lynis/include/tests_mac_frameworks

288 lines
15 KiB
Bash

#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
APPARMORFOUND=0 # Set default for test MACF-6208
MAC_FRAMEWORK_ACTIVE=0 # Default no MAC framework active
RBAC_FRAMEWORK_ACTIVE=0 # Default no RBAC framework active
SELINUXFOUND=0
TOMOYOFOUND=0
InsertSection "${SECTION_SECURITY_FRAMEWORKS}"
#
#################################################################################
#
# Test : MACF-6204
# Description : Check if AppArmor is installed
Register --test-no MACF-6204 --weight L --network NO --category security --description "Check AppArmor presence"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -z "${AASTATUSBINARY}" ]; then
APPARMORFOUND=0
LogText "Result: aa-status binary not found, AppArmor not installed"
Display --indent 2 --text "- Checking presence AppArmor" --result "${STATUS_NOT_FOUND}" --color WHITE
else
APPARMORFOUND=1
LogText "Result: aa-status binary found, AppArmor is installed"
Display --indent 2 --text "- Checking presence AppArmor" --result "${STATUS_FOUND}" --color GREEN
fi
fi
#
#################################################################################
#
# Test : MACF-6208
# Description : Check AppArmor active status
if [ ${APPARMORFOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no MACF-6208 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check if AppArmor is enabled"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -n "${AASTATUSBINARY}" ]; then
CAN_READ_FILE=0
FILE="/sys/kernel/security/apparmor/profiles"
if [ -f ${FILE} ]; then
FIND=$(${CAT_BINARY} ${FILE} 2> /dev/null)
if [ $? -eq 0 ]; then CAN_READ_FILE=1; fi
else
LogText "File ${FILE} does not exist"
fi
if [ ${CAN_READ_FILE} -eq 1 ]; then
LogText "Result: file ${FILE} is available and readable"
# Checking AppArmor status
# 0 if apparmor is enabled and policy is loaded.
# 1 if apparmor is not enabled/loaded.
# 2 if apparmor is enabled but no policy is loaded.
# 3 if control files are not available
# 4 if apparmor status can't be read
FIND=$(${AASTATUSBINARY} 2>&1 > /dev/null)
if [ $? -eq 0 ]; then
MAC_FRAMEWORK_ACTIVE=1
LogText "Result: AppArmor is enabled and a policy is loaded"
Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_ENABLED}" --color GREEN
Report "apparmor_enabled=1"
Report "apparmor_policy_loaded=1"
AddHP 3 3
# ignore kernel threads (Parent PID = 2 [kthreadd])
NUNCONFINED=$(${PSBINARY} -N --ppid 2 -o label | ${GREPBINARY} '^unconfined' | ${WCBINARY} -l)
Display --indent 8 --text "Found ${NUNCONFINED} unconfined processes"
for PROCESS in $(${PSBINARY} -N --ppid 2 -o label:1,pid,comm | ${GREPBINARY} '^unconfined' | ${TRBINARY} ' ' ':'); do
LogText "Result: Unconfined process: ${PROCESS}"
done
elif [ $? -eq 4 ]; then
LogText "Result: Can not determine status, most likely due to lacking permissions"
Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_UNKNOWN}" --color RED
elif [ $? -eq 3 ]; then
LogText "Result: Can not check control files"
Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_UNKNOWN}" --color RED
elif [ $? -eq 2 ]; then
LogText "Result: AppArmor is enabled, but no policy is loaded"
ReportSuggestion "${TEST_NO}" "Load AppArmor policies"
Display --indent 4 --text "- Checking AppArmor status" --result "NON-ACTIVE" --color GREEN
Report "apparmor_enabled=1"
Report "apparmor_policy_loaded=0"
AddHP 0 3
elif [ $? -eq 1 ]; then
LogText "Result: AppArmor is disabled"
Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_DISABLED}" --color YELLOW
Report "apparmor_enabled=0"
AddHP 0 3
else
Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_UNKNOWN}" --color RED
ReportException "${TEST_NO}:1" "Invalid or unknown AppArmor status detected"
fi
else
LogText "Result: could not find or read ${FILE}"
Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_UNKNOWN}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Check output of aa-status" "${FILE}" "text:Run aa-status"
fi
else
LogText "Result: no aa-status binary available"
fi
fi
#
#################################################################################
#
# Test : MACF-6232
# Description : Check SELINUX for installation
Register --test-no MACF-6232 --weight L --network NO --category security --description "Check SELINUX presence"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking if we have sestatus binary"
if [ -n "${SESTATUSBINARY}" ]; then
LogText "Result: found sestatus binary (${SESTATUSBINARY})"
Display --indent 2 --text "- Checking presence SELinux" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: sestatus binary NOT found"
Display --indent 2 --text "- Checking presence SELinux" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
#################################################################################
#
# Test : MACF-6234
# Description : Check SELINUX status
if HasData "${SESTATUSBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no MACF-6234 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SELINUX status"
if [ ${SKIPTEST} -eq 0 ]; then
# Status: Enabled/Disabled
FIND=$(${SESTATUSBINARY} | ${GREPBINARY} "^SELinux status" | ${AWKBINARY} '{ print $3 }')
if [ "${FIND}" = "enabled" ]; then
MAC_FRAMEWORK_ACTIVE=1
LogText "Result: SELinux framework is enabled"
Report "selinux_status=1"
SELINUXFOUND=1
Display --indent 4 --text "- Checking SELinux status" --result "${STATUS_ENABLED}" --color GREEN
FIND=$(${SESTATUSBINARY} | ${GREPBINARY} "^Current mode" | ${AWKBINARY} '{ print $3 }')
Report "selinux_mode=${FIND}"
FIND2=$(${SESTATUSBINARY} | ${GREPBINARY} "^Mode from config file" | ${AWKBINARY} '{ print $5 }')
LogText "Result: current SELinux mode is ${FIND}"
LogText "Result: mode configured in config file is ${FIND2}"
if [ "${FIND}" = "${FIND2}" ]; then
LogText "Result: Current SELinux mode is the same as in config file."
Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_OK}" --color GREEN
else
LogText "Result: Current SELinux mode (${FIND}) is NOT the same as in config file (${FIND2})."
ReportWarning "${TEST_NO}" "Current SELinux mode is different from config file (current: ${FIND}, config file: ${FIND2})"
Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_WARNING}" --color RED
fi
Display --indent 8 --text "Current SELinux mode: ${FIND}"
if [ -n "${SEMANAGEBINARY}" ]; then
PERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${TRBINARY} '\n' ' ')
NPERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${WCBINARY} -l)
Display --indent 8 --text "Found ${NPERMISSIVE} permissive SELinux object types"
LogText "Permissive SELinux object types: ${PERMISSIVE}"
else
LogText "Result: semanage binary NOT found, can't analyse permissive domains"
fi
UNCONFINED=$(${PSBINARY} -eo label,pid,command | ${GREPBINARY} '[u]nconfined_t' | ${TRBINARY} '\n' ' ')
INITRC=$(${PSBINARY} -eo label,pid,command | ${GREPBINARY} '[i]nitrc_t' | ${TRBINARY} '\n' ' ')
NUNCONFINED=$(${PSBINARY} -eo label | ${GREPBINARY} '[u]nconfined_t' | ${WCBINARY} -l)
NINITRC=$(${PSBINARY} -eo label | ${GREPBINARY} '[i]nitrc_t' | ${WCBINARY} -l)
Display --indent 8 --text "Found ${NUNCONFINED} unconfined and ${NINITRC} initrc_t processes"
LogText "Unconfined processes: ${UNCONFINED}"
LogText "Processes with initrc_t type: ${INITRC}"
else
LogText "Result: SELinux framework is disabled"
Display --indent 4 --text "- Checking SELinux status" --result "${STATUS_DISABLED}" --color YELLOW
fi
fi
#
#################################################################################
#
# Test : MACF-6240
# Description : Check if the tomoyo-init binary is available on the system
Register --test-no MACF-6240 --weight L --network NO --category security --description "Check TOMOYO Linux presence"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking if we have tomoyo-init binary"
if [ -z "${TOMOYOINITBINARY}" ]; then
TOMOYOFOUND=0
LogText "Result: tomoyo-init binary not found"
Display --indent 2 --text "- Checking presence TOMOYO Linux" --result "${STATUS_NOT_FOUND}" --color WHITE
else
TOMOYOFOUND=1
LogText "Result: tomoyo-init binary found"
Display --indent 2 --text "- Checking presence TOMOYO Linux" --result "${STATUS_FOUND}" --color GREEN
fi
fi
#
#################################################################################
#
# Test : MACF-6242
# Description : Check TOMOYO Linux status
if [ ${TOMOYOFOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no MACF-6242 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check TOMOYO Linux status"
if [ ${SKIPTEST} -eq 0 ]; then
FILE="/sys/kernel/security/tomoyo/stat"
if [ -f ${FILE} ]; then
MAC_FRAMEWORK_ACTIVE=1
LogText "Result: TOMOYO Linux is enabled"
Display --indent 4 --text "- Checking TOMOYO Linux status" --result "${STATUS_ENABLED}" --color GREEN
Report "tomoyo_enabled=1"
if [ ! -z ${TOMOYOPSTREEBINARY} ]; then
NUNCONFINED=$(${TOMOYOPSTREEBINARY} | ${GREPBINARY} -v '^ 3 ' | ${WCBINARY} -l)
Display --indent 8 --text "Found ${NUNCONFINED} unconfined (not profile 3) processes"
for PROCESS in $(${TOMOYOPSTREEBINARY} | ${GREPBINARY} -v '^ 3 ' | ${SEDBINARY} -e 's/+-//g' -e 's/^ *//g' -e 's/ \+/:/g' | ${SORTBINARY}); do
LogText "Result: Unconfined process: ${PROCESS}"
done
fi
AddHP 3 3
else
LogText "Result: TOMOYO Linux is disabled"
Display --indent 4 --text "- Checking TOMOYO Linux status" --result "${STATUS_DISABLED}" --color YELLOW
Report "tomoyo_enabled=0"
AddHP 0 3
fi
fi
#
#################################################################################
#
# Test : RBAC-6272
# Description : Check if grsecurity is installed
# Notes : We already checked grsecurity in osdetection
Register --test-no RBAC-6272 --weight L --network NO --category security --description "Check grsecurity presence"
if [ ${SKIPTEST} -eq 0 ]; then
# Check Linux kernel configuration
if [ -n "${LINUXCONFIGFILE}" -a -f "${LINUXCONFIGFILE}" ]; then
FIND=$(${GREPBINARY} ^CONFIG_GRKERNSEC=y ${LINUXCONFIGFILE})
if [ ! "${FIND}" = "" ]; then
LogText "Result: grsecurity available (in kernel config)"
GRSEC_FOUND=1
else
LogText "Result: no grsecurity found in kernel config"
fi
fi
if [ ${GRSEC_FOUND} -eq 1 ]; then
Display --indent 2 --text "- Checking presence grsecurity" --result "${STATUS_FOUND}" --color GREEN
AddHP 3 3
else
Display --indent 2 --text "- Checking presence grsecurity" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
if HasData "${GRADMBINARY}"; then
FIND=$(${GRADMBINARY} --status 2>/dev/null)
if [ "${FIND}" = "The RBAC system is currently enabled." ]; then
MAC_FRAMEWORK_ACTIVE=1
fi
fi
fi
#
#################################################################################
#
# Test : MACF-6290
# Description : Check if at least one MAC framework is implemented
Register --test-no MACF-6290 --weight L --network NO --category security --description "Check for implemented MAC framework"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ${MAC_FRAMEWORK_ACTIVE} -eq 1 ]; then
Display --indent 2 --text "- Checking for implemented MAC framework" --result "${STATUS_OK}" --color GREEN
AddHP 3 3
LogText "Result: found implemented MAC framework"
else
Display --indent 2 --text "- Checking for implemented MAC framework" --result "${STATUS_NONE}" --color YELLOW
AddHP 2 3
LogText "Result: found no implemented MAC framework"
fi
fi
#
#################################################################################
#
Report "framework_grsecurity=${GRSEC_FOUND}"
Report "framework_selinux=${SELINUXFOUND}"
WaitForKeyPress
#
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com