 +1,217 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
FILE_INT_TOOL_FOUND=0 # Boolean, file integrity tool found
#
#################################################################################
#
InsertSection "Software: file integrity"
Display --indent 2 --text "- Checking file integrity tools..."
# Test : FINT-4310
# Description : Check if AFICK is installed
Register --test-no FINT-4310 --weight L --network NO --description "AFICK availability"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking AFICK binary"
if [ ! "${AFICKBINARY}" = "" ]; then
logtext "Result: AFICK is installed (${AFICKBINARY})"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- AFICK..." --result FOUND --color GREEN
else
logtext "Result: AFICK is not installed"
Display --indent 4 --text "- AFICK..." --result "NOT FOUND" --color WHITE
fi
fi
#
#################################################################################
#
# Test : FINT-4314
# Description : Check if AIDE is installed
Register --test-no FINT-4314 --weight L --network NO --description "AIDE availability"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking AIDE binary"
if [ ! "${AIDEBINARY}" = "" ]; then
logtext "Result: AIDE is installed (${AIDEBINARY})"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- AIDE..." --result FOUND --color GREEN
else
logtext "Result: AIDE is not installed"
Display --indent 4 --text "- AIDE..." --result "NOT FOUND" --color WHITE
fi
fi
#
#################################################################################
#
# Test : FINT-4315
# Description : Check AIDE configuration file
if [ ! "${AIDEBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FINT-4315 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check AIDE configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
AIDE_CONFIG_LOCS="/etc /etc/aide /usr/local/etc"
logtext "Test: search for aide.conf in ${AIDE_CONFIG_LOCS}"
for I in ${AIDE_CONFIG_LOCS}; do
if [ -f ${I}/aide.conf ]; then
logtext "Result: found aide.conf in directory ${I}"
AIDECONFIG="${I}/aide.conf"
fi
done
if [ "${AIDECONFIG}" = "" ]; then
Display --indent 6 --text "- AIDE config file" --result "NOT FOUND" --color YELLOW
else
Display --indent 6 --text "- AIDE config file" --result FOUND --color GREEN
fi
fi
#
#################################################################################
#
# Test : FINT-4316
# Description : Check if AIDE is configured to use SHA256 or SHA512 checksums
if [ ! "${AIDEBINARY}" = "" -a ! "${AIDECONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FINT-4316 --preqs-met ${PREQS_MET} --weight L --network NO --description "AIDE configuration: Checksums (SHA256 or SHA512)"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${GREPBINARY} "^Checksums" ${AIDECONFIG}`
FIND2=`${GREPBINARY} "^Checksums" ${AIDECONFIG} | ${EGREPBINARY} "sha256|sha512"`
if [ "${FIND}" = "" ]; then
logtext "Result: Unclear how AIDE is dealing with checksums"
Display --indent 6 --text "- AIDE config (Checksums)" --result UNKNOWN --color YELLOW
else
if [ "${FIND2}" = "" ]; then
logtext "Result: No SHA256 or SHA512 found for creating checksums"
Display --indent 6 --text "- AIDE config (Checksum)" --result WARNING --color RED
ReportSuggestion ${TEST_NO} "Use SHA256 or SHA512 to create checksums in AIDE"
AddHP 1 3
else
logtext "Result: Found SHA256 or SHA512 found for creating checksums"
Display --indent 6 --text "- AIDE config (Checksum)" --result OK --color GREEN
AddHP 2 2
fi
fi
fi
#
#################################################################################
#
# Test : FINT-4318
# Description : Check if Osiris is installed
Register --test-no FINT-4318 --weight L --network NO --description "Osiris availability"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking Osiris binary"
if [ ! "${OSIRISBINARY}" = "" ]; then
logtext "Result: Osiris is installed (${OSIRISBINARY})"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- Osiris..." --result FOUND --color GREEN
else
logtext "Result: Osiris is not installed"
Display --indent 4 --text "- Osiris..." --result "NOT FOUND" --color WHITE
fi
fi
#
#################################################################################
#
# Test : FINT-4322
# Description : Check if Samhain is installed
Register --test-no FINT-4322 --weight L --network NO --description "Samhain availability"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking Samhain binary"
if [ ! "${SAMHAINBINARY}" = "" ]; then
logtext "Result: Samhain is installed (${SAMHAINBINARY})"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- Samhain..." --result FOUND --color GREEN
else
logtext "Result: Samhain is not installed"
Display --indent 4 --text "- Samhain..." --result "NOT FOUND" --color WHITE
fi
fi
#
#################################################################################
#
# Test : FINT-4326
# Description : Check if Tripwire is installed
Register --test-no FINT-4326 --weight L --network NO --description "Tripwire availability"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking Tripwire binary"
if [ ! "${TRIPWIREBINARY}" = "" ]; then
logtext "Result: Tripwire is installed (${TRIPWIREBINARY})"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- Tripwire..." --result FOUND --color GREEN
else
logtext "Result: Tripwire is not installed"
Display --indent 4 --text "- Tripwire..." --result "NOT FOUND" --color WHITE
fi
fi
#
#################################################################################
#
# Test : FINT-4328
# Description : Check if OSSEC system integrity tool is running
Register --test-no FINT-4328 --weight L --network NO --description "OSSEC syscheck daemon running"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking if OSSEC syscheck daemon is running"
IsRunning ossec-syscheckd
if [ ${RUNNING} -eq 1 ]; then
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- OSSEC (syscheck)..." --result FOUND --color GREEN
else
Display --indent 4 --text "- OSSEC (syscheck)..." --result "NOT FOUND" --color WHITE
fi
fi
#
#################################################################################
#
# Test : FINT-4330
# Description : Check if mtree is installed
# Note : Usually on BSD and similar
Register --test-no FINT-4330 --weight L --network NO --description "mtree availability"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking mtree binary"
if [ ! "${MTREEBINARY}" = "" ]; then
logtext "Result: mtree is installed (${MTREEBINARY})"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- mtree..." --result FOUND --color GREEN
else
logtext "Result: mtree is not installed"
Display --indent 4 --text "- mtree..." --result "NOT FOUND" --color WHITE
fi
fi
#
#################################################################################
#
# Test : FINT-4350
# Description : Check if at least one file integrity tool is installed
Register --test-no FINT-4350 --weight L --network NO --description "File integrity software installed"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Check if at least on file integrity tool is available/installed"
if [ ${FILE_INT_TOOL_FOUND} -eq 1 ]; then
logtext "Result: found at least one file integrity tool"
Display --indent 2 --text "- Checking presence integrity tool..." --result FOUND --color GREEN
AddHP 5 5
else
logtext "Result: No file integrity tools found"
Display --indent 2 --text "- Checking presence integrity tool..." --result "NOT FOUND" --color YELLOW
ReportSuggestion ${TEST_NO} "Install a file integrity tool"
AddHP 0 5
fi
fi
#
#################################################################################
#
report "file_integrity_installed=${FILE_INT_TOOL_FOUND}"
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
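Review bot: FINT-4315 never initialises AIDECONFIG before the loop and keeps looping after a hit, so with aide.conf in both /etc and /usr/local/etc the last one silently wins and a stale value inherited from the environment passes the `= ""` check; set `AIDECONFIG=""` before the loop and `break` on the first match (or log each additional copy). FINT-4316 greps for `^Checksums`, which is the group name used by Debian's default aide.conf rather than an AIDE keyword, so configurations that define their rules under other names (e.g. `NORMAL = ...`) land in UNKNOWN even when they use sha256 or sha512; matching any rule definition line that contains sha256 or sha512 would cover those. Typos in logged text: "Found SHA256 or SHA512 found for creating checksums" (double "found") and "at least on file integrity tool" ("one").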


@ -0,0 +1,59 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# File permissions
#
#################################################################################
#
InsertSection "System Tools"
#
#################################################################################
#
# Test : FILE-7524
# Description : Perform file permissions check
Register --test-no FILE-7524 --weight L --network NO --description "Perform file permissions check"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Starting file permissions check..."
logtext "Test: Checking file permissions"
logtext "Using profile ${PROFILE} for baseline."
FIND=`cat ${PROFILE} | egrep '^permfile:|^permdir:' | cut -d: -f2`
for I in ${FIND}; do
logtext "Checking ${I}"
CheckFilePermissions ${I}
logtext " Expected permissions: ${PROFILEVALUE}"
logtext " Actual permissions: ${FILEVALUE}"
logtext " Result: $PERMS"
if [ "${PERMS}" = "FILE_NOT_FOUND" ]; then
Display --indent 4 --text "${I}" --result "NOT FOUND" --color WHITE
elif [ "${PERMS}" = "OK" ]; then
Display --indent 4 --text "${I}" --result OK --color GREEN
elif [ "${PERMS}" = "BAD" ]; then
Display --indent 4 --text "${I}" --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "Incorrect permissions for file ${I}"
else
logtext "UNKNOWN status for file"
fi
done
fi
#
#################################################################################
#
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
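Review bot: this include registers the file-permissions test under `InsertSection "System Tools"`, which looks copied from another file; the section title should match the file header ("File permissions"). In the FILE-7524 loop, `PROFILEVALUE`, `FILEVALUE` and `PERMS` are set by `CheckFilePermissions` and never reset between iterations, so if the function leaves them untouched for one entry the previous entry's values are logged as that file's result; clear them before each call. `$PERMS` on the "Result:" line is the only unbraced variable in the file; use `${PERMS}` for consistency.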

565
include/tests_filesystems Normal file

@ -0,0 +1,565 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# File systems
#
#################################################################################
#
# Number of days to mark a file as old
TMP_OLD_DAYS=90
LVM_VG_USED=0
#
#################################################################################
#
InsertSection "File systems"
#
#################################################################################
#
# Test : FILE-6310
# Description : Checking if /tmp and /home are separated from /
# Goal : Users should not be able to fill their home directory or
# temporary directory and creating a Denial of Service
Register --test-no FILE-6310 --weight L --network NO --description "Checking /tmp and /home directory"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Checking mount points"
SEPARATED_FILESYTEMS="/home /tmp"
for I in ${SEPARATED_FILESYTEMS}; do
logtext "Test: Checking if ${I} is mounted separately or mounted on / file system"
if [ -L ${I} ]; then
logtext "Result: ${I} is a symlink. Manual check required to determine exact file system"
Display --indent 4 --text "- Checking ${I} mount point..." --result SYMLINK --color WHITE
elif [ -d ${I} ]; then
logtext "Result: directory ${I} exists"
FIND=`mount | grep "${I}"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found ${I} as a separated mount point"
Display --indent 4 --text "- Checking ${I} mount point..." --result OK --color GREEN
else
logtext "Result: ${I} not found in mount list. Directory most likely stored on / file system"
Display --indent 4 --text "- Checking ${I} mount point..." --result SUGGESTION --color YELLOW
ReportSuggestion ${TEST_NO} "To decrease the impact of a full ${I} file system, place ${I} on a separated partition"
fi
else
logtext "Result: directory ${I} does not exist"
fi
done
fi
#
#################################################################################
#
# YYY Checking Physical Volumes
#
#################################################################################
#
# Test : FILE-6311
# Description : Checking LVM Volume Groups
# Notes : No volume groups found is sent to STDERR for unclear reasons. Filtering both STDERR redirecting and grep.
if [ ! "${VGDISPLAYBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FILE-6311 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking LVM volume groups"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking for LVM volume groups"
FIND=`${VGDISPLAYBINARY} 2> /dev/null | grep -v "No volume groups found" | grep "VG Name" | awk '{ print $3 }' | sort`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found one or more volume groups"
for I in ${FIND}; do
logtext "Found LVM volume group: ${I}"
report "lvm_volume_group[]=${I}"
done
LVM_VG_USED=1
Display --indent 2 --text "- Checking LVM volume groups..." --result FOUND --color GREEN
else
logtext "Result: no LVM volume groups found"
Display --indent 2 --text "- Checking LVM volume groups..." --result NONE --color WHITE
fi
fi
#
#################################################################################
#
# Test : FILE-6312
# Description : Checking LVM volumes
if [ ! "${LVDISPLAYBINARY}" = "" -a ${LVM_VG_USED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FILE-6312 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking LVM volumes"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking for LVM volumes"
FIND=`${LVDISPLAYBINARY} | grep -v "No volume groups found" | grep "LV Name" | awk '{ print $3 }' | sort`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found one or more volumes"
for I in ${FIND}; do
logtext "Found LVM volume: ${I}"
report "lvm_volume[]=${I}"
done
Display --indent 4 --text "- Checking LVM volumes..." --result FOUND --color GREEN
else
logtext "Result: no LVM volume groups found"
Display --indent 4 --text "- Checking LVM volumes..." --result NONE --color WHITE
fi
fi
#
#################################################################################
#
# Test : FILE-6316
# Description : Checking /etc/fstab file permissions
#Register --test-no FILE-6316 --os Linux --weight L --network NO --description "Checking /etc/fstab"
#if [ ${SKIPTEST} -eq 0 ]; then
# 644
#
#################################################################################
#
# Test : FILE-6323
# Description : Checking Linux EXT2, EXT3, EXT4 file systems
Register --test-no FILE-6323 --os Linux --weight L --network NO --description "Checking EXT file systems"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking for Linux EXT file systems"
FIND=`mount -t ext2,ext3,ext4 | awk '{ print $3","$5 }'`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found one or more EXT file systems"
for I in ${FIND}; do
FILESYSTEM=`echo ${I} | cut -d ',' -f1`
FILETYPE=`echo ${I} | cut -d ',' -f2`
logtext "File system: ${FILESYSTEM} (type: ${FILETYPE})"
done
fi
fi
#
#################################################################################
#
# Test : FILE-6329
# Description : Query all FFS/UFS mounts from /etc/fstab
if [ -f /etc/fstab ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FILE-6329 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking FFS/UFS file systems"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Query /etc/fstab for available FFS/UFS mount points"
FIND=`awk '{ if ($3 == "ufs" || $3 == "ffs" ) { print $1":"$2":"$3":"$4":" }}' /etc/fstab`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Querying FFS/UFS mount points (fstab)..." --result NONE --color WHITE
logtext "Result: unable to find any single mount point (FFS/UFS)"
else
Display --indent 2 --text "- Querying FFS/UFS mount points (fstab)..." --result FOUND --color GREEN
report "filesystem[]=ufs"
for I in ${FIND}; do
logtext "FFS/UFS mount found: ${I}"
report "mountpoint_ufs[]=${I}"
done
fi
fi
#
#################################################################################
#
# Test : FILE-6330
# Description : Query all ZFS mounts from /etc/fstab
Register --test-no FILE-6330 --os FreeBSD --weight L --network NO --description "Checking ZFS file systems"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Query /etc/fstab for available ZFS mount points"
FIND=`mount -p | awk '{ if ($3 == "zfs") { print $1":"$2":"$3":"$4":" }}'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Querying ZFS mount points (mount -p)..." --result NONE --color WHITE
logtext "Result: unable to find any single mount point (ZFS)"
else
Display --indent 2 --text "- Querying ZFS mount points (mount -p)..." --result FOUND --color GREEN
report "filesystem[]=zfs"
for I in ${FIND}; do
logtext "ZFS mount found: ${I}"
report "mountpoint_zfs[]=${I}"
done
fi
fi
#
#################################################################################
#
# Test : FILE-6332
# Description : Check swap partitions
if [ -f /etc/fstab ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FILE-6332 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking swap partitions"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
logtext "Test: query swap partitions from /etc/fstab file"
# Check if third field contains 'swap'
FIND=`awk '{ if ($3=="swap") print $1 }' /etc/fstab`
for I in ${FIND}; do
FOUND=1
logtext "Swap partition found: ${I}"
# YYY add test if partition is not a normal partition (e.g. UUID=)
report "swap_partition[]=${I}"
done
if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Query swap partitions (fstab)..." --result OK --color GREEN
else
Display --indent 2 --text "- Query swap partitions (fstab)..." --result WARNING --color YELLOW
ReportWarning ${TEST_NO} "L" "No swap partion found in /etc/fstab"
logtext "Result: no swap partitions found in /etc/fstab"
fi
fi
#
#################################################################################
#
# Test : FILE-6336
# Description : Check swap mount options
if [ -f /etc/fstab ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FILE-6336 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking swap mount options"
if [ ${SKIPTEST} -eq 0 ]; then
# Swap partitions should be mounted with 'sw'
logtext "Test: check swap partitions with incorrect mount options"
FIND=`awk '{ if ($3=="swap" && $4 !~ "sw") print $1 }' /etc/fstab`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Testing swap partitions..." --result OK --color GREEN
logtext "Result: all swap partitions have correct options (=sw)"
else
Display --indent 2 --text "- Testing swap partitions..." --result WARNING --color RED
logtext "Result: possible incorrect mount options used for mounting swap partition (${FIND})"
ReportWarning ${TEST_NO} "L" "Possible incorrect mount options used for swap parition (${FIND})"
ReportSuggestion ${TEST_NO} "Check your /etc/fstab file. Swap parition usually have 'sw' in the options field (4th)."
fi
fi
#
#################################################################################
#
# Test : FILE-6354
# Description : Search files within /tmp which are older than 3 months
if [ -d /tmp ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FILE-6354 --preqs-met ${PREQS_MET} --weight L --network NO --description "Searching for old files in /tmp"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching for old files in /tmp..."
# Search for files only in /tmp, with an access time older than X days
FIND=`find /tmp -type f -atime +${TMP_OLD_DAYS} | sed 's/ /!space!/g'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking for old files in /tmp..." --result OK --color GREEN
logtext "Result: no files found in /tmp which are older than 3 months"
else
Display --indent 2 --text "- Checking for old files in /tmp..." --result WARNING --color RED
N=0
for I in ${FIND}; do
FILE=`echo ${I} | sed 's/!space!/ /g'`
logtext "Old temporary file: ${FILE}"
N=`expr ${N} + 1`
done
logtext "Result: found old files in /tmp, which were not modified in the last ${TMP_OLD_DAYS} days"
logtext "Advice: check and clean up unused files in /tmp. Old files can fill up a disk or contain"
logtext "private information and should be deleted it not being used actively. Use a tool like lsof to"
logtext "see which programs possibly are using a particular file. Some systems can cleanup temporary"
logtext "directories by setting a boot option."
ReportWarning ${TEST_NO} "L" "Found ${N} files in /tmp which are older than ${TMP_OLD_DAYS} days"
ReportSuggestion ${TEST_NO} "Clean up unused files in /tmp"
fi
fi
#
#################################################################################
#
# Test: scan the skel directory for bad permissions
# Reason: bad permissions on these files will give new created users the same permissions
#YYY enable skel test
# Several differences between operating systems are present
#SKELDIRS="/etc/skel /usr/share/skel"
#for I in ${SKELDIRS}; do
#
# logtext "Searching skel directory ${I}..."
#
# if [ -d ${I} ]; then
# logtext "Result: Directory found, scanning for unsafe file permissions"
# FIND=`ls -A ${I} | wc -l | sed 's/ //g'`
# if [ ! "${FIND}" = "0" ]; then
# FIND=`find ${I} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \)`
# if [ "${FIND}" = "" ]; then
# Display --indent 2 --text "- Checking skel file permissions (${I})..." --result OK --color GREEN
# logtext "Result: Directory seems to be ok, no files found with read/write/execute bit set."
# logtext "Status: OK"
# else
# Display --indent 2 --text "- Checking skel file permissions (${I})..." --result WARNING --color RED
# logtext "Result: The following files do have non restrictive permissions: ${FIND}"
# ReportSuggestion ${TEST_NO} "Remove the read, write or execute bit from these files (chmod o-rwx)"
# fi
# else
# Display --indent 2 --text "- Checking skel file permissions (${I})..." --result EMPTY --color WHITE
# logtext "Directory ${I} is empty, no scan performed"
# fi
# else
# Display --indent 2 --text "- Checking skel file permissions (${I})..." --result "NOT FOUND" --color WHITE
# logtext "Result: Skel directory (${I}) not found"
# fi
#done
#
#################################################################################
#
# Test : FILE-6362
# Description : Check for sticky bit on /tmp
if [ -d /tmp -a ! -L /tmp ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FILE-6362 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking /tmp sticky bit"
if [ ${SKIPTEST} -eq 0 ]; then
# Depending on OS, number of field with 'tmp' differs
FIND=`ls -l / | tr -s ' ' | awk -F" " '{ if ( $8 == "tmp" || $9 == "tmp" ) { print $1 } }' | cut -c 10`
if [ "${FIND}" = "t" -o "${FIND}" = "T" ]; then
Display --indent 2 --text "- Checking /tmp sticky bit..." --result OK --color GREEN
logtext "Result: Sticky bit (${FIND}) found on /tmp directory"
AddHP 3 3
else
Display --indent 2 --text "- Checking /tmp sticky bit..." --result WARNING --color RED
ReportWarning ${TEST_NO} "H" "No sticky bit found on /tmp directory, which can be dangerous!"
ReportSuggestion ${TEST_NO} "Consult documentation and place the sticky bit, to prevent users deleting (by other owned) files in the /tmp directory."
AddHP 0 3
fi
else
logtext "Result: Sticky bit test (on /tmp) skipped. Possible reason: missing or symlinked directory, or test skipped."
fi
#
#################################################################################
#
# Test : FILE-6366
# Description : Check for noatime option
# More info : especially useful for profile 'desktop' and 'server-storage'
#
#################################################################################
#
# Test : FILE-6368
# Description : Checking Linux root file system ACL support
Register --test-no FILE-6368 --os Linux --weight L --network NO --description "Checking ACL support on root file system"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
logtext "Test: Checking acl option on root file system"
FIND=`mount | ${AWKBINARY} '{ if ($3=="/") { print $6 } }' | grep acl`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found ACL option"
FOUND=1
else
logtext "Result: mount point probably mounted with defaults"
logtext "Test: Checking device which holds root file system"
# Get device on which root file system is mounted. Use /dev/root if it exists, or
# else check output of mount
if [ -b /dev/root ]; then
FIND1="/dev/root"
else
FIND1=`mount | grep ' / ' | awk '{ print $1 }' | sed 's/rootfs//'`
fi
if [ ! "${FIND1}" = "" ]; then
logtext "Result: found ${FIND1}"
logtext "Test: Checking default options on ${FIND1}"
FIND2=`${TUNE2FSBINARY} -l ${FIND1} | grep "^Default mount options" | grep "acl"`
if [ ! "${FIND2}" = "" ]; then
logtext "Result: found ACL option in default mount options"
FOUND=1
else
logtext "Result: no ACL option found in default mount options list"
fi
else
logtext "Result: No file system found with root file system"
fi
fi
if [ ${FOUND} -eq 0 ]; then
logtext "Result: ACL option NOT enabled on root file system"
logtext "Additional information: if file access need to be more restricted, ACLs could be used. Install the acl utilities and remount the file system with the acl option"
logtext "Activate acl support on and active file system with mount -o remount,acl / and add the acl option to the fstab file"
Display --indent 2 --text "- ACL support root file system..." --result DISABLED --color YELLOW
AddHP 0 1
else
logtext "Result: ACL option enabled on root file system"
Display --indent 2 --text "- ACL support root file system..." --result ENABLED --color GREEN
AddHP 3 3
fi
fi
#
#################################################################################
#
# Test : FILE-6372
# Description : Check / mount options for Linux
# Notes :
Register --test-no FILE-6372 --os Linux --weight L --network NO --description "Checking / mount options"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /etc/fstab ]; then
FIND=`echo /etc/fstab | awk '{ if ($2=="/") { print $4 } }'`
NODEV=`echo ${FIND} | awk '{ if ($1=="nodev") { print "YES" } else { print "NO" } }'`
NOEXEC=`echo ${FIND} | awk '{ if ($1=="noexec") { print "YES" } else { print "NO" } }'`
NOSUID=`echo ${FIND} | awk '{ if ($1=="nosuid") { print "YES" } else { print "NO" } }'`
if [ ! "${FIND}" = "" ]; then
logtext "Result: mount system / is configured with options: ${FIND}"
if [ "${FIND}" = "defaults" ]; then
Display --indent 2 --text "- Mount options of /..." --result OK --color GREEN
else
Display --indent 2 --text "- Mount options of /..." --result "NON DEFAULT" --color YELLOW
fi
else
logtext "Result: no mount point / or expected options found"
fi
fi
fi
#
#################################################################################
#
# Test : FILE-6374
# Description : Check /boot mount options for Linux
# Notes : Expecting nodev,noexec,nosuid
Register --test-no FILE-6374 --os Linux --weight L --network NO --description "Checking /boot mount options"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /etc/fstab ]; then
HARDENED=0
FIND=`echo /etc/fstab | awk '{ if ($2=="/boot") { print $4 } }'`
NODEV=`echo ${FIND} | awk '{ if ($1=="nodev") { print "YES" } else { print "NO" } }'`
NOEXEC=`echo ${FIND} | awk '{ if ($1=="noexec") { print "YES" } else { print "NO" } }'`
NOSUID=`echo ${FIND} | awk '{ if ($1=="nosuid") { print "YES" } else { print "NO" } }'`
if [ "${NODEV}" = "YES" -a "${NOEXEC}" = "YES" -a "${NOSUID}" = "YES" ]; then HARDENED=1; fi
if [ ! "${FIND}" = "" ]; then
logtext "Result: mount system /boot is configured with options: ${FIND}"
if [ ${HARDENED} -eq 1 ]; then
logtext "Result: marked /boot options as hardenened"
Display --indent 2 --text "- Mount options of /boot..." --result HARDENED --color GREEN
AddHP 5 5
else
if [ "${FIND}" = "defaults" ]; then
logtext "Result: marked /boot options as default (non hardened)"
Display --indent 2 --text "- Mount options of /boot..." --result DEFAULT --color RED
AddHP 3 5
else
logtext "Result: marked /boot options as non default (unclear about hardening)"
Display --indent 2 --text "- Mount options of /boot..." --result "NON DEFAULT" --color YELLOW
AddHP 4 5
fi
fi
else
logtext "Result: no mount point /boot or expected options found"
fi
fi
fi
#
#################################################################################
#
# Test : FILE-XXXX
# Description : Check /home mount options for Linux
# Notes : Expecting nodev,nosuid
#
#################################################################################
#
# Test : FILE-XXXX
# Description : Check /var mount options for Linux
# Notes : Expecting nosuid
#
#################################################################################
#
# Test : FILE-XXXX
# Description : Check /var/log mount options for Linux
# Notes : Expecting nodev,noexec,nosuid
#
#################################################################################
#
# Test : FILE-XXXX
# Description : Check /var/log/audit mount options for Linux
# Notes : Expecting nodev,noexec,nosuid
#
#################################################################################
#
# Test : FILE-XXXX
# Description : Check /tmp mount options for Linux
# Notes : Expecting nodev,noexec,nosuid
#
#################################################################################
#
#
#################################################################################
#
# Test : FILE-6378
# Description : Check for nodirtime option
#
#################################################################################
#
# Test : FILE-6380
# Description : Check for relatime
#
#################################################################################
#
# Test : FILE-6390
# Description : Check writeback/journalling mode (ext3)
# More info : data=writeback | data=ordered | data=journal
#
#################################################################################
#
# Test : FILE-6394
# Description : Check vm.swappiness (Linux)
#
#################################################################################
#
# Test : FILE-6398
# Description : Check if JBD (Journal Block Device) driver is loaded
#
#################################################################################
#
# Test : FILE-6410
# Description : Checking locate database (file index)
# Notes : Linux /var/lib/mlocate/mlocate.db or /var/lib/slocate/slocate.db
# or /var/cache/locate/locatedb
# FreeBSD /var/db/locate.database
if [ ! "${LOCATEBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FILE-6410 --os Linux --weight L --network NO --description "Checking Locate database"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking locate database"
FOUND=0
LOCATE_DBS="/var/lib/mlocate/mlocate.db /var/lib/locatedb /var/lib/slocate/slocate.db /var/cache/locate/locatedb /var/db/locate.database"
for I in ${LOCATE_DBS}; do
if [ -f ${I} ]; then
logtext "Result: locate database found (${I})"
FOUND=1
LOCATE_DB="${I}"
else
logtext "Result: file ${I} not found"
fi
done
if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Checking Locate database..." --result FOUND --color GREEN
report "locate_db=${LOCATE_DB}"
else
logtext "Result: database not found"
Display --indent 2 --text "- Checking Locate database..." --result "NOT FOUND" --color YELLOW
ReportSuggestion ${TEST_NO} "The database required for 'locate' could not be found. Run 'updatedb' or 'locate.updatedb' to create this file."
fi
fi
#
#################################################################################
#
# Test : FILE-6412
# Description : Checking age of locate database
#
#################################################################################
#
# Test : FILE-6420
# Description : Check automount process
#
#################################################################################
#
# Test : FILE-6422
# Description : Check automount maps (files or for example LDAP based)
# Notes : Warn when automounter is running
#
#################################################################################
#
# Test : FILE-6424
# Description : Check automount map files
#
#################################################################################
#
# Test : FILE-6425
# Description : Check mounted files systems via automounter
# Notes : Warn when no systems are mounted?
#
#################################################################################
#
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
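Review bot: In FILE-6372 and FILE-6374 the mount options are read with `echo /etc/fstab | awk '{ if ($2=="/") { print $4 } }'`, which feeds the literal string "/etc/fstab" to awk instead of the file's contents, so FIND is always empty and both tests silently end in the "no mount point ... or expected options found" branch; pass the file as an argument, `awk '{ if ($2=="/") { print $4 } }' /etc/fstab`. The follow-up checks `NODEV=\`echo ${FIND} | awk '{ if ($1=="nodev") ... }'\`` compare the whole comma-separated options field against a single word, so a /boot entry with "nodev,noexec,nosuid" never sets all three to YES and HARDENED=1 is unreachable; split on commas (awk -F, or one grep per option) before comparing, and note that FILE-6372 computes NODEV/NOEXEC/NOSUID without using them. Smaller points: FILE-6410 computes PREQS_MET but its Register call omits `--preqs-met ${PREQS_MET}`, and it is limited to `--os Linux` although LOCATE_DBS includes the FreeBSD path; FILE-6354 selects files by `-atime` while the log text says "not modified"; the ReportWarning and ReportSuggestion strings of the swap test spell "parition".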

296
include/tests_firewalls Normal file

@ -0,0 +1,296 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Firewalls
#
#################################################################################
#
InsertSection "Software: firewalls"
#
#################################################################################
#
IPTABLES_ACTIVE=0
IPTABLES_INKERNEL_ACTIVE=0
IPTABLES_MODULE_ACTIVE=0
FIREWALL_ACTIVE=0
FIREWALL_SOFTWARE=""
#
#################################################################################
#
# YYY Improvement needed for iptables to check if kernel modules are used or not.
# If they are not used and iptables is not found in configuration, no checks should be performed.
#
# Test : FIRE-4511
# Description : Check iptables kernel module
Register --test-no FIRE-4511 --os Linux --weight L --network NO --description "Check iptables kernel module"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`lsmod | awk '{ print $1 }' | grep "^ip*_tables"`
if [ ! "${FIND}" = "" ]; then
FIREWALL_ACTIVE=1
FIREWALL_SOFTWARE="iptables"
IPTABLES_ACTIVE=1
IPTABLES_MODULE_ACTIVE=1
Display --indent 2 --text "- Checking iptables kernel module" --result FOUND --color GREEN
logtext "Result: Found iptables in loaded kernel modules"
for I in ${FIND}; do
logtext "Found module: ${I}"
done
else
Display --indent 2 --text "- Checking iptables kernel module" --result "NOT FOUND" --color WHITE
# If we can't find an active module, try to find the Linux configuration file and check that
if [ -f /proc/config.gz ]; then
LINUXCONFIGFILE="/proc/config.gz"; tCATCMD="zcat";
fi
sLINUXCONFIGFILE="/boot/config-`uname -r`"
if [ -f ${sLINUXCONFIGFILE} ]; then
LINUXCONFIGFILE=${sLINUXCONFIGFILE}; tCATCMD="cat";
fi
# If we have a kernel configuration file, use it for testing
# Do not perform test if we already found it in kernel module list, to avoid triggered it in the upcoming
# tests, when using iptables --list
if [ ! "${LINUXCONFIGFILE}" = "" -a -f ${LINUXCONFIGFILE} -a ${IPTABLES_MODULE_ACTIVE} -eq 0 ]; then
logtext "Result: found kernel configuration file (${LINUXCONFIGFILE})"
FIND=`${tCATCMD} ${LINUXCONFIGFILE} | grep -v '^#' | grep "CONFIG_IP_NF_IPTABLES" | head -n 1`
if [ ! "${FIND}" = "" ]; then
HAVEMOD=`echo ${FIND} | cut -d '=' -f2`
# Do not use iptables if it's compiled as a module (=m), since we already tested for it in the
# active list.
if [ "${HAVEMOD}" = "y" ]; then
logtext "Result: iptables available as a module in the configuration"
IPTABLES_ACTIVE=1
IPTABLES_INKERNEL_ACTIVE=1
FIREWALL_ACTIVE=1
FIREWALL_SOFTWARE="iptables"
Display --indent 2 --text "- Checking iptables in config file" --result FOUND --color GREEN
else
logtext "Result: no iptables found in Linux kernel config file"
fi
else
logtext "Result: no Linux configuration file found"
Display --indent 2 --text "- Checking iptables in config file" --result "NOT FOUND" --color WHITE
fi
fi
fi
fi
#
#################################################################################
#
# Test : FIRE-4512
# Description : Check iptables for empty ruleset
if [ ! "${IPTABLESBINARY}" = "" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4512 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --description "Check iptables for empty ruleset"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${IPTABLESBINARY} --list --numeric | egrep -v "^(Chain|target|$)" | wc -l | tr -d ' '`
if [ "${FIND}" = "0" ]; then
# Firewall is active, but clearly needs configuration
FIREWALL_ACTIVE=1
logtext "Result: iptables ruleset is empty"
Display --indent 4 --text "- Checking for empty ruleset" --result WARNING --color RED
ReportWarning ${TEST_NO} "L" "iptables module(s) loaded, but no rules active"
ReportSuggestion ${TEST_NO} "Disable iptables kernel module if not used or make sure rules are being used"
else
logtext "Result: one or more rules are available"
Display --indent 4 --text "- Checking for empty ruleset" --result OK --color GREEN
fi
fi
#
#################################################################################
#
# Test : FIRE-4513
# Description : Check iptables for unused rules
if [ ! "${IPTABLESBINARY}" = "" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4513 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --description "Check iptables for unused rules"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${IPTABLESBINARY} --list --numeric --line-numbers --verbose | awk '{ if ($2=="0") print $1 }' | xargs`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking for unused rules" --result OK --color GREEN
logtext "Result: There are no unused rules present"
else
Display --indent 4 --text "- Checking for unused rules" --result WARNING --color YELLOW
logtext "Result: Found one or more possible unused rules"
logtext "Description: Unused rules can be a sign that the firewall rules aren't optimized or up-to-date"
logtext "Note: Sometimes rules aren't triggered but still in use. Keep this in mind before cleaning up rules."
logtext "Output: iptables rule numbers: ${FIND}"
#ReportWarning ${TEST_NO} "L" "Found possible unused iptables rules ($FIND)"
ReportSuggestion ${TEST_NO} "Check iptables rules to see which rules are currently not used"
logtext "Tip: iptables --list --numeric --line-numbers --verbose"
fi
fi
#
#################################################################################
#
# Test : FIRE-4518
# Description : Checking status of pf firewall components
Register --test-no FIRE-4518 --weight L --network NO --description "Check pf firewall components"
if [ ${SKIPTEST} -eq 0 ]; then
PFFOUND=0; PFLOGDFOUND=0
# Check status with pfctl
logtext "Test: checking pf status via pfctl"
if [ ! "${PFCTLBINARY}" = "" ]; then
FIND=`${PFCTLBINARY} -sa 2>&1 | grep "^Status" | head -1 | awk '{ print $2 }'`
if [ "${FIND}" = "Enabled" ]; then
Display --indent 2 --text "- Checking pf status (pfctl)" --result ENABLED --color GREEN
logtext "Result: pf is enabled"
PFFOUND=1
AddHP 3 3
else
if [ "${FIND}" = "Disabled" ]; then
Display --indent 2 --text "- Checking pf status (pfctl)" --result DISABLED --color RED
logtext "Result: pf is disabled"
AddHP 0 3
else
Display --indent 2 --text "- Checking pf status (pfctl)" --result UNKNOWN --color YELLOW
ReportException ${TEST_NO} "Unknown status of pf firewall"
fi
fi
fi
# If we didn't find the status to be enabled, stop searching
if [ ${PFFOUND} -eq 1 ]; then
# Check for pf kernel module (FreeBSD and similar)
logtext "Test: searching for pf kernel module"
if [ ! "${KLDSTATBINARY}" = "" ]; then
FIND=`${KLDSTATBINARY} | grep 'pf.ko'`
if [ "${FIND}" = "" ]; then
logtext "Result: Can not find pf KLD"
else
logtext "Result: pf KLD loaded"
PFFOUND=1
fi
else
logtext "Result: no kldstat binary, skipping this part"
fi
IsRunning pflogd
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: found pflog daemon in process list"
Display --indent 4 --text "- Checking pflogd status" --result ACTIVE --color GREEN
PFFOUND=1
PFLOGDFOUND=1
else
logtext "Result: pflog daemon not found in process list"
Display --indent 4 --text "- Checking pflogd status" --result "NOT FOUND" --color YELLOW
fi
fi
if [ ${PFFOUND} -eq 1 ]; then
FIREWALL_ACTIVE=1
FIREWALL_SOFTWARE="pf"
else
logtext "Result: pf not running on this system"
Display --indent 2 --text "- Checking pf" --result "NOT FOUND" --color WHITE
fi
fi
#
#################################################################################
#
# Test : FIRE-4520
# Description : Check pf configuration consistency
if [ ${PFFOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4520 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check pf configuration consistency"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check /etc/pf.conf"
# Test for warnings (-n don't load the rules)
if [ -f /etc/pf.conf ]; then
logtext "Result: /etc/pf.conf exists"
# Check results from pfctl
PFWARNINGS=`pfctl -n -f /etc/pf.conf -vvv 2>&1 | grep -i 'warning'`
if [ "${PFWARNINGS}" = "" ]; then
Display --indent 4 --text "- Checking pf configuration consistency" --result OK --color GREEN
logtext "Result: no pf filter warnings found"
else
Display --indent 4 --text "- Checking pf configuration consistency" --result WARNING --color RED
logtext "Result: found one or more warnings in the pf filter rules"
ReportWarning ${TEST_NO} "H" "Found one or more warnings in pf configuration file"
ReportSuggestion ${TEST_NO} "Run 'pfctl -n -f /etc/pf.conf -vvv' to see available pf warnings"
fi
else
logtext "Result: /etc/pf.conf does NOT exist"
fi
fi
#
#################################################################################
#
# Test : FIRE-4522
# Description : Check ipchains
#
#################################################################################
#
# Test : FIRE-4526
# Description : Check ipf (Solaris)
if [ ! "${IPFBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4526 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check ipf status"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${IPFBINARY} -n -V | grep "^Running" | awk '{ print $2 }'`
if [ "${FIND}" = "yes" ]; then
Display --indent 4 --text "- Checking ipf status" --result RUNNING --color GREEN
logtext "Result: ipf is enabled and running"
FIREWALL_ACTIVE=1
FIREWALL_SOFTWARE="ipf"
else
Display --indent 4 --text "- Checking ipf status" --result "NOT RUNNING" --color YELLOW
logtext "Result: ipf is not running"
fi
fi
#
#################################################################################
#
# Test : FIRE-4530
# Description : Check ipfw
#
#################################################################################
#
# Test : FIRE-4590
# Description : Check if at least one firewall if active
Register --test-no FIRE-4590 --weight L --network NO --description "Check firewall status"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ${FIREWALL_ACTIVE} -eq 1 ]; then
Display --indent 2 --text "- Checking host based firewall" --result ACTIVE --color GREEN
logtext "Result: host based firewall or packet filter is active"
#YYY add manual item to report
report "manual[]=Verify if there is a formal process for testing and applying firewall rules"
report "manual[]=verify all traffic is filtered the right way between the different security zones"
report "manual[]=verify if a list is available with all required services"
# YYY Solaris ipf (determine default policy)
report "manual[]=Make sure an explicit deny all is the default policy for all unmatched traffic"
AddHP 5 5
else
Display --indent 2 --text "- Checking host based firewall" --result "NOT ACTIVE" --color YELLOW
logtext "Result: no host based firewall/packet filter found or configured"
ReportSuggestion ${TEST_NO} "Configure a firewall/packet filter to filter incoming and outgoing traffic"
AddHP 0 5
fi
fi
#
#################################################################################
#
# Report firewall installed for now, if we found one active. Next step would be determining binaries first and apply additional checks.
report "firewall_installed=${FIREWALL_ACTIVE}"
report "firewall_active=${FIREWALL_ACTIVE}"
report "firewall_software=${FIREWALL_SOFTWARE}"
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
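Review bot: In FIRE-4518 the guard `if [ ${PFFOUND} -eq 1 ]; then` around the kldstat and pflogd checks contradicts the comment above it ("If we didn't find the status to be enabled, stop searching"): the module and daemon are only looked for after pfctl has already reported Enabled, so the `PFFOUND=1` assignments inside are dead code and a host without a pfctl binary (PFCTLBINARY empty) can never be detected through pf.ko or pflogd. Either run those checks while PFFOUND is still 0 or remove them. Related: FIRE-4520 uses PFFOUND for its prerequisite, but the variable is only assigned inside FIRE-4518, so when that test is skipped `[ ${PFFOUND} -eq 1 ]` runs with an empty operand; initialise PFFOUND=0 next to the other globals at the top of the file. In FIRE-4511, `grep "^ip*_tables"` matches "ip_tables" (and "i_tables") but not "ip6_tables", because the star repeats only the p; `grep "^ip6*_tables"` covers both. LINUXCONFIGFILE is not initialised in this file before `[ ! "${LINUXCONFIGFILE}" = "" -a -f ${LINUXCONFIGFILE} -a ... ]`, so when neither /proc/config.gz nor /boot/config-$(uname -r) exists the unquoted empty expansion leaves `-f` without an operand; set it to an empty string first and quote it. Minor: FIRE-4520 calls `pfctl` directly instead of `${PFCTLBINARY}`, and the FIRE-4590 description reads "if active" for "is active".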

140
include/tests_hardening Normal file

@ -0,0 +1,140 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
InsertSection "Hardening"
# COMPILER_INSTALLED is initialised before
HARDEN_COMPILERS_NEEDED=0
#
#################################################################################
#
# Test : HRDN-7220
# Description : Check for installed compilers
Register --test-no HRDN-7220 --weight L --network NO --description "Check if one or more compilers are installed"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Check if one or more compilers can be found on the system"
if [ ${COMPILER_INSTALLED} -eq 0 ]; then
logtext "Result: no compilers found"
Display --indent 4 --text "- Installed compiler(s)..." --result "NOT FOUND" --color GREEN
AddHP 3 3
else
logtext "Result: found installed compiler. See top of logfile which compilers have been found or use grep to filter on 'compiler'"
Display --indent 4 --text "- Installed compiler(s)..." --result "FOUND" --color RED
ReportSuggestion ${TEST_NO} "Harden the system by removing unneeded compilers. This can decrease the chance of customized trojans, backdoors and rootkits to be compiled and installed"
AddHP 1 3
fi
fi
#
#################################################################################
#
# Test : HRDN-7222
# Description : Check for permissions of installed compilers
Register --test-no HRDN-7222 --weight L --network NO --description "Check compiler permissions"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Check if one or more compilers can be found on the system"
HARDEN_COMPILERS_NEEDED=0
if [ ${COMPILER_INSTALLED} -eq 0 ]; then
logtext "Result: no compilers found"
else
# as
if [ ! "${ASBINARY}" = "" ]; then
logtext "Test: Check file permissions for as (Assembler)"
IsWorldExecutable ${ASBINARY}
if [ ${SYMLINK} -eq 0 ]; then
logtext "Binary: ${ASBINARY} (world executable: ${FileIsWorldExecutable})"
else
logtext "Binary: ${GCCBINARY} (symlinked to: ${sFILE}) (world executable: ${FileIsWorldExecutable})"
fi
if [ ${FileIsWorldExecutable} = "TRUE" ]; then
AddHP 2 3
HARDEN_COMPILERS_NEEDED=1
else
AddHP 3 3
fi
fi
# gcc
if [ ! "${GCCBINARY}" = "" ]; then
logtext "Test: Check file permissions for GCC compiler"
IsWorldExecutable ${GCCBINARY}
if [ ${SYMLINK} -eq 0 ]; then
logtext "Binary: ${GCCBINARY} (world executable: ${FileIsWorldExecutable})"
else
logtext "Binary: ${GCCBINARY} (symlinked to: ${sFILE}) (world executable: ${FileIsWorldExecutable})"
fi
if [ ${FileIsWorldExecutable} = "TRUE" ]; then
AddHP 2 3
HARDEN_COMPILERS_NEEDED=1
else
AddHP 3 3
fi
fi
# Report suggestion is one or more compilers can be better hardened
if [ ${HARDEN_COMPILERS_NEEDED} -eq 1 ]; then
logtext "Result: at least one compiler could be better hardened by restricting executable access to root or group only"
ReportSuggestion ${TEST_NO} "Harden compilers and restrict access to world"
fi
#YYY check if compilers have a specific group (like compiler, or NOT root/wheel)
# Display --indent 4 --text "- Installed compiler(s)..." --result "FOUND" --color RED
# /usr/bin/*cc*
# /usr/bin/*++*
# /usr/bin/ld
# (and 700 or 750 permissions)
fi
fi
#
#################################################################################
#
# Test : HRDN-7230
# Description : Check for installed malware scanners
Register --test-no HRDN-7230 --weight L --network NO --description "Check for malware scanner"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Check if one or more compilers can be found on the system"
if [ ${MALWARE_SCANNER_INSTALLED} -eq 1 ]; then
logtext "Result: found at least one malware scanner"
Display --indent 4 --text "- Installed malware scanner..." --result "FOUND" --color GREEN
AddHP 3 3
else
logtext "Result: no malware scanner found"
Display --indent 4 --text "- Installed malware scanner..." --result "NOT FOUND" --color RED
ReportSuggestion ${TEST_NO} "Harden the system by installing one or malware scanners to perform periodic file system scans"
AddHP 1 3
fi
fi
#
#################################################################################
#
# logtext "--------------------------------------------------------------------"
# logtext "| System part | Preferred value | Actual value | Points |"
# logtext "| [!] Compiler installed | 0 | [${COMPILER_INSTALLED}] | x |"
# logtext "| [V] Malware scanner installed | 1 | [x] | x |"
# logtext "| [V] Packet filter enabled | 1 | [x] | x |"
# logtext "--------------------------------------------------------------------"
# logtext "| [!]: Hardening possible, [V]: Hardening performed, [ ]: Unknown "
# logtext "--------------------------------------------------------------------"
#
#################################################################################
#
report "compiler_installed=${COMPILER_INSTALLED}"
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
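Review bot: In HRDN-7222 the symlink branch of the `as` check logs the wrong binary: `logtext "Binary: ${GCCBINARY} (symlinked to: ${sFILE}) (world executable: ${FileIsWorldExecutable})"` inside the `if [ ! "${ASBINARY}" = "" ]` block should reference `${ASBINARY}`; it was copied from the gcc block below. The same copy-paste appears in HRDN-7230, whose opening `logtext "Test: Check if one or more compilers can be found on the system"` comes from HRDN-7220 and should describe the malware scanner check. Also quote the result variable in `if [ ${FileIsWorldExecutable} = "TRUE" ]` (both occurrences), since an unset value makes `[` fail on a missing operand, and fix the suggestion text "installing one or malware scanners" to "one or more".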


@ -0,0 +1,52 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# InsertSection "Hardening tools"
#
#################################################################################
#
# Checking Solaris Security Toolkit (Jass)
# Test : HRDN-7402
# Description : Check jass hardening
# Register --test-no HRDN-7402 --weight L --network NO --description "Check jass hardening"
# if [ ${SKIPTEST} -eq 0 ]; then
# if [ -d /opt/SUNWjass -o -d /var/opt/SUNWjass ]; then
# logtext "Result: found Solaris Security Toolkit (Jass hardening tool)"
# fi
#
#
#################################################################################
#
# Test : HRDN-7410
# Description : Check tiger hardening tool
#
#################################################################################
#
# Test : HRDN-7420
# Description : Check Bastille Unix hardening tool
#
#################################################################################
#
# Checking Solaris Security Toolkit (ASET)
# - Automated Security Enhancement Tool
# AddHP 3 3
#wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
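Review bot: The commented-out HRDN-7402 block is not a runnable draft: it opens two `if` statements (`# if [ ${SKIPTEST} -eq 0 ]; then` and `# if [ -d /opt/SUNWjass -o -d /var/opt/SUNWjass ]; then`) but closes only one with `# fi`, and the stray `# AddHP 3 3` under the ASET heading belongs to no test, so simply uncommenting will not work. Since every line in this file apart from the shebang is commented out, including `InsertSection` and `wait_for_keypress`, either complete HRDN-7402 with its Display/ReportSuggestion lines and the second `fi`, or mark the file as a placeholder in its header so nobody sources it expecting tests.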

125
include/tests_homedirs Normal file

@ -0,0 +1,125 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Home directories
#
#################################################################################
#
InsertSection "Home directories"
#
#################################################################################
#
# Ignore some top level directories (not the sub directories below)
IGNORE_HOME_DIRS="/bin /boot /cdrom /dev /etc /home /lib /lib64 /media /mnt
/opt /proc /sbin /selinux /srv /sys /tmp /usr /var"
#
#################################################################################
#
# Test : HOME-9302
# Description : Create list with home directories
Register --test-no HOME-9302 --weight L --network NO --description "Create list with home directories"
if [ ${SKIPTEST} -eq 0 ]; then
# Read sixth field of /etc/passwd
logtext "Test: query /etc/passwd to obtain home directories"
FIND=`${AWKBINARY} -F: '{ if ($1 !~ "#") print $6 }' /etc/passwd | sort | uniq`
for I in ${FIND}; do
if [ -d ${I} ]; then
logtext "Result: found home directory: ${I} (directory exists)"
report "home_directory[]=${I}"
else
logtext "Result: found home directory: ${I} (directory does not exist)"
fi
done
fi
#
#################################################################################
#
# Test : HOME-9310
# Description : Check for suspicious shell history files
Register --test-no HOME-9310 --weight L --network NO --description "Checking for suspicious shell history files"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${HOMEDIRS}" = "" ]; then
if [ "${OS}" = "Solaris" ]; then
# Solaris doesn't support -maxdepth
FIND=`find ${HOMEDIRS} -name ".*history" -not -type f -print`
else
FIND=`find ${HOMEDIRS} -maxdepth 1 -name ".*history" -not -type f -print`
fi
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking shell history files... " --result OK --color GREEN
logtext "Result: Ok, history files are type 'file'."
else
Display --indent 2 --text "- Checking shell history files... " --result WARNING --color RED
logtext "Result: the following files seem to be of the wrong file type:"
logtext "Output: ${FIND}"
logtext "Info: above files could be redirected files to avoid logging and should be investigated"
ReportWarning ${TEST_NO} "M" "Incorrect file type found for shell history file"
fi
logtext "Remarks: ${HOME_HISTORY_LOG_TEXT}"
else
Display --indent 2 --text "- Checking shell history files... " --result SKIPPED --color WHITE
logtext "Result: Homedirs is empty, test will be skipped"
fi
fi
#
#################################################################################
#
# Test : HOME-9314
# Description : Check if non local paths are found in PATH, which can be a risk, but also bad for performance
# (like searching on a filer, instead of local disk)
#Register --test-no HOME-9314 --weight L --network NO --description "Create list with home directories"
#
#################################################################################
#
# Test : HOME-9350
# Description : Scan home directories for specific files, used in different tests later
# Notes : For performance reasons we combine the scanning of different files, so inode caching is used
# as much as possible for every find command
# Profile opt : ignore_home_dir (multiple lines allowed), ignores home directory
if [ ! "${REPORTFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HOME-9350 --preqs-met ${PREQS_MET} --weight L --network NO --description "Collecting information from home directories"
if [ ${SKIPTEST} -eq 0 ]; then
IGNORE_HOME_DIRS=`grep "^config:ignore_home_dir:" ${PROFILE} | awk -F: '{ print $3 }'`
if [ "${IGNORE_HOME_DIRS}" = "" ]; then
logtext "Result: IGNORE_HOME_DIRS empty, no paths excluded"
else
logtext "Output: ${IGNORE_HOME_DIRS}"
fi
fi
#YYY
#echo -n " - Checking PATH variable vulnerabilities... "
#
#FIND=`find ${HOMEDIRS} -name * | grep -r 'PATH=' | egrep '=.:|:.:|:.;' | grep -v 'CDPATH'`
#if [ "${FIND}" = "" ]
# then
# logtext "Result: Ok, no special things found in the PATH variable"
# else
# echo "[ ${WARNING}WARNING${NORMAL} ]"
# logtext "Warning: Probably found \".\" in the PATH. Details: ${FIND}"
#fi
#
#
#################################################################################
#
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
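Review bot: HOME-9310 passes `-not -type f` to find in both branches, but `-not` is a GNU/BSD extension; POSIX (and Solaris) find spell it `! -type f`, so the Solaris branch that already drops `-maxdepth` for portability will still fail on that flag. Use `! -type f` in both. HOMEDIRS is read by this test but never assigned in this file, while HOME-9302 collects the existing home directories into FIND and only reports them; if HOMEDIRS is not populated elsewhere, HOME-9302 should append each existing directory to it. Also, HOME-9350 overwrites the IGNORE_HOME_DIRS default set at the top of the file with the profile value (empty when the profile has no `config:ignore_home_dir:` line) and then does nothing with it, and the commented Register for HOME-9314 still carries the copy-pasted description "Create list with home directories".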


@ -0,0 +1,117 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Unsecure services
#
#################################################################################
#
InsertSection "Insecure services"
#
#################################################################################
#
INETD_ACTIVE=0
INETD_CONFIG_FILE="/etc/inetd.conf"
#
#################################################################################
#
# Test : INSE-8002
# Description : Check for inetd status
Register --test-no INSE-8002 --weight L --network NO --description "Check for enabled inet daemon"
if [ ${SKIPTEST} -eq 0 ]; then
# Check running processes
logtext "Test: Searching for active inet daemon..."
FIND=`${PSBINARY} ax | grep "inetd" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: inetd is running"
Display --indent 2 --text "- Checking inetd status..." --result ACTIVE --color GREEN
#YYY perform manual check
INETD_ACTIVE=1
else
logtext "Result: inetd is NOT running"
Display --indent 2 --text "- Checking inetd status..." --result "NOT ACTIVE" --color GREEN
fi
fi
#
#################################################################################
#
# Test : INSE-8004
# Description : Check for inetd configuration file
if [ ${INETD_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no INSE-8004 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for enabled inet daemon"
if [ ${SKIPTEST} -eq 0 ]; then
# Check configuration file
logtext "Test: Searching for file ${INETD_CONFIG_FILE}..."
if [ -f ${INETD_CONFIG_FILE} ]; then
logtext "Result: ${INETD_CONFIG_FILE} exists"
Display --indent 4 --text "- Checking inetd.conf..." --result FOUND --color WHITE
else
logtext "Result: ${INETD_CONFIG_FILE} does not exist"
Display --indent 4 --text "- Checking inetd.conf..." --result "NOT FOUND" --color WHITE
fi
# YYY immutable bit could be set
# YYY permission check (already set in profile)
fi
#
#################################################################################
#
# Test : INSE-8006
# Description : Check for inetd configuration file contents if inetd is NOT active
if [ ${INETD_ACTIVE} -eq 0 -a -f ${INETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no INSE-8006 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for disabled inet daemon"
if [ ${SKIPTEST} -eq 0 ]; then
# Check if any service is enabled in /etc/inetd.conf (inetd is not active, see test 8002)
logtext "Test: check if all services are disabled if inetd is disabled"
FIND=`cat ${INETD_CONFIG_FILE} | grep -v "^#" | grep -v "^$"`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking inetd.conf services..." --result OK --color GREEN
else
Display --indent 4 --text "- Checking inetd.conf services..." --result SUGGESTION --color YELLOW
ReportSuggestion ${TEST_NO} "Although inetd is not running, make sure no services are enabled in ${INETD_CONFIG_FILE}"
fi
fi
#
#################################################################################
#
# Test : INSE-8016
# Description : Check for telnet enabled via inetd
if [ ${INETD_ACTIVE} -eq 1 -a -f ${INETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no INSE-8016 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for telnet via inetd"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking telnet presence in inetd configuration"
FIND=`grep "^telnet" ${INETD_CONFIG_FILE}`
if [ "${FIND}" = "" ]; then
logtext "Result: telnet not enabled in ${INETD_CONFIG_FILE}"
Display --indent 2 --text "- Checking inetd (telnet)..." --result FOUND --color GREEN
else
logtext "Result: telnet enabled in ${INETD_CONFIG_FILE}"
Display --indent 2 --text "- Checking inetd (telnet)..." --result WARNING --color RED
fi
fi
#
#################################################################################
#
# Check telnet in /etc/xinetd.conf
# Check telnet in /etc/xinetd/*
# Check running telnet daemon (telnetd)
# rshd rlogin rexec
# /etc/hosts.equiv
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
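Review bot: INSE-8016 displays `FOUND` in green in the branch where grep found no telnet line (the logtext there says "telnet not enabled"); that Display should read `NOT FOUND`, and the branch that does find telnet only displays a WARNING without calling ReportWarning, so the finding never reaches the report. In INSE-8002, `grep "inetd"` on the ps output also matches xinetd and any other process whose command line contains that string, so INETD_ACTIVE can be set without a classic inetd running and INSE-8004/8006/8016 then test the wrong daemon; anchor the pattern (for example on `/inetd` or a word boundary). The Register line of INSE-8004 also reuses the INSE-8002 description "Check for enabled inet daemon".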

458
include/tests_kernel Normal file

@ -0,0 +1,458 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Kernel
#
#################################################################################
#
InsertSection "Kernel"
#
#################################################################################
#
CORE_DUMPS_DISABLED=0
CPU_PAE=0
CPU_NX=0
#
#################################################################################
#
# Test : KRNL-5622
# Description : Check default run level on Linux machines
Register --test-no KRNL-5622 --os Linux --weight L --network NO --description "Determine Linux default run level"
if [ ${SKIPTEST} -eq 0 ]; then
# Checking if we can find the systemd default target
logtext "Test: Checking for systemd default.target"
if [ -L /etc/systemd/system/default.target ]; then
logtext "Result: symlink found"
if [ ! "${READLINKBINARY}" = "" ]; then
FIND=`${READLINKBINARY} /etc/systemd/system/default.target`
if [ "${FIND}" = "" ]; then
logtext "Exception: can't find the target of the symlink of /etc/systemd/system/default.target"
ReportException "${TEST_NO}:01"
else
FIND2=`echo ${FIND} | egrep "runlevel5|graphical"`
if [ ! "${FIND2}" = "" ]; then
logtext "Result: Found match on runlevel5/graphical"
Display --indent 2 --text "- Checking default runlevel..." --result "runlevel 5" --color GREEN
report "linux_default_runlevel=5"
else
logtext "Result: No match found on runlevel, defaulting to runlevel 3"
Display --indent 2 --text "- Checking default runlevel..." --result "runlevel 3" --color GREEN
report "linux_default_runlevel=3"
fi
fi
else
logtext "Result: No readlink binary, can't determine where symlink is pointing to"
Display --indent 2 --text "- Checking default run level" --result UNKNOWN --color YELLOW
fi
else
logtext "Result: no systemd found, so trying inittab"
logtext "Test: Checking /etc/inittab"
if [ -f /etc/inittab ]; then
logtext "Result: file /etc/inittab found"
logtext "Test: Checking default Linux run level..."
FIND=`awk -F: '/^id/ { print $2; }' /etc/inittab | head -n 1`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking default runlevel" --result UNKNOWN --color YELLOW
logtext "Result: Can't determine default run level from /etc/inittab"
else
Display --indent 2 --text "- Checking default run level..." --result "${FIND}" --color GREEN
logtext "Found default run level '${FIND}'"
report "linux_default_runlevel=${FIND}"
fi
else
logtext "Result: file /etc/inittab not found"
if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then
logtext "Test: Checking run level with who -r, for Debian based systems"
FIND=`who -r | awk '{ if ($1=="run-level") { print $2 } }'`
if [ ! "${FIND}" = "" ]; then
logtext "Result: Found default run level '${FIND}'"
report "linux_default_runlevel=${FIND}"
Display --indent 2 --text "- Checking default run level..." --result "RUNLEVEL ${FIND}" --color GREEN
else
logtext "Result: Can't determine default run level from who -r"
Display --indent 2 --text "- Checking default run level..." --result UNKNOWN --color YELLOW
fi
fi
fi
fi
fi
#
#################################################################################
#
# Test : KRNL-5677
# Description : Check CPU options and support (PAE, No eXecute, eXecute Disable)
# More info : pae and nx bit are both visible on AMD and Intel CPU's if supported
Register --test-no KRNL-5677 --os Linux --weight L --network NO --description "Check CPU options and support"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Checking CPU support (NX/PAE)"
logtext "Test: Checking /proc/cpuinfo..."
if [ -f /proc/cpuinfo ]; then
logtext "Result: found /proc/cpuinfo"
logtext "Test: Checking CPU options (XD/NX/PAE)..."
FIND_PAE_NX=`cat /proc/cpuinfo | grep " pae " | grep " nx "`
FIND_PAE=`cat /proc/cpuinfo | grep " pae "`
FIND_NX=`cat /proc/cpuinfo | grep " nx "`
FOUND=0
if [ ! "${FIND_PAE_NX}" = "" ]; then
logtext "PAE: Yes"
logtext "NX: Yes"
CPU_PAE=1
CPU_NX=1
logtext "Result: PAE or No eXecute option(s) both found"
report "cpu_pae=1"
report "cpu_nx=1"
FOUND=1
else
if [ ! "${FIND_PAE}" = "" -a "${FIND_NX}" = "" ]; then
report "cpu_pae=1"
logtext "Result: found PAE"
CPU_PAE=1
FOUND=1
else
if [ ! "${FIND_NX}" = "" -a "${FIND_PAE}" = "" ]; then
report "cpu_nx=1"
logtext "Result: found No eXecute"
CPU_NX=1
FOUND=1
else
logtext "Result: found no CPU options enabled (PAE or NX bit)"
fi
fi
fi
if [ ${FOUND} -eq 1 ]; then
Display --indent 4 --text "CPU support: PAE and/or NoeXecute supported" --result FOUND --color GREEN
else
Display --indent 4 --text "CPU support: No PAE or NoeXecute supported" --result NONE --color YELLOW
ReportSuggestion ${TEST_NO} "Use a PAE enabled kernel when possible to gain native No eXecute/eXecute Disable support"
fi
else
Display --indent 4 --text "CPU support: no /proc/cpuinfo" --result SKIPPED --color YELLOW
logtext "Result: /proc/cpuinfo not found"
fi
fi
#
#################################################################################
#
# Test : KRNL-5680
# Description : Check if installed kernel has PAE support
# Dependency : KRNL-5677
# More info : RedHat/CentOS/Fedora uses the package name 'kernel-PAE'
#
#################################################################################
#
# Test : KRNL-5695
# Description : Determining Linux kernel version and release number
Register --test-no KRNL-5695 --os Linux --weight L --network NO --description "Determine Linux kernel version and release number"
if [ ${SKIPTEST} -eq 0 ]; then
# Kernel number (and suffix)
LINUX_KERNEL_RELEASE=`uname -r`
report "linux_kernel_release=${LINUX_KERNEL_RELEASE}"
logtext "Result: found kernel release ${LINUX_KERNEL_RELEASE}"
# Type and build date
LINUX_KERNEL_VERSION=`uname -v`
report "linux_kernel_version=${LINUX_KERNEL_VERSION}"
logtext "Result: found kernel version ${LINUX_KERNEL_VERSION}"
Display --indent 2 --text "- Checking kernel version and release" --result DONE --color GREEN
fi
#
#################################################################################
#
# Test : KRNL-5723
# Description : Check if Linux is build as a monolithic kernel or not
Register --test-no KRNL-5723 --os Linux --weight L --network NO --description "Determining if Linux kernel is monolithic"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${LSMODBINARY}" = "" ]; then
logtext "Test: checking if kernel is monolithic or modular"
# Checking if any modules are loaded
FIND=`${LSMODBINARY} | grep -v "^Module" | wc -l | tr -s ' ' | tr -d ' '`
Display --indent 2 --text "- Checking kernel type" --result DONE --color GREEN
if [ "${FIND}" = "0" ]; then
logtext "Result: Found monolithic kernel"
report "linux_kernel_type=monolithic"
MONOLITHIC_KERNEL=1
else
logtext "Result: Found modular kernel"
report "linux_kernel_type=modular"
MONOLITHIC_KERNEL=0
fi
else
logtext "Test skipped, no lsmod binary found"
# Exception?
fi
fi
#
#################################################################################
#
# Test : KRNL-5726
# Description : Checking Linux loaded kernel modules
Register --test-no KRNL-5726 --os Linux --weight L --network NO --description "Checking Linux loaded kernel modules"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${LSMODBINARY}" = "" ]; then
FIND=`lsmod | awk '{ if ($1!="Module") print $1 }' | sort`
Display --indent 2 --text "- Checking loaded kernel modules" --result DONE --color GREEN
if [ ! "${FIND}" = "" ]; then
logtext "Loaded modules according lsmod:"
N=0
for I in ${FIND}; do
logtext "Loaded module: ${I}"
report "loaded_kernel_module[]=${I}"
N=`expr ${N} + 1`
done
Display --indent 6 --text "Found ${N} active modules"
else
logtext "Result: no loaded modules found"
logtext "Notice: No loaded kernel modules could indicate a broken/malformed lsmod, or a (custom) monolithic kernel"
fi
else
logtext "Test skipped, no lsmod binary found"
# Exception?
fi
fi
#
#################################################################################
#
# Test : KRNL-5728
# Description : Checking for available Linux kernel configuration file in /boot
Register --test-no KRNL-5728 --os Linux --weight L --network NO --description "Checking Linux kernel config"
if [ ${SKIPTEST} -eq 0 ]; then
LINUXCONFIGFILE="/boot/config-`uname -r`"
if [ -f ${LINUXCONFIGFILE} ]; then
logtext "Result: found config (${LINUXCONFIGFILE})"
Display --indent 2 --text "- Checking Linux kernel configuration file" --result FOUND --color GREEN
else
logtext "Result: no Linux kernel configuration file found in /boot"
Display --indent 2 --text "- Checking Linux kernel configuration file" --result "NOT FOUND" --color WHITE
fi
fi
#
#################################################################################
#
# Test : KRNL-5730
# Description : Checking default I/O kernel scheduler
PREQS_MET="NO"
if [ ! "${LINUXCONFIGFILE}" = "" ]; then
if [ -f ${LINUXCONFIGFILE} ]; then PREQS_MET="YES"; fi
fi
Register --test-no KRNL-5730 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking disk I/O kernel scheduler"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking the default I/O kernel scheduler"
LINUX_KERNEL_IOSCHED=`${GREPBINARY} "CONFIG_DEFAULT_IOSCHED" ${LINUXCONFIGFILE} | awk -F= '{ print $2 }' | sed s/\"//g`
if [ ! "${LINUX_KERNEL_IOSCHED}" = "" ]; then
logtext "Result: found [${LINUX_KERNEL_IOSCHED}]"
Display --indent 2 --text "- Checking default I/O kernel scheduler" --result FOUND --color GREEN
report "linux_kernel_io_scheduler[]=${LINUX_KERNEL_IOSCHED}"
else
logtext "Result: no default i/o kernel scheduler found"
Display --indent 2 --text "- Checking default I/O kernel scheduler" --result "NOT FOUND" --color WHITE
fi
fi
#
#################################################################################
#
# YYY Check for kernel options
#
#################################################################################
#
# Test : KRNL-5745
# Description : Checking FreeBSD loaded kernel modules
Register --test-no KRNL-5745 --os FreeBSD --weight L --network NO --description "Checking FreeBSD loaded kernel modules"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Checking active kernel modules..."
logtext "Test: ${KERNEL_ACTIVE_MODULES_TITLE}"
logtext "Description: ${KERNEL_ACTIVE_MODULES_DESCRIPTION}"
logtext "Action: Checking modules"
if [ -f /sbin/kldstat ]; then
FIND=`kldstat | grep -v 'Name' | tr -s ' ' | cut -d ' ' -f6`
if [ $? -eq 0 ]; then
logtext "Loaded modules according kldstat:"
N=0
for I in ${FIND}; do
logtext "Loaded module: ${I}"
report "loaded_kernel_module[]=${I}"
N=`expr ${N} + 1`
done
Display --indent 4 --text "Found ${N} kernel modules" --result DONE --color GREEN
else
Display --indent 4 --text "Test failed" --result WARNING --color RED
logtext "Result: Problem with executing kldstat"
fi
else
echo "[ ${WHITE}SKIPPED${NORMAL} ]"
logtext "Result: no results, can't find /sbin/kldstat"
fi
fi
#
#################################################################################
#
# Test : KRNL-5770
# Description : Checking Solaris load modules
Register --test-no KRNL-5770 --os Solaris --weight L --network NO --description "Checking active kernel modules"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: searching loaded kernel modules"
FIND=`modinfo -c -w | grep -v "UNLOADED" | grep LOADED | awk '{ print $3 }' | sort`
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
logtext "Found module: ${I}"
report "loaded_kernel_module[]=${I}"
done
Display --indent 2 --text "- Checking Solaris active kernel modules" --result DONE --color GREEN
else
logtext "Result: no output"
Display --indent 2 --text "- Checking Solaris active kernel modules" --result UNKNOWN --color YELLOW
fi
fi
#
#################################################################################
#
# Test : KRNL-5788
# Description : Checking availability new kernel
if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no KRNL-5788 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking availability new Linux kernel"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching apt-cache, to determine if a newer kernel is available"
if [ -x /usr/bin/apt-cache ]; then
logtext "Result: found /usr/bin/apt-cache"
# YYY Test for presence /usr/bin/apt-cache and dpkg
logtext "Test: checking readlink location of /vmlinuz"
FINDKERNFILE=`readlink -f /vmlinuz`
logtext "Output: readlink reported file ${FINDKERNFILE}"
logtext "Test: checking package from dpkg -S"
FINDKERNEL=`dpkg -S ${FINDKERNFILE} 2> /dev/null | awk -F : '{print $1}'`
logtext "Output: dpkg -S reported package ${FINDKERNEL}"
logtext "Test: Using apt-cache policy to determine if there is an update available"
FINDINST=`apt-cache policy ${FINDKERNEL} | egrep 'Installed' | cut -d ':' -f2 | tr -d ' '`
FINDCAND=`apt-cache policy ${FINDKERNEL} | egrep 'Candidate' | cut -d ':' -f2 | tr -d ' '`
logtext "Kernel installed: ${FINDINST}"
logtext "Kernel candidate: ${FINDCAND}"
if [ "${FINDINST}" = "" ]; then
Display --indent 2 --text "- Checking for available kernel update... " --result UNKNOWN --color YELLOW
logtext "Result: Exception occured, no output from apt-cache policy"
ReportException "${TEST_NO}:01"
logtext "Exception: apt-cache policy did not return an installed kernel version"
ReportSuggestion ${TEST_NO} "Check the output of apt-cache policy manually to determine why output is empty"
else
if [ "${FINDINST}" = "${FINDCAND}" ]; then
Display --indent 2 --text "- Checking for available kernel update... " --result OK --color GREEN
logtext "Result: no kernel update available"
else
Display --indent 2 --text "- Checking for available kernel update... " --result "UPDATE AVAILABLE" --color YELLOW
logtext "Result: kernel update available according 'apt-cache policy'."
ReportSuggestion ${TEST_NO} "Determine priority for available kernel update"
fi
fi
else
logtext "Result: could NOT find /usr/bin/apt-cache, skipped other tests."
fi
fi
#
#################################################################################
#
# Test : KRNL-5820
# Description : Checking core dumps configuration (Linux)
Register --test-no KRNL-5820 --os Linux --weight L --network NO --description "Checking core dumps configuration"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking presence /etc/security/limits.conf"
if [ -f /etc/security/limits.conf ]; then
logtext "Result: file /etc/security/limits.conf exists"
logtext "Test: Checking if core dumps are disabled in /etc/security/limits.conf"
FIND1=`cat /etc/security/limits.conf | grep -v "^#" | grep -v "^$" | awk '{ if ($1=="*" && $2=="soft" && $3=="core") { print "soft core enabled" } }'`
FIND2=`cat /etc/security/limits.conf | grep -v "^#" | grep -v "^$" | awk '{ if ($1=="*" && $2=="hard" && $3=="core") { print "hard core enabled" } }'`
if [ "${FIND1}" = "soft core enabled" -o "${FIND2}" = "hard core enabled" ]; then
logtext "Result: core dumps (soft or hard) are enabled"
Display --indent 2 --text "- Checking core dumps configuration... " --result ENABLED --color YELLOW
#YYY suggestion
AddHP 1 2
else
logtext "Result: core dumps (soft and hard) are both disabled"
Display --indent 2 --text "- Checking core dumps configuration... " --result DISABLED --color GREEN
CORE_DUMPS_DISABLED=1
AddHP 3 3
fi
# Sysctl option
logtext "Test: Checking sysctl value of fs.suid_dumpable"
FIND=`${SYSCTLBINARY} fs.suid_dumpable 2> /dev/null | awk '{ if ($1=="fs.suid_dumpable") { print $3 } }'`
if [ "${FIND}" = "" ]; then
logtext "Result: value ${FIND} found"
else
logtext "Result: sysctl key fs.suid_dumpable not found"
fi
if [ "${FIND}" = "2" ]; then
logtext "Result: programs can dump core dump, but only readable by root (value 2, for debugging with file protection)"
Display --indent 4 --text "- Checking setuid core dumps configuration... " --result PROTECTED --color GREEN
AddHP 1 1
elif [ "${FIND}" = "1" ]; then
logtext "Result: all programs can perform core dumps (value 1, for debugging)"
Display --indent 2 --text "- Checking setuid core dumps configuration... " --result DEBUG --color YELLOW
ReportSuggestion ${TEST_NO} "Determine if really all binaries need to be able to core dump"
AddHP 0 1
else
logtext "Result: found default option, some programs can dump (not processes which need to change credentials)"
Display --indent 4 --text "- Checking setuid core dumps configuration... " --result DEFAULT --color YELLOW
AddHP 1 1
fi
# Check ulimit settings and harden it
# echo 'ulimit -S -c 0 > /dev/null 2>&1' >> /etc/profile
else
logtext "Result: file /etc/security/limits.conf does not exist, skipping test"
fi
fi
#
#################################################################################
#
# Test : KRNL-5826
# Description : Checking core dumps configuration (Solaris)
#Register --test-no KRNL-5826 --os Linux --weight L --network NO --description "Checking core dumps configuration"
#if [ ${SKIPTEST} -eq 0 ]; then
#
#################################################################################
#
# Test : KRNL-5830
# Description : Check if system needs a reboot (Debian based)
Register --test-no KRNL-5830 --weight L --network NO --description "Checking core dumps configuration"
if [ ${SKIPTEST} -eq 0 ]; then
FILE="/var/run/reboot-required.pkgs"
logtext "Test: Checking presence ${FILE}"
if [ -f ${FILE} ]; then
logtext "Result: file ${FILE} exists"
FIND=`cat ${FILE}`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Check if reboot is needed" --result NO --color GREEN
AddHP 5 5
else
PKGSCOUNT=`cat ${FILE} | wc -l`
Display --indent 2 --text "- Check if reboot is needed" --result YES --color RED
ReportWarning ${TEST_NO} "H" "Reboot of system is needed"
logtext "Result: reboot is needed, related to ${PKGSCOUNT} packages"
for I in ${FIND}; do
logtext "Package: ${I}"
done
AddHP 0 5
fi
else
logtext "Result: file ${FILE} not found, skipping further testing"
fi
fi
#
#################################################################################
#
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - http://cisofy.com - The Netherlands
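Review bot: KRNL-5820 scores core dumps as enabled whenever limits.conf contains a `* soft core` or `* hard core` line, regardless of the fourth field, so the usual disabling entry `* hard core 0` is reported as ENABLED and penalised with `AddHP 1 2`; the awk filters should also test `$4 == "0"` before deciding. In the same test the fs.suid_dumpable check has its condition inverted: `if [ "${FIND}" = "" ]` logs "value ${FIND} found" for an empty result and "key not found" for a non-empty one. Smaller points: KRNL-5830 registers with the copied description "Checking core dumps configuration" although it checks /var/run/reboot-required.pkgs; KRNL-5726 tests LSMODBINARY but then calls plain `lsmod`; KRNL-5745 falls back to a raw `echo "[ SKIPPED ]"` instead of Display; and MONOLITHIC_KERNEL set in KRNL-5723 has no default next to CORE_DUMPS_DISABLED, CPU_PAE and CPU_NX at the top of the file.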


@ -0,0 +1,69 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Kernel
#
#################################################################################
#
InsertSection "Kernel Hardening"
#
#################################################################################
#
# Test : KRNL-6000
# Description : Check sysctl parameters
# Sysctl : net.ipv4.icmp_ingore_bogus_error_responses (=1)
if [ ! "${SYSCTL_READKEY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no KRNL-6000 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check sysctl key pairs in scan profile"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
Display --indent 2 --text "- Comparing sysctl key pairs with scan profile..."
FIND=`grep "^sysctl:" ${PROFILE} | sed 's/ /:space:/g'`
for I in ${FIND}; do
tFINDkey=`echo ${I} | awk -F: '{ print $2 }'`
tFINDexpvalue=`echo ${I} | awk -F: '{ print $3 }'`
tFINDhp=`echo ${I} | awk -F: '{ print $4 }' | grep "[0-9]"`
tFINDdesc=`echo ${I} | awk -F: '{ print $5 }' | sed 's/:space:/ /g'`
tFINDcurvalue=`${SYSCTL_READKEY} ${tFINDkey} 2> /dev/null`
if [ ! "${tFINDcurvalue}" = "" ]; then
if [ "${tFINDexpvalue}" = "${tFINDcurvalue}" ]; then
logtext "Result: sysctl key ${tFINDkey} contains equal expected and current value (${tFINDexpvalue})"
Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result OK --color GREEN
AddHP ${tFINDhp} ${tFINDhp}
else
logtext "Result: sysctl key ${tFINDkey} has a different value than expected in scan profile. Expected=${tFINDexpvalue}, Real=${tFINDcurvalue}"
Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result DIFFERENT --color RED
AddHP 0 ${tFINDhp}
N=1
fi
else
logtext "Result: key ${tFINDkey} does not exist on this machine"
fi
done
# Add suggestion if one or more sysctls have a different value than scan profile
if [ ${N} -eq 1 ]; then
ReportSuggestion ${TEST_NO} "One or more sysctl values differ from the scan profile and could be tweaked"
fi
fi
#
#################################################################################
#
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - http://cisofy.com - The Netherlands
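Review bot: in KRNL-6000 the whole profile line has its spaces replaced by `:space:` before the fields are split, but only tFINDdesc is converted back; tFINDexpvalue keeps the `:space:` tokens, so a sysctl whose expected value contains whitespace (multi-value keys) can never compare equal and is always reported DIFFERENT. Also tFINDhp is filtered through `grep "[0-9]"` and becomes empty for a non-numeric hardening-points field, after which `AddHP ${tFINDhp} ${tFINDhp}` runs with no arguments; validate the field or default it to 0. The header comment also misspells the key as `icmp_ingore_bogus_error_responses`.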

105
include/tests_ldap Normal file

@ -0,0 +1,105 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# LDAP Services
#
#################################################################################
#
InsertSection "LDAP Services"
#
#################################################################################
#
SLAPD_CONF_LOCS="/etc/ldap /etc/openldap /usr/local/etc/openldap"
SLAPD_CONF_LOCATION=""
SLAPD_RUNNING=0
#
#################################################################################
#
# Test : LDAP-2219
# Description : Check running OpenLDAP instance
Register --test-no LDAP-2219 --weight L --network NO --description "Check running OpenLDAP instance"
if [ ${SKIPTEST} -eq 0 ]; then
#YYY add additional slash
FIND=`${PSBINARY} ax | grep "slapd" | grep -v "grep"`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking OpenLDAP instance..." --result "NOT FOUND" --color WHITE
logtext "Result: No running slapd process found."
else
Display --indent 2 --text "- Checking OpenLDAP instance..." --result FOUND --color GREEN
logtext "Result: Found running slapd process"
SLAPDFOUND=1
SLAPD_RUNNING=1
fi
fi
#
#################################################################################
#
# Test : LDAP-2224
# Description : Search slapd.conf
if [ ${SLAPD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LDAP-2224 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check presence slapd.conf"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching slapd.conf"
for I in ${SLAPD_CONF_LOCS}; do
if [ -f ${I}/slapd.conf ]; then
logtext "Result: found ${I}/slapd.conf"
SLAPD_CONF_LOCATION="${I}/slapd.conf"
else
logtext "Result: ${I} does not contain slapd.conf"
fi
done
# Check if we found a valid location
if [ ! "${SLAPD_CONF_LOCATION}" = "" ]; then
Display --indent 4 --text "- Checking slapd.conf..." --result FOUND --color GREEN
else
Display --indent 4 --text "- Checking slapd.conf..." --result "NOT FOUND" --color YELLOW
fi
fi
#
#################################################################################
#
# Test : LDAP-2228
# Description : Check OpenLDAP slapd.conf file permissions
#
#################################################################################
#
# Test : LDAP-2232
# Description : Check OpenLDAP ownership on files/directories
#
#################################################################################
#
# Test : LDAP-2236
# Description : Check OpenLDAP database permissions
#
#################################################################################
#
# Test : LDAP-2240
# Description : Check OpenLDAP unencrypted RootDN password
#
#################################################################################
#
# Test : LDAP-2244
# Description : Check for LDAP configured client (and inform about LDAPS)
#
#################################################################################
#
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
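Review bot: Tests LDAP-2228 through LDAP-2244 (slapd.conf permissions, file ownership, database permissions, unencrypted RootDN password, LDAPS client check) exist only as header comments with no Register call or test body, so the file locates slapd.conf in LDAP-2224 and then reports nothing about it; implement them or mark the headers as TODO so they are not read as active tests. In LDAP-2219, `FIND=\`${PSBINARY} ax | grep "slapd" | grep -v "grep"\`` matches any command line containing the substring (the `#YYY add additional slash` note already flags this); anchoring on `/slapd`, as the syslog-ng test in tests_logging does with `/syslog-ng`, would avoid false positives from editors or shells that merely mention the name. SLAPDFOUND is set next to SLAPD_RUNNING but is neither initialised with the other variables at the top nor used anywhere in this file; drop it or initialise it.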

482
include/tests_logging Normal file

@ -0,0 +1,482 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Logging and related files
#
#################################################################################
#
LOG_FILES_LOCS="/var/log /var/adm"
LOGROTATE_CONFIG_FOUND=0
LOGROTATE_TOOL=""
METALOG_RUNNING=0
RFC3195D_RUNNING=0
RSYSLOG_RUNNING=0
SOLARIS_LOGHOST_FOUND=0
SYSLOG_DAEMON_PRESENT=0
SYSLOG_DAEMON_RUNNING=0
SYSLOG_NG_RUNNING=0
#YYY (extend support for systemd journal)
SYSTEMD_JOURNAL_RUNNING=0
#
#################################################################################
#
InsertSection "Logging and files"
# Test : LOGG-2130
# Description : Check for a running syslog daemon
# Notes : Log which syslog daemon is found YYY
Register --test-no LOGG-2130 --weight L --network NO --description "Check for running syslog daemon"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching for a logging daemon... "
FIND=`${PSBINARY} ax | egrep "syslogd|syslog-ng|metalog|systemd-journal" | grep -v "grep"`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking for a running log daemon..." --result WARNING --color RED
logtext "Result: Could not find a syslog daemon like syslog, syslog-ng, rsyslog, metalog, systemd-journal"
ReportSuggestion ${TEST_NO} "Check if any syslog daemon is running and correctly configured."
ReportWarning ${TEST_NO} "H" "No syslog daemon found"
AddHP 0 3
else
Display --indent 2 --text "- Checking for a running log daemon..." --result OK --color GREEN
logtext "Result: Found a logging daemon"
SYSLOG_DAEMON_PRESENT=1
SYSLOG_DAEMON_RUNNING=1
AddHP 3 3
fi
fi
#
#################################################################################
#
# Test : LOGG-2132
# Description : Check for a running syslog-ng daemon
Register --test-no LOGG-2132 --weight L --network NO --description "Check for running syslog-ng daemon"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching for syslog-ng daemon in process list... "
FIND=`${PSBINARY} ax | grep "/syslog-ng" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: Found syslog-ng in process list"
Display --indent 4 --text "- Checking Syslog-NG status" --result FOUND --color GREEN
SYSLOG_DAEMON_PRESENT=1
SYSLOG_NG_RUNNING=1
else
logtext "Result: Syslog-ng NOT found in process list"
Display --indent 4 --text "- Checking Syslog-NG status" --result "NOT FOUND" --color WHITE
fi
fi
#
#################################################################################
#
# Test : LOGG-2134
# Description : Check for Syslog-NG configuration file consistency
if [ ! "${SYSLOGNGBINARY}" = "" -a ${SYSLOG_NG_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2134 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking Syslog-NG configuration file consistency"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${SYSLOGNGBINARY} -s; echo $?`
if [ "${FIND}" = "0" ]; then
logtext "Result: Syslog-NG configuration file seems to be consistent"
Display --indent 6 --text "- Checking Syslog-NG consistency" --result OK --color GREEN
else
logtext "Result: Syslog-NG configuration file seems NOT to be consistent"
Display --indent 6 --text "- Checking Syslog-NG consistency" --result WARNING --color RED
ReportWarning ${TEST_NO} "L" "Found one or more problems in Syslog-NG configuration file"
ReportSuggestion ${TEST_NO} "Check the Syslog-NG configuration file and/or run a manual consistency check with: syslog-ng -s"
fi
fi
#
#################################################################################
#
# Test : LOGG-2210
# Description : Check for a running metalog daemon
Register --test-no LOGG-2210 --weight L --network NO --description "Check for running metalog daemon"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching for metalog daemon in process list... "
FIND=`${PSBINARY} ax | grep "metalog" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: Found metalog in process list"
Display --indent 4 --text "- Checking Metalog status" --result FOUND --color GREEN
SYSLOG_DAEMON_PRESENT=1
METALOG_RUNNING=1
else
logtext "Result: metalog NOT found in process list"
Display --indent 4 --text "- Checking Metalog status" --result "NOT FOUND" --color WHITE
fi
fi
#
#################################################################################
#
# Test : LOGG-2230
# Description : Check for a running rsyslog daemon
Register --test-no LOGG-2230 --weight L --network NO --description "Check for running RSyslog daemon"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching for RSyslog daemon in process list... "
FIND=`${PSBINARY} ax | grep "rsyslogd" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: Found rsyslogd in process list"
Display --indent 4 --text "- Checking RSyslog status" --result FOUND --color GREEN
SYSLOG_DAEMON_PRESENT=1
RSYSLOG_RUNNING=1
else
logtext "Result: rsyslogd NOT found in process list"
Display --indent 4 --text "- Checking RSyslog status" --result "NOT FOUND" --color WHITE
fi
fi
#
#################################################################################
#
# Test : LOGG-2240
# Description : Check for a running RFC 3195 compliant daemon (syslog via TCP)
Register --test-no LOGG-2240 --weight L --network NO --description "Check for running RFC 3195 compliant daemon"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching for RFC 3195 daemon (alias syslog reliable) in process list... "
FIND=`${PSBINARY} ax | grep "rfc3195d" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: Found rfc3195d in process list"
Display --indent 4 --text "- Checking RFC 3195 daemon status" --result FOUND --color GREEN
SYSLOG_DAEMON_PRESENT=1
RFC3195D_RUNNING=1
else
logtext "Result: rfc3195d NOT found in process list"
Display --indent 4 --text "- Checking RFC 3195 daemon status" --result "NOT FOUND" --color WHITE
fi
fi
#
#################################################################################
#
# Test : LOGG-2138
# Description : Check for kernel log daemon (klogd) presence on Linux systems
# Notes : When using rsyslog, this process is not needed. In combination
# with syslog-ng, klogd is still an addition to it, since it
# captures kernel related events and send them to syslog-ng.
# This test should be below all other logging daemons
Register --test-no LOGG-2138 --os Linux --weight L --network NO --description "Checking kernel logger daemon on Linux"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching kernel logger daemon (klogd)"
if [ ${RSYSLOG_RUNNING} -eq 0 ]; then
# Search for klogd, but ignore other lines related to klogd (like dd with input/output file)
FIND=`${PSBINARY} ax | grep "klogd" | grep -v "dd" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: klogd running"
Display --indent 4 --text "- Checking klogd" --result FOUND --color GREEN
else
logtext "Result: No klogd found"
Display --indent 4 --text "- Checking klogd" --result "NOT FOUND" --color RED
ReportWarning ${TEST_NO} "L" "klogd is not running, which could lead to missing kernel messages in log files"
ReportSuggestion ${TEST_NO} "Check why klogd is not running"
fi
else
logtext "Result: test skipped, because rsyslogd is being used"
fi
fi
#
#################################################################################
#
# Test : LOGG-2142
# Description : Check for minilogd presence on Linux systems
Register --test-no LOGG-2142 --os Linux --weight L --network NO --description "Checking minilog daemon"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Result: Checking for unkilled minilogd instances.."
# Search for minilogd. It shouldn't be running normally, if another syslog daemon is started
FIND=`${PSBINARY} ax | grep "minilogd" | grep -v "grep"`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking minilogd instances" --result "NOT FOUND" --color WHITE
logtext "Result: No minilogd is running.."
else
Display --indent 4 --text "- Checking minilogd instances" --result WARNING --color RED
logtext "Result: minilogd found in process list"
# minilogd daemon seems to be running..
ReportWarning ${TEST_NO} "L" "minilogd is running, which should normally not be running"
ReportSuggestion ${TEST_NO} "Check minilogd is active and if other syslog daemons are started up properly"
fi
fi
#
#################################################################################
#
# Test : LOGG-2146
# Description : Check for logrotate (/etc/logrotate.conf and logrotate.d)
Register --test-no LOGG-2146 --weight L --os Linux --network NO --description "Checking logrotate.conf and logrotate.d"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking for /etc/logrotate.conf"
if [ -f /etc/logrotate.conf ]; then
LOGROTATE_CONFIG_FOUND=1
LOGROTATE_TOOL="logrotate"
logtext "Result: /etc/logrotate.conf found (file)"
else
logtext "Result: /etc/logrotate.conf NOT found"
fi
logtext "Test: Checking for /etc/logrotate.d (directory)"
if [ -d /etc/logrotate.d ]; then
LOGROTATE_CONFIG_FOUND=1
LOGROTATE_TOOL="logrotate"
logtext "Result: /etc/logrotate.d found"
else
logtext "Result: /etc/logrotate.conf found"
fi
if [ ${LOGROTATE_CONFIG_FOUND} -eq 1 ]; then
Display --indent 2 --text "- Checking logrotate presence" --result OK --color GREEN
logtext "Result: logrotate configuration found"
else
Display --indent 2 --text "- Checking logrotate presence" --result WARNING --color RED
logtext "Result: No logrotate configuration found"
ReportWarning ${TEST_NO} "L" "No logrotate configuration has been found"
ReportSuggestion ${TEST_NO} "Check if files are properly rotated by a some tool instead of logrotate"
fi
fi
#
#################################################################################
#
# Test : LOGG-2148
# Description : Checking log files rotated with logrotate
if [ ! "${LOGROTATEBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2148 --weight L --preqs-met ${PREQS_MET} --network NO --description "Checking logrotated files"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking which files are rotated with logrotate and if they exist"
FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | egrep "considering log|skipping" | grep -v '*' | sort | uniq | awk '{ if ($2!="log") { print "File:"$2":does_not_exist" } else { print "File:"$3":exists" } }'`
if [ "${FIND}" = "" ]; then
logtext "Result: nothing found"
else
logtext "Result: found one or more files which are rotated via logrotate"
for I in ${FIND}; do
logtext "Output: ${I}"
done
fi
fi
#
#################################################################################
#
# Test : LOGG-2150
# Description : Checking log directories rotated with logrotate
if [ ! "${LOGROTATEBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2150 --weight L --preqs-met ${PREQS_MET} --network NO --description "Checking directories in logrotate configuration"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking which directories can be found in logrotate configuration"
FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | egrep "considering log|skipping" | grep -v '*' | sort | uniq | awk '{ if ($2=="log") { print $3 } }' | sed 's/\/*[a-zA-Z_.-]*$//g' | sort | uniq`
if [ "${FIND}" = "" ]; then
logtext "Result: nothing found"
else
logtext "Result: found one or more directories (via logrotate configuration)"
for I in ${FIND}; do
if [ -d ${I} ]; then
logtext "Directory found: ${I}"
report "log_directory[]=${I}"
else
logtext "Directory could not be found: ${I}"
# YYY strip more parts of the name, until it can be found (and stop at /)
fi
done
fi
fi
#
#################################################################################
#
# Test : LOGG-2152
# Description : Check for Solaris 'loghost' entry in /etc/inet/hosts, or
# succesful resolving via DNS or any other name service.
Register --test-no LOGG-2152 --weight L --os Solaris --network NO --description "Checking loghost"
if [ ${SKIPTEST} -eq 0 ]; then
# Try local hosts file
logtext "Result: Checking for loghost in /etc/inet/hosts"
FIND=`grep loghost /etc/inet/hosts | grep -v "^#"`
if [ ! "${FIND}" = "" ]; then
SOLARIS_LOGHOST_FOUND=1
logtext "Result: Found loghost entry in /etc/inet/hosts"
else
logtext "Result: No loghost entry found in /etc/inet/hosts"
# Try name resolving if no entry is present in local host file
logtext "Result: Checking for loghost via name resolving"
FIND=`getent hosts loghost | grep loghost`
if [ ! "${FIND}" = "" ]; then
SOLARIS_LOGHOST_FOUND=1
logtext "Result: name resolving was succesful"
logtext "Output: ${FIND}"
else
logtext "Result: name resolving didn't find results"
fi
fi
if [ ${SOLARIS_LOGHOST_FOUND} -eq 1 ]; then
logtext "Result: loghost entry found and most likely used to send syslog messages"
Display --indent 2 --text "- Checking loghost entry" --result OK --color GREEN
else
Display --indent 2 --text "- Checking loghost entry" --result WARNING --color RED
logtext "Result: No loghost entry found"
ReportWarning ${TEST_NO} "L" "No loghost entry found"
ReportSuggestion ${TEST_NO} "Add a loghost entry to /etc/inet/hosts or other name services"
fi
fi
#
#################################################################################
#
# Test : LOGG-2154
# Description : Check to see if remote logging is enabled
# Notes : prevent lines showing up with commands in it (like |mail)
if [ ${SYSLOG_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2154 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking syslog configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ${SYSLOG_NG_RUNNING} -eq 1 ]; then
SYSLOGD_CONF="/etc/syslog-ng/syslog-ng.conf"
else
SYSLOGD_CONF="/etc/syslog.conf"
fi
if [ -f ${SYSLOGD_CONF} ]; then
logtext "Test: check if logs are also logged to a remote logging host"
FIND=`egrep "@[a-zA-Z0-9]" ${SYSLOGD_CONF} | grep -v "^#" | grep -v "[a-zA-Z0-9]@"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: remote logging enabled"
AddHP 5 5
Display --indent 2 --text "- Checking remote logging" --result ENABLED --color GREEN
else
logtext "Result: no remote logging found"
ReportSuggestion ${TEST_NO} "Enable logging to an external logging host for archiving purposes and additional protection"
AddHP 1 3
Display --indent 2 --text "- Checking remote logging" --result "NOT ENABLED" --color YELLOW
fi
else
logtext "Result: test skipped, file ${SYSLOGD_CONF} not found"
fi
fi
#
#################################################################################
#
# Test : LOGG-2160
# Description : Check for /etc/newsyslog.conf (FreeBSD/OpenBSD)
if [ -f /etc/newsyslog.conf ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2160 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking /etc/newsyslog.conf"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Result: /etc/newsyslog.conf found"
Display --indent 2 --text "- Checking /etc/newsyslog.conf" --result FOUND --color GREEN
LOGROTATE_CONFIG_FOUND=1
LOGROTATE_TOOL="newsyslog"
fi
#
#################################################################################
#
# Test : LOGG-2162
# Description : Check for directories in /etc/newsyslog.conf
if [ -f /etc/newsyslog.conf ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2162 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking /etc/newsyslog.conf"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: parsing directories from /etc/newsyslog.conf file"
FIND=`cat /etc/newsyslog.conf | sort | uniq | grep "^/" | awk '{ print $1 }' | sed 's/\/*[a-zA-Z_.-]*$//g' | sort | uniq`
for I in ${FIND}; do
if [ -d ${I} ]; then
logtext "Result: Directory ${I} found and exists"
report "log_directory[]=${I}"
else
logtext "Result: Item ${I} is not a directory"
fi
done
Display --indent 4 --text "- Checking log directories (newsyslog.conf)" --result DONE --color GREEN
fi
#
#################################################################################
#
# Test : LOGG-2164
# Description : Check for files in /etc/newsyslog.conf
if [ -f /etc/newsyslog.conf ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2164 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking /etc/newsyslog.conf"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: parsing directories from /etc/newsyslog.conf file"
FIND=`cat /etc/newsyslog.conf | sort | uniq | grep "^/" | awk '{ print $1 }'`
for I in ${FIND}; do
if [ -f ${I} ]; then
logtext "Result: File ${I} found and exists"
else
logtext "Result: Item ${I} is not a file"
fi
done
Display --indent 4 --text "- Checking log files (newsyslog.conf)" --result DONE --color GREEN
fi
#
#################################################################################
#
# Test : LOGG-2170
# Description : Search available log paths
Register --test-no LOGG-2170 --weight L --network NO --description "Checking log paths"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching log paths"
for I in ${LOG_FILES_LOCS}; do
if [ -d ${I} ]; then
logtext "Result: directory ${I} exists"
report "log_directory[]=${I}"
else
logtext "Result: directory ${I} can't be found"
fi
done
Display --indent 2 --text "- Checking log directories (static list)" --result DONE --color GREEN
fi
#
#################################################################################
#
# Test : LOGG-2180
# Description : Search open log file
Register --test-no LOGG-2180 --weight L --network NO --description "Checking open log files"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking open log files with lsof"
if [ ! "${LSOFBINARY}" = "" ]; then
FIND=`${LSOFBINARY} -n 2>&1 | grep "log$" | egrep -v "WARNING|Output information" | awk '{ if ($5=="REG") { print $9 } }' | sort | uniq | grep -v "^$"`
for I in ${FIND}; do
logtext "Found logfile: ${I}"
report "open_logfile[]=${I}"
done
Display --indent 2 --text "- Checking open log files" --result DONE --color GREEN
else
logtext "Result: lsof not installed, skipping test"
Display --indent 2 --text "- Checking open log files" --result SKIPPED --color YELLOW
# Add suggestion
fi
fi
#
#################################################################################
#
# Test : LOGG-2190
# Description : Checking deleted files
if [ ! "${LSOFBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2190 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking deleted files in file table"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking deleted files but are still in use"
FIND=`${LSOFBINARY} -n +L 1 2>&1 | egrep -v "WARNING|Output information" | awk '{ if ($5=="REG") { print $10 } }' | grep -v "^$"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found one or more files which are deleted, but still in use"
for I in ${FIND}; do
logtext "Found deleted file: ${I}"
report "deleted_file[]=${I}"
done
Display --indent 2 --text "- Checking deleted files in use" --result "FILES FOUND" --color YELLOW
ReportSuggestion ${TEST_NO} "Check what deleted files are still in use and why."
else
logtext "Result: no deleted files found"
Display --indent 2 --text "- Checking deleted files in use" --result DONE --color GREEN
fi
fi
#
#################################################################################
#
#
# Rsyslogd checks
#
#
#################################################################################
#
report "log_rotation_config_found=${LOGROTATE_CONFIG_FOUND}"
report "log_rotation_tool=${LOGROTATE_TOOL}"
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
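Review bot: The else branch of the /etc/logrotate.d check in LOGG-2146 logs the wrong message: `logtext "Result: /etc/logrotate.conf found"` on the not-found path should read `Result: /etc/logrotate.d NOT found`. In LOGG-2154 the configuration file falls back to `/etc/syslog.conf` for everything that is not syslog-ng, so on a host where only rsyslogd is running (RSYSLOG_RUNNING is tracked above but not consulted here) the test is skipped with "file not found" rather than inspecting /etc/rsyslog.conf; and for syslog-ng the same `@[a-zA-Z0-9]` pattern from classic syslog.conf syntax is applied to syslog-ng.conf, so it is worth verifying that a remote destination in that format is actually detected before reporting NOT ENABLED. The "Rsyslogd checks" block near the end is empty, and the `# Add suggestion` placeholder in LOGG-2180 still needs its ReportSuggestion call for the missing lsof binary.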


@ -0,0 +1,188 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
APPARMORFOUND=0 # Set default for test MACF-6208
GRSECFOUND=0 # grsecurity
MAC_FRAMEWORK_ACTIVE=0 # Default no MAC framework active
RBAC_FRAMEWORK_ACTIVE=0 # Default no RBAC framework active
SELINUXFOUND=0
InsertSection "Security frameworks"
#
#################################################################################
#
# Test : MACF-6204
# Description : Check if AppArmor is installed
Register --test-no MACF-6204 --weight L --network NO --description "Check AppArmor presence"
if [ ${SKIPTEST} -eq 0 ]; then
if [ "${AASTATUSBINARY}" = "" ]; then
APPARMORFOUND=0
logtext "Result: aa-status binary not found, AppArmor not installed"
Display --indent 2 --text "- Checking presence AppArmor" --result "NOT FOUND" --color WHITE
else
APPARMORFOUND=1
logtext "Result: aa-status binary found, AppArmor is installed"
Display --indent 2 --text "- Checking presence AppArmor" --result FOUND --color GREEN
fi
fi
#
#################################################################################
#
# Test : MACF-6208
# Description : Check AppArmor active status
if [ ${APPARMORFOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no MACF-6208 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check if AppArmor is enabled"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${AASTATUSBINARY}" = "" ]; then
# Checking AppArmor status
FIND=`${AASTATUSBINARY} > /dev/null; echo $?`
#0 if apparmor is enabled and policy is loaded.
#1 if apparmor is not enabled/loaded.
#2 if apparmor is enabled but no policy is loaded.
if [ ${FIND} -eq 0 ]; then
MAC_FRAMEWORK_ACTIVE=1
logtext "Result: AppArmor is enabled and a policy is loaded"
Display --indent 4 --text "- Checking AppArmor status" --result "ENABLED" --color GREEN
elif [ ${FIND} -eq 2 ]; then
logtext "Result: AppArmor is enabled, but no policy is loaded"
ReportSuggestion ${TEST_NO} "Disable AppArmor or load a policy"
Display --indent 4 --text "- Checking AppArmor status" --result "NON-ACTIVE" --color GREEN
elif [ ${FIND} -eq 1 ]; then
Display --indent 4 --text "- Checking AppArmor status" --result "DISABLED" --color YELLOW
fi
fi
fi
#
#################################################################################
#
# Test : MACF-6232
# Description : Check SELINUX for installation
Register --test-no MACF-6232 --weight L --network NO --description "Check SELINUX presence"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking if we have sestatus binary"
if [ ! "${SESTATUSBINARY}" = "" ]; then
logtext "Result: found sestatus binary (${SESTATUSBINARY})"
Display --indent 2 --text "- Checking presence SELinux" --result "FOUND" --color GREEN
else
logtext "Result: sestatus binary NOT found"
Display --indent 2 --text "- Checking presence SELinux" --result "NOT FOUND" --color WHITE
fi
fi
#
#################################################################################
#
# Test : MACF-6234
# Description : Check SELINUX status
if [ ! "${SESTATUSBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no MACF-6234 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SELINUX status"
if [ ${SKIPTEST} -eq 0 ]; then
# Status: Enabled/Disabled
FIND=`${SESTATUSBINARY} | grep "^SELinux status" | awk '{ print $3 }'`
if [ "${FIND}" = "enabled" ]; then
MAC_FRAMEWORK_ACTIVE=1
logtext "Result: SELinux framework is enabled"
report "selinux_status=1"
SELINUXFOUND=1
Display --indent 4 --text "- Checking SELinux status" --result "ENABLED" --color GREEN
FIND=`${SESTATUSBINARY} | grep "^Current mode" | awk '{ print $3 }'`
report "selinux_mode=${FIND}"
FIND2=`${SESTATUSBINARY} | grep "^Mode from config file" | awk '{ print $5 }'`
logtext "Result: current SELinux mode is ${FIND}"
logtext "Result: mode configured in config file is ${FIND2}"
if [ "${FIND}" = "${FIND2}" ]; then
logtext "Result: Current SELinux mode is the same as in config file."
Display --indent 6 --text "- Checking current mode and config file" --result "OK" --color GREEN
else
logtext "Result: Current SELinux mode (${FIND}) is NOT the same as in config file (${FIND2})."
ReportWarning ${TEST_NO} "M" "Current SELinux mode is different from config file (current: ${FIND}, config file: ${FIND2})"
Display --indent 6 --text "- Checking current mode and config file" --result "WARNING" --color RED
fi
Display --indent 8 --text "Current SELinux mode: ${FIND}"
else
logtext "Result: SELinux framework is disabled"
Display --indent 4 --text "- Checking SELinux status" --result "DISABLED" --color YELLOW
fi
fi
#
#################################################################################
#
# Test : RBAC-6272
# Description : Check if grsecurity is installed
# Notes : Solaris doesn't support test -e
if [ ! "${OS}" = "Solaris" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no RBAC-6272 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check grsecurity presence"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -e /dev/grsec ]; then
GRSECFOUND=1
logtext "Result: grsecurity available (/dev/grsec found)"
else
logtext "Result: grsecurity not present (/dev/grsec not found)"
fi
# Check Linux kernel configuration
if [ ! "${LINUXCONFIGFILE}" = "" -a -f "${LINUXCONFIGFILE}" ]; then
FIND=`${GREPBINARY} ^CONFIG_GRKERNSEC=y ${LINUXCONFIGFILE}`
if [ ! "${FIND}" = "" ]; then
logtext "Result: grsecurity available (in kernel config)"
GRSECFOUND=1
else
logtext "Result: no grsecurity found in kernel config"
fi
fi
# Found grsecurity?
if [ ${GRSECFOUND} -eq 1 ]; then
Display --indent 2 --text "- Checking presence grsecurity" --result FOUND --color GREEN
AddHP 3 3
else
Display --indent 2 --text "- Checking presence grsecurity" --result "NOT FOUND" --color WHITE
fi
fi
#
#################################################################################
#
# Test : MACF-6290
# Description : Check if at least one MAC framework is implemented
Register --test-no MACF-6290 --weight L --network NO --description "Check for implemented MAC framework"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ${MAC_FRAMEWORK_ACTIVE} -eq 1 ]; then
Display --indent 2 --text "- Checking for implemented MAC framework" --result OK --color GREEN
AddHP 3 3
logtext "Result: found implemented MAC framework"
else
Display --indent 2 --text "- Checking for implemented MAC framework" --result NONE --color YELLOW
AddHP 2 3
logtext "Result: found no implemented MAC framework"
fi
fi
#
#################################################################################
#
report "framework_grsecurity=${GRSECFOUND}"
report "framework_selinux=${SELINUXFOUND}"
wait_for_keypress
# To implement:
# FMAC (OpenSolaris, MAC)
# LSM (Linux Security Modules)
# TrustedBSD (MAC)
# RSBAC (RBAC)
# Apple sandbox technology
# PAX
#
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
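Review bot: In MACF-6208 the if/elif chain on the aa-status exit status handles only 0, 1 and 2 (the three cases listed in the comment block); any other status produces neither a logtext entry nor a Display line, so add a final else branch that logs the unexpected status instead of silently skipping. The `NON-ACTIVE` result for "enabled but no policy loaded" is shown in GREEN although the same branch raises a ReportSuggestion; YELLOW would be consistent with the DISABLED case below it. RBAC_FRAMEWORK_ACTIVE is initialised but never set or reported, and RBAC-6272 records only GRSECFOUND, so MACF-6290 decides "no implemented MAC framework" purely from MAC_FRAMEWORK_ACTIVE and ignores a detected grsecurity; either set RBAC_FRAMEWORK_ACTIVE=1 in RBAC-6272 and include it in MACF-6290, or remove the variable. MACF-6232 also never sets SELINUXFOUND, which is only set in MACF-6234 when the framework is enabled, so `framework_selinux` reports 0 for an installed-but-disabled SELinux; set it in MACF-6232 when sestatus is found if the field is meant to record presence.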


@ -0,0 +1,269 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# E-mail and messaging
#
#################################################################################
#
InsertSection "Software: e-mail and messaging"
#
#################################################################################
#
DOVECOT_RUNNING=0
EXIM_RUNNING=0
SMTP_DAEMON=""
POSTFIX_RUNNING=0
QMAIL_RUNNING=0
SENDMAIL_RUNNING=0
SMTPD_RUNNING=0
#
#################################################################################
#
# Test : MAIL-8802
# Description : Check Exim process status
Register --test-no MAIL-8802 --weight L --network NO --description "Check Exim status"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check Exim status"
IsRunning exim
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: found running Exim process"
Display --indent 2 --text "- Checking Exim status..." --result RUNNING --color GREEN
EXIM_RUNNING=1
SMTP_DAEMON="exim"
else
logtext "Result: no running Exim processes found"
Display --indent 2 --text "- Checking Exim status..." --result "NOT FOUND" --color WHITE
fi
fi
#
#################################################################################
#
# Test : MAIL-8804
# Description : Check Exim configuration
#if [ ${EXIM_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no MAIL-8804 --weight L --network NO --description "Check Exim configuration"
#if [ ${SKIPTEST} -eq 0 ]; then
# if [ ! "${EXIMBINARY}" = "" ]; then
# logtext "Test: Searching Exim configuration file..."
# FIND=`${EXIMBINARY} -d | grep "configuration file is" | sed 's/configuration file is//'`
# if [ ! "${FIND}" = "" ]; then
# Display --indent 2 --text "- Checking Exim configuration..." --result FOUND --color GREEN
# Display --indent 4 --text "Result: configuration file is ${FIND}"
# logtext "Result: found Exim"
# logtext "Result: configuration file is ${FIND}"
# else
# Display --indent 2 --text "- Checking Exim configuration..." --result WARNING --color RED
# logtext "Couldn't find the Exim configuration file, however Exim seems to be installed."
# fi
# else
# logtext "Exim binary not found, no tests performed"
# fi
#
#################################################################################
#
# Test : MAIL-8814
# Description : Check Postfix process
# Notes : qmgr and pickup run under postfix uid, without full path to binary
Register --test-no MAIL-8814 --weight L --network NO --description "Check postfix process status"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check Postfix status"
# Some other processes also use master, therefore it should include both master and postfix
FIND1=`${PSBINARY} ax | grep "master" | grep "postfix" | grep -v "grep"`
FIND2=`${PSBINARY} ax | grep "qmgr" | grep "postfix" | grep -v "grep"`
FIND3=`${PSBINARY} ax | grep "pickup" | grep "postfix" | grep -v "grep"`
if [ ! "${FIND1}" = "" -a ! "${FIND2}" = "" -a ! "${FIND3}" = "" ]; then
logtext "Result: found running Postfix process"
Display --indent 2 --text "- Checking Postfix status..." --result RUNNING --color GREEN
POSTFIX_RUNNING=1
SMTP_DAEMON="postfix"
else
logtext "Result: no running Postfix processes found"
Display --indent 2 --text "- Checking Postfix status..." --result "NOT FOUND" --color WHITE
fi
fi
#
#################################################################################
#
# Test : MAIL-8816
# Description : Check Postfix configuration
if [ ${POSTFIX_RUNNING} -eq 1 -a ! "${POSTFIXBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no MAIL-8816 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Postfix configuration"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Checking Postfix configuration..." --result FOUND --color GREEN
POSTFIX_CONFIGDIR=`${POSTCONFBINARY} | grep '^config_directory' | awk '{ print $3 }'`
POSTFIX_CONFIGFILE="${POSTFIX_CONFIGDIR}/main.cf"
logtext "Postfix configuration directory: ${POSTFIX_CONFIGDIR}"
logtext "Postfix configuration file: ${POSTFIX_CONFIGFILE}"
fi
#
#################################################################################
#
# Test : MAIL-8818
# Description : Check Postfix configuration
if [ ${POSTFIX_RUNNING} -eq 1 -a ! "${POSTFIXBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no MAIL-8818 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Postfix configuration: banner"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking Postfix banner"
FIND1=`${POSTCONFBINARY} | grep '^smtpd_banner' | grep 'postfix'`
FIND2=`${POSTCONFBINARY} | grep '^smtpd_banner' | grep '$mail_name'`
FIND3=`${POSTCONFBINARY} | grep '^mail_name' | grep -i 'postfix'`
#YYY Check if OS name shows up in banner
#FIND4=`${POSTCONFBINARY} | grep '^smtpd_banner' | egrep "${OS}|${LINUX_VERSION}`
SHOWWARNING=0
if [ ! "${FIND1}" = "" ]; then
SHOWWARNING=1
else
if [ ! "${FIND2}" = "" -a ! "${FIND3}" = "" ]; then
SHOWWARNING=1
else
Display --indent 4 --text "- Checking Postfix banner..." --result OK --color GREEN
fi
fi
if [ ${SHOWWARNING} -eq 1 ]; then
Display --indent 4 --text "- Checking Postfix banner..." --result WARNING --color RED
logtext "Result: found mail_name in SMTP banner, and/or mail_name contains 'Postfix'."
ReportWarning ${TEST_NO} "L" "Found mail_name in SMTP banner, and/or mail_name contains 'Postfix'"
ReportSuggestion ${TEST_NO} "You are adviced to hide the mail_name (option: smtpd_banner) from your postfix configuration. Use postconf -e or change your main.cf file (${POSTFIX_CONFIGFILE})"
fi
fi
#
#################################################################################
#
# Test : MAIL-8838
# Description : Check Dovecot process
Register --test-no MAIL-8838 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check dovecot process"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check dovecot status"
IsRunning dovecot
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: found running dovecot process"
Display --indent 2 --text "- Checking Dovecot status..." --result RUNNING --color GREEN
DOVECOT_RUNNING=1
IMAP_DAEMON="dovecot"
POP3_DAEMON="dovecot"
else
logtext "Result: dovecot not found"
Display --indent 2 --text "- Checking Dovecot status..." --result "NOT FOUND" --color WHITE
fi
fi
#
#################################################################################
#
# Test : MAIL-8842
# Description : Check Dovecot logging locations
#Register --test-no MAIL-8842 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check dovecot logging locations"
#if [ ${SKIPTEST} -eq 0 ]; then
# ParseDovecot
# CONF="/etc/dovecot/dovecot.conf"
# FIND=`cat ${CONF} | grep "^log_path" | awk '{ if ($1=="") { print "syslog" } else { print $3 } }'`
# if [ ! "${FIND}" = "" ]; then
# logtext "Result: output for error messages = ${FIND}"
# fi
#
# FIND=`cat ${CONF} | grep "^log_info_path" | awk '{ if ($1=="") { print "syslog" } else { print $3 } }'`
# if [ ! "${FIND}" = "" ]; then
# logtext "Result: output for informational messages = ${FIND}"
# fi
#
# fi
#
#################################################################################
#
# Test : MAIL-8860
# Description : Check Qmail process status
Register --test-no MAIL-8860 --weight L --network NO --description "Check Qmail status"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check Qmail status"
IsRunning qmail-smtpd
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: found running Qmail process"
Display --indent 2 --text "- Checking Qmail status..." --result RUNNING --color GREEN
QMAIL_RUNNING=1
SMTP_DAEMON="sendmail"
else
logtext "Result: no running Qmail processes found"
Display --indent 2 --text "- Checking Qmail status..." --result "NOT FOUND" --color WHITE
fi
fi
#
#################################################################################
#
# Test : MAIL-8880
# Description : Check Sendmail process status
Register --test-no MAIL-8880 --weight L --network NO --description "Check Sendmail status"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check sendmail status"
IsRunning sendmail
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: found running Sendmail process"
Display --indent 2 --text "- Checking Sendmail status..." --result RUNNING --color GREEN
SENDMAIL_RUNNING=1
SMTP_DAEMON="sendmail"
else
logtext "Result: no running Sendmail processes found"
Display --indent 2 --text "- Checking Sendmail status..." --result "NOT FOUND" --color WHITE
fi
fi
#
#################################################################################
#
# Test : MAIL-8920
# Description : Check OpenBSD smtpd process status
Register --test-no MAIL-8920 --os OpenBSD --weight L --network NO --description "Check smtpd status"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check smtpd status"
FIND=`${PSBINARY} ax | grep "/smtpd" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found running smtpd process"
Display --indent 2 --text "- Checking OpenBSD smtpd status..." --result RUNNING --color GREEN
SMTPD_RUNNING=1
SMTP_DAEMON="smtpd"
else
logtext "Result: smtpd not found"
Display --indent 2 --text "- Checking OpenBSD smtpd status..." --result "NOT FOUND" --color WHITE
fi
fi
#
#################################################################################
#
# Test : MAIL-xxxx
# Description : Check if outgoing mail is obscured (increased privacy)
#Register --test-no MAIL-xxxx --weight L --network NO --description "Check XXX"
#if [ ${SKIPTEST} -eq 0 ]; then
#
#################################################################################
#
#YYY Add support for mail, procmail
#YYY Add support for MUAs: Thunderbird, Kmail, Evolution
# Other software : Cyrus-IMAP, Amavisd-new, SpamAssassin, Fetchmail, Procmail, maildrop
#- Dovecot : \'/usr/local/etc/dovecot.conf\'
#- For Sendmail : \'/var/mail/sendmail.cf\'
#- Fetchmail : \'~/.fetchmailrc\' (not only root)
#- Cyrus-IMAP : \'/usr/local/etc/imapd.conf\' for parameters and \'/usr/local/etc/cyrus.conf\' for the services launched
#
#################################################################################
#
report "imap_daemon=${IMAP_DAEMON}"
report "pop3_daemon=${POP3_DAEMON}"
report "smtp_daemon=${SMTP_DAEMON}"
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
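Review bot: the Qmail branch of MAIL-8860 sets `SMTP_DAEMON="sendmail"` right after `QMAIL_RUNNING=1`, and MAIL-8880 sets the same value for Sendmail, so the `report "smtp_daemon=${SMTP_DAEMON}"` line at the end of the file cannot tell the two MTAs apart; this should be `SMTP_DAEMON="qmail"`. Second logic point: MAIL-8838 is registered with `--preqs-met ${PREQS_MET}` without recomputing the variable, so it inherits whatever MAIL-8818 computed (Postfix running and a postfix binary present) and the Dovecot check is silently skipped on hosts that do not run Postfix; either drop the flag, as MAIL-8860 and MAIL-8880 do, or set `PREQS_MET="YES"` before the Register call. Minor: "adviced" in the MAIL-8818 suggestion text should be "advised", the header comment of MAIL-8818 says "Check Postfix configuration" while the test is the banner check, and the commented-out `FIND4=` line in the same test is missing its closing double quote and backtick, which will bite whoever uncomments it.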

185
include/tests_malware Normal file

@ -0,0 +1,185 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Malware scanners
#
#################################################################################
#
InsertSection "Software: Malware scanners"
#
#################################################################################
#
CLAMD_RUNNING=0
MALWARE_SCANNER_INSTALLED=0
#
#################################################################################
#
# Test : MALW-3275
# Description : Check for installed tool (chkrootkit)
Register --test-no MALW-3275 --weight L --network NO --description "Check for chkrootkit"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking presence chkrootkit"
if [ ! "${CHKROOTKITBINARY}" = "" ]; then
Display --indent 2 --text "- Checking chkrootkit..." --result "FOUND" --color GREEN
logtext "Result: Found ${CHKROOTKITBINARY}"
MALWARE_SCANNER_INSTALLED=1
AddHP 2 2
else
Display --indent 2 --text "- Checking chkrootkit..." --result "NOT FOUND" --color WHITE
logtext "Result: chkrootkit not found"
fi
fi
#
#################################################################################
#
# Test : MALW-3276
# Description : Check for installed tool (Rootkit Hunter)
Register --test-no MALW-3276 --weight L --network NO --description "Check for Rootkit Hunter"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking presence Rootkit Hunter"
if [ ! "${RKHUNTERBINARY}" = "" ]; then
Display --indent 2 --text "- Checking Rootkit Hunter..." --result "FOUND" --color GREEN
logtext "Result: Found ${RKHUNTERBINARY}"
MALWARE_SCANNER_INSTALLED=1
AddHP 2 2
else
Display --indent 2 --text "- Checking Rootkit Hunter..." --result "NOT FOUND" --color WHITE
logtext "Result: Rootkit Hunter not found"
fi
fi
#
#################################################################################
#
# Test : MALW-3280
# Description : Check if an anti-virus tool is installed
Register --test-no MALW-3280 --weight L --network NO --description "Check for clamscan"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
logtext "Test: checking process cmdagent (McAfee)"
IsRunning cmdagent
if [ ${RUNNING} -eq 1 ]; then
FOUND=1
Display --indent 2 --text "- Checking McAfee" --result "FOUND" --color GREEN
logtext "Result: Found McAfee"
MALWARE_SCANNER_INSTALLED=1
AddHP 2 2
fi
logtext "Test: checking process SophosScanD"
IsRunning SophosScanD
if [ ${RUNNING} -eq 1 ]; then
FOUND=1
Display --indent 2 --text "- Checking Sophos" --result "FOUND" --color GREEN
logtext "Result: Found Sophos"
MALWARE_SCANNER_INSTALLED=1
AddHP 2 2
fi
if [ ${FOUND} -eq 0 ]; then
Display --indent 2 --text "- Checking commercial anti-virus scanners" --result "NONE FOUND" --color WHITE
logtext "Result: no commercial anti-virus tool found"
AddHP 0 3
fi
fi
#
#################################################################################
#
# Test : MALW-3282
# Description : Check if clamscan is installed
Register --test-no MALW-3282 --weight L --network NO --description "Check for clamscan"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking presence clamscan"
if [ ! "${CLAMSCANBINARY}" = "" ]; then
Display --indent 2 --text "- Checking ClamAV scanner..." --result "FOUND" --color GREEN
logtext "Result: Found ${CLAMSCANBINARY}"
MALWARE_SCANNER_INSTALLED=1
AddHP 2 2
else
Display --indent 2 --text "- Checking ClamAV scanner..." --result "NOT FOUND" --color WHITE
logtext "Result: clamscan couldn't be found"
fi
fi
#
#################################################################################
#
# Test : MALW-3284
# Description : Check running clamd process
Register --test-no MALW-3284 --weight L --network NO --description "Check for clamd"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking running ClamAV daemon (clamd)"
FIND=`${PSBINARY} ax | grep "/clamd" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking ClamAV daemon..." --result "FOUND" --color GREEN
logtext "Result: found running clamd process"
MALWARE_SCANNER_INSTALLED=1
CLAMD_RUNNING=1
else
Display --indent 2 --text "- Checking ClamAV daemon..." --result "NOT FOUND" --color WHITE
logtext "Result: clamd not running"
fi
fi
#
#################################################################################
#
# Test : MALW-3286
# Description : Check running freshclam if clamd process is running
if [ ${CLAMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no MALW-3286 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for freshclam"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking running freshclam daemon"
FIND=`${PSBINARY} ax | grep "/freshclam" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking freshclam..." --result "FOUND" --color GREEN
logtext "Result: found running freshclam process"
AddHP 2 2
else
Display --indent 4 --text "- Checking freshclam..." --result "SUGGESTION" --color YELLOW
logtext "Result: freshclam is not running"
ReportSuggestion ${TEST_NO} "Confirm that freshclam is properly configured and keeps updating the ClamAV database"
fi
fi
#
#################################################################################
#
# Test : MALW-3292
# Description : Check if at least one malware scanner is installed
# Register --test-no MALW-3292 --weight L --network NO --description "Check for at least one malware scanner"
# if [ ${SKIPTEST} -eq 0 ]; then
# if [ ${MALWARE_SCANNER_INSTALLED} -eq 1 ]; then
# logtext "Result: At least one malware scanner is installed"
# Display --indent 2 --text "- Checking presence malware scanner..." --result "FOUND" --color GREEN
# #AddHP 3 3
# else
# logtext "Result: No malware scanners found"
# Display --indent 2 --text "- Checking presence malware scanner..." --result "NOT FOUND" --color YELLOW
# ReportSuggestion ${TEST_NO} "Install at least one malware scanner to perform periodic integrity tests on the system"
# #AddHP 0 3
# fi
# fi
#
#################################################################################
#
# Other projects: maldetect (rfxn)
#
#################################################################################
#
report "malware_scanner_installed=${MALWARE_SCANNER_INSTALLED}"
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
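Review bot: MALW-3280 is registered with `--description "Check for clamscan"` although its body looks for the McAfee `cmdagent` and Sophos `SophosScanD` processes, and the following test MALW-3282 carries the identical description, so the two are indistinguishable in the report; suggest "Check for commercial anti-virus scanners". Scoring: the `AddHP 0 3` in the `if [ ${FOUND} -eq 0 ]` branch deducts points from every host without a commercial product, including one running ClamAV that is then awarded `AddHP 2 2` by MALW-3282 and MALW-3286 a few lines later; if the intent is "at least one scanner present", the commented-out MALW-3292 (which keys on `MALWARE_SCANNER_INSTALLED`) is the right place for that penalty and should be enabled instead. Style: `grep "/clamd"` in MALW-3284 matches any process line containing that substring (a clamd.conf path on another command line, for example); `grep -E "/clamd( |$)"` pins it to the command name.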


@ -0,0 +1,132 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Memory and processes
#
#################################################################################
#
InsertSection "Memory and processes"
#
#################################################################################
#
# Test : PROC-3602
# Description : Query /proc/meminfo
Register --test-no PROC-3602 --os Linux --weight L --network NO --description "Checking /proc/meminfo for memory details"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /proc/meminfo ]; then
logtext "Result: found /proc/meminfo"
Display --indent 2 --text "- Checking /proc/meminfo... " --result FOUND --color GREEN
FIND=`cat /proc/meminfo | grep "^MemTotal" | tr -s ' ' | awk '{ print $2" "$3 }'`
MEMORY_SIZE=`echo ${FIND} | awk '{ print $1 }'`
MEMORY_UNITS=`echo ${FIND} | awk '{ print $2 }'`
logtext "Result: Found ${MEMORY_SIZE} ${MEMORY_UNITS} memory"
report "memory_size=${MEMORY_SIZE}"
report "memory_units=${MEMORY_UNITS}"
else
logtext "Result: /proc/meminfo file not found on this system"
fi
fi
#
#################################################################################
#
# Test : PROC-3604
# Description : Query /proc/meminfo
Register --test-no PROC-3604 --os Solaris --weight L --network NO --description "Query prtconf for memory details"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching /usr/sbin/prtconf"
if [ -x /usr/sbin/prtconf ]; then
Display --indent 2 --text "- Querying prtconf for installed memory..." --result DONE --color GREEN
MEMORY_SIZE=`/usr/sbin/prtconf | grep "^Memory size:" | cut -d ' ' -f3`
MEMORY_UNITS=`/usr/sbin/prtconf | grep "^Memory size:" | cut -d ' ' -f4`
logtext "Result: Found ${MEMORY_SIZE} ${MEMORY_UNITS} memory"
report "memory_size=${MEMORY_SIZE}"
report "memory_units=${MEMORY_UNITS}"
else
Display --indent 2 --text "- Querying prtconf for installed memory..." --result SKIPPED --color WHITE
logtext "Result: /usr/sbin/prtconf not found"
fi
fi
#
#################################################################################
#
# Test : PROC-3612
# Description : Searching for dead and zombie processes
# Notes : Don't perform test on Solaris
if [ ! "${OS}" = "Solaris" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PROC-3612 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check dead or zombie processes"
if [ ${SKIPTEST} -eq 0 ]; then
if [ "${OS}" = "AIX" ]; then
FIND=`${PSBINARY} -Ae -o pid,wchan,stat,comm | awk '{ if ($3 ~ /Z|X/) print $1 }' | xargs`
else
FIND=`${PSBINARY} x -o pid,wchan,stat,comm | awk '{ if ($3 ~ /Z|X/) print $1 }' | xargs`
fi
if [ "${FIND}" = "" ]; then
logtext "Result: no zombie processes found"
Display --indent 2 --text "- Searching for dead/zombie processes..." --result OK --color GREEN
else
logtext "Result: found one or more dead or zombie processes"
logtext "Output: PIDs ${FIND}"
Display --indent 2 --text "- Searching for dead/zombie processes..." --result WARNING --color RED
ReportSuggestion ${TEST_NO} "Check the output of ps for dead or zombie processes"
fi
fi
#
#################################################################################
#
# Test : PROC-3614
# Description : Searching for heavy IO based waiting processes
# Notes : Don't perform test on Solaris
if [ ! "${OS}" = "Solaris" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PROC-3614 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check heavy IO waiting based processes"
if [ ${SKIPTEST} -eq 0 ]; then
if [ "${OS}" = "AIX" ]; then
FIND=`${PSBINARY} -Ae -o pid,wchan,stat,comm | awk '{ if ($3=="D") print $1 }' | xargs`
else
FIND=`${PSBINARY} x -o pid,wchan,stat,comm | awk '{ if ($3=="D") print $1 }' | xargs`
fi
if [ "${FIND}" = "" ]; then
logtext "Result: No processes were waiting for IO requests to be handled first"
Display --indent 2 --text "- Searching for IO waiting processes..." --result OK --color GREEN
else
logtext "Result: found one or more processes which were waiting to get IO requests handled first"
logtext "More info: processes which show up with the status flag 'D' are often stuck, until a disk IO event finished. This can happen for example with network storage, where the connection or protocol settings are not logtext well configured."
logtext "Output: PIDs ${FIND}"
Display --indent 2 --text "- Searching for IO waiting processes..." --result WARNING --color RED
ReportSuggestion ${TEST_NO} "Check process listing for processes waiting for IO requests"
fi
fi
#
#################################################################################
#
# Ubuntu test: dead processes
# who -d
#
#################################################################################
#
# Test : PROC-3624
# Description : Check shared memory (ipcs -m)
# Notes : if it's empty, check /dev/shm and warn if any files are left behind
#Register --test-no PROC-3614 --os Linux --weight L --network NO --description "Check shared memory"
#if [ ${SKIPTEST} -eq 0 ]; then
#
#################################################################################
#
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
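Review bot: the `logtext "More info: ..."` line in PROC-3614 contains a stray word: "where the connection or protocol settings are not logtext well configured" should read "are not well configured". Two header comments are copy-paste leftovers: the description of PROC-3604 reads "Query /proc/meminfo" while the test runs `/usr/sbin/prtconf` on Solaris, and the commented-out PROC-3624 block registers `--test-no PROC-3614`, which would collide with the IO-wait test the moment it is enabled. Style: the rest of the include resolves tools through `*BINARY` variables (`${PSBINARY}` in this very file) whereas `/usr/sbin/prtconf` is hardcoded three times, and the `cat /proc/meminfo | grep "^MemTotal" | tr -s ' ' | awk ...` pipeline collapses to `awk '/^MemTotal/ { print $2" "$3 }' /proc/meminfo`.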

607
include/tests_nameservices Normal file

@ -0,0 +1,607 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Name services
#
#################################################################################
#
InsertSection "Software: name services"
#
#################################################################################
#
BIND_RUNNING=0
BIND_CONFIG_LOCS="/etc /etc/bind /usr/local/etc"
BIND_CONFIG_LOCATIONS=""
POWERDNS_RUNNING=0
POWERDNS_CONFIG_LOCS="/etc/powerdns /usr/local/etc"
POWERDNS_AUTH_CONFIG_LOCATION=""
POWERDNS_AUTH_MASTER=0
POWERDNS_AUTH_SLAVE=0
YPBIND_RUNNING=0
#
#################################################################################
#
# Test : NAME-4016
# Description : Check main domain (domain <domain name> in /etc/resolv.conf)
Register --test-no NAME-4016 --weight L --network NO --description "Check /etc/resolv.conf default domain"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check /etc/resolv.conf for default domain"
if [ -f /etc/resolv.conf ]; then
logtext "Result: /etc/resolv.conf found"
FIND=`cat /etc/resolv.conf | grep "^domain" | awk '{ print $2 }'`
if [ "${FIND}" = "" ]; then
logtext "Result: no default domain found"
Display --indent 2 --text "- Checking default DNS search domain..." --result NONE --color WHITE
else
logtext "Result: found default domain"
logtext "Output: ${FIND}"
report "resolv_conf_domain=${FIND}"
Display --indent 2 --text "- Checking default DNS search domain..." --result FOUND --color GREEN
RESOLV_DOMAINNAME="${FIND}"
fi
fi
fi
#
#################################################################################
#
# Test : NAME-4018
# Description : Check search domains in /etc/resolv.conf
# Notes : Maximum of one search keyword is allowed in /etc/resolv.conf
Register --test-no NAME-4018 --weight L --network NO --description "Check /etc/resolv.conf search domains"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
logtext "Test: check /etc/resolv.conf for search domains"
if [ -f /etc/resolv.conf ]; then
logtext "Result: /etc/resolv.conf found"
FIND=`cat /etc/resolv.conf | grep "^search" | sed 's/^search //'`
if [ "${FIND}" = "" ]; then
logtext "Result: no search domains found, default domain is being used"
else
for I in ${FIND}; do
logtext "Found search domain: ${I}"
report "resolv_conf_search_domain[]=${I}"
N=`expr ${N} + 1`
done
# Warn if we have more than 6 search domains, which is maximum in most resolvers
if [ ${N} -gt 6 ]; then
logtext "Result: Found ${N} search domains"
Display --indent 2 --text "- Checking search domains..." --result WARNING --color YELLOW
ReportWarning ${TEST_NO} "L" "Found more than 6 search domains, which is usually more than the maximum allowed number in most resolvers"
else
logtext "Result: Found ${N} search domains"
Display --indent 2 --text "- Checking search domains..." --result FOUND --color GREEN
fi
fi
else
logtext "Result: /etc/resolv.conf does not exist, skipping test"
Display --indent 2 --text "- Checking search domains..." --result "NOT FOUND" --color YELLOW
fi
# Check amount of search domains (max 1)
FIND=`cat /etc/resolv.conf | grep "^search" | wc -l | tr -s ' ' | tr -d ' '`
if [ ! "${FIND}" = "0" -a ! "${FIND}" = "1" ]; then
logtext "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)"
Display --indent 4 --text "- Checking search domains lines..." --result "CONFIG ERROR" --color YELLOW
ReportWarning ${TEST_NO} "L" "Found more than 1 search lines in /etc/resolv.conf, which is probably a misconfiguration"
else
logtext "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)"
fi
fi
#
#################################################################################
#
# Test : NAME-4020
# Description : Check non default resolv.conf options
Register --test-no NAME-4020 --weight L --network NO --description "Check non default options"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check /etc/resolv.conf for non default options"
if [ -f /etc/resolv.conf ]; then
logtext "Result: /etc/resolv.conf found"
FIND=`grep "^options" /etc/resolv.conf | awk '{ print $2 }'`
if [ "${FIND}" = "" ]; then
logtext "Result: no specific other options configured in /etc/resolv.conf"
Display --indent 2 --text "- Checking /etc/resolv.conf options..." --result "NONE" --color WHITE
else
for I in ${FIND}; do
logtext "Found option: ${I}"
report "resolv_conf_option[]=${I}"
#rotate --> add performance tune point
#timeout <3 --> add performe tune point
done
Display --indent 2 --text "- Checking /etc/resolv.conf options..." --result "FOUND" --color GREEN
fi
else
logtext "Result: /etc/resolv.conf not found, test skipped"
Display --indent 2 --text "- Checking /etc/resolv.conf options..." --result "NOT FOUND" --color YELLOW
fi
fi
#
#################################################################################
#
# Test : NAME-4024
# Description : Check Solaris uname -n output
Register --test-no NAME-4024 --os Solaris --weight L --network NO --description "Solaris uname -n output"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`uname -n`
logtext "Result: 'uname -n' returned ${FIND}"
Display --indent 2 --text "- Checking uname -n output..." --result DONE --color GREEN
fi
#
#################################################################################
#
# Test : NAME-4026
# Description : Check Solaris /etc/nodename
# Notes : If a system is standalone, /etc/nodename should contain a system name only, not FQDN
Register --test-no NAME-4026 --os Solaris --weight L --network NO --description "Check /etc/nodename"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking /etc/nodename"
if [ -f /etc/nodename ]; then
logtext "Result: file /etc/nodename exists"
FIND=`cat /etc/nodename`
logtext "Output: ${FIND}"
Display --indent 2 --text "- Checking /etc/nodename..." --result "DONE" --color GREEN
else
logtext "Result: file /etc/nodename could not be found"
Display --indent 2 --text "- Checking /etc/nodename..." --result "NONE FOUND" --color YELLOW
fi
fi
#
#################################################################################
#
# Test : NAME-4028
# Description : Check DNS domain name
# To Do : grep ^DOMAINNAME /etc/conf.d/domainname (remove "'s)
Register --test-no NAME-4028 --weight L --network NO --description "Check domain name"
if [ ${SKIPTEST} -eq 0 ]; then
DOMAINNAME=""
# NIS
#logtext "Test: Checking file /etc/domainname"
#if [ -f /etc/domainname ]; then
# logtext "Result: file /etc/domainname exists"
# FIND2=`cat /etc/domainname`
# if [ ! "${FIND}" = "" ]; then
# logtext "Found domain name: ${FIND}"
# DOMAINNAME="${FIND}"
# else
# logtext "Result: no domain name found in file"
# fi
# else
# logtext "Result: file /etc/domainname does not exist"
#fi
logtext "Test: Checking if dnsdomainname command is available"
if [ ! "${DNSDOMAINNAMEBINARY}" = "" ]; then
FIND2=`${DNSDOMAINNAMEBINARY} 2> /dev/null`
if [ ! "${FIND2}" = "" ]; then
logtext "Result: dnsdomainname command returned a value"
logtext "Found domain name: ${FIND2}"
DOMAINNAME="${FIND2}"
else
logtext "Result: dnsdomainname command returned no value"
fi
else
logtext "Result: dnsdomainname binary not found, skip specific test"
fi
# If files and commands can't be found, use defined value from resolv.conf
if [ "${DOMAINNAME}" = "" ]; then
if [ ! "${RESOLV_DOMAINNAME}" = "" ]; then
logtext "Result: using domain name from /etc/resolv.conf"
DOMAINNAME=${RESOLV_DOMAINNAME}
else
logtext "Result: using domain name from FQDN hostname"
DOMAINNAME=${FQDN#${HOSTNAME}.}
fi
fi
if [ ! "${DOMAINNAME}" = "" ]; then
logtext "Result: found domain name"
report "domainname=${DOMAINNAME}"
Display --indent 2 --text "- Searching DNS domain name..." --result "FOUND" --color GREEN
Display --indent 6 --text "Domain name: ${DOMAINNAME}"
else
Display --indent 2 --text "- Searching DNS domain name..." --result "UNKNOWN" --color YELLOW
ReportSuggestion ${TEST_NO} "Check DNS configuration for the dns domain name"
fi
fi
#
#################################################################################
#
# Test : NAME-4032
# Description : Check name service caching daemon (NSCD) status
Register --test-no NAME-4032 --weight L --network NO --description "Check nscd status"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking nscd status"
FIND=`${PSBINARY} ax | grep "nscd" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: nscd is running"
Display --indent 2 --text "- Checking nscd status..." --result RUNNING --color GREEN
else
logtext "Result: nscd is not running"
Display --indent 2 --text "- Checking nscd status..." --result "NOT FOUND" --color WHITE
#YYY show performance suggestion if LDAP is used
fi
fi
#
#################################################################################
#
# Test : NAME-4202
# Description : Check if BIND is running
Register --test-no NAME-4202 --weight L --network NO --description "Check BIND status"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking for running BIND instance"
FIND=`${PSBINARY} ax | grep "/named" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found BIND process"
Display --indent 2 --text "- Checking BIND status..." --result "FOUND" --color GREEN
BIND_RUNNING=1
else
logtext "Result: BIND not running"
Display --indent 2 --text "- Checking BIND status..." --result "NOT FOUND" --color WHITE
fi
fi
#
#################################################################################
#
# Test : NAME-4204
# Description : Check configuration file of BIND
if [ ${BIND_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4204 --preqs-met ${PREQS_MET} --weight L --network NO --description "Search BIND configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Search BIND configuration file"
#YYY add chrooted environments
for I in ${BIND_CONFIG_LOCS}; do
if [ -f ${I}/named.conf ]; then
BIND_CONFIG_LOCATION="${I}/named.conf"
logtext "Result: found configuration file (${BIND_CONFIG_LOCATION})"
fi
done
if [ ! "${BIND_CONFIG_LOCATION}" = "" ]; then
Display --indent 4 --text "- Checking BIND configuration file..." --result "FOUND" --color GREEN
else
Display --indent 4 --text "- Checking BIND configuration file..." --result "NOT FOUND" --color YELLOW
fi
fi
#
#################################################################################
#
# Test : NAME-4206
# Description : Check BIND configuration file consistency
if [ ${BIND_RUNNING} -eq 1 -a ! "${BIND_CONFIG_LOCATION}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4206 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check BIND configuration consistency"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: searching for named-checkconf binary"
if [ ! "${NAMEDCHECKCONFBINARY}" = "" ]; then
logtext "Result: named-checkconf is installed"
FIND=`${NAMEDCHECKCONFBINARY} ${BIND_CONFIG_LOCATION}; echo $?`
if [ "${FIND}" = "0" ]; then
logtext "Result: configuration file ${BIND_CONFIG_LOCATION} seems to be fine"
Display --indent 4 --text "- Checking BIND configuration consistency..." --result "OK" --color GREEN
else
logtext "Result: possible errors found in ${BIND_CONFIG_LOCATION}"
Display --indent 4 --text "- Checking BIND configuration consistency..." --result WARNING --color RED
ReportWarning ${TEST_NO} "Errors discovered in BIND configuration file"
fi
else
logtext "Result: named-checkconf not found, skipping test"
fi
fi
#
#################################################################################
#
# Test : NAME-4208
# Description : Check DNS server type (master, slave, caching, forwarding)
#Register --test-no NAME-4050 --weight L --network NO --description "Check nscd status"
#if [ ${SKIPTEST} -eq 0 ]; then
#
#################################################################################
#
# Test : NAME-4210
# Description : Check if we can determine useful information from banner
if [ ${BIND_RUNNING} -eq 1 -a ! "${BIND_CONFIG_LOCATION}" = "" -a ! "${DIGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4210 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check DNS banner"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Trying to determine version from banner"
FIND=`${DIGBINARY} @localhost version.bind chaos txt | grep "^version.bind" | grep TXT | egrep "[0-9].[0-9].[0-9]*"`
if [ "${FIND}" = "" ]; then
logtext "Result: no useful information in banner found"
Display --indent 4 --text "- Checking BIND version in banner ..." --result "OK" --color GREEN
AddHP 2 2
else
logtext "Result: possible BIND version available in version banner"
Display --indent 4 --text "- Checking BIND version in banner..." --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "Found BIND version in banner"
ReportSuggestion ${TEST_NO} "The version in BIND can be masked by defining 'version none' in the configuration file"
AddHP 0 2
fi
fi
#
#################################################################################
#
# Test : NAME-4212
# Description : Check version option in BIND configuration
#if [ ${BIND_RUNNING} -eq 1 -a ! "${BIND_CONFIG_LOCATION}" = "" -a ! "${DIGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no NAME-4210 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check DNS banner"
#
#################################################################################
#
# Test : NAME-4220
# Description : Check if we can perform a zone transfer of primary domain
#Register --test-no NAME-4220 --weight L --network NO --description "Check zone transfer"
#if [ ${SKIPTEST} -eq 0 ]; then
#
#################################################################################
#
# Test : NAME-4222
# Description : Check if we can perform a zone transfer of PTR (of primary domain)
#Register --test-no NAME-4222 --weight L --network NO --description "Check zone transfer"
#if [ ${SKIPTEST} -eq 0 ]; then
#
#################################################################################
#
# Test : NAME-4230
# Description : Check if PowerDNS is running
Register --test-no NAME-4230 --weight L --network NO --description "Check PowerDNS status"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking for running PowerDNS instance"
FIND=`${PSBINARY} ax | grep "/pdns_server" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found PowerDNS process"
Display --indent 2 --text "- Checking PowerDNS status..." --result "RUNNING" --color GREEN
POWERDNS_RUNNING=1
else
logtext "Result: PowerDNS not running"
Display --indent 2 --text "- Checking PowerDNS status..." --result "NOT FOUND" --color WHITE
fi
fi
#
#################################################################################
#
# Test : NAME-4232
# Description : Check PowerDNS configuration file
if [ ${POWERDNS_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4232 --preqs-met ${PREQS_MET} --weight L --network NO --description "Search PowerDNS configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Search PowerDNS configuration file"
#YYY add chrooted environments
for I in ${POWERDNS_CONFIG_LOCS}; do
if [ -f ${I}/pdns.conf ]; then
POWERDNS_AUTH_CONFIG_LOCATION="${I}/pdns.conf"
logtext "Result: found configuration file (${POWERDNS_AUTH_CONFIG_LOCATION})"
fi
done
if [ ! "${POWERDNS_AUTH_CONFIG_LOCATION}" = "" ]; then
Display --indent 4 --text "- Checking PowerDNS configuration file..." --result "FOUND" --color GREEN
else
Display --indent 4 --text "- Checking PowerDNS configuration file..." --result "NOT FOUND" --color YELLOW
fi
fi
#
#################################################################################
#
# # Test : NAME-4234
# # Description : Check PowerDNS configuration file consistency
# if [ ${POWERDNS_RUNNING} -eq 1 -a ! "${POWERDNS_AUTH_CONFIG_LOCATION}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Register --test-no NAME-4234 --weight L --network NO --description "Check PowerDNS configuration consistency"
# if [ ${SKIPTEST} -eq 0 ]; then
# fi
#
#################################################################################
#
# Test : NAME-4236
# Description : Check PowerDNS server backends
if [ ${POWERDNS_RUNNING} -eq 1 -a ! "${POWERDNS_AUTH_CONFIG_LOCATION}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4236 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PowerDNS backends"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking for PowerDNS backends"
FIND=`cat ${POWERDNS_AUTH_CONFIG_LOCATION} | grep "^launch" | awk -F= '{ print $2 }'`
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
logtext "Found backend: ${I}"
done
Display --indent 4 --text "- Checking PowerDNS backends..." --result "FOUND" --color GREEN
else
logtext "Result: no PowerDNS backends found"
Display --indent 4 --text "- Checking PowerDNS backends..." --result "NOT FOUND" --color YELLOW
fi
fi
#
#################################################################################
#
# Test : NAME-4238
# Description : Check PowerDNS authoritive status
if [ ${POWERDNS_RUNNING} -eq 1 -a ! "${POWERDNS_AUTH_CONFIG_LOCATION}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4238 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PowerDNS authoritive status"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking for PowerDNS master status"
FIND=`cat ${POWERDNS_AUTH_CONFIG_LOCATION} | grep "^master=yes"`
if [ ! "${FIND}" = "" ]; then
logtext "Found master=yes in configuration file"
Display --indent 4 --text "- PowerDNS authoritive master: YES"
POWERDNS_AUTH_MASTER=1
else
logtext "Result: most likely not master (no master=yes)"
Display --indent 4 --text "- PowerDNS authoritive master: NO"
fi
logtext "Test: Checking for PowerDNS slave status"
FIND=`cat ${POWERDNS_AUTH_CONFIG_LOCATION} | grep "^slave=yes"`
if [ ! "${FIND}" = "" ]; then
logtext "Found slave=yes in configuration file"
Display --indent 4 --text "- PowerDNS authoritive slave: YES"
POWERDNS_AUTH_SLAVE=1
else
logtext "Result: most likely not slave (no slave=yes)"
Display --indent 4 --text "- PowerDNS authoritive slave: NO"
fi
fi
#
#################################################################################
#
# Test : NAME-4302
# Description : Check NIS ypbind daemon status
Register --test-no NAME-4304 --weight L --network NO --description "Check NIS ypbind status"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking status of ypbind daemon"
FIND=`${PSBINARY} ax | grep "ypbind" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: ypbind is running"
Display --indent 2 --text "- Checking ypbind status..." --result "FOUND" --color GREEN
YPBIND_RUNNING=1
ReportSuggestion "Disable the usage of NIS/NIS+ and use an alternative like LDAP or Kerberos instead"
else
logtext "Result: ypbind is not active"
Display --indent 2 --text "- Checking ypbind status..." --result "NOT FOUND" --color WHITE
fi
fi
#
#################################################################################
#
# Test : NAME-4306
# Description : Check NIS domain
# Notes : FreeBSD: sysctl kern.domainname
if [ ${YPBIND_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4306 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check NIS domain"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking `domainname` for NIS domain value"
FIND=`${DOMAINNAMEBINARY} | grep -v "(none)"`
if [ ! "${FIND}" = "" ]; then
logtext "Value: ${FIND}"
NISDOMAIN="${FIND}"
else
logtext "Result: no NIS domain found in command output"
fi
# Solaris / Linux style
logtext "Test: Checking file /etc/defaultdomain"
if [ -f /etc/defaultdomain ]; then
logtext "Result: file /etc/defaultdomain exists"
FIND2=`cat /etc/defaultdomain`
if [ ! "${FIND2}" = "" ]; then
logtext "Output: ${FIND2}"
NISDOMAIN="${FIND2}"
else
logtext "Result: no NIS domain found in file"
fi
fi
# Red Hat style
logtext "Test: checking /etc/sysconfig/network"
if [ -f /etc/sysconfig/network ]; then
logtext "Result: file /etc/sysconfig/network exists"
logtext "Test: checking NISDOMAIN value in file"
FIND3=`grep "^NISDOMAIN" /etc/sysconfig/network | awk -F= '{ print $2 }' | sed 's/"//g'`
if [ ! "${FIND3}" = "" ]; then
logtext "Found NIS domain: ${FIND3}"
NISDOMAIN="${FIND3}"
else
logtext "Result: No NIS domain found in file"
fi
else
logtext "Result: file /etc/sysconfig/network does not exist"
fi
# Check sysctl (e.g. FreeBSD)
logtext "Test: checking sysctl for kern.domainname"
FIND=`sysctl -a 2>&1 | grep "^kern.domainname" | awk -F: '{ print $2 }' | sed 's/ //g' | grep -v "^$"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found NIS domain via sysctl"
NISDOMAIN="${FIND}"
fi
# Check if we found any NIS domain
if [ ! "${NISDOMAIN}" = "" ]; then
logtext "Found NIS domain: ${NISDOMAIN}"
report "nisdomain=${NISDOMAIN}"
Display --indent 4 --text "- Checking NIS domain..." --result "FOUND" --color GREEN
else
logtext "Result: No NIS domain found"
Display --indent 4 --text "- Checking NIS domain..." --result "UNKNOWN" --color YELLOW
fi
fi
#
#################################################################################
#
if [ -f /etc/hosts ]; then
Display --indent 2 --text "- Checking /etc/hosts"
fi
# Test : NAME-4402
# Description : Check /etc/hosts configuration
Register --test-no NAME-4402 --weight L --network NO --description "Check duplicate line in /etc/hosts"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check duplicate line in /etc/hosts"
if [ -f /etc/hosts ]; then
sFIND=`cat /etc/hosts | egrep -v '^(#|$)' | uniq -d`
if [ "${sFIND}" = "" ]; then
logtext "Result: OK, no duplicate lines found"
Display --indent 4 --text "- Checking /etc/hosts (duplicates)" --result OK --color GREEN
else
logtext "Found duplicate line: ${sFIND}"
logtext "Result: found duplicate line"
Display --indent 4 --text "- Checking /etc/hosts (duplicates)" --result SUGGESTION --color YELLOW
ReportSuggestion ${TEST_NO} "L" "Remove duplicate lines in /etc/hosts"
fi
else
logtext "Result: /etc/hosts not found, test skipped"
Display --indent 4 --text "Searching duplicate line..." --result "SKIPPED" --color YELLOW
fi
fi
#
#################################################################################
#
# Test : NAME-4404
# Description : Check /etc/hosts contains an entry for this server name
Register --test-no NAME-4404 --weight L --network NO --description "Check /etc/hosts contains an entry for this server name"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Check /etc/hosts contains an entry for this server name"
if [ -f /etc/hosts ]; then
sFIND=`cat /etc/hosts | egrep -v '^(#|$|::1|localhost)' | grep ${HOSTNAME}`
if [ "${sFIND}" != "" ]; then
logtext "Result: Found entry for ${HOSTNAME} in /etc/hosts"
Display --indent 4 --text "- Checking /etc/hosts (hostname)" --result OK --color GREEN
else
logtext "Result: No entry found for ${HOSTNAME} in /etc/hosts"
Display --indent 4 --text "- Checking /etc/hosts (hostname)" --result SUGGESTION --color YELLOW
ReportSuggestion ${TEST_NO} "Add the IP name and FQDN to /etc/hosts for proper name resolving"
logtext "Risk: No entry for the server name [hostname] in /etc/hosts may cause unexpected performance problems for local connections"
fi
fi
fi
#
#################################################################################
#
# Test : NAME-4406
# Description : Check server hostname mapping
Register --test-no NAME-4406 --weight L --network NO --description "Check server hostname mapping"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Check server hostname not locally mapped in /etc/hosts"
sFIND=`cat /etc/hosts | egrep -v '^(#|$)' | egrep '(localhost|::1)' | grep ${HOSTNAME}`
if [ ! "${sFIND}" = "" ]; then
logtext "Result: Found this server hostname mapped to a local address"
Display --indent 4 --text "- Checking /etc/hosts (localhost)" --result SUGGESTION --color YELLOW
logtext "Information: Linking the hostname to the localhost entry may break some resolving. Split resolving so that localhost resolves back to 127.0.0.1 (and ::1) and the hostname of the machine to the real IP address on the network interface."
ReportSuggestion ${TEST_NO} "Split resolving between localhost and the hostname of the system"
else
logtext "Result: this server hostname is not mapped to a local address"
Display --indent 4 --text "- Checking /etc/hosts (localhost)" --result OK --color GREEN
fi
fi
#
#################################################################################
#
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
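Review bot: the reporting helpers are called with inconsistent argument lists in this region, so some findings will land in the wrong field of the report. NAME-4206 calls `ReportWarning ${TEST_NO} "Errors discovered in BIND configuration file"` with no severity, while NAME-4210 passes `${TEST_NO} "M" "..."`; NAME-4402 calls `ReportSuggestion ${TEST_NO} "L" "Remove duplicate lines in /etc/hosts"` while NAME-4404 and NAME-4406 pass no severity; and the ypbind test calls `ReportSuggestion "Disable the usage of NIS/NIS+ ..."` with no test id at all. Settle on one signature per helper and fix the outliers. Two smaller points in the same hunk: the ypbind test is commented as NAME-4302 but registered as NAME-4304, and NAME-4402 runs `uniq -d` on the unsorted file, which only flags adjacent duplicate lines, so `cat /etc/hosts | egrep -v '^(#|$)' | sort | uniq -d` is needed to catch the non-adjacent ones.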

450
include/tests_networking Normal file


@ -0,0 +1,450 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Networking
#
#################################################################################
#
FOUNDPROMISC=0 # Promiscuous interfaces
LOCAL_DNSRESOLVER_FOUND=0 # Local DNS resolver
NUMBERACTIVENS=0 # Number of active nameservers
DHCP_CLIENT_RUNNING=0 # DHCP client availability
#
#################################################################################
#
InsertSection "Networking"
#
#################################################################################
#
# Test : NETW-2704 (YYY move to nameservices section)
# Description : Basic nameserver configuration tests (connectivity)
Register --test-no NETW-2704 --weight L --network YES --description "Basic nameserver configuration tests"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Checking configured nameservers..."
logtext "Test: Checking /etc/resolv.conf file"
if [ -f /etc/resolv.conf ]; then
logtext "Result: Found /etc/resolv.conf file"
FIND=`grep '^nameserver' /etc/resolv.conf | tr -d '\t' | sed 's/nameserver*//g'`
if [ ! "${FIND}" = "" ]; then
Display --indent 4 --text "- Testing nameservers..."
logtext "Test: Querying nameservers"
for I in ${FIND}; do
logtext "Found nameserver: ${I}"
report "nameserver[]=${I}"
# Check if a local resolver is available (like DNSMasq)
if [ "${I}" = "::1" -o "${I}" = "127.0.0.1" -o "${I}" = "0.0.0.0" ]; then
LOCAL_DNSRESOLVER_FOUND=1
fi
if [ ! "${DIGBINARY}" = "" ]; then
# See if we can query something at the nameserver
# 0=good, other=bad
DNSRESPONSE=`${DIGBINARY} +noall +time=3 +retry=0 @${I} ${I} > /dev/null ; echo $?`
if [ "${DNSRESPONSE}" = "0" ]; then
Display --indent 8 --text "Nameserver: ${I}..." --result OK --color GREEN
logtext "Nameserver ${I} seems to respond to queries from this host."
# Count responsive nameservers
NUMBERACTIVENS=`expr ${NUMBERACTIVENS} + 1`
else
Display --indent 8 --text "Nameserver: ${I}..." --result "NO RESPONSE" --color RED
logtext "Result: nameserver ${I} does NOT respond"
logtext "Exit-code from dig: ${DNSRESPONSE}"
ReportSuggestion ${TEST_NO} "Check connection to this nameserver and make sure no outbound DNS queries are blocked (port 53 UDP and TCP)."
ReportWarning ${TEST_NO} "L" "Nameserver ${I} does not respond"
fi
else
logtext "Result: Nameserver test for ${I} skipped, 'dig' not installed"
Display --indent 6 --text "Nameserver: ${I}... " --result SKIPPED --color YELLOW
fi
done
fi
fi
fi
#
#################################################################################
#
# Test : NETW-2705
# Description : Basic nameserver configuration tests (connectivity)
if [ ${LOCAL_DNSRESOLVER_FOUND} -eq 0 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NETW-2705 --preqs-met ${PREQS_MET} --weight L --network YES --description "Check availability two nameservers"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${DIGBINARY}" = "" ]; then
if [ ${NUMBERACTIVENS} -lt 2 ]; then
Display --indent 4 --text "- Minimal of 2 responsive nameservers..." --result WARNING --color RED
logtext "Result: less than 2 responsive nameservers found"
ReportWarning ${TEST_NO} "L" "Couldn't find 2 responsive nameservers"
logtext "Note: Non responsive nameservers can give problems for your system(s). Like the lack of recursive lookups, bad connectivity to update servers etc."
ReportSuggestion ${TEST_NO} "Check your resolv.conf file and fill in a backup nameserver if possible"
AddHP 1 2
else
Display --indent 4 --text "- Minimal of 2 responsive nameservers..." --result OK --color GREEN
logtext "Result: found at least 2 responsive nameservers"
AddHP 3 3
fi
else
Display --indent 4 --text "- Minimal of 2 responsive nameservers..." --result SKIPPED --color YELLOW
logtext "Result: dig not installed, test can't be fully performed"
fi
else
logtext "Result: Test most likely skipped due having local resolver in /etc/resolv.conf"
fi
#
#################################################################################
#
# Test : NETW-3001
# Description : Find default gateway (route)
# More info : BSD: ^default Linux: 0.0.0.0
Register --test-no NETW-3001 --weight L --network NO --description "Find default gateway (route)"
if [ $SKIPTEST -eq 0 ]; then
logtext "Test: Searching default gateway(s)..."
FIND=`netstat -rn | egrep "^0.0.0.0|default" | tr -s ' ' | cut -d ' ' -f2`
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
logtext "Result: Found default gateway ${I}"
report "default_gateway[]=${I}"
done
Display --indent 2 --text "- Checking default gateway..." --result DONE --color GREEN
else
logtext "Result: No default gateway found"
Display --indent 2 --text "- Checking default gateway..." --result "NONE FOUND" --color WHITE
fi
fi
#
#################################################################################
#
# Test : NETW-3004
# Description : Find available network interfaces on FreeBSD and others
if [ "${OS}" = "DragonFly" -o "${OS}" = "FreeBSD" -o "${OS}" = "NetBSD" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NETW-3004 --preqs-met ${PREQS_MET} --weight L --network NO --description "Search available network interfaces on FreeBSD and others"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${IFCONFIGBINARY} -l`
N=0
for I in ${FIND}; do
logtext "Found network interface: ${I}"
N=`expr ${N} + 1`
report "network_interface[]=${I}"
done
fi
#
#################################################################################
#
# Test : NETW-3006
# Description : Get network MAC addresses
Register --test-no NETW-3006 --weight L --network NO --description "Get network MAC addresses"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=""
case ${OS} in
AIX)
FIND=`lscfg -vl ent* | fgrep "Network Address" | cut -d"." -f14 | awk '{ ctr=1; i=1; while (ctr <= 6) { d[ctr++]=substr($0,i,2);i=i+2 } printf("%s:%s:%s:%s:%s:%s\n",d[1],d[2],d[3],d[4],d[5],d[6]) }'`
;;
DragonFly|FreeBSD)
FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="ether") print $2 }' | sort | uniq`
;;
Linux)
FIND=`${IFCONFIGBINARY} -a | grep "HWaddr" | awk '{ if ($4=="HWaddr") print $5 }' | sort | uniq`
;;
MacOS)
FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="lladdr" || $1=="ether") print $2 }' | sort | uniq`
;;
NetBSD)
FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="address:") print $2 }' | sort | uniq`
;;
OpenBSD)
FIND=`${IFCONFIGBINARY} -A | awk '{ if ($1=="lladdr") print $2 }' | sort | uniq`
;;
Solaris)
FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="ether") print $2 }' | sort | uniq`
;;
*)
# Having a system currently unsupported? Share your details to determine MAC information
ReportException "${TEST_NO}:1" "No support for this OS (${OS}) to find MAC information"
;;
esac
N=0
for I in ${FIND}; do
logtext "Found MAC address: ${I}"
N=`expr ${N} + 1`
report "network_mac_address[]=${I}"
done
fi
#
#################################################################################
#
# Test : NETW-3008
# Description : Get network IPv4/6 addresses
Register --test-no NETW-3008 --weight L --network NO --description "Get network IP addresses"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=""; FIND2=""
case ${OS} in
AIX)
FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet") print $2 }'`
# IPv6 support in AIX? (YYY)
;;
DragonFly|FreeBSD|NetBSD)
FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet") print $2 }'`
FIND2=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet6") print $2 }'`
;;
Linux)
FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet") print $2 }' | cut -d ':' -f2`
# Version which works for multiple types of ifconfig (e.g. Slackware)
FIND2=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet6" && $2=="addr:") { print $3 } else { if ($1=="inet6" && $3=="prefixlen") { print $2 } } }'`
;;
MacOS)
FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet") print $2 }'`
FIND2=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet6") print $2 }'`
;;
OpenBSD)
FIND=`${IFCONFIGBINARY} -A | awk '{ if ($1=="inet") print $2 }'`
FIND2=`${IFCONFIGBINARY} -A | awk '{ if ($1=="inet6") print $2 }'`
;;
Solaris)
FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet") print $2 }'`
FIND2=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet6") print $2 }'`
;;
*)
logtext "Warning: no support yet for this OS (${OS}) to find IP address information"
ReportException "${TEST_NO}:1" "IP address information test not implemented for this operating system"
;;
esac
N=0
# IPv4
for I in ${FIND}; do
logtext "Found IPv4 address: ${I}"
N=`expr ${N} + 1`
report "network_ipv4_address[]=${I}"
done
# IPv6
for I in ${FIND2}; do
logtext "Found IPv6 address: ${I}"
N=`expr ${N} + 1`
report "network_ipv6_address[]=${I}"
done
fi
#
#################################################################################
#
# Test : NETW-3012
# Description : Check listening ports
Register --test-no NETW-3012 --weight L --network NO --description "Check listening ports"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=""; FIND2=""
N=0
case ${OS} in
DragonFly|FreeBSD)
if [ ! "${SOCKSTATBINARY}" = "" ]; then
FIND=`${SOCKSTATBINARY} | awk '{ if ($7 ~ /\*:\*/) print $5"|"$6"|"$2"|" }' | sort | uniq`
# To strip off IP's: sed 's/|.*:/|/'
else
FIND=""
fi
FIND2=""
;;
Linux)
# UDP
FIND=`netstat -nlp | grep "^udp" | awk '{ print $4"|"$1"|"$6"|" }' | sed 's:|[0-9]*/:|:'`
# TCP
FIND2=`netstat -nlp | grep "^tcp" | awk '{ if($6=="LISTEN") { print $4"|"$1"|"$7"|" }}' | sed 's:|[0-9]*/:|:'`
;;
NetBSD)
if [ ! "${SOCKSTATBINARY}" = "" ]; then
FIND=`${SOCKSTATBINARY} | awk '{ if ($7 ~ /\*.\*/) print $5"|"$6"|"$2"|" }' | sort | uniq`
else
FIND=""
fi
FIND2=""
;;
*)
# Got this exception? Provide your details and output of netstat or any other tool to determine this information.
ReportException "${TEST_NO}:1" "Unclear what method to use, to determine listening port information"
;;
esac
# Retrieve information from sockstat, when available
logtext "Test: Retrieving sockstat information to find listening ports..."
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
N=`expr ${N} + 1`
logtext "Found listening info: ${I}"
report "network_listen_port=${I}"
done
fi
if [ ! "${FIND2}" = "" ]; then
for I in ${FIND2}; do
N=`expr ${N} + 1`
logtext "Found listening info: ${I}"
report "network_listen_port=${I}"
done
fi
if [ "${FIND}" = "" -a "${FIND2}" = "" ]; then
Display --indent 2 --text "- Getting listening ports (TCP/UDP)..." --result SKIPPED --color YELLOW
else
Display --indent 2 --text "- Getting listening ports (TCP/UDP)..." --result DONE --color GREEN
Display --indent 6 --text "* Found ${N} ports"
fi
fi
#
#################################################################################
#
# Test : NETW-3014
# Description : Checking promiscuous interfaces (BSD)
# Note : FreeBSD and others
if [ "${OS}" = "DragonFly" -o "${OS}" = "FreeBSD" -o "${OS}" = "NetBSD" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NETW-3014 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking promiscuous interfaces (BSD)"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking promiscuous interfaces (FreeBSD)..."
FIND=`${IFCONFIGBINARY} | grep PROMISC | cut -d ':' -f1`
if [ ! "${FIND}" = "" ]; then
logtext "Result: Promiscuous interfaces: ${FIND}"
for I in ${FIND}; do
ISWHITELISTED=`grep "^if_promisc:${I}:" ${PROFILE}`
if [ "${ISWHITELISTED}" = "" ]; then
FOUNDPROMISC=1
ReportWarning ${TEST_NO} "H" "Found promiscuous interface (${I})"
logtext "Note: some tools put an interface into promiscuous mode, to capture/log network traffic"
else
logtext "Result: Found promiscuous interface ${I} (*whitelisted via profile*)"
fi
done
fi
# Show result
if [ ${FOUNDPROMISC} -eq 0 ]; then
Display --indent 2 --text "- Checking promiscuous interfaces..." --result OK --color GREEN
logtext "Result: No promiscuous interfaces found"
else
Display --indent 2 --text "- Checking promiscuous interfaces..." --result WARNING --color RED
fi
fi
#
#################################################################################
#
# Test : NETW-3015
# Description : Checking promiscuous interfaces (Linux)
# Note : Linux
Register --test-no NETW-3015 --os Linux --weight L --network NO --description "Checking promiscuous interfaces (Linux)"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking promiscuous interfaces (Linux)"
NETWORK=`${IFCONFIGBINARY} | grep Link | tr -s ' ' | cut -d ' ' -f1`
if [ ! "${NETWORK}" = "" ]; then
for I in ${NETWORK}; do
FIND=`${IFCONFIGBINARY} ${I} | grep PROMISC`
if [ ! "${FIND}" = "" ]; then
logtext "Result: Promiscuous interface: ${I}"
ISWHITELISTED=`grep "^if_promisc:${I}:" ${PROFILE}`
if [ "${ISWHITELISTED}" = "" ]; then
FOUNDPROMISC=1
ReportWarning ${TEST_NO} "H" "Found promiscuous interface (${I})"
logtext "Note: some tools put an interface into promiscuous mode, to capture/log network traffic"
else
logtext "Result: Found promiscuous interface ${I} (*whitelisted via profile*)"
fi
fi
done
fi
# Show result
if [ ${FOUNDPROMISC} -eq 0 ]; then
Display --indent 2 --text "- Checking promiscuous interfaces..." --result OK --color GREEN
logtext "Result: No promiscuous interfaces found"
else
Display --indent 2 --text "- Checking promiscuous interfaces..." --result WARNING --color RED
fi
fi
#
#################################################################################
#
# Test : NETW-3020
# Description : Checking multipath configuration (Solaris)
#
#################################################################################
#
# Test : NETW-3024
# Description : Netstat/socktstat compare (FreeBSD)
# echo -n " - Comparing output sockstat and netstat... "
# logtext "Comparing output of sockstat and netstat... "
# NETSTATOUTPUT=`netstat -an | grep -v 'TIME_WAIT' | grep -v 'ESTABLISHED' | grep -v 'SYN_SENT' | grep -v 'CLOSE_WAIT' | grep -v 'LAST_ACK' | grep -v 'SYN_RECV' | grep -v 'CLOSING' | cut -c 1-44 | grep '*.' | cut -c 24-32 | tr -d ' ' | tr -d '\t' | grep -v '*' | sort | uniq`
#
# if [ "${SOCKSTATOUTPUT}" = "${NETSTATOUTPUT}" ]; then
# ShowResult OK
# else
# echo "[ ${BAD}Warning!${NORMAL} ]"
# logtext "WARNING!"
# logtext "Sockstat tested output: ${SOCKSTAT}"
# logtext "Netstat tested output: ${NETSTAT}"
# fi
#
#################################################################################
#
# Test : NETW-3028
# Description : Checking for many waiting connections
# Type : Performance
Register --test-no NETW-3028 --weight L --network NO --description "Checking connections in WAIT state"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Using netstat for check for connections in WAIT state..."
FIND=`netstat -an | grep WAIT | wc -l | awk '{ print $1 }'`
if [ "${OPTIONS_CONN_MAX_WAIT_STATE}" = "" ]; then OPTIONS_CONN_MAX_WAIT_STATE="100"; fi
logtext "Result: currently ${FIND} connections are in a waiting state (max configured: ${OPTIONS_CONN_MAX_WAIT_STATE})."
if [ ${FIND} -gt ${OPTIONS_CONN_MAX_WAIT_STATE} ]; then
Display --indent 2 --text "- Checking waiting connections..." --result WARNING --color YELLOW
ReportWarning ${TEST_NO} "H" "Found too much connections in WAIT state (${FIND})"
else
Display --indent 2 --text "- Checking waiting connections..." --result OK --color GREEN
logtext "Result: ${FIND} connections are in WAIT state"
fi
fi
#
#################################################################################
#
# Test : NETW-3030
# Description : Checking for DHCP client
Register --test-no NETW-3030 --weight L --network NO --description "Checking DHCP client status"
if [ ${SKIPTEST} -eq 0 ]; then
IsRunning dhclient
if [ ${RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking status DHCP client..." --result RUNNING --color WHITE
#YYY report if system type is server, that it is running with DHCP client, might be a badly configured machine
#report "manual[]=System is running DHCP client"
DHCP_CLIENT_RUNNING=1
else
Display --indent 2 --text "- Checking status DHCP client..." --result "NOT ACTIVE" --color WHITE
fi
fi
#
#################################################################################
#
# Test : NETW-3060
# Description : Check if IPv6 is configured AND used
# /etc/modprobe.d (add 'install ipv6 /bin/true' if IPv6 isn't used)
# or
# aliased (/etc/modprobe.d/aliases?): alias net-pf-10 off ipv6 (to disable)
#Register --test-no NETW-3060 --weight L --network NO --description "Checking IPv6 connectivity"
#if [ ${SKIPTEST} -eq 0 ]; then
#
#################################################################################
#
# Linux: net.ipv4.ip_always_defrag
#
#################################################################################
#
report "dhcp_client_running=${DHCP_CLIENT_RUNNING}"
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
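Review bot: NETW-3015 reports OK when it could not enumerate a single interface. `NETWORK=\`${IFCONFIGBINARY} | grep Link | tr -s ' ' | cut -d ' ' -f1\`` only matches the legacy `Link encap:` output of net-tools; on an ifconfig that prints `eth0: flags=...`, NETWORK is empty, the loop never runs, and the test falls through to "Checking promiscuous interfaces... OK" because FOUNDPROMISC is still 0. When NETWORK is empty, log it and call ReportException (or display SKIPPED) rather than a green OK; better still, enumerate interfaces from `/sys/class/net` or `ip link` and grep each one for PROMISC, which works with both output formats. The Linux branch of NETW-3006 has the same dependency on the old format via `grep "HWaddr"` (the newer output uses `ether`), so MAC collection silently returns nothing there too. Also, NETW-3028's `grep WAIT` lumps TIME_WAIT, CLOSE_WAIT and FIN_WAIT together and then files an "H" severity warning for what the header labels a performance check; count the states separately and lower the severity.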

281
include/tests_php Normal file

@ -0,0 +1,281 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Software: PHP
#
#################################################################################
#
InsertSection "Software: PHP"
# Possible locations of php.ini
PHPINILOCS="/etc/php.ini \
/etc/php/cgi-php5/php.ini /etc/php/cli-php5/php.ini /etc/php/apache2-php5/php.ini \
/etc/php/apache2-php5.4/php.ini /etc/php/apache2-php5.5/php.ini \
/etc/php5/cgi/php.ini \
/etc/php5/cli/php.ini \
/etc/php5/cli-php5.4/php.ini /etc/php5/cli-php5.5/php.ini /etc/php5/cli-php5.6/php.ini \
/etc/php5/apache2/php.ini \
/private/etc/php.ini \
/var/www/conf/php.ini \
/usr/local/etc/php.ini /usr/local/lib/php.ini"
PHPINIDIRS="/etc/php5/conf.d"
#
#################################################################################
#
# Test : PHP-2211
# Description : Check php.ini presence
Register --test-no PHP-2211 --weight L --network NO --description "Check php.ini presence"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking for presence php.ini"
PHPINIFILE=""
PHPINI_ALLFILES=""
for I in ${PHPINILOCS}; do
logtext "Test: checking presence ${I}"
if [ -f ${I} ]; then
PHPINIFILE=${I}
logtext "Result: Found php.ini file (${PHPINIFILE})"
logtext "Note: Adding file to php.ini array"
PHPINI_ALLFILES="${PHPINI_ALLFILES} ${PHPINIFILE}"
else
logtext "Result: file ${I} not found"
fi
done
# Check all known locations
for I in ${PHPINIDIRS}; do
tFILES=`ls ${I}/*.ini 2>/dev/null`
if [ "${tFILES}" = "" ]; then
logtext "Result: no files found for ${I}"
else
logtext "Result: found files in location ${I}, checking.."
for I in ${tFILES}; do
if [ -f ${I} ]; then
logtext "Result: file ${I} exists, adding to php.ini array"
PHPINI_ALLFILES="${PHPINI_ALLFILES} ${I}"
fi
done
fi
done
if [ ! "${PHPINIFILE}" = "" ]; then
Display --indent 2 --text "- Checking PHP..." --result "FOUND" --color GREEN
logtext "Result: using single file ${PHPINIFILE} for main php.ini tests"
logtext "Result: using php.ini array ${PHPINI_ALLFILES} for further tests"
else
Display --indent 2 --text "- Checking PHP..." --result "NOT FOUND" --color WHITE
logtext "Result: no php.ini file found"
fi
fi
#
#################################################################################
#
# Test : PHP-2320
# Description : Check php disable functions option
if [ ! "${PHPINI_ALLFILES}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PHP-2320 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP disabled functions"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
for I in ${PHPINI_ALLFILES}; do
logtext "Test: Checking for PHP function hardening disabled_functions or suhosin.executor.func.blacklist in file ${I}"
FIND=`grep "^disable_functions.*=" ${I}`
if [ "${FIND}" = "" ]; then
logtext "Result: ${I}: disabled_functions not found"
else
logtext "Result: ${I}: found disabled_functions"
FOUND=1
fi
FIND=`grep "^suhosin.executor.func.blacklist=" ${I}`
if [ "${FIND}" = "" ]; then
logtext "Result: ${I}: suhosin.executor.func.blacklist not found"
else
logtext "Result: ${I}: found suhosin.executor.func.blacklist"
FOUND=1
fi
done
if [ ${FOUND} -eq 0 ]; then
logtext "Result: all PHP functions can be executed"
Display --indent 4 --text "- Checking PHP disabled functions..." --result "NONE" --color YELLOW
ReportSuggestion ${TEST_NO} "Harden PHP by disabling risky functions"
logtext "Functions of interest to research/disable: chown, diskfreespace, disk_free_space, disk_total_space, dl, exec, escapeshellarg, escapeshellcmd, fileinode, highlight_file, max_execution_time, passthru, pclose, phpinfo, popen, proc_close, proc_open, proc_get_status, proc_nice, proc_open, proc_terminate, set_time_limit, shell_exec, show_source, system)"
AddHP 0 1
else
logtext "Result: one or more PHP functions are disabled/blacklisted"
Display --indent 4 --text "- Checking PHP disabled functions..." --result "FOUND" --color GREEN
AddHP 3 3
fi
fi
#
#################################################################################
#
# Test : PHP-2368
# Description : Check php register_globals option
# Notes : Don't test for it if PHP version is 5.4.0 or later (it has been removed)
if [ ! "${PHPINIFILE}" = "" -a ! "${PHPVERSION}" = "" ]; then
FIND=`echo ${PHPVERSION} | ${EGREPBINARY} "^(4.|5.[0-3])"`
if [ "${FIND}" = "" ]; then
PREQS_MET="NO"; Debug "Found most likely PHP version 5.4.0 or higher (${PHPVERSION}) which does not use register_globals"
else
PREQS_MET="YES"; Debug "Found PHP version 4 or up to 5.3 (${FIND}) which we are going to scan"
fi
else
Debug "Skipping test: php.ini not found, or PHP version empty"
Debug "php.ini: ${PHPINIFILE}"
Debug "version: ${PHPVERSION}"
fi
Register --test-no PHP-2368 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP register_globals option"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking PHP register_globals option.."
FIND=`cat ${PHPINIFILE} | egrep -i 'register_globals.*(on|yes|1)' | grep -v '^;'`
if [ ! "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking register_globals option..." --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "PHP option register_globals option is turned on, which can be a risk for variable value overwriting"
ReportSuggestion ${TEST_NO} "Change the register_globals line to: register_globals = Off"
logtext "Result: register_globals option is turned on, which can be a risk for variable value overwriting."
AddHP 1 2
else
Display --indent 4 --text "- Checking register_globals option..." --result OK --color GREEN
logtext "Result: No 'register_globals' found. Most likely it is in disabled state (0, no, or off), which is the default nowadays and considered the safe value."
ReportManual ${TEST_NO}:01
AddHP 2 2
fi
fi
#
#################################################################################
#
# Test : PHP-2372
# Description : Check php expose_php option
# Notes : Extend test to check all PHP files YYY
if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PHP-2372 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP expose_php option"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking expose_php option.."
FIND=`cat ${PHPINIFILE} | egrep -i 'expose_php.*(off|no|0)' | grep -v '^;'`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking expose_php option..." --result ON --color RED
ReportWarning ${TEST_NO} "M" "PHP option expose_php is possibly turned on, which can reveal useful information for attackers."
ReportSuggestion ${TEST_NO} "Change the expose_php line to: expose_php = Off"
report "Result: expose_php option is turned on, which can expose useful information for an attacker"
AddHP 1 2
else
Display --indent 4 --text "- Checking expose_php option..." --result OFF --color GREEN
logtext "Result: Found 'expose_php' in disabled state (0, no, or off)"
AddHP 2 2
fi
#YYY Check through all files
fi
#
#################################################################################
#
# Test : PHP-2374
# Description : Check PHP enable_dl option
# Notes : Extend test to check all PHP files YYY
if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PHP-2374 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP enable_dl option"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking PHP enable_dl option.."
FIND=`cat ${PHPINIFILE} | egrep -i 'enable_dl.*(off|no|0)' | grep -v '^;'`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking enable_dl option..." --result ON --color YELLOW
report "Result: enable_dl option is turned on, which can be used for riskful downloads via PHP"
ReportSuggestion ${TEST_NO} "Change the enable_dl line to: enable_dl = Off, to disable downloads via PHP"
AddHP 0 1
else
Display --indent 4 --text "- Checking enable_dl option..." --result OFF --color GREEN
logtext "Result: Found 'enable_dl' in disabled state (0, no, or off)"
AddHP 2 2
fi
#YYY Check through all files
fi
#
#################################################################################
#
# Test : PHP-2376
# Description : Check PHP allow_url_fopen option
# Notes : Extend test to check all PHP files YYY
if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PHP-2376 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP allow_url_fopen option"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking PHP allow_url_fopen option.."
FIND=`cat ${PHPINIFILE} | egrep -i 'allow_url_fopen.*(off|no|0)' | grep -v '^;'`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking allow_url_fopen option..." --result ON --color YELLOW
report "Result: allow_url_fopen option is turned on, which can be used for riskful downloads via PHP"
ReportSuggestion ${TEST_NO} "Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP"
AddHP 0 1
else
Display --indent 4 --text "- Checking allow_url_fopen option..." --result OFF --color GREEN
logtext "Result: Found 'allow_url_fopen' in disabled state (0, no, or off)"
AddHP 2 2
fi
#YYY Check through all files
fi
#
#################################################################################
#
# Test : PHP-2378
# Description : Check PHP allow_url_include option
# Notes : Extend test to check all PHP files YYY
if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PHP-2378 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP allow_url_include option"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking PHP allow_url_include option.."
FIND=`cat ${PHPINIFILE} | egrep -i 'allow_url_include.*(off|no|0)' | grep -v '^;'`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking allow_url_include option..." --result ON --color YELLOW
report "Result: allow_url_include option is turned on, which can be used for riskful downloads via PHP"
ReportSuggestion ${TEST_NO} "Change the allow_url_include line to: allow_url_include = Off, to disable downloads via PHP"
AddHP 0 1
else
Display --indent 4 --text "- Checking allow_url_include option..." --result OFF --color GREEN
logtext "Result: Found 'allow_url_include' in disabled state (0, no, or off)"
AddHP 2 2
fi
#YYY Check through all files
fi
#
#################################################################################
#
# Disable/use functions:
# safe_mode (only for PHP5?)
# open_basedir (limits access to defined directory, comparable with chrooting)
# disable_classes
# session.save_path
# session.referer_check
# upload_tmp_dir
# file_uploads Off, if possible
# Set display_errors to Off
# Set log_errors to On and define error_log (with value Syslog or a filename)
#
#################################################################################
#
# mod_suexec
# suPHP (/etc/suphp.conf)
#
#################################################################################
#
# Test : PHP-2388
# Description : Check php version number
#
#################################################################################
#
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
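Review bot: in the PHP-2368 prerequisite block the outer `else` branch (the one that logs "Skipping test: php.ini not found, or PHP version empty") never assigns PREQS_MET, so whatever PHP-2320 left in it is handed to `Register --test-no PHP-2368 --preqs-met ${PREQS_MET}`; when PHPINI_ALLFILES was non-empty (from a conf.d directory) but PHPINIFILE is empty, the test runs and `cat ${PHPINIFILE}` is executed with an empty argument. Add `PREQS_MET="NO"` to that branch. Smaller points in the same file: PHP-2372, PHP-2374, PHP-2376 and PHP-2378 write their "Result: ... option is turned on" line with `report` instead of `logtext` (PHP-2368 and the OFF branches use `logtext`), so a free-text line that is not in key=value form ends up in the report file; the enable_dl and allow_url_include branches reuse the allow_url_fopen wording "riskful downloads via PHP" and "to disable downloads via PHP", which does not describe what those two directives control and should be reworded per directive; in PHP-2320 the pattern `"^suhosin.executor.func.blacklist="` allows no whitespace around `=`, unlike the neighbouring `"^disable_functions.*="`, and the log lines in that test say "disabled_functions" while the directive searched is `disable_functions`. The function list logged in PHP-2320 also ends with a stray closing parenthesis and lists proc_open twice. Finally, the conf.d scan in PHP-2211 reuses `I` as both the outer and the inner loop variable (`for I in ${PHPINIDIRS}` ... `for I in ${tFILES}`); it happens to work because the outer word list is expanded once, but a separate inner variable avoids the confusion when reading the "Result: no files found for ${I}" log lines.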


@ -0,0 +1,797 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Ports and packages
#
#################################################################################
#
InsertSection "Ports and packages"
PACKAGE_MGR_PKG=0
PKG_AUDIT_TOOL_FOUND=0
#
#################################################################################
#
Display --indent 2 --text "- Searching package managers..."
# Test : PKGS-7301
# Description : Query FreeBSD pkg
if [ -x /usr/sbin/pkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7301 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query NetBSD pkg"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`pkg -N 2>&1; echo $?`
if [ "${FIND}" = "0" ]; then
Display --indent 4 --text "- Searching packages with pkg..." --result FOUND --color GREEN
report "package_manager[]=pkg"
PACKAGE_MGR_PKG=1
#logtext "Result: Found pkg"
#logtext "Test: Querying pkg to get package list..."
#Display --indent 6 --text "- Querying pkg for installed packages..."
#logtext "Output:"; logtext "-----"
#SPACKAGES=`/usr/sbin/pkg_info 2>&1 | sort | tr -s ' ' | cut -d ' ' -f1 | sed -e 's/^\(.*\)-\([0-9].*\)$/\1,\2/g'`
#for J in ${SPACKAGES}; do
# sPKG_NAME=`echo ${J} | cut -d ',' -f1`
# sPKG_VERSION=`echo ${J} | cut -d ',' -f2`
# logtext "Installed package: ${sPKG_NAME} (version: ${sPKG_VERSION})"
# report "installed_package[]=${sPKG_NAME}|${sPKG_VERSION}|"
#done
else
Display --indent 4 --text "- Searching pkg..." --result "NOT INSTALLED" --color YELLOW
fi
fi
#
#################################################################################
#
# Test : PKGS-7302
# Description : Query FreeBSD/NetBSD pkg_info
if [ -x /usr/sbin/pkg_info ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7302 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query FreeBSD/NetBSD pkg_info"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
Display --indent 4 --text "- Checking pkg_info..." --result FOUND --color GREEN
logtext "Result: Found pkg_info"
report "package_manager[]=pkg_info"
logtext "Test: Querying pkg_info to get package list..."
Display --indent 6 --text "- Querying pkg_info for installed packages..."
logtext "Output:"; logtext "-----"
SPACKAGES=`/usr/sbin/pkg_info 2>&1 | sort | tr -s ' ' | cut -d ' ' -f1 | sed -e 's/^\(.*\)-\([0-9].*\)$/\1,\2/g'`
for J in ${SPACKAGES}; do
N=`expr ${N} + 1`
sPKG_NAME=`echo ${J} | cut -d ',' -f1`
sPKG_VERSION=`echo ${J} | cut -d ',' -f2`
logtext "Installed package: ${sPKG_NAME} (version: ${sPKG_VERSION})"
report "installed_package[]=${sPKG_NAME}|${sPKG_VERSION}|"
done
report "installed_packages=${N}"
fi
#
#################################################################################
#
# Temporary disabled due false positives
# Packages like docbook, gcc, automake report multiple installed versions
# # Test : PKGS-7303
# # Description : Query FreeBSD pkg_info
# if [ -x /usr/sbin/pkg_info ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Register --test-no PKGS-7303 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query FreeBSD for double installed packages"
# if [ ${SKIPTEST} -eq 0 ]; then
# SDOUBLEINSTALLED=`pkg_info | sort | sed -e 's/-[0-9].*$//' | uniq -c | grep -v '^[[:space:]]*1' | tr -s ' ' | cut -d ' ' -f3`
# if [ "${SDOUBLEINSTALLED}" = "" ]; then
# Display --indent 6 --text "- Querying pkg_info for double installed packages..." --result OK --color GREEN
# logtext "Ok, no packages show up twice or more in the package listing."
# else
# Display --indent 6 --text "- Querying pkg_info for double installed packages..." --result WARNING --color RED
# for J in ${SDOUBLEINSTALLED}; do
# ReportWarning ${TEST_NO} "M" "Found probably incorrect installed package (${J})"
# logtext "This package ${J} is visible twice or more in the pkg_info listing."
# ReportSuggestion ${TEST_NO} "(FreeBSD) run pkgdb -F and check this manually."
# ReportSuggestion ${TEST_NO} "(OpenBSD) check dependencies to see if one of the double "
# logtext "installed packages is unneeded."
# report "double_installed_package[]=${J}"
# done
# fi
# else
# Display --indent 4 --text "- Searching pkg_info..." --result "NOT FOUND" --color WHITE
# logtext "Result: pkg_info can NOT be found on this system"
# fi
#
#################################################################################
#
# Test : PKGS-7306
# Description : Solaris packages
if [ -x /usr/bin/pkginfo ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7306 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Querying Solaris packages"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 4 --text "- Searching pkginfo..." --result FOUND --color GREEN
logtext "Result: Found Solaris pkginfo"
report "package_manager[]=pkginfo"
logtext "Test: Querying pkginfo to get package list"
Display --indent 4 --text "- Querying pkginfo for installed packages..."
logtext "Output:"; logtext "-----"
# Strip SUNW from strings
SPACKAGES=`/usr/bin/pkginfo -i | tr -s ' ' | cut -d ' ' -f2 | sed "s#^SUNW##"`
for J in ${SPACKAGES}; do
logtext "Found package ${J}"
report "installed_package[]=${J}||"
done
else
logtext "Result: pkginfo can NOT be found on this system"
fi
#
#
#################################################################################
#
# Test : PKGS-7308
# Description : RPM package based systems
if [ ! "${RPMBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7308 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking package list with RPM"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
Display --indent 4 --text "- Searching RPM package manager..." --result FOUND --color GREEN
logtext "Result: Found rpm binary (${RPMBINARY})"
report "package_manager[]=rpm"
logtext "Test: Querying 'rpm -qa' to get package list"
Display --indent 6 --text "- Querying RPM package manager..."
logtext "Output:"; logtext "--------"
SPACKAGES=`${RPMBINARY} -qa | sort`
if [ "${SPACKAGES}" = "" ]; then
logtext "Result: RPM binary available, but package list seems to be empty"
logtext "Info: looks like the rpm binary is installed, but not used for package installation"
else
for J in ${SPACKAGES}; do
N=`expr ${N} + 1`
logtext "Found package: ${J}"
report "installed_package[]=${J}||"
done
report "installed_packages=${N}"
fi
else
logtext "Result: RPM binary NOT found on this system, test skipped"
fi
#
#################################################################################
#
# Test : PKGS-7310
# Description : pacman package based systems
if [ ! "${PACMANBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7310 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking package list with pacman"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
Display --indent 4 --text "- Searching pacman package manager..." --result FOUND --color GREEN
logtext "Result: Found pacman binary (${PACMANBINARY})"
report "package_manager[]=pacman"
logtext "Test: Querying 'pacman -Q' to get package list"
Display --indent 6 --text "- Querying pacman package manager..."
logtext "Output:"; logtext "--------"
SPACKAGES=`${PACMANBINARY} -Q | sort | sed 's/ /,/g'`
if [ "${SPACKAGES}" = "" ]; then
logtext "Result: pacman binary available, but package list seems to be empty"
logtext "Info: looks like the pacman binary is installed, but not used for package installation"
#YYY ReportException?
else
for J in ${SPACKAGES}; do
N=`expr ${N} + 1`
PACKAGE_NAME=`echo ${J} | awk -F, '{ print $1 }'`
PACKAGE_VERSION=`echo ${J} | awk -F, '{ print $2 }'`
logtext "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
report "installed_package[]=${PACKAGE_NAME}|${PACKAGE_VERSION}|"
done
report "installed_packages=${N}"
fi
else
logtext "Result: pacman binary NOT found on this system, test skipped"
fi
#
#################################################################################
#
# Test : PKGS-7312
# Description : HP-UX packages
# Notes : swlist -l fileset (|grep patch) / print_manifest
#
#################################################################################
#
# Test : PKGS-7316
# Description : AIX patches
# Notes : /usr/sbin/instfix -c -i | cut -d":" -f1
#
#################################################################################
#
# Test : PKGS-7328
# Description : Check installed packages with Zypper
if [ ! "${ZYPPERBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7328 --preqs-met ${PREQS_MET} --weight L --network NO --description "Querying Zypper for installed packages"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
FIND=`${ZYPPERBINARY} se -i | awk '{ if ($1=="i") { print $3 } }'`
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
N=`expr ${N} + 1`
logtext "Installed package: ${I}"
report "installed_package[]=${I}|-|"
done
report "installed_packages=${N}"
else
# Could not find any installed packages
ReportException ${TEST_NO} "No installed packages found with Zypper"
fi
fi
#
#################################################################################
#
# Test : PKGS-7330
# Description : Check vulnerable packages with Zypper
if [ ! "${ZYPPERBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7330 --preqs-met ${PREQS_MET} --weight L --network NO --description "Querying Zypper for vulnerable packages"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${ZYPPERBINARY} lp | ${AWKBINARY} '{ if ($7=="security") { if ($11=="update") { print $13 } else { print $11 } } }' | sed 's/:$//' | grep -v "^$" | sort | uniq`
if [ "${FIND}" = "" ]; then
logtext "Result: No security updates found with Zypper"
Display --indent 2 --text "- Using Zypper to obtain vulnerabile packages" --result NONE --color GREEN
else
Display --indent 2 --text "- Using Zypper to obtain vulnerabilities" --result WARNING --color RED
logtext "Result: Zypper found one or more installed packages which are vulnerable."
ReportWarning ${TEST_NO} "H" "Found one or more vulnerable packages installed"
logtext "List of vulnerable packages/version:"
for I in ${FIND}; do
report "vulnerable_package[]=${I}"
logtext "Vulnerable package: ${I}"
# Decrease hardening points for every found vulnerable package
AddHP 1 2
done
fi
fi
#
#################################################################################
#
# Test : PKGS-7345
# Description : Debian package based systems (dpkg)
if [ -x /usr/bin/dpkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7345 --preqs-met ${PREQS_MET} --weight L --network NO --description "Querying dpkg"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
Display --indent 4 --text "- Searching dpkg package manager" --result FOUND --color GREEN
logtext "Result: Found dpkg binary"
report "package_manager[]=dpkg"
logtext "Test: Querying dpkg -l to get package list"
Display --indent 6 --text "- Querying package manager..."
logtext "Output:"
SPACKAGES=`dpkg -l 2>/dev/null | grep "^ii" | tr -s ' ' | tr ' ' '#' | sort`
for J in ${SPACKAGES}; do
N=`expr ${N} + 1`
PACKAGE_NAME=`echo ${J} | cut -d '#' -f2`
PACKAGE_VERSION=`echo ${J} | cut -d '#' -f3`
logtext "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
report "installed_package[]=${PACKAGE_NAME}|${PACKAGE_VERSION}|"
done
report "installed_packages=${N}"
else
logtext "Result: dpkg can NOT be found on this system, test skipped"
fi
#
#################################################################################
#
# Test : PKGS-7346
# Description : Check packages which are removed, but still own configuration files, cron jobs etc
# Notes : Cleanup: for pkg in `dpkg -l | grep "^rc" | cut -d' ' -f3`; do aptitude purge ${pkg}; done
if [ -x /usr/bin/dpkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7346 --preqs-met ${PREQS_MET} --weight L --network NO --description "Search unpurged packages on system"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
logtext "Test: Querying dpkg -l to get unpurged packages"
SPACKAGES=`dpkg -l 2>/dev/null | grep "^rc" | cut -d ' ' -f3 | sort`
if [ "${SPACKAGES}" = "" ]; then
Display --indent 4 --text "- Query unpurged packages" --result NONE --color GREEN
logtext "Result: no packages found with left overs"
else
Display --indent 4 --text "- Query unpurged packages" --result FOUND --color YELLOW
logtext "Result: found one or more packages with left over configuration files, cron jobs etc"
logtext "Output:"
for J in ${SPACKAGES}; do
N=`expr ${N} + 1`
logtext "Found unpurged package: ${J}"
done
ReportSuggestion ${TEST_NO} "Purge old/removed packages (${N} found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts."
fi
else
logtext "Result: dpkg can NOT be found on this system, test skipped"
fi
#
#################################################################################
# Test : PKGS-7348
# Description : Show unneeded distfiles if present
# Notes : Portsclean seems to be gone from the ports, so no suggestion or warning is
# issued when it's missing.
# Add portmaster --clean-distfiles-all
Register --test-no PKGS-7348 --os FreeBSD --weight L --network NO --description "Check for old distfiles"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -x /usr/local/sbin/portsclean ]; then
FIND=`/usr/local/sbin/portsclean -n -DD | grep 'Delete' | wc -l | tr -d ' '`
if [ ${FIND} -eq 0 ]; then
Display --indent 2 --text "- Checking presence old distfiles" --result OK --color GREEN
logtext "Result: no unused distfiles found"
else
Display --indent 2 --text "- Checking presence old distfiles" --result WARNING --color YELLOW
logtext "Result: found ${FIND} unused distfiles"
ReportSuggestion ${TEST_NO} "Unused distfiles found. Use portsclean to delete these files. For example: portsclean -DD."
fi
fi
fi
#
#################################################################################
#
# Test : PKGS-7378
# Description : Query FreeBSD portmaster for available port upgrades
if [ -x /usr/local/sbin/portmaster ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7378 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query portmaster for port upgrades"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
logtext "Test: Querying portmaster for possible port upgrades"
UPACKAGES=`/usr/local/sbin/portmaster -L | grep "version available" | awk '{ print $5 }'`
for J in ${UPACKAGES}; do
N=`expr ${N} + 1`
logtext "Upgrade available (new version): ${J}"
report "upgrade_available[]=${J}"
done
report "upgrade_available_count=${N}"
if [ ${N} -eq 0 ]; then
logtext "Result: no upgrades found"
Display --indent 2 --text "- Checking portmaster for updates" --result NONE --color GREEN
else
Display --indent 2 --text "- Checking portmaster for updates" --result FOUND --color YELLOW
fi
fi
#
#################################################################################
#
# Test : PKGS-7380
# Description : Check for vulnerable NetBSD packages (with pkg_admin)
Register --test-no PKGS-7381 --os NetBSD --weight L --network NO --description "Check for vulnerable NetBSD packages"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -x /usr/sbin/pkg_admin ]; then
FIND=`/usr/sbin/pkg_admin audit`
PKG_AUDIT_TOOL_FOUND=1
PKG_AUDIT_TOOL="pkg_admin audit"
if [ "${FIND}" = "" ]; then
logtext "Result: pkg audit results are clean"
Display --indent 2 --text "- Checking pkg_admin audit to obtain vulnerable packages" --result NONE --color GREEN
AddHP 2 2
else
Display --indent 2 --text "- Checking pkg_admin audit to obtain vulnerable packages" --result WARNING --color RED
logtext "Result: pkg_admin audit found one or more installed packages which are vulnerable."
ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages."
logtext "List of vulnerable packages/version:"
for I in `/usr/sbin/pkg_admin audit | awk '{ print $2 }' | sort | uniq`; do
report "vulnerable_package[]=${I}"
logtext "Vulnerable package: ${I}"
# Decrease hardening points for every found vulnerable package
AddHP 1 2
done
fi
else
Display --indent 2 --text "- pkg_admin audit not installed" --result "NOT FOUND" --color WHITE
logtext "Result: pkg_admin audit not installed, skipping this vulnerability test."
fi
fi
#
#################################################################################
#
# Test : PKGS-7381
# Description : Check for vulnerable FreeBSD packages (with pkg)
Register --test-no PKGS-7381 --os FreeBSD --weight L --network NO --description "Check for vulnerable FreeBSD packages"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -x /usr/sbin/pkg ]; then
FIND=`/usr/sbin/pkg audit | grep 'problem(s) in your installed packages found' | grep -v '0 problem(s) in your installed packages found'`
PKG_AUDIT_TOOL_FOUND=1
PKG_AUDIT_TOOL="pkg audit"
if [ "${FIND}" = "" ]; then
logtext "Result: pkg audit results are clean"
Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result NONE --color GREEN
# Don't check yet, output of found vulnerable packages unclear (YYY)
else
logtext "Result: ${FIND}"
#Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages..." --result WARNING --color RED
#logtext "Result: pkg audit found one or more installed packages which are vulnerable."
#ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages."
#ReportSuggestion ${TEST_NO} "Update your system with portupgrade or other tools"
#logtext "List of vulnerable packages/version:"
#for I in `/usr/sbin/pkg audit -F | grep "Affected package" | cut -d ' ' -f3 | sort | uniq`; do
# report "vulnerable_package[]=${I}"
# logtext "Vulnerable package: ${I}"
# # Decrease hardening points for every found vulnerable package
# AddHP 1 2
#done
fi
else
Display --indent 2 --text "- pkg audit not installed" --result "NOT FOUND" --color WHITE
logtext "Result: pkg audit not installed, skipping this vulnerability test."
fi
fi
#
#################################################################################
#
# Test : PKGS-7382
# Description : Check for vulnerable FreeBSD packages
Register --test-no PKGS-7382 --os FreeBSD --weight L --network NO --description "Check for vulnerable FreeBSD packages"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -x /usr/local/sbin/portaudit ]; then
PKG_AUDIT_TOOL_FOUND=1
FIND=`/usr/local/sbin/portaudit | grep 'problem(s) in your installed packages found' | grep -v '0 problem(s) in your installed packages found'`
if [ "${FIND}" = "" ]; then
logtext "Result: Portaudit results are clean"
Display --indent 2 --text "- Checking portaudit to obtain vulnerabile packages" --result NONE --color GREEN
else
Display --indent 2 --text "- Checking portaudit to obtain vulnerabilities" --result WARNING --color RED
logtext "Result: Portaudit found one or more installed packages which are vulnerable."
ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages."
ReportSuggestion ${TEST_NO} "Update your system with portupgrade or other tools"
logtext "List of vulnerable packages/version:"
for I in `/usr/local/sbin/portaudit | grep "Affected package" | cut -d ' ' -f3 | sort | uniq`; do
report "vulnerable_package[]=${I}"
logtext "Vulnerable package: ${I}"
# Decrease hardening points for every found vulnerable package
AddHP 1 2
done
fi
else
# Don't advice portaudit anymore, as pkg audit is the replacement (pkgng)
logtext "Result: Portaudit not installed, can't perform vulnerability test."
fi
fi
#
#################################################################################
#
# Test : PKGS-7383
# Description : Check for YUM package Update management
if [ ! "${YUMBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7383 --preqs-met ${PREQS_MET} --os Linux --weight M --network NO --description "Check for YUM package Update management"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: YUM package update management"
sFIND=`${YUMBINARY} repolist 2>/dev/null | grep repolist | sed 's/ //g' | sed 's/[,.]//g' | awk -F ":" '{print $2}'`
if [ "$(echo ${sFIND} | egrep "^[0-9]+$")" -a "${sFIND}" = "0" ]; then
logtext "Result: YUM package update management failed"
Display --indent 2 --text "- Checking YUM package management consistency" --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "YUM is not properly configured or registered for this platform (no repolist found)"
#ReportSuggestion ${TEST_NO} "Check YUM registration for repository configuration (repolist)"
else
logtext "Result: YUM repository available (${sFIND})"
Display --indent 2 --text "- Checking YUM package management consistency" --result OK --color GREEN
fi
fi
#
#################################################################################
#
# Test : PKGS-7384
# Description : Search for YUM utils package
if [ ! "${YUMBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7384 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --description "Check for YUM utils package"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -x /usr/bin/package-cleanup ]; then
logtext "Result: found YUM utils package (/usr/bin/package-cleanup)"
# Check for duplicates
logtext "Test: Checking for duplicate packages"
FIND=`/usr/bin/package-cleanup -q --dupes > /dev/null; echo $?`
if [ "${FIND}" = "0" ]; then
logtext "Result: No duplicate packages found"
Display --indent 2 --text "- Checking package database duplicates" --result OK --color GREEN
else
logtext "Result: One or more duplicate packages found"
Display --indent 2 --text "- Checking package database duplicates" --result WARNING --color RED
ReportWarning ${TEST_NO} "L" "Found one or more duplicate packages installed"
ReportSuggestion ${TEST_NO} "Run package-cleanup to solve duplicate package problems"
fi
# Check for package database problems
logtext "Test: Checking for database problems"
FIND=`/usr/bin/package-cleanup --problems > /dev/null; echo $?`
if [ "${FIND}" = "0" ]; then
logtext "Result: No package database problems found"
Display --indent 2 --text "- Checking package database for problems" --result OK --color GREEN
else
logtext "Result: One or more problems found in package database"
Display --indent 2 --text "- Checking package database for problems" --result WARNING --color RED
ReportWarning ${TEST_NO} "L" "Found one or more problems in the package database"
ReportSuggestion ${TEST_NO} "Run package-cleanup to solve package problems"
fi
else
Display --indent 2 --text "- yum-utils package not installed" --result SUGGESTION --color YELLOW
logtext "Result: YUM utils package not found"
ReportSuggestion ${TEST_NO} "Install package 'yum-utils' for better consistency checking of the package database"
fi
fi
#
#################################################################################
#
# Test : PKGS-7386
# Description : Search for YUM security package
# Notes : This test does not apply to CentOS and clones, as --security is not available
if [ -x /usr/bin/yum ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7386 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --description "Check for YUM security package"
if [ ${SKIPTEST} -eq 0 ]; then
DO_TEST=0
logtext "Test: Determining if yum-security package installed"
FileExists /etc/yum/pluginconf.d/security.conf
if [ ${FILE_FOUND} -eq 1 ]; then
SearchItem "^enabled=1$" "/etc/yum/pluginconf.d/security.conf"
if [ ${ITEM_FOUND} -eq 1 ]; then
DO_TEST=1
fi
else
# Check if it's installed as package (this is old style)
FIND=`rpm -q yum-security yum-plugin-security | grep -v "not installed"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found yum-plugin-security package"
DO_TEST=1
fi
fi
# If we have the module of yum active, continue.
if [ ${DO_TEST} -eq 1 ]; then
PKG_AUDIT_TOOL_FOUND=1
PKG_AUDIT_TOOL="yum-security"
logtext "Test: Checking for vulnerable packages"
FIND2=`/usr/bin/yum list-sec security | awk '{ if($2=="security") print $3","$5 }'`
if [ "${FIND2}" = "" ]; then
logtext "Result: no vulnerable packages found"
Display --indent 2 --text "- Checking missing security packages" --result OK --color GREEN
else
logtext "Result: found vulnerable package(s)"
Display --indent 2 --text "- Checking missing security packages" --result WARNING --color RED
for I in ${FIND2}; do
report "vulnerable_package[]=${I}"
logtext "Vulnerable package: ${I}"
AddHP 1 2
done
ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages."
ReportSuggestion ${TEST_NO} "Use 'yum --security update' to update your system"
fi
else
logtext "Result: yum-security package not found"
Display --indent 2 --text "- Checking missing security packages" --result SKIPPED --color YELLOW
ReportSuggestion ${TEST_NO} "Install package yum-plugin-security if possible, to maintain security updates easier (yum install yum-plugin-security)"
fi
fi
#
#################################################################################
#
# Test : PKGS-7387
# Description : Search for YUM GPG check
if [ -x /usr/bin/yum ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7387 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --description "Check for GPG signing in YUM security package"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
FileExists /etc/yum.conf
if [ ${FILE_FOUND} -eq 1 ]; then
SearchItem "^gpgenabled=1$" "/etc/yum.conf"; if [ ${ITEM_FOUND} -eq 1 ]; then FOUND=1; fi
SearchItem "^gpgcheck=1$" "/etc/yum.conf"; if [ ${ITEM_FOUND} -eq 1 ]; then FOUND=1; fi
if [ ${FOUND} -eq 1 ]; then
logtext "Result: GPG check is enabled"
Display --indent 2 --text "- Checking GPG checks (yum.conf)" --result OK --color GREEN
else
Display --indent 2 --text "- Checking GPG checks (yum.conf)" --result DISABLED --color RED
ReportWarning ${TEST_NO} "M" "No GPG signing option found in yum.conf"
fi
fi
fi
#
#################################################################################
#
# Test : PKGS-7388
# Description : Check security repository in Debian/ubuntu apt sources.list file
Register --test-no PKGS-7388 --os Linux --weight L --network NO --description "Check security repository in Debian/ubuntu apt sources.list file"
if [ $SKIPTEST -eq 0 ]; then
FOUND=0
if [ -f /etc/apt/sources.list -o -d /etc/apt/sources.list.d ]; then
if [ ! "${OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY}" = "yes" ]; then
if [ -f /etc/apt/sources.list ]; then
logtext "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list file"
FIND=`egrep "security.debian.org|security.ubuntu.com|-security " /etc/apt/sources.list | grep -v '#' | sed 's/ /!space!/g'`
if [ ! "${FIND}" = "" ]; then
FOUND=1
Display --indent 2 --text "- Checking security repository in sources.list file" --result OK --color GREEN
logtext "Result: Found security repository in /etc/apt/sources.list"
for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'`
logtext "Output: ${I}"
done
fi
fi
if [ -d /etc/apt/sources.list.d ]; then
logtext "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list.d directory"
FIND=`egrep "security.debian.org|security.ubuntu.com|-security " /etc/apt/sources.list.d/* | grep -v '#' | sed 's/ /!space!/g'`
if [ ! "${FIND}" = "" ]; then
FOUND=1
Display --indent 2 --text "- Checking security repository in sources.list.d directory" --result OK --color GREEN
logtext "Result: Found security repository in one or more files in directory /etc/apt/sources.list.d"
for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'`
logtext "Output: ${I}"
done
fi
fi
if [ ${FOUND} -eq 1 ]; then
logtext "Result: security repository was found"
AddHP 3 3
else
Display --indent 2 --text "- Checking security repository in sources.list file or directory" --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "Can't find any security repository in /etc/apt/sources.list or sources.list.d directory"
AddHP 0 3
fi
else
logtext "Skipped as option is set to ignore security repository"
fi
else
logtext "Result: skipping test as sources.list or sources.list.d is not found"
fi
fi
#
#################################################################################
#
# Test : PKGS-7390
# Description : Check Ubuntu database consistency
if [ "${LINUX_VERSION}" = "Ubuntu" -a -x /usr/bin/apt-get ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7390 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Ubuntu database consistency"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Package database consistency by running apt-get check"
FIND=`/usr/bin/apt-get -q=2 check; echo $?`
if [ "${FIND}" = "0" ]; then
Display --indent 2 --text "- Checking APT package database..." --result OK --color GREEN
logtext "Result: package database seems to be consistent."
else
logtext "Result: package database is most likely NOT consistent"
Display --indent 2 --text "- Checking APT package database..." --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "apt-get check returned a non successful exit code."
ReportSuggestion ${TEST_NO} "Run apt-get to perform a manual package database consistency check."
fi
fi
#
#################################################################################
#
# Test : PKGS-7392
# Description : Check Debian/Ubuntu vulnerable packages
if [ -x /usr/bin/apt-get ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7392 --os Linux --preqs-met ${PREQS_MET} --weight L --network YES --description "Check for Debian/Ubuntu security updates"
if [ ${SKIPTEST} -eq 0 ]; then
VULNERABLE_PACKAGES_FOUND=0
SCAN_PERFORMED=0
# Update the repository, outdated repositories don't give much information
logtext "Action: updating repository with apt-get"
/usr/bin/apt-get -q=2 update
logtext "Result: apt-get finished"
logtext "Action: Checking if /usr/lib/update-notifier/apt-check exists"
if [ -x /usr/lib/update-notifier/apt-check ]; then
PKG_AUDIT_TOOL_FOUND=1
PKG_AUDIT_TOOL="apt-check"
logtext "Result: found /usr/lib/update-notifier/apt-check"
logtext "Action: checking if any of the updates contain security updates"
FIND=`/usr/lib/update-notifier/apt-check --human-readable | grep "are security updates" | awk -F" " '{ print $1 }'`
# Check if we get the proper line back and amount of security patches available
if [ "${FIND}" = "" ]; then
logtext "Result: did not find security updates line"
ReportSuggestion ${TEST_NO} "Check if system is up-to-date, security updates test gives an unexpected result"
else
if [ "${FIND}" = "0" ]; then
logtext "Result: no vulnerable packages found via apt-check"
SCAN_PERFORMED=1
else
VULNERABLE_PACKAGES_FOUND=1
SCAN_PERFORMED=1
logtext "Result: found ${FIND} security updates via apt-check"
AddHP 0 25
fi
fi
else
logtext "Result: apt-check (update-notifier-common) not found"
fi
# Trying also with apt-get directly (does not always work, as updates are distributed on both -security and -updates)
# Show packages which would be upgraded and match 'security' in repository name
FIND=`/usr/bin/apt-get --dry-run --show-upgraded upgrade | grep '-security' | grep "^Inst" | cut -d ' ' -f2 | sort | uniq`
if [ ! "${FIND}" = "" ]; then
#Display --indent 2 --text "- Checking vulnerable packages..." --result WARNING --color RED
VULNERABLE_PACKAGES_FOUND=1
SCAN_PERFORMED=1
logtext "Result: found vulnerable package(s) via apt-get (-security channel)"
PKG_AUDIT_TOOL="apt-get"
PKG_AUDIT_TOOL_FOUND=1
for I in ${FIND}; do
logtext "Found vulnerable package: ${I}"
report "vulnerable_package[]=${I}"
done
fi
if [ ${SCAN_PERFORMED} -eq 1 ]; then
if [ ${VULNERABLE_PACKAGES_FOUND} -eq 1 ]; then
ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages."
ReportSuggestion ${TEST_NO} "Update your system with apt-get update, apt-get upgrade, apt-get dist-upgrade and/or unattended-upgrades"
Display --indent 2 --text "- Checking vulnerable packages..." --result WARNING --color RED
else
Display --indent 2 --text "- Checking vulnerable packages..." --result OK --color GREEN
logtext "Result: no vulnerable packages found"
fi
else
Display --indent 2 --text "- Checking vulnerable packages (apt-get only)..." --result DONE --color GREEN
logtext "Result: test not fully executed (missing apt-check output)"
fi
fi
#
#################################################################################
#
# Test : PKGS-7394
# Description : Check Ubuntu upgradeable packages
if [ "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7394 --os Linux --preqs-met ${PREQS_MET} --weight L --network YES --description "Check for Ubuntu updates"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking /usr/bin/apt-show-versions"
if [ -x /usr/bin/apt-show-versions ]; then
logtext "Result: found /usr/bin/apt-show-versions"
logtext "Test: Checking packages which can be upgraded via apt-show-versions"
FIND=`/usr/bin/apt-show-versions -u | sed 's/ /!space!/g'`
if [ "${FIND}" = "" ]; then
logtext "Result: no packages found which can be upgraded"
Display --indent 2 --text "- Checking upgradeable packages..." --result NONE --color GREEN
AddHP 3 3
else
logtext "Result: found one or more packages which can be upgraded"
Display --indent 2 --text "- Checking upgradeable packages..." --result FOUND --color YELLOW
# output: program/repository upgradeable from version X to Y
for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'`
logtext "${I}"
done
fi
else
logtext "Result: /usr/bin/apt-show-versions not found"
Display --indent 2 --text "- Checking upgradeable packages..." --result SKIPPED --color WHITE
ReportSuggestion ${TEST_NO} "Install package apt-show-versions for patch management purposes"
fi
fi
#
#################################################################################
#
# Test : PKGS-7398
# Description : Check package audit tool
Register --test-no PKGS-7398 --weight L --network YES --description "Check for package audit tool"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking for package audit tool"
if [ ${PKG_AUDIT_TOOL_FOUND} -eq 0 ]; then
Display --indent 2 --text "- Checking package audit tool..." --result NONE --color RED
ReportSuggestion ${TEST_NO} "Install a package audit tool to determine vulnerable packages"
logtext "Result: no package audit tool found"
else
Display --indent 2 --text "- Checking package audit tool..." --result INSTALLED --color GREEN
Display --indent 4 --text "Found: ${PKG_AUDIT_TOOL}"
logtext "Result: found package audit tool: ${PKG_AUDIT_TOOL}"
fi
fi
#
#################################################################################
#
# check for popularity-contest (Debian/Ubuntu)
# check for yum-changelog
report "pkg_audit_tool=${PKG_AUDIT_TOOL}"
report "pkg_audit_tool_found=${PKG_AUDIT_TOOL_FOUND}"
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
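Review bot: in PKGS-7383 an empty ${sFIND} (yum repolist printing no repolist line, or failing outright, since its stderr goes to /dev/null) does not satisfy the `-a` condition and falls into the else branch, so a broken or unregistered yum is logged as `Result: YUM repository available ()` and displayed as OK; treat the empty case like `0`, e.g. `if [ "${sFIND}" = "" -o "${sFIND}" = "0" ]; then`, or report an exception for it. In PKGS-7387 the anchored patterns `^gpgenabled=1$` and `^gpgcheck=1$` miss the `gpgcheck = 1` spelling with spaces, only /etc/yum.conf is inspected so repository-level overrides elsewhere go unchecked, and there is no else branch for `FILE_FOUND`, so a system without /etc/yum.conf prints no result line for this test at all.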


@ -0,0 +1,215 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Printers and spools
#
#################################################################################
#
CUPSD_CONFIG_LOCS="/etc/cups /usr/local/etc/cups"
CUPSD_CONFIG_FILE=""
CUPSD_RUNNING=0
CUPSD_FOUND=0
LPD_RUNNING=0
PRINTING_DAEMON=""
#
#################################################################################
#
InsertSection "Printers and Spools"
#
#################################################################################
#
# Test : PRNT-2302
# Description : Check printcap file consistency
Register --test-no PRNT-2302 --os FreeBSD --weight L --network NO --description "Check for available accounting information"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching /usr/sbin/chkprintcap"
if [ ! -f /usr/sbin/chkprintcap ]; then
Display --indent 2 --text "- Checking chkprintcap..." --result "NOT FOUND" --color WHITE
logtext "Result: /usr/sbin/chkprintcap NOT found, test skipped."
else
logtext "Result: /usr/sbin/chkprintcap found"
FIND=`/usr/sbin/chkprintcap > /dev/null ; echo $?`
# Only an exit code of zero should come back. Use string instead of integer, due unexpected trash
if [ "${FIND}" = "0" ]; then
Display --indent 2 --text "- Integrity check of printcap file" --result OK --color GREEN
logtext "Result: chkprintcap did NOT gave any warnings"
else
Display --indent 2 --text "- Integrity check of printcap file" --result WARNING --color RED
ReportSuggestion ${TEST_NO} "Run chkprintcap manually to test printcap file"
logtext "Output from chkprintcap: ${FIND}"
logtext "Run chkprintcap and check the /etc/printcap file."
fi
fi
fi
#
#################################################################################
#
# Test : PRNT-2304
# Description : Check cupsd status
Register --test-no PRNT-2304 --weight L --network NO --description "Check cupsd status"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking cupsd status"
FIND=`${PSBINARY} ax | grep "cupsd" | grep -v "grep" | grep -v apcupsd`
if [ ! "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking cups daemon..." --result RUNNING --color GREEN
logtext "Result: cups daemon running"
CUPSD_RUNNING=1; PRINTING_DAEMON="cups"
else
Display --indent 2 --text "- Checking cups daemon..." --result "NOT FOUND" --color WHITE
logtext "Result: cups daemon not running, cups daemon tests skipped"
fi
fi
#
#################################################################################
#
# Test : PRNT-2306
# Description : Check CUPSd configuration file
if [ ${CUPSD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PRNT-2306 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check CUPSd configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching cupsd configuration file"
for I in ${CUPSD_CONFIG_LOCS}; do
if [ -f ${I}/cupsd.conf ]; then
CUPSD_CONFIG_FILE="${I}/cupsd.conf"
logtext "Result: found ${CUPSD_CONFIG_FILE}"
fi
done
if [ ! "${CUPSD_CONFIG_FILE}" = "" ]; then
Display --indent 2 --text "- Checking CUPS configuration file..." --result OK --color GREEN
logtext "Result: configuration file found (${CUPSD_CONFIG_FILE})"
CUPSD_FOUND=1
else
Display --indent 2 --text "- Checking CUPS configuration file..." --result "NOT FOUND" --color RED
logtext "Result: configuration file not found"
logtext "Development: no CUPS configuration file found"
fi
fi
#
#################################################################################
#
# Test : PRNT-2307
# Description : Check CUPSd configuration file permissions
if [ ${CUPSD_FOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PRNT-2307 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check CUPSd configuration file permissions"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking CUPS configuration file permissions"
FIND=`ls -l ${CUPSD_CONFIG_FILE} | cut -c 2-10`
logtext "Result: found ${FIND}"
if [ "${FIND}" = "r--------" -o "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" ]; then
Display --indent 4 --text "- File permissions" --result "OK" --color GREEN
AddHP 1 1
else
Display --indent 4 --text "- File permissions" --result "WARNING" --color RED
ReportSuggestion ${TEST_NO} "Access to CUPS configuration could be more strict."
AddHP 1 2
fi
fi
#
#################################################################################
#
# Test : PRNT-2308
# Description : Check CUPS daemon network configuration
if [ ${CUPSD_FOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PRNT-2308 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check CUPSd network configuration"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
# Checking network addresses
logtext "Test: Checking CUPS daemon listening network addresses"
FIND=`grep "^Listen" ${CUPSD_CONFIG_FILE} | grep -v "/" | awk '{ print $2 }'`
N=0
for I in ${FIND}; do
logtext "Found network address: ${I}"
N=`expr ${N} + 1`
FOUND=1
done
if [ ${FOUND} -eq 0 ]; then
ReportException "${TEST_NO}:1" "No listen statement found in CUPS configuration file"
fi
# Check if daemon is only running on localhost
if [ ${N} -eq 1 ]; then
if [ "${FIND}" = "localhost:631" -o "${FIND}" = "127.0.0.1:631" ]; then
logtext "Result: CUPS daemon only running on localhost"
AddHP 2 2
else
logtext "Result: CUPS daemon running on one or more interfaces (not limited to localhost)"
ReportSuggestion ${TEST_NO} "Check CUPS configuration if it really needs to listen on the network"
AddHP 1 2
fi
else
logtext "Result: CUPS daemon is running on several network addresses"
ReportSuggestion ${TEST_NO} "Check CUPS configuration if it really needs to run on several network addresses"
AddHP 1 2
fi
# Checking sockets
logtext "Test: Checking cups daemon listening sockets"
FIND=`grep "^Listen" ${CUPSD_CONFIG_FILE} | grep "/" | awk '{ print $2 }'`
for I in ${FIND}; do
logtext "Found socket address: ${I}"
N=`expr ${N} + 1`
done
if [ ${N} -eq 0 ]; then
Display --indent 2 --text "- Checking CUPS addresses/sockets..." --result "NONE" --color WHITE
logtext "Result: no addresses found on which CUPS daemon is listening"
else
Display --indent 2 --text "- Checking CUPS addresses/sockets..." --result "FOUND" --color GREEN
logtext "Result: CUPS daemon is listening on network/socket"
fi
fi
#
#################################################################################
#
# Test : PRNT-2314
# Description : Check lpd status
Register --test-no PRNT-2314 --weight L --network NO --description "Check lpd status"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking lpd status"
IsRunning lpd
if [ ${RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking lp daemon" --result RUNNING --color GREEN
logtext "Result: lp daemon running"
LPD_RUNNING=1; PRINTING_DAEMON="lp"
else
Display --indent 2 --text "- Checking lp daemon" --result "NOT RUNNING" --color WHITE
logtext "Result: lp daemon not running"
AddHP 4 4
fi
fi
#
#################################################################################
#
# Test : PRNT-23xx
# Description : Test Linux printcap file
#if [ ${CUPSD_RUNNING} -eq 1 -a ! "${CUPSD_CONFIG_FILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no PRNT-23xx--preqs-met ${PREQS_MET} --weight L --network NO --description "Check cupsd address configuration"
#if [ ${SKIPTEST} -eq 0 ]; then
#if [ "${OS}" = "Linux" ]; then
# echo " - Testing printcap file... [Test not implemented yet]"
# # Check printcap with checkpc command
#fi
#
#################################################################################
#
report "printing_daemon=${PRINTING_DAEMON}"
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
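Review bot: in PRNT-2308 the `if [ ${N} -eq 1 ]` block under the "Check if daemon is only running on localhost" comment has no case for N=0: when no `Listen` line with a network address is found, FOUND stays 0, an exception is reported, and the else branch then still logs `CUPS daemon is running on several network addresses` and adds a suggestion for it; guard the block with `if [ ${FOUND} -eq 1 ]` before distinguishing one address from several. Also in PRNT-2307 the accepted permission list (`r--------`, `rw-------`, `rw-rw----`) rejects the stricter `rw-r-----` while accepting group-writable `rw-rw----`, so the suggestion text "could be more strict" does not match what the check enforces. Finally, the Register line of PRNT-2302 describes the test as "Check for available accounting information", which does not match its "Check printcap file consistency" description comment.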

234
include/tests_scheduling Normal file

@ -0,0 +1,234 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Scheduled tasks
#
#################################################################################
#
InsertSection "Scheduled tasks"
#
#################################################################################
#
ATD_RUNNING=0
#
#################################################################################
#
# Test : SCHD-7704
# Description : Check crontab / cronjobs
Register --test-no SCHD-7704 --weight L --network NO --description "Check crontab/cronjobs"
if [ ${SKIPTEST} -eq 0 ]; then
FindCronJob()
{
sCRONJOBS=`egrep '^([0-9*])' $1 | tr '\t' ' ' | tr -s ' ' | tr ' ' ','`
}
if [ -f /etc/crontab ]; then
FindCronJob /etc/crontab
for I in ${sCRONJOBS}; do
logtext "Found cronjob (/etc/crontab): ${I}"
report "cronjob[]=${I}"
done
fi
CRON_DIRS="/etc/cron.d"
for I in ${CRON_DIRS}; do
logtext "Test: checking directory ${I}"
if [ -d ${I} ]; then
logtext "Result: found directory ${I}"
logtext "Test: searching files in ${I}"
FIND=`find ${I} -type f -print`
if [ "${FIND}" = "" ]; then
logtext "Result: no files found in ${I}"
else
logtext "Result: found one or more files in ${I}. Analyzing files.."
for J in ${FIND}; do
FindCronJob ${J}
for K in ${sCRONJOBS}; do
logtext "Result: Found cronjob (${I}): ${K}"
done
done
logtext "Result: done with analyzing files in ${I}"
fi
else
logtext "Result: directory ${I} does not exist"
fi
done
CRON_DIRS="/etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly"
for I in ${CRON_DIRS}; do
logtext "Test: checking directory ${I}"
if [ -d ${I} ]; then
logtext "Result: found directory ${I}"
logtext "Test: searching files in ${I}"
FIND=`find ${I} -type f -print | grep -v ".placeholder"`
if [ "${FIND}" = "" ]; then
logtext "Result: no files found in ${I}"
else
logtext "Result: found one or more files in ${I}. Analyzing files.."
for J in ${FIND}; do
logtext "Result: Found cronjob (${I}): ${J}"
report "cronjob[]=${J}"
done
logtext "Result: done with analyzing files in ${I}"
fi
else
logtext "Result: directory ${I} does not exist"
fi
done
# /var/spool/cron/* and /var/spool/cron/crontabs/*
# Search only in one tree, to avoid searching the tree twice
if [ -d /var/spool/cron/crontabs ]; then
FIND=`find /var/spool/cron/crontabs -type f -print`
for I in ${FIND}; do
FindCronJob ${I}
for J in ${sCRONJOBS}; do
logtext "Found cronjob (/var/spool/cron/crontabs): ${I} (${J})"
report "cronjob[]=${I}"
done
done
else
if [ -d /var/spool/cron ]; then
FIND=`find /var/spool/cron -type f -print`
for I in ${FIND}; do
FindCronJob ${I}
for J in ${sCRONJOBS}; do
logtext "Found cronjob (/var/spool/cron): ${I} (${J})"
logtext "cronjob[]=${I}"
done
done
fi
fi
# Anacron
if [ "${OS}" = "Linux" ]; then
if [ -f /etc/anacrontab ]; then
logtext "Test: checking anacrontab"
sANACRONJOBS=`egrep '^([0-9@])' /etc/anacrontab | tr '\t' ' ' | tr -s ' ' | tr ' ' ','`
for J in ${sANACRONJOBS}; do
logtext "Found anacron job (/etc/anacrontab): ${J}"
report "cronjob[]=${J}"
done
fi
fi
Display --indent 2 --text "- Checking crontab/cronjob" --result DONE --color GREEN
fi
#
#################################################################################
#
# Test : SCHD-7718
# Description : Check atd status
Register --test-no SCHD-7718 --weight L --network NO --description "Check at users"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking atd status"
FIND=`${PSBINARY} ax | grep "/atd" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: at daemon active"
Display --indent 2 --text "- Checking atd status" --result RUNNING --color GREEN
ATD_RUNNING=1
else
logtext "Result: at daemon not active"
Display --indent 2 --text "- Checking atd status" --result "NOT RUNNING" --color WHITE
fi
fi
#
#################################################################################
#
# Test : SCHD-7720
# Description : Check at users
# Notes : if at.allow exists, only users listed can schedule at jobs
# if at.allow does not exist, but at.deny does, everyone
# except the listed ones can schedule jobs. If both can't be
# found, only root can schedule jobs.
if [ ${ATD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SCHD-7720 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check at users"
if [ ${SKIPTEST} -eq 0 ]; then
AT_UNKNOWN=0
case ${OS} in
FreeBSD) AT_ALLOW="/var/at/at.allow"; AT_DENY="/var/at/at.deny" ;;
HPUX) AT_ALLOW="/usr/lib/cron/at.allow"; AT_DENY="/usr/lib/cron/at.deny" ;;
Linux) AT_ALLOW="/etc/at.allow"; AT_DENY="/etc/at.deny" ;;
OpenBSD) AT_ALLOW="/var/cron/at.allow"; AT_DENY="/var/cron/at.deny" ;;
SunOS) AT_ALLOW="/etc/cron.d/at.allow"; AT_DENY="/etc/cron.d/at.deny" ;;
*) AT_UNKNOWN=1; logtext "Test skipped, files for at unknown" ;;
esac
if [ ${AT_UNKNOWN} -eq 0 ]; then
logtext "Test: checking for file ${AT_ALLOW}"
if [ -f ${AT_ALLOW} ]; then
logtext "Result: file ${AT_ALLOW} exists, only listed users can schedule at jobs"
FIND=`cat ${AT_ALLOW} | sort`
if [ "${FIND}" = "" ]; then
logtext "Result: File empty, no users are allowed to schedule at jobs"
else
for I in ${FIND}; do
logtext "Allowed at user: ${I}"
done
fi
else
logtext "Result: file ${AT_ALLOW} does not exist"
logtext "Test: checking for file ${AT_DENY}"
if [ -f ${AT_DENY} ]; then
logtext "Result: file ${AT_DENY} exists, only non listed users can schedule at jobs"
FIND=`cat ${AT_DENY} | sort`
if [ "${FIND}" = "" ]; then
logtext "Result: file is empty, no users are denied access to schedule jobs"
else
for I in ${FIND}; do
logtext "Denied at user: ${I}"
done
fi
else
logtext "Result: both ${AT_ALLOW} and ${AT_DENY} do not exist"
logtext "Note: only root can schedule at jobs"
fi
fi
Display --indent 4 --text "- Checking at users" --result DONE --color GREEN
else
Display --indent 4 --text "- Checking at users" --result SKIPPED --color YELLOW
fi
fi
#
#################################################################################
#
# Test : SCHD-7724
# Description : Check scheduled at jobs
if [ ${ATD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SCHD-7724 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check at jobs"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Check scheduled at jobs"
FIND=`atq | grep -v "no files in queue" | ${AWKBINARY} '{gsub("\t"," ");print}' | sed 's/ /!space!/g'`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found one or more jobs"
for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'`
logtext "Found at job: ${I}"
done
Display --indent 4 --text "- Checking at jobs" --result FOUND --color GREEN
else
logtext "Result: no pending at jobs"
Display --indent 4 --text "- Checking at jobs" --result NONE --color GREEN
fi
fi
#
#################################################################################
#
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
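Review bot: in SCHD-7704 the /var/spool/cron branch (the else for a missing /var/spool/cron/crontabs directory) calls `logtext "cronjob[]=${I}"` where the crontabs branch just above calls `report "cronjob[]=${I}"`, so on systems that use /var/spool/cron directly no user cron job reaches the report file; change it to `report "cronjob[]=${I}"`. In the same test the /etc/cron.d loop only logs the jobs it finds and never calls `report`, unlike the /etc/crontab and cron.hourly/daily/weekly/monthly loops, and `FindCronJob` matches only lines starting with a digit or `*`, so `@reboot`/`@daily` style entries (which the anacron pattern `^([0-9@])` does accept) are silently skipped. The Register line of SCHD-7718 reads "Check at users" while the test checks atd status.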

216
include/tests_shells Normal file

@ -0,0 +1,216 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Shells
#
#################################################################################
#
IDLE_TIMEOUT=0
InsertSection "Shells"
#
#################################################################################
#
# bash
# Files (interactive login shells): /etc/profile $HOME/.bash_profile
# $HOME/.bash_login $HOME/.profile
# Files (interactive non-login shells): $HOME/.bash_rc
# csh/tcsh
# Files: /etc/csh.cshrc /etc/csh.login
# zsh
# Files: /etc/zshenv /etc/zsh/zshenv $HOME/.zshenv /etc/zprofile
# /etc/zsh/zprofile $HOME/.zprofile /etc/zshrc /etc/zsh/zshrc
# $ZDOTDIR/.zshrc /etc/zlogin /etc/zsh/zlogin
SHELL_LOGIN_FILES="/etc/csh.cshrc /etc/csh.login /etc/zshenv /etc/zsh/zshenv
/etc/zprofile /etc/zsh/zprofile /etc/zshrc /etc/zsh/zshrc
/etc/zlogin /etc/zsh/zlogin"
#
#################################################################################
#
# Test : SHLL-6202
# Description : check all console TTYs in which root user can enter single user mode without password
Register --test-no SHLL-6202 --os FreeBSD --weight L --network NO --description "Check console TTYs"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking console TTYs..."
FIND=`cat /etc/ttys | egrep '^console' | grep -v 'insecure'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking console TTYs... " --result OK --color GREEN
logtext "Result: console is secured against single user mode without password."
else
Display --indent 2 --text "- Checking console TTYs... " --result WARNING --color RED
logtext "Result: Found insecure console in /etc/ttys. Single user mode login without password allowed!"
logtext "Output /etc/ttys:"
logtext "${FIND}"
ReportWarning ${TEST_NO} "M" "Found unprotected console in /etc/ttys"
#ReportSuggestion ${TEST_NO} "Change the console line from 'secure' to 'insecure'."
fi
fi
#
#################################################################################
#
# Test : SHLL-6214
# Description : check for idle session killing tools (timeoutd)
#
#################################################################################
#
# Test : SHLL-6211
# Description : which shells are available according /etc/shells
Register --test-no SHLL-6211 --weight L --network NO --description "Checking available and valid shells"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching for /etc/shells..."
if [ -f /etc/shells ]; then
logtext "Result: Found /etc/shells file"
logtext "Test: Reading available shells from /etc/shells"
SSHELLS=`cat /etc/shells | grep "^/"`
CSSHELLS=0; CSSHELLS_ALL=0
Display --indent 2 --text "- Checking shells from /etc/shells..."
for I in ${SSHELLS}; do
CSSHELLS_ALL=`expr ${CSSHELLS_ALL} + 1`
report "available_shell[]=${I}"
# YYY add check for symlinked shells
if [ -f ${I} ]; then
logtext "Found installed shell: ${I}"
CSSHELLS=`expr ${CSSHELLS} + 1`
else
logtext "Shell ${I} not installed. Probably a dummy or non existing shell."
fi
done
Display --indent 4 --text "Result: found ${CSSHELLS_ALL} shells (valid shells: ${CSSHELLS})."
else
logtext "Result: /etc/shells not found, skipping test"
fi
fi
#
#################################################################################
#
# Test : SHLL-6220
# Description : check for idle session killing tools or settings
Register --test-no SHLL-6220 --weight L --network NO --description "Checking available and valid shells"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Search for session timeout tools or settings in shell"
IsRunning timeoutd
if [ ${RUNNING} -eq 1 ]; then
IDLE_TIMEOUT=1
logtext "Result: found timeoutd process to kill idle sesions"
report="session_timeout_method=timeout daemon"
fi
IsRunning autolog
if [ ${RUNNING} -eq 1 ]; then
IDLE_TIMEOUT=1
logtext "Result: found autolog process to kill idle sesions"
report="session_timeout_method[]=autolog"
fi
if [ -f /etc/profile ]; then
FIND=`cat /etc/profile | grep '\(export[ \t]*\)\?TMOUT=' | tr -d ' ' | tr -d '\t' | grep -v "^#" | sed 's/export//' | sed 's/#.*//'`
if [ ! "${FIND}" = "" ]; then
N=0; IDLE_TIMEOUT=1
for I in ${FIND}; do
logtext "Output: ${I}"
N=`expr ${N} + 1`
done
if [ ${N} -eq 1 ]; then
logtext "Result: found TMOUT value configured in /etc/profile"
else
logtext "Result: found several TMOUT values configured in /etc/profile"
fi
report "session_timeout_method[]=profile"
else
logtext "Result: could not find TMOUT setting in /etc/profile"
fi
else
logtext "Result: skip /etc/profile test, file not available on this system"
fi
if [ -d /etc/profile.d ]; then
FIND=`cat /etc/profile.d/*.sh 2> /dev/null | grep '\(export[ \t]*\)\?TMOUT=' | tr -d ' ' | tr -d '\t' | grep -v "^#" | sed 's/export//' | sed 's/#.*//'`
if [ ! "${FIND}" = "" ]; then
N=0; IDLE_TIMEOUT=1
for I in ${FIND}; do
logtext "Output: ${I}"
N=`expr ${N} + 1`
done
if [ ${N} -eq 1 ]; then
logtext "Result: found TMOUT value configured in one of the files in /etc/profile.d directory"
else
logtext "Result: found several TMOUT values configured in one of the files in /etc/profile.d directory"
fi
report "session_timeout_method[]=profile"
else
logtext "Result: could not find TMOUT setting in /etc/profile.d/*.sh"
fi
else
logtext "Result: skip /etc/profile.d directory test, directory not available on this system"
fi
if [ ${IDLE_TIMEOUT} -eq 1 ]; then
Display --indent 4 --text "- Session timeout settings/tools" --result "FOUND" --color GREEN
AddHP 3 3
else
Display --indent 4 --text "- Session timeout settings/tools" --result "NONE" --color YELLOW
AddHP 1 3
fi
fi
#
#################################################################################
#
# Test : SHLL-6236
# Description : Check /etc/profile
#
#################################################################################
#
# Test : SHLL-6240
# Description : Check default umask
# Register --test-no SHLL-6240 --weight L --network NO --description "Check default umask"
# if [ ${SKIPTEST} -eq 0 ]; then
# logtext "Test: Checking /etc/profile..."
# if [ -f /etc/profile ]; then
# FIND=`grep "^umask" | awk '{ print $2 }'`
# if [ "${FIND}" = "" ]; then
# logtext "Result: xxx"
# Display --indent 2 --text "- Checking default umask... " --result OK --color GREEN
# else
# logtext "Result: xxx"
# Display --indent 2 --text "- Checking default umask... " --result WARNING --color RED
# #ReportWarning ${TEST_NO} "M" "xxx"
# #ReportSuggestion ${TEST_NO} "xxx"
# fi
# fi
# fi
#
#################################################################################
#
# Test : SHLL-6250
# Description : Check /etc/bash.bashrc
# Register --test-no SHLL-6250 --weight L --network NO --description "Check default umask"
# if [ ${SKIPTEST} -eq 0 ]; then
#
#################################################################################
#
report "session_timeout_enabled=${IDLE_TIMEOUT}"
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
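Review bot: In SHLL-6220 the two daemon branches assign a shell variable instead of calling the report helper: `report="session_timeout_method=timeout daemon"` and `report="session_timeout_method[]=autolog"` never reach the report file (and the first also lacks the `[]` array suffix used everywhere else); they should be calls in the style of the profile branches, e.g. `report "session_timeout_method[]=timeoutd"`. The `Register --test-no SHLL-6220 ... --description "Checking available and valid shells"` line is copied from SHLL-6211 and should describe the session-timeout check; the logtext typo "sesions" appears twice. Unless `IDLE_TIMEOUT` is initialised earlier in the file (outside this hunk), `if [ ${IDLE_TIMEOUT} -eq 1 ]` raises a unary-operator error when neither a daemon nor a TMOUT setting was found. The commented-out SHLL-6240 umask check uses `grep "^umask" | awk '{ print $2 }'` with no file argument, so it would read stdin if it is ever enabled; pass `/etc/profile` to grep before uncommenting it.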

105
include/tests_snmp Normal file

@ -0,0 +1,105 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# SNMP
#
#################################################################################
#
SNMP_DAEMON_CONFIG_LOCS="/etc/snmp"
SNMP_DAEMON_CONFIG=""
SNMP_DAEMON_RUNNING=0
#
#################################################################################
#
InsertSection "SNMP Support"
# Test : SNMP-3302
# Description : Check for a running SNMP daemon
Register --test-no SNMP-3302 --weight L --network NO --description "Check for running SNMP daemon"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching for a SNMP daemon..."
# Check running processes
FIND=`${PSBINARY} ax | grep "snmpd" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
SNMP_DAEMON_RUNNING=1
logtext "Result: SNMP daemon is running"
Display --indent 2 --text "- Checking running SNMP daemon..." --result FOUND --color GREEN
else
logtext "Result: No running SNMP daemon found"
Display --indent 2 --text "- Checking running SNMP daemon..." --result "NOT FOUND" --color WHITE
fi
fi
#
#################################################################################
#
# Test : SNMP-3304
# Description : Determine SNMP daemon configuration file location
if [ ${SNMP_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SNMP-3304 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SNMP daemon file location"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Action: searching for snmpd.conf file"
for I in ${SNMP_DAEMON_CONFIG_LOCS}; do
if [ -f "${I}/snmpd.conf" ]; then
logtext "Result: ${I}/snmpd.conf exists"
SNMPD_DAEMON_CONFIG="${I}/snmpd.conf"
fi
done
if [ "${SNMPD_DAEMON_CONFIG}" = "" ]; then
logtext "Result: No snmpd configuration found"
Display --indent 4 --text "- Checking SNMP configuration..." --result "NOT FOUND" --color WHITE
else
logtext "Restult: using last found configuration file: ${SNMPD_DAEMON_CONFIG}"
Display --indent 4 --text "- Checking SNMP configuration..." --result "FOUND" --color GREEN
fi
fi
#
#################################################################################
#
# Test : SNMP-3306
# Description : Determine SNMP communities
if [ ! "${SNMPD_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SNMP-3306 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SNMP communities"
if [ ${SKIPTEST} -eq 0 ]; then
WARN=0
logtext "Test: reading active snmp communities"
FIND=`cat ${SNMPD_DAEMON_CONFIG} | grep "^com2sec" | ${AWKBINARY} '{ print $4 }'`
for I in ${FIND}; do
logtext "Output: ${I}"
if [ "${I}" = "public" -o "${I}" = "private" ]; then
logtext "Result: found easy guessable snmp community string (${I})"
WARN=1
AddHP 1 3
fi
done
# Check status of test
if [ ${WARN} -eq 0 ]; then
Display --indent 2 --text "- Checking SNMP community strings..." --result OK --color GREEN
AddHP 2 2
else
Display --indent 2 --text "- Checking SNMP community strings..." --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "Found easy guessable SNMP community string"
fi
fi
#
#################################################################################
#
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
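Review bot: The configuration-file variable is spelled two ways in this file: it is initialised as `SNMP_DAEMON_CONFIG=""` at the top, but SNMP-3304 and SNMP-3306 read and write `SNMPD_DAEMON_CONFIG`; the tests only work because the unset name expands to an empty string, so pick one spelling. SNMP-3306 reads communities only from `com2sec` (field 4), while net-snmp also defines them with `rocommunity`/`rwcommunity` (and the `6` variants), which is what most distribution configs ship, so `rocommunity public` currently goes undetected; grep those directives too (the community is field 2 there). The process check `FIND=\`${PSBINARY} ax | grep "snmpd" | grep -v "grep"\`` matches any command line containing the string (an editor open on snmpd.conf, for instance); the `IsRunning` helper used in tests_ssh would be more precise and consistent. Typo in SNMP-3304: "Restult".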

69
include/tests_solaris Normal file

@ -0,0 +1,69 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Solaris
#
#################################################################################
#
InsertSection "Solaris"
#
#################################################################################
#
# Test : SOL-xxxx
# Description : Check if Stop-A is disabled
# Register --test-no SOL-xxxx --weight L --network NO --description "Check for running SSH daemon"
# if [ ${SKIPTEST} -eq 0 ]; then
# logtext "Test: Searching for a SSH daemon..."
# # Check running processes
# FIND=`${PSBINARY} ax | grep "sshd" | grep -v "grep"`
# if [ ! "${FIND}" = "" ]; then
# SSH_DAEMON_RUNNING=1
# logtext "Result: Stop-A is disabled"
# Display --indent 2 --text "- Checking running SSH daemon..." --result FOUND --color GREEN
# else
# logtext "Result: Stop-A is NOT disabled"
# Display --indent 2 --text "- Checking running SSH daemon..." --result "NOT FOUND" --color WHITE
# fi
# fi
#
#################################################################################
#
# Test : SOL-xxxx
# Description : Check if vold is disabled, to disallow unaudited mounts
# Register --test-no SOL-xxxx --weight L --network NO --description "Check for running SSH daemon"
# if [ ${SKIPTEST} -eq 0 ]; then
# logtext "Test: Searching for a SSH daemon..."
# # Check running processes
# FIND=`${PSBINARY} ax | grep "sshd" | grep -v "grep"`
# if [ ! "${FIND}" = "" ]; then
# SSH_DAEMON_RUNNING=1
# logtext "Result: Stop-A is disabled"
# Display --indent 2 --text "- Checking running SSH daemon..." --result FOUND --color GREEN
# else
# logtext "Result: Stop-A is NOT disabled"
# Display --indent 2 --text "- Checking running SSH daemon..." --result "NOT FOUND" --color WHITE
# fi
# fi
#
#################################################################################
#
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
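Review bot: Both Solaris tests carry the placeholder ID `SOL-xxxx` and bodies pasted from the SSH daemon test (`FIND=\`${PSBINARY} ax | grep "sshd" | grep -v "grep"\``, "Searching for a SSH daemon..."), so the logged results "Stop-A is disabled" / "Stop-A is NOT disabled" would actually report whether sshd is running. They are commented out, so nothing breaks today, but either drop the stubs or give them real IDs and bodies: the Stop-A check is the `KEYBOARD_ABORT=disable` setting in /etc/default/kbd, and the vold check should look at the volume-management SMF service state with svcs rather than grep a process list.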

384
include/tests_squid Normal file

@ -0,0 +1,384 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Squid
#
#################################################################################
#
SQUID_DAEMON_CONFIG_LOCS="/etc /etc/squid /etc/squid3 /usr/local/etc/squid /usr/local/squid/etc"
SQUID_DAEMON_CONFIG=""
SQUID_DAEMON_UNSAFE_PORTS_LIST="22 23 25"
SQUID_DAEMON_RUNNING=0
#
#################################################################################
#
InsertSection "Squid Support"
#
#################################################################################
#
# Test : SQD-3602
# Description : Check for a running Squid daemon
# Notes : Search for squid(3) with a space, to avoid SquidGuard and other
# programs.
Register --test-no SQD-3602 --weight L --network NO --description "Check for running Squid daemon"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching for a Squid daemon..."
FOUND=0
# Check running processes
FIND=`${PSBINARY} ax | egrep "(squid|squid3) " | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
SQUID_DAEMON_RUNNING=1
logtext "Result: Squid daemon is running"
Display --indent 2 --text "- Checking running Squid daemon..." --result FOUND --color GREEN
else
logtext "Result: No running Squid daemon found"
Display --indent 2 --text "- Checking running Squid daemon..." --result "NOT FOUND" --color WHITE
fi
fi
#
#################################################################################
#
# Test : SQD-3604
# Description : Determine Squid daemon configuration file location
if [ ${SQUID_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3604 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid daemon file location"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Action: searching for squid.conf or squid3.conf file"
for I in ${SQUID_DAEMON_CONFIG_LOCS}; do
# Checking squid.conf
if [ -f "${I}/squid.conf" ]; then
logtext "Result: ${I}/squid.conf exists"
SQUID_DAEMON_CONFIG="${I}/squid.conf"
fi
# Checking squid3.conf
if [ -f "${I}/squid3.conf" ]; then
logtext "Result: ${I}/squid3.conf exists"
SQUID_DAEMON_CONFIG="${I}/squid3.conf"
fi
done
if [ "${SQUID_DAEMON_CONFIG}" = "" ]; then
logtext "Result: No Squid configuration file found"
Display --indent 4 --text "- Searching Squid configuration file..." --result "NOT FOUND" --color YELLOW
else
logtext "Result: using last found configuration file: ${SQUID_DAEMON_CONFIG}"
Display --indent 4 --text "- Searching Squid configuration..." --result FOUND --color GREEN
fi
fi
#
#################################################################################
#
# Test : SQD-3606
# Description : Check Squid version
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3606 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid version"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${SQUIDBINARY}" = "" ]; then
logtext "Result: Squid binary found (${SQUIDBINARY})"
# Skip check if a setuid/setgid bit is found
FIND=`find ${SQUIDBINARY} \( -perm 4000 -o -perm 2000 \) -print`
if [ "${FIND}" = "" ]; then
FIND2=`${SQUIDBINARY} -v | awk '{ if ($3=="Version") { print $4 } }'`
Display --indent 4 --text "- Checking Squid version..." --result "FOUND" --color GREEN
SQUID_VERSION="${FIND2}"
else
logtext "Result: test skipped for security reasons, setuid/setgid bit set"
Display --indent 4 --text "- Checking Squid version..." --result "SKIPPED" --color RED
fi
else
logtext "Result: no Squid binary found"
fi
fi
#
#################################################################################
#
# # Test : SQD-3608
# # Description : Check Squid build options
# if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Register --test-no SQD-3608 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid version"
# if [ ${SKIPTEST} -eq 0 ]; then
# fi
#
#################################################################################
#
# Test : SQD-3610
# Description : Check Squid configuration options
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3610 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid version"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking all specific defined options in ${SQUID_DAEMON_CONFIG}"
FIND=`cat ${SQUID_DAEMON_CONFIG} | grep -v "^#" | grep -v "^$" | ${AWKBINARY} '{gsub("\t"," ");print}' | sed 's/ /!space!/g'`
for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'`
logtext "Found Squid option: ${I}"
done
Display --indent 4 --text "- Checking defined Squid options..." --result "DONE" --color GREEN
fi
#
#################################################################################
#
# # Test : SQD-3612
# # Description : Check Squid additional configuration files
# if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Register --test-no SQD-3612 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check additional Squid configuration files"
# if [ ${SKIPTEST} -eq 0 ]; then
# fi
#
#################################################################################
#
# Test : SQD-3613
# Description : Check Squid configuration options
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3613 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid file permissions"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking file permissions of ${SQUID_DAEMON_CONFIG}"
FIND=`find ${SQUID_DAEMON_CONFIG} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \)`
if [ ! "${FIND}" = "" ]; then
logtext "Result: file ${SQUID_DAEMON_CONFIG} is world readable, writable or executable and could leak information or passwords"
Display --indent 4 --text "- Checking Squid configuration file permissions..." --result WARNING --color RED
ReportSuggestion ${TEST_NO} "Check file permissions of ${SQUID_DAEMON_CONFIG} to limit access"
ReportWarning ${TEST_NO} "M" "File permissions of ${SQUID_DAEMON_CONFIG} are not restrictive"
AddHP 0 2
else
logtext "Result: file ${SQUID_DAEMON_CONFIG} has proper file permissions"
Display --indent 4 --text "- Checking Squid configuration file permissions..." --result OK --color GREEN
AddHP 2 2
fi
fi
#
#################################################################################
#
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then
Display --indent 4 --text "- Checking Squid access control..."
fi
#
#################################################################################
#
# Test : SQD-3614
# Description : Check Squid authentication
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3614 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid authentication methods"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check auth_param option for authentication methods"
FIND=`grep "^auth_param" ${SQUID_DAEMON_CONFIG} | awk '{ print $2 }'`
if [ "${FIND}" = "" ]; then
logtext "No auth_param option found, proxy access anonymous or based on other methods (like ACLs)"
Display --indent 6 --text "- Checking Squid authentication methods..." --result "NONE" --color YELLOW
else
Display --indent 6 --text "- Checking Squid authentication methods..." --result "FOUND" --color GREEN
for I in ${FIND}; do
logtext "Result: found authentication method ${I}"
report "squid_auth_method=${I}"
done
fi
fi
#
#################################################################################
#
# Test : SQD-3616
# Description : Check external Squid authentication
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3616 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check external Squid authentication"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check external_acl_type option for external authentication helpers"
FIND=`grep "^external_acl_type" ${SQUID_DAEMON_CONFIG}`
if [ "${FIND}" = "" ]; then
logtext "No external_acl_type found"
Display --indent 6 --text "- Checking Squid external authentication methods..." --result "NONE" --color YELLOW
else
Display --indent 6 --text "- Checking Squid external authentication methods..." --result "FOUND" --color GREEN
for I in ${FIND}; do
logtext "Result: found external authentication method helper"
logtext "Output: ${FIND}"
#report "squid_external_acl_type=TRUE"
done
fi
fi
#
#################################################################################
#
# Test : SQD-3620
# Description : Check ACLs
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3620 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid access control lists"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
logtext "Test: checking ACLs"
FIND=`grep "^acl " ${SQUID_DAEMON_CONFIG} | sed 's/ /!space!/g'`
if [ "${FIND}" = "" ]; then
logtext "Result: No ACLs found"
Display --indent 6 --text "- Checking Access Control Lists..." --result "NONE" --color RED
else
for I in ${FIND}; do
N=`expr ${N} + 1`
I=`echo ${I} | sed 's/!space!/ /g'`
logtext "Found ACL: ${I}"
#report "squid_acl=${I}"
done
logtext "Result: Found ${N} ACLs"
Display --indent 6 --text "- Checking Access Control Lists..." --result "${N} ACLs FOUND" --color GREEN
fi
fi
#
#################################################################################
#
# Test : SQD-3624 [T]
# Description : Check unsecure ports in Safe_ports list
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3624 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid safe ports"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
logtext "Test: checking ACL Safe_ports http_access option"
FIND=`grep "^http_access" ${SQUID_DAEMON_CONFIG} | grep "Safe_ports"`
if [ "${FIND}" = "" ]; then
logtext "Result: no Safe_ports found"
Display --indent 6 --text "- Checking ACL 'Safe_ports' http_access option..." --result "NOT FOUND" --color YELLOW
ReportSuggestion ${TEST_NO} "Check if Squid has been configured to restrict access to all safe ports"
else
logtext "Result: checking ACL safe ports"
FIND2=`grep "^acl Safe_ports port" ${SQUID_DAEMON_CONFIG} | awk '{ print $4 }'`
if [ "${FIND2}" = "" ]; then
Display --indent 6 --text "- Checking ACL 'Safe_ports' ports..." --result "NONE FOUND" --color YELLOW
ReportSuggestion ${TEST_NO} "Check if Squid has been configured for which ports it can allow outgoing traffic (Safe_ports)"
AddHP 0 1
else
logtext "Result: Safe_ports found"
for I in ${FIND}; do
logtext "Found safe port: ${I}"
done
Display --indent 6 --text "- Checking ACL 'Safe_ports' ports..." --result "FOUND" --color GREEN
AddHP 1 1
fi
#SQUID_DAEMON_UNSAFE_PORTS_LIST
for I in ${SQUID_DAEMON_UNSAFE_PORTS_LIST}; do
logtext "Test: Checking port ${I} in Safe_ports list"
FIND2=`grep "^acl Safe_ports port ${I}" ${SQUID_DAEMON_CONFIG}`
if [ "${FIND2}" = "" ]; then
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})..." --result "NOT FOUND" --color GREEN
AddHP 1 1
else
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})..." --result "FOUND" --color RED
ReportWarning ${TEST_NO} "H" "Squid configuration possibly allows relaying traffic via configured Safe_port ${I}"
AddHP 0 1
fi
done
fi
fi
#
#################################################################################
#
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then
Display --indent 4 --text "- Checking Squid Denial of Service tuning options..."
fi
#
#################################################################################
#
# Test : SQD-3630 [T]
# Description : Check reply_body_max_size value
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3630 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid reply_body_max_size option"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
logtext "Test: checking option reply_body_max_size"
FIND=`grep "^reply_body_max_size " ${SQUID_DAEMON_CONFIG} | sed 's/ /!space!/g'`
if [ "${FIND}" = "" ]; then
logtext "Result: option reply_body_max_size not configured"
Display --indent 6 --text "- Checking option: reply_body_max_size" --result "NONE" --color RED
AddHP 1 2
ReportSuggestion ${TEST_NO} "Configure Squid option reply_body_max_size to limit the upper size of requests."
else
logtext "Result: option reply_body_max_size configured"
logtext "Output: ${FIND}"
Display --indent 6 --text "- Checking option: reply_body_max_size" --result "FOUND" --color GREEN
AddHP 2 2
fi
fi
#
#################################################################################
#
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then
Display --indent 4 --text "- Checking Squid general options..."
fi
#
#################################################################################
#
# Test : SQD-3680
# Description : Check httpd_suppress_version_string
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3680 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid version suppresion"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`grep "^httpd_suppress_version_string " ${SQUID_DAEMON_CONFIG} | grep " on"`
if [ "${FIND}" = "" ]; then
logtext "Result: option httpd_suppress_version_string not configured"
Display --indent 6 --text "- Checking option: httpd_supress_version_string" --result "NOT FOUND" --color YELLOW
AddHP 1 2
ReportSuggestion ${TEST_NO} "Configure Squid option httpd_suppress_version_string (on) to suppress the version."
else
logtext "Result: option httpd_suppress_version_string configured"
logtext "Output: ${FIND}"
Display --indent 6 --text "- Checking option: httpd_suppress_version_string" --result "FOUND" --color GREEN
AddHP 2 2
fi
fi
#
#################################################################################
#
# Squid
#Hardening:
# $1 $3
# acl snmp_community
# acl maxconn
# acl max_user_ip
#
# follow_x_forwarded_for
#Read cache_peer host type(sibling/parent) proxyport icpport options (if set, icp_access should be set as well)
#Read cache_peer_domain
#Read cache_peer_access
#Read icp_access
#Read icp_port
#Read htcp_access
#Read htcp_port
#Read http_port
#Read https_port
#Read cache_dir
#Read access_log
#Read coredump_dir
#Read quick_abort_min / max /pct
#
# Memory tuning
#Read cache_mem
#Read maximum_object_size_in_memory
#Read maximum_object_size
#Read cache_swap_low
#Read cache_swap_high
# Security
#cache_effective_user
# off
#forwarded_for
#wccp
#
#################################################################################
#
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
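Review bot: The setuid guard in SQD-3606 does not work: `find ${SQUIDBINARY} \( -perm 4000 -o -perm 2000 \)` is an exact-mode match, so a binary with mode 4755 is not caught and `${SQUIDBINARY} -v` is executed anyway; use `-perm -4000 -o -perm -2000` (also `SQUID_VERSION` is set but never logged or reported). In SQD-3624 the loop `for I in ${FIND}; do logtext "Found safe port: ${I}"` walks the tokens of the http_access line (FIND) rather than the port list in FIND2, and `grep "^acl Safe_ports port ${I}"` has no end anchor, so checking for port 22 also matches `acl Safe_ports port 2200`; compare the fourth field exactly. The SQD-3630 suggestion says reply_body_max_size limits "the upper size of requests", but the directive bounds response bodies; reword it. Several Register descriptions are copy-paste leftovers: SQD-3608 and SQD-3610 are registered as "Check Squid version", the comment above SQD-3613 says "Check Squid configuration options" for a file-permission test, and SQD-3680 has "suppresion" and "httpd_supress_version_string" typos in user-visible text.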

295
include/tests_ssh Normal file

@ -0,0 +1,295 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# SSH
#
#################################################################################
#
SSH_DAEMON_CONFIG_LOCS="/etc /etc/ssh /usr/local/etc/ssh /opt/csw/etc/ssh"
SSH_DAEMON_CONFIG=""
SSH_DAEMON_PORT=""
SSH_DAEMON_RUNNING=0
#
#################################################################################
#
InsertSection "SSH Support"
#
#################################################################################
#
# Test : SSH-7402
# Description : Check for a running SSH daemon
Register --test-no SSH-7402 --weight L --network NO --description "Check for running SSH daemon"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching for a SSH daemon..."
IsRunning sshd
if [ ${RUNNING} -eq 1 ]; then
SSH_DAEMON_RUNNING=1
Display --indent 2 --text "- Checking running SSH daemon..." --result FOUND --color GREEN
else
Display --indent 2 --text "- Checking running SSH daemon..." --result "NOT FOUND" --color WHITE
fi
fi
#
#################################################################################
#
# Test : SSH-7404
# Description : Determine SSH daemon configuration file location
if [ ${SSH_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SSH-7404 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH daemon file location"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
logtext "Action: searching for sshd_config file"
for I in ${SSH_DAEMON_CONFIG_LOCS}; do
if [ -f "${I}/sshd_config" ]; then
logtext "Result: ${I}/sshd_config exists"
if [ ${FOUND} -eq 1 ]; then
ReportException "${TEST_NO}:01"
logtext "Result: we already had found another sshd_config file. Using this new file then."
fi
FOUND=1
SSH_DAEMON_CONFIG="${I}/sshd_config"
fi
done
if [ "${SSH_DAEMON_CONFIG}" = "" ]; then
logtext "Result: No sshd configuration found"
Display --indent 4 --text "- Searching SSH configuration..." --result "NOT FOUND" --color YELLOW
else
logtext "Result: using last found configuration file: ${SSH_DAEMON_CONFIG}"
Display --indent 4 --text "- Searching SSH configuration..." --result FOUND --color GREEN
fi
fi
#
#################################################################################
#
# # Test : SSH-7406
# # Description : Check for a running SSH daemon
# if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Register --test-no SSH-7406 --preqs-met ${PREQS_MET} --weight L --network NO --description "SSH daemon listening port"
# if [ ${SKIPTEST} -eq 0 ]; then
# logtext "Test: Searching for a SSH daemon..."
# CheckOption "^Port " ${SSH_DAEMON_CONFIG}
# if [ ${FOUND} -eq 1 ]; then
# FIND=`echo ${FIND} | awk '{ if ($1=="Port") { print $2 }}'`
# # Check if this output is numeric and usuable for later (e.g. in netstat output)
# Display --indent 2 --text "- Checking SSH listening port..." --result FOUND --color GREEN
# logtext "Result: setting port number to ${FIND}"
# SSH_DAEMON_PORT="${FIND}"
# else
# Display --indent 2 --text "- Checking SSH listening port..." --result "NOT FOUND" --color WHITE
# logtext "Result: setting port to default number, as no other port has been configured"
# SSH_DAEMON_PORT="22"
# fi
# fi
#
#################################################################################
#
# Test : SSH-7408
# Description : Check SSH specific defined options
if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SSH-7408 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH defined options"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking all specific defined options in ${SSH_DAEMON_CONFIG}"
FIND=`cat ${SSH_DAEMON_CONFIG} | grep -v "^#" | grep -v "^$" | ${AWKBINARY} '{gsub("\t"," ");print}' | sed 's/ /!space!/g'`
for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'`
logtext "Found SSH option: ${I}"
done
Display --indent 4 --text "- Checking defined SSH options..." --result "DONE" --color GREEN
fi
#
#################################################################################
#
# Test : SSH-7412
# Description : Check SSH PermitRootLogin option
if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SSH-7412 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: PermitRootLogin"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check PermitRootLogin option"
FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^PermitRootLogin" | awk '{ print $2 }'`
if [ "${FIND}" = "yes" -o "${FIND}" = "YES" -o "${FIND}" = "Yes" ]; then
logtext "Result: PermitRootLogin is enabled, root can login directly"
Display --indent 4 --text "- SSH option: PermitRootLogin..." --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "Root can directly login via SSH"
AddHP 0 3
else
# YYY add test for DenyUsers root
if [ "${FIND}" = "no" -o "${FIND}" = "No" ]; then
logtext "Result: PermitRootLogin is disabled. Root can't login directly"
Display --indent 4 --text "- SSH option: PermitRootLogin..." --result DISABLED --color GREEN
AddHP 3 3
else
logtext "Result: Value of PermitRootLogin is unknown (not defined)"
Display --indent 4 --text "- SSH option: PermitRootLogin..." --result DEFAULT --color WHITE
fi
fi
fi
#
#################################################################################
#
# Test : SSH-7414
# Description : Check SSH Protocol option
if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SSH-7414 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: Protocol"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check allowed SSH protocol versions"
FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^Protocol" | awk '{ print $2 }'`
if [ "${FIND}" = "1" -o "${FIND}" = "2,1" -o "${FIND}" = "1,2" ]; then
logtext "Result: Protocol option is set to allow SSH protocol version 1"
Display --indent 4 --text "- SSH option: Protocol..." --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "SSH protocol version 1 is allowed"
AddHP 0 3
else
if [ "${FIND}" = "2" ]; then
logtext "Result: only protocol 2 is allowed"
Display --indent 4 --text "- SSH option: Protocol..." --result OK --color GREEN
AddHP 3 3
else
logtext "Result: value of Protocol is unknown (not defined)"
Display --indent 4 --text "- SSH option: Protocol..." --result DEFAULT --color WHITE
fi
fi
fi
#
#################################################################################
#
# Test : SSH-7416
# Description : Check SSH StrictModes option
if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SSH-7416 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: StrictModes"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Check configured StrictModes option"
FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^StrictModes" | awk '{ print $2 }'`
if [ "${FIND}" = "no" -o "${FIND}" = "NO" -o "${FIND}" = "No" ]; then
logtext "Result: StrictModes option is set to 'no', which means file permissions are NOT checked"
Display --indent 4 --text "- SSH option: StrictModes..." --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "StrictModes is turned off"
ReportSuggestion ${TEST_NO} "Check StrictModes option in sshd_config"
AddHP 0 3
else
if [ "${FIND}" = "yes" -o "${FIND}" = "YES" -o "${FIND}" = "Yes" ]; then
logtext "Result: StrictModes active, file permissions are checked"
Display --indent 4 --text "- SSH option: StrictModes..." --result OK --color GREEN
AddHP 3 3
else
logtext "Result: value of StrictModes is unknown (not defined)"
Display --indent 4 --text "- SSH option: StrictModes..." --result DEFAULT --color WHITE
fi
fi
fi
#
#################################################################################
#
# Test : SSH-7418
# Description : Check SSH Port option
# if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Register --test-no SSH-7418 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: Port"
# if [ ${SKIPTEST} -eq 0 ]; then
# logtext "Test: check allowed SSH protocol versions"
# FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^Port" | awk '{ if ($2!="22") { print $2 } }'`
# if [ "${FIND}" = "1" -o "${FIND}" = "2,1" -o "${FIND}" = "1,2" ]; then
# logtext "Result: Protocol option is set to allow SSH protocol version 1"
# Display --indent 4 --text "- SSH option: Protocol..." --result WARNING --color RED
# ReportWarning ${TEST_NO} "M" "SSH protocol version 1 is allowed"
# AddHP 0 3
# else
# if [ "${FIND}" = "2" ]; then
# logtext "Result: only protocol 2 is allowed"
# Display --indent 4 --text "- SSH option: Protocol..." --result OK --color GREEN
# AddHP 3 3
# else
# logtext "Result: value of Protocol is unknown (not defined)"
# Display --indent 4 --text "- SSH option: Protocol..." --result DEFAULT --color WHITE
# fi
# fi
# fi
#
#################################################################################
#
# Test : SSH-7440
# Description : AllowUsers / AllowGroups
# Goal : Check if only a specific amount of users/groups can log in to the system
if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SSH-7440 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: AllowUsers and AllowGroups"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
# AllowUsers
FIND=`egrep "^AllowUsers" ${SSH_DAEMON_CONFIG} | awk '{ print $2 }'`
if [ ! "${FIND}" = "" ]; then
logtext "Result: AllowUsers set, with value ${FIND}"
Display --indent 4 --text "- SSH option: AllowUsers..." --result FOUND --color GREEN
FOUND=1
else
logtext "Result: AllowUsers is not set"
Display --indent 4 --text "- SSH option: AllowUsers..." --result "NOT FOUND" --color WHITE
fi
# AllowGroups
FIND=`egrep "^AllowGroups" ${SSH_DAEMON_CONFIG} | awk '{ print $2 }'`
if [ ! "${FIND}" = "" ]; then
logtext "Result: AllowUsers set ${FIND}"
Display --indent 4 --text "- SSH option: AllowGroups..." --result FOUND --color GREEN
FOUND=1
else
logtext "Result: AllowGroups is not set"
Display --indent 4 --text "- SSH option: AllowGroups..." --result "NOT FOUND" --color WHITE
fi
if [ ${FOUND} -eq 1 ]; then
logtext "Result: SSH is limited to a specific set of users, which is good"
AddHP 2 2
else
logtext "Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine."
AddHP 0 1
fi
fi
#
#################################################################################
#
# Test : SSH-7464
# Description : HashKnownHosts
#if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no SSH-7464 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: HashKnownHosts"
#if [ ${SKIPTEST} -eq 0 ]; then
# /etc/ssh/ssh_config
# ReportSuggestion ${TEST_NO} "HashKnownHosts option can migitate worm attacks"
#AddHP 2 2
#fi
#
#################################################################################
#
# Test : SSH-7480
# Description : AllowUsers / AllowGroups
# Goal : Scan SSH daemon
#if [ ! ${SSHKEYSCANBINARY} = "" -a ${SSH_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no SSH-7480 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: AllowUsers and AllowGroups"
#if [ ${SKIPTEST} -eq 0 ]; then
# First determine what port the local instance of SSH daemon is running on. If unknown, use port 22
# FIND=`${SSHKEYSCANBINARY} localhost 2>&1 | grep OpenSSH | egrep -i "bsd|debian|ubuntu|redhat"`
#
#################################################################################
#
# sshd -T can provide additional insights
#
#################################################################################
#
report "ssh_daemon_running=${SSH_DAEMON_RUNNING}"
#report "ssh_daemon_port=${SSH_DAEMON_PORT}"
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
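Review bot: In SSH-7412 the unset case is scored as neutral: the final else branch (`logtext "Result: Value of PermitRootLogin is unknown (not defined)"`) prints DEFAULT in white and awards neither the 0/3 of the `yes` branch nor the 3/3 of the `no` branch, so whatever default the running sshd applies decides whether root can log in and Lynis says nothing about it; emit at least a ReportSuggestion to set the option explicitly, and also accept the documented values `without-password` and `forced-commands-only`, which currently land in that same unknown branch. The `grep "^PermitRootLogin"` pattern (and the `^Protocol` / `^StrictModes` ones below it) is case-sensitive and anchored at column 0, while sshd keywords are case-insensitive and may be indented, so `permitrootlogin yes` is silently missed; `grep -i "^[[:space:]]*PermitRootLogin"` matches what sshd matches. Smaller points: in SSH-7440 the AllowGroups branch logs `Result: AllowUsers set ${FIND}` (copied from the AllowUsers branch) and `awk '{ print $2 }'` records only the first user or group of the list; the commented-out SSH-7418 block still carries the Protocol messages and warning text; the SSH-7480 header and its Register description say "AllowUsers / AllowGroups" although the test scans the SSH daemon; and "migitate" in the SSH-7464 stub should be "mitigate" before that text reaches a report.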

117
include/tests_storage Normal file

@ -0,0 +1,117 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
InsertSection "Storage"
#
#################################################################################
#
AUTOMOUNTER_DAEMON_RUNNING=0
NFS_DAEMON_RUNNING=0
AUTOMOUNTER_DAEMON_TOOL=""
#
#################################################################################
#
# Test : STRG-1840
# Description : Check for disabled USB storage
Register --test-no STRG-1840 --os Linux --weight L --network NO --description "Check if USB storage is disabled"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
logtext "Test: Checking USB storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf"
if [ -d /etc/modprobe.d ]; then
FIND=`ls /etc/modprobe.d/* 2>/dev/null`
if [ ! "${FIND}" = "" ]; then
FIND=`grep -r "install usb-storage /bin/true" /etc/modprobe.d/* | grep "usb-storage" | grep -v "#"`
FIND2=`egrep -r "^blacklist (usb_storage|usb-storage)" /etc/modprobe.d/*`
if [ ! "${FIND}" = "" -o ! "${FIND2}" = "" ]; then
FOUND=1
logtext "Result: found usb-storage driver in disabled state"
fi
else
logtext "Result: uncommon situation. Found /etc/modprobe.d directory, but no files in it."
fi
fi
if [ -f /etc/modprobe.conf ]; then
FIND=`grep "install usb-storage /bin/true" /etc/modprobe.conf | grep "usb-storage" | grep -v "#"`
if [ ! "${FIND}" = "" ]; then
FOUND=1
logtext "Result: found usb-storage driver in disabled state"
fi
fi
if [ ${FOUND} -eq 0 ]; then
logtext "Result: usb-storage driver is not explicitly disabled"
Display --indent 2 --text "- Checking usb-storage driver (modprobe config)..." --result "NOT DISABLED" --color WHITE
ReportSuggestion ${TEST_NO} "Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft"
AddHP 2 3
else
logtext "Result: usb-storage driver is disabled"
Display --indent 2 --text "- Checking usb-storage driver (modprobe config)..." --result "DISABLED" --color GREEN
AddHP 3 3
fi
fi
#
#################################################################################
#
# Test : STRG-1846
# Description : Check for disabled firewire storage
Register --test-no STRG-1846 --os Linux --weight L --network NO --description "Check if firewire storage is disabled"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
logtext "Test: Checking firewire storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf"
if [ -d /etc/modprobe.d ]; then
FIND1=`egrep "blacklist (ohci1394|firewire-ohci)" /etc/modprobe.d/* | grep "ohci" | grep -v "#"`
FIND2=`egrep "install (ohci1394|firewire-ohci) /bin/true" /etc/modprobe.d/* | grep "ohci" | grep -v "#"`
if [ ! "${FIND1}" = "" -o ! "${FIND2}" = "" ]; then
FOUND=1
logtext "Result: found firewire ohci driver in disabled state"
fi
fi
if [ -f /etc/modprobe.conf ]; then
FIND1=`egrep -r "blacklist (ohci1394|firewire-ohci)" /etc/modprobe.conf | grep "ohci" | grep -v "#"`
FIND2=`egrep -r "install (ohci1394|firewire-ohci) /bin/true" /etc/modprobe.conf | grep "ohci" | grep -v "#"`
if [ ! "${FIND1}" = "" -o ! "${FIND2}" = "" ]; then
FOUND=1
logtext "Result: found firewire ohci driver in disabled state"
fi
fi
if [ ${FOUND} -eq 0 ]; then
logtext "Result: firewire ohci driver is not explicitly disabled"
Display --indent 2 --text "- Checking firewire ohci driver (modprobe config)..." --result "NOT DISABLED" --color WHITE
ReportSuggestion ${TEST_NO} "Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft"
# after blacklisting modules, make sure to remove them from the initram filesystem: update-initramfs -u
AddHP 2 3
else
logtext "Result: firewire ohci driver is disabled"
Display --indent 2 --text "- Checking firewire ohci driver (modprobe config)..." --result "DISABLED" --color GREEN
AddHP 3 3
fi
fi
#
#################################################################################
#
# NetBSD: amd (auto mount daemon)
#
#################################################################################
#
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
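Review bot: In STRG-1840 the two checks on /etc/modprobe.d do not accept the same module spelling: `grep -r "install usb-storage /bin/true"` only matches the hyphenated name and the exact handler `/bin/true`, while the blacklist regex one line below accepts both `usb_storage` and `usb-storage`; `install usb_storage /bin/true` (or a `/bin/false` handler) therefore goes unrecognised and the driver is reported as NOT DISABLED. The trailing `grep -v "#"` in that pipeline, and in FIND1/FIND2 of STRG-1846 for both modprobe.d and modprobe.conf, drops every line containing a `#` anywhere, including a valid directive followed by a trailing comment, so anchor the comment test to the start of the line (`grep -v "^[[:space:]]*#"`) as `^blacklist` already does. The comment in STRG-1846 about `update-initramfs -u` after blacklisting is the operationally important part of the finding and would be more useful inside the ReportSuggestion text than as a source comment.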

181
include/tests_storage_nfs Normal file

@ -0,0 +1,181 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# NFS
#
#################################################################################
#
InsertSection "NFS"
#
#################################################################################
#
NFS_DAEMON_RUNNING=0
NFS_EXPORTS_EMPTY=0
#
#################################################################################
#
# Test : STRG-1902
# Description : Check rpcinfo
if [ ! "${RPCINFOBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no STRG-1902 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check rpcinfo registered programs"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking rpcinfo registered programs"
FIND=`${RPCINFOBINARY} -p 2> /dev/null | tr -s ' ' ','`
for I in ${FIND}; do
logtext "rpcinfo: ${I}"
done
Display --indent 2 --text "- Query rpc registered programs..." --result "DONE" --color GREEN
fi
#
#################################################################################
#
# Test : STRG-1904
# Description : Check nfs versions in rpcinfo
if [ ! "${RPCINFOBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no STRG-1904 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nfs rpc"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking NFS registered versions"
FIND=`${RPCINFOBINARY} -p 2> /dev/null | ${AWKBINARY} '{ if ($5=="nfs") { print $2 } }' | uniq | sort`
for I in ${FIND}; do
logtext "Found version: ${I}"
done
Display --indent 2 --text "- Query NFS versions..." --result "DONE" --color GREEN
fi
#
#################################################################################
#
# Test : STRG-1906
# Description : Check nfs protocols (TCP/UDP) and port in rpcinfo
if [ ! "${RPCINFOBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no STRG-1906 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nfs rpc"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking NFS registered protocols"
FIND=`${RPCINFOBINARY} -p 2> /dev/null | ${AWKBINARY} '{ if ($5=="nfs") { print $3 } }' | uniq | sort`
for I in ${FIND}; do
logtext "Found protocol: ${I}"
done
if [ "${FIND}" = "" ]; then
logtext "Output: no NFS protocols found"
fi
# Check port number
logtext "Test: Checking NFS registered ports"
FIND=`${RPCINFOBINARY} -p 2> /dev/null | ${AWKBINARY} '{ if ($5=="nfs") { print $3 } }' | uniq | sort`
for I in ${FIND}; do
logtext "Found port: ${I}"
done
if [ "${FIND}" = "" ]; then
logtext "Output: no NFS port number found"
fi
Display --indent 2 --text "- Query NFS protocols..." --result "DONE" --color GREEN
fi
#
#################################################################################
#
# Test : STRG-1920
# Description : Check for running NFS daemons
Register --test-no STRG-1920 --weight L --network NO --description "Checking NFS daemon"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking running NFS daemon"
FIND=`${PSBINARY} ax | grep "nfsd" | grep -v "grep"`
if [ "${FIND}" = "" ]; then
logtext "Output: NFS daemon is not running"
Display --indent 2 --text "- Check running NFS daemon..." --result "NOT FOUND" --color WHITE
else
logtext "Output: NFS daemon is running"
Display --indent 2 --text "- Check running NFS daemon.." --result "FOUND" --color GREEN
NFS_DAEMON_RUNNING=1
fi
fi
#
#################################################################################
#
# Test : STRG-1924
# Description : Check missing nfs in rpcinfo while NFS is running
#Register --test-no STRG-1924 --weight L --network NO --description "Checking NFS daemon"
#if [ ${SKIPTEST} -eq 0 ]; then
#
#################################################################################
#
# Test : STRG-1926
# Description : Check NFS exports
if [ ${NFS_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no STRG-1926 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking NFS exports"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check /etc/exports"
if [ -f /etc/exports ]; then
logtext "Result: /etc/exports exists"
FIND=`cat /etc/exports | grep -v "^$" | grep -v "^#" | sed 's/ /!space!/g'`
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'`
logtext "Found line: ${I}"
done
else
logtext "Result: /etc/exports does not contain exported file systems"
NFS_EXPORTS_EMPTY=1
fi
Display --indent 4 --text "- Checking /etc/exports..." --result "FOUND" --color GREEN
else
logtext "Result: file /etc/exports does not exist"
Display --indent 4 --text "- Checking /etc/exports..." --result "NOT FOUND" --color WHITE
fi
fi
#
#################################################################################
#
# Test : STRG-1928
# Description : Check for empty exports file while NFS is running
if [ ${NFS_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no STRG-1928 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking empty /etc/exports"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ${NFS_EXPORTS_EMPTY} -eq 1 ]; then
Display --indent 6 --text "- Checking empty /etc/exports..." --result SUGGESTION --color YELLOW
logtext "Result: /etc/exports seems to have no exported file systems"
ReportSuggestion ${TEST_NO} "/etc/exports has no exported file systems, while NFS daemon is running. Check if NFS needs to run on this system"
fi
fi
#
#################################################################################
#
# Test : STRG-1930
# Description : Check client access to nfs share
if [ ${NFS_DAEMON_RUNNING} -eq 1 -a ${NFS_EXPORTS_EMPTY} -eq 0 -a ! "${SHOWMOUNTBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no STRG-1930 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check client access to nfs share"
if [ ${SKIPTEST} -eq 0 ]; then
#logtext "Test: "
sFIND=`${SHOWMOUNTBINARY} -e | awk '{ print $2 }' | sed '1d'| grep "\*"`
if [ "${sFIND}" != "" ]; then
logtext "Result: all client are allowed to access a NFS share in /etc/exports"
Display --indent 4 --text "- Checking NFS client access..." --result "ALL CLIENTS" --color YELLOW
ReportSuggestion ${TEST_NO} "Specify clients that are allowed to access a NFS share /etc/exports"
AddHP 2 3
else
logtext "Result: only some clients are allowed to access a NFS share"
Display --indent 4 --text "- Checking NFS client access..." --result OK --color GREEN
AddHP 3 3
fi
fi
#
#################################################################################
#
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
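Review bot: In STRG-1906 the port query is a copy of the protocol query: under "Checking NFS registered ports" the pipeline `awk '{ if ($5=="nfs") { print $3 } }'` prints the proto column again, so the log records "Found port: tcp"; in `rpcinfo -p` output the columns are program, vers, proto, port, service, so the port query should print `$4`. Both pipelines (and the one in STRG-1904) end in `uniq | sort`, which only collapses adjacent duplicates before sorting; use `sort | uniq` (or `sort -u`) for the intended unique list. In STRG-1930 `showmount -e | awk '{ print $2 }' | sed '1d' | grep "\*"` flags any `*` in the second column, so a wildcard host pattern such as `*.example.org` is reported as ALL CLIENTS, while clients listed in later columns are never inspected; match the whole access list against a bare `*` entry instead, and fix the log text "all client are allowed". STRG-1904 and STRG-1906 register with the same description "Check nfs rpc"; give STRG-1906 its own.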

47
include/tests_tcpwrappers Normal file

@ -0,0 +1,47 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# TCP Wrappers
# Run after: NFS checks
#
#################################################################################
#
#
#################################################################################
#
# InsertSection "TCP Wrappers"
#
#################################################################################
#
# Test : TCPW-xxxx (YYY move to nameservices section)
# Description : Basic nameserver configuration tests (connectivity)
# Register --test-no TCPW-xxxx --weight L --network YES --description "Basic nameserver configuration tests"
# if [ ${SKIPTEST} -eq 0 ]; then
# Display --indent 2 --text "- Checking configured nameservers..."
# logtext "Test: Checking /etc/resolv.conf file"
# Display --indent 8 --text "Nameserver: ${I}..." --result OK --color GREEN
# ReportSuggestion ${TEST_NO} "Check connection to this nameserver and make sure no outbound DNS queries are blocked (port 53 UDP and TCP)."
# ReportWarning ${TEST_NO} "L" "Nameserver ${I} does not respond"
# fi
#
#################################################################################
#
#wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
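Review bot: This file ships entirely commented out: `InsertSection "TCP Wrappers"` is disabled, no test is registered, and the only block (TCPW-xxxx) is a nameserver connectivity check that the YYY note itself says belongs in the nameservices section; it also refers to `${I}` without any loop defining it and has no real test number. Either leave the stub out of the import or fill it with the checks the file name and the "Run after: NFS checks" header promise (presence and content of /etc/hosts.allow and /etc/hosts.deny), and move the resolver check to the nameservices file. The commented-out `wait_for_keypress` at the end does nothing until a section is actually inserted.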

428
include/tests_time Normal file

@ -0,0 +1,428 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Time
#
#################################################################################
#
InsertSection "Time and Synchronization"
#
#################################################################################
#
NTP_DAEMON=""
NTP_DAEMON_RUNNING=0
NTP_CONFIG_FOUND=0
NTP_CONFIG_TYPE_DAEMON=0
NTP_CONFIG_TYPE_SCHEDULED=0
NTP_CONFIG_TYPE_EVENTBASED=0
NTP_CONFIG_TYPE_STARTUP=0
# Specific for ntpd
NTPD_RUNNING=0
CRON_DIRS="/etc/cron.d /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly /var/spool/crontabs"
#
#################################################################################
#
# Test : TIME-3104
# Description : Check for a running NTP daemon
if [ -f /sys/hypervisor/type ]; then
# Skip NTP tests if we are in a DomU xen instance YYY
FIND=`cat /sys/hypervisor/type`
if [ "${FIND}" = "xen" ]; then PREQS_MET="NO"; else PREQS_MET="YES"; fi
else
PREQS_MET="YES"
fi
Register --test-no TIME-3104 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for running NTP daemon or client"
if [ ${SKIPTEST} -eq 0 ]; then
# Linux/FreeBSD (ntpdate), OpenBSD (ntpd, rdate)
logtext "Test: Searching for a running NTP daemon or available client... "
FOUND=0
# Check running processes
FIND=`${PSBINARY} ax | grep "ntpd" | grep -v "dntpd" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
FOUND=1; NTPD_RUNNING=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1
NTP_DAEMON="ntpd"
logtext "Result: found running NTP daemon in process list"
Display --indent 2 --text "- Checking running NTP daemon (ntpd)..." --result FOUND --color GREEN
else
logtext "Result: NTP daemon not found in process list"
Display --indent 2 --text "- Checking running NTP daemon (ntpd)..." --result "NOT FOUND" --color WHITE
fi
# Check time daemon (eg NetBSD)
IsRunning timed
if [ ${RUNNING} -eq 1 ]; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="timed"
Display --indent 2 --text "- Checking running NTP daemon (timed)..." --result FOUND --color GREEN
else
Display --indent 2 --text "- Checking running NTP daemon (timed)..." --result "NOT FOUND" --color WHITE
fi
# Check time daemon (eg DragonFly BSD)
IsRunning dntpd
if [ ${RUNNING} -eq 1 ]; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="dntpd"
Display --indent 2 --text "- Checking running NTP daemon (dntpd)..." --result FOUND --color GREEN
else
Display --indent 2 --text "- Checking running NTP daemon (dntpd)..." --result "NOT FOUND" --color WHITE
fi
# Check crontab for OpenBSD/FreeBSD
# Check anacrontab for Linux
CRONTAB_FILES="/etc/anacrontab /etc/crontab"
for I in ${CRONTAB_FILES}; do
if [ -f ${I} ]; then
logtext "Test: checking for ntpdate or rdate in crontab file ${I}"
FIND=`cat ${I} | ${EGREPBINARY} "ntpdate|rdate" | grep -v '^#'`
if [ ! "${FIND}" = "" ]; then
FOUND=1;
NTP_CONFIG_TYPE_SCHEDULED=1
Display --indent 2 --text "- Checking NTP client in crontab file (${I})..." --result FOUND --color GREEN
logtext "Result: found ntpdate or rdate reference in crontab file ${I}"
else
Display --indent 2 --text "- Checking NTP client in crontab file (${I})..." --result "NOT FOUND" --color WHITE
logtext "Result: no ntpdate or rdate reference found in crontab file ${I}"
fi
else
logtext "Result: crontab file ${I} not found"
fi
done
##########################
# To do: test on Solaris #
##########################
# Don't run check in cron job directory on Solaris
# /etc/cron.d/FIFO is a special file and test get stuck at this file
FOUND_IN_CRON=0
# Check cron jobs
for I in ${CRON_DIRS}; do
if [ -d ${I} ]; then
FIND=`ls ${I} | grep -v FIFO`
if [ ! "${FIND}" = "" ]; then
for J in ${FIND}; do
logtext "Test: checking for ntpdate or rdate in ${I}/${J}"
FIND2=`${EGREPBINARY} "rdate|ntpdate" ${I}/${J} | grep -v "^#"`
if [ ! "${FIND2}" = "" ]; then
logtext "Positive match found: ${FIND2}"
FOUND=1; FOUND_IN_CRON=1; NTP_CONFIG_TYPE_SCHEDULED=1
fi
done
else
logtext "Result: ${I} is empty, skipping search in directory"
fi
fi
done
if [ ${FOUND_IN_CRON} -eq 1 ]; then
Display --indent 2 --text "- Checking NTP client in cron files..." --result FOUND --color GREEN
logtext "Result: found ntpdate or rdate in cron directory"
else
Display --indent 2 --text "- Checking NTP client in cron.d files..." --result "NOT FOUND" --color WHITE
logtext "Result: no ntpdate or rdate found in cron directories"
fi
# Checking if ntpdate is performed by event
logtext "Test: checking for file /etc/network/if-up.d/ntpdate"
if [ -f /etc/network/if-up.d/ntpdate ]; then
logtext "Result: found ntpdate action when network interface comes up"
FOUND=1
NTP_CONFIG_TYPE_EVENTBASED=1
Display --indent 2 --text "- Checking event based ntpdate (if-up)..." --result FOUND --color GREEN
else
logtext "Result: file /etc/network/if-up.d/ntpdate does not exist"
fi
if [ "${OS}" = "FreeBSD" ]; then
logtext "Test: Checking if ntpdate is enabled at startup in FreeBSD"
if [ -f /etc/rc.conf ]; then
FIND=`grep 'ntpdate_enable="YES"' /etc/rc.conf`
if [ ! "${FIND}" = "" ]; then
logtext "Result: ntpdate is enabled in rc.conf"
# Mark system having a NTP client, but remind user to improve it
FOUND=1
NTP_CONFIG_TYPE_STARTUP=1
ReportSuggestion ${TEST_NO} "Although ntpdate is enabled in rc.conf, it is adviced to run it at least daily or use a NTP daemon"
else
logtext "Result: ntpdate is not enabled in rc.conf"
fi
fi
fi
if [ ${FOUND} -eq 0 ]; then
Display --indent 2 --text "- Checking for a running NTP daemon or client" --result WARNING --color RED
logtext "Result: Could not find a NTP daemon or client"
ReportSuggestion ${TEST_NO} "Use NTP daemon or NTP client to prevent time issues."
AddHP 0 2
else
Display --indent 2 --text "- Checking for a running NTP daemon or client" --result OK --color GREEN
logtext "Result: Found a time syncing daemon/client."
AddHP 3 3
fi
fi
#
#################################################################################
#
# Test : TIME-3112
# Description : Check for valid associations from ntpq peers list
if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3112 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check active NTP associations ID's"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking for NTP association ID's from ntpq peers list"
FIND=`${NTPQBINARY} -p -n | grep "No association ID's returned"`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking valid association ID's" --result FOUND --color GREEN
logtext "Result: Found one or more association ID's"
else
Display --indent 2 --text "- Checking valid association ID's" --result WARNING --color RED
ReportSuggestion ${TEST_NO} "Check ntp.conf for properly configured NTP servers and a correctly functioning name service."
fi
fi
#
#################################################################################
#
# Test : TIME-3116
# Description : Check for stratum 16 peers
if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3116 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check peers with stratum value of 16"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
logtext "Test: Checking stratum 16 sources from ntpq peers list"
FIND=`${NTPQBINARY} -p -n | awk '{ if ($3=="16") { print $1 } }'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking high stratum ntp peers" --result OK --color GREEN
logtext "Result: All peers are lower than stratum 16"
else
for I in ${FIND}; do
logtext "Found stratum 16 peer: ${I}"
FIND2=`egrep "^ntp:ignore_stratum_16_peer:${I}:" ${PROFILE}`
if [ "${FIND2}" = "" ]; then
N=`expr ${N} + 1`
else
logtext "Output: host ${I} ignored by profile"
fi
done
# Check if one or more high stratum time servers are found
if [ ${N} -eq 0 ]; then
Display --indent 2 --text "- Checking high stratum ntp peers" --result OK --color GREEN
logtext "Result: all non local servers are lower than stratum 16, or whitelisted within the scan profile"
else
Display --indent 2 --text "- Checking high stratum ntp peers" --result WARNING --color RED
logtext "Result: Found one or more high stratum (16) peers)"
ReportSuggestion ${TEST_NO} "Check ntpq peers output"
ReportWarning ${TEST_NO} "L" "Found one or more stratum 16 peers"
fi
fi
fi
#
#################################################################################
#
# Test : TIME-3120
# Description : Check unreliable peers from peer list
# Notes : Items with # are too far away (network distance)
# Items with - are not chosing due clustering algoritm
if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3120 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check unreliable NTP peers"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking unreliable ntp peers"
FIND=`${NTPQBINARY} -p -n | egrep "^(-|#)" | awk '{ print $1 }' | sed 's/^-//g'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking unreliable ntp peers" --result NONE --color GREEN
logtext "Result: No unreliable peers found"
else
Display --indent 2 --text "- Checking unreliable ntp peers" --result FOUND --color YELLOW
logtext "Result: Found one or more unreliable peers (marked with a minus or dash sign)"
for I in ${FIND}; do
logtext "Unreliable peer: ${I}"
done
ReportSuggestion ${TEST_NO} "Check ntpq peers output for unreliable ntp peers and correct/replace them"
fi
fi
#
#################################################################################
#
# Test : TIME-3124
# Description : Check selected time source
if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3124 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check selected time source"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking selected time source"
FIND=`${NTPQBINARY} -p -n | grep '^*' | awk '{ if ($4=="l") { print $1 } }'`
FIND2=`${NTPQBINARY} -p -n | grep '^*' | awk '{ print $1 }'`
if [ "${FIND}" = "" -a ! "${FIND2}" = "" ]; then
Display --indent 2 --text "- Checking selected time source" --result OK --color GREEN
FIND2=`echo ${FIND2} | sed 's/*//g'`
logtext "Result: Found selected time source (value: ${FIND2})"
else
Display --indent 2 --text "- Checking selected time source" --result WARNING --color RED
logtext "Result: Found local source as selected time source. This could indicate that no external sources are available to sync with."
logtext "Local source: ${FIND}"
ReportSuggestion ${TEST_NO} "Check ntpq peers output for selected time source"
fi
fi
#
#################################################################################
#
# Test : TIME-3128
# Description : Check time source candidates
if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3128 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check preffered time source"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking preferred time source"
FIND=`${NTPQBINARY} -p -n | grep '^+' | awk '{ print $1 }'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking time source candidates..." --result NONE --color YELLOW
logtext "Result: No other time source candidates found"
ReportSuggestion ${TEST_NO} "Check ntpq peers output for time source candidates"
else
Display --indent 2 --text "- Checking time source candidates..." --result OK --color GREEN
logtext "Result: Found one or more candidates to synchronize time with."
for I in ${FIND}; do
I=`echo ${I} | sed 's/+//g'`
logtext "Candidate found: ${I}"
done
fi
fi
#
#################################################################################
#
# Test : TIME-3132
# Description : Check ntpq falsetickers
if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3132 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check NTP falsetickers"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking preferred time source"
FIND=`${NTPQBINARY} -p -n | grep '^x'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking falsetickers..." --result OK --color GREEN
logtext "Result: No falsetickers found (items preceeding with an 'x')"
else
Display --indent 2 --text "- Checking falsetickers..." --result NONE --color YELLOW
logtext "Result: Found one or more falsetickers (items preceeding with an 'x')"
for I in ${FIND}; do
I=`echo ${I} | sed 's/x//g'`
logtext "Falseticker found: ${I}"
report "ntp_falseticker=${I}"
done
ReportSuggestion ${TEST_NO} "Check ntpq peers output for falsetickers"
fi
fi
#
#################################################################################
#
# Test : TIME-3136
# Description : Check ntpq reported ntp version (Linux)
# Notes : Test could be improved by checking every host (YYY)
if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3136 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check NTP protocol version"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking NTP protocol version (ntpq -c ntpversion)"
FIND=`${NTPQBINARY} -c ntpversion | awk '{ if ($1=="NTP" && $2=="version" && $5=="is") { print $6 } }'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking NTP version..." --result UNKNOWN --color YELLOW
logtext "Result: No NTP version found"
ReportSuggestion ${TEST_NO} "Check ntpq output for NTP protocol version"
else
Display --indent 2 --text "- Checking NTP version..." --result FOUND --color GREEN
logtext "Result: Found NTP version ${FIND}"
report "ntp_version=${FIND}"
fi
fi
#
#################################################################################
#
# Test : TIME-3146
# Description : Check /etc/default/ntpdate (Linux)
# Notes : ntpdate-debian binary
#if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no TIME-3146 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check /etc/default/ntpdate"
#if [ ${SKIPTEST} -eq 0 ]; then
#
#################################################################################
#
# Test : TIME-3160
# Description : Check empty NTP step-tickers
# Notes : Mostly applies to Red Hat and clones
if [ "${NTPD_RUNNING}" -eq 1 -a ! "${NTPQBINARY}" = "" -a ! "${CHKCONFIGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3160 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check empty NTP step-tickers"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
FILE="/etc/ntp/step-tickers"
if [ -f ${FILE} ]; then
if [ -z ${FILE} ]; then
logtext "Result: ${FILE} is empty. The step-tickers contain no configured NTP servers"
Display --indent 2 --text "- Checking NTP step-tickers file" --result "EMPTY FILE" --color YELLOW
ReportSuggestion ${TEST_NO} "Use step-rickers file for quicker time synchronization"
else
logtext "Result: /etc/ntp/step-tickers is not empty, which is fine"
Display --indent 2 --text "- Checking NTP step-tickers file" --result "OK" --color GREEN
sFIND=`${AWKBINARY} '/^server/ { print $2 }' /etc/ntp.conf | ${GREPBINARY} -v '127.127.1.0'`
for I in ${sFIND}; do
FIND=`${GREPBINARY} ^${I} ${FILE} | wc -l`
if [ ${FIND} -gt 0 ]; then
logtext "Result: $I exist in ${FILE}"
else
logtext "Result: ${I} does NOT exist in ${FILE}"
FOUND=1
fi
done
if [ ${FOUND} -eq 1 ]; then
Display --indent 4 --text "- Checking step-tickers ntp servers entries" --result "SOME MISSING" --color YELLOW
ReportSuggestion ${TEST_NO} "Some time servers missing in step-tickers file"
AddHP 3 4
else
Display --indent 4 --text "- Checking step-tickers ntp servers entries" --result OK --color GREEN
logtext "Result: all time servers are in step-tickers file"
AddHP 4 4
fi
fi
logtext "Information: step-tickers is used by ntpdate where as ntp.conf is the configuration file for the ntpd daemon. ntpdate is initially run to set the clock before ntpd to make sure time is within 1000 sec."
logtext "Risk: ntp will not run at boot if the time difference between the server and client by more then 1000 sec."
else
logtext "Result: test skipped because ${FILE} not found"
fi
fi
#
#################################################################################
#
wait_for_keypress
#
#################################################################################
#
report "ntp_config_found=${NTP_CONFIG_FOUND}"
report "ntp_config_type_daemon=${NTP_CONFIG_TYPE_DAEMON}"
report "ntp_config_type_eventbased=${NTP_CONFIG_TYPE_EVENTBASED}"
report "ntp_config_type_scheduled=${NTP_CONFIG_TYPE_SCHEDULED}"
report "ntp_config_type_startup=${NTP_CONFIG_TYPE_STARTUP}"
report "ntp_daemon=${NTP_DAEMON}"
report "ntp_daemon_running=${NTP_DAEMON_RUNNING}"
# OS Time daemons Configuration file
# --------------------------------------------
# AIX xntpd /etc/ntp.conf
# HP
# Linux ntpd /etc/ntp.conf
# OpenBSD ntpd /etc/ntpd.conf
# Solaris xntpd /etc/inet/ntp.conf
#
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
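Review bot: In TIME-3160 the emptiness check `if [ -z ${FILE} ]` tests whether the variable FILE is an empty string, not whether the file is empty; since FILE is always set to /etc/ntp/step-tickers on the line above, the "EMPTY FILE" branch can never be taken and an empty step-tickers file is reported as "not empty, which is fine". Use `if [ ! -s ${FILE} ]` (exists but has zero size) instead; the suggestion text in that branch also reads "step-rickers". Two smaller points in the same hunk: TIME-3124 logs "Found local source as selected time source" whenever the OK condition fails, which includes the case where FIND2 is empty (no peer selected at all), so that host gets a misleading local-source warning instead of a "no source selected" result; and TIME-3132 shows a hit as --result NONE while the log says falsetickers were found, its loop strips every 'x' from the matched line with `sed 's/x//g'` (mangling peer names or refids that contain that letter), and its logtext still says "Checking preferred time source", copied from TIME-3128.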

78
include/tests_tooling Normal file

@ -0,0 +1,78 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
AUTOMATION_TOOL_FOUND=0
BACKUP_AGENT_FOUND=0
#
#################################################################################
#
InsertSection "Software: System tooling"
PUPPET_MASTER_RUNNING=0
#
#################################################################################
#
# Automation
#
#################################################################################
#
# Test : TOOL-5002
# Description : Check if automation tools are found
Register --test-no TOOL-5002 --weight L --network NO --description "Checking for automation tools"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Checking automation tooling..."
# Cfengine
if [ ! "${CFAGENTBINARY}" = "" ]; then
logtext "Result: Cfengine (cfagent) is installed (${CFAGENTBINARY})"
AUTOMATION_TOOL_FOUND=1
Display --indent 4 --text "Found: Cfengine (cfagent)" --result FOUND --color GREEN
fi
# Puppet
if [ ! "${PUPPETBINARY}" = "" ]; then
logtext "Result: Puppet is installed (${PUPPETBINARY})"
AUTOMATION_TOOL_FOUND=1
Display --indent 4 --text "Found: Puppet (agent)" --result FOUND --color GREEN
fi
IsRunning "puppet master"
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: found puppet master"
PUPPET_MASTER_RUNNING=1
Display --indent 4 --text "Found: Puppet (master)" --result FOUND --color GREEN
fi
if [ ${AUTOMATION_TOOL_FOUND} -eq 1 ]; then
Display --indent 2 --text "- Automation tooling" --result FOUND --color GREEN
else
Display --indent 2 --text "- Automation tooling" --result "NOT FOUND" --color YELLOW
ReportSuggestion ${TEST_NO} "Determine if automation tools are present for system management"
fi
fi
#
#################################################################################
#
# Backup tools
#
#################################################################################
#
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
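Review bot: In TOOL-5002 a running puppet master does not count as an automation tool: the `IsRunning "puppet master"` branch sets PUPPET_MASTER_RUNNING=1 but not AUTOMATION_TOOL_FOUND=1, so a master host without the agent binary in PATH ends with "Automation tooling ... NOT FOUND" plus the suggestion to determine whether automation tools are present. Set AUTOMATION_TOOL_FOUND=1 in that branch as well. Also, nothing in this file calls report, so neither the detected tools nor PUPPET_MASTER_RUNNING reach the report file, and BACKUP_AGENT_FOUND is initialised while the "Backup tools" section below contains no test; either add the test or drop the variable until one exists.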


@ -0,0 +1,97 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Virtualization
#
#################################################################################
#
InsertSection "Virtualization"
#
#################################################################################
#
# Test : VIRT-1902
# Description : Query running Solaris zones
if [ -x /usr/sbin/zoneadm ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no VIRT-1902 --os Solaris --weight L --network NO --description "Query running Solaris zones"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: query zoneadm to list all running zones"
FIND=`/usr/sbin/zoneadm list -p | awk -F: '{ if ($2!="global") print $0 }'`
if [ ! "${FIND}" = "" ]; then
N=0
for I in ${FIND}; do
N=`expr ${N} + 1`
ZONEID=`echo ${I} | cut -d ':' -f1`
ZONENAME=`echo ${I} | cut -d ':' -f2`
logtext "Result: found zone ${ZONENAME} (running)"
report "solaris_running_zone[]=${ZONENAME} [id:${ZONEID}]"
done
logtext "Result: total of ${N} running zones"
Display --indent 2 --text "- Checking Solaris Zones..." --result "FOUND ${N} zones" --color GREEN
else
logtext "Result: no running zones found"
Display --indent 2 --text "- Checking Solaris Zones..." --result NONE --color WHITE
fi
fi
#
#################################################################################
#
# Test : VIRT-1906
# Description : Query running Xen zones
#if [ -x /usr/bin/xm ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no VIRT-1906 --weight L --network NO --description "Query Xen guests"
#if [ ${SKIPTEST} -eq 0 ]; then
# Show Xen guests
#FIND=`xm list | awk '$1 != "Name|Domain-0" {print $1","$2}'`
#for I in ${FIND}; do
#XENGUESTNAME=`echo ${I} | cut -d ':' -f1`
#XENGUESTID=`echo ${I} | cut -d ':' -f2`
#logtext "Result: found Xen guest ${XENGUESTNAME} (ID: ${XENGUESTID})"
#done
#fi
#
#################################################################################
#
# # Test : VIRT-1920
# # Description : Checking VMware
# Register --test-no VIRT-1920 --weight L --network NO --description "Checking VMware guest status"
# if [ ${SKIPTEST} -eq 0 ]; then
# # Initialise
# VMWARE_GUEST=0
# Display --indent 2 --text "- Checking VMware guest status..."
# #YYY check memory driver file
# #YYY check LKM list
# #YYY check vmware tools
# logtext "Test: checking VMware tools daemon presence"
# if [ ! "${VMWARETOOLSBINARY}" = "" ]; then
# logtext "Result: VMware tools binary found"
# VMWARE_GUEST=1
# Display --indent 4 --text "- Checking VMware tools daemon" --result FOUND --color GREEN
# else
# Display --indent 4 --text "- Checking VMware tools daemon" --result "NOT FOUND" --color WHITE
# fi
#
# fi
#
#################################################################################
#
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
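Review bot: In VIRT-1902 the PREQS_MET computed from `-x /usr/sbin/zoneadm` is never passed to Register (the call lacks `--preqs-met ${PREQS_MET}`), so on a Solaris host without an executable zoneadm the test runs anyway and the FIND command fails. Add `--preqs-met ${PREQS_MET}` to the Register line. The commented-out VIRT-1906 block should not be enabled as written: `awk '$1 != "Name|Domain-0"'` is a string comparison, not a regex, so neither the "Name" header nor Domain-0 is filtered out, and the awk output is comma-separated while the cut commands split on ':'. The YYY markers in VIRT-1920 (memory driver, LKM list, tools) document work still to do; a line in the file header stating which virtualization checks are active would help readers.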

695
include/tests_webservers Normal file

@ -0,0 +1,695 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Software: webserver
#
#################################################################################
#
InsertSection "Software: webserver"
#
#################################################################################
#
# Reset Apache status
APACHE_INSTALLED=0
APACHE_MODULES_ENABLED_LOCS="/etc/apache2/mods-enabled"
APACHE_MODULES_LOCS="/etc/httpd/modules /opt/local/apache2/modules /usr/lib/apache2/modules /usr/lib/httpd/modules /usr/local/libexec/apache /usr/local/libexec/apache22 /usr/lib64/apache2/modules /usr/lib64/httpd/modules"
NGINX_RUNNING=0
NGINX_CONF_LOCS="/etc/nginx /usr/local/etc/nginx /usr/local/nginx/conf"
NGINX_CONF_LOCATION=""
#
#################################################################################
#
sTEST_APACHE_TARGETS="/etc/apache /etc/apache2 /etc/httpd /usr/local/apache /usr/local/apache2 \
/usr/local/etc/apache /usr/local/etc/apache2 /usr/local/etc/apache22 \
/usr/pkg/etc/httpd /etc/sysconfig/apache2"
if [ "${OS}" = "AIX" ]; then
RANDOMSTRING1=`echo lynis-$(od -N4 -tu /dev/random | awk 'NR==1 {print $2} {}')`; RANDOMSTRING2=`echo lynis2-$(od -N4 -tu /dev/random | awk 'NR==1 {print $2} {}')`
TMPFILE="/tmp/${RANDOMSTRING1}"; TMPFILE2="/tmp/${RANDOMSTRING2}"
echo "" > ${TMPFILE}; echo "" > ${TMPFILE2}
else
TMPFILE=`mktemp /tmp/lynis.XXXXXXXXXX` || exit 1
TMPFILE2=`mktemp /tmp/lynis2.XXXXXXXXXX` || exit 1
fi
#
#################################################################################
#
# Test : HTTP-6622
# Description : Test for Apache installation
# Notes : Do not run on NetBSD, -v is unknown option for httpd binary
if [ ! "${OS}" = "NetBSD" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6622 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking Apache presence"
if [ ${SKIPTEST} -eq 0 ]; then
if [ "${HTTPDBINARY}" = "" ]; then
Display --indent 2 --text "- Checking Apache" --result "NOT FOUND" --color WHITE
else
logtext "Test: Scanning for Apache binary..."
IS_APACHE=`${HTTPDBINARY} -v | egrep '[aA]pache'`
if [ "${IS_APACHE}" = "" ]; then
logtext "Result: ${HTTPDBINARY} is not Apache"
Display --indent 2 --text "- Checking Apache (binary ${HTTPDBINARY})" --result "NO MATCH" --color WHITE
else
Display --indent 2 --text "- Checking Apache (binary ${HTTPDBINARY})" --result "FOUND" --color GREEN
logtext "Result: ${HTTPDBINARY} seems to be Apache HTTP daemon"
APACHE_INSTALLED=1
fi
fi
fi
#
#################################################################################
#
# Test : HTTP-6624
# Description : Testing main Apache configuration file
# Notes : Do not run on NetBSD, -V is unknown option for httpd binary
if [ ${APACHE_INSTALLED} -eq 1 ]; then
if [ ! "${OS}" = "NetBSD" ]; then
PREQS_MET="YES"
else
PREQS_MET="NO"
fi
else
PREQS_MET="NO"
fi
Register --test-no HTTP-6624 --preqs-met ${PREQS_MET} --weight L --network NO --description "Testing main Apache configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
APACHE_CONFIGFILE=""
APACHE_TEST=`${HTTPDBINARY} -V | grep "\-D SERVER_CONFIG_FILE=" | sed 's/[ ]-D SERVER_CONFIG_FILE=//' | tr -d '"' | tr -d ' '`
if [ "${APACHE_TEST}" = "" ]; then
Display --indent 6 --text "Result: Can't find the configuration file, so skipping some Apache related tests"
else
# We found a possible match. Checking if it's valid filename. If not, we need to add a prefix
if [ -f ${APACHE_TEST} ]; then
APACHE_CONFIGFILE="${APACHE_TEST}"
Display --indent 6 --text "Info: Configuration file found (${APACHE_CONFIGFILE})"
else
# Probably the prefix is missing, so we are going to search that
APACHE_HTTPDROOT=`${HTTPDBINARY} -V | grep "\-D HTTPD_ROOT=" | sed 's/[ ]-D HTTPD_ROOT=//' | tr -d '"' | tr -d ' '`
#echo "Apache root prefix: ${APACHE_HTTPDROOT}"
#echo "Complete path to configuration file: ${APACHE_HTTPDROOT}/${APACHE_TEST}"
APACHE_TESTFILE="${APACHE_HTTPDROOT}/${APACHE_TEST}"
if [ -f ${APACHE_TESTFILE} ]; then
APACHE_CONFIGFILE="${APACHE_TESTFILE}"
Display --indent 6 --text "Info: Configuration file found (${APACHE_CONFIGFILE})"
logtext "Result: Configuration file found (${APACHE_CONFIGFILE})"
else
logtext "Exception: File or directory ${APACHE_CONFIGFILE} does not exist"
Display --indent 6 --text "[Notice] possible directory/file parts found, but still unsure what the real configuration file is. Skipping some Apache related tests"
ReportException "${TEST_NO}:1" "Found some unknown directory or file references in Apache configuration"
fi
fi
fi
fi
#
#################################################################################
#
# Test : HTTP-6626
# Description : Testing other Apache configuration files
if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6626 --preqs-met ${PREQS_MET} --weight L --network NO --description "Testing other Apache configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
#Display --indent 4 --text "- Searching Apache virtual hosts..."
for I in ${sTEST_APACHE_TARGETS}; do
if [ -d ${I} ]; then
find ${I} -name "*.conf" -print >> ${TMPFILE2}
fi
done
# Sort unsorted list, save it in temp file and then remove unsorted list
if [ -f ${TMPFILE2} ]; then
sort ${TMPFILE2} | uniq >> ${TMPFILE}
rm -f ${TMPFILE2}
fi
cVHOSTS=0; tVHOSTS=""
# Check every configuration file
for I in `cat ${TMPFILE}`; do
logtext "Apache config file: ${I}"
# Search Virtual Hosts
for J in `cat ${I} | grep "ServerName" | grep -v "^#" | awk '{ if ($1=="ServerName") print $2 }'`; do
if [ ! -z ${J} ]; then
tVHOSTS="${tVHOSTS} ${J}"
cVHOSTS=`expr ${cVHOSTS} + 1`
fi
done
# Search Server aliases
for J in `cat ${I} | grep "ServerAlias" | grep -v "^#" | sed "s/.* ServerAlias//g" | sed "s/#.*//g"`; do
if [ ! -z ${J} ]; then
tVHOSTS="${tVHOSTS} ${J}"
cVHOSTS=`expr ${cVHOSTS} + 1`
fi
done
done
# Log all virtual hosts we found
for J in ${tVHOSTS}; do
if [ ! -z ${J} ]; then
logtext "Virtual host: ${J}"
report "apache_vhost_name[]=${J}"
fi
done
# Show number of vhosts if we found any
logtext "Result: found ${cVHOSTS} virtual hosts"
if [ ${cVHOSTS} -gt 0 ]; then
Display --indent 6 --text "Info: Found ${cVHOSTS} virtual hosts"
else
Display --indent 6 --text "Info: No virtual hosts found"
fi
fi
# Remove temp files
if [ -f ${TMPFILE} -a ! "${TMPFILE}" = "" ]; then
rm -f ${TMPFILE}
fi
if [ ! "${TMPFILE2}" = "" ]; then if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi; fi
#
#################################################################################
#
# Test : HTTP-6628
# Description : Testing other Apache configuration files
#if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no HTTP-6628 --preqs-met ${PREQS_MET} --weight L --network NO --description "Testing other Apache configuration file"
#if [ ${SKIPTEST} -eq 0 ]; then
# # Configuration specific tests
# SERVERTOKENSFOUND=0
# APACHE_CONFIGFILES="${APACHE_CONFIGFILE} /usr/local/etc/apache22/extra/httpd-default.conf /etc/apache2/sysconfig.d/global.conf"
#
# for APACHE_CONFIGFILE in ${APACHE_CONFIGFILES}; do
# if [ -f ${APACHE_CONFIGFILE} ]; then
# # Check if option ServerTokens is configured
# SERVERTOKENSTEST=`cat ${APACHE_CONFIGFILE} | grep ServerTokens | grep -v '^#'`
# if [ ! "${SERVERTOKENSTEST}" = "" ]; then
# Display --indent 4 --text "- Checking option ServerTokens..." --result FOUND --color WHITE
# SERVERTOKENSTEST=`echo ${SERVERTOKENSTEST} | sed 's/ServerTokens//' | tr -d ' '`
# logtext "Option ServerTokens found: ${SERVERTOKENSTEST}"
# SERVERTOKENSEXPECTED=`cat ${PROFILE} | grep 'apache' | grep 'ServerTokens' | cut -d ':' -f3`
# if [ "${SERVERTOKENSEXPECTED}" = "${SERVERTOKENSTEST}" ]; then
# logtext "Result: Value from configuration file yielded the same output as in template"
# SERVERTOKENSFOUND=1
# else
# logtext "Warning: Value of ServerTokens within active configuration is different than from used template."
# logtext "Found: ${SERVERTOKENSTEST}"
# logtext "Expected: ${SERVERTOKENSEXPECTED}"
# fi
# else
# Display --indent 4 --text "- Checking option ServerTokens..." --result "NOT FOUND" --color WHITE
# fi
#
# else
# # File does not exist, skipping
# logtext "File ${APACHE_CONFIGFILE} does not exist, so skipping tests on this file"
# fi
# done
#
# # Display results from checks
# if [ ${SERVERTOKENSFOUND} -eq 1 ]; then
# Display --indent 6 --text "- Value of ServerTokens..." --result OK --color GREEN
# else
# Display --indent 6 --text "- Value of ServerTokens..." --result WARNING --color RED
# ReportWarning ${TEST_NO} "M" "Value of 'ServerTokens' in Apache config is different than template"
# fi
# fi
# fi
# fi
#
#################################################################################
#
# Test : HTTP-6630
# Description : Search for all loaded modules
#if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no HTTP-6630 --preqs-met ${PREQS_MET} --weight L --network NO --description "Determining all loaded Apache modules"
#if [ ${SKIPTEST} -eq 0 ]; then
# Testing Debian style
#logtext "Test: searching loaded/enabled Apache modules"
#apachectl -t -D DUMP_MODULES 2>&1 | egrep -v "(Loaded Modules|Syntax OK)" | sed 's/(\(shared\|static\))//' | sed 's/ //'
#for I in ${APACHE_MODULES_ENABLED_LOCS}; do
#logtext "Test: checking ${I}"
#if [ -d ${I} ]; then
#FIND=`grep -r LoadModule ${I}/* | grep -v "^#" | awk '{ print $2":"$3 }'`
#else
#logtext "Result: ${I} does not exist"
#fi
#done
#fi
#
#################################################################################
#
# Test : HTTP-6632
# Description : Search for available Apache modules
if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6632 --preqs-met ${PREQS_MET} --weight L --network NO --description "Determining all available Apache modules"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: searching available Apache modules"
N=0
for I in ${APACHE_MODULES_LOCS}; do
DirectoryExists ${I}
if [ ${DIRECTORY_FOUND} -eq 1 ]; then
FIND=`find ${I} -name mod_* -print | sort`
for J in ${FIND}; do
report "apache_module[]=${J}"
logtext "Result: found Apache module ${J}"
N=`expr ${N} + 1`
done
fi
done
if [ ${N} -eq 0 ]; then
Display --indent 4 --text "* Loadable modules" --result "NONE" --color WHITE
ReportException "${TEST_NO}:1" "No loadable Apache modules found"
else
Display --indent 4 --text "* Loadable modules" --result "FOUND" --color GREEN
Display --indent 8 --text "- Found ${N} loadable modules"
fi
fi
#
#################################################################################
#
# Test : HTTP-6640
# Description : Search for special Apache modules: evasive
if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6640 --preqs-met ${PREQS_MET} --weight L --network NO --description "Determining existence of specific Apache modules"
if [ ${SKIPTEST} -eq 0 ]; then
# Check modules, module
CheckItem "apache_module" "/mod_evasive20.so"
if [ ${ITEM_FOUND} -eq 1 ]; then
Display --indent 10 --text "mod_evasive: anti-DoS/brute force" --result FOUND --color GREEN
AddHP 3 3
else
Display --indent 10 --text "mod_evasive: anti-DoS/brute force" --result "NOT FOUND" --color WHITE
AddHP 2 3
ReportSuggestion ${TEST_NO} "Install Apache mod_evasive to guard webserver against DoS/brute force attempts"
fi
fi
#
#################################################################################
#
# Test : HTTP-6641
# Description : Search for special Apache modules: Quality of Service
if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6641 --preqs-met ${PREQS_MET} --weight L --network NO --description "Determining existence of specific Apache modules"
if [ ${SKIPTEST} -eq 0 ]; then
# Check modules, module
CheckItem "apache_module" "/mod_qos.so"
if [ ${ITEM_FOUND} -eq 1 ]; then
Display --indent 10 --text "mod_qos: anti-Slowloris" --result FOUND --color GREEN
AddHP 3 3
else
Display --indent 10 --text "mod_qos: anti-Slowloris" --result "NOT FOUND" --color WHITE
AddHP 2 3
ReportSuggestion ${TEST_NO} "Install Apache mod_qos to guard webserver against Slowloris attacks"
fi
fi
#
#################################################################################
#
# Test : HTTP-6642
# Description : Search for special Apache modules: Spamhaus
if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6642 --preqs-met ${PREQS_MET} --weight L --network NO --description "Determining existence of specific Apache modules"
if [ ${SKIPTEST} -eq 0 ]; then
# Check modules, module
CheckItem "apache_module" "/mod_spamhaus.so"
if [ ${ITEM_FOUND} -eq 1 ]; then
Display --indent 10 --text "mod_spamhaus: anti-spam (spamhaus)" --result FOUND --color GREEN
AddHP 3 3
else
Display --indent 10 --text "mod_spamhaus: anti-spam (spamhaus)" --result "NOT FOUND" --color WHITE
AddHP 2 3
ReportSuggestion ${TEST_NO} "Install Apache mod_spamhaus to guard webserver against spammers"
fi
fi
#
#################################################################################
#
# Test : HTTP-6643
# Description : Search for special Apache modules: security
if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6643 --preqs-met ${PREQS_MET} --weight L --network NO --description "Determining existence of specific Apache modules"
if [ ${SKIPTEST} -eq 0 ]; then
# Check modules, module
CheckItem "apache_module" "/mod_security2.so"
if [ ${ITEM_FOUND} -eq 1 ]; then
Display --indent 10 --text "ModSecurity: web application firewall" --result FOUND --color GREEN
AddHP 3 3
else
Display --indent 10 --text "ModSecurity: web application firewall" --result "NOT FOUND" --color WHITE
AddHP 2 3
ReportSuggestion ${TEST_NO} "Install Apache modsecurity to guard webserver against web application attacks"
fi
# Extend test with nginx?
fi
#
#################################################################################
#
# Test : HTTP-6660
# Description : Search for "TraceEnable off" in configuration files
#
#################################################################################
#
# Test : HTTP-6702
# Description : Search for nginx process
Register --test-no HTTP-6702 --weight L --network NO --description "Check nginx process"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: searching running nginx process"
FIND=`${PSBINARY} ax | grep "/nginx" | grep "master" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found running nginx process(es)"
Display --indent 2 --text "- Checking nginx" --result FOUND --color GREEN
NGINX_RUNNING=1
else
logtext "Result: no running nginx process found"
Display --indent 2 --text "- Checking nginx" --result "NOT FOUND" --color WHITE
fi
fi
#
#################################################################################
#
# Test : HTTP-6704
# Description : Search for nginx configuration file
if [ ${NGINX_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6704 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nginx configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: searching nginx configuration file"
#YYY warning if multiple nginx.conf files are found
for I in ${NGINX_CONF_LOCS}; do
if [ -f ${I}/nginx.conf ]; then
NGINX_CONF_LOCATION="${I}/nginx.conf"
logtext "Found file ${NGINX_CONF_LOCATION}"
fi
done
#YYY strings /usr/sbin/nginx | grep "conf$"
if [ ! "${NGINX_CONF_LOCATION}" = "" ]; then
logtext "Result: found nginx configuration file"
report "nginx_main_conf_file=${NGINX_CONF_LOCATION}"
Display --indent 4 --text "- Searching nginx configuration file" --result FOUND --color GREEN
#FIND=`cat ${NGINX_CONF_LOCATION} | sed -e 's/^[ \t]*//' | grep -v "^#" | grep -v "^$" | sed 's/[\t]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE2}`
else
logtext "Result: no nginx configuration file found"
Display --indent 2 --text "- Searching nginx configuration file" --result "NOT FOUND" --color WHITE
fi
fi
#
#################################################################################
#
# Test : HTTP-6706
# Description : Search for includes within nginx configuration file
# Notes : Daemon nginx should be running, nginx.conf should be found
if [ ${NGINX_RUNNING} -eq 1 -a "${NGINX_CONF_LOCATION}" != "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6706 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for additional nginx configuration files"
if [ ${SKIPTEST} -eq 0 ]; then
# Remove temp file
if [ ! "${TMPFILE}" = "" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi
N=0
# Search for included configuration files (may include directories and wild cards)
FIND=`grep "include" ${NGINX_CONF_LOCATION} | ${AWKBINARY} '{ if ($1=="include") { print $2 }}' | sed 's/;$//g'`
for I in ${FIND}; do
FIND2=`${LSBINARY} ${I} 2>/dev/null`
for J in ${FIND2}; do
# Double check if we are dealing with a file
if [ -f ${J} ]; then
N=`expr ${N} + 1`
logtext "Result: found Nginx configuration file ${J}"
report "nginx_sub_conf_file=${J}"
FIND3=`cat ${J} | sed -e 's/^[ \t]*//' | grep -v "^#" | grep -v "^$" | sed 's/[\t]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE2}`
fi
done
done
# Sort all discovered configuration lines and store unique ones. Also strip out the mime types configured in nginx
SORTFILE=`cat ${TMPFILE2} | sort | uniq | sed 's/ /:space:/g' | egrep -v "(application|audio|image|text|video)/" | egrep -v "({|})"`
for I in ${SORTFILE}; do
I=`echo ${I} | sed 's/:space:/ /g'`
report "nginx_config_option=${I}";
done
# Remove unsorted file for next tests
if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi
if [ ${N} -eq 0 ]; then
logtext "Result: no nginx include statements found"
else
Display --indent 6 --text "- Found nginx includes" --result "${N} FOUND" --color GREEN
fi
fi
#
#################################################################################
#
# Test : HTTP-6708
# Description : Check discovered nginx configuration settings for further hardering
# Notes : Daemon of nginx should be running, nginx.conf should be found
if [ ${NGINX_RUNNING} -eq 1 -a "${NGINX_CONF_LOCATION}" != "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6708 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check discovered nginx configuration settings"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: start parsing all discovered nginx options"
Display --indent 4 --text "- Parsing configuration options..."
ParseNginx
fi
#
#################################################################################
#
# Test : HTTP-6710
# Description : Check SSL configuration of nginx
# Notes : Daemon of nginx should be running, nginx.conf should be found
if [ ${NGINX_RUNNING} -eq 1 -a "${NGINX_CONF_LOCATION}" != "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6710 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nginx SSL configuration settings"
if [ ${SKIPTEST} -eq 0 ]; then
NGINX_SSL_SUGGESTION=0
if [ ${NGINX_SSL_ON} -eq 1 ]; then
logtext "Result: SSL is configured in nginx on one or more virtual hosts"
Display --indent 6 --text "- SSL configured" --result "YES" --color GREEN
AddHP 5 5
# Cipher tests
if [ ${NGINX_SSL_CIPHERS} -eq 1 ]; then
Display --indent 8 --text "- Ciphers configured" --result "YES" --color GREEN
else
Display --indent 8 --text "- Ciphers configured" --result "NO" --color RED
NGINX_SSL_SUGGESTION=1
fi
if [ ${NGINX_SSL_PREFER_SERVER_CIPHERS} -eq 1 ]; then
Display --indent 8 --text "- Prefer server ciphers" --result "YES" --color GREEN
else
Display --indent 8 --text "- Prefer server ciphers" --result "NO" --color RED
NGINX_SSL_SUGGESTION=1
fi
if [ ${NGINX_SSL_PROTOCOLS} -eq 1 ]; then
Display --indent 8 --text "- Protocols configured" --result "YES" --color GREEN
else
Display --indent 8 --text "- Protocols configured" --result "NO" --color RED
NGINX_SSL_SUGGESTION=1
fi
else
logtext "Result: No SSL configuration found"
Display --indent 6 --text "- SSL configured" --result "NO" --color RED
NGINX_SSL_SUGGESTION=1
AddHP 1 5
fi
if [ ${NGINX_SSL_SUGGESTION} -eq 1 ]; then
logtext "Result: one or more parts of the nginx configuration could be enhanced regarding SSL"
ReportSuggestion ${TEST_NO} "Configure SSL in nginx for protection of sensitive data and privacy"
fi
fi
#
#################################################################################
#
# Test : HTTP-6712
# Description : Check logging configuration of nginx
# Notes : Daemon of nginx should be running, nginx.conf should be found
if [ ${NGINX_RUNNING} -eq 1 -a "${NGINX_CONF_LOCATION}" != "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6712 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nginx access logging"
if [ ${SKIPTEST} -eq 0 ]; then
NGINX_LOG_SUGGESTION=0
Display --indent 6 --text "- Checking log file configuration..."
# Check for missing access log
if [ ${NGINX_ACCESS_LOG_MISSING} -eq 1 ]; then
NGINX_LOG_SUGGESTION=1
Display --indent 8 --text "- Missing log files (access_log)" --result "YES" --color RED
else
Display --indent 8 --text "- Missing log files (access_log)" --result "NO" --color GREEN
fi
# Access log disabled
if [ ${NGINX_ACCESS_LOG_DISABLED} -eq 1 ]; then
NGINX_LOG_SUGGESTION=1
logtext "Result: found one or more virtual hosts which have their access log disabled"
Display --indent 8 --text "- Disabled access logging" --result "YES" --color RED
AddHP 2 3
else
logtext "Result: no virtual hosts found which have their access log disabled"
Display --indent 8 --text "- Disabled access logging" --result "NO" --color GREEN
AddHP 3 3
fi
# Report suggestion
if [ ${NGINX_LOG_SUGGESTION} -eq 1 ]; then
ReportSuggestion ${TEST_NO} "Check your nginx access log for proper functioning"
fi
fi
#
#################################################################################
#
# Test : HTTP-6714
# Description : Check missing error logs in nginx
if [ ${NGINX_RUNNING} -eq 1 -a "${NGINX_CONF_LOCATION}" != "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6714 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for missing error logs in nginx"
if [ ${SKIPTEST} -eq 0 ]; then
NGINX_LOG_SUGGESTION=0
# Check for missing access log
if [ ${NGINX_ERROR_LOG_MISSING} -eq 1 ]; then
NGINX_LOG_SUGGESTION=1
Display --indent 8 --text "- Missing log files (error_log)" --result "YES" --color RED
else
Display --indent 8 --text "- Missing log files (error_log)" --result "NO" --color GREEN
fi
# Report suggestion
if [ ${NGINX_LOG_SUGGESTION} -eq 1 ]; then
ReportSuggestion ${TEST_NO} "Check your nginx error_log statements"
fi
fi
#
#################################################################################
#
# Test : HTTP-6716
# Description : Check debug mode on error log in nginx
if [ ${NGINX_RUNNING} -eq 1 -a "${NGINX_CONF_LOCATION}" != "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6716 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for debug mode on error log in nginx"
if [ ${SKIPTEST} -eq 0 ]; then
NGINX_LOG_SUGGESTION=0
# Access log in debug mode
if [ ${NGINX_ERROR_LOG_DEBUG} -eq 1 ]; then
NGINX_LOG_SUGGESTION=1
logtext "Result: found one or more virtual hosts which have their error log in debug mode"
Display --indent 8 --text "- Debugging mode on error_log" --result "YES" --color RED
AddHP 2 3
else
logtext "Result: no virtual hosts found which have their access log disabled"
Display --indent 8 --text "- Debugging mode on error_log" --result "NO" --color GREEN
AddHP 3 3
fi
# Report suggestion
if [ ${NGINX_LOG_SUGGESTION} -eq 1 ]; then
ReportSuggestion ${TEST_NO} "Check your nginx error_log statements"
fi
fi
#
#################################################################################
#
# Test : HTTP-6712
# Description : Check if nginx is running as a reverse proxy
# Notes : aliases are not counted yet (YYY)
# if [ ${NGINX_RUNNING} -eq 1 -a ! "${NGINX_CONF_LOCATION}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Register --test-no HTTP-6708 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nginx virtual hosts"
# if [ ${SKIPTEST} -eq 0 ]; then
# N=0
# logtext "Test: searching proxy_pass statement in configuration file ${NGINX_CONF_LOCATION}"
# FIND=`grep "proxy_pass" ${NGINX_CONF_LOCATION} | grep -v "#" | sed 's/proxy_pass//g' | tr -d ';'`
# for I in ${FIND}; do
# logtext "Found reverse proxy configuration for: ${I}"
# N=`expr ${N} + 1`
# done
# if [ ${N} -eq 0 ]; then
# logtext "Result: no reverse proxying functionality found"
# Display --indent 4 --text "- Searching reverse proxy functionality..." --result "NOT FOUND" --color WHITE
# else
# logtext "Result: found ${N} addresses for which nginx will be a reverse proxy"
# Display --indent 4 --text "- Searching reverse proxy functionality..." --result "${N} FOUND" --color GREEN
# fi
# fi
#
#################################################################################
#
# Test : HTTP-6712
# Description : Search for nginx virtual hosts
# Notes : Test if not aware yet of included configuration files
# if [ ${NGINX_RUNNING} -eq 1 -a ! "${NGINX_CONF_LOCATION}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Register --test-no HTTP-6712 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nginx virtual hosts"
# if [ ${SKIPTEST} -eq 0 ]; then
# N=0
# logtext "Test: searching nginx virtual hosts"
# FIND=`grep "server_name" ${NGINX_CONF_LOCATION} | grep -v "#" | sed 's/server_name//g' | tr -d ';'`
# for I in ${FIND}; do
# if [ "${I}" = "_" ]; then I="Default virtual host"; fi
# logtext "Found virtual host: ${I}"
# report "nginx_vhost_name[]=${I}"
# N=`expr ${N} + 1`
# done
# if [ ${N} -eq 0 ]; then
# logtext "Result: no virtual hosts found"
# Display --indent 4 --text "- Searching virtual hosts..." --result "NOT FOUND" --color WHITE
# else
# logtext "Result: found ${N} virtual hosts"
# Display --indent 4 --text "- Searching virtual hosts..." --result "${N} FOUND" --color GREEN
# fi
# fi
#
#################################################################################
#
# Test : HTTP-6720
# Description : Search for Nginx log files
if [ ${NGINX_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6720 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Nginx log files"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking directories for files with log file definitions"
for I in ${NGINX_CONF_LOCS}; do
logtext "Test: Checking ${I}"
if [ -d ${I} ]; then
logtext "Result: Directory ${I} exists, so will be used as search path"
FIND=`find ${I} -exec grep access_log \{\} \; | grep -v "#" | awk '{ if($1=="access_log") { print $2 } }' | sed 's/;$//g' | sort | uniq`
if [ "${FIND}" = "" ]; then
logtext "Result: no log files found"
else
logtext "Result: found one or more log files"
for I in ${FIND}; do
if [ -f ${I} ]; then
logtext "Found log file: ${I}"
report "log_file=${I}"
else
logtext "Found non existing log file: ${I}"
fi
done
fi
else
logtext "Result: directory ${I} not found, skipping search in this directory."
fi
done
fi
#
#################################################################################
#
# Test : HTTP-6740
# Description : Nginx: Check for server_tokens off in configuration files
#
#################################################################################
#
# Scan for websites
#/etc/apache2/sites-available
#
#################################################################################
#
# Remove temp file (double check)
if [ ! "${TMPFILE}" = "" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi
if [ ! "${TMPFILE2}" = "" ]; then if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi; fi
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - cisofy.com - The Netherlands
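Review bot: the include discovery in the block ending here resolves nginx include paths relative to Lynis's own working directory rather than nginx's configuration prefix, so a common form such as `include conf.d/*.conf;` expands to nothing, `FIND2=\`${LSBINARY} ${I} 2>/dev/null\`` stays empty, and the sub-configuration lines never reach HTTP-6708/HTTP-6710. When the include names a directory, `ls` prints bare basenames, so the `if [ -f ${J} ]` guard also fails for every entry. Prefix relative paths with the directory of `${NGINX_CONF_LOCATION}` and expand the glob via `find` or shell globbing instead of parsing `ls`. Smaller points in the same region: `FIND3=\`cat ${J} | ... >> ${TMPFILE2}\`` captures a command whose output is redirected, so `FIND3` is always empty and unused; the HTTP-6716 branch logs "no virtual hosts found which have their access log disabled" where it should state that no error_log is in debug mode; "hardering" in the HTTP-6708 description should be "hardening"; and the two commented-out blocks carry test IDs HTTP-6712 and HTTP-6708, which collide with the live tests of the same IDs if they are ever re-enabled.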

748
lynis Executable file

@ -0,0 +1,748 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Lynis is an automated auditing tool for Unix based operating systems.
#
#################################################################################
#
# Program information
PROGRAM_name="Lynis"
PROGRAM_version="1.6.0"
PROGRAM_releasedate="xx August 2014"
PROGRAM_author="Michael Boelen"
PROGRAM_author_contact="michael@cisofy.com"
PROGRAM_website="http://cisofy.com"
PROGRAM_copyright="Copyright 2007-2014 - ${PROGRAM_author}, ${PROGRAM_website}"
PROGRAM_license="${PROGRAM_name} comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
welcome to redistribute it under the terms of the GNU General Public License.
See the LICENSE file for details about using this software."
PROGRAM_extrainfo="Enterprise support and plugins available via CISOfy - http://cisofy.com"
# Release version (beta or final)
PROGRAM_releasetype="final"
# Version number of report files (when format changes in future)
REPORT_version_major="1"; REPORT_version_minor="0"
REPORT_version="${REPORT_version_major}.${REPORT_version_minor}"
#
#################################################################################
#
# Configure Include path and files
#
#################################################################################
# Test from which directories we can use all functions and tests
#################################################################################
#
# Set default to none for later testing
INCLUDEDIR=""
# Default paths to check (CWD as last option, in case we run from standalone)
tINCLUDE_TARGETS="/usr/local/include/lynis /usr/local/lynis/include /usr/share/lynis/include ./include"
for I in ${tINCLUDE_TARGETS}; do if [ -d ${I} ]; then INCLUDEDIR=${I}; fi; done
# Drop out if our include directory can't be found
if [ "${INCLUDEDIR}" = "" ]; then
echo "Fatal error: can't find include directory"
echo "Make sure to execute ${PROGRAM_name} from untarred directory or check your installation."
exit 1
fi
tDB_TARGETS="/usr/local/share/lynis/db /usr/local/lynis/db /usr/share/lynis/db ./db"
for I in ${tDB_TARGETS}; do if [ -d ${I} ]; then DBDIR=${I}; fi; done
#
#################################################################################
#
MYID=""
# Check user. We need root to be able to audit and use all required system tools
# If we encounter Solaris, use that instead
if [ -x /usr/xpg4/bin/id ]; then
MYID=`/usr/xpg4/bin/id -u`
else
MYID=`id -u`
fi
if [ ! ${MYID} -eq 0 ]; then
echo ""; echo ""; echo "Fatal error: Lynis can not be executed with this user ID."
echo ""
echo " * You have to be root (or equivalent) to perform an audit. Please su(do) and try again."
echo ""; echo ""
exit 1
fi
#
#################################################################################
#
# Consts
# (bin paths, text strings, colors)
#
#################################################################################
#
# Perform a basic check for permissions. After including functions, using SafePerms()
PERMS=`ls -l ${INCLUDEDIR}/consts | cut -c 2-10`
PERMS2=`ls -l ${INCLUDEDIR}/functions | cut -c 2-10`
OWNER=`ls -l ${INCLUDEDIR}/consts | awk -F" " '{ print $3 }'`
OWNER2=`ls -l ${INCLUDEDIR}/functions | awk -F" " '{ print $3 }'`
ISSUE=0
# Check permissions of include/consts file
if [ ! "${PERMS}" = "r--------" -a ! "${PERMS}" = "rw-------" ]; then
ISSUE=1
echo "[!] Change file permissions of ${INCLUDEDIR}/consts to 600"
fi
# Check permissions of include/functions file
if [ ! "${PERMS2}" = "r--------" -a ! "${PERMS2}" = "rw-------" ]; then
ISSUE=1
echo "[!] Change file permissions of ${INCLUDEDIR}/functions to 600"
fi
# Check if owner of both files is root user
if [ ! "${OWNER}" = "root" -o ! "${OWNER2}" = "root" ]; then
ISSUE=1
echo "[!] Change ownership of ${INCLUDEDIR}/consts and ${INCLUDEDIR}/functions to 'root'"
fi
if [ ${ISSUE} -eq 0 ]; then
. ${INCLUDEDIR}/consts
. ${INCLUDEDIR}/functions
else
echo ""; echo "";
echo "[X] Security check failed: See action above to correct this issue."
echo " Please change ownership and permissions of the related files and start Lynis again."
echo ""
echo "Related commands:"
echo "chown root ${INCLUDEDIR}/*"
echo "chmod 600 ${INCLUDEDIR}/*"
echo ""; echo "";
exit 1
fi
#
#################################################################################
#
# Traps
#
#################################################################################
#
trap Maid INT
# Use safe umask for the files we create
umask 027
# Drop out on unintialised variables / fatal errors
#set -u
#
#################################################################################
#
# Plugins
#
#################################################################################
#
# Plugin directory test
if [ "${PLUGINDIR}" = "" ]; then
#logtext "Result: Searching for plugindir"
tPLUGIN_TARGETS="/usr/local/lynis/plugins /usr/local/share/lynis/plugins /usr/share/lynis/plugins /etc/lynis/plugins ./plugins"
for I in ${tPLUGIN_TARGETS}; do
if [ -d ${I} ]; then
PLUGINDIR=${I}
Debug "Result: found plugindir ${PLUGINDIR}"
fi
done
fi
# Drop out if our plugin directory can't be found
if [ ! -d ${PLUGINDIR} ]; then
echo "Fatal error: can't find plugin directory ${PLUGINDIR}"
echo "Make sure to execute ${PROGRAM_name} from untarred directory or check your installation."
exit 1
fi
#
#################################################################################
#
# Parameter checks
#
#################################################################################
#
SafePerms ${INCLUDEDIR}/parameters
. ${INCLUDEDIR}/parameters
#
#################################################################################
#
# Program information
#
#################################################################################
#
# CV - Current Version
PROGRAM_AC=`echo ${PROGRAM_version} | awk '{ print $1 }' | sed 's/[.]//g'`
PROGRAM_LV=0
#DB_MALWARE_CV=`grep "^#version=" ${DBDIR}/malware.db | cut -d '=' -f2`
#DB_FILEPERMS_CV=`grep "^#version=" ${DBDIR}/fileperms.db | cut -d '=' -f2`
# Number of signatures
#DB_MALWARE_IC=`grep -v "^#" ${DBDIR}/malware.db | wc -l | tr -s ' ' | tr -d ' '`
if [ ${VIEWUPDATEINFO} -eq 1 ]; then
CheckUpdates
# Reset everything if we can't determine our current version or the latest
# available version (due lack of internet connectivity for example)
if [ "${PROGRAM_AC}" = "" -o "${PROGRAM_LV}" = "" ]; then
# Set both to safe values
PROGRAM_AC=0
#DB_MALWARE_LV=0; DB_MALWARE_CV=0
#DB_FILEPERMS_LV=0; DB_FILEPERMS_CV=0
fi
echo ""; echo " == ${WHITE}${PROGRAM_name}${NORMAL} =="; echo ""
echo -n " Version : ${PROGRAM_version}"
if [ ${PROGRAM_LV} -gt ${PROGRAM_AC} ]; then
echo " [ ${YELLOW}Outdated${NORMAL} ]";
else
echo " [ ${GREEN}Up-to-date${NORMAL} ]"
fi
echo " Release date : ${PROGRAM_releasedate}"
echo " Update location : ${PROGRAM_website}"
# echo ""
# echo " == ${WHITE}Plugins${NORMAL} =="
# echo ""
# echo " == ${WHITE}Databases${NORMAL} =="
# echo " Current Latest Status"
# echo " -----------------------------------------------------------------------------"
# echo -n " Malware : ${DB_MALWARE_CV} ${DB_MALWARE_LV} "
# if [ ${DB_MALWARE_LV} -gt ${DB_MALWARE_CV} ]; then echo "${WARNING}Outdated${NORMAL}"; else echo "${OK}Up-to-date${NORMAL}"; fi
# echo -n " File perms : ${DB_FILEPERMS_CV} ${DB_FILEPERMS_LV} "
# if [ ${DB_FILEPERMS_LV} -gt ${DB_FILEPERMS_CV} ]; then echo "${WARNING}Outdated${NORMAL}"; else echo "${OK}Up-to-date${NORMAL}"; fi
echo ""; echo ""
echo "${PROGRAM_copyright}"; echo ""
# Quit program
ExitClean
fi
#
#################################################################################
#
# Initialize and default settings
#
#################################################################################
#
if [ "${PROGRAM_releasetype}" = "beta" ]; then
echo "${YELLOW}"
echo " #########################################################"
echo " # BETA SOFTWARE #"
echo " #########################################################"
echo ""
echo " Thank you for testing a beta release. Make sure to read"
echo " all available documentation before proceeding and/or"
echo " requesting support. Due the nature of beta releases, it"
echo " is possible new features give unexpected warnings."
echo ""
echo " Press [ENTER] to continue or [CTRL] + C to break"
echo ""
echo " #########################################################"
echo "${NORMAL}"; echo ""
if [ ${NEVERBREAK} -eq 0 ]; then read void; fi
fi
if [ ${QUIET} -eq 0 ]; then
echo ""
echo "${WHITE}[ ${PROGRAM_name} ${PROGRAM_version} ]${NORMAL}"
echo ""
echo "################################################################################"
echo " ${PROGRAM_license}"
echo ""
echo " ${PROGRAM_copyright}"
echo " ${PROGRAM_extrainfo}"
echo "################################################################################"
fi
#
#################################################################################
#
InsertSection "Initializing program"
# Try to find a default profile file, if none is specified
if [ "${PROFILE}" = "" ]; then
tPROFILE_TARGETS="/usr/local/etc/lynis/default.prf /etc/lynis/default.prf ./default.prf"
for I in ${tPROFILE_TARGETS}; do
if [ -f ${I} ]; then PROFILE=${I}; fi
done
fi
# Initialize and check profile file, auditor name, log file and report file
if [ ! -r ${PROFILE} ]; then echo "Fatal error: Can't open profile file (${PROFILE})"; exit 1; fi
if [ "${AUDITORNAME}" = "" ]; then AUDITORNAME="[Unknown]"; fi
if [ "${LOGFILE}" = "" ]; then LOGFILE="/var/log/lynis.log"; fi
if [ "${REPORTFILE}" = "" ]; then REPORTFILE="/var/log/lynis-report.dat"; fi
#
#################################################################################
#
# PID :: Check PID file, to avoid multiple instances running at the same time.
#
#################################################################################
#
# Check if there is already a PID file (incorrect termination of previous instance)
if [ -f lynis.pid -o -f /var/run/lynis.pid ]; then
echo ""
echo " ${WARNING}Warning${NORMAL}: ${WHITE}PID file exists, probably another Lynis process is running.${NORMAL}"
echo " ------------------------------------------------------------------------------"
echo " If you are unsure another Lynis process is running currently, you are adviced "
echo " to stop current process and check the process list first. If you cancelled"
echo " (by using CTRL+C) a previous instance, you can ignore this message."
echo " "
echo " You are adviced to check for temporary files after program completion."
echo " ------------------------------------------------------------------------------"
echo ""
echo " ${YELLOW}Note: ${WHITE}Cancelling the program can leave temporary files behind${NORMAL}"
echo ""
wait_for_keypress
if [ -f lynis.pid ]; then rm -f lynis.pid; fi
if [ -f /var/run/lynis.pid ]; then rm -f /var/run/lynis.pid; fi
#YYY Display function not working yet from here, due to OS detection
#Display --indent 2 --text "- Deleting old PID file..." --result DONE --color GREEN
fi
# Create new PID file (use work directory if /var/run is not available)
if [ -d /var/run ]; then PIDFILE="/var/run/lynis.pid"; else PIDFILE="lynis.pid"; fi
OURPID=`echo $$`
echo ${OURPID} > ${PIDFILE}
chmod 600 ${PIDFILE}
#
#################################################################################
#
# Check program parameters
#
#################################################################################
#
# Bail out if we didn't get any parameter, or incorrect ones
if [ ${PARAMCOUNT} -eq 0 -o ${WRONGOPTION} -eq 1 -o ${VIEWHELP} -eq 1 ]; then
#echo " =================================================="
echo " ${WHITE}Scan options:${NORMAL}"
echo " --auditor \"<name>\" : Auditor name"
echo " --check-all (-c) : Check system"
echo " --no-log : Don't create a log file"
echo " --profile <profile> : Scan the system with the given profile file"
echo " --quick (-Q) : Quick mode, don't wait for user input"
echo " --tests \"<tests>\" : Run only tests defined by <tests>"
echo " --tests-category \"<category>\" : Run only tests defined by <category>"
echo ""
echo " ${WHITE}Layout options:${NORMAL}"
echo " --no-colors : Don't use colors in output"
echo " --quiet (-q) : No output, except warnings"
echo " --reverse-colors : Optimize color display for light backgrounds"
echo ""
echo " ${WHITE}Misc options:${NORMAL}"
echo " --check-update : Check for updates"
echo " --debug : Debug logging to screen"
echo " --view-manpage (--man) : View man page"
echo " --version (-V) : Display version number and quit"
echo ""
echo " ${GREEN}Enterprise options:${NORMAL}"
echo " --plugin-dir \"<path\"> : Define path of available plugins"
echo " --upload : Upload data to central node"
echo ""
if [ ${WRONGOPTION} -eq 1 ]; then
echo " ${RED}Error${NORMAL}: ${WHITE}Invalid option ${WRONGOPTION_value}!${NORMAL}"
else
if [ ${VIEWHELP} -eq 0 ]; then
echo " ${RED}Error${NORMAL}: ${WHITE}No parameters specified!${NORMAL}"
fi
fi
echo " See man page and documentation for all available options."
echo ""
echo "Exiting.."
# Cleanup PID file if we drop out earlier
RemovePIDFile
# Exit with exit code 1
exit 1
fi
#
#################################################################################
#
# OS Detection
#
#################################################################################
#
SafePerms ${INCLUDEDIR}/osdetection
. ${INCLUDEDIR}/osdetection
Display --indent 2 --text "- Detecting OS... " --result DONE --color GREEN
# Check hostname
case ${OS} in
HP-UX)
HOSTNAME=`hostname` ;;
Solaris)
HOSTNAME=`uname -n` ;;
*)
HOSTNAME=`hostname -s 2> /dev/null` ;;
esac
FQDN=`hostname 2> /dev/null`
if [ "${OS}" = "Linux" -a "${HOSTNAME}" = "${FQDN}" ]; then
FQDN=`hostname -f 2> /dev/null`
fi
#
#################################################################################
#
# Clear log and report files
#
#################################################################################
#
# Clear log file and test if it's writable
logtext "### Starting ${PROGRAM_name} ${PROGRAM_version} with PID ${OURPID}, build date ${PROGRAM_releasedate} ###" > ${LOGFILE}
if [ $? -eq 0 ]; then
Display --indent 2 --text "- Clearing log file (${LOGFILE})... " --result DONE --color GREEN
else
Display --indent 2 --text "- Clearing log file (${LOGFILE})... " --result WARNING --color RED
echo "${WARNING}Fatal error${NORMAL}: problem while writing to log file. Check location and permissions."
RemovePIDFile
exit 1
fi
logtext "### ${PROGRAM_copyright} ###"
# Clear report file (to avoid appending to an existing file)
echo "# ${PROGRAM_name} Report" > ${REPORTFILE}
report "report_version_major=${REPORT_version_major}"
report "report_version_minor=${REPORT_version_minor}"
CDATE=`date "+%F %H:%M:%S"`
report "report_datetime_start=${CDATE}"
report "auditor=${AUDITORNAME}"
report "lynis_version=${PROGRAM_version}"
report "os=${OS}"
report "os_name=${OS_NAME}"
report "os_fullname=${OS_FULLNAME}"
report "os_version=${OS_VERSION}"
if [ "${OS}" = "Linux" ]; then report "linux_version=${LINUX_VERSION}"; fi
report "hostname=${HOSTNAME}"
#
#################################################################################
#
# Show program information to display
#
#################################################################################
#
if [ ${QUIET} -eq 0 ]; then
echo ""
echo " ---------------------------------------------------"
echo " Program version: ${PROGRAM_version}"
echo " Operating system: ${OS}"
echo " Operating system name: ${OS_NAME}"
echo " Operating system version: ${OS_VERSION}"
if [ ! "${OS_MODE}" = "" ]; then echo " Operating system mode: ${OS_MODE}"; fi
echo " Kernel version: ${OS_KERNELVERSION}"
echo " Hardware platform: ${HARDWARE}"
echo " Hostname: ${HOSTNAME}"
echo " Auditor: ${AUDITORNAME}"
echo " Profile: ${PROFILE}"
echo " Log file: ${LOGFILE}"
echo " Report file: ${REPORTFILE}"
echo " Report version: ${REPORT_version}"
echo " Plugin directory: ${PLUGINDIR}"
#echo " Database directory: ${DBDIR}"
echo " ---------------------------------------------------"
fi
logtext "Program version: ${PROGRAM_version}"
logtext "Operating system: ${OS}"
logtext "Operating system name: ${OS_NAME}"
logtext "Operating system version: ${OS_VERSION}"
if [ ! "${OS_MODE}" = "" ]; then logtext "Operating system mode: ${OS_MODE}"; fi
logtext "Kernel version: ${OS_KERNELVERSION}"
logtext "Hardware platform: ${HARDWARE}"
logtext "Hostname: ${HOSTNAME}"
logtext "Auditor: ${AUDITORNAME}"
logtext "Profile: ${PROFILE}"
logtext "Log file: ${LOGFILE}"
logtext "Report file: ${REPORTFILE}"
logtext "Report version: ${REPORT_version}"
logtext "-----------------------------------------------------"
logtext "Include directory: ${INCLUDEDIR}"
logtext "Plugin directory: ${PLUGINDIR}"
logtext "Database directory: ${DBDIR}"
logtextbreak
wait_for_keypress
#
#################################################################################
#
# Read profile/template/plugins
#
#################################################################################
#
SafePerms ${INCLUDEDIR}/profiles
. ${INCLUDEDIR}/profiles
#
#################################################################################
#
# Check for program update (people tend to be lazy and don't perform updates =))
#
#################################################################################
#
logtext "Test: Checking for program update..."
UPDATE_AVAILABLE=0
if [ ${SKIP_UPGRADE_TEST} -eq 1 ]; then
logtext "Upgrade test skipped due profile option set (skip_upgrade_test)"
PROGRAM_LV="${PROGRAM_AC}"
else
CheckUpdates
fi
if [ "${PROGRAM_AC}" = "" -o "${PROGRAM_LV}" = "" ]; then
Display --indent 2 --text "- Program update status... " --result UNKNOWN --color YELLOW
logtext "Result: Update check failed. No network connection?"
logtext "Info: to perform an automatic update check, outbound DNS connections should be allowed (TXT record)."
# Set both to safe values
PROGRAM_AC=0; PROGRAM_LV=0
else
logtext "Current installed version : ${PROGRAM_AC}"
logtext "Latest stable version : ${PROGRAM_LV}"
if [ ${PROGRAM_LV} -gt ${PROGRAM_AC} ]; then
# Check if current version is REALLY outdated (10 versions ago)
PROGRAM_MINVERSION=`expr ${PROGRAM_LV} - 10`
logtext "Minimum required version : ${PROGRAM_MINVERSION}"
if [ ${PROGRAM_MINVERSION} -gt ${PROGRAM_AC} ]; then
Display --indent 2 --text "- Program update status... " --result "WARNING" --color RED
logtext "Result: This version is VERY outdated. Newer ${PROGRAM_name} release available!"
ReportWarning "NONE" "Version of Lynis is very old and should be updated"
report "lynis_update_available=1"
UPDATE_AVAILABLE=1
else
Display --indent 2 --text "- Program update status... " --result "UPDATE AVAILABLE" --color YELLOW
logtext "Result: newer ${PROGRAM_name} release available!"
ReportSuggestion "NONE" "Version of Lynis outdated, consider upgrading to the latest version"
report "lynis_update_available=1"
UPDATE_AVAILABLE=1
fi
echo ""
echo " ==============================================================================="
echo " ${NOTICE}${PROGRAM_name} update available${NORMAL}"
echo " ==============================================================================="
echo ""
echo " Current version : ${YELLOW}${PROGRAM_AC}${NORMAL} Latest version : ${GREEN}${PROGRAM_LV}${NORMAL}"
echo ""
echo " ${WHITE}Please update to the latest version for new features, bug fixes, tests"
echo " and baselines.${NORMAL}"
echo ""
echo " http://cisofy.com/downloads/"
echo ""
echo " ==============================================================================="
echo ""
sleep 5
#wait_for_keypress
else
if [ ${UPDATE_CHECK_SKIPPED} -eq 0 ]; then
Display --indent 2 --text "- Program update status... " --result "NO UPDATE" --color GREEN
logtext "No ${PROGRAM_name} update available."
report "lynis_update_available=0"
else
Display --indent 2 --text "- Program update status... " --result "SKIPPED" --color YELLOW
logtext "Update check skipped due to constraints (e.g. missing dig binary)"
report "lynis_update_available=-1"
fi
fi
fi
logtextbreak
#
#################################################################################
#
# Check which binaries are available to the scanning process
if [ -f ${INCLUDEDIR}/binaries ]; then
SafePerms ${INCLUDEDIR}/binaries
. ${INCLUDEDIR}/binaries
fi
#
#################################################################################
#
logtextbreak
InsertPluginSection "Plugins (phase 1)"
logtext "Searching plugins..."
N_PLUGIN=0
N_PLUGIN_ENABLED=0
# Search plugins
FIND=`find ${PLUGINDIR} -type f -name "plugin_[a-z]*" -exec echo \{\} \;`
for I in ${FIND}; do
logtext "Found plugin file: ${I}"
# Double check if output is a valid file name
if [ -f ${I} ]; then
FIND2=`grep "^# PLUGIN_NAME=" ${I} | awk -F= '{ print $2 }'`
if [ ! "${FIND2}" = "" -a ! "${FIND2}" = "[plugin_name]" ]; then
N_PLUGIN=`expr ${N_PLUGIN} + 1`
FIND3=`grep "^plugin=${FIND2}" ${PROFILE}`
if [ ! "${FIND3}" = "" ]; then
logtext "Plugin ${FIND2} is enabled"
# Plugins should have at least a _post part, _pre is optional (future)
PLUGINFILE="${PLUGINDIR}/plugin_${FIND2}_phase1"
if [ -f ${PLUGINFILE} ]; then
PLUGIN_VERSION=`grep "^# PLUGIN_VERSION=" ${I} | awk -F= '{ print $2 }'`
PLUGIN_VERSION_NODOTS=`echo ${PLUGIN_VERSION} | sed 's/.//g'`
FIND4=`ls -l ${PLUGINFILE} | cut -c 2-10`
if [ "${FIND4}" = "rw-r-----" -o "${FIND4}" = "rw-------" -o "${FIND4}" = "r--------" ]; then
logtext "Including plugin file: ${PLUGINFILE} (version: ${PLUGIN_VERSION})"
report "plugin_enabled_phase1[]=${FIND2}|${PLUGIN_VERSION}|"
N_PLUGIN_ENABLED=`expr ${N_PLUGIN_ENABLED} + 1`
#logtext "PLUGIN EXECUTION SKIPPED, STILL EXPERIMENTAL"
Display --indent 2 --text "- ${CYAN}Plugin${NORMAL}: ${WHITE}${FIND2}${NORMAL}"
. ${PLUGINFILE}
logtextbreak
logtext "Result: ${FIND2} plugin (phase 1) finished"
else
logtext "Plugin ${FIND2}: Skipped (bad file permissions, should be 640, 600 or 400)"
fi
else
logtext "Plugin ${FIND2}: Skipped (can't find file ${PLUGINFILE})"
fi
else
logtext "Plugin ${FIND2}: Skipped (not enabled)"
fi
else
logtext "Skipping plugin file ${I} (no valid plugin name found)"
fi
fi
logtext "--"
done
logtext "Plugins finished"
if [ ${N_PLUGIN_ENABLED} -eq 0 ]; then
Display --indent 2 --text "- Plugins enabled " --result "NONE" --color WHITE
report "plugins_enabled=0"
else
report "plugins_enabled=1"
fi
#
#################################################################################
#
# Get host ID
logtextbreak
GetHostID
# Check if result is not empty (no blank, or hash of blank value, or minus)
if [ ! "${HOSTID}" = "-" -a ! "${HOSTID}" = "" -a ! "${HOSTID}" = "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc" ]; then
logtext "Info: found valid HostID ${HOSTID}"
report "hostid=${HOSTID}"
else
logtext "Info: no HostID found or invalid one"
fi
#
#################################################################################
#
logtextbreak
# Test sections
if [ "${TESTS_CATEGORY_TO_PERFORM}" = "" ]; then
#YYY insert plugin support
logtext "Info: perform tests from all categories"
INCLUDE_TESTS="boot_services kernel memory_processes authentication shells \
filesystems storage storage_nfs \
nameservices ports_packages networking printers_spools \
mail_messaging firewalls \
webservers ssh snmp databases ldap php squid logging \
insecure_services banners scheduling accounting \
time crypto virtualization mac_frameworks file_integrity hardening_tools tooling \
malware file_permissions homedirs kernel_hardening hardening"
else
INCLUDE_TESTS="${TESTS_CATEGORY_TO_PERFORM}"
logtext "Info: only performing tests from categories: ${TESTS_CATEGORY_TO_PERFORM}"
fi
# Include available tests
for INCLUDE_TEST in ${INCLUDE_TESTS}; do
# Test if file exists, then if permissions are correct
if [ -f ${INCLUDEDIR}/tests_${INCLUDE_TEST} ]; then
FIND=`ls -l ${INCLUDEDIR}/tests_${INCLUDE_TEST} | cut -c 2-10`
if [ "${FIND}" = "rw-r-----" -o "${FIND}" = "rw-------" -o "${FIND}" = "r--------" ]; then
. ${INCLUDEDIR}/tests_${INCLUDE_TEST}
else
logtext "Exception: skipping test category ${INCLUDE_TEST}, file ${INCLUDEDIR}/tests_${INCLUDE_TEST} has bad permissions (should be 640, 600 or 400)"
ReportWarning "NONE" "H" "Invalid permissions on tests file tests_${INCLUDE_TEST}"
# Insert a section and warn user also on screen
InsertSection "General"
Display --indent 2 --text "- Running test category ${INCLUDE_TEST}... " --result "SKIPPED" --color RED
fi
else
echo "Error: Can't find file (category: ${INCLUDE_TEST})"
fi
done
#
#################################################################################
#
logtextbreak
InsertSection "Custom Tests"
logtext "Test: Checking for tests_custom file"
# Custom tests
if [ -f ${INCLUDEDIR}/tests_custom ]; then
logtext "Result: tests_custom file found in include directory"
logtext "Test: checking file permissions of tests_custom file"
FIND=`ls -l ${INCLUDEDIR}/tests_custom | cut -c 2-10`
if [ "${FIND}" = "rw-r-----" -o "${FIND}" = "rw-------" -o "${FIND}" = "r--------" ]; then
Display --indent 2 --text "- Start custom tests... "
logtext "Result: file permissions fine, running custom tests"
SafePerms ${INCLUDEDIR}/tests_custom
. ${INCLUDEDIR}/tests_custom
else
logtext "Exception: skipping custom tests, file has bad permissions (should be 640, 600 or 400)"
ReportWarning "NONE" "H" "Invalid permissions on custom tests file"
Display --indent 2 --text "- Running custom tests... " --result "WARNING" --color RED
fi
else
Display --indent 2 --text "- Running custom tests... " --result "NONE" --color WHITE
fi
#
#################################################################################
#
# Show test results overview
#
#################################################################################
#
# Store total performed tests
report "lynis_tests_done=${CTESTS_PERFORMED}"
CDATE=`date "+%F %H:%M:%S"`
report "report_datetime_end=${CDATE}"
# Show report
if [ -f ${INCLUDEDIR}/report ]; then SafePerms ${INCLUDEDIR}/report; . ${INCLUDEDIR}/report; fi
logtext "================================================================================"
logtext "Tests performed: ${CTESTS_PERFORMED}"
logtext "Total tests: ${TOTAL_TESTS}"
logtext "Active plugins: ${N_PLUGIN_ENABLED}"
logtext "Total plugins: ${N_PLUGIN}"
logtext "================================================================================"
logtext "${PROGRAM_name} ${PROGRAM_version}"
logtext "${PROGRAM_copyright}"
logtext "${PROGRAM_extrainfo}"
logtext "Program ended successfully"
report "tests_executed=${TESTS_EXECUTED}"
report "tests_skipped=${TESTS_SKIPPED}"
report "finish=true"
# Upload data
if [ ${UPLOAD_DATA} -eq 1 ]; then
if [ -f ${INCLUDEDIR}/data_upload ]; then
SafePerms ${INCLUDEDIR}/data_upload
. ${INCLUDEDIR}/data_upload
else
echo "Fatal error: can't find upload_data script"
fi
fi
# Clean exit (Delete PID file)
ExitClean
# The End
###########################################################################
##%HASH-SHA1%----------------------------%
###########################################################################
#
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
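Review bot: `PLUGIN_VERSION_NODOTS=\`echo ${PLUGIN_VERSION} | sed 's/.//g'\`` in the plugin loop deletes every character rather than the dots, because an unescaped `.` in the sed pattern matches any character; the variable therefore always ends up empty. Use `sed 's/\.//g'` (or `tr -d .`) if the dot-free version is meant to be compared numerically later. Two smaller points in the same region: `FIND3=\`grep "^plugin=${FIND2}" ${PROFILE}\`` is a prefix match, so a profile line enabling `plugin=foobar` also enables a plugin named `foo`; anchoring the pattern with `$` (or `grep -x`) avoids that. And the permission check built from `ls -l ... | cut -c 2-10` only looks at the mode string, never at the owner, so a 640 plugin or tests file owned by an unprivileged user passes the check even though the file is then sourced as root; comparing the owner (for example via `ls -ln` or `stat`) to the running user would close that gap. The comment "Plugins should have at least a _post part, _pre is optional (future)" also no longer matches the `_phase1` suffix the code actually looks for, and the missing-category branch reports with a bare `echo` instead of `logtext`/`ReportWarning`, so that error never reaches the log or report file.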

113
lynis.8 Normal file

@ -0,0 +1,113 @@
.TH Lynis 8 "23 February 2014" "1.12" "Unix System Administrator's Manual"
.SH "NAME"
\fB
\fB
\fB
Lynis \fP\- Run an system and security audit on the system
\fB
.SH "SYNOPSIS"
.nf
.fam C
\fBlynis\fP \-\-check-all(\-c) [other options]
.fam T
.fi
.SH "DESCRIPTION"
\fBLynis\fP is an auditing tool for Unix (specialists). It checks the system
and software configuration and logs all the found information into a log file
for debugging purposes, and in a report file suitable to create fancy looking
auditing reports.
\fBLynis\fP can be run as a cronjob, or from the command line. It needs to have
full access to the system, so running it as root (or with sudo rights) is
required.
.PP
The following system areas may be checked:
.IP
\- Boot loader files
.IP
\- Configuration files
.IP
\- Common files by software packages
.IP
\- Directories and files related to logging and auditing
.SH "OPTIONS"
.TP
.B \-\-auditor <full name>
Define the name of the auditor/pen-tester. When a full name is used, add double
quotes, like "Michael Boelen".
.TP
.B \-\-checkall (or \-c)
\fBLynis\fP performs a full check of the system, printing out the results of
each test to stdout. Additional information will be saved into a log file
(default is /var/log/lynis.log).
.IP
In case the outcome of a scan needs to be automated, use the report file.
.TP
.B \-\-check\-update (or \-\-info)
Show program, database and update information
.TP
.B \-\-cronjob
Perform automatic scan with cron safe options (no colors, no questions, no
breaks).
.TP
.B \-\-debug
Display debug information to screen for troubleshooting purposes.
.TP
.B \-\-logfile </path/to/logfile>
Defines location and name of log file, instead of default /var/log/lynis.log.
.TP
.B \-\-no\-colors
Do not use colors for messages, warnings and sections.
.TP
.B \-\-no\-log
Redirect all logging information to /dev/null, prevent sensitive information to
be written to disk.
.TP
.B \-\-plugin\-dir </path/to/plugins>
Define location where plugins can be found.
.TP
.B \-\-quick (\-Q)
Do a quick scan (don't wait for user input)
.TP
.B \-\-quiet (\-q)
Try to run as silent as possible, showing only warnings. This option activates
\-\-quick as well.
.TP
.B \-\-reverse\-colors
Optimize screen output for light backgrounds.
.TP
.B \-\-tests TEST-IDs
Only run the specific test(s). When using multiple tests, add quotes around the
line.
.TP
.B \-\-upload
Upload data to Lynis Enterprise server.
.TP
.B \-\-view\-categories
Display all available test categories
.RE
.PP
.RS
Multiple parameters are allowed, though some parameters can only be used together
with others. When running Lynis without any parameters, help will be shown and
the program will exit.
.RE
.PP
.SH "BUGS"
There are no known bugs. Bugs can be reported directly to author.
.RE
.PP
.SH "LICENSING"
Lynis is licensed under the GPL v3 license and under development by Michael
Boelen.
.RE
.PP
.SH "CONTACT INFORMATION"
Project related questions and comments can be asked via
http://www.rootkit.nl/contact/. Commercial inquiries via http://cisofy.com.
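Review bot: The SYNOPSIS spells the main option `\-\-check-all(\-c)` while the OPTIONS entry documents it as `\-\-checkall (or \-c)`; one of the two is wrong and a user copying from the synopsis gets a different flag than the one described. The NAME section also carries three bare `\fB` lines before "Lynis \fP\- Run an system and security audit" and another after it, which start bold runs that are never closed (and "an system" should read "a system"). Further down, BUGS, LICENSING and CONTACT INFORMATION each end with `.RE` although no `.RS` opens them, and the `.RE` after `\-\-view\-categories` precedes the `.RS` that follows it; groff tolerates the unbalanced pairs, but they should be removed or paired so the indentation is predictable.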

30
plugins/README Normal file

@ -0,0 +1,30 @@
##########################################################################
#
# This directory contains plugins
#
##########################################################################
General notes
---------------
Custom plugins should be added to this directory, so they are included in an
audit.
Notes:
- File permissions of a plugin should be 600, 640 or the least
restrictive 400.
- Each plugin should be enabled in the profile, before it will be used.
- Custom plugins should use a test ID's with a "CUS-" prefix.
A generic example can be found in the custom_plugin.template file, which
includes several code snippets to assist in creating customer plugins.
**************************************************************************
Would your plugin or individual test benefit Lynis and others?
Share and be part of the Free and Open Source Software community!
**************************************************************************
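Review bot: The permissions note reads "600, 640 or the least restrictive 400", but 400 (read-only for the owner) is the most restrictive of the three, not the least; the wording inverts the point being made. Two typos in the same block: "should use a test ID's" should be "should use test IDs", and "customer plugins" should be "custom plugins". It would also help to state here that the loader looks for a file named `plugin_<name>_phase1` next to the plugin descriptor, since nothing in this README tells a plugin author about that naming requirement.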

View File

@ -0,0 +1,68 @@
#!/bin/sh
# -------------------------- CUT THIS SECTION ---------------------------
# This is a template to create a personal plugin
#
# Each plugin should at least have several variables defined with the
# prefix PLUGIN_* (see below)
#
# To add a section header, use the InsertSection function (see below)
#
# -------------------------- CUT THIS SECTION ---------------------------
#########################################################################
#
# * DO NOT REMOVE *
#-----------------------------------------------------
# PLUGIN_AUTHOR=___firstname_lastname_<email>___
# PLUGIN_CATEGORY=[category]
# PLUGIN_DESC=[description]
# PLUGIN_NAME=[plugin_name]
# PLUGIN_REQUIRED_TESTS=
#-----------------------------------------------------
#########################################################################
#
#
#
#########################################################################
#
# Add custom section to screen output
# InsertSection "Personal Plugin"
#
#################################################################################
#
# Test : CUS-0000
# Description : check for an ordinary directory!
# First check if OPENSSLBINARY is known as a prerequisite for this test.
if [ ! -z "${OPENSSLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no CUS-0000 --preqs-met ${PREQS_MET} --weight L --network NO --description "Description of custom test"
# Just do check without any prerequisites
Register --test-no CUS-0000 --weight L --network NO --description "Description of custom test"
if [ ${SKIPTEST} -eq 0 ]; then
FOUNDPROBLEM=0
# Check if a directory exists
if [ -d /my/path ]; then
logtext "Result: log entry for easier debugging or additional information"
else
FOUNDPROBLEM=1
logtext "Result: problem found!"
ReportWarning ${TEST_NO} "M" "This is a test warning line"
fi
if [ ${FOUNDPROBLEM} -eq 0 ]; then
Display --indent 2 --text "- Checking xxx..." --result OK --color GREEN
else
Display --indent 2 --text "- Checking xxx..." --result WARNING --color RED
ReportSuggestion ${TEST_NO} "This is a suggestion"
ReportWarning ${TEST_NO} "M" "This is a medium level warning"
fi
fi
#
#################################################################################
#
# Wait for keypress (unless --quick is being used)
wait_for_keypress
#EOF
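Review bot: Both `Register --test-no CUS-0000 ...` lines are live code, so the same test ID is registered twice, once with `--preqs-met ${PREQS_MET}` and once without; the second call is clearly meant as the alternative form and should be commented out, as the `InsertSection "Personal Plugin"` example above it is. The prerequisite check is also misleading for this template: it gates the test on `OPENSSLBINARY` while the test body only checks that `/my/path` exists, so it does not illustrate a real dependency. In the body, `ReportWarning ${TEST_NO} "M" ...` is called in the `else` branch of the directory check and again when `FOUNDPROBLEM` is 1, producing two warnings for one finding; keep one of them. Finally, the header block defines `PLUGIN_AUTHOR`, `PLUGIN_CATEGORY`, `PLUGIN_DESC`, `PLUGIN_NAME` and `PLUGIN_REQUIRED_TESTS` but not `PLUGIN_VERSION`, which the loader reads with `grep "^# PLUGIN_VERSION="`, so a plugin built from this template reports an empty version; add a `# PLUGIN_VERSION=` line to the "DO NOT REMOVE" block.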