blob: 348e0306e20ea8a29c4c564641c16dd25d2cf353 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
|
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2017, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
AUTOMATION_TOOL_FOUND=0
AUTOMATION_TOOL_RUNNING=""
CFENGINE_AGENT_FOUND=0
CFENGINE_SERVER_RUNNING=0
BACKUP_AGENT_FOUND=0
PUPPET_MASTER_RUNNING=0
SALT_MASTER_RUNNING=0
SALT_MINION_RUNNING=0
IPS_TOOL_FOUND=0
FAIL2BAN_FOUND=0
FAIL2BAN_EMAIL=0
FAIL2BAN_SILENT=0
PERFORM_FAIL2BAN_TESTS=0
#
#################################################################################
#
InsertSection "Software: System tooling"
#
#################################################################################
#
# Automation
#
#################################################################################
#
# Test : TOOL-5002
# Description : Check if automation tools are found
Register --test-no TOOL-5002 --weight L --network NO --category security --description "Checking for automation tools"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Checking automation tooling"
# Cfengine
if [ ! "${CFAGENTBINARY}" = "" ]; then
LogText "Result: CFEngine (cfagent) is installed (${CFAGENTBINARY})"
AUTOMATION_TOOL_FOUND=1
CFENGINE_AGENT_FOUND=1
Report "automation_tool_running[]=cf-agent"
Display --indent 4 --text "Found: Cfengine (cfagent)" --result "${STATUS_FOUND}" --color GREEN
fi
OTHER_CFENGINE_LOCATIONS="/var/cfengine/bin /var/rudder/cfengine-community/bin"
for I in ${OTHER_CFENGINE_LOCATIONS}; do
if [ -d ${I} ]; then
if [ -f ${I}/cf-agent ]; then
LogText "Result: found CFEngine agent (cf-agent) in ${I}"
AUTOMATION_TOOL_FOUND=1
CFENGINE_AGENT_FOUND=1
Report "automation_tool_running[]=cf-agent"
Display --indent 4 --text "Found: CFEngine (cf-agent)" --result "${STATUS_FOUND}" --color GREEN
fi
IsRunning "cf-server"
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: found CFEngine server"
AUTOMATION_TOOL_FOUND=1
CFENGINE_SERVER_RUNNING=1
Report "automation_tool_running[]=cf-server"
Display --indent 4 --text "Found: CFEngine (cf-server)" --result "${STATUS_FOUND}" --color GREEN
fi
fi
done
# Chef
CHEF_LOCATIONS="/opt/chef/bin /opt/chef-server/sv /opt/chefdk/bin"
for I in ${CHEF_LOCATIONS}; do
if [ -d ${I} ]; then
if [ -f ${I}/chef-client ]; then
CHEFCLIENTBINARY="${I}/chef-client"
AUTOMATION_TOOL_FOUND=1
Report "automation_tool_running[]=chef-client"
Display --indent 4 --text "Found: Chef client (chef-client)" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: found chef-client (chef client daemon) in ${I}"
fi
if [ -f ${I}/erchef ]; then
CHEFSERVERBINARY="${I}/erchef"
LogText "Result: Chef Server (erchef) is installed (${CHEFSERVERBINARY})"
AUTOMATION_TOOL_FOUND=1
Report "automation_tool_running[]=chef-server"
Display --indent 4 --text "Found: Chef Server (erchef)" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: found erchef (chef server daemon) in ${I}"
fi
fi
done
# Puppet
# Check for Puppet installation provided by Puppetlabs package
if [ -z "${PUPPETBINARY}" ]; then
if [ -f ${ROOTDIR}opt/puppetlabs/puppet/bin/puppet ]; then
PUPPETBINARY="${ROOTDIR}opt/puppetlabs/puppet/bin/puppet"
fi
fi
if [ ! -z "${PUPPETBINARY}" ]; then
LogText "Result: Puppet is installed (${PUPPETBINARY})"
AUTOMATION_TOOL_FOUND=1
Report "automation_tool_running[]=puppet-agent"
Display --indent 4 --text "Found: Puppet (agent)" --result "${STATUS_FOUND}" --color GREEN
fi
IsRunning "puppet master"
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: found puppet master"
AUTOMATION_TOOL_FOUND=1
PUPPET_MASTER_RUNNING=1
Report "automation_tool_running[]=puppet-master"
Display --indent 4 --text "Found: Puppet (master)" --result "${STATUS_FOUND}" --color GREEN
fi
# SaltStack
if [ ! "${SALTMINIONBINARY}" = "" ]; then
LogText "Result: SaltStack (salt-minion) is installed (${SALTMINIONBINARY})"
AUTOMATION_TOOL_FOUND=1
SALT_MINION_RUNNING=1
Report "automation_tool_running[]=saltstack-minion"
Display --indent 4 --text "Found: SaltStack minion (salt-minion)" --result "${STATUS_FOUND}" --color GREEN
fi
if [ ! "${SALTMASTERBINARY}" = "" ]; then
LogText "Result: SaltStack (salt-master) is installed (${SALTMASTERBINARY})"
AUTOMATION_TOOL_FOUND=1
SALT_MASTER_RUNNING=1
Report "automation_tool_running[]=saltstack-minion"
Display --indent 4 --text "Found: SaltStack master (salt-master)" --result "${STATUS_FOUND}" --color GREEN
else
IsRunning "salt-master"
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: found SaltStack (master)"
AUTOMATION_TOOL_FOUND=1
SALT_MASTER_RUNNING=1
Report "automation_tool_running[]=saltstack-master"
Display --indent 4 --text "Found: SaltStack (master)" --result "${STATUS_FOUND}" --color GREEN
fi
fi
if [ ${AUTOMATION_TOOL_FOUND} -eq 1 ]; then
Display --indent 2 --text "- Automation tooling" --result "${STATUS_FOUND}" --color GREEN
else
Display --indent 2 --text "- Automation tooling" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "Determine if automation tools are present for system management"
fi
fi
#
#################################################################################
#
# Intrusion Prevention tools
#
#################################################################################
#
# Test : TOOL-5102
# Description : Check for Fail2ban
Register --test-no TOOL-5102 --weight L --network NO --category security --description "Check for presence of Fail2ban"
if [ ${SKIPTEST} -eq 0 ]; then
# Fail2ban presence
if [ ! "${FAIL2BANBINARY}" = "" ]; then
FAIL2BAN_FOUND=1
IDS_IPS_TOOL_FOUND=1
LogText "Result: Fail2ban is installed (${FAIL2BANBINARY})"
Report "ids_ips_tooling[]=fail2ban"
Display --indent 2 --text "- Checking presence of Fail2ban" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: Fail2ban not present (fail2ban-server not found)"
fi
# Fail2ban configuration
LogText "Checking Fail2ban configuration file"
if [ -f /etc/fail2ban/jail.local ]; then
FAIL2BAN_CONFIG="/etc/fail2ban/jail.local"
elif [ -f /etc/fail2ban/jail.conf ]; then
FAIL2BAN_CONFIG="/etc/fail2ban/jail.conf"
else
FAIL2BAN_CONFIG=""
fi
# Continue if tooling is available and configuration file found
if [ ${FAIL2BAN_FOUND} -eq 1 -a ! "${FAIL2BAN_CONFIG}" = "" ]; then
Report "fail2ban_config=${FAIL2BAN_CONFIG}"
FAIL2BANCLIENT=$(which fail2ban-client 2> /dev/null | grep -v "no [^ ]* in ")
if [ ! -z "${FAIL2BANCLIENT}" ]; then PERFORM_FAIL2BAN_TESTS=1; fi
fi
fi
#
#################################################################################
#
# Test : TOOL-5104
# Description : Check for Fail2ban enabled tests
if [ ${PERFORM_FAIL2BAN_TESTS} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TOOL-5104 --weight L --network NO --preqs-met ${PREQS_MET} --category security --description "Enabled tests in Fail2ban"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${FAIL2BANCLIENT} -d | ${TRBINARY} -d '[]' | ${TRBINARY} -d "'" | ${AWKBINARY} -F, '{ if ($1=="add") { print $2 }}' | ${TRBINARY} -d ' ')
if [ ! "${FIND}" = "" ]; then
for F2BSERVICE in ${FIND}; do
LogText "Result: service '${F2BSERVICE}' enabled"
Report "fail2ban_enabled_service[]=${F2BSERVICE}"
done
LogText "Result: found at least one enabled jail"
Display --indent 4 --text "- Checking Fail2ban jails" --result "${STATUS_ENABLED}" --color GREEN
AddHP 3 3
else
LogText "Result: Fail2ban installed but completely disabled"
Display --indent 4 --text "- Checking Fail2ban jails" --result "${STATUS_DISABLED}" --color RED
AddHP 0 5
ReportWarning "${TEST_NO}" "All jails in Fail2ban are disabled" "${FAIL2BAN_CONFIG}"
fi
fi
#
#################################################################################
#
# These tests are temporarily disabled to split them up in different areas to check
#
# LogText "Result: found configuration file (${FAIL2BAN_CONFIG})"
#
# # Check email alert configuration
# LogText "Test: checking for email actions within ${FAIL2BAN_CONFIG}"
#
# FIND=$(${EGREPBINARY} "^action = \%\(action_m.*\)s" ${FAIL2BAN_CONFIG})
# FIND2=$(${EGREPBINARY} "^action = \%\(action_\)s" ${FAIL2BAN_CONFIG})
#
# if [ ! "${FIND}" = "" ]; then
# FAIL2BAN_EMAIL=1
# LogText "Result: found at least one jail which sends an email alert"
# fi
#
# if [ ! "${FIND2}" = "" ]; then
# FAIL2BAN_SILENT=1
# LogText "Result: found at least one jail which does NOT send an email alert"
# fi
#
# if [ ${FAIL2BAN_SILENT} -eq 0 ] && [ ${FAIL2BAN_EMAIL} -eq 0 ]; then
# LogText "No registered actions found in ${FAIL2BAN_CONFIG}"
# Display --indent 4 --text "- Checking Fail2ban actions" --result "${STATUS_NONE}" --color RED
# ReportWarning "${TEST_NO}" "${FAIL2BAN_CONFIG}" "There are no actions configured for Fail2ban."
# AddHP 0 3
# fi
#
# if [ ${FAIL2BAN_SILENT} -eq 0 ] && [ ${FAIL2BAN_EMAIL} -eq 1 ]; then
# LogText "All actions in ${FAIL2BAN_CONFIG} are configured to send email alerts"
# Display --indent 4 --text "- Checking Fail2ban actions" --result "${STATUS_OK}" --color GREEN
# AddHP 3 3
# fi
#
# if [ ${FAIL2BAN_SILENT} -eq 1 ] && [ ${FAIL2BAN_EMAIL} -eq 1 ]; then
# LogText "Some actions found in ${FAIL2BAN_CONFIG} are configured to send email alerts"
# Display --indent 4 --text "- Checking Fail2ban actions" --result PARTIAL --color YELLOW
# ReportSuggestion "${TEST_NO}" "Some Fail2ban jails are configured with non-notified actions. Consider changing these to emailed alerts."
# AddHP 2 3
# fi
#
# if [ ${FAIL2BAN_SILENT} -eq 1 ] && [ ${FAIL2BAN_EMAIL} -eq 0 ]; then
# LogText "None of the actions found in ${FAIL2BAN_CONFIG} are configured to send email alerts"
# Display --indent 4 --text "- Checking Fail2ban actions" --result "${STATUS_NONE}" --color YELLOW
# ReportSuggestion "${TEST_NO}" "None of the Fail2ban jails are configured to send email notifications. Consider changing these to emailed alerts."
# AddHP 1 3
# fi
#
# # Check at least one enabled jail
# LogText "Checking for enabled jails within ${FAIL2BAN_CONFIG}"
#
#
#
# # Confirm at least one iptables chain for fail2ban
#
# LogText "Checking for fail2ban iptables chains"
#
# if [ ! "${IPTABLESBINARY}" = "" ]; then
# CHECK_CHAINS=$(${IPTABLESBINARY} -L 2>&1 | ${GREPBINARY} fail2ban)
# if [ ! "${CHECK_CHAINS}" = "" ]; then
# LogText "Result: found at least one iptables chain for fail2ban"
# Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result "${STATUS_OK}" --color GREEN
# else
# LogText "Result: Fail2ban installed but iptables chain not present - fail2ban will not work"
# Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result "${STATUS_WARNING}" --color RED
# AddHP 0 3
# ReportSuggestion "${TEST_NO}" "Check config to see why iptables does not have a fail2ban chain" "${FAIL2BAN_CONFIG}"
# fi
# else
# Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result "${STATUS_WARNING}" --color RED
# ReportSuggestion "${TEST_NO}" "iptables doesn't seem to be installed; Fail2ban will not work. Remove Fail2ban or install iptables" "${FAIL2BAN_CONFIG}"
# fi
# fi
# fi
#
#################################################################################
#
# Test : TOOL-5190
# Description : Check for an IDS/IPS tool
Register --test-no TOOL-5190 --weight L --network NO --category security --description "Check presence of IDS/IPS tool"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ${IDS_IPS_TOOL_FOUND} -eq 1 ]; then
Display --indent 2 --text "- Checking for IDS/IPS tooling" --result "${STATUS_FOUND}" --color GREEN
AddHP 2 2
else
Display --indent 2 --text "- Checking for IDS/IPS tooling" --result "${STATUS_NONE}" --color YELLOW
#ReportSuggestion ${TEST_NO} "Install and configure automated intrusion detection/prevention tools"
AddHP 0 2
fi
fi
#
#################################################################################
#
# Backup tools
#
#################################################################################
#
# Netvault
# Rsync in cron
#
#################################################################################
#
Report "automation_tool_present=${AUTOMATION_TOOL_FOUND}"
WaitForKeyPress
#
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
|