#!/bin/sh

#################################################################################
#
#   Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2013-2016, CISOfy
#
# Website  : https://cisofy.com
# Blog     : http://linux-audit.com
# GitHub   : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
    APPARMORFOUND=0                     # Set default for test MACF-6208
    MAC_FRAMEWORK_ACTIVE=0              # Default no MAC framework active
    RBAC_FRAMEWORK_ACTIVE=0             # Default no RBAC framework active
    SELINUXFOUND=0

    InsertSection "Security frameworks"
#
#################################################################################
#
    # Test        : MACF-6204
    # Description : Check if AppArmor is installed
    Register --test-no MACF-6204 --weight L --network NO --description "Check AppArmor presence"
    if [ ${SKIPTEST} -eq 0 ]; then
        if [ "${AASTATUSBINARY}" = "" ]; then
            APPARMORFOUND=0
            LogText "Result: aa-status binary not found, AppArmor not installed"
            Display --indent 2 --text "- Checking presence AppArmor" --result "${STATUS_NOT_FOUND}" --color WHITE
          else
            APPARMORFOUND=1
            LogText "Result: aa-status binary found, AppArmor is installed"
            Display --indent 2 --text "- Checking presence AppArmor" --result "${STATUS_FOUND}" --color GREEN
        fi
    fi
#
#################################################################################
#
    # Test        : MACF-6208
    # Description : Check AppArmor active status
    if [ ${APPARMORFOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no MACF-6208 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check if AppArmor is enabled"
    if [ ${SKIPTEST} -eq 0 ]; then
        if [ ! "${AASTATUSBINARY}" = "" ]; then
            # Checking AppArmor status
            # 0 if apparmor is enabled and policy is loaded.
            # 1 if apparmor is not enabled/loaded.
            # 2 if apparmor is enabled but no policy is loaded.
            # 3 if control files are not available
            # 4 if apparmor status can't be read
            FIND=`${AASTATUSBINARY} > /dev/null; echo $?`
            if [ ${FIND} -eq 0 ]; then
                MAC_FRAMEWORK_ACTIVE=1
                LogText "Result: AppArmor is enabled and a policy is loaded"
                Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_ENABLED}" --color GREEN
              elif [ ${FIND} -eq 4 ]; then
                LogText "Result: Can not determine status, most likely due to lacking permissions"
                Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_UNKNOWN}" --color RED
              elif [ ${FIND} -eq 3 ]; then
                LogText "Result: Can not check control files"
                Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_UNKNOWN}" --color RED
              elif [ ${FIND} -eq 2 ]; then
                LogText "Result: AppArmor is enabled, but no policy is loaded"
                ReportSuggestion ${TEST_NO} "Disable AppArmor or load a policy"
                Display --indent 4 --text "- Checking AppArmor status" --result "NON-ACTIVE" --color GREEN
              elif [ ${FIND} -eq 1 ]; then
                LogText "Result: AppArmor is disabled"
                Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_DISABLED}" --color YELLOW
              else
                Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_UNKNOWN}" --color RED
                ReportException "${TEST_NO}:1" "Invalid or unknown AppArmor status detected"
            fi
        fi
    fi
#
#################################################################################
#
    # Test        : MACF-6232
    # Description : Check SELINUX for installation
    Register --test-no MACF-6232 --weight L --network NO --description "Check SELINUX presence"
    if [ ${SKIPTEST} -eq 0 ]; then
        LogText "Test: checking if we have sestatus binary"
        if [ ! "${SESTATUSBINARY}" = "" ]; then
            LogText "Result: found sestatus binary (${SESTATUSBINARY})"
            Display --indent 2 --text "- Checking presence SELinux" --result "${STATUS_FOUND}" --color GREEN
          else
            LogText "Result: sestatus binary NOT found"
            Display --indent 2 --text "- Checking presence SELinux" --result "${STATUS_NOT_FOUND}" --color WHITE
        fi
    fi
#
#################################################################################
#
    # Test        : MACF-6234
    # Description : Check SELINUX status
    if [ ! "${SESTATUSBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no MACF-6234 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check SELINUX status"
    if [ ${SKIPTEST} -eq 0 ]; then
        # Status: Enabled/Disabled
        FIND=`${SESTATUSBINARY} | grep "^SELinux status" | awk '{ print $3 }'`
        if [ "${FIND}" = "enabled" ]; then
                MAC_FRAMEWORK_ACTIVE=1
                LogText "Result: SELinux framework is enabled"
                Report "selinux_status=1"
                SELINUXFOUND=1
                Display --indent 4 --text "- Checking SELinux status" --result "${STATUS_ENABLED}" --color GREEN
                FIND=`${SESTATUSBINARY} | grep "^Current mode" | awk '{ print $3 }'`
                Report "selinux_mode=${FIND}"
                FIND2=`${SESTATUSBINARY} | grep "^Mode from config file" | awk '{ print $5 }'`
                LogText "Result: current SELinux mode is ${FIND}"
                LogText "Result: mode configured in config file is ${FIND2}"
                if [ "${FIND}" = "${FIND2}" ]; then
                    LogText "Result: Current SELinux mode is the same as in config file."
                    Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_OK}" --color GREEN
                  else
                    LogText "Result: Current SELinux mode (${FIND}) is NOT the same as in config file (${FIND2})."
                    ReportWarning ${TEST_NO} "M" "Current SELinux mode is different from config file (current: ${FIND}, config file: ${FIND2})"
                    Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_WARNING}" --color RED
                fi
                Display --indent 8 --text "Current SELinux mode: ${FIND}"
          else
                LogText "Result: SELinux framework is disabled"
                Display --indent 4 --text "- Checking SELinux status" --result "${STATUS_DISABLED}" --color YELLOW
        fi
    fi
#
#################################################################################
#
    # Test        : RBAC-6272
    # Description : Check if grsecurity is installed
    # Notes       : We already checked grsecurity in osdetection
    Register --test-no RBAC-6272 --weight L --network NO --description "Check grsecurity presence"
    if [ ${SKIPTEST} -eq 0 ]; then
        # Check Linux kernel configuration
        if [ ! "${LINUXCONFIGFILE}" = "" -a -f "${LINUXCONFIGFILE}" ]; then
            FIND=`${GREPBINARY} ^CONFIG_GRKERNSEC=y ${LINUXCONFIGFILE}`
            if [ ! "${FIND}" = "" ]; then
                LogText "Result: grsecurity available (in kernel config)"
                GRSEC_FOUND=1
              else
                LogText "Result: no grsecurity found in kernel config"
            fi
        fi
        if [ ${GRSEC_FOUND} -eq 1 ]; then
            Display --indent 2 --text "- Checking presence grsecurity" --result "${STATUS_FOUND}" --color GREEN
            AddHP 3 3
          else
            Display --indent 2 --text "- Checking presence grsecurity" --result "${STATUS_NOT_FOUND}" --color WHITE
        fi
    fi
#
#################################################################################
#
    # Test        : MACF-6290
    # Description : Check if at least one MAC framework is implemented
    Register --test-no MACF-6290 --weight L --network NO --description "Check for implemented MAC framework"
    if [ ${SKIPTEST} -eq 0 ]; then
        if [ ${MAC_FRAMEWORK_ACTIVE} -eq 1 ]; then
            Display --indent 2 --text "- Checking for implemented MAC framework" --result "${STATUS_OK}" --color GREEN
            AddHP 3 3
            LogText "Result: found implemented MAC framework"
          else
            Display --indent 2 --text "- Checking for implemented MAC framework" --result "${STATUS_NONE}" --color YELLOW
            AddHP 2 3
            LogText "Result: found no implemented MAC framework"
        fi
     fi
#
#################################################################################
#

Report "framework_grsecurity=${GRSEC_FOUND}"
Report "framework_selinux=${SELINUXFOUND}"

WaitForKeyPress

#
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
