authormboelen <michael@cisofy.com>2014-08-26 19:33:55 +0400
committermboelen <michael@cisofy.com>2014-08-26 19:33:55 +0400
commitc0ae2e217b7f1fb0171017ce5afb8eb8898470db (patch)
tree545aa150c35c5fb74d7bb4c2d3b0ae41cfa7b4e5 /include
Initial import
Diffstat (limited to 'include')
-rw-r--r--include/binaries166
-rw-r--r--include/consts182
-rw-r--r--include/data_upload110
-rw-r--r--include/functions974
-rw-r--r--include/osdetection376
-rw-r--r--include/parameters184
-rw-r--r--include/profiles186
-rw-r--r--include/report223
-rw-r--r--include/tests_accounting398
-rw-r--r--include/tests_authentication1325
-rw-r--r--include/tests_banners250
-rw-r--r--include/tests_boot_services522
-rw-r--r--include/tests_crypto72
-rw-r--r--include/tests_custom.template59
-rw-r--r--include/tests_databases154
-rw-r--r--include/tests_file_integrity217
-rw-r--r--include/tests_file_permissions59
-rw-r--r--include/tests_filesystems565
-rw-r--r--include/tests_firewalls296
-rw-r--r--include/tests_hardening140
-rw-r--r--include/tests_hardening_tools52
-rw-r--r--include/tests_homedirs125
-rw-r--r--include/tests_insecure_services117
-rw-r--r--include/tests_kernel458
-rw-r--r--include/tests_kernel_hardening69
-rw-r--r--include/tests_ldap105
-rw-r--r--include/tests_logging482
-rw-r--r--include/tests_mac_frameworks188
-rw-r--r--include/tests_mail_messaging269
-rw-r--r--include/tests_malware185
-rw-r--r--include/tests_memory_processes132
-rw-r--r--include/tests_nameservices607
-rw-r--r--include/tests_networking450
-rw-r--r--include/tests_php281
-rw-r--r--include/tests_ports_packages797
-rw-r--r--include/tests_printers_spools215
-rw-r--r--include/tests_scheduling234
-rw-r--r--include/tests_shells216
-rw-r--r--include/tests_snmp105
-rw-r--r--include/tests_solaris69
-rw-r--r--include/tests_squid384
-rw-r--r--include/tests_ssh295
-rw-r--r--include/tests_storage117
-rw-r--r--include/tests_storage_nfs181
-rw-r--r--include/tests_tcpwrappers47
-rw-r--r--include/tests_time428
-rw-r--r--include/tests_tooling78
-rw-r--r--include/tests_virtualization97
-rw-r--r--include/tests_webservers695
49 files changed, 13936 insertions, 0 deletions
diff --git a/include/binaries b/include/binaries
new file mode 100644
index 00000000..07bd557c
--- /dev/null
+++ b/include/binaries
@@ -0,0 +1,166 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# Check which tools are installed
+#
+#################################################################################
+#
+ COMPILER_INSTALLED=0
+ IDLE_SESSION_KILLER_INSTALLED=0
+ MALWARE_SCANNER_INSTALLED=0
+#
+#################################################################################
+#
+ InsertSection "System Tools"
+#
+#################################################################################
+#
+ Display --indent 2 --text "- Scanning available tools..."
+ logtext "Start scanning for available audit binaries and tools..."
+
+ # Test : FILE-7502
+ # Description : Check all system binaries
+ # Notes : Always perform test, dependency for many other tests
+ Register --test-no FILE-7502 --weight L --network NO --description "Check all system binaries"
+ #if [ ${SKIPTEST} -eq 0 ]; then
+ SCANNEDPATHS=""; N=0
+ Display --indent 2 --text "- Checking system binaries..."
+ logtext "Status: Starting binary scan..."
+ for SCANDIR in ${BINPATHS}; do
+ logtext "Test: Checking binaries in directory ${SCANDIR}"
+ if [ -d ${SCANDIR} ]; then
+ Display --indent 4 --text "- Checking ${SCANDIR}... " --result FOUND --color GREEN
+ SCANNEDPATHS="${SCANNEDPATHS}, ${SCANDIR}"
+ logtext "Directory ${SCANDIR} exists. Starting directory scanning..."
+ FIND=`ls ${SCANDIR}`
+ for I in ${FIND}; do
+ N=`expr ${N} + 1`
+ BINARY="${SCANDIR}/${I}"
+ logtext "Binary: ${BINARY}"
+ # Optimized, much quicker (limited file access needed)
+ case ${I} in
+ aa-status) APPARMORFOUND=1; AASTATUSBINARY=${BINARY}; logtext " Found known binary: aa-status (apparmor component) - ${BINARY}" ;;
+ afick.pl) AFICKFOUND=1; AFICKBINARY=${BINARY}; logtext " Found known binary: afick (file integrity checker) - ${BINARY}" ;;
+ aide) AIDEFOUND=1; AIDEBINARY=${BINARY}; logtext " Found known binary: aide (file integrity checker) - ${BINARY}" ;;
+ apache2) if [ -f ${BINARY} ]; then HTTPDFOUND=1; HTTPDBINARY=${BINARY}; logtext " Found known binary: apache2 (web server) - ${BINARY}"; fi ;;
+ auditd) AUDITDFOUND=1; AUDITDBINARY=${BINARY}; logtext " Found known binary: auditd (audit framework) - ${BINARY}" ;;
+ awk) if [ -f ${BINARY} ]; then AWKFOUND=1; AWKBINARY=${BINARY}; logtext " Found known binary: awk (string tool) - ${BINARY}"; fi ;;
+ dig) DIGFOUND=1; DIGBINARY=${BINARY}; logtext " Found known binary: dig (nameservice tool) - ${BINARY}" ;;
+ as) ASFOUND=1; ASBINARY="${BINARY}"; COMPILER_INSTALLED=1; logtext " Found known binary: as (compiler) - ${BINARY}" ;;
+ auditctl) AUDITCTLFOUND=1; AUDITCTLBINARY="${BINARY}"; logtext " Found known binary: auditctl (control utility for audit daemon) - ${BINARY}" ;;
+ autolog) AUTOLOGFOUND=1; AUTOLOGBINARY="${BINARY}"; IDLE_SESSION_KILLER_INSTALLED=1; logtext " Found known binary: autolog (idle session killer) - ${BINARY}" ;;
+ chkconfig) CHKCONFIGFOUND=1; CHKCONFIGBINARY=${BINARY}; logtext " Found known binary: chkconfig (administration tool) - ${BINARY}" ;;
+ clamscan) CLAMSCANFOUND=1; CLAMSCANBINARY=${BINARY}; logtext " Found known binary: clamscan (AV scanner) - ${BINARY}" ;;
+ cfagent) CFAGENTFOUND=1; CFAGENTBINARY="${BINARY}"; FILE_INT_TOOL_FOUND=1; logtext " Found known binary: cfengine agent (configuration tool) - ${BINARY}" ;;
+ chkrootkit) CHKROOTKITFOUND=1; CHKROOTKITBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; logtext " Found known binary: chkrootkit (malware scanner) - ${BINARY}" ;;
+ curl) CURLFOUND=1; CURLBINARY="${BINARY}"; logtext " Found known binary: curl (browser) - ${BINARY}" ;;
+ dig) if [ -f ${BINARY} ]; then DIGFOUND=1; DIGBINARY=${BINARY}; logtext " Found known binary: dig (network/dns tool) - ${BINARY}"; fi ;;
+ dnsdomainname) DNSDOMAINNAMEFOUND=1; DNSDOMAINNAMEBINARY="${BINARY}"; logtext " Found known binary: dnsdomainname (DNS domain) - ${BINARY}" ;;
+ domainname) DOMAINNAMEFOUND=1; DOMAINNAMEBINARY="${BINARY}"; logtext " Found known binary: domainname (NIS domain) - ${BINARY}" ;;
+ egrep) EGREPFOUND=1; EGREPBINARY=${BINARY}; logtext " Found known binary: egrep (text search) - ${BINARY}" ;;
+ exim) EXIMFOUND=1; EXIMBINARY="${BINARY}"; EXIMVERSION=`${BINARY} -bV | grep 'Exim version' | awk '{ print $3 }' | xargs`; logtext "Found ${BINARY} (version ${EXIMVERSION})" ;;
+ find) FINDFOUND=1; FINDBINARY="${BINARY}"; logtext " Found known binary: find (search tool) - ${BINARY}" ;;
+ g++) GPLUSPLUSFOUND=1; GPLUSPLUSBINARY="${BINARY}"; COMPILER_INSTALLED=1; logtext " Found known binary: g++ (compiler) - ${BINARY}" ;;
+ # additional file check due to existance /usr/libexec/gcc (directory)
+ gcc) if [ -f ${BINARY} ]; then GCCBINARY="${BINARY}"; COMPILER_INSTALLED=1; logtext " Found known binary: gcc (compiler) - ${BINARY}"; fi ;;
+ grep) GREPFOUND=1; GREPBINARY=${BINARY}; logtext " Found known binary: grep (text search) - ${BINARY}" ;;
+ httpd2-prefork) HTTPDFOUND=1; HTTPDBINARY=${BINARY}; logtext " Found known binary: apache2 (web server) - ${BINARY}" ;;
+ lvdisplay) LVDISPLAYBINARY="${BINARY}"; logtext " Found known binary: lvdisplay (LVM tool) - ${BINARY}" ;;
+ named-checkconf) NAMEDCHECKCONFIGFOUND=1; NAMEDCHECKCONFBINARY="${BINARY}"; logtext " Found known binary: named-checkconf (BIND configuration analyzer) - ${BINARY}" ;;
+ grpck) GRPCKFOUND=1; GRPCKBINARY="${BINARY}"; logtext " Found known binary: grpck (consistency checker) - ${BINARY}" ;;
+ httpd) if [ -f ${BINARY} ]; then HTTPDFOUND=1; HTTPDBINARY="${BINARY}"; logtext " Found known binary: httpd (web server) - ${BINARY}"; fi ;;
+ ip) IPFOUND=1; IPBINARY="${BINARY}"; logtext " Found known binary: ip (IP configuration) - ${BINARY}" ;;
+ ipf) IPFFOUND=1; IPFBINARY="${BINARY}"; logtext " Found known binary: ipf (firewall) - ${BINARY}" ;;
+ ifconfig) IFCONFIGFOUND=1; IFCONFIGBINARY="${BINARY}"; logtext " Found known binary: ipconfig (IP configuration) - ${BINARY}" ;;
+ iptables) if [ -f ${BINARY} ]; then IPTABLESFOUND=1; IPTABLESBINARY="${BINARY}"; logtext " Found known binary: iptables (firewall) - ${BINARY}"; fi ;;
+ kldstat) KLDSTATFOUND=1; KLDSTATBINARY="${BINARY}"; logtext " Found known binary: kldstat (kernel modules) - ${BINARY}" ;;
+ kstat) KSTATFOUND=1; KSTATBINARY="${BINARY}"; logtext " Found known binary: kstat (kernel statistics) - ${BINARY}" ;;
+ locate) LOCATEFOUND=1; LOCATEBINARY="${BINARY}"; logtext " Found known binary: locate (file database) - ${BINARY}" ;;
+ logrotate) LOGROTATEFOUND=1; LOGROTATEBINARY="${BINARY}"; logtext " Found known binary: logrotate (log rotation tool) - ${BINARY}" ;;
+ ls) LSFOUND=1; LSBINARY="${BINARY}"; logtext " Found known binary: ls (file listing) - ${BINARY}" ;;
+ lsattr) LSATTRFOUND=1; LSATTRBINARY="${BINARY}"; logtext " Found known binary: lsattr (file attributes) - ${BINARY}" ;;
+ lsmod) LSMODFOUND=1; LSMODBINARY="${BINARY}"; logtext " Found known binary: lsmod (kernel modules) - ${BINARY}" ;;
+ lsof) LSOFFOUND=1; LSOFBINARY="${BINARY}"; logtext " Found known binary: lsof (open files) - ${BINARY}" ;;
+ lynx) LYNXFOUND=1; LYNXBINARY="${BINARY}"; LYNXVERSION=`${BINARY} -version | grep "^Lynx Version" | cut -d ' ' -f3`; logtext "Found known binary: lynx (browser) - ${BINARY} (version ${LYNXVERSION})" ;;
+ md5) MD5FOUND=1; MD5BINARY="${BINARY}"; logtext " Found ${BINARY}" ;;
+ md5sum) MD5FOUND=1; MD5BINARY="${BINARY}"; logtext " Found ${BINARY}" ;;
+ mtree) MTREEFOUND=1; MTREEBINARY="${BINARY}"; logtext " Found known binary: mtree (mapping directory tree) - ${BINARY}" ;;
+ mysql) MYSQLCLIENTFOUND=1; MYSQLCLIENTBINARY="${BINARY}"; MYSQLCLIENTVERSION=`${BINARY} -V | awk '{ if ($4=="Distrib") { print $5 }}' | sed 's/,//g'` ; logtext "Found ${BINARY} (version: ${MYSQLCLIENTVERSION})" ;;
+ netstat) NETSTATFOUND=1; NETSTATBINARY="${BINARY}"; logtext " Found ${BINARY}" ;;
+ nmap) NMAPFOUND=1; NMAPBINARY="${BINARY}"; NMAPVERSION=`${BINARY} -V | grep "^Nmap version" | awk '{ print $3 }'`; logtext "Found ${BINARY} (version ${NMAPVERSION})" ;;
+ ntpq) NTPQFOUND=1; NTPQBINARY="${BINARY}"; logtext " Found known binary ntpq (time daemon client) - ${BINARY}" ;;
+ osiris) OSIRISFOUND=1; OSIRISBINARY="${BINARY}"; logtext " Found known binary: osiris - ${BINARY}" ;;
+ openssl) OPENSSLFOUND=1; OPENSSLBINARY="${BINARY}"; OPENSSLVERSION=`${BINARY} version 2> /dev/null | head -n 1 | awk '{ print $2 }' | xargs`; logtext "Found ${BINARY} (version ${OPENSSLVERSION})" ;;
+ pacman) PACMANFOUND=1; PACMANBINARY="${BINARY}"; logtext " Found known binary: pacman (package manager) - ${BINARY}" ;;
+ perl) PERLFOUND=1; PERLBINARY="${BINARY}"; PERLVERSION=`${BINARY} -V:version | sed 's/^version=//' | sed 's/;//' | xargs`; logtext "Found ${BINARY} (version ${PERLVERSION})" ;;
+ php) PHPFOUND=1; PHPBINARY="${BINARY}"; PHPVERSION=`${BINARY} -v | awk '{ if ($1=="PHP") { print $2 }}' | head -1`; logtext "Found known binary: php (programming language) - ${BINARY} (version ${PHPVERSION})" ;;
+ postconf) POSTCONFFOUND=1; POSTCONFBINARY="${BINARY}"; logtext " Found known binary: postconf (postfix configuration) - ${BINARY}" ;;
+ postfix) POSTFIXFOUND=1; POSTFIXBINARY="${BINARY}"; logtext " Found known binary: postfix (postfix binary) - ${BINARY}" ;;
+ prelink) PRELINKFOUND=1; PRELINKBINARY="${BINARY}"; logtext " Found known binary: prelink (system optimizer) - ${BINARY}" ;;
+ pfctl) PFCTLFOUND=1; PFCTLBINARY="${BINARY}"; logtext " Found known binary: pfctl (client to pf firewall) - ${BINARY}" ;;
+ ps) PSFOUND=1; PSBINARY="${BINARY}"; logtext " Found known binary: ps (process listing) - ${BINARY}" ;;
+ puppet) PUPPETFOUND=1; PUPPETBINARY="${BINARY}"; logtext " Found known binary: puppet (automation tooling) - ${BINARY}" ;;
+ puppetmasterd) PUPPETMASTERDFOUND=1; PUPPETMASTERDBINARY="${BINARY}"; logtext " Found known binary: puppetmasterd (puppet master daemon) - ${BINARY}" ;;
+ readlink) READLINKFOUND=1; READLINKBINARY="${BINARY}"; logtext " Found known binary: readlink (follows symlinks) - ${BINARY}" ;;
+ rkhunter) RKHUNTERFOUND=1; RKHUNTERBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; logtext " Found known binary: rkhunter (malware scanner) - ${BINARY}" ;;
+ rpcinfo) RPCINFOFOUND=1; RPCINFOBINARY="${BINARY}"; logtext " Found known binary: rpcinfo (RPC information) - ${BINARY}" ;;
+ rpm) RPMFOUND=1; RPMBINARY="${BINARY}"; logtext " Found known binary: rpm (package manager) - ${BINARY}" ;;
+ runlevel) RUNLEVELFOUND=1; RUNLEVELBINARY="${BINARY}"; logtext " Found known binary: runlevel (system utility) - ${BINARY}" ;;
+ samhain) SAMHAINFOUND=1; SAMHAINBINARY="${BINARY}"; logtext " Found known binary: samhain (integrity tool) - ${BINARY}" ;;
+ sestatus) SESTATUSFOUND=1; SESTATUSBINARY="${BINARY}"; logtext " Found known binary: sestatus (SELinux client) - ${BINARY}" ;;
+ slocate) LOCATEFOUND=1; LOCATEBINARY="${BINARY}"; logtext " Found known binary: slocate (file database) - ${BINARY}" ;;
+ smbd) SMBDFOUND=1; SMBDBINARY="${BINARY}"; if [ "${OS}" = "MacOS" ]; then SMBDVERSION="unknown"; else SMBDVERSION=`${BINARY} -V | grep "^Version" | awk '{ print $2 }'`; fi; logtext "Found ${BINARY} (version ${SMBDVERSION})" ;;
+ showmount) SHOWMOUNTFOUND=1; SHOWMOUNTBINARY="${BINARY}"; logtext " Found known binary: showmount (NFS mounts) - ${BINARY}" ;;
+ sockstat) SOCKSTATFOUND=1; SOCKSTATBINARY="${BINARY}"; logtext " Found known binary: sockstat (open network sockets) - ${BINARY}" ;;
+ squid) SQUIDFOUND=1; SQUIDBINARY="${BINARY}"; logtext " Found known binary: squid (proxy) - ${BINARY}" ;;
+ sshd) SSHDFOUND=1; SSHDBINARY="${BINARY}"; SSHDVERSION=`${BINARY} -t -d 2>&1 | head -n 1 | awk '{ print $4 }' | cut -d '_' -f2 | xargs`; logtext "Found ${BINARY} (version ${SSHDVERSION})" ;;
+ stat) STATFOUND=1; STATBINARY="${BINARY}"; logtext " Found known binary: stat (file information) - ${BINARY}" ;;
+ strings) STRINGSFOUND=1; STRINGSBINARY="${BINARY}"; logtext " Found known binary: strings (text strings search) - ${BINARY}" ;;
+ sha1|sha1sum|shasum) SHA1SUMFOUND=1; SHA1SUMBINARY="${BINARY}"; logtext " Found known binary: sha1/sha1sum/shasum (crypto hashing) - ${BINARY}" ;;
+ ssh-keyscan) SSHKEYSCANFOUND=1; SSHKEYSCANBINARY="${BINARY}"; logtext " Found known binary: ssh-keyscan (scanner for SSH keys) - ${BINARY}" ;;
+ sysctl) SYSCTLFOUND=1; SYSCTLBINARY="${BINARY}"; logtext " Found known binary: sysctl (kernel parameters) - ${BINARY}" ;;
+ syslog-ng) SYSLOGNGFOUND=1; SYSLOGNGBINARY="${BINARY}"; SYSLOGNGVERSION=`${BINARY} -V 2>&1 | grep "^syslog-ng" | awk '{ print $2 }'`; logtext "Found ${BINARY} (version ${SYSLOGNGVERSION})" ;;
+ systemctl) SYSTEMCTLFOUND=1; SYSTEMCTLBINARY="${BINARY}"; logtext " Found known binary: systemctl (client to systemd) - ${BINARY}" ;;
+ tripwire) TRIPWIREFOUND=1; TRIPWIREBINARY="${BINARY}"; logtext " Found known binary: tripwire (file integrity) - ${BINARY}" ;;
+ tune2fs) TUNE2FSFOUND=1; TUNE2FSBINARY="${BINARY}"; logtext " Found known binary: tune2fs (file system tool) - ${BINARY}" ;;
+ vgdisplay) VGDISPLAYFOUND=1; VGDISPLAYBINARY="${BINARY}"; logtext " Found known binary: vgdisplay (LVM tool) - ${BINARY}" ;;
+ vmtoolsd) VMWARETOOLSFOUND=1; VMWARETOOLSDBINARY="${BINARY}"; logtext " Found known binary: vmtoolsd (VMWare tools) - ${BINARY}" ;;
+ wget) WGETFOUND=1; WGETBINARY="${BINARY}"; WGETVERSION=`${BINARY} -V | grep "^GNU Wget" | awk '{ print $3 }'`; logtext "Found ${BINARY} (version ${WGETVERSION})" ;;
+ yum) YUMFOUND=1; YUMBINARY="${BINARY}"; logtext " Found known binary: yum (package manager) - ${BINARY}" ;;
+ zypper) ZYPPERFOUND=1; ZYPPERBINARY="${BINARY}"; logtext " Found known binary: zypper (package manager) - ${BINARY}" ;;
+ esac
+ done
+ else
+ Display --indent 4 --text "- Checking ${SCANDIR}... " --result "NOT FOUND" --color WHITE
+ logtext "Directory ${SCANDIR} does NOT exist."
+ fi
+ logtextbreak
+ done
+ SCANNEDPATHS=`echo ${SCANNEDPATHS} | sed 's/^, //g'`
+ logtext "Discovered directories: ${SCANNEDPATHS}"
+ #fi
+
+ logtext "Result: found ${N} binaries"
+ report "binaries_count=${N}"
+#
+#################################################################################
+#
+
+wait_for_keypress
+
+#
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
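Review bot: The version probes in the `case` arms for exim (`${BINARY} -bV`), lynx, mysql, nmap, openssl, perl, php, smbd, sshd (`-t -d`), syslog-ng and wget execute whatever directory entry carries that name, while only the apache2, awk, dig, gcc, httpd and iptables arms first check `-f`; nothing checks that the entry is a regular file with execute permission before it is run. Lynis is normally run with root privileges for a system audit, so on a system where any directory in BINPATHS is writable by an unprivileged user (Homebrew-style `/usr/local/bin` installs are one example) a planted `perl` or `openssl` would be executed as the auditor. A single guard between `logtext "Binary: ${BINARY}"` and the `case`, `if [ ! -f "${BINARY}" ] || [ ! -x "${BINARY}" ]; then logtext " Skipping ${BINARY}: not a regular executable file"; continue; fi`, covers every arm and makes the per-arm `-f` checks redundant. Separately, the second `dig)` arm is unreachable because the earlier `dig)` arm in the same `case` matches first, and the `ifconfig` arm logs the tool as `ipconfig`.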
diff --git a/include/consts b/include/consts
new file mode 100644
index 00000000..9de50d5f
--- /dev/null
+++ b/include/consts
@@ -0,0 +1,182 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# This software is licensed under GPL, version 3. See LICENSE file for
+# usage of this software.
+#
+#################################################################################
+#
+# Consts
+#
+#################################################################################
+#
+
+# Program information
+
+# Paths where system and program binaries are located
+# Includes Sun Solaris dirs
+BINPATHS="/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin \
+ /usr/local/libexec /usr/libexec /usr/sfw/bin /usr/sfw/sbin \
+ /usr/sfw/libexec /opt/sfw/bin /opt/sfw/sbin /opt/sfw/libexec \
+ /usr/xpg4/bin /usr/css/bin /usr/ucb /usr/X11R6/bin /usr/X11R7/bin"
+
+# Do not use specific language, fall back to default
+unset LANG
+
+#
+#################################################################################
+#
+# Deprecated
+#
+#################################################################################
+#
+ HOME_HISTORY_AUDIT_TITLE="Incorrect history file types"
+ HOME_HISTORY_AUDIT_DESCRIPTION=""
+
+ HOME_HISTORY_LOG_TITLE="History files type check"
+ HOME_HISTORY_LOG_DESCRIPTION="History files type check"
+ HOME_HISTORY_LOG_TEXT="History files are normally of the type 'file'. Symbolic links and other types can be riskful"
+
+ HOME_PATH_LOG_MESSAGE="A single dot in the PATH variable of a user can be a risk, while executing commands in for example a home directory."
+
+ USER_PASSWD_DOUBLEUID_AUDIT_TITLE="Non unique UIDs"
+ USER_PASSWD_DOUBLEUID_AUDIT_DESCRIPTION="Non unique UIDs in passwd file"
+ USER_PASSWD_DOUBLEUID_AUDIT_TEXT="Non unique UIDs can riskful for the system or part of a configuration mistake"
+
+ KERNEL_ACTIVE_MODULES_TITLE="Active kernel modules (KLDs)"
+ KERNEL_ACTIVE_MODULES_DESCRIPTION="View all active kernel modules (including kernel)"
+ KERNEL_ACTIVE_MODULES_TEXT="Displays the loaded kernel modules in memory. Make sure to check the integrity of the kld tools."
+#
+#################################################################################
+#
+# Initialize defaults
+#
+#################################################################################
+#
+# == Variable initializing ==
+#
+ AUDITORNAME=""
+ PROFILE=""
+ REPORTFILE=""
+ AFICKBINARY=""
+ AIDEBINARY=""
+ AASTATUSBINARY=""
+ CHKROOTKITBINARY=""
+ CHKCONFIGBINARY=""
+ FILEVALUE=""
+ FIND=""
+ GRPCKBINARY=""
+ GROUP_NAME=""
+ IPTABLESBINARY=""
+ LINUX_VERSION=""
+ LINUXCONFIGFILE=""
+ LOGFILE=""
+ NGINX_ACCESS_LOG_DISABLED=0
+ NGINX_ACCESS_LOG_MISSING=0
+ NGINX_ALIAS_FOUND=0
+ NGINX_ALLOW_FOUND=0
+ NGINX_DENY_FOUND=0
+ NGINX_ERROR_LOG_DEBUG=0
+ NGINX_ERROR_LOG_MISSING=0
+ NGINX_EXPIRES_FOUND=0
+ NGINX_FASTCGI_FOUND=0
+ NGINX_FASTCGI_PARAMS_FOUND=0
+ NGINX_FASTCGI_PASS_FOUND=0
+ NGINX_LISTEN_FOUND=0
+ NGINX_LOCATION_FOUND=0
+ NGINX_SSL_CIPHERS=0
+ NGINX_SSL_ON=0
+ NGINX_SSL_PREFER_SERVER_CIPHERS=0
+ NGINX_SSL_PROTOCOLS=0
+ NGINX_RETURN_FOUND=0
+ NGINX_ROOT_FOUND=0
+ OS=""; OS_MODE=""
+ OS_REDHAT_OR_CLONE=0
+ OSIRISBINARY=""
+ PIDFILE=""
+ PFFOUND=0
+ PROFILEVALUE=""
+ RKHUNTERBINARY=""
+ RPMBINARY=""
+ SAMHAINBINARY=""
+ SCAN_TEST_HEAVY=""; SCAN_TEST_MEDIUM=""; SCAN_TEST_LOW=""
+ SESTATUSBINARY=""
+ SSHKEYSCANBINARY=""
+ SSHKEYSCANFOUND=0
+ SYSLOGNGBINARY=""
+ TEST_SKIP_ALWAYS=""
+ TESTS_EXECUTED=""
+ TESTS_SKIPPED=""
+ TRIPWIREBINARY=""
+ UPDATE_CHECK_SKIPPED=0
+ VALUE=""
+#
+#################################################################################
+#
+# == Options ==
+#
+# Option Description
+# --------------------------------------------------------------------------
+ CRONJOB=0 # Run as a cronjob
+ CTESTS_PERFORMED=0 # Number of tests which are performed
+ DEBUG=0 # Debugging mode (to screen)
+ HPPOINTS=0 # Number of hardening points
+ HPTOTAL=0 # Maximum number of hardening points
+ LOG_INCORRECT_OS=1 # Log tests with incorrect OS
+ NEVERBREAK=0 # Don't wait for user input
+ QUICKMODE=0 # Don't wait for user input
+ QUIET=0 # Show normal messages and warnings as well
+ SHOW_TOOL_TIPS=1 # Show inline tool tips (default true)
+ SKIPLOGTEST=0 # Skip logging for one test
+ SKIP_UPGRADE_TEST=0 # Skip upgrade test
+ TESTS_TO_PERFORM="" # Which tests only to perform
+ TEST_PAUSE_TIME=0 # Default pause time
+ TOTAL_TESTS=0 # Total amount of tests (counter)
+ UPLOAD_DATA=0 # Upload of data to central node
+ VIEWHELP=0 # Show help
+ VIEWUPDATEINFO=0 # View program/database version
+ WRONGOPTION=0 # A wrong option is used
+#
+#################################################################################
+#
+ # Installed packages and other settings
+ COMPILER_INSTALLED=0
+#
+#################################################################################
+#
+# Colors
+#
+#################################################################################
+#
+# Color name Description
+# --------------------------------------------------------------------------
+ NORMAL=""
+ WARNING="" # Bad (red)
+ SECTION="" # Section (yellow)
+ NOTICE="" # Notice (yellow)
+ OK="" # Ok (green)
+ BAD="" # Bad (red)
+
+ # Real color names
+ YELLOW="" # Yellow
+ WHITE="" # White
+ GREEN="" # Green
+ RED="" # Red
+ PURPLE=""
+ MAGENTA=""
+ BROWN=""
+ CYAN=""
+ BLUE=""
+#
+#################################################################################
+#
+
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
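Review bot: `unset LANG` under the comment "Do not use specific language, fall back to default" does not force the C locale: `LC_ALL` and the individual `LC_*` variables take precedence over `LANG`, so a caller with `LC_ALL` exported still gets localized output from the tools whose version strings the binaries include later matches with English patterns (`grep 'Exim version'`, `grep "^GNU Wget"`, `grep "^Version"`). Setting the locale explicitly is more robust and self-describing: replace the `unset LANG` line with `LC_ALL=C; export LC_ALL`. If a later test deliberately relies on the user's locale, that is not visible from this include and the change should be confirmed against the other includes before it lands.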
diff --git a/include/data_upload b/include/data_upload
new file mode 100644
index 00000000..7b41a3c7
--- /dev/null
+++ b/include/data_upload
@@ -0,0 +1,110 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@cisofy.com), The Netherlands
+# Web site: http://cisofy.com
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# Data upload
+#
+#################################################################################
+#
+# logtextbreak
+PROGRAM_VERSION="101"
+DATA_SERVER="https://cisofy.com"
+# Additional options to curl
+CURL_OPTIONS=""
+SETTINGS_FILE="${PROFILE}"
+#DEBUG=1
+
+# Only output text to stdout if DEBUG mode is not used
+output()
+ {
+ if [ ${DEBUG} -eq 1 ]; then echo "$1"; fi
+ }
+
+#####################################################################################
+#
+# SYSTEM CHECKS
+#
+#####################################################################################
+
+output "Lynis Enterprise data uploader starting"
+output "Settings file: ${SETTINGS_FILE}"
+
+ # Check if we can find curl
+ # Suggestion: If you want to keep the system hardened, copying the binary from a trusted source is a good alternative.
+ # Restrict access to this binary to the user who is running this script.
+ if [ "${CURLBINARY}" = "" ]; then
+ echo "Fatal: can't find curl binary. Please install the related package or put the binary in the PATH. Quitting.."
+ exit 1
+ fi
+
+ # Extra the license key from the settings file
+ if [ "${LICENSE_KEY}" = "" ]; then
+ echo "Fatal: no license key found. Quitting.."
+ exit 1
+ else
+ output "License key = ${LICENSE_KEY}"
+ fi
+
+
+#####################################################################################
+#
+# JOB CONTROL
+#
+#####################################################################################
+
+ # Check report file
+ if [ -f ${REPORTFILE} ]; then
+ output "${WHITE}Report file found.${NORMAL} Starting with connectivity check.."
+ # Quit if license is not valid, to reduce load on both client and server.
+ UPLOAD=`${CURLBINARY} ${CURL_OPTIONS} -s -S --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "collector_version=${PROGRAM_VERSION}" ${DATA_SERVER}/license/`
+ UPLOAD_CODE=`echo ${UPLOAD} | head -n 1 | awk '{ if ($1=="Response") { print $2 }}'`
+ if [ "${UPLOAD_CODE}" = "100" ]; then
+ output "${WHITE}License is valid{$NORMAL}"
+ else
+ echo "${RED}Fatal error: provided license key is unknown or invalid.${NORMAL}"
+ output "Debug information: ${UPLOAD}"
+ # Quit
+ ExitClean
+ fi
+ # Extract the hostid from the parse file
+ HOSTID=`cat ${REPORTFILE} | grep "^hostid=" | awk -F= '{ print $2 }'`
+ if [ ! "${HOSTID}" = "" ]; then
+ output "${WHITE}Found hostid: ${HOSTID}${NORMAL}"
+ # Try to connect
+ output "Uploading data.."
+ UPLOAD=`${CURLBINARY} ${CURL_OPTIONS} -s -S --data-urlencode "data@${REPORTFILE}" --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "hostid=${HOSTID}" ${DATA_SERVER}/upload/`
+ UPLOAD_CODE=`echo ${UPLOAD} | head -n 1 | awk '{ print $2 }'`
+ output "Output code from upload: ${UPLOAD_CODE}"
+ if [ "${UPLOAD_CODE}" = "100" ]; then
+ output "${GREEN}Data uploaded successfully${NORMAL}"
+ else
+ echo "${RED}Error occured, please check documentation for code ${UPLOAD_CODE}.${NORMAL}"
+ output "Debug:"
+ output ${UPLOAD}
+ # Quit
+ ExitClean
+ fi
+ else
+ echo "${RED}Fatal error${NORMAL}: No hostid found in report file. Can not upload report file."
+ # Quit
+ ExitClean
+ fi
+ else
+ output "${YELLOW}No report file found to upload.${NORMAL}"
+ fi
+
+#
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
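Review bot: The license key is passed to curl as a command-line argument in both calls (`--data-urlencode "licensekey=${LICENSE_KEY}"`), which exposes it to every local user through the process list for the duration of the request, and `output "License key = ${LICENSE_KEY}"` additionally prints it to stdout whenever DEBUG is set. curl can read a form field's value from a file with the `name@file` form, so writing the key to a mode-0600 mktemp file and referencing that keeps it out of argv; the file must then be removed on every exit path, including the `ExitClean` branches. The debug line should only confirm that a key was found, e.g. `output "License key found"`. Also `[ -f ${REPORTFILE} ]` is true when REPORTFILE is empty (a one-argument test always succeeds on a non-empty string), so the path should be quoted, and `{$NORMAL}` on the "License is valid" line is a misplaced brace.
```shell
# Keep the license key out of argv: curl reads a field value from a file with name@file
KEYFILE=`mktemp /tmp/lynis-key.XXXXXX` || { echo "Fatal: can not create temporary file"; ExitClean; }
chmod 600 "${KEYFILE}"
printf '%s' "${LICENSE_KEY}" > "${KEYFILE}"
UPLOAD=`${CURLBINARY} ${CURL_OPTIONS} -s -S --data-urlencode "licensekey@${KEYFILE}" --data-urlencode "collector_version=${PROGRAM_VERSION}" ${DATA_SERVER}/license/`
# … unchanged: response code check and hostid extraction; add rm -f "${KEYFILE}" before each ExitClean …
UPLOAD=`${CURLBINARY} ${CURL_OPTIONS} -s -S --data-urlencode "data@${REPORTFILE}" --data-urlencode "licensekey@${KEYFILE}" --data-urlencode "hostid=${HOSTID}" ${DATA_SERVER}/upload/`
rm -f "${KEYFILE}"
```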
diff --git a/include/functions b/include/functions
new file mode 100644
index 00000000..3517d38a
--- /dev/null
+++ b/include/functions
@@ -0,0 +1,974 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# This software is licensed under GPL, version 3. See LICENSE file for
+# usage of this software.
+#
+#################################################################################
+#
+# Functions
+#
+#################################################################################
+#
+# Function Description
+# ----------------------- -------------------------------------------------
+# AddHP Add Hardening points to plot a graph later
+# CheckFilePermissions Check file permissions
+# CheckUpdates Determine if a new version of Lynis is available
+# counttests Count number of performed tests
+# Debug Display additional information on the screen (not suited for cronjob)
+# DirectoryExists Check if a directory exists on the disk
+# Display Output text to screen with colors and identation
+# ExitClean Stop the program (cleanly)
+# ExitFatal Stop the program (cleanly), with fatal
+# FileExists Check if a file exists on the disk
+# GetHostID Retrieve an unique ID for this host
+# InsertSection Insert a section block
+# InsertPluginSection Insert a section block for plugins
+# IsRunning Check if a process is running
+# ParseNginx Parse nginx configuration lines
+# ReportException Add an exception to the report file (for debugging purposes)
+# ReportSuggestion Add a suggestion to report file
+# ReportWarning Add a warning and priority to report file
+# Register Register a test (for logging and execution)
+# SafePerms Check if a directory has safe permissions
+# SearchItem Search a string in a file
+# ViewCategories Display tests categories
+# logtext Log text strings to logfile, prefixed with date/time
+#
+#################################################################################
+
+ # Add Hardening Points
+ AddHP()
+ {
+ HPADD=$1; HPADDMAX=$2
+ HPPOINTS=`expr ${HPPOINTS} + ${HPADD}`
+ HPTOTAL=`expr ${HPTOTAL} + ${HPADDMAX}`
+ logtext "Hardening: assigned ${HPADD} hardening points (max for this item: ${HPADDMAX}), current: ${HPPOINTS}, total: ${HPTOTAL}"
+ }
+
+ # Check file permissions
+ # Parameter 1 is file/dir
+ # Result: FILE_NOT_FOUND | OK | BAD
+ CheckFilePermissions()
+ {
+ CHECKFILE=$1
+ if [ ! -d $CHECKFILE -a ! -f $CHECKFILE ]; then
+ PERMS="FILE_NOT_FOUND"
+ else
+ # If 'file' is an directory, use -d
+ if [ -d ${CHECKFILE} ]; then
+ FILEVALUE=`ls -d -l ${CHECKFILE} | cut -c 2-10`
+ PROFILEVALUE=`cat ${PROFILE} | grep '^permdir' | grep ":${CHECKFILE}:" | cut -d: -f3`
+ else
+ FILEVALUE=`ls -l ${CHECKFILE} | cut -c 2-10`
+ PROFILEVALUE=`cat ${PROFILE} | grep '^permfile' | grep ":${CHECKFILE}:" | cut -d: -f3`
+ fi
+ if [ "${FILEVALUE}" = "${PROFILEVALUE}" ]; then PERMS="OK"; else PERMS="BAD"; fi
+ fi
+ }
+
+ ################################################################################
+ # Name : CheckItem()
+ # Description : Check if a specific item exists in the report
+ # Returns : <nothing>
+ ################################################################################
+
+ CheckItem()
+ {
+ ITEM_FOUND=0
+ if [ $# -eq 2 ]; then
+ # Don't search in /dev/null, it's too empty there
+ if [ ! "${REPORTFILE}" = "/dev/null" ]; then
+ # Check if we can find the main type (with or without brackets)
+ logtext "Test: search string $2 in earlier discovered results"
+ FIND=`egrep "^$1(\[\])?=" ${REPORTFILE} | egrep "$2"`
+ if [ ! "${FIND}" = "" ]; then
+ ITEM_FOUND=1
+ logtext "Result: found string"
+ else
+ logtext "Result: search string NOT found"
+ fi
+ else
+ logtext "Skipping search, as /dev/null is being used"
+ fi
+ else
+ ReportException ${TEST_NO} "Error in function call to CheckItem"
+ fi
+ }
+
+ # Check updates
+ CheckUpdates()
+ {
+ # Possible improvement: determine if host binary exists YYY
+ PROGRAM_LV="0000000000"; DB_MALWARE_LV="0000000000"; DB_FILEPERMS_LV="0000000000"
+ FIND=`which dig 2> /dev/null`
+ if [ ! "${FIND}" = "" ]; then
+ PROGRAM_LV=`dig +short -t txt lynis-lv.rootkit.nl 2> /dev/null | sed 's/[".]//g'`
+ #DB_MALWARE_LV=`dig +short -t txt lynis-mw.rootkit.nl 2> /dev/null | sed 's/[".]//g'`
+ #DB_FILEPERMS_LV=`dig +short -t txt lynis-fp.rootkit.nl 2> /dev/null | sed 's/[".]//g'`
+ else
+ FIND=`which host 2> /dev/null`
+ if [ ! "${FIND}" = "" ]; then
+ PROGRAM_LV=`host -t txt lynis-lv.rootkit.nl | awk '{ if ($1=="lynis-lv.rootkit.nl" && $3=="text") { print $4 }}' | sed 's/"//g'`
+ if [ "${PROGRAM_LV}" = "" ]; then PROGRAM_LV=0; fi
+ else
+ logtext "Result: dig and host not installed, update check skipped"
+ UPDATE_CHECK_SKIPPED=1
+ fi
+ fi
+ }
+
+ # Count the number of performed tests
+ counttests()
+ {
+ CTESTS_PERFORMED=`expr ${CTESTS_PERFORMED} + 1`
+ }
+
+ # Determine if a directory exists
+ DirectoryExists()
+ {
+ DIRECTORY_FOUND=0
+ logtext "Test: checking if directory $1 exists"
+ if [ -d $1 ]; then
+ logtext "Result: directory exists"
+ DIRECTORY_FOUND=1
+ else
+ logtext "Result: directory NOT found"
+ fi
+ }
+
+ # More information on the screen
+ Debug()
+ {
+ if [ ${DEBUG} -eq 1 ]; then echo "DEBUG: $1"; fi
+ }
+
+ # Display text
+ Display()
+ {
+ INDENT=0; TEXT=""; RESULT=""; COLOR=""
+ while [ $# -ge 1 ]; do
+ case $1 in
+ --color)
+ shift
+ case $1 in
+ GREEN) COLOR=$GREEN ;;
+ RED) COLOR=$RED ;;
+ WHITE) COLOR=$WHITE ;;
+ YELLOW) COLOR=$YELLOW ;;
+ esac
+ ;;
+ --indent)
+ shift
+ INDENT=$1
+ ;;
+ --no-break | --nobreak | -nb)
+ ECHOCMD="echo -en"
+ ;;
+ --result)
+ shift
+ RESULT=$1
+ ;;
+ --text)
+ shift
+ TEXT=$1
+ ;;
+ *)
+ echo "INVALID OPTION (Display): $1"
+ exit 1
+ ;;
+ esac
+ # Go to next parameter
+ shift
+ done
+
+ if [ "${RESULT}" = "" ]; then
+ RESULTPART=""
+ else
+ if [ ${CRONJOB} -eq 0 ]; then
+ RESULTPART=" [ ${COLOR}${RESULT}${NORMAL} ]"
+ else
+ RESULTPART=" [ ${RESULT} ]"
+ fi
+ fi
+
+ if [ ! "${TEXT}" = "" ]; then
+ # Show warnings always, and other messages if no quiet is being used
+ if [ ${QUIET} -eq 0 -o "${RESULT}" = "WARNING" ]; then
+ # Display
+ LINESIZE=`echo "${TEXT}" | wc -c | tr -d ' '`
+ SPACES=`expr 62 - ${INDENT} - ${LINESIZE}`
+ if [ ${CRONJOB} -eq 0 ]; then
+ ${ECHOCMD} "\033[${INDENT}C${TEXT}\033[${SPACES}C${RESULTPART}"
+ else
+ echo "${TEXT}${RESULTPART}"
+ fi
+ fi
+ fi
+ }
+
+ # Clean exit (removing temp files, PID files)
+ ExitClean()
+ {
+ RemovePIDFile
+ exit 0
+ }
+
+ # Clean exit (removing temp files, PID files), with error code 1
+ ExitFatal()
+ {
+ RemovePIDFile
+ exit 1
+ }
+
+ # Determine if a file exists
+ FileExists()
+ {
+ FILE_FOUND=0
+ logtext "Test: checking if file $1 exists"
+ if [ -f $1 ]; then
+ logtext "Result: file exists"
+ FILE_FOUND=1
+ else
+ logtext "Result: file NOT found"
+ fi
+ }
+
+ # Get Host ID
+ GetHostID()
+ {
+ HOSTID="-"
+ if [ ! "${SHA1SUMBINARY}" = "" ]; then
+
+ case "${OS}" in
+
+ "AIX")
+ FIND=`entstat en0 2>/dev/null | grep "Hardware Address" | awk -F ": " '{ print $2 }'`
+ if [ ! "${FIND}" = "" ]; then
+ HOSTID=`echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }'`
+ else
+ ReportException "GetHostID" "No MAC address returned on AIX"
+ fi
+ ;;
+
+ "DragonFly" | "FreeBSD")
+ FIND=`${IFCONFIGBINARY} | grep ether | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]'`
+ if [ ! "${FIND}" = "" ]; then
+ HOSTID=`echo ${FIND} | sha1`
+ else
+ ReportException "GetHostID" "No MAC address returned on DragonFly or FreeBSD"
+ fi
+ ;;
+
+ "Linux")
+ if [ ! "${IPBINARY}" = "" ]; then
+ # Define preferred interfaces
+ #PREFERRED_INTERFACES="eth0 eth1 eth2 enp0s25"
+ # Determine if we have ETH0 at all (not all Linux distro have this, e.g. Arch)
+ HASETH0=`${IFCONFIGBINARY} | grep "^eth0"`
+ # Check if we can find it with HWaddr on the line
+ FIND=`${IFCONFIGBINARY} 2> /dev/null | grep "^eth0" | grep -v "eth0:" | grep HWaddr | awk '{ print $5 }' | tr '[:upper:]' '[:lower:]'`
+
+ # If nothing found, then try first for alternative interface. Else other versions of ifconfig (e.g. Slackware/Arch)
+ if [ "${FIND}" = "" ]; then
+ FIND=`${IFCONFIGBINARY} 2> /dev/null | grep HWaddr`
+ if [ "${FIND}" = "" ]; then
+ # If possible directly address eth0 to avoid risking gathering the incorrect MAC address.
+ # If not, then falling back to getting first interface. Better than nothing.
+ if [ ! "${HASETH0}" = "" ]; then
+ FIND=`${IFCONFIGBINARY} eth0 2> /dev/null | grep "ether " | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]'`
+ else
+ FIND=`${IFCONFIGBINARY} 2> /dev/null | grep "ether " | awk '{ print $2 }' | head -1 | tr '[:upper:]' '[:lower:]'`
+ if [ "${FIND}" = "" ]; then
+ report "exception[]=No eth0 found (and no ether was found)"
+ else
+ logtext "Result: No eth0 found (ether found), using first network interface to determine hostid"
+ fi
+ fi
+ else
+ FIND=`${IFCONFIGBINARY} 2> /dev/null | grep HWaddr | head -1 | awk '{ print $5 }' | tr '[:upper:]' '[:lower:]'`
+ report "exception[]=No eth0 found (but HWaddr was found), using first network interface to determine hostid"
+ fi
+ fi
+
+ if [ ! "${HASETH0}" = "" ]; then
+ # Now determine the MAC with the ip command
+ FIND2=`${IPBINARY} addr show eth0 2> /dev/null | egrep "link/ether " | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]'`
+ else
+ # Forcing them to be the same. Unreliable to test with ip while knowing eth0 does not exist.
+ # Additionally usually lo0 will show up first, making test not worth doing.
+ FIND2="${FIND}"
+ fi
+ # Check if both commands give the same data
+ if [ "${FIND}" = "${FIND2}" ]; then
+ HOSTID=`echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }'`
+ logtext "Result: Found HostID: ${HOSTID}"
+ else
+ report "exception[]=Can't create HOSTID, receiving different output from commands"
+ logtext "Debug: output FIND (ifconfig): ${FIND}"
+ logtext "Debug: output FIND2 (ip): ${FIND2}"
+ fi
+ else
+ report "exception[]=Can't create HOSTID, command ip not found"
+ fi
+ ;;
+
+ "MacOS")
+ FIND=`${IFCONFIGBINARY} en0 | grep ether | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]'`
+ if [ ! "${FIND}" = "" ]; then
+ HOSTID=`echo ${FIND} | shasum | awk '{ print $1 }'`
+ else
+ ReportException "GetHostID" "No MAC address returned on Mac OS"
+ fi
+ ;;
+
+ "NetBSD")
+ FIND=`${IFCONFIGBINARY} -a | grep "address:" | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]'`
+ if [ ! "${FIND}" = "" ]; then
+ HOSTID=`echo ${FIND} | sha1`
+ else
+ ReportException "GetHostID" "No MAC address returned on NetBSD"
+ fi
+ ;;
+
+ "OpenBSD")
+ FIND=`${IFCONFIGBINARY} | grep "lladdr " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]'`
+ if [ ! "${FIND}" = "" ]; then
+ HOSTID=`echo ${FIND} | sha1`
+ else
+ ReportException "GetHostID" "No MAC address returned on OpenBSD"
+ fi
+ ;;
+
+ "Solaris")
+ INTERFACES_TO_TEST="e1000g1 net0"
+ FOUND=0
+ for I in ${INTERFACES_TO_TEST}; do
+ FIND=`${IFCONFIGBINARY} -a | grep "^${I}"`
+ if [ ! "${FIND}" = "" ]; then
+ FOUND=1; logtext "Found interface ${I} on Solaris"
+ fi
+ done
+ if [ ${FOUND} -eq 1 ]; then
+ FIND=`${IFCONFIGBINARY} ${I} | grep ether | awk '{ if ($1=="ether") { print $2 }}'`
+ HOSTID=`echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }'`
+ else
+ ReportException "GetHostID" "No interface found op Solaris to create HostID"
+ fi
+ ;;
+
+
+ *)
+ ReportException "GetHostID" "Can't create HOSTID as OS is not supported by this function"
+ ;;
+ esac
+ else
+ report "exception[]=No SHA1/SHA1SUM binary found to create HOSTID"
+ fi
+
+ }
+
+ # Insert section block
+ InsertSection()
+ {
+ if [ ${QUIET} -eq 0 ]; then
+ echo ""
+ echo "[+] ${SECTION}$1${NORMAL}"
+ echo "------------------------------------"
+ fi
+ logtextbreak
+ logtext "Action: Performing tests from category: $1"
+ }
+
+ # Insert section block for plugins
+ InsertPluginSection()
+ {
+ if [ ${QUIET} -eq 0 ]; then
+ echo ""
+ echo "[+] ${MAGENTA}$1${NORMAL}"
+ echo "------------------------------------"
+ fi
+ logtext "Action: Performing plugin tests"
+ }
+
+ # Is a process running?
+ # Returns: RUNNING
+ IsRunning()
+ {
+ RUNNING=0
+ FIND=`${PSBINARY} ax | egrep "( |/)$1" | grep -v "grep"`
+ if [ ! "${FIND}" = "" ]; then
+ RUNNING=1
+ logtext "IsRunning: process '$1' found (${FIND})"
+ else
+ logtext "IsRunning: process '$1' not found"
+ fi
+ }
+
+
+ # Function IsWorldExecutable
+ IsWorldExecutable()
+ {
+ sFILE=$1
+ FileIsWorldExecutable=""
+ SYMLINK=0
+
+ # Check for symlink
+ if [ -L ${sFILE} ]; then
+ if [ ! "${READLINKBINARY}" = "" ]; then
+ tFILE=`${READLINKBINARY} ${sFILE}`
+ # Check if we can find the file now
+ if [ -f ${tFILE} ]; then
+ sFILE="${tFILE}"
+ logtext "Result: symlink found, pointing to ${sFILE}"
+ SYMLINK=1
+ else
+ # Check the full path of the symlink, strip the filename, copy the path and linked filename together
+ tDIR=`echo ${sFILE} | awk '{match($1, "^.*/"); print substr($1, 1, RLENGTH-1)}'`
+ tFILE="${tDIR}/${tFILE}"
+ if [ -f ${tFILE} ]; then
+ sFILE="${tFILE}"
+ logtext "Result: symlink found, seems to be ${sFILE}"
+ SYMLINK=1
+ fi
+ fi
+ fi
+ fi
+ # Only check the file if it isn't a symlink (after previous check)
+ if [ -f ${sFILE} -a ! -L ${sFILE} ]; then
+ FINDVAL=`ls -l ${sFILE} | cut -c 10`
+ if [ "${FINDVAL}" = "x" ]; then FileIsWorldExecutable="TRUE"; else FileIsWorldExecutable="FALSE"; fi
+ else
+ FileIsWorldExecutable="NOSUCHFILE"
+ fi
+ }
+
+ # Function IsWorldWritable
+ IsWorldWritable()
+ {
+ sFILE=$1
+ FileIsWorldWritable=""
+
+ # Check for symlink
+ if [ -L ${sFILE} ]; then
+ if [ ! "${READLINKBINARY}" = "" ]; then
+ tFILE=`${READLINKBINARY} ${sFILE}`
+ # Check if we can find the file now
+ if [ -f ${tFILE} ]; then
+ sFILE="${tFILE}"
+ logtext "Result: symlink found, pointing to ${sFILE}"
+ SYMLINK=1
+ else
+ # Check the full path of the symlink, strip the filename, copy the path and linked filename together
+ tDIR=`echo ${sFILE} | awk '{match($1, "^.*/"); print substr($1, 1, RLENGTH-1)}'`
+ tFILE="${tDIR}/${tFILE}"
+ if [ -f ${tFILE} ]; then
+ sFILE="${tFILE}"
+ logtext "Result: symlink found, seems to be ${sFILE}"
+ SYMLINK=1
+ fi
+ fi
+ fi
+ fi
+
+ # Only check the file if it isn't a symlink (after previous check)
+ if [ -f ${sFILE} -a ! -L ${sFILE} ]; then
+ FINDVAL=`ls -l ${sFILE} | cut -c 9`
+ if [ "${FINDVAL}" = "w" ]; then FileIsWorldWritable="TRUE"; else FileIsWorldWritable="FALSE"; fi
+ else
+ FileIsWorldWritable="NOSUCHFILE"
+ fi
+ }
+
+ # Function logtext (redirect data ($1) to log file)
+ logtext()
+ {
+ if [ ! "${LOGFILE}" = "" ]; then
+ CDATE=`date "+[%H:%M:%S]"`
+ echo "${CDATE} $1" >> ${LOGFILE}
+ fi
+ }
+
+
+ ################################################################################
+ # Name : logtextbreak()
+ # Description : Add a separator to log file between sections, tests etc
+ # Returns : <nothing>
+ logtextbreak()
+ {
+ if [ ! "${LOGFILE}" = "" ]; then
+ CDATE=`date "+[%H:%M:%S]"`
+ echo "${CDATE} ===---------------------------------------------------------------===" >> ${LOGFILE}
+ fi
+ }
+
+
+ ################################################################################
+ # Name : Maid()
+ # Description : Cleanup service
+ # Returns : <nothing>
+ Maid()
+ {
+ echo ""; echo "Interrupt detected."
+ # Remove PID
+ RemovePIDFile
+
+ # Clean up temp files
+ if [ ! "${TMPFILE}" = "" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi
+ if [ ! "${TMPFILE2}" = "" ]; then if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi; fi
+
+ Display --text "Cleaning up..." --result DONE --color GREEN
+
+ # Exit with exit code 1
+ exit 1
+ }
+
+ # Parse nginx configuration lines
+ ParseNginx()
+ {
+ FIND=`cat ${REPORTFILE} | grep "^nginx_config_option=" | awk -F= '{ if ($1=="nginx_config_option") { print $2 }}' | sed 's/ /:space:/g'`
+ for I in ${FIND}; do
+ I=`echo ${I} | sed 's/:space:/ /g' | sed 's/;$//'`
+ OPTION=`echo ${I} | awk '{ print $1 }'`
+ VALUE=`echo ${I}| cut -d' ' -f2-`
+ logtext "Result: found option ${OPTION} with parameters ${VALUE}"
+ case ${OPTION} in
+ access_log)
+ if [ "${VALUE}" = "off" ]; then
+ logtext "Result: found logging disabled for one virtual host"
+ NGINX_ACCESS_LOG_DISABLED=1
+ else
+ if [ ! -f ${VALUE} ]; then
+ logtext "Result: could not find referenced log file ${VALUE} in nginx configuration"
+ NGINX_ACCESS_LOG_MISSING=1
+ fi
+ fi
+ ;;
+ # Headers
+ add_header)
+ ;;
+ alias)
+ NGINX_ALIAS_FOUND=1
+ ;;
+ allow)
+ NGINX_ALLOW_FOUND=1
+ ;;
+ autoindex)
+ ;;
+ deny)
+ NGINX_DENY_FOUND=1
+ ;;
+ expires)
+ NGINX_EXPIRES_FOUND=1
+ ;;
+ error_log)
+ # YYY Check if debug is appended
+ FIND=`echo ${VALUE} | awk '{ if ($2=="debug") { print 1 } else { print 0 }}'`
+ if [ ${FIND} -eq 1 ]; then
+ NGINX_ERROR_LOG_DEBUG=1
+ fi
+ # YYY Check if file exists
+ FILE=`echo ${VALUE} | awk '{ print $1 }'`
+ if [ ! "${FILE}" = "" ]; then
+ if [ ! -f ${FILE} ]; then
+ NGINX_ERROR_LOG_MISSING=1
+ fi
+ else
+ logtext "Warning: did not find a filename after error_log in nginx configuration"
+ fi
+ ;;
+ error_page)
+ ;;
+ fastcgi_intercept_errors)
+ ;;
+ fastcgi_param)
+ NGINX_FASTCGI_FOUND=1
+ NGINX_FASTCGI_PARAMS_FOUND=1
+ ;;
+ fastcgi_pass)
+ NGINX_FASTCGI_FOUND=1
+ NGINX_FASTCGI_PASS_FOUND=1
+ ;;
+ fastcgi_pass_header)
+ ;;
+ index)
+ ;;
+ keepalive_timeout)
+ ;;
+ listen)
+ NGINX_LISTEN_FOUND=1
+ # Test for ssl on listen statement
+ FIND_SSL=`echo ${VALUE} | grep ssl`
+ if [ ! "${FIND_SSL}" = "" ]; then NGINX_SSL_ON=1; fi
+ ;;
+ location)
+ NGINX_LOCATION_FOUND=1
+ ;;
+ return)
+ NGINX_RETURN_FOUND=1
+ ;;
+ root)
+ NGINX_ROOT_FOUND=1
+ ;;
+ server_name)
+ ;;
+ ssl)
+ if [ "${VALUE}" = "on" ]; then NGINX_SSL_ON=1; fi
+ ;;
+ ssl_certificate)
+ logtext "Found SSL certificate in nginx configuration"
+ ;;
+ ssl_certificate_key)
+ ;;
+ ssl_ciphers)
+ NGINX_SSL_CIPHERS=1
+ ;;
+ ssl_prefer_server_ciphers)
+ if [ "${VALUE}" = "on" ]; then NGINX_SSL_PREFER_SERVER_CIPHERS=1; fi
+ ;;
+ ssl_protocols)
+ ;;
+ ssl_session_cache)
+ ;;
+ ssl_session_timeout)
+ ;;
+ types)
+ ;;
+ *)
+ logtext "Found unknown option ${OPTION} in nginx configuration"
+ ;;
+ esac
+ done
+ }
+
+
+ # Function to determine what the real file location is
+ RealFilename()
+ {
+ sFILE=$1
+ FileIsWorldExecutable=""
+ SYMLINK=0
+
+ # Check for symlink
+ if [ -L ${sFILE} ]; then
+ if [ ! "${READLINKBINARY}" = "" ]; then
+ tFILE=`${READLINKBINARY} ${sFILE}`
+ # Check if we can find the file now
+ if [ -f ${tFILE} ]; then
+ rFILE="${tFILE}"
+ logtext "Result: symlink found, pointing to ${sFILE}"
+ SYMLINK=1
+ else
+ # Check the full path of the symlink, strip the filename, copy the path and linked filename together
+ tDIR=`echo ${sFILE} | awk '{match($1, "^.*/"); print substr($1, 1, RLENGTH-1)}'`
+ tFILE="${tDIR}/${tFILE}"
+ if [ -f ${tFILE} ]; then
+ rFILE="${tFILE}"
+ logtext "Result: symlink found, seems to be ${sFILE}"
+ fi
+ fi
+ fi
+ else
+ # No symlinke
+ rFILE="${sFILE}"
+ fi
+ }
+
+
+ ################################################################################
+ # Name : Register()
+ # Description : Register a test and see if it has to be run
+ # Returns : SKIPTEST (0 or 1)
+ Register()
+ {
+ # Do not insert a log break, if previous test was not logged
+ if [ ${SKIPLOGTEST} -eq 0 ]; then logtextbreak; fi
+ SKIPTEST=0; SKIPLOGTEST=0; TEST_NEED_OS=""; PREQS_MET=""
+ TEST_NEED_NETWORK=""; TEST_NEED_PLATFORM=""
+ TOTAL_TESTS=`expr ${TOTAL_TESTS} + 1`
+ while [ $# -ge 1 ]; do
+ case $1 in
+ --description)
+ shift
+ TEST_DESCRIPTION=$1
+ ;;
+ --platform)
+ shift
+ TEST_NEED_PLATFORM=$1
+ ;;
+ --network)
+ shift
+ TEST_NEED_NETWORK=$1
+ ;;
+ --os)
+ shift
+ TEST_NEED_OS=$1
+ ;;
+ --preqs-met)
+ shift
+ PREQS_MET=$1
+ ;;
+ --test-no)
+ shift
+ TEST_NO=$1
+ ;;
+ --weight)
+ shift
+ TEST_WEIGHT=$1
+ ;;
+
+ *)
+ echo "INVALID OPTION (Register): $1"
+ exit 1
+ ;;
+ esac
+ # Go to next parameter
+ shift
+ done
+
+ # Skip test if it's configured in profile
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FIND=`echo "${TEST_SKIP_ALWAYS}" | grep "${TEST_NO}"`
+ if [ ! "${FIND}" = "" ]; then SKIPTEST=1; SKIPREASON="Skipped by configuration"; fi
+ fi
+
+ # Skip if test is not in the list
+ if [ ${SKIPTEST} -eq 0 -a ! "${TESTS_TO_PERFORM}" = "" ]; then
+ FIND=`echo "${TESTS_TO_PERFORM}" | grep "${TEST_NO}"`
+ if [ "${FIND}" = "" ]; then SKIPTEST=1; SKIPREASON="Test not in list of tests to perform"; fi
+ fi
+
+ # Do not run scans which have a higher intensity than what we prefer
+ if [ ${SKIPTEST} -eq 0 -a "${TEST_WEIGHT}" = "H" -a "${SCAN_TEST_HEAVY}" = "NO" ]; then SKIPTEST=1; SKIPREASON="Test to system intensive for scan mode (H)"; fi
+ if [ ${SKIPTEST} -eq 0 -a "${TEST_WEIGHT}" = "M" -a "${SCAN_TEST_MEDIUM}" = "NO" ]; then SKIPTEST=1; SKIPREASON="Test to system intensive for scan mode (M)"; fi
+
+ # Skip test if OS is different than requested
+ if [ ${SKIPTEST} -eq 0 -a ! -z "${TEST_NEED_OS}" -a ! "${OS}" = "${TEST_NEED_OS}" ]; then
+ SKIPTEST=1; SKIPREASON="Incorrect guest OS (${TEST_NEED_OS} only)"
+ if [ ${LOG_INCORRECT_OS} -eq 0 ]; then
+ SKIPLOGTEST=1
+ fi
+ fi
+
+ # Check for correct hardware platform
+ if [ ${SKIPTEST} -eq 0 -a ! -z "${TEST_NEED_PLATFORM}" -a ! "${HARDWARE}" = "${TEST_NEED_PLATFORM}" ]; then SKIPTEST=1; SKIPREASON="Incorrect hardware platform"; fi
+
+ # Not all prerequisites met, like missing tool
+ if [ ${SKIPTEST} -eq 0 -a "${PREQS_MET}" = "NO" ]; then SKIPTEST=1; SKIPREASON="Prerequisities not met (ie missing tool, other type of Linux distribution)"; fi
+
+ # Skip test?
+ if [ ${SKIPTEST} -eq 0 ]; then
+ # First wait X seconds (depending pause_between_tests)
+ if [ ${TEST_PAUSE_TIME} -gt 0 ]; then sleep ${TEST_PAUSE_TIME}; fi
+
+ # Increase counter for every registered test which is performed
+ counttests
+ if [ ${SKIPLOGTEST} -eq 0 ]; then logtext "Performing test ID ${TEST_NO} ($TEST_DESCRIPTION)"; fi
+ TESTS_EXECUTED="${TEST_NO}|${TESTS_EXECUTED}"
+ else
+ if [ ${SKIPLOGTEST} -eq 0 ]; then logtext "Skipped test ${TEST_NO} ($TEST_DESCRIPTION)"; fi
+ if [ ${SKIPLOGTEST} -eq 0 ]; then logtext "Reason to skip: ${SKIPREASON}"; fi
+ TESTS_SKIPPED="${TEST_NO}|${TESTS_SKIPPED}"
+ fi
+
+ }
+
+ # Remove PID file
+ RemovePIDFile()
+ {
+ # Test if PIDFILE is defined, before checking file presence
+ if [ ! "${PIDFILE}" = "" ]; then
+ if [ -f ${PIDFILE} ]; then
+ rm -f $PIDFILE;
+ logtext "PID file removed (${PIDFILE})"
+ else
+ logtext "PID file not found (${PIDFILE})"
+ fi
+ fi
+ }
+
+ # Dump to report file
+ report()
+ {
+ echo "$1" >> ${REPORTFILE}
+ }
+
+
+ # Log exceptions
+ ReportException()
+ {
+ # 1 parameters
+ # <ID>:<2 char numeric>|text|
+ report "exception_event[]=$1|$2|"
+ logtext "Exception: test has an exceptional event ($1) with text $2"
+ }
+
+
+ # Log manual actions to report file
+ ReportManual()
+ {
+ # 1 parameters
+ # <ID>:<2 char numeric>
+ report "manual_event[]=$1"
+ logtext "Manual: one or more manual actions are required for further testing of this control/plugin"
+ }
+
+ # Report data (TESTID STATUS IMPACT MESSAGE)
+ ReportResult()
+ {
+ if [ $1 = "" ]; then TESTID="UNKNOWN"; fi
+ # Status: OK, WARNING, NEUTRAL, SUGGESTION
+ # Impact: HIGH, SEVERE, LOW,
+ #report "result[]=TESTID-${TESTID},STATUS-$2,IMPACT-$3,MESSAGE-$4-"
+ # Reset ID before next test
+ TESTID=""
+ }
+
+ # Log suggestions to report file
+ ReportSuggestion()
+ {
+ # 2 parameters
+ # <ID> <suggestion text>
+ report "suggestion[]=$1|$2|"
+ logtext "Suggestion: $2 [$1]"
+ }
+
+ # Log warning to report file
+ ReportWarning()
+ {
+ # 3 parameters
+ # <ID> <priority/impact> <warning text>
+ if [ "$2" = "L" -o "$2" = "M" -o "$2" = "H" ]; then
+ # old style warning
+ report "warning[]=$1|$3|"
+ logtext "Warning: $3 [$1]"
+ else
+ # new style warning
+ report "warning[]=$1|$2|"
+ logtext "Warning: $2 [test:$1]"
+ fi
+ }
+
+ SafePerms()
+ {
+ PERMS_OK=0
+ logtext "Checking permissions of $1"
+ if [ $# -eq 1 ]; then
+ # Check file permissions
+ if [ ! -f "$1" ]; then
+ logtext "Fatal error: file $1 does not exist. Quitting."
+ echo "Fatal error: file $1 does not exist"
+ ExitFatal
+ else
+ PERMS=`ls -l $1`
+ # Owner permissions
+ OWNER=`echo ${PERMS} | awk -F" " '{ print $3 }'`
+ if [ ! "${OWNER}" = "root" ]; then
+ echo "Fatal error: file $1 should be owned by user 'root' (found: ${OWNER})"
+ ExitFatal
+ fi
+ # Group permissions
+ GROUP=`echo ${PERMS} | awk -F" " '{ print $4 }'`
+ if [ ! "${GROUP}" = "root" -a ! "${GROUP}" = "wheel" ]; then
+ echo "Fatal error: group owner of directory $1 should be owned by root user, or related group"
+ ExitFatal
+ fi
+ # Other permissions
+ OTHER_PERMS=`echo ${PERMS} | cut -c8-10`
+ if [ ! "${OTHER_PERMS}" = "---" ]; then
+ echo "Fatal error: permissions of file $1 are not strict enough. Access to 'other' should be denied."
+ ExitFatal
+ fi
+ # Set PERMS_OK to 1 if no fatal errors occurred
+ PERMS_OK=1
+ logtext "File permissions are OK"
+ fi
+ else
+ logtext "Fatal error: invalid amount of parameters when calling function SafePerms()"
+ echo "Invalid amount of parameters for function SafePerms()"
+ ExitFatal
+ fi
+ }
+
+ ################################################################################
+ # Name : SearchItem()
+ # Description : Search if a specific string exists in in a file
+ # Parameters : $1 = search string
+ # : $2 = file
+ # Returns : <nothing>
+ ################################################################################
+
+ SearchItem()
+ {
+ ITEM_FOUND=0
+ if [ $# -eq 2 ]; then
+ # Don't search in /dev/null, it's too empty there
+ if [ -f $2 ]; then
+ # Check if we can find the main type (with or without brackets)
+ logtext "Test: search string $1 in file $2"
+ FIND=`egrep "$1" $2`
+ if [ ! "${FIND}" = "" ]; then
+ ITEM_FOUND=1
+ logtext "Result: found string"
+ logtext "Full string: ${FILE}"
+ else
+ logtext "Result: search string NOT found"
+ fi
+ else
+ logtext "Skipping search, file does not exist"
+ ReportException ${TEST_NO} "Test is trying to search for a string in nonexistent file"
+ fi
+ else
+ ReportException ${TEST_NO} "Error in function call to CheckItem"
+ fi
+ }
+
+
+ # Show result code
+ ShowResult()
+ {
+ case $1 in
+ OK)
+ echo "[ ${OK}OK${NORMAL} ]"
+ ;;
+ WARNING)
+ echo "[ ${WARNING}WARNING${NORMAL} ]"
+ # log the warning to our log file
+ #logtext "Warning: $2"
+ # add the warning to our report file
+ #report "warning=$2"
+ ;;
+ esac
+ }
+
+ ViewCategories()
+ {
+ if [ ! "${INCLUDEDIR}" = "" ]; then
+ InsertSection "Available test categories"
+ for I in `ls ${INCLUDEDIR}/tests_* | xargs -n 1 basename | sed 's/tests_//' | grep -v "custom.template"`; do
+ echo " - ${I}"
+ done
+ fi
+ echo ""
+ exit 0
+ }
+ # Wait for [ENTER] or manually break
+ wait_for_keypress()
+ {
+ if [ ! ${QUICKMODE} -eq 1 ]; then
+ echo ""; echo "[ ${WHITE}Press [ENTER] to continue, or [CTRL]+C to stop${NORMAL} ]"
+ read void
+ fi
+ }
+
+
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
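Review bot: SafePerms only rejects access for 'other' (`OTHER_PERMS` from `cut -c8-10`) and never looks at the group write bit, so a file owned by root with group `wheel` and mode 0660/0664 passes even though any wheel member could modify it before it is used. Since the group check explicitly allows `wheel` alongside `root`, add a group-write check next to the owner/group checks: `GROUP_WRITE=\`echo ${PERMS} | cut -c6\`` followed by `if [ "${GROUP_WRITE}" = "w" ]; then echo "Fatal error: file $1 is group-writable. Access to 'group' should be read-only."; ExitFatal; fi`. The message on the group-owner branch also says "directory $1" although the function has just required `-f "$1"`, so it should read "file $1". Separately, SearchItem logs `Full string: ${FILE}`, which is not set in that function; `${FIND}` appears to be what was intended, and its parameter-count error message still says "CheckItem".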
diff --git a/include/osdetection b/include/osdetection
new file mode 100644
index 00000000..c0e44ca5
--- /dev/null
+++ b/include/osdetection
@@ -0,0 +1,376 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# This software is licensed under GPL, version 3. See LICENSE file for
+# usage of this software.
+#
+#################################################################################
+#
+# Operating System detection
+#
+#################################################################################
+#
+
+ # Check operating system
+ case `uname` in
+
+ # IBM AIX
+ AIX)
+ OS="AIX"
+ OS_NAME="AIX"
+ OS_VERSION=`oslevel`
+ OS_FULLNAME="AIX ${OS_VERSION}"
+ CPU=`uname -p`
+ HARDWARE=`uname -M`
+ FIND_BINARIES="whereis -b"
+ SYSCTL_READKEY=""
+ ;;
+
+ # Mac OS X
+ Darwin)
+ OS="MacOS"
+ if [ -x /usr/bin/sw_vers ]; then
+ OS_NAME=`/usr/bin/sw_vers -productName`
+ OS_VERSION=`/usr/bin/sw_vers -productVersion`
+ OS_FULLNAME="${OS_NAME} ${OS_VERSION}"
+ else
+ # Fall back to pretty safe name
+ OS_NAME="Mac OS X"
+ OS_FULLNAME=`uname -s -r`
+ OS_VERSION=`uname -r`
+ fi
+ HARDWARE=`uname -m`
+ HOMEDIRS="/Users"
+ FIND_BINARIES="whereis"
+ OS_KERNELVERSION=`uname -r`
+ SYSCTL_READKEY=""
+ ;;
+
+ # DragonFly BSD
+ DragonFly)
+ OS="DragonFly"
+ OS_NAME="DragonFly BSD"
+ OS_FULLNAME=`uname -s -r`
+ OS_VERSION=`uname -r`
+ HARDWARE=`uname -m`
+ HOMEDIRS="/home /root"
+ FIND_BINARIES="whereis -q -a -b"
+ OS_KERNELVERSION=`uname -i`
+ SYSCTL_READKEY="sysctl -n"
+ ;;
+
+ # FreeBSD
+ FreeBSD)
+ OS="FreeBSD"
+ OS_NAME="FreeBSD"
+ OS_FULLNAME=`uname -s -r`
+ OS_VERSION=`uname -r`
+ HARDWARE=`uname -m`
+ HOMEDIRS="/home /root"
+ FIND_BINARIES="whereis -q -a -b"
+ OS_KERNELVERSION=`uname -i`
+ SYSCTL_READKEY="sysctl -n"
+
+ # TrueOS
+ if [ -f /etc/defaults/trueos ]; then
+ OS_NAME="TrueOS"
+ logtext "Result: found TrueOS file, system is completely based on FreeBSD though. Only adjusting OS name."
+ fi
+ ;;
+
+ # HP-UX
+ HP-UX)
+ OS="HP-UX"
+ OS_NAME="HP-UX"
+ OS_FULLNAME=`uname -s -r`
+ OS_VERSION=`uname -r`
+ HARDWARE=`uname -m`
+ FIND_BINARIES="whereis -b"
+ SYSCTL_READKEY=""
+ ;;
+
+ # Linux
+ Linux)
+ OS="Linux"
+ OS_NAME="Linux"
+ OS_FULLNAME=""
+ OS_VERSION=`uname -r`
+ LINUX_VERSION=""
+ HARDWARE=`uname -m`
+ HOMEDIRS="/home"
+ FIND_BINARIES="whereis -b"
+ OS_KERNELVERSION=`uname -r`
+
+ # Amazon
+ if [ -e "/etc/system-release" ]; then
+ FIND=`grep "Amazon" /etc/system-release`
+ if [ ! "${FIND}" = "" ]; then
+ OS_REDHAT_OR_CLONE=1
+ OS_FULLNAME=`cat /etc/system-release | grep "^Amazon"`
+ OS_VERSION=`grep "^Amazon" /etc/system-release | awk '{ if ($4=="release") { print $5 } }'`
+ LINUX_VERSION="Amazon"
+ fi
+ fi
+
+ # Arch Linux
+ if [ -e "/etc/arch-release" ]; then
+ OS_FULLNAME="Arch Linux"
+ OS_VERSION="Unknown"
+ LINUX_VERSION="Arch Linux"
+ fi
+
+ # Chakra Linux
+ if [ -e "/etc/chakra-release" ]; then
+ OS_FULLNAME=`cat /etc/chakra-release | grep "^Chakra"`
+ OS_VERSION=`cat /etc/chakra-release | grep "^Chakra" | awk '{ if ($3=="release") { print $4 }}'`
+ LINUX_VERSION="Chakra Linux"
+ fi
+
+ # Cobalt
+ if [ -e "/etc/cobalt-release" ]; then OS_FULLNAME=`cat /etc/cobalt-release`; fi
+ # CPUBuilders Linux
+ if [ -e "/etc/cpub-release" ]; then OS_FULLNAME=`cat /etc/cpub-release`; fi
+
+ # Debian/Ubuntu (***) - Set first to Debian
+ if [ -e "/etc/debian_version" ]; then
+ OS_VERSION=`cat /etc/debian_version`
+ OS_FULLNAME="Debian ${OS_VERSION}"
+ LINUX_VERSION="Debian"
+ fi
+ # /etc/lsb-release does not exist on Debian
+ if [ -e "/etc/debian_version" -a -e /etc/lsb-release ]; then
+ OS_VERSION=`cat /etc/debian_version`
+ FIND=`grep "^DISTRIB_ID=" /etc/lsb-release | cut -d '=' -f2 | sed 's/"//g'`
+ if [ "${FIND}" = "Ubuntu" ]; then
+ OS_VERSION=`grep "^DISTRIB_RELEASE=" /etc/lsb-release | cut -d '=' -f2`
+ OS_FULLNAME="Ubuntu ${OS_VERSION}"
+ LINUX_VERSION="Ubuntu"
+ elif [ "${FIND}" = "elementary OS" ]; then
+ LINUX_VERSION="elementary OS"
+ OS_VERSION=`grep "^DISTRIB_RELEASE=" /etc/lsb-release | cut -d '=' -f2`
+ OS_FULLNAME=`grep "^DISTRIB_DESCRIPTION=" /etc/lsb-release | cut -d '=' -f2 | sed 's/"//g'`
+ else
+ # Catch all, in case it's unclear what specific release this is.
+ OS_FULLNAME="Debian ${OS_VERSION}"
+ LINUX_VERSION="Debian"
+ fi
+ # Ubuntu test (optional) `cat /proc/version | grep "[Uu]buntu"`
+ fi
+ # E-smith
+ if [ -e "/etc/e-smith-release" ]; then OS_FULLNAME=`cat /etc/e-smith-release`; fi
+ # Gentoo
+ if [ -e "/etc/gentoo-release" ]; then OS_FULLNAME=`cat /etc/gentoo-release | awk '{ print $5 }' | cut -d '.' -f1,2`; fi
+
+
+
+ # Red Hat and others
+ if [ -e "/etc/redhat-release" ]; then
+ OS_REDHAT_OR_CLONE=1
+
+ # CentOS
+ FIND=`grep "CentOS" /etc/redhat-release`
+ if [ ! "${FIND}" = "" ]; then
+ OS_FULLNAME=`cat /etc/redhat-release | grep "CentOS"`
+ LINUX_VERSION="CentOS"
+ OS_VERSION="${OS_FULLNAME}"
+ fi
+
+ # ClearOS
+ FIND=`grep "ClearOS" /etc/redhat-release`
+ if [ ! "${FIND}" = "" ]; then
+ OS_FULLNAME=`cat /etc/redhat-release | grep "ClearOS"`
+ LINUX_VERSION="ClearOS"
+ OS_VERSION="${OS_FULLNAME}"
+ fi
+
+ # Fedora
+ FIND=`grep "Fedora" /etc/redhat-release`
+ if [ ! "${FIND}" = "" ]; then
+ OS_FULLNAME=`cat /etc/redhat-release | grep "Fedora"`
+ OS_VERSION="${OS_FULLNAME}"
+ LINUX_VERSION="Fedora"
+ fi
+
+ # Mageia (has also /etc/megaia-release)
+ FIND=`grep "Mageia" /etc/redhat-release`
+ if [ ! "${FIND}" = "" ]; then
+ OS_FULLNAME=`cat /etc/redhat-release | grep "^Mageia"`
+ OS_VERSION=`grep "^Mageia" /etc/redhat-release | awk '{ if ($2=="release") { print $3 } }'`
+ LINUX_VERSION="Mageia"
+ fi
+
+ # Oracle Enterprise Linux
+ FIND=`grep "Enterprise Linux Enterprise Linux Server" /etc/redhat-release`
+ if [ ! "${FIND}" = "" ]; then
+ LINUX_VERSION="Oracle Enterprise Linux";
+ OS_FULLNAME=`cat /etc/redhat-release | grep "Enterprise Linux"`;
+ OS_VERSION="${OS_FULLNAME}";
+ fi
+
+ # Oracle Enterprise Linux
+ if [ -e /etc/oracle-release ]; then
+ FIND=`grep "Oracle Linux Server" /etc/oracle-release`
+ if [ ! "${FIND}" = "" ]; then
+ LINUX_VERSION="Oracle Enterprise Linux";
+ OS_FULLNAME=`cat /etc/oracle-release | grep "Oracle Linux"`;
+ OS_VERSION="${OS_FULLNAME}";
+ fi
+ fi
+
+ # Oracle VM Server
+ if [ -e /etc/ovs-release ]; then
+ FIND=`grep "Oracle VM" /etc/ovs-release`
+ if [ ! "${FIND}" = "" ]; then
+ LINUX_VERSION="Oracle VM Server";
+ OS_FULLNAME=`cat /etc/ovs-release | grep "Oracle VM"`;
+ OS_VERSION="${OS_FULLNAME}";
+ fi
+ fi
+
+ # Red Hat
+ FIND=`grep "Red Hat" /etc/redhat-release`
+ if [ ! "${FIND}" = "" ]; then
+ OS_FULLNAME=`cat /etc/redhat-release | grep "Red Hat"`
+ OS_VERSION="${OS_FULLNAME}"
+ LINUX_VERSION="Red Hat"
+ fi
+
+ # Scientific
+ FIND=`grep "Scientific" /etc/redhat-release`
+ if [ ! "${FIND}" = "" ]; then
+ OS_FULLNAME=`cat /etc/redhat-release | grep "^Scientific"`
+ OS_VERSION=`grep "^Scientific" /etc/redhat-release | awk '{ if ($3=="release") { print $4 } }'`
+ LINUX_VERSION="Scientific"
+ fi
+
+
+ fi
+
+ # PCLinuxOS
+ if [ -f /etc/pclinuxos-release ]; then
+ FIND=`grep "^PCLinuxOS" /etc/pclinuxos-release`
+ if [ ! "${FIND}" = "" ]; then
+ OS_FULLNAME="PCLinuxOS Linux"
+ LINUX_VERSION="PCLinuxOS"
+ OS_VERSION=`grep "^PCLinuxOS" /etc/pclinuxos-release | awk '{ if ($2=="release") { print $3 } }'`
+ fi
+ fi
+
+ # Sabayon Linux
+ if [ -f /etc/sabayon-edition ]; then
+ FIND=`grep "Sabayon Linux" /etc/sabayon-edition`
+ if [ ! "${FIND}" = "" ]; then
+ OS_FULLNAME="Sabayon Linux"
+ LINUX_VERSION="Sabayon"
+ OS_VERSION=`cat /etc/sabayon-edition | awk '{ print $3 }'`
+ fi
+ fi
+
+ if [ -f /etc/SLOX-release ]; then
+ OS_FULLNAME=`cat /etc/SLOX-release | grep "SuSE Linux"`
+ LINUX_VERSION="SuSE"
+ fi
+
+ # Slackware
+ if [ -f /etc/slackware-version ]; then
+ LINUX_VERSION="Slackware"
+ OS_VERSION=`grep "^Slackware" /etc/slackware-version | awk '{ if ($1=="Slackware") { print $2 } }'`
+ OS_FULLNAME="Slackware Linux ${OS_VERSION}"
+ fi
+
+ # SuSE
+ if [ -e "/etc/SuSE-release" ]; then
+ OS_VERSION=`cat /etc/SuSE-release | head -n 1`;
+ LINUX_VERSION="SuSE";
+ fi
+
+ # Turbo Linux
+ if [ -e "/etc/turbolinux-release" ]; then OS_FULLNAME=`cat /etc/turbolinux-release`; fi
+ # YellowDog
+ if [ -e "/etc/yellowdog-release" ]; then OS_FULLNAME=`cat /etc/yellowdog-release`; fi
+
+ # ===================================================================
+ # Set OS name to the discovered Linux version
+ if [ ! "${LINUX_VERSION}" = "" -a "${OS_NAME}" = "Linux" ]; then
+ OS_NAME="${LINUX_VERSION}"
+ fi
+ # If Linux version (full name) is unknown, use uname value
+ if [ "${OS_FULLNAME}" = "" ]; then OS_FULLNAME=`uname -s -r`; fi
+ SYSCTL_READKEY="sysctl -n"
+
+ ;;
+
+ # NetBSD
+ NetBSD)
+ OS="NetBSD"
+ OS_NAME="NetBSD"
+ OS_FULLNAME=`uname -s -r`
+ OS_KERNELVERSION=`uname -v`
+ OS_VERSION=`uname -r`
+ HARDWARE=`uname -m`
+ FIND_BINARIES="whereis"
+ SYSCTL_READKEY=""
+ ;;
+
+ # OpenBSD
+ OpenBSD)
+ OS="OpenBSD"
+ OS_NAME="OpenBSD"
+ OS_FULLNAME=`uname -s -r`
+ OS_KERNELVERSION=`uname -v`
+ OS_VERSION=`uname -r`
+ HARDWARE=`uname -m`
+ FIND_BINARIES="whereis"
+ SYSCTL_READKEY=""
+ ;;
+
+ # Solaris / OpenSolaris
+ SunOS)
+ OS="Solaris"
+ OS_NAME="Sun Solaris"
+ OS_FULLNAME=`uname -s -r`
+ OS_VERSION=`uname -r`
+ HARDWARE=`uname -m`
+ if [ -x /usr/bin/isainfo ]; then
+ # Returns 32, 64
+ OS_MODE=`/usr/bin/isainfo -b`
+ fi
+ SYSCTL_READKEY=""
+ ;;
+
+ # Unknown or unsupported systems
+ *)
+ echo "[ ${WARNING}WARNING${NORMAL} ]"
+ echo "${WARNING}Error${NORMAL}: ${WHITE}Unknown OS found. No support available for this OS or platform...${NORMAL}"
+ echo "Please consult the README/documentation for more information."
+ exit 1
+ ;;
+
+ esac
+
+ # Set correct echo binary and parameters after detecting operating system
+ case ${OS} in
+ "AIX") ECHOCMD="echo" ;;
+ "MacOS") ECHOCMD="echo" ;;
+ "Solaris") ECHOCMD="echo" ;;
+ "Linux")
+ # Check if dash is used (Debian/Ubuntu)
+ DEFAULT_SHELL=`ls -l /bin/sh | awk -F'>' '{print $2}'`
+ case ${DEFAULT_SHELL} in
+ " dash") ECHOCMD="/bin/echo -e" ;;
+ *) ECHOCMD="echo -e" ;;
+ esac
+ ;;
+ *) ECHOCMD="echo -e" ;;
+ esac
+
+
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
diff --git a/include/parameters b/include/parameters
new file mode 100644
index 00000000..4a0d889f
--- /dev/null
+++ b/include/parameters
@@ -0,0 +1,184 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# Parameter checks
+#
+#################################################################################
+#
+
+ # Check number of parameters submitted (at least one is needed)
+ PARAMCOUNT=$#
+ while [ $# -ge 1 ]; do
+ case $1 in
+
+ # Assign auditor to report
+ --auditor)
+ shift
+ AUDITORNAME=$1
+ ;;
+
+ # Perform tests
+ -c | --check-all | --checkall)
+ CHECK=1
+ ;;
+
+ # Cronjob support
+ --cronjob | --cron)
+ CRONJOB=1;
+ # Use some defaults (-c, -Q, no colors)
+ CHECK=1; QUICKMODE=1; NEVERBREAK=1
+ # Get rid of the colors
+ NORMAL=""; WARNING=""; SECTION=""; NOTICE=""; OK=""; BAD=""; CYAN=""; MAGENTA=""; PURPLE=""; YELLOW=""; WHITE=""; GREEN=""; RED=""
+ ;;
+
+ # Perform tests with additional debugging information on screen
+ --debug)
+ DEBUG=1
+ ;;
+
+
+ # View help
+ --help | -h)
+ VIEWHELP=1
+ ;;
+
+ # View program/database information
+ --check-update | --info)
+ VIEWUPDATEINFO=1
+ ;;
+
+ # License key for Lynis Enterprise
+ --license-key)
+ shift
+ LICENSE_KEY=$1
+ ;;
+
+ # Adjust default logfile location
+ --logfile | --log-file)
+ shift
+ LOGFILE=$1
+ ;;
+
+ # Don't use colors
+ --no-colors)
+ NORMAL=""; WARNING=""; SECTION=""; NOTICE=""; OK=""; BAD=""; CYAN=""; MAGENTA=""; PURPLE=""; YELLOW=""; WHITE=""; GREEN=""; RED=""
+ ;;
+
+ # Disable logging
+ --no-log | --nolog)
+ LOGFILE="/dev/null"
+ ;;
+
+ # Define a custom profile file
+ --profile)
+ shift
+ PROFILE=$1
+ ;;
+
+ # Define a custom plugin directory
+ --plugin-dir)
+ shift
+ PLUGINDIR=$1
+ LASTCHAR=`echo $1 | awk '{ print substr($0, length($0))}'`
+ if [ "${LASTCHAR}" = "/" ]; then
+ echo "${RED}Error:${WHITE} plugin directory path should not end with a slash${NORMAL}"
+ ExitFatal
+ fi
+ if [ ! -d ${PLUGINDIR} ]; then
+ echo "${RED}Error:${WHITE} invalid plugin directory ${PLUGINDIR}${NORMAL}"
+ ExitFatal
+ fi
+ ;;
+
+ # Quiet mode
+ -q | --quiet)
+ QUIET=1
+ # Run non-interactive
+ QUICKMODE=1
+ ;;
+
+ # Non-interactive mode
+ -Q | --quick)
+ QUICKMODE=1
+ ;;
+
+ # Strip the colors which aren't clearly visible on light backgrounds
+ --reverse-colors)
+ #NORMAL="";
+ SECTION="${NORMAL}";
+ NOTICE="${NORMAL}";
+ #OK="";
+ #BAD="";
+ CYAN="${NORMAL}";
+ GREEN="${NORMAL}";
+ YELLOW="${NORMAL}";
+ WHITE="${NORMAL}";
+ PURPLE="${NORMAL}";
+ #GREEN="";
+ #RED=""
+ ;;
+
+ # Only scan these tests
+ --tests)
+ shift
+ TESTS_TO_PERFORM=$1
+ ;;
+
+ # Scan one or more categories only
+ --tests-category)
+ shift
+ TESTS_CATEGORY_TO_PERFORM=$1
+ ;;
+
+ # Lynis Enterprise: upload data to central node
+ --upload)
+ UPLOAD_DATA=1
+ ;;
+ # Version number
+ -V | --version)
+ echo "${PROGRAM_version}"
+ exit 0
+ ;;
+
+ --view-categories | --list-categories | --show-categories)
+ ViewCategories
+ exit 0
+ ;;
+
+ # View man page
+ --view-manpage | --man)
+ if [ -f lynis.8 ]; then
+ nroff -man lynis.8
+ exit 0
+ else
+ echo "Error: man page file not found (lynis.8)"
+ echo "If you are running an installed version of Lynis, use 'man lynis'"
+ exit 1
+ fi
+ ;;
+
+ # Drop out when using wrong option(s)
+ *)
+ # Wrong option used, we bail out later
+ WRONGOPTION=1
+ WRONGOPTION_value=$1
+ ;;
+ esac
+ shift
+ done
+
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
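Review bot: Every option that takes a value (`--auditor`, `--license-key`, `--logfile`, `--profile`, `--plugin-dir`, `--tests`, `--tests-category`) does `shift` and then reads `$1` without checking that an argument is left, so a trailing `--profile` silently sets `PROFILE` to an empty string and the failure only surfaces later as an unreadable profile rather than as a usage error. A guard placed before the `shift` in each of those arms, `if [ $# -lt 2 ]; then echo "${RED}Error:${WHITE} $1 requires a value${NORMAL}"; ExitFatal; fi`, reports it at parse time. The `--plugin-dir` check `if [ ! -d ${PLUGINDIR} ]; then` also needs the expansion quoted (`if [ ! -d "${PLUGINDIR}" ]; then`), because a path containing whitespace word-splits into several `test` operands and aborts with a syntax error instead of the intended message.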
diff --git a/include/profiles b/include/profiles
new file mode 100644
index 00000000..ac4a4ec0
--- /dev/null
+++ b/include/profiles
@@ -0,0 +1,186 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# Read profile/template
+#
+#################################################################################
+#
+ #YYY Enable check when profile files are complete and completely documented
+ # Check if default profile is used
+ if [ "${PROFILE}" = "defaultXXX.prf" ]; then
+ echo ""
+ echo " ==============================================================================="
+ echo " ${WARNING}Warning${NORMAL}: ${WHITE}Default profile is used.${NORMAL}"
+ echo " Default profile contains only a small amount of options and settings."
+ echo " Consult the documentation to create a custom profile!"
+ echo ""
+ echo " [ ${WHITE}Press [ENTER] to continue with the default profile or [CTRL] + C to stop${NORMAL} ]"
+ echo " ==============================================================================="
+ wait_for_keypress
+ fi
+
+#
+#################################################################################
+#
+ Display --indent 2 --text "- Checking profile file (${PROFILE})..."
+ logtext "Reading profile/configuration ${PROFILE}"
+ FIND=`cat ${PROFILE} | grep '^config:' | sed 's/ /!space!/g'`
+ for I in ${FIND}; do
+ OPTION=`echo ${I} | cut -d ':' -f2`
+ VALUE=`echo ${I} | cut -d ':' -f3 | sed 's/!space!/ /g'`
+
+ logtext "Profile option set: ${OPTION} (with value ${VALUE})"
+
+ case ${OPTION} in
+
+ # Maximum number of WAITing connections
+ connections_max_wait_state)
+ OPTIONS_CONN_MAX_WAIT_STATE="${VALUE}"
+ ;;
+
+ # Do not check security repository in sources.list (Debian/Ubuntu)
+ debian_skip_security_repository)
+ OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY="${VALUE}"
+ ;;
+ debug)
+ if [ "${VALUE}" = "yes" -o "${VALUE}" = "true" ]; then
+ DEBUG=1
+ fi
+ ;;
+ # Skip FreeBSD port audit
+ freebsd_skip_portaudit)
+ logtext "Option set: Skip FreeBSD portaudit"
+ OPTION_FREEBSD_SKIP_PORTAUDIT="${VALUE}"
+ ;;
+
+ # Lynis Enterprise: group name
+ group)
+ GROUP_NAME="${VALUE}"
+ ;;
+
+ # Lynis Enterprise license key
+ license_key)
+ LICENSE_KEY="${VALUE}"
+ ;;
+
+ # Do (not) log tests if they have an different operating system
+ log_tests_incorrect_os)
+ logtext "Option set: No logging for incorrect OS"
+ if [ "${VALUE}" = "no" ]; then LOG_INCORRECT_OS=0; else LOG_INCORRECT_OS=1; fi
+ ;;
+
+ # What type of machine we are scanning (eg. desktop, server, server with storage)
+ machine_role)
+ MACHINE_ROLE="${VALUE}"
+ ;;
+
+ # Define if any found NTP daemon instance is configured as a server or client
+ ntpd_role)
+ NTPD_ROLE="${VALUE}"
+ ;;
+
+ # How much seconds to wait between tests
+ pause_between_tests)
+ TEST_PAUSE_TIME="${VALUE}"
+ ;;
+
+ # Profile name
+ profile_name)
+ # YYY dummy
+ ;;
+
+ # Inline tips about tool
+ show_tool_tips)
+ SHOW_TOOL_TIPS="${VALUE}"
+ ;;
+
+ # Tests to always skip (useful for false positives or problematic tests)
+ test_skip_always)
+ TEST_SKIP_ALWAYS="${VALUE}"
+ logtext "Tests to be skipped: ${VALUE}"
+ ;;
+
+ # Do not check the latest version on the internet
+ skip_upgrade_test)
+ if [ "${VALUE}" = "yes" -o "${VALUE}" = "YES" ]; then SKIP_UPGRADE_TEST=1; else SKIP_UPGRADE_TEST=0; fi
+ ;;
+
+ # Define what kind of scan we are performing
+ test_scan_mode)
+ if [ "${VALUE}" = "light" ]; then SCAN_TEST_LIGHT="YES"; SCAN_TEST_MEDIUM="NO"; SCAN_TEST_HEAVY="NO"; fi
+ if [ "${VALUE}" = "normal" ]; then SCAN_TEST_LIGHT="YES"; SCAN_TEST_MEDIUM="YES"; SCAN_TEST_HEAVY="NO"; fi
+ if [ "${VALUE}" = "full" ]; then SCAN_TEST_LIGHT="YES"; SCAN_TEST_MEDIUM="YES"; SCAN_TEST_HEAVY="YES"; fi
+ ;;
+
+ # Catch all bad options and bail out
+ *)
+ logtext "Unknown option ${OPTION} (with value: ${VALUE})"
+ echo "Fatal error: found errors in profile"
+ echo "Unknown option '${OPTION}' found (with value: ${VALUE})"
+ RemovePIDFile
+ exit 1
+ ;;
+
+ esac
+
+ done
+#
+#################################################################################
+#
+ # Add group name to report
+ if [ ! "${GROUP_NAME}" = "" ]; then
+ report "group=${GROUP_NAME}"
+ fi
+#
+#################################################################################
+#
+# Plugins
+#
+#################################################################################
+#
+ #FIND=`cat ${PROFILE} | grep '^plugin_enable=' | sed 's/ /!space!/g'`
+ #for I in ${FIND}; do
+ # PLUGIN=`echo ${I} | cut -d '=' -f2`
+ # if [ -f "${PLUGINDIR}/${PLUGIN}" ]; then
+ # logtext "Found plugin: ${PLUGIN}"
+ # # XXX - enable plugin
+ # else
+ # logtext "Couldn't find plugin: ${PLUGIN} (${PLUGINDIR}/${PLUGIN})"
+ # fi
+ #done
+#
+#################################################################################
+#
+ # Set default values (only if not configured in profile)
+
+ if [ "${MACHINE_ROLE}" = "" ]; then
+ MACHINE_ROLE="server"
+ logtext "Set option to default value: MACHINE_ROLE --> ${MACHINE_ROLE}"
+ fi
+
+ if [ "${NTPD_ROLE}" = "" ]; then
+ NTPD_ROLE="client"
+ logtext "Set option to default value: NTPD_ROLE --> ${NTPD_ROLE}"
+ fi
+
+#
+#################################################################################
+#
+
+logtextbreak
+
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - cisofy.com - The Netherlands
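Review bot: The `logtext "Profile option set: ${OPTION} (with value ${VALUE})"` call runs before the `case`, so the `license_key` value is written verbatim into the log file next to every other option; the log is ordinary plain text whose path is printed in the results overview, so the key should be redacted there, e.g. `if [ "${OPTION}" = "license_key" ]; then logtext "Profile option set: ${OPTION} (value not logged)"; else logtext "Profile option set: ${OPTION} (with value ${VALUE})"; fi`. The `cat ${PROFILE} | grep '^config:'` read also has no check that `${PROFILE}` exists or is readable: `cat` only complains on stderr, the loop runs zero times and the script carries on with defaults as if the profile were empty. A guard before it, `if [ ! -r "${PROFILE}" ]; then echo "Fatal error: profile ${PROFILE} not found or not readable"; RemovePIDFile; exit 1; fi`, fails closed in the same way the unknown-option arm already does.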
diff --git a/include/report b/include/report
new file mode 100644
index 00000000..318ed027
--- /dev/null
+++ b/include/report
@@ -0,0 +1,223 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# Report
+#
+#################################################################################
+#
+ logtextbreak
+ #if [ ${QUIET} -eq 0 ]; then
+# echo ""
+# echo " ---------------------------------------------------"
+# echo " Program version: ${PROGRAM_version}"
+# echo " Operating system: ${OS_NAME}"
+# echo " Operating system version: ${OS_VERSION}"
+# if [ ! "${OS_MODE}" = "" ]; then echo " Operating system mode: ${OS_MODE}"; fi
+# echo " Kernel version: ${OS_KERNELVERSION}"
+# echo " Hardware platform: ${HARDWARE}"
+# echo " Hostname: ${HOSTNAME}"
+# echo " Auditor: ${AUDITORNAME}"
+# echo " Profile: ${PROFILE}"
+# echo " Log file: ${LOGFILE}"
+# echo " Report file: ${REPORTFILE}"
+# echo " Report version: ${REPORT_version}"
+# echo " ---------------------------------------------------"
+# fi
+
+#
+#################################################################################
+#
+# Hardening Index
+# Define approximately how strong a machine has been hardened
+#
+#################################################################################
+#
+ # If no hardening has been found, set value to 1
+ if [ ${HPPOINTS} -eq 0 ]; then HPPOINTS=1; HPTOTAL=100; fi
+ HPINDEX=`expr $HPPOINTS \* 100 / $HPTOTAL`
+ HPAOBLOCKS=`expr $HPPOINTS \* 20 / $HPTOTAL`
+ # Set color related to rating
+ if [ ${HPINDEX} -lt 50 ]; then
+ HPCOLOR="${RED}"
+ HIDESCRIPTION="System has not or a low amount been hardened"
+ fi
+ if [ ${HPINDEX} -gt 49 -a ${HPINDEX} -lt 80 ]; then
+ HPCOLOR="${YELLOW}"
+ HIDESCRIPTION="System has been hardened, but could use additional hardening"
+ fi
+ if [ ${HPINDEX} -gt 79 -a ${HPINDEX} -lt 90 ]; then
+ HPCOLOR="${GREEN}"
+ HIDESCRIPTION="System seem to be decent hardened"
+ fi
+ if [ ${HPINDEX} -gt 89 ]; then
+ HPCOLOR="${GREEN}"
+ HIDESCRIPTION="System seem to be well hardened"
+ fi
+
+ case ${HPAOBLOCKS} in
+ 0) HPBLOCKS="#"; HPEMPTY=" " ;;
+ 1) HPBLOCKS="#"; HPEMPTY=" " ;;
+ 2) HPBLOCKS="##"; HPEMPTY=" " ;;
+ 3) HPBLOCKS="###"; HPEMPTY=" " ;;
+ 4) HPBLOCKS="####"; HPEMPTY=" " ;;
+ 5) HPBLOCKS="#####"; HPEMPTY=" " ;;
+ 6) HPBLOCKS="######"; HPEMPTY=" " ;;
+ 7) HPBLOCKS="#######"; HPEMPTY=" " ;;
+ 8) HPBLOCKS="########"; HPEMPTY=" " ;;
+ 9) HPBLOCKS="#########"; HPEMPTY=" " ;;
+ 10) HPBLOCKS="##########"; HPEMPTY=" " ;;
+ 11) HPBLOCKS="###########"; HPEMPTY=" " ;;
+ 12) HPBLOCKS="############"; HPEMPTY=" " ;;
+ 13) HPBLOCKS="#############"; HPEMPTY=" " ;;
+ 14) HPBLOCKS="##############"; HPEMPTY=" " ;;
+ 15) HPBLOCKS="###############"; HPEMPTY=" " ;;
+ 16) HPBLOCKS="################"; HPEMPTY=" " ;;
+ 17) HPBLOCKS="#################"; HPEMPTY=" " ;;
+ 18) HPBLOCKS="##################"; HPEMPTY=" " ;;
+ 19) HPBLOCKS="###################"; HPEMPTY=" " ;;
+ 20) HPBLOCKS="####################"; HPEMPTY="" ;;
+ esac
+
+ HPGRAPH="[${HPCOLOR}${HPBLOCKS}${NORMAL}${HPEMPTY}]"
+ logtext "Hardening index : [${HPINDEX}] [${HPBLOCKS}${HPEMPTY}]"
+ logtext "Hardening strength: ${HIDESCRIPTION}"
+ report "hardening_index=${HPINDEX}"
+
+#
+#################################################################################
+#
+# Show test results overview
+#
+#################################################################################
+#
+ # Only show overview if not running in quiet mode
+ if [ ${QUIET} -eq 0 ]; then
+ echo ""; echo "================================================================================"
+ echo ""; echo " -[ ${WHITE}${PROGRAM_name} ${PROGRAM_version} Results${NORMAL} ]-"
+ echo "";
+
+ # Show warnings from logfile
+ SWARNINGS=`cat ${LOGFILE} | grep -i 'warning:' | sed 's/ /!space!/g'`
+
+
+ if [ "${SWARNINGS}" = "" ]; then
+ echo " ${OK}No warnings${NORMAL}"; echo ""
+ else
+ echo " ${WARNING}Warnings${NORMAL}:"
+ echo " ${WHITE}----------------------------${NORMAL}"
+ for WARNING in ${SWARNINGS}; do
+ SHOWWARNING=`echo ${WARNING} | sed 's/!space!/ /g' | sed 's/^\[\(.*\)\] Warning: //'`
+ ADDLINK=`echo ${WARNING} | sed 's/!space!/ /g' | sed 's/^\[\(.*\)\] Warning: \(.*\)\[//' | sed 's/\]//'`
+ echo " ${WHITE}- ${SHOWWARNING}${NORMAL}"
+ echo " http://cisofy.com/controls/${ADDLINK}/"
+ echo ""
+ done
+ fi
+
+ # Show suggestions from logfile
+ SSUGGESTIONS=`grep -i 'suggestion:' ${LOGFILE} | sed 's/ /!space!/g'`
+
+ if [ "${SSUGGESTIONS}" = "" ]; then
+ echo " ${OK}No suggestions${NORMAL}"; echo ""
+ else
+ echo " ${YELLOW}Suggestions${NORMAL}:"
+ echo " ${WHITE}----------------------------${NORMAL}"
+ for SUGGESTION in ${SSUGGESTIONS}; do
+ SHOWSUGGESTION=`echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^\[\(.*\)\] Suggestion: //'`
+ ADDLINK=`echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^\[\(.*\)\] Suggestion: \(.*\)\[//' | sed 's/\]//'`
+ echo " - ${SHOWSUGGESTION}"
+ echo " http://cisofy.com/controls/${ADDLINK}/"
+ done
+ echo ""
+ fi
+
+ if [ ! "${SWARNINGS}" = "" -o ! "${SSUGGESTIONS}" = "" ]; then
+ echo " ${CYAN}Follow-up${NORMAL}:"
+ echo " ${WHITE}----------------------------${NORMAL}"
+ echo " ${WHITE}-${NORMAL} Check the logfile (less $LOGFILE)"
+ echo " ${WHITE}-${NORMAL} Read security controls texts (http://cisofy.com)"
+ echo " ${WHITE}-${NORMAL} Use --upload to upload data (Lynis Enterprise users)"
+ echo ""
+ fi
+ echo "================================================================================"
+ echo " ${WHITE}Lynis Scanner (details)${NORMAL}:"
+ echo ""
+ echo " ${CYAN}Hardening index${NORMAL} : ${WHITE}${HPINDEX}${NORMAL} ${HPGRAPH}"
+ echo " ${CYAN}Tests performed${NORMAL} : ${WHITE}${CTESTS_PERFORMED}${NORMAL}"
+ echo " ${CYAN}Plugins enabled${NORMAL} : ${WHITE}${N_PLUGIN_ENABLED}${NORMAL}"
+ echo ""
+ echo " ${SECTION}Lynis Modules${NORMAL}:"
+ # Heuristics will be implemented later
+ echo " - Heuristics Check [${WHITE}NA${NORMAL}] - Security Audit [${GREEN}V${NORMAL}] - Vulnerability Scan [${GREEN}V${NORMAL}]"
+ echo ""
+ echo " ${SECTION}Compliance Checks${NORMAL}:"
+ # Compliance checks and status will be marked in upcoming releases
+ echo " - HIPAA [${WHITE}NA${NORMAL}] - PCI [${WHITE}NA${NORMAL}] - SOx [${WHITE}NA${NORMAL}] "
+
+ echo ""
+ echo " ${SECTION}Files${NORMAL}:"
+ echo " - Test and debug information : ${WHITE}${LOGFILE}${NORMAL}"
+ echo " - Report data : ${WHITE}${REPORTFILE}${NORMAL}"
+ echo "================================================================================"
+ if [ ${PROGRAM_LV} -gt ${PROGRAM_AC} ]; then
+ echo " ${NOTICE}Notice: ${WHITE}${PROGRAM_name} update available${NORMAL}"
+ echo " Current version : ${WHITE}${PROGRAM_AC}${NORMAL} Latest version : ${WHITE}${PROGRAM_LV}${NORMAL}"
+ echo "================================================================================"
+ else
+ ###########################################################################################
+ #
+ # Software quality program
+ # Only provide this hint when the tool is at the latest version
+ #
+ ###########################################################################################
+
+ if [ ! "${PROGRAM_LV}" = "0" -a ! "${REPORTFILE}" = "" -a ! "${REPORTFILE}" = "/dev/null" ]; then
+ # Determine if the quality of the program can be increased by filtering out the exceptions
+ FIND=`${GREPBINARY} "^exception" ${REPORTFILE}`
+ if [ ! "${FIND}" = "" ]; then
+ echo ""
+ echo " ${RED}Exceptions found${NORMAL}"
+ echo " ${WHITE}Some exceptional events or information was found!${NORMAL}"
+ echo ""
+ echo " ${CYAN}What to do:${NORMAL}"
+ echo " You can help improving Lynis by providing your report file."
+ echo " Go to http://cisofy.com/contact/ and send your file to the e-mail address listed"
+ echo ""
+ echo "================================================================================"
+ fi
+ fi
+ fi
+
+ if [ ${SHOW_TOOL_TIPS} -eq 1 ]; then
+ echo " Tip: Disable all tests which are not relevant or are too strict for the"
+ echo " purpose of this particular machine. This will remove unwanted suggestions"
+ echo " and also boost the hardening index. Each test should be properly analyzed"
+ echo " to see if the related risks can be accepted, before disabling the test."
+ echo "================================================================================"
+ fi
+
+ echo " ${PROGRAM_name} ${PROGRAM_version}"
+ echo " ${PROGRAM_copyright}"
+ echo " ${WHITE}${PROGRAM_extrainfo}${NORMAL}"
+ echo "================================================================================"
+
+
+ echo ""; echo ""
+ fi
+
+#
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - cisofy.com - The Netherlands
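Review bot: `for WARNING in ${SWARNINGS}; do` reuses the global colour variable `WARNING` (expanded two lines earlier in `echo " ${WARNING}Warnings${NORMAL}:"` and cleared by `--no-colors` in the parameters file) as its loop variable, so after the loop `${WARNING}` holds the text of the last warning line instead of an escape sequence and any later use of it as a colour would print that text; renaming it, `for SWARNING in ${SWARNINGS}; do` with the two `echo ${WARNING}` substitutions below it changed to `${SWARNING}`, avoids the clobber. `if [ ${SHOW_TOOL_TIPS} -eq 1 ]; then` is also fragile: the profiles file assigns `SHOW_TOOL_TIPS="${VALUE}"` straight from the profile, so a non-numeric value such as `yes` makes `[` fail with an integer-expression error and the tip block is skipped without any diagnosis, which a string comparison or a yes/true→1 normalisation where the option is read would prevent. Finally, the overview is reconstructed by grepping `${LOGFILE}`, which `--no-log` sets to `/dev/null`, so in that mode the summary always prints "No warnings" and "No suggestions" regardless of what the tests found; a printed notice when `LOGFILE` is `/dev/null`, or keeping the findings in variables as they are reported, would make that mode honest.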
diff --git a/include/tests_accounting b/include/tests_accounting
new file mode 100644
index 00000000..e6036b6a
--- /dev/null
+++ b/include/tests_accounting
@@ -0,0 +1,398 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+ InsertSection "Accounting"
+#
+#################################################################################
+#
+ AUDITD_CONF_LOCS="/etc /etc/audit"
+ AUDITD_CONF_FILE=""
+ AUDITD_RUNNING=0
+ SOLARIS_AUDITD_RUNNING=0
+#
+#################################################################################
+#
+ # Test : ACCT-2754
+ # Description : Check availability FreeBSD accounting data
+ Register --test-no ACCT-2754 --os FreeBSD --weight L --network NO --description "Check for available FreeBSD accounting information"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ if [ -f /var/account/acct ]; then
+ Display --indent 2 --text "- Checking accounting information..." --result OK --color GREEN
+ logtext "Result: /var/account/acct available"
+ AddHP 3 3
+ else
+ Display --indent 2 --text "- Checking accounting information..." --result "NOT FOUND" --color YELLOW
+ logtext "Result: No accounting information available"
+ logtext "Remark: Possibly there is another location where the accounting data is stored"
+ ReportSuggestion ${TEST_NO} "Enable process accounting"
+ AddHP 2 3
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : ACCT-9622
+ # Description : Check availability Linux accounting data
+ # Notes : /var/log/pacct (Slackware)
+ Register --test-no ACCT-9622 --os Linux --weight L --network NO --description "Check for available Linux accounting information"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Check accounting information"
+ if [ -f /var/account/pacct ]; then
+ Display --indent 2 --text "- Checking accounting information..." --result OK --color GREEN
+ logtext "Result: /var/account/pacct available"
+ AddHP 3 3
+ elif [ -f /var/log/account/pacct ]; then
+ Display --indent 2 --text "- Checking accounting information..." --result OK --color GREEN
+ logtext "Result: /var/log/account/pacct available"
+ AddHP 3 3
+ elif [ -f /var/log/pacct ]; then
+ Display --indent 2 --text "- Checking accounting information..." --result OK --color GREEN
+ logtext "Result: /var/log/pacct available"
+ AddHP 3 3
+ else
+ Display --indent 2 --text "- Checking accounting information... " --result "NOT FOUND" --color YELLOW
+ logtext "Result: No accounting information available (/var/account/pacct does not exist)"
+ logtext "Remark: Possibly there is another location where the accounting data is stored"
+ ReportSuggestion ${TEST_NO} "Enable process accounting"
+ AddHP 2 3
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : ACCT-9626
+ # Description : Check sysstat accounting data
+ Register --test-no ACCT-9626 --os Linux --weight L --network NO --description "Check for sysstat accounting data"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: check /etc/default/sysstat presence"
+ if [ -f /etc/default/sysstat ]; then
+ logtext "Result: /etc/default/sysstat found"
+ FIND=`grep "^ENABLED" /etc/default/sysstat | grep -i true`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: sysstat enabled via /etc/default/sysstat"
+ Display --indent 2 --text "- Checking sysstat accounting data" --result ENABLED --color GREEN
+ else
+ logtext "Result: sysstat disabled via /etc/default/sysstat"
+ Display --indent 2 --text "- Checking sysstat accounting data" --result DISABLED --color WHITE
+ ReportSuggestion ${TEST_NO} "Enable sysstat to collect accounting (disabled)"
+ fi
+ elif [ -f /etc/cron.d/sysstat ]; then
+ FIND=`grep -v '^[[:space:]]*\(#\|$\)' /etc/cron.d/sysstat`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: sysstat enabled via /etc/cron.d/sysstat"
+ Display --indent 2 --text "- Checking sysstat accounting data" --result ENABLED --color GREEN
+ else
+ logtext "Result: sysstat disabled via /etc/cron.d/sysstat"
+ Display --indent 2 --text "- Checking sysstat accounting data" --result DISABLED --color WHITE
+ ReportSuggestion ${TEST_NO} "Enable sysstat to collect accounting (cron disabled)"
+ fi
+ else
+ logtext "Result: sysstat not found via /etc/default/sysstat or /etc/cron.d/sysstat"
+ Display --indent 2 --text "- Checking sysstat accounting data" --result "NOT FOUND" --color YELLOW
+ ReportSuggestion ${TEST_NO} "Enable sysstat to collect accounting (no results)"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : ACCT-9628
+ # Description : Check auditd status
+ if [ ! "${AUDITDBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no ACCT-9628 --os Linux --weight L --network NO --description "Check for auditd"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Check auditd status"
+ FIND=`${PSBINARY} ax | grep "auditd" | grep -v "grep" | grep -v "kauditd"`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: auditd running"
+ Display --indent 2 --text "- Checking auditd" --result ENABLED --color GREEN
+ AUDITD_RUNNING=1
+ report "audit_deamon_running=1"
+ AddHP 4 4
+ else
+ logtext "Result: auditd not active"
+ Display --indent 2 --text "- Checking auditd" --result "NOT FOUND" --color WHITE
+ ReportSuggestion ${TEST_NO} "Enable auditd to collect audit information"
+ AUDITD_RUNNING=0
+ report "audit_deamon_running=0"
+ AddHP 0 1
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : ACCT-9630
+ # Description : Check auditd rules
+ if [ ! "${AUDITDBINARY}" = "" -a ! "${AUDITCTLBINARY}" = "" -a ${AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no ACCT-9630 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for auditd rules"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking auditd rules"
+ FIND=`${AUDITCTLBINARY} -l | grep -v "No rules"`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: auditd rules empty"
+ Display --indent 4 --text "- Checking audit rules" --result SUGGESTION --color YELLOW
+ AddHP 0 2
+ ReportSuggestion ${TEST_NO} "Audit daemon is enabled with an empty ruleset. Disable the daemon or define rules"
+ else
+ logtext "Result: found auditd rules"
+ Display --indent 4 --text "- Checking audit rules" --result OK --color GREEN
+ # Log audit daemon rules
+ FIND=`${AUDITCTLBINARY} -l | sed 's/ /!space!/g'`
+ for I in ${FIND}; do
+ I=`echo ${I} | sed 's/!space!/ /g'`
+ logtext "Output: ${I}"
+ done
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : ACCT-9632
+ # Description : Check auditd configuration file
+ if [ ! "${AUDITDBINARY}" = "" -a ${AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no ACCT-9632 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for auditd configuration file"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking auditd configuration file"
+ for I in ${AUDITD_CONF_LOCS}; do
+ if [ -f ${I}/auditd.conf ]; then
+ AUDITD_CONF_FILE="${I}/auditd.conf"
+ logtext "Result: Found ${I}/auditd.conf"
+ else
+ logtext "Result: ${I}/auditd.conf not found"
+ fi
+ done
+ # Check if we discovered the configuration file. It should be there is the binaries are available and process is running
+ if [ ! "${AUDITD_CONF_FILE}" = "" ]; then
+ Display --indent 4 --text "- Checking audit configuration file" --result OK --color GREEN
+ else
+ logtext "Result: could not find auditd configuration file"
+ Display --indent 4 --text "- Checking audit configuration file" --result WARNING --color RED
+ ReportSuggestion ${TEST_NO} "Determine the location of auditd configuration file"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : ACCT-9634
+ # Description : Check auditd log file
+ if [ ! "${AUDITDBINARY}" = "" -a ${AUDITD_RUNNING} -eq 1 -a ! "${AUDITD_CONF_FILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no ACCT-9634 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for auditd log file"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking auditd log file"
+ FIND=`grep "^log_file" ${AUDITD_CONF_FILE} | ${AWKBINARY} '{ if ($1=="log_file" && $2=="=") { print $3 } }'`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: log file is defined"
+ logtext "Defined value: ${FIND}"
+ if [ -f ${FIND} ]; then
+ logtext "Result: log file ${FIND} exists on disk"
+ Display --indent 4 --text "- Checking auditd log file" --result FOUND --color GREEN
+ report "logfile[]=${FIND}"
+ else
+ logtext "Result: can't find log file ${FIND} on disk"
+ Display --indent 4 --text "- Checking auditd log file" --result SUGGESTION --color YELLOW
+ ReportSuggestion ${TEST_NO} "Check auditd log file location"
+ fi
+ else
+ logtext "Result: no log file found"
+ Display --indent 4 --text "- Checking auditd log file" --result WARNING --color RED
+ ReportWarning ${TEST_NO} "L" "Auditd log file is defined but can not be found on disk"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : ACCT-9650
+ # Description : Check Solaris audit daemon presence
+ Register --test-no ACCT-9650 --os Solaris --weight L --network NO --description "Check Solaris audit daemon"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: check if audit daemon is running"
+ FIND=`${PSBINARY} ax | grep "/auditd" | grep -v "grep"`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: Solaris audit daemon is running"
+ SOLARIS_AUDITD_RUNNING=1
+ Display --indent 2 --text "- Checking Solaris audit daemon status" --result RUNNING --color GREEN
+ else
+ logtext "Result: Solaris audit daemon is not running"
+ Display --indent 2 --text "- Checking Solaris audit daemon status" --result "NOT RUNNING" --color YELLOW
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : ACCT-9652
+ # Description : Check Solaris auditd service status
+ if [ -x /usr/bin/svcs -a ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no ACCT-9652 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check auditd SMF status"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: check if auditd service is enabled and online"
+ FIND=`/usr/bin/svcs svc:/system/auditd:default | grep "^online"`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: auditd service is online"
+ Display --indent 4 --text "- Checking Solaris audit daemon status" --result ONLINE --color GREEN
+ else
+ Display --indent 4 --text "- Checking Solaris audit daemon status" --result WARNING --color YELLOW
+ # YYY
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : ACCT-9654
+ # Description : Check Solaris Basic Security Mode (BSM) in /etc/system
+ if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no ACCT-9654 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check BSM auditing in /etc/system"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: check if BSM is enabled in /etc/system"
+ if [ -f /etc/system ]; then
+ FIND=`grep 'set c2audit:audit_load = 1' /etc/system`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: BSM is enabled in /etc/system"
+ Display --indent 4 --text "- Checking Solaris BSM (/etc/system)" --result ENABLED --color GREEN
+ else
+ Display --indent 4 --text "- Checking Solaris BSM (/etc/system)" --result "NOT FOUND" --color YELLOW
+ fi
+ else
+ logtext "Result: /etc/system does not exist"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : ACCT-9656
+ # Description : Check Solaris BSM (c2audit) module status
+ if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no ACCT-9656 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check BSM auditing in module list"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: check if c2audit module is active"
+ if [ -x /usr/sbin/modinfo ]; then
+ FIND=`/usr/sbin/modinfo | grep c2audit`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: c2audit found in modinfo output"
+ Display --indent 4 --text "- Checking Solaris BSM (modules list)" --result ENABLED --color GREEN
+ else
+ logtext "Result: c2audit not found in modinfo output"
+ Display --indent 4 --text "- Checking Solaris BSM (modules list)" --result "NOT FOUND" --color YELLOW
+ fi
+ else
+ logtext "Result: /usr/sbin/modinfo does not exist, skipping test"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : ACCT-9658
+ # Description : Check required audit files in /etc/security
+ #if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ #Register --test-no ACCT-9658 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check required audit files"
+ #if [ ${SKIPTEST} -eq 0 ]; then
+ #fi
+#
+#################################################################################
+#
+ # Test : ACCT-9662
+ # Description : Check location for audit events
+ if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no ACCT-9660 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check location of audit events"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: check /etc/security/audit_control for event logging location"
+ if [ -f /etc/security/audit_control ]; then
+ logtext "Result: file /etc/security/audit_control found"
+ FIND=`grep "^dir" /etc/security/audit_control | ${AWKBINARY} -F: '{ print $2 }'`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: found location ${FIND}"
+ logtext "Test: Checking if location is a valid directory"
+ if [ -d ${FIND} ]; then
+ logtext "Result: location ${FIND} is valid"
+ Display --indent 4 --text "- Checking Solaris audit location" --result FOUND --color GREEN
+ else
+ logtext "Result: location ${FIND} does not exist"
+ # YYY perform manual audit
+ Display --indent 4 --text "- Checking Solaris audit location" --result UNKNOWN --color YELLOW
+ fi
+ else
+ logtext "Result: unknown event location"
+ Display --indent 4 --text "- Checking Solaris audit location" --result UNKNOWN --color YELLOW
+ fi
+ else
+ logtext "Result: could not find /etc/security/audit_control"
+ Display --indent 4 --text "- Checking Solaris audit location" --result SKIPPED --color YELLOW
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : ACCT-9662
+ # Description : Check which events are audited
+ #if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ #Register --test-no ACCT-9660 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check BSM auditing in module list"
+ #if [ ${SKIPTEST} -eq 0 ]; then
+#
+#################################################################################
+#
+ # Test : ACCT-9664
+ # Description : Check user specific event auditing
+ #if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ #Register --test-no ACCT-9662 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check BSM auditing in module list"
+ #if [ ${SKIPTEST} -eq 0 ]; then
+#
+#################################################################################
+#
+ # Test : ACCT-9672
+ # Description : check auditstat
+ if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no ACCT-9662 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Solaris auditing stats"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Check auditing statistics"
+ if [ -x /usr/sbin/auditstat ]; then
+ FIND=`/usr/sbin/auditstat | tr -s ' ' ','`
+ for I in ${FIND}; do
+ logtext "Output: ${I}"
+ done
+ Display --indent 4 --text "- Checking Solaris audit statistics" --result DONE --color GREEN
+ else
+ logtext "Result: /usr/sbin/auditstat not found, skipping test"
+ Display --indent 4 --text "- Checking Solaris audit statistics" --result SKIPPED --color YELLOW
+ fi
+ fi
+#
+#################################################################################
+#
+
+ # Test : ACCT-9680
+ # Description : Check if required packages are installed
+ #if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ #Register --test-no ACCT-9662 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check BSM auditing in module list"
+ #if [ ${SKIPTEST} -eq 0 ]; then
+
+ #
+ # Solaris 10 packages
+ # bash-3.00# pkginfo | egrep 'SUNWcar|SUNWcsr|SUNWcsu|SUNWhea|SUNWman'
+ #system SUNWcar Core Architecture, (Root)
+ #system SUNWcsr Core Solaris, (Root)
+ #system SUNWcsu Core Solaris, (Usr)
+ #system SUNWhea SunOS Header Files
+ #system SUNWman On-Line Manual Pages
+
+#
+#################################################################################
+#
+# Check psacct package (ac, lastcomm, accton, sa)
+# Check auditd (auditctl, ausearch, aureport)
+
+wait_for_keypress
+
+#
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - http://cisofy.com - The Netherlands
diff --git a/include/tests_authentication b/include/tests_authentication
new file mode 100644
index 00000000..ad59897a
--- /dev/null
+++ b/include/tests_authentication
@@ -0,0 +1,1325 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# User, Group and authentication tests
+#
+#################################################################################
+#
+ LDAP_AUTH_ENABLED=0
+ LDAP_PAM_ENABLED=0
+ LDAP_CONF_LOCATIONS="/etc/ldap.conf /etc/ldap/ldap.conf /etc/openldap/ldap.conf /usr/local/etc/ldap.conf /usr/local/etc/openldap/ldap.conf"
+ PAM_FILE_LOCATIONS="/lib/i386-linux-gnu/security /lib/security /lib/x86_64-linux-gnu/security /lib64/security /usr/lib/security"
+ SUDOERS_LOCATIONS="/etc/sudoers /usr/local/etc/sudoers /usr/pkg/etc/sudoers"
+ SUDOERS_FILE=""
+#
+#################################################################################
+#
+ InsertSection "Users, Groups and Authentication"
+
+ # Test : AUTH-9204
+ # Description : Check users with UID zero (0)
+ Register --test-no AUTH-9204 --weight L --network NO --description "Check users with an UID of zero"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ # Search accounts with UID 0
+ logtext "Test: Searching accounts with UID 0"
+ FIND=`grep ':0:' /etc/passwd | egrep -v '^#|^root:|^:0:0:::' | cut -d ":" -f1,3 | grep ':0'`
+ if [ ! "${FIND}" = "" ]; then
+ Display --indent 2 --text "- Search administrator accounts..." --result WARNING --color RED
+ logtext "Result: Found more than one administrator accounts"
+ ReportWarning "${TEST_NO}" "H" "Multiple users with UID 0 found in passwd file"
+ for I in ${FIND}; do
+ logtext "Administrator account: ${I}"
+ if [ "${I}" = "toor" ]; then
+ logtext "BSD note: default there is a user 'toor' installed. This account is considered useless unless it"
+ logtext "is assigned a password and used for daily operations or emergencies. ie: bad shell for root user."
+ ReportSuggestion ${TEST_NO} "Use vipw to delete the 'toor' user if not used."
+ fi
+ done
+ else
+ Display --indent 2 --text "- Search administrator accounts..." --result OK --color GREEN
+ logtext "Result: No accounts found with UID 0 other than root."
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : AUTH-9208
+ # Description : Check non-unique accounts
+ Register --test-no AUTH-9208 --weight L --network NO --description "Check non-unique accounts"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: ${USER_PASSWD_DOUBLEUID_AUDIT_TITLE}"
+ logtext "Description: ${USER_PASSWD_DOUBLEUID_AUDIT_DESCRIPTION}"
+ logtext "Action: Checking for non-unique accounts"
+ if [ "${OS}" = "DragonFly" -o "${OS}" = "FreeBSD" -o "${OS}" = "NetBSD" ]; then
+ PASSWD_FILE="/etc/master.passwd"
+ else
+ PASSWD_FILE="/etc/passwd"
+ fi
+ # Check password file
+ if [ -f ${PASSWD_FILE} ]; then
+ FIND=`cat ${PASSWD_FILE} | grep -v '^#' | cut -d ':' -f3 | uniq -d`
+ if [ "${FIND}" = "" ]; then
+ Display --indent 2 --text "- Checking for non-unique UIDs... " --result OK --color GREEN
+ logtext "Result: all accounts found in ${PASSWD_FILE} are unique"
+ else
+ Display --indent 2 --text "- Checking for non-unique UIDs... " --result WARNING --color RED
+ logtext "Result: found multiple accounts with same UID"
+ logtext "Output (non-unique UIDs): ${FIND}"
+ ReportWarning ${TEST_NO} "Multiple accounts found with same UID"
+ fi
+ else
+ Display --indent 2 --text "- Checking UIDs... " --result SKIPPED --color WHITE
+ logtext "Result: test skipped, ${PASSWD_FILE} file not available"
+ fi
+ logtext "Remarks: ${USER_PASSWD_DOUBLEUID_AUDIT_TEXT}"
+ fi
+#
+#################################################################################
+#
+ # Test : AUTH-9212
+ # Description : Test group file with chkgrp tool (ie FreeBSD)
+ if [ -f /usr/sbin/chkgrp ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no AUTH-9212 --preqs-met ${PREQS_MET} --weight L --network NO --description "Test group file"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ Display --indent 2 --text "- Checking chkgrp tool..." --result FOUND --color GREEN
+ logtext "Result: /usr/sbin/chkgrp binary found. Using this to perform next test(s)."
+ logtext "Test: Testing consistency of /etc/group file... "
+ FIND=`/usr/sbin/chkgrp | grep -v 'is fine'`
+ if [ "${FIND}" = "" ]; then
+ Display --indent 4 --text "- Checking consistency of /etc/group file..." --result OK --color GREEN
+ logtext "Result: chkgrp test performed, Group file seems to be ok."
+ else
+ Display --indent 4 --text "- Checking consistency of /etc/group file..." --result WARNING --color RED
+ logtext "Result: chkgrp found some errors. Run the tool manually to see details."
+ logtext "chkgrp output: ${FIND}"
+ ReportWarning ${TEST_NO} "M" "chkgrp reported inconsistencies in /etc/group file"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : AUTH-9216
+ # Description : Check /etc/group and shadow group files
+ if [ ! "${GRPCKBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no AUTH-9216 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check group and shadow group files"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ # Test : run grpck to test group files (most likely /etc/group and shadow group files)
+ # Expected result : 0 (exit code)
+ logtext "Test: Checking for grpck binary..."
+
+ if [ "${OS}" = "Linux" ]; then
+ # Read only mode
+ FIND=`${GRPCKBINARY} -r 2> /dev/null ; echo $?`
+ elif [ "${OS}" = "AIX" ]; then
+ FIND=`${GRPCKBINARY} -n 2> /dev/null ; echo $?`
+ else
+ FIND=`${GRPCKBINARY} 2> /dev/null ; echo $?`
+ fi
+
+ # Overrule for SuSE
+ if [ "${LINUX_VERSION}" = "SuSE" ]; then
+ FIND=`${GRPCKBINARY} -q -r > /dev/null ; echo $?`
+ fi
+
+ # Check exit-code
+ if [ "${FIND}" = "0" ]; then
+ Display --indent 2 --text "- Checking consistency of group files (grpck)..." --result OK --color GREEN
+ logtext "Result: grpck binary didn't find any errors in the group files"
+ else
+ Display --indent 2 --text "- Checking consistency of group files (grpck)..." --result WARNING --color RED
+ ReportWarning ${TEST_NO} "M" "grpck binary found errors in one or more group files"
+ ReportSuggestion ${TEST_NO} "Run grpck manually and check your group files"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : AUTH-9218
+ # Description : Check login shells for passwordless accounts
+ # Notes : Results should be checked
+ Register --test-no AUTH-9218 --os FreeBSD --weight L --network NO --description "Check harmful login shells"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FOUND=0
+ logtext "Test: Checking login shells"
+ if [ -f /etc/master.passwd ]; then
+ # Check for all shells, except: (/usr)/sbin/nologin /nonexistent
+ FIND=`cat /etc/master.passwd | grep "[a-z]:\*:" | egrep -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | sed 's/ /!space!/g'`
+ if [ "${FIND}" = "" ]; then
+ Display --indent 2 --text "- Checking login shells..." --result OK --color GREEN
+ else
+ Display --indent 2 --text "- Checking login shells..." --result WARNING --color RED
+ for I in ${FIND}; do
+ I=`echo ${I} | sed 's/!space!/ /g'`
+ J=`echo ${I} | awk -F: '{ print $10 }'`
+ logtext "Output: ${I}"
+ if [ "${J}" = "" ]; then
+ logtext "Result: found no shell on line"
+ else
+ logtext "Result: found possible harmful shell ${J}"
+ ReportSuggestion ${TEST_NO} "Determine if account is needed, as shell ${J} does not exist"
+ if [ -f ${J} ]; then
+ logtext "Result: shell ${J} does exist"
+ FOUND=1
+ else
+ logtext "Result: shell ${J} does not exist"
+ fi
+ fi
+ done
+ if [ ${FOUND} -eq 1 ]; then
+ ReportWarning ${TEST_NO} "H" "Possible harmful shell found (for passwordless account!)"
+ fi
+ fi
+ else
+ Display --indent 2 --text "- Checking login shells..." --result SKIPPED --color WHITE
+ logtext "Result: No /etc/master.passwd file found"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : AUTH-9222
+ # Description : Check for non unique groups
+ Register --test-no AUTH-9222 --weight L --network NO --description "Check for non unique groups"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking for non unique group ID's in /etc/group"
+ FIND=`cat /etc/group | grep -v '^#' | grep -v '^$' | awk -F: '{ print $3 }' | sort | uniq -d`
+ if [ "${FIND}" = "" ]; then
+ Display --indent 2 --text "- Checking non unique group ID's..." --result OK --color GREEN
+ logtext "Result: All group ID's are unique"
+ else
+ Display --indent 2 --text "- Checking non unique group ID's..." --result WARNING --color RED
+ logtext "Result: Found the same group ID multiple times"
+ logtext "Output: ${FIND}"
+ ReportWarning ${TEST_NO} "H" "Found multiple groups with same group ID"
+ ReportSuggestion ${TEST_NO} "Check your /etc/group file and correct inconsistencies"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : AUTH-9226
+ # Description : Check non unique group names
+ if [ -f /etc/group ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no AUTH-9226 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check non unique group names"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking for non unique group names in /etc/group"
+ FIND=`cat /etc/group | grep -v '^#' | grep -v '^$' | awk -F: '{ print $1 }' | sort | uniq -d`
+ if [ "${FIND}" = "" ]; then
+ Display --indent 2 --text "- Checking non unique group names..." --result OK --color GREEN
+ logtext "Result: All group names are unique"
+ else
+ Display --indent 2 --text "- Checking non unique group names..." --result WARNING --color WARNING
+ logtext "Result: Found the same group name multiple times"
+ logtext "Output: ${FIND}"
+ ReportWarning ${TEST_NO} "M" "Found inconsistencies in group file (multiple occurences of a single group)"
+ ReportSuggestion ${TEST_NO} "Check your /etc/group file and correct inconsistencies"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : AUTH-9228
+ # Description : Check Linux password file consistency
+ if [ -x /usr/sbin/pwck ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no AUTH-9228 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check password file consistency"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking password file consistency (pwck)"
+ FIND=`/usr/sbin/pwck -q -r 2> /dev/null; echo $?`
+ if [ "${FIND}" = "0" ]; then
+ Display --indent 2 --text "- Checking password file consistency..." --result OK --color GREEN
+ logtext "Result: pwck check didn't find any problems"
+ else
+ Display --indent 2 --text "- Checking password file consistency..." --result WARNING --color RED
+ logtext "Result: pwck found one or more errors/warnings in the password file."
+ ReportWarning ${TEST_NO} "M" "pwck found one or more errors/warnings in the password file"
+ ReportSuggestion ${TEST_NO} "Run pwck manually and correct found issues."
+ fi
+ fi
+#
+#################################################################################
+#
+# # Test : AUTH-9229
+# # Description : Check AIX password file consistency
+# # Notes : Read only mode?
+# if [ -x /usr/bin/usrck ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+# Register --test-no AUTH-9229 --os AIX --preqs-met ${PREQS_MET} --weight L --network NO --description "Check password file consistency"
+# if [ ${SKIPTEST} -eq 0 ]; then
+# logtext "Test: Checking password file consistency (usrck)"
+# FIND=`/usr/bin/usrck -n ALL 2>; echo $?`
+# if [ "${FIND}" = "0" ]; then
+# Display --indent 2 --text "- Checking password file consistency..." --result OK --color GREEN
+# logtext "Result: usrck finished didn't find problems"
+# else
+# Display --indent 2 --text "- Checking password file consistency..." --result WARNING --color RED
+# logtext "Result: usrck found one or more errors/warnings in the password file."
+# ReportWarning ${TEST_NO} "M" "usrck found one or more errors/warnings in the password file"
+# ReportSuggestion ${TEST_NO} "Run usrck manually and correct found issues."
+# fi
+# fi
+#
+#################################################################################
+#
+ # Test : AUTH-9230
+ # Description : Check Solaris password file consistency
+ if [ -x /usr/sbin/pwck ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no AUTH-9230 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check password file consistency"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking password file consistency (pwck)"
+ FIND=`/usr/sbin/pwck 2> /dev/null; echo $?`
+ if [ "${FIND}" = "0" ]; then
+ Display --indent 2 --text "- Checking password file consistency..." --result OK --color GREEN
+ logtext "Result: pwck finished didn't find problems"
+ else
+ Display --indent 2 --text "- Checking password file consistency..." --result WARNING --color RED
+ logtext "Result: pwck found one or more errors/warnings in the password file."
+ ReportWarning ${TEST_NO} "M" "pwck found one or more errors/warnings in the password file"
+ ReportSuggestion ${TEST_NO} "Run pwck manually and correct found issues."
+ fi
+ fi
+#
+#################################################################################
+#
+# # Test : AUTH-9231
+# # Description : Check HP-UX password file consistency
+# # Notes : Read only mode?
+# if [ -x /usr/sbin/pwck ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+# Register --test-no AUTH-9231 --os HP-UX --preqs-met ${PREQS_MET} --weight L --network NO --description "Check password file consistency"
+# if [ ${SKIPTEST} -eq 0 ]; then
+# logtext "Test: Checking password file consistency (pwck)"
+# FIND=`/usr/sbin/pwck 2> /dev/null; echo $?`
+# if [ "${FIND}" = "0" ]; then
+# Display --indent 2 --text "- Checking password file consistency..." --result OK --color GREEN
+# logtext "Result: pwck finished didn't find problems"
+# else
+# Display --indent 2 --text "- Checking password file consistency..." --result WARNING --color RED
+# logtext "Result: pwck found one or more errors/warnings in the password file."
+# ReportWarning ${TEST_NO} "M" "pwck found one or more errors/warnings in the password file"
+# ReportSuggestion ${TEST_NO} "Run pwck manually and correct found issues."
+# fi
+# fi
+#
+#################################################################################
+#
+# # Test : AUTH-9232
+# # Description : Check HP-UX group file consistency
+# if [ -x /usr/sbin/grpck ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+# Register --test-no AUTH-9232 --os HP-UX --preqs-met ${PREQS_MET} --weight L --network NO --description "Check password file consistency"
+# if [ ${SKIPTEST} -eq 0 ]; then
+# logtext "Test: Checking group file consistency (grpck)"
+# FIND=`/usr/sbin/grpck 2> /dev/null; echo $?`
+# if [ "${FIND}" = "0" ]; then
+# Display --indent 2 --text "- Checking group file consistency..." --result OK --color GREEN
+# logtext "Result: grpck finished didn't find problems"
+# else
+# Display --indent 2 --text "- Checking group file consistency..." --result WARNING --color RED
+# logtext "Result: grpck found one or more errors/warnings in the group file."
+# ReportWarning ${TEST_NO} "M" "grpck found one or more errors/warnings in the group file"
+# ReportSuggestion ${TEST_NO} "Run grpck manually and correct found issues."
+# fi
+# fi
+#
+#################################################################################
+#
+ # Test : AUTH-9234
+ # Description : Query user accounts (YYY)
+ # Notes : HPUX > 100
+ # MacOS: need to be improved (just reading passwd file is not enough)
+ # OpenBSD/NetBSD: unknown
+ Register --test-no AUTH-9234 --os Linux --weight L --network NO --description "Query user accounts"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Read real system users (including root user) from /etc/passwd..."
+ FIND=""
+
+ if [ "${OS}" = "FreeBSD" ]; then
+ logtext "FreeBSD real users output (ID > 1000, but not 65534):"
+ FIND=`awk -F: '($3 > 1000) && ($3 != 65534) || ($3 == 0) { print $1","$3 }' /etc/passwd`
+ fi
+
+ if [ "${OS}" = "Linux" ]; then
+ logtext "Linux real users output (ID > 500, but not 65534):"
+ FIND=`awk -F: '($3 > 500) && ($3 != 65534) || ($3 == 0) { print $1","$3 }' /etc/passwd`
+ fi
+
+ if [ "${OS}" = "Solaris" ]; then
+ logtext "Solaris real users output (ID > 100, but not 60001/65534):"
+ FIND=`awk -F: '($3 > 100 && $3 != 60001 && $3 != 65534) || ($3 == 0) { print $1","$3 }' /etc/passwd`
+ fi
+
+ Display --indent 2 --text "- Query system users (non daemons)..." --result DONE --color GREEN
+ # Check if we got any output
+ if [ "${FIND}" = "" ]; then
+ Display --indent 4 --text "Result: No users found/unknown result"
+ logtext "Result: Querying of system users skipped"
+ else
+ for I in ${FIND}; do
+ logtext "Real user: ${I}"
+ report "real_user[]=${I}"
+ done
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : AUTH-9240
+ # Description : Query NIS+ authentication support
+ Register --test-no AUTH-9240 --weight L --network NO --description "Query NIS+ authentication support"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ if [ -f /etc/nsswitch.conf ]; then
+ FIND=`egrep "^passwd" /etc/nsswitch.conf | egrep "compat|nisplus"`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: NIS+ authentication not enabled"
+ Display --indent 2 --text "- Checking NIS+ authentication support" --result "NOT ENABLED" --color WHITE
+ else
+ FIND2=`egrep "^passwd_compat" /etc/nsswitch.conf | grep "nisplus"`
+ FIND3=`egrep "^passwd" /etc/nsswitch.conf | grep "nisplus"`
+ if [ ! "${FIND2}" = "" -o ! "${FIND3}" = "" ]; then
+ logtext "Result: NIS+ authentication enabled"
+ Display --indent 2 --text "- Checking NIS+ authentication support" --result "ENABLED" --color GREEN
+ else
+ logtext "Result: NIS+ authentication not enabled"
+ Display --indent 2 --text "- Checking NIS+ authentication support" --result "NOT ENABLED" --color WHITE
+ fi
+ fi
+ else
+ logtext "Result: /etc/nsswitch.conf not found"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : AUTH-9242
+ # Description : Query NIS authentication support
+ Register --test-no AUTH-9242 --weight L --network NO --description "Query NIS authentication support"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ if [ -f /etc/nsswitch.conf ]; then
+ FIND=`egrep "^passwd" /etc/nsswitch.conf | egrep "compat|nis" | grep -v "nisplus"`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: NIS authentication not enabled"
+ Display --indent 2 --text "- Checking NIS authentication support" --result "NOT ENABLED" --color WHITE
+ else
+ FIND2=`egrep "^passwd_compat" /etc/nsswitch.conf | grep "nis" | grep -v "nisplus"`
+ FIND3=`egrep "^passwd" /etc/nsswitch.conf | grep "nis" | grep -v "nisplus"`
+ if [ ! "${FIND2}" = "" -o ! "${FIND3}" = "" ]; then
+ logtext "Result: NIS authentication enabled"
+ Display --indent 2 --text "- Checking NIS authentication support" --result "ENABLED" --color GREEN
+ else
+ logtext "Result: NIS authentication not enabled"
+ Display --indent 2 --text "- Checking NIS authentication support" --result "NOT ENABLED" --color WHITE
+ fi
+ fi
+ else
+ logtext "Result: /etc/nsswitch.conf not found"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : AUTH-9244
+ # Description : Query NIS servers
+ #Register --test-no AUTH-9244 --weight L --network NO --description "Query NIS servers"
+ #if [ ${SKIPTEST} -eq 0 ]; then
+ #fi
+#
+#################################################################################
+#
+ # Test : AUTH-9246
+ # Description : Query NIS active
+ #Register --test-no AUTH-9246 --weight L --network NO --description "Query active NIS servers"
+ #if [ ${SKIPTEST} -eq 0 ]; then
+ #if
+ #grep '^+' /etc/passwd /etc/group
+#
+#################################################################################
+#
+ # Test : AUTH-9250
+ # Description : Check for sudoers file
+ Register --test-no AUTH-9250 --weight L --network NO --description "Checking sudoers file"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FOUND=0
+ for I in ${SUDOERS_LOCATIONS}; do
+ logtext "Test: checking presence ${I}"
+ if [ -f ${I} ]; then
+ FOUND=1
+ SUDOERS_FILE="${I}"
+ logtext "Result: found file (${SUDOERS_FILE})"
+ else
+ logtext "Result: file ${I} not found"
+ fi
+ done
+ if [ ${FOUND} -eq 1 ]; then
+ logtext "Result: sudoers file found (${SUDOERS_FILE})"
+ Display --indent 2 --text "- Checking sudoers file" --result FOUND --color GREEN
+ # YYY add more tests to audit sudoers file
+ else
+ logtext "Result: sudoers file NOT found"
+ Display --indent 2 --text "- Checking sudoers file" --result "NOT FOUND" --color YELLOW
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : AUTH-9252
+ # Description : Check for sudoers file permissions
+ if [ ! "${SUDOERS_FILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no AUTH-9252 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check sudoers file"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: checking sudoers file (${SUDOERS_FILE}) permissions"
+ FIND=`ls -l ${SUDOERS_FILE} | cut -c 2-10`
+ logtext "Result: Found file permissions: ${FIND}"
+ if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" = "r--r-----" ]; then
+ logtext "Result: file ${SUDOERS_FILE} has correct permissions"
+ Display --indent 4 --text "- Check sudoers file permissions" --result OK --color GREEN
+ else
+ logtext "Result: file has possibly unsafe file permissions"
+ Display --indent 4 --text "- Check sudoers file permissions" --result WARNING --color RED
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : AUTH-9254
+ # Description : Solaris test to check passwordless accounts
+ Register --test-no AUTH-9254 --os Solaris --weight L --network NO --description "Solaris passwordless accounts"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FIND=`logins -p | awk '{ print $1 }'`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: no passwordless accounts found"
+ Display --indent 2 --text "- Checking passwordless accounts on Solaris" --result OK --color GREEN
+ else
+ for I in ${FIND}; do
+ ReportWarning ${TEST_NO} "H" "Found passwordless account (${I})"
+ done
+ Display --indent 2 --text "- Checking passwordless accounts on Solaris" --result WARNING --color RED
+ fi
+ fi
+#
+#################################################################################
+#
+# # Test : AUTH-9255
+# # Description : Solaris test for unique UIDs
+# Register --test-no AUTH-9255 --os Solaris --weight L --network NO --description "Solaris unique UIDs"
+# if [ ${SKIPTEST} -eq 0 ]; then
+# FIND=`logins -d | awk '{ print $1 }'`
+# if [ "${FIND}" = "" ]; then
+# logtext "Result: no duplicate accounts found, all accounts have an unique ID"
+# Display --indent 2 --text "- Checking unique UIDs on Solaris" --result OK --color GREEN
+# else
+# for I in ${FIND}; do
+# ReportWarning ${TEST_NO} "H" "Found passwordless account (${I})"
+# done
+# Display --indent 2 --text "- Checking unique UIDs on Solaris" --result WARNING --color RED
+# fi
+# fi
+#
+#################################################################################
+#
+ # Test : AUTH-9260 [T]
+ # Description : Search for account lockout on Linux
+ # Notes : lib directory should be fixed
+# Register --test-no AUTH-9260 --os Linux --weight L --network NO --description "Checking account lockout"
+# if [ ${SKIPTEST} -eq 0 ]; then
+# logtext "Test: searching for /lib/security/pam_tally.so"
+# if [ -f /lib/security/pam_tally.so ]; then
+# logtext "Result: /lib/security/pam_tally.so found"
+# AddHP 1 1
+# Display --indent 2 --text "- Checking account lockout module (pam_tally)" --result FOUND --color GREEN
+# if [ -f /etc/pam.d/system-auth ]; then
+# logtext "Test: search for enable pam_tally module in system-auth, with a deny value higher than zero"
+# FIND=`grep "account required" /etc/pam.d/system-auth | grep "pam_tally.so" | grep "deny=" | grep -v "deny=0"`
+# if [ "${FIND}" = "" ]; then
+# logtext "Result: pam_tally properly configured"
+# logtext "Output: ${FIND}"
+# AddHP 1 1
+# Display --indent 4 --text "- Checking lockout policy" --result FOUND --color GREEN
+# else
+# logtext "Result: pam_tally not (properly) configured"
+# logtext "Output: ${FIND}"
+# Display --indent 4 --text "- Checking lockout policy" --result SUGGESTION --color YELLOW
+# AddHP 0 1
+# ReportSuggestion ${TEST_NO} "Configure pam_tally in system-auth: account required /lib/security/pam_tally.so deny=3 no_magic_root reset"
+# fi
+# else
+# logtext "Result: skipped, /etc/pam.d/system-auth not found"
+# fi
+# else
+# logtext "Result: /lib/security/pam_tally.so not found"
+# AddHP 0 1
+# Display --indent 2 --text "- Checking account lockout module (pam_tally)" --result "SUGGESTION" --color YELLOW
+# ReportSuggestion ${TEST_NO} "Install a PAM module for account lockout to counter brute force attacks"
+# fi
+#
+#################################################################################
+#
+ # Test : AUTH-9262
+ # Description : Search for PAM password strength testing libraries
+ # Notes : YYY (combine with other PAM modules)
+ Register --test-no AUTH-9262 --weight L --network NO --description "Checking presence password strength testing tools (PAM)"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FOUND=0
+ FOUND_CRACKLIB=0
+ FOUND_PASSWDQC=0
+
+ # Cracklib
+ logtext "Searching cracklib PAM module"
+ for I in ${PAM_FILE_LOCATIONS}; do
+ if [ -f ${I}/pam_cracklib.so ]; then
+ FOUND_CRACKLIB=1
+ logtext "Result: found pam_cracklib.so (crack library PAM) in ${I}"
+ fi
+ done
+ if [ ${FOUND_CRACKLIB} -eq 1 ]; then
+ logtext "Result: pam_cracklib.so found"
+ report "pam_cracklib=1"
+ AddHP 3 3
+ FOUND=1
+ else
+ logtext "Result: pam_cracklib.so NOT found (crack library PAM)"
+ AddHP 1 3
+ fi
+
+ # Passwd quality control
+ logtext "Searching passwdqc PAM module"
+ for I in ${PAM_FILE_LOCATIONS}; do
+ if [ -f ${I}/pam_passwdqc.so ]; then
+ FOUND_PASSWDQC=1
+ logtext "Result: found pam_passwdqc.so (passwd quality control PAM) in ${I}"
+ fi
+ done
+ if [ ${FOUND_PASSWDQC} -eq 1 ]; then
+ logtext "Result: pam_passwdqc.so found"
+ report "pam_passwdqc=1"
+ AddHP 3 3
+ FOUND=1
+ else
+ logtext "Result: pam_passwdqc.so NOT found (passwd quality control PAM)"
+ AddHP 1 3
+ fi
+
+ if [ ${FOUND} -eq 0 ]; then
+ Display --indent 2 --text "- Checking PAM password strength tools" --result "SUGGESTION" --color YELLOW
+ logtext "Result: no PAM modules for password strength testing found"
+ ReportSuggestion ${TEST_NO} "Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc"
+ else
+ Display --indent 2 --text "- Checking PAM password strength tools" --result OK --color GREEN
+ logtext "Result: found at least one PAM module for password strength testing"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : AUTH-9264
+ # Description : Scan /etc/pam.conf file
+ Register --test-no AUTH-9264 --weight L --network NO --description "Checking presence pam.conf"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking file /etc/pam.conf"
+ if [ -f /etc/pam.conf ]; then
+ logtext "Result: file /etc/pam.conf exists"
+ Display --indent 2 --text "- Checking PAM configuration files (pam.conf)" --result FOUND --color GREEN
+ logtext "Test: searching PAM configuration files"
+ FIND=`cat /etc/pam.conf | grep -v "^#" | grep -v "^$" | sed 's/ /!space!/g'`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: File has no configuration options defined (empty, or only filled with comments and empty lines)"
+ else
+ logtext "Result: found one or more configuration lines"
+ for I in ${FIND}; do
+ I=`echo ${I} | sed 's/!space!/ /g'`
+ logtext "Found line: ${I}"
+ done
+ fi
+ else
+ logtext "Result: file /etc/pam.conf could not be found"
+ Display --indent 2 --text "- Checking PAM configuration file (pam.conf)" --result "NOT FOUND" --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : AUTH-9266
+ # Description : Searching available PAM configurations (/etc/pam.d)
+ Register --test-no AUTH-9266 --weight L --network NO --description "Checking presence pam.d files"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking directory /etc/pam.d"
+ if [ -d /etc/pam.d ]; then
+ logtext "Result: directory /etc/pam.d exists"
+ Display --indent 2 --text "- Checking PAM configuration files (pam.d)" --result FOUND --color GREEN
+ logtext "Test: searching PAM configuration files"
+ FIND=`find /etc/pam.d -type f -print | sort`
+ for I in ${FIND}; do
+ logtext "Found file: ${I}"
+ done
+ else
+ logtext "Result: directory /etc/pam.d could not be found"
+ Display --indent 2 --text "- Checking PAM configuration files (pam.d)" --result "NOT FOUND" --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : AUTH-9268
+ # Description : Searching available PAM files
+ # Notes : PAM is used on AIX, Linux, HPUX, Solaris
+ if [ ${OS} = "AIX" -o ${OS} = "Linux" -o ${OS} = "HPUX" -o ${OS} = "Solaris" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no AUTH-9268 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking presence pam.d files"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FOUND=0
+ logtext "Test: Searching pam modules"
+ for I in ${PAM_FILE_LOCATIONS}; do
+ logtext "Test: Checking ${I}"
+ if [ -d ${I} -a ! -L ${I} ]; then
+ logtext "Result: directory ${I} exists"
+ FIND=`find ${I} -type f -name "*.so" -print | sort`
+ if [ ! "${FIND}" = "" ]; then FOUND=1; fi
+ for I in ${FIND}; do
+ logtext "Found file: ${I}"
+ done
+ else
+ logtext "Result: directory ${I} could not be found or is a symlink to another directory"
+ fi
+ done
+ # Check if we found at least one module
+ if [ ${FOUND} -eq 0 ]; then
+ Display --indent 2 --text "- Checking PAM modules" --result "NOT FOUND" --color WHITE
+ logtext "Result: no PAM modules found"
+ else
+ Display --indent 2 --text "- Checking PAM modules" --result FOUND --color GREEN
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : AUTH-9270
+ # Description : Audit PAM configuration files
+#
+#################################################################################
+#
+ # Test : AUTH-9278
+ # Description : Search LDAP support in PAM files
+ Register --test-no AUTH-9278 --weight L --network NO --description "Checking LDAP pam status"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: checking presence /etc/pam.d/common-auth"
+ if [ -f /etc/pam.d/common-auth ]; then
+ logtext "Result: file /etc/pam.d/common-auth exists"
+ logtext "Test: checking presence LDAP module"
+ FIND=`cat /etc/pam.d/common-auth | grep "^auth" | grep "ldap"`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: LDAP module present"
+ logtext "Output: ${FIND}"
+ Display --indent 2 --text "- Checking LDAP module in PAM" --result FOUND --color GREEN
+ LDAP_AUTH_ENABLED=1
+ LDAP_PAM_ENABLED=1
+ else
+ logtext "Result: LDAP module not found"
+ Display --indent 2 --text "- Checking LDAP module in PAM" --result "NOT FOUND" --color WHITE
+ # YYY display message when ldap is enabled in /etc/passwd, but not found in PAM
+ fi
+ else
+ logtext "Result: file /etc/pam.d/common-auth not found, skipping test"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : AUTH-9282 and AUTH-9283
+ # Note : Every Linux based operating system seem to have different passwd
+ # options, so we have to check the version first.
+ if [ "${OS}" = "Linux" ]; then
+ if [ ${OS_REDHAT_OR_CLONE} -eq 0 ]; then
+ case ${LINUX_VERSION} in
+ "SuSE")
+ PREQS_MET="YES"
+ FIND=`passwd -a -S | awk '{ if ($2=="P" && $5=="99999") print $1 }'`
+ FIND2=`passwd -a -S | awk '{ if ($2=="NP") print $1 }'`
+ ;;
+ *)
+ PREQS_MET="YES"
+ FIND=`passwd --all --status | awk '{ if ($2=="P" && $5=="99999") print $1 }'`
+ FIND2=`passwd --all --status | awk '{ if ($2=="NP") print $1 }'`
+ ;;
+ esac
+ else
+ logtext "Result: skipping test for this Linux version"
+ ReportManual "AUTH-9282:01"
+ PREQS_MET="NO"
+ FIND=""
+ FIND2=""
+ fi
+ else
+ PREQS_MET="NO"
+ fi
+
+ # Test : AUTH-9282
+ # Description : Search password protected accounts without expire (Linux)
+ Register --test-no AUTH-9282 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking password protected account without expire date"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking Linux version and password expire date status"
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: all accounts seem to have an expire date"
+ Display --indent 2 --text "- Checking accounts without expire date" --result OK --color GREEN
+ else
+ logtext "Result: found one or more accounts with expire date set"
+ for I in ${FIND}; do
+ logtext "Account without expire date: ${I}"
+ done
+ Display --indent 2 --text "- Checking accounts without expire date" --result SUGGESTION --color YELLOW
+ ReportSuggestion ${TEST_NO} "When possible set expire dates for all password protected accounts"
+ fi
+ fi
+ # Test : AUTH-9283
+ # Description : Search passwordless accounts
+ Register --test-no AUTH-9283 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking accounts without password"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking passwordless accounts"
+ if [ "${FIND2}" = "" ]; then
+ logtext "Result: all accounts seem to have a password"
+ Display --indent 2 --text "- Checking accounts without password" --result OK --color GREEN
+ else
+ logtext "Result: found one or more accounts without password"
+ for I in ${FIND2}; do
+ logtext "Account without password: ${I}"
+ report "account_without_password=${I}"
+ done
+ Display --indent 2 --text "- Checking accounts without password" --result WARNING --color RED
+ ReportWarning ${TEST_NO} "Found accounts without password"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : AUTH-9286
+ # Description : Check user password aging
+ if [ -f /etc/login.defs ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no AUTH-9286 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking user password aging"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking PASS_MAX_DAYS option in /etc/login.defs "
+ FIND=`grep "^PASS_MAX_DAYS" /etc/login.defs | awk '{ if ($1=="PASS_MAX_DAYS") { print $2 } }'`
+ if [ "${FIND}" = "" -o "${FIND}" = "99999" ]; then
+ # YYY check if LDAP is used with password policies
+ logtext "Result: password aging limits are not configured"
+ Display --indent 2 --text "- Checking user password aging" --result DISABLED --color YELLOW
+ ReportSuggestion ${TEST_NO} "Configure password aging limits to enforce password changing on a regular base"
+ AddHP 0 1
+ else
+ logtext "Result: accounts with password aging set are checked against PASS_MAX_DAYS"
+ logtext "Result: value of PASS_MAX_DAYS is ${FIND}"
+ Display --indent 2 --text "- Checking user password aging" --result OK --color GREEN
+ AddHP 3 3
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : AUTH-9292
+ # Description : Check locked accounts (exclamation mark as first char in second column)
+#
+#################################################################################
+#
+ # Test : AUTH-9304
+ # Description : Check if single user mode login is properly configured in Solaris
+ # Notes : sulogin should be called from svm script (Solaris <10) in /etc/rcS.d (YYY)
+ Register --test-no AUTH-9304 --os Solaris --weight L --network NO --description "Check single user login configuration"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ # Check if file exists (Solaris 10 does not have this file by default)
+ if [ -f /etc/default/sulogin ]; then
+ logtext "Result: file /etc/default/sulogin exists"
+ logtext "Test: checking presence PASSREQ=NO"
+ FIND=`grep "^PASSREQ=NO" /etc/default/sulogin`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: option not present or configured to request a password at single user mode login"
+ Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result OK --color GREEN
+ AddHP 1 1
+ else
+ logtext "Result: option present, no password needed at single user mode login"
+ Display --indent 2 --text "- Checking Solaris /etc/default/sulogin file" --result WARNING --color RED
+ ReportWarning ${TEST_NO} "H" "No password needed for single user mode login"
+ AddHP 0 1
+ fi
+ else
+ logtext "Result: file /etc/default/sulogin does not exist"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : AUTH-9306
+ # Description : Check if authentication is needed to boot the system
+ # Notes : :d_boot_authenticate: is a good option for production machines to
+ # avoid unauthorized booting of systems. Option :d_boot_autentication@:
+ # disabled a required login.
+ Register --test-no AUTH-9306 --os HP-UX --weight L --network NO --description "Check single boot authentication"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ # Check if file exists
+ logtext "Test: Searching /tcb/files/auth/system/default"
+ if [ -f /tcb/files/auth/system/default ]; then
+ logtext "Result: file /tcb/files/auth/system/default exists"
+ logtext "Test: checking presence :d_boot_authenticate@:"
+ FIND=`grep "^:d_boot_authenticate@" /tcb/files/auth/system/default`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: option not set, password is needed at boot"
+ Display --indent 2 --text "- Checking HP-UX boot authentication" --result OK --color GREEN
+ AddHP 1 1
+ else
+ logtext "Result: option present, no password needed at single user mode login"
+ Display --indent 2 --text "- Checking HP-UX boot authentication" --result SUGGESTION --color YELLOW
+ ReportSuggestion ${TEST_NO} "Set password for system boot"
+ AddHP 0 1
+ fi
+ else
+ logtext "Result: file /tcb/files/auth/system/default does not exist"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : AUTH-9308
+ # Description : Check single user mode login for Linux
+ Register --test-no AUTH-9308 --os Linux --weight L --network NO --description "Check single user login configuration"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FOUND=0
+ # Check if file exists
+ logtext "Test: Searching /etc/inittab"
+ if [ -f /etc/inittab ]; then
+ logtext "Result: file /etc/inittab exists"
+ logtext "Test: checking presence sulogin for single user mode"
+ FIND=`grep "^~~:S:wait:/sbin/sulogin" /etc/inittab`
+ FIND2=`grep "^su:S:wait:/sbin/sulogin" /etc/inittab`
+ if [ ! "${FIND}" = "" -o ! "${FIND2}" = "" ]; then
+ FOUND=1
+ logtext "Result: found sulogin, so single user is protected"
+ fi
+ else
+ logtext "Result: file /etc/inittab does not exist"
+ fi
+
+ # Check if file exists
+ logtext "Test: Searching /etc/sysconfig/init"
+ if [ -f /etc/sysconfig/init ]; then
+ logtext "Result: file /etc/sysconfig/init exists"
+ logtext "Test: checking presence sulogin for single user mode"
+ FIND=`grep "^SINGLE=/sbin/sulogin" /etc/sysconfig/init`
+ if [ ! "${FIND}" = "" ]; then
+ FOUND=1
+ logtext "Result: found sulogin, so single user is protected"
+ fi
+ else
+ logtext "Result: file /etc/inittab does not exist"
+ fi
+ if [ -f /etc/inittab -o -f /etc/sysconfig/init ]; then
+ if [ ${FOUND} -eq 0 ]; then
+ logtext "Result: option not set, no password needed at single user mode boot"
+ Display --indent 2 --text "- Checking Linux single user mode authentication" --result WARNING --color RED
+ ReportWarning ${TEST_NO} "L" "No password set for single mode"
+ ReportSuggestion ${TEST_NO} "Set password for single user mode to minimize physical access attack surface"
+ AddHP 0 2
+ else
+ logtext "Result: option set, password is needed at single user mode boot"
+ Display --indent 2 --text "- Checking Linux single user mode authentication" --result OK --color GREEN
+ AddHP 2 2
+ fi
+ else
+ # YYY
+ logtext "Result: No inittab or init file found, unsure if system is protected"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : AUTH-9322
+ # Description : Authentication time restrictions
+ # /etc/security/time.conf
+#
+#################################################################################
+#
+ # Test : AUTH-9328
+ # Description : Check default umask in common files
+ # Notes: This test should be moved later to shells section
+ # /etc/login.defs
+ # pam_umask
+ Register --test-no AUTH-9328 --weight L --network NO --description "Default umask values"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ Display --indent 2 --text "- Determining default umask"
+
+ # /etc/profile
+ logtext "Test: Checking /etc/profile"
+ if [ -f /etc/profile ]; then
+ logtext "Result: file /etc/profile exists"
+ logtext "Test: Checking umask value in /etc/profile"
+ FIND=`grep "umask" /etc/profile | sed 's/^[ \t]*//' | grep -v "^#" | awk '{ print $2 }'`
+ FIND2=`grep "umask" /etc/profile | sed 's/^[ \t]*//' | grep -v "^#" | awk '{ print $2 }' | wc -l`
+ #FIND2=`egrep "^([[:space:]])([[:tab:]])*umask" /etc/profile | awk '{ print $2 }' | wc -l`
+ WEAK_UMASK=0
+ FOUND_UMASK=0
+ if [ "${FIND2}" = "1" ]; then
+ logtext "Result: found umask (prefixed with spaces)"
+ FOUND_UMASK=1
+ if [ ! "${FIND}" = "077" -a ! "${FIND}" = "027" ]; then
+ logtext "Result: found umask ${FIND}, which could be more strict"
+ WEAK_UMASK=1
+ else
+ logtext "Result: found umask ${FIND}, which is fine"
+ fi
+ # Found more than 1 umask value in profile
+ else
+ logtext "Result: found several umask values configured in /etc/profile"
+ FOUND_UMASK=1
+ for I in ${FIND}; do
+ if [ ! "${I}" = "077" -a ! "${I}" = "027" ]; then
+ logtext "Result: umask ${I} could be more strict"
+ WEAK_UMASK=1
+ else
+ logtext "Result: Found umask ${I}, which is fine"
+ fi
+ done
+ AddHP 1 2
+ fi
+
+ if [ ${FOUND_UMASK} -eq 1 ]; then
+ if [ ${WEAK_UMASK} -eq 0 ]; then
+ Display --indent 4 --text "- Checking umask (/etc/profile)" --result OK --color GREEN
+ AddHP 2 2
+ else
+ Display --indent 4 --text "- Checking umask (/etc/profile)" --result SUGGESTION --color YELLOW
+ ReportSuggestion ${TEST_NO} "Default umask in /etc/profile could be more strict like 027"
+ AddHP 0 2
+ fi
+ else
+ logtext "Result: found no umask. Please check if this is correct"
+ Display --indent 4 --text "- Checking umask (/etc/profile)" --result "NOT FOUND" --color YELLOW
+ ReportException "${TEST_NO}:01"
+ ReportManual "AUTH-9328:01"
+ AddHP 0 2
+ fi
+ else
+ logtext "Result: file /etc/profile does not exist"
+ fi
+
+ # /etc/passwd
+ logtext "Test: Checking umask entries in /etc/passwd (pam_umask)"
+ if [ -f /etc/passwd ]; then
+ logtext "Result: file /etc/passwd exists"
+ logtext "Test: Checking umask value in /etc/profile"
+ FIND=`grep "umask=" /etc/passwd`
+ if [ "${FIND}" = "" ]; then
+ ReportManual "AUTH-9328:03"
+ fi
+ else
+ logtext "Result: file /etc/passwd does not exist"
+ fi
+
+
+ # /etc/login.defs
+ logtext "Test: Checking /etc/login.defs"
+ if [ -f /etc/login.defs ]; then
+ logtext "Result: file /etc/profile exists"
+ logtext "Test: Checking UMASK value in /etc/login.defs"
+ FIND=`grep "^UMASK" /etc/login.defs | awk '{ print $2 }'`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: UMASK value is not configured (most likely it will have the default 022 value)"
+ Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result SUGGESTION --color YELLOW
+ ReportSuggestion ${TEST_NO} "Default umask in /etc/login.defs could not be found and defaults usually to 022, which could be more strict like 027"
+ AddHP 1 2
+ elif [ "${FIND}" = "077" -o "${FIND}" = "027" ]; then
+ logtext "Result: umask is ${FIND}, which is fine"
+ Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result OK --color GREEN
+ AddHP 2 2
+ else
+ logtext "Result: found umask ${FIND}, which could be improved"
+ Display --indent 4 --text "- Checking umask (/etc/login.defs)" --result SUGGESTION --color YELLOW
+ ReportSuggestion ${TEST_NO} "Default umask in /etc/login.defs could be more strict like 027"
+ AddHP 0 2
+ fi
+ else
+ logtext "Result: file /etc/login.defs does not exist"
+ fi
+
+ # Red Hat /etc/init.d/functions
+ logtext "Test: Checking /etc/init.d/functions"
+ if [ -f /etc/init.d/functions ]; then
+ logtext "Result: file /etc/init.d/functions exists"
+ logtext "Test: Checking umask value in /etc/init.d/functions"
+ FIND=`grep "^umask" /etc/init.d/functions | awk '{ print $2 }'`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: umask is not configured"
+ Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result NONE --color WHITE
+ elif [ "${FIND}" = "077" -o "${FIND}" = "027" ]; then
+ logtext "Result: umask is ${FIND}, which is fine"
+ Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result OK --color GREEN
+ AddHP 2 2
+ else
+ logtext "Result: found umask ${FIND}, which could be improved"
+ Display --indent 4 --text "- Checking umask (/etc/init.d/functions)" --result SUGGESTION --color YELLOW
+ AddHP 0 2
+ #YYY
+ fi
+ else
+ logtext "Result: file /etc/init.d/functions does not exist"
+ fi
+
+ # /etc/init.d/rc [T]
+ # Always needed? (YYY)
+ logtext "Test: Checking /etc/init.d/rc"
+ if [ -f /etc/init.d/rc ]; then
+ logtext "Result: file /etc/init.d/rc exists"
+ logtext "Test: Checking UMASK value in /etc/init.d/rc"
+ FIND=`grep -i "^UMASK" /etc/init.d/rc | awk '{ print $2 }'`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: UMASK value is not configured (most likely it will have the default 022 value)"
+ Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result SUGGESTION --color YELLOW
+ ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rc could not be found and defaults usually to 022, which could be more strict like 027"
+ AddHP 1 2
+ elif [ "${FIND}" = "077" -o "${FIND}" = "027" ]; then
+ logtext "Result: umask is ${FIND}, which is fine"
+ Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result OK --color GREEN
+ AddHP 2 2
+ else
+ logtext "Result: found umask ${FIND}, which could be improved"
+ Display --indent 4 --text "- Checking umask (/etc/init.d/rc)" --result SUGGESTION --color YELLOW
+ ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rc could be more strict like 027"
+ AddHP 0 2
+ fi
+ else
+ logtext "Result: file /etc/init.d/rc does not exist"
+ fi
+
+ # /etc/init.d/rcS [T]
+ # Always needed? (YYY)
+ logtext "Test: Checking /etc/init.d/rcS"
+ if [ -f /etc/init.d/rcS ]; then
+ logtext "Result: file /etc/init.d/rcS exists"
+ logtext "Test: Checking if script runs another script."
+ FIND=`grep -i "^exec " /etc/init.d/rcS | awk '{ print $2 }'`
+ if [ "${FIND}" = "" ]; then
+ FIND2=`grep -i "^UMASK" /etc/init.d/rcS | awk '{ print $2 }'`
+ if [ "${FIND2}" = "" ]; then
+ logtext "Result: UMASK value is not configured (most likely it will have the default 022 value)"
+ Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result SUGGESTION --color YELLOW
+ ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rcS could not be found and defaults usually to 022, which could be more strict like 027"
+ AddHP 1 2
+ elif [ "${FIND2}" = "077" -o "${FIND2}" = "027" ]; then
+ logtext "Result: umask is ${FIND2}, which is fine"
+ Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result OK --color GREEN
+ AddHP 2 2
+ else
+ logtext "Result: found umask ${FIND2}, which could be improved"
+ Display --indent 4 --text "- Checking umask (/etc/init.d/rcS)" --result SUGGESTION --color YELLOW
+ ReportSuggestion ${TEST_NO} "Default umask in /etc/init.d/rcS could be more strict like 027"
+ AddHP 0 2
+ fi
+ else
+ # Improve check
+ logtext "Result: exec line present in file, setting of umask not needed in this script"
+ logtext "Output: ${FIND}"
+ fi
+ else
+ logtext "Result: file /etc/init.d/rcS does not exist"
+ fi
+
+ fi
+#
+#################################################################################
+#
+ # Test : AUTH-9340
+ # Description : Solaris account locking
+ Register --test-no AUTH-9340 --os Solaris --weight L --network NO --description "Solaris account locking"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FOUND=0
+ if [ -f /etc/security/policy.conf ]; then
+ logtext "Result: found /etc/security/policy.conf"
+ FIND=`grep "^LOCK_AFTER_RETRIES" /etc/security/policy.conf`
+ if [ ! "${FIND}" = "" ]; then
+ FOUND=1
+ logtext "Result: account locking option set"
+ logtext "Output: ${FIND}"
+ AddHP 2 2
+ else
+ logtext "Result: option LOCK_AFTER_RETRIES not set"
+ AddHP 1 2
+ fi
+ else
+ logtext "Result: /etc/security/policy.conf does not exist"
+ fi
+ # If policy.conf does not exist, we most likely deal with a Solaris version below 10
+ # and we proceed with checking the softer option RETRIES in /etc/default/login
+ # which does not lock account, but discourages brute force password attacks.
+ if [ ${FOUND} -eq 0 ]; then
+ logtext "Test: checking /etc/default/login"
+ if [ -f /etc/default/login ]; then
+ logtext "Result: file /etc/default/login exists"
+ FIND=`grep "^RETRIES" /etc/default/login`
+ if [ ! "${FIND}" = "" ]; then
+ FOUND=1
+ logtext "Result: retries option configured"
+ logtext "Output: ${FIND}"
+ AddHP 2 2
+ else
+ logtext "Result: retries option not configured"
+ AddHP 1 2
+ fi
+ else
+ logtext "Result: file /etc/default/login does not exist"
+ fi
+ fi
+ if [ ${FOUND} -eq 1 ]; then
+ Display --indent 2 --text "- Checking account locking" --result "ENABLED" --color GREEN
+ else
+ Display --indent 2 --text "- Checking account locking" --result "NOT ENABLED" --color YELLOW
+ fi
+
+ fi
+#
+#################################################################################
+#
+ # Test : AUTH-9342 [T]
+ # Description : AIX account locking
+ # Notes : /usr/sbin/lsuser -a logretries ALL
+ # should return ${ACCOUNT_MAX_RETRIES} or less for each user, but not 0
+#
+#################################################################################
+#
+ # Test : AUTH-9344 [T]
+ # Description : HP-UX account locking
+ # Notes : grep :u_maxtries# /tcb/files/auth/system/default
+ # should return ${ACCOUNT_MAX_RETRIES} or less, but not 0
+#
+#################################################################################
+#
+ # Test : AUTH-9348 [T]
+ # Description : Delay time after each failed login
+ # Notes : This control counters brute force attacking by delaying each
+ # attempt, while giving normal users to try typing in their
+ # account details after a reasonable delay
+ # Should return ${ACCOUNT_DELAY_TIME} or more
+ # (4 seconds would be good)
+ # AIX
+ # grep "logindelay" /etc/security/login.cfg
+ # Linux
+ # grep "FAIL_DELAY" /etc/login.defs
+ # HP-UX
+ # grep ":t_logdelay#" /tcb/files/auth/system/default
+#
+#################################################################################
+#
+ # Test : AUTH-9402
+ # Description : Query LDAP authentication support
+ Register --test-no AUTH-9402 --weight L --network NO --description "Query LDAP authentication support"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ if [ -f /etc/nsswitch.conf ]; then
+ FIND=`egrep "^passwd" /etc/nsswitch.conf | grep "ldap"`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: LDAP authentication not enabled"
+ Display --indent 2 --text "- Checking LDAP authentication support" --result "NOT ENABLED" --color WHITE
+ else
+ logtext "Result: LDAP authentication enabled"
+ Display --indent 2 --text "- Checking LDAP authentication support" --result "ENABLED" --color GREEN
+ LDAP_AUTH_ENABLED=1
+ fi
+ else
+ logtext "Result: /etc/nsswitch.conf not found"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : AUTH-9404
+ # Description : Check LDAP client configuration
+# if [ ${LDAP_AUTH_ENABLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+# Register --test-no AUTH-9404 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query LDAP servers in client configuration"
+# if [ ${SKIPTEST} -eq 0 ]; then
+# logtext "Test: checking ldap.conf locations"
+# for I in ${LDAP_CONF_LOCATIONS}; do
+# logtext "Test: checking ${I}"
+# if [ -f ${I} ]; then
+# logtext "Result: file ${I} exists"
+# logtext "Test: checking LDAP servers in file ${I}"
+# FIND2=`egrep "^host " ${I} | awk '{ print $2 }'`
+# for I in ${FIND2}; do
+# Display --indent 6 --text "LDAP server: ${I}"
+# logtext "Result: found LDAP server ${I}"
+# # YYY check if host(s) are reachable/respond to queries
+# done
+# else
+# logtext "Result: ${I} does NOT exist"
+# fi
+# done
+# fi
+#
+#################################################################################
+#
+ # Test : AUTH-9406
+ # Description : Check LDAP servers in client configuration
+ if [ ${LDAP_AUTH_ENABLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no AUTH-9406 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query LDAP servers in client configuration"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: checking ldap.conf options"
+ for I in ${LDAP_CONF_LOCATIONS}; do
+ logtext "Test: checking ${I}"
+ if [ -f ${I} ]; then
+ logtext "Result: file ${I} exists"
+ logtext "Test: checking LDAP servers in file ${I}"
+ FIND2=`egrep "^host " ${I} | awk '{ print $2 }'`
+ for I in ${FIND2}; do
+ Display --indent 6 --text "LDAP server: ${I}"
+ logtext "Result: found LDAP server ${I}"
+ # YYY check if host(s) are reachable/respond to queries
+ done
+ else
+ logtext "Result: ${I} does NOT exist"
+ fi
+ done
+ fi
+#
+#################################################################################
+#
+ # Test : AUTH-92xx
+ # Description : login.access checks
+ #Register --test-no AUTH-92xx --weight L --network NO --description "login.access checks"
+#
+#################################################################################
+#
+# pam_unix.so
+# pam_cracklib.so
+# pam_pwcheck.so
+# pam_env.so
+# pam_xauth.so
+# pam_tally.so
+# pam_wheel.so
+# pam_limits.so
+# pam_nologin.so
+# pam_deny.so
+# pam_securetty.so
+# pam_time.so
+# pam_access.so
+# pam_listfile.so
+# pam_lastlog.so
+# pam_warn.so
+# pam_console.so
+# pam_resmgr.so
+# pam_devperm.so
+#
+#################################################################################
+#
+# sudoers: Check for potential harmful commands like vi, echo, cat
+#
+#################################################################################
+#
+
+report "ldap_auth_enabled=${LDAP_AUTH_ENABLED}"
+report "ldap_pam_enabled=${LDAP_PAM_ENABLED}"
+
+wait_for_keypress
+
+#
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
diff --git a/include/tests_banners b/include/tests_banners
new file mode 100644
index 00000000..38c42c01
--- /dev/null
+++ b/include/tests_banners
@@ -0,0 +1,250 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# Banners and identification
+#
+#################################################################################
+#
+ InsertSection "Banners and identification"
+# Display --indent 2 --text "- Checking banners..."
+#
+#################################################################################
+#
+ BANNER_FILES="/etc/issue /etc/issue.net /etc/motd"
+ LEGAL_BANNER_STRINGS="access authorized legal monitor owner policy policies private prohibited restricted this unauthorized"
+#
+#################################################################################
+#
+ # Test : BANN-7113
+ # Description : Check FreeBSD COPYRIGHT banner file
+ Register --test-no BANN-7113 --os FreeBSD --weight L --network NO --description "Check COPYRIGHT banner file"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Testing existence /COPYRIGHT or /etc/COPYRIGHT"
+ if [ -f /COPYRIGHT ]; then
+ Display --indent 2 --text "- /COPYRIGHT" --result FOUND --color GREEN
+ if [ -s /COPYRIGHT ]; then
+ logtext "Result: /COPYRIGHT available and contains text"
+ else
+ logtext "Result: /COPYRIGHT available, but empty"
+ fi
+ else
+ Display --indent 2 --text "- /COPYRIGHT" --result "NOT FOUND" --color WHITE
+ logtext "Result: /COPYRIGHT not found"
+ fi
+
+ if [ -f /etc/COPYRIGHT ]; then
+ Display --indent 2 --text "- /etc/COPYRIGHT" --result FOUND --color GREEN
+ if [ -s /etc/COPYRIGHT ]; then
+ logtext "Result: /etc/COPYRIGHT available and contains text"
+ else
+ logtext "Result: /etc/COPYRIGHT available, but empty"
+ fi
+ else
+ Display --indent 2 --text "- /etc/COPYRIGHT" --result "NOT FOUND" --color WHITE
+ logtext "Result: /etc/COPYRIGHT not found"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : BANN-7119
+ # Description : Check MOTD banner file
+ Register --test-no BANN-7119 --weight L --network NO --description "Check MOTD banner file"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Testing existence /etc/motd"
+ if [ -f /etc/motd ]; then
+ logtext "Result: file /etc/motd exists"
+ Display --indent 2 --text "- /etc/motd..." --result FOUND --color GREEN
+ if [ ! -L /etc/motd ]; then
+ IsWorldWritable /etc/motd
+ if [ "${FileIsWorldWritable}" = "TRUE" ]; then
+ Display --indent 4 --text "- /etc/motd permissions..." --result WARNING --color RED
+ logtext "Result: /etc/motd is world writable. Users can change this file!"
+ ReportWarning ${TEST_NO} "H" "/etc/motd is world writable"
+ else
+ Display --indent 4 --text "- /etc/motd permissions..." --result OK --color GREEN
+ logtext "Result: /etc/motd is not world writable."
+ fi
+ else
+ logtext "Result: file /etc/motd is symlink"
+ fi
+ else
+ logtext "Result: File /etc/motd not found"
+ Display --indent 2 --text "- /etc/motd..." --result "NOT FOUND" --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : BANN-7122
+ # Description : Check motd file to see if it contains some form of message
+ # to discourage unauthorized users to leave the system alone
+ if [ -f /etc/motd -a ! -L /etc/motd ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no BANN-7122 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check /etc/motd banner file contents"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ N=0
+ logtext "Test: Checking file /etc/motd contents for legal key words"
+ for I in ${LEGAL_BANNER_STRINGS}; do
+ FIND=`grep -i "${I}" /etc/motd`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: found string '${I}'"
+ N=`expr ${N} + 1`
+ fi
+ done
+ # Check if we have 5 or more key words
+ if [ ${N} -gt 4 ]; then
+ logtext "Result: Found ${N} key words, to warn unauthorized users"
+ Display --indent 4 --text "- /etc/motd contents..." --result OK --color GREEN
+ AddHP 2 2
+ else
+ logtext "Result: Found only ${N} key words, to warn unauthorized users and could be increased"
+ Display --indent 4 --text "- /etc/motd contents..." --result WEAK --color YELLOW
+ ReportSuggestion ${TEST_NO} "Add legal banner to /etc/motd, to warn unauthorized users"
+ AddHP 0 1
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : BANN-7124
+ # Description : Check issue banner file
+ Register --test-no BANN-7124 --weight L --network NO --description "Check issue banner file"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking file /etc/issue"
+ if [ -f /etc/issue ]; then
+ # Check for symlink
+ if [ -L /etc/issue ]; then
+ logtext "Result: file /etc/issue exists (symlink)"
+ Display --indent 2 --text "- /etc/issue..." --result SYMLINK --color GREEN
+ else
+ Display --indent 2 --text "- /etc/issue..." --result FOUND --color GREEN
+ fi
+ else
+ logtext "Result: file /etc/issue does not exist"
+ Display --indent 2 --text "- /etc/issue..." --result "NOT FOUND" --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : BANN-7126
+ # Description : Check issue file to see if it contains some form of message
+ # to discourage unauthorized users to leave the system alone
+ if [ -f /etc/issue ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no BANN-7126 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check issue banner file contents"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ N=0
+ logtext "Test: Checking file /etc/issue contents for legal key words"
+ for I in ${LEGAL_BANNER_STRINGS}; do
+ FIND=`grep -i "${I}" /etc/issue`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: found string '${I}'"
+ N=`expr ${N} + 1`
+ fi
+ done
+ # Check if we have 5 or more key words
+ if [ ${N} -gt 4 ]; then
+ logtext "Result: Found ${N} key words (5 or more suggested), to warn unauthorized users"
+ Display --indent 4 --text "- /etc/issue contents..." --result OK --color GREEN
+ AddHP 2 2
+ else
+ logtext "Result: Found only ${N} key words (5 or more suggested), to warn unauthorized users and could be increased"
+ Display --indent 4 --text "- /etc/issue contents..." --result WEAK --color YELLOW
+ ReportSuggestion ${TEST_NO} "Add a legal banner to /etc/issue, to warn unauthorized users"
+ AddHP 0 1
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : BANN-7128
+ # Description : Check issue.net banner file
+ Register --test-no BANN-7128 --weight L --network NO --description "Check issue.net banner file"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking file /etc/issue.net"
+ if [ -f /etc/issue.net ]; then
+ # Check for symlink
+ if [ -L /etc/issue.net ]; then
+ logtext "Result: file /etc/issue.net exists (symlink)"
+ Display --indent 2 --text "- /etc/issue.net..." --result SYMLINK --color GREEN
+ else
+ logtext "Result: file /etc/issue.net exists"
+ Display --indent 2 --text "- /etc/issue.net..." --result FOUND --color GREEN
+ fi
+ else
+ logtext "Result: file /etc/issue.net does not exist"
+ Display --indent 2 --text "- /etc/issue.net..." --result "NOT FOUND" --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : BANN-7130
+ # Description : Check issue.net file to see if it contains some form of message
+ # to discourage unauthorized users to leave the system alone
+ if [ -f /etc/issue.net ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no BANN-7130 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check issue.net banner file contents"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ N=0
+ logtext "Test: Checking file /etc/issue.net contents for legal key words"
+ for I in ${LEGAL_BANNER_STRINGS}; do
+ FIND=`grep -i "${I}" /etc/issue.net`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: found string '${I}'"
+ N=`expr ${N} + 1`
+ fi
+ done
+ # Check if we have 5 or more key words
+ if [ ${N} -gt 4 ]; then
+ logtext "Result: Found ${N} key words, to warn unauthorized users"
+ Display --indent 4 --text "- /etc/issue.net contents..." --result OK --color GREEN
+ AddHP 2 2
+ else
+ logtext "Result: Found only ${N} key words, to warn unauthorized users and could be increased"
+ Display --indent 4 --text "- /etc/issue.net contents..." --result WEAK --color YELLOW
+ ReportSuggestion ${TEST_NO} "Add legal banner to /etc/issue.net, to warn unauthorized users"
+ AddHP 0 1
+ fi
+ fi
+#
+#################################################################################
+#
+# /etc/dt/config/*/Xresources
+# /etc/default/telnetd (telnet without TCP wrappers)
+# /etc/default/ftpd (ftp without TCP wrappers)
+# /etc/ftpd/banner.msg (ftp without TCP wrappers on Solaris)
+# /etc/ftpaccess (HP-UX)
+# /etc/ftpmotd (AIX)
+# /etc/ftpaccess.ctl (AIX)
+# /etc/security/login.cfg (AIX)
+# /etc/X11/xdm/Xresources
+# /etc/X11/xdm/kdmrc
+# /etc/X11/gdm/gdm
+# /etc/vsftpd.conf
+#
+#################################################################################
+#
+
+wait_for_keypress
+
+#
+#################################################################################
+#
+# Notes:
+# HPUX: /etc/copyright
+#
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
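Review bot: BANN-7124 and BANN-7128 only report whether /etc/issue and /etc/issue.net exist or are symlinks; unlike BANN-7119 for /etc/motd, neither runs IsWorldWritable on the regular-file branch, so a world-writable pre-login banner goes unreported while the same condition on /etc/motd raises an H warning. The `BANNER_FILES` variable defined near the top of the file lists exactly these three files but is never referenced in the hunk, which suggests a shared loop was intended. Below is the non-symlink branch of BANN-7124 with the same check BANN-7119 performs; BANN-7128 would take the identical addition for /etc/issue.net. A smaller wording nit: BANN-7126's log lines say "(5 or more suggested)" while BANN-7122 and BANN-7130 do not.
```shell
# … unchanged: BANN-7124 Register and /etc/issue existence / symlink check …
else
  Display --indent 2 --text "- /etc/issue..." --result FOUND --color GREEN
  IsWorldWritable /etc/issue
  if [ "${FileIsWorldWritable}" = "TRUE" ]; then
    Display --indent 4 --text "- /etc/issue permissions..." --result WARNING --color RED
    logtext "Result: /etc/issue is world writable. Users can change this file!"
    ReportWarning ${TEST_NO} "H" "/etc/issue is world writable"
  else
    logtext "Result: /etc/issue is not world writable."
  fi
fi
# … unchanged: outer else branch (NOT FOUND) …
```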
diff --git a/include/tests_boot_services b/include/tests_boot_services
new file mode 100644
index 00000000..2755460d
--- /dev/null
+++ b/include/tests_boot_services
@@ -0,0 +1,522 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# Category: Boot and services
+#
+#################################################################################
+#
+ InsertSection "Boot and services"
+#
+#################################################################################
+#
+ Display --indent 2 --text "- Checking boot loaders"
+ BOOT_LOADER="Unknown"
+#
+#################################################################################
+#
+ # Test : BOOT-5121
+ # Description : Check for GRUB boot loader
+ Register --test-no BOOT-5121 --weight L --network NO --description "Check for GRUB boot loader presence"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FOUND=0
+ logtext "Test: Checking for presence GRUB conf file (/boot/grub/grub.conf or /boot/grub/menu.lst)..."
+ if [ -f /boot/grub/grub.conf -o -f /boot/grub/menu.lst ]; then
+ FOUND=1
+ BOOT_LOADER="GRUB"
+ Display --indent 4 --text "- Checking presence GRUB... " --result "OK" --color GREEN
+ if [ -f /boot/grub/grub.conf ]; then GRUBCONFFILE="/boot/grub/grub.conf"; else GRUBCONFFILE="/boot/grub/menu.lst"; fi
+ logtext "Found file ${GRUBCONFFILE}, proceeding with tests."
+ FIND=`cat ${GRUBCONFFILE} | grep 'password --md5' | grep -v '^#'`
+ FIND2=`cat ${GRUBCONFFILE} | grep 'password --encrypted' | grep -v '^#'`
+ if [ "${FIND}" = "" -a "${FIND2}" = "" ]; then
+ Display --indent 6 --text "- Checking for password protection..." --result WARNING --color RED
+ logtext "Result: Didn't find MD5/SHA1 hashed password line in GRUB boot file!"
+ logtext "Risk: user can switch to single user mode by editing current menu items or bypassing them."
+ logtext "Additional information: Do NOT use a plaintext password, since the grub.conf or menu.lst file is most likely to be world readable!"
+ logtext "If an unsecured OS like DOS is used, add 'lock' below that entry and setup a password with the password option, to prevent direct system access."
+ ReportWarning ${TEST_NO} "M" "No password set on GRUB bootloader"
+ logtext "Tip: Run grub-crypt or grub-md5-crypt and create a hashed password. Add a line below the line timeout=<value>, add: password --md5 <password hash> or password --encrypted <password hash> for SHA1 encrypted password"
+ AddHP 0 2
+ else
+ Display --indent 6 --text "- Checking for password protection..." --result OK --color GREEN
+ logtext "Result: GRUB has password protection."
+ AddHP 4 4
+ fi
+ fi
+
+ # GRUB2 configuration file
+ if [ -f /boot/grub/grub.cfg ]; then
+ FOUND=1
+ BOOT_LOADER="GRUB2"
+ Display --indent 4 --text "- Checking presence GRUB2... " --result FOUND --color GREEN
+ logtext "Result: found GRUB2 configuration file (/boot/grub/grub.cfg)"
+ # YYY password check, when documentation of GRUB2 project is improved
+ # YYY Add check permission check (600)
+ ReportManual "${TEST_NO}:01"
+ fi
+
+ if [ ${FOUND} -eq 0 ]; then
+ Display --indent 4 --text "- Checking presence GRUB... " --result "NOT FOUND" --color WHITE
+ logtext "Result: no GRUB configuration file found."
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : BOOT-5124
+ # Description : Check for FreeBSD boot loader
+ Register --test-no BOOT-5124 --os FreeBSD --weight L --network NO --description "Check for FreeBSD boot loader presence"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ if [ -f /boot/boot1 -a -f /boot/boot2 -a -f /boot/loader ]; then
+ logtext "Result: found boot1, boot2 and loader files in /boot"
+ Display --indent 4 --text "- Checking presence FreeBSD loader" --result FOUND --color GREEN
+ BOOT_LOADER="FreeBSD"
+ else
+ logtext "Result: Not all expected files found in /boot"
+ Display --indent 4 --text "- Checking presence FreeBSD loader" --result "NOT FOUND" --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : BOOT-5126
+ # Description : Check for NetBSD boot loader
+ Register --test-no BOOT-5126 --os NetBSD --weight L --network NO --description "Check for NetBSD boot loader presence"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ if [ -f /boot.${HARDWARE} -o -f /boot -o -f /ofwboot ]; then
+ logtext "Result: found NetBSD secondary bootstrap"
+ Display --indent 4 --text "- Checking presence NetBSD loader" --result FOUND --color GREEN
+ BOOT_LOADER="NetBSD"
+ else
+ logtext "Result: NetBSD secondary bootstrap not found"
+ Display --indent 4 --text "- Checking presence FreeBSD loader" --result "NOT FOUND" --color YELLOW
+ ReportException "${TEST_NO}:1" "No boot loader found on NetBSD"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : BOOT-5139
+ # Description : Check for LILO boot loader
+ # Notes : password= or password =
+ Register --test-no BOOT-5139 --weight L --network NO --description "Check for LILO boot loader presence"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: checking for presence LILO configuration file..."
+ if [ -f /etc/lilo.conf ]; then
+ BOOT_LOADER="LILO"
+ Display --indent 4 --text "- Checking presence LILO... " --result "OK" --color GREEN
+ logtext "Checking password option LILO..."
+ FIND=`cat /etc/lilo.conf | ${EGREPBINARY} 'password[[:space:]]?=' | grep -v "^#"`
+ if [ "${FIND}" = "" ]; then
+ Display --indent 6 --text "- Password option presence " --result "WARNING" --color RED
+ logtext "Result: no password set for LILO. Bootloader is unprotected to"
+ logtext "dropping to single user mode or unauthorized access to devices/data."
+ ReportSuggestion ${TEST_NO} "Add a password to LILO, by adding a line to the lilo.conf file, above the first line saying 'image=<name>': password=<password>"
+ ReportWarning ${TEST_NO} "M" "No password set on LILO bootloader"
+ AddHP 0 2
+ else
+ Display --indent 6 --text "- Password option presence " --result "OK" --color GREEN
+ logtext "Result: LILO password option set"
+ AddHP 4 4
+ fi
+ #YYY (making /etc/lilo.conf immutable is a good idea, chattr +i /etc/lilo.conf)
+ else
+ Display --indent 4 --text "- Checking presence LILO... " --result "NOT FOUND" --color WHITE
+ logtext "Result: LILO configuration file not found"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : BOOT-5142
+ # Description : Check for SILO boot loader
+ Register --test-no BOOT-5142 --weight L --network NO --description "Check SPARC Improved boot loader (SILO)"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ if [ -f /etc/silo.conf ]; then
+ logtext "Result: Found SILO configuration file (/etc/silo.conf)"
+ Display --indent 4 --text "- Checking boot loader SILO" --result FOUND --color GREEN
+ BOOT_LOADER="SILO"
+ else
+ logtext "Result: no SILO configuration file found."
+ Display --indent 4 --text "- Checking boot loader SILO" --result "NOT FOUND" --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : BOOT-5144
+ # Description : Check for SILO boot loader consistency
+ # Notes : To be tested on Gentoo
+# Register --test-no BOOT-5144 --weight L --network NO --description "Check SPARC Improved boot loader (SILO)"
+# if [ ${SKIPTEST} -eq 0 ]; then
+# if [ -f /etc/silo.conf -a -x /sbin/silo ]; then
+# FIND=`/sbin/silo | grep "appears to be valid"`
+# if [ ! "${FIND}" = "" ]; then
+# logtext "Result: Found SILO configuration file (/etc/silo.conf)"
+# Display --indent 6 --text "- Checking SILO consistency" --result OK --color GREEN
+# else
+# logtext "Result: no positive result received from silo binary"
+# ReportWarning ${TEST_NO} "Possible issue with boot loader (SILO)"
+# Display --indent 6 --text "- Checking SILO consistency" --result WARNING --color RED
+# fi
+# fi
+# fi
+#
+#################################################################################
+#
+ # Test : BOOT-5155
+ # Description : Check for YABOOT boot loader
+ Register --test-no BOOT-5155 --weight L --network NO --description "Check for YABOOT boot loader configuration file"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Check for /etc/yaboot.conf"
+ if [ -f /etc/yaboot.conf ]; then
+ logtext "Result: Found YABOOT configuration file (/etc/yaboot.conf)"
+ Display --indent 4 --text "- Checking boot loader YABOOT" --result FOUND --color GREEN
+ #YYY add permission check
+ BOOT_LOADER="YABOOT"
+ else
+ logtext "Result: no YABOOT configuration file found."
+ Display --indent 4 --text "- Checking boot loader YABOOT" --result "NOT FOUND" --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : BOOT-5159
+ # Description : Check for OpenBSD boot loader
+ # More info : only OpenBSD && i386 platform
+ Register --test-no BOOT-5159 --os OpenBSD --platform i386 --weight L --network NO --description "Check for OpenBSD i386 boot loader presence"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ if [ -f /etc/boot.conf ]; then
+ Display --indent 2 --text "- Checking /etc/boot.conf..." --result "FOUND" --color GREEN
+ FIND=`grep '^boot' /etc/boot.conf`
+ if [ "${FIND}" = "" ]; then
+ Display --indent 4 --text "- Checking boot option..." --result WARNING --color RED
+ ReportSuggestion ${TEST_NO} "Add 'boot' to the /etc/boot.conf file to disable the default 5 seconds waiting time, to disallow booting into single user mode."
+ ReportWarning ${TEST_NO} "M" "System can be booted into single user mode without password"
+ else
+ Display --indent 4 --text "- Checking boot option..." --result OK --color GREEN
+ logtext "Ok, boot option is enabled."
+ fi
+ else
+ Display --indent 2 --text "- Checking /etc/boot.conf..." --result "NOT FOUND" --color YELLOW
+ logtext "Result: no /etc/boot.conf found. When using the default boot loader, physical"
+ logtext "access to the server can be used to possibly enter single user mode."
+ ReportSuggestion ${TEST_NO} "Add 'boot' to the /etc/boot.conf file to disable the default 5 seconds waiting time."
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : BOOT-5165
+ # Description : Check for FreeBSD boot services
+ Register --test-no BOOT-5165 --os FreeBSD --weight L --network NO --description "Check for FreeBSD boot services"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ # FreeBSD (Read /etc/rc.conf file for enabled services)
+ logtext "Searching for services at startup (rc.conf)..."
+ FIND=`egrep -v -i '^#|none' /etc/rc.conf | egrep -i '_enable.*(yes|on|1)' | sort | awk -F= '{ print $1 }' | sed 's/_enable//'`
+ N=0
+ for I in ${FIND}; do
+ logtext "Found service (rc.conf): ${I}"
+ report "boottask[]=${I}"
+ N=`expr ${N} + 1`
+ done
+ Display --indent 2 --text "- Checking services at startup (rc.conf)..." --result "DONE" --color GREEN
+ Display --indent 6 --text "Result: found $N services/options set"
+ logtext "Found $N services/options to run at startup"
+ fi
+#
+#################################################################################
+#
+ # Test : BOOT-5166
+ # Description : Check for /etc/rc.local file (and contents)
+#
+#################################################################################
+#
+ # Test : BOOT-5177
+ # Description : Check for Linux boot services (systemd and chkconfig)
+ # Notes : We skip using chkconfig if systemd is being used.
+ Register --test-no BOOT-5177 --os Linux --weight L --network NO --description "Check for Linux boot and running services"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ CHECKED=0
+ logtext "Test: checking presence systemctl binary"
+ # Determine if we have systemctl on board
+ if [ ! "${SYSTEMCTLBINARY}" = "" ]; then
+ logtext "Result: systemctl binary found, trying that to discover information"
+ # Running services
+ logtext "Searching for running services (systemctl services only)"
+ FIND=`${SYSTEMCTLBINARY} --full --type=service | awk '{ if ($4=="running") { print $1 } }' | awk -F. '{ print $1 }'`
+ N=0
+ report "running_service_tool=systemctl"
+ for I in ${FIND}; do
+ logtext "Found running service: ${I}"
+ report "running_service[]=${I}"
+ N=`expr ${N} + 1`
+ done
+ logtext "Suggestion: Run systemctl --full --type=service to see all services"
+ Display --indent 2 --text "- Check running services (systemctl)... " --result "DONE" --color GREEN
+ Display --indent 8 --text "Result: found $N running services"
+ logtext "Result: Found $N enabled services"
+
+ # Services at boot
+ logtext "Searching for enabled services (systemctl services only)"
+ FIND=`${SYSTEMCTLBINARY} list-unit-files --type=service | awk '{ if ($2=="enabled") { print $1 } }' | awk -F. '{ print $1 }'`
+ N=0
+ report "boot_service_tool=systemctl"
+ for I in ${FIND}; do
+ logtext "Found enabled service at boot: ${I}"
+ report "boot_service[]=${I}"
+ N=`expr ${N} + 1`
+ done
+ logtext "Suggestion: Run systemctl list-unit-files --type=service to see all services"
+ Display --indent 2 --text "- Check enabled services at boot (systemctl)... " --result "DONE" --color GREEN
+ Display --indent 8 --text "Result: found $N enabled services"
+ logtext "Result: Found $N running services"
+
+ else
+ logtext "Result: systemctl binary not found, checking chkconfig binary"
+ if [ ! "${CHKCONFIGBINARY}" = "" ]; then
+ logtext "Result: chkconfig binary found, trying that to discover information"
+ logtext "Searching for services at startup (chkconfig, runlevel 3 and 5)... "
+ FIND=`${CHKCONFIGBINARY} --list | egrep '3:on|5:on' | awk '{ print $1 }'`
+ N=0
+ report "boot_service_tool=chkconfig"
+ for I in ${FIND}; do
+ logtext "Found service (at boot, runlevel 3 or 5): ${I}"
+ report "boot_service[]=${I}"
+ N=`expr ${N} + 1`
+ done
+ logtext "Suggestion: Run chkconfig --list to see all services and disable unneeded services"
+ Display --indent 2 --text "- Check services at startup (chkconfig)... " --result "DONE" --color GREEN
+ Display --indent 8 --text "Result: found $N services"
+ logtext "Result: Found $N services at startup"
+ else
+ logtext "Result: both systemctl and chkconfig not found. Skipping this test"
+ fi
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : BOOT-5178
+ # Description : Check for Linux boot services (Red Hat style)
+ # if [ ! "${CHKCONFIGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ # Register --test-no BOOT-5178 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for unneeded Linux boot services (Red Hat style)"
+ # if [ ${SKIPTEST} -eq 0 ]; then
+ # N=0
+ # N=`expr ${N} + 1`
+
+ #* mctrans (if selinux is NOT enabled)
+ #* restorecond (if selinux is NOT enabled) --> and is it really needed?
+ #
+ # if profile is server, warn if found:
+ #* pcscd (if profile=server)
+ #* avahi-daemon
+ # Redhat: /etc/sysconfig/network
+ # check if NOZEROCONF=yes is available
+ #
+ #* xfs (if /usr/bin/startx is not found)
+ #
+ #if [ ! -f /etc/mdadm.conf -a ! -f /etc/mdadm/mdadm.conf ]; then
+ #* mdmonitor
+ #
+ #
+ #* firstboot
+ # Display warning if [ ! -f /etc/reconfigSys ]
+ # AND "RUN_FIRSTBOOT=YES" is NOT in /etc/sysconfig/firstboot
+ #
+ #* acpid
+ # Display warning if no modules are loaded (lsmod | grep -i acpi)
+ #
+ #
+ # fi
+#
+#################################################################################
+#
+ # Test : BOOT-5180
+ # Description : Check for Linux boot services (Debian style)
+ if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no BOOT-5180 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for Linux boot services (Debian style)"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ # YYY runlevel check
+ sRUNLEVEL=`${RUNLEVELBINARY} | grep "N 2"`
+ if [ ! "${sRUNLEVEL}" = "" ]; then
+ FIND=`find /etc/rc2.d -type l -print | cut -d '/' -f4 | sed "s/S[0-9][0-9]//g" | sort`
+ if [ ! "${FIND}" = "" ]; then
+ N=0
+ for I in ${FIND}; do
+ logtext "Found service (at boot, runlevel 2): ${I}"
+ N=`expr ${N} + 1`
+ done
+ Display --indent 2 --text "- Check services at startup (rc2.d)... " --result "DONE" --color WHITE
+ Display --indent 4 --text "Result: found $N services"
+ logtext "Found $N services"
+ fi
+ else
+ ReportSuggestion ${TEST_NO} "Determine runlevel and services at startup"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : BOOT-5184
+ # Description : Check world writable startup scripts
+ Register --test-no BOOT-5184 --os Linux --weight L --network NO --description "Check permissions for boot files/scripts"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FOUND=0
+ CHECKDIRS="/etc/init.d /etc/rc.d /etc/rcS.d"
+
+ logtext "Result: checking /etc/init.d scripts for writable bit"
+ for I in ${CHECKDIRS}; do
+ logtext "Test: checking if directory ${I} exists"
+ if [ -d ${I} ]; then
+ logtext "Result: directory ${I} found"
+ logtext "Test: checking for available files in directory"
+ FIND=`find ${I} -type f -print`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: found files in directory, checking permissions now"
+ for J in ${FIND}; do
+ logtext "Test: checking permissions of file ${J}"
+ IsWorldWritable ${J}
+ if [ "${FileIsWorldWritable}" = "TRUE" ]; then
+ ReportWarning ${TEST_NO} "H" "Found writable startup script ${J}"
+ logtext "Result: warning, file ${J} is world writable"
+ FOUND=1
+ else
+ logtext "Result: good, file ${J} not world writable"
+ fi
+ done
+ else
+ logtext "Result: found no files in directory."
+ fi
+ else
+ logtext "Result: directory ${I} not found. Skipping.."
+ fi
+ done
+
+ # /etc/rc[0-6].d
+ for NO in 0 1 2 3 4 5 6; do
+ logtext "Test: Checking /etc/rc${NO}.d scripts for writable bit"
+ if [ -d /etc/rc${NO}.d ]; then
+ FIND=`find /etc/rc${NO}.d -type f -print`
+ for I in ${FIND}; do
+ IsWorldWritable ${I}
+ if [ "${FileIsWorldWritable}" = "TRUE" ]; then
+ ReportWarning ${TEST_NO} "H" "Found writable startup script ${I}"
+ logtext "Result: warning, file ${I} is world writable"
+ FOUND=1
+ else
+ logtext "Result: good, file ${I} not world writable"
+ fi
+ done
+ fi
+ done
+
+ # Other files
+ CHECKFILES="/etc/rc /etc/rc.local /etc/rc.d/rc.sysinit"
+ for I in ${CHECKFILES}; do
+ if [ -f ${I} ]; then
+ logtext "Test: Checking ${I} file for writable bit"
+ IsWorldWritable ${I}
+ if [ "${FileIsWorldWritable}" = "TRUE" ]; then
+ ReportWarning ${TEST_NO} "H" "Found writable startup script ${I}"
+ FOUND=1
+ logtext "Result: warning, file ${I} is world writable"
+ else
+ logtext "Result: good, file ${I} not world writable"
+ fi
+ fi
+ done
+
+ # Check results
+ if [ ${FOUND} -eq 1 ]; then
+ Display --indent 2 --text "- Check startup files (permissions)... " --result "WARNING" --color RED
+ ReportWarning ${TEST_NO} "H" "One or more startup files can be overwritten by all users"
+ ReportSuggestion ${TEST_NO} "Check startup scripts for world write access and change permissions if needed"
+ logtext "Result: found one or more scripts which are possibly writable by other users"
+ AddHP 0 3
+ else
+ Display --indent 2 --text "- Check startup files (permissions)... " --result "OK" --color GREEN
+ AddHP 3 3
+ fi
+ fi
+#
+#################################################################################
+#
+ # Add autostart services, like from KDE/Gnome
+ # Test : BOOT-5102
+ # Description : Check for tasks which are autostarted via /etc/inittab
+ #Register --test-no BOOT-5102 --weight L --network NO --description "Check inittab for services"
+ #if [ ${SKIPTEST} -eq 0 ]; then
+ #fi
+ #YYY check against static list?
+#
+#################################################################################
+#
+ # Test : BOOT-5202
+ # Description : Check uptime of system
+ Register --test-no BOOT-5202 --weight L --network NO --description "Check uptime of system"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FOUND=0
+ FIND=""
+ case "${OS}" in
+ Linux)
+ # Idle time, not real uptime
+ if [ -f /proc/uptime ]; then
+ FIND=`cat /proc/uptime | cut -d ' ' -f1 | cut -d '.' -f1`
+ else
+ Display --indent 2 --text "- Checking uptime" --result SKIPPED --color YELLOW
+ ReportException "${TEST_NO}:1" "No uptime test available for this operating system (/proc/uptime missing)"
+ fi
+ ;;
+ Solaris)
+ if [ ! "${KSTATBINARY}" = "" ]; then
+ FIND=`${KSTATBINARY} -p unix:0:system_misc:snaptime | grep "^unix" | awk '{print $2}' | cut -d "." -f1`
+ else
+ Display --indent 2 --text "- Checking uptime" --result SKIPPED --color YELLOW
+ ReportException "${TEST_NO}:2" "No uptime test available for this operating system (kstat missing)"
+ fi
+ ;;
+ *)
+ Display --indent 2 --text "- Checking uptime" --result SKIPPED --color YELLOW
+
+ # Want to help improving Lynis? Share your operating system and a way to determine the uptime (in seconds)
+ ReportException "${TEST_NO}:3" "No uptime test available yet for this operating system"
+ ;;
+ esac
+ if [ ! "${FIND}" = "" ]; then
+ UPTIME_IN_SECS="${FIND}"
+ UPTIME_IN_DAYS=`expr ${UPTIME_IN_SECS} / 60 / 60 / 24`
+ logtext "Uptime (in seconds): ${UPTIME_IN_SECS}"
+ logtext "Uptime (in days): ${UPTIME_IN_DAYS}"
+ else
+ logtext "Result: no uptime information available"
+ fi
+ fi
+
+
+
+#
+#################################################################################
+#
+
+report "boot_loader=${BOOT_LOADER}"
+
+wait_for_keypress
+
+#
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
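Review bot: The NOT FOUND branch of BOOT-5126 labels the NetBSD result as the FreeBSD loader; `Display --indent 4 --text "- Checking presence FreeBSD loader" --result "NOT FOUND" --color YELLOW` should say `NetBSD loader`, a copy-paste leftover from BOOT-5124. In BOOT-5177 the two summary log lines are swapped: the running-services block ends with `logtext "Result: Found $N enabled services"` and the enabled-at-boot block with `logtext "Result: Found $N running services"`, so the log contradicts the Display line directly above each. The comment `# Idle time, not real uptime` in BOOT-5202 is also inaccurate: the first field of /proc/uptime, which is the one the cut extracts, is uptime in seconds, and the second field is idle time. Lastly, BOOT-5184 scans the rc directories with `find ... -type f`, which skips symlinks; on systems where /etc/rc[0-6].d holds only symlinks into /etc/init.d that loop checks nothing, which may be intended but deserves a comment saying so.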
diff --git a/include/tests_crypto b/include/tests_crypto
new file mode 100644
index 00000000..8560b05c
--- /dev/null
+++ b/include/tests_crypto
@@ -0,0 +1,72 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# Cryptography
+#
+#################################################################################
+#
+ InsertSection "Cryptography"
+#
+#################################################################################
+#
+ # Test : CRYP-7902
+ # Description : check for expired SSL certificates
+ if [ ! -z "${OPENSSLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no CRYP-7902 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check expire date of SSL certificates"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FOUNDPROBLEM=0
+ # Check profile for paths to check
+ sSSL_PATHS=`grep "^ssl:certificates:" ${PROFILE} | cut -d ':' -f3`
+ for I in ${sSSL_PATHS}; do
+ if [ -d ${I} ]; then
+ logtext "Result: found directory ${I}"
+ # Search for CRT files
+ sFINDCRTS=`find ${I} -name "*.crt" -type f -print`
+ for J in ${sFINDCRTS}; do
+ logtext "Test: checking certificate ${J}"
+ # Check certificate where 'end date' has been expired
+ FIND=`${OPENSSLBINARY} x509 -noout -checkend 0 -in ${J} -enddate > /dev/null ; echo $?`
+ if [ "${FIND}" = "0" ]; then
+ logtext "Result: certificate ${J} seems to be correct and still valid"
+ report "valid_certificate[]=${J}|unknown entity|"
+ else
+ FOUNDPROBLEM=1
+ logtext "Result: certificate ${J} has been expired"
+ report "expired_certificate[]=${J}"
+ #YYY Dump more information to log file
+ fi
+ done
+ else
+ logtext "Result: SSL path ${I} does not exist"
+ fi
+ done
+
+ if [ ${FOUNDPROBLEM} -eq 0 ]; then
+ Display --indent 2 --text "- Checking SSL certificate expiration..." --result OK --color GREEN
+ else
+ Display --indent 2 --text "- Checking SSL certificate expiration..." --result WARNING --color RED
+ ReportWarning ${TEST_NO} "M" "One or more SSL certificates expired"
+ fi
+ fi
+#
+#################################################################################
+#
+
+wait_for_keypress
+
+#
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
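Review bot: In CRYP-7902 the `echo $?` after `openssl x509 -checkend 0` (the `FIND=` line) turns every non-zero exit into an expired certificate, so a `.crt` that openssl cannot parse (DER-encoded, unreadable, or not a certificate at all) is counted as expired and triggers the WARNING, while openssl's own error text reaches the terminal because stderr is not redirected. Parse first and treat that failure separately, e.g. `if ! ${OPENSSLBINARY} x509 -noout -in "${J}" >/dev/null 2>&1; then logtext "Result: unable to parse ${J}"; continue; fi` ahead of the checkend call, and add `2>&1` to the checkend redirection as well. The `for I in ${sSSL_PATHS}` and `for J in ${sFINDCRTS}` loops also word-split on whitespace, so a profile path or certificate filename containing a space reaches `find`/`openssl` in pieces; the same unquoted-loop pattern is in tests_file_permissions (`for I in ${FIND}`). Certificates stored as `.pem` are never examined because `find` only matches `*.crt`, which the comment `# Search for CRT files` could state as a known limitation.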
diff --git a/include/tests_custom.template b/include/tests_custom.template
new file mode 100644
index 00000000..b6686494
--- /dev/null
+++ b/include/tests_custom.template
@@ -0,0 +1,59 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# Here could you insert your own custom checks
+#
+# Tips:
+# - Make sure to use each test ID only once in Register function
+# - Use big steps in numbering, so you can easily put tests in between
+# - Want to improve Lynis? Share your checks!
+#
+#################################################################################
+#
+# This has already been inserted, but you might reuse it to split your tests
+# InsertSection "Custom Checks"
+#
+#################################################################################
+#
+ # Test : CUST-0010
+ # Description : Check for something interesting - template
+ # This test first checks if OpenSSL binary was found
+ if [ ! -z "${OPENSSLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no CUST-0010 --preqs-met ${PREQS_MET} --weight L --network NO --description "My description"
+ # Or you could use this one without any dependencies
+ # Register --test-no CUST-0010 --weight L --network NO --description "My description"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FOUND=0
+ logtext "Test: checking something"
+ ReportWarning ${TEST_NO} "M" "Test warning"
+ if [ ${FOUND} -eq 0 ]; then
+ Display --indent 4 --text "- Performing custom test 1..." --result OK --color GREEN
+ logtext "Result: the test looks great!"
+ else
+ Display --indent 4 --text "- Performing custom test 1..." --result WARNING --color RED
+ logtext "Result: hmm bad result of this test :("
+ ReportSuggestion ${TEST_NO} "This could be better!"
+ fi
+ fi
+#
+#################################################################################
+#
+
+wait_for_keypress
+
+#
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
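Review bot: The template calls `ReportWarning ${TEST_NO} "M" "Test warning"` unconditionally on the line before the `${FOUND}` check, so anyone who copies CUST-0010 as-is gets a medium warning in every report even when the test's own branch reports OK. Move it into the WARNING branch next to `ReportSuggestion`, or comment it out, and add a comment such as `# Raise a warning only in the branch where the check actually fails` so people adapting the template see the intent.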
diff --git a/include/tests_databases b/include/tests_databases
new file mode 100644
index 00000000..da0a3a07
--- /dev/null
+++ b/include/tests_databases
@@ -0,0 +1,154 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# Databases
+#
+#################################################################################
+#
+ # Status of database processes
+ MYSQL_RUNNING=0
+ ORACLE_RUNNING=0
+ POSTGRESQL_RUNNING=0
+ # Paths to DATADIR
+ sMYSQLDBPATHS="/var/lib/mysql"
+ # Paths to my.cnf
+ sMYCNFLOCS="/etc/mysql/my.cnf /usr/etc/my.cnf"
+#
+#################################################################################
+#
+ InsertSection "Databases"
+
+ # Test : DBS-1804
+ # Description : Check if MySQL is being used
+ Register --test-no DBS-1804 --weight L --network NO --description "Checking active MySQL process"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FIND=`${PSBINARY} ax | egrep "mysqld|mysqld_safe" | grep -v "grep"`
+ if [ "${FIND}" = "" ]; then
+ Display --indent 2 --text "- MySQL process status..." --result "NOT FOUND" --color WHITE
+ logtext "Result: MySQL process not active"
+ else
+ Display --indent 2 --text "- MySQL process status..." --result "FOUND" --color GREEN
+ logtext "Result: MySQL is active"
+ MYSQL_RUNNING=1
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : DBS-1808
+ # Description : Check MySQL data directory
+ #Register --test-no DBS-1808 --weight L --network NO --description "Checking MySQL data directory"
+ #if [ ${SKIPTEST} -eq 0 ]; then
+ #fi
+#
+#################################################################################
+#
+ # Test : DBS-1812
+ # Description : Check data directory permissions
+ #Register --test-no DBS-1812 --weight L --network NO --description "Checking MySQL data directory permissions"
+ #if [ ${SKIPTEST} -eq 0 ]; then
+ #fi
+#
+#################################################################################
+#
+ # Test : DBS-1816
+ # Description : Check empty MySQL root password
+ # Notes : Only perform test when MySQL is running and client is available
+ if [ ! "${MYSQLCLIENTBINARY}" = "" -a ${MYSQL_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no DBS-1816 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking MySQL root password"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Trying to login to local MySQL server without password"
+ FIND=`${MYSQLCLIENTBINARY} -u root --password= --silent --batch --execute="" 2> /dev/null; echo $?`
+ if [ "${FIND}" = "0" ]; then
+ logtext "Result: Login succeeded, no MySQL root password set!"
+ ReportWarning ${TEST_NO} "H" "No MySQL root password set"
+ ReportSuggestion ${TEST_NO} "Use mysqladmin to set a MySQL root password (mysqladmin -u root -p password MYPASSWORD)"
+ Display --indent 4 --text "- Checking empty MySQL root password" --result WARNING --color RED
+ AddHP 0 5
+ else
+ logtext "Result: Login did not succeed, so a MySQL root password is set"
+ Display --indent 4 --text "- Checking MySQL root password" --result OK --color GREEN
+ AddHP 2 2
+ fi
+ else
+ logtext "Test skipped, MySQL daemon not running or no MySQL client available"
+ fi
+#
+#################################################################################
+#
+ # Test : DBS-1826
+ # Description : Check if PostgreSQL is being used
+ Register --test-no DBS-1826 --weight L --network NO --description "Checking active PostgreSQL processes"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FIND=`${PSBINARY} ax | grep "postgres:" | grep -v "grep"`
+ if [ "${FIND}" = "" ]; then
+ Display --indent 2 --text "- PostgreSQL processes status..." --result "NOT FOUND" --color WHITE
+ logtext "Result: PostgreSQL process not active"
+ else
+ Display --indent 2 --text "- PostgreSQL processes status..." --result "FOUND" --color GREEN
+ logtext "Result: PostgreSQL is active"
+ POSTGRESQL_RUNNING=1
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : DBS-1840
+ # Description : Check if Oracle is being used
+ # Notes : tnslsnr: Oracle listener
+ # pmon: process monitor
+ # smon: system monitor
+ # dbwr: database writer
+ # lgwr: log writer
+ # arch: archiver (optional)
+ # ckpt: checkpoint (optional)
+ # reco: recovery (optional)
+ Register --test-no DBS-1840 --weight L --network NO --description "Checking active Oracle processes"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FIND=`${PSBINARY} ax | egrep "ora_pmon|ora_smon|tnslsnr" | grep -v "grep"`
+ if [ "${FIND}" = "" ]; then
+ Display --indent 2 --text "- Oracle processes status..." --result "NOT FOUND" --color WHITE
+ logtext "Result: Oracle process(es) not active"
+ else
+ Display --indent 2 --text "- Oracle processes status..." --result "FOUND" --color GREEN
+ logtext "Result: Oracle is active"
+ ORACLE_RUNNING=1
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : DBS-1842
+ # Description : Check Oracle home paths from oratab
+ #Register --test-no DBS-1842 --weight L --network NO --description "Checking Oracle home paths"
+ #if [ ${SKIPTEST} -eq 0 ]; then
+ # if [ -f /etc/oratab ]; then
+ # FIND=`cat /etc/oratab | grep -v "#" | awk -F: "{ print $2 }"`
+ # fi
+ #fi
+#
+#################################################################################
+#
+report "mysql_running=${MYSQL_RUNNING}"
+report "oracle_running=${ORACLE_RUNNING}"
+report "postgresql_running=${POSTGRESQL_RUNNING}"
+
+wait_for_keypress
+
+
+#
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
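Review bot: DBS-1816 reads any non-zero exit of the mysql client as "a root password is set" because `2> /dev/null` discards the reason, so a client that cannot reach the socket, a refused connection, or a client/server incompatibility all end in the OK branch and `AddHP 2 2`. Capture the output instead, e.g. `FIND=$(${MYSQLCLIENTBINARY} -u root --password= --silent --batch --execute="" 2>&1); RC=$?` followed by `logtext "Result: exit code ${RC}, output: ${FIND}"`, and only score OK when `RC` is non-zero and the output is an access-denied error; any other failure should be logged as inconclusive rather than as a pass. A passwordless login can also succeed through socket-based authentication of the local root account on some distributions (inferred, not visible here), in which case the HIGH warning text overstates the problem. In DBS-1804 the `mysqld_safe` alternative in `egrep "mysqld|mysqld_safe"` is redundant since `mysqld` already matches it.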
diff --git a/include/tests_file_integrity b/include/tests_file_integrity
new file mode 100644
index 00000000..4b0e1792
--- /dev/null
+++ b/include/tests_file_integrity
@@ -0,0 +1,217 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+ FILE_INT_TOOL_FOUND=0 # Boolean, file integrity tool found
+#
+#################################################################################
+#
+ InsertSection "Software: file integrity"
+ Display --indent 2 --text "- Checking file integrity tools..."
+
+
+ # Test : FINT-4310
+ # Description : Check if AFICK is installed
+ Register --test-no FINT-4310 --weight L --network NO --description "AFICK availability"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking AFICK binary"
+ if [ ! "${AFICKBINARY}" = "" ]; then
+ logtext "Result: AFICK is installed (${AFICKBINARY})"
+ FILE_INT_TOOL_FOUND=1
+ Display --indent 4 --text "- AFICK..." --result FOUND --color GREEN
+ else
+ logtext "Result: AFICK is not installed"
+ Display --indent 4 --text "- AFICK..." --result "NOT FOUND" --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : FINT-4314
+ # Description : Check if AIDE is installed
+ Register --test-no FINT-4314 --weight L --network NO --description "AIDE availability"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking AIDE binary"
+ if [ ! "${AIDEBINARY}" = "" ]; then
+ logtext "Result: AIDE is installed (${AIDEBINARY})"
+ FILE_INT_TOOL_FOUND=1
+ Display --indent 4 --text "- AIDE..." --result FOUND --color GREEN
+ else
+ logtext "Result: AIDE is not installed"
+ Display --indent 4 --text "- AIDE..." --result "NOT FOUND" --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : FINT-4315
+ # Description : Check AIDE configuration file
+ if [ ! "${AIDEBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no FINT-4315 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check AIDE configuration file"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ AIDE_CONFIG_LOCS="/etc /etc/aide /usr/local/etc"
+ logtext "Test: search for aide.conf in ${AIDE_CONFIG_LOCS}"
+ for I in ${AIDE_CONFIG_LOCS}; do
+ if [ -f ${I}/aide.conf ]; then
+ logtext "Result: found aide.conf in directory ${I}"
+ AIDECONFIG="${I}/aide.conf"
+ fi
+ done
+ if [ "${AIDECONFIG}" = "" ]; then
+ Display --indent 6 --text "- AIDE config file" --result "NOT FOUND" --color YELLOW
+ else
+ Display --indent 6 --text "- AIDE config file" --result FOUND --color GREEN
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : FINT-4316
+ # Description : Check if AIDE is configured to use SHA256 or SHA512 checksums
+ if [ ! "${AIDEBINARY}" = "" -a ! "${AIDECONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no FINT-4316 --preqs-met ${PREQS_MET} --weight L --network NO --description "AIDE configuration: Checksums (SHA256 or SHA512)"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FIND=`${GREPBINARY} "^Checksums" ${AIDECONFIG}`
+ FIND2=`${GREPBINARY} "^Checksums" ${AIDECONFIG} | ${EGREPBINARY} "sha256|sha512"`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: Unclear how AIDE is dealing with checksums"
+ Display --indent 6 --text "- AIDE config (Checksums)" --result UNKNOWN --color YELLOW
+ else
+ if [ "${FIND2}" = "" ]; then
+ logtext "Result: No SHA256 or SHA512 found for creating checksums"
+ Display --indent 6 --text "- AIDE config (Checksum)" --result WARNING --color RED
+ ReportSuggestion ${TEST_NO} "Use SHA256 or SHA512 to create checksums in AIDE"
+ AddHP 1 3
+ else
+ logtext "Result: Found SHA256 or SHA512 found for creating checksums"
+ Display --indent 6 --text "- AIDE config (Checksum)" --result OK --color GREEN
+ AddHP 2 2
+ fi
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : FINT-4318
+ # Description : Check if Osiris is installed
+ Register --test-no FINT-4318 --weight L --network NO --description "Osiris availability"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking Osiris binary"
+ if [ ! "${OSIRISBINARY}" = "" ]; then
+ logtext "Result: Osiris is installed (${OSIRISBINARY})"
+ FILE_INT_TOOL_FOUND=1
+ Display --indent 4 --text "- Osiris..." --result FOUND --color GREEN
+ else
+ logtext "Result: Osiris is not installed"
+ Display --indent 4 --text "- Osiris..." --result "NOT FOUND" --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : FINT-4322
+ # Description : Check if Samhain is installed
+ Register --test-no FINT-4322 --weight L --network NO --description "Samhain availability"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking Samhain binary"
+ if [ ! "${SAMHAINBINARY}" = "" ]; then
+ logtext "Result: Samhain is installed (${SAMHAINBINARY})"
+ FILE_INT_TOOL_FOUND=1
+ Display --indent 4 --text "- Samhain..." --result FOUND --color GREEN
+ else
+ logtext "Result: Samhain is not installed"
+ Display --indent 4 --text "- Samhain..." --result "NOT FOUND" --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : FINT-4326
+ # Description : Check if Tripwire is installed
+ Register --test-no FINT-4326 --weight L --network NO --description "Tripwire availability"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking Tripwire binary"
+ if [ ! "${TRIPWIREBINARY}" = "" ]; then
+ logtext "Result: Tripwire is installed (${TRIPWIREBINARY})"
+ FILE_INT_TOOL_FOUND=1
+ Display --indent 4 --text "- Tripwire..." --result FOUND --color GREEN
+ else
+ logtext "Result: Tripwire is not installed"
+ Display --indent 4 --text "- Tripwire..." --result "NOT FOUND" --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : FINT-4328
+ # Description : Check if OSSEC system integrity tool is running
+ Register --test-no FINT-4328 --weight L --network NO --description "OSSEC syscheck daemon running"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking if OSSEC syscheck daemon is running"
+ IsRunning ossec-syscheckd
+ if [ ${RUNNING} -eq 1 ]; then
+ FILE_INT_TOOL_FOUND=1
+ Display --indent 4 --text "- OSSEC (syscheck)..." --result FOUND --color GREEN
+ else
+ Display --indent 4 --text "- OSSEC (syscheck)..." --result "NOT FOUND" --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : FINT-4330
+ # Description : Check if mtree is installed
+ # Note : Usually on BSD and similar
+ Register --test-no FINT-4330 --weight L --network NO --description "mtree availability"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking mtree binary"
+ if [ ! "${MTREEBINARY}" = "" ]; then
+ logtext "Result: mtree is installed (${MTREEBINARY})"
+ FILE_INT_TOOL_FOUND=1
+ Display --indent 4 --text "- mtree..." --result FOUND --color GREEN
+ else
+ logtext "Result: mtree is not installed"
+ Display --indent 4 --text "- mtree..." --result "NOT FOUND" --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : FINT-4350
+ # Description : Check if at least one file integrity tool is installed
+ Register --test-no FINT-4350 --weight L --network NO --description "File integrity software installed"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Check if at least on file integrity tool is available/installed"
+ if [ ${FILE_INT_TOOL_FOUND} -eq 1 ]; then
+ logtext "Result: found at least one file integrity tool"
+ Display --indent 2 --text "- Checking presence integrity tool..." --result FOUND --color GREEN
+ AddHP 5 5
+ else
+ logtext "Result: No file integrity tools found"
+ Display --indent 2 --text "- Checking presence integrity tool..." --result "NOT FOUND" --color YELLOW
+ ReportSuggestion ${TEST_NO} "Install a file integrity tool"
+ AddHP 0 5
+ fi
+ fi
+#
+#################################################################################
+#
+
+report "file_integrity_installed=${FILE_INT_TOOL_FOUND}"
+wait_for_keypress
+
+#
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
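Review bot: In FINT-4315 `AIDECONFIG` is never initialised before the `for I in ${AIDE_CONFIG_LOCS}` loop, so the `"${AIDECONFIG}" = ""` check afterwards relies on nothing earlier in the run having set that name, and when several locations hold an aide.conf the loop logs each as found but silently keeps the last one; add `AIDECONFIG=""` before the loop and a `break` after the assignment (or log which file wins) so FINT-4316 inspects the intended file. FINT-4316 then greps only a literal `^Checksums` line; if AIDE also lets the hash selection live inside rule definitions (I believe it does, confirm), such configurations are reported UNKNOWN rather than checked, which the `logtext` in that branch could say explicitly. Both `grep` calls leave `${AIDECONFIG}` unquoted. The logtext in FINT-4350 reads `at least on file integrity tool` (missing "e").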
diff --git a/include/tests_file_permissions b/include/tests_file_permissions
new file mode 100644
index 00000000..b0ea1d73
--- /dev/null
+++ b/include/tests_file_permissions
@@ -0,0 +1,59 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# File permissions
+#
+#################################################################################
+#
+ InsertSection "System Tools"
+#
+#################################################################################
+#
+ # Test : FILE-7524
+ # Description : Perform file permissions check
+ Register --test-no FILE-7524 --weight L --network NO --description "Perform file permissions check"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ Display --indent 2 --text "- Starting file permissions check..."
+ logtext "Test: Checking file permissions"
+ logtext "Using profile ${PROFILE} for baseline."
+ FIND=`cat ${PROFILE} | egrep '^permfile:|^permdir:' | cut -d: -f2`
+ for I in ${FIND}; do
+ logtext "Checking ${I}"
+ CheckFilePermissions ${I}
+ logtext " Expected permissions: ${PROFILEVALUE}"
+ logtext " Actual permissions: ${FILEVALUE}"
+ logtext " Result: $PERMS"
+ if [ "${PERMS}" = "FILE_NOT_FOUND" ]; then
+ Display --indent 4 --text "${I}" --result "NOT FOUND" --color WHITE
+ elif [ "${PERMS}" = "OK" ]; then
+ Display --indent 4 --text "${I}" --result OK --color GREEN
+ elif [ "${PERMS}" = "BAD" ]; then
+ Display --indent 4 --text "${I}" --result WARNING --color RED
+ ReportWarning ${TEST_NO} "M" "Incorrect permissions for file ${I}"
+ else
+ logtext "UNKNOWN status for file"
+ fi
+ done
+ fi
+#
+#################################################################################
+#
+
+wait_for_keypress
+
+#
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
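Review bot: The `else` branch of the `${PERMS}` chain in FILE-7524 only writes `UNKNOWN status for file` to the log, without naming the file and without a `Display` line, so an entry that CheckFilePermissions cannot classify vanishes from the screen output while every other outcome is shown; suggest `logtext "UNKNOWN status for file ${I}"` plus `Display --indent 4 --text "${I}" --result UNKNOWN --color YELLOW`. `FIND` is built with a useless `cat ${PROFILE} |` that `egrep '^permfile:|^permdir:' ${PROFILE}` replaces, and `for I in ${FIND}` splits profile paths on whitespace before they reach `CheckFilePermissions ${I}`. CheckFilePermissions is defined outside this hunk, so the values `PROFILEVALUE` and `PERMS` can take are not visible here.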
diff --git a/include/tests_filesystems b/include/tests_filesystems
new file mode 100644
index 00000000..1d77d8d9
--- /dev/null
+++ b/include/tests_filesystems
@@ -0,0 +1,565 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# File systems
+#
+#################################################################################
+#
+ # Number of days to mark a file as old
+ TMP_OLD_DAYS=90
+ LVM_VG_USED=0
+#
+#################################################################################
+#
+ InsertSection "File systems"
+#
+#################################################################################
+#
+ # Test : FILE-6310
+ # Description : Checking if /tmp and /home are separated from /
+ # Goal : Users should not be able to fill their home directory or
+ # temporary directory and creating a Denial of Service
+ Register --test-no FILE-6310 --weight L --network NO --description "Checking /tmp and /home directory"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ Display --indent 2 --text "- Checking mount points"
+ SEPARATED_FILESYTEMS="/home /tmp"
+ for I in ${SEPARATED_FILESYTEMS}; do
+ logtext "Test: Checking if ${I} is mounted separately or mounted on / file system"
+ if [ -L ${I} ]; then
+ logtext "Result: ${I} is a symlink. Manual check required to determine exact file system"
+ Display --indent 4 --text "- Checking ${I} mount point..." --result SYMLINK --color WHITE
+ elif [ -d ${I} ]; then
+ logtext "Result: directory ${I} exists"
+ FIND=`mount | grep "${I}"`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: found ${I} as a separated mount point"
+ Display --indent 4 --text "- Checking ${I} mount point..." --result OK --color GREEN
+ else
+ logtext "Result: ${I} not found in mount list. Directory most likely stored on / file system"
+ Display --indent 4 --text "- Checking ${I} mount point..." --result SUGGESTION --color YELLOW
+ ReportSuggestion ${TEST_NO} "To decrease the impact of a full ${I} file system, place ${I} on a separated partition"
+ fi
+ else
+ logtext "Result: directory ${I} does not exist"
+ fi
+ done
+ fi
+#
+#################################################################################
+#
+ # YYY Checking Physical Volumes
+#
+#################################################################################
+#
+ # Test : FILE-6311
+ # Description : Checking LVM Volume Groups
+ # Notes : No volume groups found is sent to STDERR for unclear reasons. Filtering both STDERR redirecting and grep.
+ if [ ! "${VGDISPLAYBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no FILE-6311 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking LVM volume groups"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking for LVM volume groups"
+ FIND=`${VGDISPLAYBINARY} 2> /dev/null | grep -v "No volume groups found" | grep "VG Name" | awk '{ print $3 }' | sort`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: found one or more volume groups"
+ for I in ${FIND}; do
+ logtext "Found LVM volume group: ${I}"
+ report "lvm_volume_group[]=${I}"
+ done
+ LVM_VG_USED=1
+ Display --indent 2 --text "- Checking LVM volume groups..." --result FOUND --color GREEN
+ else
+ logtext "Result: no LVM volume groups found"
+ Display --indent 2 --text "- Checking LVM volume groups..." --result NONE --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : FILE-6312
+ # Description : Checking LVM volumes
+ if [ ! "${LVDISPLAYBINARY}" = "" -a ${LVM_VG_USED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no FILE-6312 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking LVM volumes"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking for LVM volumes"
+ FIND=`${LVDISPLAYBINARY} | grep -v "No volume groups found" | grep "LV Name" | awk '{ print $3 }' | sort`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: found one or more volumes"
+ for I in ${FIND}; do
+ logtext "Found LVM volume: ${I}"
+ report "lvm_volume[]=${I}"
+ done
+ Display --indent 4 --text "- Checking LVM volumes..." --result FOUND --color GREEN
+ else
+ logtext "Result: no LVM volume groups found"
+ Display --indent 4 --text "- Checking LVM volumes..." --result NONE --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : FILE-6316
+ # Description : Checking /etc/fstab file permissions
+ #Register --test-no FILE-6316 --os Linux --weight L --network NO --description "Checking /etc/fstab"
+ #if [ ${SKIPTEST} -eq 0 ]; then
+ # 644
+#
+#################################################################################
+#
+ # Test : FILE-6323
+ # Description : Checking Linux EXT2, EXT3, EXT4 file systems
+ Register --test-no FILE-6323 --os Linux --weight L --network NO --description "Checking EXT file systems"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking for Linux EXT file systems"
+ FIND=`mount -t ext2,ext3,ext4 | awk '{ print $3","$5 }'`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: found one or more EXT file systems"
+ for I in ${FIND}; do
+ FILESYSTEM=`echo ${I} | cut -d ',' -f1`
+ FILETYPE=`echo ${I} | cut -d ',' -f2`
+ logtext "File system: ${FILESYSTEM} (type: ${FILETYPE})"
+ done
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : FILE-6329
+ # Description : Query all FFS/UFS mounts from /etc/fstab
+ if [ -f /etc/fstab ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no FILE-6329 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking FFS/UFS file systems"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Query /etc/fstab for available FFS/UFS mount points"
+ FIND=`awk '{ if ($3 == "ufs" || $3 == "ffs" ) { print $1":"$2":"$3":"$4":" }}' /etc/fstab`
+ if [ "${FIND}" = "" ]; then
+ Display --indent 2 --text "- Querying FFS/UFS mount points (fstab)..." --result NONE --color WHITE
+ logtext "Result: unable to find any single mount point (FFS/UFS)"
+ else
+ Display --indent 2 --text "- Querying FFS/UFS mount points (fstab)..." --result FOUND --color GREEN
+ report "filesystem[]=ufs"
+ for I in ${FIND}; do
+ logtext "FFS/UFS mount found: ${I}"
+ report "mountpoint_ufs[]=${I}"
+ done
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : FILE-6330
+ # Description : Query all ZFS mounts from /etc/fstab
+ Register --test-no FILE-6330 --os FreeBSD --weight L --network NO --description "Checking ZFS file systems"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Query /etc/fstab for available ZFS mount points"
+ FIND=`mount -p | awk '{ if ($3 == "zfs") { print $1":"$2":"$3":"$4":" }}'`
+ if [ "${FIND}" = "" ]; then
+ Display --indent 2 --text "- Querying ZFS mount points (mount -p)..." --result NONE --color WHITE
+ logtext "Result: unable to find any single mount point (ZFS)"
+ else
+ Display --indent 2 --text "- Querying ZFS mount points (mount -p)..." --result FOUND --color GREEN
+ report "filesystem[]=zfs"
+ for I in ${FIND}; do
+ logtext "ZFS mount found: ${I}"
+ report "mountpoint_zfs[]=${I}"
+ done
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : FILE-6332
+ # Description : Check swap partitions
+ if [ -f /etc/fstab ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no FILE-6332 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking swap partitions"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FOUND=0
+ logtext "Test: query swap partitions from /etc/fstab file"
+ # Check if third field contains 'swap'
+ FIND=`awk '{ if ($3=="swap") print $1 }' /etc/fstab`
+ for I in ${FIND}; do
+ FOUND=1
+ logtext "Swap partition found: ${I}"
+ # YYY add test if partition is not a normal partition (e.g. UUID=)
+ report "swap_partition[]=${I}"
+ done
+ if [ ${FOUND} -eq 1 ]; then
+ Display --indent 2 --text "- Query swap partitions (fstab)..." --result OK --color GREEN
+ else
+ Display --indent 2 --text "- Query swap partitions (fstab)..." --result WARNING --color YELLOW
+ ReportWarning ${TEST_NO} "L" "No swap partion found in /etc/fstab"
+ logtext "Result: no swap partitions found in /etc/fstab"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : FILE-6336
+ # Description : Check swap mount options
+ if [ -f /etc/fstab ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no FILE-6336 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking swap mount options"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ # Swap partitions should be mounted with 'sw'
+ logtext "Test: check swap partitions with incorrect mount options"
+ FIND=`awk '{ if ($3=="swap" && $4 !~ "sw") print $1 }' /etc/fstab`
+ if [ "${FIND}" = "" ]; then
+ Display --indent 2 --text "- Testing swap partitions..." --result OK --color GREEN
+ logtext "Result: all swap partitions have correct options (=sw)"
+ else
+ Display --indent 2 --text "- Testing swap partitions..." --result WARNING --color RED
+ logtext "Result: possible incorrect mount options used for mounting swap partition (${FIND})"
+ ReportWarning ${TEST_NO} "L" "Possible incorrect mount options used for swap parition (${FIND})"
+ ReportSuggestion ${TEST_NO} "Check your /etc/fstab file. Swap parition usually have 'sw' in the options field (4th)."
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : FILE-6354
+ # Description : Search files within /tmp which are older than 3 months
+ if [ -d /tmp ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no FILE-6354 --preqs-met ${PREQS_MET} --weight L --network NO --description "Searching for old files in /tmp"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Searching for old files in /tmp..."
+ # Search for files only in /tmp, with an access time older than X days
+ FIND=`find /tmp -type f -atime +${TMP_OLD_DAYS} | sed 's/ /!space!/g'`
+ if [ "${FIND}" = "" ]; then
+ Display --indent 2 --text "- Checking for old files in /tmp..." --result OK --color GREEN
+ logtext "Result: no files found in /tmp which are older than 3 months"
+ else
+ Display --indent 2 --text "- Checking for old files in /tmp..." --result WARNING --color RED
+ N=0
+ for I in ${FIND}; do
+ FILE=`echo ${I} | sed 's/!space!/ /g'`
+ logtext "Old temporary file: ${FILE}"
+ N=`expr ${N} + 1`
+ done
+ logtext "Result: found old files in /tmp, which were not modified in the last ${TMP_OLD_DAYS} days"
+ logtext "Advice: check and clean up unused files in /tmp. Old files can fill up a disk or contain"
+ logtext "private information and should be deleted it not being used actively. Use a tool like lsof to"
+ logtext "see which programs possibly are using a particular file. Some systems can cleanup temporary"
+ logtext "directories by setting a boot option."
+ ReportWarning ${TEST_NO} "L" "Found ${N} files in /tmp which are older than ${TMP_OLD_DAYS} days"
+ ReportSuggestion ${TEST_NO} "Clean up unused files in /tmp"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test: scan the skel directory for bad permissions
+ # Reason: bad permissions on these files will give new created users the same permissions
+ #YYY enable skel test
+ # Several differences between operating systems are present
+ #SKELDIRS="/etc/skel /usr/share/skel"
+
+ #for I in ${SKELDIRS}; do
+ #
+ # logtext "Searching skel directory ${I}..."
+ #
+ # if [ -d ${I} ]; then
+ # logtext "Result: Directory found, scanning for unsafe file permissions"
+ # FIND=`ls -A ${I} | wc -l | sed 's/ //g'`
+ # if [ ! "${FIND}" = "0" ]; then
+ # FIND=`find ${I} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \)`
+ # if [ "${FIND}" = "" ]; then
+ # Display --indent 2 --text "- Checking skel file permissions (${I})..." --result OK --color GREEN
+ # logtext "Result: Directory seems to be ok, no files found with read/write/execute bit set."
+ # logtext "Status: OK"
+ # else
+ # Display --indent 2 --text "- Checking skel file permissions (${I})..." --result WARNING --color RED
+ # logtext "Result: The following files do have non restrictive permissions: ${FIND}"
+ # ReportSuggestion ${TEST_NO} "Remove the read, write or execute bit from these files (chmod o-rwx)"
+ # fi
+ # else
+ # Display --indent 2 --text "- Checking skel file permissions (${I})..." --result EMPTY --color WHITE
+ # logtext "Directory ${I} is empty, no scan performed"
+ # fi
+ # else
+ # Display --indent 2 --text "- Checking skel file permissions (${I})..." --result "NOT FOUND" --color WHITE
+ # logtext "Result: Skel directory (${I}) not found"
+ # fi
+ #done
+#
+#################################################################################
+#
+ # Test : FILE-6362
+ # Description : Check for sticky bit on /tmp
+ if [ -d /tmp -a ! -L /tmp ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no FILE-6362 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking /tmp sticky bit"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ # Depending on OS, number of field with 'tmp' differs
+ FIND=`ls -l / | tr -s ' ' | awk -F" " '{ if ( $8 == "tmp" || $9 == "tmp" ) { print $1 } }' | cut -c 10`
+ if [ "${FIND}" = "t" -o "${FIND}" = "T" ]; then
+ Display --indent 2 --text "- Checking /tmp sticky bit..." --result OK --color GREEN
+ logtext "Result: Sticky bit (${FIND}) found on /tmp directory"
+ AddHP 3 3
+ else
+ Display --indent 2 --text "- Checking /tmp sticky bit..." --result WARNING --color RED
+ ReportWarning ${TEST_NO} "H" "No sticky bit found on /tmp directory, which can be dangerous!"
+ ReportSuggestion ${TEST_NO} "Consult documentation and place the sticky bit, to prevent users deleting (by other owned) files in the /tmp directory."
+ AddHP 0 3
+ fi
+ else
+ logtext "Result: Sticky bit test (on /tmp) skipped. Possible reason: missing or symlinked directory, or test skipped."
+ fi
+#
+#################################################################################
+#
+ # Test : FILE-6366
+ # Description : Check for noatime option
+ # More info : especially useful for profile 'desktop' and 'server-storage'
+#
+#################################################################################
+#
+ # Test : FILE-6368
+ # Description : Checking Linux root file system ACL support
+ Register --test-no FILE-6368 --os Linux --weight L --network NO --description "Checking ACL support on root file system"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FOUND=0
+ logtext "Test: Checking acl option on root file system"
+ FIND=`mount | ${AWKBINARY} '{ if ($3=="/") { print $6 } }' | grep acl`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: found ACL option"
+ FOUND=1
+ else
+ logtext "Result: mount point probably mounted with defaults"
+ logtext "Test: Checking device which holds root file system"
+ # Get device on which root file system is mounted. Use /dev/root if it exists, or
+ # else check output of mount
+ if [ -b /dev/root ]; then
+ FIND1="/dev/root"
+ else
+ FIND1=`mount | grep ' / ' | awk '{ print $1 }' | sed 's/rootfs//'`
+ fi
+ if [ ! "${FIND1}" = "" ]; then
+ logtext "Result: found ${FIND1}"
+ logtext "Test: Checking default options on ${FIND1}"
+ FIND2=`${TUNE2FSBINARY} -l ${FIND1} | grep "^Default mount options" | grep "acl"`
+ if [ ! "${FIND2}" = "" ]; then
+ logtext "Result: found ACL option in default mount options"
+ FOUND=1
+ else
+ logtext "Result: no ACL option found in default mount options list"
+ fi
+ else
+ logtext "Result: No file system found with root file system"
+ fi
+ fi
+
+ if [ ${FOUND} -eq 0 ]; then
+ logtext "Result: ACL option NOT enabled on root file system"
+ logtext "Additional information: if file access need to be more restricted, ACLs could be used. Install the acl utilities and remount the file system with the acl option"
+ logtext "Activate acl support on and active file system with mount -o remount,acl / and add the acl option to the fstab file"
+ Display --indent 2 --text "- ACL support root file system..." --result DISABLED --color YELLOW
+ AddHP 0 1
+ else
+ logtext "Result: ACL option enabled on root file system"
+ Display --indent 2 --text "- ACL support root file system..." --result ENABLED --color GREEN
+ AddHP 3 3
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : FILE-6372
+ # Description : Check / mount options for Linux
+ # Notes :
+ Register --test-no FILE-6372 --os Linux --weight L --network NO --description "Checking / mount options"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ if [ -f /etc/fstab ]; then
+ FIND=`echo /etc/fstab | awk '{ if ($2=="/") { print $4 } }'`
+ NODEV=`echo ${FIND} | awk '{ if ($1=="nodev") { print "YES" } else { print "NO" } }'`
+ NOEXEC=`echo ${FIND} | awk '{ if ($1=="noexec") { print "YES" } else { print "NO" } }'`
+ NOSUID=`echo ${FIND} | awk '{ if ($1=="nosuid") { print "YES" } else { print "NO" } }'`
+
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: mount system / is configured with options: ${FIND}"
+ if [ "${FIND}" = "defaults" ]; then
+ Display --indent 2 --text "- Mount options of /..." --result OK --color GREEN
+ else
+ Display --indent 2 --text "- Mount options of /..." --result "NON DEFAULT" --color YELLOW
+ fi
+ else
+ logtext "Result: no mount point / or expected options found"
+ fi
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : FILE-6374
+ # Description : Check /boot mount options for Linux
+ # Notes : Expecting nodev,noexec,nosuid
+ Register --test-no FILE-6374 --os Linux --weight L --network NO --description "Checking /boot mount options"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ if [ -f /etc/fstab ]; then
+ HARDENED=0
+ FIND=`echo /etc/fstab | awk '{ if ($2=="/boot") { print $4 } }'`
+ NODEV=`echo ${FIND} | awk '{ if ($1=="nodev") { print "YES" } else { print "NO" } }'`
+ NOEXEC=`echo ${FIND} | awk '{ if ($1=="noexec") { print "YES" } else { print "NO" } }'`
+ NOSUID=`echo ${FIND} | awk '{ if ($1=="nosuid") { print "YES" } else { print "NO" } }'`
+ if [ "${NODEV}" = "YES" -a "${NOEXEC}" = "YES" -a "${NOSUID}" = "YES" ]; then HARDENED=1; fi
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: mount system /boot is configured with options: ${FIND}"
+ if [ ${HARDENED} -eq 1 ]; then
+ logtext "Result: marked /boot options as hardenened"
+ Display --indent 2 --text "- Mount options of /boot..." --result HARDENED --color GREEN
+ AddHP 5 5
+ else
+ if [ "${FIND}" = "defaults" ]; then
+ logtext "Result: marked /boot options as default (non hardened)"
+ Display --indent 2 --text "- Mount options of /boot..." --result DEFAULT --color RED
+ AddHP 3 5
+ else
+ logtext "Result: marked /boot options as non default (unclear about hardening)"
+ Display --indent 2 --text "- Mount options of /boot..." --result "NON DEFAULT" --color YELLOW
+ AddHP 4 5
+ fi
+ fi
+ else
+ logtext "Result: no mount point /boot or expected options found"
+ fi
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : FILE-XXXX
+ # Description : Check /home mount options for Linux
+ # Notes : Expecting nodev,nosuid
+#
+#################################################################################
+#
+
+ # Test : FILE-XXXX
+ # Description : Check /var mount options for Linux
+ # Notes : Expecting nosuid
+#
+#################################################################################
+#
+ # Test : FILE-XXXX
+ # Description : Check /var/log mount options for Linux
+ # Notes : Expecting nodev,noexec,nosuid
+#
+#################################################################################
+#
+ # Test : FILE-XXXX
+ # Description : Check /var/log/audit mount options for Linux
+ # Notes : Expecting nodev,noexec,nosuid
+#
+#################################################################################
+#
+
+ # Test : FILE-XXXX
+ # Description : Check /tmp mount options for Linux
+ # Notes : Expecting nodev,noexec,nosuid
+#
+#################################################################################
+#
+#
+#################################################################################
+#
+ # Test : FILE-6378
+ # Description : Check for nodirtime option
+#
+#################################################################################
+#
+ # Test : FILE-6380
+ # Description : Check for relatime
+#
+#################################################################################
+#
+ # Test : FILE-6390
+ # Description : Check writeback/journalling mode (ext3)
+ # More info : data=writeback | data=ordered | data=journal
+#
+#################################################################################
+#
+ # Test : FILE-6394
+ # Description : Check vm.swappiness (Linux)
+#
+#################################################################################
+#
+ # Test : FILE-6398
+ # Description : Check if JBD (Journal Block Device) driver is loaded
+#
+#################################################################################
+#
+ # Test : FILE-6410
+ # Description : Checking locate database (file index)
+ # Notes : Linux /var/lib/mlocate/mlocate.db or /var/lib/slocate/slocate.db
+ # or /var/cache/locate/locatedb
+ # FreeBSD /var/db/locate.database
+ if [ ! "${LOCATEBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no FILE-6410 --os Linux --weight L --network NO --description "Checking Locate database"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking locate database"
+ FOUND=0
+ LOCATE_DBS="/var/lib/mlocate/mlocate.db /var/lib/locatedb /var/lib/slocate/slocate.db /var/cache/locate/locatedb /var/db/locate.database"
+ for I in ${LOCATE_DBS}; do
+ if [ -f ${I} ]; then
+ logtext "Result: locate database found (${I})"
+ FOUND=1
+ LOCATE_DB="${I}"
+ else
+ logtext "Result: file ${I} not found"
+ fi
+ done
+ if [ ${FOUND} -eq 1 ]; then
+ Display --indent 2 --text "- Checking Locate database..." --result FOUND --color GREEN
+ report "locate_db=${LOCATE_DB}"
+ else
+ logtext "Result: database not found"
+ Display --indent 2 --text "- Checking Locate database..." --result "NOT FOUND" --color YELLOW
+ ReportSuggestion ${TEST_NO} "The database required for 'locate' could not be found. Run 'updatedb' or 'locate.updatedb' to create this file."
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : FILE-6412
+ # Description : Checking age of locate database
+#
+#################################################################################
+#
+
+ # Test : FILE-6420
+ # Description : Check automount process
+#
+#################################################################################
+#
+ # Test : FILE-6422
+ # Description : Check automount maps (files or for example LDAP based)
+ # Notes : Warn when automounter is running
+#
+#################################################################################
+#
+ # Test : FILE-6424
+ # Description : Check automount map files
+#
+#################################################################################
+#
+ # Test : FILE-6425
+ # Description : Check mounted files systems via automounter
+ # Notes : Warn when no systems are mounted?
+#
+#################################################################################
+#
+
+
+wait_for_keypress
+
+#
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
diff --git a/include/tests_firewalls b/include/tests_firewalls
new file mode 100644
index 00000000..2b8b32ec
--- /dev/null
+++ b/include/tests_firewalls
@@ -0,0 +1,296 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# Firewalls
+#
+#################################################################################
+#
+ InsertSection "Software: firewalls"
+#
+#################################################################################
+#
+ IPTABLES_ACTIVE=0
+ IPTABLES_INKERNEL_ACTIVE=0
+ IPTABLES_MODULE_ACTIVE=0
+ FIREWALL_ACTIVE=0
+ FIREWALL_SOFTWARE=""
+#
+#################################################################################
+#
+# YYY Improvement needed for iptables to check if kernel modules are used or not.
+# If they are not used and iptables is not found in configuration, no checks should be performed.
+#
+
+ # Test : FIRE-4511
+ # Description : Check iptables kernel module
+ Register --test-no FIRE-4511 --os Linux --weight L --network NO --description "Check iptables kernel module"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FIND=`lsmod | awk '{ print $1 }' | grep "^ip*_tables"`
+ if [ ! "${FIND}" = "" ]; then
+ FIREWALL_ACTIVE=1
+ FIREWALL_SOFTWARE="iptables"
+ IPTABLES_ACTIVE=1
+ IPTABLES_MODULE_ACTIVE=1
+ Display --indent 2 --text "- Checking iptables kernel module" --result FOUND --color GREEN
+ logtext "Result: Found iptables in loaded kernel modules"
+ for I in ${FIND}; do
+ logtext "Found module: ${I}"
+ done
+ else
+ Display --indent 2 --text "- Checking iptables kernel module" --result "NOT FOUND" --color WHITE
+
+ # If we can't find an active module, try to find the Linux configuration file and check that
+ if [ -f /proc/config.gz ]; then
+ LINUXCONFIGFILE="/proc/config.gz"; tCATCMD="zcat";
+ fi
+ sLINUXCONFIGFILE="/boot/config-`uname -r`"
+ if [ -f ${sLINUXCONFIGFILE} ]; then
+ LINUXCONFIGFILE=${sLINUXCONFIGFILE}; tCATCMD="cat";
+ fi
+
+ # If we have a kernel configuration file, use it for testing
+ # Do not perform test if we already found it in kernel module list, to avoid triggered it in the upcoming
+ # tests, when using iptables --list
+ if [ ! "${LINUXCONFIGFILE}" = "" -a -f ${LINUXCONFIGFILE} -a ${IPTABLES_MODULE_ACTIVE} -eq 0 ]; then
+ logtext "Result: found kernel configuration file (${LINUXCONFIGFILE})"
+ FIND=`${tCATCMD} ${LINUXCONFIGFILE} | grep -v '^#' | grep "CONFIG_IP_NF_IPTABLES" | head -n 1`
+ if [ ! "${FIND}" = "" ]; then
+ HAVEMOD=`echo ${FIND} | cut -d '=' -f2`
+ # Do not use iptables if it's compiled as a module (=m), since we already tested for it in the
+ # active list.
+ if [ "${HAVEMOD}" = "y" ]; then
+ logtext "Result: iptables available as a module in the configuration"
+ IPTABLES_ACTIVE=1
+ IPTABLES_INKERNEL_ACTIVE=1
+ FIREWALL_ACTIVE=1
+ FIREWALL_SOFTWARE="iptables"
+ Display --indent 2 --text "- Checking iptables in config file" --result FOUND --color GREEN
+ else
+ logtext "Result: no iptables found in Linux kernel config file"
+ fi
+ else
+ logtext "Result: no Linux configuration file found"
+ Display --indent 2 --text "- Checking iptables in config file" --result "NOT FOUND" --color WHITE
+ fi
+ fi
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : FIRE-4512
+ # Description : Check iptables for empty ruleset
+ if [ ! "${IPTABLESBINARY}" = "" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no FIRE-4512 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --description "Check iptables for empty ruleset"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FIND=`${IPTABLESBINARY} --list --numeric | egrep -v "^(Chain|target|$)" | wc -l | tr -d ' '`
+ if [ "${FIND}" = "0" ]; then
+ # Firewall is active, but clearly needs configuration
+ FIREWALL_ACTIVE=1
+ logtext "Result: iptables ruleset is empty"
+ Display --indent 4 --text "- Checking for empty ruleset" --result WARNING --color RED
+ ReportWarning ${TEST_NO} "L" "iptables module(s) loaded, but no rules active"
+ ReportSuggestion ${TEST_NO} "Disable iptables kernel module if not used or make sure rules are being used"
+ else
+ logtext "Result: one or more rules are available"
+ Display --indent 4 --text "- Checking for empty ruleset" --result OK --color GREEN
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : FIRE-4513
+ # Description : Check iptables for unused rules
+ if [ ! "${IPTABLESBINARY}" = "" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no FIRE-4513 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --description "Check iptables for unused rules"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FIND=`${IPTABLESBINARY} --list --numeric --line-numbers --verbose | awk '{ if ($2=="0") print $1 }' | xargs`
+ if [ "${FIND}" = "" ]; then
+ Display --indent 4 --text "- Checking for unused rules" --result OK --color GREEN
+ logtext "Result: There are no unused rules present"
+ else
+ Display --indent 4 --text "- Checking for unused rules" --result WARNING --color YELLOW
+ logtext "Result: Found one or more possible unused rules"
+ logtext "Description: Unused rules can be a sign that the firewall rules aren't optimized or up-to-date"
+ logtext "Note: Sometimes rules aren't triggered but still in use. Keep this in mind before cleaning up rules."
+ logtext "Output: iptables rule numbers: ${FIND}"
+ #ReportWarning ${TEST_NO} "L" "Found possible unused iptables rules ($FIND)"
+ ReportSuggestion ${TEST_NO} "Check iptables rules to see which rules are currently not used"
+ logtext "Tip: iptables --list --numeric --line-numbers --verbose"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : FIRE-4518
+ # Description : Checking status of pf firewall components
+ Register --test-no FIRE-4518 --weight L --network NO --description "Check pf firewall components"
+ if [ ${SKIPTEST} -eq 0 ]; then
+
+ PFFOUND=0; PFLOGDFOUND=0
+
+ # Check status with pfctl
+ logtext "Test: checking pf status via pfctl"
+ if [ ! "${PFCTLBINARY}" = "" ]; then
+ FIND=`${PFCTLBINARY} -sa 2>&1 | grep "^Status" | head -1 | awk '{ print $2 }'`
+ if [ "${FIND}" = "Enabled" ]; then
+ Display --indent 2 --text "- Checking pf status (pfctl)" --result ENABLED --color GREEN
+ logtext "Result: pf is enabled"
+ PFFOUND=1
+ AddHP 3 3
+ else
+ if [ "${FIND}" = "Disabled" ]; then
+ Display --indent 2 --text "- Checking pf status (pfctl)" --result DISABLED --color RED
+ logtext "Result: pf is disabled"
+ AddHP 0 3
+ else
+ Display --indent 2 --text "- Checking pf status (pfctl)" --result UNKNOWN --color YELLOW
+ ReportException ${TEST_NO} "Unknown status of pf firewall"
+ fi
+ fi
+ fi
+
+ # If we didn't find the status to be enabled, stop searching
+ if [ ${PFFOUND} -eq 1 ]; then
+ # Check for pf kernel module (FreeBSD and similar)
+ logtext "Test: searching for pf kernel module"
+ if [ ! "${KLDSTATBINARY}" = "" ]; then
+ FIND=`${KLDSTATBINARY} | grep 'pf.ko'`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: Can not find pf KLD"
+ else
+ logtext "Result: pf KLD loaded"
+ PFFOUND=1
+ fi
+ else
+ logtext "Result: no kldstat binary, skipping this part"
+ fi
+
+ IsRunning pflogd
+ if [ ${RUNNING} -eq 1 ]; then
+ logtext "Result: found pflog daemon in process list"
+ Display --indent 4 --text "- Checking pflogd status" --result ACTIVE --color GREEN
+ PFFOUND=1
+ PFLOGDFOUND=1
+ else
+ logtext "Result: pflog daemon not found in process list"
+ Display --indent 4 --text "- Checking pflogd status" --result "NOT FOUND" --color YELLOW
+ fi
+ fi
+
+ if [ ${PFFOUND} -eq 1 ]; then
+ FIREWALL_ACTIVE=1
+ FIREWALL_SOFTWARE="pf"
+ else
+ logtext "Result: pf not running on this system"
+ Display --indent 2 --text "- Checking pf" --result "NOT FOUND" --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : FIRE-4520
+ # Description : Check pf configuration consistency
+ if [ ${PFFOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no FIRE-4520 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check pf configuration consistency"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: check /etc/pf.conf"
+ # Test for warnings (-n don't load the rules)
+ if [ -f /etc/pf.conf ]; then
+ logtext "Result: /etc/pf.conf exists"
+ # Check results from pfctl
+ PFWARNINGS=`pfctl -n -f /etc/pf.conf -vvv 2>&1 | grep -i 'warning'`
+ if [ "${PFWARNINGS}" = "" ]; then
+ Display --indent 4 --text "- Checking pf configuration consistency" --result OK --color GREEN
+ logtext "Result: no pf filter warnings found"
+ else
+ Display --indent 4 --text "- Checking pf configuration consistency" --result WARNING --color RED
+ logtext "Result: found one or more warnings in the pf filter rules"
+ ReportWarning ${TEST_NO} "H" "Found one or more warnings in pf configuration file"
+ ReportSuggestion ${TEST_NO} "Run 'pfctl -n -f /etc/pf.conf -vvv' to see available pf warnings"
+ fi
+ else
+ logtext "Result: /etc/pf.conf does NOT exist"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : FIRE-4522
+ # Description : Check ipchains
+#
+#################################################################################
+#
+ # Test : FIRE-4526
+ # Description : Check ipf (Solaris)
+ if [ ! "${IPFBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no FIRE-4526 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check ipf status"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FIND=`${IPFBINARY} -n -V | grep "^Running" | awk '{ print $2 }'`
+ if [ "${FIND}" = "yes" ]; then
+ Display --indent 4 --text "- Checking ipf status" --result RUNNING --color GREEN
+ logtext "Result: ipf is enabled and running"
+ FIREWALL_ACTIVE=1
+ FIREWALL_SOFTWARE="ipf"
+ else
+ Display --indent 4 --text "- Checking ipf status" --result "NOT RUNNING" --color YELLOW
+ logtext "Result: ipf is not running"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : FIRE-4530
+ # Description : Check ipfw
+#
+#################################################################################
+#
+ # Test : FIRE-4590
+ # Description : Check if at least one firewall if active
+ Register --test-no FIRE-4590 --weight L --network NO --description "Check firewall status"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ if [ ${FIREWALL_ACTIVE} -eq 1 ]; then
+ Display --indent 2 --text "- Checking host based firewall" --result ACTIVE --color GREEN
+ logtext "Result: host based firewall or packet filter is active"
+ #YYY add manual item to report
+ report "manual[]=Verify if there is a formal process for testing and applying firewall rules"
+ report "manual[]=verify all traffic is filtered the right way between the different security zones"
+ report "manual[]=verify if a list is available with all required services"
+ # YYY Solaris ipf (determine default policy)
+ report "manual[]=Make sure an explicit deny all is the default policy for all unmatched traffic"
+ AddHP 5 5
+ else
+ Display --indent 2 --text "- Checking host based firewall" --result "NOT ACTIVE" --color YELLOW
+ logtext "Result: no host based firewall/packet filter found or configured"
+ ReportSuggestion ${TEST_NO} "Configure a firewall/packet filter to filter incoming and outgoing traffic"
+ AddHP 0 5
+ fi
+ fi
+#
+#################################################################################
+#
+
+# Report firewall installed for now, if we found one active. Next step would be determining binaries first and apply additional checks.
+report "firewall_installed=${FIREWALL_ACTIVE}"
+report "firewall_active=${FIREWALL_ACTIVE}"
+report "firewall_software=${FIREWALL_SOFTWARE}"
+
+
+wait_for_keypress
+
+#
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
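Review bot: The FIRE-4511 module probe `grep "^ip*_tables"` never matches `ip6_tables`, because `p*` means zero or more `p` characters rather than an optional `6`, so a host that filters only IPv6 through netfilter is reported NOT FOUND and every later iptables test is skipped; `grep -E "^ip6?_tables"` matches both module names. `PFFOUND` is also not initialised with the other flags near the top of this file (unless an earlier include sets it), so when FIRE-4518 is skipped the FIRE-4520 prerequisite `[ ${PFFOUND} -eq 1 ]` expands to a malformed test; add `PFFOUND=0` next to `FIREWALL_ACTIVE=0`. Finally, FIRE-4520 runs a bare `pfctl` instead of `${PFCTLBINARY}`; if the binary is not on PATH the captured "not found" message contains no "warning" text, so the consistency check reports OK rather than failing closed — use `PFWARNINGS=\`${PFCTLBINARY} -n -f /etc/pf.conf -vvv 2>&1 | grep -i 'warning'\`` and treat a non-zero exit from pfctl as a failure in its own right.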
diff --git a/include/tests_hardening b/include/tests_hardening
new file mode 100644
index 00000000..fe59965e
--- /dev/null
+++ b/include/tests_hardening
@@ -0,0 +1,140 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+ InsertSection "Hardening"
+
+ # COMPILER_INSTALLED is initialised before
+ HARDEN_COMPILERS_NEEDED=0
+#
+#################################################################################
+#
+ # Test : HRDN-7220
+ # Description : Check for installed compilers
+ Register --test-no HRDN-7220 --weight L --network NO --description "Check if one or more compilers are installed"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Check if one or more compilers can be found on the system"
+ if [ ${COMPILER_INSTALLED} -eq 0 ]; then
+ logtext "Result: no compilers found"
+ Display --indent 4 --text "- Installed compiler(s)..." --result "NOT FOUND" --color GREEN
+ AddHP 3 3
+ else
+ logtext "Result: found installed compiler. See top of logfile which compilers have been found or use grep to filter on 'compiler'"
+ Display --indent 4 --text "- Installed compiler(s)..." --result "FOUND" --color RED
+ ReportSuggestion ${TEST_NO} "Harden the system by removing unneeded compilers. This can decrease the chance of customized trojans, backdoors and rootkits to be compiled and installed"
+ AddHP 1 3
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : HRDN-7222
+ # Description : Check for permissions of installed compilers
+ Register --test-no HRDN-7222 --weight L --network NO --description "Check compiler permissions"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Check if one or more compilers can be found on the system"
+ HARDEN_COMPILERS_NEEDED=0
+ if [ ${COMPILER_INSTALLED} -eq 0 ]; then
+ logtext "Result: no compilers found"
+ else
+ # as
+ if [ ! "${ASBINARY}" = "" ]; then
+ logtext "Test: Check file permissions for as (Assembler)"
+ IsWorldExecutable ${ASBINARY}
+ if [ ${SYMLINK} -eq 0 ]; then
+ logtext "Binary: ${ASBINARY} (world executable: ${FileIsWorldExecutable})"
+ else
+ logtext "Binary: ${GCCBINARY} (symlinked to: ${sFILE}) (world executable: ${FileIsWorldExecutable})"
+ fi
+ if [ ${FileIsWorldExecutable} = "TRUE" ]; then
+ AddHP 2 3
+ HARDEN_COMPILERS_NEEDED=1
+ else
+ AddHP 3 3
+ fi
+ fi
+ # gcc
+ if [ ! "${GCCBINARY}" = "" ]; then
+ logtext "Test: Check file permissions for GCC compiler"
+ IsWorldExecutable ${GCCBINARY}
+ if [ ${SYMLINK} -eq 0 ]; then
+ logtext "Binary: ${GCCBINARY} (world executable: ${FileIsWorldExecutable})"
+ else
+ logtext "Binary: ${GCCBINARY} (symlinked to: ${sFILE}) (world executable: ${FileIsWorldExecutable})"
+ fi
+ if [ ${FileIsWorldExecutable} = "TRUE" ]; then
+ AddHP 2 3
+ HARDEN_COMPILERS_NEEDED=1
+ else
+ AddHP 3 3
+ fi
+ fi
+ # Report suggestion is one or more compilers can be better hardened
+ if [ ${HARDEN_COMPILERS_NEEDED} -eq 1 ]; then
+ logtext "Result: at least one compiler could be better hardened by restricting executable access to root or group only"
+ ReportSuggestion ${TEST_NO} "Harden compilers and restrict access to world"
+ fi
+
+ #YYY check if compilers have a specific group (like compiler, or NOT root/wheel)
+# Display --indent 4 --text "- Installed compiler(s)..." --result "FOUND" --color RED
+ # /usr/bin/*cc*
+ # /usr/bin/*++*
+ # /usr/bin/ld
+ # (and 700 or 750 permissions)
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : HRDN-7230
+ # Description : Check for installed malware scanners
+ Register --test-no HRDN-7230 --weight L --network NO --description "Check for malware scanner"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Check if one or more compilers can be found on the system"
+ if [ ${MALWARE_SCANNER_INSTALLED} -eq 1 ]; then
+ logtext "Result: found at least one malware scanner"
+ Display --indent 4 --text "- Installed malware scanner..." --result "FOUND" --color GREEN
+ AddHP 3 3
+ else
+ logtext "Result: no malware scanner found"
+ Display --indent 4 --text "- Installed malware scanner..." --result "NOT FOUND" --color RED
+ ReportSuggestion ${TEST_NO} "Harden the system by installing one or malware scanners to perform periodic file system scans"
+ AddHP 1 3
+ fi
+ fi
+#
+#################################################################################
+#
+
+# logtext "--------------------------------------------------------------------"
+# logtext "| System part | Preferred value | Actual value | Points |"
+# logtext "| [!] Compiler installed | 0 | [${COMPILER_INSTALLED}] | x |"
+# logtext "| [V] Malware scanner installed | 1 | [x] | x |"
+# logtext "| [V] Packet filter enabled | 1 | [x] | x |"
+# logtext "--------------------------------------------------------------------"
+# logtext "| [!]: Hardening possible, [V]: Hardening performed, [ ]: Unknown "
+# logtext "--------------------------------------------------------------------"
+
+
+#
+#################################################################################
+#
+
+report "compiler_installed=${COMPILER_INSTALLED}"
+wait_for_keypress
+
+#
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
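Review bot: In HRDN-7222 the symlink branch of the `as` check logs `${GCCBINARY}` instead of the assembler path, so a symlinked `as` shows up in the log as the GCC binary; the line should read `logtext "Binary: ${ASBINARY} (symlinked to: ${sFILE}) (world executable: ${FileIsWorldExecutable})"`. The opening log lines of HRDN-7222 and HRDN-7230 are copied from HRDN-7220 and say "compilers" even though HRDN-7230 looks for malware scanners; `logtext "Test: Check if one or more malware scanners can be found on the system"` keeps the log honest. The HRDN-7230 suggestion string also drops a word ("one or malware scanners") and should say "one or more malware scanners". Note that the permission scoring only covers `as` and `gcc`; the YYY comment already lists `*cc*`, `*++*` and `ld` as unchecked, so a full 3/3 here does not mean every compiler on the host is restricted.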
diff --git a/include/tests_hardening_tools b/include/tests_hardening_tools
new file mode 100644
index 00000000..e4a90a78
--- /dev/null
+++ b/include/tests_hardening_tools
@@ -0,0 +1,52 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# InsertSection "Hardening tools"
+#
+#################################################################################
+#
+ # Checking Solaris Security Toolkit (Jass)
+ # Test : HRDN-7402
+ # Description : Check jass hardening
+ # Register --test-no HRDN-7402 --weight L --network NO --description "Check jass hardening"
+ # if [ ${SKIPTEST} -eq 0 ]; then
+ # if [ -d /opt/SUNWjass -o -d /var/opt/SUNWjass ]; then
+ # logtext "Result: found Solaris Security Toolkit (Jass hardening tool)"
+ # fi
+ #
+#
+#################################################################################
+#
+ # Test : HRDN-7410
+ # Description : Check tiger hardening tool
+#
+#################################################################################
+#
+ # Test : HRDN-7420
+ # Description : Check Bastille Unix hardening tool
+#
+#################################################################################
+#
+ # Checking Solaris Security Toolkit (ASET)
+ # - Automated Security Enhancement Tool
+
+ # AddHP 3 3
+
+#wait_for_keypress
+
+#
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
diff --git a/include/tests_homedirs b/include/tests_homedirs
new file mode 100644
index 00000000..0ec1cad1
--- /dev/null
+++ b/include/tests_homedirs
@@ -0,0 +1,125 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# Home directories
+#
+#################################################################################
+#
+ InsertSection "Home directories"
+#
+#################################################################################
+#
+ # Ignore some top level directories (not the sub directories below)
+ IGNORE_HOME_DIRS="/bin /boot /cdrom /dev /etc /home /lib /lib64 /media /mnt
+ /opt /proc /sbin /selinux /srv /sys /tmp /usr /var"
+
+#
+#################################################################################
+#
+
+ # Test : HOME-9302
+ # Description : Create list with home directories
+ Register --test-no HOME-9302 --weight L --network NO --description "Create list with home directories"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ # Read sixth field of /etc/passwd
+ logtext "Test: query /etc/passwd to obtain home directories"
+ FIND=`${AWKBINARY} -F: '{ if ($1 !~ "#") print $6 }' /etc/passwd | sort | uniq`
+ for I in ${FIND}; do
+ if [ -d ${I} ]; then
+ logtext "Result: found home directory: ${I} (directory exists)"
+ report "home_directory[]=${I}"
+ else
+ logtext "Result: found home directory: ${I} (directory does not exist)"
+ fi
+ done
+ fi
+#
+#################################################################################
+#
+ # Test : HOME-9310
+ # Description : Check for suspicious shell history files
+ Register --test-no HOME-9310 --weight L --network NO --description "Checking for suspicious shell history files"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ if [ ! "${HOMEDIRS}" = "" ]; then
+ if [ "${OS}" = "Solaris" ]; then
+ # Solaris doesn't support -maxdepth
+ FIND=`find ${HOMEDIRS} -name ".*history" -not -type f -print`
+ else
+ FIND=`find ${HOMEDIRS} -maxdepth 1 -name ".*history" -not -type f -print`
+ fi
+ if [ "${FIND}" = "" ]; then
+ Display --indent 2 --text "- Checking shell history files... " --result OK --color GREEN
+ logtext "Result: Ok, history files are type 'file'."
+ else
+ Display --indent 2 --text "- Checking shell history files... " --result WARNING --color RED
+ logtext "Result: the following files seem to be of the wrong file type:"
+ logtext "Output: ${FIND}"
+ logtext "Info: above files could be redirected files to avoid logging and should be investigated"
+ ReportWarning ${TEST_NO} "M" "Incorrect file type found for shell history file"
+ fi
+ logtext "Remarks: ${HOME_HISTORY_LOG_TEXT}"
+ else
+ Display --indent 2 --text "- Checking shell history files... " --result SKIPPED --color WHITE
+ logtext "Result: Homedirs is empty, test will be skipped"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : HOME-9314
+ # Description : Check if non local paths are found in PATH, which can be a risk, but also bad for performance
+ # (like searching on a filer, instead of local disk)
+ #Register --test-no HOME-9314 --weight L --network NO --description "Create list with home directories"
+#
+#################################################################################
+#
+ # Test : HOME-9350
+ # Description : Scan home directories for specific files, used in different tests later
+ # Notes : For performance reasons we combine the scanning of different files, so inode caching is used
+ # as much as possible for every find command
+ # Profile opt : ignore_home_dir (multiple lines allowed), ignores home directory
+ if [ ! "${REPORTFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no HOME-9350 --preqs-met ${PREQS_MET} --weight L --network NO --description "Collecting information from home directories"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ IGNORE_HOME_DIRS=`grep "^config:ignore_home_dir:" ${PROFILE} | awk -F: '{ print $3 }'`
+ if [ "${IGNORE_HOME_DIRS}" = "" ]; then
+ logtext "Result: IGNORE_HOME_DIRS empty, no paths excluded"
+ else
+ logtext "Output: ${IGNORE_HOME_DIRS}"
+ fi
+ fi
+
+ #YYY
+ #echo -n " - Checking PATH variable vulnerabilities... "
+ #
+ #FIND=`find ${HOMEDIRS} -name * | grep -r 'PATH=' | egrep '=.:|:.:|:.;' | grep -v 'CDPATH'`
+ #if [ "${FIND}" = "" ]
+ # then
+ # logtext "Result: Ok, no special things found in the PATH variable"
+ # else
+ # echo "[ ${WARNING}WARNING${NORMAL} ]"
+ # logtext "Warning: Probably found \".\" in the PATH. Details: ${FIND}"
+ #fi
+ #
+#
+#################################################################################
+#
+
+wait_for_keypress
+
+#
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
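Review bot: The Solaris branch of HOME-9310 drops `-maxdepth` but keeps `-not -type f`, and `-not` is a GNU extension rather than POSIX (which spells it `!`), so `FIND=\`find ${HOMEDIRS} -name ".*history" -not -type f -print\`` is likely to fail on the very platform that branch exists for; `! -type f` works on both. Because the failure happens inside backticks, FIND comes back empty and the test reports OK, so a history file that was replaced by a symlink or device node (the evasion this test is meant to catch) would go unreported there. Separately, the profile-derived `IGNORE_HOME_DIRS` in HOME-9350 unconditionally replaces the hard-coded list at the top of the file, and neither value is consumed by any test visible here, so the exclusion list appears to have no effect yet; a comment such as `# YYY IGNORE_HOME_DIRS is collected but not applied by any test` would keep that from being mistaken for working behaviour.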
diff --git a/include/tests_insecure_services b/include/tests_insecure_services
new file mode 100644
index 00000000..8beb913f
--- /dev/null
+++ b/include/tests_insecure_services
@@ -0,0 +1,117 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# Unsecure services
+#
+#################################################################################
+#
+ InsertSection "Insecure services"
+#
+#################################################################################
+#
+ INETD_ACTIVE=0
+ INETD_CONFIG_FILE="/etc/inetd.conf"
+#
+#################################################################################
+#
+ # Test : INSE-8002
+ # Description : Check for inetd status
+ Register --test-no INSE-8002 --weight L --network NO --description "Check for enabled inet daemon"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ # Check running processes
+ logtext "Test: Searching for active inet daemon..."
+ FIND=`${PSBINARY} ax | grep "inetd" | grep -v "grep"`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: inetd is running"
+ Display --indent 2 --text "- Checking inetd status..." --result ACTIVE --color GREEN
+ #YYY perform manual check
+ INETD_ACTIVE=1
+ else
+ logtext "Result: inetd is NOT running"
+ Display --indent 2 --text "- Checking inetd status..." --result "NOT ACTIVE" --color GREEN
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : INSE-8004
+ # Description : Check for inetd configuration file
+ if [ ${INETD_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no INSE-8004 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for enabled inet daemon"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ # Check configuration file
+ logtext "Test: Searching for file ${INETD_CONFIG_FILE}..."
+ if [ -f ${INETD_CONFIG_FILE} ]; then
+ logtext "Result: ${INETD_CONFIG_FILE} exists"
+ Display --indent 4 --text "- Checking inetd.conf..." --result FOUND --color WHITE
+ else
+ logtext "Result: ${INETD_CONFIG_FILE} does not exist"
+ Display --indent 4 --text "- Checking inetd.conf..." --result "NOT FOUND" --color WHITE
+ fi
+ # YYY immutable bit could be set
+ # YYY permission check (already set in profile)
+ fi
+#
+#################################################################################
+#
+ # Test : INSE-8006
+ # Description : Check for inetd configuration file contents if inetd is NOT active
+ if [ ${INETD_ACTIVE} -eq 0 -a -f ${INETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no INSE-8006 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for disabled inet daemon"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ # Check if any service is enabled in /etc/inetd.conf (inetd is not active, see test 8002)
+ logtext "Test: check if all services are disabled if inetd is disabled"
+ FIND=`cat ${INETD_CONFIG_FILE} | grep -v "^#" | grep -v "^$"`
+ if [ "${FIND}" = "" ]; then
+ Display --indent 4 --text "- Checking inetd.conf services..." --result OK --color GREEN
+ else
+ Display --indent 4 --text "- Checking inetd.conf services..." --result SUGGESTION --color YELLOW
+ ReportSuggestion ${TEST_NO} "Although inetd is not running, make sure no services are enabled in ${INETD_CONFIG_FILE}"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : INSE-8016
+ # Description : Check for telnet enabled via inetd
+ if [ ${INETD_ACTIVE} -eq 1 -a -f ${INETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no INSE-8016 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for telnet via inetd"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: checking telnet presence in inetd configuration"
+ FIND=`grep "^telnet" ${INETD_CONFIG_FILE}`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: telnet not enabled in ${INETD_CONFIG_FILE}"
+ Display --indent 2 --text "- Checking inetd (telnet)..." --result FOUND --color GREEN
+ else
+ logtext "Result: telnet enabled in ${INETD_CONFIG_FILE}"
+ Display --indent 2 --text "- Checking inetd (telnet)..." --result WARNING --color RED
+ fi
+ fi
+#
+#################################################################################
+#
+# Check telnet in /etc/xinetd.conf
+# Check telnet in /etc/xinetd/*
+# Check running telnet daemon (telnetd)
+# rshd rlogin rexec
+# /etc/hosts.equiv
+
+
+wait_for_keypress
+
+#
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
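Review bot: INSE-8016 labels its negative case backwards: when no `^telnet` line is found, the Display call reports `--result FOUND --color GREEN`, while the branch that does find telnet shows WARNING on screen but never calls ReportWarning or AddHP, so the finding never reaches the report. Change the first to `Display --indent 2 --text "- Checking inetd (telnet)..." --result "NOT FOUND" --color GREEN` and add `ReportWarning ${TEST_NO} "M" "Telnet is enabled in ${INETD_CONFIG_FILE}"` to the else branch. Also, INSE-8002's `${PSBINARY} ax | grep "inetd" | grep -v "grep"` matches any process whose command line contains that substring (xinetd, or an editor open on inetd.conf), so INETD_ACTIVE=1 can be set with no inetd running, which then steers the prerequisites of INSE-8004/8006/8016; matching on the process name field rather than the whole line would make that more reliable.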
diff --git a/include/tests_kernel b/include/tests_kernel
new file mode 100644
index 00000000..a0107973
--- /dev/null
+++ b/include/tests_kernel
@@ -0,0 +1,458 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# Kernel
+#
+#################################################################################
+#
+ InsertSection "Kernel"
+#
+#################################################################################
+#
+ CORE_DUMPS_DISABLED=0
+ CPU_PAE=0
+ CPU_NX=0
+#
+#################################################################################
+#
+ # Test : KRNL-5622
+ # Description : Check default run level on Linux machines
+ Register --test-no KRNL-5622 --os Linux --weight L --network NO --description "Determine Linux default run level"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ # Checking if we can find the systemd default target
+ logtext "Test: Checking for systemd default.target"
+ if [ -L /etc/systemd/system/default.target ]; then
+ logtext "Result: symlink found"
+ if [ ! "${READLINKBINARY}" = "" ]; then
+ FIND=`${READLINKBINARY} /etc/systemd/system/default.target`
+ if [ "${FIND}" = "" ]; then
+ logtext "Exception: can't find the target of the symlink of /etc/systemd/system/default.target"
+ ReportException "${TEST_NO}:01"
+ else
+ FIND2=`echo ${FIND} | egrep "runlevel5|graphical"`
+ if [ ! "${FIND2}" = "" ]; then
+ logtext "Result: Found match on runlevel5/graphical"
+ Display --indent 2 --text "- Checking default runlevel..." --result "runlevel 5" --color GREEN
+ report "linux_default_runlevel=5"
+ else
+ logtext "Result: No match found on runlevel, defaulting to runlevel 3"
+ Display --indent 2 --text "- Checking default runlevel..." --result "runlevel 3" --color GREEN
+ report "linux_default_runlevel=3"
+ fi
+ fi
+ else
+ logtext "Result: No readlink binary, can't determine where symlink is pointing to"
+ Display --indent 2 --text "- Checking default run level" --result UNKNOWN --color YELLOW
+ fi
+ else
+ logtext "Result: no systemd found, so trying inittab"
+ logtext "Test: Checking /etc/inittab"
+ if [ -f /etc/inittab ]; then
+ logtext "Result: file /etc/inittab found"
+ logtext "Test: Checking default Linux run level..."
+ FIND=`awk -F: '/^id/ { print $2; }' /etc/inittab | head -n 1`
+ if [ "${FIND}" = "" ]; then
+ Display --indent 2 --text "- Checking default runlevel" --result UNKNOWN --color YELLOW
+ logtext "Result: Can't determine default run level from /etc/inittab"
+ else
+ Display --indent 2 --text "- Checking default run level..." --result "${FIND}" --color GREEN
+ logtext "Found default run level '${FIND}'"
+ report "linux_default_runlevel=${FIND}"
+ fi
+ else
+ logtext "Result: file /etc/inittab not found"
+ if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then
+ logtext "Test: Checking run level with who -r, for Debian based systems"
+ FIND=`who -r | awk '{ if ($1=="run-level") { print $2 } }'`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: Found default run level '${FIND}'"
+ report "linux_default_runlevel=${FIND}"
+ Display --indent 2 --text "- Checking default run level..." --result "RUNLEVEL ${FIND}" --color GREEN
+ else
+ logtext "Result: Can't determine default run level from who -r"
+ Display --indent 2 --text "- Checking default run level..." --result UNKNOWN --color YELLOW
+ fi
+ fi
+ fi
+ fi
+ fi
+#
+#################################################################################
+#
+
+ # Test : KRNL-5677
+ # Description : Check CPU options and support (PAE, No eXecute, eXecute Disable)
+ # More info : pae and nx bit are both visible on AMD and Intel CPU's if supported
+ Register --test-no KRNL-5677 --os Linux --weight L --network NO --description "Check CPU options and support"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ Display --indent 2 --text "- Checking CPU support (NX/PAE)"
+ logtext "Test: Checking /proc/cpuinfo..."
+ if [ -f /proc/cpuinfo ]; then
+ logtext "Result: found /proc/cpuinfo"
+ logtext "Test: Checking CPU options (XD/NX/PAE)..."
+ FIND_PAE_NX=`cat /proc/cpuinfo | grep " pae " | grep " nx "`
+ FIND_PAE=`cat /proc/cpuinfo | grep " pae "`
+ FIND_NX=`cat /proc/cpuinfo | grep " nx "`
+ FOUND=0
+ if [ ! "${FIND_PAE_NX}" = "" ]; then
+ logtext "PAE: Yes"
+ logtext "NX: Yes"
+ CPU_PAE=1
+ CPU_NX=1
+ logtext "Result: PAE or No eXecute option(s) both found"
+ report "cpu_pae=1"
+ report "cpu_nx=1"
+ FOUND=1
+ else
+ if [ ! "${FIND_PAE}" = "" -a "${FIND_NX}" = "" ]; then
+ report "cpu_pae=1"
+ logtext "Result: found PAE"
+ CPU_PAE=1
+ FOUND=1
+ else
+ if [ ! "${FIND_NX}" = "" -a "${FIND_PAE}" = "" ]; then
+ report "cpu_nx=1"
+ logtext "Result: found No eXecute"
+ CPU_NX=1
+ FOUND=1
+ else
+ logtext "Result: found no CPU options enabled (PAE or NX bit)"
+ fi
+ fi
+ fi
+ if [ ${FOUND} -eq 1 ]; then
+ Display --indent 4 --text "CPU support: PAE and/or NoeXecute supported" --result FOUND --color GREEN
+ else
+ Display --indent 4 --text "CPU support: No PAE or NoeXecute supported" --result NONE --color YELLOW
+ ReportSuggestion ${TEST_NO} "Use a PAE enabled kernel when possible to gain native No eXecute/eXecute Disable support"
+ fi
+ else
+ Display --indent 4 --text "CPU support: no /proc/cpuinfo" --result SKIPPED --color YELLOW
+ logtext "Result: /proc/cpuinfo not found"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : KRNL-5680
+ # Description : Check if installed kernel has PAE support
+ # Dependency : KRNL-5677
+ # More info : RedHat/CentOS/Fedora uses the package name 'kernel-PAE'
+#
+#################################################################################
+#
+ # Test : KRNL-5695
+ # Description : Determining Linux kernel version and release number
+ Register --test-no KRNL-5695 --os Linux --weight L --network NO --description "Determine Linux kernel version and release number"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ # Kernel number (and suffix)
+ LINUX_KERNEL_RELEASE=`uname -r`
+ report "linux_kernel_release=${LINUX_KERNEL_RELEASE}"
+ logtext "Result: found kernel release ${LINUX_KERNEL_RELEASE}"
+ # Type and build date
+ LINUX_KERNEL_VERSION=`uname -v`
+ report "linux_kernel_version=${LINUX_KERNEL_VERSION}"
+ logtext "Result: found kernel version ${LINUX_KERNEL_VERSION}"
+ Display --indent 2 --text "- Checking kernel version and release" --result DONE --color GREEN
+ fi
+#
+#################################################################################
+#
+ # Test : KRNL-5723
+ # Description : Check if Linux is build as a monolithic kernel or not
+ Register --test-no KRNL-5723 --os Linux --weight L --network NO --description "Determining if Linux kernel is monolithic"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ if [ ! "${LSMODBINARY}" = "" ]; then
+ logtext "Test: checking if kernel is monolithic or modular"
+ # Checking if any modules are loaded
+ FIND=`${LSMODBINARY} | grep -v "^Module" | wc -l | tr -s ' ' | tr -d ' '`
+ Display --indent 2 --text "- Checking kernel type" --result DONE --color GREEN
+ if [ "${FIND}" = "0" ]; then
+ logtext "Result: Found monolithic kernel"
+ report "linux_kernel_type=monolithic"
+ MONOLITHIC_KERNEL=1
+ else
+ logtext "Result: Found modular kernel"
+ report "linux_kernel_type=modular"
+ MONOLITHIC_KERNEL=0
+ fi
+ else
+ logtext "Test skipped, no lsmod binary found"
+ # Exception?
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : KRNL-5726
+ # Description : Checking Linux loaded kernel modules
+ Register --test-no KRNL-5726 --os Linux --weight L --network NO --description "Checking Linux loaded kernel modules"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ if [ ! "${LSMODBINARY}" = "" ]; then
+ FIND=`lsmod | awk '{ if ($1!="Module") print $1 }' | sort`
+ Display --indent 2 --text "- Checking loaded kernel modules" --result DONE --color GREEN
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Loaded modules according lsmod:"
+ N=0
+ for I in ${FIND}; do
+ logtext "Loaded module: ${I}"
+ report "loaded_kernel_module[]=${I}"
+ N=`expr ${N} + 1`
+ done
+ Display --indent 6 --text "Found ${N} active modules"
+ else
+ logtext "Result: no loaded modules found"
+ logtext "Notice: No loaded kernel modules could indicate a broken/malformed lsmod, or a (custom) monolithic kernel"
+ fi
+ else
+ logtext "Test skipped, no lsmod binary found"
+ # Exception?
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : KRNL-5728
+ # Description : Checking for available Linux kernel configuration file in /boot
+ Register --test-no KRNL-5728 --os Linux --weight L --network NO --description "Checking Linux kernel config"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ LINUXCONFIGFILE="/boot/config-`uname -r`"
+ if [ -f ${LINUXCONFIGFILE} ]; then
+ logtext "Result: found config (${LINUXCONFIGFILE})"
+ Display --indent 2 --text "- Checking Linux kernel configuration file" --result FOUND --color GREEN
+ else
+ logtext "Result: no Linux kernel configuration file found in /boot"
+ Display --indent 2 --text "- Checking Linux kernel configuration file" --result "NOT FOUND" --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : KRNL-5730
+ # Description : Checking default I/O kernel scheduler
+ PREQS_MET="NO"
+ if [ ! "${LINUXCONFIGFILE}" = "" ]; then
+ if [ -f ${LINUXCONFIGFILE} ]; then PREQS_MET="YES"; fi
+ fi
+ Register --test-no KRNL-5730 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking disk I/O kernel scheduler"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking the default I/O kernel scheduler"
+ LINUX_KERNEL_IOSCHED=`${GREPBINARY} "CONFIG_DEFAULT_IOSCHED" ${LINUXCONFIGFILE} | awk -F= '{ print $2 }' | sed s/\"//g`
+ if [ ! "${LINUX_KERNEL_IOSCHED}" = "" ]; then
+ logtext "Result: found [${LINUX_KERNEL_IOSCHED}]"
+ Display --indent 2 --text "- Checking default I/O kernel scheduler" --result FOUND --color GREEN
+ report "linux_kernel_io_scheduler[]=${LINUX_KERNEL_IOSCHED}"
+ else
+ logtext "Result: no default i/o kernel scheduler found"
+ Display --indent 2 --text "- Checking default I/O kernel scheduler" --result "NOT FOUND" --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+# YYY Check for kernel options
+#
+#################################################################################
+#
+ # Test : KRNL-5745
+ # Description : Checking FreeBSD loaded kernel modules
+ Register --test-no KRNL-5745 --os FreeBSD --weight L --network NO --description "Checking FreeBSD loaded kernel modules"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ Display --indent 2 --text "- Checking active kernel modules..."
+ logtext "Test: ${KERNEL_ACTIVE_MODULES_TITLE}"
+ logtext "Description: ${KERNEL_ACTIVE_MODULES_DESCRIPTION}"
+ logtext "Action: Checking modules"
+ if [ -f /sbin/kldstat ]; then
+ FIND=`kldstat | grep -v 'Name' | tr -s ' ' | cut -d ' ' -f6`
+ if [ $? -eq 0 ]; then
+ logtext "Loaded modules according kldstat:"
+ N=0
+ for I in ${FIND}; do
+ logtext "Loaded module: ${I}"
+ report "loaded_kernel_module[]=${I}"
+ N=`expr ${N} + 1`
+ done
+ Display --indent 4 --text "Found ${N} kernel modules" --result DONE --color GREEN
+ else
+ Display --indent 4 --text "Test failed" --result WARNING --color RED
+ logtext "Result: Problem with executing kldstat"
+ fi
+ else
+ echo "[ ${WHITE}SKIPPED${NORMAL} ]"
+ logtext "Result: no results, can't find /sbin/kldstat"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : KRNL-5770
+ # Description : Checking Solaris load modules
+ Register --test-no KRNL-5770 --os Solaris --weight L --network NO --description "Checking active kernel modules"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: searching loaded kernel modules"
+ FIND=`modinfo -c -w | grep -v "UNLOADED" | grep LOADED | awk '{ print $3 }' | sort`
+ if [ ! "${FIND}" = "" ]; then
+ for I in ${FIND}; do
+ logtext "Found module: ${I}"
+ report "loaded_kernel_module[]=${I}"
+ done
+ Display --indent 2 --text "- Checking Solaris active kernel modules" --result DONE --color GREEN
+ else
+ logtext "Result: no output"
+ Display --indent 2 --text "- Checking Solaris active kernel modules" --result UNKNOWN --color YELLOW
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : KRNL-5788
+ # Description : Checking availability new kernel
+ if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no KRNL-5788 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking availability new Linux kernel"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Searching apt-cache, to determine if a newer kernel is available"
+ if [ -x /usr/bin/apt-cache ]; then
+ logtext "Result: found /usr/bin/apt-cache"
+ # YYY Test for presence /usr/bin/apt-cache and dpkg
+ logtext "Test: checking readlink location of /vmlinuz"
+ FINDKERNFILE=`readlink -f /vmlinuz`
+ logtext "Output: readlink reported file ${FINDKERNFILE}"
+ logtext "Test: checking package from dpkg -S"
+ FINDKERNEL=`dpkg -S ${FINDKERNFILE} 2> /dev/null | awk -F : '{print $1}'`
+ logtext "Output: dpkg -S reported package ${FINDKERNEL}"
+ logtext "Test: Using apt-cache policy to determine if there is an update available"
+ FINDINST=`apt-cache policy ${FINDKERNEL} | egrep 'Installed' | cut -d ':' -f2 | tr -d ' '`
+ FINDCAND=`apt-cache policy ${FINDKERNEL} | egrep 'Candidate' | cut -d ':' -f2 | tr -d ' '`
+ logtext "Kernel installed: ${FINDINST}"
+ logtext "Kernel candidate: ${FINDCAND}"
+ if [ "${FINDINST}" = "" ]; then
+ Display --indent 2 --text "- Checking for available kernel update... " --result UNKNOWN --color YELLOW
+ logtext "Result: Exception occured, no output from apt-cache policy"
+ ReportException "${TEST_NO}:01"
+ logtext "Exception: apt-cache policy did not return an installed kernel version"
+ ReportSuggestion ${TEST_NO} "Check the output of apt-cache policy manually to determine why output is empty"
+ else
+ if [ "${FINDINST}" = "${FINDCAND}" ]; then
+ Display --indent 2 --text "- Checking for available kernel update... " --result OK --color GREEN
+ logtext "Result: no kernel update available"
+ else
+ Display --indent 2 --text "- Checking for available kernel update... " --result "UPDATE AVAILABLE" --color YELLOW
+ logtext "Result: kernel update available according 'apt-cache policy'."
+ ReportSuggestion ${TEST_NO} "Determine priority for available kernel update"
+ fi
+ fi
+ else
+ logtext "Result: could NOT find /usr/bin/apt-cache, skipped other tests."
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : KRNL-5820
+ # Description : Checking core dumps configuration (Linux)
+ Register --test-no KRNL-5820 --os Linux --weight L --network NO --description "Checking core dumps configuration"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking presence /etc/security/limits.conf"
+ if [ -f /etc/security/limits.conf ]; then
+ logtext "Result: file /etc/security/limits.conf exists"
+ logtext "Test: Checking if core dumps are disabled in /etc/security/limits.conf"
+ FIND1=`cat /etc/security/limits.conf | grep -v "^#" | grep -v "^$" | awk '{ if ($1=="*" && $2=="soft" && $3=="core") { print "soft core enabled" } }'`
+ FIND2=`cat /etc/security/limits.conf | grep -v "^#" | grep -v "^$" | awk '{ if ($1=="*" && $2=="hard" && $3=="core") { print "hard core enabled" } }'`
+ if [ "${FIND1}" = "soft core enabled" -o "${FIND2}" = "hard core enabled" ]; then
+ logtext "Result: core dumps (soft or hard) are enabled"
+ Display --indent 2 --text "- Checking core dumps configuration... " --result ENABLED --color YELLOW
+ #YYY suggestion
+ AddHP 1 2
+ else
+ logtext "Result: core dumps (soft and hard) are both disabled"
+ Display --indent 2 --text "- Checking core dumps configuration... " --result DISABLED --color GREEN
+ CORE_DUMPS_DISABLED=1
+ AddHP 3 3
+ fi
+
+ # Sysctl option
+ logtext "Test: Checking sysctl value of fs.suid_dumpable"
+ FIND=`${SYSCTLBINARY} fs.suid_dumpable 2> /dev/null | awk '{ if ($1=="fs.suid_dumpable") { print $3 } }'`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: value ${FIND} found"
+ else
+ logtext "Result: sysctl key fs.suid_dumpable not found"
+ fi
+ if [ "${FIND}" = "2" ]; then
+ logtext "Result: programs can dump core dump, but only readable by root (value 2, for debugging with file protection)"
+ Display --indent 4 --text "- Checking setuid core dumps configuration... " --result PROTECTED --color GREEN
+ AddHP 1 1
+ elif [ "${FIND}" = "1" ]; then
+ logtext "Result: all programs can perform core dumps (value 1, for debugging)"
+ Display --indent 2 --text "- Checking setuid core dumps configuration... " --result DEBUG --color YELLOW
+ ReportSuggestion ${TEST_NO} "Determine if really all binaries need to be able to core dump"
+ AddHP 0 1
+ else
+ logtext "Result: found default option, some programs can dump (not processes which need to change credentials)"
+ Display --indent 4 --text "- Checking setuid core dumps configuration... " --result DEFAULT --color YELLOW
+ AddHP 1 1
+ fi
+ # Check ulimit settings and harden it
+ # echo 'ulimit -S -c 0 > /dev/null 2>&1' >> /etc/profile
+ else
+ logtext "Result: file /etc/security/limits.conf does not exist, skipping test"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : KRNL-5826
+ # Description : Checking core dumps configuration (Solaris)
+ #Register --test-no KRNL-5826 --os Linux --weight L --network NO --description "Checking core dumps configuration"
+ #if [ ${SKIPTEST} -eq 0 ]; then
+#
+#################################################################################
+#
+ # Test : KRNL-5830
+ # Description : Check if system needs a reboot (Debian based)
+ Register --test-no KRNL-5830 --weight L --network NO --description "Checking core dumps configuration"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FILE="/var/run/reboot-required.pkgs"
+ logtext "Test: Checking presence ${FILE}"
+ if [ -f ${FILE} ]; then
+ logtext "Result: file ${FILE} exists"
+ FIND=`cat ${FILE}`
+ if [ "${FIND}" = "" ]; then
+ Display --indent 2 --text "- Check if reboot is needed" --result NO --color GREEN
+ AddHP 5 5
+ else
+ PKGSCOUNT=`cat ${FILE} | wc -l`
+ Display --indent 2 --text "- Check if reboot is needed" --result YES --color RED
+ ReportWarning ${TEST_NO} "H" "Reboot of system is needed"
+ logtext "Result: reboot is needed, related to ${PKGSCOUNT} packages"
+ for I in ${FIND}; do
+ logtext "Package: ${I}"
+ done
+ AddHP 0 5
+ fi
+ else
+ logtext "Result: file ${FILE} not found, skipping further testing"
+ fi
+ fi
+#
+#################################################################################
+#
+
+wait_for_keypress
+
+#
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - http://cisofy.com - The Netherlands
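Review bot: KRNL-5820's limits.conf check never looks at the limit value: the awk behind `FIND1=` and `FIND2=` prints "... core enabled" whenever a `* soft core` or `* hard core` line exists, so a hardened `* hard core 0` entry is reported ENABLED and scored 1/2, while a file with no core entry at all is reported DISABLED and scored 3/3. The match should require `$4=="0"` and treat only a hard limit of 0 as disabling (a soft limit can be raised again by the user); the rewrite below keeps the Display and AddHP calls and changes only what is matched. In the same test the sysctl branch `if [ "${FIND}" = "" ]; then logtext "Result: value ${FIND} found"` is inverted, logging "value found" for the empty case and "not found" otherwise, so the two logtext lines should be swapped. Also, KRNL-5830's Register description still reads "Checking core dumps configuration", copied from KRNL-5820, and KRNL-5726 calls `lsmod` directly instead of the `${LSMODBINARY}` it has just tested for.
```shell
            logtext "Test: Checking if core dumps are disabled in /etc/security/limits.conf"
            FIND1=`cat /etc/security/limits.conf | grep -v "^#" | grep -v "^$" | awk '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="0") { print "soft core disabled" } }'`
            FIND2=`cat /etc/security/limits.conf | grep -v "^#" | grep -v "^$" | awk '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="0") { print "hard core disabled" } }'`
            # Only a hard limit of 0 stops a user from raising the limit again
            if [ "${FIND2}" = "hard core disabled" ]; then
                logtext "Result: core dumps are disabled by a hard limit of 0"
                Display --indent 2 --text "- Checking core dumps configuration... " --result DISABLED --color GREEN
                CORE_DUMPS_DISABLED=1
                AddHP 3 3
            else
                logtext "Result: no '* hard core 0' entry found, core dumps may be enabled"
                Display --indent 2 --text "- Checking core dumps configuration... " --result ENABLED --color YELLOW
                AddHP 1 2
            fi
            # … unchanged: sysctl fs.suid_dumpable check …
```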
diff --git a/include/tests_kernel_hardening b/include/tests_kernel_hardening
new file mode 100644
index 00000000..b50e5978
--- /dev/null
+++ b/include/tests_kernel_hardening
@@ -0,0 +1,69 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# Kernel
+#
+#################################################################################
+#
+ InsertSection "Kernel Hardening"
+#
+#################################################################################
+#
+ # Test : KRNL-6000
+ # Description : Check sysctl parameters
+ # Sysctl : net.ipv4.icmp_ingore_bogus_error_responses (=1)
+ if [ ! "${SYSCTL_READKEY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no KRNL-6000 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check sysctl key pairs in scan profile"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ N=0
+ Display --indent 2 --text "- Comparing sysctl key pairs with scan profile..."
+ FIND=`grep "^sysctl:" ${PROFILE} | sed 's/ /:space:/g'`
+ for I in ${FIND}; do
+ tFINDkey=`echo ${I} | awk -F: '{ print $2 }'`
+ tFINDexpvalue=`echo ${I} | awk -F: '{ print $3 }'`
+ tFINDhp=`echo ${I} | awk -F: '{ print $4 }' | grep "[0-9]"`
+ tFINDdesc=`echo ${I} | awk -F: '{ print $5 }' | sed 's/:space:/ /g'`
+ tFINDcurvalue=`${SYSCTL_READKEY} ${tFINDkey} 2> /dev/null`
+ if [ ! "${tFINDcurvalue}" = "" ]; then
+ if [ "${tFINDexpvalue}" = "${tFINDcurvalue}" ]; then
+ logtext "Result: sysctl key ${tFINDkey} contains equal expected and current value (${tFINDexpvalue})"
+ Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result OK --color GREEN
+ AddHP ${tFINDhp} ${tFINDhp}
+ else
+ logtext "Result: sysctl key ${tFINDkey} has a different value than expected in scan profile. Expected=${tFINDexpvalue}, Real=${tFINDcurvalue}"
+ Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result DIFFERENT --color RED
+ AddHP 0 ${tFINDhp}
+ N=1
+ fi
+ else
+ logtext "Result: key ${tFINDkey} does not exist on this machine"
+ fi
+ done
+
+ # Add suggestion if one or more sysctls have a different value than scan profile
+ if [ ${N} -eq 1 ]; then
+ ReportSuggestion ${TEST_NO} "One or more sysctl values differ from the scan profile and could be tweaked"
+ fi
+ fi
+#
+#################################################################################
+#
+
+wait_for_keypress
+
+#
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - http://cisofy.com - The Netherlands
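Review bot: `tFINDhp` in KRNL-6000 can end up empty, because `grep "[0-9]"` only requires a digit somewhere in the fourth profile field, so a `sysctl:` line with a missing or non-numeric hardening-points field leaves both `AddHP ${tFINDhp} ${tFINDhp}` and `AddHP 0 ${tFINDhp}` with too few arguments. Validate the field as a whole number and fall back to a default, e.g. `tFINDhp=$(echo ${I} | awk -F: '{ print $4 }' | grep "^[0-9][0-9]*$")` followed by `if [ "${tFINDhp}" = "" ]; then tFINDhp=0; fi`, and log the malformed profile line so the profile author can correct it. The header comment above the test spells the key as `icmp_ingore_bogus_error_responses`; the kernel's spelling is `icmp_ignore_bogus_error_responses`.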
diff --git a/include/tests_ldap b/include/tests_ldap
new file mode 100644
index 00000000..d41cd496
--- /dev/null
+++ b/include/tests_ldap
@@ -0,0 +1,105 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# LDAP Services
+#
+#################################################################################
+#
+ InsertSection "LDAP Services"
+#
+#################################################################################
+#
+ SLAPD_CONF_LOCS="/etc/ldap /etc/openldap /usr/local/etc/openldap"
+ SLAPD_CONF_LOCATION=""
+ SLAPD_RUNNING=0
+#
+#################################################################################
+#
+ # Test : LDAP-2219
+ # Description : Check running OpenLDAP instance
+ Register --test-no LDAP-2219 --weight L --network NO --description "Check running OpenLDAP instance"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ #YYY add additional slash
+ FIND=`${PSBINARY} ax | grep "slapd" | grep -v "grep"`
+ if [ "${FIND}" = "" ]; then
+ Display --indent 2 --text "- Checking OpenLDAP instance..." --result "NOT FOUND" --color WHITE
+ logtext "Result: No running slapd process found."
+ else
+ Display --indent 2 --text "- Checking OpenLDAP instance..." --result FOUND --color GREEN
+ logtext "Result: Found running slapd process"
+ SLAPDFOUND=1
+ SLAPD_RUNNING=1
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : LDAP-2224
+ # Description : Search slapd.conf
+ if [ ${SLAPD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no LDAP-2224 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check presence slapd.conf"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Searching slapd.conf"
+ for I in ${SLAPD_CONF_LOCS}; do
+ if [ -f ${I}/slapd.conf ]; then
+ logtext "Result: found ${I}/slapd.conf"
+ SLAPD_CONF_LOCATION="${I}/slapd.conf"
+ else
+ logtext "Result: ${I} does not contain slapd.conf"
+ fi
+ done
+ # Check if we found a valid location
+ if [ ! "${SLAPD_CONF_LOCATION}" = "" ]; then
+ Display --indent 4 --text "- Checking slapd.conf..." --result FOUND --color GREEN
+ else
+ Display --indent 4 --text "- Checking slapd.conf..." --result "NOT FOUND" --color YELLOW
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : LDAP-2228
+ # Description : Check OpenLDAP slapd.conf file permissions
+#
+#################################################################################
+#
+ # Test : LDAP-2232
+ # Description : Check OpenLDAP ownership on files/directories
+#
+#################################################################################
+#
+ # Test : LDAP-2236
+ # Description : Check OpenLDAP database permissions
+#
+#################################################################################
+#
+ # Test : LDAP-2240
+ # Description : Check OpenLDAP unencrypted RootDN password
+#
+#################################################################################
+#
+ # Test : LDAP-2244
+ # Description : Check for LDAP configured client (and inform about LDAPS)
+#
+#################################################################################
+#
+
+
+wait_for_keypress
+
+#
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
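Review bot: `SLAPDFOUND=1` in LDAP-2219 is assigned but never declared alongside the other defaults (`SLAPD_CONF_LOCS`, `SLAPD_CONF_LOCATION`, `SLAPD_RUNNING`) and nothing in this file reads it, so it duplicates `SLAPD_RUNNING`; either drop it or initialise it as `SLAPDFOUND=0` next to the other defaults. `SLAPD_CONF_LOCATION` is likewise filled in by LDAP-2224 but not consumed by any test here, since LDAP-2228 through LDAP-2244 are headings only, so a comment such as `# Consumed by LDAP-2228 onwards once those tests are implemented` would record the intent. Because LDAP-2224 is gated on `SLAPD_RUNNING`, a slapd.conf on a host where the daemon happens to be stopped at scan time is never located, and the planned permission and RootDN password checks would inherit that gap; keying the prerequisite on the presence of the configuration directories would avoid it.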
diff --git a/include/tests_logging b/include/tests_logging
new file mode 100644
index 00000000..3080cc92
--- /dev/null
+++ b/include/tests_logging
@@ -0,0 +1,482 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# Logging and related files
+#
+#################################################################################
+#
+ LOG_FILES_LOCS="/var/log /var/adm"
+ LOGROTATE_CONFIG_FOUND=0
+ LOGROTATE_TOOL=""
+ METALOG_RUNNING=0
+ RFC3195D_RUNNING=0
+ RSYSLOG_RUNNING=0
+ SOLARIS_LOGHOST_FOUND=0
+ SYSLOG_DAEMON_PRESENT=0
+ SYSLOG_DAEMON_RUNNING=0
+ SYSLOG_NG_RUNNING=0
+ #YYY (extend support for systemd journal)
+ SYSTEMD_JOURNAL_RUNNING=0
+#
+#################################################################################
+#
+
+ InsertSection "Logging and files"
+
+ # Test : LOGG-2130
+ # Description : Check for a running syslog daemon
+ # Notes : Log which syslog daemon is found YYY
+ Register --test-no LOGG-2130 --weight L --network NO --description "Check for running syslog daemon"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Searching for a logging daemon... "
+ FIND=`${PSBINARY} ax | egrep "syslogd|syslog-ng|metalog|systemd-journal" | grep -v "grep"`
+ if [ "${FIND}" = "" ]; then
+ Display --indent 2 --text "- Checking for a running log daemon..." --result WARNING --color RED
+ logtext "Result: Could not find a syslog daemon like syslog, syslog-ng, rsyslog, metalog, systemd-journal"
+ ReportSuggestion ${TEST_NO} "Check if any syslog daemon is running and correctly configured."
+ ReportWarning ${TEST_NO} "H" "No syslog daemon found"
+ AddHP 0 3
+ else
+ Display --indent 2 --text "- Checking for a running log daemon..." --result OK --color GREEN
+ logtext "Result: Found a logging daemon"
+ SYSLOG_DAEMON_PRESENT=1
+ SYSLOG_DAEMON_RUNNING=1
+ AddHP 3 3
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : LOGG-2132
+ # Description : Check for a running syslog-ng daemon
+ Register --test-no LOGG-2132 --weight L --network NO --description "Check for running syslog-ng daemon"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Searching for syslog-ng daemon in process list... "
+ FIND=`${PSBINARY} ax | grep "/syslog-ng" | grep -v "grep"`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: Found syslog-ng in process list"
+ Display --indent 4 --text "- Checking Syslog-NG status" --result FOUND --color GREEN
+ SYSLOG_DAEMON_PRESENT=1
+ SYSLOG_NG_RUNNING=1
+ else
+ logtext "Result: Syslog-ng NOT found in process list"
+ Display --indent 4 --text "- Checking Syslog-NG status" --result "NOT FOUND" --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : LOGG-2134
+ # Description : Check for Syslog-NG configuration file consistency
+ if [ ! "${SYSLOGNGBINARY}" = "" -a ${SYSLOG_NG_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no LOGG-2134 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking Syslog-NG configuration file consistency"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FIND=`${SYSLOGNGBINARY} -s; echo $?`
+ if [ "${FIND}" = "0" ]; then
+ logtext "Result: Syslog-NG configuration file seems to be consistent"
+ Display --indent 6 --text "- Checking Syslog-NG consistency" --result OK --color GREEN
+ else
+ logtext "Result: Syslog-NG configuration file seems NOT to be consistent"
+ Display --indent 6 --text "- Checking Syslog-NG consistency" --result WARNING --color RED
+ ReportWarning ${TEST_NO} "L" "Found one or more problems in Syslog-NG configuration file"
+ ReportSuggestion ${TEST_NO} "Check the Syslog-NG configuration file and/or run a manual consistency check with: syslog-ng -s"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : LOGG-2210
+ # Description : Check for a running metalog daemon
+ Register --test-no LOGG-2210 --weight L --network NO --description "Check for running metalog daemon"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Searching for metalog daemon in process list... "
+ FIND=`${PSBINARY} ax | grep "metalog" | grep -v "grep"`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: Found metalog in process list"
+ Display --indent 4 --text "- Checking Metalog status" --result FOUND --color GREEN
+ SYSLOG_DAEMON_PRESENT=1
+ METALOG_RUNNING=1
+ else
+ logtext "Result: metalog NOT found in process list"
+ Display --indent 4 --text "- Checking Metalog status" --result "NOT FOUND" --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : LOGG-2230
+ # Description : Check for a running rsyslog daemon
+ Register --test-no LOGG-2230 --weight L --network NO --description "Check for running RSyslog daemon"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Searching for RSyslog daemon in process list... "
+ FIND=`${PSBINARY} ax | grep "rsyslogd" | grep -v "grep"`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: Found rsyslogd in process list"
+ Display --indent 4 --text "- Checking RSyslog status" --result FOUND --color GREEN
+ SYSLOG_DAEMON_PRESENT=1
+ RSYSLOG_RUNNING=1
+ else
+ logtext "Result: rsyslogd NOT found in process list"
+ Display --indent 4 --text "- Checking RSyslog status" --result "NOT FOUND" --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : LOGG-2240
+ # Description : Check for a running RFC 3195 compliant daemon (syslog via TCP)
+ Register --test-no LOGG-2240 --weight L --network NO --description "Check for running RFC 3195 compliant daemon"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Searching for RFC 3195 daemon (alias syslog reliable) in process list... "
+ FIND=`${PSBINARY} ax | grep "rfc3195d" | grep -v "grep"`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: Found rfc3195d in process list"
+ Display --indent 4 --text "- Checking RFC 3195 daemon status" --result FOUND --color GREEN
+ SYSLOG_DAEMON_PRESENT=1
+ RFC3195D_RUNNING=1
+ else
+ logtext "Result: rfc3195d NOT found in process list"
+ Display --indent 4 --text "- Checking RFC 3195 daemon status" --result "NOT FOUND" --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : LOGG-2138
+ # Description : Check for kernel log daemon (klogd) presence on Linux systems
+ # Notes : When using rsyslog, this process is not needed. In combination
+ # with syslog-ng, klogd is still an addition to it, since it
+ # captures kernel related events and send them to syslog-ng.
+ # This test should be below all other logging daemons
+ Register --test-no LOGG-2138 --os Linux --weight L --network NO --description "Checking kernel logger daemon on Linux"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Searching kernel logger daemon (klogd)"
+ if [ ${RSYSLOG_RUNNING} -eq 0 ]; then
+ # Search for klogd, but ignore other lines related to klogd (like dd with input/output file)
+ FIND=`${PSBINARY} ax | grep "klogd" | grep -v "dd" | grep -v "grep"`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: klogd running"
+ Display --indent 4 --text "- Checking klogd" --result FOUND --color GREEN
+ else
+ logtext "Result: No klogd found"
+ Display --indent 4 --text "- Checking klogd" --result "NOT FOUND" --color RED
+ ReportWarning ${TEST_NO} "L" "klogd is not running, which could lead to missing kernel messages in log files"
+ ReportSuggestion ${TEST_NO} "Check why klogd is not running"
+ fi
+ else
+ logtext "Result: test skipped, because rsyslogd is being used"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : LOGG-2142
+ # Description : Check for minilogd presence on Linux systems
+ Register --test-no LOGG-2142 --os Linux --weight L --network NO --description "Checking minilog daemon"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Result: Checking for unkilled minilogd instances.."
+ # Search for minilogd. It shouldn't be running normally, if another syslog daemon is started
+ FIND=`${PSBINARY} ax | grep "minilogd" | grep -v "grep"`
+ if [ "${FIND}" = "" ]; then
+ Display --indent 4 --text "- Checking minilogd instances" --result "NOT FOUND" --color WHITE
+ logtext "Result: No minilogd is running.."
+ else
+ Display --indent 4 --text "- Checking minilogd instances" --result WARNING --color RED
+ logtext "Result: minilogd found in process list"
+ # minilogd daemon seems to be running..
+ ReportWarning ${TEST_NO} "L" "minilogd is running, which should normally not be running"
+ ReportSuggestion ${TEST_NO} "Check minilogd is active and if other syslog daemons are started up properly"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : LOGG-2146
+ # Description : Check for logrotate (/etc/logrotate.conf and logrotate.d)
+ Register --test-no LOGG-2146 --weight L --os Linux --network NO --description "Checking logrotate.conf and logrotate.d"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking for /etc/logrotate.conf"
+ if [ -f /etc/logrotate.conf ]; then
+ LOGROTATE_CONFIG_FOUND=1
+ LOGROTATE_TOOL="logrotate"
+ logtext "Result: /etc/logrotate.conf found (file)"
+ else
+ logtext "Result: /etc/logrotate.conf NOT found"
+ fi
+ logtext "Test: Checking for /etc/logrotate.d (directory)"
+ if [ -d /etc/logrotate.d ]; then
+ LOGROTATE_CONFIG_FOUND=1
+ LOGROTATE_TOOL="logrotate"
+ logtext "Result: /etc/logrotate.d found"
+ else
+ logtext "Result: /etc/logrotate.conf found"
+ fi
+ if [ ${LOGROTATE_CONFIG_FOUND} -eq 1 ]; then
+ Display --indent 2 --text "- Checking logrotate presence" --result OK --color GREEN
+ logtext "Result: logrotate configuration found"
+ else
+ Display --indent 2 --text "- Checking logrotate presence" --result WARNING --color RED
+ logtext "Result: No logrotate configuration found"
+ ReportWarning ${TEST_NO} "L" "No logrotate configuration has been found"
+ ReportSuggestion ${TEST_NO} "Check if files are properly rotated by a some tool instead of logrotate"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : LOGG-2148
+ # Description : Checking log files rotated with logrotate
+ if [ ! "${LOGROTATEBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no LOGG-2148 --weight L --preqs-met ${PREQS_MET} --network NO --description "Checking logrotated files"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking which files are rotated with logrotate and if they exist"
+ FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | egrep "considering log|skipping" | grep -v '*' | sort | uniq | awk '{ if ($2!="log") { print "File:"$2":does_not_exist" } else { print "File:"$3":exists" } }'`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: nothing found"
+ else
+ logtext "Result: found one or more files which are rotated via logrotate"
+ for I in ${FIND}; do
+ logtext "Output: ${I}"
+ done
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : LOGG-2150
+ # Description : Checking log directories rotated with logrotate
+ if [ ! "${LOGROTATEBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no LOGG-2150 --weight L --preqs-met ${PREQS_MET} --network NO --description "Checking directories in logrotate configuration"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking which directories can be found in logrotate configuration"
+ FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | egrep "considering log|skipping" | grep -v '*' | sort | uniq | awk '{ if ($2=="log") { print $3 } }' | sed 's/\/*[a-zA-Z_.-]*$//g' | sort | uniq`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: nothing found"
+ else
+ logtext "Result: found one or more directories (via logrotate configuration)"
+ for I in ${FIND}; do
+ if [ -d ${I} ]; then
+ logtext "Directory found: ${I}"
+ report "log_directory[]=${I}"
+ else
+ logtext "Directory could not be found: ${I}"
+ # YYY strip more parts of the name, until it can be found (and stop at /)
+ fi
+ done
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : LOGG-2152
+ # Description : Check for Solaris 'loghost' entry in /etc/inet/hosts, or
+ # succesful resolving via DNS or any other name service.
+ Register --test-no LOGG-2152 --weight L --os Solaris --network NO --description "Checking loghost"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ # Try local hosts file
+ logtext "Result: Checking for loghost in /etc/inet/hosts"
+ FIND=`grep loghost /etc/inet/hosts | grep -v "^#"`
+ if [ ! "${FIND}" = "" ]; then
+ SOLARIS_LOGHOST_FOUND=1
+ logtext "Result: Found loghost entry in /etc/inet/hosts"
+ else
+ logtext "Result: No loghost entry found in /etc/inet/hosts"
+
+ # Try name resolving if no entry is present in local host file
+ logtext "Result: Checking for loghost via name resolving"
+ FIND=`getent hosts loghost | grep loghost`
+ if [ ! "${FIND}" = "" ]; then
+ SOLARIS_LOGHOST_FOUND=1
+ logtext "Result: name resolving was succesful"
+ logtext "Output: ${FIND}"
+ else
+ logtext "Result: name resolving didn't find results"
+ fi
+ fi
+
+ if [ ${SOLARIS_LOGHOST_FOUND} -eq 1 ]; then
+ logtext "Result: loghost entry found and most likely used to send syslog messages"
+ Display --indent 2 --text "- Checking loghost entry" --result OK --color GREEN
+ else
+ Display --indent 2 --text "- Checking loghost entry" --result WARNING --color RED
+ logtext "Result: No loghost entry found"
+ ReportWarning ${TEST_NO} "L" "No loghost entry found"
+ ReportSuggestion ${TEST_NO} "Add a loghost entry to /etc/inet/hosts or other name services"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : LOGG-2154
+ # Description : Check to see if remote logging is enabled
+ # Notes : prevent lines showing up with commands in it (like |mail)
+ if [ ${SYSLOG_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no LOGG-2154 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking syslog configuration file"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ if [ ${SYSLOG_NG_RUNNING} -eq 1 ]; then
+ SYSLOGD_CONF="/etc/syslog-ng/syslog-ng.conf"
+ else
+ SYSLOGD_CONF="/etc/syslog.conf"
+ fi
+ if [ -f ${SYSLOGD_CONF} ]; then
+ logtext "Test: check if logs are also logged to a remote logging host"
+ FIND=`egrep "@[a-zA-Z0-9]" ${SYSLOGD_CONF} | grep -v "^#" | grep -v "[a-zA-Z0-9]@"`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: remote logging enabled"
+ AddHP 5 5
+ Display --indent 2 --text "- Checking remote logging" --result ENABLED --color GREEN
+ else
+ logtext "Result: no remote logging found"
+ ReportSuggestion ${TEST_NO} "Enable logging to an external logging host for archiving purposes and additional protection"
+ AddHP 1 3
+ Display --indent 2 --text "- Checking remote logging" --result "NOT ENABLED" --color YELLOW
+ fi
+ else
+ logtext "Result: test skipped, file ${SYSLOGD_CONF} not found"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : LOGG-2160
+ # Description : Check for /etc/newsyslog.conf (FreeBSD/OpenBSD)
+ if [ -f /etc/newsyslog.conf ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no LOGG-2160 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking /etc/newsyslog.conf"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Result: /etc/newsyslog.conf found"
+ Display --indent 2 --text "- Checking /etc/newsyslog.conf" --result FOUND --color GREEN
+ LOGROTATE_CONFIG_FOUND=1
+ LOGROTATE_TOOL="newsyslog"
+ fi
+#
+#################################################################################
+#
+ # Test : LOGG-2162
+ # Description : Check for directories in /etc/newsyslog.conf
+ if [ -f /etc/newsyslog.conf ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no LOGG-2162 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking /etc/newsyslog.conf"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: parsing directories from /etc/newsyslog.conf file"
+ FIND=`cat /etc/newsyslog.conf | sort | uniq | grep "^/" | awk '{ print $1 }' | sed 's/\/*[a-zA-Z_.-]*$//g' | sort | uniq`
+ for I in ${FIND}; do
+ if [ -d ${I} ]; then
+ logtext "Result: Directory ${I} found and exists"
+ report "log_directory[]=${I}"
+ else
+ logtext "Result: Item ${I} is not a directory"
+ fi
+ done
+ Display --indent 4 --text "- Checking log directories (newsyslog.conf)" --result DONE --color GREEN
+ fi
+#
+#################################################################################
+#
+ # Test : LOGG-2164
+ # Description : Check for files in /etc/newsyslog.conf
+ if [ -f /etc/newsyslog.conf ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no LOGG-2164 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking /etc/newsyslog.conf"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: parsing directories from /etc/newsyslog.conf file"
+ FIND=`cat /etc/newsyslog.conf | sort | uniq | grep "^/" | awk '{ print $1 }'`
+ for I in ${FIND}; do
+ if [ -f ${I} ]; then
+ logtext "Result: File ${I} found and exists"
+ else
+ logtext "Result: Item ${I} is not a file"
+ fi
+ done
+ Display --indent 4 --text "- Checking log files (newsyslog.conf)" --result DONE --color GREEN
+ fi
+#
+#################################################################################
+#
+ # Test : LOGG-2170
+ # Description : Search available log paths
+ Register --test-no LOGG-2170 --weight L --network NO --description "Checking log paths"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Searching log paths"
+ for I in ${LOG_FILES_LOCS}; do
+ if [ -d ${I} ]; then
+ logtext "Result: directory ${I} exists"
+ report "log_directory[]=${I}"
+ else
+ logtext "Result: directory ${I} can't be found"
+ fi
+ done
+ Display --indent 2 --text "- Checking log directories (static list)" --result DONE --color GREEN
+ fi
+#
+#################################################################################
+#
+ # Test : LOGG-2180
+ # Description : Search open log file
+ Register --test-no LOGG-2180 --weight L --network NO --description "Checking open log files"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: checking open log files with lsof"
+ if [ ! "${LSOFBINARY}" = "" ]; then
+ FIND=`${LSOFBINARY} -n 2>&1 | grep "log$" | egrep -v "WARNING|Output information" | awk '{ if ($5=="REG") { print $9 } }' | sort | uniq | grep -v "^$"`
+ for I in ${FIND}; do
+ logtext "Found logfile: ${I}"
+ report "open_logfile[]=${I}"
+ done
+ Display --indent 2 --text "- Checking open log files" --result DONE --color GREEN
+ else
+ logtext "Result: lsof not installed, skipping test"
+ Display --indent 2 --text "- Checking open log files" --result SKIPPED --color YELLOW
+ # Add suggestion
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : LOGG-2190
+ # Description : Checking deleted files
+ if [ ! "${LSOFBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no LOGG-2190 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking deleted files in file table"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: checking deleted files but are still in use"
+ FIND=`${LSOFBINARY} -n +L 1 2>&1 | egrep -v "WARNING|Output information" | awk '{ if ($5=="REG") { print $10 } }' | grep -v "^$"`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: found one or more files which are deleted, but still in use"
+ for I in ${FIND}; do
+ logtext "Found deleted file: ${I}"
+ report "deleted_file[]=${I}"
+ done
+ Display --indent 2 --text "- Checking deleted files in use" --result "FILES FOUND" --color YELLOW
+ ReportSuggestion ${TEST_NO} "Check what deleted files are still in use and why."
+ else
+ logtext "Result: no deleted files found"
+ Display --indent 2 --text "- Checking deleted files in use" --result DONE --color GREEN
+ fi
+ fi
+#
+#################################################################################
+#
+#
+# Rsyslogd checks
+#
+#
+#################################################################################
+#
+
+report "log_rotation_config_found=${LOGROTATE_CONFIG_FOUND}"
+report "log_rotation_tool=${LOGROTATE_TOOL}"
+
+wait_for_keypress
+
+#
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
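Review bot: the `else` branch of the `/etc/logrotate.d` directory check in LOGG-2146 logs `Result: /etc/logrotate.conf found`, which names the wrong file and the wrong outcome; it should read `logtext "Result: /etc/logrotate.d NOT found"`. Separately, LOGG-2154 only ever inspects `/etc/syslog-ng/syslog-ng.conf` or `/etc/syslog.conf`, so on a host where LOGG-2230 has set `RSYSLOG_RUNNING=1` the remote-logging check is silently skipped whenever `/etc/syslog.conf` is absent, which is common for rsyslog installations that keep their configuration in rsyslog's own file; branching on `RSYSLOG_RUNNING` the same way the test branches on `SYSLOG_NG_RUNNING` would close that gap, and the skip deserves a Display line rather than only a log entry. The `# Rsyslogd checks` heading near the end of the file has no tests under it, which suggests this was already planned.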
diff --git a/include/tests_mac_frameworks b/include/tests_mac_frameworks
new file mode 100644
index 00000000..21a55907
--- /dev/null
+++ b/include/tests_mac_frameworks
@@ -0,0 +1,188 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+ APPARMORFOUND=0 # Set default for test MACF-6208
+ GRSECFOUND=0 # grsecurity
+ MAC_FRAMEWORK_ACTIVE=0 # Default no MAC framework active
+ RBAC_FRAMEWORK_ACTIVE=0 # Default no RBAC framework active
+ SELINUXFOUND=0
+
+ InsertSection "Security frameworks"
+#
+#################################################################################
+#
+ # Test : MACF-6204
+ # Description : Check if AppArmor is installed
+ Register --test-no MACF-6204 --weight L --network NO --description "Check AppArmor presence"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ if [ "${AASTATUSBINARY}" = "" ]; then
+ APPARMORFOUND=0
+ logtext "Result: aa-status binary not found, AppArmor not installed"
+ Display --indent 2 --text "- Checking presence AppArmor" --result "NOT FOUND" --color WHITE
+ else
+ APPARMORFOUND=1
+ logtext "Result: aa-status binary found, AppArmor is installed"
+ Display --indent 2 --text "- Checking presence AppArmor" --result FOUND --color GREEN
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : MACF-6208
+ # Description : Check AppArmor active status
+ if [ ${APPARMORFOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no MACF-6208 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check if AppArmor is enabled"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ if [ ! "${AASTATUSBINARY}" = "" ]; then
+ # Checking AppArmor status
+ FIND=`${AASTATUSBINARY} > /dev/null; echo $?`
+ #0 if apparmor is enabled and policy is loaded.
+ #1 if apparmor is not enabled/loaded.
+ #2 if apparmor is enabled but no policy is loaded.
+ if [ ${FIND} -eq 0 ]; then
+ MAC_FRAMEWORK_ACTIVE=1
+ logtext "Result: AppArmor is enabled and a policy is loaded"
+ Display --indent 4 --text "- Checking AppArmor status" --result "ENABLED" --color GREEN
+ elif [ ${FIND} -eq 2 ]; then
+ logtext "Result: AppArmor is enabled, but no policy is loaded"
+ ReportSuggestion ${TEST_NO} "Disable AppArmor or load a policy"
+ Display --indent 4 --text "- Checking AppArmor status" --result "NON-ACTIVE" --color GREEN
+ elif [ ${FIND} -eq 1 ]; then
+ Display --indent 4 --text "- Checking AppArmor status" --result "DISABLED" --color YELLOW
+ fi
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : MACF-6232
+ # Description : Check SELINUX for installation
+ Register --test-no MACF-6232 --weight L --network NO --description "Check SELINUX presence"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: checking if we have sestatus binary"
+ if [ ! "${SESTATUSBINARY}" = "" ]; then
+ logtext "Result: found sestatus binary (${SESTATUSBINARY})"
+ Display --indent 2 --text "- Checking presence SELinux" --result "FOUND" --color GREEN
+ else
+ logtext "Result: sestatus binary NOT found"
+ Display --indent 2 --text "- Checking presence SELinux" --result "NOT FOUND" --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : MACF-6234
+ # Description : Check SELINUX status
+ if [ ! "${SESTATUSBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no MACF-6234 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SELINUX status"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ # Status: Enabled/Disabled
+ FIND=`${SESTATUSBINARY} | grep "^SELinux status" | awk '{ print $3 }'`
+ if [ "${FIND}" = "enabled" ]; then
+ MAC_FRAMEWORK_ACTIVE=1
+ logtext "Result: SELinux framework is enabled"
+ report "selinux_status=1"
+ SELINUXFOUND=1
+ Display --indent 4 --text "- Checking SELinux status" --result "ENABLED" --color GREEN
+ FIND=`${SESTATUSBINARY} | grep "^Current mode" | awk '{ print $3 }'`
+ report "selinux_mode=${FIND}"
+ FIND2=`${SESTATUSBINARY} | grep "^Mode from config file" | awk '{ print $5 }'`
+ logtext "Result: current SELinux mode is ${FIND}"
+ logtext "Result: mode configured in config file is ${FIND2}"
+ if [ "${FIND}" = "${FIND2}" ]; then
+ logtext "Result: Current SELinux mode is the same as in config file."
+ Display --indent 6 --text "- Checking current mode and config file" --result "OK" --color GREEN
+ else
+ logtext "Result: Current SELinux mode (${FIND}) is NOT the same as in config file (${FIND2})."
+ ReportWarning ${TEST_NO} "M" "Current SELinux mode is different from config file (current: ${FIND}, config file: ${FIND2})"
+ Display --indent 6 --text "- Checking current mode and config file" --result "WARNING" --color RED
+ fi
+ Display --indent 8 --text "Current SELinux mode: ${FIND}"
+ else
+ logtext "Result: SELinux framework is disabled"
+ Display --indent 4 --text "- Checking SELinux status" --result "DISABLED" --color YELLOW
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : RBAC-6272
+ # Description : Check if grsecurity is installed
+ # Notes : Solaris doesn't support test -e
+ if [ ! "${OS}" = "Solaris" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no RBAC-6272 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check grsecurity presence"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ if [ -e /dev/grsec ]; then
+ GRSECFOUND=1
+ logtext "Result: grsecurity available (/dev/grsec found)"
+ else
+ logtext "Result: grsecurity not present (/dev/grsec not found)"
+ fi
+ # Check Linux kernel configuration
+ if [ ! "${LINUXCONFIGFILE}" = "" -a -f "${LINUXCONFIGFILE}" ]; then
+ FIND=`${GREPBINARY} ^CONFIG_GRKERNSEC=y ${LINUXCONFIGFILE}`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: grsecurity available (in kernel config)"
+ GRSECFOUND=1
+ else
+ logtext "Result: no grsecurity found in kernel config"
+ fi
+ fi
+ # Found grsecurity?
+ if [ ${GRSECFOUND} -eq 1 ]; then
+ Display --indent 2 --text "- Checking presence grsecurity" --result FOUND --color GREEN
+ AddHP 3 3
+ else
+ Display --indent 2 --text "- Checking presence grsecurity" --result "NOT FOUND" --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : MACF-6290
+ # Description : Check if at least one MAC framework is implemented
+ Register --test-no MACF-6290 --weight L --network NO --description "Check for implemented MAC framework"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ if [ ${MAC_FRAMEWORK_ACTIVE} -eq 1 ]; then
+ Display --indent 2 --text "- Checking for implemented MAC framework" --result OK --color GREEN
+ AddHP 3 3
+ logtext "Result: found implemented MAC framework"
+ else
+ Display --indent 2 --text "- Checking for implemented MAC framework" --result NONE --color YELLOW
+ AddHP 2 3
+ logtext "Result: found no implemented MAC framework"
+ fi
+ fi
+#
+#################################################################################
+#
+
+report "framework_grsecurity=${GRSECFOUND}"
+report "framework_selinux=${SELINUXFOUND}"
+
+wait_for_keypress
+
+# To implement:
+# FMAC (OpenSolaris, MAC)
+# LSM (Linux Security Modules)
+# TrustedBSD (MAC)
+# RSBAC (RBAC)
+# Apple sandbox technology
+# PAX
+
+#
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
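Review bot: the exit-code chain in MACF-6208 handles only 0, 1 and 2, so any other `aa-status` exit status (for instance when it cannot read its control files or lacks sufficient privileges) produces neither a log line nor a Display line and leaves `MAC_FRAMEWORK_ACTIVE` at its default without explanation; add a final `else` with `logtext "Result: aa-status returned unexpected exit code ${FIND}"` and a matching `Display --indent 4 --text "- Checking AppArmor status" --result "UNKNOWN" --color YELLOW`, and redirect stderr in the `FIND=` line so error text from aa-status does not spill onto the console. The `NON-ACTIVE` result for exit code 2 is coloured GREEN although the same branch files a suggestion; YELLOW matches the convention used elsewhere in this file. In MACF-6234, `MAC_FRAMEWORK_ACTIVE=1` is set as soon as SELinux reports `enabled`, before the current mode is read into `FIND`, so a permissive system earns the full MACF-6290 score while enforcing nothing; consider setting the flag only when that mode is `enforcing`, or at least logging the distinction.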
diff --git a/include/tests_mail_messaging b/include/tests_mail_messaging
new file mode 100644
index 00000000..3ceab305
--- /dev/null
+++ b/include/tests_mail_messaging
@@ -0,0 +1,269 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# E-mail and messaging
+#
+#################################################################################
+#
+ InsertSection "Software: e-mail and messaging"
+#
+#################################################################################
+#
+ DOVECOT_RUNNING=0
+ EXIM_RUNNING=0
+ SMTP_DAEMON=""
+ POSTFIX_RUNNING=0
+ QMAIL_RUNNING=0
+ SENDMAIL_RUNNING=0
+ SMTPD_RUNNING=0
+#
+#################################################################################
+#
+ # Test : MAIL-8802
+ # Description : Check Exim process status
+ Register --test-no MAIL-8802 --weight L --network NO --description "Check Exim status"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: check Exim status"
+ IsRunning exim
+ if [ ${RUNNING} -eq 1 ]; then
+ logtext "Result: found running Exim process"
+ Display --indent 2 --text "- Checking Exim status..." --result RUNNING --color GREEN
+ EXIM_RUNNING=1
+ SMTP_DAEMON="exim"
+ else
+ logtext "Result: no running Exim processes found"
+ Display --indent 2 --text "- Checking Exim status..." --result "NOT FOUND" --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : MAIL-8804
+ # Description : Check Exim configuration
+ #if [ ${EXIM_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ #Register --test-no MAIL-8804 --weight L --network NO --description "Check Exim configuration"
+ #if [ ${SKIPTEST} -eq 0 ]; then
+ # if [ ! "${EXIMBINARY}" = "" ]; then
+ # logtext "Test: Searching Exim configuration file..."
+ # FIND=`${EXIMBINARY} -d | grep "configuration file is" | sed 's/configuration file is//'`
+ # if [ ! "${FIND}" = "" ]; then
+ # Display --indent 2 --text "- Checking Exim configuration..." --result FOUND --color GREEN
+ # Display --indent 4 --text "Result: configuration file is ${FIND}"
+ # logtext "Result: found Exim"
+ # logtext "Result: configuration file is ${FIND}"
+ # else
+ # Display --indent 2 --text "- Checking Exim configuration..." --result WARNING --color RED
+ # logtext "Couldn't find the Exim configuration file, however Exim seems to be installed."
+ # fi
+ # else
+ # logtext "Exim binary not found, no tests performed"
+ # fi
+#
+#################################################################################
+#
+ # Test : MAIL-8814
+ # Description : Check Postfix process
+ # Notes : qmgr and pickup run under postfix uid, without full path to binary
+ Register --test-no MAIL-8814 --weight L --network NO --description "Check postfix process status"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: check Postfix status"
+ # Some other processes also use master, therefore it should include both master and postfix
+ FIND1=`${PSBINARY} ax | grep "master" | grep "postfix" | grep -v "grep"`
+ FIND2=`${PSBINARY} ax | grep "qmgr" | grep "postfix" | grep -v "grep"`
+ FIND3=`${PSBINARY} ax | grep "pickup" | grep "postfix" | grep -v "grep"`
+ if [ ! "${FIND1}" = "" -a ! "${FIND2}" = "" -a ! "${FIND3}" = "" ]; then
+ logtext "Result: found running Postfix process"
+ Display --indent 2 --text "- Checking Postfix status..." --result RUNNING --color GREEN
+ POSTFIX_RUNNING=1
+ SMTP_DAEMON="postfix"
+ else
+ logtext "Result: no running Postfix processes found"
+ Display --indent 2 --text "- Checking Postfix status..." --result "NOT FOUND" --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : MAIL-8816
+ # Description : Check Postfix configuration
+ if [ ${POSTFIX_RUNNING} -eq 1 -a ! "${POSTFIXBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no MAIL-8816 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Postfix configuration"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ Display --indent 2 --text "- Checking Postfix configuration..." --result FOUND --color GREEN
+ POSTFIX_CONFIGDIR=`${POSTCONFBINARY} | grep '^config_directory' | awk '{ print $3 }'`
+ POSTFIX_CONFIGFILE="${POSTFIX_CONFIGDIR}/main.cf"
+ logtext "Postfix configuration directory: ${POSTFIX_CONFIGDIR}"
+ logtext "Postfix configuration file: ${POSTFIX_CONFIGFILE}"
+ fi
+#
+#################################################################################
+#
+ # Test : MAIL-8818
+ # Description : Check Postfix configuration
+ if [ ${POSTFIX_RUNNING} -eq 1 -a ! "${POSTFIXBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no MAIL-8818 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Postfix configuration: banner"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking Postfix banner"
+ FIND1=`${POSTCONFBINARY} | grep '^smtpd_banner' | grep 'postfix'`
+ FIND2=`${POSTCONFBINARY} | grep '^smtpd_banner' | grep '$mail_name'`
+ FIND3=`${POSTCONFBINARY} | grep '^mail_name' | grep -i 'postfix'`
+ #YYY Check if OS name shows up in banner
+ #FIND4=`${POSTCONFBINARY} | grep '^smtpd_banner' | egrep "${OS}|${LINUX_VERSION}`
+ SHOWWARNING=0
+ if [ ! "${FIND1}" = "" ]; then
+ SHOWWARNING=1
+ else
+ if [ ! "${FIND2}" = "" -a ! "${FIND3}" = "" ]; then
+ SHOWWARNING=1
+ else
+ Display --indent 4 --text "- Checking Postfix banner..." --result OK --color GREEN
+ fi
+ fi
+ if [ ${SHOWWARNING} -eq 1 ]; then
+ Display --indent 4 --text "- Checking Postfix banner..." --result WARNING --color RED
+ logtext "Result: found mail_name in SMTP banner, and/or mail_name contains 'Postfix'."
+ ReportWarning ${TEST_NO} "L" "Found mail_name in SMTP banner, and/or mail_name contains 'Postfix'"
+ ReportSuggestion ${TEST_NO} "You are adviced to hide the mail_name (option: smtpd_banner) from your postfix configuration. Use postconf -e or change your main.cf file (${POSTFIX_CONFIGFILE})"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : MAIL-8838
+ # Description : Check Dovecot process
+ Register --test-no MAIL-8838 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check dovecot process"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: check dovecot status"
+ IsRunning dovecot
+ if [ ${RUNNING} -eq 1 ]; then
+ logtext "Result: found running dovecot process"
+ Display --indent 2 --text "- Checking Dovecot status..." --result RUNNING --color GREEN
+ DOVECOT_RUNNING=1
+ IMAP_DAEMON="dovecot"
+ POP3_DAEMON="dovecot"
+ else
+ logtext "Result: dovecot not found"
+ Display --indent 2 --text "- Checking Dovecot status..." --result "NOT FOUND" --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : MAIL-8842
+ # Description : Check Dovecot logging locations
+ #Register --test-no MAIL-8842 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check dovecot logging locations"
+ #if [ ${SKIPTEST} -eq 0 ]; then
+# ParseDovecot
+# CONF="/etc/dovecot/dovecot.conf"
+# FIND=`cat ${CONF} | grep "^log_path" | awk '{ if ($1=="") { print "syslog" } else { print $3 } }'`
+# if [ ! "${FIND}" = "" ]; then
+# logtext "Result: output for error messages = ${FIND}"
+# fi
+#
+# FIND=`cat ${CONF} | grep "^log_info_path" | awk '{ if ($1=="") { print "syslog" } else { print $3 } }'`
+# if [ ! "${FIND}" = "" ]; then
+# logtext "Result: output for informational messages = ${FIND}"
+# fi
+#
+# fi
+#
+#################################################################################
+#
+ # Test : MAIL-8860
+ # Description : Check Qmail process status
+ Register --test-no MAIL-8860 --weight L --network NO --description "Check Qmail status"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: check Qmail status"
+ IsRunning qmail-smtpd
+ if [ ${RUNNING} -eq 1 ]; then
+ logtext "Result: found running Qmail process"
+ Display --indent 2 --text "- Checking Qmail status..." --result RUNNING --color GREEN
+ QMAIL_RUNNING=1
+ SMTP_DAEMON="sendmail"
+ else
+ logtext "Result: no running Qmail processes found"
+ Display --indent 2 --text "- Checking Qmail status..." --result "NOT FOUND" --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : MAIL-8880
+ # Description : Check Sendmail process status
+ Register --test-no MAIL-8880 --weight L --network NO --description "Check Sendmail status"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: check sendmail status"
+ IsRunning sendmail
+ if [ ${RUNNING} -eq 1 ]; then
+ logtext "Result: found running Sendmail process"
+ Display --indent 2 --text "- Checking Sendmail status..." --result RUNNING --color GREEN
+ SENDMAIL_RUNNING=1
+ SMTP_DAEMON="sendmail"
+ else
+ logtext "Result: no running Sendmail processes found"
+ Display --indent 2 --text "- Checking Sendmail status..." --result "NOT FOUND" --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : MAIL-8920
+ # Description : Check OpenBSD smtpd process status
+ Register --test-no MAIL-8920 --os OpenBSD --weight L --network NO --description "Check smtpd status"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: check smtpd status"
+ FIND=`${PSBINARY} ax | grep "/smtpd" | grep -v "grep"`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: found running smtpd process"
+ Display --indent 2 --text "- Checking OpenBSD smtpd status..." --result RUNNING --color GREEN
+ SMTPD_RUNNING=1
+ SMTP_DAEMON="smtpd"
+ else
+ logtext "Result: smtpd not found"
+ Display --indent 2 --text "- Checking OpenBSD smtpd status..." --result "NOT FOUND" --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : MAIL-xxxx
+ # Description : Check if outgoing mail is obscured (increased privacy)
+ #Register --test-no MAIL-xxxx --weight L --network NO --description "Check XXX"
+ #if [ ${SKIPTEST} -eq 0 ]; then
+#
+#################################################################################
+#
+ #YYY Add support for mail, procmail
+ #YYY Add support for MUAs: Thunderbird, Kmail, Evolution
+ # Other software : Cyrus-IMAP, Amavisd-new, SpamAssassin, Fetchmail, Procmail, maildrop
+ #- Dovecot : \'/usr/local/etc/dovecot.conf\'
+ #- For Sendmail : \'/var/mail/sendmail.cf\'
+ #- Fetchmail : \'~/.fetchmailrc\' (not only root)
+ #- Cyrus-IMAP : \'/usr/local/etc/imapd.conf\' for parameters and \'/usr/local/etc/cyrus.conf\' for the services launched
+#
+#################################################################################
+#
+
+report "imap_daemon=${IMAP_DAEMON}"
+report "pop3_daemon=${POP3_DAEMON}"
+report "smtp_daemon=${SMTP_DAEMON}"
+
+
+wait_for_keypress
+
+#
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
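Review bot: MAIL-8838 registers the Dovecot check with `--preqs-met ${PREQS_MET}`, but PREQS_MET was last assigned by MAIL-8818 from the Postfix state, so the Dovecot test is silently skipped on any host that is not also running Postfix and IMAP_DAEMON/POP3_DAEMON are never set. The Register line should drop the inherited prerequisite, `Register --test-no MAIL-8838 --weight L --network NO --description "Check dovecot process"`, and IMAP_DAEMON/POP3_DAEMON should be initialised alongside the other defaults at the top of the file so the `report` lines at the end do not emit unset values. Separately, MAIL-8860 assigns `SMTP_DAEMON="sendmail"` after finding qmail-smtpd, which looks like a copy-paste slip from the Sendmail test and should read `SMTP_DAEMON="qmail"`, otherwise the report misidentifies the MTA. MAIL-8816 and MAIL-8818 also gate on POSTFIXBINARY being set but execute `${POSTCONFBINARY}`; if only the former resolves, the tests run an empty command and the banner check passes vacuously.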
diff --git a/include/tests_malware b/include/tests_malware
new file mode 100644
index 00000000..d613829c
--- /dev/null
+++ b/include/tests_malware
@@ -0,0 +1,185 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# Malware scanners
+#
+#################################################################################
+#
+ InsertSection "Software: Malware scanners"
+#
+#################################################################################
+#
+ CLAMD_RUNNING=0
+ MALWARE_SCANNER_INSTALLED=0
+#
+#################################################################################
+#
+ # Test : MALW-3275
+ # Description : Check for installed tool (chkrootkit)
+ Register --test-no MALW-3275 --weight L --network NO --description "Check for chkrootkit"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: checking presence chkrootkit"
+ if [ ! "${CHKROOTKITBINARY}" = "" ]; then
+ Display --indent 2 --text "- Checking chkrootkit..." --result "FOUND" --color GREEN
+ logtext "Result: Found ${CHKROOTKITBINARY}"
+ MALWARE_SCANNER_INSTALLED=1
+ AddHP 2 2
+ else
+ Display --indent 2 --text "- Checking chkrootkit..." --result "NOT FOUND" --color WHITE
+ logtext "Result: chkrootkit not found"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : MALW-3276
+ # Description : Check for installed tool (Rootkit Hunter)
+ Register --test-no MALW-3276 --weight L --network NO --description "Check for Rootkit Hunter"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: checking presence Rootkit Hunter"
+ if [ ! "${RKHUNTERBINARY}" = "" ]; then
+ Display --indent 2 --text "- Checking Rootkit Hunter..." --result "FOUND" --color GREEN
+ logtext "Result: Found ${RKHUNTERBINARY}"
+ MALWARE_SCANNER_INSTALLED=1
+ AddHP 2 2
+ else
+ Display --indent 2 --text "- Checking Rootkit Hunter..." --result "NOT FOUND" --color WHITE
+ logtext "Result: Rootkit Hunter not found"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : MALW-3280
+ # Description : Check if an anti-virus tool is installed
+ Register --test-no MALW-3280 --weight L --network NO --description "Check for clamscan"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FOUND=0
+ logtext "Test: checking process cmdagent (McAfee)"
+ IsRunning cmdagent
+ if [ ${RUNNING} -eq 1 ]; then
+ FOUND=1
+ Display --indent 2 --text "- Checking McAfee" --result "FOUND" --color GREEN
+ logtext "Result: Found McAfee"
+ MALWARE_SCANNER_INSTALLED=1
+ AddHP 2 2
+ fi
+ logtext "Test: checking process SophosScanD"
+ IsRunning SophosScanD
+ if [ ${RUNNING} -eq 1 ]; then
+ FOUND=1
+ Display --indent 2 --text "- Checking Sophos" --result "FOUND" --color GREEN
+ logtext "Result: Found Sophos"
+ MALWARE_SCANNER_INSTALLED=1
+ AddHP 2 2
+ fi
+ if [ ${FOUND} -eq 0 ]; then
+ Display --indent 2 --text "- Checking commercial anti-virus scanners" --result "NONE FOUND" --color WHITE
+ logtext "Result: no commercial anti-virus tool found"
+ AddHP 0 3
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : MALW-3282
+ # Description : Check if clamscan is installed
+ Register --test-no MALW-3282 --weight L --network NO --description "Check for clamscan"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: checking presence clamscan"
+ if [ ! "${CLAMSCANBINARY}" = "" ]; then
+ Display --indent 2 --text "- Checking ClamAV scanner..." --result "FOUND" --color GREEN
+ logtext "Result: Found ${CLAMSCANBINARY}"
+ MALWARE_SCANNER_INSTALLED=1
+ AddHP 2 2
+ else
+ Display --indent 2 --text "- Checking ClamAV scanner..." --result "NOT FOUND" --color WHITE
+ logtext "Result: clamscan couldn't be found"
+ fi
+ fi
+
+#
+#################################################################################
+#
+ # Test : MALW-3284
+ # Description : Check running clamd process
+ Register --test-no MALW-3284 --weight L --network NO --description "Check for clamd"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: checking running ClamAV daemon (clamd)"
+ FIND=`${PSBINARY} ax | grep "/clamd" | grep -v "grep"`
+ if [ ! "${FIND}" = "" ]; then
+ Display --indent 2 --text "- Checking ClamAV daemon..." --result "FOUND" --color GREEN
+ logtext "Result: found running clamd process"
+ MALWARE_SCANNER_INSTALLED=1
+ CLAMD_RUNNING=1
+ else
+ Display --indent 2 --text "- Checking ClamAV daemon..." --result "NOT FOUND" --color WHITE
+ logtext "Result: clamd not running"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : MALW-3286
+ # Description : Check running freshclam if clamd process is running
+ if [ ${CLAMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no MALW-3286 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for freshclam"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: checking running freshclam daemon"
+ FIND=`${PSBINARY} ax | grep "/freshclam" | grep -v "grep"`
+ if [ ! "${FIND}" = "" ]; then
+ Display --indent 4 --text "- Checking freshclam..." --result "FOUND" --color GREEN
+ logtext "Result: found running freshclam process"
+ AddHP 2 2
+ else
+ Display --indent 4 --text "- Checking freshclam..." --result "SUGGESTION" --color YELLOW
+ logtext "Result: freshclam is not running"
+ ReportSuggestion ${TEST_NO} "Confirm that freshclam is properly configured and keeps updating the ClamAV database"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : MALW-3292
+ # Description : Check if at least one malware scanner is installed
+# Register --test-no MALW-3292 --weight L --network NO --description "Check for at least one malware scanner"
+# if [ ${SKIPTEST} -eq 0 ]; then
+# if [ ${MALWARE_SCANNER_INSTALLED} -eq 1 ]; then
+# logtext "Result: At least one malware scanner is installed"
+# Display --indent 2 --text "- Checking presence malware scanner..." --result "FOUND" --color GREEN
+# #AddHP 3 3
+# else
+# logtext "Result: No malware scanners found"
+# Display --indent 2 --text "- Checking presence malware scanner..." --result "NOT FOUND" --color YELLOW
+# ReportSuggestion ${TEST_NO} "Install at least one malware scanner to perform periodic integrity tests on the system"
+# #AddHP 0 3
+# fi
+# fi
+#
+#################################################################################
+#
+# Other projects: maldetect (rfxn)
+#
+#################################################################################
+#
+
+report "malware_scanner_installed=${MALWARE_SCANNER_INSTALLED}"
+
+wait_for_keypress
+
+#
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
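Review bot: MALW-3280 is registered with the description "Check for clamscan", the same string MALW-3282 uses, while its body actually looks for McAfee (cmdagent) and Sophos (SophosScanD); the Register line should read `Register --test-no MALW-3280 --weight L --network NO --description "Check for commercial anti-virus scanners"` so the log and report are not misleading. The `AddHP 0 3` on the no-commercial-scanner branch also lowers the hardening index on every host that relies only on the open-source tools this section otherwise credits; consider whether that penalty belongs there or in the commented-out MALW-3292 aggregate check. Detection in MALW-3284 and MALW-3286 uses `ps ax | grep "/clamd"` and `grep "/freshclam"`, which match any command line containing that substring and miss a daemon started without a full path; the process-name check via IsRunning that the other tests use would be more consistent and harder to fool.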
diff --git a/include/tests_memory_processes b/include/tests_memory_processes
new file mode 100644
index 00000000..88c0cbc0
--- /dev/null
+++ b/include/tests_memory_processes
@@ -0,0 +1,132 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# Memory and processes
+#
+#################################################################################
+#
+ InsertSection "Memory and processes"
+#
+#################################################################################
+#
+ # Test : PROC-3602
+ # Description : Query /proc/meminfo
+ Register --test-no PROC-3602 --os Linux --weight L --network NO --description "Checking /proc/meminfo for memory details"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ if [ -f /proc/meminfo ]; then
+ logtext "Result: found /proc/meminfo"
+ Display --indent 2 --text "- Checking /proc/meminfo... " --result FOUND --color GREEN
+ FIND=`cat /proc/meminfo | grep "^MemTotal" | tr -s ' ' | awk '{ print $2" "$3 }'`
+ MEMORY_SIZE=`echo ${FIND} | awk '{ print $1 }'`
+ MEMORY_UNITS=`echo ${FIND} | awk '{ print $2 }'`
+ logtext "Result: Found ${MEMORY_SIZE} ${MEMORY_UNITS} memory"
+ report "memory_size=${MEMORY_SIZE}"
+ report "memory_units=${MEMORY_UNITS}"
+ else
+ logtext "Result: /proc/meminfo file not found on this system"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : PROC-3604
+ # Description : Query /proc/meminfo
+ Register --test-no PROC-3604 --os Solaris --weight L --network NO --description "Query prtconf for memory details"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Searching /usr/sbin/prtconf"
+ if [ -x /usr/sbin/prtconf ]; then
+ Display --indent 2 --text "- Querying prtconf for installed memory..." --result DONE --color GREEN
+ MEMORY_SIZE=`/usr/sbin/prtconf | grep "^Memory size:" | cut -d ' ' -f3`
+ MEMORY_UNITS=`/usr/sbin/prtconf | grep "^Memory size:" | cut -d ' ' -f4`
+ logtext "Result: Found ${MEMORY_SIZE} ${MEMORY_UNITS} memory"
+ report "memory_size=${MEMORY_SIZE}"
+ report "memory_units=${MEMORY_UNITS}"
+ else
+ Display --indent 2 --text "- Querying prtconf for installed memory..." --result SKIPPED --color WHITE
+ logtext "Result: /usr/sbin/prtconf not found"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : PROC-3612
+ # Description : Searching for dead and zombie processes
+ # Notes : Don't perform test on Solaris
+ if [ ! "${OS}" = "Solaris" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no PROC-3612 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check dead or zombie processes"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ if [ "${OS}" = "AIX" ]; then
+ FIND=`${PSBINARY} -Ae -o pid,wchan,stat,comm | awk '{ if ($3 ~ /Z|X/) print $1 }' | xargs`
+ else
+ FIND=`${PSBINARY} x -o pid,wchan,stat,comm | awk '{ if ($3 ~ /Z|X/) print $1 }' | xargs`
+ fi
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: no zombie processes found"
+ Display --indent 2 --text "- Searching for dead/zombie processes..." --result OK --color GREEN
+ else
+ logtext "Result: found one or more dead or zombie processes"
+ logtext "Output: PIDs ${FIND}"
+ Display --indent 2 --text "- Searching for dead/zombie processes..." --result WARNING --color RED
+ ReportSuggestion ${TEST_NO} "Check the output of ps for dead or zombie processes"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : PROC-3614
+ # Description : Searching for heavy IO based waiting processes
+ # Notes : Don't perform test on Solaris
+ if [ ! "${OS}" = "Solaris" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no PROC-3614 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check heavy IO waiting based processes"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ if [ "${OS}" = "AIX" ]; then
+ FIND=`${PSBINARY} -Ae -o pid,wchan,stat,comm | awk '{ if ($3=="D") print $1 }' | xargs`
+ else
+ FIND=`${PSBINARY} x -o pid,wchan,stat,comm | awk '{ if ($3=="D") print $1 }' | xargs`
+ fi
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: No processes were waiting for IO requests to be handled first"
+ Display --indent 2 --text "- Searching for IO waiting processes..." --result OK --color GREEN
+ else
+ logtext "Result: found one or more processes which were waiting to get IO requests handled first"
+ logtext "More info: processes which show up with the status flag 'D' are often stuck, until a disk IO event finished. This can happen for example with network storage, where the connection or protocol settings are not logtext well configured."
+ logtext "Output: PIDs ${FIND}"
+ Display --indent 2 --text "- Searching for IO waiting processes..." --result WARNING --color RED
+ ReportSuggestion ${TEST_NO} "Check process listing for processes waiting for IO requests"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Ubuntu test: dead processes
+ # who -d
+#
+#################################################################################
+#
+ # Test : PROC-3624
+ # Description : Check shared memory (ipcs -m)
+ # Notes : if it's empty, check /dev/shm and warn if any files are left behind
+ #Register --test-no PROC-3614 --os Linux --weight L --network NO --description "Check shared memory"
+ #if [ ${SKIPTEST} -eq 0 ]; then
+#
+#################################################################################
+#
+
+wait_for_keypress
+
+#
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
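Review bot: PROC-3614 compares the process state with `$3=="D"`, so any process whose STAT column carries extra flags (for example `D+`, `Ds` or `DN` on procps) is never reported; `awk '{ if ($3 ~ /^D/) print $1 }'` in both the AIX and the generic branch would catch those. The informational log line of the same test contains a stray word, `... are not logtext well configured.`, which should read `... are not well configured.`. The commented-out PROC-3624 block re-uses `--test-no PROC-3614`; if it is ever enabled it will collide with the IO-wait test, so the ID should already be `PROC-3624`. On BSD-style ps, `ps x` without `a` appears to restrict the listing to the invoking user's processes, which would hide zombies owned by other users in PROC-3612 — worth confirming and switching to `ps ax` if so.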
diff --git a/include/tests_nameservices b/include/tests_nameservices
new file mode 100644
index 00000000..f2e72ee9
--- /dev/null
+++ b/include/tests_nameservices
@@ -0,0 +1,607 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# Name services
+#
+#################################################################################
+#
+ InsertSection "Software: name services"
+#
+#################################################################################
+#
+ BIND_RUNNING=0
+ BIND_CONFIG_LOCS="/etc /etc/bind /usr/local/etc"
+ BIND_CONFIG_LOCATIONS=""
+ POWERDNS_RUNNING=0
+ POWERDNS_CONFIG_LOCS="/etc/powerdns /usr/local/etc"
+ POWERDNS_AUTH_CONFIG_LOCATION=""
+ POWERDNS_AUTH_MASTER=0
+ POWERDNS_AUTH_SLAVE=0
+ YPBIND_RUNNING=0
+#
+#################################################################################
+#
+ # Test : NAME-4016
+ # Description : Check main domain (domain <domain name> in /etc/resolv.conf)
+ Register --test-no NAME-4016 --weight L --network NO --description "Check /etc/resolv.conf default domain"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: check /etc/resolv.conf for default domain"
+ if [ -f /etc/resolv.conf ]; then
+ logtext "Result: /etc/resolv.conf found"
+ FIND=`cat /etc/resolv.conf | grep "^domain" | awk '{ print $2 }'`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: no default domain found"
+ Display --indent 2 --text "- Checking default DNS search domain..." --result NONE --color WHITE
+ else
+ logtext "Result: found default domain"
+ logtext "Output: ${FIND}"
+ report "resolv_conf_domain=${FIND}"
+ Display --indent 2 --text "- Checking default DNS search domain..." --result FOUND --color GREEN
+ RESOLV_DOMAINNAME="${FIND}"
+ fi
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : NAME-4018
+ # Description : Check search domains in /etc/resolv.conf
+ # Notes : Maximum of one search keyword is allowed in /etc/resolv.conf
+ Register --test-no NAME-4018 --weight L --network NO --description "Check /etc/resolv.conf search domains"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ N=0
+ logtext "Test: check /etc/resolv.conf for search domains"
+ if [ -f /etc/resolv.conf ]; then
+ logtext "Result: /etc/resolv.conf found"
+ FIND=`cat /etc/resolv.conf | grep "^search" | sed 's/^search //'`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: no search domains found, default domain is being used"
+ else
+ for I in ${FIND}; do
+ logtext "Found search domain: ${I}"
+ report "resolv_conf_search_domain[]=${I}"
+ N=`expr ${N} + 1`
+ done
+ # Warn if we have more than 6 search domains, which is maximum in most resolvers
+ if [ ${N} -gt 6 ]; then
+ logtext "Result: Found ${N} search domains"
+ Display --indent 2 --text "- Checking search domains..." --result WARNING --color YELLOW
+ ReportWarning ${TEST_NO} "L" "Found more than 6 search domains, which is usually more than the maximum allowed number in most resolvers"
+ else
+ logtext "Result: Found ${N} search domains"
+ Display --indent 2 --text "- Checking search domains..." --result FOUND --color GREEN
+ fi
+ fi
+ else
+ logtext "Result: /etc/resolv.conf does not exist, skipping test"
+ Display --indent 2 --text "- Checking search domains..." --result "NOT FOUND" --color YELLOW
+ fi
+
+ # Check amount of search domains (max 1)
+ FIND=`cat /etc/resolv.conf | grep "^search" | wc -l | tr -s ' ' | tr -d ' '`
+ if [ ! "${FIND}" = "0" -a ! "${FIND}" = "1" ]; then
+ logtext "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)"
+ Display --indent 4 --text "- Checking search domains lines..." --result "CONFIG ERROR" --color YELLOW
+ ReportWarning ${TEST_NO} "L" "Found more than 1 search lines in /etc/resolv.conf, which is probably a misconfiguration"
+ else
+ logtext "Result: found ${FIND} line(s) with a search statement (expecting less than 2 lines)"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : NAME-4020
+ # Description : Check non default resolv.conf options
+ Register --test-no NAME-4020 --weight L --network NO --description "Check non default options"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: check /etc/resolv.conf for non default options"
+ if [ -f /etc/resolv.conf ]; then
+ logtext "Result: /etc/resolv.conf found"
+ FIND=`grep "^options" /etc/resolv.conf | awk '{ print $2 }'`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: no specific other options configured in /etc/resolv.conf"
+ Display --indent 2 --text "- Checking /etc/resolv.conf options..." --result "NONE" --color WHITE
+ else
+ for I in ${FIND}; do
+ logtext "Found option: ${I}"
+ report "resolv_conf_option[]=${I}"
+ #rotate --> add performance tune point
+ #timeout <3 --> add performe tune point
+ done
+ Display --indent 2 --text "- Checking /etc/resolv.conf options..." --result "FOUND" --color GREEN
+ fi
+ else
+ logtext "Result: /etc/resolv.conf not found, test skipped"
+ Display --indent 2 --text "- Checking /etc/resolv.conf options..." --result "NOT FOUND" --color YELLOW
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : NAME-4024
+ # Description : Check Solaris uname -n output
+ Register --test-no NAME-4024 --os Solaris --weight L --network NO --description "Solaris uname -n output"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FIND=`uname -n`
+ logtext "Result: 'uname -n' returned ${FIND}"
+ Display --indent 2 --text "- Checking uname -n output..." --result DONE --color GREEN
+ fi
+#
+#################################################################################
+#
+ # Test : NAME-4026
+ # Description : Check Solaris /etc/nodename
+ # Notes : If a system is standalone, /etc/nodename should contain a system name only, not FQDN
+ Register --test-no NAME-4026 --os Solaris --weight L --network NO --description "Check /etc/nodename"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: checking /etc/nodename"
+ if [ -f /etc/nodename ]; then
+ logtext "Result: file /etc/nodename exists"
+ FIND=`cat /etc/nodename`
+ logtext "Output: ${FIND}"
+ Display --indent 2 --text "- Checking /etc/nodename..." --result "DONE" --color GREEN
+ else
+ logtext "Result: file /etc/nodename could not be found"
+ Display --indent 2 --text "- Checking /etc/nodename..." --result "NONE FOUND" --color YELLOW
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : NAME-4028
+ # Description : Check DNS domain name
+ # To Do : grep ^DOMAINNAME /etc/conf.d/domainname (remove "'s)
+ Register --test-no NAME-4028 --weight L --network NO --description "Check domain name"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ DOMAINNAME=""
+ # NIS
+ #logtext "Test: Checking file /etc/domainname"
+ #if [ -f /etc/domainname ]; then
+ # logtext "Result: file /etc/domainname exists"
+ # FIND2=`cat /etc/domainname`
+ # if [ ! "${FIND}" = "" ]; then
+ # logtext "Found domain name: ${FIND}"
+ # DOMAINNAME="${FIND}"
+ # else
+ # logtext "Result: no domain name found in file"
+ # fi
+ # else
+ # logtext "Result: file /etc/domainname does not exist"
+ #fi
+
+ logtext "Test: Checking if dnsdomainname command is available"
+ if [ ! "${DNSDOMAINNAMEBINARY}" = "" ]; then
+ FIND2=`${DNSDOMAINNAMEBINARY} 2> /dev/null`
+ if [ ! "${FIND2}" = "" ]; then
+ logtext "Result: dnsdomainname command returned a value"
+ logtext "Found domain name: ${FIND2}"
+ DOMAINNAME="${FIND2}"
+ else
+ logtext "Result: dnsdomainname command returned no value"
+ fi
+ else
+ logtext "Result: dnsdomainname binary not found, skip specific test"
+ fi
+
+ # If files and commands can't be found, use defined value from resolv.conf
+ if [ "${DOMAINNAME}" = "" ]; then
+ if [ ! "${RESOLV_DOMAINNAME}" = "" ]; then
+ logtext "Result: using domain name from /etc/resolv.conf"
+ DOMAINNAME=${RESOLV_DOMAINNAME}
+ else
+ logtext "Result: using domain name from FQDN hostname"
+ DOMAINNAME=${FQDN#${HOSTNAME}.}
+ fi
+ fi
+
+ if [ ! "${DOMAINNAME}" = "" ]; then
+ logtext "Result: found domain name"
+ report "domainname=${DOMAINNAME}"
+ Display --indent 2 --text "- Searching DNS domain name..." --result "FOUND" --color GREEN
+ Display --indent 6 --text "Domain name: ${DOMAINNAME}"
+ else
+ Display --indent 2 --text "- Searching DNS domain name..." --result "UNKNOWN" --color YELLOW
+ ReportSuggestion ${TEST_NO} "Check DNS configuration for the dns domain name"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : NAME-4032
+ # Description : Check name service caching daemon (NSCD) status
+ Register --test-no NAME-4032 --weight L --network NO --description "Check nscd status"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: checking nscd status"
+ FIND=`${PSBINARY} ax | grep "nscd" | grep -v "grep"`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: nscd is running"
+ Display --indent 2 --text "- Checking nscd status..." --result RUNNING --color GREEN
+ else
+ logtext "Result: nscd is not running"
+ Display --indent 2 --text "- Checking nscd status..." --result "NOT FOUND" --color WHITE
+ #YYY show performance suggestion if LDAP is used
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : NAME-4202
+ # Description : Check if BIND is running
+ Register --test-no NAME-4202 --weight L --network NO --description "Check BIND status"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking for running BIND instance"
+ FIND=`${PSBINARY} ax | grep "/named" | grep -v "grep"`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: found BIND process"
+ Display --indent 2 --text "- Checking BIND status..." --result "FOUND" --color GREEN
+ BIND_RUNNING=1
+ else
+ logtext "Result: BIND not running"
+ Display --indent 2 --text "- Checking BIND status..." --result "NOT FOUND" --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : NAME-4204
+ # Description : Check configuration file of BIND
+ if [ ${BIND_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no NAME-4204 --preqs-met ${PREQS_MET} --weight L --network NO --description "Search BIND configuration file"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Search BIND configuration file"
+ #YYY add chrooted environments
+ for I in ${BIND_CONFIG_LOCS}; do
+ if [ -f ${I}/named.conf ]; then
+ BIND_CONFIG_LOCATION="${I}/named.conf"
+ logtext "Result: found configuration file (${BIND_CONFIG_LOCATION})"
+ fi
+ done
+ if [ ! "${BIND_CONFIG_LOCATION}" = "" ]; then
+ Display --indent 4 --text "- Checking BIND configuration file..." --result "FOUND" --color GREEN
+ else
+ Display --indent 4 --text "- Checking BIND configuration file..." --result "NOT FOUND" --color YELLOW
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : NAME-4206
+ # Description : Check BIND configuration file consistency
+ if [ ${BIND_RUNNING} -eq 1 -a ! "${BIND_CONFIG_LOCATION}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no NAME-4206 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check BIND configuration consistency"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: searching for named-checkconf binary"
+ if [ ! "${NAMEDCHECKCONFBINARY}" = "" ]; then
+ logtext "Result: named-checkconf is installed"
+ FIND=`${NAMEDCHECKCONFBINARY} ${BIND_CONFIG_LOCATION}; echo $?`
+ if [ "${FIND}" = "0" ]; then
+ logtext "Result: configuration file ${BIND_CONFIG_LOCATION} seems to be fine"
+ Display --indent 4 --text "- Checking BIND configuration consistency..." --result "OK" --color GREEN
+ else
+ logtext "Result: possible errors found in ${BIND_CONFIG_LOCATION}"
+ Display --indent 4 --text "- Checking BIND configuration consistency..." --result WARNING --color RED
+ ReportWarning ${TEST_NO} "Errors discovered in BIND configuration file"
+ fi
+ else
+ logtext "Result: named-checkconf not found, skipping test"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : NAME-4208
+ # Description : Check DNS server type (master, slave, caching, forwarding)
+ #Register --test-no NAME-4050 --weight L --network NO --description "Check nscd status"
+ #if [ ${SKIPTEST} -eq 0 ]; then
+#
+#################################################################################
+#
+ # Test : NAME-4210
+ # Description : Check if we can determine useful information from banner
+ if [ ${BIND_RUNNING} -eq 1 -a ! "${BIND_CONFIG_LOCATION}" = "" -a ! "${DIGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no NAME-4210 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check DNS banner"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Trying to determine version from banner"
+ FIND=`${DIGBINARY} @localhost version.bind chaos txt | grep "^version.bind" | grep TXT | egrep "[0-9].[0-9].[0-9]*"`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: no useful information in banner found"
+ Display --indent 4 --text "- Checking BIND version in banner ..." --result "OK" --color GREEN
+ AddHP 2 2
+ else
+ logtext "Result: possible BIND version available in version banner"
+ Display --indent 4 --text "- Checking BIND version in banner..." --result WARNING --color RED
+ ReportWarning ${TEST_NO} "M" "Found BIND version in banner"
+ ReportSuggestion ${TEST_NO} "The version in BIND can be masked by defining 'version none' in the configuration file"
+ AddHP 0 2
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : NAME-4212
+ # Description : Check version option in BIND configuration
+ #if [ ${BIND_RUNNING} -eq 1 -a ! "${BIND_CONFIG_LOCATION}" = "" -a ! "${DIGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ #Register --test-no NAME-4210 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check DNS banner"
+#
+#################################################################################
+#
+ # Test : NAME-4220
+ # Description : Check if we can perform a zone transfer of primary domain
+ #Register --test-no NAME-4220 --weight L --network NO --description "Check zone transfer"
+ #if [ ${SKIPTEST} -eq 0 ]; then
+#
+#################################################################################
+#
+ # Test : NAME-4222
+ # Description : Check if we can perform a zone transfer of PTR (of primary domain)
+ #Register --test-no NAME-4222 --weight L --network NO --description "Check zone transfer"
+ #if [ ${SKIPTEST} -eq 0 ]; then
+#
+#################################################################################
+#
+ # Test : NAME-4230
+ # Description : Check if PowerDNS is running
+ Register --test-no NAME-4230 --weight L --network NO --description "Check PowerDNS status"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking for running PowerDNS instance"
+ FIND=`${PSBINARY} ax | grep "/pdns_server" | grep -v "grep"`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: found PowerDNS process"
+ Display --indent 2 --text "- Checking PowerDNS status..." --result "RUNNING" --color GREEN
+ POWERDNS_RUNNING=1
+ else
+ logtext "Result: PowerDNS not running"
+ Display --indent 2 --text "- Checking PowerDNS status..." --result "NOT FOUND" --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : NAME-4232
+ # Description : Check PowerDNS configuration file
+ if [ ${POWERDNS_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no NAME-4232 --preqs-met ${PREQS_MET} --weight L --network NO --description "Search PowerDNS configuration file"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Search PowerDNS configuration file"
+ #YYY add chrooted environments
+ for I in ${POWERDNS_CONFIG_LOCS}; do
+ if [ -f ${I}/pdns.conf ]; then
+ POWERDNS_AUTH_CONFIG_LOCATION="${I}/pdns.conf"
+ logtext "Result: found configuration file (${POWERDNS_AUTH_CONFIG_LOCATION})"
+ fi
+ done
+ if [ ! "${POWERDNS_AUTH_CONFIG_LOCATION}" = "" ]; then
+ Display --indent 4 --text "- Checking PowerDNS configuration file..." --result "FOUND" --color GREEN
+ else
+ Display --indent 4 --text "- Checking PowerDNS configuration file..." --result "NOT FOUND" --color YELLOW
+ fi
+ fi
+#
+#################################################################################
+#
+# # Test : NAME-4234
+# # Description : Check PowerDNS configuration file consistency
+# if [ ${POWERDNS_RUNNING} -eq 1 -a ! "${POWERDNS_AUTH_CONFIG_LOCATION}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+# Register --test-no NAME-4234 --weight L --network NO --description "Check PowerDNS configuration consistency"
+# if [ ${SKIPTEST} -eq 0 ]; then
+# fi
+#
+#################################################################################
+#
+ # Test : NAME-4236
+ # Description : Check PowerDNS server backends
+ if [ ${POWERDNS_RUNNING} -eq 1 -a ! "${POWERDNS_AUTH_CONFIG_LOCATION}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no NAME-4236 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PowerDNS backends"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking for PowerDNS backends"
+ FIND=`cat ${POWERDNS_AUTH_CONFIG_LOCATION} | grep "^launch" | awk -F= '{ print $2 }'`
+ if [ ! "${FIND}" = "" ]; then
+ for I in ${FIND}; do
+ logtext "Found backend: ${I}"
+ done
+ Display --indent 4 --text "- Checking PowerDNS backends..." --result "FOUND" --color GREEN
+ else
+ logtext "Result: no PowerDNS backends found"
+ Display --indent 4 --text "- Checking PowerDNS backends..." --result "NOT FOUND" --color YELLOW
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : NAME-4238
+ # Description : Check PowerDNS authoritive status
+ if [ ${POWERDNS_RUNNING} -eq 1 -a ! "${POWERDNS_AUTH_CONFIG_LOCATION}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no NAME-4238 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PowerDNS authoritive status"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking for PowerDNS master status"
+ FIND=`cat ${POWERDNS_AUTH_CONFIG_LOCATION} | grep "^master=yes"`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Found master=yes in configuration file"
+ Display --indent 4 --text "- PowerDNS authoritive master: YES"
+ POWERDNS_AUTH_MASTER=1
+ else
+ logtext "Result: most likely not master (no master=yes)"
+ Display --indent 4 --text "- PowerDNS authoritive master: NO"
+ fi
+ logtext "Test: Checking for PowerDNS slave status"
+ FIND=`cat ${POWERDNS_AUTH_CONFIG_LOCATION} | grep "^slave=yes"`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Found slave=yes in configuration file"
+ Display --indent 4 --text "- PowerDNS authoritive slave: YES"
+ POWERDNS_AUTH_SLAVE=1
+ else
+ logtext "Result: most likely not slave (no slave=yes)"
+ Display --indent 4 --text "- PowerDNS authoritive slave: NO"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : NAME-4302
+ # Description : Check NIS ypbind daemon status
+ Register --test-no NAME-4304 --weight L --network NO --description "Check NIS ypbind status"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking status of ypbind daemon"
+ FIND=`${PSBINARY} ax | grep "ypbind" | grep -v "grep"`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: ypbind is running"
+ Display --indent 2 --text "- Checking ypbind status..." --result "FOUND" --color GREEN
+ YPBIND_RUNNING=1
+ ReportSuggestion "Disable the usage of NIS/NIS+ and use an alternative like LDAP or Kerberos instead"
+ else
+ logtext "Result: ypbind is not active"
+ Display --indent 2 --text "- Checking ypbind status..." --result "NOT FOUND" --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : NAME-4306
+ # Description : Check NIS domain
+ # Notes : FreeBSD: sysctl kern.domainname
+ if [ ${YPBIND_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no NAME-4306 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check NIS domain"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking `domainname` for NIS domain value"
+ FIND=`${DOMAINNAMEBINARY} | grep -v "(none)"`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Value: ${FIND}"
+ NISDOMAIN="${FIND}"
+ else
+ logtext "Result: no NIS domain found in command output"
+ fi
+ # Solaris / Linux style
+ logtext "Test: Checking file /etc/defaultdomain"
+ if [ -f /etc/defaultdomain ]; then
+ logtext "Result: file /etc/defaultdomain exists"
+ FIND2=`cat /etc/defaultdomain`
+ if [ ! "${FIND2}" = "" ]; then
+ logtext "Output: ${FIND2}"
+ NISDOMAIN="${FIND2}"
+ else
+ logtext "Result: no NIS domain found in file"
+ fi
+ fi
+ # Red Hat style
+ logtext "Test: checking /etc/sysconfig/network"
+ if [ -f /etc/sysconfig/network ]; then
+ logtext "Result: file /etc/sysconfig/network exists"
+ logtext "Test: checking NISDOMAIN value in file"
+ FIND3=`grep "^NISDOMAIN" /etc/sysconfig/network | awk -F= '{ print $2 }' | sed 's/"//g'`
+ if [ ! "${FIND3}" = "" ]; then
+ logtext "Found NIS domain: ${FIND3}"
+ NISDOMAIN="${FIND3}"
+ else
+ logtext "Result: No NIS domain found in file"
+ fi
+ else
+ logtext "Result: file /etc/sysconfig/network does not exist"
+ fi
+
+ # Check sysctl (e.g. FreeBSD)
+ logtext "Test: checking sysctl for kern.domainname"
+ FIND=`sysctl -a 2>&1 | grep "^kern.domainname" | awk -F: '{ print $2 }' | sed 's/ //g' | grep -v "^$"`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: found NIS domain via sysctl"
+ NISDOMAIN="${FIND}"
+ fi
+ # Check if we found any NIS domain
+ if [ ! "${NISDOMAIN}" = "" ]; then
+ logtext "Found NIS domain: ${NISDOMAIN}"
+ report "nisdomain=${NISDOMAIN}"
+ Display --indent 4 --text "- Checking NIS domain..." --result "FOUND" --color GREEN
+ else
+ logtext "Result: No NIS domain found"
+ Display --indent 4 --text "- Checking NIS domain..." --result "UNKNOWN" --color YELLOW
+ fi
+ fi
+#
+#################################################################################
+#
+ if [ -f /etc/hosts ]; then
+ Display --indent 2 --text "- Checking /etc/hosts"
+ fi
+
+ # Test : NAME-4402
+ # Description : Check /etc/hosts configuration
+ Register --test-no NAME-4402 --weight L --network NO --description "Check duplicate line in /etc/hosts"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: check duplicate line in /etc/hosts"
+ if [ -f /etc/hosts ]; then
+ sFIND=`cat /etc/hosts | egrep -v '^(#|$)' | uniq -d`
+ if [ "${sFIND}" = "" ]; then
+ logtext "Result: OK, no duplicate lines found"
+ Display --indent 4 --text "- Checking /etc/hosts (duplicates)" --result OK --color GREEN
+ else
+ logtext "Found duplicate line: ${sFIND}"
+ logtext "Result: found duplicate line"
+ Display --indent 4 --text "- Checking /etc/hosts (duplicates)" --result SUGGESTION --color YELLOW
+ ReportSuggestion ${TEST_NO} "L" "Remove duplicate lines in /etc/hosts"
+ fi
+ else
+ logtext "Result: /etc/hosts not found, test skipped"
+ Display --indent 4 --text "Searching duplicate line..." --result "SKIPPED" --color YELLOW
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : NAME-4404
+ # Description : Check /etc/hosts contains an entry for this server name
+ Register --test-no NAME-4404 --weight L --network NO --description "Check /etc/hosts contains an entry for this server name"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Check /etc/hosts contains an entry for this server name"
+ if [ -f /etc/hosts ]; then
+ sFIND=`cat /etc/hosts | egrep -v '^(#|$|::1|localhost)' | grep ${HOSTNAME}`
+ if [ "${sFIND}" != "" ]; then
+ logtext "Result: Found entry for ${HOSTNAME} in /etc/hosts"
+ Display --indent 4 --text "- Checking /etc/hosts (hostname)" --result OK --color GREEN
+ else
+ logtext "Result: No entry found for ${HOSTNAME} in /etc/hosts"
+ Display --indent 4 --text "- Checking /etc/hosts (hostname)" --result SUGGESTION --color YELLOW
+ ReportSuggestion ${TEST_NO} "Add the IP name and FQDN to /etc/hosts for proper name resolving"
+ logtext "Risk: No entry for the server name [hostname] in /etc/hosts may cause unexpected performance problems for local connections"
+ fi
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : NAME-4406
+ # Description : Check server hostname mapping
+ Register --test-no NAME-4406 --weight L --network NO --description "Check server hostname mapping"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Check server hostname not locally mapped in /etc/hosts"
+ sFIND=`cat /etc/hosts | egrep -v '^(#|$)' | egrep '(localhost|::1)' | grep ${HOSTNAME}`
+ if [ ! "${sFIND}" = "" ]; then
+ logtext "Result: Found this server hostname mapped to a local address"
+ Display --indent 4 --text "- Checking /etc/hosts (localhost)" --result SUGGESTION --color YELLOW
+ logtext "Information: Linking the hostname to the localhost entry may break some resolving. Split resolving so that localhost resolves back to 127.0.0.1 (and ::1) and the hostname of the machine to the real IP address on the network interface."
+ ReportSuggestion ${TEST_NO} "Split resolving between localhost and the hostname of the system"
+ else
+ logtext "Result: this server hostname is not mapped to a local address"
+ Display --indent 4 --text "- Checking /etc/hosts (localhost)" --result OK --color GREEN
+ fi
+ fi
+#
+#################################################################################
+#
+
+wait_for_keypress
+
+#
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
diff --git a/include/tests_networking b/include/tests_networking
new file mode 100644
index 00000000..9b4ad8a1
--- /dev/null
+++ b/include/tests_networking
@@ -0,0 +1,450 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# Networking
+#
+#################################################################################
+#
+ FOUNDPROMISC=0 # Promiscuous interfaces
+ LOCAL_DNSRESOLVER_FOUND=0 # Local DNS resolver
+ NUMBERACTIVENS=0 # Number of active nameservers
+ DHCP_CLIENT_RUNNING=0 # DHCP client availability
+#
+#################################################################################
+#
+ InsertSection "Networking"
+#
+#################################################################################
+#
+ # Test : NETW-2704 (YYY move to nameservices section)
+ # Description : Basic nameserver configuration tests (connectivity)
+ Register --test-no NETW-2704 --weight L --network YES --description "Basic nameserver configuration tests"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ Display --indent 2 --text "- Checking configured nameservers..."
+ logtext "Test: Checking /etc/resolv.conf file"
+ if [ -f /etc/resolv.conf ]; then
+ logtext "Result: Found /etc/resolv.conf file"
+ FIND=`grep '^nameserver' /etc/resolv.conf | tr -d '\t' | sed 's/nameserver*//g'`
+ if [ ! "${FIND}" = "" ]; then
+ Display --indent 4 --text "- Testing nameservers..."
+ logtext "Test: Querying nameservers"
+ for I in ${FIND}; do
+ logtext "Found nameserver: ${I}"
+ report "nameserver[]=${I}"
+ # Check if a local resolver is available (like DNSMasq)
+ if [ "${I}" = "::1" -o "${I}" = "127.0.0.1" -o "${I}" = "0.0.0.0" ]; then
+ LOCAL_DNSRESOLVER_FOUND=1
+ fi
+ if [ ! "${DIGBINARY}" = "" ]; then
+ # See if we can query something at the nameserver
+ # 0=good, other=bad
+ DNSRESPONSE=`${DIGBINARY} +noall +time=3 +retry=0 @${I} ${I} > /dev/null ; echo $?`
+ if [ "${DNSRESPONSE}" = "0" ]; then
+ Display --indent 8 --text "Nameserver: ${I}..." --result OK --color GREEN
+ logtext "Nameserver ${I} seems to respond to queries from this host."
+ # Count responsive nameservers
+ NUMBERACTIVENS=`expr ${NUMBERACTIVENS} + 1`
+ else
+ Display --indent 8 --text "Nameserver: ${I}..." --result "NO RESPONSE" --color RED
+ logtext "Result: nameserver ${I} does NOT respond"
+ logtext "Exit-code from dig: ${DNSRESPONSE}"
+ ReportSuggestion ${TEST_NO} "Check connection to this nameserver and make sure no outbound DNS queries are blocked (port 53 UDP and TCP)."
+ ReportWarning ${TEST_NO} "L" "Nameserver ${I} does not respond"
+ fi
+ else
+ logtext "Result: Nameserver test for ${I} skipped, 'dig' not installed"
+ Display --indent 6 --text "Nameserver: ${I}... " --result SKIPPED --color YELLOW
+ fi
+ done
+ fi
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : NETW-2705
+ # Description : Basic nameserver configuration tests (connectivity)
+ if [ ${LOCAL_DNSRESOLVER_FOUND} -eq 0 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no NETW-2705 --preqs-met ${PREQS_MET} --weight L --network YES --description "Check availability two nameservers"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ if [ ! "${DIGBINARY}" = "" ]; then
+ if [ ${NUMBERACTIVENS} -lt 2 ]; then
+ Display --indent 4 --text "- Minimal of 2 responsive nameservers..." --result WARNING --color RED
+ logtext "Result: less than 2 responsive nameservers found"
+ ReportWarning ${TEST_NO} "L" "Couldn't find 2 responsive nameservers"
+ logtext "Note: Non responsive nameservers can give problems for your system(s). Like the lack of recursive lookups, bad connectivity to update servers etc."
+ ReportSuggestion ${TEST_NO} "Check your resolv.conf file and fill in a backup nameserver if possible"
+ AddHP 1 2
+ else
+ Display --indent 4 --text "- Minimal of 2 responsive nameservers..." --result OK --color GREEN
+ logtext "Result: found at least 2 responsive nameservers"
+ AddHP 3 3
+ fi
+ else
+ Display --indent 4 --text "- Minimal of 2 responsive nameservers..." --result SKIPPED --color YELLOW
+ logtext "Result: dig not installed, test can't be fully performed"
+ fi
+ else
+ logtext "Result: Test most likely skipped due having local resolver in /etc/resolv.conf"
+ fi
+#
+#################################################################################
+#
+ # Test : NETW-3001
+ # Description : Find default gateway (route)
+ # More info : BSD: ^default Linux: 0.0.0.0
+ Register --test-no NETW-3001 --weight L --network NO --description "Find default gateway (route)"
+ if [ $SKIPTEST -eq 0 ]; then
+ logtext "Test: Searching default gateway(s)..."
+ FIND=`netstat -rn | egrep "^0.0.0.0|default" | tr -s ' ' | cut -d ' ' -f2`
+ if [ ! "${FIND}" = "" ]; then
+ for I in ${FIND}; do
+ logtext "Result: Found default gateway ${I}"
+ report "default_gateway[]=${I}"
+ done
+ Display --indent 2 --text "- Checking default gateway..." --result DONE --color GREEN
+ else
+ logtext "Result: No default gateway found"
+ Display --indent 2 --text "- Checking default gateway..." --result "NONE FOUND" --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : NETW-3004
+ # Description : Find available network interfaces on FreeBSD and others
+ if [ "${OS}" = "DragonFly" -o "${OS}" = "FreeBSD" -o "${OS}" = "NetBSD" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no NETW-3004 --preqs-met ${PREQS_MET} --weight L --network NO --description "Search available network interfaces on FreeBSD and others"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FIND=`${IFCONFIGBINARY} -l`
+ N=0
+ for I in ${FIND}; do
+ logtext "Found network interface: ${I}"
+ N=`expr ${N} + 1`
+ report "network_interface[]=${I}"
+ done
+ fi
+#
+#################################################################################
+#
+ # Test : NETW-3006
+ # Description : Get network MAC addresses
+ Register --test-no NETW-3006 --weight L --network NO --description "Get network MAC addresses"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FIND=""
+ case ${OS} in
+ AIX)
+ FIND=`lscfg -vl ent* | fgrep "Network Address" | cut -d"." -f14 | awk '{ ctr=1; i=1; while (ctr <= 6) { d[ctr++]=substr($0,i,2);i=i+2 } printf("%s:%s:%s:%s:%s:%s\n",d[1],d[2],d[3],d[4],d[5],d[6]) }'`
+ ;;
+ DragonFly|FreeBSD)
+ FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="ether") print $2 }' | sort | uniq`
+ ;;
+ Linux)
+ FIND=`${IFCONFIGBINARY} -a | grep "HWaddr" | awk '{ if ($4=="HWaddr") print $5 }' | sort | uniq`
+ ;;
+ MacOS)
+ FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="lladdr" || $1=="ether") print $2 }' | sort | uniq`
+ ;;
+ NetBSD)
+ FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="address:") print $2 }' | sort | uniq`
+ ;;
+ OpenBSD)
+ FIND=`${IFCONFIGBINARY} -A | awk '{ if ($1=="lladdr") print $2 }' | sort | uniq`
+ ;;
+ Solaris)
+ FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="ether") print $2 }' | sort | uniq`
+ ;;
+ *)
+ # Having a system currently unsupported? Share your details to determine MAC information
+ ReportException "${TEST_NO}:1" "No support for this OS (${OS}) to find MAC information"
+ ;;
+ esac
+ N=0
+ for I in ${FIND}; do
+ logtext "Found MAC address: ${I}"
+ N=`expr ${N} + 1`
+ report "network_mac_address[]=${I}"
+ done
+ fi
+#
+#################################################################################
+#
+ # Test : NETW-3008
+ # Description : Get network IPv4/6 addresses
+ Register --test-no NETW-3008 --weight L --network NO --description "Get network IP addresses"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FIND=""; FIND2=""
+ case ${OS} in
+ AIX)
+ FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet") print $2 }'`
+ # IPv6 support in AIX? (YYY)
+ ;;
+ DragonFly|FreeBSD|NetBSD)
+ FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet") print $2 }'`
+ FIND2=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet6") print $2 }'`
+ ;;
+ Linux)
+ FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet") print $2 }' | cut -d ':' -f2`
+ # Version which works for multiple types of ifconfig (e.g. Slackware)
+ FIND2=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet6" && $2=="addr:") { print $3 } else { if ($1=="inet6" && $3=="prefixlen") { print $2 } } }'`
+ ;;
+ MacOS)
+ FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet") print $2 }'`
+ FIND2=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet6") print $2 }'`
+ ;;
+ OpenBSD)
+ FIND=`${IFCONFIGBINARY} -A | awk '{ if ($1=="inet") print $2 }'`
+ FIND2=`${IFCONFIGBINARY} -A | awk '{ if ($1=="inet6") print $2 }'`
+ ;;
+ Solaris)
+ FIND=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet") print $2 }'`
+ FIND2=`${IFCONFIGBINARY} -a | awk '{ if ($1=="inet6") print $2 }'`
+ ;;
+ *)
+ logtext "Warning: no support yet for this OS (${OS}) to find IP address information"
+ ReportException "${TEST_NO}:1" "IP address information test not implemented for this operating system"
+ ;;
+ esac
+ N=0
+ # IPv4
+ for I in ${FIND}; do
+ logtext "Found IPv4 address: ${I}"
+ N=`expr ${N} + 1`
+ report "network_ipv4_address[]=${I}"
+ done
+ # IPv6
+ for I in ${FIND2}; do
+ logtext "Found IPv6 address: ${I}"
+ N=`expr ${N} + 1`
+ report "network_ipv6_address[]=${I}"
+ done
+
+ fi
+#
+#################################################################################
+#
+ # Test : NETW-3012
+ # Description : Check listening ports
+ Register --test-no NETW-3012 --weight L --network NO --description "Check listening ports"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FIND=""; FIND2=""
+ N=0
+ case ${OS} in
+ DragonFly|FreeBSD)
+ if [ ! "${SOCKSTATBINARY}" = "" ]; then
+ FIND=`${SOCKSTATBINARY} | awk '{ if ($7 ~ /\*:\*/) print $5"|"$6"|"$2"|" }' | sort | uniq`
+ # To strip off IP's: sed 's/|.*:/|/'
+ else
+ FIND=""
+ fi
+ FIND2=""
+ ;;
+ Linux)
+ # UDP
+ FIND=`netstat -nlp | grep "^udp" | awk '{ print $4"|"$1"|"$6"|" }' | sed 's:|[0-9]*/:|:'`
+ # TCP
+ FIND2=`netstat -nlp | grep "^tcp" | awk '{ if($6=="LISTEN") { print $4"|"$1"|"$7"|" }}' | sed 's:|[0-9]*/:|:'`
+ ;;
+
+ NetBSD)
+ if [ ! "${SOCKSTATBINARY}" = "" ]; then
+ FIND=`${SOCKSTATBINARY} | awk '{ if ($7 ~ /\*.\*/) print $5"|"$6"|"$2"|" }' | sort | uniq`
+ else
+ FIND=""
+ fi
+ FIND2=""
+ ;;
+ *)
+ # Got this exception? Provide your details and output of netstat or any other tool to determine this information.
+ ReportException "${TEST_NO}:1" "Unclear what method to use, to determine listening port information"
+ ;;
+ esac
+
+ # Retrieve information from sockstat, when available
+ logtext "Test: Retrieving sockstat information to find listening ports..."
+ if [ ! "${FIND}" = "" ]; then
+ for I in ${FIND}; do
+ N=`expr ${N} + 1`
+ logtext "Found listening info: ${I}"
+ report "network_listen_port=${I}"
+ done
+ fi
+
+ if [ ! "${FIND2}" = "" ]; then
+ for I in ${FIND2}; do
+ N=`expr ${N} + 1`
+ logtext "Found listening info: ${I}"
+ report "network_listen_port=${I}"
+ done
+ fi
+ if [ "${FIND}" = "" -a "${FIND2}" = "" ]; then
+ Display --indent 2 --text "- Getting listening ports (TCP/UDP)..." --result SKIPPED --color YELLOW
+ else
+ Display --indent 2 --text "- Getting listening ports (TCP/UDP)..." --result DONE --color GREEN
+ Display --indent 6 --text "* Found ${N} ports"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : NETW-3014
+ # Description : Checking promiscuous interfaces (BSD)
+ # Note : FreeBSD and others
+ if [ "${OS}" = "DragonFly" -o "${OS}" = "FreeBSD" -o "${OS}" = "NetBSD" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no NETW-3014 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking promiscuous interfaces (BSD)"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking promiscuous interfaces (FreeBSD)..."
+ FIND=`${IFCONFIGBINARY} | grep PROMISC | cut -d ':' -f1`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: Promiscuous interfaces: ${FIND}"
+ for I in ${FIND}; do
+ ISWHITELISTED=`grep "^if_promisc:${I}:" ${PROFILE}`
+ if [ "${ISWHITELISTED}" = "" ]; then
+ FOUNDPROMISC=1
+ ReportWarning ${TEST_NO} "H" "Found promiscuous interface (${I})"
+ logtext "Note: some tools put an interface into promiscuous mode, to capture/log network traffic"
+ else
+ logtext "Result: Found promiscuous interface ${I} (*whitelisted via profile*)"
+ fi
+ done
+ fi
+
+ # Show result
+ if [ ${FOUNDPROMISC} -eq 0 ]; then
+ Display --indent 2 --text "- Checking promiscuous interfaces..." --result OK --color GREEN
+ logtext "Result: No promiscuous interfaces found"
+ else
+ Display --indent 2 --text "- Checking promiscuous interfaces..." --result WARNING --color RED
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : NETW-3015
+ # Description : Checking promiscuous interfaces (Linux)
+ # Note : Linux
+ Register --test-no NETW-3015 --os Linux --weight L --network NO --description "Checking promiscuous interfaces (Linux)"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking promiscuous interfaces (Linux)"
+ NETWORK=`${IFCONFIGBINARY} | grep Link | tr -s ' ' | cut -d ' ' -f1`
+ if [ ! "${NETWORK}" = "" ]; then
+ for I in ${NETWORK}; do
+ FIND=`${IFCONFIGBINARY} ${I} | grep PROMISC`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: Promiscuous interface: ${I}"
+ ISWHITELISTED=`grep "^if_promisc:${I}:" ${PROFILE}`
+ if [ "${ISWHITELISTED}" = "" ]; then
+ FOUNDPROMISC=1
+ ReportWarning ${TEST_NO} "H" "Found promiscuous interface (${I})"
+ logtext "Note: some tools put an interface into promiscuous mode, to capture/log network traffic"
+ else
+ logtext "Result: Found promiscuous interface ${I} (*whitelisted via profile*)"
+ fi
+ fi
+ done
+ fi
+
+ # Show result
+ if [ ${FOUNDPROMISC} -eq 0 ]; then
+ Display --indent 2 --text "- Checking promiscuous interfaces..." --result OK --color GREEN
+ logtext "Result: No promiscuous interfaces found"
+ else
+ Display --indent 2 --text "- Checking promiscuous interfaces..." --result WARNING --color RED
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : NETW-3020
+ # Description : Checking multipath configuration (Solaris)
+#
+#################################################################################
+#
+ # Test : NETW-3024
+ # Description : Netstat/socktstat compare (FreeBSD)
+ # echo -n " - Comparing output sockstat and netstat... "
+ # logtext "Comparing output of sockstat and netstat... "
+ # NETSTATOUTPUT=`netstat -an | grep -v 'TIME_WAIT' | grep -v 'ESTABLISHED' | grep -v 'SYN_SENT' | grep -v 'CLOSE_WAIT' | grep -v 'LAST_ACK' | grep -v 'SYN_RECV' | grep -v 'CLOSING' | cut -c 1-44 | grep '*.' | cut -c 24-32 | tr -d ' ' | tr -d '\t' | grep -v '*' | sort | uniq`
+ #
+ # if [ "${SOCKSTATOUTPUT}" = "${NETSTATOUTPUT}" ]; then
+ # ShowResult OK
+ # else
+ # echo "[ ${BAD}Warning!${NORMAL} ]"
+ # logtext "WARNING!"
+ # logtext "Sockstat tested output: ${SOCKSTAT}"
+ # logtext "Netstat tested output: ${NETSTAT}"
+ # fi
+#
+#################################################################################
+#
+ # Test : NETW-3028
+ # Description : Checking for many waiting connections
+ # Type : Performance
+ Register --test-no NETW-3028 --weight L --network NO --description "Checking connections in WAIT state"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Using netstat for check for connections in WAIT state..."
+ FIND=`netstat -an | grep WAIT | wc -l | awk '{ print $1 }'`
+ if [ "${OPTIONS_CONN_MAX_WAIT_STATE}" = "" ]; then OPTIONS_CONN_MAX_WAIT_STATE="100"; fi
+ logtext "Result: currently ${FIND} connections are in a waiting state (max configured: ${OPTIONS_CONN_MAX_WAIT_STATE})."
+ if [ ${FIND} -gt ${OPTIONS_CONN_MAX_WAIT_STATE} ]; then
+ Display --indent 2 --text "- Checking waiting connections..." --result WARNING --color YELLOW
+ ReportWarning ${TEST_NO} "H" "Found too much connections in WAIT state (${FIND})"
+ else
+ Display --indent 2 --text "- Checking waiting connections..." --result OK --color GREEN
+ logtext "Result: ${FIND} connections are in WAIT state"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : NETW-3030
+ # Description : Checking for DHCP client
+ Register --test-no NETW-3030 --weight L --network NO --description "Checking DHCP client status"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ IsRunning dhclient
+ if [ ${RUNNING} -eq 1 ]; then
+ Display --indent 2 --text "- Checking status DHCP client..." --result RUNNING --color WHITE
+ #YYY report if system type is server, that it is running with DHCP client, might be a badly configured machine
+ #report "manual[]=System is running DHCP client"
+ DHCP_CLIENT_RUNNING=1
+ else
+ Display --indent 2 --text "- Checking status DHCP client..." --result "NOT ACTIVE" --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : NETW-3060
+ # Description : Check if IPv6 is configured AND used
+ # /etc/modprobe.d (add 'install ipv6 /bin/true' if IPv6 isn't used)
+ # or
+ # aliased (/etc/modprobe.d/aliases?): alias net-pf-10 off ipv6 (to disable)
+ #Register --test-no NETW-3060 --weight L --network NO --description "Checking IPv6 connectivity"
+ #if [ ${SKIPTEST} -eq 0 ]; then
+#
+#################################################################################
+#
+# Linux: net.ipv4.ip_always_defrag
+#
+#################################################################################
+#
+
+report "dhcp_client_running=${DHCP_CLIENT_RUNNING}"
+wait_for_keypress
+
+#
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
diff --git a/include/tests_php b/include/tests_php
new file mode 100644
index 00000000..fcb582a2
--- /dev/null
+++ b/include/tests_php
@@ -0,0 +1,281 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# Software: PHP
+#
+#################################################################################
+#
+ InsertSection "Software: PHP"
+
+ # Possible locations of php.ini
+ PHPINILOCS="/etc/php.ini \
+ /etc/php/cgi-php5/php.ini /etc/php/cli-php5/php.ini /etc/php/apache2-php5/php.ini \
+ /etc/php/apache2-php5.4/php.ini /etc/php/apache2-php5.5/php.ini \
+ /etc/php5/cgi/php.ini \
+ /etc/php5/cli/php.ini \
+ /etc/php5/cli-php5.4/php.ini /etc/php5/cli-php5.5/php.ini /etc/php5/cli-php5.6/php.ini \
+ /etc/php5/apache2/php.ini \
+ /private/etc/php.ini \
+ /var/www/conf/php.ini \
+ /usr/local/etc/php.ini /usr/local/lib/php.ini"
+
+ PHPINIDIRS="/etc/php5/conf.d"
+#
+#################################################################################
+#
+ # Test : PHP-2211
+ # Description : Check php.ini presence
+ Register --test-no PHP-2211 --weight L --network NO --description "Check php.ini presence"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking for presence php.ini"
+ PHPINIFILE=""
+ PHPINI_ALLFILES=""
+ for I in ${PHPINILOCS}; do
+ logtext "Test: checking presence ${I}"
+ if [ -f ${I} ]; then
+ PHPINIFILE=${I}
+ logtext "Result: Found php.ini file (${PHPINIFILE})"
+ logtext "Note: Adding file to php.ini array"
+ PHPINI_ALLFILES="${PHPINI_ALLFILES} ${PHPINIFILE}"
+ else
+ logtext "Result: file ${I} not found"
+ fi
+ done
+
+ # Check all known locations
+ for I in ${PHPINIDIRS}; do
+ tFILES=`ls ${I}/*.ini 2>/dev/null`
+ if [ "${tFILES}" = "" ]; then
+ logtext "Result: no files found for ${I}"
+ else
+ logtext "Result: found files in location ${I}, checking.."
+ for I in ${tFILES}; do
+ if [ -f ${I} ]; then
+ logtext "Result: file ${I} exists, adding to php.ini array"
+ PHPINI_ALLFILES="${PHPINI_ALLFILES} ${I}"
+ fi
+ done
+ fi
+ done
+
+ if [ ! "${PHPINIFILE}" = "" ]; then
+ Display --indent 2 --text "- Checking PHP..." --result "FOUND" --color GREEN
+ logtext "Result: using single file ${PHPINIFILE} for main php.ini tests"
+ logtext "Result: using php.ini array ${PHPINI_ALLFILES} for further tests"
+ else
+ Display --indent 2 --text "- Checking PHP..." --result "NOT FOUND" --color WHITE
+ logtext "Result: no php.ini file found"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : PHP-2320
+ # Description : Check php disable functions option
+ if [ ! "${PHPINI_ALLFILES}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no PHP-2320 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP disabled functions"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FOUND=0
+ for I in ${PHPINI_ALLFILES}; do
+ logtext "Test: Checking for PHP function hardening disabled_functions or suhosin.executor.func.blacklist in file ${I}"
+ FIND=`grep "^disable_functions.*=" ${I}`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: ${I}: disabled_functions not found"
+ else
+ logtext "Result: ${I}: found disabled_functions"
+ FOUND=1
+ fi
+
+ FIND=`grep "^suhosin.executor.func.blacklist=" ${I}`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: ${I}: suhosin.executor.func.blacklist not found"
+ else
+ logtext "Result: ${I}: found suhosin.executor.func.blacklist"
+ FOUND=1
+ fi
+ done
+ if [ ${FOUND} -eq 0 ]; then
+ logtext "Result: all PHP functions can be executed"
+ Display --indent 4 --text "- Checking PHP disabled functions..." --result "NONE" --color YELLOW
+ ReportSuggestion ${TEST_NO} "Harden PHP by disabling risky functions"
+ logtext "Functions of interest to research/disable: chown, diskfreespace, disk_free_space, disk_total_space, dl, exec, escapeshellarg, escapeshellcmd, fileinode, highlight_file, max_execution_time, passthru, pclose, phpinfo, popen, proc_close, proc_open, proc_get_status, proc_nice, proc_open, proc_terminate, set_time_limit, shell_exec, show_source, system)"
+ AddHP 0 1
+ else
+ logtext "Result: one or more PHP functions are disabled/blacklisted"
+ Display --indent 4 --text "- Checking PHP disabled functions..." --result "FOUND" --color GREEN
+ AddHP 3 3
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : PHP-2368
+ # Description : Check php register_globals option
+ # Notes : Don't test for it if PHP version is 5.4.0 or later (it has been removed)
+ if [ ! "${PHPINIFILE}" = "" -a ! "${PHPVERSION}" = "" ]; then
+ FIND=`echo ${PHPVERSION} | ${EGREPBINARY} "^(4.|5.[0-3])"`
+ if [ "${FIND}" = "" ]; then
+ PREQS_MET="NO"; Debug "Found most likely PHP version 5.4.0 or higher (${PHPVERSION}) which does not use register_globals"
+ else
+ PREQS_MET="YES"; Debug "Found PHP version 4 or up to 5.3 (${FIND}) which we are going to scan"
+ fi
+ else
+ Debug "Skipping test: php.ini not found, or PHP version empty"
+ Debug "php.ini: ${PHPINIFILE}"
+ Debug "version: ${PHPVERSION}"
+ fi
+ Register --test-no PHP-2368 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP register_globals option"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking PHP register_globals option.."
+ FIND=`cat ${PHPINIFILE} | egrep -i 'register_globals.*(on|yes|1)' | grep -v '^;'`
+ if [ ! "${FIND}" = "" ]; then
+ Display --indent 4 --text "- Checking register_globals option..." --result WARNING --color RED
+ ReportWarning ${TEST_NO} "M" "PHP option register_globals option is turned on, which can be a risk for variable value overwriting"
+ ReportSuggestion ${TEST_NO} "Change the register_globals line to: register_globals = Off"
+ logtext "Result: register_globals option is turned on, which can be a risk for variable value overwriting."
+ AddHP 1 2
+ else
+ Display --indent 4 --text "- Checking register_globals option..." --result OK --color GREEN
+ logtext "Result: No 'register_globals' found. Most likely it is in disabled state (0, no, or off), which is the default nowadays and considered the safe value."
+ ReportManual ${TEST_NO}:01
+ AddHP 2 2
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : PHP-2372
+ # Description : Check php expose_php option
+ # Notes : Extend test to check all PHP files YYY
+ if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no PHP-2372 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP expose_php option"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking expose_php option.."
+ FIND=`cat ${PHPINIFILE} | egrep -i 'expose_php.*(off|no|0)' | grep -v '^;'`
+ if [ "${FIND}" = "" ]; then
+ Display --indent 4 --text "- Checking expose_php option..." --result ON --color RED
+ ReportWarning ${TEST_NO} "M" "PHP option expose_php is possibly turned on, which can reveal useful information for attackers."
+ ReportSuggestion ${TEST_NO} "Change the expose_php line to: expose_php = Off"
+ report "Result: expose_php option is turned on, which can expose useful information for an attacker"
+ AddHP 1 2
+ else
+ Display --indent 4 --text "- Checking expose_php option..." --result OFF --color GREEN
+ logtext "Result: Found 'expose_php' in disabled state (0, no, or off)"
+ AddHP 2 2
+ fi
+ #YYY Check through all files
+ fi
+#
+#################################################################################
+#
+ # Test : PHP-2374
+ # Description : Check PHP enable_dl option
+ # Notes : Extend test to check all PHP files YYY
+ if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no PHP-2374 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP enable_dl option"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking PHP enable_dl option.."
+ FIND=`cat ${PHPINIFILE} | egrep -i 'enable_dl.*(off|no|0)' | grep -v '^;'`
+ if [ "${FIND}" = "" ]; then
+ Display --indent 4 --text "- Checking enable_dl option..." --result ON --color YELLOW
+ report "Result: enable_dl option is turned on, which can be used for riskful downloads via PHP"
+ ReportSuggestion ${TEST_NO} "Change the enable_dl line to: enable_dl = Off, to disable downloads via PHP"
+ AddHP 0 1
+ else
+ Display --indent 4 --text "- Checking enable_dl option..." --result OFF --color GREEN
+ logtext "Result: Found 'enable_dl' in disabled state (0, no, or off)"
+ AddHP 2 2
+ fi
+ #YYY Check through all files
+ fi
+#
+#################################################################################
+#
+ # Test : PHP-2376
+ # Description : Check PHP allow_url_fopen option
+ # Notes : Extend test to check all PHP files YYY
+ if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no PHP-2376 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP allow_url_fopen option"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking PHP allow_url_fopen option.."
+ FIND=`cat ${PHPINIFILE} | egrep -i 'allow_url_fopen.*(off|no|0)' | grep -v '^;'`
+ if [ "${FIND}" = "" ]; then
+ Display --indent 4 --text "- Checking allow_url_fopen option..." --result ON --color YELLOW
+ report "Result: allow_url_fopen option is turned on, which can be used for riskful downloads via PHP"
+ ReportSuggestion ${TEST_NO} "Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP"
+ AddHP 0 1
+ else
+ Display --indent 4 --text "- Checking allow_url_fopen option..." --result OFF --color GREEN
+ logtext "Result: Found 'allow_url_fopen' in disabled state (0, no, or off)"
+ AddHP 2 2
+ fi
+ #YYY Check through all files
+ fi
+#
+#################################################################################
+#
+ # Test : PHP-2378
+ # Description : Check PHP allow_url_include option
+ # Notes : Extend test to check all PHP files YYY
+ if [ ! "${PHPINIFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no PHP-2378 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check PHP allow_url_include option"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking PHP allow_url_include option.."
+ FIND=`cat ${PHPINIFILE} | egrep -i 'allow_url_include.*(off|no|0)' | grep -v '^;'`
+ if [ "${FIND}" = "" ]; then
+ Display --indent 4 --text "- Checking allow_url_include option..." --result ON --color YELLOW
+ report "Result: allow_url_include option is turned on, which can be used for riskful downloads via PHP"
+ ReportSuggestion ${TEST_NO} "Change the allow_url_include line to: allow_url_include = Off, to disable downloads via PHP"
+ AddHP 0 1
+ else
+ Display --indent 4 --text "- Checking allow_url_include option..." --result OFF --color GREEN
+ logtext "Result: Found 'allow_url_include' in disabled state (0, no, or off)"
+ AddHP 2 2
+ fi
+ #YYY Check through all files
+ fi
+#
+#################################################################################
+#
+# Disable/use functions:
+# safe_mode (only for PHP5?)
+# open_basedir (limits access to defined directory, comparable with chrooting)
+# disable_classes
+# session.save_path
+# session.referer_check
+# upload_tmp_dir
+# file_uploads Off, if possible
+# Set display_errors to Off
+# Set log_errors to On and define error_log (with value Syslog or a filename)
+#
+#################################################################################
+#
+ # mod_suexec
+ # suPHP (/etc/suphp.conf)
+#
+#################################################################################
+#
+ # Test : PHP-2388
+ # Description : Check php version number
+#
+#################################################################################
+#
+
+wait_for_keypress
+
+#
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
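Review bot: Four of the php.ini option tests send their result text to the report file instead of the log: `report "Result: expose_php option is turned on, which can expose useful information for an attacker"` in PHP-2372, and the same `report "Result: ..."` pattern in PHP-2374, PHP-2376 and PHP-2378 for enable_dl, allow_url_fopen and allow_url_include. Elsewhere on this page `report` carries key=value data (`report "dhcp_client_running=..."`, `report "package_manager[]=pkg"`) while "Result:" prose goes through `logtext`, so these free-text lines pollute the machine-readable report; each should read `logtext "Result: ..."` instead. Separately, in PHP-2368 the `else` branch of the prerequisite check only emits Debug lines and never assigns `PREQS_MET`, so Register inherits whatever PHP-2320 left in it; adding `PREQS_MET="NO"` as the first line of that branch makes the skip explicit rather than dependent on the previous test's state.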
diff --git a/include/tests_ports_packages b/include/tests_ports_packages
new file mode 100644
index 00000000..96ff5eb7
--- /dev/null
+++ b/include/tests_ports_packages
@@ -0,0 +1,797 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# Ports and packages
+#
+#################################################################################
+#
+ InsertSection "Ports and packages"
+ PACKAGE_MGR_PKG=0
+ PKG_AUDIT_TOOL_FOUND=0
+#
+#################################################################################
+#
+ Display --indent 2 --text "- Searching package managers..."
+
+ # Test : PKGS-7301
+ # Description : Query FreeBSD pkg
+ if [ -x /usr/sbin/pkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no PKGS-7301 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query NetBSD pkg"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FIND=`pkg -N 2>&1; echo $?`
+ if [ "${FIND}" = "0" ]; then
+ Display --indent 4 --text "- Searching packages with pkg..." --result FOUND --color GREEN
+ report "package_manager[]=pkg"
+ PACKAGE_MGR_PKG=1
+ #logtext "Result: Found pkg"
+ #logtext "Test: Querying pkg to get package list..."
+ #Display --indent 6 --text "- Querying pkg for installed packages..."
+ #logtext "Output:"; logtext "-----"
+ #SPACKAGES=`/usr/sbin/pkg_info 2>&1 | sort | tr -s ' ' | cut -d ' ' -f1 | sed -e 's/^\(.*\)-\([0-9].*\)$/\1,\2/g'`
+ #for J in ${SPACKAGES}; do
+ # sPKG_NAME=`echo ${J} | cut -d ',' -f1`
+ # sPKG_VERSION=`echo ${J} | cut -d ',' -f2`
+ # logtext "Installed package: ${sPKG_NAME} (version: ${sPKG_VERSION})"
+ # report "installed_package[]=${sPKG_NAME}|${sPKG_VERSION}|"
+ #done
+ else
+ Display --indent 4 --text "- Searching pkg..." --result "NOT INSTALLED" --color YELLOW
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : PKGS-7302
+ # Description : Query FreeBSD/NetBSD pkg_info
+ if [ -x /usr/sbin/pkg_info ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no PKGS-7302 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query FreeBSD/NetBSD pkg_info"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ N=0
+ Display --indent 4 --text "- Checking pkg_info..." --result FOUND --color GREEN
+ logtext "Result: Found pkg_info"
+ report "package_manager[]=pkg_info"
+ logtext "Test: Querying pkg_info to get package list..."
+ Display --indent 6 --text "- Querying pkg_info for installed packages..."
+ logtext "Output:"; logtext "-----"
+ SPACKAGES=`/usr/sbin/pkg_info 2>&1 | sort | tr -s ' ' | cut -d ' ' -f1 | sed -e 's/^\(.*\)-\([0-9].*\)$/\1,\2/g'`
+ for J in ${SPACKAGES}; do
+ N=`expr ${N} + 1`
+ sPKG_NAME=`echo ${J} | cut -d ',' -f1`
+ sPKG_VERSION=`echo ${J} | cut -d ',' -f2`
+ logtext "Installed package: ${sPKG_NAME} (version: ${sPKG_VERSION})"
+ report "installed_package[]=${sPKG_NAME}|${sPKG_VERSION}|"
+ done
+ report "installed_packages=${N}"
+ fi
+#
+#################################################################################
+#
+# Temporary disabled due false positives
+# Packages like docbook, gcc, automake report multiple installed versions
+# # Test : PKGS-7303
+# # Description : Query FreeBSD pkg_info
+# if [ -x /usr/sbin/pkg_info ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+# Register --test-no PKGS-7303 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query FreeBSD for double installed packages"
+# if [ ${SKIPTEST} -eq 0 ]; then
+# SDOUBLEINSTALLED=`pkg_info | sort | sed -e 's/-[0-9].*$//' | uniq -c | grep -v '^[[:space:]]*1' | tr -s ' ' | cut -d ' ' -f3`
+# if [ "${SDOUBLEINSTALLED}" = "" ]; then
+# Display --indent 6 --text "- Querying pkg_info for double installed packages..." --result OK --color GREEN
+# logtext "Ok, no packages show up twice or more in the package listing."
+# else
+# Display --indent 6 --text "- Querying pkg_info for double installed packages..." --result WARNING --color RED
+# for J in ${SDOUBLEINSTALLED}; do
+# ReportWarning ${TEST_NO} "M" "Found probably incorrect installed package (${J})"
+# logtext "This package ${J} is visible twice or more in the pkg_info listing."
+# ReportSuggestion ${TEST_NO} "(FreeBSD) run pkgdb -F and check this manually."
+# ReportSuggestion ${TEST_NO} "(OpenBSD) check dependencies to see if one of the double "
+# logtext "installed packages is unneeded."
+# report "double_installed_package[]=${J}"
+# done
+# fi
+# else
+# Display --indent 4 --text "- Searching pkg_info..." --result "NOT FOUND" --color WHITE
+# logtext "Result: pkg_info can NOT be found on this system"
+# fi
+#
+#################################################################################
+#
+ # Test : PKGS-7306
+ # Description : Solaris packages
+ if [ -x /usr/bin/pkginfo ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no PKGS-7306 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Querying Solaris packages"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ Display --indent 4 --text "- Searching pkginfo..." --result FOUND --color GREEN
+ logtext "Result: Found Solaris pkginfo"
+ report "package_manager[]=pkginfo"
+ logtext "Test: Querying pkginfo to get package list"
+ Display --indent 4 --text "- Querying pkginfo for installed packages..."
+ logtext "Output:"; logtext "-----"
+ # Strip SUNW from strings
+ SPACKAGES=`/usr/bin/pkginfo -i | tr -s ' ' | cut -d ' ' -f2 | sed "s#^SUNW##"`
+ for J in ${SPACKAGES}; do
+ logtext "Found package ${J}"
+ report "installed_package[]=${J}||"
+ done
+ else
+ logtext "Result: pkginfo can NOT be found on this system"
+ fi
+#
+#
+#################################################################################
+#
+ # Test : PKGS-7308
+ # Description : RPM package based systems
+ if [ ! "${RPMBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no PKGS-7308 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking package list with RPM"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ N=0
+ Display --indent 4 --text "- Searching RPM package manager..." --result FOUND --color GREEN
+ logtext "Result: Found rpm binary (${RPMBINARY})"
+ report "package_manager[]=rpm"
+ logtext "Test: Querying 'rpm -qa' to get package list"
+ Display --indent 6 --text "- Querying RPM package manager..."
+ logtext "Output:"; logtext "--------"
+ SPACKAGES=`${RPMBINARY} -qa | sort`
+ if [ "${SPACKAGES}" = "" ]; then
+ logtext "Result: RPM binary available, but package list seems to be empty"
+ logtext "Info: looks like the rpm binary is installed, but not used for package installation"
+ else
+ for J in ${SPACKAGES}; do
+ N=`expr ${N} + 1`
+ logtext "Found package: ${J}"
+ report "installed_package[]=${J}||"
+ done
+ report "installed_packages=${N}"
+
+ fi
+ else
+ logtext "Result: RPM binary NOT found on this system, test skipped"
+ fi
+#
+#################################################################################
+#
+ # Test : PKGS-7310
+ # Description : pacman package based systems
+ if [ ! "${PACMANBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no PKGS-7310 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking package list with pacman"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ N=0
+ Display --indent 4 --text "- Searching pacman package manager..." --result FOUND --color GREEN
+ logtext "Result: Found pacman binary (${PACMANBINARY})"
+ report "package_manager[]=pacman"
+ logtext "Test: Querying 'pacman -Q' to get package list"
+ Display --indent 6 --text "- Querying pacman package manager..."
+ logtext "Output:"; logtext "--------"
+ SPACKAGES=`${PACMANBINARY} -Q | sort | sed 's/ /,/g'`
+ if [ "${SPACKAGES}" = "" ]; then
+ logtext "Result: pacman binary available, but package list seems to be empty"
+ logtext "Info: looks like the pacman binary is installed, but not used for package installation"
+ #YYY ReportException?
+ else
+ for J in ${SPACKAGES}; do
+ N=`expr ${N} + 1`
+ PACKAGE_NAME=`echo ${J} | awk -F, '{ print $1 }'`
+ PACKAGE_VERSION=`echo ${J} | awk -F, '{ print $2 }'`
+ logtext "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
+ report "installed_package[]=${PACKAGE_NAME}|${PACKAGE_VERSION}|"
+ done
+ report "installed_packages=${N}"
+
+ fi
+ else
+ logtext "Result: pacman binary NOT found on this system, test skipped"
+ fi
+#
+#################################################################################
+#
+ # Test : PKGS-7312
+ # Description : HP-UX packages
+ # Notes : swlist -l fileset (|grep patch) / print_manifest
+#
+#################################################################################
+#
+ # Test : PKGS-7316
+ # Description : AIX patches
+ # Notes : /usr/sbin/instfix -c -i | cut -d":" -f1
+#
+#################################################################################
+#
+ # Test : PKGS-7328
+ # Description : Check installed packages with Zypper
+ if [ ! "${ZYPPERBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no PKGS-7328 --preqs-met ${PREQS_MET} --weight L --network NO --description "Querying Zypper for installed packages"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ N=0
+ FIND=`${ZYPPERBINARY} se -i | awk '{ if ($1=="i") { print $3 } }'`
+ if [ ! "${FIND}" = "" ]; then
+ for I in ${FIND}; do
+ N=`expr ${N} + 1`
+ logtext "Installed package: ${I}"
+ report "installed_package[]=${I}|-|"
+ done
+ report "installed_packages=${N}"
+ else
+ # Could not find any installed packages
+ ReportException ${TEST_NO} "No installed packages found with Zypper"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : PKGS-7330
+ # Description : Check vulnerable packages with Zypper
+ if [ ! "${ZYPPERBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no PKGS-7330 --preqs-met ${PREQS_MET} --weight L --network NO --description "Querying Zypper for vulnerable packages"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FIND=`${ZYPPERBINARY} lp | ${AWKBINARY} '{ if ($7=="security") { if ($11=="update") { print $13 } else { print $11 } } }' | sed 's/:$//' | grep -v "^$" | sort | uniq`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: No security updates found with Zypper"
+ Display --indent 2 --text "- Using Zypper to obtain vulnerabile packages" --result NONE --color GREEN
+ else
+ Display --indent 2 --text "- Using Zypper to obtain vulnerabilities" --result WARNING --color RED
+ logtext "Result: Zypper found one or more installed packages which are vulnerable."
+ ReportWarning ${TEST_NO} "H" "Found one or more vulnerable packages installed"
+ logtext "List of vulnerable packages/version:"
+ for I in ${FIND}; do
+ report "vulnerable_package[]=${I}"
+ logtext "Vulnerable package: ${I}"
+ # Decrease hardening points for every found vulnerable package
+ AddHP 1 2
+ done
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : PKGS-7345
+ # Description : Debian package based systems (dpkg)
+ if [ -x /usr/bin/dpkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no PKGS-7345 --preqs-met ${PREQS_MET} --weight L --network NO --description "Querying dpkg"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ N=0
+ Display --indent 4 --text "- Searching dpkg package manager" --result FOUND --color GREEN
+ logtext "Result: Found dpkg binary"
+ report "package_manager[]=dpkg"
+ logtext "Test: Querying dpkg -l to get package list"
+ Display --indent 6 --text "- Querying package manager..."
+ logtext "Output:"
+ SPACKAGES=`dpkg -l 2>/dev/null | grep "^ii" | tr -s ' ' | tr ' ' '#' | sort`
+ for J in ${SPACKAGES}; do
+ N=`expr ${N} + 1`
+ PACKAGE_NAME=`echo ${J} | cut -d '#' -f2`
+ PACKAGE_VERSION=`echo ${J} | cut -d '#' -f3`
+ logtext "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
+ report "installed_package[]=${PACKAGE_NAME}|${PACKAGE_VERSION}|"
+ done
+ report "installed_packages=${N}"
+ else
+ logtext "Result: dpkg can NOT be found on this system, test skipped"
+ fi
+#
+#################################################################################
+#
+ # Test : PKGS-7346
+ # Description : Check packages which are removed, but still own configuration files, cron jobs etc
+ # Notes : Cleanup: for pkg in `dpkg -l | grep "^rc" | cut -d' ' -f3`; do aptitude purge ${pkg}; done
+ if [ -x /usr/bin/dpkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no PKGS-7346 --preqs-met ${PREQS_MET} --weight L --network NO --description "Search unpurged packages on system"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ N=0
+ logtext "Test: Querying dpkg -l to get unpurged packages"
+ SPACKAGES=`dpkg -l 2>/dev/null | grep "^rc" | cut -d ' ' -f3 | sort`
+ if [ "${SPACKAGES}" = "" ]; then
+ Display --indent 4 --text "- Query unpurged packages" --result NONE --color GREEN
+ logtext "Result: no packages found with left overs"
+ else
+ Display --indent 4 --text "- Query unpurged packages" --result FOUND --color YELLOW
+ logtext "Result: found one or more packages with left over configuration files, cron jobs etc"
+ logtext "Output:"
+ for J in ${SPACKAGES}; do
+ N=`expr ${N} + 1`
+ logtext "Found unpurged package: ${J}"
+ done
+ ReportSuggestion ${TEST_NO} "Purge old/removed packages (${N} found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts."
+ fi
+ else
+ logtext "Result: dpkg can NOT be found on this system, test skipped"
+ fi
+#
+#################################################################################
+
+ # Test : PKGS-7348
+ # Description : Show unneeded distfiles if present
+ # Notes : Portsclean seems to be gone from the ports, so no suggestion or warning is
+ # issued when it's missing.
+ # Add portmaster --clean-distfiles-all
+ Register --test-no PKGS-7348 --os FreeBSD --weight L --network NO --description "Check for old distfiles"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ if [ -x /usr/local/sbin/portsclean ]; then
+ FIND=`/usr/local/sbin/portsclean -n -DD | grep 'Delete' | wc -l | tr -d ' '`
+ if [ ${FIND} -eq 0 ]; then
+ Display --indent 2 --text "- Checking presence old distfiles" --result OK --color GREEN
+ logtext "Result: no unused distfiles found"
+ else
+ Display --indent 2 --text "- Checking presence old distfiles" --result WARNING --color YELLOW
+ logtext "Result: found ${FIND} unused distfiles"
+ ReportSuggestion ${TEST_NO} "Unused distfiles found. Use portsclean to delete these files. For example: portsclean -DD."
+ fi
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : PKGS-7378
+ # Description : Query FreeBSD portmaster for available port upgrades
+ if [ -x /usr/local/sbin/portmaster ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no PKGS-7378 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query portmaster for port upgrades"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ N=0
+ logtext "Test: Querying portmaster for possible port upgrades"
+ UPACKAGES=`/usr/local/sbin/portmaster -L | grep "version available" | awk '{ print $5 }'`
+ for J in ${UPACKAGES}; do
+ N=`expr ${N} + 1`
+ logtext "Upgrade available (new version): ${J}"
+ report "upgrade_available[]=${J}"
+ done
+ report "upgrade_available_count=${N}"
+ if [ ${N} -eq 0 ]; then
+ logtext "Result: no upgrades found"
+ Display --indent 2 --text "- Checking portmaster for updates" --result NONE --color GREEN
+ else
+ Display --indent 2 --text "- Checking portmaster for updates" --result FOUND --color YELLOW
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : PKGS-7380
+ # Description : Check for vulnerable NetBSD packages (with pkg_admin)
+ Register --test-no PKGS-7381 --os NetBSD --weight L --network NO --description "Check for vulnerable NetBSD packages"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ if [ -x /usr/sbin/pkg_admin ]; then
+ FIND=`/usr/sbin/pkg_admin audit`
+ PKG_AUDIT_TOOL_FOUND=1
+ PKG_AUDIT_TOOL="pkg_admin audit"
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: pkg audit results are clean"
+ Display --indent 2 --text "- Checking pkg_admin audit to obtain vulnerable packages" --result NONE --color GREEN
+ AddHP 2 2
+ else
+ Display --indent 2 --text "- Checking pkg_admin audit to obtain vulnerable packages" --result WARNING --color RED
+ logtext "Result: pkg_admin audit found one or more installed packages which are vulnerable."
+ ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages."
+ logtext "List of vulnerable packages/version:"
+ for I in `/usr/sbin/pkg_admin audit | awk '{ print $2 }' | sort | uniq`; do
+ report "vulnerable_package[]=${I}"
+ logtext "Vulnerable package: ${I}"
+ # Decrease hardening points for every found vulnerable package
+ AddHP 1 2
+ done
+ fi
+ else
+ Display --indent 2 --text "- pkg_admin audit not installed" --result "NOT FOUND" --color WHITE
+ logtext "Result: pkg_admin audit not installed, skipping this vulnerability test."
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : PKGS-7381
+ # Description : Check for vulnerable FreeBSD packages (with pkg)
+ Register --test-no PKGS-7381 --os FreeBSD --weight L --network NO --description "Check for vulnerable FreeBSD packages"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ if [ -x /usr/sbin/pkg ]; then
+ FIND=`/usr/sbin/pkg audit | grep 'problem(s) in your installed packages found' | grep -v '0 problem(s) in your installed packages found'`
+ PKG_AUDIT_TOOL_FOUND=1
+ PKG_AUDIT_TOOL="pkg audit"
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: pkg audit results are clean"
+ Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result NONE --color GREEN
+ # Don't check yet, output of found vulnerable packages unclear (YYY)
+ else
+ logtext "Result: ${FIND}"
+ #Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages..." --result WARNING --color RED
+ #logtext "Result: pkg audit found one or more installed packages which are vulnerable."
+ #ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages."
+ #ReportSuggestion ${TEST_NO} "Update your system with portupgrade or other tools"
+ #logtext "List of vulnerable packages/version:"
+ #for I in `/usr/sbin/pkg audit -F | grep "Affected package" | cut -d ' ' -f3 | sort | uniq`; do
+ # report "vulnerable_package[]=${I}"
+ # logtext "Vulnerable package: ${I}"
+ # # Decrease hardening points for every found vulnerable package
+ # AddHP 1 2
+ #done
+ fi
+ else
+ Display --indent 2 --text "- pkg audit not installed" --result "NOT FOUND" --color WHITE
+ logtext "Result: pkg audit not installed, skipping this vulnerability test."
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : PKGS-7382
+ # Description : Check for vulnerable FreeBSD packages
+ Register --test-no PKGS-7382 --os FreeBSD --weight L --network NO --description "Check for vulnerable FreeBSD packages"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ if [ -x /usr/local/sbin/portaudit ]; then
+ PKG_AUDIT_TOOL_FOUND=1
+ FIND=`/usr/local/sbin/portaudit | grep 'problem(s) in your installed packages found' | grep -v '0 problem(s) in your installed packages found'`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: Portaudit results are clean"
+ Display --indent 2 --text "- Checking portaudit to obtain vulnerabile packages" --result NONE --color GREEN
+ else
+ Display --indent 2 --text "- Checking portaudit to obtain vulnerabilities" --result WARNING --color RED
+ logtext "Result: Portaudit found one or more installed packages which are vulnerable."
+ ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages."
+ ReportSuggestion ${TEST_NO} "Update your system with portupgrade or other tools"
+ logtext "List of vulnerable packages/version:"
+ for I in `/usr/local/sbin/portaudit | grep "Affected package" | cut -d ' ' -f3 | sort | uniq`; do
+ report "vulnerable_package[]=${I}"
+ logtext "Vulnerable package: ${I}"
+ # Decrease hardening points for every found vulnerable package
+ AddHP 1 2
+ done
+ fi
+ else
+ # Don't advice portaudit anymore, as pkg audit is the replacement (pkgng)
+ logtext "Result: Portaudit not installed, can't perform vulnerability test."
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : PKGS-7383
+ # Description : Check for YUM package Update management
+ if [ ! "${YUMBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no PKGS-7383 --preqs-met ${PREQS_MET} --os Linux --weight M --network NO --description "Check for YUM package Update management"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: YUM package update management"
+ sFIND=`${YUMBINARY} repolist 2>/dev/null | grep repolist | sed 's/ //g' | sed 's/[,.]//g' | awk -F ":" '{print $2}'`
+ if [ "$(echo ${sFIND} | egrep "^[0-9]+$")" -a "${sFIND}" = "0" ]; then
+ logtext "Result: YUM package update management failed"
+ Display --indent 2 --text "- Checking YUM package management consistency" --result WARNING --color RED
+ ReportWarning ${TEST_NO} "M" "YUM is not properly configured or registered for this platform (no repolist found)"
+ #ReportSuggestion ${TEST_NO} "Check YUM registration for repository configuration (repolist)"
+ else
+ logtext "Result: YUM repository available (${sFIND})"
+ Display --indent 2 --text "- Checking YUM package management consistency" --result OK --color GREEN
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : PKGS-7384
+ # Description : Search for YUM utils package
+ if [ ! "${YUMBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no PKGS-7384 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --description "Check for YUM utils package"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ if [ -x /usr/bin/package-cleanup ]; then
+ logtext "Result: found YUM utils package (/usr/bin/package-cleanup)"
+ # Check for duplicates
+ logtext "Test: Checking for duplicate packages"
+ FIND=`/usr/bin/package-cleanup -q --dupes > /dev/null; echo $?`
+ if [ "${FIND}" = "0" ]; then
+ logtext "Result: No duplicate packages found"
+ Display --indent 2 --text "- Checking package database duplicates" --result OK --color GREEN
+ else
+ logtext "Result: One or more duplicate packages found"
+ Display --indent 2 --text "- Checking package database duplicates" --result WARNING --color RED
+ ReportWarning ${TEST_NO} "L" "Found one or more duplicate packages installed"
+ ReportSuggestion ${TEST_NO} "Run package-cleanup to solve duplicate package problems"
+ fi
+
+ # Check for package database problems
+ logtext "Test: Checking for database problems"
+ FIND=`/usr/bin/package-cleanup --problems > /dev/null; echo $?`
+ if [ "${FIND}" = "0" ]; then
+ logtext "Result: No package database problems found"
+ Display --indent 2 --text "- Checking package database for problems" --result OK --color GREEN
+ else
+ logtext "Result: One or more problems found in package database"
+ Display --indent 2 --text "- Checking package database for problems" --result WARNING --color RED
+ ReportWarning ${TEST_NO} "L" "Found one or more problems in the package database"
+ ReportSuggestion ${TEST_NO} "Run package-cleanup to solve package problems"
+ fi
+ else
+ Display --indent 2 --text "- yum-utils package not installed" --result SUGGESTION --color YELLOW
+ logtext "Result: YUM utils package not found"
+ ReportSuggestion ${TEST_NO} "Install package 'yum-utils' for better consistency checking of the package database"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : PKGS-7386
+ # Description : Search for YUM security package
+ # Notes : This test does not apply to CentOS and clones, as --security is not available
+ if [ -x /usr/bin/yum ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no PKGS-7386 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --description "Check for YUM security package"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ DO_TEST=0
+ logtext "Test: Determining if yum-security package installed"
+
+ FileExists /etc/yum/pluginconf.d/security.conf
+ if [ ${FILE_FOUND} -eq 1 ]; then
+ SearchItem "^enabled=1$" "/etc/yum/pluginconf.d/security.conf"
+ if [ ${ITEM_FOUND} -eq 1 ]; then
+ DO_TEST=1
+ fi
+ else
+ # Check if it's installed as package (this is old style)
+ FIND=`rpm -q yum-security yum-plugin-security | grep -v "not installed"`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: found yum-plugin-security package"
+ DO_TEST=1
+ fi
+ fi
+
+ # If we have the module of yum active, continue.
+ if [ ${DO_TEST} -eq 1 ]; then
+ PKG_AUDIT_TOOL_FOUND=1
+ PKG_AUDIT_TOOL="yum-security"
+ logtext "Test: Checking for vulnerable packages"
+ FIND2=`/usr/bin/yum list-sec security | awk '{ if($2=="security") print $3","$5 }'`
+ if [ "${FIND2}" = "" ]; then
+ logtext "Result: no vulnerable packages found"
+ Display --indent 2 --text "- Checking missing security packages" --result OK --color GREEN
+ else
+ logtext "Result: found vulnerable package(s)"
+ Display --indent 2 --text "- Checking missing security packages" --result WARNING --color RED
+ for I in ${FIND2}; do
+ report "vulnerable_package[]=${I}"
+ logtext "Vulnerable package: ${I}"
+ AddHP 1 2
+ done
+ ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages."
+ ReportSuggestion ${TEST_NO} "Use 'yum --security update' to update your system"
+ fi
+ else
+ logtext "Result: yum-security package not found"
+ Display --indent 2 --text "- Checking missing security packages" --result SKIPPED --color YELLOW
+ ReportSuggestion ${TEST_NO} "Install package yum-plugin-security if possible, to maintain security updates easier (yum install yum-plugin-security)"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : PKGS-7387
+ # Description : Search for YUM GPG check
+ if [ -x /usr/bin/yum ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no PKGS-7387 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --description "Check for GPG signing in YUM security package"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FOUND=0
+ FileExists /etc/yum.conf
+ if [ ${FILE_FOUND} -eq 1 ]; then
+ SearchItem "^gpgenabled=1$" "/etc/yum.conf"; if [ ${ITEM_FOUND} -eq 1 ]; then FOUND=1; fi
+ SearchItem "^gpgcheck=1$" "/etc/yum.conf"; if [ ${ITEM_FOUND} -eq 1 ]; then FOUND=1; fi
+ if [ ${FOUND} -eq 1 ]; then
+ logtext "Result: GPG check is enabled"
+ Display --indent 2 --text "- Checking GPG checks (yum.conf)" --result OK --color GREEN
+ else
+ Display --indent 2 --text "- Checking GPG checks (yum.conf)" --result DISABLED --color RED
+ ReportWarning ${TEST_NO} "M" "No GPG signing option found in yum.conf"
+ fi
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : PKGS-7388
+ # Description : Check security repository in Debian/ubuntu apt sources.list file
+ Register --test-no PKGS-7388 --os Linux --weight L --network NO --description "Check security repository in Debian/ubuntu apt sources.list file"
+ if [ $SKIPTEST -eq 0 ]; then
+ FOUND=0
+ if [ -f /etc/apt/sources.list -o -d /etc/apt/sources.list.d ]; then
+ if [ ! "${OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY}" = "yes" ]; then
+ if [ -f /etc/apt/sources.list ]; then
+ logtext "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list file"
+ FIND=`egrep "security.debian.org|security.ubuntu.com|-security " /etc/apt/sources.list | grep -v '#' | sed 's/ /!space!/g'`
+ if [ ! "${FIND}" = "" ]; then
+ FOUND=1
+ Display --indent 2 --text "- Checking security repository in sources.list file" --result OK --color GREEN
+ logtext "Result: Found security repository in /etc/apt/sources.list"
+ for I in ${FIND}; do
+ I=`echo ${I} | sed 's/!space!/ /g'`
+ logtext "Output: ${I}"
+ done
+ fi
+ fi
+ if [ -d /etc/apt/sources.list.d ]; then
+ logtext "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list.d directory"
+ FIND=`egrep "security.debian.org|security.ubuntu.com|-security " /etc/apt/sources.list.d/* | grep -v '#' | sed 's/ /!space!/g'`
+ if [ ! "${FIND}" = "" ]; then
+ FOUND=1
+ Display --indent 2 --text "- Checking security repository in sources.list.d directory" --result OK --color GREEN
+ logtext "Result: Found security repository in one or more files in directory /etc/apt/sources.list.d"
+ for I in ${FIND}; do
+ I=`echo ${I} | sed 's/!space!/ /g'`
+ logtext "Output: ${I}"
+ done
+ fi
+ fi
+ if [ ${FOUND} -eq 1 ]; then
+ logtext "Result: security repository was found"
+ AddHP 3 3
+ else
+ Display --indent 2 --text "- Checking security repository in sources.list file or directory" --result WARNING --color RED
+ ReportWarning ${TEST_NO} "M" "Can't find any security repository in /etc/apt/sources.list or sources.list.d directory"
+ AddHP 0 3
+ fi
+ else
+ logtext "Skipped as option is set to ignore security repository"
+ fi
+ else
+ logtext "Result: skipping test as sources.list or sources.list.d is not found"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : PKGS-7390
+ # Description : Check Ubuntu database consistency
+ if [ "${LINUX_VERSION}" = "Ubuntu" -a -x /usr/bin/apt-get ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no PKGS-7390 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Ubuntu database consistency"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Package database consistency by running apt-get check"
+ FIND=`/usr/bin/apt-get -q=2 check; echo $?`
+ if [ "${FIND}" = "0" ]; then
+ Display --indent 2 --text "- Checking APT package database..." --result OK --color GREEN
+ logtext "Result: package database seems to be consistent."
+ else
+ logtext "Result: package database is most likely NOT consistent"
+ Display --indent 2 --text "- Checking APT package database..." --result WARNING --color RED
+ ReportWarning ${TEST_NO} "M" "apt-get check returned a non successful exit code."
+ ReportSuggestion ${TEST_NO} "Run apt-get to perform a manual package database consistency check."
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : PKGS-7392
+ # Description : Check Debian/Ubuntu vulnerable packages
+ if [ -x /usr/bin/apt-get ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no PKGS-7392 --os Linux --preqs-met ${PREQS_MET} --weight L --network YES --description "Check for Debian/Ubuntu security updates"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ VULNERABLE_PACKAGES_FOUND=0
+ SCAN_PERFORMED=0
+ # Update the repository, outdated repositories don't give much information
+ logtext "Action: updating repository with apt-get"
+ /usr/bin/apt-get -q=2 update
+ logtext "Result: apt-get finished"
+ logtext "Action: Checking if /usr/lib/update-notifier/apt-check exists"
+ if [ -x /usr/lib/update-notifier/apt-check ]; then
+ PKG_AUDIT_TOOL_FOUND=1
+ PKG_AUDIT_TOOL="apt-check"
+ logtext "Result: found /usr/lib/update-notifier/apt-check"
+ logtext "Action: checking if any of the updates contain security updates"
+ FIND=`/usr/lib/update-notifier/apt-check --human-readable | grep "are security updates" | awk -F" " '{ print $1 }'`
+ # Check if we get the proper line back and amount of security patches available
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: did not find security updates line"
+ ReportSuggestion ${TEST_NO} "Check if system is up-to-date, security updates test gives an unexpected result"
+ else
+ if [ "${FIND}" = "0" ]; then
+ logtext "Result: no vulnerable packages found via apt-check"
+ SCAN_PERFORMED=1
+ else
+ VULNERABLE_PACKAGES_FOUND=1
+ SCAN_PERFORMED=1
+ logtext "Result: found ${FIND} security updates via apt-check"
+ AddHP 0 25
+ fi
+ fi
+ else
+ logtext "Result: apt-check (update-notifier-common) not found"
+ fi
+
+ # Trying also with apt-get directly (does not always work, as updates are distributed on both -security and -updates)
+ # Show packages which would be upgraded and match 'security' in repository name
+ FIND=`/usr/bin/apt-get --dry-run --show-upgraded upgrade | grep '-security' | grep "^Inst" | cut -d ' ' -f2 | sort | uniq`
+ if [ ! "${FIND}" = "" ]; then
+ #Display --indent 2 --text "- Checking vulnerable packages..." --result WARNING --color RED
+ VULNERABLE_PACKAGES_FOUND=1
+ SCAN_PERFORMED=1
+ logtext "Result: found vulnerable package(s) via apt-get (-security channel)"
+ PKG_AUDIT_TOOL="apt-get"
+ PKG_AUDIT_TOOL_FOUND=1
+ for I in ${FIND}; do
+ logtext "Found vulnerable package: ${I}"
+ report "vulnerable_package[]=${I}"
+ done
+ fi
+ if [ ${SCAN_PERFORMED} -eq 1 ]; then
+ if [ ${VULNERABLE_PACKAGES_FOUND} -eq 1 ]; then
+ ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages."
+ ReportSuggestion ${TEST_NO} "Update your system with apt-get update, apt-get upgrade, apt-get dist-upgrade and/or unattended-upgrades"
+ Display --indent 2 --text "- Checking vulnerable packages..." --result WARNING --color RED
+ else
+ Display --indent 2 --text "- Checking vulnerable packages..." --result OK --color GREEN
+ logtext "Result: no vulnerable packages found"
+ fi
+ else
+ Display --indent 2 --text "- Checking vulnerable packages (apt-get only)..." --result DONE --color GREEN
+ logtext "Result: test not fully executed (missing apt-check output)"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : PKGS-7394
+ # Description : Check Ubuntu upgradeable packages
+ if [ "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no PKGS-7394 --os Linux --preqs-met ${PREQS_MET} --weight L --network YES --description "Check for Ubuntu updates"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: checking /usr/bin/apt-show-versions"
+ if [ -x /usr/bin/apt-show-versions ]; then
+ logtext "Result: found /usr/bin/apt-show-versions"
+ logtext "Test: Checking packages which can be upgraded via apt-show-versions"
+ FIND=`/usr/bin/apt-show-versions -u | sed 's/ /!space!/g'`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: no packages found which can be upgraded"
+ Display --indent 2 --text "- Checking upgradeable packages..." --result NONE --color GREEN
+ AddHP 3 3
+ else
+ logtext "Result: found one or more packages which can be upgraded"
+ Display --indent 2 --text "- Checking upgradeable packages..." --result FOUND --color YELLOW
+ # output: program/repository upgradeable from version X to Y
+ for I in ${FIND}; do
+ I=`echo ${I} | sed 's/!space!/ /g'`
+ logtext "${I}"
+ done
+ fi
+ else
+ logtext "Result: /usr/bin/apt-show-versions not found"
+ Display --indent 2 --text "- Checking upgradeable packages..." --result SKIPPED --color WHITE
+ ReportSuggestion ${TEST_NO} "Install package apt-show-versions for patch management purposes"
+ fi
+ fi
+
+#
+#################################################################################
+#
+ # Test : PKGS-7398
+ # Description : Check package audit tool
+ Register --test-no PKGS-7398 --weight L --network YES --description "Check for package audit tool"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: checking for package audit tool"
+ if [ ${PKG_AUDIT_TOOL_FOUND} -eq 0 ]; then
+ Display --indent 2 --text "- Checking package audit tool..." --result NONE --color RED
+ ReportSuggestion ${TEST_NO} "Install a package audit tool to determine vulnerable packages"
+ logtext "Result: no package audit tool found"
+ else
+ Display --indent 2 --text "- Checking package audit tool..." --result INSTALLED --color GREEN
+ Display --indent 4 --text "Found: ${PKG_AUDIT_TOOL}"
+ logtext "Result: found package audit tool: ${PKG_AUDIT_TOOL}"
+ fi
+ fi
+#
+#################################################################################
+#
+
+# check for popularity-contest (Debian/Ubuntu)
+# check for yum-changelog
+
+
+report "pkg_audit_tool=${PKG_AUDIT_TOOL}"
+report "pkg_audit_tool_found=${PKG_AUDIT_TOOL_FOUND}"
+
+wait_for_keypress
+
+
+#
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
diff --git a/include/tests_printers_spools b/include/tests_printers_spools
new file mode 100644
index 00000000..1a5fdac6
--- /dev/null
+++ b/include/tests_printers_spools
@@ -0,0 +1,215 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# Printers and spools
+#
+#################################################################################
+#
+ CUPSD_CONFIG_LOCS="/etc/cups /usr/local/etc/cups"
+ CUPSD_CONFIG_FILE=""
+ CUPSD_RUNNING=0
+ CUPSD_FOUND=0
+ LPD_RUNNING=0
+ PRINTING_DAEMON=""
+#
+#################################################################################
+#
+ InsertSection "Printers and Spools"
+#
+#################################################################################
+#
+ # Test : PRNT-2302
+ # Description : Check printcap file consistency
+ Register --test-no PRNT-2302 --os FreeBSD --weight L --network NO --description "Check for available accounting information"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Searching /usr/sbin/chkprintcap"
+ if [ ! -f /usr/sbin/chkprintcap ]; then
+ Display --indent 2 --text "- Checking chkprintcap..." --result "NOT FOUND" --color WHITE
+ logtext "Result: /usr/sbin/chkprintcap NOT found, test skipped."
+ else
+ logtext "Result: /usr/sbin/chkprintcap found"
+ FIND=`/usr/sbin/chkprintcap > /dev/null ; echo $?`
+ # Only an exit code of zero should come back. Use string instead of integer, due unexpected trash
+ if [ "${FIND}" = "0" ]; then
+ Display --indent 2 --text "- Integrity check of printcap file" --result OK --color GREEN
+ logtext "Result: chkprintcap did NOT gave any warnings"
+ else
+ Display --indent 2 --text "- Integrity check of printcap file" --result WARNING --color RED
+ ReportSuggestion ${TEST_NO} "Run chkprintcap manually to test printcap file"
+ logtext "Output from chkprintcap: ${FIND}"
+ logtext "Run chkprintcap and check the /etc/printcap file."
+ fi
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : PRNT-2304
+ # Description : Check cupsd status
+ Register --test-no PRNT-2304 --weight L --network NO --description "Check cupsd status"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking cupsd status"
+ FIND=`${PSBINARY} ax | grep "cupsd" | grep -v "grep" | grep -v apcupsd`
+ if [ ! "${FIND}" = "" ]; then
+ Display --indent 2 --text "- Checking cups daemon..." --result RUNNING --color GREEN
+ logtext "Result: cups daemon running"
+ CUPSD_RUNNING=1; PRINTING_DAEMON="cups"
+ else
+ Display --indent 2 --text "- Checking cups daemon..." --result "NOT FOUND" --color WHITE
+ logtext "Result: cups daemon not running, cups daemon tests skipped"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : PRNT-2306
+ # Description : Check CUPSd configuration file
+ if [ ${CUPSD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no PRNT-2306 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check CUPSd configuration file"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Searching cupsd configuration file"
+ for I in ${CUPSD_CONFIG_LOCS}; do
+ if [ -f ${I}/cupsd.conf ]; then
+ CUPSD_CONFIG_FILE="${I}/cupsd.conf"
+ logtext "Result: found ${CUPSD_CONFIG_FILE}"
+ fi
+ done
+ if [ ! "${CUPSD_CONFIG_FILE}" = "" ]; then
+ Display --indent 2 --text "- Checking CUPS configuration file..." --result OK --color GREEN
+ logtext "Result: configuration file found (${CUPSD_CONFIG_FILE})"
+ CUPSD_FOUND=1
+ else
+ Display --indent 2 --text "- Checking CUPS configuration file..." --result "NOT FOUND" --color RED
+ logtext "Result: configuration file not found"
+ logtext "Development: no CUPS configuration file found"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : PRNT-2307
+ # Description : Check CUPSd configuration file permissions
+ if [ ${CUPSD_FOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no PRNT-2307 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check CUPSd configuration file permissions"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking CUPS configuration file permissions"
+ FIND=`ls -l ${CUPSD_CONFIG_FILE} | cut -c 2-10`
+ logtext "Result: found ${FIND}"
+ if [ "${FIND}" = "r--------" -o "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" ]; then
+ Display --indent 4 --text "- File permissions" --result "OK" --color GREEN
+ AddHP 1 1
+ else
+ Display --indent 4 --text "- File permissions" --result "WARNING" --color RED
+ ReportSuggestion ${TEST_NO} "Access to CUPS configuration could be more strict."
+ AddHP 1 2
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : PRNT-2308
+ # Description : Check CUPS daemon network configuration
+ if [ ${CUPSD_FOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no PRNT-2308 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check CUPSd network configuration"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FOUND=0
+ # Checking network addresses
+ logtext "Test: Checking CUPS daemon listening network addresses"
+ FIND=`grep "^Listen" ${CUPSD_CONFIG_FILE} | grep -v "/" | awk '{ print $2 }'`
+ N=0
+ for I in ${FIND}; do
+ logtext "Found network address: ${I}"
+ N=`expr ${N} + 1`
+ FOUND=1
+ done
+ if [ ${FOUND} -eq 0 ]; then
+ ReportException "${TEST_NO}:1" "No listen statement found in CUPS configuration file"
+ fi
+
+ # Check if daemon is only running on localhost
+ if [ ${N} -eq 1 ]; then
+ if [ "${FIND}" = "localhost:631" -o "${FIND}" = "127.0.0.1:631" ]; then
+ logtext "Result: CUPS daemon only running on localhost"
+ AddHP 2 2
+ else
+ logtext "Result: CUPS daemon running on one or more interfaces (not limited to localhost)"
+ ReportSuggestion ${TEST_NO} "Check CUPS configuration if it really needs to listen on the network"
+ AddHP 1 2
+ fi
+ else
+ logtext "Result: CUPS daemon is running on several network addresses"
+ ReportSuggestion ${TEST_NO} "Check CUPS configuration if it really needs to run on several network addresses"
+ AddHP 1 2
+ fi
+
+ # Checking sockets
+ logtext "Test: Checking cups daemon listening sockets"
+ FIND=`grep "^Listen" ${CUPSD_CONFIG_FILE} | grep "/" | awk '{ print $2 }'`
+ for I in ${FIND}; do
+ logtext "Found socket address: ${I}"
+ N=`expr ${N} + 1`
+ done
+
+ if [ ${N} -eq 0 ]; then
+ Display --indent 2 --text "- Checking CUPS addresses/sockets..." --result "NONE" --color WHITE
+ logtext "Result: no addresses found on which CUPS daemon is listening"
+ else
+ Display --indent 2 --text "- Checking CUPS addresses/sockets..." --result "FOUND" --color GREEN
+ logtext "Result: CUPS daemon is listening on network/socket"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : PRNT-2314
+ # Description : Check lpd status
+ Register --test-no PRNT-2314 --weight L --network NO --description "Check lpd status"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking lpd status"
+ IsRunning lpd
+ if [ ${RUNNING} -eq 1 ]; then
+ Display --indent 2 --text "- Checking lp daemon" --result RUNNING --color GREEN
+ logtext "Result: lp daemon running"
+ LPD_RUNNING=1; PRINTING_DAEMON="lp"
+ else
+ Display --indent 2 --text "- Checking lp daemon" --result "NOT RUNNING" --color WHITE
+ logtext "Result: lp daemon not running"
+ AddHP 4 4
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : PRNT-23xx
+ # Description : Test Linux printcap file
+ #if [ ${CUPSD_RUNNING} -eq 1 -a ! "${CUPSD_CONFIG_FILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ #Register --test-no PRNT-23xx--preqs-met ${PREQS_MET} --weight L --network NO --description "Check cupsd address configuration"
+ #if [ ${SKIPTEST} -eq 0 ]; then
+ #if [ "${OS}" = "Linux" ]; then
+ # echo " - Testing printcap file... [Test not implemented yet]"
+ # # Check printcap with checkpc command
+ #fi
+#
+#################################################################################
+#
+
+report "printing_daemon=${PRINTING_DAEMON}"
+
+wait_for_keypress
+
+#
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
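Review bot: In PRNT-2308 the `else` branch of `if [ ${N} -eq 1 ]` also runs when N is 0, so a cupsd.conf whose only Listen entries are domain sockets (the case the ReportException just above already reports) is additionally logged as "running on several network addresses" and penalized with AddHP 1 2. Changing that line to `elif [ ${N} -gt 1 ]; then` keeps the multi-address handling and leaves the no-address case to the exception already raised. The localhost check also only recognises `localhost:631` and `127.0.0.1:631`, so an IPv6 loopback entry such as `[::1]:631` or a loopback entry on a non-default port is treated as a network-facing listener; if that is intended it deserves a comment, otherwise the comparison should match on the address part only. Separately, N is not reset before the socket loop, so the final NONE/FOUND display counts sockets on top of network addresses; that looks intentional but a comment like `# N now counts network addresses plus sockets` would make it clear.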
diff --git a/include/tests_scheduling b/include/tests_scheduling
new file mode 100644
index 00000000..be3ced5d
--- /dev/null
+++ b/include/tests_scheduling
@@ -0,0 +1,234 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# Scheduled tasks
+#
+#################################################################################
+#
+ InsertSection "Scheduled tasks"
+#
+#################################################################################
+#
+ ATD_RUNNING=0
+#
+#################################################################################
+#
+ # Test : SCHD-7704
+ # Description : Check crontab / cronjobs
+ Register --test-no SCHD-7704 --weight L --network NO --description "Check crontab/cronjobs"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FindCronJob()
+ {
+ sCRONJOBS=`egrep '^([0-9*])' $1 | tr '\t' ' ' | tr -s ' ' | tr ' ' ','`
+ }
+
+ if [ -f /etc/crontab ]; then
+ FindCronJob /etc/crontab
+ for I in ${sCRONJOBS}; do
+ logtext "Found cronjob (/etc/crontab): ${I}"
+ report "cronjob[]=${I}"
+ done
+ fi
+
+ CRON_DIRS="/etc/cron.d"
+ for I in ${CRON_DIRS}; do
+ logtext "Test: checking directory ${I}"
+ if [ -d ${I} ]; then
+ logtext "Result: found directory ${I}"
+ logtext "Test: searching files in ${I}"
+ FIND=`find ${I} -type f -print`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: no files found in ${I}"
+ else
+ logtext "Result: found one or more files in ${I}. Analyzing files.."
+ for J in ${FIND}; do
+ FindCronJob ${J}
+ for K in ${sCRONJOBS}; do
+ logtext "Result: Found cronjob (${I}): ${K}"
+ done
+ done
+ logtext "Result: done with analyzing files in ${I}"
+ fi
+ else
+ logtext "Result: directory ${I} does not exist"
+ fi
+ done
+
+ CRON_DIRS="/etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly"
+ for I in ${CRON_DIRS}; do
+ logtext "Test: checking directory ${I}"
+ if [ -d ${I} ]; then
+ logtext "Result: found directory ${I}"
+ logtext "Test: searching files in ${I}"
+ FIND=`find ${I} -type f -print | grep -v ".placeholder"`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: no files found in ${I}"
+ else
+ logtext "Result: found one or more files in ${I}. Analyzing files.."
+ for J in ${FIND}; do
+ logtext "Result: Found cronjob (${I}): ${J}"
+ report "cronjob[]=${J}"
+ done
+ logtext "Result: done with analyzing files in ${I}"
+ fi
+ else
+ logtext "Result: directory ${I} does not exist"
+ fi
+ done
+
+ # /var/spool/cron/* and /var/spool/cron/crontabs/*
+ # Search only in one tree, to avoid searching the tree twice
+ if [ -d /var/spool/cron/crontabs ]; then
+ FIND=`find /var/spool/cron/crontabs -type f -print`
+ for I in ${FIND}; do
+ FindCronJob ${I}
+ for J in ${sCRONJOBS}; do
+ logtext "Found cronjob (/var/spool/cron/crontabs): ${I} (${J})"
+ report "cronjob[]=${I}"
+ done
+ done
+ else
+ if [ -d /var/spool/cron ]; then
+ FIND=`find /var/spool/cron -type f -print`
+ for I in ${FIND}; do
+ FindCronJob ${I}
+ for J in ${sCRONJOBS}; do
+ logtext "Found cronjob (/var/spool/cron): ${I} (${J})"
+ logtext "cronjob[]=${I}"
+ done
+ done
+ fi
+ fi
+
+ # Anacron
+ if [ "${OS}" = "Linux" ]; then
+ if [ -f /etc/anacrontab ]; then
+ logtext "Test: checking anacrontab"
+ sANACRONJOBS=`egrep '^([0-9@])' /etc/anacrontab | tr '\t' ' ' | tr -s ' ' | tr ' ' ','`
+ for J in ${sANACRONJOBS}; do
+ logtext "Found anacron job (/etc/anacrontab): ${J}"
+ report "cronjob[]=${J}"
+ done
+ fi
+ fi
+
+ Display --indent 2 --text "- Checking crontab/cronjob" --result DONE --color GREEN
+ fi
+#
+#################################################################################
+#
+ # Test : SCHD-7718
+ # Description : Check atd status
+ Register --test-no SCHD-7718 --weight L --network NO --description "Check at users"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking atd status"
+ FIND=`${PSBINARY} ax | grep "/atd" | grep -v "grep"`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: at daemon active"
+ Display --indent 2 --text "- Checking atd status" --result RUNNING --color GREEN
+ ATD_RUNNING=1
+ else
+ logtext "Result: at daemon not active"
+ Display --indent 2 --text "- Checking atd status" --result "NOT RUNNING" --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : SCHD-7720
+ # Description : Check at users
+ # Notes : if at.allow exists, only users listed can schedule at jobs
+ # if at.allow does not exist, but at.deny does, everyone
+ # except the listed ones can schedule jobs. If both can't be
+ # found, only root can schedule jobs.
+ if [ ${ATD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no SCHD-7720 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check at users"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ AT_UNKNOWN=0
+ case ${OS} in
+ FreeBSD) AT_ALLOW="/var/at/at.allow"; AT_DENY="/var/at/at.deny" ;;
+ HPUX) AT_ALLOW="/usr/lib/cron/at.allow"; AT_DENY="/usr/lib/cron/at.deny" ;;
+ Linux) AT_ALLOW="/etc/at.allow"; AT_DENY="/etc/at.deny" ;;
+ OpenBSD) AT_ALLOW="/var/cron/at.allow"; AT_DENY="/var/cron/at.deny" ;;
+ SunOS) AT_ALLOW="/etc/cron.d/at.allow"; AT_DENY="/etc/cron.d/at.deny" ;;
+ *) AT_UNKNOWN=1; logtext "Test skipped, files for at unknown" ;;
+ esac
+ if [ ${AT_UNKNOWN} -eq 0 ]; then
+ logtext "Test: checking for file ${AT_ALLOW}"
+ if [ -f ${AT_ALLOW} ]; then
+ logtext "Result: file ${AT_ALLOW} exists, only listed users can schedule at jobs"
+ FIND=`cat ${AT_ALLOW} | sort`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: File empty, no users are allowed to schedule at jobs"
+ else
+ for I in ${FIND}; do
+ logtext "Allowed at user: ${I}"
+ done
+ fi
+ else
+ logtext "Result: file ${AT_ALLOW} does not exist"
+ logtext "Test: checking for file ${AT_DENY}"
+ if [ -f ${AT_DENY} ]; then
+ logtext "Result: file ${AT_DENY} exists, only non listed users can schedule at jobs"
+ FIND=`cat ${AT_DENY} | sort`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: file is empty, no users are denied access to schedule jobs"
+ else
+ for I in ${FIND}; do
+ logtext "Denied at user: ${I}"
+ done
+ fi
+ else
+ logtext "Result: both ${AT_ALLOW} and ${AT_DENY} do not exist"
+ logtext "Note: only root can schedule at jobs"
+ fi
+ fi
+ Display --indent 4 --text "- Checking at users" --result DONE --color GREEN
+ else
+ Display --indent 4 --text "- Checking at users" --result SKIPPED --color YELLOW
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : SCHD-7724
+ # Description : Check scheduled at jobs
+ if [ ${ATD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no SCHD-7724 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check at jobs"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Check scheduled at jobs"
+ FIND=`atq | grep -v "no files in queue" | ${AWKBINARY} '{gsub("\t"," ");print}' | sed 's/ /!space!/g'`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: found one or more jobs"
+ for I in ${FIND}; do
+ I=`echo ${I} | sed 's/!space!/ /g'`
+ logtext "Found at job: ${I}"
+ done
+ Display --indent 4 --text "- Checking at jobs" --result FOUND --color GREEN
+ else
+ logtext "Result: no pending at jobs"
+ Display --indent 4 --text "- Checking at jobs" --result NONE --color GREEN
+ fi
+ fi
+#
+#################################################################################
+#
+
+wait_for_keypress
+
+#
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
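Review bot: In the `/var/spool/cron` fallback branch the per-job line is `logtext "cronjob[]=${I}"` while the sibling `/var/spool/cron/crontabs` branch calls `report "cronjob[]=${I}"`, so on systems without a crontabs subdirectory user cron jobs are logged but never reach the report; it should read `report "cronjob[]=${I}"`. Both branches also emit one `cronjob[]` entry per parsed job but with the file name rather than the job, so a crontab with several entries reports the same path repeatedly; reporting `"cronjob[]=${I} (${J})"` or reporting the path once outside the inner loop would match the /etc/crontab handling. Separately, SCHD-7718 is registered with `--description "Check at users"` although it checks atd status; that description belongs to SCHD-7720 below it. The `find ... -print` output and `$1` in FindCronJob are unquoted, so a file name containing whitespace under /etc/cron.d would be word-split and silently skipped.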
diff --git a/include/tests_shells b/include/tests_shells
new file mode 100644
index 00000000..e1e1cdbe
--- /dev/null
+++ b/include/tests_shells
@@ -0,0 +1,216 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# Shells
+#
+#################################################################################
+#
+ IDLE_TIMEOUT=0
+ InsertSection "Shells"
+#
+#################################################################################
+#
+ # bash
+ # Files (interactive login shells): /etc/profile $HOME/.bash_profile
+ # $HOME/.bash_login $HOME/.profile
+ # Files (interactive non-login shells): $HOME/.bash_rc
+
+ # csh/tcsh
+ # Files: /etc/csh.cshrc /etc/csh.login
+ # zsh
+ # Files: /etc/zshenv /etc/zsh/zshenv $HOME/.zshenv /etc/zprofile
+ # /etc/zsh/zprofile $HOME/.zprofile /etc/zshrc /etc/zsh/zshrc
+ # $ZDOTDIR/.zshrc /etc/zlogin /etc/zsh/zlogin
+
+ SHELL_LOGIN_FILES="/etc/csh.cshrc /etc/csh.login /etc/zshenv /etc/zsh/zshenv
+ /etc/zprofile /etc/zsh/zprofile /etc/zshrc /etc/zsh/zshrc
+ /etc/zlogin /etc/zsh/zlogin"
+#
+#################################################################################
+#
+
+ # Test : SHLL-6202
+ # Description : check all console TTYs in which root user can enter single user mode without password
+ Register --test-no SHLL-6202 --os FreeBSD --weight L --network NO --description "Check console TTYs"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking console TTYs..."
+ FIND=`cat /etc/ttys | egrep '^console' | grep -v 'insecure'`
+ if [ "${FIND}" = "" ]; then
+ Display --indent 2 --text "- Checking console TTYs... " --result OK --color GREEN
+ logtext "Result: console is secured against single user mode without password."
+ else
+ Display --indent 2 --text "- Checking console TTYs... " --result WARNING --color RED
+ logtext "Result: Found insecure console in /etc/ttys. Single user mode login without password allowed!"
+ logtext "Output /etc/ttys:"
+ logtext "${FIND}"
+ ReportWarning ${TEST_NO} "M" "Found unprotected console in /etc/ttys"
+ #ReportSuggestion ${TEST_NO} "Change the console line from 'secure' to 'insecure'."
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : SHLL-6214
+ # Description : check for idle session killing tools (timeoutd)
+
+
+#
+#################################################################################
+#
+ # Test : SHLL-6211
+ # Description : which shells are available according /etc/shells
+ Register --test-no SHLL-6211 --weight L --network NO --description "Checking available and valid shells"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Searching for /etc/shells..."
+ if [ -f /etc/shells ]; then
+ logtext "Result: Found /etc/shells file"
+ logtext "Test: Reading available shells from /etc/shells"
+ SSHELLS=`cat /etc/shells | grep "^/"`
+ CSSHELLS=0; CSSHELLS_ALL=0
+ Display --indent 2 --text "- Checking shells from /etc/shells..."
+ for I in ${SSHELLS}; do
+ CSSHELLS_ALL=`expr ${CSSHELLS_ALL} + 1`
+ report "available_shell[]=${I}"
+ # YYY add check for symlinked shells
+ if [ -f ${I} ]; then
+ logtext "Found installed shell: ${I}"
+ CSSHELLS=`expr ${CSSHELLS} + 1`
+ else
+ logtext "Shell ${I} not installed. Probably a dummy or non existing shell."
+ fi
+ done
+ Display --indent 4 --text "Result: found ${CSSHELLS_ALL} shells (valid shells: ${CSSHELLS})."
+ else
+ logtext "Result: /etc/shells not found, skipping test"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : SHLL-6220
+ # Description : check for idle session killing tools or settings
+ Register --test-no SHLL-6220 --weight L --network NO --description "Checking available and valid shells"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Search for session timeout tools or settings in shell"
+ IsRunning timeoutd
+ if [ ${RUNNING} -eq 1 ]; then
+ IDLE_TIMEOUT=1
+ logtext "Result: found timeoutd process to kill idle sesions"
+ report="session_timeout_method=timeout daemon"
+ fi
+ IsRunning autolog
+ if [ ${RUNNING} -eq 1 ]; then
+ IDLE_TIMEOUT=1
+ logtext "Result: found autolog process to kill idle sesions"
+ report="session_timeout_method[]=autolog"
+ fi
+
+ if [ -f /etc/profile ]; then
+ FIND=`cat /etc/profile | grep '\(export[ \t]*\)\?TMOUT=' | tr -d ' ' | tr -d '\t' | grep -v "^#" | sed 's/export//' | sed 's/#.*//'`
+ if [ ! "${FIND}" = "" ]; then
+ N=0; IDLE_TIMEOUT=1
+ for I in ${FIND}; do
+ logtext "Output: ${I}"
+ N=`expr ${N} + 1`
+ done
+ if [ ${N} -eq 1 ]; then
+ logtext "Result: found TMOUT value configured in /etc/profile"
+ else
+ logtext "Result: found several TMOUT values configured in /etc/profile"
+ fi
+ report "session_timeout_method[]=profile"
+ else
+ logtext "Result: could not find TMOUT setting in /etc/profile"
+ fi
+ else
+ logtext "Result: skip /etc/profile test, file not available on this system"
+ fi
+
+ if [ -d /etc/profile.d ]; then
+ FIND=`cat /etc/profile.d/*.sh 2> /dev/null | grep '\(export[ \t]*\)\?TMOUT=' | tr -d ' ' | tr -d '\t' | grep -v "^#" | sed 's/export//' | sed 's/#.*//'`
+ if [ ! "${FIND}" = "" ]; then
+ N=0; IDLE_TIMEOUT=1
+ for I in ${FIND}; do
+ logtext "Output: ${I}"
+ N=`expr ${N} + 1`
+ done
+ if [ ${N} -eq 1 ]; then
+ logtext "Result: found TMOUT value configured in one of the files in /etc/profile.d directory"
+ else
+ logtext "Result: found several TMOUT values configured in one of the files in /etc/profile.d directory"
+ fi
+ report "session_timeout_method[]=profile"
+ else
+ logtext "Result: could not find TMOUT setting in /etc/profile.d/*.sh"
+ fi
+ else
+ logtext "Result: skip /etc/profile.d directory test, directory not available on this system"
+ fi
+
+ if [ ${IDLE_TIMEOUT} -eq 1 ]; then
+ Display --indent 4 --text "- Session timeout settings/tools" --result "FOUND" --color GREEN
+ AddHP 3 3
+ else
+ Display --indent 4 --text "- Session timeout settings/tools" --result "NONE" --color YELLOW
+ AddHP 1 3
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : SHLL-6236
+ # Description : Check /etc/profile
+#
+#################################################################################
+#
+
+ # Test : SHLL-6240
+ # Description : Check default umask
+# Register --test-no SHLL-6240 --weight L --network NO --description "Check default umask"
+# if [ ${SKIPTEST} -eq 0 ]; then
+# logtext "Test: Checking /etc/profile..."
+# if [ -f /etc/profile ]; then
+# FIND=`grep "^umask" | awk '{ print $2 }'`
+# if [ "${FIND}" = "" ]; then
+# logtext "Result: xxx"
+# Display --indent 2 --text "- Checking default umask... " --result OK --color GREEN
+# else
+# logtext "Result: xxx"
+# Display --indent 2 --text "- Checking default umask... " --result WARNING --color RED
+# #ReportWarning ${TEST_NO} "M" "xxx"
+# #ReportSuggestion ${TEST_NO} "xxx"
+# fi
+# fi
+# fi
+#
+#################################################################################
+#
+ # Test : SHLL-6250
+ # Description : Check /etc/bash.bashrc
+# Register --test-no SHLL-6250 --weight L --network NO --description "Check default umask"
+# if [ ${SKIPTEST} -eq 0 ]; then
+#
+#################################################################################
+#
+
+report "session_timeout_enabled=${IDLE_TIMEOUT}"
+
+
+wait_for_keypress
+
+#
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
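Review bot: In SHLL-6220 the timeoutd and autolog branches assign a shell variable (`report="session_timeout_method=timeout daemon"`, `report="session_timeout_method[]=autolog"`) instead of calling the `report` function used elsewhere in this file, so neither detection is written to the report; both should be calls, e.g. `report "session_timeout_method[]=timeoutd"` and `report "session_timeout_method[]=autolog"`, the first also using the `[]` array key like the profile branches do. The same test is registered with `--description "Checking available and valid shells"`, copied from SHLL-6211; a description matching its comment, such as "Check idle session timeout settings", would keep the report readable. SHLL-6202 reads `/etc/ttys` through `cat ... | egrep`, where `egrep '^console' /etc/ttys` suffices.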
diff --git a/include/tests_snmp b/include/tests_snmp
new file mode 100644
index 00000000..92344a17
--- /dev/null
+++ b/include/tests_snmp
@@ -0,0 +1,105 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# SNMP
+#
+#################################################################################
+#
+ SNMP_DAEMON_CONFIG_LOCS="/etc/snmp"
+ SNMP_DAEMON_CONFIG=""
+ SNMP_DAEMON_RUNNING=0
+#
+#################################################################################
+#
+ InsertSection "SNMP Support"
+
+ # Test : SNMP-3302
+ # Description : Check for a running SNMP daemon
+ Register --test-no SNMP-3302 --weight L --network NO --description "Check for running SNMP daemon"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Searching for a SNMP daemon..."
+ # Check running processes
+ FIND=`${PSBINARY} ax | grep "snmpd" | grep -v "grep"`
+ if [ ! "${FIND}" = "" ]; then
+ SNMP_DAEMON_RUNNING=1
+ logtext "Result: SNMP daemon is running"
+ Display --indent 2 --text "- Checking running SNMP daemon..." --result FOUND --color GREEN
+ else
+ logtext "Result: No running SNMP daemon found"
+ Display --indent 2 --text "- Checking running SNMP daemon..." --result "NOT FOUND" --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : SNMP-3304
+ # Description : Determine SNMP daemon configuration file location
+ if [ ${SNMP_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no SNMP-3304 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SNMP daemon file location"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Action: searching for snmpd.conf file"
+ for I in ${SNMP_DAEMON_CONFIG_LOCS}; do
+ if [ -f "${I}/snmpd.conf" ]; then
+ logtext "Result: ${I}/snmpd.conf exists"
+ SNMPD_DAEMON_CONFIG="${I}/snmpd.conf"
+ fi
+ done
+ if [ "${SNMPD_DAEMON_CONFIG}" = "" ]; then
+ logtext "Result: No snmpd configuration found"
+ Display --indent 4 --text "- Checking SNMP configuration..." --result "NOT FOUND" --color WHITE
+ else
+ logtext "Restult: using last found configuration file: ${SNMPD_DAEMON_CONFIG}"
+ Display --indent 4 --text "- Checking SNMP configuration..." --result "FOUND" --color GREEN
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : SNMP-3306
+ # Description : Determine SNMP communities
+ if [ ! "${SNMPD_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no SNMP-3306 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SNMP communities"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ WARN=0
+ logtext "Test: reading active snmp communities"
+ FIND=`cat ${SNMPD_DAEMON_CONFIG} | grep "^com2sec" | ${AWKBINARY} '{ print $4 }'`
+ for I in ${FIND}; do
+ logtext "Output: ${I}"
+ if [ "${I}" = "public" -o "${I}" = "private" ]; then
+ logtext "Result: found easy guessable snmp community string (${I})"
+ WARN=1
+ AddHP 1 3
+ fi
+ done
+
+ # Check status of test
+ if [ ${WARN} -eq 0 ]; then
+ Display --indent 2 --text "- Checking SNMP community strings..." --result OK --color GREEN
+ AddHP 2 2
+ else
+ Display --indent 2 --text "- Checking SNMP community strings..." --result WARNING --color RED
+ ReportWarning ${TEST_NO} "M" "Found easy guessable SNMP community string"
+ fi
+ fi
+#
+#################################################################################
+#
+
+wait_for_keypress
+
+#
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
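Review bot: The file initialises `SNMP_DAEMON_CONFIG=""` but SNMP-3304 and SNMP-3306 read and write `SNMPD_DAEMON_CONFIG`, so the initialisation never applies and the prerequisite check relies on the differently named variable happening to be unset when the file is sourced; one spelling should be used throughout, e.g. change the declaration to `SNMPD_DAEMON_CONFIG=""`. SNMP-3306 only inspects `com2sec` lines, so community strings declared with the `rocommunity`/`rwcommunity` directives are not examined and a default community configured that way passes as OK; until those directives are covered, a comment above the grep such as `# Only com2sec directives are parsed; rocommunity/rwcommunity are not yet checked` should state the limitation. The log message `Restult: using last found configuration file` has a typo.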
diff --git a/include/tests_solaris b/include/tests_solaris
new file mode 100644
index 00000000..556444c6
--- /dev/null
+++ b/include/tests_solaris
@@ -0,0 +1,69 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# Solaris
+#
+#################################################################################
+#
+ InsertSection "Solaris"
+#
+#################################################################################
+#
+ # Test : SOL-xxxx
+ # Description : Check if Stop-A is disabled
+# Register --test-no SOL-xxxx --weight L --network NO --description "Check for running SSH daemon"
+# if [ ${SKIPTEST} -eq 0 ]; then
+# logtext "Test: Searching for a SSH daemon..."
+# # Check running processes
+# FIND=`${PSBINARY} ax | grep "sshd" | grep -v "grep"`
+# if [ ! "${FIND}" = "" ]; then
+# SSH_DAEMON_RUNNING=1
+# logtext "Result: Stop-A is disabled"
+# Display --indent 2 --text "- Checking running SSH daemon..." --result FOUND --color GREEN
+# else
+# logtext "Result: Stop-A is NOT disabled"
+# Display --indent 2 --text "- Checking running SSH daemon..." --result "NOT FOUND" --color WHITE
+# fi
+# fi
+#
+#################################################################################
+#
+ # Test : SOL-xxxx
+ # Description : Check if vold is disabled, to disallow unaudited mounts
+# Register --test-no SOL-xxxx --weight L --network NO --description "Check for running SSH daemon"
+# if [ ${SKIPTEST} -eq 0 ]; then
+# logtext "Test: Searching for a SSH daemon..."
+# # Check running processes
+# FIND=`${PSBINARY} ax | grep "sshd" | grep -v "grep"`
+# if [ ! "${FIND}" = "" ]; then
+# SSH_DAEMON_RUNNING=1
+# logtext "Result: Stop-A is disabled"
+# Display --indent 2 --text "- Checking running SSH daemon..." --result FOUND --color GREEN
+# else
+# logtext "Result: Stop-A is NOT disabled"
+# Display --indent 2 --text "- Checking running SSH daemon..." --result "NOT FOUND" --color WHITE
+# fi
+# fi
+
+#
+#################################################################################
+#
+
+wait_for_keypress
+
+#
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
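Review bot: Both commented-out SOL-xxxx stubs are copies of an SSH daemon check (`grep "sshd"`, `SSH_DAEMON_RUNNING=1`, `--description "Check for running SSH daemon"`) while their log texts speak of Stop-A and vold, so anyone enabling them as-is would register a misleadingly named test that checks the wrong thing. A comment above each block such as `# TODO: placeholder copied from the SSH check; replace the process grep with the actual Stop-A / vold check before enabling` would make that clear. As committed the file contributes only InsertSection and wait_for_keypress to a run.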
diff --git a/include/tests_squid b/include/tests_squid
new file mode 100644
index 00000000..eedd23e2
--- /dev/null
+++ b/include/tests_squid
@@ -0,0 +1,384 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# Squid
+#
+#################################################################################
+#
+ SQUID_DAEMON_CONFIG_LOCS="/etc /etc/squid /etc/squid3 /usr/local/etc/squid /usr/local/squid/etc"
+ SQUID_DAEMON_CONFIG=""
+ SQUID_DAEMON_UNSAFE_PORTS_LIST="22 23 25"
+ SQUID_DAEMON_RUNNING=0
+#
+#################################################################################
+#
+ InsertSection "Squid Support"
+#
+#################################################################################
+#
+ # Test : SQD-3602
+ # Description : Check for a running Squid daemon
+ # Notes : Search for squid(3) with a space, to avoid SquidGuard and other
+ # programs.
+ Register --test-no SQD-3602 --weight L --network NO --description "Check for running Squid daemon"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Searching for a Squid daemon..."
+ FOUND=0
+ # Check running processes
+ FIND=`${PSBINARY} ax | egrep "(squid|squid3) " | grep -v "grep"`
+ if [ ! "${FIND}" = "" ]; then
+ SQUID_DAEMON_RUNNING=1
+ logtext "Result: Squid daemon is running"
+ Display --indent 2 --text "- Checking running Squid daemon..." --result FOUND --color GREEN
+ else
+ logtext "Result: No running Squid daemon found"
+ Display --indent 2 --text "- Checking running Squid daemon..." --result "NOT FOUND" --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : SQD-3604
+ # Description : Determine Squid daemon configuration file location
+ if [ ${SQUID_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no SQD-3604 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid daemon file location"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Action: searching for squid.conf or squid3.conf file"
+ for I in ${SQUID_DAEMON_CONFIG_LOCS}; do
+ # Checking squid.conf
+ if [ -f "${I}/squid.conf" ]; then
+ logtext "Result: ${I}/squid.conf exists"
+ SQUID_DAEMON_CONFIG="${I}/squid.conf"
+ fi
+ # Checking squid3.conf
+ if [ -f "${I}/squid3.conf" ]; then
+ logtext "Result: ${I}/squid3.conf exists"
+ SQUID_DAEMON_CONFIG="${I}/squid3.conf"
+ fi
+ done
+ if [ "${SQUID_DAEMON_CONFIG}" = "" ]; then
+ logtext "Result: No Squid configuration file found"
+ Display --indent 4 --text "- Searching Squid configuration file..." --result "NOT FOUND" --color YELLOW
+ else
+ logtext "Result: using last found configuration file: ${SQUID_DAEMON_CONFIG}"
+ Display --indent 4 --text "- Searching Squid configuration..." --result FOUND --color GREEN
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : SQD-3606
+ # Description : Check Squid version
+ if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no SQD-3606 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid version"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ if [ ! "${SQUIDBINARY}" = "" ]; then
+ logtext "Result: Squid binary found (${SQUIDBINARY})"
+ # Skip check if a setuid/setgid bit is found
+ FIND=`find ${SQUIDBINARY} \( -perm 4000 -o -perm 2000 \) -print`
+ if [ "${FIND}" = "" ]; then
+ FIND2=`${SQUIDBINARY} -v | awk '{ if ($3=="Version") { print $4 } }'`
+ Display --indent 4 --text "- Checking Squid version..." --result "FOUND" --color GREEN
+ SQUID_VERSION="${FIND2}"
+ else
+ logtext "Result: test skipped for security reasons, setuid/setgid bit set"
+ Display --indent 4 --text "- Checking Squid version..." --result "SKIPPED" --color RED
+ fi
+ else
+ logtext "Result: no Squid binary found"
+ fi
+ fi
+#
+#################################################################################
+#
+# # Test : SQD-3608
+# # Description : Check Squid build options
+# if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+# Register --test-no SQD-3608 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid version"
+# if [ ${SKIPTEST} -eq 0 ]; then
+# fi
+#
+#################################################################################
+#
+ # Test : SQD-3610
+ # Description : Check Squid configuration options
+ if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no SQD-3610 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid version"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking all specific defined options in ${SQUID_DAEMON_CONFIG}"
+ FIND=`cat ${SQUID_DAEMON_CONFIG} | grep -v "^#" | grep -v "^$" | ${AWKBINARY} '{gsub("\t"," ");print}' | sed 's/ /!space!/g'`
+ for I in ${FIND}; do
+ I=`echo ${I} | sed 's/!space!/ /g'`
+ logtext "Found Squid option: ${I}"
+ done
+ Display --indent 4 --text "- Checking defined Squid options..." --result "DONE" --color GREEN
+ fi
+#
+#################################################################################
+#
+# # Test : SQD-3612
+# # Description : Check Squid additional configuration files
+# if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+# Register --test-no SQD-3612 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check additional Squid configuration files"
+# if [ ${SKIPTEST} -eq 0 ]; then
+# fi
+#
+#################################################################################
+#
+ # Test : SQD-3613
+ # Description : Check Squid configuration options
+ if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no SQD-3613 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid file permissions"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking file permissions of ${SQUID_DAEMON_CONFIG}"
+ FIND=`find ${SQUID_DAEMON_CONFIG} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \)`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: file ${SQUID_DAEMON_CONFIG} is world readable, writable or executable and could leak information or passwords"
+ Display --indent 4 --text "- Checking Squid configuration file permissions..." --result WARNING --color RED
+ ReportSuggestion ${TEST_NO} "Check file permissions of ${SQUID_DAEMON_CONFIG} to limit access"
+ ReportWarning ${TEST_NO} "M" "File permissions of ${SQUID_DAEMON_CONFIG} are not restrictive"
+ AddHP 0 2
+ else
+ logtext "Result: file ${SQUID_DAEMON_CONFIG} has proper file permissions"
+ Display --indent 4 --text "- Checking Squid configuration file permissions..." --result OK --color GREEN
+ AddHP 2 2
+ fi
+ fi
+#
+#################################################################################
+#
+ if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then
+ Display --indent 4 --text "- Checking Squid access control..."
+ fi
+#
+#################################################################################
+#
+ # Test : SQD-3614
+ # Description : Check Squid authentication
+ if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no SQD-3614 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid authentication methods"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: check auth_param option for authentication methods"
+ FIND=`grep "^auth_param" ${SQUID_DAEMON_CONFIG} | awk '{ print $2 }'`
+ if [ "${FIND}" = "" ]; then
+ logtext "No auth_param option found, proxy access anonymous or based on other methods (like ACLs)"
+ Display --indent 6 --text "- Checking Squid authentication methods..." --result "NONE" --color YELLOW
+ else
+ Display --indent 6 --text "- Checking Squid authentication methods..." --result "FOUND" --color GREEN
+ for I in ${FIND}; do
+ logtext "Result: found authentication method ${I}"
+ report "squid_auth_method=${I}"
+ done
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : SQD-3616
+ # Description : Check external Squid authentication
+ if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no SQD-3616 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check external Squid authentication"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: check external_acl_type option for external authentication helpers"
+ FIND=`grep "^external_acl_type" ${SQUID_DAEMON_CONFIG}`
+ if [ "${FIND}" = "" ]; then
+ logtext "No external_acl_type found"
+ Display --indent 6 --text "- Checking Squid external authentication methods..." --result "NONE" --color YELLOW
+ else
+ Display --indent 6 --text "- Checking Squid external authentication methods..." --result "FOUND" --color GREEN
+ for I in ${FIND}; do
+ logtext "Result: found external authentication method helper"
+ logtext "Output: ${FIND}"
+ #report "squid_external_acl_type=TRUE"
+ done
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : SQD-3620
+ # Description : Check ACLs
+ if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no SQD-3620 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid access control lists"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ N=0
+ logtext "Test: checking ACLs"
+ FIND=`grep "^acl " ${SQUID_DAEMON_CONFIG} | sed 's/ /!space!/g'`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: No ACLs found"
+ Display --indent 6 --text "- Checking Access Control Lists..." --result "NONE" --color RED
+ else
+ for I in ${FIND}; do
+ N=`expr ${N} + 1`
+ I=`echo ${I} | sed 's/!space!/ /g'`
+ logtext "Found ACL: ${I}"
+ #report "squid_acl=${I}"
+ done
+ logtext "Result: Found ${N} ACLs"
+ Display --indent 6 --text "- Checking Access Control Lists..." --result "${N} ACLs FOUND" --color GREEN
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : SQD-3624 [T]
+ # Description : Check unsecure ports in Safe_ports list
+ if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no SQD-3624 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid safe ports"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ N=0
+ logtext "Test: checking ACL Safe_ports http_access option"
+ FIND=`grep "^http_access" ${SQUID_DAEMON_CONFIG} | grep "Safe_ports"`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: no Safe_ports found"
+ Display --indent 6 --text "- Checking ACL 'Safe_ports' http_access option..." --result "NOT FOUND" --color YELLOW
+ ReportSuggestion ${TEST_NO} "Check if Squid has been configured to restrict access to all safe ports"
+ else
+ logtext "Result: checking ACL safe ports"
+ FIND2=`grep "^acl Safe_ports port" ${SQUID_DAEMON_CONFIG} | awk '{ print $4 }'`
+ if [ "${FIND2}" = "" ]; then
+ Display --indent 6 --text "- Checking ACL 'Safe_ports' ports..." --result "NONE FOUND" --color YELLOW
+ ReportSuggestion ${TEST_NO} "Check if Squid has been configured for which ports it can allow outgoing traffic (Safe_ports)"
+ AddHP 0 1
+ else
+ logtext "Result: Safe_ports found"
+ for I in ${FIND}; do
+ logtext "Found safe port: ${I}"
+ done
+ Display --indent 6 --text "- Checking ACL 'Safe_ports' ports..." --result "FOUND" --color GREEN
+ AddHP 1 1
+ fi
+ #SQUID_DAEMON_UNSAFE_PORTS_LIST
+ for I in ${SQUID_DAEMON_UNSAFE_PORTS_LIST}; do
+ logtext "Test: Checking port ${I} in Safe_ports list"
+ FIND2=`grep "^acl Safe_ports port ${I}" ${SQUID_DAEMON_CONFIG}`
+ if [ "${FIND2}" = "" ]; then
+ Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})..." --result "NOT FOUND" --color GREEN
+ AddHP 1 1
+ else
+ Display --indent 6 --text "- Checking ACL 'Safe_ports' (port ${I})..." --result "FOUND" --color RED
+ ReportWarning ${TEST_NO} "H" "Squid configuration possibly allows relaying traffic via configured Safe_port ${I}"
+ AddHP 0 1
+ fi
+ done
+ fi
+ fi
+#
+#################################################################################
+#
+ if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then
+ Display --indent 4 --text "- Checking Squid Denial of Service tuning options..."
+ fi
+#
+#################################################################################
+#
+ # Test : SQD-3630 [T]
+ # Description : Check reply_body_max_size value
+ if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no SQD-3630 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid reply_body_max_size option"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ N=0
+ logtext "Test: checking option reply_body_max_size"
+ FIND=`grep "^reply_body_max_size " ${SQUID_DAEMON_CONFIG} | sed 's/ /!space!/g'`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: option reply_body_max_size not configured"
+ Display --indent 6 --text "- Checking option: reply_body_max_size" --result "NONE" --color RED
+ AddHP 1 2
+ ReportSuggestion ${TEST_NO} "Configure Squid option reply_body_max_size to limit the upper size of requests."
+ else
+ logtext "Result: option reply_body_max_size configured"
+ logtext "Output: ${FIND}"
+ Display --indent 6 --text "- Checking option: reply_body_max_size" --result "FOUND" --color GREEN
+ AddHP 2 2
+ fi
+ fi
+#
+#################################################################################
+#
+ if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then
+ Display --indent 4 --text "- Checking Squid general options..."
+ fi
+#
+#################################################################################
+#
+
+ # Test : SQD-3680
+ # Description : Check httpd_suppress_version_string
+ if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! "${SQUID_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no SQD-3680 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Squid version suppresion"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FIND=`grep "^httpd_suppress_version_string " ${SQUID_DAEMON_CONFIG} | grep " on"`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: option httpd_suppress_version_string not configured"
+ Display --indent 6 --text "- Checking option: httpd_supress_version_string" --result "NOT FOUND" --color YELLOW
+ AddHP 1 2
+ ReportSuggestion ${TEST_NO} "Configure Squid option httpd_suppress_version_string (on) to suppress the version."
+ else
+ logtext "Result: option httpd_suppress_version_string configured"
+ logtext "Output: ${FIND}"
+ Display --indent 6 --text "- Checking option: httpd_suppress_version_string" --result "FOUND" --color GREEN
+ AddHP 2 2
+ fi
+ fi
+#
+#################################################################################
+#
+
+
+# Squid
+#Hardening:
+# $1 $3
+# acl snmp_community
+# acl maxconn
+# acl max_user_ip
+#
+# follow_x_forwarded_for
+#Read cache_peer host type(sibling/parent) proxyport icpport options (if set, icp_access should be set as well)
+#Read cache_peer_domain
+#Read cache_peer_access
+#Read icp_access
+#Read icp_port
+#Read htcp_access
+#Read htcp_port
+#Read http_port
+#Read https_port
+#Read cache_dir
+#Read access_log
+#Read coredump_dir
+#Read quick_abort_min / max /pct
+#
+# Memory tuning
+#Read cache_mem
+#Read maximum_object_size_in_memory
+#Read maximum_object_size
+#Read cache_swap_low
+#Read cache_swap_high
+
+# Security
+#cache_effective_user
+# off
+#forwarded_for
+
+#wccp
+#
+#################################################################################
+#
+
+wait_for_keypress
+
+#
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
diff --git a/include/tests_ssh b/include/tests_ssh
new file mode 100644
index 00000000..91da5f0d
--- /dev/null
+++ b/include/tests_ssh
@@ -0,0 +1,295 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# SSH
+#
+#################################################################################
+#
+ SSH_DAEMON_CONFIG_LOCS="/etc /etc/ssh /usr/local/etc/ssh /opt/csw/etc/ssh"
+ SSH_DAEMON_CONFIG=""
+ SSH_DAEMON_PORT=""
+ SSH_DAEMON_RUNNING=0
+#
+#################################################################################
+#
+ InsertSection "SSH Support"
+#
+#################################################################################
+#
+ # Test : SSH-7402
+ # Description : Check for a running SSH daemon
+ Register --test-no SSH-7402 --weight L --network NO --description "Check for running SSH daemon"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Searching for a SSH daemon..."
+ IsRunning sshd
+ if [ ${RUNNING} -eq 1 ]; then
+ SSH_DAEMON_RUNNING=1
+ Display --indent 2 --text "- Checking running SSH daemon..." --result FOUND --color GREEN
+ else
+ Display --indent 2 --text "- Checking running SSH daemon..." --result "NOT FOUND" --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : SSH-7404
+ # Description : Determine SSH daemon configuration file location
+ if [ ${SSH_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no SSH-7404 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH daemon file location"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FOUND=0
+ logtext "Action: searching for sshd_config file"
+ for I in ${SSH_DAEMON_CONFIG_LOCS}; do
+ if [ -f "${I}/sshd_config" ]; then
+ logtext "Result: ${I}/sshd_config exists"
+ if [ ${FOUND} -eq 1 ]; then
+ ReportException "${TEST_NO}:01"
+ logtext "Result: we already had found another sshd_config file. Using this new file then."
+ fi
+ FOUND=1
+ SSH_DAEMON_CONFIG="${I}/sshd_config"
+ fi
+ done
+ if [ "${SSH_DAEMON_CONFIG}" = "" ]; then
+ logtext "Result: No sshd configuration found"
+ Display --indent 4 --text "- Searching SSH configuration..." --result "NOT FOUND" --color YELLOW
+ else
+ logtext "Result: using last found configuration file: ${SSH_DAEMON_CONFIG}"
+ Display --indent 4 --text "- Searching SSH configuration..." --result FOUND --color GREEN
+ fi
+ fi
+#
+#################################################################################
+#
+# # Test : SSH-7406
+# # Description : Check for a running SSH daemon
+# if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+# Register --test-no SSH-7406 --preqs-met ${PREQS_MET} --weight L --network NO --description "SSH daemon listening port"
+# if [ ${SKIPTEST} -eq 0 ]; then
+# logtext "Test: Searching for a SSH daemon..."
+# CheckOption "^Port " ${SSH_DAEMON_CONFIG}
+# if [ ${FOUND} -eq 1 ]; then
+# FIND=`echo ${FIND} | awk '{ if ($1=="Port") { print $2 }}'`
+# # Check if this output is numeric and usuable for later (e.g. in netstat output)
+# Display --indent 2 --text "- Checking SSH listening port..." --result FOUND --color GREEN
+# logtext "Result: setting port number to ${FIND}"
+# SSH_DAEMON_PORT="${FIND}"
+# else
+# Display --indent 2 --text "- Checking SSH listening port..." --result "NOT FOUND" --color WHITE
+# logtext "Result: setting port to default number, as no other port has been configured"
+# SSH_DAEMON_PORT="22"
+# fi
+# fi
+#
+#################################################################################
+#
+ # Test : SSH-7408
+ # Description : Check SSH specific defined options
+ if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no SSH-7408 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH defined options"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking all specific defined options in ${SSH_DAEMON_CONFIG}"
+ FIND=`cat ${SSH_DAEMON_CONFIG} | grep -v "^#" | grep -v "^$" | ${AWKBINARY} '{gsub("\t"," ");print}' | sed 's/ /!space!/g'`
+ for I in ${FIND}; do
+ I=`echo ${I} | sed 's/!space!/ /g'`
+ logtext "Found SSH option: ${I}"
+ done
+ Display --indent 4 --text "- Checking defined SSH options..." --result "DONE" --color GREEN
+ fi
+#
+#################################################################################
+#
+ # Test : SSH-7412
+ # Description : Check SSH PermitRootLogin option
+ if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no SSH-7412 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: PermitRootLogin"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: check PermitRootLogin option"
+ FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^PermitRootLogin" | awk '{ print $2 }'`
+ if [ "${FIND}" = "yes" -o "${FIND}" = "YES" -o "${FIND}" = "Yes" ]; then
+ logtext "Result: PermitRootLogin is enabled, root can login directly"
+ Display --indent 4 --text "- SSH option: PermitRootLogin..." --result WARNING --color RED
+ ReportWarning ${TEST_NO} "M" "Root can directly login via SSH"
+ AddHP 0 3
+ else
+ # YYY add test for DenyUsers root
+ if [ "${FIND}" = "no" -o "${FIND}" = "No" ]; then
+ logtext "Result: PermitRootLogin is disabled. Root can't login directly"
+ Display --indent 4 --text "- SSH option: PermitRootLogin..." --result DISABLED --color GREEN
+ AddHP 3 3
+ else
+ logtext "Result: Value of PermitRootLogin is unknown (not defined)"
+ Display --indent 4 --text "- SSH option: PermitRootLogin..." --result DEFAULT --color WHITE
+ fi
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : SSH-7414
+ # Description : Check SSH Protocol option
+ if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no SSH-7414 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: Protocol"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: check allowed SSH protocol versions"
+ FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^Protocol" | awk '{ print $2 }'`
+ if [ "${FIND}" = "1" -o "${FIND}" = "2,1" -o "${FIND}" = "1,2" ]; then
+ logtext "Result: Protocol option is set to allow SSH protocol version 1"
+ Display --indent 4 --text "- SSH option: Protocol..." --result WARNING --color RED
+ ReportWarning ${TEST_NO} "M" "SSH protocol version 1 is allowed"
+ AddHP 0 3
+ else
+ if [ "${FIND}" = "2" ]; then
+ logtext "Result: only protocol 2 is allowed"
+ Display --indent 4 --text "- SSH option: Protocol..." --result OK --color GREEN
+ AddHP 3 3
+ else
+ logtext "Result: value of Protocol is unknown (not defined)"
+ Display --indent 4 --text "- SSH option: Protocol..." --result DEFAULT --color WHITE
+ fi
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : SSH-7416
+ # Description : Check SSH StrictModes option
+ if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no SSH-7416 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: StrictModes"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Check configured StrictModes option"
+ FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^StrictModes" | awk '{ print $2 }'`
+ if [ "${FIND}" = "no" -o "${FIND}" = "NO" -o "${FIND}" = "No" ]; then
+ logtext "Result: StrictModes option is set to 'no', which means file permissions are NOT checked"
+ Display --indent 4 --text "- SSH option: StrictModes..." --result WARNING --color RED
+ ReportWarning ${TEST_NO} "M" "StrictModes is turned off"
+ ReportSuggestion ${TEST_NO} "Check StrictModes option in sshd_config"
+ AddHP 0 3
+ else
+ if [ "${FIND}" = "yes" -o "${FIND}" = "YES" -o "${FIND}" = "Yes" ]; then
+ logtext "Result: StrictModes active, file permissions are checked"
+ Display --indent 4 --text "- SSH option: StrictModes..." --result OK --color GREEN
+ AddHP 3 3
+ else
+ logtext "Result: value of StrictModes is unknown (not defined)"
+ Display --indent 4 --text "- SSH option: StrictModes..." --result DEFAULT --color WHITE
+ fi
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : SSH-7418
+ # Description : Check SSH Port option
+# if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+# Register --test-no SSH-7418 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: Port"
+# if [ ${SKIPTEST} -eq 0 ]; then
+# logtext "Test: check allowed SSH protocol versions"
+# FIND=`cat ${SSH_DAEMON_CONFIG} | grep "^Port" | awk '{ if ($2!="22") { print $2 } }'`
+# if [ "${FIND}" = "1" -o "${FIND}" = "2,1" -o "${FIND}" = "1,2" ]; then
+# logtext "Result: Protocol option is set to allow SSH protocol version 1"
+# Display --indent 4 --text "- SSH option: Protocol..." --result WARNING --color RED
+# ReportWarning ${TEST_NO} "M" "SSH protocol version 1 is allowed"
+# AddHP 0 3
+# else
+# if [ "${FIND}" = "2" ]; then
+# logtext "Result: only protocol 2 is allowed"
+# Display --indent 4 --text "- SSH option: Protocol..." --result OK --color GREEN
+# AddHP 3 3
+# else
+# logtext "Result: value of Protocol is unknown (not defined)"
+# Display --indent 4 --text "- SSH option: Protocol..." --result DEFAULT --color WHITE
+# fi
+# fi
+# fi
+#
+#################################################################################
+#
+ # Test : SSH-7440
+ # Description : AllowUsers / AllowGroups
+ # Goal : Check if only a specific amount of users/groups can log in to the system
+ if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no SSH-7440 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: AllowUsers and AllowGroups"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FOUND=0
+ # AllowUsers
+ FIND=`egrep "^AllowUsers" ${SSH_DAEMON_CONFIG} | awk '{ print $2 }'`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: AllowUsers set, with value ${FIND}"
+ Display --indent 4 --text "- SSH option: AllowUsers..." --result FOUND --color GREEN
+ FOUND=1
+ else
+ logtext "Result: AllowUsers is not set"
+ Display --indent 4 --text "- SSH option: AllowUsers..." --result "NOT FOUND" --color WHITE
+ fi
+
+ # AllowGroups
+ FIND=`egrep "^AllowGroups" ${SSH_DAEMON_CONFIG} | awk '{ print $2 }'`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: AllowUsers set ${FIND}"
+ Display --indent 4 --text "- SSH option: AllowGroups..." --result FOUND --color GREEN
+ FOUND=1
+ else
+ logtext "Result: AllowGroups is not set"
+ Display --indent 4 --text "- SSH option: AllowGroups..." --result "NOT FOUND" --color WHITE
+ fi
+
+ if [ ${FOUND} -eq 1 ]; then
+ logtext "Result: SSH is limited to a specific set of users, which is good"
+ AddHP 2 2
+ else
+ logtext "Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine."
+ AddHP 0 1
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : SSH-7464
+ # Description : HashKnownHosts
+ #if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_CONFIG}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ #Register --test-no SSH-7464 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: HashKnownHosts"
+ #if [ ${SKIPTEST} -eq 0 ]; then
+ # /etc/ssh/ssh_config
+ # ReportSuggestion ${TEST_NO} "HashKnownHosts option can migitate worm attacks"
+ #AddHP 2 2
+ #fi
+#
+#################################################################################
+#
+ # Test : SSH-7480
+ # Description : AllowUsers / AllowGroups
+ # Goal : Scan SSH daemon
+ #if [ ! ${SSHKEYSCANBINARY} = "" -a ${SSH_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ #Register --test-no SSH-7480 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SSH option: AllowUsers and AllowGroups"
+ #if [ ${SKIPTEST} -eq 0 ]; then
+ # First determine what port the local instance of SSH daemon is running on. If unknown, use port 22
+ # FIND=`${SSHKEYSCANBINARY} localhost 2>&1 | grep OpenSSH | egrep -i "bsd|debian|ubuntu|redhat"`
+#
+#################################################################################
+#
+ # sshd -T can provide additional insights
+#
+#################################################################################
+#
+report "ssh_daemon_running=${SSH_DAEMON_RUNNING}"
+#report "ssh_daemon_port=${SSH_DAEMON_PORT}"
+
+wait_for_keypress
+
+#
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
diff --git a/include/tests_storage b/include/tests_storage
new file mode 100644
index 00000000..16d0a874
--- /dev/null
+++ b/include/tests_storage
@@ -0,0 +1,117 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+ InsertSection "Storage"
+#
+#################################################################################
+#
+ AUTOMOUNTER_DAEMON_RUNNING=0
+ NFS_DAEMON_RUNNING=0
+ AUTOMOUNTER_DAEMON_TOOL=""
+#
+#################################################################################
+#
+ # Test : STRG-1840
+ # Description : Check for disabled USB storage
+ Register --test-no STRG-1840 --os Linux --weight L --network NO --description "Check if USB storage is disabled"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FOUND=0
+ logtext "Test: Checking USB storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf"
+ if [ -d /etc/modprobe.d ]; then
+ FIND=`ls /etc/modprobe.d/* 2>/dev/null`
+ if [ ! "${FIND}" = "" ]; then
+ FIND=`grep -r "install usb-storage /bin/true" /etc/modprobe.d/* | grep "usb-storage" | grep -v "#"`
+ FIND2=`egrep -r "^blacklist (usb_storage|usb-storage)" /etc/modprobe.d/*`
+ if [ ! "${FIND}" = "" -o ! "${FIND2}" = "" ]; then
+ FOUND=1
+ logtext "Result: found usb-storage driver in disabled state"
+ fi
+ else
+ logtext "Result: uncommon situation. Found /etc/modprobe.d directory, but no files in it."
+ fi
+ fi
+ if [ -f /etc/modprobe.conf ]; then
+ FIND=`grep "install usb-storage /bin/true" /etc/modprobe.conf | grep "usb-storage" | grep -v "#"`
+ if [ ! "${FIND}" = "" ]; then
+ FOUND=1
+ logtext "Result: found usb-storage driver in disabled state"
+ fi
+ fi
+ if [ ${FOUND} -eq 0 ]; then
+ logtext "Result: usb-storage driver is not explicitly disabled"
+ Display --indent 2 --text "- Checking usb-storage driver (modprobe config)..." --result "NOT DISABLED" --color WHITE
+ ReportSuggestion ${TEST_NO} "Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft"
+ AddHP 2 3
+ else
+ logtext "Result: usb-storage driver is disabled"
+ Display --indent 2 --text "- Checking usb-storage driver (modprobe config)..." --result "DISABLED" --color GREEN
+ AddHP 3 3
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : STRG-1846
+ # Description : Check for disabled firewire storage
+ Register --test-no STRG-1846 --os Linux --weight L --network NO --description "Check if firewire storage is disabled"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FOUND=0
+ logtext "Test: Checking firewire storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf"
+ if [ -d /etc/modprobe.d ]; then
+ FIND1=`egrep "blacklist (ohci1394|firewire-ohci)" /etc/modprobe.d/* | grep "ohci" | grep -v "#"`
+ FIND2=`egrep "install (ohci1394|firewire-ohci) /bin/true" /etc/modprobe.d/* | grep "ohci" | grep -v "#"`
+ if [ ! "${FIND1}" = "" -o ! "${FIND2}" = "" ]; then
+ FOUND=1
+ logtext "Result: found firewire ohci driver in disabled state"
+ fi
+ fi
+ if [ -f /etc/modprobe.conf ]; then
+ FIND1=`egrep -r "blacklist (ohci1394|firewire-ohci)" /etc/modprobe.conf | grep "ohci" | grep -v "#"`
+ FIND2=`egrep -r "install (ohci1394|firewire-ohci) /bin/true" /etc/modprobe.conf | grep "ohci" | grep -v "#"`
+ if [ ! "${FIND1}" = "" -o ! "${FIND2}" = "" ]; then
+ FOUND=1
+ logtext "Result: found firewire ohci driver in disabled state"
+ fi
+ fi
+
+ if [ ${FOUND} -eq 0 ]; then
+ logtext "Result: firewire ohci driver is not explicitly disabled"
+ Display --indent 2 --text "- Checking firewire ohci driver (modprobe config)..." --result "NOT DISABLED" --color WHITE
+ ReportSuggestion ${TEST_NO} "Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft"
+ # after blacklisting modules, make sure to remove them from the initram filesystem: update-initramfs -u
+ AddHP 2 3
+ else
+ logtext "Result: firewire ohci driver is disabled"
+ Display --indent 2 --text "- Checking firewire ohci driver (modprobe config)..." --result "DISABLED" --color GREEN
+ AddHP 3 3
+ fi
+ fi
+#
+#################################################################################
+#
+
+# NetBSD: amd (auto mount daemon)
+
+#
+#################################################################################
+#
+
+
+wait_for_keypress
+
+#
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
diff --git a/include/tests_storage_nfs b/include/tests_storage_nfs
new file mode 100644
index 00000000..defdf679
--- /dev/null
+++ b/include/tests_storage_nfs
@@ -0,0 +1,181 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# NFS
+#
+#################################################################################
+#
+ InsertSection "NFS"
+#
+#################################################################################
+#
+ NFS_DAEMON_RUNNING=0
+ NFS_EXPORTS_EMPTY=0
+#
+#################################################################################
+#
+
+ # Test : STRG-1902
+ # Description : Check rpcinfo
+ if [ ! "${RPCINFOBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no STRG-1902 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check rpcinfo registered programs"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking rpcinfo registered programs"
+ FIND=`${RPCINFOBINARY} -p 2> /dev/null | tr -s ' ' ','`
+ for I in ${FIND}; do
+ logtext "rpcinfo: ${I}"
+ done
+ Display --indent 2 --text "- Query rpc registered programs..." --result "DONE" --color GREEN
+ fi
+#
+#################################################################################
+#
+ # Test : STRG-1904
+ # Description : Check nfs versions in rpcinfo
+ if [ ! "${RPCINFOBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no STRG-1904 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nfs rpc"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking NFS registered versions"
+ FIND=`${RPCINFOBINARY} -p 2> /dev/null | ${AWKBINARY} '{ if ($5=="nfs") { print $2 } }' | uniq | sort`
+ for I in ${FIND}; do
+ logtext "Found version: ${I}"
+ done
+ Display --indent 2 --text "- Query NFS versions..." --result "DONE" --color GREEN
+ fi
+#
+#################################################################################
+#
+ # Test : STRG-1906
+ # Description : Check nfs protocols (TCP/UDP) and port in rpcinfo
+ if [ ! "${RPCINFOBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no STRG-1906 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nfs rpc"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking NFS registered protocols"
+ FIND=`${RPCINFOBINARY} -p 2> /dev/null | ${AWKBINARY} '{ if ($5=="nfs") { print $3 } }' | uniq | sort`
+ for I in ${FIND}; do
+ logtext "Found protocol: ${I}"
+ done
+ if [ "${FIND}" = "" ]; then
+ logtext "Output: no NFS protocols found"
+ fi
+
+ # Check port number
+ logtext "Test: Checking NFS registered ports"
+ FIND=`${RPCINFOBINARY} -p 2> /dev/null | ${AWKBINARY} '{ if ($5=="nfs") { print $3 } }' | uniq | sort`
+ for I in ${FIND}; do
+ logtext "Found port: ${I}"
+ done
+ if [ "${FIND}" = "" ]; then
+ logtext "Output: no NFS port number found"
+ fi
+ Display --indent 2 --text "- Query NFS protocols..." --result "DONE" --color GREEN
+ fi
+#
+#################################################################################
+#
+ # Test : STRG-1920
+ # Description : Check for running NFS daemons
+ Register --test-no STRG-1920 --weight L --network NO --description "Checking NFS daemon"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking running NFS daemon"
+ FIND=`${PSBINARY} ax | grep "nfsd" | grep -v "grep"`
+ if [ "${FIND}" = "" ]; then
+ logtext "Output: NFS daemon is not running"
+ Display --indent 2 --text "- Check running NFS daemon..." --result "NOT FOUND" --color WHITE
+ else
+ logtext "Output: NFS daemon is running"
+ Display --indent 2 --text "- Check running NFS daemon.." --result "FOUND" --color GREEN
+ NFS_DAEMON_RUNNING=1
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : STRG-1924
+ # Description : Check missing nfs in rpcinfo while NFS is running
+ #Register --test-no STRG-1924 --weight L --network NO --description "Checking NFS daemon"
+ #if [ ${SKIPTEST} -eq 0 ]; then
+#
+#################################################################################
+#
+ # Test : STRG-1926
+ # Description : Check NFS exports
+ if [ ${NFS_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no STRG-1926 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking NFS exports"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: check /etc/exports"
+ if [ -f /etc/exports ]; then
+ logtext "Result: /etc/exports exists"
+ FIND=`cat /etc/exports | grep -v "^$" | grep -v "^#" | sed 's/ /!space!/g'`
+ if [ ! "${FIND}" = "" ]; then
+ for I in ${FIND}; do
+ I=`echo ${I} | sed 's/!space!/ /g'`
+ logtext "Found line: ${I}"
+ done
+ else
+ logtext "Result: /etc/exports does not contain exported file systems"
+ NFS_EXPORTS_EMPTY=1
+ fi
+ Display --indent 4 --text "- Checking /etc/exports..." --result "FOUND" --color GREEN
+ else
+ logtext "Result: file /etc/exports does not exist"
+ Display --indent 4 --text "- Checking /etc/exports..." --result "NOT FOUND" --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : STRG-1928
+ # Description : Check for empty exports file while NFS is running
+ if [ ${NFS_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no STRG-1928 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking empty /etc/exports"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ if [ ${NFS_EXPORTS_EMPTY} -eq 1 ]; then
+ Display --indent 6 --text "- Checking empty /etc/exports..." --result SUGGESTION --color YELLOW
+ logtext "Result: /etc/exports seems to have no exported file systems"
+ ReportSuggestion ${TEST_NO} "/etc/exports has no exported file systems, while NFS daemon is running. Check if NFS needs to run on this system"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : STRG-1930
+ # Description : Check client access to nfs share
+ if [ ${NFS_DAEMON_RUNNING} -eq 1 -a ${NFS_EXPORTS_EMPTY} -eq 0 -a ! "${SHOWMOUNTBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no STRG-1930 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check client access to nfs share"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ #logtext "Test: "
+ sFIND=`${SHOWMOUNTBINARY} -e | awk '{ print $2 }' | sed '1d'| grep "\*"`
+ if [ "${sFIND}" != "" ]; then
+ logtext "Result: all client are allowed to access a NFS share in /etc/exports"
+ Display --indent 4 --text "- Checking NFS client access..." --result "ALL CLIENTS" --color YELLOW
+ ReportSuggestion ${TEST_NO} "Specify clients that are allowed to access a NFS share /etc/exports"
+ AddHP 2 3
+ else
+ logtext "Result: only some clients are allowed to access a NFS share"
+ Display --indent 4 --text "- Checking NFS client access..." --result OK --color GREEN
+ AddHP 3 3
+ fi
+ fi
+#
+#################################################################################
+#
+
+wait_for_keypress
+
+#
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
diff --git a/include/tests_tcpwrappers b/include/tests_tcpwrappers
new file mode 100644
index 00000000..949adbf0
--- /dev/null
+++ b/include/tests_tcpwrappers
@@ -0,0 +1,47 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# TCP Wrappers
+# Run after: NFS checks
+#
+#################################################################################
+#
+#
+#################################################################################
+#
+# InsertSection "TCP Wrappers"
+#
+#################################################################################
+#
+ # Test : TCPW-xxxx (YYY move to nameservices section)
+ # Description : Basic nameserver configuration tests (connectivity)
+# Register --test-no TCPW-xxxx --weight L --network YES --description "Basic nameserver configuration tests"
+# if [ ${SKIPTEST} -eq 0 ]; then
+# Display --indent 2 --text "- Checking configured nameservers..."
+# logtext "Test: Checking /etc/resolv.conf file"
+# Display --indent 8 --text "Nameserver: ${I}..." --result OK --color GREEN
+# ReportSuggestion ${TEST_NO} "Check connection to this nameserver and make sure no outbound DNS queries are blocked (port 53 UDP and TCP)."
+# ReportWarning ${TEST_NO} "L" "Nameserver ${I} does not respond"
+# fi
+#
+#################################################################################
+#
+
+#wait_for_keypress
+
+#
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
diff --git a/include/tests_time b/include/tests_time
new file mode 100644
index 00000000..69a76a17
--- /dev/null
+++ b/include/tests_time
@@ -0,0 +1,428 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# Time
+#
+#################################################################################
+#
+ InsertSection "Time and Synchronization"
+#
+#################################################################################
+#
+ NTP_DAEMON=""
+ NTP_DAEMON_RUNNING=0
+ NTP_CONFIG_FOUND=0
+ NTP_CONFIG_TYPE_DAEMON=0
+ NTP_CONFIG_TYPE_SCHEDULED=0
+ NTP_CONFIG_TYPE_EVENTBASED=0
+ NTP_CONFIG_TYPE_STARTUP=0
+ # Specific for ntpd
+ NTPD_RUNNING=0
+ CRON_DIRS="/etc/cron.d /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly /var/spool/crontabs"
+#
+#################################################################################
+#
+ # Test : TIME-3104
+ # Description : Check for a running NTP daemon
+ if [ -f /sys/hypervisor/type ]; then
+ # Skip NTP tests if we are in a DomU xen instance YYY
+ FIND=`cat /sys/hypervisor/type`
+ if [ "${FIND}" = "xen" ]; then PREQS_MET="NO"; else PREQS_MET="YES"; fi
+ else
+ PREQS_MET="YES"
+ fi
+ Register --test-no TIME-3104 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for running NTP daemon or client"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ # Linux/FreeBSD (ntpdate), OpenBSD (ntpd, rdate)
+ logtext "Test: Searching for a running NTP daemon or available client... "
+ FOUND=0
+
+ # Check running processes
+ FIND=`${PSBINARY} ax | grep "ntpd" | grep -v "dntpd" | grep -v "grep"`
+ if [ ! "${FIND}" = "" ]; then
+ FOUND=1; NTPD_RUNNING=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1
+ NTP_DAEMON="ntpd"
+ logtext "Result: found running NTP daemon in process list"
+ Display --indent 2 --text "- Checking running NTP daemon (ntpd)..." --result FOUND --color GREEN
+ else
+ logtext "Result: NTP daemon not found in process list"
+ Display --indent 2 --text "- Checking running NTP daemon (ntpd)..." --result "NOT FOUND" --color WHITE
+ fi
+
+ # Check time daemon (eg NetBSD)
+ IsRunning timed
+ if [ ${RUNNING} -eq 1 ]; then
+ FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="timed"
+ Display --indent 2 --text "- Checking running NTP daemon (timed)..." --result FOUND --color GREEN
+ else
+ Display --indent 2 --text "- Checking running NTP daemon (timed)..." --result "NOT FOUND" --color WHITE
+ fi
+
+ # Check time daemon (eg DragonFly BSD)
+ IsRunning dntpd
+ if [ ${RUNNING} -eq 1 ]; then
+ FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="dntpd"
+ Display --indent 2 --text "- Checking running NTP daemon (dntpd)..." --result FOUND --color GREEN
+ else
+ Display --indent 2 --text "- Checking running NTP daemon (dntpd)..." --result "NOT FOUND" --color WHITE
+ fi
+
+ # Check crontab for OpenBSD/FreeBSD
+ # Check anacrontab for Linux
+ CRONTAB_FILES="/etc/anacrontab /etc/crontab"
+ for I in ${CRONTAB_FILES}; do
+ if [ -f ${I} ]; then
+ logtext "Test: checking for ntpdate or rdate in crontab file ${I}"
+ FIND=`cat ${I} | ${EGREPBINARY} "ntpdate|rdate" | grep -v '^#'`
+ if [ ! "${FIND}" = "" ]; then
+ FOUND=1;
+ NTP_CONFIG_TYPE_SCHEDULED=1
+ Display --indent 2 --text "- Checking NTP client in crontab file (${I})..." --result FOUND --color GREEN
+ logtext "Result: found ntpdate or rdate reference in crontab file ${I}"
+ else
+ Display --indent 2 --text "- Checking NTP client in crontab file (${I})..." --result "NOT FOUND" --color WHITE
+ logtext "Result: no ntpdate or rdate reference found in crontab file ${I}"
+ fi
+ else
+ logtext "Result: crontab file ${I} not found"
+ fi
+ done
+
+ ##########################
+ # To do: test on Solaris #
+ ##########################
+
+ # Don't run check in cron job directory on Solaris
+ # /etc/cron.d/FIFO is a special file and test get stuck at this file
+ FOUND_IN_CRON=0
+
+ # Check cron jobs
+ for I in ${CRON_DIRS}; do
+ if [ -d ${I} ]; then
+ FIND=`ls ${I} | grep -v FIFO`
+ if [ ! "${FIND}" = "" ]; then
+ for J in ${FIND}; do
+ logtext "Test: checking for ntpdate or rdate in ${I}/${J}"
+ FIND2=`${EGREPBINARY} "rdate|ntpdate" ${I}/${J} | grep -v "^#"`
+ if [ ! "${FIND2}" = "" ]; then
+ logtext "Positive match found: ${FIND2}"
+ FOUND=1; FOUND_IN_CRON=1; NTP_CONFIG_TYPE_SCHEDULED=1
+ fi
+ done
+ else
+ logtext "Result: ${I} is empty, skipping search in directory"
+ fi
+ fi
+ done
+
+ if [ ${FOUND_IN_CRON} -eq 1 ]; then
+ Display --indent 2 --text "- Checking NTP client in cron files..." --result FOUND --color GREEN
+ logtext "Result: found ntpdate or rdate in cron directory"
+ else
+ Display --indent 2 --text "- Checking NTP client in cron.d files..." --result "NOT FOUND" --color WHITE
+ logtext "Result: no ntpdate or rdate found in cron directories"
+ fi
+
+
+ # Checking if ntpdate is performed by event
+ logtext "Test: checking for file /etc/network/if-up.d/ntpdate"
+ if [ -f /etc/network/if-up.d/ntpdate ]; then
+ logtext "Result: found ntpdate action when network interface comes up"
+ FOUND=1
+ NTP_CONFIG_TYPE_EVENTBASED=1
+ Display --indent 2 --text "- Checking event based ntpdate (if-up)..." --result FOUND --color GREEN
+ else
+ logtext "Result: file /etc/network/if-up.d/ntpdate does not exist"
+ fi
+
+ if [ "${OS}" = "FreeBSD" ]; then
+ logtext "Test: Checking if ntpdate is enabled at startup in FreeBSD"
+ if [ -f /etc/rc.conf ]; then
+ FIND=`grep 'ntpdate_enable="YES"' /etc/rc.conf`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: ntpdate is enabled in rc.conf"
+ # Mark system having a NTP client, but remind user to improve it
+ FOUND=1
+ NTP_CONFIG_TYPE_STARTUP=1
+ ReportSuggestion ${TEST_NO} "Although ntpdate is enabled in rc.conf, it is adviced to run it at least daily or use a NTP daemon"
+ else
+ logtext "Result: ntpdate is not enabled in rc.conf"
+ fi
+ fi
+ fi
+
+ if [ ${FOUND} -eq 0 ]; then
+ Display --indent 2 --text "- Checking for a running NTP daemon or client" --result WARNING --color RED
+ logtext "Result: Could not find a NTP daemon or client"
+ ReportSuggestion ${TEST_NO} "Use NTP daemon or NTP client to prevent time issues."
+ AddHP 0 2
+ else
+ Display --indent 2 --text "- Checking for a running NTP daemon or client" --result OK --color GREEN
+ logtext "Result: Found a time syncing daemon/client."
+ AddHP 3 3
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : TIME-3112
+ # Description : Check for valid associations from ntpq peers list
+ if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no TIME-3112 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check active NTP associations ID's"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking for NTP association ID's from ntpq peers list"
+ FIND=`${NTPQBINARY} -p -n | grep "No association ID's returned"`
+ if [ "${FIND}" = "" ]; then
+ Display --indent 2 --text "- Checking valid association ID's" --result FOUND --color GREEN
+ logtext "Result: Found one or more association ID's"
+ else
+ Display --indent 2 --text "- Checking valid association ID's" --result WARNING --color RED
+ ReportSuggestion ${TEST_NO} "Check ntp.conf for properly configured NTP servers and a correctly functioning name service."
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : TIME-3116
+ # Description : Check for stratum 16 peers
+ if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no TIME-3116 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check peers with stratum value of 16"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ N=0
+ logtext "Test: Checking stratum 16 sources from ntpq peers list"
+ FIND=`${NTPQBINARY} -p -n | awk '{ if ($3=="16") { print $1 } }'`
+ if [ "${FIND}" = "" ]; then
+ Display --indent 2 --text "- Checking high stratum ntp peers" --result OK --color GREEN
+ logtext "Result: All peers are lower than stratum 16"
+ else
+ for I in ${FIND}; do
+ logtext "Found stratum 16 peer: ${I}"
+ FIND2=`egrep "^ntp:ignore_stratum_16_peer:${I}:" ${PROFILE}`
+ if [ "${FIND2}" = "" ]; then
+ N=`expr ${N} + 1`
+ else
+ logtext "Output: host ${I} ignored by profile"
+ fi
+ done
+ # Check if one or more high stratum time servers are found
+ if [ ${N} -eq 0 ]; then
+ Display --indent 2 --text "- Checking high stratum ntp peers" --result OK --color GREEN
+ logtext "Result: all non local servers are lower than stratum 16, or whitelisted within the scan profile"
+ else
+ Display --indent 2 --text "- Checking high stratum ntp peers" --result WARNING --color RED
+ logtext "Result: Found one or more high stratum (16) peers)"
+ ReportSuggestion ${TEST_NO} "Check ntpq peers output"
+ ReportWarning ${TEST_NO} "L" "Found one or more stratum 16 peers"
+ fi
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : TIME-3120
+ # Description : Check unreliable peers from peer list
+ # Notes : Items with # are too far away (network distance)
+ # Items with - are not chosing due clustering algoritm
+ if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no TIME-3120 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check unreliable NTP peers"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking unreliable ntp peers"
+ FIND=`${NTPQBINARY} -p -n | egrep "^(-|#)" | awk '{ print $1 }' | sed 's/^-//g'`
+ if [ "${FIND}" = "" ]; then
+ Display --indent 2 --text "- Checking unreliable ntp peers" --result NONE --color GREEN
+ logtext "Result: No unreliable peers found"
+ else
+ Display --indent 2 --text "- Checking unreliable ntp peers" --result FOUND --color YELLOW
+ logtext "Result: Found one or more unreliable peers (marked with a minus or dash sign)"
+ for I in ${FIND}; do
+ logtext "Unreliable peer: ${I}"
+ done
+ ReportSuggestion ${TEST_NO} "Check ntpq peers output for unreliable ntp peers and correct/replace them"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : TIME-3124
+ # Description : Check selected time source
+ if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no TIME-3124 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check selected time source"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking selected time source"
+ FIND=`${NTPQBINARY} -p -n | grep '^*' | awk '{ if ($4=="l") { print $1 } }'`
+ FIND2=`${NTPQBINARY} -p -n | grep '^*' | awk '{ print $1 }'`
+ if [ "${FIND}" = "" -a ! "${FIND2}" = "" ]; then
+ Display --indent 2 --text "- Checking selected time source" --result OK --color GREEN
+ FIND2=`echo ${FIND2} | sed 's/*//g'`
+ logtext "Result: Found selected time source (value: ${FIND2})"
+ else
+ Display --indent 2 --text "- Checking selected time source" --result WARNING --color RED
+ logtext "Result: Found local source as selected time source. This could indicate that no external sources are available to sync with."
+ logtext "Local source: ${FIND}"
+ ReportSuggestion ${TEST_NO} "Check ntpq peers output for selected time source"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : TIME-3128
+ # Description : Check time source candidates
+ if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no TIME-3128 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check preffered time source"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking preferred time source"
+ FIND=`${NTPQBINARY} -p -n | grep '^+' | awk '{ print $1 }'`
+ if [ "${FIND}" = "" ]; then
+ Display --indent 2 --text "- Checking time source candidates..." --result NONE --color YELLOW
+ logtext "Result: No other time source candidates found"
+ ReportSuggestion ${TEST_NO} "Check ntpq peers output for time source candidates"
+ else
+ Display --indent 2 --text "- Checking time source candidates..." --result OK --color GREEN
+ logtext "Result: Found one or more candidates to synchronize time with."
+ for I in ${FIND}; do
+ I=`echo ${I} | sed 's/+//g'`
+ logtext "Candidate found: ${I}"
+ done
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : TIME-3132
+ # Description : Check ntpq falsetickers
+ if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no TIME-3132 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check NTP falsetickers"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking preferred time source"
+ FIND=`${NTPQBINARY} -p -n | grep '^x'`
+ if [ "${FIND}" = "" ]; then
+ Display --indent 2 --text "- Checking falsetickers..." --result OK --color GREEN
+ logtext "Result: No falsetickers found (items preceeding with an 'x')"
+ else
+ Display --indent 2 --text "- Checking falsetickers..." --result NONE --color YELLOW
+ logtext "Result: Found one or more falsetickers (items preceeding with an 'x')"
+ for I in ${FIND}; do
+ I=`echo ${I} | sed 's/x//g'`
+ logtext "Falseticker found: ${I}"
+ report "ntp_falseticker=${I}"
+ done
+ ReportSuggestion ${TEST_NO} "Check ntpq peers output for falsetickers"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : TIME-3136
+ # Description : Check ntpq reported ntp version (Linux)
+ # Notes : Test could be improved by checking every host (YYY)
+ if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no TIME-3136 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check NTP protocol version"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking NTP protocol version (ntpq -c ntpversion)"
+ FIND=`${NTPQBINARY} -c ntpversion | awk '{ if ($1=="NTP" && $2=="version" && $5=="is") { print $6 } }'`
+ if [ "${FIND}" = "" ]; then
+ Display --indent 2 --text "- Checking NTP version..." --result UNKNOWN --color YELLOW
+ logtext "Result: No NTP version found"
+ ReportSuggestion ${TEST_NO} "Check ntpq output for NTP protocol version"
+ else
+ Display --indent 2 --text "- Checking NTP version..." --result FOUND --color GREEN
+ logtext "Result: Found NTP version ${FIND}"
+ report "ntp_version=${FIND}"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : TIME-3146
+ # Description : Check /etc/default/ntpdate (Linux)
+ # Notes : ntpdate-debian binary
+ #if [ ${NTPD_RUNNING} -eq 1 -a ! "${NTPQBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ #Register --test-no TIME-3146 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check /etc/default/ntpdate"
+ #if [ ${SKIPTEST} -eq 0 ]; then
+#
+#################################################################################
+#
+ # Test : TIME-3160
+ # Description : Check empty NTP step-tickers
+ # Notes : Mostly applies to Red Hat and clones
+ if [ "${NTPD_RUNNING}" -eq 1 -a ! "${NTPQBINARY}" = "" -a ! "${CHKCONFIGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no TIME-3160 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check empty NTP step-tickers"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FOUND=0
+ FILE="/etc/ntp/step-tickers"
+ if [ -f ${FILE} ]; then
+ if [ -z ${FILE} ]; then
+ logtext "Result: ${FILE} is empty. The step-tickers contain no configured NTP servers"
+ Display --indent 2 --text "- Checking NTP step-tickers file" --result "EMPTY FILE" --color YELLOW
+ ReportSuggestion ${TEST_NO} "Use step-rickers file for quicker time synchronization"
+ else
+ logtext "Result: /etc/ntp/step-tickers is not empty, which is fine"
+ Display --indent 2 --text "- Checking NTP step-tickers file" --result "OK" --color GREEN
+ sFIND=`${AWKBINARY} '/^server/ { print $2 }' /etc/ntp.conf | ${GREPBINARY} -v '127.127.1.0'`
+ for I in ${sFIND}; do
+ FIND=`${GREPBINARY} ^${I} ${FILE} | wc -l`
+ if [ ${FIND} -gt 0 ]; then
+ logtext "Result: $I exist in ${FILE}"
+ else
+ logtext "Result: ${I} does NOT exist in ${FILE}"
+ FOUND=1
+ fi
+ done
+ if [ ${FOUND} -eq 1 ]; then
+ Display --indent 4 --text "- Checking step-tickers ntp servers entries" --result "SOME MISSING" --color YELLOW
+ ReportSuggestion ${TEST_NO} "Some time servers missing in step-tickers file"
+ AddHP 3 4
+ else
+ Display --indent 4 --text "- Checking step-tickers ntp servers entries" --result OK --color GREEN
+ logtext "Result: all time servers are in step-tickers file"
+ AddHP 4 4
+ fi
+ fi
+ logtext "Information: step-tickers is used by ntpdate where as ntp.conf is the configuration file for the ntpd daemon. ntpdate is initially run to set the clock before ntpd to make sure time is within 1000 sec."
+ logtext "Risk: ntp will not run at boot if the time difference between the server and client by more then 1000 sec."
+ else
+ logtext "Result: test skipped because ${FILE} not found"
+ fi
+ fi
+#
+#################################################################################
+#
+
+wait_for_keypress
+
+#
+#################################################################################
+#
+ report "ntp_config_found=${NTP_CONFIG_FOUND}"
+ report "ntp_config_type_daemon=${NTP_CONFIG_TYPE_DAEMON}"
+ report "ntp_config_type_eventbased=${NTP_CONFIG_TYPE_EVENTBASED}"
+ report "ntp_config_type_scheduled=${NTP_CONFIG_TYPE_SCHEDULED}"
+ report "ntp_config_type_startup=${NTP_CONFIG_TYPE_STARTUP}"
+ report "ntp_daemon=${NTP_DAEMON}"
+ report "ntp_daemon_running=${NTP_DAEMON_RUNNING}"
+
+
+ # OS Time daemons Configuration file
+ # --------------------------------------------
+ # AIX xntpd /etc/ntp.conf
+ # HP
+ # Linux ntpd /etc/ntp.conf
+ # OpenBSD ntpd /etc/ntpd.conf
+ # Solaris xntpd /etc/inet/ntp.conf
+
+#
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
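Review bot: The empty-file check in TIME-3160, `if [ -z ${FILE} ]; then`, tests whether the variable FILE is an empty string, which can never be true right after `FILE="/etc/ntp/step-tickers"`, so the "EMPTY FILE" branch is unreachable and an empty step-tickers file is reported as OK. It should test the file's size instead: `if [ ! -s "${FILE}" ]; then`. Separately, NTP_CONFIG_FOUND is initialised to 0 near the top of the file and never assigned by any test, yet it is emitted at the end via `report "ntp_config_found=${NTP_CONFIG_FOUND}"`, so the report always carries 0 — set it where FOUND is set in TIME-3104 (or derive it from FOUND after that test), or drop the report line. The cron-directory scan in TIME-3104 also builds its file list from `ls ${I} | grep -v FIFO` and word-splits the result, so a file name containing whitespace yields bogus paths; a glob such as `for J in "${I}"/*; do` with the FIFO exclusion moved into the loop avoids that.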
diff --git a/include/tests_tooling b/include/tests_tooling
new file mode 100644
index 00000000..70701f9a
--- /dev/null
+++ b/include/tests_tooling
@@ -0,0 +1,78 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+ AUTOMATION_TOOL_FOUND=0
+ BACKUP_AGENT_FOUND=0
+#
+#################################################################################
+#
+ InsertSection "Software: System tooling"
+
+PUPPET_MASTER_RUNNING=0
+
+#
+#################################################################################
+#
+# Automation
+#
+#################################################################################
+#
+ # Test : TOOL-5002
+ # Description : Check if automation tools are found
+ Register --test-no TOOL-5002 --weight L --network NO --description "Checking for automation tools"
+ if [ ${SKIPTEST} -eq 0 ]; then
+
+ Display --indent 2 --text "- Checking automation tooling..."
+
+ # Cfengine
+ if [ ! "${CFAGENTBINARY}" = "" ]; then
+ logtext "Result: Cfengine (cfagent) is installed (${CFAGENTBINARY})"
+ AUTOMATION_TOOL_FOUND=1
+ Display --indent 4 --text "Found: Cfengine (cfagent)" --result FOUND --color GREEN
+ fi
+
+ # Puppet
+ if [ ! "${PUPPETBINARY}" = "" ]; then
+ logtext "Result: Puppet is installed (${PUPPETBINARY})"
+ AUTOMATION_TOOL_FOUND=1
+ Display --indent 4 --text "Found: Puppet (agent)" --result FOUND --color GREEN
+ fi
+ IsRunning "puppet master"
+ if [ ${RUNNING} -eq 1 ]; then
+ logtext "Result: found puppet master"
+ PUPPET_MASTER_RUNNING=1
+ Display --indent 4 --text "Found: Puppet (master)" --result FOUND --color GREEN
+ fi
+
+ if [ ${AUTOMATION_TOOL_FOUND} -eq 1 ]; then
+ Display --indent 2 --text "- Automation tooling" --result FOUND --color GREEN
+ else
+ Display --indent 2 --text "- Automation tooling" --result "NOT FOUND" --color YELLOW
+ ReportSuggestion ${TEST_NO} "Determine if automation tools are present for system management"
+ fi
+ fi
+#
+#################################################################################
+#
+# Backup tools
+#
+#################################################################################
+#
+ wait_for_keypress
+
+#
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
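Review bot: PUPPET_MASTER_RUNNING and BACKUP_AGENT_FOUND never reach the report: PUPPET_MASTER_RUNNING is set to 1 when `IsRunning "puppet master"` succeeds but nothing reads or reports it afterwards, and BACKUP_AGENT_FOUND is initialised at the top while the "Backup tools" section below contains no test at all. Either emit them before wait_for_keypress (e.g., constructed keys such as `report "automation_tool_found=${AUTOMATION_TOOL_FOUND}"` and `report "puppet_master_running=${PUPPET_MASTER_RUNNING}"`), or remove the unused variable until the backup test exists. As a point of style, `PUPPET_MASTER_RUNNING=0` sits unindented after InsertSection while the other initialisations are grouped and indented at the top of the file; moving it next to AUTOMATION_TOOL_FOUND would match the rest of the import. Whether IsRunning handles a two-word argument like "puppet master" as intended depends on its implementation, which is outside this hunk, and is worth confirming.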
diff --git a/include/tests_virtualization b/include/tests_virtualization
new file mode 100644
index 00000000..4afd6d03
--- /dev/null
+++ b/include/tests_virtualization
@@ -0,0 +1,97 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# Virtualization
+#
+#################################################################################
+#
+ InsertSection "Virtualization"
+#
+#################################################################################
+#
+ # Test : VIRT-1902
+ # Description : Query running Solaris zones
+ if [ -x /usr/sbin/zoneadm ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no VIRT-1902 --os Solaris --weight L --network NO --description "Query running Solaris zones"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: query zoneadm to list all running zones"
+ FIND=`/usr/sbin/zoneadm list -p | awk -F: '{ if ($2!="global") print $0 }'`
+ if [ ! "${FIND}" = "" ]; then
+ N=0
+ for I in ${FIND}; do
+ N=`expr ${N} + 1`
+ ZONEID=`echo ${I} | cut -d ':' -f1`
+ ZONENAME=`echo ${I} | cut -d ':' -f2`
+ logtext "Result: found zone ${ZONENAME} (running)"
+ report "solaris_running_zone[]=${ZONENAME} [id:${ZONEID}]"
+ done
+ logtext "Result: total of ${N} running zones"
+ Display --indent 2 --text "- Checking Solaris Zones..." --result "FOUND ${N} zones" --color GREEN
+ else
+ logtext "Result: no running zones found"
+ Display --indent 2 --text "- Checking Solaris Zones..." --result NONE --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : VIRT-1906
+ # Description : Query running Xen zones
+ #if [ -x /usr/bin/xm ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ #Register --test-no VIRT-1906 --weight L --network NO --description "Query Xen guests"
+ #if [ ${SKIPTEST} -eq 0 ]; then
+ # Show Xen guests
+ #FIND=`xm list | awk '$1 != "Name|Domain-0" {print $1","$2}'`
+ #for I in ${FIND}; do
+ #XENGUESTNAME=`echo ${I} | cut -d ':' -f1`
+ #XENGUESTID=`echo ${I} | cut -d ':' -f2`
+ #logtext "Result: found Xen guest ${XENGUESTNAME} (ID: ${XENGUESTID})"
+ #done
+ #fi
+#
+#################################################################################
+#
+
+# # Test : VIRT-1920
+# # Description : Checking VMware
+# Register --test-no VIRT-1920 --weight L --network NO --description "Checking VMware guest status"
+# if [ ${SKIPTEST} -eq 0 ]; then
+# # Initialise
+# VMWARE_GUEST=0
+# Display --indent 2 --text "- Checking VMware guest status..."
+# #YYY check memory driver file
+# #YYY check LKM list
+# #YYY check vmware tools
+# logtext "Test: checking VMware tools daemon presence"
+# if [ ! "${VMWARETOOLSBINARY}" = "" ]; then
+# logtext "Result: VMware tools binary found"
+# VMWARE_GUEST=1
+# Display --indent 4 --text "- Checking VMware tools daemon" --result FOUND --color GREEN
+# else
+# Display --indent 4 --text "- Checking VMware tools daemon" --result "NOT FOUND" --color WHITE
+# fi
+#
+# fi
+#
+#################################################################################
+#
+
+
+wait_for_keypress
+
+#
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands
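Review bot: VIRT-1902 computes PREQS_MET from `-x /usr/sbin/zoneadm` but the Register call on the next line never passes it, so the prerequisite is silently discarded and the backticked `/usr/sbin/zoneadm list -p` runs even when the binary is missing (the `--os Solaris` restriction narrows this but does not remove it). The Register line should read `Register --test-no VIRT-1902 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Query running Solaris zones"`, matching the other tests in this import. The `for I in ${FIND}` loop also word-splits the colon-separated records on whitespace, so if any field (such as a zone path) contains a space the record is broken into several bogus entries and the zone count N is inflated; reading the output line by line with `while read` avoids that.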
diff --git a/include/tests_webservers b/include/tests_webservers
new file mode 100644
index 00000000..8ec5ca24
--- /dev/null
+++ b/include/tests_webservers
@@ -0,0 +1,695 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# Software: webserver
+#
+#################################################################################
+#
+ InsertSection "Software: webserver"
+#
+#################################################################################
+#
+ # Reset Apache status
+ APACHE_INSTALLED=0
+ APACHE_MODULES_ENABLED_LOCS="/etc/apache2/mods-enabled"
+ APACHE_MODULES_LOCS="/etc/httpd/modules /opt/local/apache2/modules /usr/lib/apache2/modules /usr/lib/httpd/modules /usr/local/libexec/apache /usr/local/libexec/apache22 /usr/lib64/apache2/modules /usr/lib64/httpd/modules"
+ NGINX_RUNNING=0
+ NGINX_CONF_LOCS="/etc/nginx /usr/local/etc/nginx /usr/local/nginx/conf"
+ NGINX_CONF_LOCATION=""
+#
+#################################################################################
+#
+ sTEST_APACHE_TARGETS="/etc/apache /etc/apache2 /etc/httpd /usr/local/apache /usr/local/apache2 \
+ /usr/local/etc/apache /usr/local/etc/apache2 /usr/local/etc/apache22 \
+ /usr/pkg/etc/httpd /etc/sysconfig/apache2"
+
+ if [ "${OS}" = "AIX" ]; then
+ RANDOMSTRING1=`echo lynis-$(od -N4 -tu /dev/random | awk 'NR==1 {print $2} {}')`; RANDOMSTRING2=`echo lynis2-$(od -N4 -tu /dev/random | awk 'NR==1 {print $2} {}')`
+ TMPFILE="/tmp/${RANDOMSTRING1}"; TMPFILE2="/tmp/${RANDOMSTRING2}"
+ echo "" > ${TMPFILE}; echo "" > ${TMPFILE2}
+ else
+ TMPFILE=`mktemp /tmp/lynis.XXXXXXXXXX` || exit 1
+ TMPFILE2=`mktemp /tmp/lynis2.XXXXXXXXXX` || exit 1
+ fi
+#
+#################################################################################
+#
+ # Test : HTTP-6622
+ # Description : Test for Apache installation
+ # Notes : Do not run on NetBSD, -v is unknown option for httpd binary
+ if [ ! "${OS}" = "NetBSD" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no HTTP-6622 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking Apache presence"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ if [ "${HTTPDBINARY}" = "" ]; then
+ Display --indent 2 --text "- Checking Apache" --result "NOT FOUND" --color WHITE
+ else
+ logtext "Test: Scanning for Apache binary..."
+ IS_APACHE=`${HTTPDBINARY} -v | egrep '[aA]pache'`
+ if [ "${IS_APACHE}" = "" ]; then
+ logtext "Result: ${HTTPDBINARY} is not Apache"
+ Display --indent 2 --text "- Checking Apache (binary ${HTTPDBINARY})" --result "NO MATCH" --color WHITE
+ else
+ Display --indent 2 --text "- Checking Apache (binary ${HTTPDBINARY})" --result "FOUND" --color GREEN
+ logtext "Result: ${HTTPDBINARY} seems to be Apache HTTP daemon"
+ APACHE_INSTALLED=1
+ fi
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : HTTP-6624
+ # Description : Testing main Apache configuration file
+ # Notes : Do not run on NetBSD, -V is unknown option for httpd binary
+ if [ ${APACHE_INSTALLED} -eq 1 ]; then
+ if [ ! "${OS}" = "NetBSD" ]; then
+ PREQS_MET="YES"
+ else
+ PREQS_MET="NO"
+ fi
+ else
+ PREQS_MET="NO"
+ fi
+ Register --test-no HTTP-6624 --preqs-met ${PREQS_MET} --weight L --network NO --description "Testing main Apache configuration file"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ APACHE_CONFIGFILE=""
+ APACHE_TEST=`${HTTPDBINARY} -V | grep "\-D SERVER_CONFIG_FILE=" | sed 's/[ ]-D SERVER_CONFIG_FILE=//' | tr -d '"' | tr -d ' '`
+
+ if [ "${APACHE_TEST}" = "" ]; then
+ Display --indent 6 --text "Result: Can't find the configuration file, so skipping some Apache related tests"
+ else
+ # We found a possible match. Checking if it's valid filename. If not, we need to add a prefix
+ if [ -f ${APACHE_TEST} ]; then
+ APACHE_CONFIGFILE="${APACHE_TEST}"
+ Display --indent 6 --text "Info: Configuration file found (${APACHE_CONFIGFILE})"
+ else
+ # Probably the prefix is missing, so we are going to search that
+ APACHE_HTTPDROOT=`${HTTPDBINARY} -V | grep "\-D HTTPD_ROOT=" | sed 's/[ ]-D HTTPD_ROOT=//' | tr -d '"' | tr -d ' '`
+ #echo "Apache root prefix: ${APACHE_HTTPDROOT}"
+ #echo "Complete path to configuration file: ${APACHE_HTTPDROOT}/${APACHE_TEST}"
+ APACHE_TESTFILE="${APACHE_HTTPDROOT}/${APACHE_TEST}"
+ if [ -f ${APACHE_TESTFILE} ]; then
+ APACHE_CONFIGFILE="${APACHE_TESTFILE}"
+ Display --indent 6 --text "Info: Configuration file found (${APACHE_CONFIGFILE})"
+ logtext "Result: Configuration file found (${APACHE_CONFIGFILE})"
+ else
+ logtext "Exception: File or directory ${APACHE_CONFIGFILE} does not exist"
+ Display --indent 6 --text "[Notice] possible directory/file parts found, but still unsure what the real configuration file is. Skipping some Apache related tests"
+ ReportException "${TEST_NO}:1" "Found some unknown directory or file references in Apache configuration"
+ fi
+ fi
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : HTTP-6626
+ # Description : Testing other Apache configuration files
+ if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no HTTP-6626 --preqs-met ${PREQS_MET} --weight L --network NO --description "Testing other Apache configuration file"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ #Display --indent 4 --text "- Searching Apache virtual hosts..."
+ for I in ${sTEST_APACHE_TARGETS}; do
+ if [ -d ${I} ]; then
+ find ${I} -name "*.conf" -print >> ${TMPFILE2}
+ fi
+ done
+
+ # Sort unsorted list, save it in temp file and then remove unsorted list
+ if [ -f ${TMPFILE2} ]; then
+ sort ${TMPFILE2} | uniq >> ${TMPFILE}
+ rm -f ${TMPFILE2}
+ fi
+ cVHOSTS=0; tVHOSTS=""
+
+ # Check every configuration file
+ for I in `cat ${TMPFILE}`; do
+ logtext "Apache config file: ${I}"
+
+ # Search Virtual Hosts
+ for J in `cat ${I} | grep "ServerName" | grep -v "^#" | awk '{ if ($1=="ServerName") print $2 }'`; do
+ if [ ! -z ${J} ]; then
+ tVHOSTS="${tVHOSTS} ${J}"
+ cVHOSTS=`expr ${cVHOSTS} + 1`
+ fi
+ done
+ # Search Server aliases
+ for J in `cat ${I} | grep "ServerAlias" | grep -v "^#" | sed "s/.* ServerAlias//g" | sed "s/#.*//g"`; do
+ if [ ! -z ${J} ]; then
+ tVHOSTS="${tVHOSTS} ${J}"
+ cVHOSTS=`expr ${cVHOSTS} + 1`
+ fi
+ done
+ done
+
+ # Log all virtual hosts we found
+ for J in ${tVHOSTS}; do
+ if [ ! -z ${J} ]; then
+ logtext "Virtual host: ${J}"
+ report "apache_vhost_name[]=${J}"
+ fi
+ done
+
+ # Show number of vhosts if we found any
+ logtext "Result: found ${cVHOSTS} virtual hosts"
+ if [ ${cVHOSTS} -gt 0 ]; then
+ Display --indent 6 --text "Info: Found ${cVHOSTS} virtual hosts"
+ else
+ Display --indent 6 --text "Info: No virtual hosts found"
+ fi
+ fi
+
+ # Remove temp files
+ if [ -f ${TMPFILE} -a ! "${TMPFILE}" = "" ]; then
+ rm -f ${TMPFILE}
+ fi
+ if [ ! "${TMPFILE2}" = "" ]; then if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi; fi
+#
+#################################################################################
+#
+ # Test : HTTP-6628
+ # Description : Testing other Apache configuration files
+ #if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ #Register --test-no HTTP-6628 --preqs-met ${PREQS_MET} --weight L --network NO --description "Testing other Apache configuration file"
+ #if [ ${SKIPTEST} -eq 0 ]; then
+# # Configuration specific tests
+# SERVERTOKENSFOUND=0
+# APACHE_CONFIGFILES="${APACHE_CONFIGFILE} /usr/local/etc/apache22/extra/httpd-default.conf /etc/apache2/sysconfig.d/global.conf"
+#
+# for APACHE_CONFIGFILE in ${APACHE_CONFIGFILES}; do
+# if [ -f ${APACHE_CONFIGFILE} ]; then
+# # Check if option ServerTokens is configured
+# SERVERTOKENSTEST=`cat ${APACHE_CONFIGFILE} | grep ServerTokens | grep -v '^#'`
+# if [ ! "${SERVERTOKENSTEST}" = "" ]; then
+# Display --indent 4 --text "- Checking option ServerTokens..." --result FOUND --color WHITE
+# SERVERTOKENSTEST=`echo ${SERVERTOKENSTEST} | sed 's/ServerTokens//' | tr -d ' '`
+# logtext "Option ServerTokens found: ${SERVERTOKENSTEST}"
+# SERVERTOKENSEXPECTED=`cat ${PROFILE} | grep 'apache' | grep 'ServerTokens' | cut -d ':' -f3`
+# if [ "${SERVERTOKENSEXPECTED}" = "${SERVERTOKENSTEST}" ]; then
+# logtext "Result: Value from configuration file yielded the same output as in template"
+# SERVERTOKENSFOUND=1
+# else
+# logtext "Warning: Value of ServerTokens within active configuration is different than from used template."
+# logtext "Found: ${SERVERTOKENSTEST}"
+# logtext "Expected: ${SERVERTOKENSEXPECTED}"
+# fi
+# else
+# Display --indent 4 --text "- Checking option ServerTokens..." --result "NOT FOUND" --color WHITE
+# fi
+#
+# else
+# # File does not exist, skipping
+# logtext "File ${APACHE_CONFIGFILE} does not exist, so skipping tests on this file"
+# fi
+# done
+#
+# # Display results from checks
+# if [ ${SERVERTOKENSFOUND} -eq 1 ]; then
+# Display --indent 6 --text "- Value of ServerTokens..." --result OK --color GREEN
+# else
+# Display --indent 6 --text "- Value of ServerTokens..." --result WARNING --color RED
+# ReportWarning ${TEST_NO} "M" "Value of 'ServerTokens' in Apache config is different than template"
+# fi
+# fi
+# fi
+# fi
+
+#
+#################################################################################
+#
+ # Test : HTTP-6630
+ # Description : Search for all loaded modules
+ #if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ #Register --test-no HTTP-6630 --preqs-met ${PREQS_MET} --weight L --network NO --description "Determining all loaded Apache modules"
+ #if [ ${SKIPTEST} -eq 0 ]; then
+ # Testing Debian style
+ #logtext "Test: searching loaded/enabled Apache modules"
+ #apachectl -t -D DUMP_MODULES 2>&1 | egrep -v "(Loaded Modules|Syntax OK)" | sed 's/(\(shared\|static\))//' | sed 's/ //'
+ #for I in ${APACHE_MODULES_ENABLED_LOCS}; do
+ #logtext "Test: checking ${I}"
+ #if [ -d ${I} ]; then
+ #FIND=`grep -r LoadModule ${I}/* | grep -v "^#" | awk '{ print $2":"$3 }'`
+ #else
+ #logtext "Result: ${I} does not exist"
+ #fi
+ #done
+ #fi
+#
+#################################################################################
+#
+ # Test : HTTP-6632
+ # Description : Search for available Apache modules
+ if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no HTTP-6632 --preqs-met ${PREQS_MET} --weight L --network NO --description "Determining all available Apache modules"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: searching available Apache modules"
+ N=0
+ for I in ${APACHE_MODULES_LOCS}; do
+ DirectoryExists ${I}
+ if [ ${DIRECTORY_FOUND} -eq 1 ]; then
+ FIND=`find ${I} -name mod_* -print | sort`
+ for J in ${FIND}; do
+ report "apache_module[]=${J}"
+ logtext "Result: found Apache module ${J}"
+ N=`expr ${N} + 1`
+ done
+ fi
+ done
+ if [ ${N} -eq 0 ]; then
+ Display --indent 4 --text "* Loadable modules" --result "NONE" --color WHITE
+ ReportException "${TEST_NO}:1" "No loadable Apache modules found"
+ else
+ Display --indent 4 --text "* Loadable modules" --result "FOUND" --color GREEN
+ Display --indent 8 --text "- Found ${N} loadable modules"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : HTTP-6640
+ # Description : Search for special Apache modules: evasive
+ if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no HTTP-6640 --preqs-met ${PREQS_MET} --weight L --network NO --description "Determining existence of specific Apache modules"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ # Check modules, module
+ CheckItem "apache_module" "/mod_evasive20.so"
+ if [ ${ITEM_FOUND} -eq 1 ]; then
+ Display --indent 10 --text "mod_evasive: anti-DoS/brute force" --result FOUND --color GREEN
+ AddHP 3 3
+ else
+ Display --indent 10 --text "mod_evasive: anti-DoS/brute force" --result "NOT FOUND" --color WHITE
+ AddHP 2 3
+ ReportSuggestion ${TEST_NO} "Install Apache mod_evasive to guard webserver against DoS/brute force attempts"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : HTTP-6641
+ # Description : Search for special Apache modules: Quality of Service
+ if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no HTTP-6641 --preqs-met ${PREQS_MET} --weight L --network NO --description "Determining existence of specific Apache modules"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ # Check modules, module
+ CheckItem "apache_module" "/mod_qos.so"
+ if [ ${ITEM_FOUND} -eq 1 ]; then
+ Display --indent 10 --text "mod_qos: anti-Slowloris" --result FOUND --color GREEN
+ AddHP 3 3
+ else
+ Display --indent 10 --text "mod_qos: anti-Slowloris" --result "NOT FOUND" --color WHITE
+ AddHP 2 3
+ ReportSuggestion ${TEST_NO} "Install Apache mod_qos to guard webserver against Slowloris attacks"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : HTTP-6642
+ # Description : Search for special Apache modules: Spamhaus
+ if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no HTTP-6642 --preqs-met ${PREQS_MET} --weight L --network NO --description "Determining existence of specific Apache modules"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ # Check modules, module
+ CheckItem "apache_module" "/mod_spamhaus.so"
+ if [ ${ITEM_FOUND} -eq 1 ]; then
+ Display --indent 10 --text "mod_spamhaus: anti-spam (spamhaus)" --result FOUND --color GREEN
+ AddHP 3 3
+ else
+ Display --indent 10 --text "mod_spamhaus: anti-spam (spamhaus)" --result "NOT FOUND" --color WHITE
+ AddHP 2 3
+ ReportSuggestion ${TEST_NO} "Install Apache mod_spamhaus to guard webserver against spammers"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : HTTP-6643
+ # Description : Search for special Apache modules: security
+ if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no HTTP-6643 --preqs-met ${PREQS_MET} --weight L --network NO --description "Determining existence of specific Apache modules"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ # Check modules, module
+ CheckItem "apache_module" "/mod_security2.so"
+ if [ ${ITEM_FOUND} -eq 1 ]; then
+ Display --indent 10 --text "ModSecurity: web application firewall" --result FOUND --color GREEN
+ AddHP 3 3
+ else
+ Display --indent 10 --text "ModSecurity: web application firewall" --result "NOT FOUND" --color WHITE
+ AddHP 2 3
+ ReportSuggestion ${TEST_NO} "Install Apache modsecurity to guard webserver against web application attacks"
+ fi
+ # Extend test with nginx?
+ fi
+#
+#################################################################################
+#
+ # Test : HTTP-6660
+ # Description : Search for "TraceEnable off" in configuration files
+#
+#################################################################################
+#
+ # Test : HTTP-6702
+ # Description : Search for nginx process
+ Register --test-no HTTP-6702 --weight L --network NO --description "Check nginx process"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: searching running nginx process"
+ FIND=`${PSBINARY} ax | grep "/nginx" | grep "master" | grep -v "grep"`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: found running nginx process(es)"
+ Display --indent 2 --text "- Checking nginx" --result FOUND --color GREEN
+ NGINX_RUNNING=1
+ else
+ logtext "Result: no running nginx process found"
+ Display --indent 2 --text "- Checking nginx" --result "NOT FOUND" --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : HTTP-6704
+ # Description : Search for nginx configuration file
+ if [ ${NGINX_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no HTTP-6704 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nginx configuration file"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: searching nginx configuration file"
+ #YYY warning if multiple nginx.conf files are found
+ for I in ${NGINX_CONF_LOCS}; do
+ if [ -f ${I}/nginx.conf ]; then
+ NGINX_CONF_LOCATION="${I}/nginx.conf"
+ logtext "Found file ${NGINX_CONF_LOCATION}"
+ fi
+ done
+ #YYY strings /usr/sbin/nginx | grep "conf$"
+ if [ ! "${NGINX_CONF_LOCATION}" = "" ]; then
+ logtext "Result: found nginx configuration file"
+ report "nginx_main_conf_file=${NGINX_CONF_LOCATION}"
+ Display --indent 4 --text "- Searching nginx configuration file" --result FOUND --color GREEN
+ #FIND=`cat ${NGINX_CONF_LOCATION} | sed -e 's/^[ \t]*//' | grep -v "^#" | grep -v "^$" | sed 's/[\t]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE2}`
+ else
+ logtext "Result: no nginx configuration file found"
+ Display --indent 2 --text "- Searching nginx configuration file" --result "NOT FOUND" --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : HTTP-6706
+ # Description : Search for includes within nginx configuration file
+ # Notes : Daemon nginx should be running, nginx.conf should be found
+ if [ ${NGINX_RUNNING} -eq 1 -a "${NGINX_CONF_LOCATION}" != "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no HTTP-6706 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for additional nginx configuration files"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ # Remove temp file
+ if [ ! "${TMPFILE}" = "" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi
+ N=0
+ # Search for included configuration files (may include directories and wild cards)
+ FIND=`grep "include" ${NGINX_CONF_LOCATION} | ${AWKBINARY} '{ if ($1=="include") { print $2 }}' | sed 's/;$//g'`
+ for I in ${FIND}; do
+ FIND2=`${LSBINARY} ${I} 2>/dev/null`
+ for J in ${FIND2}; do
+ # Double check if we are dealing with a file
+ if [ -f ${J} ]; then
+ N=`expr ${N} + 1`
+ logtext "Result: found Nginx configuration file ${J}"
+ report "nginx_sub_conf_file=${J}"
+ FIND3=`cat ${J} | sed -e 's/^[ \t]*//' | grep -v "^#" | grep -v "^$" | sed 's/[\t]/ /g' | sed 's/ / /g' | sed 's/ / /g' >> ${TMPFILE2}`
+ fi
+ done
+ done
+
+ # Sort all discovered configuration lines and store unique ones. Also strip out the mime types configured in nginx
+ SORTFILE=`cat ${TMPFILE2} | sort | uniq | sed 's/ /:space:/g' | egrep -v "(application|audio|image|text|video)/" | egrep -v "({|})"`
+ for I in ${SORTFILE}; do
+ I=`echo ${I} | sed 's/:space:/ /g'`
+ report "nginx_config_option=${I}";
+ done
+
+ # Remove unsorted file for next tests
+ if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi
+
+ if [ ${N} -eq 0 ]; then
+ logtext "Result: no nginx include statements found"
+ else
+ Display --indent 6 --text "- Found nginx includes" --result "${N} FOUND" --color GREEN
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : HTTP-6708
+ # Description : Check discovered nginx configuration settings for further hardering
+ # Notes : Daemon of nginx should be running, nginx.conf should be found
+ if [ ${NGINX_RUNNING} -eq 1 -a "${NGINX_CONF_LOCATION}" != "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no HTTP-6708 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check discovered nginx configuration settings"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: start parsing all discovered nginx options"
+ Display --indent 4 --text "- Parsing configuration options..."
+ ParseNginx
+ fi
+#
+#################################################################################
+#
+ # Test : HTTP-6710
+ # Description : Check SSL configuration of nginx
+ # Notes : Daemon of nginx should be running, nginx.conf should be found
+ if [ ${NGINX_RUNNING} -eq 1 -a "${NGINX_CONF_LOCATION}" != "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no HTTP-6710 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nginx SSL configuration settings"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ NGINX_SSL_SUGGESTION=0
+ if [ ${NGINX_SSL_ON} -eq 1 ]; then
+ logtext "Result: SSL is configured in nginx on one or more virtual hosts"
+ Display --indent 6 --text "- SSL configured" --result "YES" --color GREEN
+ AddHP 5 5
+ # Cipher tests
+ if [ ${NGINX_SSL_CIPHERS} -eq 1 ]; then
+ Display --indent 8 --text "- Ciphers configured" --result "YES" --color GREEN
+ else
+ Display --indent 8 --text "- Ciphers configured" --result "NO" --color RED
+ NGINX_SSL_SUGGESTION=1
+ fi
+
+ if [ ${NGINX_SSL_PREFER_SERVER_CIPHERS} -eq 1 ]; then
+ Display --indent 8 --text "- Prefer server ciphers" --result "YES" --color GREEN
+ else
+ Display --indent 8 --text "- Prefer server ciphers" --result "NO" --color RED
+ NGINX_SSL_SUGGESTION=1
+ fi
+
+ if [ ${NGINX_SSL_PROTOCOLS} -eq 1 ]; then
+ Display --indent 8 --text "- Protocols configured" --result "YES" --color GREEN
+ else
+ Display --indent 8 --text "- Protocols configured" --result "NO" --color RED
+ NGINX_SSL_SUGGESTION=1
+ fi
+
+ else
+ logtext "Result: No SSL configuration found"
+ Display --indent 6 --text "- SSL configured" --result "NO" --color RED
+ NGINX_SSL_SUGGESTION=1
+ AddHP 1 5
+ fi
+ if [ ${NGINX_SSL_SUGGESTION} -eq 1 ]; then
+ logtext "Result: one or more parts of the nginx configuration could be enhanced regarding SSL"
+ ReportSuggestion ${TEST_NO} "Configure SSL in nginx for protection of sensitive data and privacy"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : HTTP-6712
+ # Description : Check logging configuration of nginx
+ # Notes : Daemon of nginx should be running, nginx.conf should be found
+ if [ ${NGINX_RUNNING} -eq 1 -a "${NGINX_CONF_LOCATION}" != "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no HTTP-6712 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nginx access logging"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ NGINX_LOG_SUGGESTION=0
+ Display --indent 6 --text "- Checking log file configuration..."
+
+ # Check for missing access log
+ if [ ${NGINX_ACCESS_LOG_MISSING} -eq 1 ]; then
+ NGINX_LOG_SUGGESTION=1
+ Display --indent 8 --text "- Missing log files (access_log)" --result "YES" --color RED
+ else
+ Display --indent 8 --text "- Missing log files (access_log)" --result "NO" --color GREEN
+ fi
+ # Access log disabled
+ if [ ${NGINX_ACCESS_LOG_DISABLED} -eq 1 ]; then
+ NGINX_LOG_SUGGESTION=1
+ logtext "Result: found one or more virtual hosts which have their access log disabled"
+ Display --indent 8 --text "- Disabled access logging" --result "YES" --color RED
+ AddHP 2 3
+ else
+ logtext "Result: no virtual hosts found which have their access log disabled"
+ Display --indent 8 --text "- Disabled access logging" --result "NO" --color GREEN
+ AddHP 3 3
+ fi
+ # Report suggestion
+ if [ ${NGINX_LOG_SUGGESTION} -eq 1 ]; then
+ ReportSuggestion ${TEST_NO} "Check your nginx access log for proper functioning"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : HTTP-6714
+ # Description : Check missing error logs in nginx
+ if [ ${NGINX_RUNNING} -eq 1 -a "${NGINX_CONF_LOCATION}" != "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no HTTP-6714 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for missing error logs in nginx"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ NGINX_LOG_SUGGESTION=0
+ # Check for missing access log
+ if [ ${NGINX_ERROR_LOG_MISSING} -eq 1 ]; then
+ NGINX_LOG_SUGGESTION=1
+ Display --indent 8 --text "- Missing log files (error_log)" --result "YES" --color RED
+ else
+ Display --indent 8 --text "- Missing log files (error_log)" --result "NO" --color GREEN
+ fi
+ # Report suggestion
+ if [ ${NGINX_LOG_SUGGESTION} -eq 1 ]; then
+ ReportSuggestion ${TEST_NO} "Check your nginx error_log statements"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : HTTP-6716
+ # Description : Check debug mode on error log in nginx
+ if [ ${NGINX_RUNNING} -eq 1 -a "${NGINX_CONF_LOCATION}" != "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no HTTP-6716 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for debug mode on error log in nginx"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ NGINX_LOG_SUGGESTION=0
+ # Access log in debug mode
+ if [ ${NGINX_ERROR_LOG_DEBUG} -eq 1 ]; then
+ NGINX_LOG_SUGGESTION=1
+ logtext "Result: found one or more virtual hosts which have their error log in debug mode"
+ Display --indent 8 --text "- Debugging mode on error_log" --result "YES" --color RED
+ AddHP 2 3
+ else
+ logtext "Result: no virtual hosts found which have their access log disabled"
+ Display --indent 8 --text "- Debugging mode on error_log" --result "NO" --color GREEN
+ AddHP 3 3
+ fi
+ # Report suggestion
+ if [ ${NGINX_LOG_SUGGESTION} -eq 1 ]; then
+ ReportSuggestion ${TEST_NO} "Check your nginx error_log statements"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : HTTP-6712
+ # Description : Check if nginx is running as a reverse proxy
+ # Notes : aliases are not counted yet (YYY)
+# if [ ${NGINX_RUNNING} -eq 1 -a ! "${NGINX_CONF_LOCATION}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+# Register --test-no HTTP-6708 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nginx virtual hosts"
+# if [ ${SKIPTEST} -eq 0 ]; then
+# N=0
+# logtext "Test: searching proxy_pass statement in configuration file ${NGINX_CONF_LOCATION}"
+# FIND=`grep "proxy_pass" ${NGINX_CONF_LOCATION} | grep -v "#" | sed 's/proxy_pass//g' | tr -d ';'`
+# for I in ${FIND}; do
+# logtext "Found reverse proxy configuration for: ${I}"
+# N=`expr ${N} + 1`
+# done
+# if [ ${N} -eq 0 ]; then
+# logtext "Result: no reverse proxying functionality found"
+# Display --indent 4 --text "- Searching reverse proxy functionality..." --result "NOT FOUND" --color WHITE
+# else
+# logtext "Result: found ${N} addresses for which nginx will be a reverse proxy"
+# Display --indent 4 --text "- Searching reverse proxy functionality..." --result "${N} FOUND" --color GREEN
+# fi
+# fi
+#
+#################################################################################
+#
+ # Test : HTTP-6712
+ # Description : Search for nginx virtual hosts
+ # Notes : Test if not aware yet of included configuration files
+# if [ ${NGINX_RUNNING} -eq 1 -a ! "${NGINX_CONF_LOCATION}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+# Register --test-no HTTP-6712 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check nginx virtual hosts"
+# if [ ${SKIPTEST} -eq 0 ]; then
+# N=0
+# logtext "Test: searching nginx virtual hosts"
+# FIND=`grep "server_name" ${NGINX_CONF_LOCATION} | grep -v "#" | sed 's/server_name//g' | tr -d ';'`
+# for I in ${FIND}; do
+# if [ "${I}" = "_" ]; then I="Default virtual host"; fi
+# logtext "Found virtual host: ${I}"
+# report "nginx_vhost_name[]=${I}"
+# N=`expr ${N} + 1`
+# done
+# if [ ${N} -eq 0 ]; then
+# logtext "Result: no virtual hosts found"
+# Display --indent 4 --text "- Searching virtual hosts..." --result "NOT FOUND" --color WHITE
+# else
+# logtext "Result: found ${N} virtual hosts"
+# Display --indent 4 --text "- Searching virtual hosts..." --result "${N} FOUND" --color GREEN
+# fi
+# fi
+#
+#################################################################################
+#
+ # Test : HTTP-6720
+ # Description : Search for Nginx log files
+ if [ ${NGINX_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no HTTP-6720 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Nginx log files"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking directories for files with log file definitions"
+ for I in ${NGINX_CONF_LOCS}; do
+ logtext "Test: Checking ${I}"
+ if [ -d ${I} ]; then
+ logtext "Result: Directory ${I} exists, so will be used as search path"
+ FIND=`find ${I} -exec grep access_log \{\} \; | grep -v "#" | awk '{ if($1=="access_log") { print $2 } }' | sed 's/;$//g' | sort | uniq`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: no log files found"
+ else
+ logtext "Result: found one or more log files"
+ for I in ${FIND}; do
+ if [ -f ${I} ]; then
+ logtext "Found log file: ${I}"
+ report "log_file=${I}"
+ else
+ logtext "Found non existing log file: ${I}"
+ fi
+ done
+ fi
+ else
+ logtext "Result: directory ${I} not found, skipping search in this directory."
+ fi
+ done
+ fi
+#
+#################################################################################
+#
+ # Test : HTTP-6740
+ # Description : Nginx: Check for server_tokens off in configuration files
+#
+#################################################################################
+#
+ # Scan for websites
+ #/etc/apache2/sites-available
+#
+#################################################################################
+#
+
+ # Remove temp file (double check)
+ if [ ! "${TMPFILE}" = "" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi
+ if [ ! "${TMPFILE2}" = "" ]; then if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi; fi
+
+
+wait_for_keypress
+
+#
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - cisofy.com - The Netherlands
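Review bot: The nginx include scan in HTTP-6706 writes to a temp-file name that has already been released: `TMPFILE2` comes from mktemp at the top of the file, is deleted by `rm -f ${TMPFILE2}` in HTTP-6626 (and again by the unconditional cleanup right after it), and is then recreated by name with `>> ${TMPFILE2}` in the include loop, so mktemp's exclusive-create guarantee no longer covers the file that `cat ${TMPFILE2} | sort | uniq` and the `nginx_config_option` report are fed from. Lynis runs as root, so a local user who saw the name in /tmp can create a file or symlink of that name in the gap; the root-owned `>>` then follows or appends to it, and whatever the attacker leaves there is reported as the live nginx configuration — a sticky-bit /tmp does not stop a freed name from being taken. Keep the file and only empty it until its last use, e.g. replace both `rm -f ${TMPFILE2}` lines in HTTP-6626 with `: > ${TMPFILE2}`; the AIX branch has the same weakness from the start, since `echo "" > ${TMPFILE}` is not an exclusive create and should use mktemp where available. Separately, the exception branch of HTTP-6624 logs `${APACHE_CONFIGFILE}`, which is still empty on that path, where `${APACHE_TESTFILE}` is the path that was actually tested.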