mirror of https://github.com/CISOfy/lynis.git
252 lines
9.7 KiB
Bash
252 lines
9.7 KiB
Bash
#!/bin/sh
|
|
|
|
#################################################################################
|
|
#
|
|
# Lynis
|
|
# ------------------
|
|
#
|
|
# Copyright 2007-2013, Michael Boelen
|
|
# Copyright 2013-2016, CISOfy
|
|
#
|
|
# Website : https://cisofy.com
|
|
# Blog : http://linux-audit.com
|
|
# GitHub : https://github.com/CISOfy/lynis
|
|
#
|
|
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
|
# welcome to redistribute it under the terms of the GNU General Public License.
|
|
# See LICENSE file for usage of this software.
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Malware scanners
|
|
#
|
|
#################################################################################
|
|
#
|
|
InsertSection "Software: Malware scanners"
|
|
#
|
|
#################################################################################
|
|
#
|
|
CLAMD_RUNNING=0
|
|
CLAMSCAN_INSTALLED=0
|
|
ESET_DAEMON_RUNNING=0
|
|
FRESHCLAM_DAEMON_RUNNING=0
|
|
MCAFEE_SCANNER_RUNNING=0
|
|
MALWARE_SCANNER_INSTALLED=0
|
|
SOPHOS_SCANNER_RUNNING=0
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : MALW-3275
|
|
# Description : Check for installed tool (chkrootkit)
|
|
Register --test-no MALW-3275 --weight L --network NO --description "Check for chkrootkit"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
LogText "Test: checking presence chkrootkit"
|
|
if [ ! "${CHKROOTKITBINARY}" = "" ]; then
|
|
Display --indent 2 --text "- Checking chkrootkit" --result "FOUND" --color GREEN
|
|
LogText "Result: Found ${CHKROOTKITBINARY}"
|
|
MALWARE_SCANNER_INSTALLED=1
|
|
AddHP 2 2
|
|
Report "malware_scanner[]=chkrootkit"
|
|
else
|
|
LogText "Result: chkrootkit not found"
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : MALW-3276
|
|
# Description : Check for installed tool (Rootkit Hunter)
|
|
Register --test-no MALW-3276 --weight L --network NO --description "Check for Rootkit Hunter"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
LogText "Test: checking presence Rootkit Hunter"
|
|
if [ ! "${RKHUNTERBINARY}" = "" ]; then
|
|
Display --indent 2 --text "- Checking Rootkit Hunter" --result "FOUND" --color GREEN
|
|
LogText "Result: Found ${RKHUNTERBINARY}"
|
|
MALWARE_SCANNER_INSTALLED=1
|
|
AddHP 2 2
|
|
Report "malware_scanner[]=rkhunter"
|
|
else
|
|
LogText "Result: Rootkit Hunter not found"
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : MALW-3278
|
|
# Description : Check for installed tool (Linux Malware Detect or LMD)
|
|
Register --test-no MALW-3278 --weight L --network NO --description "Check for LMD"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
LogText "Test: checking presence LMD"
|
|
if [ ! "${LMDBINARY}" = "" ]; then
|
|
Display --indent 2 --text "- Checking LMD (Linux Malware Detect)" --result "FOUND" --color GREEN
|
|
LogText "Result: Found ${LMDBINARY}"
|
|
MALWARE_SCANNER_INSTALLED=1
|
|
AddHP 2 2
|
|
Report "malware_scanner[]=lmd"
|
|
else
|
|
LogText "Result: LMD not found"
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : MALW-3280
|
|
# Description : Check if an anti-virus tool is installed
|
|
Register --test-no MALW-3280 --weight L --network NO --description "Check if anti-virus tool is installed"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
FOUND=0
|
|
|
|
# ESET security products
|
|
LogText "Test: checking process esets_daemon"
|
|
IsRunning esets_daemon
|
|
if [ ${RUNNING} -eq 1 ]; then
|
|
FOUND=1
|
|
Display --indent 2 --text "- Checking ESET daemon" --result "FOUND" --color GREEN
|
|
LogText "Result: found ESET security product"
|
|
ESET_DAEMON_RUNNING=1
|
|
MALWARE_SCANNER_INSTALLED=1
|
|
AddHP 2 2
|
|
Report "malware_scanner[]=eset"
|
|
fi
|
|
|
|
# McAfee products
|
|
LogText "Test: checking process cma or cmdagent (McAfee)"
|
|
# cma is too generic to match on, so we want to ensure that it is related to McAfee first
|
|
if [ -x /opt/McAfee/cma/bin/cma ]; then
|
|
IsRunning cma
|
|
if [ ${RUNNING} -eq 1 ]; then MCAFEE_SCANNER_RUNNING=1; fi
|
|
else
|
|
IsRunning cmdagent
|
|
if [ ${RUNNING} -eq 1 ]; then MCAFEE_SCANNER_RUNNING=1; fi
|
|
fi
|
|
if [ ${MCAFEE_SCANNER_RUNNING} -eq 1 ]; then
|
|
FOUND=1
|
|
Display --indent 2 --text "- Checking McAfee" --result "FOUND" --color GREEN
|
|
LogText "Result: Found McAfee"
|
|
MALWARE_SCANNER_INSTALLED=1
|
|
AddHP 2 2
|
|
Report "malware_scanner[]=mcafee"
|
|
|
|
fi
|
|
# Sophos savscand/SophosScanD
|
|
LogText "Test: checking process savscand"
|
|
IsRunning savscand
|
|
if [ ${RUNNING} -eq 1 ]; then
|
|
FOUND=1
|
|
SOPHOS_SCANNER_RUNNING=1
|
|
fi
|
|
LogText "Test: checking process SophosScanD"
|
|
IsRunning SophosScanD
|
|
if [ ${RUNNING} -eq 1 ]; then
|
|
FOUND=1
|
|
SOPHOS_SCANNER_RUNNING=1
|
|
fi
|
|
if [ ${SOPHOS_SCANNER_RUNNING} -eq 1 ]; then
|
|
Display --indent 2 --text "- Checking Sophos" --result "FOUND" --color GREEN
|
|
LogText "Result: Found Sophos"
|
|
MALWARE_SCANNER_INSTALLED=1
|
|
AddHP 2 2
|
|
Report "malware_scanner[]=sophos"
|
|
fi
|
|
if [ ${FOUND} -eq 0 ]; then
|
|
LogText "Result: no commercial anti-virus tools found"
|
|
AddHP 0 3
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : MALW-3282
|
|
# Description : Check if clamscan is installed
|
|
Register --test-no MALW-3282 --weight L --network NO --description "Check for clamscan"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
LogText "Test: checking presence clamscan"
|
|
if [ ! "${CLAMSCANBINARY}" = "" ]; then
|
|
Display --indent 2 --text "- Checking ClamAV scanner" --result "FOUND" --color GREEN
|
|
LogText "Result: Found ${CLAMSCANBINARY}"
|
|
MALWARE_SCANNER_INSTALLED=1
|
|
CLAMSCAN_INSTALLED=1
|
|
AddHP 2 2
|
|
else
|
|
LogText "Result: clamscan couldn't be found"
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : MALW-3284
|
|
# Description : Check running clamd process
|
|
Register --test-no MALW-3284 --weight L --network NO --description "Check for clamd"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
LogText "Test: checking running ClamAV daemon (clamd)"
|
|
IsRunning clamd
|
|
if [ ${RUNNING} -eq 1 ]; then
|
|
Display --indent 2 --text "- Checking ClamAV daemon" --result "FOUND" --color GREEN
|
|
LogText "Result: found running clamd process"
|
|
MALWARE_SCANNER_INSTALLED=1
|
|
CLAMD_RUNNING=1
|
|
else
|
|
LogText "Result: clamd not running"
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : MALW-3286
|
|
# Description : Check running freshclam if clamd process is running
|
|
if [ ${CLAMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
Register --test-no MALW-3286 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for freshclam"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
LogText "Test: checking running freshclam daemon"
|
|
IsRunning freshclam
|
|
if [ ${RUNNING} -eq 1 ]; then
|
|
FRESHCLAM_DAEMON_RUNNING=1
|
|
Display --indent 4 --text "- Checking freshclam" --result "FOUND" --color GREEN
|
|
LogText "Result: found running freshclam process"
|
|
AddHP 2 2
|
|
else
|
|
Display --indent 4 --text "- Checking freshclam" --result "SUGGESTION" --color YELLOW
|
|
LogText "Result: freshclam is not running"
|
|
ReportSuggestion ${TEST_NO} "Confirm that freshclam is properly configured and keeps updating the ClamAV database"
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : MALW-3288
|
|
# Description : Check for ClamXav (Mac OS X)
|
|
if [ -d /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
Register --test-no MALW-3288 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for ClamXav"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
CLAMSCANBINARY=`ls /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | grep 'clamscan'`
|
|
if [ ! "${CLAMSCANBINARY}" = "" ]; then
|
|
LogText "Result: Found ClamXav clamscan installed"
|
|
Display --indent 2 --text "- Checking presence of ClamXav AV scanner" --result "FOUND" --color GREEN
|
|
MALWARE_SCANNER_INSTALLED=1
|
|
CLAMSCAN_INSTALLED=1
|
|
AddHP 3 3
|
|
else
|
|
LogText "Result: ClamXav malware scanner not found"
|
|
AddHP 0 3
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Check if we found any of the ClamAV components
|
|
if [ ${CLAMSCAN_INSTALLED} -eq 1 -o ${CLAMD_RUNNING} -eq 1 -o ${FRESHCLAM_DAEMON_RUNNING} -eq 1 ]; then
|
|
Report "malware_scanner[]=clamav"
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
|
|
Report "malware_scanner_installed=${MALWARE_SCANNER_INSTALLED}"
|
|
|
|
|
|
WaitForKeyPress
|
|
|
|
#
|
|
#================================================================================
|
|
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
|