tyler.durden
/
lynis
mirror of https://github.com/CISOfy/lynis.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Rename of logtext and report functions, upcoming year change

This commit is contained in:
mboelen 2015-12-21 21:17:15 +01:00
parent 83a44827e0
commit d16b38eff8
46 changed files with 2028 additions and 1975 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

68
CHANGELOG
View File

@ -30,20 +30,22 @@
Depending on the operating system, Lynis now tries to determine if failed logins are properly logged. This includes
checking for /etc/login.defs [AUTH-9408]. Merged password check on Solaris into AUTH-9228.
PAM settings are now analyzed, including:
New plugin is introduced to analyze PAM settings. It including items like:
- Two-factor authentication methods
- Minimum password length, password strength and protection status against brute force cracking
- Password history
report option: auth_failed_logins_logged
Report option: auth_failed_logins_logged
* Compliance
------------
Added new compliance_standards option to default.prf, to define if compliance testing should be performed, and for which standards.
Added new compliance_standards option to default.prf. This defines if compliance testing should be performed in future, and for which standards.
Right now these (partial) standards are included:
Right now these standards can be selected:
- CIS benchmarks
- HIPAA
- ISO27001/ISO27002
- PCI-DSS
- PCI DSS
* DNS and Name services
-----------------------
@ -53,23 +55,47 @@
* Firewalls
-----------
IPFW firewall on FreeBSD test improved
Don't show pflogd status on screen when pf is not available
Test for IPFW firewall on FreeBSD has been improved and status of pflogd will no longer be displayed on screen when pf is not available.
New test FIRE-4532 now supports detection of the Mac OS X application firewall. Also the status of application firewalls is audited now.
* Hardware
----------
Detection of firewire is enhanced (both ohci and core detected).
* Malware
---------
ESET and LMD (Linux Malware Detect) is now recognized as a malware scanner. Discovered malware scanners are now also logged to the report.
ESET and LMD (Linux Malware Detect) are recognized as a malware scanner. Discovered malware scanners are also logged to the report.
* Mount points
--------------
FILE-6374 is expanded to test for multiple common mount points and define best practice mount flags.
* Networking
------------
NETW-3004 now collects network interface names from most common operating systems.
* Operating systems
-------------------
Improved support for Debian 8 systems.
Improved support for Debian 8 systems. Detection for VMware release has been added.
Boot loader exception is not longer displayed when only a subset of tests is performed.
FreeBSD systems can now use service command to gather information about enabled services.
Support for boot loader detection on Mac OS X
* Passwords
-----------
AUTH-9286 change has been extended to both capture minimum and password age.
* Software
----------
Log when vulnerable software packages were found
* SSH
-----
Multiple configuration tests of SSH are now merged into SSH-7408. This enables easier testing later on and reduces repetition.
Special thanks to: Kamil Boratyński
* UEFI and Secure Boot
----------------------
Initial support to test UEFI settings, including Secure Boot option
@ -86,10 +112,12 @@
[AUTH-9204] Exclude NIS entries to avoid false positives
[AUTH-9230] Removed test as it was merged into AUTH-9228
[AUTH-9328] Show correct message when no umask is found in /etc/profile. It also includes improved logging, and support for /etc/login.conf on systems like FreeBSD.
[BOOT-5106] New test to test boot loader on Mac OS X
[BOOT-5180] Only gets executed if runlevel 2 is found
[CONT-8108] New test to test for Docker file permissions
[FILE-6410] Added /var/lib/locatedb as search path
[HOME-9310] Use POSIX compatible flags to avoid errors on BusyBox
[PKGS-7308] Split package name and version for RPM based package manager
[MALW-3278] New test to detect LMD (Linux Malware Detect)
[SHLL-6230] Test for umask values in shell configuration files (e.g. rc files)
[TIME-3104] Show only suggestion on FreeBSD systems if ntpdate is configured, yet ntpd isn't running
@ -99,22 +127,28 @@
[DigitsOnly] New function to extract only numbers from a text string
[DisplayManual] New function to show text on screen without any markup
[ExitCustom] New function to allow program to exit with a different exit code, depending on outcome
[GetHostID] If no MAC address is found, use SSH keys for creation of a host identifier
[IsWordWritable] Changed return codes for easier usage of the function
[LogText] Replaces the older logtext function
[Report] Replaces the older report function
[ReportSuggestion] Allows two additional parameters to store details (text and external reference to a solution)
[ReportWarning] Like ReportSuggestion() has additional parameters
[ShowComplianceFinding] Display compliance findings
[ShowSymlinkPath] Ensure readlink is available
* General improvements
----------------------
- When using pentest mode, it will continue without any delays (=quick mode)
- Data uploads: provide help when self-signed certificates are used
- Improved output for tests which before showed results as a warning, while actually are just suggestions
- Lynis now uses different exit codes, depending on errors or finding warnings. This helps with automation and any
custom scripting you want to apply
- Tool tips are displayed, to make Lynis even easier to use
- PID file has additional checks, including cleanups
- When using pentest mode, it will continue without any delays (=quick mode).
- Data uploads: provide help when self-signed certificates are used.
- Improved output for tests which before showed results as a warning, while actually are just suggestions.
- Lynis now uses different exit codes, depending on errors or finding warnings. This helps with automation and any custom scripting you want to apply.
- Preparations to allow compressing the Lynis report file and enhance uploads.
- Tool tips are displayed, to make Lynis even easier to use.
- PID file has additional checks, including cleanups.
* Plugins
---------
[PAM] New plugin available in all versions of Lynis
[PLGN-2804] Limit report output of EXT file systems to 1 item per line
--------------------------------------------------------------
@ -1937,4 +1971,4 @@
================================================================================
Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com

2
CONTRIBUTORS
View File

@ -37,4 +37,4 @@
================================================================================
Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com

2
FAQ
View File

@ -95,4 +95,4 @@
================================================================================
Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com

2
INSTALL
View File

@ -45,4 +45,4 @@
================================================================================
Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com

2
README
View File

@ -136,4 +136,4 @@
================================================================================
Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com

136
include/tests_accounting
View File

@ -5,7 +5,7 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
# Copyright 2007-2016, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -31,12 +31,12 @@
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /var/account/acct ]; then
Display --indent 2 --text "- Checking accounting information" --result OK --color GREEN
logtext "Result: /var/account/acct available"
LogText "Result: /var/account/acct available"
AddHP 3 3
else
Display --indent 2 --text "- Checking accounting information" --result "NOT FOUND" --color YELLOW
logtext "Result: No accounting information available"
logtext "Remark: Possibly there is another location where the accounting data is stored"
LogText "Result: No accounting information available"
LogText "Remark: Possibly there is another location where the accounting data is stored"
ReportSuggestion ${TEST_NO} "Enable process accounting"
AddHP 2 3
fi
@ -49,23 +49,23 @@
# Notes : /var/log/pacct (Slackware)
Register --test-no ACCT-9622 --os Linux --weight L --network NO --description "Check for available Linux accounting information"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Check accounting information"
LogText "Test: Check accounting information"
if [ -f /var/account/pacct ]; then
Display --indent 2 --text "- Checking accounting information" --result OK --color GREEN
logtext "Result: /var/account/pacct available"
LogText "Result: /var/account/pacct available"
AddHP 3 3
elif [ -f /var/log/account/pacct ]; then
Display --indent 2 --text "- Checking accounting information" --result OK --color GREEN
logtext "Result: /var/log/account/pacct available"
LogText "Result: /var/log/account/pacct available"
AddHP 3 3
elif [ -f /var/log/pacct ]; then
Display --indent 2 --text "- Checking accounting information" --result OK --color GREEN
logtext "Result: /var/log/pacct available"
LogText "Result: /var/log/pacct available"
AddHP 3 3
else
Display --indent 2 --text "- Checking accounting information" --result "NOT FOUND" --color YELLOW
logtext "Result: No accounting information available (/var/account/pacct, /var/log/account/pact nor /var/log/pact exist)"
logtext "Remark: Possibly there is another location where the accounting data is stored"
LogText "Result: No accounting information available (/var/account/pacct, /var/log/account/pact nor /var/log/pact exist)"
LogText "Remark: Possibly there is another location where the accounting data is stored"
ReportSuggestion ${TEST_NO} "Enable process accounting"
AddHP 2 3
fi
@ -77,30 +77,30 @@
# Description : Check sysstat accounting data
Register --test-no ACCT-9626 --os Linux --weight L --network NO --description "Check for sysstat accounting data"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check /etc/default/sysstat presence"
LogText "Test: check /etc/default/sysstat presence"
if [ -f /etc/default/sysstat ]; then
logtext "Result: /etc/default/sysstat found"
LogText "Result: /etc/default/sysstat found"
FIND=`grep "^ENABLED" /etc/default/sysstat | grep -i true`
if [ ! "${FIND}" = "" ]; then
logtext "Result: sysstat enabled via /etc/default/sysstat"
LogText "Result: sysstat enabled via /etc/default/sysstat"
Display --indent 2 --text "- Checking sysstat accounting data" --result ENABLED --color GREEN
else
logtext "Result: sysstat disabled via /etc/default/sysstat"
LogText "Result: sysstat disabled via /etc/default/sysstat"
Display --indent 2 --text "- Checking sysstat accounting data" --result DISABLED --color WHITE
ReportSuggestion ${TEST_NO} "Enable sysstat to collect accounting (disabled)"
fi
elif [ -f /etc/cron.d/sysstat ]; then
FIND=`grep -v '^[[:space:]]*\(#\|$\)' /etc/cron.d/sysstat`
if [ ! "${FIND}" = "" ]; then
logtext "Result: sysstat enabled via /etc/cron.d/sysstat"
LogText "Result: sysstat enabled via /etc/cron.d/sysstat"
Display --indent 2 --text "- Checking sysstat accounting data" --result ENABLED --color GREEN
else
logtext "Result: sysstat disabled via /etc/cron.d/sysstat"
LogText "Result: sysstat disabled via /etc/cron.d/sysstat"
Display --indent 2 --text "- Checking sysstat accounting data" --result DISABLED --color WHITE
ReportSuggestion ${TEST_NO} "Enable sysstat to collect accounting (cron disabled)"
fi
else
logtext "Result: sysstat not found via /etc/default/sysstat or /etc/cron.d/sysstat"
LogText "Result: sysstat not found via /etc/default/sysstat or /etc/cron.d/sysstat"
Display --indent 2 --text "- Checking sysstat accounting data" --result "NOT FOUND" --color YELLOW
ReportSuggestion ${TEST_NO} "Enable sysstat to collect accounting (no results)"
fi
@ -113,24 +113,24 @@
if [ ! "${AUDITDBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no ACCT-9628 --os Linux --weight L --network NO --description "Check for auditd"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Check auditd status"
LogText "Test: Check auditd status"
# Should not get kauditd
IsRunning auditd
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: auditd running"
LogText "Result: auditd running"
Display --indent 2 --text "- Checking auditd" --result ENABLED --color GREEN
AUDITD_RUNNING=1
report "audit_daemon_running=1"
report "audit_trail_tool[]=auditd"
Report "audit_daemon_running=1"
Report "audit_trail_tool[]=auditd"
AddHP 4 4
else
logtext "Result: auditd not active"
LogText "Result: auditd not active"
Display --indent 2 --text "- Checking auditd" --result "NOT FOUND" --color WHITE
if [ ! "${VMTYPE}" = "openvz" ]; then
ReportSuggestion ${TEST_NO} "Enable auditd to collect audit information"
fi
AUDITD_RUNNING=0
report "audit_daemon_running=0"
Report "audit_daemon_running=0"
AddHP 0 1
fi
fi
@ -142,21 +142,21 @@
if [ ! "${AUDITDBINARY}" = "" -a ! "${AUDITCTLBINARY}" = "" -a ${AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no ACCT-9630 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --description "Check for auditd rules"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking auditd rules"
LogText "Test: Checking auditd rules"
FIND=`${AUDITCTLBINARY} -l | grep -v "No rules"`
if [ "${FIND}" = "" ]; then
logtext "Result: auditd rules empty"
LogText "Result: auditd rules empty"
Display --indent 4 --text "- Checking audit rules" --result SUGGESTION --color YELLOW
AddHP 0 2
ReportSuggestion ${TEST_NO} "Audit daemon is enabled with an empty ruleset. Disable the daemon or define rules"
else
logtext "Result: found auditd rules"
LogText "Result: found auditd rules"
Display --indent 4 --text "- Checking audit rules" --result OK --color GREEN
# Log audit daemon rules
FIND=`${AUDITCTLBINARY} -l | sed 's/ /!space!/g'`
for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'`
logtext "Output: ${I}"
LogText "Output: ${I}"
done
fi
fi
@ -168,20 +168,20 @@
if [ ! "${AUDITDBINARY}" = "" -a ${AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no ACCT-9632 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for auditd configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking auditd configuration file"
LogText "Test: Checking auditd configuration file"
for I in ${AUDITD_CONF_LOCS}; do
if [ -f ${I}/auditd.conf ]; then
AUDITD_CONF_FILE="${I}/auditd.conf"
logtext "Result: Found ${I}/auditd.conf"
LogText "Result: Found ${I}/auditd.conf"
else
logtext "Result: ${I}/auditd.conf not found"
LogText "Result: ${I}/auditd.conf not found"
fi
done
# Check if we discovered the configuration file. It should be there is the binaries are available and process is running
if [ ! "${AUDITD_CONF_FILE}" = "" ]; then
Display --indent 4 --text "- Checking audit configuration file" --result OK --color GREEN
else
logtext "Result: could not find auditd configuration file"
LogText "Result: could not find auditd configuration file"
Display --indent 4 --text "- Checking audit configuration file" --result WARNING --color RED
ReportSuggestion ${TEST_NO} "Determine the location of auditd configuration file"
fi
@ -194,22 +194,22 @@
if [ ! "${AUDITDBINARY}" = "" -a ${AUDITD_RUNNING} -eq 1 -a ! "${AUDITD_CONF_FILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no ACCT-9634 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for auditd log file"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking auditd log file"
LogText "Test: Checking auditd log file"
FIND=`grep "^log_file" ${AUDITD_CONF_FILE} | ${AWKBINARY} '{ if ($1=="log_file" && $2=="=") { print $3 } }'`
if [ ! "${FIND}" = "" ]; then
logtext "Result: log file is defined"
logtext "Defined value: ${FIND}"
LogText "Result: log file is defined"
LogText "Defined value: ${FIND}"
if [ -f ${FIND} ]; then
logtext "Result: log file ${FIND} exists on disk"
LogText "Result: log file ${FIND} exists on disk"
Display --indent 4 --text "- Checking auditd log file" --result FOUND --color GREEN
report "logfile[]=${FIND}"
Report "logfile[]=${FIND}"
else
logtext "Result: can't find log file ${FIND} on disk"
LogText "Result: can't find log file ${FIND} on disk"
Display --indent 4 --text "- Checking auditd log file" --result SUGGESTION --color YELLOW
ReportSuggestion ${TEST_NO} "Check auditd log file location"
fi
else
logtext "Result: no log file found"
LogText "Result: no log file found"
Display --indent 4 --text "- Checking auditd log file" --result WARNING --color RED
ReportWarning ${TEST_NO} "L" "Auditd log file is defined but can not be found on disk"
fi
@ -223,23 +223,23 @@
if [ ${SKIPTEST} -eq 0 ]; then
FILE="/lib/snoopy.so"
if [ -f ${FILE} ]; then
logtext "Result: found ${FILE}"
LogText "Result: found ${FILE}"
Display --indent 2 --text "- Checking Snoopy" --result FOUND --color GREEN
if [ -f /etc/ld.so.preload ]; then
logtext "Result: found /etc/ld.so.preload, testing if snoopy.so is listed"
LogText "Result: found /etc/ld.so.preload, testing if snoopy.so is listed"
FIND=`grep ${FILE} /etc/ld.so.preload`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found snoopy in ld.so.preload"
logtext "Output: ${FIND}"
LogText "Result: found snoopy in ld.so.preload"
LogText "Output: ${FIND}"
Display --indent 6 --text "- Library in ld.so.preload" --result "LOADED" --color GREEN
report "audit_trail_tool[]=snoopy"
Report "audit_trail_tool[]=snoopy"
else
Display --indent 6 --text "- Library in ld.so.preload" --result "NOT FOUND" --color YELLOW
ReportSuggestion ${TEST_NO} "Snoopy is installed but not loaded via /etc/ld.so.preload"
AddHP 3 3
fi
else
logtext "Result: /etc/ld.so.preload does not exist"
LogText "Result: /etc/ld.so.preload does not exist"
Display --indent 6 --text "- Library in ld.so.preload" --result "UNKNOWN" --color PURPLE
ReportException "${TEST_NO}:1" "Unsure how Snoopy might be loaded as ld.so.preload does not exist"
fi
@ -252,14 +252,14 @@
# Description : Check Solaris audit daemon presence
Register --test-no ACCT-9650 --os Solaris --weight L --network NO --description "Check Solaris audit daemon"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check if audit daemon is running"
LogText "Test: check if audit daemon is running"
IsRunning auditd
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: Solaris audit daemon is running"
LogText "Result: Solaris audit daemon is running"
SOLARIS_AUDITD_RUNNING=1
Display --indent 2 --text "- Checking Solaris audit daemon status" --result RUNNING --color GREEN
else
logtext "Result: Solaris audit daemon is not running"
LogText "Result: Solaris audit daemon is not running"
Display --indent 2 --text "- Checking Solaris audit daemon status" --result "NOT RUNNING" --color YELLOW
fi
fi
@ -271,10 +271,10 @@
if [ -x /usr/bin/svcs -a ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no ACCT-9652 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check auditd SMF status"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check if auditd service is enabled and online"
LogText "Test: check if auditd service is enabled and online"
FIND=`/usr/bin/svcs svc:/system/auditd:default | grep "^online"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: auditd service is online"
LogText "Result: auditd service is online"
Display --indent 4 --text "- Checking Solaris audit daemon status" --result ONLINE --color GREEN
else
Display --indent 4 --text "- Checking Solaris audit daemon status" --result "NOT ONLINE" --color YELLOW
@ -289,17 +289,17 @@
if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no ACCT-9654 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check BSM auditing in /etc/system"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check if BSM is enabled in /etc/system"
LogText "Test: check if BSM is enabled in /etc/system"
if [ -f /etc/system ]; then
FIND=`grep 'set c2audit:audit_load = 1' /etc/system`
if [ ! "${FIND}" = "" ]; then
logtext "Result: BSM is enabled in /etc/system"
LogText "Result: BSM is enabled in /etc/system"
Display --indent 4 --text "- Checking Solaris BSM (/etc/system)" --result ENABLED --color GREEN
else
Display --indent 4 --text "- Checking Solaris BSM (/etc/system)" --result "NOT FOUND" --color YELLOW
fi
else
logtext "Result: /etc/system does not exist"
LogText "Result: /etc/system does not exist"
fi
fi
#
@ -310,18 +310,18 @@
if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no ACCT-9656 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check BSM auditing in module list"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check if c2audit module is active"
LogText "Test: check if c2audit module is active"
if [ -x /usr/sbin/modinfo ]; then
FIND=`/usr/sbin/modinfo | grep c2audit`
if [ ! "${FIND}" = "" ]; then
logtext "Result: c2audit found in modinfo output"
LogText "Result: c2audit found in modinfo output"
Display --indent 4 --text "- Checking Solaris BSM (modules list)" --result ENABLED --color GREEN
else
logtext "Result: c2audit not found in modinfo output"
LogText "Result: c2audit not found in modinfo output"
Display --indent 4 --text "- Checking Solaris BSM (modules list)" --result "NOT FOUND" --color YELLOW
fi
else
logtext "Result: /usr/sbin/modinfo does not exist, skipping test"
LogText "Result: /usr/sbin/modinfo does not exist, skipping test"
fi
fi
#
@ -332,28 +332,28 @@
if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no ACCT-9660 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check location of audit events"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check /etc/security/audit_control for event logging location"
LogText "Test: check /etc/security/audit_control for event logging location"
if [ -f /etc/security/audit_control ]; then
logtext "Result: file /etc/security/audit_control found"
LogText "Result: file /etc/security/audit_control found"
FIND=`grep "^dir" /etc/security/audit_control | ${AWKBINARY} -F: '{ print $2 }'`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found location ${FIND}"
logtext "Test: Checking if location is a valid directory"
LogText "Result: found location ${FIND}"
LogText "Test: Checking if location is a valid directory"
if [ -d ${FIND} ]; then
logtext "Result: location ${FIND} is valid"
LogText "Result: location ${FIND} is valid"
Display --indent 4 --text "- Checking Solaris audit location" --result FOUND --color GREEN
else
logtext "Result: location ${FIND} does not exist"
LogText "Result: location ${FIND} does not exist"
Display --indent 4 --text "- Checking Solaris audit location" --result "NOT FOUND" --color YELLOW
ReportSuggestion "${TEST_NO}" "Check if the Solaris audit directory is available"
fi
else
logtext "Result: unknown event location"
LogText "Result: unknown event location"
Display --indent 4 --text "- Checking Solaris audit location" --result UNKNOWN --color YELLOW
ReportSuggestion "${TEST_NO}" "Check if the Solaris audit directory is properly configured"
fi
else
logtext "Result: could not find /etc/security/audit_control"
LogText "Result: could not find /etc/security/audit_control"
Display --indent 4 --text "- Checking Solaris audit location" --result SKIPPED --color YELLOW
fi
fi
@ -365,15 +365,15 @@
if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no ACCT-9662 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Solaris auditing stats"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Check auditing statistics"
LogText "Test: Check auditing statistics"
if [ -x /usr/sbin/auditstat ]; then
FIND=`/usr/sbin/auditstat | tr -s ' ' ','`
for I in ${FIND}; do
logtext "Output: ${I}"
LogText "Output: ${I}"
done
Display --indent 4 --text "- Checking Solaris audit statistics" --result DONE --color GREEN
else
logtext "Result: /usr/sbin/auditstat not found, skipping test"
LogText "Result: /usr/sbin/auditstat not found, skipping test"
Display --indent 4 --text "- Checking Solaris audit statistics" --result SKIPPED --color YELLOW
fi
fi
@ -385,4 +385,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen / CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2016, Michael Boelen / CISOfy - https://cisofy.com

448
include/tests_authentication
View File

File diff suppressed because it is too large Load Diff

71
include/tests_banners
View File

@ -5,7 +5,7 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -31,29 +31,29 @@
# Description : Check FreeBSD COPYRIGHT banner file
Register --test-no BANN-7113 --os FreeBSD --weight L --network NO --description "Check COPYRIGHT banner file"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Testing existence /COPYRIGHT or /etc/COPYRIGHT"
LogText "Test: Testing existence /COPYRIGHT or /etc/COPYRIGHT"
if [ -f /COPYRIGHT ]; then
Display --indent 2 --text "- /COPYRIGHT" --result FOUND --color GREEN
if [ -s /COPYRIGHT ]; then
logtext "Result: /COPYRIGHT available and contains text"
LogText "Result: /COPYRIGHT available and contains text"
else
logtext "Result: /COPYRIGHT available, but empty"
LogText "Result: /COPYRIGHT available, but empty"
fi
else
Display --indent 2 --text "- /COPYRIGHT" --result "NOT FOUND" --color WHITE
logtext "Result: /COPYRIGHT not found"
LogText "Result: /COPYRIGHT not found"
fi
if [ -f /etc/COPYRIGHT ]; then
Display --indent 2 --text "- /etc/COPYRIGHT" --result FOUND --color GREEN
if [ -s /etc/COPYRIGHT ]; then
logtext "Result: /etc/COPYRIGHT available and contains text"
LogText "Result: /etc/COPYRIGHT available and contains text"
else
logtext "Result: /etc/COPYRIGHT available, but empty"
LogText "Result: /etc/COPYRIGHT available, but empty"
fi
else
Display --indent 2 --text "- /etc/COPYRIGHT" --result "NOT FOUND" --color WHITE
logtext "Result: /etc/COPYRIGHT not found"
LogText "Result: /etc/COPYRIGHT not found"
fi
fi
#
@ -63,25 +63,24 @@
# Description : Check MOTD banner file
Register --test-no BANN-7119 --weight L --network NO --description "Check MOTD banner file"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Testing existence /etc/motd"
LogText "Test: Testing existence /etc/motd"
if [ -f /etc/motd ]; then
logtext "Result: file /etc/motd exists"
LogText "Result: file /etc/motd exists"
Display --indent 2 --text "- /etc/motd" --result FOUND --color GREEN
if [ ! -L /etc/motd ]; then
IsWorldWritable /etc/motd
if [ $? -eq 1 ]; then
if IsWorldWritable /etc/motd; then
Display --indent 4 --text "- /etc/motd permissions" --result WARNING --color RED
logtext "Result: /etc/motd is world writable. Users can change this file!"
LogText "Result: /etc/motd is world writable. Users can change this file!"
ReportWarning ${TEST_NO} "H" "/etc/motd is world writable"
else
Display --indent 4 --text "- /etc/motd permissions" --result OK --color GREEN
logtext "Result: /etc/motd is not world writable."
LogText "Result: /etc/motd is not world writable."
fi
else
logtext "Result: file /etc/motd is symlink"
LogText "Result: file /etc/motd is symlink"
fi
else
logtext "Result: File /etc/motd not found"
LogText "Result: File /etc/motd not found"
Display --indent 2 --text "- /etc/motd" --result "NOT FOUND" --color WHITE
fi
fi
@ -95,21 +94,21 @@
Register --test-no BANN-7122 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check /etc/motd banner file contents"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
logtext "Test: Checking file /etc/motd contents for legal key words"
LogText "Test: Checking file /etc/motd contents for legal key words"
for I in ${LEGAL_BANNER_STRINGS}; do
FIND=`grep -i "${I}" /etc/motd`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found string '${I}'"
LogText "Result: found string '${I}'"
N=`expr ${N} + 1`
fi
done
# Check if we have 5 or more key words
if [ ${N} -gt 4 ]; then
logtext "Result: Found ${N} key words, to warn unauthorized users"
LogText "Result: Found ${N} key words, to warn unauthorized users"
Display --indent 4 --text "- /etc/motd contents" --result OK --color GREEN
AddHP 2 2
else
logtext "Result: Found only ${N} key words, to warn unauthorized users and could be increased"
LogText "Result: Found only ${N} key words, to warn unauthorized users and could be increased"
Display --indent 4 --text "- /etc/motd contents" --result WEAK --color YELLOW
ReportSuggestion ${TEST_NO} "Add legal banner to /etc/motd, to warn unauthorized users"
AddHP 0 1
@ -122,17 +121,17 @@
# Description : Check issue banner file
Register --test-no BANN-7124 --weight L --network NO --description "Check issue banner file"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking file /etc/issue"
LogText "Test: Checking file /etc/issue"
if [ -f /etc/issue ]; then
# Check for symlink
if [ -L /etc/issue ]; then
logtext "Result: file /etc/issue exists (symlink)"
LogText "Result: file /etc/issue exists (symlink)"
Display --indent 2 --text "- /etc/issue" --result SYMLINK --color GREEN
else
Display --indent 2 --text "- /etc/issue" --result FOUND --color GREEN
fi
else
logtext "Result: file /etc/issue does not exist"
LogText "Result: file /etc/issue does not exist"
Display --indent 2 --text "- /etc/issue" --result "NOT FOUND" --color WHITE
fi
fi
@ -146,21 +145,21 @@
Register --test-no BANN-7126 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check issue banner file contents"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
logtext "Test: Checking file /etc/issue contents for legal key words"
LogText "Test: Checking file /etc/issue contents for legal key words"
for I in ${LEGAL_BANNER_STRINGS}; do
FIND=`grep -i "${I}" /etc/issue`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found string '${I}'"
LogText "Result: found string '${I}'"
N=`expr ${N} + 1`
fi
done
# Check if we have 5 or more key words
if [ ${N} -gt 4 ]; then
logtext "Result: Found ${N} key words (5 or more suggested), to warn unauthorized users"
LogText "Result: Found ${N} key words (5 or more suggested), to warn unauthorized users"
Display --indent 4 --text "- /etc/issue contents" --result OK --color GREEN
AddHP 2 2
else
logtext "Result: Found only ${N} key words (5 or more suggested), to warn unauthorized users and could be increased"
LogText "Result: Found only ${N} key words (5 or more suggested), to warn unauthorized users and could be increased"
Display --indent 4 --text "- /etc/issue contents" --result WEAK --color YELLOW
ReportSuggestion ${TEST_NO} "Add a legal banner to /etc/issue, to warn unauthorized users"
AddHP 0 1
@ -173,18 +172,18 @@
# Description : Check issue.net banner file
Register --test-no BANN-7128 --weight L --network NO --description "Check issue.net banner file"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking file /etc/issue.net"
LogText "Test: Checking file /etc/issue.net"
if [ -f /etc/issue.net ]; then
# Check for symlink
if [ -L /etc/issue.net ]; then
logtext "Result: file /etc/issue.net exists (symlink)"
LogText "Result: file /etc/issue.net exists (symlink)"
Display --indent 2 --text "- /etc/issue.net" --result SYMLINK --color GREEN
else
logtext "Result: file /etc/issue.net exists"
LogText "Result: file /etc/issue.net exists"
Display --indent 2 --text "- /etc/issue.net" --result FOUND --color GREEN
fi
else
logtext "Result: file /etc/issue.net does not exist"
LogText "Result: file /etc/issue.net does not exist"
Display --indent 2 --text "- /etc/issue.net" --result "NOT FOUND" --color WHITE
fi
fi
@ -198,21 +197,21 @@
Register --test-no BANN-7130 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check issue.net banner file contents"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
logtext "Test: Checking file /etc/issue.net contents for legal key words"
LogText "Test: Checking file /etc/issue.net contents for legal key words"
for I in ${LEGAL_BANNER_STRINGS}; do
FIND=`grep -i "${I}" /etc/issue.net`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found string '${I}'"
LogText "Result: found string '${I}'"
N=`expr ${N} + 1`
fi
done
# Check if we have 5 or more key words
if [ ${N} -gt 4 ]; then
logtext "Result: Found ${N} key words, to warn unauthorized users"
LogText "Result: Found ${N} key words, to warn unauthorized users"
Display --indent 4 --text "- /etc/issue.net contents" --result OK --color GREEN
AddHP 2 2
else
logtext "Result: Found only ${N} key words, to warn unauthorized users and could be increased"
LogText "Result: Found only ${N} key words, to warn unauthorized users and could be increased"
Display --indent 4 --text "- /etc/issue.net contents" --result WEAK --color YELLOW
ReportSuggestion ${TEST_NO} "Add legal banner to /etc/issue.net, to warn unauthorized users"
AddHP 0 1
@ -226,4 +225,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com

241
include/tests_boot_services
View File

@ -5,7 +5,7 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -36,16 +36,16 @@
Register --test-no BOOT-5102 --os AIX --weight L --network NO --root-only YES --description "Check for AIX boot device"
if [ ${SKIPTEST} -eq 0 ]; then
BOOT_LOADER_SEARCHED=1
logtext "Test: Query bootinfo for AIX boot device"
LogText "Test: Query bootinfo for AIX boot device"
if [ -x /usr/sbin/bootinfo ]; then
FIND=`/usr/sbin/bootinfo -b`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found boot device ${FIND}"
LogText "Result: found boot device ${FIND}"
Display --indent 2 --text "- Checking boot device (bootinfo)" --result FOUND --color GREEN
BOOT_LOADER="ROS"
BOOT_LOADER_FOUND=1
else
logtext "Result: no data received from bootinfo, most likely boot device not found"
LogText "Result: no data received from bootinfo, most likely boot device not found"
#Display --indent 4 --text "- Checking boot device (bootinfo)" --result "NOT FOUND" --color YELLOW
#ReportSuggestion ${TEST_NO} "Only use root (not sudo account) to query properly boot device"
fi
@ -80,11 +80,11 @@
SERVICE_MANAGER="systemd"
;;
*)
logtext "Found ${SHORTNAME} but unclear what service manager this is"
LogText "Found ${SHORTNAME} but unclear what service manager this is"
;;
esac
else
logtext "Result: Could not find linked file ${sFILE}"
LogText "Result: Could not find linked file ${sFILE}"
fi
else
FIND=`echo ${FILE} | grep "/systemd"`
@ -93,7 +93,7 @@
fi
fi
else
logtext "Result: /proc/1/cmdline does not link to a binary on disk"
LogText "Result: /proc/1/cmdline does not link to a binary on disk"
fi
fi
# Continue testing if we didn't find it yet
@ -107,7 +107,7 @@
fi
;;
*)
logtext "Result: unknown service manager"
LogText "Result: unknown service manager"
esac
if [ "${SERVICE_MANAGER}" = "unknown" ]; then
Display --indent 2 --text "- Service Manager" --result "UNKNOWN" --color YELLOW
@ -124,7 +124,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
FileExists /System/Library/CoreServices/boot.efi
if [ ${FILE_FOUND} -eq 1 ]; then
logtext "Result: found Mac OS X boot.efi file"
LogText "Result: found Mac OS X boot.efi file"
BOOT_LOADER="MacOS-boot-EFI"
BOOT_LOADER_FOUND=1
fi
@ -141,39 +141,39 @@
Linux)
UEFI_TESTS_PERFORMED=1
# Check if UEFI is available in this boot
logtext "Test: checking if UEFI is used"
LogText "Test: checking if UEFI is used"
if [ -d /sys/firmware/efi ]; then
logtext "Result: system booted in UEFI mode"
LogText "Result: system booted in UEFI mode"
UEFI_BOOTED=1
else
logtext "Result: UEFI not used, can't find /sys/firmware/efi directory"
LogText "Result: UEFI not used, can't find /sys/firmware/efi directory"
fi
# Test if Secure Boot is enabled
logtext "Test: determine if Secure Boot is used"
LogText "Test: determine if Secure Boot is used"
if [ -d /sys/firmware/efi/efivars ]; then
FIND=`ls /sys/firmware/efi/efivars/SecureBoot-* 2> /dev/null`
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
logtext "Test: checking file ${I}"
LogText "Test: checking file ${I}"
J=`od -An -t u1 ${I} | awk '{ print $5 }'`
if [ "${J}" = "1" ]; then
logtext "Result: found SecureBoot file with enabled status"
LogText "Result: found SecureBoot file with enabled status"
UEFI_BOOTED_SECURE=1
else
logtext "Result: system not booted with Secure Boot (status 0 in file ${I})"
LogText "Result: system not booted with Secure Boot (status 0 in file ${I})"
fi
done
fi
else
logtext "Result: system not booted with Secure Boot (no SecureBoot file found)"
LogText "Result: system not booted with Secure Boot (no SecureBoot file found)"
fi
;;
#MacOS)
# Mac OS ioreg -l -p IODeviceTree | grep firmware-abi
#;;
*)
logtext "Result: no test implemented yet to test for UEFI on this platform"
LogText "Result: no test implemented yet to test for UEFI on this platform"
;;
esac
if [ ${UEFI_BOOTED} -eq 1 ]; then
@ -198,7 +198,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
BOOT_LOADER_SEARCHED=1
FOUND=0
logtext "Test: Checking for presence GRUB conf file (/boot/grub/grub.conf or /boot/grub/menu.lst)"
LogText "Test: Checking for presence GRUB conf file (/boot/grub/grub.conf or /boot/grub/menu.lst)"
if [ -f /boot/grub/grub.conf -o -f /boot/grub/menu.lst ]; then
FOUND=1
BOOT_LOADER="GRUB"
@ -220,21 +220,21 @@
elif [ -f /boot/grub2/grub.cfg ]; then
GRUBCONFFILE="/boot/grub2/grub.cfg"
fi
logtext "Result: found GRUB2 configuration file (${GRUBCONFFILE})"
LogText "Result: found GRUB2 configuration file (${GRUBCONFFILE})"
fi
# Some OSes like Gentoo do not have /boot mounted by default
if [ -d /boot ]; then
if [ "`ls /boot/* 2> /dev/null`" = "" -a ! "${GRUB2INSTALLBINARY}" = "" ]; then
BOOT_LOADER_FOUND=1
logtext "Result: found empty /boot, however with GRUB2 binary installed. Best guess is that GRUB2 is actually installed, but /boot not mounted"
LogText "Result: found empty /boot, however with GRUB2 binary installed. Best guess is that GRUB2 is actually installed, but /boot not mounted"
Display --indent 2 --text "- Checking presence GRUB2" --result "POSSIBLE MATCH" --color YELLOW
ReportManual "${TEST_NO}:01"
fi
fi
if [ ${FOUND} -eq 0 ]; then
logtext "Result: no GRUB configuration file found."
LogText "Result: no GRUB configuration file found."
fi
fi
#
@ -246,7 +246,7 @@
Register --test-no BOOT-5122 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for GRUB boot password"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
logtext "Found file ${GRUBCONFFILE}, proceeding with tests."
LogText "Found file ${GRUBCONFFILE}, proceeding with tests."
FileIsReadable ${GRUBCONFFILE}
if [ ${CANREAD} -eq 1 ]; then
FIND=`grep 'password --md5' ${GRUBCONFFILE} | grep -v '^#'`
@ -262,16 +262,16 @@
fi
if [ ${FOUND} -eq 1 ]; then
Display --indent 4 --text "- Checking for password protection" --result OK --color GREEN
logtext "Result: GRUB has password protection."
LogText "Result: GRUB has password protection."
AddHP 4 4
else
Display --indent 4 --text "- Checking for password protection" --result WARNING --color RED
logtext "Result: Didn't find hashed password line in GRUB boot file!"
LogText "Result: Didn't find hashed password line in GRUB boot file!"
ReportSuggestion ${TEST_NO} "Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password)"
AddHP 0 2
fi
else
logtext "Result: Can not read ${GRUBCONFFILE} (no permission)"
LogText "Result: Can not read ${GRUBCONFFILE} (no permission)"
fi
fi
#
@ -283,12 +283,12 @@
if [ ${SKIPTEST} -eq 0 ]; then
BOOT_LOADER_SEARCHED=1
if [ -f /boot/boot1 -a -f /boot/boot2 -a -f /boot/loader ]; then
logtext "Result: found boot1, boot2 and loader files in /boot"
LogText "Result: found boot1, boot2 and loader files in /boot"
Display --indent 2 --text "- Checking presence FreeBSD loader" --result FOUND --color GREEN
BOOT_LOADER="FreeBSD"
BOOT_LOADER_FOUND=1
else
logtext "Result: Not all expected files found in /boot"
LogText "Result: Not all expected files found in /boot"
fi
fi
#
@ -300,12 +300,12 @@
if [ ${SKIPTEST} -eq 0 ]; then
BOOT_LOADER_SEARCHED=1
if [ -f /boot.${HARDWARE} -o -f /boot -o -f /ofwboot ]; then
logtext "Result: found NetBSD secondary bootstrap"
LogText "Result: found NetBSD secondary bootstrap"
Display --indent 2 --text "- Checking presence NetBSD loader" --result FOUND --color GREEN
BOOT_LOADER="NetBSD"
BOOT_LOADER_FOUND=1
else
logtext "Result: NetBSD secondary bootstrap not found"
LogText "Result: NetBSD secondary bootstrap not found"
ReportException "${TEST_NO}:1" "No boot loader found on NetBSD"
fi
fi
@ -319,32 +319,32 @@
if [ ${SKIPTEST} -eq 0 ]; then
BOOT_LOADER_SEARCHED=1
LILOCONFFILE="/etc/lilo.conf"
logtext "Test: checking for presence LILO configuration file"
LogText "Test: checking for presence LILO configuration file"
if [ -f ${LILOCONFFILE} ]; then
FileIsReadable ${LILOCONFFILE}
if [ ${CANREAD} -eq 1 ]; then
BOOT_LOADER="LILO"
BOOT_LOADER_FOUND=1
Display --indent 2 --text "- Checking presence LILO" --result "OK" --color GREEN
logtext "Checking password option LILO"
LogText "Checking password option LILO"
FIND=`${EGREPBINARY} 'password[[:space:]]?=' ${LILOCONFFILE} | grep -v "^#"`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Password option presence " --result "WARNING" --color RED
logtext "Result: no password set for LILO. Bootloader is unprotected to"
logtext "dropping to single user mode or unauthorized access to devices/data."
LogText "Result: no password set for LILO. Bootloader is unprotected to"
LogText "dropping to single user mode or unauthorized access to devices/data."
ReportSuggestion ${TEST_NO} "Add a password to LILO, by adding a line to the lilo.conf file, above the first line saying 'image=<name>': password=<password>"
ReportWarning ${TEST_NO} "M" "No password set on LILO bootloader"
AddHP 0 2
else
Display --indent 4 --text "- Password option presence " --result "OK" --color GREEN
logtext "Result: LILO password option set"
LogText "Result: LILO password option set"
AddHP 4 4
fi
else
logtext "Result: can not read ${LILOCONFFILE} (no permission)"
LogText "Result: can not read ${LILOCONFFILE} (no permission)"
fi
else
logtext "Result: LILO configuration file not found"
LogText "Result: LILO configuration file not found"
fi
fi
#
@ -356,12 +356,12 @@
if [ ${SKIPTEST} -eq 0 ]; then
BOOT_LOADER_SEARCHED=1
if [ -f /etc/silo.conf ]; then
logtext "Result: Found SILO configuration file (/etc/silo.conf)"
LogText "Result: Found SILO configuration file (/etc/silo.conf)"
Display --indent 2 --text "- Checking boot loader SILO" --result FOUND --color GREEN
BOOT_LOADER="SILO"
BOOT_LOADER_FOUND=1
else
logtext "Result: no SILO configuration file found."
LogText "Result: no SILO configuration file found."
fi
fi
#
@ -375,10 +375,10 @@
# if [ -f /etc/silo.conf -a -x /sbin/silo ]; then
# FIND=`/sbin/silo | grep "appears to be valid"`
# if [ ! "${FIND}" = "" ]; then
# logtext "Result: Found SILO configuration file (/etc/silo.conf)"
# LogText "Result: Found SILO configuration file (/etc/silo.conf)"
# Display --indent 6 --text "- Checking SILO consistency" --result OK --color GREEN
# else
# logtext "Result: no positive result received from silo binary"
# LogText "Result: no positive result received from silo binary"
# ReportWarning ${TEST_NO} "Possible issue with boot loader (SILO)"
# Display --indent 6 --text "- Checking SILO consistency" --result WARNING --color RED
# fi
@ -392,14 +392,14 @@
Register --test-no BOOT-5155 --weight L --network NO --description "Check for YABOOT boot loader configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
BOOT_LOADER_SEARCHED=1
logtext "Test: Check for /etc/yaboot.conf"
LogText "Test: Check for /etc/yaboot.conf"
if [ -f /etc/yaboot.conf ]; then
logtext "Result: Found YABOOT configuration file (/etc/yaboot.conf)"
LogText "Result: Found YABOOT configuration file (/etc/yaboot.conf)"
Display --indent 4 --text "- Checking boot loader YABOOT" --result FOUND --color GREEN
BOOT_LOADER="YABOOT"
BOOT_LOADER_FOUND=1
else
logtext "Result: no YABOOT configuration file found."
LogText "Result: no YABOOT configuration file found."
fi
fi
#
@ -429,16 +429,16 @@
ReportWarning ${TEST_NO} "M" "System can be booted into single user mode without password"
else
Display --indent 4 --text "- Checking boot option" --result OK --color GREEN
logtext "Ok, boot option is enabled."
LogText "Ok, boot option is enabled."
fi
else
Display --indent 2 --text "- Checking /etc/boot.conf" --result "NOT FOUND" --color YELLOW
logtext "Result: no /etc/boot.conf found. When using the default boot loader, physical"
logtext "access to the server can be used to possibly enter single user mode."
LogText "Result: no /etc/boot.conf found. When using the default boot loader, physical"
LogText "access to the server can be used to possibly enter single user mode."
ReportSuggestion ${TEST_NO} "Add 'boot' to the /etc/boot.conf file to disable the default 5 seconds waiting time."
fi
if [ ${FOUND} -eq 1 ]; then
logtext "Result: found OpenBSD boot loader"
LogText "Result: found OpenBSD boot loader"
BOOT_LOADER="OpenBSD"
BOOT_LOADER_FOUND=1
fi
@ -462,22 +462,22 @@
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${SERVICEBINARY}" = "" ]; then
# FreeBSD (Ask services(8) for enabled services)
logtext "Searching for services at startup (service)"
LogText "Searching for services at startup (service)"
FIND=`${SERVICEBINARY} -e | sed 's|^.*\/||' | sort`
else
# FreeBSD (Read /etc/rc.conf file for enabled services)
logtext "Searching for services at startup (rc.conf)"
LogText "Searching for services at startup (rc.conf)"
FIND=`egrep -v -i '^#|none' /etc/rc.conf | egrep -i '_enable.*(yes|on|1)' | sort | awk -F= '{ print $1 }' | sed 's/_enable//'`
fi
N=0
for I in ${FIND}; do
logtext "Found service (service/rc.conf): ${I}"
report "boottask[]=${I}"
LogText "Found service (service/rc.conf): ${I}"
Report "boottask[]=${I}"
N=`expr ${N} + 1`
done
Display --indent 2 --text "- Checking services at startup (service/rc.conf)" --result "DONE" --color GREEN
Display --indent 6 --text "Result: found $N services/options set"
logtext "Found $N services/options to run at startup"
LogText "Found $N services/options to run at startup"
fi
#
#################################################################################
@ -488,59 +488,59 @@
Register --test-no BOOT-5177 --os Linux --weight L --network NO --description "Check for Linux boot and running services"
if [ ${SKIPTEST} -eq 0 ]; then
CHECKED=0
logtext "Test: checking presence systemctl binary"
LogText "Test: checking presence systemctl binary"
# Determine if we have systemctl on board
if [ ! "${SYSTEMCTLBINARY}" = "" ]; then
logtext "Result: systemctl binary found, trying that to discover information"
LogText "Result: systemctl binary found, trying that to discover information"
# Running services
logtext "Searching for running services (systemctl services only)"
LogText "Searching for running services (systemctl services only)"
FIND=`${SYSTEMCTLBINARY} --full --type=service | awk '{ if ($4=="running") { print $1 } }' | awk -F. '{ print $1 }'`
N=0
report "running_service_tool=systemctl"
Report "running_service_tool=systemctl"
for I in ${FIND}; do
logtext "Found running service: ${I}"
report "running_service[]=${I}"
LogText "Found running service: ${I}"
Report "running_service[]=${I}"
N=`expr ${N} + 1`
done
logtext "Note: Run systemctl --full --type=service to see all services"
LogText "Note: Run systemctl --full --type=service to see all services"
Display --indent 2 --text "- Check running services (systemctl)" --result "DONE" --color GREEN
Display --indent 8 --text "Result: found $N running services"
logtext "Result: Found $N enabled services"
LogText "Result: Found $N enabled services"
# Services at boot
logtext "Searching for enabled services (systemctl services only)"
LogText "Searching for enabled services (systemctl services only)"
FIND=`${SYSTEMCTLBINARY} list-unit-files --type=service | awk '{ if ($2=="enabled") { print $1 } }' | awk -F. '{ print $1 }'`
N=0
report "boot_service_tool=systemctl"
Report "boot_service_tool=systemctl"
for I in ${FIND}; do
logtext "Found enabled service at boot: ${I}"
report "boot_service[]=${I}"
LogText "Found enabled service at boot: ${I}"
Report "boot_service[]=${I}"
N=`expr ${N} + 1`
done
logtext "Note: Run systemctl list-unit-files --type=service to see all services"
LogText "Note: Run systemctl list-unit-files --type=service to see all services"
Display --indent 2 --text "- Check enabled services at boot (systemctl)" --result "DONE" --color GREEN
Display --indent 8 --text "Result: found $N enabled services"
logtext "Result: Found $N running services"
LogText "Result: Found $N running services"
else
logtext "Result: systemctl binary not found, checking chkconfig binary"
LogText "Result: systemctl binary not found, checking chkconfig binary"
if [ ! "${CHKCONFIGBINARY}" = "" ]; then
logtext "Result: chkconfig binary found, trying that to discover information"
logtext "Searching for services at startup (chkconfig, runlevel 3 and 5)"
LogText "Result: chkconfig binary found, trying that to discover information"
LogText "Searching for services at startup (chkconfig, runlevel 3 and 5)"
FIND=`${CHKCONFIGBINARY} --list | egrep '3:on|5:on' | awk '{ print $1 }'`
N=0
report "boot_service_tool=chkconfig"
Report "boot_service_tool=chkconfig"
for I in ${FIND}; do
logtext "Found service (at boot, runlevel 3 or 5): ${I}"
report "boot_service[]=${I}"
LogText "Found service (at boot, runlevel 3 or 5): ${I}"
Report "boot_service[]=${I}"
N=`expr ${N} + 1`
done
logtext "Suggestion: Run chkconfig --list to see all services and disable unneeded services"
LogText "Suggestion: Run chkconfig --list to see all services and disable unneeded services"
Display --indent 2 --text "- Check services at startup (chkconfig)" --result "DONE" --color GREEN
Display --indent 8 --text "Result: found $N services"
logtext "Result: Found $N services at startup"
LogText "Result: Found $N services at startup"
else
logtext "Result: both systemctl and chkconfig not found. Skipping this test"
LogText "Result: both systemctl and chkconfig not found. Skipping this test"
fi
fi
fi
@ -555,24 +555,24 @@
if [ ${SKIPTEST} -eq 0 ]; then
# Runlevel check
sRUNLEVEL=`${RUNLEVELBINARY} | grep "N [0-9]" | awk '{ print $2} '`
logtext "Result: found runlevel ${sRUNLEVEL}"
LogText "Result: found runlevel ${sRUNLEVEL}"
if [ "${sRUNLEVEL}" = "2" ]; then
logtext "Result: performing find in /etc/rc2.d as runlevel 2 is found"
LogText "Result: performing find in /etc/rc2.d as runlevel 2 is found"
FIND=`find /etc/rc2.d -type l -print | cut -d '/' -f4 | sed "s/S[0-9][0-9]//g" | sort`
if [ ! "${FIND}" = "" ]; then
N=0
for I in ${FIND}; do
logtext "Found service (at boot, runlevel 2): ${I}"
LogText "Found service (at boot, runlevel 2): ${I}"
N=`expr ${N} + 1`
done
Display --indent 2 --text "- Check services at startup (rc2.d)" --result "DONE" --color WHITE
Display --indent 4 --text "Result: found $N services"
logtext "Result: found $N services"
LogText "Result: found $N services"
fi
elif [ "${sRUNLEVEL}" = "" ]; then
ReportSuggestion ${TEST_NO} "Determine runlevel and services at startup"
else
logtext "Result: skipping further actions"
LogText "Result: skipping further actions"
fi
fi
#
@ -585,45 +585,43 @@
FOUND=0
CHECKDIRS="/etc/init.d /etc/rc.d /etc/rcS.d"
logtext "Result: checking /etc/init.d scripts for writable bit"
LogText "Result: checking /etc/init.d scripts for writable bit"
for I in ${CHECKDIRS}; do
logtext "Test: checking if directory ${I} exists"
LogText "Test: checking if directory ${I} exists"
if [ -d ${I} ]; then
logtext "Result: directory ${I} found"
logtext "Test: checking for available files in directory"
LogText "Result: directory ${I} found"
LogText "Test: checking for available files in directory"
FIND=`find ${I} -type f -print`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found files in directory, checking permissions now"
LogText "Result: found files in directory, checking permissions now"
for J in ${FIND}; do
logtext "Test: checking permissions of file ${J}"
IsWorldWritable ${J}
if [ $? -eq 1 ]; then
logtext "Result: warning, file ${J} is world writable"
LogText "Test: checking permissions of file ${J}"
if IsWorldWritable ${J}; then
LogText "Result: warning, file ${J} is world writable"
FOUND=1
else
logtext "Result: good, file ${J} not world writable"
LogText "Result: good, file ${J} not world writable"
fi
done
else
logtext "Result: found no files in directory."
LogText "Result: found no files in directory."
fi
else
logtext "Result: directory ${I} not found. Skipping.."
LogText "Result: directory ${I} not found. Skipping.."
fi
done
# /etc/rc[0-6].d
for NO in 0 1 2 3 4 5 6; do
logtext "Test: Checking /etc/rc${NO}.d scripts for writable bit"
LogText "Test: Checking /etc/rc${NO}.d scripts for writable bit"
if [ -d /etc/rc${NO}.d ]; then
FIND=`find /etc/rc${NO}.d -type f -print`
for I in ${FIND}; do
IsWorldWritable ${I}
if [ $? -eq 1 ]; then
logtext "Result: warning, file ${I} is world writable"
if IsWorldWritable ${I}; then
LogText "Result: warning, file ${I} is world writable"
FOUND=1
else
logtext "Result: good, file ${I} not world writable"
LogText "Result: good, file ${I} not world writable"
fi
done
fi
@ -633,14 +631,13 @@
CHECKFILES="/etc/rc /etc/rc.local /etc/rc.d/rc.sysinit"
for I in ${CHECKFILES}; do
if [ -f ${I} ]; then
logtext "Test: Checking ${I} file for writable bit"
IsWorldWritable ${I}
if [ $? -eq 1 ]; then
LogText "Test: Checking ${I} file for writable bit"
if IsWorldWritable ${I}; then
ReportWarning ${TEST_NO} "H" "Found writable startup script ${I}"
FOUND=1
logtext "Result: warning, file ${I} is world writable"
LogText "Result: warning, file ${I} is world writable"
else
logtext "Result: good, file ${I} not world writable"
LogText "Result: good, file ${I} not world writable"
fi
fi
done
@ -649,7 +646,7 @@
if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Check startup files (permissions)" --result "WARNING" --color RED
ReportWarning ${TEST_NO} "Found world writable startup scripts" "-" "-"
logtext "Result: found one or more scripts which are possibly writable by other users"
LogText "Result: found one or more scripts which are possibly writable by other users"
AddHP 0 3
else
Display --indent 2 --text "- Check startup files (permissions)" --result "OK" --color GREEN
@ -689,8 +686,8 @@
if [ ! "${SYSCTLBINARY}" = "" ]; then
TIME_BOOT=`${SYSCTLBINARY} -n kern.boottime`
TIME_NOW=`date "+%s"`
logtext "Boot time: ${TIME_BOOT}"
logtext "Current time: ${TIME_NOW}"
LogText "Boot time: ${TIME_BOOT}"
LogText "Current time: ${TIME_NOW}"
if [ ! "${TIME_BOOT}" = "" -a ! "${TIME_NOW}" = "" ]; then
UPTIME_IN_SECS=`expr ${TIME_NOW} - ${TIME_BOOT}`
else
@ -721,12 +718,12 @@
if [ ! "${FIND}" = "" ]; then
UPTIME_IN_SECS="${FIND}"
UPTIME_IN_DAYS=`expr ${UPTIME_IN_SECS} / 60 / 60 / 24`
logtext "Uptime (in seconds): ${UPTIME_IN_SECS}"
logtext "Uptime (in days): ${UPTIME_IN_DAYS}"
report "uptime_in_seconds=${UPTIME_IN_SECS}"
report "uptime_in_days=${UPTIME_IN_DAYS}"
LogText "Uptime (in seconds): ${UPTIME_IN_SECS}"
LogText "Uptime (in days): ${UPTIME_IN_DAYS}"
Report "uptime_in_seconds=${UPTIME_IN_SECS}"
Report "uptime_in_days=${UPTIME_IN_DAYS}"
else
logtext "Result: no uptime information available"
LogText "Result: no uptime information available"
fi
fi
#
@ -737,36 +734,36 @@
Register --test-no BOOT-5260 --weight L --network NO --description "Check single user mode for systemd"
if [ ${SKIPTEST} -eq 0 ]; then
# Check if file exists
logtext "Test: Searching /usr/lib/systemd/system/rescue.service"
LogText "Test: Searching /usr/lib/systemd/system/rescue.service"
if [ -f /usr/lib/systemd/system/rescue.service ]; then
logtext "Result: file /usr/lib/systemd/system/rescue.service"
logtext "Test: checking presence sulogin for single user mode"
LogText "Result: file /usr/lib/systemd/system/rescue.service"
LogText "Test: checking presence sulogin for single user mode"
FIND=`egrep "^ExecStart=-(/bin/sh -c \")?(/usr)?/(s)?bin/sulogin" /usr/lib/systemd/system/rescue.service`
if [ ! "${FIND}" = "" ]; then
FOUND=1
logtext "Result: found sulogin, so single user is protected"
LogText "Result: found sulogin, so single user is protected"
AddHP 3 3
else
logtext "Result: did not find sulogin in rescue.service"
LogText "Result: did not find sulogin in rescue.service"
AddHP 1 3
Display --indent 2 --text "- Checking sulogin in rescue.service" --result "NOT FOUND" --color YELLOW
ReportSuggestion "${TEST_NO}" "Protect rescue.service by using sulogin"
fi
else
logtext "Result: file /usr/lib/systemd/system/rescue.service does not exist"
LogText "Result: file /usr/lib/systemd/system/rescue.service does not exist"
fi
fi
#
#################################################################################
#
report "boot_loader=${BOOT_LOADER}"
report "boot_uefi_booted=${UEFI_BOOTED}"
report "boot_uefi_booted_secure=${UEFI_BOOTED_SECURE}"
report "service_manager=${SERVICE_MANAGER}"
Report "boot_loader=${BOOT_LOADER}"
Report "boot_uefi_booted=${UEFI_BOOTED}"
Report "boot_uefi_booted_secure=${UEFI_BOOTED_SECURE}"
Report "service_manager=${SERVICE_MANAGER}"
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com

57
include/tests_containers
View File

@ -5,7 +5,7 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
# Copyright 2007-2016, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -31,7 +31,7 @@
if [ -x /usr/sbin/zoneadm ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no CONT-8004 --os Solaris --weight L --network NO --description "Query running Solaris zones"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: query zoneadm to list all running zones"
LogText "Test: query zoneadm to list all running zones"
FIND=`/usr/sbin/zoneadm list -p | awk -F: '{ if ($2!="global") print $0 }'`
if [ ! "${FIND}" = "" ]; then
N=0
@ -39,13 +39,13 @@
N=`expr ${N} + 1`
ZONEID=`echo ${I} | cut -d ':' -f1`
ZONENAME=`echo ${I} | cut -d ':' -f2`
logtext "Result: found zone ${ZONENAME} (running)"
report "solaris_running_zone[]=${ZONENAME} [id:${ZONEID}]"
LogText "Result: found zone ${ZONENAME} (running)"
Report "solaris_running_zone[]=${ZONENAME} [id:${ZONEID}]"
done
logtext "Result: total of ${N} running zones"
LogText "Result: total of ${N} running zones"
Display --indent 2 --text "- Checking Solaris Zones" --result "FOUND ${N} zones" --color GREEN
else
logtext "Result: no running zones found"
LogText "Result: no running zones found"
Display --indent 2 --text "- Checking Solaris Zones" --result NONE --color WHITE
fi
fi
@ -62,7 +62,7 @@
#for I in ${FIND}; do
#XENGUESTNAME=`echo ${I} | cut -d ':' -f1`
#XENGUESTID=`echo ${I} | cut -d ':' -f2`
#logtext "Result: found Xen guest ${XENGUESTNAME} (ID: ${XENGUESTID})"
#LogText "Result: found Xen guest ${XENGUESTNAME} (ID: ${XENGUESTID})"
#done
#fi
#
@ -74,8 +74,8 @@
if [ ${SKIPTEST} -eq 0 ]; then
IsRunning "docker -d"
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: found Docker daemon running"
report "docker_daemon_running=1"
LogText "Result: found Docker daemon running"
Report "docker_daemon_running=1"
DOCKER_DAEMON_RUNNING=1
Display --indent 4 --text "- Docker"
Display --indent 6 --text "- Docker daemon" --result RUNNING --color GREEN
@ -91,20 +91,20 @@
Register --test-no CONT-8104 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking Docker info for any warnings"
if [ ${SKIPTEST} -eq 0 ]; then
COUNT=0
logtext "Test: Check for any warnings"
LogText "Test: Check for any warnings"
FIND=`${DOCKERBINARY} info 2>&1 | grep "^WARNING:" | cut -d " " -f 2- | sed 's/ /:space:/g'`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found warning(s) in output"
LogText "Result: found warning(s) in output"
for I in ${FIND}; do
J=`echo ${I} | sed 's/:space:/ /g'`
logtext "Output: ${J}"
LogText "Output: ${J}"
COUNT=`expr ${COUNT} + 1`
done
Display --indent 8 --text "- Docker info output (warnings)" --result "${COUNT}" --color RED
ReportSuggestion "${TEST_NO}" "Run 'docker info' to see warnings applicable to Docker daemon"
AddHP 3 4
else
logtext "Result: no warnings found from 'docker info' output"
LogText "Result: no warnings found from 'docker info' output"
Display --indent 8 --text "- Docker info output (warnings)" --result "NONE" --color GREEN
AddHP 1 1
fi
@ -121,16 +121,16 @@
Display --indent 6 --text "- Containers"
# Check total of containers
logtext "Test: checking total amount of Docker containers"
LogText "Test: checking total amount of Docker containers"
DOCKER_CONTAINERS_TOTAL=`${DOCKERBINARY} info 2> /dev/null | grep "^Containers: " | awk '{ print $2 }'`
if [ "${DOCKER_CONTAINERS_TOTAL}" = "" ]; then
DOCKER_CONTAINERS_TOTAL=0
fi
logtext "Result: docker info shows ${DOCKER_CONTAINERS_TOTAL} containers"
LogText "Result: docker info shows ${DOCKER_CONTAINERS_TOTAL} containers"
DOCKER_CONTAINERS_TOTAL2=`${DOCKERBINARY} ps -a 2> /dev/null | grep -v "CONTAINER" | wc -l`
logtext "Result: docker ps -a shows ${DOCKER_CONTAINERS_TOTAL2} containers"
LogText "Result: docker ps -a shows ${DOCKER_CONTAINERS_TOTAL2} containers"
if [ ! "${DOCKER_CONTAINERS_TOTAL}" = "${DOCKER_CONTAINERS_TOTAL2}" ]; then
logtext "Result: difference detected, which is unexpected"
LogText "Result: difference detected, which is unexpected"
ReportSuggestion "${TEST_NO}" "Test output of both 'docker ps -a' and 'docker info', to determine why they report a different amount of containers"
Display --indent 8 --text "- Total containers" --result "UNKNOWN" --color RED
else
@ -141,11 +141,11 @@
DOCKER_CONTAINERS_RUNNING=`${DOCKERBINARY} ps 2> /dev/null | grep -v "CONTAINER" | wc -l`
Display --indent 8 --text "- Running containers" --result "${DOCKER_CONTAINERS_RUNNING}" --color GREEN
if [ ${DOCKER_CONTAINERS_RUNNING} -gt 0 ]; then
logtext "Result: ${DOCKER_CONTAINERS_RUNNING} containers are currently active"
report "docker_containers_running=${DOCKER_CONTAINERS_RUNNING}"
LogText "Result: ${DOCKER_CONTAINERS_RUNNING} containers are currently active"
Report "docker_containers_running=${DOCKER_CONTAINERS_RUNNING}"
else
logtext "Result: no active containers"
report "docker_containers_running=0"
LogText "Result: no active containers"
Report "docker_containers_running=0"
fi
# Check if there aren't too many unused containers on the system
@ -156,7 +156,7 @@
Display --indent 8 --text "- Unused containers" --result "${DOCKER_CONTAINERS_UNUSED}" --color RED
AddHP 0 2
else
logtext "Result: found ${DOCKER_CONTAINERS_UNUSED} unused containers"
LogText "Result: found ${DOCKER_CONTAINERS_UNUSED} unused containers"
Display --indent 8 --text "- Unused containers" --result "${DOCKER_CONTAINERS_UNUSED}" --color YELLOW
AddHP 1 1
fi
@ -173,16 +173,15 @@
if [ ${SKIPTEST} -eq 0 ]; then
NOT_WORLD_WRITABLE="/var/run/docker.sock"
for I in ${NOT_WORLD_WRITABLE}; do
logtext "Test: Check ${I}"
LogText "Test: Check ${I}"
if [ -f ${I} ]; then
logtext "Result: file ${I} found, permissions will be tested"
IsWorldWritable ${I}
if [ $? -eq 1 ]; then
logtext "Result: file is writable by others, which is a security risk (e.g. privilege escalation)"
LogText "Result: file ${I} found, permissions will be tested"
if IsWorldWritable ${I}; then
LogText "Result: file is writable by others, which is a security risk (e.g. privilege escalation)"
ReportWarning "${TEST_NO}" "Docker file is world writable" "${I}" "-"
DOCKER_FILE_PERMISSIONS_WARNINGS=`expr ${DOCKER_FILE_PERMISSIONS_WARNINGS} + 1`
else
logtext "Result: file is not writable by others, which is fine"
LogText "Result: file is not writable by others, which is fine"
fi
fi
done
@ -202,4 +201,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2016, CISOfy - https://cisofy.com

22
include/tests_crypto
View File

@ -5,7 +5,7 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com), CISOfy
# Copyright 2007-2016, Michael Boelen (michael.boelen@cisofy.com), CISOfy
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -34,32 +34,32 @@
if [ -d ${I} ]; then
FileIsReadable ${I}
if [ ${CANREAD} -eq 1 ]; then
logtext "Result: found directory ${I}"
LogText "Result: found directory ${I}"
# Search for CRT files
sFINDCRTS=`find ${I} -name "*.crt" -type f -print 2> /dev/null`
for J in ${sFINDCRTS}; do
FileIsReadable ${J}
if [ ${CANREAD} -eq 1 ]; then
logtext "Test: checking certificate ${J}"
LogText "Test: checking certificate ${J}"
# Check certificate where 'end date' has been expired
FIND=`${OPENSSLBINARY} x509 -noout -checkend 0 -in ${J} -enddate > /dev/null ; echo $?`
if [ "${FIND}" = "0" ]; then
logtext "Result: certificate ${J} seems to be correct and still valid"
report "valid_certificate[]=${J}|unknown entity|"
LogText "Result: certificate ${J} seems to be correct and still valid"
Report "valid_certificate[]=${J}|unknown entity|"
else
FOUNDPROBLEM=1
logtext "Result: certificate ${J} has been expired"
report "expired_certificate[]=${J}|unknown entity|"
LogText "Result: certificate ${J} has been expired"
Report "expired_certificate[]=${J}|unknown entity|"
fi
else
logtext "Result: can not read file ${J} (no permission)"
LogText "Result: can not read file ${J} (no permission)"
fi
done
else
logtext "Result: can not read path ${I} (no permission)"
LogText "Result: can not read path ${I} (no permission)"
fi
else
logtext "Result: SSL path ${I} does not exist"
LogText "Result: SSL path ${I} does not exist"
fi
done
@ -78,4 +78,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com

10
include/tests_custom.template
View File

@ -5,7 +5,7 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -58,17 +58,17 @@
# If everything is fine, perform test
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
logtext "Test: checking something"
LogText "Test: checking something"
if [ ${FOUND} -eq 0 ]; then
Display --indent 4 --text "- Performing custom test" --result OK --color GREEN
logtext "Result: the test result looks great!"
LogText "Result: the test result looks great!"
# Optional: create a suggestion after a specific finding
#ReportSuggestion "${TEST_NO}" "This is my suggestion to improve the system even further."
else
Display --indent 4 --text "- Performing custom test" --result WARNING --color RED
logtext "Result: this test had a bad result :("
LogText "Result: this test had a bad result :("
# Throw a warning to the screen and report
ReportWarning ${TEST_NO} "M" "This is a warning message"
fi
@ -82,4 +82,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com

30
include/tests_databases
View File

@ -5,7 +5,7 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Copyright 2007-2016, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -38,10 +38,10 @@
FIND=`${PSBINARY} ax | egrep "mysqld|mysqld_safe" | grep -v "grep"`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- MySQL process status" --result "NOT FOUND" --color WHITE
logtext "Result: MySQL process not active"
LogText "Result: MySQL process not active"
else
Display --indent 2 --text "- MySQL process status" --result "FOUND" --color GREEN
logtext "Result: MySQL is active"
LogText "Result: MySQL is active"
MYSQL_RUNNING=1
fi
fi
@ -70,21 +70,21 @@
if [ ! "${MYSQLCLIENTBINARY}" = "" -a ${MYSQL_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no DBS-1816 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking MySQL root password"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Trying to login to local MySQL server without password"
LogText "Test: Trying to login to local MySQL server without password"
FIND=`${MYSQLCLIENTBINARY} -u root --password= --silent --batch --execute="" 2> /dev/null; echo $?`
if [ "${FIND}" = "0" ]; then
logtext "Result: Login succeeded, no MySQL root password set!"
LogText "Result: Login succeeded, no MySQL root password set!"
ReportWarning ${TEST_NO} "H" "No MySQL root password set"
ReportSuggestion ${TEST_NO} "Use mysqladmin to set a MySQL root password (mysqladmin -u root -p password MYPASSWORD)"
Display --indent 4 --text "- Checking empty MySQL root password" --result WARNING --color RED
AddHP 0 5
else
logtext "Result: Login did not succeed, so a MySQL root password is set"
LogText "Result: Login did not succeed, so a MySQL root password is set"
Display --indent 4 --text "- Checking MySQL root password" --result OK --color GREEN
AddHP 2 2
fi
else
logtext "Test skipped, MySQL daemon not running or no MySQL client available"
LogText "Test skipped, MySQL daemon not running or no MySQL client available"
fi
#
#################################################################################
@ -96,10 +96,10 @@
FIND=`${PSBINARY} ax | grep "postgres:" | grep -v "grep"`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- PostgreSQL processes status" --result "NOT FOUND" --color WHITE
logtext "Result: PostgreSQL process not active"
LogText "Result: PostgreSQL process not active"
else
Display --indent 2 --text "- PostgreSQL processes status" --result "FOUND" --color GREEN
logtext "Result: PostgreSQL is active"
LogText "Result: PostgreSQL is active"
POSTGRESQL_RUNNING=1
fi
fi
@ -121,10 +121,10 @@
FIND=`${PSBINARY} ax | egrep "ora_pmon|ora_smon|tnslsnr" | grep -v "grep"`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Oracle processes status" --result "NOT FOUND" --color WHITE
logtext "Result: Oracle process(es) not active"
LogText "Result: Oracle process(es) not active"
else
Display --indent 2 --text "- Oracle processes status" --result "FOUND" --color GREEN
logtext "Result: Oracle is active"
LogText "Result: Oracle is active"
ORACLE_RUNNING=1
fi
fi
@ -142,13 +142,13 @@
#
#################################################################################
#
report "mysql_running=${MYSQL_RUNNING}"
report "oracle_running=${ORACLE_RUNNING}"
report "postgresql_running=${POSTGRESQL_RUNNING}"
Report "mysql_running=${MYSQL_RUNNING}"
Report "oracle_running=${ORACLE_RUNNING}"
Report "postgresql_running=${POSTGRESQL_RUNNING}"
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
# Lynis - Copyright 2007-2016, Michael Boelen - www.rootkit.nl - The Netherlands

78
include/tests_file_integrity
View File

@ -5,7 +5,7 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
# Copyright 2007-2016, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -29,14 +29,14 @@
# Description : Check if AFICK is installed
Register --test-no FINT-4310 --weight L --network NO --description "AFICK availability"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking AFICK binary"
LogText "Test: Checking AFICK binary"
if [ ! "${AFICKBINARY}" = "" ]; then
logtext "Result: AFICK is installed (${AFICKBINARY})"
LogText "Result: AFICK is installed (${AFICKBINARY})"
FILE_INT_TOOL="afick"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- AFICK" --result FOUND --color GREEN
else
logtext "Result: AFICK is not installed"
LogText "Result: AFICK is not installed"
fi
fi
#
@ -46,14 +46,14 @@
# Description : Check if AIDE is installed
Register --test-no FINT-4314 --weight L --network NO --description "AIDE availability"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking AIDE binary"
LogText "Test: Checking AIDE binary"
if [ ! "${AIDEBINARY}" = "" ]; then
logtext "Result: AIDE is installed (${AIDEBINARY})"
LogText "Result: AIDE is installed (${AIDEBINARY})"
FILE_INT_TOOL="aide"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- AIDE" --result FOUND --color GREEN
else
logtext "Result: AIDE is not installed"
LogText "Result: AIDE is not installed"
fi
fi
#
@ -65,17 +65,17 @@
Register --test-no FINT-4315 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check AIDE configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
AIDE_CONFIG_LOCS="/etc /etc/aide /usr/local/etc"
logtext "Test: search for aide.conf in ${AIDE_CONFIG_LOCS}"
LogText "Test: search for aide.conf in ${AIDE_CONFIG_LOCS}"
for I in ${AIDE_CONFIG_LOCS}; do
if [ -f ${I}/aide.conf ]; then
logtext "Result: found aide.conf in directory ${I}"
LogText "Result: found aide.conf in directory ${I}"
AIDECONFIG="${I}/aide.conf"
fi
done
if [ "${AIDECONFIG}" = "" ]; then
Display --indent 6 --text "- AIDE config file" --result "NOT FOUND" --color YELLOW
else
logtext "Checking configuration file ${AIDECONFIG} for errors"
LogText "Checking configuration file ${AIDECONFIG} for errors"
FIND=`${AIDEBINARY} --config=${AIDECONFIG} -D; echo $?`
if [ "${FIND}" = "0" ]; then
Display --indent 6 --text "- AIDE config file" --result FOUND --color GREEN
@ -96,16 +96,16 @@
FIND=`${GREPBINARY} "^Checksums" ${AIDECONFIG}`
FIND2=`${GREPBINARY} "^Checksums" ${AIDECONFIG} | ${EGREPBINARY} "sha256|sha512"`
if [ "${FIND}" = "" ]; then
logtext "Result: Unclear how AIDE is dealing with checksums"
LogText "Result: Unclear how AIDE is dealing with checksums"
Display --indent 6 --text "- AIDE config (Checksums)" --result UNKNOWN --color YELLOW
else
if [ "${FIND2}" = "" ]; then
logtext "Result: No SHA256 or SHA512 found for creating checksums"
LogText "Result: No SHA256 or SHA512 found for creating checksums"
Display --indent 6 --text "- AIDE config (Checksum)" --result WARNING --color RED
ReportSuggestion ${TEST_NO} "Use SHA256 or SHA512 to create checksums in AIDE"
AddHP 1 3
else
logtext "Result: Found SHA256 or SHA512 found for creating checksums"
LogText "Result: Found SHA256 or SHA512 found for creating checksums"
Display --indent 6 --text "- AIDE config (Checksum)" --result OK --color GREEN
AddHP 2 2
fi
@ -118,14 +118,14 @@
# Description : Check if Osiris is installed
Register --test-no FINT-4318 --weight L --network NO --description "Osiris availability"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking Osiris binary"
LogText "Test: Checking Osiris binary"
if [ ! "${OSIRISBINARY}" = "" ]; then
logtext "Result: Osiris is installed (${OSIRISBINARY})"
LogText "Result: Osiris is installed (${OSIRISBINARY})"
FILE_INT_TOOL="osiris"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- Osiris" --result FOUND --color GREEN
else
logtext "Result: Osiris is not installed"
LogText "Result: Osiris is not installed"
fi
fi
#
@ -135,14 +135,14 @@
# Description : Check if Samhain is installed
Register --test-no FINT-4322 --weight L --network NO --description "Samhain availability"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking Samhain binary"
LogText "Test: Checking Samhain binary"
if [ ! "${SAMHAINBINARY}" = "" ]; then
logtext "Result: Samhain is installed (${SAMHAINBINARY})"
LogText "Result: Samhain is installed (${SAMHAINBINARY})"
FILE_INT_TOOL="samhain"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- Samhain" --result FOUND --color GREEN
else
logtext "Result: Samhain is not installed"
LogText "Result: Samhain is not installed"
fi
fi
#
@ -152,14 +152,14 @@
# Description : Check if Tripwire is installed
Register --test-no FINT-4326 --weight L --network NO --description "Tripwire availability"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking Tripwire binary"
LogText "Test: Checking Tripwire binary"
if [ ! "${TRIPWIREBINARY}" = "" ]; then
logtext "Result: Tripwire is installed (${TRIPWIREBINARY})"
LogText "Result: Tripwire is installed (${TRIPWIREBINARY})"
FILE_INT_TOOL="tripwire"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- Tripwire" --result FOUND --color GREEN
else
logtext "Result: Tripwire is not installed"
LogText "Result: Tripwire is not installed"
fi
fi
#
@ -169,15 +169,15 @@
# Description : Check if OSSEC system integrity tool is running
Register --test-no FINT-4328 --weight L --network NO --description "OSSEC syscheck daemon running"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking if OSSEC syscheck daemon is running"
LogText "Test: Checking if OSSEC syscheck daemon is running"
IsRunning ossec-syscheckd
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: syscheck (OSSEC) installed"
LogText "Result: syscheck (OSSEC) installed"
FILE_INT_TOOL="ossec-syscheck"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- OSSEC (syscheck)" --result FOUND --color GREEN
else
logtext "Result: syscheck (OSSEC) not installed"
LogText "Result: syscheck (OSSEC) not installed"
fi
fi
#
@ -188,14 +188,14 @@
# Note : Usually on BSD and similar
Register --test-no FINT-4330 --weight L --network NO --description "mtree availability"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking mtree binary"
LogText "Test: Checking mtree binary"
if [ ! "${MTREEBINARY}" = "" ]; then
logtext "Result: mtree is installed (${MTREEBINARY})"
LogText "Result: mtree is installed (${MTREEBINARY})"
FILE_INT_TOOL="mtree"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- mtree" --result FOUND --color GREEN
else
logtext "Result: mtree is not installed"
LogText "Result: mtree is not installed"
fi
fi
#
@ -209,7 +209,7 @@
Display --indent 4 --text "- lfd (CSF)" --result FOUND --color GREEN
IsRunning 'lfd '
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: lfd daemon is running (CSF)"
LogText "Result: lfd daemon is running (CSF)"
Display --indent 6 --text "- Daemon status" --result RUNNING --color GREEN
FILE_INT_TOOL="csf-lfd"
FILE_INT_TOOL_FOUND=1
@ -225,18 +225,18 @@
# LFD configuration parameters
ENABLED=`grep "^LF_DAEMON = \"1\"" ${CSF_CONFIG}`
if [ ! "${ENABLED}" = "" ]; then
logtext "Result: lfd service is configured to run"
LogText "Result: lfd service is configured to run"
Display --indent 6 --text "- Configuration status" --result ENABLED --color GREEN
else
logtext "Result: lfd service is configured NOT to run"
LogText "Result: lfd service is configured NOT to run"
Display --indent 6 --text "- Configuration status" --result DISABLED --color YELLOW
fi
ENABLED=`grep "^LF_DIRWATCH =" ${CSF_CONFIG} | awk '{ print $3 }' | sed 's/\"//g'`
if [ ! "${ENABLED}" = "0" -a ! "${ENABLED}" = "" ]; then
logtext "Result: lfd directory watching is enabled (value: ${ENABLED})"
LogText "Result: lfd directory watching is enabled (value: ${ENABLED})"
Display --indent 6 --text "- Temporary directory watches" --result ENABLED --color GREEN
else
logtext "Result: lfd directory watching is disabled"
LogText "Result: lfd directory watching is disabled"
Display --indent 6 --text "- Temporary directory watches" --result DISABLED --color YELLOW
fi
ENABLED=`grep "^LF_DIRWATCH_FILE =" ${CSF_CONFIG} | awk '{ print $3 }' | sed 's/\"//g'`
@ -253,13 +253,13 @@
# Description : Check if at least one file integrity tool is installed
Register --test-no FINT-4350 --weight L --network NO --description "File integrity software installed"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Check if at least on file integrity tool is available/installed"
LogText "Test: Check if at least on file integrity tool is available/installed"
if [ ${FILE_INT_TOOL_FOUND} -eq 1 ]; then
logtext "Result: found at least one file integrity tool"
LogText "Result: found at least one file integrity tool"
Display --indent 2 --text "- Checking presence integrity tool" --result FOUND --color GREEN
AddHP 5 5
else
logtext "Result: No file integrity tools found"
LogText "Result: No file integrity tools found"
Display --indent 2 --text "- Checking presence integrity tool" --result "NOT FOUND" --color YELLOW
ReportSuggestion ${TEST_NO} "Install a file integrity tool to monitor changes to critical and sensitive files"
AddHP 0 5
@ -269,10 +269,10 @@
#################################################################################
#
report "file_integrity_tool=${FILE_INT_TOOL}"
report "file_integrity_tool_installed=${FILE_INT_TOOL_FOUND}"
Report "file_integrity_tool=${FILE_INT_TOOL}"
Report "file_integrity_tool_installed=${FILE_INT_TOOL_FOUND}"
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015 Michael Boelen, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2016 Michael Boelen, CISOfy - https://cisofy.com

18
include/tests_file_permissions
View File

@ -5,7 +5,7 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -27,15 +27,15 @@
Register --test-no FILE-7524 --weight L --network NO --description "Perform file permissions check"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Starting file permissions check"
logtext "Test: Checking file permissions"
logtext "Using profile ${PROFILE} for baseline."
LogText "Test: Checking file permissions"
LogText "Using profile ${PROFILE} for baseline."
FIND=`egrep '^permfile:|^permdir:' ${PROFILE} | cut -d: -f2`
for I in ${FIND}; do
logtext "Checking ${I}"
LogText "Checking ${I}"
CheckFilePermissions ${I}
logtext " Expected permissions: ${PROFILEVALUE}"
logtext " Actual permissions: ${FILEVALUE}"
logtext " Result: $PERMS"
LogText " Expected permissions: ${PROFILEVALUE}"
LogText " Actual permissions: ${FILEVALUE}"
LogText " Result: $PERMS"
if [ "${PERMS}" = "FILE_NOT_FOUND" ]; then
Display --indent 4 --text "${I}" --result "NOT FOUND" --color WHITE
elif [ "${PERMS}" = "OK" ]; then
@ -44,7 +44,7 @@
Display --indent 4 --text "${I}" --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "Incorrect permissions for file ${I}"
else
logtext "UNKNOWN status for file"
LogText "UNKNOWN status for file"
fi
done
fi
@ -56,4 +56,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2016, CISOfy - https://cisofy.com

188
include/tests_filesystems
View File

@ -5,7 +5,7 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
# Copyright 2007-2016, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -36,25 +36,25 @@
Display --indent 2 --text "- Checking mount points"
SEPARATED_FILESYTEMS="/home /tmp /var"
for I in ${SEPARATED_FILESYTEMS}; do
logtext "Test: Checking if ${I} is mounted separately or mounted on / file system"
LogText "Test: Checking if ${I} is mounted separately or mounted on / file system"
if [ -L ${I} ]; then
logtext "Result: ${I} is a symlink. Manual check required to determine exact file system"
LogText "Result: ${I} is a symlink. Manual check required to determine exact file system"
Display --indent 4 --text "- Checking ${I} mount point" --result SYMLINK --color WHITE
elif [ -d ${I} ]; then
logtext "Result: directory ${I} exists"
LogText "Result: directory ${I} exists"
FIND=`mount | grep "${I}"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found ${I} as a separated mount point"
LogText "Result: found ${I} as a separated mount point"
Display --indent 4 --text "- Checking ${I} mount point" --result OK --color GREEN
AddHP 10 10
else
logtext "Result: ${I} not found in mount list. Directory most likely stored on / file system"
LogText "Result: ${I} not found in mount list. Directory most likely stored on / file system"
Display --indent 4 --text "- Checking ${I} mount point" --result SUGGESTION --color YELLOW
ReportSuggestion ${TEST_NO} "To decrease the impact of a full ${I} file system, place ${I} on a separated partition"
AddHP 9 10
fi
else
logtext "Result: directory ${I} does not exist"
LogText "Result: directory ${I} does not exist"
fi
done
fi
@ -67,7 +67,7 @@
if [ ! "${VGDISPLAYBINARY}" = "" -o ! "${LSVGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FILE-6311 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking LVM volume groups"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking for LVM volume groups"
LogText "Test: Checking for LVM volume groups"
case ${OS} in
AIX)
FIND=`${LSVGBINARY} -o`
@ -80,15 +80,15 @@
;;
esac
if [ ! "${FIND}" = "" ]; then
logtext "Result: found one or more volume groups"
LogText "Result: found one or more volume groups"
for I in ${FIND}; do
logtext "Found LVM volume group: ${I}"
report "lvm_volume_group[]=${I}"
LogText "Found LVM volume group: ${I}"
Report "lvm_volume_group[]=${I}"
done
LVM_VG_USED=1
Display --indent 2 --text "- Checking LVM volume groups" --result FOUND --color GREEN
else
logtext "Result: no LVM volume groups found"
LogText "Result: no LVM volume groups found"
Display --indent 2 --text "- Checking LVM volume groups" --result NONE --color WHITE
fi
fi
@ -100,7 +100,7 @@
if [ ${LVM_VG_USED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FILE-6312 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking LVM volumes"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking for LVM volumes"
LogText "Test: Checking for LVM volumes"
case ${OS} in
AIX)
ACTIVE_VG_LIST=`${LSVGBINARY} -o`
@ -114,14 +114,14 @@
;;
esac
if [ ! "${FIND}" = "" ]; then
logtext "Result: found one or more volumes"
LogText "Result: found one or more volumes"
for I in ${FIND}; do
logtext "Found LVM volume: ${I}"
report "lvm_volume[]=${I}"
LogText "Found LVM volume: ${I}"
Report "lvm_volume[]=${I}"
done
Display --indent 4 --text "- Checking LVM volumes" --result FOUND --color GREEN
else
logtext "Result: no LVM volume groups found"
LogText "Result: no LVM volume groups found"
Display --indent 4 --text "- Checking LVM volumes" --result NONE --color WHITE
fi
fi
@ -140,19 +140,19 @@
# Description : Checking Linux EXT2, EXT3, EXT4 file systems
Register --test-no FILE-6323 --os Linux --weight L --network NO --description "Checking EXT file systems"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking for Linux EXT file systems"
LogText "Test: Checking for Linux EXT file systems"
FIND=`mount -t ext2,ext3,ext4 | awk '{ print $3","$5 }'`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found one or more EXT file systems"
LogText "Result: found one or more EXT file systems"
for I in ${FIND}; do
FILESYSTEM=`echo ${I} | cut -d ',' -f1`
FILETYPE=`echo ${I} | cut -d ',' -f2`
logtext "File system: ${FILESYSTEM} (type: ${FILETYPE})"
report "file_systems_ext[]=${FILESYSTEM}|${FILETYPE}|"
LogText "File system: ${FILESYSTEM} (type: ${FILETYPE})"
Report "file_systems_ext[]=${FILESYSTEM}|${FILETYPE}|"
done
else
logtext "Result: no EXT file systems found"
report "file_systems_ext[]=none"
LogText "Result: no EXT file systems found"
Report "file_systems_ext[]=none"
fi
fi
#
@ -163,17 +163,17 @@
if [ -f /etc/fstab ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FILE-6329 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking FFS/UFS file systems"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Query /etc/fstab for available FFS/UFS mount points"
LogText "Test: Query /etc/fstab for available FFS/UFS mount points"
FIND=`awk '{ if ($3 == "ufs" || $3 == "ffs" ) { print $1":"$2":"$3":"$4":" }}' /etc/fstab`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Querying FFS/UFS mount points (fstab)" --result NONE --color WHITE
logtext "Result: unable to find any single mount point (FFS/UFS)"
LogText "Result: unable to find any single mount point (FFS/UFS)"
else
Display --indent 2 --text "- Querying FFS/UFS mount points (fstab)" --result FOUND --color GREEN
report "filesystem[]=ufs"
Report "filesystem[]=ufs"
for I in ${FIND}; do
logtext "FFS/UFS mount found: ${I}"
report "mountpoint_ufs[]=${I}"
LogText "FFS/UFS mount found: ${I}"
Report "mountpoint_ufs[]=${I}"
done
fi
fi
@ -184,17 +184,17 @@
# Description : Query all ZFS mounts from /etc/fstab
Register --test-no FILE-6330 --os FreeBSD --weight L --network NO --description "Checking ZFS file systems"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Query /etc/fstab for available ZFS mount points"
LogText "Test: Query /etc/fstab for available ZFS mount points"
FIND=`mount -p | awk '{ if ($3 == "zfs") { print $1":"$2":"$3":"$4":" }}'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Querying ZFS mount points (mount -p)" --result NONE --color WHITE
logtext "Result: unable to find any single mount point (ZFS)"
LogText "Result: unable to find any single mount point (ZFS)"
else
Display --indent 2 --text "- Querying ZFS mount points (mount -p)" --result FOUND --color GREEN
report "filesystem[]=zfs"
Report "filesystem[]=zfs"
for I in ${FIND}; do
logtext "ZFS mount found: ${I}"
report "mountpoint_zfs[]=${I}"
LogText "ZFS mount found: ${I}"
Report "mountpoint_zfs[]=${I}"
done
fi
fi
@ -207,14 +207,14 @@
Register --test-no FILE-6332 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking swap partitions"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
logtext "Test: query swap partitions from /etc/fstab file"
LogText "Test: query swap partitions from /etc/fstab file"
# Check if third field contains 'swap'
FIND=`awk '{ if ($2=="swap" || $3=="swap") { print $1 }}' /etc/fstab | grep -v "^#"`
for I in ${FIND}; do
FOUND=1
REAL=""
UUID=""
logtext "Swap partition found: ${I}"
LogText "Swap partition found: ${I}"
# YYY Add a test if partition is not a normal partition (e.g. UUID=)
# Can be ^/dev/mapper/vg-name_lv-name
# Can be ^/dev/partition
@ -223,24 +223,24 @@
HAS_UUID=`echo ${I} | grep "^UUID="`
if [ ! "${HAS_UUID}" = "" ]; then
UUID=`echo ${HAS_UUID} | awk -F= '{ print $2 }'`
logtext "Result: Using ${UUID} as UUID"
LogText "Result: Using ${UUID} as UUID"
if [ ! "${BLKIDBINARYx}" = "" ]; then
FIND2=`${BLKIDBINARY} | awk '{ if ($2=="UUID=\"${UUID}\"") print $1 }' | sed 's/:$//'`
if [ ! "${FIND2}" = "" ]; then
REAL="${FIND2}"
fi
else
logtext "Result: blkid binary not found, trying by checking device listing"
LogText "Result: blkid binary not found, trying by checking device listing"
sFILE=""
if [ -L /dev/disk/by-uuid/${UUID} ]; then
logtext "Result: found disk via /dev/disk/by-uuid listing"
LogText "Result: found disk via /dev/disk/by-uuid listing"
ShowSymlinkPath /dev/disk/by-uuid/${UUID}
if [ ! "${sFILE}" = "" ]; then
REAL="${sFILE}"
logtext "Result: disk is ${REAL}"
LogText "Result: disk is ${REAL}"
fi
else
logtext "Result: no symlink found to /dev/disk/by-uuid/${UUID}"
LogText "Result: no symlink found to /dev/disk/by-uuid/${UUID}"
fi
fi
fi
@ -248,13 +248,13 @@
if [ "${REAL}" = "" ]; then
REAL="${I}"
fi
report "swap_partition[]=${I},${REAL},"
Report "swap_partition[]=${I},${REAL},"
done
if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Query swap partitions (fstab)" --result OK --color GREEN
else
Display --indent 2 --text "- Query swap partitions (fstab)" --result NONE --color YELLOW
logtext "Result: no swap partitions found in /etc/fstab"
LogText "Result: no swap partitions found in /etc/fstab"
fi
fi
#
@ -268,18 +268,18 @@
Register --test-no FILE-6336 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking swap mount options"
if [ ${SKIPTEST} -eq 0 ]; then
# Swap partitions should be mounted with 'sw' or 'swap'
logtext "Test: check swap partitions with incorrect mount options"
LogText "Test: check swap partitions with incorrect mount options"
#FIND=`awk '{ if ($3=="swap" && ($4!="sw" && $4!="swap" && $4!="defaults")) print $1 }' /etc/fstab`
FIND=`awk '{ if ($3=="swap" && ($4~/sw/ || $4=="defaults")) { print $1 }}' /etc/fstab`
if [ ! "${FIND}" = "" ]; then
Display --indent 2 --text "- Testing swap partitions" --result OK --color GREEN
logtext "Result: all swap partitions have correct options (sw or swap)"
LogText "Result: all swap partitions have correct options (sw or swap)"
else
Display --indent 2 --text "- Testing swap partitions" --result "CHECK NEEDED" --color YELLOW
logtext "Result: possible incorrect mount options used for mounting swap partition (${FIND})"
LogText "Result: possible incorrect mount options used for mounting swap partition (${FIND})"
#ReportWarning ${TEST_NO} "L" "Possible incorrect mount options used for swap parition (${FIND})"
ReportSuggestion ${TEST_NO} "Check your /etc/fstab file for swap partition mount options"
logtext "Notes: usually swap partition have 'sw' or 'swap' in the options field (4th)"
LogText "Notes: usually swap partition have 'sw' or 'swap' in the options field (4th)"
fi
fi
#
@ -290,25 +290,25 @@
if [ -d /tmp ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FILE-6354 --preqs-met ${PREQS_MET} --weight L --network NO --description "Searching for old files in /tmp"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching for old files in /tmp"
LogText "Test: Searching for old files in /tmp"
# Search for files only in /tmp, with an access time older than X days
FIND=`find /tmp -type f -atime +${TMP_OLD_DAYS} 2> /dev/null | sed 's/ /!space!/g'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking for old files in /tmp" --result OK --color GREEN
logtext "Result: no files found in /tmp which are older than 3 months"
LogText "Result: no files found in /tmp which are older than 3 months"
else
Display --indent 2 --text "- Checking for old files in /tmp" --result FOUND --color RED
N=0
for I in ${FIND}; do
FILE=`echo ${I} | sed 's/!space!/ /g'`
logtext "Old temporary file: ${FILE}"
LogText "Old temporary file: ${FILE}"
N=`expr ${N} + 1`
done
logtext "Result: found old files in /tmp, which were not modified in the last ${TMP_OLD_DAYS} days"
logtext "Advice: check and clean up unused files in /tmp. Old files can fill up a disk or contain"
logtext "private information and should be deleted it not being used actively. Use a tool like lsof to"
logtext "see which programs possibly are using a particular file. Some systems can cleanup temporary"
logtext "directories by setting a boot option."
LogText "Result: found old files in /tmp, which were not modified in the last ${TMP_OLD_DAYS} days"
LogText "Advice: check and clean up unused files in /tmp. Old files can fill up a disk or contain"
LogText "private information and should be deleted it not being used actively. Use a tool like lsof to"
LogText "see which programs possibly are using a particular file. Some systems can cleanup temporary"
LogText "directories by setting a boot option."
ReportSuggestion ${TEST_NO} "Check ${N} files in /tmp which are older than ${TMP_OLD_DAYS} days"
fi
fi
@ -323,29 +323,29 @@
#for I in ${SKELDIRS}; do
#
# logtext "Searching skel directory ${I}"
# LogText "Searching skel directory ${I}"
#
# if [ -d ${I} ]; then
# logtext "Result: Directory found, scanning for unsafe file permissions"
# LogText "Result: Directory found, scanning for unsafe file permissions"
# FIND=`ls -A ${I} | wc -l | sed 's/ //g'`
# if [ ! "${FIND}" = "0" ]; then
# FIND=`find ${I} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \)`
# if [ "${FIND}" = "" ]; then
# Display --indent 2 --text "- Checking skel file permissions (${I})" --result OK --color GREEN
# logtext "Result: Directory seems to be ok, no files found with read/write/execute bit set."
# logtext "Status: OK"
# LogText "Result: Directory seems to be ok, no files found with read/write/execute bit set."
# LogText "Status: OK"
# else
# Display --indent 2 --text "- Checking skel file permissions (${I})" --result WARNING --color RED
# logtext "Result: The following files do have non restrictive permissions: ${FIND}"
# LogText "Result: The following files do have non restrictive permissions: ${FIND}"
# ReportSuggestion ${TEST_NO} "Remove the read, write or execute bit from these files (chmod o-rwx)"
# fi
# else
# Display --indent 2 --text "- Checking skel file permissions (${I})" --result EMPTY --color WHITE
# logtext "Directory ${I} is empty, no scan performed"
# LogText "Directory ${I} is empty, no scan performed"
# fi
# else
# Display --indent 2 --text "- Checking skel file permissions (${I})" --result "NOT FOUND" --color WHITE
# logtext "Result: Skel directory (${I}) not found"
# LogText "Result: Skel directory (${I}) not found"
# fi
#done
#
@ -360,7 +360,7 @@
FIND=`ls -l / | tr -s ' ' | awk -F" " '{ if ( $8 == "tmp" || $9 == "tmp" ) { print $1 } }' | cut -c 10`
if [ "${FIND}" = "t" -o "${FIND}" = "T" ]; then
Display --indent 2 --text "- Checking /tmp sticky bit" --result OK --color GREEN
logtext "Result: Sticky bit (${FIND}) found on /tmp directory"
LogText "Result: Sticky bit (${FIND}) found on /tmp directory"
AddHP 3 3
else
Display --indent 2 --text "- Checking /tmp sticky bit" --result WARNING --color RED
@ -369,7 +369,7 @@
AddHP 0 3
fi
else
logtext "Result: Sticky bit test (on /tmp) skipped. Possible reason: missing or symlinked directory, or test skipped."
LogText "Result: Sticky bit test (on /tmp) skipped. Possible reason: missing or symlinked directory, or test skipped."
fi
#
#################################################################################
@ -385,14 +385,14 @@
Register --test-no FILE-6368 --os Linux --weight L --network NO --root-only YES --description "Checking ACL support on root file system"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
logtext "Test: Checking acl option on root file system"
LogText "Test: Checking acl option on root file system"
FIND=`mount | ${AWKBINARY} '{ if ($3=="/" && $5~/ext[2-4]/) { print $6 } }' | grep acl`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found ACL option"
LogText "Result: found ACL option"
FOUND=1
else
logtext "Result: mount point probably mounted with defaults"
logtext "Test: Checking device which holds root file system"
LogText "Result: mount point probably mounted with defaults"
LogText "Test: Checking device which holds root file system"
# Get device on which root file system is mounted. Use /dev/root if it exists, or
# else check output of mount
if [ -b /dev/root ]; then
@ -404,28 +404,28 @@
fi
# Trying to determine default mount options from EXT2/EXT3/EXT4 file systems
if [ ! "${FIND1}" = "" ]; then
logtext "Result: found ${FIND1}"
logtext "Test: Checking default options on ${FIND1}"
LogText "Result: found ${FIND1}"
LogText "Test: Checking default options on ${FIND1}"
FIND2=`${TUNE2FSBINARY} -l ${FIND1} 2> /dev/null | grep "^Default mount options" | grep "acl"`
if [ ! "${FIND2}" = "" ]; then
logtext "Result: found ACL option in default mount options"
LogText "Result: found ACL option in default mount options"
FOUND=1
else
logtext "Result: no ACL option found in default mount options list"
LogText "Result: no ACL option found in default mount options list"
fi
else
logtext "Result: No file system found with root file system"
LogText "Result: No file system found with root file system"
fi
fi
if [ ${FOUND} -eq 0 ]; then
logtext "Result: ACL option NOT enabled on root file system"
logtext "Additional information: if file access need to be more restricted, ACLs could be used. Install the acl utilities and remount the file system with the acl option"
logtext "Activate acl support on and active file system with mount -o remount,acl / and add the acl option to the fstab file"
LogText "Result: ACL option NOT enabled on root file system"
LogText "Additional information: if file access need to be more restricted, ACLs could be used. Install the acl utilities and remount the file system with the acl option"
LogText "Activate acl support on and active file system with mount -o remount,acl / and add the acl option to the fstab file"
Display --indent 2 --text "- ACL support root file system" --result DISABLED --color YELLOW
AddHP 0 1
else
logtext "Result: ACL option enabled on root file system"
LogText "Result: ACL option enabled on root file system"
Display --indent 2 --text "- ACL support root file system" --result ENABLED --color GREEN
AddHP 3 3
fi
@ -445,14 +445,14 @@
NOSUID=`echo ${FIND} | awk '{ if ($1=="nosuid") { print "YES" } else { print "NO" } }'`
if [ ! "${FIND}" = "" ]; then
logtext "Result: mount system / is configured with options: ${FIND}"
LogText "Result: mount system / is configured with options: ${FIND}"
if [ "${FIND}" = "defaults" ]; then
Display --indent 2 --text "- Mount options of /" --result OK --color GREEN
else
Display --indent 2 --text "- Mount options of /" --result "NON DEFAULT" --color YELLOW
fi
else
logtext "Result: no mount point / or expected options found"
LogText "Result: no mount point / or expected options found"
fi
fi
fi
@ -487,42 +487,42 @@
IN_FSTAB=`cat /etc/fstab | awk -v fs=${FILESYSTEM} '{ if ($2==fs) { print "FOUND" } }'`
if [ ! "${IN_FSTAB}" = "" ]; then
FOUND_FLAGS=`cat /etc/fstab | awk -v fs=${FILESYSTEM} '{ if ($2==fs) { print $4 } }' | sed 's/,/ /g'`
logtext "File system: ${FILESYSTEM}"
logtext "Expected flags: ${EXPECTED_FLAGS}"
logtext "Found flags: ${FOUND_FLAGS}"
LogText "File system: ${FILESYSTEM}"
LogText "Expected flags: ${EXPECTED_FLAGS}"
LogText "Found flags: ${FOUND_FLAGS}"
PARTIALLY_HARDENED=0
FULLY_HARDENED=1
for FLAG in ${EXPECTED_FLAGS}; do
FLAG_AVAILABLE=`echo ${FOUND_FLAGS} | grep ${FLAG}`
if [ "${FLAG_AVAILABLE}" = "" ]; then
logtext "Result: Could not find mount option ${FLAG} on file system ${FILESYSTEM}"
LogText "Result: Could not find mount option ${FLAG} on file system ${FILESYSTEM}"
FULLY_HARDENED=0
else
logtext "Result: GOOD, found mount option ${FLAG} on file system ${FILESYSTEM}"
LogText "Result: GOOD, found mount option ${FLAG} on file system ${FILESYSTEM}"
PARTIALLY_HARDENED=1
fi
done
if [ ${FULLY_HARDENED} -eq 1 ]; then
logtext "Result: marked ${FILESYSTEM} as fully hardenened"
LogText "Result: marked ${FILESYSTEM} as fully hardenened"
Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result HARDENED --color GREEN
AddHP 5 5
elif [ ${PARTIALLY_HARDENED} -eq 1 ]; then
logtext "Result: marked ${FILESYSTEM} as fully hardenened"
LogText "Result: marked ${FILESYSTEM} as fully hardenened"
Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "PARTIALLY HARDENED" --color YELLOW
AddHP 4 5
else
if [ "${FOUND_FLAGS}" = "defaults" ]; then
logtext "Result: marked ${FILESYSTEM} options as default (non hardened)"
LogText "Result: marked ${FILESYSTEM} options as default (non hardened)"
Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result DEFAULT --color YELLOW
AddHP 3 5
else
logtext "Result: marked ${FILESYSTEM} options as non default (unclear about hardening)"
LogText "Result: marked ${FILESYSTEM} options as non default (unclear about hardening)"
Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "NON DEFAULT" --color YELLOW
AddHP 4 5
fi
fi
else
logtext "Result: file system ${FILESYSTEM} not found in /etc/fstab"
LogText "Result: file system ${FILESYSTEM} not found in /etc/fstab"
fi
done
fi
@ -564,23 +564,23 @@
if [ ! "${LOCATEBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FILE-6410 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --description "Checking Locate database"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking locate database"
LogText "Test: Checking locate database"
FOUND=0
LOCATE_DBS="/var/lib/mlocate/mlocate.db /var/lib/locate/locatedb /var/lib/locatedb /var/lib/slocate/slocate.db /var/cache/locate/locatedb /var/db/locate.database"
for I in ${LOCATE_DBS}; do
if [ -f ${I} ]; then
logtext "Result: locate database found (${I})"
LogText "Result: locate database found (${I})"
FOUND=1
LOCATE_DB="${I}"
else
logtext "Result: file ${I} not found"
LogText "Result: file ${I} not found"
fi
done
if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Checking Locate database" --result FOUND --color GREEN
report "locate_db=${LOCATE_DB}"
Report "locate_db=${LOCATE_DB}"
else
logtext "Result: database not found"
LogText "Result: database not found"
Display --indent 2 --text "- Checking Locate database" --result "NOT FOUND" --color YELLOW
ReportSuggestion ${TEST_NO} "The database required for 'locate' could not be found. Run 'updatedb' or 'locate.updatedb' to create this file."
fi
@ -622,4 +622,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com

104
include/tests_firewalls
View File

@ -5,7 +5,7 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -41,9 +41,9 @@
IPTABLES_ACTIVE=1
IPTABLES_MODULE_ACTIVE=1
Display --indent 2 --text "- Checking iptables kernel module" --result FOUND --color GREEN
logtext "Result: Found iptables in loaded kernel modules"
LogText "Result: Found iptables in loaded kernel modules"
for I in ${FIND}; do
logtext "Found module: ${I}"
LogText "Found module: ${I}"
done
else
Display --indent 2 --text "- Checking iptables kernel module" --result "NOT FOUND" --color WHITE
@ -62,24 +62,24 @@
# tests, when using iptables --list
if [ ! "${LINUXCONFIGFILE}" = "" ]; then
if [ -f ${LINUXCONFIGFILE} -a ${IPTABLES_MODULE_ACTIVE} -eq 0 ]; then
logtext "Result: found kernel configuration file (${LINUXCONFIGFILE})"
LogText "Result: found kernel configuration file (${LINUXCONFIGFILE})"
FIND=`${tCATCMD} ${LINUXCONFIGFILE} | grep -v '^#' | grep "CONFIG_IP_NF_IPTABLES" | head -n 1`
if [ ! "${FIND}" = "" ]; then
HAVEMOD=`echo ${FIND} | cut -d '=' -f2`
# Do not use iptables if it's compiled as a module (=m), since we already tested for it in the
# active list.
if [ "${HAVEMOD}" = "y" ]; then
logtext "Result: iptables available as a module in the configuration"
LogText "Result: iptables available as a module in the configuration"
IPTABLES_ACTIVE=1
IPTABLES_INKERNEL_ACTIVE=1
FIREWALL_ACTIVE=1
FIREWALL_SOFTWARE="iptables"
Display --indent 2 --text "- Checking iptables in config file" --result FOUND --color GREEN
else
logtext "Result: no iptables found in Linux kernel config file"
LogText "Result: no iptables found in Linux kernel config file"
fi
else
logtext "Result: no Linux configuration file found"
LogText "Result: no Linux configuration file found"
Display --indent 2 --text "- Checking iptables in config file" --result "NOT FOUND" --color WHITE
fi
fi
@ -99,11 +99,11 @@
FIREWALL_ACTIVE=1
if [ ${FIND} -le 10 ]; then
# Firewall is active, but clearly needs configuration
logtext "Result: iptables ruleset seems to be empty (found ${FIND} rules)"
LogText "Result: iptables ruleset seems to be empty (found ${FIND} rules)"
Display --indent 4 --text "- Checking for empty ruleset" --result WARNING --color RED
ReportWarning ${TEST_NO} "L" "iptables module(s) loaded, but no rules active"
else
logtext "Result: one or more rules are available (${FIND} rules)"
LogText "Result: one or more rules are available (${FIND} rules)"
Display --indent 4 --text "- Checking for empty ruleset" --result OK --color GREEN
fi
fi
@ -119,16 +119,16 @@
FIND=`${IPTABLESBINARY} --list --numeric --line-numbers --verbose | awk '{ if ($2=="0") print $1 }' | xargs`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking for unused rules" --result OK --color GREEN
logtext "Result: There are no unused rules present"
LogText "Result: There are no unused rules present"
else
Display --indent 4 --text "- Checking for unused rules" --result FOUND --color YELLOW
logtext "Result: Found one or more possible unused rules"
logtext "Description: Unused rules can be a sign that the firewall rules aren't optimized or up-to-date"
logtext "Note: Sometimes rules aren't triggered but still in use. Keep this in mind before cleaning up rules."
logtext "Output: iptables rule numbers: ${FIND}"
LogText "Result: Found one or more possible unused rules"
LogText "Description: Unused rules can be a sign that the firewall rules aren't optimized or up-to-date"
LogText "Note: Sometimes rules aren't triggered but still in use. Keep this in mind before cleaning up rules."
LogText "Output: iptables rule numbers: ${FIND}"
#ReportWarning ${TEST_NO} "L" "Found possible unused iptables rules ($FIND)"
ReportSuggestion ${TEST_NO} "Check iptables rules to see which rules are currently not used"
logtext "Tip: iptables --list --numeric --line-numbers --verbose"
LogText "Tip: iptables --list --numeric --line-numbers --verbose"
fi
fi
#
@ -142,18 +142,18 @@
PFFOUND=0; PFLOGDFOUND=0
# Check status with pfctl
logtext "Test: checking pf status via pfctl"
LogText "Test: checking pf status via pfctl"
if [ ! "${PFCTLBINARY}" = "" ]; then
FIND=`${PFCTLBINARY} -sa 2>&1 | grep "^Status" | head -1 | awk '{ print $2 }'`
if [ "${FIND}" = "Enabled" ]; then
Display --indent 2 --text "- Checking pf status (pfctl)" --result ENABLED --color GREEN
logtext "Result: pf is enabled"
LogText "Result: pf is enabled"
PFFOUND=1
AddHP 3 3
else
if [ "${FIND}" = "Disabled" ]; then
Display --indent 2 --text "- Checking pf status (pfctl)" --result DISABLED --color RED
logtext "Result: pf is disabled"
LogText "Result: pf is disabled"
AddHP 0 3
else
Display --indent 2 --text "- Checking pf status (pfctl)" --result UNKNOWN --color YELLOW
@ -165,27 +165,27 @@
# If we didn't find the status to be enabled, stop searching
if [ ${PFFOUND} -eq 0 ]; then
# Check for pf kernel module (FreeBSD and similar)
logtext "Test: searching for pf kernel module"
LogText "Test: searching for pf kernel module"
if [ ! "${KLDSTATBINARY}" = "" ]; then
FIND=`${KLDSTATBINARY} | grep 'pf.ko'`
if [ "${FIND}" = "" ]; then
logtext "Result: Can not find pf KLD"
LogText "Result: Can not find pf KLD"
else
logtext "Result: pf KLD loaded"
LogText "Result: pf KLD loaded"
PFFOUND=1
fi
else
logtext "Result: no kldstat binary, skipping this part"
LogText "Result: no kldstat binary, skipping this part"
fi
IsRunning pflogd
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: found pflog daemon in process list"
LogText "Result: found pflog daemon in process list"
Display --indent 4 --text "- Checking pflogd status" --result ACTIVE --color GREEN
PFFOUND=1
PFLOGDFOUND=1
else
logtext "Result: pflog daemon not found in process list"
LogText "Result: pflog daemon not found in process list"
fi
fi
@ -193,7 +193,7 @@
FIREWALL_ACTIVE=1
FIREWALL_SOFTWARE="pf"
else
logtext "Result: pf not running on this system"
LogText "Result: pf not running on this system"
fi
fi
#
@ -204,23 +204,23 @@
if [ ${PFFOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4520 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check pf configuration consistency"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check /etc/pf.conf"
LogText "Test: check /etc/pf.conf"
# Test for warnings (-n don't load the rules)
if [ -f /etc/pf.conf ]; then
logtext "Result: /etc/pf.conf exists"
LogText "Result: /etc/pf.conf exists"
# Check results from pfctl
PFWARNINGS=`pfctl -n -f /etc/pf.conf -vvv 2>&1 | grep -i 'warning'`
if [ "${PFWARNINGS}" = "" ]; then
Display --indent 4 --text "- Checking pf configuration consistency" --result OK --color GREEN
logtext "Result: no pf filter warnings found"
LogText "Result: no pf filter warnings found"
else
Display --indent 4 --text "- Checking pf configuration consistency" --result WARNING --color RED
logtext "Result: found one or more warnings in the pf filter rules"
LogText "Result: found one or more warnings in the pf filter rules"
ReportWarning ${TEST_NO} "H" "Found one or more warnings in pf configuration file"
ReportSuggestion ${TEST_NO} "Run 'pfctl -n -f /etc/pf.conf -vvv' to see available pf warnings"
fi
else
logtext "Result: /etc/pf.conf does NOT exist"
LogText "Result: /etc/pf.conf does NOT exist"
fi
fi
#
@ -236,14 +236,14 @@
Register --test-no FIRE-4524 --weight L --network NO --description "Check for CSF presence"
if [ ${SKIPTEST} -eq 0 ]; then
FILE="/etc/csf/csf.conf"
logtext "Test: check ${FILE}"
LogText "Test: check ${FILE}"
if [ -f ${FILE} ]; then
logtext "Result: ${FILE} exists"
LogText "Result: ${FILE} exists"
FIREWALL_ACTIVE=1
FIREWALL_SOFTWARE="csf"
Display --indent 2 --text "- Checking CSF status (configuration file)" --result FOUND --color GREEN
else
logtext "Result: ${FILE} does NOT exist"
LogText "Result: ${FILE} does NOT exist"
fi
fi
#
@ -257,12 +257,12 @@
FIND=`${IPFBINARY} -n -V | grep "^Running" | awk '{ print $2 }'`
if [ "${FIND}" = "yes" ]; then
Display --indent 4 --text "- Checking ipf status" --result RUNNING --color GREEN
logtext "Result: ipf is enabled and running"
LogText "Result: ipf is enabled and running"
FIREWALL_ACTIVE=1
FIREWALL_SOFTWARE="ipf"
else
Display --indent 4 --text "- Checking ipf status" --result "NOT RUNNING" --color YELLOW
logtext "Result: ipf is not running"
LogText "Result: ipf is not running"
fi
fi
#
@ -277,20 +277,20 @@
FIND=`${SYSCTLBINARY} net.inet.ip.fw.enable | awk '{ print $2 }'`
if [ "${FIND}" = "1" ]; then
Display --indent 2 --text "- Checking IPFW status" --result RUNNING --color GREEN
logtext "Result: IPFW is running for IPv4"
LogText "Result: IPFW is running for IPv4"
FIREWALL_ACTIVE=1
FIREWALL_SOFTWARE="ipfw"
IPFW_ENABLED=`service -e | grep -o ipfw`
if [ "${IPFW_ENABLED}" = "ipfw" ]; then
Display --indent 4 --text "- IPFW enabled in /etc/rc.conf" --result YES --color GREEN
logtext "Result: IPFW is enabled at start-up for IPv4"
LogText "Result: IPFW is enabled at start-up for IPv4"
else
Display --indent 4 --text "- ipfw enabled in /etc/rc.conf" --result NO --color YELLOW
logtext "Result: IPFW is disabled at start-up for IPv4"
LogText "Result: IPFW is disabled at start-up for IPv4"
fi
else
Display --indent 2 --text "- Checking IPFW status" --result "NOT RUNNING" --color YELLOW
logtext "Result: IPFW is not running for IPv4"
LogText "Result: IPFW is not running for IPv4"
fi
else
Display --indent 2 --text "- Checking IPFW" --result SKIPPED --color YELLOW
@ -309,13 +309,13 @@
if [ ! "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking Mac OS X: Application Firewall" --result ENABLED --color GREEN
AddHP 3 3
logtext "Result: application firewall of Mac OS X is enabled"
LogText "Result: application firewall of Mac OS X is enabled"
APPLICATION_FIREWALL_ACTIVE=1
report "app_fw[]=macosx-app-fw"
Report "app_fw[]=macosx-app-fw"
else
Display --indent 2 --text "- Checking IPFW" --result DISABLED --color YELLOW
AddHP 1 3
logtext "Result: application firewall of Mac OS X is disabled"
LogText "Result: application firewall of Mac OS X is disabled"
fi
fi
#
@ -327,16 +327,16 @@
if [ ${SKIPTEST} -eq 0 ]; then
if [ ${FIREWALL_ACTIVE} -eq 1 ]; then
Display --indent 2 --text "- Checking host based firewall" --result ACTIVE --color GREEN
logtext "Result: host based firewall or packet filter is active"
report "manual[]=Verify if there is a formal process for testing and applying firewall rules"
report "manual[]=Verify all traffic is filtered the right way between the different security zones"
report "manual[]=Verify if a list is available with all required services"
LogText "Result: host based firewall or packet filter is active"
Report "manual[]=Verify if there is a formal process for testing and applying firewall rules"
Report "manual[]=Verify all traffic is filtered the right way between the different security zones"
Report "manual[]=Verify if a list is available with all required services"
# YYY Solaris ipf (determine default policy)
report "manual[]=Make sure an explicit deny all is the default policy for all unmatched traffic"
Report "manual[]=Make sure an explicit deny all is the default policy for all unmatched traffic"
AddHP 5 5
else
Display --indent 2 --text "- Checking host based firewall" --result "NOT ACTIVE" --color YELLOW
logtext "Result: no host based firewall/packet filter found or configured"
LogText "Result: no host based firewall/packet filter found or configured"
ReportSuggestion ${TEST_NO} "Configure a firewall/packet filter to filter incoming and outgoing traffic"
AddHP 0 5
fi
@ -346,13 +346,13 @@
#
# Report firewall installed for now, if we found one active. Next step would be determining binaries first and apply additional checks.
report "firewall_installed=${FIREWALL_ACTIVE}"
report "firewall_active=${FIREWALL_ACTIVE}"
report "firewall_software=${FIREWALL_SOFTWARE}"
Report "firewall_installed=${FIREWALL_ACTIVE}"
Report "firewall_active=${FIREWALL_ACTIVE}"
Report "firewall_software=${FIREWALL_SOFTWARE}"
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com

58
include/tests_hardening
View File

@ -5,7 +5,7 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -26,13 +26,13 @@
# Notes : No suggestion for hardening compilers, as HRDN-7222 will take care of that
Register --test-no HRDN-7220 --weight L --network NO --description "Check if one or more compilers are installed"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Check if one or more compilers can be found on the system"
LogText "Test: Check if one or more compilers can be found on the system"
if [ ${COMPILER_INSTALLED} -eq 0 ]; then
logtext "Result: no compilers found"
LogText "Result: no compilers found"
Display --indent 4 --text "- Installed compiler(s)" --result "NOT FOUND" --color GREEN
AddHP 3 3
else
logtext "Result: found installed compiler. See top of logfile which compilers have been found or use grep to filter on 'compiler'"
LogText "Result: found installed compiler. See top of logfile which compilers have been found or use grep to filter on 'compiler'"
Display --indent 4 --text "- Installed compiler(s)" --result "FOUND" --color RED
AddHP 1 3
fi
@ -44,18 +44,17 @@
# Description : Check for permissions of installed compilers
Register --test-no HRDN-7222 --weight L --network NO --description "Check compiler permissions"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Check if one or more compilers can be found on the system"
LogText "Test: Check if one or more compilers can be found on the system"
HARDEN_COMPILERS_NEEDED=0
if [ ${COMPILER_INSTALLED} -eq 0 ]; then
logtext "Result: no compilers found"
LogText "Result: no compilers found"
else
# as
if [ ! "${ASBINARY}" = "" ]; then
logtext "Test: Check file permissions for as (Assembler)"
IsWorldExecutable ${ASBINARY}
if [ $? -eq 1 ]; then
logtext "Binary: found ${ASBINARY} (world executable)"
report "compiler[]=${ASBINARY}"
LogText "Test: Check file permissions for as (Assembler)"
if IsWorldExecutable ${ASBINARY}; then
LogText "Binary: found ${ASBINARY} (world executable)"
Report "compiler[]=${ASBINARY}"
AddHP 2 3
HARDEN_COMPILERS_NEEDED=1
else
@ -64,11 +63,10 @@
fi
# gcc
if [ ! "${GCCBINARY}" = "" ]; then
logtext "Test: Check file permissions for GCC compiler"
IsWorldExecutable ${GCCBINARY}
if [ $? -eq 1 ]; then
logtext "Binary: found ${GCCBINARY} (world executable)"
report "compiler[]=${GCCBINARY}"
LogText "Test: Check file permissions for GCC compiler"
if IsWorldExecutable ${GCCBINARY}; then
LogText "Binary: found ${GCCBINARY} (world executable)"
Report "compiler[]=${GCCBINARY}"
AddHP 2 3
HARDEN_COMPILERS_NEEDED=1
else
@ -77,7 +75,7 @@
fi
# Report suggestion is one or more compilers can be better hardened
if [ ${HARDEN_COMPILERS_NEEDED} -eq 1 ]; then
logtext "Result: at least one compiler could be better hardened by restricting executable access to root or group only"
LogText "Result: at least one compiler could be better hardened by restricting executable access to root or group only"
ReportSuggestion ${TEST_NO} "Harden compilers like restricting access to root user only"
fi
@ -96,13 +94,13 @@
# Description : Check for installed malware scanners
Register --test-no HRDN-7230 --weight L --network NO --description "Check for malware scanner"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Check if a malware scanner is installed"
LogText "Test: Check if a malware scanner is installed"
if [ ${MALWARE_SCANNER_INSTALLED} -eq 1 ]; then
logtext "Result: found at least one malware scanner"
LogText "Result: found at least one malware scanner"
Display --indent 4 --text "- Installed malware scanner" --result "FOUND" --color GREEN
AddHP 3 3
else
logtext "Result: no malware scanner found"
LogText "Result: no malware scanner found"
Display --indent 4 --text "- Installed malware scanner" --result "NOT FOUND" --color RED
ReportSuggestion ${TEST_NO} "Harden the system by installing at least one malware scanner, to perform periodic file system scans"
AddHP 1 3
@ -111,21 +109,21 @@
#
#################################################################################
#
# logtext "--------------------------------------------------------------------"
# logtext "| System part | Preferred value | Actual value | Points |"
# logtext "| [!] Compiler installed | 0 | [${COMPILER_INSTALLED}] | x |"
# logtext "| [V] Malware scanner installed | 1 | [x] | x |"
# logtext "| [V] Packet filter enabled | 1 | [x] | x |"
# logtext "--------------------------------------------------------------------"
# logtext "| [!]: Hardening possible, [V]: Hardening performed, [ ]: Unknown "
# logtext "--------------------------------------------------------------------"
# LogText "--------------------------------------------------------------------"
# LogText "| System part | Preferred value | Actual value | Points |"
# LogText "| [!] Compiler installed | 0 | [${COMPILER_INSTALLED}] | x |"
# LogText "| [V] Malware scanner installed | 1 | [x] | x |"
# LogText "| [V] Packet filter enabled | 1 | [x] | x |"
# LogText "--------------------------------------------------------------------"
# LogText "| [!]: Hardening possible, [V]: Hardening performed, [ ]: Unknown "
# LogText "--------------------------------------------------------------------"
#
#################################################################################
#
report "compiler_installed=${COMPILER_INSTALLED}"
Report "compiler_installed=${COMPILER_INSTALLED}"
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com

28
include/tests_homedirs
View File

@ -5,7 +5,7 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
# Copyright 2007-2016, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -33,14 +33,14 @@
Register --test-no HOME-9302 --weight L --network NO --description "Create list with home directories"
if [ ${SKIPTEST} -eq 0 ]; then
# Read sixth field of /etc/passwd
logtext "Test: query /etc/passwd to obtain home directories"
LogText "Test: query /etc/passwd to obtain home directories"
FIND=`${AWKBINARY} -F: '{ if ($1 !~ "#") print $6 }' /etc/passwd | sort -u`
for I in ${FIND}; do
if [ -d ${I} ]; then
logtext "Result: found home directory: ${I} (directory exists)"
report "home_directory[]=${I}"
LogText "Result: found home directory: ${I} (directory exists)"
Report "home_directory[]=${I}"
else
logtext "Result: found home directory: ${I} (directory does not exist)"
LogText "Result: found home directory: ${I} (directory does not exist)"
fi
done
fi
@ -60,18 +60,18 @@
fi
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking shell history files" --result OK --color GREEN
logtext "Result: Ok, history files are type 'file'."
LogText "Result: Ok, history files are type 'file'."
else
Display --indent 2 --text "- Checking shell history files" --result WARNING --color RED
logtext "Result: the following files seem to be of the wrong file type:"
logtext "Output: ${FIND}"
logtext "Info: above files could be redirected files to avoid logging and should be investigated"
LogText "Result: the following files seem to be of the wrong file type:"
LogText "Output: ${FIND}"
LogText "Info: above files could be redirected files to avoid logging and should be investigated"
ReportWarning ${TEST_NO} "M" "Incorrect file type found for shell history file"
fi
logtext "Remarks: History files are normally of the type 'file'. Symbolic links and other types can be riskful."
LogText "Remarks: History files are normally of the type 'file'. Symbolic links and other types can be riskful."
else
Display --indent 2 --text "- Checking shell history files" --result SKIPPED --color WHITE
logtext "Result: Homedirs is empty, test will be skipped"
LogText "Result: Homedirs is empty, test will be skipped"
fi
fi
#
@ -94,9 +94,9 @@
if [ ${SKIPTEST} -eq 0 ]; then
IGNORE_HOME_DIRS=`grep "^config:ignore_home_dir:" ${PROFILE} | awk -F: '{ print $3 }'`
if [ "${IGNORE_HOME_DIRS}" = "" ]; then
logtext "Result: IGNORE_HOME_DIRS empty, no paths excluded"
LogText "Result: IGNORE_HOME_DIRS empty, no paths excluded"
else
logtext "Output: ${IGNORE_HOME_DIRS}"
LogText "Output: ${IGNORE_HOME_DIRS}"
fi
fi
#
@ -107,4 +107,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com

24
include/tests_insecure_services
View File

@ -5,7 +5,7 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -32,14 +32,14 @@
Register --test-no INSE-8002 --weight L --network NO --description "Check for enabled inet daemon"
if [ ${SKIPTEST} -eq 0 ]; then
# Check running processes
logtext "Test: Searching for active inet daemon"
LogText "Test: Searching for active inet daemon"
IsRunning inetd
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: inetd is running"
LogText "Result: inetd is running"
Display --indent 2 --text "- Checking inetd status" --result ACTIVE --color GREEN
INETD_ACTIVE=1
else
logtext "Result: inetd is NOT running"
LogText "Result: inetd is NOT running"
Display --indent 2 --text "- Checking inetd status" --result "NOT ACTIVE" --color GREEN
fi
fi
@ -52,12 +52,12 @@
Register --test-no INSE-8004 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for enabled inet daemon"
if [ ${SKIPTEST} -eq 0 ]; then
# Check configuration file
logtext "Test: Searching for file ${INETD_CONFIG_FILE}"
LogText "Test: Searching for file ${INETD_CONFIG_FILE}"
if [ -f ${INETD_CONFIG_FILE} ]; then
logtext "Result: ${INETD_CONFIG_FILE} exists"
LogText "Result: ${INETD_CONFIG_FILE} exists"
Display --indent 4 --text "- Checking inetd.conf" --result FOUND --color WHITE
else
logtext "Result: ${INETD_CONFIG_FILE} does not exist"
LogText "Result: ${INETD_CONFIG_FILE} does not exist"
Display --indent 4 --text "- Checking inetd.conf" --result "NOT FOUND" --color WHITE
fi
fi
@ -70,7 +70,7 @@
Register --test-no INSE-8006 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check configuration of inetd when disabled"
if [ ${SKIPTEST} -eq 0 ]; then
# Check if any service is enabled in /etc/inetd.conf (inetd is not active, see test 8002)
logtext "Test: check if all services are disabled if inetd is disabled"
LogText "Test: check if all services are disabled if inetd is disabled"
FIND=`grep -v "^#" ${INETD_CONFIG_FILE} | grep -v "^$"`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking inetd.conf services" --result OK --color GREEN
@ -87,14 +87,14 @@
if [ ${INETD_ACTIVE} -eq 1 -a -f ${INETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no INSE-8016 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for telnet via inetd"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking telnet presence in inetd configuration"
LogText "Test: checking telnet presence in inetd configuration"
FIND=`grep "^telnet" ${INETD_CONFIG_FILE}`
if [ "${FIND}" = "" ]; then
logtext "Result: telnet not enabled in ${INETD_CONFIG_FILE}"
LogText "Result: telnet not enabled in ${INETD_CONFIG_FILE}"
Display --indent 2 --text "- Checking inetd (telnet)" --result "NOT FOUND" --color GREEN
AddHP 3 3
else
logtext "Result: telnet enabled in ${INETD_CONFIG_FILE}"
LogText "Result: telnet enabled in ${INETD_CONFIG_FILE}"
Display --indent 2 --text "- Checking inetd (telnet)" --result WARNING --color RED
ReportSuggestion "${TEST_NO}" "Disable telnet in inetd configuration and use SSH instead"
AddHP 1 3
@ -108,4 +108,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com

246
include/tests_kernel
View File

@ -5,7 +5,7 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
# Copyright 2007-2016, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -35,56 +35,56 @@
Register --test-no KRNL-5622 --os Linux --weight L --network NO --description "Determine Linux default run level"
if [ ${SKIPTEST} -eq 0 ]; then
# Checking if we can find the systemd default target
logtext "Test: Checking for systemd default.target"
LogText "Test: Checking for systemd default.target"
if [ -L /etc/systemd/system/default.target ]; then
logtext "Result: symlink found"
LogText "Result: symlink found"
if [ ! "${READLINKBINARY}" = "" ]; then
FIND=`${READLINKBINARY} /etc/systemd/system/default.target`
if [ "${FIND}" = "" ]; then
logtext "Exception: can't find the target of the symlink of /etc/systemd/system/default.target"
LogText "Exception: can't find the target of the symlink of /etc/systemd/system/default.target"
ReportException "${TEST_NO}:01"
else
FIND2=`echo ${FIND} | egrep "runlevel5|graphical"`
if [ ! "${FIND2}" = "" ]; then
logtext "Result: Found match on runlevel5/graphical"
LogText "Result: Found match on runlevel5/graphical"
Display --indent 2 --text "- Checking default runlevel" --result "runlevel 5" --color GREEN
report "linux_default_runlevel=5"
Report "linux_default_runlevel=5"
else
logtext "Result: No match found on runlevel, defaulting to runlevel 3"
LogText "Result: No match found on runlevel, defaulting to runlevel 3"
Display --indent 2 --text "- Checking default runlevel" --result "runlevel 3" --color GREEN
report "linux_default_runlevel=3"
Report "linux_default_runlevel=3"
fi
fi
else
logtext "Result: No readlink binary, can't determine where symlink is pointing to"
LogText "Result: No readlink binary, can't determine where symlink is pointing to"
Display --indent 2 --text "- Checking default run level" --result UNKNOWN --color YELLOW
fi
else
logtext "Result: no systemd found, so trying inittab"
logtext "Test: Checking /etc/inittab"
LogText "Result: no systemd found, so trying inittab"
LogText "Test: Checking /etc/inittab"
if [ -f /etc/inittab ]; then
logtext "Result: file /etc/inittab found"
logtext "Test: Checking default Linux run level"
LogText "Result: file /etc/inittab found"
LogText "Test: Checking default Linux run level"
FIND=`awk -F: '/^id/ { print $2; }' /etc/inittab | head -n 1`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking default runlevel" --result UNKNOWN --color YELLOW
logtext "Result: Can't determine default run level from /etc/inittab"
LogText "Result: Can't determine default run level from /etc/inittab"
else
Display --indent 2 --text "- Checking default run level" --result "${FIND}" --color GREEN
logtext "Found default run level '${FIND}'"
report "linux_default_runlevel=${FIND}"
LogText "Found default run level '${FIND}'"
Report "linux_default_runlevel=${FIND}"
fi
else
logtext "Result: file /etc/inittab not found"
LogText "Result: file /etc/inittab not found"
if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then
logtext "Test: Checking run level with who -r, for Debian based systems"
LogText "Test: Checking run level with who -r, for Debian based systems"
FIND=`who -r | awk '{ if ($1=="run-level") { print $2 } }'`
if [ ! "${FIND}" = "" ]; then
logtext "Result: Found default run level '${FIND}'"
report "linux_default_runlevel=${FIND}"
LogText "Result: Found default run level '${FIND}'"
Report "linux_default_runlevel=${FIND}"
Display --indent 2 --text "- Checking default run level" --result "RUNLEVEL ${FIND}" --color GREEN
else
logtext "Result: Can't determine default run level from who -r"
LogText "Result: Can't determine default run level from who -r"
Display --indent 2 --text "- Checking default run level" --result UNKNOWN --color YELLOW
fi
fi
@ -101,37 +101,37 @@
Register --test-no KRNL-5677 --os Linux --weight L --network NO --description "Check CPU options and support"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Checking CPU support (NX/PAE)"
logtext "Test: Checking /proc/cpuinfo"
LogText "Test: Checking /proc/cpuinfo"
if [ -f /proc/cpuinfo ]; then
logtext "Result: found /proc/cpuinfo"
logtext "Test: Checking CPU options (XD/NX/PAE)"
LogText "Result: found /proc/cpuinfo"
LogText "Test: Checking CPU options (XD/NX/PAE)"
FIND_PAE_NX=`grep " pae " /proc/cpuinfo | grep " nx "`
FIND_PAE=`grep " pae " /proc/cpuinfo`
FIND_NX=`grep " nx " /proc/cpuinfo`
FOUND=0
if [ ! "${FIND_PAE_NX}" = "" ]; then
logtext "PAE: Yes"
logtext "NX: Yes"
LogText "PAE: Yes"
LogText "NX: Yes"
CPU_PAE=1
CPU_NX=1
logtext "Result: PAE or No eXecute option(s) both found"
report "cpu_pae=1"
report "cpu_nx=1"
LogText "Result: PAE or No eXecute option(s) both found"
Report "cpu_pae=1"
Report "cpu_nx=1"
FOUND=1
else
if [ ! "${FIND_PAE}" = "" -a "${FIND_NX}" = "" ]; then
report "cpu_pae=1"
logtext "Result: found PAE"
Report "cpu_pae=1"
LogText "Result: found PAE"
CPU_PAE=1
FOUND=1
else
if [ ! "${FIND_NX}" = "" -a "${FIND_PAE}" = "" ]; then
report "cpu_nx=1"
logtext "Result: found No eXecute"
Report "cpu_nx=1"
LogText "Result: found No eXecute"
CPU_NX=1
FOUND=1
else
logtext "Result: found no CPU options enabled (PAE or NX bit)"
LogText "Result: found no CPU options enabled (PAE or NX bit)"
fi
fi
fi
@ -143,7 +143,7 @@
fi
else
Display --indent 4 --text "CPU support: no /proc/cpuinfo" --result SKIPPED --color YELLOW
logtext "Result: /proc/cpuinfo not found"
LogText "Result: /proc/cpuinfo not found"
fi
fi
#
@ -162,12 +162,12 @@
if [ ${SKIPTEST} -eq 0 ]; then
# Kernel number (and suffix)
LINUX_KERNEL_RELEASE=`uname -r`
report "linux_kernel_release=${LINUX_KERNEL_RELEASE}"
logtext "Result: found kernel release ${LINUX_KERNEL_RELEASE}"
Report "linux_kernel_release=${LINUX_KERNEL_RELEASE}"
LogText "Result: found kernel release ${LINUX_KERNEL_RELEASE}"
# Type and build date
LINUX_KERNEL_VERSION=`uname -v`
report "linux_kernel_version=${LINUX_KERNEL_VERSION}"
logtext "Result: found kernel version ${LINUX_KERNEL_VERSION}"
Report "linux_kernel_version=${LINUX_KERNEL_VERSION}"
LogText "Result: found kernel version ${LINUX_KERNEL_VERSION}"
Display --indent 2 --text "- Checking kernel version and release" --result DONE --color GREEN
fi
#
@ -178,21 +178,21 @@
Register --test-no KRNL-5723 --os Linux --weight L --network NO --description "Determining if Linux kernel is monolithic"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${LSMODBINARY}" = "" -a -f /proc/modules ]; then
logtext "Test: checking if kernel is monolithic or modular"
LogText "Test: checking if kernel is monolithic or modular"
# Checking if any modules are loaded
FIND=`${LSMODBINARY} | grep -v "^Module" | wc -l | tr -s ' ' | tr -d ' '`
Display --indent 2 --text "- Checking kernel type" --result DONE --color GREEN
if [ "${FIND}" = "0" ]; then
logtext "Result: Found monolithic kernel"
report "linux_kernel_type=monolithic"
LogText "Result: Found monolithic kernel"
Report "linux_kernel_type=monolithic"
MONOLITHIC_KERNEL=1
else
logtext "Result: Found modular kernel"
report "linux_kernel_type=modular"
LogText "Result: Found modular kernel"
Report "linux_kernel_type=modular"
MONOLITHIC_KERNEL=0
fi
else
logtext "Test skipped, lsmod binary not found or /proc/modules can not be opened"
LogText "Test skipped, lsmod binary not found or /proc/modules can not be opened"
fi
fi
#
@ -206,20 +206,20 @@
FIND=`lsmod | awk '{ if ($1!="Module") print $1 }' | sort`
Display --indent 2 --text "- Checking loaded kernel modules" --result DONE --color GREEN
if [ ! "${FIND}" = "" ]; then
logtext "Loaded modules according lsmod:"
LogText "Loaded modules according lsmod:"
N=0
for I in ${FIND}; do
logtext "Loaded module: ${I}"
report "loaded_kernel_module[]=${I}"
LogText "Loaded module: ${I}"
Report "loaded_kernel_module[]=${I}"
N=`expr ${N} + 1`
done
Display --indent 6 --text "Found ${N} active modules"
else
logtext "Result: no loaded modules found"
logtext "Notice: No loaded kernel modules could indicate a broken/malformed lsmod, or a (custom) monolithic kernel"
LogText "Result: no loaded modules found"
LogText "Notice: No loaded kernel modules could indicate a broken/malformed lsmod, or a (custom) monolithic kernel"
fi
else
logtext "Test skipped, lsmod binary not found or /proc/modules can not be opened"
LogText "Test skipped, lsmod binary not found or /proc/modules can not be opened"
fi
fi
#
@ -232,19 +232,19 @@
CHECKFILE="/boot/config-`uname -r`"
if [ -f ${CHECKFILE} ]; then
LINUXCONFIGFILE="${CHECKFILE}"
logtext "Result: found config (${LINUXCONFIGFILE})"
LogText "Result: found config (${LINUXCONFIGFILE})"
Display --indent 2 --text "- Checking Linux kernel configuration file" --result FOUND --color GREEN
elif [ -f /proc/config.gz ]; then
LINUXCONFIGFILE="${CHECKFILE}"
LINUXCONFIGFILE_ZIPPED=1
logtext "Result: found config: /proc/config.gz (compressed)"
LogText "Result: found config: /proc/config.gz (compressed)"
Display --indent 2 --text "- Checking Linux kernel configuration file" --result FOUND --color GREEN
else
logtext "Result: no Linux kernel configuration file found in /boot"
LogText "Result: no Linux kernel configuration file found in /boot"
Display --indent 2 --text "- Checking Linux kernel configuration file" --result "NOT FOUND" --color WHITE
fi
if [ ! "${LINUXCONFIGFILE}" = "" ]; then
report "linux_config_file=${LINUXCONFIGFILE}"
Report "linux_config_file=${LINUXCONFIGFILE}"
fi
fi
#
@ -262,14 +262,14 @@
if [ ${SKIPTEST} -eq 0 ]; then
if [ ${LINUXCONFIGFILE_ZIPPED} -eq 1 ]; then GREPTOOL="${ZGREPBINARY}"; else GREPTOOL="${GREPBINARY}"; fi
if [ ! "${GREPTOOL}" = "" ]; then
logtext "Test: Checking the default I/O kernel scheduler"
LogText "Test: Checking the default I/O kernel scheduler"
LINUX_KERNEL_IOSCHED=`${GREPTOOL} "CONFIG_DEFAULT_IOSCHED" ${LINUXCONFIGFILE} | awk -F= '{ print $2 }' | sed s/\"//g`
if [ ! "${LINUX_KERNEL_IOSCHED}" = "" ]; then
logtext "Result: found IO scheduler '${LINUX_KERNEL_IOSCHED}'"
LogText "Result: found IO scheduler '${LINUX_KERNEL_IOSCHED}'"
Display --indent 2 --text "- Checking default I/O kernel scheduler" --result FOUND --color GREEN
report "linux_kernel_io_scheduler[]=${LINUX_KERNEL_IOSCHED}"
Report "linux_kernel_io_scheduler[]=${LINUX_KERNEL_IOSCHED}"
else
logtext "Result: no default i/o kernel scheduler found"
LogText "Result: no default i/o kernel scheduler found"
Display --indent 2 --text "- Checking default I/O kernel scheduler" --result "NOT FOUND" --color WHITE
fi
else
@ -284,27 +284,27 @@
Register --test-no KRNL-5745 --os FreeBSD --weight L --network NO --description "Checking FreeBSD loaded kernel modules"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Checking active kernel modules"
logtext "Test: Active kernel modules (KLDs)"
logtext "Description: View all active kernel modules (including kernel)"
logtext "Test: Checking modules"
LogText "Test: Active kernel modules (KLDs)"
LogText "Description: View all active kernel modules (including kernel)"
LogText "Test: Checking modules"
if [ -f /sbin/kldstat ]; then
FIND=`kldstat | grep -v 'Name' | tr -s ' ' | cut -d ' ' -f6`
if [ $? -eq 0 ]; then
logtext "Loaded modules according kldstat:"
LogText "Loaded modules according kldstat:"
N=0
for I in ${FIND}; do
logtext "Loaded module: ${I}"
report "loaded_kernel_module[]=${I}"
LogText "Loaded module: ${I}"
Report "loaded_kernel_module[]=${I}"
N=`expr ${N} + 1`
done
Display --indent 4 --text "Found ${N} kernel modules" --result DONE --color GREEN
else
Display --indent 4 --text "Test failed" --result WARNING --color RED
logtext "Result: Problem with executing kldstat"
LogText "Result: Problem with executing kldstat"
fi
else
echo "[ ${WHITE}SKIPPED${NORMAL} ]"
logtext "Result: no results, can't find /sbin/kldstat"
LogText "Result: no results, can't find /sbin/kldstat"
fi
fi
#
@ -314,16 +314,16 @@
# Description : Checking Solaris load modules
Register --test-no KRNL-5770 --os Solaris --weight L --network NO --description "Checking active kernel modules"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: searching loaded kernel modules"
LogText "Test: searching loaded kernel modules"
FIND=`modinfo -c -w | grep -v "UNLOADED" | grep LOADED | awk '{ print $3 }' | sort`
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
logtext "Found module: ${I}"
report "loaded_kernel_module[]=${I}"
LogText "Found module: ${I}"
Report "loaded_kernel_module[]=${I}"
done
Display --indent 2 --text "- Checking Solaris active kernel modules" --result DONE --color GREEN
else
logtext "Result: no output"
LogText "Result: no output"
Display --indent 2 --text "- Checking Solaris active kernel modules" --result UNKNOWN --color YELLOW
fi
fi
@ -335,38 +335,38 @@
if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no KRNL-5788 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking availability new Linux kernel"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching apt-cache, to determine if a newer kernel is available"
LogText "Test: Searching apt-cache, to determine if a newer kernel is available"
if [ -x /usr/bin/apt-cache ]; then
logtext "Result: found /usr/bin/apt-cache"
logtext "Test: checking readlink location of /vmlinuz"
LogText "Result: found /usr/bin/apt-cache"
LogText "Test: checking readlink location of /vmlinuz"
FINDKERNFILE=`readlink -f /vmlinuz`
logtext "Output: readlink reported file ${FINDKERNFILE}"
logtext "Test: checking package from dpkg -S"
LogText "Output: readlink reported file ${FINDKERNFILE}"
LogText "Test: checking package from dpkg -S"
FINDKERNEL=`dpkg -S ${FINDKERNFILE} 2> /dev/null | awk -F : '{print $1}'`
logtext "Output: dpkg -S reported package ${FINDKERNEL}"
logtext "Test: Using apt-cache policy to determine if there is an update available"
LogText "Output: dpkg -S reported package ${FINDKERNEL}"
LogText "Test: Using apt-cache policy to determine if there is an update available"
FINDINST=`apt-cache policy ${FINDKERNEL} | egrep 'Installed' | cut -d ':' -f2 | tr -d ' '`
FINDCAND=`apt-cache policy ${FINDKERNEL} | egrep 'Candidate' | cut -d ':' -f2 | tr -d ' '`
logtext "Kernel installed: ${FINDINST}"
logtext "Kernel candidate: ${FINDCAND}"
LogText "Kernel installed: ${FINDINST}"
LogText "Kernel candidate: ${FINDCAND}"
if [ "${FINDINST}" = "" ]; then
Display --indent 2 --text "- Checking for available kernel update" --result UNKNOWN --color YELLOW
logtext "Result: Exception occured, no output from apt-cache policy"
LogText "Result: Exception occured, no output from apt-cache policy"
ReportException "${TEST_NO}:01"
logtext "Exception: apt-cache policy did not return an installed kernel version"
LogText "Exception: apt-cache policy did not return an installed kernel version"
ReportSuggestion ${TEST_NO} "Check the output of apt-cache policy manually to determine why output is empty"
else
if [ "${FINDINST}" = "${FINDCAND}" ]; then
Display --indent 2 --text "- Checking for available kernel update" --result OK --color GREEN
logtext "Result: no kernel update available"
LogText "Result: no kernel update available"
else
Display --indent 2 --text "- Checking for available kernel update" --result "UPDATE AVAILABLE" --color YELLOW
logtext "Result: kernel update available according 'apt-cache policy'."
LogText "Result: kernel update available according 'apt-cache policy'."
ReportSuggestion ${TEST_NO} "Determine priority for available kernel update"
fi
fi
else
logtext "Result: could NOT find /usr/bin/apt-cache, skipped other tests."
LogText "Result: could NOT find /usr/bin/apt-cache, skipped other tests."
fi
fi
#
@ -376,50 +376,50 @@
# Description : Checking core dumps configuration (Linux)
Register --test-no KRNL-5820 --os Linux --weight L --network NO --description "Checking core dumps configuration"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking presence /etc/security/limits.conf"
LogText "Test: Checking presence /etc/security/limits.conf"
if [ -f /etc/security/limits.conf ]; then
logtext "Result: file /etc/security/limits.conf exists"
logtext "Test: Checking if core dumps are disabled in /etc/security/limits.conf"
LogText "Result: file /etc/security/limits.conf exists"
LogText "Test: Checking if core dumps are disabled in /etc/security/limits.conf"
FIND1=`grep -v "^#" /etc/security/limits.conf | grep -v "^$" | awk '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="1") { print "soft core enabled" } }'`
FIND2=`grep -v "^#" /etc/security/limits.conf | grep -v "^$" | awk '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="1") { print "hard core enabled" } }'`
if [ "${FIND1}" = "soft core enabled" -o "${FIND2}" = "hard core enabled" ]; then
logtext "Result: core dumps (soft or hard) are enabled"
LogText "Result: core dumps (soft or hard) are enabled"
Display --indent 2 --text "- Checking core dumps configuration" --result ENABLED --color YELLOW
AddSuggestion "${TEST_NO}" "Check if core dumps need to be enabled on this system"
AddHP 1 2
else
logtext "Result: core dumps (soft and hard) are both disabled"
LogText "Result: core dumps (soft and hard) are both disabled"
Display --indent 2 --text "- Checking core dumps configuration" --result DISABLED --color GREEN
CORE_DUMPS_DISABLED=1
AddHP 3 3
fi
# Sysctl option
logtext "Test: Checking sysctl value of fs.suid_dumpable"
LogText "Test: Checking sysctl value of fs.suid_dumpable"
FIND=`${SYSCTLBINARY} fs.suid_dumpable 2> /dev/null | awk '{ if ($1=="fs.suid_dumpable") { print $3 } }'`
if [ "${FIND}" = "" ]; then
logtext "Result: value ${FIND} found"
LogText "Result: value ${FIND} found"
else
logtext "Result: sysctl key fs.suid_dumpable not found"
LogText "Result: sysctl key fs.suid_dumpable not found"
fi
if [ "${FIND}" = "2" ]; then
logtext "Result: programs can dump core dump, but only readable by root (value 2, for debugging with file protection)"
LogText "Result: programs can dump core dump, but only readable by root (value 2, for debugging with file protection)"
Display --indent 4 --text "- Checking setuid core dumps configuration" --result PROTECTED --color GREEN
AddHP 1 1
elif [ "${FIND}" = "1" ]; then
logtext "Result: all programs can perform core dumps (value 1, for debugging)"
LogText "Result: all programs can perform core dumps (value 1, for debugging)"
Display --indent 2 --text "- Checking setuid core dumps configuration" --result DEBUG --color YELLOW
ReportSuggestion ${TEST_NO} "Determine if really all binaries need to be able to core dump"
AddHP 0 1
else
logtext "Result: found default option, some programs can dump (not processes which need to change credentials)"
LogText "Result: found default option, some programs can dump (not processes which need to change credentials)"
Display --indent 4 --text "- Checking setuid core dumps configuration" --result DEFAULT --color YELLOW
AddHP 1 1
fi
# Check ulimit settings and harden it
# echo 'ulimit -S -c 0 > /dev/null 2>&1' >> /etc/profile
else
logtext "Result: file /etc/security/limits.conf does not exist, skipping test"
LogText "Result: file /etc/security/limits.conf does not exist, skipping test"
fi
fi
#
@ -438,31 +438,31 @@
if [ ${SKIPTEST} -eq 0 ]; then
REBOOT_NEEDED=2
FILE="/var/run/reboot-required.pkgs"
logtext "Test: Checking presence ${FILE}"
LogText "Test: Checking presence ${FILE}"
if [ -f ${FILE} ]; then
logtext "Result: file ${FILE} exists"
LogText "Result: file ${FILE} exists"
FIND=`cat ${FILE}`
if [ "${FIND}" = "" ]; then
logtext "Result: No reboot needed (file empty)"
LogText "Result: No reboot needed (file empty)"
REBOOT_NEEDED=0
else
PKGSCOUNT=`cat ${FILE} | wc -l`
logtext "Result: reboot is needed, related to ${PKGSCOUNT} packages"
LogText "Result: reboot is needed, related to ${PKGSCOUNT} packages"
for I in ${FIND}; do
logtext "Package: ${I}"
LogText "Package: ${I}"
done
REBOOT_NEEDED=1
fi
else
logtext "Result: file ${FILE} not found"
LogText "Result: file ${FILE} not found"
fi
# Check if /boot exists
if [ -d /boot ]; then
logtext "Result: /boot exists, performing more tests from here"
LogText "Result: /boot exists, performing more tests from here"
FIND=`ls /boot/* 2> /dev/null`
if [ ! "${FIND}" = "" ]; then
if [ -f /boot/vmlinuz -a ! -L /boot/vmlinuz ]; then
logtext "Result: found /boot/vmlinuz (not symlinked)"
LogText "Result: found /boot/vmlinuz (not symlinked)"
NEXTLINE=0
FINDVERSION=""
for I in `file /boot/vmlinuz-linux`; do
@ -476,40 +476,40 @@
if [ ! "${FINDVERSION}" = "" ]; then
CURRENT_KERNEL=`uname -r`
if [ ! "${CURRENT_KERNEL}" = "${FINDVERSION}" ]; then
logtext "Result: reboot needed, as current kernel is different than the one loaded"
LogText "Result: reboot needed, as current kernel is different than the one loaded"
REBOOT_NEEDED=1
fi
else
ReportException "${TEST_NO}:1" "Can't determine kernel version on disk, need debug data"
fi
elif [ -f /boot/vmlinuz-linux ]; then
logtext "Result: /found /boot/vmlinuz-linux (usually Arch Linux or similar)"
logtext "Test: checking kernel version on disk"
LogText "Result: /found /boot/vmlinuz-linux (usually Arch Linux or similar)"
LogText "Test: checking kernel version on disk"
VERSION_ON_DISK=`file -b /boot/vmlinuz-linux | awk '{ if ($1=="Linux" && $7=="version") { print $8 }}'`
if [ ! "${VERSION_ON_DISK}" = "" ]; then
logtext "Result: found version ${VERSION_ON_DISK}"
LogText "Result: found version ${VERSION_ON_DISK}"
ACTIVE_KERNEL=`uname -r`
logtext "Result: active kernel version ${ACTIVE_KERNEL}"
LogText "Result: active kernel version ${ACTIVE_KERNEL}"
if [ "${VERSION_ON_DISK}" = "${ACTIVE_KERNEL}" ]; then
REBOOT_NEEDED=0
logtext "Result: no reboot needed, active kernel is the same version as the one on disk"
LogText "Result: no reboot needed, active kernel is the same version as the one on disk"
else
REBOOT_NEEDED=1
logtext "Result: reboot needed, as there is a difference between active kernel and the one on disk"
LogText "Result: reboot needed, as there is a difference between active kernel and the one on disk"
fi
else
logtext "Result: could not find the version on disk"
LogText "Result: could not find the version on disk"
ReportException "${TEST_NO}:4" "Could not find the kernel version from /boot/vmlinux-linux"
fi
else
if [ -L /boot/vmlinuz ]; then
logtext "Result: found symlink of /boot/vmlinuz, skipping file"
LogText "Result: found symlink of /boot/vmlinuz, skipping file"
else
logtext "Result: /boot/vmlinuz not on disk, trying to find /boot/vmlinuz*"
LogText "Result: /boot/vmlinuz not on disk, trying to find /boot/vmlinuz*"
fi
# Extra current kernel version and replace dashes to allow numeric sort later on
MYKERNEL=`uname -r | sed 's/\.[a-z].*.//g' | sed 's/-[a-z].*.//g' | sed 's/-/./g'`
logtext "Result: using ${MYKERNEL} as my kernel version (stripped)"
LogText "Result: using ${MYKERNEL} as my kernel version (stripped)"
FIND=`ls /boot/vmlinuz* 2> /dev/null`
if [ ! "${FIND}" = "" ]; then
# Display kernels, extract version numbers and sort them numeric per column (up to 6 numbers)
@ -528,14 +528,14 @@
for I in ${KERNELS}; do
# Check if we already found a kernel and it is not equal to what we run (e.g. double versions may exist)
if [ ${FOUND_KERNEL} -eq 1 -a ! "${MYKERNEL}" = "${I}" ]; then
logtext "Result: found a kernel (${I}) later than running one (${MYKERNEL})"
LogText "Result: found a kernel (${I}) later than running one (${MYKERNEL})"
REBOOT_NEEDED=1
fi
if [ "${MYKERNEL}" = "${I}" ]; then
FOUND_KERNEL=1
logtext "Result: Found ${I} (= our kernel)"
LogText "Result: Found ${I} (= our kernel)"
else
logtext "Result: Found ${I}"
LogText "Result: Found ${I}"
fi
done
# Check if we at least found the kernel on disk
@ -544,7 +544,7 @@
else
# If we are not sure yet reboot it needed, but we found running kernel as last one on disk, we run latest kernel
if [ ${REBOOT_NEEDED} -eq 2 ]; then
logtext "Result: we found our kernel on disk as last entry, so seems to be up-to-date"
LogText "Result: we found our kernel on disk as last entry, so seems to be up-to-date"
REBOOT_NEEDED=0
fi
fi
@ -552,10 +552,10 @@
fi
# No files in /boot
else
logtext "Result: Skipping this test, as there are no files in /boot"
LogText "Result: Skipping this test, as there are no files in /boot"
fi
else
logtext "Result: /boot does not exist"
LogText "Result: /boot does not exist"
fi
# Display discovered status
@ -578,4 +578,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2016, CISOfy - https://cisofy.com

10
include/tests_kernel_hardening
View File

@ -5,7 +5,7 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
# Copyright 2007-2016, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -39,17 +39,17 @@
tFINDcurvalue=`${SYSCTL_READKEY} ${tFINDkey} 2> /dev/null`
if [ ! "${tFINDcurvalue}" = "" ]; then
if [ "${tFINDexpvalue}" = "${tFINDcurvalue}" ]; then
logtext "Result: sysctl key ${tFINDkey} contains equal expected and current value (${tFINDexpvalue})"
LogText "Result: sysctl key ${tFINDkey} contains equal expected and current value (${tFINDexpvalue})"
Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result OK --color GREEN
AddHP ${tFINDhp} ${tFINDhp}
else
logtext "Result: sysctl key ${tFINDkey} has a different value than expected in scan profile. Expected=${tFINDexpvalue}, Real=${tFINDcurvalue}"
LogText "Result: sysctl key ${tFINDkey} has a different value than expected in scan profile. Expected=${tFINDexpvalue}, Real=${tFINDcurvalue}"
Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result DIFFERENT --color RED
AddHP 0 ${tFINDhp}
N=1
fi
else
logtext "Result: key ${tFINDkey} does not exist on this machine"
LogText "Result: key ${tFINDkey} does not exist on this machine"
fi
done
@ -66,4 +66,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com

14
include/tests_ldap
View File

@ -5,7 +5,7 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -36,10 +36,10 @@
IsRunning slapd
if [ ${RUNNING} -eq 0 ]; then
Display --indent 2 --text "- Checking OpenLDAP instance" --result "NOT FOUND" --color WHITE
logtext "Result: No running slapd process found."
LogText "Result: No running slapd process found."
else
Display --indent 2 --text "- Checking OpenLDAP instance" --result FOUND --color GREEN
logtext "Result: Found running slapd process"
LogText "Result: Found running slapd process"
SLAPDFOUND=1
SLAPD_RUNNING=1
fi
@ -52,13 +52,13 @@
if [ ${SLAPD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LDAP-2224 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check presence slapd.conf"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching slapd.conf"
LogText "Test: Searching slapd.conf"
for I in ${SLAPD_CONF_LOCS}; do
if [ -f ${I}/slapd.conf ]; then
logtext "Result: found ${I}/slapd.conf"
LogText "Result: found ${I}/slapd.conf"
SLAPD_CONF_LOCATION="${I}/slapd.conf"
else
logtext "Result: ${I} does not contain slapd.conf"
LogText "Result: ${I} does not contain slapd.conf"
fi
done
# Check if we found a valid location
@ -101,4 +101,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com

162
include/tests_logging
View File

@ -5,7 +5,7 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -38,17 +38,17 @@
# Description : Check for a running syslog daemon
Register --test-no LOGG-2130 --weight L --network NO --description "Check for running syslog daemon"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching for a logging daemon"
LogText "Test: Searching for a logging daemon"
FIND=`${PSBINARY} ax | egrep "syslogd|syslog-ng|metalog|systemd-journal" | grep -v "grep"`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking for a running log daemon" --result WARNING --color RED
logtext "Result: Could not find a syslog daemon like syslog, syslog-ng, rsyslog, metalog, systemd-journal"
LogText "Result: Could not find a syslog daemon like syslog, syslog-ng, rsyslog, metalog, systemd-journal"
ReportSuggestion ${TEST_NO} "Check if any syslog daemon is running and correctly configured."
ReportWarning ${TEST_NO} "H" "No syslog daemon found"
AddHP 0 3
else
Display --indent 2 --text "- Checking for a running log daemon" --result OK --color GREEN
logtext "Result: Found a logging daemon"
LogText "Result: Found a logging daemon"
SYSLOG_DAEMON_PRESENT=1
SYSLOG_DAEMON_RUNNING=1
AddHP 3 3
@ -61,15 +61,15 @@
# Description : Check for a running syslog-ng daemon
Register --test-no LOGG-2132 --weight L --network NO --description "Check for running syslog-ng daemon"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching for syslog-ng daemon in process list"
LogText "Test: Searching for syslog-ng daemon in process list"
IsRunning syslog-ng
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: Found syslog-ng in process list"
LogText "Result: Found syslog-ng in process list"
Display --indent 4 --text "- Checking Syslog-NG status" --result FOUND --color GREEN
SYSLOG_DAEMON_PRESENT=1
SYSLOG_NG_RUNNING=1
else
logtext "Result: Syslog-ng NOT found in process list"
LogText "Result: Syslog-ng NOT found in process list"
Display --indent 4 --text "- Checking Syslog-NG status" --result "NOT FOUND" --color WHITE
fi
fi
@ -83,10 +83,10 @@
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${SYSLOGNGBINARY} -s; echo $?`
if [ "${FIND}" = "0" ]; then
logtext "Result: Syslog-NG configuration file seems to be consistent"
LogText "Result: Syslog-NG configuration file seems to be consistent"
Display --indent 6 --text "- Checking Syslog-NG consistency" --result OK --color GREEN
else
logtext "Result: Syslog-NG configuration file seems NOT to be consistent"
LogText "Result: Syslog-NG configuration file seems NOT to be consistent"
Display --indent 6 --text "- Checking Syslog-NG consistency" --result WARNING --color RED
ReportWarning ${TEST_NO} "L" "Found one or more problems in Syslog-NG configuration file"
ReportSuggestion ${TEST_NO} "Check the Syslog-NG configuration file and/or run a manual consistency check with: syslog-ng -s"
@ -99,7 +99,7 @@
# Description : Check for a running systemd-journal daemon
Register --test-no LOGG-2136 --weight L --network NO --description "Check for running systemd journal daemon"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching for systemd journal daemon in process list"
LogText "Test: Searching for systemd journal daemon in process list"
IsRunning systemd-journal
if [ ${RUNNING} -eq 1 ]; then
Display --indent 4 --text "- Checking systemd journal status" --result FOUND --color GREEN
@ -115,15 +115,15 @@
# Description : Check for a running metalog daemon
Register --test-no LOGG-2210 --weight L --network NO --description "Check for running metalog daemon"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching for metalog daemon in process list"
LogText "Test: Searching for metalog daemon in process list"
IsRunning metalog
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: Found metalog in process list"
LogText "Result: Found metalog in process list"
Display --indent 4 --text "- Checking Metalog status" --result FOUND --color GREEN
SYSLOG_DAEMON_PRESENT=1
METALOG_RUNNING=1
else
logtext "Result: metalog NOT found in process list"
LogText "Result: metalog NOT found in process list"
Display --indent 4 --text "- Checking Metalog status" --result "NOT FOUND" --color WHITE
fi
fi
@ -134,15 +134,15 @@
# Description : Check for a running rsyslog daemon
Register --test-no LOGG-2230 --weight L --network NO --description "Check for running RSyslog daemon"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching for RSyslog daemon in process list"
LogText "Test: Searching for RSyslog daemon in process list"
IsRunning rsyslogd
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: Found rsyslogd in process list"
LogText "Result: Found rsyslogd in process list"
Display --indent 4 --text "- Checking RSyslog status" --result FOUND --color GREEN
SYSLOG_DAEMON_PRESENT=1
RSYSLOG_RUNNING=1
else
logtext "Result: rsyslogd NOT found in process list"
LogText "Result: rsyslogd NOT found in process list"
Display --indent 4 --text "- Checking RSyslog status" --result "NOT FOUND" --color WHITE
fi
fi
@ -153,15 +153,15 @@
# Description : Check for a running RFC 3195 compliant daemon (syslog via TCP)
Register --test-no LOGG-2240 --weight L --network NO --description "Check for running RFC 3195 compliant daemon"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching for RFC 3195 daemon (alias syslog reliable) in process list"
LogText "Test: Searching for RFC 3195 daemon (alias syslog reliable) in process list"
IsRunning rfc3195d
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: Found rfc3195d in process list"
LogText "Result: Found rfc3195d in process list"
Display --indent 4 --text "- Checking RFC 3195 daemon status" --result FOUND --color GREEN
SYSLOG_DAEMON_PRESENT=1
RFC3195D_RUNNING=1
else
logtext "Result: rfc3195d NOT found in process list"
LogText "Result: rfc3195d NOT found in process list"
Display --indent 4 --text "- Checking RFC 3195 daemon status" --result "NOT FOUND" --color WHITE
fi
fi
@ -176,21 +176,21 @@
# * This test should be below all other logging daemons
Register --test-no LOGG-2138 --os Linux --weight L --network NO --description "Checking kernel logger daemon on Linux"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching kernel logger daemon (klogd)"
LogText "Test: Searching kernel logger daemon (klogd)"
if [ ${RSYSLOG_RUNNING} -eq 0 -a ${SYSTEMD_JOURNAL_RUNNING} -eq 0 ]; then
# Search for klogd, but ignore other lines related to klogd (like dd with input/output file)
#FIND=`${PSBINARY} ax | grep "klogd" | grep -v "dd" | grep -v "grep"`
IsRunning klogd
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: klogd running"
LogText "Result: klogd running"
Display --indent 4 --text "- Checking klogd" --result FOUND --color GREEN
else
logtext "Result: No klogd found"
LogText "Result: No klogd found"
Display --indent 4 --text "- Checking klogd" --result "NOT FOUND" --color RED
ReportWarning ${TEST_NO} "L" "klogd is not running, which could lead to missing kernel messages in log files"
fi
else
logtext "Result: test skipped, because other facility is being used to log kernel messages"
LogText "Result: test skipped, because other facility is being used to log kernel messages"
fi
fi
#
@ -200,15 +200,15 @@
# Description : Check for minilogd presence on Linux systems
Register --test-no LOGG-2142 --os Linux --weight L --network NO --description "Checking minilog daemon"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Result: Checking for unkilled minilogd instances"
LogText "Result: Checking for unkilled minilogd instances"
# Search for minilogd. It shouldn't be running normally, if another syslog daemon is started
IsRunning minilogd
if [ ${RUNNING} -eq 0 ]; then
Display --indent 4 --text "- Checking minilogd instances" --result "NOT FOUND" --color WHITE
logtext "Result: No minilogd is running"
LogText "Result: No minilogd is running"
else
Display --indent 4 --text "- Checking minilogd instances" --result WARNING --color RED
logtext "Result: minilogd found in process list"
LogText "Result: minilogd found in process list"
# minilogd daemon seems to be running
ReportWarning ${TEST_NO} "L" "minilogd is running, which should normally not be running"
fi
@ -220,28 +220,28 @@
# Description : Check for logrotate (/etc/logrotate.conf and logrotate.d)
Register --test-no LOGG-2146 --weight L --os Linux --network NO --description "Checking logrotate.conf and logrotate.d"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking for /etc/logrotate.conf"
LogText "Test: Checking for /etc/logrotate.conf"
if [ -f /etc/logrotate.conf ]; then
LOGROTATE_CONFIG_FOUND=1
LOGROTATE_TOOL="logrotate"
logtext "Result: /etc/logrotate.conf found (file)"
LogText "Result: /etc/logrotate.conf found (file)"
else
logtext "Result: /etc/logrotate.conf NOT found"
LogText "Result: /etc/logrotate.conf NOT found"
fi
logtext "Test: Checking for /etc/logrotate.d (directory)"
LogText "Test: Checking for /etc/logrotate.d (directory)"
if [ -d /etc/logrotate.d ]; then
LOGROTATE_CONFIG_FOUND=1
LOGROTATE_TOOL="logrotate"
logtext "Result: /etc/logrotate.d found"
LogText "Result: /etc/logrotate.d found"
else
logtext "Result: /etc/logrotate.conf found"
LogText "Result: /etc/logrotate.conf found"
fi
if [ ${LOGROTATE_CONFIG_FOUND} -eq 1 ]; then
Display --indent 2 --text "- Checking logrotate presence" --result OK --color GREEN
logtext "Result: logrotate configuration found"
LogText "Result: logrotate configuration found"
else
Display --indent 2 --text "- Checking logrotate presence" --result WARNING --color RED
logtext "Result: No logrotate configuration found"
LogText "Result: No logrotate configuration found"
ReportSuggestion ${TEST_NO} "Check if files are properly rotated by a some tool instead of logrotate"
fi
fi
@ -253,14 +253,14 @@
if [ ! "${LOGROTATEBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2148 --weight L --preqs-met ${PREQS_MET} --network NO --description "Checking logrotated files"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking which files are rotated with logrotate and if they exist"
LogText "Test: Checking which files are rotated with logrotate and if they exist"
FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | egrep "considering log|skipping" | grep -v '*' | sort -u | awk '{ if ($2!="log") { print "File:"$2":does_not_exist" } else { print "File:"$3":exists" } }'`
if [ "${FIND}" = "" ]; then
logtext "Result: nothing found"
LogText "Result: nothing found"
else
logtext "Result: found one or more files which are rotated via logrotate"
LogText "Result: found one or more files which are rotated via logrotate"
for I in ${FIND}; do
logtext "Output: ${I}"
LogText "Output: ${I}"
done
fi
fi
@ -272,18 +272,18 @@
if [ ! "${LOGROTATEBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2150 --weight L --preqs-met ${PREQS_MET} --network NO --description "Checking directories in logrotate configuration"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking which directories can be found in logrotate configuration"
LogText "Test: Checking which directories can be found in logrotate configuration"
FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | egrep "considering log|skipping" | grep -v '*' | sort -u | awk '{ if ($2=="log") { print $3 } }' | sed 's@/[^/]*$@@g' | sort -u`
if [ "${FIND}" = "" ]; then
logtext "Result: nothing found"
LogText "Result: nothing found"
else
logtext "Result: found one or more directories (via logrotate configuration)"
LogText "Result: found one or more directories (via logrotate configuration)"
for I in ${FIND}; do
if [ -d ${I} ]; then
logtext "Directory found: ${I}"
report "log_directory[]=${I}"
LogText "Directory found: ${I}"
Report "log_directory[]=${I}"
else
logtext "Directory could not be found: ${I}"
LogText "Directory could not be found: ${I}"
fi
done
fi
@ -297,32 +297,32 @@
Register --test-no LOGG-2152 --weight L --os Solaris --network NO --description "Checking loghost"
if [ ${SKIPTEST} -eq 0 ]; then
# Try local hosts file
logtext "Result: Checking for loghost in /etc/inet/hosts"
LogText "Result: Checking for loghost in /etc/inet/hosts"
FIND=`grep loghost /etc/inet/hosts | grep -v "^#"`
if [ ! "${FIND}" = "" ]; then
SOLARIS_LOGHOST_FOUND=1
logtext "Result: Found loghost entry in /etc/inet/hosts"
LogText "Result: Found loghost entry in /etc/inet/hosts"
else
logtext "Result: No loghost entry found in /etc/inet/hosts"
LogText "Result: No loghost entry found in /etc/inet/hosts"
# Try name resolving if no entry is present in local host file
logtext "Result: Checking for loghost via name resolving"
LogText "Result: Checking for loghost via name resolving"
FIND=`getent hosts loghost | grep loghost`
if [ ! "${FIND}" = "" ]; then
SOLARIS_LOGHOST_FOUND=1
logtext "Result: name resolving was succesful"
logtext "Output: ${FIND}"
LogText "Result: name resolving was succesful"
LogText "Output: ${FIND}"
else
logtext "Result: name resolving didn't find results"
LogText "Result: name resolving didn't find results"
fi
fi
if [ ${SOLARIS_LOGHOST_FOUND} -eq 1 ]; then
logtext "Result: loghost entry found and most likely used to send syslog messages"
LogText "Result: loghost entry found and most likely used to send syslog messages"
Display --indent 2 --text "- Checking loghost entry" --result OK --color GREEN
else
Display --indent 2 --text "- Checking loghost entry" --result WARNING --color RED
logtext "Result: No loghost entry found"
LogText "Result: No loghost entry found"
ReportWarning ${TEST_NO} "L" "No loghost entry found"
ReportSuggestion ${TEST_NO} "Add a loghost entry to /etc/inet/hosts or other name services"
fi
@ -342,20 +342,20 @@
SYSLOGD_CONF="/etc/syslog.conf"
fi
if [ -f ${SYSLOGD_CONF} ]; then
logtext "Test: check if logs are also logged to a remote logging host"
LogText "Test: check if logs are also logged to a remote logging host"
FIND=`egrep "@[a-zA-Z0-9]|destination\s.+(udp|tcp).+\sport" ${SYSLOGD_CONF} | grep -v "^#" | grep -v "[a-zA-Z0-9]@"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: remote logging enabled"
LogText "Result: remote logging enabled"
AddHP 5 5
Display --indent 2 --text "- Checking remote logging" --result ENABLED --color GREEN
else
logtext "Result: no remote logging found"
LogText "Result: no remote logging found"
ReportSuggestion ${TEST_NO} "Enable logging to an external logging host for archiving purposes and additional protection"
AddHP 1 3
Display --indent 2 --text "- Checking remote logging" --result "NOT ENABLED" --color YELLOW
fi
else
logtext "Result: test skipped, file ${SYSLOGD_CONF} not found"
LogText "Result: test skipped, file ${SYSLOGD_CONF} not found"
fi
fi
#
@ -366,7 +366,7 @@
if [ -f /etc/newsyslog.conf ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2160 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking /etc/newsyslog.conf"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Result: /etc/newsyslog.conf found"
LogText "Result: /etc/newsyslog.conf found"
Display --indent 2 --text "- Checking /etc/newsyslog.conf" --result FOUND --color GREEN
LOGROTATE_CONFIG_FOUND=1
LOGROTATE_TOOL="newsyslog"
@ -379,14 +379,14 @@
if [ -f /etc/newsyslog.conf ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2162 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking directories in /etc/newsyslog.conf"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: parsing directories from /etc/newsyslog.conf file"
LogText "Test: parsing directories from /etc/newsyslog.conf file"
FIND=`awk '/^\// { print $1 }' /etc/newsyslog.conf | sed 's/\/*[a-zA-Z_.-]*$//g' | sort -u`
for I in ${FIND}; do
if [ -d ${I} ]; then
logtext "Result: Directory ${I} found and exists"
report "log_directory[]=${I}"
LogText "Result: Directory ${I} found and exists"
Report "log_directory[]=${I}"
else
logtext "Result: Item ${I} is not a directory"
LogText "Result: Item ${I} is not a directory"
fi
done
Display --indent 4 --text "- Checking log directories (newsyslog.conf)" --result DONE --color GREEN
@ -399,13 +399,13 @@
if [ -f /etc/newsyslog.conf ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2164 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking files specified /etc/newsyslog.conf"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: parsing files from /etc/newsyslog.conf file"
LogText "Test: parsing files from /etc/newsyslog.conf file"
FIND=`awk '/^\// { print $1 }' /etc/newsyslog.conf | sort -u`
for I in ${FIND}; do
if [ -f ${I} ]; then
logtext "Result: File ${I} found and exists"
LogText "Result: File ${I} found and exists"
else
logtext "Result: Item ${I} is not a file"
LogText "Result: Item ${I} is not a file"
fi
done
Display --indent 4 --text "- Checking log files (newsyslog.conf)" --result DONE --color GREEN
@ -417,13 +417,13 @@
# Description : Search available log paths
Register --test-no LOGG-2170 --weight L --network NO --description "Checking log paths"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching log paths"
LogText "Test: Searching log paths"
for I in ${LOG_FILES_LOCS}; do
if [ -d ${I} ]; then
logtext "Result: directory ${I} exists"
report "log_directory[]=${I}"
LogText "Result: directory ${I} exists"
Report "log_directory[]=${I}"
else
logtext "Result: directory ${I} can't be found"
LogText "Result: directory ${I} can't be found"
fi
done
Display --indent 2 --text "- Checking log directories (static list)" --result DONE --color GREEN
@ -435,16 +435,16 @@
# Description : Search open log file
Register --test-no LOGG-2180 --weight L --network NO --description "Checking open log files"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking open log files with lsof"
LogText "Test: checking open log files with lsof"
if [ ! "${LSOFBINARY}" = "" ]; then
FIND=`${LSOFBINARY} -n 2>&1 | grep "log$" | egrep -v "WARNING|Output information" | awk '{ if ($5=="REG") { print $9 } }' | sort -u | grep -v "^$"`
for I in ${FIND}; do
logtext "Found logfile: ${I}"
report "open_logfile[]=${I}"
LogText "Found logfile: ${I}"
Report "open_logfile[]=${I}"
done
Display --indent 2 --text "- Checking open log files" --result DONE --color GREEN
else
logtext "Result: lsof not installed, skipping test"
LogText "Result: lsof not installed, skipping test"
Display --indent 2 --text "- Checking open log files" --result SKIPPED --color YELLOW
# Add suggestion
fi
@ -457,18 +457,18 @@
if [ ! "${LSOFBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2190 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking deleted files in file table"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking deleted files but are still in use"
LogText "Test: checking deleted files but are still in use"
FIND=`${LSOFBINARY} -n +L 1 2>&1 | egrep -v "WARNING|Output information" | awk '{ if ($5=="REG") { print $10 } }' | grep -v "^$" | sort -u`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found one or more files which are deleted, but still in use"
LogText "Result: found one or more files which are deleted, but still in use"
for I in ${FIND}; do
logtext "Found deleted file: ${I}"
report "deleted_file[]=${I}"
LogText "Found deleted file: ${I}"
Report "deleted_file[]=${I}"
done
Display --indent 2 --text "- Checking deleted files in use" --result "FILES FOUND" --color YELLOW
ReportSuggestion ${TEST_NO} "Check what deleted files are still in use and why."
else
logtext "Result: no deleted files found"
LogText "Result: no deleted files found"
Display --indent 2 --text "- Checking deleted files in use" --result DONE --color GREEN
fi
fi
@ -476,11 +476,11 @@
#################################################################################
#
report "log_rotation_config_found=${LOGROTATE_CONFIG_FOUND}"
report "log_rotation_tool=${LOGROTATE_TOOL}"
Report "log_rotation_config_found=${LOGROTATE_CONFIG_FOUND}"
Report "log_rotation_tool=${LOGROTATE_TOOL}"
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com

56
include/tests_mac_frameworks
View File

@ -5,7 +5,7 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -30,11 +30,11 @@
if [ ${SKIPTEST} -eq 0 ]; then
if [ "${AASTATUSBINARY}" = "" ]; then
APPARMORFOUND=0
logtext "Result: aa-status binary not found, AppArmor not installed"
LogText "Result: aa-status binary not found, AppArmor not installed"
Display --indent 2 --text "- Checking presence AppArmor" --result "NOT FOUND" --color WHITE
else
APPARMORFOUND=1
logtext "Result: aa-status binary found, AppArmor is installed"
LogText "Result: aa-status binary found, AppArmor is installed"
Display --indent 2 --text "- Checking presence AppArmor" --result FOUND --color GREEN
fi
fi
@ -56,20 +56,20 @@
FIND=`${AASTATUSBINARY} > /dev/null; echo $?`
if [ ${FIND} -eq 0 ]; then
MAC_FRAMEWORK_ACTIVE=1
logtext "Result: AppArmor is enabled and a policy is loaded"
LogText "Result: AppArmor is enabled and a policy is loaded"
Display --indent 4 --text "- Checking AppArmor status" --result "ENABLED" --color GREEN
elif [ ${FIND} -eq 4 ]; then
logtext "Result: Can not determine status, most likely due to lacking permissions"
LogText "Result: Can not determine status, most likely due to lacking permissions"
Display --indent 4 --text "- Checking AppArmor status" --result "UNKNOWN" --color RED
elif [ ${FIND} -eq 3 ]; then
logtext "Result: Can not check control files"
LogText "Result: Can not check control files"
Display --indent 4 --text "- Checking AppArmor status" --result "UNKNOWN" --color RED
elif [ ${FIND} -eq 2 ]; then
logtext "Result: AppArmor is enabled, but no policy is loaded"
LogText "Result: AppArmor is enabled, but no policy is loaded"
ReportSuggestion ${TEST_NO} "Disable AppArmor or load a policy"
Display --indent 4 --text "- Checking AppArmor status" --result "NON-ACTIVE" --color GREEN
elif [ ${FIND} -eq 1 ]; then
logtext "Result: AppArmor is disabled"
LogText "Result: AppArmor is disabled"
Display --indent 4 --text "- Checking AppArmor status" --result "DISABLED" --color YELLOW
else
Display --indent 4 --text "- Checking AppArmor status" --result "UNKNOWN" --color RED
@ -84,12 +84,12 @@
# Description : Check SELINUX for installation
Register --test-no MACF-6232 --weight L --network NO --description "Check SELINUX presence"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking if we have sestatus binary"
LogText "Test: checking if we have sestatus binary"
if [ ! "${SESTATUSBINARY}" = "" ]; then
logtext "Result: found sestatus binary (${SESTATUSBINARY})"
LogText "Result: found sestatus binary (${SESTATUSBINARY})"
Display --indent 2 --text "- Checking presence SELinux" --result "FOUND" --color GREEN
else
logtext "Result: sestatus binary NOT found"
LogText "Result: sestatus binary NOT found"
Display --indent 2 --text "- Checking presence SELinux" --result "NOT FOUND" --color WHITE
fi
fi
@ -105,26 +105,26 @@
FIND=`${SESTATUSBINARY} | grep "^SELinux status" | awk '{ print $3 }'`
if [ "${FIND}" = "enabled" ]; then
MAC_FRAMEWORK_ACTIVE=1
logtext "Result: SELinux framework is enabled"
report "selinux_status=1"
LogText "Result: SELinux framework is enabled"
Report "selinux_status=1"
SELINUXFOUND=1
Display --indent 4 --text "- Checking SELinux status" --result "ENABLED" --color GREEN
FIND=`${SESTATUSBINARY} | grep "^Current mode" | awk '{ print $3 }'`
report "selinux_mode=${FIND}"
Report "selinux_mode=${FIND}"
FIND2=`${SESTATUSBINARY} | grep "^Mode from config file" | awk '{ print $5 }'`
logtext "Result: current SELinux mode is ${FIND}"
logtext "Result: mode configured in config file is ${FIND2}"
LogText "Result: current SELinux mode is ${FIND}"
LogText "Result: mode configured in config file is ${FIND2}"
if [ "${FIND}" = "${FIND2}" ]; then
logtext "Result: Current SELinux mode is the same as in config file."
LogText "Result: Current SELinux mode is the same as in config file."
Display --indent 6 --text "- Checking current mode and config file" --result "OK" --color GREEN
else
logtext "Result: Current SELinux mode (${FIND}) is NOT the same as in config file (${FIND2})."
LogText "Result: Current SELinux mode (${FIND}) is NOT the same as in config file (${FIND2})."
ReportWarning ${TEST_NO} "M" "Current SELinux mode is different from config file (current: ${FIND}, config file: ${FIND2})"
Display --indent 6 --text "- Checking current mode and config file" --result "WARNING" --color RED
fi
Display --indent 8 --text "Current SELinux mode: ${FIND}"
else
logtext "Result: SELinux framework is disabled"
LogText "Result: SELinux framework is disabled"
Display --indent 4 --text "- Checking SELinux status" --result "DISABLED" --color YELLOW
fi
fi
@ -139,18 +139,18 @@
if [ ${SKIPTEST} -eq 0 ]; then
if [ -e /dev/grsec ]; then
GRSECFOUND=1
logtext "Result: grsecurity available (/dev/grsec found)"
LogText "Result: grsecurity available (/dev/grsec found)"
else
logtext "Result: grsecurity not present (/dev/grsec not found)"
LogText "Result: grsecurity not present (/dev/grsec not found)"
fi
# Check Linux kernel configuration
if [ ! "${LINUXCONFIGFILE}" = "" -a -f "${LINUXCONFIGFILE}" ]; then
FIND=`${GREPBINARY} ^CONFIG_GRKERNSEC=y ${LINUXCONFIGFILE}`
if [ ! "${FIND}" = "" ]; then
logtext "Result: grsecurity available (in kernel config)"
LogText "Result: grsecurity available (in kernel config)"
GRSECFOUND=1
else
logtext "Result: no grsecurity found in kernel config"
LogText "Result: no grsecurity found in kernel config"
fi
fi
# Found grsecurity?
@ -171,22 +171,22 @@
if [ ${MAC_FRAMEWORK_ACTIVE} -eq 1 ]; then
Display --indent 2 --text "- Checking for implemented MAC framework" --result OK --color GREEN
AddHP 3 3
logtext "Result: found implemented MAC framework"
LogText "Result: found implemented MAC framework"
else
Display --indent 2 --text "- Checking for implemented MAC framework" --result NONE --color YELLOW
AddHP 2 3
logtext "Result: found no implemented MAC framework"
LogText "Result: found no implemented MAC framework"
fi
fi
#
#################################################################################
#
report "framework_grsecurity=${GRSECFOUND}"
report "framework_selinux=${SELINUXFOUND}"
Report "framework_grsecurity=${GRSECFOUND}"
Report "framework_selinux=${SELINUXFOUND}"
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com

54
include/tests_mail_messaging
View File

@ -5,7 +5,7 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
# Copyright 2007-2016, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -36,15 +36,15 @@
# Description : Check Exim process status
Register --test-no MAIL-8802 --weight L --network NO --description "Check Exim status"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check Exim status"
LogText "Test: check Exim status"
IsRunning exim
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: found running Exim process"
LogText "Result: found running Exim process"
Display --indent 2 --text "- Checking Exim status" --result RUNNING --color GREEN
EXIM_RUNNING=1
SMTP_DAEMON="exim"
else
logtext "Result: no running Exim processes found"
LogText "Result: no running Exim processes found"
Display --indent 2 --text "- Checking Exim status" --result "NOT FOUND" --color WHITE
fi
fi
@ -56,18 +56,18 @@
# Notes : qmgr and pickup run under postfix uid, without full path to binary
Register --test-no MAIL-8814 --weight L --network NO --description "Check postfix process status"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check Postfix status"
LogText "Test: check Postfix status"
# Some other processes also use master, therefore it should include both master and postfix
FIND1=`${PSBINARY} ax | grep "master" | grep "postfix" | grep -v "grep"`
#FIND2=`${PSBINARY} ax | grep "qmgr" | grep "postfix" | grep -v "grep"`
#FIND3=`${PSBINARY} ax | grep "pickup" | grep "postfix" | grep -v "grep"`
if [ ! "${FIND1}" = "" ]; then
logtext "Result: found running Postfix process"
LogText "Result: found running Postfix process"
Display --indent 2 --text "- Checking Postfix status" --result RUNNING --color GREEN
POSTFIX_RUNNING=1
SMTP_DAEMON="postfix"
else
logtext "Result: no running Postfix processes found"
LogText "Result: no running Postfix processes found"
Display --indent 2 --text "- Checking Postfix status" --result "NOT FOUND" --color WHITE
fi
fi
@ -82,8 +82,8 @@
Display --indent 2 --text "- Checking Postfix configuration" --result FOUND --color GREEN
POSTFIX_CONFIGDIR=`${POSTCONFBINARY} 2> /dev/null | grep '^config_directory' | awk '{ print $3 }'`
POSTFIX_CONFIGFILE="${POSTFIX_CONFIGDIR}/main.cf"
logtext "Postfix configuration directory: ${POSTFIX_CONFIGDIR}"
logtext "Postfix configuration file: ${POSTFIX_CONFIGFILE}"
LogText "Postfix configuration directory: ${POSTFIX_CONFIGDIR}"
LogText "Postfix configuration file: ${POSTFIX_CONFIGFILE}"
fi
#
#################################################################################
@ -93,7 +93,7 @@
if [ ${POSTFIX_RUNNING} -eq 1 -a ! "${POSTFIXBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no MAIL-8818 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Postfix configuration: banner"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking Postfix banner"
LogText "Test: Checking Postfix banner"
FIND1=`${POSTCONFBINARY} 2> /dev/null | grep '^smtpd_banner' | grep 'postfix'`
FIND2=`${POSTCONFBINARY} 2> /dev/null | grep '^smtpd_banner' | grep '$mail_name'`
FIND3=`${POSTCONFBINARY} 2> /dev/null | grep '^mail_name' | grep -i 'postfix'`
@ -111,7 +111,7 @@
fi
if [ ${SHOWWARNING} -eq 1 ]; then
Display --indent 4 --text "- Checking Postfix banner" --result WARNING --color RED
logtext "Result: found mail_name in SMTP banner, and/or mail_name contains 'Postfix'."
LogText "Result: found mail_name in SMTP banner, and/or mail_name contains 'Postfix'."
ReportWarning ${TEST_NO} "L" "Found mail_name in SMTP banner, and/or mail_name contains 'Postfix'"
ReportSuggestion ${TEST_NO} "You are adviced to hide the mail_name (option: smtpd_banner) from your postfix configuration. Use postconf -e or change your main.cf file (${POSTFIX_CONFIGFILE})"
fi
@ -123,16 +123,16 @@
# Description : Check Dovecot process
Register --test-no MAIL-8838 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check dovecot process"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check dovecot status"
LogText "Test: check dovecot status"
IsRunning dovecot
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: found running dovecot process"
LogText "Result: found running dovecot process"
Display --indent 2 --text "- Checking Dovecot status" --result RUNNING --color GREEN
DOVECOT_RUNNING=1
IMAP_DAEMON="dovecot"
POP3_DAEMON="dovecot"
else
logtext "Result: dovecot not found"
LogText "Result: dovecot not found"
Display --indent 2 --text "- Checking Dovecot status" --result "NOT FOUND" --color WHITE
fi
fi
@ -143,15 +143,15 @@
# Description : Check Qmail process status
Register --test-no MAIL-8860 --weight L --network NO --description "Check Qmail status"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check Qmail status"
LogText "Test: check Qmail status"
IsRunning qmail-smtpd
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: found running Qmail process"
LogText "Result: found running Qmail process"
Display --indent 2 --text "- Checking Qmail status" --result RUNNING --color GREEN
QMAIL_RUNNING=1
SMTP_DAEMON="qmail"
else
logtext "Result: no running Qmail processes found"
LogText "Result: no running Qmail processes found"
Display --indent 2 --text "- Checking Qmail status" --result "NOT FOUND" --color WHITE
fi
fi
@ -162,15 +162,15 @@
# Description : Check Sendmail process status
Register --test-no MAIL-8880 --weight L --network NO --description "Check Sendmail status"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check sendmail status"
LogText "Test: check sendmail status"
IsRunning sendmail
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: found running Sendmail process"
LogText "Result: found running Sendmail process"
Display --indent 2 --text "- Checking Sendmail status" --result RUNNING --color GREEN
SENDMAIL_RUNNING=1
SMTP_DAEMON="sendmail"
else
logtext "Result: no running Sendmail processes found"
LogText "Result: no running Sendmail processes found"
Display --indent 2 --text "- Checking Sendmail status" --result "NOT FOUND" --color WHITE
fi
fi
@ -182,15 +182,15 @@
if [ ! "${SMTPCTLBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no MAIL-8920 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check OpenSMTPD status"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check smtpd status"
LogText "Test: check smtpd status"
FIND=`${PSBINARY} ax | egrep "(/smtpd|smtpd: \[priv\]|smtpd: smtp)" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found running smtpd process"
LogText "Result: found running smtpd process"
Display --indent 2 --text "- Checking OpenSMTPD status" --result RUNNING --color GREEN
OPENSMTPD_RUNNING=1
SMTP_DAEMON="opensmtpd"
else
logtext "Result: smtpd not found"
LogText "Result: smtpd not found"
Display --indent 2 --text "- Checking OpenSMTPD status" --result "NOT FOUND" --color WHITE
fi
fi
@ -198,13 +198,13 @@
#################################################################################
#
report "imap_daemon=${IMAP_DAEMON}"
report "pop3_daemon=${POP3_DAEMON}"
report "smtp_daemon=${SMTP_DAEMON}"
Report "imap_daemon=${IMAP_DAEMON}"
Report "pop3_daemon=${POP3_DAEMON}"
Report "smtp_daemon=${SMTP_DAEMON}"
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com

76
include/tests_malware
View File

@ -5,7 +5,7 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -36,15 +36,15 @@
# Description : Check for installed tool (chkrootkit)
Register --test-no MALW-3275 --weight L --network NO --description "Check for chkrootkit"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking presence chkrootkit"
LogText "Test: checking presence chkrootkit"
if [ ! "${CHKROOTKITBINARY}" = "" ]; then
Display --indent 2 --text "- Checking chkrootkit" --result "FOUND" --color GREEN
logtext "Result: Found ${CHKROOTKITBINARY}"
LogText "Result: Found ${CHKROOTKITBINARY}"
MALWARE_SCANNER_INSTALLED=1
AddHP 2 2
report "malware_scanner[]=chkrootkit"
Report "malware_scanner[]=chkrootkit"
else
logtext "Result: chkrootkit not found"
LogText "Result: chkrootkit not found"
fi
fi
#
@ -54,15 +54,15 @@
# Description : Check for installed tool (Rootkit Hunter)
Register --test-no MALW-3276 --weight L --network NO --description "Check for Rootkit Hunter"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking presence Rootkit Hunter"
LogText "Test: checking presence Rootkit Hunter"
if [ ! "${RKHUNTERBINARY}" = "" ]; then
Display --indent 2 --text "- Checking Rootkit Hunter" --result "FOUND" --color GREEN
logtext "Result: Found ${RKHUNTERBINARY}"
LogText "Result: Found ${RKHUNTERBINARY}"
MALWARE_SCANNER_INSTALLED=1
AddHP 2 2
report "malware_scanner[]=rkhunter"
Report "malware_scanner[]=rkhunter"
else
logtext "Result: Rootkit Hunter not found"
LogText "Result: Rootkit Hunter not found"
fi
fi
#
@ -72,15 +72,15 @@
# Description : Check for installed tool (Linux Malware Detect or LMD)
Register --test-no MALW-3278 --weight L --network NO --description "Check for LMD"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking presence LMD"
LogText "Test: checking presence LMD"
if [ ! "${LMDBINARY}" = "" ]; then
Display --indent 2 --text "- Checking LMD (Linux Malware Detect)" --result "FOUND" --color GREEN
logtext "Result: Found ${LMDBINARY}"
LogText "Result: Found ${LMDBINARY}"
MALWARE_SCANNER_INSTALLED=1
AddHP 2 2
report "malware_scanner[]=lmd"
Report "malware_scanner[]=lmd"
else
logtext "Result: LMD not found"
LogText "Result: LMD not found"
fi
fi
#
@ -93,20 +93,20 @@
FOUND=0
# ESET security products
logtext "Test: checking process esets_daemon"
LogText "Test: checking process esets_daemon"
IsRunning esets_daemon
if [ ${RUNNING} -eq 1 ]; then
FOUND=1
Display --indent 2 --text "- Checking ESET daemon" --result "FOUND" --color GREEN
logtext "Result: found ESET security product"
LogText "Result: found ESET security product"
ESET_DAEMON_RUNNING=1
MALWARE_SCANNER_INSTALLED=1
AddHP 2 2
report "malware_scanner[]=eset"
Report "malware_scanner[]=eset"
fi
# McAfee products
logtext "Test: checking process cma or cmdagent (McAfee)"
LogText "Test: checking process cma or cmdagent (McAfee)"
# cma is too generic to match on, so we want to ensure that it is related to McAfee first
if [ -x /opt/McAfee/cma/bin/cma ]; then
IsRunning cma
@ -118,20 +118,20 @@
if [ ${MCAFEE_SCANNER_RUNNING} -eq 1 ]; then
FOUND=1
Display --indent 2 --text "- Checking McAfee" --result "FOUND" --color GREEN
logtext "Result: Found McAfee"
LogText "Result: Found McAfee"
MALWARE_SCANNER_INSTALLED=1
AddHP 2 2
report "malware_scanner[]=mcafee"
Report "malware_scanner[]=mcafee"
fi
# Sophos savscand/SophosScanD
logtext "Test: checking process savscand"
LogText "Test: checking process savscand"
IsRunning savscand
if [ ${RUNNING} -eq 1 ]; then
FOUND=1
SOPHOS_SCANNER_RUNNING=1
fi
logtext "Test: checking process SophosScanD"
LogText "Test: checking process SophosScanD"
IsRunning SophosScanD
if [ ${RUNNING} -eq 1 ]; then
FOUND=1
@ -139,13 +139,13 @@
fi
if [ ${SOPHOS_SCANNER_RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking Sophos" --result "FOUND" --color GREEN
logtext "Result: Found Sophos"
LogText "Result: Found Sophos"
MALWARE_SCANNER_INSTALLED=1
AddHP 2 2
report "malware_scanner[]=sophos"
Report "malware_scanner[]=sophos"
fi
if [ ${FOUND} -eq 0 ]; then
logtext "Result: no commercial anti-virus tools found"
LogText "Result: no commercial anti-virus tools found"
AddHP 0 3
fi
fi
@ -156,15 +156,15 @@
# Description : Check if clamscan is installed
Register --test-no MALW-3282 --weight L --network NO --description "Check for clamscan"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking presence clamscan"
LogText "Test: checking presence clamscan"
if [ ! "${CLAMSCANBINARY}" = "" ]; then
Display --indent 2 --text "- Checking ClamAV scanner" --result "FOUND" --color GREEN
logtext "Result: Found ${CLAMSCANBINARY}"
LogText "Result: Found ${CLAMSCANBINARY}"
MALWARE_SCANNER_INSTALLED=1
CLAMSCAN_INSTALLED=1
AddHP 2 2
else
logtext "Result: clamscan couldn't be found"
LogText "Result: clamscan couldn't be found"
fi
fi
#
@ -174,15 +174,15 @@
# Description : Check running clamd process
Register --test-no MALW-3284 --weight L --network NO --description "Check for clamd"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking running ClamAV daemon (clamd)"
LogText "Test: checking running ClamAV daemon (clamd)"
IsRunning clamd
if [ ${RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking ClamAV daemon" --result "FOUND" --color GREEN
logtext "Result: found running clamd process"
LogText "Result: found running clamd process"
MALWARE_SCANNER_INSTALLED=1
CLAMD_RUNNING=1
else
logtext "Result: clamd not running"
LogText "Result: clamd not running"
fi
fi
#
@ -193,16 +193,16 @@
if [ ${CLAMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no MALW-3286 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for freshclam"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking running freshclam daemon"
LogText "Test: checking running freshclam daemon"
IsRunning freshclam
if [ ${RUNNING} -eq 1 ]; then
FRESHCLAM_DAEMON_RUNNING=1
Display --indent 4 --text "- Checking freshclam" --result "FOUND" --color GREEN
logtext "Result: found running freshclam process"
LogText "Result: found running freshclam process"
AddHP 2 2
else
Display --indent 4 --text "- Checking freshclam" --result "SUGGESTION" --color YELLOW
logtext "Result: freshclam is not running"
LogText "Result: freshclam is not running"
ReportSuggestion ${TEST_NO} "Confirm that freshclam is properly configured and keeps updating the ClamAV database"
fi
fi
@ -216,13 +216,13 @@
if [ ${SKIPTEST} -eq 0 ]; then
CLAMSCANBINARY=`ls /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | grep 'clamscan'`
if [ ! "${CLAMSCANBINARY}" = "" ]; then
logtext "Result: Found ClamXav clamscan installed"
LogText "Result: Found ClamXav clamscan installed"
Display --indent 2 --text "- Checking presence of ClamXav AV scanner" --result "FOUND" --color GREEN
MALWARE_SCANNER_INSTALLED=1
CLAMSCAN_INSTALLED=1
AddHP 3 3
else
logtext "Result: ClamXav malware scanner not found"
LogText "Result: ClamXav malware scanner not found"
AddHP 0 3
fi
fi
@ -231,17 +231,17 @@
#
# Check if we found any of the ClamAV components
if [ ${CLAMSCAN_INSTALLED} -eq 1 -o ${CLAMD_RUNNING} -eq 1 -o ${FRESHCLAM_DAEMON_RUNNING} -eq 1 ]; then
report "malware_scanner[]=clamav"
Report "malware_scanner[]=clamav"
fi
#
#################################################################################
#
report "malware_scanner_installed=${MALWARE_SCANNER_INSTALLED}"
Report "malware_scanner_installed=${MALWARE_SCANNER_INSTALLED}"
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com

38
include/tests_memory_processes
View File

@ -5,7 +5,7 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -27,16 +27,16 @@
Register --test-no PROC-3602 --os Linux --weight L --network NO --description "Checking /proc/meminfo for memory details"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /proc/meminfo ]; then
logtext "Result: found /proc/meminfo"
LogText "Result: found /proc/meminfo"
Display --indent 2 --text "- Checking /proc/meminfo" --result FOUND --color GREEN
FIND=`awk '/^MemTotal/ { print $2, $3 }' /proc/meminfo`
MEMORY_SIZE=`echo ${FIND} | awk '{ print $1 }'`
MEMORY_UNITS=`echo ${FIND} | awk '{ print $2 }'`
logtext "Result: Found ${MEMORY_SIZE} ${MEMORY_UNITS} memory"
report "memory_size=${MEMORY_SIZE}"
report "memory_units=${MEMORY_UNITS}"
LogText "Result: Found ${MEMORY_SIZE} ${MEMORY_UNITS} memory"
Report "memory_size=${MEMORY_SIZE}"
Report "memory_units=${MEMORY_UNITS}"
else
logtext "Result: /proc/meminfo file not found on this system"
LogText "Result: /proc/meminfo file not found on this system"
fi
fi
#
@ -46,17 +46,17 @@
# Description : Query /proc/meminfo
Register --test-no PROC-3604 --os Solaris --weight L --network NO --description "Query prtconf for memory details"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching /usr/sbin/prtconf"
LogText "Test: Searching /usr/sbin/prtconf"
if [ -x /usr/sbin/prtconf ]; then
Display --indent 2 --text "- Querying prtconf for installed memory" --result DONE --color GREEN
MEMORY_SIZE=`/usr/sbin/prtconf | grep "^Memory size:" | cut -d ' ' -f3`
MEMORY_UNITS=`/usr/sbin/prtconf | grep "^Memory size:" | cut -d ' ' -f4`
logtext "Result: Found ${MEMORY_SIZE} ${MEMORY_UNITS} memory"
report "memory_size=${MEMORY_SIZE}"
report "memory_units=${MEMORY_UNITS}"
LogText "Result: Found ${MEMORY_SIZE} ${MEMORY_UNITS} memory"
Report "memory_size=${MEMORY_SIZE}"
Report "memory_units=${MEMORY_UNITS}"
else
Display --indent 2 --text "- Querying prtconf for installed memory" --result SKIPPED --color WHITE
logtext "Result: /usr/sbin/prtconf not found"
LogText "Result: /usr/sbin/prtconf not found"
fi
fi
#
@ -74,11 +74,11 @@
FIND=`${PSBINARY} x -o pid,wchan,stat,comm | awk '{ if ($3 ~ /Z|X/) print $1 }' | xargs`
fi
if [ "${FIND}" = "" ]; then
logtext "Result: no zombie processes found"
LogText "Result: no zombie processes found"
Display --indent 2 --text "- Searching for dead/zombie processes" --result OK --color GREEN
else
logtext "Result: found one or more dead or zombie processes"
logtext "Output: PIDs ${FIND}"
LogText "Result: found one or more dead or zombie processes"
LogText "Output: PIDs ${FIND}"
Display --indent 2 --text "- Searching for dead/zombie processes" --result WARNING --color RED
ReportSuggestion ${TEST_NO} "Check the output of ps for dead or zombie processes"
fi
@ -98,12 +98,12 @@
FIND=`${PSBINARY} x -o pid,wchan,stat,comm | awk '{ if ($3=="D") print $1 }' | xargs`
fi
if [ "${FIND}" = "" ]; then
logtext "Result: No processes were waiting for IO requests to be handled first"
LogText "Result: No processes were waiting for IO requests to be handled first"
Display --indent 2 --text "- Searching for IO waiting processes" --result OK --color GREEN
else
logtext "Result: found one or more processes which were waiting to get IO requests handled first"
logtext "More info: processes which show up with the status flag 'D' are often stuck, until a disk IO event finished. This can happen for example with network storage, where the connection or protocol settings are not logtext well configured."
logtext "Output: PIDs ${FIND}"
LogText "Result: found one or more processes which were waiting to get IO requests handled first"
LogText "More info: processes which show up with the status flag 'D' are often stuck, until a disk IO event finished. This can happen for example with network storage, where the connection or protocol settings are not logtext well configured."
LogText "Output: PIDs ${FIND}"
Display --indent 2 --text "- Searching for IO waiting processes" --result WARNING --color RED
ReportSuggestion ${TEST_NO} "Check process listing for processes waiting for IO requests"
fi
@ -116,4 +116,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com

230
include/tests_nameservices
View File

@ -5,7 +5,7 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -39,17 +39,17 @@
# Description : Check main domain (domain <domain name> in /etc/resolv.conf)
Register --test-no NAME-4016 --weight L --network NO --description "Check /etc/resolv.conf default domain"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check /etc/resolv.conf for default domain"
LogText "Test: check /etc/resolv.conf for default domain"
if [ -f /etc/resolv.conf ]; then
logtext "Result: /etc/resolv.conf found"
LogText "Result: /etc/resolv.conf found"
FIND=`awk '/^domain/ { print $2 }' /etc/resolv.conf`
if [ "${FIND}" = "" ]; then
logtext "Result: no default domain found"
LogText "Result: no default domain found"
Display --indent 2 --text "- Checking default DNS search domain" --result NONE --color WHITE
else
logtext "Result: found default domain"
logtext "Output: ${FIND}"
report "resolv_conf_domain=${FIND}"
LogText "Result: found default domain"
LogText "Output: ${FIND}"
Report "resolv_conf_domain=${FIND}"
Display --indent 2 --text "- Checking default DNS search domain" --result FOUND --color GREEN
RESOLV_DOMAINNAME="${FIND}"
fi
@ -64,41 +64,41 @@
Register --test-no NAME-4018 --weight L --network NO --description "Check /etc/resolv.conf search domains"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
logtext "Test: check /etc/resolv.conf for search domains"
LogText "Test: check /etc/resolv.conf for search domains"
if [ -f /etc/resolv.conf ]; then
logtext "Result: /etc/resolv.conf found"
LogText "Result: /etc/resolv.conf found"
FIND=`awk '/^search/ { print $2 }' /etc/resolv.conf`
if [ "${FIND}" = "" ]; then
logtext "Result: no search domains found, default domain is being used"
LogText "Result: no search domains found, default domain is being used"
else
for I in ${FIND}; do
logtext "Found search domain: ${I}"
report "resolv_conf_search_domain[]=${I}"
LogText "Found search domain: ${I}"
Report "resolv_conf_search_domain[]=${I}"
N=`expr ${N} + 1`
done
# Warn if we have more than 6 search domains, which is maximum in most resolvers
if [ ${N} -gt 6 ]; then
logtext "Result: Found ${N} search domains"
LogText "Result: Found ${N} search domains"
Display --indent 2 --text "- Checking search domains" --result WARNING --color YELLOW
ReportWarning ${TEST_NO} "L" "Found more than 6 search domains, which is usually more than the maximum allowed number in most resolvers"
else
logtext "Result: Found ${N} search domains"
LogText "Result: Found ${N} search domains"
Display --indent 2 --text "- Checking search domains" --result FOUND --color GREEN
fi
fi
else
logtext "Result: /etc/resolv.conf does not exist, skipping test"
LogText "Result: /etc/resolv.conf does not exist, skipping test"
Display --indent 2 --text "- Checking search domains" --result "NOT FOUND" --color YELLOW
fi
# Check amount of search domains (max 1)
FIND=`grep -c "^search" /etc/resolv.conf`
if [ ! "${FIND}" = "0" -a ! "${FIND}" = "1" ]; then
logtext "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)"
LogText "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)"
Display --indent 4 --text "- Checking search domains lines" --result "CONFIG ERROR" --color YELLOW
ReportWarning ${TEST_NO} "L" "Found more than 1 search lines in /etc/resolv.conf, which is probably a misconfiguration"
else
logtext "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)"
LogText "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)"
fi
fi
#
@ -108,24 +108,24 @@
# Description : Check non default resolv.conf options
Register --test-no NAME-4020 --weight L --network NO --description "Check non default options"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check /etc/resolv.conf for non default options"
LogText "Test: check /etc/resolv.conf for non default options"
if [ -f /etc/resolv.conf ]; then
logtext "Result: /etc/resolv.conf found"
LogText "Result: /etc/resolv.conf found"
FIND=`grep "^options" /etc/resolv.conf | awk '{ print $2 }'`
if [ "${FIND}" = "" ]; then
logtext "Result: no specific other options configured in /etc/resolv.conf"
LogText "Result: no specific other options configured in /etc/resolv.conf"
Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "NONE" --color WHITE
else
for I in ${FIND}; do
logtext "Found option: ${I}"
report "resolv_conf_option[]=${I}"
LogText "Found option: ${I}"
Report "resolv_conf_option[]=${I}"
#rotate --> add performance tune point
#timeout <3 --> add performe tune point
done
Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "FOUND" --color GREEN
fi
else
logtext "Result: /etc/resolv.conf not found, test skipped"
LogText "Result: /etc/resolv.conf not found, test skipped"
Display --indent 2 --text "- Checking /etc/resolv.conf options" --result "NOT FOUND" --color YELLOW
fi
fi
@ -137,7 +137,7 @@
Register --test-no NAME-4024 --os Solaris --weight L --network NO --description "Solaris uname -n output"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`uname -n`
logtext "Result: 'uname -n' returned ${FIND}"
LogText "Result: 'uname -n' returned ${FIND}"
Display --indent 2 --text "- Checking uname -n output" --result DONE --color GREEN
fi
#
@ -148,14 +148,14 @@
# Notes : If a system is standalone, /etc/nodename should contain a system name only, not FQDN
Register --test-no NAME-4026 --os Solaris --weight L --network NO --description "Check /etc/nodename"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking /etc/nodename"
LogText "Test: checking /etc/nodename"
if [ -f /etc/nodename ]; then
logtext "Result: file /etc/nodename exists"
LogText "Result: file /etc/nodename exists"
FIND=`cat /etc/nodename`
logtext "Output: ${FIND}"
LogText "Output: ${FIND}"
Display --indent 2 --text "- Checking /etc/nodename" --result "DONE" --color GREEN
else
logtext "Result: file /etc/nodename could not be found"
LogText "Result: file /etc/nodename could not be found"
Display --indent 2 --text "- Checking /etc/nodename" --result "NONE FOUND" --color YELLOW
fi
fi
@ -169,49 +169,49 @@
if [ ${SKIPTEST} -eq 0 ]; then
DOMAINNAME=""
# NIS
#logtext "Test: Checking file /etc/domainname"
#LogText "Test: Checking file /etc/domainname"
#if [ -f /etc/domainname ]; then
# logtext "Result: file /etc/domainname exists"
# LogText "Result: file /etc/domainname exists"
# FIND2=`cat /etc/domainname`
# if [ ! "${FIND}" = "" ]; then
# logtext "Found domain name: ${FIND}"
# LogText "Found domain name: ${FIND}"
# DOMAINNAME="${FIND}"
# else
# logtext "Result: no domain name found in file"
# LogText "Result: no domain name found in file"
# fi
# else
# logtext "Result: file /etc/domainname does not exist"
# LogText "Result: file /etc/domainname does not exist"
#fi
logtext "Test: Checking if dnsdomainname command is available"
LogText "Test: Checking if dnsdomainname command is available"
if [ ! "${DNSDOMAINNAMEBINARY}" = "" ]; then
FIND2=`${DNSDOMAINNAMEBINARY} 2> /dev/null`
if [ ! "${FIND2}" = "" ]; then
logtext "Result: dnsdomainname command returned a value"
logtext "Found domain name: ${FIND2}"
LogText "Result: dnsdomainname command returned a value"
LogText "Found domain name: ${FIND2}"
DOMAINNAME="${FIND2}"
else
logtext "Result: dnsdomainname command returned no value"
LogText "Result: dnsdomainname command returned no value"
fi
else
logtext "Result: dnsdomainname binary not found, skip specific test"
LogText "Result: dnsdomainname binary not found, skip specific test"
fi
# If files and commands can't be found, use defined value from resolv.conf
if [ "${DOMAINNAME}" = "" ]; then
if [ ! "${RESOLV_DOMAINNAME}" = "" ]; then
logtext "Result: using domain name from /etc/resolv.conf"
LogText "Result: using domain name from /etc/resolv.conf"
DOMAINNAME=${RESOLV_DOMAINNAME}
else
logtext "Result: using domain name from FQDN hostname"
LogText "Result: using domain name from FQDN hostname"
#DOMAINNAME=${FQDN#${HOSTNAME}.}
DOMAINNAME=`echo ${FQDN} | cut -d . -f2-`
fi
fi
if [ ! "${DOMAINNAME}" = "" ]; then
logtext "Result: found domain name"
report "domainname=${DOMAINNAME}"
LogText "Result: found domain name"
Report "domainname=${DOMAINNAME}"
Display --indent 2 --text "- Searching DNS domain name" --result "FOUND" --color GREEN
Display --indent 6 --text "Domain name: ${DOMAINNAME}"
else
@ -226,14 +226,14 @@
# Description : Check name service caching daemon (NSCD) status
Register --test-no NAME-4032 --weight L --network NO --description "Check nscd status"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking nscd status"
LogText "Test: checking nscd status"
IsRunning nscd
if [ ${RUNNING} -eq 1 ]; then
NAME_CACHE_USED=1
logtext "Result: nscd is running"
LogText "Result: nscd is running"
Display --indent 2 --text "- Checking nscd status" --result RUNNING --color GREEN
else
logtext "Result: nscd is not running"
LogText "Result: nscd is not running"
Display --indent 2 --text "- Checking nscd status" --result "NOT FOUND" --color WHITE
fi
fi
@ -244,15 +244,15 @@
# Description : Check name service caching daemon (Unbound) status
Register --test-no NAME-4034 --weight L --network NO --description "Check Unbound status"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking Unbound (unbound) status"
LogText "Test: checking Unbound (unbound) status"
IsRunning unbound
if [ ${RUNNING} -eq 1 ]; then
UNBOUND_RUNNING=1
NAME_CACHE_USED=1
logtext "Result: Unbound daemon is running"
LogText "Result: Unbound daemon is running"
Display --indent 2 --text "- Checking Unbound status" --result RUNNING --color GREEN
else
logtext "Result: Unbound daemon is not running"
LogText "Result: Unbound daemon is not running"
Display --indent 2 --text "- Checking Unbound status" --result "NOT FOUND" --color WHITE
fi
fi
@ -266,20 +266,20 @@
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`which unbound-checkconf`
if [ ! "${FIND}" = "" ]; then
logtext "Test: running unbound-checkconf"
LogText "Test: running unbound-checkconf"
# Don't capture any output, just gather exit code (0 is fine, otherwise bad)
FIND=`unbound-checkconf > /dev/null 2>&1`
if [ $? -eq 0 ]; then
UNBOUND_CONFIG_OK=1
logtext "Result: Configuration is fine"
LogText "Result: Configuration is fine"
Display --indent 2 --text "- Checking configuration file" --result OK --color GREEN
else
logtext "Result: Unbound daemon is not running"
LogText "Result: Unbound daemon is not running"
Display --indent 2 --text "- Checking configuration file" --result "NOT OK" --color YELLOW
ReportWarning "${TEST_NO}" "L" "Found Unbound configuration file issues (run unbound-checkconf)"
fi
else
logtext "Result: skipped, can't find unbound-checkconf utility"
LogText "Result: skipped, can't find unbound-checkconf utility"
fi
fi
#
@ -289,14 +289,14 @@
# Description : Check if BIND is running
Register --test-no NAME-4202 --weight L --network NO --description "Check BIND status"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking for running BIND instance"
LogText "Test: Checking for running BIND instance"
IsRunning named
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: found BIND process"
LogText "Result: found BIND process"
Display --indent 2 --text "- Checking BIND status" --result "FOUND" --color GREEN
BIND_RUNNING=1
else
logtext "Result: BIND not running"
LogText "Result: BIND not running"
Display --indent 2 --text "- Checking BIND status" --result "NOT FOUND" --color WHITE
fi
fi
@ -308,11 +308,11 @@
if [ ${BIND_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4204 --preqs-met ${PREQS_MET} --weight L --network NO --description "Search BIND configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Search BIND configuration file"
LogText "Test: Search BIND configuration file"
for I in ${BIND_CONFIG_LOCS}; do
if [ -f ${I}/named.conf ]; then
BIND_CONFIG_LOCATION="${I}/named.conf"
logtext "Result: found configuration file (${BIND_CONFIG_LOCATION})"
LogText "Result: found configuration file (${BIND_CONFIG_LOCATION})"
fi
done
if [ ! "${BIND_CONFIG_LOCATION}" = "" ]; then
@ -329,20 +329,20 @@
if [ ${BIND_RUNNING} -eq 1 -a ! "${BIND_CONFIG_LOCATION}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4206 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check BIND configuration consistency"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: searching for named-checkconf binary"
LogText "Test: searching for named-checkconf binary"
if [ ! "${NAMEDCHECKCONFBINARY}" = "" ]; then
logtext "Result: named-checkconf is installed"
LogText "Result: named-checkconf is installed"
FIND=`${NAMEDCHECKCONFBINARY} ${BIND_CONFIG_LOCATION}; echo $?`
if [ "${FIND}" = "0" ]; then
logtext "Result: configuration file ${BIND_CONFIG_LOCATION} seems to be fine"
LogText "Result: configuration file ${BIND_CONFIG_LOCATION} seems to be fine"
Display --indent 4 --text "- Checking BIND configuration consistency" --result "OK" --color GREEN
else
logtext "Result: possible errors found in ${BIND_CONFIG_LOCATION}"
LogText "Result: possible errors found in ${BIND_CONFIG_LOCATION}"
Display --indent 4 --text "- Checking BIND configuration consistency" --result WARNING --color RED
ReportWarning ${TEST_NO} "Errors discovered in BIND configuration file"
fi
else
logtext "Result: named-checkconf not found, skipping test"
LogText "Result: named-checkconf not found, skipping test"
fi
fi
#
@ -360,14 +360,14 @@
if [ ${BIND_RUNNING} -eq 1 -a ! "${BIND_CONFIG_LOCATION}" = "" -a ! "${DIGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4210 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check DNS banner"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Trying to determine version from banner"
LogText "Test: Trying to determine version from banner"
FIND=`${DIGBINARY} @localhost version.bind chaos txt | grep "^version.bind" | grep TXT | egrep "[0-9].[0-9].[0-9]*"`
if [ "${FIND}" = "" ]; then
logtext "Result: no useful information in banner found"
LogText "Result: no useful information in banner found"
Display --indent 4 --text "- Checking BIND version in banner" --result "OK" --color GREEN
AddHP 2 2
else
logtext "Result: possible BIND version available in version banner"
LogText "Result: possible BIND version available in version banner"
Display --indent 4 --text "- Checking BIND version in banner" --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "Found BIND version in banner"
ReportSuggestion ${TEST_NO} "The version in BIND can be masked by defining 'version none' in the configuration file"
@ -402,14 +402,14 @@
# Description : Check if PowerDNS is running
Register --test-no NAME-4230 --weight L --network NO --description "Check PowerDNS status"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking for running PowerDNS instance"
LogText "Test: Checking for running PowerDNS instance"
IsRunning pdns_server
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: found PowerDNS process"
LogText "Result: found PowerDNS process"
Display --indent 2 --text "- Checking PowerDNS status" --result "RUNNING" --color GREEN
POWERDNS_RUNNING=1
else
logtext "Result: PowerDNS not running"
LogText "Result: PowerDNS not running"
Display --indent 2 --text "- Checking PowerDNS status" --result "NOT FOUND" --color WHITE
fi
fi
@ -421,11 +421,11 @@
if [ ${POWERDNS_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4232 --preqs-met ${PREQS_MET} --weight L --network NO --description "Search PowerDNS configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Search PowerDNS configuration file"
LogText "Test: Search PowerDNS configuration file"
for I in ${POWERDNS_CONFIG_LOCS}; do
if [ -f ${I}/pdns.conf ]; then
POWERDNS_AUTH_CONFIG_LOCATION="${I}/pdns.conf"
logtext "Result: found configuration file (${POWERDNS_AUTH_CONFIG_LOCATION})"
LogText "Result: found configuration file (${POWERDNS_AUTH_CONFIG_LOCATION})"
fi
done
if [ ! "${POWERDNS_AUTH_CONFIG_LOCATION}" = "" ]; then
@ -451,15 +451,15 @@
if [ ${POWERDNS_RUNNING} -eq 1 -a ! "${POWERDNS_AUTH_CONFIG_LOCATION}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4236 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PowerDNS backends"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking for PowerDNS backends"
LogText "Test: Checking for PowerDNS backends"
FIND=`awk -F= '/^launch/ { print $2 }' ${POWERDNS_AUTH_CONFIG_LOCATION}`
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
logtext "Found backend: ${I}"
LogText "Found backend: ${I}"
done
Display --indent 4 --text "- Checking PowerDNS backends" --result "FOUND" --color GREEN
else
logtext "Result: no PowerDNS backends found"
LogText "Result: no PowerDNS backends found"
Display --indent 4 --text "- Checking PowerDNS backends" --result "NOT FOUND" --color YELLOW
fi
fi
@ -471,24 +471,24 @@
if [ ${POWERDNS_RUNNING} -eq 1 -a ! "${POWERDNS_AUTH_CONFIG_LOCATION}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4238 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PowerDNS authoritive status"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking for PowerDNS master status"
LogText "Test: Checking for PowerDNS master status"
FIND=`grep "^master=yes" ${POWERDNS_AUTH_CONFIG_LOCATION}`
if [ ! "${FIND}" = "" ]; then
logtext "Found master=yes in configuration file"
LogText "Found master=yes in configuration file"
Display --indent 4 --text "- PowerDNS authoritive master: YES"
POWERDNS_AUTH_MASTER=1
else
logtext "Result: most likely not master (no master=yes)"
LogText "Result: most likely not master (no master=yes)"
Display --indent 4 --text "- PowerDNS authoritive master: NO"
fi
logtext "Test: Checking for PowerDNS slave status"
LogText "Test: Checking for PowerDNS slave status"
FIND=`grep "^slave=yes" ${POWERDNS_AUTH_CONFIG_LOCATION}`
if [ ! "${FIND}" = "" ]; then
logtext "Found slave=yes in configuration file"
LogText "Found slave=yes in configuration file"
Display --indent 4 --text "- PowerDNS authoritive slave: YES"
POWERDNS_AUTH_SLAVE=1
else
logtext "Result: most likely not slave (no slave=yes)"
LogText "Result: most likely not slave (no slave=yes)"
Display --indent 4 --text "- PowerDNS authoritive slave: NO"
fi
fi
@ -499,21 +499,21 @@
# Description : Check NIS ypbind daemon status
Register --test-no NAME-4304 --weight L --network NO --description "Check NIS ypbind status"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking status of ypbind daemon"
LogText "Test: Checking status of ypbind daemon"
IsRunning ypbind
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: ypbind is running"
LogText "Result: ypbind is running"
Display --indent 2 --text "- Checking ypbind status" --result "FOUND" --color GREEN
YPBIND_RUNNING=1
IsRunning ypldap
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: ypldap is running"
LogText "Result: ypldap is running"
Display --indent 2 --text "- Checking ypldap status" --result "FOUND" --color GREEN
else
ReportSuggestion "Disable the usage of NIS/NIS+ and use an alternative like LDAP or Kerberos instead"
fi
else
logtext "Result: ypbind is not active"
LogText "Result: ypbind is not active"
Display --indent 2 --text "- Checking ypbind status" --result "NOT FOUND" --color WHITE
fi
fi
@ -526,58 +526,58 @@
if [ ${YPBIND_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4306 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check NIS domain"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking `domainname` for NIS domain value"
LogText "Test: Checking `domainname` for NIS domain value"
FIND=`${DOMAINNAMEBINARY} | grep -v "(none)"`
if [ ! "${FIND}" = "" ]; then
logtext "Value: ${FIND}"
LogText "Value: ${FIND}"
NISDOMAIN="${FIND}"
else
logtext "Result: no NIS domain found in command output"
LogText "Result: no NIS domain found in command output"
fi
# Solaris / Linux style
logtext "Test: Checking file /etc/defaultdomain"
LogText "Test: Checking file /etc/defaultdomain"
if [ -f /etc/defaultdomain ]; then
logtext "Result: file /etc/defaultdomain exists"
LogText "Result: file /etc/defaultdomain exists"
FIND2=`cat /etc/defaultdomain`
if [ ! "${FIND2}" = "" ]; then
logtext "Output: ${FIND2}"
LogText "Output: ${FIND2}"
NISDOMAIN="${FIND2}"
else
logtext "Result: no NIS domain found in file"
LogText "Result: no NIS domain found in file"
fi
fi
# Red Hat style
logtext "Test: checking /etc/sysconfig/network"
LogText "Test: checking /etc/sysconfig/network"
if [ -f /etc/sysconfig/network ]; then
logtext "Result: file /etc/sysconfig/network exists"
logtext "Test: checking NISDOMAIN value in file"
LogText "Result: file /etc/sysconfig/network exists"
LogText "Test: checking NISDOMAIN value in file"
FIND3=`grep "^NISDOMAIN" /etc/sysconfig/network | awk -F= '{ print $2 }' | sed 's/"//g'`
if [ ! "${FIND3}" = "" ]; then
logtext "Found NIS domain: ${FIND3}"
LogText "Found NIS domain: ${FIND3}"
NISDOMAIN="${FIND3}"
else
logtext "Result: No NIS domain found in file"
LogText "Result: No NIS domain found in file"
fi
else
logtext "Result: file /etc/sysconfig/network does not exist"
LogText "Result: file /etc/sysconfig/network does not exist"
fi
if [ ! "${SYSCTLBINARY}" = "" ]; then
# Check sysctl (e.g. FreeBSD)
logtext "Test: checking sysctl for kern.domainname"
LogText "Test: checking sysctl for kern.domainname"
FIND=`${SYSCTLBINARY} -a 2>&1 | grep "^kern.domainname" | awk -F: '{ print $2 }' | sed 's/ //g' | grep -v "^$"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found NIS domain via sysctl"
LogText "Result: found NIS domain via sysctl"
NISDOMAIN="${FIND}"
fi
fi
# Check if we found any NIS domain
if [ ! "${NISDOMAIN}" = "" ]; then
logtext "Found NIS domain: ${NISDOMAIN}"
report "nisdomain=${NISDOMAIN}"
LogText "Found NIS domain: ${NISDOMAIN}"
Report "nisdomain=${NISDOMAIN}"
Display --indent 4 --text "- Checking NIS domain" --result "FOUND" --color GREEN
else
logtext "Result: No NIS domain found"
LogText "Result: No NIS domain found"
Display --indent 4 --text "- Checking NIS domain" --result "UNKNOWN" --color YELLOW
fi
fi
@ -592,20 +592,20 @@
# Description : Check /etc/hosts configuration
Register --test-no NAME-4402 --weight L --network NO --description "Check duplicate line in /etc/hosts"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check duplicate line in /etc/hosts"
LogText "Test: check duplicate line in /etc/hosts"
if [ -f /etc/hosts ]; then
sFIND=`egrep -v '^(#|$)' /etc/hosts | awk '{ print $1, $2 }' | sort | uniq -d`
if [ "${sFIND}" = "" ]; then
logtext "Result: OK, no duplicate lines found"
LogText "Result: OK, no duplicate lines found"
Display --indent 4 --text "- Checking /etc/hosts (duplicates)" --result OK --color GREEN
else
logtext "Found duplicate line: ${sFIND}"
logtext "Result: found duplicate line"
LogText "Found duplicate line: ${sFIND}"
LogText "Result: found duplicate line"
Display --indent 4 --text "- Checking /etc/hosts (duplicates)" --result SUGGESTION --color YELLOW
ReportSuggestion "${TEST_NO}" "Remove duplicate lines in /etc/hosts"
fi
else
logtext "Result: /etc/hosts not found, test skipped"
LogText "Result: /etc/hosts not found, test skipped"
Display --indent 4 --text "Searching duplicate line" --result "SKIPPED" --color YELLOW
fi
fi
@ -617,17 +617,17 @@
if [ ! "${HOSTNAME}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4404 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check /etc/hosts contains an entry for this server name"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Check /etc/hosts contains an entry for this server name"
LogText "Test: Check /etc/hosts contains an entry for this server name"
if [ -f /etc/hosts ]; then
sFIND=`egrep -v '^(#|$|^::1\s|localhost)' /etc/hosts | grep ${HOSTNAME}`
if [ "${sFIND}" != "" ]; then
logtext "Result: Found entry for ${HOSTNAME} in /etc/hosts"
LogText "Result: Found entry for ${HOSTNAME} in /etc/hosts"
Display --indent 4 --text "- Checking /etc/hosts (hostname)" --result OK --color GREEN
else
logtext "Result: No entry found for ${HOSTNAME} in /etc/hosts"
LogText "Result: No entry found for ${HOSTNAME} in /etc/hosts"
Display --indent 4 --text "- Checking /etc/hosts (hostname)" --result SUGGESTION --color YELLOW
ReportSuggestion ${TEST_NO} "Add the IP name and FQDN to /etc/hosts for proper name resolving"
logtext "Risk: No entry for the server name [hostname] in /etc/hosts may cause unexpected performance problems for local connections"
LogText "Risk: No entry for the server name [hostname] in /etc/hosts may cause unexpected performance problems for local connections"
fi
fi
fi
@ -639,15 +639,15 @@
if [ ! "${HOSTNAME}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4406 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check server hostname mapping"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Check server hostname not locally mapped in /etc/hosts"
LogText "Test: Check server hostname not locally mapped in /etc/hosts"
sFIND=`egrep -v '^(#|$)' /etc/hosts | egrep '(localhost|^::1\s)' | grep -w ${HOSTNAME}`
if [ ! "${sFIND}" = "" ]; then
logtext "Result: Found this server hostname mapped to a local address"
LogText "Result: Found this server hostname mapped to a local address"
Display --indent 4 --text "- Checking /etc/hosts (localhost)" --result SUGGESTION --color YELLOW
logtext "Information: Linking the hostname to the localhost entry may break some resolving. Split resolving so that localhost resolves back to 127.0.0.1 (and ::1) and the hostname of the machine to the real IP address on the network interface."
LogText "Information: Linking the hostname to the localhost entry may break some resolving. Split resolving so that localhost resolves back to 127.0.0.1 (and ::1) and the hostname of the machine to the real IP address on the network interface."
ReportSuggestion ${TEST_NO} "Split resolving between localhost and the hostname of the system"
else
logtext "Result: this server hostname is not mapped to a local address"
LogText "Result: this server hostname is not mapped to a local address"
Display --indent 4 --text "- Checking /etc/hosts (localhost)" --result OK --color GREEN
fi
fi
@ -660,4 +660,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com

108
include/tests_networking
View File

@ -5,7 +5,7 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -34,16 +34,16 @@
Register --test-no NETW-2704 --weight L --network YES --description "Basic nameserver configuration tests"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Checking configured nameservers"
logtext "Test: Checking /etc/resolv.conf file"
LogText "Test: Checking /etc/resolv.conf file"
if [ -f /etc/resolv.conf ]; then
logtext "Result: Found /etc/resolv.conf file"
LogText "Result: Found /etc/resolv.conf file"
FIND=`grep '^nameserver' /etc/resolv.conf | tr -d '\t' | sed 's/nameserver*//g' | uniq`
if [ ! "${FIND}" = "" ]; then
Display --indent 4 --text "- Testing nameservers"
logtext "Test: Querying nameservers"
LogText "Test: Querying nameservers"
for I in ${FIND}; do
logtext "Found nameserver: ${I}"
report "nameserver[]=${I}"
LogText "Found nameserver: ${I}"
Report "nameserver[]=${I}"
# Check if a local resolver is available (like DNSMasq)
if [ "${I}" = "::1" -o "${I}" = "127.0.0.1" -o "${I}" = "0.0.0.0" ]; then
LOCAL_DNSRESOLVER_FOUND=1
@ -54,18 +54,18 @@
DNSRESPONSE=`${DIGBINARY} +noall +time=3 +retry=0 @${I} ${I} > /dev/null ; echo $?`
if [ "${DNSRESPONSE}" = "0" ]; then
Display --indent 8 --text "Nameserver: ${I}" --result OK --color GREEN
logtext "Nameserver ${I} seems to respond to queries from this host."
LogText "Nameserver ${I} seems to respond to queries from this host."
# Count responsive nameservers
NUMBERACTIVENS=`expr ${NUMBERACTIVENS} + 1`
else
Display --indent 8 --text "Nameserver: ${I}" --result "NO RESPONSE" --color RED
logtext "Result: nameserver ${I} does NOT respond"
logtext "Exit-code from dig: ${DNSRESPONSE}"
LogText "Result: nameserver ${I} does NOT respond"
LogText "Exit-code from dig: ${DNSRESPONSE}"
ReportSuggestion ${TEST_NO} "Check connection to this nameserver and make sure no outbound DNS queries are blocked (port 53 UDP and TCP)."
ReportWarning ${TEST_NO} "L" "Nameserver ${I} does not respond"
fi
else
logtext "Result: Nameserver test for ${I} skipped, 'dig' not installed"
LogText "Result: Nameserver test for ${I} skipped, 'dig' not installed"
Display --indent 6 --text "Nameserver: ${I}" --result SKIPPED --color YELLOW
fi
done
@ -83,22 +83,22 @@
if [ ! "${DIGBINARY}" = "" ]; then
if [ ${NUMBERACTIVENS} -lt 2 ]; then
Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result WARNING --color RED
logtext "Result: less than 2 responsive nameservers found"
LogText "Result: less than 2 responsive nameservers found"
ReportWarning ${TEST_NO} "L" "Couldn't find 2 responsive nameservers"
logtext "Note: Non responsive nameservers can give problems for your system(s). Like the lack of recursive lookups, bad connectivity to update servers etc."
LogText "Note: Non responsive nameservers can give problems for your system(s). Like the lack of recursive lookups, bad connectivity to update servers etc."
ReportSuggestion ${TEST_NO} "Check your resolv.conf file and fill in a backup nameserver if possible"
AddHP 1 2
else
Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result OK --color GREEN
logtext "Result: found at least 2 responsive nameservers"
LogText "Result: found at least 2 responsive nameservers"
AddHP 3 3
fi
else
Display --indent 4 --text "- Minimal of 2 responsive nameservers" --result SKIPPED --color YELLOW
logtext "Result: dig not installed, test can't be fully performed"
LogText "Result: dig not installed, test can't be fully performed"
fi
else
logtext "Result: Test most likely skipped due having local resolver in /etc/resolv.conf"
LogText "Result: Test most likely skipped due having local resolver in /etc/resolv.conf"
fi
#
#################################################################################
@ -109,16 +109,16 @@
if [ ! "${NETSTATBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NETW-3001 --preqs-met ${PREQS_MET} --weight L --network NO --description "Find default gateway (route)"
if [ $SKIPTEST -eq 0 ]; then
logtext "Test: Searching default gateway(s)"
LogText "Test: Searching default gateway(s)"
FIND=`${NETSTATBINARY} -rn | egrep "^0.0.0.0|default" | tr -s ' ' | cut -d ' ' -f2`
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
logtext "Result: Found default gateway ${I}"
report "default_gateway[]=${I}"
LogText "Result: Found default gateway ${I}"
Report "default_gateway[]=${I}"
done
Display --indent 2 --text "- Checking default gateway" --result DONE --color GREEN
else
logtext "Result: No default gateway found"
LogText "Result: No default gateway found"
Display --indent 2 --text "- Checking default gateway" --result "NONE FOUND" --color WHITE
fi
fi
@ -156,9 +156,9 @@
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
NETWORK_INTERFACES="${NETWORK_INTERFACES}|${I}"
logtext "Found network interface: ${I}"
LogText "Found network interface: ${I}"
N=`expr ${N} + 1`
report "network_interface[]=${I}"
Report "network_interface[]=${I}"
done
else
ReportException "${TEST_NO}:1" "No interfaces found on this system (OS=${OS})"
@ -184,7 +184,7 @@
FIND=`${IFCONFIGBINARY} -a | ${GREPBINARY} "HWaddr" | awk '{ if ($4=="HWaddr") print $5 }' | sort -u`
else
if [ ! "${IPBINARY}" = "" ]; then
logtext "Test: Using ip binary to gather hardware addresses"
LogText "Test: Using ip binary to gather hardware addresses"
FIND=`${IPBINARY} link | ${GREPBINARY} "link/ether" | ${AWKBINARY} '{ print $2 }'`
else
ReportException "${TEST_NO}:2" "Missing ifconfig or ip command to collect hardware address (MAC)"
@ -210,9 +210,9 @@
esac
N=0
for I in ${FIND}; do
logtext "Found MAC address: ${I}"
LogText "Found MAC address: ${I}"
N=`expr ${N} + 1`
report "network_mac_address[]=${I}"
Report "network_mac_address[]=${I}"
done
fi
#
@ -239,7 +239,7 @@
FIND2=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet6" && $2=="addr:") { print $3 } else { if ($1=="inet6" && $3=="prefixlen") { print $2 } } }'`
else
if [ ! "${IPBINARY}" = "" ]; then
logtext "Test: Using ip binary to gather IP addresses"
LogText "Test: Using ip binary to gather IP addresses"
FIND=`${IPBINARY} addr | ${AWKBINARY} '{ if ($1=="inet") { print $2 }}' | sed 's/\/.*//'`
FIND2=`${IPBINARY} addr | ${AWKBINARY} '{ if ($1=="inet6") { print $2 }}' | sed 's/\/.*//'`
else
@ -260,22 +260,22 @@
FIND2=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet6") print $2 }'`
;;
*)
logtext "Result: no support yet for this OS (${OS}) to find IP address information. You can help improving this test by submitting your details."
LogText "Result: no support yet for this OS (${OS}) to find IP address information. You can help improving this test by submitting your details."
ReportException "${TEST_NO}:1" "IP address information test not implemented for this operating system"
;;
esac
N=0
# IPv4
for I in ${FIND}; do
logtext "Found IPv4 address: ${I}"
LogText "Found IPv4 address: ${I}"
N=`expr ${N} + 1`
report "network_ipv4_address[]=${I}"
Report "network_ipv4_address[]=${I}"
done
# IPv6
for I in ${FIND2}; do
logtext "Found IPv6 address: ${I}"
LogText "Found IPv6 address: ${I}"
N=`expr ${N} + 1`
report "network_ipv6_address[]=${I}"
Report "network_ipv6_address[]=${I}"
done
fi
@ -353,20 +353,20 @@
esac
# Retrieve information from sockstat, when available
logtext "Test: Retrieving sockstat information to find listening ports"
LogText "Test: Retrieving sockstat information to find listening ports"
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
N=`expr ${N} + 1`
logtext "Found listening info: ${I}"
report "network_listen_port[]=${I}"
LogText "Found listening info: ${I}"
Report "network_listen_port[]=${I}"
done
fi
if [ ! "${FIND2}" = "" ]; then
for I in ${FIND2}; do
N=`expr ${N} + 1`
logtext "Found listening info: ${I}"
report "network_listen_port[]=${I}"
LogText "Found listening info: ${I}"
Report "network_listen_port[]=${I}"
done
fi
if [ "${FIND}" = "" -a "${FIND2}" = "" ]; then
@ -385,18 +385,18 @@
if [ "${OS}" = "DragonFly" -o "${OS}" = "FreeBSD" -o "${OS}" = "NetBSD" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NETW-3014 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking promiscuous interfaces (BSD)"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking promiscuous interfaces (FreeBSD)"
LogText "Test: Checking promiscuous interfaces (FreeBSD)"
FIND=`${IFCONFIGBINARY} | grep PROMISC | cut -d ':' -f1`
if [ ! "${FIND}" = "" ]; then
logtext "Result: Promiscuous interfaces: ${FIND}"
LogText "Result: Promiscuous interfaces: ${FIND}"
for I in ${FIND}; do
ISWHITELISTED=`grep "^if_promisc:${I}:" ${PROFILE}`
if [ "${ISWHITELISTED}" = "" ]; then
FOUNDPROMISC=1
ReportWarning ${TEST_NO} "H" "Found promiscuous interface (${I})"
logtext "Note: some tools put an interface into promiscuous mode, to capture/log network traffic"
LogText "Note: some tools put an interface into promiscuous mode, to capture/log network traffic"
else
logtext "Result: Found promiscuous interface ${I} (*whitelisted via profile*)"
LogText "Result: Found promiscuous interface ${I} (*whitelisted via profile*)"
fi
done
fi
@ -404,7 +404,7 @@
# Show result
if [ ${FOUNDPROMISC} -eq 0 ]; then
Display --indent 2 --text "- Checking promiscuous interfaces" --result OK --color GREEN
logtext "Result: No promiscuous interfaces found"
LogText "Result: No promiscuous interfaces found"
else
Display --indent 2 --text "- Checking promiscuous interfaces" --result WARNING --color RED
fi
@ -418,20 +418,20 @@
if [ ! "${IFCONFIGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NETW-3015 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking promiscuous interfaces (Linux)"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking promiscuous interfaces (Linux)"
LogText "Test: Checking promiscuous interfaces (Linux)"
NETWORK=`${IFCONFIGBINARY} | grep Link | tr -s ' ' | cut -d ' ' -f1`
if [ ! "${NETWORK}" = "" ]; then
for I in ${NETWORK}; do
FIND=`${IFCONFIGBINARY} ${I} | grep PROMISC`
if [ ! "${FIND}" = "" ]; then
logtext "Result: Promiscuous interface: ${I}"
LogText "Result: Promiscuous interface: ${I}"
ISWHITELISTED=`grep "^if_promisc:${I}:" ${PROFILE}`
if [ "${ISWHITELISTED}" = "" ]; then
FOUNDPROMISC=1
ReportWarning ${TEST_NO} "H" "Found promiscuous interface (${I})"
logtext "Note: some tools put an interface into promiscuous mode, to capture/log network traffic"
LogText "Note: some tools put an interface into promiscuous mode, to capture/log network traffic"
else
logtext "Result: Found promiscuous interface ${I} (*whitelisted via profile*)"
LogText "Result: Found promiscuous interface ${I} (*whitelisted via profile*)"
fi
fi
done
@ -440,7 +440,7 @@
# Show result
if [ ${FOUNDPROMISC} -eq 0 ]; then
Display --indent 2 --text "- Checking promiscuous interfaces" --result OK --color GREEN
logtext "Result: No promiscuous interfaces found"
LogText "Result: No promiscuous interfaces found"
else
Display --indent 2 --text "- Checking promiscuous interfaces" --result WARNING --color RED
fi
@ -456,16 +456,16 @@
# Test : NETW-3024
# Description : Netstat/socktstat compare (FreeBSD)
# echo -n " - Comparing output sockstat and netstat"
# logtext "Comparing output of sockstat and netstat"
# LogText "Comparing output of sockstat and netstat"
# NETSTATOUTPUT=`netstat -an | grep -v 'TIME_WAIT' | grep -v 'ESTABLISHED' | grep -v 'SYN_SENT' | grep -v 'CLOSE_WAIT' | grep -v 'LAST_ACK' | grep -v 'SYN_RECV' | grep -v 'CLOSING' | cut -c 1-44 | grep '*.' | cut -c 24-32 | tr -d ' ' | tr -d '\t' | grep -v '*' | sort -u`
#
# if [ "${SOCKSTATOUTPUT}" = "${NETSTATOUTPUT}" ]; then
# ShowResult OK
# else
# echo "[ ${BAD}Warning!${NORMAL} ]"
# logtext "WARNING!"
# logtext "Sockstat tested output: ${SOCKSTAT}"
# logtext "Netstat tested output: ${NETSTAT}"
# LogText "WARNING!"
# LogText "Sockstat tested output: ${SOCKSTAT}"
# LogText "Netstat tested output: ${NETSTAT}"
# fi
#
#################################################################################
@ -477,16 +477,16 @@
if [ ! "${NETSTATBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NETW-3028 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking connections in WAIT state"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Using netstat for check for connections in WAIT state"
LogText "Test: Using netstat for check for connections in WAIT state"
FIND=`${NETSTATBINARY} -an | grep WAIT | wc -l | awk '{ print $1 }'`
if [ "${OPTIONS_CONN_MAX_WAIT_STATE}" = "" ]; then OPTIONS_CONN_MAX_WAIT_STATE="5000"; fi
logtext "Result: currently ${FIND} connections are in a waiting state (max configured: ${OPTIONS_CONN_MAX_WAIT_STATE})."
LogText "Result: currently ${FIND} connections are in a waiting state (max configured: ${OPTIONS_CONN_MAX_WAIT_STATE})."
if [ ${FIND} -gt ${OPTIONS_CONN_MAX_WAIT_STATE} ]; then
Display --indent 2 --text "- Checking waiting connections" --result WARNING --color YELLOW
ReportSuggestion "${TEST_NO}" "Determine why system has many connections in WAIT state (${FIND})"
else
Display --indent 2 --text "- Checking waiting connections" --result OK --color GREEN
logtext "Result: ${FIND} connections are in WAIT state"
LogText "Result: ${FIND} connections are in WAIT state"
fi
fi
#
@ -508,9 +508,9 @@
#################################################################################
#
report "dhcp_client_running=${DHCP_CLIENT_RUNNING}"
Report "dhcp_client_running=${DHCP_CLIENT_RUNNING}"
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com

72
include/tests_php
View File

@ -5,7 +5,7 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -42,18 +42,18 @@
# Description : Check php.ini presence
Register --test-no PHP-2211 --weight L --network NO --description "Check php.ini presence"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking for presence php.ini"
LogText "Test: Checking for presence php.ini"
PHPINIFILE=""
PHPINI_ALLFILES=""
for I in ${PHPINILOCS}; do
logtext "Test: checking presence ${I}"
LogText "Test: checking presence ${I}"
if [ -f ${I} ]; then
PHPINIFILE=${I}
logtext "Result: Found php.ini file (${PHPINIFILE})"
logtext "Note: Adding file to php.ini array"
LogText "Result: Found php.ini file (${PHPINIFILE})"
LogText "Note: Adding file to php.ini array"
PHPINI_ALLFILES="${PHPINI_ALLFILES} ${PHPINIFILE}"
else
logtext "Result: file ${I} not found"
LogText "Result: file ${I} not found"
fi
done
@ -61,12 +61,12 @@
for I in ${PHPINIDIRS}; do
tFILES=`ls ${I}/*.ini 2>/dev/null`
if [ "${tFILES}" = "" ]; then
logtext "Result: no files found for ${I}"
LogText "Result: no files found for ${I}"
else
logtext "Result: found files in location ${I}, checking"
LogText "Result: found files in location ${I}, checking"
for I in ${tFILES}; do
if [ -f ${I} ]; then
logtext "Result: file ${I} exists, adding to php.ini array"
LogText "Result: file ${I} exists, adding to php.ini array"
PHPINI_ALLFILES="${PHPINI_ALLFILES} ${I}"
fi
done
@ -75,11 +75,11 @@
if [ ! "${PHPINIFILE}" = "" ]; then
Display --indent 2 --text "- Checking PHP" --result "FOUND" --color GREEN
logtext "Result: using single file ${PHPINIFILE} for main php.ini tests"
logtext "Result: using php.ini array ${PHPINI_ALLFILES} for further tests"
LogText "Result: using single file ${PHPINIFILE} for main php.ini tests"
LogText "Result: using php.ini array ${PHPINI_ALLFILES} for further tests"
else
Display --indent 2 --text "- Checking PHP" --result "NOT FOUND" --color WHITE
logtext "Result: no php.ini file found"
LogText "Result: no php.ini file found"
fi
fi
#
@ -92,31 +92,31 @@
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
for I in ${PHPINI_ALLFILES}; do
logtext "Test: Checking for PHP function hardening disabled_functions or suhosin.executor.func.blacklist in file ${I}"
LogText "Test: Checking for PHP function hardening disabled_functions or suhosin.executor.func.blacklist in file ${I}"
FIND=`grep "^disable_functions.*=" ${I}`
if [ "${FIND}" = "" ]; then
logtext "Result: ${I}: disabled_functions not found"
LogText "Result: ${I}: disabled_functions not found"
else
logtext "Result: ${I}: found disabled_functions"
LogText "Result: ${I}: found disabled_functions"
FOUND=1
fi
FIND=`grep "^suhosin.executor.func.blacklist=" ${I}`
if [ "${FIND}" = "" ]; then
logtext "Result: ${I}: suhosin.executor.func.blacklist not found"
LogText "Result: ${I}: suhosin.executor.func.blacklist not found"
else
logtext "Result: ${I}: found suhosin.executor.func.blacklist"
LogText "Result: ${I}: found suhosin.executor.func.blacklist"
FOUND=1
fi
done
if [ ${FOUND} -eq 0 ]; then
logtext "Result: all PHP functions can be executed"
LogText "Result: all PHP functions can be executed"
Display --indent 4 --text "- Checking PHP disabled functions" --result "NONE" --color YELLOW
ReportSuggestion ${TEST_NO} "Harden PHP by disabling risky functions"
logtext "Functions of interest to research/disable: chown, diskfreespace, disk_free_space, disk_total_space, dl, exec, escapeshellarg, escapeshellcmd, fileinode, highlight_file, max_execution_time, passthru, pclose, phpinfo, popen, proc_close, proc_open, proc_get_status, proc_nice, proc_open, proc_terminate, set_time_limit, shell_exec, show_source, system)"
LogText "Functions of interest to research/disable: chown, diskfreespace, disk_free_space, disk_total_space, dl, exec, escapeshellarg, escapeshellcmd, fileinode, highlight_file, max_execution_time, passthru, pclose, phpinfo, popen, proc_close, proc_open, proc_get_status, proc_nice, proc_open, proc_terminate, set_time_limit, shell_exec, show_source, system)"
AddHP 0 1
else
logtext "Result: one or more PHP functions are disabled/blacklisted"
LogText "Result: one or more PHP functions are disabled/blacklisted"
Display --indent 4 --text "- Checking PHP disabled functions" --result "FOUND" --color GREEN
AddHP 3 3
fi
@ -146,17 +146,17 @@
fi
Register --test-no PHP-2368 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP register_globals option"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking PHP register_globals option"
LogText "Test: Checking PHP register_globals option"
FIND=`egrep -i 'register_globals.*(on|yes|1)' ${PHPINIFILE} | grep -v '^;'`
if [ ! "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking register_globals option" --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "PHP option register_globals option is turned on, which can be a risk for variable value overwriting"
ReportSuggestion ${TEST_NO} "Change the register_globals line to: register_globals = Off"
logtext "Result: register_globals option is turned on, which can be a risk for variable value overwriting."
LogText "Result: register_globals option is turned on, which can be a risk for variable value overwriting."
AddHP 1 2
else
Display --indent 4 --text "- Checking register_globals option" --result OK --color GREEN
logtext "Result: No 'register_globals' found. Most likely it is in disabled state (0, no, or off), which is the default nowadays and considered the safe value."
LogText "Result: No 'register_globals' found. Most likely it is in disabled state (0, no, or off), which is the default nowadays and considered the safe value."
ReportManual ${TEST_NO}:01
AddHP 2 2
fi
@ -170,17 +170,17 @@
if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PHP-2372 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP expose_php option"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking expose_php option"
LogText "Test: Checking expose_php option"
FIND=`egrep -i 'expose_php.*(off|no|0)' ${PHPINIFILE} | grep -v '^;'`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking expose_php option" --result ON --color RED
ReportWarning ${TEST_NO} "M" "PHP option expose_php is possibly turned on, which can reveal useful information for attackers."
ReportSuggestion ${TEST_NO} "Change the expose_php line to: expose_php = Off"
report "Result: expose_php option is turned on, which can expose useful information for an attacker"
Report "Result: expose_php option is turned on, which can expose useful information for an attacker"
AddHP 1 2
else
Display --indent 4 --text "- Checking expose_php option" --result OFF --color GREEN
logtext "Result: Found 'expose_php' in disabled state (0, no, or off)"
LogText "Result: Found 'expose_php' in disabled state (0, no, or off)"
AddHP 2 2
fi
#YYY Check through all files
@ -194,16 +194,16 @@
if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PHP-2374 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP enable_dl option"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking PHP enable_dl option"
LogText "Test: Checking PHP enable_dl option"
FIND=`egrep -i 'enable_dl.*(off|no|0)' ${PHPINIFILE} | grep -v '^;'`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking enable_dl option" --result ON --color YELLOW
report "Result: enable_dl option is turned on, which can be used for riskful downloads via PHP"
Report "Result: enable_dl option is turned on, which can be used for riskful downloads via PHP"
ReportSuggestion ${TEST_NO} "Change the enable_dl line to: enable_dl = Off, to disable downloads via PHP"
AddHP 0 1
else
Display --indent 4 --text "- Checking enable_dl option" --result OFF --color GREEN
logtext "Result: Found 'enable_dl' in disabled state (0, no, or off)"
LogText "Result: Found 'enable_dl' in disabled state (0, no, or off)"
AddHP 2 2
fi
#YYY Check through all files
@ -217,16 +217,16 @@
if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PHP-2376 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP allow_url_fopen option"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking PHP allow_url_fopen option"
LogText "Test: Checking PHP allow_url_fopen option"
FIND=`egrep -i 'allow_url_fopen.*(off|no|0)' ${PHPINIFILE} | grep -v '^;'`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking allow_url_fopen option" --result ON --color YELLOW
report "Result: allow_url_fopen option is turned on, which can be used for riskful downloads via PHP"
Report "Result: allow_url_fopen option is turned on, which can be used for riskful downloads via PHP"
ReportSuggestion ${TEST_NO} "Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP"
AddHP 0 1
else
Display --indent 4 --text "- Checking allow_url_fopen option" --result OFF --color GREEN
logtext "Result: Found 'allow_url_fopen' in disabled state (0, no, or off)"
LogText "Result: Found 'allow_url_fopen' in disabled state (0, no, or off)"
AddHP 2 2
fi
#YYY Check through all files
@ -240,16 +240,16 @@
if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PHP-2378 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP allow_url_include option"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking PHP allow_url_include option"
LogText "Test: Checking PHP allow_url_include option"
FIND=`egrep -i 'allow_url_include.*(off|no|0)' ${PHPINIFILE} | grep -v '^;'`
if [ "${FIND}" = "" ]; then
Display --indent 4 --text "- Checking allow_url_include option" --result ON --color YELLOW
report "Result: allow_url_include option is turned on, which can be used for riskful downloads via PHP"
Report "Result: allow_url_include option is turned on, which can be used for riskful downloads via PHP"
ReportSuggestion ${TEST_NO} "Change the allow_url_include line to: allow_url_include = Off, to disable downloads via PHP"
AddHP 0 1
else
Display --indent 4 --text "- Checking allow_url_include option" --result OFF --color GREEN
logtext "Result: Found 'allow_url_include' in disabled state (0, no, or off)"
LogText "Result: Found 'allow_url_include' in disabled state (0, no, or off)"
AddHP 2 2
fi
fi
@ -261,4 +261,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com

366
include/tests_ports_packages
View File

@ -5,7 +5,7 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -36,17 +36,17 @@
FIND=`pkg -N 2>&1; echo $?`
if [ "${FIND}" = "0" ]; then
Display --indent 4 --text "- Searching packages with pkg" --result FOUND --color GREEN
report "package_manager[]=pkg"
Report "package_manager[]=pkg"
PACKAGE_MGR_PKG=1
logtext "Result: Found pkg"
logtext "Test: Querying pkg to get package list"
LogText "Result: Found pkg"
LogText "Test: Querying pkg to get package list"
Display --indent 6 --text "- Querying pkg for installed packages"
logtext "Output:"; logtext "-----"
LogText "Output:"; LogText "-----"
SPACKAGES=`/usr/sbin/pkg query %n,%v`
for J in ${SPACKAGES}; do
sPKG_NAME=`echo ${J} | cut -d ',' -f1`
sPKG_VERSION=`echo ${J} | cut -d ',' -f2`
logtext "Installed package: ${sPKG_NAME} (version: ${sPKG_VERSION})"
LogText "Installed package: ${sPKG_NAME} (version: ${sPKG_VERSION})"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J}"
done
fi
@ -61,20 +61,20 @@
if [ ${SKIPTEST} -eq 0 ]; then
N=0
Display --indent 4 --text "- Checking pkg_info" --result FOUND --color GREEN
logtext "Result: Found pkg_info"
report "package_manager[]=pkg_info"
logtext "Test: Querying pkg_info to get package list"
LogText "Result: Found pkg_info"
Report "package_manager[]=pkg_info"
LogText "Test: Querying pkg_info to get package list"
Display --indent 6 --text "- Querying pkg_info for installed packages"
logtext "Output:"; logtext "-----"
LogText "Output:"; LogText "-----"
SPACKAGES=`/usr/sbin/pkg_info 2>&1 | sort | tr -s ' ' | cut -d ' ' -f1 | sed -e 's/^\(.*\)-\([0-9].*\)$/\1,\2/g'`
for J in ${SPACKAGES}; do
N=`expr ${N} + 1`
sPKG_NAME=`echo ${J} | cut -d ',' -f1`
sPKG_VERSION=`echo ${J} | cut -d ',' -f2`
logtext "Installed package: ${sPKG_NAME} (version: ${sPKG_VERSION})"
LogText "Installed package: ${sPKG_NAME} (version: ${sPKG_VERSION})"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J}"
done
report "installed_packages=${N}"
Report "installed_packages=${N}"
fi
#
#################################################################################
@ -85,18 +85,18 @@
Register --test-no PKGS-7304 --preqs-met ${PREQS_MET} --weight L --network NO --description "Querying Gentoo packages"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 4 --text "- Searching emerge" --result FOUND --color GREEN
logtext "Result: Found Gentoo emerge"
report "package_manager[]=emerge"
logtext "Test: Querying portage to get package list"
LogText "Result: Found Gentoo emerge"
Report "package_manager[]=emerge"
LogText "Test: Querying portage to get package list"
Display --indent 4 --text "- Querying portage for installed packages"
logtext "Output:"; logtext "-----"
LogText "Output:"; LogText "-----"
GPACKAGES=`equery l '*' | sed -e 's/[.*]//g'`
for J in ${GPACKAGES}; do
logtext "Found package ${J}"
LogText "Found package ${J}"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J},0,"
done
else
logtext "Result: emerge can NOT be found on this system"
LogText "Result: emerge can NOT be found on this system"
fi
#
#
@ -108,19 +108,19 @@
Register --test-no PKGS-7306 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Querying Solaris packages"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 4 --text "- Searching pkginfo" --result FOUND --color GREEN
logtext "Result: Found Solaris pkginfo"
report "package_manager[]=pkginfo"
logtext "Test: Querying pkginfo to get package list"
LogText "Result: Found Solaris pkginfo"
Report "package_manager[]=pkginfo"
LogText "Test: Querying pkginfo to get package list"
Display --indent 4 --text "- Querying pkginfo for installed packages"
logtext "Output:"; logtext "-----"
LogText "Output:"; LogText "-----"
# Strip SUNW from strings
SPACKAGES=`/usr/bin/pkginfo -i | tr -s ' ' | cut -d ' ' -f2 | sed "s#^SUNW##"`
for J in ${SPACKAGES}; do
logtext "Found package ${J}"
LogText "Found package ${J}"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J},0,"
done
else
logtext "Result: pkginfo can NOT be found on this system"
LogText "Result: pkginfo can NOT be found on this system"
fi
#
#################################################################################
@ -132,28 +132,28 @@
if [ ${SKIPTEST} -eq 0 ]; then
N=0
Display --indent 4 --text "- Searching RPM package manager" --result FOUND --color GREEN
logtext "Result: Found rpm binary (${RPMBINARY})"
report "package_manager[]=rpm"
logtext "Test: Querying 'rpm -qa' to get package list"
LogText "Result: Found rpm binary (${RPMBINARY})"
Report "package_manager[]=rpm"
LogText "Test: Querying 'rpm -qa' to get package list"
Display --indent 6 --text "- Querying RPM package manager"
logtext "Output:"; logtext "--------"
LogText "Output:"; LogText "--------"
SPACKAGES=`${RPMBINARY} -qa --queryformat "%{NAME},%{VERSION}-%{RELEASE}.%{ARCH}\n" 2> /dev/null | sort`
if [ "${SPACKAGES}" = "" ]; then
logtext "Result: RPM binary available, but package list seems to be empty"
logtext "Info: looks like the rpm binary is installed, but not used for package installation"
LogText "Result: RPM binary available, but package list seems to be empty"
LogText "Info: looks like the rpm binary is installed, but not used for package installation"
ReportSuggestion "${TEST_NO}" "Check RPM database as RPM binary available but does not reveal any packages"
else
for J in ${SPACKAGES}; do
N=`expr ${N} + 1`
PACKAGE_NAME=`echo ${J} | awk -F, '{print $1}'`
PACKAGE_VERSION=`echo ${J} | awk -F, '{print $2}'`
logtext "Found package: ${J}"
LogText "Found package: ${J}"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION},"
done
report "installed_packages=${N}"
Report "installed_packages=${N}"
fi
else
logtext "Result: RPM binary NOT found on this system, test skipped"
LogText "Result: RPM binary NOT found on this system, test skipped"
fi
#
#################################################################################
@ -165,24 +165,24 @@
if [ ${SKIPTEST} -eq 0 ]; then
N=0
Display --indent 4 --text "- Searching pacman package manager" --result FOUND --color GREEN
logtext "Result: Found pacman binary (${PACMANBINARY})"
report "package_manager[]=pacman"
logtext "Test: Querying 'pacman -Q' to get package list"
LogText "Result: Found pacman binary (${PACMANBINARY})"
Report "package_manager[]=pacman"
LogText "Test: Querying 'pacman -Q' to get package list"
Display --indent 6 --text "- Querying pacman package manager"
logtext "Output:"; logtext "--------"
LogText "Output:"; LogText "--------"
SPACKAGES=`${PACMANBINARY} -Q | sort | sed 's/ /,/g'`
if [ "${SPACKAGES}" = "" ]; then
logtext "Result: pacman binary available, but package list seems to be empty"
logtext "Info: looks like the pacman binary is installed, but not used for package installation"
LogText "Result: pacman binary available, but package list seems to be empty"
LogText "Info: looks like the pacman binary is installed, but not used for package installation"
else
for J in ${SPACKAGES}; do
N=`expr ${N} + 1`
PACKAGE_NAME=`echo ${J} | awk -F, '{ print $1 }'`
PACKAGE_VERSION=`echo ${J} | awk -F, '{ print $2 }'`
logtext "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J}"
done
report "installed_packages=${N}"
Report "installed_packages=${N}"
fi
fi
#
@ -198,8 +198,8 @@
if [ ! "${FIND}" = "" ]; then
FIND=`checkupdates`
for I in ${FIND}; do
logtext "Result: update available for ${I}"
report "available_update[]=${I}"
LogText "Result: update available for ${I}"
Report "available_update[]=${I}"
FOUND=1
done
if [ ${FOUND} -eq 1 ]; then
@ -209,10 +209,10 @@
Display --indent 4 --text "- Searching update status (checkupdates)" --result "UP-TO-DATE" --color GREEN
fi
else
logtext "Result: skipping this test, can't find checkupdates binary"
LogText "Result: skipping this test, can't find checkupdates binary"
fi
else
logtext "Result: pacman binary NOT found on this system, test skipped"
LogText "Result: pacman binary NOT found on this system, test skipped"
fi
#
#################################################################################
@ -225,23 +225,23 @@
if [ ${SKIPTEST} -eq 0 ]; then
COUNT=0
# Check configuration options (options start with a capital)
logtext "Test: searching configured options in ${PACMANCONF}"
LogText "Test: searching configured options in ${PACMANCONF}"
FIND=`grep "^[A-Z]" ${PACMANCONF} | sort -u | sed 's/ /:space:/g'`
for I in ${FIND}; do
PMOPTION=`echo ${I} | sed 's/:space:/ /g' | ${AWKBINARY} -F= '{ print $1 }'`
PMVALUE=`echo ${I} | sed 's/:space:/ /g' | ${AWKBINARY} -F= '{ print $2 }'`
logtext "Result: found option ${PMOPTION} configured with value ${PMVALUE}"
report "pacman_option[]=${PMOPTION}:${PMVALUE}:"
LogText "Result: found option ${PMOPTION} configured with value ${PMVALUE}"
Report "pacman_option[]=${PMOPTION}:${PMVALUE}:"
done
# Check software repositories
logtext "Test: checking available repositories"
LogText "Test: checking available repositories"
FIND=`grep "^\[.*\]$" ${PACMANCONF} | tr -d '[]'`
for I in ${FIND}; do
COUNT=`expr ${COUNT} + 1`
report "package_repository[]=${I}"
Report "package_repository[]=${I}"
done
logtext "Result: found ${COUNT} repositories"
LogText "Result: found ${COUNT} repositories"
fi
#
#################################################################################
@ -258,10 +258,10 @@
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
N=`expr ${N} + 1`
logtext "Installed package: ${I}"
LogText "Installed package: ${I}"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J},0,"
done
report "installed_packages=${N}"
Report "installed_packages=${N}"
else
# Could not find any installed packages
ReportException ${TEST_NO} "No installed packages found with Zypper"
@ -277,19 +277,19 @@
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${ZYPPERBINARY} pchk | grep "(0 security patches)"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: No security updates found with Zypper"
LogText "Result: No security updates found with Zypper"
Display --indent 2 --text "- Using Zypper to obtain vulnerable packages" --result NONE --color GREEN
else
Display --indent 2 --text "- Using Zypper to obtain vulnerabilities" --result WARNING --color RED
logtext "Result: Zypper found one or more installed packages which are vulnerable."
LogText "Result: Zypper found one or more installed packages which are vulnerable."
ReportWarning ${TEST_NO} "H" "Found one or more vulnerable packages installed"
# Unfortunately zypper does not properly give back which package it is. Usually best guess is last word on the line
FIND=`${ZYPPERBINARY} lp | ${AWKBINARY} '{ if ($5=="security" || $7=="security") { print $NF }}' | sed 's/:$//' | grep -v "^$" | sort -u`
logtext "List of vulnerable packages/version:"
LogText "List of vulnerable packages/version:"
for I in ${FIND}; do
VULNERABLE_PACKAGES_FOUND=1
report "vulnerable_package[]=${I}"
logtext "Vulnerable package: ${I}"
Report "vulnerable_package[]=${I}"
LogText "Vulnerable package: ${I}"
# Decrease hardening points for every found vulnerable package
AddHP 1 2
done
@ -305,22 +305,22 @@
if [ ${SKIPTEST} -eq 0 ]; then
N=0
Display --indent 4 --text "- Searching dpkg package manager" --result FOUND --color GREEN
logtext "Result: Found dpkg binary"
report "package_manager[]=dpkg"
logtext "Test: Querying dpkg -l to get package list"
LogText "Result: Found dpkg binary"
Report "package_manager[]=dpkg"
LogText "Test: Querying dpkg -l to get package list"
Display --indent 6 --text "- Querying package manager"
logtext "Output:"
LogText "Output:"
SPACKAGES=`dpkg -l 2>/dev/null | grep "^ii" | tr -s ' ' | tr ' ' ',' | sort`
for J in ${SPACKAGES}; do
N=`expr ${N} + 1`
PACKAGE_NAME=`echo ${J} | cut -d ',' -f2`
PACKAGE_VERSION=`echo ${J} | cut -d ',' -f3`
logtext "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
done
report "installed_packages=${N}"
Report "installed_packages=${N}"
else
logtext "Result: dpkg can NOT be found on this system, test skipped"
LogText "Result: dpkg can NOT be found on this system, test skipped"
fi
#
#################################################################################
@ -332,23 +332,23 @@
Register --test-no PKGS-7346 --preqs-met ${PREQS_MET} --weight L --network NO --description "Search unpurged packages on system"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
logtext "Test: Querying dpkg -l to get unpurged packages"
LogText "Test: Querying dpkg -l to get unpurged packages"
SPACKAGES=`dpkg -l 2>/dev/null | grep "^rc" | cut -d ' ' -f3 | sort`
if [ "${SPACKAGES}" = "" ]; then
Display --indent 4 --text "- Query unpurged packages" --result NONE --color GREEN
logtext "Result: no packages found with left overs"
LogText "Result: no packages found with left overs"
else
Display --indent 4 --text "- Query unpurged packages" --result FOUND --color YELLOW
logtext "Result: found one or more packages with left over configuration files, cron jobs etc"
logtext "Output:"
LogText "Result: found one or more packages with left over configuration files, cron jobs etc"
LogText "Output:"
for J in ${SPACKAGES}; do
N=`expr ${N} + 1`
logtext "Found unpurged package: ${J}"
LogText "Found unpurged package: ${J}"
done
ReportSuggestion ${TEST_NO} "Purge old/removed packages (${N} found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts."
fi
else
logtext "Result: dpkg can NOT be found on this system, test skipped"
LogText "Result: dpkg can NOT be found on this system, test skipped"
fi
#
#################################################################################
@ -364,10 +364,10 @@
FIND=`/usr/local/sbin/portsclean -n -DD | grep 'Delete' | wc -l | tr -d ' '`
if [ ${FIND} -eq 0 ]; then
Display --indent 2 --text "- Checking presence old distfiles" --result OK --color GREEN
logtext "Result: no unused distfiles found"
LogText "Result: no unused distfiles found"
else
Display --indent 2 --text "- Checking presence old distfiles" --result WARNING --color YELLOW
logtext "Result: found ${FIND} unused distfiles"
LogText "Result: found ${FIND} unused distfiles"
ReportSuggestion ${TEST_NO} "Unused distfiles found. Use portsclean to delete these files. For example: portsclean -DD."
fi
fi
@ -381,24 +381,24 @@
Register --test-no "PKGS-7366" --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking for debsecan utility"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${DEBSECANBINARY}" = "" ]; then
logtext "Result: debsecan utility is installed"
LogText "Result: debsecan utility is installed"
Display --indent 4 --text "- debsecan utility" --result "FOUND" --color GREEN
AddHP 3 3
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="debsecan"
FIND=`find /etc/cron* -name debsecan`
if [ ! ${FIND} = "" ]; then
logtext "Result: cron job is configured for debsecan"
LogText "Result: cron job is configured for debsecan"
Display --indent 6 --text "- debsecan cron job" --result "FOUND" --color GREEN
AddHP 3 3
else
logtext "Result: no cron job is configured for debsecan"
LogText "Result: no cron job is configured for debsecan"
Display --indent 4 --text "- debsecan cron job" --result "NOT FOUND" --color YELLOW
AddHP 1 3
ReportSuggestion ${TEST_NO} "Check debsecan cron job and ensure it is enabled"
fi
else
logtext "Result: debsecan is not installed."
LogText "Result: debsecan is not installed."
Display --indent 4 --text "- debsecan utility" --result "NOT FOUND" --color YELLOW
AddHP 0 2
ReportSuggestion ${TEST_NO} "Install debsecan to check for vulnerabilities on installed packages."
@ -414,23 +414,23 @@
Register --test-no "PKGS-7370" --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking for debsums utility"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${DEBSUMSBINARY}" = "" ]; then
logtext "Result: debsums utility is installed"
LogText "Result: debsums utility is installed"
Display --indent 4 --text "- debsums utility" --result "FOUND" --color GREEN
AddHP 1 1
# Check in /etc/cron.hourly, daily, weekly, monthly etc
COUNT=`find /etc/cron* -name debsums | wc -l`
if [ ${COUNT} -gt 0 ]; then
logtext "Result: Cron job is configured for debsums utility."
LogText "Result: Cron job is configured for debsums utility."
Display --indent 6 --text "- Cron job for debsums" --result "FOUND" --color GREEN
AddHP 3 3
else
logtext "Result: Cron job is not configured for debsums utility."
LogText "Result: Cron job is not configured for debsums utility."
Display --indent 6 --text "- Cron job for debsums" --result "NOT FOUND" --color YELLOW
AddHP 1 3
ReportSuggestion "${TEST_NO}" "Check debsums configuration and enable checking regurlarly via a cron job."
fi
else
logtext "Result: debsums utility is not installed."
LogText "Result: debsums utility is not installed."
AddHP 0 2
ReportSuggestion ${TEST_NO} "Install debsums utility for the verification of packages with known good database."
fi
@ -444,16 +444,16 @@
Register --test-no PKGS-7378 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query portmaster for port upgrades"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
logtext "Test: Querying portmaster for possible port upgrades"
LogText "Test: Querying portmaster for possible port upgrades"
UPACKAGES=`/usr/local/sbin/portmaster -L | grep "version available" | awk '{ print $5 }'`
for J in ${UPACKAGES}; do
N=`expr ${N} + 1`
logtext "Upgrade available (new version): ${J}"
report "upgrade_available[]=${J}"
LogText "Upgrade available (new version): ${J}"
Report "upgrade_available[]=${J}"
done
report "upgrade_available_count=${N}"
Report "upgrade_available_count=${N}"
if [ ${N} -eq 0 ]; then
logtext "Result: no upgrades found"
LogText "Result: no upgrades found"
Display --indent 2 --text "- Checking portmaster for updates" --result NONE --color GREEN
else
Display --indent 2 --text "- Checking portmaster for updates" --result FOUND --color YELLOW
@ -472,18 +472,18 @@
if [ -f /var/db/pkg/pkgs-vulnerabilities ]; then
FIND=`/usr/sbin/pkg_admin audit`
if [ "${FIND}" = "" ]; then
logtext "Result: pkg audit results are clean"
LogText "Result: pkg audit results are clean"
Display --indent 2 --text "- Checking pkg_admin audit to obtain vulnerable packages" --result NONE --color GREEN
AddHP 2 2
else
Display --indent 2 --text "- Checking pkg_admin audit to obtain vulnerable packages" --result WARNING --color RED
logtext "Result: pkg_admin audit found one or more installed packages which are vulnerable."
LogText "Result: pkg_admin audit found one or more installed packages which are vulnerable."
ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages."
logtext "List of vulnerable packages/version:"
LogText "List of vulnerable packages/version:"
for I in `/usr/sbin/pkg_admin audit | awk '{ print $2 }' | sort -u`; do
VULNERABLE_PACKAGES_FOUND=1
report "vulnerable_package[]=${I}"
logtext "Vulnerable package: ${I}"
Report "vulnerable_package[]=${I}"
LogText "Vulnerable package: ${I}"
# Decrease hardening points for every found vulnerable package
AddHP 1 2
done
@ -495,7 +495,7 @@
fi
else
Display --indent 2 --text "- pkg_admin audit not installed" --result "NOT FOUND" --color WHITE
logtext "Result: pkg_admin audit not installed, skipping this vulnerability test."
LogText "Result: pkg_admin audit not installed, skipping this vulnerability test."
fi
fi
#
@ -511,28 +511,28 @@
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="pkg audit"
if [ "${FIND}" = "" ]; then
logtext "Result: pkg audit results are clean"
LogText "Result: pkg audit results are clean"
Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result NONE --color GREEN
else
logtext "Result: ${FIND}"
LogText "Result: ${FIND}"
VULNERABLE_PACKAGES_FOUND=1
Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result FOUND --color YELLOW
ReportSuggestion ${TEST_NO} "Check output of pkg audit"
#Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result WARNING --color RED
#logtext "Result: pkg audit found one or more installed packages which are vulnerable."
#LogText "Result: pkg audit found one or more installed packages which are vulnerable."
#ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages."
#ReportSuggestion ${TEST_NO} "Update your system with portupgrade or other tools"
#logtext "List of vulnerable packages/version:"
#LogText "List of vulnerable packages/version:"
#for I in `/usr/sbin/pkg audit -F | grep "Affected package" | cut -d ' ' -f3 | sort -u`; do
# report "vulnerable_package[]=${I}"
# logtext "Vulnerable package: ${I}"
# Report "vulnerable_package[]=${I}"
# LogText "Vulnerable package: ${I}"
# # Decrease hardening points for every found vulnerable package
# AddHP 1 2
#done
fi
else
Display --indent 2 --text "- pkg audit not installed" --result "NOT FOUND" --color WHITE
logtext "Result: pkg audit not installed, skipping this vulnerability test."
LogText "Result: pkg audit not installed, skipping this vulnerability test."
fi
fi
#
@ -547,18 +547,18 @@
PACKAGE_AUDIT_TOOL_FOUND=1
FIND=`/usr/local/sbin/portaudit | grep 'problem(s) in your installed packages found' | grep -v '0 problem(s) in your installed packages found'`
if [ "${FIND}" = "" ]; then
logtext "Result: Portaudit results are clean"
LogText "Result: Portaudit results are clean"
Display --indent 2 --text "- Checking portaudit to obtain vulnerable packages" --result NONE --color GREEN
else
Display --indent 2 --text "- Checking portaudit to obtain vulnerabilities" --result WARNING --color RED
logtext "Result: Portaudit found one or more installed packages which are vulnerable."
LogText "Result: Portaudit found one or more installed packages which are vulnerable."
ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages."
ReportSuggestion ${TEST_NO} "Update your system with portupgrade or other tools"
logtext "List of vulnerable packages/version:"
LogText "List of vulnerable packages/version:"
for I in `/usr/local/sbin/portaudit | grep "Affected package" | cut -d ' ' -f3 | sort -u`; do
VULNERABLE_PACKAGES_FOUND=1
report "vulnerable_package[]=${I}"
logtext "Vulnerable package: ${I}"
Report "vulnerable_package[]=${I}"
LogText "Vulnerable package: ${I}"
# Decrease hardening points for every found vulnerable package
AddHP 1 2
done
@ -572,15 +572,15 @@
if [ ! "${YUMBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7383 --preqs-met ${PREQS_MET} --os Linux --weight M --network NO --description "Check for YUM package Update management"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: YUM package update management"
LogText "Test: YUM package update management"
sFIND=`${YUMBINARY} repolist 2>/dev/null | grep repolist | sed 's/ //g' | sed 's/[,.]//g' | awk -F ":" '{print $2}'`
if [ "$(echo ${sFIND} | egrep "^[0-9]+$")" -a "${sFIND}" = "0" ]; then
logtext "Result: YUM package update management failed"
LogText "Result: YUM package update management failed"
Display --indent 2 --text "- Checking YUM package management consistency" --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "YUM is not properly configured or registered for this platform (no repolist found)"
#ReportSuggestion ${TEST_NO} "Check YUM registration for repository configuration (repolist)"
else
logtext "Result: YUM repository available (${sFIND})"
LogText "Result: YUM repository available (${sFIND})"
Display --indent 2 --text "- Checking YUM package management consistency" --result OK --color GREEN
fi
fi
@ -593,35 +593,35 @@
Register --test-no PKGS-7384 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --description "Check for YUM utils package"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -x /usr/bin/package-cleanup ]; then
logtext "Result: found YUM utils package (/usr/bin/package-cleanup)"
LogText "Result: found YUM utils package (/usr/bin/package-cleanup)"
# Check for duplicates
logtext "Test: Checking for duplicate packages"
LogText "Test: Checking for duplicate packages"
FIND=`/usr/bin/package-cleanup -q --dupes > /dev/null; echo $?`
if [ "${FIND}" = "0" ]; then
logtext "Result: No duplicate packages found"
LogText "Result: No duplicate packages found"
Display --indent 2 --text "- Checking package database duplicates" --result OK --color GREEN
else
logtext "Result: One or more duplicate packages found"
LogText "Result: One or more duplicate packages found"
Display --indent 2 --text "- Checking package database duplicates" --result WARNING --color RED
ReportWarning ${TEST_NO} "L" "Found one or more duplicate packages installed"
ReportSuggestion ${TEST_NO} "Run package-cleanup to solve duplicate package problems"
fi
# Check for package database problems
logtext "Test: Checking for database problems"
LogText "Test: Checking for database problems"
FIND=`/usr/bin/package-cleanup --problems > /dev/null; echo $?`
if [ "${FIND}" = "0" ]; then
logtext "Result: No package database problems found"
LogText "Result: No package database problems found"
Display --indent 2 --text "- Checking package database for problems" --result OK --color GREEN
else
logtext "Result: One or more problems found in package database"
LogText "Result: One or more problems found in package database"
Display --indent 2 --text "- Checking package database for problems" --result WARNING --color RED
ReportWarning ${TEST_NO} "L" "Found one or more problems in the package database"
ReportSuggestion ${TEST_NO} "Run package-cleanup to solve package problems"
fi
else
Display --indent 2 --text "- yum-utils package not installed" --result SUGGESTION --color YELLOW
logtext "Result: YUM utils package not found"
LogText "Result: YUM utils package not found"
ReportSuggestion ${TEST_NO} "Install package 'yum-utils' for better consistency checking of the package database"
fi
fi
@ -638,7 +638,7 @@
Register --test-no PKGS-7386 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --description "Check for YUM security package"
if [ ${SKIPTEST} -eq 0 ]; then
DO_TEST=0
logtext "Test: Determining if yum-security package installed"
LogText "Test: Determining if yum-security package installed"
# Check for built-in --security option
if [ ${DO_TEST} -eq 0 ]; then
@ -647,9 +647,9 @@
SearchItem "\-\-security" "/usr/share/yum-cli/cli.py"
if [ ${ITEM_FOUND} -eq 1 ]; then
DO_TEST=1
logtext "Result: found built-in security in yum"
LogText "Result: found built-in security in yum"
else
logtext "Result: did not find --security in /usr/share/yum-cli/cli.py"
LogText "Result: did not find --security in /usr/share/yum-cli/cli.py"
fi
fi
fi
@ -660,9 +660,9 @@
SearchItem "^enabled=1$" "/etc/yum/pluginconf.d/security.conf"
if [ ${ITEM_FOUND} -eq 1 ]; then
DO_TEST=1
logtext "Result: found enabled plugin"
LogText "Result: found enabled plugin"
else
logtext "Result: plugin NOT enabled in /etc/yum/pluginconf.d/security.conf"
LogText "Result: plugin NOT enabled in /etc/yum/pluginconf.d/security.conf"
fi
fi
fi
@ -671,7 +671,7 @@
if [ ${DO_TEST} -eq 0 ]; then
FIND=`rpm -q yum-security yum-plugin-security | grep -v "not installed"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found yum-plugin-security package"
LogText "Result: found yum-plugin-security package"
DO_TEST=1
fi
fi
@ -680,25 +680,25 @@
if [ ${DO_TEST} -eq 1 ]; then
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="yum-security"
logtext "Test: Checking for vulnerable packages"
LogText "Test: Checking for vulnerable packages"
FIND2=`/usr/bin/yum list-sec security | awk '{ if($2=="security" || $2~"Sec") print $3","$5 }'`
if [ "${FIND2}" = "" ]; then
logtext "Result: no vulnerable packages found"
LogText "Result: no vulnerable packages found"
Display --indent 2 --text "- Checking missing security packages" --result OK --color GREEN
else
logtext "Result: found vulnerable package(s)"
LogText "Result: found vulnerable package(s)"
Display --indent 2 --text "- Checking missing security packages" --result WARNING --color RED
for I in ${FIND2}; do
VULNERABLE_PACKAGES_FOUND=1
report "vulnerable_package[]=${I}"
logtext "Vulnerable package: ${I}"
Report "vulnerable_package[]=${I}"
LogText "Vulnerable package: ${I}"
AddHP 1 2
done
ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages."
ReportSuggestion ${TEST_NO} "Use 'yum --security update' to update your system"
fi
else
logtext "Result: yum-security package not found"
LogText "Result: yum-security package not found"
Display --indent 2 --text "- Checking missing security packages" --result SKIPPED --color YELLOW
ReportSuggestion ${TEST_NO} "Install package yum-plugin-security if possible, to maintain security updates easier (yum install yum-plugin-security)"
fi
@ -717,7 +717,7 @@
SearchItem "^gpgenabled=1$" "/etc/yum.conf"; if [ ${ITEM_FOUND} -eq 1 ]; then FOUND=1; fi
SearchItem "^gpgcheck=1$" "/etc/yum.conf"; if [ ${ITEM_FOUND} -eq 1 ]; then FOUND=1; fi
if [ ${FOUND} -eq 1 ]; then
logtext "Result: GPG check is enabled"
LogText "Result: GPG check is enabled"
Display --indent 2 --text "- Checking GPG checks (yum.conf)" --result OK --color GREEN
else
Display --indent 2 --text "- Checking GPG checks (yum.conf)" --result DISABLED --color RED
@ -736,33 +736,33 @@
FOUND=0
if [ ! "${OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY}" = "yes" ]; then
if [ -f /etc/apt/sources.list ]; then
logtext "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list file"
LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list file"
FIND=`egrep "security.debian.org|security.ubuntu.com|-security " /etc/apt/sources.list | grep -v '#' | sed 's/ /!space!/g'`
if [ ! "${FIND}" = "" ]; then
FOUND=1
Display --indent 2 --text "- Checking security repository in sources.list file" --result OK --color GREEN
logtext "Result: Found security repository in /etc/apt/sources.list"
LogText "Result: Found security repository in /etc/apt/sources.list"
for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'`
logtext "Output: ${I}"
LogText "Output: ${I}"
done
fi
fi
if [ -d /etc/apt/sources.list.d ]; then
logtext "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list.d directory"
LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list.d directory"
FIND=`egrep -r "security.debian.org|security.ubuntu.com|-security " /etc/apt/sources.list.d | grep -v '#' | sed 's/ /!space!/g'`
if [ ! "${FIND}" = "" ]; then
FOUND=1
Display --indent 2 --text "- Checking security repository in sources.list.d directory" --result OK --color GREEN
logtext "Result: Found security repository in one or more files in directory /etc/apt/sources.list.d"
LogText "Result: Found security repository in one or more files in directory /etc/apt/sources.list.d"
for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'`
logtext "Output: ${I}"
LogText "Output: ${I}"
done
fi
fi
if [ ${FOUND} -eq 1 ]; then
logtext "Result: security repository was found"
LogText "Result: security repository was found"
AddHP 3 3
else
Display --indent 2 --text "- Checking security repository in sources.list file or directory" --result WARNING --color RED
@ -770,7 +770,7 @@
AddHP 0 3
fi
else
logtext "Skipped as option is set to ignore security repository"
LogText "Skipped as option is set to ignore security repository"
fi
fi
#
@ -781,13 +781,13 @@
if [ "${LINUX_VERSION}" = "Ubuntu" -a -x /usr/bin/apt-get ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7390 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Ubuntu database consistency"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Package database consistency by running apt-get check"
LogText "Test: Package database consistency by running apt-get check"
FIND=`/usr/bin/apt-get -q=2 check 2> /dev/null; echo $?`
if [ "${FIND}" = "0" ]; then
Display --indent 2 --text "- Checking APT package database" --result OK --color GREEN
logtext "Result: package database seems to be consistent."
LogText "Result: package database seems to be consistent."
else
logtext "Result: package database is most likely NOT consistent"
LogText "Result: package database is most likely NOT consistent"
Display --indent 2 --text "- Checking APT package database" --result WARNING --color RED
ReportWarning ${TEST_NO} "M" "apt-get check returned a non successful exit code."
ReportSuggestion ${TEST_NO} "Run apt-get to perform a manual package database consistency check."
@ -804,35 +804,35 @@
VULNERABLE_PACKAGES_FOUND=0
SCAN_PERFORMED=0
# Update the repository, outdated repositories don't give much information
logtext "Action: updating repository with apt-get"
LogText "Action: updating repository with apt-get"
/usr/bin/apt-get -q=2 update
logtext "Result: apt-get finished"
logtext "Test: Checking if /usr/lib/update-notifier/apt-check exists"
LogText "Result: apt-get finished"
LogText "Test: Checking if /usr/lib/update-notifier/apt-check exists"
if [ -x /usr/lib/update-notifier/apt-check ]; then
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="apt-check"
logtext "Result: found /usr/lib/update-notifier/apt-check"
logtext "Test: checking if any of the updates contain security updates"
LogText "Result: found /usr/lib/update-notifier/apt-check"
LogText "Test: checking if any of the updates contain security updates"
# apt-check binary is a script and translated. Do not search for normal text strings, but use numbered output only
FIND=`/usr/lib/update-notifier/apt-check 2>&1 | awk -F\; '{ print $2 }'`
# Check if we get the proper line back and amount of security patches available
if [ "${FIND}" = "" ]; then
logtext "Result: did not find security updates line"
LogText "Result: did not find security updates line"
ReportSuggestion ${TEST_NO} "Check if system is up-to-date, security updates test (apt-check) gives an unexpected result"
ReportException "${TEST_NO}:1" "Apt-check did not provide any result"
else
if [ "${FIND}" = "0" ]; then
logtext "Result: no vulnerable packages found via apt-check"
LogText "Result: no vulnerable packages found via apt-check"
SCAN_PERFORMED=1
else
VULNERABLE_PACKAGES_FOUND=1
SCAN_PERFORMED=1
logtext "Result: found ${FIND} security updates via apt-check"
LogText "Result: found ${FIND} security updates via apt-check"
AddHP 0 25
fi
fi
else
logtext "Result: apt-check (update-notifier-common) not found"
LogText "Result: apt-check (update-notifier-common) not found"
fi
# Trying also with apt-get directly (does not always work, as updates are distributed on both -security and -updates)
@ -841,12 +841,12 @@
if [ ! "${FIND}" = "" ]; then
VULNERABLE_PACKAGES_FOUND=1
SCAN_PERFORMED=1
logtext "Result: found vulnerable package(s) via apt-get (-security channel)"
LogText "Result: found vulnerable package(s) via apt-get (-security channel)"
PACKAGE_AUDIT_TOOL="apt-get"
PACKAGE_AUDIT_TOOL_FOUND=1
for I in ${FIND}; do
logtext "Found vulnerable package: ${I}"
report "vulnerable_package[]=${I}"
LogText "Found vulnerable package: ${I}"
Report "vulnerable_package[]=${I}"
done
fi
if [ ${SCAN_PERFORMED} -eq 1 ]; then
@ -856,11 +856,11 @@
Display --indent 2 --text "- Checking vulnerable packages" --result WARNING --color RED
else
Display --indent 2 --text "- Checking vulnerable packages" --result OK --color GREEN
logtext "Result: no vulnerable packages found"
LogText "Result: no vulnerable packages found"
fi
else
Display --indent 2 --text "- Checking vulnerable packages (apt-get only)" --result DONE --color GREEN
logtext "Result: test not fully executed (missing apt-check output)"
LogText "Result: test not fully executed (missing apt-check output)"
fi
fi
#
@ -877,36 +877,36 @@
# Multiple ways to do this. Some require extra packages to be installed,
# others require potential firewall ports to be open, outbound. This is the
# "most friendly" way.
logtext "Action: updating portage with emerge-webrsync"
LogText "Action: updating portage with emerge-webrsync"
/usr/bin/emerge-webrsync --quiet 2> /dev/null
logtext "Result: emerge-webrsync finished"
logtext "Test: checking if /usr/bin/glsa-check exists"
LogText "Result: emerge-webrsync finished"
LogText "Test: checking if /usr/bin/glsa-check exists"
if [ -x /usr/bin/glsa-check ]; then
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="glsa-check"
logtext "Result: found /usr/bin/glsa-check"
logtext "Test: checking if there are any vulnerable packages"
LogText "Result: found /usr/bin/glsa-check"
LogText "Test: checking if there are any vulnerable packages"
# glsa-check reports the GLSA date/ID string, not the vulnerable package.
FIND=`/usr/bin/glsa-check -t all 2>&1 | grep -v "This system is affected by the following GLSAs:" | grep -v "This system is not affected by any of the listed GLSAs" | wc -l`
if [ "${FIND}" = "" ]; then
logtext "Result: unexpected result: wc should report 0 if no vulnerable packages are found."
logtext "Notes: Check if system is up-to-date, security updates check (glsa-check) gives and unexpected result"
LogText "Result: unexpected result: wc should report 0 if no vulnerable packages are found."
LogText "Notes: Check if system is up-to-date, security updates check (glsa-check) gives and unexpected result"
ReportException "${TEST_NO}:1" "glsa-check did not provide any result, which is unexpected"
else
if [ "${FIND}" = "0" ]; then
logtext "Result; no vulnerable packages found via glsa-check"
LogText "Result; no vulnerable packages found via glsa-check"
Display --indent 2 --text "- Checking vulnerable packages (glsa-check)" --result OK --color GREEN
else
VULNERABLE_PACKAGES_FOUND=1
Display --indent 2 --text "- Checking vulnerable packages (glsa-check)" --result FOUND --color RED
logtext "Result: found ${FIND} security updates with glsa-check"
LogText "Result: found ${FIND} security updates with glsa-check"
ReportWarning "${TEST_NO}" "H" "Found ${FIND} security update(s) with glsa-check."
logtext "Notes: Run 'glsa-check -t all' to see which GLSA(s) were identified."
LogText "Notes: Run 'glsa-check -t all' to see which GLSA(s) were identified."
AddHP 0 25
fi
fi
else
logtext "Result: glsa-check tool not found"
LogText "Result: glsa-check tool not found"
ReportSuggestion ${TEST_NO} "Use Emerge to install the gentoolkit package, which includes glsa-check tool for additional security checks."
fi
fi
@ -918,26 +918,26 @@
if [ "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7394 --os Linux --preqs-met ${PREQS_MET} --weight L --network YES --description "Check for Ubuntu updates"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking /usr/bin/apt-show-versions"
LogText "Test: checking /usr/bin/apt-show-versions"
if [ -x /usr/bin/apt-show-versions ]; then
logtext "Result: found /usr/bin/apt-show-versions"
logtext "Test: Checking packages which can be upgraded via apt-show-versions"
LogText "Result: found /usr/bin/apt-show-versions"
LogText "Test: Checking packages which can be upgraded via apt-show-versions"
FIND=`/usr/bin/apt-show-versions -u | sed 's/ /!space!/g'`
if [ "${FIND}" = "" ]; then
logtext "Result: no packages found which can be upgraded"
LogText "Result: no packages found which can be upgraded"
Display --indent 2 --text "- Checking upgradeable packages" --result NONE --color GREEN
AddHP 3 3
else
logtext "Result: found one or more packages which can be upgraded"
LogText "Result: found one or more packages which can be upgraded"
Display --indent 2 --text "- Checking upgradeable packages" --result FOUND --color YELLOW
# output: program/repository upgradeable from version X to Y
for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'`
logtext "${I}"
LogText "${I}"
done
fi
else
logtext "Result: /usr/bin/apt-show-versions not found"
LogText "Result: /usr/bin/apt-show-versions not found"
Display --indent 2 --text "- Checking upgradeable packages" --result SKIPPED --color WHITE
ReportSuggestion ${TEST_NO} "Install package apt-show-versions for patch management purposes"
fi
@ -950,15 +950,15 @@
# Description : Check package audit tool
Register --test-no PKGS-7398 --weight L --network YES --description "Check for package audit tool"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking for package audit tool"
LogText "Test: checking for package audit tool"
if [ ${PACKAGE_AUDIT_TOOL_FOUND} -eq 0 ]; then
Display --indent 2 --text "- Checking package audit tool" --result NONE --color RED
ReportSuggestion ${TEST_NO} "Install a package audit tool to determine vulnerable packages"
logtext "Result: no package audit tool found"
LogText "Result: no package audit tool found"
else
Display --indent 2 --text "- Checking package audit tool" --result INSTALLED --color GREEN
Display --indent 4 --text "Found: ${PACKAGE_AUDIT_TOOL}"
logtext "Result: found package audit tool: ${PACKAGE_AUDIT_TOOL}"
LogText "Result: found package audit tool: ${PACKAGE_AUDIT_TOOL}"
fi
fi
#
@ -980,17 +980,17 @@
if [ ${SKIPTEST} -eq 0 ]; then
KERNELS=0
if [ ! "${RPMBINARY}" = "" ]; then
logtext "Test: Checking how many kernel packages are installed"
LogText "Test: Checking how many kernel packages are installed"
KERNELS=`rpm -q kernel 2> /dev/null | wc -l`
if [ ${KERNELS} -eq 0 ]; then
logtext "Result: found no kernels from rpm -q kernel output, which is unexpected"
LogText "Result: found no kernels from rpm -q kernel output, which is unexpected"
ReportException "KRNL-5840:1" "Could not find any kernel packages from RPM output"
elif [ ${KERNELS} -gt 5 ]; then
logtext "Result: found more than 5 kernel packages on the system, which might indicate lack of regular cleanups"
LogText "Result: found more than 5 kernel packages on the system, which might indicate lack of regular cleanups"
ReportSuggestion "${TEST_NO}" "Remove any unneeded kernel packages with package-cleanup utility (--old-kernels)"
AddHP 4 5
else
logtext "Result: found ${KERNELS} on the system, which is fine"
LogText "Result: found ${KERNELS} on the system, which is fine"
AddHP 1 1
fi
fi
@ -1000,16 +1000,16 @@
#
if [ ! "${INSTALLED_PACKAGES}" = "" ]; then
report "installed_packages_array=${INSTALLED_PACKAGES}"
Report "installed_packages_array=${INSTALLED_PACKAGES}"
fi
report "package_audit_tool=${PACKAGE_AUDIT_TOOL}"
report "package_audit_tool_found=${PACKAGE_AUDIT_TOOL_FOUND}"
report "vulnerable_packages_found=${VULNERABLE_PACKAGES_FOUND}"
Report "package_audit_tool=${PACKAGE_AUDIT_TOOL}"
Report "package_audit_tool_found=${PACKAGE_AUDIT_TOOL_FOUND}"
Report "vulnerable_packages_found=${VULNERABLE_PACKAGES_FOUND}"
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com

88
include/tests_printers_spools
View File

@ -5,7 +5,7 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -38,22 +38,22 @@
# Description : Check printcap file consistency
Register --test-no PRNT-2302 --os FreeBSD --weight L --network NO --description "Check for available accounting information"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching /usr/sbin/chkprintcap"
LogText "Test: Searching /usr/sbin/chkprintcap"
if [ ! -f /usr/sbin/chkprintcap ]; then
Display --indent 2 --text "- Checking chkprintcap" --result "NOT FOUND" --color WHITE
logtext "Result: /usr/sbin/chkprintcap NOT found, test skipped."
LogText "Result: /usr/sbin/chkprintcap NOT found, test skipped."
else
logtext "Result: /usr/sbin/chkprintcap found"
LogText "Result: /usr/sbin/chkprintcap found"
FIND=`/usr/sbin/chkprintcap > /dev/null ; echo $?`
# Only an exit code of zero should come back. Use string instead of integer, due unexpected trash
if [ "${FIND}" = "0" ]; then
Display --indent 2 --text "- Integrity check of printcap file" --result OK --color GREEN
logtext "Result: chkprintcap did NOT gave any warnings"
LogText "Result: chkprintcap did NOT gave any warnings"
else
Display --indent 2 --text "- Integrity check of printcap file" --result WARNING --color RED
ReportSuggestion ${TEST_NO} "Run chkprintcap manually to test printcap file"
logtext "Output from chkprintcap: ${FIND}"
logtext "Run chkprintcap and check the /etc/printcap file."
LogText "Output from chkprintcap: ${FIND}"
LogText "Run chkprintcap and check the /etc/printcap file."
fi
fi
fi
@ -64,16 +64,16 @@
# Description : Check cupsd status
Register --test-no PRNT-2304 --weight L --network NO --description "Check cupsd status"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking cupsd status"
LogText "Test: Checking cupsd status"
#FIND=`${PSBINARY} ax | grep "cupsd" | grep -v "grep" | grep -v apcupsd`
IsRunning cupsd
if [ ${RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking cups daemon" --result RUNNING --color GREEN
logtext "Result: cups daemon running"
LogText "Result: cups daemon running"
CUPSD_RUNNING=1; PRINTING_DAEMON="cups"
else
Display --indent 2 --text "- Checking cups daemon" --result "NOT FOUND" --color WHITE
logtext "Result: cups daemon not running, cups daemon tests skipped"
LogText "Result: cups daemon not running, cups daemon tests skipped"
fi
fi
#
@ -84,21 +84,21 @@
if [ ${CUPSD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PRNT-2306 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check CUPSd configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching cupsd configuration file"
LogText "Test: Searching cupsd configuration file"
for I in ${CUPSD_CONFIG_LOCS}; do
if [ -f ${I}/cupsd.conf ]; then
CUPSD_CONFIG_FILE="${I}/cupsd.conf"
logtext "Result: found ${CUPSD_CONFIG_FILE}"
LogText "Result: found ${CUPSD_CONFIG_FILE}"
fi
done
if [ ! "${CUPSD_CONFIG_FILE}" = "" ]; then
Display --indent 2 --text "- Checking CUPS configuration file" --result OK --color GREEN
logtext "Result: configuration file found (${CUPSD_CONFIG_FILE})"
LogText "Result: configuration file found (${CUPSD_CONFIG_FILE})"
CUPSD_FOUND=1
else
Display --indent 2 --text "- Checking CUPS configuration file" --result "NOT FOUND" --color RED
logtext "Result: configuration file not found"
logtext "Development: no CUPS configuration file found"
LogText "Result: configuration file not found"
LogText "Development: no CUPS configuration file found"
fi
fi
#
@ -110,9 +110,9 @@
if [ ${CUPSD_FOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PRNT-2307 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check CUPSd configuration file permissions"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking CUPS configuration file permissions"
LogText "Test: Checking CUPS configuration file permissions"
FIND=`ls -l ${CUPSD_CONFIG_FILE} | cut -c 2-10`
logtext "Result: found ${FIND}"
LogText "Result: found ${FIND}"
if [ "${FIND}" = "r--------" -o "${FIND}" = "rw-------" -o "${FIND}" = "rw-r-----" -o "${FIND}" = "rw-rw----" ]; then
Display --indent 4 --text "- File permissions" --result "OK" --color GREEN
AddHP 1 1
@ -132,11 +132,11 @@
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
# Checking network addresses
logtext "Test: Checking CUPS daemon listening network addresses"
LogText "Test: Checking CUPS daemon listening network addresses"
FIND=`grep "^Listen" ${CUPSD_CONFIG_FILE} | grep -v "/" | awk '{ print $2 }'`
N=0
for I in ${FIND}; do
logtext "Found network address: ${I}"
LogText "Found network address: ${I}"
N=`expr ${N} + 1`
FOUND=1
done
@ -147,33 +147,33 @@
# Check if daemon is only running on localhost
if [ ${N} -eq 1 ]; then
if [ "${FIND}" = "localhost:631" -o "${FIND}" = "127.0.0.1:631" ]; then
logtext "Result: CUPS daemon only running on localhost"
LogText "Result: CUPS daemon only running on localhost"
AddHP 2 2
else
logtext "Result: CUPS daemon running on one or more interfaces (not limited to localhost)"
LogText "Result: CUPS daemon running on one or more interfaces (not limited to localhost)"
ReportSuggestion ${TEST_NO} "Check CUPS configuration if it really needs to listen on the network"
AddHP 1 2
fi
else
logtext "Result: CUPS daemon is running on several network addresses"
LogText "Result: CUPS daemon is running on several network addresses"
ReportSuggestion ${TEST_NO} "Check CUPS configuration if it really needs to run on several network addresses"
AddHP 1 2
fi
# Checking sockets
logtext "Test: Checking cups daemon listening sockets"
LogText "Test: Checking cups daemon listening sockets"
FIND=`grep "^Listen" ${CUPSD_CONFIG_FILE} | grep "/" | awk '{ print $2 }'`
for I in ${FIND}; do
logtext "Found socket address: ${I}"
LogText "Found socket address: ${I}"
N=`expr ${N} + 1`
done
if [ ${N} -eq 0 ]; then
Display --indent 2 --text "- Checking CUPS addresses/sockets" --result "NONE" --color WHITE
logtext "Result: no addresses found on which CUPS daemon is listening"
LogText "Result: no addresses found on which CUPS daemon is listening"
else
Display --indent 2 --text "- Checking CUPS addresses/sockets" --result "FOUND" --color GREEN
logtext "Result: CUPS daemon is listening on network/socket"
LogText "Result: CUPS daemon is listening on network/socket"
fi
fi
#
@ -183,15 +183,15 @@
# Description : Check lpd status
Register --test-no PRNT-2314 --weight L --network NO --description "Check lpd status"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking lpd status"
LogText "Test: Checking lpd status"
IsRunning lpd
if [ ${RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking lp daemon" --result RUNNING --color GREEN
logtext "Result: lp daemon running"
LogText "Result: lp daemon running"
LPD_RUNNING=1; PRINTING_DAEMON="lp"
else
Display --indent 2 --text "- Checking lp daemon" --result "NOT RUNNING" --color WHITE
logtext "Result: lp daemon not running"
LogText "Result: lp daemon not running"
AddHP 4 4
fi
fi
@ -214,21 +214,21 @@
# Description : Check /etc/qconfig file
Register --test-no PRNT-2316 --os AIX --weight L --network NO --description "Checking /etc/qconfig file"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking /etc/qconfig"
LogText "Test: Checking /etc/qconfig"
QDAEMON_CONFIG_FILE="/etc/qconfig"
FileIsReadable ${QDAEMON_CONFIG_FILE}
if [ ${CANREAD} -eq 1 ]; then
FIND=`grep -v "^\*" ${QDAEMON_CONFIG_FILE} | egrep "backend|device"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: printers are defined in ${QDAEMON_CONFIG_FILE}"
LogText "Result: printers are defined in ${QDAEMON_CONFIG_FILE}"
Display --indent 2 --text "- Checking /etc/qconfig file" --result FOUND --color GREEN
QDAEMON_CONFIG_ENABLED=1
else
logtext "Result: ${QDAEMON_CONFIG_FILE} is empty. No printers are defined"
LogText "Result: ${QDAEMON_CONFIG_FILE} is empty. No printers are defined"
Display --indent 2 --text "- Checking /etc/qconfig file" --result EMPTY --color WHITE
fi
else
logtext "Result: Can not read ${QDAEMON_CONFIG_FILE} (no permission)"
LogText "Result: Can not read ${QDAEMON_CONFIG_FILE} (no permission)"
fi
fi
#
@ -238,19 +238,19 @@
# Description : Check qdaemon printer spooler status
Register --test-no PRNT-2418 --os AIX --weight L --network NO --description "Checking qdaemon printer spooler status"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking qdaemon status"
LogText "Test: Checking qdaemon status"
IsRunning qdaemon
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: qdaemon daemon running"
LogText "Result: qdaemon daemon running"
Display --indent 2 --text "- Checking qdaemon daemon" --result RUNNING --color GREEN
QDAEMON_RUNNING=1; PRINTING_DAEMON="qdaemon"
else
if [ ${QDAEMON_CONFIG_ENABLED} -eq 1 ]; then
logtext "Result: qdaemon daemon not running"
LogText "Result: qdaemon daemon not running"
Display --indent 2 --text "- Checking qdaemon daemon" --result "NOT RUNNING" --color RED
ReportSuggestion ${TEST_NO} "Activate print spooler daemon (qdaemon) in order to process print jobs"
else
logtext "Result: qdaemon daemon not running"
LogText "Result: qdaemon daemon not running"
Display --indent 2 --text "- Checking qdaemon daemon" --result "NOT RUNNING" --color WHITE
fi
fi
@ -262,7 +262,7 @@
# Description : Checking old print jobs
Register --test-no PRNT-2420 --os AIX --weight L --network NO --description "Checking old print jobs"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking old print jobs"
LogText "Test: Checking old print jobs"
DirectoryExists /var/spool/lpd/qdir
if [ ${DIRECTORY_FOUND} -eq 1 ]; then
FIND=`find /var/spool/lpd/qdir -type f -mtime +1 2> /dev/null | sed 's/ /!space!/g'`
@ -270,15 +270,15 @@
N=0
for I in ${FIND}; do
FILE=`echo ${I} | sed 's/!space!/ /g'`
logtext "Found old print job: ${FILE}"
LogText "Found old print job: ${FILE}"
N=`expr ${N} + 1`
done
logtext "Result: Found ${N} old print jobs in /var/spool/lpd/qdir"
LogText "Result: Found ${N} old print jobs in /var/spool/lpd/qdir"
Display --indent 4 --text "- Checking old print jobs" --result FOUND --color YELLOW
ReportSuggestion ${TEST_NO} "Check old print jobs in /var/spool/lpd/qdir to prevent new jobs from being processed"
logtext "Risk: Failed or defunct print jobs can occupy a lot of space and in some cases, prevent new jobs from being processed"
LogText "Risk: Failed or defunct print jobs can occupy a lot of space and in some cases, prevent new jobs from being processed"
else
logtext "Result: Old print jobs not found in /var/spool/lpd/qdir"
LogText "Result: Old print jobs not found in /var/spool/lpd/qdir"
Display --indent 4 --text "- Checking old print jobs" --result "NONE" --color GREEN
fi
fi
@ -287,10 +287,10 @@
#################################################################################
#
report "printing_daemon=${PRINTING_DAEMON}"
Report "printing_daemon=${PRINTING_DAEMON}"
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com

100
include/tests_scheduling
View File

@ -5,7 +5,7 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -38,59 +38,59 @@
if [ -f /etc/crontab ]; then
FindCronJob /etc/crontab
for I in ${sCRONJOBS}; do
logtext "Found cronjob (/etc/crontab): ${I}"
report "cronjob[]=${I}"
LogText "Found cronjob (/etc/crontab): ${I}"
Report "cronjob[]=${I}"
done
fi
CRON_DIRS="/etc/cron.d"
for I in ${CRON_DIRS}; do
logtext "Test: checking directory ${I}"
LogText "Test: checking directory ${I}"
if [ -d ${I} ]; then
FileIsReadable ${I}
if [ ${CANREAD} -eq 1 ]; then
logtext "Result: found directory ${I}"
logtext "Test: searching files in ${I}"
LogText "Result: found directory ${I}"
LogText "Test: searching files in ${I}"
FIND=`find ${I} -type f -print`
if [ "${FIND}" = "" ]; then
logtext "Result: no files found in ${I}"
LogText "Result: no files found in ${I}"
else
logtext "Result: found one or more files in ${I}. Analyzing files.."
LogText "Result: found one or more files in ${I}. Analyzing files.."
for J in ${FIND}; do
FindCronJob ${J}
for K in ${sCRONJOBS}; do
logtext "Result: Found cronjob (${I}): ${K}"
LogText "Result: Found cronjob (${I}): ${K}"
done
done
logtext "Result: done with analyzing files in ${I}"
LogText "Result: done with analyzing files in ${I}"
fi
else
logtext "Result: can not read file or directory ${I}"
LogText "Result: can not read file or directory ${I}"
fi
else
logtext "Result: directory ${I} does not exist"
LogText "Result: directory ${I} does not exist"
fi
done
CRON_DIRS="/etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly"
for I in ${CRON_DIRS}; do
logtext "Test: checking directory ${I}"
LogText "Test: checking directory ${I}"
if [ -d ${I} ]; then
logtext "Result: found directory ${I}"
logtext "Test: searching files in ${I}"
LogText "Result: found directory ${I}"
LogText "Test: searching files in ${I}"
FIND=`find ${I} -type f -print | grep -v ".placeholder"`
if [ "${FIND}" = "" ]; then
logtext "Result: no files found in ${I}"
LogText "Result: no files found in ${I}"
else
logtext "Result: found one or more files in ${I}. Analyzing files.."
LogText "Result: found one or more files in ${I}. Analyzing files.."
for J in ${FIND}; do
logtext "Result: Found cronjob (${I}): ${J}"
report "cronjob[]=${J}"
LogText "Result: Found cronjob (${I}): ${J}"
Report "cronjob[]=${J}"
done
logtext "Result: done with analyzing files in ${I}"
LogText "Result: done with analyzing files in ${I}"
fi
else
logtext "Result: directory ${I} does not exist"
LogText "Result: directory ${I} does not exist"
fi
done
@ -101,8 +101,8 @@
for I in ${FIND}; do
FindCronJob ${I}
for J in ${sCRONJOBS}; do
logtext "Found cronjob (/var/spool/cron/crontabs): ${I} (${J})"
report "cronjob[]=${I}"
LogText "Found cronjob (/var/spool/cron/crontabs): ${I} (${J})"
Report "cronjob[]=${I}"
done
done
else
@ -111,8 +111,8 @@
for I in ${FIND}; do
FindCronJob ${I}
for J in ${sCRONJOBS}; do
logtext "Found cronjob (/var/spool/cron): ${I} (${J})"
logtext "cronjob[]=${I}"
LogText "Found cronjob (/var/spool/cron): ${I} (${J})"
LogText "cronjob[]=${I}"
done
done
fi
@ -121,11 +121,11 @@
# Anacron
if [ "${OS}" = "Linux" ]; then
if [ -f /etc/anacrontab ]; then
logtext "Test: checking anacrontab"
LogText "Test: checking anacrontab"
sANACRONJOBS=`egrep '^([0-9@])' /etc/anacrontab | tr '\t' ' ' | tr -s ' ' | tr ' ' ','`
for J in ${sANACRONJOBS}; do
logtext "Found anacron job (/etc/anacrontab): ${J}"
report "cronjob[]=${J}"
LogText "Found anacron job (/etc/anacrontab): ${J}"
Report "cronjob[]=${J}"
done
fi
fi
@ -139,14 +139,14 @@
# Description : Check atd status
Register --test-no SCHD-7718 --weight L --network NO --description "Check at users"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking atd status"
LogText "Test: Checking atd status"
FIND=`${PSBINARY} ax | grep "/atd" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: at daemon active"
LogText "Result: at daemon active"
Display --indent 2 --text "- Checking atd status" --result RUNNING --color GREEN
ATD_RUNNING=1
else
logtext "Result: at daemon not active"
LogText "Result: at daemon not active"
Display --indent 2 --text "- Checking atd status" --result "NOT RUNNING" --color WHITE
fi
fi
@ -169,46 +169,46 @@
Linux) AT_ALLOW="/etc/at.allow"; AT_DENY="/etc/at.deny" ;;
OpenBSD) AT_ALLOW="/var/cron/at.allow"; AT_DENY="/var/cron/at.deny" ;;
SunOS) AT_ALLOW="/etc/cron.d/at.allow"; AT_DENY="/etc/cron.d/at.deny" ;;
*) AT_UNKNOWN=1; logtext "Test skipped, files for at unknown" ;;
*) AT_UNKNOWN=1; LogText "Test skipped, files for at unknown" ;;
esac
if [ ${AT_UNKNOWN} -eq 0 ]; then
logtext "Test: checking for file ${AT_ALLOW}"
LogText "Test: checking for file ${AT_ALLOW}"
if [ -f ${AT_ALLOW} ]; then
FileIsReadable ${AT_ALLOW}
if [ ${CANREAD} -eq 1 ]; then
logtext "Result: file ${AT_ALLOW} exists, only listed users can schedule at jobs"
LogText "Result: file ${AT_ALLOW} exists, only listed users can schedule at jobs"
FIND=`cat ${AT_ALLOW} | sort`
if [ "${FIND}" = "" ]; then
logtext "Result: File empty, no users are allowed to schedule at jobs"
LogText "Result: File empty, no users are allowed to schedule at jobs"
else
for I in ${FIND}; do
logtext "Allowed at user: ${I}"
LogText "Allowed at user: ${I}"
done
fi
else
logtext "Result: can not read ${AT_ALLOW} (no permission)"
LogText "Result: can not read ${AT_ALLOW} (no permission)"
fi
else
logtext "Result: file ${AT_ALLOW} does not exist"
logtext "Test: checking for file ${AT_DENY}"
LogText "Result: file ${AT_ALLOW} does not exist"
LogText "Test: checking for file ${AT_DENY}"
if [ -f ${AT_DENY} ]; then
FileIsReadable ${AT_DENY}
if [ ${CANREAD} -eq 1 ]; then
logtext "Result: file ${AT_DENY} exists, only non listed users can schedule at jobs"
LogText "Result: file ${AT_DENY} exists, only non listed users can schedule at jobs"
FIND=`cat ${AT_DENY} | sort`
if [ "${FIND}" = "" ]; then
logtext "Result: file is empty, no users are denied access to schedule jobs"
LogText "Result: file is empty, no users are denied access to schedule jobs"
else
for I in ${FIND}; do
logtext "Denied at user: ${I}"
LogText "Denied at user: ${I}"
done
fi
else
logtext "Result: can not read ${AT_DENY} (no permission)"
LogText "Result: can not read ${AT_DENY} (no permission)"
fi
else
logtext "Result: both ${AT_ALLOW} and ${AT_DENY} do not exist"
logtext "Note: only root can schedule at jobs"
LogText "Result: both ${AT_ALLOW} and ${AT_DENY} do not exist"
LogText "Note: only root can schedule at jobs"
AddHP 1 1
fi
fi
@ -225,17 +225,17 @@
if [ ${ATD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SCHD-7724 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check at jobs"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Check scheduled at jobs"
LogText "Test: Check scheduled at jobs"
FIND=`atq | grep -v "no files in queue" | ${AWKBINARY} '{gsub("\t"," ");print}' | sed 's/ /!space!/g'`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found one or more jobs"
LogText "Result: found one or more jobs"
for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'`
logtext "Found at job: ${I}"
LogText "Found at job: ${I}"
done
Display --indent 4 --text "- Checking at jobs" --result FOUND --color GREEN
else
logtext "Result: no pending at jobs"
LogText "Result: no pending at jobs"
Display --indent 4 --text "- Checking at jobs" --result NONE --color GREEN
fi
fi
@ -247,4 +247,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com

170
include/tests_shells
View File

@ -5,7 +5,7 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
# Copyright 2007-2016, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -46,18 +46,18 @@
# Description : check all console TTYs in which root user can enter single user mode without password
Register --test-no SHLL-6202 --os FreeBSD --weight L --network NO --description "Check console TTYs"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking console TTYs"
LogText "Test: Checking console TTYs"
FIND=`egrep '^console' /etc/ttys | grep -v 'insecure'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking console TTYs" --result OK --color GREEN
logtext "Result: console is secured against single user mode without password."
LogText "Result: console is secured against single user mode without password."
else
Display --indent 2 --text "- Checking console TTYs" --result WARNING --color RED
logtext "Result: Found insecure console in /etc/ttys. Single user mode login without password allowed!"
logtext "Output /etc/ttys:"
logtext "${FIND}"
LogText "Result: Found insecure console in /etc/ttys. Single user mode login without password allowed!"
LogText "Output /etc/ttys:"
LogText "${FIND}"
ReportWarning ${TEST_NO} "M" "Found unprotected console in /etc/ttys"
logtext "Possible solution: Change the console line from 'secure' to 'insecure'."
LogText "Possible solution: Change the console line from 'secure' to 'insecure'."
fi
fi
#
@ -67,27 +67,27 @@
# Description : which shells are available according /etc/shells
Register --test-no SHLL-6211 --weight L --network NO --description "Checking available and valid shells"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching for /etc/shells"
LogText "Test: Searching for /etc/shells"
if [ -f /etc/shells ]; then
logtext "Result: Found /etc/shells file"
logtext "Test: Reading available shells from /etc/shells"
LogText "Result: Found /etc/shells file"
LogText "Test: Reading available shells from /etc/shells"
SSHELLS=`grep "^/" /etc/shells`
CSSHELLS=0; CSSHELLS_ALL=0
Display --indent 2 --text "- Checking shells from /etc/shells"
for I in ${SSHELLS}; do
CSSHELLS_ALL=`expr ${CSSHELLS_ALL} + 1`
report "available_shell[]=${I}"
Report "available_shell[]=${I}"
# YYY add check for symlinked shells
if [ -f ${I} ]; then
logtext "Found installed shell: ${I}"
LogText "Found installed shell: ${I}"
CSSHELLS=`expr ${CSSHELLS} + 1`
else
logtext "Shell ${I} not installed. Probably a dummy or non existing shell."
LogText "Shell ${I} not installed. Probably a dummy or non existing shell."
fi
done
Display --indent 4 --text "Result: found ${CSSHELLS_ALL} shells (valid shells: ${CSSHELLS})."
else
logtext "Result: /etc/shells not found, skipping test"
LogText "Result: /etc/shells not found, skipping test"
fi
fi
#
@ -97,18 +97,18 @@
# Description : check for idle session killing tools or settings
Register --test-no SHLL-6220 --weight L --network NO --description "Checking available and valid shells"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Search for session timeout tools or settings in shell"
LogText "Test: Search for session timeout tools or settings in shell"
IsRunning timeoutd
if [ ${RUNNING} -eq 1 ]; then
IDLE_TIMEOUT=1
logtext "Result: found timeoutd process to kill idle sesions"
report="session_timeout_method=timeout daemon"
LogText "Result: found timeoutd process to kill idle sesions"
Report="session_timeout_method=timeout daemon"
fi
IsRunning autolog
if [ ${RUNNING} -eq 1 ]; then
IDLE_TIMEOUT=1
logtext "Result: found autolog process to kill idle sesions"
report="session_timeout_method[]=autolog"
LogText "Result: found autolog process to kill idle sesions"
Report="session_timeout_method[]=autolog"
fi
if [ -f /etc/profile ]; then
@ -119,40 +119,40 @@
if [ ! "${FIND}" = "" ]; then
N=0; IDLE_TIMEOUT=1
for I in ${FIND}; do
logtext "Output: ${I}"
report "session_timeout_value[]=${I}"
LogText "Output: ${I}"
Report "session_timeout_value[]=${I}"
N=`expr ${N} + 1`
done
if [ ${N} -eq 1 ]; then
logtext "Result: found TMOUT value configured in /etc/profile"
LogText "Result: found TMOUT value configured in /etc/profile"
else
logtext "Result: found several TMOUT values configured in /etc/profile"
LogText "Result: found several TMOUT values configured in /etc/profile"
fi
report "session_timeout_method[]=profile"
Report "session_timeout_method[]=profile"
else
logtext "Result: could not find TMOUT setting in /etc/profile"
LogText "Result: could not find TMOUT setting in /etc/profile"
fi
if [ ! "${FIND2}" = "" ]; then
N=0;
for I in ${FIND2}; do
logtext "Output: ${I}"
LogText "Output: ${I}"
if [ "${I}" = "readonly" -o "${I}" = "typeset" ]; then
N=`expr ${N} + 1`
fi
done
if [ ${N} -gt 0 ]; then
logtext "Result: found readonly setting in /etc/profile (readonly or typeset -r)"
report "session_timeout_set_readonly=1"
LogText "Result: found readonly setting in /etc/profile (readonly or typeset -r)"
Report "session_timeout_set_readonly=1"
else
logtext "Result: NO readonly setting found in /etc/profile (readonly or typeset -r)"
report "session_timeout_set_readonly=0"
LogText "Result: NO readonly setting found in /etc/profile (readonly or typeset -r)"
Report "session_timeout_set_readonly=0"
fi
else
logtext "Result: could not find export, readonly or typeset -r in /etc/profile"
LogText "Result: could not find export, readonly or typeset -r in /etc/profile"
fi
else
logtext "Result: skip /etc/profile test, file not available on this system"
LogText "Result: skip /etc/profile test, file not available on this system"
fi
if [ -d /etc/profile.d ]; then
@ -166,41 +166,41 @@
if [ ! "${FIND}" = "" ]; then
N=0; IDLE_TIMEOUT=1
for I in ${FIND}; do
logtext "Output: ${I}"
report "session_timeout_value[]=${I}"
LogText "Output: ${I}"
Report "session_timeout_value[]=${I}"
N=`expr ${N} + 1`
done
if [ ${N} -eq 1 ]; then
logtext "Result: found TMOUT value configured in one of the files in /etc/profile.d directory"
LogText "Result: found TMOUT value configured in one of the files in /etc/profile.d directory"
else
logtext "Result: found several TMOUT values configured in one of the files in /etc/profile.d directory"
LogText "Result: found several TMOUT values configured in one of the files in /etc/profile.d directory"
fi
report "session_timeout_method[]=profile"
Report "session_timeout_method[]=profile"
else
logtext "Result: could not find TMOUT setting in /etc/profile.d/*.sh"
LogText "Result: could not find TMOUT setting in /etc/profile.d/*.sh"
fi
# Check for readonly
if [ ! "${FIND2}" = "" ]; then
N=0;
for I in ${FIND2}; do
logtext "Output: ${I}"
LogText "Output: ${I}"
if [ "${I}" = "readonly" -o "${I}" = "typeset" ]; then
N=`expr ${N} + 1`
fi
done
if [ ${N} -gt 0 ]; then
logtext "Result: found readonly setting in /etc/profile (readonly or typeset -r)"
report "session_timeout_set_readonly=1"
LogText "Result: found readonly setting in /etc/profile (readonly or typeset -r)"
Report "session_timeout_set_readonly=1"
else
logtext "Result: NO readonly setting found in /etc/profile (readonly or typeset -r)"
report "session_timeout_set_readonly=0"
LogText "Result: NO readonly setting found in /etc/profile (readonly or typeset -r)"
Report "session_timeout_set_readonly=0"
fi
else
logtext "Result: could not find export, readonly or typeset -r in /etc/profile"
LogText "Result: could not find export, readonly or typeset -r in /etc/profile"
fi
fi
else
logtext "Result: skip /etc/profile.d directory test, directory not available on this system"
LogText "Result: skip /etc/profile.d directory test, directory not available on this system"
fi
if [ ${IDLE_TIMEOUT} -eq 1 ]; then
@ -225,21 +225,21 @@
for FILE in ${SHELL_CONFIG_FILES}; do
FIND=""
if [ -f ${FILE} ]; then
logtext "Result: file ${FILE} exists"
LogText "Result: file ${FILE} exists"
FOUND=1
FIND=`grep umask ${FILE} | sed 's/^[ \t]*//g' | sed 's/#.*$//' | grep -v "^$" | awk '{ print $2 }'`
if [ "${FIND}" = "" ]; then
logtext "Result: did not find umask configured in ${FILE}"
LogText "Result: did not find umask configured in ${FILE}"
Display --indent 4 --text "- Checking default umask in ${FILE}" --result NONE --color YELLOW
else
for UMASKVALUE in ${FIND}; do
logtext "Result: found umask ${UMASKVALUE} in ${FILE}"
LogText "Result: found umask ${UMASKVALUE} in ${FILE}"
case ${UMASKVALUE} in
027|0027|077|0077)
logtext "Result: umask ${UMASKVALUE} is considered a properly hardened value"
LogText "Result: umask ${UMASKVALUE} is considered a properly hardened value"
;;
*)
logtext "Result: umask ${UMASKVALUE} can be hardened "
LogText "Result: umask ${UMASKVALUE} can be hardened "
HARDENING_POSSIBLE=1
;;
esac
@ -253,12 +253,12 @@
fi
fi
else
logtext "Result: file ${FILE} not found"
LogText "Result: file ${FILE} not found"
fi
done
#if [ ${FOUND} -eq 1 ]; then
# if [ ${HARDENING_POSSIBLE} -eq 0 ]; then
# logtext "Result: all shell files found, contain a proper umask"
# LogText "Result: all shell files found, contain a proper umask"
# Display --indent 4 --text "- Default umask" --result OK --color GREEN
# fi
#fi
@ -272,117 +272,117 @@
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
#Display --indent 2 --text "- Testing for Shellshock vulnerability"
logtext "Test: Check if bash is in the list of shells."
LogText "Test: Check if bash is in the list of shells."
if [ -f /etc/shells ]; then
logtext "Test: checking for bash shell in /etc/shells"
LogText "Test: checking for bash shell in /etc/shells"
FIND=`egrep '(/usr)?(/local)?/bin/bash' /etc/shells | grep -v "^#" | head -1`
else
logtext "Test: checking if bash is available via which command"
LogText "Test: checking if bash is available via which command"
FIND=`which bash 2> /dev/null | head -1`
fi
logtext "Result: command revealed ${FIND} as output"
LogText "Result: command revealed ${FIND} as output"
if [ ! "${FIND}" = "" ]; then
if [ -x "${FIND}" -a ! -L "${FIND}" ]; then
logtext "Result: found ${FIND} as a valid shell"
LogText "Result: found ${FIND} as a valid shell"
SHELLSHOCK_TMP=`mktemp /tmp/lynis-shellshock-test.XXXXXXXXXX` || exit 1
# CVE-2014-6271
logtext "Test: Check for first exploit (CVE-2014-6271)"
LogText "Test: Check for first exploit (CVE-2014-6271)"
echo "env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c \"echo test\" 2>&1 | grep 'vulnerable'" > ${SHELLSHOCK_TMP}
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null`
rm -f ${SHELLSHOCK_TMP}
if [ ! "${VULNERABLE}" = "" ]; then
logtext "Output: ${VULNERABLE}"
logtext "Result: Vulnerable to original shellshock (CVE-2014-6271)"
LogText "Output: ${VULNERABLE}"
LogText "Result: Vulnerable to original shellshock (CVE-2014-6271)"
Display --indent 2 --text "- Shellshock: CVE-2014-6271 (original shellshocker)" --result "WARNING" --color RED
FOUND=1
else
logtext "Result: Not vulnerable to original shellshock (CVE-2014-6271)"
LogText "Result: Not vulnerable to original shellshock (CVE-2014-6271)"
#Display --indent 4 --text "- CVE-2014-6271 (original shellshocker)" --result "OK" --color GREEN
fi
# CVE-2014-6277 (disabled, as this test was giving too much false positives)
# CVE-2014-6278
logtext "Test: Check for CVE-2014-6278"
LogText "Test: Check for CVE-2014-6278"
echo "shellshocker='() { echo vulnerable; }' bash -c shellshocker 2>/dev/null | grep 'vulnerable'" > ${SHELLSHOCK_TMP}
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null`
rm -f ${SHELLSHOCK_TMP}
if [ ! "${VULNERABLE}" = "" ]; then
logtext "Output: ${VULNERABLE}"
logtext "Result: Vulnerable to CVE-2014-6278"
LogText "Output: ${VULNERABLE}"
LogText "Result: Vulnerable to CVE-2014-6278"
Display --indent 2 --text "- Shellshock: CVE-2014-6278 (Florian's patch, lcamtuf bug #2)" --result "WARNING" --color RED
FOUND=1
else
logtext "Result: Not vulnerable to CVE-2014-6278"
LogText "Result: Not vulnerable to CVE-2014-6278"
#Display --indent 4 --text "- CVE-2014-6278 (Florian's patch, lcamtuf bug #2)" --result "OK" --color GREEN
fi
# CVE-2014-7169
logtext "Test: Check for taviso bug CVE-2014-7169"
LogText "Test: Check for taviso bug CVE-2014-7169"
echo "(cd /tmp; rm -f /tmp/echo; env X='() { (a)=>\' bash -c "echo echo nonvuln" 2>/dev/null; [[ \"\$(cat echo 2> /dev/null)\" == \"nonvuln\" ]] && echo \"vulnerable\" 2> /dev/null) | grep ' vulnerable'" > ${SHELLSHOCK_TMP}
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null`
rm -f ${SHELLSHOCK_TMP}
if [ ! "${VULNERABLE}" = "" ]; then
logtext "Output: ${VULNERABLE}"
logtext "Result: Vulnerable to taviso bug (CVE-2014-7169)"
LogText "Output: ${VULNERABLE}"
LogText "Result: Vulnerable to taviso bug (CVE-2014-7169)"
Display --indent 2 --text "- Shellshock: CVE-2014-7169 (taviso bug)" --result "WARNING" --color RED
FOUND=1
else
logtext "Result: Not vulnerable to taviso bug (CVE-2014-7169)"
LogText "Result: Not vulnerable to taviso bug (CVE-2014-7169)"
#Display --indent 4 --text "- CVE-2014-7169 (taviso bug)" --result "OK" --color GREEN
fi
# CVE-2014-7186
logtext "Test: Check for CVE-2014-7186"
LogText "Test: Check for CVE-2014-7186"
echo "(bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2>/dev/null || echo \"vulnerable\") | grep 'vulnerable'" > ${SHELLSHOCK_TMP}
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null`
rm -f ${SHELLSHOCK_TMP}
if [ ! "${VULNERABLE}" = "" ]; then
logtext "Output: ${VULNERABLE}"
logtext "Result: Vulnerable to CVE-2014-7186"
LogText "Output: ${VULNERABLE}"
LogText "Result: Vulnerable to CVE-2014-7186"
Display --indent 2 --text "- Shellshock: CVE-2014-7186 redir_stack bug" --result "WARNING" --color RED
FOUND=1
else
logtext "Result: Not vulnerable to CVE-2014-7186"
LogText "Result: Not vulnerable to CVE-2014-7186"
#Display --indent 4 --text "- CVE-2014-7186 redir_stack bug" --result "OK" --color GREEN
fi
# CVE-2014-7187
logtext "Test: Check for CVE-2014-7187"
LogText "Test: Check for CVE-2014-7187"
echo "((for x in {1..200}; do echo \"for x$x in ; do :\"; done; for x in {1..200}; do echo done; done) | bash || echo \"vulnerable\") | grep 'vulnerable'" > ${SHELLSHOCK_TMP}
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null`
rm -f ${SHELLSHOCK_TMP}
if [ ! "${VULNERABLE}" = "" ]; then
logtext "Output: ${VULNERABLE}"
logtext "Result: Vulnerable to CVE-2014-7187"
LogText "Output: ${VULNERABLE}"
LogText "Result: Vulnerable to CVE-2014-7187"
Display --indent 2 --text "- Shellshock: CVE-2014-7187 nested loops off by one bug" --result "WARNING" --color RED
FOUND=1
else
logtext "Result: Not vulnerable to CVE-2014-7187"
LogText "Result: Not vulnerable to CVE-2014-7187"
#Display --indent 4 --text "- CVE-2014-7187 nested loops off by one bug" --result "OK" --color GREEN
fi
# CVE-2014-////
logtext "Test: Check for bug Exploit #3 - shellshocker.net (no CVE)"
LogText "Test: Check for bug Exploit #3 - shellshocker.net (no CVE)"
echo "env X=' () { }; echo hello' bash -c 'date'| grep 'hello'" > ${SHELLSHOCK_TMP}
VULNERABLE=`${FIND} ${SHELLSHOCK_TMP} 2> /dev/null`
rm -f ${SHELLSHOCK_TMP}
if [ ! "${VULNERABLE}" = "" ]; then
logtext "Output: ${VULNERABLE}"
logtext "Result: Vulnerable to CVE-2014-//// (exploit #3 on shellshocker.net)"
LogText "Output: ${VULNERABLE}"
LogText "Result: Vulnerable to CVE-2014-//// (exploit #3 on shellshocker.net)"
Display --indent 2 --text "- Shellshock: Exploit #3 on shellshocker.net (no CVE)" --result "WARNING" --color RED
FOUND=1
else
logtext "Result: Not vulnerable to exploit #3 on shellshocker.net (no CVE)"
LogText "Result: Not vulnerable to exploit #3 on shellshocker.net (no CVE)"
#Display --indent 4 --text "- Exploit#3 on shellshocker.net (no CVE)" --result "OK" --color GREEN
fi
else
logtext "Result: bash binary found, but not executable, or it is symlinked"
LogText "Result: bash binary found, but not executable, or it is symlinked"
fi
else
logtext "Result: could not find bash to be a valid shell"
LogText "Result: could not find bash to be a valid shell"
fi
if [ ${FOUND} -eq 1 ]; then
@ -396,11 +396,11 @@
#################################################################################
#
report "session_timeout_enabled=${IDLE_TIMEOUT}"
Report "session_timeout_enabled=${IDLE_TIMEOUT}"
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, CISOfy - http://cisofy.com
# Lynis - Copyright 2007-2016, CISOfy - http://cisofy.com

24
include/tests_snmp
View File

@ -5,7 +5,7 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -30,15 +30,15 @@
# Description : Check for a running SNMP daemon
Register --test-no SNMP-3302 --weight L --network NO --description "Check for running SNMP daemon"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching for a SNMP daemon"
LogText "Test: Searching for a SNMP daemon"
# Check running processes
IsRunning snmpd
if [ ${RUNNING} -eq 1 ]; then
SNMP_DAEMON_RUNNING=1
logtext "Result: SNMP daemon is running"
LogText "Result: SNMP daemon is running"
Display --indent 2 --text "- Checking running SNMP daemon" --result FOUND --color GREEN
else
logtext "Result: No running SNMP daemon found"
LogText "Result: No running SNMP daemon found"
Display --indent 2 --text "- Checking running SNMP daemon" --result "NOT FOUND" --color WHITE
fi
fi
@ -50,18 +50,18 @@
if [ ${SNMP_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SNMP-3304 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SNMP daemon file location"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: searching for snmpd.conf file"
LogText "Test: searching for snmpd.conf file"
for I in ${SNMP_DAEMON_CONFIG_LOCS}; do
if [ -f "${I}/snmpd.conf" ]; then
logtext "Result: ${I}/snmpd.conf exists"
LogText "Result: ${I}/snmpd.conf exists"
SNMPD_DAEMON_CONFIG="${I}/snmpd.conf"
fi
done
if [ "${SNMPD_DAEMON_CONFIG}" = "" ]; then
logtext "Result: No snmpd configuration found"
LogText "Result: No snmpd configuration found"
Display --indent 4 --text "- Checking SNMP configuration" --result "NOT FOUND" --color WHITE
else
logtext "Restult: using last found configuration file: ${SNMPD_DAEMON_CONFIG}"
LogText "Restult: using last found configuration file: ${SNMPD_DAEMON_CONFIG}"
Display --indent 4 --text "- Checking SNMP configuration" --result "FOUND" --color GREEN
fi
fi
@ -74,12 +74,12 @@
Register --test-no SNMP-3306 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SNMP communities"
if [ ${SKIPTEST} -eq 0 ]; then
WARN=0
logtext "Test: reading active snmp communities"
LogText "Test: reading active snmp communities"
FIND=`${AWKBINARY} '/^com2sec/ { print $4 }' ${SNMPD_DAEMON_CONFIG}`
for I in ${FIND}; do
logtext "Output: ${I}"
LogText "Output: ${I}"
if [ "${I}" = "public" -o "${I}" = "private" ]; then
logtext "Result: found easy guessable snmp community string (${I})"
LogText "Result: found easy guessable snmp community string (${I})"
WARN=1
AddHP 1 3
fi
@ -102,4 +102,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015 Michael Boelen, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2016 Michael Boelen, CISOfy - https://cisofy.com

16
include/tests_solaris
View File

@ -5,7 +5,7 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -26,15 +26,15 @@
# Description : Check if Stop-A is disabled
# Register --test-no SOL-xxxx --weight L --network NO --description "Check for running SSH daemon"
# if [ ${SKIPTEST} -eq 0 ]; then
# logtext "Test: Searching for a SSH daemon"
# LogText "Test: Searching for a SSH daemon"
# # Check running processes
# FIND=`${PSBINARY} ax | grep "sshd" | grep -v "grep"`
# if [ ! "${FIND}" = "" ]; then
# SSH_DAEMON_RUNNING=1
# logtext "Result: Stop-A is disabled"
# LogText "Result: Stop-A is disabled"
# Display --indent 2 --text "- Checking running SSH daemon" --result FOUND --color GREEN
# else
# logtext "Result: Stop-A is NOT disabled"
# LogText "Result: Stop-A is NOT disabled"
# Display --indent 2 --text "- Checking running SSH daemon" --result "NOT FOUND" --color WHITE
# fi
# fi
@ -45,15 +45,15 @@
# Description : Check if vold is disabled, to disallow unaudited mounts
# Register --test-no SOL-xxxx --weight L --network NO --description "Check for running SSH daemon"
# if [ ${SKIPTEST} -eq 0 ]; then
# logtext "Test: Searching for a SSH daemon"
# LogText "Test: Searching for a SSH daemon"
# # Check running processes
# FIND=`${PSBINARY} ax | grep "sshd" | grep -v "grep"`
# if [ ! "${FIND}" = "" ]; then
# SSH_DAEMON_RUNNING=1
# logtext "Result: Stop-A is disabled"
# LogText "Result: Stop-A is disabled"
# Display --indent 2 --text "- Checking running SSH daemon" --result FOUND --color GREEN
# else
# logtext "Result: Stop-A is NOT disabled"
# LogText "Result: Stop-A is NOT disabled"
# Display --indent 2 --text "- Checking running SSH daemon" --result "NOT FOUND" --color WHITE
# fi
# fi
@ -66,4 +66,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com

92
include/tests_squid
View File

@ -5,7 +5,7 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -35,16 +35,16 @@
# programs.
Register --test-no SQD-3602 --weight L --network NO --description "Check for running Squid daemon"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching for a Squid daemon"
LogText "Test: Searching for a Squid daemon"
FOUND=0
# Check running processes
FIND=`${PSBINARY} ax | egrep "(squid|squid3) " | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
SQUID_DAEMON_RUNNING=1
logtext "Result: Squid daemon is running"
LogText "Result: Squid daemon is running"
Display --indent 2 --text "- Checking running Squid daemon" --result FOUND --color GREEN
else
logtext "Result: No running Squid daemon found"
LogText "Result: No running Squid daemon found"
Display --indent 2 --text "- Checking running Squid daemon" --result "NOT FOUND" --color WHITE
fi
fi
@ -56,24 +56,24 @@
if [ ${SQUID_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3604 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid daemon file location"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: searching for squid.conf or squid3.conf file"
LogText "Test: searching for squid.conf or squid3.conf file"
for I in ${SQUID_DAEMON_CONFIG_LOCS}; do
# Checking squid.conf
if [ -f "${I}/squid.conf" ]; then
logtext "Result: ${I}/squid.conf exists"
LogText "Result: ${I}/squid.conf exists"
SQUID_DAEMON_CONFIG="${I}/squid.conf"
fi
# Checking squid3.conf
if [ -f "${I}/squid3.conf" ]; then
logtext "Result: ${I}/squid3.conf exists"
LogText "Result: ${I}/squid3.conf exists"
SQUID_DAEMON_CONFIG="${I}/squid3.conf"
fi
done
if [ "${SQUID_DAEMON_CONFIG}" = "" ]; then
logtext "Result: No Squid configuration file found"
LogText "Result: No Squid configuration file found"
Display --indent 4 --text "- Searching Squid configuration file" --result "NOT FOUND" --color YELLOW
else
logtext "Result: using last found configuration file: ${SQUID_DAEMON_CONFIG}"
LogText "Result: using last found configuration file: ${SQUID_DAEMON_CONFIG}"
Display --indent 4 --text "- Searching Squid configuration" --result FOUND --color GREEN
fi
fi
@ -86,7 +86,7 @@
Register --test-no SQD-3606 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid version"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${SQUIDBINARY}" = "" ]; then
logtext "Result: Squid binary found (${SQUIDBINARY})"
LogText "Result: Squid binary found (${SQUIDBINARY})"
# Skip check if a setuid/setgid bit is found
FIND=`find ${SQUIDBINARY} \( -perm 4000 -o -perm 2000 \) -print`
if [ "${FIND}" = "" ]; then
@ -94,11 +94,11 @@
Display --indent 4 --text "- Checking Squid version" --result "FOUND" --color GREEN
SQUID_VERSION="${FIND2}"
else
logtext "Result: test skipped for security reasons, setuid/setgid bit set"
LogText "Result: test skipped for security reasons, setuid/setgid bit set"
Display --indent 4 --text "- Checking Squid version" --result "SKIPPED" --color RED
fi
else
logtext "Result: no Squid binary found"
LogText "Result: no Squid binary found"
fi
fi
#
@ -109,12 +109,12 @@
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3610 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid version"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking all specific defined options in ${SQUID_DAEMON_CONFIG}"
LogText "Test: Checking all specific defined options in ${SQUID_DAEMON_CONFIG}"
FIND=`grep -v "^#" ${SQUID_DAEMON_CONFIG} | grep -v "^$" | ${AWKBINARY} '{gsub("\t"," ");print}' | sed 's/ /!space!/g'`
for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'`
logtext "Found Squid option: ${I}"
report "squid_option=${I}"
LogText "Found Squid option: ${I}"
Report "squid_option=${I}"
done
Display --indent 4 --text "- Checking defined Squid options" --result "DONE" --color GREEN
fi
@ -126,16 +126,16 @@
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3613 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid file permissions"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking file permissions of ${SQUID_DAEMON_CONFIG}"
LogText "Test: Checking file permissions of ${SQUID_DAEMON_CONFIG}"
FIND=`find ${SQUID_DAEMON_CONFIG} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \)`
if [ ! "${FIND}" = "" ]; then
logtext "Result: file ${SQUID_DAEMON_CONFIG} is world readable, writable or executable and could leak information or passwords"
LogText "Result: file ${SQUID_DAEMON_CONFIG} is world readable, writable or executable and could leak information or passwords"
Display --indent 4 --text "- Checking Squid configuration file permissions" --result WARNING --color RED
ReportSuggestion ${TEST_NO} "Check file permissions of ${SQUID_DAEMON_CONFIG} to limit access"
ReportWarning ${TEST_NO} "M" "File permissions of ${SQUID_DAEMON_CONFIG} are not restrictive"
AddHP 0 2
else
logtext "Result: file ${SQUID_DAEMON_CONFIG} has proper file permissions"
LogText "Result: file ${SQUID_DAEMON_CONFIG} has proper file permissions"
Display --indent 4 --text "- Checking Squid configuration file permissions" --result OK --color GREEN
AddHP 2 2
fi
@ -154,16 +154,16 @@
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3614 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid authentication methods"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check auth_param option for authentication methods"
LogText "Test: check auth_param option for authentication methods"
FIND=`grep "^auth_param" ${SQUID_DAEMON_CONFIG} | awk '{ print $2 }'`
if [ "${FIND}" = "" ]; then
logtext "No auth_param option found, proxy access anonymous or based on other methods (like ACLs)"
LogText "No auth_param option found, proxy access anonymous or based on other methods (like ACLs)"
Display --indent 6 --text "- Checking Squid authentication methods" --result "NONE" --color YELLOW
else
Display --indent 6 --text "- Checking Squid authentication methods" --result "FOUND" --color GREEN
for I in ${FIND}; do
logtext "Result: found authentication method ${I}"
report "squid_auth_method=${I}"
LogText "Result: found authentication method ${I}"
Report "squid_auth_method=${I}"
done
fi
fi
@ -175,17 +175,17 @@
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3616 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check external Squid authentication"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check external_acl_type option for external authentication helpers"
LogText "Test: check external_acl_type option for external authentication helpers"
FIND=`grep "^external_acl_type" ${SQUID_DAEMON_CONFIG}`
if [ "${FIND}" = "" ]; then
logtext "No external_acl_type found"
LogText "No external_acl_type found"
Display --indent 6 --text "- Checking Squid external authentication methods" --result "NONE" --color YELLOW
else
Display --indent 6 --text "- Checking Squid external authentication methods" --result "FOUND" --color GREEN
for I in ${FIND}; do
logtext "Result: found external authentication method helper"
logtext "Output: ${FIND}"
#report "squid_external_acl_type=TRUE"
LogText "Result: found external authentication method helper"
LogText "Output: ${FIND}"
#Report "squid_external_acl_type=TRUE"
done
fi
fi
@ -198,19 +198,19 @@
Register --test-no SQD-3620 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid access control lists"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
logtext "Test: checking ACLs"
LogText "Test: checking ACLs"
FIND=`grep "^acl " ${SQUID_DAEMON_CONFIG} | sed 's/ /!space!/g'`
if [ "${FIND}" = "" ]; then
logtext "Result: No ACLs found"
LogText "Result: No ACLs found"
Display --indent 6 --text "- Checking Access Control Lists" --result "NONE" --color RED
else
for I in ${FIND}; do
N=`expr ${N} + 1`
I=`echo ${I} | sed 's/!space!/ /g'`
logtext "Found ACL: ${I}"
#report "squid_acl=${I}"
LogText "Found ACL: ${I}"
#Report "squid_acl=${I}"
done
logtext "Result: Found ${N} ACLs"
LogText "Result: Found ${N} ACLs"
Display --indent 6 --text "- Checking Access Control Lists" --result "${N} ACLs FOUND" --color GREEN
fi
fi
@ -223,30 +223,30 @@
Register --test-no SQD-3624 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid safe ports"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
logtext "Test: checking ACL Safe_ports http_access option"
LogText "Test: checking ACL Safe_ports http_access option"
FIND=`grep "^http_access" ${SQUID_DAEMON_CONFIG} | grep "Safe_ports"`
if [ "${FIND}" = "" ]; then
logtext "Result: no Safe_ports found"
LogText "Result: no Safe_ports found"
Display --indent 6 --text "- Checking ACL 'Safe_ports' http_access option" --result "NOT FOUND" --color YELLOW
ReportSuggestion ${TEST_NO} "Check if Squid has been configured to restrict access to all safe ports"
else
logtext "Result: checking ACL safe ports"
LogText "Result: checking ACL safe ports"
FIND2=`grep "^acl Safe_ports port" ${SQUID_DAEMON_CONFIG} | awk '{ print $4 }'`
if [ "${FIND2}" = "" ]; then
Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "NONE FOUND" --color YELLOW
ReportSuggestion ${TEST_NO} "Check if Squid has been configured for which ports it can allow outgoing traffic (Safe_ports)"
AddHP 0 1
else
logtext "Result: Safe_ports found"
LogText "Result: Safe_ports found"
for I in ${FIND}; do
logtext "Found safe port: ${I}"
LogText "Found safe port: ${I}"
done
Display --indent 6 --text "- Checking ACL 'Safe_ports' ports" --result "FOUND" --color GREEN
AddHP 1 1
fi
#SQUID_DAEMON_UNSAFE_PORTS_LIST
for I in ${SQUID_DAEMON_UNSAFE_PORTS_LIST}; do
logtext "Test: Checking port ${I} in Safe_ports list"
LogText "Test: Checking port ${I} in Safe_ports list"
FIND2=`grep -w "^acl Safe_ports port ${I}" ${SQUID_DAEMON_CONFIG}`
if [ "${FIND2}" = "" ]; then
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "NOT FOUND" --color GREEN
@ -274,16 +274,16 @@
Register --test-no SQD-3630 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid reply_body_max_size option"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
logtext "Test: checking option reply_body_max_size"
LogText "Test: checking option reply_body_max_size"
FIND=`grep "^reply_body_max_size " ${SQUID_DAEMON_CONFIG} | sed 's/ /!space!/g'`
if [ "${FIND}" = "" ]; then
logtext "Result: option reply_body_max_size not configured"
LogText "Result: option reply_body_max_size not configured"
Display --indent 6 --text "- Checking option: reply_body_max_size" --result "NONE" --color RED
AddHP 1 2
ReportSuggestion ${TEST_NO} "Configure Squid option reply_body_max_size to limit the upper size of requests."
else
logtext "Result: option reply_body_max_size configured"
logtext "Output: ${FIND}"
LogText "Result: option reply_body_max_size configured"
LogText "Output: ${FIND}"
Display --indent 6 --text "- Checking option: reply_body_max_size" --result "FOUND" --color GREEN
AddHP 2 2
fi
@ -304,13 +304,13 @@
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`grep "^httpd_suppress_version_string " ${SQUID_DAEMON_CONFIG} | grep " on"`
if [ "${FIND}" = "" ]; then
logtext "Result: option httpd_suppress_version_string not configured"
LogText "Result: option httpd_suppress_version_string not configured"
Display --indent 6 --text "- Checking option: httpd_supress_version_string" --result "NOT FOUND" --color YELLOW
AddHP 1 2
ReportSuggestion ${TEST_NO} "Configure Squid option httpd_suppress_version_string (on) to suppress the version."
else
logtext "Result: option httpd_suppress_version_string configured"
logtext "Output: ${FIND}"
LogText "Result: option httpd_suppress_version_string configured"
LogText "Output: ${FIND}"
Display --indent 6 --text "- Checking option: httpd_suppress_version_string" --result "FOUND" --color GREEN
AddHP 2 2
fi
@ -323,4 +323,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015 Michael Boelen, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2016 Michael Boelen, CISOfy - https://cisofy.com

54
include/tests_ssh
View File

@ -5,7 +5,7 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
# Copyright 2007-2016, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -33,7 +33,7 @@
# Description : Check for a running SSH daemon
Register --test-no SSH-7402 --weight L --network NO --description "Check for running SSH daemon"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching for a SSH daemon"
LogText "Test: Searching for a SSH daemon"
IsRunning sshd
if [ ${RUNNING} -eq 1 ]; then
SSH_DAEMON_RUNNING=1
@ -51,29 +51,29 @@
Register --test-no SSH-7404 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH daemon file location"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
logtext "Test: searching for sshd_config file"
LogText "Test: searching for sshd_config file"
for I in ${SSH_DAEMON_CONFIG_LOCS}; do
if [ -f "${I}/sshd_config" ]; then
logtext "Result: ${I}/sshd_config exists"
LogText "Result: ${I}/sshd_config exists"
if [ ${FOUND} -eq 1 ]; then
ReportException "${TEST_NO}:01"
logtext "Result: we already had found another sshd_config file. Using this new file then."
LogText "Result: we already had found another sshd_config file. Using this new file then."
fi
FileIsReadable ${I}/sshd_config
if [ ${CANREAD} -eq 1 ]; then
FOUND=1
SSH_DAEMON_CONFIG="${I}/sshd_config"
else
logtext "Result: can not read ${I}/sshd_config file (no permission)"
LogText "Result: can not read ${I}/sshd_config file (no permission)"
fi
fi
done
if [ "${SSH_DAEMON_CONFIG}" = "" ]; then
logtext "Result: No sshd configuration found"
LogText "Result: No sshd configuration found"
Display --indent 4 --text "- Searching SSH configuration" --result "NOT FOUND" --color YELLOW
ReportException "${TEST_NO}:1" "SSH daemon is running, but no readable configuration file found"
else
logtext "Result: using last found configuration file: ${SSH_DAEMON_CONFIG}"
LogText "Result: using last found configuration file: ${SSH_DAEMON_CONFIG}"
Display --indent 4 --text "- Searching SSH configuration" --result FOUND --color GREEN
fi
fi
@ -85,7 +85,7 @@
if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SSH-7408 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH specific defined options"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking specific defined options in ${SSH_DAEMON_CONFIG}"
LogText "Test: Checking specific defined options in ${SSH_DAEMON_CONFIG}"
## SSHOPTIONS scheme:
## <OptionName>:<ExpectedValue>,<MediumScoreValue>,<WeakValue>:<TestType>
##
@ -130,11 +130,11 @@
TESTTYPE=`echo ${I} | cut -d ':' -f3`
RESULT="NONE"
FOUNDVALUE=`awk -v OPT="${OPTIONNAME}" 'index($0, OPT) == 1 { print toupper($2) }' ${SSH_DAEMON_CONFIG}`
logtext "Test: Checking ${OPTIONNAME} in ${SSH_DAEMON_CONFIG}"
LogText "Test: Checking ${OPTIONNAME} in ${SSH_DAEMON_CONFIG}"
if [ ! "${FOUNDVALUE}" = "" ]; then
logtext "Result: Option ${OPTIONNAME} found in ${SSH_DAEMON_CONFIG}"
logtext "Result: Option ${OPTIONNAME} value is ${FOUNDVALUE}"
LogText "Result: Option ${OPTIONNAME} found in ${SSH_DAEMON_CONFIG}"
LogText "Result: Option ${OPTIONNAME} value is ${FOUNDVALUE}"
if [ "${TESTTYPE}" = "=" ]; then
if [ "${FOUNDVALUE}" = "${EXPECTEDVALUE}" ]; then
@ -185,27 +185,27 @@
if [ "${RESULT}" = "GOOD" ]; then
logtext "Result: SSH option ${OPTIONNAME} is configured very well"
LogText "Result: SSH option ${OPTIONNAME} is configured very well"
Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result OK --color GREEN
AddHP 3 3
elif [ "${RESULT}" = "MIDSCORED" ]; then
logtext "Result: SSH option ${OPTIONNAME} is configured reasonably"
LogText "Result: SSH option ${OPTIONNAME} is configured reasonably"
ReportSuggestion ${TEST_NO} "Consider hardening of SSH configuration" "${OPTIONNAME} (${FOUNDVALUE} --> ${EXPECTEDVALUE})" "-"
Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "MEDIUM" --color YELLOW
AddHP 1 3
elif [ "${RESULT}" = "WEAK" ]; then
logtext "Result: SSH option ${OPTIONNAME} is in a weak configuruation state and should be fixed"
LogText "Result: SSH option ${OPTIONNAME} is in a weak configuruation state and should be fixed"
#ReportWarning ${TEST_NO} "M" "Unsafe configured SSH option: ${OPTIONNAME}"
ReportSuggestion ${TEST_NO} "Consider hardening SSH configuration" "${OPTIONNAME} (${FOUNDVALUE} --> ${EXPECTEDVALUE})" "-"
Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result WARNING --color RED
AddHP 0 3
elif [ "${RESULT}" = "UNKNOWN" ]; then
logtext "Result: Value of SSH option ${OPTIONNAME} is unknown (not defined)"
LogText "Result: Value of SSH option ${OPTIONNAME} is unknown (not defined)"
Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result DEFAULT --color WHITE
#ReportException "SSH-7408:01" "Unknown SSH option"
report "unknown_config_option[]=ssh|$SSH_DAEMON_CONFIG}|${OPTIONNAME}|"
Report "unknown_config_option[]=ssh|$SSH_DAEMON_CONFIG}|${OPTIONNAME}|"
else
logtext "Result: Option ${OPTIONNAME} not found in ${SSH_DAEMON_CONFIG}"
LogText "Result: Option ${OPTIONNAME} not found in ${SSH_DAEMON_CONFIG}"
Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "NOT FOUND" --color WHITE
fi
@ -224,30 +224,30 @@
# AllowUsers
FIND=`egrep "^AllowUsers" ${SSH_DAEMON_CONFIG} | awk '{ print $2 }'`
if [ ! "${FIND}" = "" ]; then
logtext "Result: AllowUsers set, with value ${FIND}"
LogText "Result: AllowUsers set, with value ${FIND}"
Display --indent 4 --text "- SSH option: AllowUsers" --result FOUND --color GREEN
FOUND=1
else
logtext "Result: AllowUsers is not set"
LogText "Result: AllowUsers is not set"
Display --indent 4 --text "- SSH option: AllowUsers" --result "NOT FOUND" --color WHITE
fi
# AllowGroups
FIND=`egrep "^AllowGroups" ${SSH_DAEMON_CONFIG} | awk '{ print $2 }'`
if [ ! "${FIND}" = "" ]; then
logtext "Result: AllowUsers set ${FIND}"
LogText "Result: AllowUsers set ${FIND}"
Display --indent 4 --text "- SSH option: AllowGroups" --result FOUND --color GREEN
FOUND=1
else
logtext "Result: AllowGroups is not set"
LogText "Result: AllowGroups is not set"
Display --indent 4 --text "- SSH option: AllowGroups" --result "NOT FOUND" --color WHITE
fi
if [ ${FOUND} -eq 1 ]; then
logtext "Result: SSH is limited to a specific set of users, which is good"
LogText "Result: SSH is limited to a specific set of users, which is good"
AddHP 2 2
else
logtext "Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine."
LogText "Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine."
AddHP 0 1
fi
fi
@ -255,11 +255,11 @@
#################################################################################
#
report "ssh_daemon_running=${SSH_DAEMON_RUNNING}"
#report "ssh_daemon_port=${SSH_DAEMON_PORT}"
Report "ssh_daemon_running=${SSH_DAEMON_RUNNING}"
#Report "ssh_daemon_port=${SSH_DAEMON_PORT}"
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com

38
include/tests_storage
View File

@ -5,7 +5,7 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
# Copyright 2007-2016, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -29,7 +29,7 @@
Register --test-no STRG-1840 --os Linux --weight L --network NO --description "Check if USB storage is disabled"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
logtext "Test: Checking USB storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf"
LogText "Test: Checking USB storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf"
if [ -d /etc/modprobe.d ]; then
FIND=`ls /etc/modprobe.d/* 2> /dev/null`
if [ ! "${FIND}" = "" ]; then
@ -37,53 +37,53 @@
FIND2=`egrep -r "^blacklist usb[-_]storage" /etc/modprobe.d/*`
if [ ! "${FIND}" = "" -o ! "${FIND2}" = "" ]; then
FOUND=1
logtext "Result: found usb-storage driver in disabled state (blacklisted)"
LogText "Result: found usb-storage driver in disabled state (blacklisted)"
fi
else
logtext "Result: uncommon situation. Found /etc/modprobe.d directory, but no files in it."
LogText "Result: uncommon situation. Found /etc/modprobe.d directory, but no files in it."
fi
fi
if [ -f /etc/modprobe.conf ]; then
FIND=`egrep "install usb[-_]storage /bin/(false|true)" /etc/modprobe.conf | grep "usb-storage" | grep -v "#"`
if [ ! "${FIND}" = "" ]; then
FOUND=1
logtext "Result: found usb-storage driver in disabled state"
LogText "Result: found usb-storage driver in disabled state"
fi
fi
if [ ${FOUND} -eq 0 ]; then
logtext "Result: usb-storage driver is not explicitly disabled"
LogText "Result: usb-storage driver is not explicitly disabled"
Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "NOT DISABLED" --color WHITE
ReportSuggestion ${TEST_NO} "Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft"
AddHP 2 3
else
logtext "Result: usb-storage driver is disabled"
LogText "Result: usb-storage driver is disabled"
Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "DISABLED" --color GREEN
AddHP 3 3
fi
logtext "Test: Checking USB devices authorization to connect to the system"
LogText "Test: Checking USB devices authorization to connect to the system"
FOUND=0
USBDEVICESPATH="/sys/bus/usb/devices/usb"
for device in "${USBDEVICESPATH}"*; do
if [ -e "${device}/authorized" ] || [ -e "${device}/authorized_default" ]; then
if [ `cat "${device}/authorized_default"` -eq 1 ]; then
FOUND=1
logtext "Test: ${device} is authorized by default"
LogText "Test: ${device} is authorized by default"
elif [ `cat "${device}/authorized"` -eq 1 ]; then
FOUND=1
logtext "Test: ${device} is authorized for now"
LogText "Test: ${device} is authorized for now"
fi
fi
done
if [ ${FOUND} -eq 1 ]; then
logtext "Result: Some USB devices are authorized by default or temporary to connect to the system"
LogText "Result: Some USB devices are authorized by default or temporary to connect to the system"
Display --indent 2 --text "- Checking USB devices authorization" --result "ENABLED" --color RED
ReportSuggestion ${TEST_NO} "Disable USB devices authorization, to prevent unauthorized storage or data theft"
AddHP 0 3
else
logtext "Result: None USB devices are authorized by default or temporary to connect to the system"
LogText "Result: None USB devices are authorized by default or temporary to connect to the system"
Display --indent 2 --text "- Checking USB devices authorization" --result "DISABLED" --color GREEN
AddHP 3 3
fi
@ -98,7 +98,7 @@
Register --test-no STRG-1846 --os Linux --weight L --network NO --description "Check if firewire storage is disabled"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
logtext "Test: Checking firewire storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf"
LogText "Test: Checking firewire storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf"
if [ -d /etc/modprobe.d ]; then
FIND=`ls /etc/modprobe.d/* 2> /dev/null`
if [ ! "${FIND}" = "" ]; then
@ -106,10 +106,10 @@
FIND2=`egrep "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" /etc/modprobe.d/* | grep -v "#"`
if [ ! "${FIND1}" = "" -o ! "${FIND2}" = "" ]; then
FOUND=1
logtext "Result: found firewire ohci driver in disabled state"
LogText "Result: found firewire ohci driver in disabled state"
fi
else
logtext "Result: skipping /etc/modprobe.d, directory found but no files in it"
LogText "Result: skipping /etc/modprobe.d, directory found but no files in it"
fi
fi
if [ -f /etc/modprobe.conf ]; then
@ -117,18 +117,18 @@
FIND2=`egrep -r "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" /etc/modprobe.conf | grep -v "#"`
if [ ! "${FIND1}" = "" -o ! "${FIND2}" = "" ]; then
FOUND=1
logtext "Result: found firewire ohci driver in disabled state"
LogText "Result: found firewire ohci driver in disabled state"
fi
fi
if [ ${FOUND} -eq 0 ]; then
logtext "Result: firewire ohci driver is not explicitly disabled"
LogText "Result: firewire ohci driver is not explicitly disabled"
Display --indent 2 --text "- Checking firewire ohci driver (modprobe config)" --result "NOT DISABLED" --color WHITE
ReportSuggestion ${TEST_NO} "Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft"
# after blacklisting modules, make sure to remove them from the initram filesystem: update-initramfs -u
AddHP 2 3
else
logtext "Result: firewire ohci driver is disabled"
LogText "Result: firewire ohci driver is disabled"
Display --indent 2 --text "- Checking firewire ohci driver (modprobe config)" --result "DISABLED" --color GREEN
AddHP 3 3
fi
@ -141,4 +141,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, CISOfy, Michael Boelen - https://cisofy.com
# Lynis - Copyright 2007-2016, CISOfy, Michael Boelen - https://cisofy.com

48
include/tests_storage_nfs
View File

@ -5,7 +5,7 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
# Copyright 2007-2016, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -32,10 +32,10 @@
if [ ! "${RPCINFOBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no STRG-1902 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check rpcinfo registered programs"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking rpcinfo registered programs"
LogText "Test: Checking rpcinfo registered programs"
FIND=`${RPCINFOBINARY} -p 2> /dev/null | tr -s ' ' ','`
for I in ${FIND}; do
logtext "rpcinfo: ${I}"
LogText "rpcinfo: ${I}"
done
Display --indent 2 --text "- Query rpc registered programs" --result "DONE" --color GREEN
fi
@ -47,10 +47,10 @@
if [ ! "${RPCINFOBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no STRG-1904 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nfs rpc"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking NFS registered versions"
LogText "Test: Checking NFS registered versions"
FIND=`${RPCINFOBINARY} -p 2> /dev/null | ${AWKBINARY} '{ if ($5=="nfs") { print $2 } }' | uniq | sort`
for I in ${FIND}; do
logtext "Found version: ${I}"
LogText "Found version: ${I}"
done
Display --indent 2 --text "- Query NFS versions" --result "DONE" --color GREEN
fi
@ -62,23 +62,23 @@
if [ ! "${RPCINFOBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no STRG-1906 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nfs rpc"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking NFS registered protocols"
LogText "Test: Checking NFS registered protocols"
FIND=`${RPCINFOBINARY} -p 2> /dev/null | ${AWKBINARY} '{ if ($5=="nfs") { print $3 } }' | uniq | sort`
for I in ${FIND}; do
logtext "Found protocol: ${I}"
LogText "Found protocol: ${I}"
done
if [ "${FIND}" = "" ]; then
logtext "Output: no NFS protocols found"
LogText "Output: no NFS protocols found"
fi
# Check port number
logtext "Test: Checking NFS registered ports"
LogText "Test: Checking NFS registered ports"
FIND=`${RPCINFOBINARY} -p 2> /dev/null | ${AWKBINARY} '{ if ($5=="nfs") { print $3 } }' | uniq | sort`
for I in ${FIND}; do
logtext "Found port: ${I}"
LogText "Found port: ${I}"
done
if [ "${FIND}" = "" ]; then
logtext "Output: no NFS port number found"
LogText "Output: no NFS port number found"
fi
Display --indent 2 --text "- Query NFS protocols" --result "DONE" --color GREEN
fi
@ -89,13 +89,13 @@
# Description : Check for running NFS daemons
Register --test-no STRG-1920 --weight L --network NO --description "Checking NFS daemon"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking running NFS daemon"
LogText "Test: Checking running NFS daemon"
FIND=`${PSBINARY} ax | grep "nfsd" | grep -v "grep"`
if [ "${FIND}" = "" ]; then
logtext "Output: NFS daemon is not running"
LogText "Output: NFS daemon is not running"
Display --indent 2 --text "- Check running NFS daemon" --result "NOT FOUND" --color WHITE
else
logtext "Output: NFS daemon is running"
LogText "Output: NFS daemon is running"
Display --indent 2 --text "- Check running NFS daemon" --result "FOUND" --color GREEN
NFS_DAEMON_RUNNING=1
fi
@ -115,22 +115,22 @@
if [ ${NFS_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no STRG-1926 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking NFS exports"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check /etc/exports"
LogText "Test: check /etc/exports"
if [ -f /etc/exports ]; then
logtext "Result: /etc/exports exists"
LogText "Result: /etc/exports exists"
FIND=`grep -v "^$" /etc/exports | grep -v "^#" | sed 's/ /!space!/g'`
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
I=`echo ${I} | sed 's/!space!/ /g'`
logtext "Found line: ${I}"
LogText "Found line: ${I}"
done
else
logtext "Result: /etc/exports does not contain exported file systems"
LogText "Result: /etc/exports does not contain exported file systems"
NFS_EXPORTS_EMPTY=1
fi
Display --indent 4 --text "- Checking /etc/exports" --result "FOUND" --color GREEN
else
logtext "Result: file /etc/exports does not exist"
LogText "Result: file /etc/exports does not exist"
Display --indent 4 --text "- Checking /etc/exports" --result "NOT FOUND" --color WHITE
fi
fi
@ -144,7 +144,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
if [ ${NFS_EXPORTS_EMPTY} -eq 1 ]; then
Display --indent 6 --text "- Checking empty /etc/exports" --result SUGGESTION --color YELLOW
logtext "Result: /etc/exports seems to have no exported file systems"
LogText "Result: /etc/exports seems to have no exported file systems"
ReportSuggestion ${TEST_NO} "/etc/exports has no exported file systems, while NFS daemon is running. Check if NFS needs to run on this system"
fi
fi
@ -156,15 +156,15 @@
if [ ${NFS_DAEMON_RUNNING} -eq 1 -a ${NFS_EXPORTS_EMPTY} -eq 0 -a ! "${SHOWMOUNTBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no STRG-1930 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check client access to nfs share"
if [ ${SKIPTEST} -eq 0 ]; then
#logtext "Test: "
#LogText "Test: "
sFIND=`${SHOWMOUNTBINARY} -e | awk '{ print $2 }' | sed '1d'| grep "\*"`
if [ "${sFIND}" != "" ]; then
logtext "Result: all client are allowed to access a NFS share in /etc/exports"
LogText "Result: all client are allowed to access a NFS share in /etc/exports"
Display --indent 4 --text "- Checking NFS client access" --result "ALL CLIENTS" --color YELLOW
ReportSuggestion ${TEST_NO} "Specify clients that are allowed to access a NFS share /etc/exports"
AddHP 2 3
else
logtext "Result: only some clients are allowed to access a NFS share"
LogText "Result: only some clients are allowed to access a NFS share"
Display --indent 4 --text "- Checking NFS client access" --result OK --color GREEN
AddHP 3 3
fi
@ -177,4 +177,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com

164
include/tests_time
View File

@ -5,7 +5,7 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -47,7 +47,7 @@
Register --test-no TIME-3104 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for running NTP daemon or client"
if [ ${SKIPTEST} -eq 0 ]; then
# Linux/FreeBSD (ntpdate), OpenBSD (ntpd, rdate), Chrony, systemd-timesyncd
logtext "Test: Searching for a running NTP daemon or available client"
LogText "Test: Searching for a running NTP daemon or available client"
FOUND=0
if [ -f /etc/chrony.conf ]; then
@ -70,7 +70,7 @@
if [ ! "${FIND}" = "" ]; then
FOUND=1; NTPD_RUNNING=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1
NTP_DAEMON="ntpd"
logtext "Result: found running NTP daemon in process list"
LogText "Result: found running NTP daemon in process list"
Display --indent 2 --text "- NTP daemon found: ntpd" --result FOUND --color GREEN
fi
@ -92,7 +92,7 @@
SYSTEMD_NTP_ENABLED=1
fi
else
logtext "Result: time sychronization not performed according timedatectl command"
LogText "Result: time sychronization not performed according timedatectl command"
fi
fi
@ -101,18 +101,18 @@
CRONTAB_FILES="/etc/anacrontab /etc/crontab"
for I in ${CRONTAB_FILES}; do
if [ -f ${I} ]; then
logtext "Test: checking for ntpdate or rdate in crontab file ${I}"
LogText "Test: checking for ntpdate or rdate in crontab file ${I}"
FIND=`${EGREPBINARY} "ntpdate|rdate" ${I} | grep -v '^#'`
if [ ! "${FIND}" = "" ]; then
FOUND=1; NTP_CONFIG_TYPE_SCHEDULED=1
Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result FOUND --color GREEN
logtext "Result: found ntpdate or rdate reference in crontab file ${I}"
LogText "Result: found ntpdate or rdate reference in crontab file ${I}"
else
#Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "NOT FOUND" --color WHITE
logtext "Result: no ntpdate or rdate reference found in crontab file ${I}"
LogText "Result: no ntpdate or rdate reference found in crontab file ${I}"
fi
else
logtext "Result: crontab file ${I} not found"
LogText "Result: crontab file ${I} not found"
fi
done
@ -126,44 +126,44 @@
FIND=`ls ${I} | grep -v FIFO`
if [ ! "${FIND}" = "" ]; then
for J in ${FIND}; do
logtext "Test: checking for ntpdate or rdate in ${I}/${J}"
LogText "Test: checking for ntpdate or rdate in ${I}/${J}"
FIND2=`${EGREPBINARY} "rdate|ntpdate" ${I}/${J} | grep -v "^#"`
if [ ! "${FIND2}" = "" ]; then
logtext "Positive match found: ${FIND2}"
LogText "Positive match found: ${FIND2}"
FOUND=1; FOUND_IN_CRON=1; NTP_CONFIG_TYPE_SCHEDULED=1
fi
done
else
logtext "Result: ${I} is empty, skipping search in directory"
LogText "Result: ${I} is empty, skipping search in directory"
fi
fi
done
if [ ${FOUND_IN_CRON} -eq 1 ]; then
Display --indent 2 --text "- Checking NTP client in cron files" --result FOUND --color GREEN
logtext "Result: found ntpdate or rdate in cron directory"
LogText "Result: found ntpdate or rdate in cron directory"
else
#Display --indent 2 --text "- Checking NTP client in cron.d files" --result "NOT FOUND" --color WHITE
logtext "Result: no ntpdate or rdate found in cron directories"
LogText "Result: no ntpdate or rdate found in cron directories"
fi
# Checking if ntpdate is performed by event
logtext "Test: checking for file /etc/network/if-up.d/ntpdate"
LogText "Test: checking for file /etc/network/if-up.d/ntpdate"
if [ -f /etc/network/if-up.d/ntpdate ]; then
logtext "Result: found ntpdate action when network interface comes up"
LogText "Result: found ntpdate action when network interface comes up"
FOUND=1
NTP_CONFIG_TYPE_EVENTBASED=1
Display --indent 2 --text "- Checking event based ntpdate (if-up)" --result FOUND --color GREEN
else
logtext "Result: file /etc/network/if-up.d/ntpdate does not exist"
LogText "Result: file /etc/network/if-up.d/ntpdate does not exist"
fi
# Configuration file for *BSD
if [ -f /etc/rc.conf ]; then
logtext "Test: Checking if ntpdate is enabled at startup in *BSD"
LogText "Test: Checking if ntpdate is enabled at startup in *BSD"
FIND=`grep 'ntpdate_enable="YES"' /etc/rc.conf`
if [ ! "${FIND}" = "" ]; then
logtext "Result: ntpdate is enabled in rc.conf"
LogText "Result: ntpdate is enabled in rc.conf"
FOUND=1
NTP_CONFIG_TYPE_STARTUP=1
# Only show suggestion when ntpdate is enabled, however ntpd is not running
@ -171,22 +171,22 @@
ReportSuggestion ${TEST_NO} "Although ntpdate is enabled in rc.conf, it is adviced to run it at least daily or use a NTP daemon"
fi
else
logtext "Result: ntpdate is not enabled in rc.conf"
LogText "Result: ntpdate is not enabled in rc.conf"
fi
fi
if [ ${FOUND} -eq 0 ]; then
if [ ${ISVIRTUALMACHINE} -eq 1 ]; then
logtext "Result: Skipping display warning, as virtual machines usually don't need time synchronization in the VM itself"
LogText "Result: Skipping display warning, as virtual machines usually don't need time synchronization in the VM itself"
else
Display --indent 2 --text "- Checking for a running NTP daemon or client" --result WARNING --color RED
logtext "Result: Could not find a NTP daemon or client"
LogText "Result: Could not find a NTP daemon or client"
ReportSuggestion ${TEST_NO} "Use NTP daemon or NTP client to prevent time issues."
AddHP 0 2
fi
else
Display --indent 2 --text "- Checking for a running NTP daemon or client" --result OK --color GREEN
logtext "Result: Found a time syncing daemon/client."
LogText "Result: Found a time syncing daemon/client."
AddHP 3 3
fi
fi
@ -198,10 +198,10 @@
if [ ${SYSTEMD_NTP_ENABLED} -eq 1 -a ! "${TIMEDATECTL}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3106 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check systemd NTP time synchronization status"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Check the status of time synchronization via timedatectl"
LogText "Test: Check the status of time synchronization via timedatectl"
FIND=`${TIMEDATECTL} status | grep "NTP sychronized: yes"`
if [ "${FIND}" = "" ]; then
logtext "Result: time not synchronized via NTP"
LogText "Result: time not synchronized via NTP"
ReportSuggestion "${TEST_NO}" "Check timedatectl output. Sychronization via NTP is enabled, but status reflects it is not synchronized"
fi
fi
@ -213,11 +213,11 @@
if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3112 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check active NTP associations ID's"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking for NTP association ID's from ntpq peers list"
LogText "Test: Checking for NTP association ID's from ntpq peers list"
FIND=`${NTPQBINARY} -p -n | grep "No association ID's returned"`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking valid association ID's" --result FOUND --color GREEN
logtext "Result: Found one or more association ID's"
LogText "Result: Found one or more association ID's"
else
Display --indent 2 --text "- Checking valid association ID's" --result WARNING --color RED
ReportSuggestion ${TEST_NO} "Check ntp.conf for properly configured NTP servers and a correctly functioning name service."
@ -232,28 +232,28 @@
Register --test-no TIME-3116 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check peers with stratum value of 16"
if [ ${SKIPTEST} -eq 0 ]; then
N=0
logtext "Test: Checking stratum 16 sources from ntpq peers list"
LogText "Test: Checking stratum 16 sources from ntpq peers list"
FIND=`${NTPQBINARY} -p -n | awk '{ if ($3=="16") { print $1 } }'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking high stratum ntp peers" --result OK --color GREEN
logtext "Result: All peers are lower than stratum 16"
LogText "Result: All peers are lower than stratum 16"
else
for I in ${FIND}; do
logtext "Found stratum 16 peer: ${I}"
LogText "Found stratum 16 peer: ${I}"
FIND2=`egrep "^ntp:ignore_stratum_16_peer:${I}:" ${PROFILE}`
if [ "${FIND2}" = "" ]; then
N=`expr ${N} + 1`
else
logtext "Output: host ${I} ignored by profile"
LogText "Output: host ${I} ignored by profile"
fi
done
# Check if one or more high stratum time servers are found
if [ ${N} -eq 0 ]; then
Display --indent 2 --text "- Checking high stratum ntp peers" --result OK --color GREEN
logtext "Result: all non local servers are lower than stratum 16, or whitelisted within the scan profile"
LogText "Result: all non local servers are lower than stratum 16, or whitelisted within the scan profile"
else
Display --indent 2 --text "- Checking high stratum ntp peers" --result WARNING --color RED
logtext "Result: Found one or more high stratum (16) peers)"
LogText "Result: Found one or more high stratum (16) peers)"
ReportSuggestion ${TEST_NO} "Check ntpq peers output"
ReportWarning ${TEST_NO} "L" "Found one or more stratum 16 peers"
fi
@ -269,16 +269,16 @@
if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3120 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check unreliable NTP peers"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking unreliable ntp peers"
LogText "Test: Checking unreliable ntp peers"
FIND=`${NTPQBINARY} -p -n | egrep "^(-|#)" | awk '{ print $1 }' | sed 's/^-//g'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking unreliable ntp peers" --result NONE --color GREEN
logtext "Result: No unreliable peers found"
LogText "Result: No unreliable peers found"
else
Display --indent 2 --text "- Checking unreliable ntp peers" --result FOUND --color YELLOW
logtext "Result: Found one or more unreliable peers (marked with a minus or dash sign)"
LogText "Result: Found one or more unreliable peers (marked with a minus or dash sign)"
for I in ${FIND}; do
logtext "Unreliable peer: ${I}"
LogText "Unreliable peer: ${I}"
done
ReportSuggestion ${TEST_NO} "Check ntpq peers output for unreliable ntp peers and correct/replace them"
fi
@ -291,17 +291,17 @@
if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3124 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check selected time source"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking selected time source"
LogText "Test: Checking selected time source"
FIND=`${NTPQBINARY} -p -n | grep '^*' | awk '{ if ($4=="l") { print $1 } }'`
FIND2=`${NTPQBINARY} -p -n | grep '^*' | awk '{ print $1 }'`
if [ "${FIND}" = "" -a ! "${FIND2}" = "" ]; then
Display --indent 2 --text "- Checking selected time source" --result OK --color GREEN
FIND2=`echo ${FIND2} | sed 's/*//g'`
logtext "Result: Found selected time source (value: ${FIND2})"
LogText "Result: Found selected time source (value: ${FIND2})"
else
Display --indent 2 --text "- Checking selected time source" --result WARNING --color RED
logtext "Result: Found local source as selected time source. This could indicate that no external sources are available to sync with."
logtext "Local source: ${FIND}"
LogText "Result: Found local source as selected time source. This could indicate that no external sources are available to sync with."
LogText "Local source: ${FIND}"
ReportSuggestion ${TEST_NO} "Check ntpq peers output for selected time source"
fi
fi
@ -313,18 +313,18 @@
if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3128 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check preffered time source"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking preferred time source"
LogText "Test: Checking preferred time source"
FIND=`${NTPQBINARY} -p -n | grep '^+' | awk '{ print $1 }'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking time source candidates" --result NONE --color YELLOW
logtext "Result: No other time source candidates found"
LogText "Result: No other time source candidates found"
ReportSuggestion ${TEST_NO} "Check ntpq peers output for time source candidates"
else
Display --indent 2 --text "- Checking time source candidates" --result OK --color GREEN
logtext "Result: Found one or more candidates to synchronize time with."
LogText "Result: Found one or more candidates to synchronize time with."
for I in ${FIND}; do
I=`echo ${I} | sed 's/+//g'`
logtext "Candidate found: ${I}"
LogText "Candidate found: ${I}"
done
fi
fi
@ -336,18 +336,18 @@
if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3132 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check NTP falsetickers"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking preferred time source"
LogText "Test: Checking preferred time source"
FIND=`${NTPQBINARY} -p -n | grep '^x'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking falsetickers" --result OK --color GREEN
logtext "Result: No falsetickers found (items preceeding with an 'x')"
LogText "Result: No falsetickers found (items preceeding with an 'x')"
else
Display --indent 2 --text "- Checking falsetickers" --result NONE --color YELLOW
logtext "Result: Found one or more falsetickers (items preceeding with an 'x')"
LogText "Result: Found one or more falsetickers (items preceeding with an 'x')"
for I in ${FIND}; do
I=`echo ${I} | sed 's/x//g'`
logtext "Falseticker found: ${I}"
report "ntp_falseticker=${I}"
LogText "Falseticker found: ${I}"
Report "ntp_falseticker=${I}"
done
ReportSuggestion ${TEST_NO} "Check ntpq peers output for falsetickers"
fi
@ -360,16 +360,16 @@
if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3136 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check NTP protocol version"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking NTP protocol version (ntpq -c ntpversion)"
LogText "Test: Checking NTP protocol version (ntpq -c ntpversion)"
FIND=`${NTPQBINARY} -c ntpversion | awk '{ if ($1=="NTP" && $2=="version" && $5=="is") { print $6 } }'`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Checking NTP version" --result UNKNOWN --color YELLOW
logtext "Result: No NTP version found"
LogText "Result: No NTP version found"
ReportSuggestion ${TEST_NO} "Check ntpq output for NTP protocol version"
else
Display --indent 2 --text "- Checking NTP version" --result FOUND --color GREEN
logtext "Result: Found NTP version ${FIND}"
report "ntp_version=${FIND}"
LogText "Result: Found NTP version ${FIND}"
Report "ntp_version=${FIND}"
fi
fi
#
@ -394,19 +394,19 @@
FILE="/etc/ntp/step-tickers"
if [ -f ${FILE} ]; then
if [ -z ${FILE} ]; then
logtext "Result: ${FILE} is empty. The step-tickers contain no configured NTP servers"
LogText "Result: ${FILE} is empty. The step-tickers contain no configured NTP servers"
Display --indent 2 --text "- Checking NTP step-tickers file" --result "EMPTY FILE" --color YELLOW
ReportSuggestion ${TEST_NO} "Use step-rickers file for quicker time synchronization"
else
logtext "Result: /etc/ntp/step-tickers is not empty, which is fine"
LogText "Result: /etc/ntp/step-tickers is not empty, which is fine"
Display --indent 2 --text "- Checking NTP step-tickers file" --result "OK" --color GREEN
sFIND=`${AWKBINARY} '/^server/ { print $2 }' /etc/ntp.conf | ${GREPBINARY} -v '127.127.1.0'`
for I in ${sFIND}; do
FIND=`${GREPBINARY} ^${I} ${FILE} | wc -l`
if [ ${FIND} -gt 0 ]; then
logtext "Result: $I exist in ${FILE}"
LogText "Result: $I exist in ${FILE}"
else
logtext "Result: ${I} does NOT exist in ${FILE}"
LogText "Result: ${I} does NOT exist in ${FILE}"
FOUND=1
fi
done
@ -416,14 +416,14 @@
AddHP 3 4
else
Display --indent 4 --text "- Checking step-tickers ntp servers entries" --result OK --color GREEN
logtext "Result: all time servers are in step-tickers file"
LogText "Result: all time servers are in step-tickers file"
AddHP 4 4
fi
fi
logtext "Information: step-tickers is used by ntpdate where as ntp.conf is the configuration file for the ntpd daemon. ntpdate is initially run to set the clock before ntpd to make sure time is within 1000 sec."
logtext "Risk: ntp will not run at boot if the time difference between the server and client by more then 1000 sec."
LogText "Information: step-tickers is used by ntpdate where as ntp.conf is the configuration file for the ntpd daemon. ntpdate is initially run to set the clock before ntpd to make sure time is within 1000 sec."
LogText "Risk: ntp will not run at boot if the time difference between the server and client by more then 1000 sec."
else
logtext "Result: test skipped because ${FILE} not found"
LogText "Result: test skipped because ${FILE} not found"
fi
fi
#
@ -437,23 +437,49 @@ wait_for_keypress
#
#################################################################################
#
report "ntp_config_found=${NTP_CONFIG_FOUND}"
report "ntp_config_type_daemon=${NTP_CONFIG_TYPE_DAEMON}"
report "ntp_config_type_eventbased=${NTP_CONFIG_TYPE_EVENTBASED}"
report "ntp_config_type_scheduled=${NTP_CONFIG_TYPE_SCHEDULED}"
report "ntp_config_type_startup=${NTP_CONFIG_TYPE_STARTUP}"
report "ntp_daemon=${NTP_DAEMON}"
report "ntp_daemon_running=${NTP_DAEMON_RUNNING}"
# Test : TIME-3170
# Description : Check file permissions and ownership of configuration files
# Notes : Files should be owned by root, or the user running
# Group owner should have only read access
# Other should preferably have no access, or read-only at max
FILE_ARRAY="/etc/chrony.conf /etc/inet/ntp.conf /etc/ntp.conf /usr/local/etc/ntp.conf"
Register --test-no TIME-3170 --weight L --network NO --description "Check configuration files"
if [ ${SKIPTEST} -eq 0 ]; then
for FILE in ${FILE_ARRAY}; do
if [ -f ${FILE} ]; then
LogText "Result: found ${FILE}"
if IsWorldWritable ${FILE}; then
echo $?
echo "File ${FILE} is writable!!!!"
fi
Report "ntp_config_file[]=${FILE}"
fi
done
fi
#
#################################################################################
#
Report "ntp_config_found=${NTP_CONFIG_FOUND}"
Report "ntp_config_type_daemon=${NTP_CONFIG_TYPE_DAEMON}"
Report "ntp_config_type_eventbased=${NTP_CONFIG_TYPE_EVENTBASED}"
Report "ntp_config_type_scheduled=${NTP_CONFIG_TYPE_SCHEDULED}"
Report "ntp_config_type_startup=${NTP_CONFIG_TYPE_STARTUP}"
Report "ntp_daemon=${NTP_DAEMON}"
Report "ntp_daemon_running=${NTP_DAEMON_RUNNING}"
#
#################################################################################
#
# OS Time daemons Configuration file
# --------------------------------------------
# AIX xntpd /etc/ntp.conf
# HP
# Linux ntpd /etc/ntp.conf
# chrony /etc/chrony.conf
# OpenBSD ntpd /etc/ntpd.conf
# Solaris xntpd /etc/inet/ntp.conf
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com

48
include/tests_tooling
View File

@ -5,7 +5,7 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -42,28 +42,28 @@
# Cfengine
if [ ! "${CFAGENTBINARY}" = "" ]; then
logtext "Result: CFEngine (cfagent) is installed (${CFAGENTBINARY})"
LogText "Result: CFEngine (cfagent) is installed (${CFAGENTBINARY})"
AUTOMATION_TOOL_FOUND=1
CFENGINE_AGENT_FOUND=1
report "automation_tool_running[]=cf-agent"
Report "automation_tool_running[]=cf-agent"
Display --indent 4 --text "Found: Cfengine (cfagent)" --result FOUND --color GREEN
fi
OTHER_CFENGINE_LOCATIONS="/var/cfengine/bin"
for I in ${OTHER_CFENGINE_LOCATIONS}; do
if [ -d ${I} ]; then
if [ -f ${I}/cf-agent ]; then
logtext "Result: found CFEngine agent (cf-agent) in ${I}"
LogText "Result: found CFEngine agent (cf-agent) in ${I}"
AUTOMATION_TOOL_FOUND=1
CFENGINE_AGENT_FOUND=1
report "automation_tool_running[]=cf-agent"
Report "automation_tool_running[]=cf-agent"
Display --indent 4 --text "Found: CFEngine (cf-agent)" --result FOUND --color GREEN
fi
IsRunning "cf-server"
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: found CFEngine server"
LogText "Result: found CFEngine server"
AUTOMATION_TOOL_FOUND=1
CFENGINE_SERVER_RUNNING=1
report "automation_tool_running[]=cf-server"
Report "automation_tool_running[]=cf-server"
Display --indent 4 --text "Found: CFEngine (cf-server)" --result FOUND --color GREEN
fi
fi
@ -76,57 +76,57 @@
if [ -f ${I}/chef-client ]; then
CHEFCLIENTBINARY="${I}/chef-client"
AUTOMATION_TOOL_FOUND=1
report "automation_tool_running[]=chef-client"
Report "automation_tool_running[]=chef-client"
Display --indent 4 --text "Found: Chef client (chef-client)" --result FOUND --color GREEN
logtext "Result: found chef-client (chef client daemon) in ${I}"
LogText "Result: found chef-client (chef client daemon) in ${I}"
fi
if [ -f ${I}/erchef ]; then
CHEFSERVERBINARY="${I}/erchef"
logtext "Result: Chef Server (erchef) is installed (${CHEFSERVERBINARY})"
LogText "Result: Chef Server (erchef) is installed (${CHEFSERVERBINARY})"
AUTOMATION_TOOL_FOUND=1
report "automation_tool_running[]=chef-server"
Report "automation_tool_running[]=chef-server"
Display --indent 4 --text "Found: Chef Server (erchef)" --result FOUND --color GREEN
logtext "Result: found erchef (chef server daemon) in ${I}"
LogText "Result: found erchef (chef server daemon) in ${I}"
fi
fi
done
# Puppet
if [ ! "${PUPPETBINARY}" = "" ]; then
logtext "Result: Puppet is installed (${PUPPETBINARY})"
LogText "Result: Puppet is installed (${PUPPETBINARY})"
AUTOMATION_TOOL_FOUND=1
report "automation_tool_running[]=puppet-agent"
Report "automation_tool_running[]=puppet-agent"
Display --indent 4 --text "Found: Puppet (agent)" --result FOUND --color GREEN
fi
IsRunning "puppet master"
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: found puppet master"
LogText "Result: found puppet master"
PUPPET_MASTER_RUNNING=1
report "automation_tool_running[]=puppet-master"
Report "automation_tool_running[]=puppet-master"
Display --indent 4 --text "Found: Puppet (master)" --result FOUND --color GREEN
fi
# SaltStack
if [ ! "${SALTMINIONBINARY}" = "" ]; then
logtext "Result: SaltStack (salt-minion) is installed (${SALTMINIONBINARY})"
LogText "Result: SaltStack (salt-minion) is installed (${SALTMINIONBINARY})"
AUTOMATION_TOOL_FOUND=1
SALT_MINION_RUNNING=1
report "automation_tool_running[]=saltstack-minion"
Report "automation_tool_running[]=saltstack-minion"
Display --indent 4 --text "Found: SaltStack minion (salt-minion)" --result FOUND --color GREEN
fi
if [ ! "${SALTMASTERBINARY}" = "" ]; then
logtext "Result: SaltStack (salt-master) is installed (${SALTMASTERBINARY})"
LogText "Result: SaltStack (salt-master) is installed (${SALTMASTERBINARY})"
AUTOMATION_TOOL_FOUND=1
SALT_MASTER_RUNNING=1
report "automation_tool_running[]=saltstack-minion"
Report "automation_tool_running[]=saltstack-minion"
Display --indent 4 --text "Found: SaltStack master (salt-master)" --result FOUND --color GREEN
else
IsRunning "salt-master"
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: found SaltStack (master)"
LogText "Result: found SaltStack (master)"
AUTOMATION_TOOL_FOUND=1
SALT_MASTER_RUNNING=1
report "automation_tool_running[]=saltstack-master"
Report "automation_tool_running[]=saltstack-master"
Display --indent 4 --text "Found: SaltStack (master)" --result FOUND --color GREEN
fi
fi
@ -150,10 +150,10 @@
#
#################################################################################
#
report "automation_tool_present=${AUTOMATION_TOOL_FOUND}"
Report "automation_tool_present=${AUTOMATION_TOOL_FOUND}"
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com

8
include/tests_virtualization
View File

@ -5,7 +5,7 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -32,9 +32,9 @@
# # check memory driver file
# # check LKM list
# # check vmware tools
# logtext "Test: checking VMware tools daemon presence"
# LogText "Test: checking VMware tools daemon presence"
# if [ ! "${VMWARETOOLSBINARY}" = "" ]; then
# logtext "Result: VMware tools binary found"
# LogText "Result: VMware tools binary found"
# VMWARE_GUEST=1
# Display --indent 4 --text "- Checking VMware tools daemon" --result FOUND --color GREEN
# else
@ -50,4 +50,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com

126
include/tests_webservers
View File

@ -5,7 +5,7 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -58,14 +58,14 @@
if [ "${HTTPDBINARY}" = "" ]; then
Display --indent 2 --text "- Checking Apache" --result "NOT FOUND" --color WHITE
else
logtext "Test: Scanning for Apache binary"
LogText "Test: Scanning for Apache binary"
IS_APACHE=`${HTTPDBINARY} -v 2> /dev/null | egrep '[aA]pache'`
if [ "${IS_APACHE}" = "" ]; then
logtext "Result: ${HTTPDBINARY} is not Apache"
LogText "Result: ${HTTPDBINARY} is not Apache"
Display --indent 2 --text "- Checking Apache (binary ${HTTPDBINARY})" --result "NO MATCH" --color WHITE
else
Display --indent 2 --text "- Checking Apache (binary ${HTTPDBINARY})" --result "FOUND" --color GREEN
logtext "Result: ${HTTPDBINARY} seems to be Apache HTTP daemon"
LogText "Result: ${HTTPDBINARY} seems to be Apache HTTP daemon"
APACHE_INSTALLED=1
fi
fi
@ -91,7 +91,7 @@
APACHE_TEST=`${HTTPDBINARY} -V 2> /dev/null | grep "\-D SERVER_CONFIG_FILE=" | sed 's/[ ]-D SERVER_CONFIG_FILE=//' | tr -d '"' | tr -d ' ' | tr -d '[:cntrl:]'`
if [ "${APACHE_TEST}" = "" ]; then
logtext "Result: Can't find the configuration file, so skipping some Apache related tests"
LogText "Result: Can't find the configuration file, so skipping some Apache related tests"
else
# We found a possible match. Checking if it's valid filename. If not, we need to add a prefix
if [ -f ${APACHE_TEST} ]; then
@ -106,9 +106,9 @@
if [ -f ${APACHE_TESTFILE} ]; then
APACHE_CONFIGFILE="${APACHE_TESTFILE}"
Display --indent 6 --text "Info: Configuration file found (${APACHE_CONFIGFILE})"
logtext "Result: Configuration file found (${APACHE_CONFIGFILE})"
LogText "Result: Configuration file found (${APACHE_CONFIGFILE})"
else
logtext "Result: File or directory ${APACHE_CONFIGFILE} does not exist"
LogText "Result: File or directory ${APACHE_CONFIGFILE} does not exist"
Display --indent 6 --text "[Notice] possible directory/file parts found, but still unsure what the real configuration file is. Skipping some Apache related tests"
ReportException "${TEST_NO}:1" "Found some unknown directory or file references in Apache configuration"
fi
@ -139,7 +139,7 @@
# Check every configuration file
for I in `cat ${TMPFILE}`; do
logtext "Apache config file: ${I}"
LogText "Apache config file: ${I}"
FileIsReadable ${I}
if [ ${CANREAD} -eq 1 ]; then
@ -158,7 +158,7 @@
fi
done
else
logtext "Result: can not read configuration file with this user ID"
LogText "Result: can not read configuration file with this user ID"
ReportException "${TEST_NO}:1" "Can not read configuration file $I"
fi
done
@ -166,13 +166,13 @@
# Log all virtual hosts we found
for J in ${tVHOSTS}; do
if [ ! -z ${J} ]; then
logtext "Virtual host: ${J}"
report "apache_vhost_name[]=${J}"
LogText "Virtual host: ${J}"
Report "apache_vhost_name[]=${J}"
fi
done
# Show number of vhosts if we found any
logtext "Result: found ${cVHOSTS} virtual hosts"
LogText "Result: found ${cVHOSTS} virtual hosts"
if [ ${cVHOSTS} -gt 0 ]; then
Display --indent 6 --text "Info: Found ${cVHOSTS} virtual hosts"
else
@ -204,15 +204,15 @@
# if [ ! "${SERVERTOKENSTEST}" = "" ]; then
# Display --indent 4 --text "- Checking option ServerTokens" --result FOUND --color WHITE
# SERVERTOKENSTEST=`echo ${SERVERTOKENSTEST} | sed 's/ServerTokens//' | tr -d ' '`
# logtext "Option ServerTokens found: ${SERVERTOKENSTEST}"
# LogText "Option ServerTokens found: ${SERVERTOKENSTEST}"
# SERVERTOKENSEXPECTED=`grep 'apache' ${PROFILE} | grep 'ServerTokens' | cut -d ':' -f3`
# if [ "${SERVERTOKENSEXPECTED}" = "${SERVERTOKENSTEST}" ]; then
# logtext "Result: Value from configuration file yielded the same output as in template"
# LogText "Result: Value from configuration file yielded the same output as in template"
# SERVERTOKENSFOUND=1
# else
# logtext "Result: Value of ServerTokens within active configuration is different than from used template."
# logtext "Found: ${SERVERTOKENSTEST}"
# logtext "Expected: ${SERVERTOKENSEXPECTED}"
# LogText "Result: Value of ServerTokens within active configuration is different than from used template."
# LogText "Found: ${SERVERTOKENSTEST}"
# LogText "Expected: ${SERVERTOKENSEXPECTED}"
# fi
# else
# Display --indent 4 --text "- Checking option ServerTokens" --result "NOT FOUND" --color WHITE
@ -220,7 +220,7 @@
#
# else
# # File does not exist, skipping
# logtext "File ${APACHE_CONFIGFILE} does not exist, so skipping tests on this file"
# LogText "File ${APACHE_CONFIGFILE} does not exist, so skipping tests on this file"
# fi
# done
#
@ -244,14 +244,14 @@
#Register --test-no HTTP-6630 --preqs-met ${PREQS_MET} --weight L --network NO --description "Determining all loaded Apache modules"
#if [ ${SKIPTEST} -eq 0 ]; then
# Testing Debian style
#logtext "Test: searching loaded/enabled Apache modules"
#LogText "Test: searching loaded/enabled Apache modules"
#apachectl -t -D DUMP_MODULES 2>&1 | egrep -v "(Loaded Modules|Syntax OK)" | sed 's/(\(shared\|static\))//' | sed 's/ //'
#for I in ${APACHE_MODULES_ENABLED_LOCS}; do
#logtext "Test: checking ${I}"
#LogText "Test: checking ${I}"
#if [ -d ${I} ]; then
#FIND=`grep -r LoadModule ${I}/* | grep -v "^#" | awk '{ print $2":"$3 }'`
#else
#logtext "Result: ${I} does not exist"
#LogText "Result: ${I} does not exist"
#fi
#done
#fi
@ -263,15 +263,15 @@
if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6632 --preqs-met ${PREQS_MET} --weight L --network NO --description "Determining all available Apache modules"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: searching available Apache modules"
LogText "Test: searching available Apache modules"
N=0
for I in ${APACHE_MODULES_LOCS}; do
DirectoryExists ${I}
if [ ${DIRECTORY_FOUND} -eq 1 ]; then
FIND=`find ${I} -name mod_* -print | sort`
for J in ${FIND}; do
report "apache_module[]=${J}"
logtext "Result: found Apache module ${J}"
Report "apache_module[]=${J}"
LogText "Result: found Apache module ${J}"
N=`expr ${N} + 1`
done
fi
@ -373,14 +373,14 @@
# Description : Search for nginx process
Register --test-no HTTP-6702 --weight L --network NO --description "Check nginx process"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: searching running nginx process"
LogText "Test: searching running nginx process"
FIND=`${PSBINARY} ax | grep "/nginx" | grep "master" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found running nginx process(es)"
LogText "Result: found running nginx process(es)"
Display --indent 2 --text "- Checking nginx" --result FOUND --color GREEN
NGINX_RUNNING=1
else
logtext "Result: no running nginx process found"
LogText "Result: no running nginx process found"
Display --indent 2 --text "- Checking nginx" --result "NOT FOUND" --color WHITE
fi
fi
@ -392,19 +392,19 @@
if [ ${NGINX_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6704 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nginx configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: searching nginx configuration file"
LogText "Test: searching nginx configuration file"
for I in ${NGINX_CONF_LOCS}; do
if [ -f ${I}/nginx.conf ]; then
NGINX_CONF_LOCATION="${I}/nginx.conf"
logtext "Found file ${NGINX_CONF_LOCATION}"
LogText "Found file ${NGINX_CONF_LOCATION}"
fi
done
if [ ! "${NGINX_CONF_LOCATION}" = "" ]; then
logtext "Result: found nginx configuration file"
report "nginx_main_conf_file=${NGINX_CONF_LOCATION}"
LogText "Result: found nginx configuration file"
Report "nginx_main_conf_file=${NGINX_CONF_LOCATION}"
Display --indent 4 --text "- Searching nginx configuration file" --result FOUND --color GREEN
else
logtext "Result: no nginx configuration file found"
LogText "Result: no nginx configuration file found"
Display --indent 2 --text "- Searching nginx configuration file" --result "NOT FOUND" --color WHITE
fi
fi
@ -429,8 +429,8 @@
# Ensure that we are parsing normal files
if [ -f ${J} ]; then
N=`expr ${N} + 1`
logtext "Result: found Nginx configuration file ${J}"
report "nginx_sub_conf_file=${J}"
LogText "Result: found Nginx configuration file ${J}"
Report "nginx_sub_conf_file=${J}"
FileIsReadable ${J}
if [ ${CANREAD} -eq 1 ]; then
FIND3=`sed -e 's/^[ ]*//' ${J} | grep -v "^#" | grep -v "^$" | sed 's/[ ]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE}`
@ -445,14 +445,14 @@
SORTFILE=`sort -u ${TMPFILE} | sed 's/ /:space:/g' | egrep -v "(application|audio|image|text|video)/" | egrep -v "({|})"`
for I in ${SORTFILE}; do
I=`echo ${I} | sed 's/:space:/ /g'`
report "nginx_config_option=${I}";
Report "nginx_config_option=${I}";
done
# Remove unsorted file for next tests
if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi
if [ ${N} -eq 0 ]; then
logtext "Result: no nginx include statements found"
LogText "Result: no nginx include statements found"
else
Display --indent 6 --text "- Found nginx includes" --result "${N} FOUND" --color GREEN
fi
@ -466,7 +466,7 @@
if [ ${NGINX_RUNNING} -eq 1 -a "${NGINX_CONF_LOCATION}" != "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6708 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check discovered nginx configuration settings"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: start parsing all discovered nginx options"
LogText "Test: start parsing all discovered nginx options"
Display --indent 4 --text "- Parsing configuration options"
ParseNginx
fi
@ -481,7 +481,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
NGINX_SSL_SUGGESTION=0
if [ ${NGINX_SSL_ON} -eq 1 ]; then
logtext "Result: SSL is configured in nginx on one or more virtual hosts"
LogText "Result: SSL is configured in nginx on one or more virtual hosts"
Display --indent 6 --text "- SSL configured" --result "YES" --color GREEN
AddHP 5 5
# Cipher tests
@ -513,13 +513,13 @@
fi
else
logtext "Result: No SSL configuration found"
LogText "Result: No SSL configuration found"
Display --indent 6 --text "- SSL configured" --result "NO" --color RED
NGINX_SSL_SUGGESTION=1
AddHP 1 5
fi
if [ ${NGINX_SSL_SUGGESTION} -eq 1 ]; then
logtext "Result: one or more parts of the nginx configuration could be enhanced regarding SSL"
LogText "Result: one or more parts of the nginx configuration could be enhanced regarding SSL"
ReportSuggestion ${TEST_NO} "Configure SSL in nginx for protection of sensitive data and privacy"
fi
fi
@ -545,11 +545,11 @@
# Access log disabled
if [ ${NGINX_ACCESS_LOG_DISABLED} -eq 1 ]; then
NGINX_LOG_SUGGESTION=1
logtext "Result: found one or more virtual hosts which have their access log disabled"
LogText "Result: found one or more virtual hosts which have their access log disabled"
Display --indent 8 --text "- Disabled access logging" --result "YES" --color RED
AddHP 2 3
else
logtext "Result: no virtual hosts found which have their access log disabled"
LogText "Result: no virtual hosts found which have their access log disabled"
Display --indent 8 --text "- Disabled access logging" --result "NO" --color GREEN
AddHP 3 3
fi
@ -591,11 +591,11 @@
# Access log in debug mode
if [ ${NGINX_ERROR_LOG_DEBUG} -eq 1 ]; then
NGINX_LOG_SUGGESTION=1
logtext "Result: found one or more virtual hosts which have their error log in debug mode"
LogText "Result: found one or more virtual hosts which have their error log in debug mode"
Display --indent 8 --text "- Debugging mode on error_log" --result "YES" --color RED
AddHP 2 3
else
logtext "Result: no virtual hosts found which have their access log disabled"
LogText "Result: no virtual hosts found which have their access log disabled"
Display --indent 8 --text "- Debugging mode on error_log" --result "NO" --color GREEN
AddHP 3 3
fi
@ -614,17 +614,17 @@
# Register --test-no HTTP-67xx --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nginx virtual hosts"
# if [ ${SKIPTEST} -eq 0 ]; then
# N=0
# logtext "Test: searching proxy_pass statement in configuration file ${NGINX_CONF_LOCATION}"
# LogText "Test: searching proxy_pass statement in configuration file ${NGINX_CONF_LOCATION}"
# FIND=`grep "proxy_pass" ${NGINX_CONF_LOCATION} | grep -v "#" | sed 's/proxy_pass//g' | tr -d ';'`
# for I in ${FIND}; do
# logtext "Found reverse proxy configuration for: ${I}"
# LogText "Found reverse proxy configuration for: ${I}"
# N=`expr ${N} + 1`
# done
# if [ ${N} -eq 0 ]; then
# logtext "Result: no reverse proxying functionality found"
# LogText "Result: no reverse proxying functionality found"
# Display --indent 4 --text "- Searching reverse proxy functionality" --result "NOT FOUND" --color WHITE
# else
# logtext "Result: found ${N} addresses for which nginx will be a reverse proxy"
# LogText "Result: found ${N} addresses for which nginx will be a reverse proxy"
# Display --indent 4 --text "- Searching reverse proxy functionality" --result "${N} FOUND" --color GREEN
# fi
# fi
@ -638,19 +638,19 @@
# Register --test-no HTTP-67xx --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nginx virtual hosts"
# if [ ${SKIPTEST} -eq 0 ]; then
# N=0
# logtext "Test: searching nginx virtual hosts"
# LogText "Test: searching nginx virtual hosts"
# FIND=`grep "server_name" ${NGINX_CONF_LOCATION} | grep -v "#" | sed 's/server_name//g' | tr -d ';'`
# for I in ${FIND}; do
# if [ "${I}" = "_" ]; then I="Default virtual host"; fi
# logtext "Found virtual host: ${I}"
# report "nginx_vhost_name[]=${I}"
# LogText "Found virtual host: ${I}"
# Report "nginx_vhost_name[]=${I}"
# N=`expr ${N} + 1`
# done
# if [ ${N} -eq 0 ]; then
# logtext "Result: no virtual hosts found"
# LogText "Result: no virtual hosts found"
# Display --indent 4 --text "- Searching virtual hosts" --result "NOT FOUND" --color WHITE
# else
# logtext "Result: found ${N} virtual hosts"
# LogText "Result: found ${N} virtual hosts"
# Display --indent 4 --text "- Searching virtual hosts" --result "${N} FOUND" --color GREEN
# fi
# fi
@ -662,27 +662,27 @@
if [ ${NGINX_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6720 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Nginx log files"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking directories for files with log file definitions"
LogText "Test: Checking directories for files with log file definitions"
for I in ${NGINX_CONF_LOCS}; do
logtext "Test: Checking ${I}"
LogText "Test: Checking ${I}"
if [ -d ${I} ]; then
logtext "Result: Directory ${I} exists, so will be used as search path"
LogText "Result: Directory ${I} exists, so will be used as search path"
FIND=`find ${I} -type f -exec grep access_log \{\} \; | grep -v "#" | awk '{ if($1=="access_log") { print $2 } }' | sed 's/;$//g' | sort -u`
if [ "${FIND}" = "" ]; then
logtext "Result: no log files found"
LogText "Result: no log files found"
else
logtext "Result: found one or more log files"
LogText "Result: found one or more log files"
for I in ${FIND}; do
if [ -f ${I} ]; then
logtext "Found log file: ${I}"
report "log_file=${I}"
LogText "Found log file: ${I}"
Report "log_file=${I}"
else
logtext "Found non existing log file: ${I}"
LogText "Found non existing log file: ${I}"
fi
done
fi
else
logtext "Result: directory ${I} not found, skipping search in this directory."
LogText "Result: directory ${I} not found, skipping search in this directory."
fi
done
fi
@ -704,4 +704,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com

6
lynis
View File

@ -5,7 +5,7 @@
# Lynis
# ------------------
#
# Copyright 2007-2015 Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Copyright 2007-2016 Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -32,7 +32,7 @@
PROGRAM_author="Michael Boelen, CISOfy"
PROGRAM_author_contact="lynis-dev@cisofy.com"
PROGRAM_website="https://cisofy.com"
PROGRAM_copyright="Copyright 2007-2015 - ${PROGRAM_author}, ${PROGRAM_website}"
PROGRAM_copyright="Copyright 2007-2016 - ${PROGRAM_author}, ${PROGRAM_website}"
PROGRAM_license="${PROGRAM_name} comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
welcome to redistribute it under the terms of the GNU General Public License.
See the LICENSE file for details about using this software."
@ -897,4 +897,4 @@
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com