📄 Viewing: tests_file_integrity
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
AIDECONFIG=""
CSF_CONFIG="${ROOTDIR}etc/csf/csf.conf"
FILE_INT_TOOL=""
FILE_INT_TOOL_FOUND=0 # Boolean, file integrity tool found
#
#################################################################################
#
InsertSection "Software: file integrity"
Display --indent 2 --text "- Checking file integrity tools"
#
#################################################################################
#
# Test : FINT-4310
# Description : Check if AFICK is installed
Register --test-no FINT-4310 --weight L --network NO --category security --description "AFICK availability"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking AFICK binary"
if [ ! -z "${AFICKBINARY}" ]; then
LogText "Result: AFICK is installed (${AFICKBINARY})"
Report "file_integrity_tool[]=afick"
FILE_INT_TOOL="afick"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- AFICK" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: AFICK is not installed"
if IsVerbose; then Display --indent 4 --text "- AFICK" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
fi
fi
#
#################################################################################
#
# Test : FINT-4314
# Description : Check if AIDE is installed
Register --test-no FINT-4314 --weight L --network NO --category security --description "AIDE availability"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking AIDE binary"
if [ ! -z "${AIDEBINARY}" ]; then
LogText "Result: AIDE is installed (${AIDEBINARY})"
Report "file_integrity_tool[]=aide"
FILE_INT_TOOL="aide"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- AIDE" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: AIDE is not installed"
if IsVerbose; then Display --indent 4 --text "- AIDE" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
fi
fi
#
#################################################################################
#
# Test : FINT-4315
# Description : Check AIDE configuration file
if [ ! -z "${AIDEBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FINT-4315 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check AIDE configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
AIDE_CONFIG_LOCS="/etc /etc/aide /usr/local/etc"
LogText "Test: search for aide.conf in ${AIDE_CONFIG_LOCS}"
for I in ${AIDE_CONFIG_LOCS}; do
if [ -f ${I}/aide.conf ]; then
LogText "Result: found aide.conf in directory ${I}"
AIDECONFIG="${I}/aide.conf"
fi
done
if [ -z "${AIDECONFIG}" ]; then
Display --indent 6 --text "- AIDE config file" --result "${STATUS_NOT_FOUND}" --color RED
ReportWarning "${TEST_NO}" "No AIDE configuration file was found, needed for AIDE functionality"
else
LogText "Checking configuration file ${AIDECONFIG} for errors"
FIND=$(${AIDEBINARY} --config=${AIDECONFIG} -D)
if [ $? -eq 0 ]; then
Display --indent 6 --text "- AIDE config file" --result "${STATUS_FOUND}" --color GREEN
else
Display --indent 6 --text "- AIDE config file" --result "${STATUS_WARNING}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Check the AIDE configuration file as it may contain errors"
fi
fi
fi
#
#################################################################################
#
# Test : FINT-4318
# Description : Check if Osiris is installed
Register --test-no FINT-4318 --weight L --network NO --category security --description "Osiris availability"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking Osiris binary"
if [ ! -z "${OSIRISBINARY}" ]; then
LogText "Result: Osiris is installed (${OSIRISBINARY})"
Report "file_integrity_tool[]=osiris"
FILE_INT_TOOL="osiris"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- Osiris" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: Osiris is not installed"
if IsVerbose; then Display --indent 4 --text "- Osiris" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
fi
fi
#
#################################################################################
#
# Test : FINT-4322
# Description : Check if Samhain is installed
Register --test-no FINT-4322 --weight L --network NO --category security --description "Samhain availability"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking Samhain binary"
if [ ! -z "${SAMHAINBINARY}" ]; then
LogText "Result: Samhain is installed (${SAMHAINBINARY})"
Report "file_integrity_tool[]=samhain"
FILE_INT_TOOL="samhain"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- Samhain" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: Samhain is not installed"
if IsVerbose; then Display --indent 4 --text "- Samhain" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
fi
fi
#
#################################################################################
#
# Test : FINT-4326
# Description : Check if Tripwire is installed
Register --test-no FINT-4326 --weight L --network NO --category security --description "Tripwire availability"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking Tripwire binary"
if [ ! -z "${TRIPWIREBINARY}" ]; then
LogText "Result: Tripwire is installed (${TRIPWIREBINARY})"
Report "file_integrity_tool[]=tripwire"
FILE_INT_TOOL="tripwire"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- Tripwire" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: Tripwire is not installed"
if IsVerbose; then Display --indent 4 --text "- Tripwire" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
fi
fi
#
#################################################################################
#
# Test : FINT-4328
# Description : Check if OSSEC system integrity tool is running
Register --test-no FINT-4328 --weight L --network NO --category security --description "OSSEC syscheck daemon running"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking if OSSEC syscheck daemon is running"
IsRunning ossec-syscheckd
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: syscheck (OSSEC) installed"
Report "file_integrity_tool[]=ossec"
FILE_INT_TOOL="ossec-syscheck"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- OSSEC (syscheck)" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: syscheck (OSSEC) not installed"
if IsVerbose; then Display --indent 4 --text "- OSSEC" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
fi
fi
#
#################################################################################
#
# Test : FINT-4330
# Description : Check if mtree is installed
# Note : Usually on BSD and similar
Register --test-no FINT-4330 --weight L --network NO --category security --description "mtree availability"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking mtree binary"
if [ ! -z "${MTREEBINARY}" ]; then
LogText "Result: mtree is installed (${MTREEBINARY})"
Report "file_integrity_tool[]=mtree"
FILE_INT_TOOL="mtree"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- mtree" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: mtree is not installed"
if IsVerbose; then Display --indent 4 --text "- mtree" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
fi
fi
#
#################################################################################
#
# Test : FINT-4334
# Description : Check if LFD is used (part of CSF suite)
if [ -f ${CSF_CONFIG} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FINT-4334 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check lfd daemon status"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 4 --text "- lfd (CSF)" --result "${STATUS_FOUND}" --color GREEN
IsRunning 'lfd '
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: lfd daemon is running (CSF)"
Report "file_integrity_tool[]=csf-lfd"
Display --indent 6 --text "- LFD (CSF) daemon" --result "${STATUS_RUNNING}" --color GREEN
FILE_INT_TOOL="csf-lfd"
FILE_INT_TOOL_FOUND=1
else
Display --indent 6 --text "- LFD (CSF) daemon" --result "${STATUS_NOT_RUNNING}" --color YELLOW
fi
fi
#
#################################################################################
#
# Test : FINT-4336
# Description : Check if LFD is enabled (part of CSF suite)
if [ -f ${CSF_CONFIG} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FINT-4336 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check lfd configuration status"
if [ ${SKIPTEST} -eq 0 ]; then
# LFD configuration parameters
ENABLED=$(${GREPBINARY} "^LF_DAEMON = \"1\"" ${CSF_CONFIG})
if [ ! -z "${ENABLED}" ]; then
LogText "Result: lfd service is configured to run"
Display --indent 6 --text "- Configuration status" --result "${STATUS_ENABLED}" --color GREEN
else
LogText "Result: lfd service is configured NOT to run"
Display --indent 6 --text "- Configuration status" --result "${STATUS_DISABLED}" --color YELLOW
fi
ENABLED=$(${GREPBINARY} "^LF_DIRWATCH =" ${CSF_CONFIG} | ${AWKBINARY} '{ print $3 }' | ${SEDBINARY} 's/\"//g')
if [ ! "${ENABLED}" = "0" -a ! -z "${ENABLED}" ]; then
LogText "Result: lfd directory watching is enabled (value: ${ENABLED})"
Display --indent 6 --text "- Temporary directory watches" --result "${STATUS_ENABLED}" --color GREEN
else
LogText "Result: lfd directory watching is disabled"
Display --indent 6 --text "- Temporary directory watches" --result "${STATUS_DISABLED}" --color YELLOW
fi
ENABLED=$(${GREPBINARY} "^LF_DIRWATCH_FILE =" ${CSF_CONFIG} | ${AWKBINARY} '{ print $3 }' | ${SEDBINARY} 's/\"//g')
if [ ! "${ENABLED}" = "0" -a ! -z "${ENABLED}" ]; then
Display --indent 6 --text "- Directory/File watches" --result "${STATUS_ENABLED}" --color GREEN
else
Display --indent 6 --text "- Directory/File watches" --result "${STATUS_DISABLED}" --color YELLOW
fi
fi
#
#################################################################################
#
# Test : FINT-4338
# Description : Check if osquery system integrity tool is running
Register --test-no FINT-4338 --weight L --network NO --category security --description "osqueryd syscheck daemon running"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking if osqueryd syscheck daemon is running"
IsRunning osqueryd
if [ ${RUNNING} -eq 1 ]; then
LogText "Result: syscheck (osquery) installed"
Report "file_integrity_tool[]=osquery"
FILE_INT_TOOL="osquery"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- osquery daemon (syscheck)" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: syscheck (osquery) not installed"
if IsVerbose; then Display --indent 4 --text "- osquery daemon (syscheck)" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
fi
fi
#
#################################################################################
#
# Test : FINT-4402 (was FINT-4316)
# Description : Check if AIDE is configured to use SHA256 or SHA512 checksums
if [ ! "${AIDEBINARY}" = "" -a ! -z "${AIDECONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FINT-4402 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "AIDE configuration: Checksums (SHA256 or SHA512)"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${GREPBINARY} -v "^#" ${AIDECONFIG} | ${EGREPBINARY} "= .*(sha256|sha512)")
if [ -z "${FIND}" ]; then
LogText "Result: No SHA256 or SHA512 found for creating checksums"
Display --indent 6 --text "- AIDE config (Checksum)" --result Suggestion --color YELLOW
ReportSuggestion ${TEST_NO} "Use SHA256 or SHA512 to create checksums in AIDE"
AddHP 1 3
else
LogText "Result: Found SHA256 or SHA512 found for creating checksums"
Display --indent 6 --text "- AIDE config (Checksum)" --result "${STATUS_OK}" --color GREEN
AddHP 2 2
fi
fi
#
#################################################################################
#
# Test : FINT-4350
# Description : Check if at least one file integrity tool is installed
Register --test-no FINT-4350 --weight L --network NO --category security --description "File integrity software installed"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Check if at least on file integrity tool is available/installed"
if [ ${FILE_INT_TOOL_FOUND} -eq 1 ]; then
LogText "Result: found at least one file integrity tool"
Display --indent 2 --text "- Checking presence integrity tool" --result "${STATUS_FOUND}" --color GREEN
AddHP 5 5
else
LogText "Result: No file integrity tools found"
Display --indent 2 --text "- Checking presence integrity tool" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion ${TEST_NO} "Install a file integrity tool to monitor changes to critical and sensitive files"
AddHP 0 5
fi
fi
#
#################################################################################
#
WaitForKeyPress
#
#================================================================================
# Lynis - Copyright 2007-2019 Michael Boelen, CISOfy - https://cisofy.com
🌑 DarkStealth — WP Plugin Edition
Directory: /usr/share/lynis/include