diff --git a/include/binaries b/include/binaries
index 6369885a..06ccd032 100644
--- a/include/binaries
+++ b/include/binaries
@@ -96,6 +96,7 @@
                 debsecan)              DEBSECANBINARY="${BINARY}";             logtext " Found known binary: debsecan (package vulnerability checking) - ${BINARY}" ;;
                 debsums)               DEBSUMSBINARY="${BINARY}";              logtext " Found known binary: debsums (package integrity checking) - ${BINARY}" ;;
                 dig)                   if [ -f ${BINARY} ]; then DIGFOUND=1; DIGBINARY=${BINARY}; logtext " Found known binary: dig (network/dns tool) - ${BINARY}"; fi ;;
+                dnf)                   DNFBINARY="${BINARY}";                  logtext " Found known binary: dnf (package manager) - ${BINARY}"; ;;
                 dnsdomainname)         DNSDOMAINNAMEFOUND=1; DNSDOMAINNAMEBINARY="${BINARY}"; logtext " Found known binary: dnsdomainname (DNS domain) - ${BINARY}" ;;
                 docker)                if [ -f ${BINARY} ]; then DOCKERBINARY="${BINARY}"; logtext " Found known binary: docker (container technology) - ${BINARY}"; fi ;;
                 domainname)            DOMAINNAMEFOUND=1; DOMAINNAMEBINARY="${BINARY}"; logtext " Found known binary: domainname (NIS domain) - ${BINARY}" ;;
diff --git a/include/tests_ports_packages b/include/tests_ports_packages
index 3237f7e7..2e121676 100644
--- a/include/tests_ports_packages
+++ b/include/tests_ports_packages
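Review bot: The added `dnf)` arm ends in `; ;;`, an empty command in front of the case terminator, whereas every neighbouring arm ends in `" ;;`; writing it as `logtext " Found known binary: dnf (package manager) - ${BINARY}" ;;` keeps the file's style consistent. Unlike the `dig)` and `docker)` arms it does not guard with `if [ -f ${BINARY} ]`, which is the same as `debsecan)` and `debsums)`; that is fine if the enclosing loop already ensures the path exists, but worth confirming, because `${DNFBINARY}` is later executed as a command in tests_ports_packages. The enclosing `case` starts and ends outside this hunk.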
@@ -374,6 +374,44 @@
 fi
 #
 #################################################################################
+#
+    # Test        : PKGS-7350
+    # Description : Use Dandified YUM
+    # Notes       : Possible replacement for YUM in the long term
+    if [ ! "${DNFBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+    Register --test-no "PKGS-7350" --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking for DNF utility and its output"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        LogText "Result: found DNF (Dandified YUM) utility"
+        PACKAGE_AUDIT_TOOL_FOUND=1
+        PACKAGE_AUDIT_TOOL="dnf"
+        SPACKAGES=`${DNFBINARY} -q list installed 2>&1 /dev/null | awk '{ if ($1!="Installed" && $1!="Last") {print $1","$2 }}'`
+        for J in ${SPACKAGES}; do
+            N=`expr ${N} + 1`
+            PACKAGE_NAME=`echo ${J} | cut -d ',' -f2`
+            PACKAGE_VERSION=`echo ${J} | cut -d ',' -f3`
+            LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
+            INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
+        done
+        Report "installed_packages=${N}"
+
+        # Check for security updates
+        LogText "Action: checking updateinfo for security updates"
+        FIND=`${DNFBINARY} -q updateinfo list sec | awk '{ if ($2=="security") {print $3}}'`
+        if [ ! "${FIND}" = "" ]; then
+            VULNERABLE_PACKAGES_FOUND=1
+            for PKG in ${FIND}; do
+                Report "vulnerable_package[]=${I}"
+                LogText "Vulnerable package: ${I}"
+                # Decrease hardening points for every found vulnerable package
+                AddHP 1 2
+            done
+        else
+            LogText "Result: no security updates found"
+            AddHP 5 5
+        fi
+    fi
+#
+#################################################################################
 #
 # Test        : PKGS-7366
 # Description : Checking if debsecan is installed and enabled on Debian systems
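Review bot: The `SPACKAGES=` command line does not discard stderr as intended, because `2>&1 /dev/null` hands `/dev/null` to dnf as a positional argument and merges stderr into the awk input; it should read `2>/dev/null`. The awk script prints exactly two comma-separated fields, yet the loop extracts them with `cut -d ',' -f2` and `-f3`, so PACKAGE_NAME receives the version and PACKAGE_VERSION is always empty; the fields should be `-f1` and `-f2`. In the security-update loop the iteration variable is `PKG`, but the Report and LogText lines expand `${I}`, so an empty or stale value is reported for every vulnerable package found. `N` is not initialised in this hunk before `expr ${N} + 1`, which errors when it is unset — presumably it is reset elsewhere in the file, but that is worth confirming, as is whether the `$2=="security"` match corresponds to the column layout that `dnf updateinfo list sec` actually prints.

```shell
        SPACKAGES=`${DNFBINARY} -q list installed 2>/dev/null | awk '{ if ($1!="Installed" && $1!="Last") {print $1","$2 }}'`
        for J in ${SPACKAGES}; do
            N=`expr ${N} + 1`
            PACKAGE_NAME=`echo ${J} | cut -d ',' -f1`
            PACKAGE_VERSION=`echo ${J} | cut -d ',' -f2`
            # … unchanged: LogText and INSTALLED_PACKAGES append …
        done
        # … unchanged: Report installed_packages, updateinfo query, FIND check …
            for PKG in ${FIND}; do
                Report "vulnerable_package[]=${PKG}"
                LogText "Vulnerable package: ${PKG}"
                # … unchanged: AddHP 1 2 …
            done
```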