Merge branch 'master' into freebsd-services

This commit is contained in:
Roland Smith 2015-09-16 20:29:51 +02:00
commit f11783dbdf
67 changed files with 2199 additions and 1694 deletions

CHANGELOG

@ -8,60 +8,206 @@
Author: Michael Boelen (michael.boelen@cisofy.com)
Description: Security and system auditing tool
Website: https://cisofy.com/lynis/
GitHub: https://github.com/CISOfy/Lynis
GitHub: https://github.com/CISOfy/lynis
Support policy: See section 'Support' (README file);
Support policy: See section 'Support' in README file
Commercial support and plugins available via CISOfy
https://cisofy.com
Documentation: See web site, README, FAQ and CHANGELOG file
================================================================================
= Lynis 2.1.0 (2015-04-16) =
= Lynis 2.1.2 =
General:
---------
Screen output has been improved to provide additional information.
This is an major release, which includes both new features and enhancements to existing tests.
OS support:
------------
CUPS detection on Mac OS has been improved. AIX systems will now use csum
utility to create host ID. Group check have been altered on AIX, to include
the -n ALL. Core dump check on Linux is extended to check for actual values
as well.
* Operating systems
Improved support for Debian 8
Don't show boot loader exception when a subset of tests is performed
Software:
----------
McAfee detection has been extended by detecting a running cma binary.
Improved detection of pf firewall on BSD and Mac OS. Security patch checking
with zypper extended.
* Screen output
Improved output for tests which before showed results as a warning, while actually are just suggestions
Session timeout:
-----------------
Tests to determine shell time out setting have been extended to account for
AIX, HP-UX and other platforms. It will now determine also if variable is
exported as a readonly variable. Related compliance section PCI DSS 8.1.8
has been extended.
* Virtual machines
Detection of virtual machines extended with vmtoolsd detection
Documentation:
---------------
- New document: Getting started with Lynis
https://cisofy.com/documentation/lynis/get-started/
* Mount points
FILE-6374 is expanded to test for multiple common mount points and define best practice mount flags.
Plugins (Enterprise):
----------------------
- Update to file integrity plugin
Changes to PLGN-2606 (capabilities check)
* Docker
Properly detect Docker on CoreOS systems, where it before gave error as it found directory /usr/libexec/docker
- New configuration plugins:
PLGN-4802 (SSH settings)
PLGN-4804 (login.defs)
* UEFI and Secure Boot
Initial support to test UEFI settings, including Secure Boot option
Options boot_uefi_booted and boot_uefi_booted_secure added to report file
Download link: https://cisofy.com/download/lynis/
* Authentication
Depending on the operating system, Lynis now tries to determine if failed logins are properly logged. This includes
checking for /etc/login.defs [AUTH-9408]
report option: auth_failed_logins_logged
**** ^ NEEDS more tests ###################################
* DNS and Name services
Support added for Unbound DNS caching tool [NAME-4034]
Configuration check for Unbound [NAME-4036]
Record if a name caching utility is being used like nscd or Unbound. Also logging to report as field name_cache_used
* Firewalls
IPFW firewall on FreeBSD test improved
* Individual tests
BOOT-5180 now only gets executed if runlevel 2 is found
AUTH-9328 show correct message when no umask is found in /etc/profile, including correct logging entries
AUTH-9204 now excludes NIS entries to avoid false positives
TIME-3104 Only shows suggestion now on FreeBSD if ntpdate is configured, yet ntpd isn't running
FILE-6410 Added /var/lib/locatedb as search path
Don't wait when using pentest mode in quick mode
Data uploads: provide help when self-signed certificates are used
8888888888888888888888888
implement base64
8888888888888888888888888
* Plugins
---------
[PLGN-2804] Limit report output of EXT file systems to 1 item per line
--------------------------------------------------------------
= Lynis 2.1.1 (2015-07-22) =
This release adds a lot of improvements, with focus on performance, and
additional support for common Linux distributions and external utilities.
We recommend to use this latest version.
* Operating system enhancements
-------------------------------
Support for systems like CentOS, openSUSE, Slackware is improved.
* Performance
-------------
Performance tuning has been applied, to speed up execution of the audit on
systems with many files. This also includes code cleanups.
* Automatic updates
-------------------
Initial work on an automatic updater has been implemented. This way Lynis
can be scheduled for automatic updating from a trusted source.
* Internal functions
--------------------
Not all systems have readlink, or the -f option of readlink. The
ShowSymlinkPath function has been extended with a Python based check, which
is often available.
* Software support
------------------
Apache module directory /usr/lib64/apache has been added, which is used on
openSUSE.
Support for Chef has been added.
Added tests for CSF's lfd utility for integrity monitoring on directories and
files. Related tests are FINT-4334 and FINT-4336.
Added support for Chrony time daemon and timesync daemon. Additionally NTP
sychronization status is checked when it is enabled.
Improved single user mode protection on the rescue.service file.
* Other
-------
Check for user permissions has been extended.
Python binary is now detected, to help with symlink detection.
Several new legal terms have been added, which are used for usage in banners.
In several files old tests have been removed, to further clean up the code.
* Bug fixes
---------
Nginx test showed error when access_log had multiple parameters.
Tests using locate won't be performed if not present.
Fix false positive match on Squid unsafe ports [SQD-3624].
The hardening index is now also inserted into the report if it is not displayed
on screen.
* Functions
---------
Added AddSystemGroup function
* New tests
---------
Several new tests have been added:
[PKGS-7366] Scan for debsecan utility on Debian systems
[PKGS-7410] Determine amount of installed kernel packages
[TIME-3106] Check synchronization status of NTP on systemd based systems
[CONT-8102] Docker daemon status and gather basic details
[CONT-8104] Check docker info for any Docker warnings
[CONT-8106] Check total, running and unused Docker containers
* Plugins
---------
[PLGN-2602] Disabled by default, as it may be too slow for some machines
[PLGN-3002] Extended with /sbin/nologin
* Documentation
---------------
A new document has been created to help with the process of upgrading Lynis.
It is available at https://cisofy.com/documentation/lynis/upgrading/
--------------------------------------------------------------
= Lynis 2.1.0 (2015-04-16) =
* General
---------
Screen output has been improved to provide additional information.
* OS support
------------
CUPS detection on Mac OS has been improved. AIX systems will now use csum
utility to create host ID. Group check have been altered on AIX, to include
the -n ALL. Core dump check on Linux is extended to check for actual values
as well.
* Software
----------
McAfee detection has been extended by detecting a running cma binary.
Improved detection of pf firewall on BSD and Mac OS. Security patch checking
with zypper extended.
* Session timeout
-----------------
Tests to determine shell time out setting have been extended to account for
AIX, HP-UX and other platforms. It will now determine also if variable is
exported as a readonly variable. Related compliance section PCI DSS 8.1.8
has been extended.
* Documentation
---------------
- New document: Getting started with Lynis
https://cisofy.com/documentation/lynis/get-started/
* Plugins (Enterprise)
----------------------
- Update to file integrity plugin
Changes to PLGN-2606 (capabilities check)
- New configuration plugins:
PLGN-4802 (SSH settings)
PLGN-4804 (login.defs)
Download link: https://cisofy.com/download/lynis/
--------------------------------------------------------------
= Lynis 2.0.0 (2015-02-25) =
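Review bot: developer placeholders have been left inside the new 2.1.2 section of the CHANGELOG and should be removed or turned into real entries before this merge lands: the line `**** ^ NEEDS more tests ###################################` under "Authentication", and the block `8888888888888888888888888` / `implement base64` / `8888888888888888888888888` after the data-uploads line. In the same section, "This is an major release" should read "This is a major release", and the 2.1.2 headings lack the dashed underlines that every other release section uses, so the rendered file is inconsistent.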
@ -835,7 +981,7 @@
- Added Squid test: reply_body_max_size option [SQD-3630]
- Added /etc/init.d/rc and /etc/init.d/rcS to umask test [AUTH-9328]
- Check PHP option allow_url_include [PHP-2378]
Changes:
- Extended possible Squid configuration file locations
- Added additional sysctl keys to default profile
@ -1012,7 +1158,7 @@
- nginx configuration file check [HTTP-6704]
- Exim status check [MAIL-8802]
- Postfix status check [MAIL-8814]
Changes:
- atd needs to run before testing at files [SCHD-7720]
- Removed Solaris OS requirement from logrotate test [LOGG-2148]
@ -1022,7 +1168,7 @@
- Binary scan optimized and partially combined with other check
- Only perform iptables tests if kernel module is active
- Don't show message when /etc/shells can't be found [SHLL-6211]
- Check /var/spool/cron/crontabs first, if it exists [SCHD-7704]
- Check /var/spool/cron/crontabs first, if it exists [SCHD-7704]
- Renumbered FreeBSD test SHLL-7225 [SHLL-6202]
- Renumbered malware test MALW-3292 [HRDN-7230]
- Improved grep on process status [PRNT-2304]
@ -1212,10 +1358,10 @@
New:
- New test: Passwordless Solaris accounts test [AUTH-9254]
- New test: AFICK file integrity [FINT-4310]
- New test: AIDE file integrity [FINT-4314]
- New test: Osiris file integrity [FINT-4318]
- New test: Samhain file integrity [FINT-4322]
- New test: Tripwire file integrity [FINT-4326]
- New test: AIDE file integrity [FINT-4314]
- New test: Osiris file integrity [FINT-4318]
- New test: Samhain file integrity [FINT-4322]
- New test: Tripwire file integrity [FINT-4326]
- New tests: NIS and NIS+ authentication test [AUTH-9240/42]
- Initial support added for AFICK, AIDE, Osiris, Samhain, Tripwire
@ -1241,12 +1387,12 @@
- New test: Promiscuous network interfaces (Linux) [NETW-3015]
- Report option 'bootloader' added to several tests
- Added readlink binary check
Changes:
- Extended file check (IsWorldWritable) for symlinks
- Show result if no default gateway is found [NETW-3001]
- Added /usr/local/etc to sudoers test [AUTH-9250]
- Improved FreeBSD banner output [BANN-7113]
- Improved FreeBSD banner output [BANN-7113]
- Removed incorrect line at promiscuous interface test [NETW-3014]
- Fix: Show only once the GRUB test output [BOOT-5121]
- Fix: Typo in NTP test [TIME-3104]
@ -1294,7 +1440,7 @@
- New test: checking for heavy IO waiting processes [PROC-3614]
- Initial HP-UX support (untested)
- Initial AIX support (untested)
- Added iptables binary check
- Added iptables binary check
- Added dig check, for DNS related tests
- Added option --no-colors to remove all colors from screen output
- Added option --reverse-colors for optimizing output at light backgrounds
@ -1314,7 +1460,7 @@
- Several tests have their warning reporting improved
- Improved SuSE Linux detection
- Improved syslog-ng detection
- Adjusted README with link to online (extended) documentation
- Adjusted README with link to online (extended) documentation
--
@ -1324,7 +1470,7 @@
- New test: Check writable startup scripts [BOOT-5184]
- New test: Syslog-NG consistency check [LOGG-2134]
- New test: Check yum-utils package and scanning package database [PKGS-7384]
- New test: Test for empty ruleset when iptables is loaded [FIRE-4512]
- New test: Test for empty ruleset when iptables is loaded [FIRE-4512]
- New test: Check for expired SSL certificates [CRYP-7902]
- New test: Check for LDAP authentication support [AUTH-9238]
- New test: Read available crontab/cron files [SCHD-7704]
@ -1363,7 +1509,7 @@
* 1.1.5 (2008-06-10)
New:
- Assigned ID to Apache configuration file test [HTTP-6624]
- Assigned ID to Apache configuration file test [HTTP-6624]
- Added pause_between_tests to profile file, to regulate the speed of a scan
- Assigned ID to dpkg test and solved issue with colon in package names [PKG-7345]
- Assigned ID to Solaris package test [PKG-7306]
@ -1646,12 +1792,12 @@
--
* 1.0.3 (2007-11-19)
New:
- Added check for sockstat
- Test: added test for GRUB and password option
- Test: query listening ports (sockstat)
Changes:
- Fixed NTPd check (bug)
- Extended help for 'double installed package' check (BSD systems, pkg_info)
@ -1703,7 +1849,7 @@
Changes:
- [bug] Changed skel directory check
- Fixed display Apache configuration file
--
* 1.0.0 (2007-11-08)
@ -1752,4 +1898,3 @@
================================================================================
Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com

CONTRIBUTIONS.md Normal file

@ -0,0 +1,39 @@
# Contributions
## Pull Requests
We welcome any contribution to improve Lynis. Contributions to the Lynis project can
be submitted as a pull request. The upstream project can be found in our [GitHub repository](https://github.com/CISOfy/lynis).
By submitting a [Pull Request](https://help.github.com/articles/using-pull-requests/)
to this repository, you agree that you:
1. Own the contribution that you are providing or have obtained permission from
the contribution owner
2. Allow your contribution to be licensed under the license of the target
project (GPLv3)
3. Allow your contribution to be freely distributed to the Lynis community
4. Allow the project the [Unlimited Rights](#Unlimited-Rights) to your contribution
If you have questions regarding development, send us an e-mail at [lynis-dev](mailto:lynis-dev@cisofy.com)
## Unlimited Rights
Our project is licensed under GPLv3. By providing a contribution to the project, it
will be used for the purpose of the project. Unlimited rights includes the rights to
use, modify, reproduce, release, perform, display, or disclose computer software or
computer software documentation in whole or in part, in any manner and for any
purpose whatsoever, and to have or authorize others to do so.
If you want to be named in as a contributor in the CONTRIBUTOR file, then include
this notition in your pull request. Preferred format: Full Name, with optional the
company name and/or your e-mail address).
## Developer Guidelines
To ensure all pull requests can be easily checked and merged, here are some tips:
* Your code should work on other platforms running the bourne shell (/bin/sh), not just BASH.
* Properly document your code where needed. Besides the 'what', focus on explaining the 'why'.
* Check the log information (lynis.log) of your new test or changed code, so that it provides helpful details for others.
* Most variables should be capitalized, with underscore as word separator (e.g. PROCESS_EXISTS=1)
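Review bot: the "Unlimited Rights" paragraph points contributors at "the CONTRIBUTOR file", but the file renamed in this same commit carries the heading "Lynis - CONTRIBUTORS"; the reference should use the real file name. Two wording fixes on the same lines: "include this notition" should be "include this notice", and "Full Name, with optional the company name and/or your e-mail address)" has a closing parenthesis with no opening one and reads better as "Full Name (optionally with company name and/or e-mail address)".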


@ -1,24 +1,35 @@
================================================================================
Lynis - CONTRIBUTIONS
Lynis - CONTRIBUTORS
================================================================================
The Lynis project is very thankful for the following individuals who
contributed to the project. They invested time and effort to report issues
and send in related patches to improve the software and other components.
contributed to the project.
================================================================================
Want to contribute as well? Here are some suggestions:
[+] Patches, bug fixes and suggestions
- Create new tests for your favorite software packages
- Report (unexpected) screen errors
- Share missing results and findings
- Check for grammar issues
Create a pull request at GitHub --> https://github.com/CISOfy/lynis
[+] Contributors
------------------------------------------
Alexander Lobodzinski
Bodine Wilson
Brian Ginsbach
C.J. Adams-Collier, US
Charlie Heselton, US
Dave Vehrs
Kamil Boratyński, Poland
Mikko Lehtisalo, Finland
Steve Bosek, France
Thomas Siebel, Germany

FAQ

@ -7,9 +7,11 @@
Author: Michael Boelen (michael.boelen@cisofy.com)
Description: Security and system auditing tool
Website: https://cisofy.com/lynis/
Web site: https://cisofy.com/lynis/
GitHub: https://github.com/CISOfy/lynis
Support address: lynis-dev@cisofy.com
Development: May 2007 - Now
Suppor: See README file and https://cisofy.com/support/
Support: See README file and https://cisofy.com/support/
Documentation: See web site, README, FAQ and CHANGELOG file
================================================================================
@ -18,9 +20,9 @@
-------------------------------
Q: I don't understand the program (output), what to do?
A: Keep reading this FAQ, then continue with reading the README file, followed
by the log file (default: /var/log/lynis.log). After those sources, check
the documentation on the website.
A: Keep reading this FAQ. Also useful are the README file and the log file
(default: /var/log/lynis.log). Or check out the documentation on the
website: https://cisofy.com/support/
Q: I can't find any configuration file for Lynis, where is it?
A: There isn't one (currently), since all options are available as command
@ -30,11 +32,10 @@
Q: Why is there no port/package for my operating system?
A: Because there is no maintainer for it yet. If you have the time to keep
the port/package current for your preferred operating system, fill in the
contact form to notify me and confirm no one else is working on it.
the port/package current for your preferred operating system, let us know.
Q: What to do with the report files?
A: The output could be used for monitoring (baseline checks). For user of the
A: The output could be used for monitoring (baseline checks). For users of the
Lynis Enterprise Suite, they will be used to upload data.
@ -42,7 +43,7 @@
[+] Bugs or issues
-------------------------------
Q: Where can I report an issue or bug?
A: Use the developer e-mail address lynis-dev@cisofy.com
A: GitHub, or use the developer e-mail address lynis-dev@cisofy.com
@ -57,7 +58,7 @@
have a dark background, so it gives extra attention to the message. However
if you have a white background (for example Mac OS X), you can run Lynis
with --no-colors to strip colors or --reverse-colors to reverse the color
scheme. Another option is to change your terminal colors within Mac OS.
scheme. Another option is to change your terminal colors within Mac OS.
Q: Some tests take very long to finish, what to do?
A: Use a second console (or connection) and check the output of ps/lsof etc,
@ -72,12 +73,12 @@
invoke Lynis (example: bash lynis -c).
Q: One or more tests are giving incorrect output. How to solve that?
A: Check the log file. If that also has incorrect data, fill in the contact
form and describe the issue.
A: Check the log file. If that also has incorrect data, let us know via GitHub
or the developer e-mail address.
Q: The program takes long to complete and also uses too much resources. Can it
be tuned?
A: The time it takes to complete is depends on the amount of tests to run.
A: The time it takes to complete depends on the amount of tests to run.
However the resources it take can be slighty lowered by increasing the
pause_between_tests profile option. Keep in mind this increases the total
length of the scan to complete.
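Review bot: this hunk corrects "is depends" in the run-time answer, but the two unchanged lines right after it still read "the resources it take can be slighty lowered"; "it takes" and "slightly" should be fixed in the same pass so the answer is consistent.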

README

@ -15,11 +15,14 @@
================================================================================
== The website contains up-to-date documentation ==
*** NOTE ***
The website contains the latest documentation
See https://cisofy.com/documentation/lynis/
[+] Introduction
-------------------------------
@ -29,7 +32,8 @@
Some of the (future) features and usage options:
- System and security audit checks
- File Integrity Assessment
- Compliance testing
- File integrity monitoring
- System and file forensics
- Usage of templates/baselines (reporting and monitoring)
- Extended debugging features
@ -45,7 +49,7 @@
- License: GPL v3
- Language: Shell script
- Author: Michael Boelen, CISOfy
- Website: https://cisofy.com
- Web site: https://cisofy.com
- Required permissions: root preferred, not needed
- Other requirements: write access to /tmp
@ -90,8 +94,11 @@
-------------------------------
If you have input to improve Lynis, let us know via:
- GitHub - https://github.com/CISOfy/lynis
- E-mail - lynis-dev@cisofy.com
* GitHub - https://github.com/CISOfy/lynis
* E-mail - lynis-dev@cisofy.com
Contributions are appreciated and can be done via GitHub. See CONTRIBUTIONS.md
for more information about how to submit them.
[+] Support
@ -99,15 +106,11 @@
Lynis is tested on the most common operating systems. The documentation (README,
FAQ) and the debugging information in the log file should cover most questions and
problems. Bugs can be reported by filling in the contact form at rootkit.nl, or by
sending an e-mail.
problems. Bugs can be reported via GitHub, or sending an e-mail to the lynis-dev
address above.
NOTE: User related questions should not be asked via the contact form. Read the
documentation, the website resources and the log file for answers to common problems.
Commercial support is available under strict conditions and depends on the request.
For more information fill in the contact form and describe what kind of service is
requested.
Commercial support is available and provided by CISOfy. For more information use
the contact address on https://cisofy.com/contact/.
@ -119,7 +122,7 @@
this tool we have a commercial version available. Lynis Enterprise Suite uses
Lynis to audit systems, but also provides malware scanning, intrusion detection
and has additional guidance. For all features, please see our website:
http://cisofy.com/lynis-enterprise/
https://cisofy.com/lynis-enterprise/


@ -3,22 +3,27 @@ lynis
Lynis - Security auditing and hardening tool, for Unix based systems
Lynis is an security auditing and hardening tool for Unix derivatives like Linux, BSD and Solaris. It performs
an in-depth security scan on the system to detect software and security issues. Besides information related to
security, it will also scan for general system information, installed packages, and possible configuration
issues.
Lynis is a security auditing for Unix derivatives like Linux, BSD, and Solaris. It performs an in-depth security scan on the system to detect software and security issues. Besides information related to security, it will also scan for general system information, vulnerable software packages, and possible configuration issues.
We believe software should be simple, updated on a regular basis and open. You should be able to trust, understand,
and even alter the software. Many agree with us, as the software is being used by thousands every day to protect
their systems.
We believe software should be simple, updated on a regular basis and open. You should be able to trust, understand, and even alter the software. Many agree with us, as the software is being used by thousands every day to protect their systems.
The software is aimed at assisting with automated auditing, configuration management, software patch management,
penetration testing, vulnerability management, and malware scanning of Unix-based systems.
Main goals:
- Security auditing (automated)
- Compliance testing (e.g. PCI-DSS, HIPAA)
- Vulnerability testing
The software aims to also assist with:
- Configuration management
- Software patch management
- System hardening
- Penetration testing
- Malware scanning
- Intrusion detection
License:
- GPLv3
Main audience:
Typical users of the software:
- System administrators
- Auditors
- Security officers
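Review bot: the rewritten opening sentence drops its noun: "Lynis is a security auditing for Unix derivatives like Linux, BSD, and Solaris" should read "Lynis is a security auditing and hardening tool for Unix derivatives ...", as the replaced line had it.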
@ -27,25 +32,23 @@ Main audience:
## First run
Clone or download the project files. No compilation or installation is required.
Execute: ./lynis audit system
By default
If you want to run the software as root, we suggest to alter the ownership of the files.
1. Clone or download the project files. No compilation or installation is required.
2. Execute: `./lynis audit system`
If you want to run the software as root, we suggest altering the ownership of the files. Use chown -R and
chgrp -R to recursively alter the owner and group.
## Documentation
See for full documentation https://cisofy.com/documentation/lynis/
Full documentation: https://cisofy.com/documentation/lynis/
## Flexibility
For people who want to expand tests, it is suggested to use the tests_custom file (template in include directory).
If you want to create your own tests, use the 'tests_custom' file (template available in 'include' directory).
Plugins are another possibility to customize, although their main goal is collecting data.
## Enterprise options
This software component has additional options and support available for companies. If you want to perform more
tests and centrally manage them, consider the purchase of a license.
## Enterprise version
This software is also available as part of an enterprise suite. It includes additional functionality (plugins, centralized system, reporting, dashboard), and supports.
## Support
Got an improvement to share? Create an issue in the tracker on GitHub or send us an e-mail: lynis-dev@cisofy.com
## Contribute
Got an improvement? Create it as an issue in the tracker on GitHub or send us an e-mail: lynis-dev@cisofy.com
More details can be found at [Contributors Guide](https://github.com/CISOfy/lynis/blob/master/CONTRIBUTIONS.md)
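Review bot: the new "Enterprise version" paragraph ends mid-thought: "It includes additional functionality (plugins, centralized system, reporting, dashboard), and supports." The final clause needs an object (for example "and commercial support") or should be dropped. Also, the "First run" step now documents `./lynis audit system`, while the debian README touched later in this same commit still shows `lynis -c`; the two should agree on the recommended invocation.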


@ -9,11 +9,10 @@
# 5) file group owner
# 6) operating system, or systems
# 7) operating system special
# 8)
# 8)
#
#==================================================
file:/etc/group:644:root:root:Linux:
file:/etc/gshadow:400:root:root:Linux:
file:/etc/passwd:644:root:root:Linux:
file:/etc/shadow:400:root:root:Linux:
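Review bot: the hunk only strips trailing whitespace from "# 8)", but the baseline it sits in hard-codes `file:/etc/shadow:400:root:root:Linux:` and `file:/etc/gshadow:400:root:root:Linux:` for every Linux system. Debian-derived distributions ship these files as mode 0640 owned by root:shadow, so a Linux-wide 400 root:root expectation will flag vendor-default permissions as findings. Either key the entries on the specific distribution (the format already has an "operating system special" field in column 7) or document that this baseline is deliberately stricter than vendor defaults.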


@ -1,3 +1,3 @@
#version=2008062800
#binary:string:|NOT:
ifconfig:PROMISC::
ifconfig:PROMISC::


@ -1,20 +1,20 @@
lynis for Debian
----------------
When execute Lynis from Debian menu, the program runs with the following
When execute Lynis from Debian menu, the program runs with the following
parameter:
lynis --no-colors
It makes a full system check, with the default profile file
It makes a full system check, with the default profile file
(/etc/lynis/default.prf). Please adjust this config file with your needs.
For better perform, launch Lynis from a terminal, as root user, with your best
configuration.
Lynis can be executed directly:
# lynis -c
or
# lynis -c
or
# lynis
After Lynis runs the system check, it creates the following two files with the
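Review bot: this hunk rewrites the lines only to remove trailing whitespace and leaves their grammar errors in place: "When execute Lynis from Debian menu" should read "When Lynis is executed from the Debian menu", and the nearby "For better perform" should read "For better performance". Since the lines are being touched anyway, fix the wording at the same time. The example `lynis -c` also predates the `lynis audit system` form documented in README.md in this commit.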

debian/rules vendored

@ -12,13 +12,13 @@ clean:
dh_testdir
dh_testroot
rm -f build-stamp
dh_clean
dh_clean
install: build
dh_testdir
dh_testroot
dh_prep
dh_prep
# Add here commands to install the package into debian/lynis.
install -D -m 0755 $(CURDIR)/lynis $(CURDIR)/debian/lynis/usr/sbin/lynis


@ -122,7 +122,7 @@ sysctl:kernel.use-nx:0:1:XXX:
[network]
sysctl:net.inet.icmp.bmcastecho:0:1:Ignore ICMP packets directed to broadcast address:
sysctl:net.inet.icmp.rediraccept:0:1:Disable incoming ICMP redirect routing redirects:
sysctl:net.inet.ip.accept_sourceroute:0:1:Disable IP source routing:
sysctl:net.inet.ip.accept_sourceroute:0:1:Disable IP source routing:
sysctl:net.inet.ip.redirect:0:1:Disable/Ignore ICMP routing redirects:
sysctl:net.inet.ip.sourceroute:0:1:Disable IP source routing:
sysctl:net.inet.ip6.redirect:0:1:Disable/Ignore ICMP routing redirects:
@ -149,9 +149,9 @@ sysctl:net.ipv4.tcp_syncookies:1:1:Use SYN cookies to prevent SYN attack:
sysctl:net.ipv4.tcp_timestamps:0:1:Do not use TCP time stamps:
sysctl:net.ipv6.conf.all.send_redirects:0:1:Disable/ignore ICMP routing redirects:
sysctl:net.ipv6.conf.all.accept_redirects:0:1:Disable/Ignore ICMP routing redirects:
sysctl:net.ipv6.conf.all.accept_source_route:0:1:Disable IP source routing:
sysctl:net.ipv6.conf.all.accept_source_route:0:1:Disable IP source routing:
sysctl:net.ipv6.conf.default.accept_redirects:0:1:Disable/Ignore ICMP routing redirects:
sysctl:net.ipv6.conf.default.accept_source_route:0:1:Disable IP source routing:
sysctl:net.ipv6.conf.default.accept_source_route:0:1:Disable IP source routing:
[security]
#sysctl:kern.securelevel:1^2^3:1:FreeBSD security level:
@ -270,8 +270,8 @@ permdir:/root/.ssh:rwx------:root:-:WARN:
#
#################################################################################
# Amount of connections in WAIT state before reporting it as a warning
#config:connections_max_wait_state:50:
# Amount of connections in WAIT state before reporting it as a suggestion
#config:connections_max_wait_state:5000:
# Skip security repository check for Debian based systems
#config:debian_skip_security_repository:yes:
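Review bot: the connections_max_wait_state threshold moves from 50 to 5000 and the finding is downgraded from a warning to a suggestion, but the CHANGELOG hunk above records neither change. Add a line under 2.1.2 so users who tuned this value in their own profile know the default moved by two orders of magnitude.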
@ -308,6 +308,38 @@ permdir:/root/.ssh:rwx------:root:-:WARN:
#config:custom_url_prepend:https://your-domain.example.org/control-info/:
#config:custom_url_append:/:
#################################################################################
#
# Automatic Updating
# -------------------
#
# These settings are required when using the lynis update functionality.
# By specifying local paths and your update server, the tool can do an update
# check, compare versions and download a new version.
#
#################################################################################
# Local directory (without slash at end) where lynis directory will be installed
# Note: do not add full path to lynis, as subdirectory is part of tarball
#config:update_local_directory:/usr/local:
# Full path to local file. Change local path if Lynis is installed on a different place
#config:update_local_version_info:/usr/local/lynis/client-version:
# Download information
# -----------------------------
# Protocol to use: http, https
#config:update_server_protocol:http:
# Address of update server
#config:update_server_address:192.168.1.125:
# Path to last stable release
#config:update_latest_version_download:/files/lynis-latest.tar.gz:
# Last part of URL (file to gather)
#config:update_latest_version_info:/files/lynis-latest-version:
#################################################################################
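Review bot: the automatic-update block describes a version check and a download but says nothing about verifying what is downloaded, and its example transport is plain http (`#config:update_server_protocol:http:`). An updater that fetches a tarball over HTTP from a configurable address and unpacks it into update_local_directory is a supply-chain risk if either the network path or the update server is compromised. The comments should recommend https as the value and state how the tarball's integrity is checked (checksum or signature) before it replaces the installed copy; the CHANGELOG hunk above promises updates "from a trusted source", which this configuration alone does not enforce.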
#
# Lynis Enterprise
@ -322,7 +354,7 @@ permdir:/root/.ssh:rwx------:root:-:WARN:
# Provide options to cURL when uploading data. Common options include:
# -k or --insecure --> use HTTPS, but skip certificate check (e.g. self-signed)
# --proxy [http://]proxyserver:8080 --> use HTTP/HTTPS proxy
# --proxy [http://]proxyserver:8080 --> use HTTP/HTTPS proxy
# --socks5 proxyserver:8080 --> use SOCKS proxy
#config:upload_options:-k:
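Review bot: the only worked example for upload_options is `-k`, which makes cURL skip certificate verification entirely, so an Enterprise upload over HTTPS becomes readable and modifiable by an active on-path attacker. For a self-signed server certificate the safer option is `--cacert /path/to/server-cert.pem` (or `--pinnedpubkey`), which keeps validation and pins the expected certificate; the comment should present that first and describe `-k` as a last resort rather than as the default example.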
@ -330,4 +362,4 @@ permdir:/root/.ssh:rwx------:root:-:WARN:
#config:group:[group name]:
#config:group:test:
#EOF
#EOF


@ -6,4 +6,4 @@
- Integrity checks and tools
- Development tools
================================================================================
================================================================================


@ -364,7 +364,7 @@ Exit
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
echo -n "- Cleaning up OpenBSD package build... "
echo -n "- Cleaning up OpenBSD package build... "
if [ -f openbsd/+CONTENTS ]; then rm openbsd/+CONTENTS; fi
echo "DONE"
OPENBSD_CONTENTS="openbsd/+CONTENTS"
@ -377,7 +377,7 @@ Exit
for I in ${PACKAGE_LIST_FILES}; do
echo -n "${I} "
#FULLNAME=`cat files.dat | grep ":file:include:
#FULLNAME=`cat files.dat | grep ":file:include:
#echo "${FULLNAME}" >> ${OPENBSD_CONTENTS}
echo "${I}" >> ${OPENBSD_CONTENTS}
FILE="../${I}"


@ -3,6 +3,8 @@
# Lynis spec file
# -----------------
#
# This file helps to create your custom RPM package of Lynis.
#
# Usage:
# - Adjust version number (Version:)
# - Check if you have the directories in your home directory (or adjust topdir)
@ -12,9 +14,9 @@
#
#################################################################################
#
# (c) 2014 Michael Boelen
# Copyright 2015 CISOfy
#
# Website: http://cisofy.com/
# Documentation: https://cisofy.com/documentation/lynis/upgrading/
#
#################################################################################
@ -27,30 +29,32 @@
Summary: Security and system auditing tool.
Name: lynis
Version: 1.6.2
Version: 2.1.1
Release: 1
License: GPL
Group: Applications/System
Source: lynis-%{version}.tar.gz
BuildRoot: /tmp/lynis-root
URL: http://cisofy.com/
Vendor: CISOfy / Michael Boelen
Packager: Michael Boelen <michael@rootkit.nl>
URL: https://cisofy.com/
Vendor: CISOfy
Packager: Michael Boelen <michael.boelen@cisofy.com>
BuildArch: noarch
%description
Lynis is a security tool to audit and harden Unix/Linux based systems. It scans a
system and provides the user with suggestion and warnings regarding taken security
measures. Examples include:
- Security enhancements
- Logging and auditing options
- Banner identification
- Software availability
- Missing security patches
Lynis is an security auditing and hardening tool for Unix derivatives like Linux, BSD
and Solaris. It performs an in-depth security scan on the system to detect software
and security issues. Besides information related to security, it will also scan for
general system information, installed packages, and possible
configuration issues.
This software is aimed at assisting with automated auditing, configuration management,
software patch management, penetration testing, vulnerability management, and malware
scanning of Unix-based systems.
Lynis is released as a GPLv3 licensed project and free for everyone to use.
Commercial support and extensions are available.
See http://cisofy.com for a full description and documentation.
See https://cisofy.com for a full description and documentation.
%prep
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf "$RPM_BUILD_ROOT"
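Review bot: typo in the new %description: "Lynis is an security auditing" should read "Lynis is a security auditing". While here, `License: GPL` is less specific than the description's own "GPLv3 licensed project"; consider `License: GPLv3`.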
@ -84,11 +88,6 @@ install plugins/* ${RPM_BUILD_ROOT}%{_pluginsdir}
install -d ${RPM_BUILD_ROOT}%{_dbdir}
install db/* ${RPM_BUILD_ROOT}%{_dbdir}
# Patch default paths (not required for 1.1.2+)
#sed -i -e 's#INCLUDEDIR="include"#INCLUDEDIR="%{_includedir}"#g' ${RPM_BUILD_ROOT}/usr/bin/lynis
#sed -i -e 's#PROFILE="default.prf"#PROFILE="/etc/lynis/default.prf"#g' ${RPM_BUILD_ROOT}/usr/bin/lynis
%clean
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf "$RPM_BUILD_ROOT"
@ -111,6 +110,9 @@ install db/* ${RPM_BUILD_ROOT}%{_dbdir}
#%attr(644, root, root) %{_plugindir}/*
%changelog
* Wed May 13 2015 Michael Boelen - 1.1.9-1
- Changed website address, version bump
* Sun Sep 14 2014 Michael Boelen - 1.1.8-1
- Changed permissions with regards of pentest option
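Review bot: the %changelog has no entry matching the `Version: 2.1.1` bump above; the newest entry is still `* Wed May 13 2015 Michael Boelen - 1.1.9-1`. Add a 2.1.1-1 entry so the package history matches the spec.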

@ -14,7 +14,8 @@
#
#################################################################################
#
# Check which tools are installed
# * Check which binaries and tools are installed
# * With the results a customized scan can be performed for every single system.
#
#################################################################################
#
@ -25,23 +26,18 @@
#################################################################################
#
if [ ${CHECK_BINARIES} -eq 1 ]; then
InsertSection "System Tools"
#
#################################################################################
#
InsertSection "System Tools"
Display --indent 2 --text "- Scanning available tools..."
logtext "Start scanning for available audit binaries and tools..."
Display --indent 2 --text "- Scanning available tools..."
logtext "Start scanning for available audit binaries and tools..."
# Test : FILE-7502
# Description : Check all system binaries
# Notes : Always perform test, dependency for many other tests
Register --test-no FILE-7502 --weight L --network NO --description "Check all system binaries"
#if [ ${SKIPTEST} -eq 0 ]; then
# Test : FILE-7502
# Description : Check all system binaries
# Notes : Always perform test, dependency for many other tests
Register --test-no FILE-7502 --weight L --network NO --description "Check all system binaries"
BINARY_PATHS_FOUND=""; N=0
Display --indent 2 --text "- Checking system binaries..."
logtext "Status: Starting binary scan..."
for SCANDIR in ${BINPATHS}; do
for SCANDIR in ${BIN_PATHS}; do
logtext "Test: Check if directory exists"
ORGPATH=""
if [ -d ${SCANDIR} ]; then
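Review bot: the loop now reads `for SCANDIR in ${BIN_PATHS}; do` after the rename from BINPATHS; since an unset shell variable expands to an empty string, any remaining reference to the old name elsewhere would silently scan nothing rather than fail, so grep the tree for BINPATHS before merging.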
@ -78,7 +74,6 @@
N=`expr ${N} + 1`
BINARY="${SCANDIR}/${I}"
DISCOVERED_BINARIES="${DISCOVERED_BINARIES}${BINARY} "
logtext "Binary: ${BINARY}"
# Optimized, much quicker (limited file access needed)
case ${I} in
aa-status) APPARMORFOUND=1; AASTATUSBINARY=${BINARY}; logtext " Found known binary: aa-status (apparmor component) - ${BINARY}" ;;
@ -98,8 +93,11 @@
comm) COMMBINARY="${BINARY}"; logtext " Found known binary: comm (file compare) - ${BINARY}" ;;
csum) CSUMFOUND=1; CSUMBINARY="${BINARY}"; logtext " Found known binary: csum (hashing tool on AIX) - ${BINARY}" ;;
curl) CURLFOUND=1; CURLBINARY="${BINARY}"; logtext " Found known binary: curl (browser) - ${BINARY}" ;;
debsecan) DEBSECANBINARY="${BINARY}"; logtext " Found known binary: debsecan (package vulnerability checking) - ${BINARY}" ;;
debsums) DEBSUMSBINARY="${BINARY}"; logtext " Found known binary: debsums (package integrity checking) - ${BINARY}" ;;
dig) if [ -f ${BINARY} ]; then DIGFOUND=1; DIGBINARY=${BINARY}; logtext " Found known binary: dig (network/dns tool) - ${BINARY}"; fi ;;
dnsdomainname) DNSDOMAINNAMEFOUND=1; DNSDOMAINNAMEBINARY="${BINARY}"; logtext " Found known binary: dnsdomainname (DNS domain) - ${BINARY}" ;;
docker) if [ -f ${BINARY} ]; then DOCKERBINARY="${BINARY}"; logtext " Found known binary: docker (container technology) - ${BINARY}"; fi ;;
domainname) DOMAINNAMEFOUND=1; DOMAINNAMEBINARY="${BINARY}"; logtext " Found known binary: domainname (NIS domain) - ${BINARY}" ;;
dpkg) DPKGBINARY="${BINARY}"; logtext " Found known binary: dpkg (package management) - ${BINARY}" ;;
egrep) EGREPFOUND=1; EGREPBINARY=${BINARY}; logtext " Found known binary: egrep (text search) - ${BINARY}" ;;
@ -145,7 +143,7 @@
openssl) OPENSSLFOUND=1; OPENSSLBINARY="${BINARY}"; OPENSSLVERSION=`${BINARY} version 2> /dev/null | head -n 1 | awk '{ print $2 }' | xargs`; logtext "Found ${BINARY} (version ${OPENSSLVERSION})" ;;
pacman) PACMANFOUND=1; PACMANBINARY="${BINARY}"; logtext " Found known binary: pacman (package manager) - ${BINARY}" ;;
perl) PERLFOUND=1; PERLBINARY="${BINARY}"; PERLVERSION=`${BINARY} -V:version | sed 's/^version=//' | sed 's/;//' | xargs`; logtext "Found ${BINARY} (version ${PERLVERSION})" ;;
php) PHPFOUND=1; PHPBINARY="${BINARY}"; PHPVERSION=`${BINARY} -v | awk '{ if ($1=="PHP") { print $2 }}' | head -1`; logtext "Found known binary: php (programming language) - ${BINARY} (version ${PHPVERSION})" ;;
php) PHPFOUND=1; PHPBINARY="${BINARY}"; PHPVERSION=`${BINARY} -v | awk '{ if ($1=="PHP") { print $2 }}' | head -1`; logtext "Found known binary: php (programming language intrepreter) - ${BINARY} (version ${PHPVERSION})" ;;
pkg_admin) PKGADMINBINARY="${BINARY}"; logtext " Found known binary: pkg_admin (software package administration) - ${BINARY}" ;;
postconf) POSTCONFFOUND=1; POSTCONFBINARY="${BINARY}"; logtext " Found known binary: postconf (postfix configuration) - ${BINARY}" ;;
postfix) POSTFIXFOUND=1; POSTFIXBINARY="${BINARY}"; logtext " Found known binary: postfix (postfix binary) - ${BINARY}" ;;
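Review bot: typo in the new php line: "programming language intrepreter" should read "programming language interpreter".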
@ -154,6 +152,7 @@
ps) PSFOUND=1; PSBINARY="${BINARY}"; logtext " Found known binary: ps (process listing) - ${BINARY}" ;;
puppet) PUPPETFOUND=1; PUPPETBINARY="${BINARY}"; logtext " Found known binary: puppet (automation tooling) - ${BINARY}" ;;
puppetmasterd) PUPPETMASTERDFOUND=1; PUPPETMASTERDBINARY="${BINARY}"; logtext " Found known binary: puppetmasterd (puppet master daemon) - ${BINARY}" ;;
python) PYTHONBINARY="${BINARY}"; logtext " Found known binary: python (programming language intepreter) - ${BINARY}" ;;
readlink) READLINKFOUND=1; READLINKBINARY="${BINARY}"; logtext " Found known binary: readlink (follows symlinks) - ${BINARY}" ;;
rkhunter) RKHUNTERFOUND=1; RKHUNTERBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; logtext " Found known binary: rkhunter (malware scanner) - ${BINARY}" ;;
rootsh) ROOTSHFOUND=1; ROOTSHBINARY="${BINARY}"; logtext " Found known binary: rootsh (wrapper for shells) - ${BINARY}" ;;
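Review bot: typo in the new python line: "programming language intepreter" should read "programming language interpreter".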
@ -204,13 +203,11 @@
logtext "Discovered directories: ${BINARY_PATHS_FOUND}"
report "binary_paths=${BINARY_PATHS_FOUND}"
BINARY_SCAN_FINISHED=1
#fi
logtext "Result: found ${N} binaries"
report "binaries_count=${N}"
logtext "Result: found ${N} binaries"
report "binaries_count=${N}"
else
logtext "Result: checking binaries skipped in this mode"
logtext "Result: checking of binaries skipped in this mode"
fi
#

@ -18,42 +18,19 @@
#################################################################################
#
# Program information
# Paths where system and program binaries are located
# Includes Sun Solaris dirs
BINPATHS="/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin \
BIN_PATHS="/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin \
/usr/local/libexec /usr/libexec /usr/sfw/bin /usr/sfw/sbin \
/usr/sfw/libexec /opt/sfw/bin /opt/sfw/sbin /opt/sfw/libexec \
/usr/xpg4/bin /usr/css/bin /usr/ucb /usr/X11R6/bin /usr/X11R7/bin \
/usr/pkg/bin /usr/pkg/sbin"
ETC_PATHS="/etc /usr/local/etc"
# Do not use specific language, fall back to default
# Some tools with translated strings are very hard to parse
unset LANG
#
#################################################################################
#
# Deprecated
#
#################################################################################
#
HOME_HISTORY_AUDIT_TITLE="Incorrect history file types"
HOME_HISTORY_AUDIT_DESCRIPTION=""
HOME_HISTORY_LOG_TITLE="History files type check"
HOME_HISTORY_LOG_DESCRIPTION="History files type check"
HOME_HISTORY_LOG_TEXT="History files are normally of the type 'file'. Symbolic links and other types can be riskful"
HOME_PATH_LOG_MESSAGE="A single dot in the PATH variable of a user can be a risk, while executing commands in for example a home directory."
USER_PASSWD_DOUBLEUID_AUDIT_TITLE="Non unique UIDs"
USER_PASSWD_DOUBLEUID_AUDIT_DESCRIPTION="Non unique UIDs in passwd file"
USER_PASSWD_DOUBLEUID_AUDIT_TEXT="Non unique UIDs can riskful for the system or part of a configuration mistake"
KERNEL_ACTIVE_MODULES_TITLE="Active kernel modules (KLDs)"
KERNEL_ACTIVE_MODULES_DESCRIPTION="View all active kernel modules (including kernel)"
KERNEL_ACTIVE_MODULES_TEXT="Displays the loaded kernel modules in memory. Make sure to check the integrity of the kld tools."
#
#################################################################################
#
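Review bot: `unset LANG` alone does not force untranslated tool output, because `LC_ALL` (and the individual `LC_*` variables) take precedence over `LANG`; suggest `unset LANG LC_ALL LC_MESSAGES` or explicitly exporting `LC_ALL=C` so that parsing of command output is reliable regardless of the caller's locale.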
@ -64,6 +41,7 @@ unset LANG
# == Variable initializing ==
#
AUDITORNAME=""
AUTH_FAILED_LOGINS_LOGGED=0
PROFILE=""
REPORTFILE=""
AFICKBINARY=""
@ -77,6 +55,7 @@ unset LANG
CONTROL_URL_PREPEND=""
CUSTOM_URL_APPEND=""
CUSTOM_URL_PREPEND=""
DOCKER_DAEMON_RUNNING=0
FILEVALUE=""
FIND=""
FIREWALL_ACTIVE=0
@ -93,6 +72,7 @@ unset LANG
LYNIS_COMPLIANCE_TESTS=0
MACHINEID=""
MALWARE_SCANNER_INSTALLED=0
NAME_CACHE_USED=0
NGINX_ACCESS_LOG_DISABLED=0
NGINX_ACCESS_LOG_MISSING=0
NGINX_ALIAS_FOUND=0
@ -129,6 +109,7 @@ unset LANG
SCAN_TEST_HEAVY=""; SCAN_TEST_MEDIUM=""; SCAN_TEST_LOW=""
SESTATUSBINARY=""
SERVICE_MANAGER=""
SHOW_PROGRAM_DETAILS=1
SHOW_REPORT=1
SKIPPED_TESTS_ROOTONLY=""
SSHKEYSCANBINARY=""
@ -137,37 +118,42 @@ unset LANG
TEST_SKIP_ALWAYS=""
TESTS_EXECUTED=""
TESTS_SKIPPED=""
TOTAL_SUGGESTIONS=0
TOTAL_WARNINGS=0
TRIPWIREBINARY=""
UEFI_BOOTED=0
UEFI_BOOTED_SECURE=0
UNBOUND_RUNNING=0
UPLOAD_OPTIONS=""
UPDATE_CHECK_SKIPPED=0
VALUE=""
VMTYPE=""
#
#################################################################################
#
# == Options ==
# * Options
#
# Option Description
# --------------------------------------------------------------------------
CRONJOB=0 # Run as a cronjob
CTESTS_PERFORMED=0 # Number of tests which are performed
#################################################################################
#
CRONJOB=0 # Run as a cronjob
CTESTS_PERFORMED=0 # Number of tests which are performed
DEBUG=0 # Debugging mode (to screen)
HPPOINTS=0 # Number of hardening points
HPTOTAL=0 # Maximum number of hardening points
LOG_INCORRECT_OS=1 # Log tests with incorrect OS
NEVERBREAK=0 # Don't wait for user input
LOG_INCORRECT_OS=1 # Log tests with incorrect OS
NEVERBREAK=0 # Don't wait for user input
PENTESTINGMODE=0 # Try tests without root privileges
QUICKMODE=0 # Don't wait for user input
QUIET=0 # Show normal messages and warnings as well
SHOW_TOOL_TIPS=1 # Show inline tool tips (default true)
SKIPLOGTEST=0 # Skip logging for one test
SKIP_UPGRADE_TEST=0 # Skip upgrade test
TESTS_TO_PERFORM="" # Which tests only to perform
TEST_PAUSE_TIME=0 # Default pause time
TOTAL_TESTS=0 # Total amount of tests (counter)
QUICKMODE=0 # Don't wait for user input
QUIET=0 # Show normal messages and warnings as well
SHOW_TOOL_TIPS=1 # Show inline tool tips (default true)
SKIPLOGTEST=0 # Skip logging for one test
SKIP_UPGRADE_TEST=0 # Skip upgrade test
TESTS_TO_PERFORM="" # Which tests only to perform
TEST_PAUSE_TIME=0 # Default pause time
TOTAL_TESTS=0 # Total amount of tests (counter)
UPLOAD_DATA=0 # Upload of data to central node
VIEWHELP=0 # Show help
VIEWUPDATEINFO=0 # View program/database version
WRONGOPTION=0 # A wrong option is used
VIEWHELP=0 # Show help
WRONGOPTION=0 # A wrong option is used
#
#################################################################################
#
@ -176,24 +162,24 @@ unset LANG
#
#################################################################################
#
# Colors
# * Colors
#
# For improved display
#
#################################################################################
#
# Color name Description
# --------------------------------------------------------------------------
NORMAL=""
WARNING="" # Bad (red)
SECTION="" # Section (yellow)
NOTICE="" # Notice (yellow)
OK="" # Ok (green)
BAD="" # Bad (red)
NORMAL=""
WARNING="" # Bad (red)
SECTION="" # Section (yellow)
NOTICE="" # Notice (yellow)
OK="" # Ok (green)
BAD="" # Bad (red)
# Real color names
YELLOW="" # Yellow
WHITE="" # White
GREEN="" # Green
RED="" # Red
# Normal color names
YELLOW=""
WHITE=""
GREEN=""
RED=""
PURPLE=""
MAGENTA=""
BROWN=""

@ -90,7 +90,21 @@ output "Settings file: ${SETTINGS_FILE}"
if [ -f ${REPORTFILE} ]; then
output "${WHITE}Report file found.${NORMAL} Starting with connectivity check.."
# Quit if license is not valid, to reduce load on both client and server.
UPLOAD=`${CURLBINARY} ${CURL_OPTIONS} -s -S --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "collector_version=${PROGRAM_VERSION}" ${LICENSE_SERVER_URL}`
UPLOAD=`${CURLBINARY} ${CURL_OPTIONS} -s -S --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "collector_version=${PROGRAM_VERSION}" ${LICENSE_SERVER_URL} 2> /dev/null`
EXITCODE=$?
if [ ${EXITCODE} -gt 0 ]; then
if [ ${EXITCODE} -eq 60 ]; then
echo "${RED}Self-signed certificate used on Lynis Enterprise node${NORMAL}"
echo "If you want to accept a self-signed certificate, use the -k option in the profile."
echo "Example: ${WHITE}config:upload_options:-k:${NORMAL}"
logtext "Result: found self-signed certificate, however cURL -k option not used."
else
output "${RED}Error: ${NORMAL}cURL exited with code ${EXITCODE}"
logtext "Result: cURL exited with code ${EXITCODE}"
fi
logtext "Result: quitting, can't check license"
ExitFatal
fi
UPLOAD_CODE=`echo ${UPLOAD} | head -n 1 | awk '{ if ($1=="Response") { print $2 }}'`
if [ "${UPLOAD_CODE}" = "100" ]; then
output "${WHITE}License is valid${NORMAL}"
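Review bot: curl exit code 60 means the peer certificate could not be authenticated against the known CA certificates, which covers an untrusted CA, an expired certificate or an interposed proxy, not only a self-signed certificate, so the message "Self-signed certificate used on Lynis Enterprise node" and the suggestion to add `config:upload_options:-k:` may steer an operator into disabling verification for the connection that carries the license key. Suggest rewording to "certificate could not be verified" and recommending that the node's CA certificate be added to the trust store (or passed with `--cacert`), with `-k` mentioned only as a last resort.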
@ -110,7 +124,7 @@ output "Settings file: ${SETTINGS_FILE}"
echo "Key: ${LICENSE_KEY}"
output "Debug information: ${UPLOAD}"
# Quit
ExitClean
ExitFatal
fi
# Extract the hostid from the parse file
HOSTID=`cat ${REPORTFILE} | grep "^hostid=" | awk -F= '{ print $2 }'`
@ -119,23 +133,27 @@ output "Settings file: ${SETTINGS_FILE}"
# Try to connect
output "Uploading data.."
logtext "Command used: ${CURLBINARY} ${CURL_OPTIONS} -s -S --data-urlencode \"data@${REPORTFILE}\" --data-urlencode \"licensekey=${LICENSE_KEY}\" --data-urlencode \"hostid=${HOSTID}\" ${UPLOAD_URL}"
UPLOAD=`${CURLBINARY} ${CURL_OPTIONS} -s -S --data-urlencode "data@${REPORTFILE}" --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "hostid=${HOSTID}" ${UPLOAD_URL}`
if [ $? -gt 0 ]; then
UPLOAD=`${CURLBINARY} ${CURL_OPTIONS} -s -S --data-urlencode "data@${REPORTFILE}" --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "hostid=${HOSTID}" ${UPLOAD_URL} 2> /dev/null`
EXITCODE=$?
if [ ${EXITCODE} -gt 0 ]; then
#UPLOAD_CODE=`echo ${UPLOAD} | head -n 1 | awk '{ print $2 }'`
#output "Output code from upload: ${UPLOAD_CODE}"
output "${RED}Error occurred, please check documentation for code ${UPLOAD_CODE}.${NORMAL}"
output "Debug:"
output ${UPLOAD}
echo "${RED}Error: ${NORMAL}Error occurred, cURL ended during the upload of the report data."
echo "Related exit code: ${EXITCODE}"
echo "Check the last section of the log file for the exact command used, for further troubleshooting"
echo "Debug:"
echo ${UPLOAD}
# Quit
ExitClean
fi
else
echo "${RED}Fatal error${NORMAL}: No hostid found in report file. Can not upload report file."
echo "${RED}Error${NORMAL}: No hostid found in report file. Can not upload report file."
# Quit
ExitClean
ExitFatal
fi
else
output "${YELLOW}No report file found to upload.${NORMAL}"
ExitFatal
fi
#
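Review bot: the `logtext "Command used: ..."` line writes `licensekey=${LICENSE_KEY}` into the log file, so the license key ends up in a file that may be world-readable or shipped in support bundles; suggest logging the command with the key redacted. Also `echo ${UPLOAD}` in the new error branch is unquoted, so the server response is word-split and glob-expanded before printing; use `echo "${UPLOAD}"`.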

@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015 - Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# https://cisofy.com
# Copyright 2007-2015, Michael Boelen - CISOfy (michael.boelen@cisofy.com)
# Website: https://cisofy.com
#
# This software is licensed under GPL, version 3. See LICENSE file for
# usage of this software.
@ -20,14 +20,16 @@
# Function Description
# ----------------------- -------------------------------------------------
# AddHP Add Hardening points to plot a graph later
# AddSystemGroup Adds a system to a group
# CheckFilePermissions Check file permissions
# CheckUpdates Determine if a new version of Lynis is available
# counttests Count number of performed tests
# Debug Display additional information on the screen (not suited for cronjob)
# DirectoryExists Check if a directory exists on the disk
# Display Output text to screen with colors and identation
# ExitClean Stop the program (cleanly)
# ExitFatal Stop the program (cleanly), with fatal
# ExitClean Stop the program (cleanly), with exit code 0
# ExitCustom Stop the program (cleanly), with custom exit code
# ExitFatal Stop the program (cleanly), with exit code 1
# FileExists Check if a file exists on the disk
# FileIsEmpty Check if a file is empty
# FileIsReadable Check if a file is readable or directory accessible
@ -50,6 +52,7 @@
# ShowSymlinkPath Show a path behind a symlink
# ViewCategories Display tests categories
# logtext Log text strings to logfile, prefixed with date/time
# report Add string of data to report file
#
#################################################################################
@ -62,6 +65,19 @@
logtext "Hardening: assigned ${HPADD} hardening points (max for this item: ${HPADDMAX}), current: ${HPPOINTS}, total: ${HPTOTAL}"
}
################################################################################
# Name : AddSystemGroup
# Description : Adds a system to a group, which can be used for categorizing
# Returns : <nothing>
################################################################################
AddSystemGroup()
{
report "system_group[]=$1"
}
# Check file permissions
# Parameter 1 is file/dir
# Result: FILE_NOT_FOUND | OK | BAD
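Review bot: AddSystemGroup writes `report "system_group[]=$1"` without checking that an argument was supplied, so a call with no parameter records an empty group name; suggest guarding with `if [ $# -eq 1 ]` (or `[ ! "$1" = "" ]`) and logging the misuse otherwise.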
@ -74,10 +90,10 @@
# If 'file' is an directory, use -d
if [ -d ${CHECKFILE} ]; then
FILEVALUE=`ls -d -l ${CHECKFILE} | cut -c 2-10`
PROFILEVALUE=`cat ${PROFILE} | grep '^permdir' | grep ":${CHECKFILE}:" | cut -d: -f3`
PROFILEVALUE=`cat ${PROFILE} | grep '^permdir' | grep ":${CHECKFILE}:" | cut -d: -f3`
else
FILEVALUE=`ls -l ${CHECKFILE} | cut -c 2-10`
PROFILEVALUE=`cat ${PROFILE} | grep '^permfile' | grep ":${CHECKFILE}:" | cut -d: -f3`
PROFILEVALUE=`cat ${PROFILE} | grep '^permfile' | grep ":${CHECKFILE}:" | cut -d: -f3`
fi
if [ "${FILEVALUE}" = "${PROFILEVALUE}" ]; then PERMS="OK"; else PERMS="BAD"; fi
fi
@ -117,7 +133,6 @@
# Check updates
CheckUpdates()
{
# Possible improvement: determine if host binary exists YYY
PROGRAM_LV="0000000000"; DB_MALWARE_LV="0000000000"; DB_FILEPERMS_LV="0000000000"
LYNIS_LV_RECORD="lynis-latest-version.cisofy.com."
FIND=`which dig 2> /dev/null`
@ -236,6 +251,18 @@
exit 0
}
# Clean exit with custom code
ExitCustom()
{
RemovePIDFile
# Exit with the exit code given, otherwise use 1
if [ $# -eq 1 ]; then
exit $1
else
exit 1
fi
}
# Clean exit (removing temp files, PID files), with error code 1
ExitFatal()
{
@ -337,8 +364,6 @@
fi
fi
# YYY check group ownership (just in case)
# Check if we have the read bit
if [ "${OTHERPERMS}" = "r" ]; then
CANREAD=1
@ -577,25 +602,101 @@
logtext "Test: Determine if this system is a virtual machine"
# 0 = no, 1 = yes, 2 = unknown
ISVIRTUALMACHINE=2; VMTYPE="unknown"; VMFULLTYPE="Unknown"
SHORT=""
# Trying systemd
if [ "${SHORT}" = "" -a ! "${SYSTEMCTLBINARY}" = "" ]; then
logtext "Test: trying to guess virtualization technology with systemctl"
FIND=`${SYSTEMCTLBINARY} | grep "^Virtualization=" | awk -F= '{ print $2 }'`
if [ ! "${FIND}" = "" ]; then
SHORT="${FIND}"
# facter
if [ "${SHORT}" = "" ]; then
if [ -x /usr/bin/facter ]; then
case "`facter is_virtual`" in
"true")
SHORT=`facter virtual`
logtext "Result: found ${SHORT}"
;;
"false")
logtext "Result: facter says this machine is not a virtual"
;;
esac
else
logtext "Result: facter utility not found"
fi
else
logtext "Result: skipped facter test, as we already found machine type"
fi
# systemd
if [ "${SHORT}" = "" ]; then
if [ -x /usr/bin/systemd-detect-virt ]; then
logtext "Test: trying to guess virtualization technology with systemd-detect-virt"
FIND=`/usr/bin/systemd-detect-virt`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found ${FIND}"
SHORT="${FIND}"
fi
else
logtext "Result: systemd-detect-virt not found"
fi
else
logtext "Result: skipped systemd test, as we already found machine type"
fi
# lscpu
# Values: VMware
if [ "${SHORT}" = "" ]; then
if [ -x /usr/bin/lscpu ]; then
logtext "Test: trying to guess virtualization with lscpu"
FIND=`lscpu | grep "^Hypervisor Vendor" | awk -F: '{ print $2 }' | sed 's/ //g'`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found ${FIND}"
SHORT="${FIND}"
else
logtext "Result: can't find hypervisor vendor with lscpu"
fi
else
logtext "Result: lscpu not found"
fi
else
logtext "Result: skipped lscpu test, as we already found machine type"
fi
# dmidecode
# Values: VMware Virtual Platform / VirtualBox
if [ "${SHORT}" = "" ]; then
if [ -x /usr/sbin/dmidecode ]; then
logtext "Test: trying to guess virtualization with dmidecode"
FIND=`dmidecode -s system-product-name | awk '{ print $1 }'`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found ${FIND}"
SHORT="${FIND}"
else
logtext "Result: can't find product name with dmidecode"
fi
else
logtext "Result: dmidecode not found"
fi
else
logtext "Result: skipped dmidecode test, as we already found machine type"
fi
# lshw
if [ "${SHORT}" = "" ]; then
if [ -x /usr/bin/lshw ]; then
SHORT=`lshw -quiet -class system | awk '{ if ($1=="product:") { print $2 }}'`
logtext "Test: trying to guess virtualization with lshw"
FIND=`lshw -quiet -class system | awk '{ if ($1=="product:") { print $2 }}'`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found ${FIND}"
SHORT="${FIND}"
fi
else
logtext "Result: lshw not found"
fi
else
logtext "Result: skipped lshw test, as we already found machine type"
fi
# Other options
# SaltStack: salt-call grains.get virtual
# < needs snippet >
# Try common guest processes
if [ "${SHORT}" = "" ]; then
logtext "Test: trying to guess virtual machine type by running processes"
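Review bot: the new detection blocks test for a specific absolute path but then invoke the tool by bare name, e.g. `if [ -x /usr/bin/facter ]` followed by `facter is_virtual`, and likewise for lscpu, dmidecode and lshw; the command actually executed is whatever the caller's PATH resolves first, which an audit tool that typically runs as root should avoid. Suggest calling the checked absolute path (as the systemd-detect-virt block already does) or the discovered *BINARY variables. Minor: "facter says this machine is not a virtual" reads better as "is not a virtual machine".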
@ -603,33 +704,49 @@
# VMware
IsRunning vmware-guestd
if [ ${RUNNING} -eq 1 ]; then SHORT="vmware"; fi
IsRunning vmtoolsd
if [ ${RUNNING} -eq 1 ]; then SHORT="vmware"; fi
# VirtualBox based on guest services
IsRunning vboxguest-service
if [ ${RUNNING} -eq 1 ]; then SHORT="virtualbox"; fi
IsRunning VBoxClient
if [ ${RUNNING} -eq 1 ]; then SHORT="virtualbox"; fi
else
logtext "Result: skipped processes test, as we already found platform"
fi
# Amazon EC2
if [ "${SHORT}" = "" ]; then
logtext "Test: checking specific files for Amazon"
if [ -f /etc/ec2_version -a ! -z /etc/ec2_version ]; then SHORT="amazon-ec2"; fi
if [ -f /etc/ec2_version -a ! -z /etc/ec2_version ]; then
SHORT="amazon-ec2"
else
logtext "Result: system not hosted on Amazon"
fi
else
logtext "Result: skipped Amazon EC2 test, as we already found platform"
fi
# sysctl values
if [ "${SHORT}" = "" ]; then
logtext "Test: trying to guess virtual machine type by sysctl keys"
# FreeBSD: hw.hv_vendor (remains empty for VirtualBox)
# NetBSD: machdep.dmi.system-product
# OpenBSD: hw.product
SHORT=`sysctl -a 2> /dev/null | egrep "(hw.product|machdep.dmi.system-product)" | head -1 | sed 's/ = /=/' | awk -F= '{ print $2 }'`
FIND=`sysctl -a 2> /dev/null | egrep "(hw.product|machdep.dmi.system-product)" | head -1 | sed 's/ = /=/' | awk -F= '{ print $2 }'`
if [ ! "${FIND}" = "" ]; then
SHORT="${FIND}"
fi
else
logtext "Result: skipped sysctl test, as we already found platform"
fi
# Check if we catched some string along all tests
if [ ! "${SHORT}" = "" ]; then
# Lowercase and see if we found a match
SHORT=`echo ${SHORT} | tr [[:upper:]] [[:lower:]]`
SHORT=`echo ${SHORT} | awk '{ print $1 }' | tr [[:upper:]] [[:lower:]]`
case ${SHORT} in
amazon-ec2) ISVIRTUALMACHINE=1; VMTYPE="amazon-ec2"; VMFULLTYPE="Amazon AWS EC2 Instance" ;;
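Review bot: `[ -f /etc/ec2_version -a ! -z /etc/ec2_version ]` tests whether the literal string "/etc/ec2_version" is non-empty, which is always true; if the intent is a non-empty file, the test is `-s /etc/ec2_version`. The condition is carried over unchanged from the removed line, so the bug predates this change, but it is worth fixing while the block is being restructured.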
@ -637,7 +754,7 @@
docker) ISVIRTUALMACHINE=1; VMTYPE="docker"; VMFULLTYPE="Docker container" ;;
kvm) ISVIRTUALMACHINE=1; VMTYPE="kvm"; VMFULLTYPE="KVM" ;;
lxc) ISVIRTUALMACHINE=1; VMTYPE="lxc"; VMFULLTYPE="Linux Containers" ;;
lxc-libvirt) ISVIRTUALMACHINE=1; VMTYPE="lxc-libvirt"; VMFULLTYPE="libvirt LXC driver (Linux Containers" ;;
lxc-libvirt) ISVIRTUALMACHINE=1; VMTYPE="lxc-libvirt"; VMFULLTYPE="libvirt LXC driver (Linux Containers)" ;;
microsoft) ISVIRTUALMACHINE=1; VMTYPE="microsoft"; VMFULLTYPE="Microsoft Virtual PC" ;;
openvz) ISVIRTUALMACHINE=1; VMTYPE="openvz"; VMFULLTYPE="OpenVZ" ;;
oracle|virtualbox) ISVIRTUALMACHINE=1; VMTYPE="virtualbox"; VMFULLTYPE="Oracle VM VirtualBox" ;;
@ -656,9 +773,11 @@
logtext "Result: found virtual machine (type: ${VMTYPE}, ${VMFULLTYPE})"
report "vm=1"
report "vmtype=${VMTYPE}"
elif [ ${ISVIRTUALMACHINE} -eq 2 ]; then
elif [ ${ISVIRTUALMACHINE} -eq 2 ]; then
logtext "Result: unknown if this system is a virtual machine"
report "vm=2"
else
logtext "Result: system seems to be non-virtual"
fi
}
@ -778,6 +897,8 @@
NGINX_ACCESS_LOG_DISABLED=1
else
if [ ! "${VALUE}" = "" ]; then
# If multiple values follow, select first one
VALUE=`echo ${VALUE} | awk '{ print $1 }'`
if [ ! -f ${VALUE} ]; then
logtext "Result: could not find referenced log file ${VALUE} in nginx configuration"
NGINX_ACCESS_LOG_MISSING=1
@ -807,12 +928,12 @@
NGINX_EXPIRES_FOUND=1
;;
error_log)
# YYY Check if debug is appended
# Check if debug is appended
FIND=`echo ${VALUE} | awk '{ if ($2=="debug") { print 1 } else { print 0 }}'`
if [ ${FIND} -eq 1 ]; then
NGINX_ERROR_LOG_DEBUG=1
fi
# YYY Check if file exists
# Check if log file exists
FILE=`echo ${VALUE} | awk '{ print $1 }'`
if [ ! "${FILE}" = "" ]; then
if [ ! -f ${FILE} ]; then
@ -1023,7 +1144,7 @@
if [ ! "${FIND}" = "" ]; then SKIPTEST=1; SKIPREASON="Skipped by configuration"; fi
fi
# Skip if test is not in the list
# Skip if test is not in the list
if [ ${SKIPTEST} -eq 0 -a ! "${TESTS_TO_PERFORM}" = "" ]; then
FIND=`echo "${TESTS_TO_PERFORM}" | grep "${TEST_NO}"`
if [ "${FIND}" = "" ]; then SKIPTEST=1; SKIPREASON="Test not in list of tests to perform"; fi
@ -1109,7 +1230,7 @@
{
if [ $1 = "" ]; then TESTID="UNKNOWN"; fi
# Status: OK, WARNING, NEUTRAL, SUGGESTION
# Impact: HIGH, SEVERE, LOW,
# Impact: HIGH, SEVERE, LOW,
#report "result[]=TESTID-${TESTID},STATUS-$2,IMPACT-$3,MESSAGE-$4-"
# Reset ID before next test
TESTID=""
@ -1118,6 +1239,7 @@
# Log suggestions to report file
ReportSuggestion()
{
TOTAL_SUGGESTIONS=`expr ${TOTAL_SUGGESTIONS} + 1`
# 2 parameters
# <ID> <suggestion text>
report "suggestion[]=$1|$2|"
@ -1127,6 +1249,7 @@
# Log warning to report file
ReportWarning()
{
TOTAL_WARNINGS=`expr ${TOTAL_WARNINGS} + 1`
# 3 parameters
# <ID> <priority/impact> <warning text>
if [ "$2" = "L" -o "$2" = "M" -o "$2" = "H" ]; then
@ -1283,6 +1406,7 @@
SYMLINK_USE_READLINK=1
logtext "Note: Using real readlink binary to determine symlinks"
tFILE=`${READLINKBINARY} -f ${sFILE}`
logtext "Result: readlink shows ${tFILE} as output"
fi
fi
# Check if we can find the file now
@ -1292,6 +1416,14 @@
sFILE="${tFILE}"
logtext "Result: symlink found, pointing to file ${sFILE}"
FOUNDPATH=1
elif [ -b ${tFILE} ]; then
sFILE="${tFILE}"
logtext "Result: symlink found, pointing to block device ${sFILE}"
FOUNDPATH=1
elif [ -c ${tFILE} ]; then
sFILE="${tFILE}"
logtext "Result: symlink found, pointing to character device ${sFILE}"
FOUNDPATH=1
elif [ -d ${tFILE} ]; then
sFILE="${tFILE}"
logtext "Result: symlink found, pointing to directory ${sFILE}"

@ -4,7 +4,6 @@ if [ $# -eq 0 ]; then
Display --indent 2 --text "${RED}Error: ${WHITE}Provide URL or file${NORMAL}"
Display --text " "; Display --text " "
ExitFatal
else
FILE=`echo $1 | egrep "^http|https"`
@ -18,7 +17,7 @@ if [ $# -eq 0 ]; then
if [ -f ${TMP_FILE} ]; then
rm -f ${TMP_FILE}
fi
Dislpay --indent 2 --text "${RED}Error: ${WHITE}can not download file${NORMAL}"
Display --indent 2 --text "${RED}Error: ${WHITE}can not download file${NORMAL}"
ExitFatal
fi
else

include/helper_update Normal file

@ -0,0 +1,266 @@
#!/bin/sh
######################################################################
#
# Helper program to support automatic updates of Lynis
#
######################################################################
#
# Options:
# ---------
# 1) lynis update info - Show version information (external)
# 2) lynis update release - Check and install new release (internal)
#
# How to use:
# ------------
# Run option 1 to know about current and latest release information.
# Run option 2 to query internal server for possible upgrade of Lynis.
#
# Steps for updating to new release:
# 1) Run Lynis with: lynis update release
# 2) Lynis will use this helper and check the profile
# 3) The configured web server will be queried (lynis-latest-version)
# 4) The contents of this file will be compared with a local file
# 5) If there is a difference, download package
# 6) Check paths and extract files
# 7) Quit program
#
# Suggested documentation if you want to use this functionality:
# https://cisofy.com/documentation/lynis/upgrading/
#
######################################################################
LOCAL_VERSION="-"
SERVER_VERSION=""
PERFORM_UPGRADE=0
WGET_EXISTS=`which wget 2> /dev/null`
CURL_EXISTS=`which curl 2> /dev/null`
FETCH_EXISTS=`which fetch 2> /dev/null`
# Update version
if [ "$1" = "release" ]; then
if [ "${UPDATE_SERVER_PROTOCOL}" = "" ] ; then
Display --indent 2 --text "Error: Unknown protocol, please specify (http, https) in profile (update_server_protocol)"
ExitFatal
fi
if [ "${UPDATE_SERVER_ADDRESS}" = "" ] ; then
Display --indent 2 --text "Error: Unknown download address, please specify in profile (update_server_address)"
ExitFatal
fi
if [ "${UPDATE_LATEST_VERSION_DOWNLOAD}" = "" ] ; then
Display --indent 2 --text "Error: No URL to latest download has been specifiedrsion on the server, please specify in profile (update_latest_version_download)"
ExitFatal
fi
if [ "${UPDATE_LATEST_VERSION_INFO}" = "" ] ; then
Display --indent 2 --text "Error: No URL has been specified to know the latest version on the server, please specify in profile (update_latest_version_info)"
ExitFatal
fi
if [ "${UPDATE_LOCAL_DIRECTORY}" = "" ] ; then
Display --indent 2 --text "Error: No local directory has been specified to store Lynis files. Please specify in profile (update_local_directory)"
ExitFatal
else
if [ ! -d ${UPDATE_LOCAL_DIRECTORY} ]; then
Display --indent 2 --text "Error: Directory ${UPDATE_LOCAL_DIRECTORY} does not exist"
ExitFatal
fi
fi
if [ "${UPDATE_LOCAL_VERSION_INFO}" = "" ] ; then
Display --indent 2 --text "Error: No data file has been specified to determine local Lynis version, please specify in profile (update_local_version_info)"
ExitFatal
fi
if [ ! -f ${UPDATE_LOCAL_VERSION_INFO} ]; then
Display --indent 2 --text "Note: local data file ${UPDATE_LOCAL_VERSION_INFO} does not exist. It will be created after updating. (update_local_version_info)"
else
LOCAL_VERSION=`cat ${UPDATE_LOCAL_VERSION_INFO}`
fi
# Normal update
FULLPATH="${UPDATE_SERVER_PROTOCOL}://${UPDATE_SERVER_ADDRESS}${UPDATE_LATEST_VERSION_INFO}"
TMP_FILE=`mktemp /tmp/audit.XXXXXXXXXX`
if [ "${TMP_FILE}" = "" ]; then
Display --indent 2 --text "Could not create a temporary file in /tmp with mktemp. Aborting.."
ExitFatal
fi
Display --indent 2 --text "${CYAN}[Phase 1] Downloading details${NORMAL}"
if [ ! "${WGET_EXISTS}" = "" ]; then
logtext "Using wget to download release information"
LAST_COMMAND_HELP="wget --output-document ${TMP_FILE} ${FULLPATH}"
wget --output-document ${TMP_FILE} ${FULLPATH} 2> /dev/null
EXIT_CODE=$?
elif [ ! "${CURL_EXISTS}" = "" ]; then
logtext "Using curl to download release information"
LAST_COMMAND_HELP="curl --fail -o ${TMP_FILE} ${FULLPATH}"
curl --fail -o ${TMP_FILE} ${FULLPATH} 2> /dev/null
EXIT_CODE=$?
else
Display --indent 2 --text "No download tool available to perform download"
ExitFatal
fi
if [ ! "${TMP_FILE}" = "" ]; then
if [ -f ${TMP_FILE} ]; then
SERVER_VERSION=`cat ${TMP_FILE}`
rm -f ${TMP_FILE}
fi
else
Display --indent 2 --text "Temporary file variable is empty, which is unexpected. Aborting.."
ExitFatal
fi
# Determine if downloading meta data was successful
if [ ${EXIT_CODE} -eq 0 ]; then
if [ "${SERVER_VERSION}" = "" ]; then
Display --indent 2 --text "No version found on the server. Aborting.."
ExitFatal
else
Display --indent 2 --text "Version found on server: ${SERVER_VERSION}"
Display --indent 2 --text "Local version found: ${LOCAL_VERSION}"
fi
else
Display --indent 2 --text "${RED}Error: ${WHITE}Download utility returned an unexpected error code.${NORMAL} Aborting.."
Display --indent 2 --text "Error code: ${EXIT_CODE}"
Display --indent 2 --text "Suggested command: ${LAST_COMMAND_HELP}"
ExitFatal
fi
#==========================================================================================================================================
Display --indent 2 --text " "
Display --indent 2 --text "${CYAN}[Phase 2] Compare results${NORMAL}"
if [ ! "${LOCAL_VERSION}" = "${SERVER_VERSION}" ]; then
Display --indent 2 --text "Different version available, moving to upgrade phase"
PERFORM_UPGRADE=1
else
Display --indent 2 --text "${GREEN}No upgrade needed${NORMAL}"
fi
# Go to phase 3 if upgrade is needed
if [ ${PERFORM_UPGRADE} -eq 1 ]; then
FULLPATH="${UPDATE_SERVER_PROTOCOL}://${UPDATE_SERVER_ADDRESS}${UPDATE_LATEST_VERSION_DOWNLOAD}"
Display --indent 2 --text " "
Display --indent 2 --text "[Phase 3] Downloading latest release"
Display --indent 2 --text "Download location: ${FULLPATH}"
if [ ! "${WGET_EXISTS}" = "" ]; then
logtext "Using wget to download latest release"
LAST_COMMAND_HELP="wget --output-document ${TMP_FILE} ${FULLPATH}"
wget --output-document ${TMP_FILE} ${FULLPATH} 2> /dev/null
EXIT_CODE=$?
elif [ ! "${CURL_EXISTS}" = "" ]; then
logtext "Using curl to download latest release"
LAST_COMMAND_HELP="curl --fail -o ${TMP_FILE} ${FULLPATH}"
curl --fail -o ${TMP_FILE} ${FULLPATH} 2> /dev/null
EXIT_CODE=$?
fi
if [ ${EXIT_CODE} -eq 0 ]; then
if [ -f ${TMP_FILE} ]; then
Display --indent 2 --text "Download successful"
# Extract the file to the related path, with 'lynis' appended
# Note: by default the tarball includes 'lynis' as directory
if [ ! -d ${UPDATE_LOCAL_DIRECTORY} ]; then
Display --indent 2 --text "Error: directory ${UPDATE_LOCAL_DIRECTORY} does not exist"
ExitFatal
fi
Display --indent 2 --text "Extracting latest version to path ${UPDATE_LOCAL_DIRECTORY}"
if [ ! -d ${UPDATE_LOCAL_DIRECTORY}/lynis ]; then
Display --indent 2 --text "Creating 'lynis' directory in ${UPDATE_LOCAL_DIRECTORY}"
mkdir ${UPDATE_LOCAL_DIRECTORY}/lynis
if [ $? -gt 0 ]; then
Display --indent 2 --text "Error: could not create directory ${UPDATE_LOCAL_DIRECTORY}/lynis"
ExitFatal
fi
fi
if [ -d ${UPDATE_LOCAL_DIRECTORY}/lynis ]; then
Display --indent 2 --text "Extracting files to ${UPDATE_LOCAL_DIRECTORY}"
tar xzf ${TMP_FILE} -C ${UPDATE_LOCAL_DIRECTORY}
if [ $? -eq 0 ]; then
# Check if we can find the Lynis binary (in the created 'lynis' directory)
if [ -f ${UPDATE_LOCAL_DIRECTORY}/lynis/lynis ]; then
# If version was downloaded, update local version
echo ${SERVER_VERSION} > ${UPDATE_LOCAL_VERSION_INFO}
else
Display --indent 2 --text "Error: could not find downloaded file on disk"
fi
else
Display --indent 2 --text "Error: File extraction failed"
ExitFatal
fi
else
Display --indent 2 --text "Error: could not find lynis directory"
fi
else
Display --indent 2 --text "Error: could not find downloaded file on disk"
ExitFatal
fi
else
Display --indent 2 --text "Error: could not download latest release"
Display --indent 2 --text "Suggestion: ${LAST_COMMAND_HELP}"
ExitFatal
fi
fi
# Removing temp file
logtext "Action: Removing temporary file ${TMP_FILE}"
if [ "${TMP_FILE}" = "" ]; then
if [ -f ${TMP_FILE} ]; then
rm -f ${TMP_FILE}
fi
fi
Display --indent 2 --text " "
Display --indent 2 --text "Done"
Display --indent 2 --text " "
ExitClean
# Update check
elif [ "$1" = "info" ]; then
# CV - Current Version
PROGRAM_AC=`echo ${PROGRAM_version} | awk '{ print $1 }' | sed 's/[.]//g'`
PROGRAM_LV=0
CheckUpdates
# Reset everything if we can't determine our current version or the latest
# available version (due lack of internet connectivity for example)
if [ "${PROGRAM_AC}" = "" -o "${PROGRAM_LV}" = "" ]; then
# Set both to safe values
PROGRAM_AC=0; PROGRAM_LV=0
fi
echo ""; echo " == ${WHITE}${PROGRAM_name}${NORMAL} =="
echo ""
echo " Version : ${PROGRAM_version}"
echo -n " Status : "
if [ ${PROGRAM_LV} -eq 0 ]; then
echo "${RED}Unknown${NORMAL}";
elif [ ${PROGRAM_LV} -gt ${PROGRAM_AC} ]; then
echo "${YELLOW}Outdated${NORMAL}";
echo " Current version : ${PROGRAM_AC}"
echo " Latest version : ${PROGRAM_LV}"
else
echo "${GREEN}Up-to-date${NORMAL}"
fi
echo " Release date : ${PROGRAM_releasedate}"
echo " Update location : ${PROGRAM_website}"
echo ""; echo ""
echo "${PROGRAM_copyright}"
echo ""
# Quit program
ExitClean
else
Display --indent 2 --text "${RED}Error: ${WHITE}Unknown parameter $1.${NORMAL} Aborting.."
ExitFatal
fi
# The End
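Review bot: the release tarball fetched in Phase 3 (`wget --output-document ${TMP_FILE} ${FULLPATH}` or `curl --fail -o ${TMP_FILE} ${FULLPATH}`) goes straight into `tar xzf ${TMP_FILE} -C ${UPDATE_LOCAL_DIRECTORY}` with no integrity check, and `update_server_protocol` may be plain http, so the update path installs whatever the download returns; verify a detached signature or a published checksum before extracting, and reject any protocol other than https. Two smaller problems in the same region: `TMP_FILE` is removed after Phase 1 (`rm -f ${TMP_FILE}`) and then reused as the download target in Phase 3, so the name mktemp reserved is no longer held and a fresh `mktemp` is needed there; and the final cleanup is inverted (`if [ "${TMP_FILE}" = "" ]; then` followed by `if [ -f ${TMP_FILE} ]`), so the temporary file is never deleted. The error text for `update_latest_version_download` also contains a typo ("specifiedrsion").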

View File

@ -23,6 +23,7 @@
PARAMCOUNT=$#
while [ $# -ge 1 ]; do
case $1 in
# Helpers first
audit)
CHECK_BINARIES=0
RUN_HELPERS=1
@ -63,6 +64,28 @@
#break
;;
# Helpers first
update)
CHECK_BINARIES=0
RUN_HELPERS=1
HELPER="update"
RUN_PLUGINS=0
RUN_TESTS=0
SHOW_PROGRAM_DETAILS=0
if [ ! $2 = "" ]; then
shift
HELPER_PARAMS="$1 $2"
break
else
Display --text "${RED}Error: ${WHITE}Need a target for update${NORMAL}"
Display --text " "
Display --text "Examples:"
Display --text "lynis update info"
Display --text "lynis update release"
ExitFatal
fi
;;
# Assign auditor to report
--auditor)
shift
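Review bot: `if [ ! $2 = "" ]` in the new `update)` branch leaves `$2` unquoted; with no target given the test degenerates to `[ ! = "" ]`, which only happens to evaluate false, and a target containing whitespace would break the test entirely. Quote it (`if [ ! "$2" = "" ]`), and consider accepting only the two targets the examples name (`info`, `release`) here instead of letting the helper report an unknown parameter later.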
@ -102,7 +125,9 @@
# View program/database information
--check-update | --check-updates | --info)
VIEWUPDATEINFO=1
echo "This option is deprecated"
echo "Use: lynis update info"
ExitClean
;;
# License key for Lynis Enterprise
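Review bot: `VIEWUPDATEINFO=1` in the `--check-update | --check-updates | --info)` branch is now dead code, since `ExitClean` runs right after the deprecation message; drop the assignment (and the variable, if nothing else reads it) so the deprecated option does not look as if it still performs the check.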
@ -144,11 +169,11 @@
LASTCHAR=`echo $1 | awk '{ print substr($0, length($0))}'`
if [ "${LASTCHAR}" = "/" ]; then
echo "${RED}Error:${WHITE} plugin directory path should not end with a slash${NORMAL}"
ExitFatal
ExitCustom 65
fi
if [ ! -d ${PLUGINDIR} ]; then
echo "${RED}Error:${WHITE} invalid plugin directory ${PLUGINDIR}${NORMAL}"
ExitFatal
ExitCustom 66
fi
;;
@ -238,4 +263,4 @@
done
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com

View File

@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -15,23 +15,6 @@
#################################################################################
#
# Read profile/template
#
#################################################################################
#
#YYY Enable check when profile files are complete and completely documented
# Check if default profile is used
if [ "${PROFILE}" = "defaultXXX.prf" ]; then
echo ""
echo " ==============================================================================="
echo " ${WARNING}Warning${NORMAL}: ${WHITE}Default profile is used.${NORMAL}"
echo " Default profile contains only a small amount of options and settings."
echo " Consult the documentation to create a custom profile!"
echo ""
echo " [ ${WHITE}Press [ENTER] to continue with the default profile or [CTRL] + C to stop${NORMAL} ]"
echo " ==============================================================================="
wait_for_keypress
fi
#
#################################################################################
#
@ -40,7 +23,7 @@
FIND=`cat ${PROFILE} | grep '^config:' | sed 's/ /!space!/g'`
for I in ${FIND}; do
OPTION=`echo ${I} | cut -d ':' -f2`
VALUE=`echo ${I} | cut -d ':' -f3 | sed 's/!space!/ /g'`
VALUE=`echo ${I} | cut -d ':' -f3 | sed 's/!space!/ /g'`
logtext "Profile option set: ${OPTION} (with value ${VALUE})"
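Review bot: the `VALUE=` assignment uses `cut -d ':' -f3`, which keeps only the third colon-separated field, so any profile value that itself contains a colon is silently truncated; for the `update_*` options this matters for a server address with a port (`host:8443`) or a full URL. Use `cut -d ':' -f3-` so the remainder of the line is kept, otherwise the truncated value is logged as if it were the configured setting.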
@ -120,7 +103,6 @@
# Profile name
profile_name)
# YYY dummy
PROFILE_NAME="${VALUE}"
;;
@ -147,6 +129,36 @@
if [ "${VALUE}" = "full" ]; then SCAN_TEST_LIGHT="YES"; SCAN_TEST_MEDIUM="YES"; SCAN_TEST_HEAVY="YES"; fi
;;
# Server IP or hostname
update_server_address)
UPDATE_SERVER_ADDRESS="${VALUE}"
;;
# Protocol (http, https)
update_server_protocol)
UPDATE_SERVER_PROTOCOL="${VALUE}"
;;
# File path to tarball on server
update_latest_version_download)
UPDATE_LATEST_VERSION_DOWNLOAD="${VALUE}"
;;
# File path to information file
update_latest_version_info)
UPDATE_LATEST_VERSION_INFO="${VALUE}"
;;
# Local directory where lynis directory will be placed
update_local_directory)
UPDATE_LOCAL_DIRECTORY="${VALUE}"
;;
# Local file to maintain current version
update_local_version_info)
UPDATE_LOCAL_VERSION_INFO="${VALUE}"
;;
# Options during upload of data
upload_options)
UPLOAD_OPTIONS="${VALUE}"
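Review bot: the new `update_server_protocol)` case stores the value unvalidated, and the helper later only checks that it is non-empty, so any string ends up in `${UPDATE_SERVER_PROTOCOL}://...`. Validate here against the two values the comment names (`http`, `https`), and consider defaulting to `https` so that an update over an unauthenticated channel requires an explicit choice in the profile.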

View File

@ -19,17 +19,6 @@
#################################################################################
#
# Only show overview if not running in quiet mode
if [ ${QUIET} -eq 0 ]; then
echo ""; echo "================================================================================"
echo ""; echo " -[ ${WHITE}${PROGRAM_name} ${PROGRAM_version} Results${NORMAL} ]-"
echo "";
if [ ${SHOW_REPORT} -eq 1 ]; then
logtextbreak
#
#################################################################################
#
@ -87,7 +76,18 @@
HPGRAPH="[${HPCOLOR}${HPBLOCKS}${NORMAL}${HPEMPTY}]"
logtext "Hardening index : [${HPINDEX}] [${HPBLOCKS}${HPEMPTY}]"
logtext "Hardening strength: ${HIDESCRIPTION}"
report "hardening_index=${HPINDEX}"
# Only show overview if not running in quiet mode
if [ ${QUIET} -eq 0 ]; then
echo ""; echo "================================================================================"
echo ""; echo " -[ ${WHITE}${PROGRAM_name} ${PROGRAM_version} Results${NORMAL} ]-"
echo "";
if [ ${SHOW_REPORT} -eq 1 ]; then
logtextbreak
#
#################################################################################
@ -107,7 +107,7 @@
if [ "${SWARNINGS}" = "" ]; then
echo " ${OK}No warnings${NORMAL}"; echo ""
else
echo " ${WARNING}Warnings${NORMAL}:"
echo " ${WARNING}Warnings${NORMAL} (${TOTAL_WARNINGS}):"
echo " ${WHITE}----------------------------${NORMAL}"
for WARNING in ${SWARNINGS}; do
SHOWWARNING=`echo ${WARNING} | sed 's/!space!/ /g' | sed 's/^\[\(.*\)\] Warning: //'`
@ -129,7 +129,7 @@
if [ "${SSUGGESTIONS}" = "" ]; then
echo " ${OK}No suggestions${NORMAL}"; echo ""
else
echo " ${YELLOW}Suggestions${NORMAL}:"
echo " ${YELLOW}Suggestions${NORMAL} (${TOTAL_SUGGESTIONS}):"
echo " ${WHITE}----------------------------${NORMAL}"
for SUGGESTION in ${SSUGGESTIONS}; do
SHOWSUGGESTION=`echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^\[\(.*\)\] Suggestion: //'`
@ -169,9 +169,10 @@
echo ""
echo " ${SECTION}Lynis Modules${NORMAL}:"
echo " - Heuristics Check [${WHITE}NA${NORMAL}] - Security Audit [${GREEN}V${NORMAL}]"
if [ ${LYNIS_COMPLIANCE_TESTS} -eq 1 ]; then COMPLIANCE="${GREEN}V"; else COMPLIANCE="${RED}X"; fi
echo " - Compliance Tests [${COMPLIANCE}${NORMAL}] - Vulnerability Scan [${GREEN}V${NORMAL}]"
if [ ${LYNIS_COMPLIANCE_TESTS} -eq 1 ]; then COMPLIANCE="${GREEN}V"; else COMPLIANCE="${YELLOW}NA"; fi
echo " - Compliance Tests [${COMPLIANCE}${NORMAL}]"
echo " - Security Audit [${GREEN}V${NORMAL}]"
echo " - Vulnerability Scan [${GREEN}V${NORMAL}]"
echo ""
echo " ${SECTION}Files${NORMAL}:"
echo " - Test and debug information : ${WHITE}${LOGFILE}${NORMAL}"
@ -224,21 +225,15 @@
echo "================================================================================"
fi
if [ ${SHOW_TOOL_TIPS} -eq 1 ]; then
echo " Tip: Disable all tests which are not relevant or are too strict for the"
echo " purpose of this particular machine. This will remove unwanted suggestions"
echo " and also boost the hardening index. Each test should be properly analyzed"
echo " to see if the related risks can be accepted, before disabling the test."
echo "================================================================================"
fi
echo ""; echo ""
fi
fi
# Report data, even if it is not displayed on screen
report "hardening_index=${HPINDEX}"
if [ ${QUIET} -eq 0 ]; then
echo " ${PROGRAM_name} ${PROGRAM_version}"

View File

@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -126,7 +126,9 @@
else
logtext "Result: auditd not active"
Display --indent 2 --text "- Checking auditd" --result "NOT FOUND" --color WHITE
ReportSuggestion ${TEST_NO} "Enable auditd to collect audit information"
if [ ! "${VMTYPE}" = "openvz" ]; then
ReportSuggestion ${TEST_NO} "Enable auditd to collect audit information"
fi
AUDITD_RUNNING=0
report "audit_daemon_running=0"
AddHP 0 1
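Review bot: in the `auditd not active` branch the suggestion is now suppressed when `${VMTYPE}` is `openvz`, but `AddHP 0 1` and `report "audit_daemon_running=0"` still run, so OpenVZ containers keep losing hardening points for a daemon the new condition treats as not applicable. Either move `AddHP` under the same `if`, or skip the test for that VM type at registration time so the score and the suggestion agree.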
@ -226,7 +228,7 @@
if [ -f /etc/ld.so.preload ]; then
logtext "Result: found /etc/ld.so.preload, testing if snoopy.so is listed"
FIND=`grep ${FILE} /etc/ld.so.preload`
if [ !"${FIND}" = "" ]; then
if [ ! "${FIND}" = "" ]; then
logtext "Result: found snoopy in ld.so.preload"
logtext "Output: ${FIND}"
Display --indent 6 --text "- Library in ld.so.preload" --result "LOADED" --color GREEN
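Review bot: the quoting fix `[ ! "${FIND}" = "" ]` is correct (the old `!"${FIND}"` compared the literal string `!` joined to the value), but the `grep ${FILE} /etc/ld.so.preload` command substitution one line above still passes `${FILE}` unquoted and as a regular expression; `grep -F -- "${FILE}"` matches the library path literally and survives unusual characters in it.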
@ -324,15 +326,6 @@
fi
#
#################################################################################
#
# Test : ACCT-9658
# Description : Check required audit files in /etc/security
#if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no ACCT-9658 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check required audit files"
#if [ ${SKIPTEST} -eq 0 ]; then
#fi
#
#################################################################################
#
# Test : ACCT-9662
# Description : Check location for audit events
@ -351,12 +344,13 @@
Display --indent 4 --text "- Checking Solaris audit location" --result FOUND --color GREEN
else
logtext "Result: location ${FIND} does not exist"
# YYY perform manual audit
Display --indent 4 --text "- Checking Solaris audit location" --result UNKNOWN --color YELLOW
Display --indent 4 --text "- Checking Solaris audit location" --result "NOT FOUND" --color YELLOW
ReportSuggestion "${TEST_NO}" "Check if the Solaris audit directory is available"
fi
else
logtext "Result: unknown event location"
Display --indent 4 --text "- Checking Solaris audit location" --result UNKNOWN --color YELLOW
ReportSuggestion "${TEST_NO}" "Check if the Solaris audit directory is properly configured"
fi
else
logtext "Result: could not find /etc/security/audit_control"
@ -365,22 +359,6 @@
fi
#
#################################################################################
#
# Test : ACCT-96xx
# Description : Check which events are audited
#if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no ACCT-96xx --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check BSM auditing in module list"
#if [ ${SKIPTEST} -eq 0 ]; then
#
#################################################################################
#
# Test : ACCT-96xx
# Description : Check user specific event auditing
#if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no ACCT-96xx --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check user specific event auditing"
#if [ ${SKIPTEST} -eq 0 ]; then
#
#################################################################################
#
# Test : ACCT-9672
# Description : check auditstat
@ -403,28 +381,8 @@
#################################################################################
#
# Test : ACCT-9680
# Description : Check if required packages are installed
#if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no ACCT-9662 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check BSM auditing in module list"
#if [ ${SKIPTEST} -eq 0 ]; then
#
# Solaris 10 packages
# bash-3.00# pkginfo | egrep 'SUNWcar|SUNWcsr|SUNWcsu|SUNWhea|SUNWman'
#system SUNWcar Core Architecture, (Root)
#system SUNWcsr Core Solaris, (Root)
#system SUNWcsu Core Solaris, (Usr)
#system SUNWhea SunOS Header Files
#system SUNWman On-Line Manual Pages
#
#################################################################################
#
# Check psacct package (ac, lastcomm, accton, sa)
# Check auditd (auditctl, ausearch, aureport)
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - http://cisofy.com - The Netherlands
# Lynis - Copyright 2007-2015, Michael Boelen / CISOfy - https://cisofy.com

View File

@ -31,11 +31,12 @@
# Test : AUTH-9204
# Description : Check users with UID zero (0)
# Notes : Ignores :0: in file if match is in NIS related line
Register --test-no AUTH-9204 --weight L --network NO --description "Check users with an UID of zero"
if [ ${SKIPTEST} -eq 0 ]; then
# Search accounts with UID 0
logtext "Test: Searching accounts with UID 0"
FIND=`grep ':0:' /etc/passwd | egrep -v '^#|^root:|^:0:0:::' | cut -d ":" -f1,3 | grep ':0'`
FIND=`grep ':0:' /etc/passwd | egrep -v '^#|^root:|^(\+:\*)?:0:0:::' | cut -d ":" -f1,3 | grep ':0'`
if [ ! "${FIND}" = "" ]; then
Display --indent 2 --text "- Search administrator accounts" --result WARNING --color RED
logtext "Result: Found more than one administrator accounts"
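Review bot: the final `grep ':0'` in the AUTH-9204 pipeline runs on `name:uid` pairs, so it also matches UIDs that merely begin with 0 (such as `012`), not only UID 0; anchoring it as `grep ':0$'` keeps the new NIS exclusion `^(\+:\*)?:0:0:::` intact and reports exactly the accounts with UID zero.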
@ -58,10 +59,8 @@
#
# Test : AUTH-9208
# Description : Check non-unique accounts
Register --test-no AUTH-9208 --weight L --network NO --description "Check non-unique accounts"
Register --test-no AUTH-9208 --weight L --network NO --description "Check non-unique accounts in passwd file"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: ${USER_PASSWD_DOUBLEUID_AUDIT_TITLE}"
logtext "Description: ${USER_PASSWD_DOUBLEUID_AUDIT_DESCRIPTION}"
logtext "Test: Checking for non-unique accounts"
if [ "${OS}" = "DragonFly" -o "${OS}" = "FreeBSD" -o "${OS}" = "NetBSD" ]; then
PASSWD_FILE="/etc/master.passwd"
@ -84,7 +83,7 @@
Display --indent 2 --text "- Checking UIDs" --result SKIPPED --color WHITE
logtext "Result: test skipped, ${PASSWD_FILE} file not available"
fi
logtext "Remarks: ${USER_PASSWD_DOUBLEUID_AUDIT_TEXT}"
logtext "Remarks: Non unique UIDs can riskful for the system or part of a configuration mistake"
fi
#
#################################################################################
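Review bot: the new remark string in AUTH-9208 is ungrammatical ("Non unique UIDs can riskful for the system or part of a configuration mistake"); since it lands in the log file, reword it to "Non-unique UIDs can be risky for the system or indicate a configuration mistake".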
@ -250,27 +249,6 @@
fi
#
#################################################################################
#
# # Test : AUTH-9229
# # Description : Check AIX password file consistency
# # Notes : Read only mode?
# if [ -x /usr/bin/usrck ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Register --test-no AUTH-9229 --os AIX --preqs-met ${PREQS_MET} --weight L --network NO --description "Check password file consistency"
# if [ ${SKIPTEST} -eq 0 ]; then
# logtext "Test: Checking password file consistency (usrck)"
# FIND=`/usr/bin/usrck -n ALL 2>; echo $?`
# if [ "${FIND}" = "0" ]; then
# Display --indent 2 --text "- Checking password file consistency" --result OK --color GREEN
# logtext "Result: usrck finished didn't find problems"
# else
# Display --indent 2 --text "- Checking password file consistency" --result WARNING --color RED
# logtext "Result: usrck found one or more errors/warnings in the password file."
# ReportWarning ${TEST_NO} "M" "usrck found one or more errors/warnings in the password file"
# ReportSuggestion ${TEST_NO} "Run usrck manually and correct found issues."
# fi
# fi
#
#################################################################################
#
# Test : AUTH-9230
# Description : Check Solaris password file consistency
@ -291,47 +269,6 @@
fi
#
#################################################################################
#
# # Test : AUTH-9231
# # Description : Check HP-UX password file consistency
# # Notes : Read only mode?
# if [ -x /usr/sbin/pwck ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Register --test-no AUTH-9231 --os HP-UX --preqs-met ${PREQS_MET} --weight L --network NO --description "Check password file consistency"
# if [ ${SKIPTEST} -eq 0 ]; then
# logtext "Test: Checking password file consistency (pwck)"
# FIND=`/usr/sbin/pwck 2> /dev/null; echo $?`
# if [ "${FIND}" = "0" ]; then
# Display --indent 2 --text "- Checking password file consistency" --result OK --color GREEN
# logtext "Result: pwck finished didn't find problems"
# else
# Display --indent 2 --text "- Checking password file consistency" --result WARNING --color RED
# logtext "Result: pwck found one or more errors/warnings in the password file."
# ReportWarning ${TEST_NO} "M" "pwck found one or more errors/warnings in the password file"
# ReportSuggestion ${TEST_NO} "Run pwck manually and correct found issues."
# fi
# fi
#
#################################################################################
#
# # Test : AUTH-9232
# # Description : Check HP-UX group file consistency
# if [ -x /usr/sbin/grpck ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Register --test-no AUTH-9232 --os HP-UX --preqs-met ${PREQS_MET} --weight L --network NO --description "Check password file consistency"
# if [ ${SKIPTEST} -eq 0 ]; then
# logtext "Test: Checking group file consistency (grpck)"
# FIND=`/usr/sbin/grpck 2> /dev/null; echo $?`
# if [ "${FIND}" = "0" ]; then
# Display --indent 2 --text "- Checking group file consistency" --result OK --color GREEN
# logtext "Result: grpck finished didn't find problems"
# else
# Display --indent 2 --text "- Checking group file consistency" --result WARNING --color RED
# logtext "Result: grpck found one or more errors/warnings in the group file."
# ReportWarning ${TEST_NO} "M" "grpck found one or more errors/warnings in the group file"
# ReportSuggestion ${TEST_NO} "Run grpck manually and correct found issues."
# fi
# fi
#
#################################################################################
#
# Test : AUTH-9234
# Description : Query user accounts
@ -434,23 +371,6 @@
fi
#
#################################################################################
#
# Test : AUTH-9244
# Description : Query NIS servers
#Register --test-no AUTH-9244 --weight L --network NO --description "Query NIS servers"
#if [ ${SKIPTEST} -eq 0 ]; then
#fi
#
#################################################################################
#
# Test : AUTH-9246
# Description : Query NIS active
#Register --test-no AUTH-9246 --weight L --network NO --description "Query active NIS servers"
#if [ ${SKIPTEST} -eq 0 ]; then
#if
#grep '^+' /etc/passwd /etc/group
#
#################################################################################
#
# Test : AUTH-9250
# Description : Check for sudoers file
@ -470,7 +390,6 @@
if [ ${FOUND} -eq 1 ]; then
logtext "Result: sudoers file found (${SUDOERS_FILE})"
Display --indent 2 --text "- Checking sudoers file" --result FOUND --color GREEN
# YYY add more tests to audit sudoers file
else
logtext "Result: sudoers file NOT found"
Display --indent 2 --text "- Checking sudoers file" --result "NOT FOUND" --color YELLOW
@ -515,65 +434,9 @@
fi
#
#################################################################################
#
# # Test : AUTH-9255
# # Description : Solaris test for unique UIDs
# Register --test-no AUTH-9255 --os Solaris --weight L --network NO --description "Solaris unique UIDs"
# if [ ${SKIPTEST} -eq 0 ]; then
# FIND=`logins -d | awk '{ print $1 }'`
# if [ "${FIND}" = "" ]; then
# logtext "Result: no duplicate accounts found, all accounts have an unique ID"
# Display --indent 2 --text "- Checking unique UIDs on Solaris" --result OK --color GREEN
# else
# for I in ${FIND}; do
# ReportWarning ${TEST_NO} "H" "Found passwordless account (${I})"
# done
# Display --indent 2 --text "- Checking unique UIDs on Solaris" --result WARNING --color RED
# fi
# fi
#
#################################################################################
#
# Test : AUTH-9260 [T]
# Description : Search for account lockout on Linux
# Notes : lib directory should be fixed
# Register --test-no AUTH-9260 --os Linux --weight L --network NO --description "Checking account lockout"
# if [ ${SKIPTEST} -eq 0 ]; then
# logtext "Test: searching for /lib/security/pam_tally.so"
# if [ -f /lib/security/pam_tally.so ]; then
# logtext "Result: /lib/security/pam_tally.so found"
# AddHP 1 1
# Display --indent 2 --text "- Checking account lockout module (pam_tally)" --result FOUND --color GREEN
# if [ -f /etc/pam.d/system-auth ]; then
# logtext "Test: search for enable pam_tally module in system-auth, with a deny value higher than zero"
# FIND=`grep "account required" /etc/pam.d/system-auth | grep "pam_tally.so" | grep "deny=" | grep -v "deny=0"`
# if [ "${FIND}" = "" ]; then
# logtext "Result: pam_tally properly configured"
# logtext "Output: ${FIND}"
# AddHP 1 1
# Display --indent 4 --text "- Checking lockout policy" --result FOUND --color GREEN
# else
# logtext "Result: pam_tally not (properly) configured"
# logtext "Output: ${FIND}"
# Display --indent 4 --text "- Checking lockout policy" --result SUGGESTION --color YELLOW
# AddHP 0 1
# ReportSuggestion ${TEST_NO} "Configure pam_tally in system-auth: account required /lib/security/pam_tally.so deny=3 no_magic_root reset"
# fi
# else
# logtext "Result: skipped, /etc/pam.d/system-auth not found"
# fi
# else
# logtext "Result: /lib/security/pam_tally.so not found"
# AddHP 0 1
# Display --indent 2 --text "- Checking account lockout module (pam_tally)" --result "SUGGESTION" --color YELLOW
# ReportSuggestion ${TEST_NO} "Install a PAM module for account lockout to counter brute force attacks"
# fi
#
#################################################################################
#
# Test : AUTH-9262
# Description : Search for PAM password strength testing libraries
# Notes : YYY (combine with other PAM modules)
Register --test-no AUTH-9262 --weight L --network NO --description "Checking presence password strength testing tools (PAM)"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
@ -708,11 +571,6 @@
fi
#
#################################################################################
#
# Test : AUTH-9270
# Description : Audit PAM configuration files
#
#################################################################################
#
# Test : AUTH-9278
# Description : Search LDAP support in PAM files
@ -732,7 +590,6 @@
else
logtext "Result: LDAP module not found"
Display --indent 2 --text "- Checking LDAP module in PAM" --result "NOT FOUND" --color WHITE
# YYY display message when ldap is enabled in /etc/passwd, but not found in PAM
fi
else
logtext "Result: file /etc/pam.d/common-auth not found, skipping test"
@ -815,7 +672,6 @@
logtext "Test: Checking PASS_MAX_DAYS option in /etc/login.defs "
FIND=`grep "^PASS_MAX_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MAX_DAYS") { print $2 } }'`
if [ "${FIND}" = "" -o "${FIND}" = "99999" ]; then
# YYY check if LDAP is used with password policies
logtext "Result: password aging limits are not configured"
Display --indent 2 --text "- Checking user password aging" --result DISABLED --color YELLOW
ReportSuggestion ${TEST_NO} "Configure password aging limits to enforce password changing on a regular base"
@ -829,15 +685,10 @@
fi
#
#################################################################################
#
# Test : AUTH-9292
# Description : Check locked accounts (exclamation mark as first char in second column)
#
#################################################################################
#
# Test : AUTH-9304
# Description : Check if single user mode login is properly configured in Solaris
# Notes : sulogin should be called from svm script (Solaris <10) in /etc/rcS.d (YYY)
# Notes : sulogin should be called from svm script (Solaris <10) in /etc/rcS.d
Register --test-no AUTH-9304 --os Solaris --weight L --network NO --description "Check single user login configuration"
if [ ${SKIPTEST} -eq 0 ]; then
# Check if file exists (Solaris 10 does not have this file by default)
@ -938,18 +789,11 @@
AddHP 2 2
fi
else
# YYY
logtext "Result: No inittab or init file found, unsure if system is protected"
fi
fi
#
#################################################################################
#
# Test : AUTH-9322
# Description : Authentication time restrictions
# /etc/security/time.conf
#
#################################################################################
#
# Test : AUTH-9328
# Description : Check default umask in common files
@ -967,10 +811,12 @@
logtext "Test: Checking umask value in /etc/profile"
FIND=`grep "umask" /etc/profile | sed 's/^[ \t]*//' | grep -v "^#" | awk '{ print $2 }'`
FIND2=`grep "umask" /etc/profile | sed 's/^[ \t]*//' | grep -v "^#" | awk '{ print $2 }' | wc -l`
#FIND2=`egrep "^([[:space:]])([[:tab:]])*umask" /etc/profile | awk '{ print $2 }' | wc -l`
WEAK_UMASK=0
FOUND_UMASK=0
if [ "${FIND2}" = "1" ]; then
if [ "${FIND2}" = "0" ]; then
logtext "Result: did not find umask in /etc/profile"
#YYY possibly weak umask
elif [ "${FIND2}" = "1" ]; then
logtext "Result: found umask (prefixed with spaces)"
FOUND_UMASK=1
if [ ! "${FIND}" = "077" -a ! "${FIND}" = "027" ]; then
@ -981,7 +827,7 @@
fi
# Found more than 1 umask value in profile
else
logtext "Result: found several umask values configured in /etc/profile"
logtext "Result: found multiple umask values configured in /etc/profile"
FOUND_UMASK=1
for I in ${FIND}; do
if [ ! "${I}" = "077" -a ! "${I}" = "027" ]; then
@ -1018,7 +864,7 @@
logtext "Test: Checking umask entries in /etc/passwd (pam_umask)"
if [ -f /etc/passwd ]; then
logtext "Result: file /etc/passwd exists"
logtext "Test: Checking umask value in /etc/profile"
logtext "Test: Checking umask value in /etc/passwd"
FIND=`grep "umask=" /etc/passwd`
if [ "${FIND}" = "" ]; then
ReportManual "AUTH-9328:03"
@ -1027,11 +873,10 @@
logtext "Result: file /etc/passwd does not exist"
fi
# /etc/login.defs
logtext "Test: Checking /etc/login.defs"
if [ -f /etc/login.defs ]; then
logtext "Result: file /etc/profile exists"
logtext "Result: file /etc/login.defs exists"
logtext "Test: Checking umask value in /etc/login.defs"
FIND=`grep "^UMASK" /etc/login.defs | awk '{ print $2 }'`
if [ "${FIND}" = "" ]; then
@ -1075,8 +920,7 @@
logtext "Result: file /etc/init.d/functions does not exist"
fi
# /etc/init.d/rc [T]
# Always needed? (YYY)
# /etc/init.d/rc
logtext "Test: Checking /etc/init.d/rc"
if [ -f /etc/init.d/rc ]; then
logtext "Result: file /etc/init.d/rc exists"
@ -1101,8 +945,43 @@
logtext "Result: file /etc/init.d/rc does not exist"
fi
# /etc/init.d/rcS [T]
# Always needed? (YYY)
# FreeBSD
if [ -f /etc/login.conf ]; then
FOUND=0
WEAK_UMASK=0
logtext "Result: file /etc/login.conf exists"
FIND=`cat /etc/login.conf | grep "umask" | sed 's/#.*//' | sed -E 's/^[[:cntrl:]]//' | grep -v '^$' | awk -F: '{ print $2}' | awk -F= '{ if ($1=="umask") { print $2 }}'`
if [ ! "${FIND}" = "" ]; then
for UMASK_VALUE in ${FIND}; do
case ${UMASK_VALUE} in
027|0027|077|0077)
logtext "Result: found umask value ${VALUE}, which is fine"
AddHP 2 2
FOUND=1
;;
*)
AddHP 0 2
FOUND=1
WEAK_UMASK=1
logtext "Result: found umask value ${VALUE}, which can be more strict"
;;
esac
done
fi
if [ ${FOUND} -eq 1 ]; then
if [ ${WEAK_UMASK} -eq 0 ]; then
Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result OK --color GREEN
else
Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result WEAK --color YELLOW
ReportSuggestion ${TEST_NO} "Umask in /etc/login.conf could be more strict like 027"
fi
else
logtext "Result: no umask setting found in /etc/login.conf, which is unexpected"
Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result NONE --color YELLOW
fi
fi
# /etc/init.d/rcS
logtext "Test: Checking /etc/init.d/rcS"
if [ -f /etc/init.d/rcS ]; then
logtext "Result: file /etc/init.d/rcS exists"
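Review bot: the two logtext lines inside the `case` refer to `${VALUE}`, but the loop variable is `UMASK_VALUE`, so both messages ("found umask value , which is fine" and the "can be more strict" one) log an empty value; both should read `${UMASK_VALUE}`. Two smaller points in the same block: `cat /etc/login.conf | grep "umask"` can be `grep "umask" /etc/login.conf`, and because `AddHP` is called once per matching line, a login.conf with several login classes awards or withholds points once per class rather than once for the file, which is worth a comment if intended.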
@ -1187,36 +1066,6 @@
fi
#
#################################################################################
#
# Test : AUTH-9342 [T]
# Description : AIX account locking
# Notes : /usr/sbin/lsuser -a logretries ALL
# should return ${ACCOUNT_MAX_RETRIES} or less for each user, but not 0
#
#################################################################################
#
# Test : AUTH-9344 [T]
# Description : HP-UX account locking
# Notes : grep :u_maxtries# /tcb/files/auth/system/default
# should return ${ACCOUNT_MAX_RETRIES} or less, but not 0
#
#################################################################################
#
# Test : AUTH-9348 [T]
# Description : Delay time after each failed login
# Notes : This control counters brute force attacking by delaying each
# attempt, while giving normal users to try typing in their
# account details after a reasonable delay
# Should return ${ACCOUNT_DELAY_TIME} or more
# (4 seconds would be good)
# AIX
# grep "logindelay" /etc/security/login.cfg
# Linux
# grep "FAIL_DELAY" /etc/login.defs
# HP-UX
# grep ":t_logdelay#" /tcb/files/auth/system/default
#
#################################################################################
#
# Test : AUTH-9402
# Description : Query LDAP authentication support
@ -1238,31 +1087,6 @@
fi
#
#################################################################################
#
# Test : AUTH-9404
# Description : Check LDAP client configuration
# if [ ${LDAP_AUTH_ENABLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Register --test-no AUTH-9404 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query LDAP servers in client configuration"
# if [ ${SKIPTEST} -eq 0 ]; then
# logtext "Test: checking ldap.conf locations"
# for I in ${LDAP_CONF_LOCATIONS}; do
# logtext "Test: checking ${I}"
# if [ -f ${I} ]; then
# logtext "Result: file ${I} exists"
# logtext "Test: checking LDAP servers in file ${I}"
# FIND2=`egrep "^host " ${I} | awk '{ print $2 }'`
# for I in ${FIND2}; do
# Display --indent 6 --text "LDAP server: ${I}"
# logtext "Result: found LDAP server ${I}"
# # YYY check if host(s) are reachable/respond to queries
# done
# else
# logtext "Result: ${I} does NOT exist"
# fi
# done
# fi
#
#################################################################################
#
# Test : AUTH-9406
# Description : Check LDAP servers in client configuration
@ -1273,13 +1097,14 @@
for I in ${LDAP_CONF_LOCATIONS}; do
logtext "Test: checking ${I}"
if [ -f ${I} ]; then
logtext "Result: file ${I} exists"
logtext "Result: file ${I} exists, LDAP being used"
LDAP_CLIENT_CONFIG_FILE="${I}"
logtext "Test: checking LDAP servers in file ${I}"
FIND2=`egrep "^host " ${I} | awk '{ print $2 }'`
for I in ${FIND2}; do
Display --indent 6 --text "LDAP server: ${I}"
logtext "Result: found LDAP server ${I}"
# YYY check if host(s) are reachable/respond to queries
report "ldap_server[]=${I}"
done
else
logtext "Result: ${I} does NOT exist"
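Review bot: the new log text "file ${I} exists, LDAP being used" draws a conclusion the check does not support: a client configuration file such as ldap.conf is installed with the LDAP client library on many systems whether or not LDAP authentication is in use, so only the presence of the file is established here. Suggest keeping "file ${I} exists" and leaving the "LDAP in use" conclusion to whichever test sets LDAP_AUTH_ENABLED. Also, the inner `for I in ${FIND2}` reuses the outer loop variable `I`, which makes the surrounding messages confusing; rename it, and note that `egrep "^host "` only sees the deprecated `host` directive while the `uri` form is the usual one in current ldap.conf files, so servers configured that way are never reported in `ldap_server[]`.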
@ -1289,44 +1114,39 @@
#
#################################################################################
#
# Test : AUTH-92xx
# Description : login.access checks
#Register --test-no AUTH-92xx --weight L --network NO --description "login.access checks"
#
#################################################################################
#
# pam_unix.so
# pam_cracklib.so
# pam_pwcheck.so
# pam_env.so
# pam_xauth.so
# pam_tally.so
# pam_wheel.so
# pam_limits.so
# pam_nologin.so
# pam_deny.so
# pam_securetty.so
# pam_time.so
# pam_access.so
# pam_listfile.so
# pam_lastlog.so
# pam_warn.so
# pam_console.so
# pam_resmgr.so
# pam_devperm.so
#
#################################################################################
#
# sudoers: Check for potential harmful commands like vi, echo, cat
# Test : AUTH-9408
# Description : Logging of failed login attempts
if [ -f /etc/login.defs ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no AUTH-9408 --preqs-met ${PREQS_MET} --weight L --network NO --description "Logging of failed login attempts via /etc/login.defs"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking FAILLOG_ENAB option in /etc/login.defs "
FIND=`grep "^FAILLOG_ENAB" /etc/login.defs | awk '{ if ($1=="FAILLOG_ENAB") { print $2 } }'`
# Search for enabled status (yes), otherwise consider it to be disabled (e.g. empty, or other value)
if [ "${FIND}" = "yes" ]; then
AUTH_FAILED_LOGINS_LOGGED=1
logtext "Result: failed login attempts are logged in /var/log/faillog"
Display --indent 2 --text "- Logging failed login attempts" --result ENABLED --color GREEN
AddHP 3 3
else
logtext "Result: failed login attempts are not logged"
Display --indent 2 --text "- Logging failed login attempts" --result DISABLED --color YELLOW
#ReportSuggestion ${TEST_NO} "Configure failed login attempts to be logged in /var/log/faillog"
AddHP 0 1
fi
fi
#
#################################################################################
#
report "auth_failed_logins_logged=${AUTH_FAILED_LOGINS_LOGGED}"
report "ldap_auth_enabled=${LDAP_AUTH_ENABLED}"
report "ldap_pam_enabled=${LDAP_PAM_ENABLED}"
if [ ! "${LDAP_CLIENT_CONFIG_FILE}" = "" ]; then
report "ldap_config_file=${LDAP_CLIENT_CONFIG_FILE}"
fi
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015 Michael Boelen, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
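Review bot: the hardening points in AUTH-9408 are inconsistent between the two branches, `AddHP 3 3` when FAILLOG_ENAB is "yes" but `AddHP 0 1` otherwise, so the maximum for the test changes depending on the result; both branches should use the same maximum. In the DISABLED branch the `ReportSuggestion` is commented out, so the user gets a yellow result with no suggestion on how to address it; either enable it or drop the line. Finally, the log line "failed login attempts are logged in /var/log/faillog" claims more than the test verifies: only the presence of the option in /etc/login.defs is checked, not that faillog is actually being written, so "FAILLOG_ENAB is set to yes in /etc/login.defs" would be the accurate wording.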

View File

@ -23,7 +23,7 @@
#################################################################################
#
BANNER_FILES="/etc/issue /etc/issue.net /etc/motd"
LEGAL_BANNER_STRINGS="access authorized legal monitor owner policy policies private prohibited restricted this unauthorized"
LEGAL_BANNER_STRINGS="audit access authori connect enforce evidence intrusion law legal monitor owner policy policies private prohibited restricted subject terms this unauthorized"
#
#################################################################################
#
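Review bot: the extended LEGAL_BANNER_STRINGS list now contains very common words ("this", "terms", "subject", "connect", "law"), which will match many ordinary /etc/motd or /etc/issue texts that contain no legal notice at all, inflating whatever match count the banner test uses. Consider either dropping the generic words or requiring a minimum number of distinct matches before a banner is considered a legal banner. The prefix entry "authori" (covering authorized and authorised) is a good approach and could replace some of the broader words.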
@ -221,29 +221,9 @@
#
#################################################################################
#
# /etc/dt/config/*/Xresources
# /etc/default/telnetd (telnet without TCP wrappers)
# /etc/default/ftpd (ftp without TCP wrappers)
# /etc/ftpd/banner.msg (ftp without TCP wrappers on Solaris)
# /etc/ftpaccess (HP-UX)
# /etc/ftpmotd (AIX)
# /etc/ftpaccess.ctl (AIX)
# /etc/security/login.cfg (AIX)
# /etc/X11/xdm/Xresources
# /etc/X11/xdm/kdmrc
# /etc/X11/gdm/gdm
# /etc/vsftpd.conf
#
#################################################################################
#
wait_for_keypress
#
#################################################################################
#
# Notes:
# HPUX: /etc/copyright
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com

View File

@ -24,6 +24,7 @@
#
BOOT_LOADER="unknown"
BOOT_LOADER_FOUND=0
BOOT_LOADER_SEARCHED=0
GRUB_VERSION=0
SERVICE_MANAGER="unknown"
#
@ -34,6 +35,7 @@
# Notes : The AIX bootstrap is called as software ROS. Bootstrap contains IPL (Initial Program loader)
Register --test-no BOOT-5102 --os AIX --weight L --network NO --root-only YES --description "Check for AIX boot device"
if [ ${SKIPTEST} -eq 0 ]; then
BOOT_LOADER_SEARCHED=1
logtext "Test: Query bootinfo for AIX boot device"
if [ -x /usr/sbin/bootinfo ]; then
FIND=`/usr/sbin/bootinfo -b`
@ -49,7 +51,6 @@
fi
fi
fi
#
#################################################################################
#
@ -61,6 +62,7 @@
# upstart - Used by Debian/Ubuntu
Register --test-no BOOT-5104 --weight L --network NO --description "Determine service manager"
if [ ${SKIPTEST} -eq 0 ]; then
BOOT_LOADER_SEARCHED=1
case ${OS} in
"Linux")
if [ -f /proc/1/cmdline ]; then
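Review bot: setting `BOOT_LOADER_SEARCHED=1` in BOOT-5104 (service manager detection) defeats the purpose of the flag. This test has no `--os` restriction and does not look for a boot loader, so any run that includes it, including a subset run where the GRUB/LILO/loader tests are skipped, will still end in the "No boot loader found" exception that the flag was introduced to suppress. Only the tests that actually search for a loader (BOOT-5102, BOOT-5121, BOOT-5124, BOOT-5126, BOOT-5139, BOOT-5142, BOOT-5155, BOOT-5159) should set it.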
@ -115,11 +117,72 @@
fi
#
#################################################################################
#
# Test : BOOT-5116
# Description : Check if system is booted in UEFI mode
Register --test-no BOOT-5116 --weight L --network NO --root-only YES --description "Check if system is booted in UEFI mode"
if [ ${SKIPTEST} -eq 0 ]; then
UEFI_TESTS_PERFORMED=0
case ${OS} in
Linux)
UEFI_TESTS_PERFORMED=1
# Check if UEFI is available in this boot
logtext "Test: checking if UEFI is used"
if [ -d /sys/firmware/efi ]; then
logtext "Result: system booted in UEFI mode"
UEFI_BOOTED=1
else
logtext "Result: UEFI not used, can't find /sys/firmware/efi directory"
fi
# Test if Secure Boot is enabled
logtext "Test: determine if Secure Boot is used"
if [ -d /sys/firmware/efi/efivars ]; then
FIND=`ls /sys/firmware/efi/efivars/SecureBoot-* 2> /dev/null`
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
logtext "Test: checking file ${I}"
J=`od -An -t u1 ${I} | awk '{ print $5 }'`
if [ "${J}" = "1" ]; then
logtext "Result: found SecureBoot file with enabled status"
UEFI_BOOTED_SECURE=1
else
logtext "Result: system not booted with Secure Boot (status 0 in file ${I})"
fi
done
fi
else
logtext "Result: system not booted with Secure Boot (no SecureBoot file found)"
fi
;;
#MacOS)
# Mac OS ioreg -l -p IODeviceTree | grep firmware-abi
#;;
*)
logtext "Result: no test implemented yet to test for UEFI on this platform"
;;
esac
if [ ${UEFI_BOOTED} -eq 1 ]; then
Display --indent 2 --text "- Checking UEFI boot" --result ENABLED --color GREEN
if [ ${UEFI_BOOTED_SECURE} -eq 1 ]; then
Display --indent 2 --text "- Checking Secure Boot" --result ENABLED --color GREEN
else
Display --indent 2 --text "- Checking Secure Boot" --result DISABLED --color YELLOW
fi
else
if [ ${UEFI_TESTS_PERFORMED} -eq 1 ]; then
Display --indent 2 --text "- Checking UEFI boot" --result DISABLED --color GREEN
fi
fi
fi
#
#################################################################################
#
# Test : BOOT-5121
# Description : Check for GRUB boot loader
Register --test-no BOOT-5121 --weight L --network NO --description "Check for GRUB boot loader presence"
if [ ${SKIPTEST} -eq 0 ]; then
BOOT_LOADER_SEARCHED=1
FOUND=0
logtext "Test: Checking for presence GRUB conf file (/boot/grub/grub.conf or /boot/grub/menu.lst)"
if [ -f /boot/grub/grub.conf -o -f /boot/grub/menu.lst ]; then
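Review bot: `UEFI_BOOTED` and `UEFI_BOOTED_SECURE` are tested with `[ ${UEFI_BOOTED} -eq 1 ]` but are not initialised in the variable block at the top of this file (that hunk only adds `BOOT_LOADER_SEARCHED=0`); if they are not set elsewhere, the test expands to `[ -eq 1 ]` on non-Linux platforms and on Linux systems without /sys/firmware/efi, which is a syntax error under sh. Initialise both to 0 next to `BOOT_LOADER_SEARCHED=0`. Two smaller points: when /sys/firmware/efi/efivars exists but no `SecureBoot-*` variable is found, nothing is logged at all, so an `else` with a logtext line would help when reading the log, and the message "status 0 in file ${I}" hardcodes 0 even though `${J}` may hold another value; log `${J}` instead.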
@ -127,7 +190,7 @@
BOOT_LOADER="GRUB"
BOOT_LOADER_FOUND=1
GRUB_VERSION=1
Display --indent 4 --text "- Checking presence GRUB" --result "OK" --color GREEN
Display --indent 2 --text "- Checking presence GRUB" --result "OK" --color GREEN
if [ -f /boot/grub/grub.conf ]; then GRUBCONFFILE="/boot/grub/grub.conf"; else GRUBCONFFILE="/boot/grub/menu.lst"; fi
fi
@ -137,16 +200,13 @@
BOOT_LOADER="GRUB2"
BOOT_LOADER_FOUND=1
GRUB_VERSION=2
Display --indent 4 --text "- Checking presence GRUB2" --result FOUND --color GREEN
Display --indent 2 --text "- Checking presence GRUB2" --result FOUND --color GREEN
if [ -f /boot/grub/grub.cfg ]; then
GRUBCONFFILE="/boot/grub/grub.cfg"
elif [ -f /boot/grub2/grub.cfg ]; then
GRUBCONFFILE="/boot/grub2/grub.cfg"
fi
logtext "Result: found GRUB2 configuration file (${GRUBCONFFILE})"
# YYY password check, when documentation of GRUB2 project is improved
# YYY Add check permission check (600)
fi
# Some OSes like Gentoo do not have /boot mounted by default
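Review bot: the "Add check permission check (600)" TODO is removed here rather than implemented, although `GRUBCONFFILE` is already known at this point and the file may contain a password hash; a file mode check on `${GRUBCONFFILE}` with a suggestion when it is world-readable would fit in this block. If the TODO is dropped on purpose, a short comment saying so avoids the check being forgotten.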
@ -207,6 +267,7 @@
# Description : Check for FreeBSD boot loader
Register --test-no BOOT-5124 --os FreeBSD --weight L --network NO --description "Check for FreeBSD boot loader presence"
if [ ${SKIPTEST} -eq 0 ]; then
BOOT_LOADER_SEARCHED=1
if [ -f /boot/boot1 -a -f /boot/boot2 -a -f /boot/loader ]; then
logtext "Result: found boot1, boot2 and loader files in /boot"
Display --indent 2 --text "- Checking presence FreeBSD loader" --result FOUND --color GREEN
@ -223,6 +284,7 @@
# Description : Check for NetBSD boot loader
Register --test-no BOOT-5126 --os NetBSD --weight L --network NO --description "Check for NetBSD boot loader presence"
if [ ${SKIPTEST} -eq 0 ]; then
BOOT_LOADER_SEARCHED=1
if [ -f /boot.${HARDWARE} -o -f /boot -o -f /ofwboot ]; then
logtext "Result: found NetBSD secondary bootstrap"
Display --indent 2 --text "- Checking presence NetBSD loader" --result FOUND --color GREEN
@ -241,6 +303,7 @@
# Notes : password= or password =
Register --test-no BOOT-5139 --weight L --network NO --description "Check for LILO boot loader presence"
if [ ${SKIPTEST} -eq 0 ]; then
BOOT_LOADER_SEARCHED=1
LILOCONFFILE="/etc/lilo.conf"
logtext "Test: checking for presence LILO configuration file"
if [ -f ${LILOCONFFILE} ]; then
@ -263,7 +326,6 @@
logtext "Result: LILO password option set"
AddHP 4 4
fi
#YYY (making /etc/lilo.conf immutable is a good idea, chattr +i /etc/lilo.conf)
else
logtext "Result: can not read ${LILOCONFFILE} (no permission)"
fi
@ -278,6 +340,7 @@
# Description : Check for SILO boot loader
Register --test-no BOOT-5142 --weight L --network NO --description "Check SPARC Improved boot loader (SILO)"
if [ ${SKIPTEST} -eq 0 ]; then
BOOT_LOADER_SEARCHED=1
if [ -f /etc/silo.conf ]; then
logtext "Result: Found SILO configuration file (/etc/silo.conf)"
Display --indent 2 --text "- Checking boot loader SILO" --result FOUND --color GREEN
@ -314,11 +377,11 @@
# Description : Check for YABOOT boot loader
Register --test-no BOOT-5155 --weight L --network NO --description "Check for YABOOT boot loader configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
BOOT_LOADER_SEARCHED=1
logtext "Test: Check for /etc/yaboot.conf"
if [ -f /etc/yaboot.conf ]; then
logtext "Result: Found YABOOT configuration file (/etc/yaboot.conf)"
Display --indent 4 --text "- Checking boot loader YABOOT" --result FOUND --color GREEN
#YYY add permission check
BOOT_LOADER="YABOOT"
BOOT_LOADER_FOUND=1
else
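Review bot: the YABOOT result is still displayed with `--indent 4` while the GRUB and GRUB2 lines in this same patch were changed to `--indent 2`; align this one (and any other loader lines still on indent 4) so the boot loader section renders consistently. As with the GRUB2 hunk, the "add permission check" TODO is dropped without a replacement.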
@ -333,6 +396,7 @@
# More info : Only OpenBSD
Register --test-no BOOT-5159 --os OpenBSD --weight L --network NO --description "Check for OpenBSD boot loader presence"
if [ ${SKIPTEST} -eq 0 ]; then
BOOT_LOADER_SEARCHED=1
FOUND=0
# Boot files
# /usr/mdec/biosboot: first stage bootstrap
@ -370,7 +434,7 @@
#
#################################################################################
#
if [ ${BOOT_LOADER_FOUND} -eq 0 ]; then
if [ ${BOOT_LOADER_FOUND} -eq 0 -a ${BOOT_LOADER_SEARCHED} -eq 1 ]; then
# Your boot loader is not detected. Want to help supporting it, see the README
ReportException "BOOTLOADER" "No boot loader found"
Display --indent 4 --text "- Boot loader" --result "NONE FOUND" --color RED
@ -403,11 +467,6 @@
fi
#
#################################################################################
#
# Test : BOOT-5166
# Description : Check for /etc/rc.local file (and contents)
#
#################################################################################
#
# Test : BOOT-5177
# Description : Check for Linux boot services (systemd and chkconfig)
@ -473,50 +532,18 @@
fi
#
#################################################################################
#
# Test : BOOT-5178
# Description : Check for Linux boot services (Red Hat style)
# if [ ! "${CHKCONFIGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Register --test-no BOOT-5178 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for unneeded Linux boot services (Red Hat style)"
# if [ ${SKIPTEST} -eq 0 ]; then
# N=0
# N=`expr ${N} + 1`
#* mctrans (if selinux is NOT enabled)
#* restorecond (if selinux is NOT enabled) --> and is it really needed?
#
# if profile is server, warn if found:
#* pcscd (if profile=server)
#* avahi-daemon
# Redhat: /etc/sysconfig/network
# check if NOZEROCONF=yes is available
#
#* xfs (if /usr/bin/startx is not found)
#
#if [ ! -f /etc/mdadm.conf -a ! -f /etc/mdadm/mdadm.conf ]; then
#* mdmonitor
#
#
#* firstboot
# Display warning if [ ! -f /etc/reconfigSys ]
# AND "RUN_FIRSTBOOT=YES" is NOT in /etc/sysconfig/firstboot
#
#* acpid
# Display warning if no modules are loaded (lsmod | grep -i acpi)
#
#
# fi
#
#################################################################################
#
# Test : BOOT-5180
# Description : Check for Linux boot services (Debian style)
# Notes : Debian 8+ shows runlevel 5
if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no BOOT-5180 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for Linux boot services (Debian style)"
if [ ${SKIPTEST} -eq 0 ]; then
# YYY runlevel check
sRUNLEVEL=`${RUNLEVELBINARY} | grep "N 2"`
if [ ! "${sRUNLEVEL}" = "" ]; then
# Runlevel check
sRUNLEVEL=`${RUNLEVELBINARY} | grep "N [0-9]" | awk '{ print $2} '`
logtext "Result: found runlevel ${sRUNLEVEL}"
if [ "${sRUNLEVEL}" = "2" ]; then
logtext "Result: performing find in /etc/rc2.d as runlevel 2 is found"
FIND=`find /etc/rc2.d -type l -print | cut -d '/' -f4 | sed "s/S[0-9][0-9]//g" | sort`
if [ ! "${FIND}" = "" ]; then
N=0
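Review bot: `grep "N [0-9]"` on the output of `runlevel` only matches when the previous runlevel is N, that is, when the system has not changed runlevel since boot; after a switch `runlevel` prints something like `3 2`, the grep produces nothing, `sRUNLEVEL` stays empty and the test ends in the "Determine runlevel" suggestion even though the runlevel is known. Use `awk '{ print $2 }'` on the output directly (or grep for `^[N0-9] [0-9]`). The stray space inside the awk program (`'{ print $2} '`) is harmless but should be cleaned up.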
@ -526,10 +553,12 @@
done
Display --indent 2 --text "- Check services at startup (rc2.d)" --result "DONE" --color WHITE
Display --indent 4 --text "Result: found $N services"
logtext "Found $N services"
logtext "Result: found $N services"
fi
else
elif [ "${sRUNLEVEL}" = "" ]; then
ReportSuggestion ${TEST_NO} "Determine runlevel and services at startup"
else
logtext "Result: skipping further actions"
fi
fi
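Review bot: only runlevel 2 leads to the /etc/rc2.d enumeration, and every other runlevel falls through to "skipping further actions". The Notes line in the previous hunk says Debian 8 reports runlevel 5, so on exactly the platform this change is meant to support no services are listed at all. Since the runlevel is now extracted into `sRUNLEVEL`, the find can use it directly: `find /etc/rc${sRUNLEVEL}.d -type l -print`, guarded by a `-d` check on that directory.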
#
@ -615,16 +644,6 @@
fi
#
#################################################################################
#
# Add autostart services, like from KDE/Gnome
# Test : BOOT-5102
# Description : Check for tasks which are autostarted via /etc/inittab
#Register --test-no BOOT-5102 --weight L --network NO --description "Check inittab for services"
#if [ ${SKIPTEST} -eq 0 ]; then
#fi
#YYY check against static list?
#
#################################################################################
#
# Test : BOOT-5202
# Description : Check uptime of system
@ -708,7 +727,7 @@
if [ -f /usr/lib/systemd/system/rescue.service ]; then
logtext "Result: file /usr/lib/systemd/system/rescue.service"
logtext "Test: checking presence sulogin for single user mode"
FIND=`egrep "^ExecStart=-(/usr)?/sbin/sulogin" /usr/lib/systemd/system/rescue.service`
FIND=`egrep "^ExecStart=-(/bin/sh -c \")?(/usr)?/(s)?bin/sulogin" /usr/lib/systemd/system/rescue.service`
if [ ! "${FIND}" = "" ]; then
FOUND=1
logtext "Result: found sulogin, so single user is protected"
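Review bot: the check only reads the vendor unit in /usr/lib/systemd/system, yet a unit of the same name in /etc/systemd/system replaces it entirely, so a hardened vendor rescue.service can be overridden by a local copy that drops sulogin and this test would still report single user mode as protected. Check /etc/systemd/system/rescue.service first when it exists, and note that Debian 8 ships its units in /lib/systemd/system rather than /usr/lib/systemd/system, so the surrounding `if [ -f /usr/lib/systemd/system/rescue.service ]` never fires there. The widened egrep pattern itself looks correct for the `ExecStart=-/bin/sh -c "/usr/sbin/sulogin ..."` form.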
@ -727,8 +746,9 @@
#################################################################################
#
report "boot_loader=${BOOT_LOADER}"
report "boot_uefi_booted=${UEFI_BOOTED}"
report "boot_uefi_booted_secure=${UEFI_BOOTED_SECURE}"
report "service_manager=${SERVICE_MANAGER}"
wait_for_keypress

169
include/tests_containers Normal file
View File

@ -0,0 +1,169 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Containers, Zones, Jails
#
#################################################################################
#
InsertSection "Containers"
#
#################################################################################
#
# Test : CONT-8004
# Description : Query running Solaris zones
if [ -x /usr/sbin/zoneadm ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no CONT-8004 --os Solaris --weight L --network NO --description "Query running Solaris zones"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: query zoneadm to list all running zones"
FIND=`/usr/sbin/zoneadm list -p | awk -F: '{ if ($2!="global") print $0 }'`
if [ ! "${FIND}" = "" ]; then
N=0
for I in ${FIND}; do
N=`expr ${N} + 1`
ZONEID=`echo ${I} | cut -d ':' -f1`
ZONENAME=`echo ${I} | cut -d ':' -f2`
logtext "Result: found zone ${ZONENAME} (running)"
report "solaris_running_zone[]=${ZONENAME} [id:${ZONEID}]"
done
logtext "Result: total of ${N} running zones"
Display --indent 2 --text "- Checking Solaris Zones" --result "FOUND ${N} zones" --color GREEN
else
logtext "Result: no running zones found"
Display --indent 2 --text "- Checking Solaris Zones" --result NONE --color WHITE
fi
fi
#
#################################################################################
#
# Test : CONT-1906
# Description : Query running Xen zones
#if [ -x /usr/bin/xm ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no CONT-1906 --weight L --network NO --description "Query Xen guests"
#if [ ${SKIPTEST} -eq 0 ]; then
# Show Xen guests
#FIND=`xm list | awk '$1 != "Name|Domain-0" {print $1","$2}'`
#for I in ${FIND}; do
#XENGUESTNAME=`echo ${I} | cut -d ':' -f1`
#XENGUESTID=`echo ${I} | cut -d ':' -f2`
#logtext "Result: found Xen guest ${XENGUESTNAME} (ID: ${XENGUESTID})"
#done
#fi
#
#################################################################################
#
# Test : CONT-8102
# Description : Checking Docker daemon status and basic information for later tests
Register --test-no CONT-8102 --weight L --network NO --description "Checking Docker status and information"
if [ ${SKIPTEST} -eq 0 ]; then
IsRunning "docker -d"
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: found Docker daemon running"
report "docker_daemon_running=1"
DOCKER_DAEMON_RUNNING=1
Display --indent 4 --text "- Docker"
Display --indent 6 --text "- Docker daemon" --result RUNNING --color GREEN
fi
fi
#
#################################################################################
#
# Test : CONT-8104
# Description : Checking Docker info for any warnings
# Notes : Hardening points are awarded, as usually warnings are the result of missing controls to restrict boundaries like memory
if [ ! "${DOCKERBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no CONT-8104 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking Docker info for any warnings"
if [ ${SKIPTEST} -eq 0 ]; then
COUNT=0
logtext "Test: Check for any warnings"
FIND=`${DOCKERBINARY} info 2>&1 | grep "^WARNING:" | cut -d " " -f 2- | sed 's/ /:space:/g'`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found warning(s) in output"
for I in ${FIND}; do
J=`echo ${I} | sed 's/:space:/ /g'`
logtext "Output: ${J}"
COUNT=`expr ${COUNT} + 1`
done
Display --indent 8 --text "- Docker info output (warnings)" --result "${COUNT}" --color RED
ReportSuggestion "${TEST_NO}" "Run 'docker info' to see warnings applicable to Docker daemon"
AddHP 3 4
else
logtext "Result: no warnings found from 'docker info' output"
Display --indent 8 --text "- Docker info output (warnings)" --result "NONE" --color GREEN
AddHP 1 1
fi
fi
#
#################################################################################
#
# Test : CONT-8106
# Description : Checking Docker containers (basic stats)
# Notes : Hardening points are awarded, if there aren't a lot of stopped containers
if [ ! "${DOCKERBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no CONT-8106 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather basic stats from Docker"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 6 --text "- Containers"
# Check total of containers
logtext "Test: checking total amount of Docker containers"
DOCKER_CONTAINERS_TOTAL=`${DOCKERBINARY} info 2> /dev/null | grep "^Containers: " | awk '{ print $2 }'`
if [ "${DOCKER_CONTAINERS_TOTAL}" = "" ]; then
DOCKER_CONTAINERS_TOTAL=0
fi
logtext "Result: docker info shows ${DOCKER_CONTAINERS_TOTAL} containers"
DOCKER_CONTAINERS_TOTAL2=`${DOCKERBINARY} ps -a 2> /dev/null | grep -v "CONTAINER" | wc -l`
logtext "Result: docker ps -a shows ${DOCKER_CONTAINERS_TOTAL2} containers"
if [ ! "${DOCKER_CONTAINERS_TOTAL}" = "${DOCKER_CONTAINERS_TOTAL2}" ]; then
logtext "Result: difference detected, which is unexpected"
ReportSuggestion "${TEST_NO}" "Test output of both 'docker ps -a' and 'docker info', to determine why they report a different amount of containers"
Display --indent 8 --text "- Total containers" --result "UNKNOWN" --color RED
else
Display --indent 8 --text "- Total containers" --result "${DOCKER_CONTAINERS_TOTAL}" --color WHITE
fi
# Check running instances
DOCKER_CONTAINERS_RUNNING=`${DOCKERBINARY} ps 2> /dev/null | grep -v "CONTAINER" | wc -l`
Display --indent 8 --text "- Running containers" --result "${DOCKER_CONTAINERS_RUNNING}" --color GREEN
if [ ${DOCKER_CONTAINERS_RUNNING} -gt 0 ]; then
logtext "Result: ${DOCKER_CONTAINERS_RUNNING} containers are currently active"
report "docker_containers_running=${DOCKER_CONTAINERS_RUNNING}"
else
logtext "Result: no active containers"
report "docker_containers_running=0"
fi
# Check if there aren't too many unused containers on the system
if [ ${DOCKER_CONTAINERS_TOTAL} -gt 0 ]; then
DOCKER_CONTAINERS_UNUSED=`expr ${DOCKER_CONTAINERS_TOTAL} - ${DOCKER_CONTAINERS_RUNNING}`
if [ ${DOCKER_CONTAINERS_UNUSED} -gt 10 ]; then
ReportSuggestion "${TEST_NO}" "More than 10 unused containers found on the system. Clean up old containers by using output of 'docker ps -a' command"
Display --indent 8 --text "- Unused containers" --result "${DOCKER_CONTAINERS_UNUSED}" --color RED
AddHP 0 2
else
logtext "Result: found ${DOCKER_CONTAINERS_UNUSED} unused containers"
Display --indent 8 --text "- Unused containers" --result "${DOCKER_CONTAINERS_UNUSED}" --color YELLOW
AddHP 1 1
fi
fi
fi
#
#################################################################################
#
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com
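Review bot: CONT-8102 detects the daemon with `IsRunning "docker -d"`, which only matches the old `docker -d` invocation; Docker 1.8 (August 2015) replaced it with `docker daemon`, so on current installations the daemon is not detected and `DOCKER_DAEMON_RUNNING` is never set, and the `if` has no `else` that reports `docker_daemon_running=0`. CONT-8104 is then gated on `DOCKERBINARY` rather than on the daemon being up, so with a stopped daemon `docker info` only prints an error, the `WARNING:` grep finds nothing, and the test logs "no warnings" and awards `AddHP 1 1` for a daemon that is not running; gating CONT-8104 and CONT-8106 on `DOCKER_DAEMON_RUNNING` (and matching `docker daemon` as well as `docker -d`) fixes both. Minor: `${DOCKERBINARY} ps -a | grep -v "CONTAINER" | wc -l` counts every line that does not contain the header word, so `wc -l` output with leading spaces on some platforms will make the string comparison with `DOCKER_CONTAINERS_TOTAL` fail; compare numerically with `-ne` instead.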

View File

@ -29,7 +29,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
FOUNDPROBLEM=0
# Check profile for paths to check
sSSL_PATHS=`grep "^ssl:certificates:" ${PROFILE} | cut -d ':' -f3`
sSSL_PATHS=`grep "^ssl:certificates:" ${PROFILE} | cut -d ':' -f3`
for I in ${sSSL_PATHS}; do
if [ -d ${I} ]; then
FileIsReadable ${I}
@ -50,7 +50,6 @@
FOUNDPROBLEM=1
logtext "Result: certificate ${J} has been expired"
report "expired_certificate[]=${J}|unknown entity|"
#YYY Dump more information to log file
fi
else
logtext "Result: can not read file ${J} (no permission)"
@ -65,9 +64,9 @@
done
if [ ${FOUNDPROBLEM} -eq 0 ]; then
Display --indent 2 --text "- Checking SSL certificate expiration" --result OK --color GREEN
Display --indent 2 --text "- Checking for expired SSL certificates" --result NONE --color GREEN
else
Display --indent 2 --text "- Checking SSL certificate expiration" --result WARNING --color RED
Display --indent 2 --text "- Checking for expired SSL certificates" --result FOUND --color RED
ReportSuggestion ${TEST_NO} "Check available certificates for expiration"
fi
fi

View File

@ -29,25 +29,51 @@
#################################################################################
#
# Test : CUST-0010
# Author : Your name <e-mail address>
# Description : Check for something interesting - template
# This test first checks if OpenSSL binary was found
if [ ! -z "${OPENSSLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no CUST-0010 --preqs-met ${PREQS_MET} --weight L --network NO --description "My description"
# Or you could use this one without any dependencies
# Register --test-no CUST-0010 --weight L --network NO --description "My description"
# Notes : This test first checks if OpenSSL binary was found
# * Prerequisites Check
# -----------------------
#
# Check first if any dependency. If it doesn't meet, the test will be skipped after registration (SKIPTEST == 1)
#
# Examples:
# -f /etc/file = Test if file exists
# -d /var/run/mydirectory = Test if directory exists
# ${MYVARIABLE} -eq 1 = Test if variable is set to 1
# "${MYVARIABLE}" = "Value" = Test if variable is equal to specific value
if [ -f /etc/myfile ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# * Registration of Test
# ------------------------
#
# Register the test, with custom ID CUST-0010, and only execute it when the prerequisites were met
Register --test-no CUST-0010 --preqs-met ${PREQS_MET} --weight L --network NO --description "Description of what this test does"
# Or we could use this test without any dependencies
# Register --test-no CUST-0010 --weight L --network NO --description "Description of what this test does"
# If everything is fine, perform test
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
logtext "Test: checking something"
ReportWarning ${TEST_NO} "M" "Test warning"
if [ ${FOUND} -eq 0 ]; then
Display --indent 4 --text "- Performing custom test 1" --result OK --color GREEN
logtext "Result: the test looks great!"
Display --indent 4 --text "- Performing custom test" --result OK --color GREEN
logtext "Result: the test result looks great!"
# Optional: create a suggestion after a specific finding
#ReportSuggestion "${TEST_NO}" "This is my suggestion to improve the system even further."
else
Display --indent 4 --text "- Performing custom test 1" --result WARNING --color RED
logtext "Result: hmm bad result of this test :("
ReportSuggestion ${TEST_NO} "This could be better!"
Display --indent 4 --text "- Performing custom test" --result WARNING --color RED
logtext "Result: this test had a bad result :("
# Throw a warning to the screen and report
ReportWarning ${TEST_NO} "M" "This is a warning message"
fi
fi
#
#################################################################################
#
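Review bot: in the template `FOUND=0` is assigned and never changed, so the WARNING branch (and the `ReportWarning` call it demonstrates) is dead code and a user copying this file does not see how `FOUND` is meant to be set. Show the pattern once, for instance `FIND=\`grep "^option" /etc/myfile\`` followed by `if [ ! "${FIND}" = "" ]; then FOUND=1; fi`, so the two branches are both reachable. Since the prerequisite example tests `/etc/myfile`, reusing that file in the check keeps the template consistent.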

View File

@ -79,7 +79,7 @@
Display --indent 4 --text "- Checking empty MySQL root password" --result WARNING --color RED
AddHP 0 5
else
logtext "Result: Login did not succeed, so a MySQL root password is set"
logtext "Result: Login did not succeed, so a MySQL root password is set"
Display --indent 4 --text "- Checking MySQL root password" --result OK --color GREEN
AddHP 2 2
fi

View File

@ -14,6 +14,8 @@
#
#################################################################################
#
CSF_CONFIG="/etc/csf/csf.conf"
FILE_INT_TOOL=""
FILE_INT_TOOL_FOUND=0 # Boolean, file integrity tool found
#
#################################################################################
@ -30,11 +32,11 @@
logtext "Test: Checking AFICK binary"
if [ ! "${AFICKBINARY}" = "" ]; then
logtext "Result: AFICK is installed (${AFICKBINARY})"
FILE_INT_TOOL="afick"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- AFICK" --result FOUND --color GREEN
else
logtext "Result: AFICK is not installed"
Display --indent 4 --text "- AFICK" --result "NOT FOUND" --color WHITE
fi
fi
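Review bot: `FILE_INT_TOOL="afick"` (and the same assignment for aide, osiris, samhain, tripwire and ossec-syscheck in the following hunks) overwrites the variable on each detection, so on a host with more than one integrity tool installed only the last one in file order survives to the report. If the intent is to record every tool, append instead (`FILE_INT_TOOL="${FILE_INT_TOOL} afick"`) or emit a `report "file_integrity_tool[]=afick"` line in each branch; if only one tool is expected, a comment saying the last match wins would avoid surprises.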
#
@ -47,11 +49,11 @@
logtext "Test: Checking AIDE binary"
if [ ! "${AIDEBINARY}" = "" ]; then
logtext "Result: AIDE is installed (${AIDEBINARY})"
FILE_INT_TOOL="aide"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- AIDE" --result FOUND --color GREEN
else
logtext "Result: AIDE is not installed"
Display --indent 4 --text "- AIDE" --result "NOT FOUND" --color WHITE
fi
fi
#
@ -92,7 +94,7 @@
Register --test-no FINT-4316 --preqs-met ${PREQS_MET} --weight L --network NO --description "AIDE configuration: Checksums (SHA256 or SHA512)"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${GREPBINARY} "^Checksums" ${AIDECONFIG}`
FIND2=`${GREPBINARY} "^Checksums" ${AIDECONFIG} | ${EGREPBINARY} "sha256|sha512"`
FIND2=`${GREPBINARY} "^Checksums" ${AIDECONFIG} | ${EGREPBINARY} "sha256|sha512"`
if [ "${FIND}" = "" ]; then
logtext "Result: Unclear how AIDE is dealing with checksums"
Display --indent 6 --text "- AIDE config (Checksums)" --result UNKNOWN --color YELLOW
@ -119,11 +121,11 @@
logtext "Test: Checking Osiris binary"
if [ ! "${OSIRISBINARY}" = "" ]; then
logtext "Result: Osiris is installed (${OSIRISBINARY})"
FILE_INT_TOOL="osiris"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- Osiris" --result FOUND --color GREEN
else
logtext "Result: Osiris is not installed"
Display --indent 4 --text "- Osiris" --result "NOT FOUND" --color WHITE
fi
fi
#
@ -136,11 +138,11 @@
logtext "Test: Checking Samhain binary"
if [ ! "${SAMHAINBINARY}" = "" ]; then
logtext "Result: Samhain is installed (${SAMHAINBINARY})"
FILE_INT_TOOL="samhain"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- Samhain" --result FOUND --color GREEN
else
logtext "Result: Samhain is not installed"
Display --indent 4 --text "- Samhain" --result "NOT FOUND" --color WHITE
fi
fi
#
@ -153,11 +155,11 @@
logtext "Test: Checking Tripwire binary"
if [ ! "${TRIPWIREBINARY}" = "" ]; then
logtext "Result: Tripwire is installed (${TRIPWIREBINARY})"
FILE_INT_TOOL="tripwire"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- Tripwire" --result FOUND --color GREEN
else
logtext "Result: Tripwire is not installed"
Display --indent 4 --text "- Tripwire" --result "NOT FOUND" --color WHITE
fi
fi
#
@ -170,10 +172,12 @@
logtext "Test: Checking if OSSEC syscheck daemon is running"
IsRunning ossec-syscheckd
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: syscheck (OSSEC) installed"
FILE_INT_TOOL="ossec-syscheck"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- OSSEC (syscheck)" --result FOUND --color GREEN
else
Display --indent 4 --text "- OSSEC (syscheck)" --result "NOT FOUND" --color WHITE
logtext "Result: syscheck (OSSEC) not installed"
fi
fi
#
@ -187,11 +191,59 @@
logtext "Test: Checking mtree binary"
if [ ! "${MTREEBINARY}" = "" ]; then
logtext "Result: mtree is installed (${MTREEBINARY})"
FILE_INT_TOOL="mtree"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- mtree" --result FOUND --color GREEN
else
logtext "Result: mtree is not installed"
Display --indent 4 --text "- mtree" --result "NOT FOUND" --color WHITE
fi
fi
#
#################################################################################
#
# Test : FINT-4334
# Description : Check if LFD is used (part of CSF suite)
if [ -f ${CSF_CONFIG} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FINT-4334 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check lfd daemon status"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 4 --text "- lfd (CSF)" --result FOUND --color GREEN
IsRunning 'lfd '
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: lfd daemon is running (CSF)"
Display --indent 6 --text "- Daemon status" --result RUNNING --color GREEN
FILE_INT_TOOL="csf-lfd"
FILE_INT_TOOL_FOUND=1
else
Display --indent 6 --text "- Daemon status" --result "NOT RUNNING" --color YELLOW
fi
fi
# Test : FINT-4336
# Description : Check if LFD is enabled (part of CSF suite)
if [ -f ${CSF_CONFIG} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FINT-4336 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check lfd configuration status"
if [ ${SKIPTEST} -eq 0 ]; then
# LFD configuration parameters
ENABLED=`grep "^LF_DAEMON = \"1\"" ${CSF_CONFIG}`
if [ ! "${ENABLED}" = "" ]; then
logtext "Result: lfd service is configured to run"
Display --indent 6 --text "- Configuration status" --result ENABLED --color GREEN
else
logtext "Result: lfd service is configured NOT to run"
Display --indent 6 --text "- Configuration status" --result DISABLED --color YELLOW
fi
ENABLED=`grep "^LF_DIRWATCH =" ${CSF_CONFIG} | awk '{ print $3 }' | sed 's/\"//g'`
if [ ! "${ENABLED}" = "0" -a ! "${ENABLED}" = "" ]; then
logtext "Result: lfd directory watching is enabled (value: ${ENABLED})"
Display --indent 6 --text "- Temporary directory watches" --result ENABLED --color GREEN
else
logtext "Result: lfd directory watching is disabled"
Display --indent 6 --text "- Temporary directory watches" --result DISABLED --color YELLOW
fi
ENABLED=`grep "^LF_DIRWATCH_FILE =" ${CSF_CONFIG} | awk '{ print $3 }' | sed 's/\"//g'`
if [ ! "${ENABLED}" = "0" -a ! "${ENABLED}" = "" ]; then
Display --indent 6 --text "- Directory/File watches" --result ENABLED --color GREEN
else
Display --indent 6 --text "- Directory/File watches" --result DISABLED --color YELLOW
fi
fi
#
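Review bot: FILE_INT_TOOL="csf-lfd" and FILE_INT_TOOL_FOUND=1 in FINT-4334 are set as soon as the lfd process is running, but lfd only monitors files when LF_DIRWATCH or LF_DIRWATCH_FILE is non-zero, which is exactly what FINT-4336 reads afterwards; a running lfd with LF_DIRWATCH = "0" therefore satisfies the later "Checking presence integrity tool" test and suppresses the install suggestion. Consider setting the two variables from the LF_DIRWATCH/LF_DIRWATCH_FILE result in FINT-4336 instead, or moving the daemon check after it. Smaller points in the same hunk: FINT-4336 calls bare `grep` while the rest of this file goes through ${GREPBINARY}; the LF_DIRWATCH_FILE branch has no logtext lines, unlike the two branches above it; the `^LF_DAEMON = \"1\"` pattern depends on exactly one space on each side of `=`, so a file written as `LF_DAEMON="1"` is reported as DISABLED; and the `#`/`####` separator block that every other test in this file has is missing between the two new tests.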
@ -209,7 +261,7 @@
else
logtext "Result: No file integrity tools found"
Display --indent 2 --text "- Checking presence integrity tool" --result "NOT FOUND" --color YELLOW
ReportSuggestion ${TEST_NO} "Install a file integrity tool"
ReportSuggestion ${TEST_NO} "Install a file integrity tool to monitor changes to critical and sensitive files"
AddHP 0 5
fi
fi
@ -217,6 +269,7 @@
#################################################################################
#
report "file_integrity_tool=${FILE_INT_TOOL}"
report "file_integrity_tool_installed=${FILE_INT_TOOL_FOUND}"
wait_for_keypress
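Review bot: `report "file_integrity_tool=${FILE_INT_TOOL}"` only ever names the last tool detected, because every detection branch in this file (afick, aide, osiris, samhain, tripwire, ossec-syscheck, mtree, csf-lfd) assigns the same scalar; a host with both AIDE and OSSEC installed reports only ossec-syscheck. Since this change already adds the boolean `file_integrity_tool_installed`, consider reporting the tools as a list, e.g. `report "file_integrity_tool[]=aide"` in each branch, which is the `[]` convention that `swap_partition[]` and `compiler[]` use elsewhere in this commit.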


@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -56,4 +56,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
# Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com


@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -209,23 +209,46 @@
FOUND=0
logtext "Test: query swap partitions from /etc/fstab file"
# Check if third field contains 'swap'
FIND=`awk '{ if ($3=="swap") print $1 }' /etc/fstab`
FIND=`awk '{ if ($2=="swap" || $3=="swap") { print $1 }}' /etc/fstab | grep -v "^#"`
for I in ${FIND}; do
FOUND=1
REAL=""
UUID=""
logtext "Swap partition found: ${I}"
# YYY Add a test if partition is not a normal partition (e.g. UUID=)
# Can be ^/dev/mapper/vg-name_lv-name
# Can be ^/dev/partition
# Can be ^UUID=uuid --> /dev/disk/by-uuid/<uuid>
# if [ ! "${BLKIDBINARY}" = "" ]; then
# FIND2=`${BLKIDBINARY} | awk '{ if ($2=="UUID=\"${UUID}\"") print $1 }' | sed 's/:$//'`
# else
# logtext "Result: blkid binary not found, trying by checking device listing"
# if [ -f /dev/disk/by-uuid/${UUID} ]; then
# logtext "Result: found disk via /dev/disk/by-uuid listing"
# fi
# fi
report "swap_partition[]=${I}"
HAS_UUID=`echo ${I} | grep "^UUID="`
if [ ! "${HAS_UUID}" = "" ]; then
UUID=`echo ${HAS_UUID} | awk -F= '{ print $2 }'`
logtext "Result: Using ${UUID} as UUID"
if [ ! "${BLKIDBINARYx}" = "" ]; then
FIND2=`${BLKIDBINARY} | awk '{ if ($2=="UUID=\"${UUID}\"") print $1 }' | sed 's/:$//'`
if [ ! "${FIND2}" = "" ]; then
REAL="${FIND2}"
fi
else
logtext "Result: blkid binary not found, trying by checking device listing"
sFILE=""
if [ -L /dev/disk/by-uuid/${UUID} ]; then
logtext "Result: found disk via /dev/disk/by-uuid listing"
ShowSymlinkPath /dev/disk/by-uuid/${UUID}
if [ ! "${sFILE}" = "" ]; then
REAL="${sFILE}"
logtext "Result: disk is ${REAL}"
fi
else
logtext "Result: no symlink found to /dev/disk/by-uuid/${UUID}"
fi
fi
fi
# Set real device
if [ "${REAL}" = "" ]; then
REAL="${I}"
fi
report "swap_partition[]=${I},${REAL},"
done
if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Query swap partitions (fstab)" --result OK --color GREEN
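Review bot: the blkid branch is dead code: `${BLKIDBINARYx}` (with the stray x) is never set, so the `else` path runs even when blkid is available. If the x was added to disable the branch on purpose, the reason is on the next line: the awk program is single-quoted, so `${UUID}` is never expanded and the comparison is against the literal string `UUID="${UUID}"`. Pass the value in with `awk -v uuid="${UUID}"`, as the mount-options test in this same file does with `-v fs=`, or simply call `${BLKIDBINARY} -U ${UUID}`, which prints the device for a given UUID directly. Two smaller points: `grep -v "^#"` after the awk filters the printed device name rather than the fstab line, which happens to work for the `#/dev/... swap swap` form but reads clearer as `$1 !~ /^#/` in the awk condition; and `report "swap_partition[]=${I},${REAL},"` leaves a trailing comma in the report.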
@ -239,18 +262,20 @@
#
# Test : FILE-6336
# Description : Check swap mount options
# Examples : [partition] swap swap defaults 0 0
# [partition] none swap sw 0 0
if [ -f /etc/fstab ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FILE-6336 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking swap mount options"
if [ ${SKIPTEST} -eq 0 ]; then
# Swap partitions should be mounted with 'sw' or 'swap'
logtext "Test: check swap partitions with incorrect mount options"
#FIND=`awk '{ if ($3=="swap" && ($4!="sw" && $4!="swap" && $4!="defaults")) print $1 }' /etc/fstab`
FIND=`awk '{ if ($3=="swap" && $4~/sw/) { print $1 }}' /etc/fstab`
FIND=`awk '{ if ($3=="swap" && ($4~/sw/ || $4=="defaults")) { print $1 }}' /etc/fstab`
if [ ! "${FIND}" = "" ]; then
Display --indent 2 --text "- Testing swap partitions" --result OK --color GREEN
logtext "Result: all swap partitions have correct options (sw or swap)"
else
Display --indent 2 --text "- Testing swap partitions" --result WARNING --color RED
Display --indent 2 --text "- Testing swap partitions" --result "CHECK NEEDED" --color YELLOW
logtext "Result: possible incorrect mount options used for mounting swap partition (${FIND})"
#ReportWarning ${TEST_NO} "L" "Possible incorrect mount options used for swap parition (${FIND})"
ReportSuggestion ${TEST_NO} "Check your /etc/fstab file for swap partition mount options"
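Review bot: the condition in FILE-6336 is inverted relative to its description: the awk prints swap entries whose options do match (`sw` or `defaults`), and the test reports OK whenever at least one entry matches, so with two swap lines, one correct and one with odd options, the bad one is never noticed. The commented-out line directly above does the right thing (print entries that do not match) and should replace the live one; with that, `${FIND}` in the CHECK NEEDED branch's logtext would also carry the offending entries, whereas now it is logged only when it is guaranteed to be empty. Note too that the OK logtext still says "sw or swap" although the regex now also accepts `defaults`.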
@ -272,7 +297,7 @@
Display --indent 2 --text "- Checking for old files in /tmp" --result OK --color GREEN
logtext "Result: no files found in /tmp which are older than 3 months"
else
Display --indent 2 --text "- Checking for old files in /tmp" --result WARNING --color RED
Display --indent 2 --text "- Checking for old files in /tmp" --result FOUND --color RED
N=0
for I in ${FIND}; do
FILE=`echo ${I} | sed 's/!space!/ /g'`
@ -297,7 +322,7 @@
#SKELDIRS="/etc/skel /usr/share/skel"
#for I in ${SKELDIRS}; do
#
#
# logtext "Searching skel directory ${I}"
#
# if [ -d ${I} ]; then
@ -435,76 +460,75 @@
#################################################################################
#
# Test : FILE-6374
# Description : Check /boot mount options for Linux
# Notes : Expecting nodev,noexec,nosuid
# Description : Check mount options for Linux
# Notes : This test determines if the mount point exists. If it does not exist as mount point, yet it is an directory,
# you might consider to make it a separate mount point with restrictions.
#
# Depending on the primary goals of a machine, some mount points might be too restrictive. Before applying any
# mount flags, test them on a similar or cloned test system.
#
# ---------------------------------------------------------
# Mount point nodev noexec nosuid
# /boot v v v
# /home v v
# /tmp v v v
# /var v
# /var/log v v v
# /var/log/audit v v v
# ---------------------------------------------------------
FILESYSTEMS_TO_CHECK="/boot:nodev,noexec,nosuid /home:nodev,nosuid /var:nosuid /var/log:nodev,noexec,nosuid /var/log/audit:nodev,noexec,nosuid /tmp:nodev,noexec,nosuid"
Register --test-no FILE-6374 --os Linux --weight L --network NO --description "Checking /boot mount options"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /etc/fstab ]; then
HARDENED=0
FIND=`echo /etc/fstab | awk '{ if ($2=="/boot") { print $4 } }'`
NODEV=`echo ${FIND} | awk '{ if ($1=="nodev") { print "YES" } else { print "NO" } }'`
NOEXEC=`echo ${FIND} | awk '{ if ($1=="noexec") { print "YES" } else { print "NO" } }'`
NOSUID=`echo ${FIND} | awk '{ if ($1=="nosuid") { print "YES" } else { print "NO" } }'`
if [ "${NODEV}" = "YES" -a "${NOEXEC}" = "YES" -a "${NOSUID}" = "YES" ]; then HARDENED=1; fi
if [ ! "${FIND}" = "" ]; then
logtext "Result: mount system /boot is configured with options: ${FIND}"
if [ ${HARDENED} -eq 1 ]; then
logtext "Result: marked /boot options as hardenened"
Display --indent 2 --text "- Mount options of /boot" --result HARDENED --color GREEN
AddHP 5 5
else
if [ "${FIND}" = "defaults" ]; then
logtext "Result: marked /boot options as default (non hardened)"
Display --indent 2 --text "- Mount options of /boot" --result DEFAULT --color RED
AddHP 3 5
else
logtext "Result: marked /boot options as non default (unclear about hardening)"
Display --indent 2 --text "- Mount options of /boot" --result "NON DEFAULT" --color YELLOW
for I in ${FILESYSTEMS_TO_CHECK}; do
FILESYSTEM=`echo ${I} | cut -d: -f1`
EXPECTED_FLAGS=`echo ${I} | cut -d: -f2 | sed 's/,/ /g'`
IN_FSTAB=`cat /etc/fstab | awk -v fs=${FILESYSTEM} '{ if ($2==fs) { print "FOUND" } }'`
if [ ! "${IN_FSTAB}" = "" ]; then
FOUND_FLAGS=`cat /etc/fstab | awk -v fs=${FILESYSTEM} '{ if ($2==fs) { print $4 } }' | sed 's/,/ /g'`
logtext "File system: ${FILESYSTEM}"
logtext "Expected flags: ${EXPECTED_FLAGS}"
logtext "Found flags: ${FOUND_FLAGS}"
PARTIALLY_HARDENED=0
FULLY_HARDENED=1
for FLAG in ${EXPECTED_FLAGS}; do
FLAG_AVAILABLE=`echo ${FOUND_FLAGS} | grep ${FLAG}`
if [ "${FLAG_AVAILABLE}" = "" ]; then
logtext "Result: Could not find mount option ${FLAG} on file system ${FILESYSTEM}"
FULLY_HARDENED=0
else
logtext "Result: GOOD, found mount option ${FLAG} on file system ${FILESYSTEM}"
PARTIALLY_HARDENED=1
fi
done
if [ ${FULLY_HARDENED} -eq 1 ]; then
logtext "Result: marked ${FILESYSTEM} as fully hardenened"
Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result HARDENED --color GREEN
AddHP 5 5
elif [ ${PARTIALLY_HARDENED} -eq 1 ]; then
logtext "Result: marked ${FILESYSTEM} as fully hardenened"
Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "PARTIALLY HARDENED" --color YELLOW
AddHP 4 5
else
if [ "${FOUND_FLAGS}" = "defaults" ]; then
logtext "Result: marked ${FILESYSTEM} options as default (non hardened)"
Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result DEFAULT --color YELLOW
AddHP 3 5
else
logtext "Result: marked ${FILESYSTEM} options as non default (unclear about hardening)"
Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "NON DEFAULT" --color YELLOW
AddHP 4 5
fi
fi
else
logtext "Result: file system ${FILESYSTEM} not found in /etc/fstab"
fi
else
logtext "Result: no mount point /boot or expected options found"
fi
done
fi
fi
#
#################################################################################
#
# Test : FILE-XXXX
# Description : Check /home mount options for Linux
# Notes : Expecting nodev,nosuid
#
#################################################################################
#
# Test : FILE-XXXX
# Description : Check /var mount options for Linux
# Notes : Expecting nosuid
#
#################################################################################
#
# Test : FILE-XXXX
# Description : Check /var/log mount options for Linux
# Notes : Expecting nodev,noexec,nosuid
#
#################################################################################
#
# Test : FILE-XXXX
# Description : Check /var/log/audit mount options for Linux
# Notes : Expecting nodev,noexec,nosuid
#
#################################################################################
#
# Test : FILE-XXXX
# Description : Check /tmp mount options for Linux
# Notes : Expecting nodev,noexec,nosuid
#
#################################################################################
#
#
#################################################################################
#
# Test : FILE-6378
# Description : Check for nodirtime option
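Review bot: the logtext in the `elif [ ${PARTIALLY_HARDENED} -eq 1 ]` branch says "marked ${FILESYSTEM} as fully hardenened", copied from the branch above it; it should say partially hardened (and "hardenened" is misspelled in both). The Register description is still "Checking /boot mount options" although the test now walks /boot, /home, /var, /var/log, /var/log/audit and /tmp. On scoring: the NON DEFAULT case (none of the expected flags present, options not `defaults`) gets AddHP 4 5, the same as partially hardened, so a mount with only `relatime` scores like one carrying two of the three hardening flags. `echo ${FOUND_FLAGS} | grep ${FLAG}` is a substring match; `grep -w ${FLAG}` or an awk equality avoids accidental matches if the expected list is ever extended. Finally, FOUND_FLAGS can be several lines when the same mount point occurs more than once in /etc/fstab (bind mounts), which breaks the single-string comparison with `defaults`.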
@ -538,11 +562,11 @@
# or /var/cache/locate/locatedb
# FreeBSD /var/db/locate.database
if [ ! "${LOCATEBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FILE-6410 --os Linux --weight L --network NO --description "Checking Locate database"
Register --test-no FILE-6410 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --description "Checking Locate database"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking locate database"
FOUND=0
LOCATE_DBS="/var/lib/mlocate/mlocate.db /var/lib/locatedb /var/lib/slocate/slocate.db /var/cache/locate/locatedb /var/db/locate.database"
LOCATE_DBS="/var/lib/mlocate/mlocate.db /var/lib/locate/locatedb /var/lib/locatedb /var/lib/slocate/slocate.db /var/cache/locate/locatedb /var/db/locate.database"
for I in ${LOCATE_DBS}; do
if [ -f ${I} ]; then
logtext "Result: locate database found (${I})"
@ -598,4 +622,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com


@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -30,10 +30,6 @@
#
#################################################################################
#
# YYY Improvement needed for iptables to check if kernel modules are used or not.
# If they are not used and iptables is not found in configuration, no checks should be performed.
#
# Test : FIRE-4511
# Description : Check iptables kernel module
Register --test-no FIRE-4511 --os Linux --weight L --network NO --description "Check iptables kernel module"
@ -124,7 +120,7 @@
Display --indent 4 --text "- Checking for unused rules" --result OK --color GREEN
logtext "Result: There are no unused rules present"
else
Display --indent 4 --text "- Checking for unused rules" --result WARNING --color YELLOW
Display --indent 4 --text "- Checking for unused rules" --result FOUND --color YELLOW
logtext "Result: Found one or more possible unused rules"
logtext "Description: Unused rules can be a sign that the firewall rules aren't optimized or up-to-date"
logtext "Note: Sometimes rules aren't triggered but still in use. Keep this in mind before cleaning up rules."
@ -189,7 +185,6 @@
PFLOGDFOUND=1
else
logtext "Result: pflog daemon not found in process list"
Display --indent 4 --text "- Checking pflogd status" --result "NOT FOUND" --color YELLOW
fi
fi
@ -198,7 +193,6 @@
FIREWALL_SOFTWARE="pf"
else
logtext "Result: pf not running on this system"
Display --indent 2 --text "- Checking pf" --result "NOT FOUND" --color WHITE
fi
fi
#
@ -274,7 +268,34 @@
#################################################################################
#
# Test : FIRE-4530
# Description : Check ipfw
# Description : Check IPFW (FreeBSD)
Register --test-no FIRE-4530 --os FreeBSD --weight L --network NO --description "Check IPFW status"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${SYSCTLBINARY}" = "" ]; then
# For now, only check for IPv4.
FIND=`${SYSCTLBINARY} net.inet.ip.fw.enable | awk '{ print $2 }'`
if [ "${FIND}" = "1" ]; then
Display --indent 2 --text "- Checking IPFW status" --result RUNNING --color GREEN
logtext "Result: IPFW is running for IPv4"
FIREWALL_ACTIVE=1
FIREWALL_SOFTWARE="ipfw"
IPFW_ENABLED=`service -e | grep -o ipfw`
if [ "${IPFW_ENABLED}" = "ipfw" ]; then
Display --indent 4 --text "- IPFW enabled in /etc/rc.conf" --result YES --color GREEN
logtext "Result: IPFW is enabled at start-up for IPv4"
else
Display --indent 4 --text "- ipfw enabled in /etc/rc.conf" --result NO --color YELLOW
logtext "Result: IPFW is disabled at start-up for IPv4"
fi
else
Display --indent 2 --text "- Checking IPFW status" --result "NOT RUNNING" --color YELLOW
logtext "Result: IPFW is not running for IPv4"
fi
else
Display --indent 2 --text "- Checking IPFW" --result SKIPPED --color YELLOW
ReportException "${TEST_NO}:1" "No IPFW test available (sysctl missing)"
fi
fi
#
#################################################################################
#
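Review bot: `${SYSCTLBINARY} net.inet.ip.fw.enable` writes an "unknown oid" error to stderr when the ipfw module is not loaded, and nothing here redirects it, so the message leaks into the screen output; add `2> /dev/null` (the empty result already maps to NOT RUNNING). `IPFW_ENABLED=\`service -e | grep -o ipfw\`` yields one `ipfw` per matching line, so the `= "ipfw"` comparison fails as soon as more than one enabled rc script name contains the string; anchoring the match, e.g. `service -e | grep -q '/ipfw$'` and testing `$?`, or reading `sysrc -n firewall_enable`, is more robust, and `service` should go through a checked binary variable the way sysctl does. Minor: the two Display texts differ in case (`IPFW enabled` vs `ipfw enabled`), and since only net.inet.ip.fw.enable is read (as the comment says), a host running ipfw for IPv6 only reports NOT RUNNING.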


@ -55,6 +55,7 @@
IsWorldExecutable ${ASBINARY}
if [ $? -eq 1 ]; then
logtext "Binary: found ${ASBINARY} (world executable)"
report "compiler[]=${ASBINARY}"
AddHP 2 3
HARDEN_COMPILERS_NEEDED=1
else
@ -67,6 +68,7 @@
IsWorldExecutable ${GCCBINARY}
if [ $? -eq 1 ]; then
logtext "Binary: found ${GCCBINARY} (world executable)"
report "compiler[]=${GCCBINARY}"
AddHP 2 3
HARDEN_COMPILERS_NEEDED=1
else


@ -1,52 +0,0 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# InsertSection "Hardening tools"
#
#################################################################################
#
# Checking Solaris Security Toolkit (Jass)
# Test : HRDN-7402
# Description : Check jass hardening
# Register --test-no HRDN-7402 --weight L --network NO --description "Check jass hardening"
# if [ ${SKIPTEST} -eq 0 ]; then
# if [ -d /opt/SUNWjass -o -d /var/opt/SUNWjass ]; then
# logtext "Result: found Solaris Security Toolkit (Jass hardening tool)"
# fi
#
#
#################################################################################
#
# Test : HRDN-7410
# Description : Check tiger hardening tool
#
#################################################################################
#
# Test : HRDN-7420
# Description : Check Bastille Unix hardening tool
#
#################################################################################
#
# Checking Solaris Security Toolkit (ASET)
# - Automated Security Enhancement Tool
# AddHP 3 3
#wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands


@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -28,7 +28,6 @@
#
#################################################################################
#
# Test : HOME-9302
# Description : Create list with home directories
Register --test-no HOME-9302 --weight L --network NO --description "Create list with home directories"
@ -69,7 +68,7 @@
logtext "Info: above files could be redirected files to avoid logging and should be investigated"
ReportWarning ${TEST_NO} "M" "Incorrect file type found for shell history file"
fi
logtext "Remarks: ${HOME_HISTORY_LOG_TEXT}"
logtext "Remarks: History files are normally of the type 'file'. Symbolic links and other types can be riskful."
else
Display --indent 2 --text "- Checking shell history files" --result SKIPPED --color WHITE
logtext "Result: Homedirs is empty, test will be skipped"
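Review bot: "riskful" in the new Remarks logtext should be "risky"; otherwise replacing the ${HOME_HISTORY_LOG_TEXT} variable with the literal string is fine as long as nothing else still references that variable.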
@ -100,19 +99,6 @@
logtext "Output: ${IGNORE_HOME_DIRS}"
fi
fi
#YYY
#echo -n " - Checking PATH variable vulnerabilities"
#
#FIND=`find ${HOMEDIRS} -name * | grep -r 'PATH=' | egrep '=.:|:.:|:.;' | grep -v 'CDPATH'`
#if [ "${FIND}" = "" ]
# then
# logtext "Result: Ok, no special things found in the PATH variable"
# else
# echo "[ ${WARNING}WARNING${NORMAL} ]"
# logtext "Warning: Probably found \".\" in the PATH. Details: ${FIND}"
#fi
#
#
#################################################################################
#
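Review bot: deleting the commented-out PATH block removes the only record of that planned check (a `.` or empty element in PATH set from shell start-up files), which is a real finding worth keeping on the roadmap; if it is not tracked elsewhere, leave a one-line TODO or open an issue rather than dropping it silently.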
@ -121,4 +107,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com


@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -37,7 +37,6 @@
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: inetd is running"
Display --indent 2 --text "- Checking inetd status" --result ACTIVE --color GREEN
#YYY perform manual check
INETD_ACTIVE=1
else
logtext "Result: inetd is NOT running"
@ -61,8 +60,6 @@
logtext "Result: ${INETD_CONFIG_FILE} does not exist"
Display --indent 4 --text "- Checking inetd.conf" --result "NOT FOUND" --color WHITE
fi
# YYY immutable bit could be set
# YYY permission check (already set in profile)
fi
#
#################################################################################
@ -106,15 +103,9 @@
#
#################################################################################
#
# Check telnet in /etc/xinetd.conf
# Check telnet in /etc/xinetd/*
# Check running telnet daemon (telnetd)
# rshd rlogin rexec
# /etc/hosts.equiv
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com


@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -49,7 +49,7 @@
logtext "Result: Found match on runlevel5/graphical"
Display --indent 2 --text "- Checking default runlevel" --result "runlevel 5" --color GREEN
report "linux_default_runlevel=5"
else
else
logtext "Result: No match found on runlevel, defaulting to runlevel 3"
Display --indent 2 --text "- Checking default runlevel" --result "runlevel 3" --color GREEN
report "linux_default_runlevel=3"
@ -252,6 +252,8 @@
#
# Test : KRNL-5730
# Description : Checking default I/O kernel scheduler
# Notes : This test could be extended with testing some of the specific devices like disks
# cat /sys/block/sda/queue/scheduler
PREQS_MET="NO"
if [ ! "${LINUXCONFIGFILE}" = "" ]; then
if [ -f ${LINUXCONFIGFILE} ]; then PREQS_MET="YES"; fi
@ -276,18 +278,14 @@
fi
#
#################################################################################
#
# YYY Check for kernel options
#
#################################################################################
#
# Test : KRNL-5745
# Description : Checking FreeBSD loaded kernel modules
Register --test-no KRNL-5745 --os FreeBSD --weight L --network NO --description "Checking FreeBSD loaded kernel modules"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Checking active kernel modules"
logtext "Test: ${KERNEL_ACTIVE_MODULES_TITLE}"
logtext "Description: ${KERNEL_ACTIVE_MODULES_DESCRIPTION}"
logtext "Test: Active kernel modules (KLDs)"
logtext "Description: View all active kernel modules (including kernel)"
logtext "Test: Checking modules"
if [ -f /sbin/kldstat ]; then
FIND=`kldstat | grep -v 'Name' | tr -s ' ' | cut -d ' ' -f6`
@ -340,7 +338,6 @@
logtext "Test: Searching apt-cache, to determine if a newer kernel is available"
if [ -x /usr/bin/apt-cache ]; then
logtext "Result: found /usr/bin/apt-cache"
# YYY Test for presence /usr/bin/apt-cache and dpkg
logtext "Test: checking readlink location of /vmlinuz"
FINDKERNFILE=`readlink -f /vmlinuz`
logtext "Output: readlink reported file ${FINDKERNFILE}"
@ -381,7 +378,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking presence /etc/security/limits.conf"
if [ -f /etc/security/limits.conf ]; then
logtext "Result: file /etc/security/limits.conf exists"
logtext "Result: file /etc/security/limits.conf exists"
logtext "Test: Checking if core dumps are disabled in /etc/security/limits.conf"
FIND1=`cat /etc/security/limits.conf | grep -v "^#" | grep -v "^$" | awk '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="1") { print "soft core enabled" } }'`
FIND2=`cat /etc/security/limits.conf | grep -v "^#" | grep -v "^$" | awk '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="1") { print "hard core enabled" } }'`
@ -443,7 +440,7 @@
FILE="/var/run/reboot-required.pkgs"
logtext "Test: Checking presence ${FILE}"
if [ -f ${FILE} ]; then
logtext "Result: file ${FILE} exists"
logtext "Result: file ${FILE} exists"
FIND=`cat ${FILE}`
if [ "${FIND}" = "" ]; then
logtext "Result: No reboot needed (file empty)"
@ -516,7 +513,8 @@
FIND=`ls /boot/vmlinuz* 2> /dev/null`
if [ ! "${FIND}" = "" ]; then
# Display kernels, extract version numbers and sort them numeric per column (up to 6 numbers)
KERNELS=`ls /boot/vmlinuz* | sed 's/vmlinuz-//' | sed 's/\.[a-z].*.//g' | sed 's/-[a-z].*.//g' | sed 's./boot/..' | sed 's/-/./g' | sort -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.`
# Remove generic. and huge. for Slackware machines
KERNELS=`ls /boot/vmlinuz* | sed 's/vmlinuz-//' | sed 's/generic.//' | sed 's/huge.//' | sed 's/\.[a-z].*.//g' | sed 's/-[a-z].*.//g' | sed 's./boot/..' | sed 's/-/./g' | sort -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.`
elif [ ! `ls /boot/kernel* 2> /dev/null` = "" ]; then
# Display kernels, extract version numbers and sort them numeric per column (up to 6 numbers)
# Examples:
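Review bot: `sed 's/generic.//' | sed 's/huge.//'` uses an unescaped `.`, so it matches `generic` or `huge` followed by any single character; for Slackware names such as vmlinuz-generic-3.10.17 that any-character match is what consumes the `-` separator, so the expression works by accident. Make the intent explicit, e.g. `sed 's/generic[-.]//; s/huge[-.]//'`, and extend the "Remove generic. and huge." comment to say that the separator is stripped too, so the next maintainer does not "fix" the dot by escaping it and break version extraction.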
@ -580,4 +578,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - http://cisofy.com - The Netherlands
# Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com


@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -66,4 +66,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - http://cisofy.com - The Netherlands
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com


@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -101,4 +101,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com


@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -36,7 +36,6 @@
# Test : LOGG-2130
# Description : Check for a running syslog daemon
# Notes : Log which syslog daemon is found YYY
Register --test-no LOGG-2130 --weight L --network NO --description "Check for running syslog daemon"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching for a logging daemon"
@ -274,7 +273,7 @@
Register --test-no LOGG-2150 --weight L --preqs-met ${PREQS_MET} --network NO --description "Checking directories in logrotate configuration"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking which directories can be found in logrotate configuration"
FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | egrep "considering log|skipping" | grep -v '*' | sort | uniq | awk '{ if ($2=="log") { print $3 } }' | sed 's/\/*[a-zA-Z_.-]*$//g' | sort | uniq`
FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | egrep "considering log|skipping" | grep -v '*' | sort | uniq | awk '{ if ($2=="log") { print $3 } }' | sed 's@/[^/]*$@@g' | sort | uniq`
if [ "${FIND}" = "" ]; then
logtext "Result: nothing found"
else
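Review bot: the new `sed 's@/[^/]*$@@g'` on the FIND line is the right fix, since it drops everything after the last slash and so handles log names containing digits that the old `[a-zA-Z_.-]*$` class cut in the middle (a name like php7.0-fpm.log lost everything after the 7), but the `egrep "considering log|skipping"` in front of it still pulls in the "skipping" lines only for the awk `$2=="log"` filter to discard them, so that alternative is dead; drop it, or handle skipped logs explicitly if they are meant to be reported. The two `sort | uniq` passes in the same pipeline can also be collapsed into one `sort -u` at the end.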
@ -285,7 +284,6 @@
report "log_directory[]=${I}"
else
logtext "Directory could not be found: ${I}"
# YYY strip more parts of the name, until it can be found (and stop at /)
fi
done
fi
@ -477,12 +475,6 @@
#
#################################################################################
#
#
# Rsyslogd checks
#
#
#################################################################################
#
report "log_rotation_config_found=${LOGROTATE_CONFIG_FOUND}"
report "log_rotation_tool=${LOGROTATE_TOOL}"

View File

@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -48,11 +48,11 @@
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${AASTATUSBINARY}" = "" ]; then
# Checking AppArmor status
#0 if apparmor is enabled and policy is loaded.
#1 if apparmor is not enabled/loaded.
#2 if apparmor is enabled but no policy is loaded.
#3 if control files are not available
#4 if apparmor status can't be read
# 0 if apparmor is enabled and policy is loaded.
# 1 if apparmor is not enabled/loaded.
# 2 if apparmor is enabled but no policy is loaded.
# 3 if control files are not available
# 4 if apparmor status can't be read
FIND=`${AASTATUSBINARY} > /dev/null; echo $?`
if [ ${FIND} -eq 0 ]; then
MAC_FRAMEWORK_ACTIVE=1
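Review bot: the status capture `FIND=\`${AASTATUSBINARY} > /dev/null; echo $?\`` only silences stdout, so when aa-status exits with 3 or 4 (control files unavailable or status unreadable, typically when the audit is not run as root) its error text is printed in the middle of the Display output; since only the exit code is used, redirect stderr as well (`> /dev/null 2>&1`). The re-indented comment block is now the only place exit codes 2 to 4 are documented; the branches visible below handle 0 and 1 and send everything else to UNKNOWN with a ReportException, and if code 2 (enabled but no policy loaded) is not handled in the lines between the two hunks it deserves its own warning, because an enabled AppArmor with no profiles confines nothing.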
@ -71,7 +71,7 @@
elif [ ${FIND} -eq 1 ]; then
logtext "Result: AppArmor is disabled"
Display --indent 4 --text "- Checking AppArmor status" --result "DISABLED" --color YELLOW
else
else
Display --indent 4 --text "- Checking AppArmor status" --result "UNKNOWN" --color RED
ReportException "${TEST_NO}:1" "Invalid or unknown AppArmor status detected"
fi
@ -119,7 +119,7 @@
Display --indent 6 --text "- Checking current mode and config file" --result "OK" --color GREEN
else
logtext "Result: Current SELinux mode (${FIND}) is NOT the same as in config file (${FIND2})."
ReportWarning ${TEST_NO} "M" "Current SELinux mode is different from config file (current: ${FIND}, config file: ${FIND2})"
ReportWarning ${TEST_NO} "M" "Current SELinux mode is different from config file (current: ${FIND}, config file: ${FIND2})"
Display --indent 6 --text "- Checking current mode and config file" --result "WARNING" --color RED
fi
Display --indent 8 --text "Current SELinux mode: ${FIND}"
@ -187,14 +187,6 @@ report "framework_selinux=${SELINUXFOUND}"
wait_for_keypress
# To implement:
# FMAC (OpenSolaris, MAC)
# LSM (Linux Security Modules)
# TrustedBSD (MAC)
# RSBAC (RBAC)
# Apple sandbox technology
# PAX
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com

View File

@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -50,29 +50,6 @@
fi
#
#################################################################################
#
# Test : MAIL-8804
# Description : Check Exim configuration
#if [ ${EXIM_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no MAIL-8804 --weight L --network NO --description "Check Exim configuration"
#if [ ${SKIPTEST} -eq 0 ]; then
# if [ ! "${EXIMBINARY}" = "" ]; then
# logtext "Test: Searching Exim configuration file"
# FIND=`${EXIMBINARY} -d | grep "configuration file is" | sed 's/configuration file is//'`
# if [ ! "${FIND}" = "" ]; then
# Display --indent 2 --text "- Checking Exim configuration" --result FOUND --color GREEN
# Display --indent 4 --text "Result: configuration file is ${FIND}"
# logtext "Result: found Exim"
# logtext "Result: configuration file is ${FIND}"
# else
# Display --indent 2 --text "- Checking Exim configuration" --result WARNING --color RED
# logtext "Couldn't find the Exim configuration file, however Exim seems to be installed."
# fi
# else
# logtext "Exim binary not found, no tests performed"
# fi
#
#################################################################################
#
# Test : MAIL-8814
# Description : Check Postfix process
@ -161,26 +138,6 @@
fi
#
#################################################################################
#
# Test : MAIL-8842
# Description : Check Dovecot logging locations
#Register --test-no MAIL-8842 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check dovecot logging locations"
#if [ ${SKIPTEST} -eq 0 ]; then
# ParseDovecot
# CONF="/etc/dovecot/dovecot.conf"
# FIND=`cat ${CONF} | grep "^log_path" | awk '{ if ($1=="") { print "syslog" } else { print $3 } }'`
# if [ ! "${FIND}" = "" ]; then
# logtext "Result: output for error messages = ${FIND}"
# fi
#
# FIND=`cat ${CONF} | grep "^log_info_path" | awk '{ if ($1=="") { print "syslog" } else { print $3 } }'`
# if [ ! "${FIND}" = "" ]; then
# logtext "Result: output for informational messages = ${FIND}"
# fi
#
# fi
#
#################################################################################
#
# Test : MAIL-8860
# Description : Check Qmail process status
@ -239,23 +196,6 @@
fi
#
#################################################################################
#
# Test : MAIL-xxxx
# Description : Check if outgoing mail is obscured (increased privacy)
#Register --test-no MAIL-xxxx --weight L --network NO --description "Check XXX"
#if [ ${SKIPTEST} -eq 0 ]; then
#
#################################################################################
#
#YYY Add support for mail, procmail
#YYY Add support for MUAs: Thunderbird, Kmail, Evolution
# Other software : Cyrus-IMAP, Amavisd-new, SpamAssassin, Fetchmail, Procmail, maildrop
#- Dovecot : \'/usr/local/etc/dovecot.conf\'
#- For Sendmail : \'/var/mail/sendmail.cf\'
#- Fetchmail : \'~/.fetchmailrc\' (not only root)
#- Cyrus-IMAP : \'/usr/local/etc/imapd.conf\' for parameters and \'/usr/local/etc/cyrus.conf\' for the services launched
#
#################################################################################
#
report "imap_daemon=${IMAP_DAEMON}"
@ -267,4 +207,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com

View File

@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com), The Netherlands
# Web site: http://cisofy.com
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -23,7 +23,9 @@
#################################################################################
#
CLAMD_RUNNING=0
MCAFEE_SCANNER_RUNNING=0
MALWARE_SCANNER_INSTALLED=0
SOPHOS_SCANNER_RUNNING=0
#
#################################################################################
#
@ -45,7 +47,7 @@
#################################################################################
#
# Test : MALW-3276
# Description : Check for installed tool (Rootkit Hunter)
# Description : Check for installed tool (Rootkit Hunter)
Register --test-no MALW-3276 --weight L --network NO --description "Check for Rootkit Hunter"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking presence Rootkit Hunter"
@ -66,27 +68,36 @@
Register --test-no MALW-3280 --weight L --network NO --description "Check if anti-virus tool is installed"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
MCAFEE_RUNNING=0
logtext "Test: checking process cma or cmdagent (McAfee)"
# cma is too generic to match on, so we want to ensure that it is related to McAfee first
if [ -x /opt/McAfee/cma/bin/cma ]; then
IsRunning cma
if [ ${RUNNING} -eq 1 ]; then MCAFEE_RUNNING=1; fi
if [ ${RUNNING} -eq 1 ]; then MCAFEE_SCANNER_RUNNING=1; fi
else
IsRunning cmdagent
if [ ${RUNNING} -eq 1 ]; then MCAFEE_RUNNING=1; fi
if [ ${RUNNING} -eq 1 ]; then MCAFEE_SCANNER_RUNNING=1; fi
fi
if [ ${MCAFEE_RUNNING} -eq 1 ]; then
if [ ${MCAFEE_SCANNER_RUNNING} -eq 1 ]; then
FOUND=1
Display --indent 2 --text "- Checking McAfee" --result "FOUND" --color GREEN
logtext "Result: Found McAfee"
MALWARE_SCANNER_INSTALLED=1
AddHP 2 2
fi
# Sophos savscand/SophosScanD
logtext "Test: checking process savscand"
IsRunning savscand
if [ ${RUNNING} -eq 1 ]; then
FOUND=1
SOPHOS_SCANNER_RUNNING=1;
fi
logtext "Test: checking process SophosScanD"
IsRunning SophosScanD
if [ ${RUNNING} -eq 1 ]; then
FOUND=1
SOPHOS_SCANNER_RUNNING=1;
fi
if [ ${SOPHOS_SCANNER_RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking Sophos" --result "FOUND" --color GREEN
logtext "Result: Found Sophos"
MALWARE_SCANNER_INSTALLED=1
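Review bot: `MCAFEE_RUNNING=0` on the unchanged line at the top of the test is now a leftover, since the renamed `MCAFEE_SCANNER_RUNNING` is initialised at the top of the file and is the only variable read afterwards; remove it. Two further points in this hunk: the `IsRunning cmdagent` check only runs in the else branch, i.e. when `/opt/McAfee/cma/bin/cma` is absent, so a host that has the cma binary installed but only cmdagent running is reported as having no McAfee; and `SOPHOS_SCANNER_RUNNING=1;` carries a trailing semicolon in both places, which is harmless but inconsistent with the rest of the file. If the new per-vendor variables are meant to reach the report file, a `report` line for them is missing; the only one visible in this diff is `malware_scanner_installed`.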
@ -114,7 +125,6 @@
logtext "Result: clamscan couldn't be found"
fi
fi
#
#################################################################################
#
@ -156,26 +166,20 @@
#
#################################################################################
#
# Test : MALW-3288
# Description : Check for ClamXav (Mac OS X)
#
#################################################################################
#
Register --test-no MALW-3288 --weight L --network NO --description "Check for ClamXav"
# Test : MALW-3288
# Description : Check for ClamXav (Mac OS X)
if [ -d /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no MALW-3288 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for ClamXav"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -d /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ ]; then
CLAMSCANBINARY=`ls /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | grep 'clamscan'`
if [ ! "${CLAMSCANBINARY}" = "" ]; then
logtext "Result: Found ClamXav clamscan installed"
Display --indent 2 --text "- Checking presence of ClamXav AV scanner" --result "FOUND" --color GREEN
MALWARE_SCANNER_INSTALLED=1
AddHP 3 3
else
logtext "Result: ClamXav malware scanner not found"
AddHP 0 3
fi
CLAMSCANBINARY=`ls /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | grep 'clamscan'`
if [ ! "${CLAMSCANBINARY}" = "" ]; then
logtext "Result: Found ClamXav clamscan installed"
Display --indent 2 --text "- Checking presence of ClamXav AV scanner" --result "FOUND" --color GREEN
MALWARE_SCANNER_INSTALLED=1
AddHP 3 3
else
logtext "Result: could not find ClamXav location"
logtext "Result: ClamXav malware scanner not found"
AddHP 0 3
fi
fi
#
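Review bot: `CLAMSCANBINARY=\`ls .../ScanningEngine/bin/ 2> /dev/null | grep 'clamscan'\`` assigns a bare file name (any directory entry containing the string clamscan) to a variable whose name, and presumably its use in the ClamAV tests, implies a full path to an executable; any later test that runs `${CLAMSCANBINARY}` will now fail on Mac OS X. Test the executable directly with `-x /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/clamscan` and store the full path, which also removes the substring match. Moving the directory check into `--preqs-met` is fine, but note that the test is now skipped rather than logged when ClamXav is absent, so the `AddHP 0 3` else branch only fires when the directory exists but holds no clamscan.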
@ -185,28 +189,6 @@
# Description : Check for LMD
#
#################################################################################
#
# Test : MALW-3292
# Description : Check if at least one malware scanner is installed
# Register --test-no MALW-3292 --weight L --network NO --description "Check for at least one malware scanner"
# if [ ${SKIPTEST} -eq 0 ]; then
# if [ ${MALWARE_SCANNER_INSTALLED} -eq 1 ]; then
# logtext "Result: At least one malware scanner is installed"
# Display --indent 2 --text "- Checking presence malware scanner" --result "FOUND" --color GREEN
# #AddHP 3 3
# else
# logtext "Result: No malware scanners found"
# Display --indent 2 --text "- Checking presence malware scanner" --result "NOT FOUND" --color YELLOW
# ReportSuggestion ${TEST_NO} "Install at least one malware scanner to perform periodic integrity tests on the system"
# #AddHP 0 3
# fi
# fi
#
#################################################################################
#
# Other projects: maldetect (rfxn)
#
#################################################################################
#
report "malware_scanner_installed=${MALWARE_SCANNER_INSTALLED}"

View File

@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -64,7 +64,7 @@
#
# Test : PROC-3612
# Description : Searching for dead and zombie processes
# Notes : Don't perform test on Solaris
# Notes : Don't perform test on Solaris
if [ ! "${OS}" = "Solaris" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PROC-3612 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check dead or zombie processes"
if [ ${SKIPTEST} -eq 0 ]; then
@ -110,23 +110,10 @@
fi
#
#################################################################################
#
# Ubuntu test: dead processes
# who -d
#
#################################################################################
#
# Test : PROC-3624
# Description : Check shared memory (ipcs -m)
# Notes : if it's empty, check /dev/shm and warn if any files are left behind
#Register --test-no PROC-3614 --os Linux --weight L --network NO --description "Check shared memory"
#if [ ${SKIPTEST} -eq 0 ]; then
#
#################################################################################
#
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com

View File

@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -30,6 +30,7 @@
POWERDNS_AUTH_CONFIG_LOCATION=""
POWERDNS_AUTH_MASTER=0
POWERDNS_AUTH_SLAVE=0
UNBOUND_CONFIG_OK=0
YPBIND_RUNNING=0
#
#################################################################################
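Review bot: `UNBOUND_RUNNING` is not initialised next to the new `UNBOUND_CONFIG_OK=0`, yet NAME-4036 later evaluates `if [ ${UNBOUND_RUNNING} -eq 1 ]` to set its prerequisites; when unbound is not running the variable is unset and the unquoted test expands to `[ -eq 1 ]`, which is a unary-operator error in sh rather than PREQS_MET=NO. Add `UNBOUND_RUNNING=0` to this block unless it is initialised in a part of the file not shown here.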
@ -93,7 +94,7 @@
# Check amount of search domains (max 1)
FIND=`cat /etc/resolv.conf | grep "^search" | wc -l | tr -s ' ' | tr -d ' '`
if [ ! "${FIND}" = "0" -a ! "${FIND}" = "1" ]; then
logtext "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)"
logtext "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)"
Display --indent 4 --text "- Checking search domains lines" --result "CONFIG ERROR" --color YELLOW
ReportWarning ${TEST_NO} "L" "Found more than 1 search lines in /etc/resolv.conf, which is probably a misconfiguration"
else
@ -228,12 +229,57 @@
logtext "Test: checking nscd status"
IsRunning nscd
if [ ${RUNNING} -eq 1 ]; then
NAME_CACHE_USED=1
logtext "Result: nscd is running"
Display --indent 2 --text "- Checking nscd status" --result RUNNING --color GREEN
else
logtext "Result: nscd is not running"
Display --indent 2 --text "- Checking nscd status" --result "NOT FOUND" --color WHITE
#YYY show performance suggestion if LDAP is used
fi
fi
#
#################################################################################
#
# Test : NAME-4034
# Description : Check name service caching daemon (Unbound) status
Register --test-no NAME-4034 --weight L --network NO --description "Check Unbound status"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking Unbound (unbound) status"
IsRunning unbound
if [ ${RUNNING} -eq 1 ]; then
UNBOUND_RUNNING=1
NAME_CACHE_USED=1
logtext "Result: Unbound daemon is running"
Display --indent 2 --text "- Checking Unbound status" --result RUNNING --color GREEN
else
logtext "Result: Unbound daemon is not running"
Display --indent 2 --text "- Checking Unbound status" --result "NOT FOUND" --color WHITE
fi
fi
#
#################################################################################
#
# Test : NAME-4036
# Description : Checking Unbound configuration file
if [ ${UNBOUND_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4036 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Unbound configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`which unbound-checkconf`
if [ ! "${FIND}" = "" ]; then
logtext "Test: running unbound-checkconf"
# Don't capture any output, just gather exit code (0 is fine, otherwise bad)
FIND=`unbound-checkconf > /dev/null 2>&1`
if [ $? -eq 0 ]; then
UNBOUND_CONFIG_OK=1
logtext "Result: Configuration is fine"
Display --indent 2 --text "- Checking configuration file" --result OK --color GREEN
else
logtext "Result: Unbound daemon is not running"
Display --indent 2 --text "- Checking configuration file" --result "NOT OK" --color YELLOW
ReportWarning "${TEST_NO}" "L" "Found Unbound configuration file issues (run unbound-checkconf)"
fi
else
logtext "Result: skipped, can't find unbound-checkconf utility"
fi
fi
#
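Review bot: the failure branch of NAME-4036 logs `Result: Unbound daemon is not running`, copied from NAME-4034, although by that point unbound is known to be running and the actual finding is that unbound-checkconf rejected the configuration; log the checkconf result instead. Two smaller points: `FIND=\`unbound-checkconf > /dev/null 2>&1\`` captures nothing, so either drop the assignment and test `$?` directly, or keep the error output and write it to the log so the warning is actionable without re-running the tool; and `which unbound-checkconf` bypasses the `*BINARY` detection convention used for the other tools in this file. Also, NAME-4034 sets `NAME_CACHE_USED=1` for Unbound while describing it as a name service caching daemon; Unbound is a validating recursive resolver rather than an nscd-style cache, so either the description or the variable is misleading, and `UNBOUND_CONFIG_OK` is set but not written with `report` anywhere in this diff.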
@ -263,7 +309,6 @@
Register --test-no NAME-4204 --preqs-met ${PREQS_MET} --weight L --network NO --description "Search BIND configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Search BIND configuration file"
#YYY add chrooted environments
for I in ${BIND_CONFIG_LOCS}; do
if [ -f ${I}/named.conf ]; then
BIND_CONFIG_LOCATION="${I}/named.conf"
@ -377,7 +422,6 @@
Register --test-no NAME-4232 --preqs-met ${PREQS_MET} --weight L --network NO --description "Search PowerDNS configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Search PowerDNS configuration file"
#YYY add chrooted environments
for I in ${POWERDNS_CONFIG_LOCS}; do
if [ -f ${I}/pdns.conf ]; then
POWERDNS_AUTH_CONFIG_LOCATION="${I}/pdns.conf"
@ -522,7 +566,7 @@
fi
fi
# Check if we found any NIS domain
if [ ! "${NISDOMAIN}" = "" ]; then
if [ ! "${NISDOMAIN}" = "" ]; then
logtext "Found NIS domain: ${NISDOMAIN}"
report "nisdomain=${NISDOMAIN}"
Display --indent 4 --text "- Checking NIS domain" --result "FOUND" --color GREEN
@ -569,7 +613,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Check /etc/hosts contains an entry for this server name"
if [ -f /etc/hosts ]; then
sFIND=`cat /etc/hosts | egrep -v '^(#|$|::1|localhost)' | grep ${HOSTNAME}`
sFIND=`cat /etc/hosts | egrep -v '^(#|$|^::1\s|localhost)' | grep ${HOSTNAME}`
if [ "${sFIND}" != "" ]; then
logtext "Result: Found entry for ${HOSTNAME} in /etc/hosts"
Display --indent 4 --text "- Checking /etc/hosts (hostname)" --result OK --color GREEN
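Review bot: the `\s` added in `egrep -v '^(#|$|^::1\s|localhost)'` is not defined in POSIX ERE and non-GNU egrep (AIX, HP-UX, older BSD greps) may treat it as a literal s, in which case the `::1` line is no longer excluded and a `::1 localhost hostname` mapping is counted as a valid entry; use `[[:space:]]` instead. The second `^` inside the group is redundant given the leading anchor, and the trailing `grep ${HOSTNAME}` should take `-w` as NAME-4406 does in this same change, otherwise a hostname that is a prefix of another name in /etc/hosts still passes.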
@ -590,7 +634,7 @@
Register --test-no NAME-4406 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check server hostname mapping"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Check server hostname not locally mapped in /etc/hosts"
sFIND=`cat /etc/hosts | egrep -v '^(#|$)' | egrep '(localhost|::1)' | grep ${HOSTNAME}`
sFIND=`cat /etc/hosts | egrep -v '^(#|$)' | egrep '(localhost|^::1\s)' | grep -w ${HOSTNAME}`
if [ ! "${sFIND}" = "" ]; then
logtext "Result: Found this server hostname mapped to a local address"
Display --indent 4 --text "- Checking /etc/hosts (localhost)" --result SUGGESTION --color YELLOW
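Review bot: `grep -w ${HOSTNAME}` is the right fix for substring matches, but `^::1\s` has the same portability problem as in NAME-4404 above: `\s` is not POSIX ERE and non-GNU egrep (AIX, HP-UX) may read it as a literal s, so use `[[:space:]]`. `${HOSTNAME}` is also unquoted and used as a regex in both tests; a dot in the name matches any character, so `grep -wF` would match the literal name.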
@ -605,8 +649,9 @@
#################################################################################
#
report ="name_cache_used=${NAME_CACHE_USED}"
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015 Michael Boelen, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
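Review bot: `report ="name_cache_used=${NAME_CACHE_USED}"` on the unchanged line in this hunk has a stray space after `report`, so the function receives `=name_cache_used=...` as its argument and the report file gets a key starting with `=`; since this change already touches the lines right after it, fix it here to `report "name_cache_used=${NAME_CACHE_USED}"`.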

View File

@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -29,7 +29,7 @@
#
#################################################################################
#
# Test : NETW-2704 (YYY move to nameservices section)
# Test : NETW-2704
# Description : Basic nameserver configuration tests (connectivity)
Register --test-no NETW-2704 --weight L --network YES --description "Basic nameserver configuration tests"
if [ ${SKIPTEST} -eq 0 ]; then
@ -44,7 +44,7 @@
for I in ${FIND}; do
logtext "Found nameserver: ${I}"
report "nameserver[]=${I}"
# Check if a local resolver is available (like DNSMasq)
# Check if a local resolver is available (like DNSMasq)
if [ "${I}" = "::1" -o "${I}" = "127.0.0.1" -o "${I}" = "0.0.0.0" ]; then
LOCAL_DNSRESOLVER_FOUND=1
fi
@ -200,7 +200,7 @@
case ${OS} in
AIX)
FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet") print $2 }'`
# IPv6 support in AIX? (YYY)
FIND2=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet6") print $2 }'`
;;
DragonFly|FreeBSD|NetBSD)
FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet") print $2 }'`
@ -447,16 +447,17 @@
# Test : NETW-3028
# Description : Checking for many waiting connections
# Type : Performance
# Notes : It is common to see a healthy web server seeing to have several thousands of TCP connections in WAIT state
if [ ! "${NETSTATBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NETW-3028 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking connections in WAIT state"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Using netstat for check for connections in WAIT state"
FIND=`${NETSTATBINARY} -an | grep WAIT | wc -l | awk '{ print $1 }'`
if [ "${OPTIONS_CONN_MAX_WAIT_STATE}" = "" ]; then OPTIONS_CONN_MAX_WAIT_STATE="100"; fi
if [ "${OPTIONS_CONN_MAX_WAIT_STATE}" = "" ]; then OPTIONS_CONN_MAX_WAIT_STATE="5000"; fi
logtext "Result: currently ${FIND} connections are in a waiting state (max configured: ${OPTIONS_CONN_MAX_WAIT_STATE})."
if [ ${FIND} -gt ${OPTIONS_CONN_MAX_WAIT_STATE} ]; then
Display --indent 2 --text "- Checking waiting connections" --result WARNING --color YELLOW
ReportWarning ${TEST_NO} "H" "Found too much connections in WAIT state (${FIND})"
ReportSuggestion "${TEST_NO}" "Determine why system has many connections in WAIT state (${FIND})"
else
Display --indent 2 --text "- Checking waiting connections" --result OK --color GREEN
logtext "Result: ${FIND} connections are in WAIT state"
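Review bot: raising the default from 100 to 5000 and downgrading the warning to a suggestion addresses the false positives on busy web servers, but `grep WAIT` still counts TIME_WAIT, CLOSE_WAIT, FIN_WAIT_1 and FIN_WAIT_2 together; thousands of TIME_WAIT entries are normal, while a large CLOSE_WAIT count points to an application that never closes its sockets, which is exactly the case the suggestion should single out. Count CLOSE_WAIT separately with its own, lower threshold and keep the aggregate as informational. The log line `currently ${FIND} connections are in a waiting state` is also written before the comparison, so the OK branch's `${FIND} connections are in WAIT state` duplicates it.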
@ -472,8 +473,6 @@
IsRunning dhclient
if [ ${RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking status DHCP client" --result RUNNING --color WHITE
#YYY report if system type is server, that it is running with DHCP client, might be a badly configured machine
#report "manual[]=System is running DHCP client"
DHCP_CLIENT_RUNNING=1
else
Display --indent 2 --text "- Checking status DHCP client" --result "NOT ACTIVE" --color WHITE
@ -481,20 +480,6 @@
fi
#
#################################################################################
#
# Test : NETW-3060
# Description : Check if IPv6 is configured AND used
# /etc/modprobe.d (add 'install ipv6 /bin/true' if IPv6 isn't used)
# or
# aliased (/etc/modprobe.d/aliases?): alias net-pf-10 off ipv6 (to disable)
#Register --test-no NETW-3060 --weight L --network NO --description "Checking IPv6 connectivity"
#if [ ${SKIPTEST} -eq 0 ]; then
#
#################################################################################
#
# Linux: net.ipv4.ip_always_defrag
#
#################################################################################
#
report "dhcp_client_running=${DHCP_CLIENT_RUNNING}"
@ -502,4 +487,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com

View File

@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -252,37 +252,13 @@
logtext "Result: Found 'allow_url_include' in disabled state (0, no, or off)"
AddHP 2 2
fi
#YYY Check through all files
fi
#
#################################################################################
#
# Disable/use functions:
# safe_mode (only for PHP5?)
# open_basedir (limits access to defined directory, comparable with chrooting)
# disable_classes
# session.save_path
# session.referer_check
# upload_tmp_dir
# file_uploads Off, if possible
# Set display_errors to Off
# Set log_errors to On and define error_log (with value Syslog or a filename)
#
#################################################################################
#
# mod_suexec
# suPHP (/etc/suphp.conf)
#
#################################################################################
#
# Test : PHP-2388
# Description : Check php version number
#
#################################################################################
#
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com

View File

@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -78,35 +78,6 @@
fi
#
#################################################################################
#
# Temporary disabled due false positives
# Packages like docbook, gcc, automake report multiple installed versions
# # Test : PKGS-7303
# # Description : Query FreeBSD pkg_info
# if [ -x /usr/sbin/pkg_info ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Register --test-no PKGS-7303 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query FreeBSD for double installed packages"
# if [ ${SKIPTEST} -eq 0 ]; then
# SDOUBLEINSTALLED=`pkg_info | sort | sed -e 's/-[0-9].*$//' | uniq -c | grep -v '^[[:space:]]*1' | tr -s ' ' | cut -d ' ' -f3`
# if [ "${SDOUBLEINSTALLED}" = "" ]; then
# Display --indent 6 --text "- Querying pkg_info for double installed packages" --result OK --color GREEN
# logtext "Ok, no packages show up twice or more in the package listing."
# else
# Display --indent 6 --text "- Querying pkg_info for double installed packages" --result WARNING --color RED
# for J in ${SDOUBLEINSTALLED}; do
# ReportWarning ${TEST_NO} "M" "Found probably incorrect installed package (${J})"
# logtext "This package ${J} is visible twice or more in the pkg_info listing."
# ReportSuggestion ${TEST_NO} "(FreeBSD) run pkgdb -F and check this manually."
# ReportSuggestion ${TEST_NO} "(OpenBSD) check dependencies to see if one of the double "
# logtext "installed packages is unneeded."
# report "double_installed_package[]=${J}"
# done
# fi
# else
# Display --indent 4 --text "- Searching pkg_info" --result "NOT FOUND" --color WHITE
# logtext "Result: pkg_info can NOT be found on this system"
# fi
#
#################################################################################
#
# Test : PKGS-7304
# Description : Gentoo packages
@ -152,7 +123,6 @@
logtext "Result: pkginfo can NOT be found on this system"
fi
#
#
#################################################################################
#
# Test : PKGS-7308
@ -202,7 +172,6 @@
if [ "${SPACKAGES}" = "" ]; then
logtext "Result: pacman binary available, but package list seems to be empty"
logtext "Info: looks like the pacman binary is installed, but not used for package installation"
#YYY ReportException?
else
for J in ${SPACKAGES}; do
N=`expr ${N} + 1`
@ -380,7 +349,7 @@
fi
#
#################################################################################
#
# Test : PKGS-7348
# Description : Show unneeded distfiles if present
# Notes : Portsclean seems to be gone from the ports, so no suggestion or warning is
@ -402,9 +371,67 @@
fi
#
#################################################################################
#
# Test : PKGS-7366
# Description : Checking if debsecan is installed and enabled on Debian systems
if [ ! "${DEBSECANBINARY}" = "" -a "${OS}" = "Linux" -a "${LINUX_VERSION}" = "Debian" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no "PKGS-7366" --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking for debsecan utility"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${DEBSECANBINARY}" = "" ]; then
logtext "Result: debsecan utility is installed"
Display --indent 4 --text "- debsecan utility" --result "FOUND" --color GREEN
AddHP 3 3
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="debsecan"
FIND=`find /etc/cron* -name debsecan`
if [ ! ${FIND} = "" ]; then
logtext "Result: cron job is configured for debsecan"
Display --indent 6 --text "- debsecan cron job" --result "FOUND" --color GREEN
AddHP 3 3
else
logtext "Result: no cron job is configured for debsecan"
Display --indent 4 --text "- debsecan cron job" --result "NOT FOUND" --color YELLOW
AddHP 1 3
ReportSuggestion ${TEST_NO} "Check debsecan cron job and ensure it is enabled"
fi
else
logtext "Result: debsecan is not installed."
Display --indent 4 --text "- debsecan utility" --result "NOT FOUND" --color YELLOW
AddHP 0 2
ReportSuggestion ${TEST_NO} "Install debsecan to check for vulnerabilities on installed packages."
fi
fi
#
#################################################################################
#
# Test : PKGS-7370
# Description : Check debsums output
# Description : Checking debsums installation status and presence in cron job
# Note : Run this only when it is a DPKG based system
if [ ! "${DPKGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no "PKGS-7370" --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking for debsums utility"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${DEBSUMSBINARY}" = "" ]; then
logtext "Result: debsums utility is installed"
Display --indent 4 --text "- debsums utility" --result "FOUND" --color GREEN
AddHP 1 1
# Check in /etc/cron.hourly, daily, weekly, monthly etc
COUNT=`find /etc/cron* -name debsums | wc -l`
if [ ${COUNT} -gt 0 ]; then
logtext "Result: Cron job is configured for debsums utility."
Display --indent 6 --text "- Cron job for debsums" --result "FOUND" --color GREEN
AddHP 3 3
else
logtext "Result: Cron job is not configured for debsums utility."
Display --indent 6 --text "- Cron job for debsums" --result "NOT FOUND" --color YELLOW
AddHP 1 3
ReportSuggestion "${TEST_NO}" "Check debsums configuration and enable checking regurlarly via a cron job."
fi
else
logtext "Result: debsums utility is not installed."
AddHP 0 2
ReportSuggestion ${TEST_NO} "Install debsums utility for the verification of packages with known good database."
fi
fi
#
#################################################################################
#
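Review bot: in the new PKGS-7366 block the cron-job result is tested unquoted, `if [ ! ${FIND} = "" ]`; when find returns more than one path (a debsecan entry in both /etc/cron.d and /etc/cron.daily, for instance) the test fails with "too many arguments" and the shell prints an error instead of a result. Quote it (`if [ ! "${FIND}" = "" ]`) or count matches with `wc -l` as the PKGS-7370 block just below already does. Smaller points in the same hunk: the FOUND and NOT FOUND Display calls for the debsecan cron job use different indents (6 and 4); the debsums "not installed" branch logs and adds a suggestion but never calls Display, so nothing appears on screen for that case; and "regurlarly" in the debsums suggestion should be "regularly".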
@ -482,7 +509,6 @@
if [ "${FIND}" = "" ]; then
logtext "Result: pkg audit results are clean"
Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result NONE --color GREEN
# Don't check yet, output of found vulnerable packages unclear (YYY)
else
logtext "Result: ${FIND}"
#Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result WARNING --color RED
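Review bot: removing the "Don't check yet" YYY comment drops the only reminder that vulnerable packages from pkg audit are still not surfaced, while the Display WARNING call right after it stays commented out; a host with known-vulnerable packages therefore gets a log line and no on-screen result or ReportWarning. Either keep a comment stating why the warning is disabled, or enable the warning if the output format has since been confirmed.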
@ -834,7 +860,7 @@
SCAN_PERFORMED=0
# Update portage.
# Multiple ways to do this. Some require extra packages to be installed,
# others require potential firewall ports to be open, outbound. This is the
# others require potential firewall ports to be open, outbound. This is the
# "most friendly" way.
logtext "Action: updating portage with emerge-webrsync"
/usr/bin/emerge-webrsync --quiet 2> /dev/null
@ -933,9 +959,30 @@
#
#################################################################################
#
# check for popularity-contest (Debian/Ubuntu)
# check for yum-changelog
# Test : PKGS-7410
# Description : Count number of installed kernel packages
Register --test-no PKGS-7410 --weight L --network NO --description "Count installed kernel packages"
if [ ${SKIPTEST} -eq 0 ]; then
KERNELS=0
if [ ! "${RPMBINARY}" = "" ]; then
logtext "Test: Checking how many kernel packages are installed"
KERNELS=`rpm -q kernel 2> /dev/null | wc -l`
if [ ${KERNELS} -eq 0 ]; then
logtext "Result: found no kernels from rpm -q kernel output, which is unexpected"
ReportException "KRNL-5840:1" "Could not find any kernel packages from RPM output"
elif [ ${KERNELS} -gt 5 ]; then
logtext "Result: found more than 5 kernel packages on the system, which might indicate lack of regular cleanups"
ReportSuggestion "${TEST_NO}" "Remove any unneeded kernel packages with package-cleanup utility (--old-kernels)"
AddHP 4 5
else
logtext "Result: found ${KERNELS} on the system, which is fine"
AddHP 1 1
fi
fi
fi
#
#################################################################################
#
if [ ! "${INSTALLED_PACKAGES}" = "" ]; then
report "installed_packages_array=${INSTALLED_PACKAGES}"
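Review bot: in PKGS-7410, `rpm -q kernel 2> /dev/null | wc -l` can never be 0: when the package is absent rpm prints "package kernel is not installed" on stdout, so KERNELS becomes 1, the ReportException branch is unreachable, and hosts whose kernel package has another name (kernel-ml, kernel-lt, kernel-PAE, Fedora's kernel-core) are always scored as fine with one kernel. Filter that line out or test rpm's exit status, and consider matching `kernel*` package names. The ReportException uses the ID "KRNL-5840:1" although this test is PKGS-7410; use "${TEST_NO}:1". Minor: the log line "found ${KERNELS} on the system" is missing the words "kernel packages", and registering the test with --preqs-met on RPMBINARY would be clearer than silently doing nothing on non-RPM systems.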
@ -949,4 +996,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015 Michael Boelen, CISOfy - https://cisofy.com
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com

View File

@ -293,4 +293,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com

View File

@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -139,16 +139,16 @@
# Description : Check atd status
Register --test-no SCHD-7718 --weight L --network NO --description "Check at users"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking atd status"
FIND=`${PSBINARY} ax | grep "/atd" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: at daemon active"
Display --indent 2 --text "- Checking atd status" --result RUNNING --color GREEN
ATD_RUNNING=1
else
logtext "Result: at daemon not active"
Display --indent 2 --text "- Checking atd status" --result "NOT RUNNING" --color WHITE
fi
logtext "Test: Checking atd status"
FIND=`${PSBINARY} ax | grep "/atd" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
logtext "Result: at daemon active"
Display --indent 2 --text "- Checking atd status" --result RUNNING --color GREEN
ATD_RUNNING=1
else
logtext "Result: at daemon not active"
Display --indent 2 --text "- Checking atd status" --result "NOT RUNNING" --color WHITE
fi
fi
#
#################################################################################
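Review bot: this hunk only re-indents SCHD-7718, but while the block is being touched the Register description "Check at users" matches neither the comment "Check atd status" nor what the body does (it looks for a running atd); aligning the description avoids a misleading entry in the report.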
@ -247,4 +247,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com

View File

@ -57,16 +57,9 @@
logtext "Output /etc/ttys:"
logtext "${FIND}"
ReportWarning ${TEST_NO} "M" "Found unprotected console in /etc/ttys"
#ReportSuggestion ${TEST_NO} "Change the console line from 'secure' to 'insecure'."
logtext "Possible solution: Change the console line from 'secure' to 'insecure'."
fi
fi
#
#################################################################################
#
# Test : SHLL-6214
# Description : check for idle session killing tools (timeoutd)
#
#################################################################################
#
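Review bot: rather than deleting the commented-out ReportSuggestion for an unprotected /etc/ttys console, enable it: the remediation (change the console line from "secure" to "insecure") currently only reaches the log file via logtext, while the ReportWarning goes to the report, so the reader of the report sees the finding without the fix. Removing the empty SHLL-6214 placeholder is fine.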
@ -221,40 +214,55 @@
#
#################################################################################
#
# Test : SHLL-6236
# Description : Check /etc/profile
#
#################################################################################
#
# Test : SHLL-6240
# Description : Check default umask
# Register --test-no SHLL-6240 --weight L --network NO --description "Check default umask"
# if [ ${SKIPTEST} -eq 0 ]; then
# logtext "Test: Checking /etc/profile"
# if [ -f /etc/profile ]; then
# FIND=`grep "^umask" | awk '{ print $2 }'`
# if [ "${FIND}" = "" ]; then
# logtext "Result: xxx"
# Display --indent 2 --text "- Checking default umask" --result OK --color GREEN
# else
# logtext "Result: xxx"
# Display --indent 2 --text "- Checking default umask" --result WARNING --color RED
# #ReportWarning ${TEST_NO} "M" "xxx"
# #ReportSuggestion ${TEST_NO} "xxx"
# fi
# fi
# fi
#
#################################################################################
#
# Test : SHLL-6250
# Description : Check /etc/bash.bashrc
# Register --test-no SHLL-6250 --weight L --network NO --description "Check default umask"
# if [ ${SKIPTEST} -eq 0 ]; then
#
#################################################################################
#
# Test : SHLL-6230
# Description : Check for umask values in shell configurations
SHELL_CONFIG_FILES="/etc/bashrc /etc/bash.bashrc /etc/csh.cshrc /etc/profile"
Register --test-no SHLL-6230 --weight H --network NO --description "Perform umask check for shell configurations"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
HARDENING_POSSIBLE=0
Display --indent 2 --text "- Checking default umask values"
for FILE in ${SHELL_CONFIG_FILES}; do
FIND=""
if [ -f ${FILE} ]; then
logtext "Result: file ${FILE} exists"
FOUND=1
FIND=`grep umask ${FILE} | sed 's/^[ \t]*//g' | sed 's/#.*$//' | grep -v "^$" | awk '{ print $2 }'`
if [ "${FIND}" = "" ]; then
logtext "Result: did not find umask configured in ${FILE}"
Display --indent 4 --text "- Checking default umask in ${FILE}" --result NONE --color YELLOW
else
for UMASKVALUE in ${FIND}; do
logtext "Result: found umask ${UMASKVALUE} in ${FILE}"
case ${UMASKVALUE} in
027|0027|077|0077)
logtext "Result: umask ${UMASKVALUE} is considered a properly hardened value"
;;
*)
logtext "Result: umask ${UMASKVALUE} can be hardened "
HARDENING_POSSIBLE=1
;;
esac
done
if [ ${HARDENING_POSSIBLE} -eq 0 ]; then
Display --indent 4 --text "- Checking default umask in ${FILE}" --result OK --color GREEN
AddHP 3 3
else
Display --indent 4 --text "- Checking default umask in ${FILE}" --result WEAK --color YELLOW
AddHP 1 3
fi
fi
else
logtext "Result: file ${FILE} not found"
fi
done
#if [ ${FOUND} -eq 1 ]; then
# if [ ${HARDENING_POSSIBLE} -eq 0 ]; then
# logtext "Result: all shell files found, contain a proper umask"
# Display --indent 4 --text "- Default umask" --result OK --color GREEN
# fi
#fi
fi
#
#################################################################################
#
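Review bot: in SHLL-6230, HARDENING_POSSIBLE is initialised once before the for loop and never reset per file, so as soon as one file in SHELL_CONFIG_FILES contains a weak umask every later file is displayed as WEAK and scored 1/3 even if it only sets 027 or 077; set HARDENING_POSSIBLE=0 inside the loop and keep a separate overall flag if the commented-out summary at the end is ever re-enabled. The extraction `grep umask ${FILE} | ... | awk '{ print $2 }'` also takes field 2 of any line that merely contains "umask", so a line such as `[ -n "$X" ] && umask 077` yields "-n", which is logged as the umask and falls through to the weak branch, and symbolic values (u=rwx,g=rx,o=) are never recognised; anchoring on ^umask after the whitespace strip and checking that the value matches [0-7]{3,4} would give cleaner results. FOUND is assigned but unused now that the summary block is commented out.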
@ -395,4 +403,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, CISOfy & Michael Boelen - http://cisofy.com - The Netherlands
# Lynis - Copyright 2007-2015, CISOfy - http://cisofy.com
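Review bot: this footer is changed to "CISOfy - http://cisofy.com" while every other footer in this commit is normalised to "Michael Boelen, CISOfy - https://cisofy.com"; use the same author and https form here for consistency.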

View File

@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com), The Netherlands
# Web site: http://cisofy.com
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -66,4 +66,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com

View File

@ -103,15 +103,6 @@
fi
#
#################################################################################
#
# # Test : SQD-3608
# # Description : Check Squid build options
# if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Register --test-no SQD-3608 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid version"
# if [ ${SKIPTEST} -eq 0 ]; then
# fi
#
#################################################################################
#
# Test : SQD-3610
# Description : Check Squid configuration options
@ -129,15 +120,6 @@
fi
#
#################################################################################
#
# # Test : SQD-3612
# # Description : Check Squid additional configuration files
# if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Register --test-no SQD-3612 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check additional Squid configuration files"
# if [ ${SKIPTEST} -eq 0 ]; then
# fi
#
#################################################################################
#
# Test : SQD-3613
# Description : Check Squid configuration options
@ -265,7 +247,7 @@
#SQUID_DAEMON_UNSAFE_PORTS_LIST
for I in ${SQUID_DAEMON_UNSAFE_PORTS_LIST}; do
logtext "Test: Checking port ${I} in Safe_ports list"
FIND2=`grep "^acl Safe_ports port ${I}" ${SQUID_DAEMON_CONFIG}`
FIND2=`grep -w "^acl Safe_ports port ${I}" ${SQUID_DAEMON_CONFIG}`
if [ "${FIND2}" = "" ]; then
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "NOT FOUND" --color GREEN
AddHP 1 1
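Review bot: adding -w to the Safe_ports grep is a good fix (port 80 no longer matches 8080 or an 8080-8090 range), with two remaining limits: the pattern still assumes one "acl Safe_ports port N" per line, so a directive listing several ports on one line only matches for the first one, and -w is not in POSIX grep (older Solaris /usr/bin/grep lacks it) whereas the rest of Lynis avoids non-portable grep switches by using egrep; comparing the port as a whole field in awk would cover both cases portably.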
@ -315,7 +297,6 @@
#
#################################################################################
#
# Test : SQD-3680
# Description : Check httpd_suppress_version_string
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
@ -338,46 +319,6 @@
#################################################################################
#
# Squid
#Hardening:
# $1 $3
# acl snmp_community
# acl maxconn
# acl max_user_ip
#
# follow_x_forwarded_for
#Read cache_peer host type(sibling/parent) proxyport icpport options (if set, icp_access should be set as well)
#Read cache_peer_domain
#Read cache_peer_access
#Read icp_access
#Read icp_port
#Read htcp_access
#Read htcp_port
#Read http_port
#Read https_port
#Read cache_dir
#Read access_log
#Read coredump_dir
#Read quick_abort_min / max /pct
#
# Memory tuning
#Read cache_mem
#Read maximum_object_size_in_memory
#Read maximum_object_size
#Read cache_swap_low
#Read cache_swap_high
# Security
#cache_effective_user
# off
#forwarded_for
#wccp
#
#################################################################################
#
wait_for_keypress
#
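Review bot: this hunk deletes the Squid hardening to-do list (cache_effective_user, follow_x_forwarded_for, icp/htcp access, coredump_dir and the rest) and the hunk shows no replacement tests for them; several are security-relevant (a proxy running as root, trusting X-Forwarded-For), so move the list to an issue or a TODO file rather than leaving it only in the history.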

View File

@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -79,28 +79,6 @@
fi
#
#################################################################################
#
# # Test : SSH-7406
# # Description : Check for a running SSH daemon
# if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Register --test-no SSH-7406 --preqs-met ${PREQS_MET} --weight L --network NO --description "SSH daemon listening port"
# if [ ${SKIPTEST} -eq 0 ]; then
# logtext "Test: Searching for a SSH daemon"
# CheckOption "^Port " ${SSH_DAEMON_CONFIG}
# if [ ${FOUND} -eq 1 ]; then
# FIND=`echo ${FIND} | awk '{ if ($1=="Port") { print $2 }}'`
# # Check if this output is numeric and usuable for later (e.g. in netstat output)
# Display --indent 2 --text "- Checking SSH listening port" --result FOUND --color GREEN
# logtext "Result: setting port number to ${FIND}"
# SSH_DAEMON_PORT="${FIND}"
# else
# Display --indent 2 --text "- Checking SSH listening port" --result "NOT FOUND" --color WHITE
# logtext "Result: setting port to default number, as no other port has been configured"
# SSH_DAEMON_PORT="22"
# fi
# fi
#
#################################################################################
#
# Test : SSH-7408
# Description : Check SSH specific defined options
@ -202,32 +180,6 @@
fi
#
#################################################################################
#
# Test : SSH-7418
# Description : Check SSH Port option
# if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Register --test-no SSH-7418 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: Port"
# if [ ${SKIPTEST} -eq 0 ]; then
# logtext "Test: check allowed SSH protocol versions"
# FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^Port" | awk '{ if ($2!="22") { print $2 } }'`
# if [ "${FIND}" = "1" -o "${FIND}" = "2,1" -o "${FIND}" = "1,2" ]; then
# logtext "Result: Protocol option is set to allow SSH protocol version 1"
# Display --indent 4 --text "- SSH option: Protocol" --result WARNING --color RED
# ReportWarning ${TEST_NO} "M" "SSH protocol version 1 is allowed"
# AddHP 0 3
# else
# if [ "${FIND}" = "2" ]; then
# logtext "Result: only protocol 2 is allowed"
# Display --indent 4 --text "- SSH option: Protocol" --result OK --color GREEN
# AddHP 3 3
# else
# logtext "Result: value of Protocol is unknown (not defined)"
# Display --indent 4 --text "- SSH option: Protocol" --result DEFAULT --color WHITE
# fi
# fi
# fi
#
#################################################################################
#
# Test : SSH-7440
# Description : AllowUsers / AllowGroups
@ -269,33 +221,7 @@
#
#################################################################################
#
# Test : SSH-7464
# Description : HashKnownHosts
#if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no SSH-7464 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: HashKnownHosts"
#if [ ${SKIPTEST} -eq 0 ]; then
# /etc/ssh/ssh_config
# ReportSuggestion ${TEST_NO} "HashKnownHosts option can migitate worm attacks"
#AddHP 2 2
#fi
#
#################################################################################
#
# Test : SSH-7480
# Description : AllowUsers / AllowGroups
# Goal : Scan SSH daemon
#if [ ! ${SSHKEYSCANBINARY} = "" -a ${SSH_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no SSH-7480 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: AllowUsers and AllowGroups"
#if [ ${SKIPTEST} -eq 0 ]; then
# First determine what port the local instance of SSH daemon is running on. If unknown, use port 22
# FIND=`${SSHKEYSCANBINARY} localhost 2>&1 | grep OpenSSH | egrep -i "bsd|debian|ubuntu|redhat"`
#
#################################################################################
#
# sshd -T can provide additional insights
#
#################################################################################
#
report "ssh_daemon_running=${SSH_DAEMON_RUNNING}"
#report "ssh_daemon_port=${SSH_DAEMON_PORT}"
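Review bot: along with the stubs, this hunk removes the "sshd -T can provide additional insights" reminder; sshd -T prints the effective configuration including compiled-in defaults, which the sshd_config greps in the remaining tests cannot see when an option is simply absent, so it is worth keeping as a tracked item (the same goes for the HashKnownHosts idea in SSH-7464). With SSH-7406 and SSH-7418 gone nothing sets SSH_DAEMON_PORT any more, so either drop the commented-out `report "ssh_daemon_port=..."` line below as well or keep a Port lookup.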
@ -303,4 +229,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com

View File

@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -33,7 +33,7 @@
if [ -d /etc/modprobe.d ]; then
FIND=`ls /etc/modprobe.d/* 2> /dev/null`
if [ ! "${FIND}" = "" ]; then
FIND=`grep -r "install usb-storage /bin/true" /etc/modprobe.d/* | grep "usb-storage" | grep -v "#"`
FIND=`grep -r "install usb-storage /bin/\(false\|true\)" /etc/modprobe.d/* | grep "usb-storage" | grep -v "#"`
FIND2=`egrep -r "^blacklist (usb_storage|usb-storage)" /etc/modprobe.d/*`
if [ ! "${FIND}" = "" -o ! "${FIND2}" = "" ]; then
FOUND=1
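Review bot: the new install pattern uses the GNU-only basic-regex alternation \(false\|true\) while the FIND2 line directly below uses egrep for the same job; `egrep "install usb[-_]storage /bin/(false|true)"` is consistent and also closes a gap this change keeps: the blacklist check accepts both usb_storage and usb-storage, but the install check only matches the hyphenated name although modprobe treats "-" and "_" as equivalent, so "install usb_storage /bin/true" is reported as not disabled. The same applies to the /etc/modprobe.conf hunk that follows. Lastly, `grep -v "#"` discards any line that carries a trailing comment, not only commented-out lines; `grep -v "^[[:space:]]*#"` is what is meant.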
@ -44,7 +44,7 @@
fi
fi
if [ -f /etc/modprobe.conf ]; then
FIND=`grep "install usb-storage /bin/true" /etc/modprobe.conf | grep "usb-storage" | grep -v "#"`
FIND=`grep "install usb-storage /bin/\(false\|true\)" /etc/modprobe.conf | grep "usb-storage" | grep -v "#"`
if [ ! "${FIND}" = "" ]; then
FOUND=1
logtext "Result: found usb-storage driver in disabled state"
@ -66,6 +66,7 @@
#
# Test : STRG-1846
# Description : Check for disabled firewire storage
# Explanation : Best option is to use the install function, or else drivers can still be loaded manually
Register --test-no STRG-1846 --os Linux --weight L --network NO --description "Check if firewire storage is disabled"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
@ -73,8 +74,8 @@
if [ -d /etc/modprobe.d ]; then
FIND=`ls /etc/modprobe.d/* 2> /dev/null`
if [ ! "${FIND}" = "" ]; then
FIND1=`egrep "blacklist (ohci1394|firewire-ohci)" /etc/modprobe.d/* | grep "ohci" | grep -v "#"`
FIND2=`egrep "install (ohci1394|firewire-ohci) /bin/true" /etc/modprobe.d/* | grep "ohci" | grep -v "#"`
FIND1=`egrep "blacklist (ohci1394|firewire-ohci|firewire_ohci)" /etc/modprobe.d/* | grep "ohci" | grep -v "#"`
FIND2=`egrep "install (ohci1394|firewire-ohci|firewire_ohci) /bin/(false|true)" /etc/modprobe.d/* | grep "ohci" | grep -v "#"`
if [ ! "${FIND1}" = "" -o ! "${FIND2}" = "" ]; then
FOUND=1
logtext "Result: found firewire ohci driver in disabled state"
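Review bot: the new Explanation comment above says the install form is the reliable way to disable the driver, yet the test still treats FIND1 (blacklist) and FIND2 (install ... /bin/false|true) as equivalent through -o, so a host with only a blacklist line is reported as disabled even though `modprobe firewire-ohci` or a dependency pull-in still loads the module (blacklist only stops alias-based autoloading). Score the install form fully and the blacklist-only case as partial with a suggestion. As in the usb-storage test, `grep -v "#"` also drops lines with a trailing comment, and the extra `grep "ohci"` is redundant given the egrep pattern.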
@ -84,8 +85,8 @@
fi
fi
if [ -f /etc/modprobe.conf ]; then
FIND1=`egrep -r "blacklist (ohci1394|firewire-ohci)" /etc/modprobe.conf | grep "ohci" | grep -v "#"`
FIND2=`egrep -r "install (ohci1394|firewire-ohci) /bin/true" /etc/modprobe.conf | grep "ohci" | grep -v "#"`
FIND1=`egrep -r "blacklist (ohci1394|firewire-ohci|firewire_ohci)" /etc/modprobe.conf | grep "ohci" | grep -v "#"`
FIND2=`egrep -r "install (ohci1394|firewire-ohci|firewire_ohci) /bin/(false|true)" /etc/modprobe.conf | grep "ohci" | grep -v "#"`
if [ ! "${FIND1}" = "" -o ! "${FIND2}" = "" ]; then
FOUND=1
logtext "Result: found firewire ohci driver in disabled state"
@ -108,15 +109,8 @@
#################################################################################
#
# NetBSD: amd (auto mount daemon)
#
#################################################################################
#
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
# Lynis - Copyright 2007-2015, CISOfy, Michael Boelen - https://cisofy.com

View File

@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -59,7 +59,7 @@
#
# Test : STRG-1906
# Description : Check nfs protocols (TCP/UDP) and port in rpcinfo
if [ ! "${RPCINFOBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ! "${RPCINFOBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no STRG-1906 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nfs rpc"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking NFS registered protocols"
@ -114,7 +114,7 @@
# Description : Check NFS exports
if [ ${NFS_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no STRG-1926 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking NFS exports"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check /etc/exports"
if [ -f /etc/exports ]; then
logtext "Result: /etc/exports exists"
@ -139,7 +139,7 @@
#
# Test : STRG-1928
# Description : Check for empty exports file while NFS is running
if [ ${NFS_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${NFS_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no STRG-1928 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking empty /etc/exports"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ${NFS_EXPORTS_EMPTY} -eq 1 ]; then
@ -177,4 +177,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com

View File

@ -1,47 +0,0 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# TCP Wrappers
# Run after: NFS checks
#
#################################################################################
#
#
#################################################################################
#
# InsertSection "TCP Wrappers"
#
#################################################################################
#
# Test : TCPW-xxxx (YYY move to nameservices section)
# Description : Basic nameserver configuration tests (connectivity)
# Register --test-no TCPW-xxxx --weight L --network YES --description "Basic nameserver configuration tests"
# if [ ${SKIPTEST} -eq 0 ]; then
# Display --indent 2 --text "- Checking configured nameservers"
# logtext "Test: Checking /etc/resolv.conf file"
# Display --indent 8 --text "Nameserver: ${I}" --result OK --color GREEN
# ReportSuggestion ${TEST_NO} "Check connection to this nameserver and make sure no outbound DNS queries are blocked (port 53 UDP and TCP)."
# ReportWarning ${TEST_NO} "L" "Nameserver ${I} does not respond"
# fi
#
#################################################################################
#
#wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
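Review bot: tests_tcpwrappers held only a commented-out placeholder, so deleting it loses nothing, but unless test files are discovered dynamically, the list of included test files in the main lynis script (and any packaging manifest) must stop referencing include/tests_tcpwrappers, otherwise a run fails when sourcing the missing file; that change is not part of this hunk.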

View File

@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -22,6 +22,7 @@
#
#################################################################################
#
CRON_DIRS="/etc/cron.d /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly /var/spool/crontabs"
NTP_DAEMON=""
NTP_DAEMON_RUNNING=0
NTP_CONFIG_FOUND=0
@ -29,9 +30,8 @@
NTP_CONFIG_TYPE_SCHEDULED=0
NTP_CONFIG_TYPE_EVENTBASED=0
NTP_CONFIG_TYPE_STARTUP=0
# Specific for ntpd
NTPD_RUNNING=0
CRON_DIRS="/etc/cron.d /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly /var/spool/crontabs"
NTPD_RUNNING=0 # Specific for ntpd
SYSTEMD_NTP_ENABLED=0
#
#################################################################################
#
@ -46,10 +46,25 @@
fi
Register --test-no TIME-3104 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for running NTP daemon or client"
if [ ${SKIPTEST} -eq 0 ]; then
# Linux/FreeBSD (ntpdate), OpenBSD (ntpd, rdate)
# Linux/FreeBSD (ntpdate), OpenBSD (ntpd, rdate), Chrony, systemd-timesyncd
logtext "Test: Searching for a running NTP daemon or available client"
FOUND=0
if [ -f /etc/chrony.conf ]; then
IsRunning chronyd
if [ ${RUNNING} -eq 1 ]; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="chronyd"
Display --indent 2 --text "- NTP daemon found: chronyd" --result FOUND --color GREEN
fi
fi
# Check time daemon (eg DragonFly BSD)
IsRunning dntpd
if [ ${RUNNING} -eq 1 ]; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="dntpd"
Display --indent 2 --text "- NTP daemon found: dntpd" --result FOUND --color GREEN
fi
# Check running processes
FIND=`${PSBINARY} ax | grep "ntpd" | grep -v "dntpd" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
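Review bot: the chronyd branch only runs when /etc/chrony.conf exists, which is the RHEL/Fedora location; Debian and Ubuntu ship chrony's configuration as /etc/chrony/chrony.conf, so a running chronyd there is missed here and is not caught by the later `ps ax | grep "ntpd"` either (the string "ntpd" does not occur in "chronyd"). Call IsRunning chronyd regardless of the config path, or test both paths. Moving the dntpd check ahead of the ntpd grep is consistent with its `grep -v "dntpd"` exclusion.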
@ -66,19 +81,18 @@
Display --indent 2 --text "- NTP daemon found: timed" --result FOUND --color GREEN
fi
# Check time daemon (eg DragonFly BSD)
IsRunning dntpd
if [ ${RUNNING} -eq 1 ]; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="dntpd"
Display --indent 2 --text "- NTP daemon found: dntpd" --result FOUND --color GREEN
fi
# Check timedate daemon (systemd)
if [ ! "${TIMEDATECTL}" = "" ]; then
FIND=`${TIMEDATECTL} status | grep "NTP enabled: yes"`
if [ ! "${FIND}" = "" ]; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="timedated"
Display --indent 2 --text "- NTP daemon found: timedated" --result "FOUND" --color GREEN
# Check for systemd-timesyncd
if [ -f /etc/systemd/timesyncd.conf ]; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="systemd-timesyncd"
Display --indent 2 --text "- NTP daemon found: systemd (timesyncd)" --result "FOUND" --color GREEN
SYSTEMD_NTP_ENABLED=1
fi
else
logtext "Result: time sychronization not performed according timedatectl command"
fi
fi
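Review bot: detecting systemd-timesyncd by the mere existence of /etc/systemd/timesyncd.conf is too weak: the systemd package ships that file on every systemd host, including ones running ntpd or chronyd or with time synchronisation disabled, so NTP_DAEMON_RUNNING is set to 1 with no daemon running, and the replaced `timedatectl status | grep "NTP enabled: yes"` check was stricter. Use IsRunning systemd-timesyncd (or keep the timedatectl "NTP enabled" check) before setting SYSTEMD_NTP_ENABLED. The else branch that remains now only fires when TIMEDATECTL is empty, so its log text "time sychronization not performed according timedatectl command" is both misleading and misspelled.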
@ -94,18 +108,14 @@
Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result FOUND --color GREEN
logtext "Result: found ntpdate or rdate reference in crontab file ${I}"
else
Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "NOT FOUND" --color WHITE
#Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "NOT FOUND" --color WHITE
logtext "Result: no ntpdate or rdate reference found in crontab file ${I}"
fi
else
logtext "Result: crontab file ${I} not found"
fi
fi
done
##########################
# To do: test on Solaris #
##########################
# Don't run check in cron job directory on Solaris
# /etc/cron.d/FIFO is a special file and test get stuck at this file
FOUND_IN_CRON=0
@ -133,11 +143,10 @@
Display --indent 2 --text "- Checking NTP client in cron files" --result FOUND --color GREEN
logtext "Result: found ntpdate or rdate in cron directory"
else
Display --indent 2 --text "- Checking NTP client in cron.d files" --result "NOT FOUND" --color WHITE
#Display --indent 2 --text "- Checking NTP client in cron.d files" --result "NOT FOUND" --color WHITE
logtext "Result: no ntpdate or rdate found in cron directories"
fi
# Checking if ntpdate is performed by event
logtext "Test: checking for file /etc/network/if-up.d/ntpdate"
if [ -f /etc/network/if-up.d/ntpdate ]; then
@ -155,10 +164,12 @@
FIND=`grep 'ntpdate_enable="YES"' /etc/rc.conf`
if [ ! "${FIND}" = "" ]; then
logtext "Result: ntpdate is enabled in rc.conf"
# Mark system having a NTP client, but remind user to improve it
FOUND=1
NTP_CONFIG_TYPE_STARTUP=1
ReportSuggestion ${TEST_NO} "Although ntpdate is enabled in rc.conf, it is adviced to run it at least daily or use a NTP daemon"
# Only show suggestion when ntpdate is enabled, however ntpd is not running
if [ ${NTP_DAEMON_RUNNING} -eq 0 ]; then
ReportSuggestion ${TEST_NO} "Although ntpdate is enabled in rc.conf, it is adviced to run it at least daily or use a NTP daemon"
fi
else
logtext "Result: ntpdate is not enabled in rc.conf"
fi
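Review bot: limiting the rc.conf suggestion to hosts without a running NTP daemon is the right call; while the line is being re-added, fix "adviced" to "advised" and "a NTP daemon" to "an NTP daemon".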
@ -181,6 +192,21 @@
fi
#
#################################################################################
#
# Test : TIME-3106
# Description : Check status of systemd time synchronization
if [ ${SYSTEMD_NTP_ENABLED} -eq 1 -a ! "${TIMEDATECTL}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3106 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check systemd NTP time synchronization status"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Check the status of time synchronization via timedatectl"
FIND=`${TIMEDATECTL} status | grep "NTP sychronized: yes"`
if [ "${FIND}" = "" ]; then
logtext "Result: time not synchronized via NTP"
ReportSuggestion "${TEST_NO}" "Check timedatectl output. Sychronization via NTP is enabled, but status reflects it is not synchronized"
fi
fi
#
#################################################################################
#
# Test : TIME-3112
# Description : Check for valid associations from ntpq peers list
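Review bot: TIME-3106 greps for "NTP sychronized: yes", but timedatectl prints "NTP synchronized: yes" (with the n), so the pattern never matches and every host with SYSTEMD_NTP_ENABLED=1 receives the "not synchronized" suggestion; the suggestion text carries the same misspelling. The label is also version-dependent (newer systemd releases renamed that line), so matching "synchronized: yes" without the prefix is more robust than the full label.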
@ -331,7 +357,6 @@
#
# Test : TIME-3136
# Description : Check ntpq reported ntp version (Linux)
# Notes : Test could be improved by checking every host (YYY)
if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3136 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check NTP protocol version"
if [ ${SKIPTEST} -eq 0 ]; then
@ -404,6 +429,8 @@
#
#################################################################################
#
# For VMs check ntpd.conf : tinker panic 0
#
wait_for_keypress
@ -429,4 +456,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com

View File

@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -16,6 +16,8 @@
#
AUTOMATION_TOOL_FOUND=0
AUTOMATION_TOOL_RUNNING=""
CFENGINE_AGENT_FOUND=0
CFENGINE_SERVER_RUNNING=0
BACKUP_AGENT_FOUND=0
PUPPET_MASTER_RUNNING=0
SALT_MASTER_RUNNING=0
@ -40,22 +42,67 @@
# Cfengine
if [ ! "${CFAGENTBINARY}" = "" ]; then
logtext "Result: Cfengine (cfagent) is installed (${CFAGENTBINARY})"
logtext "Result: CFEngine (cfagent) is installed (${CFAGENTBINARY})"
AUTOMATION_TOOL_FOUND=1
CFENGINE_AGENT_FOUND=1
report "automation_tool_running[]=cf-agent"
Display --indent 4 --text "Found: Cfengine (cfagent)" --result FOUND --color GREEN
fi
OTHER_CFENGINE_LOCATIONS="/var/cfengine/bin"
for I in ${OTHER_CFENGINE_LOCATIONS}; do
if [ -d ${I} ]; then
if [ -f ${I}/cf-agent ]; then
logtext "Result: found CFEngine agent (cf-agent) in ${I}"
AUTOMATION_TOOL_FOUND=1
CFENGINE_AGENT_FOUND=1
report "automation_tool_running[]=cf-agent"
Display --indent 4 --text "Found: CFEngine (cf-agent)" --result FOUND --color GREEN
fi
IsRunning "cf-server"
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: found CFEngine server"
AUTOMATION_TOOL_FOUND=1
CFENGINE_SERVER_RUNNING=1
report "automation_tool_running[]=cf-server"
Display --indent 4 --text "Found: CFEngine (cf-server)" --result FOUND --color GREEN
fi
fi
done
# Chef
CHEF_LOCATIONS="/opt/chef/bin /opt/chef-server/sv /opt/chefdk/bin"
for I in ${CHEF_LOCATIONS}; do
if [ -d ${I} ]; then
if [ -f ${I}/chef-client ]; then
CHEFCLIENTBINARY="${I}/chef-client"
AUTOMATION_TOOL_FOUND=1
report "automation_tool_running[]=chef-client"
Display --indent 4 --text "Found: Chef client (chef-client)" --result FOUND --color GREEN
logtext "Result: found chef-client (chef client daemon) in ${I}"
fi
if [ -f ${I}/erchef ]; then
CHEFSERVERBINARY="${I}/erchef"
logtext "Result: Chef Server (erchef) is installed (${CHEFSERVERBINARY})"
AUTOMATION_TOOL_FOUND=1
report "automation_tool_running[]=chef-server"
Display --indent 4 --text "Found: Chef Server (erchef)" --result FOUND --color GREEN
logtext "Result: found erchef (chef server daemon) in ${I}"
fi
fi
done
# Puppet
if [ ! "${PUPPETBINARY}" = "" ]; then
logtext "Result: Puppet is installed (${PUPPETBINARY})"
AUTOMATION_TOOL_FOUND=1
report "automation_tool_running[]=puppet-agent"
Display --indent 4 --text "Found: Puppet (agent)" --result FOUND --color GREEN
fi
IsRunning "puppet master"
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: found puppet master"
PUPPET_MASTER_RUNNING=1
report "automation_tool_running[]=puppet"
report "automation_tool_running[]=puppet-master"
Display --indent 4 --text "Found: Puppet (master)" --result FOUND --color GREEN
fi
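Review bot: the report key automation_tool_running[] is written when a binary merely exists on disk (the cf-agent entry after the CFAGENTBINARY test and again after the `-f ${I}/cf-agent` test, and the chef-client and chef-server entries after their `-f` tests), while the same key is used for actual process checks (`IsRunning "cf-server"`, `IsRunning "puppet master"`), so an installed-but-idle agent and a running one are indistinguishable in the report. Either use a separate key for presence, for example automation_tool_found[], or gate the "running" entries on IsRunning. Two smaller points: when cf-agent is both in PATH and in /var/cfengine/bin the cf-agent entry is reported twice, and the `IsRunning "cf-server"` check sits inside the `if [ -d ${I} ]` loop, so a running server is only detected when /var/cfengine/bin exists. The CFEngine server daemon is named cf-serverd, so confirm that IsRunning matches on a substring or use the full name.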
@ -64,19 +111,24 @@
logtext "Result: SaltStack (salt-minion) is installed (${SALTMINIONBINARY})"
AUTOMATION_TOOL_FOUND=1
SALT_MINION_RUNNING=1
report "automation_tool_running[]=saltstack-minion"
Display --indent 4 --text "Found: SaltStack minion (salt-minion)" --result FOUND --color GREEN
fi
if [ ! "${SALTMASTERBINARY}" = "" ]; then
logtext "Result: SaltStack (salt-master) is installed (${SALTMASTERBINARY})"
AUTOMATION_TOOL_FOUND=1
Display --indent 4 --text "Found: SaltStack master (salt-master)" --result FOUND --color GREEN
fi
IsRunning "salt-master"
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: found SaltStack (master)"
SALT_MASTER_RUNNING=1
report "automation_tool_running[]=saltstack-master"
Display --indent 4 --text "Found: SaltStack (master)" --result FOUND --color GREEN
report "automation_tool_running[]=saltstack-minion"
Display --indent 4 --text "Found: SaltStack master (salt-master)" --result FOUND --color GREEN
else
IsRunning "salt-master"
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: found SaltStack (master)"
AUTOMATION_TOOL_FOUND=1
SALT_MASTER_RUNNING=1
report "automation_tool_running[]=saltstack-master"
Display --indent 4 --text "Found: SaltStack (master)" --result FOUND --color GREEN
fi
fi
if [ ${AUTOMATION_TOOL_FOUND} -eq 1 ]; then
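Review bot: in the SALTMASTERBINARY branch the report line writes automation_tool_running[]=saltstack-minion although it is the master binary that was found; it should read saltstack-master (the minion branch a few lines up already uses saltstack-minion). The running flags are also set from the wrong evidence: SALT_MINION_RUNNING=1 is set on finding the minion binary without any process check, while SALT_MASTER_RUNNING is only set inside the else branch, so a master whose binary is installed is never probed with IsRunning at all. Move `IsRunning "salt-master"` out of the else branch, add a matching `IsRunning "salt-minion"`, and set the *_RUNNING flags from those results only.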
@ -98,9 +150,7 @@
#
#################################################################################
#
report "puppet_master=${PUPPET_MASTER_RUNNING}"
report "salt_master=${SALT_MASTER_RUNNING}"
report "salt_minion=${SALT_MINION_RUNNING}"
report "automation_tool_present=${AUTOMATION_TOOL_FOUND}"
wait_for_keypress
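Review bot: the puppet_master=, salt_master= and salt_minion= report keys are dropped here, which changes the report format for anything that consumes the report file. If that is intended, bump REPORT_version or record it in the CHANGELOG; otherwise keep the old keys alongside the new automation_tool_running[] entries.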

@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -22,49 +22,6 @@
#
#################################################################################
#
# Test : VIRT-1902
# Description : Query running Solaris zones
if [ -x /usr/sbin/zoneadm ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no VIRT-1902 --os Solaris --weight L --network NO --description "Query running Solaris zones"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: query zoneadm to list all running zones"
FIND=`/usr/sbin/zoneadm list -p | awk -F: '{ if ($2!="global") print $0 }'`
if [ ! "${FIND}" = "" ]; then
N=0
for I in ${FIND}; do
N=`expr ${N} + 1`
ZONEID=`echo ${I} | cut -d ':' -f1`
ZONENAME=`echo ${I} | cut -d ':' -f2`
logtext "Result: found zone ${ZONENAME} (running)"
report "solaris_running_zone[]=${ZONENAME} [id:${ZONEID}]"
done
logtext "Result: total of ${N} running zones"
Display --indent 2 --text "- Checking Solaris Zones" --result "FOUND ${N} zones" --color GREEN
else
logtext "Result: no running zones found"
Display --indent 2 --text "- Checking Solaris Zones" --result NONE --color WHITE
fi
fi
#
#################################################################################
#
# Test : VIRT-1906
# Description : Query running Xen zones
#if [ -x /usr/bin/xm ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no VIRT-1906 --weight L --network NO --description "Query Xen guests"
#if [ ${SKIPTEST} -eq 0 ]; then
# Show Xen guests
#FIND=`xm list | awk '$1 != "Name|Domain-0" {print $1","$2}'`
#for I in ${FIND}; do
#XENGUESTNAME=`echo ${I} | cut -d ':' -f1`
#XENGUESTID=`echo ${I} | cut -d ':' -f2`
#logtext "Result: found Xen guest ${XENGUESTNAME} (ID: ${XENGUESTID})"
#done
#fi
#
#################################################################################
#
# # Test : VIRT-1920
# # Description : Checking VMware
# Register --test-no VIRT-1920 --weight L --network NO --description "Checking VMware guest status"
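Review bot: VIRT-1902 (Solaris zones) is deleted together with its report key solaris_running_zone[], and the commented-out VIRT-1906 Xen stub goes with it. Removing a test ID silently leaves a profile that skips or references it, or a report consumer that expects solaris_running_zone[], with no signal that the test is gone; if the test is being retired rather than moved elsewhere, record the ID as deprecated and mention the removal in the CHANGELOG.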
@ -72,9 +29,9 @@
# # Initialise
# VMWARE_GUEST=0
# Display --indent 2 --text "- Checking VMware guest status"
# #YYY check memory driver file
# #YYY check LKM list
# #YYY check vmware tools
# # check memory driver file
# # check LKM list
# # check vmware tools
# logtext "Test: checking VMware tools daemon presence"
# if [ ! "${VMWARETOOLSBINARY}" = "" ]; then
# logtext "Result: VMware tools binary found"
@ -89,9 +46,8 @@
#################################################################################
#
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com

@ -5,8 +5,8 @@
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -50,9 +50,13 @@
# Test : HTTP-6622
# Description : Test for Apache installation
# Notes : Do not run on NetBSD, -v is unknown option for httpd binary
# On OpenBSD do not run /usr/sbin/httpd with -v: builtin non-Apache
if [ ! "${OS}" = "NetBSD" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6622 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking Apache presence"
if [ ${SKIPTEST} -eq 0 ]; then
if [ "${OS}" = "OpenBSD" -a "${HTTPDBINARY}" = "/usr/sbin/httpd" ]; then
HTTPDBINARY=""
fi
if [ "${HTTPDBINARY}" = "" ]; then
Display --indent 2 --text "- Checking Apache" --result "NOT FOUND" --color WHITE
else
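Review bot: blanking the global HTTPDBINARY inside HTTP-6622 to skip OpenBSD's builtin httpd has a side effect on every later test that reads HTTPDBINARY, and it only works while the builtin lives at exactly /usr/sbin/httpd. Safer is to fold the condition into the prerequisite line, for example `if [ "${OS}" = "NetBSD" ] || [ "${OS}" = "OpenBSD" -a "${HTTPDBINARY}" = "/usr/sbin/httpd" ]; then PREQS_MET="NO"; else PREQS_MET="YES"; fi`, and leave the discovered binary path untouched, or use a test-local variable for the Apache path.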
@ -194,9 +198,9 @@
# # Configuration specific tests
# SERVERTOKENSFOUND=0
# APACHE_CONFIGFILES="${APACHE_CONFIGFILE} /usr/local/etc/apache22/extra/httpd-default.conf /etc/apache2/sysconfig.d/global.conf"
#
#
# for APACHE_CONFIGFILE in ${APACHE_CONFIGFILES}; do
# if [ -f ${APACHE_CONFIGFILE} ]; then
# if [ -f ${APACHE_CONFIGFILE} ]; then
# # Check if option ServerTokens is configured
# SERVERTOKENSTEST=`cat ${APACHE_CONFIGFILE} | grep ServerTokens | grep -v '^#'`
# if [ ! "${SERVERTOKENSTEST}" = "" ]; then
@ -215,17 +219,17 @@
# else
# Display --indent 4 --text "- Checking option ServerTokens" --result "NOT FOUND" --color WHITE
# fi
#
#
# else
# # File does not exist, skipping
# logtext "File ${APACHE_CONFIGFILE} does not exist, so skipping tests on this file"
# fi
# done
#
#
# # Display results from checks
# if [ ${SERVERTOKENSFOUND} -eq 1 ]; then
# Display --indent 6 --text "- Value of ServerTokens" --result OK --color GREEN
# else
# else
# Display --indent 6 --text "- Value of ServerTokens" --result WARNING --color RED
# ReportWarning ${TEST_NO} "M" "Value of 'ServerTokens' in Apache config is different than template"
# fi
@ -391,19 +395,16 @@
Register --test-no HTTP-6704 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nginx configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: searching nginx configuration file"
#YYY warning if multiple nginx.conf files are found
for I in ${NGINX_CONF_LOCS}; do
if [ -f ${I}/nginx.conf ]; then
NGINX_CONF_LOCATION="${I}/nginx.conf"
logtext "Found file ${NGINX_CONF_LOCATION}"
fi
done
#YYY strings /usr/sbin/nginx | grep "conf$"
if [ ! "${NGINX_CONF_LOCATION}" = "" ]; then
logtext "Result: found nginx configuration file"
report "nginx_main_conf_file=${NGINX_CONF_LOCATION}"
Display --indent 4 --text "- Searching nginx configuration file" --result FOUND --color GREEN
#FIND=`cat ${NGINX_CONF_LOCATION} | sed -e 's/^[ \t]*//' | grep -v "^#" | grep -v "^$" | sed 's/[\t]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE2}`
else
logtext "Result: no nginx configuration file found"
Display --indent 2 --text "- Searching nginx configuration file" --result "NOT FOUND" --color WHITE
@ -415,25 +416,26 @@
# Test : HTTP-6706
# Description : Search for includes within nginx configuration file
# Notes : Daemon nginx should be running, nginx.conf should be found
if [ ${NGINX_RUNNING} -eq 1 -a "${NGINX_CONF_LOCATION}" != "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${NGINX_RUNNING} -eq 1 -a ! "${NGINX_CONF_LOCATION}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6706 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for additional nginx configuration files"
if [ ${SKIPTEST} -eq 0 ]; then
# Remove temp file
if [ ! "${TMPFILE}" = "" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi
N=0
cat ${NGINX_CONF_LOCATION} | sed -e 's/^[ \t]*//' | grep -v "^#" | grep -v "^$" | sed 's/[\t]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE}
# Search for included configuration files (may include directories and wild cards)
FIND=`grep "include" ${NGINX_CONF_LOCATION} | ${AWKBINARY} '{ if ($1=="include") { print $2 }}' | sed 's/;$//g'`
for I in ${FIND}; do
FIND2=`${LSBINARY} ${I} 2>/dev/null`
for J in ${FIND2}; do
# Double check if we are dealing with a file
# Ensure that we are parsing normal files
if [ -f ${J} ]; then
N=`expr ${N} + 1`
logtext "Result: found Nginx configuration file ${J}"
report "nginx_sub_conf_file=${J}"
FileIsReadable ${J}
if [ ${CANREAD} -eq 1 ]; then
FIND3=`cat ${J} | sed -e 's/^[ \t]*//' | grep -v "^#" | grep -v "^$" | sed 's/[\t]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE2}`
FIND3=`cat ${J} | sed -e 's/^[ \t]*//' | grep -v "^#" | grep -v "^$" | sed 's/[\t]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE}`
else
ReportException "${TEST_NO}:1" "Can not parse file ${J}, as it is not readable"
fi
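Review bot: the `FIND3=\`... >> ${TMPFILE}\`` assignment captures nothing because the pipeline's output is redirected into the file, so FIND3 is always empty; drop the assignment and run the pipeline on its own. More important, the guard `if [ ! "${TMPFILE}" = "" ]` on the rm line admits that TMPFILE can be empty, yet the two `>> ${TMPFILE}` redirections that follow run unconditionally and fail with a syntax error (`>>` with no target) if it is; either add TMPFILE to the prerequisites for this test or bail out with ReportException. Finally, `rm -f ${TMPFILE}` followed by `>>` re-creates the file with the caller's umask at a path chosen earlier; if that path is not from mktemp, a symlink placed there between the removal and the append would be followed, so create the temporary file with mktemp (or at least under `umask 077`) instead of deleting and re-appending.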
@ -442,14 +444,14 @@
done
# Sort all discovered configuration lines and store unique ones. Also strip out the mime types configured in nginx
SORTFILE=`cat ${TMPFILE2} | sort | uniq | sed 's/ /:space:/g' | egrep -v "(application|audio|image|text|video)/" | egrep -v "({|})"`
for I in ${SORTFILE}; do
SORTFILE=`cat ${TMPFILE} | sort | uniq | sed 's/ /:space:/g' | egrep -v "(application|audio|image|text|video)/" | egrep -v "({|})"`
for I in ${SORTFILE}; do
I=`echo ${I} | sed 's/:space:/ /g'`
report "nginx_config_option=${I}";
done
done
# Remove unsorted file for next tests
if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi
if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi
if [ ${N} -eq 0 ]; then
logtext "Result: no nginx include statements found"
@ -693,11 +695,6 @@
# Description : Nginx: Check for server_tokens off in configuration files
#
#################################################################################
#
# Scan for websites
#/etc/apache2/sites-available
#
#################################################################################
#
# Remove temp file (double check)
@ -709,4 +706,4 @@ wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - cisofy.com - The Netherlands
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com

include/tool_tips Normal file
@ -0,0 +1,40 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Hints and Tips
#
#################################################################################
#
# Only show tips when enabled
if [ ${SHOW_TOOL_TIPS} -eq 1 ]; then
# Bash completion support
if [ ! "${ETC_PATHS}" = "" ]; then
for I in ${ETC_PATHS}; do
if [ -d ${I}/bash-completion.d ]; then
if [ ! -f ${ETC_PATHS}/bash_completion.d/lynis ]; then
Display "This system has a bash_completition directory. Copy extras/bash_completion.d/lynis to ${I} to get completion support for Lynis"
fi
fi
done
fi
fi
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
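Review bot: the directory check and the file check in this loop use different names: `-d ${I}/bash-completion.d` (hyphen) versus `-f ${ETC_PATHS}/bash_completion.d/lynis` (underscore, and ${ETC_PATHS} instead of the loop variable ${I}, so with more than one entry in ETC_PATHS the test expands to a broken path). Use `${I}/bash_completion.d` in both places; the message itself points users at extras/bash_completion.d/lynis, so the underscore form is the intended one. The Display call is also invoked positionally, whereas elsewhere in the tree it is called as `Display --indent N --text "..."`, and the message says "completition" instead of "completion".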

lynis
@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2015 Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Website: https://cisofy.com
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@ -22,9 +22,9 @@
#
# Program information
PROGRAM_name="Lynis"
PROGRAM_version="2.1.1"
PROGRAM_releasedate="19 April 2015"
PROGRAM_author="CISOfy"
PROGRAM_version="2.1.2"
PROGRAM_releasedate="13 September 2015"
PROGRAM_author="Michael Boelen, CISOfy"
PROGRAM_author_contact="lynis-dev@cisofy.com"
PROGRAM_website="https://cisofy.com"
PROGRAM_copyright="Copyright 2007-2015 - ${PROGRAM_author}, ${PROGRAM_website}"
@ -103,12 +103,17 @@
# Check if owner of both files is root user, or the same user which is running Lynis (for pentester mode)
# Consts
if [ ! "${OWNER}" = "root" -a ! "${OWNERID}" = "0" ]; then ISSUE=1; SHOWPERMERROR=1; FILE="consts"; fi
if [ ! "${MYID}" = "${OWNER2ID}" ]; then ISSUE=1; SHOWPERMERROR=1; FILE="consts"; fi
if [ ! "${OWNER}" = "root" -a ! "${OWNERID}" = "0" ]; then
if [ ! "${MYID}" = "${OWNER2ID}" ]; then
ISSUE=1; SHOWPERMERROR=1; FILE="consts"
fi
fi
# Functions
if [ ! "${OWNER2}" = "root" -a ! "${OWNER2ID}" = "0" ]; then ISSUE=1; SHOWPERMERROR=1; FILE="functions"; fi
if [ ! "${MYID}" = "${OWNER2ID}" ]; then ISSUE=1; SHOWPERMERROR=1; FILE="functions"; fi
if [ ! "${OWNER2}" = "root" -a ! "${OWNER2ID}" = "0" ]; then
if [ ! "${MYID}" = "${OWNER2ID}" ]; then
ISSUE=1; SHOWPERMERROR=1; FILE="functions"
fi
fi
if [ ${SHOWPERMERROR} -eq 1 ]; then
echo ""
echo "[!] Change ownership of ${INCLUDEDIR}/${FILE} to 'root' or similar (found: ${OWNER} with UID ${OWNERID})."
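Review bot: in the consts block the inner test compares ${MYID} with ${OWNER2ID}, the owner of the functions file, while the outer test looked at ${OWNER}/${OWNERID} for consts; it should be `if [ ! "${MYID}" = "${OWNERID}" ]`. As written, a consts file owned by an arbitrary user passes the check whenever the functions file happens to be owned by the running user, which defeats the protection the error text below describes. The error message also always prints ${OWNER} and ${OWNERID} even when FILE is "functions"; print the owner of the file that actually failed.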
@ -129,7 +134,7 @@
echo ""
echo " Why do I see this error?"
echo " -------------------------------"
echo " This error is a protection mechanism, to prevent root user from executing user created files."
echo " This is a protection mechanism, to prevent the root user from executing user created files."
echo ""; echo ""
echo " What can I do?"
echo " ---------------------"
@ -221,55 +226,6 @@
# CV - Current Version
PROGRAM_AC=`echo ${PROGRAM_version} | awk '{ print $1 }' | sed 's/[.]//g'`
PROGRAM_LV=0
#DB_MALWARE_CV=`grep "^#version=" ${DBDIR}/malware.db | cut -d '=' -f2`
#DB_FILEPERMS_CV=`grep "^#version=" ${DBDIR}/fileperms.db | cut -d '=' -f2`
# Number of signatures
#DB_MALWARE_IC=`grep -v "^#" ${DBDIR}/malware.db | wc -l | tr -s ' ' | tr -d ' '`
if [ ${VIEWUPDATEINFO} -eq 1 ]; then
CheckUpdates
# Reset everything if we can't determine our current version or the latest
# available version (due lack of internet connectivity for example)
if [ "${PROGRAM_AC}" = "" -o "${PROGRAM_LV}" = "" ]; then
# Set both to safe values
PROGRAM_AC=0; PROGRAM_LV=0
#DB_MALWARE_LV=0; DB_MALWARE_CV=0
#DB_FILEPERMS_LV=0; DB_FILEPERMS_CV=0
fi
echo ""; echo " == ${WHITE}${PROGRAM_name}${NORMAL} =="; echo ""
echo " Version : ${PROGRAM_version}"
echo -n " Status : "
if [ ${PROGRAM_LV} -eq 0 ]; then
echo "${RED}Unknown${NORMAL}";
elif [ ${PROGRAM_LV} -gt ${PROGRAM_AC} ]; then
echo "${YELLOW}Outdated${NORMAL}";
echo " Current version : ${PROGRAM_AC}"
echo " Latest version : ${PROGRAM_LV}"
else
echo "${GREEN}Up-to-date${NORMAL}"
fi
echo " Release date : ${PROGRAM_releasedate}"
echo " Update location : ${PROGRAM_website}"
# echo ""
# echo " == ${WHITE}Plugins${NORMAL} =="
# echo ""
# echo " == ${WHITE}Databases${NORMAL} =="
# echo " Current Latest Status"
# echo " -----------------------------------------------------------------------------"
# echo -n " Malware : ${DB_MALWARE_CV} ${DB_MALWARE_LV} "
# if [ ${DB_MALWARE_LV} -gt ${DB_MALWARE_CV} ]; then echo "${WARNING}Outdated${NORMAL}"; else echo "${OK}Up-to-date${NORMAL}"; fi
# echo -n " File perms : ${DB_FILEPERMS_CV} ${DB_FILEPERMS_LV} "
# if [ ${DB_FILEPERMS_LV} -gt ${DB_FILEPERMS_CV} ]; then echo "${WARNING}Outdated${NORMAL}"; else echo "${OK}Up-to-date${NORMAL}"; fi
echo ""; echo ""
echo "${PROGRAM_copyright}"; echo ""
# Quit program
ExitClean
fi
#
#################################################################################
#
@ -320,7 +276,7 @@
if [ "${PROFILE}" = "" ]; then
echo "${RED}Fatal error: ${WHITE}No profile defined and could not find default profile${NORMAL}"
echo "Search paths used --> ${tPROFILE_TARGETS}"
ExitFatal
ExitCustom 66
fi
# Initialize and check profile file, auditor name, log file and report file
if [ ! -r ${PROFILE} ]; then echo "Fatal error: Can't open profile file (${PROFILE})"; exit 1; fi
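Review bot: the missing-profile case now exits with ExitCustom 66, but the unreadable-profile case on the next line still does a bare `exit 1`, which the manual page in this same change documents as "Fatal error" rather than "Can't open file or directory" (66). Use ExitCustom 66 there as well so the exit code matches the documented table and both failures take the same exit path.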
@ -334,8 +290,22 @@
#
#################################################################################
#
# Check if there is already a PID file (incorrect termination of previous instance)
if [ -f lynis.pid -o -f /var/run/lynis.pid ]; then
# Decide where to write our PID file. For unprivileged users this will be in their home directory, or /tmp if their
# home directory isn't set. For root it will be /var/run, or the current workign directory if /var/run doesn't exist.
MYHOMEDIR=`echo ~ 2> /dev/null`
if [ "${MYHOMEDIR}" = "" ]; then MYHOMEDIR="/tmp"; fi
if [ ${PRIVILEGED} -eq 0 ]; then
PIDFILE="${MYHOMEDIR}/lynis.pid"
elif [ -d /var/run ]; then
PIDFILE="/var/run/lynis.pid"
else
PIDFILE="./lynis.pid"
fi
# Check if there is already a PID file in any of the locations (incorrect termination of previous instance)
if [ -f "${MYHOMEDIR}/lynis.pid" -o -f "./lynis.pid" -o -f "/var/run/lynis.pid" ]; then
echo ""
echo " ${WARNING}Warning${NORMAL}: ${WHITE}PID file exists, probably another Lynis process is running.${NORMAL}"
echo " ------------------------------------------------------------------------------"
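Review bot: the stale-file check tests all three candidate locations for every user, so a privileged run warns about, and in the hunk below deletes, a ./lynis.pid in whatever directory it was started from, even though with /var/run present it never writes there; consider restricting the check and the later cleanup to the "${PIDFILE}" just chosen, or at least not deleting a file the current run would not have created. Minor: "workign" in the comment.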
@ -349,26 +319,24 @@
echo " ${YELLOW}Note: ${WHITE}Cancelling the program can leave temporary files behind${NORMAL}"
echo ""
wait_for_keypress
if [ -f lynis.pid ]; then rm -f lynis.pid; fi
if [ -f /var/run/lynis.pid ]; then rm -f /var/run/lynis.pid; fi
#YYY Display function not working yet from here, due to OS detection
#Display --indent 2 --text "- Deleting old PID file..." --result DONE --color GREEN
# Deleting any stale PID files that might exist.
# Note: Display function does not work yet at this point
if [ -f "${MYHOMEDIR}/lynis.pid" ]; then rm -f "${MYHOMEDIR}/lynis.pid"; fi
if [ -f "./lynis.pid" ]; then rm -f "./lynis.pid"; fi
if [ -f "/var/run/lynis.pid" ]; then rm -f "/var/run/lynis.pid"; fi
fi
# Create new PID file (use work directory if /var/run is not available)
if [ ${PRIVILEGED} -eq 0 ]; then
# Store it in home directory of user
MYHOMEDIR=`echo ~`
if [ "${MYHOMEDIR}" = "" ]; then HOMEDIR="/tmp"; fi
PIDFILE="${MYHOMEDIR}/lynis.pid"
elif [ -d /var/run ]; then
PIDFILE="/var/run/lynis.pid"
else
PIDFILE="lynis.pid"
fi
# Ensure symlink attack is not possible, by confirming there is no symlink of the file already
OURPID=`echo $$`
echo ${OURPID} > ${PIDFILE}
chmod 600 ${PIDFILE}
if [ -L ${PIDFILE} ]; then
echo "Found symlinked PID file (${PIDFILE}), quitting"
ExitFatal
else
# Create new PID file writable only by owner
echo "${OURPID}" > ${PIDFILE}
chmod 600 ${PIDFILE}
fi
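Review bot: the `[ -L ${PIDFILE} ]` check runs before the write, so there is still a window between the test and `echo "${OURPID}" > ${PIDFILE}` in which a symlink can be placed, and the `rm -f` of stale files in the hunk above means anyone who can write to that directory (the ./lynis.pid fallback is the weak case) can stage one right after the removal. The file is also created with the current umask and only afterwards chmod'ed to 600. Create it atomically instead, for example `(umask 077; set -C; echo "${OURPID}" > "${PIDFILE}")`, which refuses to write through an existing file or symlink without a separate check, and quote ${PIDFILE} so home directories with spaces do not break the redirection.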
#
#################################################################################
#
@ -389,8 +357,11 @@
echo " audit system : Perform security scan"
echo " audit dockerfile <file> : Analyze Dockerfile"
echo ""
echo " ${GREEN}update${NORMAL}"
echo " update info : Show update details"
echo " update release : Update Lynis release"
echo ""
echo ""
echo " ${WHITE}Scan options:${NORMAL}"
echo " --auditor \"<name>\" : Auditor name"
echo " --dump-options : See all available options"
@ -407,7 +378,6 @@
echo " --reverse-colors : Optimize color display for light backgrounds"
echo ""
echo " ${WHITE}Misc options:${NORMAL}"
echo " --check-update : Check for updates"
echo " --debug : Debug logging to screen"
echo " --view-manpage (--man) : View man page"
echo " --version (-V) : Display version number and quit"
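Review bot: --check-update is removed from the help text, and the block that implemented it (VIEWUPDATEINFO / CheckUpdates) is deleted above in favour of the new `update info` helper, but the manual page in this same change still documents `--check-update (or --info)` under OPTIONS. Either keep the option as an alias that invokes the helper, or remove it from lynis.8 as well and add the deprecation to the CHANGELOG.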
@ -431,7 +401,7 @@
# Cleanup PID file if we drop out earlier
RemovePIDFile
# Exit with exit code 1
exit 1
exit 64
fi
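Review bot: the comment above `exit 64` still says "Exit with exit code 1"; update it (64 is documented in lynis.8 as an unknown or incomplete parameter), or better, replace the RemovePIDFile/exit pair with `ExitCustom 64` so this path is handled like the other custom exits.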
#
#################################################################################
@ -459,7 +429,7 @@
echo ""
echo " ###################################################################"
echo "${NORMAL}"; echo ""
if [ ${NEVERBREAK} -eq 0 ]; then read void; fi
if [ ${QUICKMODE} -eq 0 ]; then read void; fi
fi
#
#################################################################################
@ -524,13 +494,13 @@
#
#################################################################################
#
if [ ${QUIET} -eq 0 ]; then
if [ ${QUIET} -eq 0 -a ${SHOW_PROGRAM_DETAILS} -eq 1 ]; then
echo ""
echo " ---------------------------------------------------"
echo " Program version: ${PROGRAM_version}"
echo " Operating system: ${OS}"
echo " Operating system name: ${OS_NAME}"
echo " Operating system version: ${OS_VERSION}"
echo " Operating system version: ${OS_VERSION}"
if [ ! "${OS_MODE}" = "" ]; then echo " Operating system mode: ${OS_MODE}"; fi
echo " Kernel version: ${OS_KERNELVERSION}"
echo " Hardware platform: ${HARDWARE}"
@ -541,7 +511,6 @@
echo " Report file: ${REPORTFILE}"
echo " Report version: ${REPORT_version}"
echo " Plugin directory: ${PLUGINDIR}"
#echo " Database directory: ${DBDIR}"
echo " ---------------------------------------------------"
fi
@ -564,9 +533,7 @@
logtext "-----------------------------------------------------"
logtext "Include directory: ${INCLUDEDIR}"
logtext "Plugin directory: ${PLUGINDIR}"
logtext "Database directory: ${DBDIR}"
logtextbreak
#wait_for_keypress
#
#################################################################################
@ -761,13 +728,11 @@
logtext "Info: perform tests from all categories"
INCLUDE_TESTS="boot_services kernel memory_processes authentication shells \
filesystems storage storage_nfs \
nameservices ports_packages networking printers_spools \
mail_messaging firewalls \
webservers ssh snmp databases ldap php squid logging \
insecure_services banners scheduling accounting \
time crypto virtualization mac_frameworks file_integrity hardening_tools tooling \
malware file_permissions homedirs kernel_hardening hardening"
filesystems storage storage_nfs nameservices ports_packages networking printers_spools \
mail_messaging firewalls webservers ssh snmp databases ldap php squid logging \
insecure_services banners scheduling accounting time crypto virtualization containers \
mac_frameworks file_integrity tooling malware file_permissions homedirs \
kernel_hardening hardening"
else
INCLUDE_TESTS="${TESTS_CATEGORY_TO_PERFORM}"
logtext "Info: only performing tests from categories: ${TESTS_CATEGORY_TO_PERFORM}"
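Review bot: besides adding containers, the new INCLUDE_TESTS list drops hardening_tools from the default set without any mention in the hunk. If a tests_hardening_tools file still exists it is now silently skipped in a full audit; if it was merged into tooling, that deserves a CHANGELOG entry. Confirm which it is.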
@ -829,12 +794,12 @@
#################################################################################
#
if [ ${RUN_HELPERS} -eq 1 ]; then
InsertPluginSection "Audit Module"
if [ ! "${HELPER}" = "" ]; then
logtext "Helper tool is $HELPER"
if [ -f ${INCLUDEDIR}/helper_${HELPER} ]; then
SafePerms ${INCLUDEDIR}/helper_${HELPER}
logtext "Running helper tool ${HELPER} with params: ${HELPER_PARAMS}"
InsertPluginSection "Helper: ${HELPER}"
. ${INCLUDEDIR}/helper_${HELPER} ${HELPER_PARAMS}
else
echo "Error, could not find helper"
@ -856,6 +821,9 @@
# Show report
if [ -f ${INCLUDEDIR}/report ]; then SafePerms ${INCLUDEDIR}/report; . ${INCLUDEDIR}/report; fi
# Show tool tips
if [ -f ${INCLUDEDIR}/hints_tips ]; then SafePerms ${INCLUDEDIR}/hints_tips; . ${INCLUDEDIR}/hints_tips; fi
logtext "================================================================================"
logtext "Tests performed: ${CTESTS_PERFORMED}"
logtext "Total tests: ${TOTAL_TESTS}"
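Review bot: this sources ${INCLUDEDIR}/hints_tips, but the file added in this change is include/tool_tips, so the tips are never shown and the `-f` guard makes the mismatch silent. Rename one of the two so they agree, and consider logging when an expected include is absent.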
@ -883,7 +851,11 @@
logtext "================================================================================"
# Clean exit (Delete PID file)
ExitClean
if [ ${TOTAL_WARNINGS} -gt 0 ]; then
ExitCustom 78
else
ExitClean
fi
# The End
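Review bot: returning ExitCustom 78 whenever TOTAL_WARNINGS is greater than 0 is a behavioural change for cron jobs and wrappers that treat any non-zero exit as failure. It matches the new EXIT CODES table in lynis.8, so it is probably intended, but call it out in the CHANGELOG and make sure TOTAL_WARNINGS is initialised on every code path before this point; with an empty value the `-gt 0` comparison errors out instead of exiting cleanly.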

lynis.8
@ -1,28 +1,28 @@
.TH Lynis 8 "30 January 2015" "1.17" "Unix System Administrator's Manual"
.TH Lynis 8 "10 September 2015" "1.19" "Unix System Administrator's Manual"
.SH "NAME"
\fB
\fB
\fB
Lynis \fP\- Run an system and security audit on the system
Lynis \fP\- System and security auditing tool
\fB
.SH "SYNOPSIS"
.nf
.fam C
\fBlynis\fP \-\-check-all(\-c) [other options]
\fBlynis\fP [scan mode] [other options]
.fam T
.fi
.SH "DESCRIPTION"
\fBLynis\fP is an auditing tool for Unix (specialists). It checks the system
and software configuration and logs all the found information into a log file
for debugging purposes, and in a report file suitable to create fancy looking
auditing reports.
\fBLynis\fP can be run as a cronjob, or from the command line. It needs to have
full access to the system, so running it as root (or with sudo rights) is
required.
\fBLynis\fP is a security auditing tool for Linux and Unix systems. It checks
the system and software configurations, to determine any improvements.
All details are logged in a log file. Findings and other data is stored in a
report file, which can be used to create auditing reports.
\fBLynis\fP can be run as a cronjob, or from the command line. Lynis prefers
root permissions (or sudo), so it can access all parts of the system, however it
not required (see pentest mode).
.PP
The following system areas may be checked:
.IP
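Review bot: two grammar slips in the new DESCRIPTION: "however it not required (see pentest mode)" should read "however it is not required", and "Findings and other data is stored in a report file" should be "are stored". The new SYNOPSIS `lynis [scan mode] [other options]` is fine, but since the page later introduces helpers as the other entry point, `lynis [scan mode | helper] [options]` would describe the actual invocation forms.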
@ -30,27 +30,34 @@ The following system areas may be checked:
.IP
\- Configuration files
.IP
\- Common files by software packages
\- Files part of software packages
.IP
\- Directories and files related to logging and auditing
.SH "FIRST TIME USAGE"
When running \fBLynis\fP for the first time, run: lynis audit system --quick
.SH "SCAN MODES"
.IP audit system
Performs a system audit, which is the most common audit.
For more scan modes, see the helper utilities.
.SH "OPTIONS"
.TP
.B \-\-auditor <full name>
Define the name of the auditor/pen-tester. When a full name is used, add double
quotes, like "Your Name".
.TP
.B \-\-checkall (or \-c)
\fBLynis\fP performs a full check of the system, printing out the results of
each test to stdout. Additional information will be saved into a log file
(default is /var/log/lynis.log).
(default is /var/log/lynis.log). This option invokes scan mode "audit system".
.IP
In case the outcome of a scan needs to be automated, use the report file.
.TP
.B \-\-check\-update (or \-\-info)
Show program, database and update information.
.TP
.B \-\-cronjob
Perform automatic scan with cron safe options (no colors, no questions, no
breaks).
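Review bot: `--check-update (or --info)` is still documented here although the help text in this same change removes --check-update and the VIEWUPDATEINFO block that implemented it is deleted from the main script; either drop this entry and point readers at `lynis update info`, or keep the option as an alias. Also, the new SCAN MODES section uses `.IP audit system` while OPTIONS uses `.TP` followed by `.B`; use the same macro in both so the sections render consistently.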
@ -115,14 +122,42 @@ with others. When running Lynis without any parameters, help will be shown and
the program will exit.
.RE
.PP
.SH "BUGS"
Discovered a bug? Please report them via e-mail (lynis-dev@cisofy.com) or via GitHub: https://github.com/CISOfy/Lynis
.RE
.PP
.SH "LICENSING"
Lynis is licensed with the GPL v3 license and under development by CISOfy and Michael Boelen. Plugins have their own license.
.RE
.PP
.SH "CONTACT INFORMATION"
.SH "HELPERS"
Lynis has special helpers to do certain tasks. This way the framework of Lynis is
used, while at the same time storing most of the functionality in a separated
file. This speeds up execution and keeps the code clean.
Support and project related questions are addressed via https://cisofy.com/support/.
.B audit
Run audit on the system or on other targets
.B update
Run updater utility
To use a helper, run Lynis followed by the helper name.
.SH "EXIT CODES"
Lynis uses exit codes to signal any invoking script. Currently the following codes are used:
.IP 0
Program exited normally, nothing found
.IP 1
Fatal error
.IP 64
An unknown parameter is used, or incomplete
.IP 65
Incorrect data encountered
.IP 66
Can't open file or directory
.IP 78
Lynis found 1 or more warnings or configurations errors
.SH "BUGS"
Bugs can be reported via GitHub at https://github.com/CISOfy/lynis
.SH "DOCUMENTATION"
Supporting documentation can be found via https://cisofy.com/documentation/lynis/
.SH "LICENSING"
Lynis is licensed as GPL v3, written by Michael Boelen. Development is supported by CISOfy. Plugins may have their own license.
.SH "CONTACT INFORMATION"
Support requests and project related questions can be addressed via e-mail: lynis-dev@cisofy.com.
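Review bot: the line "Support and project related questions are addressed via https://cisofy.com/support/." has landed inside the HELPERS section, between the description paragraph and the `.B audit` entry; it belongs in CONTACT INFORMATION (which now gives the e-mail address instead), so drop it or move it there. The two helper entries (`.B audit`, `.B update`) are bare `.B` lines with their descriptions on the following line; use `.TP` as in OPTIONS so they render as a list. The EXIT CODES table also documents 65 (Incorrect data encountered), which nothing in this change emits (only 64, 66 and 78 appear); keep it only if the function library actually uses it.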