#!/bin/sh ################################################################################# # # Lynis # ------------------ # # Copyright 2007-2013, Michael Boelen # Copyright 2007-2017, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com # GitHub : https://github.com/CISOfy/lynis # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. # See LICENSE file for usage of this software. # ################################################################################# # # E-mail and messaging # ################################################################################# # InsertSection "Software: e-mail and messaging" # ################################################################################# # DOVECOT_RUNNING=0 EXIM_RUNNING=0 IMAP_DAEMON="" OPENSMTPD_RUNNING=0 POP3_DAEMON="" POSTFIX_RUNNING=0 QMAIL_RUNNING=0 SENDMAIL_RUNNING=0 SMTP_DAEMON="" # ################################################################################# # # Test : MAIL-8802 # Description : Check Exim process status Register --test-no MAIL-8802 --weight L --network NO --category security --description "Check Exim status" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: check Exim status" IsRunning exim if [ ${RUNNING} -eq 1 ]; then LogText "Result: found running Exim process" Display --indent 2 --text "- Exim status" --result "${STATUS_RUNNING}" --color GREEN EXIM_RUNNING=1 SMTP_DAEMON="exim" Report "smtp_daemon[]=exim" else LogText "Result: no running Exim processes found" if IsVerbose; then Display --indent 2 --text "- Exim status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi fi fi # ################################################################################# # # Test : MAIL-8814 # Description : Check Postfix process # Notes : qmgr and pickup run under postfix uid, without full path to binary Register --test-no MAIL-8814 --weight L --network NO --category security --description "Check postfix process status" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: check Postfix status" # Some other processes also use master, therefore it should include both master and postfix FIND1=$(${PSBINARY} ax | ${GREPBINARY} "master" | ${GREPBINARY} "postfix" | ${GREPBINARY} -v "grep") if [ ! -z "${FIND1}" ]; then LogText "Result: found running Postfix process" Display --indent 2 --text "- Postfix status" --result "${STATUS_RUNNING}" --color GREEN POSTFIX_RUNNING=1 SMTP_DAEMON="postfix" Report "smtp_daemon[]=postfix" else LogText "Result: no running Postfix processes found" if IsVerbose; then Display --indent 2 --text "- Postfix status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi fi fi # ################################################################################# # # Test : MAIL-8816 # Description : Check Postfix configuration if [ ${POSTFIX_RUNNING} -eq 1 -a ! "${POSTFIXBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no MAIL-8816 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Postfix configuration" if [ ${SKIPTEST} -eq 0 ]; then Display --indent 4 --text "- Postfix configuration" --result "${STATUS_FOUND}" --color GREEN POSTFIX_CONFIGDIR=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^config_directory' | ${AWKBINARY} '{ print $3 }') POSTFIX_CONFIGFILE="${POSTFIX_CONFIGDIR}/main.cf" LogText "Postfix configuration directory: ${POSTFIX_CONFIGDIR}" LogText "Postfix configuration file: ${POSTFIX_CONFIGFILE}" fi # ################################################################################# # # Test : MAIL-8817 # Description : Check Postfix configuration for error if [ ${POSTFIX_RUNNING} -eq 1 -a ! "${POSTFIXBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no MAIL-8817 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Postfix configuration errors" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: using postconf to see if Postfix configuration has errors" FIND=$(${POSTCONFBINARY} 2>&1 | ${GREPBINARY} "warning:") if [ ! -z "${FIND}" ]; then Report "postfix_config_error=1" Display --indent 6 --text "- Postfix configuration errors" --result "${STATUS_WARNING}" --color RED LogText "Result: found an error or warning in the Postfix configuration. Manual check suggested." ReportSuggestion ${TEST_NO} "Found a configuration error in Postfix" "${POSTFIX_CONFIGFILE}" "text:run postconf > /dev/null" else LogText "Result: all looks to be fine with Postfix configuration" if IsVerbose; then Display --indent 6 --text "- Postfix configuration errors" --result "${STATUS_OK}" --color GREEN; fi fi fi # ################################################################################# # # Test : MAIL-8818 # Description : Check Postfix configuration if [ ${POSTFIX_RUNNING} -eq 1 -a ! "${POSTFIXBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no MAIL-8818 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Postfix configuration: banner" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking Postfix banner" FIND1=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^smtpd_banner' | ${GREPBINARY} 'postfix') FIND2=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^smtpd_banner' | ${GREPBINARY} '$mail_name') FIND3=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^mail_name' | ${GREPBINARY} -i 'postfix') FIND4=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^smtpd_banner' | ${GREPBINARY} -i "${OS}") if [ ! -z "${LINUX_VERSION}" ]; then FIND5=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^smtpd_banner' | ${GREPBINARY} -i "${LINUX_VERSION}") fi SHOWWARNING=0 if [ ! -z "${FIND1}" ]; then SHOWWARNING=1 Report "banner_software_disclosure[]=${FIND1}" elif [ ! -z "${FIND2}" -a ! -z "${FIND3}" ]; then SHOWWARNING=1 Report "banner_software_disclosure[]=${FIND2}" elif [ ! -z "${FIND4}" ]; then SHOWWARNING=1 Report "banner_os_disclosure[]=${FIND4}" elif [ ! -z "${FIND5}" ]; then SHOWWARNING=1 Report "banner_os_disclosure[]=${FIND5}" fi if [ ${SHOWWARNING} -eq 1 ]; then Display --indent 6 --text "- Postfix banner" --result "${STATUS_WARNING}" --color RED LogText "Result: found OS, or mail_name in SMTP banner, and/or mail_name contains 'Postfix'." ReportWarning ${TEST_NO} "Found some information disclosure in SMTP banner (OS or software name)" ReportSuggestion ${TEST_NO} "You are advised to hide the mail_name (option: smtpd_banner) from your postfix configuration. Use postconf -e or change your main.cf file (${POSTFIX_CONFIGFILE})" else if IsVerbose; then Display --indent 6 --text "- Postfix banner" --result "${STATUS_OK}" --color GREEN; fi fi fi # ################################################################################# # # Test : MAIL-8838 # Description : Check Dovecot process Register --test-no MAIL-8838 --weight L --network NO --category security --description "Check dovecot process" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: check dovecot status" IsRunning dovecot if [ ${RUNNING} -eq 1 ]; then LogText "Result: found running dovecot process" Display --indent 2 --text "- Dovecot status" --result "${STATUS_RUNNING}" --color GREEN DOVECOT_RUNNING=1 IMAP_DAEMON="dovecot" POP3_DAEMON="dovecot" Report "pop3_daemon[]=dovecot" Report "imap_daemon[]=dovecot" else LogText "Result: dovecot not found" if IsVerbose; then Display --indent 2 --text "- Dovecot status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi fi fi # ################################################################################# # # Test : MAIL-8860 # Description : Check Qmail process status Register --test-no MAIL-8860 --weight L --network NO --category security --description "Check Qmail status" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: check Qmail status" IsRunning qmail-smtpd if [ ${RUNNING} -eq 1 ]; then LogText "Result: found running Qmail process" Display --indent 2 --text "- Qmail status" --result "${STATUS_RUNNING}" --color GREEN QMAIL_RUNNING=1 SMTP_DAEMON="qmail" Report "smtp_daemon[]=qmail" else LogText "Result: no running Qmail processes found" if IsVerbose; then Display --indent 2 --text "- Qmail status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi fi fi # ################################################################################# # # Test : MAIL-8880 # Description : Check Sendmail process status Register --test-no MAIL-8880 --weight L --network NO --category security --description "Check Sendmail status" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: check sendmail status" IsRunning sendmail if [ ${RUNNING} -eq 1 ]; then LogText "Result: found running Sendmail process" Display --indent 2 --text "- Sendmail status" --result "${STATUS_RUNNING}" --color GREEN SENDMAIL_RUNNING=1 SMTP_DAEMON="sendmail" Report "smtp_daemon[]=sendmail" else LogText "Result: no running Sendmail processes found" if IsVerbose; then Display --indent 2 --text "- Sendmail status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi fi fi # ################################################################################# # # Test : MAIL-8920 # Description : Check OpenSMTPD process status if [ ! -z "${SMTPCTLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no MAIL-8920 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check OpenSMTPD status" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: check smtpd status" FIND=$(${PSBINARY} ax | ${EGREPBINARY} "(/smtpd|smtpd: \[priv\]|smtpd: smtp)" | ${GREPBINARY} -v "grep") if [ ! "${FIND}" = "" ]; then LogText "Result: found running smtpd process" Display --indent 2 --text "- OpenSMTPD status" --result "${STATUS_RUNNING}" --color GREEN OPENSMTPD_RUNNING=1 Report "smtp_daemon[]=opensmtpd" else LogText "Result: smtpd not found" if IsVerbose; then Display --indent 2 --text "- OpenSMTPD status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi fi fi # ################################################################################# # Report "imap_daemon=${IMAP_DAEMON}" Report "pop3_daemon=${POP3_DAEMON}" Report "smtp_daemon=${SMTP_DAEMON}" WaitForKeyPress # #================================================================================ # Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com