tyler.durden/lynis
1
0
Fork 0
mirror of https://github.com/CISOfy/lynis.git synced 2025-04-08 17:15:25 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' into issue1376

Browse Source
This commit is contained in:
Michael Boelen 2024-05-14 11:50:07 +02:00 committed by GitHub
commit 240c2b1db4
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
66 changed files with 725 additions and 275 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -1,4 +1,5 @@
.bzr
.bzrignore
.DS_Store
custom.prf
*.swp

53
CHANGELOG.md
View File

@ -1,10 +1,57 @@
# Lynis Changelog
## Lynis 3.0.9 (not released yet)
## Lynis 3.1.2 (not released yet)
### Added
- Detection of Athena OS
- Detection of Open Source Media Center (OSMC)
### Changed
- DBS-1820 - added newer style format for Mongo authorization setting
- Extra check to verify if nanoseconds are supported by the date command
- Correction of software EOL database and inclusion of AIX entries
- DBS-1826 - PostgreSQL detection improved for AlmaLinux, Rocky Linux, and FreeBSD
---------------------------------------------------------------------------------
## Lynis 3.1.1 (2024-03-17)
### Added
- Detection of ArcoLinux
### Changed
- DBS-1882 - Redis configuration file path added for FreeBSD (/usr/local/etc/redis.conf)
- DBS-1882 - Check /snap directory location for Redis configuration file
---------------------------------------------------------------------------------
## Lynis 3.1.0 (2024-03-11)
### Added
- Translation: Indonesian
### Changed
- MALW-3280 - Correction to detect com.avast.daemon
- OS detection added for Guix System, macOS Ventura (13.x)/Sonoma (14.x), NXP LSDK, OpenEmbedded "nodistro", and The Yocto Projects distro "Poky"
- Updated Amazon Linux EOL dates and addition of Amazon Linux 2023
- STATUS_NOT_ACTIVE variable added to translation files
- End-of-life dates updated
- Fixing missing or erroneous test number comments
- Detection of SentinelOne corrected
- Wazuh for file integrity and tooling
- Updated parsing output of arch-audit
- Added support for SentinelOne detection
- Replacing deprecated option -i for xargs
- Path detection for PostgreSQL improved
---------------------------------------------------------------------------------
## Lynis 3.0.9 (2023-08-03)
### Changed
- DBS-1820 - Added newer style format for Mongo authorization setting
- FILE-6410 - Locations added for plocate
- SSH-7408 - Only test Compression if sshd version < 7.4
- Improved fetching timestamp
- Minor changes such as typos
---------------------------------------------------------------------------------

1
db/languages/az
View File

@ -82,6 +82,7 @@ STATUS_FOUND="Tapıldı"
#STATUS_MEDIUM="MEDIUM"
#STATUS_NON_DEFAULT="NON DEFAULT"
STATUS_NONE="Yox"
STATUS_NOT_ACTIVE="NOT ACTIVE"
#STATUS_NOT_CONFIGURED="NOT CONFIGURED"
#STATUS_NOT_DISABLED="NOT DISABLED"
#STATUS_NOT_ENABLED="NOT ENABLED"

1
db/languages/cn
View File

@ -83,6 +83,7 @@ STATUS_FOUND="找到"
#STATUS_MEDIUM="MEDIUM"
#STATUS_NON_DEFAULT="NON DEFAULT"
STATUS_NONE="没有"
STATUS_NOT_ACTIVE="NOT ACTIVE"
#STATUS_NOT_CONFIGURED="NOT CONFIGURED"
#STATUS_NOT_DISABLED="NOT DISABLED"
#STATUS_NOT_ENABLED="NOT ENABLED"

1
db/languages/da
View File

@ -83,6 +83,7 @@ STATUS_FOUND="FUNDET"
#STATUS_NON_DEFAULT="NON DEFAULT"
STATUS_NONE="INGEN"
STATUS_NO="NEJ"
STATUS_NOT_ACTIVE="NOT ACTIVE"
#STATUS_NOT_CONFIGURED="NOT CONFIGURED"
#STATUS_NOT_DISABLED="NOT DISABLED"
STATUS_NOT_ENABLED="IKKE AKTIVERET"

1
db/languages/de
View File

@ -84,6 +84,7 @@ STATUS_NO="NEIN"
STATUS_NO_UPDATE="KEINE AKTUALISIERUNG"
STATUS_NON_DEFAULT="NICHT STANDARD"
STATUS_NONE="NICHTS"
STATUS_NOT_ACTIVE="NOT ACTIVE"
STATUS_NOT_CONFIGURED="NICHT KONFIGURIERT"
STATUS_NOT_DISABLED="NICHT DEAKTIVIERT"
STATUS_NOT_ENABLED="NICHT AKTIVIERT"

1
db/languages/en
View File

@ -84,6 +84,7 @@ STATUS_NO="NO"
STATUS_NO_UPDATE="NO UPDATE"
STATUS_NON_DEFAULT="NON DEFAULT"
STATUS_NONE="NONE"
STATUS_NOT_ACTIVE="NOT ACTIVE"
STATUS_NOT_CONFIGURED="NOT CONFIGURED"
STATUS_NOT_DISABLED="NOT DISABLED"
STATUS_NOT_ENABLED="NOT ENABLED"

1
db/languages/es
View File

@ -85,6 +85,7 @@ STATUS_NO_UPDATE="SIN ACTUALIZACIÓN"
STATUS_NO="NO"
STATUS_NON_DEFAULT="NO POR DEFECTO"
STATUS_NONE="NINGUNO"
STATUS_NOT_ACTIVE="NOT ACTIVE"
STATUS_NOT_CONFIGURED="NO CONFIGURADO"
STATUS_NOT_DISABLED="NO DESHABILITADO"
STATUS_NOT_ENABLED="NO HABILITADO"

1
db/languages/fi
View File

@ -83,6 +83,7 @@ STATUS_FOUND="LÖYTYNYT"
STATUS_NO="EI"
#STATUS_NON_DEFAULT="NON DEFAULT"
STATUS_NONE="EI MITÄÄN"
STATUS_NOT_ACTIVE="NOT ACTIVE"
#STATUS_NOT_CONFIGURED="NOT CONFIGURED"
#STATUS_NOT_DISABLED="NOT DISABLED"
#STATUS_NOT_ENABLED="NOT ENABLED"

1
db/languages/fr
View File

@ -84,6 +84,7 @@ STATUS_NO="NON"
STATUS_NO_UPDATE="PAS DE MISE A JOUR"
STATUS_NON_DEFAULT="PAS PAR DÉFAUT"
STATUS_NONE="AUCUN"
STATUS_NOT_ACTIVE="NOT ACTIVE"
STATUS_NOT_CONFIGURED="NON CONFIGURÉ"
STATUS_NOT_DISABLED="NON DESACTIVÉ"
STATUS_NOT_ENABLED="NON ACTIVÉ"

1
db/languages/gr
View File

@ -82,6 +82,7 @@ STATUS_FOUND="ΒΡΕΘΗΚΕ"
#STATUS_MEDIUM="MEDIUM"
#STATUS_NON_DEFAULT="NON DEFAULT"
STATUS_NONE="ΚΑΝΕΝΑ"
STATUS_NOT_ACTIVE="NOT ACTIVE"
#STATUS_NOT_CONFIGURED="NOT CONFIGURED"
#STATUS_NOT_DISABLED="NOT DISABLED"
#STATUS_NOT_ENABLED="NOT ENABLED"

1
db/languages/he
View File

@ -82,6 +82,7 @@ STATUS_FOUND="נמצא"
#STATUS_MEDIUM="MEDIUM"
#STATUS_NON_DEFAULT="NON DEFAULT"
STATUS_NONE="אין כלל"
STATUS_NOT_ACTIVE="NOT ACTIVE"
#STATUS_NOT_CONFIGURED="NOT CONFIGURED"
#STATUS_NOT_DISABLED="NOT DISABLED"
#STATUS_NOT_ENABLED="NOT ENABLED"

1
db/languages/hu
View File

@ -83,6 +83,7 @@ STATUS_FOUND="FOUND"
#STATUS_NON_DEFAULT="NON DEFAULT"
STATUS_NO="NEM"
STATUS_NONE="NONE"
STATUS_NOT_ACTIVE="NOT ACTIVE"
#STATUS_NOT_CONFIGURED="NOT CONFIGURED"
#STATUS_NOT_DISABLED="NOT DISABLED"
#STATUS_NOT_ENABLED="NOT ENABLED"

107
db/languages/id Normal file
View File

@ -0,0 +1,107 @@
ERROR_NO_LICENSE="Tidak ada kunci lisensi yang dikonfigurasi"
ERROR_NO_UPLOAD_SERVER="Tidak ada server unggahan yang dikonfigurasi"
GEN_CHECKING="Memeriksa"
GEN_CURRENT_VERSION="Versi sekarang"
GEN_DEBUG_MODE="Debug mode"
GEN_INITIALIZE_PROGRAM="Inisialisasi program"
GEN_LATEST_VERSION="Versi terbaru"
GEN_PHASE="fase"
GEN_PLUGINS_ENABLED="Plugin diaktifkan"
GEN_UPDATE_AVAILABLE="update tersedia"
GEN_VERBOSE_MODE="Verbose mode"
GEN_WHAT_TO_DO="Apa yang harus dilakukan"
NOTE_EXCEPTIONS_FOUND="Pengecualian ditemukan"
NOTE_EXCEPTIONS_FOUND_DETAILED="Beberapa peristiwa atau informasi luar biasa ditemukan"
NOTE_PLUGINS_TAKE_TIME="Note: plugin memiliki pengujian yang lebih ekstensif dan mungkin memerlukan waktu beberapa menit untuk menyelesaikannya"
NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Tes yang dilewati karena mode non-istimewa"
#SECTION_ACCOUNTING="Accounting"
#SECTION_BANNERS_AND_IDENTIFICATION="Banners and identification"
#SECTION_BASICS="Basics"
#SECTION_BOOT_AND_SERVICES="Boot and services"
#SECTION_CONTAINERS="Containers"
#SECTION_CRYPTOGRAPHY="Cryptography"
SECTION_CUSTOM_TESTS="Tes kustom"
#SECTION_DATABASES="Databases"
#SECTION_DATA_UPLOAD="Data upload"
#SECTION_DOWNLOADS="Downloads"
#SECTION_EMAIL_AND_MESSAGING="Software: e-mail and messaging"
#SECTION_FILE_INTEGRITY="Software: file integrity"
#SECTION_FILE_PERMISSIONS="File Permissions"
#SECTION_FILE_SYSTEMS="File systems"
#SECTION_FIREWALLS="Software: firewalls"
#SECTION_GENERAL="General"
#SECTION_HARDENING="Hardening"
#SECTION_HOME_DIRECTORIES="Home directories"
#SECTION_IMAGE="Image"
#SECTION_INITIALIZING_PROGRAM="Initializing program"
#SECTION_INSECURE_SERVICES="Insecure services"
#SECTION_KERNEL_HARDENING="Kernel Hardening"
#SECTION_KERNEL="Kernel"
#SECTION_LDAP_SERVICES="LDAP Services"
#SECTION_LOGGING_AND_FILES="Logging and files"
SECTION_MALWARE="Software: Malware"
SECTION_MEMORY_AND_PROCESSES="Memory and Processes"
SECTION_NAME_SERVICES="Name services"
SECTION_NETWORKING="Networking"
SECTION_PERMISSIONS="Permissions"
SECTION_PORTS_AND_PACKAGES="Ports and packages"
SECTION_PRINTERS_AND_SPOOLS="Printers and Spools"
SECTION_PROGRAM_DETAILS="Program Details"
SECTION_SCHEDULED_TASKS="Scheduled tasks"
SECTION_SECURITY_FRAMEWORKS="Security frameworks"
SECTION_SHELLS="Shells"
SECTION_SNMP_SUPPORT="SNMP Support"
SECTION_SOFTWARE="Software"
SECTION_SQUID_SUPPORT="Squid Support"
SECTION_SSH_SUPPORT="SSH Support"
SECTION_STORAGE="Storage"
SECTION_SYSTEM_INTEGRITY="Software: System integrity"
SECTION_SYSTEM_TOOLING="Software: System tooling"
SECTION_SYSTEM_TOOLS="System tools"
SECTION_TIME_AND_SYNCHRONIZATION="Time and Synchronization"
SECTION_USB_DEVICES="USB Devices"
SECTION_USERS_GROUPS_AND_AUTHENTICATION="Users, Groups and Authentication"
SECTION_VIRTUALIZATION="Virtualization"
SECTION_WEBSERVER="Software: webserver"
STATUS_ACTIVE="ACTIVE"
STATUS_CHECK_NEEDED="CHECK NEEDED"
STATUS_DEBUG="DEBUG"
STATUS_DEFAULT="DEFAULT"
STATUS_DIFFERENT="DIFFERENT"
STATUS_DISABLED="DISABLED"
STATUS_DONE="DONE"
STATUS_ENABLED="ENABLED"
STATUS_ERROR="ERROR"
STATUS_EXPOSED="EXPOSED"
STATUS_FAILED="FAILED"
STATUS_FILES_FOUND="FILES FOUND"
STATUS_FOUND="FOUND"
STATUS_HARDENED="HARDENED"
STATUS_INSTALLED="INSTALLED"
STATUS_LOCAL_ONLY="LOCAL ONLY"
STATUS_MEDIUM="MEDIUM"
STATUS_NO="NO"
STATUS_NO_UPDATE="NO UPDATE"
STATUS_NON_DEFAULT="NON DEFAULT"
STATUS_NONE="NONE"
STATUS_NOT_CONFIGURED="NOT CONFIGURED"
STATUS_NOT_DISABLED="NOT DISABLED"
STATUS_NOT_ENABLED="NOT ENABLED"
STATUS_NOT_FOUND="NOT FOUND"
STATUS_NOT_RUNNING="NOT RUNNING"
STATUS_OFF="OFF"
STATUS_OK="OK"
STATUS_ON="ON"
STATUS_PARTIALLY_HARDENED="PARTIALLY HARDENED"
STATUS_PROTECTED="PROTECTED"
STATUS_RUNNING="RUNNING"
STATUS_SKIPPED="SKIPPED"
STATUS_SUGGESTION="SUGGESTION"
STATUS_UNKNOWN="UNKNOWN"
STATUS_UNSAFE="UNSAFE"
STATUS_UPDATE_AVAILABLE="UPDATE TERSEDIA"
STATUS_WARNING="WARNING"
STATUS_WEAK="WEAK"
STATUS_YES="YES"
TEXT_UPDATE_AVAILABLE="update tersedia"
TEXT_YOU_CAN_HELP_LOGFILE="Anda dapat membantu dengan memberikan file log Anda"

1
db/languages/it
View File

@ -83,6 +83,7 @@ STATUS_FOUND="TROVATO"
#STATUS_NON_DEFAULT="NON DEFAULT"
STATUS_NONE="NESSUNO"
STATUS_NO="NO"
STATUS_NOT_ACTIVE="NOT ACTIVE"
STATUS_NOT_CONFIGURED="NON CONFIGURATO"
#STATUS_NOT_DISABLED="NOT DISABLED"
#STATUS_NOT_ENABLED="NOT ENABLED"

1
db/languages/ja
View File

@ -83,6 +83,7 @@ STATUS_FOUND="見つかりました"
STATUS_NO="いいえ"
#STATUS_NON_DEFAULT="NON DEFAULT"
STATUS_NONE="なし"
STATUS_NOT_ACTIVE="NOT ACTIVE"
#STATUS_NOT_CONFIGURED="NOT CONFIGURED"
#STATUS_NOT_DISABLED="NOT DISABLED"
#STATUS_NOT_ENABLED="NOT ENABLED"

1
db/languages/ko
View File

@ -83,6 +83,7 @@ STATUS_FOUND="발견"
STATUS_NO="아니오"
#STATUS_NON_DEFAULT="NON DEFAULT"
STATUS_NONE="없음"
STATUS_NOT_ACTIVE="NOT ACTIVE"
#STATUS_NOT_CONFIGURED="NOT CONFIGURED"
#STATUS_NOT_DISABLED="NOT DISABLED"
#STATUS_NOT_ENABLED="NOT ENABLED"

1
db/languages/nb-NO
View File

@ -83,6 +83,7 @@ STATUS_FOUND="FUNNET"
#STATUS_NON_DEFAULT="NON DEFAULT"
STATUS_NO="NEI"
STATUS_NONE="INGEN"
STATUS_NOT_ACTIVE="NOT ACTIVE"
#STATUS_NOT_CONFIGURED="NOT CONFIGURED"
#STATUS_NOT_DISABLED="NOT DISABLED"
#STATUS_NOT_ENABLED="NOT ENABLED"

1
db/languages/nl
View File

@ -83,6 +83,7 @@ STATUS_FOUND="GEVONDEN"
#STATUS_NON_DEFAULT="NON DEFAULT"
STATUS_NO="NEE"
STATUS_NONE="GEEN"
STATUS_NOT_ACTIVE="NOT ACTIVE"
STATUS_NOT_CONFIGURED="NIET GECONFIGUREERD"
#STATUS_NOT_DISABLED="NOT DISABLED"
#STATUS_NOT_ENABLED="NOT ENABLED"

1
db/languages/pl
View File

@ -83,6 +83,7 @@
#STATUS_NON_DEFAULT="NON DEFAULT"
#STATUS_NONE="NONE"
#STATUS_NO="NO"
STATUS_NOT_ACTIVE="NOT ACTIVE"
#STATUS_NOT_CONFIGURED="NOT CONFIGURED"
#STATUS_NOT_DISABLED="NOT DISABLED"
#STATUS_NOT_ENABLED="NOT ENABLED"

1
db/languages/pt
View File

@ -83,6 +83,7 @@ STATUS_FOUND="ENCONTRADO"
STATUS_NO="NÃO"
#STATUS_NON_DEFAULT="NON DEFAULT"
STATUS_NONE="NENHUM"
STATUS_NOT_ACTIVE="NOT ACTIVE"
#STATUS_NOT_CONFIGURED="NOT CONFIGURED"
#STATUS_NOT_DISABLED="NOT DISABLED"
#STATUS_NOT_ENABLED="NOT ENABLED"

1
db/languages/ru
View File

@ -82,6 +82,7 @@ STATUS_LOCAL_ONLY="ТОЛЬКО ЛОКАЛЬНО"
STATUS_MEDIUM="СРЕДНИЙ"
STATUS_NON_DEFAULT="НЕ ПО УМОЛЧАНИЮ"
STATUS_NONE="Отсутствует"
STATUS_NOT_ACTIVE="NOT ACTIVE"
STATUS_NOT_CONFIGURED="НЕ СКОНФИГУРИРОВАНО"
STATUS_NOT_DISABLED="НЕ ОТКЛЮЧЕНО"
STATUS_NOT_ENABLED="НЕ ВКЛЮЧЕНО"

1
db/languages/se
View File

@ -83,6 +83,7 @@ STATUS_FOUND="HITTAD"
#STATUS_NON_DEFAULT="NON DEFAULT"
STATUS_NONE="INGEN"
STATUS_NO="NEJ"
STATUS_NOT_ACTIVE="NOT ACTIVE"
#STATUS_NOT_CONFIGURED="NOT CONFIGURED"
#STATUS_NOT_DISABLED="NOT DISABLED"
#STATUS_NOT_ENABLED="NOT ENABLED"

1
db/languages/sk
View File

@ -83,6 +83,7 @@ STATUS_FOUND="NÁJDENÉ"
#STATUS_NON_DEFAULT="NON DEFAULT"
STATUS_NONE="ŽIADNE"
STATUS_NO="NIE"
STATUS_NOT_ACTIVE="NOT ACTIVE"
#STATUS_NOT_CONFIGURED="NOT CONFIGURED"
#STATUS_NOT_DISABLED="NOT DISABLED"
#STATUS_NOT_ENABLED="NOT ENABLED"

171
db/languages/tr
View File

@ -1,107 +1,108 @@
ERROR_NO_LICENSE="Lisans anahtarı yapılandırılmamış"
ERROR_NO_UPLOAD_SERVER="Yükleme sunucusu yapılandırılmamış"
GEN_CHECKING="Kontrol ediyor"
GEN_CURRENT_VERSION="Mevcut Sürüm"
ERROR_NO_LICENSE="Lisans anahtarı yapılandırılmadı"
ERROR_NO_UPLOAD_SERVER="Yükleme sunucusu yapılandırılmadı"
GEN_CHECKING=" Denetleniyor"
GEN_CURRENT_VERSION="Geçerli sürüm"
GEN_DEBUG_MODE="Hata ayıklama modu"
GEN_INITIALIZE_PROGRAM="Program başlatılıyor"
GEN_LATEST_VERSION="Son sürüm"
GEN_PHASE="faz"
GEN_PLUGINS_ENABLED="Yapılandırılmış eklentiler"
GEN_UPDATE_AVAILABLE="güncelleme mevcut"
GEN_VERBOSE_MODE="Detay modu"
GEN_LATEST_VERSION="En son sürüm"
GEN_PHASE="evre"
GEN_PLUGINS_ENABLED="Etkinleştirilen eklentiler"
GEN_UPDATE_AVAILABLE="güncelleme var"
GEN_VERBOSE_MODE="Ayrıntılı mod"
GEN_WHAT_TO_DO="Yapılması gerekenler"
NOTE_EXCEPTIONS_FOUND_DETAILED="Bazı istisnai durumlar ve bilgiler bulundu"
NOTE_EXCEPTIONS_FOUND="İstisnalar bulundu"
NOTE_PLUGINS_TAKE_TIME="Not: eklentiler daha detaylı testler içermektedir ve tamamlanmaları uzun sürebilir"
NOTE_EXCEPTIONS_FOUND_DETAILED="Bazı istisnai olaylar veya bilgiler bulundu"
NOTE_PLUGINS_TAKE_TIME="Not: eklentiler daha kapsamlı testlere sahiptir ve tamamlanması birkaç dakika sürebilir"
NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Yetkisiz çalışma nedeniyle atlanan testler"
#SECTION_ACCOUNTING="Accounting"
#SECTION_BANNERS_AND_IDENTIFICATION="Banners and identification"
#SECTION_BASICS="Basics"
#SECTION_BOOT_AND_SERVICES="Boot and services"
#SECTION_CONTAINERS="Containers"
#SECTION_CRYPTOGRAPHY="Cryptography"
SECTION_ACCOUNTING="Hesaplama"
SECTION_BANNERS_AND_IDENTIFICATION="Afişler ve tanımlama"
SECTION_BASICS="Temel Bilgiler"
SECTION_BOOT_AND_SERVICES="Önyükleme ve hizmetler"
SECTION_CONTAINERS="Konteynerler"
SECTION_CRYPTOGRAPHY="Kriptografi"
SECTION_CUSTOM_TESTS="Özel testler"
#SECTION_DATABASES="Databases"
#SECTION_DATA_UPLOAD="Data upload"
#SECTION_DOWNLOADS="Downloads"
#SECTION_EMAIL_AND_MESSAGING="Software: e-mail and messaging"
#SECTION_FILE_INTEGRITY="Software: file integrity"
#SECTION_FILE_PERMISSIONS="File Permissions"
#SECTION_FILE_SYSTEMS="File systems"
#SECTION_FIREWALLS="Software: firewalls"
#SECTION_GENERAL="General"
#SECTION_HARDENING="Hardening"
#SECTION_HOME_DIRECTORIES="Home directories"
#SECTION_IMAGE="Image"
#SECTION_INITIALIZING_PROGRAM="Initializing program"
#SECTION_INSECURE_SERVICES="Insecure services"
#SECTION_KERNEL_HARDENING="Kernel Hardening"
#SECTION_KERNEL="Kernel"
#SECTION_LDAP_SERVICES="LDAP Services"
#SECTION_LOGGING_AND_FILES="Logging and files"
SECTION_MALWARE="Kötücül yazılım"
SECTION_MEMORY_AND_PROCESSES="Bellek ve Prosesler"
#SECTION_NAME_SERVICES="Name services"
#SECTION_NETWORKING="Networking"
#SECTION_PERMISSIONS="Permissions"
#SECTION_PORTS_AND_PACKAGES="Ports and packages"
#SECTION_PRINTERS_AND_SPOOLS="Printers and Spools"
#SECTION_PROGRAM_DETAILS="Program Details"
#SECTION_SCHEDULED_TASKS="Scheduled tasks"
#SECTION_SECURITY_FRAMEWORKS="Security frameworks"
#SECTION_SHELLS="Shells"
#SECTION_SNMP_SUPPORT="SNMP Support"
#SECTION_SOFTWARE="Software"
#SECTION_SQUID_SUPPORT="Squid Support"
#SECTION_SSH_SUPPORT="SSH Support"
#SECTION_STORAGE="Storage"
#SECTION_SYSTEM_INTEGRITY="Software: System integrity"
#SECTION_SYSTEM_TOOLING="Software: System tooling"
#SECTION_SYSTEM_TOOLS="System tools"
#SECTION_TIME_AND_SYNCHRONIZATION="Time and Synchronization"
#SECTION_USB_DEVICES="USB Devices"
#SECTION_USERS_GROUPS_AND_AUTHENTICATION="Users, Groups and Authentication"
#SECTION_VIRTUALIZATION="Virtualization"
#SECTION_WEBSERVER="Software: webserver"
#STATUS_ACTIVE="ACTIVE"
#STATUS_CHECK_NEEDED="CHECK NEEDED"
#STATUS_DEBUG="DEBUG"
#STATUS_DEFAULT="DEFAULT"
#STATUS_DIFFERENT="DIFFERENT"
STATUS_DISABLED="ETKİSİZLEŞTİRİLMİŞ"
SECTION_DATA_UPLOAD="Veri yükleme"
SECTION_DATABASES="Veri tabanları"
SECTION_DOWNLOADS="İndirilenler"
SECTION_EMAIL_AND_MESSAGING="Yazılım: e-posta ve mesajlaşma"
SECTION_FILE_INTEGRITY="Yazılım: dosya bütünlüğü"
SECTION_FILE_PERMISSIONS="Dosya izinleri"
SECTION_FILE_SYSTEMS="Dosya sistemleri"
SECTION_FIREWALLS="Yazılım: güvenlik duvarları"
SECTION_GENERAL="Genel"
SECTION_HARDENING="Sıkılaştırma"
SECTION_HOME_DIRECTORIES="Ev dizinleri"
SECTION_IMAGE="Kalıp"
SECTION_INITIALIZING_PROGRAM="Program başlatılıyor"
SECTION_INSECURE_SERVICES="Güvensiz hizmetler"
SECTION_KERNEL="Çekirdek"
SECTION_KERNEL_HARDENING="Çekirdek Sıkılaştırma"
SECTION_LDAP_SERVICES="LDAP Hizmetleri"
SECTION_LOGGING_AND_FILES="Günlük kaydı ve dosyalar"
SECTION_MALWARE="Yazılım: Kötü Amaçlı Yazılım"
SECTION_MEMORY_AND_PROCESSES="Bellek ve Süreçler"
SECTION_NAME_SERVICES="Ad hizmetleri"
SECTION_NETWORKING="Ağ İletişimi"
SECTION_PERMISSIONS="İzinler"
SECTION_PORTS_AND_PACKAGES="Bağlantı noktaları ve paketler"
SECTION_PRINTERS_AND_SPOOLS="Yazıcılar ve Biriktiriciler"
SECTION_PROGRAM_DETAILS="Program Ayrıntıları"
SECTION_SCHEDULED_TASKS="Zamanlanan görevler"
SECTION_SECURITY_FRAMEWORKS="Güvenlik çerçeveleri"
SECTION_SHELLS="Kabuklar"
SECTION_SNMP_SUPPORT="SNMP Desteği"
SECTION_SOFTWARE="Yazılım"
SECTION_SQUID_SUPPORT="Squid Desteği"
SECTION_SSH_SUPPORT="SSH Desteği"
SECTION_STORAGE="Depolama"
SECTION_SYSTEM_INTEGRITY="Yazılım: Sistem bütünlüğü"
SECTION_SYSTEM_TOOLING="Yazılım: Sistem araçları"
SECTION_SYSTEM_TOOLS="Sistem araçları"
SECTION_TIME_AND_SYNCHRONIZATION="Zaman ve Eşzamanlama"
SECTION_USB_DEVICES="USB Aygıtları"
SECTION_USERS_GROUPS_AND_AUTHENTICATION="Kullanıcılar, Gruplar ve Kimlik Doğrulama"
SECTION_VIRTUALIZATION="Sanallaştırma"
SECTION_WEBSERVER="Yazılım: web sunucusu"
STATUS_ACTIVE=" ETKİN"
STATUS_CHECK_NEEDED=" DENETİM GEREKLI"
STATUS_DEBUG="HATA AYIKLAMA"
STATUS_DEFAULT="ÖNTANIMLI"
STATUS_DIFFERENT="FARKLI"
STATUS_DISABLED="DEVRE DIŞI BIRAKILDI"
STATUS_DONE="TAMAMLANDI"
STATUS_ENABLED="ETKİNLEŞTİRİLMİŞ"
STATUS_ENABLED="ETKİNLEŞTİRİL"
STATUS_ERROR="HATA"
#STATUS_EXPOSED="EXPOSED"
#STATUS_FAILED="FAILED"
#STATUS_FILES_FOUND="FILES FOUND"
STATUS_EXPOSED="AÇIKTA BIRAKILDI"
STATUS_FAILED="BAŞARISIZ"
STATUS_FILES_FOUND="DOSYALAR BULUNDU"
STATUS_FOUND="BULUNDU"
#STATUS_HARDENED="HARDENED"
#STATUS_INSTALLED="INSTALLED"
#STATUS_LOCAL_ONLY="LOCAL ONLY"
#STATUS_MEDIUM="MEDIUM"
STATUS_HARDENED="SIKILAŞTIRILDI"
STATUS_INSTALLED="KURULU"
STATUS_LOCAL_ONLY="YALNIZCA YEREL"
STATUS_MEDIUM="ORTA"
STATUS_NO="HAYIR"
#STATUS_NON_DEFAULT="NON DEFAULT"
STATUS_NO_UPDATE="GÜNCELLEME YOK"
STATUS_NON_DEFAULT="ÖNTANIMLI OLMAYAN"
STATUS_NONE="YOK"
#STATUS_NOT_CONFIGURED="NOT CONFIGURED"
#STATUS_NOT_DISABLED="NOT DISABLED"
#STATUS_NOT_ENABLED="NOT ENABLED"
STATUS_NOT_ACTIVE="ETKİN DEĞİL"
STATUS_NOT_CONFIGURED="YAPILANDIRILMADI"
STATUS_NOT_DISABLED="DEVRE DIŞI BIRAKILMADI"
STATUS_NOT_ENABLED="ETKİNLEŞTİRİLMEDİ"
STATUS_NOT_FOUND="BULUNAMADI"
STATUS_NOT_RUNNING="ÇALIŞMIYOR"
#STATUS_NO_UPDATE="NO UPDATE"
STATUS_OFF="KAPALI"
STATUS_OK="TAMAM"
STATUS_ON="AÇIK"
#STATUS_PARTIALLY_HARDENED="PARTIALLY HARDENED"
#STATUS_PROTECTED="PROTECTED"
STATUS_PARTIALLY_HARDENED="KISMEN SIKILAŞTIRILDI"
STATUS_PROTECTED="KORUMALI"
STATUS_RUNNING="ÇALIŞIYOR"
STATUS_SKIPPED="ATLANDI"
STATUS_SUGGESTION="ÖNERİ"
STATUS_UNKNOWN="BİLİNMİYOR"
#STATUS_UNSAFE="UNSAFE"
#STATUS_UPDATE_AVAILABLE="UPDATE AVAILABLE"
STATUS_UNSAFE="GÜVENLİ DEĞİL"
STATUS_UPDATE_AVAILABLE="GÜNCELLEME VAR"
STATUS_WARNING="UYARI"
#STATUS_WEAK="WEAK"
STATUS_WEAK="ZAYIF"
STATUS_YES="EVET"
TEXT_UPDATE_AVAILABLE="güncelleme mevcut"
TEXT_YOU_CAN_HELP_LOGFILE="Log dosyanızı göndererek yardımcı olabilirsiniz"
TEXT_UPDATE_AVAILABLE="güncelleme var"
TEXT_YOU_CAN_HELP_LOGFILE="Günlük dosyanızı göndererek yardımcı olabilirsiniz"

42
db/software-eol.db
View File

@ -14,8 +14,29 @@
# For rolling releases or releases that do not (currently have an EOL date, leave field three empty and set field four to -1.
# Full string for CentOS can be something like 'CentOS Linux 8 (Core)'. As this does not correctly match, shorter string is used for matching.
#
# AIX - https://www.ibm.com/support/pages/aix-support-lifecycle-information
#
os:AIX 7300-02:2026-11-30:1796032800:
os:AIX 7300-01:2025-12-31:1767175200:
os:AIX 7300-00:2024-12-31:1735639200:
os:AIX 7200-05::-1:
os:AIX 7200-04:2022-11-30:1669802400:
os:AIX 7200-03:2021-09-30:1632996000:
os:AIX 7200-02:2020-10-31:1604138400:
os:AIX 7200-01:2019-11-30:1575108000:
os:AIX 7200-00:2018-12-30:1546164000:
os:AIX 7100:2023-04-30:1682848800:
os:AIX 6:2017-04-30:1493546400:
os:AIX 5:2012-04-30:1335780000:
os:AIX 4:2003-12-31:1072864800:
os:AIX 3:1997-12-31:883562400:
#
# Alpine - https://alpinelinux.org/releases/
#
os:Alpine 3.19:2025-11-01:1761955200
os:Alpine 3.18:2025-05-09:1746748800
os:Alpine 3.17:2024-11-22:1732233600
os:Alpine 3.16:2024-05-23:1716422400
os:Alpine 3.15:2023-11-01:1698793200
os:Alpine 3.14:2023-05-01:1682899200
os:Alpine 3.13:2022-11-01:1667275200
@ -28,8 +49,9 @@ os:Alpine 3.8:2020-05-01:1588305600
# Amazon Linux
#
# Note: shortest entry is listed at end due to regular expression matching being used
os:Amazon Linux 2:2023-06-26:1687730400:
os:Amazon Linux:2020-06-30:1593468000:
os:Amazon Linux 2023:2028-03-15:1836691200:
os:Amazon Linux 2:2025-06-30:1751241600:
os:Amazon Linux:2023-12-31:1703980800:
#
# Arch Linux
#
@ -40,16 +62,19 @@ os:Arch Linux::-1:
os:CentOS release 5:2017-03-31:1490911200:
os:CentOS release 6:2020-11-30:1606690800:
os:CentOS Linux 7:2024-06-30:1719698400:
os:CentOS Linux 8:2029-05-31:1874872800:
os:CentOS Linux 8:2021-12-31:1640905200:
#
# Debian - https://wiki.debian.org/DebianReleases#Production_Releases
# https://wiki.debian.org/LTS
#
os:Debian 5.0:2012-02-06:1328482800:
os:Debian 6.0:2016-02-29:1456700400:
os:Debian 7:2018-05-31:1527717600:
os:Debian 8:2020-06-30:1593468000:
os:Debian 9:2022-01-01:1640991600:
os:Debian 10:2022-01-01:1640991600:
os:Debian 9:2022-06-30:1656547200:
os:Debian 10:2022-09-10:1665266400:
os:Debian 11:2024-07-01:1719784800:
os:Debian 12:2028-06-30:1845936000:
#
# Fedora - https://fedoraproject.org/wiki/End_of_life
#
@ -134,6 +159,7 @@ os:Mageia 4:2015-09-19:1442613600
os:Mageia 5:2017-12-31:1514674800
os:Mageia 6:2019-09-30:1569794400
os:Mageia 7:2020-12-30:1609282800
os:Mageia 8::-1
#
# NetBSD - https://www.netbsd.org/support/security/release.html and
# https://www.netbsd.org/releases/formal.html
@ -196,6 +222,11 @@ os:OpenBSD 6.4:2019-10-17:1571270400:
os:OpenBSD 6.5:2020-05-19:1589846400:
os:OpenBSD 6.6:2020-10-01:1601510400:
os:OpenBSD 6.7:2021-05-01:1619827200:
os:OpenBSD 6.8:2021-10-14:1665698400:
os:OpenBSD 6.9:2022-04-21:1650492000:
os:OpenBSD 7.0:2022-10-20:1666216800:
os:OpenBSD 7.1:2023-05-01:1682892000:
os:OpenBSD 7.2::-1
#
# Red Hat Enterprise Linux - https://access.redhat.com/labs/plcc/
#
@ -239,6 +270,7 @@ os:Ubuntu 18.04:2023-05-01:1682892000:
os:Ubuntu 18.10:2019-07-18:1563400800:
os:Ubuntu 19.04:2020-01-01:1577833200:
os:Ubuntu 20.04:2025-04-01:1743458400:
os:Ubuntu 22.04:2027-04-01:1806537600:
#
# OmniosCE - https://omniosce.org/releasenotes.html
#

7
db/tests.db
View File

@ -148,6 +148,7 @@ FINT-4338:test:security:file_integrity::osqueryd syscheck daemon running:
FINT-4339:test:security:file_integrity:Linux:Check IMA/EVM Status
FINT-4340:test:security:file_integrity:Linux:Check dm-integrity status
FINT-4341:test:security:file_integrity:Linux:Check dm-verity status
FINT-4344:test:security:file_integrity::Wazuh syscheck daemon running:
FINT-4350:test:security:file_integrity::File integrity software installed:
FINT-4402:test:security:file_integrity::Checksums (SHA256 or SHA512):
FIRE-4502:test:security:firewalls:Linux:Check iptables kernel module:
@ -204,7 +205,7 @@ INSE-8200:test:security:insecure_services::Usage of TCP wrappers:
INSE-8300:test:security:insecure_services::Presence of rsh client:
INSE-8302:test:security:insecure_services::Presence of rsh server:
INSE-8310:test:security:insecure_services::Presence of telnet client:
INSE-8312:test:security:insecure_services::Presence of telnet server:
INSE-8322:test:security:insecure_services::Presence of telnet server:
INSE-8314:test:security:insecure_services::Presence of NIS client:
INSE-8316:test:security:insecure_services::Presence of NIS server:
INSE-8318:test:security:insecure_services::Presence of TFTP client:
@ -275,6 +276,7 @@ MALW-3284:test:security:malware::Check for clamd:
MALW-3286:test:security:malware::Check for freshclam:
MALW-3288:test:security:malware::Check for ClamXav:
MALW-3290:test:security:malware::Presence of malware scanner:
MALW-3291:test:security:malware::Check for Microsoft Defender Antivirus:
NAME-4016:test:security:nameservices::Check /etc/resolv.conf default domain:
NAME-4018:test:security:nameservices::Check /etc/resolv.conf search domains:
NAME-4020:test:security:nameservices::Check non default options:
@ -437,8 +439,9 @@ TOOL-5102:test:security:tooling::Check for presence of Fail2ban:
TOOL-5104:test:security:tooling::Enabled tests for Fail2ban:
TOOL-5120:test:security:tooling::Presence of Snort IDS:
TOOL-5122:test:security:tooling::Snort IDS configuration file:
TOOL-5128:test:security:tooling::Check for active Wazuh daemon:
TOOL-5130:test:security:tooling::Check for active Suricata daemon:
TOOL-5160:test:security:tooling::Check for active OSSEC daemon:
TOOL-5126:test:security:tooling::Check for active OSSEC daemon:
TOOL-5190:test:security:tooling::Check presence of available IDS/IPS tooling:
USB-1000:test:security:storage:Linux:Check if USB storage is disabled:
USB-2000:test:security:storage:Linux:Check USB authorizations:

2
default.prf
View File

@ -197,7 +197,7 @@ config-data=sysctl;kernel.exec-shield;1;1;No description;sysctl -a;url:https;//k
config-data=sysctl;kernel.kptr_restrict;2;1;Restrict access to kernel symbols;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.maps_protect;1;1;Restrict access to /proc/[pid]/maps;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.modules_disabled;1;1;Restrict module loading once this sysctl value is loaded;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.perf_event_paranoid;3|4;1;Restrict unprivileged access to the perf_event_open() system call.;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.perf_event_paranoid;2|3|4;1;Restrict unprivileged access to the perf_event_open() system call.;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.randomize_va_space;2;1;Randomize of memory address locations (ASLR);sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.suid_dumpable;0;1;Restrict core dumps;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.sysrq;0;1;Disable magic SysRQ;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;

11
include/binaries
View File

@ -169,7 +169,6 @@
domainname) DOMAINNAMEBINARY="${BINARY}"; LogText " Found known binary: domainname (NIS domain) - ${BINARY}" ;;
dpkg) DPKGBINARY="${BINARY}"; LogText " Found known binary: dpkg (package management) - ${BINARY}" ;;
xbps-query) XBPSBINARY="${BINARY}"; LogText " Found known binary: xbps (package management) - ${BINARY}" ;;
egrep) EGREPBINARY=${BINARY}; LogText " Found known binary: egrep (text search) - ${BINARY}" ;;
equery) EQUERYBINARY="${BINARY}"; LogText " Found known binary: query (package manager) - ${BINARY}" ;;
evmctl) EVMCTLBINARY=${BINARY}; LogText " Found known binary: evmctl (IMA/EVM tool) - ${BINARY}" ;;
exim) EXIMBINARY="${BINARY}"; EXIMVERSION=$(${BINARY} -bV | grep 'Exim version' | awk '{ print $3 }' | xargs); LogText " Found known binary ${BINARY} (version ${EXIMVERSION})" ;;
@ -337,11 +336,19 @@
Report "binaries_sgid_count=${SGID_BINARIES}"
Report "binary_paths=${BINARY_PATHS_FOUND}"
# If grep is capable of extended regexp, use that instead of egrep to avoid annoying warning
if [ "${GREPBINARY:-}" ] ; then
${GREPBINARY} --help 2> /dev/null | ${GREPBINARY} -e "extended-regexp" > /dev/null
if [ $? -eq 0 ] ; then
EGREPBINARY="${GREPBINARY} -E"
fi
fi
# Test if the basic system tools are defined. These will be used during the audit.
[ "${AWKBINARY:-}" ] || ExitFatal "awk binary not found"
[ "${CAT_BINARY:-}" ] || ExitFatal "cat binary not found"
[ "${CUTBINARY:-}" ] || ExitFatal "cut binary not found"
[ "${EGREPBINARY:-}" ] || ExitFatal "egrep binary not found"
[ "${FINDBINARY:-}" ] || ExitFatal "find binary not found"
[ "${GREPBINARY:-}" ] || ExitFatal "grep binary not found"
[ "${HEADBINARY:-}" ] || ExitFatal "head binary not found"

1
include/consts
View File

@ -169,6 +169,7 @@ ETC_PATHS="/etc /usr/local/etc"
MACHINEID=""
MACHINE_ROLE=""
MALWARE_SCANNER_INSTALLED=0
MDATPBINARY=""
MIN_PASSWORD_LENGTH=-1
MONGODB_RUNNING=0
MOUNTBINARY=""

10
include/functions
View File

@ -1315,7 +1315,7 @@
return 2
else
for CHECK_PERMISSION in ${CHECKPERMISSION_FULL}; do
DATA=$(echo ${CHECK_PERMISSION} | ${EGREPBINARY} "[rwx]")
DATA=$(echo ${CHECK_PERMISSION} | ${GREPBINARY} -E "[rwx]")
if [ $? -eq 0 ]; then
# add a dummy character as first character so it looks like output is a normal file
CHECK_PERMISSION=$(echo "-${CHECK_PERMISSION}" | ${AWKBINARY} '{k=0;for(i=0;i<=8;i++)k+=((substr($1,i+2,1)~/[rwx]/)*2^(8-i));if(k)printf("%0o",k)}')
@ -1608,7 +1608,7 @@
# This search is not foolproof
LogText "Performing simple ps scan (busybox)"
PSOPTIONS=" -o args="
FIND=$(${PSBINARY:-ps} ${PSOPTIONS} | ${EGREPBINARY:-egrep} "( |/)${search}" | ${GREPBINARY:-grep} -v "grep")
FIND=$(${PSBINARY:-ps} ${PSOPTIONS} | ${GREPBINARY:-grep} -E "( |/)${search}" | ${GREPBINARY:-grep} -v "grep")
else
if [ -n "${users}" ]; then
for u in ${users}; do
@ -2086,6 +2086,10 @@
elif [ -n "${PKGINFOBINARY}" ]; then
output=$(${PKGINFOBINARY} -q -e ${package} >/dev/null 2>&1)
exit_code=$? # 0=package installed, 1=package not installed
# Slackware also has RPM for some reason and that's why this test precedes the RPMBINARY test
elif [ "${OS_NAME}" = "Slackware Linux" -a -d "${ROOTDIR}/var/lib/pkgtools/packages" ]; then
output=$( ls ${ROOTDIR}/var/lib/pkgtools/packages/ 2> /dev/null | ${GREPBINARY} "^${package}-[^-]\+-[^-]\+-[^-]\+$" )
exit_code=$?
elif [ -n "${RPMBINARY}" ]; then
output=$(${RPMBINARY} --quiet -q ${package} > /dev/null 2>&1)
exit_code=$?
@ -2099,7 +2103,7 @@
output=$(${XBPSBINARY} ${package} 2> /dev/null | ${GREPBINARY} "^ii")
exit_code=$?
elif [ -n "${APKBINARY}" ]; then
output=$(${APKBINARY} search ${package} 2> /dev/null | ${GREPBINARY} ${package})
output=$(${APKBINARY} list --installed ${package} 2> /dev/null | ${GREPBINARY} ${package})
exit_code=$?
else
if [ "${package}" != "__dummy__" ]; then

57
include/osdetection
View File

@ -64,6 +64,8 @@
10.15 | 10.15.[0-9]*) OS_FULLNAME="macOS Catalina (${OS_VERSION})" ;;
11 | 11.[0-9]*) OS_FULLNAME="macOS Big Sur (${OS_VERSION})" ;;
12 | 12.[0-9]*) OS_FULLNAME="macOS Monterey (${OS_VERSION})" ;;
13 | 13.[0-9]*) OS_FULLNAME="macOS Ventura (${OS_VERSION})" ;;
14 | 14.[0-9]*) OS_FULLNAME="macOS Sonoma (${OS_VERSION})" ;;
*) echo "Unknown macOS version. Do you know what version it is? Create an issue at ${PROGRAM_SOURCE}" ;;
esac
else
@ -158,6 +160,11 @@
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"altlinux")
LINUX_VERSION="ALT Linux"
OS_NAME="altlinux"
OS_VERSION=$(grep "^ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"amzn")
LINUX_VERSION="Amazon Linux"
OS_NAME="Amazon Linux"
@ -174,11 +181,22 @@
OS_FULLNAME="Arch Linux 32"
OS_VERSION="Rolling release"
;;
"arcolinux")
LINUX_VERSION="ArcoLinux"
OS_FULLNAME="ArcoLinux"
OS_VERSION="Rolling release"
;;
"artix")
LINUX_VERSION="Artix Linux"
OS_FULLNAME="Artix Linux"
OS_VERSION="Rolling release"
;;
"athena")
LINUX_VERSION="Athena OS"
OS_NAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"bunsenlabs")
LINUX_VERSION="BunsenLabs"
OS_NAME="BunsenLabs"
@ -260,6 +278,12 @@
OS_NAME="Gentoo Linux"
OS_VERSION="Rolling release"
;;
"guix")
LINUX_VERSION="Guix"
OS_FULLNAME="Guix System"
OS_NAME="Guix"
OS_VERSION="Rolling release"
;;
"ipfire")
LINUX_VERSION="IPFire"
OS_NAME="IPFire"
@ -278,6 +302,11 @@
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"lsdk")
LINUX_VERSION="NXP LSDK"
OS_NAME="NXP LSDK"
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"mageia")
LINUX_VERSION="Mageia"
OS_NAME="Mageia"
@ -308,6 +337,18 @@
OS_REDHAT_OR_CLONE=1
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"nobara")
LINUX_VERSION="Nobara"
OS_NAME="Nobara Linux"
OS_REDHAT_OR_CLONE=1
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"nodistro")
LINUX_VERSION="openembedded"
OS_NAME="OpenEmbedded"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"opensuse-tumbleweed")
LINUX_VERSION="openSUSE Tumbleweed"
# It's rolling release but has a snapshot version (the date of the snapshot)
@ -324,12 +365,26 @@
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_NAME="openSUSE"
;;
"osmc")
LINUX_VERSION="OSMC"
LINUX_VERSION_LIKE="Debian"
OS_NAME="Open Source Media Center"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"parrot")
LINUX_VERSION="Parrot"
OS_NAME="Parrot GNU/Linux"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"poky")
LINUX_VERSION="Poky"
OS_NAME="openembedded"
LINUX_VERSION_LIKE="openembedded"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"pop")
LINUX_VERSION="Pop!_OS"
LINUX_VERSION_LIKE="Ubuntu"
@ -401,7 +456,7 @@
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
*)
ReportException "OS Detection" "Unknown OS found in /etc/os-release - Please create an issue on GitHub and share the the contents (cat /etc/os-release): ${PROGRAM_SOURCE}"
ReportException "OS Detection" "Unknown OS found in /etc/os-release - Please create an issue on GitHub and share the contents (cat /etc/os-release): ${PROGRAM_SOURCE}"
;;
esac
fi

34
include/tests_authentication
View File

@ -42,9 +42,9 @@
LogText "Test: Searching accounts with UID 0"
# Check if device is a QNAP, as the root user is called admin, and not root
if [ ${QNAP_DEVICE} -eq 1 ]; then
FIND=$(${GREPBINARY} ':0:' ${ROOTDIR}etc/passwd | ${EGREPBINARY} -v '^#|^admin:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0')
FIND=$(${GREPBINARY} ':0:' ${ROOTDIR}etc/passwd | ${GREPBINARY} -E -v '^#|^admin:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0')
else
FIND=$(${GREPBINARY} ':0:' ${ROOTDIR}etc/passwd | ${EGREPBINARY} -v '^#|^root:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0')
FIND=$(${GREPBINARY} ':0:' ${ROOTDIR}etc/passwd | ${GREPBINARY} -E -v '^#|^root:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0')
fi
if [ -n "${FIND}" ]; then
Display --indent 2 --text "- Administrator accounts" --result "${STATUS_WARNING}" --color RED
@ -163,7 +163,7 @@
LogText "Test: Checking login shells"
if [ -f ${ROOTDIR}etc/master.passwd ]; then
# Check for all shells, except: (/usr)/sbin/nologin /nonexistent
FIND=$(${GREPBINARY} "[a-z]:\*:" ${ROOTDIR}etc/master.passwd | ${EGREPBINARY} -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | ${SEDBINARY} 's/ /!space!/g')
FIND=$(${GREPBINARY} "[a-z]:\*:" ${ROOTDIR}etc/master.passwd | ${GREPBINARY} -E -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | ${SEDBINARY} 's/ /!space!/g')
if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Login shells" --result "${STATUS_OK}" --color GREEN
else
@ -499,13 +499,13 @@
Register --test-no AUTH-9240 --weight L --network NO --category security --description "Query NIS+ authentication support"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /etc/nsswitch.conf ]; then
FIND=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${EGREPBINARY} "compat|nisplus")
FIND=$(${GREPBINARY} -E "^passwd" /etc/nsswitch.conf | ${GREPBINARY} -E "compat|nisplus")
if [ -z "${FIND}" ]; then
LogText "Result: NIS+ authentication not enabled"
Display --indent 2 --text "- NIS+ authentication support" --result "${STATUS_NOT_ENABLED}" --color WHITE
else
FIND2=$(${EGREPBINARY} "^passwd_compat" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus")
FIND3=$(${EGREPBINARY} "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus")
FIND2=$(${GREPBINARY} -E "^passwd_compat" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus")
FIND3=$(${GREPBINARY} -E "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus")
if [ -n "${FIND2}" -o -n "${FIND3}" ]; then
LogText "Result: NIS+ authentication enabled"
Display --indent 2 --text "- NIS+ authentication support" --result "${STATUS_ENABLED}" --color GREEN
@ -526,13 +526,13 @@
Register --test-no AUTH-9242 --weight L --network NO --category security --description "Query NIS authentication support"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /etc/nsswitch.conf ]; then
FIND=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${EGREPBINARY} "compat|nis" | ${GREPBINARY} -v "nisplus")
FIND=$(${GREPBINARY} -E "^passwd" /etc/nsswitch.conf | ${GREPBINARY} -E "compat|nis" | ${GREPBINARY} -v "nisplus")
if [ -z "${FIND}" ]; then
LogText "Result: NIS authentication not enabled"
Display --indent 2 --text "- NIS authentication support" --result "${STATUS_NOT_ENABLED}" --color WHITE
else
FIND2=$(${EGREPBINARY} "^passwd_compat" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus")
FIND3=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus")
FIND2=$(${GREPBINARY} -E "^passwd_compat" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus")
FIND3=$(${GREPBINARY} -E "^passwd" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus")
if [ -n "${FIND2}" -o -n "${FIND3}" ]; then
LogText "Result: NIS authentication enabled"
Display --indent 2 --text "- NIS authentication support" --result "${STATUS_ENABLED}" --color GREEN
@ -717,7 +717,7 @@
if [ ${FOUND} -eq 0 ]; then
Display --indent 2 --text "- PAM password strength tools" --result "${STATUS_SUGGESTION}" --color YELLOW
LogText "Result: no PAM modules for password strength testing found"
ReportSuggestion "${TEST_NO}" "Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc"
ReportSuggestion "${TEST_NO}" "Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc or libpam-passwdqc"
AddHP 0 3
else
Display --indent 2 --text "- PAM password strength tools" --result "${STATUS_OK}" --color GREEN
@ -737,7 +737,7 @@
LogText "Result: file ${ROOTDIR}etc/pam.conf exists"
Display --indent 2 --text "- PAM configuration files (pam.conf)" --result "${STATUS_FOUND}" --color GREEN
LogText "Test: searching PAM configuration files"
FIND=$(${EGREPBINARY} -v "^#" ${ROOTDIR}etc/pam.conf | ${EGREPBINARY} -v "^$" | ${SEDBINARY} 's/[[:space:]]/ /g' | ${SEDBINARY} 's/ / /g' | ${SEDBINARY} 's/ /:space:/g')
FIND=$(${GREPBINARY} -E -v "^#" ${ROOTDIR}etc/pam.conf | ${GREPBINARY} -E -v "^$" | ${SEDBINARY} 's/[[:space:]]/ /g' | ${SEDBINARY} 's/ / /g' | ${SEDBINARY} 's/ /:space:/g')
if [ -z "${FIND}" ]; then
LogText "Result: File has no configuration options defined (empty, or only filled with comments and empty lines)"
else
@ -1017,7 +1017,7 @@
LogText "Data: Days since epoch is ${DAYS_SINCE_EPOCH}"
LogText "Test: collecting accounts which have an expired password (last day changed + maximum change time)"
# Skip fields with a !, *, or x, or !* (field $3 is last changed, $5 is maximum changed)
FIND=$(${EGREPBINARY} -v ":[\!\*x]([\*\!])?:" /etc/shadow | ${AWKBINARY} -v today=${DAYS_SINCE_EPOCH} -F: '{ if (($5!="") && (today>$3+$5)) { print $1 }}')
FIND=$(${GREPBINARY} -E -v ":[\!\*x]([\*\!])?:" /etc/shadow | ${AWKBINARY} -v today=${DAYS_SINCE_EPOCH} -F: '{ if (($5!="") && (today>$3+$5)) { print $1 }}')
if [ -n "${FIND}" ]; then
for ACCOUNT in ${FIND}; do
LogText "Result: password of user ${ACCOUNT} has been expired"
@ -1109,8 +1109,8 @@
TEST_PERFORMED=1
LogText "Result: file ${ROOTDIR}etc/inittab exists"
LogText "Test: checking presence sulogin for single user mode"
FIND=$(${EGREPBINARY} "^[a-zA-Z0-9~]+:S:(respawn|wait):/sbin/sulogin" /etc/inittab)
FIND2=$(${EGREPBINARY} "^su:S:(respawn|wait):/sbin/sulogin" /etc/inittab)
FIND=$(${GREPBINARY} -E "^[a-zA-Z0-9~]+:S:(respawn|wait):/sbin/sulogin" /etc/inittab)
FIND2=$(${GREPBINARY} -E "^su:S:(respawn|wait):/sbin/sulogin" /etc/inittab)
if [ -n "${FIND}" -o -n "${FIND2}" ]; then
FOUND=1
LogText "Result: found sulogin, so single user is protected"
@ -1147,7 +1147,7 @@
# Mark test as performed only when at least 1 target exists (e.g. Ubuntu 14.04 has limited systemd support)
TEST_PERFORMED=1
LogText "Result: found target ${I}"
FIND=$(${EGREPBINARY} "^ExecStart=" ${FILE} | ${GREPBINARY} "sulogin")
FIND=$(${GREPBINARY} -E "^ExecStart=" ${FILE} | ${GREPBINARY} "sulogin")
if [ "${FIND}" = "" ]; then
LogText "Result: did not find sulogin specified, possible risk of getting into single user mode without authentication"
else
@ -1486,7 +1486,7 @@
Register --test-no AUTH-9402 --weight L --network NO --category security --description "Query LDAP authentication support"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f ${ROOTDIR}etc/nsswitch.conf ]; then
FIND=$(${EGREPBINARY} "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "ldap")
FIND=$(${GREPBINARY} -E "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "ldap")
if [ "${FIND}" = "" ]; then
LogText "Result: LDAP authentication not enabled"
Display --indent 2 --text "- LDAP authentication support" --result "${STATUS_NOT_ENABLED}" --color WHITE
@ -1514,7 +1514,7 @@
LogText "Result: file ${FILE} exists, LDAP being used"
LDAP_CLIENT_CONFIG_FILE="${FILE}"
LogText "Test: checking LDAP servers in file ${FILE}"
FIND=$(${EGREPBINARY} "^host " ${FILE} | ${AWKBINARY} '{ print $2 }')
FIND=$(${GREPBINARY} -E "^host " ${FILE} | ${AWKBINARY} '{ print $2 }')
for SERVER in ${FIND}; do
Display --indent 6 --text "LDAP server: ${SERVER}"
LogText "Result: found LDAP server ${SERVER}"

2
include/tests_banners
View File

@ -27,7 +27,7 @@
#################################################################################
#
BANNER_FILES="${ROOTDIR}etc/issue ${ROOTDIR}etc/issue.net ${ROOTDIR}etc/motd"
LEGAL_BANNER_STRINGS="audit access authori condition connect consent continu criminal enforce evidence forbidden intrusion law legal legislat log monitor owner penal policy policies privacy private prohibited record restricted secure subject system terms warning"
LEGAL_BANNER_STRINGS="audit access authori condition connect consent continu criminal enforce evidence forbidden intrusion law legal legislat log monitor owner penal policy policies privacy private prohibited prosecute record report restricted secure subject system terms warning"
#
#################################################################################
#

14
include/tests_boot_services
View File

@ -460,7 +460,7 @@
BOOT_LOADER_FOUND=1
Display --indent 2 --text "- Checking presence LILO" --result "${STATUS_OK}" --color GREEN
LogText "Checking password option LILO"
FIND=$(${EGREPBINARY} 'password[[:space:]]?=' ${LILOCONFFILE} | ${GREPBINARY} -v "^#")
FIND=$(${GREPBINARY} -E 'password[[:space:]]?=' ${LILOCONFFILE} | ${GREPBINARY} -v "^#")
if [ -z "${FIND}" ]; then
if [ "${MACHINE_ROLE}" = "server" -o "${MACHINE_ROLE}" = "workstation" ]; then
Display --indent 4 --text "- Password option presence " --result "${STATUS_WARNING}" --color RED
@ -605,7 +605,7 @@
else
# FreeBSD (Read /etc/rc.conf file for enabled services)
LogText "Searching for services at startup (rc.conf)"
FIND=$(${EGREPBINARY} -v -i '^#|none' ${ROOTDIR}etc/rc.conf | ${EGREPBINARY} -i '_enable.*(yes|on|1)' | ${SORTBINARY} | ${AWKBINARY} -F= '{ print $1 }' | ${SEDBINARY} 's/_enable//')
FIND=$(${GREPBINARY} -E -v -i '^#|none' ${ROOTDIR}etc/rc.conf | ${GREPBINARY} -E -i '_enable.*(yes|on|1)' | ${SORTBINARY} | ${AWKBINARY} -F= '{ print $1 }' | ${SEDBINARY} 's/_enable//')
fi
COUNT=0
for ITEM in ${FIND}; do
@ -715,7 +715,7 @@
if [ -n "${CHKCONFIGBINARY}" ]; then
LogText "Result: chkconfig binary found, trying that to discover information"
LogText "Searching for services at startup (chkconfig, runlevel 3 and 5)"
FIND=$(${CHKCONFIGBINARY} --list | ${EGREPBINARY} '3:on|5:on' | ${AWKBINARY} '{ print $1 }')
FIND=$(${CHKCONFIGBINARY} --list | ${GREPBINARY} -E '3:on|5:on' | ${AWKBINARY} '{ print $1 }')
COUNT=0
Report "boot_service_tool=chkconfig"
for ITEM in ${FIND}; do
@ -947,7 +947,7 @@
if [ -f ${ROOTDIR}usr/lib/systemd/system/rescue.service ]; then
LogText "Result: file /usr/lib/systemd/system/rescue.service"
LogText "Test: checking presence sulogin for single user mode"
FIND=$(${EGREPBINARY} "^ExecStart=.*sulogin" ${ROOTDIR}usr/lib/systemd/system/rescue.service)
FIND=$(${GREPBINARY} -E "^ExecStart=.*sulogin" ${ROOTDIR}usr/lib/systemd/system/rescue.service)
if [ -n "${FIND}" ]; then
FOUND=1
LogText "Result: found sulogin, so single user is protected"
@ -981,14 +981,14 @@
Report "running_service[]=${ITEM}"
COUNT=$((COUNT + 1 ))
done
LogText "Note: Run rcctl ls all | egrep '^(pf|check_quotas|library_aslr)$' to see all daemons"
LogText "Note: Run rcctl ls all | grep -E '^(pf|check_quotas|library_aslr)$' to see all daemons"
Display --indent 2 --text "- Check running daemons (rcctl)" --result "${STATUS_DONE}" --color GREEN
Display --indent 8 --text "Result: found ${COUNT} running daemons"
LogText "Result: Found ${COUNT} running daemons"
# OpenBSD (Ask rcctl(8) for enabled daemons)
LogText "Searching for enabled daemons (rcctl)"
FIND=$(${RCCTLBINARY} ls on | ${EGREPBINARY} -v '^(pf|check_quotas|library_aslr)$')
FIND=$(${RCCTLBINARY} ls on | ${GREPBINARY} -E -v '^(pf|check_quotas|library_aslr)$')
COUNT=0
Report "boot_service_tool=rcctl"
for ITEM in ${FIND}; do
@ -996,7 +996,7 @@
Report "boot_service[]=${ITEM}"
COUNT=$((COUNT + 1 ))
done
LogText "Note: Run rcctl ls all | egrep '^(pf|check_quotas|library_aslr)$' to see all daemons"
LogText "Note: Run rcctl ls all | grep -E '^(pf|check_quotas|library_aslr)$' to see all daemons"
Display --indent 2 --text "- Check enabled daemons at boot (rcctl)" --result "${STATUS_DONE}" --color GREEN
Display --indent 8 --text "Result: found ${COUNT} enabled daemons at boot"
LogText "Result: Found ${COUNT} enabled daemons at boot"

4
include/tests_containers
View File

@ -107,7 +107,7 @@
LogText "Result: disabling further Docker tests as docker version gave exit code other than zero (0)"
RUN_DOCKER_TESTS=0
fi
FIND=$(${DOCKERBINARY} info 2>&1 | ${GREPBINARY} "^WARNING:" | ${CUTBINARY} -d " " -f 2- | ${SEDBINARY} 's/ /:space:/g')
FIND=$(${DOCKERBINARY} info 2>&1 | ${GREPBINARY} -E "^WARNING:|^ERROR:" | ${CUTBINARY} -d " " -f 2- | ${SEDBINARY} 's/ /:space:/g')
if [ ! "${FIND}" = "" ]; then
LogText "Result: found warning(s) in output"
for I in ${FIND}; do
@ -137,7 +137,7 @@
# Check total of containers
LogText "Test: checking total amount of Docker containers"
DOCKER_CONTAINERS_TOTAL=$(${DOCKERBINARY} info 2> /dev/null | ${EGREPBINARY} "^[ \t]?Containers: " | ${AWKBINARY} '{ print $2 }')
DOCKER_CONTAINERS_TOTAL=$(${DOCKERBINARY} info 2> /dev/null | ${GREPBINARY} -E "^[ \t]?Containers: " | ${AWKBINARY} '{ print $2 }')
if [ -z "${DOCKER_CONTAINERS_TOTAL}" ]; then
DOCKER_CONTAINERS_TOTAL=0
fi

4
include/tests_crypto
View File

@ -54,7 +54,7 @@
LASTSUBDIR=""
LogText "Result: found directory ${DIR}"
# Search for certificate files
FILES=$(${FINDBINARY} ${DIR} -type f 2> /dev/null | ${EGREPBINARY} ".cer$|.crt$|.der$|.pem$|^cert" | ${SORTBINARY} | ${SEDBINARY} 's/ /__space__/g')
FILES=$(${FINDBINARY} ${DIR} -type f 2> /dev/null | ${GREPBINARY} -E ".cer$|.crt$|.der$|.pem$|^cert" | ${SORTBINARY} | ${SEDBINARY} 's/ /__space__/g')
for FILE in ${FILES}; do
FILE=$(echo ${FILE} | ${SEDBINARY} 's/__space__/ /g')
# See if we need to skip this path
@ -80,7 +80,7 @@
if [ ${CANREAD} -eq 1 ]; then
# Only check the files that are not installed by a package, unless enabled by profile
if [ ${SSL_CERTIFICATE_INCLUDE_PACKAGES} -eq 1 ] || ! FileInstalledByPackage "${FILE}"; then
echo ${FILE} | ${EGREPBINARY} -q ".cer$|.der$"
echo ${FILE} | ${GREPBINARY} -E -q ".cer$|.der$"
CER_DER=$?
OUTPUT=$(${GREPBINARY} -q 'BEGIN CERT' "${FILE}")
if [ $? -eq 0 -o ${CER_DER} -eq 0 ]; then

29
include/tests_databases
View File

@ -45,7 +45,7 @@
# Description : Check if MySQL is being used
Register --test-no DBS-1804 --weight L --network NO --category security --description "Checking active MySQL process"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${PSBINARY} ax | ${EGREPBINARY} "mariadb|mysqld|mysqld_safe" | ${GREPBINARY} -v "grep")
FIND=$(${PSBINARY} ax | ${GREPBINARY} -E "mariadb|mysqld|mysqld_safe" | ${GREPBINARY} -v "grep")
if [ -z "${FIND}" ]; then
if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- MySQL process status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
LogText "Result: MySQL process not active"
@ -85,7 +85,7 @@
LogText "Test: Trying to login to local MySQL server without password"
# "-u root --password=" avoids ~/.my.cnf authentication settings
# "plugin = 'mysql_native_password' AND authentication_string = ''" avoids false positives when secure plugins are used
# "plugin = 'mysql_native_password' AND authentication_string = ''" avoids false positives when secure plugins are used
FIND=$(${MYSQLCLIENTBINARY} --default-auth=mysql_native_password --no-defaults -u root --password= --silent --batch --execute="SELECT count(*) FROM mysql.user WHERE user = 'root' AND plugin = 'mysql_native_password' AND authentication_string = ''" mysql > /dev/null 2>&1; echo $?)
if [ "${FIND}" = "0" ]; then
LogText "Result: Login succeeded, no MySQL root password set!"
@ -186,8 +186,10 @@
# Test : DBS-1826
# Description : Check if PostgreSQL is being used
Register --test-no DBS-1826 --weight L --network NO --category security --description "Checking active PostgreSQL processes"
for PROCES in postgres postmaster
do
if [ ${SKIPTEST} -eq 0 ]; then
if IsRunning "postgres"; then
if IsRunning "${PROCES}"; then
Display --indent 2 --text "- PostgreSQL processes status" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: PostgreSQL is active"
POSTGRESQL_RUNNING=1
@ -195,9 +197,10 @@
Report "postgresql_running=${POSTGRESQL_RUNNING}"
else
if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- PostgreSQL processes status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
LogText "Result: PostgreSQL process not active"
LogText "Result: PostgreSQL process ${PROCES} not active"
fi
fi
done
#
#################################################################################
#
@ -211,13 +214,15 @@
# Arch /var/lib/postgres/data/postgresql.conf
# CentOS/Fedora /var/lib/pgsql/data/postgresql.conf
# Ubuntu /etc/postgresql/x.y/main/postgresql.conf
# FreeBSD /var/db/postgres/data[0-9][0-9]/postgresql.conf
if [ "${POSTGRESQL_RUNNING}" -eq 1 ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="PostgreSQL not installed or not running"; fi
Register --test-no DBS-1828 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Test PostgreSQL configuration"
if [ ${SKIPTEST} -eq 0 ]; then
FIND_PATHS="${ROOTDIR}etc/postgres ${ROOTDIR}var/lib/postgres/data ${ROOTDIR}usr/local/pgsql/data"
CONFIG_FILES=$(${FINDBINARY} -L ${FIND_PATHS} -type f -name "*.conf" -print0 2> /dev/null | ${TRBINARY} -cd '[:print:]\0' | ${TRBINARY} -d '\n' | ${TRBINARY} '\0' '\n' | xargs -i sh -c 'test -r "{}" && echo "{}"' | ${SEDBINARY} "s/ /:space:/g")
FIND_PATHS=$(${LSBINARY} -d ${ROOTDIR}usr/local/pgsql/data* 2> /dev/null)
FIND_PATHS="${FIND_PATHS} ${ROOTDIR}etc/postgres ${ROOTDIR}etc/postgresql ${ROOTDIR}var/lib/postgres/data ${ROOTDIR}usr/local/pgsql/data ${ROOTDIR}var/lib/pgsql/data ${ROOTDIR}var/db/postgres/data[0-9][0-9]"
CONFIG_FILES=$(${FINDBINARY} -L ${FIND_PATHS} -type f -name "*.conf" -print0 2> /dev/null | ${TRBINARY} -cd '[:print:]\0' | ${TRBINARY} -d '\n' | ${TRBINARY} '\0' '\n' | xargs -I'{}' sh -c 'test -r "{}" && echo "{}"' | ${SEDBINARY} "s/ /:space:/g")
for CF in ${CONFIG_FILES}; do
Report "postgresql_config_file[]=${CF}"
LogText "Found configuration file (${CF})"
@ -226,7 +231,7 @@
ReportWarning "${TEST_NO}" "PostgreSQL configuration file ${CF} is world readable and might leak sensitive details" "${CF}" "Use chmod 600 to change file permissions"
else
LogText "Result: great, configuration file ${CF} is not world readable"
fi
fi
done
fi
#
@ -244,7 +249,7 @@
# reco: recovery (optional)
Register --test-no DBS-1840 --weight L --network NO --category security --description "Checking active Oracle processes"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${PSBINARY} ax | ${EGREPBINARY} "ora_pmon|ora_smon|tnslsnr" | ${GREPBINARY} -v "grep")
FIND=$(${PSBINARY} ax | ${GREPBINARY} -E "ora_pmon|ora_smon|tnslsnr" | ${GREPBINARY} -v "grep")
if [ -z "${FIND}" ]; then
if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- Oracle processes status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
LogText "Result: Oracle process(es) not active"
@ -311,10 +316,16 @@
if [ ${REDIS_RUNNING} -eq 1 ]; then PREQS_METS="YES"; else PREQS_MET="NO"; SKIPREASON="Redis not running"; fi
Register --test-no DBS-1882 --weight L --network NO --preqs-met "${PREQS_MET}" --skip-reason "${SKIPREASON}" --category security --description "Redis configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
PATHS="${ROOTDIR}etc/redis ${ROOTDIR}usr/local/etc/redis ${ROOTDIR}usr/local/redis/etc"
PATHS="${ROOTDIR}etc/redis ${ROOTDIR}usr/local/etc ${ROOTDIR}usr/local/etc/redis ${ROOTDIR}usr/local/redis/etc"
if [ ${QNAP_DEVICE} -eq 1 ]; then
PATHS="${PATHS} ${ROOTDIR}share/CACHEDEV1_DATA/.qpkg/QKVM/usr/etc/redis.conf"
fi
if [ -d "${ROOTDIR}snap" ]; then
for SNAP_PATH in $(${FINDBINARY} ${ROOTDIR}snap -name 'redis.conf' -type f | ${SEDBINARY} 's/redis.conf$//g'); do
PATHS="${PATHS} ${SNAP_PATH}"
done
fi
ALLFILES=$(${LSBINARY} ${ROOTDIR}etc/redis.conf 2> /dev/null)
FOUND=0
for DIR in ${PATHS}; do

27
include/tests_file_integrity
View File

@ -104,7 +104,7 @@
if [ -n "${AIDEBINARY}" -a -n "${AIDECONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FINT-4316 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Presence of AIDE database and size check"
if [ ${SKIPTEST} -eq 0 ]; then
AIDE_DB=$(${EGREPBINARY} '(^database|^database_in)=' ${AIDECONFIG} | ${SEDBINARY} "s/.*://")
AIDE_DB=$(${GREPBINARY} -E '(^database|^database_in)=' ${AIDECONFIG} | ${SEDBINARY} "s/.*://")
if case ${AIDE_DB} in @@*) ;; *) false;; esac; then
I=$(${GREPBINARY} "@@define.*DBDIR" ${AIDECONFIG} | ${AWKBINARY} '{print $3}')
AIDE_DB=$(echo ${AIDE_DB} | ${SEDBINARY} "s#.*}#${I}#")
@ -330,7 +330,7 @@
ROOTDEVICE=$(${MOUNTBINARY} | ${AWKBINARY} '/ on \/ type / { print $1 }')
for DEVICE in /dev/mapper/*; do
if [ -e "${DEVICE}" ]; then
FIND=$(${INTEGRITYSETUPBINARY} status "${DEVICE}" | ${EGREPBINARY} 'type:.*INTEGRITY')
FIND=$(${INTEGRITYSETUPBINARY} status "${DEVICE}" | ${GREPBINARY} -E 'type:.*INTEGRITY')
if [ ! -z "${FIND}" ]; then
FOUND=1
LogText "Result: found dm-integrity device ${DEVICE}"
@ -370,7 +370,7 @@
ROOTDEVICE=$(${MOUNTBINARY} | ${AWKBINARY} '/ on \/ type / { print $1 }')
for DEVICE in /dev/mapper/*; do
if [ -e "${DEVICE}" ]; then
FIND=$(${VERITYSETUPBINARY} status "${DEVICE}" | ${EGREPBINARY} 'type:.*VERITY')
FIND=$(${VERITYSETUPBINARY} status "${DEVICE}" | ${GREPBINARY} -E 'type:.*VERITY')
if [ ! -z "${FIND}" ]; then
FOUND=1
LogText "Result: found dm-verity device ${DEVICE}"
@ -398,13 +398,32 @@
fi
#
#################################################################################
#
# Test : FINT-4344
# Description : Check if Wazuh system integrity tool is running
Register --test-no FINT-4344 --weight L --network NO --category security --description "Wazuh syscheck daemon running"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking if Wazuh syscheck daemon is running"
if IsRunning "wazuh-syscheckd"; then
LogText "Result: syscheck (Wazuh) active"
Report "file_integrity_tool[]=wazuh"
FILE_INT_TOOL="wazuh-syscheck"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- Wazuh (syscheck)" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: syscheck (Wazuh) is not active"
if IsVerbose; then Display --indent 4 --text "- Wazuh" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
fi
fi
#
#################################################################################
#
# Test : FINT-4402 (was FINT-4316)
# Description : Check if AIDE is configured to use SHA256 or SHA512 checksums
if [ ! "${AIDEBINARY}" = "" -a -n "${AIDECONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FINT-4402 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "AIDE configuration: Checksums (SHA256 or SHA512)"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${GREPBINARY} -v "^#" ${AIDECONFIG} | ${EGREPBINARY} "= .*(sha256|sha512)")
FIND=$(${GREPBINARY} -v "^#" ${AIDECONFIG} | ${GREPBINARY} -E "= .*(sha256|sha512)")
if [ -z "${FIND}" ]; then
LogText "Result: No SHA256 or SHA512 found for creating checksums"
Display --indent 6 --text "- AIDE config (Checksum)" --result Suggestion --color YELLOW

2
include/tests_file_permissions
View File

@ -35,7 +35,7 @@
FOUND=0
for PROFILE in ${PROFILES}; do
LogText "Using profile ${PROFILE} for baseline."
FILES=$(${EGREPBINARY} '^permfile=|^permdir=' ${PROFILE} | ${CUTBINARY} -d= -f2 | ${CUTBINARY} -d: -f1)
FILES=$(${GREPBINARY} -E '^permfile=|^permdir=' ${PROFILE} | ${CUTBINARY} -d= -f2 | ${CUTBINARY} -d: -f1)
for F in ${FILES}; do
LogText "Test: checking file/directory ${F}"
if [ -f "${F}" ]; then

14
include/tests_filesystems
View File

@ -356,7 +356,7 @@
# Proc should be mounted with 'hidepid=2' or 'hidepid=1' at least
# https://www.kernel.org/doc/html/latest/filesystems/proc.html#chapter-4-configuring-procfs
LogText "Test: check proc mount with incorrect mount options"
FIND=$(${MOUNTBINARY} | ${EGREPBINARY} "${ROOTDIR}proc " | ${EGREPBINARY} -o "hidepid=([0-9]|[a-z][a-z]*)")
FIND=$(${MOUNTBINARY} | ${GREPBINARY} -E "${ROOTDIR}proc " | ${GREPBINARY} -E -o "hidepid=([0-9]|[a-z][a-z]*)")
if [ "${FIND}" = "hidepid=4" -o "${FIND}" = "hidepid=ptraceable" ]; then # https://lwn.net/Articles/817137/
Display --indent 2 --text "- Testing /proc mount (hidepid)" --result "${STATUS_OK}" --color GREEN
LogText "Result: proc mount mounted with ${FIND}"
@ -504,7 +504,7 @@
fi
LogText "Test: Checking acl option on xfs root file system"
FIND=$(${MOUNTBINARY} | ${AWKBINARY} '{ if ($3=="/" && $5~/xfs/) { print $6 } }' | ${EGREPBINARY} 'no_acl|no_user_xattr')
FIND=$(${MOUNTBINARY} | ${AWKBINARY} '{ if ($3=="/" && $5~/xfs/) { print $6 } }' | ${GREPBINARY} -E 'no_acl|no_user_xattr')
if [ -z "${FIND}" ]; then
FOUND=1
# some other tests to do ?
@ -638,7 +638,7 @@
NDEVMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v nodev | ${WCBINARY} -l)
NEXECMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v noexec | ${WCBINARY} -l)
NSUIDMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v nosuid | ${WCBINARY} -l)
NWRITEANDEXECMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v noexec | ${EGREPBINARY} -v '^\(ro[,)]' | ${WCBINARY} -l)
NWRITEANDEXECMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v noexec | ${GREPBINARY} -E -v '^\(ro[,)]' | ${WCBINARY} -l)
LogText "Result: Total without nodev:${NDEVMOUNTS} noexec:${NEXECMOUNTS} nosuid:${NSUIDMOUNTS} ro or noexec (W^X): ${NWRITEANDEXECMOUNTS}, of total ${NMOUNTS}"
Display --indent 2 --text "- Total without nodev:${NDEVMOUNTS} noexec:${NEXECMOUNTS} nosuid:${NSUIDMOUNTS} ro or noexec (W^X): ${NWRITEANDEXECMOUNTS} of total ${NMOUNTS}"
fi
@ -814,13 +814,13 @@
AVAILABLE_MODPROBE_FS=""
for FS in ${LIST_FS_NOT_SUPPORTED}; do
# Check if filesystem is present in modprobe output
FIND=$(${MODPROBEBINARY} -v -n ${FS} 2>/dev/null | ${EGREPBINARY} "/${FS}.ko" | ${TAILBINARY} -1)
FIND=$(${MODPROBEBINARY} -v -n ${FS} 2>/dev/null | ${GREPBINARY} -E "/${FS}.ko" | ${TAILBINARY} -1)
if [ -n "${FIND}" ]; then
LogText "Result: found ${FS} support in the kernel (output = ${FIND})"
Debug "Module ${FS} present in the kernel"
LogText "Test: Checking if ${FS} is active"
# Check if FS is present in lsmod output
FIND=$(${LSMODBINARY} | ${EGREPBINARY} "^${FS}")
FIND=$(${LSMODBINARY} | ${GREPBINARY} -E "^${FS}")
if IsEmpty "${FIND}"; then
LogText "Result: module ${FS} is currently not loaded in the kernel."
AddHP 2 3
@ -837,8 +837,8 @@
fi
FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null)
if [ -n "${FIND}" ]; then
FIND1=$(${EGREPBINARY} "^blacklist \+${FS}$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
FIND2=$(${EGREPBINARY} "^install \+${FS} \+/bin/true$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
FIND1=$(${GREPBINARY} -E "^blacklist \+${FS}$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
FIND2=$(${GREPBINARY} -E "^install \+${FS} \+/bin/true$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then
Display --indent 4 --text "- Module $FS is blacklisted" --result "OK" --color GREEN
LogText "Result: module ${FS} is blacklisted"

6
include/tests_firewalls
View File

@ -112,7 +112,7 @@
TABLES="filter"
for TABLE in ${TABLES}; do
LogText "Test: gathering information from table ${TABLE}"
FIND="$FIND""\n"$(${IPTABLESBINARY} -t ${TABLE} --numeric --list | ${EGREPBINARY} -z -o -w '[A-Z]+' | tr -d '\0' | ${AWKBINARY} -v t=${TABLE} 'NR%2 {printf "%s %s ",t, $0 ; next;}1')
FIND="$FIND""\n"$(${IPTABLESBINARY} -t ${TABLE} --numeric --list | ${GREPBINARY} -E -z -o -w '[A-Z]+' | tr -d '\0' | ${AWKBINARY} -v t=${TABLE} 'NR%2 {printf "%s %s ",t, $0 ; next;}1')
done
echo "${FIND}" | while read -r line; do
@ -154,7 +154,7 @@
if [ -n "${IPTABLESBINARY}" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4512 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for empty ruleset"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${IPTABLESBINARY} --list --numeric 2> /dev/null | ${EGREPBINARY} -v "^(Chain|target|$)" | ${WCBINARY} -l | ${TRBINARY} -d ' ')
FIND=$(${IPTABLESBINARY} --list --numeric 2> /dev/null | ${GREPBINARY} -E -v "^(Chain|target|$)" | ${WCBINARY} -l | ${TRBINARY} -d ' ')
if [ -n "${FIND}" ]; then
FIREWALL_ACTIVE=1
if [ ${FIND} -le 5 ]; then
@ -506,7 +506,7 @@
Register --test-no FIRE-4540 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check for empty nftables configuration"
if [ ${SKIPTEST} -eq 0 ]; then
# Check for empty ruleset
NFT_RULES_LENGTH=$(${NFTBINARY} --stateless list ruleset 2> /dev/null | ${EGREPBINARY} -v "table|chain|;$|}$|^$" | ${WCBINARY} -l)
NFT_RULES_LENGTH=$(${NFTBINARY} --stateless list ruleset 2> /dev/null | ${GREPBINARY} -E -v "table|chain|;$|}$|^$" | ${WCBINARY} -l)
if [ ${NFT_RULES_LENGTH} -le 3 ]; then
FIREWALL_EMPTY_RULESET=1
LogText "Result: this firewall set has 3 rules or less and is considered to be empty"

2
include/tests_hardening
View File

@ -99,7 +99,7 @@
else
Display --indent 4 --text "- Installed malware scanner" --result "${STATUS_NOT_FOUND}" --color RED
fi
ReportSuggestion "${TEST_NO}" "Harden the system by installing at least one malware scanner, to perform periodic file system scans" "-" "Install a tool like rkhunter, chkrootkit, OSSEC"
ReportSuggestion "${TEST_NO}" "Harden the system by installing at least one malware scanner, to perform periodic file system scans" "-" "Install a tool like rkhunter, chkrootkit, OSSEC, Wazuh"
AddHP 1 3
LogText "Result: no malware scanner found"
fi

4
include/tests_homedirs
View File

@ -57,7 +57,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
# Check if users' home directories permissions are 750 or more restrictive
FOUND=0
USERDATA=$(${EGREPBINARY} -v '^(daemon|git|halt|root|shutdown|sync)' ${ROOTDIR}etc/passwd | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }')
USERDATA=$(${GREPBINARY} -E -v '^(daemon|git|halt|root|shutdown|sync)' ${ROOTDIR}etc/passwd | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }')
while read -r LINE; do
USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1)
DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6)
@ -93,7 +93,7 @@ EOF
if [ ${SKIPTEST} -eq 0 ]; then
# Check if users own their home directories
FOUND=0
USERDATA=$(${EGREPBINARY} -v '^(daemon|git|halt|root|shutdown|sync)' ${ROOTDIR}etc/passwd | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }')
USERDATA=$(${GREPBINARY} -E -v '^(daemon|git|halt|root|shutdown|sync)' ${ROOTDIR}etc/passwd | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }')
while read -r LINE; do
USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1)
DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6)

6
include/tests_insecure_services
View File

@ -298,7 +298,7 @@
#if [ ${SKIPTEST} -eq 0 ]; then
# # Check presence of Rsh Trust Files
# FOUND=0
# for LINE in $(${CAT_BINARY} /etc/passwd | ${EGREPBINARY} -v '^(root|halt|sync|shutdown)' | ${AWKBINARY} -F: '($7 !="/sbin/nologin" && $7 != "/bin/false") { print }'); do
# for LINE in $(${CAT_BINARY} /etc/passwd | ${GREPBINARY} -E -v '^(root|halt|sync|shutdown)' | ${AWKBINARY} -F: '($7 !="/sbin/nologin" && $7 != "/bin/false") { print }'); do
# USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1)
# DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6)
# if [ -d ${DIR} ]; then
@ -371,7 +371,7 @@
#
#################################################################################
#
# Test : INSE-8312
# Test : INSE-8322
# Description : Check if telnet server is installed
Register --test-no INSE-8322 --package-manager-required --weight L --network NO --category security --description "Check if telnet server is installed"
if [ ${SKIPTEST} -eq 0 ]; then
@ -492,6 +492,8 @@
#
#################################################################################
#
# Test : INSE-8050
# Description : Check for insecure services on macOS
if [ -n "${LAUNCHCTL_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="No launchctl binary on this system"; fi
Register --test-no INSE-8050 --os "macOS" --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight M --network NO --category security --description "Check for insecure services on macOS"
if [ ${SKIPTEST} -eq 0 ]; then

20
include/tests_kernel
View File

@ -49,7 +49,7 @@
LogText "Exception: can't find the target of the symlink of /etc/systemd/system/default.target"
ReportException "${TEST_NO}:01"
else
FIND2=$(${ECHOCMD} ${FIND} | ${EGREPBINARY} "runlevel5|graphical")
FIND2=$(${ECHOCMD} ${FIND} | ${GREPBINARY} -E "runlevel5|graphical")
if HasData "${FIND2}"; then
LogText "Result: Found match on runlevel5/graphical"
Display --indent 2 --text "- Checking default runlevel" --result "runlevel 5" --color GREEN
@ -401,7 +401,7 @@
elif [ -e ${ROOTDIR}etc/rpi-issue ]; then
FINDKERNEL="raspberrypi-kernel"
LogText "Result: ${ROOTDIR}vmlinuz missing due to Raspbian"
elif $(${EGREPBINARY} -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf); then
elif $(${GREPBINARY} -E -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf); then
FINDKERNEL="linux-image-$(uname -r)"
LogText "Result: ${ROOTDIR}vmlinuz missing due to /etc/kernel-img.conf item do_symlinks = No"
else
@ -414,8 +414,8 @@
else
LogText "Result: found kernel '${FINDKERNEL}' which will be used for further testing"
LogText "Test: Using apt-cache policy to determine if there is an update available"
FINDINSTALLED=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ')
FINDCANDIDATE=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Candidate' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ')
FINDINSTALLED=$(apt-cache policy ${FINDKERNEL} | ${GREPBINARY} -E 'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ')
FINDCANDIDATE=$(apt-cache policy ${FINDKERNEL} | ${GREPBINARY} -E 'Candidate' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ')
LogText "Kernel installed: ${FINDINSTALLED}"
LogText "Kernel candidate: ${FINDCANDIDATE}"
if IsEmpty "${FINDINSTALLED}"; then
@ -692,7 +692,7 @@
else
# Match on items like /boot/vm5.3.7 or /boot/vmlinuz-5.3.7-1-default. Sort based on versions (-v) and then find the last item
# Note: ignore a rescue kernel (e.g. CentOS)
FOUND_VMLINUZ=$(${LSBINARY} -v ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${GREPBINARY} -v '\-rescue\-' | ${TAILBINARY} -1)
FOUND_VMLINUZ=$(${LSBINARY} -v ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${GREPBINARY} -v '\-rescue-' | ${TAILBINARY} -1)
LogText "Result: found ${FOUND_VMLINUZ}"
fi
@ -826,7 +826,7 @@
LogText "Check: try to find raspberrypi-kernel file in ${APT_ARCHIVE_DIRECTORY} and extract package date from file name"
FOUND_KERNEL_DATE=$(${FINDBINARY} ${APT_ARCHIVE_DIRECTORY} -name "raspberrypi-kernel*" -printf "%T@ %Tc %p\n" 2> /dev/null \
| ${SORTBINARY} -nr | ${HEADBINARY} -1 | ${GREPBINARY} -o "raspberrypi-kernel.*deb" | ${EGREPBINARY} -o "\.[0-9]+" | ${SEDBINARY} 's/\.//g')
| ${SORTBINARY} -nr | ${HEADBINARY} -1 | ${GREPBINARY} -o "raspberrypi-kernel.*deb" | ${GREPBINARY} -E -o "\.[0-9]+" | ${SEDBINARY} 's/\.//g')
if [ -n "${FOUND_KERNEL_DATE}" ]; then
FOUND_KERNEL_IN_SECONDS=$(date -d "${FOUND_KERNEL_DATE}" "+%s" 2> /dev/null)
@ -851,21 +851,21 @@
next="month"
fi
elif [ "$next" = "month" ]; then
if [ $(${ECHOCMD} "${part}" | ${EGREPBINARY} -c "[A-Z][a-z]") -ge 1 ]; then
if [ $(${ECHOCMD} "${part}" | ${GREPBINARY} -E -c "[A-Z][a-z]") -ge 1 ]; then
UNAME_DATE_MONTH="${part}"
next="day"
fi
elif [ "${next}" = "day" ]; then
if [ $(${ECHOCMD} ${part} | ${EGREPBINARY} -c "[0-9][0-9]") -ge 1 ]; then
if [ $(${ECHOCMD} ${part} | ${GREPBINARY} -E -c "[0-9][0-9]") -ge 1 ]; then
UNAME_DATE_DAY="${part}"
next="time"
fi
elif [ "${next}" = "time" ]; then
if [ $(${ECHOCMD} ${part} | ${EGREPBINARY} -c ":[0-9][0-9]:") -ge 1 ]; then
if [ $(${ECHOCMD} ${part} | ${GREPBINARY} -E -c ":[0-9][0-9]:") -ge 1 ]; then
next="year"
fi
elif [ "${next}" = "year" ]; then
if [ $(${ECHOCMD} ${part} | ${EGREPBINARY} -c "[0-9][0-9]") -ge 1 ]; then
if [ $(${ECHOCMD} ${part} | ${GREPBINARY} -E -c "[0-9][0-9]") -ge 1 ]; then
UNAME_DATE_YEAR="${part}"
break
fi

57
include/tests_logging
View File

@ -28,6 +28,7 @@
METALOG_RUNNING=0
RFC3195D_RUNNING=0
RSYSLOG_RUNNING=0
WAZUH_AGENT_RUNNING=0
SOLARIS_LOGHOST=""
SOLARIS_LOGHOST_FOUND=0
SOLARIS_LOGHOST_LOCALHOST=0
@ -45,7 +46,7 @@
Register --test-no LOGG-2130 --weight L --network NO --category security --description "Check for running syslog daemon"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching for a logging daemon"
FIND=$(${PSBINARY} ax | ${EGREPBINARY} "syslogd|syslog-ng|metalog|systemd-journal" | ${GREPBINARY} -v "grep")
FIND=$(${PSBINARY} ax | ${GREPBINARY} -E "syslogd|syslog-ng|metalog|systemd-journal" | ${GREPBINARY} -v "grep")
if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Checking for a running log daemon" --result "${STATUS_WARNING}" --color RED
LogText "Result: Could not find a syslog daemon like syslog, syslog-ng, rsyslog, metalog, systemd-journal"
@ -220,6 +221,23 @@
fi
#
#################################################################################
#
# Test : LOGG-2144
# Description : Check for wazuh-agent presence on Linux systems
Register --test-no LOGG-2144 --os Linux --weight L --network NO --category security --description "Checking wazuh-agent"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Result: Searching for wazuh-agent instances in the process list"
if IsRunning "wazuh-agent"; then
LogText "Result: Found wazuh-agent in process list"
Display --indent 4 --text "- Checking wazuh-agent status" --result "${STATUS_FOUND}" --color GREEN
WAZUH_AGENT_RUNNING=1
else
LogText "Result: wazuh-agent NOT found in process list"
Display --indent 4 --text "- Checking wazuh-agent daemon status" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
#################################################################################
#
# Test : LOGG-2146
# Description : Check for logrotate (/etc/logrotate.conf and logrotate.d)
@ -261,7 +279,7 @@
Register --test-no LOGG-2148 --weight L --preqs-met ${PREQS_MET} --network NO --category security --description "Checking logrotated files"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking which files are rotated with logrotate and if they exist"
FIND=$(${LOGROTATEBINARY} -d -v ${ROOTDIR}etc/logrotate.conf 2>&1 | ${EGREPBINARY} "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2!="log") { print "File:"$2":does_not_exist" } else { print "File:"$3":exists" } }')
FIND=$(${LOGROTATEBINARY} -d -v ${ROOTDIR}etc/logrotate.conf 2>&1 | ${GREPBINARY} -E "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2!="log") { print "File:"$2":does_not_exist" } else { print "File:"$3":exists" } }')
if [ -z "${FIND}" ]; then
LogText "Result: nothing found"
else
@ -280,7 +298,7 @@
Register --test-no LOGG-2150 --weight L --preqs-met ${PREQS_MET} --network NO --category security --description "Checking directories in logrotate configuration"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking which directories can be found in logrotate configuration"
FIND=$(${LOGROTATEBINARY} -d -v ${ROOTDIR}etc/logrotate.conf 2>&1 | ${EGREPBINARY} "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="log") { print $3 } }' | ${SEDBINARY} 's@/[^/]*$@@g' | ${SORTBINARY} -u)
FIND=$(${LOGROTATEBINARY} -d -v ${ROOTDIR}etc/logrotate.conf 2>&1 | ${GREPBINARY} -E "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="log") { print $3 } }' | ${SEDBINARY} 's@/[^/]*$@@g' | ${SORTBINARY} -u)
if IsEmpty "${FIND}"; then
LogText "Result: nothing found"
else
@ -345,7 +363,7 @@
if [ ${SOLARIS_LOGHOST_FOUND} -eq 1 ] && [ -n "${SOLARIS_LOGHOST}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2153 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking loghost is localhost"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(echo "${SOLARIS_LOGHOST}" | ${AWKBINARY} '{ print $1 }' | ${EGREPBINARY} "::1|127.0.0.1|127.1")
FIND=$(echo "${SOLARIS_LOGHOST}" | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} -E "::1|127.0.0.1|127.1")
if [ -n "${FIND}" ]; then
SOLARIS_LOGHOST_LOCALHOST=1
LogText "Result: loghost entry is localhost (default)"
@ -371,7 +389,7 @@
TARGET="${ROOTDIR}etc/rsyslog.conf"
if [ -f ${TARGET} ]; then
LogText "Test: analyzing file ${TARGET} for remote target"
DATA=$(${EGREPBINARY} "@@?([a-zA-Z0-9\-])+(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?" ${TARGET} | ${GREPBINARY} -v "#" | ${TRBINARY} -cd "[:print:]\n" | ${SEDBINARY} 's/[[:blank:]]\{1,\}/:space:/g')
DATA=$(${GREPBINARY} -E "@@?([a-zA-Z0-9\-])+(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?" ${TARGET} | ${GREPBINARY} -v "#" | ${TRBINARY} -cd "[:print:]\n" | ${SEDBINARY} 's/[[:blank:]]\{1,\}/:space:/g')
if [ -z "${DATA}" ]; then
LogText "Result: no remote target found"
else
@ -391,7 +409,7 @@
for F in ${FILES}; do
F=$(echo ${F} | ${SEDBINARY} 's/:space:/ /g')
LogText "Test: analyzing file ${F} for remote target"
DATA=$(${EGREPBINARY} "@@?([a-zA-Z0-9\-])+(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?" ${F} | ${GREPBINARY} -v "#" | ${TRBINARY} -cd "[:print:]\n" | ${SEDBINARY} 's/[[:blank:]]\{1,\}/:space:/g')
DATA=$(${GREPBINARY} -E "@@?([a-zA-Z0-9\-])+(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?" ${F} | ${GREPBINARY} -v "#" | ${TRBINARY} -cd "[:print:]\n" | ${SEDBINARY} 's/[[:blank:]]\{1,\}/:space:/g')
if [ -n "${DATA}" ]; then
LogText "Result: found remote target"
REMOTE_LOGGING_ENABLED=1
@ -403,7 +421,7 @@
done
else
# Check new style configuration (omrelp/omfwd). This can be all on one line or even split over multiple lines.
DATA=$(${EGREPBINARY} "target=\"([a-zA-Z0-9\-])" ${F})
DATA=$(${GREPBINARY} -E "target=\"([a-zA-Z0-9\-])" ${F})
if [ -n "${DATA}" ]; then
LogText "Result: most likely remote log host is used, as keyword 'target' is used"
REMOTE_LOGGING_ENABLED=1
@ -424,7 +442,7 @@
if [ -f ${SYSLOGD_CONF} ]; then
LogText "Test: check if logs are also logged to a remote logging host"
FIND=$(${EGREPBINARY} "@[a-zA-Z0-9]|destination\s.+(udp|tcp).+\sport" ${SYSLOGD_CONF} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "[a-zA-Z0-9]@")
FIND=$(${GREPBINARY} -E "@[a-zA-Z0-9]|destination\s.+(udp|tcp).+\sport" ${SYSLOGD_CONF} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "[a-zA-Z0-9]@")
if [ -n "${FIND}" ]; then
FIND2=$(echo "${FIND}" | ${GREPBINARY} -v "@loghost")
if [ ${SOLARIS_LOGHOST_LOCALHOST} -eq 1 ] && [ -z "${FIND2}" ]; then
@ -435,9 +453,9 @@
fi
else
# Search for configured destinations with an IP address or hostname, then determine which ones are used as a log destination
DESTINATIONS=$(${GREPBINARY} "^destination" ${SYSLOGD_CONF} | ${EGREPBINARY} "(udp|tcp)" | ${GREPBINARY} "port" | ${AWKBINARY} '{print $2}')
DESTINATIONS=$(${GREPBINARY} "^destination" ${SYSLOGD_CONF} | ${GREPBINARY} -E "(udp|tcp)" | ${GREPBINARY} "port" | ${AWKBINARY} '{print $2}')
for DESTINATION in ${DESTINATIONS}; do
FIND2=$(${GREPBINARY} "log" ${SYSLOGD_CONF} | ${GREPBINARY} "source" | ${EGREPBINARY} "destination\(${DESTINATION}\)")
FIND2=$(${GREPBINARY} "log" ${SYSLOGD_CONF} | ${GREPBINARY} "source" | ${GREPBINARY} -E "destination\(${DESTINATION}\)")
if [ -n "${FIND2}" ]; then
LogText "Result: found destination ${DESTINATION} configured for remote logging"
REMOTE_LOGGING_ENABLED=1
@ -446,6 +464,21 @@
fi
fi
# Test wazuh-agent configuration for syslog configuration
if [ ${WAZUH_AGENT_RUNNING} ]; then
WAZUH_AGENT_CONF="/var/ossec/etc/ossec.conf"
fi
if [ -f ${WAZUH_AGENT_CONF} ]; then
LogText "Test: Checking Wazuh agent configuration for remote syslog forwarding"
FIND=$(${EGREPBINARY} '<location>/var/log/syslog</location>' ${WAZUH_AGENT_CONF})
if [ "${FIND}" ]; then
DESTINATION=$(${EGREPBINARY} -o '<address>([A-Za-z0-9\.\-\_]*)</address>' ${WAZUH_AGENT_CONF} | sed 's/<address>//' | sed 's/<\/address>//')
LogText "Result: found destination ${DESTINATION} configured for remote logging with wazuh"
REMOTE_LOGGING_ENABLED=1
fi
fi
# Show result
if [ ${REMOTE_LOGGING_ENABLED} -eq 0 ]; then
Report "remote_syslog_configured=0"
@ -539,7 +572,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking open log files with lsof"
if [ -n "${LSOFBINARY}" ]; then
FIND=$(${LSOFBINARY}${LSOF_EXTRA_OPTIONS} -n 2>&1 | ${GREPBINARY} "log$" | ${EGREPBINARY} -v "WARNING|Output information" | ${AWKBINARY} '{ if ($5=="REG") { print $9 } }' | ${SORTBINARY} -u | ${GREPBINARY} -v "^$")
FIND=$(${LSOFBINARY}${LSOF_EXTRA_OPTIONS} -n 2>&1 | ${GREPBINARY} "log$" | ${GREPBINARY} -E -v "WARNING|Output information" | ${AWKBINARY} '{ if ($5=="REG") { print $9 } }' | ${SORTBINARY} -u | ${GREPBINARY} -v "^$")
for I in ${FIND}; do
LogText "Found logfile: ${I}"
done
@ -572,7 +605,7 @@
LSOF_GREP="${LSOF_GREP}|anacron|awk|run-parts"
fi
FIND=$(${LSOFBINARY}${LSOF_EXTRA_OPTIONS} -n +L 1 2>&1 | ${EGREPBINARY} -vw "${LSOF_GREP}" | ${EGREPBINARY} -v '/dev/zero|/\[aio\]' | ${AWKBINARY} '{ if ($5=="REG") { printf "%s(%s)\n", $10, $1 } }' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u)
FIND=$(${LSOFBINARY}${LSOF_EXTRA_OPTIONS} -n +L 1 2>&1 | ${GREPBINARY} -E -vw "${LSOF_GREP}" | ${GREPBINARY} -E -v '/dev/zero|/\[aio\]' | ${AWKBINARY} '{ if ($5=="REG") { printf "%s(%s)\n", $10, $1 } }' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u)
if [ -n "${FIND}" ]; then
LogText "Result: found one or more files which are deleted, but still in use"
for I in ${FIND}; do

12
include/tests_mac_frameworks
View File

@ -158,10 +158,14 @@
Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_WARNING}" --color RED
fi
Display --indent 8 --text "Current SELinux mode: ${FIND}"
PERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${TRBINARY} '\n' ' ')
NPERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${WCBINARY} -l)
Display --indent 8 --text "Found ${NPERMISSIVE} permissive SELinux object types"
LogText "Permissive SELinux object types: ${PERMISSIVE}"
if [ -n "${SEMANAGEBINARY}" ]; then
PERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${TRBINARY} '\n' ' ')
NPERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${WCBINARY} -l)
Display --indent 8 --text "Found ${NPERMISSIVE} permissive SELinux object types"
LogText "Permissive SELinux object types: ${PERMISSIVE}"
else
LogText "Result: semanage binary NOT found, can't analyse permissive domains"
fi
UNCONFINED=$(${PSBINARY} -eo label,pid,command | ${GREPBINARY} '[u]nconfined_t' | ${TRBINARY} '\n' ' ')
INITRC=$(${PSBINARY} -eo label,pid,command | ${GREPBINARY} '[i]nitrc_t' | ${TRBINARY} '\n' ' ')
NUNCONFINED=$(${PSBINARY} -eo label | ${GREPBINARY} '[u]nconfined_t' | ${WCBINARY} -l)

10
include/tests_mail_messaging
View File

@ -70,18 +70,18 @@
unset FIND FIND2 FIND3 FIND4
# Local Only
FIND=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^nonlocal')
FIND=$(echo "${EXIM_ROUTERS}" | ${GREPBINARY} -E '^nonlocal')
# Internet Host
FIND2=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^dnslookup_relay_to_domains')
FIND2=$(echo "${EXIM_ROUTERS}" | ${GREPBINARY} -E '^dnslookup_relay_to_domains')
# Smarthost or Satellite
FIND3=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^smarthost')
FIND3=$(echo "${EXIM_ROUTERS}" | ${GREPBINARY} -E '^smarthost')
if [ -n "${FIND}" ]; then
EXIM_TYPE="LOCAL ONLY"
elif [ -n "${FIND2}" ]; then
EXIM_TYPE="INTERNET HOST"
elif [ -n "${FIND3}" ]; then
FIND4=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^hub_user_smarthost')
FIND4=$(echo "${EXIM_ROUTERS}" | ${GREPBINARY} -E '^hub_user_smarthost')
if [ -n "${FIND4}" ]; then
EXIM_TYPE="SATELLITE"
else
@ -415,7 +415,7 @@
Register --test-no MAIL-8920 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check OpenSMTPD status"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check smtpd status"
FIND=$(${PSBINARY} ax | ${EGREPBINARY} "(/smtpd|smtpd: \[priv\]|smtpd: smtp)" | ${GREPBINARY} -v "grep")
FIND=$(${PSBINARY} ax | ${GREPBINARY} -E "(/smtpd|smtpd: \[priv\]|smtpd: smtp)" | ${GREPBINARY} -v "grep")
if [ ! "${FIND}" = "" ]; then
LogText "Result: found running smtpd process"
Display --indent 2 --text "- OpenSMTPD status" --result "${STATUS_RUNNING}" --color GREEN

47
include/tests_malware
View File

@ -39,6 +39,7 @@
MALWARE_SCANNER_INSTALLED=0
MALWARE_DAEMON_RUNNING=0
ROOTKIT_SCANNER_FOUND=0
SENTINELONE_SCANNER_RUNNING=0
SOPHOS_SCANNER_RUNNING=0
SYMANTEC_SCANNER_RUNNING=0
SYNOLOGY_DAEMON_RUNNING=0
@ -52,16 +53,12 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking presence McAfee VirusScan for Command Line"
if [ -x /usr/local/uvscan/uvscan ]; then
Display --indent 2 --text "- ${GEN_CHECKING} McAfee VirusScan for Command Line" --result "${STATUS_FOUND}" --color GREEN
Display --indent 2 --text "- ${GEN_CHECKING} McAfee VirusScan for Command Line (deprecated)" --result "${STATUS_FOUND}" --color RED
LogText "Result: Found ${MCAFEECLBINARY}"
MALWARE_SCANNER_INSTALLED=1
AddHP 2 2
Report "malware_scanner[]=mcafeecl"
else
LogText "Result: McAfee VirusScan for Command Line not found"
fi
AddHP 0 2
LogText "Result: McAfee Antivirus for Linux has been deprecated as of 1 Oct 2023 and will not receive updates. Please use another antivirus instead."
fi
fi
#
#################################################################################
#
# Test : MALW-3275
@ -128,7 +125,7 @@
# Avast (macOS)
LogText "Test: checking process com.avast.daemon"
if IsRunning "com.avast.daemon"; then
if IsRunning --full "com.avast.daemon"; then
FOUND=1
AVAST_DAEMON_RUNNING=1
MALWARE_DAEMON_RUNNING=1
@ -231,6 +228,20 @@
Report "malware_scanner[]=mcafee"
fi
# SentinelOne
LogText "Text: checking process sentineld (SentinelOne)"
if IsRunning "sentineld"; then SENTINELONE_SCANNER_RUNNING=1; fi # macOS
if IsRunning "s1-agent"; then SENTINELONE_SCANNER_RUNNING=1; fi # Linux
if IsRunning "SentinelAgent"; then SENTINELONE_SCANNER_RUNNING=1; fi # Windows
if [ ${SENTINELONE_SCANNER_RUNNING} -eq 1 ]; then
FOUND=1
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} SentinelOne" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: Found SentinelOne"
MALWARE_DAEMON_RUNNING=1
MALWARE_SCANNER_INSTALLED=1
Report "malware_scanner[]=sentinelone"
fi
# Sophos savscand/SophosScanD
LogText "Test: checking process savscand"
if IsRunning "savscand"; then
@ -354,6 +365,24 @@
fi
#
#################################################################################
#
# Test : MALW-3291
# Description : Check if Microsoft Defender Antivirus is installed
Register --test-no MALW-3291 --weight L --network NO --category security --description "Check for mdatp"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking presence mdatp"
if [ ! "${MDATPBINARY}" = "" ]; then
Display --indent 2 --text "- Checking Microsoft Defender Antivirus" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found ${MDATPBINARY}"
MALWARE_SCANNER_INSTALLED=1
AddHP 2 2
Report "malware_scanner[]=mdatp"
else
LogText "Result: mdatp couldn't be found"
fi
fi
#
#################################################################################
#
# Test : MALW-3286
# Description : Check running freshclam if clamd process is running

10
include/tests_nameservices
View File

@ -339,7 +339,7 @@
Register --test-no NAME-4210 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check DNS banner"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Trying to determine version from banner"
FIND=$(${DIGBINARY} @localhost version.bind chaos txt | ${GREPBINARY} "^version.bind" | ${GREPBINARY} TXT | ${EGREPBINARY} "[0-9].[0-9].[0-9]*")
FIND=$(${DIGBINARY} @localhost version.bind chaos txt | ${GREPBINARY} "^version.bind" | ${GREPBINARY} TXT | ${GREPBINARY} -E "[0-9].[0-9].[0-9]*")
if [ "${FIND}" = "" ]; then
LogText "Result: no useful information in banner found"
Display --indent 4 --text "- Checking BIND version in banner" --result "${STATUS_OK}" --color GREEN
@ -485,7 +485,7 @@
LogText "Result: ypldap is running"
Display --indent 2 --text "- Checking ypldap status" --result "${STATUS_FOUND}" --color GREEN
else
ReportSuggestion "Disable the usage of NIS/NIS+ and use an alternative like LDAP or Kerberos instead"
ReportSuggestion "${TEST_NO}" "Disable the usage of NIS/NIS+ and use an alternative like LDAP or Kerberos instead"
fi
else
LogText "Result: ypbind is not active"
@ -571,7 +571,7 @@
Register --test-no NAME-4402 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check duplicate line in /etc/hosts"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check duplicate line in ${ROOTDIR}etc/hosts"
OUTPUT=$(${AWKBINARY} '{ print $1, $2 }' ${ROOTDIR}etc/hosts | ${EGREPBINARY} -v '^(#|$)' | ${EGREPBINARY} "[a-f0-9]" | ${SORTBINARY} | ${UNIQBINARY} -d)
OUTPUT=$(${AWKBINARY} '{ print $1, $2 }' ${ROOTDIR}etc/hosts | ${GREPBINARY} -E -v '^(#|$)' | ${GREPBINARY} -E "[a-f0-9]" | ${SORTBINARY} | ${UNIQBINARY} -d)
if [ -z "${OUTPUT}" ]; then
LogText "Result: OK, no duplicate lines found"
Display --indent 4 --text "- Duplicate entries in hosts file" --result "${STATUS_NONE}" --color GREEN
@ -592,7 +592,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Check /etc/hosts contains an entry for this server name"
if [ -n "${HOSTNAME}" ]; then
DATA=$(${EGREPBINARY} -v '^(#|$|^::1\s|localhost)' ${ROOTDIR}etc/hosts | ${GREPBINARY} -i ${HOSTNAME})
DATA=$(${GREPBINARY} -E -v '^(#|$|^::1\s|localhost)' ${ROOTDIR}etc/hosts | ${GREPBINARY} -i ${HOSTNAME})
if [ -n "${DATA}" ]; then
LogText "Result: Found entry for ${HOSTNAME} in ${ROOTDIR}etc/hosts"
Display --indent 4 --text "- Presence of configured hostname in /etc/hosts" --result "${STATUS_FOUND}" --color GREEN
@ -615,7 +615,7 @@
Register --test-no NAME-4406 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check server hostname mapping"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Check server hostname not locally mapped in ${ROOTDIR}etc/hosts"
DATA=$(${EGREPBINARY} -v '^(#|$)' ${ROOTDIR}etc/hosts | ${EGREPBINARY} '^(localhost|::1)\s' | ${GREPBINARY} -w ${HOSTNAME})
DATA=$(${GREPBINARY} -E -v '^(#|$)' ${ROOTDIR}etc/hosts | ${GREPBINARY} -E '^(localhost|::1)\s' | ${GREPBINARY} -w ${HOSTNAME})
if [ -n "${DATA}" ]; then
LogText "Result: Found this server hostname mapped to a local address"
LogText "Output: ${DATA}"

6
include/tests_networking
View File

@ -280,7 +280,7 @@
Register --test-no NETW-3001 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Find default gateway (route)"
if [ $SKIPTEST -eq 0 ]; then
LogText "Test: Searching default gateway(s)"
FIND=$(${NETSTATBINARY} -rn | ${EGREPBINARY} "^0.0.0.0|default" | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f2)
FIND=$(${NETSTATBINARY} -rn | ${GREPBINARY} -E "^0.0.0.0|default" | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f2)
if [ -n "${FIND}" ]; then
for I in ${FIND}; do
LogText "Result: Found default gateway ${I}"
@ -750,7 +750,7 @@
UNCOMMON_PROTOCOL_DISABLED=0
# First check modprobe.conf
if [ -f ${ROOTDIR}etc/modprobe.conf ]; then
DATA=$(${GREPBINARY} "^install \+${P} \+/bin/true$" ${ROOTDIR}etc/modprobe.conf)
DATA=$(${GREPBINARY} "^install \+${P} \+/bin/(true|false)$" ${ROOTDIR}etc/modprobe.conf)
if [ -n "${DATA}" ]; then
LogText "Result: found ${P} module disabled via modprobe.conf"
UNCOMMON_PROTOCOL_DISABLED=1
@ -759,7 +759,7 @@
# Then additional modprobe configuration files
if [ -d ${ROOTDIR}etc/modprobe.d ]; then
# Return file names (-l) and suppress errors (-s)
DATA=$(${GREPBINARY} -l -s "^install \+${P} \+/bin/true$" ${ROOTDIR}etc/modprobe.d/*)
DATA=$(${GREPBINARY} -l -s "^install \+${P} \+/bin/(true|false)$" ${ROOTDIR}etc/modprobe.d/*)
if [ -n "${DATA}" ]; then
UNCOMMON_PROTOCOL_DISABLED=1
for F in ${DATA}; do

18
include/tests_php
View File

@ -285,9 +285,9 @@
# Test : PHP-2368
# Description : Check php register_globals option
# Notes : Don't test for it if PHP version is 5.4.0 or later (it has been removed)
if [ -n "${PHPINIFILE}" -a -n "${PHPVERSION}" -a -n "${EGREPBINARY}" ]; then
if [ -n "${PHPINIFILE}" -a -n "${PHPVERSION}" -a -n "${GREPBINARY}" ]; then
if [ -f "${PHPINIFILE}" ]; then
FIND=$(echo ${PHPVERSION} | ${EGREPBINARY} "^(4.|5.[0-3])")
FIND=$(echo ${PHPVERSION} | ${GREPBINARY} -E "^(4.|5.[0-3])")
if [ -z "${FIND}" ]; then
PREQS_MET="NO"; Debug "Found most likely PHP version 5.4.0 or higher (${PHPVERSION}) which does not use register_globals"
else
@ -305,7 +305,7 @@
Register --test-no PHP-2368 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP register_globals option"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking PHP register_globals option"
FIND=$(${EGREPBINARY} -i 'register_globals.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
FIND=$(${GREPBINARY} -E -i 'register_globals.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
if [ -n "${FIND}" ]; then
Display --indent 4 --text "- Checking register_globals option" --result "${STATUS_WARNING}" --color RED
ReportWarning "${TEST_NO}" "PHP option register_globals option is turned on, which can be a risk for variable value overwriting"
@ -338,7 +338,7 @@
;;
esac
LogText "Test: Checking file ${FILE}"
FIND=$(${EGREPBINARY} -i 'expose_php.*(on|yes|1)' ${FILE} | ${GREPBINARY} -v '^;')
FIND=$(${GREPBINARY} -E -i 'expose_php.*(on|yes|1)' ${FILE} | ${GREPBINARY} -v '^;')
if HasData "${FIND}"; then
LogText "Result: found a a possible match on expose_php setting"
LogText "Data: ${FIND}"
@ -367,7 +367,7 @@
Register --test-no PHP-2374 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP enable_dl option"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking PHP enable_dl option"
FIND=$(${EGREPBINARY} -i 'enable_dl.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
FIND=$(${GREPBINARY} -E -i 'enable_dl.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
if [ -n "${FIND}" ]; then
Display --indent 4 --text "- Checking enable_dl option" --result "${STATUS_ON}" --color YELLOW
Report "Result: enable_dl option is turned on, which can be used to enable more modules dynamically and circumventing security controls"
@ -389,7 +389,7 @@
Register --test-no PHP-2376 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP allow_url_fopen option"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking PHP allow_url_fopen option"
FIND=$(${EGREPBINARY} -i 'allow_url_fopen.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
FIND=$(${GREPBINARY} -E -i 'allow_url_fopen.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
if [ -z "${FIND}" ]; then
Display --indent 4 --text "- Checking allow_url_fopen option" --result "${STATUS_ON}" --color YELLOW
LogText "Result: allow_url_fopen option is turned on, which can be used for downloads via PHP and is a security risk"
@ -412,7 +412,7 @@
Register --test-no PHP-2378 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP allow_url_include option"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking PHP allow_url_include option"
FIND=$(${EGREPBINARY} -i 'allow_url_include.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
FIND=$(${GREPBINARY} -E -i 'allow_url_include.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
if [ -z "${FIND}" ]; then
Display --indent 4 --text "- Checking allow_url_include option" --result "${STATUS_ON}" --color YELLOW
Report "Result: allow_url_include option is turned on, which can be used for downloads via PHP and is a risk"
@ -436,7 +436,7 @@
#if [ ${SKIPTEST} -eq 0 ]; then
# FOUND=0
# SIMULATION=0
# MAJOR_VERSION=$(echo ${PHPVERSION} | ${EGREPBINARY} "^7")
# MAJOR_VERSION=$(echo ${PHPVERSION} | ${GREPBINARY} -E "^7")
# if [ "${OS}" = "OpenBSD" ]; then
# FOUND=1 # On OpenBSD, Suhosin is hard linked into PHP
# SIMULATION=off
@ -519,7 +519,7 @@
;;
esac
LogText "Test: Checking file ${FILE}"
FIND=$(${EGREPBINARY} -i "^listen = [0-9]{1,5}$" ${FILE})
FIND=$(${GREPBINARY} -E -i "^listen = [0-9]{1,5}$" ${FILE})
if HasData "${FIND}"; then
LogText "Result: found listen on just a port number"
LogText "Data: ${FIND}"

25
include/tests_ports_packages
View File

@ -127,11 +127,15 @@
LogText "Test: Querying brew to get package list"
Display --indent 4 --text "- Querying brew for installed packages"
LogText "Output:"; LogText "-----"
GPACKAGES=$(brew list)
for J in ${GPACKAGES}; do
LogText "Found package ${J}"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J}"
done
GPACKAGES=$(brew list --versions)
while IFS= read -r PKG; do
PACKAGE_NAME=$(echo ${PKG} | ${CUTBINARY} -d ' ' -f1)
PACKAGE_VERSION=$(echo ${PKG} | ${CUTBINARY} -d ' ' -f2)
LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
done << EOF
$GPACKAGES
EOF
else
LogText "Result: brew can NOT be found on this system"
fi
@ -347,12 +351,13 @@
Register --test-no PKGS-7322 --os "Linux" --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Discover vulnerable packages with arch-audit"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking arch-audit output for vulnerable packages"
FIND=$(${ARCH_AUDIT_BINARY} | ${SEDBINARY} 's/\.\..*$//' | ${SEDBINARY} 's/, //g' | ${SEDBINARY} 's/\(\["\|"\]\)//g' | ${SEDBINARY} 's/""/,/g' | ${AWKBINARY} '{ if($1=="Package") { print $2"|"$6"|"}}' | ${AWKBINARY} -F'|' 'NF>1{a[$1] = a[$1]","$2}END{for(i in a){print i""a[i]"|"}}' | ${SEDBINARY} 's/,/|cve=/' | ${SORTBINARY})
FIND=$(${ARCH_AUDIT_BINARY} | ${SEDBINARY} 's/ High risk!//' | ${SEDBINARY} 's/ Medium risk!//' | ${SEDBINARY} 's/ Low risk!//' | ${SEDBINARY} 's/\.\..*$//' | ${SEDBINARY} 's/, /,/g' | ${SEDBINARY} 's/\(\["\|"\]\)//g' | ${SEDBINARY} 's/""/,/g' | ${AWKBINARY} '{if ($0 ~ /is affected by CVE\-/) {print $1"|"$5"|"} else {ORS=""; print $1"|"; for (i=5; i<=NF; i++)print $i; print "\n"; ORS="\n"}}'| ${AWKBINARY} -F'|' 'NF>1{a[$1] = a[$1]","$2}END{for(i in a){print i""a[i]"|"}}' | ${SEDBINARY} 's/,CVE-/|cve=CVE-/' | ${SORTBINARY})
if [ -z "${FIND}" ]; then
LogText "Result: no vulnerable packages found with arch-audit"
AddHP 10 10
else
LogText "Result: found one or more vulnerable packages"
VULNERABLE_PACKAGES_FOUND=1
for ITEM in ${FIND}; do
LogText "Found line: ${ITEM}"
Report "vulnerable_package[]=${ITEM}"
@ -836,7 +841,7 @@
Register --test-no PKGS-7383 --preqs-met ${PREQS_MET} --os Linux --weight M --network NO --category security --description "Check for YUM package update management"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: YUM package update management"
FIND=$(${YUMBINARY} repolist 2>/dev/null | ${GREPBINARY} repolist | ${SEDBINARY} 's/[[:blank:]]//g' | ${SEDBINARY} 's/[,.]//g' | ${AWKBINARY} -F ":" '{print $2}' | ${EGREPBINARY} "^[0-9]+$")
FIND=$(${YUMBINARY} repolist 2>/dev/null | ${GREPBINARY} repolist | ${SEDBINARY} 's/[[:blank:]]//g' | ${SEDBINARY} 's/[,.]//g' | ${AWKBINARY} -F ":" '{print $2}' | ${GREPBINARY} -E "^[0-9]+$")
if [ -z "${FIND}" -o "${FIND}" = "0" ]; then
LogText "Result: YUM package update management failed"
Display --indent 2 --text "- YUM package management consistency" --result "${STATUS_WARNING}" --color RED
@ -1030,7 +1035,7 @@
if [ ${OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY} -eq 0 ]; then
if [ -f ${ROOTDIR}etc/apt/sources.list ]; then
LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list file"
FIND=$(${EGREPBINARY} "security.debian.org|security.ubuntu.com|security/? " ${ROOTDIR}etc/apt/sources.list | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g')
FIND=$(${GREPBINARY} -E "security.debian.org|security.ubuntu.com|security/? " ${ROOTDIR}etc/apt/sources.list | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g')
if [ -n "${FIND}" ]; then
FOUND=1
Display --indent 2 --text "- Checking security repository in sources.list file" --result "${STATUS_OK}" --color GREEN
@ -1043,7 +1048,7 @@
fi
if [ -d /etc/apt/sources.list.d ]; then
LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list.d directory"
FIND=$(${EGREPBINARY} -r "security.debian.org|security.ubuntu.com|security/? " /etc/apt/sources.list.d | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g')
FIND=$(${GREPBINARY} -E -r "security.debian.org|security.ubuntu.com|security/? " /etc/apt/sources.list.d | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g')
if [ -n "${FIND}" ]; then
FOUND=1
Display --indent 2 --text "- Checking security repository in sources.list.d directory" --result "${STATUS_OK}" --color GREEN
@ -1338,7 +1343,7 @@
if [ "${DPKGBINARY}" ]; then
TESTED=1
KERNEL_PKG_NAMES="linux-image-[0-9]|raspberrypi-kernel|pve-kernel-[0-9]"
KERNELS=$(${DPKGBINARY} -l 2> /dev/null | ${EGREPBINARY} "${KERNEL_PKG_NAMES}" | ${WCBINARY} -l)
KERNELS=$(${DPKGBINARY} -l 2> /dev/null | ${GREPBINARY} -E "${KERNEL_PKG_NAMES}" | ${WCBINARY} -l)
if [ ${KERNELS} -eq 0 ]; then
LogText "Result: found no kernels from dpkg -l output, which is unexpected"
elif [ ${KERNELS} -gt 5 ]; then

6
include/tests_printers_spoolers
View File

@ -144,14 +144,14 @@
LogText "Test: Checking CUPS daemon listening network addresses"
# Search for Port statement
FIND=$(${EGREPBINARY} "^Port 631" ${CUPSD_CONFIG_FILE})
FIND=$(${GREPBINARY} -E "^Port 631" ${CUPSD_CONFIG_FILE})
if [ -n "${FIND}" ]; then
LogText "Result: found CUPS listening on port 631 (most likely all interfaces)"
PORT_FOUND=1
fi
# Checking network addresses
FIND=$(${EGREPBINARY} "^(SSL)?Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} -v "/" | ${AWKBINARY} '{ print $2 }')
FIND=$(${GREPBINARY} -E "^(SSL)?Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} -v "/" | ${AWKBINARY} '{ print $2 }')
COUNT=0
for ITEM in ${FIND}; do
LogText "Result: found network address: ${ITEM}"
@ -222,7 +222,7 @@
QDAEMON_CONFIG_FILE="${ROOTDIR}etc/qconfig"
FileIsReadable ${QDAEMON_CONFIG_FILE}
if [ ${CANREAD} -eq 1 ]; then
FIND=$(${GREPBINARY} -v "^\*" ${QDAEMON_CONFIG_FILE} | ${EGREPBINARY} "backend|device")
FIND=$(${GREPBINARY} -v "^\*" ${QDAEMON_CONFIG_FILE} | ${GREPBINARY} -E "backend|device")
if [ -n "${FIND}" ]; then
LogText "Result: printers are defined in ${QDAEMON_CONFIG_FILE}"
Display --indent 2 --text "- Checking /etc/qconfig file" --result "${STATUS_FOUND}" --color GREEN

16
include/tests_scheduling
View File

@ -35,7 +35,7 @@
# Description : Check cron daemon
Register --test-no SCHD-7702 --weight L --network NO --category security --description "Check status of cron daemon"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${PSBINARY} aux | ${EGREPBINARY} "( cron$|/cron(d)? )")
FIND=$(${PSBINARY} aux | ${GREPBINARY} -E "( cron$|/cron(d)? )")
if IsEmpty "${FIND}"; then
LogText "Result: no cron daemon found"
else
@ -55,12 +55,12 @@
BAD_FILE_PERMISSIONS=0
BAD_FILE_OWNERSHIP=0
FindCronJob() {
sCRONJOBS=$(${EGREPBINARY} '^([0-9*])' $1 | ${TRBINARY} '\t' ' ' | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | ${SORTBINARY})
sCRONJOBS=$(${GREPBINARY} -E '^([0-9*])' $1 | ${TRBINARY} '\t' ' ' | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | ${SORTBINARY})
}
CRONTAB_FILE="${ROOTDIR}etc/crontab"
if [ -f ${CRONTAB_FILE} ]; then
${EGREPBINARY} -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:/etc/crontab"
${GREPBINARY} -E -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:/etc/crontab"
if IsWorldWritable ${CRONTAB_FILE}; then LogText "Result: insecure file permissions for cronjob file ${CRONTAB_FILE}"; Report "insecure_fileperms_cronjob[]=${CRONTAB_FILE}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi
if ! IsOwnedByRoot ${CRONTAB_FILE}; then LogText "Result: incorrect owner found for cronjob file ${CRONTAB_FILE}"; Report "bad_fileowner_cronjob[]=${CRONTAB_FILE}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi
FindCronJob ${CRONTAB_FILE}
@ -86,7 +86,7 @@
if IsWorldWritable ${FILE}; then LogText "Result: insecure file permissions for cronjob file ${J}"; Report "insecure_fileperms_cronjob[]=${J}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi
if ! IsOwnedByRoot ${FILE}; then LogText "Result: incorrect owner found for cronjob file ${J}"; Report "bad_fileowner_cronjob[]=${J}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi
FILENAME=$(echo ${FILE} | ${AWKBINARY} -F/ '{print $NF}')
if [ "${FILENAME}" = "lynis" ]; then ${EGREPBINARY} -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:${FILE}"; fi
if [ "${FILENAME}" = "lynis" ]; then ${GREPBINARY} -E -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:${FILE}"; fi
FindCronJob ${FILE}
if HasData "${sCRONJOBS}"; then
for K in ${sCRONJOBS}; do
@ -121,7 +121,7 @@
if IsWorldWritable ${FILE}; then LogText "Result: insecure file permissions for cronjob file ${FILE}"; Report "insecure_fileperms_cronjob[]=${FILE}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi
if ! IsOwnedByRoot ${FILE}; then LogText "Result: incorrect owner found for cronjob file ${FILE}"; Report "bad_fileowner_cronjob[]=${FILE}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi
FILENAME=$(echo ${FILE} | ${AWKBINARY} -F/ '{print $NF}')
if [ "${FILENAME}" = "lynis" ]; then ${EGREPBINARY} -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:${FILE}"; fi
if [ "${FILENAME}" = "lynis" ]; then ${GREPBINARY} -E -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:${FILE}"; fi
LogText "Result: Found cronjob (${I}): ${FILE}"
Report "cronjob[]=${FILE}"
done
@ -141,7 +141,7 @@
FIND=$(${FINDBINARY} /var/spool/cron/crontabs -xdev -type f -print 2> /dev/null)
for I in ${FIND}; do
if FileIsReadable ${I}; then
${EGREPBINARY} -q -s 'lynis audit system' ${I} && LYNIS_CRONJOB="file:${I}"
${GREPBINARY} -E -q -s 'lynis audit system' ${I} && LYNIS_CRONJOB="file:${I}"
FindCronJob ${I}
for FILE in ${sCRONJOBS}; do
LogText "Found cronjob (/var/spool/cron/crontabs): ${I} (${FILE})"
@ -154,7 +154,7 @@
FIND=$(find ${ROOTDIR}var/spool/cron -type f -print)
for I in ${FIND}; do
if FileIsReadable ${I}; then
${EGREPBINARY} -q -s 'lynis audit system' ${I} && LYNIS_CRONJOB="file:${I}"
${GREPBINARY} -E -q -s 'lynis audit system' ${I} && LYNIS_CRONJOB="file:${I}"
FindCronJob ${I}
for FILE in ${sCRONJOBS}; do
LogText "Found cronjob in ${ROOTDIR}var/spool/cron: ${I} (${FILE})"
@ -169,7 +169,7 @@
if [ "${OS}" = "Linux" ]; then
if [ -f /etc/anacrontab ]; then
LogText "Test: checking anacrontab"
sANACRONJOBS=$(${EGREPBINARY} '^([0-9@])' /etc/anacrontab | ${TRBINARY} '\t' ' ' | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | ${SORTBINARY})
sANACRONJOBS=$(${GREPBINARY} -E '^([0-9@])' /etc/anacrontab | ${TRBINARY} '\t' ' ' | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | ${SORTBINARY})
if [ -n "${sANACRONJOBS}" ]; then
Report "scheduler[]=anacron"
for I in ${sANACRONJOBS}; do

2
include/tests_shells
View File

@ -52,7 +52,7 @@
Register --test-no SHLL-6202 --os FreeBSD --weight L --network NO --category security --description "Check console TTYs"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking console TTYs"
FIND=$(${EGREPBINARY} '^console' ${ROOTDIR}etc/ttys | ${GREPBINARY} -v 'insecure')
FIND=$(${GREPBINARY} -E '^console' ${ROOTDIR}etc/ttys | ${GREPBINARY} -v 'insecure')
if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Checking console TTYs" --result "${STATUS_OK}" --color GREEN
LogText "Result: console is secured against single user mode without password."

2
include/tests_squid
View File

@ -42,7 +42,7 @@
LogText "Test: Searching for a Squid daemon"
FOUND=0
# Check running processes
FIND=$(${PSBINARY} ax | ${EGREPBINARY} "(squid|squid3) " | ${GREPBINARY} -v "grep")
FIND=$(${PSBINARY} ax | ${GREPBINARY} -E "(squid|squid3) " | ${GREPBINARY} -v "grep")
if [ -n "${FIND}" ]; then
SQUID_DAEMON_RUNNING=1
LogText "Result: Squid daemon is running"

4
include/tests_ssh
View File

@ -299,7 +299,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
# AllowUsers
FIND=$(${EGREPBINARY} -i "^AllowUsers" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }')
FIND=$(${GREPBINARY} -E -i "^AllowUsers" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }')
if [ -n "${FIND}" ]; then
LogText "Result: AllowUsers set, with value ${FIND}"
Display --indent 4 --text "- OpenSSH option: AllowUsers" --result "${STATUS_FOUND}" --color GREEN
@ -310,7 +310,7 @@
fi
# AllowGroups
FIND=$(${EGREPBINARY} -i "^AllowGroups" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }')
FIND=$(${GREPBINARY} -E -i "^AllowGroups" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }')
if [ -n "${FIND}" ]; then
LogText "Result: AllowUsers set ${FIND}"
Display --indent 4 --text "- OpenSSH option: AllowGroups" --result "${STATUS_FOUND}" --color GREEN

8
include/tests_storage
View File

@ -38,8 +38,8 @@
if [ -d "${ROOTDIR}etc/modprobe.d" ]; then
FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null)
if [ -n "${FIND}" ]; then
FIND1=$(${EGREPBINARY} "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
FIND2=$(${EGREPBINARY} "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
FIND1=$(${GREPBINARY} -E "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
FIND2=$(${GREPBINARY} -E "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then
FOUND=1
LogText "Result: found firewire ohci driver in disabled state"
@ -49,8 +49,8 @@
fi
fi
if [ -f "${ROOTDIR}etc/modprobe.conf" ]; then
FIND1=$(${EGREPBINARY} -r "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" "${ROOTDIR}etc/modprobe.conf" | ${GREPBINARY} -v "#")
FIND2=$(${EGREPBINARY} -r "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" "${ROOTDIR}etc/modprobe.conf" | ${GREPBINARY} -v "#")
FIND1=$(${GREPBINARY} -E -r "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" "${ROOTDIR}etc/modprobe.conf" | ${GREPBINARY} -v "#")
FIND2=$(${GREPBINARY} -E -r "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" "${ROOTDIR}etc/modprobe.conf" | ${GREPBINARY} -v "#")
if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then
FOUND=1
LogText "Result: found firewire ohci driver in disabled state"

2
include/tests_system_integrity
View File

@ -30,6 +30,8 @@
#
#################################################################################
#
# Test : SINT-7010
# Description : System Integrity Status
if [ -x ${ROOTDIR}/usr/bin/csrutil ]; then PREQS_MET="YES"; else PREQS_MET="NO"; SKIPREASON="No CSrutil binary found"; fi
Register --test-no SINT-7010 --os MacOS --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight H --network NO --category security --description "System Integrity Status"
if [ ${SKIPTEST} -eq 0 ]; then

18
include/tests_time
View File

@ -139,7 +139,7 @@
for I in ${CRONTAB_FILES}; do
if [ -f ${I} ]; then
LogText "Test: checking for ntpdate, rdate, sntp or ntpdig in crontab file ${I}"
FIND=$(${EGREPBINARY} "${CRONTAB_REGEX}" ${I} | ${GREPBINARY} -v '^#')
FIND=$(${GREPBINARY} -E "${CRONTAB_REGEX}" ${I} | ${GREPBINARY} -v '^#')
if [ -n "${FIND}" ]; then
FOUND=1; NTP_CONFIG_TYPE_SCHEDULED=1
Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "${STATUS_FOUND}" --color GREEN
@ -161,10 +161,10 @@
for I in ${CRON_DIRS}; do
for J in "${I}"/*; do # iterate over folders in a safe way
# Check: regular file, readable and not called .placeholder
FIND=$(echo "${J}" | ${EGREPBINARY} '/.placeholder$')
FIND=$(echo "${J}" | ${GREPBINARY} -E '/.placeholder$')
if [ -f "${J}" ] && [ -r "${J}" ] && [ -z "${FIND}" ]; then
LogText "Test: checking for ntpdate, rdate, sntp or ntpdig in ${J}"
FIND=$("${EGREPBINARY}" "${CRONTAB_REGEX}" "${J}" | "${GREPBINARY}" -v "^#")
FIND=$("${GREPBINARY}" -E "${CRONTAB_REGEX}" "${J}" | "${GREPBINARY}" -v "^#")
if [ -n "${FIND}" ]; then
FOUND=1; FOUND_IN_CRON=1; NTP_CONFIG_TYPE_SCHEDULED=1
LogText "Result: found ntpdate, rdate, sntp or ntpdig in ${J}"
@ -232,7 +232,7 @@
Register --test-no TIME-3106 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check systemd NTP time synchronization status"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Check the status of time synchronization via timedatectl"
FIND=$(${TIMEDATECTL} status | ${EGREPBINARY} "(NTP|System clock) synchronized: yes")
FIND=$(${TIMEDATECTL} status | ${GREPBINARY} -E "(NTP|System clock) synchronized: yes")
if [ -z "${FIND}" ]; then
LogText "Result: time not synchronized via NTP"
ReportSuggestion "${TEST_NO}" "Check timedatectl output. Synchronization via NTP is enabled, but status reflects it is not synchronized"
@ -273,7 +273,7 @@
else
for ITEM in ${FIND}; do
LogText "Found stratum 16 peer: ${ITEM}"
FIND2=$(${EGREPBINARY} "^ntp-ignore-stratum-16-peer=${ITEM}" ${PROFILE})
FIND2=$(${GREPBINARY} -E "^ntp-ignore-stratum-16-peer=${ITEM}" ${PROFILE})
if IsEmpty "${FIND2}"; then
COUNT=$((COUNT + 1))
Report "ntp_stratum_16_peer[]=${ITEM}"
@ -303,7 +303,7 @@
Register --test-no TIME-3120 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check unreliable NTP peers"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking unreliable ntp peers"
FIND=$(${NTPQBINARY} -p -n | ${EGREPBINARY} "^(-|#)" | ${AWKBINARY} '{ print $1 }' | ${SEDBINARY} 's/^-//g')
FIND=$(${NTPQBINARY} -p -n | ${GREPBINARY} -E "^(-|#)" | ${AWKBINARY} '{ print $1 }' | ${SEDBINARY} 's/^-//g')
if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Checking unreliable ntp peers" --result "${STATUS_NONE}" --color GREEN
LogText "Result: No unreliable peers found"
@ -371,7 +371,7 @@
Register --test-no TIME-3132 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check NTP falsetickers"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking preferred time source"
FIND=$(${NTPQBINARY} -p -n | ${EGREPBINARY} '^x')
FIND=$(${NTPQBINARY} -p -n | ${GREPBINARY} -E '^x')
if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Checking falsetickers" --result "${STATUS_OK}" --color GREEN
LogText "Result: No falsetickers found (items preceding with an 'x')"
@ -455,7 +455,7 @@
else
LogText "Result: ${FILE} is not empty, which is fine"
Display --indent 2 --text "- Checking NTP step-tickers file" --result "${STATUS_OK}" --color GREEN
sFIND=$(${AWKBINARY} '/^[a-z0-9]/ { print $1 }' ${FILE} | ${EGREPBINARY} -v "^127." | ${EGREPBINARY} -v "^::1")
sFIND=$(${AWKBINARY} '/^[a-z0-9]/ { print $1 }' ${FILE} | ${GREPBINARY} -E -v "^127." | ${GREPBINARY} -E -v "^::1")
for I in ${sFIND}; do
FIND=$(${GREPBINARY} ^${I} ${FILE} | wc -l)
if [ ${FIND} -gt 0 ]; then
@ -553,7 +553,7 @@
Register --test-no TIME-3182 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check OpenNTPD has working peers"
if [ ${SKIPTEST} -eq 0 ]; then
# Format is "xx/yy peers valid, ..."
FIND=$(${NTPCTLBINARY} -s status | ${EGREPBINARY} -o '[0-9]+/[0-9]+' | ${CUTBINARY} -d '/' -f 1)
FIND=$(${NTPCTLBINARY} -s status | ${GREPBINARY} -E -o '[0-9]+/[0-9]+' | ${CUTBINARY} -d '/' -f 1)
if [ -z "${FIND}" ] || [ "${FIND}" -eq 0 ]; then
ReportWarning "${TEST_NO}" "OpenNTPD has no peers" "${NTPCTLBINARY} -s status"
fi

35
include/tests_tooling
View File

@ -259,8 +259,8 @@
# # Check email alert configuration
# LogText "Test: checking for email actions within ${FAIL2BAN_CONFIG}"
#
# FIND=$(${EGREPBINARY} "^action = \%\(action_m.*\)s" ${FAIL2BAN_CONFIG})
# FIND2=$(${EGREPBINARY} "^action = \%\(action_\)s" ${FAIL2BAN_CONFIG})
# FIND=$(${GREPBINARY} -E "^action = \%\(action_m.*\)s" ${FAIL2BAN_CONFIG})
# FIND2=$(${GREPBINARY} -E "^action = \%\(action_\)s" ${FAIL2BAN_CONFIG})
#
# if [ -n "${FIND}" ]; then
# FAIL2BAN_EMAIL=1
@ -400,7 +400,7 @@
#
#################################################################################
#
# Test : TOOL-5160
# Test : TOOL-5126
# Description : Check for OSSEC
Register --test-no TOOL-5126 --weight L --network NO --category security --description "Check for active OSSEC daemon"
if [ ${SKIPTEST} -eq 0 ]; then
@ -428,6 +428,35 @@
fi
#
#################################################################################
#
# Test : TOOL-5128
# Description : Check for Wazuh daemon
Register --test-no TOOL-5128 --weight L --network NO --category security --description "Check for active Wazuh daemon"
if [ ${SKIPTEST} -eq 0 ]; then
# Server side
if IsRunning "wazuh-analysisd"; then
IDS_IPS_TOOL_FOUND=1
Report "ids_ips_tooling[]=wazuh"
Report "ids_ips_tooling[]=wazuh-analysisd"
LogText "Result: Wazuh analysis daemon is active"
Display --indent 2 --text "- Checking presence of Wazuh (analysis)" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: Wazuh analysis daemon not active"
fi
# Client side
if IsRunning "wazuh-agentd"; then
IDS_IPS_TOOL_FOUND=1
Report "ids_ips_tooling[]=wazuh"
Report "ids_ips_tooling[]=wazuh-agentd"
LogText "Result: Wazuh agent daemon is active"
Display --indent 2 --text "- Checking presence of Wazuh (agent)" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: Wazuh agent daemon not active"
fi
fi
#
#################################################################################
#
# Test : TOOL-5190
# Description : Check for an IDS/IPS tool

12
include/tests_usb
View File

@ -54,8 +54,8 @@
if [ -d /etc/modprobe.d ]; then
FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null)
if [ -n "${FIND}" ]; then
FIND=$(${EGREPBINARY} -r "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
FIND2=$(${EGREPBINARY} -r "^blacklist usb[-_]storage" ${ROOTDIR}etc/modprobe.d/*)
FIND=$(${GREPBINARY} -E -r "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
FIND2=$(${GREPBINARY} -E -r "^blacklist usb[-_]storage" ${ROOTDIR}etc/modprobe.d/*)
if [ -n "${FIND}" -o -n "${FIND2}" ]; then
FOUND=1
LogText "Result: found usb-storage driver in disabled state (blacklisted)"
@ -65,7 +65,7 @@
fi
fi
if [ -f ${ROOTDIR}etc/modprobe.conf ]; then
FIND=$(${EGREPBINARY} "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.conf | ${GREPBINARY} "usb-storage" | ${GREPBINARY} -v "#")
FIND=$(${GREPBINARY} -E "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.conf | ${GREPBINARY} "usb-storage" | ${GREPBINARY} -v "#")
if [ -n "${FIND}" ]; then
FOUND=1
LogText "Result: found usb-storage driver in disabled state"
@ -316,11 +316,11 @@
Display --indent 4 --text "- RuleFile" --result "${STATUS_FOUND}" --color GREEN
AddHP 1 1
USBGUARD_RULES_ALLOW=$(${EGREPBINARY} -c "^allow" ${USBGUARD_RULES})
USBGUARD_RULES_ALLOW=$(${GREPBINARY} -E -c "^allow" ${USBGUARD_RULES})
Display --indent 6 --text "- Controllers & Devices allow" --result "${USBGUARD_RULES_ALLOW}" --color WHITE
USBGUARD_RULES_BLOCK=$(${EGREPBINARY} -c "^block" ${USBGUARD_RULES})
USBGUARD_RULES_BLOCK=$(${GREPBINARY} -E -c "^block" ${USBGUARD_RULES})
Display --indent 6 --text "- Controllers & Devices block" --result "${USBGUARD_RULES_BLOCK}" --color WHITE
USBGUARD_RULES_REJECT=$(${EGREPBINARY} -c "^reject" ${USBGUARD_RULES})
USBGUARD_RULES_REJECT=$(${GREPBINARY} -E -c "^reject" ${USBGUARD_RULES})
Display --indent 6 --text "- Controllers & Devices reject" --result "${USBGUARD_RULES_REJECT}" --color WHITE
else
LogText "Result: RuleFile not found (\"man usbguard\" for instructions to install initial policies)"

45
include/tests_webservers
View File

@ -48,6 +48,8 @@
TMPFILE="${TEMP_FILE}"
CreateTempFile || ExitFatal
TMPFILE2="${TEMP_FILE}"
CreateTempFile || ExitFatal
TMPFILE3="${TEMP_FILE}"
#
#################################################################################
#
@ -63,7 +65,7 @@
Display --indent 2 --text "- Checking Apache" --result "${STATUS_NOT_FOUND}" --color WHITE
else
LogText "Test: Scanning for Apache binary"
IS_APACHE=$(${HTTPDBINARY} -v 2> /dev/null | ${EGREPBINARY} '[aA]pache')
IS_APACHE=$(${HTTPDBINARY} -v 2> /dev/null | ${GREPBINARY} -E '[aA]pache')
if IsEmpty "${IS_APACHE}"; then
LogText "Result: ${HTTPDBINARY} is not Apache"
Display --indent 2 --text "- Checking Apache (binary ${HTTPDBINARY})" --result "NO MATCH" --color WHITE
@ -203,7 +205,7 @@
#if [ ${SKIPTEST} -eq 0 ]; then
# # Testing Debian style
# LogText "Test: searching loaded/enabled Apache modules"
# apachectl -t -D DUMP_MODULES 2>&1 | ${EGREPBINARY} -v "(Loaded Modules|Syntax OK)" | ${SEDBINARY} 's/(\(shared\|static\))//' | ${SEDBINARY} 's/ //'
# apachectl -t -D DUMP_MODULES 2>&1 | ${GREPBINARY} -E -v "(Loaded Modules|Syntax OK)" | ${SEDBINARY} 's/(\(shared\|static\))//' | ${SEDBINARY} 's/ //'
# for I in ${APACHE_MODULES_ENABLED_LOCS}; do
# LogText "Test: checking ${I}"
# if [ -d ${I} ]; then
@ -300,8 +302,42 @@
#
#################################################################################
#
# Test : HTTP-6660 TODO
# Test : HTTP-6660
# Description : Search for "TraceEnable off" in configuration files
if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6660 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking Apache security setting: TraceEnable"
if [ ${SKIPTEST} -eq 0 ]; then
for DIR in ${sTEST_APACHE_TARGETS}; do
if [ -d ${DIR} ]; then
find ${DIR} -name "*.conf" -print >> ${TMPFILE3}
fi
done
# Check all Apache conf-files for TraceEnable
if [ -f ${TMPFILE3} ]; then
Display --indent 2 --text '- Checking TraceEnable setting in:'
for APACHE_CONFFILE in $(cat ${TMPFILE3}); do
TRACEENABLE=$( ${GREPBINARY} -i -E '^TraceEnable' ${APACHE_CONFFILE} | ${AWKBINARY} '{print $2}' )
if [ ! ${TRACEENABLE} ]; then
LogText "Result: no TraceEnable setting found in ${APACHE_CONFFILE}"
Display --indent 4 --text " ${APACHE_CONFFILE}" --result "${STATUS_NOT_FOUND}" --color WHITE
else
TRACEENABLED_SETTING=$( echo ${TRACEENABLE} | tr 'A-Z' 'a-z' )
if [ x${TRACEENABLED_SETTING} == x'off' ]; then
LogText "Result: found TraceEnable setting set to 'off' in ${APACHE_CONFFILE}"
Report "Apache setting: 'TraceEnable Off' in ${APACHE_CONFFILE}"
Display --indent 4 --text " ${APACHE_CONFFILE}" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: found TraceEnable setting set to '"${TRACEENABLE}"' in ${APACHE_CONFFILE}"
Report "Apache setting: 'TraceEnable "${TRACEENABLE}"' in ${APACHE_CONFFILE}"
Display --indent 4 --text " ${APACHE_CONFFILE}" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Consider setting 'TraceEnable Off' in ${APACHE_CONFFILE}" "Set TraceEnable to 'On' or 'extended' for testing and diagnostic purposes only."
fi
fi
done
rm -f ${TMPFILE3}
fi
fi
#
#################################################################################
#
@ -381,7 +417,7 @@
done
# Sort all discovered configuration lines and store unique ones. Also strip out the mime types configured in nginx
SORTFILE=$(${SORTBINARY} -u ${TMPFILE} | ${SEDBINARY} 's/ /:space:/g' | ${EGREPBINARY} -v "(application|audio|image|text|video)/" | ${EGREPBINARY} -v "({|})")
SORTFILE=$(${SORTBINARY} -u ${TMPFILE} | ${SEDBINARY} 's/ /:space:/g' | ${GREPBINARY} -E -v "(application|audio|image|text|video)/" | ${GREPBINARY} -E -v "({|})")
for I in ${SORTFILE}; do
I=$(echo ${I} | ${SEDBINARY} 's/:space:/ /g')
Report "nginx_config_option[]=${I}";
@ -608,6 +644,7 @@
# Remove temp file (double check)
if [ -n "${TMPFILE}" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi
if [ -n "${TMPFILE2}" ]; then if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi; fi
if [ -n "${TMPFILE3}" ]; then if [ -f ${TMPFILE3} ]; then rm -f ${TMPFILE3}; fi; fi
WaitForKeyPress

14
lynis
View File

@ -43,16 +43,16 @@
PROGRAM_WEBSITE="https://cisofy.com/lynis/"
# Version details
PROGRAM_RELEASE_DATE="2022-05-17"
PROGRAM_RELEASE_TIMESTAMP=1652791205
PROGRAM_RELEASE_TYPE="release" # pre-release or release
PROGRAM_VERSION="3.0.8"
PROGRAM_RELEASE_DATE="2024-03-18"
PROGRAM_RELEASE_TIMESTAMP=1710671337
PROGRAM_RELEASE_TYPE="pre-release" # pre-release or release
PROGRAM_VERSION="3.1.2"
# Source, documentation and license
PROGRAM_SOURCE="https://github.com/CISOfy/lynis"
PROGRAM_PACKAGE="https://packages.cisofy.com/"
PROGRAM_DOCUMENTATION="https://cisofy.com/docs/"
PROGRAM_COPYRIGHT="2007-2021, ${PROGRAM_AUTHOR} - ${PROGRAM_WEBSITE}"
PROGRAM_COPYRIGHT="2007-2024, ${PROGRAM_AUTHOR} - ${PROGRAM_WEBSITE}"
PROGRAM_LICENSE="${PROGRAM_NAME} comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
welcome to redistribute it under the terms of the GNU General Public License.
See the LICENSE file for details about using this software."
@ -217,10 +217,10 @@
# Extract the short notation of the language (first two characters).
if [ -x "$(command -v locale 2> /dev/null)" ]; then
LANGUAGE=$(locale | egrep "^LANG=" | cut -d= -f2 | cut -d_ -f1 | tr -d '"' | egrep "^[a-z]{2}$")
LANGUAGE=$(locale | grep -E "^LANG=" | cut -d= -f2 | cut -d_ -f1 | tr -d '"' | grep -E "^[a-z]{2}$")
# Try locale command if shell variable had no value
if [ -z "${DISPLAY_LANG}" ]; then
DISPLAY_LANG=$(locale | egrep "^LANG=" | cut -d= -f2)
DISPLAY_LANG=$(locale | grep -E "^LANG=" | cut -d= -f2)
fi
else
LANGUAGE="en"