1#!/bin/sh
2
3#################################################################################
4#
5#   Lynis
6# ------------------
7#
8# Copyright 2007-2013, Michael Boelen
9# Copyright 2007-2021, CISOfy
10#
11# Website  : https://cisofy.com
12# Blog     : http://linux-audit.com
13# GitHub   : https://github.com/CISOfy/lynis
14#
15# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
16# welcome to redistribute it under the terms of the GNU General Public License.
17# See LICENSE file for usage of this software.
18#
19#################################################################################
20#
21# Home directories
22#
23#################################################################################
24#
25    InsertSection "${SECTION_HOME_DIRECTORIES}"
26#
27#################################################################################
28#
29    # Ignore some top level directories (not the sub directories below)
30    IGNORE_HOME_DIRS="/bin /boot /cdrom /dev /etc /home /lib /lib64 /media /mnt
31                      /opt /proc /sbin /selinux /srv /sys /tmp /usr /var"
32#
33#################################################################################
34#
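    # Test        : HOME-9302
    # Description : Create list with home directories
    # Notes       : Every unique sixth field of passwd (comment lines skipped) is logged; only directories that
    #               exist are added to the report as home_directory[] entries.
    Register --test-no HOME-9302 --weight L --network NO --category security --description "Create list with home directories"
    if [ ${SKIPTEST} -eq 0 ]; then
        # Read sixth field of /etc/passwd, de-duplicated
        LogText "Test: query ${ROOTDIR}etc/passwd to obtain home directories"
        FIND=$(${AWKBINARY} -F: '{ if ($1 !~ "#") print $6 }' "${ROOTDIR}etc/passwd" | ${SORTBINARY} -u)
        # Iterate line by line instead of word-splitting ${FIND}, so a home directory path containing
        # whitespace or glob characters is handled as a single entry
        while IFS= read -r I; do
            # Empty lines (accounts without a home field, or an empty FIND) carry nothing to check
            if [ -z "${I}" ]; then continue; fi
            if [ -d "${I}" ]; then
                LogText "Result: found home directory: ${I} (directory exists)"
                Report "home_directory[]=${I}"
            else
                LogText "Result: found home directory: ${I} (directory does not exist)"
            fi
        done << EOF
${FIND}
EOF
    fi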
51#
52#################################################################################
53#
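    # Test        : HOME-9304
    # Description : Check if users' home directories permissions are 750 or more restrictive
    # Notes       : A few system accounts and accounts whose shell ends in /false or /nologin are excluded.
    #               "750 or more restrictive" is judged from the ls mode string: the group write bit
    #               (column 6) must be '-' and the three 'other' bits (columns 8-10) must all be '-'.
    Register --test-no HOME-9304 --weight L --network NO --category security --description "Check if users' home directories permissions are 750 or more restrictive"
    if [ ${SKIPTEST} -eq 0 ]; then
        # Check if users' home directories permissions are 750 or more restrictive
        FOUND=0
        USERDATA=$(${EGREPBINARY} -v '^(daemon|git|halt|root|shutdown|sync)' "${ROOTDIR}etc/passwd" | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }')
        # Let read split each passwd line on ':' (empty fields are preserved); this avoids two cut
        # pipelines per user and keeps backslashes and whitespace in the fields intact.
        # USER and DIR keep their original names, the remaining fields are not used here.
        while IFS=: read -r USER _PW _UID _GID _GECOS DIR _SHELL; do
            # An empty USERDATA yields a single empty line from the here-document
            if [ -z "${USER}" ]; then continue; fi
            LogText "Test: checking directory '${DIR}' for user '${USER}'"
            if [ -d "${DIR}" ]; then
                # One ls call per directory; the mode string is the first whitespace-separated field
                DIR_MODE=$(${LSBINARY} -ld "${DIR}" | ${CUTBINARY} -f1 -d" ")
                WRITE_GROUP_PERM=$(printf '%s\n' "${DIR_MODE}" | ${CUTBINARY} -c6)
                OTHER_PERMS=$(printf '%s\n' "${DIR_MODE}" | ${CUTBINARY} -c8-10)
                # Two separate tests instead of the ambiguous '-o' operator; the values are quoted so an
                # empty result (e.g. ls failing) is treated as "not strict enough" instead of a test syntax error
                if [ "${WRITE_GROUP_PERM}" != "-" ] || [ "${OTHER_PERMS}" != "---" ]; then
                    LogText "Result: permissions of home directory ${DIR} of user ${USER} are not strict enough. Should be 750 or more restrictive. Change with: chmod 750 ${DIR}"
                    FOUND=1
                else
                    LogText "Result: permissions of home directory ${DIR} of user ${USER} are fine"
                fi
            fi
        done << EOF
${USERDATA}
EOF

        if [ ${FOUND} -eq 1 ]; then
            Display --indent 2 --text "- Permissions of home directories" --result "${STATUS_WARNING}" --color RED
            ReportSuggestion "${TEST_NO}" "Double check the permissions of home directories as some might be not strict enough."
        else
            Display --indent 2 --text "- Permissions of home directories" --result "${STATUS_OK}" --color GREEN
            LogText "Result: OK, all permissions of the home directories are 750 or more restrictive"
        fi
    fi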
87#
88#################################################################################
89#
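    # Test        : HOME-9306
    # Description : Check if users own their home directories
    # Notes       : Same account selection as HOME-9304 (system accounts and /false|/nologin shells excluded).
    #               The owner column of 'ls -ld' is compared with the passwd user name.
    Register --test-no HOME-9306 --weight L --network NO --category security --description "Check if users own their home directories"
    if [ ${SKIPTEST} -eq 0 ]; then
        # Check if users own their home directories
        FOUND=0
        USERDATA=$(${EGREPBINARY} -v '^(daemon|git|halt|root|shutdown|sync)' "${ROOTDIR}etc/passwd" | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }')
        # Let read split each passwd line on ':' (empty fields are preserved) instead of two cut
        # pipelines per user; USER and DIR keep their original names, the other fields are unused here
        while IFS=: read -r USER _PW _UID _GID _GECOS DIR _SHELL; do
            # An empty USERDATA yields a single empty line from the here-document
            if [ -z "${USER}" ]; then continue; fi
            LogText "Test: checking directory '${DIR}' for user '${USER}'"
            if [ -d "${DIR}" ]; then
                # Use the configured binaries, as the other tests in this file do, and quote the path so
                # directories containing whitespace are handled; field 3 of 'ls -ld' is the owner
                OWNER=$(${LSBINARY} -ld "${DIR}" | ${AWKBINARY} '{ print $3 }')
                if [ "${OWNER}" != "${USER}" ]; then
                    LogText "Result: the home directory ${DIR} of user ${USER} is owned by ${OWNER}. Correct: chown ${USER} ${DIR}"
                    FOUND=1
                else
                    LogText "Result: ownership of home directory ${DIR} for user ${USER} looks to be correct"
                fi
            fi
        done << EOF
${USERDATA}
EOF

        if [ ${FOUND} -eq 1 ]; then
            Display --indent 2 --text "- Ownership of home directories" --result "${STATUS_WARNING}" --color RED
            ReportSuggestion "${TEST_NO}" "Double check the ownership of home directories as some might be incorrect."
        else
            Display --indent 2 --text "- Ownership of home directories" --result "${STATUS_OK}" --color GREEN
            LogText "Result: OK, all users own their home directories"
        fi
    fi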
122#
123#################################################################################
124#
    # Test        : HOME-9310
    # Description : Check for suspicious shell history files
    # Notes       : Looks in each directory listed in HOMEDIRS for a dot-file whose name ends in "history" and
    #               that is not a regular file (e.g. a symbolic link), which may be an attempt to avoid logging.
    Register --test-no HOME-9310 --weight L --network NO --category security --description "Checking for suspicious shell history files"
    if [ ${SKIPTEST} -eq 0 ]; then
        if [ -z "${HOMEDIRS}" ]; then
            Display --indent 2 --text "- Checking shell history files" --result "${STATUS_SKIPPED}" --color WHITE
            LogText "Result: Homedirs is empty, therefore test will be skipped"
        else
            # Solaris find has no -maxdepth, so the depth limit is only passed on other platforms
            if [ "${OS}" = "Solaris" ]; then
                DEPTH_OPTION=""
            else
                DEPTH_OPTION="-maxdepth 1"
            fi
            # HOMEDIRS and DEPTH_OPTION are expanded unquoted on purpose: both are word lists
            FIND=$(${FINDBINARY} ${HOMEDIRS} ${DEPTH_OPTION} -name ".*history" ! -type f -print)
            if [ -n "${FIND}" ]; then
                Display --indent 2 --text "- Checking shell history files" --result "${STATUS_WARNING}" --color RED
                LogText "Result: the following files seem to be of the wrong file type:"
                LogText "Output: ${FIND}"
                LogText "Info: above files could be redirected files to avoid logging and should be investigated"
                ReportWarning "${TEST_NO}" "Incorrect file type found for shell history file"
            else
                Display --indent 2 --text "- Checking shell history files" --result "${STATUS_OK}" --color GREEN
                LogText "Result: Ok, history files are type 'file'."
            fi
            LogText "Remark: History files are normally of the type 'file'. Symbolic links and other types are suspicious."
        fi
    fi
152#
153#################################################################################
154#
155    # Test        : HOME-9314
    # Description : Check if non-local paths are found in PATH, which can be a risk but is also bad for performance
    #               (for example, searching on a filer instead of the local disk)
158    #Register --test-no HOME-9314 --weight L --network NO --category security --description "Create list with home directories"
159#
160#################################################################################
161#
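    # Test        : HOME-9350
    # Description : Scan home directories for specific files, used in different tests later
    # Notes       : For performance reasons we combine the scanning of different files, so inode caching is used
    #               as much as possible for every find command
    # Profile opt : ignore-home-dir (multiple lines allowed), ignores home directory
    # NOTE(review): the ignore-home-dir lines are read from REPORTFILE (which is also the prerequisite below)
    #               rather than from a profile variable - confirm this is the intended source. The result
    #               replaces the static IGNORE_HOME_DIRS list defined near the top of this file.
    if [ -n "${REPORTFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no HOME-9350 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Collecting information from home directories"
    if [ ${SKIPTEST} -eq 0 ]; then
        # REPORTFILE is a single path, so it is quoted to avoid word splitting and globbing;
        # the value after the first '=' of each matching line is kept
        IGNORE_HOME_DIRS=$(${GREPBINARY} "^ignore-home-dir=" "${REPORTFILE}" | ${AWKBINARY} -F= '{ print $2 }')
        if [ -z "${IGNORE_HOME_DIRS}" ]; then
            LogText "Result: IGNORE_HOME_DIRS empty, no paths excluded"
        else
            LogText "Output: ${IGNORE_HOME_DIRS}"
        fi
    fi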
177#
178#################################################################################
179#
180
# Defined elsewhere in Lynis; presumably pauses before the next section when running interactively - confirm
WaitForKeyPress
182
183#
184#================================================================================
185# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
186