/usr/share/lynis/include/tests_shells is in lynis 2.6.2-1.
This file is owned by root:root, with mode 0o600.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 | #!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2018, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Shells
#
#################################################################################
#
IDLE_TIMEOUT=0
InsertSection "Shells"
#
#################################################################################
#
# bash
# Files (interactive login shells): /etc/profile $HOME/.bash_profile
# $HOME/.bash_login $HOME/.profile
# Files (interactive non-login shells): $HOME/.bash_rc
# csh/tcsh
# Files: /etc/csh.cshrc /etc/csh.login
# zsh
# Files: /etc/zshenv /etc/zsh/zshenv $HOME/.zshenv /etc/zprofile
# /etc/zsh/zprofile $HOME/.zprofile /etc/zshrc /etc/zsh/zshrc
# $ZDOTDIR/.zshrc /etc/zlogin /etc/zsh/zlogin
SHELL_LOGIN_FILES="${ROOTDIR}etc/csh.cshrc ${ROOTDIR}etc/csh.login ${ROOTDIR}etc/zshenv ${ROOTDIR}etc/zsh/zshenv
${ROOTDIR}etc/zprofile ${ROOTDIR}etc/zsh/zprofile ${ROOTDIR}etc/zshrc ${ROOTDIR}etc/zsh/zshrc
${ROOTDIR}etc/zlogin ${ROOTDIR}etc/zsh/zlogin"
#
#################################################################################
#
# Test : SHLL-6202
# Description : check all console TTYs in which root user can enter single user mode without password
Register --test-no SHLL-6202 --os FreeBSD --weight L --network NO --category security --description "Check console TTYs"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking console TTYs"
FIND=$(${EGREPBINARY} '^console' ${ROOTDIR}etc/ttys | ${GREPBINARY} -v 'insecure')
if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Checking console TTYs" --result "${STATUS_OK}" --color GREEN
LogText "Result: console is secured against single user mode without password."
else
Display --indent 2 --text "- Checking console TTYs" --result "${STATUS_WARNING}" --color RED
LogText "Result: Found insecure console in ${ROOTDIR}etc/ttys. Single user mode login without password allowed!"
LogText "Output ${ROOTDIR}etc/ttys:"
LogText "${FIND}"
ReportWarning ${TEST_NO} "Found unprotected console in ${ROOTDIR}etc/ttys"
LogText "Possible solution: Change the console line from 'secure' to 'insecure'."
fi
fi
#
#################################################################################
#
# Test : SHLL-6211
# Description : which shells are available according /etc/shells
Register --test-no SHLL-6211 --weight L --network NO --category security --description "Checking available and valid shells"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching for ${ROOTDIR}etc/shells"
if [ -f ${ROOTDIR}etc/shells ]; then
LogText "Result: Found ${ROOTDIR}etc/shells file"
LogText "Test: Reading available shells from ${ROOTDIR}etc/shells"
SSHELLS=$(${GREPBINARY} "^/" ${ROOTDIR}etc/shells)
CSSHELLS=0; CSSHELLS_ALL=0
Display --indent 2 --text "- Checking shells from ${ROOTDIR}etc/shells"
for I in ${SSHELLS}; do
CSSHELLS_ALL=$((CSSHELLS_ALL + 1))
Report "available_shell[]=${I}"
# TODO add check for symlinked shells
if [ -f ${I} ]; then
LogText "Found installed shell: ${I}"
CSSHELLS=$((CSSHELLS + 1))
else
LogText "Shell ${I} not installed. Probably a dummy or non existing shell."
fi
done
Display --indent 4 --text "Result: found ${CSSHELLS_ALL} shells (valid shells: ${CSSHELLS})."
else
LogText "Result: ${ROOTDIR}etc/shells not found, skipping test"
fi
fi
#
#################################################################################
#
# Test : SHLL-6220
# Description : check for idle session killing tools or settings
Register --test-no SHLL-6220 --weight L --network NO --category security --description "Checking available and valid shells"
if [ ${SKIPTEST} -eq 0 ]; then
IDLE_TIMEOUT_METHOD=""
IDLE_TIMEOUT_READONLY=""
LogText "Test: Search for session timeout tools or settings in shell"
IsRunning timeoutd
if [ ${RUNNING} -eq 1 ]; then
IDLE_TIMEOUT=1
LogText "Result: found timeoutd process to kill idle sesions"
IDLE_TIMEOUT_METHOD="timeout-daemon"
fi
IsRunning autolog
if [ ${RUNNING} -eq 1 ]; then
IDLE_TIMEOUT=1
LogText "Result: found autolog process to kill idle sesions"
Report="session_timeout_method[]=autolog"
IDLE_TIMEOUT_METHOD="autolog"
fi
if [ -f ${ROOTDIR}etc/profile ]; then
# Determine if we can find a TMOUT value
FIND=$(${GREPBINARY} 'TMOUT=' ${ROOTDIR}etc/profile | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }')
# Determine if the value is exported (with export, readonly, or typeset)
FIND2=$(${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' ${ROOTDIR}etc/profile | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }')
if [ ! -z "${FIND}" ]; then
N=0; IDLE_TIMEOUT=1
for I in ${FIND}; do
LogText "Output: ${I}"
Report "session_timeout_value[]=${I}"
N=$((N + 1))
done
if [ ${N} -eq 1 ]; then
LogText "Result: found TMOUT value configured in ${ROOTDIR}etc/profile"
else
LogText "Result: found several TMOUT values configured in ${ROOTDIR}etc/profile"
fi
IDLE_TIMEOUT_METHOD="profile"
else
LogText "Result: could not find TMOUT setting in ${ROOTDIR}etc/profile"
fi
if [ ! -z "${FIND2}" ]; then
N=0;
for I in ${FIND2}; do
LogText "Output: ${I}"
if [ "${I}" = "readonly" -o "${I}" = "typeset" ]; then
N=$((N + 1))
fi
done
if [ ${N} -gt 0 ]; then
LogText "Result: found readonly setting in ${ROOTDIR}etc/profile (readonly or typeset -r)"
IDLE_TIMEOUT_READONLY=1
else
LogText "Result: NO readonly setting found in ${ROOTDIR}etc/profile (readonly or typeset -r)"
IDLE_TIMEOUT_READONLY=0
fi
else
LogText "Result: could not find export, readonly or typeset -r in ${ROOTDIR}etc/profile"
fi
else
LogText "Result: skip ${ROOTDIR}etc/profile test, file not available on this system"
fi
if [ -d ${ROOTDIR}etc/profile.d ]; then
FIND=$(${LSBINARY} ${ROOTDIR}etc/profile.d/*.sh 2> /dev/null)
if [ ! -z "${FIND}" ]; then
# Determine if we can find a TMOUT value
FIND=$(${FINDBINARY} ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec cat {} \; 2> /dev/null | ${GREPBINARY} 'TMOUT=' | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }')
# Determine if the value is exported (with export, readonly, or typeset)
FIND2=$(${FINDBINARY} ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec cat {} \; 2> /dev/null | ${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }')
if [ ! -z "${FIND}" ]; then
N=0; IDLE_TIMEOUT=1
for I in ${FIND}; do
LogText "Output: ${I}"
Report "session_timeout_value[]=${I}"
N=$((N + 1))
done
if [ ${N} -eq 1 ]; then
LogText "Result: found TMOUT value configured in one of the files in ${ROOTDIR}etc/profile.d directory"
else
LogText "Result: found several TMOUT values configured in one of the files in ${ROOTDIR}etc/profile.d directory"
fi
IDLE_TIMEOUT_METHOD="profile.d"
else
LogText "Result: could not find TMOUT setting in ${ROOTDIR}etc/profile.d/*.sh"
fi
# Check for readonly
if [ ! -z "${FIND2}" ]; then
N=0;
for I in ${FIND2}; do
LogText "Output: ${I}"
if [ "${I}" = "readonly" -o "${I}" = "typeset" ]; then
N=$((N + 1))
fi
done
if [ ${N} -gt 0 ]; then
LogText "Result: found readonly setting in ${ROOTDIR}etc/profile (readonly or typeset -r)"
IDLE_TIMEOUT_READONLY=1
else
LogText "Result: NO readonly setting found in ${ROOTDIR}etc/profile (readonly or typeset -r)"
IDLE_TIMEOUT_READONLY=0
fi
else
LogText "Result: could not find export, readonly or typeset -r in ${ROOTDIR}etc/profile"
fi
fi
else
LogText "Result: skip ${ROOTDIR}etc/profile.d directory test, directory not available on this system"
fi
if [ ! -z "${IDLE_TIMEOUT_METHOD}" ]; then
Report "session_timeout_method[]=${IDLE_TIMEOUT_METHOD}"
fi
if [ ! -z "${IDLE_TIMEOUT_READONLY}" ]; then
Report "session_timeout_set_readonly=${IDLE_TIMEOUT_READONLY}"
fi
if [ ${IDLE_TIMEOUT} -eq 1 ]; then
Display --indent 4 --text "- Session timeout settings/tools" --result "${STATUS_FOUND}" --color GREEN
AddHP 3 3
else
Display --indent 4 --text "- Session timeout settings/tools" --result "${STATUS_NONE}" --color YELLOW
AddHP 1 3
fi
fi
#
#################################################################################
#
# Test : SHLL-6230
# Description : Check for umask values in shell configurations
SHELL_CONFIG_FILES="${ROOTDIR}etc/bashrc ${ROOTDIR}etc/bash.bashrc ${ROOTDIR}etc/csh.cshrc ${ROOTDIR}etc/profile"
Register --test-no SHLL-6230 --weight H --network NO --category security --description "Perform umask check for shell configurations"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
HARDENING_POSSIBLE=0
Display --indent 2 --text "- Checking default umask values"
for FILE in ${SHELL_CONFIG_FILES}; do
FIND=""
if [ -f ${FILE} ]; then
LogText "Result: file ${FILE} exists"
FOUND=1
FIND=$(${GREPBINARY} umask ${FILE} | ${SEDBINARY} 's/^[ \t]*//g' | ${SEDBINARY} 's/#.*$//' | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ print $2 }')
if IsEmpty "${FIND}"; then
LogText "Result: did not find umask configured in ${FILE}"
Display --indent 4 --text "- Checking default umask in ${FILE}" --result "${STATUS_NONE}" --color YELLOW
else
for UMASKVALUE in ${FIND}; do
LogText "Result: found umask ${UMASKVALUE} in ${FILE}"
case ${UMASKVALUE} in
027|0027|077|0077)
LogText "Result: umask ${UMASKVALUE} is considered a properly hardened value"
;;
*)
LogText "Result: umask ${UMASKVALUE} can be hardened "
HARDENING_POSSIBLE=1
;;
esac
done
if [ ${HARDENING_POSSIBLE} -eq 0 ]; then
Display --indent 4 --text "- Checking default umask in ${FILE}" --result "${STATUS_OK}" --color GREEN
AddHP 3 3
else
Display --indent 4 --text "- Checking default umask in ${FILE}" --result WEAK --color YELLOW
AddHP 1 3
fi
fi
else
LogText "Result: file ${FILE} not found"
fi
done
fi
#
#################################################################################
#
Report "session_timeout_enabled=${IDLE_TIMEOUT}"
WaitForKeyPress
#
#================================================================================
# Lynis - Copyright 2007-2018, CISOfy - http://cisofy.com
|