From 62419033f5049a39e177953a54e180bfe0123211 Mon Sep 17 00:00:00 2001
From: Kristian Schuster
Date: Sat, 19 Oct 2019 00:34:25 +0200
Subject: [PATCH 01/20] fix for #781 - run lsblk without --paths
---
 include/tests_crypto | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/include/tests_crypto b/include/tests_crypto
index 77be22f2..96dc067a 100644
--- a/include/tests_crypto
+++ b/include/tests_crypto
@@ -138,9 +138,9 @@
 FOUND=0
 # cryptsetup only works as root
- if [ -n "${LSBLKBINARY}" -a -n "${CRYPTSETUPBINARY}" -a ${FORENSICS_MODE} -eq 0 ]; then
- for BLOCK_DEV in $(${LSBLKBINARY} --noheadings --list --paths -o NAME); do
- if ${CRYPTSETUPBINARY} isLuks ${BLOCK_DEV} 2> /dev/null; then
+ if [ -n "${LSBLKBINARY}" ] && [ -n "${CRYPTSETUPBINARY}" ] && [ ${FORENSICS_MODE} -eq 0 ]; then
+ for BLOCK_DEV in $(${LSBLKBINARY} --noheadings --list -o NAME 2> /dev/null | cut -d' ' -f1); do
+ if ${CRYPTSETUPBINARY} isLuks $(${FINDBINARY} /dev/ -name "${BLOCK_DEV}" 2> /dev/null) 2> /dev/null; then
 LogText "Result: Found LUKS encrypted block device: ${BLOCK_DEV}"
 Report "encryption[]=luks,block_device,${BLOCK_DEV}"
 FOUND=$((FOUND +1))
From ace2e27237b1866b456b9e6aea859778d2bbb601 Mon Sep 17 00:00:00 2001
From: Kristian Schuster
Date: Sun, 20 Oct 2019 19:55:34 +0200
Subject: [PATCH 02/20] KRNL-5840: add detection for proxmox and raspi kernel
---
 include/tests_ports_packages | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/include/tests_ports_packages b/include/tests_ports_packages
index eef56596..94116e6e 100644
--- a/include/tests_ports_packages
+++ b/include/tests_ports_packages
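Review bot: The device path on the new `if ${CRYPTSETUPBINARY} isLuks ...` line comes from an unquoted, unchecked `$(${FINDBINARY} /dev/ -name "${BLOCK_DEV}" 2> /dev/null)`: without `-type b` the lookup can return a non-device entry that happens to share the basename, it can return several paths, and when it returns nothing `cryptsetup isLuks` runs with no argument and its error disappears into `2> /dev/null`, so a real LUKS volume would be silently missed. Resolving the path once with `DEV_PATH=$(${FINDBINARY} /dev/ -type b -name "${BLOCK_DEV}" 2> /dev/null)` and then testing `if [ -n "${DEV_PATH}" ] && ${CRYPTSETUPBINARY} isLuks "${DEV_PATH}" 2> /dev/null; then` keeps the check to block devices and makes the empty case explicit. The `cut -d' ' -f1` on the `for` line also calls `cut` directly while every other tool on the same line goes through its `${...BINARY}` variable. The loop body continues outside the hunk.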
@@ -1248,7 +1248,8 @@
 LogText "Test: Checking how many kernel packages are installed"
 if [ -n "${DPKGBINARY}" ]; then
- KERNELS=$(${DPKGBINARY} -l 2> /dev/null | ${GREPBINARY} "linux-image-[0-9]" | ${WCBINARY} -l)
+ KERNEL_PKG_NAMES="linux-image-[0-9]|raspberrypi-kernel|pve-kernel-[0-9]"
+ KERNELS=$(${DPKGBINARY} -l 2> /dev/null | ${EGREPBINARY} "${KERNEL_PKG_NAMES}" | ${WCBINARY} -l)
 if [ ${KERNELS} -eq 0 ]; then
 LogText "Result: found no kernels from dpkg -l output, which is unexpected"
 ReportException "KRNL-5840:2" "Could not find any kernel packages from DPKG output"
From 66a754fa1849b1f1b9d1bb1c341e6cdb09451a86 Mon Sep 17 00:00:00 2001
From: Kristian Schuster
Date: Sun, 20 Oct 2019 20:21:54 +0200
Subject: [PATCH 03/20] OS-Detection: add raspian detection
---
 include/osdetection | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/include/osdetection b/include/osdetection
index db7b9e92..cf9d1eac 100644
--- a/include/osdetection
+++ b/include/osdetection
@@ -206,6 +206,13 @@
 OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
 OS_NAME="Ubuntu"
 ;;
+ "raspbian")
+ LINUX_VERSION="Raspbian"
+ OS_FULLNAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ OS_NAME="Raspbian"
+ ;;
 "rhel")
 LINUX_VERSION="RHEL"
 OS_NAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
From 62feaf3fffc591ef18b7adbc063d696b01ac66ce Mon Sep 17 00:00:00 2001
From: Kristian Schuster
Date: Tue, 22 Oct 2019 20:07:56 +0200
Subject: [PATCH 04/20] do set variable NTP_CONFIG_FOUND if ntp config is found
---
 include/tests_time | 1 +
 1 file changed, 1 insertion(+)
diff --git a/include/tests_time b/include/tests_time
index 4f24da5c..4513cb9a 100644
--- a/include/tests_time
+++ b/include/tests_time
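Review bot: `raspberrypi-kernel` in the new `KERNEL_PKG_NAMES` pattern is an unanchored substring, so if `raspberrypi-kernel-headers` is installed its `dpkg -l` row is counted as a kernel as well and `KERNELS` is one too high. Anchoring on the whitespace that follows the package name column avoids that: `KERNEL_PKG_NAMES="linux-image-[0-9]|raspberrypi-kernel[[:space:]]|pve-kernel-[0-9]"`. The count also includes every `dpkg -l` row regardless of its status column (removed-but-not-purged packages included); that behaviour predates this change, but the extra names widen its effect.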
@@ -487,6 +487,7 @@
 ReportWarning "${TEST_NO}" "Found world writable configuration file" "${FILE}" ""
 fi
 Report "ntp_config_file[]=${FILE}"
+ NTP_CONFIG_FOUND=1
 fi
 done
 fi
From 6dad2f476e3ab5386cf573b962f9af58a20fb60f Mon Sep 17 00:00:00 2001
From: Dave Vehrs
Date: Wed, 23 Oct 2019 12:31:20 -0600
Subject: [PATCH 05/20] Updated permissions checks
---
 include/functions | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/include/functions b/include/functions
index b96bb070..ea5a2bd3 100644
--- a/include/functions
+++ b/include/functions
@@ -1281,6 +1281,9 @@
 CHECK_PERMISSION=$(echo "-${CHECK_PERMISSION}" | ${AWKBINARY} '{k=0;for(i=0;i<=8;i++)k+=((substr($1,i+2,1)~/[rwx]/)*2^(8-i));if(k)printf("%0o",k)}')
 fi
+ # Add leading zeros if necessary
+ CHECK_PERMISSION=$(echo "${CHECK_PERMISSION}" | ${AWKBINARY} '{printf "%03d",$1}')
+
 # First try stat command
 LogText "Test: checking if file ${CHECKFILE} is ${CHECK_PERMISSION}"
 if [ -n "${STATBINARY}" ]; then
@@ -1299,7 +1302,11 @@
 *)
 # Only use find when OS is NOT AIX and binaries are NOT busybox
 if [ ${SHELL_IS_BUSYBOX} -eq 0 ]; then
- DATA=$(${FINDBINARY} ${CHECKFILE} -printf "%m")
+ if [ -d ${CHECKFILE} ]; then
+ DATA=$(${FINDBINARY} ${CHECKFILE} -maxdepth 0 -printf "%m")
+ else
+ DATA=$(${FINDBINARY} ${CHECKFILE} -printf "%m")
+ fi
 fi
 ;;
 esac
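Review bot: The new `%03d` padding of `CHECK_PERMISSION` in the @@ -1281 hunk — and the identical padding of `DATA` added in the @@ -1317 hunk of the same file — runs unconditionally, and `echo "" | awk '{printf "%03d",$1}'` prints `000`, so an empty value is turned into mode 000. For `DATA` that makes the following `if [ -n "${DATA}" ]` guard dead: a failed `stat`/`find` is no longer reported as unreadable but compared as `000`, and a caller checking for permission `000` gets a false match. Wrapping the padding in the emptiness test, `if [ -n "${DATA}" ]; then DATA=$(echo "${DATA}" | ${AWKBINARY} '{printf "%03d",$1}'); fi`, and doing the same for `CHECK_PERMISSION`, keeps the error path intact. In the @@ -1299 hunk `${CHECKFILE}` is unquoted in the new `[ -d ${CHECKFILE} ]` test, as on the surrounding lines; `-maxdepth 0` is GNU-only, but so is the existing `-printf`, so that branch already assumes GNU find.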
@@ -1317,13 +1324,16 @@
 # Convert permissions to octal when needed
 case ${DATA} in
- "r"|"w"|"x"|"-")
+ [-r][-w][-x][-r][-w][-x][-r][-w][-x] )
 LogText "Converting value ${DATA} to octal"
- DATA=$(echo ${DATA} | ${AWKBINARY} '{k=0;for(i=0;i<=8;i++)k+=((substr($1,i+2,1)~/[rwx]/)*2^(8-i));if(k)printf("%0o",k)}')
- if [ "${DATA}" = "0" ]; then DATA="000"; fi
+ # add a dummy character as first character so it looks like output is a normal file
+ DATA=$(echo "-${DATA}" | ${AWKBINARY} '{k=0;for(i=0;i<=8;i++)k+=((substr($1,i+2,1)~/[rwx]/)*2^(8-i));if(k)printf("%0o",k)}')
 ;;
 esac
+ # Add leading zeros if necessary
+ DATA=$(echo "${DATA}" | ${AWKBINARY} '{printf "%03d",$1}')
+
 if [ -n "${DATA}" ]; then
 if [ "${DATA}" = "${CHECK_PERMISSION}" ]; then
 LogText "Outcome: correct permissions (${DATA})"
From e6bf111f41e2a235c23593e649a08565daacb1e5 Mon Sep 17 00:00:00 2001
From: Dave Vehrs
Date: Wed, 23 Oct 2019 14:47:03 -0600
Subject: [PATCH 06/20] Updated tests for file permissions to case statements
---
 include/tests_authentication | 77 ++++++++++++++++++++++++-----------
 include/tests_printers_spools | 19 +++++----
 2 files changed, 65 insertions(+), 31 deletions(-)
diff --git a/include/tests_authentication b/include/tests_authentication
index 7458c487..b29ff65d 100644
--- a/include/tests_authentication
+++ b/include/tests_authentication
@@ -478,10 +478,10 @@
 done
 if [ ${FOUND} -eq 1 ]; then
 LogText "Result: sudoers file found (${SUDOERS_FILE})"
- Display --indent 2 --text "- sudoers file" --result "${STATUS_FOUND}" --color GREEN
+ Display --indent 2 --text "- Sudoers file(s)" --result "${STATUS_FOUND}" --color GREEN
 else
 LogText "Result: sudoers file NOT found"
- Display --indent 2 --text "- sudoers file" --result "${STATUS_NOT_FOUND}" --color YELLOW
+ Display --indent 2 --text "- Sudoers file" --result "${STATUS_NOT_FOUND}" --color YELLOW
 fi
 fi
 #
@@ -499,13 +499,27 @@
 FIND=$(${LSBINARY} -ld ${SUDOERS_D} | ${CUTBINARY} -c 2-10)
 FIND2=$(${LSBINARY} -nd ${SUDOERS_D} | ${AWKBINARY} '{print $3$4}')
 LogText "Result: Found directory permissions: ${FIND} and owner UID GID: ${FIND2}"
- if [ "${FIND}" = "rwxrwx---" -o "${FIND}" = "rwxr-x---" -o "${FIND}" = "rwx------" ] && [ "${FIND2}" = "00" ]; then
- LogText "Result: directory ${SUDOERS_D} permissions/ownership OK"
- Display --indent 4 --text "- Permissions for directory: ${SUDOERS_D}" --result "${STATUS_OK}" --color GREEN
- else
- LogText "Result: directory has possibly unsafe permissions/ownership"
- Display --indent 4 --text "- Permissions for directory: ${SUDOERS_D}" --result "${STATUS_WARNING}" --color RED
- fi
+ case "${FIND}" in
+ rwx[r-][w-][x-]--- )
+ LogText "Result: directory ${SUDOERS_D} permissions OK"
+ if [ "${FIND2}" = "00" ]; then
+ LogText "Result: directory ${SUDOERS_D} ownership OK"
+ Display --indent 4 --text "- Permissions for directory: ${SUDOERS_D}" --result "${STATUS_OK}" --color GREEN
+ else
+ LogText "Result: directory ${SUDOERS_D} has possibly unsafe ownership"
+ Display --indent 4 --text "- Permissions for directory: ${SUDOERS_D}" --result "${STATUS_WARNING}" --color RED
+ fi
+ ;;
+ * )
+ LogText "Result: directory ${SUDOERS_D} has possibly unsafe permissions"
+ if [ "${FIND2}" = "00" ]; then
+ LogText "Result: directory ${SUDOERS_D} ownership OK"
+ else
+ LogText "Result: directory ${SUDOERS_D} has possibly unsafe ownership"
+ fi
+ Display --indent 4 --text "- Permissions for directory: ${SUDOERS_D}" --result "${STATUS_WARNING}" --color RED
+ ;;
+ esac
 SUDO_CONFIG_FILES="${SUDO_CONFIG_FILES} $(${FINDBINARY} ${SUDOERS_D} -type f -print)"
 fi
 for f in ${SUDO_CONFIG_FILES}; do
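Review bot: The new `case` pattern `rwx[r-][w-][x-]---` accepts any group bits, so directory modes the old explicit list rejected — `rwx-w----`, `rwx--x---`, `rwxrw----`, `rwx-wx---` — now report `${STATUS_OK}`; the file pattern `r[w-]-[r-][w-]----` in the @@ -513 and @@ -1469 hunks and in tests_printers_spools likewise admits modes such as `r--rw----` that the sudoers and doas lists previously excluded. If widening the accepted set is intended, a one-line comment above each `case` saying so would help the next reader; if not, the original modes can stay explicit, e.g. `rwxrwx--- | rwxr-x--- | rwx------ )` here and `rw------- | rw-rw---- | r--r----- )` for the file checks. The ownership test on `FIND2` is also repeated verbatim in both arms; deciding permissions in the `case` and then testing `FIND2` once would leave a single `Display` per outcome.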
@@ -513,13 +527,27 @@
 FIND=$(${LSBINARY} -l ${f} | ${CUTBINARY} -c 2-10)
 FIND2=$(${LSBINARY} -n ${f} | ${AWKBINARY} '{print $3$4}')
 LogText "Result: Found file permissions: ${FIND} and owner UID GID: ${FIND2}"
- if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" = "r--r-----" ] && [ "${FIND2}" = "00" ]; then
- LogText "Result: file ${f} permissions/ownership OK"
- Display --indent 4 --text "- Permissions for: ${f}" --result "${STATUS_OK}" --color GREEN
- else
- LogText "Result: file has possibly unsafe permissions/ownership"
- Display --indent 4 --text "- Permissions for: ${f}" --result "${STATUS_WARNING}" --color RED
- fi
+ case "${FIND}" in
+ r[w-]-[r-][w-]---- )
+ LogText "Result: file ${f} permissions OK"
+ if [ "${FIND2}" = "00" ]; then
+ LogText "Result: file ${f} ownership OK"
+ Display --indent 4 --text "- Permissions for: ${f}" --result "${STATUS_OK}" --color GREEN
+ else
+ LogText "Result: file ${f} has possibly unsafe ownership"
+ Display --indent 4 --text "- Permissions for: ${f}" --result "${STATUS_WARNING}" --color RED
+ fi
+ ;;
+ * )
+ LogText "Result: file ${f} has possibly unsafe permissions"
+ if [ "${FIND2}" = "00" ]; then
+ LogText "Result: file ${f} ownership OK"
+ else
+ LogText "Result: file ${f} has possibly unsafe ownership"
+ fi
+ Display --indent 4 --text "- Permissions for: ${f}" --result "${STATUS_WARNING}" --color RED
+ ;;
+ esac
 done
 fi
 #
@@ -1469,13 +1497,16 @@
 LogText "Test: checking /etc/doas.conf permissions"
 FIND=$(ls -l ${DOAS_FILE} | ${CUTBINARY} -c 2-10)
 LogText "Result: Found /etc/doas.conf file permissions: ${FIND}"
- if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" = "r--r-----" ]; then
- LogText "Result: file /etc/doas.conf has correct permissions"
- Display --indent 4 --text "- Check doas file permissions" --result "${STATUS_OK}" --color GREEN
- else
- LogText "Result: file has possibly unsafe file permissions"
- Display --indent 4 --text "- Check doas file permissions" --result "${STATUS_WARNING}" --color RED
- fi
+ case "${FIND}" in
+ r[w-]-[r-][w-]---- )
+ LogText "Result: file /etc/doas.conf has correct permissions"
+ Display --indent 4 --text "- Check doas file permissions" --result "${STATUS_OK}" --color GREEN
+ ;;
+ * )
+ LogText "Result: file has possibly unsafe file permissions"
+ Display --indent 4 --text "- Check doas file permissions" --result "${STATUS_WARNING}" --color RED
+ ;;
+ esac
 fi
 #
 #################################################################################
diff --git a/include/tests_printers_spools b/include/tests_printers_spools
index e2026bc5..d7483d63 100644
--- a/include/tests_printers_spools
+++ b/include/tests_printers_spools
@@ -117,14 +117,17 @@
 LogText "Test: Checking CUPS configuration file permissions"
 FIND=$(${LSBINARY} -l ${CUPSD_CONFIG_FILE} | ${CUTBINARY} -c 2-10)
 LogText "Result: found ${FIND}"
- if [ "${FIND}" = "r--------" -o "${FIND}" = "rw-------" -o "${FIND}" = "rw-r-----" -o "${FIND}" = "rw-rw----" ]; then
- Display --indent 4 --text "- File permissions" --result "${STATUS_OK}" --color GREEN
- AddHP 1 1
- else
- Display --indent 4 --text "- File permissions" --result "${STATUS_WARNING}" --color RED
- ReportSuggestion ${TEST_NO} "Access to CUPS configuration could be more strict."
- AddHP 1 2
- fi
+ case "${FIND}" in
+ r[w-]-[r-][w-]---- )
+ Display --indent 4 --text "- File permissions" --result "${STATUS_OK}" --color GREEN
+ AddHP 1 1
+ ;;
+ * )
+ Display --indent 4 --text "- File permissions" --result "${STATUS_WARNING}" --color RED
+ ReportSuggestion ${TEST_NO} "Access to CUPS configuration could be more strict."
+ AddHP 1 2
+ ;;
+ esac
 fi
 #
 #################################################################################
From 32ee01681080b25e2f8888b11458209af7c1fade Mon Sep 17 00:00:00 2001
From: Kristian Schuster
Date: Wed, 23 Oct 2019 23:06:03 +0200
Subject: [PATCH 07/20] fix: forgot to replace test folder with correct folder from variable
---
 include/tests_kernel | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/tests_kernel b/include/tests_kernel
index f5a896ba..b9cec302 100644
--- a/include/tests_kernel
+++ b/include/tests_kernel
@@ -522,8 +522,8 @@
 LogText "Result: file ${ROOTDIR}etc/security/limits.conf exists"
 LogText "Test: Checking if core dumps are disabled in ${ROOTDIR}etc/security/limits.conf and ${LIMITS_DIRECTORY}/*"
 # using find instead of grep -r to stay POSIX compliant. On AIX and HPUX grep -r is not available.
- FIND1=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${ROOTDIR}etc/security/limits.conf.d" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="0") { print "soft core disabled" } else if ($1=="*" && $2=="soft" && $3=="core" && $4!="0") { print "soft core enabled" } }' | ${TAILBINARY} -1)
- FIND2=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${ROOTDIR}etc/security/limits.conf.d" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="0") { print "hard core disabled" } else if ($1=="*" && $2=="hard" && $3=="core" && $4!="0") { print "hard core enabled" } }' | ${TAILBINARY} -1)
+ FIND1=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="0") { print "soft core disabled" } else if ($1=="*" && $2=="soft" && $3=="core" && $4!="0") { print "soft core enabled" } }' | ${TAILBINARY} -1)
+ FIND2=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="0") { print "hard core disabled" } else if ($1=="*" && $2=="hard" && $3=="core" && $4!="0") { print "hard core enabled" } }' | ${TAILBINARY} -1)
 IS_SOFTCORE_DISABLED="$(if [ "${FIND1}" = "soft core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND1}" = "soft core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} DEFAULT; fi)"
IS_HARDCORE_DISABLED="$(if [ "${FIND2}" = "hard core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND2}" = "hard core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} DEFAULT; fi)"
From d97221b851e0cb33903f09e8e2859f740049cd34 Mon Sep 17 00:00:00 2001
From: Kristian Schuster
Date: Thu, 24 Oct 2019 00:14:42 +0200
Subject: [PATCH 08/20] added additional php folders to check, plus added PHP72 and PHP73
---
 include/tests_php | 83 ++++++++++++++++++++++++++++++++++++++---------
 1 file changed, 67 insertions(+), 16 deletions(-)
diff --git a/include/tests_php b/include/tests_php
index d2303c2c..b58d1758 100644
--- a/include/tests_php
+++ b/include/tests_php
@@ -29,25 +29,60 @@
 # Possible locations of php.ini
 PHPINILOCS="${ROOTDIR}etc/php.ini ${ROOTDIR}etc/php.ini.default \
- ${ROOTDIR}etc/php/php.ini ${ROOTDIR}etc/php5.5/php.ini ${ROOTDIR}etc/php5.6/php.ini ${ROOTDIR}etc/php7.0/php.ini ${ROOTDIR}etc/php7.1/php.ini ${ROOTDIR}etc/php7.2/php.ini \
- ${ROOTDIR}etc/php/cgi-php5/php.ini ${ROOTDIR}etc/php/cli-php5/php.ini ${ROOTDIR}etc/php/apache2-php5/php.ini \
- ${ROOTDIR}etc/php/apache2-php5.5/php.ini ${ROOTDIR}etc/php/apache2-php5.6/php.ini ${ROOTDIR}etc/php/apache2-php7.0/php.ini ${ROOTDIR}etc/php/apache2-php7.1/php.ini \
- ${ROOTDIR}etc/php/cgi-php7.1/php.ini ${ROOTDIR}etc/php/apache2-php7.1/php.ini ${ROOTDIR}etc/php/cgi-php5.5/php.ini ${ROOTDIR}etc/php/cgi-php5.6/php.ini ${ROOTDIR}etc/php/cgi-php7.0/php.ini \
- ${ROOTDIR}etc/php/cli-php7.1/php.ini ${ROOTDIR}etc/php/cli-php5.5/php.ini ${ROOTDIR}etc/php/cli-php5.6/php.ini ${ROOTDIR}etc/php/cli-php7.0/php.ini \
- ${ROOTDIR}etc/php/embed-php7.1/php.ini ${ROOTDIR}etc/php/embed-php5.5/php.ini ${ROOTDIR}etc/php/embed-php5.6/php.ini ${ROOTDIR}etc/php/embed-php7.0/php.ini \
- ${ROOTDIR}etc/php/fpm-php7.1/php.ini ${ROOTDIR}etc/php/fpm-php5.5/php.ini ${ROOTDIR}etc/php/fpm-php5.6/php.ini ${ROOTDIR}etc/php/fpm-php7.0/php.ini \
+ ${ROOTDIR}etc/php/php.ini \
+ ${ROOTDIR}etc/php5.5/php.ini \
+ ${ROOTDIR}etc/php5.6/php.ini \
+ ${ROOTDIR}etc/php7.0/php.ini \
+ ${ROOTDIR}etc/php7.1/php.ini \
+ ${ROOTDIR}etc/php7.2/php.ini \
+ ${ROOTDIR}etc/php7.3/php.ini \
+ ${ROOTDIR}etc/php/cgi-php5/php.ini \
+ ${ROOTDIR}etc/php/cli-php5/php.ini \
+ ${ROOTDIR}etc/php/apache2-php5/php.ini \
+ ${ROOTDIR}etc/php/apache2-php5.5/php.ini \
+ ${ROOTDIR}etc/php/apache2-php5.6/php.ini \
+ ${ROOTDIR}etc/php/apache2-php7.0/php.ini \
+ ${ROOTDIR}etc/php/apache2-php7.1/php.ini \
+ ${ROOTDIR}etc/php/apache2-php7.2/php.ini \
+ ${ROOTDIR}etc/php/apache2-php7.3/php.ini \
+ ${ROOTDIR}etc/php/cgi-php5.5/php.ini \
+ ${ROOTDIR}etc/php/cgi-php5.6/php.ini \
+ ${ROOTDIR}etc/php/cgi-php7.0/php.ini \
+ ${ROOTDIR}etc/php/cgi-php7.1/php.ini \
+ ${ROOTDIR}etc/php/cgi-php7.2/php.ini \
+ ${ROOTDIR}etc/php/cgi-php7.3/php.ini \
+ ${ROOTDIR}etc/php/cli-php5.5/php.ini \
+ ${ROOTDIR}etc/php/cli-php5.6/php.ini \
+ ${ROOTDIR}etc/php/cli-php7.0/php.ini \
+ ${ROOTDIR}etc/php/cli-php7.1/php.ini \
+ ${ROOTDIR}etc/php/cli-php7.2/php.ini \
+ ${ROOTDIR}etc/php/cli-php7.3/php.ini \
+ ${ROOTDIR}etc/php/embed-php5.5/php.ini \
+ ${ROOTDIR}etc/php/embed-php5.6/php.ini \
+ ${ROOTDIR}etc/php/embed-php7.0/php.ini \
+ ${ROOTDIR}etc/php/embed-php7.1/php.ini \
+ ${ROOTDIR}etc/php/embed-php7.2/php.ini \
+ ${ROOTDIR}etc/php/embed-php7.3/php.ini \
+ ${ROOTDIR}etc/php/fpm-php7.3/php.ini \
+ ${ROOTDIR}etc/php/fpm-php7.2/php.ini \
+ ${ROOTDIR}etc/php/fpm-php7.1/php.ini \
+ ${ROOTDIR}etc/php/fpm-php7.0/php.ini \
+ ${ROOTDIR}etc/php/fpm-php5.5/php.ini \
+ ${ROOTDIR}etc/php/fpm-php5.6/php.ini \
 ${ROOTDIR}etc/php5/cgi/php.ini \
 ${ROOTDIR}etc/php5/cli/php.ini \
 ${ROOTDIR}etc/php5/cli-php5.4/php.ini ${ROOTDIR}etc/php5/cli-php5.5/php.ini ${ROOTDIR}etc/php5/cli-php5.6/php.ini \
 ${ROOTDIR}etc/php5/apache2/php.ini \
 ${ROOTDIR}etc/php5/fpm/php.ini \
 ${ROOTDIR}private/etc/php.ini \
- ${ROOTDIR}etc/php/7.2/apache2/php.ini \
- ${ROOTDIR}etc/php/7.1/apache2/php.ini \
 ${ROOTDIR}etc/php/7.0/apache2/php.ini \
- ${ROOTDIR}etc/php/7.2/cli/php.ini ${ROOTDIR}etc/php/7.2/fpm/php.ini \
- ${ROOTDIR}etc/php/7.1/cli/php.ini ${ROOTDIR}etc/php/7.1/fpm/php.ini \
+ ${ROOTDIR}etc/php/7.1/apache2/php.ini \
+ ${ROOTDIR}etc/php/7.2/apache2/php.ini \
+ ${ROOTDIR}etc/php/7.3/apache2/php.ini \
 ${ROOTDIR}etc/php/7.0/cli/php.ini ${ROOTDIR}etc/php/7.0/fpm/php.ini \
+ ${ROOTDIR}etc/php/7.1/cli/php.ini ${ROOTDIR}etc/php/7.1/fpm/php.ini \
+ ${ROOTDIR}etc/php/7.2/cli/php.ini ${ROOTDIR}etc/php/7.2/fpm/php.ini \
+ ${ROOTDIR}etc/php/7.3/cli/php.ini ${ROOTDIR}etc/php/7.3/fpm/php.ini \
 ${ROOTDIR}var/www/conf/php.ini \
 ${ROOTDIR}usr/local/etc/php.ini ${ROOTDIR}usr/local/lib/php.ini \
 ${ROOTDIR}usr/local/etc/php5/cgi/php.ini \
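Review bot: The new `fpm-php*` entries are listed in descending order (`fpm-php7.3` down to `fpm-php7.0`, then `5.5`, `5.6`) while every other family in the same list ascends, and the reordered `7.1`/`7.2`/`7.3` apache2 lines later in the hunk follow the ascending convention; keeping one order makes the next version a one-line insertion at a predictable spot. Since each PHP release touches roughly ten families here, a short comment above `PHPINILOCS` naming the families that need a new entry would spare the next contributor a diff of this size. The `PHPINILOCS` assignment continues past the end of the hunk.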
@@ -55,6 +90,8 @@
 ${ROOTDIR}usr/local/php56/lib/php.ini \
 ${ROOTDIR}usr/local/php70/lib/php.ini \
 ${ROOTDIR}usr/local/php71/lib/php.ini \
+ ${ROOTDIR}usr/local/php72/lib/php.ini \
+ ${ROOTDIR}usr/local/php73/lib/php.ini \
 ${ROOTDIR}usr/local/zend/etc/php.ini \
 ${ROOTDIR}usr/pkg/etc/php.ini \
 ${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.ini \
@@ -62,6 +99,8 @@
 ${ROOTDIR}opt/cpanel/ea-php56/root/etc/php.ini \
 ${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.ini \
 ${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.ini \
+ ${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.ini \
+ ${ROOTDIR}opt/cpanel/ea-php73/root/etc/php.ini \
 ${ROOTDIR}opt/alt/php44/etc/php.ini \
 ${ROOTDIR}opt/alt/php51/etc/php.ini \
 ${ROOTDIR}opt/alt/php52/etc/php.ini \
@@ -71,24 +110,29 @@
 ${ROOTDIR}opt/alt/php56/etc/php.ini \
 ${ROOTDIR}opt/alt/php70/etc/php.ini \
 ${ROOTDIR}opt/alt/php71/etc/php.ini \
+ ${ROOTDIR}opt/alt/php72/etc/php.ini \
+ ${ROOTDIR}opt/alt/php73/etc/php.ini \
 ${ROOTDIR}etc/opt/remi/php56/php.ini \
 ${ROOTDIR}etc/opt/remi/php70/php.ini \
 ${ROOTDIR}etc/opt/remi/php71/php.ini \
- ${ROOTDIR}etc/opt/remi/php72/php.ini"
+ ${ROOTDIR}etc/opt/remi/php72/php.ini \
+ ${ROOTDIR}etc/opt/remi/php73/php.ini"
 # HEADS-UP: OpenBSD, last two releases are supported, and snapshots of -current
 PHPINILOCS="${PHPINILOCS} \
- ${ROOTDIR}etc/php-5.6.ini ${ROOTDIR}etc/php-7.0.ini ${ROOTDIR}etc/php-7.1.ini ${ROOTDIR}etc/php-7.2.ini"
+ ${ROOTDIR}etc/php-5.6.ini ${ROOTDIR}etc/php-7.0.ini ${ROOTDIR}etc/php-7.1.ini ${ROOTDIR}etc/php-7.2.ini ${ROOTDIR}etc/php-7.3.ini"
 PHPINIDIRS="${ROOTDIR}etc/php5/conf.d \
 ${ROOTDIR}etc/php/7.0/cli/conf.d \
 ${ROOTDIR}etc/php/7.1/cli/conf.d \
 ${ROOTDIR}etc/php/7.2/cli/conf.d \
+ ${ROOTDIR}etc/php/7.3/cli/conf.d \
 ${ROOTDIR}etc/php/7.0/fpm/conf.d \
 ${ROOTDIR}etc/php/7.1/fpm/conf.d \
 ${ROOTDIR}etc/php/7.2/fpm/conf.d \
+ ${ROOTDIR}etc/php/7.3/fpm/conf.d \
 ${ROOTDIR}etc/php.d \
 ${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php55/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php56/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.d \
- ${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.d \
+ ${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php73/root/etc/php.d \
 ${ROOTDIR}opt/alt/php44/etc/php.d.all \
 ${ROOTDIR}opt/alt/php51/etc/php.d.all \
 ${ROOTDIR}opt/alt/php52/etc/php.d.all \
@@ -97,10 +141,17 @@
 ${ROOTDIR}opt/alt/php55/etc/php.d.all \
 ${ROOTDIR}opt/alt/php56/etc/php.d.all \
 ${ROOTDIR}opt/alt/php70/etc/php.d.all \
- ${ROOTDIR}opt/alt/php71/etc/php.d.all"
+ ${ROOTDIR}opt/alt/php71/etc/php.d.all \
+ ${ROOTDIR}opt/alt/php72/etc/php.d.all \
+ ${ROOTDIR}opt/alt/php73/etc/php.d.all \
+ ${ROOTDIR}usr/local/lib/php.conf.d \
+ ${ROOTDIR}usr/local/php70/lib/php.conf.d \
+ ${ROOTDIR}usr/local/php71/lib/php.conf.d \
+ ${ROOTDIR}usr/local/php72/lib/php.conf.d \
+ ${ROOTDIR}usr/local/php73/lib/php.conf.d"
 # HEADS-UP: OpenBSD, last two releases are supported, and snapshots of -current
 PHPINIDIRS="${PHPINIDIRS} \
- ${ROOTDIR}etc/php-5.6 ${ROOTDIR}etc/php-7.0 ${ROOTDIR}etc/php-7.1 ${ROOTDIR}etc/php-7.2"
+ ${ROOTDIR}etc/php-5.6 ${ROOTDIR}etc/php-7.0 ${ROOTDIR}etc/php-7.1 ${ROOTDIR}etc/php-7.2 ${ROOTDIR}etc/php-7.3"
 #
 #################################################################################
 #
From 8353483d1dcc89be5eecf032b474a6045b7f3782 Mon Sep 17 00:00:00 2001
From: Marzal <2069735+Marzal@users.noreply.github.com>
Date: Tue, 29 Oct 2019 18:47:07 +0100
Subject: [PATCH 09/20] grep doesn't work with '\|' in AIX. grep -E is more POSIX compliant.
---
 include/profiles | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/profiles b/include/profiles
index d05dcbb3..f1bfb326 100644
--- a/include/profiles
+++ b/include/profiles
@@ -46,7 +46,7 @@
 fi
 # Security check for unexpected and possibly harmful escape characters (hyphen should be listed as first or last character)
- DATA=$(grep -v '^$\|^ \|^#\|^config:' ${PROFILE} | tr -d '[:alnum:]/\[\]\(\)_\|,\.:;= \n\r-' | od -An -ta | sed 's/ /!space!/g')
+ DATA=$(grep -Ev '^$|^ |^#|^config:' "${PROFILE}" | tr -d '[:alnum:]/\[\]\(\)_\|,\.:;= \n\r-' | od -An -ta | sed 's/ /!space!/g')
 if ! IsEmpty "${DATA}"; then
 DisplayWarning "Your profile '${PROFILE}' contains unexpected characters. See the log file for more information."
 LogText "Found unexpected or possibly harmful characters in profile '${PROFILE}'. See which characters matched in the output below and compare them with your profile."
From 9de822767454e68b4a79574bcb058eee78f32287 Mon Sep 17 00:00:00 2001
From: Neil Mayhew
Date: Tue, 15 Oct 2019 12:06:29 -0600
Subject: [PATCH 10/20] Fix for false positive for some users on HOME-9306
Closes #773
Patch from @church1e
---
 include/tests_homedirs | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/include/tests_homedirs b/include/tests_homedirs
index 9b8c9c64..4830b9a3 100644
--- a/include/tests_homedirs
+++ b/include/tests_homedirs
@@ -57,9 +57,9 @@
 if [ ${SKIPTEST} -eq 0 ]; then
 # Check if users' home directories permissions are 750 or more restrictive
 FOUND=0
- for LINE in $(${EGREPBINARY} -v '^(daemon|git|halt|root|shutdown|sync)' ${ROOTDIR}etc/passwd | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }'); do
+ for LINE in $(${EGREPBINARY} -v '^(daemon|git|halt|root|shutdown|sync)' ${ROOTDIR}etc/passwd | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print $1 ":" $6}'); do
 USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1)
- DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6)
+ DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f2)
 if [ -d "${DIR}" ]; then
 WRITE_GROUP_PERM=$(${LSBINARY} -ld ${DIR} | ${CUTBINARY} -f1 -d" " | ${CUTBINARY} -c6)
 OTHER_PERMS=$(${LSBINARY} -ld ${DIR} | ${CUTBINARY} -f1 -d" " | ${CUTBINARY} -c8-10)
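Review bot: The new awk `print $1 ":" $6` removes the GECOS field that was being split on spaces, but the `for LINE in $(...)` loop still word-splits its input, so a home directory containing whitespace still arrives as fragments, fails the `-d` test and is skipped or misreported; the same construct is repeated in the @@ -89 hunk, where the `if [ -d ${DIR} ]` test is additionally unquoted whereas this hunk quotes it. Quoting it the same way, `if [ -d "${DIR}" ]; then`, keeps the two tests consistent, and reading `USER`/`DIR` with `IFS=: read -r USER DIR` from a here-document or temp file would avoid the splitting entirely (piping into `while read` would put the loop in a subshell and lose `FOUND`, so the redirect form matters). The identical passwd pipeline could also be computed once and reused by both tests.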
@@ -89,9 +89,9 @@
 if [ ${SKIPTEST} -eq 0 ]; then
 # Check if users own their home directories
 FOUND=0
- for LINE in $(${EGREPBINARY} -v '^(daemon|git|halt|root|shutdown|sync)' ${ROOTDIR}etc/passwd | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }'); do
+ for LINE in $(${EGREPBINARY} -v '^(daemon|git|halt|root|shutdown|sync)' ${ROOTDIR}etc/passwd | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print $1 ":" $6}'); do
 USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1)
- DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6)
+ DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f2)
 if [ -d ${DIR} ]; then
 OWNER=$(ls -ld ${DIR} | awk -F" " '{ print $3 }')
 if [ ! "${OWNER}" = "${USER}" ]; then
From 2b8f761efa685b5e36e1eb20efef6766dbfb84b9 Mon Sep 17 00:00:00 2001
From: fbomj
Date: Wed, 6 Nov 2019 21:49:54 +0100
Subject: [PATCH 11/20] MALW-3280: Kaspersky detection
---
 include/tests_malware | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/include/tests_malware b/include/tests_malware
index b260c488..e8d680c1 100644
--- a/include/tests_malware
+++ b/include/tests_malware
@@ -33,6 +33,7 @@
 CLAMSCAN_INSTALLED=0
 ESET_DAEMON_RUNNING=0
 FRESHCLAM_DAEMON_RUNNING=0
+ KASPERSKY_SCANNER_RUNNING=0
 MCAFEE_SCANNER_RUNNING=0
 MALWARE_SCANNER_INSTALLED=0
 SOPHOS_SCANNER_RUNNING=0
@@ -155,6 +156,22 @@
 Report "malware_scanner[]=cylance-protect"
 fi
+ # Kaspersky products
+ LogText "Test: checking process wdserver or klnagent (Kaspersky)"
+ # wdserver is too generic to match on, so we want to ensure that it is related to Kaspersky first
+ if [ -x /opt/kaspersky/kesl/libexec/kesl_launcher.sh ]; then
+ if IsRunning "wdserver"; then KASPERSKY_SCANNER_RUNNING=1; fi
+ else
+ if IsRunning "klnagent"; then KASPERSKY_SCANNER_RUNNING=1; fi
+ fi
+ if [ ${KASPERSKY_SCANNER_RUNNING} -eq 1 ]; then
+ FOUND=1
+ if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Kaspersky" --result "${STATUS_FOUND}" --color GREEN; fi
+ LogText "Result: Found Kaspersky"
+ MALWARE_SCANNER_INSTALLED=1
+ Report "malware_scanner[]=kaspersky"
+ fi
+
 # McAfee products
 LogText "Test: checking process cma or cmdagent (McAfee)"
 # cma is too generic to match on, so we want to ensure that it is related to McAfee first
From cb52e9bfbe2bbfcacb7db9c26c4373d02366be9b Mon Sep 17 00:00:00 2001
From: Michael Boelen
Date: Mon, 18 Nov 2019 08:00:03 +0100
Subject: [PATCH 12/20] Also cleanup when Lynis process is terminated
---
 lynis | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lynis b/lynis
index dcc7de05..85cf5807 100755
--- a/lynis
+++ b/lynis
@@ -248,7 +248,7 @@
 #
 #################################################################################
 #
- trap CleanUp INT
+ trap CleanUp INT TERM
 # Use safe umask for the files we create
 umask 027
From a07fcb3348b499eea4684a37d0aab0dbb0095e5f Mon Sep 17 00:00:00 2001
From: Michael Boelen
Date: Mon, 18 Nov 2019 10:19:43 +0100
Subject: [PATCH 13/20] Add USR1 trap to show status such as active test
---
 include/functions | 17 +++++++++++++++++
 lynis | 1 +
 2 files changed, 18 insertions(+)
diff --git a/include/functions b/include/functions
index b96bb070..0c258907 100644
--- a/include/functions
+++ b/include/functions
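Review bot: `klnagent` is only tested in the `else` branch, so on a host where `/opt/kaspersky/kesl/libexec/kesl_launcher.sh` exists but `wdserver` is not running (KESL installed but stopped, agent still up) nothing is detected even though `klnagent` is running. Checking the agent unconditionally keeps the `wdserver` disambiguation and closes that gap: keep the `if [ -x ... ]` block for `wdserver` only, drop its `else`, and add `if IsRunning "klnagent"; then KASPERSKY_SCANNER_RUNNING=1; fi` after the `fi`. The launcher path is also tested without a `${ROOTDIR}` prefix; whether the other product checks in this file use `${ROOTDIR}` is not visible in the hunk, so this is worth a consistency check.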
@@ -98,6 +98,7 @@
 # ShowComplianceFinding Display a particular finding regarding compliance or a security standard
 # ShowSymlinkPath Show a path behind a symlink
 # SkipAtomicTest Test if a subtest needs to be skipped
+# Status Show execution status, such as active test being performed
 # StoreNginxSettings Save parsed nginx settings to file
 # TestValue Evaluate a value in a string or key
 # ViewCategories Show available category of tests
@@ -3383,6 +3384,22 @@
 }
+ ################################################################################
+ # Name : Status()
+ # Description : Reports back the status of tool
+ #
+ # Returns : text to screen
+ # Notes : kill --signal USR1 or pkill --signal USR1 lynis
+ ################################################################################
+
+ Status() {
+ echo ""
+ echo "Date / time : $(date "+%Y-%m-%d %H:%M:%S")"
+ echo "Active test : ${TEST_NO:-NONE}"
+ echo ""
+ }
+
+
 ################################################################################
 # Name : StoreNginxSettings()
 # Description : Store parsed settings from nginx (by ParseNginx)
diff --git a/lynis b/lynis
index 85cf5807..db50a3f3 100755
--- a/lynis
+++ b/lynis
@@ -249,6 +249,7 @@
 #################################################################################
 #
 trap CleanUp INT TERM
+ trap Status USR1
 # Use safe umask for the files we create
 umask 027
From f81ff3d7d6634ffa2f19dfde2250b88b252c5b9a Mon Sep 17 00:00:00 2001
From: Michael Boelen
Date: Mon, 18 Nov 2019 10:20:31 +0100
Subject: [PATCH 14/20] Removed empty lines
---
 include/tests_kernel | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/include/tests_kernel b/include/tests_kernel
index f5a896ba..8a1914cd 100644
--- a/include/tests_kernel
+++ b/include/tests_kernel
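Review bot: `Status()` in the @@ -3383 hunk writes with plain `echo` to stdout, so when Lynis output is redirected or captured (a cron run, or a pipe into a file) the USR1 status lines land inside that output rather than in front of whoever sent the signal; sending them to stderr, e.g. `echo "Active test : ${TEST_NO:-NONE}" >&2`, and also recording the request with `LogText` would keep the captured report clean. The `Notes` line recommends `kill --signal USR1`, which is the util-linux long option; the portable spelling `kill -USR1 <pid>` (placeholder pid) also works with the shell builtin. The `lynis` hunk installing `trap Status USR1` needs no change.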
@@ -445,7 +445,6 @@
 # check likely main config file for systemd: ${ROOTDIR}etc/systemd/coredump.conf for ProcessSizeMax=0 and Storage=none
 SYSD_CORED_BASE_PROCSIZEMAX_NR_DISABLED=$(${GREPBINARY} -v "^ *#" ${ROOTDIR}etc/systemd/coredump.conf 2> /dev/null | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} "^0 *$" | ${WCBINARY} -l)
 SYSD_CORED_BASE_PROCSIZEMAX_NR_ENABLED=$(${GREPBINARY} -v "^ *#" ${ROOTDIR}etc/systemd/coredump.conf 2> /dev/null | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} -v "^0 *$" | ${WCBINARY} -l)
-
 SYSD_CORED_BASE_STORAGE_FOUND=$(${GREPBINARY} -v "^ *#" ${ROOTDIR}etc/systemd/coredump.conf 2> /dev/null | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -i "^Storage=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g')
 SYSD_CORED_BASE_STORAGE_NR_ENABLED=$(${ECHOCMD} "${SYSD_CORED_BASE_STORAGE_FOUND}" | ${SEDBINARY} 's/none//g' | ${WCBINARY} | ${AWKBINARY} '{print $2}')
 SYSD_CORED_BASE_STORAGE_NR_DISABLED=$(${ECHOCMD} "${SYSD_CORED_BASE_STORAGE_FOUND}" | ${GREPBINARY} -o "none" | ${WCBINARY} | ${AWKBINARY} '{print $2}')
@@ -454,11 +453,9 @@ # while there could be multiple files overwriting each other, we are checking the number of occurrences SYSD_CORED_SUB_PROCSIZEMAX_NR_DISABLED=$(${FINDBINARY} /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} "^0 *$" | ${WCBINARY} -l) SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED=$(${FINDBINARY} /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} -v "^0 *$" | ${WCBINARY} -l) - SYSD_CORED_SUB_STORAGE_FOUND=$(${FINDBINARY} /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^Storage=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g') SYSD_CORED_SUB_STORAGE_NR_ENABLED=$(${ECHOCMD} "${SYSD_CORED_SUB_STORAGE_FOUND}" | ${SEDBINARY} 's/none//g' | ${WCBINARY} | ${AWKBINARY} '{print $2}') SYSD_CORED_SUB_STORAGE_NR_DISABLED=$(${ECHOCMD} "${SYSD_CORED_SUB_STORAGE_FOUND}" | ${GREPBINARY} -o "none" | ${WCBINARY} | ${AWKBINARY} '{print $2}') - if ( [ ${SYSD_CORED_BASE_PROCSIZEMAX_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_BASE_STORAGE_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -eq 0 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -eq 0 ] ) || \ ( [ ${SYSD_CORED_BASE_PROCSIZEMAX_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -eq 0 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -eq 0 ] ) || \ ( [ ${SYSD_CORED_BASE_STORAGE_NR_DISABLED} -ge 1 ] && [ 
${SYSD_CORED_SUB_PROCSIZEMAX_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -eq 0 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -eq 0 ] ) || \ @@ -498,7 +495,6 @@ # use tail -1 in the following commands to get the last entry, which is the one that counts (in case of profile.d/ probably counts) ULIMIT_C_VALUE="$(${GREPBINARY} "ulimit -c " ${ROOTDIR}etc/profile 2> /dev/null | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -v "^#" | ${TAILBINARY} -1 | ${CUTBINARY} -d' ' -f3 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g')" ULIMIT_C_VALUE_SUB="$(${FINDBINARY} ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} "ulimit -c " | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -v "^#" | ${TAILBINARY} -1 | ${CUTBINARY} -d' ' -f3 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g')" - if ( [ -n "${ULIMIT_C_VALUE_SUB}" ] && [ "${ULIMIT_C_VALUE_SUB}" = "0" ] ) || ( [ -n "${ULIMIT_C_VALUE}" ] && [ -z "${ULIMIT_C_VALUE_SUB}" ] && [ "${ULIMIT_C_VALUE}" = "0" ] ); then LogText "Result: core dumps are disabled by 'ulimit -c 0' in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh" Display --indent 4 --text "- configuration in etc/profile" --result "${STATUS_DISABLED}" --color GREEN From 189b7a04baa7eaed38388d1f00c981c6815882a6 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 18 Nov 2019 10:21:21 +0100 Subject: [PATCH 15/20] Updated log --- CHANGELOG.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index b80c0816..a6041cf0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -55,10 +55,12 @@ Using the relevant options, the scan will change base on the intended goal. - New test: PROC-3802 - check presence of prelink tooling - New report key: openssh_daemon_running - New command: lynis generate systemd-units +- Sending USR1 signal to Lynis process will show active status - Measure timing of tests and report slow tests (10+ seconds) - Initial support for Clear Linux OS - Added end-of-life data for Arch Linux and Debian - Detection and end-of-life data added for Amazon Linux +- Detection of linux-lts on Arch Linux ### Changed - Function: CheckItem() now returns only exit code (ITEM_FOUND is dropped) @@ -87,6 +89,7 @@ Using the relevant options, the scan will change base on the intended goal. - KRNL-5820 - extended check to include limits.d directory - LOGG-2154 - added support for rsyslog configurations - MAIL-8804 - replaced static strings with translation-aware strings +- MALW-3280 - Kaspersky detection added - NAME-4402 - check if /etc/hosts exists before performing test - NAME-4404 - improved screen and log output - NAME-4408 - corrected Report function call @@ -95,6 +98,7 @@ Using the relevant options, the scan will change base on the intended goal. - PROC-3612 - show 'Not found' instead of 'OK' - PROC-3614 - show 'Not found' instead of 'OK' - SCHD-7702 - removed hardening points +- SINT-7010 - limit test to only macOS systems - SSH-7402 - detect other SSH daemons like dropbear - SSH-7406 - strip OpenSSH patch version and remove characters (carriage return) - SSH-7408 - changed text in suggestion and report 
@@ -108,6 +112,7 @@ Using the relevant options, the scan will change base on the intended goal. - Use only locations from PATH environment variable, unless it is not defined - Show tip to use 'lynis generate hostids' when host IDs are missing - The 'show changelog' command works again for newer versions +- Improved screen output in several tests - Several code cleanups, simplification of commands, and code standardization - Tests using lsof may ignore individual threads (if supported) - Do not show tool tips when quiet option is used From 61b78c1cf3d9d5fa4f5bf968063e3931be336572 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 18 Nov 2019 11:03:38 +0100 Subject: [PATCH 16/20] Only show message about 4+ months old if there is actually an update available. --- lynis | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/lynis b/lynis index db50a3f3..081833bb 100755 --- a/lynis +++ b/lynis @@ -43,8 +43,8 @@ PROGRAM_WEBSITE="https://cisofy.com/lynis/" # Version details - PROGRAM_RELEASE_DATE="2019-07-14" - PROGRAM_RELEASE_TIMESTAMP=1563094548 + PROGRAM_RELEASE_DATE="2019-11-18" + PROGRAM_RELEASE_TIMESTAMP=1574071362 PROGRAM_RELEASE_TYPE="pre-release" # pre-release or release PROGRAM_VERSION="3.0.0" @@ -771,7 +771,6 @@ ${NORMAL} if [ ${UPDATE_AVAILABLE} -eq 0 ]; then ReportSuggestion "LYNIS" "This release is more than 4 months old. Consider upgrading" fi - UPDATE_AVAILABLE=1 OLD_RELEASE=1 fi From 51b7a207c5a1213bf019811e23847c1e40c8198b Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 4 Dec 2019 08:01:22 +0100 Subject: [PATCH 17/20] Corrected text for groups and prefer --use-cwd instead of --usecwd --- lynis.8 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lynis.8 b/lynis.8 index 2f424209..719e82c7 100644 --- a/lynis.8 +++ b/lynis.8 @@ -1,4 +1,4 @@ -.TH Lynis 8 "21 Aug 2019" "1.30" "Unix System Administrator's Manual" +.TH Lynis 8 "4 Dec 2019" "1.31" "Unix System Administrator's Manual" .SH "NAME" 
@@ -126,9 +126,9 @@ Tests are only performed if they belong to the defined category. Use the command .TP .B \-\-tests\-from\-group "" Similar to \-\-tests\-from\-category. Only perform tests from a particular group. -Use 'show categories' to determine valid options. +Use 'show groups' to determine valid options. .TP -.B \-\-usecwd +.B \-\-use-cwd Run from the current working directory. .TP .B \-\-upload From 15ae5ea0c1c48fdd2d1c7601c3471ce0910861c8 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 4 Dec 2019 08:01:56 +0100 Subject: [PATCH 18/20] Added alias --use-cwd as that is more in line with other options (instead of --usecwd) --- include/parameters | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/parameters b/include/parameters index 048b992d..b8676b4c 100644 --- a/include/parameters +++ b/include/parameters @@ -387,7 +387,7 @@ UPLOAD_DATA=1 ;; - --usecwd) + --usecwd | --use-cwd) USE_CWD=1 ;; From 6421c2e419c6ab164c657529419561289758ed70 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 6 Dec 2019 09:49:06 +0100 Subject: [PATCH 19/20] [BANN-7126] additional words for login banner are accepted --- include/tests_banners | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_banners b/include/tests_banners index dde7a67e..f9f26104 100644 --- a/include/tests_banners +++ b/include/tests_banners 
@@ -27,7 +27,7 @@ ################################################################################# # BANNER_FILES="${ROOTDIR}etc/issue ${ROOTDIR}etc/issue.net ${ROOTDIR}etc/motd" - LEGAL_BANNER_STRINGS="audit access authori connect enforce evidence forbidden intrusion law legal monitor owner policy policies privacy private prohibited record restricted secure subject system terms unauthorized" + LEGAL_BANNER_STRINGS="audit access authori condition connect consent continu criminal enforce evidence forbidden intrusion law legal legislat log monitor owner penal policy policies privacy private prohibited record restricted secure subject system terms warning" # ################################################################################# # From f93be8a44d8b46e19bb96d7001d30ef1aa4ca7d1 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 6 Dec 2019 09:49:14 +0100 Subject: [PATCH 20/20] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index a6041cf0..52b4788d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -72,6 +72,7 @@ Using the relevant options, the scan will change base on the intended goal. - AUTH-9266 - skip .pam-old files in /etc/pam.d - AUTH-9282 - fix: temporary variable was overwritten - AUTH-9408 - added support for pam_tally2 to log failed logins +- BANN-7126 - additional words for login banner are accepted - CONT-8106 - support newer 'docker info' output - CRYP-8002 - gather kernel entropy on Linux systems - FILE-6374 - changed log and allow root location to be changed
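Review bot: `unauthorized` is dropped from LEGAL_BANNER_STRINGS on the new line even though the commit only claims to add words; if the comparison is substring-based (the truncated stems `authori`, `continu`, `legislat` suggest it is, but the matching code is outside this hunk) it is still covered by `authori`, yet the removal should be deliberate and stated rather than silent. The new stem `log` is also very short and will match `login`, `logo` or `catalog` in a banner that carries no legal notice at all, inflating the count of accepted words; a longer form such as `logged` keeps the false-positive rate in line with the rest of the list.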