Merge branch 'master' into master

Michael Boelen 2019-12-06 15:35:46 +01:00 committed by GitHub
commit 24c5a9fcea
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
17 changed files with 218 additions and 78 deletions

View File

@ -55,10 +55,12 @@ Using the relevant options, the scan will change base on the intended goal.
- New test: PROC-3802 - check presence of prelink tooling - New test: PROC-3802 - check presence of prelink tooling
- New report key: openssh_daemon_running - New report key: openssh_daemon_running
- New command: lynis generate systemd-units - New command: lynis generate systemd-units
- Sending USR1 signal to Lynis process will show active status
- Measure timing of tests and report slow tests (10+ seconds) - Measure timing of tests and report slow tests (10+ seconds)
- Initial support for Clear Linux OS - Initial support for Clear Linux OS
- Added end-of-life data for Arch Linux and Debian - Added end-of-life data for Arch Linux and Debian
- Detection and end-of-life data added for Amazon Linux - Detection and end-of-life data added for Amazon Linux
- Detection of linux-lts on Arch Linux
### Changed ### Changed
- Function: CheckItem() now returns only exit code (ITEM_FOUND is dropped) - Function: CheckItem() now returns only exit code (ITEM_FOUND is dropped)
@ -70,6 +72,7 @@ Using the relevant options, the scan will change base on the intended goal.
- AUTH-9266 - skip .pam-old files in /etc/pam.d - AUTH-9266 - skip .pam-old files in /etc/pam.d
- AUTH-9282 - fix: temporary variable was overwritten - AUTH-9282 - fix: temporary variable was overwritten
- AUTH-9408 - added support for pam_tally2 to log failed logins - AUTH-9408 - added support for pam_tally2 to log failed logins
- BANN-7126 - additional words for login banner are accepted
- CONT-8106 - support newer 'docker info' output - CONT-8106 - support newer 'docker info' output
- CRYP-8002 - gather kernel entropy on Linux systems - CRYP-8002 - gather kernel entropy on Linux systems
- FILE-6374 - changed log and allow root location to be changed - FILE-6374 - changed log and allow root location to be changed
@ -87,6 +90,7 @@ Using the relevant options, the scan will change base on the intended goal.
- KRNL-5820 - extended check to include limits.d directory - KRNL-5820 - extended check to include limits.d directory
- LOGG-2154 - added support for rsyslog configurations - LOGG-2154 - added support for rsyslog configurations
- MAIL-8804 - replaced static strings with translation-aware strings - MAIL-8804 - replaced static strings with translation-aware strings
- MALW-3280 - Kaspersky detection added
- NAME-4402 - check if /etc/hosts exists before performing test - NAME-4402 - check if /etc/hosts exists before performing test
- NAME-4404 - improved screen and log output - NAME-4404 - improved screen and log output
- NAME-4408 - corrected Report function call - NAME-4408 - corrected Report function call
@ -95,6 +99,7 @@ Using the relevant options, the scan will change base on the intended goal.
- PROC-3612 - show 'Not found' instead of 'OK' - PROC-3612 - show 'Not found' instead of 'OK'
- PROC-3614 - show 'Not found' instead of 'OK' - PROC-3614 - show 'Not found' instead of 'OK'
- SCHD-7702 - removed hardening points - SCHD-7702 - removed hardening points
- SINT-7010 - limit test to only macOS systems
- SSH-7402 - detect other SSH daemons like dropbear - SSH-7402 - detect other SSH daemons like dropbear
- SSH-7406 - strip OpenSSH patch version and remove characters (carriage return) - SSH-7406 - strip OpenSSH patch version and remove characters (carriage return)
- SSH-7408 - changed text in suggestion and report - SSH-7408 - changed text in suggestion and report
@ -108,6 +113,7 @@ Using the relevant options, the scan will change base on the intended goal.
- Use only locations from PATH environment variable, unless it is not defined - Use only locations from PATH environment variable, unless it is not defined
- Show tip to use 'lynis generate hostids' when host IDs are missing - Show tip to use 'lynis generate hostids' when host IDs are missing
- The 'show changelog' command works again for newer versions - The 'show changelog' command works again for newer versions
- Improved screen output in several tests
- Several code cleanups, simplification of commands, and code standardization - Several code cleanups, simplification of commands, and code standardization
- Tests using lsof may ignore individual threads (if supported) - Tests using lsof may ignore individual threads (if supported)
- Do not show tool tips when quiet option is used - Do not show tool tips when quiet option is used

View File

@ -98,6 +98,7 @@
# ShowComplianceFinding Display a particular finding regarding compliance or a security standard # ShowComplianceFinding Display a particular finding regarding compliance or a security standard
# ShowSymlinkPath Show a path behind a symlink # ShowSymlinkPath Show a path behind a symlink
# SkipAtomicTest Test if a subtest needs to be skipped # SkipAtomicTest Test if a subtest needs to be skipped
# Status Show execution status, such as active test being performed
# StoreNginxSettings Save parsed nginx settings to file # StoreNginxSettings Save parsed nginx settings to file
# TestValue Evaluate a value in a string or key # TestValue Evaluate a value in a string or key
# ViewCategories Show available category of tests # ViewCategories Show available category of tests
@ -1281,6 +1282,9 @@
CHECK_PERMISSION=$(echo "-${CHECK_PERMISSION}" | ${AWKBINARY} '{k=0;for(i=0;i<=8;i++)k+=((substr($1,i+2,1)~/[rwx]/)*2^(8-i));if(k)printf("%0o",k)}') CHECK_PERMISSION=$(echo "-${CHECK_PERMISSION}" | ${AWKBINARY} '{k=0;for(i=0;i<=8;i++)k+=((substr($1,i+2,1)~/[rwx]/)*2^(8-i));if(k)printf("%0o",k)}')
fi fi
# Add leading zeros if necessary
CHECK_PERMISSION=$(echo "${CHECK_PERMISSION}" | ${AWKBINARY} '{printf "%03d",$1}')
# First try stat command # First try stat command
LogText "Test: checking if file ${CHECKFILE} is ${CHECK_PERMISSION}" LogText "Test: checking if file ${CHECKFILE} is ${CHECK_PERMISSION}"
if [ -n "${STATBINARY}" ]; then if [ -n "${STATBINARY}" ]; then
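Review bot: the new padding step `CHECK_PERMISSION=$(echo "${CHECK_PERMISSION}" | ${AWKBINARY} '{printf "%03d",$1}')` runs unconditionally, and awk converts an empty or non-numeric value to 0, so an unset CHECK_PERMISSION silently becomes "000" and is then compared as if it were a real mode. Guard the padding with a numeric check (only pad when the value matches `[0-7]*`), or log before padding when the value is not octal.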
@ -1299,7 +1303,11 @@
*) *)
# Only use find when OS is NOT AIX and binaries are NOT busybox # Only use find when OS is NOT AIX and binaries are NOT busybox
if [ ${SHELL_IS_BUSYBOX} -eq 0 ]; then if [ ${SHELL_IS_BUSYBOX} -eq 0 ]; then
DATA=$(${FINDBINARY} ${CHECKFILE} -printf "%m") if [ -d ${CHECKFILE} ]; then
DATA=$(${FINDBINARY} ${CHECKFILE} -maxdepth 0 -printf "%m")
else
DATA=$(${FINDBINARY} ${CHECKFILE} -printf "%m")
fi
fi fi
;; ;;
esac esac
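Review bot: the new `[ -d ${CHECKFILE} ]` branch is not needed: `${FINDBINARY} ${CHECKFILE} -maxdepth 0 -printf "%m"` works for regular files as well as directories (depth 0 is the starting point itself), so one call with `-maxdepth 0` replaces both arms and still fixes the original problem where `find` on a directory printed the modes of every entry beneath it, concatenated. Quote `"${CHECKFILE}"` in both the test and the find call; an unquoted path containing spaces splits into several arguments.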
@ -1317,13 +1325,16 @@
# Convert permissions to octal when needed # Convert permissions to octal when needed
case ${DATA} in case ${DATA} in
"r"|"w"|"x"|"-") [-r][-w][-x][-r][-w][-x][-r][-w][-x] )
LogText "Converting value ${DATA} to octal" LogText "Converting value ${DATA} to octal"
DATA=$(echo ${DATA} | ${AWKBINARY} '{k=0;for(i=0;i<=8;i++)k+=((substr($1,i+2,1)~/[rwx]/)*2^(8-i));if(k)printf("%0o",k)}') # add a dummy character as first character so it looks like output is a normal file
if [ "${DATA}" = "0" ]; then DATA="000"; fi DATA=$(echo "-${DATA}" | ${AWKBINARY} '{k=0;for(i=0;i<=8;i++)k+=((substr($1,i+2,1)~/[rwx]/)*2^(8-i));if(k)printf("%0o",k)}')
;; ;;
esac esac
# Add leading zeros if necessary
DATA=$(echo "${DATA}" | ${AWKBINARY} '{printf "%03d",$1}')
if [ -n "${DATA}" ]; then if [ -n "${DATA}" ]; then
if [ "${DATA}" = "${CHECK_PERMISSION}" ]; then if [ "${DATA}" = "${CHECK_PERMISSION}" ]; then
LogText "Outcome: correct permissions (${DATA})" LogText "Outcome: correct permissions (${DATA})"
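Review bot: the widened pattern `[-r][-w][-x][-r][-w][-x][-r][-w][-x]` fixes the old labels, which could only ever match a single character, but it still does not match modes carrying setuid, setgid or sticky bits (`s`, `S`, `t`, `T` in an execute position, e.g. `rwsr-xr-x`). Such a value skips conversion and then hits the new `printf "%03d"` padding, where awk turns the non-numeric string into `000`, so the file is reported as having wrong permissions with no hint in the log. Extend the execute positions to `[-xsS]` / `[-xtT]` and treat `s`/`t` as execute in the awk conversion, or at least log a warning when DATA is still non-numeric after the case statement.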
@ -3383,6 +3394,22 @@
} }
################################################################################
# Name : Status()
# Description : Reports back the status of tool
#
# Returns : text to screen
# Notes : kill --signal USR1 <PID> or pkill --signal USR1 lynis
################################################################################
Status() {
echo ""
echo "Date / time : $(date "+%Y-%m-%d %H:%M:%S")"
echo "Active test : ${TEST_NO:-NONE}"
echo ""
}
################################################################################ ################################################################################
# Name : StoreNginxSettings() # Name : StoreNginxSettings()
# Description : Store parsed settings from nginx (by ParseNginx) # Description : Store parsed settings from nginx (by ParseNginx)
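Review bot: `Status()` only does anything if it is installed as the USR1 handler, and the `trap ... USR1` registration is not in this hunk; it has to be set before the first test runs, because the default action for SIGUSR1 is to terminate the process, so an early signal would kill Lynis instead of printing status. In the header, `kill --signal USR1 <PID>` is GNU-specific; the portable spelling is `kill -USR1 <PID>` or `kill -s USR1 <PID>`.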

View File

@ -206,6 +206,13 @@
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_NAME="Ubuntu" OS_NAME="Ubuntu"
;; ;;
"raspbian")
LINUX_VERSION="Raspbian"
OS_FULLNAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_NAME="Raspbian"
;;
"rhel") "rhel")
LINUX_VERSION="RHEL" LINUX_VERSION="RHEL"
OS_NAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_NAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')

View File

@ -387,7 +387,7 @@
UPLOAD_DATA=1 UPLOAD_DATA=1
;; ;;
--usecwd) --usecwd | --use-cwd)
USE_CWD=1 USE_CWD=1
;; ;;
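Review bot: the new `--use-cwd` spelling is accepted here but none of the CHANGELOG hunks in this commit mention it; add an entry, and make sure the help/usage text lists both spellings so the new form is discoverable.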

View File

@ -46,7 +46,7 @@
fi fi
# Security check for unexpected and possibly harmful escape characters (hyphen should be listed as first or last character) # Security check for unexpected and possibly harmful escape characters (hyphen should be listed as first or last character)
DATA=$(grep -v '^$\|^ \|^#\|^config:' ${PROFILE} | tr -d '[:alnum:]/\[\]\(\)_\|,\.:;= \n\r-' | od -An -ta | sed 's/ /!space!/g') DATA=$(grep -Ev '^$|^ |^#|^config:' "${PROFILE}" | tr -d '[:alnum:]/\[\]\(\)_\|,\.:;= \n\r-' | od -An -ta | sed 's/ /!space!/g')
if ! IsEmpty "${DATA}"; then if ! IsEmpty "${DATA}"; then
DisplayWarning "Your profile '${PROFILE}' contains unexpected characters. See the log file for more information." DisplayWarning "Your profile '${PROFILE}' contains unexpected characters. See the log file for more information."
LogText "Found unexpected or possibly harmful characters in profile '${PROFILE}'. See which characters matched in the output below and compare them with your profile." LogText "Found unexpected or possibly harmful characters in profile '${PROFILE}'. See which characters matched in the output below and compare them with your profile."
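Review bot: the `tr -d` character set on this line still omits the tab character, so a profile that uses tabs (for example between a `key=value` entry and a trailing comment) is reported as containing unexpected or possibly harmful characters; add `\t` to the allowed set if tabs are legitimate in profiles. Moving to `grep -Ev` with `|` alternation and quoting `"${PROFILE}"` is a good change.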

View File

@ -478,10 +478,10 @@
done done
if [ ${FOUND} -eq 1 ]; then if [ ${FOUND} -eq 1 ]; then
LogText "Result: sudoers file found (${SUDOERS_FILE})" LogText "Result: sudoers file found (${SUDOERS_FILE})"
Display --indent 2 --text "- sudoers file" --result "${STATUS_FOUND}" --color GREEN Display --indent 2 --text "- Sudoers file(s)" --result "${STATUS_FOUND}" --color GREEN
else else
LogText "Result: sudoers file NOT found" LogText "Result: sudoers file NOT found"
Display --indent 2 --text "- sudoers file" --result "${STATUS_NOT_FOUND}" --color YELLOW Display --indent 2 --text "- Sudoers file" --result "${STATUS_NOT_FOUND}" --color YELLOW
fi fi
fi fi
# #
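Review bot: the two Display labels in this hunk now differ: `- Sudoers file(s)` on the found branch versus `- Sudoers file` on the not-found branch. Use one label for both so the screen output lines up between runs; the found branch logs a single `${SUDOERS_FILE}`, so `- Sudoers file` fits both.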
@ -499,13 +499,27 @@
FIND=$(${LSBINARY} -ld ${SUDOERS_D} | ${CUTBINARY} -c 2-10) FIND=$(${LSBINARY} -ld ${SUDOERS_D} | ${CUTBINARY} -c 2-10)
FIND2=$(${LSBINARY} -nd ${SUDOERS_D} | ${AWKBINARY} '{print $3$4}') FIND2=$(${LSBINARY} -nd ${SUDOERS_D} | ${AWKBINARY} '{print $3$4}')
LogText "Result: Found directory permissions: ${FIND} and owner UID GID: ${FIND2}" LogText "Result: Found directory permissions: ${FIND} and owner UID GID: ${FIND2}"
if [ "${FIND}" = "rwxrwx---" -o "${FIND}" = "rwxr-x---" -o "${FIND}" = "rwx------" ] && [ "${FIND2}" = "00" ]; then case "${FIND}" in
LogText "Result: directory ${SUDOERS_D} permissions/ownership OK" rwx[r-][w-][x-]--- )
Display --indent 4 --text "- Permissions for directory: ${SUDOERS_D}" --result "${STATUS_OK}" --color GREEN LogText "Result: directory ${SUDOERS_D} permissions OK"
else if [ "${FIND2}" = "00" ]; then
LogText "Result: directory has possibly unsafe permissions/ownership" LogText "Result: directory ${SUDOERS_D} ownership OK"
Display --indent 4 --text "- Permissions for directory: ${SUDOERS_D}" --result "${STATUS_WARNING}" --color RED Display --indent 4 --text "- Permissions for directory: ${SUDOERS_D}" --result "${STATUS_OK}" --color GREEN
fi else
LogText "Result: directory ${SUDOERS_D} has possibly unsafe ownership"
Display --indent 4 --text "- Permissions for directory: ${SUDOERS_D}" --result "${STATUS_WARNING}" --color RED
fi
;;
* )
LogText "Result: directory ${SUDOERS_D} has possibly unsafe permissions"
if [ "${FIND2}" = "00" ]; then
LogText "Result: directory ${SUDOERS_D} ownership OK"
else
LogText "Result: directory ${SUDOERS_D} has possibly unsafe ownership"
fi
Display --indent 4 --text "- Permissions for directory: ${SUDOERS_D}" --result "${STATUS_WARNING}" --color RED
;;
esac
SUDO_CONFIG_FILES="${SUDO_CONFIG_FILES} $(${FINDBINARY} ${SUDOERS_D} -type f -print)" SUDO_CONFIG_FILES="${SUDO_CONFIG_FILES} $(${FINDBINARY} ${SUDOERS_D} -type f -print)"
fi fi
for f in ${SUDO_CONFIG_FILES}; do for f in ${SUDO_CONFIG_FILES}; do
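Review bot: the `rwx[r-][w-][x-]---` pattern keeps the three previously accepted directory modes but also admits combinations such as `rwx-w----` (group write without group read); if that widening is intended, say so in a comment, otherwise keep the explicit list. The `${FIND2}` ownership test and its two LogText messages are duplicated in both case arms; compute a permissions flag and an ownership flag first and emit a single Display afterwards, which halves the block and keeps the two checks from drifting apart. `${SUDOERS_D}` is also unquoted in the ls and find calls.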
@ -513,13 +527,27 @@
FIND=$(${LSBINARY} -l ${f} | ${CUTBINARY} -c 2-10) FIND=$(${LSBINARY} -l ${f} | ${CUTBINARY} -c 2-10)
FIND2=$(${LSBINARY} -n ${f} | ${AWKBINARY} '{print $3$4}') FIND2=$(${LSBINARY} -n ${f} | ${AWKBINARY} '{print $3$4}')
LogText "Result: Found file permissions: ${FIND} and owner UID GID: ${FIND2}" LogText "Result: Found file permissions: ${FIND} and owner UID GID: ${FIND2}"
if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" = "r--r-----" ] && [ "${FIND2}" = "00" ]; then case "${FIND}" in
LogText "Result: file ${f} permissions/ownership OK" r[w-]-[r-][w-]---- )
Display --indent 4 --text "- Permissions for: ${f}" --result "${STATUS_OK}" --color GREEN LogText "Result: file ${f} permissions OK"
else if [ "${FIND2}" = "00" ]; then
LogText "Result: file has possibly unsafe permissions/ownership" LogText "Result: file ${f} ownership OK"
Display --indent 4 --text "- Permissions for: ${f}" --result "${STATUS_WARNING}" --color RED Display --indent 4 --text "- Permissions for: ${f}" --result "${STATUS_OK}" --color GREEN
fi else
LogText "Result: file ${f} has possibly unsafe ownership"
Display --indent 4 --text "- Permissions for: ${f}" --result "${STATUS_WARNING}" --color RED
fi
;;
* )
LogText "Result: file ${f} has possibly unsafe permissions"
if [ "${FIND2}" = "00" ]; then
LogText "Result: file ${f} ownership OK"
else
LogText "Result: file ${f} has possibly unsafe ownership"
fi
Display --indent 4 --text "- Permissions for: ${f}" --result "${STATUS_WARNING}" --color RED
;;
esac
done done
fi fi
# #
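Review bot: the `r[w-]-[r-][w-]----` pattern covers the three modes previously accepted (`rw-------`, `rw-rw----`, `r--r-----`) but also admits `r---w----` and `rw--w----`, group write without group read, which are unusual for sudoers files; a comment stating which modes are considered safe would help future readers. As in the directory check, the `${FIND2}` ownership test and its LogText messages are repeated in both arms; a flag-then-single-Display layout would be shorter and less error-prone. `${f}` is unquoted in the ls calls as well.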
@ -1469,13 +1497,16 @@
LogText "Test: checking /etc/doas.conf permissions" LogText "Test: checking /etc/doas.conf permissions"
FIND=$(ls -l ${DOAS_FILE} | ${CUTBINARY} -c 2-10) FIND=$(ls -l ${DOAS_FILE} | ${CUTBINARY} -c 2-10)
LogText "Result: Found /etc/doas.conf file permissions: ${FIND}" LogText "Result: Found /etc/doas.conf file permissions: ${FIND}"
if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" = "r--r-----" ]; then case "${FIND}" in
LogText "Result: file /etc/doas.conf has correct permissions" r[w-]-[r-][w-]---- )
Display --indent 4 --text "- Check doas file permissions" --result "${STATUS_OK}" --color GREEN LogText "Result: file /etc/doas.conf has correct permissions"
else Display --indent 4 --text "- Check doas file permissions" --result "${STATUS_OK}" --color GREEN
LogText "Result: file has possibly unsafe file permissions" ;;
Display --indent 4 --text "- Check doas file permissions" --result "${STATUS_WARNING}" --color RED * )
fi LogText "Result: file has possibly unsafe file permissions"
Display --indent 4 --text "- Check doas file permissions" --result "${STATUS_WARNING}" --color RED
;;
esac
fi fi
# #
################################################################################# #################################################################################
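Review bot: the LogText on the first line of this hunk hardcodes `/etc/doas.conf` while the check runs against `${DOAS_FILE}`; log the variable so the message stays correct if DOAS_FILE points elsewhere. The `ls -l ${DOAS_FILE}` call uses a bare `ls` instead of `${LSBINARY}` as the sudoers checks do; that is pre-existing, but this hunk touches the surrounding lines and is a good place to fix it. The new glob admits the same widened set of modes as in the sudoers file check (`r---w----`, `rw--w----`).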

View File

@ -27,7 +27,7 @@
################################################################################# #################################################################################
# #
BANNER_FILES="${ROOTDIR}etc/issue ${ROOTDIR}etc/issue.net ${ROOTDIR}etc/motd" BANNER_FILES="${ROOTDIR}etc/issue ${ROOTDIR}etc/issue.net ${ROOTDIR}etc/motd"
LEGAL_BANNER_STRINGS="audit access authori connect enforce evidence forbidden intrusion law legal monitor owner policy policies privacy private prohibited record restricted secure subject system terms unauthorized" LEGAL_BANNER_STRINGS="audit access authori condition connect consent continu criminal enforce evidence forbidden intrusion law legal legislat log monitor owner penal policy policies privacy private prohibited record restricted secure subject system terms warning"
# #
################################################################################# #################################################################################
# #
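Review bot: the new LEGAL_BANNER_STRINGS value drops `unauthorized` while adding `condition consent continu criminal legislat log penal warning`. If matching is a substring test, `authori` still covers `unauthorized` and nothing is lost, but the CHANGELOG entry for BANN-7126 only says additional words are accepted; confirm the removal is intentional and mention it, since many banners hit on that word alone. `log` is a very short stem that also matches `login` and `logo`, so a plain login prompt may count as legal banner text on weak evidence.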

View File

@ -138,9 +138,9 @@
FOUND=0 FOUND=0
# cryptsetup only works as root # cryptsetup only works as root
if [ -n "${LSBLKBINARY}" -a -n "${CRYPTSETUPBINARY}" -a ${FORENSICS_MODE} -eq 0 ]; then if [ -n "${LSBLKBINARY}" ] && [ -n "${CRYPTSETUPBINARY}" ] && [ ${FORENSICS_MODE} -eq 0 ]; then
for BLOCK_DEV in $(${LSBLKBINARY} --noheadings --list --paths -o NAME); do for BLOCK_DEV in $(${LSBLKBINARY} --noheadings --list -o NAME 2> /dev/null | cut -d' ' -f1); do
if ${CRYPTSETUPBINARY} isLuks ${BLOCK_DEV} 2> /dev/null; then if ${CRYPTSETUPBINARY} isLuks $(${FINDBINARY} /dev/ -name "${BLOCK_DEV}" 2> /dev/null) 2> /dev/null; then
LogText "Result: Found LUKS encrypted block device: ${BLOCK_DEV}" LogText "Result: Found LUKS encrypted block device: ${BLOCK_DEV}"
Report "encryption[]=luks,block_device,${BLOCK_DEV}" Report "encryption[]=luks,block_device,${BLOCK_DEV}"
FOUND=$((FOUND +1)) FOUND=$((FOUND +1))
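Review bot: replacing `--paths` with `$(${FINDBINARY} /dev/ -name "${BLOCK_DEV}" 2> /dev/null)` walks the whole /dev tree once per block device and can return no path (or, in principle, more than one); when it returns nothing, `cryptsetup isLuks` runs without an argument, fails quietly under `2> /dev/null`, and an encrypted device is silently skipped. If `--paths` was dropped because older `lsblk` versions lack it, state that in the commit and prefer a targeted lookup (`/dev/${BLOCK_DEV}`, falling back to `/dev/mapper/${BLOCK_DEV}` for device-mapper names) over scanning /dev. Use `${CUTBINARY}` rather than bare `cut`, as the surrounding code does.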

View File

@ -58,9 +58,9 @@
# Check if users' home directories permissions are 750 or more restrictive # Check if users' home directories permissions are 750 or more restrictive
FOUND=0 FOUND=0
USERDATA=$(${EGREPBINARY} -v '^(daemon|git|halt|root|shutdown|sync)' ${ROOTDIR}etc/passwd | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }') USERDATA=$(${EGREPBINARY} -v '^(daemon|git|halt|root|shutdown|sync)' ${ROOTDIR}etc/passwd | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }')
while read -r LINE; do while read -r LINE; do
USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1) USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1)
DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6) DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f2)
if [ -d "${DIR}" ]; then if [ -d "${DIR}" ]; then
WRITE_GROUP_PERM=$(${LSBINARY} -ld ${DIR} | ${CUTBINARY} -f1 -d" " | ${CUTBINARY} -c6) WRITE_GROUP_PERM=$(${LSBINARY} -ld ${DIR} | ${CUTBINARY} -f1 -d" " | ${CUTBINARY} -c6)
OTHER_PERMS=$(${LSBINARY} -ld ${DIR} | ${CUTBINARY} -f1 -d" " | ${CUTBINARY} -c8-10) OTHER_PERMS=$(${LSBINARY} -ld ${DIR} | ${CUTBINARY} -f1 -d" " | ${CUTBINARY} -c8-10)
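Review bot: changing `-f6` to `-f2` for DIR looks wrong: USERDATA is still built with `${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }'`, which prints the full passwd record, so field 2 is the password placeholder (`x`), not the home directory. `[ -d "${DIR}" ]` will then never be true, the loop finds nothing, and the test passes on every system. Either keep `-f6`, or have the awk print only `$1":"$6` and document the new record format; a run on a host with a world-readable home directory would confirm the test still fires.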
@ -72,7 +72,7 @@
fi fi
fi fi
done << EOF done << EOF
$USERDATA ${USERDATA}
EOF EOF
if [ ${FOUND} -eq 1 ]; then if [ ${FOUND} -eq 1 ]; then
@ -92,10 +92,10 @@ EOF
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Check if users own their home directories # Check if users own their home directories
FOUND=0 FOUND=0
USERDATA=$(${EGREPBINARY} -v '^(daemon|git|halt|root|shutdown|sync)' ${ROOTDIR}etc/passwd | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }') USERDATA=$(${EGREPBINARY} -v '^(daemon|git|halt|root|shutdown|sync)' ${ROOTDIR}etc/passwd | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }')
while read -r LINE; do while read -r LINE; do
USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1) USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1)
DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6) DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f2)
if [ -d ${DIR} ]; then if [ -d ${DIR} ]; then
OWNER=$(ls -ld ${DIR} | awk -F" " '{ print $3 }') OWNER=$(ls -ld ${DIR} | awk -F" " '{ print $3 }')
if [ ! "${OWNER}" = "${USER}" ]; then if [ ! "${OWNER}" = "${USER}" ]; then
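Review bot: the same concern as in the group-permission loop applies here: DIR now takes field 2 of the full passwd line (`-f2`), which is the password field, while USERDATA's awk still prints the whole record; the home directory is field 6, so `[ -d ${DIR} ]` fails for every user and the ownership comparison never runs. Restore `-f6` unless the USERDATA format is changed accordingly. Also quote `"${DIR}"` in the `-d` test, as the other loop does.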
@ -106,7 +106,7 @@ EOF
fi fi
fi fi
done << EOF done << EOF
$USERDATA ${USERDATA}
EOF EOF
if [ ${FOUND} -eq 1 ]; then if [ ${FOUND} -eq 1 ]; then

View File

@ -445,7 +445,6 @@
# check likely main config file for systemd: ${ROOTDIR}etc/systemd/coredump.conf for ProcessSizeMax=0 and Storage=none # check likely main config file for systemd: ${ROOTDIR}etc/systemd/coredump.conf for ProcessSizeMax=0 and Storage=none
SYSD_CORED_BASE_PROCSIZEMAX_NR_DISABLED=$(${GREPBINARY} -v "^ *#" ${ROOTDIR}etc/systemd/coredump.conf 2> /dev/null | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} "^0 *$" | ${WCBINARY} -l) SYSD_CORED_BASE_PROCSIZEMAX_NR_DISABLED=$(${GREPBINARY} -v "^ *#" ${ROOTDIR}etc/systemd/coredump.conf 2> /dev/null | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} "^0 *$" | ${WCBINARY} -l)
SYSD_CORED_BASE_PROCSIZEMAX_NR_ENABLED=$(${GREPBINARY} -v "^ *#" ${ROOTDIR}etc/systemd/coredump.conf 2> /dev/null | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} -v "^0 *$" | ${WCBINARY} -l) SYSD_CORED_BASE_PROCSIZEMAX_NR_ENABLED=$(${GREPBINARY} -v "^ *#" ${ROOTDIR}etc/systemd/coredump.conf 2> /dev/null | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} -v "^0 *$" | ${WCBINARY} -l)
SYSD_CORED_BASE_STORAGE_FOUND=$(${GREPBINARY} -v "^ *#" ${ROOTDIR}etc/systemd/coredump.conf 2> /dev/null | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -i "^Storage=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g') SYSD_CORED_BASE_STORAGE_FOUND=$(${GREPBINARY} -v "^ *#" ${ROOTDIR}etc/systemd/coredump.conf 2> /dev/null | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -i "^Storage=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g')
SYSD_CORED_BASE_STORAGE_NR_ENABLED=$(${ECHOCMD} "${SYSD_CORED_BASE_STORAGE_FOUND}" | ${SEDBINARY} 's/none//g' | ${WCBINARY} | ${AWKBINARY} '{print $2}') SYSD_CORED_BASE_STORAGE_NR_ENABLED=$(${ECHOCMD} "${SYSD_CORED_BASE_STORAGE_FOUND}" | ${SEDBINARY} 's/none//g' | ${WCBINARY} | ${AWKBINARY} '{print $2}')
SYSD_CORED_BASE_STORAGE_NR_DISABLED=$(${ECHOCMD} "${SYSD_CORED_BASE_STORAGE_FOUND}" | ${GREPBINARY} -o "none" | ${WCBINARY} | ${AWKBINARY} '{print $2}') SYSD_CORED_BASE_STORAGE_NR_DISABLED=$(${ECHOCMD} "${SYSD_CORED_BASE_STORAGE_FOUND}" | ${GREPBINARY} -o "none" | ${WCBINARY} | ${AWKBINARY} '{print $2}')
@ -454,11 +453,9 @@
# while there could be multiple files overwriting each other, we are checking the number of occurrences # while there could be multiple files overwriting each other, we are checking the number of occurrences
SYSD_CORED_SUB_PROCSIZEMAX_NR_DISABLED=$(${FINDBINARY} /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} "^0 *$" | ${WCBINARY} -l) SYSD_CORED_SUB_PROCSIZEMAX_NR_DISABLED=$(${FINDBINARY} /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} "^0 *$" | ${WCBINARY} -l)
SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED=$(${FINDBINARY} /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} -v "^0 *$" | ${WCBINARY} -l) SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED=$(${FINDBINARY} /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} -v "^0 *$" | ${WCBINARY} -l)
SYSD_CORED_SUB_STORAGE_FOUND=$(${FINDBINARY} /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^Storage=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g') SYSD_CORED_SUB_STORAGE_FOUND=$(${FINDBINARY} /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^Storage=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g')
SYSD_CORED_SUB_STORAGE_NR_ENABLED=$(${ECHOCMD} "${SYSD_CORED_SUB_STORAGE_FOUND}" | ${SEDBINARY} 's/none//g' | ${WCBINARY} | ${AWKBINARY} '{print $2}') SYSD_CORED_SUB_STORAGE_NR_ENABLED=$(${ECHOCMD} "${SYSD_CORED_SUB_STORAGE_FOUND}" | ${SEDBINARY} 's/none//g' | ${WCBINARY} | ${AWKBINARY} '{print $2}')
SYSD_CORED_SUB_STORAGE_NR_DISABLED=$(${ECHOCMD} "${SYSD_CORED_SUB_STORAGE_FOUND}" | ${GREPBINARY} -o "none" | ${WCBINARY} | ${AWKBINARY} '{print $2}') SYSD_CORED_SUB_STORAGE_NR_DISABLED=$(${ECHOCMD} "${SYSD_CORED_SUB_STORAGE_FOUND}" | ${GREPBINARY} -o "none" | ${WCBINARY} | ${AWKBINARY} '{print $2}')
if ( [ ${SYSD_CORED_BASE_PROCSIZEMAX_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_BASE_STORAGE_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -eq 0 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -eq 0 ] ) || \ if ( [ ${SYSD_CORED_BASE_PROCSIZEMAX_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_BASE_STORAGE_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -eq 0 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -eq 0 ] ) || \
( [ ${SYSD_CORED_BASE_PROCSIZEMAX_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -eq 0 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -eq 0 ] ) || \ ( [ ${SYSD_CORED_BASE_PROCSIZEMAX_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -eq 0 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -eq 0 ] ) || \
( [ ${SYSD_CORED_BASE_STORAGE_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -eq 0 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -eq 0 ] ) || \ ( [ ${SYSD_CORED_BASE_STORAGE_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -eq 0 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -eq 0 ] ) || \
@ -498,7 +495,6 @@
# use tail -1 in the following commands to get the last entry, which is the one that counts (in case of profile.d/ probably counts) # use tail -1 in the following commands to get the last entry, which is the one that counts (in case of profile.d/ probably counts)
ULIMIT_C_VALUE="$(${GREPBINARY} "ulimit -c " ${ROOTDIR}etc/profile 2> /dev/null | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -v "^#" | ${TAILBINARY} -1 | ${CUTBINARY} -d' ' -f3 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g')" ULIMIT_C_VALUE="$(${GREPBINARY} "ulimit -c " ${ROOTDIR}etc/profile 2> /dev/null | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -v "^#" | ${TAILBINARY} -1 | ${CUTBINARY} -d' ' -f3 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g')"
ULIMIT_C_VALUE_SUB="$(${FINDBINARY} ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} "ulimit -c " | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -v "^#" | ${TAILBINARY} -1 | ${CUTBINARY} -d' ' -f3 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g')" ULIMIT_C_VALUE_SUB="$(${FINDBINARY} ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} "ulimit -c " | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -v "^#" | ${TAILBINARY} -1 | ${CUTBINARY} -d' ' -f3 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g')"
if ( [ -n "${ULIMIT_C_VALUE_SUB}" ] && [ "${ULIMIT_C_VALUE_SUB}" = "0" ] ) || ( [ -n "${ULIMIT_C_VALUE}" ] && [ -z "${ULIMIT_C_VALUE_SUB}" ] && [ "${ULIMIT_C_VALUE}" = "0" ] ); then if ( [ -n "${ULIMIT_C_VALUE_SUB}" ] && [ "${ULIMIT_C_VALUE_SUB}" = "0" ] ) || ( [ -n "${ULIMIT_C_VALUE}" ] && [ -z "${ULIMIT_C_VALUE_SUB}" ] && [ "${ULIMIT_C_VALUE}" = "0" ] ); then
LogText "Result: core dumps are disabled by 'ulimit -c 0' in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh" LogText "Result: core dumps are disabled by 'ulimit -c 0' in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh"
Display --indent 4 --text "- configuration in etc/profile" --result "${STATUS_DISABLED}" --color GREEN Display --indent 4 --text "- configuration in etc/profile" --result "${STATUS_DISABLED}" --color GREEN
@ -522,8 +518,8 @@
LogText "Result: file ${ROOTDIR}etc/security/limits.conf exists" LogText "Result: file ${ROOTDIR}etc/security/limits.conf exists"
LogText "Test: Checking if core dumps are disabled in ${ROOTDIR}etc/security/limits.conf and ${LIMITS_DIRECTORY}/*" LogText "Test: Checking if core dumps are disabled in ${ROOTDIR}etc/security/limits.conf and ${LIMITS_DIRECTORY}/*"
# using find instead of grep -r to stay POSIX compliant. On AIX and HPUX grep -r is not available. # using find instead of grep -r to stay POSIX compliant. On AIX and HPUX grep -r is not available.
FIND1=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${ROOTDIR}etc/security/limits.conf.d" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="0") { print "soft core disabled" } else if ($1=="*" && $2=="soft" && $3=="core" && $4!="0") { print "soft core enabled" } }' | ${TAILBINARY} -1) FIND1=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="0") { print "soft core disabled" } else if ($1=="*" && $2=="soft" && $3=="core" && $4!="0") { print "soft core enabled" } }' | ${TAILBINARY} -1)
FIND2=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${ROOTDIR}etc/security/limits.conf.d" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="0") { print "hard core disabled" } else if ($1=="*" && $2=="hard" && $3=="core" && $4!="0") { print "hard core enabled" } }' | ${TAILBINARY} -1) FIND2=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="0") { print "hard core disabled" } else if ($1=="*" && $2=="hard" && $3=="core" && $4!="0") { print "hard core enabled" } }' | ${TAILBINARY} -1)
IS_SOFTCORE_DISABLED="$(if [ "${FIND1}" = "soft core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND1}" = "soft core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} DEFAULT; fi)" IS_SOFTCORE_DISABLED="$(if [ "${FIND1}" = "soft core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND1}" = "soft core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} DEFAULT; fi)"
IS_HARDCORE_DISABLED="$(if [ "${FIND2}" = "hard core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND2}" = "hard core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} DEFAULT; fi)" IS_HARDCORE_DISABLED="$(if [ "${FIND2}" = "hard core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND2}" = "hard core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} DEFAULT; fi)"


@ -33,6 +33,7 @@
CLAMSCAN_INSTALLED=0 CLAMSCAN_INSTALLED=0
ESET_DAEMON_RUNNING=0 ESET_DAEMON_RUNNING=0
FRESHCLAM_DAEMON_RUNNING=0 FRESHCLAM_DAEMON_RUNNING=0
KASPERSKY_SCANNER_RUNNING=0
MCAFEE_SCANNER_RUNNING=0 MCAFEE_SCANNER_RUNNING=0
MALWARE_SCANNER_INSTALLED=0 MALWARE_SCANNER_INSTALLED=0
SOPHOS_SCANNER_RUNNING=0 SOPHOS_SCANNER_RUNNING=0
@ -155,6 +156,22 @@
Report "malware_scanner[]=cylance-protect" Report "malware_scanner[]=cylance-protect"
fi fi
# Kaspersky products
LogText "Test: checking process wdserver or klnagent (Kaspersky)"
# wdserver is too generic to match on, so we want to ensure that it is related to Kaspersky first
if [ -x /opt/kaspersky/kesl/libexec/kesl_launcher.sh ]; then
if IsRunning "wdserver"; then KASPERSKY_SCANNER_RUNNING=1; fi
else
if IsRunning "klnagent"; then KASPERSKY_SCANNER_RUNNING=1; fi
fi
if [ ${KASPERSKY_SCANNER_RUNNING} -eq 1 ]; then
FOUND=1
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Kaspersky" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: Found Kaspersky"
MALWARE_SCANNER_INSTALLED=1
Report "malware_scanner[]=kaspersky"
fi
# McAfee products # McAfee products
LogText "Test: checking process cma or cmdagent (McAfee)" LogText "Test: checking process cma or cmdagent (McAfee)"
# cma is too generic to match on, so we want to ensure that it is related to McAfee first # cma is too generic to match on, so we want to ensure that it is related to McAfee first
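Review bot: `/opt/kaspersky/kesl/libexec/kesl_launcher.sh` in the new `if [ -x ... ]` test is the only absolute path in this file without the `${ROOTDIR}` prefix that every other path on this page carries (for example `${ROOTDIR}etc/php.ini` in the PHP hunk), so the Kaspersky check breaks when Lynis is run against a mounted or chrooted filesystem; use `${ROOTDIR}opt/kaspersky/kesl/libexec/kesl_launcher.sh`. The if/else also makes the klnagent check depend on the absence of the kesl launcher: a host that has kesl installed but only the network agent running is reported as having no Kaspersky product. Check klnagent unconditionally and add the wdserver check only when the launcher is present, e.g. `if IsRunning "klnagent"; then KASPERSKY_SCANNER_RUNNING=1; fi` followed by the guarded wdserver test. Finally, MCAFEE_SCANNER_RUNNING and the other flags in the first hunk are tested in the same way, so the new block is consistent with them, but the "# McAfee products" comment directly after it would read better with a blank line in between.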


@ -29,25 +29,60 @@
# Possible locations of php.ini # Possible locations of php.ini
PHPINILOCS="${ROOTDIR}etc/php.ini ${ROOTDIR}etc/php.ini.default \ PHPINILOCS="${ROOTDIR}etc/php.ini ${ROOTDIR}etc/php.ini.default \
${ROOTDIR}etc/php/php.ini ${ROOTDIR}etc/php5.5/php.ini ${ROOTDIR}etc/php5.6/php.ini ${ROOTDIR}etc/php7.0/php.ini ${ROOTDIR}etc/php7.1/php.ini ${ROOTDIR}etc/php7.2/php.ini \ ${ROOTDIR}etc/php/php.ini \
${ROOTDIR}etc/php/cgi-php5/php.ini ${ROOTDIR}etc/php/cli-php5/php.ini ${ROOTDIR}etc/php/apache2-php5/php.ini \ ${ROOTDIR}etc/php5.5/php.ini \
${ROOTDIR}etc/php/apache2-php5.5/php.ini ${ROOTDIR}etc/php/apache2-php5.6/php.ini ${ROOTDIR}etc/php/apache2-php7.0/php.ini ${ROOTDIR}etc/php/apache2-php7.1/php.ini \ ${ROOTDIR}etc/php5.6/php.ini \
${ROOTDIR}etc/php/cgi-php7.1/php.ini ${ROOTDIR}etc/php/apache2-php7.1/php.ini ${ROOTDIR}etc/php/cgi-php5.5/php.ini ${ROOTDIR}etc/php/cgi-php5.6/php.ini ${ROOTDIR}etc/php/cgi-php7.0/php.ini \ ${ROOTDIR}etc/php7.0/php.ini \
${ROOTDIR}etc/php/cli-php7.1/php.ini ${ROOTDIR}etc/php/cli-php5.5/php.ini ${ROOTDIR}etc/php/cli-php5.6/php.ini ${ROOTDIR}etc/php/cli-php7.0/php.ini \ ${ROOTDIR}etc/php7.1/php.ini \
${ROOTDIR}etc/php/embed-php7.1/php.ini ${ROOTDIR}etc/php/embed-php5.5/php.ini ${ROOTDIR}etc/php/embed-php5.6/php.ini ${ROOTDIR}etc/php/embed-php7.0/php.ini \ ${ROOTDIR}etc/php7.2/php.ini \
${ROOTDIR}etc/php/fpm-php7.1/php.ini ${ROOTDIR}etc/php/fpm-php5.5/php.ini ${ROOTDIR}etc/php/fpm-php5.6/php.ini ${ROOTDIR}etc/php/fpm-php7.0/php.ini \ ${ROOTDIR}etc/php7.3/php.ini \
${ROOTDIR}etc/php/cgi-php5/php.ini \
${ROOTDIR}etc/php/cli-php5/php.ini \
${ROOTDIR}etc/php/apache2-php5/php.ini \
${ROOTDIR}etc/php/apache2-php5.5/php.ini \
${ROOTDIR}etc/php/apache2-php5.6/php.ini \
${ROOTDIR}etc/php/apache2-php7.0/php.ini \
${ROOTDIR}etc/php/apache2-php7.1/php.ini \
${ROOTDIR}etc/php/apache2-php7.2/php.ini \
${ROOTDIR}etc/php/apache2-php7.3/php.ini \
${ROOTDIR}etc/php/cgi-php5.5/php.ini \
${ROOTDIR}etc/php/cgi-php5.6/php.ini \
${ROOTDIR}etc/php/cgi-php7.0/php.ini \
${ROOTDIR}etc/php/cgi-php7.1/php.ini \
${ROOTDIR}etc/php/cgi-php7.2/php.ini \
${ROOTDIR}etc/php/cgi-php7.3/php.ini \
${ROOTDIR}etc/php/cli-php5.5/php.ini \
${ROOTDIR}etc/php/cli-php5.6/php.ini \
${ROOTDIR}etc/php/cli-php7.0/php.ini \
${ROOTDIR}etc/php/cli-php7.1/php.ini \
${ROOTDIR}etc/php/cli-php7.2/php.ini \
${ROOTDIR}etc/php/cli-php7.3/php.ini \
${ROOTDIR}etc/php/embed-php5.5/php.ini \
${ROOTDIR}etc/php/embed-php5.6/php.ini \
${ROOTDIR}etc/php/embed-php7.0/php.ini \
${ROOTDIR}etc/php/embed-php7.1/php.ini \
${ROOTDIR}etc/php/embed-php7.2/php.ini \
${ROOTDIR}etc/php/embed-php7.3/php.ini \
${ROOTDIR}etc/php/fpm-php7.3/php.ini \
${ROOTDIR}etc/php/fpm-php7.2/php.ini \
${ROOTDIR}etc/php/fpm-php7.1/php.ini \
${ROOTDIR}etc/php/fpm-php7.0/php.ini \
${ROOTDIR}etc/php/fpm-php5.5/php.ini \
${ROOTDIR}etc/php/fpm-php5.6/php.ini \
${ROOTDIR}etc/php5/cgi/php.ini \ ${ROOTDIR}etc/php5/cgi/php.ini \
${ROOTDIR}etc/php5/cli/php.ini \ ${ROOTDIR}etc/php5/cli/php.ini \
${ROOTDIR}etc/php5/cli-php5.4/php.ini ${ROOTDIR}etc/php5/cli-php5.5/php.ini ${ROOTDIR}etc/php5/cli-php5.6/php.ini \ ${ROOTDIR}etc/php5/cli-php5.4/php.ini ${ROOTDIR}etc/php5/cli-php5.5/php.ini ${ROOTDIR}etc/php5/cli-php5.6/php.ini \
${ROOTDIR}etc/php5/apache2/php.ini \ ${ROOTDIR}etc/php5/apache2/php.ini \
${ROOTDIR}etc/php5/fpm/php.ini \ ${ROOTDIR}etc/php5/fpm/php.ini \
${ROOTDIR}private/etc/php.ini \ ${ROOTDIR}private/etc/php.ini \
${ROOTDIR}etc/php/7.2/apache2/php.ini \
${ROOTDIR}etc/php/7.1/apache2/php.ini \
${ROOTDIR}etc/php/7.0/apache2/php.ini \ ${ROOTDIR}etc/php/7.0/apache2/php.ini \
${ROOTDIR}etc/php/7.2/cli/php.ini ${ROOTDIR}etc/php/7.2/fpm/php.ini \ ${ROOTDIR}etc/php/7.1/apache2/php.ini \
${ROOTDIR}etc/php/7.1/cli/php.ini ${ROOTDIR}etc/php/7.1/fpm/php.ini \ ${ROOTDIR}etc/php/7.2/apache2/php.ini \
${ROOTDIR}etc/php/7.3/apache2/php.ini \
${ROOTDIR}etc/php/7.0/cli/php.ini ${ROOTDIR}etc/php/7.0/fpm/php.ini \ ${ROOTDIR}etc/php/7.0/cli/php.ini ${ROOTDIR}etc/php/7.0/fpm/php.ini \
${ROOTDIR}etc/php/7.1/cli/php.ini ${ROOTDIR}etc/php/7.1/fpm/php.ini \
${ROOTDIR}etc/php/7.2/cli/php.ini ${ROOTDIR}etc/php/7.2/fpm/php.ini \
${ROOTDIR}etc/php/7.3/cli/php.ini ${ROOTDIR}etc/php/7.3/fpm/php.ini \
${ROOTDIR}var/www/conf/php.ini \ ${ROOTDIR}var/www/conf/php.ini \
${ROOTDIR}usr/local/etc/php.ini ${ROOTDIR}usr/local/lib/php.ini \ ${ROOTDIR}usr/local/etc/php.ini ${ROOTDIR}usr/local/lib/php.ini \
${ROOTDIR}usr/local/etc/php5/cgi/php.ini \ ${ROOTDIR}usr/local/etc/php5/cgi/php.ini \
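Review bot: the `fpm-php*` entries are listed in descending order (7.3, 7.2, 7.1, 7.0, 5.5, 5.6) while every other family in the rewritten list is ascending, and the three `${ROOTDIR}etc/php5/cli-php5.x/php.ini` paths plus the `${ROOTDIR}etc/php/7.x/cli/php.ini ${ROOTDIR}etc/php/7.x/fpm/php.ini` pairs are still packed several to a line; since the point of this hunk is one path per line, finish the job so future additions (7.4 is the obvious next one) are single-line diffs. The old list contained `${ROOTDIR}etc/php/apache2-php7.1/php.ini` twice; the rewrite drops the duplicate, which is worth a mention in the commit message so nobody reads it as a removed location.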
@ -55,6 +90,8 @@
${ROOTDIR}usr/local/php56/lib/php.ini \ ${ROOTDIR}usr/local/php56/lib/php.ini \
${ROOTDIR}usr/local/php70/lib/php.ini \ ${ROOTDIR}usr/local/php70/lib/php.ini \
${ROOTDIR}usr/local/php71/lib/php.ini \ ${ROOTDIR}usr/local/php71/lib/php.ini \
${ROOTDIR}usr/local/php72/lib/php.ini \
${ROOTDIR}usr/local/php73/lib/php.ini \
${ROOTDIR}usr/local/zend/etc/php.ini \ ${ROOTDIR}usr/local/zend/etc/php.ini \
${ROOTDIR}usr/pkg/etc/php.ini \ ${ROOTDIR}usr/pkg/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.ini \ ${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.ini \
@ -62,6 +99,8 @@
${ROOTDIR}opt/cpanel/ea-php56/root/etc/php.ini \ ${ROOTDIR}opt/cpanel/ea-php56/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.ini \ ${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.ini \ ${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php73/root/etc/php.ini \
${ROOTDIR}opt/alt/php44/etc/php.ini \ ${ROOTDIR}opt/alt/php44/etc/php.ini \
${ROOTDIR}opt/alt/php51/etc/php.ini \ ${ROOTDIR}opt/alt/php51/etc/php.ini \
${ROOTDIR}opt/alt/php52/etc/php.ini \ ${ROOTDIR}opt/alt/php52/etc/php.ini \
@ -71,24 +110,29 @@
${ROOTDIR}opt/alt/php56/etc/php.ini \ ${ROOTDIR}opt/alt/php56/etc/php.ini \
${ROOTDIR}opt/alt/php70/etc/php.ini \ ${ROOTDIR}opt/alt/php70/etc/php.ini \
${ROOTDIR}opt/alt/php71/etc/php.ini \ ${ROOTDIR}opt/alt/php71/etc/php.ini \
${ROOTDIR}opt/alt/php72/etc/php.ini \
${ROOTDIR}opt/alt/php73/etc/php.ini \
${ROOTDIR}etc/opt/remi/php56/php.ini \ ${ROOTDIR}etc/opt/remi/php56/php.ini \
${ROOTDIR}etc/opt/remi/php70/php.ini \ ${ROOTDIR}etc/opt/remi/php70/php.ini \
${ROOTDIR}etc/opt/remi/php71/php.ini \ ${ROOTDIR}etc/opt/remi/php71/php.ini \
${ROOTDIR}etc/opt/remi/php72/php.ini" ${ROOTDIR}etc/opt/remi/php72/php.ini \
${ROOTDIR}etc/opt/remi/php73/php.ini"
# HEADS-UP: OpenBSD, last two releases are supported, and snapshots of -current # HEADS-UP: OpenBSD, last two releases are supported, and snapshots of -current
PHPINILOCS="${PHPINILOCS} \ PHPINILOCS="${PHPINILOCS} \
${ROOTDIR}etc/php-5.6.ini ${ROOTDIR}etc/php-7.0.ini ${ROOTDIR}etc/php-7.1.ini ${ROOTDIR}etc/php-7.2.ini" ${ROOTDIR}etc/php-5.6.ini ${ROOTDIR}etc/php-7.0.ini ${ROOTDIR}etc/php-7.1.ini ${ROOTDIR}etc/php-7.2.ini ${ROOTDIR}etc/php-7.3.ini"
PHPINIDIRS="${ROOTDIR}etc/php5/conf.d \ PHPINIDIRS="${ROOTDIR}etc/php5/conf.d \
${ROOTDIR}etc/php/7.0/cli/conf.d \ ${ROOTDIR}etc/php/7.0/cli/conf.d \
${ROOTDIR}etc/php/7.1/cli/conf.d \ ${ROOTDIR}etc/php/7.1/cli/conf.d \
${ROOTDIR}etc/php/7.2/cli/conf.d \ ${ROOTDIR}etc/php/7.2/cli/conf.d \
${ROOTDIR}etc/php/7.3/cli/conf.d \
${ROOTDIR}etc/php/7.0/fpm/conf.d \ ${ROOTDIR}etc/php/7.0/fpm/conf.d \
${ROOTDIR}etc/php/7.1/fpm/conf.d \ ${ROOTDIR}etc/php/7.1/fpm/conf.d \
${ROOTDIR}etc/php/7.2/fpm/conf.d \ ${ROOTDIR}etc/php/7.2/fpm/conf.d \
${ROOTDIR}etc/php/7.3/fpm/conf.d \
${ROOTDIR}etc/php.d \ ${ROOTDIR}etc/php.d \
${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php55/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php56/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.d \ ${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php55/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php56/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.d \
${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.d \ ${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php73/root/etc/php.d \
${ROOTDIR}opt/alt/php44/etc/php.d.all \ ${ROOTDIR}opt/alt/php44/etc/php.d.all \
${ROOTDIR}opt/alt/php51/etc/php.d.all \ ${ROOTDIR}opt/alt/php51/etc/php.d.all \
${ROOTDIR}opt/alt/php52/etc/php.d.all \ ${ROOTDIR}opt/alt/php52/etc/php.d.all \
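Review bot: `${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php73/root/etc/php.d` is appended as three paths on one line while the surrounding PHPINIDIRS entries (`${ROOTDIR}etc/php/7.3/cli/conf.d`, `${ROOTDIR}etc/php/7.3/fpm/conf.d`) are one per line; split it for consistency with the PHPINILOCS cleanup above. The "# HEADS-UP: OpenBSD, last two releases are supported" comment also now precedes a list of five php-X.Y.ini files (5.6 through 7.3); either prune the list to what OpenBSD actually ships or reword the comment, since as written it tells the next maintainer to delete entries.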
@ -97,10 +141,17 @@
${ROOTDIR}opt/alt/php55/etc/php.d.all \ ${ROOTDIR}opt/alt/php55/etc/php.d.all \
${ROOTDIR}opt/alt/php56/etc/php.d.all \ ${ROOTDIR}opt/alt/php56/etc/php.d.all \
${ROOTDIR}opt/alt/php70/etc/php.d.all \ ${ROOTDIR}opt/alt/php70/etc/php.d.all \
${ROOTDIR}opt/alt/php71/etc/php.d.all" ${ROOTDIR}opt/alt/php71/etc/php.d.all \
${ROOTDIR}opt/alt/php72/etc/php.d.all \
${ROOTDIR}opt/alt/php73/etc/php.d.all \
${ROOTDIR}usr/local/lib/php.conf.d \
${ROOTDIR}usr/local/php70/lib/php.conf.d \
${ROOTDIR}usr/local/php71/lib/php.conf.d \
${ROOTDIR}usr/local/php72/lib/php.conf.d \
${ROOTDIR}usr/local/php73/lib/php.conf.d"
# HEADS-UP: OpenBSD, last two releases are supported, and snapshots of -current # HEADS-UP: OpenBSD, last two releases are supported, and snapshots of -current
PHPINIDIRS="${PHPINIDIRS} \ PHPINIDIRS="${PHPINIDIRS} \
${ROOTDIR}etc/php-5.6 ${ROOTDIR}etc/php-7.0 ${ROOTDIR}etc/php-7.1 ${ROOTDIR}etc/php-7.2" ${ROOTDIR}etc/php-5.6 ${ROOTDIR}etc/php-7.0 ${ROOTDIR}etc/php-7.1 ${ROOTDIR}etc/php-7.2 ${ROOTDIR}etc/php-7.3"
# #
################################################################################# #################################################################################
# #
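Review bot: same point as in the previous hunk for the second OpenBSD block: `${ROOTDIR}etc/php-5.6 ${ROOTDIR}etc/php-7.0 ${ROOTDIR}etc/php-7.1 ${ROOTDIR}etc/php-7.2 ${ROOTDIR}etc/php-7.3` keeps growing under a comment that says only the last two releases are supported. The new `${ROOTDIR}usr/local/lib/php.conf.d` and `${ROOTDIR}usr/local/php7x/lib/php.conf.d` directories are reasonable, but the matching `${ROOTDIR}usr/local/php56/lib/php.conf.d` is absent even though `${ROOTDIR}usr/local/php56/lib/php.ini` is in PHPINILOCS; add it or note why the 5.6 layout has no conf.d.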


@ -1248,7 +1248,8 @@
LogText "Test: Checking how many kernel packages are installed" LogText "Test: Checking how many kernel packages are installed"
if [ -n "${DPKGBINARY}" ]; then if [ -n "${DPKGBINARY}" ]; then
KERNELS=$(${DPKGBINARY} -l 2> /dev/null | ${GREPBINARY} "linux-image-[0-9]" | ${WCBINARY} -l) KERNEL_PKG_NAMES="linux-image-[0-9]|raspberrypi-kernel|pve-kernel-[0-9]"
KERNELS=$(${DPKGBINARY} -l 2> /dev/null | ${EGREPBINARY} "${KERNEL_PKG_NAMES}" | ${WCBINARY} -l)
if [ ${KERNELS} -eq 0 ]; then if [ ${KERNELS} -eq 0 ]; then
LogText "Result: found no kernels from dpkg -l output, which is unexpected" LogText "Result: found no kernels from dpkg -l output, which is unexpected"
ReportException "KRNL-5840:2" "Could not find any kernel packages from DPKG output" ReportException "KRNL-5840:2" "Could not find any kernel packages from DPKG output"
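Review bot: the alternation in `KERNEL_PKG_NAMES="linux-image-[0-9]|raspberrypi-kernel|pve-kernel-[0-9]"` is applied to the full `dpkg -l` output, so `raspberrypi-kernel` also matches `raspberrypi-kernel-headers` and any package whose description mentions the kernel, which inflates KERNELS and can trigger a false "multiple kernels installed" result downstream. Anchor the patterns to the package column and restrict to installed state, e.g. `${EGREPBINARY} "^ii  (linux-image-[0-9]|raspberrypi-kernel |pve-kernel-[0-9])"` (or use `dpkg-query -W -f '${Package} ${Status}\n'`), which also stops counting removed-but-not-purged (`rc`) kernels that the old `linux-image-[0-9]` grep already included. The switch from GREPBINARY to EGREPBINARY is only safe if EGREPBINARY is resolved in the binaries discovery the same way DPKGBINARY is tested on the line above; if it can be empty, the pipeline silently runs `"" "..."` and KERNELS becomes 0, raising the KRNL-5840:2 exception on every such host.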


@ -117,14 +117,17 @@
LogText "Test: Checking CUPS configuration file permissions" LogText "Test: Checking CUPS configuration file permissions"
FIND=$(${LSBINARY} -l ${CUPSD_CONFIG_FILE} | ${CUTBINARY} -c 2-10) FIND=$(${LSBINARY} -l ${CUPSD_CONFIG_FILE} | ${CUTBINARY} -c 2-10)
LogText "Result: found ${FIND}" LogText "Result: found ${FIND}"
if [ "${FIND}" = "r--------" -o "${FIND}" = "rw-------" -o "${FIND}" = "rw-r-----" -o "${FIND}" = "rw-rw----" ]; then case "${FIND}" in
Display --indent 4 --text "- File permissions" --result "${STATUS_OK}" --color GREEN r[w-]-[r-][w-]---- )
AddHP 1 1 Display --indent 4 --text "- File permissions" --result "${STATUS_OK}" --color GREEN
else AddHP 1 1
Display --indent 4 --text "- File permissions" --result "${STATUS_WARNING}" --color RED ;;
ReportSuggestion ${TEST_NO} "Access to CUPS configuration could be more strict." * )
AddHP 1 2 Display --indent 4 --text "- File permissions" --result "${STATUS_WARNING}" --color RED
fi ReportSuggestion ${TEST_NO} "Access to CUPS configuration could be more strict."
AddHP 1 2
;;
esac
fi fi
# #
################################################################################# #################################################################################
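Review bot: the case pattern `r[w-]-[r-][w-]----` accepts eight permission strings, not the four the replaced test listed (`r--------`, `rw-------`, `rw-r-----`, `rw-rw----`); the additions are `r--r-----`, `r---w----`, `rw--w----` and `r--rw----`. All of them are at least as strict as the old set in the world bits, so widening is defensible, but group-write-without-group-read is an odd configuration that the old test would have flagged; state in the commit message that this is intended, or use `r[w-]-[r-]-----|rw-rw----` style explicit alternatives if it is not. Also worth remembering that `cut -c 2-10` drops the trailing `+` that `ls -l` prints when an ACL is present, so a file that is 0640 by mode but world-readable through an ACL still lands in the OK branch; `getfacl` or `stat -c %A` plus an ACL check would close that gap.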


@ -487,6 +487,7 @@
ReportWarning "${TEST_NO}" "Found world writable configuration file" "${FILE}" "" ReportWarning "${TEST_NO}" "Found world writable configuration file" "${FILE}" ""
fi fi
Report "ntp_config_file[]=${FILE}" Report "ntp_config_file[]=${FILE}"
NTP_CONFIG_FOUND=1
fi fi
done done
fi fi
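Review bot: `NTP_CONFIG_FOUND=1` is set inside the per-file loop, but this hunk shows neither its initialization to 0 nor the test that consumes it; confirm that the variable is declared at the top of the tests file next to the other flags (otherwise a later `[ ${NTP_CONFIG_FOUND} -eq 1 ]` fails with a syntax error under `[ -eq 1 ]` when no file was found) and that something actually reads it, since a flag that is only ever set is dead code.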

lynis

@ -43,8 +43,8 @@
PROGRAM_WEBSITE="https://cisofy.com/lynis/" PROGRAM_WEBSITE="https://cisofy.com/lynis/"
# Version details # Version details
PROGRAM_RELEASE_DATE="2019-07-14" PROGRAM_RELEASE_DATE="2019-11-18"
PROGRAM_RELEASE_TIMESTAMP=1563094548 PROGRAM_RELEASE_TIMESTAMP=1574071362
PROGRAM_RELEASE_TYPE="pre-release" # pre-release or release PROGRAM_RELEASE_TYPE="pre-release" # pre-release or release
PROGRAM_VERSION="3.0.0" PROGRAM_VERSION="3.0.0"
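Review bot: PROGRAM_RELEASE_DATE moves to 2019-11-18 (timestamp 1574071362) while the man page in a later hunk of this same commit is dated 4 Dec 2019; the two dates are bumped independently and now disagree, so pick one source of truth for the pre-release date, or regenerate both from the same value when cutting the release.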
@ -248,7 +248,8 @@
# #
################################################################################# #################################################################################
# #
trap CleanUp INT trap CleanUp INT TERM
trap Status USR1
# Use safe umask for the files we create # Use safe umask for the files we create
umask 027 umask 027
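Review bot: `trap CleanUp INT TERM` replaces the default action for SIGTERM, so if CleanUp returns without calling `exit`, a TERM from the service manager or a timeout wrapper no longer stops Lynis; verify CleanUp ends with an explicit exit (with a non-zero status for signals) before adding TERM here. For `trap Status USR1`, the handler can fire in the middle of any test, so Status must not modify shared variables such as FIND or FILE and should only read state and write to the log or stderr; otherwise the result of whatever test was interrupted changes depending on when the signal arrived. Both traps also reference functions by name, so they must be sourced before the first signal can arrive, not merely before this line runs.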
@ -770,7 +771,6 @@ ${NORMAL}
if [ ${UPDATE_AVAILABLE} -eq 0 ]; then if [ ${UPDATE_AVAILABLE} -eq 0 ]; then
ReportSuggestion "LYNIS" "This release is more than 4 months old. Consider upgrading" ReportSuggestion "LYNIS" "This release is more than 4 months old. Consider upgrading"
fi fi
UPDATE_AVAILABLE=1
OLD_RELEASE=1 OLD_RELEASE=1
fi fi
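Review bot: dropping `UPDATE_AVAILABLE=1` changes the meaning of an old release: OLD_RELEASE=1 no longer implies UPDATE_AVAILABLE=1, which is the correct distinction, but any code that reports `update_available` to the report file or decides on the "4 months old" suggestion must now be checked to see that it reads OLD_RELEASE rather than UPDATE_AVAILABLE, otherwise an old build with no newer version known would now be reported as current.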


@ -1,4 +1,4 @@
.TH Lynis 8 "21 Aug 2019" "1.30" "Unix System Administrator's Manual" .TH Lynis 8 "4 Dec 2019" "1.31" "Unix System Administrator's Manual"
.SH "NAME" .SH "NAME"
@ -126,9 +126,9 @@ Tests are only performed if they belong to the defined category. Use the command
.TP .TP
.B \-\-tests\-from\-group "<group>" .B \-\-tests\-from\-group "<group>"
Similar to \-\-tests\-from\-category. Only perform tests from a particular group. Similar to \-\-tests\-from\-category. Only perform tests from a particular group.
Use 'show categories' to determine valid options. Use 'show groups' to determine valid options.
.TP .TP
.B \-\-usecwd .B \-\-use-cwd
Run from the current working directory. Run from the current working directory.
.TP .TP
.B \-\-upload .B \-\-upload
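Review bot: renaming the documented option from `\-\-usecwd` to `\-\-use-cwd` is a man-page-only change in this hunk; confirm the option parser accepts `--use-cwd` and keeps `--usecwd` as an alias, since scripts calling the old spelling would otherwise break without the man page mentioning it. Likewise, `show groups` replaces `show categories` for `\-\-tests\-from\-group`, so the `show` command must actually implement a `groups` subcommand; if it does, the `\-\-tests\-from\-category` entry just above should keep pointing to `show categories` so the two options are documented symmetrically.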