#!/bin/sh ################################################################################# # # Lynis # ------------------ # # Copyright 2007-2013, Michael Boelen # Copyright 2013-2016, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com # GitHub : https://github.com/CISOfy/lynis # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. # See LICENSE file for usage of this software. # ################################################################################# # CSF_CONFIG="/etc/csf/csf.conf" FILE_INT_TOOL="" FILE_INT_TOOL_FOUND=0 # Boolean, file integrity tool found # ################################################################################# # InsertSection "Software: file integrity" Display --indent 2 --text "- Checking file integrity tools" # ################################################################################# # # Test : FINT-4310 # Description : Check if AFICK is installed Register --test-no FINT-4310 --weight L --network NO --description "AFICK availability" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking AFICK binary" if [ ! "${AFICKBINARY}" = "" ]; then LogText "Result: AFICK is installed (${AFICKBINARY})" FILE_INT_TOOL="afick" FILE_INT_TOOL_FOUND=1 Display --indent 4 --text "- AFICK" --result FOUND --color GREEN else LogText "Result: AFICK is not installed" fi fi # ################################################################################# # # Test : FINT-4314 # Description : Check if AIDE is installed Register --test-no FINT-4314 --weight L --network NO --description "AIDE availability" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking AIDE binary" if [ ! "${AIDEBINARY}" = "" ]; then LogText "Result: AIDE is installed (${AIDEBINARY})" FILE_INT_TOOL="aide" FILE_INT_TOOL_FOUND=1 Display --indent 4 --text "- AIDE" --result FOUND --color GREEN else LogText "Result: AIDE is not installed" fi fi # ################################################################################# # # Test : FINT-4315 # Description : Check AIDE configuration file if [ ! "${AIDEBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no FINT-4315 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check AIDE configuration file" if [ ${SKIPTEST} -eq 0 ]; then AIDE_CONFIG_LOCS="/etc /etc/aide /usr/local/etc" LogText "Test: search for aide.conf in ${AIDE_CONFIG_LOCS}" for I in ${AIDE_CONFIG_LOCS}; do if [ -f ${I}/aide.conf ]; then LogText "Result: found aide.conf in directory ${I}" AIDECONFIG="${I}/aide.conf" fi done if [ "${AIDECONFIG}" = "" ]; then Display --indent 6 --text "- AIDE config file" --result "NOT FOUND" --color YELLOW else LogText "Checking configuration file ${AIDECONFIG} for errors" FIND=`${AIDEBINARY} --config=${AIDECONFIG} -D; echo $?` if [ "${FIND}" = "0" ]; then Display --indent 6 --text "- AIDE config file" --result FOUND --color GREEN else Display --indent 6 --text "- AIDE config file" --result WARNING --color YELLOW ReportSuggestion "${TEST_NO}" "Check the AIDE configuratio file as it may contain errors" fi fi fi # ################################################################################# # # Test : FINT-4316 # Description : Check if AIDE is configured to use SHA256 or SHA512 checksums if [ ! "${AIDEBINARY}" = "" -a ! "${AIDECONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no FINT-4316 --preqs-met ${PREQS_MET} --weight L --network NO --description "AIDE configuration: Checksums (SHA256 or SHA512)" if [ ${SKIPTEST} -eq 0 ]; then FIND=`${GREPBINARY} "^Checksums" ${AIDECONFIG}` FIND2=`${GREPBINARY} "^Checksums" ${AIDECONFIG} | ${EGREPBINARY} "sha256|sha512"` if [ "${FIND}" = "" ]; then LogText "Result: Unclear how AIDE is dealing with checksums" Display --indent 6 --text "- AIDE config (Checksums)" --result UNKNOWN --color YELLOW else if [ "${FIND2}" = "" ]; then LogText "Result: No SHA256 or SHA512 found for creating checksums" Display --indent 6 --text "- AIDE config (Checksum)" --result WARNING --color RED ReportSuggestion ${TEST_NO} "Use SHA256 or SHA512 to create checksums in AIDE" AddHP 1 3 else LogText "Result: Found SHA256 or SHA512 found for creating checksums" Display --indent 6 --text "- AIDE config (Checksum)" --result OK --color GREEN AddHP 2 2 fi fi fi # ################################################################################# # # Test : FINT-4318 # Description : Check if Osiris is installed Register --test-no FINT-4318 --weight L --network NO --description "Osiris availability" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking Osiris binary" if [ ! "${OSIRISBINARY}" = "" ]; then LogText "Result: Osiris is installed (${OSIRISBINARY})" FILE_INT_TOOL="osiris" FILE_INT_TOOL_FOUND=1 Display --indent 4 --text "- Osiris" --result FOUND --color GREEN else LogText "Result: Osiris is not installed" fi fi # ################################################################################# # # Test : FINT-4322 # Description : Check if Samhain is installed Register --test-no FINT-4322 --weight L --network NO --description "Samhain availability" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking Samhain binary" if [ ! "${SAMHAINBINARY}" = "" ]; then LogText "Result: Samhain is installed (${SAMHAINBINARY})" FILE_INT_TOOL="samhain" FILE_INT_TOOL_FOUND=1 Display --indent 4 --text "- Samhain" --result FOUND --color GREEN else LogText "Result: Samhain is not installed" fi fi # ################################################################################# # # Test : FINT-4326 # Description : Check if Tripwire is installed Register --test-no FINT-4326 --weight L --network NO --description "Tripwire availability" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking Tripwire binary" if [ ! "${TRIPWIREBINARY}" = "" ]; then LogText "Result: Tripwire is installed (${TRIPWIREBINARY})" FILE_INT_TOOL="tripwire" FILE_INT_TOOL_FOUND=1 Display --indent 4 --text "- Tripwire" --result FOUND --color GREEN else LogText "Result: Tripwire is not installed" fi fi # ################################################################################# # # Test : FINT-4328 # Description : Check if OSSEC system integrity tool is running Register --test-no FINT-4328 --weight L --network NO --description "OSSEC syscheck daemon running" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking if OSSEC syscheck daemon is running" IsRunning ossec-syscheckd if [ ${RUNNING} -eq 1 ]; then LogText "Result: syscheck (OSSEC) installed" FILE_INT_TOOL="ossec-syscheck" FILE_INT_TOOL_FOUND=1 Display --indent 4 --text "- OSSEC (syscheck)" --result FOUND --color GREEN else LogText "Result: syscheck (OSSEC) not installed" fi fi # ################################################################################# # # Test : FINT-4330 # Description : Check if mtree is installed # Note : Usually on BSD and similar Register --test-no FINT-4330 --weight L --network NO --description "mtree availability" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking mtree binary" if [ ! "${MTREEBINARY}" = "" ]; then LogText "Result: mtree is installed (${MTREEBINARY})" FILE_INT_TOOL="mtree" FILE_INT_TOOL_FOUND=1 Display --indent 4 --text "- mtree" --result FOUND --color GREEN else LogText "Result: mtree is not installed" fi fi # ################################################################################# # # Test : FINT-4334 # Description : Check if LFD is used (part of CSF suite) if [ -f ${CSF_CONFIG} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no FINT-4334 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check lfd daemon status" if [ ${SKIPTEST} -eq 0 ]; then Display --indent 4 --text "- lfd (CSF)" --result FOUND --color GREEN IsRunning 'lfd ' if [ ${RUNNING} -eq 1 ]; then LogText "Result: lfd daemon is running (CSF)" Display --indent 6 --text "- Daemon status" --result RUNNING --color GREEN FILE_INT_TOOL="csf-lfd" FILE_INT_TOOL_FOUND=1 else Display --indent 6 --text "- Daemon status" --result "NOT RUNNING" --color YELLOW fi fi # Test : FINT-4336 # Description : Check if LFD is enabled (part of CSF suite) if [ -f ${CSF_CONFIG} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no FINT-4336 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check lfd configuration status" if [ ${SKIPTEST} -eq 0 ]; then # LFD configuration parameters ENABLED=`grep "^LF_DAEMON = \"1\"" ${CSF_CONFIG}` if [ ! "${ENABLED}" = "" ]; then LogText "Result: lfd service is configured to run" Display --indent 6 --text "- Configuration status" --result ENABLED --color GREEN else LogText "Result: lfd service is configured NOT to run" Display --indent 6 --text "- Configuration status" --result DISABLED --color YELLOW fi ENABLED=`grep "^LF_DIRWATCH =" ${CSF_CONFIG} | awk '{ print $3 }' | sed 's/\"//g'` if [ ! "${ENABLED}" = "0" -a ! "${ENABLED}" = "" ]; then LogText "Result: lfd directory watching is enabled (value: ${ENABLED})" Display --indent 6 --text "- Temporary directory watches" --result ENABLED --color GREEN else LogText "Result: lfd directory watching is disabled" Display --indent 6 --text "- Temporary directory watches" --result DISABLED --color YELLOW fi ENABLED=`grep "^LF_DIRWATCH_FILE =" ${CSF_CONFIG} | awk '{ print $3 }' | sed 's/\"//g'` if [ ! "${ENABLED}" = "0" -a ! "${ENABLED}" = "" ]; then Display --indent 6 --text "- Directory/File watches" --result ENABLED --color GREEN else Display --indent 6 --text "- Directory/File watches" --result DISABLED --color YELLOW fi fi ################################################################################# # # Test : FINT-4338 # Description : Check if osquery system integrity tool is running Register --test-no FINT-4338 --weight L --network NO --description "osqueryd syscheck daemon running" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking if osqueryd syscheck daemon is running" IsRunning osqueryd if [ ${RUNNING} -eq 1 ]; then LogText "Result: syscheck (osquery) installed" FILE_INT_TOOL="osquery" FILE_INT_TOOL_FOUND=1 Display --indent 4 --text "- osquery (syscheck)" --result FOUND --color GREEN else LogText "Result: syscheck (osquery) not installed" fi fi # ################################################################################# # # Test : FINT-4350 # Description : Check if at least one file integrity tool is installed Register --test-no FINT-4350 --weight L --network NO --description "File integrity software installed" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Check if at least on file integrity tool is available/installed" if [ ${FILE_INT_TOOL_FOUND} -eq 1 ]; then LogText "Result: found at least one file integrity tool" Display --indent 2 --text "- Checking presence integrity tool" --result FOUND --color GREEN AddHP 5 5 else LogText "Result: No file integrity tools found" Display --indent 2 --text "- Checking presence integrity tool" --result "NOT FOUND" --color YELLOW ReportSuggestion ${TEST_NO} "Install a file integrity tool to monitor changes to critical and sensitive files" AddHP 0 5 fi fi # Report "file_integrity_tool=${FILE_INT_TOOL}" Report "file_integrity_tool_installed=${FILE_INT_TOOL_FOUND}" wait_for_keypress # #================================================================================ # Lynis - Copyright 2007-2016 Michael Boelen, CISOfy - https://cisofy.com