Closed vk6xebec closed 6 months ago
Hi,
Thanks for the suggestion. Sounds like a good approach. Do you want to create a pull request for that?
I might have to learn how to do this - it may take a while as I have never done a pull request before.
That's totally fine. A good way to get started by trying. Just let us know if you get stuck!
This is the code I have modified. Still to trying to work out how to do it...
`#!/bin/sh
################################################################################# #
#
#
#
# ################################################################################# #
# ################################################################################# # InsertSection "${SECTION_MALWARE}" # ################################################################################# # AVAST_DAEMON_RUNNING=0 AVIRA_DAEMON_RUNNING=0 BITDEFENDER_DAEMON_RUNNING=0 CLAMD_RUNNING=0 CLAMSCAN_INSTALLED=0 CROWDSTRIKE_FALCON_SENSOR_RUNNING=0 ESET_DAEMON_RUNNING=0 FRESHCLAM_DAEMON_RUNNING=0 KASPERSKY_SCANNER_RUNNING=0 MCAFEE_SCANNER_RUNNING=0 MALWARE_SCANNER_INSTALLED=0 MALWARE_DAEMON_RUNNING=0 ROOTKIT_SCANNER_FOUND=0 SENTINELONE_SCANNER_RUNNING=0 SOPHOS_SCANNER_RUNNING=0 SYMANTEC_SCANNER_RUNNING=0 SYNOLOGY_DAEMON_RUNNING=0 TRENDMICRO_DSA_DAEMON_RUNNING=0 # ################################################################################# #
# Description : Check for installed tool (McAfee VirusScan for Command Line)
Register --test-no MALW-3274 --weight L --network NO --category security --description "Check for McAfee VirusScan Command Line"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking presence McAfee VirusScan for Command Line"
if [ -x /usr/local/uvscan/uvscan ]; then
Display --indent 2 --text "- ${GEN_CHECKING} McAfee VirusScan for Command Line" --result "${STATUS_FOUND}" --color RED
LogText "Result: Found ${MCAFEECLBINARY}"
MALWARE_SCANNER_INSTALLED=0
AddHP 0 2
LogText "Result: McAfee Antivirus for Linux has been deprecated as of 1 Oct 2023 and will not receive updates. Please use another Anti-virus"
fi
# ################################################################################# #
# Description : Check for installed tool (chkrootkit)
Register --test-no MALW-3275 --weight L --network NO --category security --description "Check for chkrootkit"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking presence chkrootkit"
if [ -n "${CHKROOTKITBINARY}" ]; then
Display --indent 2 --text "- ${GEN_CHECKING} chkrootkit" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found ${CHKROOTKITBINARY}"
MALWARE_SCANNER_INSTALLED=1
ROOTKIT_SCANNER_FOUND=1
AddHP 2 2
Report "malware_scanner[]=chkrootkit"
else
LogText "Result: chkrootkit not found"
fi
fi
# ################################################################################# #
# Description : Check for installed tool (Rootkit Hunter)
Register --test-no MALW-3276 --weight L --network NO --category security --description "Check for Rootkit Hunter"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking presence Rootkit Hunter"
if [ -n "${RKHUNTERBINARY}" ]; then
Display --indent 2 --text "- ${GEN_CHECKING} Rootkit Hunter" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found ${RKHUNTERBINARY}"
MALWARE_SCANNER_INSTALLED=1
ROOTKIT_SCANNER_FOUND=1
AddHP 2 2
Report "malware_scanner[]=rkhunter"
else
LogText "Result: Rootkit Hunter not found"
fi
fi
# ################################################################################# #
# Description : Check for installed tool (Linux Malware Detect or LMD)
Register --test-no MALW-3278 --weight L --network NO --category security --description "Check for LMD"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking presence LMD"
if [ ! "${LMDBINARY}" = "" ]; then
Display --indent 2 --text "- ${GEN_CHECKING} LMD (Linux Malware Detect)" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found ${LMDBINARY}"
MALWARE_SCANNER_INSTALLED=1
AddHP 2 2
Report "malware_scanner[]=lmd"
else
LogText "Result: LMD not found"
fi
fi
# ################################################################################# #
# Description : Check if an anti-virus tool is installed
Register --test-no MALW-3280 --weight L --network NO --category security --description "Check if anti-virus tool is installed"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
# Avast (macOS)
LogText "Test: checking process com.avast.daemon"
if IsRunning --full "com.avast.daemon"; then
FOUND=1
AVAST_DAEMON_RUNNING=1
MALWARE_DAEMON_RUNNING=1
MALWARE_SCANNER_INSTALLED=1
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Avast daemon" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: found Avast security product"
Report "malware_scanner[]=avast"
fi
# Avira
LogText "Test: checking process Avira daemon"
if IsRunning "avqmd"; then
FOUND=1
AVIRA_DAEMON_RUNNING=1
MALWARE_DAEMON_RUNNING=1
MALWARE_SCANNER_INSTALLED=1
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Avira daemon" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: found Avira security product"
Report "malware_scanner[]=avira"
fi
# Bitdefender (macOS)
LogText "Test: checking process epagd"
if IsRunning "bdagentd" || IsRunning "epagd"; then
FOUND=1
BITDEFENDER_DAEMON_RUNNING=1
MALWARE_DAEMON_RUNNING=1
MALWARE_SCANNER_INSTALLED=1
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Bitdefender agent" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: found Bitdefender security product"
Report "malware_scanner[]=bitdefender"
fi
# CrowdStrike falcon-sensor
LogText "Test: checking process falcon-sensor (CrowdStrike)"
if IsRunning "falcon-sensor"; then
FOUND=1
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} falcon-sensor" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: found falcon-sensor service"
CROWDSTRIKE_FALCON_SENSOR_RUNNING=1
MALWARE_SCANNER_INSTALLED=1
Report "malware_scanner[]=falcon-sensor"
fi
# Cylance (macOS)
LogText "Test: checking process CylanceSvc"
if IsRunning "CylanceSvc"; then
FOUND=1
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} CylancePROTECT" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: found CylancePROTECT service"
AVAST_DAEMON_RUNNING=1
MALWARE_DAEMON_RUNNING=1
MALWARE_SCANNER_INSTALLED=1
Report "malware_scanner[]=cylance-protect"
fi
# ESET security products
LogText "Test: checking process esets_daemon"
if IsRunning "esets_daemon"; then
FOUND=1
ESET_DAEMON_RUNNING=1
MALWARE_DAEMON_RUNNING=1
MALWARE_SCANNER_INSTALLED=1
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} ESET daemon" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: found ESET security product"
Report "malware_scanner[]=eset"
fi
# Kaspersky products
LogText "Test: checking process wdserver or klnagent (Kaspersky)"
# wdserver is too generic to match on, so we want to ensure that it is related to Kaspersky first
if [ -x /opt/kaspersky/kesl/libexec/kesl_launcher.sh ]; then
if IsRunning "wdserver"; then KASPERSKY_SCANNER_RUNNING=1; fi
else
if IsRunning "klnagent"; then KASPERSKY_SCANNER_RUNNING=1; fi
fi
if [ ${KASPERSKY_SCANNER_RUNNING} -eq 1 ]; then
FOUND=1
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Kaspersky" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: Found Kaspersky"
MALWARE_DAEMON_RUNNING=1
MALWARE_SCANNER_INSTALLED=1
Report "malware_scanner[]=kaspersky"
fi
# McAfee products
LogText "Test: checking process cma or cmdagent (McAfee)"
# cma is too generic to match on, so we want to ensure that it is related to McAfee first
if [ -x /opt/McAfee/cma/bin/cma ]; then
if IsRunning "cma"; then MCAFEE_SCANNER_RUNNING=1; fi
else
if IsRunning "cmdagent"; then MCAFEE_SCANNER_RUNNING=1; fi
fi
if [ ${MCAFEE_SCANNER_RUNNING} -eq 1 ]; then
FOUND=1
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} McAfee" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: Found McAfee"
MALWARE_DAEMON_RUNNING=1
MALWARE_SCANNER_INSTALLED=1
Report "malware_scanner[]=mcafee"
fi
# SentinelOne
LogText "Text: checking process sentineld (SentinelOne)"
if IsRunning "sentineld"; then SENTINELONE_SCANNER_RUNNING=1; fi # macOS
if IsRunning "s1-agent"; then SENTINELONE_SCANNER_RUNNING=1; fi # Linux
if IsRunning "SentinelAgent"; then SENTINELONE_SCANNER_RUNNING=1; fi # Windows
if [ ${SENTINELONE_SCANNER_RUNNING} -eq 1 ]; then
FOUND=1
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} SentinelOne" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: Found SentinelOne"
MALWARE_DAEMON_RUNNING=1
MALWARE_SCANNER_INSTALLED=1
Report "malware_scanner[]=sentinelone"
fi
# Sophos savscand/SophosScanD
LogText "Test: checking process savscand"
if IsRunning "savscand"; then
FOUND=1
SOPHOS_SCANNER_RUNNING=1
fi
LogText "Test: checking process SophosScanD"
if IsRunning "SophosScanD"; then
FOUND=1
SOPHOS_SCANNER_RUNNING=1
fi
if [ ${SOPHOS_SCANNER_RUNNING} -eq 1 ]; then
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Sophos" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: Found Sophos"
MALWARE_DAEMON_RUNNING=1
MALWARE_SCANNER_INSTALLED=1
Report "malware_scanner[]=sophos"
fi
# Symantec rtvscand/smcd/symcfgd
LogText "Test: checking process rtvscand"
if IsRunning "rtvscand"; then
SYMANTEC_SCANNER_RUNNING=1
fi
LogText "Test: checking process Symantec management client service"
if IsRunning "smcd"; then
SYMANTEC_SCANNER_RUNNING=1
fi
LogText "Test: checking process Symantec Endpoint Protection configuration service"
if IsRunning "symcfgd"; then
SYMANTEC_SCANNER_RUNNING=1
fi
if [ ${SYMANTEC_SCANNER_RUNNING} -eq 1 ]; then
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Symantec" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: found one or more Symantec components"
MALWARE_DAEMON_RUNNING=1
MALWARE_SCANNER_INSTALLED=1
FOUND=1
Report "malware_scanner[]=symantec"
fi
# Synology Antivirus Essential
LogText "Test: checking process synoavd"
if IsRunning "synoavd"; then
FOUND=1
SYNOLOGY_DAEMON_RUNNING=1
MALWARE_DAEMON_RUNNING=1
MALWARE_SCANNER_INSTALLED=1
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Synology Antivirus Essential" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: found Synology Antivirus Essential"
Report "malware_scanner[]=synoavd"
fi
# Trend Micro Anti Malware for Linux
# Typically ds_agent is running as well, the Deep Security Agent
LogText "Test: checking process ds_agent to test for Trend Micro Deep Anti Malware component"
if IsRunning "ds_am"; then
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Trend Micro Anti Malware" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: found Trend Micro Anti Malware component"
FOUND=1
MALWARE_SCANNER_INSTALLED=1
MALWARE_DAEMON_RUNNING=1
TRENDMICRO_DSA_DAEMON_RUNNING=1
Report "malware_scanner[]=trend-micro-am"
fi
# TrendMicro (macOS)
LogText "Test: checking process TmccMac to test for Trend Micro anti-virus (macOS)"
if IsRunning "TmccMac"; then
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Trend Micro anti-virus" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: found Trend Micro component"
FOUND=1
MALWARE_DAEMON_RUNNING=1
MALWARE_SCANNER_INSTALLED=1
Report "malware_scanner[]=trend-micro-av"
fi
if [ ${FOUND} -eq 0 ]; then
LogText "Result: no commercial anti-virus tools found"
AddHP 0 3
else
LogText "Result: found one or more commercial anti-virus tools"
AddHP 2 2
fi
fi
# ################################################################################# #
# Description : Check if clamscan is installed
Register --test-no MALW-3282 --weight L --network NO --category security --description "Check for clamscan"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking presence clamscan"
if [ ! "${CLAMSCANBINARY}" = "" ]; then
Display --indent 2 --text "- Checking ClamAV scanner" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found ${CLAMSCANBINARY}"
MALWARE_SCANNER_INSTALLED=1
CLAMSCAN_INSTALLED=1
AddHP 2 2
else
LogText "Result: clamscan couldn't be found"
fi
fi
# ################################################################################# #
# Description : Check running clamd process
Register --test-no MALW-3284 --weight L --network NO --category security --description "Check for clamd"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking running ClamAV daemon (clamd)"
if IsRunning "clamd"; then
Display --indent 2 --text "- ${GEN_CHECKING} ClamAV daemon" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: found running clamd process"
MALWARE_DAEMON_RUNNING=1
MALWARE_SCANNER_INSTALLED=1
CLAMD_RUNNING=1
else
LogText "Result: clamd not running"
fi
fi
# ################################################################################# #
# Description : Check running freshclam if clamd process is running
if [ ${CLAMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no MALW-3286 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for freshclam"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking running freshclam daemon"
if IsRunning "freshclam"; then
FRESHCLAM_DAEMON_RUNNING=1
Display --indent 4 --text "- ${GEN_CHECKING} freshclam" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: found running freshclam process"
AddHP 2 2
else
Display --indent 4 --text "- ${GEN_CHECKING} freshclam" --result "${STATUS_SUGGESTION}" --color YELLOW
LogText "Result: freshclam is not running"
ReportSuggestion "${TEST_NO}" "Confirm that freshclam is properly configured and keeps updating the ClamAV database"
fi
fi
# ################################################################################# #
# Description : Check for ClamXav (macOS)
if [ -d /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no MALW-3288 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for ClamXav"
if [ ${SKIPTEST} -eq 0 ]; then
CLAMSCANBINARY=$(${LSBINARY} /Applications/ClamXav.app/Contents/Resources/ScanningEngine/bin/ 2> /dev/null | ${GREPBINARY} 'clamscan')
if [ -n "${CLAMSCANBINARY}" ]; then
LogText "Result: Found ClamXav clamscan installed"
Display --indent 2 --text "- ${GEN_CHECKING} ClamXav AV scanner" --result "${STATUS_FOUND}" --color GREEN
MALWARE_SCANNER_INSTALLED=1
CLAMSCAN_INSTALLED=1
AddHP 3 3
else
LogText "Result: ClamXav malware scanner not found"
AddHP 0 3
fi
fi
# ################################################################################# #
if [ ${CLAMSCAN_INSTALLED} -eq 1 -o ${CLAMD_RUNNING} -eq 1 -o ${FRESHCLAM_DAEMON_RUNNING} -eq 1 ]; then
Report "malware_scanner[]=clamav"
fi
# ################################################################################# #
# Description : Presence of malware scanners
Register --test-no MALW-3290 --weight L --network NO --category security --description "Presence of for malware detection"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ${MALWARE_SCANNER_INSTALLED} -eq 0 ]; then
Display --indent 2 --text "- Malware software components" --result "${STATUS_NOT_FOUND}" --color YELLOW
else
Display --indent 2 --text "- Malware software components" --result "${STATUS_FOUND}" --color GREEN
if [ ${MALWARE_DAEMON_RUNNING} -eq 0 ]; then
Display --indent 4 --text "- Active agent" --result "${STATUS_NOT_FOUND}" --color WHITE
else
Display --indent 4 --text "- Active agent" --result "${STATUS_FOUND}" --color GREEN
fi
if [ ${ROOTKIT_SCANNER_FOUND} -eq 0 ]; then
Display --indent 4 --text "- Rootkit scanner" --result "${STATUS_NOT_FOUND}" --color WHITE
else
Display --indent 4 --text "- Rootkit scanner" --result "${STATUS_FOUND}" --color GREEN
fi
fi
fi
# ################################################################################# #
Report "malware_scanner_installed=${MALWARE_SCANNER_INSTALLED}"
WaitForKeyPress
#
Hope I did it correctly: https://github.com/CISOfy/lynis/pull/1481
Related PR has been merged. Thank you!
McAfee Antivirus for Linux has been deprecated as of 1 Oct 2023 and will not receive updates. Please see:
End of Life announcement for McAfee AntiVirus for Linux Please modify the MALW-3280 check so that if it finds cmdagent, it throws up an error about it being deprecated; and no hardening points are assigned.