mirror of https://github.com/CISOfy/lynis.git
149 lines
7.0 KiB
Bash
149 lines
7.0 KiB
Bash
#!/bin/sh
|
|
|
|
#################################################################################
|
|
#
|
|
# Lynis
|
|
# ------------------
|
|
#
|
|
# Copyright 2007-2013, Michael Boelen
|
|
# Copyright 2007-2021, CISOfy
|
|
#
|
|
# Website : https://cisofy.com
|
|
# Blog : http://linux-audit.com
|
|
# GitHub : https://github.com/CISOfy/lynis
|
|
#
|
|
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
|
# welcome to redistribute it under the terms of the GNU General Public License.
|
|
# See LICENSE file for usage of this software.
|
|
#
|
|
#################################################################################
|
|
#
|
|
InsertSection "${SECTION_HARDENING}"
|
|
|
|
# COMPILER_INSTALLED is initialized before
|
|
HARDEN_COMPILERS_NEEDED=0
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : HRDN-7220
|
|
# Description : Check for installed compilers
|
|
# Notes : No suggestion for hardening compilers, as HRDN-7222 will take care of that
|
|
Register --test-no HRDN-7220 --weight L --network NO --category security --description "Check if one or more compilers are installed"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
LogText "Test: Check if one or more compilers can be found on the system"
|
|
if [ ${COMPILER_INSTALLED} -eq 0 ]; then
|
|
LogText "Result: no compilers found"
|
|
Display --indent 4 --text "- Installed compiler(s)" --result "${STATUS_NOT_FOUND}" --color GREEN
|
|
AddHP 3 3
|
|
else
|
|
LogText "Result: found installed compiler. See top of logfile which compilers have been found or use ${GREPBINARY} to filter on 'compiler'"
|
|
Display --indent 4 --text "- Installed compiler(s)" --result "${STATUS_FOUND}" --color RED
|
|
AddHP 1 3
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : HRDN-7222
|
|
# Description : Check for permissions of installed compilers
|
|
Register --test-no HRDN-7222 --weight L --network NO --category security --description "Check compiler permissions"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
LogText "Test: Check if one or more compilers can be found on the system"
|
|
HARDEN_COMPILERS_NEEDED=0
|
|
if [ ${COMPILER_INSTALLED} -eq 0 ]; then
|
|
LogText "Result: no compilers found"
|
|
else
|
|
# TODO - c89 c99 cpp ld
|
|
TEST_BINARIES="${ASBINARY} ${CCBINARY} ${CLANGBINARY} ${GCCBINARY}"
|
|
for ITEM in ${TEST_BINARIES}; do
|
|
FILE="${ITEM}"
|
|
LogText "Test: Check file permissions for ${ITEM}"
|
|
ShowSymlinkPath ${ITEM}
|
|
if [ -n "${SYMLINK}" ]; then
|
|
FILE="${SYMLINK}"
|
|
fi
|
|
|
|
if IsWorldExecutable ${FILE}; then
|
|
LogText "Binary: found ${FILE} (world executable)"
|
|
Report "compiler_world_executable[]=${FILE}"
|
|
AddHP 2 3
|
|
HARDEN_COMPILERS_NEEDED=1
|
|
else
|
|
AddHP 3 3
|
|
fi
|
|
done
|
|
|
|
# Report suggestion is one or more compilers can be better hardened
|
|
if [ ${HARDEN_COMPILERS_NEEDED} -eq 1 ]; then
|
|
LogText "Result: at least one compiler could be better hardened by restricting executable access to root or group only"
|
|
ReportSuggestion "${TEST_NO}" "Harden compilers like restricting access to root user only"
|
|
fi
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : HRDN-7230
|
|
# Description : Check for installed malware scanners
|
|
Register --test-no HRDN-7230 --weight L --network NO --category security --description "Check for malware scanner"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
LogText "Test: Check if a malware scanner is installed"
|
|
if [ ${MALWARE_SCANNER_INSTALLED} -eq 1 ]; then
|
|
LogText "Result: found at least one malware scanner"
|
|
Display --indent 4 --text "- Installed malware scanner" --result "${STATUS_FOUND}" --color GREEN
|
|
AddHP 3 3
|
|
else
|
|
LogText "Result: no malware scanner found"
|
|
if [ "${MACHINE_ROLE}" = "personal" ]; then
|
|
Display --indent 4 --text "- Installed malware scanner" --result "${STATUS_NOT_FOUND}" --color YELLOW
|
|
else
|
|
Display --indent 4 --text "- Installed malware scanner" --result "${STATUS_NOT_FOUND}" --color RED
|
|
fi
|
|
ReportSuggestion "${TEST_NO}" "Harden the system by installing at least one malware scanner, to perform periodic file system scans" "-" "Install a tool like rkhunter, chkrootkit, OSSEC, Wazuh"
|
|
AddHP 1 3
|
|
LogText "Result: no malware scanner found"
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : HRDN-7231
|
|
# Description : Check for registered non-native binary formats
|
|
Register --test-no HRDN-7231 --os Linux --weight L --network NO --category security --description "Check for registered non-native binary formats"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
LogText "Test: Check for registered non-native binary formats"
|
|
NFORMATS=0
|
|
if [ -d /proc/sys/fs/binfmt_misc ]; then
|
|
NFORMATS=$(${FINDBINARY} /proc/sys/fs/binfmt_misc -type f -not -name register -not -name status | ${WCBINARY} -l)
|
|
fi
|
|
if [ ${NFORMATS} -eq 0 ]; then
|
|
LogText "Result: no non-native binary formats found"
|
|
Display --indent 4 --text "- Non-native binary formats" --result "${STATUS_NOT_FOUND}" --color GREEN
|
|
else
|
|
FORMATS=$(${FINDBINARY} /proc/sys/fs/binfmt_misc -type f -not -name register -not -name status -printf '%f ')
|
|
LogText "Result: found ${NFORMATS} non-native binary formats registered: ${FORMATS}"
|
|
Display --indent 4 --text "- Non-native binary formats" --result "${STATUS_FOUND}" --color RED
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# LogText "--------------------------------------------------------------------"
|
|
# LogText "| System part | Preferred value | Actual value | Points |"
|
|
# LogText "| [!] Compiler installed | 0 | [${COMPILER_INSTALLED}] | x |"
|
|
# LogText "| [V] Malware scanner installed | 1 | [x] | x |"
|
|
# LogText "| [V] Packet filter enabled | 1 | [x] | x |"
|
|
# LogText "--------------------------------------------------------------------"
|
|
# LogText "| [!]: Hardening possible, [V]: Hardening performed, [ ]: Unknown "
|
|
# LogText "--------------------------------------------------------------------"
|
|
#
|
|
#################################################################################
|
|
#
|
|
|
|
Report "compiler_installed=${COMPILER_INSTALLED}"
|
|
WaitForKeyPress
|
|
|
|
#
|
|
#================================================================================
|
|
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
|