A UNIX security auditing tool based on several security frameworks
Introduction
This script generates a scored audit report of a Unix host's security. It is based on the CIS benchmarks and other security frameworks. Where possible, the code documentation references the relevant sections of the CIS and other benchmarks.
Why a shell script? I wanted a tool that could run on locked-down systems where other tools may not be available, and that would run on all versions of UNIX. Having said that, there are some differences between sh and bash, so I've used only functions available in sh.
There is no warranty implied or given with this script. My recommendation is to use it in audit mode only, and to address each warning individually via policy, documentation and configuration management.
It can also perform a lockdown. Unlike some other scripts, I have added the capability to back out changes: files are backed up using cpio to a directory named after the date.
Although it can perform a lockdown, as stated above, I'd recommend you address the warnings via policy, documentation and configuration management. This is how I use the tool.
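The audit, lockdown and undo cycle described above, as an added example in POSIX sh (this is not LUNAR's own code; the function names check_file_mode, lunar_backup, lunar_undo and lunar_score, the backup root under /tmp, and the cp -p fallback for hosts without cpio are this example's assumptions). In audit mode a check only counts a pass or a warning; in lockdown mode the file is first copied with cpio into a date-stamped directory, keeping its path and mode, so that the change can be backed out later:

```shell
#!/bin/sh
# Added example, not LUNAR's own code: the audit / lockdown / undo cycle in
# POSIX sh. Function names and the backup root are this example's assumptions.

BACKUP_ROOT="${BACKUP_ROOT:-/tmp/lunar_example_backups}"  # assumed location of backups
MODE="${MODE:-audit}"        # audit: report only; lockdown: back up, then change
PASSES=0
WARNINGS=0
BACKUP_DIR=""                # date-stamped directory for this run's backups

# True when the file's permission bits exactly match the octal mode given.
# POSIX find -perm with a plain octal mode is an exact match, which avoids the
# differing stat flags of GNU, BSD and Solaris.
mode_is() {
  [ -n "$(find "$1" -prune -perm "$2")" ]
}

# One backup directory per run, named like the README's 21_12_2012_19_45_05.
lunar_new_backup_dir() {
  BACKUP_DIR="$BACKUP_ROOT/$(date +%d_%m_%Y_%H_%M_%S)"
  mkdir -p "$BACKUP_DIR"
}

# Copy a file under BACKUP_DIR keeping its full path and mode. cpio pass-through
# mode (-p) with -d (make directories) and -m (keep mtime) is used when cpio
# exists; the cp -p fallback is this example's addition for hosts without it.
lunar_backup() {
  file="$1"
  [ -n "$BACKUP_DIR" ] || lunar_new_backup_dir
  if command -v cpio >/dev/null 2>&1; then
    printf '%s\n' "$file" | cpio -pdm "$BACKUP_DIR" 2>/dev/null
  else
    mkdir -p "$BACKUP_DIR$(dirname "$file")"
    cp -p "$file" "$BACKUP_DIR$file"
  fi
}

# One audit test: warn when a file's mode differs from the expected one.
# In lockdown mode the file is backed up before chmod touches it.
check_file_mode() {
  file="$1"; want="$2"
  [ -f "$file" ] || return 0
  if mode_is "$file" "$want"; then
    PASSES=$((PASSES + 1))
    echo "Secure:  $file has mode $want"
  else
    WARNINGS=$((WARNINGS + 1))
    echo "Warning: $file is $(ls -ld "$file" | cut -c1-10), expected mode $want"
    if [ "$MODE" = "lockdown" ]; then
      lunar_backup "$file"
      chmod "$want" "$file"
      echo "Setting: $file to mode $want (backup in $BACKUP_DIR)"
    fi
  fi
}

# Percentage of checks that passed: the report's score.
lunar_score() {
  total=$((PASSES + WARNINGS))
  [ "$total" -gt 0 ] || { echo 0; return 0; }
  echo $((100 * PASSES / total))
}

# Equivalent of -b: list the date-stamped backup directories.
lunar_list_backups() {
  ls "$BACKUP_ROOT" 2>/dev/null
}

# Equivalent of -u <backup>: put every backed-up file back, mode included
# (cp -p copies the mode stored with the backup onto the live file).
lunar_undo() {
  dir="$BACKUP_ROOT/$1"
  [ -d "$dir" ] || { echo "No such backup: $1" >&2; return 1; }
  ( cd "$dir" && find . -type f ) | while read -r rel; do
    cp -p "$dir/$rel" "/${rel#./}"
  done
}

# Demo on a throwaway tree, never on real system files: sh this_file.sh demo
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/etc"
  echo 'example' > "$tmp/etc/example.conf"
  chmod 666 "$tmp/etc/example.conf"
  MODE=audit;    check_file_mode "$tmp/etc/example.conf" 644
  MODE=lockdown; check_file_mode "$tmp/etc/example.conf" 644
  echo "Score: $(lunar_score)%"
  echo "Previous backups:"; lunar_list_backups
  lunar_undo "$(basename "$BACKUP_DIR")"
  ls -l "$tmp/etc/example.conf"
  rm -rf "$tmp" "$BACKUP_DIR"
}
case "${1:-}" in demo) demo ;; esac
```

Running `sh lunar_example.sh demo` shows the warning in audit mode, the backup and chmod in lockdown mode, and the original 666 mode restored by the undo. The check keeps the audit and change paths in one function so the same test that reports a warning is the only place that modifies the host, and it never modifies anything unless a backup succeeded first.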
Supported Operating Systems:
Linux
- RHEL 5,6,7
- Centos 5,6,7
- Scientific Linux
- SLES 10,11,12
- Debian
- Ubuntu
- Amazon Linux
- Solaris (6,7,8,9,10 and 11)
- Mac OS X
- FreeBSD (needs more testing)
- AIX (needs more testing)
- ESXi (initial support - some tests)
More Information
For more information refer to the wiki:
Usage
Usage: ./lunar.sh -[a|A|s|S|d|p|c|l|h|c|V] -[u]
-a: Run in audit mode (no changes made to system)
-A: Run in audit mode (no changes made to system)
[includes filesystem checks which take some time]
-s: Run in selective mode (only run tests you want to)
-d: Print information for a specific test
-S: List functions available to selective mode
-l: Run in lockdown mode (changes made to system)
-L: Run in lockdown mode (changes made to system)
[includes filesystem checks which take some time]
-c: Show changes previously made to system
-p: Show previous versions of a file
-u: Undo lockdown (changes made to system)
-h: Display usage
-V: Display version
-v: Verbose mode [used with -a and -A]
[Provides more information about the audit taking place]
Examples
Run in Audit Mode:
./lunar.sh -a
Run in Audit Mode and provide more information:
./lunar.sh -a -v
Display previous backups:
./lunar.sh -b
Previous backups:
21_12_2012_19_45_05 21_12_2012_20_35_54 21_12_2012_21_57_25
Restore from previous backup:
./lunar.sh -u 21_12_2012_19_45_05
List tests:
./lunar.sh -S
Only run apache based tests:
./lunar.sh -s audit_apache
Print documentation regarding apache based tests:
./lunar.sh -d audit_apache
# SYSTEM INFORMATION:
Platform: i386
Vendor: Apple
Name: Darwin
Version: 10.12
Update: 3
Checking: If node is managed
Notice: Node is not managed
# Module: audit_apache
# Solaris:
# The action in this section describes disabling the Apache 1.x and 2.x web
# servers provided with Solaris 10. Both services are disabled by default.
# Run control scripts for Apache 1 and the NCA web servers still exist,
# but the services will only be started if the respective configuration
# files have been set up appropriately, and these configuration files do not
# exist by default.
# Even if the system is a Web server, the local site may choose not to use
# the Web server provided with Solaris in favor of a locally developed and
# supported Web environment. If the machine is a Web server, the administrator
# is encouraged to search the Web for additional documentation on Web server
# security.
# Linux:
# HTTP or web servers provide the ability to host web site content.
# The default HTTP server shipped with CentOS Linux is Apache.
# The default HTTP proxy package shipped with CentOS Linux is squid.
# Unless there is a need to run the system as a web server, or a proxy it is
# recommended that the package(s) be deleted.
# Refer to Section(s) 3.11,14 Page(s) 66-9 CIS CentOS Linux 6 Benchmark v1.0.0
# Refer to Section(s) 2.2.10 Page(s) 110 CIS Ubuntu Linux 16.04 Benchmark v1.0.0
# Refer to Section(s) 3.11,14 Page(s) 79-81 CIS RHEL 5 Benchmark v2.1.0
# Refer to Section(s) 3.11,14 Page(s) 69-71 CIS RHEL 6 Benchmark v1.2.0
# Refer to Section(s) 2.2.10,13 Page(s) 110,113 CIS RHEL 7 Benchmark v2.1.0
# Refer to Section(s) 6.10,13 Page(s) 59,61 CIS SLES 11 Benchmark v1.0.0
# Refer to Section(s) 2.4.14.7 Page(s) 56-7 CIS OS X 10.5 Benchmark v1.1.0
# Refer to Section(s) 2.10 Page(s) 21-2 CIS Solaris 11.1 v1.0.0
# Refer to Section(s) 2.2.11 Page(s) 30-2 CIS Solaris 10 v5.1.0
# Refer to Section(s) 2.2.10,13 Page(s) 102,105 CIS Amazon Linux Benchmark v2.0.0
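The -S, -d and -s modes from the usage section (list the available tests, print one test's documentation, run one test) can be built from a module file whose comment block sits directly above each audit_* function, which is the layout the output above shows. The following is an added example in POSIX sh, not LUNAR's own code: lunar_list_tests, lunar_doc, lunar_run_test and the sample module (its audit_apache and audit_ntp bodies are constructed, not LUNAR's real tests) are this example's assumptions.

```shell
#!/bin/sh
# Added example, not LUNAR's own code: how -S (list tests), -d (print a
# test's documentation) and -s (run one test) can be implemented in POSIX sh.

# Constructed sample module in LUNAR's style: the comment block documenting
# each audit_* function sits directly above it. Not LUNAR's real audit_apache.
SAMPLE_MODULE='# Module: audit_apache
# Unless the host needs to be a web server, the package should be removed.
audit_apache() {
  echo "Checking: Apache package is not installed"
}

# Module: audit_ntp
# Clock drift undermines log correlation; NTP should be configured.
audit_ntp() {
  echo "Checking: NTP is configured"
}
'

# -S: list the audit_* functions defined in a module file (POSIX sed only).
lunar_list_tests() {
  sed -n 's/^\(audit_[A-Za-z0-9_]*\)().*/\1/p' "$1"
}

# -d <name>: print the comment block immediately preceding the function.
# Any non-comment line resets the buffer, so only that test's doc is shown.
lunar_doc() {
  awk -v fn="$2" '
    /^#/ { buf = buf $0 "\n"; next }
    $0 ~ "^" fn "\\(\\)" { printf "%s", buf; exit }
    { buf = "" }
  ' "$1"
}

# -s <name>: run a single test, but only one the module actually defines, so
# a typo or an unexpected argument never executes an arbitrary command name.
lunar_run_test() {
  if ! lunar_list_tests "$1" | grep -qx -- "$2"; then
    echo "Unknown test: $2" >&2
    return 1
  fi
  . "$1"
  "$2"
}

# Demo writes the sample module to a temp file: sh this_file.sh demo
demo() {
  m=$(mktemp)
  printf '%s' "$SAMPLE_MODULE" > "$m"
  echo "Tests:"; lunar_list_tests "$m"
  echo "Doc:";   lunar_doc "$m" audit_apache
  echo "Run:";   lunar_run_test "$m" audit_apache
  rm -f "$m"
}
case "${1:-}" in demo) demo ;; esac
```

Keeping the documentation as a comment run directly above each function means the same text serves both readers of the script and the -d output, and the name check before sourcing and calling the function is the part worth keeping in any selective-mode runner.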