lynis/include/tests_banners

177 lines
8.3 KiB
Bash

#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Banners and identification
#
#################################################################################
#
InsertSection "${SECTION_BANNERS_AND_IDENTIFICATION}"
#
#################################################################################
#
BANNER_FILES="${ROOTDIR}etc/issue ${ROOTDIR}etc/issue.net ${ROOTDIR}etc/motd"
LEGAL_BANNER_STRINGS="audit access authori condition connect consent continu criminal enforce evidence forbidden intrusion law legal legislat log monitor owner penal policy policies privacy private prohibited record restricted secure subject system terms warning"
#
#################################################################################
#
# Test : BANN-7113
# Description : Check FreeBSD COPYRIGHT banner file
Register --test-no BANN-7113 --os FreeBSD --weight L --network NO --category security --description "Check COPYRIGHT banner file"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Testing existence ${ROOTDIR}COPYRIGHT or ${ROOTDIR}etc/COPYRIGHT"
if [ -f ${ROOTDIR}COPYRIGHT ]; then
Display --indent 2 --text "- ${ROOTDIR}COPYRIGHT" --result "${STATUS_FOUND}" --color GREEN
if [ -s ${ROOTDIR}COPYRIGHT ]; then
LogText "Result: ${ROOTDIR}COPYRIGHT available and contains text"
else
LogText "Result: ${ROOTDIR}COPYRIGHT available, but empty"
fi
else
Display --indent 2 --text "- ${ROOTDIR}COPYRIGHT" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: ${ROOTDIR}COPYRIGHT not found"
fi
if [ -f ${ROOTDIR}etc/COPYRIGHT ]; then
Display --indent 2 --text "- ${ROOTDIR}etc/COPYRIGHT" --result "${STATUS_FOUND}" --color GREEN
if [ -s ${ROOTDIR}etc/COPYRIGHT ]; then
LogText "Result: ${ROOTDIR}etc/COPYRIGHT available and contains text"
else
LogText "Result: ${ROOTDIR}etc/COPYRIGHT available, but empty"
fi
else
Display --indent 2 --text "- ${ROOTDIR}etc/COPYRIGHT" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: ${ROOTDIR}etc/COPYRIGHT not found"
fi
fi
#
#################################################################################
#
# Test : BANN-7124
# Description : Check issue banner file
Register --test-no BANN-7124 --weight L --network NO --category security --description "Check issue banner file"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking file ${ROOTDIR}etc/issue"
if [ -f ${ROOTDIR}etc/issue ]; then
# Check for symlink
if [ -L ${ROOTDIR}etc/issue ]; then
LogText "Result: file ${ROOTDIR}etc/issue exists (symlink)"
Display --indent 2 --text "- ${ROOTDIR}etc/issue" --result SYMLINK --color GREEN
else
Display --indent 2 --text "- ${ROOTDIR}etc/issue" --result "${STATUS_FOUND}" --color GREEN
fi
else
LogText "Result: file ${ROOTDIR}etc/issue does not exist"
Display --indent 2 --text "- ${ROOTDIR}etc/issue" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
#################################################################################
#
# Test : BANN-7126
# Description : Check issue file to see if it contains some form of message
# to discourage unauthorized users to leave the system alone
if [ -f ${ROOTDIR}etc/issue ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no BANN-7126 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check issue banner file contents"
if [ ${SKIPTEST} -eq 0 ]; then
COUNT=0
FILE="${ROOTDIR}etc/issue"
LogText "Test: Checking file ${FILE} contents for legal key words"
for ITEM in ${LEGAL_BANNER_STRINGS}; do
FIND=$(${GREPBINARY} -i "${ITEM}" ${FILE})
if HasData "${FIND}"; then
LogText "Result: found string '${ITEM}'"
COUNT=$((COUNT + 1))
fi
done
# Check if we have 5 or more key words
if [ ${COUNT} -gt 4 ]; then
LogText "Result: Found ${COUNT} key words (5 or more suggested), to warn unauthorized users"
Display --indent 4 --text "- ${FILE} contents" --result "${STATUS_OK}" --color GREEN
AddHP 2 2
else
LogText "Result: Found only ${COUNT} key words (5 or more suggested), to warn unauthorized users and could be increased"
Display --indent 4 --text "- ${FILE} contents" --result "${STATUS_WEAK}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Add a legal banner to ${FILE}, to warn unauthorized users"
AddHP 0 1
Report "weak_banner_file[]=${FILE}"
fi
fi
#
#################################################################################
#
# Test : BANN-7128
# Description : Check issue.net banner file
Register --test-no BANN-7128 --weight L --network NO --category security --description "Check issue.net banner file"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking file ${ROOTDIR}etc/issue.net"
if [ -f ${ROOTDIR}etc/issue.net ]; then
# Check for symlink
if [ -L ${ROOTDIR}etc/issue.net ]; then
LogText "Result: file ${ROOTDIR}etc/issue.net exists (symlink)"
Display --indent 2 --text "- ${ROOTDIR}etc/issue.net" --result SYMLINK --color GREEN
else
LogText "Result: file ${ROOTDIR}etc/issue.net exists"
Display --indent 2 --text "- ${ROOTDIR}etc/issue.net" --result "${STATUS_FOUND}" --color GREEN
fi
else
LogText "Result: file ${ROOTDIR}etc/issue.net does not exist"
Display --indent 2 --text "- ${ROOTDIR}etc/issue.net" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
#################################################################################
#
# Test : BANN-7130
# Description : Check issue.net file to see if it contains some form of message
# to discourage unauthorized users to leave the system alone
if [ -f ${ROOTDIR}etc/issue.net ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no BANN-7130 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check issue.net banner file contents"
if [ ${SKIPTEST} -eq 0 ]; then
COUNT=0
LogText "Test: Checking file ${ROOTDIR}etc/issue.net contents for legal key words"
for ITEM in ${LEGAL_BANNER_STRINGS}; do
FIND=$(${GREPBINARY} -i "${ITEM}" ${ROOTDIR}etc/issue.net)
if HasData "${FIND}"; then
LogText "Result: found string '${ITEM}'"
COUNT=$((COUNT + 1))
fi
done
# Check if we have 5 or more key words
if [ ${COUNT} -gt 4 ]; then
LogText "Result: Found ${COUNT} key words, to warn unauthorized users"
Display --indent 4 --text "- ${ROOTDIR}etc/issue.net contents" --result "${STATUS_OK}" --color GREEN
AddHP 2 2
else
LogText "Result: Found only ${COUNT} key words, to warn unauthorized users and could be increased"
Display --indent 4 --text "- ${ROOTDIR}etc/issue.net contents" --result "${STATUS_WEAK}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Add legal banner to /etc/issue.net, to warn unauthorized users"
AddHP 0 1
fi
fi
#
#################################################################################
#
WaitForKeyPress
#
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com