#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2013-2016, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
InsertSection "Hardening"
# COMPILER_INSTALLED is initialised before
HARDEN_COMPILERS_NEEDED=0
#
#################################################################################
#
# Test : HRDN-7220
# Description : Check for installed compilers
# Notes : No suggestion for hardening compilers, as HRDN-7222 will take care of that
Register --test-no HRDN-7220 --weight L --network NO --category security --description "Check if one or more compilers are installed"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Check if one or more compilers can be found on the system"
if [ ${COMPILER_INSTALLED} -eq 0 ]; then
LogText "Result: no compilers found"
Display --indent 4 --text "- Installed compiler(s)" --result "${STATUS_NOT_FOUND}" --color GREEN
AddHP 3 3
else
LogText "Result: found installed compiler. See top of logfile which compilers have been found or use grep to filter on 'compiler'"
Display --indent 4 --text "- Installed compiler(s)" --result "${STATUS_FOUND}" --color RED
AddHP 1 3
fi
fi
#
#################################################################################
#
# Test : HRDN-7222
# Description : Check for permissions of installed compilers
Register --test-no HRDN-7222 --weight L --network NO --category security --description "Check compiler permissions"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Check if one or more compilers can be found on the system"
HARDEN_COMPILERS_NEEDED=0
if [ ${COMPILER_INSTALLED} -eq 0 ]; then
LogText "Result: no compilers found"
else
# as
if [ ! "${ASBINARY}" = "" ]; then
LogText "Test: Check file permissions for as (Assembler)"
if IsWorldExecutable ${ASBINARY}; then
LogText "Binary: found ${ASBINARY} (world executable)"
Report "compiler[]=${ASBINARY}"
AddHP 2 3
HARDEN_COMPILERS_NEEDED=1
else
AddHP 3 3
fi
fi
# gcc
if [ ! "${GCCBINARY}" = "" ]; then
LogText "Test: Check file permissions for GCC compiler"
if IsWorldExecutable ${GCCBINARY}; then
LogText "Binary: found ${GCCBINARY} (world executable)"
Report "compiler[]=${GCCBINARY}"
AddHP 2 3
HARDEN_COMPILERS_NEEDED=1
else
AddHP 3 3
fi
fi
# Report suggestion is one or more compilers can be better hardened
if [ ${HARDEN_COMPILERS_NEEDED} -eq 1 ]; then
LogText "Result: at least one compiler could be better hardened by restricting executable access to root or group only"
ReportSuggestion ${TEST_NO} "Harden compilers like restricting access to root user only"
fi
#YYY check if compilers have a specific group (like compiler, or NOT root/wheel)
# Display --indent 4 --text "- Installed compiler(s)" --result "${STATUS_FOUND}" --color RED
# /usr/bin/*cc*
# /usr/bin/*++*
# /usr/bin/ld
# (and 700 or 750 permissions)
fi
fi
#
#################################################################################
#
# Test : HRDN-7230
# Description : Check for installed malware scanners
Register --test-no HRDN-7230 --weight L --network NO --category security --description "Check for malware scanner"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Check if a malware scanner is installed"
if [ ${MALWARE_SCANNER_INSTALLED} -eq 1 ]; then
LogText "Result: found at least one malware scanner"
Display --indent 4 --text "- Installed malware scanner" --result "${STATUS_FOUND}" --color GREEN
AddHP 3 3
else
LogText "Result: no malware scanner found"
Display --indent 4 --text "- Installed malware scanner" --result "${STATUS_NOT_FOUND}" --color RED
ReportSuggestion ${TEST_NO} "Harden the system by installing at least one malware scanner, to perform periodic file system scans" "-" "Install a tool like rkhunter, chkrootkit, OSSEC"
AddHP 1 3
fi
fi
#
#################################################################################
#
# LogText "--------------------------------------------------------------------"
# LogText "| System part | Preferred value | Actual value | Points |"
# LogText "| [!] Compiler installed | 0 | [${COMPILER_INSTALLED}] | x |"
# LogText "| [V] Malware scanner installed | 1 | [x] | x |"
# LogText "| [V] Packet filter enabled | 1 | [x] | x |"
# LogText "--------------------------------------------------------------------"
# LogText "| [!]: Hardening possible, [V]: Hardening performed, [ ]: Unknown "
# LogText "--------------------------------------------------------------------"
#
#################################################################################
#
Report "compiler_installed=${COMPILER_INSTALLED}"
WaitForKeyPress
#
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com