#!/bin/sh ################################################################################# # # Lynis # ------------------ # # Copyright 2007-2015, Michael Boelen (michael.boelen@cisofy.com) # Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. # See LICENSE file for usage of this software. # ################################################################################# # InsertSection "Accounting" # ################################################################################# # AUDITD_CONF_LOCS="/etc /etc/audit" AUDITD_CONF_FILE="" AUDITD_RUNNING=0 SOLARIS_AUDITD_RUNNING=0 # ################################################################################# # # Test : ACCT-2754 # Description : Check availability FreeBSD accounting data Register --test-no ACCT-2754 --os FreeBSD --weight L --network NO --description "Check for available FreeBSD accounting information" if [ ${SKIPTEST} -eq 0 ]; then if [ -f /var/account/acct ]; then Display --indent 2 --text "- Checking accounting information" --result OK --color GREEN logtext "Result: /var/account/acct available" AddHP 3 3 else Display --indent 2 --text "- Checking accounting information" --result "NOT FOUND" --color YELLOW logtext "Result: No accounting information available" logtext "Remark: Possibly there is another location where the accounting data is stored" ReportSuggestion ${TEST_NO} "Enable process accounting" AddHP 2 3 fi fi # ################################################################################# # # Test : ACCT-9622 # Description : Check availability Linux accounting data # Notes : /var/log/pacct (Slackware) Register --test-no ACCT-9622 --os Linux --weight L --network NO --description "Check for available Linux accounting information" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Check accounting information" if [ -f /var/account/pacct ]; then Display --indent 2 --text "- Checking accounting information" --result OK --color GREEN logtext "Result: /var/account/pacct available" AddHP 3 3 elif [ -f /var/log/account/pacct ]; then Display --indent 2 --text "- Checking accounting information" --result OK --color GREEN logtext "Result: /var/log/account/pacct available" AddHP 3 3 elif [ -f /var/log/pacct ]; then Display --indent 2 --text "- Checking accounting information" --result OK --color GREEN logtext "Result: /var/log/pacct available" AddHP 3 3 else Display --indent 2 --text "- Checking accounting information" --result "NOT FOUND" --color YELLOW logtext "Result: No accounting information available (/var/account/pacct, /var/log/account/pact nor /var/log/pact exist)" logtext "Remark: Possibly there is another location where the accounting data is stored" ReportSuggestion ${TEST_NO} "Enable process accounting" AddHP 2 3 fi fi # ################################################################################# # # Test : ACCT-9626 # Description : Check sysstat accounting data Register --test-no ACCT-9626 --os Linux --weight L --network NO --description "Check for sysstat accounting data" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: check /etc/default/sysstat presence" if [ -f /etc/default/sysstat ]; then logtext "Result: /etc/default/sysstat found" FIND=`grep "^ENABLED" /etc/default/sysstat | grep -i true` if [ ! "${FIND}" = "" ]; then logtext "Result: sysstat enabled via /etc/default/sysstat" Display --indent 2 --text "- Checking sysstat accounting data" --result ENABLED --color GREEN else logtext "Result: sysstat disabled via /etc/default/sysstat" Display --indent 2 --text "- Checking sysstat accounting data" --result DISABLED --color WHITE ReportSuggestion ${TEST_NO} "Enable sysstat to collect accounting (disabled)" fi elif [ -f /etc/cron.d/sysstat ]; then FIND=`grep -v '^[[:space:]]*\(#\|$\)' /etc/cron.d/sysstat` if [ ! "${FIND}" = "" ]; then logtext "Result: sysstat enabled via /etc/cron.d/sysstat" Display --indent 2 --text "- Checking sysstat accounting data" --result ENABLED --color GREEN else logtext "Result: sysstat disabled via /etc/cron.d/sysstat" Display --indent 2 --text "- Checking sysstat accounting data" --result DISABLED --color WHITE ReportSuggestion ${TEST_NO} "Enable sysstat to collect accounting (cron disabled)" fi else logtext "Result: sysstat not found via /etc/default/sysstat or /etc/cron.d/sysstat" Display --indent 2 --text "- Checking sysstat accounting data" --result "NOT FOUND" --color YELLOW ReportSuggestion ${TEST_NO} "Enable sysstat to collect accounting (no results)" fi fi # ################################################################################# # # Test : ACCT-9628 # Description : Check auditd status if [ ! "${AUDITDBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no ACCT-9628 --os Linux --weight L --network NO --description "Check for auditd" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Check auditd status" # Should not get kauditd IsRunning auditd if [ ${RUNNING} -eq 1 ]; then logtext "Result: auditd running" Display --indent 2 --text "- Checking auditd" --result ENABLED --color GREEN AUDITD_RUNNING=1 report "audit_daemon_running=1" report "audit_trail_tool[]=auditd" AddHP 4 4 else logtext "Result: auditd not active" Display --indent 2 --text "- Checking auditd" --result "NOT FOUND" --color WHITE if [ ! "${VMTYPE}" = "openvz" ]; then ReportSuggestion ${TEST_NO} "Enable auditd to collect audit information" fi AUDITD_RUNNING=0 report "audit_daemon_running=0" AddHP 0 1 fi fi # ################################################################################# # # Test : ACCT-9630 # Description : Check auditd rules if [ ! "${AUDITDBINARY}" = "" -a ! "${AUDITCTLBINARY}" = "" -a ${AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no ACCT-9630 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --description "Check for auditd rules" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Checking auditd rules" FIND=`${AUDITCTLBINARY} -l | grep -v "No rules"` if [ "${FIND}" = "" ]; then logtext "Result: auditd rules empty" Display --indent 4 --text "- Checking audit rules" --result SUGGESTION --color YELLOW AddHP 0 2 ReportSuggestion ${TEST_NO} "Audit daemon is enabled with an empty ruleset. Disable the daemon or define rules" else logtext "Result: found auditd rules" Display --indent 4 --text "- Checking audit rules" --result OK --color GREEN # Log audit daemon rules FIND=`${AUDITCTLBINARY} -l | sed 's/ /!space!/g'` for I in ${FIND}; do I=`echo ${I} | sed 's/!space!/ /g'` logtext "Output: ${I}" done fi fi # ################################################################################# # # Test : ACCT-9632 # Description : Check auditd configuration file if [ ! "${AUDITDBINARY}" = "" -a ${AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no ACCT-9632 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for auditd configuration file" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Checking auditd configuration file" for I in ${AUDITD_CONF_LOCS}; do if [ -f ${I}/auditd.conf ]; then AUDITD_CONF_FILE="${I}/auditd.conf" logtext "Result: Found ${I}/auditd.conf" else logtext "Result: ${I}/auditd.conf not found" fi done # Check if we discovered the configuration file. It should be there is the binaries are available and process is running if [ ! "${AUDITD_CONF_FILE}" = "" ]; then Display --indent 4 --text "- Checking audit configuration file" --result OK --color GREEN else logtext "Result: could not find auditd configuration file" Display --indent 4 --text "- Checking audit configuration file" --result WARNING --color RED ReportSuggestion ${TEST_NO} "Determine the location of auditd configuration file" fi fi # ################################################################################# # # Test : ACCT-9634 # Description : Check auditd log file if [ ! "${AUDITDBINARY}" = "" -a ${AUDITD_RUNNING} -eq 1 -a ! "${AUDITD_CONF_FILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no ACCT-9634 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for auditd log file" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Checking auditd log file" FIND=`grep "^log_file" ${AUDITD_CONF_FILE} | ${AWKBINARY} '{ if ($1=="log_file" && $2=="=") { print $3 } }'` if [ ! "${FIND}" = "" ]; then logtext "Result: log file is defined" logtext "Defined value: ${FIND}" if [ -f ${FIND} ]; then logtext "Result: log file ${FIND} exists on disk" Display --indent 4 --text "- Checking auditd log file" --result FOUND --color GREEN report "logfile[]=${FIND}" else logtext "Result: can't find log file ${FIND} on disk" Display --indent 4 --text "- Checking auditd log file" --result SUGGESTION --color YELLOW ReportSuggestion ${TEST_NO} "Check auditd log file location" fi else logtext "Result: no log file found" Display --indent 4 --text "- Checking auditd log file" --result WARNING --color RED ReportWarning ${TEST_NO} "L" "Auditd log file is defined but can not be found on disk" fi fi # ################################################################################# # # Test : ACCT-9636 # Description : Check for Snoopy (wrapper for execve() and logger) Register --test-no ACCT-9636 --os Linux --weight L --network NO --description "Check for Snoopy wrapper and logger" if [ ${SKIPTEST} -eq 0 ]; then FILE="/lib/snoopy.so" if [ -f ${FILE} ]; then logtext "Result: found ${FILE}" Display --indent 2 --text "- Checking Snoopy" --result FOUND --color GREEN if [ -f /etc/ld.so.preload ]; then logtext "Result: found /etc/ld.so.preload, testing if snoopy.so is listed" FIND=`grep ${FILE} /etc/ld.so.preload` if [ ! "${FIND}" = "" ]; then logtext "Result: found snoopy in ld.so.preload" logtext "Output: ${FIND}" Display --indent 6 --text "- Library in ld.so.preload" --result "LOADED" --color GREEN report "audit_trail_tool[]=snoopy" else Display --indent 6 --text "- Library in ld.so.preload" --result "NOT FOUND" --color YELLOW ReportSuggestion ${TEST_NO} "Snoopy is installed but not loaded via /etc/ld.so.preload" AddHP 3 3 fi else logtext "Result: /etc/ld.so.preload does not exist" Display --indent 6 --text "- Library in ld.so.preload" --result "UNKNOWN" --color PURPLE ReportException "${TEST_NO}:1" "Unsure how Snoopy might be loaded as ld.so.preload does not exist" fi fi fi # ################################################################################# # # Test : ACCT-9650 # Description : Check Solaris audit daemon presence Register --test-no ACCT-9650 --os Solaris --weight L --network NO --description "Check Solaris audit daemon" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: check if audit daemon is running" IsRunning auditd if [ ${RUNNING} -eq 1 ]; then logtext "Result: Solaris audit daemon is running" SOLARIS_AUDITD_RUNNING=1 Display --indent 2 --text "- Checking Solaris audit daemon status" --result RUNNING --color GREEN else logtext "Result: Solaris audit daemon is not running" Display --indent 2 --text "- Checking Solaris audit daemon status" --result "NOT RUNNING" --color YELLOW fi fi # ################################################################################# # # Test : ACCT-9652 # Description : Check Solaris auditd service status if [ -x /usr/bin/svcs -a ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no ACCT-9652 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check auditd SMF status" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: check if auditd service is enabled and online" FIND=`/usr/bin/svcs svc:/system/auditd:default | grep "^online"` if [ ! "${FIND}" = "" ]; then logtext "Result: auditd service is online" Display --indent 4 --text "- Checking Solaris audit daemon status" --result ONLINE --color GREEN else Display --indent 4 --text "- Checking Solaris audit daemon status" --result "NOT ONLINE" --color YELLOW ReportSuggestion "${TEST_NO}" "Check status of audit daemon" fi fi # ################################################################################# # # Test : ACCT-9654 # Description : Check Solaris Basic Security Mode (BSM) in /etc/system if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no ACCT-9654 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check BSM auditing in /etc/system" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: check if BSM is enabled in /etc/system" if [ -f /etc/system ]; then FIND=`grep 'set c2audit:audit_load = 1' /etc/system` if [ ! "${FIND}" = "" ]; then logtext "Result: BSM is enabled in /etc/system" Display --indent 4 --text "- Checking Solaris BSM (/etc/system)" --result ENABLED --color GREEN else Display --indent 4 --text "- Checking Solaris BSM (/etc/system)" --result "NOT FOUND" --color YELLOW fi else logtext "Result: /etc/system does not exist" fi fi # ################################################################################# # # Test : ACCT-9656 # Description : Check Solaris BSM (c2audit) module status if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no ACCT-9656 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check BSM auditing in module list" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: check if c2audit module is active" if [ -x /usr/sbin/modinfo ]; then FIND=`/usr/sbin/modinfo | grep c2audit` if [ ! "${FIND}" = "" ]; then logtext "Result: c2audit found in modinfo output" Display --indent 4 --text "- Checking Solaris BSM (modules list)" --result ENABLED --color GREEN else logtext "Result: c2audit not found in modinfo output" Display --indent 4 --text "- Checking Solaris BSM (modules list)" --result "NOT FOUND" --color YELLOW fi else logtext "Result: /usr/sbin/modinfo does not exist, skipping test" fi fi # ################################################################################# # # Test : ACCT-9662 # Description : Check location for audit events if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no ACCT-9660 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check location of audit events" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: check /etc/security/audit_control for event logging location" if [ -f /etc/security/audit_control ]; then logtext "Result: file /etc/security/audit_control found" FIND=`grep "^dir" /etc/security/audit_control | ${AWKBINARY} -F: '{ print $2 }'` if [ ! "${FIND}" = "" ]; then logtext "Result: found location ${FIND}" logtext "Test: Checking if location is a valid directory" if [ -d ${FIND} ]; then logtext "Result: location ${FIND} is valid" Display --indent 4 --text "- Checking Solaris audit location" --result FOUND --color GREEN else logtext "Result: location ${FIND} does not exist" Display --indent 4 --text "- Checking Solaris audit location" --result "NOT FOUND" --color YELLOW ReportSuggestion "${TEST_NO}" "Check if the Solaris audit directory is available" fi else logtext "Result: unknown event location" Display --indent 4 --text "- Checking Solaris audit location" --result UNKNOWN --color YELLOW ReportSuggestion "${TEST_NO}" "Check if the Solaris audit directory is properly configured" fi else logtext "Result: could not find /etc/security/audit_control" Display --indent 4 --text "- Checking Solaris audit location" --result SKIPPED --color YELLOW fi fi # ################################################################################# # # Test : ACCT-9672 # Description : check auditstat if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no ACCT-9662 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Solaris auditing stats" if [ ${SKIPTEST} -eq 0 ]; then logtext "Test: Check auditing statistics" if [ -x /usr/sbin/auditstat ]; then FIND=`/usr/sbin/auditstat | tr -s ' ' ','` for I in ${FIND}; do logtext "Output: ${I}" done Display --indent 4 --text "- Checking Solaris audit statistics" --result DONE --color GREEN else logtext "Result: /usr/sbin/auditstat not found, skipping test" Display --indent 4 --text "- Checking Solaris audit statistics" --result SKIPPED --color YELLOW fi fi # ################################################################################# # wait_for_keypress # #================================================================================ # Lynis - Copyright 2007-2015, Michael Boelen / CISOfy - https://cisofy.com