Comments (6)
Hi,
Thanks for the suggestion. Sounds like a good approach. Do you want to create a pull request for that?
from lynis.
I might have to learn how to do this - it may take a while as I have never done a pull request before.
from lynis.
That's totally fine. A good way to get started by trying. Just let us know if you get stuck!
from lynis.
This is the code I have modified. Still trying to work out how to do it...
```sh
#!/bin/sh

#################################################################################
#
#   Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
#
# Website  : https://cisofy.com
# Blog     : http://linux-audit.com
# GitHub   : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Malware scanners
#
#################################################################################
#
    InsertSection "${SECTION_MALWARE}"
#
#################################################################################
#
    AVAST_DAEMON_RUNNING=0
    AVIRA_DAEMON_RUNNING=0
    BITDEFENDER_DAEMON_RUNNING=0
    CLAMD_RUNNING=0
    CLAMSCAN_INSTALLED=0
    CROWDSTRIKE_FALCON_SENSOR_RUNNING=0
    ESET_DAEMON_RUNNING=0
    FRESHCLAM_DAEMON_RUNNING=0
    KASPERSKY_SCANNER_RUNNING=0
    MCAFEE_SCANNER_RUNNING=0
    MALWARE_SCANNER_INSTALLED=0
    MALWARE_DAEMON_RUNNING=0
    ROOTKIT_SCANNER_FOUND=0
    SENTINELONE_SCANNER_RUNNING=0
    SOPHOS_SCANNER_RUNNING=0
    SYMANTEC_SCANNER_RUNNING=0
    SYNOLOGY_DAEMON_RUNNING=0
    TRENDMICRO_DSA_DAEMON_RUNNING=0
#
#################################################################################
#
    # Test        : MALW-3274
    # Description : Check for installed tool (McAfee VirusScan for Command Line)
    Register --test-no MALW-3274 --weight L --network NO --category security --description "Check for McAfee VirusScan Command Line"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: checking presence McAfee VirusScan for Command Line"
        # fixed install location of the command-line scanner
        MCAFEECLBINARY="/usr/local/uvscan/uvscan"
        if [ -x "${MCAFEECLBINARY}" ]; then
            Display --indent 2 --text "- ${GEN_CHECKING} McAfee VirusScan for Command Line" --result "${STATUS_FOUND}" --color RED
            LogText "Result: Found ${MCAFEECLBINARY}"
            # deprecated product: do not count it as an installed scanner and award no points
            MALWARE_SCANNER_INSTALLED=0
            AddHP 0 2
            LogText "Result: McAfee Antivirus for Linux has been deprecated as of 1 Oct 2023 and will not receive updates. Please use another Anti-virus"
        else
            LogText "Result: McAfee VirusScan for Command Line not found"
        fi
    fi
#
#################################################################################
#
    # Test        : MALW-3275
    # Description : Check for installed tool (chkrootkit)
    Register --test-no MALW-3275 --weight L --network NO --category security --description "Check for chkrootkit"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: checking presence chkrootkit"
        if [ -n "${CHKROOTKITBINARY}" ]; then
            Display --indent 2 --text "- ${GEN_CHECKING} chkrootkit" --result "${STATUS_FOUND}" --color GREEN
            LogText "Result: Found ${CHKROOTKITBINARY}"
            MALWARE_SCANNER_INSTALLED=1
            ROOTKIT_SCANNER_FOUND=1
            AddHP 2 2
            Report "malware_scanner[]=chkrootkit"
        else
            LogText "Result: chkrootkit not found"
        fi
    fi
#
#################################################################################
#
    # Test        : MALW-3276
    # Description : Check for installed tool (Rootkit Hunter)
    Register --test-no MALW-3276 --weight L --network NO --category security --description "Check for Rootkit Hunter"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: checking presence Rootkit Hunter"
        if [ -n "${RKHUNTERBINARY}" ]; then
            Display --indent 2 --text "- ${GEN_CHECKING} Rootkit Hunter" --result "${STATUS_FOUND}" --color GREEN
            LogText "Result: Found ${RKHUNTERBINARY}"
            MALWARE_SCANNER_INSTALLED=1
            ROOTKIT_SCANNER_FOUND=1
            AddHP 2 2
            Report "malware_scanner[]=rkhunter"
        else
            LogText "Result: Rootkit Hunter not found"
        fi
    fi
#
#################################################################################
#
    # Test        : MALW-3278
    # Description : Check for installed tool (Linux Malware Detect or LMD)
    Register --test-no MALW-3278 --weight L --network NO --category security --description "Check for LMD"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: checking presence LMD"
        if [ ! "${LMDBINARY}" = "" ]; then
            Display --indent 2 --text "- ${GEN_CHECKING} LMD (Linux Malware Detect)" --result "${STATUS_FOUND}" --color GREEN
            LogText "Result: Found ${LMDBINARY}"
            MALWARE_SCANNER_INSTALLED=1
            AddHP 2 2
            Report "malware_scanner[]=lmd"
        else
            LogText "Result: LMD not found"
        fi
    fi
#
#################################################################################
#
    # Test        : MALW-3280
    # Description : Check if an anti-virus tool is installed
    Register --test-no MALW-3280 --weight L --network NO --category security --description "Check if anti-virus tool is installed"
    if [ ${SKIPTEST} -eq 0 ]; then
        FOUND=0

        # Avast (macOS)
        LogText "Test: checking process com.avast.daemon"
        if IsRunning --full "com.avast.daemon"; then
            FOUND=1
            AVAST_DAEMON_RUNNING=1
            MALWARE_DAEMON_RUNNING=1
            MALWARE_SCANNER_INSTALLED=1
            if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Avast daemon" --result "${STATUS_FOUND}" --color GREEN; fi
            LogText "Result: found Avast security product"
            Report "malware_scanner[]=avast"
        fi

        # Avira
        LogText "Test: checking process Avira daemon"
        if IsRunning "avqmd"; then
            FOUND=1
            AVIRA_DAEMON_RUNNING=1
            MALWARE_DAEMON_RUNNING=1
            MALWARE_SCANNER_INSTALLED=1
            if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Avira daemon" --result "${STATUS_FOUND}" --color GREEN; fi
            LogText "Result: found Avira security product"
            Report "malware_scanner[]=avira"
        fi

        # Bitdefender (macOS)
        LogText "Test: checking process epagd"
        if IsRunning "bdagentd" || IsRunning "epagd"; then
            FOUND=1
            BITDEFENDER_DAEMON_RUNNING=1
            MALWARE_DAEMON_RUNNING=1
            MALWARE_SCANNER_INSTALLED=1
            if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Bitdefender agent" --result "${STATUS_FOUND}" --color GREEN; fi
            LogText "Result: found Bitdefender security product"
            Report "malware_scanner[]=bitdefender"
        fi

        # CrowdStrike falcon-sensor
        LogText "Test: checking process falcon-sensor (CrowdStrike)"
        if IsRunning "falcon-sensor"; then
            FOUND=1
            if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} falcon-sensor" --result "${STATUS_FOUND}" --color GREEN; fi
            LogText "Result: found falcon-sensor service"
            CROWDSTRIKE_FALCON_SENSOR_RUNNING=1
            MALWARE_SCANNER_INSTALLED=1
            Report "malware_scanner[]=falcon-sensor"
        fi

        # Cylance (macOS)
        LogText "Test: checking process CylanceSvc"
        if IsRunning "CylanceSvc"; then
            FOUND=1
            if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} CylancePROTECT" --result "${STATUS_FOUND}" --color GREEN; fi
            LogText "Result: found CylancePROTECT service"
            AVAST_DAEMON_RUNNING=1
            MALWARE_DAEMON_RUNNING=1
            MALWARE_SCANNER_INSTALLED=1
            Report "malware_scanner[]=cylance-protect"
        fi

        # ESET security products
        LogText "Test: checking process esets_daemon"
        if IsRunning "esets_daemon"; then
            FOUND=1
            ESET_DAEMON_RUNNING=1
            MALWARE_DAEMON_RUNNING=1
            MALWARE_SCANNER_INSTALLED=1
            if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} ESET daemon" --result "${STATUS_FOUND}" --color GREEN; fi
            LogText "Result: found ESET security product"
            Report "malware_scanner[]=eset"
        fi

        # Kaspersky products
        LogText "Test: checking process wdserver or klnagent (Kaspersky)"
        # wdserver is too generic to match on, so we want to ensure that it is related to Kaspersky first
        if [ -x /opt/kaspersky/kesl/libexec/kesl_launcher.sh ]; then
            if IsRunning "wdserver"; then KASPERSKY_SCANNER_RUNNING=1; fi
        else
            if IsRunning "klnagent"; then KASPERSKY_SCANNER_RUNNING=1; fi
        fi
        if [ ${KASPERSKY_SCANNER_RUNNING} -eq 1 ]; then
            FOUND=1
            if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Kaspersky" --result "${STATUS_FOUND}" --color GREEN; fi
            LogText "Result: Found Kaspersky"
            MALWARE_DAEMON_RUNNING=1
            MALWARE_SCANNER_INSTALLED=1
            Report "malware_scanner[]=kaspersky"
        fi

        # McAfee products
        LogText "Test: checking process cma or cmdagent (McAfee)"
        # cma is too generic to match on, so we want to ensure that it is related to McAfee first
        if [ -x /opt/McAfee/cma/bin/cma ]; then
            if IsRunning "cma"; then MCAFEE_SCANNER_RUNNING=1; fi
        else
            if IsRunning "cmdagent"; then MCAFEE_SCANNER_RUNNING=1; fi
        fi
        if [ ${MCAFEE_SCANNER_RUNNING} -eq 1 ]; then
            FOUND=1
            if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} McAfee" --result "${STATUS_FOUND}" --color GREEN; fi
            LogText "Result: Found McAfee"
            MALWARE_DAEMON_RUNNING=1
            MALWARE_SCANNER_INSTALLED=1
            Report "malware_scanner[]=mcafee"
        fi

        # SentinelOne
        LogText "Test: checking process sentineld (SentinelOne)"
        if IsRunning "sentineld"; then SENTINELONE_SCANNER_RUNNING=1; fi     # macOS
        if IsRunning "s1-agent"; then SENTINELONE_SCANNER_RUNNING=1; fi      # Linux
        if IsRunning "SentinelAgent"; then SENTINELONE_SCANNER_RUNNING=1; fi # Windows
        if [ ${SENTINELONE_SCANNER_RUNNING} -eq 1 ]; then
            FOUND=1
            if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} SentinelOne" --result "${STATUS_FOUND}" --color GREEN; fi
            LogText "Result: Found SentinelOne"
            MALWARE_DAEMON_RUNNING=1
            MALWARE_SCANNER_INSTALLED=1
            Report "malware_scanner[]=sentinelone"
        fi

        # Sophos savscand/SophosScanD
        LogText "Test: checking process savscand"
        if IsRunning "savscand"; then
            FOUND=1
            SOPHOS_SCANNER_RUNNING=1
        fi
        LogText "Test: checking process SophosScanD"
        if IsRunning "SophosScanD"; then
            FOUND=1
            SOPHOS_SCANNER_RUNNING=1
        fi
        if [ ${SOPHOS_SCANNER_RUNNING} -eq 1 ]; then
            if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Sophos" --result "${STATUS_FOUND}" --color GREEN; fi
            LogText "Result: Found Sophos"
            MALWARE_DAEMON_RUNNING=1
            MALWARE_SCANNER_INSTALLED=1
            Report "malware_scanner[]=sophos"
        fi

        # Symantec rtvscand/smcd/symcfgd
        LogText "Test: checking process rtvscand"
        if IsRunning "rtvscand"; then
            SYMANTEC_SCANNER_RUNNING=1
        fi
        LogText "Test: checking process Symantec management client service"
        if IsRunning "smcd"; then
            SYMANTEC_SCANNER_RUNNING=1
        fi
        LogText "Test: checking process Symantec Endpoint Protection configuration service"
        if IsRunning "symcfgd"; then
            SYMANTEC_SCANNER_RUNNING=1
        fi
        if [ ${SYMANTEC_SCANNER_RUNNING} -eq 1 ]; then
            if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Symantec" --result "${STATUS_FOUND}" --color GREEN; fi
            LogText "Result: found one or more Symantec components"
            MALWARE_DAEMON_RUNNING=1
            MALWARE_SCANNER_INSTALLED=1
            FOUND=1
            Report "malware_scanner[]=symantec"
        fi

        # Synology Antivirus Essential
        LogText "Test: checking process synoavd"
        if IsRunning "synoavd"; then
            FOUND=1
            SYNOLOGY_DAEMON_RUNNING=1
            MALWARE_DAEMON_RUNNING=1
            MALWARE_SCANNER_INSTALLED=1
            if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Synology Antivirus Essential" --result "${STATUS_FOUND}" --color GREEN; fi
            LogText "Result: found Synology Antivirus Essential"
            Report "malware_scanner[]=synoavd"
        fi

        # Trend Micro Anti Malware for Linux
        # Typically ds_agent is running as well, the Deep Security Agent
        LogText "Test: checking process ds_agent to test for Trend Micro Deep Anti Malware component"
        if IsRunning "ds_am"; then
            if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Trend Micro Anti Malware" --result "${STATUS_FOUND}" --color GREEN; fi
            LogText "Result: found Trend Micro Anti Malware component"
            FOUND=1
            MALWARE_SCANNER_INSTALLED=1
            MALWARE_DAEMON_RUNNING=1
            TRENDMICRO_DSA_DAEMON_RUNNING=1
            Report "malware_scanner[]=trend-micro-am"
        fi

        # TrendMicro (macOS)
        LogText "Test: checking process TmccMac to test for Trend Micro anti-virus (macOS)"
        if IsRunning "TmccMac"; then
            if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Trend Micro anti-virus" --result "${STATUS_FOUND}" --color GREEN; fi
            LogText "Result: found Trend Micro component"
            FOUND=1
            MALWARE_DAEMON_RUNNING=1
            MALWARE_SCANNER_INSTALLED=1
            Report "malware_scanner[]=trend-micro-av"
        fi

        if [ ${FOUND} -eq 0 ]; then
            LogText "Result: no commercial anti-virus tools found"
            AddHP 0 3
        else
            LogText "Result: found one or more commercial anti-virus tools"
            AddHP 2 2
        fi
    fi
#
#################################################################################
#
    # Test        : MALW-3282
    # Description : Check if clamscan is installed
    Register --test-no MALW-3282 --weight L --network NO --category security --description "Check for clamscan"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: checking presence clamscan"
        if [ ! "${CLAMSCANBINARY}" = "" ]; then
            Display --indent 2 --text "- Checking ClamAV scanner" --result "${STATUS_FOUND}" --color GREEN
            LogText "Result: Found ${CLAMSCANBINARY}"
            MALWARE_SCANNER_INSTALLED=1
            CLAMSCAN_INSTALLED=1
            AddHP 2 2
        else
            LogText "Result: clamscan couldn't be found"
        fi
    fi
#
#################################################################################
#
    # Test        : MALW-3284
    # Description : Check running clamd process
    Register --test-no MALW-3284 --weight L --network NO --category security --description "Check for clamd"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: checking running ClamAV daemon (clamd)"
        if IsRunning "clamd"; then
            Display --indent 2 --text "- ${GEN_CHECKING} ClamAV daemon" --result "${STATUS_FOUND}" --color GREEN
            LogText "Result: found running clamd process"
            MALWARE_DAEMON_RUNNING=1
            MALWARE_SCANNER_INSTALLED=1
            CLAMD_RUNNING=1
        else
            LogText "Result: clamd not running"
        fi
    fi
#
#################################################################################
#
    # Test        : MALW-3286
    # Description : Check running freshclam if clamd process is running
    if [ ${CLAMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no MALW-3286 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for freshclam"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: checking running freshclam daemon"
        if IsRunning "freshclam"; then
            FRESHCLAM_DAEMON_RUNNING=1
            Display --indent 4 --text "- ${GEN_CHECKING} freshclam" --result "${STATUS_FOUND}" --color GREEN
            LogText "Result: found running freshclam process"
            AddHP 2 2
        else
            Display --indent 4 --text "- ${GEN_CHECKING} freshclam" --result "${STATUS_SUGGESTION}" --color YELLOW
            LogText "Result: freshclam is not running"
            ReportSuggestion "${TEST_NO}" "Confirm that freshclam is properly configured and keeps updating the ClamAV database"
        fi
    fi
#
#################################################################################
#
    # Test        : MALW-3288
    # Description : Check for ClamXav (macOS)
    if [ -d /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no MALW-3288 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for ClamXav"
    if [ ${SKIPTEST} -eq 0 ]; then
        CLAMSCANBINARY=$(${LSBINARY} /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | ${GREPBINARY} 'clamscan')
        if [ -n "${CLAMSCANBINARY}" ]; then
            LogText "Result: Found ClamXav clamscan installed"
            Display --indent 2 --text "- ${GEN_CHECKING} ClamXav AV scanner" --result "${STATUS_FOUND}" --color GREEN
            MALWARE_SCANNER_INSTALLED=1
            CLAMSCAN_INSTALLED=1
            AddHP 3 3
        else
            LogText "Result: ClamXav malware scanner not found"
            AddHP 0 3
        fi
    fi
#
#################################################################################
#
    # Check if we found any of the ClamAV components
    if [ ${CLAMSCAN_INSTALLED} -eq 1 -o ${CLAMD_RUNNING} -eq 1 -o ${FRESHCLAM_DAEMON_RUNNING} -eq 1 ]; then
        Report "malware_scanner[]=clamav"
    fi
#
#################################################################################
#
    # Test        : MALW-3290
    # Description : Presence of malware scanners
    Register --test-no MALW-3290 --weight L --network NO --category security --description "Presence of for malware detection"
    if [ ${SKIPTEST} -eq 0 ]; then
        if [ ${MALWARE_SCANNER_INSTALLED} -eq 0 ]; then
            Display --indent 2 --text "- Malware software components" --result "${STATUS_NOT_FOUND}" --color YELLOW
        else
            Display --indent 2 --text "- Malware software components" --result "${STATUS_FOUND}" --color GREEN
            if [ ${MALWARE_DAEMON_RUNNING} -eq 0 ]; then
                Display --indent 4 --text "- Active agent" --result "${STATUS_NOT_FOUND}" --color WHITE
            else
                Display --indent 4 --text "- Active agent" --result "${STATUS_FOUND}" --color GREEN
            fi
            if [ ${ROOTKIT_SCANNER_FOUND} -eq 0 ]; then
                Display --indent 4 --text "- Rootkit scanner" --result "${STATUS_NOT_FOUND}" --color WHITE
            else
                Display --indent 4 --text "- Rootkit scanner" --result "${STATUS_FOUND}" --color GREEN
            fi
        fi
    fi
#
#################################################################################
#
    Report "malware_scanner_installed=${MALWARE_SCANNER_INSTALLED}"

    WaitForKeyPress

#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
```
from lynis.
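The point of the modified MALW-3274 test above is that a scanner which is still installed but has reached end of life must be detected yet earn no hardening points. The script below is an added example, not Lynis code and not the commenter's code: it isolates that rule in a stand-alone, testable POSIX shell function and keeps the end-of-life date as data rather than inside a log message, so the same function serves any scanner binary with a known cut-off date. The `AddHP` and `LogText` helpers here are simplified stand-ins for the Lynis functions of the same name, and the `uvscan` path and the 2023-10-01 date are taken from the comment above.

```sh
#!/bin/sh
# Added example (not Lynis's own code): scoring an installed-but-deprecated
# malware scanner. Helper functions are stand-ins for the Lynis helpers.

HP_SCORE=0   # hardening points earned (stand-in for Lynis's AddHP bookkeeping)
HP_MAX=0     # hardening points available
AddHP() { HP_SCORE=$((HP_SCORE + $1)); HP_MAX=$((HP_MAX + $2)); }
LogText() { printf '%s\n' "$1" >&2; }

# date_num YYYY-MM-DD -> YYYYMMDD, so ISO dates compare as plain integers
date_num() { printf '%s' "$1" | tr -d '-'; }

# scanner_status BINARY EOL_DATE TODAY
#   Prints one word: absent | supported | deprecated
#   EOL_DATE may be empty (no known end-of-life). A scanner is "deprecated"
#   on or after its end-of-life date. Returns 0 only for a supported scanner.
scanner_status() {
    binary=$1; eol=$2; today=$3
    if [ ! -x "$binary" ]; then
        LogText "Result: ${binary} not found"
        echo absent
        return 1
    fi
    LogText "Result: Found ${binary}"
    if [ -n "$eol" ] && [ "$(date_num "$today")" -ge "$(date_num "$eol")" ]; then
        LogText "Result: ${binary} is end-of-life since ${eol}; it earns no points"
        echo deprecated
        return 1
    fi
    echo supported
    return 0
}

# score_scanner BINARY EOL_DATE TODAY
#   Applies the scoring rule from the modified test: a supported scanner is
#   worth 2 of 2 points, a deprecated one 0 of 2, an absent one changes nothing.
#   Prints the status word so callers can report it.
score_scanner() {
    status=$(scanner_status "$1" "$2" "$3") || true
    case $status in
        supported)  AddHP 2 2 ;;
        deprecated) AddHP 0 2 ;;
        absent)     ;;
    esac
    echo "$status"
}

# Usage: sh eol_scanner.sh /usr/local/uvscan/uvscan [EOL_DATE]
# (EOL_DATE defaults to 2023-10-01, the McAfee date cited in the comment above)
if [ $# -ge 1 ]; then
    score_scanner "$1" "${2:-2023-10-01}" "$(date +%Y-%m-%d)"
    printf 'hardening points: %s/%s\n' "$HP_SCORE" "$HP_MAX"
fi
```

Keeping the date as a parameter means the deprecation check stays correct without editing the test every time a vendor ends support, and the status word separates "installed" from "earns points", which is exactly the distinction the summary test MALW-3290 needs when it reports scanner components.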
Hope I did it correctly: #1481
from lynis.
Related PR has been merged. Thank you!
from lynis.