github.com/CISOfy/lynis.git
author    Roland Smith <rsmith@xs4all.nl>  2015-09-16 21:29:51 +0300
committer Roland Smith <rsmith@xs4all.nl>  2015-09-16 21:29:51 +0300
commit    f11783dbdf4460317e8df7f975a15d5e9cd73bd2 (patch)
tree      68501ea8f3a14a184fcb34daf9cf0f762d4eba5c
parent    1bb5b4b0a69694e3e23aa9587a5c73884bd8c0d1 (diff)
parent    ba32017eea79ea61a1f4525c50af6badb9d8e13a (diff)
Merge branch 'master' into freebsd-services
-rw-r--r--  CHANGELOG                          251
-rw-r--r--  CONTRIBUTIONS.md                    39
-rw-r--r--  CONTRIBUTORS                        19
-rw-r--r--  FAQ                                 27
-rw-r--r--  README                              31
-rw-r--r--  README.md                           49
-rw-r--r--  db/fileperms.db                      3
-rw-r--r--  db/integrity.db                      2
-rw-r--r--  debian/README.Debian                 8
-rwxr-xr-x  debian/rules                         4
-rw-r--r--  default.prf                         46
-rw-r--r--  extras/README                        2
-rwxr-xr-x  extras/build-lynis.sh                4
-rw-r--r--  extras/lynis.spec                   42
-rw-r--r--  include/binaries                    39
-rw-r--r--  include/consts                     104
-rw-r--r--  include/data_upload                 36
-rw-r--r--  include/functions                  184
-rw-r--r--  include/helper_audit_dockerfile      3
-rw-r--r--  include/helper_update              266
-rw-r--r--  include/parameters                  33
-rw-r--r--  include/profiles                    54
-rw-r--r--  include/report                      49
-rw-r--r--  include/tests_accounting            62
-rw-r--r--  include/tests_authentication       336
-rw-r--r--  include/tests_banners               22
-rw-r--r--  include/tests_boot_services        152
-rw-r--r--  include/tests_containers           169
-rw-r--r--  include/tests_crypto                 7
-rw-r--r--  include/tests_custom.template       48
-rw-r--r--  include/tests_databases              2
-rw-r--r--  include/tests_file_integrity        71
-rw-r--r--  include/tests_file_permissions       6
-rw-r--r--  include/tests_filesystems          182
-rw-r--r--  include/tests_firewalls             41
-rw-r--r--  include/tests_hardening              2
-rw-r--r--  include/tests_hardening_tools       52
-rw-r--r--  include/tests_homedirs              22
-rw-r--r--  include/tests_insecure_services     15
-rw-r--r--  include/tests_kernel                26
-rw-r--r--  include/tests_kernel_hardening       6
-rw-r--r--  include/tests_ldap                   6
-rw-r--r--  include/tests_logging               14
-rw-r--r--  include/tests_mac_frameworks        28
-rw-r--r--  include/tests_mail_messaging        66
-rw-r--r--  include/tests_malware               78
-rw-r--r--  include/tests_memory_processes      21
-rw-r--r--  include/tests_nameservices          65
-rw-r--r--  include/tests_networking            33
-rw-r--r--  include/tests_php                   30
-rw-r--r--  include/tests_ports_packages       129
-rw-r--r--  include/tests_printers_spools        2
-rw-r--r--  include/tests_scheduling            26
-rw-r--r--  include/tests_shells                94
-rw-r--r--  include/tests_solaris                6
-rw-r--r--  include/tests_squid                 61
-rw-r--r--  include/tests_ssh                   82
-rw-r--r--  include/tests_storage               26
-rw-r--r--  include/tests_storage_nfs           12
-rw-r--r--  include/tests_tcpwrappers           47
-rw-r--r--  include/tests_time                  81
-rw-r--r--  include/tests_tooling               78
-rw-r--r--  include/tests_virtualization        56
-rw-r--r--  include/tests_webservers            43
-rw-r--r--  include/tool_tips                   40
-rwxr-xr-x  lynis                              164
-rw-r--r--  lynis.8                              83
67 files changed, 2196 insertions, 1691 deletions
diff --git a/CHANGELOG b/CHANGELOG
index fbb2dd02..f53d4435 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -8,60 +8,206 @@
Author: Michael Boelen (michael.boelen@cisofy.com)
Description: Security and system auditing tool
Website: https://cisofy.com/lynis/
- GitHub: https://github.com/CISOfy/Lynis
+ GitHub: https://github.com/CISOfy/lynis
- Support policy: See section 'Support' (README file);
+ Support policy: See section 'Support' in README file
Commercial support and plugins available via CISOfy
- https://cisofy.com
Documentation: See web site, README, FAQ and CHANGELOG file
================================================================================
- = Lynis 2.1.0 (2015-04-16) =
+ = Lynis 2.1.2 =
- General:
- ---------
- Screen output has been improved to provide additional information.
+ This is an major release, which includes both new features and enhancements to existing tests.
- OS support:
- ------------
- CUPS detection on Mac OS has been improved. AIX systems will now use csum
- utility to create host ID. Group check have been altered on AIX, to include
- the -n ALL. Core dump check on Linux is extended to check for actual values
- as well.
+ * Operating systems
+ Improved support for Debian 8
+ Don't show boot loader exception when a subset of tests is performed
- Software:
- ----------
- McAfee detection has been extended by detecting a running cma binary.
- Improved detection of pf firewall on BSD and Mac OS. Security patch checking
- with zypper extended.
+ * Screen output
+ Improved output for tests which before showed results as a warning, while actually are just suggestions
- Session timeout:
- -----------------
- Tests to determine shell time out setting have been extended to account for
- AIX, HP-UX and other platforms. It will now determine also if variable is
- exported as a readonly variable. Related compliance section PCI DSS 8.1.8
- has been extended.
+ * Virtual machines
+ Detection of virtual machines extended with vmtoolsd detection
- Documentation:
- ---------------
- - New document: Getting started with Lynis
- https://cisofy.com/documentation/lynis/get-started/
+ * Mount points
+ FILE-6374 is expanded to test for multiple common mount points and define best practice mount flags.
- Plugins (Enterprise):
- ----------------------
- - Update to file integrity plugin
- Changes to PLGN-2606 (capabilities check)
+ * Docker
+ Properly detect Docker on CoreOS systems, where it before gave error as it found directory /usr/libexec/docker
- - New configuration plugins:
- PLGN-4802 (SSH settings)
- PLGN-4804 (login.defs)
+ * UEFI and Secure Boot
+ Initial support to test UEFI settings, including Secure Boot option
+ Options boot_uefi_booted and boot_uefi_booted_secure added to report file
- Download link: https://cisofy.com/download/lynis/
+ * Authentication
+ Depending on the operating system, Lynis now tries to determine if failed logins are properly logged. This includes
+ checking for /etc/login.defs [AUTH-9408]
+
+ report option: auth_failed_logins_logged
+ **** ^ NEEDS more tests ###################################
+
+ * DNS and Name services
+ Support added for Unbound DNS caching tool [NAME-4034]
+ Configuration check for Unbound [NAME-4036]
+ Record if a name caching utility is being used like nscd or Unbound. Also logging to report as field name_cache_used
+
+ * Firewalls
+ IPFW firewall on FreeBSD test improved
+
+ * Individual tests
+ BOOT-5180 now only gets executed if runlevel 2 is found
+ AUTH-9328 show correct message when no umask is found in /etc/profile, including correct logging entries
+ AUTH-9204 now excludes NIS entries to avoid false positives
+ TIME-3104 Only shows suggestion now on FreeBSD if ntpdate is configured, yet ntpd isn't running
+ FILE-6410 Added /var/lib/locatedb as search path
+
+ Don't wait when using pentest mode in quick mode
+ Data uploads: provide help when self-signed certificates are used
+
+
+
+ 8888888888888888888888888
+ implement base64
+ 8888888888888888888888888
+
+
+ * Plugins
+ ---------
+ [PLGN-2804] Limit report output of EXT file systems to 1 item per line
+
+ --------------------------------------------------------------
+
+ = Lynis 2.1.1 (2015-07-22) =
+
+ This release adds a lot of improvements, with focus on performance, and
+ additional support for common Linux distributions and external utilities.
+ We recommend to use this latest version.
+
+ * Operating system enhancements
+ -------------------------------
+ Support for systems like CentOS, openSUSE, Slackware is improved.
+
+ * Performance
+ -------------
+ Performance tuning has been applied, to speed up execution of the audit on
+ systems with many files. This also includes code cleanups.
+
+ * Automatic updates
+ -------------------
+ Initial work on an automatic updater has been implemented. This way Lynis
+ can be scheduled for automatic updating from a trusted source.
+
+ * Internal functions
+ --------------------
+ Not all systems have readlink, or the -f option of readlink. The
+ ShowSymlinkPath function has been extended with a Python based check, which
+ is often available.
+
+ * Software support
+ ------------------
+ Apache module directory /usr/lib64/apache has been added, which is used on
+ openSUSE.
+
+ Support for Chef has been added.
+
+ Added tests for CSF's lfd utility for integrity monitoring on directories and
+ files. Related tests are FINT-4334 and FINT-4336.
+
+ Added support for Chrony time daemon and timesync daemon. Additionally NTP
+ sychronization status is checked when it is enabled.
+
+ Improved single user mode protection on the rescue.service file.
+
+ * Other
+ -------
+ Check for user permissions has been extended.
+ Python binary is now detected, to help with symlink detection.
+ Several new legal terms have been added, which are used for usage in banners.
+ In several files old tests have been removed, to further clean up the code.
+
+ * Bug fixes
+ ---------
+ Nginx test showed error when access_log had multiple parameters.
+ Tests using locate won't be performed if not present.
+ Fix false positive match on Squid unsafe ports [SQD-3624].
+ The hardening index is now also inserted into the report if it is not displayed
+ on screen.
+
+ * Functions
+ ---------
+ Added AddSystemGroup function
+
+ * New tests
+ ---------
+ Several new tests have been added:
+
+ [PKGS-7366] Scan for debsecan utility on Debian systems
+ [PKGS-7410] Determine amount of installed kernel packages
+ [TIME-3106] Check synchronization status of NTP on systemd based systems
+ [CONT-8102] Docker daemon status and gather basic details
+ [CONT-8104] Check docker info for any Docker warnings
+ [CONT-8106] Check total, running and unused Docker containers
+
+ * Plugins
+ ---------
+ [PLGN-2602] Disabled by default, as it may be too slow for some machines
+ [PLGN-3002] Extended with /sbin/nologin
+
+ * Documentation
+ ---------------
+ A new document has been created to help with the process of upgrading Lynis.
+ It is available at https://cisofy.com/documentation/lynis/upgrading/
--------------------------------------------------------------
+
+ = Lynis 2.1.0 (2015-04-16) =
+
+ * General
+ ---------
+ Screen output has been improved to provide additional information.
+
+ * OS support
+ ------------
+ CUPS detection on Mac OS has been improved. AIX systems will now use csum
+ utility to create host ID. Group check have been altered on AIX, to include
+ the -n ALL. Core dump check on Linux is extended to check for actual values
+ as well.
+
+ * Software
+ ----------
+ McAfee detection has been extended by detecting a running cma binary.
+ Improved detection of pf firewall on BSD and Mac OS. Security patch checking
+ with zypper extended.
+
+ * Session timeout
+ -----------------
+ Tests to determine shell time out setting have been extended to account for
+ AIX, HP-UX and other platforms. It will now determine also if variable is
+ exported as a readonly variable. Related compliance section PCI DSS 8.1.8
+ has been extended.
+
+ * Documentation
+ ---------------
+ - New document: Getting started with Lynis
+ https://cisofy.com/documentation/lynis/get-started/
+
+ * Plugins (Enterprise)
+ ----------------------
+ - Update to file integrity plugin
+ Changes to PLGN-2606 (capabilities check)
+
+ - New configuration plugins:
+ PLGN-4802 (SSH settings)
+ PLGN-4804 (login.defs)
+
+ Download link: https://cisofy.com/download/lynis/
+
+ --------------------------------------------------------------
+
+
= Lynis 2.0.0 (2015-02-25) =
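Review bot: the new 2.1.2 entry still carries draft markers that must not ship in a CHANGELOG: the line "**** ^ NEEDS more tests ###################################" under the AUTH-9408 item, and the "8888888888888888888888888 / implement base64 / 8888888888888888888888888" block between the individual tests and the Plugins section. Either finish those items or drop the markers before this is released. While at it: the 2.1.2 header has no release date unlike every other entry, "This is an major release" should read "a major release" (and 2.1.2 is a point release), and "NTP sychronization status" in the 2.1.1 entry should be "synchronization".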
@@ -835,7 +981,7 @@
- Added Squid test: reply_body_max_size option [SQD-3630]
- Added /etc/init.d/rc and /etc/init.d/rcS to umask test [AUTH-9328]
- Check PHP option allow_url_include [PHP-2378]
-
+
Changes:
- Extended possible Squid configuration file locations
- Added additional sysctl keys to default profile
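Review bot: this hunk, and the remaining CHANGELOG hunks down to the 1.0.0 entry, only strip trailing whitespace from blank or otherwise unchanged lines (the changed lines are byte-identical apart from trailing spaces). Whitespace-only cleanups are far easier to verify in their own commit; mixing them into a merge that also adds the 2.1.1 and 2.1.2 entries hides the real content changes among dozens of no-op hunks.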
@@ -1012,7 +1158,7 @@
- nginx configuration file check [HTTP-6704]
- Exim status check [MAIL-8802]
- Postfix status check [MAIL-8814]
-
+
Changes:
- atd needs to run before testing at files [SCHD-7720]
- Removed Solaris OS requirement from logrotate test [LOGG-2148]
@@ -1022,7 +1168,7 @@
- Binary scan optimized and partially combined with other check
- Only perform iptables tests if kernel module is active
- Don't show message when /etc/shells can't be found [SHLL-6211]
- - Check /var/spool/cron/crontabs first, if it exists [SCHD-7704]
+ - Check /var/spool/cron/crontabs first, if it exists [SCHD-7704]
- Renumbered FreeBSD test SHLL-7225 [SHLL-6202]
- Renumbered malware test MALW-3292 [HRDN-7230]
- Improved grep on process status [PRNT-2304]
@@ -1212,10 +1358,10 @@
New:
- New test: Passwordless Solaris accounts test [AUTH-9254]
- New test: AFICK file integrity [FINT-4310]
- - New test: AIDE file integrity [FINT-4314]
- - New test: Osiris file integrity [FINT-4318]
- - New test: Samhain file integrity [FINT-4322]
- - New test: Tripwire file integrity [FINT-4326]
+ - New test: AIDE file integrity [FINT-4314]
+ - New test: Osiris file integrity [FINT-4318]
+ - New test: Samhain file integrity [FINT-4322]
+ - New test: Tripwire file integrity [FINT-4326]
- New tests: NIS and NIS+ authentication test [AUTH-9240/42]
- Initial support added for AFICK, AIDE, Osiris, Samhain, Tripwire
@@ -1241,12 +1387,12 @@
- New test: Promiscuous network interfaces (Linux) [NETW-3015]
- Report option 'bootloader' added to several tests
- Added readlink binary check
-
+
Changes:
- Extended file check (IsWorldWritable) for symlinks
- Show result if no default gateway is found [NETW-3001]
- Added /usr/local/etc to sudoers test [AUTH-9250]
- - Improved FreeBSD banner output [BANN-7113]
+ - Improved FreeBSD banner output [BANN-7113]
- Removed incorrect line at promiscuous interface test [NETW-3014]
- Fix: Show only once the GRUB test output [BOOT-5121]
- Fix: Typo in NTP test [TIME-3104]
@@ -1294,7 +1440,7 @@
- New test: checking for heavy IO waiting processes [PROC-3614]
- Initial HP-UX support (untested)
- Initial AIX support (untested)
- - Added iptables binary check
+ - Added iptables binary check
- Added dig check, for DNS related tests
- Added option --no-colors to remove all colors from screen output
- Added option --reverse-colors for optimizing output at light backgrounds
@@ -1314,7 +1460,7 @@
- Several tests have their warning reporting improved
- Improved SuSE Linux detection
- Improved syslog-ng detection
- - Adjusted README with link to online (extended) documentation
+ - Adjusted README with link to online (extended) documentation
--
@@ -1324,7 +1470,7 @@
- New test: Check writable startup scripts [BOOT-5184]
- New test: Syslog-NG consistency check [LOGG-2134]
- New test: Check yum-utils package and scanning package database [PKGS-7384]
- - New test: Test for empty ruleset when iptables is loaded [FIRE-4512]
+ - New test: Test for empty ruleset when iptables is loaded [FIRE-4512]
- New test: Check for expired SSL certificates [CRYP-7902]
- New test: Check for LDAP authentication support [AUTH-9238]
- New test: Read available crontab/cron files [SCHD-7704]
@@ -1363,7 +1509,7 @@
* 1.1.5 (2008-06-10)
New:
- - Assigned ID to Apache configuration file test [HTTP-6624]
+ - Assigned ID to Apache configuration file test [HTTP-6624]
- Added pause_between_tests to profile file, to regulate the speed of a scan
- Assigned ID to dpkg test and solved issue with colon in package names [PKG-7345]
- Assigned ID to Solaris package test [PKG-7306]
@@ -1646,12 +1792,12 @@
--
* 1.0.3 (2007-11-19)
-
+
New:
- Added check for sockstat
- Test: added test for GRUB and password option
- Test: query listening ports (sockstat)
-
+
Changes:
- Fixed NTPd check (bug)
- Extended help for 'double installed package' check (BSD systems, pkg_info)
@@ -1703,7 +1849,7 @@
Changes:
- [bug] Changed skel directory check
- Fixed display Apache configuration file
-
+
--
* 1.0.0 (2007-11-08)
@@ -1752,4 +1898,3 @@
================================================================================
Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
-
diff --git a/CONTRIBUTIONS.md b/CONTRIBUTIONS.md
new file mode 100644
index 00000000..dd032453
--- /dev/null
+++ b/CONTRIBUTIONS.md
@@ -0,0 +1,39 @@
+# Contributions
+
+## Pull Requests
+We welcome any contribution to improve Lynis. Contributions to the Lynis project can
+be submitted as a pull request. The upstream project can be found in our [GitHub repository](https://github.com/CISOfy/lynis).
+
+By submitting a [Pull Request](https://help.github.com/articles/using-pull-requests/)
+to this repository, you agree that you:
+
+1. Own the contribution that you are providing or have obtained permission from
+ the contribution owner
+
+2. Allow your contribution to be licensed under the license of the target
+ project (GPLv3)
+
+3. Allow your contribution to be freely distributed to the Lynis community
+
+4. Allow the project the [Unlimited Rights](#Unlimited-Rights) to your contribution
+
+If you have questions regarding development, send us an e-mail at [lynis-dev](mailto:lynis-dev@cisofy.com)
+
+## Unlimited Rights
+Our project is licensed under GPLv3. By providing a contribution to the project, it
+will be used for the purpose of the project. Unlimited rights includes the rights to
+use, modify, reproduce, release, perform, display, or disclose computer software or
+computer software documentation in whole or in part, in any manner and for any
+purpose whatsoever, and to have or authorize others to do so.
+
+If you want to be named in as a contributor in the CONTRIBUTOR file, then include
+this notition in your pull request. Preferred format: Full Name, with optional the
+company name and/or your e-mail address).
+
+## Developer Guidelines
+
+To ensure all pull requests can be easily checked and merged, here are some tips:
+* Your code should work on other platforms running the bourne shell (/bin/sh), not just BASH.
+* Properly document your code where needed. Besides the 'what', focus on explaining the 'why'.
+* Check the log information (lynis.log) of your new test or changed code, so that it provides helpful details for others.
+* Most variables should be capitalized, with underscore as word separator (e.g. PROCESS_EXISTS=1)
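Review bot: the in-page link "[Unlimited Rights](#Unlimited-Rights)" will not resolve on GitHub, which generates lowercase heading ids; it should be "#unlimited-rights". Two smaller points in the same file: "include this notition in your pull request" should be "this note", the sentence "Full Name, with optional the company name and/or your e-mail address)" has a closing parenthesis with no opening one and reads better as "Full Name, optionally with company name and/or e-mail address", and the file is called CONTRIBUTORS (as changed in this same patch), not "CONTRIBUTOR file".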
diff --git a/CONTRIBUTORS b/CONTRIBUTORS
index f90af8f3..53b83795 100644
--- a/CONTRIBUTORS
+++ b/CONTRIBUTORS
@@ -1,24 +1,35 @@
================================================================================
- Lynis - CONTRIBUTIONS
+ Lynis - CONTRIBUTORS
================================================================================
The Lynis project is very thankful for the following individuals who
- contributed to the project. They invested time and effort to report issues
- and send in related patches to improve the software and other components.
+ contributed to the project.
================================================================================
+ Want to contribute as well? Here are some suggestions:
-[+] Patches, bug fixes and suggestions
+ - Create new tests for your favorite software packages
+ - Report (unexpected) screen errors
+ - Share missing results and findings
+ - Check for grammar issues
+
+ Create a pull request at GitHub --> https://github.com/CISOfy/lynis
+
+
+[+] Contributors
------------------------------------------
+ Alexander Lobodzinski
+ Bodine Wilson
Brian Ginsbach
C.J. Adams-Collier, US
Charlie Heselton, US
Dave Vehrs
+ Kamil BoratyƄski, Poland
Mikko Lehtisalo, Finland
Steve Bosek, France
Thomas Siebel, Germany
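Review bot: the added name "Kamil BoratyƄski, Poland" looks mis-encoded (the "Ƅ" is almost certainly a UTF-8 "ń" that was re-interpreted in another code page); check that the file was saved as UTF-8 so the contributor's name renders correctly. The new "Want to contribute as well?" block is also separated from the contributors list by two blank lines where the rest of the file uses one.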
diff --git a/FAQ b/FAQ
index 21bad933..e0bd9736 100644
--- a/FAQ
+++ b/FAQ
@@ -7,9 +7,11 @@
Author: Michael Boelen (michael.boelen@cisofy.com)
Description: Security and system auditing tool
- Website: https://cisofy.com/lynis/
+ Web site: https://cisofy.com/lynis/
+ GitHub: https://github.com/CISOfy/lynis
+ Support address: lynis-dev@cisofy.com
Development: May 2007 - Now
- Suppor: See README file and https://cisofy.com/support/
+ Support: See README file and https://cisofy.com/support/
Documentation: See web site, README, FAQ and CHANGELOG file
================================================================================
@@ -18,9 +20,9 @@
-------------------------------
Q: I don't understand the program (output), what to do?
- A: Keep reading this FAQ, then continue with reading the README file, followed
- by the log file (default: /var/log/lynis.log). After those sources, check
- the documentation on the website.
+ A: Keep reading this FAQ. Also useful are the README file and the log file
+ (default: /var/log/lynis.log). Or check out the documentation on the
+ website: https://cisofy.com/support/
Q: I can't find any configuration file for Lynis, where is it?
A: There isn't one (currently), since all options are available as command
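Review bot: the rewritten answer says "check out the documentation on the website" but links https://cisofy.com/support/, which is the support page; the README changed in this same patch points at https://cisofy.com/documentation/lynis/ for documentation, so use that URL here (or keep both and label them).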
@@ -30,11 +32,10 @@
Q: Why is there no port/package for my operating system?
A: Because there is no maintainer for it yet. If you have the time to keep
- the port/package current for your preferred operating system, fill in the
- contact form to notify me and confirm no one else is working on it.
+ the port/package current for your preferred operating system, let us know.
Q: What to do with the report files?
- A: The output could be used for monitoring (baseline checks). For user of the
+ A: The output could be used for monitoring (baseline checks). For users of the
Lynis Enterprise Suite, they will be used to upload data.
@@ -42,7 +43,7 @@
[+] Bugs or issues
-------------------------------
Q: Where can I report an issue or bug?
- A: Use the developer e-mail address lynis-dev@cisofy.com
+ A: GitHub, or use the developer e-mail address lynis-dev@cisofy.com
@@ -57,7 +58,7 @@
have a dark background, so it gives extra attention to the message. However
if you have a white background (for example Mac OS X), you can run Lynis
with --no-colors to strip colors or --reverse-colors to reverse the color
- scheme. Another option is to change your terminal colors within Mac OS.
+ scheme. Another option is to change your terminal colors within Mac OS.
Q: Some tests take very long to finish, what to do?
A: Use a second console (or connection) and check the output of ps/lsof etc,
@@ -72,12 +73,12 @@
invoke Lynis (example: bash lynis -c).
Q: One or more tests are giving incorrect output. How to solve that?
- A: Check the log file. If that also has incorrect data, fill in the contact
- form and describe the issue.
+ A: Check the log file. If that also has incorrect data, let us know via GitHub
+ or the developer e-mail address.
Q: The program takes long to complete and also uses too much resources. Can it
be tuned?
- A: The time it takes to complete is depends on the amount of tests to run.
+ A: The time it takes to complete depends on the amount of tests to run.
However the resources it take can be slighty lowered by increasing the
pause_between_tests profile option. Keep in mind this increases the total
length of the scan to complete.
diff --git a/README b/README
index 5b4dfcbb..debc1002 100644
--- a/README
+++ b/README
@@ -15,11 +15,14 @@
================================================================================
- == The website contains up-to-date documentation ==
+ *** NOTE ***
+
+ The website contains the latest documentation
See https://cisofy.com/documentation/lynis/
+
[+] Introduction
-------------------------------
@@ -29,7 +32,8 @@
Some of the (future) features and usage options:
- System and security audit checks
- - File Integrity Assessment
+ - Compliance testing
+ - File integrity monitoring
- System and file forensics
- Usage of templates/baselines (reporting and monitoring)
- Extended debugging features
@@ -45,7 +49,7 @@
- License: GPL v3
- Language: Shell script
- Author: Michael Boelen, CISOfy
- - Website: https://cisofy.com
+ - Web site: https://cisofy.com
- Required permissions: root preferred, not needed
- Other requirements: write access to /tmp
@@ -90,8 +94,11 @@
-------------------------------
If you have input to improve Lynis, let us know via:
- - GitHub - https://github.com/CISOfy/lynis
- - E-mail - lynis-dev@cisofy.com
+ * GitHub - https://github.com/CISOfy/lynis
+ * E-mail - lynis-dev@cisofy.com
+
+ Contributions are appreciated and can be done via GitHub. See CONTRIBUTIONS.md
+ for more information about how to submit them.
[+] Support
@@ -99,15 +106,11 @@
Lynis is tested on the most common operating systems. The documentation (README,
FAQ) and the debugging information in the log file should cover most questions and
- problems. Bugs can be reported by filling in the contact form at rootkit.nl, or by
- sending an e-mail.
-
- NOTE: User related questions should not be asked via the contact form. Read the
- documentation, the website resources and the log file for answers to common problems.
+ problems. Bugs can be reported via GitHub, or sending an e-mail to the lynis-dev
+ address above.
- Commercial support is available under strict conditions and depends on the request.
- For more information fill in the contact form and describe what kind of service is
- requested.
+ Commercial support is available and provided by CISOfy. For more information use
+ the contact address on https://cisofy.com/contact/.
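Review bot: "Bugs can be reported via GitHub, or sending an e-mail to the lynis-dev address above" needs "or by sending"; and since the reference is to "the lynis-dev address above", it is worth double-checking that the Support section really follows the Contact section in the final README so "above" stays correct.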
@@ -119,7 +122,7 @@
this tool we have a commercial version available. Lynis Enterprise Suite uses
Lynis to audit systems, but also provides malware scanning, intrusion detection
and has additional guidance. For all features, please see our website:
- http://cisofy.com/lynis-enterprise/
+ https://cisofy.com/lynis-enterprise/
diff --git a/README.md b/README.md
index 317cda8d..b7fa2940 100644
--- a/README.md
+++ b/README.md
@@ -3,22 +3,27 @@ lynis
Lynis - Security auditing and hardening tool, for Unix based systems
-Lynis is an security auditing and hardening tool for Unix derivatives like Linux, BSD and Solaris. It performs
-an in-depth security scan on the system to detect software and security issues. Besides information related to
-security, it will also scan for general system information, installed packages, and possible configuration
-issues.
+Lynis is a security auditing for Unix derivatives like Linux, BSD, and Solaris. It performs an in-depth security scan on the system to detect software and security issues. Besides information related to security, it will also scan for general system information, vulnerable software packages, and possible configuration issues.
-We believe software should be simple, updated on a regular basis and open. You should be able to trust, understand,
-and even alter the software. Many agree with us, as the software is being used by thousands every day to protect
-their systems.
+We believe software should be simple, updated on a regular basis and open. You should be able to trust, understand, and even alter the software. Many agree with us, as the software is being used by thousands every day to protect their systems.
-The software is aimed at assisting with automated auditing, configuration management, software patch management,
-penetration testing, vulnerability management, and malware scanning of Unix-based systems.
+Main goals:
+- Security auditing (automated)
+- Compliance testing (e.g. PCI-DSS, HIPAA)
+- Vulnerability testing
+
+The software aims to also assist with:
+- Configuration management
+- Software patch management
+- System hardening
+- Penetration testing
+- Malware scanning
+- Intrusion detection
License:
- GPLv3
-Main audience:
+Typical users of the software:
- System administrators
- Auditors
- Security officers
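Review bot: the rewritten opening sentence "Lynis is a security auditing for Unix derivatives" lost the noun; the original read "a security auditing and hardening tool", so it should be "Lynis is a security auditing tool for Unix derivatives". The new "Main goals" and "The software aims to also assist with" lists are fine, but note they replace the single sentence that listed the same items, so the README title line above ("Security auditing and hardening tool") now repeats "hardening" while the goals list files it under the secondary list.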
@@ -27,25 +32,23 @@ Main audience:
## First run
-Clone or download the project files. No compilation or installation is required.
-
-Execute: ./lynis audit system
-
-By default
-If you want to run the software as root, we suggest to alter the ownership of the files.
+1. Clone or download the project files. No compilation or installation is required.
+2. Execute: `./lynis audit system`
+If you want to run the software as root, we suggest altering the ownership of the files. Use chown -R and
+chgrp -R to recursively alter the owner and group.
## Documentation
-See for full documentation https://cisofy.com/documentation/lynis/
+Full documentation: https://cisofy.com/documentation/lynis/
## Flexibility
-For people who want to expand tests, it is suggested to use the tests_custom file (template in include directory).
+If you want to create your own tests, use the 'tests_custom' file (template available in 'include' directory).
Plugins are another possibility to customize, although their main goal is collecting data.
-## Enterprise options
-This software component has additional options and support available for companies. If you want to perform more
-tests and centrally manage them, consider the purchase of a license.
+## Enterprise version
+This software is also available as part of an enterprise suite. It includes additional functionality (plugins, centralized system, reporting, dashboard), and supports.
-## Support
-Got an improvement to share? Create an issue in the tracker on GitHub or send us an e-mail: lynis-dev@cisofy.com
+## Contribute
+Got an improvement? Create it as an issue in the tracker on GitHub or send us an e-mail: lynis-dev@cisofy.com
+More details can be found at [Contributors Guide](https://github.com/CISOfy/lynis/blob/master/CONTRIBUTIONS.md)
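Review bot: in the First run section the paragraph "If you want to run the software as root, we suggest altering the ownership of the files..." directly follows "2. Execute: `./lynis audit system`" with no blank line, so Markdown renders it as a lazy continuation of list item 2; insert a blank line after the list. In the Enterprise version section the sentence "It includes additional functionality (plugins, centralized system, reporting, dashboard), and supports." is cut off after "supports"; finish it (presumably "and commercial support") or drop the fragment.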
diff --git a/db/fileperms.db b/db/fileperms.db
index a4bbcf18..1abba213 100644
--- a/db/fileperms.db
+++ b/db/fileperms.db
@@ -9,11 +9,10 @@
# 5) file group owner
# 6) operating system, or systems
# 7) operating system special
-# 8)
+# 8)
#
#==================================================
file:/etc/group:644:root:root:Linux:
file:/etc/gshadow:400:root:root:Linux:
file:/etc/passwd:644:root:root:Linux:
file:/etc/shadow:400:root:root:Linux:
-
diff --git a/db/integrity.db b/db/integrity.db
index 421d8196..4a2ebbaf 100644
--- a/db/integrity.db
+++ b/db/integrity.db
@@ -1,3 +1,3 @@
#version=2008062800
#binary:string:|NOT:
-ifconfig:PROMISC::
+ifconfig:PROMISC:: \ No newline at end of file
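Review bot: the only change in this hunk is dropping the final newline from db/integrity.db ("\ No newline at end of file"). For a file that shell code consumes line by line that is a regression, not a cleanup: POSIX `read` returns a non-zero status on a final line that lacks a newline, so a `while read ...; do ...; done < db/integrity.db` loop silently skips the last record, in this case the only data line. Restore the trailing newline.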
diff --git a/debian/README.Debian b/debian/README.Debian
index 60820ff7..8a6f45c5 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -1,20 +1,20 @@
lynis for Debian
----------------
-When execute Lynis from Debian menu, the program runs with the following
+When execute Lynis from Debian menu, the program runs with the following
parameter:
lynis --no-colors
-It makes a full system check, with the default profile file
+It makes a full system check, with the default profile file
(/etc/lynis/default.prf). Please adjust this config file with your needs.
For better perform, launch Lynis from a terminal, as root user, with your best
configuration.
Lynis can be executed directly:
-# lynis -c
-or
+# lynis -c
+or
# lynis
After Lynis runs the system check, it creates the following two files with the
diff --git a/debian/rules b/debian/rules
index 468f07a6..5ea1eafc 100755
--- a/debian/rules
+++ b/debian/rules
@@ -12,13 +12,13 @@ clean:
dh_testdir
dh_testroot
rm -f build-stamp
- dh_clean
+ dh_clean
install: build
dh_testdir
dh_testroot
- dh_prep
+ dh_prep
# Add here commands to install the package into debian/lynis.
install -D -m 0755 $(CURDIR)/lynis $(CURDIR)/debian/lynis/usr/sbin/lynis
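Review bot: debian/rules is a Makefile, so the whitespace changes to the "dh_clean" and "dh_prep" lines in this hunk must leave each recipe line starting with a literal tab; if an editor replaced the tab with spaces, make will fail with "missing separator". Verify the indentation character in the committed file rather than trusting the rendered diff, which cannot show the difference.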
diff --git a/default.prf b/default.prf
index c97e55f5..ab167e45 100644
--- a/default.prf
+++ b/default.prf
@@ -122,7 +122,7 @@ sysctl:kernel.use-nx:0:1:XXX:
[network]
sysctl:net.inet.icmp.bmcastecho:0:1:Ignore ICMP packets directed to broadcast address:
sysctl:net.inet.icmp.rediraccept:0:1:Disable incoming ICMP redirect routing redirects:
-sysctl:net.inet.ip.accept_sourceroute:0:1:Disable IP source routing:
+sysctl:net.inet.ip.accept_sourceroute:0:1:Disable IP source routing:
sysctl:net.inet.ip.redirect:0:1:Disable/Ignore ICMP routing redirects:
sysctl:net.inet.ip.sourceroute:0:1:Disable IP source routing:
sysctl:net.inet.ip6.redirect:0:1:Disable/Ignore ICMP routing redirects:
@@ -149,9 +149,9 @@ sysctl:net.ipv4.tcp_syncookies:1:1:Use SYN cookies to prevent SYN attack:
sysctl:net.ipv4.tcp_timestamps:0:1:Do not use TCP time stamps:
sysctl:net.ipv6.conf.all.send_redirects:0:1:Disable/ignore ICMP routing redirects:
sysctl:net.ipv6.conf.all.accept_redirects:0:1:Disable/Ignore ICMP routing redirects:
-sysctl:net.ipv6.conf.all.accept_source_route:0:1:Disable IP source routing:
+sysctl:net.ipv6.conf.all.accept_source_route:0:1:Disable IP source routing:
sysctl:net.ipv6.conf.default.accept_redirects:0:1:Disable/Ignore ICMP routing redirects:
-sysctl:net.ipv6.conf.default.accept_source_route:0:1:Disable IP source routing:
+sysctl:net.ipv6.conf.default.accept_source_route:0:1:Disable IP source routing:
[security]
#sysctl:kern.securelevel:1^2^3:1:FreeBSD security level:
@@ -270,8 +270,8 @@ permdir:/root/.ssh:rwx------:root:-:WARN:
#
#################################################################################
-# Amount of connections in WAIT state before reporting it as a warning
-#config:connections_max_wait_state:50:
+# Amount of connections in WAIT state before reporting it as a suggestion
+#config:connections_max_wait_state:5000:
# Skip security repository check for Debian based systems
#config:debian_skip_security_repository:yes:
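Review bot: the threshold example jumps from 50 to 5000 and the wording from "warning" to "suggestion" with no rationale in the comment. Since the line is commented out, the effective default lives in the test that reads `connections_max_wait_state`; verify that test now really reports a suggestion (not a warning) and uses 5000 as its built-in default, and add one sentence here explaining why the old value produced false positives, otherwise the comment and the code will drift apart.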
@@ -310,6 +310,38 @@ permdir:/root/.ssh:rwx------:root:-:WARN:
#################################################################################
#
+# Automatic Updating
+# -------------------
+#
+# These settings are required when using the lynis update functionality.
+# By specifying local paths and your update server, the tool can do an update
+# check, compare versions and download a new version.
+#
+#################################################################################
+
+# Local directory (without slash at end) where lynis directory will be installed
+# Note: do not add full path to lynis, as subdirectory is part of tarball
+#config:update_local_directory:/usr/local:
+# Full path to local file. Change local path if Lynis is installed on a different place
+#config:update_local_version_info:/usr/local/lynis/client-version:
+
+# Download information
+# -----------------------------
+# Protocol to use: http, https
+#config:update_server_protocol:http:
+
+# Address of update server
+#config:update_server_address:192.168.1.125:
+
+# Path to last stable release
+#config:update_latest_version_download:/files/lynis-latest.tar.gz:
+
+# Last part of URL (file to gather)
+#config:update_latest_version_info:/files/lynis-latest-version:
+
+
+#################################################################################
+#
# Lynis Enterprise
# -----------------
#
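Review bot: the documented default for `update_server_protocol` is `http`, and nothing in this block mentions verifying the downloaded tarball, so the update path as described would fetch and install code over plaintext with no integrity check. That is a supply-chain weakness for a tool that runs as root: anyone on the network path could substitute `lynis-latest.tar.gz`. Suggest making `https` the documented default, adding a config option for a checksum or signature file alongside `update_latest_version_info`, and stating in the comment that the update helper refuses to unpack a tarball whose hash does not match. Also note that the example address `192.168.1.125` will be copied verbatim by users; label it clearly as a placeholder.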
@@ -322,7 +354,7 @@ permdir:/root/.ssh:rwx------:root:-:WARN:
# Provide options to cURL when uploading data. Common options include:
# -k or --insecure --> use HTTPS, but skip certificate check (e.g. self-signed)
-# --proxy [http://]proxyserver:8080 --> use HTTP/HTTPS proxy
+# --proxy [http://]proxyserver:8080 --> use HTTP/HTTPS proxy
# --socks5 proxyserver:8080 --> use SOCKS proxy
#config:upload_options:-k:
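Review bot: the comment presents `-k`/`--insecure` as the normal way to handle a self-signed Lynis Enterprise certificate, which disables all certificate validation for the upload, including hostname checks. Prefer documenting `--cacert /path/to/node-ca.pem` as the recommended option for self-signed or private-CA nodes and keep `-k` as a last resort with an explicit warning; this hunk only changes whitespace on the proxy line, but it is the right place to fix the guidance.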
@@ -330,4 +362,4 @@ permdir:/root/.ssh:rwx------:root:-:WARN:
#config:group:[group name]:
#config:group:test:
-#EOF
+#EOF \ No newline at end of file
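Review bot: the change removes the trailing newline after `#EOF`, which is the opposite of what the `extras/README` hunk in this same commit does. A final line without a newline is dropped by `while read` loops in POSIX sh and produces perpetual "No newline at end of file" noise in future diffs; restore the newline so the profile ends cleanly.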
diff --git a/extras/README b/extras/README
index c51df06f..57f42d94 100644
--- a/extras/README
+++ b/extras/README
@@ -6,4 +6,4 @@
- Integrity checks and tools
- Development tools
-================================================================================ \ No newline at end of file
+================================================================================
diff --git a/extras/build-lynis.sh b/extras/build-lynis.sh
index 9d82bcc6..f0f6cc72 100755
--- a/extras/build-lynis.sh
+++ b/extras/build-lynis.sh
@@ -364,7 +364,7 @@ Exit
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
- echo -n "- Cleaning up OpenBSD package build... "
+ echo -n "- Cleaning up OpenBSD package build... "
if [ -f openbsd/+CONTENTS ]; then rm openbsd/+CONTENTS; fi
echo "DONE"
OPENBSD_CONTENTS="openbsd/+CONTENTS"
@@ -377,7 +377,7 @@ Exit
for I in ${PACKAGE_LIST_FILES}; do
echo -n "${I} "
- #FULLNAME=`cat files.dat | grep ":file:include:
+ #FULLNAME=`cat files.dat | grep ":file:include:
#echo "${FULLNAME}" >> ${OPENBSD_CONTENTS}
echo "${I}" >> ${OPENBSD_CONTENTS}
FILE="../${I}"
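Review bot: the commented-out `#FULLNAME=` line being re-indented here is dead code with an unterminated backtick and double quote. Since it is a comment it does no harm, but re-indenting it only preserves clutter; remove the line rather than reformatting it.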
diff --git a/extras/lynis.spec b/extras/lynis.spec
index 997a386f..3ff52e7a 100644
--- a/extras/lynis.spec
+++ b/extras/lynis.spec
@@ -3,6 +3,8 @@
# Lynis spec file
# -----------------
#
+# This file helps to create your custom RPM package of Lynis.
+#
# Usage:
# - Adjust version number (Version:)
# - Check if you have the directories in your home directory (or adjust topdir)
@@ -12,9 +14,9 @@
#
#################################################################################
#
-# (c) 2014 Michael Boelen
+# Copyright 2015 CISOfy
#
-# Website: http://cisofy.com/
+# Documentation: https://cisofy.com/documentation/lynis/upgrading/
#
#################################################################################
@@ -27,30 +29,32 @@
Summary: Security and system auditing tool.
Name: lynis
-Version: 1.6.2
+Version: 2.1.1
Release: 1
License: GPL
Group: Applications/System
Source: lynis-%{version}.tar.gz
BuildRoot: /tmp/lynis-root
-URL: http://cisofy.com/
-Vendor: CISOfy / Michael Boelen
-Packager: Michael Boelen <michael@rootkit.nl>
+URL: https://cisofy.com/
+Vendor: CISOfy
+Packager: Michael Boelen <michael.boelen@cisofy.com>
BuildArch: noarch
%description
-Lynis is a security tool to audit and harden Unix/Linux based systems. It scans a
-system and provides the user with suggestion and warnings regarding taken security
-measures. Examples include:
- - Security enhancements
- - Logging and auditing options
- - Banner identification
- - Software availability
- - Missing security patches
+Lynis is an security auditing and hardening tool for Unix derivatives like Linux, BSD
+and Solaris. It performs an in-depth security scan on the system to detect software
+and security issues. Besides information related to security, it will also scan for
+general system information, installed packages, and possible
+configuration issues.
+
+This software is aimed at assisting with automated auditing, configuration management,
+software patch management, penetration testing, vulnerability management, and malware
+scanning of Unix-based systems.
Lynis is released as a GPLv3 licensed project and free for everyone to use.
+Commercial support and extensions are available.
-See http://cisofy.com for a full description and documentation.
+See https://cisofy.com for a full description and documentation.
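Review bot: the new description opens with "Lynis is an security auditing", which should be "a security auditing"; fix it while rewriting the paragraph. Also, `License: GPL` in the preamble is less specific than the description's own "GPLv3 licensed" statement; set the tag to `GPLv3` so the package metadata matches the text and tooling that inspects the License field gets the right answer.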
%prep
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf "$RPM_BUILD_ROOT"
@@ -84,11 +88,6 @@ install plugins/* ${RPM_BUILD_ROOT}%{_pluginsdir}
install -d ${RPM_BUILD_ROOT}%{_dbdir}
install db/* ${RPM_BUILD_ROOT}%{_dbdir}
-
-# Patch default paths (not required for 1.1.2+)
-#sed -i -e 's#INCLUDEDIR="include"#INCLUDEDIR="%{_includedir}"#g' ${RPM_BUILD_ROOT}/usr/bin/lynis
-#sed -i -e 's#PROFILE="default.prf"#PROFILE="/etc/lynis/default.prf"#g' ${RPM_BUILD_ROOT}/usr/bin/lynis
-
%clean
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf "$RPM_BUILD_ROOT"
@@ -111,6 +110,9 @@ install db/* ${RPM_BUILD_ROOT}%{_dbdir}
#%attr(644, root, root) %{_plugindir}/*
%changelog
+* Wed May 13 2015 Michael Boelen - 1.1.9-1
+- Changed website address, version bump
+
* Sun Sep 14 2014 Michael Boelen - 1.1.8-1
- Changed permissions with regards of pentest option
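Review bot: the new `%changelog` entry is labelled `1.1.9-1` while `Version:` in the same file is bumped to `2.1.1`, so the changelog no longer describes the package being built. Use `2.1.1-1` here (rpmbuild does not enforce consistency, so this goes unnoticed until someone reads `rpm -q --changelog`), and mention the version bump itself rather than only the website change.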
diff --git a/include/binaries b/include/binaries
index 5b85adb2..a6af374b 100644
--- a/include/binaries
+++ b/include/binaries
@@ -14,7 +14,8 @@
#
#################################################################################
#
-# Check which tools are installed
+# * Check which binaries and tools are installed
+# * With the results a customized scan can be performed for every single system.
#
#################################################################################
#
@@ -25,23 +26,18 @@
#################################################################################
#
if [ ${CHECK_BINARIES} -eq 1 ]; then
- InsertSection "System Tools"
- #
- #################################################################################
- #
+ InsertSection "System Tools"
+ Display --indent 2 --text "- Scanning available tools..."
+ logtext "Start scanning for available audit binaries and tools..."
- Display --indent 2 --text "- Scanning available tools..."
- logtext "Start scanning for available audit binaries and tools..."
-
- # Test : FILE-7502
- # Description : Check all system binaries
- # Notes : Always perform test, dependency for many other tests
- Register --test-no FILE-7502 --weight L --network NO --description "Check all system binaries"
- #if [ ${SKIPTEST} -eq 0 ]; then
+ # Test : FILE-7502
+ # Description : Check all system binaries
+ # Notes : Always perform test, dependency for many other tests
+ Register --test-no FILE-7502 --weight L --network NO --description "Check all system binaries"
BINARY_PATHS_FOUND=""; N=0
Display --indent 2 --text "- Checking system binaries..."
logtext "Status: Starting binary scan..."
- for SCANDIR in ${BINPATHS}; do
+ for SCANDIR in ${BIN_PATHS}; do
logtext "Test: Check if directory exists"
ORGPATH=""
if [ -d ${SCANDIR} ]; then
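Review bot: `BINPATHS` is renamed to `BIN_PATHS` here and in `include/consts`, but any other file that still references `BINPATHS` will silently iterate over an empty string and find no binaries, which in turn disables most dependent tests; grep the whole tree for the old name before merging. Separately, the commented-out `#if [ ${SKIPTEST} -eq 0 ]; then` is deleted instead of enabled, so the `Register` call's skip decision for FILE-7502 is ignored. That is defensible given the "always perform test" note, but say so in a comment so the next reader does not "fix" it.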
@@ -78,7 +74,6 @@
N=`expr ${N} + 1`
BINARY="${SCANDIR}/${I}"
DISCOVERED_BINARIES="${DISCOVERED_BINARIES}${BINARY} "
- logtext "Binary: ${BINARY}"
# Optimized, much quicker (limited file access needed)
case ${I} in
aa-status) APPARMORFOUND=1; AASTATUSBINARY=${BINARY}; logtext " Found known binary: aa-status (apparmor component) - ${BINARY}" ;;
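Review bot: dropping `logtext "Binary: ${BINARY}"` removes the only record in the log of binaries that are not in the known list, which is useful evidence when investigating why a test did not run on a given host. Consider keeping the line behind the existing `DEBUG` flag instead of removing it outright.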
@@ -98,8 +93,11 @@
comm) COMMBINARY="${BINARY}"; logtext " Found known binary: comm (file compare) - ${BINARY}" ;;
csum) CSUMFOUND=1; CSUMBINARY="${BINARY}"; logtext " Found known binary: csum (hashing tool on AIX) - ${BINARY}" ;;
curl) CURLFOUND=1; CURLBINARY="${BINARY}"; logtext " Found known binary: curl (browser) - ${BINARY}" ;;
+ debsecan) DEBSECANBINARY="${BINARY}"; logtext " Found known binary: debsecan (package vulnerability checking) - ${BINARY}" ;;
+ debsums) DEBSUMSBINARY="${BINARY}"; logtext " Found known binary: debsums (package integrity checking) - ${BINARY}" ;;
dig) if [ -f ${BINARY} ]; then DIGFOUND=1; DIGBINARY=${BINARY}; logtext " Found known binary: dig (network/dns tool) - ${BINARY}"; fi ;;
dnsdomainname) DNSDOMAINNAMEFOUND=1; DNSDOMAINNAMEBINARY="${BINARY}"; logtext " Found known binary: dnsdomainname (DNS domain) - ${BINARY}" ;;
+ docker) if [ -f ${BINARY} ]; then DOCKERBINARY="${BINARY}"; logtext " Found known binary: docker (container technology) - ${BINARY}"; fi ;;
domainname) DOMAINNAMEFOUND=1; DOMAINNAMEBINARY="${BINARY}"; logtext " Found known binary: domainname (NIS domain) - ${BINARY}" ;;
dpkg) DPKGBINARY="${BINARY}"; logtext " Found known binary: dpkg (package management) - ${BINARY}" ;;
egrep) EGREPFOUND=1; EGREPBINARY=${BINARY}; logtext " Found known binary: egrep (text search) - ${BINARY}" ;;
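Review bot: the new `docker` entry is wrapped in `if [ -f ${BINARY} ]` while the neighbouring `debsecan` and `debsums` entries are not, and the `dig` line shows the same guard; either all three need the file check or none does, so pick one convention. Also `DEBSECANBINARY`, `DEBSUMSBINARY` and `DOCKERBINARY` are not initialised in the `include/consts` hunk of this commit, unlike the other `*BINARY` variables; add them to the "Variable initializing" block so tests can rely on them being empty rather than unset.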
@@ -145,7 +143,7 @@
openssl) OPENSSLFOUND=1; OPENSSLBINARY="${BINARY}"; OPENSSLVERSION=`${BINARY} version 2> /dev/null | head -n 1 | awk '{ print $2 }' | xargs`; logtext "Found ${BINARY} (version ${OPENSSLVERSION})" ;;
pacman) PACMANFOUND=1; PACMANBINARY="${BINARY}"; logtext " Found known binary: pacman (package manager) - ${BINARY}" ;;
perl) PERLFOUND=1; PERLBINARY="${BINARY}"; PERLVERSION=`${BINARY} -V:version | sed 's/^version=//' | sed 's/;//' | xargs`; logtext "Found ${BINARY} (version ${PERLVERSION})" ;;
- php) PHPFOUND=1; PHPBINARY="${BINARY}"; PHPVERSION=`${BINARY} -v | awk '{ if ($1=="PHP") { print $2 }}' | head -1`; logtext "Found known binary: php (programming language) - ${BINARY} (version ${PHPVERSION})" ;;
+ php) PHPFOUND=1; PHPBINARY="${BINARY}"; PHPVERSION=`${BINARY} -v | awk '{ if ($1=="PHP") { print $2 }}' | head -1`; logtext "Found known binary: php (programming language intrepreter) - ${BINARY} (version ${PHPVERSION})" ;;
pkg_admin) PKGADMINBINARY="${BINARY}"; logtext " Found known binary: pkg_admin (software package administration) - ${BINARY}" ;;
postconf) POSTCONFFOUND=1; POSTCONFBINARY="${BINARY}"; logtext " Found known binary: postconf (postfix configuration) - ${BINARY}" ;;
postfix) POSTFIXFOUND=1; POSTFIXBINARY="${BINARY}"; logtext " Found known binary: postfix (postfix binary) - ${BINARY}" ;;
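Review bot: the only content change on the `php` line introduces a typo, "intrepreter"; it should be "interpreter". This string ends up in the log file, so it is worth fixing before merge.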
@@ -154,6 +152,7 @@
ps) PSFOUND=1; PSBINARY="${BINARY}"; logtext " Found known binary: ps (process listing) - ${BINARY}" ;;
puppet) PUPPETFOUND=1; PUPPETBINARY="${BINARY}"; logtext " Found known binary: puppet (automation tooling) - ${BINARY}" ;;
puppetmasterd) PUPPETMASTERDFOUND=1; PUPPETMASTERDBINARY="${BINARY}"; logtext " Found known binary: puppetmasterd (puppet master daemon) - ${BINARY}" ;;
+ python) PYTHONBINARY="${BINARY}"; logtext " Found known binary: python (programming language intepreter) - ${BINARY}" ;;
readlink) READLINKFOUND=1; READLINKBINARY="${BINARY}"; logtext " Found known binary: readlink (follows symlinks) - ${BINARY}" ;;
rkhunter) RKHUNTERFOUND=1; RKHUNTERBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; logtext " Found known binary: rkhunter (malware scanner) - ${BINARY}" ;;
rootsh) ROOTSHFOUND=1; ROOTSHBINARY="${BINARY}"; logtext " Found known binary: rootsh (wrapper for shells) - ${BINARY}" ;;
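Review bot: the new `python` entry has the same typo as the `php` line above it, "intepreter" for "interpreter". Also `PYTHONBINARY` is not added to the initialised variables in `include/consts` in this commit, and no `PYTHONFOUND` flag is set, unlike `PERLFOUND` for the comparable `perl` entry; add both for consistency with how other tests check for tool availability.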
@@ -204,13 +203,11 @@
logtext "Discovered directories: ${BINARY_PATHS_FOUND}"
report "binary_paths=${BINARY_PATHS_FOUND}"
BINARY_SCAN_FINISHED=1
- #fi
-
- logtext "Result: found ${N} binaries"
- report "binaries_count=${N}"
+ logtext "Result: found ${N} binaries"
+ report "binaries_count=${N}"
else
- logtext "Result: checking binaries skipped in this mode"
+ logtext "Result: checking of binaries skipped in this mode"
fi
#
diff --git a/include/consts b/include/consts
index 077628f9..e80baa64 100644
--- a/include/consts
+++ b/include/consts
@@ -18,45 +18,22 @@
#################################################################################
#
-# Program information
-
# Paths where system and program binaries are located
-# Includes Sun Solaris dirs
-BINPATHS="/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin \
+BIN_PATHS="/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin \
/usr/local/libexec /usr/libexec /usr/sfw/bin /usr/sfw/sbin \
/usr/sfw/libexec /opt/sfw/bin /opt/sfw/sbin /opt/sfw/libexec \
/usr/xpg4/bin /usr/css/bin /usr/ucb /usr/X11R6/bin /usr/X11R7/bin \
/usr/pkg/bin /usr/pkg/sbin"
+ETC_PATHS="/etc /usr/local/etc"
+
# Do not use specific language, fall back to default
+# Some tools with translated strings are very hard to parse
unset LANG
#
#################################################################################
#
-# Deprecated
-#
-#################################################################################
-#
- HOME_HISTORY_AUDIT_TITLE="Incorrect history file types"
- HOME_HISTORY_AUDIT_DESCRIPTION=""
-
- HOME_HISTORY_LOG_TITLE="History files type check"
- HOME_HISTORY_LOG_DESCRIPTION="History files type check"
- HOME_HISTORY_LOG_TEXT="History files are normally of the type 'file'. Symbolic links and other types can be riskful"
-
- HOME_PATH_LOG_MESSAGE="A single dot in the PATH variable of a user can be a risk, while executing commands in for example a home directory."
-
- USER_PASSWD_DOUBLEUID_AUDIT_TITLE="Non unique UIDs"
- USER_PASSWD_DOUBLEUID_AUDIT_DESCRIPTION="Non unique UIDs in passwd file"
- USER_PASSWD_DOUBLEUID_AUDIT_TEXT="Non unique UIDs can riskful for the system or part of a configuration mistake"
-
- KERNEL_ACTIVE_MODULES_TITLE="Active kernel modules (KLDs)"
- KERNEL_ACTIVE_MODULES_DESCRIPTION="View all active kernel modules (including kernel)"
- KERNEL_ACTIVE_MODULES_TEXT="Displays the loaded kernel modules in memory. Make sure to check the integrity of the kld tools."
-#
-#################################################################################
-#
# Initialize defaults
#
#################################################################################
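Review bot: `unset LANG` alone does not guarantee untranslated tool output, because `LC_ALL` and `LC_MESSAGES` take precedence over `LANG`; a host with `LC_ALL=de_DE.UTF-8` exported will still feed localized strings into the parsers this comment worries about. Set and export `LC_ALL=C` instead. Also, `ETC_PATHS` is introduced here but not used by anything in this diff; confirm a consumer exists or drop it until one does.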
@@ -64,6 +41,7 @@ unset LANG
# == Variable initializing ==
#
AUDITORNAME=""
+ AUTH_FAILED_LOGINS_LOGGED=0
PROFILE=""
REPORTFILE=""
AFICKBINARY=""
@@ -77,6 +55,7 @@ unset LANG
CONTROL_URL_PREPEND=""
CUSTOM_URL_APPEND=""
CUSTOM_URL_PREPEND=""
+ DOCKER_DAEMON_RUNNING=0
FILEVALUE=""
FIND=""
FIREWALL_ACTIVE=0
@@ -93,6 +72,7 @@ unset LANG
LYNIS_COMPLIANCE_TESTS=0
MACHINEID=""
MALWARE_SCANNER_INSTALLED=0
+ NAME_CACHE_USED=0
NGINX_ACCESS_LOG_DISABLED=0
NGINX_ACCESS_LOG_MISSING=0
NGINX_ALIAS_FOUND=0
@@ -129,6 +109,7 @@ unset LANG
SCAN_TEST_HEAVY=""; SCAN_TEST_MEDIUM=""; SCAN_TEST_LOW=""
SESTATUSBINARY=""
SERVICE_MANAGER=""
+ SHOW_PROGRAM_DETAILS=1
SHOW_REPORT=1
SKIPPED_TESTS_ROOTONLY=""
SSHKEYSCANBINARY=""
@@ -137,37 +118,42 @@ unset LANG
TEST_SKIP_ALWAYS=""
TESTS_EXECUTED=""
TESTS_SKIPPED=""
+ TOTAL_SUGGESTIONS=0
+ TOTAL_WARNINGS=0
TRIPWIREBINARY=""
+ UEFI_BOOTED=0
+ UEFI_BOOTED_SECURE=0
+ UNBOUND_RUNNING=0
UPLOAD_OPTIONS=""
UPDATE_CHECK_SKIPPED=0
VALUE=""
+ VMTYPE=""
#
#################################################################################
#
-# == Options ==
+# * Options
#
-# Option Description
-# --------------------------------------------------------------------------
- CRONJOB=0 # Run as a cronjob
- CTESTS_PERFORMED=0 # Number of tests which are performed
+#################################################################################
+#
+ CRONJOB=0 # Run as a cronjob
+ CTESTS_PERFORMED=0 # Number of tests which are performed
DEBUG=0 # Debugging mode (to screen)
HPPOINTS=0 # Number of hardening points
HPTOTAL=0 # Maximum number of hardening points
- LOG_INCORRECT_OS=1 # Log tests with incorrect OS
- NEVERBREAK=0 # Don't wait for user input
+ LOG_INCORRECT_OS=1 # Log tests with incorrect OS
+ NEVERBREAK=0 # Don't wait for user input
PENTESTINGMODE=0 # Try tests without root privileges
- QUICKMODE=0 # Don't wait for user input
- QUIET=0 # Show normal messages and warnings as well
- SHOW_TOOL_TIPS=1 # Show inline tool tips (default true)
- SKIPLOGTEST=0 # Skip logging for one test
- SKIP_UPGRADE_TEST=0 # Skip upgrade test
- TESTS_TO_PERFORM="" # Which tests only to perform
- TEST_PAUSE_TIME=0 # Default pause time
- TOTAL_TESTS=0 # Total amount of tests (counter)
+ QUICKMODE=0 # Don't wait for user input
+ QUIET=0 # Show normal messages and warnings as well
+ SHOW_TOOL_TIPS=1 # Show inline tool tips (default true)
+ SKIPLOGTEST=0 # Skip logging for one test
+ SKIP_UPGRADE_TEST=0 # Skip upgrade test
+ TESTS_TO_PERFORM="" # Which tests only to perform
+ TEST_PAUSE_TIME=0 # Default pause time
+ TOTAL_TESTS=0 # Total amount of tests (counter)
UPLOAD_DATA=0 # Upload of data to central node
- VIEWHELP=0 # Show help
- VIEWUPDATEINFO=0 # View program/database version
- WRONGOPTION=0 # A wrong option is used
+ VIEWHELP=0 # Show help
+ WRONGOPTION=0 # A wrong option is used
#
#################################################################################
#
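Review bot: `VIEWUPDATEINFO=0` is removed from the defaults but nothing in this commit removes its readers. If `include/parameters` or the main script still does `[ ${VIEWUPDATEINFO} -eq 1 ]`, the now-unset variable expands to nothing and POSIX sh fails with "unary operator expected" at the first option parse. Grep for the name and either keep the initialisation or remove the remaining references in the same change.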
@@ -176,24 +162,24 @@ unset LANG
#
#################################################################################
#
-# Colors
+# * Colors
+#
+# For improved display
#
#################################################################################
#
-# Color name Description
-# --------------------------------------------------------------------------
- NORMAL=""
- WARNING="" # Bad (red)
- SECTION="" # Section (yellow)
- NOTICE="" # Notice (yellow)
- OK="" # Ok (green)
- BAD="" # Bad (red)
+ NORMAL=""
+ WARNING="" # Bad (red)
+ SECTION="" # Section (yellow)
+ NOTICE="" # Notice (yellow)
+ OK="" # Ok (green)
+ BAD="" # Bad (red)
- # Real color names
- YELLOW="" # Yellow
- WHITE="" # White
- GREEN="" # Green
- RED="" # Red
+ # Normal color names
+ YELLOW=""
+ WHITE=""
+ GREEN=""
+ RED=""
PURPLE=""
MAGENTA=""
BROWN=""
diff --git a/include/data_upload b/include/data_upload
index 821deaa9..d7bf1401 100644
--- a/include/data_upload
+++ b/include/data_upload
@@ -90,7 +90,21 @@ output "Settings file: ${SETTINGS_FILE}"
if [ -f ${REPORTFILE} ]; then
output "${WHITE}Report file found.${NORMAL} Starting with connectivity check.."
# Quit if license is not valid, to reduce load on both client and server.
- UPLOAD=`${CURLBINARY} ${CURL_OPTIONS} -s -S --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "collector_version=${PROGRAM_VERSION}" ${LICENSE_SERVER_URL}`
+ UPLOAD=`${CURLBINARY} ${CURL_OPTIONS} -s -S --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "collector_version=${PROGRAM_VERSION}" ${LICENSE_SERVER_URL} 2> /dev/null`
+ EXITCODE=$?
+ if [ ${EXITCODE} -gt 0 ]; then
+ if [ ${EXITCODE} -eq 60 ]; then
+ echo "${RED}Self-signed certificate used on Lynis Enterprise node${NORMAL}"
+ echo "If you want to accept a self-signed certificate, use the -k option in the profile."
+ echo "Example: ${WHITE}config:upload_options:-k:${NORMAL}"
+ logtext "Result: found self-signed certificate, however cURL -k option not used."
+ else
+ output "${RED}Error: ${NORMAL}cURL exited with code ${EXITCODE}"
+ logtext "Result: cURL exited with code ${EXITCODE}"
+ fi
+ logtext "Result: quitting, can't check license"
+ ExitFatal
+ fi
UPLOAD_CODE=`echo ${UPLOAD} | head -n 1 | awk '{ if ($1=="Response") { print $2 }}'`
if [ "${UPLOAD_CODE}" = "100" ]; then
output "${WHITE}License is valid${NORMAL}"
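Review bot: cURL exit code 60 means the peer certificate could not be verified against the known CA store, which covers an expired certificate, an untrusted private CA and a TLS-intercepting proxy as well as a self-signed one; the message "Self-signed certificate used on Lynis Enterprise node" therefore misdiagnoses the failure, and the advice to add `-k` teaches users to turn verification off for every cause. Suggest reporting the code 60 message as a certificate verification failure and recommending `--cacert` for the node's CA first, with `-k` only as an explicit last resort. Additionally, `2> /dev/null` discards the exact cURL error text that would tell the user which of those cases applies; capture stderr into the log instead of suppressing it.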
@@ -110,7 +124,7 @@ output "Settings file: ${SETTINGS_FILE}"
echo "Key: ${LICENSE_KEY}"
output "Debug information: ${UPLOAD}"
# Quit
- ExitClean
+ ExitFatal
fi
# Extract the hostid from the parse file
HOSTID=`cat ${REPORTFILE} | grep "^hostid=" | awk -F= '{ print $2 }'`
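Review bot: the context line `echo "Key: ${LICENSE_KEY}"` prints the full license key to the terminal on a license failure, and this path now terminates with `ExitFatal`, so the secret lands in cron output, mail and any captured console log. Print only a masked form (for example the last four characters) and keep the full value out of stdout entirely.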
@@ -119,23 +133,27 @@ output "Settings file: ${SETTINGS_FILE}"
# Try to connect
output "Uploading data.."
logtext "Command used: ${CURLBINARY} ${CURL_OPTIONS} -s -S --data-urlencode \"data@${REPORTFILE}\" --data-urlencode \"licensekey=${LICENSE_KEY}\" --data-urlencode \"hostid=${HOSTID}\" ${UPLOAD_URL}"
- UPLOAD=`${CURLBINARY} ${CURL_OPTIONS} -s -S --data-urlencode "data@${REPORTFILE}" --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "hostid=${HOSTID}" ${UPLOAD_URL}`
- if [ $? -gt 0 ]; then
+ UPLOAD=`${CURLBINARY} ${CURL_OPTIONS} -s -S --data-urlencode "data@${REPORTFILE}" --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "hostid=${HOSTID}" ${UPLOAD_URL} 2> /dev/null`
+ EXITCODE=$?
+ if [ ${EXITCODE} -gt 0 ]; then
#UPLOAD_CODE=`echo ${UPLOAD} | head -n 1 | awk '{ print $2 }'`
#output "Output code from upload: ${UPLOAD_CODE}"
- output "${RED}Error occurred, please check documentation for code ${UPLOAD_CODE}.${NORMAL}"
- output "Debug:"
- output ${UPLOAD}
+ echo "${RED}Error: ${NORMAL}Error occurred, cURL ended during the upload of the report data."
+ echo "Related exit code: ${EXITCODE}"
+ echo "Check the last section of the log file for the exact command used, for further troubleshooting"
+ echo "Debug:"
+ echo ${UPLOAD}
# Quit
ExitClean
fi
else
- echo "${RED}Fatal error${NORMAL}: No hostid found in report file. Can not upload report file."
+ echo "${RED}Error${NORMAL}: No hostid found in report file. Can not upload report file."
# Quit
- ExitClean
+ ExitFatal
fi
else
output "${YELLOW}No report file found to upload.${NORMAL}"
+ ExitFatal
fi
#
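Review bot: `echo ${UPLOAD}` is unquoted, so the server's response is word-split and glob-expanded by the shell before printing; a response containing `*` or `?` would expand to file names in the current directory. Use `echo "${UPLOAD}"`. The failed-upload branch also still ends with `ExitClean`, i.e. exit code 0, while the two sibling failure paths in this hunk were switched to `ExitFatal`; a cron job cannot tell that the upload failed unless this path returns non-zero as well.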
diff --git a/include/functions b/include/functions
index 1dc1c1d9..dac54cc2 100644
--- a/include/functions
+++ b/include/functions
@@ -5,8 +5,8 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015 - Michael Boelen, CISOfy (michael.boelen@cisofy.com)
-# https://cisofy.com
+# Copyright 2007-2015, Michael Boelen - CISOfy (michael.boelen@cisofy.com)
+# Website: https://cisofy.com
#
# This software is licensed under GPL, version 3. See LICENSE file for
# usage of this software.
@@ -20,14 +20,16 @@
# Function Description
# ----------------------- -------------------------------------------------
# AddHP Add Hardening points to plot a graph later
+# AddSystemGroup Adds a system to a group
# CheckFilePermissions Check file permissions
# CheckUpdates Determine if a new version of Lynis is available
# counttests Count number of performed tests
# Debug Display additional information on the screen (not suited for cronjob)
# DirectoryExists Check if a directory exists on the disk
# Display Output text to screen with colors and identation
-# ExitClean Stop the program (cleanly)
-# ExitFatal Stop the program (cleanly), with fatal
+# ExitClean Stop the program (cleanly), with exit code 0
+# ExitCustom Stop the program (cleanly), with custom exit code
+# ExitFatal Stop the program (cleanly), with exit code 1
# FileExists Check if a file exists on the disk
# FileIsEmpty Check if a file is empty
# FileIsReadable Check if a file is readable or directory accessible
@@ -50,6 +52,7 @@
# ShowSymlinkPath Show a path behind a symlink
# ViewCategories Display tests categories
# logtext Log text strings to logfile, prefixed with date/time
+# report Add string of data to report file
#
#################################################################################
@@ -62,6 +65,19 @@
logtext "Hardening: assigned ${HPADD} hardening points (max for this item: ${HPADDMAX}), current: ${HPPOINTS}, total: ${HPTOTAL}"
}
+
+ ################################################################################
+ # Name : AddSystemGroup
+ # Description : Adds a system to a group, which can be used for categorizing
+ # Returns : <nothing>
+ ################################################################################
+
+ AddSystemGroup()
+ {
+ report "system_group[]=$1"
+ }
+
+
# Check file permissions
# Parameter 1 is file/dir
# Result: FILE_NOT_FOUND | OK | BAD
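Review bot: `AddSystemGroup` writes `$1` into the line-oriented report without validating it, so a group name containing a newline or `=` would corrupt the `key=value` structure that the upload side parses. Restrict the argument to a safe character class (letters, digits, `-` and `_`) and log and ignore anything else; also document the function's single parameter in the header comment like the other functions do.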
@@ -74,10 +90,10 @@
# If 'file' is an directory, use -d
if [ -d ${CHECKFILE} ]; then
FILEVALUE=`ls -d -l ${CHECKFILE} | cut -c 2-10`
- PROFILEVALUE=`cat ${PROFILE} | grep '^permdir' | grep ":${CHECKFILE}:" | cut -d: -f3`
+ PROFILEVALUE=`cat ${PROFILE} | grep '^permdir' | grep ":${CHECKFILE}:" | cut -d: -f3`
else
FILEVALUE=`ls -l ${CHECKFILE} | cut -c 2-10`
- PROFILEVALUE=`cat ${PROFILE} | grep '^permfile' | grep ":${CHECKFILE}:" | cut -d: -f3`
+ PROFILEVALUE=`cat ${PROFILE} | grep '^permfile' | grep ":${CHECKFILE}:" | cut -d: -f3`
fi
if [ "${FILEVALUE}" = "${PROFILEVALUE}" ]; then PERMS="OK"; else PERMS="BAD"; fi
fi
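Review bot: the re-indented lookups use `grep ":${CHECKFILE}:"`, which interprets the path as a regular expression; `.` in `/root/.ssh` matches any character, so a profile entry for a similarly named path could be selected and the wrong expected permissions compared. Use `grep -F ":${CHECKFILE}:"` for a literal match, and drop the `cat ${PROFILE} |` prefix in favour of passing the file to grep directly.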
@@ -117,7 +133,6 @@
# Check updates
CheckUpdates()
{
- # Possible improvement: determine if host binary exists YYY
PROGRAM_LV="0000000000"; DB_MALWARE_LV="0000000000"; DB_FILEPERMS_LV="0000000000"
LYNIS_LV_RECORD="lynis-latest-version.cisofy.com."
FIND=`which dig 2> /dev/null`
@@ -236,6 +251,18 @@
exit 0
}
+ # Clean exit with custom code
+ ExitCustom()
+ {
+ RemovePIDFile
+ # Exit with the exit code given, otherwise use 1
+ if [ $# -eq 1 ]; then
+ exit $1
+ else
+ exit 1
+ fi
+ }
+
# Clean exit (removing temp files, PID files), with error code 1
ExitFatal()
{
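Review bot: `ExitCustom` passes `$1` straight to `exit` without checking that it is an integer; a caller passing a non-numeric value gets a shell error and an unpredictable exit status instead of the intended code. Validate with a `case` pattern such as `[0-9]*` and fall back to 1 otherwise, and also update the `ExitClean` header comment just above, which now describes exit code 0 in the function index but not here.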
@@ -337,8 +364,6 @@
fi
fi
- # YYY check group ownership (just in case)
-
# Check if we have the read bit
if [ "${OTHERPERMS}" = "r" ]; then
CANREAD=1
@@ -577,25 +602,101 @@
logtext "Test: Determine if this system is a virtual machine"
# 0 = no, 1 = yes, 2 = unknown
ISVIRTUALMACHINE=2; VMTYPE="unknown"; VMFULLTYPE="Unknown"
-
SHORT=""
- # Trying systemd
- if [ "${SHORT}" = "" -a ! "${SYSTEMCTLBINARY}" = "" ]; then
- logtext "Test: trying to guess virtualization technology with systemctl"
- FIND=`${SYSTEMCTLBINARY} | grep "^Virtualization=" | awk -F= '{ print $2 }'`
- if [ ! "${FIND}" = "" ]; then
- SHORT="${FIND}"
+ # facter
+ if [ "${SHORT}" = "" ]; then
+ if [ -x /usr/bin/facter ]; then
+ case "`facter is_virtual`" in
+ "true")
+ SHORT=`facter virtual`
+ logtext "Result: found ${SHORT}"
+ ;;
+ "false")
+ logtext "Result: facter says this machine is not a virtual"
+ ;;
+ esac
+ else
+ logtext "Result: facter utility not found"
+ fi
+ else
+ logtext "Result: skipped facter test, as we already found machine type"
+ fi
+
+ # systemd
+ if [ "${SHORT}" = "" ]; then
+ if [ -x /usr/bin/systemd-detect-virt ]; then
+ logtext "Test: trying to guess virtualization technology with systemd-detect-virt"
+ FIND=`/usr/bin/systemd-detect-virt`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: found ${FIND}"
+ SHORT="${FIND}"
+ fi
+ else
+ logtext "Result: systemd-detect-virt not found"
fi
+ else
+ logtext "Result: skipped systemd test, as we already found machine type"
+ fi
+
+ # lscpu
+ # Values: VMware
+ if [ "${SHORT}" = "" ]; then
+ if [ -x /usr/bin/lscpu ]; then
+ logtext "Test: trying to guess virtualization with lscpu"
+ FIND=`lscpu | grep "^Hypervisor Vendor" | awk -F: '{ print $2 }' | sed 's/ //g'`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: found ${FIND}"
+ SHORT="${FIND}"
+ else
+ logtext "Result: can't find hypervisor vendor with lscpu"
+ fi
+ else
+ logtext "Result: lscpu not found"
+ fi
+ else
+ logtext "Result: skipped lscpu test, as we already found machine type"
+ fi
+
+ # dmidecode
+ # Values: VMware Virtual Platform / VirtualBox
+ if [ "${SHORT}" = "" ]; then
+ if [ -x /usr/sbin/dmidecode ]; then
+ logtext "Test: trying to guess virtualization with dmidecode"
+ FIND=`dmidecode -s system-product-name | awk '{ print $1 }'`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: found ${FIND}"
+ SHORT="${FIND}"
+ else
+ logtext "Result: can't find product name with dmidecode"
+ fi
+ else
+ logtext "Result: dmidecode not found"
+ fi
+ else
+ logtext "Result: skipped dmidecode test, as we already found machine type"
fi
# lshw
if [ "${SHORT}" = "" ]; then
if [ -x /usr/bin/lshw ]; then
- SHORT=`lshw -quiet -class system | awk '{ if ($1=="product:") { print $2 }}'`
+ logtext "Test: trying to guess virtualization with lshw"
+ FIND=`lshw -quiet -class system | awk '{ if ($1=="product:") { print $2 }}'`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: found ${FIND}"
+ SHORT="${FIND}"
+ fi
+ else
+ logtext "Result: lshw not found"
fi
+ else
+ logtext "Result: skipped lshw test, as we already found machine type"
fi
+ # Other options
+ # SaltStack: salt-call grains.get virtual
+ # < needs snippet >
+
# Try common guest processes
if [ "${SHORT}" = "" ]; then
logtext "Test: trying to guess virtual machine type by running processes"
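Review bot: the `lscpu` branch greps for `^Hypervisor Vendor`, but util-linux prints the label as `Hypervisor vendor:` with a lowercase v, so this check never matches and always falls through; fix the pattern or use `grep -i`. Two related points: each branch tests `-x /usr/bin/facter`, `/usr/bin/lscpu`, `/usr/sbin/dmidecode` and `/usr/bin/lshw` but then invokes the bare command name, so the binary actually run comes from `PATH` rather than the path that was checked; invoke the tested absolute path (or the discovered `*BINARY` variable) consistently, which matters for a tool that runs as root. And `dmidecode -s system-product-name | awk '{ print $1 }'` yields `Standard` for the common QEMU/KVM product string, which is then lowercased and fails the `case` match below; that is harmless but worth a comment so nobody expects KVM detection from this branch.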
@@ -603,33 +704,49 @@
# VMware
IsRunning vmware-guestd
if [ ${RUNNING} -eq 1 ]; then SHORT="vmware"; fi
+ IsRunning vmtoolsd
+ if [ ${RUNNING} -eq 1 ]; then SHORT="vmware"; fi
# VirtualBox based on guest services
IsRunning vboxguest-service
if [ ${RUNNING} -eq 1 ]; then SHORT="virtualbox"; fi
IsRunning VBoxClient
if [ ${RUNNING} -eq 1 ]; then SHORT="virtualbox"; fi
+ else
+ logtext "Result: skipped processes test, as we already found platform"
fi
# Amazon EC2
if [ "${SHORT}" = "" ]; then
logtext "Test: checking specific files for Amazon"
- if [ -f /etc/ec2_version -a ! -z /etc/ec2_version ]; then SHORT="amazon-ec2"; fi
+ if [ -f /etc/ec2_version -a ! -z /etc/ec2_version ]; then
+ SHORT="amazon-ec2"
+ else
+ logtext "Result: system not hosted on Amazon"
+ fi
+ else
+ logtext "Result: skipped Amazon EC2 test, as we already found platform"
fi
# sysctl values
if [ "${SHORT}" = "" ]; then
logtext "Test: trying to guess virtual machine type by sysctl keys"
+ # FreeBSD: hw.hv_vendor (remains empty for VirtualBox)
# NetBSD: machdep.dmi.system-product
# OpenBSD: hw.product
- SHORT=`sysctl -a 2> /dev/null | egrep "(hw.product|machdep.dmi.system-product)" | head -1 | sed 's/ = /=/' | awk -F= '{ print $2 }'`
+ FIND=`sysctl -a 2> /dev/null | egrep "(hw.product|machdep.dmi.system-product)" | head -1 | sed 's/ = /=/' | awk -F= '{ print $2 }'`
+ if [ ! "${FIND}" = "" ]; then
+ SHORT="${FIND}"
+ fi
+ else
+ logtext "Result: skipped sysctl test, as we already found platform"
fi
# Check if we catched some string along all tests
if [ ! "${SHORT}" = "" ]; then
# Lowercase and see if we found a match
- SHORT=`echo ${SHORT} | tr [[:upper:]] [[:lower:]]`
+ SHORT=`echo ${SHORT} | awk '{ print $1 }' | tr [[:upper:]] [[:lower:]]`
case ${SHORT} in
amazon-ec2) ISVIRTUALMACHINE=1; VMTYPE="amazon-ec2"; VMFULLTYPE="Amazon AWS EC2 Instance" ;;
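Review bot: `[ -f /etc/ec2_version -a ! -z /etc/ec2_version ]` does not test what the comment implies: `-z` checks whether a string is empty, and the literal path never is, so the second condition is always true. The intended test is `-s /etc/ec2_version` (exists and is non-empty). In the sysctl branch the new comment mentions FreeBSD's `hw.hv_vendor`, but the `egrep` pattern on the next line is unchanged and still only matches `hw.product` and `machdep.dmi.system-product`; either add the key to the pattern or drop the comment. Finally, `tr [[:upper:]] [[:lower:]]` is unquoted, so the bracket expressions are subject to filename globbing in the current directory; quote both arguments.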
@@ -637,7 +754,7 @@
docker) ISVIRTUALMACHINE=1; VMTYPE="docker"; VMFULLTYPE="Docker container" ;;
kvm) ISVIRTUALMACHINE=1; VMTYPE="kvm"; VMFULLTYPE="KVM" ;;
lxc) ISVIRTUALMACHINE=1; VMTYPE="lxc"; VMFULLTYPE="Linux Containers" ;;
- lxc-libvirt) ISVIRTUALMACHINE=1; VMTYPE="lxc-libvirt"; VMFULLTYPE="libvirt LXC driver (Linux Containers" ;;
+ lxc-libvirt) ISVIRTUALMACHINE=1; VMTYPE="lxc-libvirt"; VMFULLTYPE="libvirt LXC driver (Linux Containers)" ;;
microsoft) ISVIRTUALMACHINE=1; VMTYPE="microsoft"; VMFULLTYPE="Microsoft Virtual PC" ;;
openvz) ISVIRTUALMACHINE=1; VMTYPE="openvz"; VMFULLTYPE="OpenVZ" ;;
oracle|virtualbox) ISVIRTUALMACHINE=1; VMTYPE="virtualbox"; VMFULLTYPE="Oracle VM VirtualBox" ;;
@@ -656,9 +773,11 @@
logtext "Result: found virtual machine (type: ${VMTYPE}, ${VMFULLTYPE})"
report "vm=1"
report "vmtype=${VMTYPE}"
- elif [ ${ISVIRTUALMACHINE} -eq 2 ]; then
+ elif [ ${ISVIRTUALMACHINE} -eq 2 ]; then
logtext "Result: unknown if this system is a virtual machine"
report "vm=2"
+ else
+ logtext "Result: system seems to be non-virtual"
fi
}
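Review bot: `[ ${ISVIRTUALMACHINE} -eq 2 ]` with an unquoted, possibly unset variable produces a test syntax error instead of falling through to the new `else` branch that logs "system seems to be non-virtual"; either guarantee the variable is initialized to 0 before this function runs or use `"${ISVIRTUALMACHINE:-0}"` in both comparisons.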
@@ -778,6 +897,8 @@
NGINX_ACCESS_LOG_DISABLED=1
else
if [ ! "${VALUE}" = "" ]; then
+ # If multiple values follow, select first one
+ VALUE=`echo ${VALUE} | awk '{ print $1 }'`
if [ ! -f ${VALUE} ]; then
logtext "Result: could not find referenced log file ${VALUE} in nginx configuration"
NGINX_ACCESS_LOG_MISSING=1
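Review bot: after the new first-token selection, `[ ! -f ${VALUE} ]` is still unquoted, so a value containing shell metacharacters or whitespace misbehaves; use `[ ! -f "${VALUE}" ]`. Note also that nginx resolves a relative `access_log` path against its configured prefix, so a relative value is reported here as a missing log file even when it exists; consider prefixing relative values with the nginx prefix before testing.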
@@ -807,12 +928,12 @@
NGINX_EXPIRES_FOUND=1
;;
error_log)
- # YYY Check if debug is appended
+ # Check if debug is appended
FIND=`echo ${VALUE} | awk '{ if ($2=="debug") { print 1 } else { print 0 }}'`
if [ ${FIND} -eq 1 ]; then
NGINX_ERROR_LOG_DEBUG=1
fi
- # YYY Check if file exists
+ # Check if log file exists
FILE=`echo ${VALUE} | awk '{ print $1 }'`
if [ ! "${FILE}" = "" ]; then
if [ ! -f ${FILE} ]; then
@@ -1023,7 +1144,7 @@
if [ ! "${FIND}" = "" ]; then SKIPTEST=1; SKIPREASON="Skipped by configuration"; fi
fi
- # Skip if test is not in the list
+ # Skip if test is not in the list
if [ ${SKIPTEST} -eq 0 -a ! "${TESTS_TO_PERFORM}" = "" ]; then
FIND=`echo "${TESTS_TO_PERFORM}" | grep "${TEST_NO}"`
if [ "${FIND}" = "" ]; then SKIPTEST=1; SKIPREASON="Test not in list of tests to perform"; fi
@@ -1109,7 +1230,7 @@
{
if [ $1 = "" ]; then TESTID="UNKNOWN"; fi
# Status: OK, WARNING, NEUTRAL, SUGGESTION
- # Impact: HIGH, SEVERE, LOW,
+ # Impact: HIGH, SEVERE, LOW,
#report "result[]=TESTID-${TESTID},STATUS-$2,IMPACT-$3,MESSAGE-$4-"
# Reset ID before next test
TESTID=""
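Review bot: `if [ $1 = "" ]` at the top of this hunk breaks exactly in the case it is meant to handle: with an empty first argument the command becomes `[ = "" ]`, which is a test syntax error rather than a true result, so `TESTID="UNKNOWN"` is never set. Quote it as `if [ "$1" = "" ]` (or `[ -z "$1" ]`).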
@@ -1118,6 +1239,7 @@
# Log suggestions to report file
ReportSuggestion()
{
+ TOTAL_SUGGESTIONS=`expr ${TOTAL_SUGGESTIONS} + 1`
# 2 parameters
# <ID> <suggestion text>
report "suggestion[]=$1|$2|"
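Review bot: `TOTAL_SUGGESTIONS=`expr ${TOTAL_SUGGESTIONS} + 1`` depends on the variable being initialized to 0 before the first call; if it is unset, `expr + 1` fails and the counter becomes empty, which then breaks the `(${TOTAL_SUGGESTIONS})` display in the report. Confirm the initialization in include/consts (also touched by this merge) or write `expr ${TOTAL_SUGGESTIONS:-0} + 1`.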
@@ -1127,6 +1249,7 @@
# Log warning to report file
ReportWarning()
{
+ TOTAL_WARNINGS=`expr ${TOTAL_WARNINGS} + 1`
# 3 parameters
# <ID> <priority/impact> <warning text>
if [ "$2" = "L" -o "$2" = "M" -o "$2" = "H" ]; then
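Review bot: `TOTAL_WARNINGS` is incremented before the priority check on the following line, so a call with an invalid priority is counted as a warning even if the rest of the function rejects it; move the increment inside the validated branch so the displayed total matches what was actually reported. The same initialization caveat as for `TOTAL_SUGGESTIONS` applies here.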
@@ -1283,6 +1406,7 @@
SYMLINK_USE_READLINK=1
logtext "Note: Using real readlink binary to determine symlinks"
tFILE=`${READLINKBINARY} -f ${sFILE}`
+ logtext "Result: readlink shows ${tFILE} as output"
fi
fi
# Check if we can find the file now
@@ -1292,6 +1416,14 @@
sFILE="${tFILE}"
logtext "Result: symlink found, pointing to file ${sFILE}"
FOUNDPATH=1
+ elif [ -b ${tFILE} ]; then
+ sFILE="${tFILE}"
+ logtext "Result: symlink found, pointing to block device ${sFILE}"
+ FOUNDPATH=1
+ elif [ -c ${tFILE} ]; then
+ sFILE="${tFILE}"
+ logtext "Result: symlink found, pointing to character device ${sFILE}"
+ FOUNDPATH=1
elif [ -d ${tFILE} ]; then
sFILE="${tFILE}"
logtext "Result: symlink found, pointing to directory ${sFILE}"
diff --git a/include/helper_audit_dockerfile b/include/helper_audit_dockerfile
index 3c481914..13174e40 100644
--- a/include/helper_audit_dockerfile
+++ b/include/helper_audit_dockerfile
@@ -4,7 +4,6 @@ if [ $# -eq 0 ]; then
Display --indent 2 --text "${RED}Error: ${WHITE}Provide URL or file${NORMAL}"
Display --text " "; Display --text " "
-
ExitFatal
else
FILE=`echo $1 | egrep "^http|https"`
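Review bot: `egrep "^http|https"` anchors only the first alternative, so any argument containing `https` anywhere (for example a local path such as `./https-proxy/Dockerfile`) is treated as a URL and handed to the downloader; `egrep "^https?://"` expresses the intent precisely.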
@@ -18,7 +17,7 @@ if [ $# -eq 0 ]; then
if [ -f ${TMP_FILE} ]; then
rm -f ${TMP_FILE}
fi
- Dislpay --indent 2 --text "${RED}Error: ${WHITE}can not download file${NORMAL}"
+ Display --indent 2 --text "${RED}Error: ${WHITE}can not download file${NORMAL}"
ExitFatal
fi
else
diff --git a/include/helper_update b/include/helper_update
new file mode 100644
index 00000000..60529c4b
--- /dev/null
+++ b/include/helper_update
@@ -0,0 +1,266 @@
+#!/bin/sh
+
+######################################################################
+#
+# Helper program to support automatic updates of Lynis
+#
+######################################################################
+#
+# Options:
+# ---------
+# 1) lynis update info - Show version information (external)
+# 2) lynis update release - Check and install new release (internal)
+#
+# How to use:
+# ------------
+# Run option 1 to know about current and latest release information.
+# Run option 2 to query internal server for possible upgrade of Lynis.
+#
+# Steps for updating to new release:
+# 1) Run Lynis with: lynis update release
+# 2) Lynis will use this helper and check the profile
+# 3) The configured web server will be queried (lynis-latest-version)
+# 4) The contents of this file will be compared with a local file
+# 5) If there is a difference, download package
+# 6) Check paths and extract files
+# 7) Quit program
+#
+# Suggested documentation if you want to use this functionality:
+# https://cisofy.com/documentation/lynis/upgrading/
+#
+######################################################################
+
+LOCAL_VERSION="-"
+SERVER_VERSION=""
+PERFORM_UPGRADE=0
+
+WGET_EXISTS=`which wget 2> /dev/null`
+CURL_EXISTS=`which curl 2> /dev/null`
+FETCH_EXISTS=`which fetch 2> /dev/null`
+
+# Update version
+if [ "$1" = "release" ]; then
+
+ if [ "${UPDATE_SERVER_PROTOCOL}" = "" ] ; then
+ Display --indent 2 --text "Error: Unknown protocol, please specify (http, https) in profile (update_server_protocol)"
+ ExitFatal
+ fi
+
+ if [ "${UPDATE_SERVER_ADDRESS}" = "" ] ; then
+ Display --indent 2 --text "Error: Unknown download address, please specify in profile (update_server_address)"
+ ExitFatal
+ fi
+
+ if [ "${UPDATE_LATEST_VERSION_DOWNLOAD}" = "" ] ; then
+ Display --indent 2 --text "Error: No URL to latest download has been specifiedrsion on the server, please specify in profile (update_latest_version_download)"
+ ExitFatal
+ fi
+
+ if [ "${UPDATE_LATEST_VERSION_INFO}" = "" ] ; then
+ Display --indent 2 --text "Error: No URL has been specified to know the latest version on the server, please specify in profile (update_latest_version_info)"
+ ExitFatal
+ fi
+
+ if [ "${UPDATE_LOCAL_DIRECTORY}" = "" ] ; then
+ Display --indent 2 --text "Error: No local directory has been specified to store Lynis files. Please specify in profile (update_local_directory)"
+ ExitFatal
+ else
+ if [ ! -d ${UPDATE_LOCAL_DIRECTORY} ]; then
+ Display --indent 2 --text "Error: Directory ${UPDATE_LOCAL_DIRECTORY} does not exist"
+ ExitFatal
+ fi
+ fi
+
+ if [ "${UPDATE_LOCAL_VERSION_INFO}" = "" ] ; then
+ Display --indent 2 --text "Error: No data file has been specified to determine local Lynis version, please specify in profile (update_local_version_info)"
+ ExitFatal
+ fi
+
+ if [ ! -f ${UPDATE_LOCAL_VERSION_INFO} ]; then
+ Display --indent 2 --text "Note: local data file ${UPDATE_LOCAL_VERSION_INFO} does not exist. It will be created after updating. (update_local_version_info)"
+ else
+ LOCAL_VERSION=`cat ${UPDATE_LOCAL_VERSION_INFO}`
+ fi
+
+ # Normal update
+ FULLPATH="${UPDATE_SERVER_PROTOCOL}://${UPDATE_SERVER_ADDRESS}${UPDATE_LATEST_VERSION_INFO}"
+ TMP_FILE=`mktemp /tmp/audit.XXXXXXXXXX`
+ if [ "${TMP_FILE}" = "" ]; then
+ Display --indent 2 --text "Could not create a temporary file in /tmp with mktemp. Aborting.."
+ ExitFatal
+ fi
+ Display --indent 2 --text "${CYAN}[Phase 1] Downloading details${NORMAL}"
+ if [ ! "${WGET_EXISTS}" = "" ]; then
+ logtext "Using wget to download release information"
+ LAST_COMMAND_HELP="wget --output-document ${TMP_FILE} ${FULLPATH}"
+ wget --output-document ${TMP_FILE} ${FULLPATH} 2> /dev/null
+ EXIT_CODE=$?
+ elif [ ! "${CURL_EXISTS}" = "" ]; then
+ logtext "Using curl to download release information"
+ LAST_COMMAND_HELP="curl --fail -o ${TMP_FILE} ${FULLPATH}"
+ curl --fail -o ${TMP_FILE} ${FULLPATH} 2> /dev/null
+ EXIT_CODE=$?
+ else
+ Display --indent 2 --text "No download tool available to perform download"
+ ExitFatal
+ fi
+
+ if [ ! "${TMP_FILE}" = "" ]; then
+ if [ -f ${TMP_FILE} ]; then
+ SERVER_VERSION=`cat ${TMP_FILE}`
+ rm -f ${TMP_FILE}
+ fi
+ else
+ Display --indent 2 --text "Temporary file variable is empty, which is unexpected. Aborting.."
+ ExitFatal
+ fi
+
+ # Determine if downloading meta data was successful
+ if [ ${EXIT_CODE} -eq 0 ]; then
+ if [ "${SERVER_VERSION}" = "" ]; then
+ Display --indent 2 --text "No version found on the server. Aborting.."
+ ExitFatal
+ else
+ Display --indent 2 --text "Version found on server: ${SERVER_VERSION}"
+ Display --indent 2 --text "Local version found: ${LOCAL_VERSION}"
+ fi
+ else
+ Display --indent 2 --text "${RED}Error: ${WHITE}Download utility returned an unexpected error code.${NORMAL} Aborting.."
+ Display --indent 2 --text "Error code: ${EXIT_CODE}"
+ Display --indent 2 --text "Suggested command: ${LAST_COMMAND_HELP}"
+ ExitFatal
+ fi
+
+#==========================================================================================================================================
+
+ Display --indent 2 --text " "
+ Display --indent 2 --text "${CYAN}[Phase 2] Compare results${NORMAL}"
+ if [ ! "${LOCAL_VERSION}" = "${SERVER_VERSION}" ]; then
+ Display --indent 2 --text "Different version available, moving to upgrade phase"
+ PERFORM_UPGRADE=1
+ else
+ Display --indent 2 --text "${GREEN}No upgrade needed${NORMAL}"
+ fi
+
+ # Go to phase 3 if upgrade is needed
+ if [ ${PERFORM_UPGRADE} -eq 1 ]; then
+ FULLPATH="${UPDATE_SERVER_PROTOCOL}://${UPDATE_SERVER_ADDRESS}${UPDATE_LATEST_VERSION_DOWNLOAD}"
+ Display --indent 2 --text " "
+ Display --indent 2 --text "[Phase 3] Downloading latest release"
+ Display --indent 2 --text "Download location: ${FULLPATH}"
+ if [ ! "${WGET_EXISTS}" = "" ]; then
+ logtext "Using wget to download latest release"
+ LAST_COMMAND_HELP="wget --output-document ${TMP_FILE} ${FULLPATH}"
+ wget --output-document ${TMP_FILE} ${FULLPATH} 2> /dev/null
+ EXIT_CODE=$?
+ elif [ ! "${CURL_EXISTS}" = "" ]; then
+ logtext "Using curl to download latest release"
+ LAST_COMMAND_HELP="curl --fail -o ${TMP_FILE} ${FULLPATH}"
+ curl --fail -o ${TMP_FILE} ${FULLPATH} 2> /dev/null
+ EXIT_CODE=$?
+ fi
+ if [ ${EXIT_CODE} -eq 0 ]; then
+ if [ -f ${TMP_FILE} ]; then
+ Display --indent 2 --text "Download successful"
+ # Extract the file to the related path, with 'lynis' appended
+ # Note: by default the tarball includes 'lynis' as directory
+ if [ ! -d ${UPDATE_LOCAL_DIRECTORY} ]; then
+ Display --indent 2 --text "Error: directory ${UPDATE_LOCAL_DIRECTORY} does not exist"
+ ExitFatal
+ fi
+ Display --indent 2 --text "Extracting latest version to path ${UPDATE_LOCAL_DIRECTORY}"
+ if [ ! -d ${UPDATE_LOCAL_DIRECTORY}/lynis ]; then
+ Display --indent 2 --text "Creating 'lynis' directory in ${UPDATE_LOCAL_DIRECTORY}"
+ mkdir ${UPDATE_LOCAL_DIRECTORY}/lynis
+ if [ $? -gt 0 ]; then
+ Display --indent 2 --text "Error: could not create directory ${UPDATE_LOCAL_DIRECTORY}/lynis"
+ ExitFatal
+ fi
+ fi
+ if [ -d ${UPDATE_LOCAL_DIRECTORY}/lynis ]; then
+ Display --indent 2 --text "Extracting files to ${UPDATE_LOCAL_DIRECTORY}"
+ tar xzf ${TMP_FILE} -C ${UPDATE_LOCAL_DIRECTORY}
+ if [ $? -eq 0 ]; then
+ # Check if we can find the Lynis binary (in the created 'lynis' directory)
+ if [ -f ${UPDATE_LOCAL_DIRECTORY}/lynis/lynis ]; then
+ # If version was downloaded, update local version
+ echo ${SERVER_VERSION} > ${UPDATE_LOCAL_VERSION_INFO}
+ else
+ Display --indent 2 --text "Error: could not find downloaded file on disk"
+ fi
+ else
+ Display --indent 2 --text "Error: File extraction failed"
+ ExitFatal
+ fi
+ else
+ Display --indent 2 --text "Error: could not find lynis directory"
+ fi
+ else
+ Display --indent 2 --text "Error: could not find downloaded file on disk"
+ ExitFatal
+ fi
+ else
+ Display --indent 2 --text "Error: could not download latest release"
+ Display --indent 2 --text "Suggestion: ${LAST_COMMAND_HELP}"
+ ExitFatal
+ fi
+ fi
+
+ # Removing temp file
+ logtext "Action: Removing temporary file ${TMP_FILE}"
+ if [ "${TMP_FILE}" = "" ]; then
+ if [ -f ${TMP_FILE} ]; then
+ rm -f ${TMP_FILE}
+ fi
+ fi
+
+ Display --indent 2 --text " "
+ Display --indent 2 --text "Done"
+ Display --indent 2 --text " "
+ ExitClean
+
+# Update check
+elif [ "$1" = "info" ]; then
+
+ # CV - Current Version
+ PROGRAM_AC=`echo ${PROGRAM_version} | awk '{ print $1 }' | sed 's/[.]//g'`
+ PROGRAM_LV=0
+
+ CheckUpdates
+
+ # Reset everything if we can't determine our current version or the latest
+ # available version (due lack of internet connectivity for example)
+ if [ "${PROGRAM_AC}" = "" -o "${PROGRAM_LV}" = "" ]; then
+ # Set both to safe values
+ PROGRAM_AC=0; PROGRAM_LV=0
+ fi
+
+ echo ""; echo " == ${WHITE}${PROGRAM_name}${NORMAL} =="
+ echo ""
+ echo " Version : ${PROGRAM_version}"
+ echo -n " Status : "
+ if [ ${PROGRAM_LV} -eq 0 ]; then
+ echo "${RED}Unknown${NORMAL}";
+ elif [ ${PROGRAM_LV} -gt ${PROGRAM_AC} ]; then
+ echo "${YELLOW}Outdated${NORMAL}";
+ echo " Current version : ${PROGRAM_AC}"
+ echo " Latest version : ${PROGRAM_LV}"
+ else
+ echo "${GREEN}Up-to-date${NORMAL}"
+ fi
+ echo " Release date : ${PROGRAM_releasedate}"
+ echo " Update location : ${PROGRAM_website}"
+ echo ""; echo ""
+ echo "${PROGRAM_copyright}"
+ echo ""
+
+ # Quit program
+ ExitClean
+
+else
+ Display --indent 2 --text "${RED}Error: ${WHITE}Unknown parameter $1.${NORMAL} Aborting.."
+ ExitFatal
+fi
+
+
+# The End
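Review bot: nothing in this helper verifies the integrity or authenticity of what it downloads: the version file is trusted as-is, and in Phase 3 the tarball goes straight to `tar xzf ${TMP_FILE} -C ${UPDATE_LOCAL_DIRECTORY}` with no checksum or signature check, while `UPDATE_SERVER_PROTOCOL` may be plain `http`; a tampered archive on the path would be extracted into the Lynis directory with the privileges of the user running the update (often root). At minimum compare the download against a published hash or signature before extraction and prefer requiring https. Further points: the cleanup `if [ "${TMP_FILE}" = "" ]; then ... rm -f ${TMP_FILE}` is inverted, so the temporary file is only removed when the variable is empty and the Phase 3 download is left on disk; Phase 1 already does `rm -f ${TMP_FILE}` and Phase 3 then rewrites the same path, which discards the protection `mktemp` gave against a pre-created file; the error text for `update_latest_version_download` reads "specifiedrsion on the server" and needs rewording; `FETCH_EXISTS` is set but never consulted, so a BSD host with only `fetch` gets "No download tool available"; and the `info` branch strips dots for comparison (`2.1.1` becomes `211`, `2.10.0` becomes `2100`), which makes `-gt` unreliable once a component reaches two digits.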
diff --git a/include/parameters b/include/parameters
index 790fa2f8..b4501f6a 100644
--- a/include/parameters
+++ b/include/parameters
@@ -23,6 +23,7 @@
PARAMCOUNT=$#
while [ $# -ge 1 ]; do
case $1 in
+ # Helpers first
audit)
CHECK_BINARIES=0
RUN_HELPERS=1
@@ -63,6 +64,28 @@
#break
;;
+ # Helpers first
+ update)
+ CHECK_BINARIES=0
+ RUN_HELPERS=1
+ HELPER="update"
+ RUN_PLUGINS=0
+ RUN_TESTS=0
+ SHOW_PROGRAM_DETAILS=0
+ if [ ! $2 = "" ]; then
+ shift
+ HELPER_PARAMS="$1 $2"
+ break
+ else
+ Display --text "${RED}Error: ${WHITE}Need a target for update${NORMAL}"
+ Display --text " "
+ Display --text "Examples:"
+ Display --text "lynis update info"
+ Display --text "lynis update release"
+ ExitFatal
+ fi
+ ;;
+
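Review bot: `if [ ! $2 = "" ]` is unquoted, so `lynis update` with no target expands to `[ ! = "" ]` and fails with a test error instead of printing the "Need a target for update" help; use `[ ! "$2" = "" ]` or `[ -n "$2" ]`. Also `HELPER_PARAMS="$1 $2"` after the `shift` passes a second word that none of the documented forms (`update info`, `update release`) use; if it is intentional, document it, otherwise pass only `$1`.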
# Assign auditor to report
--auditor)
shift
@@ -102,7 +125,9 @@
# View program/database information
--check-update | --check-updates | --info)
- VIEWUPDATEINFO=1
+ echo "This option is deprecated"
+ echo "Use: lynis update info"
+ ExitClean
;;
# License key for Lynis Enterprise
@@ -144,11 +169,11 @@
LASTCHAR=`echo $1 | awk '{ print substr($0, length($0))}'`
if [ "${LASTCHAR}" = "/" ]; then
echo "${RED}Error:${WHITE} plugin directory path should not end with a slash${NORMAL}"
- ExitFatal
+ ExitCustom 65
fi
if [ ! -d ${PLUGINDIR} ]; then
echo "${RED}Error:${WHITE} invalid plugin directory ${PLUGINDIR}${NORMAL}"
- ExitFatal
+ ExitCustom 66
fi
;;
@@ -238,4 +263,4 @@
done
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
+# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/profiles b/include/profiles
index fea8d412..1ceb4cd8 100644
--- a/include/profiles
+++ b/include/profiles
@@ -5,8 +5,8 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@@ -18,29 +18,12 @@
#
#################################################################################
#
- #YYY Enable check when profile files are complete and completely documented
- # Check if default profile is used
- if [ "${PROFILE}" = "defaultXXX.prf" ]; then
- echo ""
- echo " ==============================================================================="
- echo " ${WARNING}Warning${NORMAL}: ${WHITE}Default profile is used.${NORMAL}"
- echo " Default profile contains only a small amount of options and settings."
- echo " Consult the documentation to create a custom profile!"
- echo ""
- echo " [ ${WHITE}Press [ENTER] to continue with the default profile or [CTRL] + C to stop${NORMAL} ]"
- echo " ==============================================================================="
- wait_for_keypress
- fi
-
-#
-#################################################################################
-#
Display --indent 2 --text "- Checking profile file (${PROFILE})..."
logtext "Reading profile/configuration ${PROFILE}"
FIND=`cat ${PROFILE} | grep '^config:' | sed 's/ /!space!/g'`
for I in ${FIND}; do
OPTION=`echo ${I} | cut -d ':' -f2`
- VALUE=`echo ${I} | cut -d ':' -f3 | sed 's/!space!/ /g'`
+ VALUE=`echo ${I} | cut -d ':' -f3 | sed 's/!space!/ /g'`
logtext "Profile option set: ${OPTION} (with value ${VALUE})"
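Review bot: `VALUE=`echo ${I} | cut -d ':' -f3 | ...`` keeps only the third colon-separated field, so any profile value containing a colon is silently truncated; this matters for the new `update_server_address` option (no `host:port` possible) and for anything written as a URL. If colons are legitimate in values, use `cut -d ':' -f3-` to keep the remainder of the line.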
@@ -120,7 +103,6 @@
# Profile name
profile_name)
- # YYY dummy
PROFILE_NAME="${VALUE}"
;;
@@ -147,6 +129,36 @@
if [ "${VALUE}" = "full" ]; then SCAN_TEST_LIGHT="YES"; SCAN_TEST_MEDIUM="YES"; SCAN_TEST_HEAVY="YES"; fi
;;
+ # Server IP or hostname
+ update_server_address)
+ UPDATE_SERVER_ADDRESS="${VALUE}"
+ ;;
+
+ # Protocol (http, https)
+ update_server_protocol)
+ UPDATE_SERVER_PROTOCOL="${VALUE}"
+ ;;
+
+ # File path to tarball on server
+ update_latest_version_download)
+ UPDATE_LATEST_VERSION_DOWNLOAD="${VALUE}"
+ ;;
+
+ # File path to information file
+ update_latest_version_info)
+ UPDATE_LATEST_VERSION_INFO="${VALUE}"
+ ;;
+
+ # Local directory where lynis directory will be placed
+ update_local_directory)
+ UPDATE_LOCAL_DIRECTORY="${VALUE}"
+ ;;
+
+ # Local file to maintain current version
+ update_local_version_info)
+ UPDATE_LOCAL_VERSION_INFO="${VALUE}"
+ ;;
+
# Options during upload of data
upload_options)
UPLOAD_OPTIONS="${VALUE}"
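Review bot: the comment for `update_server_protocol` says "(http, https)" but the value is stored without validation, and the helper later only tests that it is non-empty; validate it here against exactly those two values (and consider defaulting to `https`) so a typo fails at profile load rather than at download time. Since these six `update_*` keys are new, make sure default.prf (also changed in this merge) documents them and their expected formats.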
diff --git a/include/report b/include/report
index 82b69c6b..fb57bd00 100644
--- a/include/report
+++ b/include/report
@@ -19,17 +19,6 @@
#################################################################################
#
-
- # Only show overview if not running in quiet mode
- if [ ${QUIET} -eq 0 ]; then
- echo ""; echo "================================================================================"
- echo ""; echo " -[ ${WHITE}${PROGRAM_name} ${PROGRAM_version} Results${NORMAL} ]-"
- echo "";
-
-
- if [ ${SHOW_REPORT} -eq 1 ]; then
-
- logtextbreak
#
#################################################################################
#
@@ -87,7 +76,18 @@
HPGRAPH="[${HPCOLOR}${HPBLOCKS}${NORMAL}${HPEMPTY}]"
logtext "Hardening index : [${HPINDEX}] [${HPBLOCKS}${HPEMPTY}]"
logtext "Hardening strength: ${HIDESCRIPTION}"
- report "hardening_index=${HPINDEX}"
+
+
+ # Only show overview if not running in quiet mode
+ if [ ${QUIET} -eq 0 ]; then
+ echo ""; echo "================================================================================"
+ echo ""; echo " -[ ${WHITE}${PROGRAM_name} ${PROGRAM_version} Results${NORMAL} ]-"
+ echo "";
+
+
+ if [ ${SHOW_REPORT} -eq 1 ]; then
+
+ logtextbreak
#
#################################################################################
@@ -107,7 +107,7 @@
if [ "${SWARNINGS}" = "" ]; then
echo " ${OK}No warnings${NORMAL}"; echo ""
else
- echo " ${WARNING}Warnings${NORMAL}:"
+ echo " ${WARNING}Warnings${NORMAL} (${TOTAL_WARNINGS}):"
echo " ${WHITE}----------------------------${NORMAL}"
for WARNING in ${SWARNINGS}; do
SHOWWARNING=`echo ${WARNING} | sed 's/!space!/ /g' | sed 's/^\[\(.*\)\] Warning: //'`
@@ -129,7 +129,7 @@
if [ "${SSUGGESTIONS}" = "" ]; then
echo " ${OK}No suggestions${NORMAL}"; echo ""
else
- echo " ${YELLOW}Suggestions${NORMAL}:"
+ echo " ${YELLOW}Suggestions${NORMAL} (${TOTAL_SUGGESTIONS}):"
echo " ${WHITE}----------------------------${NORMAL}"
for SUGGESTION in ${SSUGGESTIONS}; do
SHOWSUGGESTION=`echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^\[\(.*\)\] Suggestion: //'`
@@ -169,9 +169,10 @@
echo ""
echo " ${SECTION}Lynis Modules${NORMAL}:"
- echo " - Heuristics Check [${WHITE}NA${NORMAL}] - Security Audit [${GREEN}V${NORMAL}]"
- if [ ${LYNIS_COMPLIANCE_TESTS} -eq 1 ]; then COMPLIANCE="${GREEN}V"; else COMPLIANCE="${RED}X"; fi
- echo " - Compliance Tests [${COMPLIANCE}${NORMAL}] - Vulnerability Scan [${GREEN}V${NORMAL}]"
+ if [ ${LYNIS_COMPLIANCE_TESTS} -eq 1 ]; then COMPLIANCE="${GREEN}V"; else COMPLIANCE="${YELLOW}NA"; fi
+ echo " - Compliance Tests [${COMPLIANCE}${NORMAL}]"
+ echo " - Security Audit [${GREEN}V${NORMAL}]"
+ echo " - Vulnerability Scan [${GREEN}V${NORMAL}]"
echo ""
echo " ${SECTION}Files${NORMAL}:"
echo " - Test and debug information : ${WHITE}${LOGFILE}${NORMAL}"
@@ -224,21 +225,15 @@
echo "================================================================================"
fi
- if [ ${SHOW_TOOL_TIPS} -eq 1 ]; then
- echo " Tip: Disable all tests which are not relevant or are too strict for the"
- echo " purpose of this particular machine. This will remove unwanted suggestions"
- echo " and also boost the hardening index. Each test should be properly analyzed"
- echo " to see if the related risks can be accepted, before disabling the test."
- echo "================================================================================"
- fi
-
-
-
echo ""; echo ""
fi
fi
+ # Report data, even if it is not displayed on screen
+ report "hardening_index=${HPINDEX}"
+
+
if [ ${QUIET} -eq 0 ]; then
echo " ${PROGRAM_name} ${PROGRAM_version}"
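Review bot: with the Tip block removed, `SHOW_TOOL_TIPS` has no remaining consumer in this file; check whether the parameter that sets it is still accepted in include/parameters and either remove it or mark it deprecated like `--check-update` was. Moving `report "hardening_index=${HPINDEX}"` outside the `QUIET` block is correct, since the report file should carry the index regardless of screen output.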
diff --git a/include/tests_accounting b/include/tests_accounting
index 4228ff28..5c3bda3c 100644
--- a/include/tests_accounting
+++ b/include/tests_accounting
@@ -5,8 +5,8 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@@ -126,7 +126,9 @@
else
logtext "Result: auditd not active"
Display --indent 2 --text "- Checking auditd" --result "NOT FOUND" --color WHITE
- ReportSuggestion ${TEST_NO} "Enable auditd to collect audit information"
+ if [ ! "${VMTYPE}" = "openvz" ]; then
+ ReportSuggestion ${TEST_NO} "Enable auditd to collect audit information"
+ fi
AUDITD_RUNNING=0
report "audit_daemon_running=0"
AddHP 0 1
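Review bot: suppressing the suggestion for `openvz` while `AddHP 0 1` still runs two lines below means OpenVZ containers, which cannot run auditd themselves, keep losing the hardening point for it; either skip the `AddHP` call in the same condition or register the test with preqs not met for that `VMTYPE` so the result is consistent.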
@@ -226,7 +228,7 @@
if [ -f /etc/ld.so.preload ]; then
logtext "Result: found /etc/ld.so.preload, testing if snoopy.so is listed"
FIND=`grep ${FILE} /etc/ld.so.preload`
- if [ !"${FIND}" = "" ]; then
+ if [ ! "${FIND}" = "" ]; then
logtext "Result: found snoopy in ld.so.preload"
logtext "Output: ${FIND}"
Display --indent 6 --text "- Library in ld.so.preload" --result "LOADED" --color GREEN
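Review bot: `grep ${FILE} /etc/ld.so.preload` treats the library path as a regular expression, so its dots match any character and a leading dash would be parsed as an option; `grep -F -- "${FILE}" /etc/ld.so.preload` is the safe fixed-string form.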
@@ -325,15 +327,6 @@
#
#################################################################################
#
- # Test : ACCT-9658
- # Description : Check required audit files in /etc/security
- #if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- #Register --test-no ACCT-9658 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check required audit files"
- #if [ ${SKIPTEST} -eq 0 ]; then
- #fi
-#
-#################################################################################
-#
# Test : ACCT-9662
# Description : Check location for audit events
if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
@@ -351,12 +344,13 @@
Display --indent 4 --text "- Checking Solaris audit location" --result FOUND --color GREEN
else
logtext "Result: location ${FIND} does not exist"
- # YYY perform manual audit
- Display --indent 4 --text "- Checking Solaris audit location" --result UNKNOWN --color YELLOW
+ Display --indent 4 --text "- Checking Solaris audit location" --result "NOT FOUND" --color YELLOW
+ ReportSuggestion "${TEST_NO}" "Check if the Solaris audit directory is available"
fi
else
logtext "Result: unknown event location"
Display --indent 4 --text "- Checking Solaris audit location" --result UNKNOWN --color YELLOW
+ ReportSuggestion "${TEST_NO}" "Check if the Solaris audit directory is properly configured"
fi
else
logtext "Result: could not find /etc/security/audit_control"
@@ -366,22 +360,6 @@
#
#################################################################################
#
- # Test : ACCT-96xx
- # Description : Check which events are audited
- #if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- #Register --test-no ACCT-96xx --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check BSM auditing in module list"
- #if [ ${SKIPTEST} -eq 0 ]; then
-#
-#################################################################################
-#
- # Test : ACCT-96xx
- # Description : Check user specific event auditing
- #if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- #Register --test-no ACCT-96xx --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check user specific event auditing"
- #if [ ${SKIPTEST} -eq 0 ]; then
-#
-#################################################################################
-#
# Test : ACCT-9672
# Description : check auditstat
if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
@@ -403,28 +381,8 @@
#################################################################################
#
- # Test : ACCT-9680
- # Description : Check if required packages are installed
- #if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- #Register --test-no ACCT-9662 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check BSM auditing in module list"
- #if [ ${SKIPTEST} -eq 0 ]; then
- #
- # Solaris 10 packages
- # bash-3.00# pkginfo | egrep 'SUNWcar|SUNWcsr|SUNWcsu|SUNWhea|SUNWman'
- #system SUNWcar Core Architecture, (Root)
- #system SUNWcsr Core Solaris, (Root)
- #system SUNWcsu Core Solaris, (Usr)
- #system SUNWhea SunOS Header Files
- #system SUNWman On-Line Manual Pages
-
-#
-#################################################################################
-#
-# Check psacct package (ac, lastcomm, accton, sa)
-# Check auditd (auditctl, ausearch, aureport)
-
wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen - http://cisofy.com - The Netherlands
+# Lynis - Copyright 2007-2015, Michael Boelen / CISOfy - https://cisofy.com
diff --git a/include/tests_authentication b/include/tests_authentication
index 6921373c..ad24a432 100644
--- a/include/tests_authentication
+++ b/include/tests_authentication
@@ -31,11 +31,12 @@
# Test : AUTH-9204
# Description : Check users with UID zero (0)
+ # Notes : Ignores :0: in file if match is in NIS related line
Register --test-no AUTH-9204 --weight L --network NO --description "Check users with an UID of zero"
if [ ${SKIPTEST} -eq 0 ]; then
# Search accounts with UID 0
logtext "Test: Searching accounts with UID 0"
- FIND=`grep ':0:' /etc/passwd | egrep -v '^#|^root:|^:0:0:::' | cut -d ":" -f1,3 | grep ':0'`
+ FIND=`grep ':0:' /etc/passwd | egrep -v '^#|^root:|^(\+:\*)?:0:0:::' | cut -d ":" -f1,3 | grep ':0'`
if [ ! "${FIND}" = "" ]; then
Display --indent 2 --text "- Search administrator accounts" --result WARNING --color RED
logtext "Result: Found more than one administrator accounts"
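Review bot: the new exclusion `^(\+:\*)?:0:0:::` only covers the `+:*:0:0:::` NIS compat form; a `+::0:0:::` entry (empty password field) still survives the filter, yields `+:0` after the `cut`, and triggers the warning. If the intent stated in the Notes line is to ignore any NIS `+` entry, `^\+:[^:]*:0:0:::` covers both forms.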
@@ -58,10 +59,8 @@
#
# Test : AUTH-9208
# Description : Check non-unique accounts
- Register --test-no AUTH-9208 --weight L --network NO --description "Check non-unique accounts"
+ Register --test-no AUTH-9208 --weight L --network NO --description "Check non-unique accounts in passwd file"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: ${USER_PASSWD_DOUBLEUID_AUDIT_TITLE}"
- logtext "Description: ${USER_PASSWD_DOUBLEUID_AUDIT_DESCRIPTION}"
logtext "Test: Checking for non-unique accounts"
if [ "${OS}" = "DragonFly" -o "${OS}" = "FreeBSD" -o "${OS}" = "NetBSD" ]; then
PASSWD_FILE="/etc/master.passwd"
@@ -84,7 +83,7 @@
Display --indent 2 --text "- Checking UIDs" --result SKIPPED --color WHITE
logtext "Result: test skipped, ${PASSWD_FILE} file not available"
fi
- logtext "Remarks: ${USER_PASSWD_DOUBLEUID_AUDIT_TEXT}"
+ logtext "Remarks: Non unique UIDs can riskful for the system or part of a configuration mistake"
fi
#
#################################################################################
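Review bot: the new log string "Non unique UIDs can riskful for the system or part of a configuration mistake" is missing a verb; suggest "Non-unique UIDs can be risky for the system or indicate a configuration mistake".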
@@ -251,27 +250,6 @@
#
#################################################################################
#
-# # Test : AUTH-9229
-# # Description : Check AIX password file consistency
-# # Notes : Read only mode?
-# if [ -x /usr/bin/usrck ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
-# Register --test-no AUTH-9229 --os AIX --preqs-met ${PREQS_MET} --weight L --network NO --description "Check password file consistency"
-# if [ ${SKIPTEST} -eq 0 ]; then
-# logtext "Test: Checking password file consistency (usrck)"
-# FIND=`/usr/bin/usrck -n ALL 2>; echo $?`
-# if [ "${FIND}" = "0" ]; then
-# Display --indent 2 --text "- Checking password file consistency" --result OK --color GREEN
-# logtext "Result: usrck finished didn't find problems"
-# else
-# Display --indent 2 --text "- Checking password file consistency" --result WARNING --color RED
-# logtext "Result: usrck found one or more errors/warnings in the password file."
-# ReportWarning ${TEST_NO} "M" "usrck found one or more errors/warnings in the password file"
-# ReportSuggestion ${TEST_NO} "Run usrck manually and correct found issues."
-# fi
-# fi
-#
-#################################################################################
-#
# Test : AUTH-9230
# Description : Check Solaris password file consistency
if [ -x /usr/sbin/pwck ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
@@ -292,47 +270,6 @@
#
#################################################################################
#
-# # Test : AUTH-9231
-# # Description : Check HP-UX password file consistency
-# # Notes : Read only mode?
-# if [ -x /usr/sbin/pwck ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
-# Register --test-no AUTH-9231 --os HP-UX --preqs-met ${PREQS_MET} --weight L --network NO --description "Check password file consistency"
-# if [ ${SKIPTEST} -eq 0 ]; then
-# logtext "Test: Checking password file consistency (pwck)"
-# FIND=`/usr/sbin/pwck 2> /dev/null; echo $?`
-# if [ "${FIND}" = "0" ]; then
-# Display --indent 2 --text "- Checking password file consistency" --result OK --color GREEN
-# logtext "Result: pwck finished didn't find problems"
-# else
-# Display --indent 2 --text "- Checking password file consistency" --result WARNING --color RED
-# logtext "Result: pwck found one or more errors/warnings in the password file."
-# ReportWarning ${TEST_NO} "M" "pwck found one or more errors/warnings in the password file"
-# ReportSuggestion ${TEST_NO} "Run pwck manually and correct found issues."
-# fi
-# fi
-#
-#################################################################################
-#
-# # Test : AUTH-9232
-# # Description : Check HP-UX group file consistency
-# if [ -x /usr/sbin/grpck ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
-# Register --test-no AUTH-9232 --os HP-UX --preqs-met ${PREQS_MET} --weight L --network NO --description "Check password file consistency"
-# if [ ${SKIPTEST} -eq 0 ]; then
-# logtext "Test: Checking group file consistency (grpck)"
-# FIND=`/usr/sbin/grpck 2> /dev/null; echo $?`
-# if [ "${FIND}" = "0" ]; then
-# Display --indent 2 --text "- Checking group file consistency" --result OK --color GREEN
-# logtext "Result: grpck finished didn't find problems"
-# else
-# Display --indent 2 --text "- Checking group file consistency" --result WARNING --color RED
-# logtext "Result: grpck found one or more errors/warnings in the group file."
-# ReportWarning ${TEST_NO} "M" "grpck found one or more errors/warnings in the group file"
-# ReportSuggestion ${TEST_NO} "Run grpck manually and correct found issues."
-# fi
-# fi
-#
-#################################################################################
-#
# Test : AUTH-9234
# Description : Query user accounts
# Notes : HPUX > 100
@@ -435,23 +372,6 @@
#
#################################################################################
#
- # Test : AUTH-9244
- # Description : Query NIS servers
- #Register --test-no AUTH-9244 --weight L --network NO --description "Query NIS servers"
- #if [ ${SKIPTEST} -eq 0 ]; then
- #fi
-#
-#################################################################################
-#
- # Test : AUTH-9246
- # Description : Query NIS active
- #Register --test-no AUTH-9246 --weight L --network NO --description "Query active NIS servers"
- #if [ ${SKIPTEST} -eq 0 ]; then
- #if
- #grep '^+' /etc/passwd /etc/group
-#
-#################################################################################
-#
# Test : AUTH-9250
# Description : Check for sudoers file
Register --test-no AUTH-9250 --weight L --network NO --description "Checking sudoers file"
@@ -470,7 +390,6 @@
if [ ${FOUND} -eq 1 ]; then
logtext "Result: sudoers file found (${SUDOERS_FILE})"
Display --indent 2 --text "- Checking sudoers file" --result FOUND --color GREEN
- # YYY add more tests to audit sudoers file
else
logtext "Result: sudoers file NOT found"
Display --indent 2 --text "- Checking sudoers file" --result "NOT FOUND" --color YELLOW
@@ -516,64 +435,8 @@
#
#################################################################################
#
-# # Test : AUTH-9255
-# # Description : Solaris test for unique UIDs
-# Register --test-no AUTH-9255 --os Solaris --weight L --network NO --description "Solaris unique UIDs"
-# if [ ${SKIPTEST} -eq 0 ]; then
-# FIND=`logins -d | awk '{ print $1 }'`
-# if [ "${FIND}" = "" ]; then
-# logtext "Result: no duplicate accounts found, all accounts have an unique ID"
-# Display --indent 2 --text "- Checking unique UIDs on Solaris" --result OK --color GREEN
-# else
-# for I in ${FIND}; do
-# ReportWarning ${TEST_NO} "H" "Found passwordless account (${I})"
-# done
-# Display --indent 2 --text "- Checking unique UIDs on Solaris" --result WARNING --color RED
-# fi
-# fi
-#
-#################################################################################
-#
- # Test : AUTH-9260 [T]
- # Description : Search for account lockout on Linux
- # Notes : lib directory should be fixed
-# Register --test-no AUTH-9260 --os Linux --weight L --network NO --description "Checking account lockout"
-# if [ ${SKIPTEST} -eq 0 ]; then
-# logtext "Test: searching for /lib/security/pam_tally.so"
-# if [ -f /lib/security/pam_tally.so ]; then
-# logtext "Result: /lib/security/pam_tally.so found"
-# AddHP 1 1
-# Display --indent 2 --text "- Checking account lockout module (pam_tally)" --result FOUND --color GREEN
-# if [ -f /etc/pam.d/system-auth ]; then
-# logtext "Test: search for enable pam_tally module in system-auth, with a deny value higher than zero"
-# FIND=`grep "account required" /etc/pam.d/system-auth | grep "pam_tally.so" | grep "deny=" | grep -v "deny=0"`
-# if [ "${FIND}" = "" ]; then
-# logtext "Result: pam_tally properly configured"
-# logtext "Output: ${FIND}"
-# AddHP 1 1
-# Display --indent 4 --text "- Checking lockout policy" --result FOUND --color GREEN
-# else
-# logtext "Result: pam_tally not (properly) configured"
-# logtext "Output: ${FIND}"
-# Display --indent 4 --text "- Checking lockout policy" --result SUGGESTION --color YELLOW
-# AddHP 0 1
-# ReportSuggestion ${TEST_NO} "Configure pam_tally in system-auth: account required /lib/security/pam_tally.so deny=3 no_magic_root reset"
-# fi
-# else
-# logtext "Result: skipped, /etc/pam.d/system-auth not found"
-# fi
-# else
-# logtext "Result: /lib/security/pam_tally.so not found"
-# AddHP 0 1
-# Display --indent 2 --text "- Checking account lockout module (pam_tally)" --result "SUGGESTION" --color YELLOW
-# ReportSuggestion ${TEST_NO} "Install a PAM module for account lockout to counter brute force attacks"
-# fi
-#
-#################################################################################
-#
# Test : AUTH-9262
# Description : Search for PAM password strength testing libraries
- # Notes : YYY (combine with other PAM modules)
Register --test-no AUTH-9262 --weight L --network NO --description "Checking presence password strength testing tools (PAM)"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
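Review bot: deleting the commented-out AUTH-9260 block removes the only account-lockout check sketched in this file (pam_tally with a non-zero `deny=`), and nothing in this hunk replaces it; removing dead code is fine, but the gap should be tracked as an issue so a pam_tally2/pam_faillock test can be written later, since the `ReportSuggestion ... deny=3 no_magic_root reset` line being removed was the only place the intended lockout policy was written down.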
@@ -709,11 +572,6 @@
#
#################################################################################
#
- # Test : AUTH-9270
- # Description : Audit PAM configuration files
-#
-#################################################################################
-#
# Test : AUTH-9278
# Description : Search LDAP support in PAM files
Register --test-no AUTH-9278 --weight L --network NO --description "Checking LDAP pam status"
@@ -732,7 +590,6 @@
else
logtext "Result: LDAP module not found"
Display --indent 2 --text "- Checking LDAP module in PAM" --result "NOT FOUND" --color WHITE
- # YYY display message when ldap is enabled in /etc/passwd, but not found in PAM
fi
else
logtext "Result: file /etc/pam.d/common-auth not found, skipping test"
@@ -815,7 +672,6 @@
logtext "Test: Checking PASS_MAX_DAYS option in /etc/login.defs "
FIND=`grep "^PASS_MAX_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MAX_DAYS") { print $2 } }'`
if [ "${FIND}" = "" -o "${FIND}" = "99999" ]; then
- # YYY check if LDAP is used with password policies
logtext "Result: password aging limits are not configured"
Display --indent 2 --text "- Checking user password aging" --result DISABLED --color YELLOW
ReportSuggestion ${TEST_NO} "Configure password aging limits to enforce password changing on a regular base"
@@ -830,14 +686,9 @@
#
#################################################################################
#
- # Test : AUTH-9292
- # Description : Check locked accounts (exclamation mark as first char in second column)
-#
-#################################################################################
-#
# Test : AUTH-9304
# Description : Check if single user mode login is properly configured in Solaris
- # Notes : sulogin should be called from svm script (Solaris <10) in /etc/rcS.d (YYY)
+ # Notes : sulogin should be called from svm script (Solaris <10) in /etc/rcS.d
Register --test-no AUTH-9304 --os Solaris --weight L --network NO --description "Check single user login configuration"
if [ ${SKIPTEST} -eq 0 ]; then
# Check if file exists (Solaris 10 does not have this file by default)
@@ -938,19 +789,12 @@
AddHP 2 2
fi
else
- # YYY
logtext "Result: No inittab or init file found, unsure if system is protected"
fi
fi
#
#################################################################################
#
- # Test : AUTH-9322
- # Description : Authentication time restrictions
- # /etc/security/time.conf
-#
-#################################################################################
-#
# Test : AUTH-9328
# Description : Check default umask in common files
# Notes: This test should be moved later to shells section
@@ -967,10 +811,12 @@
logtext "Test: Checking umask value in /etc/profile"
FIND=`grep "umask" /etc/profile | sed 's/^[ \t]*//' | grep -v "^#" | awk '{ print $2 }'`
FIND2=`grep "umask" /etc/profile | sed 's/^[ \t]*//' | grep -v "^#" | awk '{ print $2 }' | wc -l`
- #FIND2=`egrep "^([[:space:]])([[:tab:]])*umask" /etc/profile | awk '{ print $2 }' | wc -l`
WEAK_UMASK=0
FOUND_UMASK=0
- if [ "${FIND2}" = "1" ]; then
+ if [ "${FIND2}" = "0" ]; then
+ logtext "Result: did not find umask in /etc/profile"
+ #YYY possibly weak umask
+ elif [ "${FIND2}" = "1" ]; then
logtext "Result: found umask (prefixed with spaces)"
FOUND_UMASK=1
if [ ! "${FIND}" = "077" -a ! "${FIND}" = "027" ]; then
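Review bot: the new `"${FIND2}" = "0"` branch only writes a log line and leaves FOUND_UMASK=0 and WEAK_UMASK=0, so a missing umask in /etc/profile yields neither a Display result nor a suggestion, and the `#YYY possibly weak umask` marker is at odds with the rest of this commit, which removes YYY markers. Either award `AddHP 0 1` with a ReportSuggestion in this branch, or comment that /etc/login.defs and pam_umask are relied on when /etc/profile sets nothing.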
@@ -981,7 +827,7 @@
fi
# Found more than 1 umask value in profile
else
- logtext "Result: found several umask values configured in /etc/profile"
+ logtext "Result: found multiple umask values configured in /etc/profile"
FOUND_UMASK=1
for I in ${FIND}; do
if [ ! "${I}" = "077" -a ! "${I}" = "027" ]; then
@@ -1018,7 +864,7 @@
logtext "Test: Checking umask entries in /etc/passwd (pam_umask)"
if [ -f /etc/passwd ]; then
logtext "Result: file /etc/passwd exists"
- logtext "Test: Checking umask value in /etc/profile"
+ logtext "Test: Checking umask value in /etc/passwd"
FIND=`grep "umask=" /etc/passwd`
if [ "${FIND}" = "" ]; then
ReportManual "AUTH-9328:03"
@@ -1027,11 +873,10 @@
logtext "Result: file /etc/passwd does not exist"
fi
-
# /etc/login.defs
logtext "Test: Checking /etc/login.defs"
if [ -f /etc/login.defs ]; then
- logtext "Result: file /etc/profile exists"
+ logtext "Result: file /etc/login.defs exists"
logtext "Test: Checking umask value in /etc/login.defs"
FIND=`grep "^UMASK" /etc/login.defs | awk '{ print $2 }'`
if [ "${FIND}" = "" ]; then
@@ -1075,8 +920,7 @@
logtext "Result: file /etc/init.d/functions does not exist"
fi
- # /etc/init.d/rc [T]
- # Always needed? (YYY)
+ # /etc/init.d/rc
logtext "Test: Checking /etc/init.d/rc"
if [ -f /etc/init.d/rc ]; then
logtext "Result: file /etc/init.d/rc exists"
@@ -1101,8 +945,43 @@
logtext "Result: file /etc/init.d/rc does not exist"
fi
- # /etc/init.d/rcS [T]
- # Always needed? (YYY)
+ # FreeBSD
+ if [ -f /etc/login.conf ]; then
+ FOUND=0
+ WEAK_UMASK=0
+ logtext "Result: file /etc/login.conf exists"
+ FIND=`cat /etc/login.conf | grep "umask" | sed 's/#.*//' | sed -E 's/^[[:cntrl:]]//' | grep -v '^$' | awk -F: '{ print $2}' | awk -F= '{ if ($1=="umask") { print $2 }}'`
+ if [ ! "${FIND}" = "" ]; then
+ for UMASK_VALUE in ${FIND}; do
+ case ${UMASK_VALUE} in
+ 027|0027|077|0077)
+ logtext "Result: found umask value ${VALUE}, which is fine"
+ AddHP 2 2
+ FOUND=1
+ ;;
+ *)
+ AddHP 0 2
+ FOUND=1
+ WEAK_UMASK=1
+ logtext "Result: found umask value ${VALUE}, which can be more strict"
+ ;;
+ esac
+ done
+ fi
+ if [ ${FOUND} -eq 1 ]; then
+ if [ ${WEAK_UMASK} -eq 0 ]; then
+ Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result OK --color GREEN
+ else
+ Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result WEAK --color YELLOW
+ ReportSuggestion ${TEST_NO} "Umask in /etc/login.conf could be more strict like 027"
+ fi
+ else
+ logtext "Result: no umask setting found in /etc/login.conf, which is unexpected"
+ Display --indent 4 --text "- Checking umask (/etc/login.conf)" --result NONE --color YELLOW
+ fi
+ fi
+
+ # /etc/init.d/rcS
logtext "Test: Checking /etc/init.d/rcS"
if [ -f /etc/init.d/rcS ]; then
logtext "Result: file /etc/init.d/rcS exists"
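Review bot: in the /etc/login.conf loop the iterator is `UMASK_VALUE`, but both logtext lines interpolate `${VALUE}`, which is never assigned, so the log reads "found umask value , which is fine"; change them to `${UMASK_VALUE}`. Minor: `cat /etc/login.conf | grep "umask"` can simply be `grep "umask" /etc/login.conf`, and the `sed 's/#.*//'` runs before the field split, so a `#` inside a quoted value would truncate the line, which is acceptable here but worth a comment.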
@@ -1188,36 +1067,6 @@
#
#################################################################################
#
- # Test : AUTH-9342 [T]
- # Description : AIX account locking
- # Notes : /usr/sbin/lsuser -a logretries ALL
- # should return ${ACCOUNT_MAX_RETRIES} or less for each user, but not 0
-#
-#################################################################################
-#
- # Test : AUTH-9344 [T]
- # Description : HP-UX account locking
- # Notes : grep :u_maxtries# /tcb/files/auth/system/default
- # should return ${ACCOUNT_MAX_RETRIES} or less, but not 0
-#
-#################################################################################
-#
- # Test : AUTH-9348 [T]
- # Description : Delay time after each failed login
- # Notes : This control counters brute force attacking by delaying each
- # attempt, while giving normal users to try typing in their
- # account details after a reasonable delay
- # Should return ${ACCOUNT_DELAY_TIME} or more
- # (4 seconds would be good)
- # AIX
- # grep "logindelay" /etc/security/login.cfg
- # Linux
- # grep "FAIL_DELAY" /etc/login.defs
- # HP-UX
- # grep ":t_logdelay#" /tcb/files/auth/system/default
-#
-#################################################################################
-#
# Test : AUTH-9402
# Description : Query LDAP authentication support
Register --test-no AUTH-9402 --weight L --network NO --description "Query LDAP authentication support"
@@ -1239,31 +1088,6 @@
#
#################################################################################
#
- # Test : AUTH-9404
- # Description : Check LDAP client configuration
-# if [ ${LDAP_AUTH_ENABLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
-# Register --test-no AUTH-9404 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query LDAP servers in client configuration"
-# if [ ${SKIPTEST} -eq 0 ]; then
-# logtext "Test: checking ldap.conf locations"
-# for I in ${LDAP_CONF_LOCATIONS}; do
-# logtext "Test: checking ${I}"
-# if [ -f ${I} ]; then
-# logtext "Result: file ${I} exists"
-# logtext "Test: checking LDAP servers in file ${I}"
-# FIND2=`egrep "^host " ${I} | awk '{ print $2 }'`
-# for I in ${FIND2}; do
-# Display --indent 6 --text "LDAP server: ${I}"
-# logtext "Result: found LDAP server ${I}"
-# # YYY check if host(s) are reachable/respond to queries
-# done
-# else
-# logtext "Result: ${I} does NOT exist"
-# fi
-# done
-# fi
-#
-#################################################################################
-#
# Test : AUTH-9406
# Description : Check LDAP servers in client configuration
if [ ${LDAP_AUTH_ENABLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
@@ -1273,13 +1097,14 @@
for I in ${LDAP_CONF_LOCATIONS}; do
logtext "Test: checking ${I}"
if [ -f ${I} ]; then
- logtext "Result: file ${I} exists"
+ logtext "Result: file ${I} exists, LDAP being used"
+ LDAP_CLIENT_CONFIG_FILE="${I}"
logtext "Test: checking LDAP servers in file ${I}"
FIND2=`egrep "^host " ${I} | awk '{ print $2 }'`
for I in ${FIND2}; do
Display --indent 6 --text "LDAP server: ${I}"
logtext "Result: found LDAP server ${I}"
- # YYY check if host(s) are reachable/respond to queries
+ report "ldap_server[]=${I}"
done
else
logtext "Result: ${I} does NOT exist"
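Review bot: the inner `for I in ${FIND2}` reuses the outer loop variable `I` (the config file path), so after the server loop `I` holds the last server name instead of the file; nothing visible breaks today because `LDAP_CLIENT_CONFIG_FILE="${I}"` is captured first, but renaming the inner variable (for example `J`) removes the latent bug. Also, when more than one file in LDAP_CONF_LOCATIONS exists, `LDAP_CLIENT_CONFIG_FILE` is silently overwritten and only the last one reaches the report; consider `ldap_config_file[]=` per file or document that the last match wins.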
@@ -1289,44 +1114,39 @@
#
#################################################################################
#
- # Test : AUTH-92xx
- # Description : login.access checks
- #Register --test-no AUTH-92xx --weight L --network NO --description "login.access checks"
-#
-#################################################################################
-#
-# pam_unix.so
-# pam_cracklib.so
-# pam_pwcheck.so
-# pam_env.so
-# pam_xauth.so
-# pam_tally.so
-# pam_wheel.so
-# pam_limits.so
-# pam_nologin.so
-# pam_deny.so
-# pam_securetty.so
-# pam_time.so
-# pam_access.so
-# pam_listfile.so
-# pam_lastlog.so
-# pam_warn.so
-# pam_console.so
-# pam_resmgr.so
-# pam_devperm.so
-#
-#################################################################################
-#
-# sudoers: Check for potential harmful commands like vi, echo, cat
+ # Test : AUTH-9408
+ # Description : Logging of failed login attempts
+ if [ -f /etc/login.defs ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no AUTH-9408 --preqs-met ${PREQS_MET} --weight L --network NO --description "Logging of failed login attempts via /etc/login.defs"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking FAILLOG_ENAB option in /etc/login.defs "
+ FIND=`grep "^FAILLOG_ENAB" /etc/login.defs | awk '{ if ($1=="FAILLOG_ENAB") { print $2 } }'`
+ # Search for enabled status (yes), otherwise consider it to be disabled (e.g. empty, or other value)
+ if [ "${FIND}" = "yes" ]; then
+ AUTH_FAILED_LOGINS_LOGGED=1
+ logtext "Result: failed login attempts are logged in /var/log/faillog"
+ Display --indent 2 --text "- Logging failed login attempts" --result ENABLED --color GREEN
+ AddHP 3 3
+ else
+ logtext "Result: failed login attempts are not logged"
+ Display --indent 2 --text "- Logging failed login attempts" --result DISABLED --color YELLOW
+ #ReportSuggestion ${TEST_NO} "Configure failed login attempts to be logged in /var/log/faillog"
+ AddHP 0 1
+ fi
+ fi
#
#################################################################################
#
+report "auth_failed_logins_logged=${AUTH_FAILED_LOGINS_LOGGED}"
report "ldap_auth_enabled=${LDAP_AUTH_ENABLED}"
report "ldap_pam_enabled=${LDAP_PAM_ENABLED}"
+if [ ! "${LDAP_CLIENT_CONFIG_FILE}" = "" ]; then
+ report "ldap_config_file=${LDAP_CLIENT_CONFIG_FILE}"
+fi
wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015 Michael Boelen, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
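Review bot: AUTH-9408 scores asymmetrically, `AddHP 3 3` when FAILLOG_ENAB is yes but `AddHP 0 1` otherwise, so the hardening-index denominator depends on the outcome; use the same maximum in both branches. The `ReportSuggestion` for the DISABLED case is commented out, leaving a yellow result with no actionable advice; enable it or drop it. Finally, `report "auth_failed_logins_logged=${AUTH_FAILED_LOGINS_LOGGED}"` runs unconditionally while the variable is only assigned inside the test, so it must be initialised to 0 in include/consts (changed in this merge, not shown here) or the report line emits an empty value whenever /etc/login.defs is absent or the test is skipped.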
diff --git a/include/tests_banners b/include/tests_banners
index 1bc1bbd0..96e3998e 100644
--- a/include/tests_banners
+++ b/include/tests_banners
@@ -23,7 +23,7 @@
#################################################################################
#
BANNER_FILES="/etc/issue /etc/issue.net /etc/motd"
- LEGAL_BANNER_STRINGS="access authorized legal monitor owner policy policies private prohibited restricted this unauthorized"
+ LEGAL_BANNER_STRINGS="audit access authori connect enforce evidence intrusion law legal monitor owner policy policies private prohibited restricted subject terms this unauthorized"
#
#################################################################################
#
@@ -221,29 +221,9 @@
#
#################################################################################
#
-# /etc/dt/config/*/Xresources
-# /etc/default/telnetd (telnet without TCP wrappers)
-# /etc/default/ftpd (ftp without TCP wrappers)
-# /etc/ftpd/banner.msg (ftp without TCP wrappers on Solaris)
-# /etc/ftpaccess (HP-UX)
-# /etc/ftpmotd (AIX)
-# /etc/ftpaccess.ctl (AIX)
-# /etc/security/login.cfg (AIX)
-# /etc/X11/xdm/Xresources
-# /etc/X11/xdm/kdmrc
-# /etc/X11/gdm/gdm
-# /etc/vsftpd.conf
-#
-#################################################################################
-#
wait_for_keypress
#
-#################################################################################
-#
-# Notes:
-# HPUX: /etc/copyright
-#
#================================================================================
# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_boot_services b/include/tests_boot_services
index 4a1f250c..fcc0d712 100644
--- a/include/tests_boot_services
+++ b/include/tests_boot_services
@@ -24,6 +24,7 @@
#
BOOT_LOADER="unknown"
BOOT_LOADER_FOUND=0
+ BOOT_LOADER_SEARCHED=0
GRUB_VERSION=0
SERVICE_MANAGER="unknown"
#
@@ -34,6 +35,7 @@
# Notes : The AIX bootstrap is called as software ROS. Bootstrap contains IPL (Initial Program loader)
Register --test-no BOOT-5102 --os AIX --weight L --network NO --root-only YES --description "Check for AIX boot device"
if [ ${SKIPTEST} -eq 0 ]; then
+ BOOT_LOADER_SEARCHED=1
logtext "Test: Query bootinfo for AIX boot device"
if [ -x /usr/sbin/bootinfo ]; then
FIND=`/usr/sbin/bootinfo -b`
@@ -49,7 +51,6 @@
fi
fi
fi
-
#
#################################################################################
#
@@ -61,6 +62,7 @@
# upstart - Used by Debian/Ubuntu
Register --test-no BOOT-5104 --weight L --network NO --description "Determine service manager"
if [ ${SKIPTEST} -eq 0 ]; then
+ BOOT_LOADER_SEARCHED=1
case ${OS} in
"Linux")
if [ -f /proc/1/cmdline ]; then
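Review bot: `BOOT_LOADER_SEARCHED=1` is set inside BOOT-5104 (determine service manager), which is not a boot loader test and runs on every platform, so the flag becomes true whenever that test runs and the later `BOOT_LOADER_FOUND -eq 0 -a BOOT_LOADER_SEARCHED -eq 1` guard can no longer tell "no loader test applied to this OS" from "loader tests ran and found nothing"; the same applies to the AIX boot-device test BOOT-5102. Set the flag only in the loader tests (GRUB, LILO, SILO, YABOOT and the *BSD loaders).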
@@ -116,10 +118,71 @@
#
#################################################################################
#
+ # Test : BOOT-5116
+ # Description : Check if system is booted in UEFI mode
+ Register --test-no BOOT-5116 --weight L --network NO --root-only YES --description "Check if system is booted in UEFI mode"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ UEFI_TESTS_PERFORMED=0
+ case ${OS} in
+ Linux)
+ UEFI_TESTS_PERFORMED=1
+ # Check if UEFI is available in this boot
+ logtext "Test: checking if UEFI is used"
+ if [ -d /sys/firmware/efi ]; then
+ logtext "Result: system booted in UEFI mode"
+ UEFI_BOOTED=1
+ else
+ logtext "Result: UEFI not used, can't find /sys/firmware/efi directory"
+ fi
+
+ # Test if Secure Boot is enabled
+ logtext "Test: determine if Secure Boot is used"
+ if [ -d /sys/firmware/efi/efivars ]; then
+ FIND=`ls /sys/firmware/efi/efivars/SecureBoot-* 2> /dev/null`
+ if [ ! "${FIND}" = "" ]; then
+ for I in ${FIND}; do
+ logtext "Test: checking file ${I}"
+ J=`od -An -t u1 ${I} | awk '{ print $5 }'`
+ if [ "${J}" = "1" ]; then
+ logtext "Result: found SecureBoot file with enabled status"
+ UEFI_BOOTED_SECURE=1
+ else
+ logtext "Result: system not booted with Secure Boot (status 0 in file ${I})"
+ fi
+ done
+ fi
+ else
+ logtext "Result: system not booted with Secure Boot (no SecureBoot file found)"
+ fi
+ ;;
+ #MacOS)
+ # Mac OS ioreg -l -p IODeviceTree | grep firmware-abi
+ #;;
+ *)
+ logtext "Result: no test implemented yet to test for UEFI on this platform"
+ ;;
+ esac
+ if [ ${UEFI_BOOTED} -eq 1 ]; then
+ Display --indent 2 --text "- Checking UEFI boot" --result ENABLED --color GREEN
+ if [ ${UEFI_BOOTED_SECURE} -eq 1 ]; then
+ Display --indent 2 --text "- Checking Secure Boot" --result ENABLED --color GREEN
+ else
+ Display --indent 2 --text "- Checking Secure Boot" --result DISABLED --color YELLOW
+ fi
+ else
+ if [ ${UEFI_TESTS_PERFORMED} -eq 1 ]; then
+ Display --indent 2 --text "- Checking UEFI boot" --result DISABLED --color GREEN
+ fi
+ fi
+ fi
+#
+#################################################################################
+#
# Test : BOOT-5121
# Description : Check for GRUB boot loader
Register --test-no BOOT-5121 --weight L --network NO --description "Check for GRUB boot loader presence"
if [ ${SKIPTEST} -eq 0 ]; then
+ BOOT_LOADER_SEARCHED=1
FOUND=0
logtext "Test: Checking for presence GRUB conf file (/boot/grub/grub.conf or /boot/grub/menu.lst)"
if [ -f /boot/grub/grub.conf -o -f /boot/grub/menu.lst ]; then
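Review bot: `[ ${UEFI_BOOTED} -eq 1 ]` and `[ ${UEFI_BOOTED_SECURE} -eq 1 ]` are evaluated after the case statement although both are assigned only in the Linux branch, so unless both default to 0 in include/consts the test aborts with a unary-operator error on other platforms and on Linux systems without a SecureBoot variable; initialising them next to `UEFI_TESTS_PERFORMED=0` makes the test self-contained. Reading byte 5 of the efivar is correct (the 4-byte attribute header precedes the value), but showing a DISABLED UEFI result in GREEN is misleading; WHITE is the informational colour used for NOT FOUND and DONE results elsewhere in this patch. The `ls .../SecureBoot-* 2> /dev/null` loop can also be a plain glob (`for I in /sys/firmware/efi/efivars/SecureBoot-*; do [ -f "${I}" ] || continue`) to avoid parsing ls output.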
@@ -127,7 +190,7 @@
BOOT_LOADER="GRUB"
BOOT_LOADER_FOUND=1
GRUB_VERSION=1
- Display --indent 4 --text "- Checking presence GRUB" --result "OK" --color GREEN
+ Display --indent 2 --text "- Checking presence GRUB" --result "OK" --color GREEN
if [ -f /boot/grub/grub.conf ]; then GRUBCONFFILE="/boot/grub/grub.conf"; else GRUBCONFFILE="/boot/grub/menu.lst"; fi
fi
@@ -137,16 +200,13 @@
BOOT_LOADER="GRUB2"
BOOT_LOADER_FOUND=1
GRUB_VERSION=2
- Display --indent 4 --text "- Checking presence GRUB2" --result FOUND --color GREEN
+ Display --indent 2 --text "- Checking presence GRUB2" --result FOUND --color GREEN
if [ -f /boot/grub/grub.cfg ]; then
GRUBCONFFILE="/boot/grub/grub.cfg"
elif [ -f /boot/grub2/grub.cfg ]; then
GRUBCONFFILE="/boot/grub2/grub.cfg"
fi
logtext "Result: found GRUB2 configuration file (${GRUBCONFFILE})"
- # YYY password check, when documentation of GRUB2 project is improved
- # YYY Add check permission check (600)
-
fi
# Some OSes like Gentoo do not have /boot mounted by default
@@ -207,6 +267,7 @@
# Description : Check for FreeBSD boot loader
Register --test-no BOOT-5124 --os FreeBSD --weight L --network NO --description "Check for FreeBSD boot loader presence"
if [ ${SKIPTEST} -eq 0 ]; then
+ BOOT_LOADER_SEARCHED=1
if [ -f /boot/boot1 -a -f /boot/boot2 -a -f /boot/loader ]; then
logtext "Result: found boot1, boot2 and loader files in /boot"
Display --indent 2 --text "- Checking presence FreeBSD loader" --result FOUND --color GREEN
@@ -223,6 +284,7 @@
# Description : Check for NetBSD boot loader
Register --test-no BOOT-5126 --os NetBSD --weight L --network NO --description "Check for NetBSD boot loader presence"
if [ ${SKIPTEST} -eq 0 ]; then
+ BOOT_LOADER_SEARCHED=1
if [ -f /boot.${HARDWARE} -o -f /boot -o -f /ofwboot ]; then
logtext "Result: found NetBSD secondary bootstrap"
Display --indent 2 --text "- Checking presence NetBSD loader" --result FOUND --color GREEN
@@ -241,6 +303,7 @@
# Notes : password= or password =
Register --test-no BOOT-5139 --weight L --network NO --description "Check for LILO boot loader presence"
if [ ${SKIPTEST} -eq 0 ]; then
+ BOOT_LOADER_SEARCHED=1
LILOCONFFILE="/etc/lilo.conf"
logtext "Test: checking for presence LILO configuration file"
if [ -f ${LILOCONFFILE} ]; then
@@ -263,7 +326,6 @@
logtext "Result: LILO password option set"
AddHP 4 4
fi
- #YYY (making /etc/lilo.conf immutable is a good idea, chattr +i /etc/lilo.conf)
else
logtext "Result: can not read ${LILOCONFFILE} (no permission)"
fi
@@ -278,6 +340,7 @@
# Description : Check for SILO boot loader
Register --test-no BOOT-5142 --weight L --network NO --description "Check SPARC Improved boot loader (SILO)"
if [ ${SKIPTEST} -eq 0 ]; then
+ BOOT_LOADER_SEARCHED=1
if [ -f /etc/silo.conf ]; then
logtext "Result: Found SILO configuration file (/etc/silo.conf)"
Display --indent 2 --text "- Checking boot loader SILO" --result FOUND --color GREEN
@@ -314,11 +377,11 @@
# Description : Check for YABOOT boot loader
Register --test-no BOOT-5155 --weight L --network NO --description "Check for YABOOT boot loader configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
+ BOOT_LOADER_SEARCHED=1
logtext "Test: Check for /etc/yaboot.conf"
if [ -f /etc/yaboot.conf ]; then
logtext "Result: Found YABOOT configuration file (/etc/yaboot.conf)"
Display --indent 4 --text "- Checking boot loader YABOOT" --result FOUND --color GREEN
- #YYY add permission check
BOOT_LOADER="YABOOT"
BOOT_LOADER_FOUND=1
else
@@ -333,6 +396,7 @@
# More info : Only OpenBSD
Register --test-no BOOT-5159 --os OpenBSD --weight L --network NO --description "Check for OpenBSD boot loader presence"
if [ ${SKIPTEST} -eq 0 ]; then
+ BOOT_LOADER_SEARCHED=1
FOUND=0
# Boot files
# /usr/mdec/biosboot: first stage bootstrap
@@ -370,7 +434,7 @@
#
#################################################################################
#
- if [ ${BOOT_LOADER_FOUND} -eq 0 ]; then
+ if [ ${BOOT_LOADER_FOUND} -eq 0 -a ${BOOT_LOADER_SEARCHED} -eq 1 ]; then
# Your boot loader is not detected. Want to help supporting it, see the README
ReportException "BOOTLOADER" "No boot loader found"
Display --indent 4 --text "- Boot loader" --result "NONE FOUND" --color RED
@@ -404,11 +468,6 @@
#
#################################################################################
#
- # Test : BOOT-5166
- # Description : Check for /etc/rc.local file (and contents)
-#
-#################################################################################
-#
# Test : BOOT-5177
# Description : Check for Linux boot services (systemd and chkconfig)
# Notes : We skip using chkconfig if systemd is being used.
@@ -474,49 +533,17 @@
#
#################################################################################
#
- # Test : BOOT-5178
- # Description : Check for Linux boot services (Red Hat style)
- # if [ ! "${CHKCONFIGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- # Register --test-no BOOT-5178 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for unneeded Linux boot services (Red Hat style)"
- # if [ ${SKIPTEST} -eq 0 ]; then
- # N=0
- # N=`expr ${N} + 1`
-
- #* mctrans (if selinux is NOT enabled)
- #* restorecond (if selinux is NOT enabled) --> and is it really needed?
- #
- # if profile is server, warn if found:
- #* pcscd (if profile=server)
- #* avahi-daemon
- # Redhat: /etc/sysconfig/network
- # check if NOZEROCONF=yes is available
- #
- #* xfs (if /usr/bin/startx is not found)
- #
- #if [ ! -f /etc/mdadm.conf -a ! -f /etc/mdadm/mdadm.conf ]; then
- #* mdmonitor
- #
- #
- #* firstboot
- # Display warning if [ ! -f /etc/reconfigSys ]
- # AND "RUN_FIRSTBOOT=YES" is NOT in /etc/sysconfig/firstboot
- #
- #* acpid
- # Display warning if no modules are loaded (lsmod | grep -i acpi)
- #
- #
- # fi
-#
-#################################################################################
-#
# Test : BOOT-5180
# Description : Check for Linux boot services (Debian style)
+ # Notes : Debian 8+ shows runlevel 5
if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no BOOT-5180 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for Linux boot services (Debian style)"
if [ ${SKIPTEST} -eq 0 ]; then
- # YYY runlevel check
- sRUNLEVEL=`${RUNLEVELBINARY} | grep "N 2"`
- if [ ! "${sRUNLEVEL}" = "" ]; then
+ # Runlevel check
+ sRUNLEVEL=`${RUNLEVELBINARY} | grep "N [0-9]" | awk '{ print $2} '`
+ logtext "Result: found runlevel ${sRUNLEVEL}"
+ if [ "${sRUNLEVEL}" = "2" ]; then
+ logtext "Result: performing find in /etc/rc2.d as runlevel 2 is found"
FIND=`find /etc/rc2.d -type l -print | cut -d '/' -f4 | sed "s/S[0-9][0-9]//g" | sort`
if [ ! "${FIND}" = "" ]; then
N=0
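Review bot: `runlevel` prints `<previous> <current>`, for example `N 2` or `2 5`, so `grep "N [0-9]"` only matches when no previous runlevel exists; after any runlevel change `sRUNLEVEL` is empty and the test falls through to the generic suggestion. Take the second field regardless of the first (`awk '{ print $2 }'` after matching `^[N0-9S] [0-9S]$`, and handle the literal `unknown` that systemd can print). The Notes line says Debian 8+ reports runlevel 5, yet only runlevel 2 triggers the rc2.d scan and 5 merely logs "skipping further actions"; building the path as `/etc/rc${sRUNLEVEL}.d` and checking it exists would cover both.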
@@ -526,10 +553,12 @@
done
Display --indent 2 --text "- Check services at startup (rc2.d)" --result "DONE" --color WHITE
Display --indent 4 --text "Result: found $N services"
- logtext "Found $N services"
+ logtext "Result: found $N services"
fi
- else
+ elif [ "${sRUNLEVEL}" = "" ]; then
ReportSuggestion ${TEST_NO} "Determine runlevel and services at startup"
+ else
+ logtext "Result: skipping further actions"
fi
fi
#
@@ -616,16 +645,6 @@
#
#################################################################################
#
- # Add autostart services, like from KDE/Gnome
- # Test : BOOT-5102
- # Description : Check for tasks which are autostarted via /etc/inittab
- #Register --test-no BOOT-5102 --weight L --network NO --description "Check inittab for services"
- #if [ ${SKIPTEST} -eq 0 ]; then
- #fi
- #YYY check against static list?
-#
-#################################################################################
-#
# Test : BOOT-5202
# Description : Check uptime of system
Register --test-no BOOT-5202 --weight L --network NO --description "Check uptime of system"
@@ -708,7 +727,7 @@
if [ -f /usr/lib/systemd/system/rescue.service ]; then
logtext "Result: file /usr/lib/systemd/system/rescue.service"
logtext "Test: checking presence sulogin for single user mode"
- FIND=`egrep "^ExecStart=-(/usr)?/sbin/sulogin" /usr/lib/systemd/system/rescue.service`
+ FIND=`egrep "^ExecStart=-(/bin/sh -c \")?(/usr)?/(s)?bin/sulogin" /usr/lib/systemd/system/rescue.service`
if [ ! "${FIND}" = "" ]; then
FOUND=1
logtext "Result: found sulogin, so single user is protected"
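Review bot: the widened pattern now accepts the `/bin/sh -c "/usr/sbin/sulogin; ..."` form used by newer systemd, but the unit is only looked for at /usr/lib/systemd/system/rescue.service (context line above); Debian and Ubuntu install it under /lib/systemd/system, so the test is skipped there and single-user protection goes unchecked. Check both locations, and consider applying the same check to emergency.service, which is the other unprotected-shell entry point.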
@@ -727,8 +746,9 @@
#################################################################################
#
-
report "boot_loader=${BOOT_LOADER}"
+report "boot_uefi_booted=${UEFI_BOOTED}"
+report "boot_uefi_booted_secure=${UEFI_BOOTED_SECURE}"
report "service_manager=${SERVICE_MANAGER}"
wait_for_keypress
diff --git a/include/tests_containers b/include/tests_containers
new file mode 100644
index 00000000..c1ce3379
--- /dev/null
+++ b/include/tests_containers
@@ -0,0 +1,169 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# Containers, Zones, Jails
+#
+#################################################################################
+#
+ InsertSection "Containers"
+#
+#################################################################################
+#
+ # Test : CONT-8004
+ # Description : Query running Solaris zones
+ if [ -x /usr/sbin/zoneadm ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no CONT-8004 --os Solaris --weight L --network NO --description "Query running Solaris zones"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: query zoneadm to list all running zones"
+ FIND=`/usr/sbin/zoneadm list -p | awk -F: '{ if ($2!="global") print $0 }'`
+ if [ ! "${FIND}" = "" ]; then
+ N=0
+ for I in ${FIND}; do
+ N=`expr ${N} + 1`
+ ZONEID=`echo ${I} | cut -d ':' -f1`
+ ZONENAME=`echo ${I} | cut -d ':' -f2`
+ logtext "Result: found zone ${ZONENAME} (running)"
+ report "solaris_running_zone[]=${ZONENAME} [id:${ZONEID}]"
+ done
+ logtext "Result: total of ${N} running zones"
+ Display --indent 2 --text "- Checking Solaris Zones" --result "FOUND ${N} zones" --color GREEN
+ else
+ logtext "Result: no running zones found"
+ Display --indent 2 --text "- Checking Solaris Zones" --result NONE --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : CONT-1906
+ # Description : Query running Xen zones
+ #if [ -x /usr/bin/xm ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ #Register --test-no CONT-1906 --weight L --network NO --description "Query Xen guests"
+ #if [ ${SKIPTEST} -eq 0 ]; then
+ # Show Xen guests
+ #FIND=`xm list | awk '$1 != "Name|Domain-0" {print $1","$2}'`
+ #for I in ${FIND}; do
+ #XENGUESTNAME=`echo ${I} | cut -d ':' -f1`
+ #XENGUESTID=`echo ${I} | cut -d ':' -f2`
+ #logtext "Result: found Xen guest ${XENGUESTNAME} (ID: ${XENGUESTID})"
+ #done
+ #fi
+#
+#################################################################################
+#
+ # Test : CONT-8102
+ # Description : Checking Docker daemon status and basic information for later tests
+ Register --test-no CONT-8102 --weight L --network NO --description "Checking Docker status and information"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ IsRunning "docker -d"
+ if [ ${RUNNING} -eq 1 ]; then
+ logtext "Result: found Docker daemon running"
+ report "docker_daemon_running=1"
+ DOCKER_DAEMON_RUNNING=1
+ Display --indent 4 --text "- Docker"
+ Display --indent 6 --text "- Docker daemon" --result RUNNING --color GREEN
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : CONT-8104
+ # Description : Checking Docker info for any warnings
+ # Notes : Hardening points are awarded, as usually warnings are the result of missing controls to restrict boundaries like memory
+ if [ ! "${DOCKERBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no CONT-8104 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking Docker info for any warnings"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ COUNT=0
+ logtext "Test: Check for any warnings"
+ FIND=`${DOCKERBINARY} info 2>&1 | grep "^WARNING:" | cut -d " " -f 2- | sed 's/ /:space:/g'`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: found warning(s) in output"
+ for I in ${FIND}; do
+ J=`echo ${I} | sed 's/:space:/ /g'`
+ logtext "Output: ${J}"
+ COUNT=`expr ${COUNT} + 1`
+ done
+ Display --indent 8 --text "- Docker info output (warnings)" --result "${COUNT}" --color RED
+ ReportSuggestion "${TEST_NO}" "Run 'docker info' to see warnings applicable to Docker daemon"
+ AddHP 3 4
+ else
+ logtext "Result: no warnings found from 'docker info' output"
+ Display --indent 8 --text "- Docker info output (warnings)" --result "NONE" --color GREEN
+ AddHP 1 1
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : CONT-8106
+ # Description : Checking Docker containers (basic stats)
+ # Notes : Hardening points are awarded, if there aren't a lot of stopped containers
+ if [ ! "${DOCKERBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no CONT-8106 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather basic stats from Docker"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ Display --indent 6 --text "- Containers"
+
+ # Check total of containers
+ logtext "Test: checking total amount of Docker containers"
+ DOCKER_CONTAINERS_TOTAL=`${DOCKERBINARY} info 2> /dev/null | grep "^Containers: " | awk '{ print $2 }'`
+ if [ "${DOCKER_CONTAINERS_TOTAL}" = "" ]; then
+ DOCKER_CONTAINERS_TOTAL=0
+ fi
+ logtext "Result: docker info shows ${DOCKER_CONTAINERS_TOTAL} containers"
+ DOCKER_CONTAINERS_TOTAL2=`${DOCKERBINARY} ps -a 2> /dev/null | grep -v "CONTAINER" | wc -l`
+ logtext "Result: docker ps -a shows ${DOCKER_CONTAINERS_TOTAL2} containers"
+ if [ ! "${DOCKER_CONTAINERS_TOTAL}" = "${DOCKER_CONTAINERS_TOTAL2}" ]; then
+ logtext "Result: difference detected, which is unexpected"
+ ReportSuggestion "${TEST_NO}" "Test output of both 'docker ps -a' and 'docker info', to determine why they report a different amount of containers"
+ Display --indent 8 --text "- Total containers" --result "UNKNOWN" --color RED
+ else
+ Display --indent 8 --text "- Total containers" --result "${DOCKER_CONTAINERS_TOTAL}" --color WHITE
+ fi
+
+ # Check running instances
+ DOCKER_CONTAINERS_RUNNING=`${DOCKERBINARY} ps 2> /dev/null | grep -v "CONTAINER" | wc -l`
+ Display --indent 8 --text "- Running containers" --result "${DOCKER_CONTAINERS_RUNNING}" --color GREEN
+ if [ ${DOCKER_CONTAINERS_RUNNING} -gt 0 ]; then
+ logtext "Result: ${DOCKER_CONTAINERS_RUNNING} containers are currently active"
+ report "docker_containers_running=${DOCKER_CONTAINERS_RUNNING}"
+ else
+ logtext "Result: no active containers"
+ report "docker_containers_running=0"
+ fi
+
+ # Check if there aren't too many unused containers on the system
+ if [ ${DOCKER_CONTAINERS_TOTAL} -gt 0 ]; then
+ DOCKER_CONTAINERS_UNUSED=`expr ${DOCKER_CONTAINERS_TOTAL} - ${DOCKER_CONTAINERS_RUNNING}`
+ if [ ${DOCKER_CONTAINERS_UNUSED} -gt 10 ]; then
+ ReportSuggestion "${TEST_NO}" "More than 10 unused containers found on the system. Clean up old containers by using output of 'docker ps -a' command"
+ Display --indent 8 --text "- Unused containers" --result "${DOCKER_CONTAINERS_UNUSED}" --color RED
+ AddHP 0 2
+ else
+ logtext "Result: found ${DOCKER_CONTAINERS_UNUSED} unused containers"
+ Display --indent 8 --text "- Unused containers" --result "${DOCKER_CONTAINERS_UNUSED}" --color YELLOW
+ AddHP 1 1
+ fi
+ fi
+ fi
+#
+#################################################################################
+#
+
+wait_for_keypress
+
+#
+#================================================================================
+# Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com
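Review bot: CONT-8004 computes PREQS_MET from `-x /usr/sbin/zoneadm` but the `Register` call on the next line never passes `--preqs-met ${PREQS_MET}`, so the test still runs (and `zoneadm list -p` fails) when the binary is absent; add `--preqs-met ${PREQS_MET}` as the Docker tests below do. In CONT-8102, `IsRunning "docker -d"` only matches a daemon started with the `-d` flag, which Docker 1.8 deprecated in favour of `docker daemon`, so current installs are reported as not running; and because there is no `else` branch, nothing is logged or reported in that case while CONT-8104 and CONT-8106 (gated only on `DOCKERBINARY`) still execute `docker info` against the stopped daemon and quietly score zero containers. The commented-out Xen block is also internally inconsistent: it prints `$1","$2` but then splits on `:`, and `$1 != "Name|Domain-0"` is a literal string comparison, so it would need `$1 !~ /^(Name|Domain-0)$/` before it can be enabled.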
diff --git a/include/tests_crypto b/include/tests_crypto
index ea69bf3c..7a08962b 100644
--- a/include/tests_crypto
+++ b/include/tests_crypto
@@ -29,7 +29,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
FOUNDPROBLEM=0
# Check profile for paths to check
- sSSL_PATHS=`grep "^ssl:certificates:" ${PROFILE} | cut -d ':' -f3`
+ sSSL_PATHS=`grep "^ssl:certificates:" ${PROFILE} | cut -d ':' -f3`
for I in ${sSSL_PATHS}; do
if [ -d ${I} ]; then
FileIsReadable ${I}
@@ -50,7 +50,6 @@
FOUNDPROBLEM=1
logtext "Result: certificate ${J} has been expired"
report "expired_certificate[]=${J}|unknown entity|"
- #YYY Dump more information to log file
fi
else
logtext "Result: can not read file ${J} (no permission)"
@@ -65,9 +64,9 @@
done
if [ ${FOUNDPROBLEM} -eq 0 ]; then
- Display --indent 2 --text "- Checking SSL certificate expiration" --result OK --color GREEN
+ Display --indent 2 --text "- Checking for expired SSL certificates" --result NONE --color GREEN
else
- Display --indent 2 --text "- Checking SSL certificate expiration" --result WARNING --color RED
+ Display --indent 2 --text "- Checking for expired SSL certificates" --result FOUND --color RED
ReportSuggestion ${TEST_NO} "Check available certificates for expiration"
fi
fi
diff --git a/include/tests_custom.template b/include/tests_custom.template
index 14c6ae75..73cbc9ff 100644
--- a/include/tests_custom.template
+++ b/include/tests_custom.template
@@ -29,25 +29,51 @@
#################################################################################
#
# Test : CUST-0010
+ # Author : Your name <e-mail address>
# Description : Check for something interesting - template
- # This test first checks if OpenSSL binary was found
- if [ ! -z "${OPENSSLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no CUST-0010 --preqs-met ${PREQS_MET} --weight L --network NO --description "My description"
- # Or you could use this one without any dependencies
- # Register --test-no CUST-0010 --weight L --network NO --description "My description"
+ # Notes : This test first checks if OpenSSL binary was found
+
+ # * Prerequisites Check
+ # -----------------------
+ #
+ # Check first if any dependency. If it doesn't meet, the test will be skipped after registration (SKIPTEST == 1)
+ #
+ # Examples:
+ # -f /etc/file = Test if file exists
+ # -d /var/run/mydirectory = Test if directory exists
+ # ${MYVARIABLE} -eq 1 = Test if variable is set to 1
+ # "${MYVARIABLE}" = "Value" = Test if variable is equal to specific value
+
+ if [ -f /etc/myfile ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+
+ # * Registration of Test
+ # ------------------------
+ #
+ # Register the test, with custom ID CUST-0010, and only execute it when the prerequisites were met
+ Register --test-no CUST-0010 --preqs-met ${PREQS_MET} --weight L --network NO --description "Description of what this test does"
+
+ # Or we could use this test without any dependencies
+ # Register --test-no CUST-0010 --weight L --network NO --description "Description of what this test does"
+
+ # If everything is fine, perform test
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
logtext "Test: checking something"
- ReportWarning ${TEST_NO} "M" "Test warning"
if [ ${FOUND} -eq 0 ]; then
- Display --indent 4 --text "- Performing custom test 1" --result OK --color GREEN
- logtext "Result: the test looks great!"
+ Display --indent 4 --text "- Performing custom test" --result OK --color GREEN
+ logtext "Result: the test result looks great!"
+
+ # Optional: create a suggestion after a specific finding
+ #ReportSuggestion "${TEST_NO}" "This is my suggestion to improve the system even further."
+
else
- Display --indent 4 --text "- Performing custom test 1" --result WARNING --color RED
- logtext "Result: hmm bad result of this test :("
- ReportSuggestion ${TEST_NO} "This could be better!"
+ Display --indent 4 --text "- Performing custom test" --result WARNING --color RED
+ logtext "Result: this test had a bad result :("
+ # Throw a warning to the screen and report
+ ReportWarning ${TEST_NO} "M" "This is a warning message"
fi
fi
+
#
#################################################################################
#
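Review bot: the prerequisite example `${MYVARIABLE} -eq 1` in the new comment block fails with a shell syntax error whenever the variable is unset or empty, which is the normal state for a custom variable that has not been assigned yet; show the quoted form `"${MYVARIABLE}" = "1"` (the next example already uses that shape) or `${MYVARIABLE:-0} -eq 1`. Minor: with `FOUND=0` hard-coded, the template's warning branch and the `ReportWarning` it demonstrates can never execute, so a one-line comment telling the author to set `FOUND=1` on a finding would make the skeleton clearer.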
diff --git a/include/tests_databases b/include/tests_databases
index ca2fb24c..80e7405b 100644
--- a/include/tests_databases
+++ b/include/tests_databases
@@ -79,7 +79,7 @@
Display --indent 4 --text "- Checking empty MySQL root password" --result WARNING --color RED
AddHP 0 5
else
- logtext "Result: Login did not succeed, so a MySQL root password is set"
+ logtext "Result: Login did not succeed, so a MySQL root password is set"
Display --indent 4 --text "- Checking MySQL root password" --result OK --color GREEN
AddHP 2 2
fi
diff --git a/include/tests_file_integrity b/include/tests_file_integrity
index d5d7ef1e..03fa0908 100644
--- a/include/tests_file_integrity
+++ b/include/tests_file_integrity
@@ -14,6 +14,8 @@
#
#################################################################################
#
+ CSF_CONFIG="/etc/csf/csf.conf"
+ FILE_INT_TOOL=""
FILE_INT_TOOL_FOUND=0 # Boolean, file integrity tool found
#
#################################################################################
@@ -30,11 +32,11 @@
logtext "Test: Checking AFICK binary"
if [ ! "${AFICKBINARY}" = "" ]; then
logtext "Result: AFICK is installed (${AFICKBINARY})"
+ FILE_INT_TOOL="afick"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- AFICK" --result FOUND --color GREEN
else
logtext "Result: AFICK is not installed"
- Display --indent 4 --text "- AFICK" --result "NOT FOUND" --color WHITE
fi
fi
#
@@ -47,11 +49,11 @@
logtext "Test: Checking AIDE binary"
if [ ! "${AIDEBINARY}" = "" ]; then
logtext "Result: AIDE is installed (${AIDEBINARY})"
+ FILE_INT_TOOL="aide"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- AIDE" --result FOUND --color GREEN
else
logtext "Result: AIDE is not installed"
- Display --indent 4 --text "- AIDE" --result "NOT FOUND" --color WHITE
fi
fi
#
@@ -92,7 +94,7 @@
Register --test-no FINT-4316 --preqs-met ${PREQS_MET} --weight L --network NO --description "AIDE configuration: Checksums (SHA256 or SHA512)"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=`${GREPBINARY} "^Checksums" ${AIDECONFIG}`
- FIND2=`${GREPBINARY} "^Checksums" ${AIDECONFIG} | ${EGREPBINARY} "sha256|sha512"`
+ FIND2=`${GREPBINARY} "^Checksums" ${AIDECONFIG} | ${EGREPBINARY} "sha256|sha512"`
if [ "${FIND}" = "" ]; then
logtext "Result: Unclear how AIDE is dealing with checksums"
Display --indent 6 --text "- AIDE config (Checksums)" --result UNKNOWN --color YELLOW
@@ -119,11 +121,11 @@
logtext "Test: Checking Osiris binary"
if [ ! "${OSIRISBINARY}" = "" ]; then
logtext "Result: Osiris is installed (${OSIRISBINARY})"
+ FILE_INT_TOOL="osiris"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- Osiris" --result FOUND --color GREEN
else
logtext "Result: Osiris is not installed"
- Display --indent 4 --text "- Osiris" --result "NOT FOUND" --color WHITE
fi
fi
#
@@ -136,11 +138,11 @@
logtext "Test: Checking Samhain binary"
if [ ! "${SAMHAINBINARY}" = "" ]; then
logtext "Result: Samhain is installed (${SAMHAINBINARY})"
+ FILE_INT_TOOL="samhain"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- Samhain" --result FOUND --color GREEN
else
logtext "Result: Samhain is not installed"
- Display --indent 4 --text "- Samhain" --result "NOT FOUND" --color WHITE
fi
fi
#
@@ -153,11 +155,11 @@
logtext "Test: Checking Tripwire binary"
if [ ! "${TRIPWIREBINARY}" = "" ]; then
logtext "Result: Tripwire is installed (${TRIPWIREBINARY})"
+ FILE_INT_TOOL="tripwire"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- Tripwire" --result FOUND --color GREEN
else
logtext "Result: Tripwire is not installed"
- Display --indent 4 --text "- Tripwire" --result "NOT FOUND" --color WHITE
fi
fi
#
@@ -170,10 +172,12 @@
logtext "Test: Checking if OSSEC syscheck daemon is running"
IsRunning ossec-syscheckd
if [ ${RUNNING} -eq 1 ]; then
+ logtext "Result: syscheck (OSSEC) installed"
+ FILE_INT_TOOL="ossec-syscheck"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- OSSEC (syscheck)" --result FOUND --color GREEN
else
- Display --indent 4 --text "- OSSEC (syscheck)" --result "NOT FOUND" --color WHITE
+ logtext "Result: syscheck (OSSEC) not installed"
fi
fi
#
@@ -187,11 +191,59 @@
logtext "Test: Checking mtree binary"
if [ ! "${MTREEBINARY}" = "" ]; then
logtext "Result: mtree is installed (${MTREEBINARY})"
+ FILE_INT_TOOL="mtree"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- mtree" --result FOUND --color GREEN
else
logtext "Result: mtree is not installed"
- Display --indent 4 --text "- mtree" --result "NOT FOUND" --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : FINT-4334
+ # Description : Check if LFD is used (part of CSF suite)
+ if [ -f ${CSF_CONFIG} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no FINT-4334 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check lfd daemon status"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ Display --indent 4 --text "- lfd (CSF)" --result FOUND --color GREEN
+ IsRunning 'lfd '
+ if [ ${RUNNING} -eq 1 ]; then
+ logtext "Result: lfd daemon is running (CSF)"
+ Display --indent 6 --text "- Daemon status" --result RUNNING --color GREEN
+ FILE_INT_TOOL="csf-lfd"
+ FILE_INT_TOOL_FOUND=1
+ else
+ Display --indent 6 --text "- Daemon status" --result "NOT RUNNING" --color YELLOW
+ fi
+ fi
+ # Test : FINT-4336
+ # Description : Check if LFD is enabled (part of CSF suite)
+ if [ -f ${CSF_CONFIG} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no FINT-4336 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check lfd configuration status"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ # LFD configuration parameters
+ ENABLED=`grep "^LF_DAEMON = \"1\"" ${CSF_CONFIG}`
+ if [ ! "${ENABLED}" = "" ]; then
+ logtext "Result: lfd service is configured to run"
+ Display --indent 6 --text "- Configuration status" --result ENABLED --color GREEN
+ else
+ logtext "Result: lfd service is configured NOT to run"
+ Display --indent 6 --text "- Configuration status" --result DISABLED --color YELLOW
+ fi
+ ENABLED=`grep "^LF_DIRWATCH =" ${CSF_CONFIG} | awk '{ print $3 }' | sed 's/\"//g'`
+ if [ ! "${ENABLED}" = "0" -a ! "${ENABLED}" = "" ]; then
+ logtext "Result: lfd directory watching is enabled (value: ${ENABLED})"
+ Display --indent 6 --text "- Temporary directory watches" --result ENABLED --color GREEN
+ else
+ logtext "Result: lfd directory watching is disabled"
+ Display --indent 6 --text "- Temporary directory watches" --result DISABLED --color YELLOW
+ fi
+ ENABLED=`grep "^LF_DIRWATCH_FILE =" ${CSF_CONFIG} | awk '{ print $3 }' | sed 's/\"//g'`
+ if [ ! "${ENABLED}" = "0" -a ! "${ENABLED}" = "" ]; then
+ Display --indent 6 --text "- Directory/File watches" --result ENABLED --color GREEN
+ else
+ Display --indent 6 --text "- Directory/File watches" --result DISABLED --color YELLOW
fi
fi
#
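Review bot: FINT-4334 displays `- lfd (CSF)` as FOUND on the mere presence of csf.conf, then sets `FILE_INT_TOOL_FOUND=1` whenever the daemon is running, yet FINT-4336 right below shows that its file watching (`LF_DIRWATCH`, `LF_DIRWATCH_FILE`) can be switched off; a host running lfd only for login-failure blocking therefore passes the "integrity tool present" check. Consider crediting it only when `LF_DIRWATCH_FILE` is non-zero, and move that assignment into FINT-4336 where the value is already parsed. Two smaller points: `IsRunning 'lfd '` depends on a trailing space to avoid matching other process names, which deserves a comment, and the `#`-separator block that precedes every other test in this file is missing between FINT-4334 and FINT-4336.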
@@ -209,7 +261,7 @@
else
logtext "Result: No file integrity tools found"
Display --indent 2 --text "- Checking presence integrity tool" --result "NOT FOUND" --color YELLOW
- ReportSuggestion ${TEST_NO} "Install a file integrity tool"
+ ReportSuggestion ${TEST_NO} "Install a file integrity tool to monitor changes to critical and sensitive files"
AddHP 0 5
fi
fi
@@ -217,6 +269,7 @@
#################################################################################
#
+report "file_integrity_tool=${FILE_INT_TOOL}"
report "file_integrity_tool_installed=${FILE_INT_TOOL_FOUND}"
wait_for_keypress
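Review bot: `FILE_INT_TOOL` is a single scalar that each detection above overwrites, so on a host with, say, both AIDE and OSSEC syscheck installed the new `file_integrity_tool=` report line names only whichever test ran last (mtree or csf-lfd win by position). If the report consumer needs the installed tools, emit a per-tool `report "file_integrity_tool[]=aide"` inside each test, the same array style the new `compiler[]=` entries use in tests_hardening, and keep `file_integrity_tool_installed` as the summary flag.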
diff --git a/include/tests_file_permissions b/include/tests_file_permissions
index a62f27e9..a5f30270 100644
--- a/include/tests_file_permissions
+++ b/include/tests_file_permissions
@@ -5,8 +5,8 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@@ -56,4 +56,4 @@ wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
+# Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com
diff --git a/include/tests_filesystems b/include/tests_filesystems
index 6d9453da..50c7308c 100644
--- a/include/tests_filesystems
+++ b/include/tests_filesystems
@@ -5,8 +5,8 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@@ -209,23 +209,46 @@
FOUND=0
logtext "Test: query swap partitions from /etc/fstab file"
# Check if third field contains 'swap'
- FIND=`awk '{ if ($3=="swap") print $1 }' /etc/fstab`
+ FIND=`awk '{ if ($2=="swap" || $3=="swap") { print $1 }}' /etc/fstab | grep -v "^#"`
for I in ${FIND}; do
FOUND=1
+ REAL=""
+ UUID=""
logtext "Swap partition found: ${I}"
# YYY Add a test if partition is not a normal partition (e.g. UUID=)
# Can be ^/dev/mapper/vg-name_lv-name
# Can be ^/dev/partition
+
# Can be ^UUID=uuid --> /dev/disk/by-uuid/<uuid>
- # if [ ! "${BLKIDBINARY}" = "" ]; then
- # FIND2=`${BLKIDBINARY} | awk '{ if ($2=="UUID=\"${UUID}\"") print $1 }' | sed 's/:$//'`
- # else
- # logtext "Result: blkid binary not found, trying by checking device listing"
- # if [ -f /dev/disk/by-uuid/${UUID} ]; then
- # logtext "Result: found disk via /dev/disk/by-uuid listing"
- # fi
- # fi
- report "swap_partition[]=${I}"
+ HAS_UUID=`echo ${I} | grep "^UUID="`
+ if [ ! "${HAS_UUID}" = "" ]; then
+ UUID=`echo ${HAS_UUID} | awk -F= '{ print $2 }'`
+ logtext "Result: Using ${UUID} as UUID"
+ if [ ! "${BLKIDBINARYx}" = "" ]; then
+ FIND2=`${BLKIDBINARY} | awk '{ if ($2=="UUID=\"${UUID}\"") print $1 }' | sed 's/:$//'`
+ if [ ! "${FIND2}" = "" ]; then
+ REAL="${FIND2}"
+ fi
+ else
+ logtext "Result: blkid binary not found, trying by checking device listing"
+ sFILE=""
+ if [ -L /dev/disk/by-uuid/${UUID} ]; then
+ logtext "Result: found disk via /dev/disk/by-uuid listing"
+ ShowSymlinkPath /dev/disk/by-uuid/${UUID}
+ if [ ! "${sFILE}" = "" ]; then
+ REAL="${sFILE}"
+ logtext "Result: disk is ${REAL}"
+ fi
+ else
+ logtext "Result: no symlink found to /dev/disk/by-uuid/${UUID}"
+ fi
+ fi
+ fi
+ # Set real device
+ if [ "${REAL}" = "" ]; then
+ REAL="${I}"
+ fi
+ report "swap_partition[]=${I},${REAL},"
done
if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Query swap partitions (fstab)" --result OK --color GREEN
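Review bot: the blkid branch can never execute. The line `if [ ! "${BLKIDBINARYx}" = "" ]` tests a misspelt variable (`BLKIDBINARYx`), so the code always falls through to the `/dev/disk/by-uuid` lookup, and even if the typo were fixed, `${UUID}` inside the single-quoted awk program is never expanded by the shell, so awk compares `$2` against the literal text `UUID="${UUID}"`. Pass the value in with `-v` instead: `awk -v uuid="${UUID}" '{ if ($2=="UUID=\""uuid"\"") print $1 }'` against the blkid output, then strip the trailing colon as now. The `# YYY Add a test if partition is not a normal partition` comment above is now implemented by this hunk and can go.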
@@ -239,18 +262,20 @@
#
# Test : FILE-6336
# Description : Check swap mount options
+ # Examples : [partition] swap swap defaults 0 0
+ # [partition] none swap sw 0 0
if [ -f /etc/fstab ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FILE-6336 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking swap mount options"
if [ ${SKIPTEST} -eq 0 ]; then
# Swap partitions should be mounted with 'sw' or 'swap'
logtext "Test: check swap partitions with incorrect mount options"
#FIND=`awk '{ if ($3=="swap" && ($4!="sw" && $4!="swap" && $4!="defaults")) print $1 }' /etc/fstab`
- FIND=`awk '{ if ($3=="swap" && $4~/sw/) { print $1 }}' /etc/fstab`
+ FIND=`awk '{ if ($3=="swap" && ($4~/sw/ || $4=="defaults")) { print $1 }}' /etc/fstab`
if [ ! "${FIND}" = "" ]; then
Display --indent 2 --text "- Testing swap partitions" --result OK --color GREEN
logtext "Result: all swap partitions have correct options (sw or swap)"
else
- Display --indent 2 --text "- Testing swap partitions" --result WARNING --color RED
+ Display --indent 2 --text "- Testing swap partitions" --result "CHECK NEEDED" --color YELLOW
logtext "Result: possible incorrect mount options used for mounting swap partition (${FIND})"
#ReportWarning ${TEST_NO} "L" "Possible incorrect mount options used for swap parition (${FIND})"
ReportSuggestion ${TEST_NO} "Check your /etc/fstab file for swap partition mount options"
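Review bot: the logic in FILE-6336 is inverted and this hunk widens it rather than fixing it: `FIND` collects the swap entries whose options do match (`sw`, or now `defaults`), and a non-empty result is read as "all swap partitions are correct", so one well-configured entry masks any misconfigured ones, and in the failure branch `${FIND}` is by construction empty, so the logtext prints a blank value. The commented-out line directly above, which selects the entries whose fourth field is not `sw`, `swap` or `defaults`, has the right shape: `awk '{ if ($3=="swap" && $4!~/sw/ && $4!="defaults") print $1 }' /etc/fstab`, reporting the listed partitions when the result is non-empty. Note also that `$4~/sw/` is a substring match, so it accepts `swap` and any option list containing `sw` (for example `pri=1,sw`), which is presumably intended but worth a comment.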
@@ -272,7 +297,7 @@
Display --indent 2 --text "- Checking for old files in /tmp" --result OK --color GREEN
logtext "Result: no files found in /tmp which are older than 3 months"
else
- Display --indent 2 --text "- Checking for old files in /tmp" --result WARNING --color RED
+ Display --indent 2 --text "- Checking for old files in /tmp" --result FOUND --color RED
N=0
for I in ${FIND}; do
FILE=`echo ${I} | sed 's/!space!/ /g'`
@@ -297,7 +322,7 @@
#SKELDIRS="/etc/skel /usr/share/skel"
#for I in ${SKELDIRS}; do
- #
+ #
# logtext "Searching skel directory ${I}"
#
# if [ -d ${I} ]; then
@@ -435,77 +460,76 @@
#################################################################################
#
# Test : FILE-6374
- # Description : Check /boot mount options for Linux
- # Notes : Expecting nodev,noexec,nosuid
+ # Description : Check mount options for Linux
+ # Notes : This test determines if the mount point exists. If it does not exist as mount point, yet it is an directory,
+ # you might consider to make it a separate mount point with restrictions.
+ #
+ # Depending on the primary goals of a machine, some mount points might be too restrictive. Before applying any
+ # mount flags, test them on a similar or cloned test system.
+ #
+ # ---------------------------------------------------------
+ # Mount point nodev noexec nosuid
+ # /boot v v v
+ # /home v v
+ # /tmp v v v
+ # /var v
+ # /var/log v v v
+ # /var/log/audit v v v
+ # ---------------------------------------------------------
+
+ FILESYSTEMS_TO_CHECK="/boot:nodev,noexec,nosuid /home:nodev,nosuid /var:nosuid /var/log:nodev,noexec,nosuid /var/log/audit:nodev,noexec,nosuid /tmp:nodev,noexec,nosuid"
Register --test-no FILE-6374 --os Linux --weight L --network NO --description "Checking /boot mount options"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /etc/fstab ]; then
- HARDENED=0
- FIND=`echo /etc/fstab | awk '{ if ($2=="/boot") { print $4 } }'`
- NODEV=`echo ${FIND} | awk '{ if ($1=="nodev") { print "YES" } else { print "NO" } }'`
- NOEXEC=`echo ${FIND} | awk '{ if ($1=="noexec") { print "YES" } else { print "NO" } }'`
- NOSUID=`echo ${FIND} | awk '{ if ($1=="nosuid") { print "YES" } else { print "NO" } }'`
- if [ "${NODEV}" = "YES" -a "${NOEXEC}" = "YES" -a "${NOSUID}" = "YES" ]; then HARDENED=1; fi
- if [ ! "${FIND}" = "" ]; then
- logtext "Result: mount system /boot is configured with options: ${FIND}"
- if [ ${HARDENED} -eq 1 ]; then
- logtext "Result: marked /boot options as hardenened"
- Display --indent 2 --text "- Mount options of /boot" --result HARDENED --color GREEN
- AddHP 5 5
- else
- if [ "${FIND}" = "defaults" ]; then
- logtext "Result: marked /boot options as default (non hardened)"
- Display --indent 2 --text "- Mount options of /boot" --result DEFAULT --color RED
- AddHP 3 5
- else
- logtext "Result: marked /boot options as non default (unclear about hardening)"
- Display --indent 2 --text "- Mount options of /boot" --result "NON DEFAULT" --color YELLOW
+ for I in ${FILESYSTEMS_TO_CHECK}; do
+ FILESYSTEM=`echo ${I} | cut -d: -f1`
+ EXPECTED_FLAGS=`echo ${I} | cut -d: -f2 | sed 's/,/ /g'`
+ IN_FSTAB=`cat /etc/fstab | awk -v fs=${FILESYSTEM} '{ if ($2==fs) { print "FOUND" } }'`
+ if [ ! "${IN_FSTAB}" = "" ]; then
+ FOUND_FLAGS=`cat /etc/fstab | awk -v fs=${FILESYSTEM} '{ if ($2==fs) { print $4 } }' | sed 's/,/ /g'`
+ logtext "File system: ${FILESYSTEM}"
+ logtext "Expected flags: ${EXPECTED_FLAGS}"
+ logtext "Found flags: ${FOUND_FLAGS}"
+ PARTIALLY_HARDENED=0
+ FULLY_HARDENED=1
+ for FLAG in ${EXPECTED_FLAGS}; do
+ FLAG_AVAILABLE=`echo ${FOUND_FLAGS} | grep ${FLAG}`
+ if [ "${FLAG_AVAILABLE}" = "" ]; then
+ logtext "Result: Could not find mount option ${FLAG} on file system ${FILESYSTEM}"
+ FULLY_HARDENED=0
+ else
+ logtext "Result: GOOD, found mount option ${FLAG} on file system ${FILESYSTEM}"
+ PARTIALLY_HARDENED=1
+ fi
+ done
+ if [ ${FULLY_HARDENED} -eq 1 ]; then
+ logtext "Result: marked ${FILESYSTEM} as fully hardenened"
+ Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result HARDENED --color GREEN
+ AddHP 5 5
+ elif [ ${PARTIALLY_HARDENED} -eq 1 ]; then
+ logtext "Result: marked ${FILESYSTEM} as fully hardenened"
+ Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "PARTIALLY HARDENED" --color YELLOW
AddHP 4 5
+ else
+ if [ "${FOUND_FLAGS}" = "defaults" ]; then
+ logtext "Result: marked ${FILESYSTEM} options as default (non hardened)"
+ Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result DEFAULT --color YELLOW
+ AddHP 3 5
+ else
+ logtext "Result: marked ${FILESYSTEM} options as non default (unclear about hardening)"
+ Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "NON DEFAULT" --color YELLOW
+ AddHP 4 5
+ fi
fi
+ else
+ logtext "Result: file system ${FILESYSTEM} not found in /etc/fstab"
fi
- else
- logtext "Result: no mount point /boot or expected options found"
- fi
+ done
fi
fi
#
#################################################################################
#
- # Test : FILE-XXXX
- # Description : Check /home mount options for Linux
- # Notes : Expecting nodev,nosuid
-#
-#################################################################################
-#
-
- # Test : FILE-XXXX
- # Description : Check /var mount options for Linux
- # Notes : Expecting nosuid
-#
-#################################################################################
-#
- # Test : FILE-XXXX
- # Description : Check /var/log mount options for Linux
- # Notes : Expecting nodev,noexec,nosuid
-#
-#################################################################################
-#
- # Test : FILE-XXXX
- # Description : Check /var/log/audit mount options for Linux
- # Notes : Expecting nodev,noexec,nosuid
-#
-#################################################################################
-#
-
- # Test : FILE-XXXX
- # Description : Check /tmp mount options for Linux
- # Notes : Expecting nodev,noexec,nosuid
-#
-#################################################################################
-#
-#
-#################################################################################
-#
# Test : FILE-6378
# Description : Check for nodirtime option
#
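Review bot: FILE-6374 now reads options from /etc/fstab without skipping commented-out entries (a disabled `#/dev/sda1 /boot ...` line still has `$2=="/boot"` and is scored as if active), and `echo ${FOUND_FLAGS} | grep ${FLAG}` is a substring match; add `$1 !~ /^#/ &&` to both awk filters and use `grep -w "${FLAG}"`. Because fstab is declared rather than effective state, an entry carrying all three flags scores HARDENED even when the filesystem is not mounted or was remounted with different options; reading the live options from /proc/mounts (or `mount` output) as a cross-check would make the result trustworthy. Smaller points: the `Register` line still says "Checking /boot mount options" although the test now covers six mount points; the logtext in the `PARTIALLY_HARDENED` branch repeats "marked ... as fully hardenened" from the branch above (with the typo); and the "NON DEFAULT" branch awards the same `AddHP 4 5` as partially hardened even though none of the expected flags was found.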
@@ -538,11 +562,11 @@
# or /var/cache/locate/locatedb
# FreeBSD /var/db/locate.database
if [ ! "${LOCATEBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no FILE-6410 --os Linux --weight L --network NO --description "Checking Locate database"
+ Register --test-no FILE-6410 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --description "Checking Locate database"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking locate database"
FOUND=0
- LOCATE_DBS="/var/lib/mlocate/mlocate.db /var/lib/locatedb /var/lib/slocate/slocate.db /var/cache/locate/locatedb /var/db/locate.database"
+ LOCATE_DBS="/var/lib/mlocate/mlocate.db /var/lib/locate/locatedb /var/lib/locatedb /var/lib/slocate/slocate.db /var/cache/locate/locatedb /var/db/locate.database"
for I in ${LOCATE_DBS}; do
if [ -f ${I} ]; then
logtext "Result: locate database found (${I})"
@@ -598,4 +622,4 @@ wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
+# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_firewalls b/include/tests_firewalls
index 5a529d35..302fd733 100644
--- a/include/tests_firewalls
+++ b/include/tests_firewalls
@@ -5,8 +5,8 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@@ -30,10 +30,6 @@
#
#################################################################################
#
-# YYY Improvement needed for iptables to check if kernel modules are used or not.
-# If they are not used and iptables is not found in configuration, no checks should be performed.
-#
-
# Test : FIRE-4511
# Description : Check iptables kernel module
Register --test-no FIRE-4511 --os Linux --weight L --network NO --description "Check iptables kernel module"
@@ -124,7 +120,7 @@
Display --indent 4 --text "- Checking for unused rules" --result OK --color GREEN
logtext "Result: There are no unused rules present"
else
- Display --indent 4 --text "- Checking for unused rules" --result WARNING --color YELLOW
+ Display --indent 4 --text "- Checking for unused rules" --result FOUND --color YELLOW
logtext "Result: Found one or more possible unused rules"
logtext "Description: Unused rules can be a sign that the firewall rules aren't optimized or up-to-date"
logtext "Note: Sometimes rules aren't triggered but still in use. Keep this in mind before cleaning up rules."
@@ -189,7 +185,6 @@
PFLOGDFOUND=1
else
logtext "Result: pflog daemon not found in process list"
- Display --indent 4 --text "- Checking pflogd status" --result "NOT FOUND" --color YELLOW
fi
fi
@@ -198,7 +193,6 @@
FIREWALL_SOFTWARE="pf"
else
logtext "Result: pf not running on this system"
- Display --indent 2 --text "- Checking pf" --result "NOT FOUND" --color WHITE
fi
fi
#
@@ -274,7 +268,34 @@
#################################################################################
#
# Test : FIRE-4530
- # Description : Check ipfw
+ # Description : Check IPFW (FreeBSD)
+ Register --test-no FIRE-4530 --os FreeBSD --weight L --network NO --description "Check IPFW status"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ if [ ! "${SYSCTLBINARY}" = "" ]; then
+ # For now, only check for IPv4.
+ FIND=`${SYSCTLBINARY} net.inet.ip.fw.enable | awk '{ print $2 }'`
+ if [ "${FIND}" = "1" ]; then
+ Display --indent 2 --text "- Checking IPFW status" --result RUNNING --color GREEN
+ logtext "Result: IPFW is running for IPv4"
+ FIREWALL_ACTIVE=1
+ FIREWALL_SOFTWARE="ipfw"
+ IPFW_ENABLED=`service -e | grep -o ipfw`
+ if [ "${IPFW_ENABLED}" = "ipfw" ]; then
+ Display --indent 4 --text "- IPFW enabled in /etc/rc.conf" --result YES --color GREEN
+ logtext "Result: IPFW is enabled at start-up for IPv4"
+ else
+ Display --indent 4 --text "- ipfw enabled in /etc/rc.conf" --result NO --color YELLOW
+ logtext "Result: IPFW is disabled at start-up for IPv4"
+ fi
+ else
+ Display --indent 2 --text "- Checking IPFW status" --result "NOT RUNNING" --color YELLOW
+ logtext "Result: IPFW is not running for IPv4"
+ fi
+ else
+ Display --indent 2 --text "- Checking IPFW" --result SKIPPED --color YELLOW
+ ReportException "${TEST_NO}:1" "No IPFW test available (sysctl missing)"
+ fi
+ fi
#
#################################################################################
#
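Review bot: `FIND=\`${SYSCTLBINARY} net.inet.ip.fw.enable | awk '{ print $2 }'\`` lets sysctl's error message reach the terminal when the OID does not exist (ipfw not loaded); add `2> /dev/null` as the `ls` calls elsewhere in this patch do, since the empty result is already handled as NOT RUNNING. The rc.conf check calls `service -e` bare while the same test goes through `${SYSCTLBINARY}`, and `grep -o ipfw` yields one line per matching script, so two enabled scripts containing "ipfw" make the `= "ipfw"` comparison fail silently; matching the script name itself (for example `grep '/ipfw$'`) is safer. The two indent-4 Display texts also differ in case ("IPFW enabled" vs "ipfw enabled").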
diff --git a/include/tests_hardening b/include/tests_hardening
index 592e8b16..713264b9 100644
--- a/include/tests_hardening
+++ b/include/tests_hardening
@@ -55,6 +55,7 @@
IsWorldExecutable ${ASBINARY}
if [ $? -eq 1 ]; then
logtext "Binary: found ${ASBINARY} (world executable)"
+ report "compiler[]=${ASBINARY}"
AddHP 2 3
HARDEN_COMPILERS_NEEDED=1
else
@@ -67,6 +68,7 @@
IsWorldExecutable ${GCCBINARY}
if [ $? -eq 1 ]; then
logtext "Binary: found ${GCCBINARY} (world executable)"
+ report "compiler[]=${GCCBINARY}"
AddHP 2 3
HARDEN_COMPILERS_NEEDED=1
else
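Review bot: in both hunks `report "compiler[]=..."` sits only inside the `if [ $? -eq 1 ]` (world-executable) branch, so a compiler that is installed but restricted never reaches the report. If `compiler[]` is meant as an inventory of installed compilers, move the report line above the `IsWorldExecutable` check; if it is meant to list only exposed compilers, the key name should make that explicit.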
diff --git a/include/tests_hardening_tools b/include/tests_hardening_tools
deleted file mode 100644
index c148e9a0..00000000
--- a/include/tests_hardening_tools
+++ /dev/null
@@ -1,52 +0,0 @@
-#!/bin/sh
-
-#################################################################################
-#
-# Lynis
-# ------------------
-#
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
-#
-# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
-# welcome to redistribute it under the terms of the GNU General Public License.
-# See LICENSE file for usage of this software.
-#
-#################################################################################
-#
-# InsertSection "Hardening tools"
-#
-#################################################################################
-#
- # Checking Solaris Security Toolkit (Jass)
- # Test : HRDN-7402
- # Description : Check jass hardening
- # Register --test-no HRDN-7402 --weight L --network NO --description "Check jass hardening"
- # if [ ${SKIPTEST} -eq 0 ]; then
- # if [ -d /opt/SUNWjass -o -d /var/opt/SUNWjass ]; then
- # logtext "Result: found Solaris Security Toolkit (Jass hardening tool)"
- # fi
- #
-#
-#################################################################################
-#
- # Test : HRDN-7410
- # Description : Check tiger hardening tool
-#
-#################################################################################
-#
- # Test : HRDN-7420
- # Description : Check Bastille Unix hardening tool
-#
-#################################################################################
-#
- # Checking Solaris Security Toolkit (ASET)
- # - Automated Security Enhancement Tool
-
- # AddHP 3 3
-
-#wait_for_keypress
-
-#
-#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
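Review bot: deleting include/tests_hardening_tools needs a matching change wherever the main script sources that file, otherwise the run fails on a missing include; please confirm that companion change is in this merge. If the HRDN-7402, HRDN-7410 and HRDN-7420 identifiers listed in the removed file are recorded in the tests database, those entries should be removed in the same change so the database does not advertise tests that no longer exist.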
diff --git a/include/tests_homedirs b/include/tests_homedirs
index 7afe5068..012cf648 100644
--- a/include/tests_homedirs
+++ b/include/tests_homedirs
@@ -5,8 +5,8 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@@ -28,7 +28,6 @@
#
#################################################################################
#
-
# Test : HOME-9302
# Description : Create list with home directories
Register --test-no HOME-9302 --weight L --network NO --description "Create list with home directories"
@@ -69,7 +68,7 @@
logtext "Info: above files could be redirected files to avoid logging and should be investigated"
ReportWarning ${TEST_NO} "M" "Incorrect file type found for shell history file"
fi
- logtext "Remarks: ${HOME_HISTORY_LOG_TEXT}"
+ logtext "Remarks: History files are normally of the type 'file'. Symbolic links and other types can be riskful."
else
Display --indent 2 --text "- Checking shell history files" --result SKIPPED --color WHITE
logtext "Result: Homedirs is empty, test will be skipped"
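Review bot: replacing `${HOME_HISTORY_LOG_TEXT}` with a literal leaves the old constant orphaned unless its definition is dropped in the same change; please check the consts file. Also "riskful" in the new logtext should read "risky".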
@@ -100,19 +99,6 @@
logtext "Output: ${IGNORE_HOME_DIRS}"
fi
fi
-
- #YYY
- #echo -n " - Checking PATH variable vulnerabilities"
- #
- #FIND=`find ${HOMEDIRS} -name * | grep -r 'PATH=' | egrep '=.:|:.:|:.;' | grep -v 'CDPATH'`
- #if [ "${FIND}" = "" ]
- # then
- # logtext "Result: Ok, no special things found in the PATH variable"
- # else
- # echo "[ ${WARNING}WARNING${NORMAL} ]"
- # logtext "Warning: Probably found \".\" in the PATH. Details: ${FIND}"
- #fi
- #
#
#################################################################################
#
@@ -121,4 +107,4 @@ wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
+# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_insecure_services b/include/tests_insecure_services
index 534132ee..f6b5e15d 100644
--- a/include/tests_insecure_services
+++ b/include/tests_insecure_services
@@ -5,8 +5,8 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@@ -37,7 +37,6 @@
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: inetd is running"
Display --indent 2 --text "- Checking inetd status" --result ACTIVE --color GREEN
- #YYY perform manual check
INETD_ACTIVE=1
else
logtext "Result: inetd is NOT running"
@@ -61,8 +60,6 @@
logtext "Result: ${INETD_CONFIG_FILE} does not exist"
Display --indent 4 --text "- Checking inetd.conf" --result "NOT FOUND" --color WHITE
fi
- # YYY immutable bit could be set
- # YYY permission check (already set in profile)
fi
#
#################################################################################
@@ -106,15 +103,9 @@
#
#################################################################################
#
-# Check telnet in /etc/xinetd.conf
-# Check telnet in /etc/xinetd/*
-# Check running telnet daemon (telnetd)
-# rshd rlogin rexec
-# /etc/hosts.equiv
-
wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
+# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_kernel b/include/tests_kernel
index a2ba9e9b..495d62bc 100644
--- a/include/tests_kernel
+++ b/include/tests_kernel
@@ -5,8 +5,8 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@@ -49,7 +49,7 @@
logtext "Result: Found match on runlevel5/graphical"
Display --indent 2 --text "- Checking default runlevel" --result "runlevel 5" --color GREEN
report "linux_default_runlevel=5"
- else
+ else
logtext "Result: No match found on runlevel, defaulting to runlevel 3"
Display --indent 2 --text "- Checking default runlevel" --result "runlevel 3" --color GREEN
report "linux_default_runlevel=3"
@@ -252,6 +252,8 @@
#
# Test : KRNL-5730
# Description : Checking default I/O kernel scheduler
+ # Notes : This test could be extended with testing some of the specific devices like disks
+ # cat /sys/block/sda/queue/scheduler
PREQS_MET="NO"
if [ ! "${LINUXCONFIGFILE}" = "" ]; then
if [ -f ${LINUXCONFIGFILE} ]; then PREQS_MET="YES"; fi
@@ -277,17 +279,13 @@
#
#################################################################################
#
-# YYY Check for kernel options
-#
-#################################################################################
-#
# Test : KRNL-5745
# Description : Checking FreeBSD loaded kernel modules
Register --test-no KRNL-5745 --os FreeBSD --weight L --network NO --description "Checking FreeBSD loaded kernel modules"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Checking active kernel modules"
- logtext "Test: ${KERNEL_ACTIVE_MODULES_TITLE}"
- logtext "Description: ${KERNEL_ACTIVE_MODULES_DESCRIPTION}"
+ logtext "Test: Active kernel modules (KLDs)"
+ logtext "Description: View all active kernel modules (including kernel)"
logtext "Test: Checking modules"
if [ -f /sbin/kldstat ]; then
FIND=`kldstat | grep -v 'Name' | tr -s ' ' | cut -d ' ' -f6`
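Review bot: same orphan concern as for the homedirs change: `${KERNEL_ACTIVE_MODULES_TITLE}` and `${KERNEL_ACTIVE_MODULES_DESCRIPTION}` are no longer referenced here, so their definitions should go in the same change. The new `logtext "Test: Active kernel modules (KLDs)"` is immediately followed by the unchanged `logtext "Test: Checking modules"`, giving two Test: entries for one check; one of them can go.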
@@ -340,7 +338,6 @@
logtext "Test: Searching apt-cache, to determine if a newer kernel is available"
if [ -x /usr/bin/apt-cache ]; then
logtext "Result: found /usr/bin/apt-cache"
- # YYY Test for presence /usr/bin/apt-cache and dpkg
logtext "Test: checking readlink location of /vmlinuz"
FINDKERNFILE=`readlink -f /vmlinuz`
logtext "Output: readlink reported file ${FINDKERNFILE}"
@@ -381,7 +378,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking presence /etc/security/limits.conf"
if [ -f /etc/security/limits.conf ]; then
- logtext "Result: file /etc/security/limits.conf exists"
+ logtext "Result: file /etc/security/limits.conf exists"
logtext "Test: Checking if core dumps are disabled in /etc/security/limits.conf"
FIND1=`cat /etc/security/limits.conf | grep -v "^#" | grep -v "^$" | awk '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="1") { print "soft core enabled" } }'`
FIND2=`cat /etc/security/limits.conf | grep -v "^#" | grep -v "^$" | awk '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="1") { print "hard core enabled" } }'`
@@ -443,7 +440,7 @@
FILE="/var/run/reboot-required.pkgs"
logtext "Test: Checking presence ${FILE}"
if [ -f ${FILE} ]; then
- logtext "Result: file ${FILE} exists"
+ logtext "Result: file ${FILE} exists"
FIND=`cat ${FILE}`
if [ "${FIND}" = "" ]; then
logtext "Result: No reboot needed (file empty)"
@@ -516,7 +513,8 @@
FIND=`ls /boot/vmlinuz* 2> /dev/null`
if [ ! "${FIND}" = "" ]; then
# Display kernels, extract version numbers and sort them numeric per column (up to 6 numbers)
- KERNELS=`ls /boot/vmlinuz* | sed 's/vmlinuz-//' | sed 's/\.[a-z].*.//g' | sed 's/-[a-z].*.//g' | sed 's./boot/..' | sed 's/-/./g' | sort -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.`
+ # Remove generic. and huge. for Slackware machines
+ KERNELS=`ls /boot/vmlinuz* | sed 's/vmlinuz-//' | sed 's/generic.//' | sed 's/huge.//' | sed 's/\.[a-z].*.//g' | sed 's/-[a-z].*.//g' | sed 's./boot/..' | sed 's/-/./g' | sort -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.`
elif [ ! `ls /boot/kernel* 2> /dev/null` = "" ]; then
# Display kernels, extract version numbers and sort them numeric per column (up to 6 numbers)
# Examples:
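Review bot: in `sed 's/generic.//' | sed 's/huge.//'` the dot is an unescaped regex metacharacter, so these match "generic" or "huge" followed by any character, not the literal "generic." and "huge." the comment describes; write `s/generic\.//` and `s/huge\.//`. Since the input is a list of kernel file names with the `vmlinuz-` prefix already stripped, both substitutions could also be folded into the existing sed chain as `-e` expressions instead of two extra processes.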
@@ -580,4 +578,4 @@ wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen - http://cisofy.com - The Netherlands
+# Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com
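Review bot: the new footer `# Lynis - Copyright 2007-2015, CISOfy - https://cisofy.com` drops the author name that every other footer in this patch keeps (`Michael Boelen, CISOfy - https://cisofy.com` in tests_homedirs and tests_insecure_services); the header lines likewise alternate between `Michael Boelen (michael.boelen@cisofy.com)` and `Michael Boelen, CISOfy (michael.boelen@cisofy.com)`. Settle on one form for all files in the same sweep.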
diff --git a/include/tests_kernel_hardening b/include/tests_kernel_hardening
index 7797fa1a..cc82eb47 100644
--- a/include/tests_kernel_hardening
+++ b/include/tests_kernel_hardening
@@ -5,8 +5,8 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@@ -66,4 +66,4 @@ wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen - http://cisofy.com - The Netherlands
+# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_ldap b/include/tests_ldap
index 551fae3a..26c35c0b 100644
--- a/include/tests_ldap
+++ b/include/tests_ldap
@@ -5,8 +5,8 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@@ -101,4 +101,4 @@ wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
+# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_logging b/include/tests_logging
index 0d8189a9..707b6948 100644
--- a/include/tests_logging
+++ b/include/tests_logging
@@ -5,8 +5,8 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@@ -36,7 +36,6 @@
# Test : LOGG-2130
# Description : Check for a running syslog daemon
- # Notes : Log which syslog daemon is found YYY
Register --test-no LOGG-2130 --weight L --network NO --description "Check for running syslog daemon"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Searching for a logging daemon"
@@ -274,7 +273,7 @@
Register --test-no LOGG-2150 --weight L --preqs-met ${PREQS_MET} --network NO --description "Checking directories in logrotate configuration"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking which directories can be found in logrotate configuration"
- FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | egrep "considering log|skipping" | grep -v '*' | sort | uniq | awk '{ if ($2=="log") { print $3 } }' | sed 's/\/*[a-zA-Z_.-]*$//g' | sort | uniq`
+ FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | egrep "considering log|skipping" | grep -v '*' | sort | uniq | awk '{ if ($2=="log") { print $3 } }' | sed 's@/[^/]*$@@g' | sort | uniq`
if [ "${FIND}" = "" ]; then
logtext "Result: nothing found"
else
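Review bot: `sed 's@/[^/]*$@@g'` strips the last path component regardless of its characters, which fixes the old pattern's restriction to `[a-zA-Z_.-]` names, but the `g` flag does nothing with a `$`-anchored pattern, and an entry without any slash passes through unchanged and is then treated as a directory by the loop below. Dropping `g` makes the intent clearer; the slash-less case is harmless for logrotate's absolute paths but worth a comment.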
@@ -285,7 +284,6 @@
report "log_directory[]=${I}"
else
logtext "Directory could not be found: ${I}"
- # YYY strip more parts of the name, until it can be found (and stop at /)
fi
done
fi
@@ -477,12 +475,6 @@
#
#################################################################################
#
-#
-# Rsyslogd checks
-#
-#
-#################################################################################
-#
report "log_rotation_config_found=${LOGROTATE_CONFIG_FOUND}"
report "log_rotation_tool=${LOGROTATE_TOOL}"
diff --git a/include/tests_mac_frameworks b/include/tests_mac_frameworks
index 23e75e5e..9b7fa2c2 100644
--- a/include/tests_mac_frameworks
+++ b/include/tests_mac_frameworks
@@ -5,8 +5,8 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@@ -48,11 +48,11 @@
if [ ${SKIPTEST} -eq 0 ]; then
if [ ! "${AASTATUSBINARY}" = "" ]; then
# Checking AppArmor status
- #0 if apparmor is enabled and policy is loaded.
- #1 if apparmor is not enabled/loaded.
- #2 if apparmor is enabled but no policy is loaded.
- #3 if control files are not available
- #4 if apparmor status can't be read
+ # 0 if apparmor is enabled and policy is loaded.
+ # 1 if apparmor is not enabled/loaded.
+ # 2 if apparmor is enabled but no policy is loaded.
+ # 3 if control files are not available
+ # 4 if apparmor status can't be read
FIND=`${AASTATUSBINARY} > /dev/null; echo $?`
if [ ${FIND} -eq 0 ]; then
MAC_FRAMEWORK_ACTIVE=1
@@ -71,7 +71,7 @@
elif [ ${FIND} -eq 1 ]; then
logtext "Result: AppArmor is disabled"
Display --indent 4 --text "- Checking AppArmor status" --result "DISABLED" --color YELLOW
- else
+ else
Display --indent 4 --text "- Checking AppArmor status" --result "UNKNOWN" --color RED
ReportException "${TEST_NO}:1" "Invalid or unknown AppArmor status detected"
fi
@@ -119,7 +119,7 @@
Display --indent 6 --text "- Checking current mode and config file" --result "OK" --color GREEN
else
logtext "Result: Current SELinux mode (${FIND}) is NOT the same as in config file (${FIND2})."
- ReportWarning ${TEST_NO} "M" "Current SELinux mode is different from config file (current: ${FIND}, config file: ${FIND2})"
+ ReportWarning ${TEST_NO} "M" "Current SELinux mode is different from config file (current: ${FIND}, config file: ${FIND2})"
Display --indent 6 --text "- Checking current mode and config file" --result "WARNING" --color RED
fi
Display --indent 8 --text "Current SELinux mode: ${FIND}"
@@ -187,14 +187,6 @@ report "framework_selinux=${SELINUXFOUND}"
wait_for_keypress
-# To implement:
-# FMAC (OpenSolaris, MAC)
-# LSM (Linux Security Modules)
-# TrustedBSD (MAC)
-# RSBAC (RBAC)
-# Apple sandbox technology
-# PAX
-
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
+# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_mail_messaging b/include/tests_mail_messaging
index dc568283..b936dbb8 100644
--- a/include/tests_mail_messaging
+++ b/include/tests_mail_messaging
@@ -5,8 +5,8 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@@ -51,29 +51,6 @@
#
#################################################################################
#
- # Test : MAIL-8804
- # Description : Check Exim configuration
- #if [ ${EXIM_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- #Register --test-no MAIL-8804 --weight L --network NO --description "Check Exim configuration"
- #if [ ${SKIPTEST} -eq 0 ]; then
- # if [ ! "${EXIMBINARY}" = "" ]; then
- # logtext "Test: Searching Exim configuration file"
- # FIND=`${EXIMBINARY} -d | grep "configuration file is" | sed 's/configuration file is//'`
- # if [ ! "${FIND}" = "" ]; then
- # Display --indent 2 --text "- Checking Exim configuration" --result FOUND --color GREEN
- # Display --indent 4 --text "Result: configuration file is ${FIND}"
- # logtext "Result: found Exim"
- # logtext "Result: configuration file is ${FIND}"
- # else
- # Display --indent 2 --text "- Checking Exim configuration" --result WARNING --color RED
- # logtext "Couldn't find the Exim configuration file, however Exim seems to be installed."
- # fi
- # else
- # logtext "Exim binary not found, no tests performed"
- # fi
-#
-#################################################################################
-#
# Test : MAIL-8814
# Description : Check Postfix process
# Notes : qmgr and pickup run under postfix uid, without full path to binary
@@ -162,26 +139,6 @@
#
#################################################################################
#
- # Test : MAIL-8842
- # Description : Check Dovecot logging locations
- #Register --test-no MAIL-8842 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check dovecot logging locations"
- #if [ ${SKIPTEST} -eq 0 ]; then
-# ParseDovecot
-# CONF="/etc/dovecot/dovecot.conf"
-# FIND=`cat ${CONF} | grep "^log_path" | awk '{ if ($1=="") { print "syslog" } else { print $3 } }'`
-# if [ ! "${FIND}" = "" ]; then
-# logtext "Result: output for error messages = ${FIND}"
-# fi
-#
-# FIND=`cat ${CONF} | grep "^log_info_path" | awk '{ if ($1=="") { print "syslog" } else { print $3 } }'`
-# if [ ! "${FIND}" = "" ]; then
-# logtext "Result: output for informational messages = ${FIND}"
-# fi
-#
-# fi
-#
-#################################################################################
-#
# Test : MAIL-8860
# Description : Check Qmail process status
Register --test-no MAIL-8860 --weight L --network NO --description "Check Qmail status"
@@ -240,23 +197,6 @@
#
#################################################################################
#
- # Test : MAIL-xxxx
- # Description : Check if outgoing mail is obscured (increased privacy)
- #Register --test-no MAIL-xxxx --weight L --network NO --description "Check XXX"
- #if [ ${SKIPTEST} -eq 0 ]; then
-#
-#################################################################################
-#
- #YYY Add support for mail, procmail
- #YYY Add support for MUAs: Thunderbird, Kmail, Evolution
- # Other software : Cyrus-IMAP, Amavisd-new, SpamAssassin, Fetchmail, Procmail, maildrop
- #- Dovecot : \'/usr/local/etc/dovecot.conf\'
- #- For Sendmail : \'/var/mail/sendmail.cf\'
- #- Fetchmail : \'~/.fetchmailrc\' (not only root)
- #- Cyrus-IMAP : \'/usr/local/etc/imapd.conf\' for parameters and \'/usr/local/etc/cyrus.conf\' for the services launched
-#
-#################################################################################
-#
report "imap_daemon=${IMAP_DAEMON}"
report "pop3_daemon=${POP3_DAEMON}"
@@ -267,4 +207,4 @@ wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
+# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_malware b/include/tests_malware
index 6465ab0e..75517156 100644
--- a/include/tests_malware
+++ b/include/tests_malware
@@ -5,8 +5,8 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com), The Netherlands
-# Web site: http://cisofy.com
+# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@@ -23,7 +23,9 @@
#################################################################################
#
CLAMD_RUNNING=0
+ MCAFEE_SCANNER_RUNNING=0
MALWARE_SCANNER_INSTALLED=0
+ SOPHOS_SCANNER_RUNNING=0
#
#################################################################################
#
@@ -45,7 +47,7 @@
#################################################################################
#
# Test : MALW-3276
- # Description : Check for installed tool (Rootkit Hunter)
+ # Description : Check for installed tool (Rootkit Hunter)
Register --test-no MALW-3276 --weight L --network NO --description "Check for Rootkit Hunter"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: checking presence Rootkit Hunter"
@@ -66,27 +68,36 @@
Register --test-no MALW-3280 --weight L --network NO --description "Check if anti-virus tool is installed"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
- MCAFEE_RUNNING=0
logtext "Test: checking process cma or cmdagent (McAfee)"
# cma is too generic to match on, so we want to ensure that it is related to McAfee first
if [ -x /opt/McAfee/cma/bin/cma ]; then
IsRunning cma
- if [ ${RUNNING} -eq 1 ]; then MCAFEE_RUNNING=1; fi
+ if [ ${RUNNING} -eq 1 ]; then MCAFEE_SCANNER_RUNNING=1; fi
else
IsRunning cmdagent
- if [ ${RUNNING} -eq 1 ]; then MCAFEE_RUNNING=1; fi
+ if [ ${RUNNING} -eq 1 ]; then MCAFEE_SCANNER_RUNNING=1; fi
fi
- if [ ${MCAFEE_RUNNING} -eq 1 ]; then
+ if [ ${MCAFEE_SCANNER_RUNNING} -eq 1 ]; then
FOUND=1
Display --indent 2 --text "- Checking McAfee" --result "FOUND" --color GREEN
logtext "Result: Found McAfee"
MALWARE_SCANNER_INSTALLED=1
AddHP 2 2
fi
+ # Sophos savscand/SophosScanD
+ logtext "Test: checking process savscand"
+ IsRunning savscand
+ if [ ${RUNNING} -eq 1 ]; then
+ FOUND=1
+ SOPHOS_SCANNER_RUNNING=1;
+ fi
logtext "Test: checking process SophosScanD"
IsRunning SophosScanD
if [ ${RUNNING} -eq 1 ]; then
FOUND=1
+ SOPHOS_SCANNER_RUNNING=1;
+ fi
+ if [ ${SOPHOS_SCANNER_RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking Sophos" --result "FOUND" --color GREEN
logtext "Result: Found Sophos"
MALWARE_SCANNER_INSTALLED=1
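Review bot: the two `SOPHOS_SCANNER_RUNNING=1;` assignments carry trailing semicolons that no other assignment in this file uses; drop them. The rename of MCAFEE_RUNNING to MCAFEE_SCANNER_RUNNING (and the new initialisation in the earlier hunk) must be mirrored in any report line that still uses the old name, which this diff does not show.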
@@ -114,7 +125,6 @@
logtext "Result: clamscan couldn't be found"
fi
fi
-
#
#################################################################################
#
@@ -156,26 +166,20 @@
#
#################################################################################
#
-# Test : MALW-3288
-# Description : Check for ClamXav (Mac OS X)
-#
-#################################################################################
-#
- Register --test-no MALW-3288 --weight L --network NO --description "Check for ClamXav"
+ # Test : MALW-3288
+ # Description : Check for ClamXav (Mac OS X)
+ if [ -d /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no MALW-3288 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for ClamXav"
if [ ${SKIPTEST} -eq 0 ]; then
- if [ -d /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ ]; then
- CLAMSCANBINARY=`ls /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | grep 'clamscan'`
- if [ ! "${CLAMSCANBINARY}" = "" ]; then
- logtext "Result: Found ClamXav clamscan installed"
- Display --indent 2 --text "- Checking presence of ClamXav AV scanner" --result "FOUND" --color GREEN
- MALWARE_SCANNER_INSTALLED=1
- AddHP 3 3
- else
- logtext "Result: ClamXav malware scanner not found"
- AddHP 0 3
- fi
+ CLAMSCANBINARY=`ls /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | grep 'clamscan'`
+ if [ ! "${CLAMSCANBINARY}" = "" ]; then
+ logtext "Result: Found ClamXav clamscan installed"
+ Display --indent 2 --text "- Checking presence of ClamXav AV scanner" --result "FOUND" --color GREEN
+ MALWARE_SCANNER_INSTALLED=1
+ AddHP 3 3
else
- logtext "Result: could not find ClamXav location"
+ logtext "Result: ClamXav malware scanner not found"
+ AddHP 0 3
fi
fi
#
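Review bot: the `-d /Applications/ClamXav.app/...` check now runs on every platform before Register, so non-Mac systems record this test as "prerequisites not met"; the FIRE-4530 test in this same patch restricts itself with `--os FreeBSD`, and the same `--os` restriction here would make the skip reason accurate. The pipeline `ls ... | grep 'clamscan'` is unchanged, but the directory it lists is the same one just tested, so the PREQS_MET branch could simply check for the clamscan file directly.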
@@ -186,28 +190,6 @@
#
#################################################################################
#
- # Test : MALW-3292
- # Description : Check if at least one malware scanner is installed
-# Register --test-no MALW-3292 --weight L --network NO --description "Check for at least one malware scanner"
-# if [ ${SKIPTEST} -eq 0 ]; then
-# if [ ${MALWARE_SCANNER_INSTALLED} -eq 1 ]; then
-# logtext "Result: At least one malware scanner is installed"
-# Display --indent 2 --text "- Checking presence malware scanner" --result "FOUND" --color GREEN
-# #AddHP 3 3
-# else
-# logtext "Result: No malware scanners found"
-# Display --indent 2 --text "- Checking presence malware scanner" --result "NOT FOUND" --color YELLOW
-# ReportSuggestion ${TEST_NO} "Install at least one malware scanner to perform periodic integrity tests on the system"
-# #AddHP 0 3
-# fi
-# fi
-#
-#################################################################################
-#
-# Other projects: maldetect (rfxn)
-#
-#################################################################################
-#
report "malware_scanner_installed=${MALWARE_SCANNER_INSTALLED}"
diff --git a/include/tests_memory_processes b/include/tests_memory_processes
index 4fa64c1c..b78429db 100644
--- a/include/tests_memory_processes
+++ b/include/tests_memory_processes
@@ -5,8 +5,8 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@@ -64,7 +64,7 @@
#
# Test : PROC-3612
# Description : Searching for dead and zombie processes
- # Notes : Don't perform test on Solaris
+ # Notes : Don't perform test on Solaris
if [ ! "${OS}" = "Solaris" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PROC-3612 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check dead or zombie processes"
if [ ${SKIPTEST} -eq 0 ]; then
@@ -111,22 +111,9 @@
#
#################################################################################
#
- # Ubuntu test: dead processes
- # who -d
-#
-#################################################################################
-#
- # Test : PROC-3624
- # Description : Check shared memory (ipcs -m)
- # Notes : if it's empty, check /dev/shm and warn if any files are left behind
- #Register --test-no PROC-3614 --os Linux --weight L --network NO --description "Check shared memory"
- #if [ ${SKIPTEST} -eq 0 ]; then
-#
-#################################################################################
-#
wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
+# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_nameservices b/include/tests_nameservices
index 38782a8b..5131364b 100644
--- a/include/tests_nameservices
+++ b/include/tests_nameservices
@@ -5,8 +5,8 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@@ -30,6 +30,7 @@
POWERDNS_AUTH_CONFIG_LOCATION=""
POWERDNS_AUTH_MASTER=0
POWERDNS_AUTH_SLAVE=0
+ UNBOUND_CONFIG_OK=0
YPBIND_RUNNING=0
#
#################################################################################
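Review bot: `UNBOUND_CONFIG_OK=0` is initialised here, but `UNBOUND_RUNNING` and `NAME_CACHE_USED`, which the later hunk in this file assigns and tests (`if [ ${UNBOUND_RUNNING} -eq 1 ]` before NAME-4036), are not; unless they are set elsewhere, `[ -eq 1 ]` on an unset value fails with a unary-operator error under sh whenever unbound is not running. Add both to this initialisation list.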
@@ -93,7 +94,7 @@
# Check amount of search domains (max 1)
FIND=`cat /etc/resolv.conf | grep "^search" | wc -l | tr -s ' ' | tr -d ' '`
if [ ! "${FIND}" = "0" -a ! "${FIND}" = "1" ]; then
- logtext "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)"
+ logtext "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)"
Display --indent 4 --text "- Checking search domains lines" --result "CONFIG ERROR" --color YELLOW
ReportWarning ${TEST_NO} "L" "Found more than 1 search lines in /etc/resolv.conf, which is probably a misconfiguration"
else
@@ -228,12 +229,57 @@
logtext "Test: checking nscd status"
IsRunning nscd
if [ ${RUNNING} -eq 1 ]; then
+ NAME_CACHE_USED=1
logtext "Result: nscd is running"
Display --indent 2 --text "- Checking nscd status" --result RUNNING --color GREEN
else
logtext "Result: nscd is not running"
Display --indent 2 --text "- Checking nscd status" --result "NOT FOUND" --color WHITE
- #YYY show performance suggestion if LDAP is used
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : NAME-4034
+ # Description : Check name service caching daemon (Unbound) status
+ Register --test-no NAME-4034 --weight L --network NO --description "Check Unbound status"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: checking Unbound (unbound) status"
+ IsRunning unbound
+ if [ ${RUNNING} -eq 1 ]; then
+ UNBOUND_RUNNING=1
+ NAME_CACHE_USED=1
+ logtext "Result: Unbound daemon is running"
+ Display --indent 2 --text "- Checking Unbound status" --result RUNNING --color GREEN
+ else
+ logtext "Result: Unbound daemon is not running"
+ Display --indent 2 --text "- Checking Unbound status" --result "NOT FOUND" --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : NAME-4036
+ # Description : Checking Unbound configuration file
+ if [ ${UNBOUND_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no NAME-4036 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Unbound configuration file"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FIND=`which unbound-checkconf`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Test: running unbound-checkconf"
+ # Don't capture any output, just gather exit code (0 is fine, otherwise bad)
+ FIND=`unbound-checkconf > /dev/null 2>&1`
+ if [ $? -eq 0 ]; then
+ UNBOUND_CONFIG_OK=1
+ logtext "Result: Configuration is fine"
+ Display --indent 2 --text "- Checking configuration file" --result OK --color GREEN
+ else
+ logtext "Result: Unbound daemon is not running"
+ Display --indent 2 --text "- Checking configuration file" --result "NOT OK" --color YELLOW
+ ReportWarning "${TEST_NO}" "L" "Found Unbound configuration file issues (run unbound-checkconf)"
+ fi
+ else
+ logtext "Result: skipped, can't find unbound-checkconf utility"
fi
fi
#
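Review bot: the failure branch of NAME-4036 logs the wrong result: when unbound-checkconf exits non-zero the code writes `logtext "Result: Unbound daemon is not running"`, copied from NAME-4034, although this test only runs when the daemon is running; make it say that unbound-checkconf reported configuration errors. Two smaller points: `FIND=\`unbound-checkconf > /dev/null 2>&1\`` assigns an empty string to FIND only to read `$?`, so just run the command and test its exit status directly; and the description "name service caching daemon (Unbound)" is inaccurate, Unbound is a validating recursive resolver with a cache, not an nscd-style name service cache.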
@@ -263,7 +309,6 @@
Register --test-no NAME-4204 --preqs-met ${PREQS_MET} --weight L --network NO --description "Search BIND configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Search BIND configuration file"
- #YYY add chrooted environments
for I in ${BIND_CONFIG_LOCS}; do
if [ -f ${I}/named.conf ]; then
BIND_CONFIG_LOCATION="${I}/named.conf"
@@ -377,7 +422,6 @@
Register --test-no NAME-4232 --preqs-met ${PREQS_MET} --weight L --network NO --description "Search PowerDNS configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Search PowerDNS configuration file"
- #YYY add chrooted environments
for I in ${POWERDNS_CONFIG_LOCS}; do
if [ -f ${I}/pdns.conf ]; then
POWERDNS_AUTH_CONFIG_LOCATION="${I}/pdns.conf"
@@ -522,7 +566,7 @@
fi
fi
# Check if we found any NIS domain
- if [ ! "${NISDOMAIN}" = "" ]; then
+ if [ ! "${NISDOMAIN}" = "" ]; then
logtext "Found NIS domain: ${NISDOMAIN}"
report "nisdomain=${NISDOMAIN}"
Display --indent 4 --text "- Checking NIS domain" --result "FOUND" --color GREEN
@@ -569,7 +613,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Check /etc/hosts contains an entry for this server name"
if [ -f /etc/hosts ]; then
- sFIND=`cat /etc/hosts | egrep -v '^(#|$|::1|localhost)' | grep ${HOSTNAME}`
+ sFIND=`cat /etc/hosts | egrep -v '^(#|$|^::1\s|localhost)' | grep ${HOSTNAME}`
if [ "${sFIND}" != "" ]; then
logtext "Result: Found entry for ${HOSTNAME} in /etc/hosts"
Display --indent 4 --text "- Checking /etc/hosts (hostname)" --result OK --color GREEN
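Review bot: `\s` in `'^(#|$|^::1\s|localhost)'` is a GNU grep extension; on the BSD, Solaris and AIX egrep implementations Lynis also runs on it may be treated as a literal "s", so the ::1 line is no longer excluded there. Use `[[:space:]]` instead, and drop the inner `^` before `::1`, which is redundant because the whole group is already anchored. Also, `grep ${HOSTNAME}` is unquoted and unanchored, so a host named "db" also matches a "db-backup" entry; `grep -w "${HOSTNAME}"`, as NAME-4406 below now does, would be consistent.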
@@ -590,7 +634,7 @@
Register --test-no NAME-4406 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check server hostname mapping"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Check server hostname not locally mapped in /etc/hosts"
- sFIND=`cat /etc/hosts | egrep -v '^(#|$)' | egrep '(localhost|::1)' | grep ${HOSTNAME}`
+ sFIND=`cat /etc/hosts | egrep -v '^(#|$)' | egrep '(localhost|^::1\s)' | grep -w ${HOSTNAME}`
if [ ! "${sFIND}" = "" ]; then
logtext "Result: Found this server hostname mapped to a local address"
Display --indent 4 --text "- Checking /etc/hosts (localhost)" --result SUGGESTION --color YELLOW
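Review bot: same portability problem as in NAME-4404: `^::1\s` relies on the GNU-only `\s` class, use `[[:space:]]`. Adding `-w` is the right fix for substring matches on the hostname, but with an unquoted `${HOSTNAME}` the dots of an FQDN are still regex wildcards; quote the variable and consider `grep -F -w "${HOSTNAME}"` so the name is matched literally.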
@@ -605,8 +649,9 @@
#################################################################################
#
+report ="name_cache_used=${NAME_CACHE_USED}"
wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015 Michael Boelen, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
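Review bot: `report ="name_cache_used=${NAME_CACHE_USED}"` has a space between `report` and `=`, so the shell calls the report function with the argument `=name_cache_used=...` and writes a line starting with `=` into the report file instead of the intended key. Remove the space: `report "name_cache_used=${NAME_CACHE_USED}"`. Also make sure NAME_CACHE_USED is initialised to 0 near the other variables at the top of this file, otherwise the value is empty whenever neither nscd nor Unbound is running.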
diff --git a/include/tests_networking b/include/tests_networking
index ac0d3c43..469a22f4 100644
--- a/include/tests_networking
+++ b/include/tests_networking
@@ -5,8 +5,8 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@@ -29,7 +29,7 @@
#
#################################################################################
#
- # Test : NETW-2704 (YYY move to nameservices section)
+ # Test : NETW-2704
# Description : Basic nameserver configuration tests (connectivity)
Register --test-no NETW-2704 --weight L --network YES --description "Basic nameserver configuration tests"
if [ ${SKIPTEST} -eq 0 ]; then
@@ -44,7 +44,7 @@
for I in ${FIND}; do
logtext "Found nameserver: ${I}"
report "nameserver[]=${I}"
- # Check if a local resolver is available (like DNSMasq)
+ # Check if a local resolver is available (like DNSMasq)
if [ "${I}" = "::1" -o "${I}" = "127.0.0.1" -o "${I}" = "0.0.0.0" ]; then
LOCAL_DNSRESOLVER_FOUND=1
fi
@@ -200,7 +200,7 @@
case ${OS} in
AIX)
FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet") print $2 }'`
- # IPv6 support in AIX? (YYY)
+ FIND2=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet6") print $2 }'`
;;
DragonFly|FreeBSD|NetBSD)
FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet") print $2 }'`
@@ -447,16 +447,17 @@
# Test : NETW-3028
# Description : Checking for many waiting connections
# Type : Performance
+ # Notes : It is common to see a healthy web server seeing to have several thousands of TCP connections in WAIT state
if [ ! "${NETSTATBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no NETW-3028 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking connections in WAIT state"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Using netstat for check for connections in WAIT state"
FIND=`${NETSTATBINARY} -an | grep WAIT | wc -l | awk '{ print $1 }'`
- if [ "${OPTIONS_CONN_MAX_WAIT_STATE}" = "" ]; then OPTIONS_CONN_MAX_WAIT_STATE="100"; fi
+ if [ "${OPTIONS_CONN_MAX_WAIT_STATE}" = "" ]; then OPTIONS_CONN_MAX_WAIT_STATE="5000"; fi
logtext "Result: currently ${FIND} connections are in a waiting state (max configured: ${OPTIONS_CONN_MAX_WAIT_STATE})."
if [ ${FIND} -gt ${OPTIONS_CONN_MAX_WAIT_STATE} ]; then
Display --indent 2 --text "- Checking waiting connections" --result WARNING --color YELLOW
- ReportWarning ${TEST_NO} "H" "Found too much connections in WAIT state (${FIND})"
+ ReportSuggestion "${TEST_NO}" "Determine why system has many connections in WAIT state (${FIND})"
else
Display --indent 2 --text "- Checking waiting connections" --result OK --color GREEN
logtext "Result: ${FIND} connections are in WAIT state"
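Review bot: raising the default from 100 to 5000 and downgrading the result from a high-severity warning to a suggestion is reasonable, but the count still comes from `grep WAIT`, which lumps TIME_WAIT (normal on a busy server) together with CLOSE_WAIT and FIN_WAIT2, where a large number usually points at an application that does not close its sockets; counting TIME_WAIT separately from the other states would keep the useful signal. The added Notes line also needs a grammar fix: "seeing to have several thousands of TCP connections" should read "having several thousand TCP connections".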
@@ -472,8 +473,6 @@
IsRunning dhclient
if [ ${RUNNING} -eq 1 ]; then
Display --indent 2 --text "- Checking status DHCP client" --result RUNNING --color WHITE
- #YYY report if system type is server, that it is running with DHCP client, might be a badly configured machine
- #report "manual[]=System is running DHCP client"
DHCP_CLIENT_RUNNING=1
else
Display --indent 2 --text "- Checking status DHCP client" --result "NOT ACTIVE" --color WHITE
@@ -482,24 +481,10 @@
#
#################################################################################
#
- # Test : NETW-3060
- # Description : Check if IPv6 is configured AND used
- # /etc/modprobe.d (add 'install ipv6 /bin/true' if IPv6 isn't used)
- # or
- # aliased (/etc/modprobe.d/aliases?): alias net-pf-10 off ipv6 (to disable)
- #Register --test-no NETW-3060 --weight L --network NO --description "Checking IPv6 connectivity"
- #if [ ${SKIPTEST} -eq 0 ]; then
-#
-#################################################################################
-#
-# Linux: net.ipv4.ip_always_defrag
-#
-#################################################################################
-#
report "dhcp_client_running=${DHCP_CLIENT_RUNNING}"
wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
+# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_php b/include/tests_php
index 8a7db951..d4e842c8 100644
--- a/include/tests_php
+++ b/include/tests_php
@@ -5,8 +5,8 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@@ -252,37 +252,13 @@
logtext "Result: Found 'allow_url_include' in disabled state (0, no, or off)"
AddHP 2 2
fi
- #YYY Check through all files
fi
#
#################################################################################
#
-# Disable/use functions:
-# safe_mode (only for PHP5?)
-# open_basedir (limits access to defined directory, comparable with chrooting)
-# disable_classes
-# session.save_path
-# session.referer_check
-# upload_tmp_dir
-# file_uploads Off, if possible
-# Set display_errors to Off
-# Set log_errors to On and define error_log (with value Syslog or a filename)
-#
-#################################################################################
-#
- # mod_suexec
- # suPHP (/etc/suphp.conf)
-#
-#################################################################################
-#
- # Test : PHP-2388
- # Description : Check php version number
-#
-#################################################################################
-#
wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
+# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
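Review bot: the removed block lists PHP hardening checks that were never implemented (open_basedir, disable_classes, file_uploads, display_errors Off, log_errors On with error_log) and none of them is added in this change. Dropping the list from the source is fine, but please track them in the issue tracker, since display_errors and log_errors in particular are low-effort checks that belong next to the existing allow_url_include test.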
diff --git a/include/tests_ports_packages b/include/tests_ports_packages
index 30d67f85..c21db924 100644
--- a/include/tests_ports_packages
+++ b/include/tests_ports_packages
@@ -5,8 +5,8 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@@ -79,35 +79,6 @@
#
#################################################################################
#
-# Temporary disabled due false positives
-# Packages like docbook, gcc, automake report multiple installed versions
-# # Test : PKGS-7303
-# # Description : Query FreeBSD pkg_info
-# if [ -x /usr/sbin/pkg_info ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
-# Register --test-no PKGS-7303 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query FreeBSD for double installed packages"
-# if [ ${SKIPTEST} -eq 0 ]; then
-# SDOUBLEINSTALLED=`pkg_info | sort | sed -e 's/-[0-9].*$//' | uniq -c | grep -v '^[[:space:]]*1' | tr -s ' ' | cut -d ' ' -f3`
-# if [ "${SDOUBLEINSTALLED}" = "" ]; then
-# Display --indent 6 --text "- Querying pkg_info for double installed packages" --result OK --color GREEN
-# logtext "Ok, no packages show up twice or more in the package listing."
-# else
-# Display --indent 6 --text "- Querying pkg_info for double installed packages" --result WARNING --color RED
-# for J in ${SDOUBLEINSTALLED}; do
-# ReportWarning ${TEST_NO} "M" "Found probably incorrect installed package (${J})"
-# logtext "This package ${J} is visible twice or more in the pkg_info listing."
-# ReportSuggestion ${TEST_NO} "(FreeBSD) run pkgdb -F and check this manually."
-# ReportSuggestion ${TEST_NO} "(OpenBSD) check dependencies to see if one of the double "
-# logtext "installed packages is unneeded."
-# report "double_installed_package[]=${J}"
-# done
-# fi
-# else
-# Display --indent 4 --text "- Searching pkg_info" --result "NOT FOUND" --color WHITE
-# logtext "Result: pkg_info can NOT be found on this system"
-# fi
-#
-#################################################################################
-#
# Test : PKGS-7304
# Description : Gentoo packages
if [ -x /usr/bin/emerge -a -x /usr/bin/equery ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
@@ -152,7 +123,6 @@
logtext "Result: pkginfo can NOT be found on this system"
fi
#
-#
#################################################################################
#
# Test : PKGS-7308
@@ -202,7 +172,6 @@
if [ "${SPACKAGES}" = "" ]; then
logtext "Result: pacman binary available, but package list seems to be empty"
logtext "Info: looks like the pacman binary is installed, but not used for package installation"
- #YYY ReportException?
else
for J in ${SPACKAGES}; do
N=`expr ${N} + 1`
@@ -380,7 +349,7 @@
fi
#
#################################################################################
-
+#
# Test : PKGS-7348
# Description : Show unneeded distfiles if present
# Notes : Portsclean seems to be gone from the ports, so no suggestion or warning is
@@ -403,8 +372,66 @@
#
#################################################################################
#
+ # Test : PKGS-7366
+ # Description : Checking if debsecan is installed and enabled on Debian systems
+ if [ ! "${DEBSECANBINARY}" = "" -a "${OS}" = "Linux" -a "${LINUX_VERSION}" = "Debian" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no "PKGS-7366" --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking for debsecan utility"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ if [ ! "${DEBSECANBINARY}" = "" ]; then
+ logtext "Result: debsecan utility is installed"
+ Display --indent 4 --text "- debsecan utility" --result "FOUND" --color GREEN
+ AddHP 3 3
+ PACKAGE_AUDIT_TOOL_FOUND=1
+ PACKAGE_AUDIT_TOOL="debsecan"
+ FIND=`find /etc/cron* -name debsecan`
+ if [ ! ${FIND} = "" ]; then
+ logtext "Result: cron job is configured for debsecan"
+ Display --indent 6 --text "- debsecan cron job" --result "FOUND" --color GREEN
+ AddHP 3 3
+ else
+ logtext "Result: no cron job is configured for debsecan"
+ Display --indent 4 --text "- debsecan cron job" --result "NOT FOUND" --color YELLOW
+ AddHP 1 3
+ ReportSuggestion ${TEST_NO} "Check debsecan cron job and ensure it is enabled"
+ fi
+ else
+ logtext "Result: debsecan is not installed."
+ Display --indent 4 --text "- debsecan utility" --result "NOT FOUND" --color YELLOW
+ AddHP 0 2
+ ReportSuggestion ${TEST_NO} "Install debsecan to check for vulnerabilities on installed packages."
+ fi
+ fi
+#
+#################################################################################
+#
# Test : PKGS-7370
- # Description : Check debsums output
+ # Description : Checking debsums installation status and presence in cron job
+ # Note : Run this only when it is a DPKG based system
+ if [ ! "${DPKGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no "PKGS-7370" --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking for debsums utility"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ if [ ! "${DEBSUMSBINARY}" = "" ]; then
+ logtext "Result: debsums utility is installed"
+ Display --indent 4 --text "- debsums utility" --result "FOUND" --color GREEN
+ AddHP 1 1
+ # Check in /etc/cron.hourly, daily, weekly, monthly etc
+ COUNT=`find /etc/cron* -name debsums | wc -l`
+ if [ ${COUNT} -gt 0 ]; then
+ logtext "Result: Cron job is configured for debsums utility."
+ Display --indent 6 --text "- Cron job for debsums" --result "FOUND" --color GREEN
+ AddHP 3 3
+ else
+ logtext "Result: Cron job is not configured for debsums utility."
+ Display --indent 6 --text "- Cron job for debsums" --result "NOT FOUND" --color YELLOW
+ AddHP 1 3
+ ReportSuggestion "${TEST_NO}" "Check debsums configuration and enable checking regurlarly via a cron job."
+ fi
+ else
+ logtext "Result: debsums utility is not installed."
+ AddHP 0 2
+ ReportSuggestion ${TEST_NO} "Install debsums utility for the verification of packages with known good database."
+ fi
+ fi
#
#################################################################################
#
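Review bot: in PKGS-7366 the test `if [ ! ${FIND} = "" ]` leaves ${FIND} unquoted; when `find /etc/cron* -name debsecan` returns more than one path (for example both /etc/cron.d/debsecan and /etc/cron.daily/debsecan) `test` fails with "too many arguments", and when it returns nothing the expression degenerates to `[ ! = "" ]`. Quote the variable (`if [ ! "${FIND}" = "" ]`) or use the `wc -l` count that PKGS-7370 in the same hunk already uses. Smaller points: the "NOT FOUND" line for the debsecan cron job uses `--indent 4` while its "FOUND" counterpart uses `--indent 6`; "regurlarly" in the debsums suggestion is a typo; and the debsecan prerequisite requires LINUX_VERSION to be exactly "Debian" while PKGS-7370 keys on DPKGBINARY, so the two tests will disagree on Debian derivatives.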
@@ -482,7 +509,6 @@
if [ "${FIND}" = "" ]; then
logtext "Result: pkg audit results are clean"
Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result NONE --color GREEN
- # Don't check yet, output of found vulnerable packages unclear (YYY)
else
logtext "Result: ${FIND}"
#Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result WARNING --color RED
@@ -834,7 +860,7 @@
SCAN_PERFORMED=0
# Update portage.
# Multiple ways to do this. Some require extra packages to be installed,
- # others require potential firewall ports to be open, outbound. This is the
+ # others require potential firewall ports to be open, outbound. This is the
# "most friendly" way.
logtext "Action: updating portage with emerge-webrsync"
/usr/bin/emerge-webrsync --quiet 2> /dev/null
@@ -933,9 +959,30 @@
#
#################################################################################
#
-# check for popularity-contest (Debian/Ubuntu)
-# check for yum-changelog
-
+ # Test : PKGS-7410
+ # Description : Count number of installed kernel packages
+ Register --test-no PKGS-7410 --weight L --network NO --description "Count installed kernel packages"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ KERNELS=0
+ if [ ! "${RPMBINARY}" = "" ]; then
+ logtext "Test: Checking how many kernel packages are installed"
+ KERNELS=`rpm -q kernel 2> /dev/null | wc -l`
+ if [ ${KERNELS} -eq 0 ]; then
+ logtext "Result: found no kernels from rpm -q kernel output, which is unexpected"
+ ReportException "KRNL-5840:1" "Could not find any kernel packages from RPM output"
+ elif [ ${KERNELS} -gt 5 ]; then
+ logtext "Result: found more than 5 kernel packages on the system, which might indicate lack of regular cleanups"
+ ReportSuggestion "${TEST_NO}" "Remove any unneeded kernel packages with package-cleanup utility (--old-kernels)"
+ AddHP 4 5
+ else
+ logtext "Result: found ${KERNELS} on the system, which is fine"
+ AddHP 1 1
+ fi
+ fi
+ fi
+#
+#################################################################################
+#
if [ ! "${INSTALLED_PACKAGES}" = "" ]; then
report "installed_packages_array=${INSTALLED_PACKAGES}"
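Review bot: the exception in PKGS-7410 is reported as "KRNL-5840:1", the identifier of a different test; use "${TEST_NO}:1" so it is attributed to PKGS-7410. Also, `rpm -q kernel 2> /dev/null | wc -l` never yields 0 on a system without a package literally named "kernel": rpm prints "package kernel is not installed" on stdout, so the count is 1 and the `-eq 0` branch is unreachable, while distributions that name the package differently (kernel-core, kernel-default) are silently scored as having one kernel. Check rpm's exit status (or `rpm -q --quiet`) before counting lines, and call ${RPMBINARY} rather than a bare `rpm`, since that is what the prerequisite tested. The log line "found ${KERNELS} on the system" is also missing the words "kernel packages".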
@@ -949,4 +996,4 @@ wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015 Michael Boelen, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_printers_spools b/include/tests_printers_spools
index 5d35ba3d..ec64bc11 100644
--- a/include/tests_printers_spools
+++ b/include/tests_printers_spools
@@ -293,4 +293,4 @@ wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
+# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_scheduling b/include/tests_scheduling
index 176da013..1b5e23f0 100644
--- a/include/tests_scheduling
+++ b/include/tests_scheduling
@@ -5,8 +5,8 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@@ -139,16 +139,16 @@
# Description : Check atd status
Register --test-no SCHD-7718 --weight L --network NO --description "Check at users"
if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: Checking atd status"
- FIND=`${PSBINARY} ax | grep "/atd" | grep -v "grep"`
- if [ ! "${FIND}" = "" ]; then
- logtext "Result: at daemon active"
- Display --indent 2 --text "- Checking atd status" --result RUNNING --color GREEN
- ATD_RUNNING=1
- else
- logtext "Result: at daemon not active"
- Display --indent 2 --text "- Checking atd status" --result "NOT RUNNING" --color WHITE
- fi
+ logtext "Test: Checking atd status"
+ FIND=`${PSBINARY} ax | grep "/atd" | grep -v "grep"`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: at daemon active"
+ Display --indent 2 --text "- Checking atd status" --result RUNNING --color GREEN
+ ATD_RUNNING=1
+ else
+ logtext "Result: at daemon not active"
+ Display --indent 2 --text "- Checking atd status" --result "NOT RUNNING" --color WHITE
+ fi
fi
#
#################################################################################
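Review bot: since this block is being touched anyway, the atd detection `${PSBINARY} ax | grep "/atd" | grep -v "grep"` could use the IsRunning helper that the nscd and Unbound tests in tests_nameservices rely on, so process detection lives in one place; the re-indentation itself looks fine.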
@@ -247,4 +247,4 @@ wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
+# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_shells b/include/tests_shells
index cf406602..1f1cdc21 100644
--- a/include/tests_shells
+++ b/include/tests_shells
@@ -57,19 +57,12 @@
logtext "Output /etc/ttys:"
logtext "${FIND}"
ReportWarning ${TEST_NO} "M" "Found unprotected console in /etc/ttys"
- #ReportSuggestion ${TEST_NO} "Change the console line from 'secure' to 'insecure'."
+ logtext "Possible solution: Change the console line from 'secure' to 'insecure'."
fi
fi
#
#################################################################################
#
- # Test : SHLL-6214
- # Description : check for idle session killing tools (timeoutd)
-
-
-#
-#################################################################################
-#
# Test : SHLL-6211
# Description : which shells are available according /etc/shells
Register --test-no SHLL-6211 --weight L --network NO --description "Checking available and valid shells"
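Review bot: the remediation for an unprotected console now only goes to the log (`logtext "Possible solution: Change the console line from 'secure' to 'insecure'."`), so a user who sees the warning in the report gets no hint of the fix. Since a ReportWarning is already emitted here, surface the advice as a ReportSuggestion as well, and keep the log line if it is wanted in the log too.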
@@ -221,40 +214,55 @@
#
#################################################################################
#
- # Test : SHLL-6236
- # Description : Check /etc/profile
-#
-#################################################################################
-#
-
- # Test : SHLL-6240
- # Description : Check default umask
-# Register --test-no SHLL-6240 --weight L --network NO --description "Check default umask"
-# if [ ${SKIPTEST} -eq 0 ]; then
-# logtext "Test: Checking /etc/profile"
-# if [ -f /etc/profile ]; then
-# FIND=`grep "^umask" | awk '{ print $2 }'`
-# if [ "${FIND}" = "" ]; then
-# logtext "Result: xxx"
-# Display --indent 2 --text "- Checking default umask" --result OK --color GREEN
-# else
-# logtext "Result: xxx"
-# Display --indent 2 --text "- Checking default umask" --result WARNING --color RED
-# #ReportWarning ${TEST_NO} "M" "xxx"
-# #ReportSuggestion ${TEST_NO} "xxx"
-# fi
-# fi
-# fi
-#
-#################################################################################
-#
- # Test : SHLL-6250
- # Description : Check /etc/bash.bashrc
-# Register --test-no SHLL-6250 --weight L --network NO --description "Check default umask"
-# if [ ${SKIPTEST} -eq 0 ]; then
-#
-#################################################################################
-#
+ # Test : SHLL-6230
+ # Description : Check for umask values in shell configurations
+ SHELL_CONFIG_FILES="/etc/bashrc /etc/bash.bashrc /etc/csh.cshrc /etc/profile"
+ Register --test-no SHLL-6230 --weight H --network NO --description "Perform umask check for shell configurations"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FOUND=0
+ HARDENING_POSSIBLE=0
+ Display --indent 2 --text "- Checking default umask values"
+ for FILE in ${SHELL_CONFIG_FILES}; do
+ FIND=""
+ if [ -f ${FILE} ]; then
+ logtext "Result: file ${FILE} exists"
+ FOUND=1
+ FIND=`grep umask ${FILE} | sed 's/^[ \t]*//g' | sed 's/#.*$//' | grep -v "^$" | awk '{ print $2 }'`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: did not find umask configured in ${FILE}"
+ Display --indent 4 --text "- Checking default umask in ${FILE}" --result NONE --color YELLOW
+ else
+ for UMASKVALUE in ${FIND}; do
+ logtext "Result: found umask ${UMASKVALUE} in ${FILE}"
+ case ${UMASKVALUE} in
+ 027|0027|077|0077)
+ logtext "Result: umask ${UMASKVALUE} is considered a properly hardened value"
+ ;;
+ *)
+ logtext "Result: umask ${UMASKVALUE} can be hardened "
+ HARDENING_POSSIBLE=1
+ ;;
+ esac
+ done
+ if [ ${HARDENING_POSSIBLE} -eq 0 ]; then
+ Display --indent 4 --text "- Checking default umask in ${FILE}" --result OK --color GREEN
+ AddHP 3 3
+ else
+ Display --indent 4 --text "- Checking default umask in ${FILE}" --result WEAK --color YELLOW
+ AddHP 1 3
+ fi
+ fi
+ else
+ logtext "Result: file ${FILE} not found"
+ fi
+ done
+ #if [ ${FOUND} -eq 1 ]; then
+ # if [ ${HARDENING_POSSIBLE} -eq 0 ]; then
+ # logtext "Result: all shell files found, contain a proper umask"
+ # Display --indent 4 --text "- Default umask" --result OK --color GREEN
+ # fi
+ #fi
+ fi
#
#################################################################################
#
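Review bot: HARDENING_POSSIBLE is initialised once before the loop and never reset per file, so once any file contains a weak umask every later file in SHELL_CONFIG_FILES is displayed as WEAK and scored 1/3 even when its own umask is 027 or 077. Reset it inside the loop next to `FIND=""` and keep a separate flag if an overall verdict is wanted for the commented-out summary block. Two smaller points: `grep umask ${FILE} ... | awk '{ print $2 }'` assumes umask is the first word on the line, so a construct such as `[ "$UID" -gt 199 ] && umask 002` yields the wrong field; grepping for `^umask` after the leading-whitespace strip avoids that. And the commented-out summary block at the end should either be finished or removed before merge.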
@@ -395,4 +403,4 @@ wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, CISOfy & Michael Boelen - http://cisofy.com - The Netherlands
+# Lynis - Copyright 2007-2015, CISOfy - http://cisofy.com
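Review bot: this footer now reads "CISOfy - http://cisofy.com" while every other footer in this change reads "Michael Boelen, CISOfy - https://cisofy.com"; align the wording and use the https URL for consistency.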
diff --git a/include/tests_solaris b/include/tests_solaris
index 4b0783af..109bee67 100644
--- a/include/tests_solaris
+++ b/include/tests_solaris
@@ -5,8 +5,8 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com), The Netherlands
-# Web site: http://cisofy.com
+# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@@ -66,4 +66,4 @@ wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
+# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_squid b/include/tests_squid
index 0ce03159..f6277feb 100644
--- a/include/tests_squid
+++ b/include/tests_squid
@@ -104,15 +104,6 @@
#
#################################################################################
#
-# # Test : SQD-3608
-# # Description : Check Squid build options
-# if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
-# Register --test-no SQD-3608 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid version"
-# if [ ${SKIPTEST} -eq 0 ]; then
-# fi
-#
-#################################################################################
-#
# Test : SQD-3610
# Description : Check Squid configuration options
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
@@ -130,15 +121,6 @@
#
#################################################################################
#
-# # Test : SQD-3612
-# # Description : Check Squid additional configuration files
-# if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
-# Register --test-no SQD-3612 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check additional Squid configuration files"
-# if [ ${SKIPTEST} -eq 0 ]; then
-# fi
-#
-#################################################################################
-#
# Test : SQD-3613
# Description : Check Squid configuration options
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
@@ -265,7 +247,7 @@
#SQUID_DAEMON_UNSAFE_PORTS_LIST
for I in ${SQUID_DAEMON_UNSAFE_PORTS_LIST}; do
logtext "Test: Checking port ${I} in Safe_ports list"
- FIND2=`grep "^acl Safe_ports port ${I}" ${SQUID_DAEMON_CONFIG}`
+ FIND2=`grep -w "^acl Safe_ports port ${I}" ${SQUID_DAEMON_CONFIG}`
if [ "${FIND2}" = "" ]; then
Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})" --result "NOT FOUND" --color GREEN
AddHP 1 1
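Review bot: adding `-w` correctly stops `port 8` from matching `port 80`, but the pattern `^acl Safe_ports port ${I}` still misses ports declared as a range (`acl Safe_ports port 1025-65535`) or several per line (`acl Safe_ports port 21 70 80`), so a port that such a line does allow is reported as "NOT FOUND" and scored as safe with AddHP 1 1. If the intent is to catch unsafe ports in the Safe_ports ACL, the check needs to read all Safe_ports lines and expand ranges rather than grep for one literal.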
@@ -315,7 +297,6 @@
#
#################################################################################
#
-
# Test : SQD-3680
# Description : Check httpd_suppress_version_string
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
@@ -338,46 +319,6 @@
#################################################################################
#
-
-# Squid
-#Hardening:
-# $1 $3
-# acl snmp_community
-# acl maxconn
-# acl max_user_ip
-#
-# follow_x_forwarded_for
-#Read cache_peer host type(sibling/parent) proxyport icpport options (if set, icp_access should be set as well)
-#Read cache_peer_domain
-#Read cache_peer_access
-#Read icp_access
-#Read icp_port
-#Read htcp_access
-#Read htcp_port
-#Read http_port
-#Read https_port
-#Read cache_dir
-#Read access_log
-#Read coredump_dir
-#Read quick_abort_min / max /pct
-#
-# Memory tuning
-#Read cache_mem
-#Read maximum_object_size_in_memory
-#Read maximum_object_size
-#Read cache_swap_low
-#Read cache_swap_high
-
-# Security
-#cache_effective_user
-# off
-#forwarded_for
-
-#wccp
-#
-#################################################################################
-#
-
wait_for_keypress
#
diff --git a/include/tests_ssh b/include/tests_ssh
index 15fb599c..303af6b6 100644
--- a/include/tests_ssh
+++ b/include/tests_ssh
@@ -5,8 +5,8 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
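Review bot: the new header line reads "Michael Boelen (michael.boelen@cisofy.com)" whereas the same header in the other files of this change reads "Michael Boelen, CISOfy (michael.boelen@cisofy.com)"; use one form.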
@@ -80,28 +80,6 @@
#
#################################################################################
#
-# # Test : SSH-7406
-# # Description : Check for a running SSH daemon
-# if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
-# Register --test-no SSH-7406 --preqs-met ${PREQS_MET} --weight L --network NO --description "SSH daemon listening port"
-# if [ ${SKIPTEST} -eq 0 ]; then
-# logtext "Test: Searching for a SSH daemon"
-# CheckOption "^Port " ${SSH_DAEMON_CONFIG}
-# if [ ${FOUND} -eq 1 ]; then
-# FIND=`echo ${FIND} | awk '{ if ($1=="Port") { print $2 }}'`
-# # Check if this output is numeric and usuable for later (e.g. in netstat output)
-# Display --indent 2 --text "- Checking SSH listening port" --result FOUND --color GREEN
-# logtext "Result: setting port number to ${FIND}"
-# SSH_DAEMON_PORT="${FIND}"
-# else
-# Display --indent 2 --text "- Checking SSH listening port" --result "NOT FOUND" --color WHITE
-# logtext "Result: setting port to default number, as no other port has been configured"
-# SSH_DAEMON_PORT="22"
-# fi
-# fi
-#
-#################################################################################
-#
# Test : SSH-7408
# Description : Check SSH specific defined options
if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
@@ -203,32 +181,6 @@
#
#################################################################################
#
- # Test : SSH-7418
- # Description : Check SSH Port option
-# if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
-# Register --test-no SSH-7418 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: Port"
-# if [ ${SKIPTEST} -eq 0 ]; then
-# logtext "Test: check allowed SSH protocol versions"
-# FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^Port" | awk '{ if ($2!="22") { print $2 } }'`
-# if [ "${FIND}" = "1" -o "${FIND}" = "2,1" -o "${FIND}" = "1,2" ]; then
-# logtext "Result: Protocol option is set to allow SSH protocol version 1"
-# Display --indent 4 --text "- SSH option: Protocol" --result WARNING --color RED
-# ReportWarning ${TEST_NO} "M" "SSH protocol version 1 is allowed"
-# AddHP 0 3
-# else
-# if [ "${FIND}" = "2" ]; then
-# logtext "Result: only protocol 2 is allowed"
-# Display --indent 4 --text "- SSH option: Protocol" --result OK --color GREEN
-# AddHP 3 3
-# else
-# logtext "Result: value of Protocol is unknown (not defined)"
-# Display --indent 4 --text "- SSH option: Protocol" --result DEFAULT --color WHITE
-# fi
-# fi
-# fi
-#
-#################################################################################
-#
# Test : SSH-7440
# Description : AllowUsers / AllowGroups
# Goal : Check if only a specific amount of users/groups can log in to the system
@@ -269,33 +221,7 @@
#
#################################################################################
#
- # Test : SSH-7464
- # Description : HashKnownHosts
- #if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- #Register --test-no SSH-7464 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: HashKnownHosts"
- #if [ ${SKIPTEST} -eq 0 ]; then
- # /etc/ssh/ssh_config
- # ReportSuggestion ${TEST_NO} "HashKnownHosts option can migitate worm attacks"
- #AddHP 2 2
- #fi
-#
-#################################################################################
-#
- # Test : SSH-7480
- # Description : AllowUsers / AllowGroups
- # Goal : Scan SSH daemon
- #if [ ! ${SSHKEYSCANBINARY} = "" -a ${SSH_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- #Register --test-no SSH-7480 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: AllowUsers and AllowGroups"
- #if [ ${SKIPTEST} -eq 0 ]; then
- # First determine what port the local instance of SSH daemon is running on. If unknown, use port 22
- # FIND=`${SSHKEYSCANBINARY} localhost 2>&1 | grep OpenSSH | egrep -i "bsd|debian|ubuntu|redhat"`
-#
-#################################################################################
-#
- # sshd -T can provide additional insights
-#
-#################################################################################
-#
+
report "ssh_daemon_running=${SSH_DAEMON_RUNNING}"
#report "ssh_daemon_port=${SSH_DAEMON_PORT}"
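Review bot: with the SSH-7406 port-detection stub removed earlier in this file and the `sshd -T` note dropped here, nothing ever sets SSH_DAEMON_PORT, so the remaining `#report "ssh_daemon_port=${SSH_DAEMON_PORT}"` line is dead and should go with the rest of the stubs. If port reporting is still wanted, `sshd -T` (which prints the effective value including the default) is the cleaner source than grepping the config, so that reminder may be worth keeping as a one-line comment next to the report line rather than deleting it.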
@@ -303,4 +229,4 @@ wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
+# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_storage b/include/tests_storage
index a3b59eae..dbae4aca 100644
--- a/include/tests_storage
+++ b/include/tests_storage
@@ -5,8 +5,8 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@@ -33,7 +33,7 @@
if [ -d /etc/modprobe.d ]; then
FIND=`ls /etc/modprobe.d/* 2> /dev/null`
if [ ! "${FIND}" = "" ]; then
- FIND=`grep -r "install usb-storage /bin/true" /etc/modprobe.d/* | grep "usb-storage" | grep -v "#"`
+ FIND=`grep -r "install usb-storage /bin/\(false\|true\)" /etc/modprobe.d/* | grep "usb-storage" | grep -v "#"`
FIND2=`egrep -r "^blacklist (usb_storage|usb-storage)" /etc/modprobe.d/*`
if [ ! "${FIND}" = "" -o ! "${FIND2}" = "" ]; then
FOUND=1
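Review bot: the `+` line `grep "install usb-storage /bin/\(false\|true\)"` relies on `\|` alternation, which is a GNU extension to basic regular expressions and is not guaranteed on the BSD and Solaris greps this file also runs on. The firewire test later in this file uses `egrep "... /bin/(false|true)"`; the same form here would be both portable and consistent. Two smaller points: the trailing `| grep "usb-storage"` is redundant with the pattern, and `grep -v "#"` discards an otherwise valid line that carries a trailing comment, producing a false "not disabled" result.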
@@ -44,7 +44,7 @@
fi
fi
if [ -f /etc/modprobe.conf ]; then
- FIND=`grep "install usb-storage /bin/true" /etc/modprobe.conf | grep "usb-storage" | grep -v "#"`
+ FIND=`grep "install usb-storage /bin/\(false\|true\)" /etc/modprobe.conf | grep "usb-storage" | grep -v "#"`
if [ ! "${FIND}" = "" ]; then
FOUND=1
logtext "Result: found usb-storage driver in disabled state"
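Review bot: same portability concern as the /etc/modprobe.d hunk above: `\|` inside `grep "install usb-storage /bin/\(false\|true\)"` is GNU-specific, and `egrep` with `(false|true)` would match the firewire checks below.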
@@ -66,6 +66,7 @@
#
# Test : STRG-1846
# Description : Check for disabled firewire storage
+ # Explanation : Best option is to use the install function, or else drivers can still be loaded manually
Register --test-no STRG-1846 --os Linux --weight L --network NO --description "Check if firewire storage is disabled"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
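Review bot: the new Explanation line says `install` is the stronger control because a blacklisted driver can still be loaded manually, yet the test body treats `blacklist` (FIND1) and `install ... /bin/false` (FIND2) as equivalent via `if [ ! "${FIND1}" = "" -o ! "${FIND2}" = "" ]; then FOUND=1`. If the distinction is worth documenting, it is worth acting on: a ReportSuggestion when only FIND1 matches would flag blacklist-only setups instead of passing them silently.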
@@ -73,8 +74,8 @@
if [ -d /etc/modprobe.d ]; then
FIND=`ls /etc/modprobe.d/* 2> /dev/null`
if [ ! "${FIND}" = "" ]; then
- FIND1=`egrep "blacklist (ohci1394|firewire-ohci)" /etc/modprobe.d/* | grep "ohci" | grep -v "#"`
- FIND2=`egrep "install (ohci1394|firewire-ohci) /bin/true" /etc/modprobe.d/* | grep "ohci" | grep -v "#"`
+ FIND1=`egrep "blacklist (ohci1394|firewire-ohci|firewire_ohci)" /etc/modprobe.d/* | grep "ohci" | grep -v "#"`
+ FIND2=`egrep "install (ohci1394|firewire-ohci|firewire_ohci) /bin/(false|true)" /etc/modprobe.d/* | grep "ohci" | grep -v "#"`
if [ ! "${FIND1}" = "" -o ! "${FIND2}" = "" ]; then
FOUND=1
logtext "Result: found firewire ohci driver in disabled state"
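Review bot: the extended `(ohci1394|firewire-ohci|firewire_ohci)` patterns are fine, but the chained `| grep "ohci" | grep -v "#"` filters are not: `grep "ohci"` is already implied by the egrep pattern, and `grep -v "#"` drops a matching line that merely has a trailing comment (for example `blacklist firewire-ohci # no FireWire`), so a correctly disabled driver is reported as not disabled. Matching only lines that start with a comment marker (`grep -v "^[[:space:]]*#"`) would avoid that.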
@@ -84,8 +85,8 @@
fi
fi
if [ -f /etc/modprobe.conf ]; then
- FIND1=`egrep -r "blacklist (ohci1394|firewire-ohci)" /etc/modprobe.conf | grep "ohci" | grep -v "#"`
- FIND2=`egrep -r "install (ohci1394|firewire-ohci) /bin/true" /etc/modprobe.conf | grep "ohci" | grep -v "#"`
+ FIND1=`egrep -r "blacklist (ohci1394|firewire-ohci|firewire_ohci)" /etc/modprobe.conf | grep "ohci" | grep -v "#"`
+ FIND2=`egrep -r "install (ohci1394|firewire-ohci|firewire_ohci) /bin/(false|true)" /etc/modprobe.conf | grep "ohci" | grep -v "#"`
if [ ! "${FIND1}" = "" -o ! "${FIND2}" = "" ]; then
FOUND=1
logtext "Result: found firewire ohci driver in disabled state"
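Review bot: same trailing-comment problem as the /etc/modprobe.d hunk above. Also, `egrep -r` on the single file /etc/modprobe.conf is unnecessary (the modprobe.d version omits `-r`), so the two blocks could share one form, or better, one helper that takes the file list as an argument.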
@@ -108,15 +109,8 @@
#################################################################################
#
-# NetBSD: amd (auto mount daemon)
-
-#
-#################################################################################
-#
-
-
wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
+# Lynis - Copyright 2007-2015, CISOfy, Michael Boelen - https://cisofy.com
diff --git a/include/tests_storage_nfs b/include/tests_storage_nfs
index 2de8a8e0..1795aeb6 100644
--- a/include/tests_storage_nfs
+++ b/include/tests_storage_nfs
@@ -5,8 +5,8 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@@ -59,7 +59,7 @@
#
# Test : STRG-1906
# Description : Check nfs protocols (TCP/UDP) and port in rpcinfo
- if [ ! "${RPCINFOBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if [ ! "${RPCINFOBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no STRG-1906 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nfs rpc"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: Checking NFS registered protocols"
@@ -114,7 +114,7 @@
# Description : Check NFS exports
if [ ${NFS_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no STRG-1926 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking NFS exports"
- if [ ${SKIPTEST} -eq 0 ]; then
+ if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: check /etc/exports"
if [ -f /etc/exports ]; then
logtext "Result: /etc/exports exists"
@@ -139,7 +139,7 @@
#
# Test : STRG-1928
# Description : Check for empty exports file while NFS is running
- if [ ${NFS_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if [ ${NFS_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no STRG-1928 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking empty /etc/exports"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ${NFS_EXPORTS_EMPTY} -eq 1 ]; then
@@ -177,4 +177,4 @@ wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
+# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_tcpwrappers b/include/tests_tcpwrappers
deleted file mode 100644
index ca610165..00000000
--- a/include/tests_tcpwrappers
+++ /dev/null
@@ -1,47 +0,0 @@
-#!/bin/sh
-
-#################################################################################
-#
-# Lynis
-# ------------------
-#
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
-#
-# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
-# welcome to redistribute it under the terms of the GNU General Public License.
-# See LICENSE file for usage of this software.
-#
-#################################################################################
-#
-# TCP Wrappers
-# Run after: NFS checks
-#
-#################################################################################
-#
-#
-#################################################################################
-#
-# InsertSection "TCP Wrappers"
-#
-#################################################################################
-#
- # Test : TCPW-xxxx (YYY move to nameservices section)
- # Description : Basic nameserver configuration tests (connectivity)
-# Register --test-no TCPW-xxxx --weight L --network YES --description "Basic nameserver configuration tests"
-# if [ ${SKIPTEST} -eq 0 ]; then
-# Display --indent 2 --text "- Checking configured nameservers"
-# logtext "Test: Checking /etc/resolv.conf file"
-# Display --indent 8 --text "Nameserver: ${I}" --result OK --color GREEN
-# ReportSuggestion ${TEST_NO} "Check connection to this nameserver and make sure no outbound DNS queries are blocked (port 53 UDP and TCP)."
-# ReportWarning ${TEST_NO} "L" "Nameserver ${I} does not respond"
-# fi
-#
-#################################################################################
-#
-
-#wait_for_keypress
-
-#
-#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
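Review bot: deleting include/tests_tcpwrappers is reasonable, since the file only held a commented-out placeholder whose DNS checks were already marked for the nameservices section, but make sure the main script no longer includes or sources it and that the packaging manifests no longer list it, otherwise the include fails at runtime. A CHANGELOG entry for the removal would help downstream packagers.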
diff --git a/include/tests_time b/include/tests_time
index 4e40bace..4184f9b3 100644
--- a/include/tests_time
+++ b/include/tests_time
@@ -5,8 +5,8 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@@ -22,6 +22,7 @@
#
#################################################################################
#
+ CRON_DIRS="/etc/cron.d /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly /var/spool/crontabs"
NTP_DAEMON=""
NTP_DAEMON_RUNNING=0
NTP_CONFIG_FOUND=0
@@ -29,9 +30,8 @@
NTP_CONFIG_TYPE_SCHEDULED=0
NTP_CONFIG_TYPE_EVENTBASED=0
NTP_CONFIG_TYPE_STARTUP=0
- # Specific for ntpd
- NTPD_RUNNING=0
- CRON_DIRS="/etc/cron.d /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly /var/spool/crontabs"
+ NTPD_RUNNING=0 # Specific for ntpd
+ SYSTEMD_NTP_ENABLED=0
#
#################################################################################
#
@@ -46,10 +46,25 @@
fi
Register --test-no TIME-3104 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for running NTP daemon or client"
if [ ${SKIPTEST} -eq 0 ]; then
- # Linux/FreeBSD (ntpdate), OpenBSD (ntpd, rdate)
+ # Linux/FreeBSD (ntpdate), OpenBSD (ntpd, rdate), Chrony, systemd-timesyncd
logtext "Test: Searching for a running NTP daemon or available client"
FOUND=0
+ if [ -f /etc/chrony.conf ]; then
+ IsRunning chronyd
+ if [ ${RUNNING} -eq 1 ]; then
+ FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="chronyd"
+ Display --indent 2 --text "- NTP daemon found: chronyd" --result FOUND --color GREEN
+ fi
+ fi
+
+ # Check time daemon (eg DragonFly BSD)
+ IsRunning dntpd
+ if [ ${RUNNING} -eq 1 ]; then
+ FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="dntpd"
+ Display --indent 2 --text "- NTP daemon found: dntpd" --result FOUND --color GREEN
+ fi
+
# Check running processes
FIND=`${PSBINARY} ax | grep "ntpd" | grep -v "dntpd" | grep -v "grep"`
if [ ! "${FIND}" = "" ]; then
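Review bot: the chronyd detection is gated on `-f /etc/chrony.conf`, but Debian and Ubuntu ship the file as /etc/chrony/chrony.conf, so a running chronyd there is never registered and the test falls through to the ntpd and systemd checks. Since the test is about a running daemon, call `IsRunning chronyd` unconditionally and treat the config path as secondary (or accept both paths). Note also that NTP_DAEMON is overwritten by each later match, so on a host where chronyd and ntpd are both present the reported daemon is whichever check runs last.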
@@ -66,19 +81,18 @@
Display --indent 2 --text "- NTP daemon found: timed" --result FOUND --color GREEN
fi
- # Check time daemon (eg DragonFly BSD)
- IsRunning dntpd
- if [ ${RUNNING} -eq 1 ]; then
- FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="dntpd"
- Display --indent 2 --text "- NTP daemon found: dntpd" --result FOUND --color GREEN
- fi
-
# Check timedate daemon (systemd)
if [ ! "${TIMEDATECTL}" = "" ]; then
FIND=`${TIMEDATECTL} status | grep "NTP enabled: yes"`
if [ ! "${FIND}" = "" ]; then
- FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="timedated"
- Display --indent 2 --text "- NTP daemon found: timedated" --result "FOUND" --color GREEN
+ # Check for systemd-timesyncd
+ if [ -f /etc/systemd/timesyncd.conf ]; then
+ FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="systemd-timesyncd"
+ Display --indent 2 --text "- NTP daemon found: systemd (timesyncd)" --result "FOUND" --color GREEN
+ SYSTEMD_NTP_ENABLED=1
+ fi
+ else
+ logtext "Result: time sychronization not performed according timedatectl command"
fi
fi
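Review bot: `NTP enabled: yes` from timedatectl only says timedated has NTP switched on, and /etc/systemd/timesyncd.conf ships by default with systemd, so `-f /etc/systemd/timesyncd.conf` does not establish that systemd-timesyncd is the service doing the syncing (ntpd or chronyd may be the unit timedated enabled). `IsRunning systemd-timesyncd` would be a firmer basis for SYSTEMD_NTP_ENABLED=1. When "NTP enabled: yes" is present but the file is absent nothing is logged at all, and the else-branch message has two typos: "sychronization" and "according timedatectl" (according to).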
@@ -94,18 +108,14 @@
Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result FOUND --color GREEN
logtext "Result: found ntpdate or rdate reference in crontab file ${I}"
else
- Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "NOT FOUND" --color WHITE
+ #Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "NOT FOUND" --color WHITE
logtext "Result: no ntpdate or rdate reference found in crontab file ${I}"
fi
else
logtext "Result: crontab file ${I} not found"
- fi
+ fi
done
- ##########################
- # To do: test on Solaris #
- ##########################
-
# Don't run check in cron job directory on Solaris
# /etc/cron.d/FIFO is a special file and test get stuck at this file
FOUND_IN_CRON=0
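Review bot: the NOT FOUND `Display` line is commented out rather than removed; elsewhere this merge deletes commented-out code, so for consistency drop it here and in the cron.d hunk below (the logtext already records the negative result).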
@@ -133,11 +143,10 @@
Display --indent 2 --text "- Checking NTP client in cron files" --result FOUND --color GREEN
logtext "Result: found ntpdate or rdate in cron directory"
else
- Display --indent 2 --text "- Checking NTP client in cron.d files" --result "NOT FOUND" --color WHITE
+ #Display --indent 2 --text "- Checking NTP client in cron.d files" --result "NOT FOUND" --color WHITE
logtext "Result: no ntpdate or rdate found in cron directories"
fi
-
# Checking if ntpdate is performed by event
logtext "Test: checking for file /etc/network/if-up.d/ntpdate"
if [ -f /etc/network/if-up.d/ntpdate ]; then
@@ -155,10 +164,12 @@
FIND=`grep 'ntpdate_enable="YES"' /etc/rc.conf`
if [ ! "${FIND}" = "" ]; then
logtext "Result: ntpdate is enabled in rc.conf"
- # Mark system having a NTP client, but remind user to improve it
FOUND=1
NTP_CONFIG_TYPE_STARTUP=1
- ReportSuggestion ${TEST_NO} "Although ntpdate is enabled in rc.conf, it is adviced to run it at least daily or use a NTP daemon"
+ # Only show suggestion when ntpdate is enabled, however ntpd is not running
+ if [ ${NTP_DAEMON_RUNNING} -eq 0 ]; then
+ ReportSuggestion ${TEST_NO} "Although ntpdate is enabled in rc.conf, it is adviced to run it at least daily or use a NTP daemon"
+ fi
else
logtext "Result: ntpdate is not enabled in rc.conf"
fi
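Review bot: gating the ReportSuggestion on `NTP_DAEMON_RUNNING -eq 0` is the right fix, but while touching this block note the typo "adviced" (advised) in the suggestion text, and that `grep 'ntpdate_enable="YES"'` is an exact-string match: rc.conf also accepts `ntpdate_enable=YES` or `"yes"` (rc.subr's checkyesno is case-insensitive), which this check reports as not enabled.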
@@ -182,6 +193,21 @@
#
#################################################################################
#
+ # Test : TIME-3106
+ # Description : Check status of systemd time synchronization
+ if [ ${SYSTEMD_NTP_ENABLED} -eq 1 -a ! "${TIMEDATECTL}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no TIME-3106 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check systemd NTP time synchronization status"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Check the status of time synchronization via timedatectl"
+ FIND=`${TIMEDATECTL} status | grep "NTP sychronized: yes"`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: time not synchronized via NTP"
+ ReportSuggestion "${TEST_NO}" "Check timedatectl output. Sychronization via NTP is enabled, but status reflects it is not synchronized"
+ fi
+ fi
+#
+#################################################################################
+#
# Test : TIME-3112
# Description : Check for valid associations from ntpq peers list
if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
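Review bot: the grep on the `+` line looks for "NTP sychronized: yes", but timedatectl prints "NTP synchronized: yes" (the pattern is missing an "n"), so FIND is always empty and TIME-3106 raises the "not synchronized" suggestion on every host where it runs. Fix the spelling in the grep and in the suggestion text ("Sychronization"), and consider a `report` line for the synchronized state so the result is visible outside the log.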
@@ -331,7 +357,6 @@
#
# Test : TIME-3136
# Description : Check ntpq reported ntp version (Linux)
- # Notes : Test could be improved by checking every host (YYY)
if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TIME-3136 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check NTP protocol version"
if [ ${SKIPTEST} -eq 0 ]; then
@@ -404,6 +429,8 @@
#
#################################################################################
#
+# For VMs check ntpd.conf : tinker panic 0
+#
wait_for_keypress
@@ -429,4 +456,4 @@ wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
+# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_tooling b/include/tests_tooling
index 6f8e6150..0ae7f194 100644
--- a/include/tests_tooling
+++ b/include/tests_tooling
@@ -5,8 +5,8 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@@ -16,6 +16,8 @@
#
AUTOMATION_TOOL_FOUND=0
AUTOMATION_TOOL_RUNNING=""
+ CFENGINE_AGENT_FOUND=0
+ CFENGINE_SERVER_RUNNING=0
BACKUP_AGENT_FOUND=0
PUPPET_MASTER_RUNNING=0
SALT_MASTER_RUNNING=0
@@ -40,22 +42,67 @@
# Cfengine
if [ ! "${CFAGENTBINARY}" = "" ]; then
- logtext "Result: Cfengine (cfagent) is installed (${CFAGENTBINARY})"
+ logtext "Result: CFEngine (cfagent) is installed (${CFAGENTBINARY})"
AUTOMATION_TOOL_FOUND=1
+ CFENGINE_AGENT_FOUND=1
+ report "automation_tool_running[]=cf-agent"
Display --indent 4 --text "Found: Cfengine (cfagent)" --result FOUND --color GREEN
fi
+ OTHER_CFENGINE_LOCATIONS="/var/cfengine/bin"
+ for I in ${OTHER_CFENGINE_LOCATIONS}; do
+ if [ -d ${I} ]; then
+ if [ -f ${I}/cf-agent ]; then
+ logtext "Result: found CFEngine agent (cf-agent) in ${I}"
+ AUTOMATION_TOOL_FOUND=1
+ CFENGINE_AGENT_FOUND=1
+ report "automation_tool_running[]=cf-agent"
+ Display --indent 4 --text "Found: CFEngine (cf-agent)" --result FOUND --color GREEN
+ fi
+ IsRunning "cf-server"
+ if [ ${RUNNING} -eq 1 ]; then
+ logtext "Result: found CFEngine server"
+ AUTOMATION_TOOL_FOUND=1
+ CFENGINE_SERVER_RUNNING=1
+ report "automation_tool_running[]=cf-server"
+ Display --indent 4 --text "Found: CFEngine (cf-server)" --result FOUND --color GREEN
+ fi
+ fi
+ done
+
+ # Chef
+ CHEF_LOCATIONS="/opt/chef/bin /opt/chef-server/sv /opt/chefdk/bin"
+ for I in ${CHEF_LOCATIONS}; do
+ if [ -d ${I} ]; then
+ if [ -f ${I}/chef-client ]; then
+ CHEFCLIENTBINARY="${I}/chef-client"
+ AUTOMATION_TOOL_FOUND=1
+ report "automation_tool_running[]=chef-client"
+ Display --indent 4 --text "Found: Chef client (chef-client)" --result FOUND --color GREEN
+ logtext "Result: found chef-client (chef client daemon) in ${I}"
+ fi
+ if [ -f ${I}/erchef ]; then
+ CHEFSERVERBINARY="${I}/erchef"
+ logtext "Result: Chef Server (erchef) is installed (${CHEFSERVERBINARY})"
+ AUTOMATION_TOOL_FOUND=1
+ report "automation_tool_running[]=chef-server"
+ Display --indent 4 --text "Found: Chef Server (erchef)" --result FOUND --color GREEN
+ logtext "Result: found erchef (chef server daemon) in ${I}"
+ fi
+ fi
+ done
# Puppet
if [ ! "${PUPPETBINARY}" = "" ]; then
logtext "Result: Puppet is installed (${PUPPETBINARY})"
AUTOMATION_TOOL_FOUND=1
+ report "automation_tool_running[]=puppet-agent"
Display --indent 4 --text "Found: Puppet (agent)" --result FOUND --color GREEN
fi
IsRunning "puppet master"
if [ ${RUNNING} -eq 1 ]; then
logtext "Result: found puppet master"
PUPPET_MASTER_RUNNING=1
- report "automation_tool_running[]=puppet"
+ report "automation_tool_running[]=puppet-master"
Display --indent 4 --text "Found: Puppet (master)" --result FOUND --color GREEN
fi
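Review bot: `report "automation_tool_running[]=cf-agent"` (and the chef-client and chef-server lines) is emitted when the binary exists, not when anything is running, which contradicts the key name; either use a present/installed key or gate on IsRunning as the cf-server branch does. Two smaller points: a host with cf-agent both in PATH and in /var/cfengine/bin gets the cf-agent report line twice, and `IsRunning "cf-server"` sits inside `if [ -d ${I} ]`, so a cf-server running from a different prefix is not detected at all.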
@@ -64,19 +111,24 @@
logtext "Result: SaltStack (salt-minion) is installed (${SALTMINIONBINARY})"
AUTOMATION_TOOL_FOUND=1
SALT_MINION_RUNNING=1
+ report "automation_tool_running[]=saltstack-minion"
Display --indent 4 --text "Found: SaltStack minion (salt-minion)" --result FOUND --color GREEN
fi
if [ ! "${SALTMASTERBINARY}" = "" ]; then
logtext "Result: SaltStack (salt-master) is installed (${SALTMASTERBINARY})"
AUTOMATION_TOOL_FOUND=1
- Display --indent 4 --text "Found: SaltStack master (salt-master)" --result FOUND --color GREEN
- fi
- IsRunning "salt-master"
- if [ ${RUNNING} -eq 1 ]; then
- logtext "Result: found SaltStack (master)"
SALT_MASTER_RUNNING=1
- report "automation_tool_running[]=saltstack-master"
- Display --indent 4 --text "Found: SaltStack (master)" --result FOUND --color GREEN
+ report "automation_tool_running[]=saltstack-minion"
+ Display --indent 4 --text "Found: SaltStack master (salt-master)" --result FOUND --color GREEN
+ else
+ IsRunning "salt-master"
+ if [ ${RUNNING} -eq 1 ]; then
+ logtext "Result: found SaltStack (master)"
+ AUTOMATION_TOOL_FOUND=1
+ SALT_MASTER_RUNNING=1
+ report "automation_tool_running[]=saltstack-master"
+ Display --indent 4 --text "Found: SaltStack (master)" --result FOUND --color GREEN
+ fi
fi
if [ ${AUTOMATION_TOOL_FOUND} -eq 1 ]; then
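Review bot: copy/paste error in the salt-master branch: the `+` line `report "automation_tool_running[]=saltstack-minion"` under the SALTMASTERBINARY check should say `saltstack-master`. The restructuring also changes semantics: `SALT_MASTER_RUNNING=1` is now set merely because the binary exists, and `IsRunning "salt-master"` only executes in the `else` branch when the binary was not found, so the flag no longer reflects a running process. Keep the IsRunning check unconditional and set the *_RUNNING flags only from it.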
@@ -98,9 +150,7 @@
#
#################################################################################
#
- report "puppet_master=${PUPPET_MASTER_RUNNING}"
- report "salt_master=${SALT_MASTER_RUNNING}"
- report "salt_minion=${SALT_MINION_RUNNING}"
+ report "automation_tool_present=${AUTOMATION_TOOL_FOUND}"
wait_for_keypress
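Review bot: dropping the `puppet_master`, `salt_master` and `salt_minion` report keys is a report-format change that consumers will notice; the `automation_tool_running[]` entries added above only partly replace them, and PUPPET_MASTER_RUNNING, SALT_MASTER_RUNNING and SALT_MINION_RUNNING are now computed but never reported. Either keep the keys alongside `automation_tool_present` or record the change in the CHANGELOG.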
diff --git a/include/tests_virtualization b/include/tests_virtualization
index c9100bf9..6c80e081 100644
--- a/include/tests_virtualization
+++ b/include/tests_virtualization
@@ -5,8 +5,8 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@@ -22,49 +22,6 @@
#
#################################################################################
#
- # Test : VIRT-1902
- # Description : Query running Solaris zones
- if [ -x /usr/sbin/zoneadm ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no VIRT-1902 --os Solaris --weight L --network NO --description "Query running Solaris zones"
- if [ ${SKIPTEST} -eq 0 ]; then
- logtext "Test: query zoneadm to list all running zones"
- FIND=`/usr/sbin/zoneadm list -p | awk -F: '{ if ($2!="global") print $0 }'`
- if [ ! "${FIND}" = "" ]; then
- N=0
- for I in ${FIND}; do
- N=`expr ${N} + 1`
- ZONEID=`echo ${I} | cut -d ':' -f1`
- ZONENAME=`echo ${I} | cut -d ':' -f2`
- logtext "Result: found zone ${ZONENAME} (running)"
- report "solaris_running_zone[]=${ZONENAME} [id:${ZONEID}]"
- done
- logtext "Result: total of ${N} running zones"
- Display --indent 2 --text "- Checking Solaris Zones" --result "FOUND ${N} zones" --color GREEN
- else
- logtext "Result: no running zones found"
- Display --indent 2 --text "- Checking Solaris Zones" --result NONE --color WHITE
- fi
- fi
-#
-#################################################################################
-#
- # Test : VIRT-1906
- # Description : Query running Xen zones
- #if [ -x /usr/bin/xm ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- #Register --test-no VIRT-1906 --weight L --network NO --description "Query Xen guests"
- #if [ ${SKIPTEST} -eq 0 ]; then
- # Show Xen guests
- #FIND=`xm list | awk '$1 != "Name|Domain-0" {print $1","$2}'`
- #for I in ${FIND}; do
- #XENGUESTNAME=`echo ${I} | cut -d ':' -f1`
- #XENGUESTID=`echo ${I} | cut -d ':' -f2`
- #logtext "Result: found Xen guest ${XENGUESTNAME} (ID: ${XENGUESTID})"
- #done
- #fi
-#
-#################################################################################
-#
-
# # Test : VIRT-1920
# # Description : Checking VMware
# Register --test-no VIRT-1920 --weight L --network NO --description "Checking VMware guest status"
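Review bot: VIRT-1902 was a live test (unlike the commented-out VIRT-1906) and produced `solaris_running_zone[]` report entries, so removing it silently drops Solaris zone inventory from the report. If Solaris support is being retired, say so in the CHANGELOG; if not, the test should stay, and its Register line could gain `--preqs-met ${PREQS_MET}`, which the removed version computed but never passed.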
@@ -72,9 +29,9 @@
# # Initialise
# VMWARE_GUEST=0
# Display --indent 2 --text "- Checking VMware guest status"
-# #YYY check memory driver file
-# #YYY check LKM list
-# #YYY check vmware tools
+# # check memory driver file
+# # check LKM list
+# # check vmware tools
# logtext "Test: checking VMware tools daemon presence"
# if [ ! "${VMWARETOOLSBINARY}" = "" ]; then
# logtext "Result: VMware tools binary found"
@@ -89,9 +46,8 @@
#################################################################################
#
-
wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen - www.rootkit.nl - The Netherlands
+# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tests_webservers b/include/tests_webservers
index b83d93a9..cfe6dcce 100644
--- a/include/tests_webservers
+++ b/include/tests_webservers
@@ -5,8 +5,8 @@
# Lynis
# ------------------
#
-# Copyright 2007-2015, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@@ -50,9 +50,13 @@
# Test : HTTP-6622
# Description : Test for Apache installation
# Notes : Do not run on NetBSD, -v is unknown option for httpd binary
+ # On OpenBSD do not run /usr/sbin/httpd with -v: builtin non-Apache
if [ ! "${OS}" = "NetBSD" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6622 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking Apache presence"
if [ ${SKIPTEST} -eq 0 ]; then
+ if [ "${OS}" = "OpenBSD" -a "${HTTPDBINARY}" = "/usr/sbin/httpd" ]; then
+ HTTPDBINARY=""
+ fi
if [ "${HTTPDBINARY}" = "" ]; then
Display --indent 2 --text "- Checking Apache" --result "NOT FOUND" --color WHITE
else
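Review bot: blanking HTTPDBINARY inside the test body mutates a global that the later Apache tests depend on; that is clearly the intent, but folding the OpenBSD case into the prerequisite line (PREQS_MET="NO" when OS is OpenBSD and HTTPDBINARY is /usr/sbin/httpd) would skip the test cleanly instead of reporting Apache as NOT FOUND. One caveat for the comment: older OpenBSD releases shipped an Apache-derived /usr/sbin/httpd in base, so this condition also skips genuine Apache installations on those systems.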
@@ -194,9 +198,9 @@
# # Configuration specific tests
# SERVERTOKENSFOUND=0
# APACHE_CONFIGFILES="${APACHE_CONFIGFILE} /usr/local/etc/apache22/extra/httpd-default.conf /etc/apache2/sysconfig.d/global.conf"
-#
+#
# for APACHE_CONFIGFILE in ${APACHE_CONFIGFILES}; do
-# if [ -f ${APACHE_CONFIGFILE} ]; then
+# if [ -f ${APACHE_CONFIGFILE} ]; then
# # Check if option ServerTokens is configured
# SERVERTOKENSTEST=`cat ${APACHE_CONFIGFILE} | grep ServerTokens | grep -v '^#'`
# if [ ! "${SERVERTOKENSTEST}" = "" ]; then
@@ -215,17 +219,17 @@
# else
# Display --indent 4 --text "- Checking option ServerTokens" --result "NOT FOUND" --color WHITE
# fi
-#
+#
# else
# # File does not exist, skipping
# logtext "File ${APACHE_CONFIGFILE} does not exist, so skipping tests on this file"
# fi
# done
-#
+#
# # Display results from checks
# if [ ${SERVERTOKENSFOUND} -eq 1 ]; then
# Display --indent 6 --text "- Value of ServerTokens" --result OK --color GREEN
-# else
+# else
# Display --indent 6 --text "- Value of ServerTokens" --result WARNING --color RED
# ReportWarning ${TEST_NO} "M" "Value of 'ServerTokens' in Apache config is different than template"
# fi
@@ -391,19 +395,16 @@
Register --test-no HTTP-6704 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nginx configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
logtext "Test: searching nginx configuration file"
- #YYY warning if multiple nginx.conf files are found
for I in ${NGINX_CONF_LOCS}; do
if [ -f ${I}/nginx.conf ]; then
NGINX_CONF_LOCATION="${I}/nginx.conf"
logtext "Found file ${NGINX_CONF_LOCATION}"
fi
done
- #YYY strings /usr/sbin/nginx | grep "conf$"
if [ ! "${NGINX_CONF_LOCATION}" = "" ]; then
logtext "Result: found nginx configuration file"
report "nginx_main_conf_file=${NGINX_CONF_LOCATION}"
Display --indent 4 --text "- Searching nginx configuration file" --result FOUND --color GREEN
- #FIND=`cat ${NGINX_CONF_LOCATION} | sed -e 's/^[ \t]*//' | grep -v "^#" | grep -v "^$" | sed 's/[\t]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE2}`
else
logtext "Result: no nginx configuration file found"
Display --indent 2 --text "- Searching nginx configuration file" --result "NOT FOUND" --color WHITE
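Review bot: the removed `#YYY warning if multiple nginx.conf files are found` note described a gap that still exists: the loop over NGINX_CONF_LOCS overwrites NGINX_CONF_LOCATION on every hit, so when several candidates exist the last one wins silently and the others are visible only in the log. Either keep the TODO or report each match and pick the first deterministically.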
@@ -415,25 +416,26 @@
# Test : HTTP-6706
# Description : Search for includes within nginx configuration file
# Notes : Daemon nginx should be running, nginx.conf should be found
- if [ ${NGINX_RUNNING} -eq 1 -a "${NGINX_CONF_LOCATION}" != "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if [ ${NGINX_RUNNING} -eq 1 -a ! "${NGINX_CONF_LOCATION}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6706 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for additional nginx configuration files"
if [ ${SKIPTEST} -eq 0 ]; then
# Remove temp file
if [ ! "${TMPFILE}" = "" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi
N=0
+ cat ${NGINX_CONF_LOCATION} | sed -e 's/^[ \t]*//' | grep -v "^#" | grep -v "^$" | sed 's/[\t]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE}
# Search for included configuration files (may include directories and wild cards)
FIND=`grep "include" ${NGINX_CONF_LOCATION} | ${AWKBINARY} '{ if ($1=="include") { print $2 }}' | sed 's/;$//g'`
for I in ${FIND}; do
FIND2=`${LSBINARY} ${I} 2>/dev/null`
for J in ${FIND2}; do
- # Double check if we are dealing with a file
+ # Ensure that we are parsing normal files
if [ -f ${J} ]; then
N=`expr ${N} + 1`
logtext "Result: found Nginx configuration file ${J}"
report "nginx_sub_conf_file=${J}"
FileIsReadable ${J}
if [ ${CANREAD} -eq 1 ]; then
- FIND3=`cat ${J} | sed -e 's/^[ \t]*//' | grep -v "^#" | grep -v "^$" | sed 's/[\t]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE2}`
+ FIND3=`cat ${J} | sed -e 's/^[ \t]*//' | grep -v "^#" | grep -v "^$" | sed 's/[\t]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE}`
else
ReportException "${TEST_NO}:1" "Can not parse file ${J}, as it is not readable"
fi
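Review bot: the new `cat ${NGINX_CONF_LOCATION} ... >> ${TMPFILE}` line writes the main config without the FileIsReadable guard the included files get a few lines later; if it is unreadable the error goes to stderr and the test proceeds with an empty file. Also, `FIND3=\`... >> ${TMPFILE}\`` captures nothing because all output is redirected to the file, so the FIND3 assignment can be dropped, and the append should be guarded on TMPFILE being non-empty the way the `rm -f` above is.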
@@ -442,14 +444,14 @@
done
# Sort all discovered configuration lines and store unique ones. Also strip out the mime types configured in nginx
- SORTFILE=`cat ${TMPFILE2} | sort | uniq | sed 's/ /:space:/g' | egrep -v "(application|audio|image|text|video)/" | egrep -v "({|})"`
- for I in ${SORTFILE}; do
+ SORTFILE=`cat ${TMPFILE} | sort | uniq | sed 's/ /:space:/g' | egrep -v "(application|audio|image|text|video)/" | egrep -v "({|})"`
+ for I in ${SORTFILE}; do
I=`echo ${I} | sed 's/:space:/ /g'`
report "nginx_config_option=${I}";
- done
+ done
# Remove unsorted file for next tests
- if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi
+ if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi
if [ ${N} -eq 0 ]; then
logtext "Result: no nginx include statements found"
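Review bot: the mime-type filter `egrep -v "(application|audio|image|text|video)/"` drops every configuration line containing one of those substrings followed by a slash, not only entries of the `types { ... }` block, so a directive such as `root /srv/image/www;` never reaches the `nginx_config_option` report. Anchor the pattern to the shape of a mime entry (type token, whitespace, extensions) or strip the `types` block explicitly. Nits: `cat ... | sort | uniq` is `sort -u`, and an unescaped `{` inside an ERE (`"({|})"`) is not portable across egrep implementations; write `"(\{|\})"`.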
@@ -694,11 +696,6 @@
#
#################################################################################
#
- # Scan for websites
- #/etc/apache2/sites-available
-#
-#################################################################################
-#
# Remove temp file (double check)
if [ ! "${TMPFILE}" = "" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi
@@ -709,4 +706,4 @@ wait_for_keypress
#
#================================================================================
-# Lynis - Copyright 2007-2015, Michael Boelen - cisofy.com - The Netherlands
+# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/include/tool_tips b/include/tool_tips
new file mode 100644
index 00000000..ee37fa94
--- /dev/null
+++ b/include/tool_tips
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com)
+# Web site: https://cisofy.com
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# Hints and Tips
+#
+#################################################################################
+#
+
+ # Only show tips when enabled
+ if [ ${SHOW_TOOL_TIPS} -eq 1 ]; then
+
+ # Bash completion support
+ if [ ! "${ETC_PATHS}" = "" ]; then
+ for I in ${ETC_PATHS}; do
+ if [ -d ${I}/bash-completion.d ]; then
+ if [ ! -f ${ETC_PATHS}/bash_completion.d/lynis ]; then
+ Display "This system has a bash_completition directory. Copy extras/bash_completion.d/lynis to ${I} to get completion support for Lynis"
+ fi
+ fi
+ done
+ fi
+ fi
+
+
+#
+#================================================================================
+# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com
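Review bot: the inner test never matches: it checks `${ETC_PATHS}/bash_completion.d/lynis` (the whole space-separated list, and `bash_completion.d` with an underscore) while the surrounding loop tests `${I}/bash-completion.d` (with a hyphen). Use `${I}` and one directory name in both tests and in the Display text, which currently tells the user to copy the file to `${I}` rather than to the completion directory (typo: "completition"). Also `[ ${SHOW_TOOL_TIPS} -eq 1 ]` is a test syntax error when a profile does not define SHOW_TOOL_TIPS, and this file is sourced without a fallback; default it with `${SHOW_TOOL_TIPS:-0}` or in include/consts.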
diff --git a/lynis b/lynis
index f8cdc18a..87687673 100755
--- a/lynis
+++ b/lynis
@@ -6,7 +6,7 @@
# ------------------
#
# Copyright 2007-2015 Michael Boelen, CISOfy (michael.boelen@cisofy.com)
-# Website: https://cisofy.com
+# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@@ -22,9 +22,9 @@
#
# Program information
PROGRAM_name="Lynis"
- PROGRAM_version="2.1.1"
- PROGRAM_releasedate="19 April 2015"
- PROGRAM_author="CISOfy"
+ PROGRAM_version="2.1.2"
+ PROGRAM_releasedate="13 September 2015"
+ PROGRAM_author="Michael Boelen, CISOfy"
PROGRAM_author_contact="lynis-dev@cisofy.com"
PROGRAM_website="https://cisofy.com"
PROGRAM_copyright="Copyright 2007-2015 - ${PROGRAM_author}, ${PROGRAM_website}"
@@ -103,12 +103,17 @@
# Check if owner of both files is root user, or the same user which is running Lynis (for pentester mode)
# Consts
- if [ ! "${OWNER}" = "root" -a ! "${OWNERID}" = "0" ]; then ISSUE=1; SHOWPERMERROR=1; FILE="consts"; fi
- if [ ! "${MYID}" = "${OWNER2ID}" ]; then ISSUE=1; SHOWPERMERROR=1; FILE="consts"; fi
+ if [ ! "${OWNER}" = "root" -a ! "${OWNERID}" = "0" ]; then
+ if [ ! "${MYID}" = "${OWNER2ID}" ]; then
+ ISSUE=1; SHOWPERMERROR=1; FILE="consts"
+ fi
+ fi
# Functions
- if [ ! "${OWNER2}" = "root" -a ! "${OWNER2ID}" = "0" ]; then ISSUE=1; SHOWPERMERROR=1; FILE="functions"; fi
- if [ ! "${MYID}" = "${OWNER2ID}" ]; then ISSUE=1; SHOWPERMERROR=1; FILE="functions"; fi
-
+ if [ ! "${OWNER2}" = "root" -a ! "${OWNER2ID}" = "0" ]; then
+ if [ ! "${MYID}" = "${OWNER2ID}" ]; then
+ ISSUE=1; SHOWPERMERROR=1; FILE="functions"
+ fi
+ fi
if [ ${SHOWPERMERROR} -eq 1 ]; then
echo ""
echo "[!] Change ownership of ${INCLUDEDIR}/${FILE} to 'root' or similar (found: ${OWNER} with UID ${OWNERID})."
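Review bot: the consts block compares `${MYID}` with `${OWNER2ID}`, the owner of the functions file, instead of `${OWNERID}`; a consts file owned by another user therefore passes the protection check whenever functions happens to be owned by the caller. Use OWNERID in the first nested test. The error text on the last line also always prints `${OWNER}` and `${OWNERID}` even when FILE="functions", where OWNER2 and OWNER2ID apply; print the pair that belongs to ${FILE}. Since this check is what stops root from sourcing user-created include files, a comment stating the accepted policy (root, or the invoking user in pentester mode) would help the next reader.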
@@ -129,7 +134,7 @@
echo ""
echo " Why do I see this error?"
echo " -------------------------------"
- echo " This error is a protection mechanism, to prevent root user from executing user created files."
+ echo " This is a protection mechanism, to prevent the root user from executing user created files."
echo ""; echo ""
echo " What can I do?"
echo " ---------------------"
@@ -221,55 +226,6 @@
# CV - Current Version
PROGRAM_AC=`echo ${PROGRAM_version} | awk '{ print $1 }' | sed 's/[.]//g'`
PROGRAM_LV=0
- #DB_MALWARE_CV=`grep "^#version=" ${DBDIR}/malware.db | cut -d '=' -f2`
- #DB_FILEPERMS_CV=`grep "^#version=" ${DBDIR}/fileperms.db | cut -d '=' -f2`
-
- # Number of signatures
- #DB_MALWARE_IC=`grep -v "^#" ${DBDIR}/malware.db | wc -l | tr -s ' ' | tr -d ' '`
-
- if [ ${VIEWUPDATEINFO} -eq 1 ]; then
-
- CheckUpdates
-
- # Reset everything if we can't determine our current version or the latest
- # available version (due lack of internet connectivity for example)
- if [ "${PROGRAM_AC}" = "" -o "${PROGRAM_LV}" = "" ]; then
- # Set both to safe values
- PROGRAM_AC=0; PROGRAM_LV=0
- #DB_MALWARE_LV=0; DB_MALWARE_CV=0
- #DB_FILEPERMS_LV=0; DB_FILEPERMS_CV=0
- fi
-
- echo ""; echo " == ${WHITE}${PROGRAM_name}${NORMAL} =="; echo ""
- echo " Version : ${PROGRAM_version}"
- echo -n " Status : "
- if [ ${PROGRAM_LV} -eq 0 ]; then
- echo "${RED}Unknown${NORMAL}";
- elif [ ${PROGRAM_LV} -gt ${PROGRAM_AC} ]; then
- echo "${YELLOW}Outdated${NORMAL}";
- echo " Current version : ${PROGRAM_AC}"
- echo " Latest version : ${PROGRAM_LV}"
- else
- echo "${GREEN}Up-to-date${NORMAL}"
- fi
- echo " Release date : ${PROGRAM_releasedate}"
- echo " Update location : ${PROGRAM_website}"
-# echo ""
-# echo " == ${WHITE}Plugins${NORMAL} =="
-# echo ""
-# echo " == ${WHITE}Databases${NORMAL} =="
-# echo " Current Latest Status"
-# echo " -----------------------------------------------------------------------------"
-# echo -n " Malware : ${DB_MALWARE_CV} ${DB_MALWARE_LV} "
-# if [ ${DB_MALWARE_LV} -gt ${DB_MALWARE_CV} ]; then echo "${WARNING}Outdated${NORMAL}"; else echo "${OK}Up-to-date${NORMAL}"; fi
-# echo -n " File perms : ${DB_FILEPERMS_CV} ${DB_FILEPERMS_LV} "
-# if [ ${DB_FILEPERMS_LV} -gt ${DB_FILEPERMS_CV} ]; then echo "${WARNING}Outdated${NORMAL}"; else echo "${OK}Up-to-date${NORMAL}"; fi
- echo ""; echo ""
- echo "${PROGRAM_copyright}"; echo ""
-
- # Quit program
- ExitClean
- fi
#
#################################################################################
#
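Review bot: with the update display removed from the main script, `VIEWUPDATEINFO` and the `CheckUpdates` call are dead code unless the parameter parser now maps `--check-update` and `--info` to the update helper; the help and man page hunks below only delete the option. Make include/parameters either reject the old flag with exit 64 or translate it to `update info`, and mention the rename in the CHANGELOG so scripts using the old flag do not get an undocumented result.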
@@ -320,7 +276,7 @@
if [ "${PROFILE}" = "" ]; then
echo "${RED}Fatal error: ${WHITE}No profile defined and could not find default profile${NORMAL}"
echo "Search paths used --> ${tPROFILE_TARGETS}"
- ExitFatal
+ ExitCustom 66
fi
# Initialize and check profile file, auditor name, log file and report file
if [ ! -r ${PROFILE} ]; then echo "Fatal error: Can't open profile file (${PROFILE})"; exit 1; fi
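Review bot: the next line still uses a bare `exit 1` when the profile exists but is not readable, while the missing-profile case directly above now exits with the new code 66 ("Can't open file or directory" in the man page hunk). Use `ExitCustom 66` there as well so both profile failures are distinguishable by an invoking script.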
@@ -334,8 +290,22 @@
#
#################################################################################
#
- # Check if there is already a PID file (incorrect termination of previous instance)
- if [ -f lynis.pid -o -f /var/run/lynis.pid ]; then
+
+ # Decide where to write our PID file. For unprivileged users this will be in their home directory, or /tmp if their
+ # home directory isn't set. For root it will be /var/run, or the current workign directory if /var/run doesn't exist.
+ MYHOMEDIR=`echo ~ 2> /dev/null`
+ if [ "${MYHOMEDIR}" = "" ]; then MYHOMEDIR="/tmp"; fi
+
+ if [ ${PRIVILEGED} -eq 0 ]; then
+ PIDFILE="${MYHOMEDIR}/lynis.pid"
+ elif [ -d /var/run ]; then
+ PIDFILE="/var/run/lynis.pid"
+ else
+ PIDFILE="./lynis.pid"
+ fi
+
+ # Check if there is already a PID file in any of the locations (incorrect termination of previous instance)
+ if [ -f "${MYHOMEDIR}/lynis.pid" -o -f "./lynis.pid" -o -f "/var/run/lynis.pid" ]; then
echo ""
echo " ${WARNING}Warning${NORMAL}: ${WHITE}PID file exists, probably another Lynis process is running.${NORMAL}"
echo " ------------------------------------------------------------------------------"
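Review bot: `MYHOMEDIR` falls back to /tmp, a world-writable directory, for an unprivileged user without a home directory; the PID file then lives where any local user can pre-create it, and the stale-file check below treats whatever it finds as a Lynis PID file. The check also looks at all three candidate paths regardless of privilege, so an unprivileged run warns about root's /var/run/lynis.pid (and later tries to delete it), and a root run warns about a ./lynis.pid in whatever the current directory happens to be. Restrict the check to `${PIDFILE}` and test whether the recorded PID is still alive (`kill -0`) instead of only whether the file exists. Typo in the comment: "workign".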
@@ -349,26 +319,24 @@
echo " ${YELLOW}Note: ${WHITE}Cancelling the program can leave temporary files behind${NORMAL}"
echo ""
wait_for_keypress
- if [ -f lynis.pid ]; then rm -f lynis.pid; fi
- if [ -f /var/run/lynis.pid ]; then rm -f /var/run/lynis.pid; fi
- #YYY Display function not working yet from here, due to OS detection
- #Display --indent 2 --text "- Deleting old PID file..." --result DONE --color GREEN
+ # Deleting any stale PID files that might exist.
+ # Note: Display function does not work yet at this point
+ if [ -f "${MYHOMEDIR}/lynis.pid" ]; then rm -f "${MYHOMEDIR}/lynis.pid"; fi
+ if [ -f "./lynis.pid" ]; then rm -f "./lynis.pid"; fi
+ if [ -f "/var/run/lynis.pid" ]; then rm -f "/var/run/lynis.pid"; fi
fi
- # Create new PID file (use work directory if /var/run is not available)
- if [ ${PRIVILEGED} -eq 0 ]; then
- # Store it in home directory of user
- MYHOMEDIR=`echo ~`
- if [ "${MYHOMEDIR}" = "" ]; then HOMEDIR="/tmp"; fi
- PIDFILE="${MYHOMEDIR}/lynis.pid"
- elif [ -d /var/run ]; then
- PIDFILE="/var/run/lynis.pid"
+ # Ensure symlink attack is not possible, by confirming there is no symlink of the file already
+ OURPID=`echo $$`
+ if [ -L ${PIDFILE} ]; then
+ echo "Found symlinked PID file (${PIDFILE}), quitting"
+ ExitFatal
else
- PIDFILE="lynis.pid"
+ # Create new PID file writable only by owner
+ echo "${OURPID}" > ${PIDFILE}
+ chmod 600 ${PIDFILE}
fi
- OURPID=`echo $$`
- echo ${OURPID} > ${PIDFILE}
- chmod 600 ${PIDFILE}
+
#
#################################################################################
#
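Review bot: the symlink guard is a check-then-use race: `[ -L ${PIDFILE} ]` and `echo "${OURPID}" > ${PIDFILE}` are separate operations, so in a shared directory (the /tmp fallback, or a home directory with lax permissions) a symlink placed between the two makes root truncate an arbitrary file. Create the file atomically instead: `set -C` (noclobber) so the redirect fails if anything already exists at the path, or write to a `mktemp` file and `mv` it into place. The mode is also wrong for a moment, since the file is created under the default umask and only then chmod'ed to 600; set `umask 077` before the redirect. Nits: `OURPID=\`echo $$\`` is just `OURPID=$$`, and `${PIDFILE}` is unquoted here while it is quoted in every test above.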
@@ -389,8 +357,11 @@
echo " audit system : Perform security scan"
echo " audit dockerfile <file> : Analyze Dockerfile"
echo ""
+ echo " ${GREEN}update${NORMAL}"
+ echo " update info : Show update details"
+ echo " update release : Update Lynis release"
+ echo ""
echo ""
-
echo " ${WHITE}Scan options:${NORMAL}"
echo " --auditor \"<name>\" : Auditor name"
echo " --dump-options : See all available options"
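Review bot: the two consecutive `echo ""` after the new update block print a double blank line before "Scan options"; the removed empty line suggests only one was intended.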
@@ -407,7 +378,6 @@
echo " --reverse-colors : Optimize color display for light backgrounds"
echo ""
echo " ${WHITE}Misc options:${NORMAL}"
- echo " --check-update : Check for updates"
echo " --debug : Debug logging to screen"
echo " --view-manpage (--man) : View man page"
echo " --version (-V) : Display version number and quit"
@@ -431,7 +401,7 @@
# Cleanup PID file if we drop out earlier
RemovePIDFile
# Exit with exit code 1
- exit 1
+ exit 64
fi
#
#################################################################################
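Review bot: the comment "Exit with exit code 1" two lines above the change is now stale; update it to 64, or replace the `RemovePIDFile`/`exit` pair with `ExitCustom 64` so PID cleanup and exit code stay together, as the other exits in this patch do.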
@@ -459,7 +429,7 @@
echo ""
echo " ###################################################################"
echo "${NORMAL}"; echo ""
- if [ ${NEVERBREAK} -eq 0 ]; then read void; fi
+ if [ ${QUICKMODE} -eq 0 ]; then read void; fi
fi
#
#################################################################################
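Review bot: switching the keypress from NEVERBREAK to QUICKMODE changes who sees this notice: it is now skipped by `--quick`, which the man page's FIRST TIME USAGE section recommends, so first-time users will not read it. Confirm that `--cronjob` also sets QUICKMODE, otherwise unattended runs now block on `read`, and note the change in the CHANGELOG if skipping the notice under `--quick` is intended.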
@@ -524,13 +494,13 @@
#
#################################################################################
#
- if [ ${QUIET} -eq 0 ]; then
+ if [ ${QUIET} -eq 0 -a ${SHOW_PROGRAM_DETAILS} -eq 1 ]; then
echo ""
echo " ---------------------------------------------------"
echo " Program version: ${PROGRAM_version}"
echo " Operating system: ${OS}"
echo " Operating system name: ${OS_NAME}"
- echo " Operating system version: ${OS_VERSION}"
+ echo " Operating system version: ${OS_VERSION}"
if [ ! "${OS_MODE}" = "" ]; then echo " Operating system mode: ${OS_MODE}"; fi
echo " Kernel version: ${OS_KERNELVERSION}"
echo " Hardware platform: ${HARDWARE}"
@@ -541,7 +511,6 @@
echo " Report file: ${REPORTFILE}"
echo " Report version: ${REPORT_version}"
echo " Plugin directory: ${PLUGINDIR}"
- #echo " Database directory: ${DBDIR}"
echo " ---------------------------------------------------"
fi
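Review bot: `${SHOW_PROGRAM_DETAILS}` needs a default before this test; with a user profile that does not define it (or an older default.prf), `[ ${QUIET} -eq 0 -a -eq 1 ]` is a test syntax error that prints to stderr and evaluates false, so the details block silently disappears. Use `${SHOW_PROGRAM_DETAILS:-1}` here or set the default in include/consts.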
@@ -564,9 +533,7 @@
logtext "-----------------------------------------------------"
logtext "Include directory: ${INCLUDEDIR}"
logtext "Plugin directory: ${PLUGINDIR}"
- logtext "Database directory: ${DBDIR}"
logtextbreak
- #wait_for_keypress
#
#################################################################################
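Review bot: dropping the "Database directory" log line (and the commented echo in the previous hunk) removes the only record in the audit log of which signature files were used, yet this commit still ships and modifies db/fileperms.db and db/integrity.db. Keep the `logtext "Database directory: ${DBDIR}"` line as long as the db directory exists.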
@@ -761,13 +728,11 @@
logtext "Info: perform tests from all categories"
INCLUDE_TESTS="boot_services kernel memory_processes authentication shells \
- filesystems storage storage_nfs \
- nameservices ports_packages networking printers_spools \
- mail_messaging firewalls \
- webservers ssh snmp databases ldap php squid logging \
- insecure_services banners scheduling accounting \
- time crypto virtualization mac_frameworks file_integrity hardening_tools tooling \
- malware file_permissions homedirs kernel_hardening hardening"
+ filesystems storage storage_nfs nameservices ports_packages networking printers_spools \
+ mail_messaging firewalls webservers ssh snmp databases ldap php squid logging \
+ insecure_services banners scheduling accounting time crypto virtualization containers \
+ mac_frameworks file_integrity tooling malware file_permissions homedirs \
+ kernel_hardening hardening"
else
INCLUDE_TESTS="${TESTS_CATEGORY_TO_PERFORM}"
logtext "Info: only performing tests from categories: ${TESTS_CATEGORY_TO_PERFORM}"
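Review bot: the reflowed category list adds `containers` but also drops `hardening_tools`, while include/tests_hardening_tools is still modified in this same commit; if its tests were merged into `tooling`, remove the file and say so in the CHANGELOG, otherwise a default run now skips those tests without any message. A `logtext` of the final INCLUDE_TESTS value would make such omissions visible in the log.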
@@ -829,12 +794,12 @@
#################################################################################
#
if [ ${RUN_HELPERS} -eq 1 ]; then
- InsertPluginSection "Audit Module"
if [ ! "${HELPER}" = "" ]; then
logtext "Helper tool is $HELPER"
if [ -f ${INCLUDEDIR}/helper_${HELPER} ]; then
SafePerms ${INCLUDEDIR}/helper_${HELPER}
logtext "Running helper tool ${HELPER} with params: ${HELPER_PARAMS}"
+ InsertPluginSection "Helper: ${HELPER}"
. ${INCLUDEDIR}/helper_${HELPER} ${HELPER_PARAMS}
else
echo "Error, could not find helper"
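Review bot: `${HELPER}` comes from the command line and is spliced into `${INCLUDEDIR}/helper_${HELPER}` without validation; the `-f` test and SafePerms limit what gets sourced, but a value containing `../` or shell metacharacters still steers the lookup outside the include directory. Whitelist the name (for example `[a-z_]*`) in the parameter parser before it reaches this point. Moving InsertPluginSection into the success branch is right; log the unknown helper name in the error branch as well, since the echo alone leaves nothing in the log file.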
@@ -856,6 +821,9 @@
# Show report
if [ -f ${INCLUDEDIR}/report ]; then SafePerms ${INCLUDEDIR}/report; . ${INCLUDEDIR}/report; fi
+ # Show tool tips
+ if [ -f ${INCLUDEDIR}/hints_tips ]; then SafePerms ${INCLUDEDIR}/hints_tips; . ${INCLUDEDIR}/hints_tips; fi
+
logtext "================================================================================"
logtext "Tests performed: ${CTESTS_PERFORMED}"
logtext "Total tests: ${TOTAL_TESTS}"
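Review bot: the new source line looks for `${INCLUDEDIR}/hints_tips`, but the file added in this commit is include/tool_tips; because of the `-f` guard the mismatch is silent and the tips never show. Rename one of the two and, as a general point for these optional includes, `logtext` when the file is missing instead of skipping it quietly.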
@@ -883,7 +851,11 @@
logtext "================================================================================"
# Clean exit (Delete PID file)
- ExitClean
+ if [ ${TOTAL_WARNINGS} -gt 0 ]; then
+ ExitCustom 78
+ else
+ ExitClean
+ fi
# The End
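Review bot: exiting with 78 whenever `TOTAL_WARNINGS` is greater than zero turns every cron run that previously returned 0 with a warning into a non-zero exit; that matches the EXIT CODES section in the man page hunk, but it is a behaviour change for existing automation and belongs in the CHANGELOG. Also confirm that ExitCustom removes the PID file the way ExitClean does, since this is now the normal end of a run with findings.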
diff --git a/lynis.8 b/lynis.8
index 38be837d..742354a8 100644
--- a/lynis.8
+++ b/lynis.8
@@ -1,28 +1,28 @@
-.TH Lynis 8 "30 January 2015" "1.17" "Unix System Administrator's Manual"
+.TH Lynis 8 "10 September 2015" "1.19" "Unix System Administrator's Manual"
.SH "NAME"
\fB
\fB
\fB
-Lynis \fP\- Run an system and security audit on the system
+Lynis \fP\- System and security auditing tool
\fB
.SH "SYNOPSIS"
.nf
.fam C
-\fBlynis\fP \-\-check-all(\-c) [other options]
+\fBlynis\fP [scan mode] [other options]
.fam T
.fi
.SH "DESCRIPTION"
-\fBLynis\fP is an auditing tool for Unix (specialists). It checks the system
-and software configuration and logs all the found information into a log file
-for debugging purposes, and in a report file suitable to create fancy looking
-auditing reports.
-\fBLynis\fP can be run as a cronjob, or from the command line. It needs to have
-full access to the system, so running it as root (or with sudo rights) is
-required.
+\fBLynis\fP is a security auditing tool for Linux and Unix systems. It checks
+the system and software configurations, to determine any improvements.
+All details are logged in a log file. Findings and other data is stored in a
+report file, which can be used to create auditing reports.
+\fBLynis\fP can be run as a cronjob, or from the command line. Lynis prefers
+root permissions (or sudo), so it can access all parts of the system, however it
+not required (see pentest mode).
.PP
The following system areas may be checked:
.IP
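Review bot: grammar in the new DESCRIPTION: "Findings and other data is stored" should be "are stored", and "however it not required (see pentest mode)" is missing "is". The SYNOPSIS now reads `[scan mode]`, a term that is only defined further down; point the reader at the SCAN MODES section here.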
@@ -30,27 +30,34 @@ The following system areas may be checked:
.IP
\- Configuration files
.IP
-\- Common files by software packages
+\- Files part of software packages
.IP
\- Directories and files related to logging and auditing
+
+.SH "FIRST TIME USAGE"
+When running \fBLynis\fP for the first time, run: lynis audit system --quick
+
+.SH "SCAN MODES"
+
+.IP audit system
+Performs a system audit, which is the most common audit.
+
+For more scan modes, see the helper utilities.
+
.SH "OPTIONS"
.TP
.B \-\-auditor <full name>
Define the name of the auditor/pen-tester. When a full name is used, add double
quotes, like "Your Name".
-
.TP
.B \-\-checkall (or \-c)
\fBLynis\fP performs a full check of the system, printing out the results of
each test to stdout. Additional information will be saved into a log file
-(default is /var/log/lynis.log).
+(default is /var/log/lynis.log). This option invokes scan mode "audit system".
.IP
In case the outcome of a scan needs to be automated, use the report file.
.TP
-.B \-\-check\-update (or \-\-info)
-Show program, database and update information.
-.TP
.B \-\-cronjob
Perform automatic scan with cron safe options (no colors, no questions, no
breaks).
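Review bot: the `.TH` date (10 September 2015) disagrees with PROGRAM_releasedate (13 September 2015) in the lynis hunk, and the "1.19" manual revision has no relation to program version 2.1.2; align the date with the release. The removed `--check-update (or --info)` entry gets no replacement text, so users of the old option do not learn about `update info`; add a line under the new SCAN MODES or HELPERS section, and name the helper commands in SCAN MODES rather than "see the helper utilities".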
@@ -115,14 +122,42 @@ with others. When running Lynis without any parameters, help will be shown and
the program will exit.
.RE
.PP
+.SH "HELPERS"
+Lynis has special helpers to do certain tasks. This way the framework of Lynis is
+used, while at the same time storing most of the functionality in a separated
+file. This speeds up execution and keeps the code clean.
+
+.B audit
+Run audit on the system or on other targets
+
+.B update
+Run updater utility
+
+To use a helper, run Lynis followed by the helper name.
+
+.SH "EXIT CODES"
+Lynis uses exit codes to signal any invoking script. Currently the following codes are used:
+.IP 0
+Program exited normally, nothing found
+.IP 1
+Fatal error
+.IP 64
+An unknown parameter is used, or incomplete
+.IP 65
+Incorrect data encountered
+.IP 66
+Can't open file or directory
+.IP 78
+Lynis found 1 or more warnings or configurations errors
+
.SH "BUGS"
-Discovered a bug? Please report them via e-mail (lynis-dev@cisofy.com) or via GitHub: https://github.com/CISOfy/Lynis
-.RE
-.PP
+Bugs can be reported via GitHub at https://github.com/CISOfy/lynis
+
+.SH "DOCUMENTATION"
+Supporting documentation can be found via https://cisofy.com/documentation/lynis/
+
.SH "LICENSING"
-Lynis is licensed with the GPL v3 license and under development by CISOfy and Michael Boelen. Plugins have their own license.
-.RE
-.PP
-.SH "CONTACT INFORMATION"
+Lynis is licensed as GPL v3, written by Michael Boelen. Development is supported by CISOfy. Plugins may have their own license.
-Support and project related questions are addressed via https://cisofy.com/support/.
+.SH "CONTACT INFORMATION"
+Support requests and project related questions can be addressed via e-mail: lynis-dev@cisofy.com.
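Review bot: the EXIT CODES table should match the code: 1 is documented as "Fatal error", yet the unreadable-profile path in the lynis hunk still uses a bare `exit 1` where 66 now applies, and "An unknown parameter is used, or incomplete" reads better as "Unknown or incomplete parameter". The removed "Support and project related questions" line now sits between the new LICENSING text and the new CONTACT INFORMATION heading; check the hunk applies as intended, with CONTACT INFORMATION containing only the e-mail line.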