#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2017, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Section heading for the storage tests below (helper defined elsewhere in Lynis).
InsertSection 'Storage'
#
#################################################################################
#
# Section-level state. Initialised here; none of the tests visible in this
# section reads or writes these, so they are presumably used by tests further
# down the file or by the report stage -- verify before removing.
AUTOMOUNTER_DAEMON_TOOL=""
AUTOMOUNTER_DAEMON_RUNNING=0
NFS_DAEMON_RUNNING=0
#
#################################################################################
#
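# Test : STRG-1840
# Description : Check for disabled USB storage
# Explanation : Looks for "install usb-storage /bin/false|true" or "blacklist usb-storage"
#               in /etc/modprobe.d/* and /etc/modprobe.conf. Only the install form stops
#               the module from being loaded explicitly; a blacklist entry only stops
#               automatic loading via alias.
Register --test-no STRG-1840 --os Linux --weight L --network NO --category security --description "Check if USB storage is disabled"
if [ ${SKIPTEST} -eq 0 ]; then
    FOUND=0
    LogText "Test: Checking USB storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf"
    # Both patterns are anchored at the start of the line (optional leading blanks), so a
    # commented-out directive never matches and a trailing "# comment" no longer hides a
    # real one (the previous 'grep -v "#"' stage dropped any line containing '#').
    USB_INSTALL_PATTERN="^[[:space:]]*install[[:space:]]+usb[-_]storage[[:space:]]+/bin/(false|true)"
    USB_BLACKLIST_PATTERN="^[[:space:]]*blacklist[[:space:]]+usb[-_]storage"
    if [ -d /etc/modprobe.d ]; then
        FIND=$(ls /etc/modprobe.d/* 2> /dev/null)
        if [ ! "${FIND}" = "" ]; then
            FIND=$(${EGREPBINARY} -r "${USB_INSTALL_PATTERN}" /etc/modprobe.d/*)
            FIND2=$(${EGREPBINARY} -r "${USB_BLACKLIST_PATTERN}" /etc/modprobe.d/*)
            if [ ! "${FIND}" = "" ] || [ ! "${FIND2}" = "" ]; then
                FOUND=1
                LogText "Result: found usb-storage driver in disabled state (blacklisted)"
            fi
        else
            LogText "Result: uncommon situation. Found /etc/modprobe.d directory, but no files in it."
        fi
    fi
    if [ -f /etc/modprobe.conf ]; then
        # Same two forms as for /etc/modprobe.d. The old extra 'grep "usb-storage"' stage
        # silently rejected the usb_storage spelling that the pattern itself accepts, and the
        # blacklist form was not checked in this file at all.
        FIND=$(${EGREPBINARY} "${USB_INSTALL_PATTERN}" /etc/modprobe.conf)
        FIND2=$(${EGREPBINARY} "${USB_BLACKLIST_PATTERN}" /etc/modprobe.conf)
        if [ ! "${FIND}" = "" ] || [ ! "${FIND2}" = "" ]; then
            FOUND=1
            LogText "Result: found usb-storage driver in disabled state"
        fi
    fi
    if [ ${FOUND} -eq 0 ]; then
        LogText "Result: usb-storage driver is not explicitly disabled"
        Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "NOT DISABLED" --color WHITE
        ReportSuggestion ${TEST_NO} "Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft"
        AddHP 2 3
    else
        LogText "Result: usb-storage driver is disabled"
        Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "${STATUS_DISABLED}" --color GREEN
        AddHP 3 3
    fi
fi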
#
#################################################################################
#
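# Test : STRG-1842
# Description : Check USB authorizations
# Explanation : Reads the per-bus sysfs attributes authorized_default and authorized.
#               A value of 1 means devices on that bus are accepted without explicit
#               authorization; the default state is reported in preference to the
#               current one.
Register --test-no STRG-1842 --os Linux --weight L --network NO --category security --description "Check USB authorizations"
if [ ${SKIPTEST} -eq 0 ]; then
    LogText "Test: Checking USB devices authorization to connect to the system"
    FOUND=0
    USBDEVICESPATH="/sys/bus/usb/devices/usb"
    # With no USB bus present the glob stays literal; the -e tests below then simply fail.
    for device in "${USBDEVICESPATH}"*; do
        USB_AUTH_DEFAULT=""
        USB_AUTH_CURRENT=""
        # Read each attribute only if it exists. The old code tested "authorized OR
        # authorized_default" and then cat'ed both, so a bus with only one of the two
        # files produced an empty operand and a '[ -eq ]' syntax error instead of a result.
        if [ -e "${device}/authorized_default" ]; then
            USB_AUTH_DEFAULT=$(cat "${device}/authorized_default" 2> /dev/null)
        fi
        if [ -e "${device}/authorized" ]; then
            USB_AUTH_CURRENT=$(cat "${device}/authorized" 2> /dev/null)
        fi
        # String comparison: an empty or unreadable value is never treated as "authorized".
        if [ "${USB_AUTH_DEFAULT}" = "1" ]; then
            FOUND=1
            LogText "Test: ${device} is authorized by default"
            Report "usb_authorized_default_device[]=${device}"
        elif [ "${USB_AUTH_CURRENT}" = "1" ]; then
            FOUND=1
            LogText "Test: ${device} is authorized currently"
            Report "usb_authorized_device[]=${device}"
        fi
    done
    if [ ${FOUND} -eq 1 ]; then
        LogText "Result: Some USB devices are authorized by default (or temporary) to connect to the system"
        Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_ENABLED}" --color YELLOW
        # To-Be-Added: create documentation and enable the suggestion
        #ReportSuggestion ${TEST_NO} "Disable USB devices authorization, to prevent unauthorized storage or data theft"
        AddHP 0 3
    else
        LogText "Result: None USB devices are authorized by default (or temporary) to connect to the system"
        Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_DISABLED}" --color GREEN
        AddHP 3 3
    fi
fi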
#
#################################################################################
#
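# Test : STRG-1846
# Description : Check for disabled firewire storage
# Explanation : Best option is to use the install function, or else drivers can still be loaded manually
Register --test-no STRG-1846 --os Linux --weight L --network NO --category security --description "Check if firewire storage is disabled"
if [ ${SKIPTEST} -eq 0 ]; then
    FOUND=0
    LogText "Test: Checking firewire storage driver in directory /etc/modprobe.d and configuration file /etc/modprobe.conf"
    # Patterns are anchored at the start of the line (optional leading blanks), so a
    # commented-out directive never matches and a trailing "# comment" no longer hides a
    # real one (the previous 'grep -v "#"' stage dropped any line containing '#').
    FIREWIRE_MODULES="(ohci1394|firewire[-_]ohci|firewire-core)"
    FIREWIRE_BLACKLIST_PATTERN="^[[:space:]]*blacklist[[:space:]]+${FIREWIRE_MODULES}"
    FIREWIRE_INSTALL_PATTERN="^[[:space:]]*install[[:space:]]+${FIREWIRE_MODULES}[[:space:]]+/bin/(false|true)"
    if [ -d /etc/modprobe.d ]; then
        FIND=$(ls /etc/modprobe.d/* 2> /dev/null)
        if [ ! "${FIND}" = "" ]; then
            FIND1=$(${EGREPBINARY} "${FIREWIRE_BLACKLIST_PATTERN}" /etc/modprobe.d/*)
            FIND2=$(${EGREPBINARY} "${FIREWIRE_INSTALL_PATTERN}" /etc/modprobe.d/*)
            if [ ! "${FIND1}" = "" ] || [ ! "${FIND2}" = "" ]; then
                FOUND=1
                LogText "Result: found firewire ohci driver in disabled state"
            fi
        else
            LogText "Result: skipping /etc/modprobe.d, directory found but no files in it"
        fi
    fi
    if [ -f /etc/modprobe.conf ]; then
        # Single regular file: the recursive flag used before was a no-op here.
        FIND1=$(${EGREPBINARY} "${FIREWIRE_BLACKLIST_PATTERN}" /etc/modprobe.conf)
        FIND2=$(${EGREPBINARY} "${FIREWIRE_INSTALL_PATTERN}" /etc/modprobe.conf)
        if [ ! "${FIND1}" = "" ] || [ ! "${FIND2}" = "" ]; then
            FOUND=1
            LogText "Result: found firewire ohci driver in disabled state"
        fi
    fi
    if [ ${FOUND} -eq 0 ]; then
        LogText "Result: firewire ohci driver is not explicitly disabled"
        Display --indent 2 --text "- Checking firewire ohci driver (modprobe config)" --result "NOT DISABLED" --color WHITE
        ReportSuggestion ${TEST_NO} "Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft"
        # after blacklisting modules, make sure to remove them from the initram filesystem: update-initramfs -u
        AddHP 2 3
    else
        LogText "Result: firewire ohci driver is disabled"
        Display --indent 2 --text "- Checking firewire ohci driver (modprobe config)" --result "${STATUS_DISABLED}" --color GREEN
        AddHP 3 3
    fi
fi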
#
#################################################################################
#
# End of the storage section; presumably pauses for a key press in interactive
# runs -- see the helper's definition elsewhere in Lynis.
WaitForKeyPress
#
#================================================================================
# Lynis - Copyright 2007-2017, CISOfy, Michael Boelen - https://cisofy.com