1#!/bin/sh
2
3#################################################################################
4#
5#   Lynis
6# ------------------
7#
8# Copyright 2007-2013, Michael Boelen
9# Copyright 2007-2021, CISOfy
10#
11# Website  : https://cisofy.com
12# Blog     : http://linux-audit.com
13# GitHub   : https://github.com/CISOfy/lynis
14#
15# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
16# welcome to redistribute it under the terms of the GNU General Public License.
17# See LICENSE file for usage of this software.
18#
19#################################################################################
20#
21    APPARMORFOUND=0                     # Set default for test MACF-6208
22    MAC_FRAMEWORK_ACTIVE=0              # Default no MAC framework active
23    RBAC_FRAMEWORK_ACTIVE=0             # Default no RBAC framework active
24    SELINUXFOUND=0
25    TOMOYOFOUND=0
26
27    InsertSection "${SECTION_SECURITY_FRAMEWORKS}"
28#
29#################################################################################
30#
31    # Test        : MACF-6204
32    # Description : Check if AppArmor is installed
33    Register --test-no MACF-6204 --weight L --network NO --category security --description "Check AppArmor presence"
34    if [ ${SKIPTEST} -eq 0 ]; then
35        if [ -z "${AASTATUSBINARY}" ]; then
36            APPARMORFOUND=0
37            LogText "Result: aa-status binary not found, AppArmor not installed"
38            Display --indent 2 --text "- Checking presence AppArmor" --result "${STATUS_NOT_FOUND}" --color WHITE
39        else
40            APPARMORFOUND=1
41            LogText "Result: aa-status binary found, AppArmor is installed"
42            Display --indent 2 --text "- Checking presence AppArmor" --result "${STATUS_FOUND}" --color GREEN
43        fi
44    fi
45#
46#################################################################################
47#
48    # Test        : MACF-6208
49    # Description : Check AppArmor active status
50    if [ ${APPARMORFOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
51    Register --test-no MACF-6208 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check if AppArmor is enabled"
52    if [ ${SKIPTEST} -eq 0 ]; then
53        if [ -n "${AASTATUSBINARY}" ]; then
54            CAN_READ_FILE=0
55            FILE="/sys/kernel/security/apparmor/profiles"
56            if [ -f ${FILE} ]; then
57                FIND=$(${CAT_BINARY} ${FILE} 2> /dev/null)
58                if [ $? -eq 0 ]; then CAN_READ_FILE=1; fi
59            else
60                LogText "File ${FILE} does not exist"
61            fi
62            if [ ${CAN_READ_FILE} -eq 1 ]; then
63                LogText "Result: file ${FILE} is available and readable"
64                # Checking AppArmor status
65                # 0 if apparmor is enabled and policy is loaded.
66                # 1 if apparmor is not enabled/loaded.
67                # 2 if apparmor is enabled but no policy is loaded.
68                # 3 if control files are not available
69                # 4 if apparmor status can't be read
70                FIND=$(${AASTATUSBINARY} 2>&1 > /dev/null)
71                if [ $? -eq 0 ]; then
72                    MAC_FRAMEWORK_ACTIVE=1
73                    LogText "Result: AppArmor is enabled and a policy is loaded"
74                    Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_ENABLED}" --color GREEN
75                    Report "apparmor_enabled=1"
76                    Report "apparmor_policy_loaded=1"
77                    AddHP 3 3
78                    # ignore kernel threads (Parent PID = 2 [kthreadd])
79                    NUNCONFINED=$(${PSBINARY} -N --ppid 2 -o label | ${GREPBINARY} '^unconfined' | ${WCBINARY} -l)
80                    Display --indent 8 --text "Found ${NUNCONFINED} unconfined processes"
81                    for PROCESS in $(${PSBINARY} -N --ppid 2 -o label:1,pid,comm | ${GREPBINARY} '^unconfined' | ${TRBINARY} ' ' ':'); do
82                        LogText "Result: Unconfined process: ${PROCESS}"
83                    done
84                elif [ $? -eq 4 ]; then
85                    LogText "Result: Can not determine status, most likely due to lacking permissions"
86                    Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_UNKNOWN}" --color RED
87                elif [ $? -eq 3 ]; then
88                    LogText "Result: Can not check control files"
89                    Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_UNKNOWN}" --color RED
90                elif [ $? -eq 2 ]; then
91                    LogText "Result: AppArmor is enabled, but no policy is loaded"
92                    ReportSuggestion "${TEST_NO}" "Load AppArmor policies"
93                    Display --indent 4 --text "- Checking AppArmor status" --result "NON-ACTIVE" --color GREEN
94                    Report "apparmor_enabled=1"
95                    Report "apparmor_policy_loaded=0"
96                    AddHP 0 3
97                elif [ $? -eq 1 ]; then
98                    LogText "Result: AppArmor is disabled"
99                    Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_DISABLED}" --color YELLOW
100                    Report "apparmor_enabled=0"
101                    AddHP 0 3
102                else
103                    Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_UNKNOWN}" --color RED
104                    ReportException "${TEST_NO}:1" "Invalid or unknown AppArmor status detected"
105                fi
106            else
107                LogText "Result: could not find or read ${FILE}"
108                Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_UNKNOWN}" --color YELLOW
109                ReportSuggestion "${TEST_NO}" "Check output of aa-status" "${FILE}" "text:Run aa-status"
110            fi
111        else
112            LogText "Result: no aa-status binary available"
113        fi
114    fi
115#
116#################################################################################
117#
118    # Test        : MACF-6232
119    # Description : Check SELINUX for installation
120    Register --test-no MACF-6232 --weight L --network NO --category security --description "Check SELINUX presence"
121    if [ ${SKIPTEST} -eq 0 ]; then
122        LogText "Test: checking if we have sestatus binary"
123        if [ -n "${SESTATUSBINARY}" ]; then
124            LogText "Result: found sestatus binary (${SESTATUSBINARY})"
125            Display --indent 2 --text "- Checking presence SELinux" --result "${STATUS_FOUND}" --color GREEN
126        else
127            LogText "Result: sestatus binary NOT found"
128            Display --indent 2 --text "- Checking presence SELinux" --result "${STATUS_NOT_FOUND}" --color WHITE
129        fi
130    fi
131#
132#################################################################################
133#
134    # Test        : MACF-6234
135    # Description : Check SELINUX status
136    if HasData "${SESTATUSBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
137    Register --test-no MACF-6234 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SELINUX status"
138    if [ ${SKIPTEST} -eq 0 ]; then
139        # Status: Enabled/Disabled
140        FIND=$(${SESTATUSBINARY} | ${GREPBINARY} "^SELinux status" | ${AWKBINARY} '{ print $3 }')
141        if [ "${FIND}" = "enabled" ]; then
142            MAC_FRAMEWORK_ACTIVE=1
143            LogText "Result: SELinux framework is enabled"
144            Report "selinux_status=1"
145            SELINUXFOUND=1
146            Display --indent 4 --text "- Checking SELinux status" --result "${STATUS_ENABLED}" --color GREEN
147            FIND=$(${SESTATUSBINARY} | ${GREPBINARY} "^Current mode" | ${AWKBINARY} '{ print $3 }')
148            Report "selinux_mode=${FIND}"
149            FIND2=$(${SESTATUSBINARY} | ${GREPBINARY} "^Mode from config file" | ${AWKBINARY} '{ print $5 }')
150            LogText "Result: current SELinux mode is ${FIND}"
151            LogText "Result: mode configured in config file is ${FIND2}"
152            if [ "${FIND}" = "${FIND2}" ]; then
153                LogText "Result: Current SELinux mode is the same as in config file."
154                Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_OK}" --color GREEN
155            else
156                LogText "Result: Current SELinux mode (${FIND}) is NOT the same as in config file (${FIND2})."
157                ReportWarning "${TEST_NO}" "Current SELinux mode is different from config file (current: ${FIND}, config file: ${FIND2})"
158                Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_WARNING}" --color RED
159            fi
160            Display --indent 8 --text "Current SELinux mode: ${FIND}"
161            PERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${TRBINARY} '\n' ' ')
162            NPERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${WCBINARY} -l)
163            Display --indent 8 --text "Found ${NPERMISSIVE} permissive SELinux object types"
164            LogText "Permissive SELinux object types: ${PERMISSIVE}"
165            UNCONFINED=$(${PSBINARY} -eo label,pid,command | ${GREPBINARY} '[u]nconfined_t' | ${TRBINARY} '\n' ' ')
166            INITRC=$(${PSBINARY} -eo label,pid,command | ${GREPBINARY} '[i]nitrc_t' | ${TRBINARY} '\n' ' ')
167            NUNCONFINED=$(${PSBINARY} -eo label | ${GREPBINARY} '[u]nconfined_t' | ${WCBINARY} -l)
168            NINITRC=$(${PSBINARY} -eo label | ${GREPBINARY} '[i]nitrc_t' | ${WCBINARY} -l)
169            Display --indent 8 --text "Found ${NUNCONFINED} unconfined and ${NINITRC} initrc_t processes"
170            LogText "Unconfined processes: ${UNCONFINED}"
171            LogText "Processes with initrc_t type: ${INITRC}"
172        else
173            LogText "Result: SELinux framework is disabled"
174            Display --indent 4 --text "- Checking SELinux status" --result "${STATUS_DISABLED}" --color YELLOW
175        fi
176    fi
177#
178#################################################################################
179#
180    # Test        : MACF-6240
181    # Description : Check if the tomoyo-init binary is available on the system
182    Register --test-no MACF-6240 --weight L --network NO --category security --description "Check TOMOYO Linux presence"
183    if [ ${SKIPTEST} -eq 0 ]; then
184        LogText "Test: checking if we have tomoyo-init binary"
185        if [ -z "${TOMOYOINITBINARY}" ]; then
186            TOMOYOFOUND=0
187            LogText "Result: tomoyo-init binary not found"
188            Display --indent 2 --text "- Checking presence TOMOYO Linux" --result "${STATUS_NOT_FOUND}" --color WHITE
189        else
190            TOMOYOFOUND=1
191            LogText "Result: tomoyo-init binary found"
192            Display --indent 2 --text "- Checking presence TOMOYO Linux" --result "${STATUS_FOUND}" --color GREEN
193        fi
194    fi
195#
196#################################################################################
197#
198    # Test        : MACF-6242
199    # Description : Check TOMOYO Linux status
200    if [ ${TOMOYOFOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
201    Register --test-no MACF-6242 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check TOMOYO Linux status"
202    if [ ${SKIPTEST} -eq 0 ]; then
203        FILE="/sys/kernel/security/tomoyo/stat"
204        if [ -f ${FILE} ]; then
205            MAC_FRAMEWORK_ACTIVE=1
206            LogText "Result: TOMOYO Linux is enabled"
207            Display --indent 4 --text "- Checking TOMOYO Linux status" --result "${STATUS_ENABLED}" --color GREEN
208            Report "tomoyo_enabled=1"
209            if [ ! -z ${TOMOYOPSTREEBINARY} ]; then
210                NUNCONFINED=$(${TOMOYOPSTREEBINARY} | ${GREPBINARY} -v '^  3 ' | ${WCBINARY} -l)
211                Display --indent 8 --text "Found ${NUNCONFINED} unconfined (not profile 3) processes"
212                for PROCESS in $(${TOMOYOPSTREEBINARY} | ${GREPBINARY} -v '^  3 ' | ${SEDBINARY} -e 's/+-//g' -e 's/^ *//g' -e 's/ \+/:/g' | ${SORTBINARY}); do
213                    LogText "Result: Unconfined process: ${PROCESS}"
214                done
215            fi
216            AddHP 3 3
217        else
218            LogText "Result: TOMOYO Linux is disabled"
219            Display --indent 4 --text "- Checking TOMOYO Linux status" --result "${STATUS_DISABLED}" --color YELLOW
220            Report "tomoyo_enabled=0"
221            AddHP 0 3
222        fi
223    fi
224#
225#################################################################################
226#
227    # Test        : RBAC-6272
228    # Description : Check if grsecurity is installed
229    # Notes       : We already checked grsecurity in osdetection
230    Register --test-no RBAC-6272 --weight L --network NO --category security --description "Check grsecurity presence"
231    if [ ${SKIPTEST} -eq 0 ]; then
232        # Check Linux kernel configuration
233        if [ -n "${LINUXCONFIGFILE}" -a -f "${LINUXCONFIGFILE}" ]; then
234            FIND=$(${GREPBINARY} ^CONFIG_GRKERNSEC=y ${LINUXCONFIGFILE})
235            if [ ! "${FIND}" = "" ]; then
236                LogText "Result: grsecurity available (in kernel config)"
237                GRSEC_FOUND=1
238            else
239                LogText "Result: no grsecurity found in kernel config"
240            fi
241        fi
242        if [ ${GRSEC_FOUND} -eq 1 ]; then
243            Display --indent 2 --text "- Checking presence grsecurity" --result "${STATUS_FOUND}" --color GREEN
244            AddHP 3 3
245        else
246            Display --indent 2 --text "- Checking presence grsecurity" --result "${STATUS_NOT_FOUND}" --color WHITE
247        fi
248        if HasData "${GRADMBINARY}"; then
249            FIND=$(${GRADMBINARY} --status 2>/dev/null)
250            if [ "${FIND}" = "The RBAC system is currently enabled." ]; then
251                MAC_FRAMEWORK_ACTIVE=1
252            fi
253        fi
254    fi
255#
256#################################################################################
257#
258    # Test        : MACF-6290
259    # Description : Check if at least one MAC framework is implemented
260    Register --test-no MACF-6290 --weight L --network NO --category security --description "Check for implemented MAC framework"
261    if [ ${SKIPTEST} -eq 0 ]; then
262        if [ ${MAC_FRAMEWORK_ACTIVE} -eq 1 ]; then
263            Display --indent 2 --text "- Checking for implemented MAC framework" --result "${STATUS_OK}" --color GREEN
264            AddHP 3 3
265            LogText "Result: found implemented MAC framework"
266        else
267            Display --indent 2 --text "- Checking for implemented MAC framework" --result "${STATUS_NONE}" --color YELLOW
268            AddHP 2 3
269            LogText "Result: found no implemented MAC framework"
270        fi
271     fi
272#
273#################################################################################
274#
275
276Report "framework_grsecurity=${GRSEC_FOUND}"
277Report "framework_selinux=${SELINUXFOUND}"
278
279WaitForKeyPress
280
281#
282#================================================================================
283# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
284