mirror of https://github.com/CISOfy/lynis.git
367 lines
38 KiB
Bash
367 lines
38 KiB
Bash
#!/bin/sh
|
|
|
|
#################################################################################
|
|
#
|
|
# Lynis
|
|
# ------------------
|
|
#
|
|
# Copyright 2007-2013, Michael Boelen
|
|
# Copyright 2007-2020, CISOfy
|
|
#
|
|
# Website : https://cisofy.com
|
|
# Blog : http://linux-audit.com
|
|
# GitHub : https://github.com/CISOfy/lynis
|
|
#
|
|
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
|
# welcome to redistribute it under the terms of the GNU General Public License.
|
|
# See LICENSE file for usage of this software.
|
|
#
|
|
#################################################################################
|
|
#
|
|
# * Check which binaries and tools are installed
|
|
# * With the results a customized scan can be performed for every single system.
|
|
#
|
|
#################################################################################
|
|
#
|
|
COMPILER_INSTALLED=0
|
|
IDLE_SESSION_KILLER_INSTALLED=0
|
|
MALWARE_SCANNER_INSTALLED=0
|
|
#
|
|
#################################################################################
|
|
#
|
|
if [ ${CHECK_BINARIES} -eq 1 ]; then
|
|
InsertSection "System Tools"
|
|
Display --indent 2 --text "- Scanning available tools..."
|
|
LogText "Start scanning for available audit binaries and tools..."
|
|
|
|
# Test : CORE-1000
|
|
# Description : Check all system binaries
|
|
# Notes : Always perform test, dependency for many other tests
|
|
Register --test-no CORE-1000 --weight L --network NO --description "Check all system binaries"
|
|
BINARY_PATHS_FOUND=""; COUNT=0
|
|
Display --indent 2 --text "- Checking system binaries..."
|
|
LogText "Status: Starting binary scan..."
|
|
|
|
# Notes:
|
|
# - If PATH is empty, we use the predefined list in include/consts
|
|
# - Common paths first, then followed by more specific paths. This helps on the slightly ancient UNIX derivatives.
|
|
# - Avoid sorting the path list, as this might result in incorrect order of finding binaries (e.g. awk binary)
|
|
|
|
# Test if our PATH variable provides a set of paths. If so, reverse the order. If we discover the same binary
|
|
# multiple times, the one first in PATH should be used.
|
|
if [ -n "${PATH}" ]; then
|
|
PATH_REVERSED=$(echo "${PATH}" | sed 's/ /!!space!!/g' | awk -F: '{ for (i=NF; i>1; i--) printf("%s ",$i); print $1; }')
|
|
BIN_PATHS=$(echo "${PATH_REVERSED}" | tr ':' ' ')
|
|
fi
|
|
|
|
# First test available locations that may be suspicious or dangerous
|
|
for SCANDIR in ${BIN_PATHS}; do
|
|
FOUND=0
|
|
if [ "${SCANDIR}" = "." ]; then FOUND=1; MSG="Found single dot (.) in PATH"
|
|
elif [ "${SCANDIR}" = ".." ]; then FOUND=1; MSG="Found double dot (..) in PATH"
|
|
elif echo "${SCANDIR}" | grep '^\.\.' > /dev/null; then FOUND=1; MSG="Found path starting with double dot (..) in PATH"
|
|
elif echo "${SCANDIR}" | grep '^[a-zA-Z]' > /dev/null; then FOUND=1; MSG="Found relative path in PATH"
|
|
fi
|
|
if [ ${FOUND} -eq 1 ]; then
|
|
# Stop execution if privileged, otherwise continue but warn user
|
|
if [ ${PRIVILEGED} -eq 1 ]; then
|
|
ExitFatal "Suspicious location (${SCANDIR}) in PATH discovered. Quitting..."
|
|
else
|
|
Display --indent 4 --text "Warning: suspicious location (${SCANDIR}) in PATH"
|
|
ReportWarning "${TEST_NO}" "Suspicious location in PATH discovered" "text:${MSG}"
|
|
sleep 1
|
|
fi
|
|
fi
|
|
done
|
|
|
|
NSUID_BINARIES=0
|
|
NSGID_BINARIES=0
|
|
SUID_BINARIES=
|
|
SGID_BINARIES=
|
|
# Now perform binary detection
|
|
for SCANDIR in ${BIN_PATHS}; do
|
|
SCANDIR=$(echo "${SCANDIR}" | sed 's/!!space!!/ /g')
|
|
LogText "Test: Checking binaries in directory ${SCANDIR}"
|
|
ORGPATH=""
|
|
if [ -d "${SCANDIR}" ]; then
|
|
SKIPDIR=0
|
|
if [ -L "${SCANDIR}" ]; then
|
|
LogText "Result: directory exists, but is actually a symlink"
|
|
ShowSymlinkPath ${SCANDIR}
|
|
if [ ${FOUNDPATH} -eq 1 ]; then
|
|
if [ -n "${SYMLINK}" -a -d ${SYMLINK} ]; then
|
|
# Set path to new location
|
|
LogText "Result: found the path behind this symlink (${SCANDIR} --> ${sFILE})"
|
|
ORGPATH="${SCANDIR}"
|
|
SCANDIR="${sFILE}"
|
|
else
|
|
SKIPDIR=1; LogText "Result: Symlink variable empty, or directory to symlink is non-existing"
|
|
fi
|
|
else
|
|
SKIPDIR=1; LogText "Result: Could not find the location of this symlink, or is not a directory"
|
|
fi
|
|
fi
|
|
|
|
# Add a space to make sure we discover a related directory if it was already scanned
|
|
# The grep -v is to prevent a match /usr/bin in something like /usr/bin/core_perl
|
|
FIND=$(echo ${BINARY_PATHS_FOUND} | grep ", ${SCANDIR}" | grep -v ", ${SCANDIR}/")
|
|
if [ -n "${FIND}" ]; then
|
|
SKIPDIR=1; LogText "Result: Skipping this directory as it was already scanned"
|
|
fi
|
|
|
|
if [ ${SKIPDIR} -eq 0 ]; then
|
|
BINARY_PATHS_FOUND="${BINARY_PATHS_FOUND}, ${SCANDIR}"
|
|
LogText "Directory ${SCANDIR} exists. Starting directory scanning..."
|
|
|
|
# Show the contents of the directory with binaries, ignore directories
|
|
FIND=$(ls -p "${SCANDIR}" | grep -v '/$')
|
|
for FILENAME in ${FIND}; do
|
|
COUNT=$((COUNT + 1))
|
|
BINARY="${SCANDIR}/${FILENAME}"
|
|
DISCOVERED_BINARIES="${DISCOVERED_BINARIES}${BINARY} "
|
|
if [ -u ${BINARY} ]; then
|
|
NSUID_BINARIES=$((NSUID_BINARIES + 1))
|
|
SUID_BINARIES="${SUID_BINARIES}${BINARY} "
|
|
fi
|
|
if [ -g ${BINARY} ]; then
|
|
NSGID_BINARIES=$((NSGID_BINARIES + 1))
|
|
SGID_BINARIES="${SGID_BINARIES}${BINARY} "
|
|
fi
|
|
# Optimized, much quicker (limited file access needed)
|
|
case ${FILENAME} in
|
|
aa-status) AASTATUSBINARY=${BINARY}; LogText " Found known binary: aa-status (apparmor component) - ${BINARY}" ;;
|
|
afick.pl) AFICKBINARY=${BINARY}; LogText " Found known binary: afick (file integrity checker) - ${BINARY}" ;;
|
|
aide) AIDEBINARY=${BINARY}; LogText " Found known binary: aide (file integrity checker) - ${BINARY}" ;;
|
|
apache2) HTTPDBINARY=${BINARY}; LogText " Found known binary: apache2 (web server) - ${BINARY}" ;;
|
|
apt) APTBINARY=${BINARY}; LogText " Found known binary: apt (package manager) - ${BINARY}" ;;
|
|
arch-audit) ARCH_AUDIT_BINARY="${BINARY}"; LogText " Found known binary: arch-audit (auditing utility to test for vulnerable packages) - ${BINARY}" ;;
|
|
auditd) AUDITDBINARY=${BINARY}; LogText " Found known binary: auditd (audit framework) - ${BINARY}" ;;
|
|
awk) AWKBINARY=${BINARY}; LogText " Found known binary: awk (string tool) - ${BINARY}" ;;
|
|
as) ASBINARY="${BINARY}"; COMPILER_INSTALLED=1; LogText " Found known binary: as (compiler) - ${BINARY}" ;;
|
|
auditctl) AUDITCTLBINARY="${BINARY}"; LogText " Found known binary: auditctl (control utility for audit daemon) - ${BINARY}" ;;
|
|
autolog) AUTOLOGBINARY="${BINARY}"; IDLE_SESSION_KILLER_INSTALLED=1; LogText " Found known binary: autolog (idle session killer) - ${BINARY}" ;;
|
|
base64) BASE64BINARY="${BINARY}"; LogText " Found known binary: base64 (encoding tool) - ${BINARY}" ;;
|
|
blkid) BLKIDBINARY="${BINARY}"; LogText " Found known binary: blkid (information about block devices) - ${BINARY}" ;;
|
|
bootctl) BOOTCTLBINARY="${BINARY}"; LogText " Found known binary: bootctl (systemd-boot manager utility) - ${BINARY}" ;;
|
|
bro) BROBINARY="${BINARY}"; LogText " Found known binary: bro (IDS) - ${BINARY}" ;;
|
|
cat) CAT_BINARY="${BINARY}"; LogText " Found known binary: cat (generic file handling) - ${BINARY}" ;;
|
|
cc) CCBINARY="${BINARY}"; COMPILER_INSTALLED=1; LogText " Found known binary: cc (compiler) - ${BINARY}" ;;
|
|
chkconfig) CHKCONFIGBINARY=${BINARY}; LogText " Found known binary: chkconfig (administration tool) - ${BINARY}" ;;
|
|
clamconf) CLAMCONF_BINARY=${BINARY}; LogText " Found known binary: clamconf (information about ClamAV) - ${BINARY}" ;;
|
|
clamscan) CLAMSCANBINARY=${BINARY}; LogText " Found known binary: clamscan (AV scanner) - ${BINARY}" ;;
|
|
clang) CLANGBINARY=${BINARY}; COMPILER_INSTALLED=1; LogText " Found known binary: clang (compiler) - ${BINARY}" ;;
|
|
cfagent) CFAGENTBINARY="${BINARY}"; FILE_INT_TOOL_FOUND=1; LogText " Found known binary: cfengine agent (configuration tool) - ${BINARY}" ;;
|
|
chkrootkit) CHKROOTKITBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: chkrootkit (malware scanner) - ${BINARY}" ;;
|
|
comm) COMMBINARY="${BINARY}"; LogText " Found known binary: comm (file compare) - ${BINARY}" ;;
|
|
cryptsetup) CRYPTSETUPBINARY="${BINARY}"; LogText " Found known binary: cryptsetup (block device encryption) - ${BINARY}" ;;
|
|
csum) CSUMBINARY="${BINARY}"; LogText " Found known binary: csum (hashing tool on AIX) - ${BINARY}" ;;
|
|
curl) CURLBINARY="${BINARY}"; CURLVERSION=$(${BINARY} --version | grep "^curl" | awk '{ if ($1=="curl") { print $2 }}'); LogText " Found known binary: curl (browser, download utility) - ${BINARY}" ;;
|
|
cut) CUTBINARY="${BINARY}"; LogText " Found known binary: cut (text stream editor) - ${BINARY}" ;;
|
|
debsecan) DEBSECANBINARY="${BINARY}"; LogText " Found known binary: debsecan (package vulnerability checking) - ${BINARY}" ;;
|
|
debsums) DEBSUMSBINARY="${BINARY}"; LogText " Found known binary: debsums (package integrity checking) - ${BINARY}" ;;
|
|
dig) DIGBINARY=${BINARY}; LogText " Found known binary: dig (network/dns tool) - ${BINARY}" ;;
|
|
dmidecode) DMIDECODEBINARY=${BINARY}; LogText " Found known binary: dmidecode (hardware collector tool) - ${BINARY}" ;;
|
|
dnf) DNFBINARY="${BINARY}"; LogText " Found known binary: dnf (package manager) - ${BINARY}" ;;
|
|
dnsdomainname) DNSDOMAINNAMEBINARY="${BINARY}"; LogText " Found known binary: dnsdomainname (DNS domain) - ${BINARY}" ;;
|
|
docker) DOCKERBINARY="${BINARY}"; LogText " Found known binary: docker (container technology) - ${BINARY}" ;;
|
|
domainname) DOMAINNAMEBINARY="${BINARY}"; LogText " Found known binary: domainname (NIS domain) - ${BINARY}" ;;
|
|
dpkg) DPKGBINARY="${BINARY}"; LogText " Found known binary: dpkg (package management) - ${BINARY}" ;;
|
|
xbps-query) XBPSBINARY="${BINARY}"; LogText " Found known binary: xbps (package management) - ${BINARY}" ;;
|
|
egrep) EGREPBINARY=${BINARY}; LogText " Found known binary: egrep (text search) - ${BINARY}" ;;
|
|
equery) EQUERYBINARY="${BINARY}"; LogText " Found known binary: query (package manager) - ${BINARY}" ;;
|
|
evmctl) EVMCTLBINARY=${BINARY}; LogText " Found known binary: evmctl (IMA/EVM tool) - ${BINARY}" ;;
|
|
exim) EXIMBINARY="${BINARY}"; EXIMVERSION=$(${BINARY} -bV | grep 'Exim version' | awk '{ print $3 }' | xargs); LogText " Found known binary ${BINARY} (version ${EXIMVERSION})" ;;
|
|
fail2ban-server) FAIL2BANBINARY="${BINARY}"; LogText " Found known binary: fail2ban (IPS tool) - ${BINARY}" ;;
|
|
file) FILEBINARY="${BINARY}"; LogText " Found known binary: file (file type detection) - ${BINARY}" ;;
|
|
find) FINDBINARY="${BINARY}"; LogText " Found known binary: find (search tool) - ${BINARY}" ;;
|
|
g++) GPLUSPLUSBINARY="${BINARY}"; COMPILER_INSTALLED=1; LogText " Found known binary: g++ (compiler) - ${BINARY}" ;;
|
|
gcc) GCCBINARY="${BINARY}"; COMPILER_INSTALLED=1; LogText " Found known binary: gcc (compiler) - ${BINARY}" ;;
|
|
getcap) GETCAPBINARY="${BINARY}"; LogText " Found known binary: getcap (kernel capabilities) - ${BINARY}" ;;
|
|
getent) GETENT_BINARY="${BINARY}"; LogText " Found known binary: getent (query tool for name service switch libraries) - ${BINARY}" ;;
|
|
gradm) GRADMBINARY=${BINARY}; LogText " Found known binary: gradm (Grsecurity Administration Utility) - ${BINARY}" ;;
|
|
grep) GREPBINARY=${BINARY}; LogText " Found known binary: grep (text search) - ${BINARY}" ;;
|
|
grpck) GRPCKBINARY="${BINARY}"; LogText " Found known binary: grpck (consistency checker) - ${BINARY}" ;;
|
|
grub2-install) GRUB2INSTALLBINARY=${BINARY}; LogText " Found known binary: grub2-install (installer for boot loader) - ${BINARY}" ;;
|
|
gzip) GZIPBINARY="${BINARY}"; LogText " Found known binary: gzip (compressing utility) - ${BINARY}" ;;
|
|
head) HEADBINARY="${BINARY}"; LogText " Found known binary: head (text filter) - ${BINARY}" ;;
|
|
httpd) HTTPDBINARY="${BINARY}"; LogText " Found known binary: httpd (web server) - ${BINARY}" ;;
|
|
httpd2-prefork) HTTPDBINARY=${BINARY}; LogText " Found known binary: apache2 (web server) - ${BINARY}" ;;
|
|
initctl) INITCTLBINARY=${BINARY}; SERVICE_MANAGER="upstart"; LogText " Found known binary: initctl (client to upstart init) - ${BINARY}" ;;
|
|
ifconfig) IFCONFIGBINARY="${BINARY}"; LogText " Found known binary: ipconfig (IP configuration) - ${BINARY}" ;;
|
|
integritysetup) INTEGRITYSETUPBINARY="${BINARY}"; LogText " Found known binary: integritysetup (dm-integrity setup tool) - ${BINARY}" ;;
|
|
ip) IPBINARY="${BINARY}"; LogText " Found known binary: ip (IP configuration) - ${BINARY}" ;;
|
|
ipf) IPFBINARY="${BINARY}"; LogText " Found known binary: ipf (firewall) - ${BINARY}" ;;
|
|
iptables) IPTABLESBINARY="${BINARY}"; LogText " Found known binary: iptables (firewall) - ${BINARY}" ;;
|
|
iptables-save) IPTABLESSAVEBINARY="${BINARY}"; LogText " Found known binary: iptables-save (firewall) - ${BINARY}" ;;
|
|
istat) ISTATBINARY="${BINARY}"; LogText " Found known binary: istat (file information) - ${BINARY}" ;;
|
|
journalctl) JOURNALCTLBINARY="${BINARY}"; LogText " Found known binary: journalctl (systemd journal) - ${BINARY}" ;;
|
|
kldstat) KLDSTATBINARY="${BINARY}"; LogText " Found known binary: kldstat (kernel modules) - ${BINARY}" ;;
|
|
kstat) KSTATBINARY="${BINARY}"; LogText " Found known binary: kstat (kernel statistics) - ${BINARY}" ;;
|
|
launchctl) LAUNCHCTL_BINARY="${BINARY}"; SERVICE_MANAGER="launchd"; LogText " Found known binary: launchctl (launchd client) - ${BINARY}" ;;
|
|
locate) LOCATEBINARY="${BINARY}"; LogText " Found known binary: locate (file database) - ${BINARY}" ;;
|
|
logrotate) LOGROTATEBINARY="${BINARY}"; LogText " Found known binary: logrotate (log rotation tool) - ${BINARY}" ;;
|
|
ls) LSBINARY="${BINARY}"; LogText " Found known binary: ls (file listing) - ${BINARY}" ;;
|
|
lsattr) LSATTRBINARY="${BINARY}"; LogText " Found known binary: lsattr (file attributes) - ${BINARY}" ;;
|
|
lsblk) LSBLKBINARY="${BINARY}"; LogText " Found known binary: lsblk (block devices) - ${BINARY}" ;;
|
|
lsmod) LSMODBINARY="${BINARY}"; LogText " Found known binary: lsmod (kernel modules) - ${BINARY}" ;;
|
|
lsof)
|
|
LSOFBINARY="${BINARY}"
|
|
LogText " Found known binary: lsof (open files) - ${BINARY}"
|
|
DATA=$(${LSOFBINARY} -h 2>&1 | grep "\-K \[i\] list\|\(i\)gn tasKs")
|
|
if [ $? -eq 0 ]; then
|
|
LogText "Note: added -K i to ignore tasks on Linux"
|
|
LSOF_EXTRA_OPTIONS=" -K i"
|
|
fi
|
|
;;
|
|
lsvg) LSVGBINARY=${BINARY}; LogText " Found known binary: lsvg (volume manager) - ${BINARY}" ;;
|
|
lvdisplay) LVDISPLAYBINARY="${BINARY}"; LogText " Found known binary: lvdisplay (LVM tool) - ${BINARY}" ;;
|
|
lynx) LYNXBINARY="${BINARY}"; LYNXVERSION=$(${BINARY} -version | grep "^Lynx Version" | cut -d ' ' -f3); LogText "Found known binary: lynx (browser) - ${BINARY} (version ${LYNXVERSION})" ;;
|
|
maldet) LMDBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: maldet (Linux Malware Detect, malware scanner) - ${BINARY}" ;;
|
|
md5) MD5BINARY="${BINARY}"; LogText " Found known binary: md5 (hash tool) - ${BINARY}" ;;
|
|
md5sum) MD5BINARY="${BINARY}"; LogText " Found known binary: md5sum (hash tool) - ${BINARY}" ;;
|
|
modprobe) MODPROBEBINARY="${BINARY}"; LogText " Found known binary: modprobe (kernel modules) - ${BINARY}" ;;
|
|
mount) MOUNTBINARY="${BINARY}"; LogText " Found known binary: mount (disk utility) - ${BINARY}" ;;
|
|
mtree) MTREEBINARY="${BINARY}"; LogText " Found known binary: mtree (mapping directory tree) - ${BINARY}" ;;
|
|
mysql) MYSQLCLIENTBINARY="${BINARY}"; MYSQLCLIENTVERSION=$(${BINARY} -V | awk '{ if ($4=="Distrib") { print $5 }}' | sed 's/,//g') ; LogText "Found ${BINARY} (version: ${MYSQLCLIENTVERSION})" ;;
|
|
named-checkconf) NAMEDCHECKCONFBINARY="${BINARY}"; LogText " Found known binary: named-checkconf (BIND configuration analyzer) - ${BINARY}" ;;
|
|
netstat) NETSTATBINARY="${BINARY}"; LogText " Found known binary: netstat (network statistics) - ${BINARY}" ;;
|
|
nft) NFTBINARY="${BINARY}"; LogText " Found known binary: nft (nftables client) - ${BINARY}" ;;
|
|
nmap) NMAPBINARY="${BINARY}"; NMAPVERSION=$(${BINARY} -V | grep "^Nmap version" | awk '{ print $3 }'); LogText "Found ${BINARY} (version ${NMAPVERSION})" ;;
|
|
ntpctl) NTPCTLBINARY="${BINARY}"; LogText " Found known binary: ntpctl (openntpd client) - ${BINARY}" ;;
|
|
ntpq) NTPQBINARY="${BINARY}"; LogText " Found known binary ntpq (time daemon client) - ${BINARY}" ;;
|
|
osiris) OSIRISBINARY="${BINARY}"; LogText " Found known binary: osiris - ${BINARY}" ;;
|
|
openssl) OPENSSLBINARY="${BINARY}"; OPENSSLVERSION=$(${BINARY} version 2> /dev/null | head -n 1 | awk '{ print $2 }' | xargs); LogText "Found ${BINARY} (version ${OPENSSLVERSION})" ;;
|
|
pacman)
|
|
if [ -z "$(echo "${BINARY}" | grep -E "/usr(/local)?/games")" ]; then
|
|
PACMANBINARY="${BINARY}"
|
|
LogText " Found known binary: pacman (package manager) - ${BINARY}"
|
|
fi
|
|
;;
|
|
perl) PERLBINARY="${BINARY}"; PERLVERSION=$(${BINARY} -V:version | sed 's/^version=//' | sed 's/;//' | xargs); LogText "Found ${BINARY} (version ${PERLVERSION})" ;;
|
|
pgrep) PGREPBINARY="${BINARY}"; LogText " Found known binary: pgrep (search in process list) - ${BINARY}" ;;
|
|
php) PHPBINARY="${BINARY}"; PHPVERSION=$(${BINARY} -v | awk '{ if ($1=="PHP") { print $2 }}' | head -1); LogText "Found known binary: php (programming language interpreter) - ${BINARY} (version ${PHPVERSION})" ;;
|
|
pkg) PKG_BINARY="${BINARY}"; LogText " Found known binary: pkg (software package administration) - ${BINARY}" ;;
|
|
pkg_admin) PKGADMINBINARY="${BINARY}"; LogText " Found known binary: pkg_admin (software package administration) - ${BINARY}" ;;
|
|
pkg_info) PKGINFOBINARY="${BINARY}"; LogText " Found known binary: pkg_info (software package information) - ${BINARY}" ;;
|
|
postconf) POSTCONFBINARY="${BINARY}"; LogText " Found known binary: postconf (postfix configuration) - ${BINARY}" ;;
|
|
postfix) POSTFIXBINARY="${BINARY}"; LogText " Found known binary: postfix (postfix binary) - ${BINARY}" ;;
|
|
prelink) PRELINKBINARY="${BINARY}"; LogText " Found known binary: prelink (system optimizer) - ${BINARY}" ;;
|
|
pfctl) PFCTLBINARY="${BINARY}"; LogText " Found known binary: pfctl (client to pf firewall) - ${BINARY}" ;;
|
|
ps) PSBINARY="${BINARY}"; LogText " Found known binary: ps (process listing) - ${BINARY}" ;;
|
|
puppet) PUPPETBINARY="${BINARY}"; LogText " Found known binary: puppet (automation tooling) - ${BINARY}" ;;
|
|
puppetmasterd) PUPPETMASTERDBINARY="${BINARY}"; LogText " Found known binary: puppetmasterd (puppet master daemon) - ${BINARY}" ;;
|
|
python) PYTHONBINARY="${BINARY}"; PYTHONVERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${FILENAME} (programming language interpreter) - ${BINARY} (version ${PYTHONVERSION})" ;;
|
|
python2) PYTHON2BINARY="${BINARY}"; PYTHON2VERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${FILENAME} (programming language interpreter) - ${BINARY} (version ${PYTHON2VERSION})" ;;
|
|
python3) PYTHON3BINARY="${BINARY}"; PYTHON3VERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${FILENAME} (programming language interpreter) - ${BINARY} (version ${PYTHON3VERSION})" ;;
|
|
rcctl) RCCTLBINARY="${BINARY}"; LogText " Found known binary: rcctl (services and daemons configuration and control) - ${BINARY}" ;;
|
|
readlink) READLINKBINARY="${BINARY}"; LogText " Found known binary: readlink (follows symlinks) - ${BINARY}" ;;
|
|
resolvectl) RESOLVECTLBINARY="${BINARY}"; LogText " Found known binary: resolvectl (systemd-resolved DNS resolver manager) - ${BINARY}" ;;
|
|
rkhunter) RKHUNTERBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: rkhunter (malware scanner) - ${BINARY}" ;;
|
|
rootsh) ROOTSHBINARY="${BINARY}"; LogText " Found known binary: rootsh (wrapper for shells) - ${BINARY}" ;;
|
|
rpcinfo) RPCINFOBINARY="${BINARY}"; LogText " Found known binary: rpcinfo (RPC information) - ${BINARY}" ;;
|
|
rpm) RPMBINARY="${BINARY}"; LogText " Found known binary: rpm (package manager) - ${BINARY}" ;;
|
|
runlevel) RUNLEVELBINARY="${BINARY}"; LogText " Found known binary: runlevel (system utility) - ${BINARY}" ;;
|
|
salt-master) SALTMASTERBINARY="${BINARY}"; LogText " Found known binary: salt-master (SaltStack master) - ${BINARY}" ;;
|
|
salt-minion) SALTMINIONBINARY="${BINARY}"; LogText " Found known binary: salt-minion (SaltStack client) - ${BINARY}" ;;
|
|
samhain) SAMHAINBINARY="${BINARY}"; LogText " Found known binary: samhain (integrity tool) - ${BINARY}" ;;
|
|
service) SERVICEBINARY="${BINARY}"; LogText " Found known binary: service (system services) - ${BINARY}" ;;
|
|
sed) SEDBINARY="${BINARY}"; LogText " Found known binary: sed (text stream editor) - ${BINARY}" ;;
|
|
semanage) SEMANAGEBINARY="${BINARY}"; LogText " Found known binary: semanage (SELinux policy management tool) - ${BINARY}" ;;
|
|
sestatus) SESTATUSBINARY="${BINARY}"; LogText " Found known binary: sestatus (SELinux status tool) - ${BINARY}" ;;
|
|
slocate) LOCATEBINARY="${BINARY}"; LogText " Found known binary: slocate (file database) - ${BINARY}" ;;
|
|
smbd) SMBDBINARY="${BINARY}"; if [ "${OS}" = "macOS" ]; then SMBDVERSION="unknown"; else SMBDVERSION=$(${BINARY} -V | grep "^Version" | awk '{ print $2 }'); fi; LogText "Found ${BINARY} (version ${SMBDVERSION})" ;;
|
|
smtpctl) SMTPCTLBINARY="${BINARY}"; LogText " Found known binary: smtpctl (OpenSMTPD client) - ${BINARY}" ;;
|
|
showmount) SHOWMOUNTBINARY="${BINARY}"; LogText " Found known binary: showmount (NFS mounts) - ${BINARY}" ;;
|
|
snort) SNORTBINARY="${BINARY}"; LogText " Found known binary: snort (IDS) - ${BINARY}" ;;
|
|
sockstat) SOCKSTATBINARY="${BINARY}"; LogText " Found known binary: sockstat (open network sockets) - ${BINARY}" ;;
|
|
sort) SORTBINARY="${BINARY}"; LogText " Found known binary: sort (sort data streams) - ${BINARY}" ;;
|
|
squid) SQUIDBINARY="${BINARY}"; LogText " Found known binary: squid (proxy) - ${BINARY}" ;;
|
|
ss) SSBINARY="${BINARY}"; LogText " Found known binary: ss (show sockets) - ${BINARY}" ;;
|
|
sshd) SSHDBINARY="${BINARY}"; SSHDVERSION=$(${BINARY} -t -d 2>&1 | grep 'sshd version' | awk '{ print $4 }' | cut -d '_' -f2 | tr -d ',' | tr -d '\r'); LogText "Found ${BINARY} (version ${SSHDVERSION})" ;;
|
|
stat) STATBINARY="${BINARY}"; LogText " Found known binary: stat (file information) - ${BINARY}" ;;
|
|
strings) STRINGSBINARY="${BINARY}"; LogText " Found known binary: strings (text strings search) - ${BINARY}" ;;
|
|
sha1|sha1sum|shasum) SHA1SUMBINARY="${BINARY}"; LogText " Found known binary: sha1/sha1sum/shasum (crypto hashing) - ${BINARY}" ;;
|
|
sha256|sha256sum) SHA256SUMBINARY="${BINARY}"; LogText " Found known binary: sha256/sha256sum (crypto hashing) - ${BINARY}" ;;
|
|
ssh-keyscan) SSHKEYSCANBINARY="${BINARY}"; LogText " Found known binary: ssh-keyscan (scanner for SSH keys) - ${BINARY}" ;;
|
|
suricata) SURICATABINARY="${BINARY}"; LogText " Found known binary: suricata (IDS) - ${BINARY}" ;;
|
|
swapon) SWAPONBINARY="${BINARY}"; LogText " Found known binary: swapon (swap device tool) - ${BINARY}" ;;
|
|
swupd) SWUPDBINARY="${BINARY}"; LogText " Found known binary: swupd (package manager) - ${BINARY}" ;;
|
|
sysctl) SYSCTLBINARY="${BINARY}"; LogText " Found known binary: sysctl (kernel parameters) - ${BINARY}" ;;
|
|
syslog-ng) SYSLOGNGBINARY="${BINARY}"; SYSLOGNGVERSION=$(${BINARY} -V 2>&1 | grep "^syslog-ng" | awk '{ print $2 }'); LogText "Found ${BINARY} (version ${SYSLOGNGVERSION})" ;;
|
|
systemctl) SYSTEMCTLBINARY="${BINARY}"; LogText " Found known binary: systemctl (client to systemd) - ${BINARY}" ;;
|
|
systemd-analyze) SYSTEMDANALYZEBINARY="${BINARY}"; LogText " Found known binary: systemd-analyze (systemd service analysis tool) - ${BINARY}" ;;
|
|
tail) TAILBINARY="${BINARY}"; LogText " Found known binary: tail (text filter) - ${BINARY}" ;;
|
|
timedatectl) TIMEDATECTL="${BINARY}"; LogText " Found known binary: timedatectl (timedate client) - ${BINARY}" ;;
|
|
tomoyo-init) TOMOYOINITBINARY=${BINARY}; LogText " Found known binary: tomoyo-init (tomoyo component) - ${BINARY}" ;;
|
|
tomoyo-pstree) TOMOYOPSTREEBINARY=${BINARY}; LogText " Found known binary: tomoyo-pstree (tomoyo process tree) - ${BINARY}" ;;
|
|
tr) TRBINARY="${BINARY}"; LogText " Found known binary: tr (text transformation) - ${BINARY}" ;;
|
|
tripwire) TRIPWIREBINARY="${BINARY}"; LogText " Found known binary: tripwire (file integrity) - ${BINARY}" ;;
|
|
tune2fs) TUNE2FSBINARY="${BINARY}"; LogText " Found known binary: tune2fs (file system tool) - ${BINARY}" ;;
|
|
uname) UNAMEBINARY="${BINARY}"; LogText " Found known binary: uname (operating system details) - ${BINARY}" ;;
|
|
uniq) UNIQBINARY="${BINARY}"; LogText " Found known binary: uniq (text manipulation utility) - ${BINARY}";;
|
|
usbguard) USBGUARDBINARY="${BINARY}"; LogText " Found known binary: usbguard (USB security tool) - ${BINARY}" ;;
|
|
veritysetup) VERITYSETUPBINARY="${BINARY}"; LogText " Found known binary: veritysetup (dm-verity setup tool) - ${BINARY}" ;;
|
|
vgdisplay) VGDISPLAYBINARY="${BINARY}"; LogText " Found known binary: vgdisplay (LVM tool) - ${BINARY}" ;;
|
|
vmtoolsd) VMWARETOOLSDBINARY="${BINARY}"; LogText " Found known binary: vmtoolsd (VMWare tools) - ${BINARY}" ;;
|
|
wc) WCBINARY="${BINARY}"; LogText " Found known binary: wc (word count) - ${BINARY}" ;;
|
|
wget) WGETBINARY="${BINARY}"; WGETVERSION=$(${BINARY} -V 2> /dev/null | grep "^GNU Wget" | awk '{ print $3 }'); LogText "Found ${BINARY} (version ${WGETVERSION})" ;;
|
|
yum) YUMBINARY="${BINARY}"; LogText " Found known binary: yum (package manager) - ${BINARY}" ;;
|
|
xargs) XARGSBINARY="${BINARY}"; LogText " Found known binary: xargs (command output redirection) - ${BINARY}" ;;
|
|
zgrep) ZGREPBINARY=${BINARY}; LogText " Found known binary: zgrep (text search for compressed files) - ${BINARY}" ;;
|
|
zypper) ZYPPERBINARY="${BINARY}"; LogText " Found known binary: zypper (package manager) - ${BINARY}" ;;
|
|
esac
|
|
done
|
|
else
|
|
LogText "Result: Directory ${SCANDIR} skipped"
|
|
if [ -n "${ORGPATH}" ]; then TEXT="${ORGPATH} (links to ${SCANDIR})"; else TEXT="${SCANDIR}"; fi
|
|
fi
|
|
else
|
|
LogText "Result: Directory ${SCANDIR} does NOT exist"
|
|
fi
|
|
done
|
|
|
|
# unset SORTED_BIN_PATHS
|
|
BINARY_SCAN_FINISHED=1
|
|
BINARY_PATHS_FOUND=$(echo ${BINARY_PATHS_FOUND} | sed 's/^, //g' | sed 's/, /,/g')
|
|
LogText "Discovered directories: ${BINARY_PATHS_FOUND}"
|
|
LogText "Result: found ${COUNT} binaries including ${NSUID_BINARIES} set-uid and ${NSGID_BINARIES} set-gid"
|
|
LogText "Result: set-uid binaries: ${SUID_BINARIES}"
|
|
LogText "Result: set-gid binaries: ${SGID_BINARIES}"
|
|
Report "binaries_count=${COUNT}"
|
|
Report "binaries_suid_count=${SUID_BINARIES}"
|
|
Report "binaries_sgid_count=${SGID_BINARIES}"
|
|
Report "binary_paths=${BINARY_PATHS_FOUND}"
|
|
|
|
# Test if the basic system tools are defined. These will be used during the audit.
|
|
[ "${AWKBINARY:-}" ] || ExitFatal "awk binary not found"
|
|
[ "${CAT_BINARY:-}" ] || ExitFatal "cat binary not found"
|
|
[ "${CUTBINARY:-}" ] || ExitFatal "cut binary not found"
|
|
[ "${EGREPBINARY:-}" ] || ExitFatal "grep binary not found"
|
|
[ "${FINDBINARY:-}" ] || ExitFatal "find binary not found"
|
|
[ "${GREPBINARY:-}" ] || ExitFatal "grep binary not found"
|
|
[ "${HEADBINARY:-}" ] || ExitFatal "head binary not found"
|
|
[ "${TAILBINARY:-}" ] || ExitFatal "tail binary not found"
|
|
[ "${LSBINARY:-}" ] || ExitFatal "ls binary not found"
|
|
[ "${PSBINARY:-}" ] || ExitFatal "ps binary not found"
|
|
[ "${SEDBINARY:-}" ] || ExitFatal "sed binary not found"
|
|
[ "${SORTBINARY:-}" ] || ExitFatal "sort binary not found"
|
|
[ "${TRBINARY:-}" ] || ExitFatal "tr binary not found"
|
|
[ "${UNIQBINARY:-}" ] || ExitFatal "uniq binary not found"
|
|
[ "${WCBINARY:-}" ] || ExitFatal "wc binary not found"
|
|
|
|
# Test a few other tools that we did not specifically define (yet)
|
|
#TOOLS="xxd"
|
|
#for T in ${TOOLS}; do
|
|
# DATA=$(type ${T})
|
|
# if [ $? -gt 0 ]; then ExitFatal "${T} binary not found"; fi
|
|
#done
|
|
|
|
else
|
|
LogText "Result: checking of binaries skipped in this mode"
|
|
fi
|
|
|
|
|
|
#
|
|
#================================================================================
|
|
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
|