#!/bin/sh

#################################################################################
#
#   Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
#
# Website  : https://cisofy.com
# Blog     : http://linux-audit.com
# GitHub   : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# File systems
#
# This file holds the FILE-63xx/64xx tests. Each test registers itself with
# Register and only runs its body when SKIPTEST is 0 (set by Register).
#
#################################################################################
#
# Number of days to mark a file as old. Used by FILE-6354 as the
# access-time threshold (find -atime +N) when searching /tmp.
TMP_OLD_DAYS=90
# Set to 1 by FILE-6311 when at least one LVM volume group is found; it is
# the prerequisite for FILE-6312 (LVM volumes).
LVM_VG_USED=0
#
#################################################################################
#
InsertSection "File systems"
#
#################################################################################
#
    # Test        : FILE-6310
    # Description : Checking if some mount points are separated from /
    # Goal        : Users should not be able to fill their home directory or temporary directory and creating a Denial of Service
    Register --test-no FILE-6310 --weight L --network NO --category security --description "Checking /tmp, /home and /var directory"
    if [ ${SKIPTEST} -eq 0 ]; then
        Display --indent 2 --text "- Checking mount points"
        # The column of the mount output that holds the mount point differs per OS
        case "${OS}" in
            "AIX")   MP_FIELD=2 ;;
            "HP-UX") MP_FIELD=1 ;;
            *)       MP_FIELD=3 ;;
        esac
        SEPARATED_FILESYTEMS="/home /tmp /var"
        for I in ${SEPARATED_FILESYTEMS}; do
            LogText "Test: Checking if ${I} is mounted separately or mounted on / file system"
            if [ -L ${I} ]; then
                # A symlinked directory cannot be judged from the mount list alone
                ShowSymlinkPath ${I}
                LogText "Result: ${I} is a symlink. Manual check required to determine exact file system options"
                ReportSuggestion "${TEST_NO}" "Symlinked mount point needs to be checked manually" "${I}" ""
                Display --indent 4 --text "- Checking ${I} mount point" --result SYMLINK --color WHITE
            elif [ -d ${I} ]; then
                LogText "Result: directory ${I} exists"
                # Echo the mount point back only when it is listed as a mount of its own
                FIND=$(${MOUNTBINARY} | ${AWKBINARY} -v MP=${I} -v F=${MP_FIELD} '{ if ($F==MP) { print $F }}')
                if IsEmpty "${FIND}"; then
                    LogText "Result: ${I} not found in mount list. Directory most likely stored on / file system"
                    Display --indent 4 --text "- Checking ${I} mount point" --result "${STATUS_SUGGESTION}" --color YELLOW
                    ReportSuggestion "${TEST_NO}" "To decrease the impact of a full ${I} file system, place ${I} on a separate partition"
                    AddHP 9 10
                else
                    LogText "Result: found ${I} as a separated mount point"
                    Display --indent 4 --text "- Checking ${I} mount point" --result "${STATUS_OK}" --color GREEN
                    AddHP 10 10
                fi
            else
                LogText "Result: directory ${I} does not exist"
            fi
        done
    fi
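#
#################################################################################
#
    # Test        : FILE-6311
    # Description : Checking LVM Volume Groups
    # Notes       : No volume groups found is sent to STDERR for unclear reasons. Filtering both STDERR redirecting and grep.
    #               FIND is cleared before the OS switch: on an OS without its own branch it would otherwise keep
    #               the value left behind by an earlier test and be reported as a volume group.
    if [ -n "${VGDISPLAYBINARY}" ] || [ -n "${LSVGBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no FILE-6311 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking LVM volume groups"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: Checking for LVM volume groups"
        FIND=""
        case ${OS} in
            AIX)
                # Active volume groups, one per line
                FIND=$(${LSVGBINARY} -o)
            ;;
            Linux)
                # Third column of the "VG Name" lines, sorted
                FIND=$(${VGDISPLAYBINARY} 2> /dev/null | ${GREPBINARY} -v "No volume groups found" | ${GREPBINARY} "VG Name" | ${AWKBINARY} '{ print $3 }' | ${SORTBINARY})
            ;;
            *)
                ReportException "${TEST_NO}:1" "Don't know this specific operating system yet, while volume group manager was found"
            ;;
        esac
        if [ -n "${FIND}" ]; then
            LogText "Result: found one or more volume groups"
            for I in ${FIND}; do
                LogText "Found LVM volume group: ${I}"
                Report "lvm_volume_group[]=${I}"
            done
            # Enables FILE-6312
            LVM_VG_USED=1
            Display --indent 2 --text "- Checking LVM volume groups" --result "${STATUS_FOUND}" --color GREEN
        else
            LogText "Result: no LVM volume groups found"
            if IsVerbose; then Display --indent 2 --text "- Checking LVM volume groups" --result "${STATUS_NONE}" --color WHITE; fi
        fi
    fi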
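#
#################################################################################
#
    # Test        : FILE-6312
    # Description : Checking LVM volumes
    # Notes       : Only runs when FILE-6311 found at least one volume group (LVM_VG_USED=1).
    #               FIND is cleared first so an OS without its own branch never reports volumes
    #               left over from a previous test.
    if [ ${LVM_VG_USED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no FILE-6312 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking LVM volumes"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: Checking for LVM volumes"
        FIND=""
        case ${OS} in
            AIX)
                # Logical volumes of every active volume group; the first two lines of lsvg -l are skipped as headers
                ACTIVE_VG_LIST=$(${LSVGBINARY} -o)
                FIND=$(for I in ${ACTIVE_VG_LIST}; do ${LSVGBINARY} -l ${I} | ${AWKBINARY} 'NR>2 { print $1 }'; done)
            ;;
            Linux)
                FIND=$(${LVDISPLAYBINARY} | ${GREPBINARY} -v "No volume groups found" | ${GREPBINARY} "LV Name" | ${AWKBINARY} '{ print $3 }' | ${SORTBINARY})
            ;;
            *)
                ReportException "${TEST_NO}:1" "Need specific test for gathering volume manager data"
            ;;
        esac
        if [ -n "${FIND}" ]; then
            LogText "Result: found one or more volumes"
            for I in ${FIND}; do
                LogText "Found LVM volume: ${I}"
                Report "lvm_volume[]=${I}"
            done
            Display --indent 4 --text "- Checking LVM volumes" --result "${STATUS_FOUND}" --color GREEN
        else
            # This test is about volumes; the volume groups were already reported by FILE-6311
            LogText "Result: no LVM volumes found"
            Display --indent 4 --text "- Checking LVM volumes" --result "${STATUS_NONE}" --color WHITE
        fi
    fi
#
#################################################################################
#
    # Test        : FILE-6316
    # Description : Checking /etc/fstab file permissions
    # Notes       : Not implemented yet (expected mode: 644)
    #Register --test-no FILE-6316 --os Linux --weight L --network NO --category security --description "Checking /etc/fstab"
    #if [ ${SKIPTEST} -eq 0 ]; then
    # 644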
#
#################################################################################
#
    # Test        : FILE-6323
    # Description : Checking Linux EXT2, EXT3, EXT4 file systems
    Register --test-no FILE-6323 --os Linux --weight L --network NO --category security --description "Checking EXT file systems"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: Checking for Linux EXT file systems"
        # One "mountpoint,type" pair per mounted EXT file system
        FIND=$(${MOUNTBINARY} -t ext2,ext3,ext4 | ${AWKBINARY} '{ print $3","$5 }')
        if [ -z "${FIND}" ]; then
            LogText "Result: no EXT file systems found"
        else
            LogText "Result: found one or more EXT file systems"
            for I in ${FIND}; do
                # Split the pair on its first comma (same result as cut -d, -f1 / -f2)
                FILESYSTEM=${I%%,*}
                FILETYPE=${I#*,}
                FILETYPE=${FILETYPE%%,*}
                LogText "File system: ${FILESYSTEM} (type: ${FILETYPE})"
                Report "file_systems_ext[]=${FILESYSTEM}|${FILETYPE}|"
            done
        fi
    fi
#
#################################################################################
#
    # Test        : FILE-6324
    # Description : Checking Linux XFS file systems
    Register --test-no FILE-6324 --os Linux --weight L --network NO --category security --description "Checking XFS file systems"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: Checking for Linux XFS file systems"
        # One "mountpoint,type" pair per mounted XFS file system
        FIND=$(${MOUNTBINARY} -t xfs | ${AWKBINARY} '{ print $3","$5 }')
        if [ -z "${FIND}" ]; then
            LogText "Result: no XFS file systems found"
        else
            LogText "Result: found one or more XFS file systems"
            for I in ${FIND}; do
                # Split the pair on its first comma (same result as cut -d, -f1 / -f2)
                FILESYSTEM=${I%%,*}
                FILETYPE=${I#*,}
                FILETYPE=${FILETYPE%%,*}
                LogText "File system: ${FILESYSTEM} (type: ${FILETYPE})"
                Report "file_systems_xfs[]=${FILESYSTEM}|${FILETYPE}|"
            done
        fi
    fi
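#
#################################################################################
#
    # Test        : FILE-6329
    # Description : Query all FFS/UFS mounts from /etc/fstab
    # Notes       : fstab entries whose first field starts with '#' are commented out and are no longer
    #               reported as mount points (they previously matched on the type field alone)
    if [ -f /etc/fstab ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no FILE-6329 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking FFS/UFS file systems"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: Query /etc/fstab for available FFS/UFS mount points"
        # device:mountpoint:type:options: for every active ufs/ffs entry
        FIND=$(${AWKBINARY} '{ if ($1 !~ /^#/ && ($3 == "ufs" || $3 == "ffs")) { print $1":"$2":"$3":"$4":" }}' /etc/fstab)
        if [ -z "${FIND}" ]; then
            if IsVerbose; then Display --indent 2 --text "- Querying FFS/UFS mount points (fstab)" --result "${STATUS_NONE}" --color WHITE; fi
            LogText "Result: unable to find any single mount point (FFS/UFS)"
        else
            Display --indent 2 --text "- Querying FFS/UFS mount points (fstab)" --result "${STATUS_FOUND}" --color GREEN
            Report "filesystem[]=ufs"
            for I in ${FIND}; do
                LogText "FFS/UFS mount found: ${I}"
                Report "mountpoint_ufs[]=${I}"
            done
        fi
    fi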
#
#################################################################################
#
    # Test        : FILE-6330
    # Description : Query all ZFS mounts (from the fstab-style output of mount -p)
    Register --test-no FILE-6330 --os FreeBSD --weight L --network NO --category security --description "Checking ZFS file systems"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: Query /etc/fstab for available ZFS mount points"
        # device:mountpoint:type:options: for every mounted zfs file system
        FIND=$(${MOUNTBINARY} -p | ${AWKBINARY} '{ if ($3 == "zfs") { print $1":"$2":"$3":"$4":" }}')
        if [ -n "${FIND}" ]; then
            Display --indent 2 --text "- Querying ZFS mount points (mount -p)" --result "${STATUS_FOUND}" --color GREEN
            Report "filesystem[]=zfs"
            for I in ${FIND}; do
                LogText "ZFS mount found: ${I}"
                Report "mountpoint_zfs[]=${I}"
            done
        else
            Display --indent 2 --text "- Querying ZFS mount points (mount -p)" --result "${STATUS_NONE}" --color WHITE
            LogText "Result: unable to find any single mount point (ZFS)"
        fi
    fi
#
#################################################################################
#
    # Test        : FILE-6439
    # Description : Query all HAMMER PFS mounts (from the fstab-style output of mount -p)
    Register --test-no FILE-6439 --os DragonFly --weight L --network NO --category security --description "Checking HAMMER PFS mounts"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: Query /etc/fstab for available HAMMER PFS mount points"
        # PFS mounts show up with type "null"; keep them as device:mountpoint:type:options:
        FIND=$(${MOUNTBINARY} -p | ${AWKBINARY} '{ if ($3 == "null") { print $1":"$2":"$3":"$4":" }}')
        if [ -n "${FIND}" ]; then
            Display --indent 2 --text "- Querying HAMMER PFS mount points (mount -p)" --result "${STATUS_FOUND}" --color GREEN
            Report "filesystem[]=hammer"
            for I in ${FIND}; do
                LogText "HAMMER mount found: ${I}"
                Report "mountpoint_hammer[]=${I}"
            done
        else
            Display --indent 2 --text "- Querying HAMMER PFS mount points (mount -p)" --result "${STATUS_NONE}" --color WHITE
            LogText "Result: unable to find any single PFS mount point"
        fi
    fi
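#
#################################################################################
#
    # Test        : FILE-6332
    # Description : Check swap partitions
    # Notes       : Reports every fstab swap entry together with the device it resolves to. UUID= entries are
    #               resolved through blkid when available, otherwise through /dev/disk/by-uuid.
    if [ -f /etc/fstab ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no FILE-6332 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking swap partitions"
    if [ ${SKIPTEST} -eq 0 ]; then
        FOUND=0
        LogText "Test: query swap partitions from /etc/fstab file"
        # Check if second or third field contains 'swap', then drop commented-out entries
        FIND=$(${AWKBINARY} '{ if ($2=="swap" || $3=="swap") { print $1 }}' /etc/fstab | ${GREPBINARY} -v "^#")
        for I in ${FIND}; do
            FOUND=1
            REAL=""
            UUID=""
            LogText "Swap partition found: ${I}"
            # TODO Add a test if partition is not a normal partition (e.g. UUID=)
            # Can be ^/dev/mapper/vg-name_lv-name
            # Can be ^/dev/partition

            # Test for UUID usage (e.g. UUID=uuid --> /dev/disk/by-uuid/<uuid>)
            HAS_UUID=$(echo ${I} | ${GREPBINARY} "^UUID=")
            if [ -n "${HAS_UUID}" ]; then
                UUID=$(echo ${HAS_UUID} | ${AWKBINARY} -F= '{ print $2 }')
                LogText "Result: Using ${UUID} as UUID"
                if [ -n "${BLKIDBINARY}" ]; then
                    # Hand the UUID to awk with -v: the shell never expands ${UUID} inside a single-quoted
                    # awk program, so the former literal comparison could not match any device.
                    # Assumes blkid prints the UUID="..." token as the second field of a line — confirm
                    # for entries that carry a LABEL first.
                    FIND2=$(${BLKIDBINARY} | ${AWKBINARY} -v uuid="${UUID}" '{ if ($2 == ("UUID=\"" uuid "\"")) { print $1 } }' | ${SEDBINARY} 's/:$//')
                    if [ -n "${FIND2}" ]; then
                        REAL="${FIND2}"
                    fi
                else
                    LogText "Result: blkid binary not found, trying by checking device listing"
                    sFILE=""
                    if [ -L /dev/disk/by-uuid/${UUID} ]; then
                        LogText "Result: found disk via /dev/disk/by-uuid listing"
                        # ShowSymlinkPath is expected to leave the resolved target in sFILE
                        ShowSymlinkPath /dev/disk/by-uuid/${UUID}
                        if [ -n "${sFILE}" ]; then
                            REAL="${sFILE}"
                            LogText "Result: disk is ${REAL}"
                        fi
                    else
                        LogText "Result: no symlink found to /dev/disk/by-uuid/${UUID}"
                    fi
                fi
            fi
            # Set real device (fall back to the fstab value when it could not be resolved)
            if [ -z "${REAL}" ]; then
                REAL="${I}"
            fi
            Report "swap_partition[]=${I},${REAL},"
        done
        if [ ${FOUND} -eq 1 ]; then
            Display --indent 2 --text "- Query swap partitions (fstab)" --result "${STATUS_OK}" --color GREEN
        else
            Display --indent 2 --text "- Query swap partitions (fstab)" --result "${STATUS_NONE}" --color YELLOW
            LogText "Result: no swap partitions found in /etc/fstab"
        fi
    fi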
#
#################################################################################
#
    # Test        : FILE-6336
    # Description : Check swap mount options
    # Examples    : [partition] swap swap defaults 0 0
    #               [partition] none swap sw 0 0
    if [ -f /etc/fstab ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no FILE-6336 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking swap mount options"
    if [ ${SKIPTEST} -eq 0 ]; then
        # Swap partitions should be mounted with 'sw' or 'swap'
        LogText "Test: check swap partitions with incorrect mount options"
        # Swap entries whose option field neither contains 'sw' nor equals 'defaults'
        FIND=$(${AWKBINARY} '{ if ($3=="swap" && ($4!~/sw/ && $4!="defaults")) { print $1 }}' /etc/fstab)
        if [ -n "${FIND}" ]; then
            Display --indent 2 --text "- Testing swap partitions" --result "CHECK NEEDED" --color YELLOW
            LogText "Result: possible incorrect mount options used for mounting swap partition (${FIND})"
            #ReportWarning "${TEST_NO}" "Possible incorrect mount options used for swap partition (${FIND})"
            ReportSuggestion "${TEST_NO}" "Check your /etc/fstab file for swap partition mount options"
            LogText "Notes: usually swap partition have 'sw' or 'swap' in the options field (4th)"
        else
            Display --indent 2 --text "- Testing swap partitions" --result "${STATUS_OK}" --color GREEN
            LogText "Result: all swap partitions have correct options (sw or swap)"
        fi
    fi
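#
#################################################################################
#
    # Test        : FILE-6344
    # Description : Check proc mount options (Linux >=3.3 only)
    # Examples    : proc /proc proc defaults,hidepid=2 0 0
    # Goal        : Users should not be able to see processes of other users
    # Notes       : PREQS_MET starts as NO so a host without /proc/version can not inherit the value
    #               left behind by the previous test. "Kernel 3.3 or newer" means major > 3, or major 3
    #               with minor >= 3; the former test (major >= 3 AND minor >= 3) wrongly skipped
    #               e.g. 4.0 and 5.2.
    PREQS_MET="NO"
    if [ "${OS}" = "Linux" ] && [ -f ${ROOTDIR}proc/version ]; then
        LINUX_KERNEL_MAJOR=$(echo $OS_KERNELVERSION | ${AWKBINARY} -F. '{print $1}')
        LINUX_KERNEL_MINOR=$(echo $OS_KERNELVERSION | ${AWKBINARY} -F. '{print $2}')
        if [ -n "${LINUX_KERNEL_MAJOR}" ] && [ -n "${LINUX_KERNEL_MINOR}" ]; then
            if [ ${LINUX_KERNEL_MAJOR} -gt 3 ]; then
                PREQS_MET="YES"
            elif [ ${LINUX_KERNEL_MAJOR} -eq 3 ] && [ ${LINUX_KERNEL_MINOR} -ge 3 ]; then
                PREQS_MET="YES"
            fi
        fi
    fi
    Register --test-no FILE-6344 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking proc mount options"
    if [ ${SKIPTEST} -eq 0 ]; then
        # Proc should be mounted with 'hidepid=2' or 'hidepid=1' at least
        LogText "Test: check proc mount with incorrect mount options"
        # Only the hidepid=<digit> token of the /proc mount line is kept; an empty result means the option is absent
        FIND=$(${MOUNTBINARY} | ${EGREPBINARY} "${ROOTDIR}proc " | ${EGREPBINARY} -o "hidepid=[0-9]")
        if [ "${FIND}" = "hidepid=2" ]; then
            Display --indent 2 --text "- Testing /proc mount (hidepid)" --result "${STATUS_OK}" --color GREEN
            LogText "Result: proc mount mounted with hidepid=2"
            AddHP 3 3
        elif [ "${FIND}" = "hidepid=1" ]; then
            Display --indent 2 --text "- Testing /proc mount (hidepid)" --result "${STATUS_OK}" --color GREEN
            LogText "Result: proc mount mounted with hidepid=1"
            AddHP 2 3
        elif [ -z "${FIND}" ]; then
            # HIDEPID1_SUGGESTION=" (or at least hidepid=1)"
            AddHP 0 3
            Display --indent 2 --text "- Testing /proc mount (hidepid)" --result "${STATUS_SUGGESTION}" --color YELLOW
            LogText "Result: /proc filesystem is not mounted with option hidepid=1 or hidepid=2"
            # TODO ReportSuggestion "${TEST_NO}" "Consider mounting /proc via /etc/fstab with mount option hidepid=2" "/proc" "-"
        fi
    fi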
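#
#################################################################################
#
    # Test        : FILE-6354
    # Description : Search files within /tmp which are older than 3 months
    # Notes       : "old" is judged by access time (find -atime +TMP_OLD_DAYS), and the log line
    #               now says so instead of claiming the files were not modified
    if [ -d ${ROOTDIR}tmp ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no FILE-6354 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Searching for old files in /tmp"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: Searching for old files in ${ROOTDIR}tmp"
        # Search for files only in ${ROOTDIR}tmp, with an access time older than X days.
        # Spaces in file names are masked so the result can be iterated with a plain for loop.
        FIND=$(${FINDBINARY} ${ROOTDIR}tmp -xdev -type f -atime +${TMP_OLD_DAYS} 2> /dev/null | ${SEDBINARY} 's/ /!space!/g')
        if IsEmpty "${FIND}"; then
            Display --indent 2 --text "- Checking for old files in ${ROOTDIR}tmp" --result "${STATUS_OK}" --color GREEN
            LogText "Result: no files found in ${ROOTDIR}tmp which are older than 3 months"
        else
            Display --indent 2 --text "- Checking for old files in ${ROOTDIR}tmp" --result "${STATUS_FOUND}" --color RED
            COUNT=0
            for ITEM in ${FIND}; do
                # Restore the masked spaces before logging the name
                FILE=$(echo ${ITEM} | ${SEDBINARY} 's/!space!/ /g')
                LogText "Old temporary file: ${FILE}"
                COUNT=$((COUNT + 1))
            done
            LogText "Result: found old files in ${ROOTDIR}tmp, which were not accessed in the last ${TMP_OLD_DAYS} days"
            LogText "Advice: check and clean up unused files in ${ROOTDIR}tmp. Old files can fill up a disk or contain"
            LogText "private information and should be deleted it not being used actively. Use a tool like lsof to"
            LogText "see which programs possibly are using a particular file. Some systems can cleanup temporary"
            LogText "directories by setting a boot option."
            ReportSuggestion "${TEST_NO}" "Check ${COUNT} files in ${ROOTDIR}tmp which are older than ${TMP_OLD_DAYS} days"
        fi
    fi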
#
#################################################################################
#
    # Test        : FILE-6362
    # Description : Check for sticky bit on /tmp
    if [ -d ${ROOTDIR}tmp ] && [ ! -L ${ROOTDIR}tmp ]; then
        PREQS_MET="YES"; SKIPREASON=""
    else
        PREQS_MET="NO"; SKIPREASON="No /tmp or /tmp is symlinked"
    fi
    Register --test-no FILE-6362 --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Checking /tmp sticky bit"
    if [ ${SKIPTEST} -eq 0 ]; then
        # The mode string (first column of ls -ld) shows the sticky bit as 't' or 'T' on every OS,
        # even though the column holding the name differs
        FIND=$(${LSBINARY} -ld ${ROOTDIR}tmp | ${AWKBINARY} '$1 ~ /[tT]/ { print 1 }')
        if [ "${FIND}" != "1" ]; then
            Display --indent 2 --text "- Checking ${ROOTDIR}tmp sticky bit" --result "${STATUS_WARNING}" --color RED
            ReportSuggestion "${TEST_NO}" "Set the sticky bit on ${ROOTDIR}tmp, to prevent users deleting (by other owned) files in the /tmp directory." "/tmp" "text:Set sticky bit"
            AddHP 0 3
        else
            Display --indent 2 --text "- Checking ${ROOTDIR}tmp sticky bit" --result "${STATUS_OK}" --color GREEN
            LogText "Result: sticky bit found on ${ROOTDIR}tmp directory"
            AddHP 3 3
        fi
        unset FIND
    else
        LogText "Result: Sticky bit test (on /tmp) skipped. Possible reason: missing directory, or symlinked directory, or test skipped."
    fi
#
#################################################################################
#
    # Test        : FILE-6363
    # Description : Check for sticky bit on /var/tmp
    if [ -d ${ROOTDIR}var/tmp ] && [ ! -L ${ROOTDIR}var/tmp ]; then
        PREQS_MET="YES"; SKIPREASON=""
    else
        PREQS_MET="NO"; SKIPREASON="No /var/tmp or /var/tmp is symlinked"
    fi
    Register --test-no FILE-6363 --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Checking /var/tmp sticky bit"
    if [ ${SKIPTEST} -eq 0 ]; then
        # The mode string (first column of ls -ld) shows the sticky bit as 't' or 'T' on every OS,
        # even though the column holding the name differs
        FIND=$(${LSBINARY} -ld ${ROOTDIR}var/tmp | ${AWKBINARY} '$1 ~ /[tT]/ { print 1 }')
        if [ "${FIND}" != "1" ]; then
            Display --indent 2 --text "- Checking ${ROOTDIR}var/tmp sticky bit" --result "${STATUS_WARNING}" --color RED
            ReportSuggestion "${TEST_NO}" "Set the sticky bit on ${ROOTDIR}var/tmp, to prevent users deleting (by other owned) files in the /var/tmp directory." "/var/tmp" "text:Set sticky bit"
            AddHP 0 3
        else
            Display --indent 2 --text "- Checking ${ROOTDIR}var/tmp sticky bit" --result "${STATUS_OK}" --color GREEN
            LogText "Result: sticky bit found on ${ROOTDIR}var/tmp directory"
            AddHP 3 3
        fi
        unset FIND
    else
        LogText "Result: Sticky bit test (on /var/tmp) skipped. Possible reason: missing directory, or symlinked directory, or test skipped."
    fi
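#
#################################################################################
#
    # Test        : FILE-6366
    # Description : Check for noatime option
    # More info   : especially useful for profile 'desktop' and 'server-storage'

    # Want to contribute to Lynis? Create this test

#
#################################################################################
#
    # Test        : FILE-6368
    # Description : Checking Linux root file system ACL support
    # Notes       : 'acl' is matched as a whole word so a 'noacl' mount option is not mistaken for it.
    #               The XFS branch only counts when / actually is XFS: previously an empty awk result
    #               (root not XFS at all) passed the "no no_acl option" test and marked ACLs as enabled
    #               on every non-XFS root.
    Register --test-no FILE-6368 --os Linux --weight L --network NO --root-only YES --category security --description "Checking ACL support on root file system"
    if [ ${SKIPTEST} -eq 0 ]; then
        FOUND=0
        LogText "Test: Checking acl option on ext[2-4] root file system"
        # $6 of the mount output is the option list of the ext[2-4] file system mounted on /
        FIND=$(${MOUNTBINARY} | ${AWKBINARY} '{ if ($3=="/" && $5~/ext[2-4]/) { print $6 } }' | ${GREPBINARY} -w acl)
        if [ -n "${FIND}" ]; then
            LogText "Result: found ACL option"
            FOUND=1
        else
            LogText "Result: mount point probably mounted with defaults"
            LogText "Test: Checking device which holds root file system"
            # Get device on which root file system is mounted. Use /dev/root if it exists, or
            # else check output of mount
            if [ -b ${ROOTDIR}dev/root ]; then
                FIND1="${ROOTDIR}dev/root"
            else
                # Only determine device if it is EXT2/3/4
                FIND1=$(${MOUNTBINARY} -t ext2,ext3,ext4 | ${GREPBINARY} "on / " | ${AWKBINARY} '{ print $1 }')
            fi
            # Trying to determine default mount options from EXT2/EXT3/EXT4 file systems
            if [ -z "${FIND1}" ]; then
                LogText "Result: No file system found with root file system"
            elif [ -z "${TUNE2FSBINARY}" ]; then
                # Without tune2fs the superblock defaults cannot be read; do not run an empty command
                LogText "Result: tune2fs binary not found, unable to check default mount options on ${FIND1}"
            else
                LogText "Result: found ${FIND1}"
                LogText "Test: Checking default options on ${FIND1}"
                FIND2=$(${TUNE2FSBINARY} -l ${FIND1} 2> /dev/null | ${GREPBINARY} "^Default mount options" | ${GREPBINARY} -w "acl")
                if [ -n "${FIND2}" ]; then
                    LogText "Result: found ACL option in default mount options"
                    FOUND=1
                else
                    LogText "Result: no ACL option found in default mount options list"
                fi
            fi
        fi

        LogText "Test: Checking acl option on xfs root file system"
        # Option list of the XFS file system mounted on /, empty when / is not XFS
        XFS_OPTIONS=$(${MOUNTBINARY} | ${AWKBINARY} '{ if ($3=="/" && $5~/xfs/) { print $6 } }')
        if [ -n "${XFS_OPTIONS}" ]; then
            FIND=$(echo "${XFS_OPTIONS}" | ${EGREPBINARY} 'no_acl|no_user_xattr')
            if [ -z "${FIND}" ]; then
                FOUND=1
                # some other tests to do ?
            fi
        fi

        if [ ${FOUND} -eq 0 ]; then
            LogText "Result: ACL option NOT enabled on root file system"
            LogText "Additional information: if file access need to be more restricted, ACLs could be used. Install the acl utilities and remount the file system with the acl option"
            LogText "Activate acl support on and active file system with mount -o remount,acl / and add the acl option to the fstab file"
            Display --indent 2 --text "- ACL support root file system" --result "${STATUS_DISABLED}" --color YELLOW
            AddHP 0 1
        else
            LogText "Result: ACL option enabled on root file system"
            Display --indent 2 --text "- ACL support root file system" --result "${STATUS_ENABLED}" --color GREEN
            AddHP 3 3
        fi
    fi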
#
#################################################################################
#
    # Test        : FILE-6372
    # Description : Check / mount options for Linux
    # Notes       : Reads the option field of the / entry in fstab. The NODEV/NOEXEC/NOSUID flags are
    #               derived from it but not used further within this test.
    Register --test-no FILE-6372 --os Linux --weight L --network NO --category security --description "Checking / mount options"
    if [ ${SKIPTEST} -eq 0 ]; then
        if [ -f ${ROOTDIR}etc/fstab ]; then
            # Drop comment lines and trailing comments, then keep the 4th field of the entry mounted on /
            FIND=$(${GREPBINARY} -w "/" ${ROOTDIR}etc/fstab | ${GREPBINARY} -v "^#" | ${CUTBINARY} -f1 -d"#" | ${AWKBINARY} '{ if ($2=="/") { print $4 }}')
            # YES/NO per hardening flag
            NODEV=$(echo ${FIND} | ${AWKBINARY} '{ if ($1 ~ "nodev") { print "YES" } else { print "NO" } }')
            NOEXEC=$(echo ${FIND} | ${AWKBINARY} '{ if ($1 ~ "noexec") { print "YES" } else { print "NO" } }')
            NOSUID=$(echo ${FIND} | ${AWKBINARY} '{ if ($1 ~ "nosuid") { print "YES" } else { print "NO" } }')

            if [ -z "${FIND}" ]; then
                LogText "Result: no mount point / or expected options found"
            else
                LogText "Result: mount system / is configured with options: ${FIND}"
                case "${FIND}" in
                    defaults) Display --indent 2 --text "- Mount options of /" --result "${STATUS_OK}" --color GREEN ;;
                    *)        Display --indent 2 --text "- Mount options of /" --result "NON DEFAULT" --color YELLOW ;;
                esac
            fi
        fi
    fi
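#
#################################################################################
#
    # Test        : FILE-6374
    # Description : Check mount options for Linux
    # Notes       : This test determines if the mount point exists. If it does not exist as mount point, yet it is an directory,
    #               you might consider to make it a separate mount point with restrictions.
    #
    #               Depending on the primary goals of a machine, some mount points might be too restrictive. Before applying any
    #               mount flags, test them on a similar or cloned test system.
    #
    #               Commented-out fstab entries (first field starting with '#') are ignored in both awk lookups
    #               below. The earlier expression $1~"[^#]" only required some non-# character in the first
    #               field, which a commented-out device name ("#/dev/sda2") also has.
    #
    #               ---------------------------------------------------------
    #               Mount point       nodev   noexec   nosuid
    #               /boot               v       v        v
    #               /dev/shm            v       v        v
    #               /home               v                v
    #               /tmp                v       v        v
    #               /var                                 v
    #               /var/log            v       v        v
    #               /var/log/audit      v       v        v
    #               /var/tmp            v       v        v
    #               ---------------------------------------------------------

    FILESYSTEMS_TO_CHECK="/boot:nodev,noexec,nosuid /dev/shm:nosuid,nodev,noexec /home:nodev,nosuid /tmp:nodev,noexec,nosuid /var:nosuid /var/log:nodev,noexec,nosuid /var/log/audit:nodev,noexec,nosuid /var/tmp:nodev,noexec,nosuid"
    Register --test-no FILE-6374 --os Linux --weight L --network NO --category security --description "Linux mount options"
    if [ ${SKIPTEST} -eq 0 ]; then
        if [ -f ${ROOTDIR}etc/fstab ]; then
            for I in ${FILESYSTEMS_TO_CHECK}; do
                # "<mount point>:<flag,flag,...>" -> mount point and space separated expected flags
                FILESYSTEM=$(echo ${I} | ${CUTBINARY} -d: -f1)
                EXPECTED_FLAGS=$(echo ${I} | ${CUTBINARY} -d: -f2 | ${SEDBINARY} 's/,/ /g')
                # File system type of the active fstab entry for this mount point (empty when absent)
                FS_FSTAB=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($1 !~ /^#/ && $2==fs) { print $3 } }' ${ROOTDIR}etc/fstab)
                if [ "${FS_FSTAB}" = "glusterfs" ]; then
                    # nodev and nosuid are not expected on glusterfs entries; skip the entry entirely when nothing is left
                    EXPECTED_FLAGS=$(echo ${EXPECTED_FLAGS} | ${SEDBINARY} 's/\<\(nodev\|nosuid\)\> *//g')
                    if [ -z "${EXPECTED_FLAGS}" ]; then
                        FS_FSTAB=""
                    fi
                fi
                if [ -n "${FS_FSTAB}" ]; then
                    # Option field of the active entry, as one space separated line
                    FOUND_FLAGS=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($1 !~ /^#/ && $2==fs) { print $4 } }' ${ROOTDIR}etc/fstab | ${SEDBINARY} 's/,/ /g' | ${TRBINARY} '\n' ' ')
                    LogText "File system: ${FILESYSTEM}"
                    LogText "Expected flags: ${EXPECTED_FLAGS}"
                    LogText "Found flags: ${FOUND_FLAGS}"
                    PARTIALLY_HARDENED=0
                    FULLY_HARDENED=1
                    for FLAG in ${EXPECTED_FLAGS}; do
                        FLAG_AVAILABLE=$(echo ${FOUND_FLAGS} | ${GREPBINARY} ${FLAG})
                        if [ -z "${FLAG_AVAILABLE}" ]; then
                            LogText "Result: Could not find mount option ${FLAG} on file system ${FILESYSTEM}"
                            FULLY_HARDENED=0
                        else
                            LogText "Result: GOOD, found mount option ${FLAG} on file system ${FILESYSTEM}"
                            PARTIALLY_HARDENED=1
                        fi
                    done
                    if [ ${FULLY_HARDENED} -eq 1 ]; then
                        LogText "Result: marked ${FILESYSTEM} as fully hardened"
                        Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result HARDENED --color GREEN
                        AddHP 5 5
                    elif [ ${PARTIALLY_HARDENED} -eq 1 ]; then
                        LogText "Result: marked ${FILESYSTEM} as partially hardened"
                        Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "PARTIALLY HARDENED" --color YELLOW
                        AddHP 4 5
                    else
                        # None of the expected flags present: distinguish plain 'defaults' from other option sets
                        if ContainsString "defaults" "${FOUND_FLAGS}"; then
                            LogText "Result: marked ${FILESYSTEM} options as default (not hardened)"
                            Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result DEFAULT --color YELLOW
                            AddHP 3 5
                        else
                            LogText "Result: marked ${FILESYSTEM} options as non-default (unclear about hardening)"
                            Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "NON DEFAULT" --color YELLOW
                            AddHP 4 5
                        fi
                    fi
                else
                    LogText "Result: file system ${FILESYSTEM} not found in ${ROOTDIR}etc/fstab"
                fi
            done
        fi
    fi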
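#
#################################################################################
#
    # Test        : FILE-6376
    # Description : Bind mount the /var/tmp directory to /tmp
    # Notes       : Commented-out fstab entries (first field starting with '#') are no longer taken
    #               as the /var/tmp entry
    Register --test-no FILE-6376 --os Linux --weight L --network NO --category security --description "Determine if /var/tmp is bound to /tmp"
    if [ ${SKIPTEST} -eq 0 ]; then
        if [ -f ${ROOTDIR}etc/fstab ]; then
            # Option field of the active /var/tmp entry
            FIND=$(${AWKBINARY} '{ if ($1 !~ /^#/ && $2=="/var/tmp") { print $4 } }' ${ROOTDIR}etc/fstab)
            # YES when the options mention 'bind'
            BIND=$(echo ${FIND} | ${AWKBINARY} '{ if ($1 ~ "bind") { print "YES" } else { print "NO" } }')
            if [ -n "${FIND}" ]; then
                LogText "Result: mount system /var/tmp is configured with options: ${FIND}"
                if [ "${BIND}" = "YES" ]; then
                    Display --indent 2 --text "- /var/tmp is bound to /tmp" --result "${STATUS_OK}" --color GREEN
                    LogText "Result : /var/tmp is bind to /tmp"
                else
                    Display --indent 2 --text "- /var/tmp is not bound to /tmp" --result "NON DEFAULT" --color YELLOW
                    LogText "Result: /var/tmp is not bind to /tmp"
                fi
            else
                LogText "Result: no mount point /var/tmp or expected options found"
                if IsVerbose; then Display --indent 2 --text "- /var/tmp is not bound to /tmp" --result "INFO" --color WHITE; fi
            fi
        fi
    fi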
#################################################################################
|
|
#
|
|
# Test : FILE-6378 TODO
|
|
# Description : Check for nodirtime option
|
|
|
|
# Want to contribute to Lynis? Create this test
|
|
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : FILE-6380 TODO
|
|
# Description : Check for relatime
|
|
|
|
# Want to contribute to Lynis? Create this test
|
|
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : FILE-6390 TODO
|
|
# Description : Check writeback/journalling mode (ext3)
|
|
# More info : data=writeback | data=ordered | data=journal
|
|
|
|
# Want to contribute to Lynis? Create this test
|
|
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : FILE-6394 TODO
|
|
# Description : Check vm.swappiness (Linux)
|
|
|
|
# Want to contribute to Lynis? Create this test
|
|
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : FILE-6398 TODO
|
|
# Description : Check if JBD (Journal Block Device) driver is loaded
|
|
|
|
# Want to contribute to Lynis? Create this test
|
|
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test        : FILE-6410
# Description : Checking locate database (file index)
# Notes       : Linux   /var/lib/mlocate/mlocate.db or /var/lib/slocate/slocate.db
#               or /var/cache/locate/locatedb
#               FreeBSD /var/db/locate.database
# Prerequisite: a locate binary must have been detected (LOCATEBINARY)
if [ -n "${LOCATEBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FILE-6410 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --category security --description "Checking Locate database"
if [ ${SKIPTEST} -eq 0 ]; then
    LogText "Test: Checking locate database"
    FOUND=0
    # Candidate database locations, relative to ROOTDIR. The last entry is the
    # FreeBSD path while the test is registered for Linux only -
    # NOTE(review): confirm whether the --os restriction is intended.
    LOCATE_DBS="${ROOTDIR}var/lib/mlocate/mlocate.db ${ROOTDIR}var/lib/locate/locatedb ${ROOTDIR}var/lib/locatedb ${ROOTDIR}var/lib/slocate/slocate.db ${ROOTDIR}var/cache/locate/locatedb ${ROOTDIR}var/db/locate.database"
    # Every candidate is checked; when more than one exists, the last one found
    # is the one reported.
    for FILE in ${LOCATE_DBS}; do
        if [ ! -f "${FILE}" ]; then
            LogText "Result: file ${FILE} not found"
            continue
        fi
        LogText "Result: locate database found (${FILE})"
        FOUND=1
        LOCATE_DB="${FILE}"
    done
    if [ ${FOUND} -eq 0 ]; then
        LogText "Result: database not found"
        Display --indent 2 --text "- Checking Locate database" --result "${STATUS_NOT_FOUND}" --color YELLOW
        ReportSuggestion "${TEST_NO}" "The database required for 'locate' could not be found. Run 'updatedb' or 'locate.updatedb' to create this file."
    else
        Display --indent 2 --text "- Checking Locate database" --result "${STATUS_FOUND}" --color GREEN
        Report "locate_db=${LOCATE_DB}"
    fi
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : FILE-6420 TODO
|
|
# Description : Check automount process
|
|
|
|
# Want to contribute to Lynis? Create this test
|
|
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : FILE-6422 TODO
|
|
# Description : Check automount maps (files or for example LDAP based)
|
|
# Notes : Warn when automounter is running
|
|
|
|
# Want to contribute to Lynis? Create this test
|
|
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : FILE-6424 TODO
|
|
# Description : Check automount map files
|
|
|
|
# Want to contribute to Lynis? Create this test
|
|
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : FILE-6425 TODO
|
|
# Description : Check mounted file systems via automounter
|
|
# Notes : Warn when no systems are mounted?
|
|
|
|
# Want to contribute to Lynis? Create this test
|
|
|
|
#
|
|
#################################################################################
|
|
#
|
|
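# Test        : FILE-6430
# Description : Disable mounting of some filesystems
# Rationale   : Unless there is a specific reason to use a particular file system, disable it.
# Data        : cramfs freevxfs hfs hfsplus jffs2 squashfs udf
# Notes       : Detection relies on a modprobe dry run, so a file system that is
#               compiled into the kernel (not a loadable module) is not seen here.
Register --test-no FILE-6430 --weight L --network NO --category security --description "Disable mounting of some filesystems"
if [ ${SKIPTEST} -eq 0 ]; then
    # Both lsmod and modprobe are needed. Without modprobe the dry run below
    # would fail silently (stderr is discarded) and every module would be
    # counted as "not present", giving an undeserved full score.
    if [ -n "${LSMODBINARY}" ] && [ -n "${MODPROBEBINARY}" ] && [ -f /proc/modules ]; then
        Display --indent 2 --text "- Disable kernel support of some filesystems"
        LIST_FS_NOT_SUPPORTED="cramfs freevxfs hfs hfsplus jffs2 squashfs udf"
        FOUND=0
        AVAILABLE_MODPROBE_FS=""
        for FS in ${LIST_FS_NOT_SUPPORTED}; do
            # A modprobe dry run prints the module path when the module can be
            # loaded. An "install ${FS} /bin/true" blacklist line replaces that
            # path, so a disabled module does not match. The dot is escaped so
            # only the literal ".ko" suffix matches.
            FIND=$(${MODPROBEBINARY} -v -n "${FS}" 2>/dev/null | ${EGREPBINARY} "/${FS}\.ko" | ${TAILBINARY} -1)
            if [ -n "${FIND}" ]; then
                LogText "Result: found ${FS} support in the kernel (output = ${FIND})"
                Debug "Module ${FS} present in the kernel"
                LogText "Test: Checking if ${FS} is active"
                # Match the whole module name column: with a bare "^${FS}" a
                # loaded hfsplus would make hfs look loaded as well.
                FIND=$(${LSMODBINARY} | ${EGREPBINARY} "^${FS}[[:space:]]")
                if IsEmpty "${FIND}"; then
                    LogText "Result: module ${FS} is currently not loaded in the kernel."
                    AddHP 2 3
                    if IsDebug; then Display --indent 6 --text "- Module ${FS} not loaded (lsmod)" --result OK --color GREEN; fi
                    FOUND=1
                    AVAILABLE_MODPROBE_FS="${AVAILABLE_MODPROBE_FS}${FS} "
                else
                    # Loaded modules are shown but not scored and do not trigger
                    # the suggestion (the module may be in use); unchanged policy.
                    LogText "Result: module ${FS} is loaded in the kernel"
                    Display --indent 4 --text "- Module ${FS} loaded in the kernel (lsmod)" --result "FOUND" --color WHITE
                fi
            else
                AddHP 3 3
                if IsDebug; then Display --indent 6 --text "- Module ${FS} not present in the kernel" --result OK --color GREEN; fi
            fi
        done
        # Suggest blacklisting only when at least one available module is not loaded
        if [ ${FOUND} -eq 1 ]; then
            Display --indent 4 --text "- Discovered kernel modules: ${AVAILABLE_MODPROBE_FS}"
            ReportSuggestion "${TEST_NO}" "Consider disabling unused kernel modules" "/etc/modprobe.d/blacklist.conf" "Add 'install MODULENAME /bin/true' (without quotes)"
        fi
    else
        LogText "Test skipped: lsmod or modprobe binary not found or /proc/modules can not be opened"
    fi
    unset AVAILABLE_FS AVAILABLE_MODPROBE_FS
fi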
|
|
#
|
|
#################################################################################
|
|
#
|
|
|
|
# End of the file systems section: pause here before the next section
# (WaitForKeyPress is a shared Lynis helper, presumably defined in the common functions - not in this file)
WaitForKeyPress
|
|
|
|
#
|
|
#================================================================================
|
|
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
|