#!/bin/sh ################################################################################# # # Lynis # ------------------ # # Copyright 2007-2013, Michael Boelen # Copyright 2013-2016, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com # GitHub : https://github.com/CISOfy/lynis # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. # See LICENSE file for usage of this software. # ################################################################################# # AUTOMATION_TOOL_FOUND=0 AUTOMATION_TOOL_RUNNING="" CFENGINE_AGENT_FOUND=0 CFENGINE_SERVER_RUNNING=0 BACKUP_AGENT_FOUND=0 PUPPET_MASTER_RUNNING=0 SALT_MASTER_RUNNING=0 SALT_MINION_RUNNING=0 IPS_TOOL_FOUND=0 FAIL2BAN_FOUND=0 FAIL2BAN_EMAIL=0 FAIL2BAN_SILENT=0 # ################################################################################# # InsertSection "Software: System tooling" # ################################################################################# # # Automation # ################################################################################# # # Test : TOOL-5002 # Description : Check if automation tools are found Register --test-no TOOL-5002 --weight L --network NO --description "Checking for automation tools" if [ ${SKIPTEST} -eq 0 ]; then Display --indent 2 --text "- Checking automation tooling" # Cfengine if [ ! "${CFAGENTBINARY}" = "" ]; then LogText "Result: CFEngine (cfagent) is installed (${CFAGENTBINARY})" AUTOMATION_TOOL_FOUND=1 CFENGINE_AGENT_FOUND=1 Report "automation_tool_running[]=cf-agent" Display --indent 4 --text "Found: Cfengine (cfagent)" --result "${STATUS_FOUND}" --color GREEN fi OTHER_CFENGINE_LOCATIONS="/var/cfengine/bin" for I in ${OTHER_CFENGINE_LOCATIONS}; do if [ -d ${I} ]; then if [ -f ${I}/cf-agent ]; then LogText "Result: found CFEngine agent (cf-agent) in ${I}" AUTOMATION_TOOL_FOUND=1 CFENGINE_AGENT_FOUND=1 Report "automation_tool_running[]=cf-agent" Display --indent 4 --text "Found: CFEngine (cf-agent)" --result "${STATUS_FOUND}" --color GREEN fi IsRunning "cf-server" if [ ${RUNNING} -eq 1 ]; then LogText "Result: found CFEngine server" AUTOMATION_TOOL_FOUND=1 CFENGINE_SERVER_RUNNING=1 Report "automation_tool_running[]=cf-server" Display --indent 4 --text "Found: CFEngine (cf-server)" --result "${STATUS_FOUND}" --color GREEN fi fi done # Chef CHEF_LOCATIONS="/opt/chef/bin /opt/chef-server/sv /opt/chefdk/bin" for I in ${CHEF_LOCATIONS}; do if [ -d ${I} ]; then if [ -f ${I}/chef-client ]; then CHEFCLIENTBINARY="${I}/chef-client" AUTOMATION_TOOL_FOUND=1 Report "automation_tool_running[]=chef-client" Display --indent 4 --text "Found: Chef client (chef-client)" --result "${STATUS_FOUND}" --color GREEN LogText "Result: found chef-client (chef client daemon) in ${I}" fi if [ -f ${I}/erchef ]; then CHEFSERVERBINARY="${I}/erchef" LogText "Result: Chef Server (erchef) is installed (${CHEFSERVERBINARY})" AUTOMATION_TOOL_FOUND=1 Report "automation_tool_running[]=chef-server" Display --indent 4 --text "Found: Chef Server (erchef)" --result "${STATUS_FOUND}" --color GREEN LogText "Result: found erchef (chef server daemon) in ${I}" fi fi done # Puppet if [ ! "${PUPPETBINARY}" = "" ]; then LogText "Result: Puppet is installed (${PUPPETBINARY})" AUTOMATION_TOOL_FOUND=1 Report "automation_tool_running[]=puppet-agent" Display --indent 4 --text "Found: Puppet (agent)" --result "${STATUS_FOUND}" --color GREEN fi IsRunning "puppet master" if [ ${RUNNING} -eq 1 ]; then LogText "Result: found puppet master" PUPPET_MASTER_RUNNING=1 Report "automation_tool_running[]=puppet-master" Display --indent 4 --text "Found: Puppet (master)" --result "${STATUS_FOUND}" --color GREEN fi # SaltStack if [ ! "${SALTMINIONBINARY}" = "" ]; then LogText "Result: SaltStack (salt-minion) is installed (${SALTMINIONBINARY})" AUTOMATION_TOOL_FOUND=1 SALT_MINION_RUNNING=1 Report "automation_tool_running[]=saltstack-minion" Display --indent 4 --text "Found: SaltStack minion (salt-minion)" --result "${STATUS_FOUND}" --color GREEN fi if [ ! "${SALTMASTERBINARY}" = "" ]; then LogText "Result: SaltStack (salt-master) is installed (${SALTMASTERBINARY})" AUTOMATION_TOOL_FOUND=1 SALT_MASTER_RUNNING=1 Report "automation_tool_running[]=saltstack-minion" Display --indent 4 --text "Found: SaltStack master (salt-master)" --result "${STATUS_FOUND}" --color GREEN else IsRunning "salt-master" if [ ${RUNNING} -eq 1 ]; then LogText "Result: found SaltStack (master)" AUTOMATION_TOOL_FOUND=1 SALT_MASTER_RUNNING=1 Report "automation_tool_running[]=saltstack-master" Display --indent 4 --text "Found: SaltStack (master)" --result "${STATUS_FOUND}" --color GREEN fi fi if [ ${AUTOMATION_TOOL_FOUND} -eq 1 ]; then Display --indent 2 --text "- Automation tooling" --result "${STATUS_FOUND}" --color GREEN else Display --indent 2 --text "- Automation tooling" --result "${STATUS_NOT_FOUND}" --color YELLOW ReportSuggestion ${TEST_NO} "Determine if automation tools are present for system management" fi fi # ################################################################################# # # Intrusion Prevention tools # ################################################################################# # # Test : TOOL-5102 # Description : Check for Fail2ban Register --test-no TOOL-5102 --weight L --network NO --description "Check for presence of Fail2ban" if [ ${SKIPTEST} -eq 0 ]; then # Fail2ban presence if [ ! "${FAIL2BANBINARY}" = "" ]; then FAIL2BAN_FOUND=1 IDS_IPS_TOOL_FOUND=1 LogText "Result: Fail2ban is installed (${FAIL2BANBINARY})" Report "ids_ips_tooling[]=fail2ban" Display --indent 2 --text "- Checking presence of Fail2ban" --result "${STATUS_FOUND}" --color GREEN else LogText "Result: Fail2ban not present (fail2ban-server not found)" fi # Fail2ban configuration LogText "Checking Fail2ban configuration file" if [ -f /etc/fail2ban/jail.local ]; then FAIL2BAN_CONFIG="/etc/fail2ban/jail.local" elif [ -f /etc/fail2ban/jail.conf ]; then FAIL2BAN_CONFIG="/etc/fail2ban/jail.conf" else FAIL2BAN_CONFIG="" fi # Continue if tooling is available and configuration file found if [ ${FAIL2BAN_FOUND} -eq 1 -a ! "${FAIL2BAN_CONFIG}" = "" ]; then LogText "Result: found configuration file (${FAIL2BAN_CONFIG})" # Check email alert configuration LogText "Test: checking for email actions within ${FAIL2BAN_CONFIG}" FIND=`egrep "^action = \%\(action_m.*\)s" ${FAIL2BAN_CONFIG}` FIND2=`egrep "^action = \%\(action_\)s" ${FAIL2BAN_CONFIG}` if [ ! "${FIND}" = "" ]; then FAIL2BAN_EMAIL=1 LogText "Result: found at least one jail which sends an email alert" fi if [ ! "${FIND2}" = "" ]; then FAIL2BAN_SILENT=1 LogText "Result: found at least one jail which does NOT send an email alert" fi if [ ${FAIL2BAN_SILENT} -eq 0 ] && [ ${FAIL2BAN_EMAIL} -eq 0 ]; then LogText "No registered actions found in ${FAIL2BAN_CONFIG}" Display --indent 4 --text "- Checking Fail2ban actions" --result "${STATUS_NONE}" --color RED ReportWarning "${TEST_NO}" "M" "${FAIL2BAN_CONFIG}" "There are no actions configured for Fail2ban." AddHP 0 3 fi if [ ${FAIL2BAN_SILENT} -eq 0 ] && [ ${FAIL2BAN_EMAIL} -eq 1 ]; then LogText "All actions in ${FAIL2BAN_CONFIG} are configured to send email alerts" Display --indent 4 --text "- Checking Fail2ban actions" --result "${STATUS_OK}" --color GREEN AddHP 3 3 fi if [ ${FAIL2BAN_SILENT} -eq 1 ] && [ ${FAIL2BAN_EMAIL} -eq 1 ]; then LogText "Some actions found in ${FAIL2BAN_CONFIG} are configured to send email alerts" Display --indent 4 --text "- Checking Fail2ban actions" --result PARTIAL --color YELLOW ReportSuggestion "${TEST_NO}" "Some Fail2ban jails are configured with non-notified actions. Consider changing these to emailed alerts." AddHP 2 3 fi if [ ${FAIL2BAN_SILENT} -eq 1 ] && [ ${FAIL2BAN_EMAIL} -eq 0 ]; then LogText "None of the actions found in ${FAIL2BAN_CONFIG} are configured to send email alerts" Display --indent 4 --text "- Checking Fail2ban actions" --result "${STATUS_NONE}" --color YELLOW ReportSuggestion "${TEST_NO}" "None of the Fail2ban jails are configured to send email notifications. Consider changing these to emailed alerts." AddHP 1 3 fi # Check at least one enabled jail LogText "Checking for enabled jails within ${FAIL2BAN_CONFIG}" FIND=`egrep "^enabled\s*=\s*true" ${FAIL2BAN_CONFIG}` if [ ! "${FIND}" = "" ]; then LogText "Result: found at least one enabled jail" Display --indent 4 --text "- Checking Fail2ban jails" --result "${STATUS_ENABLED}" --color GREEN AddHP 3 3 else LogText "Result: Fail2ban installed but completely disabled" Display --indent 4 --text "- Checking Fail2ban jails" --result "${STATUS_DISABLED}" --color RED AddHP 0 3 ReportWarning "${TEST_NO}" "M" "All jails in Fail2ban are disabled" "${FAIL2BAN_CONFIG}" fi # Confirm at least one iptables chain for fail2ban LogText "Checking for fail2ban iptables chains" if [ ! "${IPTABLESBINARY}" = "" ]; then CHECK_CHAINS=`${IPTABLESBINARY} -L 2>&1 | grep fail2ban` if [ ! "${CHECK_CHAINS}" = "" ]; then LogText "Result: found at least one iptables chain for fail2ban" Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result "${STATUS_OK}" --color GREEN else LogText "Result: Fail2ban installed but iptables chain not present - fail2ban will not work" Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result "${STATUS_WARNING}" --color RED AddHP 0 3 ReportSuggestion "${TEST_NO}" "M" "Check config to see why iptables does not have a fail2ban chain" "${FAIL2BAN_CONFIG}" fi else Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result "${STATUS_WARNING}" --color RED ReportSuggestion "${TEST_NO}" "H" "iptables doesn't seem to be installed; Fail2ban will not work. Remove Fail2ban or install iptables" "${FAIL2BAN_CONFIG}" fi fi fi # ################################################################################# # # Test : TOOL-5190 # Description : Check for an IDS/IPS tool Register --test-no TOOL-5014 --weight L --network NO --description "Check presence of IDS/IPS tool" if [ ${SKIPTEST} -eq 0 ]; then if [ ${IDS_IPS_TOOL_FOUND} -eq 1 ]; then Display --indent 2 --text "- Checking for intrusion detection/prevention system" --result "${STATUS_FOUND}" --color GREEN AddHP 2 2 else Display --indent 2 --text "- Checking for intrusion detection/prevention system" --result "${STATUS_NONE}" --color YELLOW #ReportSuggestion ${TEST_NO} "Ensure that automatic intrusion detection/prevention tools are installed" AddHP 0 2 fi fi # ################################################################################# # # Backup tools # ################################################################################# # # Netvault # Rsync in cron # ################################################################################# # Report "automation_tool_present=${AUTOMATION_TOOL_FOUND}" WaitForKeyPress # #================================================================================ # Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com