Gecko [ www.finalhopeacademy.com ]

Name	Size	Permission
binaries	38.36 KB	-rw-r--r--
consts	10.77 KB	-rw-r--r--
data_upload	13.63 KB	-rw-r--r--
functions	157.68 KB	-rw-r--r--
helper_audit_dockerfile	7.82 KB	-rw-r--r--
helper_configure	3.67 KB	-rw-r--r--
helper_generate	7.39 KB	-rw-r--r--
helper_show	22.29 KB	-rw-r--r--
helper_system_remote_scan	3.54 KB	-rw-r--r--
helper_update	3.59 KB	-rw-r--r--
osdetection	37.98 KB	-rw-r--r--
parameters	16.48 KB	-rw-r--r--
profiles	26.89 KB	-rw-r--r--
report	16.45 KB	-rw-r--r--
tests_accounting	25.48 KB	-rw-r--r--
tests_authentication	84.03 KB	-rw-r--r--
tests_banners	8.35 KB	-rw-r--r--
tests_boot_services	54.51 KB	-rw-r--r--
tests_containers	11.29 KB	-rw-r--r--
tests_crypto	17.67 KB	-rw-r--r--
tests_custom.template	6.78 KB	-rw-r--r--
tests_databases	23.72 KB	-rw-r--r--
tests_dns	3.39 KB	-rw-r--r--
tests_file_integrity	21.41 KB	-rw-r--r--
tests_file_permissions	3.25 KB	-rw-r--r--
tests_filesystems	46.33 KB	-rw-r--r--
tests_firewalls	29.96 KB	-rw-r--r--
tests_hardening	7.01 KB	-rw-r--r--
tests_homedirs	9.17 KB	-rw-r--r--
tests_insecure_services	26.73 KB	-rw-r--r--
tests_kernel	60.76 KB	-rw-r--r--
tests_kernel_hardening	5.62 KB	-rw-r--r--
tests_ldap	3.96 KB	-rw-r--r--
tests_logging	31.25 KB	-rw-r--r--
tests_mac_frameworks	14.53 KB	-rw-r--r--
tests_mail_messaging	21.45 KB	-rw-r--r--
tests_malware	18.44 KB	-rw-r--r--
tests_memory_processes	7.17 KB	-rw-r--r--
tests_nameservices	34.51 KB	-rw-r--r--
tests_networking	40.67 KB	-rw-r--r--
tests_php	27.48 KB	-rw-r--r--
tests_ports_packages	78.76 KB	-rw-r--r--
tests_printers_spoolers	13.85 KB	-rw-r--r--
tests_scheduling	15.74 KB	-rw-r--r--
tests_shells	13.37 KB	-rw-r--r--
tests_snmp	4.32 KB	-rw-r--r--
tests_squid	16.9 KB	-rw-r--r--
tests_ssh	17.59 KB	-rw-r--r--
tests_storage	3.74 KB	-rw-r--r--
tests_storage_nfs	8.4 KB	-rw-r--r--
tests_system_integrity	2.13 KB	-rw-r--r--
tests_time	32.61 KB	-rw-r--r--
tests_tooling	20.87 KB	-rw-r--r--
tests_usb	21.04 KB	-rw-r--r--
tests_virtualization	1.95 KB	-rw-r--r--
tests_webservers	30.9 KB	-rw-r--r--
tool_tips	2.16 KB	-rw-r--r--

Code Editor : tests_hardening

#!/bin/sh

#################################################################################
#
#   Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
#
# Website  : https://cisofy.com
# Blog     : http://linux-audit.com
# GitHub   : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
    InsertSection "${SECTION_HARDENING}"

# COMPILER_INSTALLED is initialized before
    HARDEN_COMPILERS_NEEDED=0
#
#################################################################################
#
    # Test        : HRDN-7220
    # Description : Check for installed compilers
    # Notes       : No suggestion for hardening compilers, as HRDN-7222 will take care of that
    Register --test-no HRDN-7220 --weight L --network NO --category security --description "Check if one or more compilers are installed"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: Check if one or more compilers can be found on the system"
        if [ ${COMPILER_INSTALLED} -eq 0 ]; then
            LogText "Result: no compilers found"
            Display --indent 4 --text "- Installed compiler(s)" --result "${STATUS_NOT_FOUND}" --color GREEN
            AddHP 3 3
        else
            LogText "Result: found installed compiler. See top of logfile which compilers have been found or use ${GREPBINARY} to filter on 'compiler'"
            Display --indent 4 --text "- Installed compiler(s)" --result "${STATUS_FOUND}" --color RED
            AddHP 1 3
        fi
    fi
#
#################################################################################
#
    # Test        : HRDN-7222
    # Description : Check for permissions of installed compilers
    Register --test-no HRDN-7222 --weight L --network NO --category security --description "Check compiler permissions"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: Check if one or more compilers can be found on the system"
        HARDEN_COMPILERS_NEEDED=0
        if [ ${COMPILER_INSTALLED} -eq 0 ]; then
            LogText "Result: no compilers found"
        else
            # TODO - c89 c99 cpp ld
            TEST_BINARIES="${ASBINARY} ${CCBINARY} ${CLANGBINARY} ${GCCBINARY}"
            for ITEM in ${TEST_BINARIES}; do
                FILE="${ITEM}"
                LogText "Test: Check file permissions for ${ITEM}"
                ShowSymlinkPath ${ITEM}
                if [ -n "${SYMLINK}" ]; then
                    FILE="${SYMLINK}"
                fi

if IsWorldExecutable ${FILE}; then
                    LogText "Binary: found ${FILE} (world executable)"
                    Report "compiler_world_executable[]=${FILE}"
                    AddHP 2 3
                    HARDEN_COMPILERS_NEEDED=1
                else
                    AddHP 3 3
                fi
            done

# Report suggestion is one or more compilers can be better hardened
            if [ ${HARDEN_COMPILERS_NEEDED} -eq 1 ]; then
                LogText "Result: at least one compiler could be better hardened by restricting executable access to root or group only"
                ReportSuggestion "${TEST_NO}" "Harden compilers like restricting access to root user only"
            fi
        fi
    fi
#
#################################################################################
#
    # Test        : HRDN-7230
    # Description : Check for installed malware scanners
    Register --test-no HRDN-7230 --weight L --network NO --category security --description "Check for malware scanner"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: Check if a malware scanner is installed"
        if [ ${MALWARE_SCANNER_INSTALLED} -eq 1 ]; then
            LogText "Result: found at least one malware scanner"
            Display --indent 4 --text "- Installed malware scanner" --result "${STATUS_FOUND}" --color GREEN
            AddHP 3 3
        else
            LogText "Result: no malware scanner found"
            if [ "${MACHINE_ROLE}" = "personal" ]; then
                Display --indent 4 --text "- Installed malware scanner" --result "${STATUS_NOT_FOUND}" --color YELLOW
            else
                Display --indent 4 --text "- Installed malware scanner" --result "${STATUS_NOT_FOUND}" --color RED
            fi
            ReportSuggestion "${TEST_NO}" "Harden the system by installing at least one malware scanner, to perform periodic file system scans" "-" "Install a tool like rkhunter, chkrootkit, OSSEC"
            AddHP 1 3
            LogText "Result: no malware scanner found"
        fi
    fi
#
#################################################################################
#
    # Test        : HRDN-7231
    # Description : Check for registered non-native binary formats
    Register --test-no HRDN-7231  --os Linux --weight L --network NO --category security --description "Check for registered non-native binary formats"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: Check for registered non-native binary formats"
        NFORMATS=0
        if [ -d /proc/sys/fs/binfmt_misc ]; then
            NFORMATS=$(${FINDBINARY} /proc/sys/fs/binfmt_misc -type f -not -name register -not -name status | ${WCBINARY} -l)
        fi
        if [ ${NFORMATS} -eq 0 ]; then
            LogText "Result: no non-native binary formats found"
            Display --indent 4 --text "- Non-native binary formats" --result "${STATUS_NOT_FOUND}" --color GREEN
        else
            FORMATS=$(${FINDBINARY} /proc/sys/fs/binfmt_misc -type f -not -name register -not -name status -printf '%f ')
            LogText "Result: found ${NFORMATS} non-native binary formats registered: ${FORMATS}"
            Display --indent 4 --text "- Non-native binary formats" --result "${STATUS_FOUND}" --color RED
        fi
    fi
#
#################################################################################
#
#    LogText "--------------------------------------------------------------------"
#    LogText "| System part                        | Preferred value | Actual value | Points |"
#    LogText "| [!] Compiler installed               |              0  | [${COMPILER_INSTALLED}]     | x  |"
#    LogText "| [V] Malware scanner installed        |              1  | [x]     | x  |"
#    LogText "| [V] Packet filter enabled            |              1  | [x]     | x  |"
#    LogText "--------------------------------------------------------------------"
#    LogText "| [!]: Hardening possible,  [V]: Hardening performed,  [ ]: Unknown "
#    LogText "--------------------------------------------------------------------"
#
#################################################################################
#

Report "compiler_installed=${COMPILER_INSTALLED}"
WaitForKeyPress

#
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com

${this.title}

Code Editor : tests_hardening