#!/bin/sh ################################################################################# # # Lynis # ------------------ # # Copyright 2007-2013, Michael Boelen # Copyright 2013-2016, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com # GitHub : https://github.com/CISOfy/lynis # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. # See LICENSE file for usage of this software. # ################################################################################# # # Scheduled tasks # ################################################################################# # InsertSection "Scheduled tasks" # ################################################################################# # ATD_RUNNING=0 CROND_RUNNING=0 # ################################################################################# # # Test : SCHD-7702 # Description : Check cron daemon Register --test-no SCHD-7702 --weight L --network NO --description "Check status of cron daemon" if [ ${SKIPTEST} -eq 0 ]; then FIND=`ps aux | egrep "( cron$|/cron(d)? )"` if [ "${FIND}" = "" ]; then LogText "Result: no cron daemon found" else LogText "Result: cron daemon running" CROND_RUNNING=1 Report "crond_running=1" Report "scheduler[]=crond" fi fi # ################################################################################# # # Test : SCHD-7704 # Description : Check crontab / cronjobs Register --test-no SCHD-7704 --weight L --network NO --description "Check crontab/cronjobs" if [ ${SKIPTEST} -eq 0 ]; then BAD_FILE_PERMISSIONS=0 BAD_FILE_OWNERSHIP=0 FindCronJob() { sCRONJOBS=`egrep '^([0-9*])' $1 | tr '\t' ' ' | tr -s ' ' | tr ' ' ','` } CRONTAB_FILE="/etc/crontab" if [ -f ${CRONTAB_FILE} ]; then if IsWorldWritable ${CRONTAB_FILE}; then LogText "Result: insecure file permissions for cronjob file ${CRONTAB_FILE}"; Report "insecure_fileperms_cronjob[]=${CRONTAB_FILE}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi if ! IsOwnedByRoot ${CRONTAB_FILE}; then LogText "Result: incorrect owner found for cronjob file ${CRONTAB_FILES}"; Report "bad_fileowner_cronjob[]=${CRONTAB_FILE}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi FindCronJob ${CRONTAB_FILE} for I in ${sCRONJOBS}; do LogText "Found cronjob (${CRONTAB_FILE}): ${I}" Report "cronjob[]=${I}" done fi CRON_DIRS="/etc/cron.d" for I in ${CRON_DIRS}; do LogText "Test: checking directory ${I}" if [ -d ${I} ]; then FileIsReadable ${I} if [ ${CANREAD} -eq 1 ]; then LogText "Result: found directory ${I}" LogText "Test: searching files in ${I}" FIND=`find ${I} -type f -print | grep -v ".placeholder"` if [ "${FIND}" = "" ]; then LogText "Result: no files found in ${I}" else LogText "Result: found one or more files in ${I}. Analyzing files.." for J in ${FIND}; do if IsWorldWritable ${J}; then LogText "Result: insecure file permissions for cronjob file ${J}"; Report "insecure_fileperms_cronjob[]=${J}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi if ! IsOwnedByRoot ${J}; then LogText "Result: incorrect owner found for cronjob file ${J}"; Report "bad_fileowner_cronjob[]=${J}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi FindCronJob ${J} if [ ! "${sCRONJOBS}" = "" ]; then for K in ${sCRONJOBS}; do LogText "Result: Found cronjob (${J}): ${K}" Report "cronjob[]=${J}" done fi done LogText "Result: done with analyzing files in ${I}" fi else LogText "Result: can not read file or directory ${I}" fi else LogText "Result: directory ${I} does not exist" fi done CRON_DIRS="/etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly" for I in ${CRON_DIRS}; do LogText "Test: checking directory ${I}" if [ -d ${I} ]; then LogText "Result: found directory ${I}" LogText "Test: searching files in ${I}" FIND=`find ${I} -type f -print | grep -v ".placeholder"` if [ "${FIND}" = "" ]; then LogText "Result: no files found in ${I}" else LogText "Result: found one or more files in ${I}. Analyzing files.." for J in ${FIND}; do if IsWorldWritable ${J}; then LogText "Result: insecure file permissions for cronjob file ${J}"; Report "insecure_fileperms_cronjob[]=${J}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi if ! IsOwnedByRoot ${J}; then LogText "Result: incorrect owner found for cronjob file ${J}"; Report "bad_fileowner_cronjob[]=${J}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi LogText "Result: Found cronjob (${I}): ${J}" Report "cronjob[]=${J}" done LogText "Result: done with analyzing files in ${I}" fi else LogText "Result: directory ${I} does not exist" fi done # /var/spool/cron/* and /var/spool/cron/crontabs/* # Search only in one tree, to avoid searching the tree twice if [ -d /var/spool/cron/crontabs ]; then FIND=`find /var/spool/cron/crontabs -type f -print` for I in ${FIND}; do FindCronJob ${I} for J in ${sCRONJOBS}; do LogText "Found cronjob (/var/spool/cron/crontabs): ${I} (${J})" Report "cronjob[]=${I}" done done else if [ -d /var/spool/cron ]; then FIND=`find /var/spool/cron -type f -print` for I in ${FIND}; do FindCronJob ${I} for J in ${sCRONJOBS}; do LogText "Found cronjob (/var/spool/cron): ${I} (${J})" LogText "cronjob[]=${I}" done done fi fi # Anacron if [ "${OS}" = "Linux" ]; then if [ -f /etc/anacrontab ]; then LogText "Test: checking anacrontab" sANACRONJOBS=`egrep '^([0-9@])' /etc/anacrontab | tr '\t' ' ' | tr -s ' ' | tr ' ' ','` if [ ! "${sANACRONJOBS}" = "" ]; then Report "scheduler[]=anacron" for J in ${sANACRONJOBS}; do LogText "Found anacron job (/etc/anacrontab): ${J}" Report "cronjob[]=${J}" done fi fi fi # Show warning when an issue shows up. Even if *both* the permissions and ownership are wrong, just show one (prevent overload of warnings). if [ ${BAD_FILE_PERMISSIONS} -eq 1 ]; then ReportWarning "${TEST_NO}" "Found one or more cronjob files with incorrect file permissions (see log for details)" Display --indent 2 --text "- Checking crontab/cronjob" --result WARNING --color RED elif [ ${BAD_FILE_OWNERSHIP} -eq 1 ]; then ReportWarning "${TEST_NO}" "Found one or more cronjob files with incorrect ownership (see log for details)" Display --indent 2 --text "- Checking crontab/cronjob" --result WARNING --color RED else Display --indent 2 --text "- Checking crontab/cronjob" --result DONE --color GREEN fi fi # ################################################################################# # # Test : SCHD-7718 # Description : Check atd status Register --test-no SCHD-7718 --weight L --network NO --description "Check at users" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking atd status" FIND=`${PSBINARY} ax | grep "/atd" | grep -v "grep"` if [ ! "${FIND}" = "" ]; then LogText "Result: at daemon active" Display --indent 2 --text "- Checking atd status" --result RUNNING --color GREEN ATD_RUNNING=1 Report "scheduler[]=atd" else LogText "Result: at daemon not active" if IsVerbose; then Display --indent 2 --text "- Checking atd status" --result "NOT RUNNING" --color WHITE; fi fi fi # ################################################################################# # # Test : SCHD-7720 # Description : Check at users # Notes : if at.allow exists, only users listed can schedule at jobs # if at.allow does not exist, but at.deny does, everyone # except the listed ones can schedule jobs. If both can't be # found, only root can schedule jobs. if [ ${ATD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no SCHD-7720 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check at users" if [ ${SKIPTEST} -eq 0 ]; then AT_UNKNOWN=0 case ${OS} in FreeBSD) AT_ALLOW="/var/at/at.allow"; AT_DENY="/var/at/at.deny" ;; HPUX) AT_ALLOW="/usr/lib/cron/at.allow"; AT_DENY="/usr/lib/cron/at.deny" ;; Linux) AT_ALLOW="/etc/at.allow"; AT_DENY="/etc/at.deny" ;; OpenBSD) AT_ALLOW="/var/cron/at.allow"; AT_DENY="/var/cron/at.deny" ;; SunOS) AT_ALLOW="/etc/cron.d/at.allow"; AT_DENY="/etc/cron.d/at.deny" ;; *) AT_UNKNOWN=1; LogText "Test skipped, files for at unknown" ;; esac if [ ${AT_UNKNOWN} -eq 0 ]; then LogText "Test: checking for file ${AT_ALLOW}" if [ -f ${AT_ALLOW} ]; then FileIsReadable ${AT_ALLOW} if [ ${CANREAD} -eq 1 ]; then LogText "Result: file ${AT_ALLOW} exists, only listed users can schedule at jobs" FIND=`cat ${AT_ALLOW} | sort` if [ "${FIND}" = "" ]; then LogText "Result: File empty, no users are allowed to schedule at jobs" else for I in ${FIND}; do LogText "Allowed at user: ${I}" done fi else LogText "Result: can not read ${AT_ALLOW} (no permission)" fi else LogText "Result: file ${AT_ALLOW} does not exist" LogText "Test: checking for file ${AT_DENY}" if [ -f ${AT_DENY} ]; then FileIsReadable ${AT_DENY} if [ ${CANREAD} -eq 1 ]; then LogText "Result: file ${AT_DENY} exists, only non listed users can schedule at jobs" FIND=`cat ${AT_DENY} | sort` if [ "${FIND}" = "" ]; then LogText "Result: file is empty, no users are denied access to schedule jobs" else for I in ${FIND}; do LogText "Denied at user: ${I}" done fi else LogText "Result: can not read ${AT_DENY} (no permission)" fi else LogText "Result: both ${AT_ALLOW} and ${AT_DENY} do not exist" LogText "Note: only root can schedule at jobs" AddHP 1 1 fi fi Display --indent 4 --text "- Checking at users" --result DONE --color GREEN else Display --indent 4 --text "- Checking at users" --result SKIPPED --color YELLOW fi fi # ################################################################################# # # Test : SCHD-7724 # Description : Check scheduled at jobs if [ ${ATD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no SCHD-7724 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check at jobs" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Check scheduled at jobs" FIND=`atq | grep -v "no files in queue" | ${AWKBINARY} '{gsub("\t"," ");print}' | sed 's/ /!space!/g'` if [ ! "${FIND}" = "" ]; then LogText "Result: found one or more jobs" for I in ${FIND}; do I=`echo ${I} | sed 's/!space!/ /g'` LogText "Found at job: ${I}" done Display --indent 4 --text "- Checking at jobs" --result FOUND --color GREEN else LogText "Result: no pending at jobs" Display --indent 4 --text "- Checking at jobs" --result NONE --color GREEN fi fi # ################################################################################# # wait_for_keypress # #================================================================================ # Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com