lynis/include/tests_tooling
hlein b595cc0fb5 Various cleanups (#363)
* Typo fix.

* Style change: always use $(), never ``.

The Lynis code already mostly used $(), but backticks were sprinkled
around.  Converted all of them.

* Lots of minor spelling/typo fixes.

FWIW these were found with:

  find . -type f -print0 | xargs -0 cat | aspell list | sort -u | egrep '^[a-z]+$' | less

And then reviewing the list to pick out things that looked like
misspelled words as opposed to variables, etc., and then manual
inspection of context to determine the intention.
2017-03-06 07:41:21 +00:00

325 lines
15 KiB
Bash

#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2017, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
AUTOMATION_TOOL_FOUND=0
AUTOMATION_TOOL_RUNNING=""
CFENGINE_AGENT_FOUND=0
CFENGINE_SERVER_RUNNING=0
BACKUP_AGENT_FOUND=0
PUPPET_MASTER_RUNNING=0
SALT_MASTER_RUNNING=0
SALT_MINION_RUNNING=0
IPS_TOOL_FOUND=0
FAIL2BAN_FOUND=0
FAIL2BAN_EMAIL=0
FAIL2BAN_SILENT=0
PERFORM_FAIL2BAN_TESTS=0
#
#################################################################################
#
InsertSection "Software: System tooling"
#
#################################################################################
#
# Automation
#
#################################################################################
#
# Test : TOOL-5002
# Description : Check if automation tools are found
Register --test-no TOOL-5002 --weight L --network NO --category security --description "Checking for automation tools"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Checking automation tooling"
# Cfengine
if [ ! "${CFAGENTBINARY}" = "" ]; then
LogText "Result: CFEngine (cfagent) is installed (${CFAGENTBINARY})"
AUTOMATION_TOOL_FOUND=1
CFENGINE_AGENT_FOUND=1
Report "automation_tool_running[]=cf-agent"
Display --indent 4 --text "Found: Cfengine (cfagent)" --result "${STATUS_FOUND}" --color GREEN
fi
OTHER_CFENGINE_LOCATIONS="/var/cfengine/bin /var/rudder/cfengine-community/bin"
for I in ${OTHER_CFENGINE_LOCATIONS}; do
if [ -d ${I} ]; then
if [ -f ${I}/cf-agent ]; then
LogText "Result: found CFEngine agent (cf-agent) in ${I}"
AUTOMATION_TOOL_FOUND=1
CFENGINE_AGENT_FOUND=1
Report "automation_tool_running[]=cf-agent"
Display --indent 4 --text "Found: CFEngine (cf-agent)" --result "${STATUS_FOUND}" --color GREEN
fi
IsRunning "cf-server"
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: found CFEngine server"
AUTOMATION_TOOL_FOUND=1
CFENGINE_SERVER_RUNNING=1
Report "automation_tool_running[]=cf-server"
Display --indent 4 --text "Found: CFEngine (cf-server)" --result "${STATUS_FOUND}" --color GREEN
fi
fi
done
# Chef
CHEF_LOCATIONS="/opt/chef/bin /opt/chef-server/sv /opt/chefdk/bin"
for I in ${CHEF_LOCATIONS}; do
if [ -d ${I} ]; then
if [ -f ${I}/chef-client ]; then
CHEFCLIENTBINARY="${I}/chef-client"
AUTOMATION_TOOL_FOUND=1
Report "automation_tool_running[]=chef-client"
Display --indent 4 --text "Found: Chef client (chef-client)" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: found chef-client (chef client daemon) in ${I}"
fi
if [ -f ${I}/erchef ]; then
CHEFSERVERBINARY="${I}/erchef"
LogText "Result: Chef Server (erchef) is installed (${CHEFSERVERBINARY})"
AUTOMATION_TOOL_FOUND=1
Report "automation_tool_running[]=chef-server"
Display --indent 4 --text "Found: Chef Server (erchef)" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: found erchef (chef server daemon) in ${I}"
fi
fi
done
# Puppet
if [ ! "${PUPPETBINARY}" = "" ]; then
LogText "Result: Puppet is installed (${PUPPETBINARY})"
AUTOMATION_TOOL_FOUND=1
Report "automation_tool_running[]=puppet-agent"
Display --indent 4 --text "Found: Puppet (agent)" --result "${STATUS_FOUND}" --color GREEN
fi
IsRunning "puppet master"
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: found puppet master"
PUPPET_MASTER_RUNNING=1
Report "automation_tool_running[]=puppet-master"
Display --indent 4 --text "Found: Puppet (master)" --result "${STATUS_FOUND}" --color GREEN
fi
# SaltStack
if [ ! "${SALTMINIONBINARY}" = "" ]; then
LogText "Result: SaltStack (salt-minion) is installed (${SALTMINIONBINARY})"
AUTOMATION_TOOL_FOUND=1
SALT_MINION_RUNNING=1
Report "automation_tool_running[]=saltstack-minion"
Display --indent 4 --text "Found: SaltStack minion (salt-minion)" --result "${STATUS_FOUND}" --color GREEN
fi
if [ ! "${SALTMASTERBINARY}" = "" ]; then
LogText "Result: SaltStack (salt-master) is installed (${SALTMASTERBINARY})"
AUTOMATION_TOOL_FOUND=1
SALT_MASTER_RUNNING=1
Report "automation_tool_running[]=saltstack-minion"
Display --indent 4 --text "Found: SaltStack master (salt-master)" --result "${STATUS_FOUND}" --color GREEN
else
IsRunning "salt-master"
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: found SaltStack (master)"
AUTOMATION_TOOL_FOUND=1
SALT_MASTER_RUNNING=1
Report "automation_tool_running[]=saltstack-master"
Display --indent 4 --text "Found: SaltStack (master)" --result "${STATUS_FOUND}" --color GREEN
fi
fi
if [ ${AUTOMATION_TOOL_FOUND} -eq 1 ]; then
Display --indent 2 --text "- Automation tooling" --result "${STATUS_FOUND}" --color GREEN
else
Display --indent 2 --text "- Automation tooling" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "Determine if automation tools are present for system management"
fi
fi
#
#################################################################################
#
# Intrusion Prevention tools
#
#################################################################################
#
# Test : TOOL-5102
# Description : Check for Fail2ban
Register --test-no TOOL-5102 --weight L --network NO --category security --description "Check for presence of Fail2ban"
if [ ${SKIPTEST} -eq 0 ]; then
# Fail2ban presence
if [ ! "${FAIL2BANBINARY}" = "" ]; then
FAIL2BAN_FOUND=1
IDS_IPS_TOOL_FOUND=1
LogText "Result: Fail2ban is installed (${FAIL2BANBINARY})"
Report "ids_ips_tooling[]=fail2ban"
Display --indent 2 --text "- Checking presence of Fail2ban" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: Fail2ban not present (fail2ban-server not found)"
fi
# Fail2ban configuration
LogText "Checking Fail2ban configuration file"
if [ -f /etc/fail2ban/jail.local ]; then
FAIL2BAN_CONFIG="/etc/fail2ban/jail.local"
elif [ -f /etc/fail2ban/jail.conf ]; then
FAIL2BAN_CONFIG="/etc/fail2ban/jail.conf"
else
FAIL2BAN_CONFIG=""
fi
# Continue if tooling is available and configuration file found
if [ ${FAIL2BAN_FOUND} -eq 1 -a ! "${FAIL2BAN_CONFIG}" = "" ]; then
Report "fail2ban_config=${FAIL2BAN_CONFIG}"
FAIL2BANCLIENT=$(which fail2ban-client 2> /dev/null)
if [ ! -z "${FAIL2BANCLIENT}" ]; then PERFORM_FAIL2BAN_TESTS=1; fi
fi
fi
#
#################################################################################
#
# Test : TOOL-5104
# Description : Check for Fail2ban enabled tests
if [ ${PERFORM_FAIL2BAN_TESTS} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no TOOL-5104 --weight L --network NO --preqs-met ${PREQS_MET} --category security --description "Enabled tests in Fail2ban"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${FAIL2BANCLIENT} -d | ${TRBINARY} -d '[]' | ${TRBINARY} -d "'" | ${AWKBINARY} -F, '{ if ($1=="add") { print $2 }}' | ${TRBINARY} -d ' ')
if [ ! "${FIND}" = "" ]; then
for F2BSERVICE in ${FIND}; do
LogText "Result: service '${F2BSERVICE}' enabled"
Report "fail2ban_enabled_service[]=${F2BSERVICE}"
done
LogText "Result: found at least one enabled jail"
Display --indent 4 --text "- Checking Fail2ban jails" --result "${STATUS_ENABLED}" --color GREEN
AddHP 3 3
else
LogText "Result: Fail2ban installed but completely disabled"
Display --indent 4 --text "- Checking Fail2ban jails" --result "${STATUS_DISABLED}" --color RED
AddHP 0 5
ReportWarning "${TEST_NO}" "All jails in Fail2ban are disabled" "${FAIL2BAN_CONFIG}"
fi
fi
#
#################################################################################
#
# These tests are temporarily disabled to split them up in different areas to check
#
# LogText "Result: found configuration file (${FAIL2BAN_CONFIG})"
#
# # Check email alert configuration
# LogText "Test: checking for email actions within ${FAIL2BAN_CONFIG}"
#
# FIND=$(${EGREPBINARY} "^action = \%\(action_m.*\)s" ${FAIL2BAN_CONFIG})
# FIND2=$(${EGREPBINARY} "^action = \%\(action_\)s" ${FAIL2BAN_CONFIG})
#
# if [ ! "${FIND}" = "" ]; then
# FAIL2BAN_EMAIL=1
# LogText "Result: found at least one jail which sends an email alert"
# fi
#
# if [ ! "${FIND2}" = "" ]; then
# FAIL2BAN_SILENT=1
# LogText "Result: found at least one jail which does NOT send an email alert"
# fi
#
# if [ ${FAIL2BAN_SILENT} -eq 0 ] && [ ${FAIL2BAN_EMAIL} -eq 0 ]; then
# LogText "No registered actions found in ${FAIL2BAN_CONFIG}"
# Display --indent 4 --text "- Checking Fail2ban actions" --result "${STATUS_NONE}" --color RED
# ReportWarning "${TEST_NO}" "${FAIL2BAN_CONFIG}" "There are no actions configured for Fail2ban."
# AddHP 0 3
# fi
#
# if [ ${FAIL2BAN_SILENT} -eq 0 ] && [ ${FAIL2BAN_EMAIL} -eq 1 ]; then
# LogText "All actions in ${FAIL2BAN_CONFIG} are configured to send email alerts"
# Display --indent 4 --text "- Checking Fail2ban actions" --result "${STATUS_OK}" --color GREEN
# AddHP 3 3
# fi
#
# if [ ${FAIL2BAN_SILENT} -eq 1 ] && [ ${FAIL2BAN_EMAIL} -eq 1 ]; then
# LogText "Some actions found in ${FAIL2BAN_CONFIG} are configured to send email alerts"
# Display --indent 4 --text "- Checking Fail2ban actions" --result PARTIAL --color YELLOW
# ReportSuggestion "${TEST_NO}" "Some Fail2ban jails are configured with non-notified actions. Consider changing these to emailed alerts."
# AddHP 2 3
# fi
#
# if [ ${FAIL2BAN_SILENT} -eq 1 ] && [ ${FAIL2BAN_EMAIL} -eq 0 ]; then
# LogText "None of the actions found in ${FAIL2BAN_CONFIG} are configured to send email alerts"
# Display --indent 4 --text "- Checking Fail2ban actions" --result "${STATUS_NONE}" --color YELLOW
# ReportSuggestion "${TEST_NO}" "None of the Fail2ban jails are configured to send email notifications. Consider changing these to emailed alerts."
# AddHP 1 3
# fi
#
# # Check at least one enabled jail
# LogText "Checking for enabled jails within ${FAIL2BAN_CONFIG}"
#
#
#
# # Confirm at least one iptables chain for fail2ban
#
# LogText "Checking for fail2ban iptables chains"
#
# if [ ! "${IPTABLESBINARY}" = "" ]; then
# CHECK_CHAINS=$(${IPTABLESBINARY} -L 2>&1 | ${GREPBINARY} fail2ban)
# if [ ! "${CHECK_CHAINS}" = "" ]; then
# LogText "Result: found at least one iptables chain for fail2ban"
# Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result "${STATUS_OK}" --color GREEN
# else
# LogText "Result: Fail2ban installed but iptables chain not present - fail2ban will not work"
# Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result "${STATUS_WARNING}" --color RED
# AddHP 0 3
# ReportSuggestion "${TEST_NO}" "Check config to see why iptables does not have a fail2ban chain" "${FAIL2BAN_CONFIG}"
# fi
# else
# Display --indent 4 --text "- Checking for Fail2ban iptables chain" --result "${STATUS_WARNING}" --color RED
# ReportSuggestion "${TEST_NO}" "iptables doesn't seem to be installed; Fail2ban will not work. Remove Fail2ban or install iptables" "${FAIL2BAN_CONFIG}"
# fi
# fi
# fi
#
#################################################################################
#
# Test : TOOL-5190
# Description : Check for an IDS/IPS tool
Register --test-no TOOL-5190 --weight L --network NO --category security --description "Check presence of IDS/IPS tool"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ${IDS_IPS_TOOL_FOUND} -eq 1 ]; then
Display --indent 2 --text "- Checking for IDS/IPS tooling" --result "${STATUS_FOUND}" --color GREEN
AddHP 2 2
else
Display --indent 2 --text "- Checking for IDS/IPS tooling" --result "${STATUS_NONE}" --color YELLOW
#ReportSuggestion ${TEST_NO} "Install and configure automated intrusion detection/prevention tools"
AddHP 0 2
fi
fi
#
#################################################################################
#
# Backup tools
#
#################################################################################
#
# Netvault
# Rsync in cron
#
#################################################################################
#
Report "automation_tool_present=${AUTOMATION_TOOL_FOUND}"
WaitForKeyPress
#
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com