1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
|
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Cryptography
#
#################################################################################
#
RNG_FOUND=0
#
#################################################################################
#
InsertSection "${SECTION_CRYPTOGRAPHY}"
#
#################################################################################
#
# Test : CRYP-7902
# Description : check for expired SSL certificates
if [ -n "${OPENSSLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no CRYP-7902 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check expire date of SSL certificates"
if [ ${SKIPTEST} -eq 0 ]; then
COUNT_EXPIRED=0
COUNT_TOTAL=0
FOUNDPROBLEM=0
SKIP=0
sSSL_PATHS=$(echo ${SSL_CERTIFICATE_PATHS} | ${SEDBINARY} 's/:space:/__space__/g' | ${SEDBINARY} 's/:/ /g')
sSSL_PATHS=$(echo ${sSSL_PATHS} | ${SEDBINARY} 's/^ //' | ${SORTBINARY} -u)
LogText "Paths to scan: ${sSSL_PATHS}"
IGNORE_PATHS_PRINT=$(echo ${SSL_CERTIFICATE_PATHS_TO_IGNORE} | ${SEDBINARY} 's/:/, /g' | ${SEDBINARY} 's/__space__/ /g' | ${SEDBINARY} 's/^ //' | ${SORTBINARY} -u)
LogText "Paths to ignore: ${IGNORE_PATHS_PRINT}"
for DIR in ${sSSL_PATHS}; do
COUNT_DIR=0
if [ -d ${DIR} ]; then
FileIsReadable ${DIR}
if [ ${CANREAD} -eq 1 ]; then
LASTSUBDIR=""
LogText "Result: found directory ${DIR}"
# Search for certificate files
FILES=$(${FINDBINARY} ${DIR} -type f 2> /dev/null | ${EGREPBINARY} ".cer$|.crt$|.der$|.pem$|^cert" | ${SORTBINARY} | ${SEDBINARY} 's/ /__space__/g')
for FILE in ${FILES}; do
FILE=$(echo ${FILE} | ${SEDBINARY} 's/__space__/ /g')
# See if we need to skip this path
SUBDIR=$(echo ${FILE} | ${AWKBINARY} -F/ 'sub(FS $NF,x)' | ${SEDBINARY} 's/__space__/ /g')
# If we discover a new directory, do evaluation
#Debug "File : ${FILE}"
#Debug "Lastdir: ${LASTSUBDIR}"
#Debug "Curdir : ${SUBDIR}"
if [ ! "${SUBDIR}" = "${LASTSUBDIR}" ]; then
SKIP=0
# Now check if this path is on the to-be-ignored list
for D in ${SSL_CERTIFICATE_PATHS_TO_IGNORE}; do
if ContainsString "${D}" "${SUBDIR}"; then
SKIP=1
LogText "Result: skipping directory (${SUBDIR}) as it is on ignore list"
fi
done
fi
if [ ${SKIP} -eq 0 ]; then
#Debug "Testing ${FILE} in path: $SUBDIR"
COUNT_DIR=$((COUNT_DIR + 1))
FileIsReadable "${FILE}"
if [ ${CANREAD} -eq 1 ]; then
# Only check the files that are not installed by a package, unless enabled by profile
if [ ${SSL_CERTIFICATE_INCLUDE_PACKAGES} -eq 1 ] || ! FileInstalledByPackage "${FILE}"; then
echo ${FILE} | ${EGREPBINARY} -q ".cer$|.der$"
CER_DER=$?
OUTPUT=$(${GREPBINARY} -q 'BEGIN CERT' "${FILE}")
if [ $? -eq 0 -o ${CER_DER} -eq 0 ]; then
LogText "Result: file is a certificate file"
if [ ${CER_DER} -eq 0 ]; then
SSL_DER_OPT="-inform der"
else
SSL_DER_OPT=
fi
FIND=$(${OPENSSLBINARY} x509 -noout ${SSL_DER_OPT} -in "${FILE}" -enddate 2> /dev/null | ${GREPBINARY} "^notAfter")
if [ $? -eq 0 ]; then
# Check certificate where 'end date' has been expired
FIND=$(${OPENSSLBINARY} x509 -noout ${SSL_DER_OPT} -checkend 0 -in "${FILE}" -enddate 2> /dev/null)
EXIT_CODE=$?
CERT_CN=$(${OPENSSLBINARY} x509 -noout ${SSL_DER_OPT} -subject -in "${FILE}" 2> /dev/null | ${SEDBINARY} -e 's/^subject.*CN=\([a-zA-Z0-9\.\-\*]*\).*$/\1/')
CERT_NOTAFTER=$(${OPENSSLBINARY} x509 -noout ${SSL_DER_OPT} -enddate -in "${FILE}" 2> /dev/null | ${AWKBINARY} -F= '{if ($1=="notAfter") { print $2 }}')
Report "certificate[]=${FILE}|${EXIT_CODE}|cn:${CERT_CN};notafter:${CERT_NOTAFTER};|"
if [ ${EXIT_CODE} -eq 0 ]; then
LogText "Result: certificate ${FILE} seems to be correct and still valid"
else
FOUNDPROBLEM=1
COUNT_EXPIRED=$((COUNT_EXPIRED + 1))
LogText "Result: certificate ${FILE} has been expired"
fi
else
LogText "Result: skipping tests for this file (${FILE}) as it is most likely not a certificate (is it a key file?)"
fi
else
LogText "Result: skipping test for this file (${FILE}) as we could not find 'BEGIN CERT'"
fi
fi
else
LogText "Result: can not read file ${FILE} (no permission)"
fi
fi
LASTSUBDIR="${SUBDIR}"
done
COUNT_TOTAL=$((COUNT_TOTAL + COUNT_DIR))
LogText "Result: found ${COUNT_DIR} certificates in ${DIR}"
else
LogText "Result: can not read path ${DIR} (no permission)"
fi
else
LogText "Result: SSL path ${DIR} does not exist"
fi
done
Report "certificates=${COUNT_TOTAL}"
LogText "Result: found a total of ${COUNT_TOTAL} certificates"
if [ ${FOUNDPROBLEM} -eq 0 ]; then
Display --indent 2 --text "- Checking for expired SSL certificates [${COUNT_EXPIRED}/${COUNT_TOTAL}]" --result "${STATUS_NONE}" --color GREEN
else
Display --indent 2 --text "- Checking for expired SSL certificates [${COUNT_EXPIRED}/${COUNT_TOTAL}]" --result "${STATUS_FOUND}" --color RED
ReportSuggestion "${TEST_NO}" "Check available certificates for expiration"
fi
fi
#
#################################################################################
#
# Test : CRYP-7930
# Description : Determine if system uses LUKS block device encryption
Register --test-no CRYP-7930 --os Linux --weight L --network NO --root-only YES --category security --description "Determine if system uses LUKS block device encryption"
if [ ${SKIPTEST} -eq 0 ]; then
CRYPTTABFILE="${ROOTDIR}etc/crypttab"
FOUND=0
# cryptsetup only works as root
if [ -n "${LSBLKBINARY}" ] && [ -n "${CRYPTSETUPBINARY}" ] && [ ${FORENSICS_MODE} -eq 0 ]; then
for BLOCK_DEV in $(${LSBLKBINARY} --noheadings --list -o NAME 2> /dev/null | cut -d' ' -f1); do
if ${CRYPTSETUPBINARY} isLuks $(${FINDBINARY} /dev/ -name "${BLOCK_DEV}" 2> /dev/null) 2> /dev/null; then
LogText "Result: Found LUKS encrypted block device: ${BLOCK_DEV}"
Report "encryption[]=luks,block_device,${BLOCK_DEV}"
FOUND=$((FOUND +1))
else
LogText "Result: block device ${BLOCK_DEV} is not LUKS encrypted"
fi
done
unset BLOCK_DEV
# This will enable us to do a test for forensics or when crypsetup/lsblk are not available
elif [ -f ${CRYPTTABFILE} ]; then
LogText "Result: crypttab (${CRYPTTABFILE}) exists"
DATA=$(${GREPBINARY} "^[a-z]" ${CRYPTTABFILE} | ${TRBINARY} -cd '[:alnum:]_\-=,\n\t ' | ${SEDBINARY} 's/[[:blank:]]/__space__/g')
for LINE in ${DATA}; do
LINE=$(echo ${LINE} | ${SEDBINARY} 's/__space__/ /g')
if ContainsString "luks," "${LINE}"; then
PARTITION=$(echo ${LINE} | ${AWKBINARY} '{print $1}' | ${AWKBINARY} -F_ '{print $1}')
LogText "Result: Found LUKS encryption on partition ${PARTITION}"
Report "encryption[]=luks,partition,${PARTITION}"
FOUND=$((FOUND +1))
fi
done
unset DATA LINE PARTITION
fi
if [ ${FOUND} -gt 0 ]; then
Display --indent 2 --text "- Found ${FOUND} LUKS encrypted block devices." --result OK --color WHITE
fi
unset FOUND
fi
#
#################################################################################
#
# Test : CRYP-7931
# Description : Determine if system uses encrypted swap
if [ -e "${SWAPONBINARY}" -a -e "${CRYPTSETUPBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no CRYP-7931 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Determine if system uses encrypted swap"
if [ ${SKIPTEST} -eq 0 ]; then
ENCRYPTED_SWAPS=0
UNENCRYPTED_SWAPS=0
# Redirect errors, as RHEL 5/6 and others don't have the --show option
SWAPS=$(${SWAPONBINARY} --show=NAME --noheadings 2> /dev/null)
if [ $? -eq 0 ]; then
for BLOCK_DEV in ${SWAPS}; do
if ${CRYPTSETUPBINARY} isLuks "${BLOCK_DEV}" 2> /dev/null; then
LogText "Result: Found LUKS encrypted swap device: ${BLOCK_DEV}"
ENCRYPTED_SWAPS=$((ENCRYPTED_SWAPS + 1))
Report "encrypted_swap[]=${BLOCK_DEV},LUKS"
elif ${CRYPTSETUPBINARY} status "${BLOCK_DEV}" 2> /dev/null | ${GREPBINARY} -q "cipher:"; then
LogText "Result: Found non-LUKS encrypted swap device: ${BLOCK_DEV}"
ENCRYPTED_SWAPS=$((ENCRYPTED_SWAPS + 1))
Report "encrypted_swap[]=${BLOCK_DEV},other"
else
LogText "Result: Found unencrypted swap device: ${BLOCK_DEV}"
UNENCRYPTED_SWAPS=$((UNENCRYPTED_SWAPS +1))
Report "non_encrypted_swap[]=${BLOCK_DEV}"
fi
done
Display --indent 2 --text "- Found ${ENCRYPTED_SWAPS} encrypted and ${UNENCRYPTED_SWAPS} unencrypted swap devices in use." --result OK --color WHITE
else
LogText "Result: skipping testing as swapon returned an error."
fi
fi
#
#################################################################################
#
# Test : CRYP-8002
# Description : Gather available kernel entropy
Register --test-no CRYP-8002 --os Linux --weight L --network NO --root-only NO --category security --description "Gather available kernel entropy"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f ${ROOTDIR}proc/sys/kernel/random/entropy_avail ]; then
DATA=$(${AWKBINARY} '$1 ~ /^[0-9]+$/ {print $1}' ${ROOTDIR}proc/sys/kernel/random/entropy_avail)
if [ -n "${DATA}" ]; then
LogText "Result: found kernel entropy value of ${DATA}"
Report "kernel_entropy=${DATA}"
if [ ${DATA} -gt 200 ]; then
Display --indent 2 --text "- Kernel entropy is sufficient" --result "${STATUS_YES}" --color GREEN
else
Display --indent 2 --text "- Kernel entropy is sufficient" --result "${STATUS_NO}" --color YELLOW
# TODO - enable suggestion when information on website is available
fi
fi
fi
fi
#
#################################################################################
#
# Test : CRYP-8004
# Description : Test for presence of hardware random number generators
Register --test-no CRYP-8004 --os Linux --weight L --network NO --root-only NO --category security --description "Presence of hardware random number generators"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: looking for ${ROOTDIR}sys/class/misc/hw_random/rng_current"
if [ -f "${ROOTDIR}sys/class/misc/hw_random/rng_current" ]; then
DATA=$(${HEADBINARY} -n 1 ${ROOTDIR}sys/class/misc/hw_random/rng_current | ${TRBINARY} -d '[[:cntrl:]]')
if [ "${DATA}" != "none" ]; then
LogText "Result: positive match, found RNG: ${DATA}"
if IsRunning "rngd"; then
Display --indent 2 --text "- HW RNG & rngd" --result "${STATUS_YES}" --color GREEN
LogText "Result: rngd is running"
RNG_FOUND=1
else
Display --indent 2 --text "- HW RNG & rngd" --result "${STATUS_NO}" --color YELLOW
# TODO - enable suggestion when website has listing for this control
# ReportSuggestion "${TEST_NO}" "Utilize hardware random number generation by running rngd"
fi
else
Display --indent 2 --text "- HW RNG & rngd" --result "${STATUS_NO}" --color YELLOW
LogText "Result: no HW RNG available"
fi
else
Display --indent 2 --text "- HW RNG & rngd" --result "${STATUS_NO}" --color RED
LogText "Result: could not find ${ROOTDIR}sys/class/misc/hw_random/rng_current"
fi
fi
#
#################################################################################
#
# Test : CRYP-8005
# Description : Test for presence of software pseudo random number generators
Register --test-no CRYP-8005 --os Linux --weight L --network NO --root-only NO --category security --description "Presence of software pseudo random number generators"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: looking for software pseudo random number generators"
FOUND=""
for SERVICE in audio-entropyd haveged jitterentropy-rngd; do
# Using --full as jitterentropy-rngd would otherwise not match
if IsRunning --full "${SERVICE}"; then
FOUND="${FOUND} ${SERVICE}"
fi
done
if [ -z "${FOUND}" ]; then
Display --indent 2 --text "- SW prng" --result "${STATUS_NO}" --color YELLOW
# ReportSuggestion "${TEST_NO}" "Utilize software pseudo random number generators"
else
RNG_FOUND=1
Display --indent 2 --text "- SW prng" --result "${STATUS_YES}" --color GREEN
LogText "Result: found ${FOUND} running"
fi
fi
#
#################################################################################
#
# Test : CRYP-8006
# Description : Check that the MemoryOverwriteRequest-bit is set to protect against cold-boot attacks
Register --test-no CRYP-8006 --os Linux --weight L --network NO --root-only NO --category security --description "MemoryOverwriteRequest-bit set"
if [ ${SKIPTEST} -eq 0 ]; then
MOR_CONTROL="${ROOTDIR}sys/firmware/efi/efivars/MemoryOverwriteRequestControl-e20939be-32d4-41be-a150-897f85d49829"
LogText "Test: looking for ${MOR_CONTROL}"
if [ -f "${MOR_CONTROL}" ]; then
DATA=$(od -An --skip-bytes=4 "$MOR_CONTROL")
if [ "$DATA" = " 000001" ]; then
LogText "Result: MOR-bit set"
Display --indent 2 --text "MOR-bit set" --result "${STATUS_YES}" --color GREEN
elif [ "$DATA" = " 000000" ]; then
LogText "Result: MOR-bit not set!"
Display --indent 2 --text "MOR-bit set" --result "${STATUS_NO}" --color RED
else
LogText "Result: MOR-bit unknown. Found: $DATA"
Display --indent 2 --text "MOR-bit set" --result "${STATUS_UNKNOWN}" --color YELLOW
fi
else
LogText "Result: could not find ${MOR_CONTROL}"
Display --indent 2 --text "- MOR variable not found" --result "${STATUS_WEAK}" --color WHITE
fi
fi
#
#################################################################################
#
Report "rng_found=${RNG_FOUND}"
#
#################################################################################
#
WaitForKeyPress
#
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
|