#!/bin/sh ################################################################################# # # Lynis # ------------------ # # Copyright 2007-2013, Michael Boelen # Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com # GitHub : https://github.com/CISOfy/lynis # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. # See LICENSE file for usage of this software. # ################################################################################# # AIDECONFIG="" CSF_CONFIG="${ROOTDIR}etc/csf/csf.conf" FILE_INT_TOOL="" FILE_INT_TOOL_FOUND=0 # Boolean, file integrity tool found # ################################################################################# # InsertSection "${SECTION_FILE_INTEGRITY}" Display --indent 2 --text "- Checking file integrity tools" # ################################################################################# # # Test : FINT-4310 # Description : Check if AFICK is installed Register --test-no FINT-4310 --weight L --network NO --category security --description "AFICK availability" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking AFICK binary" if [ -n "${AFICKBINARY}" ]; then LogText "Result: AFICK is installed (${AFICKBINARY})" Report "file_integrity_tool[]=afick" FILE_INT_TOOL="afick" FILE_INT_TOOL_FOUND=1 Display --indent 4 --text "- AFICK" --result "${STATUS_FOUND}" --color GREEN else LogText "Result: AFICK is not installed" if IsVerbose; then Display --indent 4 --text "- AFICK" --result "${STATUS_NOT_FOUND}" --color WHITE; fi fi fi # ################################################################################# # # Test : FINT-4314 # Description : Check if AIDE is installed Register --test-no FINT-4314 --weight L --network NO --category security --description "AIDE availability" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking AIDE binary" if [ -n "${AIDEBINARY}" ]; then LogText "Result: AIDE is installed (${AIDEBINARY})" Report "file_integrity_tool[]=aide" FILE_INT_TOOL="aide" FILE_INT_TOOL_FOUND=1 Display --indent 4 --text "- AIDE" --result "${STATUS_FOUND}" --color GREEN else LogText "Result: AIDE is not installed" if IsVerbose; then Display --indent 4 --text "- AIDE" --result "${STATUS_NOT_FOUND}" --color WHITE; fi fi fi # ################################################################################# # # Test : FINT-4315 # Description : Check AIDE configuration file if [ -n "${AIDEBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no FINT-4315 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check AIDE configuration file" if [ ${SKIPTEST} -eq 0 ]; then AIDE_CONFIG_LOCS="${ROOTDIR}etc ${ROOTDIR}etc/aide ${ROOTDIR}usr/local/etc" LogText "Test: search for aide.conf in ${AIDE_CONFIG_LOCS}" for I in ${AIDE_CONFIG_LOCS}; do if [ -f "${I}/aide.conf" ]; then LogText "Result: found aide.conf in directory ${I}" AIDECONFIG="${I}/aide.conf" fi done if [ -z "${AIDECONFIG}" ]; then Display --indent 6 --text "- AIDE config file" --result "${STATUS_NOT_FOUND}" --color RED ReportWarning "${TEST_NO}" "No AIDE configuration file was found, needed for AIDE functionality" else LogText "Checking configuration file ${AIDECONFIG} for errors" FIND=$(${AIDEBINARY} --config=${AIDECONFIG} -D) if [ $? -eq 0 ]; then Display --indent 6 --text "- AIDE config file" --result "${STATUS_FOUND}" --color GREEN else Display --indent 6 --text "- AIDE config file" --result "${STATUS_WARNING}" --color YELLOW ReportSuggestion "${TEST_NO}" "Check the AIDE configuration file as it may contain errors" fi fi fi # ################################################################################# # # Test : FINT-4316 # Description : Presence of AIDE database and size check if [ -n "${AIDEBINARY}" -a -n "${AIDECONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no FINT-4316 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Presence of AIDE database and size check" if [ ${SKIPTEST} -eq 0 ]; then AIDE_DB=$(${GREPBINARY} -E '(^database|^database_in)=' ${AIDECONFIG} | ${SEDBINARY} "s/.*://") if case ${AIDE_DB} in @@*) ;; *) false;; esac; then I=$(${GREPBINARY} "@@define.*DBDIR" ${AIDECONFIG} | ${AWKBINARY} '{print $3}') AIDE_DB=$(echo ${AIDE_DB} | ${SEDBINARY} "s#.*}#${I}#") fi LogText "Test: search for AIDE database on disk ${AIDE_DB}" if [ ! -e "${AIDE_DB}" ]; then Display --indent 6 --text "- AIDE database" --result "${STATUS_NOT_FOUND}" --color RED LogText "Result: AIDE database ${AIDE_DB} does not exist" ReportWarning "${TEST_NO}" "No AIDE database was found, needed for AIDE functionality" else LogText "Checking database size ${AIDE_DB}" if [ -s "${AIDE_DB}" ]; then Display --indent 6 --text "- AIDE database" --result "${STATUS_FOUND}" --color GREEN LogText "Result: AIDE database ${AIDE_DB} exist and has a size greater than zero" else Display --indent 6 --text "- AIDE database" --result "${STATUS_WARNING}" --color YELLOW LogText "Result: AIDE database ${AIDE_DB} exist but has a size of zero" ReportSuggestion "${TEST_NO}" "Check the AIDE database as it may contain errors" fi fi unset AIDE_DB I fi # ################################################################################# # # Test : FINT-4318 # Description : Check if Osiris is installed Register --test-no FINT-4318 --weight L --network NO --category security --description "Osiris availability" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking Osiris binary" if [ -n "${OSIRISBINARY}" ]; then LogText "Result: Osiris is installed (${OSIRISBINARY})" Report "file_integrity_tool[]=osiris" FILE_INT_TOOL="osiris" FILE_INT_TOOL_FOUND=1 Display --indent 4 --text "- Osiris" --result "${STATUS_FOUND}" --color GREEN else LogText "Result: Osiris is not installed" if IsVerbose; then Display --indent 4 --text "- Osiris" --result "${STATUS_NOT_FOUND}" --color WHITE; fi fi fi # ################################################################################# # # Test : FINT-4322 # Description : Check if Samhain is installed Register --test-no FINT-4322 --weight L --network NO --category security --description "Samhain availability" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking Samhain binary" if [ -n "${SAMHAINBINARY}" ]; then LogText "Result: Samhain is installed (${SAMHAINBINARY})" Report "file_integrity_tool[]=samhain" FILE_INT_TOOL="samhain" FILE_INT_TOOL_FOUND=1 Display --indent 4 --text "- Samhain" --result "${STATUS_FOUND}" --color GREEN else LogText "Result: Samhain is not installed" if IsVerbose; then Display --indent 4 --text "- Samhain" --result "${STATUS_NOT_FOUND}" --color WHITE; fi fi fi # ################################################################################# # # Test : FINT-4326 # Description : Check if Tripwire is installed Register --test-no FINT-4326 --weight L --network NO --category security --description "Tripwire availability" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking Tripwire binary" if [ -n "${TRIPWIREBINARY}" ]; then LogText "Result: Tripwire is installed (${TRIPWIREBINARY})" Report "file_integrity_tool[]=tripwire" FILE_INT_TOOL="tripwire" FILE_INT_TOOL_FOUND=1 Display --indent 4 --text "- Tripwire" --result "${STATUS_FOUND}" --color GREEN else LogText "Result: Tripwire is not installed" if IsVerbose; then Display --indent 4 --text "- Tripwire" --result "${STATUS_NOT_FOUND}" --color WHITE; fi fi fi # ################################################################################# # # Test : FINT-4328 # Description : Check if OSSEC system integrity tool is running Register --test-no FINT-4328 --weight L --network NO --category security --description "OSSEC syscheck daemon running" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking if OSSEC syscheck daemon is running" if IsRunning "ossec-syscheckd"; then LogText "Result: syscheck (OSSEC) active" Report "file_integrity_tool[]=ossec" FILE_INT_TOOL="ossec-syscheck" FILE_INT_TOOL_FOUND=1 Display --indent 4 --text "- OSSEC (syscheck)" --result "${STATUS_FOUND}" --color GREEN else LogText "Result: syscheck (OSSEC) is not active" if IsVerbose; then Display --indent 4 --text "- OSSEC" --result "${STATUS_NOT_FOUND}" --color WHITE; fi fi fi # ################################################################################# # # Test : FINT-4330 # Description : Check if mtree is installed # Note : Usually on BSD and similar Register --test-no FINT-4330 --weight L --network NO --category security --description "mtree availability" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking mtree binary" if [ -n "${MTREEBINARY}" ]; then LogText "Result: mtree is installed (${MTREEBINARY})" Report "file_integrity_tool[]=mtree" FILE_INT_TOOL="mtree" FILE_INT_TOOL_FOUND=1 Display --indent 4 --text "- mtree" --result "${STATUS_FOUND}" --color GREEN else LogText "Result: mtree is not installed" if IsVerbose; then Display --indent 4 --text "- mtree" --result "${STATUS_NOT_FOUND}" --color WHITE; fi fi fi # ################################################################################# # # Test : FINT-4334 # Description : Check if LFD is used (part of CSF suite) if [ -f ${CSF_CONFIG} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no FINT-4334 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check lfd daemon status" if [ ${SKIPTEST} -eq 0 ]; then Display --indent 4 --text "- lfd (CSF)" --result "${STATUS_FOUND}" --color GREEN LogText "Test: determine lfd status" if IsRunning "lfd - sleeping"; then LogText "Result: lfd daemon is running (CSF)" Report "file_integrity_tool[]=csf-lfd" Display --indent 6 --text "- LFD (CSF) daemon" --result "${STATUS_RUNNING}" --color GREEN FILE_INT_TOOL="csf-lfd" FILE_INT_TOOL_FOUND=1 else Display --indent 6 --text "- LFD (CSF) daemon" --result "${STATUS_NOT_RUNNING}" --color YELLOW fi fi # ################################################################################# # # Test : FINT-4336 # Description : Check if LFD is enabled (part of CSF suite) if [ -f ${CSF_CONFIG} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no FINT-4336 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check lfd configuration status" if [ ${SKIPTEST} -eq 0 ]; then # LFD configuration parameters ENABLED=$(${GREPBINARY} "^LF_DAEMON = \"1\"" ${CSF_CONFIG}) if [ -n "${ENABLED}" ]; then LogText "Result: lfd service is configured to run" Display --indent 6 --text "- Configuration status" --result "${STATUS_ENABLED}" --color GREEN else LogText "Result: lfd service is configured NOT to run" Display --indent 6 --text "- Configuration status" --result "${STATUS_DISABLED}" --color YELLOW fi ENABLED=$(${GREPBINARY} "^LF_DIRWATCH =" ${CSF_CONFIG} | ${AWKBINARY} '{ print $3 }' | ${SEDBINARY} 's/\"//g') if [ ! "${ENABLED}" = "0" -a -n "${ENABLED}" ]; then LogText "Result: lfd directory watching is enabled (value: ${ENABLED})" Display --indent 6 --text "- Temporary directory watches" --result "${STATUS_ENABLED}" --color GREEN else LogText "Result: lfd directory watching is disabled" Display --indent 6 --text "- Temporary directory watches" --result "${STATUS_DISABLED}" --color YELLOW fi ENABLED=$(${GREPBINARY} "^LF_DIRWATCH_FILE =" ${CSF_CONFIG} | ${AWKBINARY} '{ print $3 }' | ${SEDBINARY} 's/\"//g') if [ ! "${ENABLED}" = "0" -a -n "${ENABLED}" ]; then Display --indent 6 --text "- Directory/File watches" --result "${STATUS_ENABLED}" --color GREEN else Display --indent 6 --text "- Directory/File watches" --result "${STATUS_DISABLED}" --color YELLOW fi fi # ################################################################################# # # Test : FINT-4338 # Description : Check if osquery system integrity tool is running Register --test-no FINT-4338 --weight L --network NO --category security --description "osqueryd syscheck daemon running" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking if osqueryd syscheck daemon is running" if IsRunning "osqueryd"; then LogText "Result: syscheck (osquery) installed" Report "file_integrity_tool[]=osquery" FILE_INT_TOOL="osquery" FILE_INT_TOOL_FOUND=1 Display --indent 4 --text "- osquery daemon (syscheck)" --result "${STATUS_FOUND}" --color GREEN else LogText "Result: syscheck (osquery) not installed" if IsVerbose; then Display --indent 4 --text "- osquery daemon (syscheck)" --result "${STATUS_NOT_FOUND}" --color WHITE; fi fi fi # ################################################################################# # # Test : FINT-4339 # Description : Check IMA/EVM status if [ ! -z "${EVMCTLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; SKIPREASON="No evmctl binary found"; fi Register --test-no FINT-4339 --os Linux --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Check IMA/EVM status" if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 if [ -e /sys/kernel/security/ima ]; then FOUND=$(${CAT_BINARY} /sys/kernel/security/ima/runtime_measurements_count) fi if [ "${FOUND}" -ne 1 ]; then LogText "Result: EVM tools found but IMA/EVM disabled" Display --indent 2 --text "- IMA/EVM (status)" --result "${STATUS_DISABLED}" --color YELLOW else LogText "Result: EVM tools found, IMA/EVM enabled" FILE_INT_TOOL="evmctl" FILE_INT_TOOL_FOUND=1 Display --indent 2 --text "- IMA/EVM (status)" --result "${STATUS_ENABLED}" --color GREEN fi fi # ################################################################################# # # Test : FINT-4340 # Description : Check dm-integrity status if [ ! -z "${INTEGRITYSETUPBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; SKIPREASON="No integritysetup binary found"; fi Register --test-no FINT-4340 --os Linux --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Check dm-integrity status" if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 ROOTPROTECTED=0 ROOTDEVICE=$(${MOUNTBINARY} | ${AWKBINARY} '/ on \/ type / { print $1 }') for DEVICE in /dev/mapper/*; do if [ -e "${DEVICE}" ]; then FIND=$(${INTEGRITYSETUPBINARY} status "${DEVICE}" | ${GREPBINARY} -E 'type:.*INTEGRITY') if [ ! -z "${FIND}" ]; then FOUND=1 LogText "Result: found dm-integrity device ${DEVICE}" if [ "${DEVICE}" = "${ROOTDEVICE}" ]; then ROOTPROTECTED=1 fi fi fi done if [ "${FOUND}" -ne 1 ]; then LogText "Result: dm-integrity tools found but no active devices" Display --indent 2 --text "- dm-integrity (status)" --result "${STATUS_DISABLED}" --color WHITE else LogText "Result: dm-integrity tools found, active devices" if [ ${ROOTPROTECTED} -eq 1 ]; then LogText "Result: root filesystem is protected by dm-integrity" Display --indent 2 --text "- dm-integrity (status)" --result "${STATUS_ENABLED}" --color GREEN else LogText "Result: root filesystem is not protected by dm-integrity but active devices found" Display --indent 2 --text "- dm-integrity (status)" --result "${STATUS_FOUND}" --color YELLOW fi FILE_INT_TOOL="dm-integrity" FILE_INT_TOOL_FOUND=1 Display --indent 2 --text "- dm-integrity (status)" --result "${STATUS_ENABLED}" --color GREEN fi fi # ################################################################################# # # Test : FINT-4341 # Description : Check dm-verity status if [ ! -z "${VERITYSETUPBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; SKIPREASON="No veritysetup binary found"; fi Register --test-no FINT-4341 --os Linux --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Check dm-verity status" if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 ROOTPROTECTED=0 ROOTDEVICE=$(${MOUNTBINARY} | ${AWKBINARY} '/ on \/ type / { print $1 }') for DEVICE in /dev/mapper/*; do if [ -e "${DEVICE}" ]; then FIND=$(${VERITYSETUPBINARY} status "${DEVICE}" | ${GREPBINARY} -E 'type:.*VERITY') if [ ! -z "${FIND}" ]; then FOUND=1 LogText "Result: found dm-verity device ${DEVICE}" if [ "${DEVICE}" = "${ROOTDEVICE}" ]; then ROOTPROTECTED=1 fi fi fi done if [ "${FOUND}" -ne 1 ]; then LogText "Result: dm-verity tools found but no active devices" Display --indent 2 --text "- dm-verity (status)" --result "${STATUS_DISABLED}" --color WHITE else LogText "Result: dm-verity tools found, active devices" if [ ${ROOTPROTECTED} -eq 1 ]; then LogText "Result: root filesystem is protected by dm-verity" Display --indent 2 --text "- dm-verity (status)" --result "${STATUS_ENABLED}" --color GREEN else LogText "Result: root filesystem is not protected by dm-verity but active devices found" Display --indent 2 --text "- dm-verity (status)" --result "${STATUS_FOUND}" --color YELLOW fi FILE_INT_TOOL="dm-verity" FILE_INT_TOOL_FOUND=1 fi fi # ################################################################################# # # Test : FINT-4344 # Description : Check if Wazuh system integrity tool is running Register --test-no FINT-4344 --weight L --network NO --category security --description "Wazuh syscheck daemon running" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking if Wazuh syscheck daemon is running" if IsRunning "wazuh-syscheckd"; then LogText "Result: syscheck (Wazuh) active" Report "file_integrity_tool[]=wazuh" FILE_INT_TOOL="wazuh-syscheck" FILE_INT_TOOL_FOUND=1 Display --indent 4 --text "- Wazuh (syscheck)" --result "${STATUS_FOUND}" --color GREEN else LogText "Result: syscheck (Wazuh) is not active" if IsVerbose; then Display --indent 4 --text "- Wazuh" --result "${STATUS_NOT_FOUND}" --color WHITE; fi fi fi # ################################################################################# # # Test : FINT-4402 (was FINT-4316) # Description : Check if AIDE is configured to use SHA256 or SHA512 checksums if [ ! "${AIDEBINARY}" = "" -a -n "${AIDECONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no FINT-4402 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "AIDE configuration: Checksums (SHA256 or SHA512)" if [ ${SKIPTEST} -eq 0 ]; then FIND=$(${GREPBINARY} -v "^#" ${AIDECONFIG} | ${GREPBINARY} -E "= .*(sha256|sha512)") if [ -z "${FIND}" ]; then LogText "Result: No SHA256 or SHA512 found for creating checksums" Display --indent 6 --text "- AIDE config (Checksum)" --result Suggestion --color YELLOW ReportSuggestion "${TEST_NO}" "Use SHA256 or SHA512 to create checksums in AIDE" AddHP 1 3 else LogText "Result: Found SHA256 or SHA512 found for creating checksums" Display --indent 6 --text "- AIDE config (Checksum)" --result "${STATUS_OK}" --color GREEN AddHP 2 2 fi fi # ################################################################################# # # Test : FINT-4350 # Description : Check if at least one file integrity tool is installed Register --test-no FINT-4350 --weight L --network NO --category security --description "File integrity software installed" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Check if at least on file integrity tool is available/installed" if [ ${FILE_INT_TOOL_FOUND} -eq 1 ]; then LogText "Result: found at least one file integrity tool" Display --indent 2 --text "- Checking presence integrity tool" --result "${STATUS_FOUND}" --color GREEN AddHP 5 5 else LogText "Result: No file integrity tools found" Display --indent 2 --text "- Checking presence integrity tool" --result "${STATUS_NOT_FOUND}" --color YELLOW ReportSuggestion "${TEST_NO}" "Install a file integrity tool to monitor changes to critical and sensitive files" AddHP 0 5 fi fi # ################################################################################# # WaitForKeyPress # #================================================================================ # Lynis - Copyright 2007-2021 Michael Boelen, CISOfy - https://cisofy.com