diff options
Diffstat (limited to 'include/tests_logging')
| -rw-r--r-- | include/tests_logging | 482 |
1 files changed, 482 insertions, 0 deletions
diff --git a/include/tests_logging b/include/tests_logging new file mode 100644 index 00000000..3080cc92 --- /dev/null +++ b/include/tests_logging @@ -0,0 +1,482 @@ +#!/bin/sh + +################################################################################# +# +# Lynis +# ------------------ +# +# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands +# Web site: http://www.rootkit.nl +# +# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are +# welcome to redistribute it under the terms of the GNU General Public License. +# See LICENSE file for usage of this software. +# +################################################################################# +# +# Logging and related files +# +################################################################################# +# + LOG_FILES_LOCS="/var/log /var/adm" + LOGROTATE_CONFIG_FOUND=0 + LOGROTATE_TOOL="" + METALOG_RUNNING=0 + RFC3195D_RUNNING=0 + RSYSLOG_RUNNING=0 + SOLARIS_LOGHOST_FOUND=0 + SYSLOG_DAEMON_PRESENT=0 + SYSLOG_DAEMON_RUNNING=0 + SYSLOG_NG_RUNNING=0 + #YYY (extend support for systemd journal) + SYSTEMD_JOURNAL_RUNNING=0 +# +################################################################################# +# + + InsertSection "Logging and files" + + # Test : LOGG-2130 + # Description : Check for a running syslog daemon + # Notes : Log which syslog daemon is found YYY + Register --test-no LOGG-2130 --weight L --network NO --description "Check for running syslog daemon" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Test: Searching for a logging daemon... " + FIND=`${PSBINARY} ax | egrep "syslogd|syslog-ng|metalog|systemd-journal" | grep -v "grep"` + if [ "${FIND}" = "" ]; then + Display --indent 2 --text "- Checking for a running log daemon..." --result WARNING --color RED + logtext "Result: Could not find a syslog daemon like syslog, syslog-ng, rsyslog, metalog, systemd-journal" + ReportSuggestion ${TEST_NO} "Check if any syslog daemon is running and correctly configured." + ReportWarning ${TEST_NO} "H" "No syslog daemon found" + AddHP 0 3 + else + Display --indent 2 --text "- Checking for a running log daemon..." --result OK --color GREEN + logtext "Result: Found a logging daemon" + SYSLOG_DAEMON_PRESENT=1 + SYSLOG_DAEMON_RUNNING=1 + AddHP 3 3 + fi + fi +# +################################################################################# +# + # Test : LOGG-2132 + # Description : Check for a running syslog-ng daemon + Register --test-no LOGG-2132 --weight L --network NO --description "Check for running syslog-ng daemon" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Test: Searching for syslog-ng daemon in process list... " + FIND=`${PSBINARY} ax | grep "/syslog-ng" | grep -v "grep"` + if [ ! "${FIND}" = "" ]; then + logtext "Result: Found syslog-ng in process list" + Display --indent 4 --text "- Checking Syslog-NG status" --result FOUND --color GREEN + SYSLOG_DAEMON_PRESENT=1 + SYSLOG_NG_RUNNING=1 + else + logtext "Result: Syslog-ng NOT found in process list" + Display --indent 4 --text "- Checking Syslog-NG status" --result "NOT FOUND" --color WHITE + fi + fi +# +################################################################################# +# + # Test : LOGG-2134 + # Description : Check for Syslog-NG configuration file consistency + if [ ! "${SYSLOGNGBINARY}" = "" -a ${SYSLOG_NG_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no LOGG-2134 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking Syslog-NG configuration file consistency" + if [ ${SKIPTEST} -eq 0 ]; then + FIND=`${SYSLOGNGBINARY} -s; echo $?` + if [ "${FIND}" = "0" ]; then + logtext "Result: Syslog-NG configuration file seems to be consistent" + Display --indent 6 --text "- Checking Syslog-NG consistency" --result OK --color GREEN + else + logtext "Result: Syslog-NG configuration file seems NOT to be consistent" + Display --indent 6 --text "- Checking Syslog-NG consistency" --result WARNING --color RED + ReportWarning ${TEST_NO} "L" "Found one or more problems in Syslog-NG configuration file" + ReportSuggestion ${TEST_NO} "Check the Syslog-NG configuration file and/or run a manual consistency check with: syslog-ng -s" + fi + fi +# +################################################################################# +# + # Test : LOGG-2210 + # Description : Check for a running metalog daemon + Register --test-no LOGG-2210 --weight L --network NO --description "Check for running metalog daemon" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Test: Searching for metalog daemon in process list... " + FIND=`${PSBINARY} ax | grep "metalog" | grep -v "grep"` + if [ ! "${FIND}" = "" ]; then + logtext "Result: Found metalog in process list" + Display --indent 4 --text "- Checking Metalog status" --result FOUND --color GREEN + SYSLOG_DAEMON_PRESENT=1 + METALOG_RUNNING=1 + else + logtext "Result: metalog NOT found in process list" + Display --indent 4 --text "- Checking Metalog status" --result "NOT FOUND" --color WHITE + fi + fi +# +################################################################################# +# + # Test : LOGG-2230 + # Description : Check for a running rsyslog daemon + Register --test-no LOGG-2230 --weight L --network NO --description "Check for running RSyslog daemon" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Test: Searching for RSyslog daemon in process list... " + FIND=`${PSBINARY} ax | grep "rsyslogd" | grep -v "grep"` + if [ ! "${FIND}" = "" ]; then + logtext "Result: Found rsyslogd in process list" + Display --indent 4 --text "- Checking RSyslog status" --result FOUND --color GREEN + SYSLOG_DAEMON_PRESENT=1 + RSYSLOG_RUNNING=1 + else + logtext "Result: rsyslogd NOT found in process list" + Display --indent 4 --text "- Checking RSyslog status" --result "NOT FOUND" --color WHITE + fi + fi +# +################################################################################# +# + # Test : LOGG-2240 + # Description : Check for a running RFC 3195 compliant daemon (syslog via TCP) + Register --test-no LOGG-2240 --weight L --network NO --description "Check for running RFC 3195 compliant daemon" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Test: Searching for RFC 3195 daemon (alias syslog reliable) in process list... " + FIND=`${PSBINARY} ax | grep "rfc3195d" | grep -v "grep"` + if [ ! "${FIND}" = "" ]; then + logtext "Result: Found rfc3195d in process list" + Display --indent 4 --text "- Checking RFC 3195 daemon status" --result FOUND --color GREEN + SYSLOG_DAEMON_PRESENT=1 + RFC3195D_RUNNING=1 + else + logtext "Result: rfc3195d NOT found in process list" + Display --indent 4 --text "- Checking RFC 3195 daemon status" --result "NOT FOUND" --color WHITE + fi + fi +# +################################################################################# +# + # Test : LOGG-2138 + # Description : Check for kernel log daemon (klogd) presence on Linux systems + # Notes : When using rsyslog, this process is not needed. In combination + # with syslog-ng, klogd is still an addition to it, since it + # captures kernel related events and send them to syslog-ng. + # This test should be below all other logging daemons + Register --test-no LOGG-2138 --os Linux --weight L --network NO --description "Checking kernel logger daemon on Linux" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Test: Searching kernel logger daemon (klogd)" + if [ ${RSYSLOG_RUNNING} -eq 0 ]; then + # Search for klogd, but ignore other lines related to klogd (like dd with input/output file) + FIND=`${PSBINARY} ax | grep "klogd" | grep -v "dd" | grep -v "grep"` + if [ ! "${FIND}" = "" ]; then + logtext "Result: klogd running" + Display --indent 4 --text "- Checking klogd" --result FOUND --color GREEN + else + logtext "Result: No klogd found" + Display --indent 4 --text "- Checking klogd" --result "NOT FOUND" --color RED + ReportWarning ${TEST_NO} "L" "klogd is not running, which could lead to missing kernel messages in log files" + ReportSuggestion ${TEST_NO} "Check why klogd is not running" + fi + else + logtext "Result: test skipped, because rsyslogd is being used" + fi + fi +# +################################################################################# +# + # Test : LOGG-2142 + # Description : Check for minilogd presence on Linux systems + Register --test-no LOGG-2142 --os Linux --weight L --network NO --description "Checking minilog daemon" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Result: Checking for unkilled minilogd instances.." + # Search for minilogd. It shouldn't be running normally, if another syslog daemon is started + FIND=`${PSBINARY} ax | grep "minilogd" | grep -v "grep"` + if [ "${FIND}" = "" ]; then + Display --indent 4 --text "- Checking minilogd instances" --result "NOT FOUND" --color WHITE + logtext "Result: No minilogd is running.." + else + Display --indent 4 --text "- Checking minilogd instances" --result WARNING --color RED + logtext "Result: minilogd found in process list" + # minilogd daemon seems to be running.. + ReportWarning ${TEST_NO} "L" "minilogd is running, which should normally not be running" + ReportSuggestion ${TEST_NO} "Check minilogd is active and if other syslog daemons are started up properly" + fi + fi +# +################################################################################# +# + # Test : LOGG-2146 + # Description : Check for logrotate (/etc/logrotate.conf and logrotate.d) + Register --test-no LOGG-2146 --weight L --os Linux --network NO --description "Checking logrotate.conf and logrotate.d" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Test: Checking for /etc/logrotate.conf" + if [ -f /etc/logrotate.conf ]; then + LOGROTATE_CONFIG_FOUND=1 + LOGROTATE_TOOL="logrotate" + logtext "Result: /etc/logrotate.conf found (file)" + else + logtext "Result: /etc/logrotate.conf NOT found" + fi + logtext "Test: Checking for /etc/logrotate.d (directory)" + if [ -d /etc/logrotate.d ]; then + LOGROTATE_CONFIG_FOUND=1 + LOGROTATE_TOOL="logrotate" + logtext "Result: /etc/logrotate.d found" + else + logtext "Result: /etc/logrotate.conf found" + fi + if [ ${LOGROTATE_CONFIG_FOUND} -eq 1 ]; then + Display --indent 2 --text "- Checking logrotate presence" --result OK --color GREEN + logtext "Result: logrotate configuration found" + else + Display --indent 2 --text "- Checking logrotate presence" --result WARNING --color RED + logtext "Result: No logrotate configuration found" + ReportWarning ${TEST_NO} "L" "No logrotate configuration has been found" + ReportSuggestion ${TEST_NO} "Check if files are properly rotated by a some tool instead of logrotate" + fi + fi +# +################################################################################# +# + # Test : LOGG-2148 + # Description : Checking log files rotated with logrotate + if [ ! "${LOGROTATEBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no LOGG-2148 --weight L --preqs-met ${PREQS_MET} --network NO --description "Checking logrotated files" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Test: Checking which files are rotated with logrotate and if they exist" + FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | egrep "considering log|skipping" | grep -v '*' | sort | uniq | awk '{ if ($2!="log") { print "File:"$2":does_not_exist" } else { print "File:"$3":exists" } }'` + if [ "${FIND}" = "" ]; then + logtext "Result: nothing found" + else + logtext "Result: found one or more files which are rotated via logrotate" + for I in ${FIND}; do + logtext "Output: ${I}" + done + fi + fi +# +################################################################################# +# + # Test : LOGG-2150 + # Description : Checking log directories rotated with logrotate + if [ ! "${LOGROTATEBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no LOGG-2150 --weight L --preqs-met ${PREQS_MET} --network NO --description "Checking directories in logrotate configuration" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Test: Checking which directories can be found in logrotate configuration" + FIND=`${LOGROTATEBINARY} -d -v /etc/logrotate.conf 2>&1 | egrep "considering log|skipping" | grep -v '*' | sort | uniq | awk '{ if ($2=="log") { print $3 } }' | sed 's/\/*[a-zA-Z_.-]*$//g' | sort | uniq` + if [ "${FIND}" = "" ]; then + logtext "Result: nothing found" + else + logtext "Result: found one or more directories (via logrotate configuration)" + for I in ${FIND}; do + if [ -d ${I} ]; then + logtext "Directory found: ${I}" + report "log_directory[]=${I}" + else + logtext "Directory could not be found: ${I}" + # YYY strip more parts of the name, until it can be found (and stop at /) + fi + done + fi + fi +# +################################################################################# +# + # Test : LOGG-2152 + # Description : Check for Solaris 'loghost' entry in /etc/inet/hosts, or + # succesful resolving via DNS or any other name service. + Register --test-no LOGG-2152 --weight L --os Solaris --network NO --description "Checking loghost" + if [ ${SKIPTEST} -eq 0 ]; then + # Try local hosts file + logtext "Result: Checking for loghost in /etc/inet/hosts" + FIND=`grep loghost /etc/inet/hosts | grep -v "^#"` + if [ ! "${FIND}" = "" ]; then + SOLARIS_LOGHOST_FOUND=1 + logtext "Result: Found loghost entry in /etc/inet/hosts" + else + logtext "Result: No loghost entry found in /etc/inet/hosts" + + # Try name resolving if no entry is present in local host file + logtext "Result: Checking for loghost via name resolving" + FIND=`getent hosts loghost | grep loghost` + if [ ! "${FIND}" = "" ]; then + SOLARIS_LOGHOST_FOUND=1 + logtext "Result: name resolving was succesful" + logtext "Output: ${FIND}" + else + logtext "Result: name resolving didn't find results" + fi + fi + + if [ ${SOLARIS_LOGHOST_FOUND} -eq 1 ]; then + logtext "Result: loghost entry found and most likely used to send syslog messages" + Display --indent 2 --text "- Checking loghost entry" --result OK --color GREEN + else + Display --indent 2 --text "- Checking loghost entry" --result WARNING --color RED + logtext "Result: No loghost entry found" + ReportWarning ${TEST_NO} "L" "No loghost entry found" + ReportSuggestion ${TEST_NO} "Add a loghost entry to /etc/inet/hosts or other name services" + fi + fi +# +################################################################################# +# + # Test : LOGG-2154 + # Description : Check to see if remote logging is enabled + # Notes : prevent lines showing up with commands in it (like |mail) + if [ ${SYSLOG_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no LOGG-2154 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking syslog configuration file" + if [ ${SKIPTEST} -eq 0 ]; then + if [ ${SYSLOG_NG_RUNNING} -eq 1 ]; then + SYSLOGD_CONF="/etc/syslog-ng/syslog-ng.conf" + else + SYSLOGD_CONF="/etc/syslog.conf" + fi + if [ -f ${SYSLOGD_CONF} ]; then + logtext "Test: check if logs are also logged to a remote logging host" + FIND=`egrep "@[a-zA-Z0-9]" ${SYSLOGD_CONF} | grep -v "^#" | grep -v "[a-zA-Z0-9]@"` + if [ ! "${FIND}" = "" ]; then + logtext "Result: remote logging enabled" + AddHP 5 5 + Display --indent 2 --text "- Checking remote logging" --result ENABLED --color GREEN + else + logtext "Result: no remote logging found" + ReportSuggestion ${TEST_NO} "Enable logging to an external logging host for archiving purposes and additional protection" + AddHP 1 3 + Display --indent 2 --text "- Checking remote logging" --result "NOT ENABLED" --color YELLOW + fi + else + logtext "Result: test skipped, file ${SYSLOGD_CONF} not found" + fi + fi +# +################################################################################# +# + # Test : LOGG-2160 + # Description : Check for /etc/newsyslog.conf (FreeBSD/OpenBSD) + if [ -f /etc/newsyslog.conf ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no LOGG-2160 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking /etc/newsyslog.conf" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Result: /etc/newsyslog.conf found" + Display --indent 2 --text "- Checking /etc/newsyslog.conf" --result FOUND --color GREEN + LOGROTATE_CONFIG_FOUND=1 + LOGROTATE_TOOL="newsyslog" + fi +# +################################################################################# +# + # Test : LOGG-2162 + # Description : Check for directories in /etc/newsyslog.conf + if [ -f /etc/newsyslog.conf ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no LOGG-2162 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking /etc/newsyslog.conf" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Test: parsing directories from /etc/newsyslog.conf file" + FIND=`cat /etc/newsyslog.conf | sort | uniq | grep "^/" | awk '{ print $1 }' | sed 's/\/*[a-zA-Z_.-]*$//g' | sort | uniq` + for I in ${FIND}; do + if [ -d ${I} ]; then + logtext "Result: Directory ${I} found and exists" + report "log_directory[]=${I}" + else + logtext "Result: Item ${I} is not a directory" + fi + done + Display --indent 4 --text "- Checking log directories (newsyslog.conf)" --result DONE --color GREEN + fi +# +################################################################################# +# + # Test : LOGG-2164 + # Description : Check for files in /etc/newsyslog.conf + if [ -f /etc/newsyslog.conf ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no LOGG-2164 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking /etc/newsyslog.conf" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Test: parsing directories from /etc/newsyslog.conf file" + FIND=`cat /etc/newsyslog.conf | sort | uniq | grep "^/" | awk '{ print $1 }'` + for I in ${FIND}; do + if [ -f ${I} ]; then + logtext "Result: File ${I} found and exists" + else + logtext "Result: Item ${I} is not a file" + fi + done + Display --indent 4 --text "- Checking log files (newsyslog.conf)" --result DONE --color GREEN + fi +# +################################################################################# +# + # Test : LOGG-2170 + # Description : Search available log paths + Register --test-no LOGG-2170 --weight L --network NO --description "Checking log paths" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Test: Searching log paths" + for I in ${LOG_FILES_LOCS}; do + if [ -d ${I} ]; then + logtext "Result: directory ${I} exists" + report "log_directory[]=${I}" + else + logtext "Result: directory ${I} can't be found" + fi + done + Display --indent 2 --text "- Checking log directories (static list)" --result DONE --color GREEN + fi +# +################################################################################# +# + # Test : LOGG-2180 + # Description : Search open log file + Register --test-no LOGG-2180 --weight L --network NO --description "Checking open log files" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Test: checking open log files with lsof" + if [ ! "${LSOFBINARY}" = "" ]; then + FIND=`${LSOFBINARY} -n 2>&1 | grep "log$" | egrep -v "WARNING|Output information" | awk '{ if ($5=="REG") { print $9 } }' | sort | uniq | grep -v "^$"` + for I in ${FIND}; do + logtext "Found logfile: ${I}" + report "open_logfile[]=${I}" + done + Display --indent 2 --text "- Checking open log files" --result DONE --color GREEN + else + logtext "Result: lsof not installed, skipping test" + Display --indent 2 --text "- Checking open log files" --result SKIPPED --color YELLOW + # Add suggestion + fi + fi +# +################################################################################# +# + # Test : LOGG-2190 + # Description : Checking deleted files + if [ ! "${LSOFBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no LOGG-2190 --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking deleted files in file table" + if [ ${SKIPTEST} -eq 0 ]; then + logtext "Test: checking deleted files but are still in use" + FIND=`${LSOFBINARY} -n +L 1 2>&1 | egrep -v "WARNING|Output information" | awk '{ if ($5=="REG") { print $10 } }' | grep -v "^$"` + if [ ! "${FIND}" = "" ]; then + logtext "Result: found one or more files which are deleted, but still in use" + for I in ${FIND}; do + logtext "Found deleted file: ${I}" + report "deleted_file[]=${I}" + done + Display --indent 2 --text "- Checking deleted files in use" --result "FILES FOUND" --color YELLOW + ReportSuggestion ${TEST_NO} "Check what deleted files are still in use and why." + else + logtext "Result: no deleted files found" + Display --indent 2 --text "- Checking deleted files in use" --result DONE --color GREEN + fi + fi +# +################################################################################# +# +# +# Rsyslogd checks +# +# +################################################################################# +# + +report "log_rotation_config_found=${LOGROTATE_CONFIG_FOUND}" +report "log_rotation_tool=${LOGROTATE_TOOL}" + +wait_for_keypress + +# +#================================================================================ +# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands |