#!/bin/sh

#################################################################################
#
#   Lynis
# ------------------
#
# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Check which tools are installed
#
#################################################################################
#
    # Aggregate flags consumed by later tests; FILE-7502 below raises them to 1
    # when a matching binary is found in BINPATHS.
    COMPILER_INSTALLED=0            # as / gcc / g++ seen
    IDLE_SESSION_KILLER_INSTALLED=0 # autolog seen
    MALWARE_SCANNER_INSTALLED=0     # chkrootkit / rkhunter seen
#
#################################################################################
#
    # Section header for the report/screen output (helper defined elsewhere in Lynis)
    InsertSection "System Tools"
#
#################################################################################
#
    # Screen and log announcement; Display/logtext are Lynis helpers, not defined here
    Display --indent 2 --text "- Scanning available tools..."
    logtext "Start scanning for available audit binaries and tools..."

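    # Test        : FILE-7502
    # Description : Check all system binaries
    # Notes       : Always perform test, dependency for many other tests.
    #               Walks every directory in BINPATHS (whitespace separated) and
    #               sets <TOOL>FOUND=1 / <TOOL>BINARY=<path> for each known
    #               binary, plus the COMPILER_INSTALLED,
    #               IDLE_SESSION_KILLER_INSTALLED and MALWARE_SCANNER_INSTALLED
    #               flags. Outputs: SCANNEDPATHS (comma separated list of
    #               directories actually scanned), N (number of entries seen),
    #               and report line binaries_count.
    #               Several *VERSION probes below execute the matched binary
    #               itself, so this test runs code from every directory listed in
    #               BINPATHS with the auditor's privileges; keep BINPATHS to
    #               trusted, root-owned system directories.
    Register --test-no FILE-7502 --weight L --network NO --description "Check all system binaries"
    #if [ ${SKIPTEST} -eq 0 ]; then
        SCANNEDPATHS=""; N=0
        Display --indent 2 --text "- Checking system binaries..."
        logtext "Status: Starting binary scan..."
        for SCANDIR in ${BINPATHS}; do
            logtext "Test: Check if directory exists"
            if [ -d "${SCANDIR}" ]; then
                SKIPDIR=0
                # Remember the configured path up front, so a skipped symlink is
                # reported under the name the user configured even when the
                # symlink cannot be resolved (ORGPATH was previously left stale)
                ORGPATH="${SCANDIR}"
                if [ -L "${SCANDIR}" ]; then
                    logtext "Result: directory exists, but is actually a symlink"
                    # ShowSymlinkPath is expected to set FOUNDPATH (0/1) and sFILE
                    # (resolved target) -- confirm against its definition
                    ShowSymlinkPath "${SCANDIR}"
                    if [ "${FOUNDPATH:-0}" -eq 1 ] && [ -d "${sFILE}" ]; then
                        # Set path to new location
                        logtext "Result: found the path behind this symlink (${SCANDIR} --> ${sFILE})"
                        SCANDIR="${sFILE}"
                        # Match a whole entry of the ", a, b" list; a plain substring
                        # match would also skip /usr/sbin after /usr/sbin/x was scanned
                        case "${SCANNEDPATHS}, " in
                            *", ${SCANDIR}, "*)
                                SKIPDIR=1; logtext "Result: Skipping this directory as it is a symlink and was already scanned"
                                ;;
                        esac
                      else
                        SKIPDIR=1; logtext "Result: Could not find the location of this symlink, or is not a directory"
                    fi
                fi
                if [ "${SKIPDIR}" -eq 0 ]; then
                    logtext "Test: Checking binaries in directory ${SCANDIR}"
                    Display --indent 4 --text "- ${SCANDIR}" --result FOUND --color GREEN
                    SCANNEDPATHS="${SCANNEDPATHS}, ${SCANDIR}"
                    logtext "Directory ${SCANDIR} exists. Starting directory scanning..."
                    # Glob instead of parsing ls: names containing whitespace stay intact
                    for BINARY in "${SCANDIR}"/*; do
                        # An empty or unreadable directory leaves the literal pattern behind
                        [ -e "${BINARY}" ] || [ -L "${BINARY}" ] || continue
                        I="${BINARY##*/}"
                        N=$((N + 1))
                        logtext "Binary: ${BINARY}"
                        # Optimized, much quicker (limited file access needed).
                        # Arms wrapped in [ -f ] guard against a directory of the same
                        # name (e.g. /usr/libexec/gcc). Arms that compute a *VERSION
                        # value execute ${BINARY}; see the note in the test header.
                        case "${I}" in
                            aa-status)              APPARMORFOUND=1;          AASTATUSBINARY="${BINARY}";                                                  logtext "  Found known binary: aa-status (apparmor component) - ${BINARY}" ;;
                            afick.pl)               AFICKFOUND=1;             AFICKBINARY="${BINARY}";                                                     logtext "  Found known binary: afick (file integrity checker) - ${BINARY}" ;;
                            aide)                   AIDEFOUND=1;              AIDEBINARY="${BINARY}";                                                      logtext "  Found known binary: aide (file integrity checker) - ${BINARY}" ;;
                            apache2)                if [ -f "${BINARY}" ]; then HTTPDFOUND=1; HTTPDBINARY="${BINARY}";                                     logtext "  Found known binary: apache2 (web server) - ${BINARY}"; fi ;;
                            auditd)                 AUDITDFOUND=1;            AUDITDBINARY="${BINARY}";                                                    logtext "  Found known binary: auditd (audit framework) - ${BINARY}" ;;
                            awk)                    if [ -f "${BINARY}" ]; then AWKFOUND=1; AWKBINARY="${BINARY}";                                         logtext "  Found known binary: awk (string tool) - ${BINARY}"; fi ;;
                            # The former second 'dig' arm (with a -f check) was unreachable; first match wins
                            dig)                    DIGFOUND=1;               DIGBINARY="${BINARY}";                                                       logtext "  Found known binary: dig (nameservice tool) - ${BINARY}" ;;
                            as)                     ASFOUND=1;                ASBINARY="${BINARY}";                   COMPILER_INSTALLED=1;                logtext "  Found known binary: as (compiler) - ${BINARY}" ;;
                            auditctl)               AUDITCTLFOUND=1;          AUDITCTLBINARY="${BINARY}";                                                  logtext "  Found known binary: auditctl (control utility for audit daemon) - ${BINARY}" ;;
                            autolog)                AUTOLOGFOUND=1;           AUTOLOGBINARY="${BINARY}";              IDLE_SESSION_KILLER_INSTALLED=1;     logtext "  Found known binary: autolog (idle session killer) - ${BINARY}" ;;
                            chkconfig)              CHKCONFIGFOUND=1;         CHKCONFIGBINARY="${BINARY}";                                                 logtext "  Found known binary: chkconfig (administration tool) - ${BINARY}" ;;
                            clamscan)               CLAMSCANFOUND=1;          CLAMSCANBINARY="${BINARY}";                                                  logtext "  Found known binary: clamscan (AV scanner) - ${BINARY}" ;;
                            cfagent)                CFAGENTFOUND=1;           CFAGENTBINARY="${BINARY}";              FILE_INT_TOOL_FOUND=1;               logtext "  Found known binary: cfengine agent (configuration tool) - ${BINARY}" ;;
                            chkrootkit)             CHKROOTKITFOUND=1;        CHKROOTKITBINARY="${BINARY}";           MALWARE_SCANNER_INSTALLED=1;         logtext "  Found known binary: chkrootkit (malware scanner) - ${BINARY}" ;;
                            curl)                   CURLFOUND=1;              CURLBINARY="${BINARY}";                                                      logtext "  Found known binary: curl (browser) - ${BINARY}" ;;
                            dnsdomainname)          DNSDOMAINNAMEFOUND=1;     DNSDOMAINNAMEBINARY="${BINARY}";                                             logtext "  Found known binary: dnsdomainname (DNS domain) - ${BINARY}" ;;
                            domainname)             DOMAINNAMEFOUND=1;        DOMAINNAMEBINARY="${BINARY}";                                                logtext "  Found known binary: domainname (NIS domain) - ${BINARY}" ;;
                            egrep)                  EGREPFOUND=1;             EGREPBINARY="${BINARY}";                                                     logtext "  Found known binary: egrep (text search) - ${BINARY}" ;;
                            exim)                   EXIMFOUND=1;              EXIMBINARY="${BINARY}";                 EXIMVERSION=`${BINARY} -bV | grep 'Exim version' | awk '{ print $3 }' | xargs`; logtext "Found ${BINARY} (version ${EXIMVERSION})" ;;
                            find)                   FINDFOUND=1;              FINDBINARY="${BINARY}";                                                      logtext "  Found known binary: find (search tool) - ${BINARY}" ;;
                            g++)                    GPLUSPLUSFOUND=1;         GPLUSPLUSBINARY="${BINARY}";            COMPILER_INSTALLED=1;                logtext "  Found known binary: g++ (compiler) - ${BINARY}" ;;
                            # additional file check due to existance /usr/libexec/gcc (directory)
                            gcc)                    if [ -f "${BINARY}" ]; then GCCBINARY="${BINARY}"; COMPILER_INSTALLED=1;                               logtext "  Found known binary: gcc (compiler) - ${BINARY}"; fi ;;
                            grep)                   GREPFOUND=1;              GREPBINARY="${BINARY}";                                                      logtext "  Found known binary: grep (text search) - ${BINARY}" ;;
                            httpd2-prefork)         HTTPDFOUND=1;             HTTPDBINARY="${BINARY}";                                                     logtext "  Found known binary: apache2 (web server) - ${BINARY}" ;;
                            lvdisplay)              LVDISPLAYBINARY="${BINARY}";                                                                           logtext "  Found known binary: lvdisplay (LVM tool) - ${BINARY}" ;;
                            named-checkconf)        NAMEDCHECKCONFIGFOUND=1;  NAMEDCHECKCONFBINARY="${BINARY}";                                            logtext "  Found known binary: named-checkconf (BIND configuration analyzer) - ${BINARY}" ;;
                            grpck)                  GRPCKFOUND=1;             GRPCKBINARY="${BINARY}";                                                     logtext "  Found known binary: grpck (consistency checker) - ${BINARY}" ;;
                            httpd)                  if [ -f "${BINARY}" ]; then HTTPDFOUND=1; HTTPDBINARY="${BINARY}";                                     logtext "  Found known binary: httpd (web server) - ${BINARY}"; fi ;;
                            ip)                     IPFOUND=1;                IPBINARY="${BINARY}";                                                        logtext "  Found known binary: ip (IP configuration) - ${BINARY}" ;;
                            ipf)                    IPFFOUND=1;               IPFBINARY="${BINARY}";                                                       logtext "  Found known binary: ipf (firewall) - ${BINARY}" ;;
                            ifconfig)               IFCONFIGFOUND=1;          IFCONFIGBINARY="${BINARY}";                                                  logtext "  Found known binary: ifconfig (IP configuration) - ${BINARY}" ;;
                            iptables)               if [ -f "${BINARY}" ]; then IPTABLESFOUND=1; IPTABLESBINARY="${BINARY}";                               logtext "  Found known binary: iptables (firewall) - ${BINARY}"; fi ;;
                            kldstat)                KLDSTATFOUND=1;           KLDSTATBINARY="${BINARY}";                                                   logtext "  Found known binary: kldstat (kernel modules) - ${BINARY}" ;;
                            kstat)                  KSTATFOUND=1;             KSTATBINARY="${BINARY}";                                                     logtext "  Found known binary: kstat (kernel statistics) - ${BINARY}" ;;
                            locate)                 LOCATEFOUND=1;            LOCATEBINARY="${BINARY}";                                                    logtext "  Found known binary: locate (file database) - ${BINARY}" ;;
                            logrotate)              LOGROTATEFOUND=1;         LOGROTATEBINARY="${BINARY}";                                                 logtext "  Found known binary: logrotate (log rotation tool) - ${BINARY}" ;;
                            ls)                     LSFOUND=1;                LSBINARY="${BINARY}";                                                        logtext "  Found known binary: ls (file listing) - ${BINARY}" ;;
                            lsattr)                 LSATTRFOUND=1;            LSATTRBINARY="${BINARY}";                                                    logtext "  Found known binary: lsattr (file attributes) - ${BINARY}" ;;
                            lsmod)                  LSMODFOUND=1;             LSMODBINARY="${BINARY}";                                                     logtext "  Found known binary: lsmod (kernel modules) - ${BINARY}" ;;
                            lsof)                   LSOFFOUND=1;              LSOFBINARY="${BINARY}";                                                      logtext "  Found known binary: lsof (open files) - ${BINARY}" ;;
                            lynx)                   LYNXFOUND=1;              LYNXBINARY="${BINARY}";                 LYNXVERSION=`${BINARY} -version | grep "^Lynx Version" | cut -d ' ' -f3`; logtext "Found known binary: lynx (browser) - ${BINARY} (version ${LYNXVERSION})" ;;
                            md5)                    MD5FOUND=1;               MD5BINARY="${BINARY}";                                                       logtext "  Found ${BINARY}" ;;
                            md5sum)                 MD5FOUND=1;               MD5BINARY="${BINARY}";                                                       logtext "  Found ${BINARY}" ;;
                            mtree)                  MTREEFOUND=1;             MTREEBINARY="${BINARY}";                                                     logtext "  Found known binary: mtree (mapping directory tree) - ${BINARY}" ;;
                            mysql)                  MYSQLCLIENTFOUND=1;       MYSQLCLIENTBINARY="${BINARY}";          MYSQLCLIENTVERSION=`${BINARY} -V | awk '{ if ($4=="Distrib") { print $5 }}' | sed 's/,//g'`; logtext "Found ${BINARY} (version: ${MYSQLCLIENTVERSION})" ;;
                            netstat)                NETSTATFOUND=1;           NETSTATBINARY="${BINARY}";                                                   logtext "  Found ${BINARY}" ;;
                            nmap)                   NMAPFOUND=1;              NMAPBINARY="${BINARY}";                 NMAPVERSION=`${BINARY} -V | grep "^Nmap version" | awk '{ print $3 }'`; logtext "Found ${BINARY} (version ${NMAPVERSION})" ;;
                            ntpq)                   NTPQFOUND=1;              NTPQBINARY="${BINARY}";                                                      logtext "  Found known binary ntpq (time daemon client) - ${BINARY}" ;;
                            osiris)                 OSIRISFOUND=1;            OSIRISBINARY="${BINARY}";                                                    logtext "  Found known binary: osiris - ${BINARY}" ;;
                            openssl)                OPENSSLFOUND=1;           OPENSSLBINARY="${BINARY}";              OPENSSLVERSION=`${BINARY} version 2> /dev/null | head -n 1 | awk '{ print $2 }' | xargs`; logtext "Found ${BINARY} (version ${OPENSSLVERSION})" ;;
                            pacman)                 PACMANFOUND=1;            PACMANBINARY="${BINARY}";                                                    logtext "  Found known binary: pacman (package manager) - ${BINARY}" ;;
                            perl)                   PERLFOUND=1;              PERLBINARY="${BINARY}";                 PERLVERSION=`${BINARY} -V:version | sed 's/^version=//' | sed 's/;//' | xargs`; logtext "Found ${BINARY} (version ${PERLVERSION})" ;;
                            php)                    PHPFOUND=1;               PHPBINARY="${BINARY}";                  PHPVERSION=`${BINARY} -v | awk '{ if ($1=="PHP") { print $2 }}' | head -1`; logtext "Found known binary: php (programming language) - ${BINARY} (version ${PHPVERSION})" ;;
                            postconf)               POSTCONFFOUND=1;          POSTCONFBINARY="${BINARY}";                                                  logtext "  Found known binary: postconf (postfix configuration) - ${BINARY}" ;;
                            postfix)                POSTFIXFOUND=1;           POSTFIXBINARY="${BINARY}";                                                   logtext "  Found known binary: postfix (postfix binary) - ${BINARY}" ;;
                            prelink)                PRELINKFOUND=1;           PRELINKBINARY="${BINARY}";                                                   logtext "  Found known binary: prelink (system optimizer) - ${BINARY}" ;;
                            pfctl)                  PFCTLFOUND=1;             PFCTLBINARY="${BINARY}";                                                     logtext "  Found known binary: pfctl (client to pf firewall) - ${BINARY}" ;;
                            ps)                     PSFOUND=1;                PSBINARY="${BINARY}";                                                        logtext "  Found known binary: ps (process listing) - ${BINARY}" ;;
                            puppet)                 PUPPETFOUND=1;            PUPPETBINARY="${BINARY}";                                                    logtext "  Found known binary: puppet (automation tooling) - ${BINARY}" ;;
                            puppetmasterd)          PUPPETMASTERDFOUND=1;     PUPPETMASTERDBINARY="${BINARY}";                                             logtext "  Found known binary: puppetmasterd (puppet master daemon) - ${BINARY}" ;;
                            readlink)               READLINKFOUND=1;          READLINKBINARY="${BINARY}";                                                  logtext "  Found known binary: readlink (follows symlinks) - ${BINARY}" ;;
                            rkhunter)               RKHUNTERFOUND=1;          RKHUNTERBINARY="${BINARY}";             MALWARE_SCANNER_INSTALLED=1;         logtext "  Found known binary: rkhunter (malware scanner) - ${BINARY}" ;;
                            rpcinfo)                RPCINFOFOUND=1;           RPCINFOBINARY="${BINARY}";                                                   logtext "  Found known binary: rpcinfo (RPC information) - ${BINARY}" ;;
                            rpm)                    RPMFOUND=1;               RPMBINARY="${BINARY}";                                                       logtext "  Found known binary: rpm (package manager) - ${BINARY}" ;;
                            runlevel)               RUNLEVELFOUND=1;          RUNLEVELBINARY="${BINARY}";                                                  logtext "  Found known binary: runlevel (system utility) - ${BINARY}" ;;
                            salt-master)            SALTMASTERFOUND=1;        SALTMASTERBINARY="${BINARY}";                                                logtext "  Found known binary: salt-master (SaltStack master) - ${BINARY}" ;;
                            salt-minion)            SALTMINIONFOUND=1;        SALTMINIONBINARY="${BINARY}";                                                logtext "  Found known binary: salt-minion (SaltStack client) - ${BINARY}" ;;
                            samhain)                SAMHAINFOUND=1;           SAMHAINBINARY="${BINARY}";                                                   logtext "  Found known binary: samhain (integrity tool) - ${BINARY}" ;;
                            sestatus)               SESTATUSFOUND=1;          SESTATUSBINARY="${BINARY}";                                                  logtext "  Found known binary: sestatus (SELinux client) - ${BINARY}" ;;
                            slocate)                LOCATEFOUND=1;            LOCATEBINARY="${BINARY}";                                                    logtext "  Found known binary: slocate (file database) - ${BINARY}" ;;
                            smbd)                   SMBDFOUND=1;              SMBDBINARY="${BINARY}"; if [ "${OS}" = "MacOS" ]; then SMBDVERSION="unknown"; else SMBDVERSION=`${BINARY} -V | grep "^Version" | awk '{ print $2 }'`; fi; logtext "Found ${BINARY} (version ${SMBDVERSION})" ;;
                            showmount)              SHOWMOUNTFOUND=1;         SHOWMOUNTBINARY="${BINARY}";                                                 logtext "  Found known binary: showmount (NFS mounts) - ${BINARY}" ;;
                            sockstat)               SOCKSTATFOUND=1;          SOCKSTATBINARY="${BINARY}";                                                  logtext "  Found known binary: sockstat (open network sockets) - ${BINARY}" ;;
                            squid)                  SQUIDFOUND=1;             SQUIDBINARY="${BINARY}";                                                     logtext "  Found known binary: squid (proxy) - ${BINARY}" ;;
                            sshd)                   SSHDFOUND=1;              SSHDBINARY="${BINARY}";                 SSHDVERSION=`${BINARY} -t -d 2>&1 | head -n 1 | awk '{ print $4 }' | cut -d '_' -f2 | tr -d '\r'`; logtext "Found ${BINARY} (version ${SSHDVERSION})" ;;
                            stat)                   STATFOUND=1;              STATBINARY="${BINARY}";                                                      logtext "  Found known binary: stat (file information) - ${BINARY}" ;;
                            strings)                STRINGSFOUND=1;           STRINGSBINARY="${BINARY}";                                                   logtext "  Found known binary: strings (text strings search) - ${BINARY}" ;;
                            sha1|sha1sum|shasum)    SHA1SUMFOUND=1;           SHA1SUMBINARY="${BINARY}";                                                   logtext "  Found known binary: sha1/sha1sum/shasum (crypto hashing) - ${BINARY}" ;;
                            ssh-keyscan)            SSHKEYSCANFOUND=1;        SSHKEYSCANBINARY="${BINARY}";                                                logtext "  Found known binary: ssh-keyscan (scanner for SSH keys) - ${BINARY}" ;;
                            sysctl)                 SYSCTLFOUND=1;            SYSCTLBINARY="${BINARY}";                                                    logtext "  Found known binary: sysctl (kernel parameters) - ${BINARY}" ;;
                            syslog-ng)              SYSLOGNGFOUND=1;          SYSLOGNGBINARY="${BINARY}";             SYSLOGNGVERSION=`${BINARY} -V 2>&1 | grep "^syslog-ng" | awk '{ print $2 }'`; logtext "Found ${BINARY} (version ${SYSLOGNGVERSION})" ;;
                            systemctl)              SYSTEMCTLFOUND=1;         SYSTEMCTLBINARY="${BINARY}";                                                 logtext "  Found known binary: systemctl (client to systemd) - ${BINARY}" ;;
                            # Variable name deliberately kept as TIMEDATECTL (not *BINARY): other includes may read it
                            timedatectl)            TIMEDATECTLFOUND=1;       TIMEDATECTL="${BINARY}";                                                     logtext "  Found known binary: timedatectl (timedate client) - ${BINARY}" ;;
                            tripwire)               TRIPWIREFOUND=1;          TRIPWIREBINARY="${BINARY}";                                                  logtext "  Found known binary: tripwire (file integrity) - ${BINARY}" ;;
                            tune2fs)                TUNE2FSFOUND=1;           TUNE2FSBINARY="${BINARY}";                                                   logtext "  Found known binary: tune2fs (file system tool) - ${BINARY}" ;;
                            vgdisplay)              VGDISPLAYFOUND=1;         VGDISPLAYBINARY="${BINARY}";                                                 logtext "  Found known binary: vgdisplay (LVM tool) - ${BINARY}" ;;
                            vmtoolsd)               VMWARETOOLSFOUND=1;       VMWARETOOLSDBINARY="${BINARY}";                                              logtext "  Found known binary: vmtoolsd (VMWare tools) - ${BINARY}" ;;
                            wget)                   WGETFOUND=1;              WGETBINARY="${BINARY}";                 WGETVERSION=`${BINARY} -V | grep "^GNU Wget" | awk '{ print $3 }'`; logtext "Found ${BINARY} (version ${WGETVERSION})" ;;
                            yum)                    YUMFOUND=1;               YUMBINARY="${BINARY}";                                                       logtext "  Found known binary: yum (package manager) - ${BINARY}" ;;
                            zypper)                 ZYPPERFOUND=1;            ZYPPERBINARY="${BINARY}";                                                    logtext "  Found known binary: zypper (package manager) - ${BINARY}" ;;
                        esac
                    done
                  else
                    logtext "Result: Directory ${SCANDIR} skipped"
                    Display --indent 4 --text "- ${SCANDIR} (symlinked from ${ORGPATH})" --result SKIPPED --color YELLOW
                fi
              else
                Display --indent 4 --text "- ${SCANDIR}" --result "NOT FOUND" --color WHITE
                logtext "Result: Directory ${SCANDIR} does NOT exist"
            fi
            logtextbreak
        done
        # Drop the leading separator left behind by the ", path" appends
        SCANNEDPATHS="${SCANNEDPATHS#, }"
        logtext "Discovered directories: ${SCANNEDPATHS}"
    #fi

    logtext "Result: found ${N} binaries"
    report "binaries_count=${N}"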
#
#################################################################################
#

wait_for_keypress

#
#================================================================================
# Lynis - Copyright 2007-2014, Michael Boelen - www.rootkit.nl - The Netherlands