mirror of https://github.com/CISOfy/lynis.git
287 lines
13 KiB
Bash
287 lines
13 KiB
Bash
#!/bin/sh
|
|
|
|
#################################################################################
|
|
#
|
|
# Lynis
|
|
# ------------------
|
|
#
|
|
# Copyright 2007-2013, Michael Boelen
|
|
# Copyright 2007-2019, CISOfy
|
|
#
|
|
# Website : https://cisofy.com
|
|
# Blog : http://linux-audit.com
|
|
# GitHub : https://github.com/CISOfy/lynis
|
|
#
|
|
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
|
# welcome to redistribute it under the terms of the GNU General Public License.
|
|
# See LICENSE file for usage of this software.
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Shells
|
|
#
|
|
#################################################################################
|
|
#
|
|
IDLE_TIMEOUT=0
|
|
InsertSection "Shells"
|
|
#
|
|
#################################################################################
|
|
#
|
|
# bash
|
|
# Files (interactive login shells): /etc/profile $HOME/.bash_profile
|
|
# $HOME/.bash_login $HOME/.profile
|
|
# Files (interactive non-login shells): $HOME/.bash_rc
|
|
|
|
# csh/tcsh
|
|
# Files: /etc/csh.cshrc /etc/csh.login
|
|
# zsh
|
|
# Files: /etc/zshenv /etc/zsh/zshenv $HOME/.zshenv /etc/zprofile
|
|
# /etc/zsh/zprofile $HOME/.zprofile /etc/zshrc /etc/zsh/zshrc
|
|
# $ZDOTDIR/.zshrc /etc/zlogin /etc/zsh/zlogin
|
|
|
|
SHELL_LOGIN_FILES="${ROOTDIR}etc/csh.cshrc ${ROOTDIR}etc/csh.login ${ROOTDIR}etc/zshenv ${ROOTDIR}etc/zsh/zshenv
|
|
${ROOTDIR}etc/zprofile ${ROOTDIR}etc/zsh/zprofile ${ROOTDIR}etc/zshrc ${ROOTDIR}etc/zsh/zshrc
|
|
${ROOTDIR}etc/zlogin ${ROOTDIR}etc/zsh/zlogin"
|
|
#
|
|
#################################################################################
|
|
#
|
|
|
|
# Test : SHLL-6202
|
|
# Description : check all console TTYs in which root user can enter single user mode without password
|
|
Register --test-no SHLL-6202 --os FreeBSD --weight L --network NO --category security --description "Check console TTYs"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
LogText "Test: Checking console TTYs"
|
|
FIND=$(${EGREPBINARY} '^console' ${ROOTDIR}etc/ttys | ${GREPBINARY} -v 'insecure')
|
|
if [ -z "${FIND}" ]; then
|
|
Display --indent 2 --text "- Checking console TTYs" --result "${STATUS_OK}" --color GREEN
|
|
LogText "Result: console is secured against single user mode without password."
|
|
else
|
|
Display --indent 2 --text "- Checking console TTYs" --result "${STATUS_WARNING}" --color RED
|
|
LogText "Result: Found insecure console in ${ROOTDIR}etc/ttys. Single user mode login without password allowed!"
|
|
LogText "Output ${ROOTDIR}etc/ttys:"
|
|
LogText "${FIND}"
|
|
ReportWarning ${TEST_NO} "Found unprotected console in ${ROOTDIR}etc/ttys"
|
|
LogText "Possible solution: Change the console line from 'secure' to 'insecure'."
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : SHLL-6211
|
|
# Description : which shells are available according /etc/shells
|
|
Register --test-no SHLL-6211 --weight L --network NO --category security --description "Checking available and valid shells"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
LogText "Test: Searching for ${ROOTDIR}etc/shells"
|
|
if [ -f ${ROOTDIR}etc/shells ]; then
|
|
LogText "Result: Found ${ROOTDIR}etc/shells file"
|
|
LogText "Test: Reading available shells from ${ROOTDIR}etc/shells"
|
|
SSHELLS=$(${GREPBINARY} "^/" ${ROOTDIR}etc/shells)
|
|
CSSHELLS=0; CSSHELLS_ALL=0
|
|
Display --indent 2 --text "- Checking shells from ${ROOTDIR}etc/shells"
|
|
for I in ${SSHELLS}; do
|
|
CSSHELLS_ALL=$((CSSHELLS_ALL + 1))
|
|
Report "available_shell[]=${I}"
|
|
# TODO add check for symlinked shells
|
|
if [ -f ${I} ]; then
|
|
LogText "Found installed shell: ${I}"
|
|
CSSHELLS=$((CSSHELLS + 1))
|
|
else
|
|
LogText "Shell ${I} not installed. Probably a dummy or non existing shell."
|
|
fi
|
|
done
|
|
Display --indent 4 --text "Result: found ${CSSHELLS_ALL} shells (valid shells: ${CSSHELLS})."
|
|
else
|
|
LogText "Result: ${ROOTDIR}etc/shells not found, skipping test"
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : SHLL-6220
|
|
# Description : check for idle session killing tools or settings
|
|
Register --test-no SHLL-6220 --weight L --network NO --category security --description "Checking available and valid shells"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
|
|
IDLE_TIMEOUT_METHOD=""
|
|
IDLE_TIMEOUT_READONLY=""
|
|
|
|
LogText "Test: Search for session timeout tools or settings in shell"
|
|
IsRunning timeoutd
|
|
if [ ${RUNNING} -eq 1 ]; then
|
|
IDLE_TIMEOUT=1
|
|
LogText "Result: found timeoutd process to kill idle sesions"
|
|
IDLE_TIMEOUT_METHOD="timeout-daemon"
|
|
fi
|
|
IsRunning autolog
|
|
if [ ${RUNNING} -eq 1 ]; then
|
|
IDLE_TIMEOUT=1
|
|
LogText "Result: found autolog process to kill idle sesions"
|
|
Report="session_timeout_method[]=autolog"
|
|
IDLE_TIMEOUT_METHOD="autolog"
|
|
fi
|
|
|
|
if [ -f ${ROOTDIR}etc/profile ]; then
|
|
# Determine if we can find a TMOUT value
|
|
FIND=$(${GREPBINARY} 'TMOUT=' ${ROOTDIR}etc/profile | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }')
|
|
# Determine if the value is exported (with export, readonly, or typeset)
|
|
FIND2=$(${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' ${ROOTDIR}etc/profile | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }')
|
|
if [ ! -z "${FIND}" ]; then
|
|
N=0; IDLE_TIMEOUT=1
|
|
for I in ${FIND}; do
|
|
LogText "Output: ${I}"
|
|
Report "session_timeout_value[]=${I}"
|
|
N=$((N + 1))
|
|
done
|
|
if [ ${N} -eq 1 ]; then
|
|
LogText "Result: found TMOUT value configured in ${ROOTDIR}etc/profile"
|
|
else
|
|
LogText "Result: found several TMOUT values configured in ${ROOTDIR}etc/profile"
|
|
fi
|
|
IDLE_TIMEOUT_METHOD="profile"
|
|
else
|
|
LogText "Result: could not find TMOUT setting in ${ROOTDIR}etc/profile"
|
|
fi
|
|
|
|
if [ ! -z "${FIND2}" ]; then
|
|
N=0;
|
|
for I in ${FIND2}; do
|
|
LogText "Output: ${I}"
|
|
if [ "${I}" = "readonly" -o "${I}" = "typeset" ]; then
|
|
N=$((N + 1))
|
|
fi
|
|
done
|
|
if [ ${N} -gt 0 ]; then
|
|
LogText "Result: found readonly setting in ${ROOTDIR}etc/profile (readonly or typeset -r)"
|
|
IDLE_TIMEOUT_READONLY=1
|
|
else
|
|
LogText "Result: NO readonly setting found in ${ROOTDIR}etc/profile (readonly or typeset -r)"
|
|
IDLE_TIMEOUT_READONLY=0
|
|
fi
|
|
else
|
|
LogText "Result: could not find export, readonly or typeset -r in ${ROOTDIR}etc/profile"
|
|
fi
|
|
else
|
|
LogText "Result: skip ${ROOTDIR}etc/profile test, file not available on this system"
|
|
fi
|
|
|
|
if [ -d ${ROOTDIR}etc/profile.d ]; then
|
|
FIND=$(${LSBINARY} ${ROOTDIR}etc/profile.d/*.sh 2> /dev/null)
|
|
if [ ! -z "${FIND}" ]; then
|
|
# Determine if we can find a TMOUT value
|
|
FIND=$(${FINDBINARY} ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec cat {} \; 2> /dev/null | ${GREPBINARY} 'TMOUT=' | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }')
|
|
# Determine if the value is exported (with export, readonly, or typeset)
|
|
FIND2=$(${FINDBINARY} ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec cat {} \; 2> /dev/null | ${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }')
|
|
if [ ! -z "${FIND}" ]; then
|
|
N=0; IDLE_TIMEOUT=1
|
|
for I in ${FIND}; do
|
|
LogText "Output: ${I}"
|
|
Report "session_timeout_value[]=${I}"
|
|
N=$((N + 1))
|
|
done
|
|
if [ ${N} -eq 1 ]; then
|
|
LogText "Result: found TMOUT value configured in one of the files in ${ROOTDIR}etc/profile.d directory"
|
|
else
|
|
LogText "Result: found several TMOUT values configured in one of the files in ${ROOTDIR}etc/profile.d directory"
|
|
fi
|
|
IDLE_TIMEOUT_METHOD="profile.d"
|
|
else
|
|
LogText "Result: could not find TMOUT setting in ${ROOTDIR}etc/profile.d/*.sh"
|
|
fi
|
|
# Check for readonly
|
|
if [ ! -z "${FIND2}" ]; then
|
|
N=0;
|
|
for I in ${FIND2}; do
|
|
LogText "Output: ${I}"
|
|
if [ "${I}" = "readonly" -o "${I}" = "typeset" ]; then
|
|
N=$((N + 1))
|
|
fi
|
|
done
|
|
if [ ${N} -gt 0 ]; then
|
|
LogText "Result: found readonly setting in ${ROOTDIR}etc/profile (readonly or typeset -r)"
|
|
IDLE_TIMEOUT_READONLY=1
|
|
else
|
|
LogText "Result: NO readonly setting found in ${ROOTDIR}etc/profile (readonly or typeset -r)"
|
|
IDLE_TIMEOUT_READONLY=0
|
|
fi
|
|
else
|
|
LogText "Result: could not find export, readonly or typeset -r in ${ROOTDIR}etc/profile"
|
|
fi
|
|
fi
|
|
else
|
|
LogText "Result: skip ${ROOTDIR}etc/profile.d directory test, directory not available on this system"
|
|
fi
|
|
|
|
if [ ! -z "${IDLE_TIMEOUT_METHOD}" ]; then
|
|
Report "session_timeout_method[]=${IDLE_TIMEOUT_METHOD}"
|
|
fi
|
|
if [ ! -z "${IDLE_TIMEOUT_READONLY}" ]; then
|
|
Report "session_timeout_set_readonly=${IDLE_TIMEOUT_READONLY}"
|
|
fi
|
|
|
|
if [ ${IDLE_TIMEOUT} -eq 1 ]; then
|
|
Display --indent 4 --text "- Session timeout settings/tools" --result "${STATUS_FOUND}" --color GREEN
|
|
AddHP 3 3
|
|
else
|
|
Display --indent 4 --text "- Session timeout settings/tools" --result "${STATUS_NONE}" --color YELLOW
|
|
AddHP 1 3
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : SHLL-6230
|
|
# Description : Check for umask values in shell configurations
|
|
SHELL_CONFIG_FILES="${ROOTDIR}etc/bashrc ${ROOTDIR}etc/bash.bashrc ${ROOTDIR}etc/bash.bashrc.local ${ROOTDIR}etc/csh.cshrc ${ROOTDIR}etc/profile"
|
|
Register --test-no SHLL-6230 --weight H --network NO --category security --description "Perform umask check for shell configurations"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
FOUND=0
|
|
Display --indent 2 --text "- Checking default umask values"
|
|
for FILE in ${SHELL_CONFIG_FILES}; do
|
|
HARDENING_POSSIBLE=0
|
|
FIND=""
|
|
if [ -f ${FILE} ]; then
|
|
LogText "Result: file ${FILE} exists"
|
|
FOUND=1
|
|
FIND=$(${GREPBINARY} umask ${FILE} | ${SEDBINARY} 's/^[ \t]*//g' | ${SEDBINARY} 's/#.*$//' | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ print $2 }')
|
|
if IsEmpty "${FIND}"; then
|
|
LogText "Result: did not find umask configured in ${FILE}"
|
|
Display --indent 4 --text "- Checking default umask in ${FILE}" --result "${STATUS_NONE}" --color YELLOW
|
|
else
|
|
for UMASKVALUE in ${FIND}; do
|
|
LogText "Result: found umask ${UMASKVALUE} in ${FILE}"
|
|
case ${UMASKVALUE} in
|
|
027|0027|077|0077)
|
|
LogText "Result: umask ${UMASKVALUE} is considered a properly hardened value"
|
|
;;
|
|
*)
|
|
LogText "Result: umask ${UMASKVALUE} can be hardened "
|
|
HARDENING_POSSIBLE=1
|
|
;;
|
|
esac
|
|
done
|
|
if [ ${HARDENING_POSSIBLE} -eq 0 ]; then
|
|
Display --indent 4 --text "- Checking default umask in ${FILE}" --result "${STATUS_OK}" --color GREEN
|
|
AddHP 3 3
|
|
else
|
|
Display --indent 4 --text "- Checking default umask in ${FILE}" --result "${STATUS_WEAK}" --color YELLOW
|
|
AddHP 1 3
|
|
fi
|
|
fi
|
|
else
|
|
LogText "Result: file ${FILE} not found"
|
|
fi
|
|
done
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
|
|
Report "session_timeout_enabled=${IDLE_TIMEOUT}"
|
|
|
|
|
|
WaitForKeyPress
|
|
|
|
#
|
|
#================================================================================
|
|
# Lynis - Copyright 2007-2019, CISOfy - http://cisofy.com
|