#!/bin/sh ################################################################################# # # Lynis # ------------------ # # Copyright 2007-2013, Michael Boelen # Copyright 2013-2016, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com # GitHub : https://github.com/CISOfy/lynis # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. # See LICENSE file for usage of this software. # ################################################################################# # InsertSection "Hardening" # COMPILER_INSTALLED is initialised before HARDEN_COMPILERS_NEEDED=0 # ################################################################################# # # Test : HRDN-7220 # Description : Check for installed compilers # Notes : No suggestion for hardening compilers, as HRDN-7222 will take care of that Register --test-no HRDN-7220 --weight L --network NO --category security --description "Check if one or more compilers are installed" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Check if one or more compilers can be found on the system" if [ ${COMPILER_INSTALLED} -eq 0 ]; then LogText "Result: no compilers found" Display --indent 4 --text "- Installed compiler(s)" --result "${STATUS_NOT_FOUND}" --color GREEN AddHP 3 3 else LogText "Result: found installed compiler. See top of logfile which compilers have been found or use ${GREPBINARY} to filter on 'compiler'" Display --indent 4 --text "- Installed compiler(s)" --result "${STATUS_FOUND}" --color RED AddHP 1 3 fi fi # ################################################################################# # # Test : HRDN-7222 # Description : Check for permissions of installed compilers Register --test-no HRDN-7222 --weight L --network NO --category security --description "Check compiler permissions" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Check if one or more compilers can be found on the system" HARDEN_COMPILERS_NEEDED=0 if [ ${COMPILER_INSTALLED} -eq 0 ]; then LogText "Result: no compilers found" else # as if [ ! "${ASBINARY}" = "" ]; then LogText "Test: Check file permissions for as (Assembler)" if IsWorldExecutable ${ASBINARY}; then LogText "Binary: found ${ASBINARY} (world executable)" Report "compiler[]=${ASBINARY}" AddHP 2 3 HARDEN_COMPILERS_NEEDED=1 else AddHP 3 3 fi fi # gcc if [ ! "${GCCBINARY}" = "" ]; then LogText "Test: Check file permissions for GCC compiler" if IsWorldExecutable ${GCCBINARY}; then LogText "Binary: found ${GCCBINARY} (world executable)" Report "compiler[]=${GCCBINARY}" AddHP 2 3 HARDEN_COMPILERS_NEEDED=1 else AddHP 3 3 fi fi # Report suggestion is one or more compilers can be better hardened if [ ${HARDEN_COMPILERS_NEEDED} -eq 1 ]; then LogText "Result: at least one compiler could be better hardened by restricting executable access to root or group only" ReportSuggestion ${TEST_NO} "Harden compilers like restricting access to root user only" fi #YYY check if compilers have a specific group (like compiler, or NOT root/wheel) # Display --indent 4 --text "- Installed compiler(s)" --result "${STATUS_FOUND}" --color RED # /usr/bin/*cc* # /usr/bin/*++* # /usr/bin/ld # (and 700 or 750 permissions) fi fi # ################################################################################# # # Test : HRDN-7230 # Description : Check for installed malware scanners Register --test-no HRDN-7230 --weight L --network NO --category security --description "Check for malware scanner" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Check if a malware scanner is installed" if [ ${MALWARE_SCANNER_INSTALLED} -eq 1 ]; then LogText "Result: found at least one malware scanner" Display --indent 4 --text "- Installed malware scanner" --result "${STATUS_FOUND}" --color GREEN AddHP 3 3 else LogText "Result: no malware scanner found" Display --indent 4 --text "- Installed malware scanner" --result "${STATUS_NOT_FOUND}" --color RED ReportSuggestion ${TEST_NO} "Harden the system by installing at least one malware scanner, to perform periodic file system scans" "-" "Install a tool like rkhunter, chkrootkit, OSSEC" AddHP 1 3 fi fi # ################################################################################# # # LogText "--------------------------------------------------------------------" # LogText "| System part | Preferred value | Actual value | Points |" # LogText "| [!] Compiler installed | 0 | [${COMPILER_INSTALLED}] | x |" # LogText "| [V] Malware scanner installed | 1 | [x] | x |" # LogText "| [V] Packet filter enabled | 1 | [x] | x |" # LogText "--------------------------------------------------------------------" # LogText "| [!]: Hardening possible, [V]: Hardening performed, [ ]: Unknown " # LogText "--------------------------------------------------------------------" # ################################################################################# # Report "compiler_installed=${COMPILER_INSTALLED}" WaitForKeyPress # #================================================================================ # Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com