1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
|
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Malware scanners
#
#################################################################################
#
InsertSection "${SECTION_MALWARE}"
#
#################################################################################
#
AVAST_DAEMON_RUNNING=0
AVIRA_DAEMON_RUNNING=0
BITDEFENDER_DAEMON_RUNNING=0
CLAMD_RUNNING=0
CLAMSCAN_INSTALLED=0
CROWDSTRIKE_FALCON_SENSOR_RUNNING=0
ESET_DAEMON_RUNNING=0
FRESHCLAM_DAEMON_RUNNING=0
KASPERSKY_SCANNER_RUNNING=0
MCAFEE_SCANNER_RUNNING=0
MALWARE_SCANNER_INSTALLED=0
MALWARE_DAEMON_RUNNING=0
ROOTKIT_SCANNER_FOUND=0
SENTINELONE_SCANNER_RUNNING=0
SOPHOS_SCANNER_RUNNING=0
SYMANTEC_SCANNER_RUNNING=0
SYNOLOGY_DAEMON_RUNNING=0
TRENDMICRO_DSA_DAEMON_RUNNING=0
WAZUH_DAEMON_RUNNING=0
#
#################################################################################
#
# Test : MALW-3274
# Description : Check for installed tool (McAfee VirusScan for Command Line)
Register --test-no MALW-3274 --weight L --network NO --category security --description "Check for McAfee VirusScan Command Line"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking presence McAfee VirusScan for Command Line"
if [ -x /usr/local/uvscan/uvscan ]; then
Display --indent 2 --text "- ${GEN_CHECKING} McAfee VirusScan for Command Line (deprecated)" --result "${STATUS_FOUND}" --color RED
LogText "Result: Found ${MCAFEECLBINARY}"
AddHP 0 2
LogText "Result: McAfee Antivirus for Linux has been deprecated as of 1 Oct 2023 and will not receive updates. Please use another antivirus instead."
fi
fi
#################################################################################
#
# Test : MALW-3275
# Description : Check for installed tool (chkrootkit)
Register --test-no MALW-3275 --weight L --network NO --category security --description "Check for chkrootkit"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking presence chkrootkit"
if [ -n "${CHKROOTKITBINARY}" ]; then
Display --indent 2 --text "- ${GEN_CHECKING} chkrootkit" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found ${CHKROOTKITBINARY}"
MALWARE_SCANNER_INSTALLED=1
ROOTKIT_SCANNER_FOUND=1
AddHP 2 2
Report "malware_scanner[]=chkrootkit"
else
LogText "Result: chkrootkit not found"
fi
fi
#
#################################################################################
#
# Test : MALW-3276
# Description : Check for installed tool (Rootkit Hunter)
Register --test-no MALW-3276 --weight L --network NO --category security --description "Check for Rootkit Hunter"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking presence Rootkit Hunter"
if [ -n "${RKHUNTERBINARY}" ]; then
Display --indent 2 --text "- ${GEN_CHECKING} Rootkit Hunter" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found ${RKHUNTERBINARY}"
MALWARE_SCANNER_INSTALLED=1
ROOTKIT_SCANNER_FOUND=1
AddHP 2 2
Report "malware_scanner[]=rkhunter"
else
LogText "Result: Rootkit Hunter not found"
fi
fi
#
#################################################################################
#
# Test : MALW-3278
# Description : Check for installed tool (Linux Malware Detect or LMD)
Register --test-no MALW-3278 --weight L --network NO --category security --description "Check for LMD"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking presence LMD"
if [ ! "${LMDBINARY}" = "" ]; then
Display --indent 2 --text "- ${GEN_CHECKING} LMD (Linux Malware Detect)" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found ${LMDBINARY}"
MALWARE_SCANNER_INSTALLED=1
AddHP 2 2
Report "malware_scanner[]=lmd"
else
LogText "Result: LMD not found"
fi
fi
#
#################################################################################
#
# Test : MALW-3280
# Description : Check if an anti-virus tool is installed
Register --test-no MALW-3280 --weight L --network NO --category security --description "Check if anti-virus tool is installed"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
# Avast (macOS)
LogText "Test: checking process com.avast.daemon"
if IsRunning --full "com.avast.daemon"; then
FOUND=1
AVAST_DAEMON_RUNNING=1
MALWARE_DAEMON_RUNNING=1
MALWARE_SCANNER_INSTALLED=1
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Avast daemon" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: found Avast security product"
Report "malware_scanner[]=avast"
fi
# Avira
LogText "Test: checking process Avira daemon"
if IsRunning "avqmd"; then
FOUND=1
AVIRA_DAEMON_RUNNING=1
MALWARE_DAEMON_RUNNING=1
MALWARE_SCANNER_INSTALLED=1
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Avira daemon" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: found Avira security product"
Report "malware_scanner[]=avira"
fi
# Bitdefender (macOS & Linux)
LogText "Test: checking process Bitdefender daemon"
if IsRunning "bdagentd" || IsRunning "epagd" || IsRunning "bdsecd"; then
FOUND=1
BITDEFENDER_DAEMON_RUNNING=1
MALWARE_DAEMON_RUNNING=1
MALWARE_SCANNER_INSTALLED=1
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Bitdefender daemon" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: found Bitdefender security product"
Report "malware_scanner[]=bitdefender"
fi
# CrowdStrike falcon-sensor
LogText "Test: checking process falcon-sensor (CrowdStrike)"
if IsRunning "falcon-sensor"; then
FOUND=1
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} falcon-sensor" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: found falcon-sensor service"
CROWDSTRIKE_FALCON_SENSOR_RUNNING=1
MALWARE_SCANNER_INSTALLED=1
Report "malware_scanner[]=falcon-sensor"
fi
# Cylance (macOS)
LogText "Test: checking process CylanceSvc"
if IsRunning "CylanceSvc"; then
FOUND=1
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} CylancePROTECT" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: found CylancePROTECT service"
AVAST_DAEMON_RUNNING=1
MALWARE_DAEMON_RUNNING=1
MALWARE_SCANNER_INSTALLED=1
Report "malware_scanner[]=cylance-protect"
fi
# ESET security products
LogText "Test: checking process esets_daemon or oaeventd (ESET)"
if IsRunning "esets_daemon" || IsRunning "oaeventd"; then
FOUND=1
ESET_DAEMON_RUNNING=1
MALWARE_DAEMON_RUNNING=1
MALWARE_SCANNER_INSTALLED=1
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} ESET daemon" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: found ESET security product"
Report "malware_scanner[]=eset"
fi
# Kaspersky products
LogText "Test: checking process wdserver or klnagent (Kaspersky)"
# wdserver is too generic to match on, so we want to ensure that it is related to Kaspersky first
if [ -x /opt/kaspersky/kesl/libexec/kesl_launcher.sh ]; then
if IsRunning "wdserver"; then KASPERSKY_SCANNER_RUNNING=1; fi
else
if IsRunning "klnagent"; then KASPERSKY_SCANNER_RUNNING=1; fi
fi
if [ ${KASPERSKY_SCANNER_RUNNING} -eq 1 ]; then
FOUND=1
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Kaspersky" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: Found Kaspersky"
MALWARE_DAEMON_RUNNING=1
MALWARE_SCANNER_INSTALLED=1
Report "malware_scanner[]=kaspersky"
fi
# McAfee products
LogText "Test: checking process cma or cmdagent (McAfee)"
# cma is too generic to match on, so we want to ensure that it is related to McAfee first
if [ -x /opt/McAfee/cma/bin/cma ]; then
if IsRunning "cma"; then MCAFEE_SCANNER_RUNNING=1; fi
else
if IsRunning "cmdagent"; then MCAFEE_SCANNER_RUNNING=1; fi
fi
if [ ${MCAFEE_SCANNER_RUNNING} -eq 1 ]; then
FOUND=1
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} McAfee" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: Found McAfee"
MALWARE_DAEMON_RUNNING=1
MALWARE_SCANNER_INSTALLED=1
Report "malware_scanner[]=mcafee"
fi
# SentinelOne
LogText "Text: checking process sentineld (SentinelOne)"
if IsRunning "sentineld"; then SENTINELONE_SCANNER_RUNNING=1; fi # macOS
if IsRunning "s1-agent"; then SENTINELONE_SCANNER_RUNNING=1; fi # Linux
if IsRunning "SentinelAgent"; then SENTINELONE_SCANNER_RUNNING=1; fi # Windows
if [ ${SENTINELONE_SCANNER_RUNNING} -eq 1 ]; then
FOUND=1
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} SentinelOne" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: Found SentinelOne"
MALWARE_DAEMON_RUNNING=1
MALWARE_SCANNER_INSTALLED=1
Report "malware_scanner[]=sentinelone"
fi
# Sophos savscand/SophosScanD
LogText "Test: checking process savscand"
if IsRunning "savscand"; then
FOUND=1
SOPHOS_SCANNER_RUNNING=1
fi
LogText "Test: checking process SophosScanD"
if IsRunning "SophosScanD"; then
FOUND=1
SOPHOS_SCANNER_RUNNING=1
fi
if [ ${SOPHOS_SCANNER_RUNNING} -eq 1 ]; then
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Sophos" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: Found Sophos"
MALWARE_DAEMON_RUNNING=1
MALWARE_SCANNER_INSTALLED=1
Report "malware_scanner[]=sophos"
fi
# Symantec rtvscand/smcd/symcfgd
LogText "Test: checking process rtvscand"
if IsRunning "rtvscand"; then
SYMANTEC_SCANNER_RUNNING=1
fi
LogText "Test: checking process Symantec management client service"
if IsRunning "smcd"; then
SYMANTEC_SCANNER_RUNNING=1
fi
LogText "Test: checking process Symantec Endpoint Protection configuration service"
if IsRunning "symcfgd"; then
SYMANTEC_SCANNER_RUNNING=1
fi
if [ ${SYMANTEC_SCANNER_RUNNING} -eq 1 ]; then
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Symantec" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: found one or more Symantec components"
MALWARE_DAEMON_RUNNING=1
MALWARE_SCANNER_INSTALLED=1
FOUND=1
Report "malware_scanner[]=symantec"
fi
# Synology Antivirus Essential
LogText "Test: checking process synoavd"
if IsRunning "synoavd"; then
FOUND=1
SYNOLOGY_DAEMON_RUNNING=1
MALWARE_DAEMON_RUNNING=1
MALWARE_SCANNER_INSTALLED=1
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Synology Antivirus Essential" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: found Synology Antivirus Essential"
Report "malware_scanner[]=synoavd"
fi
# Trend Micro Anti Malware for Linux
# Typically ds_agent is running as well, the Deep Security Agent
LogText "Test: checking process ds_agent to test for Trend Micro Deep Anti Malware component"
if IsRunning "ds_am"; then
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Trend Micro Anti Malware" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: found Trend Micro Anti Malware component"
FOUND=1
MALWARE_SCANNER_INSTALLED=1
MALWARE_DAEMON_RUNNING=1
TRENDMICRO_DSA_DAEMON_RUNNING=1
Report "malware_scanner[]=trend-micro-am"
fi
# TrendMicro (macOS)
LogText "Test: checking process TmccMac to test for Trend Micro anti-virus (macOS)"
if IsRunning "TmccMac"; then
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Trend Micro anti-virus" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: found Trend Micro component"
FOUND=1
MALWARE_DAEMON_RUNNING=1
MALWARE_SCANNER_INSTALLED=1
Report "malware_scanner[]=trend-micro-av"
fi
# Wazuh agent
LogText "Test: checking process wazuh-agent to test for Wazuh agent"
if IsRunning "wazuh-agentd"; then
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Wazuh agent" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: found Wazuh component"
FOUND=1
WAZUH_DAEMON_RUNNING=1
MALWARE_DAEMON_RUNNING=1
MALWARE_SCANNER_INSTALLED=1
ROOTKIT_SCANNER_FOUND=1
Report "malware_scanner[]=wazuh"
fi
if [ ${FOUND} -eq 0 ]; then
LogText "Result: no commercial anti-virus tools found"
AddHP 0 3
else
LogText "Result: found one or more commercial anti-virus tools"
AddHP 2 2
fi
fi
#
#################################################################################
#
# Test : MALW-3282
# Description : Check if clamscan is installed
Register --test-no MALW-3282 --weight L --network NO --category security --description "Check for clamscan"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking presence clamscan"
if [ ! "${CLAMSCANBINARY}" = "" ]; then
Display --indent 2 --text "- Checking ClamAV scanner" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found ${CLAMSCANBINARY}"
MALWARE_SCANNER_INSTALLED=1
CLAMSCAN_INSTALLED=1
AddHP 2 2
else
LogText "Result: clamscan couldn't be found"
fi
fi
#
#################################################################################
#
# Test : MALW-3284
# Description : Check running clamd process
Register --test-no MALW-3284 --weight L --network NO --category security --description "Check for clamd"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking running ClamAV daemon (clamd)"
if IsRunning "clamd"; then
Display --indent 2 --text "- ${GEN_CHECKING} ClamAV daemon" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: found running clamd process"
MALWARE_DAEMON_RUNNING=1
MALWARE_SCANNER_INSTALLED=1
CLAMD_RUNNING=1
else
LogText "Result: clamd not running"
fi
fi
#
#################################################################################
#
# Test : MALW-3291
# Description : Check if Microsoft Defender Antivirus is installed
Register --test-no MALW-3291 --weight L --network NO --category security --description "Check for mdatp"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking presence mdatp"
if [ ! "${MDATPBINARY}" = "" ]; then
Display --indent 2 --text "- Checking Microsoft Defender Antivirus" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found ${MDATPBINARY}"
MALWARE_SCANNER_INSTALLED=1
AddHP 2 2
Report "malware_scanner[]=mdatp"
else
LogText "Result: mdatp couldn't be found"
fi
fi
#
#################################################################################
#
# Test : MALW-3286
# Description : Check running freshclam if clamd process is running
if [ ${CLAMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no MALW-3286 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for freshclam"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking running freshclam daemon"
if IsRunning "freshclam"; then
FRESHCLAM_DAEMON_RUNNING=1
Display --indent 4 --text "- ${GEN_CHECKING} freshclam" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: found running freshclam process"
AddHP 2 2
else
Display --indent 4 --text "- ${GEN_CHECKING} freshclam" --result "${STATUS_SUGGESTION}" --color YELLOW
LogText "Result: freshclam is not running"
ReportSuggestion "${TEST_NO}" "Confirm that freshclam is properly configured and keeps updating the ClamAV database"
fi
fi
#
#################################################################################
#
# Test : MALW-3288
# Description : Check for ClamXav (macOS)
if [ -d /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no MALW-3288 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for ClamXav"
if [ ${SKIPTEST} -eq 0 ]; then
CLAMSCANBINARY=$(${LSBINARY} /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | ${GREPBINARY} 'clamscan')
if [ -n "${CLAMSCANBINARY}" ]; then
LogText "Result: Found ClamXav clamscan installed"
Display --indent 2 --text "- ${GEN_CHECKING} ClamXav AV scanner" --result "${STATUS_FOUND}" --color GREEN
MALWARE_SCANNER_INSTALLED=1
CLAMSCAN_INSTALLED=1
AddHP 3 3
else
LogText "Result: ClamXav malware scanner not found"
AddHP 0 3
fi
fi
#
#################################################################################
#
# Check if we found any of the ClamAV components
if [ ${CLAMSCAN_INSTALLED} -eq 1 -o ${CLAMD_RUNNING} -eq 1 -o ${FRESHCLAM_DAEMON_RUNNING} -eq 1 ]; then
Report "malware_scanner[]=clamav"
fi
#
#################################################################################
#
# Test : MALW-3290
# Description : Presence of malware scanners
Register --test-no MALW-3290 --weight L --network NO --category security --description "Presence of for malware detection"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ${MALWARE_SCANNER_INSTALLED} -eq 0 ]; then
Display --indent 2 --text "- Malware software components" --result "${STATUS_NOT_FOUND}" --color YELLOW
else
Display --indent 2 --text "- Malware software components" --result "${STATUS_FOUND}" --color GREEN
if [ ${MALWARE_DAEMON_RUNNING} -eq 0 ]; then
Display --indent 4 --text "- Active agent" --result "${STATUS_NOT_FOUND}" --color WHITE
else
Display --indent 4 --text "- Active agent" --result "${STATUS_FOUND}" --color GREEN
fi
if [ ${ROOTKIT_SCANNER_FOUND} -eq 0 ]; then
Display --indent 4 --text "- Rootkit scanner" --result "${STATUS_NOT_FOUND}" --color WHITE
else
Display --indent 4 --text "- Rootkit scanner" --result "${STATUS_FOUND}" --color GREEN
fi
fi
fi
#
#################################################################################
#
Report "malware_scanner_installed=${MALWARE_SCANNER_INSTALLED}"
WaitForKeyPress
#
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
|
