mirror of
https://github.com/CISOfy/lynis.git
synced 2026-03-11 08:55:28 +00:00
* Typo fix. * Style change: always use $(), never ``. The Lynis code already mostly used $(), but backticks were sprinkled around. Converted all of them. * Lots of minor spelling/typo fixes. FWIW these were found with: find . -type f -print0 | xargs -0 cat | aspell list | sort -u | egrep '^[a-z]+$' | less And then reviewing the list to pick out things that looked like misspelled words as opposed to variables, etc., and then manual inspection of context to determine the intention.
305 lines
15 KiB
Bash
305 lines
15 KiB
Bash
#!/bin/sh
|
|
|
|
#################################################################################
|
|
#
|
|
# Lynis
|
|
# ------------------
|
|
#
|
|
# Copyright 2007-2013, Michael Boelen
|
|
# Copyright 2007-2017, CISOfy
|
|
#
|
|
# Website : https://cisofy.com
|
|
# Blog : http://linux-audit.com
|
|
# GitHub : https://github.com/CISOfy/lynis
|
|
#
|
|
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
|
|
# welcome to redistribute it under the terms of the GNU General Public License.
|
|
# See LICENSE file for usage of this software.
|
|
#
|
|
#################################################################################
|
|
#
|
|
# SSH
|
|
#
|
|
#################################################################################
|
|
#
|
|
SSH_DAEMON_CONFIG_LOCS="/etc /etc/ssh /usr/local/etc/ssh /opt/csw/etc/ssh"
|
|
SSH_DAEMON_CONFIG=""
|
|
SSH_DAEMON_PORT=""
|
|
SSH_DAEMON_RUNNING=0
|
|
SSH_DAEMON_OPTIONS_FILE=""
|
|
#
|
|
#################################################################################
|
|
#
|
|
InsertSection "SSH Support"
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : SSH-7402
|
|
# Description : Check for a running SSH daemon
|
|
Register --test-no SSH-7402 --weight L --network NO --category security --description "Check for running SSH daemon"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
LogText "Test: Searching for a SSH daemon"
|
|
IsRunning sshd
|
|
if [ ${RUNNING} -eq 1 ] || PortIsListening "TCP" 22; then
|
|
SSH_DAEMON_RUNNING=1
|
|
Display --indent 2 --text "- Checking running SSH daemon" --result "${STATUS_FOUND}" --color GREEN
|
|
# Store settings in a temporary file
|
|
CreateTempFile
|
|
SSH_DAEMON_OPTIONS_FILE="${TEMP_FILE}"
|
|
${SSHDBINARY} -T 2> /dev/null > ${SSH_DAEMON_OPTIONS_FILE}
|
|
else
|
|
Display --indent 2 --text "- Checking running SSH daemon" --result "${STATUS_NOT_FOUND}" --color WHITE
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : SSH-7404
|
|
# Description : Determine SSH daemon configuration file location
|
|
if [ ${SSH_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
Register --test-no SSH-7404 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SSH daemon file location"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
FOUND=0
|
|
LogText "Test: searching for sshd_config file"
|
|
for I in ${SSH_DAEMON_CONFIG_LOCS}; do
|
|
if [ -f "${I}/sshd_config" ]; then
|
|
LogText "Result: ${I}/sshd_config exists"
|
|
if [ ${FOUND} -eq 1 ]; then
|
|
ReportException "${TEST_NO}:01"
|
|
LogText "Result: we already had found another sshd_config file. Using this new file then."
|
|
fi
|
|
FileIsReadable ${I}/sshd_config
|
|
if [ ${CANREAD} -eq 1 ]; then
|
|
FOUND=1
|
|
SSH_DAEMON_CONFIG="${I}/sshd_config"
|
|
else
|
|
LogText "Result: can not read ${I}/sshd_config file (no permission)"
|
|
fi
|
|
fi
|
|
done
|
|
if [ "${SSH_DAEMON_CONFIG}" = "" ]; then
|
|
LogText "Result: No sshd configuration found"
|
|
Display --indent 4 --text "- Searching SSH configuration" --result "${STATUS_NOT_FOUND}" --color YELLOW
|
|
ReportException "${TEST_NO}:1" "SSH daemon is running, but no readable configuration file found"
|
|
else
|
|
LogText "Result: using last found configuration file: ${SSH_DAEMON_CONFIG}"
|
|
Display --indent 4 --text "- Searching SSH configuration" --result "${STATUS_FOUND}" --color GREEN
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : SSH-7408
|
|
# Description : Check SSH specific defined options
|
|
# Notes : Instead of parsing the configuration file, we query the SSH daemon itself
|
|
if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_OPTIONS_FILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
Register --test-no SSH-7408 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SSH specific defined options"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
LogText "Test: Checking specific defined options in ${SSH_DAEMON_OPTIONS_FILE}"
|
|
## SSHOPTIONS scheme:
|
|
## <OptionName>:<ExpectedValue>,<MediumScoreValue>,<WeakValue>:<TestType>
|
|
##
|
|
## Test types:
|
|
## (a) '=' -- equal to is better,
|
|
## (b) '<' -- less or equal is better,
|
|
## (c) '>' -- more or equal is better,
|
|
## (d) '!' -- not equal is better.
|
|
##
|
|
## Example:
|
|
## PermitRootLogin:NO,WITHOUT-PASSWORD,YES,:=
|
|
SSHOPS="AllowTcpForwarding:NO,LOCAL,YES:=\
|
|
ClientAliveCountMax:2,4,16:<\
|
|
ClientAliveInterval:300,600,900:<\
|
|
Compression:NO,DELAYED,YES:=\
|
|
FingerprintHash:SHA256,MD5,:=\
|
|
GatewayPorts:NO,,YES:=\
|
|
IgnoreRhosts:YES,,NO:=\
|
|
LoginGraceTime:120,240,480:<\
|
|
LogLevel:VERBOSE,INFO,:=\
|
|
MaxAuthTries:2,4,6:<\
|
|
MaxSessions:2,4,8:<\
|
|
PermitRootLogin:NO,(PROHIBIT-PASSWORD|WITHOUT-PASSWORD),YES:=\
|
|
PermitUserEnvironment:NO,,YES:=\
|
|
PermitTunnel:NO,,YES:=\
|
|
Port:,,22:!\
|
|
PrintLastLog:YES,,NO:=\
|
|
Protocol:2,,1:=\
|
|
StrictModes:YES,,NO:=\
|
|
TCPKeepAlive:NO,,YES:=\
|
|
UseDNS:NO,,YES:=\
|
|
UsePrivilegeSeparation:SANDBOX,YES,NO:=\
|
|
VerifyReverseMapping:YES,,NO:=\
|
|
X11Forwarding:NO,,YES:=\
|
|
AllowAgentForwarding:NO,,YES:="
|
|
|
|
# Disabled MaxStartups:4,8,16:<\ (needs fixing)
|
|
|
|
# Go through our list of options
|
|
for I in ${SSHOPS}; do
|
|
OPTIONNAME=$(echo ${I} | ${CUTBINARY} -d ':' -f1)
|
|
OPTIONNAME_LOWER=$(echo ${I} | ${CUTBINARY} -d ':' -f1 | ${AWKBINARY} '{ print tolower($1) }')
|
|
EXPECTEDVALUE=$(echo ${I} | ${CUTBINARY} -d ':' -f2 | ${CUTBINARY} -d',' -f1)
|
|
MEDIUMSCOREDVALUE=$(echo ${I} | ${CUTBINARY} -d ':' -f2 | ${CUTBINARY} -d',' -f2)
|
|
WEAKVALUE=$(echo ${I} | ${CUTBINARY} -d ':' -f2 | ${CUTBINARY} -d',' -f3)
|
|
TESTTYPE=$(echo ${I} | ${CUTBINARY} -d ':' -f3)
|
|
RESULT="NONE"
|
|
|
|
if ! SkipAtomicTest "${TEST_NO}:${OPTIONNAME_LOWER}"; then
|
|
|
|
# Get value and use the last occurrence
|
|
FOUNDVALUE=$(${AWKBINARY} -v OPT="${OPTIONNAME_LOWER}" 'index($0, OPT) == 1 { print toupper($2) }' ${SSH_DAEMON_OPTIONS_FILE} | tail -1)
|
|
LogText "Test: Checking ${OPTIONNAME} in ${SSH_DAEMON_OPTIONS_FILE}"
|
|
|
|
if [ ! "${FOUNDVALUE}" = "" ]; then
|
|
LogText "Result: Option ${OPTIONNAME} found"
|
|
LogText "Result: Option ${OPTIONNAME} value is ${FOUNDVALUE}"
|
|
|
|
if [ "${TESTTYPE}" = "=" ]; then
|
|
if [ "${FOUNDVALUE}" = "${EXPECTEDVALUE}" ]; then
|
|
RESULT="GOOD"
|
|
elif [ "${FOUNDVALUE}" = "${MEDIUMSCOREDVALUE}" ]; then
|
|
RESULT="MIDSCORED"
|
|
elif [ "${FOUNDVALUE}" = "${WEAKVALUE}" ]; then
|
|
RESULT="WEAK"
|
|
else
|
|
if [ ! -z "${EXPECTEDVALUE}" ]; then
|
|
LogText "Expected value has multiple values, testing if active value is in list (${EXPECTEDVALUE})"
|
|
FIND=$(echo ${FOUNDVALUE} | ${GREPBINARY} -E "${EXPECTEDVALUE}")
|
|
if [ $? -eq 0 ]; then
|
|
LogText "Result: found"
|
|
RESULT="GOOD"
|
|
else
|
|
LogText "Result: not found"
|
|
fi
|
|
fi
|
|
if [ ! -z "${MEDIUMSCOREDVALUE}" ]; then
|
|
LogText "Medium scored value has multiple values, testing if active value is in list (${MEDIUMSCOREDVALUE})"
|
|
FIND=$(echo ${FOUNDVALUE} | ${GREPBINARY} -E "${MEDIUMSCOREDVALUE}")
|
|
if [ $? -eq 0 ]; then
|
|
LogText "Result: found"
|
|
RESULT="MIDSCORED"
|
|
else
|
|
LogText "Result: not found"
|
|
fi
|
|
fi
|
|
# Set result to weak if we can't find any matches
|
|
if [ "${RESULT}" = "NONE" ]; then RESULT="WEAK"; fi
|
|
fi
|
|
|
|
elif [ "${TESTTYPE}" = "<" ]; then
|
|
if [ "${FOUNDVALUE}" -ge "${WEAKVALUE}" -o "${FOUNDVALUE}" -gt "${MEDIUMSCOREDVALUE}" ]; then
|
|
RESULT="WEAK"
|
|
elif [ "${FOUNDVALUE}" -le "${MEDIUMSCOREDVALUE}" -a "${FOUNDVALUE}" -gt "${EXPECTEDVALUE}" ]; then
|
|
RESULT="MIDSCORED"
|
|
elif [ "${FOUNDVALUE}" -le "${EXPECTEDVALUE}" ]; then
|
|
RESULT="GOOD"
|
|
else
|
|
RESULT="UNKNOWN"
|
|
fi
|
|
|
|
elif [ "${TESTTYPE}" = ">" ]; then
|
|
if [ "${FOUNDVALUE}" -le "${WEAKVALUE}" ]; then
|
|
RESULT="WEAK"
|
|
elif [ "${FOUNDVALUE}" -le "${WEAKVALUE}" -a "${FOUNDVALUE}" -ge "${MEDIUMSCOREDVALUE}" ]; then
|
|
RESULT="MIDSCORED"
|
|
elif [ "${FOUNDVALUE}" -ge "${EXPECTEDVALUE}" ]; then
|
|
RESULT="GOOD"
|
|
else
|
|
RESULT="UNKNOWN"
|
|
fi
|
|
|
|
elif [ "${TESTTYPE}" = "!" ]; then
|
|
if [ "${FOUNDVALUE}" = "${WEAKVALUE}" ]; then
|
|
RESULT="WEAK"
|
|
elif [ ! "${FOUNDVALUE}" = "${WEAKVALUE}" ]; then
|
|
RESULT="GOOD"
|
|
else
|
|
RESULT="UNKNOWN"
|
|
fi
|
|
|
|
else
|
|
RESULT="NONE"
|
|
fi
|
|
fi
|
|
|
|
if [ "${RESULT}" = "GOOD" ]; then
|
|
LogText "Result: SSH option ${OPTIONNAME} is configured very well"
|
|
Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "${STATUS_OK}" --color GREEN
|
|
AddHP 3 3
|
|
elif [ "${RESULT}" = "MIDSCORED" ]; then
|
|
LogText "Result: SSH option ${OPTIONNAME} is configured reasonably"
|
|
ReportSuggestion ${TEST_NO} "Consider hardening SSH configuration" "${OPTIONNAME} (${FOUNDVALUE} --> ${EXPECTEDVALUE})" "-"
|
|
ReportDetails --test "${TEST_NO}" --service "sshd" --field "${OPTIONNAME}" --value "${FOUNDVALUE}" --preferredvalue "${EXPECTEDVALUE}" --description "sshd option ${OPTIONNAME}"
|
|
Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "${STATUS_SUGGESTION}" --color YELLOW
|
|
AddHP 1 3
|
|
elif [ "${RESULT}" = "WEAK" ]; then
|
|
LogText "Result: SSH option ${OPTIONNAME} is in a weak configuration state and should be fixed"
|
|
ReportSuggestion ${TEST_NO} "Consider hardening SSH configuration" "${OPTIONNAME} (${FOUNDVALUE} --> ${EXPECTEDVALUE})" "-"
|
|
ReportDetails --test "${TEST_NO}" --service "sshd" --field "${OPTIONNAME}" --value "${FOUNDVALUE}" --preferredvalue "${EXPECTEDVALUE}" --description "sshd option ${OPTIONNAME}"
|
|
Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "${STATUS_SUGGESTION}" --color YELLOW
|
|
AddHP 0 3
|
|
elif [ "${RESULT}" = "UNKNOWN" ]; then
|
|
LogText "Result: Value of SSH option ${OPTIONNAME} is unknown (not defined)"
|
|
Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result DEFAULT --color WHITE
|
|
Report "unknown_config_option[]=ssh|$SSH_DAEMON_CONFIG}|${OPTIONNAME}|"
|
|
else
|
|
LogText "Result: Option ${OPTIONNAME} not found in output"
|
|
Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "${STATUS_NOT_FOUND}" --color WHITE
|
|
fi
|
|
else
|
|
if IsVerbose; then Display --indent 4 --text "- SSH option: ${OPTIONNAME}" --result "SKIPPED (via config)" --color WHITE; fi
|
|
fi
|
|
done
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
# Test : SSH-7440
|
|
# Description : AllowUsers / AllowGroups
|
|
# Goal : Check if only a specific amount of users/groups can log in to the system
|
|
if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! "${SSH_DAEMON_OPTIONS_FILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
|
Register --test-no SSH-7440 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SSH option: AllowUsers and AllowGroups"
|
|
if [ ${SKIPTEST} -eq 0 ]; then
|
|
FOUND=0
|
|
# AllowUsers
|
|
FIND=$(${EGREPBINARY} -i "^AllowUsers" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }')
|
|
if [ ! "${FIND}" = "" ]; then
|
|
LogText "Result: AllowUsers set, with value ${FIND}"
|
|
Display --indent 4 --text "- SSH option: AllowUsers" --result "${STATUS_FOUND}" --color GREEN
|
|
FOUND=1
|
|
else
|
|
LogText "Result: AllowUsers is not set"
|
|
Display --indent 4 --text "- SSH option: AllowUsers" --result "${STATUS_NOT_FOUND}" --color WHITE
|
|
fi
|
|
|
|
# AllowGroups
|
|
FIND=$(${EGREPBINARY} -i "^AllowGroups" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }')
|
|
if [ ! "${FIND}" = "" ]; then
|
|
LogText "Result: AllowUsers set ${FIND}"
|
|
Display --indent 4 --text "- SSH option: AllowGroups" --result "${STATUS_FOUND}" --color GREEN
|
|
FOUND=1
|
|
else
|
|
LogText "Result: AllowGroups is not set"
|
|
Display --indent 4 --text "- SSH option: AllowGroups" --result "${STATUS_NOT_FOUND}" --color WHITE
|
|
fi
|
|
|
|
if [ ${FOUND} -eq 1 ]; then
|
|
LogText "Result: SSH is limited to a specific set of users, which is good"
|
|
AddHP 2 2
|
|
else
|
|
LogText "Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine."
|
|
AddHP 0 1
|
|
fi
|
|
fi
|
|
#
|
|
#################################################################################
|
|
#
|
|
|
|
Report "ssh_daemon_running=${SSH_DAEMON_RUNNING}"
|
|
#Report "ssh_daemon_port=${SSH_DAEMON_PORT}"
|
|
|
|
WaitForKeyPress
|
|
|
|
#
|
|
#================================================================================
|
|
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
|