From d282fbfc9c29d07254e9abf184e5e42ca1e8abbe Mon Sep 17 00:00:00 2001 From: Aneesh Agrawal Date: Mon, 27 Apr 2015 03:07:45 -0400 Subject: [PATCH 001/167] Update check for sulogin under systemd. The default rescue.service unit file was updated in the systemd repo on Jan 23, 2015 to allow for sulogin location variability. --- include/tests_boot_services | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_boot_services b/include/tests_boot_services index 35fee381..972855e8 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services @@ -702,7 +702,7 @@ if [ -f /usr/lib/systemd/system/rescue.service ]; then logtext "Result: file /usr/lib/systemd/system/rescue.service" logtext "Test: checking presence sulogin for single user mode" - FIND=`egrep "^ExecStart=-(/usr)?/sbin/sulogin" /usr/lib/systemd/system/rescue.service` + FIND=`egrep "^ExecStart=-(/bin/sh -c \")?(/usr)?/(s)?bin/sulogin" /usr/lib/systemd/system/rescue.service` if [ ! "${FIND}" = "" ]; then FOUND=1 logtext "Result: found sulogin, so single user is protected" From bfd24585cf880613c63b6bf77437ce85f72569fb Mon Sep 17 00:00:00 2001 From: Aneesh Agrawal Date: Mon, 27 Apr 2015 03:31:43 -0400 Subject: [PATCH 002/167] Pass information about locate prereqs to Register. Prevent the locate test from running spuriously when locate is not present --- include/tests_filesystems | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_filesystems b/include/tests_filesystems index 6d9453da..426bef35 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems 
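Review bot: The widened pattern is still applied only to `/usr/lib/systemd/system/rescue.service`, so an administrator override in `/etc/systemd/system/rescue.service` (which systemd prefers over the vendor unit) or a `rescue.service.d` drop-in that resets `ExecStart=` is never inspected, and a "found sulogin" result may not describe the unit that actually runs in rescue mode. Checking the override path first when it exists, and falling back to the vendor copy otherwise, would make the verdict reflect the effective unit; distributions that install units under `/lib/systemd/system` are skipped entirely by the `-f` test above, which is pre-existing. As a small readability point, `/(s)?bin/` can be written `/s?bin/`. The enclosing if-block starts and ends outside the hunk.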
@@ -538,7 +538,7 @@ # or /var/cache/locate/locatedb # FreeBSD /var/db/locate.database if [ ! "${LOCATEBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no FILE-6410 --os Linux --weight L --network NO --description "Checking Locate database" + Register --test-no FILE-6410 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --description "Checking Locate database" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Checking locate database" FOUND=0 From 5d7dc80481399c6a5fc6f53f9dacd5ea6b86104d Mon Sep 17 00:00:00 2001 From: Roland Smith Date: Mon, 27 Apr 2015 11:32:09 +0200 Subject: [PATCH 003/167] Initial version of IPFW test (FreeBSD). --- include/tests_firewalls | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/include/tests_firewalls b/include/tests_firewalls index 5a529d35..1d3a7061 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls @@ -274,7 +274,24 @@ ################################################################################# # # Test : FIRE-4530 - # Description : Check ipfw + # Description : Check ipfw (FreeBSD) + Register --test-no FIRE-4530 --os FreeBSD --weight L --network NO --description "Check ipfw status" + if [ ! "${SYSCTLBINARY}" = "" ]; then + # For now, only check for IPv4. + FIND=`${SYSCTLBINARY} net.inet.ip.fw.enable | awk '{ print $2 }'` + if [ "${FIND}" = "1" ]; then + Display --indent 4 --text "- Checking ipfw status" --result RUNNING --color GREEN + logtext "Result: ipfw is enabled and running for IPv4" + FIREWALL_ACTIVE=1 + FIREWALL_SOFTWARE="ipfw" + else + Display --indent 4 --text "- Checking ipfw status" --result "NOT RUNNING" --color YELLOW + logtext "Result: ipfw is not running for IPv4" + fi + else + Display --indent 2 --text "- Checking ipfw" --result SKIPPED --color YELLOW + ReportException "${TEST_NO}:4" "No IPFW test available (sysctl missing)" + fi # ################################################################################# # 
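Review bot: `${SYSCTLBINARY} net.inet.ip.fw.enable` runs with stderr untouched, so on a FreeBSD host where the ipfw module is not loaded the unknown-OID error is printed straight into the audit output before the NOT RUNNING line; `${SYSCTLBINARY} -n net.inet.ip.fw.enable 2> /dev/null` yields just the value, drops the awk step and keeps the screen clean. A missing OID and a value of 0 then both land in the NOT RUNNING branch, which is acceptable but worth a one-line comment since the log message says "not running" either way. The `# For now, only check for IPv4.` comment is helpful; the IPv6 hook (`net.inet6.ip6.fw.enable`, if I have the OID right) would be the natural follow-up so a v6-only ruleset is not reported as no firewall.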
From ded7e95a14207bec2206ae3a896cae074daf87a8 Mon Sep 17 00:00:00 2001 From: Roland Smith Date: Mon, 27 Apr 2015 12:00:58 +0200 Subject: [PATCH 004/167] Check if ipfw is enabled in rc.conf. --- include/tests_firewalls | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/include/tests_firewalls b/include/tests_firewalls index 1d3a7061..3e23fb95 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls @@ -280,12 +280,20 @@ # For now, only check for IPv4. FIND=`${SYSCTLBINARY} net.inet.ip.fw.enable | awk '{ print $2 }'` if [ "${FIND}" = "1" ]; then - Display --indent 4 --text "- Checking ipfw status" --result RUNNING --color GREEN - logtext "Result: ipfw is enabled and running for IPv4" + Display --indent 2 --text "- Checking ipfw status" --result RUNNING --color GREEN + logtext "Result: ipfw is running for IPv4" FIREWALL_ACTIVE=1 FIREWALL_SOFTWARE="ipfw" + IPFW_ENABLED=`service -e | grep -o ipfw` + if [ "${IPFW_ENABLED}" = "ipfw" ]; then + Display --indent 4 --text "- ipfw enabled in /etc/rc.conf" --result YES --color GREEN + logtext "Result: ipfw is enabled at start-up for IPv4" + else + Display --indent 4 --text "- ipfw enabled in /etc/rc.conf" --result NO --color YELLOW + logtext "Result: ipfw is disabled at start-up for IPv4" + fi else - Display --indent 4 --text "- Checking ipfw status" --result "NOT RUNNING" --color YELLOW + Display --indent 2 --text "- Checking ipfw status" --result "NOT RUNNING" --color YELLOW logtext "Result: ipfw is not running for IPv4" fi else From a0b20fcfe352a913054f3ba95d660142c69402ec Mon Sep 17 00:00:00 2001 From: Roland Smith Date: Mon, 27 Apr 2015 18:26:39 +0200 Subject: [PATCH 005/167] Wrap ipfw test in SKIPTEST block. --- include/tests_firewalls | 42 +++++++++++++++++++++-------------------- 1 file changed, 22 insertions(+), 20 deletions(-) diff --git a/include/tests_firewalls b/include/tests_firewalls index 3e23fb95..28143f1f 100644 --- a/include/tests_firewalls 
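Review bot: `service -e | grep -o ipfw` matches the substring anywhere in the enabled-service list, so any other enabled rc script whose path contains `ipfw` yields a second match, `IPFW_ENABLED` becomes two lines, the `= "ipfw"` comparison fails and the test reports NO although ipfw is enabled at boot. Matching the script name at the end of the path and using the exit status avoids that: `if service -e 2> /dev/null | grep -q '/ipfw$'; then`. `service` is also invoked by bare name while the rest of the test goes through `${SYSCTLBINARY}`; if binary discovery provides a variable for it, using that would be consistent and would avoid a stray "not found" on stderr. The enclosing if-block starts and ends outside the hunk.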
+++ b/include/tests_firewalls 
@@ -276,29 +276,31 @@ # Test : FIRE-4530 # Description : Check ipfw (FreeBSD) Register --test-no FIRE-4530 --os FreeBSD --weight L --network NO --description "Check ipfw status" - if [ ! "${SYSCTLBINARY}" = "" ]; then - # For now, only check for IPv4. - FIND=`${SYSCTLBINARY} net.inet.ip.fw.enable | awk '{ print $2 }'` - if [ "${FIND}" = "1" ]; then - Display --indent 2 --text "- Checking ipfw status" --result RUNNING --color GREEN - logtext "Result: ipfw is running for IPv4" - FIREWALL_ACTIVE=1 - FIREWALL_SOFTWARE="ipfw" - IPFW_ENABLED=`service -e | grep -o ipfw` - if [ "${IPFW_ENABLED}" = "ipfw" ]; then - Display --indent 4 --text "- ipfw enabled in /etc/rc.conf" --result YES --color GREEN - logtext "Result: ipfw is enabled at start-up for IPv4" + if [ ${SKIPTEST} -eq 0 ]; then + if [ ! "${SYSCTLBINARY}" = "" ]; then + # For now, only check for IPv4. + FIND=`${SYSCTLBINARY} net.inet.ip.fw.enable | awk '{ print $2 }'` + if [ "${FIND}" = "1" ]; then + Display --indent 2 --text "- Checking ipfw status" --result RUNNING --color GREEN + logtext "Result: ipfw is running for IPv4" + FIREWALL_ACTIVE=1 + FIREWALL_SOFTWARE="ipfw" + IPFW_ENABLED=`service -e | grep -o ipfw` + if [ "${IPFW_ENABLED}" = "ipfw" ]; then + Display --indent 4 --text "- ipfw enabled in /etc/rc.conf" --result YES --color GREEN + logtext "Result: ipfw is enabled at start-up for IPv4" + else + Display --indent 4 --text "- ipfw enabled in /etc/rc.conf" --result NO --color YELLOW + logtext "Result: ipfw is disabled at start-up for IPv4" + fi else - Display --indent 4 --text "- ipfw enabled in /etc/rc.conf" --result NO --color YELLOW - logtext "Result: ipfw is disabled at start-up for IPv4" + Display --indent 2 --text "- Checking ipfw status" --result "NOT RUNNING" --color YELLOW + logtext "Result: ipfw is not running for IPv4" fi - else - Display --indent 2 --text "- Checking ipfw status" --result "NOT RUNNING" --color YELLOW - logtext "Result: ipfw is not running for IPv4" + else + Display --indent 2 
--text "- Checking ipfw" --result SKIPPED --color YELLOW + ReportException "${TEST_NO}:4" "No IPFW test available (sysctl missing)" fi - else - Display --indent 2 --text "- Checking ipfw" --result SKIPPED --color YELLOW - ReportException "${TEST_NO}:4" "No IPFW test available (sysctl missing)" fi # ################################################################################# From b5636db5878f0c65c4654a78f534eb122f9fc619 Mon Sep 17 00:00:00 2001 From: mboelen Date: Mon, 27 Apr 2015 19:43:04 +0200 Subject: [PATCH 006/167] Change to permissions check --- lynis | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/lynis b/lynis index f8cdc18a..2e07e5f0 100755 --- a/lynis +++ b/lynis @@ -103,12 +103,17 @@ # Check if owner of both files is root user, or the same user which is running Lynis (for pentester mode) # Consts - if [ ! "${OWNER}" = "root" -a ! "${OWNERID}" = "0" ]; then ISSUE=1; SHOWPERMERROR=1; FILE="consts"; fi - if [ ! "${MYID}" = "${OWNER2ID}" ]; then ISSUE=1; SHOWPERMERROR=1; FILE="consts"; fi + if [ ! "${OWNER}" = "root" -a ! "${OWNERID}" = "0" ]; then + if [ ! "${MYID}" = "${OWNER2ID}" ]; then + ISSUE=1; SHOWPERMERROR=1; FILE="consts" + fi + fi # Functions - if [ ! "${OWNER2}" = "root" -a ! "${OWNER2ID}" = "0" ]; then ISSUE=1; SHOWPERMERROR=1; FILE="functions"; fi - if [ ! "${MYID}" = "${OWNER2ID}" ]; then ISSUE=1; SHOWPERMERROR=1; FILE="functions"; fi - + if [ ! "${OWNER2}" = "root" -a ! "${OWNER2ID}" = "0" ]; then + if [ ! "${MYID}" = "${OWNER2ID}" ]; then + ISSUE=1; SHOWPERMERROR=1; FILE="functions" + fi + fi if [ ${SHOWPERMERROR} -eq 1 ]; then echo "" echo "[!] Change ownership of ${INCLUDEDIR}/${FILE} to 'root' or similar (found: ${OWNER} with UID ${OWNERID})." From aa8410477e2638058a39ca5a230dc617986596e9 Mon Sep 17 00:00:00 2001 
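Review bot: The consts block compares the running user against `${OWNER2ID}`, the owner of the functions file, while the surrounding condition is about `${OWNER}`/`${OWNERID}`; this reads like a copy of the functions block and should be `if [ ! "${MYID}" = "${OWNERID}" ]; then`. As written, a consts file owned by a third user is accepted whenever the functions file happens to be owned by the current user, which is exactly the case the comment above ("prevent root user from executing user created files") is meant to catch. The error message printed below always names `${OWNER}` and `${OWNERID}`, so when `FILE` is `functions` the wrong owner is reported; that line is pre-existing, but it should pick the owner matching `FILE`. The permission check continues outside the hunk.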
From: mboelen Date: Wed, 29 Apr 2015 11:57:30 +0200 Subject: [PATCH 007/167] Performance tuning by removing full listing of binaries from log --- include/binaries | 1 - 1 file changed, 1 deletion(-) diff --git a/include/binaries b/include/binaries index 844027d3..895cff4a 100644 --- a/include/binaries +++ b/include/binaries @@ -78,7 +78,6 @@ N=`expr ${N} + 1` BINARY="${SCANDIR}/${I}" DISCOVERED_BINARIES="${DISCOVERED_BINARIES}${BINARY} " - logtext "Binary: ${BINARY}" # Optimized, much quicker (limited file access needed) case ${I} in aa-status) APPARMORFOUND=1; AASTATUSBINARY=${BINARY}; logtext " Found known binary: aa-status (apparmor component) - ${BINARY}" ;; From 2cd57933b64ad64f1ee9d491a787d4b8ec7c4cad Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 29 Apr 2015 11:57:57 +0200 Subject: [PATCH 008/167] Correction of Display function --- include/helper_audit_dockerfile | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/include/helper_audit_dockerfile b/include/helper_audit_dockerfile index 3c481914..13174e40 100644 --- a/include/helper_audit_dockerfile +++ b/include/helper_audit_dockerfile @@ -4,7 +4,6 @@ if [ $# -eq 0 ]; then Display --indent 2 --text "${RED}Error: ${WHITE}Provide URL or file${NORMAL}" Display --text " "; Display --text " " - ExitFatal else FILE=`echo $1 | egrep "^http|https"` @@ -18,7 +17,7 @@ if [ $# -eq 0 ]; then if [ -f ${TMP_FILE} ]; then rm -f ${TMP_FILE} fi - Dislpay --indent 2 --text "${RED}Error: ${WHITE}can not download file${NORMAL}" + Display --indent 2 --text "${RED}Error: ${WHITE}can not download file${NORMAL}" ExitFatal fi else From 761314df23d6e412c352509ff25de8bcb50fb0d9 Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 29 Apr 2015 12:21:52 +0200 Subject: [PATCH 009/167] Move helper text and small adjustment to security error --- lynis | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lynis b/lynis index 2e07e5f0..8e67d668 100755 --- a/lynis +++ b/lynis 
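Review bot: With `ExitFatal` removed from the no-argument branch in the `@@ -4,7 +4,6 @@` hunk, the helper prints the usage error and then falls through to whatever follows the if/else with `FILE` never set; unless code later in the file (outside this hunk) bails out on an empty `FILE`, the Dockerfile audit continues against nothing, which the commit message ("Correction of Display function") does not suggest is intended. If the call was dropped because `ExitFatal` is not usable at that point, a plain `exit 1` after the two Display calls keeps the early return. The if/else continues past the end of the hunk.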
@@ -134,7 +134,7 @@ echo "" echo " Why do I see this error?" echo " -------------------------------" - echo " This error is a protection mechanism, to prevent root user from executing user created files." + echo " This is a protection mechanism, to prevent the root user from executing user created files." echo ""; echo "" echo " What can I do?" echo " ---------------------" @@ -834,12 +834,12 @@ ################################################################################# # if [ ${RUN_HELPERS} -eq 1 ]; then - InsertPluginSection "Audit Module" if [ ! "${HELPER}" = "" ]; then logtext "Helper tool is $HELPER" if [ -f ${INCLUDEDIR}/helper_${HELPER} ]; then SafePerms ${INCLUDEDIR}/helper_${HELPER} logtext "Running helper tool ${HELPER} with params: ${HELPER_PARAMS}" + InsertPluginSection "Helper: ${HELPER}" . ${INCLUDEDIR}/helper_${HELPER} ${HELPER_PARAMS} else echo "Error, could not find helper" From 70e20d514ca6bb2057cf889171fb165f8b12ad42 Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 29 Apr 2015 13:53:40 +0200 Subject: [PATCH 010/167] Ensure that only one value is provided --- include/functions | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/functions b/include/functions index 1dc1c1d9..04ccfe13 100644 --- a/include/functions +++ b/include/functions @@ -778,6 +778,8 @@ NGINX_ACCESS_LOG_DISABLED=1 else if [ ! "${VALUE}" = "" ]; then + # If multiple values follow, select first one + VALUE=`echo ${VALUE} | awk '{ print $1 }'` if [ ! -f ${VALUE} ]; then logtext "Result: could not find referenced log file ${VALUE} in nginx configuration" NGINX_ACCESS_LOG_MISSING=1 From 6a0417da8b19d1daec91c15ab4a2e91cf8b8ceee Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 29 Apr 2015 14:20:46 +0200 Subject: [PATCH 011/167] Added Python and updated PHP description --- include/binaries | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/include/binaries b/include/binaries index 895cff4a..a8fb6425 100644 --- a/include/binaries +++ b/include/binaries 
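Review bot: The added `echo ${VALUE} | awk '{ print $1 }'` leaves `${VALUE}` unquoted, so a value taken from the nginx configuration that contains glob characters is expanded by the shell before awk sees it, and a leading `-n`/`-e` would be swallowed by echo; `printf '%s\n' "${VALUE}" | awk '{ print $1 }'` as the substitution avoids both. Taking the first field is right for `access_log path [format ...]`, but a path built from nginx variables such as `$host` will still be reported as missing by the `-f` test that follows; a one-line comment noting that limitation next to the new line would save the next reader from re-deriving it. The enclosing function starts and ends outside the hunk.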
@@ -144,7 +144,7 @@ openssl) OPENSSLFOUND=1; OPENSSLBINARY="${BINARY}"; OPENSSLVERSION=`${BINARY} version 2> /dev/null | head -n 1 | awk '{ print $2 }' | xargs`; logtext "Found ${BINARY} (version ${OPENSSLVERSION})" ;; pacman) PACMANFOUND=1; PACMANBINARY="${BINARY}"; logtext " Found known binary: pacman (package manager) - ${BINARY}" ;; perl) PERLFOUND=1; PERLBINARY="${BINARY}"; PERLVERSION=`${BINARY} -V:version | sed 's/^version=//' | sed 's/;//' | xargs`; logtext "Found ${BINARY} (version ${PERLVERSION})" ;; - php) PHPFOUND=1; PHPBINARY="${BINARY}"; PHPVERSION=`${BINARY} -v | awk '{ if ($1=="PHP") { print $2 }}' | head -1`; logtext "Found known binary: php (programming language) - ${BINARY} (version ${PHPVERSION})" ;; + php) PHPFOUND=1; PHPBINARY="${BINARY}"; PHPVERSION=`${BINARY} -v | awk '{ if ($1=="PHP") { print $2 }}' | head -1`; logtext "Found known binary: php (programming language intrepreter) - ${BINARY} (version ${PHPVERSION})" ;; pkg_admin) PKGADMINBINARY="${BINARY}"; logtext " Found known binary: pkg_admin (software package administration) - ${BINARY}" ;; postconf) POSTCONFFOUND=1; POSTCONFBINARY="${BINARY}"; logtext " Found known binary: postconf (postfix configuration) - ${BINARY}" ;; postfix) POSTFIXFOUND=1; POSTFIXBINARY="${BINARY}"; logtext " Found known binary: postfix (postfix binary) - ${BINARY}" ;; 
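Review bot: The new php log string spells the word `intrepreter`, and the python entry added in the `@@ -153,6 +153,7 @@` hunk spells it `intepreter`; both should read `interpreter`, e.g. `php (programming language interpreter)`. These strings land in the log file that users and support grep through, so consistent spelling matters more here than in a comment. The `case` statement starts and ends outside the hunk.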
@@ -153,6 +153,7 @@ ps) PSFOUND=1; PSBINARY="${BINARY}"; logtext " Found known binary: ps (process listing) - ${BINARY}" ;; puppet) PUPPETFOUND=1; PUPPETBINARY="${BINARY}"; logtext " Found known binary: puppet (automation tooling) - ${BINARY}" ;; puppetmasterd) PUPPETMASTERDFOUND=1; PUPPETMASTERDBINARY="${BINARY}"; logtext " Found known binary: puppetmasterd (puppet master daemon) - ${BINARY}" ;; + python) PYTHONBINARY="${BINARY}"; logtext " Found known binary: python (programming language intepreter) - ${BINARY}" ;; readlink) READLINKFOUND=1; READLINKBINARY="${BINARY}"; logtext " Found known binary: readlink (follows symlinks) - ${BINARY}" ;; rkhunter) RKHUNTERFOUND=1; RKHUNTERBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; logtext " Found known binary: rkhunter (malware scanner) - ${BINARY}" ;; rootsh) ROOTSHFOUND=1; ROOTSHBINARY="${BINARY}"; logtext " Found known binary: rootsh (wrapper for shells) - ${BINARY}" ;; From 508cf7ac719a621b54fd554b35fb77ca269f073c Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 29 Apr 2015 19:58:13 +0200 Subject: [PATCH 012/167] Added missing space --- include/tests_accounting | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_accounting b/include/tests_accounting index 4228ff28..2b5e5048 100644 --- a/include/tests_accounting +++ b/include/tests_accounting @@ -226,7 +226,7 @@ if [ -f /etc/ld.so.preload ]; then logtext "Result: found /etc/ld.so.preload, testing if snoopy.so is listed" FIND=`grep ${FILE} /etc/ld.so.preload` - if [ !"${FIND}" = "" ]; then + if [ ! "${FIND}" = "" ]; then logtext "Result: found snoopy in ld.so.preload" logtext "Output: ${FIND}" Display --indent 6 --text "- Library in ld.so.preload" --result "LOADED" --color GREEN From b2b9f7627a82ebb6426498e6bf345cd176446001 Mon Sep 17 00:00:00 2001 
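Review bot: The `python)` arm sets only `PYTHONBINARY` and no `PYTHONFOUND=1`, unlike the neighbouring `perl`, `php` and `puppet` arms, so any later test following the file's `*FOUND` convention cannot tell whether python was discovered; prefix the arm with `PYTHONFOUND=1;` to match. Only a binary literally named `python` is matched, so a host that ships `python3` or `python2` without the unversioned name is not detected; whether that matters depends on how the variable is consumed, which is outside this hunk. The `case` statement starts and ends outside the hunk.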
From: mboelen Date: Thu, 30 Apr 2015 01:20:03 +0200 Subject: [PATCH 013/167] Updates to several sections and point to documentation --- lynis.8 | 47 +++++++++++++++++++++++++++++++---------------- 1 file changed, 31 insertions(+), 16 deletions(-) diff --git a/lynis.8 b/lynis.8 index 38be837d..8de5135f 100644 --- a/lynis.8 +++ b/lynis.8 @@ -1,4 +1,4 @@ -.TH Lynis 8 "30 January 2015" "1.17" "Unix System Administrator's Manual" +.TH Lynis 8 "30 April 2015" "1.18" "Unix System Administrator's Manual" .SH "NAME" @@ -16,13 +16,13 @@ Lynis \fP\- Run an system and security audit on the system .fi .SH "DESCRIPTION" -\fBLynis\fP is an auditing tool for Unix (specialists). It checks the system -and software configuration and logs all the found information into a log file -for debugging purposes, and in a report file suitable to create fancy looking -auditing reports. -\fBLynis\fP can be run as a cronjob, or from the command line. It needs to have -full access to the system, so running it as root (or with sudo rights) is -required. +\fBLynis\fP is a security auditing tool for Linux and Unix systems. It checks +the system and software configurations, to determine any improvements. +All details are logged in a log file. Findings and other data is stored in a +report file, which can be used to create auditing reports. +\fBLynis\fP can be run as a cronjob, or from the command line. Lynis prefers +root permissions (or sudo), so it can access all parts of the system, however it +not required (see pentest mode). .PP The following system areas may be checked: .IP @@ -30,7 +30,7 @@ The following system areas may be checked: .IP \- Configuration files .IP -\- Common files by software packages +\- Files part of software packages .IP \- Directories and files related to logging and auditing .SH "OPTIONS" 
@@ -39,7 +39,6 @@ The following system areas may be checked: .B \-\-auditor Define the name of the auditor/pen-tester. When a full name is used, add double quotes, like "Your Name". - .TP .B \-\-checkall (or \-c) \fBLynis\fP performs a full check of the system, printing out the results of @@ -48,9 +47,6 @@ each test to stdout. Additional information will be saved into a log file .IP In case the outcome of a scan needs to be automated, use the report file. .TP -.B \-\-check\-update (or \-\-info) -Show program, database and update information. -.TP .B \-\-cronjob Perform automatic scan with cron safe options (no colors, no questions, no breaks). 
@@ -115,14 +111,33 @@ with others. When running Lynis without any parameters, help will be shown and the program will exit. .RE .PP + +.SH "HELPERS" +Lynis has special helpers to do certain tasks. This way the framework of Lynis is +used, while at the same time storing most of the functionality in a separated +file. This speeds up execution and keeps the code clean. +.TP +.B audit +Run audit on the system or on other targets +.TP +.B update +Run updater utility +.TP +To use a helper, run Lynis followed by the helper name +.RE +.PP .SH "BUGS" -Discovered a bug? Please report them via e-mail (lynis-dev@cisofy.com) or via GitHub: https://github.com/CISOfy/Lynis +Discovered a bug? Please report them via GitHub: https://github.com/CISOfy/lynis +.RE +.PP +.SH "Documentation" +Supporting documentation can be found via https://cisofy.com/documentation/lynis/ .RE .PP .SH "LICENSING" -Lynis is licensed with the GPL v3 license and under development by CISOfy and Michael Boelen. Plugins have their own license. +Lynis is licensed as GPL v3, written by Michael Boelen and supported by CISOfy. Plugins may have their own license. .RE .PP .SH "CONTACT INFORMATION" -Support and project related questions are addressed via https://cisofy.com/support/. +Support requests and project related questions can be addressed via e-mail: lynis-dev@cisofy.com. From 0cc3a69be9bf4f06222c575759f1aab85d14009a Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 30 Apr 2015 01:23:18 +0200 Subject: [PATCH 014/167] Additions to allow for automatic updates --- default.prf | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/default.prf b/default.prf index c97e55f5..713070f7 100644 --- a/default.prf +++ b/default.prf 
@@ -308,6 +308,38 @@ permdir:/root/.ssh:rwx------:root:-:WARN: #config:custom_url_prepend:https://your-domain.example.org/control-info/: #config:custom_url_append:/: +################################################################################# +# +# Automatic Updating +# ------------------- +# +# These settings are required when using the lynis update functionality. +# By specifying local paths and your update server, the tool can do an update +# check, compare versions and download a new version. +# +################################################################################# + +# Local directory (without slash at end) where lynis directory will be installed +# Note: do not add full path to lynis, as subdirectory is part of tarball +#config:update_local_directory:/usr/local: +# Full path to local file. Change local path if Lynis is installed on a different place +#config:update_local_version_info:/usr/local/lynis/client-version: + +# Download information +# ----------------------------- +# Protocol to use: http, https +#config:update_server_protocol:http: + +# Address of update server +#config:update_server_address:192.168.1.125: + +# Path to last stable release +#config:update_latest_version_download:/files/lynis-latest.tar.gz: + +# Last part of URL (file to gather) +#config:update_latest_version_info:/files/lynis-latest-version: + + ################################################################################# # # Lynis Enterprise From 1ece78f1a82b140c4e1994694e7f2bf3517cb22f Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 30 Apr 2015 01:23:47 +0200 Subject: [PATCH 015/167] Set default for showing program details at start --- include/consts | 1 + 1 file changed, 1 insertion(+) diff --git a/include/consts b/include/consts index 077628f9..a46464fa 100644 --- a/include/consts +++ b/include/consts 
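Review bot: The example `update_server_protocol` is `http`, and none of the new keys carries a checksum or signature for the release, so an installation that copies these examples fetches a tarball that the comments say will be extracted under `update_local_directory` over a channel with no integrity protection; the example should be `https`, and the section header should state that the server's TLS certificate is the only thing vouching for the download. A comment such as `# Use https: the update helper does not verify a signature or checksum of the tarball` above the protocol setting makes that trade-off visible to whoever enables the feature. The sample address `192.168.1.125` would also be clearer as a placeholder in the style of the `custom_url_prepend` example above (`your-update-server.example.org`) so it is not left in place by accident.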
@@ -129,6 +129,7 @@ unset LANG SCAN_TEST_HEAVY=""; SCAN_TEST_MEDIUM=""; SCAN_TEST_LOW="" SESTATUSBINARY="" SERVICE_MANAGER="" + SHOW_PROGRAM_DETAILS=1 SHOW_REPORT=1 SKIPPED_TESTS_ROOTONLY="" SSHKEYSCANBINARY="" From 8ae3cfd5ad56804fa0db67e8af13f9a37299969f Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 30 Apr 2015 01:25:18 +0200 Subject: [PATCH 016/167] Remove unused variable --- include/consts | 1 - 1 file changed, 1 deletion(-) diff --git a/include/consts b/include/consts index a46464fa..6c4ad85a 100644 --- a/include/consts +++ b/include/consts @@ -167,7 +167,6 @@ unset LANG TOTAL_TESTS=0 # Total amount of tests (counter) UPLOAD_DATA=0 # Upload of data to central node VIEWHELP=0 # Show help - VIEWUPDATEINFO=0 # View program/database version WRONGOPTION=0 # A wrong option is used # ################################################################################# From af1c100f0ec28a9621ceaadca4918079da64e88d Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 30 Apr 2015 01:27:10 +0200 Subject: [PATCH 017/167] Remove the display of update check, extend help with new helper --- lynis | 59 ++++++----------------------------------------------------- 1 file changed, 6 insertions(+), 53 deletions(-) diff --git a/lynis b/lynis index 8e67d668..46740486 100755 --- a/lynis +++ b/lynis @@ -23,7 +23,7 @@ # Program information PROGRAM_name="Lynis" PROGRAM_version="2.1.1" - PROGRAM_releasedate="19 April 2015" + PROGRAM_releasedate="29 April 2015" PROGRAM_author="CISOfy" PROGRAM_author_contact="lynis-dev@cisofy.com" PROGRAM_website="https://cisofy.com" 
@@ -226,55 +226,6 @@ # CV - Current Version PROGRAM_AC=`echo ${PROGRAM_version} | awk '{ print $1 }' | sed 's/[.]//g'` PROGRAM_LV=0 - #DB_MALWARE_CV=`grep "^#version=" ${DBDIR}/malware.db | cut -d '=' -f2` - #DB_FILEPERMS_CV=`grep "^#version=" ${DBDIR}/fileperms.db | cut -d '=' -f2` - - # Number of signatures - #DB_MALWARE_IC=`grep -v "^#" ${DBDIR}/malware.db | wc -l | tr -s ' ' | tr -d ' '` - - if [ ${VIEWUPDATEINFO} -eq 1 ]; then - - CheckUpdates - - # Reset everything if we can't determine our current version or the latest - # available version (due lack of internet connectivity for example) - if [ "${PROGRAM_AC}" = "" -o "${PROGRAM_LV}" = "" ]; then - # Set both to safe values - PROGRAM_AC=0; PROGRAM_LV=0 - #DB_MALWARE_LV=0; DB_MALWARE_CV=0 - #DB_FILEPERMS_LV=0; DB_FILEPERMS_CV=0 - fi - - echo ""; echo " == ${WHITE}${PROGRAM_name}${NORMAL} =="; echo "" - echo " Version : ${PROGRAM_version}" - echo -n " Status : " - if [ ${PROGRAM_LV} -eq 0 ]; then - echo "${RED}Unknown${NORMAL}"; - elif [ ${PROGRAM_LV} -gt ${PROGRAM_AC} ]; then - echo "${YELLOW}Outdated${NORMAL}"; - echo " Current version : ${PROGRAM_AC}" - echo " Latest version : ${PROGRAM_LV}" - else - echo "${GREEN}Up-to-date${NORMAL}" - fi - echo " Release date : ${PROGRAM_releasedate}" - echo " Update location : ${PROGRAM_website}" -# echo "" -# echo " == ${WHITE}Plugins${NORMAL} ==" -# echo "" -# echo " == ${WHITE}Databases${NORMAL} ==" -# echo " Current Latest Status" -# echo " -----------------------------------------------------------------------------" -# echo -n " Malware : ${DB_MALWARE_CV} ${DB_MALWARE_LV} " -# if [ ${DB_MALWARE_LV} -gt ${DB_MALWARE_CV} ]; then echo "${WARNING}Outdated${NORMAL}"; else echo "${OK}Up-to-date${NORMAL}"; fi -# echo -n " File perms : ${DB_FILEPERMS_CV} ${DB_FILEPERMS_LV} " -# if [ ${DB_FILEPERMS_LV} -gt ${DB_FILEPERMS_CV} ]; then echo "${WARNING}Outdated${NORMAL}"; else echo "${OK}Up-to-date${NORMAL}"; fi - echo ""; echo "" - echo "${PROGRAM_copyright}"; echo "" - - # 
Quit program - ExitClean - fi # ################################################################################# # @@ -394,8 +345,11 @@ echo " audit system : Perform security scan" echo " audit dockerfile : Analyze Dockerfile" echo "" + echo " ${GREEN}update${NORMAL}" + echo " update info : Show update details" + echo " update release : Update Lynis release" + echo "" echo "" - echo " ${WHITE}Scan options:${NORMAL}" echo " --auditor \"\" : Auditor name" echo " --dump-options : See all available options" @@ -412,7 +366,6 @@ echo " --reverse-colors : Optimize color display for light backgrounds" echo "" echo " ${WHITE}Misc options:${NORMAL}" - echo " --check-update : Check for updates" echo " --debug : Debug logging to screen" echo " --view-manpage (--man) : View man page" echo " --version (-V) : Display version number and quit" @@ -529,7 +482,7 @@ # ################################################################################# # - if [ ${QUIET} -eq 0 ]; then + if [ ${QUIET} -eq 0 -a ${SHOW_PROGRAM_DETAILS} -eq 1 ]; then echo "" echo " ---------------------------------------------------" echo " Program version: ${PROGRAM_version}" From 0e581e6ad75a392c0d5f409405b3e132858d3fc6 Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 30 Apr 2015 01:27:36 +0200 Subject: [PATCH 018/167] Initial import of helper for automatic updates --- include/helper_update | 266 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 266 insertions(+) create mode 100644 include/helper_update diff --git a/include/helper_update b/include/helper_update new file mode 100644 index 00000000..60529c4b --- /dev/null +++ b/include/helper_update 
@@ -0,0 +1,266 @@ +#!/bin/sh + +###################################################################### +# +# Helper program to support automatic updates of Lynis +# +###################################################################### +# +# Options: +# --------- +# 1) lynis update info - Show version information (external) +# 2) lynis update release - Check and install new release (internal) +# +# How to use: +# ------------ +# Run option 1 to know about current and latest release information. +# Run option 2 to query internal server for possible upgrade of Lynis. +# +# Steps for updating to new release: +# 1) Run Lynis with: lynis update release +# 2) Lynis will use this helper and check the profile +# 3) The configured web server will be queried (lynis-latest-version) +# 4) The contents of this file will be compared with a local file +# 5) If there is a difference, download package +# 6) Check paths and extract files +# 7) Quit program +# +# Suggested documentation if you want to use this functionality: +# https://cisofy.com/documentation/lynis/upgrading/ +# +###################################################################### + +LOCAL_VERSION="-" +SERVER_VERSION="" +PERFORM_UPGRADE=0 + +WGET_EXISTS=`which wget 2> /dev/null` +CURL_EXISTS=`which curl 2> /dev/null` +FETCH_EXISTS=`which fetch 2> /dev/null` + +# Update version +if [ "$1" = "release" ]; then + + if [ "${UPDATE_SERVER_PROTOCOL}" = "" ] ; then + Display --indent 2 --text "Error: Unknown protocol, please specify (http, https) in profile (update_server_protocol)" + ExitFatal + fi + + if [ "${UPDATE_SERVER_ADDRESS}" = "" ] ; then + Display --indent 2 --text "Error: Unknown download address, please specify in profile (update_server_address)" + ExitFatal + fi + + if [ "${UPDATE_LATEST_VERSION_DOWNLOAD}" = "" ] ; then + Display --indent 2 --text "Error: No URL to latest download has been specifiedrsion on the server, please specify in profile (update_latest_version_download)" + ExitFatal + fi + + if [ 
"${UPDATE_LATEST_VERSION_INFO}" = "" ] ; then + Display --indent 2 --text "Error: No URL has been specified to know the latest version on the server, please specify in profile (update_latest_version_info)" + ExitFatal + fi + + if [ "${UPDATE_LOCAL_DIRECTORY}" = "" ] ; then + Display --indent 2 --text "Error: No local directory has been specified to store Lynis files. Please specify in profile (update_local_directory)" + ExitFatal + else + if [ ! -d ${UPDATE_LOCAL_DIRECTORY} ]; then + Display --indent 2 --text "Error: Directory ${UPDATE_LOCAL_DIRECTORY} does not exist" + ExitFatal + fi + fi + + if [ "${UPDATE_LOCAL_VERSION_INFO}" = "" ] ; then + Display --indent 2 --text "Error: No data file has been specified to determine local Lynis version, please specify in profile (update_local_version_info)" + ExitFatal + fi + + if [ ! -f ${UPDATE_LOCAL_VERSION_INFO} ]; then + Display --indent 2 --text "Note: local data file ${UPDATE_LOCAL_VERSION_INFO} does not exist. It will be created after updating. (update_local_version_info)" + else + LOCAL_VERSION=`cat ${UPDATE_LOCAL_VERSION_INFO}` + fi + + # Normal update + FULLPATH="${UPDATE_SERVER_PROTOCOL}://${UPDATE_SERVER_ADDRESS}${UPDATE_LATEST_VERSION_INFO}" + TMP_FILE=`mktemp /tmp/audit.XXXXXXXXXX` + if [ "${TMP_FILE}" = "" ]; then + Display --indent 2 --text "Could not create a temporary file in /tmp with mktemp. Aborting.." + ExitFatal + fi + Display --indent 2 --text "${CYAN}[Phase 1] Downloading details${NORMAL}" + if [ ! "${WGET_EXISTS}" = "" ]; then + logtext "Using wget to download release information" + LAST_COMMAND_HELP="wget --output-document ${TMP_FILE} ${FULLPATH}" + wget --output-document ${TMP_FILE} ${FULLPATH} 2> /dev/null + EXIT_CODE=$? + elif [ ! "${CURL_EXISTS}" = "" ]; then + logtext "Using curl to download release information" + LAST_COMMAND_HELP="curl --fail -o ${TMP_FILE} ${FULLPATH}" + curl --fail -o ${TMP_FILE} ${FULLPATH} 2> /dev/null + EXIT_CODE=$? 
+ else + Display --indent 2 --text "No download tool available to perform download" + ExitFatal + fi + + if [ ! "${TMP_FILE}" = "" ]; then + if [ -f ${TMP_FILE} ]; then + SERVER_VERSION=`cat ${TMP_FILE}` + rm -f ${TMP_FILE} + fi + else + Display --indent 2 --text "Temporary file variable is empty, which is unexpected. Aborting.." + ExitFatal + fi + + # Determine if downloading meta data was successful + if [ ${EXIT_CODE} -eq 0 ]; then + if [ "${SERVER_VERSION}" = "" ]; then + Display --indent 2 --text "No version found on the server. Aborting.." + ExitFatal + else + Display --indent 2 --text "Version found on server: ${SERVER_VERSION}" + Display --indent 2 --text "Local version found: ${LOCAL_VERSION}" + fi + else + Display --indent 2 --text "${RED}Error: ${WHITE}Download utility returned an unexpected error code.${NORMAL} Aborting.." + Display --indent 2 --text "Error code: ${EXIT_CODE}" + Display --indent 2 --text "Suggested command: ${LAST_COMMAND_HELP}" + ExitFatal + fi + +#========================================================================================================================================== + + Display --indent 2 --text " " + Display --indent 2 --text "${CYAN}[Phase 2] Compare results${NORMAL}" + if [ ! "${LOCAL_VERSION}" = "${SERVER_VERSION}" ]; then + Display --indent 2 --text "Different version available, moving to upgrade phase" + PERFORM_UPGRADE=1 + else + Display --indent 2 --text "${GREEN}No upgrade needed${NORMAL}" + fi + + # Go to phase 3 if upgrade is needed + if [ ${PERFORM_UPGRADE} -eq 1 ]; then + FULLPATH="${UPDATE_SERVER_PROTOCOL}://${UPDATE_SERVER_ADDRESS}${UPDATE_LATEST_VERSION_DOWNLOAD}" + Display --indent 2 --text " " + Display --indent 2 --text "[Phase 3] Downloading latest release" + Display --indent 2 --text "Download location: ${FULLPATH}" + if [ ! 
"${WGET_EXISTS}" = "" ]; then + logtext "Using wget to download latest release" + LAST_COMMAND_HELP="wget --output-document ${TMP_FILE} ${FULLPATH}" + wget --output-document ${TMP_FILE} ${FULLPATH} 2> /dev/null + EXIT_CODE=$? + elif [ ! "${CURL_EXISTS}" = "" ]; then + logtext "Using curl to download latest release" + LAST_COMMAND_HELP="curl --fail -o ${TMP_FILE} ${FULLPATH}" + curl --fail -o ${TMP_FILE} ${FULLPATH} 2> /dev/null + EXIT_CODE=$? + fi + if [ ${EXIT_CODE} -eq 0 ]; then + if [ -f ${TMP_FILE} ]; then + Display --indent 2 --text "Download successful" + # Extract the file to the related path, with 'lynis' appended + # Note: by default the tarball includes 'lynis' as directory + if [ ! -d ${UPDATE_LOCAL_DIRECTORY} ]; then + Display --indent 2 --text "Error: directory ${UPDATE_LOCAL_DIRECTORY} does not exist" + ExitFatal + fi + Display --indent 2 --text "Extracting latest version to path ${UPDATE_LOCAL_DIRECTORY}" + if [ ! -d ${UPDATE_LOCAL_DIRECTORY}/lynis ]; then + Display --indent 2 --text "Creating 'lynis' directory in ${UPDATE_LOCAL_DIRECTORY}" + mkdir ${UPDATE_LOCAL_DIRECTORY}/lynis + if [ $? -gt 0 ]; then + Display --indent 2 --text "Error: could not create directory ${UPDATE_LOCAL_DIRECTORY}/lynis" + ExitFatal + fi + fi + if [ -d ${UPDATE_LOCAL_DIRECTORY}/lynis ]; then + Display --indent 2 --text "Extracting files to ${UPDATE_LOCAL_DIRECTORY}" + tar xzf ${TMP_FILE} -C ${UPDATE_LOCAL_DIRECTORY} + if [ $? 
-eq 0 ]; then + # Check if we can find the Lynis binary (in the created 'lynis' directory) + if [ -f ${UPDATE_LOCAL_DIRECTORY}/lynis/lynis ]; then + # If version was downloaded, update local version + echo ${SERVER_VERSION} > ${UPDATE_LOCAL_VERSION_INFO} + else + Display --indent 2 --text "Error: could not find downloaded file on disk" + fi + else + Display --indent 2 --text "Error: File extraction failed" + ExitFatal + fi + else + Display --indent 2 --text "Error: could not find lynis directory" + fi + else + Display --indent 2 --text "Error: could not find downloaded file on disk" + ExitFatal + fi + else + Display --indent 2 --text "Error: could not download latest release" + Display --indent 2 --text "Suggestion: ${LAST_COMMAND_HELP}" + ExitFatal + fi + fi + + # Removing temp file + logtext "Action: Removing temporary file ${TMP_FILE}" + if [ "${TMP_FILE}" = "" ]; then + if [ -f ${TMP_FILE} ]; then + rm -f ${TMP_FILE} + fi + fi + + Display --indent 2 --text " " + Display --indent 2 --text "Done" + Display --indent 2 --text " " + ExitClean + +# Update check +elif [ "$1" = "info" ]; then + + # CV - Current Version + PROGRAM_AC=`echo ${PROGRAM_version} | awk '{ print $1 }' | sed 's/[.]//g'` + PROGRAM_LV=0 + + CheckUpdates + + # Reset everything if we can't determine our current version or the latest + # available version (due lack of internet connectivity for example) + if [ "${PROGRAM_AC}" = "" -o "${PROGRAM_LV}" = "" ]; then + # Set both to safe values + PROGRAM_AC=0; PROGRAM_LV=0 + fi + + echo ""; echo " == ${WHITE}${PROGRAM_name}${NORMAL} ==" + echo "" + echo " Version : ${PROGRAM_version}" + echo -n " Status : " + if [ ${PROGRAM_LV} -eq 0 ]; then + echo "${RED}Unknown${NORMAL}"; + elif [ ${PROGRAM_LV} -gt ${PROGRAM_AC} ]; then + echo "${YELLOW}Outdated${NORMAL}"; + echo " Current version : ${PROGRAM_AC}" + echo " Latest version : ${PROGRAM_LV}" + else + echo "${GREEN}Up-to-date${NORMAL}" + fi + echo " Release date : ${PROGRAM_releasedate}" + echo " Update 
location : ${PROGRAM_website}" + echo ""; echo "" + echo "${PROGRAM_copyright}" + echo "" + + # Quit program + ExitClean + +else + Display --indent 2 --text "${RED}Error: ${WHITE}Unknown parameter $1.${NORMAL} Aborting.." + ExitFatal +fi + + +# The End From 943b944a13a6602b088ad0b224a9479c6634225d Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 30 Apr 2015 01:28:05 +0200 Subject: [PATCH 019/167] New profile options for automatic updates --- include/profiles | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/include/profiles b/include/profiles index fea8d412..93176716 100644 --- a/include/profiles +++ b/include/profiles @@ -147,6 +147,36 @@ if [ "${VALUE}" = "full" ]; then SCAN_TEST_LIGHT="YES"; SCAN_TEST_MEDIUM="YES"; SCAN_TEST_HEAVY="YES"; fi ;; + # Server IP or hostname + update_server_address) + UPDATE_SERVER_ADDRESS="${VALUE}" + ;; + + # Protocol (http, https) + update_server_protocol) + UPDATE_SERVER_PROTOCOL="${VALUE}" + ;; + + # File path to tarball on server + update_latest_version_download) + UPDATE_LATEST_VERSION_DOWNLOAD="${VALUE}" + ;; + + # File path to information file + update_latest_version_info) + UPDATE_LATEST_VERSION_INFO="${VALUE}" + ;; + + # Local directory where lynis directory will be placed + update_local_directory) + UPDATE_LOCAL_DIRECTORY="${VALUE}" + ;; + + # Local file to maintain current version + update_local_version_info) + UPDATE_LOCAL_VERSION_INFO="${VALUE}" + ;; + # Options during upload of data upload_options) UPLOAD_OPTIONS="${VALUE}" From 22810e58e7949098da1bbbfde3d5232798fabb08 Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 30 Apr 2015 01:28:33 +0200 Subject: [PATCH 020/167] Replace existing update check options with new helper utility --- include/parameters | 27 ++++++++++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) diff --git a/include/parameters b/include/parameters index 790fa2f8..2cd372f8 100644 --- a/include/parameters +++ b/include/parameters 
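Review bot: The temp-file cleanup at the end of the `release` branch is inverted — `if [ "${TMP_FILE}" = "" ]; then if [ -f ${TMP_FILE} ]` only attempts the `rm` when the variable is empty, so the downloaded tarball is left in /tmp on every run; it should read `if [ ! "${TMP_FILE}" = "" ]; then`. Phase 3 also reuses the mktemp path that phase 1 has already `rm -f`'d, so the tarball is written to a now-predictable name in /tmp; take a fresh `mktemp` for the second download. The tarball is then extracted with `tar xzf ${TMP_FILE} -C ${UPDATE_LOCAL_DIRECTORY}` without any integrity check, so whatever the configured server (or anyone on the path when `update_server_protocol` is `http`) returns becomes the Lynis code run on the next audit, and because phase 2 only tests string inequality a downgrade is installed as readily as an upgrade; a published checksum or signature should be verified before extraction and the server version string sanity-checked before it is written to `${UPDATE_LOCAL_VERSION_INFO}`. Finally, the message `No URL to latest download has been specifiedrsion on the server` is garbled and should read `No URL to latest download has been specified`.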
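Review bot: `update_server_protocol)` stores `${VALUE}` unchecked, and the helper that consumes it only tests for a non-empty value, so a typo such as `htpp` yields a malformed download URL and any value other than `https` fetches the release tarball over an unauthenticated channel. Restrict it here, e.g. `http|https) UPDATE_SERVER_PROTOCOL="${VALUE}" ;;` with a `*)` arm that reports the bad value (using whatever the other profile options use for that, assuming Display is usable at parse time as it is in include/parameters), or default it to https. The surrounding `case` statement starts and ends outside the hunk.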
@@ -23,6 +23,7 @@ PARAMCOUNT=$# while [ $# -ge 1 ]; do case $1 in + # Helpers first audit) CHECK_BINARIES=0 RUN_HELPERS=1 @@ -63,6 +64,28 @@ #break ;; + # Helpers first + update) + CHECK_BINARIES=0 + RUN_HELPERS=1 + HELPER="update" + RUN_PLUGINS=0 + RUN_TESTS=0 + SHOW_PROGRAM_DETAILS=0 + if [ ! $2 = "" ]; then + shift + HELPER_PARAMS="$1 $2" + break + else + Display --text "${RED}Error: ${WHITE}Need a target for update${NORMAL}" + Display --text " " + Display --text "Examples:" + Display --text "lynis update info" + Display --text "lynis update release" + ExitFatal + fi + ;; + # Assign auditor to report --auditor) shift @@ -102,7 +125,9 @@ # View program/database information --check-update | --check-updates | --info) - VIEWUPDATEINFO=1 + echo "This option is deprecated" + echo "Use: lynis update info" + ExitClean ;; # License key for Lynis Enterprise From c37e2eb9eb593aaa7aa78fda36d37fbf1d97317b Mon Sep 17 00:00:00 2001 From: mboelen Date: Mon, 4 May 2015 13:37:36 +0200 Subject: [PATCH 021/167] Extended Sophos detection --- include/tests_malware | 36 +++++++++++++++--------------------- 1 file changed, 15 insertions(+), 21 deletions(-) diff --git a/include/tests_malware b/include/tests_malware index 6465ab0e..2fe22ba1 100644 --- a/include/tests_malware +++ b/include/tests_malware @@ -23,7 +23,9 @@ ################################################################################# # CLAMD_RUNNING=0 + MCAFEE_SCANNER_RUNNING=0 MALWARE_SCANNER_INSTALLED=0 + SOPHOS_SCANNER_RUNNING=0 # ################################################################################# # 
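Review bot: In the `update)` arm, `if [ ! $2 = "" ]` leaves `$2` unquoted; when `lynis update` is run with no target the expansion vanishes and `test` is left with the three words `! = ""`, which it happens to evaluate as a binary `=` between `!` and the empty string — the usage message is reached only by that accident, and a target containing whitespace or starting with `-` breaks the test outright. Quote it: `if [ ! "$2" = "" ]; then`. The enclosing `case` starts before the hunk.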
@@ -66,27 +68,36 @@ Register --test-no MALW-3280 --weight L --network NO --description "Check if anti-virus tool is installed" if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 - MCAFEE_RUNNING=0 logtext "Test: checking process cma or cmdagent (McAfee)" # cma is too generic to match on, so we want to ensure that it is related to McAfee first if [ -x /opt/McAfee/cma/bin/cma ]; then IsRunning cma - if [ ${RUNNING} -eq 1 ]; then MCAFEE_RUNNING=1; fi + if [ ${RUNNING} -eq 1 ]; then MCAFEE_SCANNER_RUNNING=1; fi else IsRunning cmdagent - if [ ${RUNNING} -eq 1 ]; then MCAFEE_RUNNING=1; fi + if [ ${RUNNING} -eq 1 ]; then MCAFEE_SCANNER_RUNNING=1; fi fi - if [ ${MCAFEE_RUNNING} -eq 1 ]; then + if [ ${MCAFEE_SCANNER_RUNNING} -eq 1 ]; then FOUND=1 Display --indent 2 --text "- Checking McAfee" --result "FOUND" --color GREEN logtext "Result: Found McAfee" MALWARE_SCANNER_INSTALLED=1 AddHP 2 2 fi + # Sophos savscand/SophosScanD + logtext "Test: checking process savscand" + IsRunning savscand + if [ ${RUNNING} -eq 1 ]; then + FOUND=1 + SOPHOS_SCANNER_RUNNING=1; + fi logtext "Test: checking process SophosScanD" IsRunning SophosScanD if [ ${RUNNING} -eq 1 ]; then FOUND=1 + SOPHOS_SCANNER_RUNNING=1; + fi + if [ ${SOPHOS_SCANNER_RUNNING} -eq 1 ]; then Display --indent 2 --text "- Checking Sophos" --result "FOUND" --color GREEN logtext "Result: Found Sophos" MALWARE_SCANNER_INSTALLED=1 @@ -114,7 +125,6 @@ logtext "Result: clamscan couldn't be found" fi fi - # ################################################################################# # 
@@ -185,22 +195,6 @@ # Description : Check for LMD # ################################################################################# -# - # Test : MALW-3292 - # Description : Check if at least one malware scanner is installed -# Register --test-no MALW-3292 --weight L --network NO --description "Check for at least one malware scanner" -# if [ ${SKIPTEST} -eq 0 ]; then -# if [ ${MALWARE_SCANNER_INSTALLED} -eq 1 ]; then -# logtext "Result: At least one malware scanner is installed" -# Display --indent 2 --text "- Checking presence malware scanner" --result "FOUND" --color GREEN -# #AddHP 3 3 -# else -# logtext "Result: No malware scanners found" -# Display --indent 2 --text "- Checking presence malware scanner" --result "NOT FOUND" --color YELLOW -# ReportSuggestion ${TEST_NO} "Install at least one malware scanner to perform periodic integrity tests on the system" -# #AddHP 0 3 -# fi -# fi # ################################################################################# # From 5729189349e1f532f6c81571248b6174a8eef613 Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 13 May 2015 14:45:16 +0200 Subject: [PATCH 022/167] Added additional legal words for banners --- include/tests_banners | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_banners b/include/tests_banners index 1bc1bbd0..de60c258 100644 --- a/include/tests_banners +++ b/include/tests_banners @@ -23,7 +23,7 @@ ################################################################################# # BANNER_FILES="/etc/issue /etc/issue.net /etc/motd" - LEGAL_BANNER_STRINGS="access authorized legal monitor owner policy policies private prohibited restricted this unauthorized" + LEGAL_BANNER_STRINGS="audit access authori intrusion law legal monitor owner policy policies private prohibited restricted subject terms this unauthorized" # ################################################################################# # From 893e17d982bb8072b5a49d3931b2b99e587a6752 Mon Sep 17 00:00:00 2001 
From: mboelen Date: Wed, 13 May 2015 14:45:50 +0200 Subject: [PATCH 023/167] Added new AddSystemGroup function --- include/functions | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/include/functions b/include/functions index 04ccfe13..e412d7c4 100644 --- a/include/functions +++ b/include/functions @@ -20,6 +20,7 @@ # Function Description # ----------------------- ------------------------------------------------- # AddHP Add Hardening points to plot a graph later +# AddSystemGroup Adds a system to a group # CheckFilePermissions Check file permissions # CheckUpdates Determine if a new version of Lynis is available # counttests Count number of performed tests @@ -50,6 +51,7 @@ # ShowSymlinkPath Show a path behind a symlink # ViewCategories Display tests categories # logtext Log text strings to logfile, prefixed with date/time +# report Add string of data to report file # ################################################################################# @@ -62,6 +64,19 @@ logtext "Hardening: assigned ${HPADD} hardening points (max for this item: ${HPADDMAX}), current: ${HPPOINTS}, total: ${HPTOTAL}" } + + ################################################################################ + # Name : AddSystemGroup + # Description : Adds a system to a group, which can be used for categorizing + # Returns : + ################################################################################ + + AddSystemGroup() + { + report "system_group[]=$1" + } + + # Check file permissions # Parameter 1 is file/dir # Result: FILE_NOT_FOUND | OK | BAD From e0f9536761fbfa282ad089554c6f313f32b06a3a Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 13 May 2015 14:50:43 +0200 Subject: [PATCH 024/167] Updated spec file with description, website and documentation link, version bump --- extras/lynis.spec | 42 ++++++++++++++++++++++-------------------- 1 file changed, 22 insertions(+), 20 deletions(-) 
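Review bot: `AddSystemGroup` writes `system_group[]=` with an empty value when called without an argument, which every consumer of the report file would then have to filter out; guard it with `if [ ! "$1" = "" ]; then report "system_group[]=$1"; fi`. The header block leaves `Returns :` blank — fill it in as `Returns : nothing (writes one system_group[] line to the report)`, and note that the argument is written verbatim, so callers are responsible for passing a clean group name.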
diff --git a/extras/lynis.spec b/extras/lynis.spec index 997a386f..3ff52e7a 100644 --- a/extras/lynis.spec +++ b/extras/lynis.spec @@ -3,6 +3,8 @@ # Lynis spec file # ----------------- # +# This file helps to create your custom RPM package of Lynis. +# # Usage: # - Adjust version number (Version:) # - Check if you have the directories in your home directory (or adjust topdir) @@ -12,9 +14,9 @@ # ################################################################################# # -# (c) 2014 Michael Boelen +# Copyright 2015 CISOfy # -# Website: http://cisofy.com/ +# Documentation: https://cisofy.com/documentation/lynis/upgrading/ # ################################################################################# 
@@ -27,30 +29,32 @@ Summary: Security and system auditing tool. Name: lynis -Version: 1.6.2 +Version: 2.1.1 Release: 1 License: GPL Group: Applications/System Source: lynis-%{version}.tar.gz BuildRoot: /tmp/lynis-root -URL: http://cisofy.com/ -Vendor: CISOfy / Michael Boelen -Packager: Michael Boelen +URL: https://cisofy.com/ +Vendor: CISOfy +Packager: Michael Boelen BuildArch: noarch %description -Lynis is a security tool to audit and harden Unix/Linux based systems. It scans a -system and provides the user with suggestion and warnings regarding taken security -measures. Examples include: - - Security enhancements - - Logging and auditing options - - Banner identification - - Software availability - - Missing security patches +Lynis is an security auditing and hardening tool for Unix derivatives like Linux, BSD +and Solaris. It performs an in-depth security scan on the system to detect software +and security issues. Besides information related to security, it will also scan for +general system information, installed packages, and possible +configuration issues. + +This software is aimed at assisting with automated auditing, configuration management, +software patch management, penetration testing, vulnerability management, and malware +scanning of Unix-based systems. Lynis is released as a GPLv3 licensed project and free for everyone to use. +Commercial support and extensions are available. -See http://cisofy.com for a full description and documentation. +See https://cisofy.com for a full description and documentation. %prep [ "$RPM_BUILD_ROOT" != "/" ] && rm -rf "$RPM_BUILD_ROOT" 
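Review bot: The new `%description` opens with `Lynis is an security auditing and hardening tool` — `an` should be `a`. This text is shown by every package manager that displays the RPM, so it is worth fixing before the next build.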
@@ -84,11 +88,6 @@ install plugins/* ${RPM_BUILD_ROOT}%{_pluginsdir} install -d ${RPM_BUILD_ROOT}%{_dbdir} install db/* ${RPM_BUILD_ROOT}%{_dbdir} - -# Patch default paths (not required for 1.1.2+) -#sed -i -e 's#INCLUDEDIR="include"#INCLUDEDIR="%{_includedir}"#g' ${RPM_BUILD_ROOT}/usr/bin/lynis -#sed -i -e 's#PROFILE="default.prf"#PROFILE="/etc/lynis/default.prf"#g' ${RPM_BUILD_ROOT}/usr/bin/lynis - %clean [ "$RPM_BUILD_ROOT" != "/" ] && rm -rf "$RPM_BUILD_ROOT" @@ -111,6 +110,9 @@ install db/* ${RPM_BUILD_ROOT}%{_dbdir} #%attr(644, root, root) %{_plugindir}/* %changelog +* Wed May 13 2015 Michael Boelen - 1.1.9-1 +- Changed website address, version bump + * Sun Sep 14 2014 Michael Boelen - 1.1.8-1 - Changed permissions with regards of pentest option From 283e198c231df3b6535414197ba1e592dba0a8e8 Mon Sep 17 00:00:00 2001 From: mboelen Date: Sun, 17 May 2015 23:00:28 +0200 Subject: [PATCH 025/167] Improved detection of blacklisted/disabled modules --- include/tests_storage | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/include/tests_storage b/include/tests_storage index a3b59eae..1ee95589 100644 --- a/include/tests_storage +++ b/include/tests_storage @@ -33,7 +33,7 @@ if [ -d /etc/modprobe.d ]; then FIND=`ls /etc/modprobe.d/* 2> /dev/null` if [ ! "${FIND}" = "" ]; then - FIND=`grep -r "install usb-storage /bin/true" /etc/modprobe.d/* | grep "usb-storage" | grep -v "#"` + FIND=`grep -r "install usb-storage /bin/(false|true)" /etc/modprobe.d/* | grep "usb-storage" | grep -v "#"` FIND2=`egrep -r "^blacklist (usb_storage|usb-storage)" /etc/modprobe.d/*` if [ ! "${FIND}" = "" -o ! "${FIND2}" = "" ]; then FOUND=1 
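Review bot: The new `%changelog` entry is tagged `1.1.9-1` while the same patch sets `Version: 2.1.1` and `Release: 1`; rpmbuild does not enforce agreement, but the entry no longer tells a reader which package it describes. If the changelog tracks the spec file itself rather than Lynis (the preceding `1.1.8-1` entry suggests that), say so in the header comment; otherwise the entry should read `2.1.1-1`.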
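Review bot: `grep -r "install usb-storage /bin/(false|true)"` uses plain `grep`, whose basic regular expressions treat `(`, `|` and `)` as literal characters, so after this change neither `/bin/true` nor `/bin/false` matches and a correctly disabled usb-storage driver is only detected when the `blacklist` form is also present. Use `egrep` as the `FIND2` line beside it already does: `egrep -r "install usb-storage /bin/(false|true)" /etc/modprobe.d/*`. The `/etc/modprobe.conf` hunk that follows has the same defect; the firewire hunks are fine because they already use `egrep`.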
@@ -44,7 +44,7 @@ fi fi if [ -f /etc/modprobe.conf ]; then - FIND=`grep "install usb-storage /bin/true" /etc/modprobe.conf | grep "usb-storage" | grep -v "#"` + FIND=`grep "install usb-storage /bin/(false|true)" /etc/modprobe.conf | grep "usb-storage" | grep -v "#"` if [ ! "${FIND}" = "" ]; then FOUND=1 logtext "Result: found usb-storage driver in disabled state" @@ -66,6 +66,7 @@ # # Test : STRG-1846 # Description : Check for disabled firewire storage + # Explanation : Best option is to use the install function, or else drivers can still be loaded manually Register --test-no STRG-1846 --os Linux --weight L --network NO --description "Check if firewire storage is disabled" if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 @@ -73,8 +74,8 @@ if [ -d /etc/modprobe.d ]; then FIND=`ls /etc/modprobe.d/* 2> /dev/null` if [ ! "${FIND}" = "" ]; then - FIND1=`egrep "blacklist (ohci1394|firewire-ohci)" /etc/modprobe.d/* | grep "ohci" | grep -v "#"` - FIND2=`egrep "install (ohci1394|firewire-ohci) /bin/true" /etc/modprobe.d/* | grep "ohci" | grep -v "#"` + FIND1=`egrep "blacklist (ohci1394|firewire-ohci|firewire_ohci)" /etc/modprobe.d/* | grep "ohci" | grep -v "#"` + FIND2=`egrep "install (ohci1394|firewire-ohci|firewire_ohci) /bin/(false|true)" /etc/modprobe.d/* | grep "ohci" | grep -v "#"` if [ ! "${FIND1}" = "" -o ! "${FIND2}" = "" ]; then FOUND=1 logtext "Result: found firewire ohci driver in disabled state" 
@@ -84,8 +85,8 @@ fi fi if [ -f /etc/modprobe.conf ]; then - FIND1=`egrep -r "blacklist (ohci1394|firewire-ohci)" /etc/modprobe.conf | grep "ohci" | grep -v "#"` - FIND2=`egrep -r "install (ohci1394|firewire-ohci) /bin/true" /etc/modprobe.conf | grep "ohci" | grep -v "#"` + FIND1=`egrep -r "blacklist (ohci1394|firewire-ohci|firewire_ohci)" /etc/modprobe.conf | grep "ohci" | grep -v "#"` + FIND2=`egrep -r "install (ohci1394|firewire-ohci|firewire_ohci) /bin/(false|true)" /etc/modprobe.conf | grep "ohci" | grep -v "#"` if [ ! "${FIND1}" = "" -o ! "${FIND2}" = "" ]; then FOUND=1 logtext "Result: found firewire ohci driver in disabled state" @@ -107,6 +108,7 @@ # ################################################################################# # +# Use modprobe --showconfig to test for options # NetBSD: amd (auto mount daemon) @@ -119,4 +121,4 @@ wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands +# Lynis - Copyright 2007-2015, CISOfy, Michael Boelen - https://cisofy.com From 46f9a3dec8a6c6f5cd93ea79b95a208dabc61794 Mon Sep 17 00:00:00 2001 From: mboelen Date: Sun, 17 May 2015 23:01:38 +0200 Subject: [PATCH 026/167] Log file integrity monitoring tool, adding support for lfd (CSF) tool --- include/tests_file_integrity | 65 +++++++++++++++++++++++++++++++++--- 1 file changed, 60 insertions(+), 5 deletions(-) diff --git a/include/tests_file_integrity b/include/tests_file_integrity index d5d7ef1e..0fe987c5 100644 --- a/include/tests_file_integrity +++ b/include/tests_file_integrity @@ -14,6 +14,8 @@ # ################################################################################# # + CSF_CONFIG="/etc/csf/csf.conf" + FILE_INT_TOOL="" FILE_INT_TOOL_FOUND=0 # Boolean, file integrity tool found # ################################################################################# 
@@ -30,11 +32,11 @@ logtext "Test: Checking AFICK binary" if [ ! "${AFICKBINARY}" = "" ]; then logtext "Result: AFICK is installed (${AFICKBINARY})" + FILE_INT_TOOL="afick" FILE_INT_TOOL_FOUND=1 Display --indent 4 --text "- AFICK" --result FOUND --color GREEN else logtext "Result: AFICK is not installed" - Display --indent 4 --text "- AFICK" --result "NOT FOUND" --color WHITE fi fi # @@ -47,11 +49,11 @@ logtext "Test: Checking AIDE binary" if [ ! "${AIDEBINARY}" = "" ]; then logtext "Result: AIDE is installed (${AIDEBINARY})" + FILE_INT_TOOL="aide" FILE_INT_TOOL_FOUND=1 Display --indent 4 --text "- AIDE" --result FOUND --color GREEN else logtext "Result: AIDE is not installed" - Display --indent 4 --text "- AIDE" --result "NOT FOUND" --color WHITE fi fi # @@ -119,11 +121,11 @@ logtext "Test: Checking Osiris binary" if [ ! "${OSIRISBINARY}" = "" ]; then logtext "Result: Osiris is installed (${OSIRISBINARY})" + FILE_INT_TOOL="osiris" FILE_INT_TOOL_FOUND=1 Display --indent 4 --text "- Osiris" --result FOUND --color GREEN else logtext "Result: Osiris is not installed" - Display --indent 4 --text "- Osiris" --result "NOT FOUND" --color WHITE fi fi # @@ -136,11 +138,11 @@ logtext "Test: Checking Samhain binary" if [ ! "${SAMHAINBINARY}" = "" ]; then logtext "Result: Samhain is installed (${SAMHAINBINARY})" + FILE_INT_TOOL="samhain" FILE_INT_TOOL_FOUND=1 Display --indent 4 --text "- Samhain" --result FOUND --color GREEN else logtext "Result: Samhain is not installed" - Display --indent 4 --text "- Samhain" --result "NOT FOUND" --color WHITE fi fi # @@ -153,6 +155,7 @@ logtext "Test: Checking Tripwire binary" if [ ! "${TRIPWIREBINARY}" = "" ]; then logtext "Result: Tripwire is installed (${TRIPWIREBINARY})" + FILE_INT_TOOL="tripwire" FILE_INT_TOOL_FOUND=1 Display --indent 4 --text "- Tripwire" --result FOUND --color GREEN else 
@@ -170,10 +173,13 @@ logtext "Test: Checking if OSSEC syscheck daemon is running" IsRunning ossec-syscheckd if [ ${RUNNING} -eq 1 ]; then + logtext "Result: syscheck (OSSEC) installed" + FILE_INT_TOOL="ossec-syscheck" FILE_INT_TOOL_FOUND=1 Display --indent 4 --text "- OSSEC (syscheck)" --result FOUND --color GREEN else Display --indent 4 --text "- OSSEC (syscheck)" --result "NOT FOUND" --color WHITE + logtext "Result: syscheck (OSSEC) not installed" fi fi # 
@@ -187,11 +193,59 @@ logtext "Test: Checking mtree binary" if [ ! "${MTREEBINARY}" = "" ]; then logtext "Result: mtree is installed (${MTREEBINARY})" + FILE_INT_TOOL="mtree" FILE_INT_TOOL_FOUND=1 Display --indent 4 --text "- mtree" --result FOUND --color GREEN else logtext "Result: mtree is not installed" - Display --indent 4 --text "- mtree" --result "NOT FOUND" --color WHITE + fi + fi +# +################################################################################# +# + # Test : FINT-4334 + # Description : Check if LFD is used (part of CSF suite) + if [ -f ${CSF_CONFIG} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no FINT-4334 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check lfd daemon status" + if [ ${SKIPTEST} -eq 0 ]; then + Display --indent 4 --text "- lfd (CSF)" --result FOUND --color GREEN + IsRunning 'lfd ' + if [ ${RUNNING} -eq 1 ]; then + logtext "Result: lfd daemon is running (CSF)" + Display --indent 6 --text "- Daemon status" --result RUNNING --color GREEN + FILE_INT_TOOL="csf-lfd" + FILE_INT_TOOL_FOUND=1 + else + Display --indent 6 --text "- Daemon status" --result "NOT RUNNING" --color YELLOW + fi + fi + # Test : FINT-4336 + # Description : Check if LFD is enabled (part of CSF suite) + if [ -f ${CSF_CONFIG} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no FINT-4336 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check lfd configuration status" + if [ ${SKIPTEST} -eq 0 ]; then + # LFD configuration parameters + ENABLED=`grep "^LF_DAEMON = \"1\"" ${CSF_CONFIG}` + if [ ! 
"${ENABLED}" = "" ]; then + logtext "Result: lfd service is configured to run" + Display --indent 6 --text "- Configuration status" --result ENABLED --color GREEN + else + logtext "Result: lfd service is configured NOT to run" + Display --indent 6 --text "- Configuration status" --result DISABLED --color YELLOW + fi + ENABLED=`grep "^LF_DIRWATCH =" ${CSF_CONFIG} | awk '{ print $3 }' | sed 's/\"//g'` + if [ ! "${ENABLED}" = "0" -a ! "${ENABLED}" = "" ]; then + logtext "Result: lfd directory watching is enabled (value: ${ENABLED})" + Display --indent 6 --text "- Temporary directory watches" --result ENABLED --color GREEN + else + logtext "Result: lfd directory watching is disabled" + Display --indent 6 --text "- Temporary directory watches" --result DISABLED --color YELLOW + fi + ENABLED=`grep "^LF_DIRWATCH_FILE =" ${CSF_CONFIG} | awk '{ print $3 }' | sed 's/\"//g'` + if [ ! "${ENABLED}" = "0" -a ! "${ENABLED}" = "" ]; then + Display --indent 6 --text "- Directory/File watches" --result ENABLED --color GREEN + else + Display --indent 6 --text "- Directory/File watches" --result DISABLED --color YELLOW fi fi # @@ -217,6 +271,7 @@ ################################################################################# # +report "file_integrity_tool=${FILE_INT_TOOL}" report "file_integrity_tool_installed=${FILE_INT_TOOL_FOUND}" wait_for_keypress From f3bd9ca9ad4266eff8f4ad8d632fe07f8b30cffe Mon Sep 17 00:00:00 2001 From: mboelen Date: Sun, 17 May 2015 23:22:54 +0200 Subject: [PATCH 027/167] Display only the tools actually found, to keep screen output as clean as possible --- include/tests_file_integrity | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/include/tests_file_integrity b/include/tests_file_integrity index 0fe987c5..7bdc2072 100644 --- a/include/tests_file_integrity +++ b/include/tests_file_integrity 
@@ -160,7 +160,6 @@ Display --indent 4 --text "- Tripwire" --result FOUND --color GREEN else logtext "Result: Tripwire is not installed" - Display --indent 4 --text "- Tripwire" --result "NOT FOUND" --color WHITE fi fi # @@ -178,7 +177,6 @@ FILE_INT_TOOL_FOUND=1 Display --indent 4 --text "- OSSEC (syscheck)" --result FOUND --color GREEN else - Display --indent 4 --text "- OSSEC (syscheck)" --result "NOT FOUND" --color WHITE logtext "Result: syscheck (OSSEC) not installed" fi fi @@ -263,7 +261,7 @@ else logtext "Result: No file integrity tools found" Display --indent 2 --text "- Checking presence integrity tool" --result "NOT FOUND" --color YELLOW - ReportSuggestion ${TEST_NO} "Install a file integrity tool" + ReportSuggestion ${TEST_NO} "Install a file integrity tool to monitor changes to critical and sensitive files" AddHP 0 5 fi fi From 45114e6557ede683308c0031c976921016bcb0c9 Mon Sep 17 00:00:00 2001 From: mboelen Date: Mon, 25 May 2015 17:20:58 +0200 Subject: [PATCH 028/167] Chef support added --- include/tests_tooling | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/include/tests_tooling b/include/tests_tooling index 6f8e6150..6d4b9917 100644 --- a/include/tests_tooling +++ b/include/tests_tooling 
@@ -45,6 +45,25 @@ Display --indent 4 --text "Found: Cfengine (cfagent)" --result FOUND --color GREEN fi + CHEF_LOCATIONS="/opt/chef/bin /opt/chef-server/sv /opt/chefdk/bin" + for I in ${CHEF_LOCATIONS}; do + if [ -d ${I} ]; then + if [ -f ${I}/chef-client ]; then + CHEFCLIENTBINARY="${I}/chef-client" + AUTOMATION_TOOL_FOUND=1 + Display --indent 4 --text "Found: Chef client (chef-client)" --result FOUND --color GREEN + logtext "Result: found chef-client (chef client daemon) in ${I}" + fi + if [ -f ${I}/erchef ]; then + CHEFSERVERBINARY="${I}/erchef" + logtext "Result: Chef Server (erchef) is installed (${CHEFSERVERBINARY})" + AUTOMATION_TOOL_FOUND=1 + Display --indent 4 --text "Found: Chef Server (erchef)" --result FOUND --color GREEN + logtext "Result: found erchef (chef server daemon) in ${I}" + fi + fi + done + # Puppet if [ ! "${PUPPETBINARY}" = "" ]; then logtext "Result: Puppet is installed (${PUPPETBINARY})" From 1c07e6fa2c92b8e75e4194704360b4d1eba11a4d Mon Sep 17 00:00:00 2001 From: mboelen Date: Mon, 25 May 2015 17:33:51 +0200 Subject: [PATCH 029/167] New test TIME-3106, Chronyd and systemd-timesyncd support --- include/tests_time | 50 ++++++++++++++++++++++++++++++++++++---------- 1 file changed, 39 insertions(+), 11 deletions(-) diff --git a/include/tests_time b/include/tests_time index 4e40bace..8937219d 100644 --- a/include/tests_time +++ b/include/tests_time @@ -32,6 +32,7 @@ # Specific for ntpd NTPD_RUNNING=0 CRON_DIRS="/etc/cron.d /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly /var/spool/crontabs" + SYSTEMD_NTP_ENABLED=0 # ################################################################################# # 
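Review bot: The erchef branch logs the same discovery twice (`logtext "Result: Chef Server (erchef) is installed (${CHEFSERVERBINARY})"` and `logtext "Result: found erchef (chef server daemon) in ${I}"`); one of them should go, as the chef-client branch logs once. Because the loop keeps scanning after a hit, a host with chef-client in more than one of the CHEF_LOCATIONS prints the Found line twice and CHEFCLIENTBINARY silently ends up as the last match rather than the first; a `break` after the first match, or a `[ "${CHEFCLIENTBINARY}" = "" ]` guard, avoids that. The outer `if [ -d ${I} ]` adds nothing that the two `-f` tests do not already establish.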
@@ -46,10 +47,24 @@ fi Register --test-no TIME-3104 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for running NTP daemon or client" if [ ${SKIPTEST} -eq 0 ]; then - # Linux/FreeBSD (ntpdate), OpenBSD (ntpd, rdate) + # Linux/FreeBSD (ntpdate), OpenBSD (ntpd, rdate), Chrony, systemd-timesyncd logtext "Test: Searching for a running NTP daemon or available client" FOUND=0 + if [ -f /etc/chrony.conf ]; then + IsRunning chronyd + if [ ${RUNNING} -eq 1 ]; then + FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="chronyd" + Display --indent 2 --text "- NTP daemon found: chronyd" --result FOUND --color GREEN + fi + + # Check time daemon (eg DragonFly BSD) + IsRunning dntpd + if [ ${RUNNING} -eq 1 ]; then + FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="dntpd" + Display --indent 2 --text "- NTP daemon found: dntpd" --result FOUND --color GREEN + fi + # Check running processes FIND=`${PSBINARY} ax | grep "ntpd" | grep -v "dntpd" | grep -v "grep"` if [ ! "${FIND}" = "" ]; then 
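Review bot: The new `if [ -f /etc/chrony.conf ]; then` block is never closed: only the two inner `if … fi` pairs have a matching `fi` before the `# Check running processes` context line, so the file does not parse as written (patch 030 later in this series adds the missing `fi`). Gating chronyd detection on that one config path is also narrower than needed: Debian-family packages install the file as /etc/chrony/chrony.conf, so a running chronyd there is never reported, while `IsRunning chronyd` does not depend on the config location at all and the `-f` guard could simply be dropped. The enclosing `if [ ${SKIPTEST} -eq 0 ]` block ends outside the hunk.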
@@ -66,19 +81,18 @@ Display --indent 2 --text "- NTP daemon found: timed" --result FOUND --color GREEN fi - # Check time daemon (eg DragonFly BSD) - IsRunning dntpd - if [ ${RUNNING} -eq 1 ]; then - FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="dntpd" - Display --indent 2 --text "- NTP daemon found: dntpd" --result FOUND --color GREEN - fi - # Check timedate daemon (systemd) if [ ! "${TIMEDATECTL}" = "" ]; then FIND=`${TIMEDATECTL} status | grep "NTP enabled: yes"` if [ ! "${FIND}" = "" ]; then - FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="timedated" - Display --indent 2 --text "- NTP daemon found: timedated" --result "FOUND" --color GREEN + # Check for systemd-timesyncd + if [ -f /etc/systemd/timesyncd.conf ]; then + FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="systemd-timesyncd" + Display --indent 2 --text "- NTP daemon found: systemd (timesyncd)" --result "FOUND" --color GREEN + SYSTEMD_NTP_ENABLED=1 + fi + else + logtext "Result: time sychronization not performed according timedatectl command" fi fi @@ -137,7 +151,6 @@ logtext "Result: no ntpdate or rdate found in cron directories" fi - # Checking if ntpdate is performed by event logtext "Test: checking for file /etc/network/if-up.d/ntpdate" if [ -f /etc/network/if-up.d/ntpdate ]; then 
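Review bot: Matching `timedatectl status` against the literal `"NTP enabled: yes"` ties the check to one version's human-readable output; later systemd releases reworded that line, and on such hosts the new timesyncd branch never fires and the else-branch logs that synchronization is not performed. Where available, `timedatectl show` gives stable key=value properties and is a safer thing to grep than the status screen; a comment noting which systemd output format the pattern expects would at least make the assumption visible. The else-branch message also has a typo: `logtext "Result: time synchronization not performed according to timedatectl command"`. The enclosing `if [ ${SKIPTEST} -eq 0 ]` block starts and ends outside the hunk.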
@@ -181,6 +194,21 @@ fi # ################################################################################# +# + # Test : TIME-3106 + # Description : Check status of systemd time synchronization + if [ ${SYSTEMD_NTP_ENABLED} -eq 1 -a ! "${TIMEDATECTL}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no TIME-3106 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check systemd NTP time synchronization status" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Test: Check the status of time synchronization via timedatectl" + FIND=`${TIMEDATECTL} status | grep "NTP sychronized: yes"` + if [ "${FIND}" = "" ]; then + logtext "Result: time not synchronized via NTP" + ReportSuggestion "${TEST_NO}" "Check timedatectl output. Sychronization via NTP is enabled, but status reflects it is not synchronized" + fi + fi +# +################################################################################# # # Test : TIME-3112 # Description : Check for valid associations from ntpq peers list From 7854eeae20cecc13b3b5c4e2dfdb11cdeea63034 Mon Sep 17 00:00:00 2001 From: mboelen Date: Mon, 25 May 2015 17:45:41 +0200 Subject: [PATCH 030/167] Chronyd support, finishing test --- include/tests_time | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/include/tests_time b/include/tests_time index 8937219d..8d425fa3 100644 --- a/include/tests_time +++ b/include/tests_time @@ -52,10 +52,11 @@ FOUND=0 if [ -f /etc/chrony.conf ]; then - IsRunning chronyd - if [ ${RUNNING} -eq 1 ]; then - FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="chronyd" - Display --indent 2 --text "- NTP daemon found: chronyd" --result FOUND --color GREEN + IsRunning chronyd + if [ ${RUNNING} -eq 1 ]; then + FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="chronyd" + Display --indent 2 --text "- NTP daemon found: chronyd" --result FOUND --color GREEN + fi fi # Check time daemon (eg DragonFly BSD) 
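Review bot: The grep pattern in the new TIME-3106 test misspells the word it looks for: `grep "NTP sychronized: yes"` can never match the `NTP synchronized: yes` line that timedatectl prints, so the test reports the clock as unsynchronized and files the suggestion on every host where it runs. Change it to `grep "NTP synchronized: yes"`; the ReportSuggestion text carries the same typo ("Sychronization"). When the check passes nothing is logged, so the log gives no evidence the test ran; an else branch with `logtext "Result: time synchronized via NTP"` would help.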
@@ -113,7 +114,7 @@ fi else logtext "Result: crontab file ${I} not found" - fi + fi done ########################## From 3f3ced806e8662f7ebd3c41938fa5140c28a4ec4 Mon Sep 17 00:00:00 2001 From: mboelen Date: Mon, 25 May 2015 23:16:45 +0200 Subject: [PATCH 031/167] Changed last line --- include/tests_tooling | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_tooling b/include/tests_tooling index 6d4b9917..ee118c31 100644 --- a/include/tests_tooling +++ b/include/tests_tooling @@ -125,4 +125,4 @@ wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com +# Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com From ef2b12e218be09e0e0a48f7640edd7701dd95776 Mon Sep 17 00:00:00 2001 From: mboelen Date: Mon, 25 May 2015 23:17:08 +0200 Subject: [PATCH 032/167] Added block and character type devices as symlinks --- include/functions | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/include/functions b/include/functions index e412d7c4..39487967 100644 --- a/include/functions +++ b/include/functions @@ -1300,6 +1300,7 @@ SYMLINK_USE_READLINK=1 logtext "Note: Using real readlink binary to determine symlinks" tFILE=`${READLINKBINARY} -f ${sFILE}` + logtext "Result: readlink shows ${tFILE} as output" fi fi # Check if we can find the file now @@ -1309,6 +1310,14 @@ sFILE="${tFILE}" logtext "Result: symlink found, pointing to file ${sFILE}" FOUNDPATH=1 + elif [ -b ${tFILE} ]; then + sFILE="${tFILE}" + logtext "Result: symlink found, pointing to block device ${sFILE}" + FOUNDPATH=1 + elif [ -c ${tFILE} ]; then + sFILE="${tFILE}" + logtext "Result: symlink found, pointing to character device ${sFILE}" + FOUNDPATH=1 elif [ -d ${tFILE} ]; then sFILE="${tFILE}" logtext "Result: symlink found, pointing to directory ${sFILE}" From 2f0e9f0981fe8ba6306a8b2369c178936b539926 Mon Sep 17 00:00:00 2001 
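Review bot: The new `elif [ -b ${tFILE} ]` and `elif [ -c ${tFILE} ]` arms in the functions hunk leave the expansion unquoted; when readlink produced no output (the -1300 hunk logs the result but does not check it), `[ -b ]` is the one-argument form of test and evaluates true, so an empty tFILE is misclassified by whichever unquoted arm is reached first. Quoting as `"${tFILE}"` makes the empty case fail the test as intended; the existing file and directory arms presumably have the same shape and deserve the same treatment. The function is cut on both sides of the hunk, so where tFILE is validated is not visible here.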
From: mboelen Date: Mon, 25 May 2015 23:17:21 +0200 Subject: [PATCH 033/167] Changed last line --- include/tests_authentication | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_authentication b/include/tests_authentication index 6921373c..d5a5c8bd 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -1329,4 +1329,4 @@ wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015 Michael Boelen, CISOfy - https://cisofy.com +# Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com From 1d1aa3c96676bf350ef459aafb81d978e13dd351 Mon Sep 17 00:00:00 2001 From: mboelen Date: Mon, 25 May 2015 23:17:42 +0200 Subject: [PATCH 034/167] Improved kernel detection on Slackware --- include/tests_kernel | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/include/tests_kernel b/include/tests_kernel index a2ba9e9b..d5a105a7 100644 --- a/include/tests_kernel +++ b/include/tests_kernel @@ -516,7 +516,8 @@ FIND=`ls /boot/vmlinuz* 2> /dev/null` if [ ! "${FIND}" = "" ]; then # Display kernels, extract version numbers and sort them numeric per column (up to 6 numbers) - KERNELS=`ls /boot/vmlinuz* | sed 's/vmlinuz-//' | sed 's/\.[a-z].*.//g' | sed 's/-[a-z].*.//g' | sed 's./boot/..' | sed 's/-/./g' | sort -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.` + # Remove generic. and huge. for Slackware machines + KERNELS=`ls /boot/vmlinuz* | sed 's/vmlinuz-//' sed 's/generic.//' | sed 's/huge.//' | sed 's/\.[a-z].*.//g' | sed 's/-[a-z].*.//g' | sed 's./boot/..' | sed 's/-/./g' | sort -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.` elif [ ! `ls /boot/kernel* 2> /dev/null` = "" ]; then # Display kernels, extract version numbers and sort them numeric per column (up to 6 numbers) # Examples: From b885b9f84f245f1dfc4913ded405e612e563ff9b Mon Sep 17 00:00:00 2001 
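Review bot: The rewritten KERNELS pipeline is missing a `|` between `sed 's/vmlinuz-//'` and `sed 's/generic.//'`, so the first sed is handed `sed` and `s/generic.//` as file names and the variable ends up empty; patch 035 in this series adds the pipe. Independently of that, the `.` in `s/generic.//` and `s/huge.//` is an unescaped regex metacharacter that matches any character, and neither expression is anchored, so they also rewrite names that merely contain those words; `sed 's/generic\.//' | sed 's/huge\.//'` is the intended form, here and in the 035 hunk that rewrites the same line. The surrounding `if` chain continues outside the hunk.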
From: mboelen Date: Mon, 25 May 2015 23:20:52 +0200 Subject: [PATCH 035/167] Add missing pipe --- include/tests_kernel | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_kernel b/include/tests_kernel index d5a105a7..b6c2b2ff 100644 --- a/include/tests_kernel +++ b/include/tests_kernel @@ -517,7 +517,7 @@ if [ ! "${FIND}" = "" ]; then # Display kernels, extract version numbers and sort them numeric per column (up to 6 numbers) # Remove generic. and huge. for Slackware machines - KERNELS=`ls /boot/vmlinuz* | sed 's/vmlinuz-//' sed 's/generic.//' | sed 's/huge.//' | sed 's/\.[a-z].*.//g' | sed 's/-[a-z].*.//g' | sed 's./boot/..' | sed 's/-/./g' | sort -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.` + KERNELS=`ls /boot/vmlinuz* | sed 's/vmlinuz-//' | sed 's/generic.//' | sed 's/huge.//' | sed 's/\.[a-z].*.//g' | sed 's/-[a-z].*.//g' | sed 's./boot/..' | sed 's/-/./g' | sort -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.` elif [ ! `ls /boot/kernel* 2> /dev/null` = "" ]; then # Display kernels, extract version numbers and sort them numeric per column (up to 6 numbers) # Examples: From 52b8c3a6a701d0cc3ea9d3507cd4f59153c41daa Mon Sep 17 00:00:00 2001 From: mboelen Date: Tue, 26 May 2015 11:10:50 +0200 Subject: [PATCH 036/167] Added VMTYPE --- include/consts | 1 + 1 file changed, 1 insertion(+) diff --git a/include/consts b/include/consts index 6c4ad85a..1d80c0b2 100644 --- a/include/consts +++ b/include/consts @@ -142,6 +142,7 @@ unset LANG UPLOAD_OPTIONS="" UPDATE_CHECK_SKIPPED=0 VALUE="" + VMTYPE="" # ################################################################################# # From 1a04109daddb3c264a44d1d98c04b0fe82102972 Mon Sep 17 00:00:00 2001 From: mboelen Date: Tue, 26 May 2015 11:11:15 +0200 Subject: [PATCH 037/167] Extended descriptions --- include/functions | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/include/functions b/include/functions index 39487967..2245bc80 100644 --- a/include/functions 
+++ b/include/functions @@ -5,7 +5,7 @@ # Lynis # ------------------ # -# Copyright 2007-2015 - Michael Boelen, CISOfy (michael.boelen@cisofy.com) +# Copyright 2007-2015, Michael Boelen - CISOfy # https://cisofy.com # # This software is licensed under GPL, version 3. See LICENSE file for @@ -27,8 +27,8 @@ # Debug Display additional information on the screen (not suited for cronjob) # DirectoryExists Check if a directory exists on the disk # Display Output text to screen with colors and identation -# ExitClean Stop the program (cleanly) -# ExitFatal Stop the program (cleanly), with fatal +# ExitClean Stop the program (cleanly), with exit code 0 +# ExitFatal Stop the program (cleanly), with exit code 1 # FileExists Check if a file exists on the disk # FileIsEmpty Check if a file is empty # FileIsReadable Check if a file is readable or directory accessible @@ -652,7 +652,7 @@ docker) ISVIRTUALMACHINE=1; VMTYPE="docker"; VMFULLTYPE="Docker container" ;; kvm) ISVIRTUALMACHINE=1; VMTYPE="kvm"; VMFULLTYPE="KVM" ;; lxc) ISVIRTUALMACHINE=1; VMTYPE="lxc"; VMFULLTYPE="Linux Containers" ;; - lxc-libvirt) ISVIRTUALMACHINE=1; VMTYPE="lxc-libvirt"; VMFULLTYPE="libvirt LXC driver (Linux Containers" ;; + lxc-libvirt) ISVIRTUALMACHINE=1; VMTYPE="lxc-libvirt"; VMFULLTYPE="libvirt LXC driver (Linux Containers)" ;; microsoft) ISVIRTUALMACHINE=1; VMTYPE="microsoft"; VMFULLTYPE="Microsoft Virtual PC" ;; openvz) ISVIRTUALMACHINE=1; VMTYPE="openvz"; VMFULLTYPE="OpenVZ" ;; oracle|virtualbox) ISVIRTUALMACHINE=1; VMTYPE="virtualbox"; VMFULLTYPE="Oracle VM VirtualBox" ;; From 3c3bb2d0db067a69574d3bcfbd732c197e9c3d56 Mon Sep 17 00:00:00 2001 From: mboelen Date: Tue, 26 May 2015 11:11:42 +0200 Subject: [PATCH 038/167] Do not show auditd suggestion for OpenVZ systems --- include/tests_accounting | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/include/tests_accounting b/include/tests_accounting index 2b5e5048..d32f4b33 100644 --- a/include/tests_accounting 
+++ b/include/tests_accounting @@ -126,7 +126,9 @@ else logtext "Result: auditd not active" Display --indent 2 --text "- Checking auditd" --result "NOT FOUND" --color WHITE - ReportSuggestion ${TEST_NO} "Enable auditd to collect audit information" + if [ ! "${VMTYPE}" = "openvz" ]; then + ReportSuggestion ${TEST_NO} "Enable auditd to collect audit information" + fi AUDITD_RUNNING=0 report "audit_daemon_running=0" AddHP 0 1 @@ -427,4 +429,4 @@ wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015, Michael Boelen - http://cisofy.com - The Netherlands +# Lynis - Copyright 2007-2015, Michael Boelen / CISOfy - https://cisofy.com From a1095ef9413dcd50964a4d9b42605c7250e19e46 Mon Sep 17 00:00:00 2001 From: mboelen Date: Tue, 26 May 2015 11:12:36 +0200 Subject: [PATCH 039/167] Improved swap detection and added UUID check --- include/tests_filesystems | 43 ++++++++++++++++++++++++++++++--------- 1 file changed, 33 insertions(+), 10 deletions(-) diff --git a/include/tests_filesystems b/include/tests_filesystems index 6d9453da..6444a645 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems 
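Review bot: Suppressing the auditd suggestion only when `${VMTYPE}` is `openvz` looks narrower than the reason behind it: if the point is that a container shares the host kernel's audit subsystem and cannot run its own auditd, the `docker`, `lxc` and `lxc-libvirt` values from the same VMTYPE table apply equally, and `case "${VMTYPE}" in docker|lxc|lxc-libvirt|openvz) ;; *) ReportSuggestion ${TEST_NO} "Enable auditd to collect audit information" ;; esac` would express that. Whatever the intent, a one-line comment above the new `if` stating why OpenVZ is exempt would save the next reader guessing. Note that `AddHP 0 1` still penalizes the exempt case, which may or may not be intended.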
@@ -209,23 +209,46 @@ FOUND=0 logtext "Test: query swap partitions from /etc/fstab file" # Check if third field contains 'swap' - FIND=`awk '{ if ($3=="swap") print $1 }' /etc/fstab` + FIND=`awk '{ if ($2=="swap" || $3=="swap") { print $1 }}' /etc/fstab | grep -v "^#"` for I in ${FIND}; do FOUND=1 + REAL="" + UUID="" logtext "Swap partition found: ${I}" # YYY Add a test if partition is not a normal partition (e.g. UUID=) # Can be ^/dev/mapper/vg-name_lv-name # Can be ^/dev/partition + # Can be ^UUID=uuid --> /dev/disk/by-uuid/ - # if [ ! "${BLKIDBINARY}" = "" ]; then - # FIND2=`${BLKIDBINARY} | awk '{ if ($2=="UUID=\"${UUID}\"") print $1 }' | sed 's/:$//'` - # else - # logtext "Result: blkid binary not found, trying by checking device listing" - # if [ -f /dev/disk/by-uuid/${UUID} ]; then - # logtext "Result: found disk via /dev/disk/by-uuid listing" - # fi - # fi - report "swap_partition[]=${I}" + HAS_UUID=`echo ${I} | grep "^UUID="` + if [ ! "${HAS_UUID}" = "" ]; then + UUID=`echo ${HAS_UUID} | awk -F= '{ print $2 }'` + logtext "Result: Using ${UUID} as UUID" + if [ ! "${BLKIDBINARYx}" = "" ]; then + FIND2=`${BLKIDBINARY} | awk '{ if ($2=="UUID=\"${UUID}\"") print $1 }' | sed 's/:$//'` + if [ ! "${FIND2}" = "" ]; then + REAL="${FIND2}" + fi + else + logtext "Result: blkid binary not found, trying by checking device listing" + sFILE="" + if [ -L /dev/disk/by-uuid/${UUID} ]; then + logtext "Result: found disk via /dev/disk/by-uuid listing" + ShowSymlinkPath /dev/disk/by-uuid/${UUID} + if [ ! "${sFILE}" = "" ]; then + REAL="${sFILE}" + logtext "Result: disk is ${REAL}" + fi + else + logtext "Result: no symlink found to /dev/disk/by-uuid/${UUID}" + fi + fi + fi + # Set real device + if [ "${REAL}" = "" ]; then + REAL="${I}" + fi + report "swap_partition[]=${I},${REAL}," done if [ ${FOUND} -eq 1 ]; then Display --indent 2 --text "- Query swap partitions (fstab)" --result OK --color GREEN From c70f3e93cd7a79d7a579158a756ca2122f6ce0e7 Mon Sep 17 00:00:00 2001 
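Review bot: `if [ ! "${BLKIDBINARYx}" = "" ]; then` tests a variable that is never set (note the trailing `x`), so the blkid branch is dead and every UUID entry falls through to the /dev/disk/by-uuid lookup; it should read `if [ ! "${BLKIDBINARY}" = "" ]; then`. Once enabled, that branch still cannot match as written, because the awk program is single-quoted and `${UUID}` inside `'{ if ($2=="UUID=\"${UUID}\"") print $1 }'` reaches awk literally; pass it in with `awk -v uuid="${UUID}" '{ if ($2=="UUID=\"" uuid "\"") print $1 }'`. The enclosing test block continues outside the hunk.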
From: mboelen Date: Tue, 26 May 2015 11:13:23 +0200 Subject: [PATCH 040/167] Cleanup of screen output, with focus on minimum output --- include/tests_time | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/include/tests_time b/include/tests_time index 8d425fa3..508702c5 100644 --- a/include/tests_time +++ b/include/tests_time @@ -109,7 +109,7 @@ Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result FOUND --color GREEN logtext "Result: found ntpdate or rdate reference in crontab file ${I}" else - Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "NOT FOUND" --color WHITE + #Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "NOT FOUND" --color WHITE logtext "Result: no ntpdate or rdate reference found in crontab file ${I}" fi else @@ -148,7 +148,7 @@ Display --indent 2 --text "- Checking NTP client in cron files" --result FOUND --color GREEN logtext "Result: found ntpdate or rdate in cron directory" else - Display --indent 2 --text "- Checking NTP client in cron.d files" --result "NOT FOUND" --color WHITE + #Display --indent 2 --text "- Checking NTP client in cron.d files" --result "NOT FOUND" --color WHITE logtext "Result: no ntpdate or rdate found in cron directories" fi @@ -433,6 +433,8 @@ # ################################################################################# # +# For VMs check ntpd.conf : tinker panic 0 +# wait_for_keypress @@ -458,4 +460,4 @@ wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands +# Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com From bb696a04f12193ec06432fcf8e3312a601935b0d Mon Sep 17 00:00:00 2001 
From: mboelen Date: Tue, 26 May 2015 11:13:47 +0200 Subject: [PATCH 041/167] Improved detection of directories in logrotate --- include/tests_logging | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/include/tests_logging b/include/tests_logging index 0d8189a9..7346365a 100644 --- a/include/tests_logging +++ b/include/tests_logging @@ -274,7 +274,7 @@ Register --test-no LOGG-2150 --weight L --preqs-met ${PREQS_MET} --network NO --description "Checking directories in logrotate configuration" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Checking which directories can be found in logrotate configuration" - FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | egrep "considering log|skipping" | grep -v '*' | sort | uniq | awk '{ if ($2=="log") { print $3 } }' | sed 's/\/*[a-zA-Z_.-]*$//g' | sort | uniq` + FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | egrep "considering log|skipping" | grep -v '*' | sort | uniq | awk '{ if ($2=="log") { print $3 } }' | sed 's@/[^/]*$@@g' | sort | uniq` if [ "${FIND}" = "" ]; then logtext "Result: nothing found" else @@ -285,7 +285,6 @@ report "log_directory[]=${I}" else logtext "Directory could not be found: ${I}" - # YYY strip more parts of the name, until it can be found (and stop at /) fi done fi From 30b9b1edd9d9689c59266b2be12f95bc80a334a5 Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 27 May 2015 11:25:07 +0200 Subject: [PATCH 042/167] Added support for Docker binary --- include/binaries | 3 +++ 1 file changed, 3 insertions(+) diff --git a/include/binaries b/include/binaries index a8fb6425..e2569613 100644 --- a/include/binaries +++ b/include/binaries 
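Review bot: Style only: the rewritten FIND pipeline runs `sort | uniq` twice where `sort -u` does the same in one process each time, and the `g` flag on `sed 's@/[^/]*$@@g'` is redundant because the pattern is anchored to end of line and can match at most once. Both are cosmetic; the new expression is a clearer "strip the last path component" than the character class it replaces. The enclosing `if [ ${SKIPTEST} -eq 0 ]` block ends outside the hunk.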
@@ -90,6 +90,9 @@ as) ASFOUND=1; ASBINARY="${BINARY}"; COMPILER_INSTALLED=1; logtext " Found known binary: as (compiler) - ${BINARY}" ;; auditctl) AUDITCTLFOUND=1; AUDITCTLBINARY="${BINARY}"; logtext " Found known binary: auditctl (control utility for audit daemon) - ${BINARY}" ;; autolog) AUTOLOGFOUND=1; AUTOLOGBINARY="${BINARY}"; IDLE_SESSION_KILLER_INSTALLED=1; logtext " Found known binary: autolog (idle session killer) - ${BINARY}" ;; + debsecan) DEBSECANBINARY="${BINARY}"; logtext " Found known binary: debsecan (package vulnerability checking) - ${BINARY}" ;; + debsums) DEBSUMSBINARY="${BINARY}"; logtext " Found known binary: debsums (package integrity checking) - ${BINARY}" ;; + docker) DOCKERBINARY="${BINARY}"; logtext " Found known binary: docker (container technology) - ${BINARY}" ;; chkconfig) CHKCONFIGFOUND=1; CHKCONFIGBINARY=${BINARY}; logtext " Found known binary: chkconfig (administration tool) - ${BINARY}" ;; clamscan) CLAMSCANFOUND=1; CLAMSCANBINARY=${BINARY}; logtext " Found known binary: clamscan (AV scanner) - ${BINARY}" ;; cfagent) CFAGENTFOUND=1; CFAGENTBINARY="${BINARY}"; FILE_INT_TOOL_FOUND=1; logtext " Found known binary: cfengine agent (configuration tool) - ${BINARY}" ;; From fe636c7d6c39332ab359e426a37b079177ef10d3 Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 27 May 2015 11:25:35 +0200 Subject: [PATCH 043/167] Docker support --- include/consts | 1 + 1 file changed, 1 insertion(+) diff --git a/include/consts b/include/consts index 1d80c0b2..cd85acb9 100644 --- a/include/consts +++ b/include/consts @@ -77,6 +77,7 @@ unset LANG CONTROL_URL_PREPEND="" CUSTOM_URL_APPEND="" CUSTOM_URL_PREPEND="" + DOCKER_DAEMON_RUNNING=0 FILEVALUE="" FIND="" FIREWALL_ACTIVE=0 From 917c790ecc930077cc303aa7192906eb4279da72 Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 27 May 2015 11:42:31 +0200 Subject: [PATCH 044/167] Changed text --- include/tests_kernel | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
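Review bot: The three new case arms are inserted between `autolog)` and `chkconfig)`, which breaks the roughly alphabetical order the surrounding arms follow; they belong after the `c*` entries. They also set only a `*BINARY` variable, whereas the neighbouring arms additionally set a `*FOUND=1` flag (`AUDITCTLFOUND=1`, `AUTOLOGFOUND=1`); if the rest of the file tests those flags, `DEBSECANFOUND=1`, `DEBSUMSFOUND=1` and `DOCKERFOUND=1` should be set here for consistency. The commit title mentions only Docker, while debsecan and debsums are added in the same hunk; the message should name all three.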
diff --git a/include/tests_kernel b/include/tests_kernel index b6c2b2ff..4a5f437a 100644 --- a/include/tests_kernel +++ b/include/tests_kernel @@ -340,7 +340,6 @@ logtext "Test: Searching apt-cache, to determine if a newer kernel is available" if [ -x /usr/bin/apt-cache ]; then logtext "Result: found /usr/bin/apt-cache" - # YYY Test for presence /usr/bin/apt-cache and dpkg logtext "Test: checking readlink location of /vmlinuz" FINDKERNFILE=`readlink -f /vmlinuz` logtext "Output: readlink reported file ${FINDKERNFILE}" @@ -581,4 +580,4 @@ wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015, Michael Boelen - http://cisofy.com - The Netherlands +# Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com From f60011eb1b4887c589fa2e985b0486b36e967626 Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 27 May 2015 11:43:08 +0200 Subject: [PATCH 045/167] Removing tests which were already performed in authentication section. --- include/tests_shells | 48 ++------------------------------------------ 1 file changed, 2 insertions(+), 46 deletions(-) diff --git a/include/tests_shells b/include/tests_shells index cf406602..52550562 100644 --- a/include/tests_shells +++ b/include/tests_shells @@ -57,16 +57,9 @@ logtext "Output /etc/ttys:" logtext "${FIND}" ReportWarning ${TEST_NO} "M" "Found unprotected console in /etc/ttys" - #ReportSuggestion ${TEST_NO} "Change the console line from 'secure' to 'insecure'." + logtext "Possible solution: Change the console line from 'secure' to 'insecure'." fi fi -# -################################################################################# -# - # Test : SHLL-6214 - # Description : check for idle session killing tools (timeoutd) - - # ################################################################################# # 
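Review bot: In the tests_shells hunk the remediation hint moves from a (commented-out) ReportSuggestion into `logtext "Possible solution: Change the console line from 'secure' to 'insecure'."`, so the user now sees the warning on screen but the fix only in the log file. If the intent is to keep output minimal, a short comment saying so would help; otherwise a real `ReportSuggestion ${TEST_NO} "Change the console line from 'secure' to 'insecure' in /etc/ttys"` keeps warning and advice together in the report as elsewhere. The enclosing `if` block starts outside the hunk.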
@@ -220,43 +213,6 @@ fi # ################################################################################# -# - # Test : SHLL-6236 - # Description : Check /etc/profile -# -################################################################################# -# - - # Test : SHLL-6240 - # Description : Check default umask -# Register --test-no SHLL-6240 --weight L --network NO --description "Check default umask" -# if [ ${SKIPTEST} -eq 0 ]; then -# logtext "Test: Checking /etc/profile" -# if [ -f /etc/profile ]; then -# FIND=`grep "^umask" | awk '{ print $2 }'` -# if [ "${FIND}" = "" ]; then -# logtext "Result: xxx" -# Display --indent 2 --text "- Checking default umask" --result OK --color GREEN -# else -# logtext "Result: xxx" -# Display --indent 2 --text "- Checking default umask" --result WARNING --color RED -# #ReportWarning ${TEST_NO} "M" "xxx" -# #ReportSuggestion ${TEST_NO} "xxx" -# fi -# fi -# fi -# -################################################################################# -# - # Test : SHLL-6250 - # Description : Check /etc/bash.bashrc -# Register --test-no SHLL-6250 --weight L --network NO --description "Check default umask" -# if [ ${SKIPTEST} -eq 0 ]; then -# -################################################################################# -# -# -################################################################################# # # Test : SHLL-6290 # Description : Check for Shellshock vulnerability @@ -395,4 +351,4 @@ wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015, CISOfy & Michael Boelen - http://cisofy.com - The Netherlands +# Lynis - Copyright 2007-2015, CISOfy - http://cisofy.com From 7f0fbcf359fb3f15735991923b391f44a0345bf1 Mon Sep 17 00:00:00 2001 
From: mboelen Date: Wed, 27 May 2015 12:34:01 +0200 Subject: [PATCH 046/167] Initial import for container category --- include/tests_containers | 167 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 167 insertions(+) create mode 100644 include/tests_containers diff --git a/include/tests_containers b/include/tests_containers new file mode 100644 index 00000000..d6450c95 --- /dev/null +++ b/include/tests_containers 
@@ -0,0 +1,167 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# Containers, Zones, Jails
+#
+#################################################################################
+#
+ InsertSection "Containers"
+#
+#################################################################################
+#
+ # Test : CONT-8004
+ # Description : Query running Solaris zones
+ if [ -x /usr/sbin/zoneadm ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no CONT-8004 --os Solaris --weight L --network NO --description "Query running Solaris zones"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: query zoneadm to list all running zones"
+ FIND=`/usr/sbin/zoneadm list -p | awk -F: '{ if ($2!="global") print $0 }'`
+ if [ !
"${FIND}" = "" ]; then + N=0 + for I in ${FIND}; do + N=`expr ${N} + 1` + ZONEID=`echo ${I} | cut -d ':' -f1` + ZONENAME=`echo ${I} | cut -d ':' -f2` + logtext "Result: found zone ${ZONENAME} (running)" + report "solaris_running_zone[]=${ZONENAME} [id:${ZONEID}]" + done + logtext "Result: total of ${N} running zones" + Display --indent 2 --text "- Checking Solaris Zones" --result "FOUND ${N} zones" --color GREEN + else + logtext "Result: no running zones found" + Display --indent 2 --text "- Checking Solaris Zones" --result NONE --color WHITE + fi + fi +# +################################################################################# +# + # Test : CONT-1906 + # Description : Query running Xen zones + #if [ -x /usr/bin/xm ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + #Register --test-no CONT-1906 --weight L --network NO --description "Query Xen guests" + #if [ ${SKIPTEST} -eq 0 ]; then + # Show Xen guests + #FIND=`xm list | awk '$1 != "Name|Domain-0" {print $1","$2}'` + #for I in ${FIND}; do + #XENGUESTNAME=`echo ${I} | cut -d ':' -f1` + #XENGUESTID=`echo ${I} | cut -d ':' -f2` + #logtext "Result: found Xen guest ${XENGUESTNAME} (ID: ${XENGUESTID})" + #done + #fi +# +################################################################################# +# + # Test : CONT-8102 + # Description : Checking Docker daemon status and basic information for later tests + Register --test-no CONT-8102 --weight L --network NO --description "Checking Docker status and information" + if [ ${SKIPTEST} -eq 0 ]; then + IsRunning "docker -d" + if [ ${RUNNING} -eq 1 ]; then + logtext "Result: found Docker daemon running" + report "docker_daemon_running=1" + DOCKER_DAEMON_RUNNING=1 + Display --indent 4 --text "- Docker" + Display --indent 6 --text "- Docker daemon" --result RUNNING --color GREEN + fi + fi +# +################################################################################# +# + # Test : CONT-8104 + # Description : Checking Docker info for any warnings + # Notes : 
Hardening points are awarded, as usually warnings are the result of missing controls to restrict boundaries like memory + if [ ! "${DOCKERBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no CONT-8104 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking Docker info for any warnings" + if [ ${SKIPTEST} -eq 0 ]; then + COUNT=0 + logtext "Test: Check for any warnings" + FIND=`${DOCKERBINARY} info 2>&1 | grep "^WARNING:" | cut -d " " -f 2- | sed 's/ /:space:/g'` + if [ ! "${FIND}" = "" ]; then + logtext "Result: found warning(s) in output" + for I in ${FIND}; do + J=`echo ${I} | sed 's/:space:/ /g'` + logtext "Output: ${J}" + COUNT=`expr ${COUNT} + 1` + done + Display --indent 8 --text "- Docker info output (warnings)" --result "${COUNT}" --color RED + ReportSuggestion "${TEST_NO}" "Run 'docker info' to see warnings applicable to Docker daemon" + AddHP 3 4 + else + logtext "Result: no warnings found from 'docker info' output" + Display --indent 8 --text "- Docker info output (warnings)" --result "NONE" --color GREEN + AddHP 1 1 + fi + fi +# +################################################################################# +# + # Test : CONT-8106 + # Description : Checking Docker containers (basic stats) + # Notes : Hardening points are awarded, if there aren't a lot of stopped containers + if [ ! 
"${DOCKERBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no CONT-8106 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking Docker info for any warnings" + if [ ${SKIPTEST} -eq 0 ]; then + Display --indent 6 --text "- Containers" + + # Check total of containers + logtext "Test: checking total amount of Docker containers" + DOCKER_CONTAINERS_TOTAL=`${DOCKERBINARY} info 2> /dev/null | grep "^Containers: " | awk '{ print $2 }'` + logtext "Result: docker info shows ${DOCKER_CONTAINERS_TOTAL} containers" + DOCKER_CONTAINERS_TOTAL2=`${DOCKERBINARY} ps -a 2> /dev/null | grep -v "CONTAINER" | wc -l` + logtext "Result: docker ps -a shows ${DOCKER_CONTAINERS_TOTAL2} containers" + if [ ! "${DOCKER_CONTAINERS_TOTAL}" = "${DOCKER_CONTAINERS_TOTAL2}" ]; then + logtext "Result: difference detected, which is unexpected" + ReportSuggestion "${TEST_NO}" "Test output of both 'docker ps -a' and 'docker info', to determine why they report a different amount of containers" + Display --indent 8 --text "- Total containers" --result "UNKNOWN" --color RED + else + Display --indent 8 --text "- Total containers" --result "${DOCKER_CONTAINERS_TOTAL}" --color WHITE + fi + + # Check running instances + DOCKER_CONTAINERS_RUNNING=`${DOCKERBINARY} ps | grep -v "CONTAINER" | wc -l` + Display --indent 8 --text "- Running containers" --result "${DOCKER_CONTAINERS_RUNNING}" --color GREEN + if [ ${DOCKER_CONTAINERS_RUNNING} -gt 0 ]; then + logtext "Result: ${DOCKER_CONTAINERS_RUNNING} containers are currently active" + report "docker_containers_running=${DOCKER_CONTAINERS_RUNNING}" + else + logtext "Result: no active containers" + report "docker_containers_running=0" + fi + + # Check if there aren't too many unused containers on the system + if [ ${DOCKER_CONTAINERS_TOTAL} -gt 0 ]; then + DOCKER_CONTAINERS_UNUSED=`expr ${DOCKER_CONTAINERS_TOTAL} - ${DOCKER_CONTAINERS_RUNNING}` + if [ ${DOCKER_CONTAINERS_UNUSED} -gt 10 ]; then + ReportSuggestion 
"${TEST_NO}" "More than 10 unused containers found on the system. Clean up old containers by using output of 'docker ps -a' command" + Display --indent 8 --text "- Unused containers" --result "${DOCKER_CONTAINERS_UNUSED}" --color RED + AddHP 0 2 + else + logtext "Result: found ${DOCKER_CONTAINERS_UNUSED} unused containers" + Display --indent 8 --text "- Unused containers" --result "${DOCKER_CONTAINERS_UNUSED}" --color YELLOW + AddHP 1 1 + fi + fi + fi +# +################################################################################# +# + + +wait_for_keypress + +# +#================================================================================ +# Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com From 46e6f87fc10c8823da35049f241f28960a1ccea7 Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 27 May 2015 12:34:19 +0200 Subject: [PATCH 047/167] Added container to test groups --- lynis | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/lynis b/lynis index 46740486..3415692b 100755 --- a/lynis +++ b/lynis 
@@ -719,13 +719,11 @@ logtext "Info: perform tests from all categories" INCLUDE_TESTS="boot_services kernel memory_processes authentication shells \ - filesystems storage storage_nfs \ - nameservices ports_packages networking printers_spools \ - mail_messaging firewalls \ - webservers ssh snmp databases ldap php squid logging \ - insecure_services banners scheduling accounting \ - time crypto virtualization mac_frameworks file_integrity hardening_tools tooling \ - malware file_permissions homedirs kernel_hardening hardening" + filesystems storage storage_nfs nameservices ports_packages networking printers_spools \ + mail_messaging firewalls webservers ssh snmp databases ldap php squid logging \ + insecure_services banners scheduling accounting time crypto virtualization containers \ + mac_frameworks file_integrity hardening_tools tooling malware file_permissions homedirs \ + kernel_hardening hardening" else INCLUDE_TESTS="${TESTS_CATEGORY_TO_PERFORM}" logtext "Info: only performing tests from categories: ${TESTS_CATEGORY_TO_PERFORM}" From d59b180e76d162090c2006c0fef968d36d6691b0 Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 27 May 2015 12:34:48 +0200 Subject: [PATCH 048/167] Updated release date --- lynis | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lynis b/lynis index 3415692b..3ca57f7d 100755 --- a/lynis +++ b/lynis @@ -23,7 +23,7 @@ # Program information PROGRAM_name="Lynis" PROGRAM_version="2.1.1" - PROGRAM_releasedate="29 April 2015" + PROGRAM_releasedate="27 May 2015" PROGRAM_author="CISOfy" PROGRAM_author_contact="lynis-dev@cisofy.com" PROGRAM_website="https://cisofy.com" From 5f3c47df68eda0fe6808efc65cff2742d62f04df Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 27 May 2015 12:35:56 +0200 Subject: [PATCH 049/167] Added debsecan, debsums and kernel package counting --- include/tests_ports_packages | 102 +++++++++++++++++++++++++++++++++-- 1 file changed, 98 insertions(+), 4 deletions(-) 
diff --git a/include/tests_ports_packages b/include/tests_ports_packages index 30d67f85..23a66584 100644 --- a/include/tests_ports_packages +++ b/include/tests_ports_packages 
@@ -402,9 +402,67 @@ fi # ################################################################################# +# + # Test : PKGS-7366 + # Description : Checking if debsecan is installed and enabled on Debian systems + if [ ! "${DEBSECANBINARY}" = "" -a "${OS}" = "Linux" -a "${LINUX_VERSION}" = "Debian" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no "PKGS-7366" --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking for debsecan utility" + if [ ${SKIPTEST} -eq 0 ]; then + if [ ! "${DEBSECANBINARY}" = "" ]; then + logtext "Result: debsecan utility is installed" + Display --indent 4 --text "- debsecan utility" --result "FOUND" --color GREEN + AddHP 3 3 + PACKAGE_AUDIT_TOOL_FOUND=1 + PACKAGE_AUDIT_TOOL="debsecan" + FIND=`find /etc/cron* -name debsecan` + if [ ! ${FIND} = "" ]; then + logtext "Result: cron job is configured for debsecan" + Display --indent 6 --text "- debsecan cron job" --result "FOUND" --color GREEN + AddHP 3 3 + else + logtext "Result: no cron job is configured for debsecan" + Display --indent 4 --text "- debsecan cron job" --result "NOT FOUND" --color YELLOW + AddHP 1 3 + ReportSuggestion ${TEST_NO} "Check debsecan cron job and ensure it is enabled" + fi + else + logtext "Result: debsecan is not installed." + Display --indent 4 --text "- debsecan utility" --result "NOT FOUND" --color YELLOW + AddHP 0 2 + ReportSuggestion ${TEST_NO} "Install debsecan to check for vulnerabilities on installed packages." + fi + fi +# +################################################################################# # # Test : PKGS-7370 - # Description : Check debsums output + # Description : Checking debsums installation status and presence in cron job + # Note : Run this only when it is a DPKG based system + if [ ! 
"${DPKGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no "PKGS-7370" --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking for debsums utility" + if [ ${SKIPTEST} -eq 0 ]; then + if [ ! "${DEBSUMSBINARY}" = "" ]; then + logtext "Result: debsums utility is installed" + Display --indent 4 --text "- debsums utility" --result "FOUND" --color GREEN + AddHP 1 1 + # Check in /etc/cron.hourly, daily, weekly, monthly etc + COUNT=`find /etc/cron* -name debsums | wc -l` + if [ ${COUNT} -gt 0 ]; then + logtext "Result: Cron job is configured for debsums utility." + Display --indent 6 --text "- Cron job for debsums" --result "FOUND" --color GREEN + AddHP 3 3 + else + logtext "Result: Cron job is not configured for debsums utility." + Display --indent 6 --text "- Cron job for debsums" --result "NOT FOUND" --color YELLOW + AddHP 1 3 + ReportSuggestion "${TEST_NO}" "Check debsums configuration and enable checking regurlarly via a cron job." + fi + else + logtext "Result: debsums utility is not installed." + AddHP 0 2 + ReportSuggestion ${TEST_NO} "Install debsums utility for the verification of packages with known good database." + fi + fi # ################################################################################# # 
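Review bot: The cron-job check in PKGS-7366 leaves `${FIND}` unquoted, `if [ ! ${FIND} = "" ]; then`, so when `find /etc/cron* -name debsecan` returns more than one path (a cron.d entry plus a cron.daily one, say) `test` fails with "too many arguments" and the test drops into the NOT FOUND branch and files a suggestion although the job exists; it should read `if [ ! "${FIND}" = "" ]; then`, matching the quoting used everywhere else in the hunk. That same branch prints its NOT FOUND result at `--indent 4` while the FOUND result uses `--indent 6`. In PKGS-7370 the "debsums utility is not installed" branch logs, scores and suggests but has no `Display` line, so nothing appears on screen for it, and the suggestion text carries the typo "regurlarly" (regularly).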
@@ -933,9 +991,45 @@ # ################################################################################# # -# check for popularity-contest (Debian/Ubuntu) -# check for yum-changelog - + # Test : PKGS-7410 + # Description : Count number of installed kernel packages + Register --test-no PKGS-7410 --weight L --network NO --description "Count installed kernel packages" + if [ ${SKIPTEST} -eq 0 ]; then + KERNELS=0 + if [ ! "${RPMBINARY}" = "" ]; then + logtext "Test: Checking how many kernel packages are installed" + KERNELS=`rpm -q kernel 2> /dev/null | wc -l` + if [ ${KERNELS} -eq 0 ]; then + logtext "Result: found no kernels from rpm -q kernel output, which is unexpected" + ReportException "KRNL-5840:1" "Could not find any kernel packages from RPM output" + elif [ ${KERNELS} -gt 5 ]; then + logtext "Result: found more than 5 kernel packages on the system, which might indicate lack of regular cleanups" + ReportSuggestion "${TEST_NO}" "Remove any unneeded kernel packages with package-cleanup utility (--old-kernels)" + AddHP 4 5 + else + logtext "Result: found ${KERNELS} on the system, which is fine" + AddHP 1 1 + fi + fi + fi +# +################################################################################# +# + # Test : PKGS-7414 + # Description : Check installonly_limit in yum.conf +# +################################################################################# +# + # Test : PKGS-7416 + # Description : Check for popularity-contest (Debian/Ubuntu) +# +################################################################################# +# + # Test : PKGS-7418 + # Description : Check for yum-changelog +# +################################################################################# +# if [ ! "${INSTALLED_PACKAGES}" = "" ]; then report "installed_packages_array=${INSTALLED_PACKAGES}" From 785ac74f91d6d2f0c6dd8728a28555f897f50333 Mon Sep 17 00:00:00 2001 
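Review bot: The exception in the `-eq 0` branch is filed under a hard-coded id from a different test, `ReportException "KRNL-5840:1"`, while the rest of the hunk and PKGS-7366/7370 in the previous hunk use `${TEST_NO}`; it should be `ReportException "${TEST_NO}:1" "Could not find any kernel packages from RPM output"`. The count runs a bare `rpm` although the branch was entered only after checking `${RPMBINARY}`, so `KERNELS=\`${RPMBINARY} -q kernel 2> /dev/null | wc -l\`` would execute the binary that was actually detected. As far as I recall `rpm -q` prints its "package kernel is not installed" message on stdout, not stderr, so the `2> /dev/null` does not remove it, `wc -l` yields 1 and the zero branch is effectively unreachable; testing the exit status of `rpm -q kernel` would be a more reliable guard. The test is also registered without `--preqs-met`, unlike the other tests added in this patch, so on non-RPM systems it runs and silently does nothing, and the log line `found ${KERNELS} on the system` is missing the word "kernels".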
From: mboelen Date: Wed, 27 May 2015 12:36:34 +0200 Subject: [PATCH 050/167] Moved tests to new container group --- include/tests_virtualization | 47 ++---------------------------------- 1 file changed, 2 insertions(+), 45 deletions(-) diff --git a/include/tests_virtualization b/include/tests_virtualization index c9100bf9..36a3a456 100644 --- a/include/tests_virtualization +++ b/include/tests_virtualization @@ -5,8 +5,8 @@ # Lynis # ------------------ # -# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands -# Web site: http://www.rootkit.nl +# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com) +# Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. 
@@ -22,49 +22,6 @@ # ################################################################################# # - # Test : VIRT-1902 - # Description : Query running Solaris zones - if [ -x /usr/sbin/zoneadm ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no VIRT-1902 --os Solaris --weight L --network NO --description "Query running Solaris zones" - if [ ${SKIPTEST} -eq 0 ]; then - logtext "Test: query zoneadm to list all running zones" - FIND=`/usr/sbin/zoneadm list -p | awk -F: '{ if ($2!="global") print $0 }'` - if [ ! "${FIND}" = "" ]; then - N=0 - for I in ${FIND}; do - N=`expr ${N} + 1` - ZONEID=`echo ${I} | cut -d ':' -f1` - ZONENAME=`echo ${I} | cut -d ':' -f2` - logtext "Result: found zone ${ZONENAME} (running)" - report "solaris_running_zone[]=${ZONENAME} [id:${ZONEID}]" - done - logtext "Result: total of ${N} running zones" - Display --indent 2 --text "- Checking Solaris Zones" --result "FOUND ${N} zones" --color GREEN - else - logtext "Result: no running zones found" - Display --indent 2 --text "- Checking Solaris Zones" --result NONE --color WHITE - fi - fi -# -################################################################################# -# - # Test : VIRT-1906 - # Description : Query running Xen zones - #if [ -x /usr/bin/xm ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - #Register --test-no VIRT-1906 --weight L --network NO --description "Query Xen guests" - #if [ ${SKIPTEST} -eq 0 ]; then - # Show Xen guests - #FIND=`xm list | awk '$1 != "Name|Domain-0" {print $1","$2}'` - #for I in ${FIND}; do - #XENGUESTNAME=`echo ${I} | cut -d ':' -f1` - #XENGUESTID=`echo ${I} | cut -d ':' -f2` - #logtext "Result: found Xen guest ${XENGUESTNAME} (ID: ${XENGUESTID})" - #done - #fi -# -################################################################################# -# - # # Test : VIRT-1920 # # Description : Checking VMware # Register --test-no VIRT-1920 --weight L --network NO --description "Checking VMware guest status" 
From 72feac96388b0ed4243a62152667424e8ab074b4 Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 11 Jun 2015 13:57:37 +0200 Subject: [PATCH 051/167] Added additional legal words for banner usage --- include/tests_banners | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_banners b/include/tests_banners index de60c258..610f7cae 100644 --- a/include/tests_banners +++ b/include/tests_banners @@ -23,7 +23,7 @@ ################################################################################# # BANNER_FILES="/etc/issue /etc/issue.net /etc/motd" - LEGAL_BANNER_STRINGS="audit access authori intrusion law legal monitor owner policy policies private prohibited restricted subject terms this unauthorized" + LEGAL_BANNER_STRINGS="audit access authori connect enforce evidence intrusion law legal monitor owner policy policies private prohibited restricted subject terms this unauthorized" # ################################################################################# # From e13a9087eaeb13d7c33b9392d2d21c0735ae20ef Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 11 Jun 2015 13:57:57 +0200 Subject: [PATCH 052/167] Added compilers to report --- include/tests_hardening | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/tests_hardening b/include/tests_hardening index 592e8b16..713264b9 100644 --- a/include/tests_hardening +++ b/include/tests_hardening @@ -55,6 +55,7 @@ IsWorldExecutable ${ASBINARY} if [ $? -eq 1 ]; then logtext "Binary: found ${ASBINARY} (world executable)" + report "compiler[]=${ASBINARY}" AddHP 2 3 HARDEN_COMPILERS_NEEDED=1 else @@ -67,6 +68,7 @@ IsWorldExecutable ${GCCBINARY} if [ $? -eq 1 ]; then logtext "Binary: found ${GCCBINARY} (world executable)" + report "compiler[]=${GCCBINARY}" AddHP 2 3 HARDEN_COMPILERS_NEEDED=1 else From 0d4b25d3089d1f6f31f5c32689f222c575c96a2c Mon Sep 17 00:00:00 2001 
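Review bot: `report "compiler[]=${ASBINARY}"` is emitted only inside the world-executable branch, so the report lists a compiler only when it is also world-executable; if the intent is an inventory of compilers present on the host, the `report` call belongs before the `IsWorldExecutable ${ASBINARY}` check, otherwise a system that has already restricted its compilers reports none. The same applies to the GCC hunk that follows. In both hunks the `else` branch continues outside the hunk, so I cannot see whether the restricted case is reported there.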
From: mboelen Date: Thu, 11 Jun 2015 13:58:16 +0200 Subject: [PATCH 053/167] Disable suggestion for this test --- include/tests_filesystems | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_filesystems b/include/tests_filesystems index 6444a645..9b9561a1 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems @@ -276,7 +276,7 @@ Display --indent 2 --text "- Testing swap partitions" --result WARNING --color RED logtext "Result: possible incorrect mount options used for mounting swap partition (${FIND})" #ReportWarning ${TEST_NO} "L" "Possible incorrect mount options used for swap parition (${FIND})" - ReportSuggestion ${TEST_NO} "Check your /etc/fstab file for swap partition mount options" + #ReportSuggestion ${TEST_NO} "Check your /etc/fstab file for swap partition mount options" logtext "Notes: usually swap partition have 'sw' or 'swap' in the options field (4th)" fi fi From f0026427bbd884476cc68d2adc6d577ee1cbc79c Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 11 Jun 2015 13:58:30 +0200 Subject: [PATCH 054/167] Textual changes --- include/tests_file_permissions | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/include/tests_file_permissions b/include/tests_file_permissions index a62f27e9..a5f30270 100644 --- a/include/tests_file_permissions +++ b/include/tests_file_permissions @@ -5,8 +5,8 @@ # Lynis # ------------------ # -# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands -# Web site: http://www.rootkit.nl +# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com) +# Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. 
@@ -56,4 +56,4 @@ wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands +# Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com From f34e59663f2d1f8a46cc3818831e3a0859904d5b Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 11 Jun 2015 20:50:19 +0200 Subject: [PATCH 055/167] Report hardening index, even when report is not shown --- include/report | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/include/report b/include/report index 82b69c6b..b211f0e1 100644 --- a/include/report +++ b/include/report @@ -87,7 +87,6 @@ HPGRAPH="[${HPCOLOR}${HPBLOCKS}${NORMAL}${HPEMPTY}]" logtext "Hardening index : [${HPINDEX}] [${HPBLOCKS}${HPEMPTY}]" logtext "Hardening strength: ${HIDESCRIPTION}" - report "hardening_index=${HPINDEX}" # ################################################################################# @@ -239,6 +238,10 @@ fi + # Report data, even if it is not displayed on screen + report "hardening_index=${HPINDEX}" + + if [ ${QUIET} -eq 0 ]; then echo " ${PROGRAM_name} ${PROGRAM_version}" From b947bb085c0baa34a30aa167efc3002a7248ae3b Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 17 Jun 2015 17:06:51 +0200 Subject: [PATCH 056/167] Changed detection, added examples of fstab entries --- include/tests_filesystems | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/include/tests_filesystems b/include/tests_filesystems index 9b9561a1..9b7536e8 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems 
@@ -262,21 +262,23 @@ # # Test : FILE-6336 # Description : Check swap mount options + # Examples : [partition] swap swap defaults 0 0 + # [partition] none swap sw 0 0 if [ -f /etc/fstab ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no FILE-6336 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking swap mount options" if [ ${SKIPTEST} -eq 0 ]; then # Swap partitions should be mounted with 'sw' or 'swap' logtext "Test: check swap partitions with incorrect mount options" #FIND=`awk '{ if ($3=="swap" && ($4!="sw" && $4!="swap" && $4!="defaults")) print $1 }' /etc/fstab` - FIND=`awk '{ if ($3=="swap" && $4~/sw/) { print $1 }}' /etc/fstab` + FIND=`awk '{ if ($3=="swap" && ($4~/sw/ || $4=="defaults") { print $1 }}' /etc/fstab` if [ ! "${FIND}" = "" ]; then Display --indent 2 --text "- Testing swap partitions" --result OK --color GREEN logtext "Result: all swap partitions have correct options (sw or swap)" else - Display --indent 2 --text "- Testing swap partitions" --result WARNING --color RED + Display --indent 2 --text "- Testing swap partitions" --result "CHECK NEEDED" --color YELLOW logtext "Result: possible incorrect mount options used for mounting swap partition (${FIND})" #ReportWarning ${TEST_NO} "L" "Possible incorrect mount options used for swap parition (${FIND})" - #ReportSuggestion ${TEST_NO} "Check your /etc/fstab file for swap partition mount options" + ReportSuggestion ${TEST_NO} "Check your /etc/fstab file for swap partition mount options" logtext "Notes: usually swap partition have 'sw' or 'swap' in the options field (4th)" fi fi From 7d3053831195a1a700e079ea1373d17a5510866b Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 17 Jun 2015 17:13:44 +0200 Subject: [PATCH 057/167] Added missing bracket --- include/tests_filesystems | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_filesystems b/include/tests_filesystems index 9b7536e8..e302a3e5 100644 --- a/include/tests_filesystems 
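Review bot: The awk filter now collects the swap entries whose options are acceptable (`sw`-ish or `defaults`), but the branches are still written as if `FIND` held the offending entries: one correctly configured swap line makes the test report OK even if a second swap line has odd options, and in the else branch `(${FIND})` is empty by construction, so the log line never names a partition. Either invert the condition, `awk '{ if ($3=="swap" && !($4~/sw/ || $4=="defaults")) { print $1 }}' /etc/fstab`, and keep the branches as they are (empty `FIND` means OK), or keep the awk and drop `${FIND}` from the message. The same logic is carried unchanged into the follow-up hunk that adds the missing bracket, so the fix applies there too.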
+++ b/include/tests_filesystems @@ -270,7 +270,7 @@ # Swap partitions should be mounted with 'sw' or 'swap' logtext "Test: check swap partitions with incorrect mount options" #FIND=`awk '{ if ($3=="swap" && ($4!="sw" && $4!="swap" && $4!="defaults")) print $1 }' /etc/fstab` - FIND=`awk '{ if ($3=="swap" && ($4~/sw/ || $4=="defaults") { print $1 }}' /etc/fstab` + FIND=`awk '{ if ($3=="swap" && ($4~/sw/ || $4=="defaults")) { print $1 }}' /etc/fstab` if [ ! "${FIND}" = "" ]; then Display --indent 2 --text "- Testing swap partitions" --result OK --color GREEN logtext "Result: all swap partitions have correct options (sw or swap)" From c1b4601f7130926b75b22d508be320b1e6eb89b3 Mon Sep 17 00:00:00 2001 From: Alex Kamsteeg Date: Mon, 13 Jul 2015 09:43:04 +0200 Subject: [PATCH 058/167] Update README.md --- README.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 317cda8d..786c895e 100644 --- a/README.md +++ b/README.md @@ -27,9 +27,8 @@ Main audience: ## First run -Clone or download the project files. No compilation or installation is required. - -Execute: ./lynis audit system +1. Clone or download the project files. No compilation or installation is required. +2. Execute: ./lynis audit system By default If you want to run the software as root, we suggest to alter the ownership of the files. From 6dfe906610201c398ea11de9958b5d028cb45edd Mon Sep 17 00:00:00 2001 From: Alex Kamsteeg Date: Mon, 13 Jul 2015 10:49:50 +0200 Subject: [PATCH 059/167] Fixed styling of command in First Run instructions --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 786c895e..16699264 100644 --- a/README.md +++ b/README.md 
@@ -28,7 +28,7 @@ Main audience: ## First run 1. Clone or download the project files. No compilation or installation is required. -2. Execute: ./lynis audit system +2. Execute: `./lynis audit system` By default If you want to run the software as root, we suggest to alter the ownership of the files. From e8111a124feff0cbacfdc7ae2f62b58a776f0fbe Mon Sep 17 00:00:00 2001 From: mboelen Date: Tue, 14 Jul 2015 00:31:59 +0200 Subject: [PATCH 060/167] Increase default minimum amount of connections before alerting --- include/tests_networking | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/include/tests_networking b/include/tests_networking index ac0d3c43..4188c440 100644 --- a/include/tests_networking +++ b/include/tests_networking 
@@ -447,16 +447,17 @@ # Test : NETW-3028 # Description : Checking for many waiting connections # Type : Performance + # Notes : It is common to see a healthy web server seeing to have several thousands of TCP connections in WAIT state if [ ! "${NETSTATBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no NETW-3028 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking connections in WAIT state" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Using netstat for check for connections in WAIT state" FIND=`${NETSTATBINARY} -an | grep WAIT | wc -l | awk '{ print $1 }'` - if [ "${OPTIONS_CONN_MAX_WAIT_STATE}" = "" ]; then OPTIONS_CONN_MAX_WAIT_STATE="100"; fi + if [ "${OPTIONS_CONN_MAX_WAIT_STATE}" = "" ]; then OPTIONS_CONN_MAX_WAIT_STATE="5000"; fi logtext "Result: currently ${FIND} connections are in a waiting state (max configured: ${OPTIONS_CONN_MAX_WAIT_STATE})." if [ ${FIND} -gt ${OPTIONS_CONN_MAX_WAIT_STATE} ]; then Display --indent 2 --text "- Checking waiting connections" --result WARNING --color YELLOW - ReportWarning ${TEST_NO} "H" "Found too much connections in WAIT state (${FIND})" + ReportSuggestion "${TEST_NO}" "Determine why system has many connections in WAIT state (${FIND})" else Display --indent 2 --text "- Checking waiting connections" --result OK --color GREEN logtext "Result: ${FIND} connections are in WAIT state" From be9177407b30214dfb3b40befc21d85c75a0e3f4 Mon Sep 17 00:00:00 2001 From: mboelen Date: Tue, 14 Jul 2015 00:34:05 +0200 Subject: [PATCH 061/167] Updated changelog for upcoming release --- CHANGELOG | 63 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) diff --git a/CHANGELOG b/CHANGELOG index fbb2dd02..d76e21c5 100644 --- a/CHANGELOG +++ b/CHANGELOG 
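Review bot: `grep WAIT` counts TIME_WAIT, CLOSE_WAIT and FIN_WAIT1/2 sockets together, so raising the default to 5000 and downgrading the finding to a suggestion because TIME_WAIT is normal on a busy web server also hides a large CLOSE_WAIT count, which usually points at an application that is not closing its sockets rather than at load. Counting the states separately, for example `grep -c TIME_WAIT` and `grep -c CLOSE_WAIT` on the netstat output (which also replaces `wc -l | awk '{ print $1 }'`), would let the high default apply to TIME_WAIT only. `[ ${FIND} -gt ${OPTIONS_CONN_MAX_WAIT_STATE} ]` is unquoted, so a non-numeric or empty profile value makes `test` error out rather than fall through to the OK branch. The new Notes line reads "seeing to have several thousands"; "having several thousand" is what is meant.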
@@ -18,6 +18,68 @@ ================================================================================ + = Lynis 2.1.x (2015-xx-xx) = + + This release adds several improvements and in different areas. Support for systems + like CentOS, openSUSE, Slackware is improved. It includes further cleanups of the + code, performance tweaks and more support for common software components. + + Performance: + Performance tuning has been applied, to speed up execution of the audit on + systems with many files. + + Automatic updater: + Initial work on an automatic updater has been implemented. This way Lynis can + be scheduled for updating from a trusted source. + + Internal functions: + As not all systems have readlink, or the -f option of readlink, the + ShowSymlinkPath function has been extended with a Python based check. + + Software support: + Apache module directory /usr/lib64/apache has been added, which is used on openSUSE. + Support for Chef has been added. + + File integrity: + Added tests for CSF's lfd utility for integrity monitoring on directories and + files. Related tests are FINT-4334 and FINT-4336. + + Time sychronization: + Added support for Chrony time daemon and timesync daemon. Additionally NTP + sychronization status is checked when it is enabled. + + Other: + Check for permissions has been extended. + Python binary is now detected, to help with symlink detection. + Several new legal terms, for usage in banners, have been added. + In several files old tests have been removed, to further clean up the code. + The hardening index is inserted into the report, even if it is not displayed on screen. 
+ + Bug fixes: + Nginx test showed error when access_log had multiple parameters + + Functions: + Added AddSystemGroup function + + New tests: + [PKGS-7366] Scan for debsecan utility on Debian systems + [PKGS-7410] Determine amount of installed kernel packages + [TIME-3106] Check synchronization status of NTP on systemd based systems + [CONT-8102] Docker daemon status and gather basic details + [CONT-8104] Check docker info for any Docker warnings + [CONT-8106] Check total, running and unused Docker containers + + Plugins: + [PLGN-2602] Disabled by default, as it may be too slow for some machines + [PLGN-3002] Extended with /sbin/nologin + + Documentation: + A new document has been created to help with the process of upgrading Lynis. + It is available at https://cisofy.com/documentation/lynis/upgrading/ + + -------------------------------------------------------------- + + = Lynis 2.1.0 (2015-04-16) = General: @@ -62,6 +124,7 @@ -------------------------------------------------------------- + = Lynis 2.0.0 (2015-02-25) = From 3caaf0f744dbb7c7fd7f520df60c56ff8d544df9 Mon Sep 17 00:00:00 2001 From: mboelen Date: Tue, 14 Jul 2015 00:34:38 +0200 Subject: [PATCH 062/167] Adjusted connections_max_wait_state --- default.prf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/default.prf b/default.prf index 713070f7..8f79daa5 100644 --- a/default.prf +++ b/default.prf @@ -270,8 +270,8 @@ permdir:/root/.ssh:rwx------:root:-:WARN: # ################################################################################# -# Amount of connections in WAIT state before reporting it as a warning -#config:connections_max_wait_state:50: +# Amount of connections in WAIT state before reporting it as a suggestion +#config:connections_max_wait_state:5000: # Skip security repository check for Debian based systems #config:debian_skip_security_repository:yes: 
@@ -354,7 +354,7 @@ permdir:/root/.ssh:rwx------:root:-:WARN: # Provide options to cURL when uploading data. Common options include: # -k or --insecure --> use HTTPS, but skip certificate check (e.g. self-signed) -# --proxy [http://]proxyserver:8080 --> use HTTP/HTTPS proxy +# --proxy [http://]proxyserver:8080 --> use HTTP/HTTPS proxy # --socks5 proxyserver:8080 --> use SOCKS proxy #config:upload_options:-k: From 9e3fb6f6c243af72f6feae033fab4ce6c967073f Mon Sep 17 00:00:00 2001 From: mboelen Date: Tue, 14 Jul 2015 00:40:22 +0200 Subject: [PATCH 063/167] Updated line --- README.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 16699264..b83144c6 100644 --- a/README.md +++ b/README.md @@ -30,9 +30,8 @@ Main audience: 1. Clone or download the project files. No compilation or installation is required. 2. Execute: `./lynis audit system` -By default -If you want to run the software as root, we suggest to alter the ownership of the files. - +If you want to run the software as root, we suggest to alter the ownership of the files. Use chown -R and +chgrp -R to recursively alter the owner and group. ## Documentation See for full documentation https://cisofy.com/documentation/lynis/ From f341b01e4d637771d978de534891f2545fabfce5 Mon Sep 17 00:00:00 2001 From: James White Date: Wed, 15 Jul 2015 11:50:56 +0100 Subject: [PATCH 064/167] Fix false positive matches with unsafe ports on SQD-3624 The grep statement needs to be modified to prevent tagging port values that contains a value in `SQUID_DAEMON_UNSAFE_PORTS_LIST` but aren't actually the listed port. --- include/tests_squid | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_squid b/include/tests_squid index 0ce03159..98a4380c 100644 --- a/include/tests_squid +++ b/include/tests_squid 
@@ -265,7 +265,7 @@ #SQUID_DAEMON_UNSAFE_PORTS_LIST for I in ${SQUID_DAEMON_UNSAFE_PORTS_LIST}; do logtext "Test: Checking port ${I} in Safe_ports list" - FIND2=`grep "^acl Safe_ports port ${I}" ${SQUID_DAEMON_CONFIG}` + FIND2=`grep -w "^acl Safe_ports port ${I}" ${SQUID_DAEMON_CONFIG}` if [ "${FIND2}" = "" ]; then Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "NOT FOUND" --color GREEN AddHP 1 1 From 5b9c4ad7fda3dce8dab6459aaf41a2bc96ae2386 Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 15 Jul 2015 15:26:51 +0200 Subject: [PATCH 065/167] Add contribution rules --- CONTRIBUTIONS.md | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 CONTRIBUTIONS.md diff --git a/CONTRIBUTIONS.md b/CONTRIBUTIONS.md new file mode 100644 index 00000000..ee21149f --- /dev/null +++ b/CONTRIBUTIONS.md 
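Review bot: `grep -w` stops `port 7` from matching `port 70`, but the anchored pattern still only recognises an unsafe port that is listed first on an `acl Safe_ports port ...` line; squid accepts several ports per line and ranges such as `1025-65535`, so `acl Safe_ports port 80 7` or a range that covers the port is not flagged. Matching the port anywhere in the list, `FIND2=\`grep -Ew "^acl Safe_ports port( +[0-9-]+)* ${I}" "${SQUID_DAEMON_CONFIG}"\``, covers the multi-port case (and quotes the config path); ranges would need a numeric comparison in awk. The loop body continues outside the hunk.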
@@ -0,0 +1,31 @@ +# Contributions + +## Pull Requests +Contributions to the Lynis project should be submitted as a pull request. The upstream +project can be found in our [GitHub repository](https://github.com/CISOfy/lynis). + +By submitting a [Pull Request](https://help.github.com/articles/using-pull-requests/) +to this repository, you agree that you: + +1. Own the contribution that you are providing, or have obtained permission from + the contribution owner + +2. Allow your contribution to be licensed under the license of the target + project (GPLv3) + +3. Allow your contribution to be freely distributed to the Lynis community + +4. Allow the project the [Unlimited Rights](#Unlimited-Rights) to your contribution + + +## Unlimited Rights +Our project is licensed under GPLv3. By providing a contribution to the project, it +will be used for the purpose of the project. Unlimited rights includes the rights to +use, modify, reproduce, release, perform, display, or disclose computer software or +computer software documentation in whole or in part, in any manner and for any +purpose whatsoever, and to have or authorize others to do so. + +If you want to be named in as a contributor in the CONTRIBUTOR file, then include +this notition in your pull request (format: Full Name, with optional the company name +and/or your e-mail address). + From 954482440d5b757da936612a8c045c5150604faa Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 15 Jul 2015 15:48:59 +0200 Subject: [PATCH 066/167] Updated readme files --- README | 20 ++++++++++---------- README.md | 26 +++++++++++++++++--------- 2 files changed, 27 insertions(+), 19 deletions(-) diff --git a/README b/README index 5b4dfcbb..105d0a30 100644 --- a/README +++ b/README 
@@ -29,7 +29,8 @@ Some of the (future) features and usage options: - System and security audit checks - - File Integrity Assessment + - Compliance testing + - File integrity monitoring - System and file forensics - Usage of templates/baselines (reporting and monitoring) - Extended debugging features @@ -93,21 +94,20 @@ - GitHub - https://github.com/CISOfy/lynis - E-mail - lynis-dev@cisofy.com + Contributions are appreciated and can be done via GitHub. See CONTRIBUTIONS.md + for more information about how to submit them. + [+] Support ------------------------------- Lynis is tested on the most common operating systems. The documentation (README, FAQ) and the debugging information in the log file should cover most questions and - problems. Bugs can be reported by filling in the contact form at rootkit.nl, or by - sending an e-mail. + problems. Bugs can be reported via GitHub, or sending an e-mail to the lynis-dev + address above. - NOTE: User related questions should not be asked via the contact form. Read the - documentation, the website resources and the log file for answers to common problems. - - Commercial support is available under strict conditions and depends on the request. - For more information fill in the contact form and describe what kind of service is - requested. + Commercial support is available and provided by CISOfy. For more information use + the contact address on https://cisofy.com/contact/. @@ -119,7 +119,7 @@ this tool we have a commercial version available. Lynis Enterprise Suite uses Lynis to audit systems, but also provides malware scanning, intrusion detection and has additional guidance. For all features, please see our website: - http://cisofy.com/lynis-enterprise/ + https://cisofy.com/lynis-enterprise/ diff --git a/README.md b/README.md index b83144c6..6997db75 100644 --- a/README.md +++ b/README.md 
@@ -3,22 +3,30 @@ lynis Lynis - Security auditing and hardening tool, for Unix based systems -Lynis is an security auditing and hardening tool for Unix derivatives like Linux, BSD and Solaris. It performs -an in-depth security scan on the system to detect software and security issues. Besides information related to -security, it will also scan for general system information, installed packages, and possible configuration -issues. +Lynis is a security auditing for Unix derivatives like Linux, BSD, and Solaris. It performs an in-depth security scan +on the system to detect software and security issues. Besides information related to security, it will also scan for +general system information, installed packages, and possible configuration issues. We believe software should be simple, updated on a regular basis and open. You should be able to trust, understand, and even alter the software. Many agree with us, as the software is being used by thousands every day to protect their systems. -The software is aimed at assisting with automated auditing, configuration management, software patch management, -penetration testing, vulnerability management, and malware scanning of Unix-based systems. +Main goals: +- Automated security auditing +- Compliance testing +- Vulnerability management + +The software aims to also assist with: +- Configuration management +- Software patch management +- Penetration testing +- Malware scanning +- Intrusion detection License: - GPLv3 -Main audience: +Typical users of the software: - System administrators - Auditors - Security officers 
@@ -30,11 +38,11 @@ Main audience: 1. Clone or download the project files. No compilation or installation is required. 2. Execute: `./lynis audit system` -If you want to run the software as root, we suggest to alter the ownership of the files. Use chown -R and +If you want to run the software as root, we suggest altering the ownership of the files. Use chown -R and chgrp -R to recursively alter the owner and group. ## Documentation -See for full documentation https://cisofy.com/documentation/lynis/ +Full documentation: https://cisofy.com/documentation/lynis/ ## Flexibility For people who want to expand tests, it is suggested to use the tests_custom file (template in include directory). From c68d20ba2ce54de8d2fd59f8a4b9d107805dd743 Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 15 Jul 2015 20:02:15 +0200 Subject: [PATCH 067/167] Minor grammar tweaks --- CONTRIBUTIONS.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/CONTRIBUTIONS.md b/CONTRIBUTIONS.md index ee21149f..19a17295 100644 --- a/CONTRIBUTIONS.md +++ b/CONTRIBUTIONS.md @@ -7,7 +7,7 @@ project can be found in our [GitHub repository](https://github.com/CISOfy/lynis) By submitting a [Pull Request](https://help.github.com/articles/using-pull-requests/) to this repository, you agree that you: -1. Own the contribution that you are providing, or have obtained permission from +1. Own the contribution that you are providing or have obtained permission from the contribution owner 2. Allow your contribution to be licensed under the license of the target 
@@ -26,6 +26,6 @@ computer software documentation in whole or in part, in any manner and for any purpose whatsoever, and to have or authorize others to do so. If you want to be named in as a contributor in the CONTRIBUTOR file, then include -this notition in your pull request (format: Full Name, with optional the company name -and/or your e-mail address). +this notition in your pull request. Preferred format: Full Name, with optional the +company name and/or your e-mail address). From 6857f015000e7890a8d7f4b2a1409c8c8aaf104b Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 16 Jul 2015 17:02:15 +0200 Subject: [PATCH 068/167] Added LDAP configuration file location to report, and code cleanups --- include/tests_authentication | 220 ++--------------------------------- 1 file changed, 8 insertions(+), 212 deletions(-) diff --git a/include/tests_authentication b/include/tests_authentication index d5a5c8bd..402cc1f6 100644 --- a/include/tests_authentication +++ b/include/tests_authentication 
@@ -250,27 +250,6 @@
 fi
 #
 #################################################################################
-#
-# # Test : AUTH-9229
-# # Description : Check AIX password file consistency
-# # Notes : Read only mode?
-# if [ -x /usr/bin/usrck ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
-# Register --test-no AUTH-9229 --os AIX --preqs-met ${PREQS_MET} --weight L --network NO --description "Check password file consistency"
-# if [ ${SKIPTEST} -eq 0 ]; then
-# logtext "Test: Checking password file consistency (usrck)"
-# FIND=`/usr/bin/usrck -n ALL 2>; echo $?`
-# if [ "${FIND}" = "0" ]; then
-# Display --indent 2 --text "- Checking password file consistency" --result OK --color GREEN
-# logtext "Result: usrck finished didn't find problems"
-# else
-# Display --indent 2 --text "- Checking password file consistency" --result WARNING --color RED
-# logtext "Result: usrck found one or more errors/warnings in the password file."
-# ReportWarning ${TEST_NO} "M" "usrck found one or more errors/warnings in the password file"
-# ReportSuggestion ${TEST_NO} "Run usrck manually and correct found issues."
-# fi
-# fi
-#
-#################################################################################
 #
 # Test : AUTH-9230
 # Description : Check Solaris password file consistency
@@ -291,47 +270,6 @@ fi # ################################################################################# -# -# # Test : AUTH-9231 -# # Description : Check HP-UX password file consistency -# # Notes : Read only mode? -# if [ -x /usr/sbin/pwck ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi -# Register --test-no AUTH-9231 --os HP-UX --preqs-met ${PREQS_MET} --weight L --network NO --description "Check password file consistency" -# if [ ${SKIPTEST} -eq 0 ]; then -# logtext "Test: Checking password file consistency (pwck)" -# FIND=`/usr/sbin/pwck 2> /dev/null; echo $?` -# if [ "${FIND}" = "0" ]; then -# Display --indent 2 --text "- Checking password file consistency" --result OK --color GREEN -# logtext "Result: pwck finished didn't find problems" -# else -# Display --indent 2 --text "- Checking password file consistency" --result WARNING --color RED -# logtext "Result: pwck found one or more errors/warnings in the password file." -# ReportWarning ${TEST_NO} "M" "pwck found one or more errors/warnings in the password file" -# ReportSuggestion ${TEST_NO} "Run pwck manually and correct found issues." 
-# fi -# fi -# -################################################################################# -# -# # Test : AUTH-9232 -# # Description : Check HP-UX group file consistency -# if [ -x /usr/sbin/grpck ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi -# Register --test-no AUTH-9232 --os HP-UX --preqs-met ${PREQS_MET} --weight L --network NO --description "Check password file consistency" -# if [ ${SKIPTEST} -eq 0 ]; then -# logtext "Test: Checking group file consistency (grpck)" -# FIND=`/usr/sbin/grpck 2> /dev/null; echo $?` -# if [ "${FIND}" = "0" ]; then -# Display --indent 2 --text "- Checking group file consistency" --result OK --color GREEN -# logtext "Result: grpck finished didn't find problems" -# else -# Display --indent 2 --text "- Checking group file consistency" --result WARNING --color RED -# logtext "Result: grpck found one or more errors/warnings in the group file." -# ReportWarning ${TEST_NO} "M" "grpck found one or more errors/warnings in the group file" -# ReportSuggestion ${TEST_NO} "Run grpck manually and correct found issues." -# fi -# fi -# -################################################################################# # # Test : AUTH-9234 # Description : Query user accounts @@ -434,23 +372,6 @@ fi # ################################################################################# -# - # Test : AUTH-9244 - # Description : Query NIS servers - #Register --test-no AUTH-9244 --weight L --network NO --description "Query NIS servers" - #if [ ${SKIPTEST} -eq 0 ]; then - #fi -# -################################################################################# -# - # Test : AUTH-9246 - # Description : Query NIS active - #Register --test-no AUTH-9246 --weight L --network NO --description "Query active NIS servers" - #if [ ${SKIPTEST} -eq 0 ]; then - #if - #grep '^+' /etc/passwd /etc/group -# -################################################################################# # # Test : AUTH-9250 # Description : Check for sudoers file 
@@ -515,65 +436,9 @@ fi # ################################################################################# -# -# # Test : AUTH-9255 -# # Description : Solaris test for unique UIDs -# Register --test-no AUTH-9255 --os Solaris --weight L --network NO --description "Solaris unique UIDs" -# if [ ${SKIPTEST} -eq 0 ]; then -# FIND=`logins -d | awk '{ print $1 }'` -# if [ "${FIND}" = "" ]; then -# logtext "Result: no duplicate accounts found, all accounts have an unique ID" -# Display --indent 2 --text "- Checking unique UIDs on Solaris" --result OK --color GREEN -# else -# for I in ${FIND}; do -# ReportWarning ${TEST_NO} "H" "Found passwordless account (${I})" -# done -# Display --indent 2 --text "- Checking unique UIDs on Solaris" --result WARNING --color RED -# fi -# fi -# -################################################################################# -# - # Test : AUTH-9260 [T] - # Description : Search for account lockout on Linux - # Notes : lib directory should be fixed -# Register --test-no AUTH-9260 --os Linux --weight L --network NO --description "Checking account lockout" -# if [ ${SKIPTEST} -eq 0 ]; then -# logtext "Test: searching for /lib/security/pam_tally.so" -# if [ -f /lib/security/pam_tally.so ]; then -# logtext "Result: /lib/security/pam_tally.so found" -# AddHP 1 1 -# Display --indent 2 --text "- Checking account lockout module (pam_tally)" --result FOUND --color GREEN -# if [ -f /etc/pam.d/system-auth ]; then -# logtext "Test: search for enable pam_tally module in system-auth, with a deny value higher than zero" -# FIND=`grep "account required" /etc/pam.d/system-auth | grep "pam_tally.so" | grep "deny=" | grep -v "deny=0"` -# if [ "${FIND}" = "" ]; then -# logtext "Result: pam_tally properly configured" -# logtext "Output: ${FIND}" -# AddHP 1 1 -# Display --indent 4 --text "- Checking lockout policy" --result FOUND --color GREEN -# else -# logtext "Result: pam_tally not (properly) configured" -# logtext "Output: ${FIND}" -# Display --indent 4 
--text "- Checking lockout policy" --result SUGGESTION --color YELLOW -# AddHP 0 1 -# ReportSuggestion ${TEST_NO} "Configure pam_tally in system-auth: account required /lib/security/pam_tally.so deny=3 no_magic_root reset" -# fi -# else -# logtext "Result: skipped, /etc/pam.d/system-auth not found" -# fi -# else -# logtext "Result: /lib/security/pam_tally.so not found" -# AddHP 0 1 -# Display --indent 2 --text "- Checking account lockout module (pam_tally)" --result "SUGGESTION" --color YELLOW -# ReportSuggestion ${TEST_NO} "Install a PAM module for account lockout to counter brute force attacks" -# fi -# -################################################################################# # # Test : AUTH-9262 # Description : Search for PAM password strength testing libraries - # Notes : YYY (combine with other PAM modules) Register --test-no AUTH-9262 --weight L --network NO --description "Checking presence password strength testing tools (PAM)" if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 @@ -708,11 +573,6 @@ fi # ################################################################################# -# - # Test : AUTH-9270 - # Description : Audit PAM configuration files -# -################################################################################# # # Test : AUTH-9278 # Description : Search LDAP support in PAM files @@ -829,11 +689,6 @@ fi # ################################################################################# -# - # Test : AUTH-9292 - # Description : Check locked accounts (exclamation mark as first char in second column) -# -################################################################################# # # Test : AUTH-9304 # Description : Check if single user mode login is properly configured in Solaris 
@@ -944,12 +799,6 @@ fi # ################################################################################# -# - # Test : AUTH-9322 - # Description : Authentication time restrictions - # /etc/security/time.conf -# -################################################################################# # # Test : AUTH-9328 # Description : Check default umask in common files @@ -1027,7 +876,6 @@ logtext "Result: file /etc/passwd does not exist" fi - # /etc/login.defs logtext "Test: Checking /etc/login.defs" if [ -f /etc/login.defs ]; then @@ -1075,8 +923,7 @@ logtext "Result: file /etc/init.d/functions does not exist" fi - # /etc/init.d/rc [T] - # Always needed? (YYY) + # /etc/init.d/rc logtext "Test: Checking /etc/init.d/rc" if [ -f /etc/init.d/rc ]; then logtext "Result: file /etc/init.d/rc exists" @@ -1101,8 +948,7 @@ logtext "Result: file /etc/init.d/rc does not exist" fi - # /etc/init.d/rcS [T] - # Always needed? (YYY) + # /etc/init.d/rcS logtext "Test: Checking /etc/init.d/rcS" if [ -f /etc/init.d/rcS ]; then logtext "Result: file /etc/init.d/rcS exists" 
@@ -1187,36 +1033,6 @@ fi # ################################################################################# -# - # Test : AUTH-9342 [T] - # Description : AIX account locking - # Notes : /usr/sbin/lsuser -a logretries ALL - # should return ${ACCOUNT_MAX_RETRIES} or less for each user, but not 0 -# -################################################################################# -# - # Test : AUTH-9344 [T] - # Description : HP-UX account locking - # Notes : grep :u_maxtries# /tcb/files/auth/system/default - # should return ${ACCOUNT_MAX_RETRIES} or less, but not 0 -# -################################################################################# -# - # Test : AUTH-9348 [T] - # Description : Delay time after each failed login - # Notes : This control counters brute force attacking by delaying each - # attempt, while giving normal users to try typing in their - # account details after a reasonable delay - # Should return ${ACCOUNT_DELAY_TIME} or more - # (4 seconds would be good) - # AIX - # grep "logindelay" /etc/security/login.cfg - # Linux - # grep "FAIL_DELAY" /etc/login.defs - # HP-UX - # grep ":t_logdelay#" /tcb/files/auth/system/default -# -################################################################################# # # Test : AUTH-9402 # Description : Query LDAP authentication support 
@@ -1238,31 +1054,6 @@ fi # ################################################################################# -# - # Test : AUTH-9404 - # Description : Check LDAP client configuration -# if [ ${LDAP_AUTH_ENABLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi -# Register --test-no AUTH-9404 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query LDAP servers in client configuration" -# if [ ${SKIPTEST} -eq 0 ]; then -# logtext "Test: checking ldap.conf locations" -# for I in ${LDAP_CONF_LOCATIONS}; do -# logtext "Test: checking ${I}" -# if [ -f ${I} ]; then -# logtext "Result: file ${I} exists" -# logtext "Test: checking LDAP servers in file ${I}" -# FIND2=`egrep "^host " ${I} | awk '{ print $2 }'` -# for I in ${FIND2}; do -# Display --indent 6 --text "LDAP server: ${I}" -# logtext "Result: found LDAP server ${I}" -# # YYY check if host(s) are reachable/respond to queries -# done -# else -# logtext "Result: ${I} does NOT exist" -# fi -# done -# fi -# -################################################################################# # # Test : AUTH-9406 # Description : Check LDAP servers in client configuration @@ -1273,12 +1064,14 @@ for I in ${LDAP_CONF_LOCATIONS}; do logtext "Test: checking ${I}" if [ -f ${I} ]; then - logtext "Result: file ${I} exists" + logtext "Result: file ${I} exists, LDAP being used" + LDAP_CLIENT_CONFIG_FILE="${I}" logtext "Test: checking LDAP servers in file ${I}" FIND2=`egrep "^host " ${I} | awk '{ print $2 }'` for I in ${FIND2}; do Display --indent 6 --text "LDAP server: ${I}" logtext "Result: found LDAP server ${I}" + report "ldap_server[]=${I}" # YYY check if host(s) are reachable/respond to queries done else @@ -1324,6 +1117,9 @@ report "ldap_auth_enabled=${LDAP_AUTH_ENABLED}" report "ldap_pam_enabled=${LDAP_PAM_ENABLED}" +if [ ! "${LDAP_CLIENT_CONFIG_FILE}" = "" ]; then + report "ldap_config_file=${LDAP_CLIENT_CONFIG_FILE}" +fi wait_for_keypress 
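Review bot: `LDAP_CLIENT_CONFIG_FILE="${I}"` is assigned inside the `for I in ${LDAP_CONF_LOCATIONS}` loop, so when more than one candidate file exists only the last one reaches the `ldap_config_file=` line added in the `@@ -1324` hunk, while `ldap_server[]=` entries are emitted for all of them and can no longer be tied back to the file they came from. Reporting next to the assignment in the same list form as the new server key, `report "ldap_config_file[]=${I}"`, would keep the two report keys consistent. Nothing in this diff initialises `LDAP_CLIENT_CONFIG_FILE`; the `[ ! "${LDAP_CLIENT_CONFIG_FILE}" = "" ]` test copes with an unset name, but a default in the variable block would make the optional report key visible to a reader. The enclosing test block starts before the hunk.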
From e06d706c837977f50d2ed93f7827c5595e9dbe79 Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 22 Jul 2015 12:20:03 +0200 Subject: [PATCH 069/167] Optimizing code, cleaning up --- include/binaries | 30 ++++++++++++------------------ 1 file changed, 12 insertions(+), 18 deletions(-) diff --git a/include/binaries b/include/binaries index e2569613..ab8f67fe 100644 --- a/include/binaries +++ b/include/binaries @@ -14,7 +14,8 @@ # ################################################################################# # -# Check which tools are installed +# * Check which binaries and tools are installed +# * With the results a customized scan can be performed for every single system. # ################################################################################# # @@ -25,19 +26,14 @@ ################################################################################# # if [ ${CHECK_BINARIES} -eq 1 ]; then - InsertSection "System Tools" - # - ################################################################################# - # + InsertSection "System Tools" + Display --indent 2 --text "- Scanning available tools..." + logtext "Start scanning for available audit binaries and tools..." - Display --indent 2 --text "- Scanning available tools..." - logtext "Start scanning for available audit binaries and tools..." - - # Test : FILE-7502 - # Description : Check all system binaries - # Notes : Always perform test, dependency for many other tests - Register --test-no FILE-7502 --weight L --network NO --description "Check all system binaries" - #if [ ${SKIPTEST} -eq 0 ]; then + # Test : FILE-7502 + # Description : Check all system binaries + # Notes : Always perform test, dependency for many other tests + Register --test-no FILE-7502 --weight L --network NO --description "Check all system binaries" BINARY_PATHS_FOUND=""; N=0 Display --indent 2 --text "- Checking system binaries..." logtext "Status: Starting binary scan..." 
@@ -206,13 +202,11 @@ logtext "Discovered directories: ${BINARY_PATHS_FOUND}" report "binary_paths=${BINARY_PATHS_FOUND}" BINARY_SCAN_FINISHED=1 - #fi - - logtext "Result: found ${N} binaries" - report "binaries_count=${N}" + logtext "Result: found ${N} binaries" + report "binaries_count=${N}" else - logtext "Result: checking binaries skipped in this mode" + logtext "Result: checking of binaries skipped in this mode" fi # From 95d08a735a37d06e23c1bf9d290150c8178ad108 Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 22 Jul 2015 12:20:27 +0200 Subject: [PATCH 070/167] Optimizing code, cleaning up --- include/consts | 89 ++++++++++++++++++-------------------------------- 1 file changed, 32 insertions(+), 57 deletions(-) diff --git a/include/consts b/include/consts index cd85acb9..d0d2b2c9 100644 --- a/include/consts +++ b/include/consts @@ -18,10 +18,7 @@ ################################################################################# # -# Program information - # Paths where system and program binaries are located -# Includes Sun Solaris dirs BINPATHS="/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin \ /usr/local/libexec /usr/libexec /usr/sfw/bin /usr/sfw/sbin \ /usr/sfw/libexec /opt/sfw/bin /opt/sfw/sbin /opt/sfw/libexec \ 
@@ -29,31 +26,9 @@ BINPATHS="/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin \ /usr/pkg/bin /usr/pkg/sbin" # Do not use specific language, fall back to default +# Some tools with translated strings are very hard to parse unset LANG -# -################################################################################# -# -# Deprecated -# -################################################################################# -# - HOME_HISTORY_AUDIT_TITLE="Incorrect history file types" - HOME_HISTORY_AUDIT_DESCRIPTION="" - - HOME_HISTORY_LOG_TITLE="History files type check" - HOME_HISTORY_LOG_DESCRIPTION="History files type check" - HOME_HISTORY_LOG_TEXT="History files are normally of the type 'file'. Symbolic links and other types can be riskful" - - HOME_PATH_LOG_MESSAGE="A single dot in the PATH variable of a user can be a risk, while executing commands in for example a home directory." - - USER_PASSWD_DOUBLEUID_AUDIT_TITLE="Non unique UIDs" - USER_PASSWD_DOUBLEUID_AUDIT_DESCRIPTION="Non unique UIDs in passwd file" - USER_PASSWD_DOUBLEUID_AUDIT_TEXT="Non unique UIDs can riskful for the system or part of a configuration mistake" - - KERNEL_ACTIVE_MODULES_TITLE="Active kernel modules (KLDs)" - KERNEL_ACTIVE_MODULES_DESCRIPTION="View all active kernel modules (including kernel)" - KERNEL_ACTIVE_MODULES_TEXT="Displays the loaded kernel modules in memory. Make sure to check the integrity of the kld tools." # ################################################################################# # 
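Review bot: Dropping the "Deprecated" string constants here lands one commit before their remaining consumers are updated: `${USER_PASSWD_DOUBLEUID_AUDIT_TITLE}`, `${USER_PASSWD_DOUBLEUID_AUDIT_TEXT}`, `${HOME_HISTORY_LOG_TEXT}` and `${KERNEL_ACTIVE_MODULES_TITLE}` are still expanded in logtext calls in tests_authentication, tests_homedirs and tests_kernel until the following patch in this series inlines the text, so at this commit those log lines are written with empty remarks. Folding the constant removal into that patch, or landing the reference update first, would keep every commit in the series self-consistent, which matters when bisecting. The added note above `unset LANG` explaining why the locale is dropped is a useful addition.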
@@ -147,29 +122,29 @@ unset LANG # ################################################################################# # -# == Options == +# * Options # -# Option Description -# -------------------------------------------------------------------------- - CRONJOB=0 # Run as a cronjob - CTESTS_PERFORMED=0 # Number of tests which are performed +################################################################################# +# + CRONJOB=0 # Run as a cronjob + CTESTS_PERFORMED=0 # Number of tests which are performed DEBUG=0 # Debugging mode (to screen) HPPOINTS=0 # Number of hardening points HPTOTAL=0 # Maximum number of hardening points - LOG_INCORRECT_OS=1 # Log tests with incorrect OS - NEVERBREAK=0 # Don't wait for user input + LOG_INCORRECT_OS=1 # Log tests with incorrect OS + NEVERBREAK=0 # Don't wait for user input PENTESTINGMODE=0 # Try tests without root privileges - QUICKMODE=0 # Don't wait for user input - QUIET=0 # Show normal messages and warnings as well - SHOW_TOOL_TIPS=1 # Show inline tool tips (default true) - SKIPLOGTEST=0 # Skip logging for one test - SKIP_UPGRADE_TEST=0 # Skip upgrade test - TESTS_TO_PERFORM="" # Which tests only to perform - TEST_PAUSE_TIME=0 # Default pause time - TOTAL_TESTS=0 # Total amount of tests (counter) + QUICKMODE=0 # Don't wait for user input + QUIET=0 # Show normal messages and warnings as well + SHOW_TOOL_TIPS=1 # Show inline tool tips (default true) + SKIPLOGTEST=0 # Skip logging for one test + SKIP_UPGRADE_TEST=0 # Skip upgrade test + TESTS_TO_PERFORM="" # Which tests only to perform + TEST_PAUSE_TIME=0 # Default pause time + TOTAL_TESTS=0 # Total amount of tests (counter) UPLOAD_DATA=0 # Upload of data to central node - VIEWHELP=0 # Show help - WRONGOPTION=0 # A wrong option is used + VIEWHELP=0 # Show help + WRONGOPTION=0 # A wrong option is used # ################################################################################# # 
@@ -178,24 +153,24 @@ unset LANG # ################################################################################# # -# Colors +# * Colors +# +# For improved display # ################################################################################# # -# Color name Description -# -------------------------------------------------------------------------- - NORMAL="" - WARNING="" # Bad (red) - SECTION="" # Section (yellow) - NOTICE="" # Notice (yellow) - OK="" # Ok (green) - BAD="" # Bad (red) + NORMAL="" + WARNING="" # Bad (red) + SECTION="" # Section (yellow) + NOTICE="" # Notice (yellow) + OK="" # Ok (green) + BAD="" # Bad (red) - # Real color names - YELLOW="" # Yellow - WHITE="" # White - GREEN="" # Green - RED="" # Red + # Normal color names + YELLOW="" + WHITE="" + GREEN="" + RED="" PURPLE="" MAGENTA="" BROWN="" From afaecd951297d2ad14266448f608668e7621bc50 Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 22 Jul 2015 12:21:36 +0200 Subject: [PATCH 071/167] Removing deprecated strings and cleaning up --- include/tests_accounting | 49 ++---------------------------------- include/tests_authentication | 6 ++--- include/tests_homedirs | 2 +- include/tests_kernel | 4 +-- 4 files changed, 7 insertions(+), 54 deletions(-) diff --git a/include/tests_accounting b/include/tests_accounting index d32f4b33..146b7589 100644 --- a/include/tests_accounting +++ b/include/tests_accounting @@ -5,8 +5,8 @@ # Lynis # ------------------ # -# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands -# Web site: http://www.rootkit.nl +# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com) +# Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. 
@@ -326,15 +326,6 @@ fi # ################################################################################# -# - # Test : ACCT-9658 - # Description : Check required audit files in /etc/security - #if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - #Register --test-no ACCT-9658 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check required audit files" - #if [ ${SKIPTEST} -eq 0 ]; then - #fi -# -################################################################################# # # Test : ACCT-9662 # Description : Check location for audit events @@ -367,22 +358,6 @@ fi # ################################################################################# -# - # Test : ACCT-96xx - # Description : Check which events are audited - #if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - #Register --test-no ACCT-96xx --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check BSM auditing in module list" - #if [ ${SKIPTEST} -eq 0 ]; then -# -################################################################################# -# - # Test : ACCT-96xx - # Description : Check user specific event auditing - #if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - #Register --test-no ACCT-96xx --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check user specific event auditing" - #if [ ${SKIPTEST} -eq 0 ]; then -# -################################################################################# # # Test : ACCT-9672 # Description : check auditstat 
@@ -405,26 +380,6 @@ ################################################################################# # - # Test : ACCT-9680 - # Description : Check if required packages are installed - #if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - #Register --test-no ACCT-9662 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check BSM auditing in module list" - #if [ ${SKIPTEST} -eq 0 ]; then - # - # Solaris 10 packages - # bash-3.00# pkginfo | egrep 'SUNWcar|SUNWcsr|SUNWcsu|SUNWhea|SUNWman' - #system SUNWcar Core Architecture, (Root) - #system SUNWcsr Core Solaris, (Root) - #system SUNWcsu Core Solaris, (Usr) - #system SUNWhea SunOS Header Files - #system SUNWman On-Line Manual Pages - -# -################################################################################# -# -# Check psacct package (ac, lastcomm, accton, sa) -# Check auditd (auditctl, ausearch, aureport) - wait_for_keypress # diff --git a/include/tests_authentication b/include/tests_authentication index 402cc1f6..442e20ab 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -58,10 +58,8 @@ # # Test : AUTH-9208 # Description : Check non-unique accounts - Register --test-no AUTH-9208 --weight L --network NO --description "Check non-unique accounts" + Register --test-no AUTH-9208 --weight L --network NO --description "Check non-unique accounts in passwd file" if [ ${SKIPTEST} -eq 0 ]; then - logtext "Test: ${USER_PASSWD_DOUBLEUID_AUDIT_TITLE}" - logtext "Description: ${USER_PASSWD_DOUBLEUID_AUDIT_DESCRIPTION}" logtext "Test: Checking for non-unique accounts" if [ "${OS}" = "DragonFly" -o "${OS}" = "FreeBSD" -o "${OS}" = "NetBSD" ]; then PASSWD_FILE="/etc/master.passwd" 
@@ -84,7 +82,7 @@
 Display --indent 2 --text "- Checking UIDs" --result SKIPPED --color WHITE
 logtext "Result: test skipped, ${PASSWD_FILE} file not available"
 fi
- logtext "Remarks: ${USER_PASSWD_DOUBLEUID_AUDIT_TEXT}"
+ logtext "Remarks: Non unique UIDs can riskful for the system or part of a configuration mistake"
 fi
 #
 #################################################################################
diff --git a/include/tests_homedirs b/include/tests_homedirs
index 7afe5068..81127eb8 100644
--- a/include/tests_homedirs
+++ b/include/tests_homedirs
@@ -69,7 +69,7 @@
 logtext "Info: above files could be redirected files to avoid logging and should be investigated"
 ReportWarning ${TEST_NO} "M" "Incorrect file type found for shell history file"
 fi
- logtext "Remarks: ${HOME_HISTORY_LOG_TEXT}"
+ logtext "Remarks: History files are normally of the type 'file'. Symbolic links and other types can be riskful."
 else
 Display --indent 2 --text "- Checking shell history files" --result SKIPPED --color WHITE
 logtext "Result: Homedirs is empty, test will be skipped"
diff --git a/include/tests_kernel b/include/tests_kernel
index 4a5f437a..a7cb4a91 100644
--- a/include/tests_kernel
+++ b/include/tests_kernel
@@ -286,8 +286,8 @@
 Register --test-no KRNL-5745 --os FreeBSD --weight L --network NO --description "Checking FreeBSD loaded kernel modules"
 if [ ${SKIPTEST} -eq 0 ]; then
 Display --indent 2 --text "- Checking active kernel modules"
- logtext "Test: ${KERNEL_ACTIVE_MODULES_TITLE}"
- logtext "Description: ${KERNEL_ACTIVE_MODULES_DESCRIPTION}"
+ logtext "Test: Active kernel modules (KLDs)"
+ logtext "Description: View all active kernel modules (including kernel)"
 logtext "Test: Checking modules"
 if [ -f /sbin/kldstat ]; then
 FIND=`kldstat | grep -v 'Name' | tr -s ' ' | cut -d ' ' -f6`
From fd5c968d16d8ac541d4647a9c9ab2caf103a1b68 Mon Sep 17 00:00:00 2001
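Review bot: The new literal `logtext "Remarks: Non unique UIDs can riskful for the system or part of a configuration mistake"` in the tests_authentication hunk carries the grammatical error over from the constant it replaces; since the text is now inlined, this is the moment to fix it, e.g. `logtext "Remarks: Non-unique UIDs can be a risk for the system or indicate a configuration mistake"`. The tests_homedirs hunk has the same "can be riskful" wording, which would read better as `Symbolic links and other types can be a risk.`. The tests_kernel hunk is fine as written.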
From: mboelen Date: Wed, 22 Jul 2015 13:44:30 +0200 Subject: [PATCH 072/167] Cleaning up some lines --- include/functions | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/include/functions b/include/functions index 2245bc80..d2db98ce 100644 --- a/include/functions +++ b/include/functions @@ -5,8 +5,8 @@ # Lynis # ------------------ # -# Copyright 2007-2015, Michael Boelen - CISOfy -# https://cisofy.com +# Copyright 2007-2015, Michael Boelen - CISOfy (michael.boelen@cisofy.com) +# Website: https://cisofy.com # # This software is licensed under GPL, version 3. See LICENSE file for # usage of this software. @@ -132,7 +132,6 @@ # Check updates CheckUpdates() { - # Possible improvement: determine if host binary exists YYY PROGRAM_LV="0000000000"; DB_MALWARE_LV="0000000000"; DB_FILEPERMS_LV="0000000000" LYNIS_LV_RECORD="lynis-latest-version.cisofy.com." FIND=`which dig 2> /dev/null` @@ -352,8 +351,6 @@ fi fi - # YYY check group ownership (just in case) - # Check if we have the read bit if [ "${OTHERPERMS}" = "r" ]; then CANREAD=1 @@ -824,12 +821,12 @@ NGINX_EXPIRES_FOUND=1 ;; error_log) - # YYY Check if debug is appended + # Check if debug is appended FIND=`echo ${VALUE} | awk '{ if ($2=="debug") { print 1 } else { print 0 }}'` if [ ${FIND} -eq 1 ]; then NGINX_ERROR_LOG_DEBUG=1 fi - # YYY Check if file exists + # Check if log file exists FILE=`echo ${VALUE} | awk '{ print $1 }'` if [ ! "${FILE}" = "" ]; then if [ ! -f ${FILE} ]; then From 2b1061ef14687d1c1d24c38a73c14bf4f6973d19 Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 22 Jul 2015 13:47:44 +0200 Subject: [PATCH 073/167] Added suggestions for Solaris auditing --- include/tests_accounting | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/include/tests_accounting b/include/tests_accounting index 146b7589..5c3bda3c 100644 --- a/include/tests_accounting +++ b/include/tests_accounting 
@@ -344,12 +344,13 @@
 Display --indent 4 --text "- Checking Solaris audit location" --result FOUND --color GREEN
 else
 logtext "Result: location ${FIND} does not exist"
- # YYY perform manual audit
- Display --indent 4 --text "- Checking Solaris audit location" --result UNKNOWN --color YELLOW
+ Display --indent 4 --text "- Checking Solaris audit location" --result "NOT FOUND" --color YELLOW
+ ReportSuggestion "${TEST_NO}" "Check if the Solaris audit directory is available"
 fi
 else
 logtext "Result: unknown event location"
 Display --indent 4 --text "- Checking Solaris audit location" --result UNKNOWN --color YELLOW
+ ReportSuggestion "${TEST_NO}" "Check if the Solaris audit directory is properly configured"
 fi
 else
 logtext "Result: could not find /etc/security/audit_control"
From 8f9a61685457c92bbce9eb095b01cb0ddbfc1033 Mon Sep 17 00:00:00 2001
From: mboelen
Date: Wed, 22 Jul 2015 14:26:25 +0200
Subject: [PATCH 074/167] Add more descriptive text to the template
---
 include/tests_custom.template | 37 +++++++++++++++++++++++++++--------
 1 file changed, 29 insertions(+), 8 deletions(-)
diff --git a/include/tests_custom.template b/include/tests_custom.template
index 14c6ae75..900d7711 100644
--- a/include/tests_custom.template
+++ b/include/tests_custom.template
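Review bot: The suggestion added in the "does not exist" branch does not name the directory that was looked up, even though the preceding logtext already has it in `${FIND}`; `ReportSuggestion "${TEST_NO}" "Check if the Solaris audit directory ${FIND} is available"` gives the reader of the report something actionable without opening the log file. The quoted `"${TEST_NO}"` differs from the unquoted `ReportSuggestion ${TEST_NO}` form used elsewhere in this series (visible in the removed AUTH-9229/9231 blocks); the quoted form is the safer one, so it is worth applying consistently rather than mixing both. The enclosing if-chain starts before the hunk.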
@@ -29,25 +29,46 @@ ################################################################################# # # Test : CUST-0010 + # Author : Your name # Description : Check for something interesting - template - # This test first checks if OpenSSL binary was found + # Notes : This test first checks if OpenSSL binary was found + + # * Prerequisites check + # + # We check first if a variable is defined (OPENSSLBINARY). + # Other good options to check for: + # -f /etc/file + # -d /var/run/mydirectory + # ${MYVARIABLE} -eq 1 if [ ! -z "${OPENSSLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no CUST-0010 --preqs-met ${PREQS_MET} --weight L --network NO --description "My description" + + # * Test registration + # + # Register the test, with custom ID CUST-0010, and only execute it when the prerequisites were met + Register --test-no CUST-0010 --preqs-met ${PREQS_MET} --weight L --network NO --description "My description of what this test does" + # Or you could use this one without any dependencies # Register --test-no CUST-0010 --weight L --network NO --description "My description" + + # If everything is fine, perform test if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 logtext "Test: checking something" - ReportWarning ${TEST_NO} "M" "Test warning" if [ ${FOUND} -eq 0 ]; then - Display --indent 4 --text "- Performing custom test 1" --result OK --color GREEN - logtext "Result: the test looks great!" + Display --indent 4 --text "- Performing custom test" --result OK --color GREEN + logtext "Result: the test result looks great!" + + # Optional: create a suggestion after a specific finding + #ReportSuggestion "${TEST_NO}" "This is my suggestion to improve the system even further." + else - Display --indent 4 --text "- Performing custom test 1" --result WARNING --color RED - logtext "Result: hmm bad result of this test :(" - ReportSuggestion ${TEST_NO} "This could be better!" 
+ Display --indent 4 --text "- Performing custom test" --result WARNING --color RED + logtext "Result: this test had a bad result :(" + # Throw a warning to the screen and report + ReportWarning ${TEST_NO} "M" "This is a warning message" fi fi + # ################################################################################# # From 17c44ced52c7d503e78ab52034d20dcfa010b8d4 Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 22 Jul 2015 14:57:57 +0200 Subject: [PATCH 075/167] Include examples and clarify usage --- include/tests_custom.template | 27 ++++++++++++++++----------- 1 file changed, 16 insertions(+), 11 deletions(-) diff --git a/include/tests_custom.template b/include/tests_custom.template index 900d7711..73cbc9ff 100644 --- a/include/tests_custom.template +++ b/include/tests_custom.template 
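Review bot: The prerequisite example `${MYVARIABLE} -eq 1` added near the top of the hunk makes `[` fail with "unary operator expected" when the variable is unset or empty, which is exactly the case a prerequisite check exists to catch; in a template people copy from, show the safe form, `[ "${MYVARIABLE}" = "1" ]`, or at least quote the expansion. Further down, the new `ReportWarning ${TEST_NO} "M" "This is a warning message"` passes `${TEST_NO}` unquoted while the ReportSuggestion example a few lines above quotes it; write both as `"${TEST_NO}"` so the template teaches one convention. The section header and the closing `#####` line of this test lie outside the hunk.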
@@ -33,22 +33,27 @@ # Description : Check for something interesting - template # Notes : This test first checks if OpenSSL binary was found - # * Prerequisites check + # * Prerequisites Check + # ----------------------- # - # We check first if a variable is defined (OPENSSLBINARY). - # Other good options to check for: - # -f /etc/file - # -d /var/run/mydirectory - # ${MYVARIABLE} -eq 1 - if [ ! -z "${OPENSSLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + # Check first if any dependency. If it doesn't meet, the test will be skipped after registration (SKIPTEST == 1) + # + # Examples: + # -f /etc/file = Test if file exists + # -d /var/run/mydirectory = Test if directory exists + # ${MYVARIABLE} -eq 1 = Test if variable is set to 1 + # "${MYVARIABLE}" = "Value" = Test if variable is equal to specific value - # * Test registration + if [ -f /etc/myfile ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + + # * Registration of Test + # ------------------------ # # Register the test, with custom ID CUST-0010, and only execute it when the prerequisites were met - Register --test-no CUST-0010 --preqs-met ${PREQS_MET} --weight L --network NO --description "My description of what this test does" + Register --test-no CUST-0010 --preqs-met ${PREQS_MET} --weight L --network NO --description "Description of what this test does" - # Or you could use this one without any dependencies - # Register --test-no CUST-0010 --weight L --network NO --description "My description" + # Or we could use this test without any dependencies + # Register --test-no CUST-0010 --weight L --network NO --description "Description of what this test does" # If everything is fine, perform test if [ ${SKIPTEST} -eq 0 ]; then From 13c8de88a67e4513c53483f67610e190e54065ee Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 22 Jul 2015 16:27:17 +0200 Subject: [PATCH 076/167] Changes to release version 2.1.1 --- lynis | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) 
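Review bot: The example prerequisite now becomes `if [ -f /etc/myfile ]`, but the context line at the top of the hunk still reads `# Notes : This test first checks if OpenSSL binary was found`, so the template contradicts itself after this change; update it to `# Notes : This test first checks if a file exists`. The new Examples list still carries `${MYVARIABLE} -eq 1 = Test if variable is set to 1`, which errors when the variable is unset, so quote it or prefer `"${MYVARIABLE}" = "1"`. The sentence `# Check first if any dependency. If it doesn't meet, the test will be skipped` reads awkwardly; `# Check any prerequisites first. If they are not met, the test is skipped after registration (SKIPTEST == 1)` says the same thing clearly. The test body continues past the end of the hunk.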
diff --git a/lynis b/lynis index 3ca57f7d..c67b4ac1 100755 --- a/lynis +++ b/lynis @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2015 Michael Boelen, CISOfy (michael.boelen@cisofy.com) -# Website: https://cisofy.com +# Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. @@ -23,7 +23,7 @@ # Program information PROGRAM_name="Lynis" PROGRAM_version="2.1.1" - PROGRAM_releasedate="27 May 2015" + PROGRAM_releasedate="22 July 2015" PROGRAM_author="CISOfy" PROGRAM_author_contact="lynis-dev@cisofy.com" PROGRAM_website="https://cisofy.com" @@ -305,10 +305,10 @@ echo " ${YELLOW}Note: ${WHITE}Cancelling the program can leave temporary files behind${NORMAL}" echo "" wait_for_keypress + # Deleting temporary files + # Note: Display function does not work yet at this point if [ -f lynis.pid ]; then rm -f lynis.pid; fi if [ -f /var/run/lynis.pid ]; then rm -f /var/run/lynis.pid; fi - #YYY Display function not working yet from here, due to OS detection - #Display --indent 2 --text "- Deleting old PID file..." --result DONE --color GREEN fi # Create new PID file (use work directory if /var/run is not available) @@ -499,7 +499,6 @@ echo " Report file: ${REPORTFILE}" echo " Report version: ${REPORT_version}" echo " Plugin directory: ${PLUGINDIR}" - #echo " Database directory: ${DBDIR}" echo " ---------------------------------------------------" fi @@ -522,9 +521,7 @@ logtext "-----------------------------------------------------" logtext "Include directory: ${INCLUDEDIR}" logtext "Plugin directory: ${PLUGINDIR}" - logtext "Database directory: ${DBDIR}" logtextbreak - #wait_for_keypress # ################################################################################# From 1775590ba70ce52d6362141e395ecc1e80ddc4fa Mon Sep 17 00:00:00 2001 
From: mboelen Date: Wed, 22 Jul 2015 16:27:39 +0200 Subject: [PATCH 077/167] Updated documentation --- CONTRIBUTORS | 12 +++++++++--- FAQ | 25 +++++++++++++------------ README | 11 +++++++---- 3 files changed, 29 insertions(+), 19 deletions(-) diff --git a/CONTRIBUTORS b/CONTRIBUTORS index f90af8f3..015e55ba 100644 --- a/CONTRIBUTORS +++ b/CONTRIBUTORS @@ -1,16 +1,22 @@ ================================================================================ - Lynis - CONTRIBUTIONS + Lynis - CONTRIBUTORS ================================================================================ The Lynis project is very thankful for the following individuals who - contributed to the project. They invested time and effort to report issues - and send in related patches to improve the software and other components. + contributed to the project. ================================================================================ + Want to contribute as well? Here are some suggestions: + + - New tests for your favorite daemons + - Report (unexpected) screen errors + - Missing results + - Check for grammar issues + [+] Patches, bug fixes and suggestions ------------------------------------------ diff --git a/FAQ b/FAQ index 21bad933..858bddfd 100644 --- a/FAQ +++ b/FAQ @@ -7,9 +7,11 @@ Author: Michael Boelen (michael.boelen@cisofy.com) Description: Security and system auditing tool - Website: https://cisofy.com/lynis/ + Web site: https://cisofy.com/lynis/ + GitHub: https://github.com/CISOfy/lynis + Support address: lynis-dev@cisofy.com Development: May 2007 - Now - Suppor: See README file and https://cisofy.com/support/ + Support: See README file and https://cisofy.com/support/ Documentation: See web site, README, FAQ and CHANGELOG file ================================================================================ 
@@ -18,9 +20,9 @@ ------------------------------- Q: I don't understand the program (output), what to do? - A: Keep reading this FAQ, then continue with reading the README file, followed - by the log file (default: /var/log/lynis.log). After those sources, check - the documentation on the website. + A: Keep reading this FAQ. Also useful are the README file and the log file + (default: /var/log/lynis.log). Or check out the documentation on the + website: https://cisofy.com/support/ Q: I can't find any configuration file for Lynis, where is it? A: There isn't one (currently), since all options are available as command @@ -30,11 +32,10 @@ Q: Why is there no port/package for my operating system? A: Because there is no maintainer for it yet. If you have the time to keep - the port/package current for your preferred operating system, fill in the - contact form to notify me and confirm no one else is working on it. + the port/package current for your preferred operating system, let us know. Q: What to do with the report files? - A: The output could be used for monitoring (baseline checks). For user of the + A: The output could be used for monitoring (baseline checks). For users of the Lynis Enterprise Suite, they will be used to upload data. @@ -42,7 +43,7 @@ [+] Bugs or issues ------------------------------- Q: Where can I report an issue or bug? - A: Use the developer e-mail address lynis-dev@cisofy.com + A: GitHub, or use the developer e-mail address lynis-dev@cisofy.com 
@@ -72,12 +73,12 @@ invoke Lynis (example: bash lynis -c). Q: One or more tests are giving incorrect output. How to solve that? - A: Check the log file. If that also has incorrect data, fill in the contact - form and describe the issue. + A: Check the log file. If that also has incorrect data, let us know via GitHub + or the developer e-mail address. Q: The program takes long to complete and also uses too much resources. Can it be tuned? - A: The time it takes to complete is depends on the amount of tests to run. + A: The time it takes to complete depends on the amount of tests to run. However the resources it take can be slighty lowered by increasing the pause_between_tests profile option. Keep in mind this increases the total length of the scan to complete. diff --git a/README b/README index 105d0a30..debc1002 100644 --- a/README +++ b/README @@ -15,11 +15,14 @@ ================================================================================ - == The website contains up-to-date documentation == + *** NOTE *** + + The website contains the latest documentation See https://cisofy.com/documentation/lynis/ + [+] Introduction ------------------------------- @@ -46,7 +49,7 @@ - License: GPL v3 - Language: Shell script - Author: Michael Boelen, CISOfy - - Website: https://cisofy.com + - Web site: https://cisofy.com - Required permissions: root preferred, not needed - Other requirements: write access to /tmp @@ -91,8 +94,8 @@ ------------------------------- If you have input to improve Lynis, let us know via: - - GitHub - https://github.com/CISOfy/lynis - - E-mail - lynis-dev@cisofy.com + * GitHub - https://github.com/CISOfy/lynis + * E-mail - lynis-dev@cisofy.com Contributions are appreciated and can be done via GitHub. See CONTRIBUTIONS.md for more information about how to submit them. From 66fb36959339c2b6b4594ca11ffdb0e279164e50 Mon Sep 17 00:00:00 2001 
From: mboelen Date: Wed, 22 Jul 2015 16:28:11 +0200 Subject: [PATCH 078/167] Copyright line changes and cleanups --- include/tests_authentication | 41 +------------------- include/tests_banners | 20 ---------- include/tests_boot_services | 58 +---------------------------- include/tests_containers | 1 - include/tests_crypto | 1 - include/tests_insecure_services | 15 ++------ include/tests_kernel | 8 +--- include/tests_kernel_hardening | 6 +-- include/tests_ldap | 6 +-- include/tests_logging | 11 +----- include/tests_mac_frameworks | 24 ++++-------- include/tests_mail_messaging | 66 ++------------------------------- include/tests_malware | 40 +++++++------------- include/tests_memory_processes | 19 ++-------- include/tests_nameservices | 9 ++--- include/tests_networking | 28 +++----------- include/tests_php | 30 ++------------- include/tests_ports_packages | 55 ++------------------------- 18 files changed, 60 insertions(+), 378 deletions(-) diff --git a/include/tests_authentication b/include/tests_authentication index 442e20ab..b00ef5ad 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -389,7 +389,6 @@ if [ ${FOUND} -eq 1 ]; then logtext "Result: sudoers file found (${SUDOERS_FILE})" Display --indent 2 --text "- Checking sudoers file" --result FOUND --color GREEN - # YYY add more tests to audit sudoers file else logtext "Result: sudoers file NOT found" Display --indent 2 --text "- Checking sudoers file" --result "NOT FOUND" --color YELLOW @@ -590,7 +589,6 @@ else logtext "Result: LDAP module not found" Display --indent 2 --text "- Checking LDAP module in PAM" --result "NOT FOUND" --color WHITE - # YYY display message when ldap is enabled in /etc/passwd, but not found in PAM fi else logtext "Result: file /etc/pam.d/common-auth not found, skipping test" 
@@ -673,7 +671,6 @@ logtext "Test: Checking PASS_MAX_DAYS option in /etc/login.defs " FIND=`grep "^PASS_MAX_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MAX_DAYS") { print $2 } }'` if [ "${FIND}" = "" -o "${FIND}" = "99999" ]; then - # YYY check if LDAP is used with password policies logtext "Result: password aging limits are not configured" Display --indent 2 --text "- Checking user password aging" --result DISABLED --color YELLOW ReportSuggestion ${TEST_NO} "Configure password aging limits to enforce password changing on a regular base" @@ -690,7 +687,7 @@ # # Test : AUTH-9304 # Description : Check if single user mode login is properly configured in Solaris - # Notes : sulogin should be called from svm script (Solaris <10) in /etc/rcS.d (YYY) + # Notes : sulogin should be called from svm script (Solaris <10) in /etc/rcS.d Register --test-no AUTH-9304 --os Solaris --weight L --network NO --description "Check single user login configuration" if [ ${SKIPTEST} -eq 0 ]; then # Check if file exists (Solaris 10 does not have this file by default) @@ -791,7 +788,6 @@ AddHP 2 2 fi else - # YYY logtext "Result: No inittab or init file found, unsure if system is protected" fi fi @@ -1070,7 +1066,6 @@ Display --indent 6 --text "LDAP server: ${I}" logtext "Result: found LDAP server ${I}" report "ldap_server[]=${I}" - # YYY check if host(s) are reachable/respond to queries done else logtext "Result: ${I} does NOT exist" 
@@ -1079,38 +1074,6 @@ fi # ################################################################################# -# - # Test : AUTH-92xx - # Description : login.access checks - #Register --test-no AUTH-92xx --weight L --network NO --description "login.access checks" -# -################################################################################# -# -# pam_unix.so -# pam_cracklib.so -# pam_pwcheck.so -# pam_env.so -# pam_xauth.so -# pam_tally.so -# pam_wheel.so -# pam_limits.so -# pam_nologin.so -# pam_deny.so -# pam_securetty.so -# pam_time.so -# pam_access.so -# pam_listfile.so -# pam_lastlog.so -# pam_warn.so -# pam_console.so -# pam_resmgr.so -# pam_devperm.so -# -################################################################################# -# -# sudoers: Check for potential harmful commands like vi, echo, cat -# -################################################################################# # report "ldap_auth_enabled=${LDAP_AUTH_ENABLED}" @@ -1123,4 +1086,4 @@ wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com +# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com diff --git a/include/tests_banners b/include/tests_banners index 610f7cae..96e3998e 100644 --- a/include/tests_banners +++ b/include/tests_banners 
@@ -221,29 +221,9 @@ # ################################################################################# # -# /etc/dt/config/*/Xresources -# /etc/default/telnetd (telnet without TCP wrappers) -# /etc/default/ftpd (ftp without TCP wrappers) -# /etc/ftpd/banner.msg (ftp without TCP wrappers on Solaris) -# /etc/ftpaccess (HP-UX) -# /etc/ftpmotd (AIX) -# /etc/ftpaccess.ctl (AIX) -# /etc/security/login.cfg (AIX) -# /etc/X11/xdm/Xresources -# /etc/X11/xdm/kdmrc -# /etc/X11/gdm/gdm -# /etc/vsftpd.conf -# -################################################################################# -# wait_for_keypress -# -################################################################################# -# -# Notes: -# HPUX: /etc/copyright # #================================================================================ # Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com diff --git a/include/tests_boot_services b/include/tests_boot_services index 972855e8..5ce609f8 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services @@ -144,9 +144,6 @@ GRUBCONFFILE="/boot/grub2/grub.cfg" fi logtext "Result: found GRUB2 configuration file (${GRUBCONFFILE})" - # YYY password check, when documentation of GRUB2 project is improved - # YYY Add check permission check (600) - fi # Some OSes like Gentoo do not have /boot mounted by default @@ -263,7 +260,6 @@ logtext "Result: LILO password option set" AddHP 4 4 fi - #YYY (making /etc/lilo.conf immutable is a good idea, chattr +i /etc/lilo.conf) else logtext "Result: can not read ${LILOCONFFILE} (no permission)" fi @@ -318,7 +314,6 @@ if [ -f /etc/yaboot.conf ]; then logtext "Result: Found YABOOT configuration file (/etc/yaboot.conf)" Display --indent 4 --text "- Checking boot loader YABOOT" --result FOUND --color GREEN - #YYY add permission check BOOT_LOADER="YABOOT" BOOT_LOADER_FOUND=1 else 
@@ -397,11 +392,6 @@ fi # ################################################################################# -# - # Test : BOOT-5166 - # Description : Check for /etc/rc.local file (and contents) -# -################################################################################# # # Test : BOOT-5177 # Description : Check for Linux boot services (systemd and chkconfig) 
@@ -467,48 +457,13 @@ fi # ################################################################################# -# - # Test : BOOT-5178 - # Description : Check for Linux boot services (Red Hat style) - # if [ ! "${CHKCONFIGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - # Register --test-no BOOT-5178 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for unneeded Linux boot services (Red Hat style)" - # if [ ${SKIPTEST} -eq 0 ]; then - # N=0 - # N=`expr ${N} + 1` - - #* mctrans (if selinux is NOT enabled) - #* restorecond (if selinux is NOT enabled) --> and is it really needed? - # - # if profile is server, warn if found: - #* pcscd (if profile=server) - #* avahi-daemon - # Redhat: /etc/sysconfig/network - # check if NOZEROCONF=yes is available - # - #* xfs (if /usr/bin/startx is not found) - # - #if [ ! -f /etc/mdadm.conf -a ! -f /etc/mdadm/mdadm.conf ]; then - #* mdmonitor - # - # - #* firstboot - # Display warning if [ ! -f /etc/reconfigSys ] - # AND "RUN_FIRSTBOOT=YES" is NOT in /etc/sysconfig/firstboot - # - #* acpid - # Display warning if no modules are loaded (lsmod | grep -i acpi) - # - # - # fi -# -################################################################################# # # Test : BOOT-5180 # Description : Check for Linux boot services (Debian style) if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no BOOT-5180 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for Linux boot services (Debian style)" if [ ${SKIPTEST} -eq 0 ]; then - # YYY runlevel check + # Runlevel check sRUNLEVEL=`${RUNLEVELBINARY} | grep "N 2"` if [ ! "${sRUNLEVEL}" = "" ]; then FIND=`find /etc/rc2.d -type l -print | cut -d '/' -f4 | sed "s/S[0-9][0-9]//g" | sort` 
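Review bot: `sRUNLEVEL=\`${RUNLEVELBINARY} | grep "N 2"\`` follows the renamed `# Runlevel check` comment with no guard that `RUNLEVELBINARY` is set, while the prerequisite on the Register line only tests for Debian or Ubuntu; on a host without a runlevel binary the command collapses to a bare pipe into grep and the `find /etc/rc2.d` branch is never reached. Add the binary to the prerequisite, e.g. a second line `if [ "${RUNLEVELBINARY}" = "" ]; then PREQS_MET="NO"; fi` before the Register call. Matching only `"N 2"` also means any other current runlevel is quietly ignored, which the comment could say: `# Runlevel check (only runlevel 2 is inspected; other runlevels are skipped)`. The `if [ ${SKIPTEST} -eq 0 ]` body continues past the end of the hunk.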
@@ -609,16 +564,6 @@ fi # ################################################################################# -# - # Add autostart services, like from KDE/Gnome - # Test : BOOT-5102 - # Description : Check for tasks which are autostarted via /etc/inittab - #Register --test-no BOOT-5102 --weight L --network NO --description "Check inittab for services" - #if [ ${SKIPTEST} -eq 0 ]; then - #fi - #YYY check against static list? -# -################################################################################# # # Test : BOOT-5202 # Description : Check uptime of system @@ -721,7 +666,6 @@ ################################################################################# # - report "boot_loader=${BOOT_LOADER}" report "service_manager=${SERVICE_MANAGER}" diff --git a/include/tests_containers b/include/tests_containers index d6450c95..dcd4d238 100644 --- a/include/tests_containers +++ b/include/tests_containers @@ -159,7 +159,6 @@ ################################################################################# # - wait_for_keypress # diff --git a/include/tests_crypto b/include/tests_crypto index ea69bf3c..8db5eb69 100644 --- a/include/tests_crypto +++ b/include/tests_crypto @@ -50,7 +50,6 @@ FOUNDPROBLEM=1 logtext "Result: certificate ${J} has been expired" report "expired_certificate[]=${J}|unknown entity|" - #YYY Dump more information to log file fi else logtext "Result: can not read file ${J} (no permission)" diff --git a/include/tests_insecure_services b/include/tests_insecure_services index 534132ee..f6b5e15d 100644 --- a/include/tests_insecure_services +++ b/include/tests_insecure_services 
@@ -5,8 +5,8 @@ # Lynis # ------------------ # -# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands -# Web site: http://www.rootkit.nl +# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com) +# Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. @@ -37,7 +37,6 @@ if [ ${RUNNING} -eq 1 ]; then logtext "Result: inetd is running" Display --indent 2 --text "- Checking inetd status" --result ACTIVE --color GREEN - #YYY perform manual check INETD_ACTIVE=1 else logtext "Result: inetd is NOT running" @@ -61,8 +60,6 @@ logtext "Result: ${INETD_CONFIG_FILE} does not exist" Display --indent 4 --text "- Checking inetd.conf" --result "NOT FOUND" --color WHITE fi - # YYY immutable bit could be set - # YYY permission check (already set in profile) fi # ################################################################################# @@ -106,15 +103,9 @@ # ################################################################################# # -# Check telnet in /etc/xinetd.conf -# Check telnet in /etc/xinetd/* -# Check running telnet daemon (telnetd) -# rshd rlogin rexec -# /etc/hosts.equiv - wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands +# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com diff --git a/include/tests_kernel b/include/tests_kernel index a7cb4a91..15c84206 100644 --- a/include/tests_kernel +++ b/include/tests_kernel 
@@ -5,8 +5,8 @@ # Lynis # ------------------ # -# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands -# Web site: http://www.rootkit.nl +# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com) +# Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. @@ -276,10 +276,6 @@ fi # ################################################################################# -# -# YYY Check for kernel options -# -################################################################################# # # Test : KRNL-5745 # Description : Checking FreeBSD loaded kernel modules diff --git a/include/tests_kernel_hardening b/include/tests_kernel_hardening index 7797fa1a..cc82eb47 100644 --- a/include/tests_kernel_hardening +++ b/include/tests_kernel_hardening @@ -5,8 +5,8 @@ # Lynis # ------------------ # -# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands -# Web site: http://www.rootkit.nl +# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com) +# Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. @@ -66,4 +66,4 @@ wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015, Michael Boelen - http://cisofy.com - The Netherlands +# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com diff --git a/include/tests_ldap b/include/tests_ldap index 551fae3a..26c35c0b 100644 --- a/include/tests_ldap +++ b/include/tests_ldap 
@@ -5,8 +5,8 @@ # Lynis # ------------------ # -# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands -# Web site: http://www.rootkit.nl +# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com) +# Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. @@ -101,4 +101,4 @@ wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands +# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com diff --git a/include/tests_logging b/include/tests_logging index 7346365a..707b6948 100644 --- a/include/tests_logging +++ b/include/tests_logging @@ -5,8 +5,8 @@ # Lynis # ------------------ # -# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands -# Web site: http://www.rootkit.nl +# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com) +# Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. @@ -36,7 +36,6 @@ # Test : LOGG-2130 # Description : Check for a running syslog daemon - # Notes : Log which syslog daemon is found YYY Register --test-no LOGG-2130 --weight L --network NO --description "Check for running syslog daemon" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Searching for a logging daemon" @@ -476,12 +475,6 @@ # ################################################################################# # -# -# Rsyslogd checks -# -# -################################################################################# -# report "log_rotation_config_found=${LOGROTATE_CONFIG_FOUND}" report "log_rotation_tool=${LOGROTATE_TOOL}" 
diff --git a/include/tests_mac_frameworks b/include/tests_mac_frameworks index 23e75e5e..4a0bc6dc 100644 --- a/include/tests_mac_frameworks +++ b/include/tests_mac_frameworks @@ -5,8 +5,8 @@ # Lynis # ------------------ # -# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands -# Web site: http://www.rootkit.nl +# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com) +# Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. @@ -48,11 +48,11 @@ if [ ${SKIPTEST} -eq 0 ]; then if [ ! "${AASTATUSBINARY}" = "" ]; then # Checking AppArmor status - #0 if apparmor is enabled and policy is loaded. - #1 if apparmor is not enabled/loaded. - #2 if apparmor is enabled but no policy is loaded. - #3 if control files are not available - #4 if apparmor status can't be read + # 0 if apparmor is enabled and policy is loaded. + # 1 if apparmor is not enabled/loaded. + # 2 if apparmor is enabled but no policy is loaded. + # 3 if control files are not available + # 4 if apparmor status can't be read FIND=`${AASTATUSBINARY} > /dev/null; echo $?` if [ ${FIND} -eq 0 ]; then MAC_FRAMEWORK_ACTIVE=1 @@ -187,14 +187,6 @@ report "framework_selinux=${SELINUXFOUND}" wait_for_keypress -# To implement: -# FMAC (OpenSolaris, MAC) -# LSM (Linux Security Modules) -# TrustedBSD (MAC) -# RSBAC (RBAC) -# Apple sandbox technology -# PAX - # #================================================================================ -# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands +# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com diff --git a/include/tests_mail_messaging b/include/tests_mail_messaging index dc568283..b936dbb8 100644 --- a/include/tests_mail_messaging +++ b/include/tests_mail_messaging 
@@ -5,8 +5,8 @@ # Lynis # ------------------ # -# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands -# Web site: http://www.rootkit.nl +# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com) +# Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. @@ -50,29 +50,6 @@ fi # ################################################################################# -# - # Test : MAIL-8804 - # Description : Check Exim configuration - #if [ ${EXIM_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - #Register --test-no MAIL-8804 --weight L --network NO --description "Check Exim configuration" - #if [ ${SKIPTEST} -eq 0 ]; then - # if [ ! "${EXIMBINARY}" = "" ]; then - # logtext "Test: Searching Exim configuration file" - # FIND=`${EXIMBINARY} -d | grep "configuration file is" | sed 's/configuration file is//'` - # if [ ! "${FIND}" = "" ]; then - # Display --indent 2 --text "- Checking Exim configuration" --result FOUND --color GREEN - # Display --indent 4 --text "Result: configuration file is ${FIND}" - # logtext "Result: found Exim" - # logtext "Result: configuration file is ${FIND}" - # else - # Display --indent 2 --text "- Checking Exim configuration" --result WARNING --color RED - # logtext "Couldn't find the Exim configuration file, however Exim seems to be installed." - # fi - # else - # logtext "Exim binary not found, no tests performed" - # fi -# -################################################################################# # # Test : MAIL-8814 # Description : Check Postfix process 
@@ -161,26 +138,6 @@ fi # ################################################################################# -# - # Test : MAIL-8842 - # Description : Check Dovecot logging locations - #Register --test-no MAIL-8842 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check dovecot logging locations" - #if [ ${SKIPTEST} -eq 0 ]; then -# ParseDovecot -# CONF="/etc/dovecot/dovecot.conf" -# FIND=`cat ${CONF} | grep "^log_path" | awk '{ if ($1=="") { print "syslog" } else { print $3 } }'` -# if [ ! "${FIND}" = "" ]; then -# logtext "Result: output for error messages = ${FIND}" -# fi -# -# FIND=`cat ${CONF} | grep "^log_info_path" | awk '{ if ($1=="") { print "syslog" } else { print $3 } }'` -# if [ ! "${FIND}" = "" ]; then -# logtext "Result: output for informational messages = ${FIND}" -# fi -# -# fi -# -################################################################################# # # Test : MAIL-8860 # Description : Check Qmail process status @@ -239,23 +196,6 @@ fi # ################################################################################# -# - # Test : MAIL-xxxx - # Description : Check if outgoing mail is obscured (increased privacy) - #Register --test-no MAIL-xxxx --weight L --network NO --description "Check XXX" - #if [ ${SKIPTEST} -eq 0 ]; then -# -################################################################################# -# - #YYY Add support for mail, procmail - #YYY Add support for MUAs: Thunderbird, Kmail, Evolution - # Other software : Cyrus-IMAP, Amavisd-new, SpamAssassin, Fetchmail, Procmail, maildrop - #- Dovecot : \'/usr/local/etc/dovecot.conf\' - #- For Sendmail : \'/var/mail/sendmail.cf\' - #- Fetchmail : \'~/.fetchmailrc\' (not only root) - #- Cyrus-IMAP : \'/usr/local/etc/imapd.conf\' for parameters and \'/usr/local/etc/cyrus.conf\' for the services launched -# -################################################################################# # report "imap_daemon=${IMAP_DAEMON}" 
@@ -267,4 +207,4 @@
 wait_for_keypress
 #
 #================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
+# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_malware b/include/tests_malware
index 2fe22ba1..1462646c 100644
--- a/include/tests_malware
+++ b/include/tests_malware
@@ -5,8 +5,8 @@
 # Lynis
 # ------------------
 #
-# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com), The Netherlands
-# Web site: http://cisofy.com
+# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
 # welcome to redistribute it under the terms of the GNU General Public License.
@@ -166,26 +166,20 @@
 #
 #################################################################################
 #
-# Test : MALW-3288
-# Description : Check for ClamXav (Mac OS X)
-#
-#################################################################################
-#
- Register --test-no MALW-3288 --weight L --network NO --description "Check for ClamXav"
+ # Test : MALW-3288
+ # Description : Check for ClamXav (Mac OS X)
+ if [ -d /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no MALW-3288 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for ClamXav"
 if [ ${SKIPTEST} -eq 0 ]; then
- if [ -d /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ ]; then
- CLAMSCANBINARY=`ls /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | grep 'clamscan'`
- if [ ! "${CLAMSCANBINARY}" = "" ]; then
- logtext "Result: Found ClamXav clamscan installed"
- Display --indent 2 --text "- Checking presence of ClamXav AV scanner" --result "FOUND" --color GREEN
- MALWARE_SCANNER_INSTALLED=1
- AddHP 3 3
- else
- logtext "Result: ClamXav malware scanner not found"
- AddHP 0 3
- fi
+ CLAMSCANBINARY=`ls /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | grep 'clamscan'`
+ if [ ! "${CLAMSCANBINARY}" = "" ]; then
+ logtext "Result: Found ClamXav clamscan installed"
+ Display --indent 2 --text "- Checking presence of ClamXav AV scanner" --result "FOUND" --color GREEN
+ MALWARE_SCANNER_INSTALLED=1
+ AddHP 3 3
 else
- logtext "Result: could not find ClamXav location"
+ logtext "Result: ClamXav malware scanner not found"
+ AddHP 0 3
 fi
 fi
 #
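Review bot: CLAMSCANBINARY is still filled from `ls … | grep 'clamscan'`, so it holds every filename in that directory containing the substring (possibly several, one per line) and nothing verifies that the match is an executable; the directory test moved into PREQS_MET does not cover that. Since the location is fixed, test the binary itself and keep a full path in the variable: `CLAMSCANBINARY=/Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/clamscan` followed by `if [ -x "${CLAMSCANBINARY}" ]; then`. Whether later code expects CLAMSCANBINARY to be a path rather than a bare filename is not visible here, which is a second reason to store the full path. Note that the old "could not find ClamXav location" log line is gone, so an absent ClamXav now leaves no trace in the log beyond whatever Register records for an unmet prerequisite.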
@@ -196,12 +190,6 @@
 #
 #################################################################################
 #
-#################################################################################
-#
-# Other projects: maldetect (rfxn)
-#
-#################################################################################
-#
 report "malware_scanner_installed=${MALWARE_SCANNER_INSTALLED}"
diff --git a/include/tests_memory_processes b/include/tests_memory_processes
index 4fa64c1c..fda6a32e 100644
--- a/include/tests_memory_processes
+++ b/include/tests_memory_processes
@@ -5,8 +5,8 @@
 # Lynis
 # ------------------
 #
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
 # welcome to redistribute it under the terms of the GNU General Public License.
@@ -110,23 +110,10 @@
 fi
 #
 #################################################################################
-#
- # Ubuntu test: dead processes
- # who -d
-#
-#################################################################################
-#
- # Test : PROC-3624
- # Description : Check shared memory (ipcs -m)
- # Notes : if it's empty, check /dev/shm and warn if any files are left behind
- #Register --test-no PROC-3614 --os Linux --weight L --network NO --description "Check shared memory"
- #if [ ${SKIPTEST} -eq 0 ]; then
-#
-#################################################################################
 #
 wait_for_keypress
 #
 #================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
+# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_nameservices b/include/tests_nameservices
index 38782a8b..6aedd833 100644
--- a/include/tests_nameservices
+++ b/include/tests_nameservices
@@ -5,8 +5,8 @@
 # Lynis
 # ------------------
 #
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
 # welcome to redistribute it under the terms of the GNU General Public License.
@@ -233,7 +233,6 @@
 else
 logtext "Result: nscd is not running"
 Display --indent 2 --text "- Checking nscd status" --result "NOT FOUND" --color WHITE
- #YYY show performance suggestion if LDAP is used
 fi
 fi
 #
@@ -263,7 +262,6 @@
 Register --test-no NAME-4204 --preqs-met ${PREQS_MET} --weight L --network NO --description "Search BIND configuration file"
 if [ ${SKIPTEST} -eq 0 ]; then
 logtext "Test: Search BIND configuration file"
- #YYY add chrooted environments
 for I in ${BIND_CONFIG_LOCS}; do
 if [ -f ${I}/named.conf ]; then
 BIND_CONFIG_LOCATION="${I}/named.conf"
@@ -377,7 +375,6 @@
 Register --test-no NAME-4232 --preqs-met ${PREQS_MET} --weight L --network NO --description "Search PowerDNS configuration file"
 if [ ${SKIPTEST} -eq 0 ]; then
 logtext "Test: Search PowerDNS configuration file"
- #YYY add chrooted environments
 for I in ${POWERDNS_CONFIG_LOCS}; do
 if [ -f ${I}/pdns.conf ]; then
 POWERDNS_AUTH_CONFIG_LOCATION="${I}/pdns.conf"
@@ -609,4 +606,4 @@
 wait_for_keypress
 #
 #================================================================================
-# Lynis - Copyright 2007-2015 Michael Boelen, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_networking b/include/tests_networking
index 4188c440..469a22f4 100644
--- a/include/tests_networking
+++ b/include/tests_networking
@@ -5,8 +5,8 @@
 # Lynis
 # ------------------
 #
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
 # welcome to redistribute it under the terms of the GNU General Public License.
@@ -29,7 +29,7 @@
 #
 #################################################################################
 #
- # Test : NETW-2704 (YYY move to nameservices section)
+ # Test : NETW-2704
 # Description : Basic nameserver configuration tests (connectivity)
 Register --test-no NETW-2704 --weight L --network YES --description "Basic nameserver configuration tests"
 if [ ${SKIPTEST} -eq 0 ]; then
@@ -44,7 +44,7 @@
 for I in ${FIND}; do
 logtext "Found nameserver: ${I}"
 report "nameserver[]=${I}"
- # Check if a local resolver is available (like DNSMasq)
+ # Check if a local resolver is available (like DNSMasq)
 if [ "${I}" = "::1" -o "${I}" = "127.0.0.1" -o "${I}" = "0.0.0.0" ]; then
 LOCAL_DNSRESOLVER_FOUND=1
 fi
@@ -200,7 +200,7 @@
 case ${OS} in
 AIX)
 FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet") print $2 }'`
- # IPv6 support in AIX? (YYY)
+ FIND2=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet6") print $2 }'`
 ;;
 DragonFly|FreeBSD|NetBSD)
 FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet") print $2 }'`
@@ -473,8 +473,6 @@
 IsRunning dhclient
 if [ ${RUNNING} -eq 1 ]; then
 Display --indent 2 --text "- Checking status DHCP client" --result RUNNING --color WHITE
- #YYY report if system type is server, that it is running with DHCP client, might be a badly configured machine
- #report "manual[]=System is running DHCP client"
 DHCP_CLIENT_RUNNING=1
 else
 Display --indent 2 --text "- Checking status DHCP client" --result "NOT ACTIVE" --color WHITE
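Review bot: In the AIX hunk, FIND2 is taken verbatim from the second field of `ifconfig -a` inet6 lines and nothing normalizes it; as far as I recall AIX prints these addresses with a zone and prefix suffix (something like `::1%1/64`), so the value would not have the same shape the other OS arms produce — worth confirming on a host before relying on it. If the suffix is present, append `| sed 's/[%\/].*//'` to the pipeline, or at least record the raw format next to the line: `# AIX ifconfig may suffix inet6 addresses with %zone/prefix`. The case statement and the code that consumes FIND2 lie outside the hunk.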
@@ -482,20 +480,6 @@
 fi
 #
 #################################################################################
-#
- # Test : NETW-3060
- # Description : Check if IPv6 is configured AND used
- # /etc/modprobe.d (add 'install ipv6 /bin/true' if IPv6 isn't used)
- # or
- # aliased (/etc/modprobe.d/aliases?): alias net-pf-10 off ipv6 (to disable)
- #Register --test-no NETW-3060 --weight L --network NO --description "Checking IPv6 connectivity"
- #if [ ${SKIPTEST} -eq 0 ]; then
-#
-#################################################################################
-#
-# Linux: net.ipv4.ip_always_defrag
-#
-#################################################################################
 #
 report "dhcp_client_running=${DHCP_CLIENT_RUNNING}"
@@ -503,4 +487,4 @@
 wait_for_keypress
 #
 #================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
+# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_php b/include/tests_php
index 8a7db951..d4e842c8 100644
--- a/include/tests_php
+++ b/include/tests_php
@@ -5,8 +5,8 @@
 # Lynis
 # ------------------
 #
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
 # welcome to redistribute it under the terms of the GNU General Public License.
@@ -252,37 +252,13 @@
 logtext "Result: Found 'allow_url_include' in disabled state (0, no, or off)"
 AddHP 2 2
 fi
- #YYY Check through all files
 fi
 #
 #################################################################################
 #
-# Disable/use functions:
-# safe_mode (only for PHP5?)
-# open_basedir (limits access to defined directory, comparable with chrooting)
-# disable_classes
-# session.save_path
-# session.referer_check
-# upload_tmp_dir
-# file_uploads Off, if possible
-# Set display_errors to Off
-# Set log_errors to On and define error_log (with value Syslog or a filename)
-#
-#################################################################################
-#
- # mod_suexec
- # suPHP (/etc/suphp.conf)
-#
-#################################################################################
-#
- # Test : PHP-2388
- # Description : Check php version number
-#
-#################################################################################
-#
 wait_for_keypress
 #
 #================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
+# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_ports_packages b/include/tests_ports_packages
index 23a66584..8143113a 100644
--- a/include/tests_ports_packages
+++ b/include/tests_ports_packages
@@ -5,8 +5,8 @@
 # Lynis
 # ------------------
 #
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
 # welcome to redistribute it under the terms of the GNU General Public License.
@@ -78,35 +78,6 @@
 fi
 #
 #################################################################################
-#
-# Temporary disabled due false positives
-# Packages like docbook, gcc, automake report multiple installed versions
-# # Test : PKGS-7303
-# # Description : Query FreeBSD pkg_info
-# if [ -x /usr/sbin/pkg_info ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
-# Register --test-no PKGS-7303 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query FreeBSD for double installed packages"
-# if [ ${SKIPTEST} -eq 0 ]; then
-# SDOUBLEINSTALLED=`pkg_info | sort | sed -e 's/-[0-9].*$//' | uniq -c | grep -v '^[[:space:]]*1' | tr -s ' ' | cut -d ' ' -f3`
-# if [ "${SDOUBLEINSTALLED}" = "" ]; then
-# Display --indent 6 --text "- Querying pkg_info for double installed packages" --result OK --color GREEN
-# logtext "Ok, no packages show up twice or more in the package listing."
-# else
-# Display --indent 6 --text "- Querying pkg_info for double installed packages" --result WARNING --color RED
-# for J in ${SDOUBLEINSTALLED}; do
-# ReportWarning ${TEST_NO} "M" "Found probably incorrect installed package (${J})"
-# logtext "This package ${J} is visible twice or more in the pkg_info listing."
-# ReportSuggestion ${TEST_NO} "(FreeBSD) run pkgdb -F and check this manually."
-# ReportSuggestion ${TEST_NO} "(OpenBSD) check dependencies to see if one of the double "
-# logtext "installed packages is unneeded."
-# report "double_installed_package[]=${J}"
-# done
-# fi
-# else
-# Display --indent 4 --text "- Searching pkg_info" --result "NOT FOUND" --color WHITE
-# logtext "Result: pkg_info can NOT be found on this system"
-# fi
-#
-#################################################################################
 #
 # Test : PKGS-7304
 # Description : Gentoo packages
@@ -152,7 +123,6 @@
 logtext "Result: pkginfo can NOT be found on this system"
 fi
 #
-#
 #################################################################################
 #
 # Test : PKGS-7308
@@ -202,7 +172,6 @@
 if [ "${SPACKAGES}" = "" ]; then
 logtext "Result: pacman binary available, but package list seems to be empty"
 logtext "Info: looks like the pacman binary is installed, but not used for package installation"
- #YYY ReportException?
 else
 for J in ${SPACKAGES}; do
 N=`expr ${N} + 1`
@@ -380,7 +349,7 @@
 fi
 #
 #################################################################################
-
+#
 # Test : PKGS-7348
 # Description : Show unneeded distfiles if present
 # Notes : Portsclean seems to be gone from the ports, so no suggestion or warning is
@@ -540,7 +509,6 @@
 if [ "${FIND}" = "" ]; then
 logtext "Result: pkg audit results are clean"
 Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result NONE --color GREEN
- # Don't check yet, output of found vulnerable packages unclear (YYY)
 else
 logtext "Result: ${FIND}"
 #Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result WARNING --color RED
@@ -1014,21 +982,6 @@
 fi
 #
 #################################################################################
-#
- # Test : PKGS-7414
- # Description : Check installonly_limit in yum.conf
-#
-#################################################################################
-#
- # Test : PKGS-7416
- # Description : Check for popularity-contest (Debian/Ubuntu)
-#
-#################################################################################
-#
- # Test : PKGS-7418
- # Description : Check for yum-changelog
-#
-#################################################################################
 #
 if [ ! "${INSTALLED_PACKAGES}" = "" ]; then
@@ -1043,4 +996,4 @@
 wait_for_keypress
 #
 #================================================================================
-# Lynis - Copyright 2007-2015 Michael Boelen, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
From ba11e87b3cc217afefcedeaeb1085dfa25dea4da Mon Sep 17 00:00:00 2001
From: mboelen
Date: Wed, 22 Jul 2015 17:35:03 +0200
Subject: [PATCH 079/167] Removed hardening tools section
---
 lynis | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lynis b/lynis
index c67b4ac1..eaad013c 100755
--- a/lynis
+++ b/lynis
@@ -719,7 +719,7 @@
 filesystems storage storage_nfs nameservices ports_packages networking printers_spools \
 mail_messaging firewalls webservers ssh snmp databases ldap php squid logging \
 insecure_services banners scheduling accounting time crypto virtualization containers \
- mac_frameworks file_integrity hardening_tools tooling malware file_permissions homedirs \
+ mac_frameworks file_integrity tooling malware file_permissions homedirs \
 kernel_hardening hardening"
 else
 INCLUDE_TESTS="${TESTS_CATEGORY_TO_PERFORM}"
From afd01ece5d89dd3a1d78e3884d42ad38e129622a Mon Sep 17 00:00:00 2001
From: mboelen
Date: Wed, 22 Jul 2015 17:37:11 +0200
Subject: [PATCH 080/167] Remove incomplete tests, code enhancements
---
 include/tests_filesystems | 6 +--
 include/tests_firewalls | 8 +---
 include/tests_homedirs | 20 ++-------
 include/tests_printers_spools | 2 +-
 include/tests_scheduling | 26 +++++------
 include/tests_solaris | 6 +--
 include/tests_squid | 59 -------------------------
 include/tests_ssh | 82 ++---------------------------------
 include/tests_storage | 12 +----
 include/tests_storage_nfs | 6 +--
 include/tests_time | 16 +++----
 include/tests_tooling | 6 +--
 include/tests_virtualization | 11 +++--
 include/tests_webservers | 11 ++---
 14 files changed, 50 insertions(+), 221 deletions(-)
diff --git a/include/tests_filesystems b/include/tests_filesystems
index fd879565..28dfab75 100644
--- a/include/tests_filesystems
+++ b/include/tests_filesystems
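Review bot: Dropping `hardening_tools` from the default category list does not retire the section: the else branch still forwards TESTS_CATEGORY_TO_PERFORM unchanged, and the diffstat shows only `lynis` changing, so the include file for that category (assuming it still exists; it is not visible here) remains loadable when requested by name. If the section is meant to be gone, delete its include file in the same change or reject the name where the category option is parsed; if it is only being dropped from the default run, say so next to the list, e.g. `# hardening_tools is excluded from the default run; request it explicitly as a category`. The INCLUDE_TESTS assignment and its enclosing if/else begin outside the hunk.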
@@ -5,8 +5,8 @@
 # Lynis
 # ------------------
 #
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
 # welcome to redistribute it under the terms of the GNU General Public License.
@@ -623,4 +623,4 @@
 wait_for_keypress
 #
 #================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
+# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_firewalls b/include/tests_firewalls
index 5a529d35..8563d4e0 100644
--- a/include/tests_firewalls
+++ b/include/tests_firewalls
@@ -5,8 +5,8 @@
 # Lynis
 # ------------------
 #
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
 # welcome to redistribute it under the terms of the GNU General Public License.
@@ -30,10 +30,6 @@
 #
 #################################################################################
 #
-# YYY Improvement needed for iptables to check if kernel modules are used or not.
-# If they are not used and iptables is not found in configuration, no checks should be performed.
-#
-
 # Test : FIRE-4511
 # Description : Check iptables kernel module
 Register --test-no FIRE-4511 --os Linux --weight L --network NO --description "Check iptables kernel module"
diff --git a/include/tests_homedirs b/include/tests_homedirs
index 81127eb8..012cf648 100644
--- a/include/tests_homedirs
+++ b/include/tests_homedirs
@@ -5,8 +5,8 @@
 # Lynis
 # ------------------
 #
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
 # welcome to redistribute it under the terms of the GNU General Public License.
@@ -28,7 +28,6 @@
 #
 #################################################################################
 #
-
 # Test : HOME-9302
 # Description : Create list with home directories
 Register --test-no HOME-9302 --weight L --network NO --description "Create list with home directories"
@@ -100,19 +99,6 @@
 logtext "Output: ${IGNORE_HOME_DIRS}"
 fi
 fi
-
- #YYY
- #echo -n " - Checking PATH variable vulnerabilities"
- #
- #FIND=`find ${HOMEDIRS} -name * | grep -r 'PATH=' | egrep '=.:|:.:|:.;' | grep -v 'CDPATH'`
- #if [ "${FIND}" = "" ]
- # then
- # logtext "Result: Ok, no special things found in the PATH variable"
- # else
- # echo "[ ${WARNING}WARNING${NORMAL} ]"
- # logtext "Warning: Probably found \".\" in the PATH. Details: ${FIND}"
- #fi
- #
 #
 #################################################################################
 #
@@ -121,4 +107,4 @@
 wait_for_keypress
 #
 #================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
+# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_printers_spools b/include/tests_printers_spools
index 5d35ba3d..ec64bc11 100644
--- a/include/tests_printers_spools
+++ b/include/tests_printers_spools
@@ -293,4 +293,4 @@
 wait_for_keypress
 #
 #================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
+# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_scheduling b/include/tests_scheduling
index 176da013..1b5e23f0 100644
--- a/include/tests_scheduling
+++ b/include/tests_scheduling
@@ -5,8 +5,8 @@
 # Lynis
 # ------------------
 #
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
 # welcome to redistribute it under the terms of the GNU General Public License.
@@ -139,16 +139,16 @@
 # Description : Check atd status
 Register --test-no SCHD-7718 --weight L --network NO --description "Check at users"
 if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking atd status"
- FIND=`${PSBINARY} ax | grep "/atd" | grep -v "grep"`
- if [ ! "${FIND}" = "" ]; then
- logtext "Result: at daemon active"
- Display --indent 2 --text "- Checking atd status" --result RUNNING --color GREEN
- ATD_RUNNING=1
- else
- logtext "Result: at daemon not active"
- Display --indent 2 --text "- Checking atd status" --result "NOT RUNNING" --color WHITE
- fi
+ logtext "Test: Checking atd status"
+ FIND=`${PSBINARY} ax | grep "/atd" | grep -v "grep"`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: at daemon active"
+ Display --indent 2 --text "- Checking atd status" --result RUNNING --color GREEN
+ ATD_RUNNING=1
+ else
+ logtext "Result: at daemon not active"
+ Display --indent 2 --text "- Checking atd status" --result "NOT RUNNING" --color WHITE
+ fi
 fi
 #
 #################################################################################
@@ -247,4 +247,4 @@
 wait_for_keypress
 #
 #================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
+# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_solaris b/include/tests_solaris
index 4b0783af..109bee67 100644
--- a/include/tests_solaris
+++ b/include/tests_solaris
@@ -5,8 +5,8 @@
 # Lynis
 # ------------------
 #
-# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com), The Netherlands
-# Web site: http://cisofy.com
+# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
 # welcome to redistribute it under the terms of the GNU General Public License.
@@ -66,4 +66,4 @@
 wait_for_keypress
 #
 #================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
+# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_squid b/include/tests_squid
index 98a4380c..f6277feb 100644
--- a/include/tests_squid
+++ b/include/tests_squid
@@ -103,15 +103,6 @@
 fi
 #
 #################################################################################
-#
-# # Test : SQD-3608
-# # Description : Check Squid build options
-# if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
-# Register --test-no SQD-3608 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid version"
-# if [ ${SKIPTEST} -eq 0 ]; then
-# fi
-#
-#################################################################################
 #
 # Test : SQD-3610
 # Description : Check Squid configuration options
@@ -129,15 +120,6 @@ fi # ################################################################################# -# -# # Test : SQD-3612 -# # Description : Check Squid additional configuration files -# if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi -# Register --test-no SQD-3612 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check additional Squid configuration files" -# if [ ${SKIPTEST} -eq 0 ]; then -# fi -# -################################################################################# # # Test : SQD-3613 # Description : Check Squid configuration options @@ -315,7 +297,6 @@ # ################################################################################# # - # Test : SQD-3680 # Description : Check httpd_suppress_version_string if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi @@ -338,46 +319,6 @@ ################################################################################# # - -# Squid -#Hardening: -# $1 $3 -# acl snmp_community -# acl maxconn -# acl max_user_ip -# -# follow_x_forwarded_for -#Read cache_peer host type(sibling/parent) proxyport icpport options (if set, icp_access should be set as well) -#Read cache_peer_domain -#Read cache_peer_access -#Read icp_access -#Read icp_port -#Read htcp_access -#Read htcp_port -#Read http_port -#Read https_port -#Read cache_dir -#Read access_log -#Read coredump_dir -#Read quick_abort_min / max /pct -# -# Memory tuning -#Read cache_mem -#Read maximum_object_size_in_memory -#Read maximum_object_size -#Read cache_swap_low -#Read cache_swap_high - -# Security -#cache_effective_user -# off -#forwarded_for - -#wccp -# -################################################################################# -# - wait_for_keypress # diff --git a/include/tests_ssh b/include/tests_ssh index 15fb599c..303af6b6 100644 --- a/include/tests_ssh +++ b/include/tests_ssh 
@@ -5,8 +5,8 @@
 # Lynis
 # ------------------
 #
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
 # welcome to redistribute it under the terms of the GNU General Public License.
@@ -79,28 +79,6 @@
 fi
 #
 #################################################################################
-#
-# # Test : SSH-7406
-# # Description : Check for a running SSH daemon
-# if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
-# Register --test-no SSH-7406 --preqs-met ${PREQS_MET} --weight L --network NO --description "SSH daemon listening port"
-# if [ ${SKIPTEST} -eq 0 ]; then
-# logtext "Test: Searching for a SSH daemon"
-# CheckOption "^Port " ${SSH_DAEMON_CONFIG}
-# if [ ${FOUND} -eq 1 ]; then
-# FIND=`echo ${FIND} | awk '{ if ($1=="Port") { print $2 }}'`
-# # Check if this output is numeric and usuable for later (e.g. in netstat output)
-# Display --indent 2 --text "- Checking SSH listening port" --result FOUND --color GREEN
-# logtext "Result: setting port number to ${FIND}"
-# SSH_DAEMON_PORT="${FIND}"
-# else
-# Display --indent 2 --text "- Checking SSH listening port" --result "NOT FOUND" --color WHITE
-# logtext "Result: setting port to default number, as no other port has been configured"
-# SSH_DAEMON_PORT="22"
-# fi
-# fi
-#
-#################################################################################
 #
 # Test : SSH-7408
 # Description : Check SSH specific defined options
@@ -202,32 +180,6 @@
 fi
 #
 #################################################################################
-#
- # Test : SSH-7418
- # Description : Check SSH Port option
-# if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
-# Register --test-no SSH-7418 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: Port"
-# if [ ${SKIPTEST} -eq 0 ]; then
-# logtext "Test: check allowed SSH protocol versions"
-# FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^Port" | awk '{ if ($2!="22") { print $2 } }'`
-# if [ "${FIND}" = "1" -o "${FIND}" = "2,1" -o "${FIND}" = "1,2" ]; then
-# logtext "Result: Protocol option is set to allow SSH protocol version 1"
-# Display --indent 4 --text "- SSH option: Protocol" --result WARNING --color RED
-# ReportWarning ${TEST_NO} "M" "SSH protocol version 1 is allowed"
-# AddHP 0 3
-# else
-# if [ "${FIND}" = "2" ]; then
-# logtext "Result: only protocol 2 is allowed"
-# Display --indent 4 --text "- SSH option: Protocol" --result OK --color GREEN
-# AddHP 3 3
-# else
-# logtext "Result: value of Protocol is unknown (not defined)"
-# Display --indent 4 --text "- SSH option: Protocol" --result DEFAULT --color WHITE
-# fi
-# fi
-# fi
-#
-#################################################################################
 #
 # Test : SSH-7440
 # Description : AllowUsers / AllowGroups
@@ -269,33 +221,7 @@ # ################################################################################# # - # Test : SSH-7464 - # Description : HashKnownHosts - #if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - #Register --test-no SSH-7464 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: HashKnownHosts" - #if [ ${SKIPTEST} -eq 0 ]; then - # /etc/ssh/ssh_config - # ReportSuggestion ${TEST_NO} "HashKnownHosts option can migitate worm attacks" - #AddHP 2 2 - #fi -# -################################################################################# -# - # Test : SSH-7480 - # Description : AllowUsers / AllowGroups - # Goal : Scan SSH daemon - #if [ ! ${SSHKEYSCANBINARY} = "" -a ${SSH_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - #Register --test-no SSH-7480 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: AllowUsers and AllowGroups" - #if [ ${SKIPTEST} -eq 0 ]; then - # First determine what port the local instance of SSH daemon is running on. If unknown, use port 22 - # FIND=`${SSHKEYSCANBINARY} localhost 2>&1 | grep OpenSSH | egrep -i "bsd|debian|ubuntu|redhat"` -# -################################################################################# -# - # sshd -T can provide additional insights -# -################################################################################# -# + report "ssh_daemon_running=${SSH_DAEMON_RUNNING}" #report "ssh_daemon_port=${SSH_DAEMON_PORT}" @@ -303,4 +229,4 @@ wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands +# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com diff --git a/include/tests_storage b/include/tests_storage index 1ee95589..796e07d3 100644 --- a/include/tests_storage +++ b/include/tests_storage 
@@ -5,8 +5,8 @@
 # Lynis
 # ------------------
 #
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
 # welcome to redistribute it under the terms of the GNU General Public License.
@@ -108,14 +108,6 @@
 #
 #################################################################################
 #
-# Use modprobe --showconfig to test for options
-
-# NetBSD: amd (auto mount daemon)
-
-#
-#################################################################################
-#
-
 wait_for_keypress
diff --git a/include/tests_storage_nfs b/include/tests_storage_nfs
index 2de8a8e0..2b3d7d6b 100644
--- a/include/tests_storage_nfs
+++ b/include/tests_storage_nfs
@@ -5,8 +5,8 @@
 # Lynis
 # ------------------
 #
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
 # welcome to redistribute it under the terms of the GNU General Public License.
@@ -177,4 +177,4 @@
 wait_for_keypress
 #
 #================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
+# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_time b/include/tests_time
index 508702c5..5569c804 100644
--- a/include/tests_time
+++ b/include/tests_time
@@ -5,8 +5,8 @@ # Lynis # ------------------ # -# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands -# Web site: http://www.rootkit.nl +# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com) +# Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. @@ -22,6 +22,7 @@ # ################################################################################# # + CRON_DIRS="/etc/cron.d /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly /var/spool/crontabs" NTP_DAEMON="" NTP_DAEMON_RUNNING=0 NTP_CONFIG_FOUND=0 @@ -29,9 +30,7 @@ NTP_CONFIG_TYPE_SCHEDULED=0 NTP_CONFIG_TYPE_EVENTBASED=0 NTP_CONFIG_TYPE_STARTUP=0 - # Specific for ntpd - NTPD_RUNNING=0 - CRON_DIRS="/etc/cron.d /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly /var/spool/crontabs" + NTPD_RUNNING=0 # Specific for ntpd SYSTEMD_NTP_ENABLED=0 # ################################################################################# @@ -117,10 +116,6 @@ fi done - ########################## - # To do: test on Solaris # - ########################## - # Don't run check in cron job directory on Solaris # /etc/cron.d/FIFO is a special file and test get stuck at this file FOUND_IN_CRON=0 @@ -360,7 +355,6 @@ # # Test : TIME-3136 # Description : Check ntpq reported ntp version (Linux) - # Notes : Test could be improved by checking every host (YYY) if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no TIME-3136 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check NTP protocol version" if [ ${SKIPTEST} -eq 0 ]; then 
@@ -460,4 +454,4 @@ wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com +# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com diff --git a/include/tests_tooling b/include/tests_tooling index ee118c31..302a28d9 100644 --- a/include/tests_tooling +++ b/include/tests_tooling @@ -5,8 +5,8 @@ # Lynis # ------------------ # -# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands -# Web site: http://www.rootkit.nl +# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com) +# Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. @@ -125,4 +125,4 @@ wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com +# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com diff --git a/include/tests_virtualization b/include/tests_virtualization index 36a3a456..6c80e081 100644 --- a/include/tests_virtualization +++ b/include/tests_virtualization @@ -5,7 +5,7 @@ # Lynis # ------------------ # -# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com) +# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com) # Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are @@ -29,9 +29,9 @@ # # Initialise # VMWARE_GUEST=0 # Display --indent 2 --text "- Checking VMware guest status" -# #YYY check memory driver file -# #YYY check LKM list -# #YYY check vmware tools +# # check memory driver file +# # check LKM list +# # check vmware tools # logtext "Test: checking VMware tools daemon presence" # if [ ! "${VMWARETOOLSBINARY}" = "" ]; then # logtext "Result: VMware tools binary found" 
@@ -46,9 +46,8 @@ ################################################################################# # - wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands +# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com diff --git a/include/tests_webservers b/include/tests_webservers index b83d93a9..bb5db39d 100644 --- a/include/tests_webservers +++ b/include/tests_webservers @@ -5,8 +5,8 @@ # Lynis # ------------------ # -# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands -# Web site: http://www.rootkit.nl +# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com) +# Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. @@ -693,11 +693,6 @@ # Description : Nginx: Check for server_tokens off in configuration files # ################################################################################# -# - # Scan for websites - #/etc/apache2/sites-available -# -################################################################################# # # Remove temp file (double check) @@ -709,4 +704,4 @@ wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015, Michael Boelen - cisofy.com - The Netherlands +# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com From db131518f0d72a52838165854fcc20ce0468c31f Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 22 Jul 2015 17:37:39 +0200 Subject: [PATCH 081/167] Clean up code --- include/parameters | 2 +- include/profiles | 24 +++--------------------- 2 files changed, 4 insertions(+), 22 deletions(-) diff --git a/include/parameters b/include/parameters index 2cd372f8..aadc6700 100644 --- a/include/parameters 
+++ b/include/parameters @@ -263,4 +263,4 @@ done #================================================================================ -# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands +# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com diff --git a/include/profiles b/include/profiles index 93176716..1ceb4cd8 100644 --- a/include/profiles +++ b/include/profiles @@ -5,8 +5,8 @@ # Lynis # ------------------ # -# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands -# Web site: http://www.rootkit.nl +# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com) +# Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. @@ -15,23 +15,6 @@ ################################################################################# # # Read profile/template -# -################################################################################# -# - #YYY Enable check when profile files are complete and completely documented - # Check if default profile is used - if [ "${PROFILE}" = "defaultXXX.prf" ]; then - echo "" - echo " ===============================================================================" - echo " ${WARNING}Warning${NORMAL}: ${WHITE}Default profile is used.${NORMAL}" - echo " Default profile contains only a small amount of options and settings." - echo " Consult the documentation to create a custom profile!" - echo "" - echo " [ ${WHITE}Press [ENTER] to continue with the default profile or [CTRL] + C to stop${NORMAL} ]" - echo " ===============================================================================" - wait_for_keypress - fi - # ################################################################################# # 
@@ -40,7 +23,7 @@ FIND=`cat ${PROFILE} | grep '^config:' | sed 's/ /!space!/g'` for I in ${FIND}; do OPTION=`echo ${I} | cut -d ':' -f2` - VALUE=`echo ${I} | cut -d ':' -f3 | sed 's/!space!/ /g'` + VALUE=`echo ${I} | cut -d ':' -f3 | sed 's/!space!/ /g'` logtext "Profile option set: ${OPTION} (with value ${VALUE})" @@ -120,7 +103,6 @@ # Profile name profile_name) - # YYY dummy PROFILE_NAME="${VALUE}" ;; From dd66273f413ebfa493c4e2dfadb3ddd420da6103 Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 22 Jul 2015 18:28:34 +0200 Subject: [PATCH 082/167] Removed unused categories --- include/tests_hardening_tools | 52 ----------------------------------- include/tests_tcpwrappers | 47 ------------------------------- 2 files changed, 99 deletions(-) delete mode 100644 include/tests_hardening_tools delete mode 100644 include/tests_tcpwrappers diff --git a/include/tests_hardening_tools b/include/tests_hardening_tools deleted file mode 100644 index c148e9a0..00000000 --- a/include/tests_hardening_tools +++ /dev/null 
@@ -1,52 +0,0 @@ -#!/bin/sh - -################################################################################# -# -# Lynis -# ------------------ -# -# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands -# Web site: http://www.rootkit.nl -# -# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are -# welcome to redistribute it under the terms of the GNU General Public License. -# See LICENSE file for usage of this software. -# -################################################################################# -# -# InsertSection "Hardening tools" -# -################################################################################# -# - # Checking Solaris Security Toolkit (Jass) - # Test : HRDN-7402 - # Description : Check jass hardening - # Register --test-no HRDN-7402 --weight L --network NO --description "Check jass hardening" - # if [ ${SKIPTEST} -eq 0 ]; then - # if [ -d /opt/SUNWjass -o -d /var/opt/SUNWjass ]; then - # logtext "Result: found Solaris Security Toolkit (Jass hardening tool)" - # fi - # -# -################################################################################# -# - # Test : HRDN-7410 - # Description : Check tiger hardening tool -# -################################################################################# -# - # Test : HRDN-7420 - # Description : Check Bastille Unix hardening tool -# -################################################################################# -# - # Checking Solaris Security Toolkit (ASET) - # - Automated Security Enhancement Tool - - # AddHP 3 3 - -#wait_for_keypress - -# -#================================================================================ -# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands diff --git a/include/tests_tcpwrappers b/include/tests_tcpwrappers deleted file mode 100644 index ca610165..00000000 --- a/include/tests_tcpwrappers +++ /dev/null 
@@ -1,47 +0,0 @@ -#!/bin/sh - -################################################################################# -# -# Lynis -# ------------------ -# -# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands -# Web site: http://www.rootkit.nl -# -# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are -# welcome to redistribute it under the terms of the GNU General Public License. -# See LICENSE file for usage of this software. -# -################################################################################# -# -# TCP Wrappers -# Run after: NFS checks -# -################################################################################# -# -# -################################################################################# -# -# InsertSection "TCP Wrappers" -# -################################################################################# -# - # Test : TCPW-xxxx (YYY move to nameservices section) - # Description : Basic nameserver configuration tests (connectivity) -# Register --test-no TCPW-xxxx --weight L --network YES --description "Basic nameserver configuration tests" -# if [ ${SKIPTEST} -eq 0 ]; then -# Display --indent 2 --text "- Checking configured nameservers" -# logtext "Test: Checking /etc/resolv.conf file" -# Display --indent 8 --text "Nameserver: ${I}" --result OK --color GREEN -# ReportSuggestion ${TEST_NO} "Check connection to this nameserver and make sure no outbound DNS queries are blocked (port 53 UDP and TCP)." -# ReportWarning ${TEST_NO} "L" "Nameserver ${I} does not respond" -# fi -# -################################################################################# -# - -#wait_for_keypress - -# -#================================================================================ -# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands From 424f6cccd039ec84b73b93c4f2fd0b9b18fb5829 Mon Sep 17 00:00:00 2001 
From: mboelen Date: Wed, 22 Jul 2015 20:34:14 +0200 Subject: [PATCH 083/167] Release 2.1.1 --- CHANGELOG | 185 ++++++++++++++++++++++++++++++------------------------ 1 file changed, 104 insertions(+), 81 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index d76e21c5..db90546e 100644 --- a/CHANGELOG +++ b/CHANGELOG 
@@ -8,119 +8,142 @@ Author: Michael Boelen (michael.boelen@cisofy.com) Description: Security and system auditing tool Website: https://cisofy.com/lynis/ - GitHub: https://github.com/CISOfy/Lynis + GitHub: https://github.com/CISOfy/lynis - Support policy: See section 'Support' (README file); + Support policy: See section 'Support' in README file Commercial support and plugins available via CISOfy - https://cisofy.com Documentation: See web site, README, FAQ and CHANGELOG file ================================================================================ - = Lynis 2.1.x (2015-xx-xx) = - This release adds several improvements and in different areas. Support for systems - like CentOS, openSUSE, Slackware is improved. It includes further cleanups of the - code, performance tweaks and more support for common software components. + = Lynis 2.1.1 (2015-07-22) = - Performance: - Performance tuning has been applied, to speed up execution of the audit on - systems with many files. + This release adds a lot of improvements, with focus on performance, and + additional support for common Linux distributions and external utilities. + We recommend to use this latest version. - Automatic updater: - Initial work on an automatic updater has been implemented. This way Lynis can - be scheduled for updating from a trusted source. + * Operating system enhancements + ------------------------------- + Support for systems like CentOS, openSUSE, Slackware is improved. - Internal functions: - As not all systems have readlink, or the -f option of readlink, the - ShowSymlinkPath function has been extended with a Python based check. + * Performance + ------------- + Performance tuning has been applied, to speed up execution of the audit on + systems with many files. This also includes code cleanups. - Software support: - Apache module directory /usr/lib64/apache has been added, which is used on openSUSE. - Support for Chef has been added. 
+ * Automatic updates + ------------------- + Initial work on an automatic updater has been implemented. This way Lynis + can be scheduled for automatic updating from a trusted source. - File integrity: - Added tests for CSF's lfd utility for integrity monitoring on directories and - files. Related tests are FINT-4334 and FINT-4336. + * Internal functions + -------------------- + Not all systems have readlink, or the -f option of readlink. The + ShowSymlinkPath function has been extended with a Python based check, which + is often available. - Time sychronization: - Added support for Chrony time daemon and timesync daemon. Additionally NTP - sychronization status is checked when it is enabled. + * Software support + ------------------ + Apache module directory /usr/lib64/apache has been added, which is used on + openSUSE. - Other: - Check for permissions has been extended. - Python binary is now detected, to help with symlink detection. - Several new legal terms, for usage in banners, have been added. - In several files old tests have been removed, to further clean up the code. - The hardening index is inserted into the report, even if it is not displayed on screen. + Support for Chef has been added. - Bug fixes: - Nginx test showed error when access_log had multiple parameters + Added tests for CSF's lfd utility for integrity monitoring on directories and + files. Related tests are FINT-4334 and FINT-4336. - Functions: - Added AddSystemGroup function + Added support for Chrony time daemon and timesync daemon. Additionally NTP + sychronization status is checked when it is enabled. 
- New tests: - [PKGS-7366] Scan for debsecan utility on Debian systems - [PKGS-7410] Determine amount of installed kernel packages - [TIME-3106] Check synchronization status of NTP on systemd based systems - [CONT-8102] Docker daemon status and gather basic details - [CONT-8104] Check docker info for any Docker warnings - [CONT-8106] Check total, running and unused Docker containers + Improved single user mode protection on the rescue.service file. - Plugins: - [PLGN-2602] Disabled by default, as it may be too slow for some machines - [PLGN-3002] Extended with /sbin/nologin + * Other + ------- + Check for user permissions has been extended. + Python binary is now detected, to help with symlink detection. + Several new legal terms have been added, which are used for usage in banners. + In several files old tests have been removed, to further clean up the code. - Documentation: - A new document has been created to help with the process of upgrading Lynis. - It is available at https://cisofy.com/documentation/lynis/upgrading/ + * Bug fixes + --------- + Nginx test showed error when access_log had multiple parameters. + Tests using locate won't be performed if not present. + Fix false positive match on Squid unsafe ports [SQD-3624]. + The hardening index is now also inserted into the report if it is not displayed + on screen. 
+ + * Functions + --------- + Added AddSystemGroup function + + * New tests + --------- + Several new tests have been added: + + [PKGS-7366] Scan for debsecan utility on Debian systems + [PKGS-7410] Determine amount of installed kernel packages + [TIME-3106] Check synchronization status of NTP on systemd based systems + [CONT-8102] Docker daemon status and gather basic details + [CONT-8104] Check docker info for any Docker warnings + [CONT-8106] Check total, running and unused Docker containers + + * Plugins + --------- + + [PLGN-2602] Disabled by default, as it may be too slow for some machines + [PLGN-3002] Extended with /sbin/nologin + + * Documentation + --------------- + A new document has been created to help with the process of upgrading Lynis. + It is available at https://cisofy.com/documentation/lynis/upgrading/ -------------------------------------------------------------- - = Lynis 2.1.0 (2015-04-16) = + = Lynis 2.1.0 (2015-04-16) = - General: - --------- - Screen output has been improved to provide additional information. + * General + --------- + Screen output has been improved to provide additional information. - OS support: - ------------ - CUPS detection on Mac OS has been improved. AIX systems will now use csum - utility to create host ID. Group check have been altered on AIX, to include - the -n ALL. Core dump check on Linux is extended to check for actual values - as well. + * OS support + ------------ + CUPS detection on Mac OS has been improved. AIX systems will now use csum + utility to create host ID. Group check have been altered on AIX, to include + the -n ALL. Core dump check on Linux is extended to check for actual values + as well. - Software: - ---------- - McAfee detection has been extended by detecting a running cma binary. - Improved detection of pf firewall on BSD and Mac OS. Security patch checking - with zypper extended. + * Software + ---------- + McAfee detection has been extended by detecting a running cma binary. 
+ Improved detection of pf firewall on BSD and Mac OS. Security patch checking + with zypper extended. - Session timeout: - ----------------- - Tests to determine shell time out setting have been extended to account for - AIX, HP-UX and other platforms. It will now determine also if variable is - exported as a readonly variable. Related compliance section PCI DSS 8.1.8 - has been extended. + * Session timeout + ----------------- + Tests to determine shell time out setting have been extended to account for + AIX, HP-UX and other platforms. It will now determine also if variable is + exported as a readonly variable. Related compliance section PCI DSS 8.1.8 + has been extended. - Documentation: - --------------- - - New document: Getting started with Lynis - https://cisofy.com/documentation/lynis/get-started/ + * Documentation + --------------- + - New document: Getting started with Lynis + https://cisofy.com/documentation/lynis/get-started/ - Plugins (Enterprise): - ---------------------- - - Update to file integrity plugin - Changes to PLGN-2606 (capabilities check) + * Plugins (Enterprise) + ---------------------- + - Update to file integrity plugin + Changes to PLGN-2606 (capabilities check) - - New configuration plugins: - PLGN-4802 (SSH settings) - PLGN-4804 (login.defs) + - New configuration plugins: + PLGN-4802 (SSH settings) + PLGN-4804 (login.defs) - Download link: https://cisofy.com/download/lynis/ + Download link: https://cisofy.com/download/lynis/ -------------------------------------------------------------- From c998924b51c019f20acff2899a9c6dbb83d1251e Mon Sep 17 00:00:00 2001 From: Mark Ruys Date: Fri, 24 Jul 2015 15:11:39 +0200 Subject: [PATCH 084/167] Fix STRG-1840 (Check for disabled USB storage) --- include/tests_storage | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/tests_storage b/include/tests_storage index 796e07d3..dbae4aca 100644 --- a/include/tests_storage +++ b/include/tests_storage 
@@ -33,7 +33,7 @@ if [ -d /etc/modprobe.d ]; then FIND=`ls /etc/modprobe.d/* 2> /dev/null` if [ ! "${FIND}" = "" ]; then - FIND=`grep -r "install usb-storage /bin/(false|true)" /etc/modprobe.d/* | grep "usb-storage" | grep -v "#"` + FIND=`grep -r "install usb-storage /bin/\(false\|true\)" /etc/modprobe.d/* | grep "usb-storage" | grep -v "#"` FIND2=`egrep -r "^blacklist (usb_storage|usb-storage)" /etc/modprobe.d/*` if [ ! "${FIND}" = "" -o ! "${FIND2}" = "" ]; then FOUND=1 @@ -44,7 +44,7 @@ fi fi if [ -f /etc/modprobe.conf ]; then - FIND=`grep "install usb-storage /bin/(false|true)" /etc/modprobe.conf | grep "usb-storage" | grep -v "#"` + FIND=`grep "install usb-storage /bin/\(false\|true\)" /etc/modprobe.conf | grep "usb-storage" | grep -v "#"` if [ ! "${FIND}" = "" ]; then FOUND=1 logtext "Result: found usb-storage driver in disabled state" From 25c8567b572f44b2e86a99a084714c115252a830 Mon Sep 17 00:00:00 2001 From: Martijn Pepping Date: Fri, 24 Jul 2015 23:58:50 +0200 Subject: [PATCH 085/167] Fixed an comparison error when Docker is present, but the daemon is not running (or unset). --- include/tests_containers | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/include/tests_containers b/include/tests_containers index dcd4d238..ce350aee 100644 --- a/include/tests_containers +++ b/include/tests_containers @@ -119,6 +119,9 @@ # Check total of containers logtext "Test: checking total amount of Docker containers" DOCKER_CONTAINERS_TOTAL=`${DOCKERBINARY} info 2> /dev/null | grep "^Containers: " | awk '{ print $2 }'` + if [ ${DOCKER_CONTAINERS_TOTAL} -z ]; then + DOCKER_CONTAINERS_TOTAL=0 + fi logtext "Result: docker info shows ${DOCKER_CONTAINERS_TOTAL} containers" DOCKER_CONTAINERS_TOTAL2=`${DOCKERBINARY} ps -a 2> /dev/null | grep -v "CONTAINER" | wc -l` logtext "Result: docker ps -a shows ${DOCKER_CONTAINERS_TOTAL2} containers" 
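Review bot: The replacement pattern relies on `\|` alternation inside a basic regex, which is a GNU grep extension, while the very next line already uses `egrep` for the blacklist check; the same ERE form here, `FIND=\`grep -E -r "install (usb_storage|usb-storage) /bin/(false|true)" /etc/modprobe.d/* | grep -v "^[[:space:]]*#"\``, is portable and also accepts the underscore spelling that the FIND2 line already tolerates (modprobe treats `-` and `_` in module names as equivalent). The trailing `grep -v "#"` discards any line containing a `#` anywhere, including a valid `install` line with a trailing comment, so a disabled driver can go unreported; anchoring the filter to lines that start with a comment avoids that. The second hunk of this commit (@@ -44,7 +44,7, /etc/modprobe.conf) has the same two issues. The enclosing if-block starts above the hunk.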
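Review bot: The added guard `if [ ${DOCKER_CONTAINERS_TOTAL} -z ]; then` puts the operand before the unary `-z` operator: with an empty value it degenerates to `[ -z ]`, which is true only because the single remaining argument is a non-empty string, and with a real count it becomes `[ 3 -z ]`, which `test` rejects with a unary-operator error and evaluates as false. The intended form is `if [ -z "${DOCKER_CONTAINERS_TOTAL}" ]; then`, which handles the daemon-not-running case the commit message describes without spurious errors on hosts that do have containers. Since `docker info` runs under `2> /dev/null`, a failed call is otherwise indistinguishable from a host with zero containers, so logging that the value was defaulted, `logtext "Result: docker info returned no container count, assuming 0"`, keeps the report honest. The enclosing block continues outside the hunk.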
@@ -131,7 +134,7 @@ fi # Check running instances - DOCKER_CONTAINERS_RUNNING=`${DOCKERBINARY} ps | grep -v "CONTAINER" | wc -l` + DOCKER_CONTAINERS_RUNNING=`${DOCKERBINARY} ps 2> /dev/null | grep -v "CONTAINER" | wc -l` Display --indent 8 --text "- Running containers" --result "${DOCKER_CONTAINERS_RUNNING}" --color GREEN if [ ${DOCKER_CONTAINERS_RUNNING} -gt 0 ]; then logtext "Result: ${DOCKER_CONTAINERS_RUNNING} containers are currently active" From 919e48001d01d00dce08aaa1714611dfbe5ab922 Mon Sep 17 00:00:00 2001 From: Mark Ruys Date: Mon, 27 Jul 2015 12:38:13 +0200 Subject: [PATCH 086/167] More reliable and often faster check to determine virtualization. --- include/functions | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/include/functions b/include/functions index d2db98ce..ff9591db 100644 --- a/include/functions +++ b/include/functions @@ -590,6 +590,19 @@ # 0 = no, 1 = yes, 2 = unknown ISVIRTUALMACHINE=2; VMTYPE="unknown"; VMFULLTYPE="Unknown" + # Trying facter + if [ -x /usr/bin/facter ]; then + case "`facter is_virtual`" in + "true") + VMTYPE=`facter virtual` + logtext "Result: found virtual machine (type: ${VMTYPE})" + report "vm=1" + report "vmtype=${VMTYPE}" + return ;; + "false") return ;; + esac + fi + SHORT="" # Trying systemd @@ -601,6 +614,13 @@ fi fi + # # dmidecode + # if [ "${SHORT}" = "" ]; then + # if [ -x /usr/sbin/dmidecode ]; then + # SHORT=`dmidecode -s system-product-name` + # fi + # fi + # lshw if [ "${SHORT}" = "" ]; then if [ -x /usr/bin/lshw ]; then From c1533442406ad788c5b55bde4f312b04becd0888 Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 19 Aug 2015 15:31:24 +0200 Subject: [PATCH 087/167] Capture self-signed certificates during upload with cURL --- include/data_upload | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/include/data_upload b/include/data_upload index 821deaa9..e5fad676 100644 --- a/include/data_upload +++ b/include/data_upload 
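Review bot: Redirecting stderr hides the failure, but the pipeline's result is still `wc -l` of an empty stream, so an unreachable daemon now yields `DOCKER_CONTAINERS_RUNNING=0` and is displayed in GREEN as a normal finding; the exit status of `${DOCKERBINARY} ps` is lost behind the pipe and never consulted. A separate check before the count, `if ! ${DOCKERBINARY} ps > /dev/null 2>&1; then logtext "Result: docker ps failed, daemon not reachable"; fi`, lets the audit distinguish "no running containers" from "could not ask". The enclosing block starts above the hunk.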
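Review bot: The new facter branch returns without updating ISVIRTUALMACHINE, which the context line just above initialises to 2 (unknown), so a `true` answer reports `vm=1` while the variable still says unknown, and a `false` answer leaves it at 2 instead of 0; add `ISVIRTUALMACHINE=1` before the `return` in the `"true"` arm and `ISVIRTUALMACHINE=0` in the `"false"` arm. The guard tests `-x /usr/bin/facter` but both calls then resolve `facter` through PATH; invoking `/usr/bin/facter` in the `case` selector and in `VMTYPE=\`/usr/bin/facter virtual\`` keeps the check and the call consistent. The commented-out dmidecode block added in the second hunk of this commit (@@ -601,6 +614,13) is dead code on the new side and is better dropped or enabled. The enclosing function starts and ends outside the hunk.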
@@ -119,13 +119,20 @@ output "Settings file: ${SETTINGS_FILE}" # Try to connect output "Uploading data.." logtext "Command used: ${CURLBINARY} ${CURL_OPTIONS} -s -S --data-urlencode \"data@${REPORTFILE}\" --data-urlencode \"licensekey=${LICENSE_KEY}\" --data-urlencode \"hostid=${HOSTID}\" ${UPLOAD_URL}" - UPLOAD=`${CURLBINARY} ${CURL_OPTIONS} -s -S --data-urlencode "data@${REPORTFILE}" --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "hostid=${HOSTID}" ${UPLOAD_URL}` - if [ $? -gt 0 ]; then - #UPLOAD_CODE=`echo ${UPLOAD} | head -n 1 | awk '{ print $2 }'` - #output "Output code from upload: ${UPLOAD_CODE}" - output "${RED}Error occurred, please check documentation for code ${UPLOAD_CODE}.${NORMAL}" - output "Debug:" - output ${UPLOAD} + UPLOAD=`${CURLBINARY} ${CURL_OPTIONS} -s -S --data-urlencode "data@${REPORTFILE}" --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "hostid=${HOSTID}" ${UPLOAD_URL} 2> /dev/null` + EXITCODE=$? + if [ ${EXITCODE} -gt 0 ]; then + if [ ${EXITCODE} -eq 60 ]; then + output "${RED}Self-signed certificate used on Lynis Enterprise node${NORMAL}" + output "If you want to accept a self-signed certificate, use the -k option in the profile." + output "Example: ${WHITE}config:upload_options:-k:${NORMAL}" + else + #UPLOAD_CODE=`echo ${UPLOAD} | head -n 1 | awk '{ print $2 }'` + #output "Output code from upload: ${UPLOAD_CODE}" + output "${RED}Error occurred, please check documentation for code ${UPLOAD_CODE}.${NORMAL}" + output "Debug:" + output ${UPLOAD} + fi # Quit ExitClean fi From e4e26930b08b50815c8f927674ce5fb8d95c36ba Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 19 Aug 2015 15:32:04 +0200 Subject: [PATCH 088/167] Ensure that Lynis does not wait in quick mode --- lynis | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lynis b/lynis index eaad013c..c3ac0843 100755 --- a/lynis +++ b/lynis 
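Review bot: The added `2> /dev/null` on the curl line silences exactly the diagnostics that `-S` is there to show, so on any failure other than 60 the user sees only `${UPLOAD}`, which is curl's stdout and typically empty; capture stderr into the variable instead, `... ${UPLOAD_URL} 2>&1`, or drop `-S`. The else branch prints `${UPLOAD_CODE}`, but the only assignment to it in this block is commented out, so the value is stale from the earlier license check or empty. `output ${UPLOAD}` is unquoted, letting server-supplied text be word-split and glob-expanded before display; use `output "${UPLOAD}"`. Curl exit code 60 means the peer certificate could not be verified against the trusted CAs, not specifically that it is self-signed, and `-k` disables certificate verification entirely, so the hint should state that and recommend adding the CA to the system trust store as the preferred fix. The same curl-60 block and `2> /dev/null` are added to the license check in the @@ -90,7 +90,18 hunk of commit 089.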
@@ -417,7 +417,7 @@ echo "" echo " ###################################################################" echo "${NORMAL}"; echo "" - if [ ${NEVERBREAK} -eq 0 ]; then read void; fi + if [ ${QUICKMODE} -eq 0 ]; then read void; fi fi # ################################################################################# From 2e87b8fde91f5a40ec2db1edd1ed22e5ce420cb7 Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 19 Aug 2015 15:51:52 +0200 Subject: [PATCH 089/167] Apply additional checks on first cURL command execution --- include/data_upload | 38 +++++++++++++++++++++++--------------- 1 file changed, 23 insertions(+), 15 deletions(-) diff --git a/include/data_upload b/include/data_upload index e5fad676..577a3dd8 100644 --- a/include/data_upload +++ b/include/data_upload @@ -90,7 +90,18 @@ output "Settings file: ${SETTINGS_FILE}" if [ -f ${REPORTFILE} ]; then output "${WHITE}Report file found.${NORMAL} Starting with connectivity check.." # Quit if license is not valid, to reduce load on both client and server. - UPLOAD=`${CURLBINARY} ${CURL_OPTIONS} -s -S --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "collector_version=${PROGRAM_VERSION}" ${LICENSE_SERVER_URL}` + UPLOAD=`${CURLBINARY} ${CURL_OPTIONS} -s -S --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "collector_version=${PROGRAM_VERSION}" ${LICENSE_SERVER_URL} 2> /dev/null` + EXITCODE=$? + if [ ${EXITCODE} -gt 0 ]; then + if [ ${EXITCODE} -eq 60 ]; then + output "${RED}Self-signed certificate used on Lynis Enterprise node${NORMAL}" + output "If you want to accept a self-signed certificate, use the -k option in the profile." + output "Example: ${WHITE}config:upload_options:-k:${NORMAL}" + else + output "${RED}Error: ${NORMAL}cURL exited with code ${EXITCODE}" + fi + ExitFatal + fi UPLOAD_CODE=`echo ${UPLOAD} | head -n 1 | awk '{ if ($1=="Response") { print $2 }}'` if [ "${UPLOAD_CODE}" = "100" ]; then output "${WHITE}License is valid${NORMAL}" 
@@ -110,7 +121,7 @@ output "Settings file: ${SETTINGS_FILE}" echo "Key: ${LICENSE_KEY}" output "Debug information: ${UPLOAD}" # Quit - ExitClean + ExitFatal fi # Extract the hostid from the parse file HOSTID=`cat ${REPORTFILE} | grep "^hostid=" | awk -F= '{ print $2 }'` @@ -122,27 +133,24 @@ output "Settings file: ${SETTINGS_FILE}" UPLOAD=`${CURLBINARY} ${CURL_OPTIONS} -s -S --data-urlencode "data@${REPORTFILE}" --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "hostid=${HOSTID}" ${UPLOAD_URL} 2> /dev/null` EXITCODE=$? if [ ${EXITCODE} -gt 0 ]; then - if [ ${EXITCODE} -eq 60 ]; then - output "${RED}Self-signed certificate used on Lynis Enterprise node${NORMAL}" - output "If you want to accept a self-signed certificate, use the -k option in the profile." - output "Example: ${WHITE}config:upload_options:-k:${NORMAL}" - else - #UPLOAD_CODE=`echo ${UPLOAD} | head -n 1 | awk '{ print $2 }'` - #output "Output code from upload: ${UPLOAD_CODE}" - output "${RED}Error occurred, please check documentation for code ${UPLOAD_CODE}.${NORMAL}" - output "Debug:" - output ${UPLOAD} - fi + #UPLOAD_CODE=`echo ${UPLOAD} | head -n 1 | awk '{ print $2 }'` + #output "Output code from upload: ${UPLOAD_CODE}" + output "${RED}Error: ${NORMAL}Error occurred, cURL ended during the upload of the report data." + output "Related exit code: ${EXITCODE}" + output "Check the last section of the log file for the exact command used, for further troubleshooting" + output "Debug:" + output ${UPLOAD} # Quit ExitClean fi else - echo "${RED}Fatal error${NORMAL}: No hostid found in report file. Can not upload report file." + echo "${RED}Error${NORMAL}: No hostid found in report file. Can not upload report file." # Quit - ExitClean + ExitFatal fi else output "${YELLOW}No report file found to upload.${NORMAL}" + ExitFatal fi # From 8c1e1f29a3f2b926f191983eec1aa716cae26aec Mon Sep 17 00:00:00 2001 
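Review bot: The new troubleshooting text sends users to the log file for the exact command used, but the `logtext "Command used: ..."` line kept above this hunk writes the full curl invocation including `licensekey=${LICENSE_KEY}` to the log, so anyone following this advice and sharing the log exposes the key; log the command with the key redacted, e.g. `--data-urlencode \"licensekey=<redacted>\"`, and keep the real key only on the curl line. `output ${UPLOAD}` remains unquoted here as well. The hostid error switches to `echo` while the neighbouring messages use `output`; if `output` also writes to the log (its definition is not visible here), that message is lost from it. The enclosing if-chain starts above the hunk.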
From: mboelen Date: Wed, 19 Aug 2015 16:02:50 +0200 Subject: [PATCH 090/167] Additional logging --- include/data_upload | 3 +++ 1 file changed, 3 insertions(+) diff --git a/include/data_upload b/include/data_upload index 577a3dd8..68b07093 100644 --- a/include/data_upload +++ b/include/data_upload @@ -97,9 +97,12 @@ output "Settings file: ${SETTINGS_FILE}" output "${RED}Self-signed certificate used on Lynis Enterprise node${NORMAL}" output "If you want to accept a self-signed certificate, use the -k option in the profile." output "Example: ${WHITE}config:upload_options:-k:${NORMAL}" + logtext "Result: found self-signed certificate, however not related -k upload option" else output "${RED}Error: ${NORMAL}cURL exited with code ${EXITCODE}" + logtext "Result: cURL exited with code ${EXITCODE}" fi + logtext "Result: quitting, can't check license" ExitFatal fi UPLOAD_CODE=`echo ${UPLOAD} | head -n 1 | awk '{ if ($1=="Response") { print $2 }}'` From 0c2a9daef9d4e9bc83faffe9e0b27fe5b4f1da36 Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 19 Aug 2015 16:19:14 +0200 Subject: [PATCH 091/167] Show help on screen --- include/data_upload | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/include/data_upload b/include/data_upload index 68b07093..bff4ee83 100644 --- a/include/data_upload +++ b/include/data_upload 
@@ -94,9 +94,9 @@ output "Settings file: ${SETTINGS_FILE}" EXITCODE=$? if [ ${EXITCODE} -gt 0 ]; then if [ ${EXITCODE} -eq 60 ]; then - output "${RED}Self-signed certificate used on Lynis Enterprise node${NORMAL}" - output "If you want to accept a self-signed certificate, use the -k option in the profile." - output "Example: ${WHITE}config:upload_options:-k:${NORMAL}" + echo "${RED}Self-signed certificate used on Lynis Enterprise node${NORMAL}" + echo "If you want to accept a self-signed certificate, use the -k option in the profile." + echo "Example: ${WHITE}config:upload_options:-k:${NORMAL}" logtext "Result: found self-signed certificate, however not related -k upload option" else output "${RED}Error: ${NORMAL}cURL exited with code ${EXITCODE}" @@ -138,11 +138,11 @@ output "Settings file: ${SETTINGS_FILE}" if [ ${EXITCODE} -gt 0 ]; then #UPLOAD_CODE=`echo ${UPLOAD} | head -n 1 | awk '{ print $2 }'` #output "Output code from upload: ${UPLOAD_CODE}" - output "${RED}Error: ${NORMAL}Error occurred, cURL ended during the upload of the report data." - output "Related exit code: ${EXITCODE}" - output "Check the last section of the log file for the exact command used, for further troubleshooting" - output "Debug:" - output ${UPLOAD} + echo "${RED}Error: ${NORMAL}Error occurred, cURL ended during the upload of the report data." + echo "Related exit code: ${EXITCODE}" + echo "Check the last section of the log file for the exact command used, for further troubleshooting" + echo "Debug:" + echo ${UPLOAD} # Quit ExitClean fi From 7bd91675feae33fbc2131ac839798ead438ce2f9 Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 19 Aug 2015 16:20:21 +0200 Subject: [PATCH 092/167] Improved debug logging --- include/data_upload | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/data_upload b/include/data_upload index bff4ee83..d7bf1401 100644 --- a/include/data_upload +++ b/include/data_upload 
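Review bot: `echo ${UPLOAD}` in the second hunk prints the raw HTTP response from the upload server unquoted, so it is split and glob-expanded, and `echo` itself may interpret a leading `-n` or `-e` in the data; `printf '%s\n' "${UPLOAD}"` prints it as-is. Because the content is remote-controlled, anything the server returns, including terminal control sequences, is written straight to the user's terminal; stripping non-printable characters before display is worth a comment at least. The reason for switching the other lines from `output` to `echo` is not stated; a comment such as `# echo rather than output so this help text is shown regardless of output settings` would record the intent, if that is what it is.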
@@ -96,8 +96,8 @@ output "Settings file: ${SETTINGS_FILE}" if [ ${EXITCODE} -eq 60 ]; then echo "${RED}Self-signed certificate used on Lynis Enterprise node${NORMAL}" echo "If you want to accept a self-signed certificate, use the -k option in the profile." - echo "Example: ${WHITE}config:upload_options:-k:${NORMAL}" - logtext "Result: found self-signed certificate, however not related -k upload option" + echo "Example: ${WHITE}config:upload_options:-k:${NORMAL}" + logtext "Result: found self-signed certificate, however cURL -k option not used." else output "${RED}Error: ${NORMAL}cURL exited with code ${EXITCODE}" logtext "Result: cURL exited with code ${EXITCODE}" From cf9b12ca5b1baddfae247a236d2daefc41d92130 Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 20 Aug 2015 18:36:07 +0200 Subject: [PATCH 093/167] Version bump --- lynis | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lynis b/lynis index c3ac0843..b81fc1a0 100755 --- a/lynis +++ b/lynis @@ -22,8 +22,8 @@ # # Program information PROGRAM_name="Lynis" - PROGRAM_version="2.1.1" - PROGRAM_releasedate="22 July 2015" + PROGRAM_version="2.1.2" + PROGRAM_releasedate="20 August 2015" PROGRAM_author="CISOfy" PROGRAM_author_contact="lynis-dev@cisofy.com" PROGRAM_website="https://cisofy.com" From 649f0cfb3c1c1bff7976a11c86a069ffd097d35a Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 20 Aug 2015 18:37:03 +0200 Subject: [PATCH 094/167] Improved BOOT-5180 detection for newer systems like Debian 8 and screen output enhancement --- include/tests_boot_services | 25 ++++++++++++++++++++----- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/include/tests_boot_services b/include/tests_boot_services index 5ce609f8..014acc67 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services @@ -24,6 +24,7 @@ # BOOT_LOADER="unknown" BOOT_LOADER_FOUND=0 + BOOT_LOADER_SEARCHED=0 GRUB_VERSION=0 SERVICE_MANAGER="unknown" # 
@@ -34,6 +35,7 @@ # Notes : The AIX bootstrap is called as software ROS. Bootstrap contains IPL (Initial Program loader) Register --test-no BOOT-5102 --os AIX --weight L --network NO --root-only YES --description "Check for AIX boot device" if [ ${SKIPTEST} -eq 0 ]; then + BOOT_LOADER_SEARCHED=1 logtext "Test: Query bootinfo for AIX boot device" if [ -x /usr/sbin/bootinfo ]; then FIND=`/usr/sbin/bootinfo -b` @@ -61,6 +63,7 @@ # upstart - Used by Debian/Ubuntu Register --test-no BOOT-5104 --weight L --network NO --description "Determine service manager" if [ ${SKIPTEST} -eq 0 ]; then + BOOT_LOADER_SEARCHED=1 case ${OS} in "Linux") if [ -f /proc/1/cmdline ]; then @@ -120,6 +123,7 @@ # Description : Check for GRUB boot loader Register --test-no BOOT-5121 --weight L --network NO --description "Check for GRUB boot loader presence" if [ ${SKIPTEST} -eq 0 ]; then + BOOT_LOADER_SEARCHED=1 FOUND=0 logtext "Test: Checking for presence GRUB conf file (/boot/grub/grub.conf or /boot/grub/menu.lst)" if [ -f /boot/grub/grub.conf -o -f /boot/grub/menu.lst ]; then @@ -204,6 +208,7 @@ # Description : Check for FreeBSD boot loader Register --test-no BOOT-5124 --os FreeBSD --weight L --network NO --description "Check for FreeBSD boot loader presence" if [ ${SKIPTEST} -eq 0 ]; then + BOOT_LOADER_SEARCHED=1 if [ -f /boot/boot1 -a -f /boot/boot2 -a -f /boot/loader ]; then logtext "Result: found boot1, boot2 and loader files in /boot" Display --indent 2 --text "- Checking presence FreeBSD loader" --result FOUND --color GREEN @@ -220,6 +225,7 @@ # Description : Check for NetBSD boot loader Register --test-no BOOT-5126 --os NetBSD --weight L --network NO --description "Check for NetBSD boot loader presence" if [ ${SKIPTEST} -eq 0 ]; then + BOOT_LOADER_SEARCHED=1 if [ -f /boot.${HARDWARE} -o -f /boot -o -f /ofwboot ]; then logtext "Result: found NetBSD secondary bootstrap" Display --indent 2 --text "- Checking presence NetBSD loader" --result FOUND --color GREEN 
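Review bot: `BOOT_LOADER_SEARCHED=1` is also set in BOOT-5104 (the `Determine service manager` test in the second hunk here), which does not look for a boot loader at all; since that test carries no `--os` restriction it runs on most systems, so the guard `[ ${BOOT_LOADER_FOUND} -eq 0 -a ${BOOT_LOADER_SEARCHED} -eq 1 ]` in the later hunk at the `NONE FOUND` report will still fire on systems where only the service-manager test executed. Dropping the assignment from BOOT-5104 keeps the flag tied to the actual loader tests (BOOT-5102, -5121, -5124, -5126, -5139, -5142, -5155, -5159). A short comment next to the new variable in the first hunk, `# Set to 1 by every test that actually searched for a boot loader`, would make that contract explicit.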
@@ -238,6 +244,7 @@ # Notes : password= or password = Register --test-no BOOT-5139 --weight L --network NO --description "Check for LILO boot loader presence" if [ ${SKIPTEST} -eq 0 ]; then + BOOT_LOADER_SEARCHED=1 LILOCONFFILE="/etc/lilo.conf" logtext "Test: checking for presence LILO configuration file" if [ -f ${LILOCONFFILE} ]; then @@ -274,6 +281,7 @@ # Description : Check for SILO boot loader Register --test-no BOOT-5142 --weight L --network NO --description "Check SPARC Improved boot loader (SILO)" if [ ${SKIPTEST} -eq 0 ]; then + BOOT_LOADER_SEARCHED=1 if [ -f /etc/silo.conf ]; then logtext "Result: Found SILO configuration file (/etc/silo.conf)" Display --indent 2 --text "- Checking boot loader SILO" --result FOUND --color GREEN @@ -310,6 +318,7 @@ # Description : Check for YABOOT boot loader Register --test-no BOOT-5155 --weight L --network NO --description "Check for YABOOT boot loader configuration file" if [ ${SKIPTEST} -eq 0 ]; then + BOOT_LOADER_SEARCHED=1 logtext "Test: Check for /etc/yaboot.conf" if [ -f /etc/yaboot.conf ]; then logtext "Result: Found YABOOT configuration file (/etc/yaboot.conf)" @@ -328,6 +337,7 @@ # More info : Only OpenBSD Register --test-no BOOT-5159 --os OpenBSD --weight L --network NO --description "Check for OpenBSD boot loader presence" if [ ${SKIPTEST} -eq 0 ]; then + BOOT_LOADER_SEARCHED=1 FOUND=0 # Boot files # /usr/mdec/biosboot: first stage bootstrap @@ -365,7 +375,7 @@ # ################################################################################# # - if [ ${BOOT_LOADER_FOUND} -eq 0 ]; then + if [ ${BOOT_LOADER_FOUND} -eq 0 -a ${BOOT_LOADER_SEARCHED} -eq 1 ]; then # Your boot loader is not detected. Want to help supporting it, see the README ReportException "BOOTLOADER" "No boot loader found" Display --indent 4 --text "- Boot loader" --result "NONE FOUND" --color RED 
@@ -460,12 +470,15 @@ # # Test : BOOT-5180 # Description : Check for Linux boot services (Debian style) + # Notes : Debian 8+ shows runlevel 5 if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no BOOT-5180 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for Linux boot services (Debian style)" if [ ${SKIPTEST} -eq 0 ]; then # Runlevel check - sRUNLEVEL=`${RUNLEVELBINARY} | grep "N 2"` - if [ ! "${sRUNLEVEL}" = "" ]; then + sRUNLEVEL=`${RUNLEVELBINARY} | grep "N [0-9]" | awk '{ print $2} '` + logtext "Result: found runlevel ${sRUNLEVEL}" + if [ "${sRUNLEVEL}" = "2" ]; then + logtext "Result: performing find in /etc/rc2.d as runlevel 2 is found" FIND=`find /etc/rc2.d -type l -print | cut -d '/' -f4 | sed "s/S[0-9][0-9]//g" | sort` if [ ! "${FIND}" = "" ]; then N=0 @@ -475,10 +488,12 @@ done Display --indent 2 --text "- Check services at startup (rc2.d)" --result "DONE" --color WHITE Display --indent 4 --text "Result: found $N services" - logtext "Found $N services" + logtext "Result: found $N services" fi - else + elif [ "${sRUNLEVEL}" = "" ]; then ReportSuggestion ${TEST_NO} "Determine runlevel and services at startup" + else + logtext "Result: skipping further actions" fi fi # From 210ba41a3c2c43041fa4ba40e9e0b0676052a2b8 Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 20 Aug 2015 18:46:06 +0200 Subject: [PATCH 095/167] Improved umask detection and logging --- include/tests_authentication | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/include/tests_authentication b/include/tests_authentication index b00ef5ad..d4e9463b 100644 --- a/include/tests_authentication +++ b/include/tests_authentication 
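Review bot: The new runlevel handling only inspects `/etc/rc2.d` when runlevel 2 is reported and logs `skipping further actions` for anything else, so on the Debian 8 systems named in the added note (runlevel 5) the startup-services check is silently skipped. Since the directory follows the runlevel, deriving it as `/etc/rc${sRUNLEVEL}.d`, guarded by `[ -d /etc/rc${sRUNLEVEL}.d ]`, would cover every numeric runlevel with one branch; the `Display` text `(rc2.d)` would then use the same variable. The awk program `'{ print $2} '` carries a stray space inside the quotes, harmless but untidy.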
@@ -813,7 +813,9 @@ #FIND2=`egrep "^([[:space:]])([[:tab:]])*umask" /etc/profile | awk '{ print $2 }' | wc -l` WEAK_UMASK=0 FOUND_UMASK=0 - if [ "${FIND2}" = "1" ]; then + if [ "${FIND2}" = "0" ]; then + logtext "Result: did not find umask in /etc/profile" + elif [ "${FIND2}" = "1" ]; then logtext "Result: found umask (prefixed with spaces)" FOUND_UMASK=1 if [ ! "${FIND}" = "077" -a ! "${FIND}" = "027" ]; then @@ -824,7 +826,7 @@ fi # Found more than 1 umask value in profile else - logtext "Result: found several umask values configured in /etc/profile" + logtext "Result: found multiple umask values configured in /etc/profile" FOUND_UMASK=1 for I in ${FIND}; do if [ ! "${I}" = "077" -a ! "${I}" = "027" ]; then @@ -861,7 +863,7 @@ logtext "Test: Checking umask entries in /etc/passwd (pam_umask)" if [ -f /etc/passwd ]; then logtext "Result: file /etc/passwd exists" - logtext "Test: Checking umask value in /etc/profile" + logtext "Test: Checking umask value in /etc/passwd" FIND=`grep "umask=" /etc/passwd` if [ "${FIND}" = "" ]; then ReportManual "AUTH-9328:03" @@ -873,7 +875,7 @@ # /etc/login.defs logtext "Test: Checking /etc/login.defs" if [ -f /etc/login.defs ]; then - logtext "Result: file /etc/profile exists" + logtext "Result: file /etc/login.defs exists" logtext "Test: Checking umask value in /etc/login.defs" FIND=`grep "^UMASK" /etc/login.defs | awk '{ print $2 }'` if [ "${FIND}" = "" ]; then From d1ae757240bfe0a8c9e45026e5cc330ae541bcd5 Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 20 Aug 2015 18:50:30 +0200 Subject: [PATCH 096/167] Replaced -z for empty string testing --- include/tests_containers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_containers b/include/tests_containers index ce350aee..c8c81fe0 100644 --- a/include/tests_containers +++ b/include/tests_containers 
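Review bot: The new `if [ "${FIND2}" = "0" ]` branch relies on FIND2 holding a line count, but the only assignment visible in the hunk (`#FIND2=... | wc -l`) is commented out; if FIND2 is set by an earlier line outside the hunk this is fine, otherwise the new branch can never match. If the live assignment also ends in `wc -l`, note that on BSD platforms that output is padded with leading spaces, so the comparison with `"0"` would fail unless the count is trimmed. A comment above the chain, `# FIND2 is the number of umask lines found in /etc/profile`, would document the contract. The enclosing test begins before the first hunk.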
@@ -119,7 +119,7 @@ # Check total of containers logtext "Test: checking total amount of Docker containers" DOCKER_CONTAINERS_TOTAL=`${DOCKERBINARY} info 2> /dev/null | grep "^Containers: " | awk '{ print $2 }'` - if [ ${DOCKER_CONTAINERS_TOTAL} -z ]; then + if [ "${DOCKER_CONTAINERS_TOTAL}" = "" ]; then DOCKER_CONTAINERS_TOTAL=0 fi logtext "Result: docker info shows ${DOCKER_CONTAINERS_TOTAL} containers" From 3251b4a6a6b7a02d4b2ae23af7cfeba17009d6f3 Mon Sep 17 00:00:00 2001 From: mboelen Date: Mon, 31 Aug 2015 13:22:28 +0200 Subject: [PATCH 097/167] Added full author name --- lynis | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lynis b/lynis index b81fc1a0..d49c4bf9 100755 --- a/lynis +++ b/lynis @@ -24,7 +24,7 @@ PROGRAM_name="Lynis" PROGRAM_version="2.1.2" PROGRAM_releasedate="20 August 2015" - PROGRAM_author="CISOfy" + PROGRAM_author="Michael Boelen, CISOfy" PROGRAM_author_contact="lynis-dev@cisofy.com" PROGRAM_website="https://cisofy.com" PROGRAM_copyright="Copyright 2007-2015 - ${PROGRAM_author}, ${PROGRAM_website}" From 7cb9e364c77cd67caa27081164e4d9588b3b74c4 Mon Sep 17 00:00:00 2001 From: mboelen Date: Mon, 31 Aug 2015 13:23:17 +0200 Subject: [PATCH 098/167] Proper filtering for IPv6 addresses --- include/tests_nameservices | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/tests_nameservices b/include/tests_nameservices index 6aedd833..0a7b8d56 100644 --- a/include/tests_nameservices +++ b/include/tests_nameservices @@ -566,7 +566,7 @@ if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Check /etc/hosts contains an entry for this server name" if [ -f /etc/hosts ]; then - sFIND=`cat /etc/hosts | egrep -v '^(#|$|::1|localhost)' | grep ${HOSTNAME}` + sFIND=`cat /etc/hosts | egrep -v '^(#|$|^::1\s|localhost)' | grep ${HOSTNAME}` if [ "${sFIND}" != "" ]; then logtext "Result: Found entry for ${HOSTNAME} in /etc/hosts" Display --indent 4 --text "- Checking /etc/hosts (hostname)" --result OK --color GREEN 
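Review bot: The new exclusion `'^(#|$|^::1\s|localhost)'` in the /etc/hosts hunk uses `\s`, which is a GNU extension rather than POSIX ERE, so on the BSD `egrep` of FreeBSD (a supported platform in this tree) the IPv6 localhost line may not be filtered and the test can misreport; `[[:space:]]` is portable and the inner `^` is redundant after the leading anchor: `egrep -v '^(#|$|::1[[:space:]]|localhost)'`. The same pattern appears in the next hunk (NAME-4406). The trailing `grep ${HOSTNAME}` is unquoted and unanchored, so a short hostname also matches as a substring of other names in the file.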
@@ -587,7 +587,7 @@ Register --test-no NAME-4406 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check server hostname mapping" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Check server hostname not locally mapped in /etc/hosts" - sFIND=`cat /etc/hosts | egrep -v '^(#|$)' | egrep '(localhost|::1)' | grep ${HOSTNAME}` + sFIND=`cat /etc/hosts | egrep -v '^(#|$)' | egrep '(localhost|^::1\s)' | grep ${HOSTNAME}` if [ ! "${sFIND}" = "" ]; then logtext "Result: Found this server hostname mapped to a local address" Display --indent 4 --text "- Checking /etc/hosts (localhost)" --result SUGGESTION --color YELLOW From 401bf26c910b4bdf60de7b1fd27f94ed98179378 Mon Sep 17 00:00:00 2001 From: mboelen Date: Tue, 1 Sep 2015 13:37:55 +0200 Subject: [PATCH 099/167] NIS improvement for test --- include/tests_authentication | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/include/tests_authentication b/include/tests_authentication index d4e9463b..dd48d80c 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -31,11 +31,12 @@ # Test : AUTH-9204 # Description : Check users with UID zero (0) + # Notes : Ignores :0: in file if match is in NIS related line Register --test-no AUTH-9204 --weight L --network NO --description "Check users with an UID of zero" if [ ${SKIPTEST} -eq 0 ]; then # Search accounts with UID 0 logtext "Test: Searching accounts with UID 0" - FIND=`grep ':0:' /etc/passwd | egrep -v '^#|^root:|^:0:0:::' | cut -d ":" -f1,3 | grep ':0'` + FIND=`grep ':0:' /etc/passwd | egrep -v '^#|^root:|^(\+:\*)?:0:0:::' | cut -d ":" -f1,3 | grep ':0'` if [ ! "${FIND}" = "" ]; then Display --indent 2 --text "- Search administrator accounts" --result WARNING --color RED logtext "Result: Found more than one administrator accounts" From d4b18129620904b345210b1a1896e4a406ba39d6 Mon Sep 17 00:00:00 2001 
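Review bot: The widened exclusion `^(\+:\*)?:0:0:::` in the AUTH-9204 hunk skips only a NIS compat entry spelled exactly `+:*:0:0:::`; other spellings of that line, if a system uses them, would still be reported as an extra UID-0 account, so the added note should say which form is recognised. When the compat line is present, UID-0 accounts served by NIS are not visible in /etc/passwd at all and are therefore outside this test; a log line such as `logtext "Result: NIS compat entry found, UID 0 accounts may also be provided by NIS"` would make that gap visible to whoever reads the report. The enclosing test continues past the hunk.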
From: mboelen Date: Tue, 1 Sep 2015 15:47:32 +0200 Subject: [PATCH 100/167] Changed screen output when finding old files in /tmp --- include/tests_filesystems | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_filesystems b/include/tests_filesystems index 28dfab75..19e44669 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems @@ -297,7 +297,7 @@ Display --indent 2 --text "- Checking for old files in /tmp" --result OK --color GREEN logtext "Result: no files found in /tmp which are older than 3 months" else - Display --indent 2 --text "- Checking for old files in /tmp" --result WARNING --color RED + Display --indent 2 --text "- Checking for old files in /tmp" --result FOUND --color RED N=0 for I in ${FIND}; do FILE=`echo ${I} | sed 's/!space!/ /g'` From 8cefc0f7b9e948bf3da8a2d1c1abaacbb9b946f8 Mon Sep 17 00:00:00 2001 From: mboelen Date: Tue, 1 Sep 2015 15:49:50 +0200 Subject: [PATCH 101/167] Show different status on screen when expired SSL certificates were found --- include/tests_crypto | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/tests_crypto b/include/tests_crypto index 8db5eb69..d883e8b8 100644 --- a/include/tests_crypto +++ b/include/tests_crypto @@ -64,9 +64,9 @@ done if [ ${FOUNDPROBLEM} -eq 0 ]; then - Display --indent 2 --text "- Checking SSL certificate expiration" --result OK --color GREEN + Display --indent 2 --text "- Checking for expired SSL certificates" --result NONE --color GREEN else - Display --indent 2 --text "- Checking SSL certificate expiration" --result WARNING --color RED + Display --indent 2 --text "- Checking for expired SSL certificates" --result FOUND --color RED ReportSuggestion ${TEST_NO} "Check available certificates for expiration" fi fi From 18d97ce60e03e99e19d532c6fcaee01423ed3e26 Mon Sep 17 00:00:00 2001 
From: mboelen Date: Tue, 1 Sep 2015 15:50:14 +0200 Subject: [PATCH 102/167] Use different status for unused firewall rules --- include/tests_firewalls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_firewalls b/include/tests_firewalls index 8563d4e0..81e8dccc 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls @@ -120,7 +120,7 @@ Display --indent 4 --text "- Checking for unused rules" --result OK --color GREEN logtext "Result: There are no unused rules present" else - Display --indent 4 --text "- Checking for unused rules" --result WARNING --color YELLOW + Display --indent 4 --text "- Checking for unused rules" --result FOUND --color YELLOW logtext "Result: Found one or more possible unused rules" logtext "Description: Unused rules can be a sign that the firewall rules aren't optimized or up-to-date" logtext "Note: Sometimes rules aren't triggered but still in use. Keep this in mind before cleaning up rules." From d2aaa9662e269e2e91d05c2e7586e54d53e50da1 Mon Sep 17 00:00:00 2001 From: mboelen Date: Tue, 1 Sep 2015 16:10:16 +0200 Subject: [PATCH 103/167] Changed test description --- include/tests_containers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_containers b/include/tests_containers index c8c81fe0..c1ce3379 100644 --- a/include/tests_containers +++ b/include/tests_containers @@ -112,7 +112,7 @@ # Description : Checking Docker containers (basic stats) # Notes : Hardening points are awarded, if there aren't a lot of stopped containers if [ ! "${DOCKERBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no CONT-8106 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking Docker info for any warnings" + Register --test-no CONT-8106 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather basic stats from Docker" if [ ${SKIPTEST} -eq 0 ]; then Display --indent 6 --text "- Containers" 
From 2577caf66df1d338c8e31e4bf1f7b044ca8a44f4 Mon Sep 17 00:00:00 2001 From: mboelen Date: Tue, 1 Sep 2015 17:40:05 +0200 Subject: [PATCH 104/167] Only show suggestion for ntpdate if ntpd isn't running --- include/tests_time | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/include/tests_time b/include/tests_time index 5569c804..4184f9b3 100644 --- a/include/tests_time +++ b/include/tests_time @@ -164,10 +164,12 @@ FIND=`grep 'ntpdate_enable="YES"' /etc/rc.conf` if [ ! "${FIND}" = "" ]; then logtext "Result: ntpdate is enabled in rc.conf" - # Mark system having a NTP client, but remind user to improve it FOUND=1 NTP_CONFIG_TYPE_STARTUP=1 - ReportSuggestion ${TEST_NO} "Although ntpdate is enabled in rc.conf, it is adviced to run it at least daily or use a NTP daemon" + # Only show suggestion when ntpdate is enabled, however ntpd is not running + if [ ${NTP_DAEMON_RUNNING} -eq 0 ]; then + ReportSuggestion ${TEST_NO} "Although ntpdate is enabled in rc.conf, it is adviced to run it at least daily or use a NTP daemon" + fi else logtext "Result: ntpdate is not enabled in rc.conf" fi From e37446521d31205a59bb23e6768d91b3e8a533c8 Mon Sep 17 00:00:00 2001 From: dataking Date: Tue, 1 Sep 2015 11:50:07 -0700 Subject: [PATCH 105/167] include/tests_filesystems tweak --- include/tests_filesystems | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/tests_filesystems b/include/tests_filesystems index 19e44669..e2c46e6c 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems @@ -297,7 +297,7 @@ Display --indent 2 --text "- Checking for old files in /tmp" --result OK --color GREEN logtext "Result: no files found in /tmp which are older than 3 months" else - Display --indent 2 --text "- Checking for old files in /tmp" --result FOUND --color RED + Display --indent 2 --text "- Checking for old files in /tmp" --result WARNING --color RED N=0 for I in ${FIND}; do FILE=`echo ${I} | sed 's/!space!/ /g'` 
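Review bot: The new guard `if [ ${NTP_DAEMON_RUNNING} -eq 0 ]` errors out with an integer-expression complaint when the variable is unset or empty, and the suggestion is then neither shown nor logged; `if [ "${NTP_DAEMON_RUNNING:-0}" -eq 0 ]` keeps the behaviour when the variable is initialised elsewhere and falls back to showing the suggestion otherwise. Where NTP_DAEMON_RUNNING is assigned is outside this hunk, so a comment naming the test that sets it would help. The re-added suggestion text still reads `adviced`; `advised` is the spelling.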
@@ -567,7 +567,7 @@ if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Checking locate database" FOUND=0 - LOCATE_DBS="/var/lib/mlocate/mlocate.db /var/lib/locatedb /var/lib/slocate/slocate.db /var/cache/locate/locatedb /var/db/locate.database" + LOCATE_DBS="/var/lib/mlocate/mlocate.db /var/lib/locate/locatedb /var/lib/locatedb /var/lib/slocate/slocate.db /var/cache/locate/locatedb /var/db/locate.database" for I in ${LOCATE_DBS}; do if [ -f ${I} ]; then logtext "Result: locate database found (${I})" From 235b228fe29d9b83c5a3c19cbd3ff9ea708a1590 Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 3 Sep 2015 11:15:55 +0200 Subject: [PATCH 106/167] Added vmtoolsd detection --- include/functions | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/functions b/include/functions index d2db98ce..4d8bd1ce 100644 --- a/include/functions +++ b/include/functions @@ -615,6 +615,8 @@ # VMware IsRunning vmware-guestd if [ ${RUNNING} -eq 1 ]; then SHORT="vmware"; fi + IsRunning vmtoolsd + if [ ${RUNNING} -eq 1 ]; then SHORT="vmware"; fi # VirtualBox based on guest services IsRunning vboxguest-service From f4c2bd52fb8eeec64e7489db5abd365157f2a6a4 Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 3 Sep 2015 15:43:33 +0200 Subject: [PATCH 107/167] Ensure that docker is a file, not directory in /usr/libexec --- include/binaries | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/include/binaries b/include/binaries index ab8f67fe..206f6b12 100644 --- a/include/binaries +++ b/include/binaries 
@@ -86,9 +86,6 @@ as) ASFOUND=1; ASBINARY="${BINARY}"; COMPILER_INSTALLED=1; logtext " Found known binary: as (compiler) - ${BINARY}" ;; auditctl) AUDITCTLFOUND=1; AUDITCTLBINARY="${BINARY}"; logtext " Found known binary: auditctl (control utility for audit daemon) - ${BINARY}" ;; autolog) AUTOLOGFOUND=1; AUTOLOGBINARY="${BINARY}"; IDLE_SESSION_KILLER_INSTALLED=1; logtext " Found known binary: autolog (idle session killer) - ${BINARY}" ;; - debsecan) DEBSECANBINARY="${BINARY}"; logtext " Found known binary: debsecan (package vulnerability checking) - ${BINARY}" ;; - debsums) DEBSUMSBINARY="${BINARY}"; logtext " Found known binary: debsums (package integrity checking) - ${BINARY}" ;; - docker) DOCKERBINARY="${BINARY}"; logtext " Found known binary: docker (container technology) - ${BINARY}" ;; chkconfig) CHKCONFIGFOUND=1; CHKCONFIGBINARY=${BINARY}; logtext " Found known binary: chkconfig (administration tool) - ${BINARY}" ;; clamscan) CLAMSCANFOUND=1; CLAMSCANBINARY=${BINARY}; logtext " Found known binary: clamscan (AV scanner) - ${BINARY}" ;; cfagent) CFAGENTFOUND=1; CFAGENTBINARY="${BINARY}"; FILE_INT_TOOL_FOUND=1; logtext " Found known binary: cfengine agent (configuration tool) - ${BINARY}" ;; 
@@ -96,8 +93,11 @@ comm) COMMBINARY="${BINARY}"; logtext " Found known binary: comm (file compare) - ${BINARY}" ;; csum) CSUMFOUND=1; CSUMBINARY="${BINARY}"; logtext " Found known binary: csum (hashing tool on AIX) - ${BINARY}" ;; curl) CURLFOUND=1; CURLBINARY="${BINARY}"; logtext " Found known binary: curl (browser) - ${BINARY}" ;; + debsecan) DEBSECANBINARY="${BINARY}"; logtext " Found known binary: debsecan (package vulnerability checking) - ${BINARY}" ;; + debsums) DEBSUMSBINARY="${BINARY}"; logtext " Found known binary: debsums (package integrity checking) - ${BINARY}" ;; dig) if [ -f ${BINARY} ]; then DIGFOUND=1; DIGBINARY=${BINARY}; logtext " Found known binary: dig (network/dns tool) - ${BINARY}"; fi ;; dnsdomainname) DNSDOMAINNAMEFOUND=1; DNSDOMAINNAMEBINARY="${BINARY}"; logtext " Found known binary: dnsdomainname (DNS domain) - ${BINARY}" ;; + docker) if [ -f ${BINARY} ]; then DOCKERBINARY="${BINARY}"; logtext " Found known binary: docker (container technology) - ${BINARY}"; fi ;; domainname) DOMAINNAMEFOUND=1; DOMAINNAMEBINARY="${BINARY}"; logtext " Found known binary: domainname (NIS domain) - ${BINARY}" ;; dpkg) DPKGBINARY="${BINARY}"; logtext " Found known binary: dpkg (package management) - ${BINARY}" ;; egrep) EGREPFOUND=1; EGREPBINARY=${BINARY}; logtext " Found known binary: egrep (text search) - ${BINARY}" ;; From d9b7d9a9fd5ab43b3cca6804330ca42e3346c040 Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 3 Sep 2015 15:44:10 +0200 Subject: [PATCH 108/167] Combined several potential mount option tests into 1 unit --- include/tests_filesystems | 119 +++++++++++++++++++------------------- 1 file changed, 59 insertions(+), 60 deletions(-) diff --git a/include/tests_filesystems b/include/tests_filesystems index 19e44669..dedfa556 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems 
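Review bot: The new `docker)` arm tests `-f ${BINARY}` unquoted and, correctly, leaves DOCKERBINARY unset when the path is a directory, but a regular file that is not executable still passes, and DOCKERBINARY is later run directly (`${DOCKERBINARY} info`); `if [ -f "${BINARY}" -a -x "${BINARY}" ]` matches that use. The `dig)` arm above has the same shape and could take the same check. A one-line comment, `# docker may be a directory under /usr/libexec; only accept a regular file`, would record why this arm differs from its neighbours.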
@@ -460,76 +460,75 @@ ################################################################################# # # Test : FILE-6374 - # Description : Check /boot mount options for Linux - # Notes : Expecting nodev,noexec,nosuid + # Description : Check mount options for Linux + # Notes : This test determines if the mount point exists. If it does not exist as mount point, yet it is an directory, + # you might consider to make it a separate mount point with restrictions. + # + # Depending on the primary goals of a machine, some mount points might be too restrictive. Before applying any + # mount flags, test them on a similar or cloned test system. + # + # --------------------------------------------------------- + # Mount point nodev noexec nosuid + # /boot v v v + # /home v v + # /tmp v v v + # /var v + # /var/log v v v + # /var/log/audit v v v + # --------------------------------------------------------- + + FILESYSTEMS_TO_CHECK="/boot:nodev,noexec,nosuid /home:nodev,nosuid /var:nosuid /var/log:nodev,noexec,nosuid /var/log/audit:nodev,noexec,nosuid /tmp:nodev,noexec,nosuid" Register --test-no FILE-6374 --os Linux --weight L --network NO --description "Checking /boot mount options" if [ ${SKIPTEST} -eq 0 ]; then if [ -f /etc/fstab ]; then - HARDENED=0 - FIND=`echo /etc/fstab | awk '{ if ($2=="/boot") { print $4 } }'` - NODEV=`echo ${FIND} | awk '{ if ($1=="nodev") { print "YES" } else { print "NO" } }'` - NOEXEC=`echo ${FIND} | awk '{ if ($1=="noexec") { print "YES" } else { print "NO" } }'` - NOSUID=`echo ${FIND} | awk '{ if ($1=="nosuid") { print "YES" } else { print "NO" } }'` - if [ "${NODEV}" = "YES" -a "${NOEXEC}" = "YES" -a "${NOSUID}" = "YES" ]; then HARDENED=1; fi - if [ ! 
"${FIND}" = "" ]; then - logtext "Result: mount system /boot is configured with options: ${FIND}" - if [ ${HARDENED} -eq 1 ]; then - logtext "Result: marked /boot options as hardenened" - Display --indent 2 --text "- Mount options of /boot" --result HARDENED --color GREEN - AddHP 5 5 - else - if [ "${FIND}" = "defaults" ]; then - logtext "Result: marked /boot options as default (non hardened)" - Display --indent 2 --text "- Mount options of /boot" --result DEFAULT --color RED - AddHP 3 5 - else - logtext "Result: marked /boot options as non default (unclear about hardening)" - Display --indent 2 --text "- Mount options of /boot" --result "NON DEFAULT" --color YELLOW + for I in ${FILESYSTEMS_TO_CHECK}; do + FILESYSTEM=`echo ${I} | cut -d: -f1` + EXPECTED_FLAGS=`echo ${I} | cut -d: -f2 | sed 's/,/ /g'` + IN_FSTAB=`cat /etc/fstab | awk -v fs=${FILESYSTEM} '{ if ($2==fs) { print "FOUND" } }'` + if [ ! "${IN_FSTAB}" = "" ]; then + FOUND_FLAGS=`cat /etc/fstab | awk -v fs=${FILESYSTEM} '{ if ($2==fs) { print $4 } }' | sed 's/,/ /g'` + logtext "File system: ${FILESYSTEM}" + logtext "Expected flags: ${EXPECTED_FLAGS}" + logtext "Found flags: ${FOUND_FLAGS}" + PARTIALLY_HARDENED=0 + FULLY_HARDENED=1 + for FLAG in ${EXPECTED_FLAGS}; do + FLAG_AVAILABLE=`echo ${FOUND_FLAGS} | grep ${FLAG}` + if [ "${FLAG_AVAILABLE}" = "" ]; then + logtext "Result: Could not find mount option ${FLAG} on file system ${FILESYSTEM}" + FULLY_HARDENED=0 + else + logtext "Result: GOOD, found mount option ${FLAG} on file system ${FILESYSTEM}" + PARTIALLY_HARDENED=1 + fi + done + if [ ${FULLY_HARDENED} -eq 1 ]; then + logtext "Result: marked ${FILESYSTEM} as fully hardenened" + Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result HARDENED --color GREEN + AddHP 5 5 + elif [ ${PARTIALLY_HARDENED} -eq 1 ]; then + logtext "Result: marked ${FILESYSTEM} as fully hardenened" + Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "PARTIALLY HARDENED" --color YELLOW AddHP 4 5 + 
else + if [ "${FOUND_FLAGS}" = "defaults" ]; then + logtext "Result: marked ${FILESYSTEM} options as default (non hardened)" + Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result DEFAULT --color YELLOW + AddHP 3 5 + else + logtext "Result: marked ${FILESYSTEM} options as non default (unclear about hardening)" + Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "NON DEFAULT" --color YELLOW + AddHP 4 5 + fi fi + else + logtext "Result: file system ${FILESYSTEM} not found in /etc/fstab" fi - else - logtext "Result: no mount point /boot or expected options found" - fi + done fi fi # ################################################################################# -# - # Test : FILE-XXXX - # Description : Check /home mount options for Linux - # Notes : Expecting nodev,nosuid -# -################################################################################# -# - - # Test : FILE-XXXX - # Description : Check /var mount options for Linux - # Notes : Expecting nosuid -# -################################################################################# -# - # Test : FILE-XXXX - # Description : Check /var/log mount options for Linux - # Notes : Expecting nodev,noexec,nosuid -# -################################################################################# -# - # Test : FILE-XXXX - # Description : Check /var/log/audit mount options for Linux - # Notes : Expecting nodev,noexec,nosuid -# -################################################################################# -# - - # Test : FILE-XXXX - # Description : Check /tmp mount options for Linux - # Notes : Expecting nodev,noexec,nosuid -# -################################################################################# -# -# -################################################################################# # # Test : FILE-6378 # Description : Check for nodirtime option From e1a87794bce6460113935d35a1053bc5a74808db Mon Sep 17 00:00:00 2001 
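Review bot: The `elif [ ${PARTIALLY_HARDENED} -eq 1 ]` branch logs `Result: marked ${FILESYSTEM} as fully hardenened`, copied from the branch above; it should read `logtext "Result: marked ${FILESYSTEM} as partially hardened"` (the branch above carries the same `hardenened` typo). The per-flag test `echo ${FOUND_FLAGS} | grep ${FLAG}` is a substring match, so `grep -w` is safer, and the unchanged `Register` description still says `Checking /boot mount options` although the test now covers six mount points. The header comment should also say that the test reads only /etc/fstab, so options applied by a remount or by a systemd mount unit are not seen, and that a mount point absent from fstab is only logged rather than reported.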
From: Alexander Lobodzinski Date: Thu, 3 Sep 2015 17:20:34 +0200 Subject: [PATCH 109/167] Do not let a hostname that is contained in "localhost" like "cal" trigger a false positive --- include/tests_nameservices | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_nameservices b/include/tests_nameservices index 0a7b8d56..8413e99e 100644 --- a/include/tests_nameservices +++ b/include/tests_nameservices @@ -587,7 +587,7 @@ Register --test-no NAME-4406 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check server hostname mapping" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Check server hostname not locally mapped in /etc/hosts" - sFIND=`cat /etc/hosts | egrep -v '^(#|$)' | egrep '(localhost|^::1\s)' | grep ${HOSTNAME}` + sFIND=`cat /etc/hosts | egrep -v '^(#|$)' | egrep '(localhost|^::1\s)' | grep -w ${HOSTNAME}` if [ ! "${sFIND}" = "" ]; then logtext "Result: Found this server hostname mapped to a local address" Display --indent 4 --text "- Checking /etc/hosts (localhost)" --result SUGGESTION --color YELLOW From 12d9b38288c2a41b5bc9e32c1d10bb4f0c102c3e Mon Sep 17 00:00:00 2001 From: squid-cache-object Date: Thu, 3 Sep 2015 14:14:02 -0700 Subject: [PATCH 110/167] Update tests_filesystems --- include/tests_filesystems | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_filesystems b/include/tests_filesystems index e2c46e6c..8a26e4ac 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems @@ -297,7 +297,7 @@ Display --indent 2 --text "- Checking for old files in /tmp" --result OK --color GREEN logtext "Result: no files found in /tmp which are older than 3 months" else - Display --indent 2 --text "- Checking for old files in /tmp" --result WARNING --color RED + Display --indent 2 --text "- Checking for old files in /tmp" --result FOUND --color RED N=0 for I in ${FIND}; do FILE=`echo ${I} | sed 's/!space!/ /g'` From 461920ff721e6f956d712c457985ed4c4d9ad312 Mon Sep 17 00:00:00 2001 
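Review bot: `grep -w ${HOSTNAME}` still treats the hostname as an unquoted basic regular expression, so a dotted name such as `a.b` also matches `axb`, and an empty HOSTNAME would leave grep without a pattern; `grep -w -F -- "${HOSTNAME}"` matches the literal name only. The /etc/hosts hostname test above this one uses the same filter without `-w` and keeps the substring behaviour this commit fixes here.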
From: mboelen Date: Sat, 5 Sep 2015 18:41:04 +0200 Subject: [PATCH 111/167] Enabled dmidecode for virtualization detection --- include/functions | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/include/functions b/include/functions index d35150fa..9d815f4e 100644 --- a/include/functions +++ b/include/functions @@ -589,8 +589,9 @@ logtext "Test: Determine if this system is a virtual machine" # 0 = no, 1 = yes, 2 = unknown ISVIRTUALMACHINE=2; VMTYPE="unknown"; VMFULLTYPE="Unknown" + SHORT="" - # Trying facter + # facter if [ -x /usr/bin/facter ]; then case "`facter is_virtual`" in "true") @@ -603,9 +604,7 @@ esac fi - SHORT="" - - # Trying systemd + # systemd if [ "${SHORT}" = "" -a ! "${SYSTEMCTLBINARY}" = "" ]; then logtext "Test: trying to guess virtualization technology with systemctl" FIND=`${SYSTEMCTLBINARY} | grep "^Virtualization=" | awk -F= '{ print $2 }'` @@ -614,12 +613,14 @@ fi fi - # # dmidecode - # if [ "${SHORT}" = "" ]; then - # if [ -x /usr/sbin/dmidecode ]; then - # SHORT=`dmidecode -s system-product-name` - # fi - # fi + # dmidecode + # Values: VMware Virtual Platform / VirtualBox + if [ "${SHORT}" = "" ]; then + logtext "Test: trying to guess virtualization with dmidecode" + if [ -x /usr/sbin/dmidecode ]; then + SHORT=`dmidecode -s system-product-name | awk '{ print $1 }'` + fi + fi # lshw if [ "${SHORT}" = "" ]; then @@ -663,7 +664,7 @@ # Check if we catched some string along all tests if [ ! "${SHORT}" = "" ]; then # Lowercase and see if we found a match - SHORT=`echo ${SHORT} | tr [[:upper:]] [[:lower:]]` + SHORT=`echo ${SHORT} | awk '{ print $1 }' | tr [[:upper:]] [[:lower:]]` case ${SHORT} in amazon-ec2) ISVIRTUALMACHINE=1; VMTYPE="amazon-ec2"; VMFULLTYPE="Amazon AWS EC2 Instance" ;; From 05dd1a6814e3a6518dbc2bef1d73ea609313e149 Mon Sep 17 00:00:00 2001 
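Review bot: The dmidecode branch tests `-x /usr/sbin/dmidecode` but then runs a bare `dmidecode`, so the binary that actually executes is whichever one PATH resolves first; for a tool that normally runs as root, the path that was checked should be the one invoked, and stderr should be dropped for the case where the DMI tables cannot be read: `SHORT=`/usr/sbin/dmidecode -s system-product-name 2>/dev/null``. The `awk '{ print $1 }'` on that line is also redundant with the identical filter the last hunk adds before `tr`, which now truncates every detected string to its first word (e.g. `VMware Virtual Platform` becomes `vmware`), so the `case` arms presumably match first words only. On that retained `tr` line the unquoted `[[:upper:]] [[:lower:]]` arguments are globs; quoting them costs nothing. The enclosing function starts and ends outside these hunks.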
From: mboelen Date: Sat, 5 Sep 2015 18:51:36 +0200 Subject: [PATCH 112/167] Remove systemctl to detect virtualization, use systemd-detect-virt instead --- include/functions | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/include/functions b/include/functions index 9d815f4e..89e9c662 100644 --- a/include/functions +++ b/include/functions @@ -605,9 +605,9 @@ fi # systemd - if [ "${SHORT}" = "" -a ! "${SYSTEMCTLBINARY}" = "" ]; then - logtext "Test: trying to guess virtualization technology with systemctl" - FIND=`${SYSTEMCTLBINARY} | grep "^Virtualization=" | awk -F= '{ print $2 }'` + if [ "${SHORT}" = "" -a -x /usr/bin/systemd-detect-virt ]; then + logtext "Test: trying to guess virtualization technology with systemd-detect-virt" + FIND=`/usr/bin/systemd-detect-virt` if [ ! "${FIND}" = "" ]; then SHORT="${FIND}" fi From 10a300ddb7bee1c93023ec64c276b158dbad76d7 Mon Sep 17 00:00:00 2001 From: mboelen Date: Sun, 6 Sep 2015 17:38:15 +0200 Subject: [PATCH 113/167] Don't show pf status on screen when it is not available --- include/tests_firewalls | 1 - 1 file changed, 1 deletion(-) diff --git a/include/tests_firewalls b/include/tests_firewalls index 7b3fa88e..fdd6106a 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls @@ -194,7 +194,6 @@ FIREWALL_SOFTWARE="pf" else logtext "Result: pf not running on this system" - Display --indent 2 --text "- Checking pf" --result "NOT FOUND" --color WHITE fi fi # From 4a354c84796c5eae74053435ccc5ecd718734c34 Mon Sep 17 00:00:00 2001 From: mboelen Date: Sun, 6 Sep 2015 17:42:56 +0200 Subject: [PATCH 114/167] Change ipfw to IPFW, change exeception ID for IPFW test --- include/tests_firewalls | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/include/tests_firewalls b/include/tests_firewalls index fdd6106a..9f620faf 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls 
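Review bot: `systemd-detect-virt` prints `none` (with a non-zero exit) when no virtualization is detected, so on bare metal SHORT becomes `none` instead of staying empty; the dmidecode and lshw fallbacks guarded by `[ "${SHORT}" = "" ]` are then skipped and the literal `none` reaches the `case` seen in the previous patch. Treat that value as no result and silence stderr: `FIND=`/usr/bin/systemd-detect-virt 2>/dev/null`` followed by `if [ ! "${FIND}" = "" -a ! "${FIND}" = "none" ]; then`. The enclosing function continues outside the hunk.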
@@ -269,32 +269,32 @@ ################################################################################# # # Test : FIRE-4530 - # Description : Check ipfw (FreeBSD) - Register --test-no FIRE-4530 --os FreeBSD --weight L --network NO --description "Check ipfw status" + # Description : Check IPFW (FreeBSD) + Register --test-no FIRE-4530 --os FreeBSD --weight L --network NO --description "Check IPFW status" if [ ${SKIPTEST} -eq 0 ]; then if [ ! "${SYSCTLBINARY}" = "" ]; then # For now, only check for IPv4. FIND=`${SYSCTLBINARY} net.inet.ip.fw.enable | awk '{ print $2 }'` if [ "${FIND}" = "1" ]; then - Display --indent 2 --text "- Checking ipfw status" --result RUNNING --color GREEN - logtext "Result: ipfw is running for IPv4" + Display --indent 2 --text "- Checking IPFW status" --result RUNNING --color GREEN + logtext "Result: IPFW is running for IPv4" FIREWALL_ACTIVE=1 FIREWALL_SOFTWARE="ipfw" IPFW_ENABLED=`service -e | grep -o ipfw` if [ "${IPFW_ENABLED}" = "ipfw" ]; then - Display --indent 4 --text "- ipfw enabled in /etc/rc.conf" --result YES --color GREEN - logtext "Result: ipfw is enabled at start-up for IPv4" + Display --indent 4 --text "- IPFW enabled in /etc/rc.conf" --result YES --color GREEN + logtext "Result: IPFW is enabled at start-up for IPv4" else Display --indent 4 --text "- ipfw enabled in /etc/rc.conf" --result NO --color YELLOW - logtext "Result: ipfw is disabled at start-up for IPv4" + logtext "Result: IPFW is disabled at start-up for IPv4" fi else - Display --indent 2 --text "- Checking ipfw status" --result "NOT RUNNING" --color YELLOW - logtext "Result: ipfw is not running for IPv4" + Display --indent 2 --text "- Checking IPFW status" --result "NOT RUNNING" --color YELLOW + logtext "Result: IPFW is not running for IPv4" fi else - Display --indent 2 --text "- Checking ipfw" --result SKIPPED --color YELLOW - ReportException "${TEST_NO}:4" "No IPFW test available (sysctl missing)" + Display --indent 2 --text "- Checking IPFW" --result SKIPPED 
--color YELLOW + ReportException "${TEST_NO}:1" "No IPFW test available (sysctl missing)" fi fi # From 98de52e0f88e71f09b78c93859c37fc38c1ca795 Mon Sep 17 00:00:00 2001 From: mboelen Date: Sun, 6 Sep 2015 17:54:18 +0200 Subject: [PATCH 115/167] Added some guidelines for pull requests --- CONTRIBUTIONS.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/CONTRIBUTIONS.md b/CONTRIBUTIONS.md index 19a17295..34d1d970 100644 --- a/CONTRIBUTIONS.md +++ b/CONTRIBUTIONS.md @@ -1,8 +1,8 @@ # Contributions ## Pull Requests -Contributions to the Lynis project should be submitted as a pull request. The upstream -project can be found in our [GitHub repository](https://github.com/CISOfy/lynis). +We welcome any contribution to improve Lynis. Contributions to the Lynis project can +be submitted as a pull request. The upstream project can be found in our [GitHub repository](https://github.com/CISOfy/lynis). By submitting a [Pull Request](https://help.github.com/articles/using-pull-requests/) to this repository, you agree that you: @@ -17,6 +17,7 @@ to this repository, you agree that you: 4. Allow the project the [Unlimited Rights](#Unlimited-Rights) to your contribution +If you have questions regarding development, send us an e-mail at [lynis-dev](mailto:lynis-dev@cisofy.com) ## Unlimited Rights Our project is licensed under GPLv3. By providing a contribution to the project, it 
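Review bot: The rename is incomplete: in the `else` branch of the rc.conf check, `Display --indent 4 --text "- ipfw enabled in /etc/rc.conf" --result NO --color YELLOW` keeps the lowercase spelling while its sibling Display and the logtext right after it were changed to `IPFW`. Changing it to `Display --indent 4 --text "- IPFW enabled in /etc/rc.conf" --result NO --color YELLOW` makes the screen output consistent. The `FIREWALL_SOFTWARE="ipfw"` value is a report key and correctly stays lowercase.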
@@ -29,3 +30,9 @@ If you want to be named in as a contributor in the CONTRIBUTOR file, then includ this notition in your pull request. Preferred format: Full Name, with optional the company name and/or your e-mail address). +## Developer Guidelines + +To ensure all pull requests can be easily checked and merged, here are some tips: +* Your code should work on other platforms running the bourne shell (/bin/sh), not just BASH. +* Properly document your code where needed. Besides the 'what', focus on explaining the 'why'. +* Check the log information (lynis.log) of your new test or changed code, so that it provides helpful details for others. \ No newline at end of file From 88caa85f594497908865c90c48121520122a2c65 Mon Sep 17 00:00:00 2001 From: mboelen Date: Sun, 6 Sep 2015 21:37:26 +0200 Subject: [PATCH 116/167] Added default values for name cachers and Unbound status --- include/consts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/consts b/include/consts index d0d2b2c9..608b5b29 100644 --- a/include/consts +++ b/include/consts @@ -69,6 +69,7 @@ unset LANG LYNIS_COMPLIANCE_TESTS=0 MACHINEID="" MALWARE_SCANNER_INSTALLED=0 + NAME_CACHE_USED=0 NGINX_ACCESS_LOG_DISABLED=0 NGINX_ACCESS_LOG_MISSING=0 NGINX_ALIAS_FOUND=0 @@ -115,6 +116,7 @@ unset LANG TESTS_EXECUTED="" TESTS_SKIPPED="" TRIPWIREBINARY="" + UNBOUND_RUNNING=0 UPLOAD_OPTIONS="" UPDATE_CHECK_SKIPPED=0 VALUE="" From a42e8feac260d9888492f221469043c805f413ab Mon Sep 17 00:00:00 2001 From: mboelen Date: Sun, 6 Sep 2015 21:38:21 +0200 Subject: [PATCH 117/167] Added Unbound status and configuration check, logging name cacher status to report file --- include/tests_nameservices | 48 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/include/tests_nameservices b/include/tests_nameservices index 8413e99e..5e59f53f 100644 --- a/include/tests_nameservices +++ b/include/tests_nameservices 
@@ -30,6 +30,7 @@ POWERDNS_AUTH_CONFIG_LOCATION="" POWERDNS_AUTH_MASTER=0 POWERDNS_AUTH_SLAVE=0 + UNBOUND_CONFIG_OK=0 YPBIND_RUNNING=0 # ################################################################################# @@ -228,6 +229,7 @@ logtext "Test: checking nscd status" IsRunning nscd if [ ${RUNNING} -eq 1 ]; then + NAME_CACHE_USED=1 logtext "Result: nscd is running" Display --indent 2 --text "- Checking nscd status" --result RUNNING --color GREEN else 
@@ -237,6 +239,51 @@ fi # ################################################################################# +# + # Test : NAME-4034 + # Description : Check name service caching daemon (Unbound) status + Register --test-no NAME-4034 --weight L --network NO --description "Check Unbound status" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Test: checking Unbound (unbound) status" + IsRunning unbound + if [ ${RUNNING} -eq 1 ]; then + UNBOUND_RUNNING=1 + NAME_CACHE_USED=1 + logtext "Result: Unbound daemon is running" + Display --indent 2 --text "- Checking Unbound status" --result RUNNING --color GREEN + else + logtext "Result: Unbound daemon is not running" + Display --indent 2 --text "- Checking Unbound status" --result "NOT FOUND" --color WHITE + fi + fi +# +################################################################################# +# + # Test : NAME-4036 + # Description : Checking Unbound configuration file + if [ ${UNBOUND_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no NAME-4036 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Unbound configuration file" + if [ ${SKIPTEST} -eq 0 ]; then + FIND=`which unbound-checkconf` + if [ ! "${FIND}" = "" ]; then + logtext "Test: running unbound-checkconf" + # Don't capture any output, just gather exit code (0 is fine, otherwise bad) + FIND=`unbound-checkconf > /dev/null 2>&1` + if [ $? 
-eq 0 ]; then + UNBOUND_CONFIG_OK=1 + logtext "Result: Configuration is fine" + Display --indent 2 --text "- Checking configuration file" --result OK --color GREEN + else + logtext "Result: Unbound daemon is not running" + Display --indent 2 --text "- Checking configuration file" --result "NOT OK" --color YELLOW + ReportWarning "${TEST_NO}" "L" "Found Unbound configuration file issues (run unbound-checkconf)" + fi + else + logtext "Result: skipped, can't find unbound-checkconf utility" + fi + fi +# +################################################################################# # # Test : NAME-4202 # Description : Check if BIND is running @@ -602,6 +649,7 @@ ################################################################################# # +report ="name_cache_used=${NAME_CACHE_USED}" wait_for_keypress # From a9966ac4ba99e20738bd887fe6549e9df7f305f6 Mon Sep 17 00:00:00 2001 From: mboelen Date: Sun, 6 Sep 2015 21:38:56 +0200 Subject: [PATCH 118/167] Extended guidelines --- CONTRIBUTIONS.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CONTRIBUTIONS.md b/CONTRIBUTIONS.md index 34d1d970..ba03583b 100644 --- a/CONTRIBUTIONS.md +++ b/CONTRIBUTIONS.md @@ -35,4 +35,5 @@ company name and/or your e-mail address). To ensure all pull requests can be easily checked and merged, here are some tips: * Your code should work on other platforms running the bourne shell (/bin/sh), not just BASH. * Properly document your code where needed. Besides the 'what', focus on explaining the 'why'. -* Check the log information (lynis.log) of your new test or changed code, so that it provides helpful details for others. \ No newline at end of file +* Check the log information (lynis.log) of your new test or changed code, so that it provides helpful details for others. +* Most variables should be capitalized, with underscore as word separator (e.g. PROCESS_EXISTS=1) \ No newline at end of file From 0e97f7936fb522c82c0cb1566e01dfa105fe1de4 Mon Sep 17 00:00:00 2001 
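Review bot: The failure branch of the unbound-checkconf check logs `Result: Unbound daemon is not running`, copied from NAME-4034, which contradicts the `NOT OK` result displayed next to it; it should read `logtext "Result: unbound-checkconf reported configuration issues"`. The comment says no output is captured, yet the exit status is taken from `FIND=`unbound-checkconf > /dev/null 2>&1``; running `unbound-checkconf > /dev/null 2>&1` on its own with the `if [ $? -eq 0 ]` test unchanged does what the comment states and removes a dead assignment. Both `which unbound-checkconf` and the later call resolve through PATH; `command -v` is the portable lookup (the project asks for /bin/sh compatibility) and the path it returns is the one that should be executed.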
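Review bot: `report ="name_cache_used=${NAME_CACHE_USED}"` has a space before `=`, so `report` receives two arguments, `=` and the key/value string, rather than one; every other call on this page (e.g. `report "nginx_main_conf_file=${NGINX_CONF_LOCATION}"`) passes a single quoted argument. The line should be `report "name_cache_used=${NAME_CACHE_USED}"`. Whether the stray `=` is written to the report file or the real value is dropped depends on how `report` handles `$1`, which is not visible here.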
From: =?UTF-8?q?Kamil=20Boraty=C5=84ski?= Date: Mon, 7 Sep 2015 04:12:58 +0200 Subject: [PATCH 119/167] Wrote 'AUTH-9407' - logging failed login attempts. --- include/tests_authentication | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/include/tests_authentication b/include/tests_authentication index dd48d80c..f8c9b6f4 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -1077,6 +1077,27 @@ fi # ################################################################################# +# + # Test : AUTH-9407 + # Description : Logging failed login attempts + if [ -f /etc/login.defs ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no AUTH-9407 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Logging failed login attempts" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Test: Checking FAILLOG_ENAB option in /etc/login.defs " + FIND=`grep "^FAILLOG_ENAB" /etc/login.defs | awk '{ if ($1=="FAILLOG_ENAB") { print $2 } }'` + if [ "${FIND}" = "" -o "${FIND}" = "no" ]; then + logtext "Result: failed login attempts are not logged" + Display --indent 2 --text "- Logging failed login attempts" --result DISABLED --color YELLOW + ReportSuggestion ${TEST_NO} "Configure failed login attempts to be logged in /var/log/faillog" + AddHP 0 1 + else + logtext "Result: failed login attempts are logged in /var/log/faillog" + Display --indent 2 --text "- Logging failed login attempts" --result OK --color GREEN + AddHP 3 3 + fi + fi +# +################################################################################# # report "ldap_auth_enabled=${LDAP_AUTH_ENABLED}" From fc27379452e7dc7b64841619d93d023d54c0040e Mon Sep 17 00:00:00 2001 From: mboelen Date: Mon, 7 Sep 2015 10:13:20 +0200 Subject: [PATCH 120/167] Minor cleaning up and improved comment --- include/tests_webservers | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) 
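Review bot: The success branch logs `failed login attempts are logged in /var/log/faillog` and awards `AddHP 3 3` based only on FAILLOG_ENAB, but on Linux systems with a PAM-based login this login.defs option is, as far as I know, not consulted (the shadow login.defs documentation lists it among the options ignored by PAM-enabled builds), so the verdict can be a false assurance; a comment such as `# FAILLOG_ENAB is only honoured by non-PAM login; PAM setups rely on pam_tally2/pam_faillock` would record that limitation, and a look at the PAM configuration before scoring would remove it. The `--os Linux` restriction is reasonable given the /var/log/faillog wording, but the prerequisite check only tests that /etc/login.defs exists, not that the shadow login is in use.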
diff --git a/include/tests_webservers b/include/tests_webservers index bb5db39d..51a8d528 100644 --- a/include/tests_webservers +++ b/include/tests_webservers @@ -391,19 +391,16 @@ Register --test-no HTTP-6704 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nginx configuration file" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: searching nginx configuration file" - #YYY warning if multiple nginx.conf files are found for I in ${NGINX_CONF_LOCS}; do if [ -f ${I}/nginx.conf ]; then NGINX_CONF_LOCATION="${I}/nginx.conf" logtext "Found file ${NGINX_CONF_LOCATION}" fi done - #YYY strings /usr/sbin/nginx | grep "conf$" if [ ! "${NGINX_CONF_LOCATION}" = "" ]; then logtext "Result: found nginx configuration file" report "nginx_main_conf_file=${NGINX_CONF_LOCATION}" Display --indent 4 --text "- Searching nginx configuration file" --result FOUND --color GREEN - #FIND=`cat ${NGINX_CONF_LOCATION} | sed -e 's/^[ \t]*//' | grep -v "^#" | grep -v "^$" | sed 's/[\t]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE2}` else logtext "Result: no nginx configuration file found" Display --indent 2 --text "- Searching nginx configuration file" --result "NOT FOUND" --color WHITE @@ -415,7 +412,7 @@ # Test : HTTP-6706 # Description : Search for includes within nginx configuration file # Notes : Daemon nginx should be running, nginx.conf should be found - if [ ${NGINX_RUNNING} -eq 1 -a "${NGINX_CONF_LOCATION}" != "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ${NGINX_RUNNING} -eq 1 -a ! "${NGINX_CONF_LOCATION}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no HTTP-6706 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for additional nginx configuration files" if [ ${SKIPTEST} -eq 0 ]; then # Remove temp file 
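Review bot: The `#YYY warning if multiple nginx.conf files are found` marker is removed without resolving it: the loop still overwrites NGINX_CONF_LOCATION on every match, so when several directories in NGINX_CONF_LOCS contain an nginx.conf the last one silently wins and the earlier candidates never appear in the log. A one-line check before the assignment preserves that information, e.g. `if [ ! "${NGINX_CONF_LOCATION}" = "" ]; then logtext "Warning: multiple nginx.conf files found, using ${I}/nginx.conf"; fi`. The second hunk on this line only restyles the `!=` test and needs no change.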
@@ -426,14 +423,14 @@ for I in ${FIND}; do FIND2=`${LSBINARY} ${I} 2>/dev/null` for J in ${FIND2}; do - # Double check if we are dealing with a file + # Ensure that we are parsing normal files if [ -f ${J} ]; then N=`expr ${N} + 1` logtext "Result: found Nginx configuration file ${J}" report "nginx_sub_conf_file=${J}" FileIsReadable ${J} if [ ${CANREAD} -eq 1 ]; then - FIND3=`cat ${J} | sed -e 's/^[ \t]*//' | grep -v "^#" | grep -v "^$" | sed 's/[\t]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE2}` + FIND3=`cat ${J} | sed -e 's/^[ \t]*//' | grep -v "^#" | grep -v "^$" | sed 's/[\t]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE}` else ReportException "${TEST_NO}:1" "Can not parse file ${J}, as it is not readable" fi @@ -442,14 +439,14 @@ done # Sort all discovered configuration lines and store unique ones. Also strip out the mime types configured in nginx - SORTFILE=`cat ${TMPFILE2} | sort | uniq | sed 's/ /:space:/g' | egrep -v "(application|audio|image|text|video)/" | egrep -v "({|})"` - for I in ${SORTFILE}; do + SORTFILE=`cat ${TMPFILE} | sort | uniq | sed 's/ /:space:/g' | egrep -v "(application|audio|image|text|video)/" | egrep -v "({|})"` + for I in ${SORTFILE}; do I=`echo ${I} | sed 's/:space:/ /g'` report "nginx_config_option=${I}"; - done + done # Remove unsorted file for next tests - if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi + if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi if [ ${N} -eq 0 ]; then logtext "Result: no nginx include statements found" From 53840a4cfb6eaa9bf2ecb98b259c57161cee79d3 Mon Sep 17 00:00:00 2001 From: mboelen Date: Mon, 7 Sep 2015 11:17:08 +0200 Subject: [PATCH 121/167] Added variable for logging status of failed logins --- include/consts | 1 + 1 file changed, 1 insertion(+) diff --git a/include/consts b/include/consts index 608b5b29..bddc11eb 100644 --- a/include/consts +++ b/include/consts 
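Review bot: Switching the include gathering from TMPFILE2 to TMPFILE also changes which file `rm -f ${TMPFILE}` deletes at the end of this test; if TMPFILE is a script-wide temporary file created earlier (not visible here) that later tests expect to exist, the cleanup now removes it, so the rename should be checked against the creator of TMPFILE. The assignment `FIND3=`cat ${J} | ... >> ${TMPFILE}`` captures nothing because the output is redirected into the file, so FIND3 is always empty; running the pipeline without the assignment says what is meant. Both paths are unquoted; `${J}` comes from `ls` output and is already split on whitespace, but `"${TMPFILE}"` should at least be quoted.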
@@ -39,6 +39,7 @@ unset LANG # == Variable initializing == # AUDITORNAME="" + AUTH_FAILED_LOGINS_LOGGED=0 PROFILE="" REPORTFILE="" AFICKBINARY="" From 5165e57b86ec3ec631d14a3e9c0a1e82a8a426c5 Mon Sep 17 00:00:00 2001 From: mboelen Date: Mon, 7 Sep 2015 11:17:38 +0200 Subject: [PATCH 122/167] Added report option to store logging status of failed logins --- include/tests_authentication | 1 + 1 file changed, 1 insertion(+) diff --git a/include/tests_authentication b/include/tests_authentication index dd48d80c..acf866b2 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -1079,6 +1079,7 @@ ################################################################################# # +report "auth_failed_logins_logged=${AUTH_FAILED_LOGINS_LOGGED}" report "ldap_auth_enabled=${LDAP_AUTH_ENABLED}" report "ldap_pam_enabled=${LDAP_PAM_ENABLED}" if [ ! "${LDAP_CLIENT_CONFIG_FILE}" = "" ]; then From 84baf688c8003b3da6081bd69729b5460742a5c2 Mon Sep 17 00:00:00 2001 From: mboelen Date: Mon, 7 Sep 2015 11:26:09 +0200 Subject: [PATCH 123/167] Renumber test and search for explicit yes value, log status --- include/tests_authentication | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/include/tests_authentication b/include/tests_authentication index 79c1b94c..5817263e 100644 --- a/include/tests_authentication +++ b/include/tests_authentication 
@@ -1078,22 +1078,24 @@ # ################################################################################# # - # Test : AUTH-9407 - # Description : Logging failed login attempts + # Test : AUTH-9408 + # Description : Logging of failed login attempts if [ -f /etc/login.defs ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no AUTH-9407 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Logging failed login attempts" + Register --test-no AUTH-9408 --preqs-met ${PREQS_MET} --weight L --network NO --description "Logging of failed login attempts via /etc/login.defs" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Checking FAILLOG_ENAB option in /etc/login.defs " FIND=`grep "^FAILLOG_ENAB" /etc/login.defs | awk '{ if ($1=="FAILLOG_ENAB") { print $2 } }'` - if [ "${FIND}" = "" -o "${FIND}" = "no" ]; then + # Search for enabled status (yes), otherwise consider it to be disabled (e.g. empty, or other value) + if [ "${FIND}" = "yes" ]; then + AUTH_FAILED_LOGINS_LOGGED=1 + logtext "Result: failed login attempts are logged in /var/log/faillog" + Display --indent 2 --text "- Logging failed login attempts" --result ENABLED --color GREEN + AddHP 3 3 + else logtext "Result: failed login attempts are not logged" Display --indent 2 --text "- Logging failed login attempts" --result DISABLED --color YELLOW - ReportSuggestion ${TEST_NO} "Configure failed login attempts to be logged in /var/log/faillog" + #ReportSuggestion ${TEST_NO} "Configure failed login attempts to be logged in /var/log/faillog" AddHP 0 1 - else - logtext "Result: failed login attempts are logged in /var/log/faillog" - Display --indent 2 --text "- Logging failed login attempts" --result OK --color GREEN - AddHP 3 3 fi fi # From c6d8aaa72e936d7c81df245017f938f2720ed87c Mon Sep 17 00:00:00 2001 
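Review bot: A commented-out `#ReportSuggestion ${TEST_NO} ...` is left in the disabled branch with no explanation; dead code in a test body tends to be either resurrected or deleted blindly later, so either remove it or state why it is silenced, e.g. `# Suggestion disabled: FAILLOG_ENAB is ignored on PAM-based systems, so a DISABLED result is not necessarily a finding`, if that is the reason (the commit does not say). The logtext for the non-`yes` case could also record the value actually read so the log explains the verdict, e.g. `logtext "Result: FAILLOG_ENAB value is '${FIND}', failed login attempts are not logged"`.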
From: mboelen Date: Mon, 7 Sep 2015 12:30:54 +0200 Subject: [PATCH 124/167] Extended suggestions and added Kamil as contributor --- CONTRIBUTORS | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/CONTRIBUTORS b/CONTRIBUTORS index 015e55ba..1352db0d 100644 --- a/CONTRIBUTORS +++ b/CONTRIBUTORS @@ -12,19 +12,22 @@ Want to contribute as well? Here are some suggestions: - - New tests for your favorite daemons + - Create new tests for your favorite software packages - Report (unexpected) screen errors - - Missing results + - Share missing results and findings - Check for grammar issues + Create a pull request at GitHub --> https://github.com/CISOfy/lynis -[+] Patches, bug fixes and suggestions + +[+] Contributors ------------------------------------------ Brian Ginsbach C.J. Adams-Collier, US Charlie Heselton, US Dave Vehrs + Kamil Boratyński Mikko Lehtisalo, Finland Steve Bosek, France Thomas Siebel, Germany From 98e27f52c2f334121cadd4461a7f1c0b3d6b34af Mon Sep 17 00:00:00 2001 From: mboelen Date: Mon, 7 Sep 2015 12:32:26 +0200 Subject: [PATCH 125/167] Added Kamil as contributor --- CONTRIBUTORS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CONTRIBUTORS b/CONTRIBUTORS index 1352db0d..0a7c2664 100644 --- a/CONTRIBUTORS +++ b/CONTRIBUTORS @@ -27,7 +27,7 @@ C.J. Adams-Collier, US Charlie Heselton, US Dave Vehrs - Kamil Boratyński + Kamil Boratyński, Poland Mikko Lehtisalo, Finland Steve Bosek, France Thomas Siebel, Germany From f7ec431a659acae07bcca0feff73888721fa8055 Mon Sep 17 00:00:00 2001 From: Alexander Lobodzinski Date: Mon, 7 Sep 2015 17:31:18 +0200 Subject: [PATCH 126/167] /usr/sbin/httpd on OpenBSD is builtin non-Apache webserver, do not run with -v If Apache is installed it is detected in /usr/local/sbin/httpd nevertheless --- include/tests_webservers | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/include/tests_webservers b/include/tests_webservers index bb5db39d..35194eea 100644 --- a/include/tests_webservers 
+++ b/include/tests_webservers @@ -50,9 +50,13 @@ # Test : HTTP-6622 # Description : Test for Apache installation # Notes : Do not run on NetBSD, -v is unknown option for httpd binary + # On OpenBSD do not run /usr/sbin/httpd with -v: builtin non-Apache if [ ! "${OS}" = "NetBSD" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no HTTP-6622 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking Apache presence" if [ ${SKIPTEST} -eq 0 ]; then + if [ "${OS}" = "OpenBSD" -a "${HTTPDBINARY}" = "/usr/sbin/httpd" ]; then + HTTPDBINARY="" + fi if [ "${HTTPDBINARY}" = "" ]; then Display --indent 2 --text "- Checking Apache" --result "NOT FOUND" --color WHITE else From 3cdd9ea949379a8ad06daa06e739d1e65e4a52bc Mon Sep 17 00:00:00 2001 From: Laurent Quillerou Date: Mon, 7 Sep 2015 18:35:07 +0300 Subject: [PATCH 127/167] Delete trailing whitespace --- CHANGELOG | 32 ++++++++++++++++---------------- CONTRIBUTIONS.md | 2 +- FAQ | 2 +- db/fileperms.db | 2 +- db/hints.db | 2 +- db/malware-susp.db | 2 +- db/malware.db | 2 +- db/sbl.db | 2 +- debian/README.Debian | 8 ++++---- debian/rules | 4 ++-- default.prf | 6 +++--- extras/README | 2 +- extras/build-lynis.sh | 4 ++-- include/functions | 8 ++++---- include/tests_crypto | 2 +- include/tests_databases | 2 +- include/tests_file_integrity | 2 +- include/tests_filesystems | 2 +- include/tests_kernel | 6 +++--- include/tests_mac_frameworks | 4 ++-- include/tests_malware | 2 +- include/tests_memory_processes | 2 +- include/tests_nameservices | 4 ++-- include/tests_ports_packages | 2 +- include/tests_storage_nfs | 6 +++--- include/tests_webservers | 10 +++++----- lynis | 2 +- 27 files changed, 62 insertions(+), 62 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index db90546e..147c35b7 100644 --- a/CHANGELOG +++ b/CHANGELOG 
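Review bot: Resetting the global HTTPDBINARY when it is /usr/sbin/httpd on OpenBSD affects every later Apache test that reads it, and the only visible effect is the generic `Apache NOT FOUND`; log the reason before the reset so it lands in lynis.log, e.g. `logtext "Result: /usr/sbin/httpd on OpenBSD is the base system httpd, not Apache; skipping"`. If the binary lookup selected /usr/sbin/httpd because it precedes /usr/local/sbin in PATH, an Apache installed as /usr/local/sbin/httpd is never examined; the commit message says it is still detected there, which depends on how HTTPDBINARY is discovered, not visible in this hunk.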
@@ -921,7 +921,7 @@ - Added Squid test: reply_body_max_size option [SQD-3630] - Added /etc/init.d/rc and /etc/init.d/rcS to umask test [AUTH-9328] - Check PHP option allow_url_include [PHP-2378] - + Changes: - Extended possible Squid configuration file locations - Added additional sysctl keys to default profile @@ -1098,7 +1098,7 @@ - nginx configuration file check [HTTP-6704] - Exim status check [MAIL-8802] - Postfix status check [MAIL-8814] - + Changes: - atd needs to run before testing at files [SCHD-7720] - Removed Solaris OS requirement from logrotate test [LOGG-2148] @@ -1108,7 +1108,7 @@ - Binary scan optimized and partially combined with other check - Only perform iptables tests if kernel module is active - Don't show message when /etc/shells can't be found [SHLL-6211] - - Check /var/spool/cron/crontabs first, if it exists [SCHD-7704] + - Check /var/spool/cron/crontabs first, if it exists [SCHD-7704] - Renumbered FreeBSD test SHLL-7225 [SHLL-6202] - Renumbered malware test MALW-3292 [HRDN-7230] - Improved grep on process status [PRNT-2304] @@ -1298,10 +1298,10 @@ New: - New test: Passwordless Solaris accounts test [AUTH-9254] - New test: AFICK file integrity [FINT-4310] - - New test: AIDE file integrity [FINT-4314] - - New test: Osiris file integrity [FINT-4318] - - New test: Samhain file integrity [FINT-4322] - - New test: Tripwire file integrity [FINT-4326] + - New test: AIDE file integrity [FINT-4314] + - New test: Osiris file integrity [FINT-4318] + - New test: Samhain file integrity [FINT-4322] + - New test: Tripwire file integrity [FINT-4326] - New tests: NIS and NIS+ authentication test [AUTH-9240/42] - Initial support added for AFICK, AIDE, Osiris, Samhain, Tripwire 
@@ -1327,12 +1327,12 @@ - New test: Promiscuous network interfaces (Linux) [NETW-3015] - Report option 'bootloader' added to several tests - Added readlink binary check - + Changes: - Extended file check (IsWorldWritable) for symlinks - Show result if no default gateway is found [NETW-3001] - Added /usr/local/etc to sudoers test [AUTH-9250] - - Improved FreeBSD banner output [BANN-7113] + - Improved FreeBSD banner output [BANN-7113] - Removed incorrect line at promiscuous interface test [NETW-3014] - Fix: Show only once the GRUB test output [BOOT-5121] - Fix: Typo in NTP test [TIME-3104] @@ -1380,7 +1380,7 @@ - New test: checking for heavy IO waiting processes [PROC-3614] - Initial HP-UX support (untested) - Initial AIX support (untested) - - Added iptables binary check + - Added iptables binary check - Added dig check, for DNS related tests - Added option --no-colors to remove all colors from screen output - Added option --reverse-colors for optimizing output at light backgrounds @@ -1400,7 +1400,7 @@ - Several tests have their warning reporting improved - Improved SuSE Linux detection - Improved syslog-ng detection - - Adjusted README with link to online (extended) documentation + - Adjusted README with link to online (extended) documentation -- @@ -1410,7 +1410,7 @@ - New test: Check writable startup scripts [BOOT-5184] - New test: Syslog-NG consistency check [LOGG-2134] - New test: Check yum-utils package and scanning package database [PKGS-7384] - - New test: Test for empty ruleset when iptables is loaded [FIRE-4512] + - New test: Test for empty ruleset when iptables is loaded [FIRE-4512] - New test: Check for expired SSL certificates [CRYP-7902] - New test: Check for LDAP authentication support [AUTH-9238] - New test: Read available crontab/cron files [SCHD-7704] 
@@ -1449,7 +1449,7 @@ * 1.1.5 (2008-06-10) New: - - Assigned ID to Apache configuration file test [HTTP-6624] + - Assigned ID to Apache configuration file test [HTTP-6624] - Added pause_between_tests to profile file, to regulate the speed of a scan - Assigned ID to dpkg test and solved issue with colon in package names [PKG-7345] - Assigned ID to Solaris package test [PKG-7306] @@ -1732,12 +1732,12 @@ -- * 1.0.3 (2007-11-19) - + New: - Added check for sockstat - Test: added test for GRUB and password option - Test: query listening ports (sockstat) - + Changes: - Fixed NTPd check (bug) - Extended help for 'double installed package' check (BSD systems, pkg_info) @@ -1789,7 +1789,7 @@ Changes: - [bug] Changed skel directory check - Fixed display Apache configuration file - + -- * 1.0.0 (2007-11-08) diff --git a/CONTRIBUTIONS.md b/CONTRIBUTIONS.md index ba03583b..dd032453 100644 --- a/CONTRIBUTIONS.md +++ b/CONTRIBUTIONS.md @@ -36,4 +36,4 @@ To ensure all pull requests can be easily checked and merged, here are some tips * Your code should work on other platforms running the bourne shell (/bin/sh), not just BASH. * Properly document your code where needed. Besides the 'what', focus on explaining the 'why'. * Check the log information (lynis.log) of your new test or changed code, so that it provides helpful details for others. -* Most variables should be capitalized, with underscore as word separator (e.g. PROCESS_EXISTS=1) \ No newline at end of file +* Most variables should be capitalized, with underscore as word separator (e.g. PROCESS_EXISTS=1) diff --git a/FAQ b/FAQ index 858bddfd..e0bd9736 100644 --- a/FAQ +++ b/FAQ 
@@ -58,7 +58,7 @@ have a dark background, so it gives extra attention to the message. However if you have a white background (for example Mac OS X), you can run Lynis with --no-colors to strip colors or --reverse-colors to reverse the color - scheme. Another option is to change your terminal colors within Mac OS. + scheme. Another option is to change your terminal colors within Mac OS. Q: Some tests take very long to finish, what to do? A: Use a second console (or connection) and check the output of ps/lsof etc, diff --git a/db/fileperms.db b/db/fileperms.db index a4bbcf18..327db5ea 100644 --- a/db/fileperms.db +++ b/db/fileperms.db @@ -9,7 +9,7 @@ # 5) file group owner # 6) operating system, or systems # 7) operating system special -# 8) +# 8) # #================================================== file:/etc/group:644:root:root:Linux: diff --git a/db/hints.db b/db/hints.db index 1504cb30..18a7c680 100644 --- a/db/hints.db +++ b/db/hints.db @@ -1,2 +1,2 @@ #version=20091015 -100:Did you know? Lynis has a --cronjob option for optimized output while running on scheduled times.: \ No newline at end of file +100:Did you know? Lynis has a --cronjob option for optimized output while running on scheduled times.: diff --git a/db/malware-susp.db b/db/malware-susp.db index 5c6ace24..6c0c982f 100644 --- a/db/malware-susp.db +++ b/db/malware-susp.db @@ -1,4 +1,4 @@ #version=2009101500 vuln.txt::: crack*::: -exploit*::: \ No newline at end of file +exploit*::: diff --git a/db/malware.db b/db/malware.db index 7844f1f3..28ffcb28 100644 --- a/db/malware.db +++ b/db/malware.db @@ -41,4 +41,4 @@ /tmp/.b:::Slapper::: /usr/man/.sman/sk:::Superkit::: /usr/lib/.tbd:::TBD::: -/sbin/.login:::Login backdoor::: \ No newline at end of file +/sbin/.login:::Login backdoor::: diff --git a/db/sbl.db b/db/sbl.db index 323303b4..d493e510 100644 --- a/db/sbl.db +++ b/db/sbl.db @@ -1,2 +1,2 @@ #version=2008052800 -php:5.2.5 \ No newline at end of file +php:5.2.5 
diff --git a/debian/README.Debian b/debian/README.Debian index 60820ff7..8a6f45c5 100644 --- a/debian/README.Debian +++ b/debian/README.Debian @@ -1,20 +1,20 @@ lynis for Debian ---------------- -When execute Lynis from Debian menu, the program runs with the following +When execute Lynis from Debian menu, the program runs with the following parameter: lynis --no-colors -It makes a full system check, with the default profile file +It makes a full system check, with the default profile file (/etc/lynis/default.prf). Please adjust this config file with your needs. For better perform, launch Lynis from a terminal, as root user, with your best configuration. Lynis can be executed directly: -# lynis -c -or +# lynis -c +or # lynis After Lynis runs the system check, it creates the following two files with the diff --git a/debian/rules b/debian/rules index 468f07a6..5ea1eafc 100755 --- a/debian/rules +++ b/debian/rules @@ -12,13 +12,13 @@ clean: dh_testdir dh_testroot rm -f build-stamp - dh_clean + dh_clean install: build dh_testdir dh_testroot - dh_prep + dh_prep # Add here commands to install the package into debian/lynis. install -D -m 0755 $(CURDIR)/lynis $(CURDIR)/debian/lynis/usr/sbin/lynis diff --git a/default.prf b/default.prf index 8f79daa5..3a51832a 100644 --- a/default.prf +++ b/default.prf @@ -122,7 +122,7 @@ sysctl:kernel.use-nx:0:1:XXX: [network] sysctl:net.inet.icmp.bmcastecho:0:1:Ignore ICMP packets directed to broadcast address: sysctl:net.inet.icmp.rediraccept:0:1:Disable incoming ICMP redirect routing redirects: -sysctl:net.inet.ip.accept_sourceroute:0:1:Disable IP source routing: +sysctl:net.inet.ip.accept_sourceroute:0:1:Disable IP source routing: sysctl:net.inet.ip.redirect:0:1:Disable/Ignore ICMP routing redirects: sysctl:net.inet.ip.sourceroute:0:1:Disable IP source routing: sysctl:net.inet.ip6.redirect:0:1:Disable/Ignore ICMP routing redirects: 
@@ -149,9 +149,9 @@ sysctl:net.ipv4.tcp_syncookies:1:1:Use SYN cookies to prevent SYN attack: sysctl:net.ipv4.tcp_timestamps:0:1:Do not use TCP time stamps: sysctl:net.ipv6.conf.all.send_redirects:0:1:Disable/ignore ICMP routing redirects: sysctl:net.ipv6.conf.all.accept_redirects:0:1:Disable/Ignore ICMP routing redirects: -sysctl:net.ipv6.conf.all.accept_source_route:0:1:Disable IP source routing: +sysctl:net.ipv6.conf.all.accept_source_route:0:1:Disable IP source routing: sysctl:net.ipv6.conf.default.accept_redirects:0:1:Disable/Ignore ICMP routing redirects: -sysctl:net.ipv6.conf.default.accept_source_route:0:1:Disable IP source routing: +sysctl:net.ipv6.conf.default.accept_source_route:0:1:Disable IP source routing: [security] #sysctl:kern.securelevel:1^2^3:1:FreeBSD security level: diff --git a/extras/README b/extras/README index c51df06f..57f42d94 100644 --- a/extras/README +++ b/extras/README @@ -6,4 +6,4 @@ - Integrity checks and tools - Development tools -================================================================================ \ No newline at end of file +================================================================================ diff --git a/extras/build-lynis.sh b/extras/build-lynis.sh index 9d82bcc6..f0f6cc72 100755 --- a/extras/build-lynis.sh +++ b/extras/build-lynis.sh @@ -364,7 +364,7 @@ Exit #=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= - echo -n "- Cleaning up OpenBSD package build... " + echo -n "- Cleaning up OpenBSD package build... " if [ -f openbsd/+CONTENTS ]; then rm openbsd/+CONTENTS; fi echo "DONE" OPENBSD_CONTENTS="openbsd/+CONTENTS" @@ -377,7 +377,7 @@ Exit for I in ${PACKAGE_LIST_FILES}; do echo -n "${I} " - #FULLNAME=`cat files.dat | grep ":file:include: + #FULLNAME=`cat files.dat | grep ":file:include: #echo "${FULLNAME}" >> ${OPENBSD_CONTENTS} echo "${I}" >> ${OPENBSD_CONTENTS} FILE="../${I}" diff --git a/include/functions b/include/functions index 89e9c662..2e610fe2 100644 
--- a/include/functions +++ b/include/functions @@ -89,10 +89,10 @@ # If 'file' is an directory, use -d if [ -d ${CHECKFILE} ]; then FILEVALUE=`ls -d -l ${CHECKFILE} | cut -c 2-10` - PROFILEVALUE=`cat ${PROFILE} | grep '^permdir' | grep ":${CHECKFILE}:" | cut -d: -f3` + PROFILEVALUE=`cat ${PROFILE} | grep '^permdir' | grep ":${CHECKFILE}:" | cut -d: -f3` else FILEVALUE=`ls -l ${CHECKFILE} | cut -c 2-10` - PROFILEVALUE=`cat ${PROFILE} | grep '^permfile' | grep ":${CHECKFILE}:" | cut -d: -f3` + PROFILEVALUE=`cat ${PROFILE} | grep '^permfile' | grep ":${CHECKFILE}:" | cut -d: -f3` fi if [ "${FILEVALUE}" = "${PROFILEVALUE}" ]; then PERMS="OK"; else PERMS="BAD"; fi fi @@ -1060,7 +1060,7 @@ if [ ! "${FIND}" = "" ]; then SKIPTEST=1; SKIPREASON="Skipped by configuration"; fi fi - # Skip if test is not in the list + # Skip if test is not in the list if [ ${SKIPTEST} -eq 0 -a ! "${TESTS_TO_PERFORM}" = "" ]; then FIND=`echo "${TESTS_TO_PERFORM}" | grep "${TEST_NO}"` if [ "${FIND}" = "" ]; then SKIPTEST=1; SKIPREASON="Test not in list of tests to perform"; fi @@ -1146,7 +1146,7 @@ { if [ $1 = "" ]; then TESTID="UNKNOWN"; fi # Status: OK, WARNING, NEUTRAL, SUGGESTION - # Impact: HIGH, SEVERE, LOW, + # Impact: HIGH, SEVERE, LOW, #report "result[]=TESTID-${TESTID},STATUS-$2,IMPACT-$3,MESSAGE-$4-" # Reset ID before next test TESTID="" diff --git a/include/tests_crypto b/include/tests_crypto index d883e8b8..7a08962b 100644 --- a/include/tests_crypto +++ b/include/tests_crypto @@ -29,7 +29,7 @@ if [ ${SKIPTEST} -eq 0 ]; then FOUNDPROBLEM=0 # Check profile for paths to check - sSSL_PATHS=`grep "^ssl:certificates:" ${PROFILE} | cut -d ':' -f3` + sSSL_PATHS=`grep "^ssl:certificates:" ${PROFILE} | cut -d ':' -f3` for I in ${sSSL_PATHS}; do if [ -d ${I} ]; then FileIsReadable ${I} diff --git a/include/tests_databases b/include/tests_databases index ca2fb24c..80e7405b 100644 --- a/include/tests_databases +++ b/include/tests_databases 
@@ -79,7 +79,7 @@ Display --indent 4 --text "- Checking empty MySQL root password" --result WARNING --color RED AddHP 0 5 else - logtext "Result: Login did not succeed, so a MySQL root password is set" + logtext "Result: Login did not succeed, so a MySQL root password is set" Display --indent 4 --text "- Checking MySQL root password" --result OK --color GREEN AddHP 2 2 fi diff --git a/include/tests_file_integrity b/include/tests_file_integrity index 7bdc2072..03fa0908 100644 --- a/include/tests_file_integrity +++ b/include/tests_file_integrity @@ -94,7 +94,7 @@ Register --test-no FINT-4316 --preqs-met ${PREQS_MET} --weight L --network NO --description "AIDE configuration: Checksums (SHA256 or SHA512)" if [ ${SKIPTEST} -eq 0 ]; then FIND=`${GREPBINARY} "^Checksums" ${AIDECONFIG}` - FIND2=`${GREPBINARY} "^Checksums" ${AIDECONFIG} | ${EGREPBINARY} "sha256|sha512"` + FIND2=`${GREPBINARY} "^Checksums" ${AIDECONFIG} | ${EGREPBINARY} "sha256|sha512"` if [ "${FIND}" = "" ]; then logtext "Result: Unclear how AIDE is dealing with checksums" Display --indent 6 --text "- AIDE config (Checksums)" --result UNKNOWN --color YELLOW diff --git a/include/tests_filesystems b/include/tests_filesystems index ded21fc1..50c7308c 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems @@ -322,7 +322,7 @@ #SKELDIRS="/etc/skel /usr/share/skel" #for I in ${SKELDIRS}; do - # + # # logtext "Searching skel directory ${I}" # # if [ -d ${I} ]; then diff --git a/include/tests_kernel b/include/tests_kernel index 15c84206..66241526 100644 --- a/include/tests_kernel +++ b/include/tests_kernel 
@@ -49,7 +49,7 @@ logtext "Result: Found match on runlevel5/graphical" Display --indent 2 --text "- Checking default runlevel" --result "runlevel 5" --color GREEN report "linux_default_runlevel=5" - else + else logtext "Result: No match found on runlevel, defaulting to runlevel 3" Display --indent 2 --text "- Checking default runlevel" --result "runlevel 3" --color GREEN report "linux_default_runlevel=3" @@ -376,7 +376,7 @@ if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Checking presence /etc/security/limits.conf" if [ -f /etc/security/limits.conf ]; then - logtext "Result: file /etc/security/limits.conf exists" + logtext "Result: file /etc/security/limits.conf exists" logtext "Test: Checking if core dumps are disabled in /etc/security/limits.conf" FIND1=`cat /etc/security/limits.conf | grep -v "^#" | grep -v "^$" | awk '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="1") { print "soft core enabled" } }'` FIND2=`cat /etc/security/limits.conf | grep -v "^#" | grep -v "^$" | awk '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="1") { print "hard core enabled" } }'` @@ -438,7 +438,7 @@ FILE="/var/run/reboot-required.pkgs" logtext "Test: Checking presence ${FILE}" if [ -f ${FILE} ]; then - logtext "Result: file ${FILE} exists" + logtext "Result: file ${FILE} exists" FIND=`cat ${FILE}` if [ "${FIND}" = "" ]; then logtext "Result: No reboot needed (file empty)" diff --git a/include/tests_mac_frameworks b/include/tests_mac_frameworks index 4a0bc6dc..9b7fa2c2 100644 --- a/include/tests_mac_frameworks +++ b/include/tests_mac_frameworks @@ -71,7 +71,7 @@ elif [ ${FIND} -eq 1 ]; then logtext "Result: AppArmor is disabled" Display --indent 4 --text "- Checking AppArmor status" --result "DISABLED" --color YELLOW - else + else Display --indent 4 --text "- Checking AppArmor status" --result "UNKNOWN" --color RED ReportException "${TEST_NO}:1" "Invalid or unknown AppArmor status detected" fi 
@@ -119,7 +119,7 @@ Display --indent 6 --text "- Checking current mode and config file" --result "OK" --color GREEN else logtext "Result: Current SELinux mode (${FIND}) is NOT the same as in config file (${FIND2})." - ReportWarning ${TEST_NO} "M" "Current SELinux mode is different from config file (current: ${FIND}, config file: ${FIND2})" + ReportWarning ${TEST_NO} "M" "Current SELinux mode is different from config file (current: ${FIND}, config file: ${FIND2})" Display --indent 6 --text "- Checking current mode and config file" --result "WARNING" --color RED fi Display --indent 8 --text "Current SELinux mode: ${FIND}" diff --git a/include/tests_malware b/include/tests_malware index 1462646c..75517156 100644 --- a/include/tests_malware +++ b/include/tests_malware @@ -47,7 +47,7 @@ ################################################################################# # # Test : MALW-3276 - # Description : Check for installed tool (Rootkit Hunter) + # Description : Check for installed tool (Rootkit Hunter) Register --test-no MALW-3276 --weight L --network NO --description "Check for Rootkit Hunter" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: checking presence Rootkit Hunter" diff --git a/include/tests_memory_processes b/include/tests_memory_processes index fda6a32e..b78429db 100644 --- a/include/tests_memory_processes +++ b/include/tests_memory_processes @@ -64,7 +64,7 @@ # # Test : PROC-3612 # Description : Searching for dead and zombie processes - # Notes : Don't perform test on Solaris + # Notes : Don't perform test on Solaris if [ ! "${OS}" = "Solaris" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PROC-3612 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check dead or zombie processes" if [ ${SKIPTEST} -eq 0 ]; then diff --git a/include/tests_nameservices b/include/tests_nameservices index 5e59f53f..5131364b 100644 --- a/include/tests_nameservices +++ b/include/tests_nameservices 
@@ -94,7 +94,7 @@ # Check amount of search domains (max 1) FIND=`cat /etc/resolv.conf | grep "^search" | wc -l | tr -s ' ' | tr -d ' '` if [ ! "${FIND}" = "0" -a ! "${FIND}" = "1" ]; then - logtext "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)" + logtext "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)" Display --indent 4 --text "- Checking search domains lines" --result "CONFIG ERROR" --color YELLOW ReportWarning ${TEST_NO} "L" "Found more than 1 search lines in /etc/resolv.conf, which is probably a misconfiguration" else @@ -566,7 +566,7 @@ fi fi # Check if we found any NIS domain - if [ ! "${NISDOMAIN}" = "" ]; then + if [ ! "${NISDOMAIN}" = "" ]; then logtext "Found NIS domain: ${NISDOMAIN}" report "nisdomain=${NISDOMAIN}" Display --indent 4 --text "- Checking NIS domain" --result "FOUND" --color GREEN diff --git a/include/tests_ports_packages b/include/tests_ports_packages index 8143113a..c21db924 100644 --- a/include/tests_ports_packages +++ b/include/tests_ports_packages @@ -860,7 +860,7 @@ SCAN_PERFORMED=0 # Update portage. # Multiple ways to do this. Some require extra packages to be installed, - # others require potential firewall ports to be open, outbound. This is the + # others require potential firewall ports to be open, outbound. This is the # "most friendly" way. logtext "Action: updating portage with emerge-webrsync" /usr/bin/emerge-webrsync --quiet 2> /dev/null diff --git a/include/tests_storage_nfs b/include/tests_storage_nfs index 2b3d7d6b..1795aeb6 100644 --- a/include/tests_storage_nfs +++ b/include/tests_storage_nfs 
@@ -59,7 +59,7 @@ # # Test : STRG-1906 # Description : Check nfs protocols (TCP/UDP) and port in rpcinfo - if [ ! "${RPCINFOBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ! "${RPCINFOBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no STRG-1906 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nfs rpc" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Checking NFS registered protocols" @@ -114,7 +114,7 @@ # Description : Check NFS exports if [ ${NFS_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no STRG-1926 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking NFS exports" - if [ ${SKIPTEST} -eq 0 ]; then + if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: check /etc/exports" if [ -f /etc/exports ]; then logtext "Result: /etc/exports exists" @@ -139,7 +139,7 @@ # # Test : STRG-1928 # Description : Check for empty exports file while NFS is running - if [ ${NFS_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ${NFS_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no STRG-1928 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking empty /etc/exports" if [ ${SKIPTEST} -eq 0 ]; then if [ ${NFS_EXPORTS_EMPTY} -eq 1 ]; then diff --git a/include/tests_webservers b/include/tests_webservers index 51a8d528..b630c7a3 100644 --- a/include/tests_webservers +++ b/include/tests_webservers 
@@ -194,9 +194,9 @@ # # Configuration specific tests # SERVERTOKENSFOUND=0 # APACHE_CONFIGFILES="${APACHE_CONFIGFILE} /usr/local/etc/apache22/extra/httpd-default.conf /etc/apache2/sysconfig.d/global.conf" -# +# # for APACHE_CONFIGFILE in ${APACHE_CONFIGFILES}; do -# if [ -f ${APACHE_CONFIGFILE} ]; then +# if [ -f ${APACHE_CONFIGFILE} ]; then # # Check if option ServerTokens is configured # SERVERTOKENSTEST=`cat ${APACHE_CONFIGFILE} | grep ServerTokens | grep -v '^#'` # if [ ! "${SERVERTOKENSTEST}" = "" ]; then @@ -215,17 +215,17 @@ # else # Display --indent 4 --text "- Checking option ServerTokens" --result "NOT FOUND" --color WHITE # fi -# +# # else # # File does not exist, skipping # logtext "File ${APACHE_CONFIGFILE} does not exist, so skipping tests on this file" # fi # done -# +# # # Display results from checks # if [ ${SERVERTOKENSFOUND} -eq 1 ]; then # Display --indent 6 --text "- Value of ServerTokens" --result OK --color GREEN -# else +# else # Display --indent 6 --text "- Value of ServerTokens" --result WARNING --color RED # ReportWarning ${TEST_NO} "M" "Value of 'ServerTokens' in Apache config is different than template" # fi diff --git a/lynis b/lynis index d49c4bf9..575e2e06 100755 --- a/lynis +++ b/lynis @@ -488,7 +488,7 @@ echo " Program version: ${PROGRAM_version}" echo " Operating system: ${OS}" echo " Operating system name: ${OS_NAME}" - echo " Operating system version: ${OS_VERSION}" + echo " Operating system version: ${OS_VERSION}" if [ ! "${OS_MODE}" = "" ]; then echo " Operating system mode: ${OS_MODE}"; fi echo " Kernel version: ${OS_KERNELVERSION}" echo " Hardware platform: ${HARDWARE}" From 429fb62fd71b3044221f6de4d90aaeabfeb43f34 Mon Sep 17 00:00:00 2001 From: mboelen Date: Mon, 7 Sep 2015 17:40:03 +0200 Subject: [PATCH 128/167] Added UEFI_BOOTED --- include/consts | 1 + 1 file changed, 1 insertion(+) diff --git a/include/consts b/include/consts index bddc11eb..d1ea1b7e 100644 --- a/include/consts +++ b/include/consts 
@@ -117,6 +117,7 @@ unset LANG TESTS_EXECUTED="" TESTS_SKIPPED="" TRIPWIREBINARY="" + UEFI_BOOTED=0 UNBOUND_RUNNING=0 UPLOAD_OPTIONS="" UPDATE_CHECK_SKIPPED=0 From 919995eb5a208a4bae3a531b70302b02cb64729c Mon Sep 17 00:00:00 2001 From: mboelen Date: Mon, 7 Sep 2015 17:40:26 +0200 Subject: [PATCH 129/167] Added UEFI_BOOTED_SECURE --- include/consts | 1 + 1 file changed, 1 insertion(+) diff --git a/include/consts b/include/consts index d1ea1b7e..aa884190 100644 --- a/include/consts +++ b/include/consts @@ -118,6 +118,7 @@ unset LANG TESTS_SKIPPED="" TRIPWIREBINARY="" UEFI_BOOTED=0 + UEFI_BOOTED_SECURE=0 UNBOUND_RUNNING=0 UPLOAD_OPTIONS="" UPDATE_CHECK_SKIPPED=0 From 1283ccc06161f919bc8c7928e0d7e90647e4d12a Mon Sep 17 00:00:00 2001 From: mboelen Date: Mon, 7 Sep 2015 17:41:05 +0200 Subject: [PATCH 130/167] Added new test for UEFI detection [BOOT-5116] and storing data in report --- include/tests_boot_services | 62 +++++++++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) diff --git a/include/tests_boot_services b/include/tests_boot_services index 014acc67..982805f5 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services 
@@ -118,6 +118,66 @@
 fi
 #
 #################################################################################
+#
+ # Test : BOOT-5116
+ # Description : Check if system is booted in UEFI mode
+ Register --test-no BOOT-5116 --weight L --network NO --root-only YES --description "Check if system is booted in UEFI mode"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ UEFI_TESTS_PERFORMED=0
+ case ${OS} in
+ Linux)
+ UEFI_TESTS_PERFORMED=1
+ # Check if UEFI is available in this boot
+ logtext "Test: checking if UEFI is used"
+ if [ -d /sys/firmware/efi ]; then
+ logtext "Result: system booted in UEFI mode"
+ UEFI_BOOTED=1
+ else
+ logtext "Result: UEFI not used, can't find /sys/firmware/efi directory"
+ fi
+
+ # Test if Secure Boot is enabled
+ logtext "Test: determine if Secure Boot is used"
+ if [ -d /sys/firmware/efi/efivars ]; then
+ FIND=`ls /sys/firmware/efi/efivars/SecureBoot-* 2> /dev/null`
+ if [ ! "${FIND}" = "" ]; then
+ for I in ${FIND}; do
+ logtext "Test: checking file ${I}"
+ J=`od -An -t u1 ${I} | awk '{ print $5 }'`
+ if [ "${J}" = "1" ]; then
+ logtext "Result: found SecureBoot file with enabled status"
+ UEFI_BOOTED_SECURE=1
+ else
+ logtext "Result: system not booted with Secure Boot (status 0 in file ${I})"
+ fi
+ done
+ fi
+ else
+ logtext "Result: system not booted with Secure Boot (no SecureBoot file found)"
+ fi
+ ;;
+ #MacOS)
+ # Mac OS ioreg -l -p IODeviceTree | grep firmware-abi
+ #;;
+ *)
+ logtext "Result: no test implemented yet to test for UEFI on this platform"
+ ;;
+ esac
+ if [ ${UEFI_BOOTED} -eq 1 ]; then
+ Display --indent 2 --text "- Checking UEFI boot" --result ENABLED --color GREEN
+ if [ ${UEFI_BOOTED_SECURE} -eq 1 ]; then
+ Display --indent 2 --text "- Checking Secure Boot" --result ENABLED --color GREEN
+ else
+ Display --indent 2 --text "- Checking Secure Boot" --result DISABLED --color YELLOW
+ fi
+ else
+ if [ ${UEFI_TESTS_PERFORMED} -eq 1 ]; then
+ Display --indent 2 --text "- Checking UEFI boot" --result DISABLED --color GREEN
+ fi
+ fi
+ 
fi +# +################################################################################# # # Test : BOOT-5121 # Description : Check for GRUB boot loader @@ -682,6 +742,8 @@ # report "boot_loader=${BOOT_LOADER}" +report "boot_uefi_booted=${UEFI_BOOTED}" +report "boot_uefi_booted_secure=${UEFI_BOOTED_SECURE}" report "service_manager=${SERVICE_MANAGER}" wait_for_keypress From d23ef2db0ba8ef1b7457e1102092424f78f5ef43 Mon Sep 17 00:00:00 2001 From: mboelen Date: Mon, 7 Sep 2015 17:42:29 +0200 Subject: [PATCH 131/167] Changed screen identation of GRUB2 test --- include/tests_boot_services | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/include/tests_boot_services b/include/tests_boot_services index 982805f5..b913e04b 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services @@ -51,7 +51,6 @@ fi fi fi - # ################################################################################# # @@ -191,7 +190,7 @@ BOOT_LOADER="GRUB" BOOT_LOADER_FOUND=1 GRUB_VERSION=1 - Display --indent 4 --text "- Checking presence GRUB" --result "OK" --color GREEN + Display --indent 2 --text "- Checking presence GRUB" --result "OK" --color GREEN if [ -f /boot/grub/grub.conf ]; then GRUBCONFFILE="/boot/grub/grub.conf"; else GRUBCONFFILE="/boot/grub/menu.lst"; fi fi From e50eef0c1998524583c47a6cf28a89cb683cff78 Mon Sep 17 00:00:00 2001 From: mboelen Date: Mon, 7 Sep 2015 17:43:00 +0200 Subject: [PATCH 132/167] Added hint for possible extension to kernel scheduler --- include/tests_kernel | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/tests_kernel b/include/tests_kernel index 15c84206..d844f4a0 100644 --- a/include/tests_kernel +++ b/include/tests_kernel 
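Review bot: In the BOOT-5116 hunk a missing /sys/firmware/efi/efivars directory is logged as "system not booted with Secure Boot" and then shown as Secure Boot DISABLED, but that directory only exists when efivarfs is mounted (older kernels expose the variable under /sys/firmware/efi/vars instead), so a UEFI host without efivarfs gets a false DISABLED where UNKNOWN is the honest answer. I would track that case separately and display UNKNOWN, as sketched below. The `awk '{ print $5 }'` also deserves a comment, since it depends on the efivarfs file layout: `# efivarfs prepends a 4-byte attribute word, so byte 5 is the SecureBoot value`. Tooling such as mokutil additionally reads SetupMode-* and only calls Secure Boot enforced when SecureBoot is 1 and SetupMode is 0; that looks worth adding here too, though I would confirm the firmware semantics before relying on it.
```shell
# … unchanged: Register, SKIPTEST check …
UEFI_TESTS_PERFORMED=0
UEFI_SECUREBOOT_UNKNOWN=0
# … unchanged: Linux) UEFI detection, SecureBoot-* loop …
else
    logtext "Result: can't determine Secure Boot status (efivarfs not mounted at /sys/firmware/efi/efivars)"
    UEFI_SECUREBOOT_UNKNOWN=1
fi
# … unchanged: ;; MacOS placeholder, *) default, esac, UEFI boot display …
if [ ${UEFI_BOOTED_SECURE} -eq 1 ]; then
    Display --indent 2 --text "- Checking Secure Boot" --result ENABLED --color GREEN
elif [ ${UEFI_SECUREBOOT_UNKNOWN} -eq 1 ]; then
    Display --indent 2 --text "- Checking Secure Boot" --result UNKNOWN --color YELLOW
else
    Display --indent 2 --text "- Checking Secure Boot" --result DISABLED --color YELLOW
fi
```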
@@ -252,6 +252,8 @@ # # Test : KRNL-5730 # Description : Checking default I/O kernel scheduler + # Notes : This test could be extended with testing some of the specific devices like disks + # cat /sys/block/sda/queue/scheduler PREQS_MET="NO" if [ ! "${LINUXCONFIGFILE}" = "" ]; then if [ -f ${LINUXCONFIGFILE} ]; then PREQS_MET="YES"; fi From b83c3fbb10600964963b96c4099867822b56fcb0 Mon Sep 17 00:00:00 2001 From: Laurent Quillerou Date: Mon, 7 Sep 2015 18:52:19 +0300 Subject: [PATCH 133/167] Include main nginx.conf so that it generate nginx_config_option --- include/tests_webservers | 1 + 1 file changed, 1 insertion(+) diff --git a/include/tests_webservers b/include/tests_webservers index b630c7a3..2a0cc79c 100644 --- a/include/tests_webservers +++ b/include/tests_webservers @@ -418,6 +418,7 @@ # Remove temp file if [ ! "${TMPFILE}" = "" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi N=0 + cat ${NGINX_CONF_LOCATION} | sed -e 's/^[ \t]*//' | grep -v "^#" | grep -v "^$" | sed 's/[\t]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE} # Search for included configuration files (may include directories and wild cards) FIND=`grep "include" ${NGINX_CONF_LOCATION} | ${AWKBINARY} '{ if ($1=="include") { print $2 }}' | sed 's/;$//g'` for I in ${FIND}; do From d4f024faa6e2cb3c46f0e62ed44193c649bb7dc2 Mon Sep 17 00:00:00 2001 From: mboelen Date: Mon, 7 Sep 2015 21:07:47 +0200 Subject: [PATCH 134/167] Updated log of changes --- CHANGELOG | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 61 insertions(+), 1 deletion(-) diff --git a/CHANGELOG b/CHANGELOG index db90546e..38073ef6 100644 --- a/CHANGELOG +++ b/CHANGELOG 
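Review bot: The added `cat ${NGINX_CONF_LOCATION} ... >> ${TMPFILE}` has no guard on `${TMPFILE}`, while the line just above only removes the file after checking that the variable is non-empty; if TMPFILE can be empty at this point (its assignment is outside the hunk) the redirect fails and the main config is not parsed at all. It also does not check that the nginx config is readable before reading it. I would wrap the line: `if [ ! "${TMPFILE}" = "" -a -r ${NGINX_CONF_LOCATION} ]; then cat ${NGINX_CONF_LOCATION} | sed -e 's/^[ \t]*//' | grep -v "^#" | grep -v "^$" >> ${TMPFILE}; fi` (keeping the existing whitespace-normalising sed stages). The enclosing test body starts and ends outside this hunk.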
@@ -17,6 +17,67 @@ ================================================================================ + = Lynis 2.1.2 = + + This is an major release, which includes both new features and enhancements to existing tests. + + * Operating systems + Improved support for Debian 8 + Don't show boot loader exception when a subset of tests is performed + + * Screen output + Improved output for tests which before showed results as a warning, while actually are just suggestions + + * Virtual machines + Detection of virtual machines extended with vmtoolsd detection + + * Mount points + FILE-6374 is expanded to test for multiple common mount points and define best practice mount flags. + + * Docker + Properly detect Docker on CoreOS systems, where it before gave error as it found directory /usr/libexec/docker + + * UEFI and Secure Boot + Initial support to test UEFI settings, including Secure Boot option + Options boot_uefi_booted and boot_uefi_booted_secure added to report file + + * Authentication + Depending on the operating system, Lynis now tries to determine if failed logins are properly logged. This includes + checking for /etc/login.defs [AUTH-9408] + + report option: auth_failed_logins_logged + **** ^ NEEDS more tests ################################### + + * DNS and Name services + Support added for Unbound DNS caching tool [NAME-4034] + Configuration check for Unbound [NAME-4036] + Record if a name caching utility is being used like nscd or Unbound. 
Also logging to report as field name_cache_used + + * Firewalls + IPFW firewall on FreeBSD test improved + + * Individual tests + BOOT-5180 now only gets executed if runlevel 2 is found + AUTH-9328 show correct message when no umask is found in /etc/profile, including correct logging entries + AUTH-9204 now excludes NIS entries to avoid false positives + TIME-3104 Only shows suggestion now on FreeBSD if ntpdate is configured, yet ntpd isn't running + FILE-6410 Added /var/lib/locatedb as search path + + Don't wait when using pentest mode in quick mode + Data uploads: provide help when self-signed certificates are used + + + + 8888888888888888888888888 + implement base64 + 8888888888888888888888888 + + + * Plugins + --------- + [PLGN-2804] Limit report output of EXT file systems to 1 item per line + + -------------------------------------------------------------- = Lynis 2.1.1 (2015-07-22) = @@ -91,7 +152,6 @@ * Plugins --------- - [PLGN-2602] Disabled by default, as it may be too slow for some machines [PLGN-3002] Extended with /sbin/nologin From 1a12d82ed6d71029b2bdb6fa7fa40d2c4d2751dc Mon Sep 17 00:00:00 2001 From: mboelen Date: Mon, 7 Sep 2015 21:11:51 +0200 Subject: [PATCH 135/167] Removed last newline --- CHANGELOG | 1 - db/fileperms.db | 1 - db/hints.db | 2 +- db/integrity.db | 2 +- db/malware-susp.db | 2 +- db/malware.db | 2 +- db/sbl.db | 2 +- default.prf | 2 +- 8 files changed, 6 insertions(+), 8 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index 7d15b294..f53d4435 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1898,4 +1898,3 @@ ================================================================================ Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com - diff --git a/db/fileperms.db b/db/fileperms.db index 327db5ea..1abba213 100644 --- a/db/fileperms.db +++ b/db/fileperms.db 
@@ -16,4 +16,3 @@ file:/etc/group:644:root:root:Linux: file:/etc/gshadow:400:root:root:Linux: file:/etc/passwd:644:root:root:Linux: file:/etc/shadow:400:root:root:Linux: - diff --git a/db/hints.db b/db/hints.db index 18a7c680..1504cb30 100644 --- a/db/hints.db +++ b/db/hints.db @@ -1,2 +1,2 @@ #version=20091015 -100:Did you know? Lynis has a --cronjob option for optimized output while running on scheduled times.: +100:Did you know? Lynis has a --cronjob option for optimized output while running on scheduled times.: \ No newline at end of file diff --git a/db/integrity.db b/db/integrity.db index 421d8196..4a2ebbaf 100644 --- a/db/integrity.db +++ b/db/integrity.db @@ -1,3 +1,3 @@ #version=2008062800 #binary:string:|NOT: -ifconfig:PROMISC:: +ifconfig:PROMISC:: \ No newline at end of file diff --git a/db/malware-susp.db b/db/malware-susp.db index 6c0c982f..5c6ace24 100644 --- a/db/malware-susp.db +++ b/db/malware-susp.db @@ -1,4 +1,4 @@ #version=2009101500 vuln.txt::: crack*::: -exploit*::: +exploit*::: \ No newline at end of file diff --git a/db/malware.db b/db/malware.db index 28ffcb28..7844f1f3 100644 --- a/db/malware.db +++ b/db/malware.db @@ -41,4 +41,4 @@ /tmp/.b:::Slapper::: /usr/man/.sman/sk:::Superkit::: /usr/lib/.tbd:::TBD::: -/sbin/.login:::Login backdoor::: +/sbin/.login:::Login backdoor::: \ No newline at end of file diff --git a/db/sbl.db b/db/sbl.db index d493e510..323303b4 100644 --- a/db/sbl.db +++ b/db/sbl.db @@ -1,2 +1,2 @@ #version=2008052800 -php:5.2.5 +php:5.2.5 \ No newline at end of file diff --git a/default.prf b/default.prf index 3a51832a..ab167e45 100644 --- a/default.prf +++ b/default.prf @@ -362,4 +362,4 @@ permdir:/root/.ssh:rwx------:root:-:WARN: #config:group:[group name]: #config:group:test: -#EOF +#EOF \ No newline at end of file From 1316fdf38bc498bb3918e6bce782ea7354c5a5e6 Mon Sep 17 00:00:00 2001 
From: mboelen Date: Mon, 7 Sep 2015 21:13:12 +0200 Subject: [PATCH 136/167] Changed identation for GRUB2 test --- include/tests_boot_services | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_boot_services b/include/tests_boot_services index b913e04b..40f97dce 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services @@ -200,7 +200,7 @@ BOOT_LOADER="GRUB2" BOOT_LOADER_FOUND=1 GRUB_VERSION=2 - Display --indent 4 --text "- Checking presence GRUB2" --result FOUND --color GREEN + Display --indent 2 --text "- Checking presence GRUB2" --result FOUND --color GREEN if [ -f /boot/grub/grub.cfg ]; then GRUBCONFFILE="/boot/grub/grub.cfg" elif [ -f /boot/grub2/grub.cfg ]; then From 2d72fe18d3e4f1a7137865c118e9d103699c929c Mon Sep 17 00:00:00 2001 From: Alexander Lobodzinski Date: Tue, 8 Sep 2015 14:19:11 +0200 Subject: [PATCH 137/167] Detect automation with Cfengine 3 --- include/tests_tooling | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/include/tests_tooling b/include/tests_tooling index 302a28d9..a8797263 100644 --- a/include/tests_tooling +++ b/include/tests_tooling @@ -20,6 +20,8 @@ PUPPET_MASTER_RUNNING=0 SALT_MASTER_RUNNING=0 SALT_MINION_RUNNING=0 + CF3_MASTER_RUNNING=0 + CF3_MINION_RUNNING=0 # ################################################################################# # 
@@ -44,6 +46,24 @@ AUTOMATION_TOOL_FOUND=1 Display --indent 4 --text "Found: Cfengine (cfagent)" --result FOUND --color GREEN fi + # Cfengine 3 + CF3_LOCATIONS="/var/cfengine/bin" + for I in ${CF3_LOCATIONS}; do + if [ -d ${I} ]; then + if [ -e ${I}/cf-agent ]; then + logtext "Result: found Cfengine3 agent (cf-agent) in ${I}" + AUTOMATION_TOOL_FOUND=1 + Display --indent 4 --text "Found: Cfengine (agent)" --result FOUND --color GREEN + fi + IsRunning "cf-server" + if [ ${RUNNING} -eq 1 ]; then + logtext "Result: found cfengine server" + CF3_MASTER_RUNNING=1 + report "automation_tool_running[]=cf-server" + Display --indent 4 --text "Found: Cfengine (server)" --result FOUND --color GREEN + fi + fi + done CHEF_LOCATIONS="/opt/chef/bin /opt/chef-server/sv /opt/chefdk/bin" for I in ${CHEF_LOCATIONS}; do From 66ff2a92292552219940857420b7cca830b126ce Mon Sep 17 00:00:00 2001 From: Alexander Lobodzinski Date: Tue, 8 Sep 2015 14:28:24 +0200 Subject: [PATCH 138/167] Fixed typos --- include/tests_tooling | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/include/tests_tooling b/include/tests_tooling index a8797263..3da4d60c 100644 --- a/include/tests_tooling +++ b/include/tests_tooling @@ -20,8 +20,8 @@ PUPPET_MASTER_RUNNING=0 SALT_MASTER_RUNNING=0 SALT_MINION_RUNNING=0 - CF3_MASTER_RUNNING=0 - CF3_MINION_RUNNING=0 + CF3_AGENT_FOUND=0 + CF3_SERVER_RUNNING=0 # ################################################################################# # 
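Review bot: `IsRunning "cf-server"` looks for a process name that does not exist as such: the CFEngine 3 server daemon shipped alongside cf-agent in /var/cfengine/bin is `cf-serverd`, so whether this ever matches depends on IsRunning doing a substring match, and IsRunning is not in view. I would use the real daemon name, `IsRunning "cf-serverd"`, and report it as `report "automation_tool_running[]=cf-serverd"`. The server check also sits inside the `if [ -d ${I} ]` branch, so a cf-serverd started from another install prefix is never detected; moving the IsRunning call after the `done` decouples the running-process check from the install-directory probe.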
@@ -53,14 +53,15 @@ if [ -e ${I}/cf-agent ]; then logtext "Result: found Cfengine3 agent (cf-agent) in ${I}" AUTOMATION_TOOL_FOUND=1 - Display --indent 4 --text "Found: Cfengine (agent)" --result FOUND --color GREEN + CF3_AGENT_FOUND=1 + Display --indent 4 --text "Found: Cfengine (cf-agent)" --result FOUND --color GREEN fi IsRunning "cf-server" if [ ${RUNNING} -eq 1 ]; then - logtext "Result: found cfengine server" - CF3_MASTER_RUNNING=1 + logtext "Result: found Cfengine3 server" + CF3_SERVER_RUNNING=1 report "automation_tool_running[]=cf-server" - Display --indent 4 --text "Found: Cfengine (server)" --result FOUND --color GREEN + Display --indent 4 --text "Found: Cfengine (cf-server)" --result FOUND --color GREEN fi fi done @@ -137,6 +138,8 @@ # ################################################################################# # + report "cf3_server=${CF3_SERVER_RUNNING}" + report "cf3_agent=${CF3_AGENT_INSTALLED}" report "puppet_master=${PUPPET_MASTER_RUNNING}" report "salt_master=${SALT_MASTER_RUNNING}" report "salt_minion=${SALT_MINION_RUNNING}" From e9373b59b08711ee483b0b979671741f8dd8480f Mon Sep 17 00:00:00 2001 From: mboelen Date: Tue, 8 Sep 2015 14:49:42 +0200 Subject: [PATCH 139/167] Cleanup: Don't show pflogd status on screen, when pf is not available --- include/tests_firewalls | 1 - 1 file changed, 1 deletion(-) diff --git a/include/tests_firewalls b/include/tests_firewalls index 9f620faf..302fd733 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls @@ -185,7 +185,6 @@ PFLOGDFOUND=1 else logtext "Result: pflog daemon not found in process list" - Display --indent 4 --text "- Checking pflogd status" --result "NOT FOUND" --color YELLOW fi fi From 174172eeba5628455edf628bcd76515b09f869d2 Mon Sep 17 00:00:00 2001 
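Review bot: The new `report "cf3_agent=${CF3_AGENT_INSTALLED}"` line reads a variable that nothing in this commit assigns; the flag introduced in the hunk above is `CF3_AGENT_FOUND`, so the report file always carries `cf3_agent=` with an empty value. Change it to `report "cf3_agent=${CF3_AGENT_FOUND}"`. ShellCheck (SC2154) flags exactly this kind of unassigned reference and is worth running over the include files.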
From: mboelen Date: Tue, 8 Sep 2015 14:59:25 +0200 Subject: [PATCH 140/167] Simplify: clarify if a particular set of module is not available, instead of showing cross --- include/report | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/include/report b/include/report index b211f0e1..00d10144 100644 --- a/include/report +++ b/include/report @@ -168,9 +168,10 @@ echo "" echo " ${SECTION}Lynis Modules${NORMAL}:" - echo " - Heuristics Check [${WHITE}NA${NORMAL}] - Security Audit [${GREEN}V${NORMAL}]" - if [ ${LYNIS_COMPLIANCE_TESTS} -eq 1 ]; then COMPLIANCE="${GREEN}V"; else COMPLIANCE="${RED}X"; fi - echo " - Compliance Tests [${COMPLIANCE}${NORMAL}] - Vulnerability Scan [${GREEN}V${NORMAL}]" + if [ ${LYNIS_COMPLIANCE_TESTS} -eq 1 ]; then COMPLIANCE="${GREEN}V"; else COMPLIANCE="${YELLOW}NA"; fi + echo " - Compliance Tests [${COMPLIANCE}${NORMAL}]" + echo " - Security Audit [${GREEN}V${NORMAL}]" + echo " - Vulnerability Scan [${GREEN}V${NORMAL}]" echo "" echo " ${SECTION}Files${NORMAL}:" echo " - Test and debug information : ${WHITE}${LOGFILE}${NORMAL}" From c47d00a37b036036f6111d35c2e3d5fec1813b4e Mon Sep 17 00:00:00 2001 From: mboelen Date: Tue, 8 Sep 2015 15:58:38 +0200 Subject: [PATCH 141/167] Added Alexander --- CONTRIBUTORS | 1 + 1 file changed, 1 insertion(+) diff --git a/CONTRIBUTORS b/CONTRIBUTORS index 0a7c2664..1a1e7a13 100644 --- a/CONTRIBUTORS +++ b/CONTRIBUTORS @@ -23,6 +23,7 @@ [+] Contributors ------------------------------------------ + Alexander Lobodzinski Brian Ginsbach C.J. Adams-Collier, US Charlie Heselton, US From 5f2ef483f649a39903e80e83dbb6dc1b25c5bb38 Mon Sep 17 00:00:00 2001 From: mboelen Date: Tue, 8 Sep 2015 16:02:41 +0200 Subject: [PATCH 142/167] Improved tests and logging for automation tools --- include/tests_tooling | 72 ++++++++++++++++++++++++------------------- 1 file changed, 40 insertions(+), 32 deletions(-) diff --git a/include/tests_tooling b/include/tests_tooling index 3da4d60c..0ae7f194 100644 
--- a/include/tests_tooling +++ b/include/tests_tooling @@ -16,12 +16,12 @@ # AUTOMATION_TOOL_FOUND=0 AUTOMATION_TOOL_RUNNING="" + CFENGINE_AGENT_FOUND=0 + CFENGINE_SERVER_RUNNING=0 BACKUP_AGENT_FOUND=0 PUPPET_MASTER_RUNNING=0 SALT_MASTER_RUNNING=0 SALT_MINION_RUNNING=0 - CF3_AGENT_FOUND=0 - CF3_SERVER_RUNNING=0 # ################################################################################# # 
@@ -42,36 +42,41 @@ # Cfengine if [ ! "${CFAGENTBINARY}" = "" ]; then - logtext "Result: Cfengine (cfagent) is installed (${CFAGENTBINARY})" + logtext "Result: CFEngine (cfagent) is installed (${CFAGENTBINARY})" AUTOMATION_TOOL_FOUND=1 + CFENGINE_AGENT_FOUND=1 + report "automation_tool_running[]=cf-agent" Display --indent 4 --text "Found: Cfengine (cfagent)" --result FOUND --color GREEN fi - # Cfengine 3 - CF3_LOCATIONS="/var/cfengine/bin" - for I in ${CF3_LOCATIONS}; do + OTHER_CFENGINE_LOCATIONS="/var/cfengine/bin" + for I in ${OTHER_CFENGINE_LOCATIONS}; do if [ -d ${I} ]; then - if [ -e ${I}/cf-agent ]; then - logtext "Result: found Cfengine3 agent (cf-agent) in ${I}" - AUTOMATION_TOOL_FOUND=1 - CF3_AGENT_FOUND=1 - Display --indent 4 --text "Found: Cfengine (cf-agent)" --result FOUND --color GREEN - fi - IsRunning "cf-server" - if [ ${RUNNING} -eq 1 ]; then - logtext "Result: found Cfengine3 server" - CF3_SERVER_RUNNING=1 - report "automation_tool_running[]=cf-server" - Display --indent 4 --text "Found: Cfengine (cf-server)" --result FOUND --color GREEN - fi + if [ -f ${I}/cf-agent ]; then + logtext "Result: found CFEngine agent (cf-agent) in ${I}" + AUTOMATION_TOOL_FOUND=1 + CFENGINE_AGENT_FOUND=1 + report "automation_tool_running[]=cf-agent" + Display --indent 4 --text "Found: CFEngine (cf-agent)" --result FOUND --color GREEN + fi + IsRunning "cf-server" + if [ ${RUNNING} -eq 1 ]; then + logtext "Result: found CFEngine server" + AUTOMATION_TOOL_FOUND=1 + CFENGINE_SERVER_RUNNING=1 + report "automation_tool_running[]=cf-server" + Display --indent 4 --text "Found: CFEngine (cf-server)" --result FOUND --color GREEN + fi fi done + # Chef CHEF_LOCATIONS="/opt/chef/bin /opt/chef-server/sv /opt/chefdk/bin" for I in ${CHEF_LOCATIONS}; do if [ -d ${I} ]; then if [ -f ${I}/chef-client ]; then CHEFCLIENTBINARY="${I}/chef-client" AUTOMATION_TOOL_FOUND=1 + report "automation_tool_running[]=chef-client" Display --indent 4 --text "Found: Chef client (chef-client)" --result 
FOUND --color GREEN logtext "Result: found chef-client (chef client daemon) in ${I}" fi @@ -79,6 +84,7 @@ CHEFSERVERBINARY="${I}/erchef" logtext "Result: Chef Server (erchef) is installed (${CHEFSERVERBINARY})" AUTOMATION_TOOL_FOUND=1 + report "automation_tool_running[]=chef-server" Display --indent 4 --text "Found: Chef Server (erchef)" --result FOUND --color GREEN logtext "Result: found erchef (chef server daemon) in ${I}" fi @@ -89,13 +95,14 @@ if [ ! "${PUPPETBINARY}" = "" ]; then logtext "Result: Puppet is installed (${PUPPETBINARY})" AUTOMATION_TOOL_FOUND=1 + report "automation_tool_running[]=puppet-agent" Display --indent 4 --text "Found: Puppet (agent)" --result FOUND --color GREEN fi IsRunning "puppet master" if [ ${RUNNING} -eq 1 ]; then logtext "Result: found puppet master" PUPPET_MASTER_RUNNING=1 - report "automation_tool_running[]=puppet" + report "automation_tool_running[]=puppet-master" Display --indent 4 --text "Found: Puppet (master)" --result FOUND --color GREEN fi 
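Review bot: `report "automation_tool_running[]=cf-agent"` is written when `${CFAGENTBINARY}` is non-empty or when `-f ${I}/cf-agent` succeeds, and the same key is written for `chef-client` further down on another `-f` test, yet none of these checks proves a process is running. A consumer that uses `automation_tool_running[]` to decide whether a host is under configuration management is therefore told a tool is running on hosts that only have a leftover binary, and the CFEngine 2 `cfagent` is reported under the CFEngine 3 name. Either gate the entry on `IsRunning "cf-agent"` as the cf-server branch does, or report presence under a separate key such as `report "automation_tool_present[]=cf-agent"` and reserve `running[]` for process checks. The enclosing test body continues outside this hunk.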
@@ -104,19 +111,24 @@ logtext "Result: SaltStack (salt-minion) is installed (${SALTMINIONBINARY})" AUTOMATION_TOOL_FOUND=1 SALT_MINION_RUNNING=1 + report "automation_tool_running[]=saltstack-minion" Display --indent 4 --text "Found: SaltStack minion (salt-minion)" --result FOUND --color GREEN fi if [ ! "${SALTMASTERBINARY}" = "" ]; then logtext "Result: SaltStack (salt-master) is installed (${SALTMASTERBINARY})" AUTOMATION_TOOL_FOUND=1 - Display --indent 4 --text "Found: SaltStack master (salt-master)" --result FOUND --color GREEN - fi - IsRunning "salt-master" - if [ ${RUNNING} -eq 1 ]; then - logtext "Result: found SaltStack (master)" SALT_MASTER_RUNNING=1 - report "automation_tool_running[]=saltstack-master" - Display --indent 4 --text "Found: SaltStack (master)" --result FOUND --color GREEN + report "automation_tool_running[]=saltstack-minion" + Display --indent 4 --text "Found: SaltStack master (salt-master)" --result FOUND --color GREEN + else + IsRunning "salt-master" + if [ ${RUNNING} -eq 1 ]; then + logtext "Result: found SaltStack (master)" + AUTOMATION_TOOL_FOUND=1 + SALT_MASTER_RUNNING=1 + report "automation_tool_running[]=saltstack-master" + Display --indent 4 --text "Found: SaltStack (master)" --result FOUND --color GREEN + fi fi if [ ${AUTOMATION_TOOL_FOUND} -eq 1 ]; then @@ -138,11 +150,7 @@ # ################################################################################# # - report "cf3_server=${CF3_SERVER_RUNNING}" - report "cf3_agent=${CF3_AGENT_INSTALLED}" - report "puppet_master=${PUPPET_MASTER_RUNNING}" - report "salt_master=${SALT_MASTER_RUNNING}" - report "salt_minion=${SALT_MINION_RUNNING}" + report "automation_tool_present=${AUTOMATION_TOOL_FOUND}" wait_for_keypress From 090bb2d4ebbcc3e932872dc8165076c0a1083e66 Mon Sep 17 00:00:00 2001 
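Review bot: In the salt-master branch the added `report "automation_tool_running[]=saltstack-minion"` is a copy of the minion branch and records the wrong tool; it should read `report "automation_tool_running[]=saltstack-master"`. The restructure also moves `IsRunning "salt-master"` into the `else` branch, so when the salt-master binary is present `SALT_MASTER_RUNNING=1` is set without any process check, and a master running from a path the binary scan did not cover is only detected when the binary was not found. Keep the `IsRunning` probe unconditional and derive `SALT_MASTER_RUNNING` only from it, letting the binary test record presence. The puppet-master branch in the previous hunk shows that pattern.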
From: mboelen Date: Wed, 9 Sep 2015 20:24:48 +0200 Subject: [PATCH 143/167] Extended virtualization tests and logging --- include/functions | 108 +++++++++++++++++++++++++++++++++++++--------- 1 file changed, 87 insertions(+), 21 deletions(-) diff --git a/include/functions b/include/functions index 2e610fe2..efa088f5 100644 --- a/include/functions +++ b/include/functions 
@@ -592,41 +592,92 @@ SHORT="" # facter - if [ -x /usr/bin/facter ]; then - case "`facter is_virtual`" in - "true") - VMTYPE=`facter virtual` - logtext "Result: found virtual machine (type: ${VMTYPE})" - report "vm=1" - report "vmtype=${VMTYPE}" - return ;; - "false") return ;; - esac + if [ "${SHORT}" = "" ]; then + if [ -x /usr/bin/facter ]; then + case "`facter is_virtual`" in + "true") + SHORT=`facter virtual` + logtext "Result: found ${SHORT}" + ;; + "false") + logtext "Result: facter says this machine is not a virtual" + ;; + esac + else + logtext "Result: facter utility not found" + fi + else + logtext "Result: skipped facter test, as we already found machine type" fi # systemd - if [ "${SHORT}" = "" -a -x /usr/bin/systemd-detect-virt ]; then - logtext "Test: trying to guess virtualization technology with systemd-detect-virt" - FIND=`/usr/bin/systemd-detect-virt` - if [ ! "${FIND}" = "" ]; then - SHORT="${FIND}" + if [ "${SHORT}" = "" ]; then + if [ -x /usr/bin/systemd-detect-virt ]; then + logtext "Test: trying to guess virtualization technology with systemd-detect-virt" + FIND=`/usr/bin/systemd-detect-virt` + if [ ! "${FIND}" = "" ]; then + logtext "Result: found ${FIND}" + SHORT="${FIND}" + fi + else + logtext "Result: systemd-detect-virt not found" fi + else + logtext "Result: skipped systemd test, as we already found machine type" + fi + + # lscpu + # Values: VMware + if [ "${SHORT}" = "" ]; then + if [ -x /usr/bin/lscpu ]; then + logtext "Test: trying to guess virtualization with lscpu" + FIND=`lscpu | grep "^Hypervisor Vendor" | awk -F: '{ print $2 }' | sed 's/ //g'` + if [ ! 
"${FIND}" = "" ]; then + logtext "Result: found ${FIND}" + SHORT="${FIND}" + else + logtext "Result: can't find hypervisor vendor with lscpu" + fi + else + logtext "Result: lscpu not found" + fi + else + logtext "Result: skipped lscpu test, as we already found machine type" fi # dmidecode # Values: VMware Virtual Platform / VirtualBox if [ "${SHORT}" = "" ]; then - logtext "Test: trying to guess virtualization with dmidecode" if [ -x /usr/sbin/dmidecode ]; then - SHORT=`dmidecode -s system-product-name | awk '{ print $1 }'` + logtext "Test: trying to guess virtualization with dmidecode" + FIND=`dmidecode -s system-product-name | awk '{ print $1 }'` + if [ ! "${FIND}" = "" ]; then + logtext "Result: found ${FIND}" + SHORT="${FIND}" + else + logtext "Result: can't find product name with dmidecode" + fi + else + logtext "Result: dmidecode not found" fi + else + logtext "Result: skipped dmidecode test, as we already found machine type" fi # lshw if [ "${SHORT}" = "" ]; then if [ -x /usr/bin/lshw ]; then - SHORT=`lshw -quiet -class system | awk '{ if ($1=="product:") { print $2 }}'` + logtext "Test: trying to guess virtualization with lshw" + FIND=`lshw -quiet -class system | awk '{ if ($1=="product:") { print $2 }}'` + if [ ! "${FIND}" = "" ]; then + logtext "Result: found ${FIND}" + SHORT="${FIND}" + fi + else + logtext "Result: lshw not found" fi + else + logtext "Result: skipped lshw test, as we already found machine type" fi # Try common guest processes 
@@ -644,12 +695,20 @@ if [ ${RUNNING} -eq 1 ]; then SHORT="virtualbox"; fi IsRunning VBoxClient if [ ${RUNNING} -eq 1 ]; then SHORT="virtualbox"; fi + else + logtext "Result: skipped processes test, as we already found platform" fi # Amazon EC2 if [ "${SHORT}" = "" ]; then logtext "Test: checking specific files for Amazon" - if [ -f /etc/ec2_version -a ! -z /etc/ec2_version ]; then SHORT="amazon-ec2"; fi + if [ -f /etc/ec2_version -a ! -z /etc/ec2_version ]; then + SHORT="amazon-ec2" + else + logtext "Result: system not hosted on Amazon" + fi + else + logtext "Result: skipped Amazon EC2 test, as we already found platform" fi # sysctl values @@ -658,7 +717,12 @@ # NetBSD: machdep.dmi.system-product # OpenBSD: hw.product - SHORT=`sysctl -a 2> /dev/null | egrep "(hw.product|machdep.dmi.system-product)" | head -1 | sed 's/ = /=/' | awk -F= '{ print $2 }'` + FIND=`sysctl -a 2> /dev/null | egrep "(hw.product|machdep.dmi.system-product)" | head -1 | sed 's/ = /=/' | awk -F= '{ print $2 }'` + if [ ! "${FIND}" = "" ]; then + SHORT="${FIND}" + fi + else + logtext "Result: skipped sysctl test, as we already found platform" fi # Check if we catched some string along all tests @@ -691,9 +755,11 @@ logtext "Result: found virtual machine (type: ${VMTYPE}, ${VMFULLTYPE})" report "vm=1" report "vmtype=${VMTYPE}" - elif [ ${ISVIRTUALMACHINE} -eq 2 ]; then + elif [ ${ISVIRTUALMACHINE} -eq 2 ]; then logtext "Result: unknown if this system is a virtual machine" report "vm=2" + else + logtext "Result: system seems to be non-virtual" fi } From 8142a221015ee28f59393aa4df74040825cb6feb Mon Sep 17 00:00:00 2001 From: mboelen Date: Wed, 9 Sep 2015 20:25:23 +0200 Subject: [PATCH 144/167] Updated timestamp of build --- lynis | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lynis b/lynis index 575e2e06..8cbcb38a 100755 --- a/lynis +++ b/lynis 
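Review bot: The Amazon check re-added here, `[ -f /etc/ec2_version -a ! -z /etc/ec2_version ]`, tests the literal string `/etc/ec2_version` for non-emptiness, which is always true, rather than the file's size, so an empty marker file still yields `SHORT="amazon-ec2"`. The size test is `-s`, which implies existence: `if [ -s /etc/ec2_version ]; then`. Minor: `-a` inside `[` is obsolescent in POSIX, so `[ -f x ] && [ -s x ]` is the portable spelling where two tests are needed. The function continues past the end of this hunk.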
@@ -23,7 +23,7 @@ # Program information PROGRAM_name="Lynis" PROGRAM_version="2.1.2" - PROGRAM_releasedate="20 August 2015" + PROGRAM_releasedate="9 September 2015" PROGRAM_author="Michael Boelen, CISOfy" PROGRAM_author_contact="lynis-dev@cisofy.com" PROGRAM_website="https://cisofy.com" From 7f4ee7ba5650cfb5345d7a45fc4d533add6448bf Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 10 Sep 2015 08:35:09 +0200 Subject: [PATCH 145/167] Added ExitCustom function and notes for virtualization --- include/functions | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/include/functions b/include/functions index efa088f5..39e63826 100644 --- a/include/functions +++ b/include/functions @@ -28,6 +28,7 @@ # DirectoryExists Check if a directory exists on the disk # Display Output text to screen with colors and identation # ExitClean Stop the program (cleanly), with exit code 0 +# ExitCustom Stop the program (cleanly), with custom exit code # ExitFatal Stop the program (cleanly), with exit code 1 # FileExists Check if a file exists on the disk # FileIsEmpty Check if a file is empty @@ -250,6 +251,18 @@ exit 0 } + # Clean exit with custom code + ExitCustom() + { + RemovePIDFile + # Exit with the exit code given, otherwise use 1 + if [ $# -eq 1 ]; then + exit $1 + else + exit 1 + fi + } + # Clean exit (removing temp files, PID files), with error code 1 ExitFatal() { @@ -680,6 +693,10 @@ logtext "Result: skipped lshw test, as we already found machine type" fi + # Other options + # SaltStack: salt-call grains.get virtual + # < needs snippet > + # Try common guest processes if [ "${SHORT}" = "" ]; then logtext "Test: trying to guess virtual machine type by running processes" 
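Review bot: `ExitCustom` hands `$1` straight to `exit` without checking that it is a small non-negative integer, so a caller mistake such as `ExitCustom ""` or a non-numeric value produces a shell error from `exit` instead of the documented fallback to 1, and values above 255 wrap modulo 256. Validate first: `case "${1}" in ''|*[!0-9]*) exit 1 ;; *) exit "${1}" ;; esac`. The header comment should also state that callers use sysexits(3) numbering, since the 64/65/66/78 codes introduced in PATCH 146, 148 and 151 match EX_USAGE, EX_DATAERR, EX_NOINPUT and EX_CONFIG.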
@@ -715,6 +732,7 @@ if [ "${SHORT}" = "" ]; then logtext "Test: trying to guess virtual machine type by sysctl keys" + # FreeBSD: hw.hv_vendor (remains empty for VirtualBox) # NetBSD: machdep.dmi.system-product # OpenBSD: hw.product FIND=`sysctl -a 2> /dev/null | egrep "(hw.product|machdep.dmi.system-product)" | head -1 | sed 's/ = /=/' | awk -F= '{ print $2 }'` From a8972b7b7fc993a5e422125f9e27b53a004e231e Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 10 Sep 2015 08:35:40 +0200 Subject: [PATCH 146/167] Changed exit codes when using incorrect parameters --- include/parameters | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/parameters b/include/parameters index aadc6700..b4501f6a 100644 --- a/include/parameters +++ b/include/parameters @@ -169,11 +169,11 @@ LASTCHAR=`echo $1 | awk '{ print substr($0, length($0))}'` if [ "${LASTCHAR}" = "/" ]; then echo "${RED}Error:${WHITE} plugin directory path should not end with a slash${NORMAL}" - ExitFatal + ExitCustom 65 fi if [ ! -d ${PLUGINDIR} ]; then echo "${RED}Error:${WHITE} invalid plugin directory ${PLUGINDIR}${NORMAL}" - ExitFatal + ExitCustom 66 fi ;; From b6c0736d6e4676412a78a5de7371337eb72eb4a0 Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 10 Sep 2015 08:35:57 +0200 Subject: [PATCH 147/167] Added counters for suggestions and warnings --- include/consts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/consts b/include/consts index aa884190..22c8c294 100644 --- a/include/consts +++ b/include/consts @@ -116,6 +116,8 @@ unset LANG TEST_SKIP_ALWAYS="" TESTS_EXECUTED="" TESTS_SKIPPED="" + TOTAL_SUGGESTIONS=0 + TOTAL_WARNINGS=0 TRIPWIREBINARY="" UEFI_BOOTED=0 UEFI_BOOTED_SECURE=0 From e7adeb8a6bfef3f276ab90e0c93ddbe38b82d687 Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 10 Sep 2015 08:36:26 +0200 Subject: [PATCH 148/167] Changed exit codes for specific events --- lynis | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/lynis b/lynis index 8cbcb38a..9fa9e08b 100755 --- a/lynis +++ b/lynis @@ -276,7 +276,7 @@ if [ "${PROFILE}" = "" ]; then echo "${RED}Fatal error: ${WHITE}No profile defined and could not find default profile${NORMAL}" echo "Search paths used --> ${tPROFILE_TARGETS}" - ExitFatal + ExitCustom 66 fi # Initialize and check profile file, auditor name, log file and report file if [ ! -r ${PROFILE} ]; then echo "Fatal error: Can't open profile file (${PROFILE})"; exit 1; fi @@ -389,7 +389,7 @@ # Cleanup PID file if we drop out earlier RemovePIDFile # Exit with exit code 1 - exit 1 + exit 64 fi # ################################################################################# From 7feb7e9a6cf11feb00c78369697f8bc066a71d52 Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 10 Sep 2015 09:18:03 +0200 Subject: [PATCH 149/167] Show amount of suggestions and warnings --- include/report | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/report b/include/report index 00d10144..ff24cc44 100644 --- a/include/report +++ b/include/report @@ -106,7 +106,7 @@ if [ "${SWARNINGS}" = "" ]; then echo " ${OK}No warnings${NORMAL}"; echo "" else - echo " ${WARNING}Warnings${NORMAL}:" + echo " ${WARNING}Warnings${NORMAL} (${TOTAL_WARNINGS}):" echo " ${WHITE}----------------------------${NORMAL}" for WARNING in ${SWARNINGS}; do SHOWWARNING=`echo ${WARNING} | sed 's/!space!/ /g' | sed 's/^\[\(.*\)\] Warning: //'` @@ -128,7 +128,7 @@ if [ "${SSUGGESTIONS}" = "" ]; then echo " ${OK}No suggestions${NORMAL}"; echo "" else - echo " ${YELLOW}Suggestions${NORMAL}:" + echo " ${YELLOW}Suggestions${NORMAL} (${TOTAL_SUGGESTIONS}):" echo " ${WHITE}----------------------------${NORMAL}" for SUGGESTION in ${SSUGGESTIONS}; do SHOWSUGGESTION=`echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^\[\(.*\)\] Suggestion: //'` From 0db8eca467b7f70dbe3c23d48e6741ec44d39049 Mon Sep 17 00:00:00 2001 
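Review bot: The context comment `# Exit with exit code 1` directly above the changed line now contradicts the code, which exits with 64; update it to `# Exit with exit code 64 (EX_USAGE: unknown or incomplete parameter)` so the meaning of the code is recorded where it is used. In the first hunk the neighbouring context line still does `exit 1` for an unreadable profile file while the missing-profile case just above it was changed to 66, which looks inconsistent if 66 is meant to signal "can't open file or directory" as the man page later says; `ExitCustom 66` there would match. Both sites are in the top-level script, whose surrounding logic lies outside this hunk.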
From: mboelen Date: Thu, 10 Sep 2015 09:18:20 +0200 Subject: [PATCH 150/167] Count total amount of suggestions and warnings --- include/functions | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/functions b/include/functions index 39e63826..dac54cc2 100644 --- a/include/functions +++ b/include/functions @@ -1239,6 +1239,7 @@ # Log suggestions to report file ReportSuggestion() { + TOTAL_SUGGESTIONS=`expr ${TOTAL_SUGGESTIONS} + 1` # 2 parameters # report "suggestion[]=$1|$2|" @@ -1248,6 +1249,7 @@ # Log warning to report file ReportWarning() { + TOTAL_WARNINGS=`expr ${TOTAL_WARNINGS} + 1` # 3 parameters # if [ "$2" = "L" -o "$2" = "M" -o "$2" = "H" ]; then From 04b2a900c174d95e0e8144a6b96d7602230395e3 Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 10 Sep 2015 09:18:41 +0200 Subject: [PATCH 151/167] Exit with code 78 when warnings were found --- lynis | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/lynis b/lynis index 9fa9e08b..99dfb04b 100755 --- a/lynis +++ b/lynis @@ -836,7 +836,11 @@ logtext "================================================================================" # Clean exit (Delete PID file) - ExitClean + if [ ${TOTAL_WARNINGS} -gt 0 ]; then + ExitCustom 78 + else + ExitClean + fi # The End From 02d735c4e16c0d91fe9a04dcb55c8f18b3983c7d Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 10 Sep 2015 09:31:55 +0200 Subject: [PATCH 152/167] Changed text, markup, added exit codes, and first time usage --- lynis.8 | 68 +++++++++++++++++++++++++++++++++++++-------------------- 1 file changed, 44 insertions(+), 24 deletions(-) diff --git a/lynis.8 b/lynis.8 index 8de5135f..742354a8 100644 --- a/lynis.8 +++ b/lynis.8 
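Review bot: The counters are incremented with `expr`, which forks a process for every suggestion and warning and fails with a syntax error if the variable is ever empty; POSIX arithmetic expansion does this in the shell and treats an unset variable as 0: `TOTAL_SUGGESTIONS=$((TOTAL_SUGGESTIONS + 1))` and `TOTAL_WARNINGS=$((TOTAL_WARNINGS + 1))`. Since PATCH 151 makes the process exit status depend on `TOTAL_WARNINGS`, a one-line comment in ReportWarning, `# counter also drives the final exit code (78 when > 0)`, would help the next reader. Both functions continue outside the hunk.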
@@ -1,17 +1,17 @@ -.TH Lynis 8 "30 April 2015" "1.18" "Unix System Administrator's Manual" +.TH Lynis 8 "10 September 2015" "1.19" "Unix System Administrator's Manual" .SH "NAME" \fB \fB \fB -Lynis \fP\- Run an system and security audit on the system +Lynis \fP\- System and security auditing tool \fB .SH "SYNOPSIS" .nf .fam C -\fBlynis\fP \-\-check-all(\-c) [other options] +\fBlynis\fP [scan mode] [other options] .fam T .fi .SH "DESCRIPTION" @@ -33,6 +33,17 @@ The following system areas may be checked: \- Files part of software packages .IP \- Directories and files related to logging and auditing + +.SH "FIRST TIME USAGE" +When running \fBLynis\fP for the first time, run: lynis audit system --quick + +.SH "SCAN MODES" + +.IP audit system +Performs a system audit, which is the most common audit. + +For more scan modes, see the helper utilities. + .SH "OPTIONS" .TP @@ -43,7 +54,7 @@ quotes, like "Your Name". .B \-\-checkall (or \-c) \fBLynis\fP performs a full check of the system, printing out the results of each test to stdout. Additional information will be saved into a log file -(default is /var/log/lynis.log). +(default is /var/log/lynis.log). This option invokes scan mode "audit system". .IP In case the outcome of a scan needs to be automated, use the report file. .TP 
@@ -111,33 +122,42 @@ with others. When running Lynis without any parameters, help will be shown and the program will exit. .RE .PP - .SH "HELPERS" Lynis has special helpers to do certain tasks. This way the framework of Lynis is used, while at the same time storing most of the functionality in a separated file. This speeds up execution and keeps the code clean. -.TP + .B audit Run audit on the system or on other targets -.TP + .B update Run updater utility -.TP -To use a helper, run Lynis followed by the helper name -.RE -.PP -.SH "BUGS" -Discovered a bug? Please report them via GitHub: https://github.com/CISOfy/lynis -.RE -.PP -.SH "Documentation" -Supporting documentation can be found via https://cisofy.com/documentation/lynis/ -.RE -.PP -.SH "LICENSING" -Lynis is licensed as GPL v3, written by Michael Boelen and supported by CISOfy. Plugins may have their own license. -.RE -.PP -.SH "CONTACT INFORMATION" +To use a helper, run Lynis followed by the helper name. + +.SH "EXIT CODES" +Lynis uses exit codes to signal any invoking script. Currently the following codes are used: +.IP 0 +Program exited normally, nothing found +.IP 1 +Fatal error +.IP 64 +An unknown parameter is used, or incomplete +.IP 65 +Incorrect data encountered +.IP 66 +Can't open file or directory +.IP 78 +Lynis found 1 or more warnings or configurations errors + +.SH "BUGS" +Bugs can be reported via GitHub at https://github.com/CISOfy/lynis + +.SH "DOCUMENTATION" +Supporting documentation can be found via https://cisofy.com/documentation/lynis/ + +.SH "LICENSING" +Lynis is licensed as GPL v3, written by Michael Boelen. Development is supported by CISOfy. Plugins may have their own license. + +.SH "CONTACT INFORMATION" Support requests and project related questions can be addressed via e-mail: lynis-dev@cisofy.com. From 28d9a49a5f2c6728d9f8da4f4e41bdf88c8c2d37 Mon Sep 17 00:00:00 2001 
From: mboelen Date: Thu, 10 Sep 2015 19:45:12 +0200 Subject: [PATCH 153/167] Renamed BINPATHS to BIN_PATHS --- include/binaries | 2 +- include/consts | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/include/binaries b/include/binaries index 206f6b12..a27912e1 100644 --- a/include/binaries +++ b/include/binaries @@ -37,7 +37,7 @@ BINARY_PATHS_FOUND=""; N=0 Display --indent 2 --text "- Checking system binaries..." logtext "Status: Starting binary scan..." - for SCANDIR in ${BINPATHS}; do + for SCANDIR in ${BIN_PATHS}; do logtext "Test: Check if directory exists" ORGPATH="" if [ -d ${SCANDIR} ]; then diff --git a/include/consts b/include/consts index 22c8c294..e80baa64 100644 --- a/include/consts +++ b/include/consts @@ -19,12 +19,14 @@ # # Paths where system and program binaries are located -BINPATHS="/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin \ +BIN_PATHS="/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin \ /usr/local/libexec /usr/libexec /usr/sfw/bin /usr/sfw/sbin \ /usr/sfw/libexec /opt/sfw/bin /opt/sfw/sbin /opt/sfw/libexec \ /usr/xpg4/bin /usr/css/bin /usr/ucb /usr/X11R6/bin /usr/X11R7/bin \ /usr/pkg/bin /usr/pkg/sbin" +ETC_PATHS="/etc /usr/local/etc" + # Do not use specific language, fall back to default # Some tools with translated strings are very hard to parse unset LANG From b43bf179546c6465fbbd988ea16c55c8ed8a3831 Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 10 Sep 2015 21:04:18 +0200 Subject: [PATCH 154/167] Remove tool tips section from report --- include/report | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/include/report b/include/report index ff24cc44..91856958 100644 --- a/include/report +++ b/include/report 
@@ -224,16 +224,6 @@ echo "================================================================================" fi - if [ ${SHOW_TOOL_TIPS} -eq 1 ]; then - echo " Tip: Disable all tests which are not relevant or are too strict for the" - echo " purpose of this particular machine. This will remove unwanted suggestions" - echo " and also boost the hardening index. Each test should be properly analyzed" - echo " to see if the related risks can be accepted, before disabling the test." - echo "================================================================================" - fi - - - echo ""; echo "" fi From 81e0dfcb66152e8bbe35c7722cf4a61c12fb6748 Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 10 Sep 2015 21:04:50 +0200 Subject: [PATCH 155/167] Add tool tips --- lynis | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lynis b/lynis index 99dfb04b..1266b9dd 100755 --- a/lynis +++ b/lynis @@ -809,6 +809,9 @@ # Show report if [ -f ${INCLUDEDIR}/report ]; then SafePerms ${INCLUDEDIR}/report; . ${INCLUDEDIR}/report; fi + # Show tool tips + if [ -f ${INCLUDEDIR}/hints_tips ]; then SafePerms ${INCLUDEDIR}/hints_tips; . ${INCLUDEDIR}/hints_tips; fi + logtext "================================================================================" logtext "Tests performed: ${CTESTS_PERFORMED}" logtext "Total tests: ${TOTAL_TESTS}" From fa98d9bba299dbbb262a4d3b7bbbbd0d79aeab72 Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 10 Sep 2015 21:05:04 +0200 Subject: [PATCH 156/167] Import of tool tips section --- include/tool_tips | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 include/tool_tips diff --git a/include/tool_tips b/include/tool_tips new file mode 100644 index 00000000..ee37fa94 --- /dev/null +++ b/include/tool_tips 
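Review bot: The new line sources `${INCLUDEDIR}/hints_tips`, but the file created in the next commit (PATCH 156) is `include/tool_tips`, so the `-f` guard never passes and the tips are silently never shown; one of the two names must change, e.g. `if [ -f ${INCLUDEDIR}/tool_tips ]; then SafePerms ${INCLUDEDIR}/tool_tips; . ${INCLUDEDIR}/tool_tips; fi`. Because a missing include is tolerated here by design, the mismatch produces no error; an `else logtext "Result: tool tips include not found"` branch would make such typos visible in the log. Keeping the SafePerms check before sourcing is the right pattern.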
@@ -0,0 +1,40 @@ +#!/bin/sh + +################################################################################# +# +# Lynis +# ------------------ +# +# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com) +# Web site: https://cisofy.com +# +# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are +# welcome to redistribute it under the terms of the GNU General Public License. +# See LICENSE file for usage of this software. +# +################################################################################# +# +# Hints and Tips +# +################################################################################# +# + + # Only show tips when enabled + if [ ${SHOW_TOOL_TIPS} -eq 1 ]; then + + # Bash completion support + if [ ! "${ETC_PATHS}" = "" ]; then + for I in ${ETC_PATHS}; do + if [ -d ${I}/bash-completion.d ]; then + if [ ! -f ${ETC_PATHS}/bash_completion.d/lynis ]; then + Display "This system has a bash_completition directory. Copy extras/bash_completion.d/lynis to ${I} to get completion support for Lynis" + fi + fi + done + fi + fi + + +# +#================================================================================ +# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com From 0b9c6132c6958841880d4261144f78eca9f1e4f6 Mon Sep 17 00:00:00 2001 From: mboelen Date: Thu, 10 Sep 2015 21:06:40 +0200 Subject: [PATCH 157/167] Add test [SHLL-6230] to test for umask values in common shell configuration files --- include/tests_shells | 52 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) diff --git a/include/tests_shells b/include/tests_shells index 52550562..1f1cdc21 100644 --- a/include/tests_shells +++ b/include/tests_shells 
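Review bot: The inner test `[ ! -f ${ETC_PATHS}/bash_completion.d/lynis ]` expands the whole `ETC_PATHS` list (`/etc /usr/local/etc`) instead of the loop variable, which with two entries makes `[` fail with "too many arguments", and it spells the directory `bash_completion.d` while the enclosing `-d` check looks for `bash-completion.d`, so the two tests never refer to the same path; the intended line is presumably `if [ ! -f ${I}/bash-completion.d/lynis ]; then`. `Display` is called everywhere else in this series with `--indent`/`--text`, so the bare-string call here likely prints nothing, and the message misspells "completion". Quote the expansions (`"${I}"`) while fixing this, since the loop is the only place the list is iterated.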
@@ -213,6 +213,58 @@
fi
#
#################################################################################
+#
+ # Test : SHLL-6230
+ # Description : Check for umask values in shell configurations
+ SHELL_CONFIG_FILES="/etc/bashrc /etc/bash.bashrc /etc/csh.cshrc /etc/profile"
+ Register --test-no SHLL-6230 --weight H --network NO --description "Perform umask check for shell configurations"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FOUND=0
+ HARDENING_POSSIBLE=0
+ Display --indent 2 --text "- Checking default umask values"
+ for FILE in ${SHELL_CONFIG_FILES}; do
+ FIND=""
+ if [ -f ${FILE} ]; then
+ logtext "Result: file ${FILE} exists"
+ FOUND=1
+ FIND=`grep umask ${FILE} | sed 's/^[ \t]*//g' | sed 's/#.*$//' | grep -v "^$" | awk '{ print $2 }'`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: did not find umask configured in ${FILE}"
+ Display --indent 4 --text "- Checking default umask in ${FILE}" --result NONE --color YELLOW
+ else
+ for UMASKVALUE in ${FIND}; do
+ logtext "Result: found umask ${UMASKVALUE} in ${FILE}"
+ case ${UMASKVALUE} in
+ 027|0027|077|0077)
+ logtext "Result: umask ${UMASKVALUE} is considered a properly hardened value"
+ ;;
+ *)
+ logtext "Result: umask ${UMASKVALUE} can be hardened "
+ HARDENING_POSSIBLE=1
+ ;;
+ esac
+ done
+ if [ ${HARDENING_POSSIBLE} -eq 0 ]; then
+ Display --indent 4 --text "- Checking default umask in ${FILE}" --result OK --color GREEN
+ AddHP 3 3
+ else
+ Display --indent 4 --text "- Checking default umask in ${FILE}" --result WEAK --color YELLOW
+ AddHP 1 3
+ fi
+ fi
+ else
+ logtext "Result: file ${FILE} not found"
+ fi
+ done
+ #if [ ${FOUND} -eq 1 ]; then
+ # if [ ${HARDENING_POSSIBLE} -eq 0 ]; then
+ # logtext "Result: all shell files found, contain a proper umask"
+ # Display --indent 4 --text "- Default umask" --result OK --color GREEN
+ # fi
+ #fi
+ fi
+#
#################################################################################
#
# Test : SHLL-6290
# Description : Check for Shellshock vulnerability
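Review bot: `HARDENING_POSSIBLE=0` is set once before `for FILE in ${SHELL_CONFIG_FILES}` but is read per file, so once one file yields a weak value every later file is displayed as WEAK and scored `AddHP 1 3` regardless of its own content. Reset it at the top of the loop body, next to `FIND=""`: `HARDENING_POSSIBLE=0`. The extraction `grep umask ${FILE} | ... | awk '{ print $2 }'` takes the second field of any line containing `umask`, so a line such as `if [ "$(umask)" != "027" ]` or `umask -S` feeds an unrelated token into the `case` and is logged as a hardenable value; anchoring on `^umask[[:space:]]` after the leading-whitespace strip would make the match explicit. Symbolic values (`u=rwx,g=rx,o=`) are also reported as weak by the fixed pattern list, which may or may not be intended. `FOUND` is only read in the commented-out block at the end, so it is dead code at present.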
From 21d305b68907c71d790785fd2a5581d0d6b6dfe9 Mon Sep 17 00:00:00 2001
From: mboelen
Date: Thu, 10 Sep 2015 21:07:06 +0200
Subject: [PATCH 158/167] Add support for testing umask value in /etc/login.conf like FreeBSD systems
---
include/tests_authentication | 35 +++++++++++++++++++++++++++++++++++
1 file changed, 35 insertions(+)
diff --git a/include/tests_authentication b/include/tests_authentication
index 5817263e..05d37114 100644
--- a/include/tests_authentication
+++ b/include/tests_authentication
@@ -945,6 +945,41 @@
logtext "Result: file /etc/init.d/rc does not exist"
fi
+ # FreeBSD
+ if [ -f /etc/login.conf ]; then
+ FOUND=0
+ WEAK_UMASK=0
+ logtext "Result: file /etc/login.conf exists"
+ FIND=`cat /etc/login.conf | grep "umask" | sed 's/#.*//' | sed -E 's/^[[:cntrl:]]//' | grep -v '^$' | awk -F: '{ print $2}' | awk -F= '{ if ($1=="umask") { print $2 }}'`
+ if [ ! "${FIND}" = "" ]; then
+ for UMASK_VALUE in ${FIND}; do
+ case VALUE in ${UMASK_VALUE}
+ 027|0027|077|0077)
+ logtext "Result: found umask value ${VALUE}, which is fine"
+ AddHP 2 2
+ FOUND=1
+ ;;
+ *)
+ AddHP 0 2
+ FOUND=1
+ WEAK_UMASK=1
+ logtext "Result: found umask value ${VALUE}, which can be more strict"
+ ;;
+ esac
+ done
+ fi
+ if [ ${FOUND} -eq 1 ]; then
+ if [ ${WEAK_UMASK} -eq 0 ]; then
+ Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result OK --color GREEN
+ else
+ ReportSuggestion ${TEST_NO} "Umask in /etc/login.conf could be more strict like 027"
+ fi
+ else
+ logtext "Result: no umask setting found in /etc/login.conf, which is unexpected"
+ Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result "NONE" --color YELLOW
+ fi
+ fi
+
# /etc/init.d/rcS
logtext "Test: Checking /etc/init.d/rcS"
if [ -f /etc/init.d/rcS ]; then
From 7d0759297ee60245cd5e6126a3a47a889634148c Mon Sep 17 00:00:00 2001
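Review bot: Both `logtext` lines inside the `case` interpolate `${VALUE}`, but the loop variable is `UMASK_VALUE` and `VALUE` is never assigned, so the log records `found umask value , which is fine`; PATCH 159 on this page corrects the `case` header but leaves these two lines, which should read `${UMASK_VALUE}`. The pipeline's `awk -F: '{ print $2}'` only inspects the second colon-separated field, so an entry where `umask=` is not the first capability on its line is silently skipped and the test then reports NONE; iterating over all fields in awk, or extracting with `grep -o 'umask=[0-9]*'`, would be more robust, though I cannot see which login.conf layouts the author targeted. `cat /etc/login.conf | grep "umask"` can simply be `grep "umask" /etc/login.conf`.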
From: mboelen
Date: Thu, 10 Sep 2015 21:42:30 +0200
Subject: [PATCH 159/167] Corrected case function
---
include/tests_authentication | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/tests_authentication b/include/tests_authentication
index 05d37114..ae113f1b 100644
--- a/include/tests_authentication
+++ b/include/tests_authentication
@@ -953,7 +953,7 @@
FIND=`cat /etc/login.conf | grep "umask" | sed 's/#.*//' | sed -E 's/^[[:cntrl:]]//' | grep -v '^$' | awk -F: '{ print $2}' | awk -F= '{ if ($1=="umask") { print $2 }}'`
if [ ! "${FIND}" = "" ]; then
for UMASK_VALUE in ${FIND}; do
- case VALUE in ${UMASK_VALUE}
+ case ${UMASK_VALUE} in
027|0027|077|0077)
logtext "Result: found umask value ${VALUE}, which is fine"
AddHP 2 2
From 78f32c2f2854cab01992c589c5175e98f6454316 Mon Sep 17 00:00:00 2001
From: mboelen
Date: Thu, 10 Sep 2015 21:46:23 +0200
Subject: [PATCH 160/167] Added screen output for /etc/login.conf
---
include/tests_authentication | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/include/tests_authentication b/include/tests_authentication
index ae113f1b..251060d1 100644
--- a/include/tests_authentication
+++ b/include/tests_authentication
@@ -972,11 +972,12 @@
if [ ${WEAK_UMASK} -eq 0 ]; then
Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result OK --color GREEN
else
+ Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result WEAK --color YELLOW
ReportSuggestion ${TEST_NO} "Umask in /etc/login.conf could be more strict like 027"
fi
else
logtext "Result: no umask setting found in /etc/login.conf, which is unexpected"
- Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result "NONE" --color YELLOW
+ Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result NONE --color YELLOW
fi
fi
From d2c0e7491edbee618d92b519d9907abc90c22058 Mon Sep 17 00:00:00 2001
From: Alexander Lobodzinski Date: Fri, 11 Sep 2015 14:54:38 +0200 Subject: [PATCH 161/167] In quiet mode, hardening index was not written to log and report files --- include/report | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/include/report b/include/report index 91856958..fb57bd00 100644 --- a/include/report +++ b/include/report @@ -19,17 +19,6 @@ ################################################################################# # - - # Only show overview if not running in quiet mode - if [ ${QUIET} -eq 0 ]; then - echo ""; echo "================================================================================" - echo ""; echo " -[ ${WHITE}${PROGRAM_name} ${PROGRAM_version} Results${NORMAL} ]-" - echo ""; - - - if [ ${SHOW_REPORT} -eq 1 ]; then - - logtextbreak # ################################################################################# # @@ -88,6 +77,18 @@ logtext "Hardening index : [${HPINDEX}] [${HPBLOCKS}${HPEMPTY}]" logtext "Hardening strength: ${HIDESCRIPTION}" + + # Only show overview if not running in quiet mode + if [ ${QUIET} -eq 0 ]; then + echo ""; echo "================================================================================" + echo ""; echo " -[ ${WHITE}${PROGRAM_name} ${PROGRAM_version} Results${NORMAL} ]-" + echo ""; + + + if [ ${SHOW_REPORT} -eq 1 ]; then + + logtextbreak + # ################################################################################# # From 6fbe0e95c55ac2006d5880bafad1d6386d3c201e Mon Sep 17 00:00:00 2001 From: mboelen Date: Sat, 12 Sep 2015 15:19:21 +0200 Subject: [PATCH 162/167] Changes to comments only --- include/tests_authentication | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_authentication b/include/tests_authentication index 251060d1..ad24a432 100644 --- a/include/tests_authentication +++ b/include/tests_authentication 
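Review bot: Moving the `if [ ${QUIET} -eq 0 ]` / `if [ ${SHOW_REPORT} -eq 1 ]` guards from the top of include/report to after the hardening-index `logtext` calls means everything between those two points now executes in quiet mode; the intent is that the index computation does, but if any `echo` or `Display` call sits in that region (not visible in these hunks) it now prints in quiet mode too and should be checked. The guards' closing `fi` lines are outside both hunks, so the nesting of the relocated block cannot be verified here. A one-line comment above the relocated block, e.g. `# Hardening index is computed and logged above so it is recorded in quiet mode as well`, would record why the guard no longer sits at the top of the file.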
@@ -811,11 +811,11 @@
logtext "Test: Checking umask value in /etc/profile"
FIND=`grep "umask" /etc/profile | sed 's/^[ \t]*//' | grep -v "^#" | awk '{ print $2 }'`
FIND2=`grep "umask" /etc/profile | sed 's/^[ \t]*//' | grep -v "^#" | awk '{ print $2 }' | wc -l`
- #FIND2=`egrep "^([[:space:]])([[:tab:]])*umask" /etc/profile | awk '{ print $2 }' | wc -l`
WEAK_UMASK=0
FOUND_UMASK=0
if [ "${FIND2}" = "0" ]; then
logtext "Result: did not find umask in /etc/profile"
+ #YYY possibly weak umask
elif [ "${FIND2}" = "1" ]; then
logtext "Result: found umask (prefixed with spaces)"
FOUND_UMASK=1
From cae5915c476c9a2a7e1d2174a1b036ee027365c6 Mon Sep 17 00:00:00 2001
From: Bodine Wilson
Date: Sun, 13 Sep 2015 10:51:39 -0400
Subject: [PATCH 163/167] Fixed a typo and mitigated a symlink attack for a corner case involving PID file creation.
---
CONTRIBUTORS | 1 +
lynis | 40 +++++++++++++++++++++++-----------------
2 files changed, 24 insertions(+), 17 deletions(-)
diff --git a/CONTRIBUTORS b/CONTRIBUTORS
index 1a1e7a13..53b83795 100644
--- a/CONTRIBUTORS
+++ b/CONTRIBUTORS
@@ -24,6 +24,7 @@
------------------------------------------
Alexander Lobodzinski
+ Bodine Wilson
Brian Ginsbach
C.J. Adams-Collier, US
Charlie Heselton, US
diff --git a/lynis b/lynis
index 1266b9dd..8d3d44b5 100755
--- a/lynis
+++ b/lynis
@@ -290,8 +290,22 @@
#
#################################################################################
#
- # Check if there is already a PID file (incorrect termination of previous instance)
- if [ -f lynis.pid -o -f /var/run/lynis.pid ]; then
+
+ # Decide where to write our PID file. For unprivileged users this will be in their home directory, or /tmp if their
+ # home directory isn't set. For root it will be /var/run, or the current workign directory if /var/run doesn't exist.
+ MYHOMEDIR=`echo ~`
+ if [ "${MYHOMEDIR}" = "" ]; then MYHOMEDIR="/tmp"; fi
+
+ if [ ${PRIVILEGED} -eq 0 ]; then
+ PIDFILE="${MYHOMEDIR}/lynis.pid"
+ elif [ -d /var/run ]; then
+ PIDFILE="/var/run/lynis.pid"
+ else
+ PIDFILE="./lynis.pid"
+ fi
+
+ # Check if there is already a PID file in any of the locations (incorrect termination of previous instance)
+ if [ -f "${MYHOMEDIR}/lynis.pid" -o -f "./lynis.pid" -o -f "/var/run/lynis.pid" ]; then
echo ""
echo " ${WARNING}Warning${NORMAL}: ${WHITE}PID file exists, probably another Lynis process is running.${NORMAL}"
echo " ------------------------------------------------------------------------------"
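Review bot: The fallback `MYHOMEDIR="/tmp"` places a fixed-name `lynis.pid` in a world-writable directory, which is exactly the situation the symlink mitigation in the next hunk exists for; since an unprivileged user without a home directory is a corner case, refusing to create a PID file there (or using `${TMPDIR:-/tmp}` only after verifying the file's owner) is safer than a predictable path. The existence test on the last added line uses `-f`, which follows symlinks, so a dangling link at one of the three locations is not reported by this check and is only caught by the `-L` test PATCH 167 adds for `${PIDFILE}`; testing `-e` or `-L` alongside `-f` would cover it here. `-o` inside `[ ]` is marked obsolescent by POSIX; three chained `[ ... ] || [ ... ]` tests are the portable form. Minor: `workign` in the comment should be `working`.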
@@ -305,26 +319,18 @@
echo " ${YELLOW}Note: ${WHITE}Cancelling the program can leave temporary files behind${NORMAL}"
echo ""
wait_for_keypress
- # Deleting temporary files
+ # Deleting any stale PID files that might exist.
# Note: Display function does not work yet at this point
- if [ -f lynis.pid ]; then rm -f lynis.pid; fi
- if [ -f /var/run/lynis.pid ]; then rm -f /var/run/lynis.pid; fi
+ if [ -f "${MYHOMEDIR}/lynis.pid" ]; then rm -f "${MYHOMEDIR}/lynis.pid"; fi
+ if [ -f "./lynis.pid" ]; then rm -f "./lynis.pid"; fi
+ if [ -f "/var/run/lynis.pid" ]; then rm -f "/var/run/lynis.pid"; fi
fi
- # Create new PID file (use work directory if /var/run is not available)
- if [ ${PRIVILEGED} -eq 0 ]; then
- # Store it in home directory of user
- MYHOMEDIR=`echo ~`
- if [ "${MYHOMEDIR}" = "" ]; then HOMEDIR="/tmp"; fi
- PIDFILE="${MYHOMEDIR}/lynis.pid"
- elif [ -d /var/run ]; then
- PIDFILE="/var/run/lynis.pid"
- else
- PIDFILE="lynis.pid"
- fi
+ # Create new PID file writable only by owner. Decrease the window for symlink attacks.
+ (umask 077; rm -f ${PIDFILE} ; touch ${PIDFILE})
OURPID=`echo $$`
echo ${OURPID} > ${PIDFILE}
- chmod 600 ${PIDFILE}
+
#
#################################################################################
#
From 7db712c0b2d2726df699156d8c7a7f7543591190 Mon Sep 17 00:00:00 2001
From: mboelen
Date: Sun, 13 Sep 2015 17:07:22 +0200
Subject: [PATCH 164/167] Textual changes and link to contributions guide
---
README.md | 27 ++++++++++++---------------
1 file changed, 12 insertions(+), 15 deletions(-)
diff --git a/README.md b/README.md
index 6997db75..c7016f7a 100644
--- a/README.md
+++ b/README.md
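Review bot: `(umask 077; rm -f ${PIDFILE} ; touch ${PIDFILE})` followed by `echo ${OURPID} > ${PIDFILE}` still has a check-then-use window: both `touch` and the `>` redirection follow a symlink placed between the `rm -f` and the write, so the change narrows the race rather than closing it, and PATCH 167's `-L` test (the last hunk on this page) replaces this code but keeps the same gap between its test and the `echo`. A write that fails instead of following is cheaper: `(umask 077; set -C; echo "$$" > "${PIDFILE}") || ExitFatal`, since with `noclobber` most shells create the file with `O_EXCL` and refuse an existing regular file or a dangling link — worth confirming for the `/bin/sh` implementations Lynis targets. `${PIDFILE}` is unquoted throughout although it can contain a home directory path. `OURPID=\`echo $$\`` is just `OURPID=$$`.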
@@ -3,22 +3,19 @@ lynis Lynis - Security auditing and hardening tool, for Unix based systems -Lynis is a security auditing for Unix derivatives like Linux, BSD, and Solaris. It performs an in-depth security scan -on the system to detect software and security issues. Besides information related to security, it will also scan for -general system information, installed packages, and possible configuration issues. +Lynis is a security auditing for Unix derivatives like Linux, BSD, and Solaris. It performs an in-depth security scan on the system to detect software and security issues. Besides information related to security, it will also scan for general system information, vulnerable software packages, and possible configuration issues. -We believe software should be simple, updated on a regular basis and open. You should be able to trust, understand, -and even alter the software. Many agree with us, as the software is being used by thousands every day to protect -their systems. +We believe software should be simple, updated on a regular basis and open. You should be able to trust, understand, and even alter the software. Many agree with us, as the software is being used by thousands every day to protect their systems. Main goals: -- Automated security auditing -- Compliance testing -- Vulnerability management +- Security auditing (automated) +- Compliance testing (e.g. PCI-DSS, HIPAA) +- Vulnerability testing The software aims to also assist with: - Configuration management - Software patch management +- System hardening - Penetration testing - Malware scanning - Intrusion detection 
@@ -45,13 +42,13 @@ chgrp -R to recursively alter the owner and group. Full documentation: https://cisofy.com/documentation/lynis/ ## Flexibility -For people who want to expand tests, it is suggested to use the tests_custom file (template in include directory). +If you want to create your own tests, use the 'tests_custom' file (template available in 'include' directory). Plugins are another possibility to customize, although their main goal is collecting data. -## Enterprise options -This software component has additional options and support available for companies. If you want to perform more -tests and centrally manage them, consider the purchase of a license. +## Enterprise version +This software is also available as part of an enterprise suite. It includes additional functionality (plugins, centralized system, reporting, dashboard), and supports. -## Support -Got an improvement to share? Create an issue in the tracker on GitHub or send us an e-mail: lynis-dev@cisofy.com +## Contribute +Got an improvement? Create it as an issue in the tracker on GitHub or send us an e-mail: lynis-dev@cisofy.com +More details can be found at https://github.com/CISOfy/lynis/CONTRIBUTIONS.md From 19b56631fa598f9eef73483ffd63d23c97b8d161 Mon Sep 17 00:00:00 2001 From: mboelen Date: Sun, 13 Sep 2015 17:17:37 +0200 Subject: [PATCH 165/167] Updated link to contributors guide --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c7016f7a..84c68134 100644 --- a/README.md +++ b/README.md @@ -50,5 +50,5 @@ This software is also available as part of an enterprise suite. It includes addi ## Contribute Got an improvement? Create it as an issue in the tracker on GitHub or send us an e-mail: lynis-dev@cisofy.com -More details can be found at https://github.com/CISOfy/lynis/CONTRIBUTIONS.md +More details can be found at [Contributors Guide](https://github.com/CISOfy/lynis/blog/master/CONTRIBUTIONS.md) 
From eb6385484c5a2c915c4aa5ef158fa5cf4ba23dbc Mon Sep 17 00:00:00 2001
From: mboelen
Date: Sun, 13 Sep 2015 17:18:13 +0200
Subject: [PATCH 166/167] Updated link to contributors guide
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 84c68134..b7fa2940 100644
--- a/README.md
+++ b/README.md
@@ -50,5 +50,5 @@ This software is also available as part of an enterprise suite. It includes addi
## Contribute
Got an improvement? Create it as an issue in the tracker on GitHub or send us an e-mail: lynis-dev@cisofy.com
-More details can be found at [Contributors Guide](https://github.com/CISOfy/lynis/blog/master/CONTRIBUTIONS.md)
+More details can be found at [Contributors Guide](https://github.com/CISOfy/lynis/blob/master/CONTRIBUTIONS.md)
From ae0e24aace993a4238514e7d2e01f5a6e9a54660 Mon Sep 17 00:00:00 2001
From: mboelen
Date: Sun, 13 Sep 2015 21:35:02 +0200
Subject: [PATCH 167/167] Added minor improvements to ensure PID file is correctly written
---
lynis | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/lynis b/lynis
index 8d3d44b5..87687673 100755
--- a/lynis
+++ b/lynis
@@ -23,7 +23,7 @@
# Program information
PROGRAM_name="Lynis"
PROGRAM_version="2.1.2"
- PROGRAM_releasedate="9 September 2015"
+ PROGRAM_releasedate="13 September 2015"
PROGRAM_author="Michael Boelen, CISOfy"
PROGRAM_author_contact="lynis-dev@cisofy.com"
PROGRAM_website="https://cisofy.com"
@@ -293,7 +293,7 @@
# Decide where to write our PID file. For unprivileged users this will be in their home directory, or /tmp if their
# home directory isn't set. For root it will be /var/run, or the current workign directory if /var/run doesn't exist.
- MYHOMEDIR=`echo ~`
+ MYHOMEDIR=`echo ~ 2> /dev/null`
if [ "${MYHOMEDIR}" = "" ]; then MYHOMEDIR="/tmp"; fi
if [ ${PRIVILEGED} -eq 0 ]; then
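Review bot: `MYHOMEDIR=\`echo ~ 2> /dev/null\`` does not make the empty-string fallback on the next line reachable: `echo` does not fail, and when `HOME` is unset the expansion of `~` is unspecified by POSIX, so depending on the `/bin/sh` in use the variable may hold the literal `~` (yielding a relative PID path `~/lynis.pid` in the current directory) or the passwd home directory, but not an empty string. Reading the variable directly is deterministic and keeps the existing test meaningful: `MYHOMEDIR="${HOME:-}"`, followed by the unchanged `if [ "${MYHOMEDIR}" = "" ]` line. The enclosing PID-file block continues outside this hunk.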
@@ -326,10 +326,16 @@
if [ -f "/var/run/lynis.pid" ]; then rm -f "/var/run/lynis.pid"; fi
fi
- # Create new PID file writable only by owner. Decrease the window for symlink attacks.
- (umask 077; rm -f ${PIDFILE} ; touch ${PIDFILE})
+ # Ensure symlink attack is not possible, by confirming there is no symlink of the file already
OURPID=`echo $$`
- echo ${OURPID} > ${PIDFILE}
+ if [ -L ${PIDFILE} ]; then
+ echo "Found symlinked PID file (${PIDFILE}), quitting"
+ ExitFatal
+ else
+ # Create new PID file writable only by owner
+ echo "${OURPID}" > ${PIDFILE}
+ chmod 600 ${PIDFILE}
+ fi
#
#################################################################################