mirror of https://github.com/CISOfy/lynis.git
177 lines
8.3 KiB
Bash
177 lines
8.3 KiB
Bash
#!/bin/sh
|
|
|
|
#################################################################################
|
|
#
|
|
# Lynis
|
|
# ------------------
|
|
#
|
|
# Copyright 2007-2013, Michael Boelen
|
|
# Copyright 2007-2018, CISOfy
|
|
#
|
|
# Website : https://cisofy.com
|
|
# Blog : http://linux-audit.com
|
|
# GitHub : https://github.com/CISOfy/lynis
|
|
#
|
|
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
|
# welcome to redistribute it under the terms of the GNU General Public License.
|
|
# See LICENSE file for usage of this software.
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Banners and identification
|
|
#
|
|
#################################################################################
|
|
#
|
|
InsertSection "Banners and identification"
|
|
#
|
|
#################################################################################
|
|
#
|
|
BANNER_FILES="${ROOTDIR}etc/issue ${ROOTDIR}etc/issue.net ${ROOTDIR}etc/motd"
|
|
LEGAL_BANNER_STRINGS="audit access authori connect enforce evidence forbidden intrusion law legal monitor owner policy policies privacy private prohibited record restricted secure subject system terms unauthorized"
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : BANN-7113
|
|
# Description : Check FreeBSD COPYRIGHT banner file
|
|
Register --test-no BANN-7113 --os FreeBSD --weight L --network NO --category security --description "Check COPYRIGHT banner file"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
LogText "Test: Testing existence ${ROOTDIR}COPYRIGHT or ${ROOTDIR}etc/COPYRIGHT"
|
|
if [ -f ${ROOTDIR}COPYRIGHT ]; then
|
|
Display --indent 2 --text "- ${ROOTDIR}COPYRIGHT" --result "${STATUS_FOUND}" --color GREEN
|
|
if [ -s ${ROOTDIR}COPYRIGHT ]; then
|
|
LogText "Result: ${ROOTDIR}COPYRIGHT available and contains text"
|
|
else
|
|
LogText "Result: ${ROOTDIR}COPYRIGHT available, but empty"
|
|
fi
|
|
else
|
|
Display --indent 2 --text "- ${ROOTDIR}COPYRIGHT" --result "${STATUS_NOT_FOUND}" --color WHITE
|
|
LogText "Result: ${ROOTDIR}COPYRIGHT not found"
|
|
fi
|
|
|
|
if [ -f ${ROOTDIR}etc/COPYRIGHT ]; then
|
|
Display --indent 2 --text "- ${ROOTDIR}etc/COPYRIGHT" --result "${STATUS_FOUND}" --color GREEN
|
|
if [ -s ${ROOTDIR}etc/COPYRIGHT ]; then
|
|
LogText "Result: ${ROOTDIR}etc/COPYRIGHT available and contains text"
|
|
else
|
|
LogText "Result: ${ROOTDIR}etc/COPYRIGHT available, but empty"
|
|
fi
|
|
else
|
|
Display --indent 2 --text "- ${ROOTDIR}etc/COPYRIGHT" --result "${STATUS_NOT_FOUND}" --color WHITE
|
|
LogText "Result: ${ROOTDIR}etc/COPYRIGHT not found"
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : BANN-7124
|
|
# Description : Check issue banner file
|
|
Register --test-no BANN-7124 --weight L --network NO --category security --description "Check issue banner file"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
LogText "Test: Checking file ${ROOTDIR}etc/issue"
|
|
if [ -f ${ROOTDIR}etc/issue ]; then
|
|
# Check for symlink
|
|
if [ -L ${ROOTDIR}etc/issue ]; then
|
|
LogText "Result: file ${ROOTDIR}etc/issue exists (symlink)"
|
|
Display --indent 2 --text "- ${ROOTDIR}etc/issue" --result SYMLINK --color GREEN
|
|
else
|
|
Display --indent 2 --text "- ${ROOTDIR}etc/issue" --result "${STATUS_FOUND}" --color GREEN
|
|
fi
|
|
else
|
|
LogText "Result: file ${ROOTDIR}etc/issue does not exist"
|
|
Display --indent 2 --text "- ${ROOTDIR}etc/issue" --result "${STATUS_NOT_FOUND}" --color WHITE
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : BANN-7126
|
|
# Description : Check issue file to see if it contains some form of message
|
|
# to discourage unauthorized users to leave the system alone
|
|
if [ -f ${ROOTDIR}etc/issue ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
Register --test-no BANN-7126 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check issue banner file contents"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
COUNT=0
|
|
FILE="${ROOTDIR}etc/issue"
|
|
LogText "Test: Checking file ${FILE} contents for legal key words"
|
|
for ITEM in ${LEGAL_BANNER_STRINGS}; do
|
|
FIND=$(${GREPBINARY} -i "${ITEM}" ${FILE})
|
|
if HasData "${FIND}"; then
|
|
LogText "Result: found string '${ITEM}'"
|
|
COUNT=$((COUNT + 1))
|
|
fi
|
|
done
|
|
# Check if we have 5 or more key words
|
|
if [ ${COUNT} -gt 4 ]; then
|
|
LogText "Result: Found ${COUNT} key words (5 or more suggested), to warn unauthorized users"
|
|
Display --indent 4 --text "- ${FILE} contents" --result "${STATUS_OK}" --color GREEN
|
|
AddHP 2 2
|
|
else
|
|
LogText "Result: Found only ${COUNT} key words (5 or more suggested), to warn unauthorized users and could be increased"
|
|
Display --indent 4 --text "- ${FILE} contents" --result WEAK --color YELLOW
|
|
ReportSuggestion ${TEST_NO} "Add a legal banner to ${FILE}, to warn unauthorized users"
|
|
AddHP 0 1
|
|
Report "weak_banner_file[]=${FILE}"
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : BANN-7128
|
|
# Description : Check issue.net banner file
|
|
Register --test-no BANN-7128 --weight L --network NO --category security --description "Check issue.net banner file"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
LogText "Test: Checking file ${ROOTDIR}etc/issue.net"
|
|
if [ -f ${ROOTDIR}etc/issue.net ]; then
|
|
# Check for symlink
|
|
if [ -L ${ROOTDIR}etc/issue.net ]; then
|
|
LogText "Result: file ${ROOTDIR}etc/issue.net exists (symlink)"
|
|
Display --indent 2 --text "- ${ROOTDIR}etc/issue.net" --result SYMLINK --color GREEN
|
|
else
|
|
LogText "Result: file ${ROOTDIR}etc/issue.net exists"
|
|
Display --indent 2 --text "- ${ROOTDIR}etc/issue.net" --result "${STATUS_FOUND}" --color GREEN
|
|
fi
|
|
else
|
|
LogText "Result: file ${ROOTDIR}etc/issue.net does not exist"
|
|
Display --indent 2 --text "- ${ROOTDIR}etc/issue.net" --result "${STATUS_NOT_FOUND}" --color WHITE
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : BANN-7130
|
|
# Description : Check issue.net file to see if it contains some form of message
|
|
# to discourage unauthorized users to leave the system alone
|
|
if [ -f ${ROOTDIR}etc/issue.net ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
Register --test-no BANN-7130 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check issue.net banner file contents"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
COUNT=0
|
|
LogText "Test: Checking file ${ROOTDIR}etc/issue.net contents for legal key words"
|
|
for ITEM in ${LEGAL_BANNER_STRINGS}; do
|
|
FIND=$(${GREPBINARY} -i "${ITEM}" ${ROOTDIR}etc/issue.net)
|
|
if HasData "${FIND}"; then
|
|
LogText "Result: found string '${ITEM}'"
|
|
COUNT=$((COUNT + 1))
|
|
fi
|
|
done
|
|
# Check if we have 5 or more key words
|
|
if [ ${COUNT} -gt 4 ]; then
|
|
LogText "Result: Found ${COUNT} key words, to warn unauthorized users"
|
|
Display --indent 4 --text "- ${ROOTDIR}etc/issue.net contents" --result "${STATUS_OK}" --color GREEN
|
|
AddHP 2 2
|
|
else
|
|
LogText "Result: Found only ${COUNT} key words, to warn unauthorized users and could be increased"
|
|
Display --indent 4 --text "- ${ROOTDIR}etc/issue.net contents" --result WEAK --color YELLOW
|
|
ReportSuggestion ${TEST_NO} "Add legal banner to /etc/issue.net, to warn unauthorized users"
|
|
AddHP 0 1
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
|
|
WaitForKeyPress
|
|
|
|
#
|
|
#================================================================================
|
|
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
|