#!/bin/sh ################################################################################# # # Lynis # ------------------ # # Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands # Web site: http://www.rootkit.nl # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. # See LICENSE file for usage of this software. # ################################################################################# # # Kernel # ################################################################################# # InsertSection "Kernel" # ################################################################################# # CORE_DUMPS_DISABLED=0 CPU_PAE=0 CPU_NX=0 LINUXCONFIGFILE="" LINUXCONFIGFILE_ZIPPED=0 # ################################################################################# # # Test : KRNL-5622 # Description : Check default run level on Linux machines Register --test-no KRNL-5622 --os Linux --weight L --network NO --description "Determine Linux default run level" if [ ${SKIPTEST} -eq 0 ]; then # Checking if we can find the systemd default target logtext "Test: Checking for systemd default.target" if [ -L /etc/systemd/system/default.target ]; then logtext "Result: symlink found" if [ ! "${READLINKBINARY}" = "" ]; then FIND=`${READLINKBINARY} /etc/systemd/system/default.target` if [ "${FIND}" = "" ]; then logtext "Exception: can't find the target of the symlink of /etc/systemd/system/default.target" ReportException "${TEST_NO}:01" else FIND2=`echo ${FIND} | egrep "runlevel5|graphical"` if [ ! "${FIND2}" = "" ]; then logtext "Result: Found match on runlevel5/graphical" Display --indent 2 --text "- Checking default runlevel" --result "runlevel 5" --color GREEN report "linux_default_runlevel=5" else logtext "Result: No match found on runlevel, defaulting to runlevel 3" Display --indent 2 --text "- Checking default runlevel" --result "runlevel 3" --color GREEN report "linux_default_runlevel=3" fi fi else logtext "Result: No readlink binary, can't determine where symlink is pointing to" Display --indent 2 --text "- Checking default run level" --result UNKNOWN --color YELLOW fi else logtext "Result: no systemd found, so trying inittab" logtext "Test: Checking /etc/inittab" if [ -f /etc/inittab ]; then logtext "Result: file /etc/inittab found" logtext "Test: Checking default Linux run level" FIND=`awk -F: '/^id/ { print $2; }' /etc/inittab | head -n 1` if [ "${FIND}" = "" ]; then Display --indent 2 --text "- Checking default runlevel" --result UNKNOWN --color YELLOW logtext "Result: Can't determine default run level from /etc/inittab" else Display --indent 2 --text "- Checking default run level" --result "${FIND}" --color GREEN logtext "Found default run level '${FIND}'" report "linux_default_runlevel=${FIND}" fi else logtext "Result: file /etc/inittab not found" if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then logtext "Test: Checking run level with who -r, for Debian based systems" FIND=`who -r | awk '{ if ($1=="run-level") { print $2 } }'` if [ ! "${FIND}" = "" ]; then logtext "Result: Found default run level '${FIND}'" report "linux_default_runlevel=${FIND}" Display --indent 2 --text "- Checking default run level" --result "RUNLEVEL ${FIND}" --color GREEN else logtext "Result: Can't determine default run level from who -r" Display --indent 2 --text "- Checking default run level" --result UNKNOWN --color YELLOW fi fi fi fi fi # ################################################################################# # # Test : KRNL-5677 # Description : Check CPU options and support (PAE, No eXecute, eXecute Disable) # More info : pae and nx bit are both visible on AMD and Intel CPU's if supported Register --test-no KRNL-5677 --os Linux --weight L --network NO --description "Check CPU options and support" if [ ${SKIPTEST} -eq 0 ]; then Display --indent 2 --text "- Checking CPU support (NX/PAE)" logtext "Test: Checking /proc/cpuinfo" if [ -f /proc/cpuinfo ]; then logtext "Result: found /proc/cpuinfo" logtext "Test: Checking CPU options (XD/NX/PAE)" FIND_PAE_NX=`cat /proc/cpuinfo | grep " pae " | grep " nx "` FIND_PAE=`cat /proc/cpuinfo | grep " pae "` FIND_NX=`cat /proc/cpuinfo | grep " nx "` FOUND=0 if [ ! "${FIND_PAE_NX}" = "" ]; then logtext "PAE: Yes" logtext "NX: Yes" CPU_PAE=1 CPU_NX=1 logtext "Result: PAE or No eXecute option(s) both found" report "cpu_pae=1" report "cpu_nx=1" FOUND=1 else if [ ! "${FIND_PAE}" = "" -a "${FIND_NX}" = "" ]; then report "cpu_pae=1" logtext "Result: found PAE" CPU_PAE=1 FOUND=1 else if [ ! "${FIND_NX}" = "" -a "${FIND_PAE}" = "" ]; then report "cpu_nx=1" logtext "Result: found No eXecute" CPU_NX=1 FOUND=1 else logtext "Result: found no CPU options enabled (PAE or NX bit)" fi fi fi if [ ${FOUND} -eq 1 ]; then Display --indent 4 --text "CPU support: PAE and/or NoeXecute supported" --result FOUND --color GREEN else Display --indent 4 --text "CPU support: No PAE or NoeXecute supported" --result NONE --color YELLOW ReportSuggestion ${TEST_NO} "Use a PAE enabled kernel when possible to gain native No eXecute/eXecute Disable support" fi else Display --indent 4 --text "CPU support: no /proc/cpuinfo" --result SKIPPED --color YELLOW logtext "Result: /proc/cpuinfo not found" fi fi # ################################################################################# # # Test : KRNL-5680 # Description : Check if installed kernel has PAE support # Dependency : KRNL-5677 # More info : RedHat/CentOS/Fedora uses the package name 'kernel-PAE' # ################################################################################# # # Test : KRNL-5695 # Description : Determining Linux kernel version and release number Register --test-no KRNL-5695 --os Linux --weight L --network NO --description "Determine Linux kernel version and release number" if [ ${SKIPTEST} -eq 0 ]; then # Kernel number (and suffix) LINUX_KERNEL_RELEASE=`uname -r` report "linux_kernel_release=${LINUX_KERNEL_RELEASE}" logtext "Result: found kernel release ${LINUX_KERNEL_RELEASE}" # Type and build date LINUX_KERNEL_VERSION=`uname -v` report "linux_kernel_version=${LINUX_KERNEL_VERSION}" logtext "Result: found kernel version ${LINUX_KERNEL_VERSION}" Display --indent 2 --text "- Checking kernel version and release" --result DONE --color GREEN fi # ################################################################################# # # Test : KRNL-5723 # Description : Check if Linux is build as a monolithic kernel or not Register --test-no KRNL-5723 --os Linux --weight L --network NO --description "Determining if Linux kernel is monolithic" if [ ${SKIPTEST} -eq 0 ]; then if [ ! "${LSMODBINARY}" = "" -a -f /proc/modules ]; then logtext "Test: checking if kernel is monolithic or modular" # Checking if any modules are loaded FIND=`${LSMODBINARY} | grep -v "^Module" | wc -l | tr -s ' ' | tr -d ' '` Display --indent 2 --text "- Checking kernel type" --result DONE --color GREEN if [ "${FIND}" = "0" ]; then logtext "Result: Found monolithic kernel" report "linux_kernel_type=monolithic" MONOLITHIC_KERNEL=1 else logtext "Result: Found modular kernel" report "linux_kernel_type=modular" MONOLITHIC_KERNEL=0 fi else logtext "Test skipped, lsmod binary not found or /proc/modules can not be opened" fi fi # ################################################################################# # # Test : KRNL-5726 # Description : Checking Linux loaded kernel modules Register --test-no KRNL-5726 --os Linux --weight L --network NO --description "Checking Linux loaded kernel modules" if [ ${SKIPTEST} -eq 0 ]; then if [ ! "${LSMODBINARY}" = "" -a -f /proc/modules ]; then FIND=`lsmod | awk '{ if ($1!="Module") print $1 }' | sort` Display --indent 2 --text "- Checking loaded kernel modules" --result DONE --color GREEN if [ ! "${FIND}" = "" ]; then logtext "Loaded modules according lsmod:" N=0 for I in ${FIND}; do logtext "Loaded module: ${I}" report "loaded_kernel_module[]=${I}" N=`expr ${N} + 1` done Display --indent 6 --text "Found ${N} active modules" else logtext "Result: no loaded modules found" logtext "Notice: No loaded kernel modules could indicate a broken/malformed lsmod, or a (custom) monolithic kernel" fi else logtext "Test skipped, lsmod binary not found or /proc/modules can not be opened" fi fi # ################################################################################# # # Test : KRNL-5728 # Description : Checking for available Linux kernel configuration file in /boot Register --test-no KRNL-5728 --os Linux --weight L --network NO --description "Checking Linux kernel config" if [ ${SKIPTEST} -eq 0 ]; then CHECKFILE="/boot/config-`uname -r`" if [ -f ${CHECKFILE} ]; then LINUXCONFIGFILE="${CHECKFILE}" logtext "Result: found config (${LINUXCONFIGFILE})" Display --indent 2 --text "- Checking Linux kernel configuration file" --result FOUND --color GREEN elif [ -f /boot/config.gz ]; then LINUXCONFIGFILE="${CHECKFILE}" LINUXCONFIGFILE_ZIPPED=1 logtext "Result: found config: /boot/config.gz (compressed)" Display --indent 2 --text "- Checking Linux kernel configuration file" --result FOUND --color GREEN else logtext "Result: no Linux kernel configuration file found in /boot" Display --indent 2 --text "- Checking Linux kernel configuration file" --result "NOT FOUND" --color WHITE fi if [ ! "${LINUXCONFIGFILE}" = "" ]; then report "linux_config_file=${LINUXCONFIGFILE}" fi fi # ################################################################################# # # Test : KRNL-5730 # Description : Checking default I/O kernel scheduler PREQS_MET="NO" if [ ! "${LINUXCONFIGFILE}" = "" ]; then if [ -f ${LINUXCONFIGFILE} ]; then PREQS_MET="YES"; fi fi Register --test-no KRNL-5730 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking disk I/O kernel scheduler" if [ ${SKIPTEST} -eq 0 ]; then if [ ${LINUXCONFIGFILE_ZIPPED} -eq 1 ]; then GREPTOOL="${ZGREPBINARY}"; else GREPTOOL="${GREPBINARY}"; fi if [ ! "${GREPTOOL}" = "" ]; then logtext "Test: Checking the default I/O kernel scheduler" LINUX_KERNEL_IOSCHED=`${GREPTOOL} "CONFIG_DEFAULT_IOSCHED" ${LINUXCONFIGFILE} | awk -F= '{ print $2 }' | sed s/\"//g` if [ ! "${LINUX_KERNEL_IOSCHED}" = "" ]; then logtext "Result: found IO scheduler '${LINUX_KERNEL_IOSCHED}'" Display --indent 2 --text "- Checking default I/O kernel scheduler" --result FOUND --color GREEN report "linux_kernel_io_scheduler[]=${LINUX_KERNEL_IOSCHED}" else logtext "Result: no default i/o kernel scheduler found" Display --indent 2 --text "- Checking default I/O kernel scheduler" --result "NOT FOUND" --color WHITE fi else ReportException "${TEST_NO}" "No valid grep tool found to search kernel settings" fi fi # ################################################################################# # # YYY Check for kernel options # ################################################################################# # # Test : KRNL-5745 # Description : Checking FreeBSD loaded kernel modules Register --test-no KRNL-5745 --os FreeBSD --weight L --network NO --description "Checking FreeBSD loaded kernel modules" if [ ${SKIPTEST} -eq 0 ]; then Display --indent 2 --text "- Checking active kernel modules" logtext "Test: ${KERNEL_ACTIVE_MODULES_TITLE}" logtext "Description: ${KERNEL_ACTIVE_MODULES_DESCRIPTION}" logtext "Test: Checking modules" if [ -f /sbin/kldstat ]; then FIND=`kldstat | grep -v 'Name' | tr -s ' ' | cut -d ' ' -f6` if [ $? -eq 0 ]; then logtext "Loaded modules according kldstat:" N=0 for I in ${FIND}; do logtext "Loaded module: ${I}" report "loaded_kernel_module[]=${I}" N=`expr ${N} + 1` done Display --indent 4 --text "Found ${N} kernel modules" --result DONE --color GREEN else Display --indent 4 --text "Test failed" --result WARNING --color RED logtext "Result: Problem with executing kldstat" fi else echo "[ ${WHITE}SKIPPED${NORMAL} ]" logtext "Result: no results, can't find /sbin/kldstat" fi fi # ################################################################################# # # Test : KRNL-5770 # Description : Checking Solaris load modules Register --test-no KRNL-5770 --os Solaris --weight L --network NO --description "Checking active kernel modules" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: searching loaded kernel modules" FIND=`modinfo -c -w | grep -v "UNLOADED" | grep LOADED | awk '{ print $3 }' | sort` if [ ! "${FIND}" = "" ]; then for I in ${FIND}; do logtext "Found module: ${I}" report "loaded_kernel_module[]=${I}" done Display --indent 2 --text "- Checking Solaris active kernel modules" --result DONE --color GREEN else logtext "Result: no output" Display --indent 2 --text "- Checking Solaris active kernel modules" --result UNKNOWN --color YELLOW fi fi # ################################################################################# # # Test : KRNL-5788 # Description : Checking availability new kernel if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no KRNL-5788 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking availability new Linux kernel" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Searching apt-cache, to determine if a newer kernel is available" if [ -x /usr/bin/apt-cache ]; then logtext "Result: found /usr/bin/apt-cache" # YYY Test for presence /usr/bin/apt-cache and dpkg logtext "Test: checking readlink location of /vmlinuz" FINDKERNFILE=`readlink -f /vmlinuz` logtext "Output: readlink reported file ${FINDKERNFILE}" logtext "Test: checking package from dpkg -S" FINDKERNEL=`dpkg -S ${FINDKERNFILE} 2> /dev/null | awk -F : '{print $1}'` logtext "Output: dpkg -S reported package ${FINDKERNEL}" logtext "Test: Using apt-cache policy to determine if there is an update available" FINDINST=`apt-cache policy ${FINDKERNEL} | egrep 'Installed' | cut -d ':' -f2 | tr -d ' '` FINDCAND=`apt-cache policy ${FINDKERNEL} | egrep 'Candidate' | cut -d ':' -f2 | tr -d ' '` logtext "Kernel installed: ${FINDINST}" logtext "Kernel candidate: ${FINDCAND}" if [ "${FINDINST}" = "" ]; then Display --indent 2 --text "- Checking for available kernel update" --result UNKNOWN --color YELLOW logtext "Result: Exception occured, no output from apt-cache policy" ReportException "${TEST_NO}:01" logtext "Exception: apt-cache policy did not return an installed kernel version" ReportSuggestion ${TEST_NO} "Check the output of apt-cache policy manually to determine why output is empty" else if [ "${FINDINST}" = "${FINDCAND}" ]; then Display --indent 2 --text "- Checking for available kernel update" --result OK --color GREEN logtext "Result: no kernel update available" else Display --indent 2 --text "- Checking for available kernel update" --result "UPDATE AVAILABLE" --color YELLOW logtext "Result: kernel update available according 'apt-cache policy'." ReportSuggestion ${TEST_NO} "Determine priority for available kernel update" fi fi else logtext "Result: could NOT find /usr/bin/apt-cache, skipped other tests." fi fi # ################################################################################# # # Test : KRNL-5820 # Description : Checking core dumps configuration (Linux) Register --test-no KRNL-5820 --os Linux --weight L --network NO --description "Checking core dumps configuration" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Checking presence /etc/security/limits.conf" if [ -f /etc/security/limits.conf ]; then logtext "Result: file /etc/security/limits.conf exists" logtext "Test: Checking if core dumps are disabled in /etc/security/limits.conf" FIND1=`cat /etc/security/limits.conf | grep -v "^#" | grep -v "^$" | awk '{ if ($1=="*" && $2=="soft" && $3=="core") { print "soft core enabled" } }'` FIND2=`cat /etc/security/limits.conf | grep -v "^#" | grep -v "^$" | awk '{ if ($1=="*" && $2=="hard" && $3=="core") { print "hard core enabled" } }'` if [ "${FIND1}" = "soft core enabled" -o "${FIND2}" = "hard core enabled" ]; then logtext "Result: core dumps (soft or hard) are enabled" Display --indent 2 --text "- Checking core dumps configuration" --result ENABLED --color YELLOW #YYY suggestion AddHP 1 2 else logtext "Result: core dumps (soft and hard) are both disabled" Display --indent 2 --text "- Checking core dumps configuration" --result DISABLED --color GREEN CORE_DUMPS_DISABLED=1 AddHP 3 3 fi # Sysctl option logtext "Test: Checking sysctl value of fs.suid_dumpable" FIND=`${SYSCTLBINARY} fs.suid_dumpable 2> /dev/null | awk '{ if ($1=="fs.suid_dumpable") { print $3 } }'` if [ "${FIND}" = "" ]; then logtext "Result: value ${FIND} found" else logtext "Result: sysctl key fs.suid_dumpable not found" fi if [ "${FIND}" = "2" ]; then logtext "Result: programs can dump core dump, but only readable by root (value 2, for debugging with file protection)" Display --indent 4 --text "- Checking setuid core dumps configuration" --result PROTECTED --color GREEN AddHP 1 1 elif [ "${FIND}" = "1" ]; then logtext "Result: all programs can perform core dumps (value 1, for debugging)" Display --indent 2 --text "- Checking setuid core dumps configuration" --result DEBUG --color YELLOW ReportSuggestion ${TEST_NO} "Determine if really all binaries need to be able to core dump" AddHP 0 1 else logtext "Result: found default option, some programs can dump (not processes which need to change credentials)" Display --indent 4 --text "- Checking setuid core dumps configuration" --result DEFAULT --color YELLOW AddHP 1 1 fi # Check ulimit settings and harden it # echo 'ulimit -S -c 0 > /dev/null 2>&1' >> /etc/profile else logtext "Result: file /etc/security/limits.conf does not exist, skipping test" fi fi # ################################################################################# # # Test : KRNL-5826 # Description : Checking core dumps configuration (Solaris) #Register --test-no KRNL-5826 --os Linux --weight L --network NO --description "Checking core dumps configuration" #if [ ${SKIPTEST} -eq 0 ]; then # ################################################################################# # # Test : KRNL-5830 # Description : Check if system needs a reboot (Linux only) Register --test-no KRNL-5830 --os Linux --weight L --network NO --description "Checking if running on the latest kernel" if [ ${SKIPTEST} -eq 0 ]; then REBOOT_NEEDED=2 FILE="/var/run/reboot-required.pkgs" logtext "Test: Checking presence ${FILE}" if [ -f ${FILE} ]; then logtext "Result: file ${FILE} exists" FIND=`cat ${FILE}` if [ "${FIND}" = "" ]; then logtext "Result: No reboot needed (file empty)" REBOOT_NEEDED=0 else PKGSCOUNT=`cat ${FILE} | wc -l` logtext "Result: reboot is needed, related to ${PKGSCOUNT} packages" for I in ${FIND}; do logtext "Package: ${I}" done REBOOT_NEEDED=1 fi else logtext "Result: file ${FILE} not found" fi # Check if /boot exists if [ -d /boot ]; then if [ -f /boot/vmlinuz ]; then logtext "Result: found /boot/vmlinuz" ReportException "${TEST_NO}:1" "Can't determine kernel version on disk, need debug data" elif [ -f /boot/vmlinuz-linux ]; then logtext "Result: /found /boot/vmlinuz-linux (usually Arch Linux or similar)" logtext "Test: checking kernel version on disk" VERSION_ON_DISK=`file -b /boot/vmlinuz-linux | awk '{ if ($1=="Linux" && $7=="version") { print $8 }}'` if [ ! "${VERSION_ON_DISK}" = "" ]; then logtext "Result: found version ${VERSION_ON_DISK}" ACTIVE_KERNEL=`uname -r` logtext "Result: active kernel version ${ACTIVE_KERNEL}" if [ "${VERSION_ON_DISK}" = "${ACTIVE_KERNEL}" ]; then REBOOT_NEEDED=0 logtext "Result: no reboot needed, active kernel is the same version as the one on disk" else REBOOT_NEEDED=1 logtext "Result: reboot needed, as there is a difference between active kernel and the one on disk" fi else logtext "Result: could not find the version on disk" ReportException "${TEST_NO}:4" "Could not find the kernel version from /boot/vmlinux-linux" fi else logtext "Result: /boot/vmlinuz not on disk, trying to find /boot/vmlinuz*" FIND=`ls /boot/vmlinuz* 2> /dev/null` if [ "${FIND}" = "" ]; then logtext "Result: No kernels (/boot/vmlinuz*) found on disk" ReportException "${TEST_NO}:2" "Can not find any vmlinuz files in /boot, which is unexpected" else MYKERNEL=`uname -r | sed 's/\.[a-z].*.//g' | sed 's/-[a-z].*.//g'` logtext "Result: using ${MYKERNEL} as my kernel version (stripped)" KERNELS=`ls /boot/vmlinuz* | sed 's/vmlinuz-//' | sed 's/\.[a-z].*.//g' | sed 's/-[a-z].*.//g' | sed 's./boot/..' | sort` FOUND_KERNEL=0 for I in ${KERNELS}; do if [ ${FOUND_KERNEL} -eq 1 ]; then logtext "Result: found a kernel (${I}) later than running one (${MYKERNEL})" REBOOT_NEEDED=1 fi if [ "${MYKERNEL}" = "${I}" ]; then FOUND_KERNEL=1 logtext "Result: Found ${I} (= our kernel)" else logtext "Result: Found ${I}" fi done # Check if we at least found the kernel on disk if [ ${FOUND_KERNEL} -eq 0 ]; then ReportException "${TEST_NO}:3" "Could not find our running kernel on disk, which is unexpected" else # If we are not sure yet reboot it needed, but we found running kernel as last one on disk, we run latest kernel if [ ${REBOOT_NEEDED} -eq 2 ]; then logtext "Result: we found our kernel on disk as last entry, so seems to be up-to-date" REBOOT_NEEDED=0 fi fi fi fi else logtext "Result: /boot does not exist" fi # Display discovered status if [ ${REBOOT_NEEDED} -eq 0 ]; then Display --indent 2 --text "- Check if reboot is needed" --result NO --color GREEN AddHP 5 5 elif [ ${REBOOT_NEEDED} -eq 1 ]; then Display --indent 2 --text "- Check if reboot is needed" --result YES --color RED ReportWarning ${TEST_NO} "H" "Reboot of system is most likely needed" AddHP 0 5 else Display --indent 2 --text "- Check if reboot is needed" --result UNKNOWN --color YELLOW fi fi # ################################################################################# # wait_for_keypress # #================================================================================ # Lynis - Copyright 2007-2014, Michael Boelen - http://cisofy.com - The Netherlands