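#!/bin/sh

#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
#
# Website  : https://cisofy.com
# Blog     : http://linux-audit.com
# GitHub   : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Home directories
#
# Tests in this file:
#   HOME-9302  inventory of home directories from passwd
#   HOME-9304  home directory permissions (750 or stricter)
#   HOME-9306  home directory ownership
#   HOME-9310  shell history files that are not regular files
#   HOME-9350  collect "ignore-home-dir" entries for later tests
#
# Helpers (Register, LogText, Display, Report, ReportSuggestion, ReportWarning,
# InsertSection, WaitForKeyPress) and the *BINARY, ROOTDIR, SKIPTEST, TEST_NO
# and STATUS_* variables are not defined here; this file is sourced by the
# Lynis core, which is expected to provide them.
#
#################################################################################
#
    InsertSection "${SECTION_HOME_DIRECTORIES}"
#
#################################################################################
#
    # Ignore some top level directories (not the sub directories below)
    # NOTE(review): nothing in this file reads this default, and HOME-9350 below
    # reassigns IGNORE_HOME_DIRS from the profile (possibly to an empty string),
    # so this list is overwritten whenever that test runs - confirm against
    # the tests that consume IGNORE_HOME_DIRS elsewhere.
    IGNORE_HOME_DIRS="/bin /boot /cdrom /dev /etc /home /lib /lib64 /media /mnt
                      /opt /proc /sbin /selinux /srv /sys /tmp /usr /var"
#
#################################################################################
#
    # Test        : HOME-9302
    # Description : Create list with home directories
    Register --test-no HOME-9302 --weight L --network NO --category security --description "Create list with home directories"
    if [ "${SKIPTEST}" -eq 0 ]; then
        # Read sixth field of /etc/passwd; lines whose first field contains '#'
        # are treated as comments and skipped
        LogText "Test: query ${ROOTDIR}etc/passwd to obtain home directories"
        FIND=$(${AWKBINARY} -F: '{ if ($1 !~ "#") print $6 }' "${ROOTDIR}etc/passwd" | ${SORTBINARY} -u)
        # Iterate line by line instead of word-splitting ${FIND}, so a home
        # directory containing spaces is handled as a single path
        while read -r I; do
            # empty lines (e.g. a passwd entry without a home field) carry no path
            if [ -z "${I}" ]; then continue; fi
            if [ -d "${I}" ]; then
                LogText "Result: found home directory: ${I} (directory exists)"
                Report "home_directory[]=${I}"
            else
                LogText "Result: found home directory: ${I} (directory does not exist)"
            fi
        done << EOF
${FIND}
EOF
    fi
#
#################################################################################
#
    # Test        : HOME-9304
    # Description : Check if users' home directories permissions are 750 or more restrictive
    Register --test-no HOME-9304 --weight L --network NO --category security --description "Check if users' home directories permissions are 750 or more restrictive"
    if [ "${SKIPTEST}" -eq 0 ]; then
        # Check if users' home directories permissions are 750 or more restrictive
        FOUND=0
        # Skip the listed system accounts and any account whose login shell ends
        # in /false or /nologin. The names are anchored with ':' (the passwd field
        # separator) so only those exact user names are excluded, not every
        # account that merely starts with one of them (e.g. "gitlab").
        USERDATA=$(${EGREPBINARY} -v '^(daemon|git|halt|root|shutdown|sync):' "${ROOTDIR}etc/passwd" | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }')
        while read -r LINE; do
            if [ -z "${LINE}" ]; then continue; fi
            # first field up to the first ':' is the user name
            USER=${LINE%%:*}
            # printf instead of echo: the passwd line is data, never an echo option,
            # and it must not be glob-expanded
            DIR=$(printf '%s\n' "${LINE}" | ${CUTBINARY} -d: -f6)
            LogText "Test: checking directory '${DIR}' for user '${USER}'"
            if [ -d "${DIR}" ]; then
                # Mode string of ls -ld (e.g. drwxr-x---): character 6 is the group
                # write bit, characters 8-10 are the permissions for others. One ls
                # call feeds both values so they cannot come from different runs.
                MODE=$(${LSBINARY} -ld "${DIR}" | ${CUTBINARY} -f1 -d" ")
                if [ -z "${MODE}" ]; then
                    LogText "Result: could not read permissions of home directory ${DIR} of user ${USER}"
                else
                    WRITE_GROUP_PERM=$(printf '%s\n' "${MODE}" | ${CUTBINARY} -c6)
                    OTHER_PERMS=$(printf '%s\n' "${MODE}" | ${CUTBINARY} -c8-10)
                    # 750 or stricter means: no group write bit and nothing for others
                    if [ "${WRITE_GROUP_PERM}" != "-" ] || [ "${OTHER_PERMS}" != "---" ]; then
                        LogText "Result: permissions of home directory ${DIR} of user ${USER} are not strict enough. Should be 750 or more restrictive. Change with: chmod 750 ${DIR}"
                        FOUND=1
                    else
                        LogText "Result: permissions of home directory ${DIR} of user ${USER} are fine"
                    fi
                fi
            fi
        done << EOF
${USERDATA}
EOF

        if [ "${FOUND}" -eq 1 ]; then
            Display --indent 2 --text "- Permissions of home directories" --result "${STATUS_WARNING}" --color RED
            ReportSuggestion "${TEST_NO}" "Double check the permissions of home directories as some might be not strict enough."
        else
            Display --indent 2 --text "- Permissions of home directories" --result "${STATUS_OK}" --color GREEN
            LogText "Result: OK, all permissions of the home directories are 750 or more restrictive"
        fi
    fi
#
#################################################################################
#
    # Test        : HOME-9306
    # Description : Check if users own their home directories
    Register --test-no HOME-9306 --weight L --network NO --category security --description "Check if users own their home directories"
    if [ "${SKIPTEST}" -eq 0 ]; then
        # Check if users own their home directories
        FOUND=0
        # Same account selection as HOME-9304 (exact names, interactive shells only)
        USERDATA=$(${EGREPBINARY} -v '^(daemon|git|halt|root|shutdown|sync):' "${ROOTDIR}etc/passwd" | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }')
        while read -r LINE; do
            if [ -z "${LINE}" ]; then continue; fi
            USER=${LINE%%:*}
            DIR=$(printf '%s\n' "${LINE}" | ${CUTBINARY} -d: -f6)
            LogText "Test: checking directory '${DIR}' for user '${USER}'"
            if [ -d "${DIR}" ]; then
                # Third column of ls -ld is the owner. Use the binaries resolved by
                # Lynis (as the other tests do) rather than bare ls/awk from PATH.
                OWNER=$(${LSBINARY} -ld "${DIR}" | ${AWKBINARY} '{ print $3 }')
                if [ "${OWNER}" != "${USER}" ]; then
                    LogText "Result: the home directory ${DIR} of user ${USER} is owned by ${OWNER}. Correct: chown ${USER} ${DIR}"
                    FOUND=1
                else
                    LogText "Result: ownership of home directory ${DIR} for user ${USER} looks to be correct"
                fi
            fi
        done << EOF
${USERDATA}
EOF

        if [ "${FOUND}" -eq 1 ]; then
            Display --indent 2 --text "- Ownership of home directories" --result "${STATUS_WARNING}" --color RED
            ReportSuggestion "${TEST_NO}" "Double check the ownership of home directories as some might be incorrect."
        else
            Display --indent 2 --text "- Ownership of home directories" --result "${STATUS_OK}" --color GREEN
            LogText "Result: OK, all users own their home directories"
        fi
    fi
#
#################################################################################
#
    # Test        : HOME-9310
    # Description : Check for suspicious shell history files
    Register --test-no HOME-9310 --weight L --network NO --category security --description "Checking for suspicious shell history files"
    if [ "${SKIPTEST}" -eq 0 ]; then
        if [ -n "${HOMEDIRS}" ]; then
            # HOMEDIRS is a space separated list of directories and is deliberately
            # left unquoted so that find receives one argument per directory
            if [ "${OS}" = "Solaris" ]; then
                # Solaris doesn't support -maxdepth
                # shellcheck disable=SC2086
                FIND=$(${FINDBINARY} ${HOMEDIRS} -name ".*history" ! -type f -print)
            else
                # shellcheck disable=SC2086
                FIND=$(${FINDBINARY} ${HOMEDIRS} -maxdepth 1 -name ".*history" ! -type f -print)
            fi
            if [ -z "${FIND}" ]; then
                Display --indent 2 --text "- Checking shell history files" --result "${STATUS_OK}" --color GREEN
                LogText "Result: Ok, history files are type 'file'."
            else
                Display --indent 2 --text "- Checking shell history files" --result "${STATUS_WARNING}" --color RED
                LogText "Result: the following files seem to be of the wrong file type:"
                LogText "Output: ${FIND}"
                LogText "Info: above files could be redirected files to avoid logging and should be investigated"
                ReportWarning "${TEST_NO}" "Incorrect file type found for shell history file"
            fi
            LogText "Remark: History files are normally of the type 'file'. Symbolic links and other types are suspicious."
        else
            Display --indent 2 --text "- Checking shell history files" --result "${STATUS_SKIPPED}" --color WHITE
            LogText "Result: Homedirs is empty, therefore test will be skipped"
        fi
    fi
#
#################################################################################
#
    # Test        : HOME-9314
    # Description : Check if non local paths are found in PATH, which can be a risk, but also bad for performance
    #               (like searching on a filer, instead of local disk)
    #Register --test-no HOME-9314 --weight L --network NO --category security --description "Create list with home directories"
#
#################################################################################
#
    # Test        : HOME-9350
    # Description : Scan home directories for specific files, used in different tests later
    # Notes       : For performance reasons we combine the scanning of different files, so inode caching is used
    #               as much as possible for every find command
    # Profile opt : ignore-home-dir (multiple lines allowed), ignores home directory
    if [ -n "${REPORTFILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no HOME-9350 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Collecting information from home directories"
    if [ "${SKIPTEST}" -eq 0 ]; then
        # One value per matching line; the result replaces the default list set
        # at the top of this file.
        # NOTE(review): the profile option is read from ${REPORTFILE}, not from a
        # profile file - confirm that the core copies profile settings there.
        IGNORE_HOME_DIRS=$(${GREPBINARY} "^ignore-home-dir=" "${REPORTFILE}" | ${AWKBINARY} -F= '{ print $2 }')
        if [ -z "${IGNORE_HOME_DIRS}" ]; then
            LogText "Result: IGNORE_HOME_DIRS empty, no paths excluded"
        else
            LogText "Output: ${IGNORE_HOME_DIRS}"
        fi
    fi
#
#################################################################################
#

WaitForKeyPress

#
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com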