mirror of https://github.com/CISOfy/lynis.git
653 lines
31 KiB
Bash
653 lines
31 KiB
Bash
#!/bin/sh
|
|
|
|
#################################################################################
|
|
#
|
|
# Lynis
|
|
# ------------------
|
|
#
|
|
# Copyright 2007-2013, Michael Boelen
|
|
# Copyright 2013-2016, CISOfy
|
|
#
|
|
# Website : https://cisofy.com
|
|
# Blog : http://linux-audit.com
|
|
# GitHub : https://github.com/CISOfy/lynis
|
|
#
|
|
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
|
# welcome to redistribute it under the terms of the GNU General Public License.
|
|
# See LICENSE file for usage of this software.
|
|
#
|
|
#################################################################################
|
|
#
|
|
# File systems
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Number of days to mark a file as old
|
|
TMP_OLD_DAYS=90
|
|
LVM_VG_USED=0
|
|
#
|
|
#################################################################################
|
|
#
|
|
InsertSection "File systems"
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : FILE-6310
|
|
# Description : Checking if some mount points are separated from /
|
|
# Goal : Users should not be able to fill their home directory or temporary directory and creating a Denial of Service
|
|
Register --test-no FILE-6310 --weight L --network NO --description "Checking /tmp, /home and /var directory"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
Display --indent 2 --text "- Checking mount points"
|
|
SEPARATED_FILESYTEMS="/home /tmp /var"
|
|
for I in ${SEPARATED_FILESYTEMS}; do
|
|
LogText "Test: Checking if ${I} is mounted separately or mounted on / file system"
|
|
if [ -L ${I} ]; then
|
|
ShowSymlinkPath ${I}
|
|
LogText "Result: ${I} is a symlink. Manual check required to determine exact file system options"
|
|
ReportSuggestion ${TEST_NO} "Symlinked mount point needs to be checked manually" "${I}" ""
|
|
Display --indent 4 --text "- Checking ${I} mount point" --result SYMLINK --color WHITE
|
|
elif [ -d ${I} ]; then
|
|
LogText "Result: directory ${I} exists"
|
|
FIND=`mount | grep "${I}"`
|
|
if [ ! "${FIND}" = "" ]; then
|
|
LogText "Result: found ${I} as a separated mount point"
|
|
Display --indent 4 --text "- Checking ${I} mount point" --result "${STATUS_OK}" --color GREEN
|
|
AddHP 10 10
|
|
else
|
|
LogText "Result: ${I} not found in mount list. Directory most likely stored on / file system"
|
|
Display --indent 4 --text "- Checking ${I} mount point" --result "${STATUS_SUGGESTION}" --color YELLOW
|
|
ReportSuggestion ${TEST_NO} "To decrease the impact of a full ${I} file system, place ${I} on a separated partition"
|
|
AddHP 9 10
|
|
fi
|
|
else
|
|
LogText "Result: directory ${I} does not exist"
|
|
fi
|
|
done
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : FILE-6311
|
|
# Description : Checking LVM Volume Groups
|
|
# Notes : No volume groups found is sent to STDERR for unclear reasons. Filtering both STDERR redirecting and grep.
|
|
if [ ! "${VGDISPLAYBINARY}" = "" -o ! "${LSVGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
Register --test-no FILE-6311 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking LVM volume groups"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
LogText "Test: Checking for LVM volume groups"
|
|
case ${OS} in
|
|
AIX)
|
|
FIND=`${LSVGBINARY} -o`
|
|
;;
|
|
Linux)
|
|
FIND=`${VGDISPLAYBINARY} 2> /dev/null | grep -v "No volume groups found" | grep "VG Name" | awk '{ print $3 }' | sort`
|
|
;;
|
|
*)
|
|
ReportException "${TEST_NO}:1" "Don't know this specific operating system yet, while volume group manager was found"
|
|
;;
|
|
esac
|
|
if [ ! "${FIND}" = "" ]; then
|
|
LogText "Result: found one or more volume groups"
|
|
for I in ${FIND}; do
|
|
LogText "Found LVM volume group: ${I}"
|
|
Report "lvm_volume_group[]=${I}"
|
|
done
|
|
LVM_VG_USED=1
|
|
Display --indent 2 --text "- Checking LVM volume groups" --result "${STATUS_FOUND}" --color GREEN
|
|
else
|
|
LogText "Result: no LVM volume groups found"
|
|
if IsVerbose; then Display --indent 2 --text "- Checking LVM volume groups" --result "${STATUS_NONE}" --color WHITE; fi
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : FILE-6312
|
|
# Description : Checking LVM volumes
|
|
if [ ${LVM_VG_USED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
Register --test-no FILE-6312 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking LVM volumes"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
LogText "Test: Checking for LVM volumes"
|
|
case ${OS} in
|
|
AIX)
|
|
ACTIVE_VG_LIST=`${LSVGBINARY} -o`
|
|
FIND=`for I in ${ACTIVE_VG_LIST}; do ${LSVGBINARY} -l ${I} | awk 'NR>2 { print $1 }'; done`
|
|
;;
|
|
Linux)
|
|
FIND=`${LVDISPLAYBINARY} | grep -v "No volume groups found" | grep "LV Name" | awk '{ print $3 }' | sort`
|
|
;;
|
|
*)
|
|
ReportException "${TEST_NO}:1" "Need specific test for gathering volume manager data"
|
|
;;
|
|
esac
|
|
if [ ! "${FIND}" = "" ]; then
|
|
LogText "Result: found one or more volumes"
|
|
for I in ${FIND}; do
|
|
LogText "Found LVM volume: ${I}"
|
|
Report "lvm_volume[]=${I}"
|
|
done
|
|
Display --indent 4 --text "- Checking LVM volumes" --result "${STATUS_FOUND}" --color GREEN
|
|
else
|
|
LogText "Result: no LVM volume groups found"
|
|
Display --indent 4 --text "- Checking LVM volumes" --result "${STATUS_NONE}" --color WHITE
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : FILE-6316
|
|
# Description : Checking /etc/fstab file permissions
|
|
#Register --test-no FILE-6316 --os Linux --weight L --network NO --description "Checking /etc/fstab"
|
|
#if [ ${SKIPTEST} -eq 0 ]; then
|
|
# 644
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : FILE-6323
|
|
# Description : Checking Linux EXT2, EXT3, EXT4 file systems
|
|
Register --test-no FILE-6323 --os Linux --weight L --network NO --description "Checking EXT file systems"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
LogText "Test: Checking for Linux EXT file systems"
|
|
FIND=`mount -t ext2,ext3,ext4 | awk '{ print $3","$5 }'`
|
|
if [ ! "${FIND}" = "" ]; then
|
|
LogText "Result: found one or more EXT file systems"
|
|
for I in ${FIND}; do
|
|
FILESYSTEM=`echo ${I} | cut -d ',' -f1`
|
|
FILETYPE=`echo ${I} | cut -d ',' -f2`
|
|
LogText "File system: ${FILESYSTEM} (type: ${FILETYPE})"
|
|
Report "file_systems_ext[]=${FILESYSTEM}|${FILETYPE}|"
|
|
done
|
|
else
|
|
LogText "Result: no EXT file systems found"
|
|
Report "file_systems_ext[]=none"
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : FILE-6329
|
|
# Description : Query all FFS/UFS mounts from /etc/fstab
|
|
if [ -f /etc/fstab ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
Register --test-no FILE-6329 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking FFS/UFS file systems"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
LogText "Test: Query /etc/fstab for available FFS/UFS mount points"
|
|
FIND=`awk '{ if ($3 == "ufs" || $3 == "ffs" ) { print $1":"$2":"$3":"$4":" }}' /etc/fstab`
|
|
if [ "${FIND}" = "" ]; then
|
|
if IsVerbose; then Display --indent 2 --text "- Querying FFS/UFS mount points (fstab)" --result "${STATUS_NONE}" --color WHITE; fi
|
|
LogText "Result: unable to find any single mount point (FFS/UFS)"
|
|
else
|
|
Display --indent 2 --text "- Querying FFS/UFS mount points (fstab)" --result "${STATUS_FOUND}" --color GREEN
|
|
Report "filesystem[]=ufs"
|
|
for I in ${FIND}; do
|
|
LogText "FFS/UFS mount found: ${I}"
|
|
Report "mountpoint_ufs[]=${I}"
|
|
done
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : FILE-6330
|
|
# Description : Query all ZFS mounts from /etc/fstab
|
|
Register --test-no FILE-6330 --os FreeBSD --weight L --network NO --description "Checking ZFS file systems"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
LogText "Test: Query /etc/fstab for available ZFS mount points"
|
|
FIND=`mount -p | awk '{ if ($3 == "zfs") { print $1":"$2":"$3":"$4":" }}'`
|
|
if [ "${FIND}" = "" ]; then
|
|
Display --indent 2 --text "- Querying ZFS mount points (mount -p)" --result "${STATUS_NONE}" --color WHITE
|
|
LogText "Result: unable to find any single mount point (ZFS)"
|
|
else
|
|
Display --indent 2 --text "- Querying ZFS mount points (mount -p)" --result "${STATUS_FOUND}" --color GREEN
|
|
Report "filesystem[]=zfs"
|
|
for I in ${FIND}; do
|
|
LogText "ZFS mount found: ${I}"
|
|
Report "mountpoint_zfs[]=${I}"
|
|
done
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : FILE-6332
|
|
# Description : Check swap partitions
|
|
if [ -f /etc/fstab ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
Register --test-no FILE-6332 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking swap partitions"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
FOUND=0
|
|
LogText "Test: query swap partitions from /etc/fstab file"
|
|
# Check if third field contains 'swap'
|
|
FIND=`awk '{ if ($2=="swap" || $3=="swap") { print $1 }}' /etc/fstab | grep -v "^#"`
|
|
for I in ${FIND}; do
|
|
FOUND=1
|
|
REAL=""
|
|
UUID=""
|
|
LogText "Swap partition found: ${I}"
|
|
# YYY Add a test if partition is not a normal partition (e.g. UUID=)
|
|
# Can be ^/dev/mapper/vg-name_lv-name
|
|
# Can be ^/dev/partition
|
|
|
|
# Can be ^UUID=uuid --> /dev/disk/by-uuid/<uuid>
|
|
HAS_UUID=`echo ${I} | grep "^UUID="`
|
|
if [ ! "${HAS_UUID}" = "" ]; then
|
|
UUID=`echo ${HAS_UUID} | awk -F= '{ print $2 }'`
|
|
LogText "Result: Using ${UUID} as UUID"
|
|
if [ ! "${BLKIDBINARYx}" = "" ]; then
|
|
FIND2=`${BLKIDBINARY} | awk '{ if ($2=="UUID=\"${UUID}\"") print $1 }' | sed 's/:$//'`
|
|
if [ ! "${FIND2}" = "" ]; then
|
|
REAL="${FIND2}"
|
|
fi
|
|
else
|
|
LogText "Result: blkid binary not found, trying by checking device listing"
|
|
sFILE=""
|
|
if [ -L /dev/disk/by-uuid/${UUID} ]; then
|
|
LogText "Result: found disk via /dev/disk/by-uuid listing"
|
|
ShowSymlinkPath /dev/disk/by-uuid/${UUID}
|
|
if [ ! "${sFILE}" = "" ]; then
|
|
REAL="${sFILE}"
|
|
LogText "Result: disk is ${REAL}"
|
|
fi
|
|
else
|
|
LogText "Result: no symlink found to /dev/disk/by-uuid/${UUID}"
|
|
fi
|
|
fi
|
|
fi
|
|
# Set real device
|
|
if [ "${REAL}" = "" ]; then
|
|
REAL="${I}"
|
|
fi
|
|
Report "swap_partition[]=${I},${REAL},"
|
|
done
|
|
if [ ${FOUND} -eq 1 ]; then
|
|
Display --indent 2 --text "- Query swap partitions (fstab)" --result "${STATUS_OK}" --color GREEN
|
|
else
|
|
Display --indent 2 --text "- Query swap partitions (fstab)" --result "${STATUS_NONE}" --color YELLOW
|
|
LogText "Result: no swap partitions found in /etc/fstab"
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : FILE-6336
|
|
# Description : Check swap mount options
|
|
# Examples : [partition] swap swap defaults 0 0
|
|
# [partition] none swap sw 0 0
|
|
if [ -f /etc/fstab ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
Register --test-no FILE-6336 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking swap mount options"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
# Swap partitions should be mounted with 'sw' or 'swap'
|
|
LogText "Test: check swap partitions with incorrect mount options"
|
|
#FIND=`awk '{ if ($3=="swap" && ($4!="sw" && $4!="swap" && $4!="defaults")) print $1 }' /etc/fstab`
|
|
FIND=`awk '{ if ($3=="swap" && ($4~/sw/ || $4=="defaults")) { print $1 }}' /etc/fstab`
|
|
if [ ! "${FIND}" = "" ]; then
|
|
Display --indent 2 --text "- Testing swap partitions" --result "${STATUS_OK}" --color GREEN
|
|
LogText "Result: all swap partitions have correct options (sw or swap)"
|
|
else
|
|
Display --indent 2 --text "- Testing swap partitions" --result "CHECK NEEDED" --color YELLOW
|
|
LogText "Result: possible incorrect mount options used for mounting swap partition (${FIND})"
|
|
#ReportWarning ${TEST_NO} "L" "Possible incorrect mount options used for swap parition (${FIND})"
|
|
ReportSuggestion ${TEST_NO} "Check your /etc/fstab file for swap partition mount options"
|
|
LogText "Notes: usually swap partition have 'sw' or 'swap' in the options field (4th)"
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : FILE-6354
|
|
# Description : Search files within /tmp which are older than 3 months
|
|
if [ -d /tmp ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
Register --test-no FILE-6354 --preqs-met ${PREQS_MET} --weight L --network NO --description "Searching for old files in /tmp"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
LogText "Test: Searching for old files in /tmp"
|
|
# Search for files only in /tmp, with an access time older than X days
|
|
FIND=`find /tmp -xdev -type f -atime +${TMP_OLD_DAYS} | sed 's/ /!space!/g'`
|
|
if [ "${FIND}" = "" ]; then
|
|
Display --indent 2 --text "- Checking for old files in /tmp" --result "${STATUS_OK}" --color GREEN
|
|
LogText "Result: no files found in /tmp which are older than 3 months"
|
|
else
|
|
Display --indent 2 --text "- Checking for old files in /tmp" --result "${STATUS_FOUND}" --color RED
|
|
N=0
|
|
for I in ${FIND}; do
|
|
FILE=`echo ${I} | sed 's/!space!/ /g'`
|
|
LogText "Old temporary file: ${FILE}"
|
|
N=$((N + 1))
|
|
done
|
|
LogText "Result: found old files in /tmp, which were not modified in the last ${TMP_OLD_DAYS} days"
|
|
LogText "Advice: check and clean up unused files in /tmp. Old files can fill up a disk or contain"
|
|
LogText "private information and should be deleted it not being used actively. Use a tool like lsof to"
|
|
LogText "see which programs possibly are using a particular file. Some systems can cleanup temporary"
|
|
LogText "directories by setting a boot option."
|
|
ReportSuggestion ${TEST_NO} "Check ${N} files in /tmp which are older than ${TMP_OLD_DAYS} days"
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : FILE-6362
|
|
# Description : Check for sticky bit on /tmp
|
|
if [ -d /tmp -a ! -L /tmp ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
Register --test-no FILE-6362 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking /tmp sticky bit"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
# Depending on OS, number of field with 'tmp' differs
|
|
FIND=`ls -l / | tr -s ' ' | awk -F" " '{ if ( $8 == "tmp" || $9 == "tmp" ) { print $1 } }' | cut -c 10`
|
|
if [ "${FIND}" = "t" -o "${FIND}" = "T" ]; then
|
|
Display --indent 2 --text "- Checking /tmp sticky bit" --result "${STATUS_OK}" --color GREEN
|
|
LogText "Result: Sticky bit (${FIND}) found on /tmp directory"
|
|
AddHP 3 3
|
|
else
|
|
Display --indent 2 --text "- Checking /tmp sticky bit" --result "${STATUS_WARNING}" --color RED
|
|
ReportWarning ${TEST_NO} "H" "No sticky bit found on /tmp directory, which can be dangerous!"
|
|
ReportSuggestion ${TEST_NO} "Consult documentation and place the sticky bit, to prevent users deleting (by other owned) files in the /tmp directory."
|
|
AddHP 0 3
|
|
fi
|
|
else
|
|
LogText "Result: Sticky bit test (on /tmp) skipped. Possible reason: missing or symlinked directory, or test skipped."
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : FILE-6366
|
|
# Description : Check for noatime option
|
|
# More info : especially useful for profile 'desktop' and 'server-storage'
|
|
|
|
# Want to contribute to Lynis? Create this test
|
|
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : FILE-6368
|
|
# Description : Checking Linux root file system ACL support
|
|
Register --test-no FILE-6368 --os Linux --weight L --network NO --root-only YES --description "Checking ACL support on root file system"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
FOUND=0
|
|
LogText "Test: Checking acl option on ext[2-4] root file system"
|
|
FIND=`mount | ${AWKBINARY} '{ if ($3=="/" && $5~/ext[2-4]/) { print $6 } }' | grep acl`
|
|
if [ ! "${FIND}" = "" ]; then
|
|
LogText "Result: found ACL option"
|
|
FOUND=1
|
|
else
|
|
LogText "Result: mount point probably mounted with defaults"
|
|
LogText "Test: Checking device which holds root file system"
|
|
# Get device on which root file system is mounted. Use /dev/root if it exists, or
|
|
# else check output of mount
|
|
if [ -b /dev/root ]; then
|
|
FIND1="/dev/root"
|
|
else
|
|
# Only determine device if it is EXT2/3/4
|
|
#FIND1=`mount | grep "on / " | awk '{ if ($5~/ext[2-4]/) { print $1 }}'`
|
|
FIND1=`mount -t ext2,ext3,ext4 | grep "on / " | awk '{ print $1 }'`
|
|
fi
|
|
# Trying to determine default mount options from EXT2/EXT3/EXT4 file systems
|
|
if [ ! "${FIND1}" = "" ]; then
|
|
LogText "Result: found ${FIND1}"
|
|
LogText "Test: Checking default options on ${FIND1}"
|
|
FIND2=`${TUNE2FSBINARY} -l ${FIND1} 2> /dev/null | grep "^Default mount options" | grep "acl"`
|
|
if [ ! "${FIND2}" = "" ]; then
|
|
LogText "Result: found ACL option in default mount options"
|
|
FOUND=1
|
|
else
|
|
LogText "Result: no ACL option found in default mount options list"
|
|
fi
|
|
else
|
|
LogText "Result: No file system found with root file system"
|
|
fi
|
|
fi
|
|
|
|
LogText "Test: Checking acl option on xfs root file system"
|
|
FIND=`mount | ${AWKBINARY} '{ if ($3=="/" && $5~/xfs/) { print $6 } }' | egrep 'no_acl|no_user_xattr'`
|
|
if [ "${FIND}" = "" ]; then
|
|
FOUND=1
|
|
# some other tests to do ?
|
|
fi
|
|
|
|
if [ ${FOUND} -eq 0 ]; then
|
|
LogText "Result: ACL option NOT enabled on root file system"
|
|
LogText "Additional information: if file access need to be more restricted, ACLs could be used. Install the acl utilities and remount the file system with the acl option"
|
|
LogText "Activate acl support on and active file system with mount -o remount,acl / and add the acl option to the fstab file"
|
|
Display --indent 2 --text "- ACL support root file system" --result "${STATUS_DISABLED}" --color YELLOW
|
|
AddHP 0 1
|
|
else
|
|
LogText "Result: ACL option enabled on root file system"
|
|
Display --indent 2 --text "- ACL support root file system" --result "${STATUS_ENABLED}" --color GREEN
|
|
AddHP 3 3
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : FILE-6372
|
|
# Description : Check / mount options for Linux
|
|
# Notes :
|
|
Register --test-no FILE-6372 --os Linux --weight L --network NO --description "Checking / mount options"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
if [ -f /etc/fstab ]; then
|
|
FIND=`cat /etc/fstab | grep -v "^#" | awk '{ if ($2=="/") { print $4 } }'`
|
|
NODEV=`echo ${FIND} | awk '{ if ($1 ~ "nodev") { print "YES" } else { print "NO" } }'`
|
|
NOEXEC=`echo ${FIND} | awk '{ if ($1 ~ "noexec") { print "YES" } else { print "NO" } }'`
|
|
NOSUID=`echo ${FIND} | awk '{ if ($1 ~ "nosuid") { print "YES" } else { print "NO" } }'`
|
|
|
|
if [ ! "${FIND}" = "" ]; then
|
|
LogText "Result: mount system / is configured with options: ${FIND}"
|
|
if [ "${FIND}" = "defaults" ]; then
|
|
Display --indent 2 --text "- Mount options of /" --result "${STATUS_OK}" --color GREEN
|
|
else
|
|
Display --indent 2 --text "- Mount options of /" --result "NON DEFAULT" --color YELLOW
|
|
fi
|
|
else
|
|
LogText "Result: no mount point / or expected options found"
|
|
fi
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : FILE-6374
|
|
# Description : Check mount options for Linux
|
|
# Notes : This test determines if the mount point exists. If it does not exist as mount point, yet it is an directory,
|
|
# you might consider to make it a separate mount point with restrictions.
|
|
#
|
|
# Depending on the primary goals of a machine, some mount points might be too restrictive. Before applying any
|
|
# mount flags, test them on a similar or cloned test system.
|
|
#
|
|
# ---------------------------------------------------------
|
|
# Mount point nodev noexec nosuid
|
|
# /boot v v v
|
|
# /dev/shm v v v
|
|
# /home v v
|
|
# /tmp v v v
|
|
# /var v
|
|
# /var/log v v v
|
|
# /var/log/audit v v v
|
|
# /var/tmp v v v
|
|
# ---------------------------------------------------------
|
|
|
|
FILESYSTEMS_TO_CHECK="/boot:nodev,noexec,nosuid /dev/shm:nosuid,nodev,noexec /home:nodev,nosuid /tmp:nodev,noexec,nosuid /var:nosuid /var/log:nodev,noexec,nosuid /var/log/audit:nodev,noexec,nosuid /var/tmp:nodev,noexec,nosuid"
|
|
Register --test-no FILE-6374 --os Linux --weight L --network NO --description "Checking /boot mount options"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
if [ -f /etc/fstab ]; then
|
|
for I in ${FILESYSTEMS_TO_CHECK}; do
|
|
FILESYSTEM=`echo ${I} | cut -d: -f1`
|
|
EXPECTED_FLAGS=`echo ${I} | cut -d: -f2 | sed 's/,/ /g'`
|
|
IN_FSTAB=`cat /etc/fstab | awk -v fs=${FILESYSTEM} '{ if ($2==fs) { print "FOUND" } }'`
|
|
if [ ! "${IN_FSTAB}" = "" ]; then
|
|
FOUND_FLAGS=`cat /etc/fstab | awk -v fs=${FILESYSTEM} '{ if ($2==fs) { print $4 } }' | sed 's/,/ /g'`
|
|
LogText "File system: ${FILESYSTEM}"
|
|
LogText "Expected flags: ${EXPECTED_FLAGS}"
|
|
LogText "Found flags: ${FOUND_FLAGS}"
|
|
PARTIALLY_HARDENED=0
|
|
FULLY_HARDENED=1
|
|
for FLAG in ${EXPECTED_FLAGS}; do
|
|
FLAG_AVAILABLE=`echo ${FOUND_FLAGS} | grep ${FLAG}`
|
|
if [ "${FLAG_AVAILABLE}" = "" ]; then
|
|
LogText "Result: Could not find mount option ${FLAG} on file system ${FILESYSTEM}"
|
|
FULLY_HARDENED=0
|
|
else
|
|
LogText "Result: GOOD, found mount option ${FLAG} on file system ${FILESYSTEM}"
|
|
PARTIALLY_HARDENED=1
|
|
fi
|
|
done
|
|
if [ ${FULLY_HARDENED} -eq 1 ]; then
|
|
LogText "Result: marked ${FILESYSTEM} as fully hardenened"
|
|
Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result HARDENED --color GREEN
|
|
AddHP 5 5
|
|
elif [ ${PARTIALLY_HARDENED} -eq 1 ]; then
|
|
LogText "Result: marked ${FILESYSTEM} as fully hardenened"
|
|
Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "PARTIALLY HARDENED" --color YELLOW
|
|
AddHP 4 5
|
|
else
|
|
if [ "${FOUND_FLAGS}" = "defaults" ]; then
|
|
LogText "Result: marked ${FILESYSTEM} options as default (non hardened)"
|
|
Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result DEFAULT --color YELLOW
|
|
AddHP 3 5
|
|
else
|
|
LogText "Result: marked ${FILESYSTEM} options as non default (unclear about hardening)"
|
|
Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "NON DEFAULT" --color YELLOW
|
|
AddHP 4 5
|
|
fi
|
|
fi
|
|
else
|
|
LogText "Result: file system ${FILESYSTEM} not found in /etc/fstab"
|
|
fi
|
|
done
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : FILE-6376
|
|
# Description : Bind mount the /var/tmp directory to /tmp
|
|
Register --test-no FILE-6376 --os Linux --weight L --network NO --description "Determine if /var/tmp is bound to /tmp"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
if [ -f /etc/fstab ]; then
|
|
FIND=`awk '{ if ($2=="/var/tmp") { print $4 } }' /etc/fstab`
|
|
BIND=`echo ${FIND} | awk '{ if ($1 ~ "bind") { print "YES" } else { print "NO" } }'`
|
|
if [ ! "${FIND}" = "" ]; then
|
|
LogText "Result: mount system /var/tmp is configured with options: ${FIND}"
|
|
if [ "${BIND}" = "YES" ]; then
|
|
Display --indent 2 --text "- /var/tmp is bound to /tmp" --result "${STATUS_OK}" --color GREEN
|
|
LogText "Result : /var/tmp is bind to /tmp"
|
|
else
|
|
Display --indent 2 --text "- /var/tmp is not bound to /tmp" --result "NON DEFAULT" --color YELLOW
|
|
LogText "Result: /var/tmp is not bind to /tmp"
|
|
fi
|
|
else
|
|
LogText "Result: no mount point /var/tmp or expected options found"
|
|
if IsVerbose; then Display --indent 2 --text "- /var/tmp is not bound to /tmp" --result "INFO" --color WHITE; fi
|
|
fi
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : FILE-6378
|
|
# Description : Check for nodirtime option
|
|
|
|
# Want to contribute to Lynis? Create this test
|
|
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : FILE-6380
|
|
# Description : Check for relatime
|
|
|
|
# Want to contribute to Lynis? Create this test
|
|
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : FILE-6390
|
|
# Description : Check writeback/journalling mode (ext3)
|
|
# More info : data=writeback | data=ordered | data=journal
|
|
|
|
# Want to contribute to Lynis? Create this test
|
|
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : FILE-6394
|
|
# Description : Check vm.swappiness (Linux)
|
|
|
|
# Want to contribute to Lynis? Create this test
|
|
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : FILE-6398
|
|
# Description : Check if JBD (Journal Block Device) driver is loaded
|
|
|
|
# Want to contribute to Lynis? Create this test
|
|
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : FILE-6410
|
|
# Description : Checking locate database (file index)
|
|
# Notes : Linux /var/lib/mlocate/mlocate.db or /var/lib/slocate/slocate.db
|
|
# or /var/cache/locate/locatedb
|
|
# FreeBSD /var/db/locate.database
|
|
if [ ! "${LOCATEBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
Register --test-no FILE-6410 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --description "Checking Locate database"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
LogText "Test: Checking locate database"
|
|
FOUND=0
|
|
LOCATE_DBS="/var/lib/mlocate/mlocate.db /var/lib/locate/locatedb /var/lib/locatedb /var/lib/slocate/slocate.db /var/cache/locate/locatedb /var/db/locate.database"
|
|
for I in ${LOCATE_DBS}; do
|
|
if [ -f ${I} ]; then
|
|
LogText "Result: locate database found (${I})"
|
|
FOUND=1
|
|
LOCATE_DB="${I}"
|
|
else
|
|
LogText "Result: file ${I} not found"
|
|
fi
|
|
done
|
|
if [ ${FOUND} -eq 1 ]; then
|
|
Display --indent 2 --text "- Checking Locate database" --result "${STATUS_FOUND}" --color GREEN
|
|
Report "locate_db=${LOCATE_DB}"
|
|
else
|
|
LogText "Result: database not found"
|
|
Display --indent 2 --text "- Checking Locate database" --result "${STATUS_NOT_FOUND}" --color YELLOW
|
|
ReportSuggestion ${TEST_NO} "The database required for 'locate' could not be found. Run 'updatedb' or 'locate.updatedb' to create this file."
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : FILE-6420
|
|
# Description : Check automount process
|
|
|
|
# Want to contribute to Lynis? Create this test
|
|
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : FILE-6422
|
|
# Description : Check automount maps (files or for example LDAP based)
|
|
# Notes : Warn when automounter is running
|
|
|
|
# Want to contribute to Lynis? Create this test
|
|
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : FILE-6424
|
|
# Description : Check automount map files
|
|
|
|
# Want to contribute to Lynis? Create this test
|
|
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : FILE-6425
|
|
# Description : Check mounted files systems via automounter
|
|
# Notes : Warn when no systems are mounted?
|
|
|
|
# Want to contribute to Lynis? Create this test
|
|
|
|
#
|
|
#################################################################################
|
|
#
|
|
|
|
WaitForKeyPress
|
|
|
|
#
|
|
#================================================================================
|
|
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
|