mirror of https://github.com/CISOfy/lynis.git
215 lines
9.3 KiB
Bash
215 lines
9.3 KiB
Bash
#!/bin/sh
|
|
|
|
#################################################################################
|
|
#
|
|
# Lynis
|
|
# ------------------
|
|
#
|
|
# Copyright 2007-2013, Michael Boelen
|
|
# Copyright 2013-2016, CISOfy
|
|
#
|
|
# Website : https://cisofy.com
|
|
# Blog : http://linux-audit.com
|
|
# GitHub : https://github.com/CISOfy/lynis
|
|
#
|
|
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
|
# welcome to redistribute it under the terms of the GNU General Public License.
|
|
# See LICENSE file for usage of this software.
|
|
#
|
|
#################################################################################
|
|
#
|
|
# E-mail and messaging
|
|
#
|
|
#################################################################################
|
|
#
|
|
InsertSection "Software: e-mail and messaging"
|
|
#
|
|
#################################################################################
|
|
#
|
|
DOVECOT_RUNNING=0
|
|
EXIM_RUNNING=0
|
|
SMTP_DAEMON=""
|
|
POSTFIX_RUNNING=0
|
|
QMAIL_RUNNING=0
|
|
SENDMAIL_RUNNING=0
|
|
OPENSMTPD_RUNNING=0
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : MAIL-8802
|
|
# Description : Check Exim process status
|
|
Register --test-no MAIL-8802 --weight L --network NO --description "Check Exim status"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
LogText "Test: check Exim status"
|
|
IsRunning exim
|
|
if [ ${RUNNING} -eq 1 ]; then
|
|
LogText "Result: found running Exim process"
|
|
Display --indent 2 --text "- Checking Exim status" --result RUNNING --color GREEN
|
|
EXIM_RUNNING=1
|
|
SMTP_DAEMON="exim"
|
|
else
|
|
LogText "Result: no running Exim processes found"
|
|
Display --indent 2 --text "- Checking Exim status" --result "NOT FOUND" --color WHITE
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : MAIL-8814
|
|
# Description : Check Postfix process
|
|
# Notes : qmgr and pickup run under postfix uid, without full path to binary
|
|
Register --test-no MAIL-8814 --weight L --network NO --description "Check postfix process status"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
LogText "Test: check Postfix status"
|
|
# Some other processes also use master, therefore it should include both master and postfix
|
|
FIND1=`${PSBINARY} ax | grep "master" | grep "postfix" | grep -v "grep"`
|
|
#FIND2=`${PSBINARY} ax | grep "qmgr" | grep "postfix" | grep -v "grep"`
|
|
#FIND3=`${PSBINARY} ax | grep "pickup" | grep "postfix" | grep -v "grep"`
|
|
if [ ! "${FIND1}" = "" ]; then
|
|
LogText "Result: found running Postfix process"
|
|
Display --indent 2 --text "- Checking Postfix status" --result RUNNING --color GREEN
|
|
POSTFIX_RUNNING=1
|
|
SMTP_DAEMON="postfix"
|
|
else
|
|
LogText "Result: no running Postfix processes found"
|
|
Display --indent 2 --text "- Checking Postfix status" --result "NOT FOUND" --color WHITE
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : MAIL-8816
|
|
# Description : Check Postfix configuration
|
|
if [ ${POSTFIX_RUNNING} -eq 1 -a ! "${POSTFIXBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
Register --test-no MAIL-8816 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Postfix configuration"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
Display --indent 2 --text "- Checking Postfix configuration" --result FOUND --color GREEN
|
|
POSTFIX_CONFIGDIR=`${POSTCONFBINARY} 2> /dev/null | grep '^config_directory' | awk '{ print $3 }'`
|
|
POSTFIX_CONFIGFILE="${POSTFIX_CONFIGDIR}/main.cf"
|
|
LogText "Postfix configuration directory: ${POSTFIX_CONFIGDIR}"
|
|
LogText "Postfix configuration file: ${POSTFIX_CONFIGFILE}"
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : MAIL-8818
|
|
# Description : Check Postfix configuration
|
|
if [ ${POSTFIX_RUNNING} -eq 1 -a ! "${POSTFIXBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
Register --test-no MAIL-8818 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Postfix configuration: banner"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
LogText "Test: Checking Postfix banner"
|
|
FIND1=`${POSTCONFBINARY} 2> /dev/null | grep '^smtpd_banner' | grep 'postfix'`
|
|
FIND2=`${POSTCONFBINARY} 2> /dev/null | grep '^smtpd_banner' | grep '$mail_name'`
|
|
FIND3=`${POSTCONFBINARY} 2> /dev/null | grep '^mail_name' | grep -i 'postfix'`
|
|
#YYY Check if OS name shows up in banner
|
|
#FIND4=`${POSTCONFBINARY} 2> /dev/null | grep '^smtpd_banner' | egrep "${OS}|${LINUX_VERSION}`
|
|
SHOWWARNING=0
|
|
if [ ! "${FIND1}" = "" ]; then
|
|
SHOWWARNING=1
|
|
else
|
|
if [ ! "${FIND2}" = "" -a ! "${FIND3}" = "" ]; then
|
|
SHOWWARNING=1
|
|
else
|
|
Display --indent 4 --text "- Checking Postfix banner" --result OK --color GREEN
|
|
fi
|
|
fi
|
|
if [ ${SHOWWARNING} -eq 1 ]; then
|
|
Display --indent 4 --text "- Checking Postfix banner" --result WARNING --color RED
|
|
LogText "Result: found mail_name in SMTP banner, and/or mail_name contains 'Postfix'."
|
|
ReportWarning ${TEST_NO} "L" "Found mail_name in SMTP banner, and/or mail_name contains 'Postfix'"
|
|
ReportSuggestion ${TEST_NO} "You are advised to hide the mail_name (option: smtpd_banner) from your postfix configuration. Use postconf -e or change your main.cf file (${POSTFIX_CONFIGFILE})"
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : MAIL-8838
|
|
# Description : Check Dovecot process
|
|
Register --test-no MAIL-8838 --weight L --network NO --description "Check dovecot process"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
LogText "Test: check dovecot status"
|
|
IsRunning dovecot
|
|
if [ ${RUNNING} -eq 1 ]; then
|
|
LogText "Result: found running dovecot process"
|
|
Display --indent 2 --text "- Checking Dovecot status" --result RUNNING --color GREEN
|
|
DOVECOT_RUNNING=1
|
|
IMAP_DAEMON="dovecot"
|
|
POP3_DAEMON="dovecot"
|
|
else
|
|
LogText "Result: dovecot not found"
|
|
Display --indent 2 --text "- Checking Dovecot status" --result "NOT FOUND" --color WHITE
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : MAIL-8860
|
|
# Description : Check Qmail process status
|
|
Register --test-no MAIL-8860 --weight L --network NO --description "Check Qmail status"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
LogText "Test: check Qmail status"
|
|
IsRunning qmail-smtpd
|
|
if [ ${RUNNING} -eq 1 ]; then
|
|
LogText "Result: found running Qmail process"
|
|
Display --indent 2 --text "- Checking Qmail status" --result RUNNING --color GREEN
|
|
QMAIL_RUNNING=1
|
|
SMTP_DAEMON="qmail"
|
|
else
|
|
LogText "Result: no running Qmail processes found"
|
|
Display --indent 2 --text "- Checking Qmail status" --result "NOT FOUND" --color WHITE
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : MAIL-8880
|
|
# Description : Check Sendmail process status
|
|
Register --test-no MAIL-8880 --weight L --network NO --description "Check Sendmail status"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
LogText "Test: check sendmail status"
|
|
IsRunning sendmail
|
|
if [ ${RUNNING} -eq 1 ]; then
|
|
LogText "Result: found running Sendmail process"
|
|
Display --indent 2 --text "- Checking Sendmail status" --result RUNNING --color GREEN
|
|
SENDMAIL_RUNNING=1
|
|
SMTP_DAEMON="sendmail"
|
|
else
|
|
LogText "Result: no running Sendmail processes found"
|
|
Display --indent 2 --text "- Checking Sendmail status" --result "NOT FOUND" --color WHITE
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : MAIL-8920
|
|
# Description : Check OpenSMTPD process status
|
|
if [ ! "${SMTPCTLBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
Register --test-no MAIL-8920 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check OpenSMTPD status"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
LogText "Test: check smtpd status"
|
|
FIND=`${PSBINARY} ax | egrep "(/smtpd|smtpd: \[priv\]|smtpd: smtp)" | grep -v "grep"`
|
|
if [ ! "${FIND}" = "" ]; then
|
|
LogText "Result: found running smtpd process"
|
|
Display --indent 2 --text "- Checking OpenSMTPD status" --result RUNNING --color GREEN
|
|
OPENSMTPD_RUNNING=1
|
|
SMTP_DAEMON="opensmtpd"
|
|
else
|
|
LogText "Result: smtpd not found"
|
|
Display --indent 2 --text "- Checking OpenSMTPD status" --result "NOT FOUND" --color WHITE
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
|
|
Report "imap_daemon=${IMAP_DAEMON}"
|
|
Report "pop3_daemon=${POP3_DAEMON}"
|
|
Report "smtp_daemon=${SMTP_DAEMON}"
|
|
|
|
|
|
WaitForKeyPress
|
|
|
|
#
|
|
#================================================================================
|
|
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
|