tyler.durden/lynis
1
0
Fork 0
mirror of https://github.com/CISOfy/lynis.git synced 2025-07-27 07:44:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Made adjustments to run in non-privileged scans

Browse Source
This commit is contained in:
mboelen 2014-09-09 14:49:37 +02:00
parent 3beae44e92
commit dd2ea3efaf
7 changed files with 447 additions and 406 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
include/tests_authentication
View File

@ -740,13 +740,13 @@
case ${LINUX_VERSION} in case ${LINUX_VERSION} in
"SuSE") "SuSE")
PREQS_MET="YES" PREQS_MET="YES"
FIND=`passwd -a -S | awk '{ if ($2=="P" && $5=="99999") print $1 }'` FIND=`passwd -a -S 2> /dev/null | awk '{ if ($2=="P" && $5=="99999") print $1 }'`
FIND2=`passwd -a -S | awk '{ if ($2=="NP") print $1 }'` FIND2=`passwd -a -S 2> /dev/null | awk '{ if ($2=="NP") print $1 }'`
;; ;;
*) *)
PREQS_MET="YES" PREQS_MET="YES"
FIND=`passwd --all --status | awk '{ if ($2=="P" && $5=="99999") print $1 }'` FIND=`passwd --all --status 2> /dev/null | awk '{ if ($2=="P" && $5=="99999") print $1 }'`
FIND2=`passwd --all --status | awk '{ if ($2=="NP") print $1 }'` FIND2=`passwd --all --status 2> /dev/null | awk '{ if ($2=="NP") print $1 }'`
;; ;;
esac esac
else else

15
include/tests_boot_services
View File

@ -39,6 +39,8 @@
Display --indent 4 --text "- Checking presence GRUB... " --result "OK" --color GREEN Display --indent 4 --text "- Checking presence GRUB... " --result "OK" --color GREEN
if [ -f /boot/grub/grub.conf ]; then GRUBCONFFILE="/boot/grub/grub.conf"; else GRUBCONFFILE="/boot/grub/menu.lst"; fi if [ -f /boot/grub/grub.conf ]; then GRUBCONFFILE="/boot/grub/grub.conf"; else GRUBCONFFILE="/boot/grub/menu.lst"; fi
logtext "Found file ${GRUBCONFFILE}, proceeding with tests." logtext "Found file ${GRUBCONFFILE}, proceeding with tests."
FileIsReadable ${GRUBCONFFILE}
if [ ${CANREAD} -eq 1 ]; then
FIND=`cat ${GRUBCONFFILE} | grep 'password --md5' | grep -v '^#'` FIND=`cat ${GRUBCONFFILE} | grep 'password --md5' | grep -v '^#'`
FIND2=`cat ${GRUBCONFFILE} | grep 'password --encrypted' | grep -v '^#'` FIND2=`cat ${GRUBCONFFILE} | grep 'password --encrypted' | grep -v '^#'`
if [ "${FIND}" = "" -a "${FIND2}" = "" ]; then if [ "${FIND}" = "" -a "${FIND2}" = "" ]; then
@ -55,6 +57,9 @@
logtext "Result: GRUB has password protection." logtext "Result: GRUB has password protection."
AddHP 4 4 AddHP 4 4
fi fi
else
logtext "Warning: can not read ${GRUBCONFFILE}"
fi
fi fi
# GRUB2 configuration file # GRUB2 configuration file
@ -114,12 +119,15 @@
# Notes : password= or password = # Notes : password= or password =
Register --test-no BOOT-5139 --weight L --network NO --description "Check for LILO boot loader presence" Register --test-no BOOT-5139 --weight L --network NO --description "Check for LILO boot loader presence"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LILOCONFFILE="/etc/lilo.conf"
logtext "Test: checking for presence LILO configuration file..." logtext "Test: checking for presence LILO configuration file..."
if [ -f /etc/lilo.conf ]; then if [ -f ${LILOCONFFILE} ]; then
FileIsReadable ${LILOCONFFILE}
if [ ${CANREAD} -eq 1 ]; then
BOOT_LOADER="LILO" BOOT_LOADER="LILO"
Display --indent 4 --text "- Checking presence LILO... " --result "OK" --color GREEN Display --indent 4 --text "- Checking presence LILO... " --result "OK" --color GREEN
logtext "Checking password option LILO..." logtext "Checking password option LILO..."
FIND=`cat /etc/lilo.conf | ${EGREPBINARY} 'password[[:space:]]?=' | grep -v "^#"` FIND=`cat ${LILOCONFFILE} | ${EGREPBINARY} 'password[[:space:]]?=' | grep -v "^#"`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
Display --indent 6 --text "- Password option presence " --result "WARNING" --color RED Display --indent 6 --text "- Password option presence " --result "WARNING" --color RED
logtext "Result: no password set for LILO. Bootloader is unprotected to" logtext "Result: no password set for LILO. Bootloader is unprotected to"
@ -133,6 +141,9 @@
AddHP 4 4 AddHP 4 4
fi fi
#YYY (making /etc/lilo.conf immutable is a good idea, chattr +i /etc/lilo.conf) #YYY (making /etc/lilo.conf immutable is a good idea, chattr +i /etc/lilo.conf)
else
logtext "Warning: can not access ${LILOCONFFILE}"
fi
else else
Display --indent 4 --text "- Checking presence LILO... " --result "NOT FOUND" --color WHITE Display --indent 4 --text "- Checking presence LILO... " --result "NOT FOUND" --color WHITE
logtext "Result: LILO configuration file not found" logtext "Result: LILO configuration file not found"

10
include/tests_crypto
View File

@ -32,10 +32,14 @@
sSSL_PATHS=`grep "^ssl:certificates:" ${PROFILE} | cut -d ':' -f3` sSSL_PATHS=`grep "^ssl:certificates:" ${PROFILE} | cut -d ':' -f3`
for I in ${sSSL_PATHS}; do for I in ${sSSL_PATHS}; do
if [ -d ${I} ]; then if [ -d ${I} ]; then
FileIsReadable ${I}
if [ ${CANREAD} -eq 1 ]; then
logtext "Result: found directory ${I}" logtext "Result: found directory ${I}"
# Search for CRT files # Search for CRT files
sFINDCRTS=`find ${I} -name "*.crt" -type f -print 2> /dev/null` sFINDCRTS=`find ${I} -name "*.crt" -type f -print 2> /dev/null`
for J in ${sFINDCRTS}; do for J in ${sFINDCRTS}; do
FileIsReadable ${J}
if [ ${CANREAD} -eq 1 ]; then
logtext "Test: checking certificate ${J}" logtext "Test: checking certificate ${J}"
# Check certificate where 'end date' has been expired # Check certificate where 'end date' has been expired
FIND=`${OPENSSLBINARY} x509 -noout -checkend 0 -in ${J} -enddate > /dev/null ; echo $?` FIND=`${OPENSSLBINARY} x509 -noout -checkend 0 -in ${J} -enddate > /dev/null ; echo $?`
@ -48,7 +52,13 @@
report "expired_certificate[]=${J}" report "expired_certificate[]=${J}"
#YYY Dump more information to log file #YYY Dump more information to log file
fi fi
else
logtext "Warning: can not read file ${J}"
fi
done done
else
logtext "Warning: No read access to path ${I}"
fi
else else
logtext "Result: SSL path ${I} does not exist" logtext "Result: SSL path ${I} does not exist"
fi fi

6
include/tests_mail_messaging
View File

@ -82,9 +82,9 @@
logtext "Test: check Postfix status" logtext "Test: check Postfix status"
# Some other processes also use master, therefore it should include both master and postfix # Some other processes also use master, therefore it should include both master and postfix
FIND1=`${PSBINARY} ax | grep "master" | grep "postfix" | grep -v "grep"` FIND1=`${PSBINARY} ax | grep "master" | grep "postfix" | grep -v "grep"`
FIND2=`${PSBINARY} ax | grep "qmgr" | grep "postfix" | grep -v "grep"` #FIND2=`${PSBINARY} ax | grep "qmgr" | grep "postfix" | grep -v "grep"`
FIND3=`${PSBINARY} ax | grep "pickup" | grep "postfix" | grep -v "grep"` #FIND3=`${PSBINARY} ax | grep "pickup" | grep "postfix" | grep -v "grep"`
if [ ! "${FIND1}" = "" -a ! "${FIND2}" = "" -a ! "${FIND3}" = "" ]; then if [ ! "${FIND1}" = "" ]; then
logtext "Result: found running Postfix process" logtext "Result: found running Postfix process"
Display --indent 2 --text "- Checking Postfix status..." --result RUNNING --color GREEN Display --indent 2 --text "- Checking Postfix status..." --result RUNNING --color GREEN
POSTFIX_RUNNING=1 POSTFIX_RUNNING=1

2
include/tests_ports_packages
View File

@ -702,7 +702,7 @@
# Trying also with apt-get directly (does not always work, as updates are distributed on both -security and -updates) # Trying also with apt-get directly (does not always work, as updates are distributed on both -security and -updates)
# Show packages which would be upgraded and match 'security' in repository name # Show packages which would be upgraded and match 'security' in repository name
FIND=`/usr/bin/apt-get --dry-run --show-upgraded upgrade | grep '-security' | grep "^Inst" | cut -d ' ' -f2 | sort | uniq` FIND=`/usr/bin/apt-get --dry-run --show-upgraded upgrade 2> /dev/null | grep '-security' | grep "^Inst" | cut -d ' ' -f2 | sort | uniq`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
#Display --indent 2 --text "- Checking vulnerable packages..." --result WARNING --color RED #Display --indent 2 --text "- Checking vulnerable packages..." --result WARNING --color RED
VULNERABLE_PACKAGES_FOUND=1 VULNERABLE_PACKAGES_FOUND=1

14
include/tests_scheduling
View File

@ -47,6 +47,8 @@
for I in ${CRON_DIRS}; do for I in ${CRON_DIRS}; do
logtext "Test: checking directory ${I}" logtext "Test: checking directory ${I}"
if [ -d ${I} ]; then if [ -d ${I} ]; then
FileIsReadable ${I}
if [ ${CANREAD} -eq 1 ]; then
logtext "Result: found directory ${I}" logtext "Result: found directory ${I}"
logtext "Test: searching files in ${I}" logtext "Test: searching files in ${I}"
FIND=`find ${I} -type f -print` FIND=`find ${I} -type f -print`
@ -62,6 +64,9 @@
done done
logtext "Result: done with analyzing files in ${I}" logtext "Result: done with analyzing files in ${I}"
fi fi
else
logtext "Result: can not read file or directory ${I}"
fi
else else
logtext "Result: directory ${I} does not exist" logtext "Result: directory ${I} does not exist"
fi fi
@ -169,6 +174,8 @@
if [ ${AT_UNKNOWN} -eq 0 ]; then if [ ${AT_UNKNOWN} -eq 0 ]; then
logtext "Test: checking for file ${AT_ALLOW}" logtext "Test: checking for file ${AT_ALLOW}"
if [ -f ${AT_ALLOW} ]; then if [ -f ${AT_ALLOW} ]; then
FileIsReadable ${AT_ALLOW}
if [ ${CANREAD} -eq 1 ]; then
logtext "Result: file ${AT_ALLOW} exists, only listed users can schedule at jobs" logtext "Result: file ${AT_ALLOW} exists, only listed users can schedule at jobs"
FIND=`cat ${AT_ALLOW} | sort` FIND=`cat ${AT_ALLOW} | sort`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
@ -178,10 +185,14 @@
logtext "Allowed at user: ${I}" logtext "Allowed at user: ${I}"
done done
fi fi
else
logtext "Warning: can not read ${AT_ALLOW}"
fi
else else
logtext "Result: file ${AT_ALLOW} does not exist" logtext "Result: file ${AT_ALLOW} does not exist"
logtext "Test: checking for file ${AT_DENY}" logtext "Test: checking for file ${AT_DENY}"
if [ -f ${AT_DENY} ]; then if [ -f ${AT_DENY} ]; then
if [ -f ${AT_ALLOW} ]; then
logtext "Result: file ${AT_DENY} exists, only non listed users can schedule at jobs" logtext "Result: file ${AT_DENY} exists, only non listed users can schedule at jobs"
FIND=`cat ${AT_DENY} | sort` FIND=`cat ${AT_DENY} | sort`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
@ -191,6 +202,9 @@
logtext "Denied at user: ${I}" logtext "Denied at user: ${I}"
done done
fi fi
else
logtext "Warning: can not read ${AT_DENY}"
fi
else else
logtext "Result: both ${AT_ALLOW} and ${AT_DENY} do not exist" logtext "Result: both ${AT_ALLOW} and ${AT_DENY} do not exist"
logtext "Note: only root can schedule at jobs" logtext "Note: only root can schedule at jobs"

6
include/tests_ssh
View File

@ -59,13 +59,19 @@
ReportException "${TEST_NO}:01" ReportException "${TEST_NO}:01"
logtext "Result: we already had found another sshd_config file. Using this new file then." logtext "Result: we already had found another sshd_config file. Using this new file then."
fi fi
FileIsReadable ${I}/sshd_config
if [ ${CANREAD} -eq 1 ]; then
FOUND=1 FOUND=1
SSH_DAEMON_CONFIG="${I}/sshd_config" SSH_DAEMON_CONFIG="${I}/sshd_config"
else
logtext "Warning: can not read ${I}/sshd_config file"
fi
fi fi
done done
if [ "${SSH_DAEMON_CONFIG}" = "" ]; then if [ "${SSH_DAEMON_CONFIG}" = "" ]; then
logtext "Result: No sshd configuration found" logtext "Result: No sshd configuration found"
Display --indent 4 --text "- Searching SSH configuration..." --result "NOT FOUND" --color YELLOW Display --indent 4 --text "- Searching SSH configuration..." --result "NOT FOUND" --color YELLOW
ReportException "${TEST_NO}:1" "SSH daemon is running, but no readable configuration file found"
else else
logtext "Result: using last found configuration file: ${SSH_DAEMON_CONFIG}" logtext "Result: using last found configuration file: ${SSH_DAEMON_CONFIG}"
Display --indent 4 --text "- Searching SSH configuration..." --result FOUND --color GREEN Display --indent 4 --text "- Searching SSH configuration..." --result FOUND --color GREEN