1#!/bin/sh 2 3################################################################################# 4# 5# Lynis 6# ------------------ 7# 8# Copyright 2007-2013, Michael Boelen 9# Copyright 2007-2021, CISOfy 10# 11# Website : https://cisofy.com 12# Blog : http://linux-audit.com 13# GitHub : https://github.com/CISOfy/lynis 14# 15# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are 16# welcome to redistribute it under the terms of the GNU General Public License. 17# See LICENSE file for usage of this software. 18# 19################################################################################# 20# 21 APPARMORFOUND=0 # Set default for test MACF-6208 22 MAC_FRAMEWORK_ACTIVE=0 # Default no MAC framework active 23 RBAC_FRAMEWORK_ACTIVE=0 # Default no RBAC framework active 24 SELINUXFOUND=0 25 TOMOYOFOUND=0 26 27 InsertSection "${SECTION_SECURITY_FRAMEWORKS}" 28# 29################################################################################# 30# 31 # Test : MACF-6204 32 # Description : Check if AppArmor is installed 33 Register --test-no MACF-6204 --weight L --network NO --category security --description "Check AppArmor presence" 34 if [ ${SKIPTEST} -eq 0 ]; then 35 if [ -z "${AASTATUSBINARY}" ]; then 36 APPARMORFOUND=0 37 LogText "Result: aa-status binary not found, AppArmor not installed" 38 Display --indent 2 --text "- Checking presence AppArmor" --result "${STATUS_NOT_FOUND}" --color WHITE 39 else 40 APPARMORFOUND=1 41 LogText "Result: aa-status binary found, AppArmor is installed" 42 Display --indent 2 --text "- Checking presence AppArmor" --result "${STATUS_FOUND}" --color GREEN 43 fi 44 fi 45# 46################################################################################# 47# 48 # Test : MACF-6208 49 # Description : Check AppArmor active status 50 if [ ${APPARMORFOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi 51 Register --test-no MACF-6208 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check if AppArmor is enabled" 52 if [ ${SKIPTEST} -eq 0 ]; then 53 if [ -n "${AASTATUSBINARY}" ]; then 54 CAN_READ_FILE=0 55 FILE="/sys/kernel/security/apparmor/profiles" 56 if [ -f ${FILE} ]; then 57 FIND=$(${CAT_BINARY} ${FILE} 2> /dev/null) 58 if [ $? -eq 0 ]; then CAN_READ_FILE=1; fi 59 else 60 LogText "File ${FILE} does not exist" 61 fi 62 if [ ${CAN_READ_FILE} -eq 1 ]; then 63 LogText "Result: file ${FILE} is available and readable" 64 # Checking AppArmor status 65 # 0 if apparmor is enabled and policy is loaded. 66 # 1 if apparmor is not enabled/loaded. 67 # 2 if apparmor is enabled but no policy is loaded. 68 # 3 if control files are not available 69 # 4 if apparmor status can't be read 70 FIND=$(${AASTATUSBINARY} 2>&1 > /dev/null) 71 if [ $? -eq 0 ]; then 72 MAC_FRAMEWORK_ACTIVE=1 73 LogText "Result: AppArmor is enabled and a policy is loaded" 74 Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_ENABLED}" --color GREEN 75 Report "apparmor_enabled=1" 76 Report "apparmor_policy_loaded=1" 77 AddHP 3 3 78 # ignore kernel threads (Parent PID = 2 [kthreadd]) 79 NUNCONFINED=$(${PSBINARY} -N --ppid 2 -o label | ${GREPBINARY} '^unconfined' | ${WCBINARY} -l) 80 Display --indent 8 --text "Found ${NUNCONFINED} unconfined processes" 81 for PROCESS in $(${PSBINARY} -N --ppid 2 -o label:1,pid,comm | ${GREPBINARY} '^unconfined' | ${TRBINARY} ' ' ':'); do 82 LogText "Result: Unconfined process: ${PROCESS}" 83 done 84 elif [ $? -eq 4 ]; then 85 LogText "Result: Can not determine status, most likely due to lacking permissions" 86 Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_UNKNOWN}" --color RED 87 elif [ $? -eq 3 ]; then 88 LogText "Result: Can not check control files" 89 Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_UNKNOWN}" --color RED 90 elif [ $? -eq 2 ]; then 91 LogText "Result: AppArmor is enabled, but no policy is loaded" 92 ReportSuggestion "${TEST_NO}" "Load AppArmor policies" 93 Display --indent 4 --text "- Checking AppArmor status" --result "NON-ACTIVE" --color GREEN 94 Report "apparmor_enabled=1" 95 Report "apparmor_policy_loaded=0" 96 AddHP 0 3 97 elif [ $? -eq 1 ]; then 98 LogText "Result: AppArmor is disabled" 99 Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_DISABLED}" --color YELLOW 100 Report "apparmor_enabled=0" 101 AddHP 0 3 102 else 103 Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_UNKNOWN}" --color RED 104 ReportException "${TEST_NO}:1" "Invalid or unknown AppArmor status detected" 105 fi 106 else 107 LogText "Result: could not find or read ${FILE}" 108 Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_UNKNOWN}" --color YELLOW 109 ReportSuggestion "${TEST_NO}" "Check output of aa-status" "${FILE}" "text:Run aa-status" 110 fi 111 else 112 LogText "Result: no aa-status binary available" 113 fi 114 fi 115# 116################################################################################# 117# 118 # Test : MACF-6232 119 # Description : Check SELINUX for installation 120 Register --test-no MACF-6232 --weight L --network NO --category security --description "Check SELINUX presence" 121 if [ ${SKIPTEST} -eq 0 ]; then 122 LogText "Test: checking if we have sestatus binary" 123 if [ -n "${SESTATUSBINARY}" ]; then 124 LogText "Result: found sestatus binary (${SESTATUSBINARY})" 125 Display --indent 2 --text "- Checking presence SELinux" --result "${STATUS_FOUND}" --color GREEN 126 else 127 LogText "Result: sestatus binary NOT found" 128 Display --indent 2 --text "- Checking presence SELinux" --result "${STATUS_NOT_FOUND}" --color WHITE 129 fi 130 fi 131# 132################################################################################# 133# 134 # Test : MACF-6234 135 # Description : Check SELINUX status 136 if HasData "${SESTATUSBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi 137 Register --test-no MACF-6234 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SELINUX status" 138 if [ ${SKIPTEST} -eq 0 ]; then 139 # Status: Enabled/Disabled 140 FIND=$(${SESTATUSBINARY} | ${GREPBINARY} "^SELinux status" | ${AWKBINARY} '{ print $3 }') 141 if [ "${FIND}" = "enabled" ]; then 142 MAC_FRAMEWORK_ACTIVE=1 143 LogText "Result: SELinux framework is enabled" 144 Report "selinux_status=1" 145 SELINUXFOUND=1 146 Display --indent 4 --text "- Checking SELinux status" --result "${STATUS_ENABLED}" --color GREEN 147 FIND=$(${SESTATUSBINARY} | ${GREPBINARY} "^Current mode" | ${AWKBINARY} '{ print $3 }') 148 Report "selinux_mode=${FIND}" 149 FIND2=$(${SESTATUSBINARY} | ${GREPBINARY} "^Mode from config file" | ${AWKBINARY} '{ print $5 }') 150 LogText "Result: current SELinux mode is ${FIND}" 151 LogText "Result: mode configured in config file is ${FIND2}" 152 if [ "${FIND}" = "${FIND2}" ]; then 153 LogText "Result: Current SELinux mode is the same as in config file." 154 Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_OK}" --color GREEN 155 else 156 LogText "Result: Current SELinux mode (${FIND}) is NOT the same as in config file (${FIND2})." 157 ReportWarning "${TEST_NO}" "Current SELinux mode is different from config file (current: ${FIND}, config file: ${FIND2})" 158 Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_WARNING}" --color RED 159 fi 160 Display --indent 8 --text "Current SELinux mode: ${FIND}" 161 PERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${TRBINARY} '\n' ' ') 162 NPERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${WCBINARY} -l) 163 Display --indent 8 --text "Found ${NPERMISSIVE} permissive SELinux object types" 164 LogText "Permissive SELinux object types: ${PERMISSIVE}" 165 UNCONFINED=$(${PSBINARY} -eo label,pid,command | ${GREPBINARY} '[u]nconfined_t' | ${TRBINARY} '\n' ' ') 166 INITRC=$(${PSBINARY} -eo label,pid,command | ${GREPBINARY} '[i]nitrc_t' | ${TRBINARY} '\n' ' ') 167 NUNCONFINED=$(${PSBINARY} -eo label | ${GREPBINARY} '[u]nconfined_t' | ${WCBINARY} -l) 168 NINITRC=$(${PSBINARY} -eo label | ${GREPBINARY} '[i]nitrc_t' | ${WCBINARY} -l) 169 Display --indent 8 --text "Found ${NUNCONFINED} unconfined and ${NINITRC} initrc_t processes" 170 LogText "Unconfined processes: ${UNCONFINED}" 171 LogText "Processes with initrc_t type: ${INITRC}" 172 else 173 LogText "Result: SELinux framework is disabled" 174 Display --indent 4 --text "- Checking SELinux status" --result "${STATUS_DISABLED}" --color YELLOW 175 fi 176 fi 177# 178################################################################################# 179# 180 # Test : MACF-6240 181 # Description : Check if the tomoyo-init binary is available on the system 182 Register --test-no MACF-6240 --weight L --network NO --category security --description "Check TOMOYO Linux presence" 183 if [ ${SKIPTEST} -eq 0 ]; then 184 LogText "Test: checking if we have tomoyo-init binary" 185 if [ -z "${TOMOYOINITBINARY}" ]; then 186 TOMOYOFOUND=0 187 LogText "Result: tomoyo-init binary not found" 188 Display --indent 2 --text "- Checking presence TOMOYO Linux" --result "${STATUS_NOT_FOUND}" --color WHITE 189 else 190 TOMOYOFOUND=1 191 LogText "Result: tomoyo-init binary found" 192 Display --indent 2 --text "- Checking presence TOMOYO Linux" --result "${STATUS_FOUND}" --color GREEN 193 fi 194 fi 195# 196################################################################################# 197# 198 # Test : MACF-6242 199 # Description : Check TOMOYO Linux status 200 if [ ${TOMOYOFOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi 201 Register --test-no MACF-6242 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check TOMOYO Linux status" 202 if [ ${SKIPTEST} -eq 0 ]; then 203 FILE="/sys/kernel/security/tomoyo/stat" 204 if [ -f ${FILE} ]; then 205 MAC_FRAMEWORK_ACTIVE=1 206 LogText "Result: TOMOYO Linux is enabled" 207 Display --indent 4 --text "- Checking TOMOYO Linux status" --result "${STATUS_ENABLED}" --color GREEN 208 Report "tomoyo_enabled=1" 209 if [ ! -z ${TOMOYOPSTREEBINARY} ]; then 210 NUNCONFINED=$(${TOMOYOPSTREEBINARY} | ${GREPBINARY} -v '^ 3 ' | ${WCBINARY} -l) 211 Display --indent 8 --text "Found ${NUNCONFINED} unconfined (not profile 3) processes" 212 for PROCESS in $(${TOMOYOPSTREEBINARY} | ${GREPBINARY} -v '^ 3 ' | ${SEDBINARY} -e 's/+-//g' -e 's/^ *//g' -e 's/ \+/:/g' | ${SORTBINARY}); do 213 LogText "Result: Unconfined process: ${PROCESS}" 214 done 215 fi 216 AddHP 3 3 217 else 218 LogText "Result: TOMOYO Linux is disabled" 219 Display --indent 4 --text "- Checking TOMOYO Linux status" --result "${STATUS_DISABLED}" --color YELLOW 220 Report "tomoyo_enabled=0" 221 AddHP 0 3 222 fi 223 fi 224# 225################################################################################# 226# 227 # Test : RBAC-6272 228 # Description : Check if grsecurity is installed 229 # Notes : We already checked grsecurity in osdetection 230 Register --test-no RBAC-6272 --weight L --network NO --category security --description "Check grsecurity presence" 231 if [ ${SKIPTEST} -eq 0 ]; then 232 # Check Linux kernel configuration 233 if [ -n "${LINUXCONFIGFILE}" -a -f "${LINUXCONFIGFILE}" ]; then 234 FIND=$(${GREPBINARY} ^CONFIG_GRKERNSEC=y ${LINUXCONFIGFILE}) 235 if [ ! "${FIND}" = "" ]; then 236 LogText "Result: grsecurity available (in kernel config)" 237 GRSEC_FOUND=1 238 else 239 LogText "Result: no grsecurity found in kernel config" 240 fi 241 fi 242 if [ ${GRSEC_FOUND} -eq 1 ]; then 243 Display --indent 2 --text "- Checking presence grsecurity" --result "${STATUS_FOUND}" --color GREEN 244 AddHP 3 3 245 else 246 Display --indent 2 --text "- Checking presence grsecurity" --result "${STATUS_NOT_FOUND}" --color WHITE 247 fi 248 if HasData "${GRADMBINARY}"; then 249 FIND=$(${GRADMBINARY} --status 2>/dev/null) 250 if [ "${FIND}" = "The RBAC system is currently enabled." ]; then 251 MAC_FRAMEWORK_ACTIVE=1 252 fi 253 fi 254 fi 255# 256################################################################################# 257# 258 # Test : MACF-6290 259 # Description : Check if at least one MAC framework is implemented 260 Register --test-no MACF-6290 --weight L --network NO --category security --description "Check for implemented MAC framework" 261 if [ ${SKIPTEST} -eq 0 ]; then 262 if [ ${MAC_FRAMEWORK_ACTIVE} -eq 1 ]; then 263 Display --indent 2 --text "- Checking for implemented MAC framework" --result "${STATUS_OK}" --color GREEN 264 AddHP 3 3 265 LogText "Result: found implemented MAC framework" 266 else 267 Display --indent 2 --text "- Checking for implemented MAC framework" --result "${STATUS_NONE}" --color YELLOW 268 AddHP 2 3 269 LogText "Result: found no implemented MAC framework" 270 fi 271 fi 272# 273################################################################################# 274# 275 276Report "framework_grsecurity=${GRSEC_FOUND}" 277Report "framework_selinux=${SELINUXFOUND}" 278 279WaitForKeyPress 280 281# 282#================================================================================ 283# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com 284