diff options
| author | Michael Boelen <michael.boelen@cisofy.com> | 2019-07-15 19:55:10 +0300 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2019-07-15 19:55:10 +0300 |
| commit | 7728213ac40ab3beb72c1e05c955ce021217c1e8 (patch) | |
| tree | 8698846213c70166b6a2368400796bf97de8aeae | |
| parent | 8400849c58ef05b6a045d6d43013e85e66beaa60 (diff) | |
| parent | 5cc5ecf534371b7eea6f7666b7b6e798d5d10de2 (diff) | |
Merge branch 'master' into docu
| -rw-r--r-- | CHANGELOG.md | 10 | ||||
| -rw-r--r-- | db/tests.db | 4 | ||||
| -rw-r--r-- | include/binaries | 11 | ||||
| -rw-r--r-- | include/consts | 1 | ||||
| -rw-r--r-- | include/functions | 56 | ||||
| -rw-r--r-- | include/helper_generate | 14 | ||||
| -rw-r--r-- | include/profiles | 8 | ||||
| -rw-r--r-- | include/report | 36 | ||||
| -rw-r--r-- | include/tests_homedirs | 63 | ||||
| -rw-r--r-- | include/tests_insecure_services | 75 | ||||
| -rw-r--r-- | include/tests_kernel | 103 | ||||
| -rw-r--r-- | include/tests_scheduling | 1 | ||||
| -rw-r--r-- | include/tests_ssh | 4 | ||||
| -rwxr-xr-x | lynis | 139 |
14 files changed, 343 insertions, 182 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index 17c5492b..47215980 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -23,13 +23,16 @@ measures to further tighten any possible misuse. - Security: test if setuid bit is set on Lynis binary - New function: DisplayWarning - show a warning on the screen - New function: Equals - compare two strings +- New function: GetReportData - retrieve earlier stored data - New function: Readonly - mark variable read-only (security) - New function: SafeFile - test file type and call permission check - New function: SafeInput - check for safe input (security) - New profile option: disable-plugin - disables a single plugin - New profile option: ssl-certificate-paths-to-ignore - ignore a path - New test: CRYP-7930 - disk or file system encryption testing -- New test: PROC-3802 - Check presence of prelink tooling +- New test: INSE-8314 - test for NIS client +- New test: INSE-8316 - test for NIS server +- New test: PROC-3802 - check presence of prelink tooling - New report key: openssh_daemon_running - New command: lynis generate systemd-units - Measure timing of tests and report slow tests (10+ seconds) @@ -41,13 +44,18 @@ measures to further tighten any possible misuse. - Security: the 'nounset' (set -u) parameter is now activated by default - Use only locations from PATH environment variable, unless it is not defined - Show 'lynis generate hostids' when they are missing +- INSE-8116 - added rsync service +- INSE-8342 - renamed to INSE-8304 +- KRNL-5820 - extended check to include limits.d directory - NAME-4408 - corrected Report function call - NETW-3032 - small rewrite of test and extended with addrwatch - PROC-3602 - allow different root directory - PROC-3612 - show 'Not found' instead of 'OK' - PROC-3614 - show 'Not found' instead of 'OK' +- SCHD-7702 - removed hardening points - SSH-7402 - detect other SSH daemons like dropbear - SSH-7406 - strip OpenSSH patch version and remove characters (carriage return) +- SSH-7408 - changed text in suggestion and report - Show changelog works again for newer versions - systemd service file adjusted - bash completion script extended diff --git a/db/tests.db b/db/tests.db index cd978c50..56faba09 100644 --- a/db/tests.db +++ b/db/tests.db @@ -181,6 +181,10 @@ INSE-8116:test:security:insecure_services::Insecure services enabled via xinetd: INSE-8200:test:security:insecure_services::Usage of TCP wrappers: INSE-8300:test:security:insecure_services::Presence of rsh client: INSE-8302:test:security:insecure_services::Presence of rsh server: +INSE-8310:test:security:insecure_services::Presence of telnet client: +INSE-8312:test:security:insecure_services::Presence of telnet server: +INSE-8314:test:security:insecure_services::Presence of NIS client: +INSE-8316:test:security:insecure_services::Presence of NIS server: KRNL-5622:test:security:kernel:Linux:Determine Linux default run level: KRNL-5677:test:security:kernel:Linux:Check CPU options and support: KRNL-5695:test:security:kernel:Linux:Determine Linux kernel version and release number: diff --git a/include/binaries b/include/binaries index d894caf9..0fbefe46 100644 --- a/include/binaries +++ b/include/binaries @@ -304,12 +304,11 @@ [ "${WCBINARY:-}" ] || ExitFatal "wc binary not found" # Test a few other tools that we did not specifically define (yet) - TOOLS="xxd" - for T in ${TOOLS}; do - DATA=$(type ${T}) - if [ $? -gt 0 ]; then ExitFatal "${T} binary not found"; fi - done - + #TOOLS="xxd" + #for T in ${TOOLS}; do + # DATA=$(type ${T}) + # if [ $? -gt 0 ]; then ExitFatal "${T} binary not found"; fi + #done else LogText "Result: checking of binaries skipped in this mode" diff --git a/include/consts b/include/consts index 67a18733..343567df 100644 --- a/include/consts +++ b/include/consts @@ -327,7 +327,6 @@ unset LANG HPTOTAL=0 # Maximum number of hardening points LOG_INCORRECT_OS=1 # Log tests with incorrect OS NEVERBREAK=0 # Don't wait for user input - PENTESTINGMODE=0 # Try tests without root privileges QUICKMODE=1 # Don't wait for user input QUIET=0 # Show normal messages and warnings as well SKIPLOGTEST=0 # Skip logging for one test diff --git a/include/functions b/include/functions index 16cef804..c8f689e7 100644 --- a/include/functions +++ b/include/functions @@ -52,6 +52,7 @@ # FileIsEmpty Check if a file is empty # FileIsReadable Check if a file is readable or directory accessible # GetHostID Retrieve an unique ID for this host +# GetReportData Request data from report # HasData Checks for data in variable # InsertSection Insert a section block # InsertPluginSection Insert a section block for plugins @@ -1176,6 +1177,47 @@ fi } + + ################################################################################ + # Name : GetReportData() + # Description : Request data from report + # Returns : Data (when matches were found) + # Exit code: True (0) or False (1) when search was cancelled + ################################################################################ + + GetReportData() { + KEY="" + VALID_CHARS="[:alnum:]/:;\-,\._\[\]\n " + if [ $# -eq 0 ]; then ExitFatal "No parameters provided to GetReportData() function"; fi + + while [ $# -ge 1 ]; do + case $1 in + --key) + shift + KEY="$1" + ;; + --valid-chars) + shift + VALID_CHARS="$1" + ;; + *) + ExitFatal "Invalid option provided to GetReportData() function" + ;; + esac + # Go to next parameter + shift + done + + if [ "${REPORTFILE}" = "/dev/null" ]; then + return 1 + else + ${AWKBINARY} -v pattern="^${KEY}" -F= '$1 ~ pattern {print $2}' ${REPORTFILE} | ${TRBINARY} -cd "${VALID_CHARS}" | ${TRBINARY} '[:blank:]' '__space__' + + fi + return 0 + } + + ################################################################################ # Name : HasData() # Description : Check for a filled variable @@ -2742,9 +2784,8 @@ fi # Check file permissions if [ ! -f "$1" ]; then - LogText "Fatal error: file $1 does not exist. Quitting." - echo "Fatal error: file $1 does not exist" - ExitFatal + LogText "Fatal error: file $1 does not exist." + ExitFatal "Fatal error: file $1 does not exist" else PERMS=$(ls -l $1) @@ -2771,21 +2812,22 @@ # Owner permissions OWNER_PERMS=$(echo ${PERMS} | cut -c2-4) if [ ! "${OWNER_PERMS}" = "rw-" -a ! "${OWNER_PERMS}" = "r--" ]; then - echo "Fatal error: permissions of file $1 are not strict enough. Access to 'owner' should be read-write, or read. Change with: chmod 600 $1" + echo "Fatal error: permissions of file $1 are not strict enough. Access to 'owner' should be read-write, or read. Change with: chmod u=rw $1" ExitFatal fi - # Owner permissions + # Group permissions + # TODO - harden this even more by setting default to read-only for group (like 'other') GROUP_PERMS=$(echo ${PERMS} | cut -c5-7) if [ ! "${GROUP_PERMS}" = "rw-" -a ! "${GROUP_PERMS}" = "r--" -a ! "${GROUP_PERMS}" = "---" ]; then - echo "Fatal error: permissions of file $1 are not strict enough. Access to 'group' should be read-write, read, or none. Change with: chmod 600 $1" + echo "Fatal error: permissions of file $1 are not strict enough. Access to 'group' should be read-write, read, or none. Change with: chmod g=r $1" ExitFatal fi # Other permissions OTHER_PERMS=$(echo ${PERMS} | cut -c8-10) if [ ! "${OTHER_PERMS}" = "---" -a ! "${OTHER_PERMS}" = "r--" ]; then - echo "Fatal error: permissions of file $1 are not strict enough. Access to 'other' should be denied or read-only. Change with: chmod 600 $1" + echo "Fatal error: permissions of file $1 are not strict enough. Access to 'other' should be denied or read-only. Change with: chmod o=r $1" ExitFatal fi # Set PERMS_OK to 1 if no fatal errors occurred diff --git a/include/helper_generate b/include/helper_generate index 31dba7ec..30044705 100644 --- a/include/helper_generate +++ b/include/helper_generate @@ -43,8 +43,18 @@ if [ $# -gt 0 ]; then fi # Generate random host IDs - HOSTID=$(head -c20 < /dev/urandom | xxd -c 20 -p) - HOSTID2=$(head -c32 < /dev/urandom | xxd -c 32 -p) + case "${OS}" in + "AIX") + # hexdump does not exist on AIX + HOSTID=$(head -c20 < /dev/urandom | xxd -c 20 -p) + HOSTID2=$(head -c32 < /dev/urandom | xxd -c 32 -p) + ;; + *) + # xxd does not exist on FreeBSD + HOSTID=$(head -c20 < /dev/urandom | hexdump -ve '"%.2x"') + HOSTID2=$(head -c32 < /dev/urandom | hexdump -ve '"%.2x"') + ;; + esac ${ECHOCMD} "Generated host identifiers" ${ECHOCMD} "- hostid: ${HOSTID}" diff --git a/include/profiles b/include/profiles index f8935ece..ad5e6b07 100644 --- a/include/profiles +++ b/include/profiles @@ -35,10 +35,8 @@ # Show deprecation message for old config entries FOUND=0 - #DATA=$(egrep "^config:" ${PROFILE} | od --address-radix=none -t a | sed 's/ /!space!/g') - #if ! IsEmpty "${DATA}"; then FOUND=1; fi - # Items such as 'apache:' - DATA=$(egrep "^[a-z-]{1,}:" ${PROFILE} | od --address-radix=none -t a | sed 's/ /!space!/g') + # Items such as 'config:' and 'apache:' + DATA=$(egrep "^[a-z-]{1,}:" ${PROFILE} | od -An -ta | sed 's/ /!space!/g') # od -An (no file offset), -ta (named character, to be on safe side) if ! IsEmpty "${DATA}"; then FOUND=1; fi if [ ${FOUND} -eq 1 ]; then @@ -49,7 +47,7 @@ fi # Security check for unexpected and possibly harmful escape characters - DATA=$(grep -v '^$\|^ \|^#\|^config:' ${PROFILE} | tr -d '[:alnum:]/\[\]\(\)\-_\|,\.:;= \n\r' | od --address-radix=none -t a | sed 's/ /!space!/g') + DATA=$(grep -v '^$\|^ \|^#\|^config:' ${PROFILE} | tr -d '[:alnum:]/\[\]\(\)\-_\|,\.:;= \n\r' | od -An -ta | sed 's/ /!space!/g') if ! IsEmpty "${DATA}"; then DisplayWarning "Your profile '${PROFILE}' contains unexpected characters. See the log file for more information." LogText "Found unexpected or possibly harmful characters in the profile. See output below." diff --git a/include/report b/include/report index 2df666e4..88d75ce0 100644 --- a/include/report +++ b/include/report @@ -22,8 +22,7 @@ # ################################################################################# # - - # Add data fields to report file + # Add additional data fields to the report file at the end of the scan Report "dhcp_client_running=${DHCP_CLIENT_RUNNING}" Report "arpwatch_running=${ARPWATCH_RUNNING}" @@ -37,10 +36,11 @@ Report "package_audit_tool=${PACKAGE_AUDIT_TOOL}" Report "package_audit_tool_found=${PACKAGE_AUDIT_TOOL_FOUND}" Report "vulnerable_packages_found=${VULNERABLE_PACKAGES_FOUND}" - - +# +################################################################################# +# # Hardening Index - + # # Goal: # Provide a visual way to show how much the system is hardened # @@ -95,8 +95,9 @@ HPGRAPH="[${HPCOLOR}${HPBLOCKS}${NORMAL}${HPEMPTY}]" LogText "Hardening index : [${HPINDEX}] [${HPBLOCKS}${HPEMPTY}]" LogText "Hardening strength: ${HIDESCRIPTION}" - - +# +################################################################################# +# # Only show overview if not running in quiet mode if [ ${QUIET} -eq 0 ]; then echo ""; echo "================================================================================" @@ -108,19 +109,14 @@ LogTextBreak - # - ################################################################################# - # # Show test results overview - # - ################################################################################# - # - if [ "${CONTROL_URL_PROTOCOL}" = "" ]; then CONTROL_URL_PROTOCOL="https"; fi - if [ "${CONTROL_URL_PREPEND}" = "" ]; then CONTROL_URL_PREPEND="cisofy.com/lynis/controls/"; fi - if [ "${CONTROL_URL_APPEND}" = "" ]; then CONTROL_URL_APPEND="/"; fi - if [ "${CUSTOM_URL_PROTOCOL}" = "" ]; then CUSTOM_URL_PROTOCOL="https"; fi - if [ "${CUSTOM_URL_PREPEND}" = "" ]; then CUSTOM_URL_PREPEND="your-domain.example.org/controls/"; fi - if [ "${CUSTOM_URL_APPEND}" = "" ]; then CUSTOM_URL_APPEND="/"; fi + + if [ -z "${CONTROL_URL_PROTOCOL}" ]; then CONTROL_URL_PROTOCOL="https"; fi + if [ -z "${CONTROL_URL_PREPEND}" ]; then CONTROL_URL_PREPEND="cisofy.com/lynis/controls/"; fi + if [ -z "${CONTROL_URL_APPEND}" ]; then CONTROL_URL_APPEND="/"; fi + if [ -z "${CUSTOM_URL_PROTOCOL}" ]; then CUSTOM_URL_PROTOCOL="https"; fi + if [ -z "${CUSTOM_URL_PREPEND}" ]; then CUSTOM_URL_PREPEND="your-domain.example.org/controls/"; fi + if [ -z "${CUSTOM_URL_APPEND}" ]; then CUSTOM_URL_APPEND="/"; fi # Show warnings from logfile SWARNINGS=$(${GREPBINARY} 'Warning: ' ${LOGFILE} | sed 's/ /!space!/g') @@ -249,7 +245,7 @@ if [ ! "${PROGRAM_LV}" = "0" -a ! "${REPORTFILE}" = "" -a ! "${REPORTFILE}" = "/dev/null" ]; then # Determine if the quality of the program can be increased by filtering out the exceptions FIND=$(${GREPBINARY} "^exception" ${REPORTFILE}) - if [ ! "${FIND}" = "" ]; then + if [ -n "${FIND}" ]; then echo "" echo " ${RED}${NOTE_EXCEPTIONS_FOUND}${NORMAL}" echo " ${WHITE}${NOTE_EXCEPTIONS_FOUND_DETAILED}!${NORMAL}" diff --git a/include/tests_homedirs b/include/tests_homedirs index 045a2753..9570816b 100644 --- a/include/tests_homedirs +++ b/include/tests_homedirs @@ -37,8 +37,8 @@ Register --test-no HOME-9302 --weight L --network NO --category security --description "Create list with home directories" if [ ${SKIPTEST} -eq 0 ]; then # Read sixth field of /etc/passwd - LogText "Test: query /etc/passwd to obtain home directories" - FIND=$(${AWKBINARY} -F: '{ if ($1 !~ "#") print $6 }' /etc/passwd | ${SORTBINARY} -u) + LogText "Test: query ${ROOTDIR}etc/passwd to obtain home directories" + FIND=$(${AWKBINARY} -F: '{ if ($1 !~ "#") print $6 }' ${ROOTDIR}etc/passwd | ${SORTBINARY} -u) for I in ${FIND}; do if [ -d ${I} ]; then LogText "Result: found home directory: ${I} (directory exists)" @@ -51,6 +51,65 @@ # ################################################################################# # + # Test : HOME-9304 + # Description : Check if users' home directories permissions are 750 or more restrictive + Register --test-no HOME-9304 --weight L --network NO --category security --description "Check if users' home directories permissions are 750 or more restrictive" + if [ ${SKIPTEST} -eq 0 ]; then + # Check if users' home directories permissions are 750 or more restrictive + FOUND=0 + for LINE in "$(${CAT_BINARY} ${ROOTDIR}etc/passwd | ${EGREPBINARY} -v '^(root|halt|sync|shutdown)' | ${AWKBINARY} -F: '($7 !="/sbin/nologin" && $7 != "/bin/false") { print }')"; do + USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1) + DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6) + if [ -d ${DIR} ]; then + WRITE_GROUP_PERM=$(ls -ld ${DIR} | ${CUTBINARY} -f1 -d" " | ${CUTBINARY} -c6) + OTHER_PERMS=$(ls -ld ${DIR} | ${CUTBINARY} -f1 -d" " | ${CUTBINARY} -c8-10) + if [ ! ${WRITE_GROUP_PERM} = "-" -o ! ${OTHER_PERMS} = "---" ]; then + LogText "Result: permissions of home directory ${DIR} of user ${USER} are not strict enough. Should be 750 or more restrictive. Change with: chmod 750 ${DIR}" + FOUND=1 + fi + fi + done + + if [ ${FOUND} -eq 1 ]; then + Display --indent 2 --text "- Checking users' home directories permissions" --result "${STATUS_WARNING}" --color RED + ReportWarning ${TEST_NO} "Permissions of some users' home directories are not strict enough. Should be 750 or more restrictive." + else + Display --indent 2 --text "- Checking users' home directories permissions" --result "${STATUS_OK}" --color GREEN + LogText "Result: Ok, All users' home directories permissions are 750 or more restrictive" + fi + fi +# +################################################################################# +# + # Test : HOME-9306 + # Description : Check if users own their home directories + Register --test-no HOME-9306 --weight L --network NO --category security --description "Check if users own their home directories" + if [ ${SKIPTEST} -eq 0 ]; then + # Check if users own their home directories + FOUND=0 + for LINE in "$(${CAT_BINARY} ${ROOTDIR}etc/passwd | ${EGREPBINARY} -v '^(root|halt|sync|shutdown)' | ${AWKBINARY} -F: '($7 !="/sbin/nologin" && $7 != "/bin/false") { print }')"; do + USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1) + DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6) + if [ -d ${DIR} ]; then + OWNER=$(ls -ld ${DIR} | awk -F" " '{ print $3 }') + if [ ! ${OWNER} = ${USER} ]; then + LogText "Result: The home directory ${DIR} of user ${USER} is owned by ${OWNER}. Change with: chown ${USER} ${DIR}" + FOUND=1 + fi + fi + done + + if [ ${FOUND} -eq 1 ]; then + Display --indent 2 --text "- Checking users' home directories ownership" --result "${STATUS_WARNING}" --color RED + ReportWarning ${TEST_NO} "Owner of some users' home directories are not correctly set" + else + Display --indent 2 --text "- Checking users' home directories ownership" --result "${STATUS_OK}" --color GREEN + LogText "Result: Ok, All users own their home directories" + fi + fi +# +################################################################################# +# # Test : HOME-9310 # Description : Check for suspicious shell history files Register --test-no HOME-9310 --weight L --network NO --category security --description "Checking for suspicious shell history files" diff --git a/include/tests_insecure_services b/include/tests_insecure_services index 841189d8..c446705f 100644 --- a/include/tests_insecure_services +++ b/include/tests_insecure_services @@ -213,7 +213,7 @@ if [ ${SKIPTEST} -eq 0 ]; then XINETD_INSECURE_SERVICE_FOUND=0 - ITEMS="chargen chargen-dgram chargen-stream daytime daytime-dgram daytime-stream discard discard-dgram discard-stream echo echo-dgram echo-stream time time-dgram time-stream ntalk rexec rlogin rsh talk telnet tftp" + ITEMS="chargen chargen-dgram chargen-stream daytime daytime-dgram daytime-stream discard discard-dgram discard-stream echo echo-dgram echo-stream time time-dgram time-stream ntalk rexec rlogin rsh rsync talk telnet tftp" for SERVICE in ${ITEMS}; do LogText "Test: checking service ${SERVICE}" @@ -247,26 +247,6 @@ # ################################################################################# # - # Test : INSE-8150 - # Description : Check for rsync enabled via xinetd - #RSYNC_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/rsync" - #if [ ${XINETD_ACTIVE} -eq 1 -a -f ${RSYNC_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - #Register --test-no INSE-8150 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for rsync via xinetd" - #if [ ${SKIPTEST} -eq 0 ]; then - # LogText "Test: checking rsync presence in xinetd configuration" - # FIND=$(${GREPBINARY} "disable\s*=\s*no" ${RSYNC_XINETD_CONFIG_FILE}) - # if [ "${FIND}" = "" ]; then - # LogText "Result: rsync not enabled in ${RSYNC_XINETD_CONFIG_FILE}" - # Display --indent 6 --text "- Checking xinetd (rsync)" --result "${STATUS_DISABLED}" --color GREEN - # else - # LogText "Result: rsync enabled in ${RSYNC_XINETD_CONFIG_FILE}" - # Display --indent 6 --text "- Checking xinetd (rsync)" --result "${STATUS_ENABLED}" --color RED - # ReportSuggestion "${TEST_NO}" "Disable rsync in xinetd configuration" - # fi - #fi -# -################################################################################# -# # Test : INSE-8200 # Description : Check if tcp_wrappers is installed when inetd/xinetd is active if [ ${INETD_ACTIVE} -eq 1 -o ${XINETD_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi @@ -348,7 +328,7 @@ # # Test : INSE-8304 # Description : Check if rsh server is installed - Register --test-no INSE-8342 --weight L --network NO --category security --description "Check if rsh server is installed" + Register --test-no INSE-8304 --weight L --network NO --category security --description "Check if rsh server is installed" if [ ${SKIPTEST} -eq 0 ]; then # Check if rsh server is installed LogText "Test: Checking if rsh server is installed" @@ -412,6 +392,57 @@ Display --indent 2 --text "- Installed telnet server package" --result "${STATUS_NOT_FOUND}" --color GREEN fi fi + +# +################################################################################# +# + # Test : INSE-8314 + # Description : Check if NIS client is installed + Register --test-no INSE-8314 --weight L --network NO --category security --description "Check if NIS client is installed" + if [ ${SKIPTEST} -eq 0 ]; then + FOUND="" + LogText "Test: Checking if NIS client is installed" + PACKAGES="nis ypbind" + for PACKAGE in ${PACKAGES}; do + PackageIsInstalled "${PACKAGE}" + if [ $? -eq 0 ]; then + FOUND="${PACKAGE}" + fi + done + if [ ${FOUND} ]; then + LogText "Result: NIS client is installed" + Display --indent 2 --text "- Checking NIS client installation" --result "${STATUS_SUGGESTION}" --color YELLOW + ReportSuggestion ${TEST_NO} "NIS client should be removed as it contains numerous security exposures and have been replaced with the more secure SSH package" + else + LogText "Result: NIS client is NOT installed" + Display --indent 2 --text "- Checking NIS client installation" --result "${STATUS_OK}" --color GREEN + fi + fi +# +################################################################################# +# + # Test : INSE-8316 + # Description : Check if NIS server is installed + Register --test-no INSE-8316 --weight L --network NO --category security --description "Check if NIS server is installed" + if [ ${SKIPTEST} -eq 0 ]; then + FOUND="" + LogText "Test: Checking if NIS server is installed" + PACKAGES="nis ypserv" + for PACKAGE in ${PACKAGES}; do + PackageIsInstalled "${PACKAGE}" + if [ $? -eq 0 ]; then + FOUND="${PACKAGE}" + fi + done + if [ ${FOUND} ]; then + LogText "Result: NIS server is installed" + Display --indent 2 --text "- Checking NIS server installation" --result "${STATUS_SUGGESTION}" --color YELLOW + ReportSuggestion ${TEST_NO} "Removing the ${FOUND} package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services" + else + LogText "Result: NIS server is NOT installed" + Display --indent 2 --text "- Checking NIS server installation" --result "${STATUS_OK}" --color GREEN + fi + fi # ################################################################################# # diff --git a/include/tests_kernel b/include/tests_kernel index f89177ce..7a542c3d 100644 --- a/include/tests_kernel +++ b/include/tests_kernel @@ -31,6 +31,7 @@ CPU_NX=0 LINUXCONFIGFILE="" LINUXCONFIGFILE_ZIPPED=0 + LIMITS_DIRECTORY="${ROOTDIR}etc/security/limits.d" # ################################################################################# # @@ -234,18 +235,18 @@ # Description : Checking for available Linux kernel configuration file in /boot Register --test-no KRNL-5728 --os Linux --weight L --network NO --category security --description "Checking Linux kernel config" if [ ${SKIPTEST} -eq 0 ]; then - CHECKFILE="/boot/config-$(uname -r)" + CHECKFILE="${ROOTDIR}boot/config-$(uname -r)" if [ -f ${CHECKFILE} ]; then LINUXCONFIGFILE="${CHECKFILE}" LogText "Result: found config (${LINUXCONFIGFILE})" Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_FOUND}" --color GREEN - elif [ -f /proc/config.gz ]; then + elif [ -f ${ROOTDIR}proc/config.gz ]; then LINUXCONFIGFILE="${CHECKFILE}" LINUXCONFIGFILE_ZIPPED=1 - LogText "Result: found config: /proc/config.gz (compressed)" + LogText "Result: found config: ${ROOTDIR}proc/config.gz (compressed)" Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_FOUND}" --color GREEN else - LogText "Result: no Linux kernel configuration file found in /boot" + LogText "Result: no Linux kernel configuration file found in ${ROOTDIR}boot" Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_NOT_FOUND}" --color WHITE fi if HasData "${LINUXCONFIGFILE}"; then @@ -266,15 +267,15 @@ Register --test-no KRNL-5730 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking disk I/O kernel scheduler" if [ ${SKIPTEST} -eq 0 ]; then if [ ${LINUXCONFIGFILE_ZIPPED} -eq 1 ]; then GREPTOOL="${ZGREPBINARY}"; else GREPTOOL="${GREPBINARY}"; fi - if [ ! "${GREPTOOL}" = "" ]; then + if [ -n "${GREPTOOL}" ]; then LogText "Test: Checking the default I/O kernel scheduler" LINUX_KERNEL_IOSCHED=$(${GREPTOOL} "CONFIG_DEFAULT_IOSCHED" ${LINUXCONFIGFILE} | ${AWKBINARY} -F= '{ print $2 }' | ${SEDBINARY} s/\"//g) - if [ ! "${LINUX_KERNEL_IOSCHED}" = "" ]; then + if [ -n "${LINUX_KERNEL_IOSCHED}" ]; then LogText "Result: found IO scheduler '${LINUX_KERNEL_IOSCHED}'" Display --indent 2 --text "- Checking default I/O kernel scheduler" --result "${STATUS_FOUND}" --color GREEN Report "linux_kernel_io_scheduler[]=${LINUX_KERNEL_IOSCHED}" else - LogText "Result: no default i/o kernel scheduler found" + LogText "Result: no default I/O kernel scheduler found" Display --indent 2 --text "- Checking default I/O kernel scheduler" --result "${STATUS_NOT_FOUND}" --color WHITE fi else @@ -322,8 +323,8 @@ LogText "Test: Active kernel modules (KLDs)" LogText "Description: View all active kernel modules (including kernel)" LogText "Test: Checking modules" - if [ -f ${ROOTDIR}sbin/kldstat ]; then - FIND=$(${ROOTDIR}sbin/kldstat | ${GREPBINARY} -v 'Name' | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f6) + if [ -x /sbin/kldstat ]; then + FIND=$(/sbin/kldstat | ${GREPBINARY} -v 'Name' | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f6) if [ $? -eq 0 ]; then LogText "Loaded modules according kldstat:" COUNT=0 @@ -339,7 +340,7 @@ fi else echo "[ ${WHITE}SKIPPED${NORMAL} ]" - LogText "Result: no results, can NOT find ${ROOTDIR}sbin/kldstat" + LogText "Result: no results, can NOT find /sbin/kldstat" fi fi # @@ -436,62 +437,60 @@ # Description : Checking core dumps configuration (Linux) Register --test-no KRNL-5820 --os Linux --weight L --network NO --category security --description "Checking core dumps configuration" if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: Checking presence /etc/security/limits.conf" - if [ -f /etc/security/limits.conf ]; then - LogText "Result: file /etc/security/limits.conf exists" - LogText "Test: Checking if core dumps are disabled in /etc/security/limits.conf" - FIND1=$(${GREPBINARY} -v "^#" /etc/security/limits.conf | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="1") { print "soft core enabled" } }') - FIND2=$(${GREPBINARY} -v "^#" /etc/security/limits.conf | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="1") { print "hard core enabled" } }') - if [ "${FIND1}" = "soft core enabled" -o "${FIND2}" = "hard core enabled" ]; then - LogText "Result: core dumps (soft or hard) are enabled" - Display --indent 2 --text "- Checking core dumps configuration" --result "${STATUS_ENABLED}" --color YELLOW - ReportSuggestion "${TEST_NO}" "Check if core dumps need to be enabled on this system" - AddHP 1 2 - else + # Limits option + LogText "Test: Checking presence ${ROOTDIR}etc/security/limits.conf" + if [ -f ${ROOTDIR}etc/security/limits.conf ]; then + LogText "Result: file ${ROOTDIR}etc/security/limits.conf exists" + LogText "Test: Checking if core dumps are disabled in ${ROOTDIR}etc/security/limits.conf and ${ROOTDIR}etc/security/limits.d/*" + FIND1=$(${GREPBINARY} -r -v "^#" ${ROOTDIR}etc/security/limits.conf ${LIMITS_DIRECTORY} | ${AWKBINARY} -F ":" '{print $2}' | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="0") { print "soft core disabled" } else if ($1=="*" && $2=="soft" && $3=="core" && $4!="0") { print "soft core enabled" } }') + FIND2=$(${GREPBINARY} -r -v "^#" ${ROOTDIR}etc/security/limits.conf ${LIMITS_DIRECTORY} | ${AWKBINARY} -F ":" '{print $2}' | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="0") { print "hard core disabled" } else if ($1=="*" && $2=="hard" && $3=="core" && $4!="0") { print "hard core enabled" } }') + if [ "${FIND2}" = "hard core disabled" ]; then LogText "Result: core dumps (soft and hard) are both disabled" Display --indent 2 --text "- Checking core dumps configuration" --result "${STATUS_DISABLED}" --color GREEN CORE_DUMPS_DISABLED=1 AddHP 3 3 - fi - - # Sysctl option - LogText "Test: Checking sysctl value of fs.suid_dumpable" - FIND=$(${SYSCTLBINARY} fs.suid_dumpable 2> /dev/null | ${AWKBINARY} '{ if ($1=="fs.suid_dumpable") { print $3 } }') - if [ -z "${FIND}" ]; then - LogText "Result: sysctl key fs.suid_dumpable not found" - else - LogText "Result: value ${FIND} found" - fi - if [ "${FIND}" = "2" ]; then - LogText "Result: programs can dump core dump, but only readable by root (value 2, for debugging with file protection)" - Display --indent 4 --text "- Checking setuid core dumps configuration" --result PROTECTED --color GREEN - AddHP 1 1 - elif [ "${FIND}" = "1" ]; then - LogText "Result: all programs can perform core dumps (value 1, for debugging)" - Display --indent 2 --text "- Checking setuid core dumps configuration" --result DEBUG --color YELLOW - ReportSuggestion "${TEST_NO}" "Determine if all binaries need to be able to core dump" - AddHP 0 1 + elif [ "${FIND1}" = "soft core enabled" -o "${FIND2}" = "hard core enabled" ]; then + LogText "Result: core dumps (soft or hard) are enabled" + Display --indent 2 --text "- Checking core dumps configuration" --result "${STATUS_ENABLED}" --color YELLOW + ReportSuggestion "${TEST_NO}" "Check if core dumps need to be enabled on this system" + AddHP 1 3 else - LogText "Result: found default option, some programs can dump (not processes which need to change credentials)" - Display --indent 4 --text "- Checking setuid core dumps configuration" --result DEFAULT --color WHITE - AddHP 1 1 + LogText "Result: core dumps are not explicitly disabled" + Display --indent 2 --text "- Checking core dumps configuration" --result "${STATUS_NOT_FOUND}" --color WHITE + ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in /etc/security/limits.conf file" + AddHP 2 3 fi else - LogText "Result: file /etc/security/limits.conf does not exist, skipping test" + LogText "Result: file ${ROOTDIR}etc/security/limits.conf does not exist, skipping test" fi # TODO: Check ulimit settings in /etc/profile and /etc/profile.d + # Sysctl option + LogText "Test: Checking sysctl value of fs.suid_dumpable" + FIND=$(${SYSCTLBINARY} fs.suid_dumpable 2> /dev/null | ${AWKBINARY} '{ if ($1=="fs.suid_dumpable") { print $3 } }') + if [ -z "${FIND}" ]; then + LogText "Result: sysctl key fs.suid_dumpable not found" + else + LogText "Result: value ${FIND} found" + fi + if [ "${FIND}" = "2" ]; then + LogText "Result: programs can dump core dump, but only readable by root (value 2, for debugging with file protection)" + Display --indent 4 --text "- Checking setuid core dumps configuration" --result PROTECTED --color GREEN + AddHP 1 1 + elif [ "${FIND}" = "1" ]; then + LogText "Result: all programs can perform core dumps (value 1, for debugging)" + Display --indent 2 --text "- Checking setuid core dumps configuration" --result DEBUG --color YELLOW + ReportSuggestion "${TEST_NO}" "Determine if all binaries need to be able to core dump" + AddHP 0 1 + else + LogText "Result: found default option, some programs can dump (not processes which need to change credentials)" + Display --indent 4 --text "- Checking setuid core dumps configuration" --result DEFAULT --color WHITE + AddHP 1 1 + fi fi # ################################################################################# # - # Test : KRNL-5826 - # Description : Checking core dumps configuration (Solaris) - #Register --test-no KRNL-5826 --os Linux --weight L --network NO --category security --description "Checking core dumps configuration" - #if [ ${SKIPTEST} -eq 0 ]; then -# -################################################################################# -# # Test : KRNL-5830 # Description : Check if system needs a reboot (Linux only) Register --test-no KRNL-5830 --os Linux --weight L --network NO --category security --description "Checking if system is running on the latest installed kernel" diff --git a/include/tests_scheduling b/include/tests_scheduling index f0f54b5b..91a89c63 100644 --- a/include/tests_scheduling +++ b/include/tests_scheduling @@ -38,7 +38,6 @@ FIND=$(${PSBINARY} aux | ${EGREPBINARY} "( cron$|/cron(d)? )") if IsEmpty "${FIND}"; then LogText "Result: no cron daemon found" - AddHP 3 3 else LogText "Result: cron daemon running" CROND_RUNNING=1 diff --git a/include/tests_ssh b/include/tests_ssh index dde395e3..8a55eabf 100644 --- a/include/tests_ssh +++ b/include/tests_ssh @@ -267,13 +267,13 @@ AddHP 3 3 elif [ "${RESULT}" = "MIDSCORED" ]; then LogText "Result: OpenSSH option ${OPTIONNAME} is configured reasonably" - ReportSuggestion ${TEST_NO} "Consider hardening SSH configuration" "${OPTIONNAME} (${FOUNDVALUE} --> ${EXPECTEDVALUE})" "-" + ReportSuggestion ${TEST_NO} "Consider hardening SSH configuration" "${OPTIONNAME} (set ${FOUNDVALUE} to ${EXPECTEDVALUE})" "-" ReportDetails --test "${TEST_NO}" --service "sshd" --field "${OPTIONNAME}" --value "${FOUNDVALUE}" --preferredvalue "${EXPECTEDVALUE}" --description "sshd option ${OPTIONNAME}" Display --indent 4 --text "- OpenSSH option: ${OPTIONNAME}" --result "${STATUS_SUGGESTION}" --color YELLOW AddHP 1 3 elif [ "${RESULT}" = "WEAK" ]; then LogText "Result: OpenSSH option ${OPTIONNAME} is in a weak configuration state and should be fixed" - ReportSuggestion ${TEST_NO} "Consider hardening SSH configuration" "${OPTIONNAME} (${FOUNDVALUE} --> ${EXPECTEDVALUE})" "-" + ReportSuggestion ${TEST_NO} "Consider hardening SSH configuration" "${OPTIONNAME} (set ${FOUNDVALUE} to ${EXPECTEDVALUE})" "-" ReportDetails --test "${TEST_NO}" --service "sshd" --field "${OPTIONNAME}" --value "${FOUNDVALUE}" --preferredvalue "${EXPECTEDVALUE}" --description "sshd option ${OPTIONNAME}" Display --indent 4 --text "- OpenSSH option: ${OPTIONNAME}" --result "${STATUS_SUGGESTION}" --color YELLOW AddHP 0 3 @@ -22,26 +22,28 @@ # ################################################################################# # - # Code quality: don't allow using undefined variables - set -o nounset + # In Solaris /bin/sh is not POSIX, but /usr/xpg4/bin/sh is. + # Switch to /usr/xpg4/bin/sh if it exists and we are not already running it. + if [ "$(uname)" = "SunOS" ]; then + test "$_" != "/usr/xpg4/bin/sh" && test -f /usr/xpg4/bin/sh && exec /usr/xpg4/bin/sh "$0" "$@" + fi # ################################################################################# # - # In Solaris /bin/sh is not POSIX, but /usr/xpg4/bin/sh is. - # Switch to /usr/xpg4/bin/sh if it exists and we are not already running it. - test "$_" != "/usr/xpg4/bin/sh" && test -f /usr/xpg4/bin/sh && exec /usr/xpg4/bin/sh "$0" "$@" + # Code quality: don't allow using undefined variables + # Notes: $_ may be empty on FreeBSD + set -o nounset # ################################################################################# # - # Program information PROGRAM_NAME="Lynis" PROGRAM_AUTHOR="CISOfy" PROGRAM_AUTHOR_CONTACT="lynis-dev@cisofy.com" # Version details - PROGRAM_RELEASE_DATE="2019-06-29" - PROGRAM_RELEASE_TIMESTAMP=1561383761 + PROGRAM_RELEASE_DATE="2019-07-14" + PROGRAM_RELEASE_TIMESTAMP=1563094548 PROGRAM_RELEASE_TYPE="dev" # dev or final PROGRAM_VERSION="3.0.0" @@ -58,7 +60,6 @@ REPORT_version_major="1"; REPORT_version_minor="0" REPORT_version="${REPORT_version_major}.${REPORT_version_minor}" - DISPLAY_LANG="${LANG}" # required by function Display to deal with multi-bytes characters. # ################################################################################# @@ -74,53 +75,31 @@ WORKDIR=$(pwd) # Test from which directories we can use all functions and tests - - INCLUDEDIR="" # Set default include directory to none - tINCLUDE_TARGETS="/usr/local/include/lynis /usr/local/lynis/include /usr/share/lynis/include ./include" # Default paths to check (CWD as last option, in case we run from standalone) - for I in ${tINCLUDE_TARGETS}; do - if [ "${I}" = "./include" ]; then - if [ -d "${WORKDIR}/include" ]; then INCLUDEDIR="${WORKDIR}/include"; fi - elif [ -d ${I} -a -z "${INCLUDEDIR}" ]; then - INCLUDEDIR=${I} - fi - done - - # Drop out if our include directory can't be found - if [ -z "${INCLUDEDIR}" ]; then - printf "%s" " -Fatal error: can't find include directory -Make sure to execute ${PROGRAM_NAME} from untarred directory or check your installation." - exit 1 + INCLUDEDIR="" + tINCLUDE_TARGETS="/usr/local/include/lynis /usr/local/lynis/include /usr/share/lynis/include ./include" # Default paths to check (CWD as last option, in case we run from standalone) + for I in ${tINCLUDE_TARGETS}; do + if [ "${I}" = "./include" ]; then + if [ -d "${WORKDIR}/include" ]; then INCLUDEDIR="${WORKDIR}/include"; fi + elif [ -d ${I} -a -z "${INCLUDEDIR}" ]; then + INCLUDEDIR=${I} fi + done - # Test for database directory - - DBDIR=""; tDB_TARGETS="/usr/local/share/lynis/db /usr/local/lynis/db /usr/share/lynis/db ./db" - for I in ${tDB_TARGETS}; do - if [ "${I}" = "./db" ]; then - if [ -d "${WORKDIR}/db" ]; then DBDIR="${WORKDIR}/db"; fi - elif [ -d ${I} -a -z "${DBDIR}" ]; then - DBDIR="${I}" - fi - done - - # Import translations. First import English to prefill all texts - if [ ! -f ${DBDIR}/languages/en ]; then - echo "Could not find languages directory (file: ${DBDIR}/languages/en)" + # Drop out if our include directory can't be found + if [ -z "${INCLUDEDIR}" ]; then + printf "%s" "\nFatal error: can't find include directory\nMake sure to execute ${PROGRAM_NAME} from untarred directory or check your installation." exit 1 - else - . ${DBDIR}/languages/en - fi - - # Auto detection of language based on locale (first two characters). Set to English when nothing found. - if [ -x "$(command -v locale 2> /dev/null)" ]; then - LANGUAGE=$(locale | egrep "^LANG=" | cut -d= -f2 | cut -d_ -f1 | egrep "^[a-z]{2}$") - fi - if [ -z "${LANGUAGE}" ]; then - #Debug "Result: no (valid) language found, setting to default language (en)" - LANGUAGE="en" fi + # Test for database directory + DBDIR=""; tDB_TARGETS="/usr/local/share/lynis/db /usr/local/lynis/db /usr/share/lynis/db ./db" + for I in ${tDB_TARGETS}; do + if [ "${I}" = "./db" ]; then + if [ -d "${WORKDIR}/db" ]; then DBDIR="${WORKDIR}/db"; fi + elif [ -d ${I} -a -z "${DBDIR}" ]; then + DBDIR="${I}" + fi + done # ################################################################################# # @@ -128,7 +107,7 @@ Make sure to execute ${PROGRAM_NAME} from untarred directory or check your insta # Check user to determine file permissions later on. If we encounter Solaris, use related id binary instead if [ -x /usr/xpg4/bin/id ]; then MYID=$(/usr/xpg4/bin/id -u 2> /dev/null) - elif [ $(uname) = "SunOS" ]; then + elif [ "$(uname)" = "SunOS" ]; then MYID=$(id | tr '=' ' ' | tr '(' ' ' | awk '{ print $2 }' 2> /dev/null) else MYID=$(id -u 2> /dev/null) @@ -137,10 +116,21 @@ Make sure to execute ${PROGRAM_NAME} from untarred directory or check your insta # ################################################################################# # -# Consts (bin paths, text strings, colors) +# Set basic values and test permissions of the files to include, such as: +# - consts: bin paths, text strings, colors +# - functions: function library # ################################################################################# # + # Determine if we are root (UID = 0) + if [ ${MYID} -eq 0 ]; then + PRIVILEGED=1 + PENTESTINGMODE=0 + else + # Set to pentesting mode if scan is with root privileges + PENTESTINGMODE=1 + fi + # Perform a basic check for permissions. After including functions, using SafePerms() IGNORE_FILE_PERMISSION_ISSUES=0 @@ -204,6 +194,41 @@ Make sure to execute ${PROGRAM_NAME} from untarred directory or check your insta # ################################################################################# # +# Language settings +# +################################################################################# +# + # Auto detection of language based on shell LANG variable. This is required by the Display() function to deal with multi-bytes characters. + DISPLAY_LANG="${LANG:-}" + # Try locale command if shell variable had no value + if [ -z "${DISPLAY_LANG}" ]; then + DISPLAY_LANG=$(locale | egrep "^LANG=" | cut -d= -f2) + fi + + # Extract the short notation of the language (first two characters). + if [ -x "$(command -v locale 2> /dev/null)" ]; then + LANGUAGE=$(locale | egrep "^LANG=" | cut -d= -f2 | cut -d_ -f1 | egrep "^[a-z]{2}$") + fi + + # Set default language: 'en' (English) if no value is set + if [ -z "${LANGUAGE}" ]; then + LANGUAGE="en" + fi + + # Import translations. First import English to prefill all texts + if [ -f ${DBDIR}/languages/en ]; then + if SafeFile "${DBDIR}/languages/en"; then + . ${DBDIR}/languages/en + else + ExitFatal "Incorrect ownership or permissions of language file (${DBDIR}/languages/en)" + fi + else + echo "Could not find languages directory (file: ${DBDIR}/languages/en)" + exit 1 + fi +# +################################################################################# +# # Traps # ################################################################################# @@ -222,14 +247,6 @@ Make sure to execute ${PROGRAM_NAME} from untarred directory or check your insta SafePerms ${INCLUDEDIR}/parameters . ${INCLUDEDIR}/parameters - # Now determine if we are root (UID = 0) - if [ ${MYID} -eq 0 ]; then - PRIVILEGED=1 - else - Debug "Starting Lynis non-privileged" - # Implied pentesting mode if not performed by root user - PENTESTINGMODE=1 - fi # Disable logging if no alternative was provided if [ ${PRIVILEGED} -eq 0 ]; then |