Added MALW-3290, Trend Micro malware agent detection, added agent and rootkit scanner status

Michael Boelen 2021-07-27 10:44:08 +02:00
parent a836d0d5fb
commit c74bc10db8
No known key found for this signature in database
GPG Key ID: 26141F77A09D7F04
1 changed files with 55 additions and 0 deletions


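--- a/include/tests_malware
+++ b/include/tests_malware
@@ -37,9 +37,12 @@
 KASPERSKY_SCANNER_RUNNING=0
 MCAFEE_SCANNER_RUNNING=0
 MALWARE_SCANNER_INSTALLED=0
+MALWARE_DAEMON_RUNNING=0
+ROOTKIT_SCANNER_FOUND=0
 SOPHOS_SCANNER_RUNNING=0
 SYMANTEC_SCANNER_RUNNING=0
 SYNOLOGY_DAEMON_RUNNING=0
+TRENDMICRO_DSA_DAEMON_RUNNING=0
 #
 #################################################################################
 #
@@ -52,6 +55,7 @@
 Display --indent 2 --text "- ${GEN_CHECKING} chkrootkit" --result "${STATUS_FOUND}" --color GREEN
 LogText "Result: Found ${CHKROOTKITBINARY}"
 MALWARE_SCANNER_INSTALLED=1
+ROOTKIT_SCANNER_FOUND=1
 AddHP 2 2
 Report "malware_scanner[]=chkrootkit"
 else
@@ -70,6 +74,7 @@
 Display --indent 2 --text "- ${GEN_CHECKING} Rootkit Hunter" --result "${STATUS_FOUND}" --color GREEN
 LogText "Result: Found ${RKHUNTERBINARY}"
 MALWARE_SCANNER_INSTALLED=1
+ROOTKIT_SCANNER_FOUND=1
 AddHP 2 2
 Report "malware_scanner[]=rkhunter"
 else
@@ -108,6 +113,7 @@
 if IsRunning "com.avast.daemon"; then
 FOUND=1
 AVAST_DAEMON_RUNNING=1
+MALWARE_DAEMON_RUNNING=1
 MALWARE_SCANNER_INSTALLED=1
 if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Avast daemon" --result "${STATUS_FOUND}" --color GREEN; fi
 LogText "Result: found Avast security product"
@@ -119,6 +125,7 @@
 if IsRunning "avqmd"; then
 FOUND=1
 AVIRA_DAEMON_RUNNING=1
+MALWARE_DAEMON_RUNNING=1
 MALWARE_SCANNER_INSTALLED=1
 if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Avira daemon" --result "${STATUS_FOUND}" --color GREEN; fi
 LogText "Result: found Avira security product"
@@ -130,6 +137,7 @@
 if IsRunning "bdagentd" || IsRunning "epagd"; then
 FOUND=1
 BITDEFENDER_DAEMON_RUNNING=1
+MALWARE_DAEMON_RUNNING=1
 MALWARE_SCANNER_INSTALLED=1
 if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Bitdefender agent" --result "${STATUS_FOUND}" --color GREEN; fi
 LogText "Result: found Bitdefender security product"
@@ -154,6 +162,7 @@
 if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} CylancePROTECT" --result "${STATUS_FOUND}" --color GREEN; fi
 LogText "Result: found CylancePROTECT service"
 AVAST_DAEMON_RUNNING=1
+MALWARE_DAEMON_RUNNING=1
 MALWARE_SCANNER_INSTALLED=1
 Report "malware_scanner[]=cylance-protect"
 fi
@@ -163,6 +172,7 @@
 if IsRunning "esets_daemon"; then
 FOUND=1
 ESET_DAEMON_RUNNING=1
+MALWARE_DAEMON_RUNNING=1
 MALWARE_SCANNER_INSTALLED=1
 if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} ESET daemon" --result "${STATUS_FOUND}" --color GREEN; fi
 LogText "Result: found ESET security product"
@@ -181,6 +191,7 @@
 FOUND=1
 if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Kaspersky" --result "${STATUS_FOUND}" --color GREEN; fi
 LogText "Result: Found Kaspersky"
+MALWARE_DAEMON_RUNNING=1
 MALWARE_SCANNER_INSTALLED=1
 Report "malware_scanner[]=kaspersky"
 fi
@@ -197,6 +208,7 @@
 FOUND=1
 if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} McAfee" --result "${STATUS_FOUND}" --color GREEN; fi
 LogText "Result: Found McAfee"
+MALWARE_DAEMON_RUNNING=1
 MALWARE_SCANNER_INSTALLED=1
 Report "malware_scanner[]=mcafee"
 fi
@@ -215,6 +227,7 @@
 if [ ${SOPHOS_SCANNER_RUNNING} -eq 1 ]; then
 if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Sophos" --result "${STATUS_FOUND}" --color GREEN; fi
 LogText "Result: Found Sophos"
+MALWARE_DAEMON_RUNNING=1
 MALWARE_SCANNER_INSTALLED=1
 Report "malware_scanner[]=sophos"
 fi
@@ -235,6 +248,7 @@
 if [ ${SYMANTEC_SCANNER_RUNNING} -eq 1 ]; then
 if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Symantec" --result "${STATUS_FOUND}" --color GREEN; fi
 LogText "Result: found one or more Symantec components"
+MALWARE_DAEMON_RUNNING=1
 MALWARE_SCANNER_INSTALLED=1
 FOUND=1
 Report "malware_scanner[]=symantec"
@@ -245,18 +259,33 @@
 if IsRunning "synoavd"; then
 FOUND=1
 SYNOLOGY_DAEMON_RUNNING=1
+MALWARE_DAEMON_RUNNING=1
 MALWARE_SCANNER_INSTALLED=1
 if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Synology Antivirus Essential" --result "${STATUS_FOUND}" --color GREEN; fi
 LogText "Result: found Synology Antivirus Essential"
 Report "malware_scanner[]=synoavd"
 fi
+# Trend Micro Anti Malware for Linux
+# Typically ds_agent is running as well, the Deep Security Agent
+LogText "Test: checking process ds_agent to test for Trend Micro Deep Anti Malware component"
+if IsRunning "ds_am"; then
+if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Trend Micro Anti Malware" --result "${STATUS_FOUND}" --color GREEN; fi
+LogText "Result: found Trend Micro Anti Malware component"
+FOUND=1
+MALWARE_SCANNER_INSTALLED=1
+MALWARE_DAEMON_RUNNING=1
+TRENDMICRO_DSA_DAEMON_RUNNING=1
+Report "malware_scanner[]=trend-micro-am"
+fi
 # TrendMicro (macOS)
 LogText "Test: checking process TmccMac to test for Trend Micro anti-virus (macOS)"
 if IsRunning "TmccMac"; then
 if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Trend Micro anti-virus" --result "${STATUS_FOUND}" --color GREEN; fi
 LogText "Result: found Trend Micro component"
 FOUND=1
+MALWARE_DAEMON_RUNNING=1
 MALWARE_SCANNER_INSTALLED=1
 Report "malware_scanner[]=trend-micro-av"
 fi
@@ -298,6 +327,7 @@
 if IsRunning "clamd"; then
 Display --indent 2 --text "- ${GEN_CHECKING} ClamAV daemon" --result "${STATUS_FOUND}" --color GREEN
 LogText "Result: found running clamd process"
+MALWARE_DAEMON_RUNNING=1
 MALWARE_SCANNER_INSTALLED=1
 CLAMD_RUNNING=1
 else
@@ -354,6 +384,31 @@
 #
 #################################################################################
 #
+# Test : MALW-3290
+# Description : Presence of malware scanners
+Register --test-no MALW-3290 --weight L --network NO --category security --description "Presence of for malware detection"
+if [ ${SKIPTEST} -eq 0 ]; then
+if [ ${MALWARE_SCANNER_INSTALLED} -eq 0 ]; then
+Display --indent 2 --text "- Malware software components" --result "${STATUS_NOT_FOUND}" --color YELLOW
+else
+Display --indent 2 --text "- Malware software components" --result "${STATUS_FOUND}" --color GREEN
+if [ ${MALWARE_DAEMON_RUNNING} -eq 0 ]; then
+Display --indent 4 --text "- Active agent" --result "${STATUS_NOT_FOUND}" --color WHITE
+else
+Display --indent 4 --text "- Active agent" --result "${STATUS_FOUND}" --color GREEN
+fi
+if [ ${ROOTKIT_SCANNER_FOUND} -eq 0 ]; then
+Display --indent 4 --text "- Rootkit scanner" --result "${STATUS_NOT_FOUND}" --color WHITE
+else
+Display --indent 4 --text "- Rootkit scanner" --result "${STATUS_FOUND}" --color GREEN
+fi
+fi
+fi
+#
+#################################################################################
+#
 Report "malware_scanner_installed=${MALWARE_SCANNER_INSTALLED}"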
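Review bot: The log line introduced for the Trend Micro Linux check names the wrong process — it says it is checking `ds_agent`, while the condition directly below tests `IsRunning "ds_am"`, so anyone reading the log to see why the check did or did not fire is misled; change it to `LogText "Test: checking process ds_am to test for Trend Micro Deep Security Anti-Malware component"`. The flag set in that branch is TRENDMICRO_DSA_DAEMON_RUNNING, yet nothing in the hunk tests for ds_agent itself (the preceding comment only says it is "typically" running), so either the flag name should reflect ds_am or a second `|| IsRunning "ds_agent"` clause was intended — worth confirming. In the new MALW-3290 block the Register description reads "Presence of for malware detection", which looks like an editing slip; "Presence of malware scanners" would match the header comment two lines above. That block also only calls Display, writing nothing via LogText, and the new MALWARE_DAEMON_RUNNING and ROOTKIT_SCANNER_FOUND states are not emitted alongside the existing `Report "malware_scanner_installed=..."` at the end of the hunk — unless that happens outside this hunk, a `Report "malware_daemon_running=${MALWARE_DAEMON_RUNNING}"` and `Report "rootkit_scanner_found=${ROOTKIT_SCANNER_FOUND}"` would let the report consumer see the same detail the screen shows.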