mirror of https://github.com/CISOfy/lynis.git
326 lines
15 KiB
Bash
326 lines
15 KiB
Bash
#!/bin/sh
|
|
|
|
#################################################################################
|
|
#
|
|
# Lynis
|
|
# ------------------
|
|
#
|
|
# Copyright 2007-2013, Michael Boelen
|
|
# Copyright 2007-2017, CISOfy
|
|
#
|
|
# Website : https://cisofy.com
|
|
# Blog : http://linux-audit.com
|
|
# GitHub : https://github.com/CISOfy/lynis
|
|
#
|
|
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
|
# welcome to redistribute it under the terms of the GNU General Public License.
|
|
# See LICENSE file for usage of this software.
|
|
#
|
|
#################################################################################
|
|
#
|
|
AUTOMATION_TOOL_FOUND=0
|
|
AUTOMATION_TOOL_RUNNING=""
|
|
CFENGINE_AGENT_FOUND=0
|
|
CFENGINE_SERVER_RUNNING=0
|
|
BACKUP_AGENT_FOUND=0
|
|
PUPPET_MASTER_RUNNING=0
|
|
SALT_MASTER_RUNNING=0
|
|
SALT_MINION_RUNNING=0
|
|
IPS_TOOL_FOUND=0
|
|
FAIL2BAN_FOUND=0
|
|
FAIL2BAN_EMAIL=0
|
|
FAIL2BAN_SILENT=0
|
|
PERFORM_FAIL2BAN_TESTS=0
|
|
#
|
|
#################################################################################
|
|
#
|
|
InsertSection "Software: System tooling"
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Automation
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : TOOL-5002
|
|
# Description : Check if automation tools are found
|
|
Register --test-no TOOL-5002 --weight L --network NO --category security --description "Checking for automation tools"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
|
|
Display --indent 2 --text "- Checking automation tooling"
|
|
|
|
# Cfengine
|
|
if [ ! "${CFAGENTBINARY}" = "" ]; then
|
|
LogText "Result: CFEngine (cfagent) is installed (${CFAGENTBINARY})"
|
|
AUTOMATION_TOOL_FOUND=1
|
|
CFENGINE_AGENT_FOUND=1
|
|
Report "automation_tool_running[]=cf-agent"
|
|
Display --indent 4 --text "Found: Cfengine (cfagent)" --result "${STATUS_FOUND}" --color GREEN
|
|
fi
|
|
OTHER_CFENGINE_LOCATIONS="/var/cfengine/bin /var/rudder/cfengine-community/bin"
|
|
for I in ${OTHER_CFENGINE_LOCATIONS}; do
|
|
if [ -d ${I} ]; then
|
|
if [ -f ${I}/cf-agent ]; then
|
|
LogText "Result: found CFEngine agent (cf-agent) in ${I}"
|
|
AUTOMATION_TOOL_FOUND=1
|
|
CFENGINE_AGENT_FOUND=1
|
|
Report "automation_tool_running[]=cf-agent"
|
|
Display --indent 4 --text "Found: CFEngine (cf-agent)" --result "${STATUS_FOUND}" --color GREEN
|
|
fi
|
|
IsRunning "cf-server"
|
|
if [ ${RUNNING} -eq 1 ]; then
|
|
LogText "Result: found CFEngine server"
|
|
AUTOMATION_TOOL_FOUND=1
|
|
CFENGINE_SERVER_RUNNING=1
|
|
Report "automation_tool_running[]=cf-server"
|
|
Display --indent 4 --text "Found: CFEngine (cf-server)" --result "${STATUS_FOUND}" --color GREEN
|
|
fi
|
|
fi
|
|
done
|
|
|
|
# Chef
|
|
CHEF_LOCATIONS="/opt/chef/bin /opt/chef-server/sv /opt/chefdk/bin"
|
|
for I in ${CHEF_LOCATIONS}; do
|
|
if [ -d ${I} ]; then
|
|
if [ -f ${I}/chef-client ]; then
|
|
CHEFCLIENTBINARY="${I}/chef-client"
|
|
AUTOMATION_TOOL_FOUND=1
|
|
Report "automation_tool_running[]=chef-client"
|
|
Display --indent 4 --text "Found: Chef client (chef-client)" --result "${STATUS_FOUND}" --color GREEN
|
|
LogText "Result: found chef-client (chef client daemon) in ${I}"
|
|
fi
|
|
if [ -f ${I}/erchef ]; then
|
|
CHEFSERVERBINARY="${I}/erchef"
|
|
LogText "Result: Chef Server (erchef) is installed (${CHEFSERVERBINARY})"
|
|
AUTOMATION_TOOL_FOUND=1
|
|
Report "automation_tool_running[]=chef-server"
|
|
Display --indent 4 --text "Found: Chef Server (erchef)" --result "${STATUS_FOUND}" --color GREEN
|
|
LogText "Result: found erchef (chef server daemon) in ${I}"
|
|
fi
|
|
fi
|
|
done
|
|
|
|
# Puppet
|
|
if [ ! "${PUPPETBINARY}" = "" ]; then
|
|
LogText "Result: Puppet is installed (${PUPPETBINARY})"
|
|
AUTOMATION_TOOL_FOUND=1
|
|
Report "automation_tool_running[]=puppet-agent"
|
|
Display --indent 4 --text "Found: Puppet (agent)" --result "${STATUS_FOUND}" --color GREEN
|
|
fi
|
|
IsRunning "puppet master"
|
|
if [ ${RUNNING} -eq 1 ]; then
|
|
LogText "Result: found puppet master"
|
|
PUPPET_MASTER_RUNNING=1
|
|
Report "automation_tool_running[]=puppet-master"
|
|
Display --indent 4 --text "Found: Puppet (master)" --result "${STATUS_FOUND}" --color GREEN
|
|
fi
|
|
|
|
# SaltStack
|
|
if [ ! "${SALTMINIONBINARY}" = "" ]; then
|
|
LogText "Result: SaltStack (salt-minion) is installed (${SALTMINIONBINARY})"
|
|
AUTOMATION_TOOL_FOUND=1
|
|
SALT_MINION_RUNNING=1
|
|
Report "automation_tool_running[]=saltstack-minion"
|
|
Display --indent 4 --text "Found: SaltStack minion (salt-minion)" --result "${STATUS_FOUND}" --color GREEN
|
|
fi
|
|
if [ ! "${SALTMASTERBINARY}" = "" ]; then
|
|
LogText "Result: SaltStack (salt-master) is installed (${SALTMASTERBINARY})"
|
|
AUTOMATION_TOOL_FOUND=1
|
|
SALT_MASTER_RUNNING=1
|
|
Report "automation_tool_running[]=saltstack-minion"
|
|
Display --indent 4 --text "Found: SaltStack master (salt-master)" --result "${STATUS_FOUND}" --color GREEN
|
|
else
|
|
IsRunning "salt-master"
|
|
if [ ${RUNNING} -eq 1 ]; then
|
|
LogText "Result: found SaltStack (master)"
|
|
AUTOMATION_TOOL_FOUND=1
|
|
SALT_MASTER_RUNNING=1
|
|
Report "automation_tool_running[]=saltstack-master"
|
|
Display --indent 4 --text "Found: SaltStack (master)" --result "${STATUS_FOUND}" --color GREEN
|
|
fi
|
|
fi
|
|
|
|
if [ ${AUTOMATION_TOOL_FOUND} -eq 1 ]; then
|
|
Display --indent 2 --text "- Automation tooling" --result "${STATUS_FOUND}" --color GREEN
|
|
else
|
|
Display --indent 2 --text "- Automation tooling" --result "${STATUS_NOT_FOUND}" --color YELLOW
|
|
ReportSuggestion ${TEST_NO} "Determine if automation tools are present for system management"
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Intrusion Prevention tools
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : TOOL-5102
|
|
# Description : Check for Fail2ban
|
|
Register --test-no TOOL-5102 --weight L --network NO --category security --description "Check for presence of Fail2ban"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
|
|
# Fail2ban presence
|
|
if [ ! "${FAIL2BANBINARY}" = "" ]; then
|
|
FAIL2BAN_FOUND=1
|
|
IDS_IPS_TOOL_FOUND=1
|
|
LogText "Result: Fail2ban is installed (${FAIL2BANBINARY})"
|
|
Report "ids_ips_tooling[]=fail2ban"
|
|
Display --indent 2 --text "- Checking presence of Fail2ban" --result "${STATUS_FOUND}" --color GREEN
|
|
else
|
|
LogText "Result: Fail2ban not present (fail2ban-server not found)"
|
|
fi
|
|
|
|
# Fail2ban configuration
|
|
LogText "Checking Fail2ban configuration file"
|
|
if [ -f /etc/fail2ban/jail.local ]; then
|
|
FAIL2BAN_CONFIG="/etc/fail2ban/jail.local"
|
|
elif [ -f /etc/fail2ban/jail.conf ]; then
|
|
FAIL2BAN_CONFIG="/etc/fail2ban/jail.conf"
|
|
else
|
|
FAIL2BAN_CONFIG=""
|
|
fi
|
|
|
|
# Continue if tooling is available and configuration file found
|
|
if [ ${FAIL2BAN_FOUND} -eq 1 -a ! "${FAIL2BAN_CONFIG}" = "" ]; then
|
|
Report "fail2ban_config=${FAIL2BAN_CONFIG}"
|
|
FAIL2BANCLIENT=$(which fail2ban-client 2> /dev/null | grep -v "no [^ ]* in ")
|
|
if [ ! -z "${FAIL2BANCLIENT}" ]; then PERFORM_FAIL2BAN_TESTS=1; fi
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : TOOL-5104
|
|
# Description : Check for Fail2ban enabled tests
|
|
if [ ${PERFORM_FAIL2BAN_TESTS} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
Register --test-no TOOL-5104 --weight L --network NO --preqs-met ${PREQS_MET} --category security --description "Enabled tests in Fail2ban"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
FIND=$(${FAIL2BANCLIENT} -d | ${TRBINARY} -d '[]' | ${TRBINARY} -d "'" | ${AWKBINARY} -F, '{ if ($1=="add") { print $2 }}' | ${TRBINARY} -d ' ')
|
|
if [ ! "${FIND}" = "" ]; then
|
|
for F2BSERVICE in ${FIND}; do
|
|
LogText "Result: service '${F2BSERVICE}' enabled"
|
|
Report "fail2ban_enabled_service[]=${F2BSERVICE}"
|
|
done
|
|
LogText "Result: found at least one enabled jail"
|
|
Display --indent 4 --text "- Checking Fail2ban jails" --result "${STATUS_ENABLED}" --color GREEN
|
|
AddHP 3 3
|
|
else
|
|
LogText "Result: Fail2ban installed but completely disabled"
|
|
Display --indent 4 --text "- Checking Fail2ban jails" --result "${STATUS_DISABLED}" --color RED
|
|
AddHP 0 5
|
|
ReportWarning "${TEST_NO}" "All jails in Fail2ban are disabled" "${FAIL2BAN_CONFIG}"
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# These tests are temporarily disabled to split them up in different areas to check
|
|
#
|
|
# LogText "Result: found configuration file (${FAIL2BAN_CONFIG})"
|
|
#
|
|
# # Check email alert configuration
|
|
# LogText "Test: checking for email actions within ${FAIL2BAN_CONFIG}"
|
|
#
|
|
# FIND=$(${EGREPBINARY} "^action = \%\(action_m.*\)s" ${FAIL2BAN_CONFIG})
|
|
# FIND2=$(${EGREPBINARY} "^action = \%\(action_\)s" ${FAIL2BAN_CONFIG})
|
|
#
|
|
# if [ ! "${FIND}" = "" ]; then
|
|
# FAIL2BAN_EMAIL=1
|
|
# LogText "Result: found at least one jail which sends an email alert"
|
|
# fi
|
|
#
|
|
# if [ ! "${FIND2}" = "" ]; then
|
|
# FAIL2BAN_SILENT=1
|
|
# LogText "Result: found at least one jail which does NOT send an email alert"
|
|
# fi
|
|
#
|
|
# if [ ${FAIL2BAN_SILENT} -eq 0 ] && [ ${FAIL2BAN_EMAIL} -eq 0 ]; then
|
|
# LogText "No registered actions found in ${FAIL2BAN_CONFIG}"
|
|
# Display --indent 4 --text "- Checking Fail2ban actions" --result "${STATUS_NONE}" --color RED
|
|
# ReportWarning "${TEST_NO}" "${FAIL2BAN_CONFIG}" "There are no actions configured for Fail2ban."
|
|
# AddHP 0 3
|
|
# fi
|
|
#
|
|
# if [ ${FAIL2BAN_SILENT} -eq 0 ] && [ ${FAIL2BAN_EMAIL} -eq 1 ]; then
|
|
# LogText "All actions in ${FAIL2BAN_CONFIG} are configured to send email alerts"
|
|
# Display --indent 4 --text "- Checking Fail2ban actions" --result "${STATUS_OK}" --color GREEN
|
|
# AddHP 3 3
|
|
# fi
|
|
#
|
|
# if [ ${FAIL2BAN_SILENT} -eq 1 ] && [ ${FAIL2BAN_EMAIL} -eq 1 ]; then
|
|
# LogText "Some actions found in ${FAIL2BAN_CONFIG} are configured to send email alerts"
|
|
# Display --indent 4 --text "- Checking Fail2ban actions" --result PARTIAL --color YELLOW
|
|
# ReportSuggestion "${TEST_NO}" "Some Fail2ban jails are configured with non-notified actions. Consider changing these to emailed alerts."
|
|
# AddHP 2 3
|
|
# fi
|
|
#
|
|
# if [ ${FAIL2BAN_SILENT} -eq 1 ] && [ ${FAIL2BAN_EMAIL} -eq 0 ]; then
|
|
# LogText "None of the actions found in ${FAIL2BAN_CONFIG} are configured to send email alerts"
|
|
# Display --indent 4 --text "- Checking Fail2ban actions" --result "${STATUS_NONE}" --color YELLOW
|
|
# ReportSuggestion "${TEST_NO}" "None of the Fail2ban jails are configured to send email notifications. Consider changing these to emailed alerts."
|
|
# AddHP 1 3
|
|
# fi
|
|
#
|
|
# # Check at least one enabled jail
|
|
# LogText "Checking for enabled jails within ${FAIL2BAN_CONFIG}"
|
|
#
|
|
#
|
|
#
|
|
# # Confirm at least one iptables chain for fail2ban
|
|
#
|
|
# LogText "Checking for fail2ban iptables chains"
|
|
#
|
|
# if [ ! "${IPTABLESBINARY}" = "" ]; then
|
|
# CHECK_CHAINS=$(${IPTABLESBINARY} -L 2>&1 | ${GREPBINARY} fail2ban)
|
|
# if [ ! "${CHECK_CHAINS}" = "" ]; then
|
|
# LogText "Result: found at least one iptables chain for fail2ban"
|
|
# Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result "${STATUS_OK}" --color GREEN
|
|
# else
|
|
# LogText "Result: Fail2ban installed but iptables chain not present - fail2ban will not work"
|
|
# Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result "${STATUS_WARNING}" --color RED
|
|
# AddHP 0 3
|
|
# ReportSuggestion "${TEST_NO}" "Check config to see why iptables does not have a fail2ban chain" "${FAIL2BAN_CONFIG}"
|
|
# fi
|
|
# else
|
|
# Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result "${STATUS_WARNING}" --color RED
|
|
# ReportSuggestion "${TEST_NO}" "iptables doesn't seem to be installed; Fail2ban will not work. Remove Fail2ban or install iptables" "${FAIL2BAN_CONFIG}"
|
|
# fi
|
|
# fi
|
|
# fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : TOOL-5190
|
|
# Description : Check for an IDS/IPS tool
|
|
Register --test-no TOOL-5190 --weight L --network NO --category security --description "Check presence of IDS/IPS tool"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
|
|
if [ ${IDS_IPS_TOOL_FOUND} -eq 1 ]; then
|
|
Display --indent 2 --text "- Checking for IDS/IPS tooling" --result "${STATUS_FOUND}" --color GREEN
|
|
AddHP 2 2
|
|
else
|
|
Display --indent 2 --text "- Checking for IDS/IPS tooling" --result "${STATUS_NONE}" --color YELLOW
|
|
#ReportSuggestion ${TEST_NO} "Install and configure automated intrusion detection/prevention tools"
|
|
AddHP 0 2
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Backup tools
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Netvault
|
|
# Rsync in cron
|
|
#
|
|
#################################################################################
|
|
#
|
|
Report "automation_tool_present=${AUTOMATION_TOOL_FOUND}"
|
|
|
|
|
|
WaitForKeyPress
|
|
#
|
|
#================================================================================
|
|
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
|