tyler.durden
/
lynis
mirror of https://github.com/CISOfy/lynis.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' into master

This commit is contained in:
Michael Boelen 2019-12-06 15:35:46 +01:00 committed by GitHub
parent d9013b13ac f93be8a44d
commit 24c5a9fcea
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
17 changed files with 218 additions and 78 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
CHANGELOG.md
View File

@ -55,10 +55,12 @@ Using the relevant options, the scan will change base on the intended goal.
- New test: PROC-3802 - check presence of prelink tooling
- New report key: openssh_daemon_running
- New command: lynis generate systemd-units
- Sending USR1 signal to Lynis process will show active status
- Measure timing of tests and report slow tests (10+ seconds)
- Initial support for Clear Linux OS
- Added end-of-life data for Arch Linux and Debian
- Detection and end-of-life data added for Amazon Linux
- Detection of linux-lts on Arch Linux
### Changed
- Function: CheckItem() now returns only exit code (ITEM_FOUND is dropped)
@ -70,6 +72,7 @@ Using the relevant options, the scan will change base on the intended goal.
- AUTH-9266 - skip .pam-old files in /etc/pam.d
- AUTH-9282 - fix: temporary variable was overwritten
- AUTH-9408 - added support for pam_tally2 to log failed logins
- BANN-7126 - additional words for login banner are accepted
- CONT-8106 - support newer 'docker info' output
- CRYP-8002 - gather kernel entropy on Linux systems
- FILE-6374 - changed log and allow root location to be changed
@ -87,6 +90,7 @@ Using the relevant options, the scan will change base on the intended goal.
- KRNL-5820 - extended check to include limits.d directory
- LOGG-2154 - added support for rsyslog configurations
- MAIL-8804 - replaced static strings with translation-aware strings
- MALW-3280 - Kaspersky detection added
- NAME-4402 - check if /etc/hosts exists before performing test
- NAME-4404 - improved screen and log output
- NAME-4408 - corrected Report function call
@ -95,6 +99,7 @@ Using the relevant options, the scan will change base on the intended goal.
- PROC-3612 - show 'Not found' instead of 'OK'
- PROC-3614 - show 'Not found' instead of 'OK'
- SCHD-7702 - removed hardening points
- SINT-7010 - limit test to only macOS systems
- SSH-7402 - detect other SSH daemons like dropbear
- SSH-7406 - strip OpenSSH patch version and remove characters (carriage return)
- SSH-7408 - changed text in suggestion and report
@ -108,6 +113,7 @@ Using the relevant options, the scan will change base on the intended goal.
- Use only locations from PATH environment variable, unless it is not defined
- Show tip to use 'lynis generate hostids' when host IDs are missing
- The 'show changelog' command works again for newer versions
- Improved screen output in several tests
- Several code cleanups, simplification of commands, and code standardization
- Tests using lsof may ignore individual threads (if supported)
- Do not show tool tips when quiet option is used

35
include/functions
View File

@ -98,6 +98,7 @@
# ShowComplianceFinding Display a particular finding regarding compliance or a security standard
# ShowSymlinkPath Show a path behind a symlink
# SkipAtomicTest Test if a subtest needs to be skipped
# Status Show execution status, such as active test being performed
# StoreNginxSettings Save parsed nginx settings to file
# TestValue Evaluate a value in a string or key
# ViewCategories Show available category of tests
@ -1281,6 +1282,9 @@
CHECK_PERMISSION=$(echo "-${CHECK_PERMISSION}" | ${AWKBINARY} '{k=0;for(i=0;i<=8;i++)k+=((substr($1,i+2,1)~/[rwx]/)*2^(8-i));if(k)printf("%0o",k)}')
fi
# Add leading zeros if necessary
CHECK_PERMISSION=$(echo "${CHECK_PERMISSION}" | ${AWKBINARY} '{printf "%03d",$1}')
# First try stat command
LogText "Test: checking if file ${CHECKFILE} is ${CHECK_PERMISSION}"
if [ -n "${STATBINARY}" ]; then
@ -1299,7 +1303,11 @@
*)
# Only use find when OS is NOT AIX and binaries are NOT busybox
if [ ${SHELL_IS_BUSYBOX} -eq 0 ]; then
DATA=$(${FINDBINARY} ${CHECKFILE} -printf "%m")
if [ -d ${CHECKFILE} ]; then
DATA=$(${FINDBINARY} ${CHECKFILE} -maxdepth 0 -printf "%m")
else
DATA=$(${FINDBINARY} ${CHECKFILE} -printf "%m")
fi
fi
;;
esac
@ -1317,13 +1325,16 @@
# Convert permissions to octal when needed
case ${DATA} in
"r"|"w"|"x"|"-")
[-r][-w][-x][-r][-w][-x][-r][-w][-x] )
LogText "Converting value ${DATA} to octal"
DATA=$(echo ${DATA} | ${AWKBINARY} '{k=0;for(i=0;i<=8;i++)k+=((substr($1,i+2,1)~/[rwx]/)*2^(8-i));if(k)printf("%0o",k)}')
if [ "${DATA}" = "0" ]; then DATA="000"; fi
# add a dummy character as first character so it looks like output is a normal file
DATA=$(echo "-${DATA}" | ${AWKBINARY} '{k=0;for(i=0;i<=8;i++)k+=((substr($1,i+2,1)~/[rwx]/)*2^(8-i));if(k)printf("%0o",k)}')
;;
esac
# Add leading zeros if necessary
DATA=$(echo "${DATA}" | ${AWKBINARY} '{printf "%03d",$1}')
if [ -n "${DATA}" ]; then
if [ "${DATA}" = "${CHECK_PERMISSION}" ]; then
LogText "Outcome: correct permissions (${DATA})"
@ -3383,6 +3394,22 @@
}
################################################################################
# Name : Status()
# Description : Reports back the status of tool
#
# Returns : text to screen
# Notes : kill --signal USR1 <PID> or pkill --signal USR1 lynis
################################################################################
Status() {
echo ""
echo "Date / time : $(date "+%Y-%m-%d %H:%M:%S")"
echo "Active test : ${TEST_NO:-NONE}"
echo ""
}
################################################################################
# Name : StoreNginxSettings()
# Description : Store parsed settings from nginx (by ParseNginx)

7
include/osdetection
View File

@ -206,6 +206,13 @@
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_NAME="Ubuntu"
;;
"raspbian")
LINUX_VERSION="Raspbian"
OS_FULLNAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_NAME="Raspbian"
;;
"rhel")
LINUX_VERSION="RHEL"
OS_NAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')

2
include/parameters
View File

@ -387,7 +387,7 @@
UPLOAD_DATA=1
;;
--usecwd)
--usecwd | --use-cwd)
USE_CWD=1
;;

2
include/profiles
View File

@ -46,7 +46,7 @@
fi
# Security check for unexpected and possibly harmful escape characters (hyphen should be listed as first or last character)
DATA=$(grep -v '^$\|^ \|^#\|^config:' ${PROFILE} | tr -d '[:alnum:]/\[\]\(\)_\|,\.:;= \n\r-' | od -An -ta | sed 's/ /!space!/g')
DATA=$(grep -Ev '^$|^ |^#|^config:' "${PROFILE}" | tr -d '[:alnum:]/\[\]\(\)_\|,\.:;= \n\r-' | od -An -ta | sed 's/ /!space!/g')
if ! IsEmpty "${DATA}"; then
DisplayWarning "Your profile '${PROFILE}' contains unexpected characters. See the log file for more information."
LogText "Found unexpected or possibly harmful characters in profile '${PROFILE}'. See which characters matched in the output below and compare them with your profile."

77
include/tests_authentication
View File

@ -478,10 +478,10 @@
done
if [ ${FOUND} -eq 1 ]; then
LogText "Result: sudoers file found (${SUDOERS_FILE})"
Display --indent 2 --text "- sudoers file" --result "${STATUS_FOUND}" --color GREEN
Display --indent 2 --text "- Sudoers file(s)" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: sudoers file NOT found"
Display --indent 2 --text "- sudoers file" --result "${STATUS_NOT_FOUND}" --color YELLOW
Display --indent 2 --text "- Sudoers file" --result "${STATUS_NOT_FOUND}" --color YELLOW
fi
fi
#
@ -499,13 +499,27 @@
FIND=$(${LSBINARY} -ld ${SUDOERS_D} | ${CUTBINARY} -c 2-10)
FIND2=$(${LSBINARY} -nd ${SUDOERS_D} | ${AWKBINARY} '{print $3$4}')
LogText "Result: Found directory permissions: ${FIND} and owner UID GID: ${FIND2}"
if [ "${FIND}" = "rwxrwx---" -o "${FIND}" = "rwxr-x---" -o "${FIND}" = "rwx------" ] && [ "${FIND2}" = "00" ]; then
LogText "Result: directory ${SUDOERS_D} permissions/ownership OK"
Display --indent 4 --text "- Permissions for directory: ${SUDOERS_D}" --result "${STATUS_OK}" --color GREEN
else
LogText "Result: directory has possibly unsafe permissions/ownership"
Display --indent 4 --text "- Permissions for directory: ${SUDOERS_D}" --result "${STATUS_WARNING}" --color RED
fi
case "${FIND}" in
rwx[r-][w-][x-]--- )
LogText "Result: directory ${SUDOERS_D} permissions OK"
if [ "${FIND2}" = "00" ]; then
LogText "Result: directory ${SUDOERS_D} ownership OK"
Display --indent 4 --text "- Permissions for directory: ${SUDOERS_D}" --result "${STATUS_OK}" --color GREEN
else
LogText "Result: directory ${SUDOERS_D} has possibly unsafe ownership"
Display --indent 4 --text "- Permissions for directory: ${SUDOERS_D}" --result "${STATUS_WARNING}" --color RED
fi
;;
* )
LogText "Result: directory ${SUDOERS_D} has possibly unsafe permissions"
if [ "${FIND2}" = "00" ]; then
LogText "Result: directory ${SUDOERS_D} ownership OK"
else
LogText "Result: directory ${SUDOERS_D} has possibly unsafe ownership"
fi
Display --indent 4 --text "- Permissions for directory: ${SUDOERS_D}" --result "${STATUS_WARNING}" --color RED
;;
esac
SUDO_CONFIG_FILES="${SUDO_CONFIG_FILES} $(${FINDBINARY} ${SUDOERS_D} -type f -print)"
fi
for f in ${SUDO_CONFIG_FILES}; do
@ -513,13 +527,27 @@
FIND=$(${LSBINARY} -l ${f} | ${CUTBINARY} -c 2-10)
FIND2=$(${LSBINARY} -n ${f} | ${AWKBINARY} '{print $3$4}')
LogText "Result: Found file permissions: ${FIND} and owner UID GID: ${FIND2}"
if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" = "r--r-----" ] && [ "${FIND2}" = "00" ]; then
LogText "Result: file ${f} permissions/ownership OK"
Display --indent 4 --text "- Permissions for: ${f}" --result "${STATUS_OK}" --color GREEN
else
LogText "Result: file has possibly unsafe permissions/ownership"
Display --indent 4 --text "- Permissions for: ${f}" --result "${STATUS_WARNING}" --color RED
fi
case "${FIND}" in
r[w-]-[r-][w-]---- )
LogText "Result: file ${f} permissions OK"
if [ "${FIND2}" = "00" ]; then
LogText "Result: file ${f} ownership OK"
Display --indent 4 --text "- Permissions for: ${f}" --result "${STATUS_OK}" --color GREEN
else
LogText "Result: file ${f} has possibly unsafe ownership"
Display --indent 4 --text "- Permissions for: ${f}" --result "${STATUS_WARNING}" --color RED
fi
;;
* )
LogText "Result: file ${f} has possibly unsafe permissions"
if [ "${FIND2}" = "00" ]; then
LogText "Result: file ${f} ownership OK"
else
LogText "Result: file ${f} has possibly unsafe ownership"
fi
Display --indent 4 --text "- Permissions for: ${f}" --result "${STATUS_WARNING}" --color RED
;;
esac
done
fi
#
@ -1469,13 +1497,16 @@
LogText "Test: checking /etc/doas.conf permissions"
FIND=$(ls -l ${DOAS_FILE} | ${CUTBINARY} -c 2-10)
LogText "Result: Found /etc/doas.conf file permissions: ${FIND}"
if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" = "r--r-----" ]; then
LogText "Result: file /etc/doas.conf has correct permissions"
Display --indent 4 --text "- Check doas file permissions" --result "${STATUS_OK}" --color GREEN
else
LogText "Result: file has possibly unsafe file permissions"
Display --indent 4 --text "- Check doas file permissions" --result "${STATUS_WARNING}" --color RED
fi
case "${FIND}" in
r[w-]-[r-][w-]---- )
LogText "Result: file /etc/doas.conf has correct permissions"
Display --indent 4 --text "- Check doas file permissions" --result "${STATUS_OK}" --color GREEN
;;
* )
LogText "Result: file has possibly unsafe file permissions"
Display --indent 4 --text "- Check doas file permissions" --result "${STATUS_WARNING}" --color RED
;;
esac
fi
#
#################################################################################

2
include/tests_banners
View File

@ -27,7 +27,7 @@
#################################################################################
#
BANNER_FILES="${ROOTDIR}etc/issue ${ROOTDIR}etc/issue.net ${ROOTDIR}etc/motd"
LEGAL_BANNER_STRINGS="audit access authori connect enforce evidence forbidden intrusion law legal monitor owner policy policies privacy private prohibited record restricted secure subject system terms unauthorized"
LEGAL_BANNER_STRINGS="audit access authori condition connect consent continu criminal enforce evidence forbidden intrusion law legal legislat log monitor owner penal policy policies privacy private prohibited record restricted secure subject system terms warning"
#
#################################################################################
#

6
include/tests_crypto
View File

@ -138,9 +138,9 @@
FOUND=0
# cryptsetup only works as root
if [ -n "${LSBLKBINARY}" -a -n "${CRYPTSETUPBINARY}" -a ${FORENSICS_MODE} -eq 0 ]; then
for BLOCK_DEV in $(${LSBLKBINARY} --noheadings --list --paths -o NAME); do
if ${CRYPTSETUPBINARY} isLuks ${BLOCK_DEV} 2> /dev/null; then
if [ -n "${LSBLKBINARY}" ] && [ -n "${CRYPTSETUPBINARY}" ] && [ ${FORENSICS_MODE} -eq 0 ]; then
for BLOCK_DEV in $(${LSBLKBINARY} --noheadings --list -o NAME 2> /dev/null | cut -d' ' -f1); do
if ${CRYPTSETUPBINARY} isLuks $(${FINDBINARY} /dev/ -name "${BLOCK_DEV}" 2> /dev/null) 2> /dev/null; then
LogText "Result: Found LUKS encrypted block device: ${BLOCK_DEV}"
Report "encryption[]=luks,block_device,${BLOCK_DEV}"
FOUND=$((FOUND +1))

14
include/tests_homedirs
View File

@ -58,9 +58,9 @@
# Check if users' home directories permissions are 750 or more restrictive
FOUND=0
USERDATA=$(${EGREPBINARY} -v '^(daemon|git|halt|root|shutdown|sync)' ${ROOTDIR}etc/passwd | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }')
while read -r LINE; do
while read -r LINE; do
USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1)
DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6)
DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f2)
if [ -d "${DIR}" ]; then
WRITE_GROUP_PERM=$(${LSBINARY} -ld ${DIR} | ${CUTBINARY} -f1 -d" " | ${CUTBINARY} -c6)
OTHER_PERMS=$(${LSBINARY} -ld ${DIR} | ${CUTBINARY} -f1 -d" " | ${CUTBINARY} -c8-10)
@ -72,7 +72,7 @@
fi
fi
done << EOF
$USERDATA
${USERDATA}
EOF
if [ ${FOUND} -eq 1 ]; then
@ -92,10 +92,10 @@ EOF
if [ ${SKIPTEST} -eq 0 ]; then
# Check if users own their home directories
FOUND=0
USERDATA=$(${EGREPBINARY} -v '^(daemon|git|halt|root|shutdown|sync)' ${ROOTDIR}etc/passwd | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }')
while read -r LINE; do
USERDATA=$(${EGREPBINARY} -v '^(daemon|git|halt|root|shutdown|sync)' ${ROOTDIR}etc/passwd | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }')
while read -r LINE; do
USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1)
DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6)
DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f2)
if [ -d ${DIR} ]; then
OWNER=$(ls -ld ${DIR} | awk -F" " '{ print $3 }')
if [ ! "${OWNER}" = "${USER}" ]; then
@ -106,7 +106,7 @@ EOF
fi
fi
done << EOF
$USERDATA
${USERDATA}
EOF
if [ ${FOUND} -eq 1 ]; then

8
include/tests_kernel
View File

@ -445,7 +445,6 @@
# check likely main config file for systemd: ${ROOTDIR}etc/systemd/coredump.conf for ProcessSizeMax=0 and Storage=none
SYSD_CORED_BASE_PROCSIZEMAX_NR_DISABLED=$(${GREPBINARY} -v "^ *#" ${ROOTDIR}etc/systemd/coredump.conf 2> /dev/null | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} "^0 *$" | ${WCBINARY} -l)
SYSD_CORED_BASE_PROCSIZEMAX_NR_ENABLED=$(${GREPBINARY} -v "^ *#" ${ROOTDIR}etc/systemd/coredump.conf 2> /dev/null | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} -v "^0 *$" | ${WCBINARY} -l)
SYSD_CORED_BASE_STORAGE_FOUND=$(${GREPBINARY} -v "^ *#" ${ROOTDIR}etc/systemd/coredump.conf 2> /dev/null | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -i "^Storage=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g')
SYSD_CORED_BASE_STORAGE_NR_ENABLED=$(${ECHOCMD} "${SYSD_CORED_BASE_STORAGE_FOUND}" | ${SEDBINARY} 's/none//g' | ${WCBINARY} | ${AWKBINARY} '{print $2}')
SYSD_CORED_BASE_STORAGE_NR_DISABLED=$(${ECHOCMD} "${SYSD_CORED_BASE_STORAGE_FOUND}" | ${GREPBINARY} -o "none" | ${WCBINARY} | ${AWKBINARY} '{print $2}')
@ -454,11 +453,9 @@
# while there could be multiple files overwriting each other, we are checking the number of occurrences
SYSD_CORED_SUB_PROCSIZEMAX_NR_DISABLED=$(${FINDBINARY} /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} "^0 *$" | ${WCBINARY} -l)
SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED=$(${FINDBINARY} /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} -v "^0 *$" | ${WCBINARY} -l)
SYSD_CORED_SUB_STORAGE_FOUND=$(${FINDBINARY} /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^Storage=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g')
SYSD_CORED_SUB_STORAGE_NR_ENABLED=$(${ECHOCMD} "${SYSD_CORED_SUB_STORAGE_FOUND}" | ${SEDBINARY} 's/none//g' | ${WCBINARY} | ${AWKBINARY} '{print $2}')
SYSD_CORED_SUB_STORAGE_NR_DISABLED=$(${ECHOCMD} "${SYSD_CORED_SUB_STORAGE_FOUND}" | ${GREPBINARY} -o "none" | ${WCBINARY} | ${AWKBINARY} '{print $2}')
if ( [ ${SYSD_CORED_BASE_PROCSIZEMAX_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_BASE_STORAGE_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -eq 0 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -eq 0 ] ) || \
( [ ${SYSD_CORED_BASE_PROCSIZEMAX_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -eq 0 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -eq 0 ] ) || \
( [ ${SYSD_CORED_BASE_STORAGE_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -eq 0 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -eq 0 ] ) || \
@ -498,7 +495,6 @@
# use tail -1 in the following commands to get the last entry, which is the one that counts (in case of profile.d/ probably counts)
ULIMIT_C_VALUE="$(${GREPBINARY} "ulimit -c " ${ROOTDIR}etc/profile 2> /dev/null | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -v "^#" | ${TAILBINARY} -1 | ${CUTBINARY} -d' ' -f3 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g')"
ULIMIT_C_VALUE_SUB="$(${FINDBINARY} ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} "ulimit -c " | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -v "^#" | ${TAILBINARY} -1 | ${CUTBINARY} -d' ' -f3 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g')"
if ( [ -n "${ULIMIT_C_VALUE_SUB}" ] && [ "${ULIMIT_C_VALUE_SUB}" = "0" ] ) || ( [ -n "${ULIMIT_C_VALUE}" ] && [ -z "${ULIMIT_C_VALUE_SUB}" ] && [ "${ULIMIT_C_VALUE}" = "0" ] ); then
LogText "Result: core dumps are disabled by 'ulimit -c 0' in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh"
Display --indent 4 --text "- configuration in etc/profile" --result "${STATUS_DISABLED}" --color GREEN
@ -522,8 +518,8 @@
LogText "Result: file ${ROOTDIR}etc/security/limits.conf exists"
LogText "Test: Checking if core dumps are disabled in ${ROOTDIR}etc/security/limits.conf and ${LIMITS_DIRECTORY}/*"
# using find instead of grep -r to stay POSIX compliant. On AIX and HPUX grep -r is not available.
FIND1=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${ROOTDIR}etc/security/limits.conf.d" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="0") { print "soft core disabled" } else if ($1=="*" && $2=="soft" && $3=="core" && $4!="0") { print "soft core enabled" } }' | ${TAILBINARY} -1)
FIND2=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${ROOTDIR}etc/security/limits.conf.d" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="0") { print "hard core disabled" } else if ($1=="*" && $2=="hard" && $3=="core" && $4!="0") { print "hard core enabled" } }' | ${TAILBINARY} -1)
FIND1=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="0") { print "soft core disabled" } else if ($1=="*" && $2=="soft" && $3=="core" && $4!="0") { print "soft core enabled" } }' | ${TAILBINARY} -1)
FIND2=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="0") { print "hard core disabled" } else if ($1=="*" && $2=="hard" && $3=="core" && $4!="0") { print "hard core enabled" } }' | ${TAILBINARY} -1)
IS_SOFTCORE_DISABLED="$(if [ "${FIND1}" = "soft core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND1}" = "soft core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} DEFAULT; fi)"
IS_HARDCORE_DISABLED="$(if [ "${FIND2}" = "hard core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND2}" = "hard core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} DEFAULT; fi)"

17
include/tests_malware
View File

@ -33,6 +33,7 @@
CLAMSCAN_INSTALLED=0
ESET_DAEMON_RUNNING=0
FRESHCLAM_DAEMON_RUNNING=0
KASPERSKY_SCANNER_RUNNING=0
MCAFEE_SCANNER_RUNNING=0
MALWARE_SCANNER_INSTALLED=0
SOPHOS_SCANNER_RUNNING=0
@ -155,6 +156,22 @@
Report "malware_scanner[]=cylance-protect"
fi
# Kaspersky products
LogText "Test: checking process wdserver or klnagent (Kaspersky)"
# wdserver is too generic to match on, so we want to ensure that it is related to Kaspersky first
if [ -x /opt/kaspersky/kesl/libexec/kesl_launcher.sh ]; then
if IsRunning "wdserver"; then KASPERSKY_SCANNER_RUNNING=1; fi
else
if IsRunning "klnagent"; then KASPERSKY_SCANNER_RUNNING=1; fi
fi
if [ ${KASPERSKY_SCANNER_RUNNING} -eq 1 ]; then
FOUND=1
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Kaspersky" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: Found Kaspersky"
MALWARE_SCANNER_INSTALLED=1
Report "malware_scanner[]=kaspersky"
fi
# McAfee products
LogText "Test: checking process cma or cmdagent (McAfee)"
# cma is too generic to match on, so we want to ensure that it is related to McAfee first

83
include/tests_php
View File

@ -29,25 +29,60 @@
# Possible locations of php.ini
PHPINILOCS="${ROOTDIR}etc/php.ini ${ROOTDIR}etc/php.ini.default \
${ROOTDIR}etc/php/php.ini ${ROOTDIR}etc/php5.5/php.ini ${ROOTDIR}etc/php5.6/php.ini ${ROOTDIR}etc/php7.0/php.ini ${ROOTDIR}etc/php7.1/php.ini ${ROOTDIR}etc/php7.2/php.ini \
${ROOTDIR}etc/php/cgi-php5/php.ini ${ROOTDIR}etc/php/cli-php5/php.ini ${ROOTDIR}etc/php/apache2-php5/php.ini \
${ROOTDIR}etc/php/apache2-php5.5/php.ini ${ROOTDIR}etc/php/apache2-php5.6/php.ini ${ROOTDIR}etc/php/apache2-php7.0/php.ini ${ROOTDIR}etc/php/apache2-php7.1/php.ini \
${ROOTDIR}etc/php/cgi-php7.1/php.ini ${ROOTDIR}etc/php/apache2-php7.1/php.ini ${ROOTDIR}etc/php/cgi-php5.5/php.ini ${ROOTDIR}etc/php/cgi-php5.6/php.ini ${ROOTDIR}etc/php/cgi-php7.0/php.ini \
${ROOTDIR}etc/php/cli-php7.1/php.ini ${ROOTDIR}etc/php/cli-php5.5/php.ini ${ROOTDIR}etc/php/cli-php5.6/php.ini ${ROOTDIR}etc/php/cli-php7.0/php.ini \
${ROOTDIR}etc/php/embed-php7.1/php.ini ${ROOTDIR}etc/php/embed-php5.5/php.ini ${ROOTDIR}etc/php/embed-php5.6/php.ini ${ROOTDIR}etc/php/embed-php7.0/php.ini \
${ROOTDIR}etc/php/fpm-php7.1/php.ini ${ROOTDIR}etc/php/fpm-php5.5/php.ini ${ROOTDIR}etc/php/fpm-php5.6/php.ini ${ROOTDIR}etc/php/fpm-php7.0/php.ini \
${ROOTDIR}etc/php/php.ini \
${ROOTDIR}etc/php5.5/php.ini \
${ROOTDIR}etc/php5.6/php.ini \
${ROOTDIR}etc/php7.0/php.ini \
${ROOTDIR}etc/php7.1/php.ini \
${ROOTDIR}etc/php7.2/php.ini \
${ROOTDIR}etc/php7.3/php.ini \
${ROOTDIR}etc/php/cgi-php5/php.ini \
${ROOTDIR}etc/php/cli-php5/php.ini \
${ROOTDIR}etc/php/apache2-php5/php.ini \
${ROOTDIR}etc/php/apache2-php5.5/php.ini \
${ROOTDIR}etc/php/apache2-php5.6/php.ini \
${ROOTDIR}etc/php/apache2-php7.0/php.ini \
${ROOTDIR}etc/php/apache2-php7.1/php.ini \
${ROOTDIR}etc/php/apache2-php7.2/php.ini \
${ROOTDIR}etc/php/apache2-php7.3/php.ini \
${ROOTDIR}etc/php/cgi-php5.5/php.ini \
${ROOTDIR}etc/php/cgi-php5.6/php.ini \
${ROOTDIR}etc/php/cgi-php7.0/php.ini \
${ROOTDIR}etc/php/cgi-php7.1/php.ini \
${ROOTDIR}etc/php/cgi-php7.2/php.ini \
${ROOTDIR}etc/php/cgi-php7.3/php.ini \
${ROOTDIR}etc/php/cli-php5.5/php.ini \
${ROOTDIR}etc/php/cli-php5.6/php.ini \
${ROOTDIR}etc/php/cli-php7.0/php.ini \
${ROOTDIR}etc/php/cli-php7.1/php.ini \
${ROOTDIR}etc/php/cli-php7.2/php.ini \
${ROOTDIR}etc/php/cli-php7.3/php.ini \
${ROOTDIR}etc/php/embed-php5.5/php.ini \
${ROOTDIR}etc/php/embed-php5.6/php.ini \
${ROOTDIR}etc/php/embed-php7.0/php.ini \
${ROOTDIR}etc/php/embed-php7.1/php.ini \
${ROOTDIR}etc/php/embed-php7.2/php.ini \
${ROOTDIR}etc/php/embed-php7.3/php.ini \
${ROOTDIR}etc/php/fpm-php7.3/php.ini \
${ROOTDIR}etc/php/fpm-php7.2/php.ini \
${ROOTDIR}etc/php/fpm-php7.1/php.ini \
${ROOTDIR}etc/php/fpm-php7.0/php.ini \
${ROOTDIR}etc/php/fpm-php5.5/php.ini \
${ROOTDIR}etc/php/fpm-php5.6/php.ini \
${ROOTDIR}etc/php5/cgi/php.ini \
${ROOTDIR}etc/php5/cli/php.ini \
${ROOTDIR}etc/php5/cli-php5.4/php.ini ${ROOTDIR}etc/php5/cli-php5.5/php.ini ${ROOTDIR}etc/php5/cli-php5.6/php.ini \
${ROOTDIR}etc/php5/apache2/php.ini \
${ROOTDIR}etc/php5/fpm/php.ini \
${ROOTDIR}private/etc/php.ini \
${ROOTDIR}etc/php/7.2/apache2/php.ini \
${ROOTDIR}etc/php/7.1/apache2/php.ini \
${ROOTDIR}etc/php/7.0/apache2/php.ini \
${ROOTDIR}etc/php/7.2/cli/php.ini ${ROOTDIR}etc/php/7.2/fpm/php.ini \
${ROOTDIR}etc/php/7.1/cli/php.ini ${ROOTDIR}etc/php/7.1/fpm/php.ini \
${ROOTDIR}etc/php/7.1/apache2/php.ini \
${ROOTDIR}etc/php/7.2/apache2/php.ini \
${ROOTDIR}etc/php/7.3/apache2/php.ini \
${ROOTDIR}etc/php/7.0/cli/php.ini ${ROOTDIR}etc/php/7.0/fpm/php.ini \
${ROOTDIR}etc/php/7.1/cli/php.ini ${ROOTDIR}etc/php/7.1/fpm/php.ini \
${ROOTDIR}etc/php/7.2/cli/php.ini ${ROOTDIR}etc/php/7.2/fpm/php.ini \
${ROOTDIR}etc/php/7.3/cli/php.ini ${ROOTDIR}etc/php/7.3/fpm/php.ini \
${ROOTDIR}var/www/conf/php.ini \
${ROOTDIR}usr/local/etc/php.ini ${ROOTDIR}usr/local/lib/php.ini \
${ROOTDIR}usr/local/etc/php5/cgi/php.ini \
@ -55,6 +90,8 @@
${ROOTDIR}usr/local/php56/lib/php.ini \
${ROOTDIR}usr/local/php70/lib/php.ini \
${ROOTDIR}usr/local/php71/lib/php.ini \
${ROOTDIR}usr/local/php72/lib/php.ini \
${ROOTDIR}usr/local/php73/lib/php.ini \
${ROOTDIR}usr/local/zend/etc/php.ini \
${ROOTDIR}usr/pkg/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.ini \
@ -62,6 +99,8 @@
${ROOTDIR}opt/cpanel/ea-php56/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php73/root/etc/php.ini \
${ROOTDIR}opt/alt/php44/etc/php.ini \
${ROOTDIR}opt/alt/php51/etc/php.ini \
${ROOTDIR}opt/alt/php52/etc/php.ini \
@ -71,24 +110,29 @@
${ROOTDIR}opt/alt/php56/etc/php.ini \
${ROOTDIR}opt/alt/php70/etc/php.ini \
${ROOTDIR}opt/alt/php71/etc/php.ini \
${ROOTDIR}opt/alt/php72/etc/php.ini \
${ROOTDIR}opt/alt/php73/etc/php.ini \
${ROOTDIR}etc/opt/remi/php56/php.ini \
${ROOTDIR}etc/opt/remi/php70/php.ini \
${ROOTDIR}etc/opt/remi/php71/php.ini \
${ROOTDIR}etc/opt/remi/php72/php.ini"
${ROOTDIR}etc/opt/remi/php72/php.ini \
${ROOTDIR}etc/opt/remi/php73/php.ini"
# HEADS-UP: OpenBSD, last two releases are supported, and snapshots of -current
PHPINILOCS="${PHPINILOCS} \
${ROOTDIR}etc/php-5.6.ini ${ROOTDIR}etc/php-7.0.ini ${ROOTDIR}etc/php-7.1.ini ${ROOTDIR}etc/php-7.2.ini"
${ROOTDIR}etc/php-5.6.ini ${ROOTDIR}etc/php-7.0.ini ${ROOTDIR}etc/php-7.1.ini ${ROOTDIR}etc/php-7.2.ini ${ROOTDIR}etc/php-7.3.ini"
PHPINIDIRS="${ROOTDIR}etc/php5/conf.d \
${ROOTDIR}etc/php/7.0/cli/conf.d \
${ROOTDIR}etc/php/7.1/cli/conf.d \
${ROOTDIR}etc/php/7.2/cli/conf.d \
${ROOTDIR}etc/php/7.3/cli/conf.d \
${ROOTDIR}etc/php/7.0/fpm/conf.d \
${ROOTDIR}etc/php/7.1/fpm/conf.d \
${ROOTDIR}etc/php/7.2/fpm/conf.d \
${ROOTDIR}etc/php/7.3/fpm/conf.d \
${ROOTDIR}etc/php.d \
${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php55/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php56/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.d \
${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.d \
${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php73/root/etc/php.d \
${ROOTDIR}opt/alt/php44/etc/php.d.all \
${ROOTDIR}opt/alt/php51/etc/php.d.all \
${ROOTDIR}opt/alt/php52/etc/php.d.all \
@ -97,10 +141,17 @@
${ROOTDIR}opt/alt/php55/etc/php.d.all \
${ROOTDIR}opt/alt/php56/etc/php.d.all \
${ROOTDIR}opt/alt/php70/etc/php.d.all \
${ROOTDIR}opt/alt/php71/etc/php.d.all"
${ROOTDIR}opt/alt/php71/etc/php.d.all \
${ROOTDIR}opt/alt/php72/etc/php.d.all \
${ROOTDIR}opt/alt/php73/etc/php.d.all \
${ROOTDIR}usr/local/lib/php.conf.d \
${ROOTDIR}usr/local/php70/lib/php.conf.d \
${ROOTDIR}usr/local/php71/lib/php.conf.d \
${ROOTDIR}usr/local/php72/lib/php.conf.d \
${ROOTDIR}usr/local/php73/lib/php.conf.d"
# HEADS-UP: OpenBSD, last two releases are supported, and snapshots of -current
PHPINIDIRS="${PHPINIDIRS} \
${ROOTDIR}etc/php-5.6 ${ROOTDIR}etc/php-7.0 ${ROOTDIR}etc/php-7.1 ${ROOTDIR}etc/php-7.2"
${ROOTDIR}etc/php-5.6 ${ROOTDIR}etc/php-7.0 ${ROOTDIR}etc/php-7.1 ${ROOTDIR}etc/php-7.2 ${ROOTDIR}etc/php-7.3"
#
#################################################################################
#

3
include/tests_ports_packages
View File

@ -1248,7 +1248,8 @@
LogText "Test: Checking how many kernel packages are installed"
if [ -n "${DPKGBINARY}" ]; then
KERNELS=$(${DPKGBINARY} -l 2> /dev/null | ${GREPBINARY} "linux-image-[0-9]" | ${WCBINARY} -l)
KERNEL_PKG_NAMES="linux-image-[0-9]|raspberrypi-kernel|pve-kernel-[0-9]"
KERNELS=$(${DPKGBINARY} -l 2> /dev/null | ${EGREPBINARY} "${KERNEL_PKG_NAMES}" | ${WCBINARY} -l)
if [ ${KERNELS} -eq 0 ]; then
LogText "Result: found no kernels from dpkg -l output, which is unexpected"
ReportException "KRNL-5840:2" "Could not find any kernel packages from DPKG output"

19
include/tests_printers_spools
View File

@ -117,14 +117,17 @@
LogText "Test: Checking CUPS configuration file permissions"
FIND=$(${LSBINARY} -l ${CUPSD_CONFIG_FILE} | ${CUTBINARY} -c 2-10)
LogText "Result: found ${FIND}"
if [ "${FIND}" = "r--------" -o "${FIND}" = "rw-------" -o "${FIND}" = "rw-r-----" -o "${FIND}" = "rw-rw----" ]; then
Display --indent 4 --text "- File permissions" --result "${STATUS_OK}" --color GREEN
AddHP 1 1
else
Display --indent 4 --text "- File permissions" --result "${STATUS_WARNING}" --color RED
ReportSuggestion ${TEST_NO} "Access to CUPS configuration could be more strict."
AddHP 1 2
fi
case "${FIND}" in
r[w-]-[r-][w-]---- )
Display --indent 4 --text "- File permissions" --result "${STATUS_OK}" --color GREEN
AddHP 1 1
;;
* )
Display --indent 4 --text "- File permissions" --result "${STATUS_WARNING}" --color RED
ReportSuggestion ${TEST_NO} "Access to CUPS configuration could be more strict."
AddHP 1 2
;;
esac
fi
#
#################################################################################

1
include/tests_time
View File

@ -487,6 +487,7 @@
ReportWarning "${TEST_NO}" "Found world writable configuration file" "${FILE}" ""
fi
Report "ntp_config_file[]=${FILE}"
NTP_CONFIG_FOUND=1
fi
done
fi

8
lynis
View File

@ -43,8 +43,8 @@
PROGRAM_WEBSITE="https://cisofy.com/lynis/"
# Version details
PROGRAM_RELEASE_DATE="2019-07-14"
PROGRAM_RELEASE_TIMESTAMP=1563094548
PROGRAM_RELEASE_DATE="2019-11-18"
PROGRAM_RELEASE_TIMESTAMP=1574071362
PROGRAM_RELEASE_TYPE="pre-release" # pre-release or release
PROGRAM_VERSION="3.0.0"
@ -248,7 +248,8 @@
#
#################################################################################
#
trap CleanUp INT
trap CleanUp INT TERM
trap Status USR1
# Use safe umask for the files we create
umask 027
@ -770,7 +771,6 @@ ${NORMAL}
if [ ${UPDATE_AVAILABLE} -eq 0 ]; then
ReportSuggestion "LYNIS" "This release is more than 4 months old. Consider upgrading"
fi
UPDATE_AVAILABLE=1
OLD_RELEASE=1
fi

6
lynis.8
View File

@ -1,4 +1,4 @@
.TH Lynis 8 "21 Aug 2019" "1.30" "Unix System Administrator's Manual"
.TH Lynis 8 "4 Dec 2019" "1.31" "Unix System Administrator's Manual"
.SH "NAME"
@ -126,9 +126,9 @@ Tests are only performed if they belong to the defined category. Use the command
.TP
.B \-\-tests\-from\-group "<group>"
Similar to \-\-tests\-from\-category. Only perform tests from a particular group.
Use 'show categories' to determine valid options.
Use 'show groups' to determine valid options.
.TP
.B \-\-usecwd
.B \-\-use-cwd
Run from the current working directory.
.TP
.B \-\-upload