mirror of https://github.com/CISOfy/lynis.git
265 lines
12 KiB
Bash
265 lines
12 KiB
Bash
#!/bin/sh
|
|
|
|
#################################################################################
|
|
#
|
|
# Lynis
|
|
# ------------------
|
|
#
|
|
# Copyright 2007-2013, Michael Boelen
|
|
# Copyright 2007-2017, CISOfy
|
|
#
|
|
# Website : https://cisofy.com
|
|
# Blog : http://linux-audit.com
|
|
# GitHub : https://github.com/CISOfy/lynis
|
|
#
|
|
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
|
# welcome to redistribute it under the terms of the GNU General Public License.
|
|
# See LICENSE file for usage of this software.
|
|
#
|
|
#################################################################################
|
|
#
|
|
# E-mail and messaging
|
|
#
|
|
#################################################################################
|
|
#
|
|
InsertSection "Software: e-mail and messaging"
|
|
#
|
|
#################################################################################
|
|
#
|
|
DOVECOT_RUNNING=0
|
|
EXIM_RUNNING=0
|
|
IMAP_DAEMON=""
|
|
OPENSMTPD_RUNNING=0
|
|
POP3_DAEMON=""
|
|
POSTFIX_RUNNING=0
|
|
QMAIL_RUNNING=0
|
|
SENDMAIL_RUNNING=0
|
|
SMTP_DAEMON=""
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : MAIL-8802
|
|
# Description : Check Exim process status
|
|
Register --test-no MAIL-8802 --weight L --network NO --category security --description "Check Exim status"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
LogText "Test: check Exim status"
|
|
IsRunning exim
|
|
if [ ${RUNNING} -eq 1 ]; then
|
|
LogText "Result: found running Exim process"
|
|
Display --indent 2 --text "- Exim status" --result "${STATUS_RUNNING}" --color GREEN
|
|
EXIM_RUNNING=1
|
|
SMTP_DAEMON="exim"
|
|
Report "smtp_daemon[]=exim"
|
|
else
|
|
LogText "Result: no running Exim processes found"
|
|
if IsVerbose; then Display --indent 2 --text "- Exim status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : MAIL-8814
|
|
# Description : Check Postfix process
|
|
# Notes : qmgr and pickup run under postfix uid, without full path to binary
|
|
Register --test-no MAIL-8814 --weight L --network NO --category security --description "Check postfix process status"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
LogText "Test: check Postfix status"
|
|
# Some other processes also use master, therefore it should include both master and postfix
|
|
FIND1=$(${PSBINARY} ax | ${GREPBINARY} "master" | ${GREPBINARY} "postfix" | ${GREPBINARY} -v "grep")
|
|
if [ ! -z "${FIND1}" ]; then
|
|
LogText "Result: found running Postfix process"
|
|
Display --indent 2 --text "- Postfix status" --result "${STATUS_RUNNING}" --color GREEN
|
|
POSTFIX_RUNNING=1
|
|
SMTP_DAEMON="postfix"
|
|
Report "smtp_daemon[]=postfix"
|
|
else
|
|
LogText "Result: no running Postfix processes found"
|
|
if IsVerbose; then Display --indent 2 --text "- Postfix status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : MAIL-8816
|
|
# Description : Check Postfix configuration
|
|
if [ ${POSTFIX_RUNNING} -eq 1 -a ! "${POSTFIXBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
Register --test-no MAIL-8816 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Postfix configuration"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
Display --indent 4 --text "- Postfix configuration" --result "${STATUS_FOUND}" --color GREEN
|
|
POSTFIX_CONFIGDIR=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^config_directory' | ${AWKBINARY} '{ print $3 }')
|
|
POSTFIX_CONFIGFILE="${POSTFIX_CONFIGDIR}/main.cf"
|
|
LogText "Postfix configuration directory: ${POSTFIX_CONFIGDIR}"
|
|
LogText "Postfix configuration file: ${POSTFIX_CONFIGFILE}"
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : MAIL-8817
|
|
# Description : Check Postfix configuration for error
|
|
if [ ${POSTFIX_RUNNING} -eq 1 -a ! "${POSTFIXBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
Register --test-no MAIL-8817 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Postfix configuration errors"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
LogText "Test: using postconf to see if Postfix configuration has errors"
|
|
FIND=$(${POSTCONFBINARY} 2>&1 | ${GREPBINARY} "warning:")
|
|
if [ ! -z "${FIND}" ]; then
|
|
Report "postfix_config_error=1"
|
|
Display --indent 6 --text "- Postfix configuration errors" --result "${STATUS_WARNING}" --color RED
|
|
LogText "Result: found an error or warning in the Postfix configuration. Manual check suggested."
|
|
ReportSuggestion ${TEST_NO} "Found a configuration error in Postfix" "${POSTFIX_CONFIGFILE}" "text:run postconf > /dev/null"
|
|
else
|
|
LogText "Result: all looks to be fine with Postfix configuration"
|
|
if IsVerbose; then Display --indent 6 --text "- Postfix configuration errors" --result "${STATUS_OK}" --color GREEN; fi
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : MAIL-8818
|
|
# Description : Check Postfix configuration
|
|
if [ ${POSTFIX_RUNNING} -eq 1 -a ! "${POSTFIXBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
Register --test-no MAIL-8818 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Postfix configuration: banner"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
LogText "Test: Checking Postfix banner"
|
|
FIND1=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^smtpd_banner' | ${GREPBINARY} 'postfix')
|
|
FIND2=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^smtpd_banner' | ${GREPBINARY} '$mail_name')
|
|
FIND3=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^mail_name' | ${GREPBINARY} -i 'postfix')
|
|
FIND4=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^smtpd_banner' | ${GREPBINARY} -i "${OS}")
|
|
if [ ! -z "${LINUX_VERSION}" ]; then
|
|
FIND5=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^smtpd_banner' | ${GREPBINARY} -i "${LINUX_VERSION}")
|
|
fi
|
|
SHOWWARNING=0
|
|
|
|
if [ ! -z "${FIND1}" ]; then
|
|
SHOWWARNING=1
|
|
Report "banner_software_disclosure[]=${FIND1}"
|
|
elif [ ! -z "${FIND2}" -a ! -z "${FIND3}" ]; then
|
|
SHOWWARNING=1
|
|
Report "banner_software_disclosure[]=${FIND2}"
|
|
elif [ ! -z "${FIND4}" ]; then
|
|
SHOWWARNING=1
|
|
Report "banner_os_disclosure[]=${FIND4}"
|
|
elif [ ! -z "${FIND5}" ]; then
|
|
SHOWWARNING=1
|
|
Report "banner_os_disclosure[]=${FIND5}"
|
|
fi
|
|
|
|
if [ ${SHOWWARNING} -eq 1 ]; then
|
|
Display --indent 6 --text "- Postfix banner" --result "${STATUS_WARNING}" --color RED
|
|
LogText "Result: found OS, or mail_name in SMTP banner, and/or mail_name contains 'Postfix'."
|
|
ReportWarning ${TEST_NO} "Found some information disclosure in SMTP banner (OS or software name)"
|
|
ReportSuggestion ${TEST_NO} "You are advised to hide the mail_name (option: smtpd_banner) from your postfix configuration. Use postconf -e or change your main.cf file (${POSTFIX_CONFIGFILE})"
|
|
else
|
|
if IsVerbose; then Display --indent 6 --text "- Postfix banner" --result "${STATUS_OK}" --color GREEN; fi
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : MAIL-8820
|
|
Register --test-no MAIL-8820 --weight L --network NO --category security --description "Postfix configuration scan"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
if [ "$(postconf -h inet_interfaces 2> /dev/null)" = "all" ]; then
|
|
if ! SkipAtomicTest "${TEST_NO}:disable_vrfy_command"; then
|
|
if [ "$(postconf -h disable_vrfy_command 2> /dev/null)" = "no" ]; then
|
|
ReportSuggestion "${TEST_NO}:disable_vrfy_command" "Disable the 'VRFY' command" "disable_vrfy_command=no" "text:run postconf -e disable_vrfy_command=yes to change the value"
|
|
fi
|
|
fi
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : MAIL-8838
|
|
# Description : Check Dovecot process
|
|
Register --test-no MAIL-8838 --weight L --network NO --category security --description "Check dovecot process"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
LogText "Test: check dovecot status"
|
|
IsRunning dovecot
|
|
if [ ${RUNNING} -eq 1 ]; then
|
|
LogText "Result: found running dovecot process"
|
|
Display --indent 2 --text "- Dovecot status" --result "${STATUS_RUNNING}" --color GREEN
|
|
DOVECOT_RUNNING=1
|
|
IMAP_DAEMON="dovecot"
|
|
POP3_DAEMON="dovecot"
|
|
Report "pop3_daemon[]=dovecot"
|
|
Report "imap_daemon[]=dovecot"
|
|
else
|
|
LogText "Result: dovecot not found"
|
|
if IsVerbose; then Display --indent 2 --text "- Dovecot status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : MAIL-8860
|
|
# Description : Check Qmail process status
|
|
Register --test-no MAIL-8860 --weight L --network NO --category security --description "Check Qmail status"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
LogText "Test: check Qmail status"
|
|
IsRunning qmail-smtpd
|
|
if [ ${RUNNING} -eq 1 ]; then
|
|
LogText "Result: found running Qmail process"
|
|
Display --indent 2 --text "- Qmail status" --result "${STATUS_RUNNING}" --color GREEN
|
|
QMAIL_RUNNING=1
|
|
SMTP_DAEMON="qmail"
|
|
Report "smtp_daemon[]=qmail"
|
|
else
|
|
LogText "Result: no running Qmail processes found"
|
|
if IsVerbose; then Display --indent 2 --text "- Qmail status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : MAIL-8880
|
|
# Description : Check Sendmail process status
|
|
Register --test-no MAIL-8880 --weight L --network NO --category security --description "Check Sendmail status"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
LogText "Test: check sendmail status"
|
|
IsRunning sendmail
|
|
if [ ${RUNNING} -eq 1 ]; then
|
|
LogText "Result: found running Sendmail process"
|
|
Display --indent 2 --text "- Sendmail status" --result "${STATUS_RUNNING}" --color GREEN
|
|
SENDMAIL_RUNNING=1
|
|
SMTP_DAEMON="sendmail"
|
|
Report "smtp_daemon[]=sendmail"
|
|
else
|
|
LogText "Result: no running Sendmail processes found"
|
|
if IsVerbose; then Display --indent 2 --text "- Sendmail status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : MAIL-8920
|
|
# Description : Check OpenSMTPD process status
|
|
if [ ! -z "${SMTPCTLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
Register --test-no MAIL-8920 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check OpenSMTPD status"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
LogText "Test: check smtpd status"
|
|
FIND=$(${PSBINARY} ax | ${EGREPBINARY} "(/smtpd|smtpd: \[priv\]|smtpd: smtp)" | ${GREPBINARY} -v "grep")
|
|
if [ ! "${FIND}" = "" ]; then
|
|
LogText "Result: found running smtpd process"
|
|
Display --indent 2 --text "- OpenSMTPD status" --result "${STATUS_RUNNING}" --color GREEN
|
|
OPENSMTPD_RUNNING=1
|
|
Report "smtp_daemon[]=opensmtpd"
|
|
else
|
|
LogText "Result: smtpd not found"
|
|
if IsVerbose; then Display --indent 2 --text "- OpenSMTPD status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
|
|
Report "imap_daemon=${IMAP_DAEMON}"
|
|
Report "pop3_daemon=${POP3_DAEMON}"
|
|
Report "smtp_daemon=${SMTP_DAEMON}"
|
|
|
|
|
|
WaitForKeyPress
|
|
|
|
#
|
|
#================================================================================
|
|
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
|