tyler.durden/lynis
1
0
Fork 0
mirror of https://github.com/CISOfy/lynis.git synced 2025-07-31 01:34:23 +02:00
Code Issues Packages Projects Releases Wiki Activity
lynis/include/tests_logging
hlein b595cc0fb5 Various cleanups (#363) 
* Typo fix.

* Style change: always use $(), never ``.

The Lynis code already mostly used $(), but backticks were sprinkled
around.  Converted all of them.

* Lots of minor spelling/typo fixes.

FWIW these were found with:

  find . -type f -print0 | xargs -0 cat | aspell list | sort -u | egrep '^[a-z]+$' | less

And then reviewing the list to pick out things that looked like
misspelled words as opposed to variables, etc., and then manual
inspection of context to determine the intention.
2017-03-06 07:41:21 +00:00

545 lines
27 KiB
Bash
Raw Permalink Blame History

#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2017, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Logging and related files
#
#################################################################################
#
LOG_FILES_LOCS="${ROOTDIR}var/log ${ROOTDIR}var/adm"
LOGROTATE_CONFIG_FOUND=0
LOGROTATE_TOOL=""
METALOG_RUNNING=0
RFC3195D_RUNNING=0
RSYSLOG_RUNNING=0
SOLARIS_LOGHOST_FOUND=0
SYSLOG_DAEMON_PRESENT=0
SYSLOG_DAEMON_RUNNING=0
SYSLOG_NG_RUNNING=0
SYSTEMD_JOURNAL_RUNNING=0
#
#################################################################################
#
InsertSection "Logging and files"
# Test : LOGG-2130
# Description : Check for a running syslog daemon
Register --test-no LOGG-2130 --weight L --network NO --category security --description "Check for running syslog daemon"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching for a logging daemon"
FIND=$(${PSBINARY} ax | ${EGREPBINARY} "syslogd|syslog-ng|metalog|systemd-journal" | ${GREPBINARY} -v "grep")
if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Checking for a running log daemon" --result "${STATUS_WARNING}" --color RED
LogText "Result: Could not find a syslog daemon like syslog, syslog-ng, rsyslog, metalog, systemd-journal"
ReportSuggestion ${TEST_NO} "Check if any syslog daemon is running and correctly configured."
AddHP 0 3
else
Display --indent 2 --text "- Checking for a running log daemon" --result "${STATUS_OK}" --color GREEN
LogText "Result: Found a logging daemon"
SYSLOG_DAEMON_PRESENT=1
SYSLOG_DAEMON_RUNNING=1
AddHP 3 3
fi
fi
#
#################################################################################
#
# Test : LOGG-2132
# Description : Check for a running syslog-ng daemon
Register --test-no LOGG-2132 --weight L --network NO --category security --description "Check for running syslog-ng daemon"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching for syslog-ng daemon in process list"
IsRunning syslog-ng
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: Found syslog-ng in process list"
Display --indent 4 --text "- Checking Syslog-NG status" --result "${STATUS_FOUND}" --color GREEN
SYSLOG_DAEMON_PRESENT=1
SYSLOG_NG_RUNNING=1
Report "syslog_daemon_present=1"
Report "syslog_daemon[]=syslog-ng"
else
LogText "Result: Syslog-ng NOT found in process list"
Display --indent 4 --text "- Checking Syslog-NG status" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
#################################################################################
#
# Test : LOGG-2134
# Description : Check for Syslog-NG configuration file consistency
if [ ! "${SYSLOGNGBINARY}" = "" -a ${SYSLOG_NG_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2134 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking Syslog-NG configuration file consistency"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${SYSLOGNGBINARY} -s; echo $?)
if [ "${FIND}" = "0" ]; then
LogText "Result: Syslog-NG configuration file seems to be consistent"
Display --indent 6 --text "- Checking Syslog-NG consistency" --result "${STATUS_OK}" --color GREEN
else
LogText "Result: Syslog-NG configuration file seems NOT to be consistent"
Display --indent 6 --text "- Checking Syslog-NG consistency" --result "${STATUS_WARNING}" --color RED
ReportSuggestion ${TEST_NO} "Check the Syslog-NG configuration file and/or run a manual consistency check with: syslog-ng -s"
fi
fi
#
#################################################################################
#
# Test : LOGG-2136
# Description : Check for a running systemd-journal daemon
Register --test-no LOGG-2136 --weight L --network NO --category security --description "Check for running systemd journal daemon"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching for systemd journal daemon in process list"
IsRunning systemd-journal
if [ ${RUNNING} -eq 1 ]; then
Display --indent 4 --text "- Checking systemd journal status" --result "${STATUS_FOUND}" --color GREEN
SYSTEMD_JOURNAL_RUNNING=1
Report "syslog_daemon_present=1"
Report "syslog_daemon[]=systemd-journal"
else
Display --indent 4 --text "- Checking systemd journal status" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
#################################################################################
#
# Test : LOGG-2210
# Description : Check for a running metalog daemon
Register --test-no LOGG-2210 --weight L --network NO --category security --description "Check for running metalog daemon"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching for metalog daemon in process list"
IsRunning metalog
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: Found metalog in process list"
Display --indent 4 --text "- Checking Metalog status" --result "${STATUS_FOUND}" --color GREEN
SYSLOG_DAEMON_PRESENT=1
METALOG_RUNNING=1
Report "syslog_daemon_present=1"
Report "syslog_daemon[]=metalog"
else
LogText "Result: metalog NOT found in process list"
Display --indent 4 --text "- Checking Metalog status" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
#################################################################################
#
# Test : LOGG-2230
# Description : Check for a running rsyslog daemon
Register --test-no LOGG-2230 --weight L --network NO --category security --description "Check for running RSyslog daemon"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching for RSyslog daemon in process list"
IsRunning rsyslogd
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: Found rsyslogd in process list"
Display --indent 4 --text "- Checking RSyslog status" --result "${STATUS_FOUND}" --color GREEN
SYSLOG_DAEMON_PRESENT=1
RSYSLOG_RUNNING=1
Report "syslog_daemon_present=1"
Report "syslog_daemon[]=rsyslog"
else
LogText "Result: rsyslogd NOT found in process list"
Display --indent 4 --text "- Checking RSyslog status" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
#################################################################################
#
# Test : LOGG-2240
# Description : Check for a running RFC 3195 compliant daemon (syslog via TCP)
Register --test-no LOGG-2240 --weight L --network NO --category security --description "Check for running RFC 3195 compliant daemon"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching for RFC 3195 daemon (alias syslog reliable) in process list"
IsRunning rfc3195d
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: Found rfc3195d in process list"
Display --indent 4 --text "- Checking RFC 3195 daemon status" --result "${STATUS_FOUND}" --color GREEN
SYSLOG_DAEMON_PRESENT=1
RFC3195D_RUNNING=1
else
LogText "Result: rfc3195d NOT found in process list"
Display --indent 4 --text "- Checking RFC 3195 daemon status" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
#################################################################################
#
# Test : LOGG-2138
# Description : Check for kernel log daemon (klogd) presence on Linux systems
# Notes : * When using rsyslog or systemd (systemd-journal), this process is not needed.
# * In combination with syslog-ng, klogd is still an addition to it, since it
# captures kernel related events and send them to syslog-ng.
# * This test should be below all other logging daemons
Register --test-no LOGG-2138 --os Linux --weight L --network NO --category security --description "Checking kernel logger daemon on Linux"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching kernel logger daemon (klogd)"
if [ ${RSYSLOG_RUNNING} -eq 0 -a ${SYSTEMD_JOURNAL_RUNNING} -eq 0 ]; then
# Search for klogd, but ignore other lines related to klogd (like dd with input/output file)
#FIND=$(${PSBINARY} ax | ${GREPBINARY} "klogd" | ${GREPBINARY} -v "dd" | ${GREPBINARY} -v "grep")
IsRunning klogd
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: klogd running"
Display --indent 4 --text "- Checking klogd" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: No klogd found"
Display --indent 4 --text "- Checking klogd" --result "${STATUS_NOT_FOUND}" --color RED
ReportWarning ${TEST_NO} "klogd is not running, which could lead to missing kernel messages in log files"
fi
else
LogText "Result: test skipped, because other facility is being used to log kernel messages"
fi
fi
#
#################################################################################
#
# Test : LOGG-2142
# Description : Check for minilogd presence on Linux systems
Register --test-no LOGG-2142 --os Linux --weight L --network NO --category security --description "Checking minilog daemon"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Result: Checking for unkilled minilogd instances"
# Search for minilogd. It shouldn't be running normally, if another syslog daemon is started
IsRunning minilogd
if [ ${RUNNING} -eq 0 ]; then
Display --indent 4 --text "- Checking minilogd instances" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: No minilogd is running"
else
Display --indent 4 --text "- Checking minilogd instances" --result "${STATUS_WARNING}" --color RED
LogText "Result: minilogd found in process list"
# minilogd daemon seems to be running
ReportWarning ${TEST_NO} "minilogd is running, which should normally not be running"
fi
fi
#
#################################################################################
#
# Test : LOGG-2146
# Description : Check for logrotate (/etc/logrotate.conf and logrotate.d)
Register --test-no LOGG-2146 --weight L --os Linux --network NO --category security --description "Checking logrotate.conf and logrotate.d"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking for ${ROOTDIR}etc/logrotate.conf"
if [ -f ${ROOTDIR}etc/logrotate.conf ]; then
LOGROTATE_CONFIG_FOUND=1
LOGROTATE_TOOL="logrotate"
LogText "Result: ${ROOTDIR}etc/logrotate.conf found (file)"
else
LogText "Result: ${ROOTDIR}etc/logrotate.conf NOT found"
fi
LogText "Test: Checking for ${ROOTDIR}etc/logrotate.d (directory)"
if [ -d ${ROOTDIR}etc/logrotate.d ]; then
LOGROTATE_CONFIG_FOUND=1
LOGROTATE_TOOL="logrotate"
LogText "Result: ${ROOTDIR}etc/logrotate.d found"
else
LogText "Result: ${ROOTDIR}etc/logrotate.conf found"
fi
if [ ${LOGROTATE_CONFIG_FOUND} -eq 1 ]; then
Display --indent 2 --text "- Checking logrotate presence" --result "${STATUS_OK}" --color GREEN
LogText "Result: logrotate configuration found"
else
Display --indent 2 --text "- Checking logrotate presence" --result "${STATUS_WARNING}" --color RED
LogText "Result: No logrotate configuration found"
ReportSuggestion ${TEST_NO} "Check if log files are properly rotated"
fi
fi
#
#################################################################################
#
# Test : LOGG-2148
# Description : Checking log files rotated with logrotate
if [ ! -z "${LOGROTATEBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2148 --weight L --preqs-met ${PREQS_MET} --network NO --category security --description "Checking logrotated files"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking which files are rotated with logrotate and if they exist"
FIND=$(${LOGROTATEBINARY} -d -v ${ROOTDIR}etc/logrotate.conf 2>&1 | ${EGREPBINARY} "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2!="log") { print "File:"$2":does_not_exist" } else { print "File:"$3":exists" } }')
if [ -z "${FIND}" ]; then
LogText "Result: nothing found"
else
LogText "Result: found one or more files which are rotated via logrotate"
for I in ${FIND}; do
LogText "Output: ${I}"
done
fi
fi
#
#################################################################################
#
# Test : LOGG-2150
# Description : Checking log directories rotated with logrotate
if [ ! "${LOGROTATEBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2150 --weight L --preqs-met ${PREQS_MET} --network NO --category security --description "Checking directories in logrotate configuration"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking which directories can be found in logrotate configuration"
FIND=$(${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | ${EGREPBINARY} "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="log") { print $3 } }' | ${SEDBINARY} 's@/[^/]*$@@g' | ${SORTBINARY} -u)
if [ "${FIND}" = "" ]; then
LogText "Result: nothing found"
else
LogText "Result: found one or more directories (via logrotate configuration)"
for I in ${FIND}; do
if [ -d ${I} ]; then
LogText "Directory found: ${I}"
Report "log_directory[]=${I}"
else
LogText "Directory could not be found: ${I}"
fi
done
fi
fi
#
#################################################################################
#
# Test : LOGG-2152
# Description : Check for Solaris 'loghost' entry in /etc/inet/hosts, or
# succesful resolving via DNS or any other name service.
Register --test-no LOGG-2152 --weight L --os Solaris --network NO --category security --description "Checking loghost"
if [ ${SKIPTEST} -eq 0 ]; then
# Try local hosts file
LogText "Result: Checking for loghost in /etc/inet/hosts"
FIND=$(${GREPBINARY} loghost /etc/inet/hosts | ${GREPBINARY} -v "^#")
if [ ! -z "${FIND}" ]; then
SOLARIS_LOGHOST_FOUND=1
LogText "Result: Found loghost entry in /etc/inet/hosts"
else
LogText "Result: No loghost entry found in /etc/inet/hosts"
# Try name resolving if no entry is present in local host file
LogText "Result: Checking for loghost via name resolving"
FIND=$(getent hosts loghost | ${GREPBINARY} loghost)
if [ ! -z "${FIND}" ]; then
SOLARIS_LOGHOST_FOUND=1
LogText "Result: name resolving was succesful"
LogText "Output: ${FIND}"
else
LogText "Result: name resolving didn't find results"
fi
fi
if [ ${SOLARIS_LOGHOST_FOUND} -eq 1 ]; then
LogText "Result: loghost entry found and most likely used to send syslog messages"
Display --indent 2 --text "- Checking loghost entry" --result "${STATUS_OK}" --color GREEN
else
Display --indent 2 --text "- Checking loghost entry" --result "${STATUS_WARNING}" --color RED
LogText "Result: No loghost entry found"
ReportWarning ${TEST_NO} "No loghost entry found"
ReportSuggestion ${TEST_NO} "Add a loghost entry to /etc/inet/hosts or other name services"
fi
fi
#
#################################################################################
#
# Test : LOGG-2154
# Description : Check to see if remote logging is enabled
# Notes : prevent lines showing up with commands in it (like |mail)
if [ ${SYSLOG_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2154 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking syslog configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ${SYSLOG_NG_RUNNING} -eq 1 ]; then
SYSLOGD_CONF="/etc/syslog-ng/syslog-ng.conf"
else
SYSLOGD_CONF="/etc/syslog.conf"
fi
if [ -f ${SYSLOGD_CONF} ]; then
LogText "Test: check if logs are also logged to a remote logging host"
FIND=$(${EGREPBINARY} "@[a-zA-Z0-9]|destination\s.+(udp|tcp).+\sport" ${SYSLOGD_CONF} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "[a-zA-Z0-9]@")
if [ ! -z "${FIND}" ]; then
LogText "Result: remote logging enabled"
REMOTE_LOGGING_ENABLED=1
else
# Search for configured destinations with an IP address or hostname, then determine which ones are used as a log destination
DESTINATIONS=$(${GREPBINARY} "^destination" ${SYSLOGD_CONF} | ${EGREPBINARY} "(udp|tcp)" | ${GREPBINARY} "port" | ${AWKBINARY} '{print $2}')
for DESTINATION in ${DESTINATIONS}; do
FIND2=$(${GREPBINARY} "log" | ${GREPBINARY} "source" | ${EGREPBINARY} "destination\(${DESTINATION}\)")
if [ ! -z "${FIND2}" = "" ]; then
LogText "Result: found destination ${DESTINATION} configured for remote logging"
REMOTE_LOGGING_ENABLED=1
fi
done
fi
if [ ${REMOTE_LOGGING_ENABLED} -eq 0 ]; then
LogText "Result: no remote logging found"
ReportSuggestion ${TEST_NO} "Enable logging to an external logging host for archiving purposes and additional protection"
AddHP 1 3
Display --indent 2 --text "- Checking remote logging" --result "NOT ENABLED" --color YELLOW
else
AddHP 5 5
Display --indent 2 --text "- Checking remote logging" --result "${STATUS_ENABLED}" --color GREEN
fi
else
LogText "Result: test skipped, file ${SYSLOGD_CONF} not found"
fi
fi
#
#################################################################################
#
# Test : LOGG-2160
# Description : Check for /etc/newsyslog.conf (FreeBSD/OpenBSD)
if [ -f ${ROOTDIR}etc/newsyslog.conf ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2160 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking /etc/newsyslog.conf"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Result: ${ROOTDIR}etc/newsyslog.conf found"
Display --indent 2 --text "- Checking ${ROOTDIR}etc/newsyslog.conf" --result "${STATUS_FOUND}" --color GREEN
LOGROTATE_CONFIG_FOUND=1
LOGROTATE_TOOL="newsyslog"
fi
#
#################################################################################
#
# Test : LOGG-2162
# Description : Check for directories in /etc/newsyslog.conf
if [ -f /etc/newsyslog.conf ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2162 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking directories in /etc/newsyslog.conf"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: parsing directories from /etc/newsyslog.conf file"
FIND=$(${AWKBINARY} '/^\// { print $1 }' /etc/newsyslog.conf | ${SEDBINARY} 's/\/*[a-zA-Z_.-]*$//g' | ${SORTBINARY} -u)
for I in ${FIND}; do
if [ -d ${I} ]; then
LogText "Result: Directory ${I} found and exists"
Report "log_directory[]=${I}"
else
LogText "Result: Item ${I} is not a directory"
fi
done
Display --indent 4 --text "- Checking log directories (newsyslog.conf)" --result "${STATUS_DONE}" --color GREEN
fi
#
#################################################################################
#
# Test : LOGG-2164
# Description : Check for files in /etc/newsyslog.conf
if [ -f ${ROOTDIR}etc/newsyslog.conf ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2164 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking files specified /etc/newsyslog.conf"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: parsing files from ${ROOTDIR}etc/newsyslog.conf file"
FIND=$(${AWKBINARY} '/^\// { print $1 }' ${ROOTDIR}etc/newsyslog.conf | ${SORTBINARY} -u)
for I in ${FIND}; do
if [ -f ${I} ]; then
LogText "Result: File ${I} found and exists"
else
LogText "Result: Item ${I} is not a file"
fi
done
Display --indent 4 --text "- Checking log files (newsyslog.conf)" --result "${STATUS_DONE}" --color GREEN
fi
#
#################################################################################
#
# Test : LOGG-2170
# Description : Search available log paths
Register --test-no LOGG-2170 --weight L --network NO --category security --description "Checking log paths"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching log paths"
for I in ${LOG_FILES_LOCS}; do
if [ -d ${I} ]; then
LogText "Result: directory ${I} exists"
Report "log_directory[]=${I}"
else
LogText "Result: directory ${I} can't be found"
fi
done
Display --indent 2 --text "- Checking log directories (static list)" --result "${STATUS_DONE}" --color GREEN
fi
#
#################################################################################
#
# Test : LOGG-2180
# Description : Search open log file
Register --test-no LOGG-2180 --weight L --network NO --category security --description "Checking open log files"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking open log files with lsof"
if [ ! -z "${LSOFBINARY}" ]; then
FIND=$(${LSOFBINARY} -n 2>&1 | ${GREPBINARY} "log$" | ${EGREPBINARY} -v "WARNING|Output information" | ${AWKBINARY} '{ if ($5=="REG") { print $9 } }' | ${SORTBINARY} -u | ${GREPBINARY} -v "^$")
for I in ${FIND}; do
LogText "Found logfile: ${I}"
Report "open_logfile[]=${I}"
done
Display --indent 2 --text "- Checking open log files" --result "${STATUS_DONE}" --color GREEN
else
LogText "Result: lsof not installed, skipping test"
Display --indent 2 --text "- Checking open log files" --result "${STATUS_SKIPPED}" --color YELLOW
# Add suggestion
fi
fi
#
#################################################################################
#
# Test : LOGG-2190
# Description : Checking deleted files
if [ ! "${LSOFBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2190 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for deleted files in use"
if [ ${SKIPTEST} -eq 0 ]; then
EARLY_MYSQL=""
LogText "Test: checking deleted files that are still in use"
LSOF_GREP="WARNING|Output information"
# MySQL versions prior to 5.6 leave lots of deleted in-use files in /tmp, ignoring those
if [ ! -z "${DPKGBINARY}" ]; then EARLY_MYSQL=$(${DPKGBINARY} -l | ${EGREPBINARY} mysql-server-5.[0-5]); fi
if [ ! -z "${EARLY_MYSQL}" ]; then LSOF_GREP="${LSOF_GREP}|mysqld"; fi
# grsecurity causes Fail2Ban to hold onto deleted in-use files in /var/tmp
if [ ${GRSEC_FOUND} -eq 1 ]; then LSOF_GREP="${LSOF_GREP}|fail2ban"; fi
if [ ${OS_REDHAT_OR_CLONE} -eq 1 ]; then
# If lynis is run from /etc/cron.daily some deleted in-use files are kept in /tmp
LSOF_GREP="${LSOF_GREP}|anacron|awk|run-parts"
fi
FIND=$(${LSOFBINARY} -n +L 1 2>&1 | ${EGREPBINARY} -vw "${LSOF_GREP}" | ${AWKBINARY} '{ if ($5=="REG") { printf "%s(%s)\n", $10, $1 } }' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u)
if [ ! -z "${FIND}" ]; then
LogText "Result: found one or more files which are deleted, but still in use"
for I in ${FIND}; do
LogText "Found deleted file: ${I}"
Report "deleted_file[]=${I}"
done
Display --indent 2 --text "- Checking deleted files in use" --result "FILES FOUND" --color YELLOW
ReportSuggestion ${TEST_NO} "Check what deleted files are still in use and why."
else
LogText "Result: no deleted files found"
Display --indent 2 --text "- Checking deleted files in use" --result "${STATUS_DONE}" --color GREEN
fi
fi
#
#################################################################################
#
# Test : LOGG-2192
# Description : Check for open log files which are empty. This may indicate a problem with log rotation, or unused services
if [ ! "${LSOFBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2192 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for open log files that are empty"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${LSOFBINARY} -n -w | ${AWKBINARY} '{if ($5=="REG" && $7=="0" && $9 ~ /log$/) {print $1","$9}}' | ${SORTBINARY} | uniq)
if [ ! -z "${FIND}" ]; then
for I in ${FIND}; do
LogText "Found an opened logfile that is empty: ${I}"
Report "open_empty_log_file[]=${I}"
done
else
LogText "Result: all opened log files are bigger than zero bytes in size"
fi
fi
#
#################################################################################
#
Report "log_rotation_config_found=${LOGROTATE_CONFIG_FOUND}"
Report "log_rotation_tool=${LOGROTATE_TOOL}"
WaitForKeyPress
#
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
Reference in New Issue View Git Blame Copy Permalink