1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
|
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2020, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Memory and processes
#
#################################################################################
#
InsertSection "${SECTION_MEMORY_AND_PROCESSES}"
#
#################################################################################
#
# Test : PROC-3602
# Description : Query /proc/meminfo
Register --test-no PROC-3602 --os Linux --weight L --network NO --category security --description "Checking /proc/meminfo for memory details"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f ${ROOTDIR}proc/meminfo ]; then
LogText "Result: found ${ROOTDIR}proc/meminfo"
Display --indent 2 --text "- Checking ${ROOTDIR}proc/meminfo" --result "${STATUS_FOUND}" --color GREEN
FIND=$(${AWKBINARY} '/^MemTotal/ { print $2, $3 }' ${ROOTDIR}proc/meminfo)
MEMORY_SIZE=$(echo ${FIND} | ${AWKBINARY} '{ print $1 }')
MEMORY_UNITS=$(echo ${FIND} | ${AWKBINARY} '{ print $2 }')
LogText "Result: Found ${MEMORY_SIZE} ${MEMORY_UNITS} memory"
Report "memory_size=${MEMORY_SIZE}"
Report "memory_units=${MEMORY_UNITS}"
else
LogText "Result: ${ROOTDIR}proc/meminfo file not found on this system"
fi
fi
#
#################################################################################
#
# Test : PROC-3604
# Description : Query /proc/meminfo
# Notes : TODO - prtconf replacement
Register --test-no PROC-3604 --os Solaris --weight L --network NO --category security --description "Query prtconf for memory details"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching /usr/sbin/prtconf"
if [ -x /usr/sbin/prtconf ]; then
Display --indent 2 --text "- Querying prtconf for installed memory" --result "${STATUS_DONE}" --color GREEN
MEMORY_SIZE=$(/usr/sbin/prtconf | ${GREPBINARY} "^Memory size:" | ${CUTBINARY} -d ' ' -f3)
MEMORY_UNITS=$(/usr/sbin/prtconf | ${GREPBINARY} "^Memory size:" | ${CUTBINARY} -d ' ' -f4)
LogText "Result: Found ${MEMORY_SIZE} ${MEMORY_UNITS} memory"
Report "memory_size=${MEMORY_SIZE}"
Report "memory_units=${MEMORY_UNITS}"
else
Display --indent 2 --text "- Querying prtconf for installed memory" --result "${STATUS_SKIPPED}" --color WHITE
LogText "Result: /usr/sbin/prtconf not found"
fi
fi
#
#################################################################################
#
# Test : PROC-3612
# Description : Searching for dead and zombie processes
# Notes : Don't perform test on Solaris
if [ ! "${OS}" = "Solaris" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PROC-3612 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check dead or zombie processes"
if [ ${SKIPTEST} -eq 0 ]; then
if [ "${OS}" = "AIX" ]; then
FIND=$(${PSBINARY} -Ae -o pid,stat,comm | ${AWKBINARY} '{ if ($2 ~ /Z|X/) print $1 }' | ${XARGSBINARY})
else
FIND=$(${PSBINARY} x -o pid,stat,comm | ${AWKBINARY} '{ if ($2 ~ /Z|X/) print $1 }' | ${XARGSBINARY})
fi
if [ -z "${FIND}" ]; then
LogText "Result: no zombie processes found"
Display --indent 2 --text "- Searching for dead/zombie processes" --result "${STATUS_NOT_FOUND}" --color GREEN
else
LogText "Result: found one or more dead or zombie processes"
LogText "Output: PIDs ${FIND}"
Display --indent 2 --text "- Searching for dead/zombie processes" --result "${STATUS_FOUND}" --color RED
ReportSuggestion "${TEST_NO}" "Check the output of ps for dead or zombie processes"
fi
fi
#
#################################################################################
#
# Test : PROC-3614
# Description : Searching for heavy IO based waiting processes
# Notes : Don't perform test on Solaris
if [ ! "${OS}" = "Solaris" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PROC-3614 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check heavy IO waiting based processes"
if [ ${SKIPTEST} -eq 0 ]; then
if [ "${OS}" = "AIX" ]; then
FIND=$(${PSBINARY} -Ae -o pid,stat,comm | ${AWKBINARY} '{ if ($2=="D") print $1 }' | ${XARGSBINARY})
else
FIND=$(${PSBINARY} x -o pid,stat,comm | ${AWKBINARY} '{ if ($2=="D") print $1 }' | ${XARGSBINARY})
fi
if [ -z "${FIND}" ]; then
LogText "Result: No processes were waiting for IO requests to be handled first"
Display --indent 2 --text "- Searching for IO waiting processes" --result "${STATUS_NOT_FOUND}" --color GREEN
else
LogText "Result: found one or more processes which were waiting to get IO requests handled first"
LogText "More info: processes which show up with the status flag 'D' are often stuck, until a disk IO event finished. This can happen for example with network storage, where the connection or protocol settings are not logtext well configured."
LogText "Output: PIDs ${FIND}"
Display --indent 2 --text "- Searching for IO waiting processes" --result "${STATUS_FOUND}" --color RED
ReportSuggestion "${TEST_NO}" "Check process listing for processes waiting for IO requests"
fi
fi
#
#################################################################################
#
# Test : PROC-3802
# Description : Check presence of prelink tooling
Register --test-no PROC-3802 --package-manager-required --os Linux --weight L --network NO --category security --description "Check presence of prelink tooling"
if [ ${SKIPTEST} -eq 0 ]; then
if PackageIsInstalled "prelink"; then
LogText "Result: prelink packages is installed"
# TODO
# - Add item to website with rationale
#ReportSuggestion "${TEST_NO}" "Disable and remove prelinking of binaries"
AddHP 1 3
Display --indent 2 --text "- Search prelink tooling" --result "${STATUS_FOUND}" --color YELLOW
else
Display --indent 2 --text "- Search prelink tooling" --result "${STATUS_NOT_FOUND}" --color GREEN
LogText "Result: prelink package is NOT installed"
AddHP 3 3
fi
fi
#
#################################################################################
#
WaitForKeyPress
#
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
|