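#!/bin/sh

#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
#
# Website  : https://cisofy.com
# Blog     : http://linux-audit.com
# GitHub   : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Shells
#
# Sourced by the Lynis main program. The helper functions used below (Register,
# LogText, Display, Report, ReportWarning, AddHP, IsRunning, IsEmpty,
# InsertSection, WaitForKeyPress) and the variables ROOTDIR, SKIPTEST, TEST_NO,
# SECTION_SHELLS, the STATUS_* strings and the *BINARY tool paths are provided
# by the caller.
#
#################################################################################
#
    # Reported at the end of this file, so it needs a value even when SHLL-6220 is skipped
    IDLE_TIMEOUT=0
    InsertSection "${SECTION_SHELLS}"
#
#################################################################################
#
    # bash
    # Files (interactive login shells): /etc/profile $HOME/.bash_profile
    #                                   $HOME/.bash_login $HOME/.profile
    # Files (interactive non-login shells): $HOME/.bash_rc
    #
    # csh/tcsh
    # Files: /etc/csh.cshrc /etc/csh.login
    #
    # zsh
    # Files: /etc/zshenv /etc/zsh/zshenv $HOME/.zshenv /etc/zprofile
    #        /etc/zsh/zprofile $HOME/.zprofile /etc/zshrc /etc/zsh/zshrc
    #        $ZDOTDIR/.zshrc /etc/zlogin /etc/zsh/zlogin

    # Candidate login files; not referenced by the tests in this file
    SHELL_LOGIN_FILES="${ROOTDIR}etc/csh.cshrc ${ROOTDIR}etc/csh.login ${ROOTDIR}etc/zshenv ${ROOTDIR}etc/zsh/zshenv
                       ${ROOTDIR}etc/zprofile ${ROOTDIR}etc/zsh/zprofile ${ROOTDIR}etc/zshrc ${ROOTDIR}etc/zsh/zshrc
                       ${ROOTDIR}etc/zlogin ${ROOTDIR}etc/zsh/zlogin"
#
#################################################################################
#

    # Test        : SHLL-6202
    # Description : check all console TTYs in which root user can enter single user mode without password
    # Note        : a console line marked 'secure' in ${ROOTDIR}etc/ttys lets root enter single
    #               user mode without a password; 'insecure' forces a password prompt
    Register --test-no SHLL-6202 --os FreeBSD --weight L --network NO --category security --description "Check console TTYs"
    if [ "${SKIPTEST}" -eq 0 ]; then
        LogText "Test: Checking console TTYs"
        if [ -f "${ROOTDIR}etc/ttys" ]; then
            # Console lines that do not carry 'insecure' are the unprotected ('secure') ones
            FIND=$(${EGREPBINARY} '^console' "${ROOTDIR}etc/ttys" | ${GREPBINARY} -v 'insecure')
            if [ -z "${FIND}" ]; then
                Display --indent 2 --text "- Checking console TTYs" --result "${STATUS_OK}" --color GREEN
                LogText "Result: console is secured against single user mode without password."
            else
                Display --indent 2 --text "- Checking console TTYs" --result "${STATUS_WARNING}" --color RED
                LogText "Result: Found insecure console in ${ROOTDIR}etc/ttys. Single user mode login without password allowed!"
                LogText "Output ${ROOTDIR}etc/ttys:"
                LogText "${FIND}"
                ReportWarning "${TEST_NO}" "Found unprotected console in ${ROOTDIR}etc/ttys"
                LogText "Possible solution: Change the console line from 'secure' to 'insecure'."
            fi
        else
            # Without the file there is nothing to judge; do not report a false OK
            LogText "Result: ${ROOTDIR}etc/ttys not found, skipping test"
        fi
    fi
#
#################################################################################
#
    # Test        : SHLL-6211
    # Description : Determine available shell according /etc/shells
    Register --test-no SHLL-6211 --weight L --network NO --category security --description "Available and valid shells"
    if [ "${SKIPTEST}" -eq 0 ]; then
        LogText "Test: Searching for ${ROOTDIR}etc/shells"
        if [ -f "${ROOTDIR}etc/shells" ]; then
            LogText "Result: Found ${ROOTDIR}etc/shells file"
            LogText "Test: Reading available shells from ${ROOTDIR}etc/shells"
            # Only absolute paths are taken; comments and blank lines do not match the anchor
            SSHELLS=$(${GREPBINARY} "^/" "${ROOTDIR}etc/shells")
            CSSHELLS=0; CSSHELLS_ALL=0
            Display --indent 2 --text "- Checking shells from ${ROOTDIR}etc/shells"
            for I in ${SSHELLS}; do
                CSSHELLS_ALL=$((CSSHELLS_ALL + 1))
                Report "available_shell[]=${I}"
                # TODO add check for symlinked shells
                # (-f follows symlinks, so a dangling symlink is counted as not installed)
                if [ -f "${I}" ]; then
                    LogText "Found installed shell: ${I}"
                    CSSHELLS=$((CSSHELLS + 1))
                else
                    LogText "Shell ${I} not installed. Probably a dummy or non existing shell."
                fi
            done
            Display --indent 4 --text "Result: found ${CSSHELLS_ALL} shells (valid shells: ${CSSHELLS})."
        else
            LogText "Result: ${ROOTDIR}etc/shells not found, skipping test"
        fi
    fi
#
#################################################################################
#
    # Test        : SHLL-6220
    # Description : Check for idle session killing tools or settings
    # Outputs     : IDLE_TIMEOUT (0/1), session_timeout_method[] (one entry per method found),
    #               session_timeout_value[] and session_timeout_set_readonly in the report
    Register --test-no SHLL-6220 --weight L --network NO --category security --description "Idle session killing tools or settings"
    if [ "${SKIPTEST}" -eq 0 ]; then

        # Space separated list of detection methods; each is reported once at the end
        IDLE_TIMEOUT_METHOD=""
        # Empty = no export/readonly/typeset statement seen; 1 = TMOUT is readonly; 0 = it is not
        IDLE_TIMEOUT_READONLY=""

        LogText "Test: Search for session timeout tools or settings in shell"
        if IsRunning "timeoutd"; then
            IDLE_TIMEOUT=1
            LogText "Result: found timeoutd process to kill idle sessions"
            IDLE_TIMEOUT_METHOD="${IDLE_TIMEOUT_METHOD} timeout-daemon"
        fi
        if IsRunning "autolog"; then
            IDLE_TIMEOUT=1
            LogText "Result: found autolog process to kill idle sessions"
            IDLE_TIMEOUT_METHOD="${IDLE_TIMEOUT_METHOD} autolog"
        fi

        if [ -f "${ROOTDIR}etc/profile" ]; then
            # Values assigned to TMOUT: whitespace removed, commented lines dropped, an 'export'
            # prefix and trailing comments stripped; anything after a ';' (e.g. '; export TMOUT')
            # is cut off so only the value itself remains
            FIND=$(${GREPBINARY} 'TMOUT=' "${ROOTDIR}etc/profile" | ${TRBINARY} -d ' \t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }' | ${SEDBINARY} 's/;.*//')
            # First word of each line that exports TMOUT or makes it readonly; ERE via egrep is
            # portable where the GNU-only BRE '\|' alternation is not, and [[:space:]] also
            # matches a tab between the keyword and TMOUT
            FIND2=$(${EGREPBINARY} '(export|readonly|typeset -r)[[:space:]]*TMOUT' "${ROOTDIR}etc/profile" | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }')
            if [ -n "${FIND}" ]; then
                N=0; IDLE_TIMEOUT=1
                for I in ${FIND}; do
                    LogText "Output: ${I}"
                    Report "session_timeout_value[]=${I}"
                    N=$((N + 1))
                done
                if [ "${N}" -eq 1 ]; then
                    LogText "Result: found TMOUT value configured in ${ROOTDIR}etc/profile"
                else
                    LogText "Result: found several TMOUT values configured in ${ROOTDIR}etc/profile"
                fi
                IDLE_TIMEOUT_METHOD="${IDLE_TIMEOUT_METHOD} profile"
            else
                LogText "Result: could not find TMOUT setting in ${ROOTDIR}etc/profile"
            fi

            if [ -n "${FIND2}" ]; then
                N=0
                for I in ${FIND2}; do
                    LogText "Output: ${I}"
                    if [ "${I}" = "readonly" ] || [ "${I}" = "typeset" ]; then
                        N=$((N + 1))
                    fi
                done
                if [ "${N}" -gt 0 ]; then
                    LogText "Result: found readonly setting in ${ROOTDIR}etc/profile (readonly or typeset -r)"
                    IDLE_TIMEOUT_READONLY=1
                else
                    LogText "Result: NO readonly setting found in ${ROOTDIR}etc/profile (readonly or typeset -r)"
                    IDLE_TIMEOUT_READONLY=0
                fi
            else
                LogText "Result: could not find export, readonly or typeset -r in ${ROOTDIR}etc/profile"
            fi
        else
            LogText "Result: skip ${ROOTDIR}etc/profile test, file not available on this system"
        fi

        if [ -d "${ROOTDIR}etc/profile.d" ]; then
            # Same criteria as the extraction below, instead of parsing ls output
            FIND=$(${FINDBINARY} "${ROOTDIR}etc/profile.d" -name "*.sh" -type f 2> /dev/null)
            if [ -n "${FIND}" ]; then
                # Same extraction as for ${ROOTDIR}etc/profile, over the concatenated *.sh files
                FIND=$(${FINDBINARY} "${ROOTDIR}etc/profile.d" -name "*.sh" -type f -exec cat {} \; 2> /dev/null | ${GREPBINARY} 'TMOUT=' | ${TRBINARY} -d ' \t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }' | ${SEDBINARY} 's/;.*//')
                FIND2=$(${FINDBINARY} "${ROOTDIR}etc/profile.d" -name "*.sh" -type f -exec cat {} \; 2> /dev/null | ${EGREPBINARY} '(export|readonly|typeset -r)[[:space:]]*TMOUT' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }')
                if [ -n "${FIND}" ]; then
                    N=0; IDLE_TIMEOUT=1
                    for I in ${FIND}; do
                        LogText "Output: ${I}"
                        Report "session_timeout_value[]=${I}"
                        N=$((N + 1))
                    done
                    if [ "${N}" -eq 1 ]; then
                        LogText "Result: found TMOUT value configured in one of the files in ${ROOTDIR}etc/profile.d directory"
                    else
                        LogText "Result: found several TMOUT values configured in one of the files in ${ROOTDIR}etc/profile.d directory"
                    fi
                    IDLE_TIMEOUT_METHOD="${IDLE_TIMEOUT_METHOD} profile.d"
                else
                    LogText "Result: could not find TMOUT setting in ${ROOTDIR}etc/profile.d/*.sh"
                fi
                # Check for readonly
                if [ -n "${FIND2}" ]; then
                    N=0
                    for I in ${FIND2}; do
                        LogText "Output: ${I}"
                        if [ "${I}" = "readonly" ] || [ "${I}" = "typeset" ]; then
                            N=$((N + 1))
                        fi
                    done
                    if [ "${N}" -gt 0 ]; then
                        LogText "Result: found readonly setting in ${ROOTDIR}etc/profile.d/*.sh (readonly or typeset -r)"
                        IDLE_TIMEOUT_READONLY=1
                    else
                        LogText "Result: NO readonly setting found in ${ROOTDIR}etc/profile.d/*.sh (readonly or typeset -r)"
                        # A readonly TMOUT already found in ${ROOTDIR}etc/profile stays in effect;
                        # do not downgrade that result because profile.d only exports the variable
                        if [ "${IDLE_TIMEOUT_READONLY}" != "1" ]; then
                            IDLE_TIMEOUT_READONLY=0
                        fi
                    fi
                else
                    LogText "Result: could not find export, readonly or typeset -r in ${ROOTDIR}etc/profile.d/*.sh"
                fi
            fi
        else
            LogText "Result: skip ${ROOTDIR}etc/profile.d directory test, directory not available on this system"
        fi

        # Every detected method is reported exactly once (earlier only the last one found
        # was reported, and autolog was reported twice)
        for I in ${IDLE_TIMEOUT_METHOD}; do
            Report "session_timeout_method[]=${I}"
        done
        if [ -n "${IDLE_TIMEOUT_READONLY}" ]; then
            Report "session_timeout_set_readonly=${IDLE_TIMEOUT_READONLY}"
        fi

        if [ "${IDLE_TIMEOUT}" -eq 1 ]; then
            Display --indent 4 --text "- Session timeout settings/tools" --result "${STATUS_FOUND}" --color GREEN
            AddHP 3 3
        else
            Display --indent 4 --text "- Session timeout settings/tools" --result "${STATUS_NONE}" --color YELLOW
            AddHP 1 3
        fi
    fi
#
#################################################################################
#
    # Test        : SHLL-6230
    # Description : Check for umask values in shell configurations
    SHELL_CONFIG_FILES="${ROOTDIR}etc/bashrc ${ROOTDIR}etc/bash.bashrc ${ROOTDIR}etc/bash.bashrc.local ${ROOTDIR}etc/csh.cshrc ${ROOTDIR}etc/profile"
    Register --test-no SHLL-6230 --weight H --network NO --category security --description "Perform umask check for shell configurations"
    if [ "${SKIPTEST}" -eq 0 ]; then
        FOUND=0
        Display --indent 2 --text "- Checking default umask values"
        for FILE in ${SHELL_CONFIG_FILES}; do
            HARDENING_POSSIBLE=0
            FIND=""
            if [ -f "${FILE}" ]; then
                LogText "Result: file ${FILE} exists"
                FOUND=1
                # Take the word following each 'umask' token after comments are stripped, so a
                # line with several umask commands (e.g. an if/else) yields every value and a
                # trailing ';' is removed. A variable reference such as '$UMASK' cannot be
                # resolved here and is reported as a value that can be hardened.
                FIND=$(${GREPBINARY} umask "${FILE}" | ${SEDBINARY} 's/#.*$//' | ${AWKBINARY} '{ for (i = 1; i < NF; i++) { if ($i == "umask") { v = $(i + 1); sub(/;$/, "", v); print v } } }')
                if IsEmpty "${FIND}"; then
                    LogText "Result: did not find umask configured in ${FILE}"
                    Display --indent 4 --text "- Checking default umask in ${FILE}" --result "${STATUS_NONE}" --color YELLOW
                else
                    for UMASKVALUE in ${FIND}; do
                        LogText "Result: found umask ${UMASKVALUE} in ${FILE}"
                        case "${UMASKVALUE}" in
                            027|0027|077|0077)
                                LogText "Result: umask ${UMASKVALUE} is considered a properly hardened value"
                            ;;
                            *)
                                LogText "Result: umask ${UMASKVALUE} can be hardened "
                                HARDENING_POSSIBLE=1
                            ;;
                        esac
                    done
                    # One weak value in the file is enough to mark it as weak
                    if [ "${HARDENING_POSSIBLE}" -eq 0 ]; then
                        Display --indent 4 --text "- Checking default umask in ${FILE}" --result "${STATUS_OK}" --color GREEN
                        AddHP 3 3
                    else
                        Display --indent 4 --text "- Checking default umask in ${FILE}" --result "${STATUS_WEAK}" --color YELLOW
                        AddHP 1 3
                    fi
                fi
            else
                LogText "Result: file ${FILE} not found"
            fi
        done
    fi
#
#################################################################################
#

Report "session_timeout_enabled=${IDLE_TIMEOUT}"


WaitForKeyPress

#
#================================================================================
# Lynis - Copyright 2007-2021, CISOfy - http://cisofy.com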