Welcome to mirror list, hosted at ThFree Co, Russian Federation.

github.com/CISOfy/lynis.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
path: root/include/tests_kernel
diff options
context:
space:
mode:
Diffstat (limited to 'include/tests_kernel')
-rw-r--r--include/tests_kernel458
1 files changed, 458 insertions, 0 deletions
diff --git a/include/tests_kernel b/include/tests_kernel
new file mode 100644
index 00000000..a0107973
--- /dev/null
+++ b/include/tests_kernel
@@ -0,0 +1,458 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
+# Web site: http://www.rootkit.nl
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# Kernel
+#
+#################################################################################
+#
+ InsertSection "Kernel"
+#
+#################################################################################
+#
+ CORE_DUMPS_DISABLED=0
+ CPU_PAE=0
+ CPU_NX=0
+#
+#################################################################################
+#
+ # Test : KRNL-5622
+ # Description : Check default run level on Linux machines
+ Register --test-no KRNL-5622 --os Linux --weight L --network NO --description "Determine Linux default run level"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ # Checking if we can find the systemd default target
+ logtext "Test: Checking for systemd default.target"
+ if [ -L /etc/systemd/system/default.target ]; then
+ logtext "Result: symlink found"
+ if [ ! "${READLINKBINARY}" = "" ]; then
+ FIND=`${READLINKBINARY} /etc/systemd/system/default.target`
+ if [ "${FIND}" = "" ]; then
+ logtext "Exception: can't find the target of the symlink of /etc/systemd/system/default.target"
+ ReportException "${TEST_NO}:01"
+ else
+ FIND2=`echo ${FIND} | egrep "runlevel5|graphical"`
+ if [ ! "${FIND2}" = "" ]; then
+ logtext "Result: Found match on runlevel5/graphical"
+ Display --indent 2 --text "- Checking default runlevel..." --result "runlevel 5" --color GREEN
+ report "linux_default_runlevel=5"
+ else
+ logtext "Result: No match found on runlevel, defaulting to runlevel 3"
+ Display --indent 2 --text "- Checking default runlevel..." --result "runlevel 3" --color GREEN
+ report "linux_default_runlevel=3"
+ fi
+ fi
+ else
+ logtext "Result: No readlink binary, can't determine where symlink is pointing to"
+ Display --indent 2 --text "- Checking default run level" --result UNKNOWN --color YELLOW
+ fi
+ else
+ logtext "Result: no systemd found, so trying inittab"
+ logtext "Test: Checking /etc/inittab"
+ if [ -f /etc/inittab ]; then
+ logtext "Result: file /etc/inittab found"
+ logtext "Test: Checking default Linux run level..."
+ FIND=`awk -F: '/^id/ { print $2; }' /etc/inittab | head -n 1`
+ if [ "${FIND}" = "" ]; then
+ Display --indent 2 --text "- Checking default runlevel" --result UNKNOWN --color YELLOW
+ logtext "Result: Can't determine default run level from /etc/inittab"
+ else
+ Display --indent 2 --text "- Checking default run level..." --result "${FIND}" --color GREEN
+ logtext "Found default run level '${FIND}'"
+ report "linux_default_runlevel=${FIND}"
+ fi
+ else
+ logtext "Result: file /etc/inittab not found"
+ if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then
+ logtext "Test: Checking run level with who -r, for Debian based systems"
+ FIND=`who -r | awk '{ if ($1=="run-level") { print $2 } }'`
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Result: Found default run level '${FIND}'"
+ report "linux_default_runlevel=${FIND}"
+ Display --indent 2 --text "- Checking default run level..." --result "RUNLEVEL ${FIND}" --color GREEN
+ else
+ logtext "Result: Can't determine default run level from who -r"
+ Display --indent 2 --text "- Checking default run level..." --result UNKNOWN --color YELLOW
+ fi
+ fi
+ fi
+ fi
+ fi
+#
+#################################################################################
+#
+
+ # Test : KRNL-5677
+ # Description : Check CPU options and support (PAE, No eXecute, eXecute Disable)
+ # More info : pae and nx bit are both visible on AMD and Intel CPU's if supported
+ Register --test-no KRNL-5677 --os Linux --weight L --network NO --description "Check CPU options and support"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ Display --indent 2 --text "- Checking CPU support (NX/PAE)"
+ logtext "Test: Checking /proc/cpuinfo..."
+ if [ -f /proc/cpuinfo ]; then
+ logtext "Result: found /proc/cpuinfo"
+ logtext "Test: Checking CPU options (XD/NX/PAE)..."
+ FIND_PAE_NX=`cat /proc/cpuinfo | grep " pae " | grep " nx "`
+ FIND_PAE=`cat /proc/cpuinfo | grep " pae "`
+ FIND_NX=`cat /proc/cpuinfo | grep " nx "`
+ FOUND=0
+ if [ ! "${FIND_PAE_NX}" = "" ]; then
+ logtext "PAE: Yes"
+ logtext "NX: Yes"
+ CPU_PAE=1
+ CPU_NX=1
+ logtext "Result: PAE or No eXecute option(s) both found"
+ report "cpu_pae=1"
+ report "cpu_nx=1"
+ FOUND=1
+ else
+ if [ ! "${FIND_PAE}" = "" -a "${FIND_NX}" = "" ]; then
+ report "cpu_pae=1"
+ logtext "Result: found PAE"
+ CPU_PAE=1
+ FOUND=1
+ else
+ if [ ! "${FIND_NX}" = "" -a "${FIND_PAE}" = "" ]; then
+ report "cpu_nx=1"
+ logtext "Result: found No eXecute"
+ CPU_NX=1
+ FOUND=1
+ else
+ logtext "Result: found no CPU options enabled (PAE or NX bit)"
+ fi
+ fi
+ fi
+ if [ ${FOUND} -eq 1 ]; then
+ Display --indent 4 --text "CPU support: PAE and/or NoeXecute supported" --result FOUND --color GREEN
+ else
+ Display --indent 4 --text "CPU support: No PAE or NoeXecute supported" --result NONE --color YELLOW
+ ReportSuggestion ${TEST_NO} "Use a PAE enabled kernel when possible to gain native No eXecute/eXecute Disable support"
+ fi
+ else
+ Display --indent 4 --text "CPU support: no /proc/cpuinfo" --result SKIPPED --color YELLOW
+ logtext "Result: /proc/cpuinfo not found"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : KRNL-5680
+ # Description : Check if installed kernel has PAE support
+ # Dependency : KRNL-5677
+ # More info : RedHat/CentOS/Fedora uses the package name 'kernel-PAE'
+#
+#################################################################################
+#
+ # Test : KRNL-5695
+ # Description : Determining Linux kernel version and release number
+ Register --test-no KRNL-5695 --os Linux --weight L --network NO --description "Determine Linux kernel version and release number"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ # Kernel number (and suffix)
+ LINUX_KERNEL_RELEASE=`uname -r`
+ report "linux_kernel_release=${LINUX_KERNEL_RELEASE}"
+ logtext "Result: found kernel release ${LINUX_KERNEL_RELEASE}"
+ # Type and build date
+ LINUX_KERNEL_VERSION=`uname -v`
+ report "linux_kernel_version=${LINUX_KERNEL_VERSION}"
+ logtext "Result: found kernel version ${LINUX_KERNEL_VERSION}"
+ Display --indent 2 --text "- Checking kernel version and release" --result DONE --color GREEN
+ fi
+#
+#################################################################################
+#
+ # Test : KRNL-5723
+ # Description : Check if Linux is build as a monolithic kernel or not
+ Register --test-no KRNL-5723 --os Linux --weight L --network NO --description "Determining if Linux kernel is monolithic"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ if [ ! "${LSMODBINARY}" = "" ]; then
+ logtext "Test: checking if kernel is monolithic or modular"
+ # Checking if any modules are loaded
+ FIND=`${LSMODBINARY} | grep -v "^Module" | wc -l | tr -s ' ' | tr -d ' '`
+ Display --indent 2 --text "- Checking kernel type" --result DONE --color GREEN
+ if [ "${FIND}" = "0" ]; then
+ logtext "Result: Found monolithic kernel"
+ report "linux_kernel_type=monolithic"
+ MONOLITHIC_KERNEL=1
+ else
+ logtext "Result: Found modular kernel"
+ report "linux_kernel_type=modular"
+ MONOLITHIC_KERNEL=0
+ fi
+ else
+ logtext "Test skipped, no lsmod binary found"
+ # Exception?
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : KRNL-5726
+ # Description : Checking Linux loaded kernel modules
+ Register --test-no KRNL-5726 --os Linux --weight L --network NO --description "Checking Linux loaded kernel modules"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ if [ ! "${LSMODBINARY}" = "" ]; then
+ FIND=`lsmod | awk '{ if ($1!="Module") print $1 }' | sort`
+ Display --indent 2 --text "- Checking loaded kernel modules" --result DONE --color GREEN
+ if [ ! "${FIND}" = "" ]; then
+ logtext "Loaded modules according lsmod:"
+ N=0
+ for I in ${FIND}; do
+ logtext "Loaded module: ${I}"
+ report "loaded_kernel_module[]=${I}"
+ N=`expr ${N} + 1`
+ done
+ Display --indent 6 --text "Found ${N} active modules"
+ else
+ logtext "Result: no loaded modules found"
+ logtext "Notice: No loaded kernel modules could indicate a broken/malformed lsmod, or a (custom) monolithic kernel"
+ fi
+ else
+ logtext "Test skipped, no lsmod binary found"
+ # Exception?
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : KRNL-5728
+ # Description : Checking for available Linux kernel configuration file in /boot
+ Register --test-no KRNL-5728 --os Linux --weight L --network NO --description "Checking Linux kernel config"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ LINUXCONFIGFILE="/boot/config-`uname -r`"
+ if [ -f ${LINUXCONFIGFILE} ]; then
+ logtext "Result: found config (${LINUXCONFIGFILE})"
+ Display --indent 2 --text "- Checking Linux kernel configuration file" --result FOUND --color GREEN
+ else
+ logtext "Result: no Linux kernel configuration file found in /boot"
+ Display --indent 2 --text "- Checking Linux kernel configuration file" --result "NOT FOUND" --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : KRNL-5730
+ # Description : Checking default I/O kernel scheduler
+ PREQS_MET="NO"
+ if [ ! "${LINUXCONFIGFILE}" = "" ]; then
+ if [ -f ${LINUXCONFIGFILE} ]; then PREQS_MET="YES"; fi
+ fi
+ Register --test-no KRNL-5730 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking disk I/O kernel scheduler"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking the default I/O kernel scheduler"
+ LINUX_KERNEL_IOSCHED=`${GREPBINARY} "CONFIG_DEFAULT_IOSCHED" ${LINUXCONFIGFILE} | awk -F= '{ print $2 }' | sed s/\"//g`
+ if [ ! "${LINUX_KERNEL_IOSCHED}" = "" ]; then
+ logtext "Result: found [${LINUX_KERNEL_IOSCHED}]"
+ Display --indent 2 --text "- Checking default I/O kernel scheduler" --result FOUND --color GREEN
+ report "linux_kernel_io_scheduler[]=${LINUX_KERNEL_IOSCHED}"
+ else
+ logtext "Result: no default i/o kernel scheduler found"
+ Display --indent 2 --text "- Checking default I/O kernel scheduler" --result "NOT FOUND" --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+# YYY Check for kernel options
+#
+#################################################################################
+#
+ # Test : KRNL-5745
+ # Description : Checking FreeBSD loaded kernel modules
+ Register --test-no KRNL-5745 --os FreeBSD --weight L --network NO --description "Checking FreeBSD loaded kernel modules"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ Display --indent 2 --text "- Checking active kernel modules..."
+ logtext "Test: ${KERNEL_ACTIVE_MODULES_TITLE}"
+ logtext "Description: ${KERNEL_ACTIVE_MODULES_DESCRIPTION}"
+ logtext "Action: Checking modules"
+ if [ -f /sbin/kldstat ]; then
+ FIND=`kldstat | grep -v 'Name' | tr -s ' ' | cut -d ' ' -f6`
+ if [ $? -eq 0 ]; then
+ logtext "Loaded modules according kldstat:"
+ N=0
+ for I in ${FIND}; do
+ logtext "Loaded module: ${I}"
+ report "loaded_kernel_module[]=${I}"
+ N=`expr ${N} + 1`
+ done
+ Display --indent 4 --text "Found ${N} kernel modules" --result DONE --color GREEN
+ else
+ Display --indent 4 --text "Test failed" --result WARNING --color RED
+ logtext "Result: Problem with executing kldstat"
+ fi
+ else
+ echo "[ ${WHITE}SKIPPED${NORMAL} ]"
+ logtext "Result: no results, can't find /sbin/kldstat"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : KRNL-5770
+ # Description : Checking Solaris load modules
+ Register --test-no KRNL-5770 --os Solaris --weight L --network NO --description "Checking active kernel modules"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: searching loaded kernel modules"
+ FIND=`modinfo -c -w | grep -v "UNLOADED" | grep LOADED | awk '{ print $3 }' | sort`
+ if [ ! "${FIND}" = "" ]; then
+ for I in ${FIND}; do
+ logtext "Found module: ${I}"
+ report "loaded_kernel_module[]=${I}"
+ done
+ Display --indent 2 --text "- Checking Solaris active kernel modules" --result DONE --color GREEN
+ else
+ logtext "Result: no output"
+ Display --indent 2 --text "- Checking Solaris active kernel modules" --result UNKNOWN --color YELLOW
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : KRNL-5788
+ # Description : Checking availability new kernel
+ if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no KRNL-5788 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking availability new Linux kernel"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Searching apt-cache, to determine if a newer kernel is available"
+ if [ -x /usr/bin/apt-cache ]; then
+ logtext "Result: found /usr/bin/apt-cache"
+ # YYY Test for presence /usr/bin/apt-cache and dpkg
+ logtext "Test: checking readlink location of /vmlinuz"
+ FINDKERNFILE=`readlink -f /vmlinuz`
+ logtext "Output: readlink reported file ${FINDKERNFILE}"
+ logtext "Test: checking package from dpkg -S"
+ FINDKERNEL=`dpkg -S ${FINDKERNFILE} 2> /dev/null | awk -F : '{print $1}'`
+ logtext "Output: dpkg -S reported package ${FINDKERNEL}"
+ logtext "Test: Using apt-cache policy to determine if there is an update available"
+ FINDINST=`apt-cache policy ${FINDKERNEL} | egrep 'Installed' | cut -d ':' -f2 | tr -d ' '`
+ FINDCAND=`apt-cache policy ${FINDKERNEL} | egrep 'Candidate' | cut -d ':' -f2 | tr -d ' '`
+ logtext "Kernel installed: ${FINDINST}"
+ logtext "Kernel candidate: ${FINDCAND}"
+ if [ "${FINDINST}" = "" ]; then
+ Display --indent 2 --text "- Checking for available kernel update... " --result UNKNOWN --color YELLOW
+ logtext "Result: Exception occured, no output from apt-cache policy"
+ ReportException "${TEST_NO}:01"
+ logtext "Exception: apt-cache policy did not return an installed kernel version"
+ ReportSuggestion ${TEST_NO} "Check the output of apt-cache policy manually to determine why output is empty"
+ else
+ if [ "${FINDINST}" = "${FINDCAND}" ]; then
+ Display --indent 2 --text "- Checking for available kernel update... " --result OK --color GREEN
+ logtext "Result: no kernel update available"
+ else
+ Display --indent 2 --text "- Checking for available kernel update... " --result "UPDATE AVAILABLE" --color YELLOW
+ logtext "Result: kernel update available according 'apt-cache policy'."
+ ReportSuggestion ${TEST_NO} "Determine priority for available kernel update"
+ fi
+ fi
+ else
+ logtext "Result: could NOT find /usr/bin/apt-cache, skipped other tests."
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : KRNL-5820
+ # Description : Checking core dumps configuration (Linux)
+ Register --test-no KRNL-5820 --os Linux --weight L --network NO --description "Checking core dumps configuration"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ logtext "Test: Checking presence /etc/security/limits.conf"
+ if [ -f /etc/security/limits.conf ]; then
+ logtext "Result: file /etc/security/limits.conf exists"
+ logtext "Test: Checking if core dumps are disabled in /etc/security/limits.conf"
+ FIND1=`cat /etc/security/limits.conf | grep -v "^#" | grep -v "^$" | awk '{ if ($1=="*" && $2=="soft" && $3=="core") { print "soft core enabled" } }'`
+ FIND2=`cat /etc/security/limits.conf | grep -v "^#" | grep -v "^$" | awk '{ if ($1=="*" && $2=="hard" && $3=="core") { print "hard core enabled" } }'`
+ if [ "${FIND1}" = "soft core enabled" -o "${FIND2}" = "hard core enabled" ]; then
+ logtext "Result: core dumps (soft or hard) are enabled"
+ Display --indent 2 --text "- Checking core dumps configuration... " --result ENABLED --color YELLOW
+ #YYY suggestion
+ AddHP 1 2
+ else
+ logtext "Result: core dumps (soft and hard) are both disabled"
+ Display --indent 2 --text "- Checking core dumps configuration... " --result DISABLED --color GREEN
+ CORE_DUMPS_DISABLED=1
+ AddHP 3 3
+ fi
+
+ # Sysctl option
+ logtext "Test: Checking sysctl value of fs.suid_dumpable"
+ FIND=`${SYSCTLBINARY} fs.suid_dumpable 2> /dev/null | awk '{ if ($1=="fs.suid_dumpable") { print $3 } }'`
+ if [ "${FIND}" = "" ]; then
+ logtext "Result: value ${FIND} found"
+ else
+ logtext "Result: sysctl key fs.suid_dumpable not found"
+ fi
+ if [ "${FIND}" = "2" ]; then
+ logtext "Result: programs can dump core dump, but only readable by root (value 2, for debugging with file protection)"
+ Display --indent 4 --text "- Checking setuid core dumps configuration... " --result PROTECTED --color GREEN
+ AddHP 1 1
+ elif [ "${FIND}" = "1" ]; then
+ logtext "Result: all programs can perform core dumps (value 1, for debugging)"
+ Display --indent 2 --text "- Checking setuid core dumps configuration... " --result DEBUG --color YELLOW
+ ReportSuggestion ${TEST_NO} "Determine if really all binaries need to be able to core dump"
+ AddHP 0 1
+ else
+ logtext "Result: found default option, some programs can dump (not processes which need to change credentials)"
+ Display --indent 4 --text "- Checking setuid core dumps configuration... " --result DEFAULT --color YELLOW
+ AddHP 1 1
+ fi
+ # Check ulimit settings and harden it
+ # echo 'ulimit -S -c 0 > /dev/null 2>&1' >> /etc/profile
+ else
+ logtext "Result: file /etc/security/limits.conf does not exist, skipping test"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : KRNL-5826
+ # Description : Checking core dumps configuration (Solaris)
+ #Register --test-no KRNL-5826 --os Linux --weight L --network NO --description "Checking core dumps configuration"
+ #if [ ${SKIPTEST} -eq 0 ]; then
+#
+#################################################################################
+#
+ # Test : KRNL-5830
+ # Description : Check if system needs a reboot (Debian based)
+ Register --test-no KRNL-5830 --weight L --network NO --description "Checking core dumps configuration"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FILE="/var/run/reboot-required.pkgs"
+ logtext "Test: Checking presence ${FILE}"
+ if [ -f ${FILE} ]; then
+ logtext "Result: file ${FILE} exists"
+ FIND=`cat ${FILE}`
+ if [ "${FIND}" = "" ]; then
+ Display --indent 2 --text "- Check if reboot is needed" --result NO --color GREEN
+ AddHP 5 5
+ else
+ PKGSCOUNT=`cat ${FILE} | wc -l`
+ Display --indent 2 --text "- Check if reboot is needed" --result YES --color RED
+ ReportWarning ${TEST_NO} "H" "Reboot of system is needed"
+ logtext "Result: reboot is needed, related to ${PKGSCOUNT} packages"
+ for I in ${FIND}; do
+ logtext "Package: ${I}"
+ done
+ AddHP 0 5
+ fi
+ else
+ logtext "Result: file ${FILE} not found, skipping further testing"
+ fi
+ fi
+#
+#################################################################################
+#
+
+wait_for_keypress
+
+#
+#================================================================================
+# Lynis - Copyright 2007-2014, Michael Boelen - http://cisofy.com - The Netherlands
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-30 02:12:37 +0300