CISOfy / lynis

Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
https://cisofy.com/lynis/
GNU General Public License v3.0

McAfee Antivirus for Linux deprecated [MALW-3280] #1455

Closed vk6xebec closed 6 months ago

vk6xebec commented 10 months ago

McAfee Antivirus for Linux has been deprecated as of 1 Oct 2023 and will not receive updates. Please see:

End of Life announcement for McAfee AntiVirus for Linux

Please modify the MALW-3280 check so that if it finds cmdagent, it throws up an error about it being deprecated; and no hardening points are assigned.

mboelen commented 8 months ago

Hi,

Thanks for the suggestion. Sounds like a good approach. Do you want to create a pull request for that?

vk6xebec commented 8 months ago

I might have to learn how to do this - it may take a while as I have never done a pull request before.

mboelen commented 8 months ago

That's totally fine. A good way to get started is by trying. Just let us know if you get stuck!

vk6xebec commented 8 months ago

This is the code I have modified. Still trying to work out how to do it...

```sh
#!/bin/sh

#################################################################################
#
#   Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
#
# Website  : https://cisofy.com
# Blog     : http://linux-audit.com
# GitHub   : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Malware scanners
#
#################################################################################
#
InsertSection "${SECTION_MALWARE}"
#
#################################################################################
#
AVAST_DAEMON_RUNNING=0
AVIRA_DAEMON_RUNNING=0
BITDEFENDER_DAEMON_RUNNING=0
CLAMD_RUNNING=0
CLAMSCAN_INSTALLED=0
CROWDSTRIKE_FALCON_SENSOR_RUNNING=0
ESET_DAEMON_RUNNING=0
FRESHCLAM_DAEMON_RUNNING=0
KASPERSKY_SCANNER_RUNNING=0
MCAFEE_SCANNER_RUNNING=0
MALWARE_SCANNER_INSTALLED=0
MALWARE_DAEMON_RUNNING=0
ROOTKIT_SCANNER_FOUND=0
SENTINELONE_SCANNER_RUNNING=0
SOPHOS_SCANNER_RUNNING=0
SYMANTEC_SCANNER_RUNNING=0
SYNOLOGY_DAEMON_RUNNING=0
TRENDMICRO_DSA_DAEMON_RUNNING=0
#
#################################################################################
#
# Test        : MALW-3274
# Description : Check for installed tool (McAfee VirusScan for Command Line)
Register --test-no MALW-3274 --weight L --network NO --category security --description "Check for McAfee VirusScan Command Line"
if [ ${SKIPTEST} -eq 0 ]; then
    LogText "Test: checking presence McAfee VirusScan for Command Line"
    if [ -x /usr/local/uvscan/uvscan ]; then
        Display --indent 2 --text "- ${GEN_CHECKING} McAfee VirusScan for Command Line" --result "${STATUS_FOUND}" --color RED
        LogText "Result: Found ${MCAFEECLBINARY}"
        # Product is end of life: do not count it as a scanner and award no hardening points
        MALWARE_SCANNER_INSTALLED=0
        AddHP 0 2
        LogText "Result: McAfee Antivirus for Linux has been deprecated as of 1 Oct 2023 and will not receive updates. Please use another Anti-virus"
    fi
fi
#
#################################################################################
#
# Test        : MALW-3275
# Description : Check for installed tool (chkrootkit)
Register --test-no MALW-3275 --weight L --network NO --category security --description "Check for chkrootkit"
if [ ${SKIPTEST} -eq 0 ]; then
    LogText "Test: checking presence chkrootkit"
    if [ -n "${CHKROOTKITBINARY}" ]; then
        Display --indent 2 --text "- ${GEN_CHECKING} chkrootkit" --result "${STATUS_FOUND}" --color GREEN
        LogText "Result: Found ${CHKROOTKITBINARY}"
        MALWARE_SCANNER_INSTALLED=1
        ROOTKIT_SCANNER_FOUND=1
        AddHP 2 2
        Report "malware_scanner[]=chkrootkit"
    else
        LogText "Result: chkrootkit not found"
    fi
fi
#
#################################################################################
#
# Test        : MALW-3276
# Description : Check for installed tool (Rootkit Hunter)
Register --test-no MALW-3276 --weight L --network NO --category security --description "Check for Rootkit Hunter"
if [ ${SKIPTEST} -eq 0 ]; then
    LogText "Test: checking presence Rootkit Hunter"
    if [ -n "${RKHUNTERBINARY}" ]; then
        Display --indent 2 --text "- ${GEN_CHECKING} Rootkit Hunter" --result "${STATUS_FOUND}" --color GREEN
        LogText "Result: Found ${RKHUNTERBINARY}"
        MALWARE_SCANNER_INSTALLED=1
        ROOTKIT_SCANNER_FOUND=1
        AddHP 2 2
        Report "malware_scanner[]=rkhunter"
    else
        LogText "Result: Rootkit Hunter not found"
    fi
fi
#
#################################################################################
#
# Test        : MALW-3278
# Description : Check for installed tool (Linux Malware Detect or LMD)
Register --test-no MALW-3278 --weight L --network NO --category security --description "Check for LMD"
if [ ${SKIPTEST} -eq 0 ]; then
    LogText "Test: checking presence LMD"
    if [ ! "${LMDBINARY}" = "" ]; then
        Display --indent 2 --text "- ${GEN_CHECKING} LMD (Linux Malware Detect)" --result "${STATUS_FOUND}" --color GREEN
        LogText "Result: Found ${LMDBINARY}"
        MALWARE_SCANNER_INSTALLED=1
        AddHP 2 2
        Report "malware_scanner[]=lmd"
    else
        LogText "Result: LMD not found"
    fi
fi
#
#################################################################################
#
# Test        : MALW-3280
# Description : Check if an anti-virus tool is installed
Register --test-no MALW-3280 --weight L --network NO --category security --description "Check if anti-virus tool is installed"
if [ ${SKIPTEST} -eq 0 ]; then
    FOUND=0

    # Avast (macOS)
    LogText "Test: checking process com.avast.daemon"
    if IsRunning --full "com.avast.daemon"; then
        FOUND=1
        AVAST_DAEMON_RUNNING=1
        MALWARE_DAEMON_RUNNING=1
        MALWARE_SCANNER_INSTALLED=1
        if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Avast daemon" --result "${STATUS_FOUND}" --color GREEN; fi
        LogText "Result: found Avast security product"
        Report "malware_scanner[]=avast"
    fi

    # Avira
    LogText "Test: checking process Avira daemon"
    if IsRunning "avqmd"; then
        FOUND=1
        AVIRA_DAEMON_RUNNING=1
        MALWARE_DAEMON_RUNNING=1
        MALWARE_SCANNER_INSTALLED=1
        if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Avira daemon" --result "${STATUS_FOUND}" --color GREEN; fi
        LogText "Result: found Avira security product"
        Report "malware_scanner[]=avira"
    fi

    # Bitdefender (macOS)
    LogText "Test: checking process epagd"
    if IsRunning "bdagentd" || IsRunning "epagd"; then
        FOUND=1
        BITDEFENDER_DAEMON_RUNNING=1
        MALWARE_DAEMON_RUNNING=1
        MALWARE_SCANNER_INSTALLED=1
        if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Bitdefender agent" --result "${STATUS_FOUND}" --color GREEN; fi
        LogText "Result: found Bitdefender security product"
        Report "malware_scanner[]=bitdefender"
    fi

    # CrowdStrike falcon-sensor
    LogText "Test: checking process falcon-sensor (CrowdStrike)"
    if IsRunning "falcon-sensor"; then
        FOUND=1
        if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} falcon-sensor" --result "${STATUS_FOUND}" --color GREEN; fi
        LogText "Result: found falcon-sensor service"
        CROWDSTRIKE_FALCON_SENSOR_RUNNING=1
        MALWARE_SCANNER_INSTALLED=1
        Report "malware_scanner[]=falcon-sensor"
    fi

    # Cylance (macOS)
    LogText "Test: checking process CylanceSvc"
    if IsRunning "CylanceSvc"; then
        FOUND=1
        if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} CylancePROTECT" --result "${STATUS_FOUND}" --color GREEN; fi
        LogText "Result: found CylancePROTECT service"
        # No product-specific flag exists for Cylance; only the generic flags are set
        MALWARE_DAEMON_RUNNING=1
        MALWARE_SCANNER_INSTALLED=1
        Report "malware_scanner[]=cylance-protect"
    fi

    # ESET security products
    LogText "Test: checking process esets_daemon"
    if IsRunning "esets_daemon"; then
        FOUND=1
        ESET_DAEMON_RUNNING=1
        MALWARE_DAEMON_RUNNING=1
        MALWARE_SCANNER_INSTALLED=1
        if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} ESET daemon" --result "${STATUS_FOUND}" --color GREEN; fi
        LogText "Result: found ESET security product"
        Report "malware_scanner[]=eset"
    fi

    # Kaspersky products
    LogText "Test: checking process wdserver or klnagent (Kaspersky)"
    # wdserver is too generic to match on, so we want to ensure that it is related to Kaspersky first
    if [ -x /opt/kaspersky/kesl/libexec/kesl_launcher.sh ]; then
        if IsRunning "wdserver"; then KASPERSKY_SCANNER_RUNNING=1; fi
    else
        if IsRunning "klnagent"; then KASPERSKY_SCANNER_RUNNING=1; fi
    fi
    if [ ${KASPERSKY_SCANNER_RUNNING} -eq 1 ]; then
        FOUND=1
        if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Kaspersky" --result "${STATUS_FOUND}" --color GREEN; fi
        LogText "Result: Found Kaspersky"
        MALWARE_DAEMON_RUNNING=1
        MALWARE_SCANNER_INSTALLED=1
        Report "malware_scanner[]=kaspersky"
    fi

    # McAfee products
    LogText "Test: checking process cma or cmdagent (McAfee)"
    # cma is too generic to match on, so we want to ensure that it is related to McAfee first
    if [ -x /opt/McAfee/cma/bin/cma ]; then
        if IsRunning "cma"; then MCAFEE_SCANNER_RUNNING=1; fi
    else
        if IsRunning "cmdagent"; then MCAFEE_SCANNER_RUNNING=1; fi
    fi
    if [ ${MCAFEE_SCANNER_RUNNING} -eq 1 ]; then
        FOUND=1
        if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} McAfee" --result "${STATUS_FOUND}" --color GREEN; fi
        LogText "Result: Found McAfee"
        MALWARE_DAEMON_RUNNING=1
        MALWARE_SCANNER_INSTALLED=1
        Report "malware_scanner[]=mcafee"
    fi

    # SentinelOne
    LogText "Test: checking process sentineld (SentinelOne)"
    if IsRunning "sentineld"; then SENTINELONE_SCANNER_RUNNING=1; fi # macOS
    if IsRunning "s1-agent"; then SENTINELONE_SCANNER_RUNNING=1; fi # Linux
    if IsRunning "SentinelAgent"; then SENTINELONE_SCANNER_RUNNING=1; fi # Windows
    if [ ${SENTINELONE_SCANNER_RUNNING} -eq 1 ]; then
        FOUND=1
        if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} SentinelOne" --result "${STATUS_FOUND}" --color GREEN; fi
        LogText "Result: Found SentinelOne"
        MALWARE_DAEMON_RUNNING=1
        MALWARE_SCANNER_INSTALLED=1
        Report "malware_scanner[]=sentinelone"
    fi

    # Sophos savscand/SophosScanD
    LogText "Test: checking process savscand"
    if IsRunning "savscand"; then
        FOUND=1
        SOPHOS_SCANNER_RUNNING=1
    fi
    LogText "Test: checking process SophosScanD"
    if IsRunning "SophosScanD"; then
        FOUND=1
        SOPHOS_SCANNER_RUNNING=1
    fi
    if [ ${SOPHOS_SCANNER_RUNNING} -eq 1 ]; then
        if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Sophos" --result "${STATUS_FOUND}" --color GREEN; fi
        LogText "Result: Found Sophos"
        MALWARE_DAEMON_RUNNING=1
        MALWARE_SCANNER_INSTALLED=1
        Report "malware_scanner[]=sophos"
    fi

    # Symantec rtvscand/smcd/symcfgd
    LogText "Test: checking process rtvscand"
    if IsRunning "rtvscand"; then
        SYMANTEC_SCANNER_RUNNING=1
    fi
    LogText "Test: checking process Symantec management client service"
    if IsRunning "smcd"; then
        SYMANTEC_SCANNER_RUNNING=1
    fi
    LogText "Test: checking process Symantec Endpoint Protection configuration service"
    if IsRunning "symcfgd"; then
        SYMANTEC_SCANNER_RUNNING=1
    fi
    if [ ${SYMANTEC_SCANNER_RUNNING} -eq 1 ]; then
        if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Symantec" --result "${STATUS_FOUND}" --color GREEN; fi
        LogText "Result: found one or more Symantec components"
        MALWARE_DAEMON_RUNNING=1
        MALWARE_SCANNER_INSTALLED=1
        FOUND=1
        Report "malware_scanner[]=symantec"
    fi

    # Synology Antivirus Essential
    LogText "Test: checking process synoavd"
    if IsRunning "synoavd"; then
        FOUND=1
        SYNOLOGY_DAEMON_RUNNING=1
        MALWARE_DAEMON_RUNNING=1
        MALWARE_SCANNER_INSTALLED=1
        if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Synology Antivirus Essential" --result "${STATUS_FOUND}" --color GREEN; fi
        LogText "Result: found Synology Antivirus Essential"
        Report "malware_scanner[]=synoavd"
    fi

    # Trend Micro Anti Malware for Linux
    # Typically ds_agent is running as well, the Deep Security Agent
    LogText "Test: checking process ds_am to test for Trend Micro Deep Security Anti Malware component"
    if IsRunning "ds_am"; then
        if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Trend Micro Anti Malware" --result "${STATUS_FOUND}" --color GREEN; fi
        LogText "Result: found Trend Micro Anti Malware component"
        FOUND=1
        MALWARE_SCANNER_INSTALLED=1
        MALWARE_DAEMON_RUNNING=1
        TRENDMICRO_DSA_DAEMON_RUNNING=1
        Report "malware_scanner[]=trend-micro-am"
    fi

    # TrendMicro (macOS)
    LogText "Test: checking process TmccMac to test for Trend Micro anti-virus (macOS)"
    if IsRunning "TmccMac"; then
        if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Trend Micro anti-virus" --result "${STATUS_FOUND}" --color GREEN; fi
        LogText "Result: found Trend Micro component"
        FOUND=1
        MALWARE_DAEMON_RUNNING=1
        MALWARE_SCANNER_INSTALLED=1
        Report "malware_scanner[]=trend-micro-av"
    fi

    if [ ${FOUND} -eq 0 ]; then
        LogText "Result: no commercial anti-virus tools found"
        AddHP 0 3
    else
        LogText "Result: found one or more commercial anti-virus tools"
        AddHP 2 2
    fi
fi
#
#################################################################################
#
# Test        : MALW-3282
# Description : Check if clamscan is installed
Register --test-no MALW-3282 --weight L --network NO --category security --description "Check for clamscan"
if [ ${SKIPTEST} -eq 0 ]; then
    LogText "Test: checking presence clamscan"
    if [ ! "${CLAMSCANBINARY}" = "" ]; then
        Display --indent 2 --text "- Checking ClamAV scanner" --result "${STATUS_FOUND}" --color GREEN
        LogText "Result: Found ${CLAMSCANBINARY}"
        MALWARE_SCANNER_INSTALLED=1
        CLAMSCAN_INSTALLED=1
        AddHP 2 2
    else
        LogText "Result: clamscan couldn't be found"
    fi
fi
#
#################################################################################
#
# Test        : MALW-3284
# Description : Check running clamd process
Register --test-no MALW-3284 --weight L --network NO --category security --description "Check for clamd"
if [ ${SKIPTEST} -eq 0 ]; then
    LogText "Test: checking running ClamAV daemon (clamd)"
    if IsRunning "clamd"; then
        Display --indent 2 --text "- ${GEN_CHECKING} ClamAV daemon" --result "${STATUS_FOUND}" --color GREEN
        LogText "Result: found running clamd process"
        MALWARE_DAEMON_RUNNING=1
        MALWARE_SCANNER_INSTALLED=1
        CLAMD_RUNNING=1
    else
        LogText "Result: clamd not running"
    fi
fi
#
#################################################################################
#
# Test        : MALW-3286
# Description : Check running freshclam if clamd process is running
if [ ${CLAMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no MALW-3286 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for freshclam"
if [ ${SKIPTEST} -eq 0 ]; then
    LogText "Test: checking running freshclam daemon"
    if IsRunning "freshclam"; then
        FRESHCLAM_DAEMON_RUNNING=1
        Display --indent 4 --text "- ${GEN_CHECKING} freshclam" --result "${STATUS_FOUND}" --color GREEN
        LogText "Result: found running freshclam process"
        AddHP 2 2
    else
        Display --indent 4 --text "- ${GEN_CHECKING} freshclam" --result "${STATUS_SUGGESTION}" --color YELLOW
        LogText "Result: freshclam is not running"
        ReportSuggestion "${TEST_NO}" "Confirm that freshclam is properly configured and keeps updating the ClamAV database"
    fi
fi
#
#################################################################################
#
# Test        : MALW-3288
# Description : Check for ClamXav (macOS)
if [ -d /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no MALW-3288 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for ClamXav"
if [ ${SKIPTEST} -eq 0 ]; then
    CLAMSCANBINARY=$(${LSBINARY} /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | ${GREPBINARY} 'clamscan')
    if [ -n "${CLAMSCANBINARY}" ]; then
        LogText "Result: Found ClamXav clamscan installed"
        Display --indent 2 --text "- ${GEN_CHECKING} ClamXav AV scanner" --result "${STATUS_FOUND}" --color GREEN
        MALWARE_SCANNER_INSTALLED=1
        CLAMSCAN_INSTALLED=1
        AddHP 3 3
    else
        LogText "Result: ClamXav malware scanner not found"
        AddHP 0 3
    fi
fi
#
#################################################################################
#
# Check if we found any of the ClamAV components
if [ ${CLAMSCAN_INSTALLED} -eq 1 -o ${CLAMD_RUNNING} -eq 1 -o ${FRESHCLAM_DAEMON_RUNNING} -eq 1 ]; then
    Report "malware_scanner[]=clamav"
fi
#
#################################################################################
#
# Test        : MALW-3290
# Description : Presence of malware scanners
Register --test-no MALW-3290 --weight L --network NO --category security --description "Presence of malware detection"
if [ ${SKIPTEST} -eq 0 ]; then
    if [ ${MALWARE_SCANNER_INSTALLED} -eq 0 ]; then
        Display --indent 2 --text "- Malware software components" --result "${STATUS_NOT_FOUND}" --color YELLOW
    else
        Display --indent 2 --text "- Malware software components" --result "${STATUS_FOUND}" --color GREEN
        if [ ${MALWARE_DAEMON_RUNNING} -eq 0 ]; then
            Display --indent 4 --text "- Active agent" --result "${STATUS_NOT_FOUND}" --color WHITE
        else
            Display --indent 4 --text "- Active agent" --result "${STATUS_FOUND}" --color GREEN
        fi
        if [ ${ROOTKIT_SCANNER_FOUND} -eq 0 ]; then
            Display --indent 4 --text "- Rootkit scanner" --result "${STATUS_NOT_FOUND}" --color WHITE
        else
            Display --indent 4 --text "- Rootkit scanner" --result "${STATUS_FOUND}" --color GREEN
        fi
    fi
fi
#
#################################################################################
#
Report "malware_scanner_installed=${MALWARE_SCANNER_INSTALLED}"

WaitForKeyPress

#
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
```
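The scoring change the issue asks for (a deprecated product is detected and warned about, but earns no hardening points), as an added stand-alone model of the MALW-3280 flow; this is not the poster's code or Lynis's own. The helper names (LogText, AddHP, Report, ReportWarning, IsRunning) mirror Lynis but are stand-ins that only record to shell variables, the process list is constructed, and the DEPRECATED list is an assumption.

```shell
#!/bin/sh
# Added example, not Lynis code: a small model of the MALW-3280 scoring flow,
# extended with the "deprecated product" path requested in this issue.
# Helper names mirror Lynis (LogText, AddHP, Report, ReportWarning, IsRunning),
# but these are stand-ins that only record to shell variables, so the script
# runs offline against a constructed process list instead of real ps output.

HPPOINTS=0        # hardening points earned
HPTOTAL=0         # hardening points possible
WARNING_COUNT=0   # number of warnings raised
LAST_WARNING=""   # text of the most recent warning
SCANNERS=""       # space-separated report tags (malware_scanner[]=...)
PROCS=""          # constructed process list, one process name per line

LogText() { :; }   # real Lynis appends to its log file; nothing to check here
AddHP() { HPPOINTS=$((HPPOINTS + $1)); HPTOTAL=$((HPTOTAL + $2)); }
Report() { SCANNERS="${SCANNERS}${SCANNERS:+ }$1"; }
ReportWarning() { WARNING_COUNT=$((WARNING_COUNT + 1)); LAST_WARNING="$1: $2"; }
IsRunning() { printf '%s\n' "${PROCS}" | grep -qx -- "$1"; }   # exact line match

# Processes that belong to end-of-life products (assumption for this example).
# cmdagent is the McAfee agent, deprecated as of 1 Oct 2023 according to the issue.
DEPRECATED="cmdagent"

# Simplified MALW-3280: a deprecated product is still reported as found, but it
# raises a warning and, on its own, earns none of the available points.
run_malw_3280() {
    PROCS="$1"
    HPPOINTS=0; HPTOTAL=0; WARNING_COUNT=0; LAST_WARNING=""; SCANNERS=""
    FOUND=0             # any product found
    SUPPORTED_FOUND=0   # at least one non-deprecated product found
    for entry in avqmd:avira cmdagent:mcafee sentineld:sentinelone; do
        proc="${entry%%:*}"; tag="${entry#*:}"
        LogText "Test: checking process ${proc}"
        if IsRunning "${proc}"; then
            FOUND=1
            Report "malware_scanner[]=${tag}"
            case " ${DEPRECATED} " in
                *" ${proc} "*) ReportWarning "MALW-3280" "${tag} (${proc}) is deprecated and receives no updates" ;;
                *) SUPPORTED_FOUND=1 ;;
            esac
        fi
    done
    if [ "${SUPPORTED_FOUND}" -eq 1 ]; then
        AddHP 2 2   # as in current Lynis: a supported commercial product is running
    elif [ "${FOUND}" -eq 1 ]; then
        AddHP 0 2   # only deprecated products: found and warned about, worth nothing
    else
        AddHP 0 3   # nothing found, as in current Lynis
    fi
}

hp_summary() { printf '%s/%s' "${HPPOINTS}" "${HPTOTAL}"; }
```

Running the same host with and without a supported product alongside cmdagent shows that the warning is raised either way, while points are only awarded when a supported product is present.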

vk6xebec commented 8 months ago

Hope I did it correctly: https://github.com/CISOfy/lynis/pull/1481

mboelen commented 6 months ago

Related PR has been merged. Thank you!