Merge branch 'master' into freebsd-services

Roland Smith 2015-09-16 20:29:51 +02:00
commit f11783dbdf
67 changed files with 2199 additions and 1694 deletions

CHANGELOG

@ -8,60 +8,206 @@
Author: Michael Boelen (michael.boelen@cisofy.com) Author: Michael Boelen (michael.boelen@cisofy.com)
Description: Security and system auditing tool Description: Security and system auditing tool
Website: https://cisofy.com/lynis/ Website: https://cisofy.com/lynis/
GitHub: https://github.com/CISOfy/Lynis GitHub: https://github.com/CISOfy/lynis
Support policy: See section 'Support' (README file); Support policy: See section 'Support' in README file
Commercial support and plugins available via CISOfy Commercial support and plugins available via CISOfy
https://cisofy.com
Documentation: See web site, README, FAQ and CHANGELOG file Documentation: See web site, README, FAQ and CHANGELOG file
================================================================================ ================================================================================
= Lynis 2.1.0 (2015-04-16) = = Lynis 2.1.2 =
General: This is an major release, which includes both new features and enhancements to existing tests.
---------
Screen output has been improved to provide additional information.
OS support: * Operating systems
------------ Improved support for Debian 8
CUPS detection on Mac OS has been improved. AIX systems will now use csum Don't show boot loader exception when a subset of tests is performed
utility to create host ID. Group check have been altered on AIX, to include
the -n ALL. Core dump check on Linux is extended to check for actual values
as well.
Software: * Screen output
---------- Improved output for tests which before showed results as a warning, while actually are just suggestions
McAfee detection has been extended by detecting a running cma binary.
Improved detection of pf firewall on BSD and Mac OS. Security patch checking
with zypper extended.
Session timeout: * Virtual machines
----------------- Detection of virtual machines extended with vmtoolsd detection
Tests to determine shell time out setting have been extended to account for
AIX, HP-UX and other platforms. It will now determine also if variable is
exported as a readonly variable. Related compliance section PCI DSS 8.1.8
has been extended.
Documentation: * Mount points
--------------- FILE-6374 is expanded to test for multiple common mount points and define best practice mount flags.
- New document: Getting started with Lynis
https://cisofy.com/documentation/lynis/get-started/
Plugins (Enterprise): * Docker
---------------------- Properly detect Docker on CoreOS systems, where it before gave error as it found directory /usr/libexec/docker
- Update to file integrity plugin
Changes to PLGN-2606 (capabilities check)
- New configuration plugins: * UEFI and Secure Boot
PLGN-4802 (SSH settings) Initial support to test UEFI settings, including Secure Boot option
PLGN-4804 (login.defs) Options boot_uefi_booted and boot_uefi_booted_secure added to report file
Download link: https://cisofy.com/download/lynis/ * Authentication
Depending on the operating system, Lynis now tries to determine if failed logins are properly logged. This includes
checking for /etc/login.defs [AUTH-9408]
report option: auth_failed_logins_logged
**** ^ NEEDS more tests ###################################
* DNS and Name services
Support added for Unbound DNS caching tool [NAME-4034]
Configuration check for Unbound [NAME-4036]
Record if a name caching utility is being used like nscd or Unbound. Also logging to report as field name_cache_used
* Firewalls
IPFW firewall on FreeBSD test improved
* Individual tests
BOOT-5180 now only gets executed if runlevel 2 is found
AUTH-9328 show correct message when no umask is found in /etc/profile, including correct logging entries
AUTH-9204 now excludes NIS entries to avoid false positives
TIME-3104 Only shows suggestion now on FreeBSD if ntpdate is configured, yet ntpd isn't running
FILE-6410 Added /var/lib/locatedb as search path
Don't wait when using pentest mode in quick mode
Data uploads: provide help when self-signed certificates are used
8888888888888888888888888
implement base64
8888888888888888888888888
* Plugins
---------
[PLGN-2804] Limit report output of EXT file systems to 1 item per line
-------------------------------------------------------------- --------------------------------------------------------------
= Lynis 2.1.1 (2015-07-22) =
This release adds a lot of improvements, with focus on performance, and
additional support for common Linux distributions and external utilities.
We recommend to use this latest version.
* Operating system enhancements
-------------------------------
Support for systems like CentOS, openSUSE, Slackware is improved.
* Performance
-------------
Performance tuning has been applied, to speed up execution of the audit on
systems with many files. This also includes code cleanups.
* Automatic updates
-------------------
Initial work on an automatic updater has been implemented. This way Lynis
can be scheduled for automatic updating from a trusted source.
* Internal functions
--------------------
Not all systems have readlink, or the -f option of readlink. The
ShowSymlinkPath function has been extended with a Python based check, which
is often available.
* Software support
------------------
Apache module directory /usr/lib64/apache has been added, which is used on
openSUSE.
Support for Chef has been added.
Added tests for CSF's lfd utility for integrity monitoring on directories and
files. Related tests are FINT-4334 and FINT-4336.
Added support for Chrony time daemon and timesync daemon. Additionally NTP
sychronization status is checked when it is enabled.
Improved single user mode protection on the rescue.service file.
* Other
-------
Check for user permissions has been extended.
Python binary is now detected, to help with symlink detection.
Several new legal terms have been added, which are used for usage in banners.
In several files old tests have been removed, to further clean up the code.
* Bug fixes
---------
Nginx test showed error when access_log had multiple parameters.
Tests using locate won't be performed if not present.
Fix false positive match on Squid unsafe ports [SQD-3624].
The hardening index is now also inserted into the report if it is not displayed
on screen.
* Functions
---------
Added AddSystemGroup function
* New tests
---------
Several new tests have been added:
[PKGS-7366] Scan for debsecan utility on Debian systems
[PKGS-7410] Determine amount of installed kernel packages
[TIME-3106] Check synchronization status of NTP on systemd based systems
[CONT-8102] Docker daemon status and gather basic details
[CONT-8104] Check docker info for any Docker warnings
[CONT-8106] Check total, running and unused Docker containers
* Plugins
---------
[PLGN-2602] Disabled by default, as it may be too slow for some machines
[PLGN-3002] Extended with /sbin/nologin
* Documentation
---------------
A new document has been created to help with the process of upgrading Lynis.
It is available at https://cisofy.com/documentation/lynis/upgrading/
--------------------------------------------------------------
= Lynis 2.1.0 (2015-04-16) =
* General
---------
Screen output has been improved to provide additional information.
* OS support
------------
CUPS detection on Mac OS has been improved. AIX systems will now use csum
utility to create host ID. Group check have been altered on AIX, to include
the -n ALL. Core dump check on Linux is extended to check for actual values
as well.
* Software
----------
McAfee detection has been extended by detecting a running cma binary.
Improved detection of pf firewall on BSD and Mac OS. Security patch checking
with zypper extended.
* Session timeout
-----------------
Tests to determine shell time out setting have been extended to account for
AIX, HP-UX and other platforms. It will now determine also if variable is
exported as a readonly variable. Related compliance section PCI DSS 8.1.8
has been extended.
* Documentation
---------------
- New document: Getting started with Lynis
https://cisofy.com/documentation/lynis/get-started/
* Plugins (Enterprise)
----------------------
- Update to file integrity plugin
Changes to PLGN-2606 (capabilities check)
- New configuration plugins:
PLGN-4802 (SSH settings)
PLGN-4804 (login.defs)
Download link: https://cisofy.com/download/lynis/
--------------------------------------------------------------
= Lynis 2.0.0 (2015-02-25) = = Lynis 2.0.0 (2015-02-25) =
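Review bot: the new 2.1.2 entry still carries development scratch text that must not ship in a release CHANGELOG: the line `**** ^ NEEDS more tests ###################################` under the Authentication item, and the `8888888888888888888888888` / `implement base64` / `8888888888888888888888888` block after the data-upload item. Either finish those items (AUTH-9408 and the base64 change for uploads) or drop the placeholders, and give the `= Lynis 2.1.2 =` header a date like every other release header in this file. The header fix from `CISOfy/Lynis` to `CISOfy/lynis` is correct.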
@ -1752,4 +1898,3 @@
================================================================================ ================================================================================
Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com

CONTRIBUTIONS.md Normal file

@ -0,0 +1,39 @@
# Contributions
## Pull Requests
We welcome any contribution to improve Lynis. Contributions to the Lynis project can
be submitted as a pull request. The upstream project can be found in our [GitHub repository](https://github.com/CISOfy/lynis).
By submitting a [Pull Request](https://help.github.com/articles/using-pull-requests/)
to this repository, you agree that you:
1. Own the contribution that you are providing or have obtained permission from
the contribution owner
2. Allow your contribution to be licensed under the license of the target
project (GPLv3)
3. Allow your contribution to be freely distributed to the Lynis community
4. Allow the project the [Unlimited Rights](#Unlimited-Rights) to your contribution
If you have questions regarding development, send us an e-mail at [lynis-dev](mailto:lynis-dev@cisofy.com)
## Unlimited Rights
Our project is licensed under GPLv3. By providing a contribution to the project, it
will be used for the purpose of the project. Unlimited rights includes the rights to
use, modify, reproduce, release, perform, display, or disclose computer software or
computer software documentation in whole or in part, in any manner and for any
purpose whatsoever, and to have or authorize others to do so.
If you want to be named in as a contributor in the CONTRIBUTOR file, then include
this notition in your pull request. Preferred format: Full Name, with optional the
company name and/or your e-mail address).
## Developer Guidelines
To ensure all pull requests can be easily checked and merged, here are some tips:
* Your code should work on other platforms running the bourne shell (/bin/sh), not just BASH.
* Properly document your code where needed. Besides the 'what', focus on explaining the 'why'.
* Check the log information (lynis.log) of your new test or changed code, so that it provides helpful details for others.
* Most variables should be capitalized, with underscore as word separator (e.g. PROCESS_EXISTS=1)
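Review bot: the Unlimited Rights paragraph has a typo and an unbalanced parenthesis: `this notition in your pull request. Preferred format: Full Name, with optional the` / `company name and/or your e-mail address).` should read "this note in your pull request. Preferred format: Full Name, optionally with the company name and/or your e-mail address." In the same paragraph, `named in as a contributor` should drop `in`. Also the link `[Unlimited Rights](#Unlimited-Rights)` will not resolve on GitHub, which lowercases the anchors it generates for headings; use `(#unlimited-rights)`.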

View File

@ -1,24 +1,35 @@
================================================================================ ================================================================================
Lynis - CONTRIBUTIONS Lynis - CONTRIBUTORS
================================================================================ ================================================================================
The Lynis project is very thankful for the following individuals who The Lynis project is very thankful for the following individuals who
contributed to the project. They invested time and effort to report issues contributed to the project.
and send in related patches to improve the software and other components.
================================================================================ ================================================================================
Want to contribute as well? Here are some suggestions:
[+] Patches, bug fixes and suggestions - Create new tests for your favorite software packages
- Report (unexpected) screen errors
- Share missing results and findings
- Check for grammar issues
Create a pull request at GitHub --> https://github.com/CISOfy/lynis
[+] Contributors
------------------------------------------ ------------------------------------------
Alexander Lobodzinski
Bodine Wilson
Brian Ginsbach Brian Ginsbach
C.J. Adams-Collier, US C.J. Adams-Collier, US
Charlie Heselton, US Charlie Heselton, US
Dave Vehrs Dave Vehrs
Kamil Boratyński, Poland
Mikko Lehtisalo, Finland Mikko Lehtisalo, Finland
Steve Bosek, France Steve Bosek, France
Thomas Siebel, Germany Thomas Siebel, Germany

FAQ

@ -7,9 +7,11 @@
Author: Michael Boelen (michael.boelen@cisofy.com) Author: Michael Boelen (michael.boelen@cisofy.com)
Description: Security and system auditing tool Description: Security and system auditing tool
Website: https://cisofy.com/lynis/ Web site: https://cisofy.com/lynis/
GitHub: https://github.com/CISOfy/lynis
Support address: lynis-dev@cisofy.com
Development: May 2007 - Now Development: May 2007 - Now
Suppor: See README file and https://cisofy.com/support/ Support: See README file and https://cisofy.com/support/
Documentation: See web site, README, FAQ and CHANGELOG file Documentation: See web site, README, FAQ and CHANGELOG file
================================================================================ ================================================================================
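Review bot: `Website:` becomes `Web site:` here and in the README hunk below, while the CHANGELOG header and README.md in this same commit keep `Website`; pick one spelling across the documentation. The `Suppor:` typo fix and the added `GitHub:` and `Support address:` lines look good.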
@ -18,9 +20,9 @@
------------------------------- -------------------------------
Q: I don't understand the program (output), what to do? Q: I don't understand the program (output), what to do?
A: Keep reading this FAQ, then continue with reading the README file, followed A: Keep reading this FAQ. Also useful are the README file and the log file
by the log file (default: /var/log/lynis.log). After those sources, check (default: /var/log/lynis.log). Or check out the documentation on the
the documentation on the website. website: https://cisofy.com/support/
Q: I can't find any configuration file for Lynis, where is it? Q: I can't find any configuration file for Lynis, where is it?
A: There isn't one (currently), since all options are available as command A: There isn't one (currently), since all options are available as command
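Review bot: the rewritten answer ends with `website: https://cisofy.com/support/` as the place to find documentation, whereas the README hunk in this commit names https://cisofy.com/documentation/lynis/ as the documentation location. Use the documentation URL here and keep the support URL for the bugs-and-issues section, so the two files do not send readers to different places for the same thing.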
@ -30,11 +32,10 @@
Q: Why is there no port/package for my operating system? Q: Why is there no port/package for my operating system?
A: Because there is no maintainer for it yet. If you have the time to keep A: Because there is no maintainer for it yet. If you have the time to keep
the port/package current for your preferred operating system, fill in the the port/package current for your preferred operating system, let us know.
contact form to notify me and confirm no one else is working on it.
Q: What to do with the report files? Q: What to do with the report files?
A: The output could be used for monitoring (baseline checks). For user of the A: The output could be used for monitoring (baseline checks). For users of the
Lynis Enterprise Suite, they will be used to upload data. Lynis Enterprise Suite, they will be used to upload data.
@ -42,7 +43,7 @@
[+] Bugs or issues [+] Bugs or issues
------------------------------- -------------------------------
Q: Where can I report an issue or bug? Q: Where can I report an issue or bug?
A: Use the developer e-mail address lynis-dev@cisofy.com A: GitHub, or use the developer e-mail address lynis-dev@cisofy.com
@ -72,12 +73,12 @@
invoke Lynis (example: bash lynis -c). invoke Lynis (example: bash lynis -c).
Q: One or more tests are giving incorrect output. How to solve that? Q: One or more tests are giving incorrect output. How to solve that?
A: Check the log file. If that also has incorrect data, fill in the contact A: Check the log file. If that also has incorrect data, let us know via GitHub
form and describe the issue. or the developer e-mail address.
Q: The program takes long to complete and also uses too much resources. Can it Q: The program takes long to complete and also uses too much resources. Can it
be tuned? be tuned?
A: The time it takes to complete is depends on the amount of tests to run. A: The time it takes to complete depends on the amount of tests to run.
However the resources it take can be slighty lowered by increasing the However the resources it take can be slighty lowered by increasing the
pause_between_tests profile option. Keep in mind this increases the total pause_between_tests profile option. Keep in mind this increases the total
length of the scan to complete. length of the scan to complete.
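Review bot: the first sentence is fixed (`is depends` to `depends`), but the context line that follows still has two errors that belong in the same hunk: `However the resources it take can be slighty lowered by increasing the` should read `However, the resources it takes can be slightly lowered by increasing the`.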

README

@ -15,11 +15,14 @@
================================================================================ ================================================================================
== The website contains up-to-date documentation == *** NOTE ***
The website contains the latest documentation
See https://cisofy.com/documentation/lynis/ See https://cisofy.com/documentation/lynis/
[+] Introduction [+] Introduction
------------------------------- -------------------------------
@ -29,7 +32,8 @@
Some of the (future) features and usage options: Some of the (future) features and usage options:
- System and security audit checks - System and security audit checks
- File Integrity Assessment - Compliance testing
- File integrity monitoring
- System and file forensics - System and file forensics
- Usage of templates/baselines (reporting and monitoring) - Usage of templates/baselines (reporting and monitoring)
- Extended debugging features - Extended debugging features
@ -45,7 +49,7 @@
- License: GPL v3 - License: GPL v3
- Language: Shell script - Language: Shell script
- Author: Michael Boelen, CISOfy - Author: Michael Boelen, CISOfy
- Website: https://cisofy.com - Web site: https://cisofy.com
- Required permissions: root preferred, not needed - Required permissions: root preferred, not needed
- Other requirements: write access to /tmp - Other requirements: write access to /tmp
@ -90,8 +94,11 @@
------------------------------- -------------------------------
If you have input to improve Lynis, let us know via: If you have input to improve Lynis, let us know via:
- GitHub - https://github.com/CISOfy/lynis * GitHub - https://github.com/CISOfy/lynis
- E-mail - lynis-dev@cisofy.com * E-mail - lynis-dev@cisofy.com
Contributions are appreciated and can be done via GitHub. See CONTRIBUTIONS.md
for more information about how to submit them.
[+] Support [+] Support
@ -99,15 +106,11 @@
Lynis is tested on the most common operating systems. The documentation (README, Lynis is tested on the most common operating systems. The documentation (README,
FAQ) and the debugging information in the log file should cover most questions and FAQ) and the debugging information in the log file should cover most questions and
problems. Bugs can be reported by filling in the contact form at rootkit.nl, or by problems. Bugs can be reported via GitHub, or sending an e-mail to the lynis-dev
sending an e-mail. address above.
NOTE: User related questions should not be asked via the contact form. Read the Commercial support is available and provided by CISOfy. For more information use
documentation, the website resources and the log file for answers to common problems. the contact address on https://cisofy.com/contact/.
Commercial support is available under strict conditions and depends on the request.
For more information fill in the contact form and describe what kind of service is
requested.
@ -119,7 +122,7 @@
this tool we have a commercial version available. Lynis Enterprise Suite uses this tool we have a commercial version available. Lynis Enterprise Suite uses
Lynis to audit systems, but also provides malware scanning, intrusion detection Lynis to audit systems, but also provides malware scanning, intrusion detection
and has additional guidance. For all features, please see our website: and has additional guidance. For all features, please see our website:
http://cisofy.com/lynis-enterprise/ https://cisofy.com/lynis-enterprise/

View File

@ -3,22 +3,27 @@ lynis
Lynis - Security auditing and hardening tool, for Unix based systems Lynis - Security auditing and hardening tool, for Unix based systems
Lynis is an security auditing and hardening tool for Unix derivatives like Linux, BSD and Solaris. It performs Lynis is a security auditing for Unix derivatives like Linux, BSD, and Solaris. It performs an in-depth security scan on the system to detect software and security issues. Besides information related to security, it will also scan for general system information, vulnerable software packages, and possible configuration issues.
an in-depth security scan on the system to detect software and security issues. Besides information related to
security, it will also scan for general system information, installed packages, and possible configuration
issues.
We believe software should be simple, updated on a regular basis and open. You should be able to trust, understand, We believe software should be simple, updated on a regular basis and open. You should be able to trust, understand, and even alter the software. Many agree with us, as the software is being used by thousands every day to protect their systems.
and even alter the software. Many agree with us, as the software is being used by thousands every day to protect
their systems.
The software is aimed at assisting with automated auditing, configuration management, software patch management, Main goals:
penetration testing, vulnerability management, and malware scanning of Unix-based systems. - Security auditing (automated)
- Compliance testing (e.g. PCI-DSS, HIPAA)
- Vulnerability testing
The software aims to also assist with:
- Configuration management
- Software patch management
- System hardening
- Penetration testing
- Malware scanning
- Intrusion detection
License: License:
- GPLv3 - GPLv3
Main audience: Typical users of the software:
- System administrators - System administrators
- Auditors - Auditors
- Security officers - Security officers
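Review bot: the rewritten opening sentence lost a word: `Lynis is a security auditing for Unix derivatives like Linux, BSD, and Solaris.` needs `tool` after `auditing` (the spec file's %description in this commit has the full wording, though with `an security`). Also, with `Main goals:` and `The software aims to also assist with:` now split into two lists, `Penetration testing` and `Malware scanning` sit in the second list while the README hunk above still labels such items `(future) features`; make the first list what the tool does today and the second what is planned, consistently in both files.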
@ -27,25 +32,23 @@ Main audience:
## First run ## First run
Clone or download the project files. No compilation or installation is required. 1. Clone or download the project files. No compilation or installation is required.
2. Execute: `./lynis audit system`
Execute: ./lynis audit system
By default
If you want to run the software as root, we suggest to alter the ownership of the files.
If you want to run the software as root, we suggest altering the ownership of the files. Use chown -R and
chgrp -R to recursively alter the owner and group.
## Documentation ## Documentation
See for full documentation https://cisofy.com/documentation/lynis/ Full documentation: https://cisofy.com/documentation/lynis/
## Flexibility ## Flexibility
For people who want to expand tests, it is suggested to use the tests_custom file (template in include directory). If you want to create your own tests, use the 'tests_custom' file (template available in 'include' directory).
Plugins are another possibility to customize, although their main goal is collecting data. Plugins are another possibility to customize, although their main goal is collecting data.
## Enterprise options ## Enterprise version
This software component has additional options and support available for companies. If you want to perform more This software is also available as part of an enterprise suite. It includes additional functionality (plugins, centralized system, reporting, dashboard), and supports.
tests and centrally manage them, consider the purchase of a license.
## Support ## Contribute
Got an improvement to share? Create an issue in the tracker on GitHub or send us an e-mail: lynis-dev@cisofy.com Got an improvement? Create it as an issue in the tracker on GitHub or send us an e-mail: lynis-dev@cisofy.com
More details can be found at [Contributors Guide](https://github.com/CISOfy/lynis/blob/master/CONTRIBUTIONS.md)
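Review bot: two sentences were cut off in the rewrite of the First run and Enterprise sections. `By default` stands alone with nothing following it, and `It includes additional functionality (plugins, centralized system, reporting, dashboard), and supports.` ends mid-thought; complete both or remove the fragments. The ownership advice also lost its how-to: the old text named `chown -R` and `chgrp -R`, while the new `we suggest to alter the ownership of the files` gives no command. Keep the commands, since running a freshly cloned tree as root without fixing file ownership is exactly the situation this paragraph warns about.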

View File

@ -16,4 +16,3 @@ file:/etc/group:644:root:root:Linux:
file:/etc/gshadow:400:root:root:Linux: file:/etc/gshadow:400:root:root:Linux:
file:/etc/passwd:644:root:root:Linux: file:/etc/passwd:644:root:root:Linux:
file:/etc/shadow:400:root:root:Linux: file:/etc/shadow:400:root:root:Linux:

View File

@ -270,8 +270,8 @@ permdir:/root/.ssh:rwx------:root:-:WARN:
# #
################################################################################# #################################################################################
# Amount of connections in WAIT state before reporting it as a warning # Amount of connections in WAIT state before reporting it as a suggestion
#config:connections_max_wait_state:50: #config:connections_max_wait_state:5000:
# Skip security repository check for Debian based systems # Skip security repository check for Debian based systems
#config:debian_skip_security_repository:yes: #config:debian_skip_security_repository:yes:
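Review bot: the example threshold jumps from 50 to 5000 in `#config:connections_max_wait_state:5000:` while the finding is downgraded from warning to suggestion; the 2.1.2 CHANGELOG entry mentions the warning-to-suggestion change but not the new threshold. Note it there, and confirm the built-in default in the test that reads this option matches the commented value, otherwise the profile documents a default the code does not use.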
@ -308,6 +308,38 @@ permdir:/root/.ssh:rwx------:root:-:WARN:
#config:custom_url_prepend:https://your-domain.example.org/control-info/: #config:custom_url_prepend:https://your-domain.example.org/control-info/:
#config:custom_url_append:/: #config:custom_url_append:/:
#################################################################################
#
# Automatic Updating
# -------------------
#
# These settings are required when using the lynis update functionality.
# By specifying local paths and your update server, the tool can do an update
# check, compare versions and download a new version.
#
#################################################################################
# Local directory (without slash at end) where lynis directory will be installed
# Note: do not add full path to lynis, as subdirectory is part of tarball
#config:update_local_directory:/usr/local:
# Full path to local file. Change local path if Lynis is installed on a different place
#config:update_local_version_info:/usr/local/lynis/client-version:
# Download information
# -----------------------------
# Protocol to use: http, https
#config:update_server_protocol:http:
# Address of update server
#config:update_server_address:192.168.1.125:
# Path to last stable release
#config:update_latest_version_download:/files/lynis-latest.tar.gz:
# Last part of URL (file to gather)
#config:update_latest_version_info:/files/lynis-latest-version:
################################################################################# #################################################################################
# #
# Lynis Enterprise # Lynis Enterprise
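Review bot: the new update block documents `#config:update_server_protocol:http:` as the protocol and a bare address `#config:update_server_address:192.168.1.125:` as the server; over plain HTTP the version file and the tarball are fetched with no transport integrity, yet the CHANGELOG describes this feature as updating `from a trusted source`. Make `https` the documented value and add a comment stating how the downloaded tarball is verified (checksum or signature) before it replaces the tree under `update_local_directory`, since whatever performs the update runs as the auditing user, typically root.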
@ -322,7 +354,7 @@ permdir:/root/.ssh:rwx------:root:-:WARN:
# Provide options to cURL when uploading data. Common options include: # Provide options to cURL when uploading data. Common options include:
# -k or --insecure --> use HTTPS, but skip certificate check (e.g. self-signed) # -k or --insecure --> use HTTPS, but skip certificate check (e.g. self-signed)
# --proxy [http://]proxyserver:8080 --> use HTTP/HTTPS proxy # --proxy [http://]proxyserver:8080 --> use HTTP/HTTPS proxy
# --socks5 proxyserver:8080 --> use SOCKS proxy # --socks5 proxyserver:8080 --> use SOCKS proxy
#config:upload_options:-k: #config:upload_options:-k:
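Review bot: only whitespace changed on the `--socks5` line, but since this block is being touched: the shipped example `#config:upload_options:-k:` teaches disabling certificate verification as the first option to reach for. The 2.1.2 CHANGELOG item `Data uploads: provide help when self-signed certificates are used` is the place to point operators at cURL's `--cacert <file>` for a self-signed server certificate instead, keeping `-k` as a last resort with its risk spelled out in the comment.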

View File

@ -3,6 +3,8 @@
# Lynis spec file # Lynis spec file
# ----------------- # -----------------
# #
# This file helps to create your custom RPM package of Lynis.
#
# Usage: # Usage:
# - Adjust version number (Version:) # - Adjust version number (Version:)
# - Check if you have the directories in your home directory (or adjust topdir) # - Check if you have the directories in your home directory (or adjust topdir)
@ -12,9 +14,9 @@
# #
################################################################################# #################################################################################
# #
# (c) 2014 Michael Boelen # Copyright 2015 CISOfy
# #
# Website: http://cisofy.com/ # Documentation: https://cisofy.com/documentation/lynis/upgrading/
# #
################################################################################# #################################################################################
@ -27,30 +29,32 @@
Summary: Security and system auditing tool. Summary: Security and system auditing tool.
Name: lynis Name: lynis
Version: 1.6.2 Version: 2.1.1
Release: 1 Release: 1
License: GPL License: GPL
Group: Applications/System Group: Applications/System
Source: lynis-%{version}.tar.gz Source: lynis-%{version}.tar.gz
BuildRoot: /tmp/lynis-root BuildRoot: /tmp/lynis-root
URL: http://cisofy.com/ URL: https://cisofy.com/
Vendor: CISOfy / Michael Boelen Vendor: CISOfy
Packager: Michael Boelen <michael@rootkit.nl> Packager: Michael Boelen <michael.boelen@cisofy.com>
BuildArch: noarch BuildArch: noarch
%description %description
Lynis is a security tool to audit and harden Unix/Linux based systems. It scans a Lynis is an security auditing and hardening tool for Unix derivatives like Linux, BSD
system and provides the user with suggestion and warnings regarding taken security and Solaris. It performs an in-depth security scan on the system to detect software
measures. Examples include: and security issues. Besides information related to security, it will also scan for
- Security enhancements general system information, installed packages, and possible
- Logging and auditing options configuration issues.
- Banner identification
- Software availability This software is aimed at assisting with automated auditing, configuration management,
- Missing security patches software patch management, penetration testing, vulnerability management, and malware
scanning of Unix-based systems.
Lynis is released as a GPLv3 licensed project and free for everyone to use. Lynis is released as a GPLv3 licensed project and free for everyone to use.
Commercial support and extensions are available.
See http://cisofy.com for a full description and documentation. See https://cisofy.com for a full description and documentation.
%prep %prep
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf "$RPM_BUILD_ROOT" [ "$RPM_BUILD_ROOT" != "/" ] && rm -rf "$RPM_BUILD_ROOT"
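Review bot: `Version: 2.1.1` does not match the CHANGELOG in this same commit, whose top entry is `= Lynis 2.1.2 =`; bump both together or leave the spec at the last released version consistently. The new %description also copies the `Lynis is an security auditing and hardening tool` typo (should be `a security`), and `License: GPL` could read `GPLv3` to match the README, README.md and CONTRIBUTIONS.md.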
@ -84,11 +88,6 @@ install plugins/* ${RPM_BUILD_ROOT}%{_pluginsdir}
install -d ${RPM_BUILD_ROOT}%{_dbdir} install -d ${RPM_BUILD_ROOT}%{_dbdir}
install db/* ${RPM_BUILD_ROOT}%{_dbdir} install db/* ${RPM_BUILD_ROOT}%{_dbdir}
# Patch default paths (not required for 1.1.2+)
#sed -i -e 's#INCLUDEDIR="include"#INCLUDEDIR="%{_includedir}"#g' ${RPM_BUILD_ROOT}/usr/bin/lynis
#sed -i -e 's#PROFILE="default.prf"#PROFILE="/etc/lynis/default.prf"#g' ${RPM_BUILD_ROOT}/usr/bin/lynis
%clean %clean
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf "$RPM_BUILD_ROOT" [ "$RPM_BUILD_ROOT" != "/" ] && rm -rf "$RPM_BUILD_ROOT"
@ -111,6 +110,9 @@ install db/* ${RPM_BUILD_ROOT}%{_dbdir}
#%attr(644, root, root) %{_plugindir}/* #%attr(644, root, root) %{_plugindir}/*
%changelog %changelog
* Wed May 13 2015 Michael Boelen - 1.1.9-1
- Changed website address, version bump
* Sun Sep 14 2014 Michael Boelen - 1.1.8-1 * Sun Sep 14 2014 Michael Boelen - 1.1.8-1
- Changed permissions with regards of pentest option - Changed permissions with regards of pentest option
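Review bot: the added %changelog entry `* Wed May 13 2015 Michael Boelen - 1.1.9-1` records a version lower than the previous `Version: 1.6.2` and unrelated to the new `Version: 2.1.1`. Add an entry for 2.1.1-1 describing the actual changes in this hunk set (version bump, new vendor, packager address and URL), so the %changelog and the Version tag agree.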

View File

@ -14,7 +14,8 @@
# #
################################################################################# #################################################################################
# #
# Check which tools are installed # * Check which binaries and tools are installed
# * With the results a customized scan can be performed for every single system.
# #
################################################################################# #################################################################################
# #
@ -25,23 +26,18 @@
################################################################################# #################################################################################
# #
if [ ${CHECK_BINARIES} -eq 1 ]; then if [ ${CHECK_BINARIES} -eq 1 ]; then
InsertSection "System Tools" InsertSection "System Tools"
# Display --indent 2 --text "- Scanning available tools..."
################################################################################# logtext "Start scanning for available audit binaries and tools..."
#
Display --indent 2 --text "- Scanning available tools..." # Test : FILE-7502
logtext "Start scanning for available audit binaries and tools..." # Description : Check all system binaries
# Notes : Always perform test, dependency for many other tests
# Test : FILE-7502 Register --test-no FILE-7502 --weight L --network NO --description "Check all system binaries"
# Description : Check all system binaries
# Notes : Always perform test, dependency for many other tests
Register --test-no FILE-7502 --weight L --network NO --description "Check all system binaries"
#if [ ${SKIPTEST} -eq 0 ]; then
BINARY_PATHS_FOUND=""; N=0 BINARY_PATHS_FOUND=""; N=0
Display --indent 2 --text "- Checking system binaries..." Display --indent 2 --text "- Checking system binaries..."
logtext "Status: Starting binary scan..." logtext "Status: Starting binary scan..."
for SCANDIR in ${BINPATHS}; do for SCANDIR in ${BIN_PATHS}; do
logtext "Test: Check if directory exists" logtext "Test: Check if directory exists"
ORGPATH="" ORGPATH=""
if [ -d ${SCANDIR} ]; then if [ -d ${SCANDIR} ]; then
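Review bot: the rename of BINPATHS to BIN_PATHS in `for SCANDIR in ${BIN_PATHS}; do` silently turns into an empty loop if any other include still defines or reads the old name, because sh expands an unset variable to nothing and FILE-7502 would then report zero binaries without any error. Grep the tree for remaining BINPATHS references and consider logging a warning when BIN_PATHS is empty before entering the loop. Dropping the commented `#if [ ${SKIPTEST} -eq 0 ]; then` matches the "Always perform test" note above the Register call, so that part is fine.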
@ -78,7 +74,6 @@
N=`expr ${N} + 1` N=`expr ${N} + 1`
BINARY="${SCANDIR}/${I}" BINARY="${SCANDIR}/${I}"
DISCOVERED_BINARIES="${DISCOVERED_BINARIES}${BINARY} " DISCOVERED_BINARIES="${DISCOVERED_BINARIES}${BINARY} "
logtext "Binary: ${BINARY}"
# Optimized, much quicker (limited file access needed) # Optimized, much quicker (limited file access needed)
case ${I} in case ${I} in
aa-status) APPARMORFOUND=1; AASTATUSBINARY=${BINARY}; logtext " Found known binary: aa-status (apparmor component) - ${BINARY}" ;; aa-status) APPARMORFOUND=1; AASTATUSBINARY=${BINARY}; logtext " Found known binary: aa-status (apparmor component) - ${BINARY}" ;;
@ -98,8 +93,11 @@
comm) COMMBINARY="${BINARY}"; logtext " Found known binary: comm (file compare) - ${BINARY}" ;; comm) COMMBINARY="${BINARY}"; logtext " Found known binary: comm (file compare) - ${BINARY}" ;;
csum) CSUMFOUND=1; CSUMBINARY="${BINARY}"; logtext " Found known binary: csum (hashing tool on AIX) - ${BINARY}" ;; csum) CSUMFOUND=1; CSUMBINARY="${BINARY}"; logtext " Found known binary: csum (hashing tool on AIX) - ${BINARY}" ;;
curl) CURLFOUND=1; CURLBINARY="${BINARY}"; logtext " Found known binary: curl (browser) - ${BINARY}" ;; curl) CURLFOUND=1; CURLBINARY="${BINARY}"; logtext " Found known binary: curl (browser) - ${BINARY}" ;;
debsecan) DEBSECANBINARY="${BINARY}"; logtext " Found known binary: debsecan (package vulnerability checking) - ${BINARY}" ;;
debsums) DEBSUMSBINARY="${BINARY}"; logtext " Found known binary: debsums (package integrity checking) - ${BINARY}" ;;
dig) if [ -f ${BINARY} ]; then DIGFOUND=1; DIGBINARY=${BINARY}; logtext " Found known binary: dig (network/dns tool) - ${BINARY}"; fi ;; dig) if [ -f ${BINARY} ]; then DIGFOUND=1; DIGBINARY=${BINARY}; logtext " Found known binary: dig (network/dns tool) - ${BINARY}"; fi ;;
dnsdomainname) DNSDOMAINNAMEFOUND=1; DNSDOMAINNAMEBINARY="${BINARY}"; logtext " Found known binary: dnsdomainname (DNS domain) - ${BINARY}" ;; dnsdomainname) DNSDOMAINNAMEFOUND=1; DNSDOMAINNAMEBINARY="${BINARY}"; logtext " Found known binary: dnsdomainname (DNS domain) - ${BINARY}" ;;
docker) if [ -f ${BINARY} ]; then DOCKERBINARY="${BINARY}"; logtext " Found known binary: docker (container technology) - ${BINARY}"; fi ;;
domainname) DOMAINNAMEFOUND=1; DOMAINNAMEBINARY="${BINARY}"; logtext " Found known binary: domainname (NIS domain) - ${BINARY}" ;; domainname) DOMAINNAMEFOUND=1; DOMAINNAMEBINARY="${BINARY}"; logtext " Found known binary: domainname (NIS domain) - ${BINARY}" ;;
dpkg) DPKGBINARY="${BINARY}"; logtext " Found known binary: dpkg (package management) - ${BINARY}" ;; dpkg) DPKGBINARY="${BINARY}"; logtext " Found known binary: dpkg (package management) - ${BINARY}" ;;
egrep) EGREPFOUND=1; EGREPBINARY=${BINARY}; logtext " Found known binary: egrep (text search) - ${BINARY}" ;; egrep) EGREPFOUND=1; EGREPBINARY=${BINARY}; logtext " Found known binary: egrep (text search) - ${BINARY}" ;;
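Review bot: the new debsecan, debsums and docker entries set only a *BINARY variable, while the neighbouring entries also set a *FOUND flag (CSUMFOUND, CURLFOUND, DNSDOMAINNAMEFOUND); any test that follows the existing convention of checking `${XFOUND} -eq 1` will not see these tools. The `docker)` case is also guarded by `if [ -f ${BINARY} ]` like `dig)` while the other two new entries are not; either document why or drop the guard for consistency. Finding the docker client does not mean the daemon is running, so whichever test sets DOCKER_DAEMON_RUNNING should not rely on DOCKERBINARY alone.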
@ -145,7 +143,7 @@
openssl) OPENSSLFOUND=1; OPENSSLBINARY="${BINARY}"; OPENSSLVERSION=`${BINARY} version 2> /dev/null | head -n 1 | awk '{ print $2 }' | xargs`; logtext "Found ${BINARY} (version ${OPENSSLVERSION})" ;; openssl) OPENSSLFOUND=1; OPENSSLBINARY="${BINARY}"; OPENSSLVERSION=`${BINARY} version 2> /dev/null | head -n 1 | awk '{ print $2 }' | xargs`; logtext "Found ${BINARY} (version ${OPENSSLVERSION})" ;;
pacman) PACMANFOUND=1; PACMANBINARY="${BINARY}"; logtext " Found known binary: pacman (package manager) - ${BINARY}" ;; pacman) PACMANFOUND=1; PACMANBINARY="${BINARY}"; logtext " Found known binary: pacman (package manager) - ${BINARY}" ;;
perl) PERLFOUND=1; PERLBINARY="${BINARY}"; PERLVERSION=`${BINARY} -V:version | sed 's/^version=//' | sed 's/;//' | xargs`; logtext "Found ${BINARY} (version ${PERLVERSION})" ;; perl) PERLFOUND=1; PERLBINARY="${BINARY}"; PERLVERSION=`${BINARY} -V:version | sed 's/^version=//' | sed 's/;//' | xargs`; logtext "Found ${BINARY} (version ${PERLVERSION})" ;;
php) PHPFOUND=1; PHPBINARY="${BINARY}"; PHPVERSION=`${BINARY} -v | awk '{ if ($1=="PHP") { print $2 }}' | head -1`; logtext "Found known binary: php (programming language) - ${BINARY} (version ${PHPVERSION})" ;; php) PHPFOUND=1; PHPBINARY="${BINARY}"; PHPVERSION=`${BINARY} -v | awk '{ if ($1=="PHP") { print $2 }}' | head -1`; logtext "Found known binary: php (programming language intrepreter) - ${BINARY} (version ${PHPVERSION})" ;;
pkg_admin) PKGADMINBINARY="${BINARY}"; logtext " Found known binary: pkg_admin (software package administration) - ${BINARY}" ;; pkg_admin) PKGADMINBINARY="${BINARY}"; logtext " Found known binary: pkg_admin (software package administration) - ${BINARY}" ;;
postconf) POSTCONFFOUND=1; POSTCONFBINARY="${BINARY}"; logtext " Found known binary: postconf (postfix configuration) - ${BINARY}" ;; postconf) POSTCONFFOUND=1; POSTCONFBINARY="${BINARY}"; logtext " Found known binary: postconf (postfix configuration) - ${BINARY}" ;;
postfix) POSTFIXFOUND=1; POSTFIXBINARY="${BINARY}"; logtext " Found known binary: postfix (postfix binary) - ${BINARY}" ;; postfix) POSTFIXFOUND=1; POSTFIXBINARY="${BINARY}"; logtext " Found known binary: postfix (postfix binary) - ${BINARY}" ;;
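Review bot: typo in the changed php log string: `programming language intrepreter` should read `interpreter`.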
@ -154,6 +152,7 @@
ps) PSFOUND=1; PSBINARY="${BINARY}"; logtext " Found known binary: ps (process listing) - ${BINARY}" ;; ps) PSFOUND=1; PSBINARY="${BINARY}"; logtext " Found known binary: ps (process listing) - ${BINARY}" ;;
puppet) PUPPETFOUND=1; PUPPETBINARY="${BINARY}"; logtext " Found known binary: puppet (automation tooling) - ${BINARY}" ;; puppet) PUPPETFOUND=1; PUPPETBINARY="${BINARY}"; logtext " Found known binary: puppet (automation tooling) - ${BINARY}" ;;
puppetmasterd) PUPPETMASTERDFOUND=1; PUPPETMASTERDBINARY="${BINARY}"; logtext " Found known binary: puppetmasterd (puppet master daemon) - ${BINARY}" ;; puppetmasterd) PUPPETMASTERDFOUND=1; PUPPETMASTERDBINARY="${BINARY}"; logtext " Found known binary: puppetmasterd (puppet master daemon) - ${BINARY}" ;;
python) PYTHONBINARY="${BINARY}"; logtext " Found known binary: python (programming language intepreter) - ${BINARY}" ;;
readlink) READLINKFOUND=1; READLINKBINARY="${BINARY}"; logtext " Found known binary: readlink (follows symlinks) - ${BINARY}" ;; readlink) READLINKFOUND=1; READLINKBINARY="${BINARY}"; logtext " Found known binary: readlink (follows symlinks) - ${BINARY}" ;;
rkhunter) RKHUNTERFOUND=1; RKHUNTERBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; logtext " Found known binary: rkhunter (malware scanner) - ${BINARY}" ;; rkhunter) RKHUNTERFOUND=1; RKHUNTERBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; logtext " Found known binary: rkhunter (malware scanner) - ${BINARY}" ;;
rootsh) ROOTSHFOUND=1; ROOTSHBINARY="${BINARY}"; logtext " Found known binary: rootsh (wrapper for shells) - ${BINARY}" ;; rootsh) ROOTSHFOUND=1; ROOTSHBINARY="${BINARY}"; logtext " Found known binary: rootsh (wrapper for shells) - ${BINARY}" ;;
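Review bot: typo in the added python line: `programming language intepreter` should read `interpreter`. Unlike the php entry in the previous hunk, no PYTHONFOUND flag or version string is recorded; if that is intentional, a short comment explaining the asymmetry would help the next reader.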
@ -204,13 +203,11 @@
logtext "Discovered directories: ${BINARY_PATHS_FOUND}" logtext "Discovered directories: ${BINARY_PATHS_FOUND}"
report "binary_paths=${BINARY_PATHS_FOUND}" report "binary_paths=${BINARY_PATHS_FOUND}"
BINARY_SCAN_FINISHED=1 BINARY_SCAN_FINISHED=1
#fi logtext "Result: found ${N} binaries"
report "binaries_count=${N}"
logtext "Result: found ${N} binaries"
report "binaries_count=${N}"
else else
logtext "Result: checking binaries skipped in this mode" logtext "Result: checking of binaries skipped in this mode"
fi fi
# #

View File

@ -18,42 +18,19 @@
################################################################################# #################################################################################
# #
# Program information
# Paths where system and program binaries are located # Paths where system and program binaries are located
# Includes Sun Solaris dirs BIN_PATHS="/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin \
BINPATHS="/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin \
/usr/local/libexec /usr/libexec /usr/sfw/bin /usr/sfw/sbin \ /usr/local/libexec /usr/libexec /usr/sfw/bin /usr/sfw/sbin \
/usr/sfw/libexec /opt/sfw/bin /opt/sfw/sbin /opt/sfw/libexec \ /usr/sfw/libexec /opt/sfw/bin /opt/sfw/sbin /opt/sfw/libexec \
/usr/xpg4/bin /usr/css/bin /usr/ucb /usr/X11R6/bin /usr/X11R7/bin \ /usr/xpg4/bin /usr/css/bin /usr/ucb /usr/X11R6/bin /usr/X11R7/bin \
/usr/pkg/bin /usr/pkg/sbin" /usr/pkg/bin /usr/pkg/sbin"
ETC_PATHS="/etc /usr/local/etc"
# Do not use specific language, fall back to default # Do not use specific language, fall back to default
# Some tools with translated strings are very hard to parse
unset LANG unset LANG
#
#################################################################################
#
# Deprecated
#
#################################################################################
#
HOME_HISTORY_AUDIT_TITLE="Incorrect history file types"
HOME_HISTORY_AUDIT_DESCRIPTION=""
HOME_HISTORY_LOG_TITLE="History files type check"
HOME_HISTORY_LOG_DESCRIPTION="History files type check"
HOME_HISTORY_LOG_TEXT="History files are normally of the type 'file'. Symbolic links and other types can be riskful"
HOME_PATH_LOG_MESSAGE="A single dot in the PATH variable of a user can be a risk, while executing commands in for example a home directory."
USER_PASSWD_DOUBLEUID_AUDIT_TITLE="Non unique UIDs"
USER_PASSWD_DOUBLEUID_AUDIT_DESCRIPTION="Non unique UIDs in passwd file"
USER_PASSWD_DOUBLEUID_AUDIT_TEXT="Non unique UIDs can riskful for the system or part of a configuration mistake"
KERNEL_ACTIVE_MODULES_TITLE="Active kernel modules (KLDs)"
KERNEL_ACTIVE_MODULES_DESCRIPTION="View all active kernel modules (including kernel)"
KERNEL_ACTIVE_MODULES_TEXT="Displays the loaded kernel modules in memory. Make sure to check the integrity of the kld tools."
# #
################################################################################# #################################################################################
# #
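Review bot: `unset LANG` alone does not deliver what the new comment promises, because LC_ALL and LC_MESSAGES take precedence over LANG when they are set in the environment; a user running with LC_ALL set to a non-English locale still gets translated output that the awk and grep parsers in the tests will miss. Suggest `unset LC_ALL LC_MESSAGES` alongside, or exporting LC_ALL=C. Two smaller points: ETC_PATHS is introduced here but nothing in this diff reads it yet, and the removed "Includes Sun Solaris dirs" comment was the only explanation for why /usr/sfw and /opt/sfw appear in BIN_PATHS, so keep a one-line reason.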
@ -64,6 +41,7 @@ unset LANG
# == Variable initializing == # == Variable initializing ==
# #
AUDITORNAME="" AUDITORNAME=""
AUTH_FAILED_LOGINS_LOGGED=0
PROFILE="" PROFILE=""
REPORTFILE="" REPORTFILE=""
AFICKBINARY="" AFICKBINARY=""
@ -77,6 +55,7 @@ unset LANG
CONTROL_URL_PREPEND="" CONTROL_URL_PREPEND=""
CUSTOM_URL_APPEND="" CUSTOM_URL_APPEND=""
CUSTOM_URL_PREPEND="" CUSTOM_URL_PREPEND=""
DOCKER_DAEMON_RUNNING=0
FILEVALUE="" FILEVALUE=""
FIND="" FIND=""
FIREWALL_ACTIVE=0 FIREWALL_ACTIVE=0
@ -93,6 +72,7 @@ unset LANG
LYNIS_COMPLIANCE_TESTS=0 LYNIS_COMPLIANCE_TESTS=0
MACHINEID="" MACHINEID=""
MALWARE_SCANNER_INSTALLED=0 MALWARE_SCANNER_INSTALLED=0
NAME_CACHE_USED=0
NGINX_ACCESS_LOG_DISABLED=0 NGINX_ACCESS_LOG_DISABLED=0
NGINX_ACCESS_LOG_MISSING=0 NGINX_ACCESS_LOG_MISSING=0
NGINX_ALIAS_FOUND=0 NGINX_ALIAS_FOUND=0
@ -129,6 +109,7 @@ unset LANG
SCAN_TEST_HEAVY=""; SCAN_TEST_MEDIUM=""; SCAN_TEST_LOW="" SCAN_TEST_HEAVY=""; SCAN_TEST_MEDIUM=""; SCAN_TEST_LOW=""
SESTATUSBINARY="" SESTATUSBINARY=""
SERVICE_MANAGER="" SERVICE_MANAGER=""
SHOW_PROGRAM_DETAILS=1
SHOW_REPORT=1 SHOW_REPORT=1
SKIPPED_TESTS_ROOTONLY="" SKIPPED_TESTS_ROOTONLY=""
SSHKEYSCANBINARY="" SSHKEYSCANBINARY=""
@ -137,37 +118,42 @@ unset LANG
TEST_SKIP_ALWAYS="" TEST_SKIP_ALWAYS=""
TESTS_EXECUTED="" TESTS_EXECUTED=""
TESTS_SKIPPED="" TESTS_SKIPPED=""
TOTAL_SUGGESTIONS=0
TOTAL_WARNINGS=0
TRIPWIREBINARY="" TRIPWIREBINARY=""
UEFI_BOOTED=0
UEFI_BOOTED_SECURE=0
UNBOUND_RUNNING=0
UPLOAD_OPTIONS="" UPLOAD_OPTIONS=""
UPDATE_CHECK_SKIPPED=0 UPDATE_CHECK_SKIPPED=0
VALUE="" VALUE=""
VMTYPE=""
# #
################################################################################# #################################################################################
# #
# == Options == # * Options
# #
# Option Description #################################################################################
# -------------------------------------------------------------------------- #
CRONJOB=0 # Run as a cronjob CRONJOB=0 # Run as a cronjob
CTESTS_PERFORMED=0 # Number of tests which are performed CTESTS_PERFORMED=0 # Number of tests which are performed
DEBUG=0 # Debugging mode (to screen) DEBUG=0 # Debugging mode (to screen)
HPPOINTS=0 # Number of hardening points HPPOINTS=0 # Number of hardening points
HPTOTAL=0 # Maximum number of hardening points HPTOTAL=0 # Maximum number of hardening points
LOG_INCORRECT_OS=1 # Log tests with incorrect OS LOG_INCORRECT_OS=1 # Log tests with incorrect OS
NEVERBREAK=0 # Don't wait for user input NEVERBREAK=0 # Don't wait for user input
PENTESTINGMODE=0 # Try tests without root privileges PENTESTINGMODE=0 # Try tests without root privileges
QUICKMODE=0 # Don't wait for user input QUICKMODE=0 # Don't wait for user input
QUIET=0 # Show normal messages and warnings as well QUIET=0 # Show normal messages and warnings as well
SHOW_TOOL_TIPS=1 # Show inline tool tips (default true) SHOW_TOOL_TIPS=1 # Show inline tool tips (default true)
SKIPLOGTEST=0 # Skip logging for one test SKIPLOGTEST=0 # Skip logging for one test
SKIP_UPGRADE_TEST=0 # Skip upgrade test SKIP_UPGRADE_TEST=0 # Skip upgrade test
TESTS_TO_PERFORM="" # Which tests only to perform TESTS_TO_PERFORM="" # Which tests only to perform
TEST_PAUSE_TIME=0 # Default pause time TEST_PAUSE_TIME=0 # Default pause time
TOTAL_TESTS=0 # Total amount of tests (counter) TOTAL_TESTS=0 # Total amount of tests (counter)
UPLOAD_DATA=0 # Upload of data to central node UPLOAD_DATA=0 # Upload of data to central node
VIEWHELP=0 # Show help VIEWHELP=0 # Show help
VIEWUPDATEINFO=0 # View program/database version WRONGOPTION=0 # A wrong option is used
WRONGOPTION=0 # A wrong option is used
# #
################################################################################# #################################################################################
# #
@ -176,24 +162,24 @@ unset LANG
# #
################################################################################# #################################################################################
# #
# Colors # * Colors
#
# For improved display
# #
################################################################################# #################################################################################
# #
# Color name Description
# --------------------------------------------------------------------------
NORMAL="" NORMAL=""
WARNING="" # Bad (red) WARNING="" # Bad (red)
SECTION="" # Section (yellow) SECTION="" # Section (yellow)
NOTICE="" # Notice (yellow) NOTICE="" # Notice (yellow)
OK="" # Ok (green) OK="" # Ok (green)
BAD="" # Bad (red) BAD="" # Bad (red)
# Real color names # Normal color names
YELLOW="" # Yellow YELLOW=""
WHITE="" # White WHITE=""
GREEN="" # Green GREEN=""
RED="" # Red RED=""
PURPLE="" PURPLE=""
MAGENTA="" MAGENTA=""
BROWN="" BROWN=""
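Review bot: `VIEWUPDATEINFO=0` is dropped from the options block; if the option parser or the update-info display still references it, the unset variable expands to empty and a test such as `[ ${VIEWUPDATEINFO} -eq 1 ]` fails at runtime with "unary operator expected" under sh. Confirm that every read of it was removed as well. The new `VMTYPE=""` default is later overwritten to `unknown` in IsVirtualMachine, so the two defaults disagree about what "not yet determined" looks like to a report consumer; pick one.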

View File

@ -90,7 +90,21 @@ output "Settings file: ${SETTINGS_FILE}"
if [ -f ${REPORTFILE} ]; then if [ -f ${REPORTFILE} ]; then
output "${WHITE}Report file found.${NORMAL} Starting with connectivity check.." output "${WHITE}Report file found.${NORMAL} Starting with connectivity check.."
# Quit if license is not valid, to reduce load on both client and server. # Quit if license is not valid, to reduce load on both client and server.
UPLOAD=`${CURLBINARY} ${CURL_OPTIONS} -s -S --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "collector_version=${PROGRAM_VERSION}" ${LICENSE_SERVER_URL}` UPLOAD=`${CURLBINARY} ${CURL_OPTIONS} -s -S --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "collector_version=${PROGRAM_VERSION}" ${LICENSE_SERVER_URL} 2> /dev/null`
EXITCODE=$?
if [ ${EXITCODE} -gt 0 ]; then
if [ ${EXITCODE} -eq 60 ]; then
echo "${RED}Self-signed certificate used on Lynis Enterprise node${NORMAL}"
echo "If you want to accept a self-signed certificate, use the -k option in the profile."
echo "Example: ${WHITE}config:upload_options:-k:${NORMAL}"
logtext "Result: found self-signed certificate, however cURL -k option not used."
else
output "${RED}Error: ${NORMAL}cURL exited with code ${EXITCODE}"
logtext "Result: cURL exited with code ${EXITCODE}"
fi
logtext "Result: quitting, can't check license"
ExitFatal
fi
UPLOAD_CODE=`echo ${UPLOAD} | head -n 1 | awk '{ if ($1=="Response") { print $2 }}'` UPLOAD_CODE=`echo ${UPLOAD} | head -n 1 | awk '{ if ($1=="Response") { print $2 }}'`
if [ "${UPLOAD_CODE}" = "100" ]; then if [ "${UPLOAD_CODE}" = "100" ]; then
output "${WHITE}License is valid${NORMAL}" output "${WHITE}License is valid${NORMAL}"
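Review bot: the exit-code-60 branch tells the user to put `-k` in the profile, which disables certificate verification for every upload of the report data and license key, not only for a self-signed node; curl returns 60 for any peer certificate that fails CA verification (unknown CA, broken chain, or a host interposed on the path). Recommend that the message point first to `--cacert` with the node's certificate, or installing the node's CA, and describe `-k` as a last resort, and that the wording say "certificate could not be verified" rather than asserting it is self-signed. Also, `2> /dev/null` throws away the diagnostic that `-S` was added to produce; capture stderr into a variable and pass it to logtext so "cURL exited with code N" is actionable.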
@ -110,7 +124,7 @@ output "Settings file: ${SETTINGS_FILE}"
echo "Key: ${LICENSE_KEY}" echo "Key: ${LICENSE_KEY}"
output "Debug information: ${UPLOAD}" output "Debug information: ${UPLOAD}"
# Quit # Quit
ExitClean ExitFatal
fi fi
# Extract the hostid from the parse file # Extract the hostid from the parse file
HOSTID=`cat ${REPORTFILE} | grep "^hostid=" | awk -F= '{ print $2 }'` HOSTID=`cat ${REPORTFILE} | grep "^hostid=" | awk -F= '{ print $2 }'`
@ -119,23 +133,27 @@ output "Settings file: ${SETTINGS_FILE}"
# Try to connect # Try to connect
output "Uploading data.." output "Uploading data.."
logtext "Command used: ${CURLBINARY} ${CURL_OPTIONS} -s -S --data-urlencode \"data@${REPORTFILE}\" --data-urlencode \"licensekey=${LICENSE_KEY}\" --data-urlencode \"hostid=${HOSTID}\" ${UPLOAD_URL}" logtext "Command used: ${CURLBINARY} ${CURL_OPTIONS} -s -S --data-urlencode \"data@${REPORTFILE}\" --data-urlencode \"licensekey=${LICENSE_KEY}\" --data-urlencode \"hostid=${HOSTID}\" ${UPLOAD_URL}"
UPLOAD=`${CURLBINARY} ${CURL_OPTIONS} -s -S --data-urlencode "data@${REPORTFILE}" --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "hostid=${HOSTID}" ${UPLOAD_URL}` UPLOAD=`${CURLBINARY} ${CURL_OPTIONS} -s -S --data-urlencode "data@${REPORTFILE}" --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "hostid=${HOSTID}" ${UPLOAD_URL} 2> /dev/null`
if [ $? -gt 0 ]; then EXITCODE=$?
if [ ${EXITCODE} -gt 0 ]; then
#UPLOAD_CODE=`echo ${UPLOAD} | head -n 1 | awk '{ print $2 }'` #UPLOAD_CODE=`echo ${UPLOAD} | head -n 1 | awk '{ print $2 }'`
#output "Output code from upload: ${UPLOAD_CODE}" #output "Output code from upload: ${UPLOAD_CODE}"
output "${RED}Error occurred, please check documentation for code ${UPLOAD_CODE}.${NORMAL}" echo "${RED}Error: ${NORMAL}Error occurred, cURL ended during the upload of the report data."
output "Debug:" echo "Related exit code: ${EXITCODE}"
output ${UPLOAD} echo "Check the last section of the log file for the exact command used, for further troubleshooting"
echo "Debug:"
echo ${UPLOAD}
# Quit # Quit
ExitClean ExitClean
fi fi
else else
echo "${RED}Fatal error${NORMAL}: No hostid found in report file. Can not upload report file." echo "${RED}Error${NORMAL}: No hostid found in report file. Can not upload report file."
# Quit # Quit
ExitClean ExitFatal
fi fi
else else
output "${YELLOW}No report file found to upload.${NORMAL}" output "${YELLOW}No report file found to upload.${NORMAL}"
ExitFatal
fi fi
# #
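Review bot: the upload-failure branch still ends with `ExitClean` (exit code 0) while the other error paths in this file were changed to `ExitFatal`; a cron job or wrapper checking the exit status would treat a failed upload as success. Use ExitFatal (or ExitCustom with a distinct code) here too. Also `echo ${UPLOAD}` prints the server response unquoted, so it is subject to word splitting and glob expansion; write `echo "${UPLOAD}"`. Removing the `${UPLOAD_CODE}` reference from the old message is correct, since that variable was never set on this path.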

View File

@ -5,8 +5,8 @@
# Lynis # Lynis
# ------------------ # ------------------
# #
# Copyright 2007-2015 - Michael Boelen, CISOfy (michael.boelen@cisofy.com) # Copyright 2007-2015, Michael Boelen - CISOfy (michael.boelen@cisofy.com)
# https://cisofy.com # Website: https://cisofy.com
# #
# This software is licensed under GPL, version 3. See LICENSE file for # This software is licensed under GPL, version 3. See LICENSE file for
# usage of this software. # usage of this software.
@ -20,14 +20,16 @@
# Function Description # Function Description
# ----------------------- ------------------------------------------------- # ----------------------- -------------------------------------------------
# AddHP Add Hardening points to plot a graph later # AddHP Add Hardening points to plot a graph later
# AddSystemGroup Adds a system to a group
# CheckFilePermissions Check file permissions # CheckFilePermissions Check file permissions
# CheckUpdates Determine if a new version of Lynis is available # CheckUpdates Determine if a new version of Lynis is available
# counttests Count number of performed tests # counttests Count number of performed tests
# Debug Display additional information on the screen (not suited for cronjob) # Debug Display additional information on the screen (not suited for cronjob)
# DirectoryExists Check if a directory exists on the disk # DirectoryExists Check if a directory exists on the disk
# Display Output text to screen with colors and identation # Display Output text to screen with colors and identation
# ExitClean Stop the program (cleanly) # ExitClean Stop the program (cleanly), with exit code 0
# ExitFatal Stop the program (cleanly), with fatal # ExitCustom Stop the program (cleanly), with custom exit code
# ExitFatal Stop the program (cleanly), with exit code 1
# FileExists Check if a file exists on the disk # FileExists Check if a file exists on the disk
# FileIsEmpty Check if a file is empty # FileIsEmpty Check if a file is empty
# FileIsReadable Check if a file is readable or directory accessible # FileIsReadable Check if a file is readable or directory accessible
@ -50,6 +52,7 @@
# ShowSymlinkPath Show a path behind a symlink # ShowSymlinkPath Show a path behind a symlink
# ViewCategories Display tests categories # ViewCategories Display tests categories
# logtext Log text strings to logfile, prefixed with date/time # logtext Log text strings to logfile, prefixed with date/time
# report Add string of data to report file
# #
################################################################################# #################################################################################
@ -62,6 +65,19 @@
logtext "Hardening: assigned ${HPADD} hardening points (max for this item: ${HPADDMAX}), current: ${HPPOINTS}, total: ${HPTOTAL}" logtext "Hardening: assigned ${HPADD} hardening points (max for this item: ${HPADDMAX}), current: ${HPPOINTS}, total: ${HPTOTAL}"
} }
################################################################################
# Name : AddSystemGroup
# Description : Adds a system to a group, which can be used for categorizing
# Returns : <nothing>
################################################################################
AddSystemGroup()
{
report "system_group[]=$1"
}
# Check file permissions # Check file permissions
# Parameter 1 is file/dir # Parameter 1 is file/dir
# Result: FILE_NOT_FOUND | OK | BAD # Result: FILE_NOT_FOUND | OK | BAD
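Review bot: AddSystemGroup writes `system_group[]=$1` without checking that an argument was supplied, so a call with no parameter appends an empty group entry to the report; add a `[ $# -eq 1 ]` guard and log a warning otherwise. Since report fields elsewhere use `|` as a separator, consider also rejecting or sanitizing group names that contain `|` or a newline, so a malformed value cannot break whatever parses the report file.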
@ -117,7 +133,6 @@
# Check updates # Check updates
CheckUpdates() CheckUpdates()
{ {
# Possible improvement: determine if host binary exists YYY
PROGRAM_LV="0000000000"; DB_MALWARE_LV="0000000000"; DB_FILEPERMS_LV="0000000000" PROGRAM_LV="0000000000"; DB_MALWARE_LV="0000000000"; DB_FILEPERMS_LV="0000000000"
LYNIS_LV_RECORD="lynis-latest-version.cisofy.com." LYNIS_LV_RECORD="lynis-latest-version.cisofy.com."
FIND=`which dig 2> /dev/null` FIND=`which dig 2> /dev/null`
@ -236,6 +251,18 @@
exit 0 exit 0
} }
# Clean exit with custom code
ExitCustom()
{
RemovePIDFile
# Exit with the exit code given, otherwise use 1
if [ $# -eq 1 ]; then
exit $1
else
exit 1
fi
}
# Clean exit (removing temp files, PID files), with error code 1 # Clean exit (removing temp files, PID files), with error code 1
ExitFatal() ExitFatal()
{ {
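Review bot: `exit $1` in ExitCustom passes the argument through unvalidated; a non-numeric value produces a shell error and a value above 255 is wrapped, neither of which is the intended code. Check the argument with a `case $1 in *[!0-9]*)` pattern (or similar) and fall back to 1, as the else-branch already does when no argument is given.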
@ -337,8 +364,6 @@
fi fi
fi fi
# YYY check group ownership (just in case)
# Check if we have the read bit # Check if we have the read bit
if [ "${OTHERPERMS}" = "r" ]; then if [ "${OTHERPERMS}" = "r" ]; then
CANREAD=1 CANREAD=1
@ -577,25 +602,101 @@
logtext "Test: Determine if this system is a virtual machine" logtext "Test: Determine if this system is a virtual machine"
# 0 = no, 1 = yes, 2 = unknown # 0 = no, 1 = yes, 2 = unknown
ISVIRTUALMACHINE=2; VMTYPE="unknown"; VMFULLTYPE="Unknown" ISVIRTUALMACHINE=2; VMTYPE="unknown"; VMFULLTYPE="Unknown"
SHORT="" SHORT=""
# Trying systemd # facter
if [ "${SHORT}" = "" -a ! "${SYSTEMCTLBINARY}" = "" ]; then if [ "${SHORT}" = "" ]; then
logtext "Test: trying to guess virtualization technology with systemctl" if [ -x /usr/bin/facter ]; then
FIND=`${SYSTEMCTLBINARY} | grep "^Virtualization=" | awk -F= '{ print $2 }'` case "`facter is_virtual`" in
if [ ! "${FIND}" = "" ]; then "true")
SHORT="${FIND}" SHORT=`facter virtual`
logtext "Result: found ${SHORT}"
;;
"false")
logtext "Result: facter says this machine is not a virtual"
;;
esac
else
logtext "Result: facter utility not found"
fi fi
else
logtext "Result: skipped facter test, as we already found machine type"
fi
# systemd
if [ "${SHORT}" = "" ]; then
if [ -x /usr/bin/systemd-detect-virt ]; then
logtext "Test: trying to guess virtualization technology with systemd-detect-virt"
FIND=`/usr/bin/systemd-detect-virt`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found ${FIND}"
SHORT="${FIND}"
fi
else
logtext "Result: systemd-detect-virt not found"
fi
else
logtext "Result: skipped systemd test, as we already found machine type"
fi
# lscpu
# Values: VMware
if [ "${SHORT}" = "" ]; then
if [ -x /usr/bin/lscpu ]; then
logtext "Test: trying to guess virtualization with lscpu"
FIND=`lscpu | grep "^Hypervisor Vendor" | awk -F: '{ print $2 }' | sed 's/ //g'`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found ${FIND}"
SHORT="${FIND}"
else
logtext "Result: can't find hypervisor vendor with lscpu"
fi
else
logtext "Result: lscpu not found"
fi
else
logtext "Result: skipped lscpu test, as we already found machine type"
fi
# dmidecode
# Values: VMware Virtual Platform / VirtualBox
if [ "${SHORT}" = "" ]; then
if [ -x /usr/sbin/dmidecode ]; then
logtext "Test: trying to guess virtualization with dmidecode"
FIND=`dmidecode -s system-product-name | awk '{ print $1 }'`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found ${FIND}"
SHORT="${FIND}"
else
logtext "Result: can't find product name with dmidecode"
fi
else
logtext "Result: dmidecode not found"
fi
else
logtext "Result: skipped dmidecode test, as we already found machine type"
fi fi
# lshw # lshw
if [ "${SHORT}" = "" ]; then if [ "${SHORT}" = "" ]; then
if [ -x /usr/bin/lshw ]; then if [ -x /usr/bin/lshw ]; then
SHORT=`lshw -quiet -class system | awk '{ if ($1=="product:") { print $2 }}'` logtext "Test: trying to guess virtualization with lshw"
FIND=`lshw -quiet -class system | awk '{ if ($1=="product:") { print $2 }}'`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found ${FIND}"
SHORT="${FIND}"
fi
else
logtext "Result: lshw not found"
fi fi
else
logtext "Result: skipped lshw test, as we already found machine type"
fi fi
# Other options
# SaltStack: salt-call grains.get virtual
# < needs snippet >
# Try common guest processes # Try common guest processes
if [ "${SHORT}" = "" ]; then if [ "${SHORT}" = "" ]; then
logtext "Test: trying to guess virtual machine type by running processes" logtext "Test: trying to guess virtual machine type by running processes"
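Review bot: the systemd branch treats any non-empty output as a hit, but systemd-detect-virt prints `none` (with a non-zero exit status) on bare metal; SHORT then becomes `none`, every later probe is skipped as "already found machine type", and the final case statement has nothing to match. Check the exit status or compare against `none` before assigning SHORT. The dmidecode branch has the same shape: `system-product-name` is also non-empty on physical hardware (a vendor model name), so its first word lands in SHORT and stops further probing. The lscpu grep uses `^Hypervisor Vendor`, while util-linux prints the label as `Hypervisor vendor`; use `grep -i`. Finally, facter is tested at `/usr/bin/facter` but invoked as bare `facter`, which resolves through PATH; call the path that was checked.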
@ -603,33 +704,49 @@
# VMware # VMware
IsRunning vmware-guestd IsRunning vmware-guestd
if [ ${RUNNING} -eq 1 ]; then SHORT="vmware"; fi if [ ${RUNNING} -eq 1 ]; then SHORT="vmware"; fi
IsRunning vmtoolsd
if [ ${RUNNING} -eq 1 ]; then SHORT="vmware"; fi
# VirtualBox based on guest services # VirtualBox based on guest services
IsRunning vboxguest-service IsRunning vboxguest-service
if [ ${RUNNING} -eq 1 ]; then SHORT="virtualbox"; fi if [ ${RUNNING} -eq 1 ]; then SHORT="virtualbox"; fi
IsRunning VBoxClient IsRunning VBoxClient
if [ ${RUNNING} -eq 1 ]; then SHORT="virtualbox"; fi if [ ${RUNNING} -eq 1 ]; then SHORT="virtualbox"; fi
else
logtext "Result: skipped processes test, as we already found platform"
fi fi
# Amazon EC2 # Amazon EC2
if [ "${SHORT}" = "" ]; then if [ "${SHORT}" = "" ]; then
logtext "Test: checking specific files for Amazon" logtext "Test: checking specific files for Amazon"
if [ -f /etc/ec2_version -a ! -z /etc/ec2_version ]; then SHORT="amazon-ec2"; fi if [ -f /etc/ec2_version -a ! -z /etc/ec2_version ]; then
SHORT="amazon-ec2"
else
logtext "Result: system not hosted on Amazon"
fi
else
logtext "Result: skipped Amazon EC2 test, as we already found platform"
fi fi
# sysctl values # sysctl values
if [ "${SHORT}" = "" ]; then if [ "${SHORT}" = "" ]; then
logtext "Test: trying to guess virtual machine type by sysctl keys" logtext "Test: trying to guess virtual machine type by sysctl keys"
# FreeBSD: hw.hv_vendor (remains empty for VirtualBox)
# NetBSD: machdep.dmi.system-product # NetBSD: machdep.dmi.system-product
# OpenBSD: hw.product # OpenBSD: hw.product
SHORT=`sysctl -a 2> /dev/null | egrep "(hw.product|machdep.dmi.system-product)" | head -1 | sed 's/ = /=/' | awk -F= '{ print $2 }'` FIND=`sysctl -a 2> /dev/null | egrep "(hw.product|machdep.dmi.system-product)" | head -1 | sed 's/ = /=/' | awk -F= '{ print $2 }'`
if [ ! "${FIND}" = "" ]; then
SHORT="${FIND}"
fi
else
logtext "Result: skipped sysctl test, as we already found platform"
fi fi
# Check if we catched some string along all tests # Check if we catched some string along all tests
if [ ! "${SHORT}" = "" ]; then if [ ! "${SHORT}" = "" ]; then
# Lowercase and see if we found a match # Lowercase and see if we found a match
SHORT=`echo ${SHORT} | tr [[:upper:]] [[:lower:]]` SHORT=`echo ${SHORT} | awk '{ print $1 }' | tr [[:upper:]] [[:lower:]]`
case ${SHORT} in case ${SHORT} in
amazon-ec2) ISVIRTUALMACHINE=1; VMTYPE="amazon-ec2"; VMFULLTYPE="Amazon AWS EC2 Instance" ;; amazon-ec2) ISVIRTUALMACHINE=1; VMTYPE="amazon-ec2"; VMFULLTYPE="Amazon AWS EC2 Instance" ;;
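Review bot: the added FreeBSD comment names `hw.hv_vendor`, but the egrep pattern on the next line still matches only `hw.product` and `machdep.dmi.system-product`, so the FreeBSD key is never read; add it to the alternation. In the Amazon branch, `! -z /etc/ec2_version` tests a string for emptiness, and a literal path is never empty, so the whole condition reduces to `-f`; `-s` is presumably what was meant. `tr [[:upper:]] [[:lower:]]` also leaves the bracket expressions unquoted, so a single-character filename in the current directory would be substituted into the command; quote them.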
@ -637,7 +754,7 @@
docker) ISVIRTUALMACHINE=1; VMTYPE="docker"; VMFULLTYPE="Docker container" ;; docker) ISVIRTUALMACHINE=1; VMTYPE="docker"; VMFULLTYPE="Docker container" ;;
kvm) ISVIRTUALMACHINE=1; VMTYPE="kvm"; VMFULLTYPE="KVM" ;; kvm) ISVIRTUALMACHINE=1; VMTYPE="kvm"; VMFULLTYPE="KVM" ;;
lxc) ISVIRTUALMACHINE=1; VMTYPE="lxc"; VMFULLTYPE="Linux Containers" ;; lxc) ISVIRTUALMACHINE=1; VMTYPE="lxc"; VMFULLTYPE="Linux Containers" ;;
lxc-libvirt) ISVIRTUALMACHINE=1; VMTYPE="lxc-libvirt"; VMFULLTYPE="libvirt LXC driver (Linux Containers" ;; lxc-libvirt) ISVIRTUALMACHINE=1; VMTYPE="lxc-libvirt"; VMFULLTYPE="libvirt LXC driver (Linux Containers)" ;;
microsoft) ISVIRTUALMACHINE=1; VMTYPE="microsoft"; VMFULLTYPE="Microsoft Virtual PC" ;; microsoft) ISVIRTUALMACHINE=1; VMTYPE="microsoft"; VMFULLTYPE="Microsoft Virtual PC" ;;
openvz) ISVIRTUALMACHINE=1; VMTYPE="openvz"; VMFULLTYPE="OpenVZ" ;; openvz) ISVIRTUALMACHINE=1; VMTYPE="openvz"; VMFULLTYPE="OpenVZ" ;;
oracle|virtualbox) ISVIRTUALMACHINE=1; VMTYPE="virtualbox"; VMFULLTYPE="Oracle VM VirtualBox" ;; oracle|virtualbox) ISVIRTUALMACHINE=1; VMTYPE="virtualbox"; VMFULLTYPE="Oracle VM VirtualBox" ;;
@ -656,9 +773,11 @@
logtext "Result: found virtual machine (type: ${VMTYPE}, ${VMFULLTYPE})" logtext "Result: found virtual machine (type: ${VMTYPE}, ${VMFULLTYPE})"
report "vm=1" report "vm=1"
report "vmtype=${VMTYPE}" report "vmtype=${VMTYPE}"
elif [ ${ISVIRTUALMACHINE} -eq 2 ]; then elif [ ${ISVIRTUALMACHINE} -eq 2 ]; then
logtext "Result: unknown if this system is a virtual machine" logtext "Result: unknown if this system is a virtual machine"
report "vm=2" report "vm=2"
else
logtext "Result: system seems to be non-virtual"
fi fi
} }
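Review bot: the new else branch logs 'system seems to be non-virtual' but writes nothing to the report, while the two branches above emit `report "vm=1"` and `report "vm=2"`; add `report "vm=0"` so that a consumer of the report file can distinguish 'checked and found non-virtual' from 'detection did not run'.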
@ -778,6 +897,8 @@
NGINX_ACCESS_LOG_DISABLED=1 NGINX_ACCESS_LOG_DISABLED=1
else else
if [ ! "${VALUE}" = "" ]; then if [ ! "${VALUE}" = "" ]; then
# If multiple values follow, select first one
VALUE=`echo ${VALUE} | awk '{ print $1 }'`
if [ ! -f ${VALUE} ]; then if [ ! -f ${VALUE} ]; then
logtext "Result: could not find referenced log file ${VALUE} in nginx configuration" logtext "Result: could not find referenced log file ${VALUE} in nginx configuration"
NGINX_ACCESS_LOG_MISSING=1 NGINX_ACCESS_LOG_MISSING=1
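Review bot: after selecting the first token, `if [ ! -f ${VALUE} ]` still tests the value unquoted and as-is, so a relative access_log path (nginx resolves those against its prefix directory) is logged as missing even when the file exists, and a value containing shell metacharacters would be word-split; quote the variable and either resolve relative paths against the prefix or log them as 'not checked' rather than setting NGINX_ACCESS_LOG_MISSING=1.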
@ -807,12 +928,12 @@
NGINX_EXPIRES_FOUND=1 NGINX_EXPIRES_FOUND=1
;; ;;
error_log) error_log)
# YYY Check if debug is appended # Check if debug is appended
FIND=`echo ${VALUE} | awk '{ if ($2=="debug") { print 1 } else { print 0 }}'` FIND=`echo ${VALUE} | awk '{ if ($2=="debug") { print 1 } else { print 0 }}'`
if [ ${FIND} -eq 1 ]; then if [ ${FIND} -eq 1 ]; then
NGINX_ERROR_LOG_DEBUG=1 NGINX_ERROR_LOG_DEBUG=1
fi fi
# YYY Check if file exists # Check if log file exists
FILE=`echo ${VALUE} | awk '{ print $1 }'` FILE=`echo ${VALUE} | awk '{ print $1 }'`
if [ ! "${FILE}" = "" ]; then if [ ! "${FILE}" = "" ]; then
if [ ! -f ${FILE} ]; then if [ ! -f ${FILE} ]; then
@ -1118,6 +1239,7 @@
# Log suggestions to report file # Log suggestions to report file
ReportSuggestion() ReportSuggestion()
{ {
TOTAL_SUGGESTIONS=`expr ${TOTAL_SUGGESTIONS} + 1`
# 2 parameters # 2 parameters
# <ID> <suggestion text> # <ID> <suggestion text>
report "suggestion[]=$1|$2|" report "suggestion[]=$1|$2|"
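Review bot: `TOTAL_SUGGESTIONS=\`expr ${TOTAL_SUGGESTIONS} + 1\`` assumes the counter has already been initialised; if TOTAL_SUGGESTIONS is unset when the first suggestion is reported, expr receives only `+ 1`, prints a syntax error and leaves the variable empty for the rest of the run, which then shows up as an empty count in the results header. The initialisation is not part of this diff; make sure both TOTAL_SUGGESTIONS and TOTAL_WARNINGS are set to 0 with the other defaults.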
@ -1127,6 +1249,7 @@
# Log warning to report file # Log warning to report file
ReportWarning() ReportWarning()
{ {
TOTAL_WARNINGS=`expr ${TOTAL_WARNINGS} + 1`
# 3 parameters # 3 parameters
# <ID> <priority/impact> <warning text> # <ID> <priority/impact> <warning text>
if [ "$2" = "L" -o "$2" = "M" -o "$2" = "H" ]; then if [ "$2" = "L" -o "$2" = "M" -o "$2" = "H" ]; then
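Review bot: the counter is incremented before the priority argument is validated (`if [ "$2" = "L" -o "$2" = "M" -o "$2" = "H" ]`), so a call with an invalid priority is counted as a warning regardless of what the else branch does with it, and the number shown in the results header may not match the number of warning[] lines written to the report; move the increment into the branch that actually records the warning.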
@ -1283,6 +1406,7 @@
SYMLINK_USE_READLINK=1 SYMLINK_USE_READLINK=1
logtext "Note: Using real readlink binary to determine symlinks" logtext "Note: Using real readlink binary to determine symlinks"
tFILE=`${READLINKBINARY} -f ${sFILE}` tFILE=`${READLINKBINARY} -f ${sFILE}`
logtext "Result: readlink shows ${tFILE} as output"
fi fi
fi fi
# Check if we can find the file now # Check if we can find the file now
@ -1292,6 +1416,14 @@
sFILE="${tFILE}" sFILE="${tFILE}"
logtext "Result: symlink found, pointing to file ${sFILE}" logtext "Result: symlink found, pointing to file ${sFILE}"
FOUNDPATH=1 FOUNDPATH=1
elif [ -b ${tFILE} ]; then
sFILE="${tFILE}"
logtext "Result: symlink found, pointing to block device ${sFILE}"
FOUNDPATH=1
elif [ -c ${tFILE} ]; then
sFILE="${tFILE}"
logtext "Result: symlink found, pointing to character device ${sFILE}"
FOUNDPATH=1
elif [ -d ${tFILE} ]; then elif [ -d ${tFILE} ]; then
sFILE="${tFILE}" sFILE="${tFILE}"
logtext "Result: symlink found, pointing to directory ${sFILE}" logtext "Result: symlink found, pointing to directory ${sFILE}"

@ -4,7 +4,6 @@ if [ $# -eq 0 ]; then
Display --indent 2 --text "${RED}Error: ${WHITE}Provide URL or file${NORMAL}" Display --indent 2 --text "${RED}Error: ${WHITE}Provide URL or file${NORMAL}"
Display --text " "; Display --text " " Display --text " "; Display --text " "
ExitFatal ExitFatal
else else
FILE=`echo $1 | egrep "^http|https"` FILE=`echo $1 | egrep "^http|https"`
@ -18,7 +17,7 @@ if [ $# -eq 0 ]; then
if [ -f ${TMP_FILE} ]; then if [ -f ${TMP_FILE} ]; then
rm -f ${TMP_FILE} rm -f ${TMP_FILE}
fi fi
Dislpay --indent 2 --text "${RED}Error: ${WHITE}can not download file${NORMAL}" Display --indent 2 --text "${RED}Error: ${WHITE}can not download file${NORMAL}"
ExitFatal ExitFatal
fi fi
else else

include/helper_update Normal file
@ -0,0 +1,266 @@
#!/bin/sh
######################################################################
#
# Helper program to support automatic updates of Lynis
#
######################################################################
#
# Options:
# ---------
# 1) lynis update info - Show version information (external)
# 2) lynis update release - Check and install new release (internal)
#
# How to use:
# ------------
# Run option 1 to know about current and latest release information.
# Run option 2 to query internal server for possible upgrade of Lynis.
#
# Steps for updating to new release:
# 1) Run Lynis with: lynis update release
# 2) Lynis will use this helper and check the profile
# 3) The configured web server will be queried (lynis-latest-version)
# 4) The contents of this file will be compared with a local file
# 5) If there is a difference, download package
# 6) Check paths and extract files
# 7) Quit program
#
# Suggested documentation if you want to use this functionality:
# https://cisofy.com/documentation/lynis/upgrading/
#
######################################################################
LOCAL_VERSION="-"
SERVER_VERSION=""
PERFORM_UPGRADE=0
WGET_EXISTS=`which wget 2> /dev/null`
CURL_EXISTS=`which curl 2> /dev/null`
FETCH_EXISTS=`which fetch 2> /dev/null`
# Update version
if [ "$1" = "release" ]; then
if [ "${UPDATE_SERVER_PROTOCOL}" = "" ] ; then
Display --indent 2 --text "Error: Unknown protocol, please specify (http, https) in profile (update_server_protocol)"
ExitFatal
fi
if [ "${UPDATE_SERVER_ADDRESS}" = "" ] ; then
Display --indent 2 --text "Error: Unknown download address, please specify in profile (update_server_address)"
ExitFatal
fi
if [ "${UPDATE_LATEST_VERSION_DOWNLOAD}" = "" ] ; then
Display --indent 2 --text "Error: No URL to latest download has been specifiedrsion on the server, please specify in profile (update_latest_version_download)"
ExitFatal
fi
if [ "${UPDATE_LATEST_VERSION_INFO}" = "" ] ; then
Display --indent 2 --text "Error: No URL has been specified to know the latest version on the server, please specify in profile (update_latest_version_info)"
ExitFatal
fi
if [ "${UPDATE_LOCAL_DIRECTORY}" = "" ] ; then
Display --indent 2 --text "Error: No local directory has been specified to store Lynis files. Please specify in profile (update_local_directory)"
ExitFatal
else
if [ ! -d ${UPDATE_LOCAL_DIRECTORY} ]; then
Display --indent 2 --text "Error: Directory ${UPDATE_LOCAL_DIRECTORY} does not exist"
ExitFatal
fi
fi
if [ "${UPDATE_LOCAL_VERSION_INFO}" = "" ] ; then
Display --indent 2 --text "Error: No data file has been specified to determine local Lynis version, please specify in profile (update_local_version_info)"
ExitFatal
fi
if [ ! -f ${UPDATE_LOCAL_VERSION_INFO} ]; then
Display --indent 2 --text "Note: local data file ${UPDATE_LOCAL_VERSION_INFO} does not exist. It will be created after updating. (update_local_version_info)"
else
LOCAL_VERSION=`cat ${UPDATE_LOCAL_VERSION_INFO}`
fi
# Normal update
FULLPATH="${UPDATE_SERVER_PROTOCOL}://${UPDATE_SERVER_ADDRESS}${UPDATE_LATEST_VERSION_INFO}"
TMP_FILE=`mktemp /tmp/audit.XXXXXXXXXX`
if [ "${TMP_FILE}" = "" ]; then
Display --indent 2 --text "Could not create a temporary file in /tmp with mktemp. Aborting.."
ExitFatal
fi
Display --indent 2 --text "${CYAN}[Phase 1] Downloading details${NORMAL}"
if [ ! "${WGET_EXISTS}" = "" ]; then
logtext "Using wget to download release information"
LAST_COMMAND_HELP="wget --output-document ${TMP_FILE} ${FULLPATH}"
wget --output-document ${TMP_FILE} ${FULLPATH} 2> /dev/null
EXIT_CODE=$?
elif [ ! "${CURL_EXISTS}" = "" ]; then
logtext "Using curl to download release information"
LAST_COMMAND_HELP="curl --fail -o ${TMP_FILE} ${FULLPATH}"
curl --fail -o ${TMP_FILE} ${FULLPATH} 2> /dev/null
EXIT_CODE=$?
else
Display --indent 2 --text "No download tool available to perform download"
ExitFatal
fi
if [ ! "${TMP_FILE}" = "" ]; then
if [ -f ${TMP_FILE} ]; then
SERVER_VERSION=`cat ${TMP_FILE}`
rm -f ${TMP_FILE}
fi
else
Display --indent 2 --text "Temporary file variable is empty, which is unexpected. Aborting.."
ExitFatal
fi
# Determine if downloading meta data was successful
if [ ${EXIT_CODE} -eq 0 ]; then
if [ "${SERVER_VERSION}" = "" ]; then
Display --indent 2 --text "No version found on the server. Aborting.."
ExitFatal
else
Display --indent 2 --text "Version found on server: ${SERVER_VERSION}"
Display --indent 2 --text "Local version found: ${LOCAL_VERSION}"
fi
else
Display --indent 2 --text "${RED}Error: ${WHITE}Download utility returned an unexpected error code.${NORMAL} Aborting.."
Display --indent 2 --text "Error code: ${EXIT_CODE}"
Display --indent 2 --text "Suggested command: ${LAST_COMMAND_HELP}"
ExitFatal
fi
#==========================================================================================================================================
Display --indent 2 --text " "
Display --indent 2 --text "${CYAN}[Phase 2] Compare results${NORMAL}"
if [ ! "${LOCAL_VERSION}" = "${SERVER_VERSION}" ]; then
Display --indent 2 --text "Different version available, moving to upgrade phase"
PERFORM_UPGRADE=1
else
Display --indent 2 --text "${GREEN}No upgrade needed${NORMAL}"
fi
# Go to phase 3 if upgrade is needed
if [ ${PERFORM_UPGRADE} -eq 1 ]; then
FULLPATH="${UPDATE_SERVER_PROTOCOL}://${UPDATE_SERVER_ADDRESS}${UPDATE_LATEST_VERSION_DOWNLOAD}"
Display --indent 2 --text " "
Display --indent 2 --text "[Phase 3] Downloading latest release"
Display --indent 2 --text "Download location: ${FULLPATH}"
if [ ! "${WGET_EXISTS}" = "" ]; then
logtext "Using wget to download latest release"
LAST_COMMAND_HELP="wget --output-document ${TMP_FILE} ${FULLPATH}"
wget --output-document ${TMP_FILE} ${FULLPATH} 2> /dev/null
EXIT_CODE=$?
elif [ ! "${CURL_EXISTS}" = "" ]; then
logtext "Using curl to download latest release"
LAST_COMMAND_HELP="curl --fail -o ${TMP_FILE} ${FULLPATH}"
curl --fail -o ${TMP_FILE} ${FULLPATH} 2> /dev/null
EXIT_CODE=$?
fi
if [ ${EXIT_CODE} -eq 0 ]; then
if [ -f ${TMP_FILE} ]; then
Display --indent 2 --text "Download successful"
# Extract the file to the related path, with 'lynis' appended
# Note: by default the tarball includes 'lynis' as directory
if [ ! -d ${UPDATE_LOCAL_DIRECTORY} ]; then
Display --indent 2 --text "Error: directory ${UPDATE_LOCAL_DIRECTORY} does not exist"
ExitFatal
fi
Display --indent 2 --text "Extracting latest version to path ${UPDATE_LOCAL_DIRECTORY}"
if [ ! -d ${UPDATE_LOCAL_DIRECTORY}/lynis ]; then
Display --indent 2 --text "Creating 'lynis' directory in ${UPDATE_LOCAL_DIRECTORY}"
mkdir ${UPDATE_LOCAL_DIRECTORY}/lynis
if [ $? -gt 0 ]; then
Display --indent 2 --text "Error: could not create directory ${UPDATE_LOCAL_DIRECTORY}/lynis"
ExitFatal
fi
fi
if [ -d ${UPDATE_LOCAL_DIRECTORY}/lynis ]; then
Display --indent 2 --text "Extracting files to ${UPDATE_LOCAL_DIRECTORY}"
tar xzf ${TMP_FILE} -C ${UPDATE_LOCAL_DIRECTORY}
if [ $? -eq 0 ]; then
# Check if we can find the Lynis binary (in the created 'lynis' directory)
if [ -f ${UPDATE_LOCAL_DIRECTORY}/lynis/lynis ]; then
# If version was downloaded, update local version
echo ${SERVER_VERSION} > ${UPDATE_LOCAL_VERSION_INFO}
else
Display --indent 2 --text "Error: could not find downloaded file on disk"
fi
else
Display --indent 2 --text "Error: File extraction failed"
ExitFatal
fi
else
Display --indent 2 --text "Error: could not find lynis directory"
fi
else
Display --indent 2 --text "Error: could not find downloaded file on disk"
ExitFatal
fi
else
Display --indent 2 --text "Error: could not download latest release"
Display --indent 2 --text "Suggestion: ${LAST_COMMAND_HELP}"
ExitFatal
fi
fi
# Removing temp file
logtext "Action: Removing temporary file ${TMP_FILE}"
if [ "${TMP_FILE}" = "" ]; then
if [ -f ${TMP_FILE} ]; then
rm -f ${TMP_FILE}
fi
fi
Display --indent 2 --text " "
Display --indent 2 --text "Done"
Display --indent 2 --text " "
ExitClean
# Update check
elif [ "$1" = "info" ]; then
# CV - Current Version
PROGRAM_AC=`echo ${PROGRAM_version} | awk '{ print $1 }' | sed 's/[.]//g'`
PROGRAM_LV=0
CheckUpdates
# Reset everything if we can't determine our current version or the latest
# available version (due lack of internet connectivity for example)
if [ "${PROGRAM_AC}" = "" -o "${PROGRAM_LV}" = "" ]; then
# Set both to safe values
PROGRAM_AC=0; PROGRAM_LV=0
fi
echo ""; echo " == ${WHITE}${PROGRAM_name}${NORMAL} =="
echo ""
echo " Version : ${PROGRAM_version}"
echo -n " Status : "
if [ ${PROGRAM_LV} -eq 0 ]; then
echo "${RED}Unknown${NORMAL}";
elif [ ${PROGRAM_LV} -gt ${PROGRAM_AC} ]; then
echo "${YELLOW}Outdated${NORMAL}";
echo " Current version : ${PROGRAM_AC}"
echo " Latest version : ${PROGRAM_LV}"
else
echo "${GREEN}Up-to-date${NORMAL}"
fi
echo " Release date : ${PROGRAM_releasedate}"
echo " Update location : ${PROGRAM_website}"
echo ""; echo ""
echo "${PROGRAM_copyright}"
echo ""
# Quit program
ExitClean
else
Display --indent 2 --text "${RED}Error: ${WHITE}Unknown parameter $1.${NORMAL} Aborting.."
ExitFatal
fi
# The End
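Review bot: the temporary-file cleanup at the end of the release path is inverted: `if [ "${TMP_FILE}" = "" ]; then` followed by `if [ -f ${TMP_FILE} ]; then` only runs `rm -f` when the variable is empty, so the downloaded tarball is left behind in /tmp after every update; the outer test should be `! "${TMP_FILE}" = ""`, as it is written earlier in the same file. The downloaded release is also extracted with `tar xzf ${TMP_FILE} -C ${UPDATE_LOCAL_DIRECTORY}` without any integrity check (no checksum or signature comparison against a known value), and the profile may select plain http as update_server_protocol, so the update path trusts whatever the server or the network returns; at minimum document this in the 'How to use' header, and consider requiring https and verifying a digest before extraction. Smaller points: the error text 'No URL to latest download has been specifiedrsion on the server' is garbled; FETCH_EXISTS is assigned but never used, although fetch would be the natural download tool on FreeBSD; and after the phase 1 `rm -f ${TMP_FILE}` the same path is reused as the phase 3 download target, so the file is recreated by wget/curl rather than by mktemp.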

@ -23,6 +23,7 @@
PARAMCOUNT=$# PARAMCOUNT=$#
while [ $# -ge 1 ]; do while [ $# -ge 1 ]; do
case $1 in case $1 in
# Helpers first
audit) audit)
CHECK_BINARIES=0 CHECK_BINARIES=0
RUN_HELPERS=1 RUN_HELPERS=1
@ -63,6 +64,28 @@
#break #break
;; ;;
# Helpers first
update)
CHECK_BINARIES=0
RUN_HELPERS=1
HELPER="update"
RUN_PLUGINS=0
RUN_TESTS=0
SHOW_PROGRAM_DETAILS=0
if [ ! $2 = "" ]; then
shift
HELPER_PARAMS="$1 $2"
break
else
Display --text "${RED}Error: ${WHITE}Need a target for update${NORMAL}"
Display --text " "
Display --text "Examples:"
Display --text "lynis update info"
Display --text "lynis update release"
ExitFatal
fi
;;
# Assign auditor to report # Assign auditor to report
--auditor) --auditor)
shift shift
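Review bot: `if [ ! $2 = "" ]; then` leaves $2 unquoted, so `lynis update` with no target expands to `[ ! = "" ]`, which test rejects as a syntax error instead of reaching the else branch with the usage examples; write it as `if [ ! "$2" = "" ]; then`. Also, after the shift `HELPER_PARAMS="$1 $2"` passes a third word through even though helper_update only reads $1, and the `break` silently drops any further arguments.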
@ -102,7 +125,9 @@
# View program/database information # View program/database information
--check-update | --check-updates | --info) --check-update | --check-updates | --info)
VIEWUPDATEINFO=1 echo "This option is deprecated"
echo "Use: lynis update info"
ExitClean
;; ;;
# License key for Lynis Enterprise # License key for Lynis Enterprise
@ -144,11 +169,11 @@
LASTCHAR=`echo $1 | awk '{ print substr($0, length($0))}'` LASTCHAR=`echo $1 | awk '{ print substr($0, length($0))}'`
if [ "${LASTCHAR}" = "/" ]; then if [ "${LASTCHAR}" = "/" ]; then
echo "${RED}Error:${WHITE} plugin directory path should not end with a slash${NORMAL}" echo "${RED}Error:${WHITE} plugin directory path should not end with a slash${NORMAL}"
ExitFatal ExitCustom 65
fi fi
if [ ! -d ${PLUGINDIR} ]; then if [ ! -d ${PLUGINDIR} ]; then
echo "${RED}Error:${WHITE} invalid plugin directory ${PLUGINDIR}${NORMAL}" echo "${RED}Error:${WHITE} invalid plugin directory ${PLUGINDIR}${NORMAL}"
ExitFatal ExitCustom 66
fi fi
;; ;;
@ -238,4 +263,4 @@
done done
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands # Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com

@ -5,8 +5,8 @@
# Lynis # Lynis
# ------------------ # ------------------
# #
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands # Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: http://www.rootkit.nl # Web site: https://cisofy.com
# #
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License. # welcome to redistribute it under the terms of the GNU General Public License.
@ -15,23 +15,6 @@
################################################################################# #################################################################################
# #
# Read profile/template # Read profile/template
#
#################################################################################
#
#YYY Enable check when profile files are complete and completely documented
# Check if default profile is used
if [ "${PROFILE}" = "defaultXXX.prf" ]; then
echo ""
echo " ==============================================================================="
echo " ${WARNING}Warning${NORMAL}: ${WHITE}Default profile is used.${NORMAL}"
echo " Default profile contains only a small amount of options and settings."
echo " Consult the documentation to create a custom profile!"
echo ""
echo " [ ${WHITE}Press [ENTER] to continue with the default profile or [CTRL] + C to stop${NORMAL} ]"
echo " ==============================================================================="
wait_for_keypress
fi
# #
################################################################################# #################################################################################
# #
@ -120,7 +103,6 @@
# Profile name # Profile name
profile_name) profile_name)
# YYY dummy
PROFILE_NAME="${VALUE}" PROFILE_NAME="${VALUE}"
;; ;;
@ -147,6 +129,36 @@
if [ "${VALUE}" = "full" ]; then SCAN_TEST_LIGHT="YES"; SCAN_TEST_MEDIUM="YES"; SCAN_TEST_HEAVY="YES"; fi if [ "${VALUE}" = "full" ]; then SCAN_TEST_LIGHT="YES"; SCAN_TEST_MEDIUM="YES"; SCAN_TEST_HEAVY="YES"; fi
;; ;;
# Server IP or hostname
update_server_address)
UPDATE_SERVER_ADDRESS="${VALUE}"
;;
# Protocol (http, https)
update_server_protocol)
UPDATE_SERVER_PROTOCOL="${VALUE}"
;;
# File path to tarball on server
update_latest_version_download)
UPDATE_LATEST_VERSION_DOWNLOAD="${VALUE}"
;;
# File path to information file
update_latest_version_info)
UPDATE_LATEST_VERSION_INFO="${VALUE}"
;;
# Local directory where lynis directory will be placed
update_local_directory)
UPDATE_LOCAL_DIRECTORY="${VALUE}"
;;
# Local file to maintain current version
update_local_version_info)
UPDATE_LOCAL_VERSION_INFO="${VALUE}"
;;
# Options during upload of data # Options during upload of data
upload_options) upload_options)
UPLOAD_OPTIONS="${VALUE}" UPLOAD_OPTIONS="${VALUE}"
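Review bot: update_server_protocol and update_server_address are stored without validation; helper_update only checks that they are non-empty, while its own error message lists '(http, https)' as the accepted values. Since these two settings build the URL from which the release tarball is downloaded and extracted, validate the protocol here (accept only `http` or `https`, preferably just https) and reject anything else, so that a typo or a plain-http profile fails at parse time rather than producing an unverified download.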

@ -19,17 +19,6 @@
################################################################################# #################################################################################
# #
# Only show overview if not running in quiet mode
if [ ${QUIET} -eq 0 ]; then
echo ""; echo "================================================================================"
echo ""; echo " -[ ${WHITE}${PROGRAM_name} ${PROGRAM_version} Results${NORMAL} ]-"
echo "";
if [ ${SHOW_REPORT} -eq 1 ]; then
logtextbreak
# #
################################################################################# #################################################################################
# #
@ -87,7 +76,18 @@
HPGRAPH="[${HPCOLOR}${HPBLOCKS}${NORMAL}${HPEMPTY}]" HPGRAPH="[${HPCOLOR}${HPBLOCKS}${NORMAL}${HPEMPTY}]"
logtext "Hardening index : [${HPINDEX}] [${HPBLOCKS}${HPEMPTY}]" logtext "Hardening index : [${HPINDEX}] [${HPBLOCKS}${HPEMPTY}]"
logtext "Hardening strength: ${HIDESCRIPTION}" logtext "Hardening strength: ${HIDESCRIPTION}"
report "hardening_index=${HPINDEX}"
# Only show overview if not running in quiet mode
if [ ${QUIET} -eq 0 ]; then
echo ""; echo "================================================================================"
echo ""; echo " -[ ${WHITE}${PROGRAM_name} ${PROGRAM_version} Results${NORMAL} ]-"
echo "";
if [ ${SHOW_REPORT} -eq 1 ]; then
logtextbreak
# #
################################################################################# #################################################################################
@ -107,7 +107,7 @@
if [ "${SWARNINGS}" = "" ]; then if [ "${SWARNINGS}" = "" ]; then
echo " ${OK}No warnings${NORMAL}"; echo "" echo " ${OK}No warnings${NORMAL}"; echo ""
else else
echo " ${WARNING}Warnings${NORMAL}:" echo " ${WARNING}Warnings${NORMAL} (${TOTAL_WARNINGS}):"
echo " ${WHITE}----------------------------${NORMAL}" echo " ${WHITE}----------------------------${NORMAL}"
for WARNING in ${SWARNINGS}; do for WARNING in ${SWARNINGS}; do
SHOWWARNING=`echo ${WARNING} | sed 's/!space!/ /g' | sed 's/^\[\(.*\)\] Warning: //'` SHOWWARNING=`echo ${WARNING} | sed 's/!space!/ /g' | sed 's/^\[\(.*\)\] Warning: //'`
@ -129,7 +129,7 @@
if [ "${SSUGGESTIONS}" = "" ]; then if [ "${SSUGGESTIONS}" = "" ]; then
echo " ${OK}No suggestions${NORMAL}"; echo "" echo " ${OK}No suggestions${NORMAL}"; echo ""
else else
echo " ${YELLOW}Suggestions${NORMAL}:" echo " ${YELLOW}Suggestions${NORMAL} (${TOTAL_SUGGESTIONS}):"
echo " ${WHITE}----------------------------${NORMAL}" echo " ${WHITE}----------------------------${NORMAL}"
for SUGGESTION in ${SSUGGESTIONS}; do for SUGGESTION in ${SSUGGESTIONS}; do
SHOWSUGGESTION=`echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^\[\(.*\)\] Suggestion: //'` SHOWSUGGESTION=`echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^\[\(.*\)\] Suggestion: //'`
@ -169,9 +169,10 @@
echo "" echo ""
echo " ${SECTION}Lynis Modules${NORMAL}:" echo " ${SECTION}Lynis Modules${NORMAL}:"
echo " - Heuristics Check [${WHITE}NA${NORMAL}] - Security Audit [${GREEN}V${NORMAL}]" if [ ${LYNIS_COMPLIANCE_TESTS} -eq 1 ]; then COMPLIANCE="${GREEN}V"; else COMPLIANCE="${YELLOW}NA"; fi
if [ ${LYNIS_COMPLIANCE_TESTS} -eq 1 ]; then COMPLIANCE="${GREEN}V"; else COMPLIANCE="${RED}X"; fi echo " - Compliance Tests [${COMPLIANCE}${NORMAL}]"
echo " - Compliance Tests [${COMPLIANCE}${NORMAL}] - Vulnerability Scan [${GREEN}V${NORMAL}]" echo " - Security Audit [${GREEN}V${NORMAL}]"
echo " - Vulnerability Scan [${GREEN}V${NORMAL}]"
echo "" echo ""
echo " ${SECTION}Files${NORMAL}:" echo " ${SECTION}Files${NORMAL}:"
echo " - Test and debug information : ${WHITE}${LOGFILE}${NORMAL}" echo " - Test and debug information : ${WHITE}${LOGFILE}${NORMAL}"
@ -224,21 +225,15 @@
echo "================================================================================" echo "================================================================================"
fi fi
if [ ${SHOW_TOOL_TIPS} -eq 1 ]; then
echo " Tip: Disable all tests which are not relevant or are too strict for the"
echo " purpose of this particular machine. This will remove unwanted suggestions"
echo " and also boost the hardening index. Each test should be properly analyzed"
echo " to see if the related risks can be accepted, before disabling the test."
echo "================================================================================"
fi
echo ""; echo "" echo ""; echo ""
fi fi
fi fi
# Report data, even if it is not displayed on screen
report "hardening_index=${HPINDEX}"
if [ ${QUIET} -eq 0 ]; then if [ ${QUIET} -eq 0 ]; then
echo " ${PROGRAM_name} ${PROGRAM_version}" echo " ${PROGRAM_name} ${PROGRAM_version}"

@ -5,8 +5,8 @@
# Lynis # Lynis
# ------------------ # ------------------
# #
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands # Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
# Web site: http://www.rootkit.nl # Web site: https://cisofy.com
# #
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License. # welcome to redistribute it under the terms of the GNU General Public License.
@ -126,7 +126,9 @@
else else
logtext "Result: auditd not active" logtext "Result: auditd not active"
Display --indent 2 --text "- Checking auditd" --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking auditd" --result "NOT FOUND" --color WHITE
ReportSuggestion ${TEST_NO} "Enable auditd to collect audit information" if [ ! "${VMTYPE}" = "openvz" ]; then
ReportSuggestion ${TEST_NO} "Enable auditd to collect audit information"
fi
AUDITD_RUNNING=0 AUDITD_RUNNING=0
report "audit_daemon_running=0" report "audit_daemon_running=0"
AddHP 0 1 AddHP 0 1
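Review bot: suppressing the suggestion when VMTYPE is openvz leaves the unchanged `AddHP 0 1` in place, so an OpenVZ container still loses hardening points for a missing auditd that this change treats as not applicable there; either wrap the AddHP call in the same VMTYPE condition or add a comment explaining why the index should still be penalised. Keeping `report "audit_daemon_running=0"` unconditional is fine, since it records the observed state.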
@ -226,7 +228,7 @@
if [ -f /etc/ld.so.preload ]; then if [ -f /etc/ld.so.preload ]; then
logtext "Result: found /etc/ld.so.preload, testing if snoopy.so is listed" logtext "Result: found /etc/ld.so.preload, testing if snoopy.so is listed"
FIND=`grep ${FILE} /etc/ld.so.preload` FIND=`grep ${FILE} /etc/ld.so.preload`
if [ !"${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
logtext "Result: found snoopy in ld.so.preload" logtext "Result: found snoopy in ld.so.preload"
logtext "Output: ${FIND}" logtext "Output: ${FIND}"
Display --indent 6 --text "- Library in ld.so.preload" --result "LOADED" --color GREEN Display --indent 6 --text "- Library in ld.so.preload" --result "LOADED" --color GREEN
@ -324,15 +326,6 @@
fi fi
# #
################################################################################# #################################################################################
#
# Test : ACCT-9658
# Description : Check required audit files in /etc/security
#if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no ACCT-9658 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check required audit files"
#if [ ${SKIPTEST} -eq 0 ]; then
#fi
#
#################################################################################
# #
# Test : ACCT-9662 # Test : ACCT-9662
# Description : Check location for audit events # Description : Check location for audit events
@ -351,12 +344,13 @@
Display --indent 4 --text "- Checking Solaris audit location" --result FOUND --color GREEN Display --indent 4 --text "- Checking Solaris audit location" --result FOUND --color GREEN
else else
logtext "Result: location ${FIND} does not exist" logtext "Result: location ${FIND} does not exist"
# YYY perform manual audit Display --indent 4 --text "- Checking Solaris audit location" --result "NOT FOUND" --color YELLOW
Display --indent 4 --text "- Checking Solaris audit location" --result UNKNOWN --color YELLOW ReportSuggestion "${TEST_NO}" "Check if the Solaris audit directory is available"
fi fi
else else
logtext "Result: unknown event location" logtext "Result: unknown event location"
Display --indent 4 --text "- Checking Solaris audit location" --result UNKNOWN --color YELLOW Display --indent 4 --text "- Checking Solaris audit location" --result UNKNOWN --color YELLOW
ReportSuggestion "${TEST_NO}" "Check if the Solaris audit directory is properly configured"
fi fi
else else
logtext "Result: could not find /etc/security/audit_control" logtext "Result: could not find /etc/security/audit_control"
@ -365,22 +359,6 @@
fi fi
# #
################################################################################# #################################################################################
#
# Test : ACCT-96xx
# Description : Check which events are audited
#if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no ACCT-96xx --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check BSM auditing in module list"
#if [ ${SKIPTEST} -eq 0 ]; then
#
#################################################################################
#
# Test : ACCT-96xx
# Description : Check user specific event auditing
#if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no ACCT-96xx --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check user specific event auditing"
#if [ ${SKIPTEST} -eq 0 ]; then
#
#################################################################################
# #
# Test : ACCT-9672 # Test : ACCT-9672
# Description : check auditstat # Description : check auditstat
@ -403,28 +381,8 @@
################################################################################# #################################################################################
# #
# Test : ACCT-9680
# Description : Check if required packages are installed
#if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no ACCT-9662 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check BSM auditing in module list"
#if [ ${SKIPTEST} -eq 0 ]; then
#
# Solaris 10 packages
# bash-3.00# pkginfo | egrep 'SUNWcar|SUNWcsr|SUNWcsu|SUNWhea|SUNWman'
#system SUNWcar Core Architecture, (Root)
#system SUNWcsr Core Solaris, (Root)
#system SUNWcsu Core Solaris, (Usr)
#system SUNWhea SunOS Header Files
#system SUNWman On-Line Manual Pages
#
#################################################################################
#
# Check psacct package (ac, lastcomm, accton, sa)
# Check auditd (auditctl, ausearch, aureport)
wait_for_keypress wait_for_keypress
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - http://cisofy.com - The Netherlands # Lynis - Copyright 2007-2015, Michael Boelen / CISOfy - https://cisofy.com

@ -31,11 +31,12 @@
# Test : AUTH-9204 # Test : AUTH-9204
# Description : Check users with UID zero (0) # Description : Check users with UID zero (0)
# Notes : Ignores :0: in file if match is in NIS related line
Register --test-no AUTH-9204 --weight L --network NO --description "Check users with an UID of zero" Register --test-no AUTH-9204 --weight L --network NO --description "Check users with an UID of zero"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Search accounts with UID 0 # Search accounts with UID 0
logtext "Test: Searching accounts with UID 0" logtext "Test: Searching accounts with UID 0"
FIND=`grep ':0:' /etc/passwd | egrep -v '^#|^root:|^:0:0:::' | cut -d ":" -f1,3 | grep ':0'` FIND=`grep ':0:' /etc/passwd | egrep -v '^#|^root:|^(\+:\*)?:0:0:::' | cut -d ":" -f1,3 | grep ':0'`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
Display --indent 2 --text "- Search administrator accounts" --result WARNING --color RED Display --indent 2 --text "- Search administrator accounts" --result WARNING --color RED
logtext "Result: Found more than one administrator accounts" logtext "Result: Found more than one administrator accounts"
@ -58,10 +59,8 @@
# #
# Test : AUTH-9208 # Test : AUTH-9208
# Description : Check non-unique accounts # Description : Check non-unique accounts
Register --test-no AUTH-9208 --weight L --network NO --description "Check non-unique accounts" Register --test-no AUTH-9208 --weight L --network NO --description "Check non-unique accounts in passwd file"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: ${USER_PASSWD_DOUBLEUID_AUDIT_TITLE}"
logtext "Description: ${USER_PASSWD_DOUBLEUID_AUDIT_DESCRIPTION}"
logtext "Test: Checking for non-unique accounts" logtext "Test: Checking for non-unique accounts"
if [ "${OS}" = "DragonFly" -o "${OS}" = "FreeBSD" -o "${OS}" = "NetBSD" ]; then if [ "${OS}" = "DragonFly" -o "${OS}" = "FreeBSD" -o "${OS}" = "NetBSD" ]; then
PASSWD_FILE="/etc/master.passwd" PASSWD_FILE="/etc/master.passwd"
@ -84,7 +83,7 @@
Display --indent 2 --text "- Checking UIDs" --result SKIPPED --color WHITE Display --indent 2 --text "- Checking UIDs" --result SKIPPED --color WHITE
logtext "Result: test skipped, ${PASSWD_FILE} file not available" logtext "Result: test skipped, ${PASSWD_FILE} file not available"
fi fi
logtext "Remarks: ${USER_PASSWD_DOUBLEUID_AUDIT_TEXT}" logtext "Remarks: Non unique UIDs can riskful for the system or part of a configuration mistake"
fi fi
# #
################################################################################# #################################################################################
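Review bot: the new log string 'Non unique UIDs can riskful for the system or part of a configuration mistake' is missing a verb; suggest 'Non-unique UIDs can be risky for the system or indicate a configuration mistake'. Replacing `${USER_PASSWD_DOUBLEUID_AUDIT_TEXT}` with a literal is fine provided no other include still references that variable, which the removal of the two matching logtext lines in the earlier hunk suggests.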
@ -250,27 +249,6 @@
fi fi
# #
################################################################################# #################################################################################
#
# # Test : AUTH-9229
# # Description : Check AIX password file consistency
# # Notes : Read only mode?
# if [ -x /usr/bin/usrck ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Register --test-no AUTH-9229 --os AIX --preqs-met ${PREQS_MET} --weight L --network NO --description "Check password file consistency"
# if [ ${SKIPTEST} -eq 0 ]; then
# logtext "Test: Checking password file consistency (usrck)"
# FIND=`/usr/bin/usrck -n ALL 2>; echo $?`
# if [ "${FIND}" = "0" ]; then
# Display --indent 2 --text "- Checking password file consistency" --result OK --color GREEN
# logtext "Result: usrck finished didn't find problems"
# else
# Display --indent 2 --text "- Checking password file consistency" --result WARNING --color RED
# logtext "Result: usrck found one or more errors/warnings in the password file."
# ReportWarning ${TEST_NO} "M" "usrck found one or more errors/warnings in the password file"
# ReportSuggestion ${TEST_NO} "Run usrck manually and correct found issues."
# fi
# fi
#
#################################################################################
# #
# Test : AUTH-9230 # Test : AUTH-9230
# Description : Check Solaris password file consistency # Description : Check Solaris password file consistency
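Review bot: removing the commented-out AUTH-9229 block drops the only sketch of an AIX password-file consistency check (`usrck -n ALL`). The sketch was unusable as written (`2>; echo $?` has no redirect target), so deleting it is fine, but please open an issue so the AIX coverage gap stays tracked instead of vanishing from the file.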
@ -291,47 +269,6 @@
fi fi
# #
################################################################################# #################################################################################
#
# # Test : AUTH-9231
# # Description : Check HP-UX password file consistency
# # Notes : Read only mode?
# if [ -x /usr/sbin/pwck ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Register --test-no AUTH-9231 --os HP-UX --preqs-met ${PREQS_MET} --weight L --network NO --description "Check password file consistency"
# if [ ${SKIPTEST} -eq 0 ]; then
# logtext "Test: Checking password file consistency (pwck)"
# FIND=`/usr/sbin/pwck 2> /dev/null; echo $?`
# if [ "${FIND}" = "0" ]; then
# Display --indent 2 --text "- Checking password file consistency" --result OK --color GREEN
# logtext "Result: pwck finished didn't find problems"
# else
# Display --indent 2 --text "- Checking password file consistency" --result WARNING --color RED
# logtext "Result: pwck found one or more errors/warnings in the password file."
# ReportWarning ${TEST_NO} "M" "pwck found one or more errors/warnings in the password file"
# ReportSuggestion ${TEST_NO} "Run pwck manually and correct found issues."
# fi
# fi
#
#################################################################################
#
# # Test : AUTH-9232
# # Description : Check HP-UX group file consistency
# if [ -x /usr/sbin/grpck ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Register --test-no AUTH-9232 --os HP-UX --preqs-met ${PREQS_MET} --weight L --network NO --description "Check password file consistency"
# if [ ${SKIPTEST} -eq 0 ]; then
# logtext "Test: Checking group file consistency (grpck)"
# FIND=`/usr/sbin/grpck 2> /dev/null; echo $?`
# if [ "${FIND}" = "0" ]; then
# Display --indent 2 --text "- Checking group file consistency" --result OK --color GREEN
# logtext "Result: grpck finished didn't find problems"
# else
# Display --indent 2 --text "- Checking group file consistency" --result WARNING --color RED
# logtext "Result: grpck found one or more errors/warnings in the group file."
# ReportWarning ${TEST_NO} "M" "grpck found one or more errors/warnings in the group file"
# ReportSuggestion ${TEST_NO} "Run grpck manually and correct found issues."
# fi
# fi
#
#################################################################################
# #
# Test : AUTH-9234 # Test : AUTH-9234
# Description : Query user accounts # Description : Query user accounts
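Review bot: same remark for the removed HP-UX AUTH-9231/AUTH-9232 sketches (pwck/grpck): fine to delete, worth an issue. Note that the removed AUTH-9232 Register line described a group-file test as "Check password file consistency", so whoever reimplements it should not copy that line verbatim.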
@ -434,23 +371,6 @@
fi fi
# #
################################################################################# #################################################################################
#
# Test : AUTH-9244
# Description : Query NIS servers
#Register --test-no AUTH-9244 --weight L --network NO --description "Query NIS servers"
#if [ ${SKIPTEST} -eq 0 ]; then
#fi
#
#################################################################################
#
# Test : AUTH-9246
# Description : Query NIS active
#Register --test-no AUTH-9246 --weight L --network NO --description "Query active NIS servers"
#if [ ${SKIPTEST} -eq 0 ]; then
#if
#grep '^+' /etc/passwd /etc/group
#
#################################################################################
# #
# Test : AUTH-9250 # Test : AUTH-9250
# Description : Check for sudoers file # Description : Check for sudoers file
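Review bot: the removed AUTH-9246 stub contained the one concrete check worth keeping, `grep '^+' /etc/passwd /etc/group`, which detects NIS compat-mode "+" entries. Suggest tracking it as an issue rather than losing it with the stub.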
@ -470,7 +390,6 @@
if [ ${FOUND} -eq 1 ]; then if [ ${FOUND} -eq 1 ]; then
logtext "Result: sudoers file found (${SUDOERS_FILE})" logtext "Result: sudoers file found (${SUDOERS_FILE})"
Display --indent 2 --text "- Checking sudoers file" --result FOUND --color GREEN Display --indent 2 --text "- Checking sudoers file" --result FOUND --color GREEN
# YYY add more tests to audit sudoers file
else else
logtext "Result: sudoers file NOT found" logtext "Result: sudoers file NOT found"
Display --indent 2 --text "- Checking sudoers file" --result "NOT FOUND" --color YELLOW Display --indent 2 --text "- Checking sudoers file" --result "NOT FOUND" --color YELLOW
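Review bot: deleting the "YYY add more tests to audit sudoers file" marker leaves AUTH-9250 reporting FOUND in green on mere presence of the file, with no check of its permissions or content. If this is part of clearing YYY markers, please move the intent to an issue, or add at least a permission check here so the green result means something.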
@ -515,65 +434,9 @@
fi fi
# #
################################################################################# #################################################################################
#
# # Test : AUTH-9255
# # Description : Solaris test for unique UIDs
# Register --test-no AUTH-9255 --os Solaris --weight L --network NO --description "Solaris unique UIDs"
# if [ ${SKIPTEST} -eq 0 ]; then
# FIND=`logins -d | awk '{ print $1 }'`
# if [ "${FIND}" = "" ]; then
# logtext "Result: no duplicate accounts found, all accounts have an unique ID"
# Display --indent 2 --text "- Checking unique UIDs on Solaris" --result OK --color GREEN
# else
# for I in ${FIND}; do
# ReportWarning ${TEST_NO} "H" "Found passwordless account (${I})"
# done
# Display --indent 2 --text "- Checking unique UIDs on Solaris" --result WARNING --color RED
# fi
# fi
#
#################################################################################
#
# Test : AUTH-9260 [T]
# Description : Search for account lockout on Linux
# Notes : lib directory should be fixed
# Register --test-no AUTH-9260 --os Linux --weight L --network NO --description "Checking account lockout"
# if [ ${SKIPTEST} -eq 0 ]; then
# logtext "Test: searching for /lib/security/pam_tally.so"
# if [ -f /lib/security/pam_tally.so ]; then
# logtext "Result: /lib/security/pam_tally.so found"
# AddHP 1 1
# Display --indent 2 --text "- Checking account lockout module (pam_tally)" --result FOUND --color GREEN
# if [ -f /etc/pam.d/system-auth ]; then
# logtext "Test: search for enable pam_tally module in system-auth, with a deny value higher than zero"
# FIND=`grep "account required" /etc/pam.d/system-auth | grep "pam_tally.so" | grep "deny=" | grep -v "deny=0"`
# if [ "${FIND}" = "" ]; then
# logtext "Result: pam_tally properly configured"
# logtext "Output: ${FIND}"
# AddHP 1 1
# Display --indent 4 --text "- Checking lockout policy" --result FOUND --color GREEN
# else
# logtext "Result: pam_tally not (properly) configured"
# logtext "Output: ${FIND}"
# Display --indent 4 --text "- Checking lockout policy" --result SUGGESTION --color YELLOW
# AddHP 0 1
# ReportSuggestion ${TEST_NO} "Configure pam_tally in system-auth: account required /lib/security/pam_tally.so deny=3 no_magic_root reset"
# fi
# else
# logtext "Result: skipped, /etc/pam.d/system-auth not found"
# fi
# else
# logtext "Result: /lib/security/pam_tally.so not found"
# AddHP 0 1
# Display --indent 2 --text "- Checking account lockout module (pam_tally)" --result "SUGGESTION" --color YELLOW
# ReportSuggestion ${TEST_NO} "Install a PAM module for account lockout to counter brute force attacks"
# fi
#
#################################################################################
# #
# Test : AUTH-9262 # Test : AUTH-9262
# Description : Search for PAM password strength testing libraries # Description : Search for PAM password strength testing libraries
# Notes : YYY (combine with other PAM modules)
Register --test-no AUTH-9262 --weight L --network NO --description "Checking presence password strength testing tools (PAM)" Register --test-no AUTH-9262 --weight L --network NO --description "Checking presence password strength testing tools (PAM)"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0 FOUND=0
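Review bot: the removed AUTH-9260 block was the only account-lockout check (pam_tally), and its logic was inverted: `if [ "${FIND}" = "" ]` treated an empty grep result as "properly configured". Removing broken dead code is fine, but the brute-force lockout control now has no test at all; please track reintroducing it. The removed AUTH-9255 sketch had a similar defect (`logins -d` lists duplicate UIDs, yet the warning said "passwordless account"), so neither block should be restored as-is.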
@ -708,11 +571,6 @@
fi fi
# #
################################################################################# #################################################################################
#
# Test : AUTH-9270
# Description : Audit PAM configuration files
#
#################################################################################
# #
# Test : AUTH-9278 # Test : AUTH-9278
# Description : Search LDAP support in PAM files # Description : Search LDAP support in PAM files
@ -732,7 +590,6 @@
else else
logtext "Result: LDAP module not found" logtext "Result: LDAP module not found"
Display --indent 2 --text "- Checking LDAP module in PAM" --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking LDAP module in PAM" --result "NOT FOUND" --color WHITE
# YYY display message when ldap is enabled in /etc/passwd, but not found in PAM
fi fi
else else
logtext "Result: file /etc/pam.d/common-auth not found, skipping test" logtext "Result: file /etc/pam.d/common-auth not found, skipping test"
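Review bot: the removed YYY marker described a real mismatch worth detecting (LDAP referenced in /etc/passwd but no LDAP module in PAM); if YYY markers are being cleared, this one deserves an issue rather than silent deletion.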
@ -815,7 +672,6 @@
logtext "Test: Checking PASS_MAX_DAYS option in /etc/login.defs " logtext "Test: Checking PASS_MAX_DAYS option in /etc/login.defs "
FIND=`grep "^PASS_MAX_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MAX_DAYS") { print $2 } }'` FIND=`grep "^PASS_MAX_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MAX_DAYS") { print $2 } }'`
if [ "${FIND}" = "" -o "${FIND}" = "99999" ]; then if [ "${FIND}" = "" -o "${FIND}" = "99999" ]; then
# YYY check if LDAP is used with password policies
logtext "Result: password aging limits are not configured" logtext "Result: password aging limits are not configured"
Display --indent 2 --text "- Checking user password aging" --result DISABLED --color YELLOW Display --indent 2 --text "- Checking user password aging" --result DISABLED --color YELLOW
ReportSuggestion ${TEST_NO} "Configure password aging limits to enforce password changing on a regular base" ReportSuggestion ${TEST_NO} "Configure password aging limits to enforce password changing on a regular base"
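Review bot: the removed comment documented a known false positive: PASS_MAX_DAYS in /etc/login.defs only governs local accounts, so on hosts where LDAP enforces password aging the DISABLED result and the suggestion are misleading. At minimum keep the caveat in the logtext, or gate the suggestion on LDAP_AUTH_ENABLED, which this file already sets and reports.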
@ -829,15 +685,10 @@
fi fi
# #
################################################################################# #################################################################################
#
# Test : AUTH-9292
# Description : Check locked accounts (exclamation mark as first char in second column)
#
#################################################################################
# #
# Test : AUTH-9304 # Test : AUTH-9304
# Description : Check if single user mode login is properly configured in Solaris # Description : Check if single user mode login is properly configured in Solaris
# Notes : sulogin should be called from svm script (Solaris <10) in /etc/rcS.d (YYY) # Notes : sulogin should be called from svm script (Solaris <10) in /etc/rcS.d
Register --test-no AUTH-9304 --os Solaris --weight L --network NO --description "Check single user login configuration" Register --test-no AUTH-9304 --os Solaris --weight L --network NO --description "Check single user login configuration"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Check if file exists (Solaris 10 does not have this file by default) # Check if file exists (Solaris 10 does not have this file by default)
@ -938,18 +789,11 @@
AddHP 2 2 AddHP 2 2
fi fi
else else
# YYY
logtext "Result: No inittab or init file found, unsure if system is protected" logtext "Result: No inittab or init file found, unsure if system is protected"
fi fi
fi fi
# #
################################################################################# #################################################################################
#
# Test : AUTH-9322
# Description : Authentication time restrictions
# /etc/security/time.conf
#
#################################################################################
# #
# Test : AUTH-9328 # Test : AUTH-9328
# Description : Check default umask in common files # Description : Check default umask in common files
@ -967,10 +811,12 @@
logtext "Test: Checking umask value in /etc/profile" logtext "Test: Checking umask value in /etc/profile"
FIND=`grep "umask" /etc/profile | sed 's/^[ \t]*//' | grep -v "^#" | awk '{ print $2 }'` FIND=`grep "umask" /etc/profile | sed 's/^[ \t]*//' | grep -v "^#" | awk '{ print $2 }'`
FIND2=`grep "umask" /etc/profile | sed 's/^[ \t]*//' | grep -v "^#" | awk '{ print $2 }' | wc -l` FIND2=`grep "umask" /etc/profile | sed 's/^[ \t]*//' | grep -v "^#" | awk '{ print $2 }' | wc -l`
#FIND2=`egrep "^([[:space:]])([[:tab:]])*umask" /etc/profile | awk '{ print $2 }' | wc -l`
WEAK_UMASK=0 WEAK_UMASK=0
FOUND_UMASK=0 FOUND_UMASK=0
if [ "${FIND2}" = "1" ]; then if [ "${FIND2}" = "0" ]; then
logtext "Result: did not find umask in /etc/profile"
#YYY possibly weak umask
elif [ "${FIND2}" = "1" ]; then
logtext "Result: found umask (prefixed with spaces)" logtext "Result: found umask (prefixed with spaces)"
FOUND_UMASK=1 FOUND_UMASK=1
if [ ! "${FIND}" = "077" -a ! "${FIND}" = "027" ]; then if [ ! "${FIND}" = "077" -a ! "${FIND}" = "027" ]; then
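Review bot: the new `"${FIND2}" = "0"` branch only logs and leaves a "#YYY possibly weak umask" marker; a missing umask in /etc/profile should at least get an AddHP 0 and a Display line like the other branches, otherwise the absence is invisible in the report. Also, since this merges into the freebsd-services branch: BSD `wc -l` pads its output with leading spaces, so both the new `= "0"` and the existing `= "1"` string comparisons fail there; compare with `-eq` or strip whitespace first (e.g. `| tr -d ' '`).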
@ -981,7 +827,7 @@
fi fi
# Found more than 1 umask value in profile # Found more than 1 umask value in profile
else else
logtext "Result: found several umask values configured in /etc/profile" logtext "Result: found multiple umask values configured in /etc/profile"
FOUND_UMASK=1 FOUND_UMASK=1
for I in ${FIND}; do for I in ${FIND}; do
if [ ! "${I}" = "077" -a ! "${I}" = "027" ]; then if [ ! "${I}" = "077" -a ! "${I}" = "027" ]; then
@ -1018,7 +864,7 @@
logtext "Test: Checking umask entries in /etc/passwd (pam_umask)" logtext "Test: Checking umask entries in /etc/passwd (pam_umask)"
if [ -f /etc/passwd ]; then if [ -f /etc/passwd ]; then
logtext "Result: file /etc/passwd exists" logtext "Result: file /etc/passwd exists"
logtext "Test: Checking umask value in /etc/profile" logtext "Test: Checking umask value in /etc/passwd"
FIND=`grep "umask=" /etc/passwd` FIND=`grep "umask=" /etc/passwd`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
ReportManual "AUTH-9328:03" ReportManual "AUTH-9328:03"
@ -1027,11 +873,10 @@
logtext "Result: file /etc/passwd does not exist" logtext "Result: file /etc/passwd does not exist"
fi fi
# /etc/login.defs # /etc/login.defs
logtext "Test: Checking /etc/login.defs" logtext "Test: Checking /etc/login.defs"
if [ -f /etc/login.defs ]; then if [ -f /etc/login.defs ]; then
logtext "Result: file /etc/profile exists" logtext "Result: file /etc/login.defs exists"
logtext "Test: Checking umask value in /etc/login.defs" logtext "Test: Checking umask value in /etc/login.defs"
FIND=`grep "^UMASK" /etc/login.defs | awk '{ print $2 }'` FIND=`grep "^UMASK" /etc/login.defs | awk '{ print $2 }'`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
@ -1075,8 +920,7 @@
logtext "Result: file /etc/init.d/functions does not exist" logtext "Result: file /etc/init.d/functions does not exist"
fi fi
# /etc/init.d/rc [T] # /etc/init.d/rc
# Always needed? (YYY)
logtext "Test: Checking /etc/init.d/rc" logtext "Test: Checking /etc/init.d/rc"
if [ -f /etc/init.d/rc ]; then if [ -f /etc/init.d/rc ]; then
logtext "Result: file /etc/init.d/rc exists" logtext "Result: file /etc/init.d/rc exists"
@ -1101,8 +945,43 @@
logtext "Result: file /etc/init.d/rc does not exist" logtext "Result: file /etc/init.d/rc does not exist"
fi fi
# /etc/init.d/rcS [T] # FreeBSD
# Always needed? (YYY) if [ -f /etc/login.conf ]; then
FOUND=0
WEAK_UMASK=0
logtext "Result: file /etc/login.conf exists"
FIND=`cat /etc/login.conf | grep "umask" | sed 's/#.*//' | sed -E 's/^[[:cntrl:]]//' | grep -v '^$' | awk -F: '{ print $2}' | awk -F= '{ if ($1=="umask") { print $2 }}'`
if [ ! "${FIND}" = "" ]; then
for UMASK_VALUE in ${FIND}; do
case ${UMASK_VALUE} in
027|0027|077|0077)
logtext "Result: found umask value ${VALUE}, which is fine"
AddHP 2 2
FOUND=1
;;
*)
AddHP 0 2
FOUND=1
WEAK_UMASK=1
logtext "Result: found umask value ${VALUE}, which can be more strict"
;;
esac
done
fi
if [ ${FOUND} -eq 1 ]; then
if [ ${WEAK_UMASK} -eq 0 ]; then
Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result OK --color GREEN
else
Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result WEAK --color YELLOW
ReportSuggestion ${TEST_NO} "Umask in /etc/login.conf could be more strict like 027"
fi
else
logtext "Result: no umask setting found in /etc/login.conf, which is unexpected"
Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result NONE --color YELLOW
fi
fi
# /etc/init.d/rcS
logtext "Test: Checking /etc/init.d/rcS" logtext "Test: Checking /etc/init.d/rcS"
if [ -f /etc/init.d/rcS ]; then if [ -f /etc/init.d/rcS ]; then
logtext "Result: file /etc/init.d/rcS exists" logtext "Result: file /etc/init.d/rcS exists"
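Review bot: the two logtext lines in the new /etc/login.conf block reference `${VALUE}` while the loop variable is `${UMASK_VALUE}`, so the log will read "found umask value , which is fine". Smaller points: `AddHP 2 2` runs once per matching login class, so a login.conf with several classes inflates the score; `WEAK_UMASK=0` here resets whatever the /etc/profile checks set earlier in the same test; and the "# FreeBSD" comment is misleading because the check is keyed on the file's existence, not on `${OS}`, and it sits between the /etc/init.d/rc and /etc/init.d/rcS checks. Either guard it with `[ "${OS}" = "FreeBSD" ]` or move it after the init-script checks with a neutral comment.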
@ -1187,36 +1066,6 @@
fi fi
# #
################################################################################# #################################################################################
#
# Test : AUTH-9342 [T]
# Description : AIX account locking
# Notes : /usr/sbin/lsuser -a logretries ALL
# should return ${ACCOUNT_MAX_RETRIES} or less for each user, but not 0
#
#################################################################################
#
# Test : AUTH-9344 [T]
# Description : HP-UX account locking
# Notes : grep :u_maxtries# /tcb/files/auth/system/default
# should return ${ACCOUNT_MAX_RETRIES} or less, but not 0
#
#################################################################################
#
# Test : AUTH-9348 [T]
# Description : Delay time after each failed login
# Notes : This control counters brute force attacking by delaying each
# attempt, while giving normal users to try typing in their
# account details after a reasonable delay
# Should return ${ACCOUNT_DELAY_TIME} or more
# (4 seconds would be good)
# AIX
# grep "logindelay" /etc/security/login.cfg
# Linux
# grep "FAIL_DELAY" /etc/login.defs
# HP-UX
# grep ":t_logdelay#" /tcb/files/auth/system/default
#
#################################################################################
# #
# Test : AUTH-9402 # Test : AUTH-9402
# Description : Query LDAP authentication support # Description : Query LDAP authentication support
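Review bot: the removed AUTH-9342/9344/9348 notes were the only record of the account-locking and failed-login delay controls (FAIL_DELAY in /etc/login.defs, logindelay in AIX login.cfg, t_logdelay on HP-UX), and no test in this diff covers them; please move them to an issue.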
@ -1238,31 +1087,6 @@
fi fi
# #
################################################################################# #################################################################################
#
# Test : AUTH-9404
# Description : Check LDAP client configuration
# if [ ${LDAP_AUTH_ENABLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Register --test-no AUTH-9404 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query LDAP servers in client configuration"
# if [ ${SKIPTEST} -eq 0 ]; then
# logtext "Test: checking ldap.conf locations"
# for I in ${LDAP_CONF_LOCATIONS}; do
# logtext "Test: checking ${I}"
# if [ -f ${I} ]; then
# logtext "Result: file ${I} exists"
# logtext "Test: checking LDAP servers in file ${I}"
# FIND2=`egrep "^host " ${I} | awk '{ print $2 }'`
# for I in ${FIND2}; do
# Display --indent 6 --text "LDAP server: ${I}"
# logtext "Result: found LDAP server ${I}"
# # YYY check if host(s) are reachable/respond to queries
# done
# else
# logtext "Result: ${I} does NOT exist"
# fi
# done
# fi
#
#################################################################################
# #
# Test : AUTH-9406 # Test : AUTH-9406
# Description : Check LDAP servers in client configuration # Description : Check LDAP servers in client configuration
@ -1273,13 +1097,14 @@
for I in ${LDAP_CONF_LOCATIONS}; do for I in ${LDAP_CONF_LOCATIONS}; do
logtext "Test: checking ${I}" logtext "Test: checking ${I}"
if [ -f ${I} ]; then if [ -f ${I} ]; then
logtext "Result: file ${I} exists" logtext "Result: file ${I} exists, LDAP being used"
LDAP_CLIENT_CONFIG_FILE="${I}"
logtext "Test: checking LDAP servers in file ${I}" logtext "Test: checking LDAP servers in file ${I}"
FIND2=`egrep "^host " ${I} | awk '{ print $2 }'` FIND2=`egrep "^host " ${I} | awk '{ print $2 }'`
for I in ${FIND2}; do for I in ${FIND2}; do
Display --indent 6 --text "LDAP server: ${I}" Display --indent 6 --text "LDAP server: ${I}"
logtext "Result: found LDAP server ${I}" logtext "Result: found LDAP server ${I}"
# YYY check if host(s) are reachable/respond to queries report "ldap_server[]=${I}"
done done
else else
logtext "Result: ${I} does NOT exist" logtext "Result: ${I} does NOT exist"
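Review bot: the inner loop reuses `I` as its variable while the outer `for I in ${LDAP_CONF_LOCATIONS}` is still running, so after the server loop `I` no longer names the config file; it only works because the outer loop reassigns `I` each iteration. A distinct name (e.g. `LDAP_SERVER`) avoids the trap for the next edit here. Also `egrep "^host "` misses ldap.conf files that use the `uri` directive, so LDAP_CLIENT_CONFIG_FILE gets set while no `ldap_server[]` entries are reported.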
@ -1289,44 +1114,39 @@
# #
################################################################################# #################################################################################
# #
# Test : AUTH-92xx # Test : AUTH-9408
# Description : login.access checks # Description : Logging of failed login attempts
#Register --test-no AUTH-92xx --weight L --network NO --description "login.access checks" if [ -f /etc/login.defs ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Register --test-no AUTH-9408 --preqs-met ${PREQS_MET} --weight L --network NO --description "Logging of failed login attempts via /etc/login.defs"
################################################################################# if [ ${SKIPTEST} -eq 0 ]; then
# logtext "Test: Checking FAILLOG_ENAB option in /etc/login.defs "
# pam_unix.so FIND=`grep "^FAILLOG_ENAB" /etc/login.defs | awk '{ if ($1=="FAILLOG_ENAB") { print $2 } }'`
# pam_cracklib.so # Search for enabled status (yes), otherwise consider it to be disabled (e.g. empty, or other value)
# pam_pwcheck.so if [ "${FIND}" = "yes" ]; then
# pam_env.so AUTH_FAILED_LOGINS_LOGGED=1
# pam_xauth.so logtext "Result: failed login attempts are logged in /var/log/faillog"
# pam_tally.so Display --indent 2 --text "- Logging failed login attempts" --result ENABLED --color GREEN
# pam_wheel.so AddHP 3 3
# pam_limits.so else
# pam_nologin.so logtext "Result: failed login attempts are not logged"
# pam_deny.so Display --indent 2 --text "- Logging failed login attempts" --result DISABLED --color YELLOW
# pam_securetty.so #ReportSuggestion ${TEST_NO} "Configure failed login attempts to be logged in /var/log/faillog"
# pam_time.so AddHP 0 1
# pam_access.so fi
# pam_listfile.so fi
# pam_lastlog.so
# pam_warn.so
# pam_console.so
# pam_resmgr.so
# pam_devperm.so
#
#################################################################################
#
# sudoers: Check for potential harmful commands like vi, echo, cat
# #
################################################################################# #################################################################################
# #
report "auth_failed_logins_logged=${AUTH_FAILED_LOGINS_LOGGED}"
report "ldap_auth_enabled=${LDAP_AUTH_ENABLED}" report "ldap_auth_enabled=${LDAP_AUTH_ENABLED}"
report "ldap_pam_enabled=${LDAP_PAM_ENABLED}" report "ldap_pam_enabled=${LDAP_PAM_ENABLED}"
if [ ! "${LDAP_CLIENT_CONFIG_FILE}" = "" ]; then
report "ldap_config_file=${LDAP_CLIENT_CONFIG_FILE}"
fi
wait_for_keypress wait_for_keypress
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2015 Michael Boelen, CISOfy - https://cisofy.com # Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
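Review bot: `AUTH_FAILED_LOGINS_LOGGED` is only assigned in the "yes" branch of the new AUTH-9408 test, yet it is unconditionally written to the report at the bottom; when the test is skipped or FAILLOG_ENAB is not "yes", the line comes out as `auth_failed_logins_logged=` unless the variable is initialized elsewhere. Initialize it to 0 before the Register call. Two smaller points: `AddHP 3 3` on success versus `AddHP 0 1` on failure gives inconsistent maximum scores (use `AddHP 0 3`), and with the ReportSuggestion commented out a DISABLED result offers the user nothing to act on.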

View File

@ -23,7 +23,7 @@
################################################################################# #################################################################################
# #
BANNER_FILES="/etc/issue /etc/issue.net /etc/motd" BANNER_FILES="/etc/issue /etc/issue.net /etc/motd"
LEGAL_BANNER_STRINGS="access authorized legal monitor owner policy policies private prohibited restricted this unauthorized" LEGAL_BANNER_STRINGS="audit access authori connect enforce evidence intrusion law legal monitor owner policy policies private prohibited restricted subject terms this unauthorized"
# #
################################################################################# #################################################################################
# #
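Review bot: the new LEGAL_BANNER_STRINGS list mixes word stems with whole words ("authori", presumably to match both authorized and authorised) without a comment saying so, and adds very common words such as "this", "subject" and "terms" that almost any text contains; depending on how the list is consumed, that can make a banner look "legal" when it is not. A short comment on the matching rule, and dropping the generic words, would help.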
@ -221,29 +221,9 @@
# #
################################################################################# #################################################################################
# #
# /etc/dt/config/*/Xresources
# /etc/default/telnetd (telnet without TCP wrappers)
# /etc/default/ftpd (ftp without TCP wrappers)
# /etc/ftpd/banner.msg (ftp without TCP wrappers on Solaris)
# /etc/ftpaccess (HP-UX)
# /etc/ftpmotd (AIX)
# /etc/ftpaccess.ctl (AIX)
# /etc/security/login.cfg (AIX)
# /etc/X11/xdm/Xresources
# /etc/X11/xdm/kdmrc
# /etc/X11/gdm/gdm
# /etc/vsftpd.conf
#
#################################################################################
#
wait_for_keypress wait_for_keypress
#
#################################################################################
#
# Notes:
# HPUX: /etc/copyright
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com # Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com

View File

@ -24,6 +24,7 @@
# #
BOOT_LOADER="unknown" BOOT_LOADER="unknown"
BOOT_LOADER_FOUND=0 BOOT_LOADER_FOUND=0
BOOT_LOADER_SEARCHED=0
GRUB_VERSION=0 GRUB_VERSION=0
SERVICE_MANAGER="unknown" SERVICE_MANAGER="unknown"
# #
@ -34,6 +35,7 @@
# Notes : The AIX bootstrap is called as software ROS. Bootstrap contains IPL (Initial Program loader) # Notes : The AIX bootstrap is called as software ROS. Bootstrap contains IPL (Initial Program loader)
Register --test-no BOOT-5102 --os AIX --weight L --network NO --root-only YES --description "Check for AIX boot device" Register --test-no BOOT-5102 --os AIX --weight L --network NO --root-only YES --description "Check for AIX boot device"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
BOOT_LOADER_SEARCHED=1
logtext "Test: Query bootinfo for AIX boot device" logtext "Test: Query bootinfo for AIX boot device"
if [ -x /usr/sbin/bootinfo ]; then if [ -x /usr/sbin/bootinfo ]; then
FIND=`/usr/sbin/bootinfo -b` FIND=`/usr/sbin/bootinfo -b`
@ -49,7 +51,6 @@
fi fi
fi fi
fi fi
# #
################################################################################# #################################################################################
# #
@ -61,6 +62,7 @@
# upstart - Used by Debian/Ubuntu # upstart - Used by Debian/Ubuntu
Register --test-no BOOT-5104 --weight L --network NO --description "Determine service manager" Register --test-no BOOT-5104 --weight L --network NO --description "Determine service manager"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
BOOT_LOADER_SEARCHED=1
case ${OS} in case ${OS} in
"Linux") "Linux")
if [ -f /proc/1/cmdline ]; then if [ -f /proc/1/cmdline ]; then
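Review bot: BOOT_LOADER_SEARCHED=1 is set here in BOOT-5104, which determines the service manager and does not look for a boot loader. If the flag is meant to suppress a "no boot loader found" exception when only a subset of tests runs, a run that includes BOOT-5104 but none of the loader tests will still trigger it; set the flag only in the tests that actually search for a loader (BOOT-5121, 5124, 5126, 5139, 5142 in this diff).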
@ -115,11 +117,72 @@
fi fi
# #
################################################################################# #################################################################################
#
# Test : BOOT-5116
# Description : Check if system is booted in UEFI mode
Register --test-no BOOT-5116 --weight L --network NO --root-only YES --description "Check if system is booted in UEFI mode"
if [ ${SKIPTEST} -eq 0 ]; then
UEFI_TESTS_PERFORMED=0
case ${OS} in
Linux)
UEFI_TESTS_PERFORMED=1
# Check if UEFI is available in this boot
logtext "Test: checking if UEFI is used"
if [ -d /sys/firmware/efi ]; then
logtext "Result: system booted in UEFI mode"
UEFI_BOOTED=1
else
logtext "Result: UEFI not used, can't find /sys/firmware/efi directory"
fi
# Test if Secure Boot is enabled
logtext "Test: determine if Secure Boot is used"
if [ -d /sys/firmware/efi/efivars ]; then
FIND=`ls /sys/firmware/efi/efivars/SecureBoot-* 2> /dev/null`
if [ ! "${FIND}" = "" ]; then
for I in ${FIND}; do
logtext "Test: checking file ${I}"
J=`od -An -t u1 ${I} | awk '{ print $5 }'`
if [ "${J}" = "1" ]; then
logtext "Result: found SecureBoot file with enabled status"
UEFI_BOOTED_SECURE=1
else
logtext "Result: system not booted with Secure Boot (status 0 in file ${I})"
fi
done
fi
else
logtext "Result: system not booted with Secure Boot (no SecureBoot file found)"
fi
;;
#MacOS)
# Mac OS ioreg -l -p IODeviceTree | grep firmware-abi
#;;
*)
logtext "Result: no test implemented yet to test for UEFI on this platform"
;;
esac
if [ ${UEFI_BOOTED} -eq 1 ]; then
Display --indent 2 --text "- Checking UEFI boot" --result ENABLED --color GREEN
if [ ${UEFI_BOOTED_SECURE} -eq 1 ]; then
Display --indent 2 --text "- Checking Secure Boot" --result ENABLED --color GREEN
else
Display --indent 2 --text "- Checking Secure Boot" --result DISABLED --color YELLOW
fi
else
if [ ${UEFI_TESTS_PERFORMED} -eq 1 ]; then
Display --indent 2 --text "- Checking UEFI boot" --result DISABLED --color GREEN
fi
fi
fi
#
#################################################################################
# #
# Test : BOOT-5121 # Test : BOOT-5121
# Description : Check for GRUB boot loader # Description : Check for GRUB boot loader
Register --test-no BOOT-5121 --weight L --network NO --description "Check for GRUB boot loader presence" Register --test-no BOOT-5121 --weight L --network NO --description "Check for GRUB boot loader presence"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
BOOT_LOADER_SEARCHED=1
FOUND=0 FOUND=0
logtext "Test: Checking for presence GRUB conf file (/boot/grub/grub.conf or /boot/grub/menu.lst)" logtext "Test: Checking for presence GRUB conf file (/boot/grub/grub.conf or /boot/grub/menu.lst)"
if [ -f /boot/grub/grub.conf -o -f /boot/grub/menu.lst ]; then if [ -f /boot/grub/grub.conf -o -f /boot/grub/menu.lst ]; then
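Review bot: `UEFI_BOOTED` and `UEFI_BOOTED_SECURE` are not initialized in this hunk or in the variable block at the top of the file, so unless a shared include defines them the final `[ ${UEFI_BOOTED} -eq 1 ]` expands to `[ -eq 1 ]` and errors on non-Linux hosts and on Linux hosts without /sys/firmware/efi; initialize both to 0 alongside BOOT_LOADER_SEARCHED. The SecureBoot decode (`od -An -t u1 | awk '{ print $5 }'`, i.e. the first data byte after the 4-byte attribute header) is correct, but a SecureBoot value of 1 while the firmware is in setup mode is not enforced; reading the SetupMode-* variable the same way would make the ENABLED result trustworthy. Finally, "UEFI boot DISABLED" in GREEN reads as if legacy boot were the desired state; WHITE matches the neutral results elsewhere.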
@ -127,7 +190,7 @@
BOOT_LOADER="GRUB" BOOT_LOADER="GRUB"
BOOT_LOADER_FOUND=1 BOOT_LOADER_FOUND=1
GRUB_VERSION=1 GRUB_VERSION=1
Display --indent 4 --text "- Checking presence GRUB" --result "OK" --color GREEN Display --indent 2 --text "- Checking presence GRUB" --result "OK" --color GREEN
if [ -f /boot/grub/grub.conf ]; then GRUBCONFFILE="/boot/grub/grub.conf"; else GRUBCONFFILE="/boot/grub/menu.lst"; fi if [ -f /boot/grub/grub.conf ]; then GRUBCONFFILE="/boot/grub/grub.conf"; else GRUBCONFFILE="/boot/grub/menu.lst"; fi
fi fi
@ -137,16 +200,13 @@
BOOT_LOADER="GRUB2" BOOT_LOADER="GRUB2"
BOOT_LOADER_FOUND=1 BOOT_LOADER_FOUND=1
GRUB_VERSION=2 GRUB_VERSION=2
Display --indent 4 --text "- Checking presence GRUB2" --result FOUND --color GREEN Display --indent 2 --text "- Checking presence GRUB2" --result FOUND --color GREEN
if [ -f /boot/grub/grub.cfg ]; then if [ -f /boot/grub/grub.cfg ]; then
GRUBCONFFILE="/boot/grub/grub.cfg" GRUBCONFFILE="/boot/grub/grub.cfg"
elif [ -f /boot/grub2/grub.cfg ]; then elif [ -f /boot/grub2/grub.cfg ]; then
GRUBCONFFILE="/boot/grub2/grub.cfg" GRUBCONFFILE="/boot/grub2/grub.cfg"
fi fi
logtext "Result: found GRUB2 configuration file (${GRUBCONFFILE})" logtext "Result: found GRUB2 configuration file (${GRUBCONFFILE})"
# YYY password check, when documentation of GRUB2 project is improved
# YYY Add check permission check (600)
fi fi
# Some OSes like Gentoo do not have /boot mounted by default # Some OSes like Gentoo do not have /boot mounted by default
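Review bot: the two removed YYY lines ("password check" and "permission check (600)") were the only pointers to the actual hardening checks for GRUB2; after this hunk the test still reports FOUND on mere presence of grub.cfg. If another test covers the GRUB2 password, fine, but please move the permission check to an issue rather than dropping it.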
@ -207,6 +267,7 @@
# Description : Check for FreeBSD boot loader # Description : Check for FreeBSD boot loader
Register --test-no BOOT-5124 --os FreeBSD --weight L --network NO --description "Check for FreeBSD boot loader presence" Register --test-no BOOT-5124 --os FreeBSD --weight L --network NO --description "Check for FreeBSD boot loader presence"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
BOOT_LOADER_SEARCHED=1
if [ -f /boot/boot1 -a -f /boot/boot2 -a -f /boot/loader ]; then if [ -f /boot/boot1 -a -f /boot/boot2 -a -f /boot/loader ]; then
logtext "Result: found boot1, boot2 and loader files in /boot" logtext "Result: found boot1, boot2 and loader files in /boot"
Display --indent 2 --text "- Checking presence FreeBSD loader" --result FOUND --color GREEN Display --indent 2 --text "- Checking presence FreeBSD loader" --result FOUND --color GREEN
@ -223,6 +284,7 @@
# Description : Check for NetBSD boot loader # Description : Check for NetBSD boot loader
Register --test-no BOOT-5126 --os NetBSD --weight L --network NO --description "Check for NetBSD boot loader presence" Register --test-no BOOT-5126 --os NetBSD --weight L --network NO --description "Check for NetBSD boot loader presence"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
BOOT_LOADER_SEARCHED=1
if [ -f /boot.${HARDWARE} -o -f /boot -o -f /ofwboot ]; then if [ -f /boot.${HARDWARE} -o -f /boot -o -f /ofwboot ]; then
logtext "Result: found NetBSD secondary bootstrap" logtext "Result: found NetBSD secondary bootstrap"
Display --indent 2 --text "- Checking presence NetBSD loader" --result FOUND --color GREEN Display --indent 2 --text "- Checking presence NetBSD loader" --result FOUND --color GREEN
@ -241,6 +303,7 @@
# Notes : password= or password = # Notes : password= or password =
Register --test-no BOOT-5139 --weight L --network NO --description "Check for LILO boot loader presence" Register --test-no BOOT-5139 --weight L --network NO --description "Check for LILO boot loader presence"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
BOOT_LOADER_SEARCHED=1
LILOCONFFILE="/etc/lilo.conf" LILOCONFFILE="/etc/lilo.conf"
logtext "Test: checking for presence LILO configuration file" logtext "Test: checking for presence LILO configuration file"
if [ -f ${LILOCONFFILE} ]; then if [ -f ${LILOCONFFILE} ]; then
@ -263,7 +326,6 @@
logtext "Result: LILO password option set" logtext "Result: LILO password option set"
AddHP 4 4 AddHP 4 4
fi fi
#YYY (making /etc/lilo.conf immutable is a good idea, chattr +i /etc/lilo.conf)
else else
logtext "Result: can not read ${LILOCONFFILE} (no permission)" logtext "Result: can not read ${LILOCONFFILE} (no permission)"
fi fi
@ -278,6 +340,7 @@
# Description : Check for SILO boot loader # Description : Check for SILO boot loader
Register --test-no BOOT-5142 --weight L --network NO --description "Check SPARC Improved boot loader (SILO)" Register --test-no BOOT-5142 --weight L --network NO --description "Check SPARC Improved boot loader (SILO)"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
BOOT_LOADER_SEARCHED=1
if [ -f /etc/silo.conf ]; then if [ -f /etc/silo.conf ]; then
logtext "Result: Found SILO configuration file (/etc/silo.conf)" logtext "Result: Found SILO configuration file (/etc/silo.conf)"
Display --indent 2 --text "- Checking boot loader SILO" --result FOUND --color GREEN Display --indent 2 --text "- Checking boot loader SILO" --result FOUND --color GREEN
@ -314,11 +377,11 @@
# Description : Check for YABOOT boot loader # Description : Check for YABOOT boot loader
Register --test-no BOOT-5155 --weight L --network NO --description "Check for YABOOT boot loader configuration file" Register --test-no BOOT-5155 --weight L --network NO --description "Check for YABOOT boot loader configuration file"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
BOOT_LOADER_SEARCHED=1
logtext "Test: Check for /etc/yaboot.conf" logtext "Test: Check for /etc/yaboot.conf"
if [ -f /etc/yaboot.conf ]; then if [ -f /etc/yaboot.conf ]; then
logtext "Result: Found YABOOT configuration file (/etc/yaboot.conf)" logtext "Result: Found YABOOT configuration file (/etc/yaboot.conf)"
Display --indent 4 --text "- Checking boot loader YABOOT" --result FOUND --color GREEN Display --indent 4 --text "- Checking boot loader YABOOT" --result FOUND --color GREEN
#YYY add permission check
BOOT_LOADER="YABOOT" BOOT_LOADER="YABOOT"
BOOT_LOADER_FOUND=1 BOOT_LOADER_FOUND=1
else else
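Review bot: the YABOOT `Display` line still uses `--indent 4` while GRUB2 was moved to `--indent 2` in this same change, which is what the FreeBSD, NetBSD and SILO tests already use; align it so the boot loader block renders at one level. The removed `#YYY add permission check` reminder is the same situation as in the GRUB2 hunk: the check is not implemented anywhere in this patch, so the note should survive somewhere.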
@ -333,6 +396,7 @@
# More info : Only OpenBSD # More info : Only OpenBSD
Register --test-no BOOT-5159 --os OpenBSD --weight L --network NO --description "Check for OpenBSD boot loader presence" Register --test-no BOOT-5159 --os OpenBSD --weight L --network NO --description "Check for OpenBSD boot loader presence"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
BOOT_LOADER_SEARCHED=1
FOUND=0 FOUND=0
# Boot files # Boot files
# /usr/mdec/biosboot: first stage bootstrap # /usr/mdec/biosboot: first stage bootstrap
@ -370,7 +434,7 @@
# #
################################################################################# #################################################################################
# #
if [ ${BOOT_LOADER_FOUND} -eq 0 ]; then if [ ${BOOT_LOADER_FOUND} -eq 0 -a ${BOOT_LOADER_SEARCHED} -eq 1 ]; then
# Your boot loader is not detected. Want to help supporting it, see the README # Your boot loader is not detected. Want to help supporting it, see the README
ReportException "BOOTLOADER" "No boot loader found" ReportException "BOOTLOADER" "No boot loader found"
Display --indent 4 --text "- Boot loader" --result "NONE FOUND" --color RED Display --indent 4 --text "- Boot loader" --result "NONE FOUND" --color RED
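Review bot: the new condition `[ ${BOOT_LOADER_FOUND} -eq 0 -a ${BOOT_LOADER_SEARCHED} -eq 1 ]` relies on `BOOT_LOADER_SEARCHED` having a numeric default, but the hunks above only ever set it to 1 inside each loader test's `if [ ${SKIPTEST} -eq 0 ]` block and this excerpt shows no `BOOT_LOADER_SEARCHED=0` initialisation. If none exists at the top of the file (not visible here), the case the change is meant to handle, all loader tests skipped, expands to `[ 0 -eq 0 -a -eq 1 ]` and `test` fails with a unary-operator error instead of quietly suppressing the exception. Initialise it to 0 next to `BOOT_LOADER_FOUND`, or use `${BOOT_LOADER_SEARCHED:-0}` here.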
@ -403,11 +467,6 @@
fi fi
# #
################################################################################# #################################################################################
#
# Test : BOOT-5166
# Description : Check for /etc/rc.local file (and contents)
#
#################################################################################
# #
# Test : BOOT-5177 # Test : BOOT-5177
# Description : Check for Linux boot services (systemd and chkconfig) # Description : Check for Linux boot services (systemd and chkconfig)
@ -473,50 +532,18 @@
fi fi
# #
################################################################################# #################################################################################
#
# Test : BOOT-5178
# Description : Check for Linux boot services (Red Hat style)
# if [ ! "${CHKCONFIGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Register --test-no BOOT-5178 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for unneeded Linux boot services (Red Hat style)"
# if [ ${SKIPTEST} -eq 0 ]; then
# N=0
# N=`expr ${N} + 1`
#* mctrans (if selinux is NOT enabled)
#* restorecond (if selinux is NOT enabled) --> and is it really needed?
#
# if profile is server, warn if found:
#* pcscd (if profile=server)
#* avahi-daemon
# Redhat: /etc/sysconfig/network
# check if NOZEROCONF=yes is available
#
#* xfs (if /usr/bin/startx is not found)
#
#if [ ! -f /etc/mdadm.conf -a ! -f /etc/mdadm/mdadm.conf ]; then
#* mdmonitor
#
#
#* firstboot
# Display warning if [ ! -f /etc/reconfigSys ]
# AND "RUN_FIRSTBOOT=YES" is NOT in /etc/sysconfig/firstboot
#
#* acpid
# Display warning if no modules are loaded (lsmod | grep -i acpi)
#
#
# fi
#
#################################################################################
# #
# Test : BOOT-5180 # Test : BOOT-5180
# Description : Check for Linux boot services (Debian style) # Description : Check for Linux boot services (Debian style)
# Notes : Debian 8+ shows runlevel 5
if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no BOOT-5180 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for Linux boot services (Debian style)" Register --test-no BOOT-5180 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for Linux boot services (Debian style)"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# YYY runlevel check # Runlevel check
sRUNLEVEL=`${RUNLEVELBINARY} | grep "N 2"` sRUNLEVEL=`${RUNLEVELBINARY} | grep "N [0-9]" | awk '{ print $2} '`
if [ ! "${sRUNLEVEL}" = "" ]; then logtext "Result: found runlevel ${sRUNLEVEL}"
if [ "${sRUNLEVEL}" = "2" ]; then
logtext "Result: performing find in /etc/rc2.d as runlevel 2 is found"
FIND=`find /etc/rc2.d -type l -print | cut -d '/' -f4 | sed "s/S[0-9][0-9]//g" | sort` FIND=`find /etc/rc2.d -type l -print | cut -d '/' -f4 | sed "s/S[0-9][0-9]//g" | sort`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
N=0 N=0
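Review bot: `${RUNLEVELBINARY} | grep "N [0-9]" | awk '{ print $2} '` still requires the previous-runlevel field to be `N`; `runlevel` prints `N 2` only when the runlevel has not changed since boot and prints e.g. `2 5` after a switch (or `unknown` when no utmp record exists), so in those cases `sRUNLEVEL` is empty and the test falls back to "Determine runlevel and services at startup" even though the runlevel was available. Dropping the `grep` and taking `$2` of the `runlevel` output whenever it has two fields covers both cases; the stray space in `'{ print $2} '` is harmless but worth tidying.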
@ -526,10 +553,12 @@
done done
Display --indent 2 --text "- Check services at startup (rc2.d)" --result "DONE" --color WHITE Display --indent 2 --text "- Check services at startup (rc2.d)" --result "DONE" --color WHITE
Display --indent 4 --text "Result: found $N services" Display --indent 4 --text "Result: found $N services"
logtext "Found $N services" logtext "Result: found $N services"
fi fi
else elif [ "${sRUNLEVEL}" = "" ]; then
ReportSuggestion ${TEST_NO} "Determine runlevel and services at startup" ReportSuggestion ${TEST_NO} "Determine runlevel and services at startup"
else
logtext "Result: skipping further actions"
fi fi
fi fi
# #
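Review bot: with the new `if [ "${sRUNLEVEL}" = "2" ]` branch, a Debian 8 host, which the added note says reports runlevel 5, now logs "skipping further actions" and enumerates no services at all, so the restructured code path is silent on exactly the release this change targets. Since the detected runlevel is already in `sRUNLEVEL`, the existing `find /etc/rc2.d -type l ...` could operate on `/etc/rc${sRUNLEVEL}.d` (guarded by a `-d` test) instead of being hard-wired to runlevel 2, leaving the `elif [ "${sRUNLEVEL}" = "" ]` suggestion branch for the genuinely undetermined case.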
@ -615,16 +644,6 @@
fi fi
# #
################################################################################# #################################################################################
#
# Add autostart services, like from KDE/Gnome
# Test : BOOT-5102
# Description : Check for tasks which are autostarted via /etc/inittab
#Register --test-no BOOT-5102 --weight L --network NO --description "Check inittab for services"
#if [ ${SKIPTEST} -eq 0 ]; then
#fi
#YYY check against static list?
#
#################################################################################
# #
# Test : BOOT-5202 # Test : BOOT-5202
# Description : Check uptime of system # Description : Check uptime of system
@ -708,7 +727,7 @@
if [ -f /usr/lib/systemd/system/rescue.service ]; then if [ -f /usr/lib/systemd/system/rescue.service ]; then
logtext "Result: file /usr/lib/systemd/system/rescue.service" logtext "Result: file /usr/lib/systemd/system/rescue.service"
logtext "Test: checking presence sulogin for single user mode" logtext "Test: checking presence sulogin for single user mode"
FIND=`egrep "^ExecStart=-(/usr)?/sbin/sulogin" /usr/lib/systemd/system/rescue.service` FIND=`egrep "^ExecStart=-(/bin/sh -c \")?(/usr)?/(s)?bin/sulogin" /usr/lib/systemd/system/rescue.service`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
FOUND=1 FOUND=1
logtext "Result: found sulogin, so single user is protected" logtext "Result: found sulogin, so single user is protected"
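Review bot: the widened pattern `^ExecStart=-(/bin/sh -c \")?(/usr)?/(s)?bin/sulogin` correctly accepts the `ExecStart=-/bin/sh -c "/sbin/sulogin; ..."` form, but it is only applied to `/usr/lib/systemd/system/rescue.service` (the `-f` test two lines above), while Debian and Ubuntu install unit files under `/lib/systemd/system/`; on Debian 8 the file is therefore never found and the new `FIND` line never executes. Checking both locations (or whichever exists) before applying the regex would make the fix effective on the systems it was written for.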
@ -727,8 +746,9 @@
################################################################################# #################################################################################
# #
report "boot_loader=${BOOT_LOADER}" report "boot_loader=${BOOT_LOADER}"
report "boot_uefi_booted=${UEFI_BOOTED}"
report "boot_uefi_booted_secure=${UEFI_BOOTED_SECURE}"
report "service_manager=${SERVICE_MANAGER}" report "service_manager=${SERVICE_MANAGER}"
wait_for_keypress wait_for_keypress
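Review bot: the two new `report` lines emit `UEFI_BOOTED` and `UEFI_BOOTED_SECURE` unconditionally, so unless both are initialised (for example to 0) before the UEFI test runs (the initialisation is not part of this excerpt), a skipped UEFI test, such as on a non-Linux host, writes `boot_uefi_booted=` with an empty value into the report and consumers have to treat that as a third state. Give them a default alongside `BOOT_LOADER`, or only report them when set.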


include/tests_containers Normal file
@ -0,0 +1,169 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Containers, Zones, Jails
#
#################################################################################
#
InsertSection "Containers"
#
#################################################################################
#
# Test : CONT-8004
# Description : Query running Solaris zones
if [ -x /usr/sbin/zoneadm ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no CONT-8004 --os Solaris --weight L --network NO --description "Query running Solaris zones"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: query zoneadm to list all running zones"
FIND=`/usr/sbin/zoneadm list -p | awk -F: '{ if ($2!="global") print $0 }'`
if [ ! "${FIND}" = "" ]; then
N=0
for I in ${FIND}; do
N=`expr ${N} + 1`
ZONEID=`echo ${I} | cut -d ':' -f1`
ZONENAME=`echo ${I} | cut -d ':' -f2`
logtext "Result: found zone ${ZONENAME} (running)"
report "solaris_running_zone[]=${ZONENAME} [id:${ZONEID}]"
done
logtext "Result: total of ${N} running zones"
Display --indent 2 --text "- Checking Solaris Zones" --result "FOUND ${N} zones" --color GREEN
else
logtext "Result: no running zones found"
Display --indent 2 --text "- Checking Solaris Zones" --result NONE --color WHITE
fi
fi
#
#################################################################################
#
# Test : CONT-1906
# Description : Query running Xen zones
#if [ -x /usr/bin/xm ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no CONT-1906 --weight L --network NO --description "Query Xen guests"
#if [ ${SKIPTEST} -eq 0 ]; then
# Show Xen guests
#FIND=`xm list | awk '$1 != "Name|Domain-0" {print $1","$2}'`
#for I in ${FIND}; do
#XENGUESTNAME=`echo ${I} | cut -d ':' -f1`
#XENGUESTID=`echo ${I} | cut -d ':' -f2`
#logtext "Result: found Xen guest ${XENGUESTNAME} (ID: ${XENGUESTID})"
#done
#fi
#
#################################################################################
#
# Test : CONT-8102
# Description : Checking Docker daemon status and basic information for later tests
Register --test-no CONT-8102 --weight L --network NO --description "Checking Docker status and information"
if [ ${SKIPTEST} -eq 0 ]; then
IsRunning "docker -d"
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: found Docker daemon running"
report "docker_daemon_running=1"
DOCKER_DAEMON_RUNNING=1
Display --indent 4 --text "- Docker"
Display --indent 6 --text "- Docker daemon" --result RUNNING --color GREEN
fi
fi
#
#################################################################################
#
# Test : CONT-8104
# Description : Checking Docker info for any warnings
# Notes : Hardening points are awarded, as usually warnings are the result of missing controls to restrict boundaries like memory
if [ ! "${DOCKERBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no CONT-8104 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking Docker info for any warnings"
if [ ${SKIPTEST} -eq 0 ]; then
COUNT=0
logtext "Test: Check for any warnings"
FIND=`${DOCKERBINARY} info 2>&1 | grep "^WARNING:" | cut -d " " -f 2- | sed 's/ /:space:/g'`
if [ ! "${FIND}" = "" ]; then
logtext "Result: found warning(s) in output"
for I in ${FIND}; do
J=`echo ${I} | sed 's/:space:/ /g'`
logtext "Output: ${J}"
COUNT=`expr ${COUNT} + 1`
done
Display --indent 8 --text "- Docker info output (warnings)" --result "${COUNT}" --color RED
ReportSuggestion "${TEST_NO}" "Run 'docker info' to see warnings applicable to Docker daemon"
AddHP 3 4
else
logtext "Result: no warnings found from 'docker info' output"
Display --indent 8 --text "- Docker info output (warnings)" --result "NONE" --color GREEN
AddHP 1 1
fi
fi
#
#################################################################################
#
# Test : CONT-8106
# Description : Checking Docker containers (basic stats)
# Notes : Hardening points are awarded, if there aren't a lot of stopped containers
if [ ! "${DOCKERBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no CONT-8106 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather basic stats from Docker"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 6 --text "- Containers"
# Check total of containers
logtext "Test: checking total amount of Docker containers"
DOCKER_CONTAINERS_TOTAL=`${DOCKERBINARY} info 2> /dev/null | grep "^Containers: " | awk '{ print $2 }'`
if [ "${DOCKER_CONTAINERS_TOTAL}" = "" ]; then
DOCKER_CONTAINERS_TOTAL=0
fi
logtext "Result: docker info shows ${DOCKER_CONTAINERS_TOTAL} containers"
DOCKER_CONTAINERS_TOTAL2=`${DOCKERBINARY} ps -a 2> /dev/null | grep -v "CONTAINER" | wc -l`
logtext "Result: docker ps -a shows ${DOCKER_CONTAINERS_TOTAL2} containers"
if [ ! "${DOCKER_CONTAINERS_TOTAL}" = "${DOCKER_CONTAINERS_TOTAL2}" ]; then
logtext "Result: difference detected, which is unexpected"
ReportSuggestion "${TEST_NO}" "Test output of both 'docker ps -a' and 'docker info', to determine why they report a different amount of containers"
Display --indent 8 --text "- Total containers" --result "UNKNOWN" --color RED
else
Display --indent 8 --text "- Total containers" --result "${DOCKER_CONTAINERS_TOTAL}" --color WHITE
fi
# Check running instances
DOCKER_CONTAINERS_RUNNING=`${DOCKERBINARY} ps 2> /dev/null | grep -v "CONTAINER" | wc -l`
Display --indent 8 --text "- Running containers" --result "${DOCKER_CONTAINERS_RUNNING}" --color GREEN
if [ ${DOCKER_CONTAINERS_RUNNING} -gt 0 ]; then
logtext "Result: ${DOCKER_CONTAINERS_RUNNING} containers are currently active"
report "docker_containers_running=${DOCKER_CONTAINERS_RUNNING}"
else
logtext "Result: no active containers"
report "docker_containers_running=0"
fi
# Check if there aren't too many unused containers on the system
if [ ${DOCKER_CONTAINERS_TOTAL} -gt 0 ]; then
DOCKER_CONTAINERS_UNUSED=`expr ${DOCKER_CONTAINERS_TOTAL} - ${DOCKER_CONTAINERS_RUNNING}`
if [ ${DOCKER_CONTAINERS_UNUSED} -gt 10 ]; then
ReportSuggestion "${TEST_NO}" "More than 10 unused containers found on the system. Clean up old containers by using output of 'docker ps -a' command"
Display --indent 8 --text "- Unused containers" --result "${DOCKER_CONTAINERS_UNUSED}" --color RED
AddHP 0 2
else
logtext "Result: found ${DOCKER_CONTAINERS_UNUSED} unused containers"
Display --indent 8 --text "- Unused containers" --result "${DOCKER_CONTAINERS_UNUSED}" --color YELLOW
AddHP 1 1
fi
fi
fi
#
#################################################################################
#
wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com
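Review bot: `IsRunning "docker -d"` in CONT-8102 only matches a daemon started with the `-d` flag; Docker 1.8 (August 2015) replaced that with the `docker daemon` subcommand, so on a current host `DOCKER_DAEMON_RUNNING` is never set and the "Docker daemon RUNNING" line never appears, while CONT-8104 and CONT-8106 still run because they key only on `${DOCKERBINARY}`. Match on both forms, default `DOCKER_DAEMON_RUNNING=0` at the top of the file, and consider making CONT-8104/8106 depend on it so `docker info` is not called against a stopped daemon. In CONT-8106, `wc -l` on BSD and Mac OS pads its output with leading spaces, so the string comparison `"${DOCKER_CONTAINERS_TOTAL}" = "${DOCKER_CONTAINERS_TOTAL2}"` compares `3` with `       3` and reports "difference detected" on every such system; strip the whitespace (e.g. `tr -d ' '`) or compare with `-eq`.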

@ -50,7 +50,6 @@
FOUNDPROBLEM=1 FOUNDPROBLEM=1
logtext "Result: certificate ${J} has been expired" logtext "Result: certificate ${J} has been expired"
report "expired_certificate[]=${J}|unknown entity|" report "expired_certificate[]=${J}|unknown entity|"
#YYY Dump more information to log file
fi fi
else else
logtext "Result: can not read file ${J} (no permission)" logtext "Result: can not read file ${J} (no permission)"
@ -65,9 +64,9 @@
done done
if [ ${FOUNDPROBLEM} -eq 0 ]; then if [ ${FOUNDPROBLEM} -eq 0 ]; then
Display --indent 2 --text "- Checking SSL certificate expiration" --result OK --color GREEN Display --indent 2 --text "- Checking for expired SSL certificates" --result NONE --color GREEN
else else
Display --indent 2 --text "- Checking SSL certificate expiration" --result WARNING --color RED Display --indent 2 --text "- Checking for expired SSL certificates" --result FOUND --color RED
ReportSuggestion ${TEST_NO} "Check available certificates for expiration" ReportSuggestion ${TEST_NO} "Check available certificates for expiration"
fi fi
fi fi

@ -29,25 +29,51 @@
################################################################################# #################################################################################
# #
# Test : CUST-0010 # Test : CUST-0010
# Author : Your name <e-mail address>
# Description : Check for something interesting - template # Description : Check for something interesting - template
# This test first checks if OpenSSL binary was found # Notes : This test first checks if OpenSSL binary was found
if [ ! -z "${OPENSSLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no CUST-0010 --preqs-met ${PREQS_MET} --weight L --network NO --description "My description" # * Prerequisites Check
# Or you could use this one without any dependencies # -----------------------
# Register --test-no CUST-0010 --weight L --network NO --description "My description" #
# Check first if any dependency. If it doesn't meet, the test will be skipped after registration (SKIPTEST == 1)
#
# Examples:
# -f /etc/file = Test if file exists
# -d /var/run/mydirectory = Test if directory exists
# ${MYVARIABLE} -eq 1 = Test if variable is set to 1
# "${MYVARIABLE}" = "Value" = Test if variable is equal to specific value
if [ -f /etc/myfile ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# * Registration of Test
# ------------------------
#
# Register the test, with custom ID CUST-0010, and only execute it when the prerequisites were met
Register --test-no CUST-0010 --preqs-met ${PREQS_MET} --weight L --network NO --description "Description of what this test does"
# Or we could use this test without any dependencies
# Register --test-no CUST-0010 --weight L --network NO --description "Description of what this test does"
# If everything is fine, perform test
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0 FOUND=0
logtext "Test: checking something" logtext "Test: checking something"
ReportWarning ${TEST_NO} "M" "Test warning"
if [ ${FOUND} -eq 0 ]; then if [ ${FOUND} -eq 0 ]; then
Display --indent 4 --text "- Performing custom test 1" --result OK --color GREEN Display --indent 4 --text "- Performing custom test" --result OK --color GREEN
logtext "Result: the test looks great!" logtext "Result: the test result looks great!"
# Optional: create a suggestion after a specific finding
#ReportSuggestion "${TEST_NO}" "This is my suggestion to improve the system even further."
else else
Display --indent 4 --text "- Performing custom test 1" --result WARNING --color RED Display --indent 4 --text "- Performing custom test" --result WARNING --color RED
logtext "Result: hmm bad result of this test :(" logtext "Result: this test had a bad result :("
ReportSuggestion ${TEST_NO} "This could be better!" # Throw a warning to the screen and report
ReportWarning ${TEST_NO} "M" "This is a warning message"
fi fi
fi fi
# #
################################################################################# #################################################################################
# #
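Review bot: the prerequisite example `${MYVARIABLE} -eq 1 = Test if variable is set to 1` in the new comment block will error out (unary operator expected) when the variable is unset, which is the normal state for a variable a custom test has not defined yet; since this file is the template people copy from, show the safe forms `"${MYVARIABLE}" = "1"` or `${MYVARIABLE:-0} -eq 1` instead. The rest of the restructuring is an improvement: the unconditional `ReportWarning ${TEST_NO} "M" "Test warning"` is gone, and the warning now lives only in the failure branch.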

@ -14,6 +14,8 @@
# #
################################################################################# #################################################################################
# #
CSF_CONFIG="/etc/csf/csf.conf"
FILE_INT_TOOL=""
FILE_INT_TOOL_FOUND=0 # Boolean, file integrity tool found FILE_INT_TOOL_FOUND=0 # Boolean, file integrity tool found
# #
################################################################################# #################################################################################
@ -30,11 +32,11 @@
logtext "Test: Checking AFICK binary" logtext "Test: Checking AFICK binary"
if [ ! "${AFICKBINARY}" = "" ]; then if [ ! "${AFICKBINARY}" = "" ]; then
logtext "Result: AFICK is installed (${AFICKBINARY})" logtext "Result: AFICK is installed (${AFICKBINARY})"
FILE_INT_TOOL="afick"
FILE_INT_TOOL_FOUND=1 FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- AFICK" --result FOUND --color GREEN Display --indent 4 --text "- AFICK" --result FOUND --color GREEN
else else
logtext "Result: AFICK is not installed" logtext "Result: AFICK is not installed"
Display --indent 4 --text "- AFICK" --result "NOT FOUND" --color WHITE
fi fi
fi fi
# #
@ -47,11 +49,11 @@
logtext "Test: Checking AIDE binary" logtext "Test: Checking AIDE binary"
if [ ! "${AIDEBINARY}" = "" ]; then if [ ! "${AIDEBINARY}" = "" ]; then
logtext "Result: AIDE is installed (${AIDEBINARY})" logtext "Result: AIDE is installed (${AIDEBINARY})"
FILE_INT_TOOL="aide"
FILE_INT_TOOL_FOUND=1 FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- AIDE" --result FOUND --color GREEN Display --indent 4 --text "- AIDE" --result FOUND --color GREEN
else else
logtext "Result: AIDE is not installed" logtext "Result: AIDE is not installed"
Display --indent 4 --text "- AIDE" --result "NOT FOUND" --color WHITE
fi fi
fi fi
# #
@ -119,11 +121,11 @@
logtext "Test: Checking Osiris binary" logtext "Test: Checking Osiris binary"
if [ ! "${OSIRISBINARY}" = "" ]; then if [ ! "${OSIRISBINARY}" = "" ]; then
logtext "Result: Osiris is installed (${OSIRISBINARY})" logtext "Result: Osiris is installed (${OSIRISBINARY})"
FILE_INT_TOOL="osiris"
FILE_INT_TOOL_FOUND=1 FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- Osiris" --result FOUND --color GREEN Display --indent 4 --text "- Osiris" --result FOUND --color GREEN
else else
logtext "Result: Osiris is not installed" logtext "Result: Osiris is not installed"
Display --indent 4 --text "- Osiris" --result "NOT FOUND" --color WHITE
fi fi
fi fi
# #
@ -136,11 +138,11 @@
logtext "Test: Checking Samhain binary" logtext "Test: Checking Samhain binary"
if [ ! "${SAMHAINBINARY}" = "" ]; then if [ ! "${SAMHAINBINARY}" = "" ]; then
logtext "Result: Samhain is installed (${SAMHAINBINARY})" logtext "Result: Samhain is installed (${SAMHAINBINARY})"
FILE_INT_TOOL="samhain"
FILE_INT_TOOL_FOUND=1 FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- Samhain" --result FOUND --color GREEN Display --indent 4 --text "- Samhain" --result FOUND --color GREEN
else else
logtext "Result: Samhain is not installed" logtext "Result: Samhain is not installed"
Display --indent 4 --text "- Samhain" --result "NOT FOUND" --color WHITE
fi fi
fi fi
# #
@ -153,11 +155,11 @@
logtext "Test: Checking Tripwire binary" logtext "Test: Checking Tripwire binary"
if [ ! "${TRIPWIREBINARY}" = "" ]; then if [ ! "${TRIPWIREBINARY}" = "" ]; then
logtext "Result: Tripwire is installed (${TRIPWIREBINARY})" logtext "Result: Tripwire is installed (${TRIPWIREBINARY})"
FILE_INT_TOOL="tripwire"
FILE_INT_TOOL_FOUND=1 FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- Tripwire" --result FOUND --color GREEN Display --indent 4 --text "- Tripwire" --result FOUND --color GREEN
else else
logtext "Result: Tripwire is not installed" logtext "Result: Tripwire is not installed"
Display --indent 4 --text "- Tripwire" --result "NOT FOUND" --color WHITE
fi fi
fi fi
# #
@ -170,10 +172,12 @@
logtext "Test: Checking if OSSEC syscheck daemon is running" logtext "Test: Checking if OSSEC syscheck daemon is running"
IsRunning ossec-syscheckd IsRunning ossec-syscheckd
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
logtext "Result: syscheck (OSSEC) installed"
FILE_INT_TOOL="ossec-syscheck"
FILE_INT_TOOL_FOUND=1 FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- OSSEC (syscheck)" --result FOUND --color GREEN Display --indent 4 --text "- OSSEC (syscheck)" --result FOUND --color GREEN
else else
Display --indent 4 --text "- OSSEC (syscheck)" --result "NOT FOUND" --color WHITE logtext "Result: syscheck (OSSEC) not installed"
fi fi
fi fi
# #
@ -187,11 +191,59 @@
logtext "Test: Checking mtree binary" logtext "Test: Checking mtree binary"
if [ ! "${MTREEBINARY}" = "" ]; then if [ ! "${MTREEBINARY}" = "" ]; then
logtext "Result: mtree is installed (${MTREEBINARY})" logtext "Result: mtree is installed (${MTREEBINARY})"
FILE_INT_TOOL="mtree"
FILE_INT_TOOL_FOUND=1 FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- mtree" --result FOUND --color GREEN Display --indent 4 --text "- mtree" --result FOUND --color GREEN
else else
logtext "Result: mtree is not installed" logtext "Result: mtree is not installed"
Display --indent 4 --text "- mtree" --result "NOT FOUND" --color WHITE fi
fi
#
#################################################################################
#
# Test : FINT-4334
# Description : Check if LFD is used (part of CSF suite)
if [ -f ${CSF_CONFIG} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FINT-4334 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check lfd daemon status"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 4 --text "- lfd (CSF)" --result FOUND --color GREEN
IsRunning 'lfd '
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: lfd daemon is running (CSF)"
Display --indent 6 --text "- Daemon status" --result RUNNING --color GREEN
FILE_INT_TOOL="csf-lfd"
FILE_INT_TOOL_FOUND=1
else
Display --indent 6 --text "- Daemon status" --result "NOT RUNNING" --color YELLOW
fi
fi
# Test : FINT-4336
# Description : Check if LFD is enabled (part of CSF suite)
if [ -f ${CSF_CONFIG} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FINT-4336 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check lfd configuration status"
if [ ${SKIPTEST} -eq 0 ]; then
# LFD configuration parameters
ENABLED=`grep "^LF_DAEMON = \"1\"" ${CSF_CONFIG}`
if [ ! "${ENABLED}" = "" ]; then
logtext "Result: lfd service is configured to run"
Display --indent 6 --text "- Configuration status" --result ENABLED --color GREEN
else
logtext "Result: lfd service is configured NOT to run"
Display --indent 6 --text "- Configuration status" --result DISABLED --color YELLOW
fi
ENABLED=`grep "^LF_DIRWATCH =" ${CSF_CONFIG} | awk '{ print $3 }' | sed 's/\"//g'`
if [ ! "${ENABLED}" = "0" -a ! "${ENABLED}" = "" ]; then
logtext "Result: lfd directory watching is enabled (value: ${ENABLED})"
Display --indent 6 --text "- Temporary directory watches" --result ENABLED --color GREEN
else
logtext "Result: lfd directory watching is disabled"
Display --indent 6 --text "- Temporary directory watches" --result DISABLED --color YELLOW
fi
ENABLED=`grep "^LF_DIRWATCH_FILE =" ${CSF_CONFIG} | awk '{ print $3 }' | sed 's/\"//g'`
if [ ! "${ENABLED}" = "0" -a ! "${ENABLED}" = "" ]; then
Display --indent 6 --text "- Directory/File watches" --result ENABLED --color GREEN
else
Display --indent 6 --text "- Directory/File watches" --result DISABLED --color YELLOW
fi fi
fi fi
# #
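Review bot: FINT-4334 sets `FILE_INT_TOOL="csf-lfd"` and `FILE_INT_TOOL_FOUND=1` as soon as the lfd process is running, but whether lfd watches any files at all is only determined afterwards in FINT-4336 (`LF_DIRWATCH` and `LF_DIRWATCH_FILE` both 0 or empty means no file watching); a host with lfd running purely as a login-failure daemon therefore passes the later "file integrity tool present" check and avoids the "Install a file integrity tool" suggestion. Set `FILE_INT_TOOL_FOUND=1` from the FINT-4336 watch checks instead, or at least only when one of them is enabled. Style: the `#` / `####...` / `#` separator the file uses between tests is missing before `# Test : FINT-4336`.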
@ -209,7 +261,7 @@
else else
logtext "Result: No file integrity tools found" logtext "Result: No file integrity tools found"
Display --indent 2 --text "- Checking presence integrity tool" --result "NOT FOUND" --color YELLOW Display --indent 2 --text "- Checking presence integrity tool" --result "NOT FOUND" --color YELLOW
ReportSuggestion ${TEST_NO} "Install a file integrity tool" ReportSuggestion ${TEST_NO} "Install a file integrity tool to monitor changes to critical and sensitive files"
AddHP 0 5 AddHP 0 5
fi fi
fi fi
@ -217,6 +269,7 @@
################################################################################# #################################################################################
# #
report "file_integrity_tool=${FILE_INT_TOOL}"
report "file_integrity_tool_installed=${FILE_INT_TOOL_FOUND}" report "file_integrity_tool_installed=${FILE_INT_TOOL_FOUND}"
wait_for_keypress wait_for_keypress
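Review bot: `report "file_integrity_tool=${FILE_INT_TOOL}"` emits a single value, but every detection hunk above assigns `FILE_INT_TOOL="..."` outright, so on a host with more than one tool installed (AIDE plus OSSEC syscheck is a realistic combination) only the last test in file order wins and the report hides the others. Either accumulate the names or report one `file_integrity_tool[]=` entry per tool, as the other list-style report keys in this file already do. The `FILE_INT_TOOL=""` default added at the top is good; the same pattern is what the new boot-loader variables in tests_boot_services lack.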

@ -5,8 +5,8 @@
# Lynis # Lynis
# ------------------ # ------------------
# #
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands # Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: http://www.rootkit.nl # Web site: https://cisofy.com
# #
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License. # welcome to redistribute it under the terms of the GNU General Public License.
@ -56,4 +56,4 @@ wait_for_keypress
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands # Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com

@ -5,8 +5,8 @@
# Lynis # Lynis
# ------------------ # ------------------
# #
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands # Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
# Web site: http://www.rootkit.nl # Web site: https://cisofy.com
# #
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License. # welcome to redistribute it under the terms of the GNU General Public License.
@ -209,23 +209,46 @@
FOUND=0 FOUND=0
logtext "Test: query swap partitions from /etc/fstab file" logtext "Test: query swap partitions from /etc/fstab file"
# Check if third field contains 'swap' # Check if third field contains 'swap'
FIND=`awk '{ if ($3=="swap") print $1 }' /etc/fstab` FIND=`awk '{ if ($2=="swap" || $3=="swap") { print $1 }}' /etc/fstab | grep -v "^#"`
for I in ${FIND}; do for I in ${FIND}; do
FOUND=1 FOUND=1
REAL=""
UUID=""
logtext "Swap partition found: ${I}" logtext "Swap partition found: ${I}"
# YYY Add a test if partition is not a normal partition (e.g. UUID=) # YYY Add a test if partition is not a normal partition (e.g. UUID=)
# Can be ^/dev/mapper/vg-name_lv-name # Can be ^/dev/mapper/vg-name_lv-name
# Can be ^/dev/partition # Can be ^/dev/partition
# Can be ^UUID=uuid --> /dev/disk/by-uuid/<uuid> # Can be ^UUID=uuid --> /dev/disk/by-uuid/<uuid>
# if [ ! "${BLKIDBINARY}" = "" ]; then HAS_UUID=`echo ${I} | grep "^UUID="`
# FIND2=`${BLKIDBINARY} | awk '{ if ($2=="UUID=\"${UUID}\"") print $1 }' | sed 's/:$//'` if [ ! "${HAS_UUID}" = "" ]; then
# else UUID=`echo ${HAS_UUID} | awk -F= '{ print $2 }'`
# logtext "Result: blkid binary not found, trying by checking device listing" logtext "Result: Using ${UUID} as UUID"
# if [ -f /dev/disk/by-uuid/${UUID} ]; then if [ ! "${BLKIDBINARYx}" = "" ]; then
# logtext "Result: found disk via /dev/disk/by-uuid listing" FIND2=`${BLKIDBINARY} | awk '{ if ($2=="UUID=\"${UUID}\"") print $1 }' | sed 's/:$//'`
# fi if [ ! "${FIND2}" = "" ]; then
# fi REAL="${FIND2}"
report "swap_partition[]=${I}" fi
else
logtext "Result: blkid binary not found, trying by checking device listing"
sFILE=""
if [ -L /dev/disk/by-uuid/${UUID} ]; then
logtext "Result: found disk via /dev/disk/by-uuid listing"
ShowSymlinkPath /dev/disk/by-uuid/${UUID}
if [ ! "${sFILE}" = "" ]; then
REAL="${sFILE}"
logtext "Result: disk is ${REAL}"
fi
else
logtext "Result: no symlink found to /dev/disk/by-uuid/${UUID}"
fi
fi
fi
# Set real device
if [ "${REAL}" = "" ]; then
REAL="${I}"
fi
report "swap_partition[]=${I},${REAL},"
done done
if [ ${FOUND} -eq 1 ]; then if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Query swap partitions (fstab)" --result OK --color GREEN Display --indent 2 --text "- Query swap partitions (fstab)" --result OK --color GREEN
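Review bot: the blkid branch can never run, because the condition `if [ ! "${BLKIDBINARYx}" = "" ]; then` tests a misspelled variable (`BLKIDBINARYx`, trailing x) that is always empty, so every `UUID=` entry falls through to the /dev/disk/by-uuid lookup. Once that is fixed, the awk program on the next line still does not work: `'{ if ($2=="UUID=\"${UUID}\"") print $1 }'` is single-quoted, so the shell never expands `${UUID}`; pass it in with `awk -v uuid="${UUID}" '{ if ($2=="UUID=\"" uuid "\"") print $1 }'`. Minor: `report "swap_partition[]=${I},${REAL},"` emits a trailing comma after the real device, which consumers of the report file have to strip.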
@ -239,18 +262,20 @@
# #
# Test : FILE-6336 # Test : FILE-6336
# Description : Check swap mount options # Description : Check swap mount options
# Examples : [partition] swap swap defaults 0 0
# [partition] none swap sw 0 0
if [ -f /etc/fstab ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -f /etc/fstab ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FILE-6336 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking swap mount options" Register --test-no FILE-6336 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking swap mount options"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Swap partitions should be mounted with 'sw' or 'swap' # Swap partitions should be mounted with 'sw' or 'swap'
logtext "Test: check swap partitions with incorrect mount options" logtext "Test: check swap partitions with incorrect mount options"
#FIND=`awk '{ if ($3=="swap" && ($4!="sw" && $4!="swap" && $4!="defaults")) print $1 }' /etc/fstab` #FIND=`awk '{ if ($3=="swap" && ($4!="sw" && $4!="swap" && $4!="defaults")) print $1 }' /etc/fstab`
FIND=`awk '{ if ($3=="swap" && $4~/sw/) { print $1 }}' /etc/fstab` FIND=`awk '{ if ($3=="swap" && ($4~/sw/ || $4=="defaults")) { print $1 }}' /etc/fstab`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
Display --indent 2 --text "- Testing swap partitions" --result OK --color GREEN Display --indent 2 --text "- Testing swap partitions" --result OK --color GREEN
logtext "Result: all swap partitions have correct options (sw or swap)" logtext "Result: all swap partitions have correct options (sw or swap)"
else else
Display --indent 2 --text "- Testing swap partitions" --result WARNING --color RED Display --indent 2 --text "- Testing swap partitions" --result "CHECK NEEDED" --color YELLOW
logtext "Result: possible incorrect mount options used for mounting swap partition (${FIND})" logtext "Result: possible incorrect mount options used for mounting swap partition (${FIND})"
#ReportWarning ${TEST_NO} "L" "Possible incorrect mount options used for swap parition (${FIND})" #ReportWarning ${TEST_NO} "L" "Possible incorrect mount options used for swap parition (${FIND})"
ReportSuggestion ${TEST_NO} "Check your /etc/fstab file for swap partition mount options" ReportSuggestion ${TEST_NO} "Check your /etc/fstab file for swap partition mount options"
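Review bot: the new condition `FIND=\`awk '{ if ($3=="swap" && ($4~/sw/ || $4=="defaults")) { print $1 }}' /etc/fstab\`` inverts the check: it selects swap entries with acceptable options, so one good entry yields OK even when another swap entry has bad options, a system with no swap in fstab gets "CHECK NEEDED", and the log line `possible incorrect mount options used for mounting swap partition (${FIND})` prints an empty list because FIND is empty in that branch. The commented-out expression just above it (select entries whose $4 is neither sw, swap nor defaults) is the logic the result text describes; consider restoring that and, since `$4~/sw/` matches the substring anywhere, matching the options as a comma-separated list.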
@ -272,7 +297,7 @@
Display --indent 2 --text "- Checking for old files in /tmp" --result OK --color GREEN Display --indent 2 --text "- Checking for old files in /tmp" --result OK --color GREEN
logtext "Result: no files found in /tmp which are older than 3 months" logtext "Result: no files found in /tmp which are older than 3 months"
else else
Display --indent 2 --text "- Checking for old files in /tmp" --result WARNING --color RED Display --indent 2 --text "- Checking for old files in /tmp" --result FOUND --color RED
N=0 N=0
for I in ${FIND}; do for I in ${FIND}; do
FILE=`echo ${I} | sed 's/!space!/ /g'` FILE=`echo ${I} | sed 's/!space!/ /g'`
@ -435,76 +460,75 @@
################################################################################# #################################################################################
# #
# Test : FILE-6374 # Test : FILE-6374
# Description : Check /boot mount options for Linux # Description : Check mount options for Linux
# Notes : Expecting nodev,noexec,nosuid # Notes : This test determines if the mount point exists. If it does not exist as mount point, yet it is an directory,
# you might consider to make it a separate mount point with restrictions.
#
# Depending on the primary goals of a machine, some mount points might be too restrictive. Before applying any
# mount flags, test them on a similar or cloned test system.
#
# ---------------------------------------------------------
# Mount point nodev noexec nosuid
# /boot v v v
# /home v v
# /tmp v v v
# /var v
# /var/log v v v
# /var/log/audit v v v
# ---------------------------------------------------------
FILESYSTEMS_TO_CHECK="/boot:nodev,noexec,nosuid /home:nodev,nosuid /var:nosuid /var/log:nodev,noexec,nosuid /var/log/audit:nodev,noexec,nosuid /tmp:nodev,noexec,nosuid"
Register --test-no FILE-6374 --os Linux --weight L --network NO --description "Checking /boot mount options" Register --test-no FILE-6374 --os Linux --weight L --network NO --description "Checking /boot mount options"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /etc/fstab ]; then if [ -f /etc/fstab ]; then
HARDENED=0 for I in ${FILESYSTEMS_TO_CHECK}; do
FIND=`echo /etc/fstab | awk '{ if ($2=="/boot") { print $4 } }'` FILESYSTEM=`echo ${I} | cut -d: -f1`
NODEV=`echo ${FIND} | awk '{ if ($1=="nodev") { print "YES" } else { print "NO" } }'` EXPECTED_FLAGS=`echo ${I} | cut -d: -f2 | sed 's/,/ /g'`
NOEXEC=`echo ${FIND} | awk '{ if ($1=="noexec") { print "YES" } else { print "NO" } }'` IN_FSTAB=`cat /etc/fstab | awk -v fs=${FILESYSTEM} '{ if ($2==fs) { print "FOUND" } }'`
NOSUID=`echo ${FIND} | awk '{ if ($1=="nosuid") { print "YES" } else { print "NO" } }'` if [ ! "${IN_FSTAB}" = "" ]; then
if [ "${NODEV}" = "YES" -a "${NOEXEC}" = "YES" -a "${NOSUID}" = "YES" ]; then HARDENED=1; fi FOUND_FLAGS=`cat /etc/fstab | awk -v fs=${FILESYSTEM} '{ if ($2==fs) { print $4 } }' | sed 's/,/ /g'`
if [ ! "${FIND}" = "" ]; then logtext "File system: ${FILESYSTEM}"
logtext "Result: mount system /boot is configured with options: ${FIND}" logtext "Expected flags: ${EXPECTED_FLAGS}"
if [ ${HARDENED} -eq 1 ]; then logtext "Found flags: ${FOUND_FLAGS}"
logtext "Result: marked /boot options as hardenened" PARTIALLY_HARDENED=0
Display --indent 2 --text "- Mount options of /boot" --result HARDENED --color GREEN FULLY_HARDENED=1
AddHP 5 5 for FLAG in ${EXPECTED_FLAGS}; do
else FLAG_AVAILABLE=`echo ${FOUND_FLAGS} | grep ${FLAG}`
if [ "${FIND}" = "defaults" ]; then if [ "${FLAG_AVAILABLE}" = "" ]; then
logtext "Result: marked /boot options as default (non hardened)" logtext "Result: Could not find mount option ${FLAG} on file system ${FILESYSTEM}"
Display --indent 2 --text "- Mount options of /boot" --result DEFAULT --color RED FULLY_HARDENED=0
AddHP 3 5 else
else logtext "Result: GOOD, found mount option ${FLAG} on file system ${FILESYSTEM}"
logtext "Result: marked /boot options as non default (unclear about hardening)" PARTIALLY_HARDENED=1
Display --indent 2 --text "- Mount options of /boot" --result "NON DEFAULT" --color YELLOW fi
done
if [ ${FULLY_HARDENED} -eq 1 ]; then
logtext "Result: marked ${FILESYSTEM} as fully hardenened"
Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result HARDENED --color GREEN
AddHP 5 5
elif [ ${PARTIALLY_HARDENED} -eq 1 ]; then
logtext "Result: marked ${FILESYSTEM} as fully hardenened"
Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "PARTIALLY HARDENED" --color YELLOW
AddHP 4 5 AddHP 4 5
else
if [ "${FOUND_FLAGS}" = "defaults" ]; then
logtext "Result: marked ${FILESYSTEM} options as default (non hardened)"
Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result DEFAULT --color YELLOW
AddHP 3 5
else
logtext "Result: marked ${FILESYSTEM} options as non default (unclear about hardening)"
Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "NON DEFAULT" --color YELLOW
AddHP 4 5
fi
fi fi
else
logtext "Result: file system ${FILESYSTEM} not found in /etc/fstab"
fi fi
else done
logtext "Result: no mount point /boot or expected options found"
fi
fi fi
fi fi
# #
################################################################################# #################################################################################
#
# Test : FILE-XXXX
# Description : Check /home mount options for Linux
# Notes : Expecting nodev,nosuid
#
#################################################################################
#
# Test : FILE-XXXX
# Description : Check /var mount options for Linux
# Notes : Expecting nosuid
#
#################################################################################
#
# Test : FILE-XXXX
# Description : Check /var/log mount options for Linux
# Notes : Expecting nodev,noexec,nosuid
#
#################################################################################
#
# Test : FILE-XXXX
# Description : Check /var/log/audit mount options for Linux
# Notes : Expecting nodev,noexec,nosuid
#
#################################################################################
#
# Test : FILE-XXXX
# Description : Check /tmp mount options for Linux
# Notes : Expecting nodev,noexec,nosuid
#
#################################################################################
#
#
#################################################################################
# #
# Test : FILE-6378 # Test : FILE-6378
# Description : Check for nodirtime option # Description : Check for nodirtime option
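Review bot: the partially-hardened branch logs the wrong state: `logtext "Result: marked ${FILESYSTEM} as fully hardenened"` under `elif [ ${PARTIALLY_HARDENED} -eq 1 ]` should say "partially hardened" (and "hardenened" is misspelled in both the fully and partially branches). Two smaller points: the Register line still reads `--description "Checking /boot mount options"` although the test now iterates over FILESYSTEMS_TO_CHECK, and the two `awk -v fs=${FILESYSTEM} '{ if ($2==fs) ...` lookups do not skip commented-out fstab lines (a line such as `#/dev/sda1 /boot ...` has `$2=="/boot"`), so a disabled entry would be scored; add `$1 !~ /^#/` to the condition. `grep ${FLAG}` is an unanchored substring match as well; `grep -w ${FLAG}` is safer.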
@ -538,11 +562,11 @@
# or /var/cache/locate/locatedb # or /var/cache/locate/locatedb
# FreeBSD /var/db/locate.database # FreeBSD /var/db/locate.database
if [ ! "${LOCATEBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! "${LOCATEBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FILE-6410 --os Linux --weight L --network NO --description "Checking Locate database" Register --test-no FILE-6410 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --description "Checking Locate database"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking locate database" logtext "Test: Checking locate database"
FOUND=0 FOUND=0
LOCATE_DBS="/var/lib/mlocate/mlocate.db /var/lib/locatedb /var/lib/slocate/slocate.db /var/cache/locate/locatedb /var/db/locate.database" LOCATE_DBS="/var/lib/mlocate/mlocate.db /var/lib/locate/locatedb /var/lib/locatedb /var/lib/slocate/slocate.db /var/cache/locate/locatedb /var/db/locate.database"
for I in ${LOCATE_DBS}; do for I in ${LOCATE_DBS}; do
if [ -f ${I} ]; then if [ -f ${I} ]; then
logtext "Result: locate database found (${I})" logtext "Result: locate database found (${I})"
@ -598,4 +622,4 @@ wait_for_keypress
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands # Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com


@ -5,8 +5,8 @@
# Lynis # Lynis
# ------------------ # ------------------
# #
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands # Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: http://www.rootkit.nl # Web site: https://cisofy.com
# #
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License. # welcome to redistribute it under the terms of the GNU General Public License.
@ -30,10 +30,6 @@
# #
################################################################################# #################################################################################
# #
# YYY Improvement needed for iptables to check if kernel modules are used or not.
# If they are not used and iptables is not found in configuration, no checks should be performed.
#
# Test : FIRE-4511 # Test : FIRE-4511
# Description : Check iptables kernel module # Description : Check iptables kernel module
Register --test-no FIRE-4511 --os Linux --weight L --network NO --description "Check iptables kernel module" Register --test-no FIRE-4511 --os Linux --weight L --network NO --description "Check iptables kernel module"
@ -124,7 +120,7 @@
Display --indent 4 --text "- Checking for unused rules" --result OK --color GREEN Display --indent 4 --text "- Checking for unused rules" --result OK --color GREEN
logtext "Result: There are no unused rules present" logtext "Result: There are no unused rules present"
else else
Display --indent 4 --text "- Checking for unused rules" --result WARNING --color YELLOW Display --indent 4 --text "- Checking for unused rules" --result FOUND --color YELLOW
logtext "Result: Found one or more possible unused rules" logtext "Result: Found one or more possible unused rules"
logtext "Description: Unused rules can be a sign that the firewall rules aren't optimized or up-to-date" logtext "Description: Unused rules can be a sign that the firewall rules aren't optimized or up-to-date"
logtext "Note: Sometimes rules aren't triggered but still in use. Keep this in mind before cleaning up rules." logtext "Note: Sometimes rules aren't triggered but still in use. Keep this in mind before cleaning up rules."
@ -189,7 +185,6 @@
PFLOGDFOUND=1 PFLOGDFOUND=1
else else
logtext "Result: pflog daemon not found in process list" logtext "Result: pflog daemon not found in process list"
Display --indent 4 --text "- Checking pflogd status" --result "NOT FOUND" --color YELLOW
fi fi
fi fi
@ -198,7 +193,6 @@
FIREWALL_SOFTWARE="pf" FIREWALL_SOFTWARE="pf"
else else
logtext "Result: pf not running on this system" logtext "Result: pf not running on this system"
Display --indent 2 --text "- Checking pf" --result "NOT FOUND" --color WHITE
fi fi
fi fi
# #
@ -274,7 +268,34 @@
################################################################################# #################################################################################
# #
# Test : FIRE-4530 # Test : FIRE-4530
# Description : Check ipfw # Description : Check IPFW (FreeBSD)
Register --test-no FIRE-4530 --os FreeBSD --weight L --network NO --description "Check IPFW status"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${SYSCTLBINARY}" = "" ]; then
# For now, only check for IPv4.
FIND=`${SYSCTLBINARY} net.inet.ip.fw.enable | awk '{ print $2 }'`
if [ "${FIND}" = "1" ]; then
Display --indent 2 --text "- Checking IPFW status" --result RUNNING --color GREEN
logtext "Result: IPFW is running for IPv4"
FIREWALL_ACTIVE=1
FIREWALL_SOFTWARE="ipfw"
IPFW_ENABLED=`service -e | grep -o ipfw`
if [ "${IPFW_ENABLED}" = "ipfw" ]; then
Display --indent 4 --text "- IPFW enabled in /etc/rc.conf" --result YES --color GREEN
logtext "Result: IPFW is enabled at start-up for IPv4"
else
Display --indent 4 --text "- ipfw enabled in /etc/rc.conf" --result NO --color YELLOW
logtext "Result: IPFW is disabled at start-up for IPv4"
fi
else
Display --indent 2 --text "- Checking IPFW status" --result "NOT RUNNING" --color YELLOW
logtext "Result: IPFW is not running for IPv4"
fi
else
Display --indent 2 --text "- Checking IPFW" --result SKIPPED --color YELLOW
ReportException "${TEST_NO}:1" "No IPFW test available (sysctl missing)"
fi
fi
# #
################################################################################# #################################################################################
# #
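Review bot: `FIND=\`${SYSCTLBINARY} net.inet.ip.fw.enable | awk '{ print $2 }'\`` writes an error to the console when the ipfw module is not loaded and the OID does not exist; redirect stderr (`2> /dev/null`) so that case only shows up as "NOT RUNNING". The start-up check `IPFW_ENABLED=\`service -e | grep -o ipfw\`` calls `service` without a path or existence check, unlike every other binary in this file, and `grep -o ipfw` would also match a longer script name containing that string; anchoring on the script path (`grep '/ipfw$'`) and testing for non-empty output is more robust. Minor: the two Display texts differ in case (`IPFW enabled in /etc/rc.conf` vs `ipfw enabled in /etc/rc.conf`).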


@ -55,6 +55,7 @@
IsWorldExecutable ${ASBINARY} IsWorldExecutable ${ASBINARY}
if [ $? -eq 1 ]; then if [ $? -eq 1 ]; then
logtext "Binary: found ${ASBINARY} (world executable)" logtext "Binary: found ${ASBINARY} (world executable)"
report "compiler[]=${ASBINARY}"
AddHP 2 3 AddHP 2 3
HARDEN_COMPILERS_NEEDED=1 HARDEN_COMPILERS_NEEDED=1
else else
@ -67,6 +68,7 @@
IsWorldExecutable ${GCCBINARY} IsWorldExecutable ${GCCBINARY}
if [ $? -eq 1 ]; then if [ $? -eq 1 ]; then
logtext "Binary: found ${GCCBINARY} (world executable)" logtext "Binary: found ${GCCBINARY} (world executable)"
report "compiler[]=${GCCBINARY}"
AddHP 2 3 AddHP 2 3
HARDEN_COMPILERS_NEEDED=1 HARDEN_COMPILERS_NEEDED=1
else else
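Review bot: in both compiler hunks the new `report "compiler[]=${ASBINARY}"` / `report "compiler[]=${GCCBINARY}"` line sits only in the world-executable branch, so the report key records compilers that still need hardening rather than every compiler found; if the intent is an inventory, move the report call above the `IsWorldExecutable` test (or name the key accordingly), otherwise a reader of the report file will conclude that a restricted compiler is absent.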


@ -1,52 +0,0 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# InsertSection "Hardening tools"
#
#################################################################################
#
# Checking Solaris Security Toolkit (Jass)
# Test : HRDN-7402
# Description : Check jass hardening
# Register --test-no HRDN-7402 --weight L --network NO --description "Check jass hardening"
# if [ ${SKIPTEST} -eq 0 ]; then
# if [ -d /opt/SUNWjass -o -d /var/opt/SUNWjass ]; then
# logtext "Result: found Solaris Security Toolkit (Jass hardening tool)"
# fi
#
#
#################################################################################
#
# Test : HRDN-7410
# Description : Check tiger hardening tool
#
#################################################################################
#
# Test : HRDN-7420
# Description : Check Bastille Unix hardening tool
#
#################################################################################
#
# Checking Solaris Security Toolkit (ASET)
# - Automated Security Enhancement Tool
# AddHP 3 3
#wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands


@ -5,8 +5,8 @@
# Lynis # Lynis
# ------------------ # ------------------
# #
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands # Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
# Web site: http://www.rootkit.nl # Web site: https://cisofy.com
# #
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License. # welcome to redistribute it under the terms of the GNU General Public License.
@ -28,7 +28,6 @@
# #
################################################################################# #################################################################################
# #
# Test : HOME-9302 # Test : HOME-9302
# Description : Create list with home directories # Description : Create list with home directories
Register --test-no HOME-9302 --weight L --network NO --description "Create list with home directories" Register --test-no HOME-9302 --weight L --network NO --description "Create list with home directories"
@ -69,7 +68,7 @@
logtext "Info: above files could be redirected files to avoid logging and should be investigated" logtext "Info: above files could be redirected files to avoid logging and should be investigated"
ReportWarning ${TEST_NO} "M" "Incorrect file type found for shell history file" ReportWarning ${TEST_NO} "M" "Incorrect file type found for shell history file"
fi fi
logtext "Remarks: ${HOME_HISTORY_LOG_TEXT}" logtext "Remarks: History files are normally of the type 'file'. Symbolic links and other types can be riskful."
else else
Display --indent 2 --text "- Checking shell history files" --result SKIPPED --color WHITE Display --indent 2 --text "- Checking shell history files" --result SKIPPED --color WHITE
logtext "Result: Homedirs is empty, test will be skipped" logtext "Result: Homedirs is empty, test will be skipped"
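Review bot: style: "riskful" in the new `logtext "Remarks: History files are normally of the type 'file'. Symbolic links and other types can be riskful."` is not standard English; "risky" or "a risk" reads better.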
@ -100,19 +99,6 @@
logtext "Output: ${IGNORE_HOME_DIRS}" logtext "Output: ${IGNORE_HOME_DIRS}"
fi fi
fi fi
#YYY
#echo -n " - Checking PATH variable vulnerabilities"
#
#FIND=`find ${HOMEDIRS} -name * | grep -r 'PATH=' | egrep '=.:|:.:|:.;' | grep -v 'CDPATH'`
#if [ "${FIND}" = "" ]
# then
# logtext "Result: Ok, no special things found in the PATH variable"
# else
# echo "[ ${WARNING}WARNING${NORMAL} ]"
# logtext "Warning: Probably found \".\" in the PATH. Details: ${FIND}"
#fi
#
# #
################################################################################# #################################################################################
# #
@ -121,4 +107,4 @@ wait_for_keypress
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands # Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com


@ -5,8 +5,8 @@
# Lynis # Lynis
# ------------------ # ------------------
# #
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands # Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: http://www.rootkit.nl # Web site: https://cisofy.com
# #
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License. # welcome to redistribute it under the terms of the GNU General Public License.
@ -37,7 +37,6 @@
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
logtext "Result: inetd is running" logtext "Result: inetd is running"
Display --indent 2 --text "- Checking inetd status" --result ACTIVE --color GREEN Display --indent 2 --text "- Checking inetd status" --result ACTIVE --color GREEN
#YYY perform manual check
INETD_ACTIVE=1 INETD_ACTIVE=1
else else
logtext "Result: inetd is NOT running" logtext "Result: inetd is NOT running"
@ -61,8 +60,6 @@
logtext "Result: ${INETD_CONFIG_FILE} does not exist" logtext "Result: ${INETD_CONFIG_FILE} does not exist"
Display --indent 4 --text "- Checking inetd.conf" --result "NOT FOUND" --color WHITE Display --indent 4 --text "- Checking inetd.conf" --result "NOT FOUND" --color WHITE
fi fi
# YYY immutable bit could be set
# YYY permission check (already set in profile)
fi fi
# #
################################################################################# #################################################################################
@ -106,15 +103,9 @@
# #
################################################################################# #################################################################################
# #
# Check telnet in /etc/xinetd.conf
# Check telnet in /etc/xinetd/*
# Check running telnet daemon (telnetd)
# rshd rlogin rexec
# /etc/hosts.equiv
wait_for_keypress wait_for_keypress
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands # Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com


@ -5,8 +5,8 @@
# Lynis # Lynis
# ------------------ # ------------------
# #
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands # Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
# Web site: http://www.rootkit.nl # Web site: https://cisofy.com
# #
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License. # welcome to redistribute it under the terms of the GNU General Public License.
@ -252,6 +252,8 @@
# #
# Test : KRNL-5730 # Test : KRNL-5730
# Description : Checking default I/O kernel scheduler # Description : Checking default I/O kernel scheduler
# Notes : This test could be extended with testing some of the specific devices like disks
# cat /sys/block/sda/queue/scheduler
PREQS_MET="NO" PREQS_MET="NO"
if [ ! "${LINUXCONFIGFILE}" = "" ]; then if [ ! "${LINUXCONFIGFILE}" = "" ]; then
if [ -f ${LINUXCONFIGFILE} ]; then PREQS_MET="YES"; fi if [ -f ${LINUXCONFIGFILE} ]; then PREQS_MET="YES"; fi
@ -276,18 +278,14 @@
fi fi
# #
################################################################################# #################################################################################
#
# YYY Check for kernel options
#
#################################################################################
# #
# Test : KRNL-5745 # Test : KRNL-5745
# Description : Checking FreeBSD loaded kernel modules # Description : Checking FreeBSD loaded kernel modules
Register --test-no KRNL-5745 --os FreeBSD --weight L --network NO --description "Checking FreeBSD loaded kernel modules" Register --test-no KRNL-5745 --os FreeBSD --weight L --network NO --description "Checking FreeBSD loaded kernel modules"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Checking active kernel modules" Display --indent 2 --text "- Checking active kernel modules"
logtext "Test: ${KERNEL_ACTIVE_MODULES_TITLE}" logtext "Test: Active kernel modules (KLDs)"
logtext "Description: ${KERNEL_ACTIVE_MODULES_DESCRIPTION}" logtext "Description: View all active kernel modules (including kernel)"
logtext "Test: Checking modules" logtext "Test: Checking modules"
if [ -f /sbin/kldstat ]; then if [ -f /sbin/kldstat ]; then
FIND=`kldstat | grep -v 'Name' | tr -s ' ' | cut -d ' ' -f6` FIND=`kldstat | grep -v 'Name' | tr -s ' ' | cut -d ' ' -f6`
@ -340,7 +338,6 @@
logtext "Test: Searching apt-cache, to determine if a newer kernel is available" logtext "Test: Searching apt-cache, to determine if a newer kernel is available"
if [ -x /usr/bin/apt-cache ]; then if [ -x /usr/bin/apt-cache ]; then
logtext "Result: found /usr/bin/apt-cache" logtext "Result: found /usr/bin/apt-cache"
# YYY Test for presence /usr/bin/apt-cache and dpkg
logtext "Test: checking readlink location of /vmlinuz" logtext "Test: checking readlink location of /vmlinuz"
FINDKERNFILE=`readlink -f /vmlinuz` FINDKERNFILE=`readlink -f /vmlinuz`
logtext "Output: readlink reported file ${FINDKERNFILE}" logtext "Output: readlink reported file ${FINDKERNFILE}"
@ -516,7 +513,8 @@
FIND=`ls /boot/vmlinuz* 2> /dev/null` FIND=`ls /boot/vmlinuz* 2> /dev/null`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
# Display kernels, extract version numbers and sort them numeric per column (up to 6 numbers) # Display kernels, extract version numbers and sort them numeric per column (up to 6 numbers)
KERNELS=`ls /boot/vmlinuz* | sed 's/vmlinuz-//' | sed 's/\.[a-z].*.//g' | sed 's/-[a-z].*.//g' | sed 's./boot/..' | sed 's/-/./g' | sort -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.` # Remove generic. and huge. for Slackware machines
KERNELS=`ls /boot/vmlinuz* | sed 's/vmlinuz-//' | sed 's/generic.//' | sed 's/huge.//' | sed 's/\.[a-z].*.//g' | sed 's/-[a-z].*.//g' | sed 's./boot/..' | sed 's/-/./g' | sort -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.`
elif [ ! `ls /boot/kernel* 2> /dev/null` = "" ]; then elif [ ! `ls /boot/kernel* 2> /dev/null` = "" ]; then
# Display kernels, extract version numbers and sort them numeric per column (up to 6 numbers) # Display kernels, extract version numbers and sort them numeric per column (up to 6 numbers)
# Examples: # Examples:
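Review bot: in the new KERNELS pipeline, `sed 's/generic.//' | sed 's/huge.//'` relies on the unescaped `.` matching whatever character follows the variant name (a constructed name such as `vmlinuz-generic-4.4.14` becomes `generic-4.4.14` after the first sed, and the `.` then eats the `-`); that works, but it reads as if a literal dot were intended, and `huge.` also matches that string anywhere in a name. Writing the separator explicitly and anchoring, `sed 's/^generic-//; s/^huge-//'`, states the intent and limits the match to the prefix.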
@ -580,4 +578,4 @@ wait_for_keypress
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - http://cisofy.com - The Netherlands # Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com


@ -5,8 +5,8 @@
# Lynis # Lynis
# ------------------ # ------------------
# #
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands # Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
# Web site: http://www.rootkit.nl # Web site: https://cisofy.com
# #
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License. # welcome to redistribute it under the terms of the GNU General Public License.
@ -66,4 +66,4 @@ wait_for_keypress
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - http://cisofy.com - The Netherlands # Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com


@ -5,8 +5,8 @@
# Lynis # Lynis
# ------------------ # ------------------
# #
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands # Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: http://www.rootkit.nl # Web site: https://cisofy.com
# #
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License. # welcome to redistribute it under the terms of the GNU General Public License.
@ -101,4 +101,4 @@ wait_for_keypress
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands # Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com


@ -5,8 +5,8 @@
# Lynis # Lynis
# ------------------ # ------------------
# #
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands # Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: http://www.rootkit.nl # Web site: https://cisofy.com
# #
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License. # welcome to redistribute it under the terms of the GNU General Public License.
@ -36,7 +36,6 @@
# Test : LOGG-2130 # Test : LOGG-2130
# Description : Check for a running syslog daemon # Description : Check for a running syslog daemon
# Notes : Log which syslog daemon is found YYY
Register --test-no LOGG-2130 --weight L --network NO --description "Check for running syslog daemon" Register --test-no LOGG-2130 --weight L --network NO --description "Check for running syslog daemon"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching for a logging daemon" logtext "Test: Searching for a logging daemon"
@ -274,7 +273,7 @@
Register --test-no LOGG-2150 --weight L --preqs-met ${PREQS_MET} --network NO --description "Checking directories in logrotate configuration" Register --test-no LOGG-2150 --weight L --preqs-met ${PREQS_MET} --network NO --description "Checking directories in logrotate configuration"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking which directories can be found in logrotate configuration" logtext "Test: Checking which directories can be found in logrotate configuration"
FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | egrep "considering log|skipping" | grep -v '*' | sort | uniq | awk '{ if ($2=="log") { print $3 } }' | sed 's/\/*[a-zA-Z_.-]*$//g' | sort | uniq` FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | egrep "considering log|skipping" | grep -v '*' | sort | uniq | awk '{ if ($2=="log") { print $3 } }' | sed 's@/[^/]*$@@g' | sort | uniq`
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
logtext "Result: nothing found" logtext "Result: nothing found"
else else
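Review bot: the new `sed 's@/[^/]*$@@g'` at the end of the FIND pipeline correctly strips the last path component whatever characters the file name contains, where the old `[a-zA-Z_.-]*` pattern left names with digits or other characters untouched. With that in place the earlier `grep -v '*'` deserves a second look: a globbed logrotate entry such as `/var/log/*.log` would now reduce cleanly to `/var/log` and could be kept rather than dropped. The `egrep "considering log|skipping"` alternative is also redundant with the later `awk '{ if ($2=="log") ... }'` filter, which discards the `skipping` lines anyway.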
@ -285,7 +284,6 @@
report "log_directory[]=${I}" report "log_directory[]=${I}"
else else
logtext "Directory could not be found: ${I}" logtext "Directory could not be found: ${I}"
# YYY strip more parts of the name, until it can be found (and stop at /)
fi fi
done done
fi fi
@ -477,12 +475,6 @@
# #
################################################################################# #################################################################################
# #
#
# Rsyslogd checks
#
#
#################################################################################
#
report "log_rotation_config_found=${LOGROTATE_CONFIG_FOUND}" report "log_rotation_config_found=${LOGROTATE_CONFIG_FOUND}"
report "log_rotation_tool=${LOGROTATE_TOOL}" report "log_rotation_tool=${LOGROTATE_TOOL}"


@ -5,8 +5,8 @@
# Lynis # Lynis
# ------------------ # ------------------
# #
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands # Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: http://www.rootkit.nl # Web site: https://cisofy.com
# #
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License. # welcome to redistribute it under the terms of the GNU General Public License.
@ -48,11 +48,11 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${AASTATUSBINARY}" = "" ]; then if [ ! "${AASTATUSBINARY}" = "" ]; then
# Checking AppArmor status # Checking AppArmor status
#0 if apparmor is enabled and policy is loaded. # 0 if apparmor is enabled and policy is loaded.
#1 if apparmor is not enabled/loaded. # 1 if apparmor is not enabled/loaded.
#2 if apparmor is enabled but no policy is loaded. # 2 if apparmor is enabled but no policy is loaded.
#3 if control files are not available # 3 if control files are not available
#4 if apparmor status can't be read # 4 if apparmor status can't be read
FIND=`${AASTATUSBINARY} > /dev/null; echo $?` FIND=`${AASTATUSBINARY} > /dev/null; echo $?`
if [ ${FIND} -eq 0 ]; then if [ ${FIND} -eq 0 ]; then
MAC_FRAMEWORK_ACTIVE=1 MAC_FRAMEWORK_ACTIVE=1
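Review bot: the indentation fix to the exit-code comment is fine, but the comment now documents five distinct aa-status states while the code below it only distinguishes `-eq 0`; code 2 (AppArmor enabled but no policy loaded) is the security-relevant case and deserves its own branch and log line rather than falling into the not-active path. Also, `${AASTATUSBINARY} > /dev/null` leaves stderr unredirected, so a permission error from aa-status prints through to the screen; use `> /dev/null 2>&1` as the other tests do.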
@ -187,14 +187,6 @@ report "framework_selinux=${SELINUXFOUND}"
wait_for_keypress wait_for_keypress
# To implement:
# FMAC (OpenSolaris, MAC)
# LSM (Linux Security Modules)
# TrustedBSD (MAC)
# RSBAC (RBAC)
# Apple sandbox technology
# PAX
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands # Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com


@ -5,8 +5,8 @@
# Lynis # Lynis
# ------------------ # ------------------
# #
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands # Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
# Web site: http://www.rootkit.nl # Web site: https://cisofy.com
# #
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License. # welcome to redistribute it under the terms of the GNU General Public License.
@ -50,29 +50,6 @@
fi fi
# #
################################################################################# #################################################################################
#
# Test : MAIL-8804
# Description : Check Exim configuration
#if [ ${EXIM_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no MAIL-8804 --weight L --network NO --description "Check Exim configuration"
#if [ ${SKIPTEST} -eq 0 ]; then
# if [ ! "${EXIMBINARY}" = "" ]; then
# logtext "Test: Searching Exim configuration file"
# FIND=`${EXIMBINARY} -d | grep "configuration file is" | sed 's/configuration file is//'`
# if [ ! "${FIND}" = "" ]; then
# Display --indent 2 --text "- Checking Exim configuration" --result FOUND --color GREEN
# Display --indent 4 --text "Result: configuration file is ${FIND}"
# logtext "Result: found Exim"
# logtext "Result: configuration file is ${FIND}"
# else
# Display --indent 2 --text "- Checking Exim configuration" --result WARNING --color RED
# logtext "Couldn't find the Exim configuration file, however Exim seems to be installed."
# fi
# else
# logtext "Exim binary not found, no tests performed"
# fi
#
#################################################################################
# #
# Test : MAIL-8814 # Test : MAIL-8814
# Description : Check Postfix process # Description : Check Postfix process
@ -161,26 +138,6 @@
fi fi
# #
################################################################################# #################################################################################
#
# Test : MAIL-8842
# Description : Check Dovecot logging locations
#Register --test-no MAIL-8842 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check dovecot logging locations"
#if [ ${SKIPTEST} -eq 0 ]; then
# ParseDovecot
# CONF="/etc/dovecot/dovecot.conf"
# FIND=`cat ${CONF} | grep "^log_path" | awk '{ if ($1=="") { print "syslog" } else { print $3 } }'`
# if [ ! "${FIND}" = "" ]; then
# logtext "Result: output for error messages = ${FIND}"
# fi
#
# FIND=`cat ${CONF} | grep "^log_info_path" | awk '{ if ($1=="") { print "syslog" } else { print $3 } }'`
# if [ ! "${FIND}" = "" ]; then
# logtext "Result: output for informational messages = ${FIND}"
# fi
#
# fi
#
#################################################################################
# #
# Test : MAIL-8860 # Test : MAIL-8860
# Description : Check Qmail process status # Description : Check Qmail process status
@ -239,23 +196,6 @@
fi fi
# #
################################################################################# #################################################################################
#
# Test : MAIL-xxxx
# Description : Check if outgoing mail is obscured (increased privacy)
#Register --test-no MAIL-xxxx --weight L --network NO --description "Check XXX"
#if [ ${SKIPTEST} -eq 0 ]; then
#
#################################################################################
#
#YYY Add support for mail, procmail
#YYY Add support for MUAs: Thunderbird, Kmail, Evolution
# Other software : Cyrus-IMAP, Amavisd-new, SpamAssassin, Fetchmail, Procmail, maildrop
#- Dovecot : \'/usr/local/etc/dovecot.conf\'
#- For Sendmail : \'/var/mail/sendmail.cf\'
#- Fetchmail : \'~/.fetchmailrc\' (not only root)
#- Cyrus-IMAP : \'/usr/local/etc/imapd.conf\' for parameters and \'/usr/local/etc/cyrus.conf\' for the services launched
#
#################################################################################
# #
report "imap_daemon=${IMAP_DAEMON}" report "imap_daemon=${IMAP_DAEMON}"
@ -267,4 +207,4 @@ wait_for_keypress
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands # Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com


@ -5,8 +5,8 @@
# Lynis # Lynis
# ------------------ # ------------------
# #
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com), The Netherlands # Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: http://cisofy.com # Web site: https://cisofy.com
# #
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License. # welcome to redistribute it under the terms of the GNU General Public License.
@ -23,7 +23,9 @@
################################################################################# #################################################################################
# #
CLAMD_RUNNING=0 CLAMD_RUNNING=0
MCAFEE_SCANNER_RUNNING=0
MALWARE_SCANNER_INSTALLED=0 MALWARE_SCANNER_INSTALLED=0
SOPHOS_SCANNER_RUNNING=0
# #
################################################################################# #################################################################################
# #
@ -66,27 +68,36 @@
Register --test-no MALW-3280 --weight L --network NO --description "Check if anti-virus tool is installed" Register --test-no MALW-3280 --weight L --network NO --description "Check if anti-virus tool is installed"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0 FOUND=0
MCAFEE_RUNNING=0
logtext "Test: checking process cma or cmdagent (McAfee)" logtext "Test: checking process cma or cmdagent (McAfee)"
# cma is too generic to match on, so we want to ensure that it is related to McAfee first # cma is too generic to match on, so we want to ensure that it is related to McAfee first
if [ -x /opt/McAfee/cma/bin/cma ]; then if [ -x /opt/McAfee/cma/bin/cma ]; then
IsRunning cma IsRunning cma
if [ ${RUNNING} -eq 1 ]; then MCAFEE_RUNNING=1; fi if [ ${RUNNING} -eq 1 ]; then MCAFEE_SCANNER_RUNNING=1; fi
else else
IsRunning cmdagent IsRunning cmdagent
if [ ${RUNNING} -eq 1 ]; then MCAFEE_RUNNING=1; fi if [ ${RUNNING} -eq 1 ]; then MCAFEE_SCANNER_RUNNING=1; fi
fi fi
if [ ${MCAFEE_RUNNING} -eq 1 ]; then if [ ${MCAFEE_SCANNER_RUNNING} -eq 1 ]; then
FOUND=1 FOUND=1
Display --indent 2 --text "- Checking McAfee" --result "FOUND" --color GREEN Display --indent 2 --text "- Checking McAfee" --result "FOUND" --color GREEN
logtext "Result: Found McAfee" logtext "Result: Found McAfee"
MALWARE_SCANNER_INSTALLED=1 MALWARE_SCANNER_INSTALLED=1
AddHP 2 2 AddHP 2 2
fi fi
# Sophos savscand/SophosScanD
logtext "Test: checking process savscand"
IsRunning savscand
if [ ${RUNNING} -eq 1 ]; then
FOUND=1
SOPHOS_SCANNER_RUNNING=1;
fi
logtext "Test: checking process SophosScanD" logtext "Test: checking process SophosScanD"
IsRunning SophosScanD IsRunning SophosScanD
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
FOUND=1 FOUND=1
SOPHOS_SCANNER_RUNNING=1;
fi
if [ ${SOPHOS_SCANNER_RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking Sophos" --result "FOUND" --color GREEN Display --indent 2 --text "- Checking Sophos" --result "FOUND" --color GREEN
logtext "Result: Found Sophos" logtext "Result: Found Sophos"
MALWARE_SCANNER_INSTALLED=1 MALWARE_SCANNER_INSTALLED=1
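Review bot: the two new `SOPHOS_SCANNER_RUNNING=1;` assignments carry a trailing semicolon that no other assignment in this file uses; drop it. The savscand and SophosScanD blocks are identical apart from the process name, so a `for PROCESS in savscand SophosScanD; do IsRunning ${PROCESS}; ... done` loop would remove the duplication and keep the two checks in step. Replacing the test-local `MCAFEE_RUNNING=0` with the file-level `MCAFEE_SCANNER_RUNNING` initialised in the earlier hunk is the right call, since the flag is then defined even when the test is skipped.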
@ -114,7 +125,6 @@
logtext "Result: clamscan couldn't be found" logtext "Result: clamscan couldn't be found"
fi fi
fi fi
# #
################################################################################# #################################################################################
# #
@ -156,26 +166,20 @@
# #
################################################################################# #################################################################################
# #
# Test : MALW-3288 # Test : MALW-3288
# Description : Check for ClamXav (Mac OS X) # Description : Check for ClamXav (Mac OS X)
# if [ -d /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
################################################################################# Register --test-no MALW-3288 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for ClamXav"
#
Register --test-no MALW-3288 --weight L --network NO --description "Check for ClamXav"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ -d /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ ]; then CLAMSCANBINARY=`ls /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | grep 'clamscan'`
CLAMSCANBINARY=`ls /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | grep 'clamscan'` if [ ! "${CLAMSCANBINARY}" = "" ]; then
if [ ! "${CLAMSCANBINARY}" = "" ]; then logtext "Result: Found ClamXav clamscan installed"
logtext "Result: Found ClamXav clamscan installed" Display --indent 2 --text "- Checking presence of ClamXav AV scanner" --result "FOUND" --color GREEN
Display --indent 2 --text "- Checking presence of ClamXav AV scanner" --result "FOUND" --color GREEN MALWARE_SCANNER_INSTALLED=1
MALWARE_SCANNER_INSTALLED=1 AddHP 3 3
AddHP 3 3
else
logtext "Result: ClamXav malware scanner not found"
AddHP 0 3
fi
else else
logtext "Result: could not find ClamXav location" logtext "Result: ClamXav malware scanner not found"
AddHP 0 3
fi fi
fi fi
# #
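Review bot: `CLAMSCANBINARY=\`ls /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | grep 'clamscan'\`` stores a bare file name, not a path, because `ls` of a directory prints names only; anything downstream that treats CLAMSCANBINARY as an executable path will fail. A direct `if [ -x /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/clamscan ]` test is simpler and yields a usable path. Moving the directory check into `--preqs-met` is a good change: the test is now skipped with the usual bookkeeping instead of silently logging "could not find ClamXav location".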
@ -185,28 +189,6 @@
# Description : Check for LMD # Description : Check for LMD
# #
################################################################################# #################################################################################
#
# Test : MALW-3292
# Description : Check if at least one malware scanner is installed
# Register --test-no MALW-3292 --weight L --network NO --description "Check for at least one malware scanner"
# if [ ${SKIPTEST} -eq 0 ]; then
# if [ ${MALWARE_SCANNER_INSTALLED} -eq 1 ]; then
# logtext "Result: At least one malware scanner is installed"
# Display --indent 2 --text "- Checking presence malware scanner" --result "FOUND" --color GREEN
# #AddHP 3 3
# else
# logtext "Result: No malware scanners found"
# Display --indent 2 --text "- Checking presence malware scanner" --result "NOT FOUND" --color YELLOW
# ReportSuggestion ${TEST_NO} "Install at least one malware scanner to perform periodic integrity tests on the system"
# #AddHP 0 3
# fi
# fi
#
#################################################################################
#
# Other projects: maldetect (rfxn)
#
#################################################################################
# #
report "malware_scanner_installed=${MALWARE_SCANNER_INSTALLED}" report "malware_scanner_installed=${MALWARE_SCANNER_INSTALLED}"
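Review bot: with the commented-out MALW-3292 block gone, nothing visible in this file acts on the case where no scanner is found; `MALWARE_SCANNER_INSTALLED` is only written to the report. If the suggestion "Install at least one malware scanner" is meant to be reinstated, track it; otherwise the removal is fine. While here, the new `MCAFEE_SCANNER_RUNNING` and `SOPHOS_SCANNER_RUNNING` flags introduced at file scope are never reported; a `report` line for each next to `malware_scanner_installed` would make them available to consumers of the report file.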


@ -5,8 +5,8 @@
# Lynis # Lynis
# ------------------ # ------------------
# #
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands # Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: http://www.rootkit.nl # Web site: https://cisofy.com
# #
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License. # welcome to redistribute it under the terms of the GNU General Public License.
@ -110,23 +110,10 @@
fi fi
# #
################################################################################# #################################################################################
#
# Ubuntu test: dead processes
# who -d
#
#################################################################################
#
# Test : PROC-3624
# Description : Check shared memory (ipcs -m)
# Notes : if it's empty, check /dev/shm and warn if any files are left behind
#Register --test-no PROC-3614 --os Linux --weight L --network NO --description "Check shared memory"
#if [ ${SKIPTEST} -eq 0 ]; then
#
#################################################################################
# #
wait_for_keypress wait_for_keypress
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands # Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com


@ -5,8 +5,8 @@
# Lynis # Lynis
# ------------------ # ------------------
# #
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands # Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: http://www.rootkit.nl # Web site: https://cisofy.com
# #
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License. # welcome to redistribute it under the terms of the GNU General Public License.
@ -30,6 +30,7 @@
POWERDNS_AUTH_CONFIG_LOCATION="" POWERDNS_AUTH_CONFIG_LOCATION=""
POWERDNS_AUTH_MASTER=0 POWERDNS_AUTH_MASTER=0
POWERDNS_AUTH_SLAVE=0 POWERDNS_AUTH_SLAVE=0
UNBOUND_CONFIG_OK=0
YPBIND_RUNNING=0 YPBIND_RUNNING=0
# #
################################################################################# #################################################################################
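Review bot: `UNBOUND_CONFIG_OK=0` is initialised here, but `UNBOUND_RUNNING`, which the next hunk reads with `if [ ${UNBOUND_RUNNING} -eq 1 ]`, is not (it would sit between UNBOUND_CONFIG_OK and YPBIND_RUNNING in this alphabetical block and is absent); it is only assigned inside the `RUNNING -eq 1` branch, so on a host without unbound the shell evaluates `[ -eq 1 ]` and reports a unary-operator error. The same applies to `NAME_CACHE_USED`, which is set to 1 in the nscd and unbound branches and reported at the end of the file, unless it is initialised somewhere not shown. Add `UNBOUND_RUNNING=0` and `NAME_CACHE_USED=0` to this block.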
@ -228,12 +229,57 @@
logtext "Test: checking nscd status" logtext "Test: checking nscd status"
IsRunning nscd IsRunning nscd
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
NAME_CACHE_USED=1
logtext "Result: nscd is running" logtext "Result: nscd is running"
Display --indent 2 --text "- Checking nscd status" --result RUNNING --color GREEN Display --indent 2 --text "- Checking nscd status" --result RUNNING --color GREEN
else else
logtext "Result: nscd is not running" logtext "Result: nscd is not running"
Display --indent 2 --text "- Checking nscd status" --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking nscd status" --result "NOT FOUND" --color WHITE
#YYY show performance suggestion if LDAP is used fi
fi
#
#################################################################################
#
# Test : NAME-4034
# Description : Check name service caching daemon (Unbound) status
Register --test-no NAME-4034 --weight L --network NO --description "Check Unbound status"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking Unbound (unbound) status"
IsRunning unbound
if [ ${RUNNING} -eq 1 ]; then
UNBOUND_RUNNING=1
NAME_CACHE_USED=1
logtext "Result: Unbound daemon is running"
Display --indent 2 --text "- Checking Unbound status" --result RUNNING --color GREEN
else
logtext "Result: Unbound daemon is not running"
Display --indent 2 --text "- Checking Unbound status" --result "NOT FOUND" --color WHITE
fi
fi
#
#################################################################################
#
# Test : NAME-4036
# Description : Checking Unbound configuration file
if [ ${UNBOUND_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NAME-4036 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Unbound configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`which unbound-checkconf`
if [ ! "${FIND}" = "" ]; then
logtext "Test: running unbound-checkconf"
# Don't capture any output, just gather exit code (0 is fine, otherwise bad)
FIND=`unbound-checkconf > /dev/null 2>&1`
if [ $? -eq 0 ]; then
UNBOUND_CONFIG_OK=1
logtext "Result: Configuration is fine"
Display --indent 2 --text "- Checking configuration file" --result OK --color GREEN
else
logtext "Result: Unbound daemon is not running"
Display --indent 2 --text "- Checking configuration file" --result "NOT OK" --color YELLOW
ReportWarning "${TEST_NO}" "L" "Found Unbound configuration file issues (run unbound-checkconf)"
fi
else
logtext "Result: skipped, can't find unbound-checkconf utility"
fi fi
fi fi
# #
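Review bot: the else branch of the unbound-checkconf result logs "Result: Unbound daemon is not running", which is copied from NAME-4034 and is wrong at this point (the daemon is running, its configuration failed validation); log something like "Result: unbound-checkconf reported configuration errors" so the log matches the ReportWarning. Two smaller points: `FIND=\`unbound-checkconf > /dev/null 2>&1\`` captures nothing, so run the command directly and test `$?`; and `which unbound-checkconf` resolves the utility through PATH while the rest of the file relies on pre-resolved `*BINARY` variables, so the outcome can differ with a minimal PATH.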
@ -263,7 +309,6 @@
Register --test-no NAME-4204 --preqs-met ${PREQS_MET} --weight L --network NO --description "Search BIND configuration file" Register --test-no NAME-4204 --preqs-met ${PREQS_MET} --weight L --network NO --description "Search BIND configuration file"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Search BIND configuration file" logtext "Test: Search BIND configuration file"
#YYY add chrooted environments
for I in ${BIND_CONFIG_LOCS}; do for I in ${BIND_CONFIG_LOCS}; do
if [ -f ${I}/named.conf ]; then if [ -f ${I}/named.conf ]; then
BIND_CONFIG_LOCATION="${I}/named.conf" BIND_CONFIG_LOCATION="${I}/named.conf"
@ -377,7 +422,6 @@
Register --test-no NAME-4232 --preqs-met ${PREQS_MET} --weight L --network NO --description "Search PowerDNS configuration file" Register --test-no NAME-4232 --preqs-met ${PREQS_MET} --weight L --network NO --description "Search PowerDNS configuration file"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Search PowerDNS configuration file" logtext "Test: Search PowerDNS configuration file"
#YYY add chrooted environments
for I in ${POWERDNS_CONFIG_LOCS}; do for I in ${POWERDNS_CONFIG_LOCS}; do
if [ -f ${I}/pdns.conf ]; then if [ -f ${I}/pdns.conf ]; then
POWERDNS_AUTH_CONFIG_LOCATION="${I}/pdns.conf" POWERDNS_AUTH_CONFIG_LOCATION="${I}/pdns.conf"
@ -569,7 +613,7 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Check /etc/hosts contains an entry for this server name" logtext "Test: Check /etc/hosts contains an entry for this server name"
if [ -f /etc/hosts ]; then if [ -f /etc/hosts ]; then
sFIND=`cat /etc/hosts | egrep -v '^(#|$|::1|localhost)' | grep ${HOSTNAME}` sFIND=`cat /etc/hosts | egrep -v '^(#|$|^::1\s|localhost)' | grep ${HOSTNAME}`
if [ "${sFIND}" != "" ]; then if [ "${sFIND}" != "" ]; then
logtext "Result: Found entry for ${HOSTNAME} in /etc/hosts" logtext "Result: Found entry for ${HOSTNAME} in /etc/hosts"
Display --indent 4 --text "- Checking /etc/hosts (hostname)" --result OK --color GREEN Display --indent 4 --text "- Checking /etc/hosts (hostname)" --result OK --color GREEN
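Review bot: `\s` in `egrep -v '^(#|$|^::1\s|localhost)'` is a GNU grep extension, not POSIX ERE, so non-GNU grep implementations may treat it as a literal `s` rather than whitespace; `[[:space:]]` is the portable spelling. The inner `^` before `::1` is redundant, since the group is already anchored. The trailing `grep ${HOSTNAME}` remains an unanchored substring match here while the next hunk switches the same pattern to `grep -w`; the two tests should agree.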
@ -590,7 +634,7 @@
Register --test-no NAME-4406 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check server hostname mapping" Register --test-no NAME-4406 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check server hostname mapping"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Check server hostname not locally mapped in /etc/hosts" logtext "Test: Check server hostname not locally mapped in /etc/hosts"
sFIND=`cat /etc/hosts | egrep -v '^(#|$)' | egrep '(localhost|::1)' | grep ${HOSTNAME}` sFIND=`cat /etc/hosts | egrep -v '^(#|$)' | egrep '(localhost|^::1\s)' | grep -w ${HOSTNAME}`
if [ ! "${sFIND}" = "" ]; then if [ ! "${sFIND}" = "" ]; then
logtext "Result: Found this server hostname mapped to a local address" logtext "Result: Found this server hostname mapped to a local address"
Display --indent 4 --text "- Checking /etc/hosts (localhost)" --result SUGGESTION --color YELLOW Display --indent 4 --text "- Checking /etc/hosts (localhost)" --result SUGGESTION --color YELLOW
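Review bot: adding `-w` to `grep -w ${HOSTNAME}` stops a short hostname matching a longer one that merely starts with it, which is the right direction, but HOSTNAME is still interpreted as a regular expression, so the dots of an FQDN match any character; `grep -w -F "${HOSTNAME}"` is safer. As in the previous hunk, `\s` is a GNU grep extension and `[[:space:]]` is the portable form.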
@ -605,8 +649,9 @@
################################################################################# #################################################################################
# #
report ="name_cache_used=${NAME_CACHE_USED}"
wait_for_keypress wait_for_keypress
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2015 Michael Boelen, CISOfy - https://cisofy.com # Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
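Review bot: `report ="name_cache_used=${NAME_CACHE_USED}"` has a space before the `=`, so the shell calls the `report` function with the argument `=name_cache_used=...` instead of the intended key/value pair; it should read `report "name_cache_used=${NAME_CACHE_USED}"`. NAME_CACHE_USED also needs a default of 0 at the top of the file, since the visible code only ever assigns it 1 in the nscd and unbound running branches.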


@ -5,8 +5,8 @@
# Lynis # Lynis
# ------------------ # ------------------
# #
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands # Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: http://www.rootkit.nl # Web site: https://cisofy.com
# #
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License. # welcome to redistribute it under the terms of the GNU General Public License.
@ -29,7 +29,7 @@
# #
################################################################################# #################################################################################
# #
# Test : NETW-2704 (YYY move to nameservices section) # Test : NETW-2704
# Description : Basic nameserver configuration tests (connectivity) # Description : Basic nameserver configuration tests (connectivity)
Register --test-no NETW-2704 --weight L --network YES --description "Basic nameserver configuration tests" Register --test-no NETW-2704 --weight L --network YES --description "Basic nameserver configuration tests"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
@ -200,7 +200,7 @@
case ${OS} in case ${OS} in
AIX) AIX)
FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet") print $2 }'` FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet") print $2 }'`
# IPv6 support in AIX? (YYY) FIND2=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet6") print $2 }'`
;; ;;
DragonFly|FreeBSD|NetBSD) DragonFly|FreeBSD|NetBSD)
FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet") print $2 }'` FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet") print $2 }'`
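Review bot: `FIND2` for AIX inet6 addresses is introduced in this hunk, while the adjacent DragonFly|FreeBSD|NetBSD branch visibly only sets FIND; confirm that FIND2 is consumed where addresses are reported and that it is assigned (or cleared) in every `case` branch, otherwise it is empty on other platforms or carries a value from wherever it was last set.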
@ -447,16 +447,17 @@
# Test : NETW-3028 # Test : NETW-3028
# Description : Checking for many waiting connections # Description : Checking for many waiting connections
# Type : Performance # Type : Performance
# Notes : It is common to see a healthy web server seeing to have several thousands of TCP connections in WAIT state
if [ ! "${NETSTATBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! "${NETSTATBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NETW-3028 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking connections in WAIT state" Register --test-no NETW-3028 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking connections in WAIT state"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Using netstat for check for connections in WAIT state" logtext "Test: Using netstat for check for connections in WAIT state"
FIND=`${NETSTATBINARY} -an | grep WAIT | wc -l | awk '{ print $1 }'` FIND=`${NETSTATBINARY} -an | grep WAIT | wc -l | awk '{ print $1 }'`
if [ "${OPTIONS_CONN_MAX_WAIT_STATE}" = "" ]; then OPTIONS_CONN_MAX_WAIT_STATE="100"; fi if [ "${OPTIONS_CONN_MAX_WAIT_STATE}" = "" ]; then OPTIONS_CONN_MAX_WAIT_STATE="5000"; fi
logtext "Result: currently ${FIND} connections are in a waiting state (max configured: ${OPTIONS_CONN_MAX_WAIT_STATE})." logtext "Result: currently ${FIND} connections are in a waiting state (max configured: ${OPTIONS_CONN_MAX_WAIT_STATE})."
if [ ${FIND} -gt ${OPTIONS_CONN_MAX_WAIT_STATE} ]; then if [ ${FIND} -gt ${OPTIONS_CONN_MAX_WAIT_STATE} ]; then
Display --indent 2 --text "- Checking waiting connections" --result WARNING --color YELLOW Display --indent 2 --text "- Checking waiting connections" --result WARNING --color YELLOW
ReportWarning ${TEST_NO} "H" "Found too much connections in WAIT state (${FIND})" ReportSuggestion "${TEST_NO}" "Determine why system has many connections in WAIT state (${FIND})"
else else
Display --indent 2 --text "- Checking waiting connections" --result OK --color GREEN Display --indent 2 --text "- Checking waiting connections" --result OK --color GREEN
logtext "Result: ${FIND} connections are in WAIT state" logtext "Result: ${FIND} connections are in WAIT state"
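Review bot: the result is now a suggestion (`ReportSuggestion`) with a default of 5000, but the `Display` line just above it still prints `--result WARNING --color YELLOW`; change it to `--result SUGGESTION` so the screen and the report agree. The removed Notes line was the only place explaining why several thousand WAIT-state connections are normal on a busy web server; keep that rationale as a comment next to the new default. `grep WAIT` also counts CLOSE_WAIT and FIN_WAIT states together with TIME_WAIT, which is worth stating in the log text since they have different causes.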
@ -472,8 +473,6 @@
IsRunning dhclient IsRunning dhclient
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking status DHCP client" --result RUNNING --color WHITE Display --indent 2 --text "- Checking status DHCP client" --result RUNNING --color WHITE
#YYY report if system type is server, that it is running with DHCP client, might be a badly configured machine
#report "manual[]=System is running DHCP client"
DHCP_CLIENT_RUNNING=1 DHCP_CLIENT_RUNNING=1
else else
Display --indent 2 --text "- Checking status DHCP client" --result "NOT ACTIVE" --color WHITE Display --indent 2 --text "- Checking status DHCP client" --result "NOT ACTIVE" --color WHITE
@ -481,20 +480,6 @@
fi fi
# #
################################################################################# #################################################################################
#
# Test : NETW-3060
# Description : Check if IPv6 is configured AND used
# /etc/modprobe.d (add 'install ipv6 /bin/true' if IPv6 isn't used)
# or
# aliased (/etc/modprobe.d/aliases?): alias net-pf-10 off ipv6 (to disable)
#Register --test-no NETW-3060 --weight L --network NO --description "Checking IPv6 connectivity"
#if [ ${SKIPTEST} -eq 0 ]; then
#
#################################################################################
#
# Linux: net.ipv4.ip_always_defrag
#
#################################################################################
# #
report "dhcp_client_running=${DHCP_CLIENT_RUNNING}" report "dhcp_client_running=${DHCP_CLIENT_RUNNING}"
@ -502,4 +487,4 @@ wait_for_keypress
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands # Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com


@ -5,8 +5,8 @@
# Lynis # Lynis
# ------------------ # ------------------
# #
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands # Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: http://www.rootkit.nl # Web site: https://cisofy.com
# #
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License. # welcome to redistribute it under the terms of the GNU General Public License.
@ -252,37 +252,13 @@
logtext "Result: Found 'allow_url_include' in disabled state (0, no, or off)" logtext "Result: Found 'allow_url_include' in disabled state (0, no, or off)"
AddHP 2 2 AddHP 2 2
fi fi
#YYY Check through all files
fi fi
# #
################################################################################# #################################################################################
# #
# Disable/use functions:
# safe_mode (only for PHP5?)
# open_basedir (limits access to defined directory, comparable with chrooting)
# disable_classes
# session.save_path
# session.referer_check
# upload_tmp_dir
# file_uploads Off, if possible
# Set display_errors to Off
# Set log_errors to On and define error_log (with value Syslog or a filename)
#
#################################################################################
#
# mod_suexec
# suPHP (/etc/suphp.conf)
#
#################################################################################
#
# Test : PHP-2388
# Description : Check php version number
#
#################################################################################
#
wait_for_keypress wait_for_keypress
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands # Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
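Review bot: the deleted comment block is the only record of the planned PHP hardening checks (safe_mode, open_basedir, disable_classes, session.save_path, session.referer_check, upload_tmp_dir, file_uploads Off, display_errors Off, log_errors On with error_log, mod_suexec/suPHP, and the PHP-2388 version check), and nothing in this change replaces them; move that list to the issue tracker rather than dropping it. The removed `#YYY Check through all files` marker next to the allow_url_include result also still applies: that test reports on a single php.ini, so the AddHP 2 2 above it is awarded even when other php.ini files on the host leave allow_url_include enabled.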

View File

@ -5,8 +5,8 @@
# Lynis # Lynis
# ------------------ # ------------------
# #
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands # Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: http://www.rootkit.nl # Web site: https://cisofy.com
# #
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License. # welcome to redistribute it under the terms of the GNU General Public License.
@ -78,35 +78,6 @@
fi fi
# #
################################################################################# #################################################################################
#
# Temporary disabled due false positives
# Packages like docbook, gcc, automake report multiple installed versions
# # Test : PKGS-7303
# # Description : Query FreeBSD pkg_info
# if [ -x /usr/sbin/pkg_info ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Register --test-no PKGS-7303 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query FreeBSD for double installed packages"
# if [ ${SKIPTEST} -eq 0 ]; then
# SDOUBLEINSTALLED=`pkg_info | sort | sed -e 's/-[0-9].*$//' | uniq -c | grep -v '^[[:space:]]*1' | tr -s ' ' | cut -d ' ' -f3`
# if [ "${SDOUBLEINSTALLED}" = "" ]; then
# Display --indent 6 --text "- Querying pkg_info for double installed packages" --result OK --color GREEN
# logtext "Ok, no packages show up twice or more in the package listing."
# else
# Display --indent 6 --text "- Querying pkg_info for double installed packages" --result WARNING --color RED
# for J in ${SDOUBLEINSTALLED}; do
# ReportWarning ${TEST_NO} "M" "Found probably incorrect installed package (${J})"
# logtext "This package ${J} is visible twice or more in the pkg_info listing."
# ReportSuggestion ${TEST_NO} "(FreeBSD) run pkgdb -F and check this manually."
# ReportSuggestion ${TEST_NO} "(OpenBSD) check dependencies to see if one of the double "
# logtext "installed packages is unneeded."
# report "double_installed_package[]=${J}"
# done
# fi
# else
# Display --indent 4 --text "- Searching pkg_info" --result "NOT FOUND" --color WHITE
# logtext "Result: pkg_info can NOT be found on this system"
# fi
#
#################################################################################
# #
# Test : PKGS-7304 # Test : PKGS-7304
# Description : Gentoo packages # Description : Gentoo packages
@ -152,7 +123,6 @@
logtext "Result: pkginfo can NOT be found on this system" logtext "Result: pkginfo can NOT be found on this system"
fi fi
# #
#
################################################################################# #################################################################################
# #
# Test : PKGS-7308 # Test : PKGS-7308
@ -202,7 +172,6 @@
if [ "${SPACKAGES}" = "" ]; then if [ "${SPACKAGES}" = "" ]; then
logtext "Result: pacman binary available, but package list seems to be empty" logtext "Result: pacman binary available, but package list seems to be empty"
logtext "Info: looks like the pacman binary is installed, but not used for package installation" logtext "Info: looks like the pacman binary is installed, but not used for package installation"
#YYY ReportException?
else else
for J in ${SPACKAGES}; do for J in ${SPACKAGES}; do
N=`expr ${N} + 1` N=`expr ${N} + 1`
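Review bot: the removed `#YYY ReportException?` marker pointed at a real gap: in the branch where pacman exists but `${SPACKAGES}` is empty, the two logtext lines are the only output, so this unexpected state never reaches the report. Add `ReportException "${TEST_NO}:1" "pacman binary available but package list is empty"` beside those logtext lines, as the kernel-count test later in this change does for its empty-result case.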
@ -380,7 +349,7 @@
fi fi
# #
################################################################################# #################################################################################
#
# Test : PKGS-7348 # Test : PKGS-7348
# Description : Show unneeded distfiles if present # Description : Show unneeded distfiles if present
# Notes : Portsclean seems to be gone from the ports, so no suggestion or warning is # Notes : Portsclean seems to be gone from the ports, so no suggestion or warning is
@ -402,9 +371,67 @@
fi fi
# #
################################################################################# #################################################################################
#
# Test : PKGS-7366
# Description : Checking if debsecan is installed and enabled on Debian systems
if [ ! "${DEBSECANBINARY}" = "" -a "${OS}" = "Linux" -a "${LINUX_VERSION}" = "Debian" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no "PKGS-7366" --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking for debsecan utility"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${DEBSECANBINARY}" = "" ]; then
logtext "Result: debsecan utility is installed"
Display --indent 4 --text "- debsecan utility" --result "FOUND" --color GREEN
AddHP 3 3
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="debsecan"
FIND=`find /etc/cron* -name debsecan`
if [ ! ${FIND} = "" ]; then
logtext "Result: cron job is configured for debsecan"
Display --indent 6 --text "- debsecan cron job" --result "FOUND" --color GREEN
AddHP 3 3
else
logtext "Result: no cron job is configured for debsecan"
Display --indent 4 --text "- debsecan cron job" --result "NOT FOUND" --color YELLOW
AddHP 1 3
ReportSuggestion ${TEST_NO} "Check debsecan cron job and ensure it is enabled"
fi
else
logtext "Result: debsecan is not installed."
Display --indent 4 --text "- debsecan utility" --result "NOT FOUND" --color YELLOW
AddHP 0 2
ReportSuggestion ${TEST_NO} "Install debsecan to check for vulnerabilities on installed packages."
fi
fi
#
#################################################################################
# #
# Test : PKGS-7370 # Test : PKGS-7370
# Description : Check debsums output # Description : Checking debsums installation status and presence in cron job
# Note : Run this only when it is a DPKG based system
if [ ! "${DPKGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no "PKGS-7370" --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking for debsums utility"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${DEBSUMSBINARY}" = "" ]; then
logtext "Result: debsums utility is installed"
Display --indent 4 --text "- debsums utility" --result "FOUND" --color GREEN
AddHP 1 1
# Check in /etc/cron.hourly, daily, weekly, monthly etc
COUNT=`find /etc/cron* -name debsums | wc -l`
if [ ${COUNT} -gt 0 ]; then
logtext "Result: Cron job is configured for debsums utility."
Display --indent 6 --text "- Cron job for debsums" --result "FOUND" --color GREEN
AddHP 3 3
else
logtext "Result: Cron job is not configured for debsums utility."
Display --indent 6 --text "- Cron job for debsums" --result "NOT FOUND" --color YELLOW
AddHP 1 3
ReportSuggestion "${TEST_NO}" "Check debsums configuration and enable checking regurlarly via a cron job."
fi
else
logtext "Result: debsums utility is not installed."
AddHP 0 2
ReportSuggestion ${TEST_NO} "Install debsums utility for the verification of packages with known good database."
fi
fi
# #
################################################################################# #################################################################################
# #
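Review bot: `if [ ! ${FIND} = "" ]; then` in the debsecan cron check leaves `${FIND}` unquoted, so when `find /etc/cron* -name debsecan` returns nothing the test degenerates to `[ ! = "" ]` and errors out, and when it returns more than one path the extra words break the test as well; quote it as the rest of the file does (`if [ ! "${FIND}" = "" ]; then`) and add `2> /dev/null` to both `find /etc/cron*` calls so an unmatched glob does not spill errors to the terminal. Smaller points in the same hunk: the debsecan cron "NOT FOUND" line uses `--indent 4` while its "FOUND" counterpart uses `--indent 6`; the debsums "not installed" branch has no Display call at all, so the user sees nothing on screen although points are deducted; and "regurlarly" in the debsums suggestion should be "regularly".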
@ -482,7 +509,6 @@
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
logtext "Result: pkg audit results are clean" logtext "Result: pkg audit results are clean"
Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result NONE --color GREEN Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result NONE --color GREEN
# Don't check yet, output of found vulnerable packages unclear (YYY)
else else
logtext "Result: ${FIND}" logtext "Result: ${FIND}"
#Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result WARNING --color RED #Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result WARNING --color RED
@ -933,9 +959,30 @@
# #
################################################################################# #################################################################################
# #
# check for popularity-contest (Debian/Ubuntu) # Test : PKGS-7410
# check for yum-changelog # Description : Count number of installed kernel packages
Register --test-no PKGS-7410 --weight L --network NO --description "Count installed kernel packages"
if [ ${SKIPTEST} -eq 0 ]; then
KERNELS=0
if [ ! "${RPMBINARY}" = "" ]; then
logtext "Test: Checking how many kernel packages are installed"
KERNELS=`rpm -q kernel 2> /dev/null | wc -l`
if [ ${KERNELS} -eq 0 ]; then
logtext "Result: found no kernels from rpm -q kernel output, which is unexpected"
ReportException "KRNL-5840:1" "Could not find any kernel packages from RPM output"
elif [ ${KERNELS} -gt 5 ]; then
logtext "Result: found more than 5 kernel packages on the system, which might indicate lack of regular cleanups"
ReportSuggestion "${TEST_NO}" "Remove any unneeded kernel packages with package-cleanup utility (--old-kernels)"
AddHP 4 5
else
logtext "Result: found ${KERNELS} on the system, which is fine"
AddHP 1 1
fi
fi
fi
#
#################################################################################
#
if [ ! "${INSTALLED_PACKAGES}" = "" ]; then if [ ! "${INSTALLED_PACKAGES}" = "" ]; then
report "installed_packages_array=${INSTALLED_PACKAGES}" report "installed_packages_array=${INSTALLED_PACKAGES}"
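Review bot: `ReportException "KRNL-5840:1"` inside PKGS-7410 attributes the exception to a different test; use `"${TEST_NO}:1"` so the report points at the check that raised it. Also in this hunk: the test is registered without `--preqs-met`, so on systems without `${RPMBINARY}` it registers, does nothing and silently leaves `KERNELS=0`; the branches award a maximum of 5 points in one case and 1 in the other, which skews the hardening index depending on the outcome; the log line `"Result: found ${KERNELS} on the system, which is fine"` is missing the words "kernel packages"; and the zero-count branch assumes `rpm -q kernel` prints nothing on stdout when no such package exists, which is worth verifying, since a "not installed" message on stdout would be counted as one kernel by `wc -l`.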
@ -949,4 +996,4 @@ wait_for_keypress
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2015 Michael Boelen, CISOfy - https://cisofy.com # Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com

View File

@ -293,4 +293,4 @@ wait_for_keypress
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands # Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com

View File

@ -5,8 +5,8 @@
# Lynis # Lynis
# ------------------ # ------------------
# #
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands # Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: http://www.rootkit.nl # Web site: https://cisofy.com
# #
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License. # welcome to redistribute it under the terms of the GNU General Public License.
@ -139,16 +139,16 @@
# Description : Check atd status # Description : Check atd status
Register --test-no SCHD-7718 --weight L --network NO --description "Check at users" Register --test-no SCHD-7718 --weight L --network NO --description "Check at users"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking atd status" logtext "Test: Checking atd status"
FIND=`${PSBINARY} ax | grep "/atd" | grep -v "grep"` FIND=`${PSBINARY} ax | grep "/atd" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
logtext "Result: at daemon active" logtext "Result: at daemon active"
Display --indent 2 --text "- Checking atd status" --result RUNNING --color GREEN Display --indent 2 --text "- Checking atd status" --result RUNNING --color GREEN
ATD_RUNNING=1 ATD_RUNNING=1
else else
logtext "Result: at daemon not active" logtext "Result: at daemon not active"
Display --indent 2 --text "- Checking atd status" --result "NOT RUNNING" --color WHITE Display --indent 2 --text "- Checking atd status" --result "NOT RUNNING" --color WHITE
fi fi
fi fi
# #
################################################################################# #################################################################################
@ -247,4 +247,4 @@ wait_for_keypress
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands # Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com

View File

@ -57,16 +57,9 @@
logtext "Output /etc/ttys:" logtext "Output /etc/ttys:"
logtext "${FIND}" logtext "${FIND}"
ReportWarning ${TEST_NO} "M" "Found unprotected console in /etc/ttys" ReportWarning ${TEST_NO} "M" "Found unprotected console in /etc/ttys"
#ReportSuggestion ${TEST_NO} "Change the console line from 'secure' to 'insecure'." logtext "Possible solution: Change the console line from 'secure' to 'insecure'."
fi fi
fi fi
#
#################################################################################
#
# Test : SHLL-6214
# Description : check for idle session killing tools (timeoutd)
# #
################################################################################# #################################################################################
# #
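Review bot: the remediation text next to `ReportWarning ${TEST_NO} "M" "Found unprotected console in /etc/ttys"` is now written only with logtext, so the warning appears in the report without its fix; keep a `ReportSuggestion ${TEST_NO} "Change the console line from 'secure' to 'insecure'"` alongside the log line rather than replacing it.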
@ -221,40 +214,55 @@
# #
################################################################################# #################################################################################
# #
# Test : SHLL-6236 # Test : SHLL-6230
# Description : Check /etc/profile # Description : Check for umask values in shell configurations
# SHELL_CONFIG_FILES="/etc/bashrc /etc/bash.bashrc /etc/csh.cshrc /etc/profile"
################################################################################# Register --test-no SHLL-6230 --weight H --network NO --description "Perform umask check for shell configurations"
# if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
# Test : SHLL-6240 HARDENING_POSSIBLE=0
# Description : Check default umask Display --indent 2 --text "- Checking default umask values"
# Register --test-no SHLL-6240 --weight L --network NO --description "Check default umask" for FILE in ${SHELL_CONFIG_FILES}; do
# if [ ${SKIPTEST} -eq 0 ]; then FIND=""
# logtext "Test: Checking /etc/profile" if [ -f ${FILE} ]; then
# if [ -f /etc/profile ]; then logtext "Result: file ${FILE} exists"
# FIND=`grep "^umask" | awk '{ print $2 }'` FOUND=1
# if [ "${FIND}" = "" ]; then FIND=`grep umask ${FILE} | sed 's/^[ \t]*//g' | sed 's/#.*$//' | grep -v "^$" | awk '{ print $2 }'`
# logtext "Result: xxx" if [ "${FIND}" = "" ]; then
# Display --indent 2 --text "- Checking default umask" --result OK --color GREEN logtext "Result: did not find umask configured in ${FILE}"
# else Display --indent 4 --text "- Checking default umask in ${FILE}" --result NONE --color YELLOW
# logtext "Result: xxx" else
# Display --indent 2 --text "- Checking default umask" --result WARNING --color RED for UMASKVALUE in ${FIND}; do
# #ReportWarning ${TEST_NO} "M" "xxx" logtext "Result: found umask ${UMASKVALUE} in ${FILE}"
# #ReportSuggestion ${TEST_NO} "xxx" case ${UMASKVALUE} in
# fi 027|0027|077|0077)
# fi logtext "Result: umask ${UMASKVALUE} is considered a properly hardened value"
# fi ;;
# *)
################################################################################# logtext "Result: umask ${UMASKVALUE} can be hardened "
# HARDENING_POSSIBLE=1
# Test : SHLL-6250 ;;
# Description : Check /etc/bash.bashrc esac
# Register --test-no SHLL-6250 --weight L --network NO --description "Check default umask" done
# if [ ${SKIPTEST} -eq 0 ]; then if [ ${HARDENING_POSSIBLE} -eq 0 ]; then
# Display --indent 4 --text "- Checking default umask in ${FILE}" --result OK --color GREEN
################################################################################# AddHP 3 3
# else
Display --indent 4 --text "- Checking default umask in ${FILE}" --result WEAK --color YELLOW
AddHP 1 3
fi
fi
else
logtext "Result: file ${FILE} not found"
fi
done
#if [ ${FOUND} -eq 1 ]; then
# if [ ${HARDENING_POSSIBLE} -eq 0 ]; then
# logtext "Result: all shell files found, contain a proper umask"
# Display --indent 4 --text "- Default umask" --result OK --color GREEN
# fi
#fi
fi
# #
################################################################################# #################################################################################
# #
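Review bot: `HARDENING_POSSIBLE=0` is set once before `for FILE in ${SHELL_CONFIG_FILES}; do` and never reset inside the loop, so once any file contains a weak umask every later file is displayed as WEAK and scored `AddHP 1 3` even when its own umask is 027 or 077; move the reset to the top of the loop body, or track the weak files in a separate variable if the per-file result is meant to be cumulative. Also in this hunk: `grep umask ${FILE}` matches the word anywhere on a line, so a line such as `echo "set umask"` yields a bogus value for the case statement; filter on `^umask[[:space:]]` after the leading-whitespace sed instead. `FOUND` is set but never read now that the trailing `#if [ ${FOUND} -eq 1 ]` block is commented out; either finish that summary or drop both.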
@ -395,4 +403,4 @@ wait_for_keypress
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2015, CISOfy & Michael Boelen - http://cisofy.com - The Netherlands # Lynis - Copyright 2007-2015, CISOfy - http://cisofy.com

View File

@ -5,8 +5,8 @@
# Lynis # Lynis
# ------------------ # ------------------
# #
# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com), The Netherlands # Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: http://cisofy.com # Web site: https://cisofy.com
# #
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License. # welcome to redistribute it under the terms of the GNU General Public License.
@ -66,4 +66,4 @@ wait_for_keypress
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands # Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com

View File

@ -103,15 +103,6 @@
fi fi
# #
################################################################################# #################################################################################
#
# # Test : SQD-3608
# # Description : Check Squid build options
# if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Register --test-no SQD-3608 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid version"
# if [ ${SKIPTEST} -eq 0 ]; then
# fi
#
#################################################################################
# #
# Test : SQD-3610 # Test : SQD-3610
# Description : Check Squid configuration options # Description : Check Squid configuration options
@ -129,15 +120,6 @@
fi fi
# #
################################################################################# #################################################################################
#
# # Test : SQD-3612
# # Description : Check Squid additional configuration files
# if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Register --test-no SQD-3612 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check additional Squid configuration files"
# if [ ${SKIPTEST} -eq 0 ]; then
# fi
#
#################################################################################
# #
# Test : SQD-3613 # Test : SQD-3613
# Description : Check Squid configuration options # Description : Check Squid configuration options
@ -265,7 +247,7 @@
#SQUID_DAEMON_UNSAFE_PORTS_LIST #SQUID_DAEMON_UNSAFE_PORTS_LIST
for I in ${SQUID_DAEMON_UNSAFE_PORTS_LIST}; do for I in ${SQUID_DAEMON_UNSAFE_PORTS_LIST}; do
logtext "Test: Checking port ${I} in Safe_ports list" logtext "Test: Checking port ${I} in Safe_ports list"
FIND2=`grep "^acl Safe_ports port ${I}" ${SQUID_DAEMON_CONFIG}` FIND2=`grep -w "^acl Safe_ports port ${I}" ${SQUID_DAEMON_CONFIG}`
if [ "${FIND2}" = "" ]; then if [ "${FIND2}" = "" ]; then
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "NOT FOUND" --color GREEN Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "NOT FOUND" --color GREEN
AddHP 1 1 AddHP 1 1
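Review bot: adding `-w` stops port 8 from matching port 80, but the pattern `"^acl Safe_ports port ${I}"` is still anchored so that only the first port on the line is examined; an `acl Safe_ports port` line that lists several ports after the first will not be matched for the later ones, and `-w` still matches `${I}` at the start of a range such as `80-81` because `-` is not a word character. Matching on `"^acl Safe_ports port.*[[:space:]]${I}([[:space:]]|$)"` (or splitting the line into individual ports before comparing) would cover both cases.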
@ -315,7 +297,6 @@
# #
################################################################################# #################################################################################
# #
# Test : SQD-3680 # Test : SQD-3680
# Description : Check httpd_suppress_version_string # Description : Check httpd_suppress_version_string
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
@ -338,46 +319,6 @@
################################################################################# #################################################################################
# #
# Squid
#Hardening:
# $1 $3
# acl snmp_community
# acl maxconn
# acl max_user_ip
#
# follow_x_forwarded_for
#Read cache_peer host type(sibling/parent) proxyport icpport options (if set, icp_access should be set as well)
#Read cache_peer_domain
#Read cache_peer_access
#Read icp_access
#Read icp_port
#Read htcp_access
#Read htcp_port
#Read http_port
#Read https_port
#Read cache_dir
#Read access_log
#Read coredump_dir
#Read quick_abort_min / max /pct
#
# Memory tuning
#Read cache_mem
#Read maximum_object_size_in_memory
#Read maximum_object_size
#Read cache_swap_low
#Read cache_swap_high
# Security
#cache_effective_user
# off
#forwarded_for
#wccp
#
#################################################################################
#
wait_for_keypress wait_for_keypress
# #
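Review bot: the deleted checklist carried security-relevant Squid settings that no test in this change covers (cache_effective_user, forwarded_for off, follow_x_forwarded_for, the icp/htcp access and port directives, coredump_dir); move those items to the issue tracker instead of dropping them with the tuning notes.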

View File

@ -5,8 +5,8 @@
# Lynis # Lynis
# ------------------ # ------------------
# #
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands # Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
# Web site: http://www.rootkit.nl # Web site: https://cisofy.com
# #
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License. # welcome to redistribute it under the terms of the GNU General Public License.
@ -79,28 +79,6 @@
fi fi
# #
################################################################################# #################################################################################
#
# # Test : SSH-7406
# # Description : Check for a running SSH daemon
# if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Register --test-no SSH-7406 --preqs-met ${PREQS_MET} --weight L --network NO --description "SSH daemon listening port"
# if [ ${SKIPTEST} -eq 0 ]; then
# logtext "Test: Searching for a SSH daemon"
# CheckOption "^Port " ${SSH_DAEMON_CONFIG}
# if [ ${FOUND} -eq 1 ]; then
# FIND=`echo ${FIND} | awk '{ if ($1=="Port") { print $2 }}'`
# # Check if this output is numeric and usuable for later (e.g. in netstat output)
# Display --indent 2 --text "- Checking SSH listening port" --result FOUND --color GREEN
# logtext "Result: setting port number to ${FIND}"
# SSH_DAEMON_PORT="${FIND}"
# else
# Display --indent 2 --text "- Checking SSH listening port" --result "NOT FOUND" --color WHITE
# logtext "Result: setting port to default number, as no other port has been configured"
# SSH_DAEMON_PORT="22"
# fi
# fi
#
#################################################################################
# #
# Test : SSH-7408 # Test : SSH-7408
# Description : Check SSH specific defined options # Description : Check SSH specific defined options
@ -202,32 +180,6 @@
fi fi
# #
################################################################################# #################################################################################
#
# Test : SSH-7418
# Description : Check SSH Port option
# if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
# Register --test-no SSH-7418 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: Port"
# if [ ${SKIPTEST} -eq 0 ]; then
# logtext "Test: check allowed SSH protocol versions"
# FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^Port" | awk '{ if ($2!="22") { print $2 } }'`
# if [ "${FIND}" = "1" -o "${FIND}" = "2,1" -o "${FIND}" = "1,2" ]; then
# logtext "Result: Protocol option is set to allow SSH protocol version 1"
# Display --indent 4 --text "- SSH option: Protocol" --result WARNING --color RED
# ReportWarning ${TEST_NO} "M" "SSH protocol version 1 is allowed"
# AddHP 0 3
# else
# if [ "${FIND}" = "2" ]; then
# logtext "Result: only protocol 2 is allowed"
# Display --indent 4 --text "- SSH option: Protocol" --result OK --color GREEN
# AddHP 3 3
# else
# logtext "Result: value of Protocol is unknown (not defined)"
# Display --indent 4 --text "- SSH option: Protocol" --result DEFAULT --color WHITE
# fi
# fi
# fi
#
#################################################################################
# #
# Test : SSH-7440 # Test : SSH-7440
# Description : AllowUsers / AllowGroups # Description : AllowUsers / AllowGroups
@ -269,33 +221,7 @@
# #
################################################################################# #################################################################################
# #
# Test : SSH-7464
# Description : HashKnownHosts
#if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no SSH-7464 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: HashKnownHosts"
#if [ ${SKIPTEST} -eq 0 ]; then
# /etc/ssh/ssh_config
# ReportSuggestion ${TEST_NO} "HashKnownHosts option can migitate worm attacks"
#AddHP 2 2
#fi
#
#################################################################################
#
# Test : SSH-7480
# Description : AllowUsers / AllowGroups
# Goal : Scan SSH daemon
#if [ ! ${SSHKEYSCANBINARY} = "" -a ${SSH_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no SSH-7480 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: AllowUsers and AllowGroups"
#if [ ${SKIPTEST} -eq 0 ]; then
# First determine what port the local instance of SSH daemon is running on. If unknown, use port 22
# FIND=`${SSHKEYSCANBINARY} localhost 2>&1 | grep OpenSSH | egrep -i "bsd|debian|ubuntu|redhat"`
#
#################################################################################
#
# sshd -T can provide additional insights
#
#################################################################################
#
report "ssh_daemon_running=${SSH_DAEMON_RUNNING}" report "ssh_daemon_running=${SSH_DAEMON_RUNNING}"
#report "ssh_daemon_port=${SSH_DAEMON_PORT}" #report "ssh_daemon_port=${SSH_DAEMON_PORT}"
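Review bot: with the SSH-7406 port detection removed earlier in this change, the commented `#report "ssh_daemon_port=${SSH_DAEMON_PORT}"` line has no remaining producer for `SSH_DAEMON_PORT`; remove it as well, or keep the port detection, so the report key does not linger as dead code. The one-line `sshd -T can provide additional insights` note is worth keeping somewhere, since the effective configuration it prints would also resolve the Port and Protocol lookups the deleted stubs attempted with grep.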
@ -303,4 +229,4 @@ wait_for_keypress
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands # Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com

View File

@ -5,8 +5,8 @@
# Lynis # Lynis
# ------------------ # ------------------
# #
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands # Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
# Web site: http://www.rootkit.nl # Web site: https://cisofy.com
# #
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License. # welcome to redistribute it under the terms of the GNU General Public License.
@ -33,7 +33,7 @@
if [ -d /etc/modprobe.d ]; then if [ -d /etc/modprobe.d ]; then
FIND=`ls /etc/modprobe.d/* 2> /dev/null` FIND=`ls /etc/modprobe.d/* 2> /dev/null`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
FIND=`grep -r "install usb-storage /bin/true" /etc/modprobe.d/* | grep "usb-storage" | grep -v "#"` FIND=`grep -r "install usb-storage /bin/\(false\|true\)" /etc/modprobe.d/* | grep "usb-storage" | grep -v "#"`
FIND2=`egrep -r "^blacklist (usb_storage|usb-storage)" /etc/modprobe.d/*` FIND2=`egrep -r "^blacklist (usb_storage|usb-storage)" /etc/modprobe.d/*`
if [ ! "${FIND}" = "" -o ! "${FIND2}" = "" ]; then if [ ! "${FIND}" = "" -o ! "${FIND2}" = "" ]; then
FOUND=1 FOUND=1
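Review bot: the install-line pattern `"install usb-storage /bin/\(false\|true\)"` accepts only the hyphenated module name, while the blacklist pattern on the next line accepts both `usb_storage` and `usb-storage`; a line written as `install usb_storage /bin/true` is therefore reported as not disabled. Use `egrep "install (usb_storage|usb-storage) /bin/(false|true)"` for consistency with the adjacent line, which also avoids relying on the `\|` alternation in a basic regex. The same applies to the `/etc/modprobe.conf` hunk that follows.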
@ -44,7 +44,7 @@
fi fi
fi fi
if [ -f /etc/modprobe.conf ]; then if [ -f /etc/modprobe.conf ]; then
FIND=`grep "install usb-storage /bin/true" /etc/modprobe.conf | grep "usb-storage" | grep -v "#"` FIND=`grep "install usb-storage /bin/\(false\|true\)" /etc/modprobe.conf | grep "usb-storage" | grep -v "#"`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
FOUND=1 FOUND=1
logtext "Result: found usb-storage driver in disabled state" logtext "Result: found usb-storage driver in disabled state"
@ -66,6 +66,7 @@
# #
# Test : STRG-1846 # Test : STRG-1846
# Description : Check for disabled firewire storage # Description : Check for disabled firewire storage
# Explanation : Best option is to use the install function, or else drivers can still be loaded manually
Register --test-no STRG-1846 --os Linux --weight L --network NO --description "Check if firewire storage is disabled" Register --test-no STRG-1846 --os Linux --weight L --network NO --description "Check if firewire storage is disabled"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0 FOUND=0
@ -73,8 +74,8 @@
if [ -d /etc/modprobe.d ]; then if [ -d /etc/modprobe.d ]; then
FIND=`ls /etc/modprobe.d/* 2> /dev/null` FIND=`ls /etc/modprobe.d/* 2> /dev/null`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
FIND1=`egrep "blacklist (ohci1394|firewire-ohci)" /etc/modprobe.d/* | grep "ohci" | grep -v "#"` FIND1=`egrep "blacklist (ohci1394|firewire-ohci|firewire_ohci)" /etc/modprobe.d/* | grep "ohci" | grep -v "#"`
FIND2=`egrep "install (ohci1394|firewire-ohci) /bin/true" /etc/modprobe.d/* | grep "ohci" | grep -v "#"` FIND2=`egrep "install (ohci1394|firewire-ohci|firewire_ohci) /bin/(false|true)" /etc/modprobe.d/* | grep "ohci" | grep -v "#"`
if [ ! "${FIND1}" = "" -o ! "${FIND2}" = "" ]; then if [ ! "${FIND1}" = "" -o ! "${FIND2}" = "" ]; then
FOUND=1 FOUND=1
logtext "Result: found firewire ohci driver in disabled state" logtext "Result: found firewire ohci driver in disabled state"
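Review bot: the new Explanation line states that the install form is the better option because a blacklist alone still allows manual loading, yet `if [ ! "${FIND1}" = "" -o ! "${FIND2}" = "" ]` treats a blacklist-only configuration exactly like an install-to-/bin/false one; either score the two differently or add a suggestion when only FIND1 matches. Separately, the trailing `grep -v "#"` discards any matching line that carries an inline comment (for example `install firewire-ohci /bin/false # disabled`), so a correctly hardened line is missed; filter on lines starting with `#` instead, as the usb-storage test in this file has the same pipeline.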
@ -84,8 +85,8 @@
fi fi
fi fi
if [ -f /etc/modprobe.conf ]; then if [ -f /etc/modprobe.conf ]; then
FIND1=`egrep -r "blacklist (ohci1394|firewire-ohci)" /etc/modprobe.conf | grep "ohci" | grep -v "#"` FIND1=`egrep -r "blacklist (ohci1394|firewire-ohci|firewire_ohci)" /etc/modprobe.conf | grep "ohci" | grep -v "#"`
FIND2=`egrep -r "install (ohci1394|firewire-ohci) /bin/true" /etc/modprobe.conf | grep "ohci" | grep -v "#"` FIND2=`egrep -r "install (ohci1394|firewire-ohci|firewire_ohci) /bin/(false|true)" /etc/modprobe.conf | grep "ohci" | grep -v "#"`
if [ ! "${FIND1}" = "" -o ! "${FIND2}" = "" ]; then if [ ! "${FIND1}" = "" -o ! "${FIND2}" = "" ]; then
FOUND=1 FOUND=1
logtext "Result: found firewire ohci driver in disabled state" logtext "Result: found firewire ohci driver in disabled state"
@ -108,15 +109,8 @@
################################################################################# #################################################################################
# #
# NetBSD: amd (auto mount daemon)
#
#################################################################################
#
wait_for_keypress wait_for_keypress
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands # Lynis - Copyright 2007-2015, CISOfy, Michael Boelen - https://cisofy.com


@ -5,8 +5,8 @@
# Lynis # Lynis
# ------------------ # ------------------
# #
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands # Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
# Web site: http://www.rootkit.nl # Web site: https://cisofy.com
# #
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License. # welcome to redistribute it under the terms of the GNU General Public License.
@ -177,4 +177,4 @@ wait_for_keypress
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands # Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com


@ -1,47 +0,0 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# TCP Wrappers
# Run after: NFS checks
#
#################################################################################
#
#
#################################################################################
#
# InsertSection "TCP Wrappers"
#
#################################################################################
#
# Test : TCPW-xxxx (YYY move to nameservices section)
# Description : Basic nameserver configuration tests (connectivity)
# Register --test-no TCPW-xxxx --weight L --network YES --description "Basic nameserver configuration tests"
# if [ ${SKIPTEST} -eq 0 ]; then
# Display --indent 2 --text "- Checking configured nameservers"
# logtext "Test: Checking /etc/resolv.conf file"
# Display --indent 8 --text "Nameserver: ${I}" --result OK --color GREEN
# ReportSuggestion ${TEST_NO} "Check connection to this nameserver and make sure no outbound DNS queries are blocked (port 53 UDP and TCP)."
# ReportWarning ${TEST_NO} "L" "Nameserver ${I} does not respond"
# fi
#
#################################################################################
#
#wait_for_keypress
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
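Review bot: removing this file outright is reasonable, since the only test in it (TCPW-xxxx) was already fully commented out and its own comment marked it for relocation to the nameservices section; the commit should confirm that the main script's list of included test files no longer references it, because that list is not part of this diff and a stale include would abort a run on a missing file.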


@ -5,8 +5,8 @@
# Lynis # Lynis
# ------------------ # ------------------
# #
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands # Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: http://www.rootkit.nl # Web site: https://cisofy.com
# #
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License. # welcome to redistribute it under the terms of the GNU General Public License.
@ -22,6 +22,7 @@
# #
################################################################################# #################################################################################
# #
CRON_DIRS="/etc/cron.d /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly /var/spool/crontabs"
NTP_DAEMON="" NTP_DAEMON=""
NTP_DAEMON_RUNNING=0 NTP_DAEMON_RUNNING=0
NTP_CONFIG_FOUND=0 NTP_CONFIG_FOUND=0
@ -29,9 +30,8 @@
NTP_CONFIG_TYPE_SCHEDULED=0 NTP_CONFIG_TYPE_SCHEDULED=0
NTP_CONFIG_TYPE_EVENTBASED=0 NTP_CONFIG_TYPE_EVENTBASED=0
NTP_CONFIG_TYPE_STARTUP=0 NTP_CONFIG_TYPE_STARTUP=0
# Specific for ntpd NTPD_RUNNING=0 # Specific for ntpd
NTPD_RUNNING=0 SYSTEMD_NTP_ENABLED=0
CRON_DIRS="/etc/cron.d /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly /var/spool/crontabs"
# #
################################################################################# #################################################################################
# #
@ -46,10 +46,25 @@
fi fi
Register --test-no TIME-3104 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for running NTP daemon or client" Register --test-no TIME-3104 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for running NTP daemon or client"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Linux/FreeBSD (ntpdate), OpenBSD (ntpd, rdate) # Linux/FreeBSD (ntpdate), OpenBSD (ntpd, rdate), Chrony, systemd-timesyncd
logtext "Test: Searching for a running NTP daemon or available client" logtext "Test: Searching for a running NTP daemon or available client"
FOUND=0 FOUND=0
if [ -f /etc/chrony.conf ]; then
IsRunning chronyd
if [ ${RUNNING} -eq 1 ]; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="chronyd"
Display --indent 2 --text "- NTP daemon found: chronyd" --result FOUND --color GREEN
fi
fi
# Check time daemon (eg DragonFly BSD)
IsRunning dntpd
if [ ${RUNNING} -eq 1 ]; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="dntpd"
Display --indent 2 --text "- NTP daemon found: dntpd" --result FOUND --color GREEN
fi
# Check running processes # Check running processes
FIND=`${PSBINARY} ax | grep "ntpd" | grep -v "dntpd" | grep -v "grep"` FIND=`${PSBINARY} ax | grep "ntpd" | grep -v "dntpd" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
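Review bot: the chronyd detection at `if [ -f /etc/chrony.conf ]` gates the process check on a file that Debian and Ubuntu install as /etc/chrony/chrony.conf instead, so a running chronyd on those systems is never recorded as the NTP daemon and the later ntpdate suggestion logic sees NTP_DAEMON_RUNNING=0. Call `IsRunning chronyd` unconditionally, as the dntpd block directly below already does, and treat the configuration file location as a separate, optional lookup.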
@ -66,19 +81,18 @@
Display --indent 2 --text "- NTP daemon found: timed" --result FOUND --color GREEN Display --indent 2 --text "- NTP daemon found: timed" --result FOUND --color GREEN
fi fi
# Check time daemon (eg DragonFly BSD)
IsRunning dntpd
if [ ${RUNNING} -eq 1 ]; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="dntpd"
Display --indent 2 --text "- NTP daemon found: dntpd" --result FOUND --color GREEN
fi
# Check timedate daemon (systemd) # Check timedate daemon (systemd)
if [ ! "${TIMEDATECTL}" = "" ]; then if [ ! "${TIMEDATECTL}" = "" ]; then
FIND=`${TIMEDATECTL} status | grep "NTP enabled: yes"` FIND=`${TIMEDATECTL} status | grep "NTP enabled: yes"`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="timedated" # Check for systemd-timesyncd
Display --indent 2 --text "- NTP daemon found: timedated" --result "FOUND" --color GREEN if [ -f /etc/systemd/timesyncd.conf ]; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="systemd-timesyncd"
Display --indent 2 --text "- NTP daemon found: systemd (timesyncd)" --result "FOUND" --color GREEN
SYSTEMD_NTP_ENABLED=1
fi
else
logtext "Result: time sychronization not performed according timedatectl command"
fi fi
fi fi
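Review bot: when timedatectl reports `NTP enabled: yes` but /etc/systemd/timesyncd.conf is absent, the new branch sets nothing and writes no log line, so the previous `timedated` result silently disappears on systems where another unit provides NTP through systemd; add an `else` with a logtext for that case. The `else` branch that is present misspells `sychronization` and reads `according timedatectl` (should be `synchronization` and `according to timedatectl`). The matched string `NTP enabled: yes` is tied to the exact timedatectl output format of this systemd generation, so a comment recording which versions it was verified against would help later maintenance.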
@ -94,18 +108,14 @@
Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result FOUND --color GREEN Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result FOUND --color GREEN
logtext "Result: found ntpdate or rdate reference in crontab file ${I}" logtext "Result: found ntpdate or rdate reference in crontab file ${I}"
else else
Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "NOT FOUND" --color WHITE #Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "NOT FOUND" --color WHITE
logtext "Result: no ntpdate or rdate reference found in crontab file ${I}" logtext "Result: no ntpdate or rdate reference found in crontab file ${I}"
fi fi
else else
logtext "Result: crontab file ${I} not found" logtext "Result: crontab file ${I} not found"
fi fi
done done
##########################
# To do: test on Solaris #
##########################
# Don't run check in cron job directory on Solaris # Don't run check in cron job directory on Solaris
# /etc/cron.d/FIFO is a special file and test get stuck at this file # /etc/cron.d/FIFO is a special file and test get stuck at this file
FOUND_IN_CRON=0 FOUND_IN_CRON=0
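Review bot: the `Display ... "NOT FOUND"` line is commented out rather than deleted; since the logtext directly below already records the negative result and the intent is only to stop printing it on screen, delete the line instead of leaving dead code that git history preserves anyway.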
@ -133,11 +143,10 @@
Display --indent 2 --text "- Checking NTP client in cron files" --result FOUND --color GREEN Display --indent 2 --text "- Checking NTP client in cron files" --result FOUND --color GREEN
logtext "Result: found ntpdate or rdate in cron directory" logtext "Result: found ntpdate or rdate in cron directory"
else else
Display --indent 2 --text "- Checking NTP client in cron.d files" --result "NOT FOUND" --color WHITE #Display --indent 2 --text "- Checking NTP client in cron.d files" --result "NOT FOUND" --color WHITE
logtext "Result: no ntpdate or rdate found in cron directories" logtext "Result: no ntpdate or rdate found in cron directories"
fi fi
# Checking if ntpdate is performed by event # Checking if ntpdate is performed by event
logtext "Test: checking for file /etc/network/if-up.d/ntpdate" logtext "Test: checking for file /etc/network/if-up.d/ntpdate"
if [ -f /etc/network/if-up.d/ntpdate ]; then if [ -f /etc/network/if-up.d/ntpdate ]; then
@ -155,10 +164,12 @@
FIND=`grep 'ntpdate_enable="YES"' /etc/rc.conf` FIND=`grep 'ntpdate_enable="YES"' /etc/rc.conf`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
logtext "Result: ntpdate is enabled in rc.conf" logtext "Result: ntpdate is enabled in rc.conf"
# Mark system having a NTP client, but remind user to improve it
FOUND=1 FOUND=1
NTP_CONFIG_TYPE_STARTUP=1 NTP_CONFIG_TYPE_STARTUP=1
ReportSuggestion ${TEST_NO} "Although ntpdate is enabled in rc.conf, it is adviced to run it at least daily or use a NTP daemon" # Only show suggestion when ntpdate is enabled, however ntpd is not running
if [ ${NTP_DAEMON_RUNNING} -eq 0 ]; then
ReportSuggestion ${TEST_NO} "Although ntpdate is enabled in rc.conf, it is adviced to run it at least daily or use a NTP daemon"
fi
else else
logtext "Result: ntpdate is not enabled in rc.conf" logtext "Result: ntpdate is not enabled in rc.conf"
fi fi
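Review bot: the gate `if [ ${NTP_DAEMON_RUNNING} -eq 0 ]` depends on the daemon checks earlier in this test having run first, which they do, so the suggestion is now correctly suppressed when ntpd, chronyd, dntpd or timesyncd is active; the retained suggestion text still has the typo `adviced` (should be `advised`). Separately, `grep 'ntpdate_enable="YES"'` on /etc/rc.conf misses the equally valid `yes`, `Yes` or unquoted forms that FreeBSD's rc.subr accepts, so a case-insensitive match such as `grep -i '^ntpdate_enable=.*yes'` would reduce false negatives.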
@ -181,6 +192,21 @@
fi fi
# #
################################################################################# #################################################################################
#
# Test : TIME-3106
# Description : Check status of systemd time synchronization
if [ ${SYSTEMD_NTP_ENABLED} -eq 1 -a ! "${TIMEDATECTL}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3106 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check systemd NTP time synchronization status"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Check the status of time synchronization via timedatectl"
FIND=`${TIMEDATECTL} status | grep "NTP sychronized: yes"`
if [ "${FIND}" = "" ]; then
logtext "Result: time not synchronized via NTP"
ReportSuggestion "${TEST_NO}" "Check timedatectl output. Sychronization via NTP is enabled, but status reflects it is not synchronized"
fi
fi
#
#################################################################################
# #
# Test : TIME-3112 # Test : TIME-3112
# Description : Check for valid associations from ntpq peers list # Description : Check for valid associations from ntpq peers list
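Review bot: TIME-3106 can never report success as written: the pattern in `FIND=\`${TIMEDATECTL} status | grep "NTP sychronized: yes"\`` misspells `synchronized`, so FIND is always empty and every host with timesyncd enabled gets the `time not synchronized via NTP` log entry and the suggestion. Fix the spelling in the grep pattern and in the suggestion text (`Sychronization`), and log the positive case as well so the log shows the status was actually evaluated.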
@ -331,7 +357,6 @@
# #
# Test : TIME-3136 # Test : TIME-3136
# Description : Check ntpq reported ntp version (Linux) # Description : Check ntpq reported ntp version (Linux)
# Notes : Test could be improved by checking every host (YYY)
if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3136 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check NTP protocol version" Register --test-no TIME-3136 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check NTP protocol version"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
@ -404,6 +429,8 @@
# #
################################################################################# #################################################################################
# #
# For VMs check ntpd.conf : tinker panic 0
#
wait_for_keypress wait_for_keypress
@ -429,4 +456,4 @@ wait_for_keypress
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands # Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com


@ -5,8 +5,8 @@
# Lynis # Lynis
# ------------------ # ------------------
# #
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands # Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: http://www.rootkit.nl # Web site: https://cisofy.com
# #
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License. # welcome to redistribute it under the terms of the GNU General Public License.
@ -16,6 +16,8 @@
# #
AUTOMATION_TOOL_FOUND=0 AUTOMATION_TOOL_FOUND=0
AUTOMATION_TOOL_RUNNING="" AUTOMATION_TOOL_RUNNING=""
CFENGINE_AGENT_FOUND=0
CFENGINE_SERVER_RUNNING=0
BACKUP_AGENT_FOUND=0 BACKUP_AGENT_FOUND=0
PUPPET_MASTER_RUNNING=0 PUPPET_MASTER_RUNNING=0
SALT_MASTER_RUNNING=0 SALT_MASTER_RUNNING=0
@ -40,22 +42,67 @@
# Cfengine # Cfengine
if [ ! "${CFAGENTBINARY}" = "" ]; then if [ ! "${CFAGENTBINARY}" = "" ]; then
logtext "Result: Cfengine (cfagent) is installed (${CFAGENTBINARY})" logtext "Result: CFEngine (cfagent) is installed (${CFAGENTBINARY})"
AUTOMATION_TOOL_FOUND=1 AUTOMATION_TOOL_FOUND=1
CFENGINE_AGENT_FOUND=1
report "automation_tool_running[]=cf-agent"
Display --indent 4 --text "Found: Cfengine (cfagent)" --result FOUND --color GREEN Display --indent 4 --text "Found: Cfengine (cfagent)" --result FOUND --color GREEN
fi fi
OTHER_CFENGINE_LOCATIONS="/var/cfengine/bin"
for I in ${OTHER_CFENGINE_LOCATIONS}; do
if [ -d ${I} ]; then
if [ -f ${I}/cf-agent ]; then
logtext "Result: found CFEngine agent (cf-agent) in ${I}"
AUTOMATION_TOOL_FOUND=1
CFENGINE_AGENT_FOUND=1
report "automation_tool_running[]=cf-agent"
Display --indent 4 --text "Found: CFEngine (cf-agent)" --result FOUND --color GREEN
fi
IsRunning "cf-server"
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: found CFEngine server"
AUTOMATION_TOOL_FOUND=1
CFENGINE_SERVER_RUNNING=1
report "automation_tool_running[]=cf-server"
Display --indent 4 --text "Found: CFEngine (cf-server)" --result FOUND --color GREEN
fi
fi
done
# Chef
CHEF_LOCATIONS="/opt/chef/bin /opt/chef-server/sv /opt/chefdk/bin"
for I in ${CHEF_LOCATIONS}; do
if [ -d ${I} ]; then
if [ -f ${I}/chef-client ]; then
CHEFCLIENTBINARY="${I}/chef-client"
AUTOMATION_TOOL_FOUND=1
report "automation_tool_running[]=chef-client"
Display --indent 4 --text "Found: Chef client (chef-client)" --result FOUND --color GREEN
logtext "Result: found chef-client (chef client daemon) in ${I}"
fi
if [ -f ${I}/erchef ]; then
CHEFSERVERBINARY="${I}/erchef"
logtext "Result: Chef Server (erchef) is installed (${CHEFSERVERBINARY})"
AUTOMATION_TOOL_FOUND=1
report "automation_tool_running[]=chef-server"
Display --indent 4 --text "Found: Chef Server (erchef)" --result FOUND --color GREEN
logtext "Result: found erchef (chef server daemon) in ${I}"
fi
fi
done
# Puppet # Puppet
if [ ! "${PUPPETBINARY}" = "" ]; then if [ ! "${PUPPETBINARY}" = "" ]; then
logtext "Result: Puppet is installed (${PUPPETBINARY})" logtext "Result: Puppet is installed (${PUPPETBINARY})"
AUTOMATION_TOOL_FOUND=1 AUTOMATION_TOOL_FOUND=1
report "automation_tool_running[]=puppet-agent"
Display --indent 4 --text "Found: Puppet (agent)" --result FOUND --color GREEN Display --indent 4 --text "Found: Puppet (agent)" --result FOUND --color GREEN
fi fi
IsRunning "puppet master" IsRunning "puppet master"
if [ ${RUNNING} -eq 1 ]; then if [ ${RUNNING} -eq 1 ]; then
logtext "Result: found puppet master" logtext "Result: found puppet master"
PUPPET_MASTER_RUNNING=1 PUPPET_MASTER_RUNNING=1
report "automation_tool_running[]=puppet" report "automation_tool_running[]=puppet-master"
Display --indent 4 --text "Found: Puppet (master)" --result FOUND --color GREEN Display --indent 4 --text "Found: Puppet (master)" --result FOUND --color GREEN
fi fi
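Review bot: `report "automation_tool_running[]=cf-agent"`, `...=chef-client` and `...=puppet-agent` are emitted on binary presence alone, while `cf-server` and `puppet-master` are reported only after an `IsRunning` check, so the `_running` key means two different things depending on the tool; either use a separate `automation_tool_present[]` key for the presence cases or add `IsRunning` calls before reporting. Also the `IsRunning "cf-server"` check sits inside `if [ -d ${I} ]` for /var/cfengine/bin, so a cf-server started from any other location is never detected, and a host where both `${CFAGENTBINARY}` and /var/cfengine/bin/cf-agent exist gets the cf-agent report entry twice.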
@ -64,19 +111,24 @@
logtext "Result: SaltStack (salt-minion) is installed (${SALTMINIONBINARY})" logtext "Result: SaltStack (salt-minion) is installed (${SALTMINIONBINARY})"
AUTOMATION_TOOL_FOUND=1 AUTOMATION_TOOL_FOUND=1
SALT_MINION_RUNNING=1 SALT_MINION_RUNNING=1
report "automation_tool_running[]=saltstack-minion"
Display --indent 4 --text "Found: SaltStack minion (salt-minion)" --result FOUND --color GREEN Display --indent 4 --text "Found: SaltStack minion (salt-minion)" --result FOUND --color GREEN
fi fi
if [ ! "${SALTMASTERBINARY}" = "" ]; then if [ ! "${SALTMASTERBINARY}" = "" ]; then
logtext "Result: SaltStack (salt-master) is installed (${SALTMASTERBINARY})" logtext "Result: SaltStack (salt-master) is installed (${SALTMASTERBINARY})"
AUTOMATION_TOOL_FOUND=1 AUTOMATION_TOOL_FOUND=1
Display --indent 4 --text "Found: SaltStack master (salt-master)" --result FOUND --color GREEN
fi
IsRunning "salt-master"
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: found SaltStack (master)"
SALT_MASTER_RUNNING=1 SALT_MASTER_RUNNING=1
report "automation_tool_running[]=saltstack-master" report "automation_tool_running[]=saltstack-minion"
Display --indent 4 --text "Found: SaltStack (master)" --result FOUND --color GREEN Display --indent 4 --text "Found: SaltStack master (salt-master)" --result FOUND --color GREEN
else
IsRunning "salt-master"
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: found SaltStack (master)"
AUTOMATION_TOOL_FOUND=1
SALT_MASTER_RUNNING=1
report "automation_tool_running[]=saltstack-master"
Display --indent 4 --text "Found: SaltStack (master)" --result FOUND --color GREEN
fi
fi fi
if [ ${AUTOMATION_TOOL_FOUND} -eq 1 ]; then if [ ${AUTOMATION_TOOL_FOUND} -eq 1 ]; then
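Review bot: the salt-master branch reports the wrong tool: after finding `${SALTMASTERBINARY}` it emits `report "automation_tool_running[]=saltstack-minion"` (copied from the minion branch) and should say `saltstack-master`. The control flow is also inverted: when the binary is present, `SALT_MASTER_RUNNING=1` is set without verifying the process runs, and `IsRunning "salt-master"` is consulted only in the `else` branch, where the binary was not found; move the `IsRunning` call out of the `else` so it applies in both cases and set `SALT_MASTER_RUNNING` only from its result.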
@ -98,9 +150,7 @@
# #
################################################################################# #################################################################################
# #
report "puppet_master=${PUPPET_MASTER_RUNNING}" report "automation_tool_present=${AUTOMATION_TOOL_FOUND}"
report "salt_master=${SALT_MASTER_RUNNING}"
report "salt_minion=${SALT_MINION_RUNNING}"
wait_for_keypress wait_for_keypress
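Review bot: dropping `puppet_master=`, `salt_master=` and `salt_minion=` from the report file is a breaking change for anything that parses those keys; the replacement `automation_tool_present=` plus the `automation_tool_running[]` entries above carry the same information, but this deserves a CHANGELOG line, and `PUPPET_MASTER_RUNNING`, `SALT_MASTER_RUNNING` and `SALT_MINION_RUNNING` are now only written and no longer consumed by any visible line of this file.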


@ -5,8 +5,8 @@
# Lynis # Lynis
# ------------------ # ------------------
# #
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands # Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: http://www.rootkit.nl # Web site: https://cisofy.com
# #
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License. # welcome to redistribute it under the terms of the GNU General Public License.
@ -22,49 +22,6 @@
# #
################################################################################# #################################################################################
# #
# Test : VIRT-1902
# Description : Query running Solaris zones
if [ -x /usr/sbin/zoneadm ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no VIRT-1902 --os Solaris --weight L --network NO --description "Query running Solaris zones"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: query zoneadm to list all running zones"
FIND=`/usr/sbin/zoneadm list -p | awk -F: '{ if ($2!="global") print $0 }'`
if [ ! "${FIND}" = "" ]; then
N=0
for I in ${FIND}; do
N=`expr ${N} + 1`
ZONEID=`echo ${I} | cut -d ':' -f1`
ZONENAME=`echo ${I} | cut -d ':' -f2`
logtext "Result: found zone ${ZONENAME} (running)"
report "solaris_running_zone[]=${ZONENAME} [id:${ZONEID}]"
done
logtext "Result: total of ${N} running zones"
Display --indent 2 --text "- Checking Solaris Zones" --result "FOUND ${N} zones" --color GREEN
else
logtext "Result: no running zones found"
Display --indent 2 --text "- Checking Solaris Zones" --result NONE --color WHITE
fi
fi
#
#################################################################################
#
# Test : VIRT-1906
# Description : Query running Xen zones
#if [ -x /usr/bin/xm ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no VIRT-1906 --weight L --network NO --description "Query Xen guests"
#if [ ${SKIPTEST} -eq 0 ]; then
# Show Xen guests
#FIND=`xm list | awk '$1 != "Name|Domain-0" {print $1","$2}'`
#for I in ${FIND}; do
#XENGUESTNAME=`echo ${I} | cut -d ':' -f1`
#XENGUESTID=`echo ${I} | cut -d ':' -f2`
#logtext "Result: found Xen guest ${XENGUESTNAME} (ID: ${XENGUESTID})"
#done
#fi
#
#################################################################################
#
# # Test : VIRT-1920 # # Test : VIRT-1920
# # Description : Checking VMware # # Description : Checking VMware
# Register --test-no VIRT-1920 --weight L --network NO --description "Checking VMware guest status" # Register --test-no VIRT-1920 --weight L --network NO --description "Checking VMware guest status"
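Review bot: unlike the Xen block (VIRT-1906), which was already commented out, VIRT-1902 was live code that queried `zoneadm list -p` on Solaris and emitted `solaris_running_zone[]` report entries; this hunk removes it with no replacement in the diff, so either the test has been relocated (worth saying in the commit message) or Solaris zone reporting is silently lost and should be recorded in the CHANGELOG.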
@ -72,9 +29,9 @@
# # Initialise # # Initialise
# VMWARE_GUEST=0 # VMWARE_GUEST=0
# Display --indent 2 --text "- Checking VMware guest status" # Display --indent 2 --text "- Checking VMware guest status"
# #YYY check memory driver file # # check memory driver file
# #YYY check LKM list # # check LKM list
# #YYY check vmware tools # # check vmware tools
# logtext "Test: checking VMware tools daemon presence" # logtext "Test: checking VMware tools daemon presence"
# if [ ! "${VMWARETOOLSBINARY}" = "" ]; then # if [ ! "${VMWARETOOLSBINARY}" = "" ]; then
# logtext "Result: VMware tools binary found" # logtext "Result: VMware tools binary found"
@ -89,9 +46,8 @@
################################################################################# #################################################################################
# #
wait_for_keypress wait_for_keypress
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands # Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com


@ -5,8 +5,8 @@
# Lynis # Lynis
# ------------------ # ------------------
# #
# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands # Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: http://www.rootkit.nl # Web site: https://cisofy.com
# #
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License. # welcome to redistribute it under the terms of the GNU General Public License.
@ -50,9 +50,13 @@
# Test : HTTP-6622 # Test : HTTP-6622
# Description : Test for Apache installation # Description : Test for Apache installation
# Notes : Do not run on NetBSD, -v is unknown option for httpd binary # Notes : Do not run on NetBSD, -v is unknown option for httpd binary
# On OpenBSD do not run /usr/sbin/httpd with -v: builtin non-Apache
if [ ! "${OS}" = "NetBSD" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ! "${OS}" = "NetBSD" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6622 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking Apache presence" Register --test-no HTTP-6622 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking Apache presence"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ "${OS}" = "OpenBSD" -a "${HTTPDBINARY}" = "/usr/sbin/httpd" ]; then
HTTPDBINARY=""
fi
if [ "${HTTPDBINARY}" = "" ]; then if [ "${HTTPDBINARY}" = "" ]; then
Display --indent 2 --text "- Checking Apache" --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Checking Apache" --result "NOT FOUND" --color WHITE
else else
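Review bot: setting `HTTPDBINARY=""` inside HTTP-6622 to skip OpenBSD's built-in httpd mutates a global populated during binary discovery, so every later test that consults `${HTTPDBINARY}` silently sees it as absent too; if that is the intent, say so in the Notes comment, otherwise use a local copy for this test only.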
@ -391,19 +395,16 @@
Register --test-no HTTP-6704 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nginx configuration file" Register --test-no HTTP-6704 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nginx configuration file"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: searching nginx configuration file" logtext "Test: searching nginx configuration file"
#YYY warning if multiple nginx.conf files are found
for I in ${NGINX_CONF_LOCS}; do for I in ${NGINX_CONF_LOCS}; do
if [ -f ${I}/nginx.conf ]; then if [ -f ${I}/nginx.conf ]; then
NGINX_CONF_LOCATION="${I}/nginx.conf" NGINX_CONF_LOCATION="${I}/nginx.conf"
logtext "Found file ${NGINX_CONF_LOCATION}" logtext "Found file ${NGINX_CONF_LOCATION}"
fi fi
done done
#YYY strings /usr/sbin/nginx | grep "conf$"
if [ ! "${NGINX_CONF_LOCATION}" = "" ]; then if [ ! "${NGINX_CONF_LOCATION}" = "" ]; then
logtext "Result: found nginx configuration file" logtext "Result: found nginx configuration file"
report "nginx_main_conf_file=${NGINX_CONF_LOCATION}" report "nginx_main_conf_file=${NGINX_CONF_LOCATION}"
Display --indent 4 --text "- Searching nginx configuration file" --result FOUND --color GREEN Display --indent 4 --text "- Searching nginx configuration file" --result FOUND --color GREEN
#FIND=`cat ${NGINX_CONF_LOCATION} | sed -e 's/^[ \t]*//' | grep -v "^#" | grep -v "^$" | sed 's/[\t]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE2}`
else else
logtext "Result: no nginx configuration file found" logtext "Result: no nginx configuration file found"
Display --indent 2 --text "- Searching nginx configuration file" --result "NOT FOUND" --color WHITE Display --indent 2 --text "- Searching nginx configuration file" --result "NOT FOUND" --color WHITE
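Review bot: removing the `#YYY warning if multiple nginx.conf files are found` note drops the reminder without addressing it: the `for I in ${NGINX_CONF_LOCS}` loop keeps overwriting `NGINX_CONF_LOCATION`, so when more than one location holds an nginx.conf the last one wins and the earlier candidates survive only in the log; a logtext or ReportSuggestion when a second file is found would make it unambiguous which configuration was audited.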
@ -415,25 +416,26 @@
# Test : HTTP-6706 # Test : HTTP-6706
# Description : Search for includes within nginx configuration file # Description : Search for includes within nginx configuration file
# Notes : Daemon nginx should be running, nginx.conf should be found # Notes : Daemon nginx should be running, nginx.conf should be found
if [ ${NGINX_RUNNING} -eq 1 -a "${NGINX_CONF_LOCATION}" != "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${NGINX_RUNNING} -eq 1 -a ! "${NGINX_CONF_LOCATION}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6706 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for additional nginx configuration files" Register --test-no HTTP-6706 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for additional nginx configuration files"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Remove temp file # Remove temp file
if [ ! "${TMPFILE}" = "" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi if [ ! "${TMPFILE}" = "" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi
N=0 N=0
cat ${NGINX_CONF_LOCATION} | sed -e 's/^[ \t]*//' | grep -v "^#" | grep -v "^$" | sed 's/[\t]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE}
# Search for included configuration files (may include directories and wild cards) # Search for included configuration files (may include directories and wild cards)
FIND=`grep "include" ${NGINX_CONF_LOCATION} | ${AWKBINARY} '{ if ($1=="include") { print $2 }}' | sed 's/;$//g'` FIND=`grep "include" ${NGINX_CONF_LOCATION} | ${AWKBINARY} '{ if ($1=="include") { print $2 }}' | sed 's/;$//g'`
for I in ${FIND}; do for I in ${FIND}; do
FIND2=`${LSBINARY} ${I} 2>/dev/null` FIND2=`${LSBINARY} ${I} 2>/dev/null`
for J in ${FIND2}; do for J in ${FIND2}; do
# Double check if we are dealing with a file # Ensure that we are parsing normal files
if [ -f ${J} ]; then if [ -f ${J} ]; then
N=`expr ${N} + 1` N=`expr ${N} + 1`
logtext "Result: found Nginx configuration file ${J}" logtext "Result: found Nginx configuration file ${J}"
report "nginx_sub_conf_file=${J}" report "nginx_sub_conf_file=${J}"
FileIsReadable ${J} FileIsReadable ${J}
if [ ${CANREAD} -eq 1 ]; then if [ ${CANREAD} -eq 1 ]; then
FIND3=`cat ${J} | sed -e 's/^[ \t]*//' | grep -v "^#" | grep -v "^$" | sed 's/[\t]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE2}` FIND3=`cat ${J} | sed -e 's/^[ \t]*//' | grep -v "^#" | grep -v "^$" | sed 's/[\t]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE}`
else else
ReportException "${TEST_NO}:1" "Can not parse file ${J}, as it is not readable" ReportException "${TEST_NO}:1" "Can not parse file ${J}, as it is not readable"
fi fi
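Review bot: the new `cat ${NGINX_CONF_LOCATION} | ... >> ${TMPFILE}` runs unconditionally, while the line just above removes `${TMPFILE}` only when it is non-empty, so an unset TMPFILE turns the append into a failed redirect rather than being caught; make the append conditional on the same check. The `FIND3=\`... >> ${TMPFILE}\`` assignment carried over from the TMPFILE2 version captures nothing, because the pipeline's output is redirected into the file, so drop the assignment and run the pipeline directly.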
@ -442,14 +444,14 @@
done done
# Sort all discovered configuration lines and store unique ones. Also strip out the mime types configured in nginx # Sort all discovered configuration lines and store unique ones. Also strip out the mime types configured in nginx
SORTFILE=`cat ${TMPFILE2} | sort | uniq | sed 's/ /:space:/g' | egrep -v "(application|audio|image|text|video)/" | egrep -v "({|})"` SORTFILE=`cat ${TMPFILE} | sort | uniq | sed 's/ /:space:/g' | egrep -v "(application|audio|image|text|video)/" | egrep -v "({|})"`
for I in ${SORTFILE}; do for I in ${SORTFILE}; do
I=`echo ${I} | sed 's/:space:/ /g'` I=`echo ${I} | sed 's/:space:/ /g'`
report "nginx_config_option=${I}"; report "nginx_config_option=${I}";
done done
# Remove unsorted file for next tests # Remove unsorted file for next tests
if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi
if [ ${N} -eq 0 ]; then if [ ${N} -eq 0 ]; then
logtext "Result: no nginx include statements found" logtext "Result: no nginx include statements found"
@ -693,11 +695,6 @@
# Description : Nginx: Check for server_tokens off in configuration files # Description : Nginx: Check for server_tokens off in configuration files
# #
################################################################################# #################################################################################
#
# Scan for websites
#/etc/apache2/sites-available
#
#################################################################################
# #
# Remove temp file (double check) # Remove temp file (double check)
@ -709,4 +706,4 @@ wait_for_keypress
# #
#================================================================================ #================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen - cisofy.com - The Netherlands # Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com

include/tool_tips Normal file

@ -0,0 +1,40 @@
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Hints and Tips
#
#################################################################################
#
# Only show tips when enabled
if [ ${SHOW_TOOL_TIPS} -eq 1 ]; then
# Bash completion support
if [ ! "${ETC_PATHS}" = "" ]; then
for I in ${ETC_PATHS}; do
if [ -d ${I}/bash-completion.d ]; then
if [ ! -f ${ETC_PATHS}/bash_completion.d/lynis ]; then
Display "This system has a bash_completition directory. Copy extras/bash_completion.d/lynis to ${I} to get completion support for Lynis"
fi
fi
done
fi
fi
#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
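Review bot: the directory test and the file test inside the loop disagree, so the tip can never be shown correctly. `if [ -d ${I}/bash-completion.d ]` looks for a hyphenated directory, while the next line checks `${ETC_PATHS}/bash_completion.d/lynis` with an underscore and uses `${ETC_PATHS}` (the whole list) instead of the loop variable `${I}`; with more than one entry in ETC_PATHS that path is not a real path at all. Use one spelling and `${I}` in both tests, and point the message at the target directory rather than its parent: `Copy extras/bash_completion.d/lynis to ${I}/bash_completion.d`. Also fix "bash_completition" in the message, and guard `[ ${SHOW_TOOL_TIPS} -eq 1 ]` against an unset variable (quote it or give it a default in the constants file), since an empty expansion turns the test into a syntax error when this file is sourced.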
164
lynis
@ -6,7 +6,7 @@
# ------------------ # ------------------
# #
# Copyright 2007-2015 Michael Boelen, CISOfy (michael.boelen@cisofy.com) # Copyright 2007-2015 Michael Boelen, CISOfy (michael.boelen@cisofy.com)
# Website: https://cisofy.com # Web site: https://cisofy.com
# #
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License. # welcome to redistribute it under the terms of the GNU General Public License.
@ -22,9 +22,9 @@
# #
# Program information # Program information
PROGRAM_name="Lynis" PROGRAM_name="Lynis"
PROGRAM_version="2.1.1" PROGRAM_version="2.1.2"
PROGRAM_releasedate="19 April 2015" PROGRAM_releasedate="13 September 2015"
PROGRAM_author="CISOfy" PROGRAM_author="Michael Boelen, CISOfy"
PROGRAM_author_contact="lynis-dev@cisofy.com" PROGRAM_author_contact="lynis-dev@cisofy.com"
PROGRAM_website="https://cisofy.com" PROGRAM_website="https://cisofy.com"
PROGRAM_copyright="Copyright 2007-2015 - ${PROGRAM_author}, ${PROGRAM_website}" PROGRAM_copyright="Copyright 2007-2015 - ${PROGRAM_author}, ${PROGRAM_website}"
@ -103,12 +103,17 @@
# Check if owner of both files is root user, or the same user which is running Lynis (for pentester mode) # Check if owner of both files is root user, or the same user which is running Lynis (for pentester mode)
# Consts # Consts
if [ ! "${OWNER}" = "root" -a ! "${OWNERID}" = "0" ]; then ISSUE=1; SHOWPERMERROR=1; FILE="consts"; fi if [ ! "${OWNER}" = "root" -a ! "${OWNERID}" = "0" ]; then
if [ ! "${MYID}" = "${OWNER2ID}" ]; then ISSUE=1; SHOWPERMERROR=1; FILE="consts"; fi if [ ! "${MYID}" = "${OWNER2ID}" ]; then
ISSUE=1; SHOWPERMERROR=1; FILE="consts"
fi
fi
# Functions # Functions
if [ ! "${OWNER2}" = "root" -a ! "${OWNER2ID}" = "0" ]; then ISSUE=1; SHOWPERMERROR=1; FILE="functions"; fi if [ ! "${OWNER2}" = "root" -a ! "${OWNER2ID}" = "0" ]; then
if [ ! "${MYID}" = "${OWNER2ID}" ]; then ISSUE=1; SHOWPERMERROR=1; FILE="functions"; fi if [ ! "${MYID}" = "${OWNER2ID}" ]; then
ISSUE=1; SHOWPERMERROR=1; FILE="functions"
fi
fi
if [ ${SHOWPERMERROR} -eq 1 ]; then if [ ${SHOWPERMERROR} -eq 1 ]; then
echo "" echo ""
echo "[!] Change ownership of ${INCLUDEDIR}/${FILE} to 'root' or similar (found: ${OWNER} with UID ${OWNERID})." echo "[!] Change ownership of ${INCLUDEDIR}/${FILE} to 'root' or similar (found: ${OWNER} with UID ${OWNERID})."
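Review bot: the consts check still compares `${MYID}` against `${OWNER2ID}`, which is the owner of the functions file, not of consts (`${OWNERID}`); this hunk reshuffles the lines but keeps that copy-paste mismatch, so a consts file owned by a third user passes whenever functions happens to be owned by the caller. Use `${OWNERID}` in the first block. The message at the end also prints `${OWNER}` and `${OWNERID}` even when `FILE="functions"`, so it reports the wrong owner for that case; set the owner and UID to display at the same point where FILE is set.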
@ -129,7 +134,7 @@
echo "" echo ""
echo " Why do I see this error?" echo " Why do I see this error?"
echo " -------------------------------" echo " -------------------------------"
echo " This error is a protection mechanism, to prevent root user from executing user created files." echo " This is a protection mechanism, to prevent the root user from executing user created files."
echo ""; echo "" echo ""; echo ""
echo " What can I do?" echo " What can I do?"
echo " ---------------------" echo " ---------------------"
@ -221,55 +226,6 @@
# CV - Current Version # CV - Current Version
PROGRAM_AC=`echo ${PROGRAM_version} | awk '{ print $1 }' | sed 's/[.]//g'` PROGRAM_AC=`echo ${PROGRAM_version} | awk '{ print $1 }' | sed 's/[.]//g'`
PROGRAM_LV=0 PROGRAM_LV=0
#DB_MALWARE_CV=`grep "^#version=" ${DBDIR}/malware.db | cut -d '=' -f2`
#DB_FILEPERMS_CV=`grep "^#version=" ${DBDIR}/fileperms.db | cut -d '=' -f2`
# Number of signatures
#DB_MALWARE_IC=`grep -v "^#" ${DBDIR}/malware.db | wc -l | tr -s ' ' | tr -d ' '`
if [ ${VIEWUPDATEINFO} -eq 1 ]; then
CheckUpdates
# Reset everything if we can't determine our current version or the latest
# available version (due lack of internet connectivity for example)
if [ "${PROGRAM_AC}" = "" -o "${PROGRAM_LV}" = "" ]; then
# Set both to safe values
PROGRAM_AC=0; PROGRAM_LV=0
#DB_MALWARE_LV=0; DB_MALWARE_CV=0
#DB_FILEPERMS_LV=0; DB_FILEPERMS_CV=0
fi
echo ""; echo " == ${WHITE}${PROGRAM_name}${NORMAL} =="; echo ""
echo " Version : ${PROGRAM_version}"
echo -n " Status : "
if [ ${PROGRAM_LV} -eq 0 ]; then
echo "${RED}Unknown${NORMAL}";
elif [ ${PROGRAM_LV} -gt ${PROGRAM_AC} ]; then
echo "${YELLOW}Outdated${NORMAL}";
echo " Current version : ${PROGRAM_AC}"
echo " Latest version : ${PROGRAM_LV}"
else
echo "${GREEN}Up-to-date${NORMAL}"
fi
echo " Release date : ${PROGRAM_releasedate}"
echo " Update location : ${PROGRAM_website}"
# echo ""
# echo " == ${WHITE}Plugins${NORMAL} =="
# echo ""
# echo " == ${WHITE}Databases${NORMAL} =="
# echo " Current Latest Status"
# echo " -----------------------------------------------------------------------------"
# echo -n " Malware : ${DB_MALWARE_CV} ${DB_MALWARE_LV} "
# if [ ${DB_MALWARE_LV} -gt ${DB_MALWARE_CV} ]; then echo "${WARNING}Outdated${NORMAL}"; else echo "${OK}Up-to-date${NORMAL}"; fi
# echo -n " File perms : ${DB_FILEPERMS_CV} ${DB_FILEPERMS_LV} "
# if [ ${DB_FILEPERMS_LV} -gt ${DB_FILEPERMS_CV} ]; then echo "${WARNING}Outdated${NORMAL}"; else echo "${OK}Up-to-date${NORMAL}"; fi
echo ""; echo ""
echo "${PROGRAM_copyright}"; echo ""
# Quit program
ExitClean
fi
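Review bot: with the inline version display removed, `PROGRAM_AC` and `PROGRAM_LV` are still computed just above but nothing left in this file uses them; either drop them or move them into the helper behind the new `update info` command added to the help text further down. That helper should keep the guard this block had for an empty `PROGRAM_LV` (no network), otherwise the `-gt` comparison fails with a test error.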
# #
################################################################################# #################################################################################
# #
@ -320,7 +276,7 @@
if [ "${PROFILE}" = "" ]; then if [ "${PROFILE}" = "" ]; then
echo "${RED}Fatal error: ${WHITE}No profile defined and could not find default profile${NORMAL}" echo "${RED}Fatal error: ${WHITE}No profile defined and could not find default profile${NORMAL}"
echo "Search paths used --> ${tPROFILE_TARGETS}" echo "Search paths used --> ${tPROFILE_TARGETS}"
ExitFatal ExitCustom 66
fi fi
# Initialize and check profile file, auditor name, log file and report file # Initialize and check profile file, auditor name, log file and report file
if [ ! -r ${PROFILE} ]; then echo "Fatal error: Can't open profile file (${PROFILE})"; exit 1; fi if [ ! -r ${PROFILE} ]; then echo "Fatal error: Can't open profile file (${PROFILE})"; exit 1; fi
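Review bot: the fatal path above now exits with `ExitCustom 66`, but the very next line still does a plain `exit 1` when the profile exists and is not readable, which is the same "can't open file" condition the man page maps to 66. Use `ExitCustom 66` there as well so callers get one code for both cases.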
@ -334,8 +290,22 @@
# #
################################################################################# #################################################################################
# #
# Check if there is already a PID file (incorrect termination of previous instance)
if [ -f lynis.pid -o -f /var/run/lynis.pid ]; then # Decide where to write our PID file. For unprivileged users this will be in their home directory, or /tmp if their
# home directory isn't set. For root it will be /var/run, or the current workign directory if /var/run doesn't exist.
MYHOMEDIR=`echo ~ 2> /dev/null`
if [ "${MYHOMEDIR}" = "" ]; then MYHOMEDIR="/tmp"; fi
if [ ${PRIVILEGED} -eq 0 ]; then
PIDFILE="${MYHOMEDIR}/lynis.pid"
elif [ -d /var/run ]; then
PIDFILE="/var/run/lynis.pid"
else
PIDFILE="./lynis.pid"
fi
# Check if there is already a PID file in any of the locations (incorrect termination of previous instance)
if [ -f "${MYHOMEDIR}/lynis.pid" -o -f "./lynis.pid" -o -f "/var/run/lynis.pid" ]; then
echo "" echo ""
echo " ${WARNING}Warning${NORMAL}: ${WHITE}PID file exists, probably another Lynis process is running.${NORMAL}" echo " ${WARNING}Warning${NORMAL}: ${WHITE}PID file exists, probably another Lynis process is running.${NORMAL}"
echo " ------------------------------------------------------------------------------" echo " ------------------------------------------------------------------------------"
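Review bot: the stale-PID check tests all three locations including `./lynis.pid`, so a leftover file in whatever directory the user happens to start from triggers the warning even for root, whose PID file now goes to /var/run; test only the `${PIDFILE}` that was just selected. The check is also existence-only: reading the PID and probing it with `kill -0` would distinguish a running instance from a stale file instead of prompting the user. Two unprivileged users without a home directory both fall back to `/tmp/lynis.pid`, a shared world-writable location, so use a per-user name (lynis.<uid>.pid) for that case. Typo in the comment: "workign".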
@ -349,26 +319,24 @@
echo " ${YELLOW}Note: ${WHITE}Cancelling the program can leave temporary files behind${NORMAL}" echo " ${YELLOW}Note: ${WHITE}Cancelling the program can leave temporary files behind${NORMAL}"
echo "" echo ""
wait_for_keypress wait_for_keypress
if [ -f lynis.pid ]; then rm -f lynis.pid; fi # Deleting any stale PID files that might exist.
if [ -f /var/run/lynis.pid ]; then rm -f /var/run/lynis.pid; fi # Note: Display function does not work yet at this point
#YYY Display function not working yet from here, due to OS detection if [ -f "${MYHOMEDIR}/lynis.pid" ]; then rm -f "${MYHOMEDIR}/lynis.pid"; fi
#Display --indent 2 --text "- Deleting old PID file..." --result DONE --color GREEN if [ -f "./lynis.pid" ]; then rm -f "./lynis.pid"; fi
if [ -f "/var/run/lynis.pid" ]; then rm -f "/var/run/lynis.pid"; fi
fi fi
# Create new PID file (use work directory if /var/run is not available) # Ensure symlink attack is not possible, by confirming there is no symlink of the file already
if [ ${PRIVILEGED} -eq 0 ]; then
# Store it in home directory of user
MYHOMEDIR=`echo ~`
if [ "${MYHOMEDIR}" = "" ]; then HOMEDIR="/tmp"; fi
PIDFILE="${MYHOMEDIR}/lynis.pid"
elif [ -d /var/run ]; then
PIDFILE="/var/run/lynis.pid"
else
PIDFILE="lynis.pid"
fi
OURPID=`echo $$` OURPID=`echo $$`
echo ${OURPID} > ${PIDFILE} if [ -L ${PIDFILE} ]; then
chmod 600 ${PIDFILE} echo "Found symlinked PID file (${PIDFILE}), quitting"
ExitFatal
else
# Create new PID file writable only by owner
echo "${OURPID}" > ${PIDFILE}
chmod 600 ${PIDFILE}
fi
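Review bot: `[ -L ${PIDFILE} ]` followed by `echo "${OURPID}" > ${PIDFILE}` is a check-then-use race: anyone who can write the directory (the /tmp fallback, or a shared home) can plant the symlink between the test and the redirection, and a pre-existing regular file belonging to someone else is not caught at all because only symlinks are rejected. Enabling `set -C` (noclobber) around the write makes the redirection fail rather than follow whatever appears at that path, and setting `umask 077` before the write closes the window in which the file exists with default permissions until the `chmod 600` runs. The `rm -f` of stale files just above also runs before this test, so a removed symlink can simply be recreated in between. Minor: `OURPID=\`echo $$\`` can be `OURPID=$$`, and `${PIDFILE}` should be quoted in the test and the redirection.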
# #
################################################################################# #################################################################################
# #
@ -389,8 +357,11 @@
echo " audit system : Perform security scan" echo " audit system : Perform security scan"
echo " audit dockerfile <file> : Analyze Dockerfile" echo " audit dockerfile <file> : Analyze Dockerfile"
echo "" echo ""
echo " ${GREEN}update${NORMAL}"
echo " update info : Show update details"
echo " update release : Update Lynis release"
echo ""
echo "" echo ""
echo " ${WHITE}Scan options:${NORMAL}" echo " ${WHITE}Scan options:${NORMAL}"
echo " --auditor \"<name>\" : Auditor name" echo " --auditor \"<name>\" : Auditor name"
echo " --dump-options : See all available options" echo " --dump-options : See all available options"
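Review bot: style: the added block ends with `echo ""` and the existing next line is another `echo ""`, so the help output now has a double blank line between the update commands and the scan options; drop one of them.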
@ -407,7 +378,6 @@
echo " --reverse-colors : Optimize color display for light backgrounds" echo " --reverse-colors : Optimize color display for light backgrounds"
echo "" echo ""
echo " ${WHITE}Misc options:${NORMAL}" echo " ${WHITE}Misc options:${NORMAL}"
echo " --check-update : Check for updates"
echo " --debug : Debug logging to screen" echo " --debug : Debug logging to screen"
echo " --view-manpage (--man) : View man page" echo " --view-manpage (--man) : View man page"
echo " --version (-V) : Display version number and quit" echo " --version (-V) : Display version number and quit"
@ -431,7 +401,7 @@
# Cleanup PID file if we drop out earlier # Cleanup PID file if we drop out earlier
RemovePIDFile RemovePIDFile
# Exit with exit code 1 # Exit with exit code 1
exit 1 exit 64
fi fi
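Review bot: the comment above `exit 64` still reads "Exit with exit code 1"; update it. If ExitCustom already calls RemovePIDFile, `ExitCustom 64` replaces both lines and keeps PID-file cleanup in one place.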
# #
################################################################################# #################################################################################
@ -459,7 +429,7 @@
echo "" echo ""
echo " ###################################################################" echo " ###################################################################"
echo "${NORMAL}"; echo "" echo "${NORMAL}"; echo ""
if [ ${NEVERBREAK} -eq 0 ]; then read void; fi if [ ${QUICKMODE} -eq 0 ]; then read void; fi
fi fi
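Review bot: swapping `${NEVERBREAK}` for `${QUICKMODE}` in the `read void` guard changes which option suppresses the pause: confirm that `--cronjob` (documented in the man page as "no questions, no breaks") also sets QUICKMODE, otherwise unattended runs that reach this warning block forever waiting on stdin. If NEVERBREAK is now unused, remove it from option parsing as well.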
# #
################################################################################# #################################################################################
@ -524,7 +494,7 @@
# #
################################################################################# #################################################################################
# #
if [ ${QUIET} -eq 0 ]; then if [ ${QUIET} -eq 0 -a ${SHOW_PROGRAM_DETAILS} -eq 1 ]; then
echo "" echo ""
echo " ---------------------------------------------------" echo " ---------------------------------------------------"
echo " Program version: ${PROGRAM_version}" echo " Program version: ${PROGRAM_version}"
@ -541,7 +511,6 @@
echo " Report file: ${REPORTFILE}" echo " Report file: ${REPORTFILE}"
echo " Report version: ${REPORT_version}" echo " Report version: ${REPORT_version}"
echo " Plugin directory: ${PLUGINDIR}" echo " Plugin directory: ${PLUGINDIR}"
#echo " Database directory: ${DBDIR}"
echo " ---------------------------------------------------" echo " ---------------------------------------------------"
fi fi
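Review bot: `[ ${QUIET} -eq 0 -a ${SHOW_PROGRAM_DETAILS} -eq 1 ]` fails with a test syntax error if SHOW_PROGRAM_DETAILS is not initialised (an empty expansion leaves `-a -eq 1`); give it a default in the constants file or profile and quote it here. Two nested ifs or `&&` are also preferable to `-a`, which POSIX marks obsolescent.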
@ -564,9 +533,7 @@
logtext "-----------------------------------------------------" logtext "-----------------------------------------------------"
logtext "Include directory: ${INCLUDEDIR}" logtext "Include directory: ${INCLUDEDIR}"
logtext "Plugin directory: ${PLUGINDIR}" logtext "Plugin directory: ${PLUGINDIR}"
logtext "Database directory: ${DBDIR}"
logtextbreak logtextbreak
#wait_for_keypress
# #
################################################################################# #################################################################################
@ -761,13 +728,11 @@
logtext "Info: perform tests from all categories" logtext "Info: perform tests from all categories"
INCLUDE_TESTS="boot_services kernel memory_processes authentication shells \ INCLUDE_TESTS="boot_services kernel memory_processes authentication shells \
filesystems storage storage_nfs \ filesystems storage storage_nfs nameservices ports_packages networking printers_spools \
nameservices ports_packages networking printers_spools \ mail_messaging firewalls webservers ssh snmp databases ldap php squid logging \
mail_messaging firewalls \ insecure_services banners scheduling accounting time crypto virtualization containers \
webservers ssh snmp databases ldap php squid logging \ mac_frameworks file_integrity tooling malware file_permissions homedirs \
insecure_services banners scheduling accounting \ kernel_hardening hardening"
time crypto virtualization mac_frameworks file_integrity hardening_tools tooling \
malware file_permissions homedirs kernel_hardening hardening"
else else
INCLUDE_TESTS="${TESTS_CATEGORY_TO_PERFORM}" INCLUDE_TESTS="${TESTS_CATEGORY_TO_PERFORM}"
logtext "Info: only performing tests from categories: ${TESTS_CATEGORY_TO_PERFORM}" logtext "Info: only performing tests from categories: ${TESTS_CATEGORY_TO_PERFORM}"
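Review bot: the rewritten list drops the `hardening_tools` category and adds `containers`; if hardening_tools was merged into `tooling`, say so in the CHANGELOG, otherwise its tests silently stop running in a full audit. Check the category filter path (`TESTS_CATEGORY_TO_PERFORM`) for the same name so a profile that still selects hardening_tools does not quietly run nothing.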
@ -829,12 +794,12 @@
################################################################################# #################################################################################
# #
if [ ${RUN_HELPERS} -eq 1 ]; then if [ ${RUN_HELPERS} -eq 1 ]; then
InsertPluginSection "Audit Module"
if [ ! "${HELPER}" = "" ]; then if [ ! "${HELPER}" = "" ]; then
logtext "Helper tool is $HELPER" logtext "Helper tool is $HELPER"
if [ -f ${INCLUDEDIR}/helper_${HELPER} ]; then if [ -f ${INCLUDEDIR}/helper_${HELPER} ]; then
SafePerms ${INCLUDEDIR}/helper_${HELPER} SafePerms ${INCLUDEDIR}/helper_${HELPER}
logtext "Running helper tool ${HELPER} with params: ${HELPER_PARAMS}" logtext "Running helper tool ${HELPER} with params: ${HELPER_PARAMS}"
InsertPluginSection "Helper: ${HELPER}"
. ${INCLUDEDIR}/helper_${HELPER} ${HELPER_PARAMS} . ${INCLUDEDIR}/helper_${HELPER} ${HELPER_PARAMS}
else else
echo "Error, could not find helper" echo "Error, could not find helper"
@ -856,6 +821,9 @@
# Show report # Show report
if [ -f ${INCLUDEDIR}/report ]; then SafePerms ${INCLUDEDIR}/report; . ${INCLUDEDIR}/report; fi if [ -f ${INCLUDEDIR}/report ]; then SafePerms ${INCLUDEDIR}/report; . ${INCLUDEDIR}/report; fi
# Show tool tips
if [ -f ${INCLUDEDIR}/hints_tips ]; then SafePerms ${INCLUDEDIR}/hints_tips; . ${INCLUDEDIR}/hints_tips; fi
logtext "================================================================================" logtext "================================================================================"
logtext "Tests performed: ${CTESTS_PERFORMED}" logtext "Tests performed: ${CTESTS_PERFORMED}"
logtext "Total tests: ${TOTAL_TESTS}" logtext "Total tests: ${TOTAL_TESTS}"
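Review bot: this sources `${INCLUDEDIR}/hints_tips`, but the file added in this commit is `include/tool_tips`, so the `-f` test is always false and the tips are never shown; rename one of the two. The `SafePerms` then `.` pattern mirrors the report line above and is fine once the name matches.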
@ -883,7 +851,11 @@
logtext "================================================================================" logtext "================================================================================"
# Clean exit (Delete PID file) # Clean exit (Delete PID file)
ExitClean if [ ${TOTAL_WARNINGS} -gt 0 ]; then
ExitCustom 78
else
ExitClean
fi
# The End # The End
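Review bot: the comment still says "Clean exit (Delete PID file)", but the warnings branch now goes through `ExitCustom 78`; make sure ExitCustom removes the PID file as ExitClean does, otherwise every run that finds a warning leaves lynis.pid behind and the next run stops at the "PID file exists" prompt. This also turns any warning into a non-zero exit status, which cron wrappers and `set -e` scripts will notice; the man page hunk documents 78, the CHANGELOG should too.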
87
lynis.8
@ -1,28 +1,28 @@
.TH Lynis 8 "30 January 2015" "1.17" "Unix System Administrator's Manual" .TH Lynis 8 "10 September 2015" "1.19" "Unix System Administrator's Manual"
.SH "NAME" .SH "NAME"
\fB \fB
\fB \fB
\fB \fB
Lynis \fP\- Run an system and security audit on the system Lynis \fP\- System and security auditing tool
\fB \fB
.SH "SYNOPSIS" .SH "SYNOPSIS"
.nf .nf
.fam C .fam C
\fBlynis\fP \-\-check-all(\-c) [other options] \fBlynis\fP [scan mode] [other options]
.fam T .fam T
.fi .fi
.SH "DESCRIPTION" .SH "DESCRIPTION"
\fBLynis\fP is an auditing tool for Unix (specialists). It checks the system \fBLynis\fP is a security auditing tool for Linux and Unix systems. It checks
and software configuration and logs all the found information into a log file the system and software configurations, to determine any improvements.
for debugging purposes, and in a report file suitable to create fancy looking All details are logged in a log file. Findings and other data is stored in a
auditing reports. report file, which can be used to create auditing reports.
\fBLynis\fP can be run as a cronjob, or from the command line. It needs to have \fBLynis\fP can be run as a cronjob, or from the command line. Lynis prefers
full access to the system, so running it as root (or with sudo rights) is root permissions (or sudo), so it can access all parts of the system, however it
required. not required (see pentest mode).
.PP .PP
The following system areas may be checked: The following system areas may be checked:
.IP .IP
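Review bot: grammar in the rewritten DESCRIPTION: "Findings and other data is stored" should be "are stored", and "however it not required (see pentest mode)" is missing "is". The `.TH` date "10 September 2015" also disagrees with `PROGRAM_releasedate="13 September 2015"` in the main script; pick one.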
@ -30,27 +30,34 @@ The following system areas may be checked:
.IP .IP
\- Configuration files \- Configuration files
.IP .IP
\- Common files by software packages \- Files part of software packages
.IP .IP
\- Directories and files related to logging and auditing \- Directories and files related to logging and auditing
.SH "FIRST TIME USAGE"
When running \fBLynis\fP for the first time, run: lynis audit system --quick
.SH "SCAN MODES"
.IP audit system
Performs a system audit, which is the most common audit.
For more scan modes, see the helper utilities.
.SH "OPTIONS" .SH "OPTIONS"
.TP .TP
.B \-\-auditor <full name> .B \-\-auditor <full name>
Define the name of the auditor/pen-tester. When a full name is used, add double Define the name of the auditor/pen-tester. When a full name is used, add double
quotes, like "Your Name". quotes, like "Your Name".
.TP .TP
.B \-\-checkall (or \-c) .B \-\-checkall (or \-c)
\fBLynis\fP performs a full check of the system, printing out the results of \fBLynis\fP performs a full check of the system, printing out the results of
each test to stdout. Additional information will be saved into a log file each test to stdout. Additional information will be saved into a log file
(default is /var/log/lynis.log). (default is /var/log/lynis.log). This option invokes scan mode "audit system".
.IP .IP
In case the outcome of a scan needs to be automated, use the report file. In case the outcome of a scan needs to be automated, use the report file.
.TP .TP
.B \-\-check\-update (or \-\-info)
Show program, database and update information.
.TP
.B \-\-cronjob .B \-\-cronjob
Perform automatic scan with cron safe options (no colors, no questions, no Perform automatic scan with cron safe options (no colors, no questions, no
breaks). breaks).
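Review bot: `.IP audit system` passes "system" as the second argument of `.IP`, which troff reads as the indent width, not as part of the tag; quote the tag (`.IP "audit system"`) so it renders as one label.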
@ -115,14 +122,42 @@ with others. When running Lynis without any parameters, help will be shown and
the program will exit. the program will exit.
.RE .RE
.PP .PP
.SH "BUGS" .SH "HELPERS"
Discovered a bug? Please report them via e-mail (lynis-dev@cisofy.com) or via GitHub: https://github.com/CISOfy/Lynis Lynis has special helpers to do certain tasks. This way the framework of Lynis is
.RE used, while at the same time storing most of the functionality in a separated
.PP file. This speeds up execution and keeps the code clean.
.SH "LICENSING"
Lynis is licensed with the GPL v3 license and under development by CISOfy and Michael Boelen. Plugins have their own license.
.RE
.PP
.SH "CONTACT INFORMATION"
Support and project related questions are addressed via https://cisofy.com/support/. .B audit
Run audit on the system or on other targets
.B update
Run updater utility
To use a helper, run Lynis followed by the helper name.
.SH "EXIT CODES"
Lynis uses exit codes to signal any invoking script. Currently the following codes are used:
.IP 0
Program exited normally, nothing found
.IP 1
Fatal error
.IP 64
An unknown parameter is used, or incomplete
.IP 65
Incorrect data encountered
.IP 66
Can't open file or directory
.IP 78
Lynis found 1 or more warnings or configurations errors
.SH "BUGS"
Bugs can be reported via GitHub at https://github.com/CISOfy/lynis
.SH "DOCUMENTATION"
Supporting documentation can be found via https://cisofy.com/documentation/lynis/
.SH "LICENSING"
Lynis is licensed as GPL v3, written by Michael Boelen. Development is supported by CISOfy. Plugins may have their own license.
.SH "CONTACT INFORMATION"
Support requests and project related questions can be addressed via e-mail: lynis-dev@cisofy.com.
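Review bot: in the new HELPERS section `.B audit` and `.B update` are not introduced by `.TP` or `.IP`, so they render inline with the surrounding sentence; give each its own `.TP`. In EXIT CODES, "0 Program exited normally, nothing found" is misleading because suggestions do not change the exit status; say "no warnings". Exit code 1 is documented as "Fatal error", yet the script still uses a plain `exit 1` for an unreadable profile, which by this table should be 66.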