#!/bin/sh

#################################################################################
#
#   Lynis
# ------------------
#
# Copyright 2007-2009, Michael Boelen (michael@rootkit.nl), The Netherlands
# Web site: http://www.rootkit.nl
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Category: Boot and services
#
#################################################################################
#
    InsertSection "Boot and services"
#
#################################################################################
#
    Display --indent 2 --text "- Checking boot loaders"
#
#################################################################################
#
    # Test        : BOOT-5102
    # Description : Check for tasks which are autostarted via /etc/inittab
    #Register --test-no BOOT-5102 --weight L --network NO --description "Check inittab for services"
    #if [ ${SKIPTEST} -eq 0 ]; then
    #fi
    #YYY check against static list?
#
#################################################################################
#

    # Test        : BOOT-5121
    # Description : Check for GRUB boot loader
    Register --test-no BOOT-5121 --weight L --network NO --description "Check for GRUB boot loader presence"
    if [ ${SKIPTEST} -eq 0 ]; then
        FOUND=0
        logtext "Test: Checking for presence GRUB conf file (/boot/grub/grub.conf or /boot/grub/menu.lst)..."
	if [ -f /boot/grub/grub.conf -o -f /boot/grub/menu.lst ]; then
	    FOUND=1
	    Display --indent 4 --text "- Checking presence GRUB... " --result "OK" --color GREEN
	    if [ -f /boot/grub/grub.conf ]; then GRUBCONFFILE="/boot/grub/grub.conf"; else GRUBCONFFILE="/boot/grub/menu.lst"; fi
	    logtext "Found file ${GRUBCONFFILE}, proceeding with tests."
	    FIND=`cat ${GRUBCONFFILE} | grep 'password --md5' | grep -v '^#'`
	    if [ "${FIND}" = "" ]; then
		Display --indent 6 --text "- Checking for password protection..." --result WARNING --color RED
		logtext "Result: Didn't find MD5 hashed password line in GRUB boot file!"
	        logtext "Risk: switching to single user mode due editing current menu items or bypassing them."
	        logtext "Do NOT use a plaintext password, since the grub.conf or menu.lst file is most likely to be world readable!"
		logtext "If an unsecured OS like DOS is used, add 'lock' below that entry and setup a password with the password option, to prevent direct system access."
		ReportWarning ${TEST_NO} "M" "No password set on GRUB bootloader"	
	        ReportSuggestion ${TEST_NO} "Run grub-md5-crypt and create a hashed password. After that, add a line below the line saying timeout=<value>: password --md5 <password hash>"
		AddHP 0 2
	      else
	        Display --indent 6 --text "- Checking for password protection..." --result OK --color GREEN
	        logtext "Result: GRUB has password protection."
		AddHP 4 4
	    fi
        fi

	# GRUB2 configuration file
	if [ -f /boot/grub/grub.cfg ]; then
	    FOUND=1
	    Display --indent 4 --text "- Checking presence GRUB2... " --result "OK" --color GREEN	
	    logtext "Result: found GRUB2 configuration file (/boot/grub/grub.cfg)"
	    # YYY password check, when documentation of GRUB2 project is improved
	    # YYY Add check permission check (600)
	fi
	
	if [ ${FOUND} -eq 0 ]; then
	    Display --indent 4 --text "- Checking presence GRUB... " --result "NOT FOUND" --color WHITE
    	    logtext "Result: no GRUB configuration file found."
	fi    
    fi
#
#################################################################################
#
    # Test        : BOOT-5124
    # Description : Check for FreeBSD boot loader
    Register --test-no BOOT-5124 --os FreeBSD --weight L --network NO --description "Check for FreeBSD boot loader presence"
    if [ ${SKIPTEST} -eq 0 ]; then
	if [ -f /boot/boot1 -a -f /boot/boot2 -a -f /boot/loader ]; then
	    logtext "Result: found boot1, boot2 and loader files in /boot"
	    Display --indent 4 --text "- Checking presence FreeBSD loader" --result FOUND --color GREEN
	    report "bootloader=FreeBSD boot loader"
	  else
	    logtext "Result: Not all expected files found in /boot"	  
	    Display --indent 4 --text "- Checking presence FreeBSD loader" --result "NOT FOUND" --color WHITE	  
	fi
    fi
#
#################################################################################
#
    # Test        : BOOT-5139
    # Description : Check for LILO boot loader
    Register --test-no BOOT-5139 --weight L --network NO --description "Check for LILO boot loader presence"
    if [ ${SKIPTEST} -eq 0 ]; then
        logtext "Test: checking for presence LILO configuration file..."
	if [ -f /etc/lilo.conf ]; then
	    Display --indent 4 --text "- Checking presence LILO... " --result "OK" --color GREEN
	    logtext "Checking password option LILO..."
	    FIND=`cat /etc/lilo.conf | grep 'password=' | grep -v "^#"`
	    if [ "${FIND}" = "" ]; then
	        Display --indent 6 --text "- Password option presence " --result "WARNING" --color RED
	        logtext "Result: no password set for LILO. Bootloader is unprotected to"
	        logtext "dropping to single user mode or unauthorized access to devices/data."
    	        ReportSuggestion ${TEST_NO} "Add a password to LILO, by adding a line to the lilo.conf file, above the first line saying 'image=<name>': password=<password>"
		ReportWarning ${TEST_NO} "M" "No password set on LILO bootloader"
		AddHP 0 2
	      else
	        Display --indent 6 --text "- Password option presence " --result "OK" --color GREEN
	        logtext "Result: LILO password option set"
		AddHP 4 4
	    fi
	    #YYY (making /etc/lilo.conf immutable is a good idea, chattr +i /etc/lilo.conf)
          else
            Display --indent 4 --text "- Checking presence LILO... " --result "NOT FOUND" --color WHITE
    	    logtext "Result: LILO configuration file not found."
        fi
    fi
#
#################################################################################
#
    # Test        : BOOT-5155
    # Description : Check for YABOOT boot loader
    Register --test-no BOOT-5155 --weight L --network NO --description "Check for YABOOT boot loader configuration file"
    if [ ${SKIPTEST} -eq 0 ]; then
	logtext "Test: Check for /etc/yaboot.conf"
        if [ -f /etc/yaboot.conf ]; then
	    logtext "Result: Found YABOOT configuration file (/etc/yaboot.conf)"
	    Display --indent 4 --text "- Checking presence YABOOT..." --result "OK" --color GREEN
	    #YYY add permission check
	  else
	    logtext "Result: no YABOOT configuration file found."
	    Display --indent 4 --text "- Checking presence YABOOT..." --result "NOT FOUND" --color WHITE
	fi
    fi
#
#################################################################################
#
    # Test        : BOOT-5159
    # Description : Check for OpenBSD boot loader
    # More info   : only OpenBSD && i386 platform
    Register --test-no BOOT-5159 --os OpenBSD --platform i386 --weight L --network NO --description "Check for OpenBSD i386 boot loader presence"
    if [ ${SKIPTEST} -eq 0 ]; then
        if [ -f /etc/boot.conf ]; then
    	    Display --indent 2 --text "- Checking /etc/boot.conf..." --result "FOUND" --color GREEN
            FIND=`grep '^boot' /etc/boot.conf`
	    if [ "${FIND}" = "" ]; then
		Display --indent 4 --text "- Checking boot option..." --result WARNING --color RED
		ReportSuggestion ${TEST_NO} "Add 'boot' to the /etc/boot.conf file to disable the default 5 seconds waiting time, to disallow booting into single user mode."
		ReportWarning ${TEST_NO} "M" "System can be booted into single user mode without password"
	      else
		Display --indent 4 --text "- Checking boot option..." --result OK --color GREEN
		logtext "Ok, boot option is enabled."	
	    fi
	  else
    	    Display --indent 2 --text "- Checking /etc/boot.conf..." --result "NOT FOUND" --color YELLOW
	    logtext "Result: no /etc/boot.conf found. When using the default boot loader, physical"
	    logtext "access to the server can be used to possibly enter single user mode."
	    ReportSuggestion ${TEST_NO} "Add 'boot' to the /etc/boot.conf file to disable the default 5 seconds waiting time."
	fi
    fi
#
#################################################################################
#
    # Test        : BOOT-5165
    # Description : Check for FreeBSD boot services
    Register --test-no BOOT-5165 --os FreeBSD --weight L --network NO --description "Check for FreeBSD boot services"
    if [ ${SKIPTEST} -eq 0 ]; then
	# FreeBSD (Read /etc/rc.conf file for enabled services)
        logtext "Searching for services at startup (rc.conf)..."
	FIND=`egrep -v -i '^#|none' /etc/rc.conf | egrep -i '_enable.*(yes|on|1)' | sort | awk -F= '{ print $1 }' | sed 's/_enable//'`
        N=0	
	for I in ${FIND}; do	
            logtext "Found service (rc.conf): ${I}"
	    report "boottask[]=${I}"
	    N=`expr ${N} + 1`
        done
        Display --indent 2 --text "- Checking services at startup (rc.conf)..." --result "DONE" --color GREEN
        Display --indent 6 --text "Result: found $N services/options set"
        logtext "Found $N services/options to run at startup"
    fi
#
#################################################################################
#
    # Test        : BOOT-5177
    # Description : Check for Linux boot services (Red Hat style)
    if [ ! "${CHKCONFIGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no BOOT-5177 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for Linux boot services (Red Hat style)"
    if [ ${SKIPTEST} -eq 0 ]; then
	# Linux (use only chkconfig for now)
        logtext "Searching for services at startup (chkconfig, runlevel 3 and 5)... "
        FIND=`${CHKCONFIGBINARY} --list | egrep '3:on|5:on' | awk '{ print $1 }'`
        N=0
        for I in ${FIND}; do
            logtext "Found service (at boot, runlevel 3 or 5): ${I}"
	    N=`expr ${N} + 1`
        done
        logtext "Run chkconfig --list to see all services and disable unneeded services"
        Display --indent 2 --text "- Check services at startup (chkconfig)... " --result "DONE" --color GREEN
        Display --indent 8 --text "Result: found $N services"
    	logtext "Found $N services"
    fi
#
#################################################################################
#
    # Test        : BOOT-5178
    # Description : Check for Linux boot services (Red Hat style)
    #    if [ ! "${CHKCONFIGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    #    Register --test-no BOOT-5178 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for unneeded Linux boot services (Red Hat style)"
    #    if [ ${SKIPTEST} -eq 0 ]; then
    #	N=0
    #	N=`expr ${N} + 1`

	#* mctrans (if selinux is NOT enabled)
	#* restorecond (if selinux is NOT enabled) --> and is it really needed? 
	#
	# if profile is server, warn if found:
	#* pcscd (if profile=server)
	#* avahi-daemon
	#	Redhat: /etc/sysconfig/network
	#		check if NOZEROCONF=yes is available
	#
	#* xfs (if /usr/bin/startx is not found)
	#
	#if [ ! -f /etc/mdadm.conf -a ! -f /etc/mdadm/mdadm.conf ]; then
	#* mdmonitor
	#
	#
	#* firstboot
	#  Display warning if [ ! -f /etc/reconfigSys ]
	#    AND "RUN_FIRSTBOOT=YES" is NOT in /etc/sysconfig/firstboot
	#
	#* acpid
	#  Display warning if no modules are loaded (lsmod | grep -i acpi)
	#
	#
	#    fi
#
#################################################################################
#

    # Test        : BOOT-5180
    # Description : Check for Linux boot services (Debian style)
    if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no BOOT-5180 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for Linux boot services (Debian style)"
    if [ ${SKIPTEST} -eq 0 ]; then
        # YYY runlevel check
	sRUNLEVEL=`runlevel | grep "N 2"`
	if [ ! "${sRUNLEVEL}" = "" ]; then
            FIND=`find /etc/rc2.d -type l -print | cut -d '/' -f4 | sed "s/S[0-9][0-9]//g" | sort`
    	    if [ ! "${FIND}" = "" ]; then
        	N=0
	        for I in ${FIND}; do
    	            logtext "Found service (at boot, runlevel 2): ${I}"
		    N=`expr ${N} + 1`
	        done
    	        Display --indent 2 --text "- Check services at startup (rc2.d)... " --result "DONE" --color WHITE
        	Display --indent 8 --text "Result: found $N services"
    		logtext "Found $N services"
	    fi
	fi
    fi
#
#################################################################################
#
    # Test        : BOOT-5182
    # Description : Check for SILO boot loader
#
#################################################################################
#
    # Test        : BOOT-5184
    # Description : Check world writable startup scripts
    Register --test-no BOOT-5184 --os Linux --weight L --network NO --description "Check for Linux boot services (Debian style)"
    if [ ${SKIPTEST} -eq 0 ]; then
        FOUND=0
	logtext "Result: Checking /etc/init.d scripts for writable bit"
        if [ -d /etc/init.d ]; then
	    FILE=`find /etc/init.d -type f -print`
	    for I in ${FIND}; do
	        IsWorldWritable ${I}
		if [ "${FileIsWorldWritable}" = "TRUE" ]; then
		    ReportWarning ${TEST_NO} "H" "Found writable startup script ${I}"
		    FOUND=1
		fi
	    done
	fi

        if [ -d /etc/rc.d ]; then
	    logtext "Test: Checking /etc/rc.d scripts for writable bit"
	    FILE=`find /etc/rc.d -type f -print`
	    for I in ${FIND}; do
	        IsWorldWritable ${I}
		if [ "${FileIsWorldWritable}" = "TRUE" ]; then
		    ReportWarning ${TEST_NO} "H" "Found writable startup script ${I}"
		    FOUND=1
		fi
	    done
	fi

        if [ -d /etc/rcS.d ]; then
	    logtext "Test: Checking /etc/rc.d scripts for writable bit"
	    FILE=`find /etc/rcS.d -type f -print`
	    for I in ${FIND}; do
	        IsWorldWritable ${I}
		if [ "${FileIsWorldWritable}" = "TRUE" ]; then
		    ReportWarning ${TEST_NO} "H" "Found writable startup script ${I}"
		    FOUND=1
		fi
	    done
	fi

	# /etc/rc[0-6].d
	for NO in 0 1 2 3 4 5 6; do
	    logtext "Test: Checking /etc/rc${NO}.d scripts for writable bit"
	    if [ -d /etc/rc${NO}.d ]; then
		FILE=`find /etc/rc${NO}.d -type f -print`
		for I in ${FIND}; do
		    IsWorldWritable ${I}
		    if [ "${FileIsWorldWritable}" = "TRUE" ]; then
		        ReportWarning ${TEST_NO} "H" "Found writable startup script ${I}"
			FOUND=1
		    fi
	        done
	    fi
	done
	
	# Other files
	CHECKFILES="/etc/rc /etc/rc.local /etc/rc.d/rc.sysinit"
	for I in ${CHECKFILES}; do
	    if [ -f ${I} ]; then
		logtext "Test: Checking ${I} file for writable bit"
	        IsWorldWritable ${I}
	        if [ "${FileIsWorldWritable}" = "TRUE" ]; then
	            ReportWarning ${TEST_NO} "H" "Found writable startup script ${I}"
		    FOUND=1
	        fi
	    fi
	done
	
	if [ ${FOUND} -eq 1 ]; then
	    ReportSuggestion ${TEST_NO} "Check startup scripts for world write access and change permissions if needed"
	    logtext "Result: found one or more scripts which are possibly writable by other users"
	fi
    fi
#
#################################################################################
#
    # Add autostart services, like from KDE/Gnome
#
#################################################################################
#

wait_for_keypress

#
#================================================================================
# Lynis - Copyright 2007-2009, Michael Boelen - www.rootkit.nl - The Netherlands
