2014-08-26 17:33:55 +02:00
#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
2016-03-13 16:00:39 +01:00
# Copyright 2007-2013, Michael Boelen
2019-01-31 14:47:35 +01:00
# Copyright 2007-2019, CISOfy
2016-03-13 16:00:39 +01:00
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
2014-08-26 17:33:55 +02:00
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Ports and packages
#
#################################################################################
#
InsertSection "Ports and packages"
PACKAGE_MGR_PKG=0
2015-04-17 15:50:46 +02:00
PACKAGE_AUDIT_TOOL=""
PACKAGE_AUDIT_TOOL_FOUND=0
2019-10-08 16:43:09 +02:00
PACMANCONF="${ROOTDIR}etc/pacman.conf"
2015-01-03 12:45:22 +01:00
INSTALLED_PACKAGES=""
2014-08-26 17:33:55 +02:00
#
#################################################################################
#
2014-09-15 12:01:09 +02:00
Display --indent 2 --text "- Searching package managers"
2016-03-22 23:06:10 +01:00
#
#################################################################################
#
2014-08-26 17:33:55 +02:00
# Test : PKGS-7301
# Description : Query FreeBSD pkg
2016-09-26 12:05:30 +02:00
if [ -x ${ROOTDIR}usr/sbin/pkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no PKGS-7301 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query NetBSD pkg"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2016-09-26 12:05:30 +02:00
FIND=$(pkg -N 2>&1; echo $?)
2014-08-26 17:33:55 +02:00
if [ "${FIND}" = "0" ]; then
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Searching packages with pkg" --result "${STATUS_FOUND}" --color GREEN
2015-12-21 21:17:15 +01:00
Report "package_manager[]=pkg"
2014-08-26 17:33:55 +02:00
PACKAGE_MGR_PKG=1
2015-12-21 21:17:15 +01:00
LogText "Result: Found pkg"
LogText "Test: Querying pkg to get package list"
2015-01-03 12:45:22 +01:00
Display --indent 6 --text "- Querying pkg for installed packages"
2015-12-21 21:17:15 +01:00
LogText "Output:"; LogText "-----"
2016-09-26 12:05:30 +02:00
SPACKAGES=$(${ROOTDIR}usr/sbin/pkg query %n,%v)
for ITEM in ${SPACKAGES}; do
sPKG_NAME=$(echo ${ITEM} | ${CUTBINARY} -d ',' -f1)
sPKG_VERSION=$(echo ${ITEM} | ${CUTBINARY} -d ',' -f2)
2015-12-21 21:17:15 +01:00
LogText "Installed package: ${sPKG_NAME} (version: ${sPKG_VERSION})"
2016-09-26 12:05:30 +02:00
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${ITEM}"
2015-01-03 12:45:22 +01:00
done
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
#
# Test : PKGS-7302
# Description : Query FreeBSD/NetBSD pkg_info
2017-04-30 17:59:35 +02:00
if [ -x ${ROOTDIR}usr/sbin/pkg_info ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no PKGS-7302 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query FreeBSD/NetBSD pkg_info"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2017-04-30 17:59:35 +02:00
COUNT=0
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Checking pkg_info" --result "${STATUS_FOUND}" --color GREEN
2015-12-21 21:17:15 +01:00
LogText "Result: Found pkg_info"
Report "package_manager[]=pkg_info"
LogText "Test: Querying pkg_info to get package list"
2014-09-15 12:01:09 +02:00
Display --indent 6 --text "- Querying pkg_info for installed packages"
2015-12-21 21:17:15 +01:00
LogText "Output:"; LogText "-----"
2016-09-26 12:05:30 +02:00
SPACKAGES=$(${ROOTDIR}usr/sbin/pkg_info 2>&1 | ${SORTBINARY} | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f1 | ${SEDBINARY} -e 's/^\(.*\)-\([0-9].*\)$/\1,\2/g')
for ITEM in ${SPACKAGES}; do
2017-04-30 17:59:35 +02:00
COUNT=$((COUNT + 1))
2016-09-26 12:05:30 +02:00
sPKG_NAME=$(echo ${ITEM} | ${CUTBINARY} -d ',' -f1)
sPKG_VERSION=$(echo ${ITEM} | ${CUTBINARY} -d ',' -f2)
2015-12-21 21:17:15 +01:00
LogText "Installed package: ${sPKG_NAME} (version: ${sPKG_VERSION})"
2016-09-26 12:05:30 +02:00
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${ITEM}"
2014-08-26 17:33:55 +02:00
done
2017-04-30 17:59:35 +02:00
Report "installed_packages=${COUNT}"
2014-08-26 17:33:55 +02:00
fi
2016-03-22 23:06:10 +01:00
#
#################################################################################
#
# Test : PKGS-7303
# Description : Query brew package manager
A bunch of Solaris compatibility tweaks (#367)
* Work around Solaris' /bin/sh not being POSIX.
If /usr/xpg4/bin/sh is present, we are (definitely?) on Solaris or
a derivative, and /bin/sh cannot be trusted to support POSIX, but
/usr/xpg4/bin/sh can be. Exec it right away.
* Work around Solaris 'which' command oddity.
Solaris' (at least) 'which' command outputs not-found errors to STDOUT
instead of STDERR.
This makes "did we get any output from which" checks insufficient;
piping to grep -v the "no foo in ..." message should work.
Note that this patch set includes all such uses of which that I could
find, including ones that should never be reached on Solaris (i.e. only
executed on some other OS) just for consistency.
* Improved alternate-sh exec to avoid looping.
* Solaris' /usr/ucb/echo supports -n.
* Check for the best hash type that openssl supports.
When using openssl to generate hashes, do not assume it supports
sha256; try that, then sha1, then give up and use md5.
* Solaris does not support sed -i; use a tempfile.
* Use the full path for modinfo.
When running as non-root, /usr/sbin/ might not be in PATH.
include/tests_accounting already calls modinfo by full path, but
include/tests_kernel did not.
* Solaris find does not support -maxdepth.
This mirrors the logic already in tests_homedirs.
* Use PSBINARY instead of ps.
* Work around Solaris' date not supporting +%s.
Printing nawk's srand value is a bizarre but apparently once popular
workaround for there being no normal userland command to print
UNIX epoch seconds. A perl one-liner is the other common approach,
but nawk may be more reliably present on Solaris than perl.
* Revert to using sha1 for HOSTID.
* Whitespace cleanup for openssl hash tests.
2017-03-08 17:24:24 +01:00
FIND=$(which brew 2> /dev/null | grep -v "no [^ ]* in ")
2019-07-16 13:20:30 +02:00
if [ -n "${FIND}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no PKGS-7303 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query brew package manager"
2016-03-22 23:06:10 +01:00
if [ ${SKIPTEST} -eq 0 ]; then
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Searching brew" --result "${STATUS_FOUND}" --color GREEN
2016-03-22 23:06:10 +01:00
LogText "Result: Found brew"
2017-04-30 17:59:35 +02:00
PACKAGE_MGR_PKG=1
2016-03-22 23:06:10 +01:00
Report "package_manager[]=brew"
LogText "Test: Querying brew to get package list"
Display --indent 4 --text "- Querying brew for installed packages"
LogText "Output:"; LogText "-----"
2017-03-06 08:41:21 +01:00
GPACKAGES=$(brew list)
2016-03-22 23:06:10 +01:00
for J in ${GPACKAGES}; do
LogText "Found package ${J}"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J}"
done
2017-04-23 20:06:54 +02:00
else
2016-03-22 23:06:10 +01:00
LogText "Result: brew can NOT be found on this system"
fi
2014-08-26 17:33:55 +02:00
#
#################################################################################
2014-09-23 22:48:20 +02:00
#
# Test : PKGS-7304
# Description : Gentoo packages
2016-09-26 12:05:30 +02:00
if [ -x ${ROOTDIR}usr/bin/emerge -a -x ${ROOTDIR}usr/bin/equery ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no PKGS-7304 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying Gentoo packages"
2014-09-23 22:54:38 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Searching emerge" --result "${STATUS_FOUND}" --color GREEN
2015-12-21 21:17:15 +01:00
LogText "Result: Found Gentoo emerge"
Report "package_manager[]=emerge"
LogText "Test: Querying portage to get package list"
2014-09-23 22:48:20 +02:00
Display --indent 4 --text "- Querying portage for installed packages"
2015-12-21 21:17:15 +01:00
LogText "Output:"; LogText "-----"
2016-09-26 12:05:30 +02:00
GPACKAGES=$(equery l '*' | ${SEDBINARY} -e 's/[.*]//g')
2017-04-30 17:59:35 +02:00
for PKG in ${GPACKAGES}; do
LogText "Found package ${PKG}"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PKG},0,"
2014-09-23 22:48:20 +02:00
done
2017-04-30 17:59:35 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: emerge can NOT be found on this system"
2014-09-23 22:48:20 +02:00
fi
#
#
#################################################################################
2014-08-26 17:33:55 +02:00
#
# Test : PKGS-7306
# Description : Solaris packages
2016-09-26 12:05:30 +02:00
if [ -x ${ROOTDIR}usr/bin/pkginfo ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no PKGS-7306 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying Solaris packages"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Searching pkginfo" --result "${STATUS_FOUND}" --color GREEN
2015-12-21 21:17:15 +01:00
LogText "Result: Found Solaris pkginfo"
Report "package_manager[]=pkginfo"
2017-04-30 17:59:35 +02:00
PACKAGE_MGR_PKG=1
2015-12-21 21:17:15 +01:00
LogText "Test: Querying pkginfo to get package list"
2014-09-15 12:01:09 +02:00
Display --indent 4 --text "- Querying pkginfo for installed packages"
2015-12-21 21:17:15 +01:00
LogText "Output:"; LogText "-----"
2014-08-26 17:33:55 +02:00
# Strip SUNW from strings
2016-09-26 12:05:30 +02:00
SPACKAGES=$(${ROOTDIR}usr/bin/pkginfo -i | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f2 | ${SEDBINARY} "s#^SUNW##")
2014-08-26 17:33:55 +02:00
for J in ${SPACKAGES}; do
2015-12-21 21:17:15 +01:00
LogText "Found package ${J}"
2015-01-03 12:45:22 +01:00
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J},0,"
2014-08-26 17:33:55 +02:00
done
2017-04-23 20:06:54 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: pkginfo can NOT be found on this system"
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : PKGS-7308
# Description : RPM package based systems
2019-07-16 13:20:30 +02:00
if [ -n "${RPMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no PKGS-7308 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package list with RPM"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2017-04-30 17:59:35 +02:00
COUNT=0
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Searching RPM package manager" --result "${STATUS_FOUND}" --color GREEN
2015-12-21 21:17:15 +01:00
LogText "Result: Found rpm binary (${RPMBINARY})"
Report "package_manager[]=rpm"
LogText "Test: Querying 'rpm -qa' to get package list"
2014-09-15 12:01:09 +02:00
Display --indent 6 --text "- Querying RPM package manager"
2015-12-21 21:17:15 +01:00
LogText "Output:"; LogText "--------"
2017-03-06 08:41:21 +01:00
SPACKAGES=$(${RPMBINARY} -qa --queryformat "%{NAME},%{VERSION}-%{RELEASE}.%{ARCH}\n" 2> /dev/null | sort)
2017-04-23 20:06:54 +02:00
if [ -z "${SPACKAGES}" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: RPM binary available, but package list seems to be empty"
LogText "Info: looks like the rpm binary is installed, but not used for package installation"
2014-10-26 23:33:26 +01:00
ReportSuggestion "${TEST_NO}" "Check RPM database as RPM binary available but does not reveal any packages"
2017-04-23 20:06:54 +02:00
else
2017-04-30 17:59:35 +02:00
for PKG in ${SPACKAGES}; do
COUNT=$((COUNT + 1))
PACKAGE_NAME=$(echo ${PKG} | ${AWKBINARY} -F, '{print $1}')
PACKAGE_VERSION=$(echo ${PKG} | ${AWKBINARY} -F, '{print $2}')
LogText "Found package: ${PKG}"
2015-12-21 19:10:22 +01:00
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION},"
2014-08-26 17:33:55 +02:00
done
2017-04-30 17:59:35 +02:00
Report "installed_packages=${COUNT}"
2014-08-26 17:33:55 +02:00
fi
2017-04-30 17:59:35 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: RPM binary NOT found on this system, test skipped"
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : PKGS-7310
# Description : pacman package based systems
2019-10-08 16:43:09 +02:00
if [ -n "${PACMANBINARY}" -a -f "${PACMANCONF}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no PKGS-7310 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package list with pacman"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2017-04-30 17:59:35 +02:00
COUNT=0
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Searching pacman package manager" --result "${STATUS_FOUND}" --color GREEN
2015-12-21 21:17:15 +01:00
LogText "Result: Found pacman binary (${PACMANBINARY})"
Report "package_manager[]=pacman"
2017-04-30 17:59:35 +02:00
PACKAGE_MGR_PKG=1
2015-12-21 21:17:15 +01:00
LogText "Test: Querying 'pacman -Q' to get package list"
2014-09-15 12:01:09 +02:00
Display --indent 6 --text "- Querying pacman package manager"
2015-12-21 21:17:15 +01:00
LogText "Output:"; LogText "--------"
2017-03-06 08:41:21 +01:00
SPACKAGES=$(${PACMANBINARY} -Q | ${SORTBINARY} | ${SEDBINARY} 's/ /,/g')
2017-04-23 20:06:54 +02:00
if [ -z "${SPACKAGES}" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: pacman binary available, but package list seems to be empty"
LogText "Info: looks like the pacman binary is installed, but not used for package installation"
2016-09-26 12:05:30 +02:00
else
2017-04-30 17:59:35 +02:00
for PKG in ${SPACKAGES}; do
COUNT=$((COUNT + 1))
PACKAGE_NAME=$(echo ${PKG} | ${AWKBINARY} -F, '{ print $1 }')
PACKAGE_VERSION=$(echo ${PKG} | ${AWKBINARY} -F, '{ print $2 }')
2015-12-21 21:17:15 +01:00
LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
2017-04-30 17:59:35 +02:00
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PKG}"
2014-08-26 17:33:55 +02:00
done
2017-04-30 17:59:35 +02:00
Report "installed_packages=${COUNT}"
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
#
# Test : PKGS-7312
2017-03-12 19:27:16 +01:00
# Description : Check for available package updates when pacman package is used
2019-10-08 16:43:09 +02:00
if [ -n "${PACMANBINARY}" -a -f "${PACMANCONF}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no PKGS-7312 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking available updates for pacman based system"
2014-09-22 23:40:53 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
A bunch of Solaris compatibility tweaks (#367)
* Work around Solaris' /bin/sh not being POSIX.
If /usr/xpg4/bin/sh is present, we are (definitely?) on Solaris or
a derivative, and /bin/sh cannot be trusted to support POSIX, but
/usr/xpg4/bin/sh can be. Exec it right away.
* Work around Solaris 'which' command oddity.
Solaris' (at least) 'which' command outputs not-found errors to STDOUT
instead of STDERR.
This makes "did we get any output from which" checks insufficient;
piping to grep -v the "no foo in ..." message should work.
Note that this patch set includes all such uses of which that I could
find, including ones that should never be reached on Solaris (i.e. only
executed on some other OS) just for consistency.
* Improved alternate-sh exec to avoid looping.
* Solaris' /usr/ucb/echo supports -n.
* Check for the best hash type that openssl supports.
When using openssl to generate hashes, do not assume it supports
sha256; try that, then sha1, then give up and use md5.
* Solaris does not support sed -i; use a tempfile.
* Use the full path for modinfo.
When running as non-root, /usr/sbin/ might not be in PATH.
include/tests_accounting already calls modinfo by full path, but
include/tests_kernel did not.
* Solaris find does not support -maxdepth.
This mirrors the logic already in tests_homedirs.
* Use PSBINARY instead of ps.
* Work around Solaris' date not supporting +%s.
Printing nawk's srand value is a bizarre but apparently once popular
workaround for there being no normal userland command to print
UNIX epoch seconds. A perl one-liner is the other common approach,
but nawk may be more reliably present on Solaris than perl.
* Revert to using sha1 for HOSTID.
* Whitespace cleanup for openssl hash tests.
2017-03-08 17:24:24 +01:00
FIND=$(which checkupdates 2> /dev/null | grep -v "no [^ ]* in ")
2019-07-16 13:20:30 +02:00
if [ -n "${FIND}" ]; then
2017-03-06 08:41:21 +01:00
FIND=$(checkupdates)
2014-09-22 23:40:53 +02:00
for I in ${FIND}; do
2015-12-21 21:17:15 +01:00
LogText "Result: update available for ${I}"
Report "available_update[]=${I}"
2014-09-22 23:40:53 +02:00
FOUND=1
done
2014-09-25 16:55:47 +02:00
if [ ${FOUND} -eq 1 ]; then
2014-09-22 23:40:53 +02:00
Display --indent 4 --text "- Searching update status (checkupdates)" --result "OUTDATED" --color YELLOW
ReportSuggestion "${TEST_NO}" "Perform update of system updates as this system uses rolling updates"
2016-09-26 12:05:30 +02:00
else
2014-09-22 23:40:53 +02:00
Display --indent 4 --text "- Searching update status (checkupdates)" --result "UP-TO-DATE" --color GREEN
fi
2017-04-30 17:59:35 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: skipping this test, can't find checkupdates binary"
2014-09-22 23:40:53 +02:00
fi
2017-04-30 17:59:35 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: pacman binary NOT found on this system, test skipped"
2014-09-22 23:40:53 +02:00
fi
2014-08-26 17:33:55 +02:00
#
#################################################################################
#
2014-09-22 23:40:53 +02:00
# Test : PKGS-7314
# Description : Check pacman.conf options
2019-10-08 16:43:09 +02:00
if [ -n "${PACMANBINARY}" -a -f "${PACMANCONF}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no PKGS-7314 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking pacman configuration options"
2014-09-22 23:40:53 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
COUNT=0
# Check configuration options (options start with a capital)
2015-12-21 21:17:15 +01:00
LogText "Test: searching configured options in ${PACMANCONF}"
2017-03-06 08:41:21 +01:00
FIND=$(${GREPBINARY} "^[A-Z]" ${PACMANCONF} | ${SORTBINARY} -u | ${SEDBINARY} 's/ /:space:/g')
2014-09-22 23:40:53 +02:00
for I in ${FIND}; do
2017-03-06 08:41:21 +01:00
PMOPTION=$(echo ${I} | ${SEDBINARY} 's/:space:/ /g' | ${AWKBINARY} -F= '{ print $1 }')
PMVALUE=$(echo ${I} | ${SEDBINARY} 's/:space:/ /g' | ${AWKBINARY} -F= '{ print $2 }')
2015-12-21 21:17:15 +01:00
LogText "Result: found option ${PMOPTION} configured with value ${PMVALUE}"
Report "pacman_option[]=${PMOPTION}:${PMVALUE}:"
2014-09-22 23:40:53 +02:00
done
# Check software repositories
2015-12-21 21:17:15 +01:00
LogText "Test: checking available repositories"
2017-03-06 08:41:21 +01:00
FIND=$(${GREPBINARY} "^\[.*\]$" ${PACMANCONF} | ${TRBINARY} -d '[]')
2014-09-22 23:40:53 +02:00
for I in ${FIND}; do
2016-05-03 14:57:53 +02:00
COUNT=$((COUNT + 1))
2015-12-21 21:17:15 +01:00
Report "package_repository[]=${I}"
2014-09-22 23:40:53 +02:00
done
2015-12-21 21:17:15 +01:00
LogText "Result: found ${COUNT} repositories"
2014-09-22 23:40:53 +02:00
fi
2014-08-26 17:33:55 +02:00
#
#################################################################################
2017-08-19 10:51:06 +02:00
#
# TODO
## Test : PKGS-7318
## Description : APT configuration
#if [ -x ${ROOTDIR}usr/bin/apt-config ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
#Register --test-no PKGS-7318 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "APT configuration"
#if [ ${SKIPTEST} -eq 0 ]; then
# LogText "Test: check APT configuration"
# if ! SkipAtomicTest ${TEST_NO}:atomicname; then
# # Acquire::AllowInsecureRepositories should be 0 (could be 1)
# # Acquire::AllowDowngradeToInsecureRepositories should be 0
# # Binary::apt::Acquire::AllowInsecureRepositories should be 0
#fi
#
#################################################################################
2016-09-24 14:49:14 +02:00
#
# Test : PKGS-7320
# Description : Check available of arch-audit
2016-09-24 14:58:30 +02:00
if [ "${OS_FULLNAME}" = "Arch Linux" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="Test only applies to Arch Linux"; fi
2016-09-24 16:17:11 +02:00
Register --test-no PKGS-7320 --os "Linux" --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Checking for arch-audit tooling"
2016-09-24 14:49:14 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
if [ -z "${ARCH_AUDIT_BINARY}" ]; then
LogText "Result: no arch-audit binary found"
AddHP 1 2
ReportSuggestion "${TEST_NO}" "Consider installing arch-audit to determine vulnerable packages" "arch-audit" "text:Install arch-audit"
else
2016-09-24 15:36:45 +02:00
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="arch-audit"
2016-09-24 14:49:14 +02:00
LogText "Result: arch-audit binary found (${ARCH_AUDIT_BINARY})"
AddHP 3 3
fi
fi
#
#################################################################################
#
# Test : PKGS-7322
# Description : Discover vulnerable packages with arch-audit
2019-07-16 13:20:30 +02:00
if [ -n "${ARCH_AUDIT_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="arch-audit not found"; fi
2016-09-24 16:17:11 +02:00
Register --test-no PKGS-7322 --os "Linux" --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Discover vulnerable packages with arch-audit"
2016-09-24 14:49:14 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking arch-audit output for vulnerable packages"
2016-09-24 15:07:20 +02:00
FIND=$(${ARCH_AUDIT_BINARY} | ${SEDBINARY} 's/\.\..*$//' | ${SEDBINARY} 's/, //g' | ${SEDBINARY} 's/\(\["\|"\]\)//g' | ${SEDBINARY} 's/""/,/g' | ${AWKBINARY} '{ if($1=="Package") { print $2"|"$6"|"}}' | ${AWKBINARY} -F'|' 'NF>1{a[$1] = a[$1]","$2}END{for(i in a){print i""a[i]"|"}}' | ${SEDBINARY} 's/,/|cve=/' | ${SORTBINARY})
2016-09-24 14:49:14 +02:00
if [ -z "${FIND}" ]; then
LogText "Result: no vulnerable packages found with arch-audit"
AddHP 10 10
else
LogText "Result: found one or more vulnerable packages"
for ITEM in ${FIND}; do
LogText "Found line: ${ITEM}"
Report "vulnerable_package[]=${ITEM}"
AddHP 1 2
done
2018-09-17 09:23:04 +02:00
ReportWarning "${TEST_NO}" "Vulnerable packages found" "arch-audit has output" "text:Run arch-audit to see the output, and when needed update the packages with pacman -Suy"
2016-09-24 14:49:14 +02:00
fi
fi
#
#################################################################################
2014-08-26 17:33:55 +02:00
#
# Test : PKGS-7328
# Description : Check installed packages with Zypper
2019-07-16 13:20:30 +02:00
if [ -n "${ZYPPERBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no PKGS-7328 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying Zypper for installed packages"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2017-04-30 17:59:35 +02:00
COUNT=0
2015-04-16 19:59:51 +02:00
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="zypper"
2019-04-15 19:30:21 +02:00
FIND=$(${ZYPPERBINARY} --non-interactive -n se -t package -i | ${AWKBINARY} '{ if ($1=="i") { print $3 } }')
2019-07-16 13:20:30 +02:00
if [ -n "${FIND}" ]; then
2017-04-30 17:59:35 +02:00
for PKG in ${FIND}; do
COUNT=$((COUNT + 1))
LogText "Installed package: ${PKG}"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PKG},0,"
2014-08-26 17:33:55 +02:00
done
2017-04-30 17:59:35 +02:00
Report "installed_packages=${COUNT}"
2016-09-26 12:05:30 +02:00
else
2014-08-26 17:33:55 +02:00
# Could not find any installed packages
2017-04-30 17:59:35 +02:00
ReportException "${TEST_NO}" "No installed packages found with Zypper"
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
#
# Test : PKGS-7330
# Description : Check vulnerable packages with Zypper
2019-07-16 13:20:30 +02:00
if [ -n "${ZYPPERBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no PKGS-7330 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying Zypper for vulnerable packages"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2019-04-17 15:07:07 +02:00
FIND=$(${ZYPPERBINARY} --non-interactive pchk | ${GREPBINARY} "(0 security patches)")
2019-07-16 13:20:30 +02:00
if [ -n "${FIND}" ]; then
2017-04-23 20:06:54 +02:00
LogText "Result: No security updates found with Zypper"
Display --indent 2 --text "- Using Zypper to find vulnerable packages" --result "${STATUS_NONE}" --color GREEN
else
Display --indent 2 --text "- Using Zypper to find vulnerable packages" --result "${STATUS_WARNING}" --color RED
LogText "Result: Zypper found one or more installed packages which are vulnerable."
ReportWarning ${TEST_NO} "Found one or more vulnerable packages installed"
# Unfortunately zypper does not properly give back which package it is. Usually best guess is last word on the line
2019-04-17 15:07:07 +02:00
FIND=$(${ZYPPERBINARY} --non-interactive lp | ${AWKBINARY} '{ if ($5=="security" || $7=="security") { print $NF }}' | ${SEDBINARY} 's/:$//' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u)
2017-04-23 20:06:54 +02:00
LogText "List of vulnerable packages/version:"
2017-04-30 17:59:35 +02:00
for PKG in ${FIND}; do
2017-04-23 20:06:54 +02:00
VULNERABLE_PACKAGES_FOUND=1
2017-04-30 17:59:35 +02:00
Report "vulnerable_package[]=${PKG}"
LogText "Vulnerable package: ${PKG}"
2017-04-23 20:06:54 +02:00
# Decrease hardening points for every found vulnerable package
AddHP 1 2
done
fi
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
2017-04-30 17:59:35 +02:00
#
# Test : PKGS-7332
# Description : Query macOS ports
if [ -x ${ROOTDIR}opt/local/bin/port ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7332 --os "macOS" --preqs-met ${PREQS_MET} --weight L --network NO --description "Query macOS ports"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${ROOTDIR}opt/local/bin/port installed 2>&1 | ${GREPBINARY} active | ${SORTBINARY}; ${ROOTDIR}bin/echo $?)
if [ "${FIND}" = "0" ]; then
Display --indent 4 --text "- Searching packages with port" --result "{STATUS_FOUND}" --color GREEN
Report "package_manager[]=port"
PACKAGE_MGR_PKG=1
LogText "Result: Found port utility"
LogText "Test: Querying port to get package list"
Display --indent 6 --text "- Querying port for installed packages"
LogText "Output:"; LogText "-----"
SPACKAGES=$(${ROOTDIR}opt/local/bin/port installed | ${GREPBINARY} active)
for ITEM in ${SPACKAGES}; do
SPORT_NAME=$(echo ${ITEM} | ${CUTBINARY} -d@ -f1)
SPORT_VERSION=$(echo ${ITEM} | ${CUTBINARY} -d@ -f2 | ${CUTBINARY} -d' ' -f1)
LogText "Installed package: ${SPORT_NAME} (version: ${SPORT_VERSION})"
INSTALLED_PACKAGES="${INSTALLED_PORTS}|${ITEM}"
done
fi
fi
#
#################################################################################
#
# Test : PKGS-7334
# Description : Query macOS ports for available port upgrades
if [ -x ${ROOTDIR}opt/local/bin/port ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7334 --os "macOS" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query port for port upgrades"
if [ ${SKIPTEST} -eq 0 ]; then
COUNT=0
LogText "Test: Querying ports for possible port upgrades"
UPACKAGES=$(${ROOTDIR}opt/local/bin/port outdated 2> /dev/null | ${CUTBINARY} -d' ' -f1)
for J in ${UPACKAGES}; do
COUNT=$((COUNT + 1))
LogText "Upgrade available (new version): ${J}"
Report "upgrade_available[]=${J}"
done
Report "upgrade_available_count=${COUNT}"
if [ ${COUNT} -eq 0 ]; then
LogText "Result: no upgrades found"
Display --indent 2 --text "- Checking ports for updates" --result "${STATUS_NONE}" --color GREEN
AddHP 2 2
else
Display --indent 2 --text "- Checking ports for updates" --result "${STATUS_FOUND}" --color YELLOW
fi
fi
#
#################################################################################
2014-08-26 17:33:55 +02:00
#
# Test : PKGS-7345
# Description : Debian package based systems (dpkg)
2017-04-30 17:59:35 +02:00
if [ -x ${ROOTDIR}usr/bin/dpkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no PKGS-7345 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying dpkg"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2017-04-30 17:59:35 +02:00
COUNT=0
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Searching dpkg package manager" --result "${STATUS_FOUND}" --color GREEN
2015-12-21 21:17:15 +01:00
LogText "Result: Found dpkg binary"
Report "package_manager[]=dpkg"
2017-04-30 17:59:35 +02:00
PACKAGE_MGR_PKG=1
2015-12-21 21:17:15 +01:00
LogText "Test: Querying dpkg -l to get package list"
2014-09-15 12:01:09 +02:00
Display --indent 6 --text "- Querying package manager"
2015-12-21 21:17:15 +01:00
LogText "Output:"
2017-03-06 08:41:21 +01:00
SPACKAGES=$(dpkg -l 2>/dev/null | ${GREPBINARY} "^ii" | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | sort)
2014-08-26 17:33:55 +02:00
for J in ${SPACKAGES}; do
2017-04-30 17:59:35 +02:00
COUNT=$((COUNT + 1))
2017-03-06 08:41:21 +01:00
PACKAGE_NAME=$(echo ${J} | ${CUTBINARY} -d ',' -f2)
PACKAGE_VERSION=$(echo ${J} | ${CUTBINARY} -d ',' -f3)
2015-12-21 21:17:15 +01:00
LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
2015-01-03 12:45:22 +01:00
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
2014-08-26 17:33:55 +02:00
done
2017-04-30 17:59:35 +02:00
Report "installed_packages=${COUNT}"
2016-09-26 12:05:30 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: dpkg can NOT be found on this system, test skipped"
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : PKGS-7346
# Description : Check packages which are removed, but still own configuration files, cron jobs etc
2017-03-06 08:41:21 +01:00
# Notes : Cleanup: for pkg in $(dpkg -l | ${GREPBINARY} "^rc" | ${CUTBINARY} -d' ' -f3); do aptitude purge ${pkg}; done
2017-04-30 17:59:35 +02:00
if [ -x ${ROOTDIR}usr/bin/dpkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no PKGS-7346 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Search unpurged packages on system"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2017-04-30 17:59:35 +02:00
COUNT=0
2015-12-21 21:17:15 +01:00
LogText "Test: Querying dpkg -l to get unpurged packages"
2017-04-30 17:59:35 +02:00
SPACKAGES=$(${ROOTDIR}usr/bin/dpkg -l 2>/dev/null | ${GREPBINARY} "^rc" | ${CUTBINARY} -d ' ' -f3 | sort)
2017-04-23 20:06:54 +02:00
if [ -z "${SPACKAGES}" ]; then
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Query unpurged packages" --result "${STATUS_NONE}" --color GREEN
2015-12-21 21:17:15 +01:00
LogText "Result: no packages found with left overs"
2016-09-26 12:05:30 +02:00
else
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Query unpurged packages" --result "${STATUS_FOUND}" --color YELLOW
2015-12-21 21:17:15 +01:00
LogText "Result: found one or more packages with left over configuration files, cron jobs etc"
LogText "Output:"
2014-08-26 17:33:55 +02:00
for J in ${SPACKAGES}; do
2017-04-30 17:59:35 +02:00
COUNT=$((COUNT + 1))
2015-12-21 21:17:15 +01:00
LogText "Found unpurged package: ${J}"
2014-08-26 17:33:55 +02:00
done
2017-04-30 17:59:35 +02:00
ReportSuggestion ${TEST_NO} "Purge old/removed packages (${COUNT} found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts."
2014-08-26 17:33:55 +02:00
fi
2016-09-26 12:05:30 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: dpkg can NOT be found on this system, test skipped"
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
2015-07-22 16:28:11 +02:00
#
2014-08-26 17:33:55 +02:00
# Test : PKGS-7348
# Description : Show unneeded distfiles if present
# Notes : Portsclean seems to be gone from the ports, so no suggestion or warning is
# issued when it's missing.
# Add portmaster --clean-distfiles-all
2016-07-24 17:22:00 +02:00
Register --test-no PKGS-7348 --os FreeBSD --weight L --network NO --category security --description "Check for old distfiles"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2017-04-30 17:59:35 +02:00
if [ -x ${ROOTDIR}usr/local/sbin/portsclean ]; then
FIND=$(${ROOTDIR}usr/local/sbin/portsclean -n -DD | ${GREPBINARY} 'Delete' | wc -l | ${TRBINARY} -d ' ')
2014-08-26 17:33:55 +02:00
if [ ${FIND} -eq 0 ]; then
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking presence old distfiles" --result "${STATUS_OK}" --color GREEN
2015-12-21 21:17:15 +01:00
LogText "Result: no unused distfiles found"
2016-09-26 12:05:30 +02:00
else
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking presence old distfiles" --result "${STATUS_WARNING}" --color YELLOW
2015-12-21 21:17:15 +01:00
LogText "Result: found ${FIND} unused distfiles"
2014-08-26 17:33:55 +02:00
ReportSuggestion ${TEST_NO} "Unused distfiles found. Use portsclean to delete these files. For example: portsclean -DD."
fi
fi
fi
#
#################################################################################
2016-01-25 13:18:59 +01:00
#
# Test : PKGS-7350
2016-01-25 13:43:05 +01:00
# Description : Use Dandified YUM to gather installed packages
2016-01-25 13:18:59 +01:00
# Notes : Possible replacement for YUM in the long term
2019-07-16 13:20:30 +02:00
if [ -n "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no "PKGS-7350" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for installed packages with DNF utility"
2016-01-25 13:18:59 +01:00
if [ ${SKIPTEST} -eq 0 ]; then
2017-04-30 17:59:35 +02:00
COUNT=0
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- Searching DNF package manager" --result "${STATUS_FOUND}" --color GREEN
2016-01-25 15:38:46 +01:00
LogText "Result: found DNF (Dandified YUM) utility (binary: ${DNFBINARY})"
2016-01-25 13:52:58 +01:00
Report "package_manager[]=dnf"
Display --indent 6 --text "- Querying DNF package manager"
2016-01-25 13:18:59 +01:00
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="dnf"
2017-03-06 08:41:21 +01:00
SPACKAGES=$(${DNFBINARY} -q list installed 2> /dev/null | ${AWKBINARY} '{ if ($1!="Installed" && $1!="Last") {print $1","$2 }}')
2017-04-30 17:59:35 +02:00
for PKG in ${SPACKAGES}; do
COUNT=$((COUNT + 1))
PACKAGE_NAME=$(echo ${PKG} | ${CUTBINARY} -d ',' -f1)
PACKAGE_VERSION=$(echo ${PKG} | ${CUTBINARY} -d ',' -f2)
2016-01-25 13:18:59 +01:00
LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
done
2017-04-30 17:59:35 +02:00
Report "installed_packages=${COUNT}"
2016-01-25 13:43:05 +01:00
fi
2017-04-23 20:06:54 +02:00
#
#################################################################################
#
2016-01-25 13:43:05 +01:00
# Test : PKGS-7352
# Description : Use Dandified YUM to detect security updates
2019-07-16 13:20:30 +02:00
if [ -n "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no "PKGS-7352" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for security updates with DNF utility"
2016-01-25 13:43:05 +01:00
if [ ${SKIPTEST} -eq 0 ]; then
2016-01-25 13:18:59 +01:00
# Check for security updates
LogText "Action: checking updateinfo for security updates"
2017-03-06 08:41:21 +01:00
FIND=$(${DNFBINARY} -q updateinfo list sec 2> /dev/null | ${AWKBINARY} '{ if ($2=="security") { print $3 }}')
2019-07-16 13:20:30 +02:00
if [ -n "${FIND}" ]; then
2016-01-25 13:18:59 +01:00
VULNERABLE_PACKAGES_FOUND=1
2016-01-25 13:57:31 +01:00
LogText "Result: found vulnerable packages, upgrade of system needed."
2016-01-25 13:18:59 +01:00
for PKG in ${FIND}; do
2016-01-25 15:38:46 +01:00
Report "vulnerable_package[]=${PKG}"
LogText "Vulnerable package: ${PKG}"
2016-01-25 13:18:59 +01:00
# Decrease hardening points for every found vulnerable package
AddHP 1 2
done
2016-08-10 07:24:10 +02:00
ReportWarning ${TEST_NO} "Found one or more vulnerable packages. Run: dnf upgrade"
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Using DNF to find vulnerable packages" --result "${STATUS_WARNING}" --color RED
2016-09-26 12:05:30 +02:00
else
2016-01-25 13:18:59 +01:00
LogText "Result: no security updates found"
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Using DNF to find vulnerable packages" --result "${STATUS_NONE}" --color GREEN
2016-01-25 13:18:59 +01:00
AddHP 5 5
fi
fi
2017-04-23 20:06:54 +02:00
#
#################################################################################
#
2016-01-25 13:43:05 +01:00
# Test : PKGS-7354
# Description : Perform integrity tests for package database
2019-07-16 13:20:30 +02:00
if [ -n "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no "PKGS-7354" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking package database integrity"
2016-01-25 13:43:05 +01:00
if [ ${SKIPTEST} -eq 0 ]; then
2016-04-21 11:44:42 +02:00
# Check if repoquery plugin is available
2017-03-06 08:41:21 +01:00
FIND=$(${DNFBINARY} 2>&1 | ${GREPBINARY} "^repoquery")
2019-07-16 13:20:30 +02:00
if [ -n "${FIND}" ]; then
2016-04-21 11:44:42 +02:00
LogText "Action: checking integrity of package database"
2016-09-26 12:05:30 +02:00
FIND=$(${DNFBINARY} -q repoquery --duplicated)
2019-07-16 13:20:30 +02:00
if [ -n "${FIND}" ]; then
2016-04-21 11:44:42 +02:00
LogText "Result: found unexpected result on repoquery --duplicated"
ReportSuggestion "${TEST_NO}" "Check output of: dnf repoquery --duplicated"
fi
2017-03-06 08:41:21 +01:00
FIND=$(${DNFBINARY} -q repoquery --unsatisfied)
2019-07-16 13:20:30 +02:00
if [ -n "${FIND}" ]; then
2016-04-21 11:44:42 +02:00
LogText "Result: found unexpected result on repoquery --unsatisfied"
ReportSuggestion "${TEST_NO}" "Check output of: dnf repoquery --unsatisfied"
fi
2016-09-26 12:05:30 +02:00
else
2016-04-21 11:44:42 +02:00
LogText "Result: repoquery plugin not installed."
2016-01-25 13:43:05 +01:00
fi
fi
2016-01-25 13:18:59 +01:00
#
#################################################################################
2015-05-27 12:35:56 +02:00
#
# Test : PKGS-7366
# Description : Checking if debsecan is installed and enabled on Debian systems
2019-07-16 13:20:30 +02:00
if [ -n "${DEBSECANBINARY}" -a "${OS}" = "Linux" -a "${LINUX_VERSION}" = "Debian" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no "PKGS-7366" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for debsecan utility"
2015-05-27 12:35:56 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2019-07-16 13:20:30 +02:00
if [ -n "${DEBSECANBINARY}" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: debsecan utility is installed"
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- debsecan utility" --result "${STATUS_FOUND}" --color GREEN
2015-05-27 12:35:56 +02:00
AddHP 3 3
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="debsecan"
2016-09-26 12:05:30 +02:00
FIND=$(${FINDBINARY} ${ROOTDIR}etc/cron* -name debsecan)
2019-07-16 13:20:30 +02:00
if [ -n "${FIND}" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: cron job is configured for debsecan"
2016-06-18 11:14:01 +02:00
Display --indent 6 --text "- debsecan cron job" --result "${STATUS_FOUND}" --color GREEN
2015-05-27 12:35:56 +02:00
AddHP 3 3
2016-09-26 12:05:30 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: no cron job is configured for debsecan"
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- debsecan cron job" --result "${STATUS_NOT_FOUND}" --color YELLOW
2015-05-27 12:35:56 +02:00
AddHP 1 3
ReportSuggestion ${TEST_NO} "Check debsecan cron job and ensure it is enabled"
fi
2016-09-26 12:05:30 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: debsecan is not installed."
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- debsecan utility" --result "${STATUS_NOT_FOUND}" --color YELLOW
2015-05-27 12:35:56 +02:00
AddHP 0 2
ReportSuggestion ${TEST_NO} "Install debsecan to check for vulnerabilities on installed packages."
fi
fi
#
#################################################################################
2014-12-05 19:43:35 +01:00
#
# Test : PKGS-7370
2015-05-27 12:35:56 +02:00
# Description : Checking debsums installation status and presence in cron job
# Note : Run this only when it is a DPKG based system
2019-07-16 13:20:30 +02:00
if [ -n "${DPKGBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no "PKGS-7370" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for debsums utility"
2015-05-27 12:35:56 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2019-07-16 13:20:30 +02:00
if [ -n "${DEBSUMSBINARY}" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: debsums utility is installed"
2016-06-18 11:14:01 +02:00
Display --indent 4 --text "- debsums utility" --result "${STATUS_FOUND}" --color GREEN
2015-05-27 12:35:56 +02:00
AddHP 1 1
# Check in /etc/cron.hourly, daily, weekly, monthly etc
2017-03-06 08:41:21 +01:00
COUNT=$(find /etc/cron* -name debsums | wc -l)
2015-05-27 12:35:56 +02:00
if [ ${COUNT} -gt 0 ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: Cron job is configured for debsums utility."
2016-06-18 11:14:01 +02:00
Display --indent 6 --text "- Cron job for debsums" --result "${STATUS_FOUND}" --color GREEN
2015-05-27 12:35:56 +02:00
AddHP 3 3
2016-09-26 12:05:30 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: Cron job is not configured for debsums utility."
2016-06-18 11:14:01 +02:00
Display --indent 6 --text "- Cron job for debsums" --result "${STATUS_NOT_FOUND}" --color YELLOW
2015-05-27 12:35:56 +02:00
AddHP 1 3
2019-09-21 16:31:06 +02:00
ReportSuggestion "${TEST_NO}" "Check debsums configuration and enable checking regularly via a cron job."
2015-05-27 12:35:56 +02:00
fi
2016-09-26 12:05:30 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: debsums utility is not installed."
2015-05-27 12:35:56 +02:00
AddHP 0 2
ReportSuggestion ${TEST_NO} "Install debsums utility for the verification of packages with known good database."
fi
fi
2014-12-05 19:43:35 +01:00
#
#################################################################################
2014-08-26 17:33:55 +02:00
#
# Test : PKGS-7378
# Description : Query FreeBSD portmaster for available port upgrades
2017-04-23 20:06:54 +02:00
if [ -x ${ROOTDIR}usr/local/sbin/portmaster ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no PKGS-7378 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query portmaster for port upgrades"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2017-04-30 17:59:35 +02:00
COUNT=0
2015-12-21 21:17:15 +01:00
LogText "Test: Querying portmaster for possible port upgrades"
2017-04-23 20:06:54 +02:00
UPACKAGES=$(${ROOTDIR}usr/local/sbin/portmaster -L | ${GREPBINARY} "version available" | ${AWKBINARY} '{ print $5 }')
2017-04-30 17:59:35 +02:00
for PKG in ${UPACKAGES}; do
COUNT=$((COUNT + 1))
LogText "Upgrade available (new version): ${PKG}"
Report "upgrade_available[]=${PKG}"
2014-08-26 17:33:55 +02:00
done
2017-04-30 17:59:35 +02:00
Report "upgrade_available_count=${COUNT}"
if [ ${COUNT} -eq 0 ]; then
LogText "Result: no updates found"
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking portmaster for updates" --result "${STATUS_NONE}" --color GREEN
2017-04-23 20:06:54 +02:00
else
2017-04-30 17:59:35 +02:00
LogText "Result: found ${COUNT} updates"
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking portmaster for updates" --result "${STATUS_FOUND}" --color YELLOW
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
#
# Test : PKGS-7380
# Description : Check for vulnerable NetBSD packages (with pkg_admin)
2016-07-24 17:22:00 +02:00
Register --test-no PKGS-7380 --os NetBSD --weight L --network NO --category security --description "Check for vulnerable NetBSD packages"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2017-04-30 17:59:35 +02:00
if [ -x ${ROOTDIR}usr/sbin/pkg_admin ]; then
2015-04-17 15:50:46 +02:00
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="pkg_admin audit"
2017-08-19 10:53:25 +02:00
if [ -f ${ROOTDIR}var/db/pkg/pkg-vulnerabilities ]; then
2017-04-30 17:59:35 +02:00
FIND=$(${ROOTDIR}usr/sbin/pkg_admin audit)
2017-04-23 20:06:54 +02:00
if [ -z "${FIND}" ]; then
2016-10-15 15:38:06 +02:00
LogText "Result: pkg_admin audit results are clean"
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking pkg_admin audit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN
2016-09-26 12:05:30 +02:00
AddHP 10 10
else
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking pkg_admin audit to obtain vulnerable packages" --result "${STATUS_WARNING}" --color RED
2015-12-21 21:17:15 +01:00
LogText "Result: pkg_admin audit found one or more installed packages which are vulnerable."
2016-08-10 07:13:38 +02:00
ReportWarning ${TEST_NO} "Found one or more vulnerable packages."
2015-12-21 21:17:15 +01:00
LogText "List of vulnerable packages/version:"
2017-04-30 17:59:35 +02:00
for I in $(${ROOTDIR}usr/sbin/pkg_admin audit | ${AWKBINARY} '{ print $2 }' | ${SORTBINARY} -u); do
2015-10-21 21:45:53 +02:00
VULNERABLE_PACKAGES_FOUND=1
2015-12-21 21:17:15 +01:00
Report "vulnerable_package[]=${I}"
LogText "Vulnerable package: ${I}"
2014-12-05 19:43:35 +01:00
# Decrease hardening points for every found vulnerable package
AddHP 1 2
done
fi
2016-09-26 12:05:30 +02:00
else
2014-12-05 19:43:35 +01:00
ReportSuggestion "${TEST_NO}" "Fetch the package database with pkg_admin fetch-pkg-vulnerabilities"
AddHP 0 2
2014-08-26 17:33:55 +02:00
fi
2016-09-26 12:05:30 +02:00
else
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- pkg_admin audit not installed" --result "${STATUS_NOT_FOUND}" --color WHITE
2015-12-21 21:17:15 +01:00
LogText "Result: pkg_admin audit not installed, skipping this vulnerability test."
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
#
# Test : PKGS-7381
# Description : Check for vulnerable FreeBSD packages (with pkg)
2016-10-15 16:12:49 +02:00
# Notes : Related vulnerability file is /var/db/pkg/vuln.xml
# TODO : Run this in any jail
2019-07-16 13:20:30 +02:00
if [ -n "${PKG_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="pkg tool not available"; fi
2016-09-22 14:47:06 +02:00
Register --test-no PKGS-7381 --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Check for vulnerable FreeBSD packages with pkg"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2016-09-22 14:47:06 +02:00
COUNT=0
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="pkg audit"
2016-10-15 16:38:33 +02:00
if [ -f ${ROOTDIR}var/db/pkg/vuln.xml ]; then
2017-03-09 12:27:38 +01:00
# Query pkg audit, with optional refresh of vulnerability data (-F)
if [ ${REFRESH_REPOSITORIES} -eq 1 ]; then
FIND=$(${PKG_BINARY} audit -F -q 2> /dev/null)
else
FIND=$(${PKG_BINARY} audit -q 2> /dev/null)
fi
2016-10-15 16:38:33 +02:00
if [ $? -eq 0 ]; then
LogText "Result: pkg audit results are clean"
Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN
AddHP 10 10
elif [ $? -eq 1 ]; then
2019-07-16 13:20:30 +02:00
if [ -n "${FIND}" ]; then
2016-10-15 16:38:33 +02:00
VULNERABLE_PACKAGES_FOUND=1
Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result "${STATUS_FOUND}" --color YELLOW
for ITEM in ${FIND}; do
COUNT=$((COUNT + 1))
Report "vulnerable_package[]=${ITEM}"
LogText "Vulnerable package: ${ITEM}"
AddHP 1 2
done
2017-03-09 12:32:32 +01:00
ReportWarning ${TEST_NO} "Found vulnerable packages" "${COUNT} vulnerable packages" "text:Run pkg audit"
2016-10-15 16:38:33 +02:00
else
LogText "Result: found an exit code greater than zero, yet no output"
fi
2016-09-22 14:47:06 +02:00
else
2016-10-15 16:38:33 +02:00
LogText "Result: exited with code $?"
ReportException "${TEST_NO}" "Found an unknown exit code for pkg audit. Please create an issue at ${PROJECT_SOURCE}"
2014-08-26 17:33:55 +02:00
fi
2016-10-15 16:12:49 +02:00
else
2016-10-15 16:38:33 +02:00
LogText "Result: could not find vulnerability database"
2017-06-14 14:06:18 +02:00
ReportWarning "${TEST_NO}" "No vulnerability database available" "pkg audit" "text:Run pkg audit -F"
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
#
# Test : PKGS-7382
# Description : Check for vulnerable FreeBSD packages
2015-01-03 12:45:22 +01:00
# Notes : Newer machines should use pkg audit instead of portaudit
2017-04-30 17:59:35 +02:00
if [ -x ${ROOTDIR}usr/local/sbin/portaudit ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no PKGS-7382 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for vulnerable FreeBSD packages with portaudit"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2016-09-26 12:05:30 +02:00
PACKAGE_AUDIT_TOOL_FOUND=1
2017-04-30 17:59:35 +02:00
FIND=$(${ROOTDIR}usr/local/sbin/portaudit | ${GREPBINARY} 'problem(s) in your installed packages found' | ${GREPBINARY} -v '0 problem(s) in your installed packages found')
2017-04-23 20:06:54 +02:00
if [ -z "${FIND}" ]; then
2016-09-26 12:05:30 +02:00
LogText "Result: Portaudit results are clean"
Display --indent 2 --text "- Checking portaudit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN
AddHP 10 10
else
Display --indent 2 --text "- Checking portaudit to obtain vulnerabilities" --result "${STATUS_WARNING}" --color RED
LogText "Result: Portaudit found one or more installed packages which are vulnerable."
ReportWarning ${TEST_NO} "Found one or more vulnerable packages."
ReportSuggestion ${TEST_NO} "Update your system with portupgrade or other tools"
LogText "List of vulnerable packages/version:"
2017-04-30 17:59:35 +02:00
for PKG in $(${ROOTDIR}usr/local/sbin/portaudit | ${GREPBINARY} "Affected package" | ${CUTBINARY} -d ' ' -f3 | ${SORTBINARY} -u); do
2016-09-26 12:05:30 +02:00
VULNERABLE_PACKAGES_FOUND=1
2017-04-30 17:59:35 +02:00
Report "vulnerable_package[]=${PKG}"
LogText "Vulnerable package: ${PKG}"
2016-09-26 12:05:30 +02:00
# Decrease hardening points for every found vulnerable package
AddHP 1 2
done
fi
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : PKGS-7383
# Description : Check for YUM package Update management
2016-01-25 13:43:05 +01:00
# Notes : Skip if DNF is used as package manager
2019-07-16 13:20:30 +02:00
if [ -n "${YUMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-31 15:51:34 +02:00
Register --test-no PKGS-7383 --preqs-met ${PREQS_MET} --os Linux --weight M --network NO --category security --description "Check for YUM package update management"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2015-12-21 21:17:15 +01:00
LogText "Test: YUM package update management"
2018-10-05 10:23:19 +02:00
FIND=$(${YUMBINARY} repolist 2>/dev/null | ${GREPBINARY} repolist | ${SEDBINARY} 's/[[:blank:]]//g' | ${SEDBINARY} 's/[,.]//g' | ${AWKBINARY} -F ":" '{print $2}' | ${EGREPBINARY} "^[0-9]+$")
2016-07-31 15:51:34 +02:00
if [ -z "${FIND}" -o "${FIND}" = "0" ]; then
LogText "Result: YUM package update management failed"
Display --indent 2 --text "- YUM package management consistency" --result "${STATUS_WARNING}" --color RED
ReportWarning ${TEST_NO} "YUM is not properly configured or registered for this platform (no repolist found)"
2014-08-26 17:33:55 +02:00
else
2016-07-31 15:51:34 +02:00
LogText "Result: YUM repository available (${FIND})"
Display --indent 2 --text "- YUM package management consistency" --result "${STATUS_OK}" --color GREEN
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
#
# Test : PKGS-7384
# Description : Search for YUM utils package
2019-07-16 13:20:30 +02:00
if [ -n "${YUMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no PKGS-7384 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --category security --description "Check for YUM utils package"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2018-02-19 15:01:59 +01:00
# package-cleanup tool can be found in different locations
if [ -x ${ROOTDIR}bin/package-cleanup -o -x ${ROOTDIR}usr/bin/package-cleanup ]; then
LogText "Result: found YUM utils package (package-cleanup)"
2014-08-26 17:33:55 +02:00
# Check for duplicates
2015-12-21 21:17:15 +01:00
LogText "Test: Checking for duplicate packages"
2018-02-19 15:01:59 +01:00
FIND=$(package-cleanup -q --dupes > /dev/null; echo $?)
2014-08-26 17:33:55 +02:00
if [ "${FIND}" = "0" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: No duplicate packages found"
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking package database duplicates" --result "${STATUS_OK}" --color GREEN
2016-09-26 12:05:30 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: One or more duplicate packages found"
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking package database duplicates" --result "${STATUS_WARNING}" --color RED
2016-08-10 07:24:10 +02:00
ReportWarning ${TEST_NO} "Found one or more duplicate packages installed"
2014-08-26 17:33:55 +02:00
ReportSuggestion ${TEST_NO} "Run package-cleanup to solve duplicate package problems"
fi
# Check for package database problems
2015-12-21 21:17:15 +01:00
LogText "Test: Checking for database problems"
2018-02-19 15:01:59 +01:00
FIND=$(package-cleanup --problems > /dev/null; echo $?)
2014-08-26 17:33:55 +02:00
if [ "${FIND}" = "0" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: No package database problems found"
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking package database for problems" --result "${STATUS_OK}" --color GREEN
2016-09-26 12:05:30 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: One or more problems found in package database"
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking package database for problems" --result "${STATUS_WARNING}" --color RED
2016-08-10 07:24:10 +02:00
ReportWarning ${TEST_NO} "Found one or more problems in the package database"
2014-08-26 17:33:55 +02:00
ReportSuggestion ${TEST_NO} "Run package-cleanup to solve package problems"
fi
2016-09-26 12:05:30 +02:00
else
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- yum-utils package not installed" --result "${STATUS_SUGGESTION}" --color YELLOW
2015-12-21 21:17:15 +01:00
LogText "Result: YUM utils package not found"
2014-08-26 17:33:55 +02:00
ReportSuggestion ${TEST_NO} "Install package 'yum-utils' for better consistency checking of the package database"
fi
fi
#
#################################################################################
#
# Test : PKGS-7386
# Description : Search for YUM security package
# Notes : This test does not apply to CentOS and clones, as --security is not available
2015-11-18 15:57:33 +01:00
# : RHEL 7: plugin default installed
# : RHEL 6: yum-security-plugin (plugin)
# : RHEL 5: yum-security (plugin)
2017-04-23 20:06:54 +02:00
if [ -x ${ROOTDIR}usr/bin/yum -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no PKGS-7386 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --category security --description "Check for YUM security package"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
DO_TEST=0
2015-12-21 21:17:15 +01:00
LogText "Test: Determining if yum-security package installed"
2014-08-26 17:33:55 +02:00
2014-10-13 20:36:09 +02:00
# Check for built-in --security option
if [ ${DO_TEST} -eq 0 ]; then
2017-04-23 20:06:54 +02:00
FileExists ${ROOTDIR}usr/share/yum-cli/cli.py
2014-10-13 20:36:09 +02:00
if [ ${FILE_FOUND} -eq 1 ]; then
2019-07-10 19:35:51 +02:00
if SearchItem "\-\-security" "${ROOTDIR}usr/share/yum-cli/cli.py"; then
2016-09-26 12:05:30 +02:00
DO_TEST=1
LogText "Result: found built-in security in yum"
else
2017-04-23 20:06:54 +02:00
LogText "Result: did not find --security in ${ROOTDIR}usr/share/yum-cli/cli.py"
2016-09-26 12:05:30 +02:00
fi
2014-10-13 20:36:09 +02:00
fi
fi
if [ ${DO_TEST} -eq 0 ]; then
2017-04-23 20:06:54 +02:00
FileExists ${ROOTDIR}etc/yum/pluginconf.d/security.conf
2014-10-13 20:36:09 +02:00
if [ ${FILE_FOUND} -eq 1 ]; then
2019-07-10 19:35:51 +02:00
if SearchItem "^enabled=1$" "${ROOTDIR}etc/yum/pluginconf.d/security.conf"; then
2016-09-26 12:05:30 +02:00
DO_TEST=1
LogText "Result: found enabled plugin"
else
2017-04-23 20:06:54 +02:00
LogText "Result: plugin NOT enabled in ${ROOTDIR}etc/yum/pluginconf.d/security.conf"
2016-09-26 12:05:30 +02:00
fi
2014-10-13 20:36:09 +02:00
fi
fi
# Check if it's installed as package (this is old style)
if [ ${DO_TEST} -eq 0 ]; then
2017-03-06 08:41:21 +01:00
FIND=$(rpm -q yum-security yum-plugin-security | ${GREPBINARY} -v "not installed")
2019-07-16 13:20:30 +02:00
if [ -n "${FIND}" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: found yum-plugin-security package"
2014-10-13 20:36:09 +02:00
DO_TEST=1
fi
2014-08-26 17:33:55 +02:00
fi
2014-10-13 20:36:09 +02:00
# If we have the module of yum active, continue testing
2014-08-26 17:33:55 +02:00
if [ ${DO_TEST} -eq 1 ]; then
2015-04-17 15:50:46 +02:00
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="yum-security"
2015-12-21 21:17:15 +01:00
LogText "Test: Checking for vulnerable packages"
2017-04-23 20:06:54 +02:00
FIND2=$(${ROOTDIR}usr/bin/yum list-sec security | ${AWKBINARY} '{ if($2=="security" || $2~"Sec") print $3","$5 }')
if [ -z "${FIND2}" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: no vulnerable packages found"
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking missing security packages" --result "${STATUS_OK}" --color GREEN
2016-09-26 12:05:30 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: found vulnerable package(s)"
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking missing security packages" --result "${STATUS_WARNING}" --color RED
2014-08-26 17:33:55 +02:00
for I in ${FIND2}; do
2015-10-21 21:45:53 +02:00
VULNERABLE_PACKAGES_FOUND=1
2015-12-21 21:17:15 +01:00
Report "vulnerable_package[]=${I}"
LogText "Vulnerable package: ${I}"
2014-08-26 17:33:55 +02:00
AddHP 1 2
done
2016-08-10 07:13:38 +02:00
ReportWarning ${TEST_NO} "Found one or more vulnerable packages."
2014-08-26 17:33:55 +02:00
fi
2016-09-26 12:05:30 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: yum-security package not found"
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking missing security packages" --result "${STATUS_SKIPPED}" --color YELLOW
2014-08-26 17:33:55 +02:00
ReportSuggestion ${TEST_NO} "Install package yum-plugin-security if possible, to maintain security updates easier (yum install yum-plugin-security)"
fi
fi
#
#################################################################################
#
# Test : PKGS-7387
# Description : Search for YUM GPG check
2017-04-30 17:59:35 +02:00
if [ -x ${ROOTDIR}usr/bin/yum -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no PKGS-7387 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --category security --description "Check for GPG signing in YUM security package"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2019-07-16 13:20:30 +02:00
if [ -n "${PYTHONBINARY}" ]; then
2017-03-13 19:53:56 +01:00
LogText "Test: checking enabled repositories"
2017-11-08 19:20:20 +01:00
REPOS=$(${PYTHONBINARY} -c 'import yum ; yb = yum.YumBase() ; yb.conf ; print [(r.id + "=" + str(r.gpgcheck)) for r in yb.repos.listEnabled()]' | ${GREPBINARY} "^\[" | ${TRBINARY} -d '[] ' | ${TRBINARY} -d "'" | ${SEDBINARY} 's/,/ /g')
2017-03-13 19:53:56 +01:00
if [ -z "${REPOS}" ]; then LogText "Result: found no repositories"; fi
2017-03-13 19:47:06 +01:00
for I in ${REPOS}; do
REPO=$(echo ${I} | ${AWKBINARY} -F= '{print $1}')
GPGSIGNED=$(echo ${I} | ${AWKBINARY} -F= '{print $2}')
if [ "${GPGSIGNED}" = "False" ]; then
LogText "Result: software repository '${REPO}' is NOT signed"
Report "software_repository_unsigned[]=${REPO}"
AddHP 3 4
elif [ "${GPGSIGNED}" = "True" ]; then
LogText "Result: software repository '${REPO}' is signed"
AddHP 4 4
else
LogText "Result: unknown status for repository (data: ${I})"
fi
done
fi
2014-08-26 17:33:55 +02:00
FOUND=0
2017-04-30 17:59:35 +02:00
FileExists ${ROOTDIR}etc/yum.conf
2014-08-26 17:33:55 +02:00
if [ ${FILE_FOUND} -eq 1 ]; then
2019-07-10 19:35:51 +02:00
if SearchItem "^gpgenabled\s*=\s*1$" "${ROOTDIR}etc/yum.conf"; then FOUND=1; fi
if SearchItem "^gpgcheck\s*=\s*1$" "${ROOTDIR}etc/yum.conf"; then FOUND=1; fi
2016-09-26 12:05:30 +02:00
if [ ${FOUND} -eq 1 ]; then
LogText "Result: GPG check is enabled"
Display --indent 2 --text "- Checking GPG checks (yum.conf)" --result "${STATUS_OK}" --color GREEN
2017-04-30 17:59:35 +02:00
AddHP 3 3
2016-09-26 12:05:30 +02:00
else
Display --indent 2 --text "- Checking GPG checks (yum.conf)" --result "${STATUS_DISABLED}" --color RED
ReportWarning ${TEST_NO} "No GPG signing option found in yum.conf"
2017-04-30 17:59:35 +02:00
AddHP 2 3
2016-09-26 12:05:30 +02:00
fi
2014-08-26 17:33:55 +02:00
fi
2016-09-26 12:05:30 +02:00
fi
2014-08-26 17:33:55 +02:00
#
#################################################################################
#
# Test : PKGS-7388
# Description : Check security repository in Debian/ubuntu apt sources.list file
2017-04-23 20:06:54 +02:00
if [ -f ${ROOTDIR}etc/apt/sources.list -a -d ${ROOTDIR}etc/apt/sources.list.d ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no PKGS-7388 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check security repository in Debian/ubuntu apt sources.list file"
2014-08-26 17:33:55 +02:00
if [ $SKIPTEST -eq 0 ]; then
FOUND=0
2016-07-30 16:40:44 +02:00
if [ ${OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY} -eq 0 ]; then
2017-04-23 20:06:54 +02:00
if [ -f ${ROOTDIR}etc/apt/sources.list ]; then
2015-12-21 21:17:15 +01:00
LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list file"
2019-03-07 10:03:11 +01:00
FIND=$(${EGREPBINARY} "security.debian.org|security.ubuntu.com|security/? " ${ROOTDIR}etc/apt/sources.list | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g')
2019-07-16 13:20:30 +02:00
if [ -n "${FIND}" ]; then
2014-09-15 11:17:26 +02:00
FOUND=1
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking security repository in sources.list file" --result "${STATUS_OK}" --color GREEN
2017-04-23 20:06:54 +02:00
LogText "Result: Found security repository in ${ROOTDIR}etc/apt/sources.list"
2016-07-30 16:40:44 +02:00
for REPO in ${FIND}; do
2016-09-08 21:04:17 +02:00
REPO=$(echo ${REPO} | ${SEDBINARY} 's/!space!/ /g')
2016-07-30 16:40:44 +02:00
LogText "Output: ${REPO}"
2014-09-15 11:17:26 +02:00
done
2014-08-26 17:33:55 +02:00
fi
2014-09-15 11:17:26 +02:00
fi
if [ -d /etc/apt/sources.list.d ]; then
2015-12-21 21:17:15 +01:00
LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list.d directory"
2019-03-07 10:03:11 +01:00
FIND=$(${EGREPBINARY} -r "security.debian.org|security.ubuntu.com|security/? " /etc/apt/sources.list.d | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g')
2019-07-16 13:20:30 +02:00
if [ -n "${FIND}" ]; then
2014-09-15 11:17:26 +02:00
FOUND=1
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking security repository in sources.list.d directory" --result "${STATUS_OK}" --color GREEN
2015-12-21 21:17:15 +01:00
LogText "Result: Found security repository in one or more files in directory /etc/apt/sources.list.d"
2016-07-30 16:40:44 +02:00
for REPO in ${FIND}; do
2016-09-08 21:04:17 +02:00
REPO=$(echo ${REPO} | ${SEDBINARY} 's/!space!/ /g')
2016-07-30 16:40:44 +02:00
LogText "Output: ${REPO}"
2014-09-15 11:17:26 +02:00
done
2014-08-26 17:33:55 +02:00
fi
2014-09-15 11:17:26 +02:00
fi
if [ ${FOUND} -eq 1 ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: security repository was found"
2014-09-15 11:17:26 +02:00
AddHP 3 3
2016-07-30 16:40:44 +02:00
else
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking security repository in sources.list file or directory" --result "${STATUS_WARNING}" --color RED
2016-08-10 07:13:38 +02:00
ReportWarning ${TEST_NO} "Can't find any security repository in /etc/apt/sources.list or sources.list.d directory"
2014-09-15 11:17:26 +02:00
AddHP 0 3
2014-08-26 17:33:55 +02:00
fi
2016-07-30 16:40:44 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Skipped as option is set to ignore security repository"
2014-08-26 17:33:55 +02:00
fi
2016-07-30 16:40:44 +02:00
unset FIND FOUND REPO
2014-08-26 17:33:55 +02:00
fi
#
#################################################################################
#
# Test : PKGS-7390
# Description : Check Ubuntu database consistency
2017-04-30 17:59:35 +02:00
if [ "${LINUX_VERSION}" = "Ubuntu" -a -x ${ROOTDIR}usr/bin/apt-get ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no PKGS-7390 --os Linux --preqs-met ${PREQS_MET} --root-only YES --weight L --network NO --category security --description "Check Ubuntu database consistency"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2015-12-21 21:17:15 +01:00
LogText "Test: Package database consistency by running apt-get check"
2017-04-30 17:59:35 +02:00
FIND=$(${ROOTDIR}usr/bin/apt-get -q=2 check 2> /dev/null; echo $?)
2014-08-26 17:33:55 +02:00
if [ "${FIND}" = "0" ]; then
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking APT package database" --result "${STATUS_OK}" --color GREEN
2015-12-21 21:17:15 +01:00
LogText "Result: package database seems to be consistent."
2016-09-26 12:05:30 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: package database is most likely NOT consistent"
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking APT package database" --result "${STATUS_WARNING}" --color RED
2016-08-10 07:13:38 +02:00
ReportWarning ${TEST_NO} "apt-get check returned a non successful exit code."
2014-08-26 17:33:55 +02:00
ReportSuggestion ${TEST_NO} "Run apt-get to perform a manual package database consistency check."
fi
fi
#
#################################################################################
#
# Test : PKGS-7392
# Description : Check Debian/Ubuntu vulnerable packages
2019-04-17 15:26:43 +02:00
# Note : Skip for zypper-based systems
if [ -x ${ROOTDIR}usr/bin/apt-get -a -z "${ZYPPERBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no PKGS-7392 --os Linux --preqs-met ${PREQS_MET} --root-only YES --weight L --network YES --category security --description "Check for Debian/Ubuntu security updates"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
VULNERABLE_PACKAGES_FOUND=0
SCAN_PERFORMED=0
2016-03-14 00:02:18 +01:00
# If apt-get is installed, then it's a reasonable option for a Package Audit tool
# If apt-check exists, it will be preferred and will overwrite the PACKAGE_AUDIT_TOOL setting
PACKAGE_AUDIT_TOOL="apt-get"
PACKAGE_AUDIT_TOOL_FOUND=1
2014-08-26 17:33:55 +02:00
# Update the repository, outdated repositories don't give much information
2017-04-30 17:59:35 +02:00
if [ ${REFRESH_REPOSITORIES} -eq 1 ]; then
LogText "Action: updating package repository with apt-get"
${ROOTDIR}usr/bin/apt-get -q=2 update
LogText "Result: apt-get finished"
else
LogText "Result: using a possibly outdated repository, as updating is disabled via configuration"
fi
LogText "Test: Checking if ${ROOTDIR}usr/lib/update-notifier/apt-check exists"
if [ -x ${ROOTDIR}usr/lib/update-notifier/apt-check ]; then
2016-09-26 12:05:30 +02:00
PACKAGE_AUDIT_TOOL="apt-check"
2017-04-30 17:59:35 +02:00
LogText "Result: found ${ROOTDIR}usr/lib/update-notifier/apt-check"
2016-09-26 12:05:30 +02:00
LogText "Test: checking if any of the updates contain security updates"
# apt-check binary is a script and translated. Do not search for normal text strings, but use numbered output only
2017-04-30 17:59:35 +02:00
FIND=$(${ROOTDIR}usr/lib/update-notifier/apt-check 2>&1 | ${AWKBINARY} -F\; '{ print $2 }')
2016-09-26 12:05:30 +02:00
# Check if we get the proper line back and amount of security patches available
if [ -z "${FIND}" ]; then
LogText "Result: did not find security updates line"
ReportSuggestion ${TEST_NO} "Check if system is up-to-date, security updates test (apt-check) gives an unexpected result"
ReportException "${TEST_NO}:1" "Apt-check did not provide any result"
2014-08-26 17:33:55 +02:00
else
2016-09-26 12:05:30 +02:00
if [ "${FIND}" = "0" ]; then
LogText "Result: no vulnerable packages found via apt-check"
SCAN_PERFORMED=1
2014-08-26 17:33:55 +02:00
else
2016-09-26 12:05:30 +02:00
VULNERABLE_PACKAGES_FOUND=1
SCAN_PERFORMED=1
LogText "Result: found ${FIND} security updates via apt-check"
AddHP 0 25
fi
fi
else
2015-12-21 21:17:15 +01:00
LogText "Result: apt-check (update-notifier-common) not found"
2014-08-26 17:33:55 +02:00
fi
# Trying also with apt-get directly (does not always work, as updates are distributed on both -security and -updates)
# Show packages which would be upgraded and match 'security' in repository name
2017-04-23 20:06:54 +02:00
FIND=$(${ROOTDIR}usr/bin/apt-get --dry-run --show-upgraded upgrade 2> /dev/null | ${GREPBINARY} '-security' | ${GREPBINARY} "^Inst" | ${CUTBINARY} -d ' ' -f2 | ${SORTBINARY} -u)
2019-07-16 13:20:30 +02:00
if [ -n "${FIND}" ]; then
2014-08-26 17:33:55 +02:00
VULNERABLE_PACKAGES_FOUND=1
SCAN_PERFORMED=1
2015-12-21 21:17:15 +01:00
LogText "Result: found vulnerable package(s) via apt-get (-security channel)"
2015-04-17 15:50:46 +02:00
PACKAGE_AUDIT_TOOL="apt-get"
PACKAGE_AUDIT_TOOL_FOUND=1
2017-04-30 17:59:35 +02:00
for PKG in ${FIND}; do
LogText "Found vulnerable package: ${PKG}"
Report "vulnerable_package[]=${PKG}"
2014-08-26 17:33:55 +02:00
done
fi
if [ ${SCAN_PERFORMED} -eq 1 ]; then
if [ ${VULNERABLE_PACKAGES_FOUND} -eq 1 ]; then
2016-08-10 07:13:38 +02:00
ReportWarning ${TEST_NO} "Found one or more vulnerable packages."
2014-08-26 17:33:55 +02:00
ReportSuggestion ${TEST_NO} "Update your system with apt-get update, apt-get upgrade, apt-get dist-upgrade and/or unattended-upgrades"
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking vulnerable packages" --result "${STATUS_WARNING}" --color RED
2016-09-26 12:05:30 +02:00
else
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking vulnerable packages" --result "${STATUS_OK}" --color GREEN
2015-12-21 21:17:15 +01:00
LogText "Result: no vulnerable packages found"
2014-08-26 17:33:55 +02:00
fi
2016-09-26 12:05:30 +02:00
else
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking vulnerable packages (apt-get only)" --result "${STATUS_DONE}" --color GREEN
2015-12-21 21:17:15 +01:00
LogText "Result: test not fully executed (missing apt-check output)"
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
2014-09-23 22:48:20 +02:00
#
# Test : PKGS-7393
# Description : Check Gentoo vulnerable packages
2017-04-30 17:59:35 +02:00
if [ -x ${ROOTDIR}usr/bin/emerge-webrsync ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no PKGS-7393 --preqs-met ${PREQS_MET} --weight L --network YES --category security --description "Check for Gentoo vulnerable packages"
2014-09-23 22:48:20 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
VULNERABLE_PACKAGES_FOUND=0
SCAN_PERFORMED=0
# Update portage.
# Multiple ways to do this. Some require extra packages to be installed,
2015-09-07 17:35:07 +02:00
# others require potential firewall ports to be open, outbound. This is the
2014-09-23 22:48:20 +02:00
# "most friendly" way.
2016-08-11 10:01:29 +02:00
if [ ${REFRESH_REPOSITORIES} -eq 1 ]; then
LogText "Action: updating portage with emerge-webrsync"
2017-04-30 17:59:35 +02:00
${ROOTDIR}usr/bin/emerge-webrsync --quiet 2> /dev/null
2016-08-11 10:01:29 +02:00
LogText "Result: emerge-webrsync finished"
else
LogText "Result: using a possibly outdated repository, as updating is disabled"
fi
2017-04-30 17:59:35 +02:00
LogText "Test: checking if ${ROOTDIR}usr/bin/glsa-check exists"
if [ -x ${ROOTDIR}usr/bin/glsa-check ]; then
2015-04-17 15:50:46 +02:00
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="glsa-check"
2017-04-30 17:59:35 +02:00
LogText "Result: found ${ROOTDIR}usr/bin/glsa-check"
2015-12-21 21:17:15 +01:00
LogText "Test: checking if there are any vulnerable packages"
2014-09-23 22:48:20 +02:00
# glsa-check reports the GLSA date/ID string, not the vulnerable package.
2017-04-30 17:59:35 +02:00
FIND=$(${ROOTDIR}usr/bin/glsa-check -t all 2>&1 | ${GREPBINARY} -v "This system is affected by the following GLSAs:" | ${GREPBINARY} -v "This system is not affected by any of the listed GLSAs" | ${WCBINARY} -l)
2016-09-26 12:05:30 +02:00
if [ -z "${FIND}" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: unexpected result: wc should report 0 if no vulnerable packages are found."
LogText "Notes: Check if system is up-to-date, security updates check (glsa-check) gives and unexpected result"
2014-10-14 10:54:02 +02:00
ReportException "${TEST_NO}:1" "glsa-check did not provide any result, which is unexpected"
2016-09-26 12:05:30 +02:00
else
2014-09-23 22:48:20 +02:00
if [ "${FIND}" = "0" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result; no vulnerable packages found via glsa-check"
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking vulnerable packages (glsa-check)" --result "${STATUS_OK}" --color GREEN
2016-09-26 12:05:30 +02:00
else
2014-09-23 22:48:20 +02:00
VULNERABLE_PACKAGES_FOUND=1
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking vulnerable packages (glsa-check)" --result "${STATUS_FOUND}" --color RED
2015-12-21 21:17:15 +01:00
LogText "Result: found ${FIND} security updates with glsa-check"
2016-08-10 07:24:10 +02:00
ReportWarning "${TEST_NO}" "Found ${FIND} security update(s) with glsa-check."
2015-12-21 21:17:15 +01:00
LogText "Notes: Run 'glsa-check -t all' to see which GLSA(s) were identified."
2014-09-23 22:48:20 +02:00
AddHP 0 25
fi
fi
2017-04-30 17:59:35 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: glsa-check tool not found"
2014-09-25 19:10:58 +02:00
ReportSuggestion ${TEST_NO} "Use Emerge to install the gentoolkit package, which includes glsa-check tool for additional security checks."
2014-09-23 22:48:20 +02:00
fi
fi
#
#################################################################################
2014-08-26 17:33:55 +02:00
#
# Test : PKGS-7394
# Description : Check Ubuntu upgradeable packages
if [ "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
2016-07-24 17:22:00 +02:00
Register --test-no PKGS-7394 --os Linux --preqs-met ${PREQS_MET} --weight L --network YES --category security --description "Check for Ubuntu updates"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2017-04-30 17:59:35 +02:00
LogText "Test: checking ${ROOTDIR}usr/bin/apt-show-versions"
if [ -x ${ROOTDIR}usr/bin/apt-show-versions ]; then
LogText "Result: found ${ROOTDIR}usr/bin/apt-show-versions"
2015-12-21 21:17:15 +01:00
LogText "Test: Checking packages which can be upgraded via apt-show-versions"
2017-04-30 17:59:35 +02:00
FIND=$(${ROOTDIR}usr/bin/apt-show-versions -u | ${SEDBINARY} 's/ /!space!/g')
2016-09-26 12:05:30 +02:00
if [ -z "${FIND}" ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: no packages found which can be upgraded"
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking upgradeable packages" --result "${STATUS_NONE}" --color GREEN
2014-08-26 17:33:55 +02:00
AddHP 3 3
2016-09-26 12:05:30 +02:00
else
2015-12-21 21:17:15 +01:00
LogText "Result: found one or more packages which can be upgraded"
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking upgradeable packages" --result "${STATUS_FOUND}" --color YELLOW
2014-08-26 17:33:55 +02:00
# output: program/repository upgradeable from version X to Y
2016-09-26 12:05:30 +02:00
for ITEM in ${FIND}; do
ITEM=$(echo ${ITEM} | ${SEDBINARY} 's/!space!/ /g')
LogText "${ITEM}"
2014-08-26 17:33:55 +02:00
done
fi
2017-04-30 17:59:35 +02:00
else
LogText "Result: ${ROOTDIR}usr/bin/apt-show-versions not found"
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking upgradeable packages" --result "${STATUS_SKIPPED}" --color WHITE
2014-08-26 17:33:55 +02:00
ReportSuggestion ${TEST_NO} "Install package apt-show-versions for patch management purposes"
fi
fi
#
#################################################################################
#
# Test : PKGS-7398
# Description : Check package audit tool
2016-07-24 17:22:00 +02:00
Register --test-no PKGS-7398 --weight L --network YES --category security --description "Check for package audit tool"
2014-08-26 17:33:55 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
2015-12-21 21:17:15 +01:00
LogText "Test: checking for package audit tool"
2015-04-17 15:50:46 +02:00
if [ ${PACKAGE_AUDIT_TOOL_FOUND} -eq 0 ]; then
2016-06-18 11:14:01 +02:00
Display --indent 2 --text "- Checking package audit tool" --result "${STATUS_NONE}" --color RED
2014-08-26 17:33:55 +02:00
ReportSuggestion ${TEST_NO} "Install a package audit tool to determine vulnerable packages"
2015-12-21 21:17:15 +01:00
LogText "Result: no package audit tool found"
2017-04-30 17:59:35 +02:00
else
2014-09-15 12:01:09 +02:00
Display --indent 2 --text "- Checking package audit tool" --result INSTALLED --color GREEN
2015-04-17 15:50:46 +02:00
Display --indent 4 --text "Found: ${PACKAGE_AUDIT_TOOL}"
2015-12-21 21:17:15 +01:00
LogText "Result: found package audit tool: ${PACKAGE_AUDIT_TOOL}"
2014-08-26 17:33:55 +02:00
fi
fi
#
#################################################################################
#
2014-09-22 23:40:53 +02:00
# Description : HP-UX packages
2016-08-25 15:31:33 +02:00
# Notes : swlist -l fileset (|${GREPBINARY} patch) / print_manifest
2014-09-22 23:40:53 +02:00
#
#################################################################################
#
# Description : AIX patches
2017-04-30 17:59:35 +02:00
# Notes : ${ROOTDIR}usr/sbin/instfix -c -i | ${CUTBINARY} -d":" -f1
2014-09-22 23:40:53 +02:00
#
#################################################################################
#
2015-05-27 12:35:56 +02:00
# Test : PKGS-7410
# Description : Count number of installed kernel packages
2016-07-24 17:22:00 +02:00
Register --test-no PKGS-7410 --weight L --network NO --category security --description "Count installed kernel packages"
2015-05-27 12:35:56 +02:00
if [ ${SKIPTEST} -eq 0 ]; then
KERNELS=0
2019-03-29 12:22:20 +01:00
LogText "Test: Checking how many kernel packages are installed"
2019-07-16 13:20:30 +02:00
if [ -n "${DPKGBINARY}" ]; then
2019-10-20 19:55:34 +02:00
KERNEL_PKG_NAMES="linux-image-[0-9]|raspberrypi-kernel|pve-kernel-[0-9]"
KERNELS=$(${DPKGBINARY} -l 2> /dev/null | ${EGREPBINARY} "${KERNEL_PKG_NAMES}" | ${WCBINARY} -l)
2019-03-29 12:22:20 +01:00
if [ ${KERNELS} -eq 0 ]; then
LogText "Result: found no kernels from dpkg -l output, which is unexpected"
ReportException "KRNL-5840:2" "Could not find any kernel packages from DPKG output"
elif [ ${KERNELS} -gt 5 ]; then
LogText "Result: found more than 5 kernel packages on the system, which might indicate lack of regular cleanups"
ReportSuggestion "${TEST_NO}" "Remove any unneeded kernel packages" "${KERNELS} kernels" "text:validate dpkg -l output and perform cleanup with apt autoremove"
else
LogText "Result: found ${KERNELS} kernel packages on the system, which is fine"
fi
2019-07-16 13:20:30 +02:00
elif [ -n "${RPMBINARY}" ]; then
2016-09-26 12:05:30 +02:00
KERNELS=$(${RPMBINARY} -q kernel 2> /dev/null | ${WCBINARY} -l)
2015-05-27 12:35:56 +02:00
if [ ${KERNELS} -eq 0 ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: found no kernels from rpm -q kernel output, which is unexpected"
2015-05-27 12:35:56 +02:00
ReportException "KRNL-5840:1" "Could not find any kernel packages from RPM output"
elif [ ${KERNELS} -gt 5 ]; then
2015-12-21 21:17:15 +01:00
LogText "Result: found more than 5 kernel packages on the system, which might indicate lack of regular cleanups"
2015-05-27 12:35:56 +02:00
ReportSuggestion "${TEST_NO}" "Remove any unneeded kernel packages with package-cleanup utility (--old-kernels)"
else
2019-03-29 12:22:20 +01:00
LogText "Result: found ${KERNELS} kernel packages on the system, which is fine"
2015-05-27 12:35:56 +02:00
fi
fi
2019-03-29 12:22:20 +01:00
Report "installed_kernel_packages=${KERNELS}"
2015-05-27 12:35:56 +02:00
fi
#
#################################################################################
#
2019-03-29 12:53:13 +01:00
# Test : PKGS-7420
# Description : Detect toolkit to automatically download and apply upgrades
Register --test-no PKGS-7420 --weight L --network NO --category security --description "Detect toolkit to automatically download and apply upgrades"
if [ ${SKIPTEST} -eq 0 ]; then
UNATTENDED_UPGRADES_TOOLKIT=0
UNATTENDED_UPGRADES_TOOL=""
2019-03-30 13:31:03 +01:00
UNATTENDED_UPGRADES_OPTION_AVAILABLE=0
case "${OS}" in
"Linux")
case "${LINUX_VERSION}" in
"CentOS" | "Debian" | "Fedora" | "RHEL" | "Ubuntu")
UNATTENDED_UPGRADES_OPTION_AVAILABLE=1
# Test available tools for Linux
if [ -f "${ROOTDIR}bin/auter" ]; then
UNATTENDED_UPGRADES_TOOL="auter"
UNATTENDED_UPGRADES_TOOLKIT=1
LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}"
Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}"
fi
if [ -f "${ROOTDIR}sbin/yum-cron" ]; then
UNATTENDED_UPGRADES_TOOL="yum-cron"
UNATTENDED_UPGRADES_TOOLKIT=1
LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}"
Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}"
fi
if [ -f "${ROOTDIR}usr/bin/dnf-automatic" ]; then
UNATTENDED_UPGRADES_TOOL="dnf-automatic"
UNATTENDED_UPGRADES_TOOLKIT=1
LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}"
Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}"
fi
if [ -f "${ROOTDIR}usr/bin/unattended-upgrade" ]; then
UNATTENDED_UPGRADES_TOOL="unattended-upgrade"
UNATTENDED_UPGRADES_TOOLKIT=1
LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}"
Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}"
fi
;;
esac
;;
esac
if [ ${UNATTENDED_UPGRADES_OPTION_AVAILABLE} -eq 1 ]; then
if [ ${UNATTENDED_UPGRADES_TOOLKIT} -eq 1 ]; then
AddHP 5 5
Display --indent 2 --text "- Toolkit for automatic upgrades (${UNATTENDED_UPGRADES_TOOL})" --result "${STATUS_FOUND}" --color GREEN
else
AddHP 1 5
Display --indent 2 --text "- Toolkit for automatic upgrades" --result "${STATUS_NOTFOUND}" --color YELLOW
LogText "Result: no toolkit for automatic updates discovered"
ReportSuggestion "${TEST_NO}" "Consider using a tool to automatically apply upgrades"
fi
2019-03-29 12:53:13 +01:00
fi
2019-03-30 13:58:23 +01:00
Report "unattended_upgrade_option_available=${UNATTENDED_UPGRADES_OPTION_AVAILABLE}"
2019-03-29 12:53:13 +01:00
fi
#
#################################################################################
#
2016-04-28 12:31:57 +02:00
WaitForKeyPress
2014-08-26 17:33:55 +02:00
#
#================================================================================
2016-03-13 16:03:46 +01:00
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
