From 5b09da0d9878096d45f04b858c4f65e674369ab4 Mon Sep 17 00:00:00 2001 From: Katka Durechova Date: Sat, 27 Oct 2018 20:19:08 +0200 Subject: [PATCH 001/355] Store log and data file in home directory for non-privileged usage --- lynis | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/lynis b/lynis index f2926cce..5956290b 100755 --- a/lynis +++ b/lynis 
@@ -236,21 +236,21 @@ Make sure to execute ${PROGRAM_NAME} from untarred directory or check your insta
 # Disable logging if no alternative was provided
 if [ ${PRIVILEGED} -eq 0 ]; then
 if [ -z "${LOGFILE}" ]; then
- # Try creating a log file in temporary directory
- if [ ! -f /tmp/lynis.log ]; then
- if [ -L /tmp/lynis.log ]; then echo "Log file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi
- touch /tmp/lynis.log
- if [ $? -eq 0 ]; then LOGFILE="/tmp/lynis.log"; else LOGFILE="/dev/null"; fi
+ # Try creating a log file in home directory
+ if [ ! -f "$HOME/lynis.log" ]; then
+ if [ -L "$HOME/lynis.log" ]; then echo "Log file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi
+ touch "$HOME/lynis.log"
+ if [ $? -eq 0 ]; then LOGFILE="$HOME/lynis.log"; else LOGFILE="/dev/null"; fi
 else
- LOGFILE="/tmp/lynis.log"
+ LOGFILE="$HOME/lynis.log"
 fi
 else
 if [ -L "${LOGFILE}" ]; then echo "Log file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi
 fi
 if [ -z "${REPORTFILE}" ]; then
- touch /tmp/lynis-report.dat
- if [ -L /tmp/lynis-report.dat ]; then echo "Report file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi
- if [ $? -eq 0 ]; then REPORTFILE="/tmp/lynis-report.dat"; else REPORTFILE="/dev/null"; fi
+ touch "$HOME/lynis-report.dat"
+ if [ -L "$HOME/lynis-report.dat" ]; then echo "Report file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi
+ if [ $? -eq 0 ]; then REPORTFILE="$HOME/lynis-report.dat"; else REPORTFILE="/dev/null"; fi
 else
 if [ -L "${REPORTFILE}" ]; then echo "Report file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi
 fi
From 40acdc111d34b7ed040f4cb652f65ca7ed22afd6 Mon Sep 17 00:00:00 2001
From: pyllyukko
Date: Mon, 6 Jan 2020 21:22:00 +0200
Subject: [PATCH 002/355] Added CRYP-8004
---
 include/tests_crypto | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
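Review bot: In the report-file branch the `if [ $? -eq 0 ]` line tests the status of the preceding `[ -L ... ]` compound (which is 0 when no branch is taken), not of `touch "$HOME/lynis-report.dat"`, so a failed `touch` never falls back to `/dev/null`; the symlink check also runs only after `touch` has already followed any pre-existing link, which is the very risk the message describes. Reordering fixes both: `if [ -L "$HOME/lynis-report.dat" ]; then echo "Report file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi` followed by `if touch "$HOME/lynis-report.dat"; then REPORTFILE="$HOME/lynis-report.dat"; else REPORTFILE="/dev/null"; fi`. The log-file branch has a related gap: `-f` follows symlinks, so a link that points at an existing file takes the `else` arm and is used without the `-L` check. Both branches also assume `$HOME` is set; with it empty the files land in `/`, so a guard such as `: "${HOME:?HOME must be set}"` (or an explicit fallback directory) before this block would be safer.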
diff --git a/include/tests_crypto b/include/tests_crypto index 44f19cdc..9c40ff47 100644 --- a/include/tests_crypto +++ b/include/tests_crypto @@ -194,6 +194,33 @@ fi # ################################################################################# +# + # Test : CRYP-8004 + # Description : Test for HWRNG & rngd + Register --test-no CRYP-8004 --os Linux --weight L --network NO --root-only NO --category security --description "Test for HWRNG & rngd" + if [ ${SKIPTEST} -eq 0 ]; then + if [ -f ${ROOTDIR}sys/class/misc/hw_random/rng_current ]; then + DATA=$(${CAT_BINARY} ${ROOTDIR}sys/class/misc/hw_random/rng_current) + if [ "${DATA}" != "none" ]; then + LogText "Result: found HW RNG: ${DATA}" + if IsRunning "rngd"; then + Display --indent 2 --text "- HW RNG & rngd" --result "${STATUS_YES}" --color GREEN + LogText "Result: rngd is running" + else + Display --indent 2 --text "- HW RNG & rngd" --result "${STATUS_NO}" --color YELLOW + ReportSuggestion "${TEST_NO}" "Utilize HW RNG by running rngd" + fi + else + Display --indent 2 --text "- HW RNG & rngd" --result "${STATUS_NO}" --color RED + LogText "Result: no HW RNG available" + fi + else + Display --indent 2 --text "- HW RNG & rngd" --result "${STATUS_NO}" --color RED + LogText "Result: could not find ${ROOTDIR}sys/class/misc/hw_random/rng_current" + fi + fi +# +################################################################################# # WaitForKeyPress From 618a8430174ba1b912fc0df5d8bfe1b9cbcdb9c0 Mon Sep 17 00:00:00 2001 From: pyllyukko Date: Tue, 7 Jan 2020 22:27:27 +0200 Subject: [PATCH 003/355] KRNL-5788 in Raspi: don't complain about missing /vmlinuz The Raspberry Pi kernels reside within raspberrypi-kernel package[1]. [1] https://www.raspberrypi.org/documentation/linux/kernel/updating.md --- include/tests_kernel | 3 +++ 1 file changed, 3 insertions(+) diff --git a/include/tests_kernel b/include/tests_kernel index fbd1ff85..5f5ce856 100644 --- a/include/tests_kernel +++ b/include/tests_kernel 
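Review bot: `${CAT_BINARY}` does not follow the `<NAME>BINARY` naming used by the other tool variables in this series (`GREPBINARY`, `HEADBINARY`, `NTPCTLBINARY` in the binaries table), so it is likely unset here; an empty expansion makes the shell try to execute `${ROOTDIR}sys/class/misc/hw_random/rng_current` itself, `DATA` stays empty, and the `!= "none"` branch then logs a positive match with no generator name. Reading the file through a known variable, e.g. `DATA=$(${HEADBINARY} -n 1 "${ROOTDIR}sys/class/misc/hw_random/rng_current")`, and treating an empty `DATA` the same as `none` avoids the false positive. The path in the `-f` test is unquoted as well; quoting it costs nothing.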
@@ -392,6 +392,9 @@
 elif [ -e ${ROOTDIR}dev/grsec ]; then
 FINDKERNEL=linux-image-$(uname -r)
 LogText "Result: ${ROOTDIR}vmlinuz missing due to grsecurity; assuming ${FINDKERNEL}"
+ elif [ -e ${ROOTDIR}etc/rpi-issue ]; then
+ FINDKERNEL=raspberrypi-kernel
+ LogText "Result: ${ROOTDIR}vmlinuz missing due to Raspbian"
 else
 LogText "This system is missing ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz. Unable to check whether kernel is up-to-date."
 ReportSuggestion "${TEST_NO}" "Determine why ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz is missing on this Debian/Ubuntu system." "/vmlinuz or /boot/vmlinuz"
From c58e296bd36b8705714ab8a3c1bbafa25cf07816 Mon Sep 17 00:00:00 2001
From: Simon Biewald
Date: Wed, 8 Jan 2020 18:53:15 +0100
Subject: [PATCH 004/355] add openntpd detection and a few tests for it
---
 include/binaries | 1 +
 include/tests_time | 96 ++++++++++++++++++++++++++++++++++++++++++++--
 2 files changed, 93 insertions(+), 4 deletions(-)
diff --git a/include/binaries b/include/binaries
index f567ed1f..ec633f02 100644
--- a/include/binaries
+++ b/include/binaries
@@ -212,6 +212,7 @@
 netstat) NETSTATBINARY="${BINARY}"; LogText " Found known binary: netstat (network statistics) - ${BINARY}" ;;
 nft) NFTBINARY="${BINARY}"; LogText " Found known binary: nft (nftables client) - ${BINARY}" ;;
 nmap) NMAPBINARY="${BINARY}"; NMAPVERSION=$(${BINARY} -V | grep "^Nmap version" | awk '{ print $3 }'); LogText "Found ${BINARY} (version ${NMAPVERSION})" ;;
+ ntpctl) NTPCTLBINARY="${BINARY}"; LogText " Found known binary: ntpctl (openntpd client) - ${BINARY}" ;;
 ntpq) NTPQBINARY="${BINARY}"; LogText " Found known binary ntpq (time daemon client) - ${BINARY}" ;;
 osiris) OSIRISBINARY="${BINARY}"; LogText " Found known binary: osiris - ${BINARY}" ;;
 openssl) OPENSSLBINARY="${BINARY}"; OPENSSLVERSION=$(${BINARY} version 2> /dev/null | head -n 1 | awk '{ print $2 }' | xargs); LogText "Found ${BINARY} (version ${OPENSSLVERSION})" ;;
diff --git a/include/tests_time b/include/tests_time
index d3bda505..d5169d9e 100644
--- a/include/tests_time
+++ b/include/tests_time
@@ -36,6 +36,7 @@
 NTP_CONFIG_TYPE_EVENTBASED=0
 NTP_CONFIG_TYPE_STARTUP=0
 NTPD_RUNNING=0 # Specific for ntpd
+ OPENNTPD_COMMUNICATION=0 # if ntpctl can communicate
 SYSTEMD_NTP_ENABLED=0
 #
 #################################################################################
@@ -79,9 +80,37 @@ Display --indent 2 --text "- NTP daemon found: dntpd" --result "${STATUS_FOUND}" --color GREEN fi - # Check running processes - FIND=$(${PSBINARY} ax | ${GREPBINARY} "ntpd" | ${GREPBINARY} -v "dntpd" | ${GREPBINARY} -v "grep") - if [ -n "${FIND}" ]; then + # Check for OpenNTPD, ntpctl comes with a "regular" install + if [ -n ${NTPCTLBINARY} ]; then + # In contrast to timectl, "synchronised: yes" is not grepped. + # Reason: openntpd syncs only if large time corrections are not required or -s is passed. + # This might be not intended by the administrator (-s is NOT the default!) + FIND=$(${PSBINARY} ax | ${GREPBINARY} "ntpd: ntp engine" | ${GREPBINARY} -v "grep") + ${NTPCTLBINARY} -s status > /dev/null 2> /dev/null + # Status code 0 is when communication over the socket is successfull + if [ "$?" -eq 0 ]; then + FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="openntpd" + LogText "result: found openntpd (method: ntpctl)" + OPENNTPD_COMMUNICATION=1 + elif [ -n "${FIND}" ] ; then + # Reasons for ntpctl to fail might be someone spawned a new process thus overwriting the socket, + # then ended it, but another openntpd process is still running + FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="openntpd" + LogText "result: found openntpd (method: ps)" + else + LogText "result: running openntpd not found, but ntpctl is instaalled" + fi + + if [ "${NTP_DAEMON}" == "openntpd" ]; then + Display --indent 2 --text "- NTP daemon found: OpenNTPD" --result "${STATUS_FOUND}" --color GREEN + fi + fi + + # Check running processes (ntpd from ntp.org) + # As checking by process name is ambigiouse (openntpd has the same process name), + # this check will be skipped if openntpd has been found. 
+ FIND=$(${PSBINARY} ax | ${GREPBINARY} "ntpd" | ${GREPBINARY} -v "dntpd" | ${GREPBINARY} -v "ntpd: " | ${GREPBINARY} -v "grep") + if [ "${NTP_DAEMON}" != "openntpd" ] && [ -n "${FIND}" ]; then FOUND=1; NTPD_RUNNING=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1 NTP_DAEMON="ntpd" LogText "Result: found running NTP daemon in process list" @@ -476,7 +505,8 @@ # Other should preferably have no access, or read-only at max FILE_ARRAY="${ROOTDIR}etc/chrony.conf ${ROOTDIR}usr/pkg/etc/chrony.conf \ - ${ROOTDIR}etc/inet/ntp.conf ${ROOTDIR}etc/ntp.conf ${ROOTDIR}usr/local/etc/ntp.conf" + ${ROOTDIR}etc/inet/ntp.conf ${ROOTDIR}etc/ntp.conf ${ROOTDIR}usr/local/etc/ntp.conf\ + ${ROOTDIR}etc/ntpd.conf ${ROOTDIR}etc/openntpd/ntpd.conf ${ROOTDIR}usr/local/etc/ntpd.conf" Register --test-no TIME-3170 --weight L --network NO --category security --description "Check configuration files" if [ ${SKIPTEST} -eq 0 ]; then 
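Review bot: `if [ -n ${NTPCTLBINARY} ]; then` is unquoted, so when no ntpctl binary was found the test collapses to `[ -n ]`, which is true, and the whole OpenNTPD branch runs anyway — `${NTPCTLBINARY} -s status` then tries to execute the bare word `-s`. Quote it as `if [ -n "${NTPCTLBINARY}" ]; then`, the same form the TIME-3180 prerequisites in this patch already use. `==` inside `[ ]` is not POSIX (`=` is), and the new text has typos in `successfull`, `instaalled` and `ambigiouse`. The `if` that starts at `[ "${NTP_DAEMON}" != "openntpd" ] && [ -n "${FIND}" ]` continues past the end of this hunk.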
@@ -494,6 +524,64 @@
 #
 #################################################################################
 #
+ # Test : TIME-3180
+ # Description : Report if ntpctl cannot communicate with OpenNTPD
+
+ if [ "${NTPD_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" == "openntpd" ]; then
+ PREQS_MET="YES"
+ else
+ PREQS_MET="NO"
+ fi
+
+ Register --test-no TIME-3180 --weight L --network NO --category security --description "Report if ntpctl cannot communicate with OpenNTPD"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ if [ "${OPENNTPD_COMMUNICATION}" -eq 0 ]; then
+ ReportWarning "${TEST_NO}" "OpenNTPD found, but ntpctl cannot communicate with" "${NTPCTLBINARY} -s status" "Restart OpenNTPD"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : TIME-3181
+ # Description : Check status of OpenNTPD time synchronisation
+
+ if [ "${NTPD_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" == "openntpd" ] && [ "${OPENNTPD_COMMUNICATION}" -eq 1 ]; then
+ PREQS_MET="YES"
+ else
+ PREQS_MET="NO"
+ fi
+
+ Register --test-no TIME-3181 --weight L --network NO --category security --description "Check status of OpenNTPD time synchronisation"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FIND=$(${NTPCTLBINARY} -s status | ${GREPBINARY} "clock synced" )
+ if [ -z "${FIND}" ]; then
+ ReportWarning "${TEST_NO}" "OpenNTPD is not synchronising system time" "${NTPCTLBINARY} -s status" "text:Set time manually once or check network connectivity."
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : TIME-3182
+ # Description : Check OpenNTPD has working peers
+
+ if [ "${NTPD_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" == "openntpd" ] && [ "${OPENNTPD_COMMUNICATION}" -eq 1 ]; then
+ PREQS_MET="YES"
+ else
+ PREQS_MET="NO"
+ fi
+
+ Register --test-no TIME-3182 --weight L --network NO --category security --description "Check OpenNTPD has working peers"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ # Format is "xx/yy peers valid, ..."
+ FIND=$(${NTPCTLBINARY} -s status | ${EGREPBINARY} -o "[0-9]{1,4}/" | ${EGREPBINARY} -o "[0-9]{1,4}" )
+ if [ -n "${FIND}" ] || [ "${FIND}" -eq 0 ]; then
+ ReportWarning "${TEST_NO}" "OpenNTPD has no peers" "${NTPCTLBINARY} -s status"
+ fi
+ fi
+#
+#################################################################################
+#
+
 Report "ntp_config_found=${NTP_CONFIG_FOUND}"
 Report "ntp_config_type_daemon=${NTP_CONFIG_TYPE_DAEMON}"
 Report "ntp_config_type_eventbased=${NTP_CONFIG_TYPE_EVENTBASED}"
From d3287bd7effe3f7d7648c848eac1ca17a46d63ce Mon Sep 17 00:00:00 2001
From: gfelkel <60182072+gfelkel@users.noreply.github.com>
Date: Wed, 22 Jan 2020 16:31:49 +0100
Subject: [PATCH 005/355] FILE-6310 for HP-UX
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
HP-UX: /usr/sbin/mount reports "/home on /dev/…", so $1 has to be used
---
 include/tests_filesystems | 1 +
 1 file changed, 1 insertion(+)
diff --git a/include/tests_filesystems b/include/tests_filesystems
index 798978e7..c709a79a 100644
--- a/include/tests_filesystems
+++ b/include/tests_filesystems
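Review bot: None of the three new `Register` calls passes `--preqs-met ${PREQS_MET}`, so the `PREQS_MET` computed just above each one is discarded and TIME-3180, TIME-3181 and TIME-3182 run on every host; with `OPENNTPD_COMMUNICATION` defaulting to 0, TIME-3180 then warns "OpenNTPD found, but ntpctl cannot communicate" on systems that have no OpenNTPD at all. The prerequisites also test `NTPD_RUNNING`, which the variable comment at the top of this file marks as specific to ntpd and which the OpenNTPD detection branch earlier in this patch never sets (it sets `NTP_DAEMON_RUNNING`), so even once wired up the tests would never fire for OpenNTPD. The TIME-3182 peer check is inverted — `[ -n "${FIND}" ] || [ "${FIND}" -eq 0 ]` warns exactly when a count was parsed and raises an integer-expression error when `FIND` is empty — and should read `if [ -z "${FIND}" ] || [ "${FIND}" -eq 0 ]; then`. The corrected prerequisite and registration for TIME-3180 follow; TIME-3181 and TIME-3182 need the same two changes (and `=` in place of the non-POSIX `==`).
```shell
    # Test : TIME-3180
    # … unchanged: description …
    if [ "${NTP_DAEMON_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" = "openntpd" ]; then
        PREQS_MET="YES"
    else
        PREQS_MET="NO"
    fi

    Register --test-no TIME-3180 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Report if ntpctl cannot communicate with OpenNTPD"
    # … unchanged: TIME-3180 warning body, TIME-3181 (same prerequisite/--preqs-met change) …
    # TIME-3182 peer check, after the FIND= line:
    if [ -z "${FIND}" ] || [ "${FIND}" -eq 0 ]; then
```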
@@ -50,6 +50,7 @@ LogText "Result: directory ${I} exists" case "${OS}" in "AIX") FIND=$(${MOUNTBINARY} | ${AWKBINARY} -v MP=${I} '{ if ($2==MP) { print $2 }}') ;; + "HP-UX") FIND=$(${MOUNTBINARY} | ${AWKBINARY} -v MP=${I} '{ if ($1==MP) { print $1 }}') ;; *) FIND=$(${MOUNTBINARY} | ${AWKBINARY} -v MP=${I} '{ if ($3==MP) { print $3 }}') ;; esac From 5bce9d598cc546933739ec21c471a40e6e237cde Mon Sep 17 00:00:00 2001 From: gfelkel <60182072+gfelkel@users.noreply.github.com> Date: Thu, 23 Jan 2020 13:30:46 +0100 Subject: [PATCH 006/355] AUTH-9228 for HP-UX HP-UX also has /usr/sbin/pwck. For trusted systems, two additional options -s (check inconsistencies with the protected password database) and -l (check encrypted password lengths that are greater than 8 characters) are available. --- include/tests_authentication | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_authentication b/include/tests_authentication index 786bec64..21bcf719 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -302,7 +302,7 @@ FIND=$(${ROOTDIR}usr/sbin/pwck -q -r 2> /dev/null; echo $?) TESTED=1 ;; - "Solaris") + "Solaris"|"HP-UX") FIND=$(${ROOTDIR}usr/sbin/pwck 2> /dev/null; echo $?) TESTED=1 ;; From 79a29381a4e708c4cbd38d831d4b2d5ad546d97e Mon Sep 17 00:00:00 2001 From: Kristian Schuster Date: Sun, 26 Jan 2020 19:13:26 +0100 Subject: [PATCH 007/355] restructered test and fixed vmlinuz detection --- include/tests_kernel | 27 +++++++++++++-------------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/include/tests_kernel b/include/tests_kernel index 0f72525e..e7b6b742 100644 --- a/include/tests_kernel +++ b/include/tests_kernel @@ -624,7 +624,7 @@ fi # Check if /boot exists - if [ ${PRIVILEGED} -eq 1 -a -d "${ROOTDIR}boot" ]; then + if [ -d "${ROOTDIR}boot" ]; then LogText "Result: /boot exists, performing more tests from here" FIND=$(${LSBINARY} ${ROOTDIR}boot/* 2> /dev/null) if [ -n "${FIND}" ]; then 
@@ -650,18 +650,17 @@ else ReportException "${TEST_NO}:1" "Can't determine kernel version on disk, need debug data" fi - elif [ -f ${ROOTDIR}boot/vmlinuz-linux -o -f ${ROOTDIR}boot/vmlinuz-linux-lts -o -f $(ls -t ${ROOTDIR}boot/vm[l-]* 2> /dev/null | head -1) ]; then - if [ -L ${ROOTDIR}boot/vmlinuz-linux ]; then - LogText "Result: found symlink ${ROOTDIR}boot/vmlinuz-linux" - FOUND_VMLINUZ=$(readlink ${ROOTDIR}boot/vmlinuz-linux) - LogText "Result: symlinked target is ${FOUND_VMLINUZ}" - VERSION_ON_DISK=$(echo ${FOUND_VMLINUZ} | ${SEDBINARY} 's/^vmlinuz-//') + elif [ -f ${ROOTDIR}boot/vmlinuz-linux ] || [ -f ${ROOTDIR}boot/vmlinuz-linux-lts ] || [ -f "$(${LSBINARY} -t ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${HEADBINARY} -1)" ]; then + if [ -f ${ROOTDIR}boot/vmlinuz-linux ]; then + LogText "Result: found ${ROOTDIR}boot/vmlinuz-linux" + FOUND_VMLINUZ=${ROOTDIR}boot/vmlinuz-linux elif [ -f ${ROOTDIR}boot/vmlinuz-linux-lts ]; then - LogText "Result: found boot/vmlinuz-linux-lts" + LogText "Result: found ${ROOTDIR}boot/vmlinuz-linux-lts" FOUND_VMLINUZ=${ROOTDIR}boot/vmlinuz-linux-lts else # Match on /boot/vm5.3.7 or /boot/vmlinuz-5.3.7-1-default - FOUND_VMLINUZ=$(ls -t ${ROOTDIR}boot/vm[l-]* 2> /dev/null | head -1) + FOUND_VMLINUZ=$(${LSBINARY} -t ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${HEADBINARY} -1) + LogText "Result: found ${FOUND_VMLINUZ}" fi if [ -L "${FOUND_VMLINUZ}" ]; then @@ -673,7 +672,6 @@ fi if [ -z "${VERSION_ON_DISK}" ]; then - LogText "Result: found ${FOUND_VMLINUZ}" LogText "Test: checking kernel version on disk" NEXTLINE=0 VERSION_ON_DISK="" @@ -686,6 +684,11 @@ if [ "${I}" = "version" ]; then NEXTLINE=1; fi fi done + fi + + if [ -z "${VERSION_ON_DISK}" ]; then + LogText "Result: could not find the version on disk" + ReportException "${TEST_NO}:4" "Could not find the kernel version" else LogText "Result: found version ${VERSION_ON_DISK}" ACTIVE_KERNEL=$(uname -r) 
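Review bot: The fallback `$(${LSBINARY} -t ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${HEADBINARY} -1)` selects whichever matching file was modified last, which is not necessarily the newest installed kernel (a restored or merely touched older image would win), so the later on-disk/active comparison can misreport; a comment stating the assumption would help, e.g. `# Fallback: newest-by-mtime vm* file in /boot is assumed to be the installed kernel`. The same `ls | head` pipeline is run once inside the `elif` test and again in the `else` arm; capturing it into a variable before the `elif` avoids the duplicate call and keeps both places agreeing. The enclosing `if` block starts and ends outside this hunk.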
@@ -698,10 +701,6 @@ LogText "Result: reboot needed, as there is a difference between active kernel and the one on disk" fi fi - if [ -z "${VERSION_ON_DISK}" ]; then - LogText "Result: could not find the version on disk" - ReportException "${TEST_NO}:4" "Could not find the kernel version" - fi else if [ -L ${ROOTDIR}boot/vmlinuz ]; then LogText "Result: found symlink of ${ROOTDIR}boot/vmlinuz, skipping file" From af70303aeb9566ca1bed564f8e655720e60b4a5e Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 14 Feb 2020 11:49:32 +0100 Subject: [PATCH 008/355] Set preferred option to skip plugin executiont o --no-plugins, as that is more in line with the other 'no' options --- include/helper_show | 2 +- include/parameters | 10 +++++----- lynis.8 | 8 ++++---- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/include/helper_show b/include/helper_show index 923f4496..fc21ead9 100644 --- a/include/helper_show +++ b/include/helper_show 
@@ -30,7 +30,7 @@ COMMANDS="audit configure generate show update upload-only" HELPERS="audit configure show update" -OPTIONS="--auditor\n--cronjob (--cron)\n--debug\n--developer\n--devops\n--forensics\n--help (-h)\n--log-file\n--manpage (--man)\n--no-colors\n--no-log\n--pentest\n--profile\n--plugin-dir\n--quick (-Q)\n--quiet (-q)\n--report-file\n--reverse-colors\n--skip-plugins\n--tests\n--tests-from-category\n--tests-from-group\n--usecwd\n--upload\n--verbose\n--version (-V)\n--wait\n--warnings-only" +OPTIONS="--auditor\n--cronjob (--cron)\n--debug\n--developer\n--devops\n--forensics\n--help (-h)\n--log-file\n--manpage (--man)\n--no-colors\n--no-log\n--no-plugins\n--pentest\n--profile\n--plugin-dir\n--quick (-Q)\n--quiet (-q)\n--report-file\n--reverse-colors\n--tests\n--tests-from-category\n--tests-from-group\n--usecwd\n--upload\n--verbose\n--version (-V)\n--wait\n--warnings-only" SHOW_ARGS="categories changelog commands dbdir details environment eol groups help hostids includedir language license logfile man options os pidfile plugindir profiles release releasedate report settings tests version workdir" SHOW_HELP="lynis show ${BROWN}categories${NORMAL} (display test categories) diff --git a/include/parameters b/include/parameters index b8676b4c..77a6084f 100644 --- a/include/parameters +++ b/include/parameters @@ -280,6 +280,11 @@ LOGFILE="/dev/null" ;; + # Skip execution of plugins + --no-plugins | --noplugins | --skip-plugins) + SKIP_PLUGINS=1 + ;; + --pen-test | --pentest) PENTESTINGMODE=1 ;; @@ -359,11 +364,6 @@ fi ;; - # Skip execution of plugins - --skip-plugins | --no-plugins | --noplugins) - SKIP_PLUGINS=1 - ;; - # Only scan these tests --tests) shift diff --git a/lynis.8 b/lynis.8 index 719e82c7..717a6c4a 100644 --- a/lynis.8 +++ b/lynis.8 @@ -1,4 +1,4 @@ -.TH Lynis 8 "4 Dec 2019" "1.31" "Unix System Administrator's Manual" +.TH Lynis 8 "14 Feb 2020" "1.32" "Unix System Administrator's Manual" .SH "NAME" 
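Review bot: The new `--no-plugins | --noplugins | --skip-plugins)` arm in include/parameters keeps `--skip-plugins` working, but this same commit removes it from the OPTIONS list in helper_show and from lynis.8, so nothing records that it is now a compatibility alias rather than a supported option. A comment on the arm such as `# --skip-plugins and --noplugins: legacy aliases kept for backward compatibility (not documented)` would preserve that intent for the next reader, and the man-page hunk could mention the alias under `--no-plugins`.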
@@ -91,6 +91,9 @@ Disable colored output. Redirect all logging information to /dev/null, prevents sensitive information to be written to disk. .TP +.B \-\-no\-plugins +Do not run any of the enabled plugins. +.TP .B \-\-pentest Run a non-privileged scan, usually used for penetration testing. Some of the tests will be skipped if they require root permissions. @@ -113,9 +116,6 @@ Provide an alternative name for report file. .B \-\-reverse\-colors Optimize screen output for light backgrounds. .TP -.B \-\-skip\-plugins -Do not run plugins. -.TP .B \-\-tests TEST-IDs Only run the specific test(s). When using multiple tests, add quotes around the line. From 5ca8baf7a8b3a31a4893d8130fa85f085d3b1ef2 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sat, 15 Feb 2020 14:09:23 +0100 Subject: [PATCH 009/355] [USB-2000] improved testing for USB devices and filtering out possible incorrect state --- include/tests_usb | 67 ++++++++++++++++++++++++++--------------------- 1 file changed, 37 insertions(+), 30 deletions(-) diff --git a/include/tests_usb b/include/tests_usb index 24c74982..1c6cae6d 100644 --- a/include/tests_usb +++ b/include/tests_usb 
@@ -91,39 +91,46 @@ # Description : Check USB authorizations Register --test-no USB-2000 --os Linux --weight L --network NO --category security --description "Check USB authorizations" if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: Checking USB devices authorization to connect to the system" FOUND=0 - USBDEVICESPATH="${ROOTDIR}sys/bus/usb/devices/usb" - for device in "${USBDEVICESPATH}"*; do - if [ -e "${device}/authorized" -o -e "${device}/authorized_default" ]; then - if [ "$(cat "${device}/authorized_default")" = "1" ]; then - FOUND=1 - LogText "Test: ${device} is authorized by default" - Report "usb_authorized_default_device[]=${device}" - elif [ "$(cat "${device}/authorized")" = "1" ]; then - FOUND=1 - LogText "Test: ${device} is authorized currently" - Report "usb_authorized_device[]=${device}" - fi - else - LogText "Test: ${device} is authorized by default" - Report "usb_authorized_default_device[]=${device}" - FOUND=1 - fi - done + USBDEVICESPATH="${ROOTDIR}sys/bus/usb/devices" + LogText "Test: checking presence of USB devices path (${USBDEVICESPATH})" + if [ -d "${USBDEVICESPATH}" ]; then - if [ ${FOUND} -eq 1 ]; then - LogText "Result: Some USB devices are authorized by default (or temporary) to connect to the system" - Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_ENABLED}" --color YELLOW - # To-Be-Added: create documentation and enable the suggestion - #if [ ${USBGUARD_FOUND} -eq 0 ]; then - # ReportSuggestion "${TEST_NO}" "Disable USB devices authorization, to prevent unauthorized storage or data theft" - #fi - AddHP 0 3 + LogText "Test: Checking USB devices authorization to connect to the system" + for device in $(find ${USBDEVICESPATH} -name "usb*" -type l -print); do + if [ -e "${device}/authorized" -o -e "${device}/authorized_default" ]; then + if [ "$(cat "${device}/authorized_default")" = "1" ]; then + FOUND=1 + LogText "Test: ${device} is authorized by default (authorized_default=1)" + Report 
"usb_authorized_default_device[]=${device}" + fi + if [ "$(cat "${device}/authorized")" = "1" ]; then + FOUND=1 + LogText "Test: ${device} is authorized currently (authorized=1)" + Report "usb_authorized_device[]=${device}" + fi + else + LogText "Test: no authorized or authorized_default file, assuming ${device} is authorized by default" + Report "usb_authorized_default_device[]=${device}" + FOUND=1 + fi + done + + if [ ${FOUND} -eq 1 ]; then + LogText "Result: Some USB devices are authorized by default (or temporary) to connect to the system" + Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_ENABLED}" --color YELLOW + # TODO: create documentation and enable the suggestion + #if [ ${USBGUARD_FOUND} -eq 0 ]; then + # ReportSuggestion "${TEST_NO}" "Disable USB devices authorization, to prevent unauthorized storage or data theft" + #fi + AddHP 0 3 + else + LogText "Result: None USB devices are authorized by default (or temporary) to connect to the system" + Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_DISABLED}" --color GREEN + AddHP 3 3 + fi else - LogText "Result: None USB devices are authorized by default (or temporary) to connect to the system" - Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_DISABLED}" --color GREEN - AddHP 3 3 + LogText "Result: devices path does not exist" fi fi From 3bbe34ea736968e572dbc65aaec2d91e217c6eff Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sat, 15 Feb 2020 14:09:56 +0100 Subject: [PATCH 010/355] [CRYP-8004] enhanced after pulling in initital test --- db/tests.db | 1 + include/tests_crypto | 16 +++++++++------- 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/db/tests.db b/db/tests.db index cbe892b9..e057c06e 100644 --- a/db/tests.db +++ b/db/tests.db 
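Review bot: After the `[ -e "${device}/authorized" -o -e "${device}/authorized_default" ]` test the new loop reads both attributes unconditionally, so a device that has only one of them makes `cat` fail on the other (stderr noise and an empty comparison); testing each file before reading it avoids that: `if [ -e "${device}/authorized_default" ] && [ "$(cat "${device}/authorized_default")" = "1" ]; then` and the same for `authorized`. `for device in $(find ${USBDEVICESPATH} -name "usb*" -type l -print)` word-splits the output and leaves the path unquoted; sysfs names contain no whitespace so it works, but if only the root-hub links directly under the devices directory are meant (which the `usb*` name filter suggests), adding `-maxdepth 1` makes that explicit. `cat` is also called directly here whereas the rest of this series reaches tools through `${...BINARY}` variables.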
@@ -86,6 +86,7 @@ CORE-1000:test:performance:system_integrity::Check all system binaries:
 CRYP-7902:test:security:crypto::Check expire date of SSL certificates:
 CRYP-7930:test:security:crypto:Linux:Determine if system uses LUKS encryption:
 CRYP-8002:test:security:crypto:Linux:Gather kernel entropy:
+CRYP-8004:test:security:crypto:Linux:Presence of hardware number generator:
 DNS-1600:test:security:dns::Validating that the DNSSEC signatures are checked:
 DBS-1804:test:security:databases::Checking active MySQL process:
 DBS-1816:test:security:databases::Checking MySQL root password:
diff --git a/include/tests_crypto b/include/tests_crypto
index 9c40ff47..548ba0a0 100644
--- a/include/tests_crypto
+++ b/include/tests_crypto
@@ -196,22 +196,24 @@
 #################################################################################
 #
 # Test : CRYP-8004
- # Description : Test for HWRNG & rngd
- Register --test-no CRYP-8004 --os Linux --weight L --network NO --root-only NO --category security --description "Test for HWRNG & rngd"
+ # Description : Test for presence of random number generators
+ Register --test-no CRYP-8004 --os Linux --weight L --network NO --root-only NO --category security --description "Presence of random number generators"
 if [ ${SKIPTEST} -eq 0 ]; then
- if [ -f ${ROOTDIR}sys/class/misc/hw_random/rng_current ]; then
- DATA=$(${CAT_BINARY} ${ROOTDIR}sys/class/misc/hw_random/rng_current)
+ LogText "Test: looking for ${ROOTDIR}sys/class/misc/hw_random/rng_current"
+ if [ -f "${ROOTDIR}sys/class/misc/hw_random/rng_current" ]; then
+ DATA=$(${HEADBINARY} --lines=1 ${ROOTDIR}sys/class/misc/hw_random/rng_current | ${TRBINARY} -d '[[:cntrl:]]')
 if [ "${DATA}" != "none" ]; then
- LogText "Result: found HW RNG: ${DATA}"
+ LogText "Result: positive match, found RNG: ${DATA}"
 if IsRunning "rngd"; then
 Display --indent 2 --text "- HW RNG & rngd" --result "${STATUS_YES}" --color GREEN
 LogText "Result: rngd is running"
 else
 Display --indent 2 --text "- HW RNG & rngd" --result "${STATUS_NO}" --color YELLOW
- ReportSuggestion "${TEST_NO}" "Utilize HW RNG by running rngd"
+ # TODO - enable suggestion when website has listing for this control
+ # ReportSuggestion "${TEST_NO}" "Utilize hardware random number generation by running rngd"
 fi
 else
- Display --indent 2 --text "- HW RNG & rngd" --result "${STATUS_NO}" --color RED
+ Display --indent 2 --text "- HW RNG & rngd" --result "${STATUS_NO}" --color YELLOW
 LogText "Result: no HW RNG available"
 fi
 else
From d81cc71790144ed9ff354748254d300d297f3da6 Mon Sep 17 00:00:00 2001
From: Michael Boelen
Date: Sat, 15 Feb 2020 14:10:48 +0100
Subject: [PATCH 011/355] Updated log
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
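Review bot: `${HEADBINARY} --lines=1` uses a GNU long option, while the rest of this series spells it the POSIX way (`${HEADBINARY} -1` in tests_kernel, `head -n 1` in the binaries table); `-n 1` would be safer on Linux systems whose `head` lacks long options, though I cannot see from here which implementations Lynis targets. The `-f` test is now quoted but the same path in the `DATA=` line is not; quoting it keeps the two consistent: `DATA=$(${HEADBINARY} -n 1 "${ROOTDIR}sys/class/misc/hw_random/rng_current" | ${TRBINARY} -d '[[:cntrl:]]')`. An empty `DATA` (file present but unreadable) still satisfies `!= "none"` and is logged as a positive match with no name; treating an empty value like `none` closes that gap.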
diff --git a/CHANGELOG.md b/CHANGELOG.md index 34fa7423..6538e1cd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -47,6 +47,7 @@ Using the relevant options, the scan will change base on the intended goal. - New profile option: disable-plugin - disables a single plugin - New profile option: ssl-certificate-paths-to-ignore - ignore a path - New test: CRYP-7930 - test for LUKS encryption +- New test: CRYP-8004 - presence of hardware random number generator - New test: DBS-1828 - PostgreSQL configuration files - New test: FINT-4316 - presence of AIDE database and size test - New test: INSE-8314 - test for NIS client From 91ad10d464dab3450e3107f95e7de649b15d2d1b Mon Sep 17 00:00:00 2001 From: Nicolas CARPi Date: Tue, 18 Feb 2020 22:19:45 +0100 Subject: [PATCH 012/355] Remove the test for ssh config VerifyReverseMapping This option is deprecated since 2003. Having it in a config file raises a warning and UseDNS (that is on by default) includes the VerifyReverseMapping check. See https://github.com/openssh/openssh-portable/commit/3a961dc0d36c1f87788b707130f6d07709822d38 See #528 --- include/tests_ssh | 1 - 1 file changed, 1 deletion(-) diff --git a/include/tests_ssh b/include/tests_ssh index 5c8b3775..44424b3a 100644 --- a/include/tests_ssh +++ b/include/tests_ssh @@ -151,7 +151,6 @@ StrictModes:YES,,NO:=\ TCPKeepAlive:NO,,YES:=\ UseDNS:NO,,YES:=\ - VerifyReverseMapping:YES,,NO:=\ X11Forwarding:NO,,YES:=\ AllowAgentForwarding:NO,,YES:=" From 42b2831f758cd5a229a4615f1ffc8a500394ebd4 Mon Sep 17 00:00:00 2001 From: Kevin Date: Fri, 21 Feb 2020 08:04:08 +0100 Subject: [PATCH 013/355] add basic xbps/void support --- include/binaries | 1 + include/functions | 3 +++ 2 files changed, 4 insertions(+) diff --git a/include/binaries b/include/binaries index f567ed1f..0eaf6acb 100644 --- a/include/binaries +++ b/include/binaries 
@@ -154,6 +154,7 @@
 docker) DOCKERBINARY="${BINARY}"; LogText " Found known binary: docker (container technology) - ${BINARY}" ;;
 domainname) DOMAINNAMEBINARY="${BINARY}"; LogText " Found known binary: domainname (NIS domain) - ${BINARY}" ;;
 dpkg) DPKGBINARY="${BINARY}"; LogText " Found known binary: dpkg (package management) - ${BINARY}" ;;
+ xbps-query) XBPSBINARY="${BINARY}"; LogText " Found known binary: xbps (package management) - ${BINARY}" ;;
 egrep) EGREPBINARY=${BINARY}; LogText " Found known binary: egrep (text search) - ${BINARY}" ;;
 equery) EQUERYBINARY="${BINARY}"; LogText " Found known binary: query (package manager) - ${BINARY}" ;;
 exim) EXIMBINARY="${BINARY}"; EXIMVERSION=$(${BINARY} -bV | grep 'Exim version' | awk '{ print $3 }' | xargs); LogText " Found known binary ${BINARY} (version ${EXIMVERSION})" ;;
diff --git a/include/functions b/include/functions
index de40a427..7b31cdc3 100644
--- a/include/functions
+++ b/include/functions
@@ -2050,6 +2050,9 @@
 elif [ -n "${ZYPPERBINARY}" ]; then
 output=$(${ZYPPERBINARY} --quiet --non-interactive search --installed -i ${package} 2> /dev/null | grep "^i")
 if [ -n "${output}" ]; then exit_code=0; else exit_code=1; fi
+ elif [ -n "${XBPSBINARY}" ]; then
+ output=$(${XBPSBINARY} ${package} 2> /dev/null | ${GREPBINARY} "^ii")
+ exit_code=$?
 else
 ReportException "PackageIsInstalled:01"
 fi
From 35e568e695da2a0d37854f2b769cb438747e3e58 Mon Sep 17 00:00:00 2001
From: Skactor
Date: Mon, 24 Feb 2020 20:44:05 +0800
Subject: [PATCH 014/355] Update tests_ports_packages
Incorrect constant name spelling
---
 include/tests_ports_packages | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/tests_ports_packages b/include/tests_ports_packages
index 4d037bf7..326bd94f 100644
--- a/include/tests_ports_packages
+++ b/include/tests_ports_packages
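Review bot: `output=$(${XBPSBINARY} ${package} 2> /dev/null | ${GREPBINARY} "^ii")` greps for an `ii` prefix, but `XBPSBINARY` is registered as `xbps-query` and, as far as I know, `xbps-query <pkg>` prints the package's properties rather than the `ii`-prefixed rows that `xbps-query -l` emits — if so the match never succeeds and every package is reported as not installed; please confirm the output format on a Void host before merging. `${package}` should also be quoted, as a package name is user-influenced input here. In the binaries table the new `xbps-query)` arm sits between `dpkg)` and `egrep)`, whereas the neighbouring arms are in alphabetical order.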
@@ -1347,7 +1347,7 @@ Display --indent 2 --text "- Toolkit for automatic upgrades (${UNATTENDED_UPGRADES_TOOL})" --result "${STATUS_FOUND}" --color GREEN else AddHP 1 5 - Display --indent 2 --text "- Toolkit for automatic upgrades" --result "${STATUS_NOTFOUND}" --color YELLOW + Display --indent 2 --text "- Toolkit for automatic upgrades" --result "${STATUS_NOT_FOUND}" --color YELLOW LogText "Result: no toolkit for automatic updates discovered" ReportSuggestion "${TEST_NO}" "Consider using a tool to automatically apply upgrades" fi From d8a3bc8afae3430abc1b1c366d77496c0e06d17a Mon Sep 17 00:00:00 2001 From: maczniak Date: Mon, 24 Feb 2020 23:17:09 +0900 Subject: [PATCH 015/355] fix CISOfy/lynis#844 --- include/tests_ssh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_ssh b/include/tests_ssh index 5c8b3775..36de9c4b 100644 --- a/include/tests_ssh +++ b/include/tests_ssh @@ -117,7 +117,7 @@ # Test : SSH-7408 # Description : Check SSH specific defined options # Notes : Instead of parsing the configuration file, we query the SSH daemon itself - if [ ${OPENSSHD_RUNNING} -eq 1 -a -n "${SSH_DAEMON_OPTIONS_FILE}" -a ${OPENSSHD_VERSION_MAJOR} -ge 5 -a ${OPENSSHD_VERSION_MINOR} -ge 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ${OPENSSHD_RUNNING} -eq 1 -a -n "${SSH_DAEMON_OPTIONS_FILE}" -a \( ${OPENSSHD_VERSION_MAJOR} -gt 5 -o ${OPENSSHD_VERSION_MAJOR} -eq 5 -a ${OPENSSHD_VERSION_MINOR} -ge 1 \) ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no SSH-7408 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SSH specific defined options" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking specific defined options in ${SSH_DAEMON_OPTIONS_FILE}" From fc7c5fb7234ffa4e7ac26b1094e44b6b2fb6a2eb Mon Sep 17 00:00:00 2001 
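Review bot: The rewritten prerequisite `if [ ${OPENSSHD_RUNNING} -eq 1 -a -n "${SSH_DAEMON_OPTIONS_FILE}" -a \( ${OPENSSHD_VERSION_MAJOR} -gt 5 -o ${OPENSSHD_VERSION_MAJOR} -eq 5 -a ${OPENSSHD_VERSION_MINOR} -ge 1 \) ]` in the SSH-7408 hunk is correct only because `-a` binds tighter than `-o` inside `test`, a precedence POSIX marks obsolescent and most readers will not know, and an empty or non-numeric version variable makes the whole `[` fail with an error rather than evaluate to false. Splitting the version part into its own statement reads as the intended "5.1 or newer" and isolates the arithmetic, e.g. `if [ "${OPENSSHD_VERSION_MAJOR}" -gt 5 ] || { [ "${OPENSSHD_VERSION_MAJOR}" -eq 5 ] && [ "${OPENSSHD_VERSION_MINOR}" -ge 1 ]; }; then VERSION_OK=1; else VERSION_OK=0; fi`, with the running/options-file checks then testing `VERSION_OK`. Whether the two version variables are guaranteed numeric before this point is not visible in the hunk.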
From: Skactor Date: Tue, 25 Feb 2020 15:48:55 +0800 Subject: [PATCH 016/355] Update tests_shells Write function as variable due to careless error --- include/tests_shells | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_shells b/include/tests_shells index f440da5a..d4b3d9a3 100644 --- a/include/tests_shells +++ b/include/tests_shells @@ -115,7 +115,7 @@ if IsRunning "autolog"; then IDLE_TIMEOUT=1 LogText "Result: found autolog process to kill idle sessions" - Report="session_timeout_method[]=autolog" + Report "session_timeout_method[]=autolog" IDLE_TIMEOUT_METHOD="autolog" fi From 22ceeaa9262000234b8209d29e14e3ce73d67e5b Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Tue, 3 Mar 2020 13:56:33 -0600 Subject: [PATCH 017/355] Added detection of PureOS in /etc/os-release --- include/osdetection | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/include/osdetection b/include/osdetection index cf9d1eac..5a136732 100644 --- a/include/osdetection +++ b/include/osdetection @@ -180,6 +180,13 @@ OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_NAME="Debian" ;; + "pureos") + LINUX_VERSION="PureOS" + OS_FULLNAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + OS_NAME="PureOS" + ;; "manjaro") LINUX_VERSION="Manjaro" OS_FULLNAME="Manjaro Linux" From e008907ff1242f6055a4591f75eae73ea53e1d3a Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 4 Mar 2020 14:51:13 +0100 Subject: [PATCH 018/355] Remove 's' from word 'colours' --- include/parameters | 4 ++-- lynis | 1 - 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/include/parameters b/include/parameters index bdbbfae5..0edae1cd 100644 --- a/include/parameters +++ b/include/parameters 
@@ -270,7 +270,7 @@ ;; # Don't use colors - --no-colors | --nocolors | --no-colours | --nocolours) + --no-colors | --nocolors | --no-colour | --nocolour) COLORS=0 RemoveColors ;; @@ -337,7 +337,7 @@ ;; # Strip the colors which aren't clearly visible on light backgrounds - --reverse-colors| --reverse-colours) + --reverse-colors| --reverse-colour) BLUE="${NORMAL}"; SECTION="${NORMAL}"; NOTICE="${NORMAL}"; diff --git a/lynis b/lynis index 66a56acc..f39dd7af 100755 --- a/lynis +++ b/lynis @@ -436,7 +436,6 @@ ${YELLOW}Note: ${WHITE}Cancelling the program can leave temporary files behind${ ${WHITE}Layout options${NORMAL} ${GRAY}--no-colors${NORMAL} : Don't use colors in output - ${GRAY}--no-colours${NORMAL} : Don't use colours in output ${GRAY}--quiet (-q)${NORMAL} : No output ${GRAY}--reverse-colors${NORMAL} : Optimize color display for light backgrounds ${GRAY}--reverse-colours${NORMAL} : Optimize colour display for light backgrounds From 5faf69af1611ce046de3a9e4dd088bb4806f3bdc Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 4 Mar 2020 15:02:39 +0100 Subject: [PATCH 019/355] Code enhancement to avoid repetition --- include/osdetection | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/include/osdetection b/include/osdetection index 35d0b576..dc6eacae 100644 --- a/include/osdetection +++ b/include/osdetection @@ -139,12 +139,12 @@ # Generic if [ -e /etc/os-release ]; then + OS_FULLNAME=$(awk -F= '/^PRETTY_NAME=/ {print substr($2,2,length($2)-2)}' /etc/os-release) OS_ID=$(grep "^ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') if [ -n "${OS_ID}" ]; then case ${OS_ID} in "amzn") LINUX_VERSION="Amazon Linux" - OS_FULLNAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_NAME="Amazon Linux" OS_REDHAT_OR_CLONE=1 OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') 
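Review bot: Dropping `--no-colours`/`--nocolours` and `--reverse-colours` from the option patterns (`--no-colors | --nocolors | --no-colour | --nocolour)` and `--reverse-colors| --reverse-colour)`) breaks any existing wrapper or cron invocation that uses the plural British spelling, which the parser will presumably now reject as unknown, and the help text in the lynis hunk still advertises `--reverse-colours` while the parser no longer accepts it. Keeping the old spellings as extra alternatives in both `case` arms, e.g. `--no-colors | --nocolors | --no-colour | --nocolour | --no-colours | --nocolours)`, preserves compatibility; if the intent really is to retire them, the `--reverse-colours` help line should go as well and the removal belongs in the CHANGELOG.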
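Review bot: `OS_FULLNAME=$(awk -F= '/^PRETTY_NAME=/ {print substr($2,2,length($2)-2)}' /etc/os-release)` strips the first and last character unconditionally, so a PRETTY_NAME that is not double-quoted (os-release permits unquoted values) loses two real characters, which is a regression against the per-distribution `tr -d '"'` lines this hoisted assignment replaces. Keeping the tolerant form in the hoisted line, `OS_FULLNAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')`, or stripping only quotes that are actually present, `awk -F= '/^PRETTY_NAME=/ { sub(/^"/, "", $2); sub(/"$/, "", $2); print $2 }'`, keeps behaviour identical for the existing cases. The `case` over OS_ID continues past the end of the hunk.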
@@ -156,34 +156,29 @@ ;; "centos") LINUX_VERSION="CentOS" - OS_FULLNAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_NAME="CentOS Linux" OS_REDHAT_OR_CLONE=1 OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') ;; "clear-linux-os") LINUX_VERSION="Clear Linux OS" - OS_FULLNAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_NAME="Clear Linux OS" OS_REDHAT_OR_CLONE=1 OS_VERSION="Rolling release" ;; "coreos") LINUX_VERSION="CoreOS" - OS_FULLNAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_NAME="CoreOS Linux" OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') ;; "debian") LINUX_VERSION="Debian" - OS_FULLNAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_NAME="Debian" ;; "pureos") LINUX_VERSION="PureOS" - OS_FULLNAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_NAME="PureOS" 
@@ -196,27 +191,23 @@ ;; "opensuse-tumbleweed") LINUX_VERSION="openSUSE Tumbleweed" - OS_FULLNAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') # It's rolling release but has a snapshot version (the date of the snapshot) OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_NAME="openSUSE" ;; "opensuse-leap") LINUX_VERSION="openSUSE Leap" - OS_FULLNAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_NAME="openSUSE" ;; "ubuntu") LINUX_VERSION="Ubuntu" - OS_FULLNAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_NAME="Ubuntu" ;; "raspbian") LINUX_VERSION="Raspbian" - OS_FULLNAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_NAME="Raspbian" @@ -231,7 +222,6 @@ ;; "slackware") LINUX_VERSION="Slackware" - OS_FULLNAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_NAME="Slackware Linux" OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') From 4d1a170e84225174b8fde01a23f88dfaa16c89c0 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 4 Mar 2020 15:03:23 +0100 Subject: [PATCH 020/355] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6538e1cd..d9163527 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -59,6 +59,7 @@ Using the relevant options, the scan will change base on the intended goal. - Sending USR1 signal to Lynis process will show active status - Measure timing of tests and report slow tests (10+ seconds) - Initial support for Clear Linux OS +- Initial support for PureOS - Added end-of-life data for Arch Linux and Debian - Detection and end-of-life data added for Amazon Linux - Detection of linux-lts on Arch Linux From c0158da38ea4b95c4789b072447a820f288ee2f3 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 4 Mar 2020 15:04:54 +0100 Subject: [PATCH 021/355] Corrected test ID --- include/tests_mail_messaging | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_mail_messaging b/include/tests_mail_messaging index 63b43804..dbe449af 100644 --- a/include/tests_mail_messaging +++ b/include/tests_mail_messaging @@ -61,7 +61,7 @@ # Test : MAIL-8804 # Description : Exim configuration options if [ ${EXIM_RUNNING} -eq 1 -a ! "${EXIMBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no MAIL-8803 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Exim configuration options" + Register --test-no MAIL-8804 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Exim configuration options" if [ ${SKIPTEST} -eq 0 -a ${EXIM_RUNNING} -eq 1 ]; then LogText "Test: Exim configuration options" From 28bd36d9c6d0d695f0b92459407cf11a91411694 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 4 Mar 2020 15:09:10 +0100 Subject: [PATCH 022/355] Added Fedora --- include/osdetection | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/include/osdetection b/include/osdetection index dc6eacae..5d65aa51 100644 --- a/include/osdetection +++ b/include/osdetection 
@@ -173,9 +173,15 @@ ;; "debian") LINUX_VERSION="Debian" + OS_NAME="Debian" OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') - OS_NAME="Debian" + ;; + "fedora") + LINUX_VERSION="Fedora" + OS_NAME="Fedora Linux" + OS_REDHAT_OR_CLONE=1 + OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') ;; "pureos") LINUX_VERSION="PureOS" From 24ca3c20459c93385994d9b8e2d2b6b24a32ec1b Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 4 Mar 2020 19:38:22 +0100 Subject: [PATCH 023/355] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d9163527..4b00ec84 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -113,6 +113,7 @@ Using the relevant options, the scan will change base on the intended goal. - SSH-7406 - strip OpenSSH patch version and remove characters (carriage return) - SSH-7408 - changed text in suggestion and report - SSH-7408 - added forced-commands-only option +- SSH-7408 - VerifyReverseMapping removed (deprecated) - STRG-1840 - renamed to USB-1000 - STRG-1842 - added default authorized devices and renamed to USB-2000 - TOOL-5002 - differentiate between a discovered binary and running process From 0593c69f2f434e79c5e3af1cdd1e5e0ffd714543 Mon Sep 17 00:00:00 2001 From: Nicolas CARPi Date: Thu, 5 Mar 2020 00:53:27 +0100 Subject: [PATCH 024/355] Skip the PHP cli configuration file when looking for expose_php The expose_php configuration option is only relevant for non-cli PHP and thus lynis should not look for it in config files that are for cli Fix #849 --- CHANGELOG.md | 1 + include/tests_php | 2 ++ 2 files changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4b00ec84..34dc6829 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -102,6 +102,7 @@ Using the relevant options, the scan will change base on the intended goal. - NAME-4404 - improved screen and log output - NAME-4408 - corrected Report function call - NETW-3032 - small rewrite of test and extended with addrwatch +- PHP-2372 - don't look in the cli configuration files - PKGS-7410 - use multiple package managers when available - PKGS-7410 - added support for Zypper to test number of kernels - PROC-3602 - allow different root directory diff --git a/include/tests_php b/include/tests_php index d84b181a..6e4d44f9 100644 --- a/include/tests_php +++ b/include/tests_php @@ -291,6 +291,8 @@ if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 for FILE in ${PHPINI_ALLFILES}; do + # Don't look at this setting in cli configuration + if [[ ${FILE} == *"/cli/"* ]]; then continue; fi LogText "Test: Checking file ${FILE}" FIND=$(${EGREPBINARY} -i 'expose_php.*(on|yes|1)' ${FILE} | ${GREPBINARY} -v '^;') if HasData "${FIND}"; then From 600cb84310b0b97aad7184b5224fdc3ba18a04be Mon Sep 17 00:00:00 2001 From: Nicolas CARPi Date: Thu, 5 Mar 2020 21:42:54 +0100 Subject: [PATCH 025/355] Use a POSIX implementation to check for substring This works with all shells, even busybox. --- include/tests_php | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/include/tests_php b/include/tests_php index 6e4d44f9..120b7dcb 100644 --- a/include/tests_php +++ b/include/tests_php @@ -292,7 +292,11 @@ FOUND=0 for FILE in ${PHPINI_ALLFILES}; do # Don't look at this setting in cli configuration - if [[ ${FILE} == *"/cli/"* ]]; then continue; fi + case "${FILE}" in + */cli/*) + continue + ;; + esac LogText "Test: Checking file ${FILE}" FIND=$(${EGREPBINARY} -i 'expose_php.*(on|yes|1)' ${FILE} | ${GREPBINARY} -v '^;') if HasData "${FIND}"; then From 30a456c5f44fe57f705e2958d01c8c4b08691880 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 11 Mar 2020 15:56:32 +0100 Subject: [PATCH 026/355] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index 4b00ec84..d22601fe 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -60,6 +60,7 @@ Using the relevant options, the scan will change base on the intended goal. - Measure timing of tests and report slow tests (10+ seconds) - Initial support for Clear Linux OS - Initial support for PureOS +- Support for X Binary Package (xbps) - Added end-of-life data for Arch Linux and Debian - Detection and end-of-life data added for Amazon Linux - Detection of linux-lts on Arch Linux From 0b0b0ea90515c42062d43d244016dceee6889147 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Thu, 12 Mar 2020 16:01:11 +0100 Subject: [PATCH 027/355] Style improvement --- include/parameters | 2 +- include/tests_authentication | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/include/parameters b/include/parameters index 0edae1cd..2d9ef14d 100644 --- a/include/parameters +++ b/include/parameters @@ -337,7 +337,7 @@ ;; # Strip the colors which aren't clearly visible on light backgrounds - --reverse-colors| --reverse-colour) + --reverse-colors | --reverse-colour) BLUE="${NORMAL}"; SECTION="${NORMAL}"; NOTICE="${NORMAL}"; diff --git a/include/tests_authentication b/include/tests_authentication index 21bcf719..a20f8976 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -302,7 +302,7 @@ FIND=$(${ROOTDIR}usr/sbin/pwck -q -r 2> /dev/null; echo $?) TESTED=1 ;; - "Solaris"|"HP-UX") + "Solaris" | "HP-UX") FIND=$(${ROOTDIR}usr/sbin/pwck 2> /dev/null; echo $?) TESTED=1 ;; From 7a1719ef75d8ef714ab77ed283e35c3d3d89dd8b Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Thu, 12 Mar 2020 16:01:19 +0100 Subject: [PATCH 028/355] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d22601fe..518b9d60 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -72,6 +72,7 @@ Using the relevant options, the scan will change base on the intended goal. - Profiles: unused options removed - Profiles: message is displayed when old format "key:value" is used - Security: the 'nounset' (set -u) parameter is now activated by default +- AUTH-9228 - HP-UX support - AUTH-9266 - skip .pam-old files in /etc/pam.d - AUTH-9282 - fix: temporary variable was overwritten - AUTH-9408 - added support for pam_tally2 to log failed logins From 7c01b9784b8a9ac286525dbaad437d65378101ab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc=20Dequ=C3=A8nes=20=28Duck=29?= Date: Tue, 17 Mar 2020 12:01:21 +0900 Subject: [PATCH 029/355] Fix quote syntax error in manpage Quotes have a special meaning when used at the start of line. --- lynis.8 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lynis.8 b/lynis.8 index 717a6c4a..3d674e74 100644 --- a/lynis.8 +++ b/lynis.8 @@ -122,7 +122,7 @@ line. .TP .B \-\-tests\-from\-category "" Tests are only performed if they belong to the defined category. Use the command -'show categories' to determine all valid options. +\ 'show categories' to determine all valid options. .TP .B \-\-tests\-from\-group "" Similar to \-\-tests\-from\-category. Only perform tests from a particular group. From d1db448c515b9aa5de34bf37c90395b9c9daee4b Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 17 Mar 2020 13:02:59 +0100 Subject: [PATCH 030/355] Skip pacman when it is the game instead of package manager --- CHANGELOG.md | 1 + include/binaries | 7 ++++++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 518b9d60..501729b4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -71,6 +71,7 @@ Using the relevant options, the scan will change base on the intended goal. - Function: PackageIsInstalled extended with pacman support - Profiles: unused options removed - Profiles: message is displayed when old format "key:value" is used +- Binaries: skip pacman when it is the game instead of package manager - Security: the 'nounset' (set -u) parameter is now activated by default - AUTH-9228 - HP-UX support - AUTH-9266 - skip .pam-old files in /etc/pam.d diff --git a/include/binaries b/include/binaries index 0eaf6acb..3f5d72ea 100644 --- a/include/binaries +++ b/include/binaries @@ -216,7 +216,12 @@ ntpq) NTPQBINARY="${BINARY}"; LogText " Found known binary ntpq (time daemon client) - ${BINARY}" ;; osiris) OSIRISBINARY="${BINARY}"; LogText " Found known binary: osiris - ${BINARY}" ;; openssl) OPENSSLBINARY="${BINARY}"; OPENSSLVERSION=$(${BINARY} version 2> /dev/null | head -n 1 | awk '{ print $2 }' | xargs); LogText "Found ${BINARY} (version ${OPENSSLVERSION})" ;; - pacman) PACMANBINARY="${BINARY}"; LogText " Found known binary: pacman (package manager) - ${BINARY}" ;; + pacman) + if [ -z "$(echo "${BINARY}" | grep -E "/usr(/local)?/games")" ]; then + PACMANBINARY="${BINARY}" + LogText " Found known binary: pacman (package manager) - ${BINARY}" + fi + ;; perl) PERLBINARY="${BINARY}"; PERLVERSION=$(${BINARY} -V:version | sed 's/^version=//' | sed 's/;//' | xargs); LogText "Found ${BINARY} (version ${PERLVERSION})" ;; pgrep) PGREPBINARY="${BINARY}"; LogText " Found known binary: pgrep (search in process list) - ${BINARY}" ;; php) PHPBINARY="${BINARY}"; PHPVERSION=$(${BINARY} -v | awk '{ if ($1=="PHP") { print $2 }}' | head -1); LogText "Found known binary: php (programming language interpreter) - ${BINARY} (version ${PHPVERSION})" ;; From 6e3e93d5854960dee1e7516922647c303e4094b8 Mon Sep 17 00:00:00 2001 
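Review bot: When `${BINARY}` matches `/usr(/local)?/games`, the new `pacman)` arm does nothing at all, so an audit log from a system where the game is found first in PATH gives no hint why no package manager was detected; adding `else LogText " Skipping ${BINARY}: located in a games directory, not the package manager"` to the `if` keeps the log self-explanatory. The `[ -z "$(echo "${BINARY}" | grep -E ...)" ]` form also spawns two processes per candidate where `case "${BINARY}" in */usr/games/* | */usr/local/games/*) ... ;; *) PACMANBINARY="${BINARY}" ... ;; esac` does the same match in the shell, the portable idiom patch 025 on this page adopts for a similar substring test. The enclosing `case` over discovered binaries starts and ends outside the hunk.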
From: Michael Boelen Date: Tue, 17 Mar 2020 16:05:14 +0100 Subject: [PATCH 031/355] [PKGS-7388] only perform check for Debian, Mint, Ubuntu --- CHANGELOG.md | 1 + include/tests_ports_packages | 10 +++++++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 258b806e..9535b64a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -106,6 +106,7 @@ Using the relevant options, the scan will change base on the intended goal. - NAME-4408 - corrected Report function call - NETW-3032 - small rewrite of test and extended with addrwatch - PHP-2372 - don't look in the cli configuration files +- PKGS-7388 - only perform check for Debian/Ubuntu/Mint - PKGS-7410 - use multiple package managers when available - PKGS-7410 - added support for Zypper to test number of kernels - PROC-3602 - allow different root directory diff --git a/include/tests_ports_packages b/include/tests_ports_packages index 326bd94f..f2291a03 100644 --- a/include/tests_ports_packages +++ b/include/tests_ports_packages @@ -983,7 +983,15 @@ # # Test : PKGS-7388 # Description : Check security repository in Debian/ubuntu apt sources.list file - if [ -f ${ROOTDIR}etc/apt/sources.list -a -d ${ROOTDIR}etc/apt/sources.list.d ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -f ${ROOTDIR}etc/apt/sources.list -a -d ${ROOTDIR}etc/apt/sources.list.d ]; then + case "${LINUX_VERSION}" in + "Debian" | "Linux Mint" | "Ubuntu") PREQS_MET="YES" ;; + *) + PREQS_MET="NO" + LogText "Skipping test, although sources.list or sources.list.d exists. This specific OS version most likely has no security repository" + ;; + esac + fi Register --test-no PKGS-7388 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check security repository in Debian/ubuntu apt sources.list file" if [ $SKIPTEST -eq 0 ]; then FOUND=0 From eaafbb642e232ba70fa5209df64deae1bf709a7f Mon Sep 17 00:00:00 2001 
From: Michael Boelen Date: Wed, 18 Mar 2020 11:37:06 +0100 Subject: [PATCH 032/355] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9535b64a..ae4fbfc6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -80,6 +80,7 @@ Using the relevant options, the scan will change base on the intended goal. - BANN-7126 - additional words for login banner are accepted - CONT-8106 - support newer 'docker info' output - CRYP-8002 - gather kernel entropy on Linux systems +- FILE-6310 - support for HP-UX - FILE-6374 - changed log and allow root location to be changed - FILE-6374 - corrected condition to find 'defaults' flag in /etc/fstab - FILE-6430 - minor code improvements and show suggestion with more details From cc78713c6a989d974d4403653d0d3f46f51c7882 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 18 Mar 2020 11:43:29 +0100 Subject: [PATCH 033/355] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index ae4fbfc6..65bfdad5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -96,6 +96,7 @@ Using the relevant options, the scan will change base on the intended goal. - INSE-8318 - test for TFTP client tools - INSE-8320 - test for TFTP server tools - INSE-8342 - renamed to INSE-8304 +- KRNL-5788 - don't complain about missing /vmlinuz for Raspi - KRNL-5820 - extended check to include limits.d directory - KRNL-5830 - skip test partially when running non-privileged - LOGG-2154 - added support for rsyslog configurations From bc4146555ceaaf03c924ef9263050d8caee2f580 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Thu, 19 Mar 2020 10:51:02 +0100 Subject: [PATCH 034/355] [PKGS-7388] Only perform test when all conditions are correct --- include/tests_ports_packages | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/include/tests_ports_packages b/include/tests_ports_packages index f2291a03..484607e4 100644 --- a/include/tests_ports_packages 
+++ b/include/tests_ports_packages @@ -982,17 +982,19 @@ ################################################################################# # # Test : PKGS-7388 - # Description : Check security repository in Debian/ubuntu apt sources.list file + # Description : Check security repository in Debian/Ubuntu apt sources.list file + PREQS_MET="NO" if [ -f ${ROOTDIR}etc/apt/sources.list -a -d ${ROOTDIR}etc/apt/sources.list.d ]; then case "${LINUX_VERSION}" in - "Debian" | "Linux Mint" | "Ubuntu") PREQS_MET="YES" ;; + "Debian" | "Linux Mint" | "Ubuntu") + PREQS_MET="YES" + ;; *) - PREQS_MET="NO" LogText "Skipping test, although sources.list or sources.list.d exists. This specific OS version most likely has no security repository" ;; esac fi - Register --test-no PKGS-7388 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check security repository in Debian/ubuntu apt sources.list file" + Register --test-no PKGS-7388 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check security repository in apt sources.list file" if [ $SKIPTEST -eq 0 ]; then FOUND=0 if [ ${OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY} -eq 0 ]; then From e5c1f2f303b1dbf56486369d09f24707ced25acb Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Thu, 19 Mar 2020 11:01:22 +0100 Subject: [PATCH 035/355] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 65bfdad5..72354de0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -121,6 +121,7 @@ Using the relevant options, the scan will change base on the intended goal. - SSH-7408 - changed text in suggestion and report - SSH-7408 - added forced-commands-only option - SSH-7408 - VerifyReverseMapping removed (deprecated) +- SSH-7408 - corrected OpenSSH server version check - STRG-1840 - renamed to USB-1000 - STRG-1842 - added default authorized devices and renamed to USB-2000 - TOOL-5002 - differentiate between a discovered binary and running process From f15fbfa6edf650ad359781008a799a7c5924f0f9 Mon Sep 17 00:00:00 2001 From: Topi Miettinen Date: Thu, 19 Mar 2020 15:12:04 +0200 Subject: [PATCH 036/355] Check if /vmlinuz is missing due to /etc/kernel-img.conf If /etc/kernel-img.conf has the line do_symlinks=No, Debian (probably also Ubuntu) kernel packages will not update /vmlinuz etc. symlinks. In that case, guess the kernel from uname -r. Signed-off-by: Topi Miettinen --- include/tests_kernel | 3 +++ 1 file changed, 3 insertions(+) diff --git a/include/tests_kernel b/include/tests_kernel index 369d3727..225ab5e4 100644 --- a/include/tests_kernel +++ b/include/tests_kernel @@ -395,6 +395,9 @@ elif [ -e ${ROOTDIR}etc/rpi-issue ]; then FINDKERNEL=raspberrypi-kernel LogText "Result: ${ROOTDIR}vmlinuz missing due to Raspbian" + elif `${EGREPBINARY} -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf`; then + FINDKERNEL=linux-image-$(uname -r) + LogText "Result: ${ROOTDIR}vmlinuz missing due to /etc/kernel-img.conf item do_symlinks = No" else LogText "This system is missing ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz. Unable to check whether kernel is up-to-date." ReportSuggestion "${TEST_NO}" "Determine why ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz is missing on this Debian/Ubuntu system." "/vmlinuz or /boot/vmlinuz" From 80a67914c3945a36204e998576fbdf81227f502f Mon Sep 17 00:00:00 2001 
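Review bot: `elif \`${EGREPBINARY} -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf\`; then` wraps the test in backticks, so the shell executes the (empty, because of `-q`) output as a command and the branch only works because POSIX defines an empty command's status as that of its last command substitution, an obscure rule that reads like a bug; the condition should be the command itself, `elif ${EGREPBINARY} -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf 2> /dev/null; then`. Without the `2> /dev/null`, every system that reaches this branch without a kernel-img.conf prints a grep error on stderr. The pattern also matches commented-out lines and is case-sensitive, while the setting is commonly written as `do_symlinks = no` in lower case, so `-i` together with anchoring on `^[[:space:]]*do_symlinks` would be both more robust and less permissive. The if/elif chain starts before the hunk and ends after it.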
From: Topi Miettinen Date: Thu, 19 Mar 2020 15:25:59 +0200 Subject: [PATCH 037/355] Fix logging of running and enabled services Log lines for running and enabled services were mixed up, fix. Signed-off-by: Topi Miettinen --- include/tests_boot_services | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/tests_boot_services b/include/tests_boot_services index 2c239b64..f96afbfb 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services @@ -579,7 +579,7 @@ LogText "Hint: Run systemctl --full --type=service to see all services" Display --indent 2 --text "- Check running services (systemctl)" --result "${STATUS_DONE}" --color GREEN Display --indent 8 --text "Result: found ${COUNT} running services" - LogText "Result: Found ${COUNT} enabled services" + LogText "Result: Found ${COUNT} running services" # Services at boot LogText "Searching for enabled services (systemctl services only)" @@ -594,7 +594,7 @@ LogText "Hint: Run systemctl list-unit-files --type=service to see all services" Display --indent 2 --text "- Check enabled services at boot (systemctl)" --result "${STATUS_DONE}" --color GREEN Display --indent 8 --text "Result: found ${COUNT} enabled services" - LogText "Result: Found ${COUNT} running services" + LogText "Result: Found ${COUNT} enabled services" else From 3aaeeea856f6e939c5b8d50d995e9e3eaa80fb35 Mon Sep 17 00:00:00 2001 From: Topi Miettinen Date: Thu, 19 Mar 2020 15:42:16 +0200 Subject: [PATCH 038/355] Check for rEFInd boot loader Detect rEFInd boot loader (https://www.rodsbooks.com/refind/). Signed-off-by: Topi Miettinen --- db/tests.db | 1 + include/tests_boot_services | 15 +++++++++++++++ 2 files changed, 16 insertions(+) diff --git a/db/tests.db b/db/tests.db index e057c06e..359760b9 100644 --- a/db/tests.db +++ b/db/tests.db 
@@ -57,6 +57,7 @@ BOOT-5102:test:security:boot_services:AIX:Check for AIX boot device: BOOT-5104:test:security:boot_services::Determine service manager: BOOT-5106:test:security:boot_services:MacOS:Check EFI boot file on macOS: BOOT-5108:test:security:boot_services:Linux:Test Syslinux boot loader: +BOOT-5109:test:security:boot_services:Linux:Test rEFInd boot loader: BOOT-5116:test:security:boot_services::Check if system is booted in UEFI mode: BOOT-5117:test:security:boot_services:Linux:Check for systemd-boot boot loader: BOOT-5121:test:security:boot_services::Check for GRUB boot loader presence: diff --git a/include/tests_boot_services b/include/tests_boot_services index 2c239b64..bc8ae321 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services @@ -182,6 +182,21 @@ fi # ################################################################################# +# + # Test : BOOT-5109 + # Description : Check for rEFInd + Register --test-no BOOT-5109 --os "Linux" --weight L --network NO --root-only YES --category security --description "Check rEFInd as bootloader" + if [ ${SKIPTEST} -eq 0 ]; then + BOOT_LOADER_SEARCHED=1 + FileExists ${ROOTDIR}boot/refind_linux.conf + if [ ${FILE_FOUND} -eq 1 ]; then + LogText "Result: found rEFInd" + BOOT_LOADER="rEFInd" + BOOT_LOADER_FOUND=1 + fi + fi +# +################################################################################# # # Test : BOOT-5116 # Description : Check if system is booted in UEFI mode From 00a31c6dbd1b142f5807c5e71997df0a8482acbe Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Thu, 19 Mar 2020 15:29:01 +0100 Subject: [PATCH 039/355] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 72354de0..7d1a5d85 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
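Review bot: The description registered in the tests_boot_services hunk, `--description "Check rEFInd as bootloader"`, differs from the one added to db/tests.db in the same patch, `Test rEFInd boot loader`, and from the comment `# Description : Check for rEFInd`; these strings are what users see in the test listing and report, so they should be one text. `FileExists ${ROOTDIR}boot/refind_linux.conf` should be quoted as `FileExists "${ROOTDIR}boot/refind_linux.conf"`, since ROOTDIR is user-configurable. The test is marked `--root-only YES` although checking for a file name under /boot needs no privilege; if the flag is there only for parity with the other boot-loader tests, a one-line comment saying so would help. I cannot see from the hunk whether a later boot-loader test overwrites BOOT_LOADER when rEFInd and another loader are both present.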
@@ -46,6 +46,7 @@ Using the relevant options, the scan will change base on the intended goal. - New option: --usecwd - run from the current working directory - New profile option: disable-plugin - disables a single plugin - New profile option: ssl-certificate-paths-to-ignore - ignore a path +- New test: BOOT-5109 - Test presence rEFInd boot loader - New test: CRYP-7930 - test for LUKS encryption - New test: CRYP-8004 - presence of hardware random number generator - New test: DBS-1828 - PostgreSQL configuration files From 72e8f572bf51ef9b9e09506624cc0a9f9143a9a9 Mon Sep 17 00:00:00 2001 From: Topi Miettinen Date: Thu, 19 Mar 2020 16:31:20 +0200 Subject: [PATCH 040/355] Harden mount options for /var, check also /dev and /run There should not be any need for char/block devices in /var, so propose nodev. Sockets are not affected. Check also /dev for noexec,nosuid and /run for nodev,nosuid. Historically there was /dev/MAKEDEV script but that's long gone. In case a file system is not found in /etc/fstab, check if they are mounted otherwise (e.g. via systemd mount units). Signed-off-by: Topi Miettinen --- include/tests_filesystems | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/include/tests_filesystems b/include/tests_filesystems index c709a79a..89166aa0 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems 
@@ -555,16 +555,18 @@ # --------------------------------------------------------- # Mount point nodev noexec nosuid # /boot v v v + # /dev v v # /dev/shm v v v # /home v v + # /run v v # /tmp v v v - # /var v + # /var v v # /var/log v v v # /var/log/audit v v v # /var/tmp v v v # --------------------------------------------------------- - FILESYSTEMS_TO_CHECK="/boot:nodev,noexec,nosuid /dev/shm:nosuid,nodev,noexec /home:nodev,nosuid /tmp:nodev,noexec,nosuid /var:nosuid /var/log:nodev,noexec,nosuid /var/log/audit:nodev,noexec,nosuid /var/tmp:nodev,noexec,nosuid" + FILESYSTEMS_TO_CHECK="/boot:nodev,noexec,nosuid /dev:noexec,nosuid /dev/shm:nosuid,nodev,noexec /home:nodev,nosuid /run:nodev,nosuid /tmp:nodev,noexec,nosuid /var:nodev,nosuid /var/log:nodev,noexec,nosuid /var/log/audit:nodev,noexec,nosuid /var/tmp:nodev,noexec,nosuid" Register --test-no FILE-6374 --os Linux --weight L --network NO --category security --description "Linux mount options" if [ ${SKIPTEST} -eq 0 ]; then if [ -f ${ROOTDIR}etc/fstab ]; then @@ -578,9 +580,14 @@ FS_FSTAB="" fi fi + if [ -z "${FS_FSTAB}" ]; then # not found in fstab, check if mounted otherwise + FS_FSTAB=$(mount | ${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($3==fs) { print $6 } }') + FOUND_FLAGS=$(mount | ${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($1~"[^#]" && $3==fs) { print $6 } }' | ${SEDBINARY} 's/,/ /g' | ${TRBINARY} '\n' ' ') + else + FOUND_FLAGS=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($1~"[^#]" && $2==fs) { print $4 } }' ${ROOTDIR}etc/fstab | ${SEDBINARY} 's/,/ /g' | ${TRBINARY} '\n' ' ') + fi if [ -n "${FS_FSTAB}" ]; then # In awk using caret/circumflex as first character between brackets, means 'not' (instead of beginning of line) - FOUND_FLAGS=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($1~"[^#]" && $2==fs) { print $4 } }' ${ROOTDIR}etc/fstab | ${SEDBINARY} 's/,/ /g' | ${TRBINARY} '\n' ' ') LogText "File system: ${FILESYSTEM}" LogText "Expected flags: ${EXPECTED_FLAGS}" LogText "Found flags: ${FOUND_FLAGS}" 
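Review bot: In the new `mount` fallback, `FOUND_FLAGS` is taken from field `$6` of the mount output, which is printed as a parenthesised list such as `(rw,nosuid,nodev)`; after `sed 's/,/ /g'` the first and last options keep their parentheses (`(rw`, `nodev)`), so a flag sitting at either end is unlikely to match `EXPECTED_FLAGS` and the file system is likely reported as missing it even though it is mounted correctly. Stripping the parentheses in the mount branch, e.g. `${SEDBINARY} 's/[(),]/ /g'`, avoids that; the `$1~"[^#]"` filter copied from the fstab branch is meaningless for mount output and can go. `${FILESYSTEM}` is passed unquoted to `awk -v` in all three pipelines; quoting it is cheap. The comparison of expected against found flags sits outside this hunk, so the exact failure mode depends on how it tokenises the string.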
From ddcf9bc713cc38be6dd683888626c0941f14c156 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Thu, 19 Mar 2020 15:52:03 +0100 Subject: [PATCH 041/355] [BOOT-5122] check for defined password in all GRUB configuration files --- CHANGELOG.md | 1 + include/tests_boot_services | 56 ++++++++++++++++++++++--------------- 2 files changed, 35 insertions(+), 22 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7d1a5d85..a61a85b7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -79,6 +79,7 @@ Using the relevant options, the scan will change base on the intended goal. - AUTH-9282 - fix: temporary variable was overwritten - AUTH-9408 - added support for pam_tally2 to log failed logins - BANN-7126 - additional words for login banner are accepted +- BOOT-5122 - check for defined password in all GRUB configuration files - CONT-8106 - support newer 'docker info' output - CRYP-8002 - gather kernel entropy on Linux systems - FILE-6310 - support for HP-UX diff --git a/include/tests_boot_services b/include/tests_boot_services index 5430a76b..f28cc69b 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services 
@@ -331,34 +331,46 @@
 Register --test-no BOOT-5122 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for GRUB boot password"
 if [ ${SKIPTEST} -eq 0 ]; then
 FOUND=0
- LogText "Found file ${GRUBCONFFILE}, proceeding with tests."
- FileIsReadable ${GRUBCONFFILE}
- if [ ${CANREAD} -eq 1 ]; then
- FIND=$(${GREPBINARY} 'password --md5' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#')
- FIND2=$(${GREPBINARY} 'password --encrypted' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#')
- FIND3=$(${GREPBINARY} 'set superusers' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#')
- FIND4=$(${GREPBINARY} 'password_pbkdf2' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#')
- FIND5=$(${GREPBINARY} 'grub.pbkdf2' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#')
- # GRUB1: Password should be set (MD5 or SHA1)
- if [ -n "${FIND}" -o -n "${FIND2}" ]; then
- FOUND=1
- # GRUB2: Superusers AND password should be defined
- elif [ -n "${FIND3}" ]; then
- if [ -n "${FIND4}" -o -n "${FIND5}" ]; then FOUND=1; fi
+
+ CONF_FILES=$(${FINDBINARY} /etc/grub.d -type f -name "[0-9][0-9]*" -print0 | ${TRBINARY} '\0' ' ' | ${TRBINARY} -d '[:cntrl:]')
+ CONF_FILES="${GRUBCONFFILE} ${ROOTDIR}boot/grub/custom.cfg ${CONF_FILES}"
+
+ for FILE in ${CONF_FILES}; do
+ if [ -f "${FILE}" ]; then
+ LogText "Found file ${FILE}, proceeding with tests."
+ if FileIsReadable "${FILE}"; then
+ FIND=$(${GREPBINARY} 'password --md5' ${FILE} | ${GREPBINARY} -v '^#')
+ FIND2=$(${GREPBINARY} 'password --encrypted' ${FILE} | ${GREPBINARY} -v '^#')
+ FIND3=$(${GREPBINARY} 'set superusers' ${FILE} | ${GREPBINARY} -v '^#')
+ FIND4=$(${GREPBINARY} 'password_pbkdf2' ${FILE} | ${GREPBINARY} -v '^#')
+ FIND5=$(${GREPBINARY} 'grub.pbkdf2' ${FILE} | ${GREPBINARY} -v '^#')
+ # GRUB1: Password should be set (MD5 or SHA1)
+ if [ -n "${FIND}" -o -n "${FIND2}" ]; then
+ FOUND=1
+ # GRUB2: Superusers AND password should be defined
+ elif [ -n "${FIND3}" ]; then
+ if [ -n "${FIND4}" -o -n "${FIND5}" ]; then FOUND=1; fi
+ else
+ LogText "Result: did not find hashed password line in this file"
+ fi
+ else
+ LogText "Result: Can not read '${FILE}' (no permission?)"
+ fi
+ else
+ LogText "Result: File '${FILE}' does not exist"
 fi
- if [ ${FOUND} -eq 1 ]; then
+ done
+ if [ ${FOUND} -eq 1 ]; then
 Display --indent 4 --text "- Checking for password protection" --result "${STATUS_OK}" --color GREEN
 LogText "Result: GRUB has password protection."
 AddHP 4 4
- else
- Display --indent 4 --text "- Checking for password protection" --result "${STATUS_NONE}" --color RED
- LogText "Result: Didn't find hashed password line in GRUB boot file!"
- ReportSuggestion "${TEST_NO}" "Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password)"
- AddHP 0 2
- fi
 else
- LogText "Result: Can not read ${GRUBCONFFILE} (no permission)"
+ Display --indent 4 --text "- Checking for password protection" --result "${STATUS_NONE}" --color RED
+ LogText "Result: Didn't find hashed password line in GRUB configuration"
+ ReportSuggestion "${TEST_NO}" "Set a password on GRUB boot loader to prevent altering boot configuration (e.g. 
boot in single user mode without password)"
+ AddHP 0 2
 fi
+ unset CONF_FILES FILE FIND FIND2 FIND3 FIND4 FIND5 FOUND
 fi
 #
 #################################################################################
From fb9cdb5c435963b24ea98a729b133fb7714c1592 Mon Sep 17 00:00:00 2001 From: Topi Miettinen Date: Thu, 19 Mar 2020 19:45:37 +0200 Subject: [PATCH 042/355] Enhance SELinux checks Display and log: permissive types (rules are not enforced), unconfined processes (not confined by rules) and processes with initrc_t type (generic type with weak rules). Signed-off-by: Topi Miettinen --- include/binaries | 3 ++- include/tests_mac_frameworks | 11 +++++++++++ 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/include/binaries b/include/binaries
index 3f5d72ea..a14434a1 100644
--- a/include/binaries
+++ b/include/binaries
@@ -249,7 +249,8 @@
 samhain) SAMHAINBINARY="${BINARY}"; LogText " Found known binary: samhain (integrity tool) - ${BINARY}" ;;
 service) SERVICEBINARY="${BINARY}"; LogText " Found known binary: service (system services) - ${BINARY}" ;;
 sed) SEDBINARY="${BINARY}"; LogText " Found known binary: sed (text stream editor) - ${BINARY}" ;;
- sestatus) SESTATUSBINARY="${BINARY}"; LogText " Found known binary: sestatus (SELinux client) - ${BINARY}" ;;
+ semanage) SEMANAGEBINARY="${BINARY}"; LogText " Found known binary: semanage (SELinux policy management tool) - ${BINARY}" ;;
+ sestatus) SESTATUSBINARY="${BINARY}"; LogText " Found known binary: sestatus (SELinux status tool) - ${BINARY}" ;;
 slocate) LOCATEBINARY="${BINARY}"; LogText " Found known binary: slocate (file database) - ${BINARY}" ;;
 smbd) SMBDBINARY="${BINARY}"; if [ "${OS}" = "macOS" ]; then SMBDVERSION="unknown"; else SMBDVERSION=$(${BINARY} -V | grep "^Version" | awk '{ print $2 }'); fi; LogText "Found ${BINARY} (version ${SMBDVERSION})" ;;
 smtpctl) SMTPCTLBINARY="${BINARY}"; LogText " Found known binary: smtpctl (OpenSMTPD client) - ${BINARY}" ;;
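Review bot: `${FINDBINARY} /etc/grub.d` ignores `${ROOTDIR}` while the very next line prefixes `${ROOTDIR}boot/grub/custom.cfg`, so a scan of a mounted image or alternate root inspects the host's grub.d scripts instead of the target's; use `${FINDBINARY} ${ROOTDIR}etc/grub.d -type f -name "[0-9][0-9]*" -print0`. The readability test now relies on the exit status of `FileIsReadable`, whereas the removed code consulted `${CANREAD}`; if that helper does not return non-zero for an unreadable file, the "Can not read" branch is unreachable and an unreadable config is silently counted as having no password, which is worth confirming against include/functions. `for FILE in ${CONF_FILES}` also word-splits on whitespace in paths, which the `-print0` on the line above was meant to avoid, so the NUL-to-space conversion buys nothing; iterating over `find -exec` or a `while read` loop would keep paths intact.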
diff --git a/include/tests_mac_frameworks b/include/tests_mac_frameworks
index 972bbb8a..aded40d3 100644
--- a/include/tests_mac_frameworks
+++ b/include/tests_mac_frameworks
@@ -152,6 +152,17 @@
 Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_WARNING}" --color RED
 fi
 Display --indent 8 --text "Current SELinux mode: ${FIND}"
+ PERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${TRBINARY} '\n' ' ')
+ NPERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${WCBINARY} --lines)
+ Display --indent 8 --text "Found ${NPERMISSIVE} permissive SELinux object types"
+ LogText "Permissive SELinux object types: ${PERMISSIVE}"
+ UNCONFINED=$(${PSBINARY} -eo label,pid,command | ${GREPBINARY} '[u]nconfined_t' | ${TRBINARY} '\n' ' ')
+ INITRC=$(${PSBINARY} -eo label,pid,command | ${GREPBINARY} '[i]nitrc_t' | ${TRBINARY} '\n' ' ')
+ NUNCONFINED=$(${PSBINARY} -eo label | ${GREPBINARY} '[u]nconfined_t' | ${WCBINARY} --lines)
+ NINITRC=$(${PSBINARY} -eo label | ${GREPBINARY} '[i]nitrc_t' | ${WCBINARY} --lines)
+ Display --indent 8 --text "Found ${NUNCONFINED} unconfined and ${NINITRC} initrc_t processes"
+ LogText "Unconfined processes: ${UNCONFINED}"
+ LogText "Processes with initrc_t type: ${INITRC}"
 else
 LogText "Result: SELinux framework is disabled"
 Display --indent 4 --text "- Checking SELinux status" --result "${STATUS_DISABLED}" --color YELLOW
From 9087de0dacbe3184f8dbe86e1a7525a44dda8473 Mon Sep 17 00:00:00 2001 From: Topi Miettinen Date: Thu, 19 Mar 2020 20:55:23 +0200 Subject: [PATCH 043/355] pam: ignore leading dash PAM rules may have a leading '-' character to indicate that if the module is missing, the error will be ignored, so let's ignore it in the check. Signed-off-by: Topi Miettinen --- plugins/plugin_pam_phase1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/plugin_pam_phase1 b/plugins/plugin_pam_phase1
index 361918de..50a86a6f 100644
--- a/plugins/plugin_pam_phase1
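Review bot: `${SEMANAGEBINARY}` is invoked on the first two added lines without checking that the binary was found, so on an SELinux host without the policy management tooling the pipeline runs a bare `permissive --list --noheading`, prints a command-not-found error on stderr and then displays "Found 0 permissive SELinux object types" as if it had measured them; wrap both lines in `if [ -n "${SEMANAGEBINARY}" ]; then ... fi` and log a skip otherwise. `${WCBINARY} --lines` is a GNU long option; `-l` also works on busybox-based systems. The process listing is collected twice per category, so a single `${PSBINARY} -eo label,pid,command` capture could feed both the logged list and the count. The enclosing SELinux status test starts outside this hunk.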
+++ b/plugins/plugin_pam_phase1 @@ -96,7 +96,7 @@ PAM_CONTROL_OPTIONS="-" PAM_MODULE="-" PAM_MODULE_OPTIONS="-" - PAM_TYPE=$(echo ${LINE} | awk '{ print $1 }') + PAM_TYPE=$(echo ${LINE} | awk '{ print $1 }' | sed 's/^ *-//g') PARSELINE=0 case ${PAM_TYPE} in "@include") From 34ec6a1edf4d52e148916655b5e203c5bebac836 Mon Sep 17 00:00:00 2001 From: Topi Miettinen Date: Thu, 19 Mar 2020 21:17:04 +0200 Subject: [PATCH 044/355] pam: pam_selinux is known good module Signed-off-by: Topi Miettinen --- plugins/plugin_pam_phase1 | 1 + 1 file changed, 1 insertion(+) diff --git a/plugins/plugin_pam_phase1 b/plugins/plugin_pam_phase1 index 361918de..61b8c09b 100644 --- a/plugins/plugin_pam_phase1 +++ b/plugins/plugin_pam_phase1 @@ -271,6 +271,7 @@ pam_securetty) ;; pam_securityserver) ;; pam_self) ;; + pam_selinux) ;; pam_shells) ;; pam_skey) ;; pam_ssh) From 6de9c31cf54c9be5fd7524fc5fcdfa42994a45f6 Mon Sep 17 00:00:00 2001 From: Topi Miettinen Date: Thu, 19 Mar 2020 21:25:50 +0200 Subject: [PATCH 045/355] Fix journalctl output parsing for recent journalctls Process output from journalctl (v245) like: "Archived and active journals take up xxx.xM in the file system." Signed-off-by: Topi Miettinen --- plugins/plugin_systemd_phase1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/plugin_systemd_phase1 b/plugins/plugin_systemd_phase1 index 9d424915..0c73f45d 100644 --- a/plugins/plugin_systemd_phase1 +++ b/plugins/plugin_systemd_phase1 
@@ -176,7 +176,7 @@ if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PLGN-3816 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query journal for boot related information" --progress if [ ${SKIPTEST} -eq 0 ]; then - FIND=`${JOURNALCTLBINARY} --disk-usage | awk '{ if ($1=="Journals") { print $4 }}'` + FIND=`${JOURNALCTLBINARY} --disk-usage | awk '{ if ($1=="Journals") { print $4 } else if ($1=="Archived") { print $7 }}'` Report "journal_disk_size=${FIND}" LogText "Result: journals are ${FIND} in size" fi From 820d2ec60774e558f24f09357827d98d0c766efe Mon Sep 17 00:00:00 2001 From: Topi Miettinen Date: Thu, 19 Mar 2020 23:53:57 +0200 Subject: [PATCH 046/355] Check DNSSEC status with resolvectl when available 'resolvectl statistics' shows if DNSSEC is supported by systemd-resolved and upstream DNS servers. Signed-off-by: Topi Miettinen --- db/tests.db | 1 + include/binaries | 1 + include/tests_networking | 25 +++++++++++++++++++++++++ 3 files changed, 27 insertions(+) diff --git a/db/tests.db b/db/tests.db index 359760b9..e45d2d9a 100644 --- a/db/tests.db +++ b/db/tests.db @@ -283,6 +283,7 @@ NAME-4408:test:security:nameservices::Check localhost to IP mapping: NETW-2600:test:security:networking:Linux:Checking IPv6 configuration: NETW-2704:test:security:networking::Basic nameserver configuration tests: NETW-2705:test:security:networking::Check availability two nameservers: +NETW-2705:test:security:networking::Check DNSSEC status: NETW-3001:test:security:networking::Find default gateway (route): NETW-3004:test:security:networking::Search available network interfaces: NETW-3006:test:security:networking::Get network MAC addresses: diff --git a/include/binaries b/include/binaries index 3f5d72ea..cd91cab1 100644 --- a/include/binaries +++ b/include/binaries 
@@ -239,6 +239,7 @@ python3) PYTHON3BINARY="${BINARY}"; PYTHON3VERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${FILENAME} (programming language interpreter) - ${BINARY} (version ${PYTHON3VERSION})" ;; rcctl) RCCTLBINARY="${BINARY}"; LogText " Found known binary: rcctl (services and daemons configuration and control) - ${BINARY}" ;; readlink) READLINKBINARY="${BINARY}"; LogText " Found known binary: readlink (follows symlinks) - ${BINARY}" ;; + resolvectl) RESOLVECTLBINARY="${BINARY}"; LogText " Found known binary: resolvectl (systemd-resolved DNS resolver manager) - ${BINARY}" ;; rkhunter) RKHUNTERBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: rkhunter (malware scanner) - ${BINARY}" ;; rootsh) ROOTSHBINARY="${BINARY}"; LogText " Found known binary: rootsh (wrapper for shells) - ${BINARY}" ;; rpcinfo) RPCINFOBINARY="${BINARY}"; LogText " Found known binary: rpcinfo (RPC information) - ${BINARY}" ;; diff --git a/include/tests_networking b/include/tests_networking index 51bed912..9f78bca4 100644 --- a/include/tests_networking +++ b/include/tests_networking 
@@ -189,6 +189,31 @@
 fi
 #
 #################################################################################
+#
+ # Test : NETW-2706
+ # Description : Check systemd-resolved and upstream DNSSEC status
+ if [ -n "${RESOLVECTLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no NETW-2706 --preqs-met ${PREQS_MET} --weight L --network YES --category security --description "Check systemd-resolved and upstream DNSSEC status"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ SKIP=0
+ if [ -n "${RESOLVECTLBINARY}" ]; then
+ DNSSEC_STATUS=$(${RESOLVECTLBINARY} statistics | ${AWKBINARY} -F ":" '/DNSSEC supported/ { print $2 }' | ${TRBINARY} -d ' ')
+ if [ "${DNSSEC_STATUS}" = "yes" ]; then
+ Display --indent 4 --text "- DNSSEC supported (systemd-resolved)" --result "${STATUS_OK}" --color GREEN
+ LogText "Result: DNSSEC supported by systemd-resolved and upstream DNS servers"
+ else
+ Display --indent 4 --text "- DNSSEC supported (systemd-resolved)" --result "${STATUS_WARNING}" --color RED
+ LogText "Result: DNSSEC not supported by systemd-resolved or upstream DNS servers"
+ fi
+ else
+ Display --indent 4 --text "- DNSSEC supported (systemd-resolved)" --result "${STATUS_SKIPPED}" --color YELLOW
+ LogText "Result: resolvectl not installed, test can't be fully performed"
+ fi
+ else
+ LogText "Result: Test most likely skipped due to not having resolvectl"
+ fi
+#
+#################################################################################
 #
 # Test : NETW-3001
 # Description : Find default gateway (route)
From 8f37edb62699316e2992a9c768b83cfde17d01ed Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 20 Mar 2020 09:46:08 +0100 Subject: [PATCH 047/355] Update tests.db Corrected test ID --- db/tests.db | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/db/tests.db b/db/tests.db
index e45d2d9a..d051c77d 100644
--- a/db/tests.db
+++ b/db/tests.db
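Review bot: `SKIP=0` is assigned and never read, and the inner `if [ -n "${RESOLVECTLBINARY}" ]` re-tests the condition that set `PREQS_MET` two lines earlier, so its SKIPPED branch and the trailing "most likely skipped" LogText can only run if Register ignores `--preqs-met`, which would be surprising; dropping `SKIP=0` and the redundant branch leaves the `DNSSEC_STATUS` check directly under `if [ ${SKIPTEST} -eq 0 ]`. A negative result is shown as a red warning but no `ReportSuggestion` is recorded, unlike the neighbouring tests, so it never reaches the report file. The test is registered with `--network YES` although `resolvectl statistics` appears to read only local resolver counters; if that flag gates the test in no-network runs, `--network NO` may be the better fit.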
@@ -283,7 +283,7 @@ NAME-4408:test:security:nameservices::Check localhost to IP mapping: NETW-2600:test:security:networking:Linux:Checking IPv6 configuration: NETW-2704:test:security:networking::Basic nameserver configuration tests: NETW-2705:test:security:networking::Check availability two nameservers: -NETW-2705:test:security:networking::Check DNSSEC status: +NETW-2706:test:security:networking::Check DNSSEC status: NETW-3001:test:security:networking::Find default gateway (route): NETW-3004:test:security:networking::Search available network interfaces: NETW-3006:test:security:networking::Get network MAC addresses: From 1f3467f69a8af76bb774011eb9c37aa90ca3cc64 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 20 Mar 2020 09:47:57 +0100 Subject: [PATCH 048/355] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index a61a85b7..981fecb0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -53,6 +53,7 @@ Using the relevant options, the scan will change base on the intended goal. - New test: FINT-4316 - presence of AIDE database and size test - New test: INSE-8314 - test for NIS client - New test: INSE-8316 - test for NIS server +- New test: NETW-2706 - check DNSSEC (systemd) - New test: NETW-3200 - determine avilable network protocols - New test: PROC-3802 - check presence of prelink tooling - New report key: openssh_daemon_running From 626e2a9ab9a1bd2ac65b092e34477cb3c36baf42 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 20 Mar 2020 14:13:21 +0100 Subject: [PATCH 049/355] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 981fecb0..135200bb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -103,6 +103,7 @@ Using the relevant options, the scan will change base on the intended goal. - KRNL-5820 - extended check to include limits.d directory - KRNL-5830 - skip test partially when running non-privileged - LOGG-2154 - added support for rsyslog configurations +- MACF-6234 - SELinux tests extended - MAIL-8804 - replaced static strings with translation-aware strings - MALW-3280 - Kaspersky detection added - MALW-3280 - CrowdStrike falcon-sensor detection added From 38310223a6177a15f556957ab4bf5279bca3d454 Mon Sep 17 00:00:00 2001 
From: Michael Boelen Date: Fri, 20 Mar 2020 14:50:25 +0100 Subject: [PATCH 050/355] Updated date/year --- FAQ | 2 +- INSTALL | 4 ++-- include/binaries | 2 +- include/consts | 2 +- include/data_upload | 2 +- include/functions | 4 ++-- include/helper_audit_dockerfile | 2 +- include/helper_configure | 2 +- include/helper_generate | 2 +- include/helper_show | 2 +- include/helper_system_remote_scan | 2 +- include/helper_update | 2 +- include/osdetection | 2 +- include/parameters | 2 +- include/profiles | 2 +- include/report | 2 +- include/tests_accounting | 4 ++-- include/tests_authentication | 2 +- include/tests_banners | 2 +- include/tests_boot_services | 2 +- include/tests_containers | 4 ++-- include/tests_crypto | 2 +- include/tests_databases | 2 +- include/tests_dns | 2 +- include/tests_file_integrity | 4 ++-- include/tests_file_permissions | 4 ++-- include/tests_filesystems | 2 +- include/tests_firewalls | 2 +- include/tests_hardening | 2 +- include/tests_homedirs | 2 +- include/tests_insecure_services | 2 +- include/tests_kernel | 4 ++-- include/tests_kernel_hardening | 2 +- include/tests_ldap | 2 +- include/tests_logging | 2 +- include/tests_mac_frameworks | 2 +- include/tests_mail_messaging | 2 +- include/tests_malware | 2 +- include/tests_memory_processes | 2 +- include/tests_nameservices | 2 +- include/tests_networking | 2 +- include/tests_php | 2 +- include/tests_ports_packages | 2 +- include/tests_printers_spools | 2 +- include/tests_scheduling | 2 +- include/tests_shells | 4 ++-- include/tests_snmp | 4 ++-- include/tests_squid | 4 ++-- include/tests_ssh | 2 +- include/tests_storage | 4 ++-- include/tests_storage_nfs | 2 +- include/tests_system_integrity | 4 ++-- include/tests_time | 2 +- include/tests_tooling | 2 +- include/tests_virtualization | 2 +- include/tests_webservers | 2 +- include/tool_tips | 2 +- lynis | 8 ++++---- 58 files changed, 73 insertions(+), 73 deletions(-) diff --git a/FAQ b/FAQ index 80f8b934..f2891428 100644 --- a/FAQ +++ b/FAQ 
@@ -98,4 +98,4 @@ ================================================================================ - Lynis - Copyright 2007-2019, Michael Boelen, CISOfy - https://cisofy.com + Lynis - Copyright 2007-2020, Michael Boelen, CISOfy - https://cisofy.com diff --git a/INSTALL b/INSTALL index 1f7784fa..b79a8b35 100644 --- a/INSTALL +++ b/INSTALL @@ -6,7 +6,7 @@ ================================================================================ Author: 2007-2013, Michael Boelen (michael.boelen@cisofy.com) - 2013-2016, CISOfy development team + 2013-now, CISOfy development team Description: Security and system auditing tool Web site: https://cisofy.com Support: See 'Support' and https://cisofy.com/support/ @@ -48,4 +48,4 @@ ================================================================================ - Lynis - Copyright 2007-2019, Michael Boelen, CISOfy - https://cisofy.com + Lynis - Copyright 2007-2020, Michael Boelen, CISOfy - https://cisofy.com diff --git a/include/binaries b/include/binaries index 7c8477e7..89e2fddd 100644 --- a/include/binaries +++ b/include/binaries @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/consts b/include/consts index 9d99f606..ac76f36f 100644 --- a/include/consts +++ b/include/consts @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/data_upload b/include/data_upload index cdc84ff0..6718d6d3 100644 --- a/include/data_upload +++ b/include/data_upload @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com 
diff --git a/include/functions b/include/functions index 7b31cdc3..ed1a58eb 100644 --- a/include/functions +++ b/include/functions @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com @@ -3644,4 +3644,4 @@ #================================================================================ # Lynis is part of Lynis Enterprise and released under GPLv3 license -# Copyright 2007-2019 - Michael Boelen, CISOfy - https://cisofy.com +# Copyright 2007-2020 - Michael Boelen, CISOfy - https://cisofy.com diff --git a/include/helper_audit_dockerfile b/include/helper_audit_dockerfile index a0efca38..05d24c24 100644 --- a/include/helper_audit_dockerfile +++ b/include/helper_audit_dockerfile @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/helper_configure b/include/helper_configure index 4e0dd654..ebd7f706 100644 --- a/include/helper_configure +++ b/include/helper_configure @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/helper_generate b/include/helper_generate index 30044705..67b58b66 100644 --- a/include/helper_generate +++ b/include/helper_generate @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/helper_show b/include/helper_show index fc21ead9..3e1b130c 100644 --- a/include/helper_show +++ b/include/helper_show 
@@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/helper_system_remote_scan b/include/helper_system_remote_scan index 15aaf249..8f9df294 100644 --- a/include/helper_system_remote_scan +++ b/include/helper_system_remote_scan @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/helper_update b/include/helper_update index dedbed4d..cc5f672c 100644 --- a/include/helper_update +++ b/include/helper_update @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/osdetection b/include/osdetection index 5d65aa51..12502e20 100644 --- a/include/osdetection +++ b/include/osdetection @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/parameters b/include/parameters index 2d9ef14d..8668b683 100644 --- a/include/parameters +++ b/include/parameters @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/profiles b/include/profiles index f1bfb326..767f3b79 100644 --- a/include/profiles +++ b/include/profiles @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com 
diff --git a/include/report b/include/report index 815dfd03..29f45643 100644 --- a/include/report +++ b/include/report @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/tests_accounting b/include/tests_accounting index 4d05f4d6..91fca1a0 100644 --- a/include/tests_accounting +++ b/include/tests_accounting @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com @@ -413,4 +413,4 @@ WaitForKeyPress # #================================================================================ -# Lynis - Copyright 2007-2019, Michael Boelen / CISOfy - https://cisofy.com +# Lynis - Copyright 2007-2020, Michael Boelen / CISOfy - https://cisofy.com diff --git a/include/tests_authentication b/include/tests_authentication index a20f8976..02a3bb74 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/tests_banners b/include/tests_banners index 7fa94da6..60fa3c2e 100644 --- a/include/tests_banners +++ b/include/tests_banners @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/tests_boot_services b/include/tests_boot_services index f28cc69b..0b72ab0a 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services 
@@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/tests_containers b/include/tests_containers index cda52da7..a9a18836 100644 --- a/include/tests_containers +++ b/include/tests_containers @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com @@ -226,4 +226,4 @@ WaitForKeyPress # #================================================================================ -# Lynis - Copyright 2007-2019, CISOfy - https://cisofy.com +# Lynis - Copyright 2007-2020, CISOfy - https://cisofy.com diff --git a/include/tests_crypto b/include/tests_crypto index 548ba0a0..6a9cb5f2 100644 --- a/include/tests_crypto +++ b/include/tests_crypto @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/tests_databases b/include/tests_databases index f950fa9c..ace3fd67 100644 --- a/include/tests_databases +++ b/include/tests_databases @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/tests_dns b/include/tests_dns index 7e6109f5..e21a2aef 100644 --- a/include/tests_dns +++ b/include/tests_dns @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/tests_file_integrity b/include/tests_file_integrity index 36201fcf..7a5658ac 100644 --- a/include/tests_file_integrity 
+++ b/include/tests_file_integrity @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com @@ -340,4 +340,4 @@ WaitForKeyPress # #================================================================================ -# Lynis - Copyright 2007-2019 Michael Boelen, CISOfy - https://cisofy.com +# Lynis - Copyright 2007-2020 Michael Boelen, CISOfy - https://cisofy.com diff --git a/include/tests_file_permissions b/include/tests_file_permissions index 35e28753..e9e859fd 100644 --- a/include/tests_file_permissions +++ b/include/tests_file_permissions @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com @@ -72,4 +72,4 @@ WaitForKeyPress # #================================================================================ -# Lynis - Copyright 2007-2019, CISOfy - https://cisofy.com +# Lynis - Copyright 2007-2020, CISOfy - https://cisofy.com diff --git a/include/tests_filesystems b/include/tests_filesystems index c709a79a..502e4227 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/tests_firewalls b/include/tests_firewalls index 67f21020..20f87e1e 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/tests_hardening b/include/tests_hardening index 8b8ae452..2f88b179 100644 --- a/include/tests_hardening 
+++ b/include/tests_hardening @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/tests_homedirs b/include/tests_homedirs index 13a91d86..09f4601c 100644 --- a/include/tests_homedirs +++ b/include/tests_homedirs @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/tests_insecure_services b/include/tests_insecure_services index 61a66066..3bc8dfdf 100644 --- a/include/tests_insecure_services +++ b/include/tests_insecure_services @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/tests_kernel b/include/tests_kernel index 225ab5e4..a308e645 100644 --- a/include/tests_kernel +++ b/include/tests_kernel @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com @@ -792,4 +792,4 @@ WaitForKeyPress # #================================================================================ -# Lynis - Copyright 2007-2019, CISOfy - https://cisofy.com +# Lynis - Copyright 2007-2020, CISOfy - https://cisofy.com diff --git a/include/tests_kernel_hardening b/include/tests_kernel_hardening index 9599a708..59a5f846 100644 --- a/include/tests_kernel_hardening +++ b/include/tests_kernel_hardening @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com 
diff --git a/include/tests_ldap b/include/tests_ldap index 63e26e58..26d11965 100644 --- a/include/tests_ldap +++ b/include/tests_ldap @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/tests_logging b/include/tests_logging index 9c2ae9a6..7f254147 100644 --- a/include/tests_logging +++ b/include/tests_logging @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/tests_mac_frameworks b/include/tests_mac_frameworks index aded40d3..d6d40a6b 100644 --- a/include/tests_mac_frameworks +++ b/include/tests_mac_frameworks @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/tests_mail_messaging b/include/tests_mail_messaging index dbe449af..3a65765c 100644 --- a/include/tests_mail_messaging +++ b/include/tests_mail_messaging @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/tests_malware b/include/tests_malware index d983b17f..a5ed3e06 100644 --- a/include/tests_malware +++ b/include/tests_malware @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/tests_memory_processes b/include/tests_memory_processes index 6c1bf558..0b0fff6f 100644 --- a/include/tests_memory_processes +++ b/include/tests_memory_processes 
@@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/tests_nameservices b/include/tests_nameservices index 59983cac..df41fbc9 100644 --- a/include/tests_nameservices +++ b/include/tests_nameservices @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/tests_networking b/include/tests_networking index 9f78bca4..7c288000 100644 --- a/include/tests_networking +++ b/include/tests_networking @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/tests_php b/include/tests_php index 120b7dcb..a452781a 100644 --- a/include/tests_php +++ b/include/tests_php @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/tests_ports_packages b/include/tests_ports_packages index 484607e4..f63f2793 100644 --- a/include/tests_ports_packages +++ b/include/tests_ports_packages @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/tests_printers_spools b/include/tests_printers_spools index 148bc007..161c9fb3 100644 --- a/include/tests_printers_spools +++ b/include/tests_printers_spools 
@@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/tests_scheduling b/include/tests_scheduling index 98b29932..a7b3f5c2 100644 --- a/include/tests_scheduling +++ b/include/tests_scheduling @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/tests_shells b/include/tests_shells index d4b3d9a3..6f39e1fd 100644 --- a/include/tests_shells +++ b/include/tests_shells @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com @@ -282,4 +282,4 @@ WaitForKeyPress # #================================================================================ -# Lynis - Copyright 2007-2019, CISOfy - http://cisofy.com +# Lynis - Copyright 2007-2020, CISOfy - http://cisofy.com diff --git a/include/tests_snmp b/include/tests_snmp index 6253f542..d8ce450d 100644 --- a/include/tests_snmp +++ b/include/tests_snmp @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com @@ -104,4 +104,4 @@ WaitForKeyPress # #================================================================================ -# Lynis - Copyright 2007-2019 Michael Boelen, CISOfy - https://cisofy.com +# Lynis - Copyright 2007-2020 Michael Boelen, CISOfy - https://cisofy.com diff --git a/include/tests_squid b/include/tests_squid index 075ecbb4..f94befa0 100644 --- a/include/tests_squid +++ b/include/tests_squid 
@@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com @@ -325,4 +325,4 @@ WaitForKeyPress # #================================================================================ -# Lynis - Copyright 2007-2019 Michael Boelen, CISOfy - https://cisofy.com +# Lynis - Copyright 2007-2020 Michael Boelen, CISOfy - https://cisofy.com diff --git a/include/tests_ssh b/include/tests_ssh index 3c1d379a..bd02440c 100644 --- a/include/tests_ssh +++ b/include/tests_ssh @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/tests_storage b/include/tests_storage index 8cf13b78..6de4f15d 100644 --- a/include/tests_storage +++ b/include/tests_storage @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com @@ -77,4 +77,4 @@ WaitForKeyPress # #================================================================================ -# Lynis - Copyright 2007-2019, CISOfy, Michael Boelen - https://cisofy.com +# Lynis - Copyright 2007-2020, CISOfy, Michael Boelen - https://cisofy.com diff --git a/include/tests_storage_nfs b/include/tests_storage_nfs index 3d3ceab5..6aaafc79 100644 --- a/include/tests_storage_nfs +++ b/include/tests_storage_nfs @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/tests_system_integrity b/include/tests_system_integrity index 8b6910c1..7a21925b 100644 --- a/include/tests_system_integrity +++ b/include/tests_system_integrity 
@@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com @@ -51,4 +51,4 @@ WaitForKeyPress # #================================================================================ -# Lynis - Copyright 2007-2019 Michael Boelen, CISOfy - https://cisofy.com +# Lynis - Copyright 2007-2020 Michael Boelen, CISOfy - https://cisofy.com diff --git a/include/tests_time b/include/tests_time index d3bda505..fcbe145b 100644 --- a/include/tests_time +++ b/include/tests_time @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/tests_tooling b/include/tests_tooling index 00c37369..7fed8460 100644 --- a/include/tests_tooling +++ b/include/tests_tooling @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/tests_virtualization b/include/tests_virtualization index 825eefeb..3902defc 100644 --- a/include/tests_virtualization +++ b/include/tests_virtualization @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/tests_webservers b/include/tests_webservers index 54db20d7..188a6031 100644 --- a/include/tests_webservers +++ b/include/tests_webservers @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/tool_tips b/include/tool_tips index 4f2f3b6e..6ff7534e 100644 
--- a/include/tool_tips +++ b/include/tool_tips @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2019, CISOfy +# Copyright 2007-2020, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/lynis b/lynis index f39dd7af..12eea7fb 100755 --- a/lynis +++ b/lynis @@ -43,8 +43,8 @@ PROGRAM_WEBSITE="https://cisofy.com/lynis/" # Version details - PROGRAM_RELEASE_DATE="2019-11-18" - PROGRAM_RELEASE_TIMESTAMP=1574071362 + PROGRAM_RELEASE_DATE="2020-03-20" + PROGRAM_RELEASE_TIMESTAMP=1584711965 PROGRAM_RELEASE_TYPE="pre-release" # pre-release or release PROGRAM_VERSION="3.0.0" @@ -52,7 +52,7 @@ PROGRAM_SOURCE="https://github.com/CISOfy/lynis" PROGRAM_PACKAGE="https://packages.cisofy.com/" PROGRAM_DOCUMENTATION="https://cisofy.com/docs/" - PROGRAM_COPYRIGHT="2007-2019, ${PROGRAM_AUTHOR} - ${PROGRAM_WEBSITE}" + PROGRAM_COPYRIGHT="2007-2020, ${PROGRAM_AUTHOR} - ${PROGRAM_WEBSITE}" PROGRAM_LICENSE="${PROGRAM_NAME} comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under the terms of the GNU General Public License. See the LICENSE file for details about using this software." @@ -1132,4 +1132,4 @@ ${NORMAL} # #================================================================================ -# Lynis - Copyright 2007-2019, Michael Boelen, CISOfy - https://cisofy.com +# Lynis - Copyright 2007-2020, Michael Boelen, CISOfy - https://cisofy.com From 27cdcec7416a4869e166a00432fe880165a831a6 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 20 Mar 2020 14:57:28 +0100 Subject: [PATCH 051/355] Add CentOS 7 (Core) --- db/software-eol.db | 1 + 1 file changed, 1 insertion(+) diff --git a/db/software-eol.db b/db/software-eol.db index 0c185153..d0452616 100644 --- a/db/software-eol.db +++ b/db/software-eol.db 
@@ -23,6 +23,7 @@ os:Arch Linux:2286-11-20:9999999999: os:CentOS release 5:2017-03-31:1490911200: os:CentOS release 6:2020-11-30:1606690800: os:CentOS Linux release 7:2024-06-30:1719698400: +os:CentOS Linux 7 (Core):2024-06-30:1719698400: # # Debian - https://wiki.debian.org/DebianReleases#Production_Releases # From 1f8b5fafde1fb5dd4f8c5231240e3a8cf1afa39f Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 20 Mar 2020 14:57:56 +0100 Subject: [PATCH 052/355] Add OS to 'show eol' and make output easier to parse --- include/helper_show | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/include/helper_show b/include/helper_show index 3e1b130c..b78da175 100644 --- a/include/helper_show +++ b/include/helper_show @@ -265,14 +265,15 @@ if [ $# -gt 0 ]; then fi ;; "eol") + ${ECHOCMD} "Operating-system=${OS_FULLNAME}" if [ ${EOL} -eq 0 ]; then - ${ECHOCMD} "OS end-of-life: No" + ${ECHOCMD} "End-of-life=No" elif [ ${EOL} -eq 1 ]; then - ${ECHOCMD} "OS end-of-life: Yes" + ${ECHOCMD} "End-of-life=Yes" elif [ ${EOL} -eq 255 ]; then - ${ECHOCMD} "OS end-of-life: Not tested" + ${ECHOCMD} "End-of-life=Not tested" else - ${ECHOCMD} "OS end-of-life: Unknown" + ${ECHOCMD} "End-of-life=Unknown" fi ;; "groups") From c2cdf54d0c907268328c692d930c862706fa34e8 Mon Sep 17 00:00:00 2001 From: Topi Miettinen Date: Fri, 20 Mar 2020 19:03:21 +0200 Subject: [PATCH 053/355] Add myself as contributor As requested by Michael Boelen, add my humble name to the list of contributors. Thank you Michael for this great software! Signed-off-by: Topi Miettinen --- CONTRIBUTORS.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CONTRIBUTORS.md b/CONTRIBUTORS.md index 63136d63..419c3e72 100644 --- a/CONTRIBUTORS.md +++ b/CONTRIBUTORS.md @@ -46,6 +46,7 @@ These people made a significant impact to the development of Lynis: * Mikko Lehtisalo, Finland * Steve Bosek, France * Thomas Siebel, Germany +* Topi Miettinen, Finland * Zach Crownover 
From 724acf1be5c2cad92c9ca9ea6e7be0cbdc3a32e5 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 20 Mar 2020 19:33:10 +0100 Subject: [PATCH 054/355] Added CentOS 8 end-of-life --- db/software-eol.db | 1 + 1 file changed, 1 insertion(+) diff --git a/db/software-eol.db b/db/software-eol.db index d0452616..a3aaa93c 100644 --- a/db/software-eol.db +++ b/db/software-eol.db @@ -24,6 +24,7 @@ os:CentOS release 5:2017-03-31:1490911200: os:CentOS release 6:2020-11-30:1606690800: os:CentOS Linux release 7:2024-06-30:1719698400: os:CentOS Linux 7 (Core):2024-06-30:1719698400: +os:CentOS Linux 8 (Core):2029-05-31:1874872800: # # Debian - https://wiki.debian.org/DebianReleases#Production_Releases # From af03c07d9fd81225d8c975c62e352d01e4c88e9a Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 20 Mar 2020 19:39:49 +0100 Subject: [PATCH 055/355] Shortened CentOS 7/8 strings to allow match and added note --- db/software-eol.db | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/db/software-eol.db b/db/software-eol.db index a3aaa93c..eb5353ff 100644 --- a/db/software-eol.db +++ b/db/software-eol.db @@ -9,6 +9,9 @@ # # Date can be converted on Linux using: date "+%s" --date=2020-01-01 # +# Note: Full string for CentOS can be something like 'CentOS Linux 8 (Core)'. +# As this does not properly match, shorter string is used for matching. +# # Amazon Linux # os:Amazon Linux:2020-06-30:1593468000: @@ -22,9 +25,8 @@ os:Arch Linux:2286-11-20:9999999999: # os:CentOS release 5:2017-03-31:1490911200: os:CentOS release 6:2020-11-30:1606690800: -os:CentOS Linux release 7:2024-06-30:1719698400: -os:CentOS Linux 7 (Core):2024-06-30:1719698400: -os:CentOS Linux 8 (Core):2029-05-31:1874872800: +os:CentOS Linux 7:2024-06-30:1719698400: +os:CentOS Linux 8:2029-05-31:1874872800: # # Debian - https://wiki.debian.org/DebianReleases#Production_Releases # From 52344913d3ac3fe1c7120a9c4395d5a3f961e314 Mon Sep 17 00:00:00 2001 
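Review bot: The new comment attributes the failed match to the length of the string, but the visible cause is that field two is consumed as an awk regular expression (osdetection looks entries up with `value ~ $2`), so the parentheses in `(Core)` form a regex group that matches `Core` without the brackets and the entry can never match the detected name. Shortening the entries works, but the note should state the real reason so that future entries avoid metacharacters, e.g. `# Note: field two is matched as an unanchored awk regular expression, so avoid metacharacters such as '(' and ')'; 'CentOS Linux 8 (Core)' cannot match itself.` The same mechanism makes every entry a substring match, so `CentOS Linux 7` also matches any longer name containing it, which is harmless here but worth saying in the header.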
From: Brian Ginsbach Date: Thu, 19 Mar 2020 15:41:35 -0500 Subject: [PATCH 056/355] Add a way to signify undetermined EOL Replace setting an artificaly high date and converted date for operating systems with no EOL (rolling) or the EOL is still to be determined. This makes it easier for humans and saves making a comparison (when using an artifically high converted time) will always be false (EOL=0). An example entry os:AGreatOS 2.0::-1: The converted time (seconds since the epoch) could be specified as zero but this typically means the OS is out of date (now), A value of -1 is a convention indicating no EOL. --- db/software-eol.db | 5 ++++- include/osdetection | 16 ++++++++++------ 2 files changed, 14 insertions(+), 7 deletions(-) diff --git a/db/software-eol.db b/db/software-eol.db index d0452616..124334e9 100644 --- a/db/software-eol.db +++ b/db/software-eol.db @@ -9,6 +9,9 @@ # # Date can be converted on Linux using: date "+%s" --date=2020-01-01 # +# Note: For rolling releases or releases that do not (currently have an +# EOL date, leave field three empty and set field four to -1. +# # Amazon Linux # os:Amazon Linux:2020-06-30:1593468000: @@ -16,7 +19,7 @@ os:Amazon Linux 2:2023-06-26:1687730400: # # Arch Linux # -os:Arch Linux:2286-11-20:9999999999: +os:Arch Linux::-1: # # CentOS # diff --git a/include/osdetection b/include/osdetection index 12502e20..08fd931e 100644 --- a/include/osdetection +++ b/include/osdetection 
@@ -575,13 +575,17 @@
 EOL_TIMESTAMP=$(awk -v value="${FIND}" -F: '{if ($1=="os" && value ~ $2){print $4}}' ${DBDIR}/software-eol.db | head -n 1)
 if [ -n "${EOL_TIMESTAMP}" ]; then
 EOL_DATE=$(awk -v value="${FIND}" -F: '{if ($1=="os" && value ~ $2){print $3}}' ${DBDIR}/software-eol.db | head -n 1)
- NOW=$(date "+%s")
- if [ -n "${NOW}" ]; then
- if [ ${NOW} -gt ${EOL_TIMESTAMP} ]; then
- EOL=1
- else
- EOL=0
+ if [ -n "${EOL_DATE}" ]; then
+ NOW=$(date "+%s")
+ if [ -n "${NOW}" ]; then
+ if [ ${NOW} -gt ${EOL_TIMESTAMP} ]; then
+ EOL=1
+ else
+ EOL=0
+ fi
 fi
+ else
+ EOL=0
 fi
 fi
 fi
From 50fc3f816a87824f0891b25d099b7270743e99fa Mon Sep 17 00:00:00 2001 From: Brian Ginsbach Date: Thu, 19 Mar 2020 15:58:50 -0500 Subject: [PATCH 057/355] Add NetBSD EOL data --- db/software-eol.db | 49 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+)
diff --git a/db/software-eol.db b/db/software-eol.db
index 124334e9..a1eb43c7 100644
--- a/db/software-eol.db
+++ b/db/software-eol.db
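Review bot: The new guard keys on EOL_DATE being empty instead of on the `-1` sentinel that the commit message and the db comment define, so a record with a date but `-1` in field four (or an empty date with a real timestamp) still reaches the numeric comparison, and `[ ${NOW} -gt -1 ]` would then report the OS as end-of-life. Testing the documented sentinel directly keeps the code and the data format in step: `if [ "${EOL_TIMESTAMP}" = "-1" ]; then EOL=0; else` followed by the existing date comparison. The unquoted `${EOL_TIMESTAMP}` in the `-gt` test also turns a malformed db line (non-numeric field four) into a shell error rather than an unknown result; quoting it and checking it is numeric before comparing would let the lookup degrade gracefully. The enclosing function continues outside this hunk.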
@@ -48,6 +48,55 @@ os:FreeBSD 10.4:2018-10-31:0: os:FreeBSD 11.0:2017-11-30:0: os:FreeBSD 11.1:2018-09-30:0: # +# NetBSD - https://www.netbsd.org/support/security/release.html and +# https://www.netbsd.org/releases/formal.html +# +os:NetBSD 2.0:2008-01-19:0: +os:NetBSD 2.0.1:2008-01-19:0: +os:NetBSD 2.0.2:2008-01-19:0: +os:NetBSD 2.0.3:2008-01-19:0: +os:NetBSD 2.1:2008-01-19:0: +os:NetBSD 3.0:2009-09-29:0: +os:NetBSD 3.0.1:2009-09-29:0: +os:NetBSD 3.0.2:2009-09-29:0: +os:NetBSD 3.1:2009-09-29:0: +os:NetBSD 4.0:2012-11-17:0: +os:NetBSD 4.0.1:2012-11-17:0: +os:NetBSD 5.0:2015-11-17:0: +os:NetBSD 5.0.1:2015-10-17:0: +os:NetBSD 5.0.2:2015-10-17:0: +os:NetBSD 5.1:2015-10-17:0: +os:NetBSD 5.1.1:2015-10-17:0: +os:NetBSD 5.1.2:2015-10-17:0: +os:NetBSD 5.1.3:2015-10-17:0: +os:NetBSD 5.1.4:2015-10-17:0: +os:NetBSD 5.1.5:2015-10-17:0: +os:NetBSD 5.2.1:2015-10-17:0: +os:NetBSD 5.2.2:2015-10-17:0: +os:NetBSD 5.2.3:2015-10-17:0: +os:NetBSD 6.0:2017-09-17:0: +os:NetBSD 6.0.1:2017-09-17:0: +os:NetBSD 6.0.2:2017-09-17:0: +os:NetBSD 6.0.3:2017-09-17:0: +os:NetBSD 6.0.4:2017-09-17:0: +os:NetBSD 6.0.5:2017-09-17:0: +os:NetBSD 6.1:2017-09-17:0: +os:NetBSD 6.1.1:2017-09-17:0: +os:NetBSD 6.1.2:2017-09-17:0: +os:NetBSD 6.1.3:2017-09-17:0: +os:NetBSD 6.1.4:2017-09-17:0: +os:NetBSD 6.1.5:2017-09-17:0: +os:NetBSD 7.0:2020-03-14:1584162000: +os:NetBSD 7.0.1:2020-03-14:1584162000: +os:NetBSD 7.0.2:2020-03-14:1584162000: +os:NetBSD 7.1:2020-03-14:1584162000: +os:NetBSD 7.1.1:2020-03-14:1584162000: +os:NetBSD 7.1.1:2020-03-14:1584162000: +os:NetBSD 7.2:2020-03-14:1584162000: +os:NetBSD 8.0::-1: +os:NetBSD 8.1::-1: +os:NetBSD 9.0::-1: +# # OpenBSD - https://en.wikipedia.org/wiki/OpenBSD_version_history # os:OpenBSD 5.8:2016-09-01:0: From 6356b3adb180d05f71514ea91455d513586ae71e Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 20 Mar 2020 19:43:18 +0100 Subject: [PATCH 058/355] Updated log --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
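Review bot: `os:NetBSD 7.1.1:2020-03-14:1584162000:` is added twice; one of the duplicate lines should be dropped. `NetBSD 5.0` is given 2015-11-17 while every other 5.x entry uses 2015-10-17, which looks like a typo and is worth confirming against the linked release page. Since field two is matched by osdetection as an unanchored awk regex, the `NetBSD 7.1` entry already covers `7.1.1` and the dots match any character, so the list could be shorter, but that is cosmetic.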
diff --git a/CHANGELOG.md b/CHANGELOG.md index 135200bb..cb92e253 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -135,10 +135,11 @@ Using the relevant options, the scan will change base on the intended goal. - Use only locations from PATH environment variable, unless it is not defined - Show tip to use 'lynis generate hostids' when host IDs are missing - The 'show changelog' command works again for newer versions -- Improved screen output in several tests - Several code cleanups, simplification of commands, and code standardization - Tests using lsof may ignore individual threads (if supported) +- Corrected end-of-life detection for CentOS 7 and CentOS 8 - Do not show tool tips when quiet option is used +- Improved screen output in several tests - Extended output of 'lynis update info' - Test if profiles are readable - systemd service file adjusted From 32d1155953a04afafdbc31590ff1ae9f840bd37c Mon Sep 17 00:00:00 2001 From: Brian Ginsbach Date: Thu, 19 Mar 2020 17:10:37 -0500 Subject: [PATCH 059/355] Fix uses of non-standard find not operator Use ! rather than the non-standard -not find(1) operator. --- include/tests_authentication | 2 +- plugins/plugin_pam_phase1 | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/include/tests_authentication b/include/tests_authentication index 02a3bb74..b4520035 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -677,7 +677,7 @@ LogText "Result: directory /etc/pam.d exists" Display --indent 2 --text "- PAM configuration files (pam.d)" --result "${STATUS_FOUND}" --color GREEN LogText "Test: searching PAM configuration files" - FIND=$(${FINDBINARY} ${ROOTDIR}etc/pam.d -not -name "*.pam-old" -type f -print | sort) + FIND=$(${FINDBINARY} ${ROOTDIR}etc/pam.d \! -name "*.pam-old" -type f -print | sort) for FILE in ${FIND}; do LogText "Found file: ${FILE}" done diff --git a/plugins/plugin_pam_phase1 b/plugins/plugin_pam_phase1 index 361918de..46f2e67a 100644 
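Review bot: Style: the rewritten pipeline still ends in a bare `sort` while the same line already goes through `${FINDBINARY}`, and the new AUTH-9229 test in this series uses `${SORTBINARY}`; for consistency change the tail to `| ${SORTBINARY})`. The `\!` operator itself is the correct POSIX spelling, so the functional change is fine.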
--- a/plugins/plugin_pam_phase1 +++ b/plugins/plugin_pam_phase1 @@ -77,12 +77,12 @@ if [ -d ${PAM_DIRECTORY} ]; then LogText "Result: ${PAM_DIRECTORY} exists" if [ ! "${OS}" = "FreeBSD" -a ! "${OS}" = "NetBSD" ]; then - FIND_FILES=$(find ${PAM_DIRECTORY} -not -name "*.pam-old" -type f -print) + FIND_FILES=$(find ${PAM_DIRECTORY} \! -name "*.pam-old" -type f -print) else if [ -f ${PAM_DIRECTORY}/README ]; then LogText "Skipped checking ${OS} ${PAM_DIRECTORY}/README as a PAM file" fi - FIND_FILES=$(find ${PAM_DIRECTORY} -not -name "README" -not -name "*.pam-old" -type f -print) + FIND_FILES=$(find ${PAM_DIRECTORY} \! -name "README" \! -name "*.pam-old" -type f -print) fi for PAM_FILE in ${FIND_FILES}; do From 9c5451d29db6d3bba7abe580896f249a8464f6b6 Mon Sep 17 00:00:00 2001 From: Brian Ginsbach Date: Thu, 19 Mar 2020 21:30:10 -0500 Subject: [PATCH 060/355] Make BOOT-5260 Linux only Linux is the only OS with systemd so no need to check for systemd single user mode on other operatings systems. --- include/tests_boot_services | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_boot_services b/include/tests_boot_services index 0b72ab0a..f280cb86 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services @@ -849,7 +849,7 @@ # # Test : BOOT-5260 # Description : Check single user mode for systemd - Register --test-no BOOT-5260 --weight L --network NO --category security --description "Check single user mode for systemd" + Register --test-no BOOT-5260 --os Linux --weight L --network NO --category security --description "Check single user mode for systemd" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Searching /usr/lib/systemd/system/rescue.service" if [ -f ${ROOTDIR}usr/lib/systemd/system/rescue.service ]; then From e98fcb9b73f7f1054e07d920de9b5ac19e30a8a3 Mon Sep 17 00:00:00 2001 
From: Topi Miettinen Date: Fri, 20 Mar 2020 22:26:51 +0200 Subject: [PATCH 061/355] Fix developer profile Initialialize a few variables to let --profile developer.prf pass. Signed-off-by: Topi Miettinen --- include/consts | 2 ++ include/tests_kernel | 1 + 2 files changed, 3 insertions(+) diff --git a/include/consts b/include/consts index ac76f36f..3969aad5 100644 --- a/include/consts +++ b/include/consts @@ -98,6 +98,7 @@ unset LANG DEBSUMSBINARY="" DEVELOPER_MODE=0 DEVOPS_MODE=0 + DIGBINARY="" DISABLED_PLUGINS="" DISCOVERED_BINARIES="" DMIDECODEBINARY="" @@ -148,6 +149,7 @@ unset LANG LOCATEBINARY="" LOGFILE="" LOGDIR="" + LOGROTATEBINARY="" LOGTEXT=1 LSMODBINARY="" LSOFBINARY="" diff --git a/include/tests_kernel b/include/tests_kernel index a308e645..4948e0dd 100644 --- a/include/tests_kernel +++ b/include/tests_kernel @@ -669,6 +669,7 @@ LogText "Result: found ${FOUND_VMLINUZ}" fi + VERSION_ON_DISK="" if [ -L "${FOUND_VMLINUZ}" ]; then LogText "Result: found a symlink, retrieving destination" FOUND_VMLINUZ=$(readlink "${FOUND_VMLINUZ}") From 4a51ad031b371dd60ed79f125fa68b787d31a840 Mon Sep 17 00:00:00 2001 From: Topi Miettinen Date: Sat, 21 Mar 2020 12:50:38 +0200 Subject: [PATCH 062/355] Check password hashing methods Manual page crypt(5) gives recommendations for choosing password hashing methods, so let's check if there are weakly encrypted passwords in the system. Signed-off-by: Topi Miettinen --- db/tests.db | 1 + include/binaries | 1 + include/tests_authentication | 61 ++++++++++++++++++++++++++++++++++++ 3 files changed, 63 insertions(+) diff --git a/db/tests.db b/db/tests.db index d051c77d..fce9a691 100644 --- a/db/tests.db +++ b/db/tests.db 
@@ -22,6 +22,7 @@ AUTH-9218:test:security:authentication:FreeBSD:Check harmful login shells: AUTH-9222:test:security:authentication::Check for non unique groups: AUTH-9226:test:security:authentication::Check non unique group names: AUTH-9228:test:security:authentication::Check password file consistency with pwck: +AUTH-9229:test:security:authentication::Check password hashing methods: AUTH-9234:test:security:authentication::Query user accounts: AUTH-9240:test:security:authentication::Query NIS+ authentication support: AUTH-9242:test:security:authentication::Query NIS authentication support: diff --git a/include/binaries b/include/binaries index 89e2fddd..af5882a5 100644 --- a/include/binaries +++ b/include/binaries @@ -310,6 +310,7 @@ # Test if the basic system tools are defined. These will be used during the audit. [ "${AWKBINARY:-}" ] || ExitFatal "awk binary not found" + [ "${CAT_BINARY:-}" ] || ExitFatal "cat binary not found" [ "${CUTBINARY:-}" ] || ExitFatal "cut binary not found" [ "${EGREPBINARY:-}" ] || ExitFatal "grep binary not found" [ "${FINDBINARY:-}" ] || ExitFatal "find binary not found" diff --git a/include/tests_authentication b/include/tests_authentication index 02a3bb74..9d992d49 100644 --- a/include/tests_authentication +++ b/include/tests_authentication 
@@ -325,6 +325,67 @@ fi # ################################################################################# +# + # Test : AUTH-9229 + # Description : Check password hashing methods vs. recommendations in crypt(5) + # Notes : Applicable to all Unix-like OS + Register --test-no AUTH-9229 --weight L --network NO --category security --description "Check password hashing methods" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: Checking password hashing methods" + if [ -e ${ROOTDIR}etc/shadow ]; then SHADOW=${ROOTDIR}etc/shadow; else SHADOW=""; fi + FIND=$(${CAT_BINARY} ${ROOTDIR}etc/passwd ${SHADOW} | ${AWKBINARY} -F : '{print length($2) ":" $2 }' | while read METHOD; do + case ${METHOD} in + 1:\* | 1:x | 0: | *:!*) + # disabled | shadowed | no password | locked account + ;; + *:\$5\$*| *:\$6\$*) + # sha256crypt | sha512crypt: check number of rounds, should be >5000 + ROUNDS=$(echo "${METHOD}" | sed -n 's/.*rounds=\([0-9]*\)\$.*/\1/gp') + if [ -z "${ROUNDS}" ]; then + echo 'sha256crypt/sha512crypt(default<=5000rounds)' + elif [ "${ROUNDS}" -le 5000 ]; then + echo 'sha256crypt/sha512crypt(<=5000rounds)' + fi + ;; + *:\$y\$* | *:\$gy\$* | *:\$2b\$* | *:\$7\$*) + # yescrypt | gost-yescrypt | bcrypt | scrypt + ;; + *:_*) + echo bsdicrypt + ;; + *:\$1\$*) + echo md5crypt + ;; + *:\$3\$*) + echo NT + ;; + *:\$md5*) + echo SunMD5 + ;; + *:\$sha1*) + echo sha1crypt + ;; + 13:* | 178:*) + echo bigcrypt/descrypt + ;; + *) + echo "Unknown password hashing method ${METHOD}. 
Please report to lynis-dev@cisofy.com" + ;; + esac + done | ${SORTBINARY} --unique | ${TRBINARY} '\n' ' ') + if [ -z "${FIND}" ]; then + Display --indent 2 --text "- Password hashing methods" --result "${STATUS_OK}" --color GREEN + LogText "Result: no poor password hashing methods found" + AddHP 2 2 + else + Display --indent 2 --text "- Password hashing methods" --result "${STATUS_SUGGESTION}" --color YELLOW + LogText "Result: poor password hashing methods found: ${FIND}" + ReportSuggestion "${TEST_NO}" "Change ${ROOTDIR}etc/login.defs password ENCRYPT_METHOD and SHA_CRYPT_MIN_ROUNDS to more secure values, check also PAM configuration, expire passwords to encrypt with new values" + AddHP 0 2 + fi + fi +# +################################################################################# # # Test : AUTH-9234 # Description : Query user accounts From 695eef64ade2ce3413c16ce91105787460d0708b Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sat, 21 Mar 2020 14:09:11 +0100 Subject: [PATCH 063/355] Updated version --- plugins/plugin_pam_phase1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/plugin_pam_phase1 b/plugins/plugin_pam_phase1 index 81c758c1..9aada629 100644 --- a/plugins/plugin_pam_phase1 +++ b/plugins/plugin_pam_phase1 @@ -6,12 +6,12 @@ #----------------------------------------------------- # PLUGIN_AUTHOR=Michael Boelen # PLUGIN_CATEGORY=authentication -# PLUGIN_DATE=2019-07-26 +# PLUGIN_DATE=2020-03-21 # PLUGIN_DESC=PAM # PLUGIN_NAME=pam # PLUGIN_PACKAGE=all # PLUGIN_REQUIRED_TESTS= -# PLUGIN_VERSION=1.0.4 +# PLUGIN_VERSION=1.0.5 #----------------------------------------------------- ######################################################################### # From 26a54991ba6a09f1fcc5f8f68cb9ae64539c8230 Mon Sep 17 00:00:00 2001 From: Topi Miettinen Date: Sat, 21 Mar 2020 14:12:06 +0200 Subject: [PATCH 064/355] Check for software pseudo random number generators Check for running audio-entropyd, havegd or jitterentropy-rngd. 
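Review bot: The `*)` arm echoes the whole `${METHOD}` value, i.e. the complete password hash, into `FIND`, which is then written to the log via `LogText "Result: poor password hashing methods found: ${FIND}"`; hash material should not be copied into the log file, so echo only what is needed to identify the scheme, e.g. `echo "Unknown password hashing method (field length ${METHOD%%:*}). Please report to lynis-dev@cisofy.com"`. Separately, `[ -e ${ROOTDIR}etc/shadow ]` tests existence only: when the file exists but is unreadable (non-root run) `cat` fails on it, every passwd entry classifies as `1:x`, and the test reports `STATUS_OK` with `AddHP 2 2` although no hash was inspected — use `-r`, and log and skip the scoring when shadow cannot be read, or register the test with `--root-only YES`. `read METHOD` should also be `read -r METHOD`, and `${ROOTDIR}etc/passwd ${SHADOW}` deserves quotes like the rest of the file.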
Signed-off-by: Topi Miettinen --- db/tests.db | 3 ++- include/tests_crypto | 26 ++++++++++++++++++++++++-- 2 files changed, 26 insertions(+), 3 deletions(-) diff --git a/db/tests.db b/db/tests.db index d051c77d..76884a45 100644 --- a/db/tests.db +++ b/db/tests.db @@ -87,7 +87,8 @@ CORE-1000:test:performance:system_integrity::Check all system binaries: CRYP-7902:test:security:crypto::Check expire date of SSL certificates: CRYP-7930:test:security:crypto:Linux:Determine if system uses LUKS encryption: CRYP-8002:test:security:crypto:Linux:Gather kernel entropy: -CRYP-8004:test:security:crypto:Linux:Presence of hardware number generator: +CRYP-8004:test:security:crypto:Linux:Presence of hardware random number generators: +CRYP-8005:test:security:crypto:Linux:Presence of software pseudo random number generators: DNS-1600:test:security:dns::Validating that the DNSSEC signatures are checked: DBS-1804:test:security:databases::Checking active MySQL process: DBS-1816:test:security:databases::Checking MySQL root password: diff --git a/include/tests_crypto b/include/tests_crypto index 6a9cb5f2..5c2a0804 100644 --- a/include/tests_crypto +++ b/include/tests_crypto @@ -196,8 +196,8 @@ ################################################################################# # # Test : CRYP-8004 - # Description : Test for presence of random number generators - Register --test-no CRYP-8004 --os Linux --weight L --network NO --root-only NO --category security --description "Presence of random number generators" + # Description : Test for presence of hardware random number generators + Register --test-no CRYP-8004 --os Linux --weight L --network NO --root-only NO --category security --description "Presence of hardware random number generators" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: looking for ${ROOTDIR}sys/class/misc/hw_random/rng_current" if [ -f "${ROOTDIR}sys/class/misc/hw_random/rng_current" ]; then 
@@ -223,6 +223,28 @@ fi # ################################################################################# +# + # Test : CRYP-8005 + # Description : Test for presence of software pseudo random number generators + Register --test-no CRYP-8005 --os Linux --weight L --network NO --root-only NO --category security --description "Presence of software pseudo random number generators" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: looking for software pseudo random number generators" + FOUND="" + for SERVICE in audio-entropyd havegd jitterentropy-rngd; do + if IsRunning "${SERVICE}" --full; then + FOUND="${FOUND} ${SERVICE}" + fi + done + if [ -z "${FOUND}" ]; then + Display --indent 2 --text "- SW prng" --result "${STATUS_NO}" --color YELLOW + ReportSuggestion "${TEST_NO}" "Utilize software pseudo random number generators" + else + Display --indent 2 --text "- SW prng" --result "${STATUS_YES}" --color GREEN + LogText "Result: found ${FOUND} running" + fi + fi +# +################################################################################# # WaitForKeyPress From e0e2096a25a45a3ea03133cb2247a638f564ec49 Mon Sep 17 00:00:00 2001 From: Topi Miettinen Date: Sat, 21 Mar 2020 17:14:55 +0200 Subject: [PATCH 065/355] Enhance AppArmor check Count and log unconfined processes which have no AppArmor profile applied. Signed-off-by: Topi Miettinen --- include/tests_mac_frameworks | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/include/tests_mac_frameworks b/include/tests_mac_frameworks index d6d40a6b..94f2065d 100644 --- a/include/tests_mac_frameworks +++ b/include/tests_mac_frameworks 
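Review bot: The service list names the HAVEGE daemon `havegd`, but the process is called `haveged`, so `IsRunning "${SERVICE}" --full` can never match it and a host relying on it still receives the suggestion; change the loop to `for SERVICE in audio-entropyd haveged jitterentropy-rngd; do`. The not-found branch has no `LogText` counterpart to the found branch, so the log never records why the suggestion was raised — add `LogText "Result: no software pseudo random number generators found running"` before `ReportSuggestion`. Whether a missing userspace entropy daemon warrants a suggestion on every Linux host is debatable, since the hardware source checked in CRYP-8004 may already cover it; consider making the result informational when that test found a generator.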
@@ -75,6 +75,12 @@ Report "apparmor_enabled=1" Report "apparmor_policy_loaded=1" AddHP 3 3 + # ignore kernel threads (Parent PID = 2 [kthreadd]) + NUNCONFINED=$(${PSBINARY} -N --ppid 2 -o label | ${GREPBINARY} '^unconfined' | ${WCBINARY} --lines) + Display --indent 8 --text "Found ${NUNCONFINED} unconfined processes" + for PROCESS in $(${PSBINARY} -N --ppid 2 -o label:1,pid,comm | ${GREPBINARY} '^unconfined' | ${TRBINARY} ' ' ':'); do + LogText "Result: Unconfined process: ${PROCESS}" + done elif [ $? -eq 4 ]; then LogText "Result: Can not determine status, most likely due to lacking permissions" Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_UNKNOWN}" --color RED From f3426697777d87de31d6229ebecd875a2fc2f0c4 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sat, 21 Mar 2020 18:53:05 +0100 Subject: [PATCH 066/355] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index cb92e253..3023dc5b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -49,6 +49,7 @@ Using the relevant options, the scan will change base on the intended goal. - New test: BOOT-5109 - Test presence rEFInd boot loader - New test: CRYP-7930 - test for LUKS encryption - New test: CRYP-8004 - presence of hardware random number generator +- New test: CRYP-8005 - presence of software random number generator - New test: DBS-1828 - PostgreSQL configuration files - New test: FINT-4316 - presence of AIDE database and size test - New test: INSE-8314 - test for NIS client From 044c78452b84758a741855a319c0dade2c64a9b2 Mon Sep 17 00:00:00 2001 From: Brian Ginsbach Date: Thu, 19 Mar 2020 16:38:37 -0500 Subject: [PATCH 067/355] Add AUTH-9234 for NetBSD --- include/tests_authentication | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/include/tests_authentication b/include/tests_authentication index b4520035..2b3fcae3 100644 --- a/include/tests_authentication +++ b/include/tests_authentication 
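Review bot: `${WCBINARY} --lines` uses a GNU long option while the rest of the file uses short flags, and BusyBox `wc` (as far as I know) accepts only `-l`; use `${WCBINARY} -l` for the count. The count also includes the `ps`/`grep`/`wc` pipeline and the lynis shell itself, which are unconfined by nature, so the displayed number is inflated by a few — worth stating in the log line or in a comment. The number is displayed but not reported: add `Report "apparmor_unconfined_processes=${NUNCONFINED}"` next to the `Display` so the value reaches the report like the other AppArmor findings in this block. The `ps` invocation runs twice with the same selection; a single `-o label:1,pid,comm` run piped through `wc -l` and the loop would halve the cost.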
@@ -331,7 +331,7 @@ # Notes : AIX: 100+ # HPUX: 100+ # macOS doesn't have any user info in /etc/passwd, users are managed with opendirectoryd) - # OpenBSD/NetBSD: unknown + # OpenBSD/NetBSD: 1000-60000, excluding 32767 (default) # Arch Linux / CentOS / Ubuntu: 1000+ Register --test-no AUTH-9234 --weight L --network NO --category security --description "Query user accounts" if [ ${SKIPTEST} -eq 0 ]; then @@ -373,6 +373,23 @@ fi ;; + "NetBSD") + if [ -f ${ROOTDIR}etc/usermgmt.conf ]; then + UID_RANGE=$(${GREPBINARY} "^range" ${ROOTDIR}etc/usermgmt.conf | ${AWKBINARY} '{ sub(/\.\./, "-", $2); print $2 }') + fi + if [ -n "${UID_RANGE}" ]; then + LogText "Result: found configured user id range specified: ${UID_RANGE}" + UID_MIN=$(echo $UID_RANGE | ${AWKBINARY} -F- '{ print $1 }') + UID_MAX=$(echo $UID_RANGE | ${AWKBINARY} -F- '{ print $2 }') + else + UID_MIN=1000 + UID_MAX=60000 + LogText "Result: no configured user id range specified; using default ${UID_MIN}-${UID_MAX}" + fi + LogText "NetBSD real users output (ID = 0, or ${UID_MIN}-${UID_MAX}, but not 32767):" + FIND=$(${AWKBINARY} -v UID_MIN="${UID_MIN}" -v UID_MAX="${UID_MAX}" -F: '($3 >= UID_MIN && $3 <= UID_MAX && $3 != 32767) || ($3 == 0) { print $1","$3 }' /etc/passwd) + ;; + "OpenBSD") LogText "OpenBSD real users output (ID = 0, or 1000-60000, but not 32767):" FIND=$(${AWKBINARY} -F: '($3 >= 1000 && $3 <= 60000 && $3 != 32767) || ($3 == 0) { print $1","$3 }' /etc/passwd) From f56c3b5f94c57732ceffe306eb12db4b50df095c Mon Sep 17 00:00:00 2001 From: Brian Ginsbach Date: Sat, 21 Mar 2020 16:16:34 -0500 Subject: [PATCH 068/355] Combine NetBSD and OpenBSD AUTH-9234 check Both NetBSD and OpenBSD have `useradd(8)`, so they can share logic checking `/etc/usermgmt.conf` for the default user UID range. --- include/tests_authentication | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/include/tests_authentication b/include/tests_authentication index 2b3fcae3..9496380b 100644 
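Review bot: `UID_RANGE` is tested with `[ -n "${UID_RANGE}" ]` but is assigned only inside the `if [ -f ${ROOTDIR}etc/usermgmt.conf ]` branch; unless it is initialised in include/consts (not visible here), a host without that file trips the `nounset` default mentioned in the CHANGELOG hunk on this page, or without nounset inherits a stale value from an earlier test. Add `UID_RANGE=""` before the `if`. The config lookup is rooted with `${ROOTDIR}` while the awk reads a bare `/etc/passwd` — use `${ROOTDIR}etc/passwd` there too, and quote `echo "$UID_RANGE"`. The follow-up hunk `@@ -373,7 +373,7 @@` that merges NetBSD and OpenBSD keeps these same lines, so the fix applies there as well.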
--- a/include/tests_authentication +++ b/include/tests_authentication @@ -373,7 +373,7 @@ fi ;; - "NetBSD") + "NetBSD"|"OpenBSD") if [ -f ${ROOTDIR}etc/usermgmt.conf ]; then UID_RANGE=$(${GREPBINARY} "^range" ${ROOTDIR}etc/usermgmt.conf | ${AWKBINARY} '{ sub(/\.\./, "-", $2); print $2 }') fi @@ -386,15 +386,10 @@ UID_MAX=60000 LogText "Result: no configured user id range specified; using default ${UID_MIN}-${UID_MAX}" fi - LogText "NetBSD real users output (ID = 0, or ${UID_MIN}-${UID_MAX}, but not 32767):" + LogText "${OS} real users output (ID = 0, or ${UID_MIN}-${UID_MAX}, but not 32767):" FIND=$(${AWKBINARY} -v UID_MIN="${UID_MIN}" -v UID_MAX="${UID_MAX}" -F: '($3 >= UID_MIN && $3 <= UID_MAX && $3 != 32767) || ($3 == 0) { print $1","$3 }' /etc/passwd) ;; - "OpenBSD") - LogText "OpenBSD real users output (ID = 0, or 1000-60000, but not 32767):" - FIND=$(${AWKBINARY} -F: '($3 >= 1000 && $3 <= 60000 && $3 != 32767) || ($3 == 0) { print $1","$3 }' /etc/passwd) - ;; - "Solaris") LogText "Solaris real users output (ID =0, or 100+, but not 60001/65534):" FIND=$(${AWKBINARY} -F: '($3 >= 100 && $3 != 60001 && $3 != 65534) || ($3 == 0) { print $1","$3 }' /etc/passwd) From 33ba896b41b194ceced8a29910f172f18f4f0644 Mon Sep 17 00:00:00 2001 From: Brian Ginsbach Date: Sat, 21 Mar 2020 19:30:07 -0500 Subject: [PATCH 069/355] Add FreeBSD and NetBSD to AUTH-9268 Add FreeBSD and NetBSD as both support PAM. Simplify the PREQS_MET test by using a case rather than a long if or. --- include/tests_authentication | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/include/tests_authentication b/include/tests_authentication index b4520035..d2a23f9e 100644 --- a/include/tests_authentication +++ b/include/tests_authentication 
@@ -691,8 +691,13 @@ # # Test : AUTH-9268 # Description : Searching available PAM files - # Notes : PAM is used on AIX, FreeBSD, Linux, HPUX, Solaris - if [ ${OS} = "AIX" -o ${OS} = "Linux" -o ${OS} = "HPUX" -o ${OS} = "Solaris" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + # Notes : PAM is used on AIX, FreeBSD, Linux, HPUX, NetBSD, Solaris + case "${OS}" in + "AIX"|"FreeBSD"|"Linux"|"HPUX"|"NetBSD"|"Solaris") + PREQS_MET="YES" ;; + *) + PREQS_MET="NO" ;; + esac Register --test-no AUTH-9268 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking presence pam.d files" if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 From 203a4d34801ec37200d2ec190328f6c27ad71b78 Mon Sep 17 00:00:00 2001 From: Topi Miettinen Date: Sun, 22 Mar 2020 11:18:00 +0200 Subject: [PATCH 070/355] Check IMA/EVM status Check for evmctl (Extended Verification Module) tool and system IMA (Integrity Measurement Architecture) status. Signed-off-by: Topi Miettinen --- db/tests.db | 1 + include/binaries | 1 + include/tests_file_integrity | 22 ++++++++++++++++++++++ 3 files changed, 24 insertions(+) diff --git a/db/tests.db b/db/tests.db index 76884a45..44a9a410 100644 --- a/db/tests.db +++ b/db/tests.db @@ -135,6 +135,7 @@ FINT-4330:test:security:file_integrity::mtree availability: FINT-4334:test:security:file_integrity::Check lfd daemon status: FINT-4336:test:security:file_integrity::Check lfd configuration status: FINT-4338:test:security:file_integrity::osqueryd syscheck daemon running: +FINT-4339:test:security:file_integrity:Linux:Check IMA/EVM Status FINT-4350:test:security:file_integrity::File integrity software installed: FINT-4402:test:security:file_integrity::Checksums (SHA256 or SHA512): FIRE-4502:test:security:firewalls:Linux:Check iptables kernel module: diff --git a/include/binaries b/include/binaries index 89e2fddd..b538eb56 100644 --- a/include/binaries +++ b/include/binaries 
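Review bot: The added record `FINT-4339:test:security:file_integrity:Linux:Check IMA/EVM Status` lacks the trailing colon that every other record in this file carries, so it has one field fewer than its neighbours and a reader that splits on `:` with a fixed field count will mis-parse it; make it `FINT-4339:test:security:file_integrity:Linux:Check IMA/EVM status:` (lower-case `status` also matches the `Register` description). The `FINT-4340` and `FINT-4341` records added in the later tests.db hunk `@@ -136,6 +136,8 @@` have the same omission.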
@@ -157,6 +157,7 @@ xbps-query) XBPSBINARY="${BINARY}"; LogText " Found known binary: xbps (package management) - ${BINARY}" ;; egrep) EGREPBINARY=${BINARY}; LogText " Found known binary: egrep (text search) - ${BINARY}" ;; equery) EQUERYBINARY="${BINARY}"; LogText " Found known binary: query (package manager) - ${BINARY}" ;; + evmctl) EVMCTLBINARY=${BINARY}; LogText " Found known binary: evmctl (IMA/EVM tool) - ${BINARY}" ;; exim) EXIMBINARY="${BINARY}"; EXIMVERSION=$(${BINARY} -bV | grep 'Exim version' | awk '{ print $3 }' | xargs); LogText " Found known binary ${BINARY} (version ${EXIMVERSION})" ;; fail2ban-server) FAIL2BANBINARY="${BINARY}"; LogText " Found known binary: fail2ban (IPS tool) - ${BINARY}" ;; file) FILEBINARY="${BINARY}"; LogText " Found known binary: file (file type detection) - ${BINARY}" ;; diff --git a/include/tests_file_integrity b/include/tests_file_integrity index 7a5658ac..a387c248 100644 --- a/include/tests_file_integrity +++ b/include/tests_file_integrity 
@@ -297,6 +297,28 @@ fi # ################################################################################# +# + # Test : FINT-4339 + # Description : Check IMA/EVM status + if [ ! -z "${EVMCTLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; SKIPREASON="No evmctl binary found"; fi + Register --test-no FINT-4339 --os Linux --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Check IMA/EVM status" + if [ ${SKIPTEST} -eq 0 ]; then + FOUND=0 + if [ -e /sys/kernel/security/ima ]; then + FOUND=$(${CAT_BINARY} /sys/kernel/security/ima) + fi + if [ "${FOUND}" -ne 1 ]; then + LogText "Result: EVM tools found but IMA/EVM disabled" + Display --indent 2 --text "- IMA/EVM (status)" --result "${STATUS_DISABLED}" --color YELLOW + else + LogText "Result: EVM tools found, IMA/EVM enabled" + FILE_INT_TOOL="evmctl" + FILE_INT_TOOL_FOUND=1 + Display --indent 2 --text "- IMA/EVM (status)" --result "${STATUS_ENABLED}" --color GREEN + fi + fi +# +################################################################################# # # Test : FINT-4402 (was FINT-4316) # Description : Check if AIDE is configured to use SHA256 or SHA512 checksums From a067c4211afbf8ced99e20de9b13e8c8526ea9fa Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sun, 22 Mar 2020 15:16:31 +0100 Subject: [PATCH 071/355] Updated log --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3023dc5b..2237cc5e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
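Review bot: `/sys/kernel/security/ima` is a securityfs directory, not a flag file, so `${CAT_BINARY}` on it fails and `FOUND` becomes empty; `[ "" -ne 1 ]` is then a test error (non-zero), the `else` branch runs, and the test reports IMA/EVM as enabled and sets `FILE_INT_TOOL_FOUND=1` on any host that merely has securityfs mounted. Read a file inside that directory instead and guard the numeric comparison; `runtime_measurements_count` is readable and becomes non-zero once IMA has actually measured something, which is a closer enable signal than the directory's presence (confirm against the kernel versions Lynis supports). The path is also not prefixed with `${ROOTDIR}` like the other paths in these hunks, and `EVMCTLBINARY=${BINARY}` in the include/binaries hunk is unquoted where its neighbours quote.
```shell
        FOUND=0
        # securityfs exposes IMA as a directory, not a 0/1 flag file; use the
        # measurement counter as the "active" signal and tolerate an empty read
        COUNT_FILE="${ROOTDIR}sys/kernel/security/ima/runtime_measurements_count"
        if [ -r "${COUNT_FILE}" ]; then
            COUNT=$(${CAT_BINARY} "${COUNT_FILE}" 2> /dev/null)
            case "${COUNT}" in
                ''|0) ;;
                *) FOUND=1 ;;
            esac
        fi
        if [ ${FOUND} -ne 1 ]; then
        # … unchanged: LogText/Display branches …
```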
@@ -77,7 +77,9 @@ Using the relevant options, the scan will change base on the intended goal. - Binaries: skip pacman when it is the game instead of package manager - Security: the 'nounset' (set -u) parameter is now activated by default - AUTH-9228 - HP-UX support +- AUTH-9234 - NetBSD support - AUTH-9266 - skip .pam-old files in /etc/pam.d +- AUTH-9268 - Perform test also on FreeBSD and NetBSD - AUTH-9282 - fix: temporary variable was overwritten - AUTH-9408 - added support for pam_tally2 to log failed logins - BANN-7126 - additional words for login banner are accepted From 8ea39314f2a028bca4ff53842258459c8ca018d3 Mon Sep 17 00:00:00 2001 From: Topi Miettinen Date: Mon, 23 Mar 2020 10:35:38 +0200 Subject: [PATCH 072/355] Check for dm-integrity and dm-verity Detect tools for dm-integrity and dm-verity, check if some devices in /dev/mapper/* use them and especially the system root device. Signed-off-by: Topi Miettinen --- db/tests.db | 2 + include/binaries | 2 + include/tests_file_integrity | 79 ++++++++++++++++++++++++++++++++++++ 3 files changed, 83 insertions(+) diff --git a/db/tests.db b/db/tests.db index 44a9a410..3fc66b9a 100644 --- a/db/tests.db +++ b/db/tests.db @@ -136,6 +136,8 @@ FINT-4334:test:security:file_integrity::Check lfd daemon status: FINT-4336:test:security:file_integrity::Check lfd configuration status: FINT-4338:test:security:file_integrity::osqueryd syscheck daemon running: FINT-4339:test:security:file_integrity:Linux:Check IMA/EVM Status +FINT-4340:test:security:file_integrity:Linux:Check dm-integrity status +FINT-4341:test:security:file_integrity:Linux:Check dm-verity status FINT-4350:test:security:file_integrity::File integrity software installed: FINT-4402:test:security:file_integrity::Checksums (SHA256 or SHA512): FIRE-4502:test:security:firewalls:Linux:Check iptables kernel module: diff --git a/include/binaries b/include/binaries index b538eb56..bae053d2 100644 --- a/include/binaries +++ b/include/binaries 
@@ -176,6 +176,7 @@ httpd2-prefork) HTTPDBINARY=${BINARY}; LogText " Found known binary: apache2 (web server) - ${BINARY}" ;; initctl) INITCTLBINARY=${BINARY}; SERVICE_MANAGER="upstart"; LogText " Found known binary: initctl (client to upstart init) - ${BINARY}" ;; ifconfig) IFCONFIGBINARY="${BINARY}"; LogText " Found known binary: ipconfig (IP configuration) - ${BINARY}" ;; + integritysetup) INTEGRITYSETUPBINARY="${BINARY}"; LogText " Found known binary: integritysetup (dm-integrity setup tool) - ${BINARY}" ;; ip) IPBINARY="${BINARY}"; LogText " Found known binary: ip (IP configuration) - ${BINARY}" ;; ipf) IPFBINARY="${BINARY}"; LogText " Found known binary: ipf (firewall) - ${BINARY}" ;; iptables) IPTABLESBINARY="${BINARY}"; LogText " Found known binary: iptables (firewall) - ${BINARY}" ;; @@ -282,6 +283,7 @@ uname) UNAMEBINARY="${BINARY}"; LogText " Found known binary: uname (operating system details) - ${BINARY}" ;; uniq) UNIQBINARY="${BINARY}"; LogText " Found known binary: uniq (text manipulation utility) - ${BINARY}";; usbguard) USBGUARDBINARY="${BINARY}"; LogText " Found known binary: usbguard (USB security tool) - ${BINARY}" ;; + veritysetup) VERITYSETUPBINARY="${BINARY}"; LogText " Found known binary: veritysetup (dm-verity setup tool) - ${BINARY}" ;; vgdisplay) VGDISPLAYBINARY="${BINARY}"; LogText " Found known binary: vgdisplay (LVM tool) - ${BINARY}" ;; vmtoolsd) VMWARETOOLSDBINARY="${BINARY}"; LogText " Found known binary: vmtoolsd (VMWare tools) - ${BINARY}" ;; wc) WCBINARY="${BINARY}"; LogText " Found known binary: wc (word count) - ${BINARY}" ;; diff --git a/include/tests_file_integrity b/include/tests_file_integrity index a387c248..dc32411d 100644 --- a/include/tests_file_integrity +++ b/include/tests_file_integrity 
@@ -319,6 +319,85 @@ fi # ################################################################################# +# + # Test : FINT-4340 + # Description : Check dm-integrity status + if [ ! -z "${INTEGRITYSETUPBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; SKIPREASON="No integritysetup binary found"; fi + Register --test-no FINT-4340 --os Linux --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Check dm-integrity status" + if [ ${SKIPTEST} -eq 0 ]; then + FOUND=0 + ROOTPROTECTED=0 + ROOTDEVICE=$(${MOUNTBINARY} | ${AWKBINARY} '/ on \/ type / { print $1 }') + for DEVICE in /dev/mapper/*; do + if [ -e "${DEVICE}" ]; then + FIND=$(${INTEGRITYSETUPBINARY} status "${DEVICE}" | ${EGREPBINARY} 'type:.*INTEGRITY') + if [ ! -z "${FIND}" ]; then + FOUND=1 + LogText "Result: found dm-integrity device ${DEVICE}" + if [ "${DEVICE}" = "${ROOTDEVICE}" ]; then + ROOTPROTECTED=1 + fi + fi + fi + done + if [ "${FOUND}" -ne 1 ]; then + LogText "Result: dm-integrity tools found but no active devices" + Display --indent 2 --text "- dm-integrity (status)" --result "${STATUS_DISABLED}" --color WHITE + else + LogText "Result: dm-integrity tools found, active devices" + if [ ${ROOTPROTECTED} -eq 1 ]; then + LogText "Result: root filesystem is protected by dm-integrity" + Display --indent 2 --text "- dm-integrity (status)" --result "${STATUS_ENABLED}" --color GREEN + else + LogText "Result: root filesystem is not protected by dm-integrity but active devices found" + Display --indent 2 --text "- dm-integrity (status)" --result "${STATUS_FOUND}" --color YELLOW + fi + FILE_INT_TOOL="dm-integrity" + FILE_INT_TOOL_FOUND=1 + Display --indent 2 --text "- dm-integrity (status)" --result "${STATUS_ENABLED}" --color GREEN + fi + fi +# +################################################################################# +# + # Test : FINT-4341 + # Description : Check dm-verity status + if [ ! 
-z "${VERITYSETUPBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; SKIPREASON="No veritysetup binary found"; fi + Register --test-no FINT-4341 --os Linux --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Check dm-verity status" + if [ ${SKIPTEST} -eq 0 ]; then + FOUND=0 + ROOTPROTECTED=0 + ROOTDEVICE=$(${MOUNTBINARY} | ${AWKBINARY} '/ on \/ type / { print $1 }') + for DEVICE in /dev/mapper/*; do + if [ -e "${DEVICE}" ]; then + FIND=$(${VERITYSETUPBINARY} status "${DEVICE}" | ${EGREPBINARY} 'type:.*VERITY') + if [ ! -z "${FIND}" ]; then + FOUND=1 + LogText "Result: found dm-verity device ${DEVICE}" + if [ "${DEVICE}" = "${ROOTDEVICE}" ]; then + ROOTPROTECTED=1 + fi + fi + fi + done + if [ "${FOUND}" -ne 1 ]; then + LogText "Result: dm-verity tools found but no active devices" + Display --indent 2 --text "- dm-verity (status)" --result "${STATUS_DISABLED}" --color WHITE + else + LogText "Result: dm-verity tools found, active devices" + if [ ${ROOTPROTECTED} -eq 1 ]; then + LogText "Result: root filesystem is protected by dm-verity" + Display --indent 2 --text "- dm-verity (status)" --result "${STATUS_ENABLED}" --color GREEN + else + LogText "Result: root filesystem is not protected by dm-verity but active devices found" + Display --indent 2 --text "- dm-verity (status)" --result "${STATUS_FOUND}" --color YELLOW + fi + FILE_INT_TOOL="dm-verity" + FILE_INT_TOOL_FOUND=1 + fi + fi +# +################################################################################# # # Test : FINT-4402 (was FINT-4316) # Description : Check if AIDE is configured to use SHA256 or SHA512 checksums From 17ac4d2c1cfc1aa8432401cae834779874d3e734 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 23 Mar 2020 10:44:45 +0100 Subject: [PATCH 073/355] [AUTH-9252] corrected permission check --- CHANGELOG.md | 1 + include/tests_authentication | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) 
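Review bot: In FINT-4340 the found branch ends with an unconditional `Display --indent 2 --text "- dm-integrity (status)" --result "${STATUS_ENABLED}" --color GREEN` after the `if [ ${ROOTPROTECTED} -eq 1 ]` block that already displayed the result, so the line appears twice and a root filesystem without dm-integrity shows a yellow `FOUND` immediately followed by a green `ENABLED`; drop that trailing `Display`, as FINT-4341 correctly does. In both tests `ROOTDEVICE` is taken from `mount` output and compared as a string with the `/dev/mapper/*` path, which presumably misses a root reported as `/dev/dm-N` or via a UUID/LABEL spec — canonicalise both sides (e.g. with `readlink -f`) before comparing. `integritysetup status` and `veritysetup status` on a non-matching device write errors to stderr that are not redirected, so the terminal output gets noisy; add `2> /dev/null` to those calls.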
diff --git a/CHANGELOG.md b/CHANGELOG.md index 2237cc5e..84f15898 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -78,6 +78,7 @@ Using the relevant options, the scan will change base on the intended goal. - Security: the 'nounset' (set -u) parameter is now activated by default - AUTH-9228 - HP-UX support - AUTH-9234 - NetBSD support +- AUTH-9252 - corrected permission check - AUTH-9266 - skip .pam-old files in /etc/pam.d - AUTH-9268 - Perform test also on FreeBSD and NetBSD - AUTH-9282 - fix: temporary variable was overwritten diff --git a/include/tests_authentication b/include/tests_authentication index f0b61ba2..d3f9d3aa 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -509,7 +509,7 @@ if [ -d "${SUDOERS_D}" ]; then LogText "Test: checking drop-in directory (${SUDOERS_D})" FIND=$(${LSBINARY} -ld ${SUDOERS_D} | ${CUTBINARY} -c 2-10) - FIND2=$(${LSBINARY} -nd ${SUDOERS_D} | ${AWKBINARY} '{print $3$4}') + FIND2=$(${LSBINARY} -lnd ${SUDOERS_D} | ${AWKBINARY} '{print $3$4}') LogText "Result: Found directory permissions: ${FIND} and owner UID GID: ${FIND2}" case "${FIND}" in rwx[r-][w-][x-]--- ) @@ -537,7 +537,7 @@ for f in ${SUDO_CONFIG_FILES}; do LogText "Test: checking file (${f})" FIND=$(${LSBINARY} -l ${f} | ${CUTBINARY} -c 2-10) - FIND2=$(${LSBINARY} -n ${f} | ${AWKBINARY} '{print $3$4}') + FIND2=$(${LSBINARY} -ln ${f} | ${AWKBINARY} '{print $3$4}') LogText "Result: Found file permissions: ${FIND} and owner UID GID: ${FIND2}" case "${FIND}" in r[w-]-[r-][w-]---- ) From 410206619aecc57bfd73904252f5f03356533e18 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 23 Mar 2020 11:30:10 +0100 Subject: [PATCH 074/355] Removed restriction for using the plugin and code style improvements --- plugins/plugin_systemd_phase1 | 90 ++++++++++++++++------------------- 1 file changed, 40 insertions(+), 50 deletions(-) diff --git a/plugins/plugin_systemd_phase1 b/plugins/plugin_systemd_phase1 index 0c73f45d..4e183f88 100644 
--- a/plugins/plugin_systemd_phase1 +++ b/plugins/plugin_systemd_phase1 @@ -1,27 +1,17 @@ #!/bin/sh -######################################################################### -# -# This component is part of Lynis Enterprise. No parts may be copied, -# distributed or used without written permission of CISOfy. Users who -# have an active license are permitted to use this component as part -# of the service. This software component may only be used in combination -# with Lynis and Lynis Enterprise. -# -# Copyright 2016, CISOfy - https://cisofy.com -# ######################################################################### # # * DO NOT REMOVE * #----------------------------------------------------- # PLUGIN_AUTHOR=Michael Boelen # PLUGIN_CATEGORY=essentials -# PLUGIN_DATE=2017-04-30 +# PLUGIN_DATE=2020-03-23 # PLUGIN_DESC=Tests related to systemd tooling # PLUGIN_NAME=systemd # PLUGIN_PACKAGE=community # PLUGIN_REQUIRED_TESTS= -# PLUGIN_VERSION=1.0.2 +# PLUGIN_VERSION=1.0.4 #----------------------------------------------------- # ######################################################################### @@ -36,7 +26,7 @@ # # Test : PLGN-3800 # Description : Gather systemctl exit code - if [ ! "${SYSTEMCTLBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${SYSTEMCTLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PLGN-3800 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather systemctl exit code" --progress if [ ${SKIPTEST} -eq 0 ]; then FIND=$(${SYSTEMCTLBINARY} > /dev/null) 
@@ -54,17 +44,17 @@ # Description : Query systemd version and options # Notes : version can also be gathered with systemctl show | grep ^Version= # features with systemctl show | grep ^Features= - if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${SYSTEMCTLBINARY}" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PLGN-3802 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query systemd version and options" --progress if [ ${SKIPTEST} -eq 0 ]; then FIND=$(${SYSTEMCTLBINARY} --version 2> /dev/null | ${AWKBINARY} '{ if ($1=="systemd") { print $2 } }' | grep "^[1-9][0-9][0-9]$" | head -1) - if [ ! "${FIND}" = "" ]; then + if [ -n "${FIND}" ]; then SYSTEMD_VERSION=${FIND} Report "systemd_version=${FIND}" LogText "Result: found systemd version ${FIND}" fi - FIND=`${SYSTEMCTLBINARY} --version 2> /dev/null | grep "^[-+]" | sed 's/[[:space:]]/,/g' | head -1` - if [ ! "${FIND}" = "" ]; then + FIND=$(${SYSTEMCTLBINARY} --version 2> /dev/null | grep "^[-+]" | sed 's/[[:space:]]/,/g' | head -1) + if [ -n "${FIND}" ]; then Report "systemd_builtin_components=${FIND}" LogText "Result: found builtin components list" fi 
@@ -74,11 +64,11 @@ # # Test : PLGN-3804 # Description : Gather all systemd unit files - if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${SYSTEMCTLBINARY}" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PLGN-3804 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather systemd unit files and their status" --progress if [ ${SKIPTEST} -eq 0 ]; then - FIND=`${SYSTEMCTLBINARY} --no-legend list-unit-files 2> /dev/null | ${AWKBINARY} '{ print $1"|"$2"|" }'` - if [ ! "${FIND}" = "" ]; then + FIND=$(${SYSTEMCTLBINARY} --no-legend list-unit-files 2> /dev/null | ${AWKBINARY} '{ print $1"|"$2"|" }') + if [ -n "${FIND}" ]; then LogText "Result: found systemd unit files via systemctl list-unit-files" for I in ${FIND}; do LogText "Output: ${I}" @@ -91,11 +81,11 @@ # # Test : PLGN-3806 # Description : Gather all failed systemd units - if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${SYSTEMCTLBINARY}" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PLGN-3806 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather failed systemd units" --progress if [ ${SKIPTEST} -eq 0 ]; then - FIND=`${SYSTEMCTLBINARY} --no-legend --state=failed 2> /dev/null | ${AWKBINARY} '{ if ($4=="failed" && $5=="failed") { print $2 } }'` - if [ ! "${FIND}" = "" ]; then + FIND=$(${SYSTEMCTLBINARY} --no-legend --state=failed 2> /dev/null | ${AWKBINARY} '{ if ($4=="failed" && $5=="failed") { print $2 } }') + if [ -n "${FIND}" ]; then LogText "Result: found systemd unit files via systemctl list-unit-files" for I in ${FIND}; do LogText "Output: ${I}" 
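Review bot: In the PLGN-3806 hunk the unchanged `LogText "Result: found systemd unit files via systemctl list-unit-files"` is a copy from PLGN-3804 and is wrong for a test that lists failed units; since the surrounding lines are rewritten anyway, make it `LogText "Result: found failed systemd units via systemctl --state=failed"`. The prerequisite checks kept across this file still use the POSIX-obsolescent `-a` inside `[ ]`; `[ -n "${SYSTEMCTLBINARY}" ] && [ ${SYSTEMD_RUNNING} -eq 1 ]` avoids it. Both tests iterate with an unquoted `for I in ${FIND}`, which relies on the awk output containing no whitespace — acceptable for unit names, but worth a comment.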
@@ -108,11 +98,11 @@ # # Test : PLGN-3808 # Description : Gather machine ID - if [ -f /etc/machine-id -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -f ${ROOTDIR}etc/machine-id -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PLGN-3808 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather systemd machine ID" --progress if [ ${SKIPTEST} -eq 0 ]; then - FIND=$(cat /etc/machine-id | head -1) - if [ ! "${FIND}" = "" ]; then + FIND=$(cat ${ROOTDIR}etc/machine-id | head -1) + if [ -n "${FIND}" ]; then SYSTEMD_MACHINEID="${FIND}" LogText "Result: found machine ID: ${SYSTEMD_MACHINEID}" fi @@ -122,11 +112,11 @@ # # Test : PLGN-3810 # Description : Query main systemd binaries - if [ ! "${FINDBINARY}" = "" -a -d /usr/lib/systemd -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${FINDBINARY}" -a -d /usr/lib/systemd -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PLGN-3810 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query main systemd binaries" --progress if [ ${SKIPTEST} -eq 0 ]; then FIND=$(${FINDBINARY} ${ROOTDIR}usr/lib/systemd -maxdepth 1 -type f -name "systemd-*" -printf "%f|") - if [ ! "${FIND}" = "" ]; then + if [ -n "${FIND}" ]; then Report "systemd_binaries=${FIND}" LogText "Result: found systemd binaries in /usr/lib/systemd" else 
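Review bot: PLGN-3808 now roots `etc/machine-id` under `${ROOTDIR}`, but the PLGN-3810 prerequisite still tests a bare `-d /usr/lib/systemd` while the `find` two lines below searches `${ROOTDIR}usr/lib/systemd`, so with a non-default ROOTDIR the test is either skipped or run against a different tree than it checked for; change it to `-d ${ROOTDIR}usr/lib/systemd`. `FIND=$(cat ${ROOTDIR}etc/machine-id | head -1)` can simply be `FIND=$(head -1 ${ROOTDIR}etc/machine-id)`.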
@@ -138,29 +128,29 @@ # # Test : PLGN-3812 # Description : Query journal for boot related information - if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 -a ${SYSTEMD_VERSION} -ge 209 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${JOURNALCTLBINARY}" -a ${SYSTEMD_RUNNING} -eq 1 -a ${SYSTEMD_VERSION} -ge 209 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PLGN-3812 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query journal for boot related information" --progress if [ ${SKIPTEST} -eq 0 ]; then FIND=$(${JOURNALCTLBINARY} --list-boots | wc -l) LogText "Output: number of boots listed in journal is ${FIND}" - if [ ! "${FIND}" = "" ]; then Report "journal_bootlogs=${FIND}"; fi + if [ -n "${FIND}" ]; then Report "journal_bootlogs=${FIND}"; fi FIND=$(${JOURNALCTLBINARY} --list-boots | head -1 | awk '{ print $4 }') LogText "Output: oldest boot date in journal is ${FIND}" - if [ ! "${FIND}" = "" ]; then Report "journal_oldest_bootdate=${FIND}"; fi + if [ -n "${FIND}" ]; then Report "journal_oldest_bootdate=${FIND}"; fi fi # ################################################################################# # # Test : PLGN-3814 # Description : Journal integrity - if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${JOURNALCTLBINARY}" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PLGN-3814 --preqs-met ${PREQS_MET} --weight L --network NO --description "Verify journal integrity" --progress if [ ${SKIPTEST} -eq 0 ]; then FIND=$(${JOURNALCTLBINARY} --verify 2>&1 | grep FAIL | sed 's/[[:space:]]/:space:/g') - if [ ! "${FIND}" = "" ]; then + if [ -n "${FIND}" ]; then Report "journal_contains_errors=1" for I in ${FIND}; do - LINE=`echo ${I} | sed 's/:space:/ /g'` + LINE=$(echo ${I} | sed 's/:space:/ /g') LogText "Output (fails): ${LINE}" done else 
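Review bot: In PLGN-3812 `FIND=$(${JOURNALCTLBINARY} --list-boots | wc -l)` always produces a number (0 when journalctl fails or prints nothing), so the new `if [ -n "${FIND}" ]` guard can never skip the Report and a failing journalctl is recorded as `journal_bootlogs=0`. Capture the listing first so an empty result is distinguishable: `BOOTS=$(${JOURNALCTLBINARY} --list-boots 2> /dev/null)` followed by `if [ -n "${BOOTS}" ]; then FIND=$(printf '%s\n' "${BOOTS}" | wc -l); Report "journal_bootlogs=${FIND}"; fi`. The same dead guard applies to `journal_oldest_bootdate`, which derives from the same command.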
@@ -173,10 +163,10 @@ # # Test : PLGN-3816 # Description : Journal sizing - if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${JOURNALCTLBINARY}" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PLGN-3816 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query journal for boot related information" --progress if [ ${SKIPTEST} -eq 0 ]; then - FIND=`${JOURNALCTLBINARY} --disk-usage | awk '{ if ($1=="Journals") { print $4 } else if ($1=="Archived") { print $7 }}'` + FIND=$(${JOURNALCTLBINARY} --disk-usage | awk '{ if ($1=="Journals") { print $4 } else if ($1=="Archived") { print $7 }}') Report "journal_disk_size=${FIND}" LogText "Result: journals are ${FIND} in size" fi @@ -185,10 +175,10 @@ # # Test : PLGN-3818 # Description : Journal meta data - if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${JOURNALCTLBINARY}" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PLGN-3818 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query journal meta data" --progress if [ ${SKIPTEST} -eq 0 ]; then - FIND=`${JOURNALCTLBINARY} --header | sed 's/^$/|/g' | tr '\n' ',' | sed 's/[[:space:]]//g'` + FIND=$(${JOURNALCTLBINARY} --header | sed 's/^$/|/g' | tr '\n' ',' | sed 's/[[:space:]]//g') Report "journal_meta_data=${FIND}" fi # 
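Review bot: The PLGN-3816 Register line carries `--description "Query journal for boot related information"`, which is the PLGN-3812 description copied over, although the test comment and the `journal_disk_size` report key show this test measures journal sizing. Since the hunk already touches the neighbouring lines, correct it to `--description "Query journal disk usage"`. The PLGN-3818 hunk below is unaffected.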
@@ -196,7 +186,7 @@ # # Test : PLGN-3820 # Description : Journal FSS (Forward Secure Sealing) configuration - if [ ! "${JOURNALCTLBINARY}" = "" -a ! "${SYSTEMD_MACHINEID}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${JOURNALCTLBINARY}" -a -n "${SYSTEMD_MACHINEID}" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PLGN-3820 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for journal FSS configuration" --progress if [ ${SKIPTEST} -eq 0 ]; then FILE="/var/log/journal/${SYSTEMD_MACHINEID}/fss" @@ -211,11 +201,11 @@ # # Test : PLGN-3830 # Description : Query systemd status - if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 -a ${SYSTEMD_VERSION} -ge 215 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${SYSTEMCTLBINARY}" -a ${SYSTEMD_RUNNING} -eq 1 -a ${SYSTEMD_VERSION} -ge 215 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PLGN-3830 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query systemd status" --progress if [ ${SKIPTEST} -eq 0 ]; then FIND=$(${SYSTEMCTLBINARY} is-system-running 2> /dev/null | head -1) - if [ ! "${FIND}" = "" ]; then + if [ -n "${FIND}" ]; then Report "systemd_status=${FIND}" LogText "Result: found systemd status = ${FIND}" fi @@ -228,8 +218,8 @@ if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PLGN-3832 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query systemd status for processes which can not be found" --progress if [ ${SKIPTEST} -eq 0 ]; then - FIND=`${SYSTEMCTLBINARY} --no-legend --all --state=not-found 2> /dev/null | awk '{ print $1 }'` - if [ ! "${FIND}" = "" ]; then + FIND=$(${SYSTEMCTLBINARY} --no-legend --all --state=not-found 2> /dev/null | awk '{ print $1 }') + if [ -n "${FIND}" ]; then for I in ${FIND}; do Report "systemd_unit_not_found[]=${I}" done 
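Review bot: The PLGN-3832 hunk opens with the context line `if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]`, which is the one prerequisite in this file the cleanup leaves in the old form, so after the commit the plugin mixes both styles. For consistency with the other hunks change it to `if [ -n "${SYSTEMCTLBINARY}" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi`. The `for I in ${FIND}` loop in that hunk continues past the hunk's last line.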
@@ -240,11 +230,11 @@ # # Test : PLGN-3834 # Description : Gather units from systemd which can not be found - if [ ! "${SYSTEMCTLBINARY}" = "" -a ! "${AWKBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${SYSTEMCTLBINARY}" -a -n "${AWKBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PLGN-3834 --preqs-met ${PREQS_MET} --weight L --network NO --description "Collect service units which can not be found in systemd" --progress if [ ${SKIPTEST} -eq 0 ]; then - FIND=`${SYSTEMCTLBINARY} list-units -t service --all | ${AWKBINARY} '{ if ($3=="not-found") { print $2 }}'` - if [ ! "${FIND}" = "" ]; then + FIND=$(${SYSTEMCTLBINARY} list-units -t service --all | ${AWKBINARY} '{ if ($3=="not-found") { print $2 }}') + if [ -n "${FIND}" ]; then LogText "Result: found one or more services with faulty state" for I in ${FIND}; do LogText "Result: service seems to be faulty (not-found) ${I}" @@ -261,8 +251,8 @@ Register --test-no PLGN-3856 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check if systemd-coredump is used" --progress if [ ${SKIPTEST} -eq 0 ]; then SYSTEMD_COREDUMP_USED=1 - FIND=`cat /proc/sys/kernel/core_pattern | grep systemd-coredump` - if [ ! "${FIND}" = "" ]; then + FIND=$(cat /proc/sys/kernel/core_pattern | grep systemd-coredump) + if [ -n "${FIND}" ]; then LogText "Result: systemd uses systemd-coredump to handle coredumps" Report "systemd_coredump_used=1" fi 
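Review bot: In the PLGN-3856 hunk `SYSTEMD_COREDUMP_USED=1` is assigned unconditionally before the core_pattern check and nothing in the hunk resets it when `grep systemd-coredump` finds nothing, so unless it is cleared outside the hunk the PLGN-3860 prerequisite `${SYSTEMD_COREDUMP_USED} -eq 1` is met even when systemd-coredump is not the configured handler. Initialise it with `SYSTEMD_COREDUMP_USED=0` and move `SYSTEMD_COREDUMP_USED=1` inside the `if [ -n "${FIND}" ]` branch next to the Report line. The pipeline can also read the file directly: `FIND=$(grep systemd-coredump /proc/sys/kernel/core_pattern)`.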
@@ -278,11 +268,11 @@ # # Test : PLGN-3860 # Description : Query coredumps from journalctl since Yesterday - if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_COREDUMP_USED} -eq 1 -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ -n "${JOURNALCTLBINARY}" -a ${SYSTEMD_COREDUMP_USED} -eq 1 -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PLGN-3860 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query coredumps from journals since Yesterday" --progress if [ ${SKIPTEST} -eq 0 ]; then FIND=$(${JOURNALCTLBINARY} SYSLOG_IDENTIFIER=systemd-coredump --since=yesterday -o cat 2> /dev/null) - if [ ! "${FIND}" = "" ]; then + if [ -n "${FIND}" ]; then Report "journal_coredumps_lastday=1" LogText "Result: found recent coredumps" else From 4e35b91ab2de333a8b9027a564a8f3a2f59cf743 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 23 Mar 2020 12:50:31 +0100 Subject: [PATCH 075/355] Updated log --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 84f15898..639e23e1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -46,7 +46,8 @@ Using the relevant options, the scan will change base on the intended goal. - New option: --usecwd - run from the current working directory - New profile option: disable-plugin - disables a single plugin - New profile option: ssl-certificate-paths-to-ignore - ignore a path -- New test: BOOT-5109 - Test presence rEFInd boot loader +- New test: AUTH-9229 - check used password hashing methods +- New test: BOOT-5109 - test presence rEFInd boot loader - New test: CRYP-7930 - test for LUKS encryption - New test: CRYP-8004 - presence of hardware random number generator - New test: CRYP-8005 - presence of software random number generator From 17bbaa8f7a54b30fdda8cf367593964a31ddcda6 Mon Sep 17 00:00:00 2001 
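Review bot: The PLGN-3860 check `if [ -n "${FIND}" ]` treats any stdout from `journalctl ... -o cat` as evidence of a coredump; if the installed journalctl prints its `-- No entries --` placeholder on stdout for this invocation (this varies by version, so confirm locally), every run reports `journal_coredumps_lastday=1`. Adding the quiet flag suppresses those informational lines: `FIND=$(${JOURNALCTLBINARY} -q SYSLOG_IDENTIFIER=systemd-coredump --since=yesterday -o cat 2> /dev/null)`. The else branch at the end of the hunk continues outside it.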
From: Michael Boelen Date: Mon, 23 Mar 2020 13:19:10 +0100 Subject: [PATCH 076/355] [AUTH-9229] make test only available for root --- include/tests_authentication | 80 ++++++++++++++++++------------------ 1 file changed, 41 insertions(+), 39 deletions(-) diff --git a/include/tests_authentication b/include/tests_authentication index 0cc831ad..d8efe6e2 100644 --- a/include/tests_authentication +++ b/include/tests_authentication 
@@ -329,50 +329,52 @@ # Test : AUTH-9229 # Description : Check password hashing methods vs. recommendations in crypt(5) # Notes : Applicable to all Unix-like OS - Register --test-no AUTH-9229 --weight L --network NO --category security --description "Check password hashing methods" + # Requires read access to /etc/shadow (if it exists) + Register --test-no AUTH-9229 --root-only YES --weight L --network NO --category security --description "Check password hashing methods" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking password hashing methods" - if [ -e ${ROOTDIR}etc/shadow ]; then SHADOW=${ROOTDIR}etc/shadow; else SHADOW=""; fi - FIND=$(${CAT_BINARY} ${ROOTDIR}etc/passwd ${SHADOW} | ${AWKBINARY} -F : '{print length($2) ":" $2 }' | while read METHOD; do - case ${METHOD} in - 1:\* | 1:x | 0: | *:!*) - # disabled | shadowed | no password | locked account - ;; - *:\$5\$*| *:\$6\$*) - # sha256crypt | sha512crypt: check number of rounds, should be >5000 - ROUNDS=$(echo "${METHOD}" | sed -n 's/.*rounds=\([0-9]*\)\$.*/\1/gp') - if [ -z "${ROUNDS}" ]; then - echo 'sha256crypt/sha512crypt(default<=5000rounds)' - elif [ "${ROUNDS}" -le 5000 ]; then - echo 'sha256crypt/sha512crypt(<=5000rounds)' - fi - ;; - *:\$y\$* | *:\$gy\$* | *:\$2b\$* | *:\$7\$*) - # yescrypt | gost-yescrypt | bcrypt | scrypt - ;; - *:_*) - echo bsdicrypt - ;; - *:\$1\$*) - echo md5crypt - ;; - *:\$3\$*) - echo NT - ;; - *:\$md5*) - echo SunMD5 - ;; - *:\$sha1*) - echo sha1crypt - ;; - 13:* | 178:*) - echo bigcrypt/descrypt - ;; + SHADOW=""; + if [ -e ${ROOTDIR}etc/shadow ]; then SHADOW="${ROOTDIR}etc/shadow"; fi + FIND=$(${CAT_BINARY} ${ROOTDIR}etc/passwd ${SHADOW} | ${AWKBINARY} -F : '{print length($2) ":" $2 }' | while read METHOD; do + case ${METHOD} in + 1:\* | 1:x | 0: | *:!*) + # disabled | shadowed | no password | locked account + ;; + *:\$5\$*| *:\$6\$*) + # sha256crypt | sha512crypt: check number of rounds, should be >5000 + ROUNDS=$(echo "${METHOD}" | sed -n 
's/.*rounds=\([0-9]*\)\$.*/\1/gp') + if [ -z "${ROUNDS}" ]; then + echo 'sha256crypt/sha512crypt(default<=5000rounds)' + elif [ "${ROUNDS}" -le 5000 ]; then + echo 'sha256crypt/sha512crypt(<=5000rounds)' + fi + ;; + *:\$y\$* | *:\$gy\$* | *:\$2b\$* | *:\$7\$*) + # yescrypt | gost-yescrypt | bcrypt | scrypt + ;; + *:_*) + echo bsdicrypt + ;; + *:\$1\$*) + echo md5crypt + ;; + *:\$3\$*) + echo NT + ;; + *:\$md5*) + echo SunMD5 + ;; + *:\$sha1*) + echo sha1crypt + ;; + 13:* | 178:*) + echo bigcrypt/descrypt + ;; *) echo "Unknown password hashing method ${METHOD}. Please report to lynis-dev@cisofy.com" ;; - esac - done | ${SORTBINARY} --unique | ${TRBINARY} '\n' ' ') + esac + done | ${SORTBINARY} --unique | ${TRBINARY} '\n' ' ') if [ -z "${FIND}" ]; then Display --indent 2 --text "- Password hashing methods" --result "${STATUS_OK}" --color GREEN LogText "Result: no poor password hashing methods found" From 08f57c557d78f580e19971c6a7f99a5a99b00bf9 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 23 Mar 2020 13:20:41 +0100 Subject: [PATCH 077/355] Updated log --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 639e23e1..86959483 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -53,6 +53,8 @@ Using the relevant options, the scan will change base on the intended goal. - New test: CRYP-8005 - presence of software random number generator - New test: DBS-1828 - PostgreSQL configuration files - New test: FINT-4316 - presence of AIDE database and size test +- New test: FINT-4340 - check dm-integrity status (Linux) +- New test: FINT-4341 - verify status of dm-verity (Linux) - New test: INSE-8314 - test for NIS client - New test: INSE-8316 - test for NIS server - New test: NETW-2706 - check DNSSEC (systemd) From 7d1fe1231a564a30f5a926b5eadb38dc3e22de86 Mon Sep 17 00:00:00 2001 
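Review bot: The fallthrough arm `echo "Unknown password hashing method ${METHOD}. Please report to lynis-dev@cisofy.com"` writes the complete hash field read from the shadow file into FIND, and the AUTH-9230 hunk further down this page shows FIND then going to `LogText "Result: poor password hashing methods found: ${FIND}"` and the suggestion, so secret hash material lands in the log and report files, which are typically less protected than the shadow file — and with `--root-only YES` the shadow file is now always readable. Echo only what identifies the scheme, e.g. `echo "Unknown password hashing method (length ${METHOD%%:*}). Please report to lynis-dev@cisofy.com"`, which keeps the length prefix and drops the hash. Separately, `while read METHOD` should be `while read -r METHOD` so backslashes in a hash string are not interpreted by read. The if/else that consumes FIND continues past the end of the hunk.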
From: Michael Boelen Date: Mon, 23 Mar 2020 14:29:47 +0100 Subject: [PATCH 078/355] [CRYP-8005] added haveged, match against process name instead of full command line, code cleanup --- include/tests_crypto | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/include/tests_crypto b/include/tests_crypto index 5c2a0804..09507aac 100644 --- a/include/tests_crypto +++ b/include/tests_crypto @@ -229,13 +229,13 @@ Register --test-no CRYP-8005 --os Linux --weight L --network NO --root-only NO --category security --description "Presence of software pseudo random number generators" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: looking for software pseudo random number generators" - FOUND="" - for SERVICE in audio-entropyd havegd jitterentropy-rngd; do - if IsRunning "${SERVICE}" --full; then - FOUND="${FOUND} ${SERVICE}" - fi - done - if [ -z "${FOUND}" ]; then + FOUND="" + for SERVICE in audio-entropyd havegd haveged jitterentropy-rngd; do + if IsRunning "${SERVICE}"; then + FOUND="${FOUND} ${SERVICE}" + fi + done + if [ -z "${FOUND}" ]; then Display --indent 2 --text "- SW prng" --result "${STATUS_NO}" --color YELLOW ReportSuggestion "${TEST_NO}" "Utilize software pseudo random number generators" else From 1e74f9be9a0c010ea63b7b0dd7d59d9933eb06c1 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 23 Mar 2020 15:55:40 +0100 Subject: [PATCH 079/355] Fixed 'lynis show details' output --- include/helper_show | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/helper_show b/include/helper_show index b78da175..e251aad0 100644 --- a/include/helper_show +++ b/include/helper_show @@ -245,7 +245,7 @@ if [ $# -gt 0 ]; then shift if [ $# -eq 1 ]; then TESTID="$1" - awk -v search="Performing test ID $TESTID" '$0 ~ search {++f;p=1}p&&f==1;/===---/{p=0}' ${LOGFILE} + awk -v search="Performing test ID $TESTID" '$0 ~ search {++f;p=1}p&&f==1;/====/{p=0}' ${LOGFILE} fi fi ;; 
From 7bba7bd4af22a959a1a058e76bb4689f748491a6 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 23 Mar 2020 16:13:39 +0100 Subject: [PATCH 080/355] Removed incorrect process name from list, enable --full as it is required for matching jitterentropy-rngd --- include/tests_crypto | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/include/tests_crypto b/include/tests_crypto index 09507aac..466f6b52 100644 --- a/include/tests_crypto +++ b/include/tests_crypto @@ -230,8 +230,9 @@ if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: looking for software pseudo random number generators" FOUND="" - for SERVICE in audio-entropyd havegd haveged jitterentropy-rngd; do - if IsRunning "${SERVICE}"; then + for SERVICE in audio-entropyd haveged jitterentropy-rngd; do + # Using --full as jitterentropy-rngd would otherwise not match + if IsRunning --full "${SERVICE}"; then FOUND="${FOUND} ${SERVICE}" fi done From 8913374092acf285b492abcffde3d97406ec88f1 Mon Sep 17 00:00:00 2001 From: Topi Miettinen Date: Thu, 19 Mar 2020 22:40:54 +0200 Subject: [PATCH 081/355] Run 'systemd-analyze security' 'systemd-analyze security' (available since systemd v240) makes a nice overall evaluation of hardening levels of services in a system. More details can be found with 'systemd-analyze security SERVICE' for each service. Signed-off-by: Topi Miettinen --- CHANGELOG.md | 1 + db/tests.db | 1 + include/binaries | 1 + include/tests_boot_services | 38 +++++++++++++++++++++++++++++++++++++ 4 files changed, 41 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 86959483..3ca72710 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
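Review bot: `if IsRunning --full "${SERVICE}"; then` now applies full-command-line matching to all three names, although the added comment says only jitterentropy-rngd needs it; presumably IsRunning then also matches any process whose argument list merely contains `haveged` or `audio-entropyd` (a shell, pager or editor, say) and reports the generator as present. Limiting the flag to the one name that needs it keeps the other two on process-name matching: `if [ "${SERVICE}" = "jitterentropy-rngd" ]; then ISRUNNING_FLAG="--full"; else ISRUNNING_FLAG=""; fi` followed by `if IsRunning ${ISRUNNING_FLAG} "${SERVICE}"; then`. How `--full` matches is decided in IsRunning, which is outside the hunk, so confirm there first.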
@@ -48,6 +48,7 @@ Using the relevant options, the scan will change base on the intended goal. - New profile option: ssl-certificate-paths-to-ignore - ignore a path - New test: AUTH-9229 - check used password hashing methods - New test: BOOT-5109 - test presence rEFInd boot loader +- New test: BOOT-5264 - run systemd-analyze security - New test: CRYP-7930 - test for LUKS encryption - New test: CRYP-8004 - presence of hardware random number generator - New test: CRYP-8005 - presence of software random number generator diff --git a/db/tests.db b/db/tests.db index 79cfe6ce..34af6fdd 100644 --- a/db/tests.db +++ b/db/tests.db @@ -78,6 +78,7 @@ BOOT-5260:test:security:boot_services::Check single user mode for systemd: BOOT-5261:test:security:boot_services:DragonFly:Check for DragonFly boot loader presence: BOOT-5262:test:security:boot_services:OpenBSD:Check for OpenBSD boot daemons: BOOT-5263:test:security:boot_services:OpenBSD:Check permissions for boot files/scripts: +BOOT-5264:test:security:boot_services:Linux:Run systemd-analyze security: CONT-8004:test:security:containers:Solaris:Query running Solaris zones: CONT-8102:test:security:containers::Checking Docker status and information: CONT-8104:test:security:containers::Checking Docker info for any warnings: diff --git a/include/binaries b/include/binaries index 2327368e..8b754146 100644 --- a/include/binaries +++ b/include/binaries 
@@ -274,6 +274,7 @@ sysctl) SYSCTLBINARY="${BINARY}"; LogText " Found known binary: sysctl (kernel parameters) - ${BINARY}" ;; syslog-ng) SYSLOGNGBINARY="${BINARY}"; SYSLOGNGVERSION=$(${BINARY} -V 2>&1 | grep "^syslog-ng" | awk '{ print $2 }'); LogText "Found ${BINARY} (version ${SYSLOGNGVERSION})" ;; systemctl) SYSTEMCTLBINARY="${BINARY}"; LogText " Found known binary: systemctl (client to systemd) - ${BINARY}" ;; + systemd-analyze) SYSTEMDANALYZEBINARY="${BINARY}"; LogText " Found known binary: systemd-analyze (systemd service analysis tool) - ${BINARY}" ;; tail) TAILBINARY="${BINARY}"; LogText " Found known binary: tail (text filter) - ${BINARY}" ;; timedatectl) TIMEDATECTL="${BINARY}"; LogText " Found known binary: timedatectl (timedate client) - ${BINARY}" ;; tomoyo-init) TOMOYOINITBINARY=${BINARY}; LogText " Found known binary: tomoyo-init (tomoyo component) - ${BINARY}" ;; diff --git a/include/tests_boot_services b/include/tests_boot_services index f280cb86..8ad83d7c 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services 
@@ -986,6 +986,44 @@ fi # ################################################################################# +# + # Test : BOOT-5264 + # Description : Run systemd-analyze security + if [ -z "${SYSTEMDANALYZEBINARY}" ]; then SKIPREASON="systemd-analyze not available"; PREQS_MET="NO"; + else + SYSTEMD_VERSION=$("${SYSTEMDANALYZEBINARY}" --version | ${AWKBINARY} '/^systemd / {print $2}') + if [ "${SYSTEMD_VERSION}" -ge 240 ]; then PREQS_MET="YES"; else SKIPREASON="systemd-analyze too old (v${SYSTEMD_VERSION}), need at least v240"; PREQS_MET="NO"; fi + fi + Register --test-no BOOT-5264 --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --os Linux --weight L --network NO --category security --description "Run systemd-analyze security" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: Run systemd-analyze security" + Display --indent 2 --text "- Running 'systemd-analyze security'" + ${SYSTEMDANALYZEBINARY} security | while read UNIT EXPOSURE PREDICATE HAPPY; do + if [ "${UNIT}" = "UNIT" ]; then + continue + fi + COLOR="BLACK" + case ${PREDICATE} in + PERFECT | SAFE | OK) + COLOR=GREEN + ;; + MEDIUM) + COLOR=WHITE + ;; + EXPOSED) + COLOR=YELLOW + ;; + UNSAFE | DANGEROUS) + COLOR=RED + ;; + esac + Display --indent 8 --text "- ${UNIT}:" --result "${PREDICATE}" --color "${COLOR}" + LogText "Result: ${UNIT}: ${EXPOSURE} ${PREDICATE}" + done + ReportSuggestion "${TEST_NO}" "Consider hardening system services" "Run '${SYSTEMDANALYZEBINARY} security SERVICE' for each service" + fi +# +################################################################################# # Report "boot_loader=${BOOT_LOADER}" From 0da82a18cbf05bd990016e7f0ab94694a54e5a69 Mon Sep 17 00:00:00 2001 From: Topi Miettinen Date: Thu, 19 Mar 2020 20:31:47 +0200 Subject: [PATCH 082/355] FS module tests: check if modules are blacklisted Check if FS modules are blacklisted. Signed-off-by: Topi Miettinen --- include/tests_filesystems | 6 ++++++ 1 file changed, 6 insertions(+) 
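Review bot: `SYSTEMD_VERSION=$("${SYSTEMDANALYZEBINARY}" --version | ...)` reuses a global that the systemd plugin hunks earlier on this page gate PLGN-3812 and PLGN-3830 on (`${SYSTEMD_VERSION} -ge 209`, `-ge 215`), so whichever assignment runs later wins and the other consumer may be evaluated against the wrong value — a dedicated name such as `SYSTEMD_ANALYZE_VERSION` avoids the collision. If awk prints nothing for an unexpected `--version` format, `[ "" -ge 240 ]` is a test error rather than a NO, so guard it: `if [ -n "${SYSTEMD_ANALYZE_VERSION}" ] && [ "${SYSTEMD_ANALYZE_VERSION}" -ge 240 ]; then PREQS_MET="YES"; else ...; fi`. SKIPREASON is only ever set in this block and never cleared on the YES path, so a value left by an earlier test could be passed to Register unless Register ignores it when prerequisites are met (outside the hunk). Finally the `ReportSuggestion` is emitted even when every unit came back PERFECT/SAFE; consider counting non-green predicates in the loop and suggesting only when the count is non-zero, keeping in mind the `while read` runs in a pipeline subshell so the counter must be communicated back (e.g. via the loop's exit status or a temporary file).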
diff --git a/include/tests_filesystems b/include/tests_filesystems index 502e4227..0d528a0d 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems @@ -792,6 +792,12 @@ AddHP 3 3 if IsDebug; then Display --indent 6 --text "- Module ${FS} not present in the kernel" --result OK --color GREEN; fi fi + FIND1=$(${EGREPBINARY} "blacklist ${FS}" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") + FIND2=$(${EGREPBINARY} "install ${FS} /bin/true" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") + if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then + Display --indent 4 --text "- Module $FS is blacklisted" --result "OK" --color GREEN + LogText "Result: module ${FS} is blacklisted" + fi done if [ ${FOUND} -eq 1 ]; then Display --indent 4 --text "- Discovered kernel modules: ${AVAILABLE_MODPROBE_FS}" From e09fe98b893dc69ac5fad65829c8b0c52f232f98 Mon Sep 17 00:00:00 2001 From: Topi Miettinen Date: Mon, 23 Mar 2020 18:41:58 +0200 Subject: [PATCH 083/355] Enhance TOMOYO Linux check Count and log unconfined processes, which are not using policy profile 3. Signed-off-by: Topi Miettinen --- include/binaries | 1 + include/tests_mac_frameworks | 7 +++++++ 2 files changed, 8 insertions(+) diff --git a/include/binaries b/include/binaries index 2327368e..4e0cda05 100644 --- a/include/binaries +++ b/include/binaries 
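Review bot: The pattern in `FIND1=$(${EGREPBINARY} "blacklist ${FS}" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")` is unanchored, so it also matches a longer module name beginning with `${FS}` or any line that merely mentions it, while `${GREPBINARY} -v "#"` discards a valid directive that carries a trailing comment on the same line. Anchoring is cheap: `"^[[:space:]]*blacklist[[:space:]]+${FS}([[:space:]]|$)"` for FIND1 and `"^[[:space:]]*install[[:space:]]+${FS}[[:space:]]+/bin/(true|false)"` for FIND2, and then the `-v "#"` filter can become `-v "^[[:space:]]*#"` so only comment lines are dropped. When `${ROOTDIR}etc/modprobe.d/` does not exist the unmatched glob is passed literally and egrep writes an error to the terminal; add `2> /dev/null` to both commands. The enclosing `for FS` loop starts outside the hunk.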
@@ -277,6 +277,7 @@ tail) TAILBINARY="${BINARY}"; LogText " Found known binary: tail (text filter) - ${BINARY}" ;; timedatectl) TIMEDATECTL="${BINARY}"; LogText " Found known binary: timedatectl (timedate client) - ${BINARY}" ;; tomoyo-init) TOMOYOINITBINARY=${BINARY}; LogText " Found known binary: tomoyo-init (tomoyo component) - ${BINARY}" ;; + tomoyo-pstree) TOMOYOPSTREEBINARY=${BINARY}; LogText " Found known binary: tomoyo-pstree (tomoyo process tree) - ${BINARY}" ;; tr) TRBINARY="${BINARY}"; LogText " Found known binary: tr (text transformation) - ${BINARY}" ;; tripwire) TRIPWIREBINARY="${BINARY}"; LogText " Found known binary: tripwire (file integrity) - ${BINARY}" ;; tune2fs) TUNE2FSBINARY="${BINARY}"; LogText " Found known binary: tune2fs (file system tool) - ${BINARY}" ;; diff --git a/include/tests_mac_frameworks b/include/tests_mac_frameworks index 94f2065d..3f23c77e 100644 --- a/include/tests_mac_frameworks +++ b/include/tests_mac_frameworks @@ -206,6 +206,13 @@ LogText "Result: TOMOYO Linux is enabled" Display --indent 4 --text "- Checking TOMOYO Linux status" --result "${STATUS_ENABLED}" --color GREEN Report "tomoyo_enabled=1" + if [ ! -z ${TOMOYOPSTREEBINARY} ]; then + NUNCONFINED=$(${TOMOYOPSTREEBINARY} | ${GREPBINARY} -v '^ 3 ' | ${WCBINARY} --lines) + Display --indent 8 --text "Found ${NUNCONFINED} unconfined (not profile 3) processes" + for PROCESS in $(${TOMOYOPSTREEBINARY} | ${GREPBINARY} -v '^ 3 ' | ${SEDBINARY} -e 's/+-//g' -e 's/^ *//g' -e 's/ \+/:/g' | ${SORTBINARY}); do + LogText "Result: Unconfined process: ${PROCESS}" + done + fi AddHP 3 3 else LogText "Result: TOMOYO Linux is disabled" From 6818db5e127e732db432a119c9894c663995ed5e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Tue, 24 Mar 2020 11:43:34 +0100 Subject: [PATCH 084/355] add AUTH-9230 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
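Review bot: `if [ ! -z ${TOMOYOPSTREEBINARY} ]; then` leaves the expansion unquoted; when the variable is empty the test degenerates to `[ ! -z ]`, which evaluates false only because `test` then treats `-z` as a plain non-empty string, so the intent survives by accident. Use `if [ -n "${TOMOYOPSTREEBINARY}" ]; then`, the form the other commits in this series move to. `${TOMOYOPSTREEBINARY} | ${GREPBINARY} -v '^ 3 '` is also run twice, once for the count and once for the listing; capturing the output once into a variable avoids the second process walk and keeps the count and the logged processes consistent.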
Signed-off-by: Thomas Sjögren --- db/tests.db | 1 + 1 file changed, 1 insertion(+) diff --git a/db/tests.db b/db/tests.db index 79cfe6ce..220d76e1 100644 --- a/db/tests.db +++ b/db/tests.db @@ -23,6 +23,7 @@ AUTH-9222:test:security:authentication::Check for non unique groups: AUTH-9226:test:security:authentication::Check non unique group names: AUTH-9228:test:security:authentication::Check password file consistency with pwck: AUTH-9229:test:security:authentication::Check password hashing methods: +AUTH-9230:test:security:authentication::Check group password hashing rounds: AUTH-9234:test:security:authentication::Query user accounts: AUTH-9240:test:security:authentication::Query NIS+ authentication support: AUTH-9242:test:security:authentication::Query NIS authentication support: From 5341fa7b29dbd32db32a11934d1b2eef3c022d72 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Tue, 24 Mar 2020 11:44:14 +0100 Subject: [PATCH 085/355] AUTH-9229 isnt related to login.defs, add AUTH-9230 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- include/tests_authentication | 52 +++++++++++++++++++++++++++++++++++- 1 file changed, 51 insertions(+), 1 deletion(-) diff --git a/include/tests_authentication b/include/tests_authentication index d8efe6e2..c5c71eee 100644 --- a/include/tests_authentication +++ b/include/tests_authentication 
@@ -382,12 +382,62 @@ else Display --indent 2 --text "- Password hashing methods" --result "${STATUS_SUGGESTION}" --color YELLOW LogText "Result: poor password hashing methods found: ${FIND}" - ReportSuggestion "${TEST_NO}" "Change ${ROOTDIR}etc/login.defs password ENCRYPT_METHOD and SHA_CRYPT_MIN_ROUNDS to more secure values, check also PAM configuration, expire passwords to encrypt with new values" + ReportSuggestion "${TEST_NO}" "Check PAM configuration, add rounds if applicable and expire passwords to encrypt with new values" AddHP 0 2 fi fi # ################################################################################# +# + # Test : AUTH-9230 + # Description : Check group password hashing rounds in login.defs + # Notes : Applicable to all Unix-like OS + PREQS_MET="NO" + if [ -f ${ROOTDIR}etc/login.defs ]; then + PREQS_MET="YES" + fi + Register --test-no AUTH-9230 --root-only NO --weight L --network NO --category security --description "Check group password hashing rounds" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: Checking SHA_CRYPT_MIN_ROUNDS option in ${ROOTDIR}etc/login.defs" + FIND=$(${GREPBINARY} "^SHA_CRYPT_MIN_ROUNDS" ${ROOTDIR}etc/login.defs | ${AWKBINARY} '{ if ($1=="SHA_CRYPT_MIN_ROUNDS") { print $2 } }') + if [ -z "${FIND}" -o "${FIND}" = "0" ]; then + LogText "Result: number of minimum rounds used by the encryption algorithm is not configured" + Display --indent 2 --text "- Checking minimum group password hashing rounds" --result "${STATUS_DISABLED}" --color YELLOW + ReportSuggestion "${TEST_NO}" "Configure minimum encryption algorithm rounds in /etc/login.defs" + AddHP 0 2 + elif [ "${FIND}" -lt 5000 ]; then + LogText "Result: low number of minimum encryption algorithm rounds found: ${FIND}" + PASSWORD_MINIMUM_ROUNDS=${FIND} + Display --indent 2 --text "- Group password hashing rounds (minimum)" --result "${STATUS_SUGGESTION}" --color YELLOW + AddHP 1 2 + else + LogText "Result: number of encryption algorithm rounds is ${FIND}" + 
PASSWORD_MINIMUM_ROUNDS=${FIND} + Display --indent 2 --text "- Group password hashing rounds (minimum)" --result CONFIGURED --color GREEN + AddHP 2 2 + fi + + LogText "Test: Checking SHA_CRYPT_MAX_ROUNDS option in ${ROOTDIR}etc/login.defs" + FIND=$(${GREPBINARY} "^SHA_CRYPT_MAX_ROUNDS" ${ROOTDIR}etc/login.defs | ${AWKBINARY} '{ if ($1=="SHA_CRYPT_MAX_ROUNDS") { print $2 } }') + if [ -z "${FIND}" -o "${FIND}" = "0" ]; then + LogText "Result: number of maximum rounds used by the encryption algorithm is not configured" + Display --indent 2 --text "- Checking maximum group password hashing rounds" --result "${STATUS_DISABLED}" --color YELLOW + ReportSuggestion "${TEST_NO}" "Configure maximum encryption algorithm rounds in /etc/login.defs" + AddHP 0 2 + elif [ "${FIND}" -lt 10000 ]; then + LogText "Result: low number of maximum encryption algorithm rounds found: ${FIND}" + PASSWORD_MINIMUM_ROUNDS=${FIND} + Display --indent 2 --text "- Group password hashing rounds (maximum)" --result "${STATUS_SUGGESTION}" --color YELLOW + AddHP 1 2 + else + LogText "Result: number of encryption algorithm rounds is ${FIND}" + PASSWORD_MINIMUM_ROUNDS=${FIND} + Display --indent 2 --text "- Group password hashing rounds (maximum)" --result CONFIGURED --color GREEN + AddHP 2 2 + fi + fi +# +################################################################################# # # Test : AUTH-9234 # Description : Query user accounts From 0b9e2d85d6a593bc4f71565d9756d129a1859e27 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Tue, 24 Mar 2020 11:44:54 +0100 Subject: [PATCH 086/355] fix tabs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- include/tests_authentication | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/include/tests_authentication b/include/tests_authentication index c5c71eee..c3c072f5 100644 --- a/include/tests_authentication +++ b/include/tests_authentication 
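Review bot: `PASSWORD_MINIMUM_ROUNDS=${FIND}` is assigned in both SHA_CRYPT_MAX_ROUNDS branches of the new AUTH-9230 block, so the maximum silently overwrites the minimum recorded a few lines earlier; give it its own name, `PASSWORD_MAXIMUM_ROUNDS=${FIND}`, in those two places. The comparisons `elif [ "${FIND}" -lt 5000 ]` and `-lt 10000` produce a test error rather than a result if login.defs carries a non-numeric value, and `^SHA_CRYPT_MIN_ROUNDS` can match more than one line (a commented-out duplicate does not, but a second active line does), which makes FIND multi-line; a `| head -1` after the awk and a numeric check such as `case "${FIND}" in *[!0-9]*) ...;; esac` before the comparison would harden both. The suggestion text `"Configure minimum encryption algorithm rounds in /etc/login.defs"` hard-codes the path while the LogText line above it uses `${ROOTDIR}etc/login.defs`.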
@@ -488,15 +488,15 @@ "NetBSD"|"OpenBSD") if [ -f ${ROOTDIR}etc/usermgmt.conf ]; then - UID_RANGE=$(${GREPBINARY} "^range" ${ROOTDIR}etc/usermgmt.conf | ${AWKBINARY} '{ sub(/\.\./, "-", $2); print $2 }') + UID_RANGE=$(${GREPBINARY} "^range" ${ROOTDIR}etc/usermgmt.conf | ${AWKBINARY} '{ sub(/\.\./, "-", $2); print $2 }') fi - if [ -n "${UID_RANGE}" ]; then + if [ -n "${UID_RANGE}" ]; then LogText "Result: found configured user id range specified: ${UID_RANGE}" UID_MIN=$(echo $UID_RANGE | ${AWKBINARY} -F- '{ print $1 }') UID_MAX=$(echo $UID_RANGE | ${AWKBINARY} -F- '{ print $2 }') else UID_MIN=1000 - UID_MAX=60000 + UID_MAX=60000 LogText "Result: no configured user id range specified; using default ${UID_MIN}-${UID_MAX}" fi LogText "${OS} real users output (ID = 0, or ${UID_MIN}-${UID_MAX}, but not 32767):" From bc09f921f0a8d28f2ff19df8c359f5be71c064f5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Tue, 24 Mar 2020 11:53:50 +0100 Subject: [PATCH 087/355] fix indentation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- include/tests_authentication | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_authentication b/include/tests_authentication index c3c072f5..ce821fba 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -410,7 +410,7 @@ PASSWORD_MINIMUM_ROUNDS=${FIND} Display --indent 2 --text "- Group password hashing rounds (minimum)" --result "${STATUS_SUGGESTION}" --color YELLOW AddHP 1 2 - else + else LogText "Result: number of encryption algorithm rounds is ${FIND}" PASSWORD_MINIMUM_ROUNDS=${FIND} Display --indent 2 --text "- Group password hashing rounds (minimum)" --result CONFIGURED --color GREEN From 1d9a8874061f03a8838b05d630c4a2ee48aeb86a Mon Sep 17 00:00:00 2001 
From: Michael Boelen Date: Tue, 24 Mar 2020 13:25:22 +0100 Subject: [PATCH 088/355] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3ca72710..ffd31b5e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -47,6 +47,7 @@ Using the relevant options, the scan will change base on the intended goal. - New profile option: disable-plugin - disables a single plugin - New profile option: ssl-certificate-paths-to-ignore - ignore a path - New test: AUTH-9229 - check used password hashing methods +- New test: AUTH-9230 - check group password hashing rounds - New test: BOOT-5109 - test presence rEFInd boot loader - New test: BOOT-5264 - run systemd-analyze security - New test: CRYP-7930 - test for LUKS encryption From 5e821687af6025980d9a94f5520b8bf849bcd0dc Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 24 Mar 2020 13:33:24 +0100 Subject: [PATCH 089/355] Added new tests --- CHANGELOG.md | 3 +++ db/tests.db | 3 +++ 2 files changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index ffd31b5e..9342a4f5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -62,6 +62,9 @@ Using the relevant options, the scan will change base on the intended goal. - New test: NETW-2706 - check DNSSEC (systemd) - New test: NETW-3200 - determine avilable network protocols - New test: PROC-3802 - check presence of prelink tooling +- New test: TIME-3180 - report if ntpctl cannot communicate with OpenNTPD +- New test: TIME-3181 - check status of OpenNTPD time synchronisation +- New test: TIME-3182 - check OpenNTPD has working peers - New report key: openssh_daemon_running - New command: lynis generate systemd-units - Sending USR1 signal to Lynis process will show active status diff --git a/db/tests.db b/db/tests.db index 43a48c12..d401424c 100644 --- a/db/tests.db +++ b/db/tests.db 
@@ -413,6 +413,9 @@ TIME-3136:test:security:time:Linux:Check NTP protocol version: TIME-3148:test:performance:time:Linux:Check TZ variable: TIME-3160:test:security:time:Linux:Check empty NTP step-tickers: TIME-3170:test:security:time::Check configuration files: +TIME-3180:test:security:time::Report if ntpctl cannot communicate with OpenNTPD: +TIME-3181:test:security:time::Check status of OpenNTPD time synchronisation +TIME-3182:test:security:time::Check OpenNTPD has working peers TOOL-5002:test:security:tooling::Checking for automation tools: TOOL-5102:test:security:tooling::Check for presence of Fail2ban: TOOL-5104:test:security:tooling::Enabled tests for Fail2ban: From 339e0c3207f5c4064bc9efa8172c6606779b6ec9 Mon Sep 17 00:00:00 2001 From: Topi Miettinen Date: Wed, 25 Mar 2020 09:18:16 +0200 Subject: [PATCH 090/355] [FILE-6374]: Summarize unhardened file system Report total numbers of unhardened filesystems. Signed-off-by: Topi Miettinen --- include/tests_filesystems | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/include/tests_filesystems b/include/tests_filesystems index 70efd2cc..38b4c0d0 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems 
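Review bot: The two added rows for TIME-3181 and TIME-3182 in db/tests.db lack the trailing `:` field terminator that the TIME-3180 row and every neighbouring entry carry, so a consumer that splits on `:` and expects a fixed field count sees these two rows as short. Change them to `TIME-3181:test:security:time::Check status of OpenNTPD time synchronisation:` and `TIME-3182:test:security:time::Check OpenNTPD has working peers:`.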
@@ -628,6 +628,13 @@ fi done fi + NMOUNTS=$(mount | ${WCBINARY} --lines) + NDEVMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v nodev | ${WCBINARY} --lines) + NEXECMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v noexec | ${WCBINARY} --lines) + NSUIDMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v nosuid | ${WCBINARY} --lines) + NWRITEANDEXECMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v noexec | ${EGREPBINARY} -v '^\(ro[,)]' | ${WCBINARY} --lines) + LogText "Result: Total without nodev:${NDEVMOUNTS} noexec:${NEXECMOUNTS} nosuid:${NSUIDMOUNTS} ro or noexec (W^X): ${NWRITEANDEXECMOUNTS}, of total ${NMOUNTS}" + Display --indent 2 --text "- Total without nodev:${NDEVMOUNTS} noexec:${NEXECMOUNTS} nosuid:${NSUIDMOUNTS} ro or noexec (W^X): ${NWRITEANDEXECMOUNTS} of total ${NMOUNTS}" fi # ################################################################################# From f644927a4209cf2caf27c6a8152c9bf6c610676c Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 25 Mar 2020 10:11:25 +0100 Subject: [PATCH 091/355] Improved warning message with 'how to resolve' --- include/profiles | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/include/profiles b/include/profiles index 767f3b79..5b940150 100644 --- a/include/profiles +++ b/include/profiles 
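Review bot: The five added count lines use `${WCBINARY} --lines`, but long options are not accepted by BSD/macOS `wc` (the same portability reason AUTH-9229 later in this series replaces `sort --unique` with `sort -u`), and on those platforms `mount` prints no `type` column, so `$6` is not the option list either. Use `${WCBINARY} -l` throughout and, unless the enclosing block (which starts outside the hunk) is already limited to Linux, guard the summary on `${OS}`. The `grep -v '^\(ro[,)]'` stage only recognises `ro` as the first mount option, so the W^X figure is an approximation; a short comment stating that would keep readers of the log line from over-trusting it.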
@@ -39,10 +39,19 @@ if ! IsEmpty "${DATA}"; then FOUND=1; fi if [ ${FOUND} -eq 1 ]; then + Display --text " " + Display --text "==================================================================================================" DisplayWarning "Your profile contains old-style configuration entries. See log file for more details and how to convert these entries" - LogText "Your profile has one or more configuration items that are in an old format (lines starting with key:value). They need to be converted into the new format (key=value)." - LogText "Tip: Use grep to see the relevant matches (grep -E \"^[a-z-]{1,}:\" custom.prf)" - sleep 30 + Display --indent 2 --text "* ${RED}ISSUE${NORMAL}" + Display --indent 2 --text "Your profile has one or more lines that are in an old format (key:value). They need to be converted into the new format (key=value) or disabled." + Display --text " " + Display --indent 2 --text "* ${GREEN}HOW TO RESOLVE${NORMAL}" + Display --indent 2 --text "Use grep to see the relevant matches (grep -E \"^[a-z-]{1,}:\" custom.prf)" + Display --text " " + Display --text "==================================================================================================" + Display --text " " + ReportWarning "GEN-0020" "Your profile contains one or more old-style configuration entries" + sleep 10 fi # Security check for unexpected and possibly harmful escape characters (hyphen should be listed as first or last character) From 9b978a3581a0fed053c33b8ef1b4877d261cb1ce Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 25 Mar 2020 15:03:21 +0100 Subject: [PATCH 092/355] Add specific control ID for warnings regarding usage of deprecated options --- include/profiles | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/profiles b/include/profiles index 5b940150..328d4d49 100644 --- a/include/profiles +++ b/include/profiles 
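Review bot: The unconditional `sleep 10` on the last added line stalls every run that hits the warning, including non-interactive runs from cron or automation where nobody reads the banner. Make the pause conditional on an interactive session, e.g. `if [ -t 1 ]; then sleep 10; fi`, or on the script's existing cron/quiet mode flag (set outside this hunk). The 'HOW TO RESOLVE' text also hardcodes `custom.prf`, while the old-style entries may come from any loaded profile; if the surrounding code knows which profile matched, showing that path makes the hint accurate.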
@@ -541,7 +541,7 @@ ################################################################################# # if [ -n "${DEPRECATED_OPTION}" ]; then - ReportWarning "LYNIS" "One or more deprecated options used" "${DEPRECATED_OPTION}" "Update your profile" + ReportWarning "GEN-0030" "One or more deprecated options used in profile" "${DEPRECATED_OPTION}" "Update your profile" fi # ################################################################################# From 04c969752a9a309f681e5da6ac2757488f3c39ff Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 25 Mar 2020 15:15:42 +0100 Subject: [PATCH 093/355] [NETW-3200] corrected test --- include/tests_networking | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/include/tests_networking b/include/tests_networking index 7c288000..c19505c1 100644 --- a/include/tests_networking +++ b/include/tests_networking 
@@ -669,37 +669,39 @@ Register --test-no NETW-3200 --weight L --network YES --category security --description "Determine available network protocols" if [ ${SKIPTEST} -eq 0 ]; then TESTED=0 + FOUND_UNCOMMON_PROTOCOL_ENABLED=0 case ${OS} in Linux) TESTED=1 LogText "Test: checking the status of some network protocols that typically are not used" UNCOMMON_PROTOCOLS="dccp sctp rds tipc" for P in ${UNCOMMON_PROTOCOLS}; do + LogText "Test: now checking module '${P}'" if ! SkipAtomicTest "${TEST_NO}:${P}"; then - FOUND_UNCOMMON_PROTOCOL=0 + UNCOMMON_PROTOCOL_DISABLED=0 + # First check modprobe.conf if [ -f ${ROOTDIR}etc/modprobe.conf ]; then DATA=$(${GREPBINARY} "^install ${P} /bin/true" ${ROOTDIR}etc/modprobe.conf) if [ -n "${DATA}" ]; then - LogText "Result: found ${P} module loaded via modprobe.conf" - FOUND_UNCOMMON_PROTOCOL=1 + LogText "Result: found ${P} module disabled via modprobe.conf" + UNCOMMON_PROTOCOL_DISABLED=1 fi fi + # Then additional modprobe configuration files if [ -d ${ROOTDIR}etc/modprobe.d ]; then DATA=$(${GREPBINARY} --files-with-matches --no-messages "^install ${P} /bin/true" ${ROOTDIR}etc/modprobe.d/*) if [ -n "${DATA}" ]; then - FOUND_UNCOMMON_PROTOCOL=1 + UNCOMMON_PROTOCOL_DISABLED=1 for F in ${DATA}; do - LogText "Result: found ${P} module loaded via ${F}" + LogText "Result: found ${P} module disabled via ${F}" done fi fi - # Although a protocol may not been enabled using install, it can be loaded. This may be revealed using /proc - #/proc/sys/net/ - - if [ ${FOUND_UNCOMMON_PROTOCOL} -eq 1 ]; then - ReportSuggestion "${TEST_NO}" "Determine if network protocol ${P} needs to be used on this system" + if [ ${UNCOMMON_PROTOCOL_DISABLED} -eq 0 ]; then + ReportSuggestion "${TEST_NO}" "Determine if protocol '${P}' is really needed on this system" Report "uncommon_network_protocol_enabled=${P}" + FOUND_UNCOMMON_PROTOCOL_ENABLED=1 fi fi done 
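Review bot: Both grep patterns `^install ${P} /bin/true` recognise only one disable idiom: an `install ${P} /bin/false` line, or the same line written with tabs or extra spaces, is treated as 'enabled' and raises a suggestion on systems that correctly disabled the module. A pattern such as `"^install[[:space:]]+${P}[[:space:]]+/bin/(true|false)"` with `${GREPBINARY} -E` covers these in both places. The `modprobe.d/*` glob also matches editor backups and other non-`.conf` files that modprobe ignores, so `${ROOTDIR}etc/modprobe.d/*.conf` is the accurate set; `/usr/lib/modprobe.d` and `/run/modprobe.d` are consulted by modprobe as well and are not checked here. The test body continues past the end of this hunk.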
@@ -711,7 +713,7 @@ ;; esac if [ ${TESTED} -eq 1 ]; then - if [ ${FOUND_UNCOMMON_PROTOCOL} -eq 1 ]; then + if [ ${FOUND_UNCOMMON_PROTOCOL_ENABLED} -eq 1 ]; then Display --indent 2 --text "- Uncommon network protocols" --result "${FOUND}" --color YELLOW else Display --indent 2 --text "- Uncommon network protocols" --result "${STATUS_NOT_FOUND}" --color GREEN From 1e52ed0c0d948c9cfe231959648090b5c49e9fa4 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 25 Mar 2020 15:19:21 +0100 Subject: [PATCH 094/355] Added notes to NETW-3200 for future extending this test --- include/tests_networking | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/tests_networking b/include/tests_networking index c19505c1..b182f605 100644 --- a/include/tests_networking +++ b/include/tests_networking @@ -666,6 +666,8 @@ # # Test : NETW-3200 # Description : Determine available network protocols + # Notes : See all available supported modules: ls -d /lib/modules/$(uname -r )/kernel/net + # To see active/enabled protocols: ls -d /proc/sys/net Register --test-no NETW-3200 --weight L --network YES --category security --description "Determine available network protocols" if [ ${SKIPTEST} -eq 0 ]; then TESTED=0 From daa9c42ec083c7d05a8ecb569c2cb06c1dbd70a4 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 25 Mar 2020 15:19:30 +0100 Subject: [PATCH 095/355] Updated log --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9342a4f5..340f597f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
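Review bot: The Display call in the renamed `FOUND_UNCOMMON_PROTOCOL_ENABLED` branch prints `--result "${FOUND}"`, but `FOUND` is not assigned anywhere in this test (the previous hunk sets only `UNCOMMON_PROTOCOL_DISABLED` and `FOUND_UNCOMMON_PROTOCOL_ENABLED`), so the result column shows whatever an earlier test left behind, or nothing. The else branch uses the `${STATUS_NOT_FOUND}` constant; the matching constant for this branch is presumably `${STATUS_FOUND}`: `Display --indent 2 --text "- Uncommon network protocols" --result "${STATUS_FOUND}" --color YELLOW`.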
@@ -60,7 +60,7 @@ Using the relevant options, the scan will change base on the intended goal. - New test: INSE-8314 - test for NIS client - New test: INSE-8316 - test for NIS server - New test: NETW-2706 - check DNSSEC (systemd) -- New test: NETW-3200 - determine avilable network protocols +- New test: NETW-3200 - determine enabled network protocols - New test: PROC-3802 - check presence of prelink tooling - New test: TIME-3180 - report if ntpctl cannot communicate with OpenNTPD - New test: TIME-3181 - check status of OpenNTPD time synchronisation From b8cdb04772aac01bbdaec89d49cd22bc6325e4b8 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 25 Mar 2020 19:33:55 +0100 Subject: [PATCH 096/355] Corrected requirements to run tests --- include/tests_time | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/include/tests_time b/include/tests_time index ba2e40c1..23fd0965 100644 --- a/include/tests_time +++ b/include/tests_time @@ -81,7 +81,7 @@ fi # Check for OpenNTPD, ntpctl comes with a "regular" install - if [ -n ${NTPCTLBINARY} ]; then + if [ -n "${NTPCTLBINARY}" ]; then # In contrast to timectl, "synchronised: yes" is not grepped. # Reason: openntpd syncs only if large time corrections are not required or -s is passed. # This might be not intended by the administrator (-s is NOT the default!) 
@@ -526,14 +526,12 @@ # # Test : TIME-3180 # Description : Report if ntpctl cannot communicate with OpenNTPD - if [ "${NTPD_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" == "openntpd" ]; then PREQS_MET="YES" else PREQS_MET="NO" fi - - Register --test-no TIME-3180 --weight L --network NO --category security --description "Report if ntpctl cannot communicate with OpenNTPD" + Register --test-no TIME-3180 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Report if ntpctl cannot communicate with OpenNTPD" if [ ${SKIPTEST} -eq 0 ]; then if [ "${OPENNTPD_COMMUNICATION}" -eq 0 ]; then ReportWarning "${TEST_NO}" "OpenNTPD found, but ntpctl cannot communicate with" "${NTPCTLBINARY} -s status" "Restart OpenNTPD" @@ -544,14 +542,13 @@ # # Test : TIME-3181 # Description : Check status of OpenNTPD time synchronisation - if [ "${NTPD_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" == "openntpd" ] && [ "${OPENNTPD_COMMUNICATION}" -eq 1 ]; then PREQS_MET="YES" else PREQS_MET="NO" fi - Register --test-no TIME-3181 --weight L --network NO --category security --description "Check status of OpenNTPD time synchronisation" + Register --test-no TIME-3181 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check status of OpenNTPD time synchronisation" if [ ${SKIPTEST} -eq 0 ]; then FIND=$(${NTPCTLBINARY} -s status | ${GREPBINARY} "clock synced" ) if [ -z "${FIND}" ]; then @@ -570,7 +567,7 @@ PREQS_MET="NO" fi - Register --test-no TIME-3182 --weight L --network NO --category security --description "Check OpenNTPD has working peers" + Register --test-no TIME-3182 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check OpenNTPD has working peers" if [ ${SKIPTEST} -eq 0 ]; then # Format is "xx/yy peers valid, ..." FIND=$(${NTPCTLBINARY} -s status | ${EGREPBINARY} -o "[0-9]{1,4}/" | ${EGREPBINARY} -o "[0-9]{1,4}" ) 
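Review bot: The prerequisite conditions that these three hunks now feed into `--preqs-met` use `[ "${NTP_DAEMON}" == "openntpd" ]`; `==` is a bash extension to `test` and fails under a POSIX `/bin/sh`, while the rest of the series writes `=` (see PKGS-7301's `[ "${FIND}" = "0" ]`). Change the conditions to `[ "${NTP_DAEMON}" = "openntpd" ]` (the first two hunks show the line; the third's condition sits just above its hunk and presumably matches). The same lines pass `"${NTPD_RUNNING}"` and `"${OPENNTPD_COMMUNICATION}"` to `-eq`; if either can be unset when no NTP daemon was detected (they are assigned outside these hunks), `test` reports 'integer expression expected' instead of evaluating to NO, so `"${NTPD_RUNNING:-0}"` is the safer form.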
From 603d5b16a282b6c2f646bae450002e385bd91b3f Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 25 Mar 2020 19:40:05 +0100 Subject: [PATCH 097/355] [FINT-4339] define what file to check for --- include/tests_file_integrity | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_file_integrity b/include/tests_file_integrity index dc32411d..728c2616 100644 --- a/include/tests_file_integrity +++ b/include/tests_file_integrity @@ -305,7 +305,7 @@ if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 if [ -e /sys/kernel/security/ima ]; then - FOUND=$(${CAT_BINARY} /sys/kernel/security/ima) + FOUND=$(${CAT_BINARY} /sys/kernel/security/ima/runtime_measurements_count) fi if [ "${FOUND}" -ne 1 ]; then LogText "Result: EVM tools found but IMA/EVM disabled" From 5c5cc43c6f7effe83adc8eeb65e7202e5ce10a73 Mon Sep 17 00:00:00 2001 From: Topi Miettinen Date: Fri, 27 Mar 2020 13:00:09 +0200 Subject: [PATCH 098/355] Check if system uses encrypted swap devices Add test CRYP-7931 to check if the system uses any encrypted swap devices. Signed-off-by: Topi Miettinen --- CHANGELOG.md | 1 + db/tests.db | 1 + include/binaries | 1 + include/tests_crypto | 25 +++++++++++++++++++++++++ 4 files changed, 28 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 340f597f..1686e0db 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -51,6 +51,7 @@ Using the relevant options, the scan will change base on the intended goal. - New test: BOOT-5109 - test presence rEFInd boot loader - New test: BOOT-5264 - run systemd-analyze security - New test: CRYP-7930 - test for LUKS encryption +- New test: CRYP-7931 - determine if system uses encrypted swap - New test: CRYP-8004 - presence of hardware random number generator - New test: CRYP-8005 - presence of software random number generator - New test: DBS-1828 - PostgreSQL configuration files diff --git a/db/tests.db b/db/tests.db index d401424c..9b978fa5 100644 --- a/db/tests.db +++ b/db/tests.db 
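Review bot: If `runtime_measurements_count` is the IMA measurement counter its name suggests, the check that follows the changed line, `if [ "${FOUND}" -ne 1 ]`, still treats it as a boolean: on a host with IMA active the file holds a value well above 1, and the test would report 'IMA/EVM disabled'. Compare against zero instead, `if [ "${FOUND}" -eq 0 ]`, and point the existence test at the file itself, `if [ -e /sys/kernel/security/ima/runtime_measurements_count ]`, so an empty read never reaches the integer comparison.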
@@ -89,6 +89,7 @@ CONT-8108:test:security:containers::Check file permissions for Docker files: CORE-1000:test:performance:system_integrity::Check all system binaries: CRYP-7902:test:security:crypto::Check expire date of SSL certificates: CRYP-7930:test:security:crypto:Linux:Determine if system uses LUKS encryption: +CRYP-7931:test:security:crypto:Linux:Determine if system uses encrypted swap: CRYP-8002:test:security:crypto:Linux:Gather kernel entropy: CRYP-8004:test:security:crypto:Linux:Presence of hardware random number generators: CRYP-8005:test:security:crypto:Linux:Presence of software pseudo random number generators: diff --git a/include/binaries b/include/binaries index 16096fe4..08b9b4d4 100644 --- a/include/binaries +++ b/include/binaries @@ -271,6 +271,7 @@ sha256|sha256sum) SHA256SUMBINARY="${BINARY}"; LogText " Found known binary: sha256/sha256sum (crypto hashing) - ${BINARY}" ;; ssh-keyscan) SSHKEYSCANBINARY="${BINARY}"; LogText " Found known binary: ssh-keyscan (scanner for SSH keys) - ${BINARY}" ;; suricata) SURICATABINARY="${BINARY}"; LogText " Found known binary: suricata (IDS) - ${BINARY}" ;; + swapon) SWAPONBINARY="${BINARY}"; LogText " Found known binary: swapon (swap device tool) - ${BINARY}" ;; swupd) SWUPDBINARY="${BINARY}"; LogText " Found known binary: swupd (package manager) - ${BINARY}" ;; sysctl) SYSCTLBINARY="${BINARY}"; LogText " Found known binary: sysctl (kernel parameters) - ${BINARY}" ;; syslog-ng) SYSLOGNGBINARY="${BINARY}"; SYSLOGNGVERSION=$(${BINARY} -V 2>&1 | grep "^syslog-ng" | awk '{ print $2 }'); LogText "Found ${BINARY} (version ${SYSLOGNGVERSION})" ;; diff --git a/include/tests_crypto b/include/tests_crypto index 466f6b52..47c03451 100644 --- a/include/tests_crypto +++ b/include/tests_crypto 
@@ -173,6 +173,31 @@ fi # ################################################################################# +# + # Test : CRYP-7931 + # Description : Determine if system uses encrypted swap + if [ -e "${SWAPONBINARY}" -a -e "${CRYPTSETUPBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no CRYP-7931 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Determine if system uses encrypted swap" + if [ ${SKIPTEST} -eq 0 ]; then + ENCRYPTED_SWAPS=0 + UNENCRYPTED_SWAPS=0 + SWAPS=$(${SWAPONBINARY} --show=NAME --noheadings) + for BLOCK_DEV in ${SWAPS}; do + if ${CRYPTSETUPBINARY} isLuks "${BLOCK_DEV}" 2> /dev/null; then + LogText "Result: Found LUKS encrypted swap device: ${BLOCK_DEV}" + ENCRYPTED_SWAPS=$((ENCRYPTED_SWAPS +1)) + elif ${CRYPTSETUPBINARY} status "${BLOCK_DEV}" | ${GREPBINARY} --quiet "cipher:"; then + LogText "Result: Found non-LUKS encrypted swap device: ${BLOCK_DEV}" + ENCRYPTED_SWAPS=$((ENCRYPTED_SWAPS +1)) + else + LogText "Result: Found unencrypted swap device: ${BLOCK_DEV}" + UNENCRYPTED_SWAPS=$((UNENCRYPTED_SWAPS +1)) + fi + done + Display --indent 2 --text "- Found ${ENCRYPTED_SWAPS} encrypted and ${UNENCRYPTED_SWAPS} unencrypted swap devices in use." --result OK --color WHITE + fi +# +################################################################################# # # Test : CRYP-8002 # Description : Gather available kernel entropy From e7da240022de8fe7857a3fde9d24339b331c5bdb Mon Sep 17 00:00:00 2001 From: Topi Miettinen Date: Sat, 28 Mar 2020 13:40:36 +0200 Subject: [PATCH 099/355] README.md: add repology badge Show downstream usage for various versions of Lynis. Signed-off-by: Topi Miettinen --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index c4e10b88..dc4f0e45 100644 --- a/README.md +++ b/README.md 
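Review bot: `${CRYPTSETUPBINARY} status "${BLOCK_DEV}"` in the elif branch has no stderr redirect, so for every plain partition or swap file that is not a dm-crypt mapping cryptsetup prints its error to the terminal in the middle of the Display output; add `2> /dev/null` as the isLuks call already does. The test also ends with `--result OK --color WHITE` and raises no finding regardless of `UNENCRYPTED_SWAPS`, so a host paging memory to cleartext swap gets no actionable item; `if [ ${UNENCRYPTED_SWAPS} -gt 0 ]; then ReportSuggestion "${TEST_NO}" "Consider encrypting swap devices"; fi` after the loop would close that gap. Note that when swap sits on a dm-crypt mapping, `isLuks` is run against the mapped device rather than the LUKS container, so LUKS-backed swap is logged as 'non-LUKS encrypted'; the count stays correct but the log wording is misleading.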
@@ -2,6 +2,7 @@ [![Linux Security Expert badge](https://badges.linuxsecurity.expert/tools/ranking/lynis.svg)](https://linuxsecurity.expert/tools/lynis/) [![Build Status](https://travis-ci.org/CISOfy/lynis.svg?branch=master)](https://travis-ci.org/CISOfy/lynis) [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/96/badge)](https://bestpractices.coreinfrastructure.org/projects/96) +[![Packaging status](https://repology.org/badge/tiny-repos/lynis.svg)](https://repology.org/project/lynis/versions) [Documentation] [Documentation]: https://cisofy.com/documentation/lynis/ From 4732b640aeb5b1009401fecc477860995db4bd4d Mon Sep 17 00:00:00 2001 From: Sander Date: Sat, 28 Mar 2020 19:23:00 +0000 Subject: [PATCH 100/355] Adding test FILE-6394 --- include/tests_filesystems | 32 ++++++++++++++++++++++++++++---- 1 file changed, 28 insertions(+), 4 deletions(-) diff --git a/include/tests_filesystems b/include/tests_filesystems index 38b4c0d0..51d22760 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems 
@@ -689,11 +689,35 @@ # ################################################################################# # - # Test : FILE-6394 TODO + # Test : FILE-6394 # Description : Check vm.swappiness (Linux) - - # Want to contribute to Lynis? Create this test - + Register --test-no FILE-6394 --os Linux --weight L --network NO --category security --description "Determine level of swappiness." + if [ ${SKIPTEST} -eq 0 ]; then + SWAPLEVEL=$(${CAT_BINARY} /proc/sys/vm/swappiness) + LogText "Test: checking level of vm.swappiness: ${SWAPLEVEL}" + PHYSDISK=$(${LSBLKBINARY} | ${GREPBINARY} -E 'disk|SWAP' | ${GREPBINARY} -B1 SWAP | ${HEADBINARY} -n1 | ${AWKBINARY} '{print $1}') + if [ ${SWAPLEVEL} -gt 60 ]; then + LogText "Result: vm.swappiness=${SWAPLEVEL} meaning that swapping is more frequent than default." + # Check if swap is on a HDD or SDD for frequent swapping + if [ -d /sys/block/${PHYSDISK} ]; then + HDDORSDD=$(${CAT_BINARY} /sys/block/${PHYSDISK}/queue/rotational) + if [ ${HDDORSDD} -eq 1 ]; then + ReportSuggestion "${TEST_NO}" "vm.swappiness set to: ${SWAPLEVEL} > 60 (default) - consider installing an SSD for swap partition for better performance." + fi + fi + elif [ ${SWAPLEVEL} -eq 0 ]; then + LogText "Result: vm.swappiness=${SWAPLEVEL} meaning swapping is disabled." + ReportSuggestion "${TEST_NO}" "vm.swappiness set to: ${SWAPLEVEL}. Consider setting value to minimum of 1 for minimizing swappiness, but not quite disabling it. Will prevent OOM killer from killing processes when running out of physical memory." + elif [ ${SWAPLEVEL} -eq 1]; then + LogText "Result: vm.swappiness=${SWAPLEVEL} meaning that swapping can still occur but at very minimum." + elif [ ${SWAPLEVEL} -eq 10 ]; then + LogText "Result: vm.swappiness=${SWAPLEVEL} which is the preferred setting for database servers." + elif [ ${SWAPLEVEL} -lt 60 ]; then + LogText "Result: vm.swappiness=${SWAPLEVEL} meaning that swapping is less frequent than default. This is only recommended for servers." 
+ else + LogText "Result: vm.swappiness=${SWAPLEVEL} which is the standard level of swappiness and works well for desktop systems." + fi + fi # ################################################################################# # From 18daa9f4955e0f5e1009321bd24a8002aab392e6 Mon Sep 17 00:00:00 2001 From: Brian Ginsbach Date: Sun, 29 Mar 2020 15:06:36 -0500 Subject: [PATCH 101/355] AUTH-9229 Do not use long options for sort Use the standard `sort(1)` short option `-u` rather than `--unique`, since not all versions support long options. --- include/tests_authentication | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_authentication b/include/tests_authentication index ce821fba..2e14c7f0 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -374,7 +374,7 @@ echo "Unknown password hashing method ${METHOD}. Please report to lynis-dev@cisofy.com" ;; esac - done | ${SORTBINARY} --unique | ${TRBINARY} '\n' ' ') + done | ${SORTBINARY} -u | ${TRBINARY} '\n' ' ') if [ -z "${FIND}" ]; then Display --indent 2 --text "- Password hashing methods" --result "${STATUS_OK}" --color GREEN LogText "Result: no poor password hashing methods found" From 90b17121baf55a233a5819a0c5f8ba7fe5a387ba Mon Sep 17 00:00:00 2001 From: Brian Ginsbach Date: Sun, 29 Mar 2020 15:31:41 -0500 Subject: [PATCH 102/355] Fix AUTH-9230 for systems without /etc/login.defs This fixes a bug where it was determined that /etc/login.defs didn't exist as a prerequisite but then wasn't used to skip the test. Prevents warnings from `grep(1)` for "no such file or directory". --- include/tests_authentication | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_authentication b/include/tests_authentication index ce821fba..81842b63 100644 --- a/include/tests_authentication +++ b/include/tests_authentication 
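Review bot: `elif [ ${SWAPLEVEL} -eq 1]; then` is missing the space before `]`, so `test` aborts with a missing-bracket error whenever swappiness is below 60 and not 0 or 10, and the remaining branches are never evaluated; it should read `elif [ ${SWAPLEVEL} -eq 1 ]; then`. `SWAPLEVEL` is also used unquoted in every integer test; if `/proc/sys/vm/swappiness` is unreadable (a restricted container, for instance) the value is empty and each comparison errors, so reading it with `2> /dev/null` and guarding the chain with `[ -n "${SWAPLEVEL}" ]` lets the test degrade cleanly. The `PHYSDISK` pipeline runs on every invocation although it is only used in the `-gt 60` branch, and `${LSBLKBINARY}` does not appear among the known binaries visible on this page, so confirm it is defined before relying on it.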
@@ -396,7 +396,7 @@ if [ -f ${ROOTDIR}etc/login.defs ]; then PREQS_MET="YES" fi - Register --test-no AUTH-9230 --root-only NO --weight L --network NO --category security --description "Check group password hashing rounds" + Register --test-no AUTH-9230 --preqs-met ${PREQS_MET} --root-only NO --weight L --network NO --category security --description "Check group password hashing rounds" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking SHA_CRYPT_MIN_ROUNDS option in ${ROOTDIR}etc/login.defs" FIND=$(${GREPBINARY} "^SHA_CRYPT_MIN_ROUNDS" ${ROOTDIR}etc/login.defs | ${AWKBINARY} '{ if ($1=="SHA_CRYPT_MIN_ROUNDS") { print $2 } }') From f13d919dfa9379969e14dbd11e296c37c7792945 Mon Sep 17 00:00:00 2001 From: Brian Ginsbach Date: Sun, 29 Mar 2020 16:19:25 -0500 Subject: [PATCH 103/355] PROC-3802 Only check for prelink package on Linux The prelink package is Linux specific no need to check for it on non-Linux systems. --- include/tests_memory_processes | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_memory_processes b/include/tests_memory_processes index 0b0fff6f..65473cf4 100644 --- a/include/tests_memory_processes +++ b/include/tests_memory_processes @@ -118,7 +118,7 @@ # # Test : PROC-3802 # Description : Check presence of prelink tooling - Register --test-no PROC-3802 --weight L --network NO --category security --description "Check presence of prelink tooling" + Register --test-no PROC-3802 --os Linux --weight L --network NO --category security --description "Check presence of prelink tooling" if [ ${SKIPTEST} -eq 0 ]; then if PackageIsInstalled "prelink"; then LogText "Result: prelink packages is installed" From 677f0c32fa844bc309db4a1bae5c71d97e2a2cdf Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 30 Mar 2020 12:11:58 +0200 Subject: [PATCH 104/355] Move Repology link and text change for packages --- README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
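Review bot: The new `--preqs-met ${PREQS_MET}` only skips the test as the commit message intends if `PREQS_MET` is reset to `NO` before the `if [ -f ${ROOTDIR}etc/login.defs ]` shown in context; that reset lies outside the hunk, and if it is absent a `YES` left behind by the previous test is carried into this Register call and the grep warning returns. Confirm the reset exists or add `PREQS_MET="NO"` directly above the `if`.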
diff --git a/README.md b/README.md index dc4f0e45..096890d4 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,6 @@ [![Linux Security Expert badge](https://badges.linuxsecurity.expert/tools/ranking/lynis.svg)](https://linuxsecurity.expert/tools/lynis/) [![Build Status](https://travis-ci.org/CISOfy/lynis.svg?branch=master)](https://travis-ci.org/CISOfy/lynis) [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/96/badge)](https://bestpractices.coreinfrastructure.org/projects/96) -[![Packaging status](https://repology.org/badge/tiny-repos/lynis.svg)](https://repology.org/project/lynis/versions) [Documentation] [Documentation]: https://cisofy.com/documentation/lynis/ @@ -58,9 +57,11 @@ If you want to run the software as `root`, we suggest changing the ownership of ### Package -Stable releases of Lynis are packaged and made available as RPM or DEB package. The [CISOfy software repository](https://packages.cisofy.com) can be used to install Lynis on systems running: +For Linux, BSD, macOS, there is typically a package available. The Lynis project also provides packages in RPM or DEB format. The [CISOfy software repository](https://packages.cisofy.com) can be used to install Lynis on systems running: `CentOS`, `Debian`, `Fedora`, `OEL`, `openSUSE`, `RHEL`, `Ubuntu`, and others. +Some distributions may have Lynis is their repository available. Use the overview by [![Repology](https://repology.org/badge/tiny-repos/lynis.svg)](https://repology.org/project/lynis/versions) to see if they are up-to-date. Otherwise consider the CISOfy repository, tarball (website), or GitHub releases. + ### Enterprise Version This software component is also part of an enterprise solution. Same quality, yet with more functionality. From 49b8779cb55ba9985cdad75d70af071a60bbb438 Mon Sep 17 00:00:00 2001 
From: Michael Boelen Date: Mon, 30 Mar 2020 12:14:40 +0200 Subject: [PATCH 105/355] Improved text about software packages --- README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 096890d4..ccc5a4d3 100644 --- a/README.md +++ b/README.md @@ -55,12 +55,13 @@ Typical users of the software: If you want to run the software as `root`, we suggest changing the ownership of the files. Use `chown -R 0:0` to recursively alter the owner and group and set it to user ID `0` (`root`). -### Package +### Software Package For Linux, BSD, macOS, there is typically a package available. The Lynis project also provides packages in RPM or DEB format. The [CISOfy software repository](https://packages.cisofy.com) can be used to install Lynis on systems running: `CentOS`, `Debian`, `Fedora`, `OEL`, `openSUSE`, `RHEL`, `Ubuntu`, and others. -Some distributions may have Lynis is their repository available. Use the overview by [![Repology](https://repology.org/badge/tiny-repos/lynis.svg)](https://repology.org/project/lynis/versions) to see if they are up-to-date. Otherwise consider the CISOfy repository, tarball (website), or GitHub releases. +Some distributions may also have Lynis in their software repository: [![Repology](https://repology.org/badge/tiny-repos/lynis.svg)](https://repology.org/project/lynis/versions) +If they don't provide an up-to-date version, consider the CISOfy repository, tarball (website), or GitHub release. ### Enterprise Version From 9a1bbbc69ae817d4d59b0d58a40b9bc434b32a63 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 30 Mar 2020 16:08:31 +0200 Subject: [PATCH 106/355] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 340f597f..1cae9172 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -130,6 +130,7 @@ Using the relevant options, the scan will change base on the intended goal. - PROC-3602 - allow different root directory - PROC-3612 - show 'Not found' instead of 'OK' - PROC-3614 - show 'Not found' instead of 'OK' +- PROC-3802 - limit to Linux only (prelink package check) - SCHD-7702 - removed hardening points - SINT-7010 - limit test to only macOS systems - SSH-7402 - detect other SSH daemons like dropbear From 2b1d5fa46ffe7c9794fe8fc972040d722a35b17c Mon Sep 17 00:00:00 2001 From: Brian Ginsbach Date: Mon, 30 Mar 2020 14:09:28 -0500 Subject: [PATCH 107/355] Add NetBSD pkgsrc pkg_info to known binaries The NetBSD pkgsrc package management system uses pkg_info for determining information about packages. This is also the command used in PKGS-7302. --- include/binaries | 1 + 1 file changed, 1 insertion(+) diff --git a/include/binaries b/include/binaries index 16096fe4..5884fc0c 100644 --- a/include/binaries +++ b/include/binaries @@ -230,6 +230,7 @@ php) PHPBINARY="${BINARY}"; PHPVERSION=$(${BINARY} -v | awk '{ if ($1=="PHP") { print $2 }}' | head -1); LogText "Found known binary: php (programming language interpreter) - ${BINARY} (version ${PHPVERSION})" ;; pkg) PKG_BINARY="${BINARY}"; LogText " Found known binary: pkg (software package administration) - ${BINARY}" ;; pkg_admin) PKGADMINBINARY="${BINARY}"; LogText " Found known binary: pkg_admin (software package administration) - ${BINARY}" ;; + pkg_info) PKGINFOBINARY="${BINARY}"; LogText " Found known binary: pkg_info (software package information) - ${BINARY}" ;; postconf) POSTCONFBINARY="${BINARY}"; LogText " Found known binary: postconf (postfix configuration) - ${BINARY}" ;; postfix) POSTFIXBINARY="${BINARY}"; LogText " Found known binary: postfix (postfix binary) - ${BINARY}" ;; prelink) PRELINKBINARY="${BINARY}"; LogText " Found known binary: prelink (system optimizer) - ${BINARY}" ;; From eb7dbab1ee55f24a300b58ef845edc18d443f68a Mon Sep 17 00:00:00 2001 
From: Brian Ginsbach Date: Mon, 30 Mar 2020 14:12:36 -0500 Subject: [PATCH 108/355] Add pkg_info to PackageIsInstalled The `pkg_info` command is used on a system using NetBSD pkgsrc to determine which packages are installed. --- include/functions | 3 +++ 1 file changed, 3 insertions(+) diff --git a/include/functions b/include/functions index ed1a58eb..5b60419f 100644 --- a/include/functions +++ b/include/functions @@ -2041,6 +2041,9 @@ elif [ -n "${PKG_BINARY}" ]; then output=$(${PKG_BINARY} -N info ${package} >/dev/null 2>&1) exit_code=$? # 0=package installed, 70=invalid package + elif [ -n "${PKGINFOBINARY}" ]; then + output=$(${PKGINFOBINARY} -q -e ${package} >/dev/null 2>&1) + exit_code=$? # 0=package installed, 1=package not installed elif [ -n "${RPMBINARY}" ]; then output=$(${RPMBINARY} --quiet -q ${package} > /dev/null 2>&1) exit_code=$? From 94915ac2fe9d27c8c2ae7d54dee72f40139187a8 Mon Sep 17 00:00:00 2001 From: Brian Ginsbach Date: Mon, 30 Mar 2020 14:23:58 -0500 Subject: [PATCH 109/355] Fix PKGS-7301 message nit The comment is correct. It is FreeBSD pkg not NetBSD pkg. --- include/tests_ports_packages | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_ports_packages b/include/tests_ports_packages index f63f2793..286da608 100644 --- a/include/tests_ports_packages +++ b/include/tests_ports_packages @@ -38,7 +38,7 @@ # Test : PKGS-7301 # Description : Query FreeBSD pkg if [ -x ${ROOTDIR}usr/sbin/pkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no PKGS-7301 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query NetBSD pkg" + Register --test-no PKGS-7301 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query FreeBSD pkg" if [ ${SKIPTEST} -eq 0 ]; then FIND=$(pkg -N 2>&1; echo $?) if [ "${FIND}" = "0" ]; then From 53ad72e791ea378e4974e2db1eb416d4ee537455 Mon Sep 17 00:00:00 2001 
From: Michael Boelen Date: Tue, 31 Mar 2020 16:25:27 +0200 Subject: [PATCH 110/355] Removed unneeded complexity regarding dmidecode, as binary checks are already done at this point --- include/functions | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/include/functions b/include/functions index 5b60419f..fd47cd3d 100644 --- a/include/functions +++ b/include/functions @@ -1774,14 +1774,9 @@ # dmidecode # Values: VMware Virtual Platform / VirtualBox if [ -z "${SHORT}" ]; then - if [ -x /usr/bin/dmidecode ]; then DMIDECODE_BINARY="/usr/bin/dmidecode" - elif [ -x /usr/sbin/dmidecode ]; then DMIDECODE_BINARY="/usr/sbin/dmidecode" - else - DMIDECODE_BINARY="" - fi - if [ ! "${DMIDECODE_BINARY}" = "" -a ${PRIVILEGED} -eq 1 ]; then + if [ -n "${DMIDECODEBINARY}" -a -x "${DMIDECODEBINARY}" -a ${PRIVILEGED} -eq 1 ]; then LogText "Test: trying to guess virtualization with dmidecode" - FIND=$(/usr/sbin/dmidecode -s system-product-name | awk '{ print $1 }') + FIND=$(${DMIDECODEBINARY} -s system-product-name | awk '{ print $1 }') if [ -n "${FIND}" ]; then LogText "Result: found ${FIND}" SHORT="${FIND}" @@ -1794,6 +1789,7 @@ else LogText "Result: skipped dmidecode test, as we already found machine type" fi + # Other options # SaltStack: salt-call grains.get virtual # < needs snippet > From 5f13de96a415fdcea8fd79a7538083a419033139 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 31 Mar 2020 16:25:33 +0200 Subject: [PATCH 111/355] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1cae9172..39e93961 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
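Review bot: The new condition `[ -n "${DMIDECODEBINARY}" -a -x "${DMIDECODEBINARY}" -a ${PRIVILEGED} -eq 1 ]` relies on the obsolescent `-a` operator, and `${PRIVILEGED}` is unquoted, so an empty value makes `test` fail with a syntax error instead of evaluating false. `if [ -n "${DMIDECODEBINARY}" ] && [ -x "${DMIDECODEBINARY}" ] && [ "${PRIVILEGED:-0}" -eq 1 ]; then` is the portable form. The rewritten pipeline on the next changed line still calls bare `awk` while the rest of the file uses `${AWKBINARY}`; using the resolved binary keeps this path consistent with the binary checks the commit message says have already run.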
@@ -154,6 +154,7 @@ Using the relevant options, the scan will change base on the intended goal. - Do not show tool tips when quiet option is used - Improved screen output in several tests - Extended output of 'lynis update info' +- Improved support for NetBSD - Test if profiles are readable - systemd service file adjusted - bash completion script extended From a38e2b535e09ec12e58a9243ef942c9f778acb7a Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 31 Mar 2020 16:31:41 +0200 Subject: [PATCH 112/355] Corrected case where binaries were not checked while we do want to use dmidecode if it available --- include/functions | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/functions b/include/functions index fd47cd3d..63cc4864 100644 --- a/include/functions +++ b/include/functions @@ -1774,6 +1774,8 @@ # dmidecode # Values: VMware Virtual Platform / VirtualBox if [ -z "${SHORT}" ]; then + # Try to find dmidecode in case we did not check binaries (e.g. lynis show environment) + if [ ${CHECK_BINARIES} -eq 0 ]; then DMIDECODEBINARY=$(command -v dmidecode 2> /dev/null); fi if [ -n "${DMIDECODEBINARY}" -a -x "${DMIDECODEBINARY}" -a ${PRIVILEGED} -eq 1 ]; then LogText "Test: trying to guess virtualization with dmidecode" FIND=$(${DMIDECODEBINARY} -s system-product-name | awk '{ print $1 }') From 179f7d3442d4821972e77fe3355e3bb479981f4a Mon Sep 17 00:00:00 2001 From: Topi Miettinen Date: Tue, 31 Mar 2020 17:55:49 +0300 Subject: [PATCH 113/355] Enhance binaries report Report also number of set-uid and set-gid binaries found. Signed-off-by: Topi Miettinen --- include/binaries | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/include/binaries b/include/binaries index 5884fc0c..5f23f13a 100644 --- a/include/binaries +++ b/include/binaries 
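Review bot: When `CHECK_BINARIES` is 0 the new line resolves `dmidecode` through the caller's PATH via `command -v`, rather than through the directories the binaries scan normally walks, and the result is then executed because the next condition only requires `PRIVILEGED` to be 1. For a privileged `show environment` run that means whichever dmidecode is first on the invoking user's PATH is executed as root, which the log does not currently record. Logging the resolved path, `LogText "Result: using dmidecode binary ${DMIDECODEBINARY}"`, or restricting the lookup to the usual system directories, would make that choice visible in the audit log. I am inferring the PATH handling from this line alone; the enclosing function starts outside the hunk.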
@@ -74,6 +74,10 @@ fi done + NSUID_BINARIES=0 + NSGID_BINARIES=0 + SUID_BINARIES= + SGID_BINARIES= # Now perform binary detection for SCANDIR in ${BIN_PATHS}; do SCANDIR=$(echo "${SCANDIR}" | sed 's/!!space!!/ /g') @@ -115,6 +119,14 @@ COUNT=$((COUNT + 1)) BINARY="${SCANDIR}/${FILENAME}" DISCOVERED_BINARIES="${DISCOVERED_BINARIES}${BINARY} " + if [ -u ${BINARY} ]; then + NSUID_BINARIES=$((NSUID_BINARIES + 1)) + SUID_BINARIES="${SUID_BINARIES}${BINARY} " + fi + if [ -g ${BINARY} ]; then + NSGID_BINARIES=$((NSGID_BINARIES + 1)) + SGID_BINARIES="${SGID_BINARIES}${BINARY} " + fi # Optimized, much quicker (limited file access needed) case ${FILENAME} in aa-status) AASTATUSBINARY=${BINARY}; LogText " Found known binary: aa-status (apparmor component) - ${BINARY}" ;; @@ -311,8 +323,10 @@ BINARY_SCAN_FINISHED=1 BINARY_PATHS_FOUND=$(echo ${BINARY_PATHS_FOUND} | sed 's/^, //g' | sed 's/, /,/g') LogText "Discovered directories: ${BINARY_PATHS_FOUND}" - LogText "Result: found ${COUNT} binaries" - Report "binaries_count=${COUNT}" + LogText "Result: found ${COUNT} binaries including ${NSUID_BINARIES} set-uid and ${NSGID_BINARIES} set-gid" + LogText "Result: set-uid binaries: ${SUID_BINARIES}" + LogText "Result: set-gid binaries: ${SGID_BINARIES}" + Report "binaries_count=${COUNT} suid_count=${SUID_BINARIES} sgid_count=${SGID_BINARIES}" Report "binary_paths=${BINARY_PATHS_FOUND}" # Test if the basic system tools are defined. These will be used during the audit. From c5914c4e0f5a6d48034107c0627a3e2e8f640210 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 1 Apr 2020 11:48:39 +0200 Subject: [PATCH 114/355] Split count values so they are reported as individual items --- include/binaries | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/include/binaries b/include/binaries index 5f23f13a..4555378d 100644 --- a/include/binaries +++ b/include/binaries 
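Review bot: The new `[ -u ${BINARY} ]` and `[ -g ${BINARY} ]` tests leave `${BINARY}` unquoted, while the same hunk builds `BINARY` from `SCANDIR`, whose `!!space!!` placeholder has just been turned back into real spaces a few lines earlier; a directory with a space would therefore split into two test operands. Quoting them, `if [ -u "${BINARY}" ]; then` and `if [ -g "${BINARY}" ]; then`, costs nothing and matches the quoting already used on the `sed` line above. The space-separated `SUID_BINARIES` and `SGID_BINARIES` lists have the same limitation, which is worth a comment if it is accepted. The enclosing loop starts outside the hunk.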
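Review bot: The `suid_count=` and `sgid_count=` fields in the new Report line are filled from `${SUID_BINARIES}` and `${SGID_BINARIES}`, which hold the space-separated path lists, while the counters `NSUID_BINARIES` and `NSGID_BINARIES` computed earlier in this commit are only written to the log. The line should read `Report "binaries_count=${COUNT} suid_count=${NSUID_BINARIES} sgid_count=${NSGID_BINARIES}"`. The following commit, which splits this into `binaries_suid_count=` and `binaries_sgid_count=`, keeps the same list variables, so the same correction applies there. A path list in a `_count` field is misleading to anyone reading the report and is likely to trip tooling that parses it as a number.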
@@ -326,7 +326,9 @@ LogText "Result: found ${COUNT} binaries including ${NSUID_BINARIES} set-uid and ${NSGID_BINARIES} set-gid" LogText "Result: set-uid binaries: ${SUID_BINARIES}" LogText "Result: set-gid binaries: ${SGID_BINARIES}" - Report "binaries_count=${COUNT} suid_count=${SUID_BINARIES} sgid_count=${SGID_BINARIES}" + Report "binaries_count=${COUNT}" + Report "binaries_suid_count=${SUID_BINARIES}" + Report "binaries_sgid_count=${SGID_BINARIES}" Report "binary_paths=${BINARY_PATHS_FOUND}" # Test if the basic system tools are defined. These will be used during the audit. From 7e3c9448df1bea8344597bcc4a1732c51430bf1a Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 1 Apr 2020 16:16:31 +0200 Subject: [PATCH 115/355] [TIME-3104] search for files using find and strip potential characters that may be unexpected --- include/tests_time | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/include/tests_time b/include/tests_time index 23fd0965..7c15d0a3 100644 --- a/include/tests_time +++ b/include/tests_time 
@@ -163,22 +163,28 @@ fi done - # Don't run check in cron job directory on Solaris - # /etc/cron.d/FIFO is a special file and test get stuck at this file + # Notes: only test for normal files. File /etc/cron.d/FIFO on solaris is a special file and test may hang + # Linux systems may have a .placeholder file FOUND_IN_CRON=0 # Check cron jobs for I in ${CRON_DIRS}; do if [ -d ${I} ]; then if FileIsReadable ${I}; then - FIND=$(${LSBINARY} ${I} | ${GREPBINARY} -v FIFO) + FIND=$(${FINDBINARY} ${I} -type f -a ! -name ".placeholder" -print 2> /dev/null | ${SEDBINARY} 's/ /__space__/g' | ${TRBINARY} '\n' '\0' | ${TRBINARY} -cd '[:print:]\0' | ${TRBINARY} '\0' ' ') if [ -n "${FIND}" ]; then for J in ${FIND}; do - LogText "Test: checking for ntpdate or rdate in ${I}/${J}" - FIND2=$(${EGREPBINARY} "rdate|ntpdate" ${I}/${J} | ${GREPBINARY} -v "^#") - if [ -n "${FIND2}" ]; then - LogText "Positive match found: ${FIND2}" - FOUND=1; FOUND_IN_CRON=1; NTP_CONFIG_TYPE_SCHEDULED=1 + # Place back spaces if needed + J=$(echo ${J} | ${SEDBINARY} 's/__space__/ /g') + LogText "Test: checking for ntpdate or rdate in ${J}" + if FileIsReadable ${J}; then + FIND2=$(${EGREPBINARY} "rdate|ntpdate" "${J}" | ${GREPBINARY} -v "^#") + if [ -n "${FIND2}" ]; then + LogText "Positive match found: ${FIND2}" + FOUND=1; FOUND_IN_CRON=1; NTP_CONFIG_TYPE_SCHEDULED=1 + fi + else + LogText "Result: could not test in file '${J}' as it is not readable" fi done else From f232b4f9bbb1592b37d2af4938f940b03a61d54d Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 1 Apr 2020 16:18:03 +0200 Subject: [PATCH 116/355] Added quotes --- include/tests_filesystems | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/include/tests_filesystems b/include/tests_filesystems index 51d22760..aabdc2be 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems 
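Review bot: After the `__space__` placeholder is turned back into real spaces, `J` is used unquoted in `echo ${J}` and in `FileIsReadable ${J}`, so a cron file whose path contains a space is split into two arguments at exactly the point the new escaping was meant to protect; only the later `${EGREPBINARY}` call quotes it. The readability check should be `if FileIsReadable "${J}"; then` and the restore line `J=$(printf '%s\n' "${J}" | ${SEDBINARY} 's/__space__/ /g')`. The `tr -cd '[:print:]\0'` stage silently drops non-printable bytes from file names, which is a reasonable defensive choice but would benefit from a comment saying that such names are deliberately mangled rather than skipped. The enclosing loop over `CRON_DIRS` starts and ends outside the hunk.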
@@ -580,7 +580,7 @@ FS_FSTAB="" fi fi - if [ -z "${FS_FSTAB}" ]; then # not found in fstab, check if mounted otherwise + if [ -z "${FS_FSTAB}" ]; then # not found in fstab, check if mounted otherwise FS_FSTAB=$(mount | ${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($3==fs) { print $6 } }') FOUND_FLAGS=$(mount | ${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($1~"[^#]" && $3==fs) { print $6 } }' | ${SEDBINARY} 's/,/ /g' | ${TRBINARY} '\n' ' ') else @@ -668,7 +668,6 @@ # Description : Check for nodirtime option # Want to contribute to Lynis? Create this test - # ################################################################################# # @@ -676,7 +675,6 @@ # Description : Check for relatime # Want to contribute to Lynis? Create this test - # ################################################################################# # @@ -695,12 +693,12 @@ if [ ${SKIPTEST} -eq 0 ]; then SWAPLEVEL=$(${CAT_BINARY} /proc/sys/vm/swappiness) LogText "Test: checking level of vm.swappiness: ${SWAPLEVEL}" - PHYSDISK=$(${LSBLKBINARY} | ${GREPBINARY} -E 'disk|SWAP' | ${GREPBINARY} -B1 SWAP | ${HEADBINARY} -n1 | ${AWKBINARY} '{print $1}') + PHYSDISK=$(${LSBLKBINARY} | ${GREPBINARY} -E 'disk|SWAP' | ${GREPBINARY} -B1 SWAP | ${HEADBINARY} -n1 | ${AWKBINARY} '{print $1}') if [ ${SWAPLEVEL} -gt 60 ]; then LogText "Result: vm.swappiness=${SWAPLEVEL} meaning that swapping is more frequent than default." - # Check if swap is on a HDD or SDD for frequent swapping - if [ -d /sys/block/${PHYSDISK} ]; then - HDDORSDD=$(${CAT_BINARY} /sys/block/${PHYSDISK}/queue/rotational) + # Check if swap is on a HDD or SDD for frequent swapping + if [ -d "/sys/block/${PHYSDISK}" ]; then + HDDORSDD=$(${CAT_BINARY} "/sys/block/${PHYSDISK}/queue/rotational") if [ ${HDDORSDD} -eq 1 ]; then ReportSuggestion "${TEST_NO}" "vm.swappiness set to: ${SWAPLEVEL} > 60 (default) - consider installing an SSD for swap partition for better performance." fi 
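Review bot: In the swappiness hunk, `PHYSDISK` is empty whenever `lsblk` shows no `SWAP` row (swap on a file, or no swap at all), and the new quoted test `[ -d "/sys/block/${PHYSDISK}" ]` then succeeds for `/sys/block/` itself; the following `cat` of `/sys/block//queue/rotational` fails, `HDDORSDD` stays empty and `[ ${HDDORSDD} -eq 1 ]` raises a "unary operator expected" error instead of a clean skip. A guard on the variable avoids this, `if [ -n "${PHYSDISK}" ] && [ -d "/sys/block/${PHYSDISK}" ]; then`, and `${HDDORSDD}` should be quoted in the comparison for the same reason. This only triggers when swappiness is above 60, which is why it is easy to miss in testing. The enclosing test block continues outside the hunk.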
@@ -708,7 +706,7 @@ elif [ ${SWAPLEVEL} -eq 0 ]; then LogText "Result: vm.swappiness=${SWAPLEVEL} meaning swapping is disabled." ReportSuggestion "${TEST_NO}" "vm.swappiness set to: ${SWAPLEVEL}. Consider setting value to minimum of 1 for minimizing swappiness, but not quite disabling it. Will prevent OOM killer from killing processes when running out of physical memory." - elif [ ${SWAPLEVEL} -eq 1]; then + elif [ ${SWAPLEVEL} -eq 1 ]; then LogText "Result: vm.swappiness=${SWAPLEVEL} meaning that swapping can still occur but at very minimum." elif [ ${SWAPLEVEL} -eq 10 ]; then LogText "Result: vm.swappiness=${SWAPLEVEL} which is the preferred setting for database servers." @@ -717,6 +715,7 @@ else LogText "Result: vm.swappiness=${SWAPLEVEL} which is the standard level of swappiness and works well for desktop systems." fi + if IsVerbose; then Display --indent 2 --text "- Swappiness: ${SWAPLEVEL}" --result "INFO" --color WHITE; fi fi # ################################################################################# From 4cf21ebdcc3310265fd923907b08080f6af0f346 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 1 Apr 2020 16:19:09 +0200 Subject: [PATCH 117/355] Added FILE-6394 --- db/tests.db | 1 + 1 file changed, 1 insertion(+) diff --git a/db/tests.db b/db/tests.db index d401424c..48430806 100644 --- a/db/tests.db +++ b/db/tests.db @@ -122,6 +122,7 @@ FILE-6368:test:security:filesystems:Linux:Checking ACL support on root file syst FILE-6372:test:security:filesystems:Linux:Checking / mount options: FILE-6374:test:security:filesystems:Linux:Linux mount options: FILE-6376:test:security:filesystems:Linux:Determine if /var/tmp is bound to /tmp: +FILE-6394:test:performance:filesystems:Linux:Test swappiness of virtual memory: FILE-6410:test:security:filesystems::Checking Locate database: FILE-6430:test:security:filesystems::Disable mounting of some filesystems: FILE-6439:test:security:filesystems:DragonFly:Checking HAMMER PFS mounts: 
From c309ad7bdc1f365eca3e28b33a3a647fc2c91355 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 1 Apr 2020 16:19:54 +0200 Subject: [PATCH 118/355] Updated log --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 39e93961..e3afdbfb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -54,6 +54,7 @@ Using the relevant options, the scan will change base on the intended goal. - New test: CRYP-8004 - presence of hardware random number generator - New test: CRYP-8005 - presence of software random number generator - New test: DBS-1828 - PostgreSQL configuration files +- New test: FILE-6394 - test virtual memory swappiness (Linux) - New test: FINT-4316 - presence of AIDE database and size test - New test: FINT-4340 - check dm-integrity status (Linux) - New test: FINT-4341 - verify status of dm-verity (Linux) @@ -141,6 +142,7 @@ Using the relevant options, the scan will change base on the intended goal. - SSH-7408 - corrected OpenSSH server version check - STRG-1840 - renamed to USB-1000 - STRG-1842 - added default authorized devices and renamed to USB-2000 +- TIME-3104 - use find to discover files in cron directories - TOOL-5002 - differentiate between a discovered binary and running process - TOOL-5160 - added support for OSSEC agent daemon - Perform additional check to ensure pacman package manager is used From 4432f9304485c0c1615b8772d19065c5fc7e7e4c Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 1 Apr 2020 16:32:52 +0200 Subject: [PATCH 119/355] [LOGG-2190] skip mysqld related entries --- include/tests_logging | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/include/tests_logging b/include/tests_logging index 7f254147..292940e3 100644 --- a/include/tests_logging +++ b/include/tests_logging 
@@ -534,12 +534,7 @@ LSOF_GREP="WARNING|Output information" # MySQL versions prior to 5.6 leave lots of deleted in-use files in /tmp, ignoring those - if [ -n "${DPKGBINARY}" ]; then - EARLY_MYSQL=$(${DPKGBINARY} -l | ${EGREPBINARY} mysql-server-5.[0-5]) - elif [ -n "${RPMBINARY}" ]; then - EARLY_MYSQL=$(${RPMBINARY} -qa mariadb | ${EGREPBINARY} mariadb-5.[0-5]) - fi - if [ -n "${EARLY_MYSQL}" ]; then LSOF_GREP="${LSOF_GREP}|mysqld"; fi + LSOF_GREP="${LSOF_GREP}|mysqld" # grsecurity causes Fail2Ban to hold onto deleted in-use files in /var/tmp if [ ${GRSEC_FOUND} -eq 1 ]; then LSOF_GREP="${LSOF_GREP}|fail2ban"; fi From 2c4ed62ef6cf82ae2af5c0ea2b4f39001f1ec32a Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 1 Apr 2020 16:32:59 +0200 Subject: [PATCH 120/355] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index e3afdbfb..40844409 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -116,6 +116,7 @@ Using the relevant options, the scan will change base on the intended goal. - KRNL-5820 - extended check to include limits.d directory - KRNL-5830 - skip test partially when running non-privileged - LOGG-2154 - added support for rsyslog configurations +- LOGG-2190 - skip mysqld related entries - MACF-6234 - SELinux tests extended - MAIL-8804 - replaced static strings with translation-aware strings - MALW-3280 - Kaspersky detection added From 156f740ff2fae6a39bc763e66df2ea17cd87d5b7 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 1 Apr 2020 19:02:11 +0200 Subject: [PATCH 121/355] The IsRunning function may have not everything defined early on, so added a fallback --- include/functions | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/include/functions b/include/functions index 63cc4864..b99fdc53 100644 --- a/include/functions +++ b/include/functions 
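Review bot: The unconditional `LSOF_GREP="${LSOF_GREP}|mysqld"` now excludes every mysqld process from the deleted-in-use-files check on every system, where the removed code limited the exclusion to MySQL/MariaDB 5.0–5.5 installations. Deleted-but-open files under a database process are one of the signals this test exists for, so the blanket skip reduces coverage without leaving a trace in the log. If the simplification is intended, a log line next to it, `LogText "Note: mysqld entries are excluded from the deleted file check"`, makes the gap visible to whoever reads the report, and the comment above the line should be reworded since it still talks about versions prior to 5.6. The enclosing test block starts outside the hunk.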
@@ -1546,7 +1546,7 @@ if [ -z "${search}" ]; then ExitFatal "Missing process to search for when using IsRunning function"; fi RUNNING=0 # AIX does not fully support pgrep options, so using ps instead - if [ -n "${PGREPBINARY}" ] && [ "${OS}" != "AIX" ]; then + if [ "${OS}" != "AIX" ]; then # When --user is used, perform a search using the -u option # Initialize users for strict mode if [ -n "${users:-}" ]; then 
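Review bot: Dropping `-n "${PGREPBINARY}"` from the condition means the `ps`-based branch below is now reachable only on AIX; on any other system where pgrep is absent, the `${PGREPBINARY:-pgrep}` fallback introduced in the next hunk runs a command that does not exist, `FIND` ends up empty and the caller is told the process is not running. Keeping the fallback while preserving the old escape hatch is one line, `if [ "${OS}" != "AIX" ] && command -v "${PGREPBINARY:-pgrep}" >/dev/null 2>&1; then`. A comment on why the binary check was removed (the `show` command calling IsRunning before binaries are scanned, per the commit message) would also help, since the later commit's note in the function header only partly explains it. The IsRunning function starts and ends outside the hunk.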
@@ -1556,33 +1556,33 @@ if [ -n "${user_uid}" ]; then if [ -z "${FIND}" ]; then LogText "Performing pgrep scan using uid ${user_uid}" - FIND=$(${PGREPBINARY} ${pgrep_options} -u "${user_uid}" "${search}" | ${TRBINARY} '\n' ' ') + FIND=$(${PGREPBINARY:-pgrep} ${pgrep_options} -u "${user_uid}" "${search}" | ${TRBINARY:-tr} '\n' ' ') fi fi done else LogText "Performing pgrep scan without uid" - FIND=$(${PGREPBINARY} ${pgrep_options} "${search}" | ${TRBINARY} '\n' ' ') + FIND=$(${PGREPBINARY:-pgrep} ${pgrep_options} "${search}" | ${TRBINARY} '\n' ' ') fi else if [ "${SHELL_IS_BUSYBOX}" -eq 1 ]; then # This search is not foolproof LogText "Performing simple ps scan (busybox)" PSOPTIONS=" -o args=" - FIND=$(${PSBINARY} ${PSOPTIONS} | ${EGREPBINARY} "( |/)${search}" | ${GREPBINARY} -v "grep") + FIND=$(${PSBINARY:-ps} ${PSOPTIONS} | ${EGREPBINARY:-egrep} "( |/)${search}" | ${GREPBINARY:-grep} -v "grep") else if [ -n "${users}" ]; then for u in ${users}; do - user_uid=$(getent passwd "${u}" 2> /dev/null | ${AWKBINARY} -F: '{print $3}') + user_uid=$(getent passwd "${u}" 2> /dev/null | ${AWKBINARY:-awk} -F: '{print $3}') # Only perform search if user exists and we had no match yet if [ -n "${user_uid}" ]; then if [ -z "${FIND}" ]; then if [ ${PARTIAL_SEARCH} -eq 1 ]; then LogText "Performing ps scan using partial match and for uid ${user_uid}" - FIND=$(${PSBINARY} -u "${user_uid}" -o comm= "${search}" | ${AWKBINARY} -v pattern="${search}" '$0 ~ pattern {print}') + FIND=$(${PSBINARY:-ps} -u "${user_uid}" -o comm= "${search}" | ${AWKBINARY:-awk} -v pattern="${search}" '$0 ~ pattern {print}') else LogText "Performing ps scan using exact match and for uid ${user_uid}" - FIND=$(${PSBINARY} -u "${user_uid}" -o comm= "${search}" | ${AWKBINARY} -v pattern="^${search}$" '$0 ~ pattern {print}') + FIND=$(${PSBINARY:-ps} -u "${user_uid}" -o comm= "${search}" | ${AWKBINARY:-awk} -v pattern="^${search}$" '$0 ~ pattern {print}') fi fi fi 
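Review bot: The busybox branch falls back to `${EGREPBINARY:-egrep}`, and `egrep` is flagged as obsolescent by recent GNU grep releases (they print a warning on every call), so the fallback may emit noise or disappear on newer systems; `${GREPBINARY:-grep} -E` expresses the same search with a command that is guaranteed to exist. The `${PSBINARY:-ps} -u "${user_uid}" -o comm= "${search}"` lines also pass the search term as a positional argument to ps, which ps does not interpret; the awk stage does the matching, so the extra argument looks like a leftover and deserves either removal or a comment. The IsRunning function starts and ends outside the hunk.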
@@ -1595,10 +1595,10 @@ esac if [ ${PARTIAL_SEARCH} -eq 1 ]; then LogText "Performing ps scan using partial match and without uid" - FIND=$(${PSBINARY} ${PSOPTIONS} | ${AWKBINARY} -v pattern="${search}" '$0 ~ pattern {print}') + FIND=$(${PSBINARY:-ps} ${PSOPTIONS} | ${AWKBINARY:-awk} -v pattern="${search}" '$0 ~ pattern {print}') else LogText "Performing ps scan using exact match and without uid" - FIND=$(${PSBINARY} ${PSOPTIONS} | ${AWKBINARY} -v pattern="^${search}$" '$0 ~ pattern {print}') + FIND=$(${PSBINARY:-ps} ${PSOPTIONS} | ${AWKBINARY:-awk} -v pattern="^${search}$" '$0 ~ pattern {print}') fi fi fi From b5a2d11738cf72691f3b09c48a4c647a4c499277 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Thu, 2 Apr 2020 09:28:41 +0200 Subject: [PATCH 122/355] Added fallback for awk/tr, small code enhancement, added note --- include/functions | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/include/functions b/include/functions index b99fdc53..492ade27 100644 --- a/include/functions +++ b/include/functions @@ -1516,6 +1516,7 @@ # Returns : 0 (process is running), 1 (process not running) # RUNNING (1 = running, 0 = not running) - will be deprecated # Notes : PSOPTIONS are declared globally, to prevent testing each call + # Fallback is used on binaries as IsRunning is used for 'show' command ################################################################################ IsRunning() { 
@@ -1548,10 +1549,10 @@ # AIX does not fully support pgrep options, so using ps instead if [ "${OS}" != "AIX" ]; then # When --user is used, perform a search using the -u option - # Initialize users for strict mode + # Initialize users for strict mode if [ -n "${users:-}" ]; then for u in ${users}; do - user_uid=$(getent passwd "${u}" 2> /dev/null | ${AWKBINARY} -F: '{print $3}') + user_uid=$(getent passwd "${u}" 2> /dev/null | ${AWKBINARY:-awk} -F: '{print $3}') # Only perform search if user exists and we had no match yet if [ -n "${user_uid}" ]; then if [ -z "${FIND}" ]; then @@ -1562,7 +1563,7 @@ done else LogText "Performing pgrep scan without uid" - FIND=$(${PGREPBINARY:-pgrep} ${pgrep_options} "${search}" | ${TRBINARY} '\n' ' ') + FIND=$(${PGREPBINARY:-pgrep} ${pgrep_options} "${search}" | ${TRBINARY:-tr} '\n' ' ') fi else if [ "${SHELL_IS_BUSYBOX}" -eq 1 ]; then @@ -1862,7 +1863,7 @@ fi # Check if we caught some string along all tests - if [ ! "${SHORT}" = "" ]; then + if [ -n "${SHORT}" ]; then # Lowercase and see if we found a match SHORT=$(echo ${SHORT} | awk '{ print $1 }' | tr '[:upper:]' '[:lower:]') From 9642bcffc839f4713558f927f4202ce3dd3588fd Mon Sep 17 00:00:00 2001 From: Topi Miettinen Date: Fri, 27 Mar 2020 11:25:31 +0200 Subject: [PATCH 123/355] [CRYP-7902] Optionally check also certificates provided by packages The package maintainers are not immune to mistakes or they might not always provide timely updates, so let's check (optionally) more certificates even if they are delivered by packages. I found three expired certificates in my Debian/unstable system, thanks to changed Lynis. Signed-off-by: Topi Miettinen --- CHANGELOG.md | 1 + default.prf | 3 ++- include/consts | 1 + include/profiles | 7 +++++++ include/tests_crypto | 4 ++-- 5 files changed, 13 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 40844409..14d77906 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
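Review bot: In the last hunk on this line, the normalisation `SHORT=$(echo ${SHORT} | awk '{ print $1 }' | tr '[:upper:]' '[:lower:]')` still calls bare `awk` and `tr` and echoes `${SHORT}` unquoted, while the rest of this commit standardises on `${AWKBINARY:-awk}` and `${TRBINARY:-tr}` fallbacks. Bringing it in line is one change, `SHORT=$(printf '%s\n' "${SHORT}" | ${AWKBINARY:-awk} '{ print $1 }' | ${TRBINARY:-tr} '[:upper:]' '[:lower:]')`. The `# Initialize users for strict mode` comment in the first hunk only had its indentation changed, which is fine but is worth knowing when reading the diffstat. The enclosing functions start and end outside these hunks.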
@@ -95,6 +95,7 @@ Using the relevant options, the scan will change base on the intended goal. - BANN-7126 - additional words for login banner are accepted - BOOT-5122 - check for defined password in all GRUB configuration files - CONT-8106 - support newer 'docker info' output +- CRYP-7902 - optionally check also certificates provided by packages - CRYP-8002 - gather kernel entropy on Linux systems - FILE-6310 - support for HP-UX - FILE-6374 - changed log and allow root location to be changed diff --git a/default.prf b/default.prf index f59e50c2..6ff3eac2 100644 --- a/default.prf +++ b/default.prf @@ -93,8 +93,9 @@ skip-plugins=no #skip-upgrade-test=yes # Locations where to search for SSL certificates (separate paths with a colon) -ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/var/www:/srv/www +ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/usr/share/ca-certificates:/usr/share/gnupg:/var/www:/srv/www ssl-certificate-paths-to-ignore=/etc/letsencrypt/archive: +ssl-certificate-include-packages=no # Scan type - how deep the audit should be (light, normal or full) test-scan-mode=full diff --git a/include/consts b/include/consts index 3969aad5..80548c6b 100644 --- a/include/consts +++ b/include/consts @@ -279,6 +279,7 @@ unset LANG SNORTBINARY="" SSHKEYSCANBINARY="" SSHKEYSCANFOUND=0 + SSL_CERTIFICATE_INCLUDE_PACKAGES=0 SSL_CERTIFICATE_PATHS="" SSL_CERTIFICATE_PATHS_TO_IGNORE="" STUNNELBINARY="" diff --git a/include/profiles b/include/profiles index 328d4d49..da2124f7 100644 --- a/include/profiles +++ b/include/profiles 
@@ -376,6 +376,13 @@ AddSetting "ssl-certificate-paths-to-ignore" "${SSL_CERTIFICATE_PATHS_TO_IGNORE}" "Paths that should be ignored for SSL certificates" ;; + # Check also certificates provided by packages? + ssl-certificate-include-packages) + FIND=$(echo "${VALUE}" | grep -E "^(1|true|yes)") && SSL_CERTIFICATE_INCLUDE_PACKAGES=1 + Debug "Check also certificates provided by packages set to ${SSL_CERTIFICATE_INCLUDE_PACKAGES}" + ;; + + # Set strict mode for development and quality purposes strict) FIND=$(echo "${VALUE}" | grep -E "^(1|true|yes)") && SET_STRICT=1 diff --git a/include/tests_crypto b/include/tests_crypto index 466f6b52..e001bb26 100644 --- a/include/tests_crypto +++ b/include/tests_crypto @@ -74,8 +74,8 @@ COUNT_DIR=$((COUNT_DIR + 1)) FileIsReadable "${FILE}" if [ ${CANREAD} -eq 1 ]; then - # Only check the files that are not installed by a package - if ! FileInstalledByPackage "${FILE}"; then + # Only check the files that are not installed by a package, unless enabled by profile + if [ ${SSL_CERTIFICATE_INCLUDE_PACKAGES} -eq 1 ] || ! FileInstalledByPackage "${FILE}"; then OUTPUT=$(${GREPBINARY} -q 'BEGIN CERT' "${FILE}") if [ $? -eq 0 ]; then LogText "Result: file is a certificate file" From 1996b7e0c664bfc331c5de880c843da775525396 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Thu, 2 Apr 2020 13:14:51 +0200 Subject: [PATCH 124/355] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 40844409..cf15b1d8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
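Review bot: The new `ssl-certificate-include-packages)` case uses the unanchored pattern `^(1|true|yes)`, so a value such as `yes-later` or `10` also enables package certificates; the existing `strict)` case uses the same idiom, so this is a consistency choice rather than a regression, but `^(1|true|yes)$` would be the stricter form if the other cases are ever tightened. The hunk also leaves two consecutive blank lines before the `# Set strict mode` comment where the surrounding cases use one. In the tests_crypto hunk, the new condition `[ ${SSL_CERTIFICATE_INCLUDE_PACKAGES} -eq 1 ] || ! FileInstalledByPackage "${FILE}"` reads correctly, though quoting the variable would match the quoting used on `"${FILE}"` in the same line.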
@@ -129,6 +129,7 @@ Using the relevant options, the scan will change base on the intended goal. - PKGS-7388 - only perform check for Debian/Ubuntu/Mint - PKGS-7410 - use multiple package managers when available - PKGS-7410 - added support for Zypper to test number of kernels +- PRNT-2308 - check also SSLListen statements - PROC-3602 - allow different root directory - PROC-3612 - show 'Not found' instead of 'OK' - PROC-3614 - show 'Not found' instead of 'OK' From 4fe1cb92a56f6e008d9bd040f4a0f2c1116fb333 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Thu, 2 Apr 2020 13:15:03 +0200 Subject: [PATCH 125/355] [PRNT-2308] check also SSLListen statements --- include/tests_printers_spools | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/include/tests_printers_spools b/include/tests_printers_spools index 161c9fb3..18c48beb 100644 --- a/include/tests_printers_spools +++ b/include/tests_printers_spools @@ -134,13 +134,14 @@ # # Test : PRNT-2308 # Description : Check CUPS daemon network configuration + # Notes : Listen and SSLListen can be used if [ ${CUPSD_FOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PRNT-2308 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check CUPSd network configuration" if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 # Checking network addresses LogText "Test: Checking CUPS daemon listening network addresses" - FIND=$(${GREPBINARY} "^Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} -v "/" | ${AWKBINARY} '{ print $2 }') + FIND=$(${EGREPBINARY} "^(SSL)?Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} -v "/" | ${AWKBINARY} '{ print $2 }') COUNT=0 for ITEM in ${FIND}; do LogText "Found network address: ${ITEM}" From ca6fc134ddee6b408bf1381a4346b15b0791c8ab Mon Sep 17 00:00:00 2001 
From: Michael Boelen Date: Thu, 2 Apr 2020 13:20:06 +0200 Subject: [PATCH 126/355] Renamed spools to spoolers --- include/{tests_printers_spools => tests_printers_spoolers} | 0 lynis | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename include/{tests_printers_spools => tests_printers_spoolers} (100%) diff --git a/include/tests_printers_spools b/include/tests_printers_spoolers similarity index 100% rename from include/tests_printers_spools rename to include/tests_printers_spoolers diff --git a/lynis b/lynis index 12eea7fb..881b8ade 100755 --- a/lynis +++ b/lynis @@ -980,7 +980,7 @@ ${NORMAL} LogText "Info: perform tests from all categories" INCLUDE_TESTS="boot_services kernel memory_processes authentication shells \ - filesystems usb storage storage_nfs nameservices dns ports_packages networking printers_spools \ + filesystems usb storage storage_nfs nameservices dns ports_packages networking printers_spoolers \ mail_messaging firewalls webservers ssh snmp databases ldap php squid logging \ insecure_services banners scheduling accounting time crypto virtualization containers \ mac_frameworks file_integrity tooling malware file_permissions homedirs \ From 6eb204a85d9e48adef4e8c62bbb794830060ac40 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Thu, 2 Apr 2020 14:45:44 +0200 Subject: [PATCH 127/355] [PRNT-2308] check for Port statement and minor adjustments to test --- include/tests_printers_spoolers | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/include/tests_printers_spoolers b/include/tests_printers_spoolers index 18c48beb..b8435493 100644 --- a/include/tests_printers_spoolers +++ b/include/tests_printers_spoolers 
@@ -144,14 +144,21 @@ FIND=$(${EGREPBINARY} "^(SSL)?Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} -v "/" | ${AWKBINARY} '{ print $2 }') COUNT=0 for ITEM in ${FIND}; do - LogText "Found network address: ${ITEM}" + LogText "Result: found network address: ${ITEM}" COUNT=$((COUNT + 1)) FOUND=1 done - # Check if daemon is only running on localhost + # Search for Port statement + FIND=$(${EGREPBINARY} "^Port 631" ${CUPSD_CONFIG_FILE}) + if [ -n "${FIND}" ]; then + LogText "Result: found CUPS listening on port 631 (most likely all interfaces)" + FOUND=1 + fi + + # Check if daemon might be running on localhost if [ ${FOUND} -eq 0 ]; then - LogText "Result: no listen statement found in CUPS configuration file" + LogText "Result: CUPS does not look to be listening on a network port" elif [ ${COUNT} -eq 1 ]; then if [ "${FIND}" = "localhost:631" -o "${FIND}" = "127.0.0.1:631" ]; then LogText "Result: CUPS daemon only running on localhost" From 64033da973deb14d7632798904b5f24c06816390 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Thu, 2 Apr 2020 14:46:42 +0200 Subject: [PATCH 128/355] Updated log --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index cf15b1d8..87873b19 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -129,7 +129,7 @@ Using the relevant options, the scan will change base on the intended goal. - PKGS-7388 - only perform check for Debian/Ubuntu/Mint - PKGS-7410 - use multiple package managers when available - PKGS-7410 - added support for Zypper to test number of kernels -- PRNT-2308 - check also SSLListen statements +- PRNT-2308 - check also for Port and SSLListen statements - PROC-3602 - allow different root directory - PROC-3612 - show 'Not found' instead of 'OK' - PROC-3614 - show 'Not found' instead of 'OK' From 38a5c2cb79bdf56352555f08472b9ea5c77d0e1f Mon Sep 17 00:00:00 2001 
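Review bot: The new Port search reuses `FIND`, `FIND=$(${EGREPBINARY} "^Port 631" ${CUPSD_CONFIG_FILE})`, but the unchanged `elif [ ${COUNT} -eq 1 ]` branch below still compares `"${FIND}"` against `localhost:631` and `127.0.0.1:631`, expecting it to hold the single Listen address collected in the loop above. After this commit `FIND` contains either nothing or the `Port 631` line at that point, so a configuration with one `Listen localhost:631` and no Port statement can no longer be recognised as localhost-only. Storing the Port result in its own variable, e.g. `FIND_PORT=$(${EGREPBINARY} "^Port 631" ${CUPSD_CONFIG_FILE})` with `if [ -n "${FIND_PORT}" ]; then`, keeps the later comparison meaningful. The pattern `^Port 631` is also unanchored at the end and would match `Port 6310`; `^Port 631$` or `^Port 631[[:space:]]*$` is safer. The test block continues outside the hunk.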
From: Michael Boelen Date: Thu, 2 Apr 2020 19:46:58 +0200 Subject: [PATCH 129/355] Added new test PHP-2382 --- CHANGELOG.md | 1 + db/tests.db | 1 + include/tests_php | 36 ++++++++++++++++++++++++++++++++++++ 3 files changed, 38 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 87873b19..805a18d7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -62,6 +62,7 @@ Using the relevant options, the scan will change base on the intended goal. - New test: INSE-8316 - test for NIS server - New test: NETW-2706 - check DNSSEC (systemd) - New test: NETW-3200 - determine enabled network protocols +- New test: PHP-2382 - detect listen option in PHP (FPM) - New test: PROC-3802 - check presence of prelink tooling - New test: TIME-3180 - report if ntpctl cannot communicate with OpenNTPD - New test: TIME-3181 - check status of OpenNTPD time synchronisation diff --git a/db/tests.db b/db/tests.db index 48430806..ba9778d1 100644 --- a/db/tests.db +++ b/db/tests.db @@ -311,6 +311,7 @@ PHP-2374:test:security:php::Check PHP enable_dl option: PHP-2376:test:security:php::Check PHP allow_url_fopen option: PHP-2378:test:security:php::Check PHP allow_url_include option: PHP-2379:test:security:php::Check PHP suhosin extension status: +PHP-2382:test:security:php::Check PHP listen option: PKGS-7301:test:security:ports_packages::Query NetBSD pkg: PKGS-7302:test:security:ports_packages::Query FreeBSD/NetBSD pkg_info: PKGS-7303:test:security:ports_packages::Query brew package manager: diff --git a/include/tests_php b/include/tests_php index a452781a..0f498fff 100644 --- a/include/tests_php +++ b/include/tests_php 
@@ -463,6 +463,42 @@ #fi # ################################################################################# +# + # Test : PHP-2382 + # Description : Check listen option + # Background : https://github.com/CISOfy/lynis/issues/837 + if [ -n "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no PHP-2382 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP expose_php option" + if [ ${SKIPTEST} -eq 0 ]; then + FOUND=0 + for FILE in ${PHPINI_ALLFILES}; do + # Don't look at this setting in cli configuration + case "${FILE}" in + */cli/*) + continue + ;; + esac + LogText "Test: Checking file ${FILE}" + FIND=$(${EGREPBINARY} -i "^listen = [0-9]{1,5}$" ${FILE}) + if HasData "${FIND}"; then + LogText "Result: found listen on just a port number" + LogText "Data: ${FIND}" + LogText "Note: when possible, limit access to just localhost, so it can't be accessed from outside" + FOUND=1 + fi + done + + if [ ${FOUND} -eq 1 ]; then + Display --indent 4 --text "- Checking listen option" --result "${STATUS_SUGGESTION}" --color YELLOW + #ReportSuggestion "${TEST_NO}" "Limit the listening of FastCGI to just localhost or a local socket" "listen = 127.0.0.1:9000" "-" + AddHP 1 3 + else + Display --indent 4 --text "- Checking listen option" --result "${STATUS_OK}" --color GREEN + AddHP 2 2 + fi + fi +# +################################################################################# # WaitForKeyPress From 52b72e7b0f8122541f4ffc3757238a6dd0dd6af7 Mon Sep 17 00:00:00 2001 From: Kristian S Date: Thu, 2 Apr 2020 21:29:18 +0200 Subject: [PATCH 130/355] extended test KRNL-5830 to detect required reboots on Raspbian --- CHANGELOG.md | 1 + include/tests_kernel | 102 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 103 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 805a18d7..3d6905a9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
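Review bot: The Register line for PHP-2382 carries the description `"Check PHP expose_php option"`, which is copied from the neighbouring test; the tests.db entry added in this same commit reads `PHP-2382:test:security:php::Check PHP listen option:`, so the two should agree, `Register --test-no PHP-2382 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP listen option"`. The pattern `^listen = [0-9]{1,5}$` only flags a bare port with exactly one space on each side of `=`; `listen=9000` or a listen bound to a non-loopback address would pass as OK even though the note in the LogText explains that exposure beyond localhost is the concern, so the comment above the grep should state that only the bare-port form is detected, or the pattern should be widened. `${FILE}` is unquoted in the grep call while the `case` above quotes it. The ReportSuggestion is commented out, so a user currently only sees the Display line without guidance; a short comment saying why it is disabled would help.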
@@ -116,6 +116,7 @@ Using the relevant options, the scan will change base on the intended goal. - KRNL-5788 - don't complain about missing /vmlinuz for Raspi - KRNL-5820 - extended check to include limits.d directory - KRNL-5830 - skip test partially when running non-privileged +- KRNL-5830 - detect required reboots on Raspbian - LOGG-2154 - added support for rsyslog configurations - LOGG-2190 - skip mysqld related entries - MACF-6234 - SELinux tests extended diff --git a/include/tests_kernel b/include/tests_kernel index 4948e0dd..3a97ebde 100644 --- a/include/tests_kernel +++ b/include/tests_kernel @@ -31,6 +31,7 @@ LINUXCONFIGFILE="" LINUXCONFIGFILE_ZIPPED=0 LIMITS_DIRECTORY="${ROOTDIR}etc/security/limits.d" + APT_ARCHIVE_DIRECTORY="${ROOTDIR}var/cache/apt/archives" # ################################################################################# # 
@@ -773,6 +774,107 @@ LogText "Result: /boot does not exist or not privileged to read files" fi + # Attempt to check for Raspbian if reboot is needed + # This check searches for apt package "raspberrypi-kernel-[package-date]", trys to extract the date of packaging from the filename + # and compares that date with the currently running kernel's build date (uname -v). + # Of course there can be a time difference between kernel build and kernel packaging, therefor a time difference of + # 3 days is accepted and it is assumed with only 3 days apart, this must be the same kernel version. + if [ ${REBOOT_NEEDED} -eq 2 ] && [ -d "${APT_ARCHIVE_DIRECTORY}" ]; then + LogText "Result: found folder ${APT_ARCHIVE_DIRECTORY}; assuming this is a debian based distribution" + LogText "Check: try to find raspberrypi-kernel file in ${APT_ARCHIVE_DIRECTORY} and extract package date from file name" + + FOUND_KERNEL_DATE=$(${FINDBINARY} ${APT_ARCHIVE_DIRECTORY} -name "raspberrypi-kernel*" -printf "%T@ %Tc %p\n" 2> /dev/null \ + | ${SORTBINARY} -nr | ${HEADBINARY} -1 | ${GREPBINARY} -o "raspberrypi-kernel.*deb" | ${EGREPBINARY} -o "\.[0-9]+" | ${SEDBINARY} 's/\.//g') + + if [ -n "${FOUND_KERNEL_DATE}" ]; then + FOUND_KERNEL_IN_SECONDS=$(date -d "${FOUND_KERNEL_DATE}" "+%s" 2> /dev/null) + else + LogText "Result: Skipping this test, as there was no package date to extract" + fi + + if [ -n "${FOUND_KERNEL_IN_SECONDS}" ] && [ ${FOUND_KERNEL_IN_SECONDS} -gt 1 ]; then + LogText "Result: Got package date: ${FOUND_KERNEL_DATE} (= ${FOUND_KERNEL_IN_SECONDS} seconds)" + UNAME_OUTPUT="$(${UNAMEBINARY} -v 2> /dev/null)" + else + LogText "Result: Skipping this test, as extracting the seconds of package date failed" + fi + + if [ -n "${UNAME_OUTPUT}" ]; then + LogText "Result: Got an output from 'uname -v'" + LogText "Check: Trying to extract kernel build date from 'uname -v' output" + next="" + for part in ${UNAME_OUTPUT}; do + if [ -z "$next" ]; then + if [ "${part}" = "Mon" ] || [ "${part}" = 
"Tue" ] || [ "${part}" = "Wed" ] || [ "${part}" = "Thu" ] || [ "${part}" = "Fri" ] || [ "${part}" = "Sat" ] || [ "${part}" = "Sun" ]; then + next="month" + fi + elif [ "$next" = "month" ]; then + if [ $(${ECHOCMD} "${part}" | ${EGREPBINARY} -c "[A-Z][a-z]") -ge 1 ]; then + UNAME_DATE_MONTH="${part}" + next="day" + fi + elif [ "${next}" = "day" ]; then + if [ $(${ECHOCMD} ${part} | ${EGREPBINARY} -c "[0-9][0-9]") -ge 1 ]; then + UNAME_DATE_DAY="${part}" + next="time" + fi + elif [ "${next}" = "time" ]; then + if [ $(${ECHOCMD} ${part} | ${EGREPBINARY} -c ":[0-9][0-9]:") -ge 1 ]; then + next="year" + fi + elif [ "${next}" = "year" ]; then + if [ $(${ECHOCMD} ${part} | ${EGREPBINARY} -c "[0-9][0-9]") -ge 1 ]; then + UNAME_DATE_YEAR="${part}" + break + fi + fi + done + if [ -n "${UNAME_DATE_MONTH}" ] && [ -n "${UNAME_DATE_DAY}" ] && [ -n "${UNAME_DATE_YEAR}" ]; then + LogText "Result: Extracted kernel build date is: ${UNAME_DATE_DAY} ${UNAME_DATE_MONTH} ${UNAME_DATE_YEAR}" + UNAME_DATE_IN_SECONDS=$(date -d "${UNAME_DATE_DAY} ${UNAME_DATE_MONTH} ${UNAME_DATE_YEAR}" "+%s" 2> /dev/null) + LogText "Check: Comparing kernel build date in seconds (${UNAME_DATE_IN_SECONDS}s) with package date in seconds (${FOUND_KERNEL_IN_SECONDS}s)" + if [ -n "${UNAME_DATE_IN_SECONDS}" ] && [ ${FOUND_KERNEL_IN_SECONDS} -ge ${UNAME_DATE_IN_SECONDS} ]; then + LogText "Result: package creation date is older than running kernel. Hence, this check should be valid." + LogText "Check if package create date and kernel build date are not more than 3 days apart." 
+ + SECONDS_APART=$(( ${FOUND_KERNEL_IN_SECONDS} - ${UNAME_DATE_IN_SECONDS} )) + if [ ${SECONDS_APART} -ge 60 ]; then + MINUTES_APART=$(( ${SECONDS_APART} / 60 )) + if [ ${MINUTES_APART} -ge 60 ]; then + DAYS_APART=$(( ${MINUTES_APART} / 60 )) + if [ ${DAYS_APART} -ge 24 ]; then DAYS_APART=$(( ${DAYS_APART} / 24 )); else DAYS_APART=0; fi + else + DAYS_APART=0 + fi + else + DAYS_APART=0 + fi + # assuming kernels are packaged definitely within 3 days. ACCEPTED_TIME_DIFF needs a value in seconds + ACCEPTED_TIME_DIFF=$((3 * 24 * 60 * 60)) + if [ ${FOUND_KERNEL_IN_SECONDS} -le $((${UNAME_DATE_IN_SECONDS} + ${ACCEPTED_TIME_DIFF})) ]; then + LogText "Result: package create date and kernel build date are only ${DAYS_APART} day(s) apart." + LogText "Result: Assuming no reboot needed." + REBOOT_NEEDED=0 + else + LogText "Result: package create date and kernel build date are ${DAYS_APART} day(s) apart." + LogText "Result: Assuming reboot is needed." + REBOOT_NEEDED=1 + fi + else + LogText "Result: Package's create date is older than running kernel, which is unexpected. Might not be a valid test. Skipping..." + fi + else + LogText "Result: Could not extract Day, Month and Year from 'uname -v' output" + fi + else + LogText "Result: Did not get output from 'uname -v'. Skipping test." + fi + + + else + LogText "Result: /var/cache/apt/archives/ does not exist" + fi + # Display discovered status if [ ${REBOOT_NEEDED} -eq 0 ]; then Display --indent 2 --text "- Check if reboot is needed" --result "${STATUS_NO}" --color GREEN From 4bcd695428d7fb81e6ab8000a1d906b2e5043a7c Mon Sep 17 00:00:00 2001 From: Brian Ginsbach Date: Thu, 2 Apr 2020 15:59:11 -0500 Subject: [PATCH 131/355] AUTH-9268 Add DragonFly DragonFly also supports PAM. Rework to use the `--os` option of `Register` rather than `--preqs-met` as the former can support a list. --- include/tests_authentication | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) 
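Review bot: The day-of-month extraction `${EGREPBINARY} -c "[0-9][0-9]"` requires two digits, so for kernels built on the 1st–9th (a `uname -v` containing `Fri Apr 3 12:00:00`) the day is not captured, the time field `12:00:00` is then taken as the day, the year is never found and the check silently ends in the "Could not extract Day, Month and Year" branch; `^[0-9]{1,2}$` for the day (and `^[0-9]{4}$` for the year) matches what those parts actually look like. The log text in the `-ge` branch is inverted: that branch runs when the package date is newer than or equal to the kernel build date, yet it logs "package creation date is older than running kernel"; `LogText "Result: package date is not older than running kernel build date. Hence, this check should be valid."` says what was tested. The 3-day tolerance also yields a false negative whenever a kernel package dated within three days of the running kernel's build date was installed but not yet booted, which belongs in the ACCEPTED_TIME_DIFF comment so nobody reads `REBOOT_NEEDED=0` as certain. `FOUND_KERNEL_IN_SECONDS`, `UNAME_OUTPUT` and the `UNAME_DATE_*` variables are never cleared before the `-n` checks, so an `unset` at the top of the block would stop a leftover value from earlier code steering the comparison. The enclosing KRNL-5830 test starts before this hunk.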
diff --git a/include/tests_authentication b/include/tests_authentication
index d005882a..a0402042 100644
--- a/include/tests_authentication
+++ b/include/tests_authentication
@@ -817,13 +817,8 @@
 # Test : AUTH-9268
 # Description : Searching available PAM files
 # Notes : PAM is used on AIX, FreeBSD, Linux, HPUX, NetBSD, Solaris
- case "${OS}" in
- "AIX"|"FreeBSD"|"Linux"|"HPUX"|"NetBSD"|"Solaris")
- PREQS_MET="YES" ;;
- *)
- PREQS_MET="NO" ;;
- esac
- Register --test-no AUTH-9268 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking presence pam.d files"
+ OS_USES_PAM="AIX DragonFly FreeBSD Linux HPUX NetBSD Solaris"
+ Register --test-no AUTH-9268 --os "${OS_USES_PAM}" --weight L --network NO --category security --description "Checking presence pam.d files"
 if [ ${SKIPTEST} -eq 0 ]; then
 FOUND=0
 LogText "Test: Searching pam modules"

From 6308682caee9a060e9915c8b85be36ef015ced7c Mon Sep 17 00:00:00 2001
From: Brian Ginsbach
Date: Thu, 2 Apr 2020 14:00:23 -0500
Subject: [PATCH 132/355] Combine AUTH-9218 and AUTH-9489

These two tests are essentially identical. There is no need separate the DragonFly and FreeBSD tests. This will make it easier to add support for other BSD systems.
---
 db/tests.db | 1 -
 include/tests_authentication | 46 +-----------------------------------
 2 files changed, 1 insertion(+), 46 deletions(-)

diff --git a/db/tests.db b/db/tests.db
index 48430806..6f1b9974 100644
--- a/db/tests.db
+++ b/db/tests.db
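Review bot: The `# Notes : PAM is used on AIX, FreeBSD, Linux, HPUX, NetBSD, Solaris` comment kept as context no longer matches the OS list one line below, which now also names DragonFly; update it to `# Notes : PAM is used on AIX, DragonFly, FreeBSD, Linux, HPUX, NetBSD, Solaris` so the comment and `OS_USES_PAM` do not drift apart. Passing a space-separated list to `--os` assumes Register splits that value on whitespace, which the commit message asserts but this hunk does not show. The `if [ ${SKIPTEST} -eq 0 ]` body continues outside the hunk.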
@@ -49,7 +49,6 @@ AUTH-9406:test:security:authentication::Query LDAP servers in client configurati AUTH-9408:test:security:authentication::Logging of failed login attempts via /etc/login.defs: AUTH-9409:test:security:authentication:OpenBSD:Check for doas file: AUTH-9410:test:security:authentication:OpenBSD:Check for doas file permissions: -AUTH-9489:test:security:authentication:DragonFly:Check login shells for passwordless accounts: BANN-7113:test:security:banners:FreeBSD:Check COPYRIGHT banner file: BANN-7124:test:security:banners::Check issue banner file: BANN-7126:test:security:banners::Check issue banner file contents: diff --git a/include/tests_authentication b/include/tests_authentication index d005882a..74389ad8 100644 --- a/include/tests_authentication +++ b/include/tests_authentication 
@@ -157,51 +157,7 @@ # Test : AUTH-9218 # Description : Check login shells for passwordless accounts # Notes : Results should be checked - Register --test-no AUTH-9218 --os FreeBSD --weight L --network NO --category security --description "Check login shells for passwordless accounts" - if [ ${SKIPTEST} -eq 0 ]; then - FOUND=0 - LogText "Test: Checking login shells" - if [ -f ${ROOTDIR}etc/master.passwd ]; then - # Check for all shells, except: (/usr)/sbin/nologin /nonexistent - FIND=$(${GREPBINARY} "[a-z]:\*:" /etc/master.passwd | ${EGREPBINARY} -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | ${SEDBINARY} 's/ /!space!/g') - if [ "${FIND}" = "" ]; then - Display --indent 2 --text "- Login shells" --result "${STATUS_OK}" --color GREEN - else - Display --indent 2 --text "- Login shells" --result "${STATUS_WARNING}" --color RED - for LINE in ${FIND}; do - LINE=$(echo ${LINE} | ${SEDBINARY} 's/!space!/ /g') - SHELL=$(echo ${LINE} | ${AWKBINARY} -F: '{ print $10 }') - LogText "Output: ${LINE}" - if [ -z "${SHELL}" ]; then - LogText "Result: found no shell on line" - else - LogText "Result: found possible harmful shell ${SHELL}" - if [ -f ${SHELL} ]; then - LogText "Result: shell ${SHELL} does exist" - FOUND=1 - else - LogText "Result: shell ${SHELL} does not exist" - ReportSuggestion "${TEST_NO}" "Determine if account is needed, as shell ${SHELL} does not exist" - fi - fi - done - if [ ${FOUND} -eq 1 ]; then - ReportWarning "${TEST_NO}" "Possible harmful shell found (for passwordless account!)" - fi - fi - else - Display --indent 2 --text "- Login shells" --result "${STATUS_SKIPPED}" --color WHITE - LogText "Result: No /etc/master.passwd file found" - fi - unset LINE SHELL - fi -# -################################################################################# -# - # Test : AUTH-9489 - # Description : Check login shells for passwordless accounts - # Notes : Results should be checked - Register --test-no AUTH-9489 --os DragonFly --weight L --network NO 
--category security --description "Check login shells for passwordless accounts" + Register --test-no AUTH-9218 --os "DragonFly FreeBSD" --weight L --network NO --category security --description "Check login shells for passwordless accounts" if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 LogText "Test: Checking login shells" From 50a60fed876d13cecb9c61d18d8b7ead93a88043 Mon Sep 17 00:00:00 2001 From: Brian Ginsbach Date: Thu, 2 Apr 2020 14:37:31 -0500 Subject: [PATCH 133/355] AUTH-9218 add requires root The `/etc/master.passwd` file on BSD systems is (or should be) read/write root only. Skip the test if not being run as root. --- include/tests_authentication | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_authentication b/include/tests_authentication index 74389ad8..8099eb0c 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -157,7 +157,7 @@ # Test : AUTH-9218 # Description : Check login shells for passwordless accounts # Notes : Results should be checked - Register --test-no AUTH-9218 --os "DragonFly FreeBSD" --weight L --network NO --category security --description "Check login shells for passwordless accounts" + Register --test-no AUTH-9218 --os "DragonFly FreeBSD" --root-only YES --weight L --network NO --category security --description "Check login shells for passwordless accounts" if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 LogText "Test: Checking login shells" From ac7ad92f227c5302ef46bee7d34fbf07dcf364b7 Mon Sep 17 00:00:00 2001 From: Brian Ginsbach Date: Thu, 2 Apr 2020 14:48:41 -0500 Subject: [PATCH 134/355] AUTH-9218 add NetBSD and OpenBSD All of the BSDs have `/etc/master.passwd`. --- include/tests_authentication | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_authentication b/include/tests_authentication index 8099eb0c..41b47955 100644 --- a/include/tests_authentication +++ b/include/tests_authentication 
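Review bot: The deleted FreeBSD copy checked for `${ROOTDIR}etc/master.passwd` but then grepped the hard-coded `/etc/master.passwd`, ignoring ROOTDIR, so a scan of a mounted root would silently read the live system's file; the surviving DragonFly body that now serves both systems lies outside this hunk, and whether it carries the same inconsistency cannot be seen here, so it is worth checking before the merged test is relied on. The retained `# Notes : Results should be checked` line could also state what "passwordless" means for this test — if the pattern is the same `[a-z]:\*:` as in the deleted copy, something like `# Notes : matches accounts whose password field is '*'; results should be checked` would save the next reader a lookup.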
@@ -157,7 +157,7 @@
 # Test : AUTH-9218
 # Description : Check login shells for passwordless accounts
 # Notes : Results should be checked
- Register --test-no AUTH-9218 --os "DragonFly FreeBSD" --root-only YES --weight L --network NO --category security --description "Check login shells for passwordless accounts"
+ Register --test-no AUTH-9218 --os "DragonFly FreeBSD NetBSD OpenBSD" --root-only YES --weight L --network NO --category security --description "Check login shells for passwordless accounts"
 if [ ${SKIPTEST} -eq 0 ]; then
 FOUND=0
 LogText "Test: Checking login shells"

From ddb7ff1762c103516d568fc9a04c86a59b5385d6 Mon Sep 17 00:00:00 2001
From: Michael Boelen
Date: Fri, 3 Apr 2020 09:37:52 +0200
Subject: [PATCH 135/355] [NETW-2706] redirect errors to stderr

---
 include/tests_networking | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/tests_networking b/include/tests_networking
index b182f605..ebca4ee2 100644
--- a/include/tests_networking
+++ b/include/tests_networking
@@ -197,7 +197,7 @@
 if [ ${SKIPTEST} -eq 0 ]; then
 SKIP=0
 if [ -n "${RESOLVECTLBINARY}" ]; then
- DNSSEC_STATUS=$(${RESOLVECTLBINARY} statistics | ${AWKBINARY} -F ":" '/DNSSEC supported/ { print $2 }' | ${TRBINARY} -d ' ')
+ DNSSEC_STATUS=$(${RESOLVECTLBINARY} statistics 2> /dev/null | ${AWKBINARY} -F ":" '/DNSSEC supported/ { print $2 }' | ${TRBINARY} -d ' ')
 if [ "${DNSSEC_STATUS}" = "yes" ]; then
 Display --indent 4 --text "- DNSSEC supported (systemd-resolved)" --result "${STATUS_OK}" --color GREEN
 LogText "Result: DNSSEC supported by systemd-resolved and upstream DNS servers"

From f25ffdbb1f2402a8aa896882be0a79fd2da763ae Mon Sep 17 00:00:00 2001
From: Michael Boelen
Date: Fri, 3 Apr 2020 09:37:52 +0200
Subject: [PATCH 136/355] [NETW-2706] redirect errors to stderr

---
 include/tests_networking | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/tests_networking b/include/tests_networking
index b182f605..ebca4ee2 100644
--- a/include/tests_networking +++ b/include/tests_networking @@ -197,7 +197,7 @@ if [ ${SKIPTEST} -eq 0 ]; then SKIP=0 if [ -n "${RESOLVECTLBINARY}" ]; then - DNSSEC_STATUS=$(${RESOLVECTLBINARY} statistics | ${AWKBINARY} -F ":" '/DNSSEC supported/ { print $2 }' | ${TRBINARY} -d ' ') + DNSSEC_STATUS=$(${RESOLVECTLBINARY} statistics 2> /dev/null | ${AWKBINARY} -F ":" '/DNSSEC supported/ { print $2 }' | ${TRBINARY} -d ' ') if [ "${DNSSEC_STATUS}" = "yes" ]; then Display --indent 4 --text "- DNSSEC supported (systemd-resolved)" --result "${STATUS_OK}" --color GREEN LogText "Result: DNSSEC supported by systemd-resolved and upstream DNS servers" From e2ad71ffe5907dcce88ca3511b8db904b82b574c Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 3 Apr 2020 09:46:56 +0200 Subject: [PATCH 137/355] Updated log --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 805a18d7..49c72a2d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -90,7 +90,7 @@ Using the relevant options, the scan will change base on the intended goal. - AUTH-9234 - NetBSD support - AUTH-9252 - corrected permission check - AUTH-9266 - skip .pam-old files in /etc/pam.d -- AUTH-9268 - Perform test also on FreeBSD and NetBSD +- AUTH-9268 - Perform test also on DragonFly, FreeBSD, and NetBSD - AUTH-9282 - fix: temporary variable was overwritten - AUTH-9408 - added support for pam_tally2 to log failed logins - BANN-7126 - additional words for login banner are accepted From 235dbd38058c3c4e7bf34b7f1d7e61712860b9e4 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 3 Apr 2020 09:50:03 +0200 Subject: [PATCH 138/355] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 49c72a2d..ffa6ba4f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -93,6 +93,7 @@ Using the relevant options, the scan will change base on the intended goal. - AUTH-9268 - Perform test also on DragonFly, FreeBSD, and NetBSD - AUTH-9282 - fix: temporary variable was overwritten - AUTH-9408 - added support for pam_tally2 to log failed logins +- AUTH-9489 - test removedd as it is merged with AUTH-9218 - BANN-7126 - additional words for login banner are accepted - BOOT-5122 - check for defined password in all GRUB configuration files - CONT-8106 - support newer 'docker info' output From 4680f94d11961269d3f944e1365e270e4ef9587c Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 3 Apr 2020 14:02:52 +0200 Subject: [PATCH 139/355] [NETW-2706] allow usage of systemd-resolve and resolvectl, improved screen output and logging --- include/tests_networking | 37 +++++++++++++++++++++++-------------- 1 file changed, 23 insertions(+), 14 deletions(-) diff --git a/include/tests_networking b/include/tests_networking index ebca4ee2..485a2238 100644 --- a/include/tests_networking +++ b/include/tests_networking 
@@ -191,23 +191,32 @@ ################################################################################# # # Test : NETW-2706 - # Description : Check systemd-resolved and upstream DNSSEC status - if [ -n "${RESOLVECTLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no NETW-2706 --preqs-met ${PREQS_MET} --weight L --network YES --category security --description "Check systemd-resolved and upstream DNSSEC status" + # Description : Check systemd-resolve output and upstream DNSSEC status + # Notes : Ubuntu 16.04 uses systemd-resolve, newer ones most likely resolvectl + if [ -n "${RESOLVECTLBINARY}" ]; then + PREQS_MET="YES" + RESOLVE_CMD="${RESOLVECTLBINARY}" + RESOLVE_CMD_PARAM="statistics" + elif [ -n "$(command -v systemd-resolve 2> /dev/null)" ]; then + PREQS_MET="YES" + RESOLVE_CMD="$(command -v systemd-resolve 2> /dev/null)" + RESOLVE_CMD_PARAM="--statistics" + else + PREQS_MET="NO" + fi + Register --test-no NETW-2706 --preqs-met "${PREQS_MET}" --weight L --network YES --category security --description "Check systemd-resolved and upstream DNSSEC status" if [ ${SKIPTEST} -eq 0 ]; then SKIP=0 - if [ -n "${RESOLVECTLBINARY}" ]; then - DNSSEC_STATUS=$(${RESOLVECTLBINARY} statistics 2> /dev/null | ${AWKBINARY} -F ":" '/DNSSEC supported/ { print $2 }' | ${TRBINARY} -d ' ') - if [ "${DNSSEC_STATUS}" = "yes" ]; then - Display --indent 4 --text "- DNSSEC supported (systemd-resolved)" --result "${STATUS_OK}" --color GREEN - LogText "Result: DNSSEC supported by systemd-resolved and upstream DNS servers" - else - Display --indent 4 --text "- DNSSEC supported (systemd-resolved)" --result "${STATUS_WARNING}" --color RED - LogText "Result: DNSSEC not supported by systemd-resolved or upstream DNS servers" - fi + DNSSEC_STATUS=$(${RESOLVE_CMD} ${RESOLVE_CMD_PARAM} 2> /dev/null | ${AWKBINARY} -F ":" '/DNSSEC supported/ { print $2 }' | ${TRBINARY} -d ' ') + if [ "${DNSSEC_STATUS}" = "yes" ]; then + Display --indent 4 --text "- DNSSEC supported 
(systemd-resolved)" --result "${STATUS_YES}" --color GREEN + LogText "Result: DNSSEC supported by systemd-resolved and upstream DNS servers" + elif [ "${DNSSEC_STATUS}" = "no" ]; then + Display --indent 4 --text "- DNSSEC supported (systemd-resolved)" --result "${STATUS_NO}" --color YELLOW + LogText "Result: DNSSEC not supported by systemd-resolved or upstream DNS servers" else - Display --indent 4 --text "- DNSSEC supported (systemd-resolved)" --result "${STATUS_SKIPPED}" --color YELLOW - LogText "Result: resolvectl not installed, test can't be fully performed" + Display --indent 4 --text "- DNSSEC supported (systemd-resolved)" --result "${STATUS_UNKNOWN}" --color RED + LogText "Result: command '${RESOLVE_CMD} ${RESOLVE_CMD_PARAM}' returned an error. Please run command manually to check for details." fi else LogText "Result: Test most likely skipped due to not having resolvectl" From 032bb6988e7b94415cbe202dd26177e94803859f Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sat, 4 Apr 2020 15:28:04 +0200 Subject: [PATCH 140/355] Added new test NETW-2400 --- CHANGELOG.md | 1 + db/tests.db | 1 + include/tests_networking | 48 +++++++++++++++++++++++++++++++++++++++- 3 files changed, 49 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ffa6ba4f..fd54bf19 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -60,6 +60,7 @@ Using the relevant options, the scan will change base on the intended goal. - New test: FINT-4341 - verify status of dm-verity (Linux) - New test: INSE-8314 - test for NIS client - New test: INSE-8316 - test for NIS server +- New test: NETW-2400 - test hostname for valid characters and length - New test: NETW-2706 - check DNSSEC (systemd) - New test: NETW-3200 - determine enabled network protocols - New test: PHP-2382 - detect listen option in PHP (FPM) diff --git a/db/tests.db b/db/tests.db index 26960c00..62857946 100644 --- a/db/tests.db +++ b/db/tests.db 
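Review bot: The fallback `$(command -v systemd-resolve 2> /dev/null)` resolves the tool through the caller's PATH at test time rather than through the discovered-binary convention (`RESOLVECTLBINARY`) the rest of the test uses, so a stray `systemd-resolve` earlier in PATH would be the one executed; if the binary-discovery code can register systemd-resolve the same way, prefer that, otherwise restrict the lookup to the system directories. The skip message in the else branch, `LogText "Result: Test most likely skipped due to not having resolvectl"`, is now inaccurate because systemd-resolve also satisfies the prerequisite; `LogText "Result: Test most likely skipped due to not having resolvectl or systemd-resolve"` matches the new logic. A `yes` in the `DNSSEC supported` statistic appears to describe what resolved observed from the upstream servers rather than that validation is enforced locally, so the GREEN result deserves a caveat such as `# Note: 'supported' reflects upstream capability; the local DNSSEC= setting is not checked here` — confirm against the resolved documentation.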
@@ -287,6 +287,7 @@ NAME-4402:test:security:nameservices::Check duplicate line in /etc/hosts: NAME-4404:test:security:nameservices::Check /etc/hosts contains an entry for this server name: NAME-4406:test:security:nameservices::Check server hostname mapping: NAME-4408:test:security:nameservices::Check localhost to IP mapping: +NETW-2400:test:basics:networking::Test hostname for valid characters and length: NETW-2600:test:security:networking:Linux:Checking IPv6 configuration: NETW-2704:test:security:networking::Basic nameserver configuration tests: NETW-2705:test:security:networking::Check availability two nameservers: diff --git a/include/tests_networking b/include/tests_networking index 485a2238..ea326ce0 100644 --- a/include/tests_networking +++ b/include/tests_networking 
@@ -34,6 +34,53 @@ InsertSection "Networking" # ################################################################################# +# + # Test : NETW-2400 + # Description : Test hostname for valid characters and length + # Notes : FQDN: max 253 characters + # : component: a-z, 0-9, hyphen, not start with hyphen, max 63 characters + # dots allowed as separator + Register --test-no NETW-2400 --weight L --network YES --category basics --description "Hostname length and value check" + if [ ${SKIPTEST} -eq 0 ]; then + # Test first the fully qualified domain name + if [ ${#FQDN} -gt 253 ]; then + # Too long + LogText "Result: FQDN is more than 253 characters" + Display --indent 2 --text "- Hostname (FQDN length)" --result "${STATUS_WARNING}" --color RED + ReportWarning "${TEST_NO}" "Hostname is too long (more than 253 characters)" + elif [ ${#FQDN} -eq 0 ]; then + # FQDN not defined + LogText "Result: FQDN is not defined" + if IsVerbose; then Display --indent 2 --text "- Hostname (FQDN length)" --result "${STATUS_UNKNOWN}" --color YELLOW; fi + else + # Fine + LogText "Result: FQDN is defined and shorter than 253 characters (${#FQDN} characters)" + if IsVerbose; then Display --indent 2 --text "- Hostname (FQDN length)" --result "${STATUS_OK}" --color GREEN; fi + fi + # Now test short hostname + if [ ${#HOSTNAME} -eq 0 ]; then + if IsVerbose; then Display --indent 2 --text "- Hostname (FQDN length)" --result "${STATUS_NONE}" --color RED; fi + LogText "Result: hostname is not defined" + else + # Test length + if [ ${#HOSTNAME} -gt 63 ]; then + LogText "Result: hostname is more than 63 characters" + Display --indent 2 --text "- Hostname (length)" --result "${STATUS_WARNING}" --color RED + fi + # Test valid characters (normally a dot should not be in the name, but we can't be 100% sure we have short name) + FIND=$(echo "${HOSTNAME}" | ${TRBINARY} -d '[a-z0-9\.\-]') + if [ -z "${FIND}" ]; then + LogText "Result: good, no unexpected characters discovered in hostname" + if 
IsVerbose; then Display --indent 2 --text "- Hostname (allowed characters)" --result "${STATUS_OK}" --color GREEN; fi + else + LogText "Result: unexpected characters discovered in hostname (characters: ${FIND}), which may impact network connectivity" + Display --indent 2 --text "- Hostname (allowed characters)" --result "${STATUS_WARNING}" --color RED + ReportWarning "${TEST_NO}" "Hostname contains invalid characters" "hostname" "text:See log file for invalid characters" + fi + fi + fi +# +################################################################################# # # Test : NETW-2600 # Description : Gather IPv6 configuration @@ -736,7 +783,6 @@ ################################################################################# # - WaitForKeyPress # From 9da066592962fd6a6c1eb05d3231d7c3d077fc33 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sat, 4 Apr 2020 15:56:00 +0200 Subject: [PATCH 141/355] [NETW-2400] Improved logging --- include/tests_networking | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/include/tests_networking b/include/tests_networking index ea326ce0..83a7aae0 100644 --- a/include/tests_networking +++ b/include/tests_networking @@ -54,7 +54,7 @@ if IsVerbose; then Display --indent 2 --text "- Hostname (FQDN length)" --result "${STATUS_UNKNOWN}" --color YELLOW; fi else # Fine - LogText "Result: FQDN is defined and shorter than 253 characters (${#FQDN} characters)" + LogText "Result: FQDN is defined and not longer than 253 characters (${#FQDN} characters)" if IsVerbose; then Display --indent 2 --text "- Hostname (FQDN length)" --result "${STATUS_OK}" --color GREEN; fi fi # Now test short hostname 
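Review bot: The character check `${TRBINARY} -d '[a-z0-9\.\-]'` deletes only lowercase letters, so a hostname with uppercase letters — valid per RFC 1123, hostnames are case-insensitive — is reported as a WARNING and ReportWarning, while the literal `[` and `]` inside the tr set are also deleted and therefore never flagged; `${TRBINARY} -d 'a-zA-Z0-9\.\-'` (no brackets, uppercase included) expresses the intended set. The `-gt 63` branch displays a WARNING but, unlike the FQDN branch above it, raises no ReportWarning, so the finding never reaches the report; `ReportWarning "${TEST_NO}" "Hostname is too long (more than 63 characters)"` makes the two branches consistent. The empty-hostname branch labels its Display `- Hostname (FQDN length)` although it sits inside the short-hostname check; `- Hostname (length)` is the matching label.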
@@ -66,6 +66,8 @@ if [ ${#HOSTNAME} -gt 63 ]; then LogText "Result: hostname is more than 63 characters" Display --indent 2 --text "- Hostname (length)" --result "${STATUS_WARNING}" --color RED + else + LogText "Result: hostnamed is defined and not longer than 63 characters" fi # Test valid characters (normally a dot should not be in the name, but we can't be 100% sure we have short name) FIND=$(echo "${HOSTNAME}" | ${TRBINARY} -d '[a-z0-9\.\-]') From 49549f9155510442712711a6b2d0390ece24ccbc Mon Sep 17 00:00:00 2001 From: 0xD503 Date: Sun, 5 Apr 2020 22:01:29 +0100 Subject: [PATCH 142/355] Added Russian translation Added Russian localization --- db/languages/ru | 76 ++++++++++++++++++++++++------------------------- 1 file changed, 38 insertions(+), 38 deletions(-) diff --git a/db/languages/ru b/db/languages/ru index e16f1062..5153a319 100644 --- a/db/languages/ru +++ b/db/languages/ru 
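Review bot: The new log line has a typo — `LogText "Result: hostnamed is defined and not longer than 63 characters"` reads "hostnamed" where "hostname" is meant; `LogText "Result: hostname is defined and not longer than 63 characters"`. This hunk is the middle of the NETW-2400 test body, which starts and ends outside it.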
@@ -1,38 +1,38 @@ -GEN_CHECKING="Checking" -GEN_CURRENT_VERSION="Current version" -GEN_DEBUG_MODE="Debug mode" -GEN_INITIALIZE_PROGRAM="Initializing program" -GEN_PHASE="phase" -GEN_PLUGINS_ENABLED="Plugins enabled" -GEN_VERBOSE_MODE="Verbose mode" -GEN_UPDATE_AVAILABLE="update available" -GEN_WHAT_TO_DO="What to do" -NOTE_EXCEPTIONS_FOUND="Exceptions found" -NOTE_EXCEPTIONS_FOUND_DETAILED="Some exceptional events or information was found" -NOTE_PLUGINS_TAKE_TIME="Note: plugins have more extensive tests and may take several minutes to complete" -SECTION_CUSTOM_TESTS="Custom Tests" -SECTION_MALWARE="Malware" -SECTION_MEMORY_AND_PROCESSES="Memory and Processes" -STATUS_DONE="DONE" -STATUS_FOUND="FOUND" -STATUS_YES="YES" -STATUS_NO="NO" -STATUS_OFF="OFF" -STATUS_OK="OK" -STATUS_ON="ON" -STATUS_NONE="NONE" -STATUS_NOT_FOUND="NOT FOUND" -STATUS_NOT_RUNNING="NOT RUNNING" -STATUS_RUNNING="RUNNING" -STATUS_SKIPPED="SKIPPED" -STATUS_SUGGESTION="SUGGESTION" -STATUS_UNKNOWN="UNKNOWN" -STATUS_WARNING="WARNING" -TEXT_YOU_CAN_HELP_LOGFILE="You can help by providing your log file" -TEXT_UPDATE_AVAILABLE="update available" -NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Skipped tests due to non-privileged mode" -STATUS_DISABLED="DISABLED" -STATUS_ENABLED="ENABLED" -STATUS_ERROR="ERROR" -ERROR_NO_LICENSE="No license key configured" -ERROR_NO_UPLOAD_SERVER="No upload server configured" +GEN_CHECKING="Проверка" +GEN_CURRENT_VERSION="Текущая версия" +GEN_DEBUG_MODE="Режим отладки" +GEN_INITIALIZE_PROGRAM="Инициализация программы" +GEN_PHASE="Стадия" +GEN_PLUGINS_ENABLED="Плагины включены" +GEN_VERBOSE_MODE="Подробный режим" +GEN_UPDATE_AVAILABLE="доступно обновление" +GEN_WHAT_TO_DO="Что сделать" +NOTE_EXCEPTIONS_FOUND="Найдены исключения" +NOTE_EXCEPTIONS_FOUND_DETAILED="Были найдены некоторые исключительные события или информация" +NOTE_PLUGINS_TAKE_TIME="Примечание: плагины имеют более обширные тесты и могут занять несколько минут до завершения" +SECTION_CUSTOM_TESTS="Пользовательские тесты" 
+SECTION_MALWARE="Вредоносное ПО" +SECTION_MEMORY_AND_PROCESSES="Память и процессы" +STATUS_DONE="Завершено" +STATUS_FOUND="Найдено" +STATUS_YES="ДА" +STATUS_NO="НЕТ" +STATUS_OFF="Выключено" +STATUS_OK="ОК" +STATUS_ON="Включено" +STATUS_NONE="Отсутствует" +STATUS_NOT_FOUND="НЕ НАЙДЕНО" +STATUS_NOT_RUNNING="НЕ ЗАПУЩЕНО" +STATUS_RUNNING="ЗАПУЩЕНО" +STATUS_SKIPPED="ПРОПУЩЕНО" +STATUS_SUGGESTION="ПРЕДЛОЖЕНИЕ" +STATUS_UNKNOWN="НЕИЗВЕСТНО" +STATUS_WARNING="ПРЕДУПРЕЖДЕНИЕ" +TEXT_YOU_CAN_HELP_LOGFILE="Вы можете помочь предоставив ваш лог-файл" +TEXT_UPDATE_AVAILABLE="доступно обновление" +NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Тесты пропущены из-за использования непривилегированного режима" +STATUS_DISABLED="ОТКЛЮЧЕНО" +STATUS_ENABLED="ВКЛЮЧЕНО" +STATUS_ERROR="ОШИБКА" +ERROR_NO_LICENSE="Лицензионный ключ не настроен" +ERROR_NO_UPLOAD_SERVER="Загрузочный сервер не настроен" From 798f5322f6908c80fb356b5022ce99012938e42b Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 6 Apr 2020 16:23:31 +0200 Subject: [PATCH 143/355] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index fd54bf19..3edd55cc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -78,6 +78,7 @@ Using the relevant options, the scan will change base on the intended goal. - Added end-of-life data for Arch Linux and Debian - Detection and end-of-life data added for Amazon Linux - Detection of linux-lts on Arch Linux +- Translations: Russian added ### Changed - Function: CheckItem() now returns only exit code (ITEM_FOUND is dropped) From c368846a08d12901e7de43b525d3e055c7f67508 Mon Sep 17 00:00:00 2001 
From: Michael Boelen Date: Mon, 6 Apr 2020 20:47:45 +0200 Subject: [PATCH 144/355] Added support to require a detected and known package manager --- CHANGELOG.md | 1 + include/consts | 3 +++ include/functions | 27 ++++++++++++++++++++++++--- include/tests_insecure_services | 22 +++++++++++----------- lynis | 11 +++++++++++ 5 files changed, 50 insertions(+), 14 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3edd55cc..f21bd306 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -159,6 +159,7 @@ Using the relevant options, the scan will change base on the intended goal. - Several code cleanups, simplification of commands, and code standardization - Tests using lsof may ignore individual threads (if supported) - Corrected end-of-life detection for CentOS 7 and CentOS 8 +- Tests can require detected package manager (--package-manager-required) - Do not show tool tips when quiet option is used - Improved screen output in several tests - Extended output of 'lynis update info' diff --git a/include/consts b/include/consts index 3969aad5..c1f65ea2 100644 --- a/include/consts +++ b/include/consts @@ -125,6 +125,7 @@ unset LANG GRSEC_FOUND=0 GRUBCONFFILE="" GRUB2INSTALLBINARY="" + HAS_PACKAGE_MANAGER=0 HAS_SYSTEMD=0 HEADBINARY="" HELPER="" @@ -222,6 +223,7 @@ unset LANG PGREPBINARY="" PIDFILE="" PKG_BINARY="" + PKGINFOBINARY="" PKGADMINBINARY="" PLUGINDIR="" PLUGIN_PHASE=0 @@ -324,6 +326,7 @@ unset LANG VULNERABLE_PACKAGES_FOUND=0 WCBINARY="" XARGSBINARY="" + XBPSBINARY="" YUMBINARY="" ZYPPERBINARY="" diff --git a/include/functions b/include/functions index 492ade27..58ddabe9 100644 --- a/include/functions +++ b/include/functions @@ -2019,6 +2019,7 @@ PackageIsInstalled() { exit_code=255 + # First parameter is package name (or __dummy__ for initial test to see if package manager is available and works as expected) if [ $# -eq 1 ]; then package="$1" else 
@@ -2056,7 +2057,21 @@ output=$(${XBPSBINARY} ${package} 2> /dev/null | ${GREPBINARY} "^ii") exit_code=$? else - ReportException "PackageIsInstalled:01" + if [ "${package}" != "__dummy__" ]; then + ReportException "PackageIsInstalled:01 (test=${TEST_NO:-unknown})" + fi + fi + + # Give thumbs up if dummy package is used during initial test for package manager availability + if [ "${package}" = "__dummy__" ]; then + # There should be no positive match on this dummy package + if [ ${exit_code} -eq 0 ]; then + exit_code=1 + elif [ ${exit_code} -eq 255 ]; then + exit_code=1 + else + exit_code=0 + fi fi return ${exit_code} @@ -2499,8 +2514,8 @@ Register() { # Do not insert a log break, if previous test was not logged if [ ${SKIPLOGTEST} -eq 0 ]; then LogTextBreak; fi - ROOT_ONLY=0; SKIPTEST=0; SKIPLOGTEST=0; SKIPREASON=""; TEST_NEED_OS=""; PREQS_MET="" - TEST_CATEGORY=""; TEST_NEED_NETWORK=""; TEST_NEED_PLATFORM="" + ROOT_ONLY=0; SKIPTEST=0; SKIPLOGTEST=0; SKIPREASON=""; PREQS_MET="" + TEST_CATEGORY=""; TEST_NEED_NETWORK=""; TEST_NEED_OS=""; TEST_NEED_PKG_MGR=0; TEST_NEED_PLATFORM="" TOTAL_TESTS=$((TOTAL_TESTS + 1)) while [ $# -ge 1 ]; do case $1 in @@ -2524,6 +2539,9 @@ shift TEST_NEED_OS=$1 ;; + --package-manager-required) + TEST_NEED_PKG_MGR=1 + ;; --preqs-met) shift PREQS_MET=$1 
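Review bot: The `__dummy__` remapping at the end of the hunk treats every exit code other than 0 and 255 as proof of a working package manager, so a query that fails for an unrelated reason (an unreadable or locked package database, which is plausible in a non-privileged run) is indistinguishable from "package not installed" and sets HAS_PACKAGE_MANAGER=1 for the whole run. At minimum the raw status should be logged before it is rewritten, e.g. `LogText "Result: package manager probe returned exit code ${exit_code}"` as the first line inside the `if [ "${package}" = "__dummy__" ]` block, so a wrong detection can be diagnosed from the log. PackageIsInstalled starts before this hunk, so the branches that assign exit_code for the individual package managers are not visible here.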
@@ -2636,6 +2654,9 @@ # Check for correct hardware platform if [ ${SKIPTEST} -eq 0 -a -n "${TEST_NEED_PLATFORM}" -a ! "${HARDWARE}" = "${TEST_NEED_PLATFORM}" ]; then SKIPTEST=1; SKIPREASON="Incorrect hardware platform"; fi + # Check for required (and discovered) package manager + if [ ${SKIPTEST} -eq 0 -a ${TEST_NEED_PKG_MGR} -eq 1 -a ${HAS_PACKAGE_MANAGER} -eq 0 ]; then SKIPTEST=1; SKIPREASON="Requires a known package manager to test presence of a particular package"; fi + # Not all prerequisites met, like missing tool if [ ${SKIPTEST} -eq 0 -a "${PREQS_MET}" = "NO" ]; then SKIPTEST=1; if [ -z "${SKIPREASON}" ]; then SKIPREASON="Prerequisites not met (ie missing tool, other type of Linux distribution)"; fi; fi diff --git a/include/tests_insecure_services b/include/tests_insecure_services index 3bc8dfdf..5c8af1fc 100644 --- a/include/tests_insecure_services +++ b/include/tests_insecure_services @@ -37,7 +37,7 @@ # # Test : INSE-8000 # Description : Check for installed inetd package - Register --test-no INSE-8000 --weight L --network NO --category security --description "Installed inetd package" + Register --test-no INSE-8000 --package-manager-required --weight L --network NO --category security --description "Installed inetd package" if [ ${SKIPTEST} -eq 0 ]; then # Check for installed inetd daemon LogText "Test: Checking if inetd is installed" @@ -134,7 +134,7 @@ # # Test : INSE-8100 # Description : Check for installed xinetd daemon - Register --test-no INSE-8100 --weight L --network NO --category security --description "Check for installed xinetd daemon" + Register --test-no INSE-8100 --package-manager-required --weight L --network NO --category security --description "Check for installed xinetd daemon" if [ ${SKIPTEST} -eq 0 ]; then # Check for installed xinetd daemon LogText "Test: Checking for installed xinetd daemon" 
@@ -250,7 +250,7 @@ # Test : INSE-8200 # Description : Check if tcp_wrappers is installed when inetd/xinetd is active if [ ${INETD_ACTIVE} -eq 1 -o ${XINETD_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no INSE-8200 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check if tcp_wrappers is installed when inetd/xinetd is active" + Register --test-no INSE-8200 --package-manager-required --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check if tcp_wrappers is installed when inetd/xinetd is active" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking if tcp_wrappers is installed" FOUND=0 @@ -272,7 +272,7 @@ # # Test : INSE-8300 # Description : Check if rsh client is installed - Register --test-no INSE-8300 --weight L --network NO --category security --description "Check if rsh client is installed" + Register --test-no INSE-8300 --package-manager-required --weight L --network NO --category security --description "Check if rsh client is installed" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking if rsh client is installed" FOUND=0 @@ -328,7 +328,7 @@ # # Test : INSE-8304 # Description : Check if rsh server is installed - Register --test-no INSE-8304 --weight L --network NO --category security --description "Check if rsh server is installed" + Register --test-no INSE-8304 --package-manager-required --weight L --network NO --category security --description "Check if rsh server is installed" if [ ${SKIPTEST} -eq 0 ]; then # Check if rsh server is installed LogText "Test: Checking if rsh server is installed" 
@@ -352,7 +352,7 @@ # # Test : INSE-8310 # Description : Check if telnet client is installed - Register --test-no INSE-8310 --weight L --network NO --category security --description "Check if telnet client is installed" + Register --test-no INSE-8310 --package-manager-required --weight L --network NO --category security --description "Check if telnet client is installed" if [ ${SKIPTEST} -eq 0 ]; then # Check if telnet client is installed LogText "Test: Checking if telnet client is installed" @@ -373,7 +373,7 @@ # # Test : INSE-8312 # Description : Check if telnet server is installed - Register --test-no INSE-8322 --weight L --network NO --category security --description "Check if telnet server is installed" + Register --test-no INSE-8322 --package-manager-required --weight L --network NO --category security --description "Check if telnet server is installed" if [ ${SKIPTEST} -eq 0 ]; then # Check if TFTP server is installed LogText "Test: Checking if telnet server is installed" @@ -398,7 +398,7 @@ # # Test : INSE-8314 # Description : Check if NIS client is installed - Register --test-no INSE-8314 --weight L --network NO --category security --description "Check if NIS client is installed" + Register --test-no INSE-8314 --package-manager-required --weight L --network NO --category security --description "Check if NIS client is installed" if [ ${SKIPTEST} -eq 0 ]; then FOUND="" LogText "Test: Checking if NIS client is installed" @@ -422,7 +422,7 @@ # # Test : INSE-8316 # Description : Check if NIS server is installed - Register --test-no INSE-8316 --weight L --network NO --category security --description "Check if NIS server is installed" + Register --test-no INSE-8316 --package-manager-required --weight L --network NO --category security --description "Check if NIS server is installed" if [ ${SKIPTEST} -eq 0 ]; then FOUND="" LogText "Test: Checking if NIS server is installed" 
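Review bot: The rewritten Register line in the @@ -373 hunk still carries `--test-no INSE-8322` while the `# Test : INSE-8312` header two lines above names a different identifier, and the comment right after it talks about a TFTP server although the description says telnet server. Since the line is being touched anyway, settle on one identifier, either `Register --test-no INSE-8312 ...` or the header changed to match, so the report, the log and the skip reason all refer to the same test. The other tests_insecure_services hunks add the `--package-manager-required` flag identically and need no further comment.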
@@ -446,7 +446,7 @@ # # Test : INSE-8318 # Description : Check if TFTP client is installed - Register --test-no INSE-8318 --weight L --network NO --category security --description "Check if TFTP client is installed" + Register --test-no INSE-8318 --package-manager-required --weight L --network NO --category security --description "Check if TFTP client is installed" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking if TFTP client is installed" FOUND="" @@ -470,7 +470,7 @@ # # Test : INSE-8320 # Description : Check if TFTP server is installed - Register --test-no INSE-8320 --weight L --network NO --category security --description "Check if TFTP server is installed" + Register --test-no INSE-8320 --package-manager-required --weight L --network NO --category security --description "Check if TFTP server is installed" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking if TFTP server is installed" FOUND="" diff --git a/lynis b/lynis index 881b8ade..d5dca003 100755 --- a/lynis +++ b/lynis @@ -524,6 +524,7 @@ ${NORMAL} if [ "${OS}" = "Linux" -a "${HOSTNAME}" = "${FQDN}" ]; then FQDN=$(hostname -f 2> /dev/null) fi + # ################################################################################# # @@ -568,6 +569,7 @@ ${NORMAL} fi Report "test_category=${TEST_CATEGORY_TO_CHECK}" Report "test_group=${TEST_GROUP_TO_CHECK}" + # ################################################################################# # @@ -630,6 +632,7 @@ ${NORMAL} echo "Make sure to execute ${PROGRAM_NAME} from untarred directory or check your installation." exit 1 fi + # ################################################################################# # 
@@ -817,6 +820,14 @@ ${NORMAL} # ################################################################################# # + # Test if we have a package manager available by testing for a dummy package (should not exist) + if PackageIsInstalled "__dummy__"; then + HAS_PACKAGE_MANAGER=1 + LogText "Informational: package manager is used" + else + LogText "Informational: no known package manager for this system" + fi + # Use hardware detection capabilities IsVirtualMachine if IsContainer; then From be75a089a740b3dad7c1bc720922a59926b37f27 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 7 Apr 2020 10:53:39 +0200 Subject: [PATCH 145/355] [PROC-3802] added package manager routine as dependency --- include/tests_memory_processes | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_memory_processes b/include/tests_memory_processes index 65473cf4..2454f320 100644 --- a/include/tests_memory_processes +++ b/include/tests_memory_processes @@ -118,7 +118,7 @@ # # Test : PROC-3802 # Description : Check presence of prelink tooling - Register --test-no PROC-3802 --os Linux --weight L --network NO --category security --description "Check presence of prelink tooling" + Register --test-no PROC-3802 --package-manager-required --os Linux --weight L --network NO --category security --description "Check presence of prelink tooling" if [ ${SKIPTEST} -eq 0 ]; then if PackageIsInstalled "prelink"; then LogText "Result: prelink packages is installed" From e4d491d57414bf53b2d6b1996c5a98b8c7830fd0 Mon Sep 17 00:00:00 2001 From: Martin Churchill Date: Wed, 8 Apr 2020 10:02:18 +0100 Subject: [PATCH 146/355] [CRYP-7902] Fixes issue #902 [CRYP-7902] Checks for SSL_CERTIFICATE_PATHS_TO_IGNORE fails to ignore sub-directories #902 --- include/tests_crypto | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_crypto b/include/tests_crypto index 466f6b52..1726735a 100644 --- a/include/tests_crypto +++ b/include/tests_crypto 
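Review bot: The sentinel `__dummy__` is a bare string literal here and again inside PackageIsInstalled, so the two sites can silently drift apart; a single read-only constant defined in include/consts (name to be agreed, e.g. a `PKG_MGR_PROBE_PACKAGE`) and used in both places would make the probe self-documenting. The success message `LogText "Informational: package manager is used"` also reads as if a package manager were being invoked; `LogText "Informational: a known package manager was detected"` states what the probe actually established. The hunk sits in the main script's initialization, whose surrounding structure is outside the hunk.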
@@ -63,7 +63,7 @@ SKIP=0 # Now check if this path is on the to-be-ignored list for D in ${SSL_CERTIFICATE_PATHS_TO_IGNORE}; do - if Equals "${D}" "${SUBDIR}"; then + if ContainsString "${D}" "${SUBDIR}"; then SKIP=1 LogText "Result: skipping directory (${SUBDIR}) as it is on ignore list" fi From 95b1ae044bd6aec13d994a9d65106bae6a061e22 Mon Sep 17 00:00:00 2001 From: Brian Ginsbach Date: Wed, 8 Apr 2020 15:55:45 -0500 Subject: [PATCH 147/355] KRNL-5677 use platform instead of preqs-met --- include/tests_kernel | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/include/tests_kernel b/include/tests_kernel index 4948e0dd..c62fec91 100644 --- a/include/tests_kernel +++ b/include/tests_kernel @@ -102,8 +102,7 @@ # Description : Check CPU options and support (PAE, No eXecute, eXecute Disable) # More info : pae and nx bit are both visible on AMD and Intel CPU's if supported - if [ "${HARDWARE}" = "x86_64" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no KRNL-5677 --preqs-met "${PREQS_MET}" --os Linux --weight L --network NO --category security --description "Check CPU options and support" + Register --test-no KRNL-5677 --platform x86_64 --os Linux --weight L --network NO --category security --description "Check CPU options and support" if [ ${SKIPTEST} -eq 0 ]; then Display --indent 2 --text "- Checking CPU support (NX/PAE)" LogText "Test: Checking /proc/cpuinfo" From 51dfc34663b616b92ec1902f4474fff2129642a6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Wed, 22 Apr 2020 10:34:58 +0200 Subject: [PATCH 148/355] accept more restrictive file permissions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- include/functions | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/functions b/include/functions index 58ddabe9..8d5a5ef8 100644 --- a/include/functions +++ b/include/functions 
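Review bot: Replacing Equals with ContainsString makes an ignore entry match anywhere inside the directory name rather than only as a leading path, so a short ignore entry can skip unrelated directories that merely contain it, and which argument ContainsString treats as the needle is not visible from this hunk. A prefix test expresses the intent of issue #902 directly and needs no helper:
`case "${SUBDIR}" in`
`    "${D}"*) SKIP=1; LogText "Result: skipping directory (${SUBDIR}) as it is on ignore list" ;;`
`esac`
The enclosing loop and test body start before the hunk.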
@@ -1286,7 +1286,7 @@ CHECK_PERMISSION=$(echo "${CHECK_PERMISSION}" | ${AWKBINARY} '{printf "%03d",$1}') # First try stat command - LogText "Test: checking if file ${CHECKFILE} is ${CHECK_PERMISSION}" + LogText "Test: checking if file ${CHECKFILE} has the permissions set to ${CHECK_PERMISSION} or more restrictive" if [ -n "${STATBINARY}" ]; then case ${OS} in @@ -1344,7 +1344,7 @@ DATA=$(echo "${DATA}" | ${AWKBINARY} '{printf "%03d",$1}') if [ -n "${DATA}" ]; then - if [ "${DATA}" = "${CHECK_PERMISSION}" ]; then + if [ "${DATA}" -le "${CHECK_PERMISSION}" ]; then LogText "Outcome: correct permissions (${DATA})" return 0 fi From fcdc07f8d9135b362f3198f31e9271b57baac767 Mon Sep 17 00:00:00 2001 From: Topi Miettinen Date: Sat, 25 Apr 2020 00:06:58 +0300 Subject: [PATCH 149/355] [CRYP-7902] Check also certificates in DER format Check also certificates in DER (*.cer, *.der) format. Add /etc/refind.d/keys to list of certificate paths. Signed-off-by: Topi Miettinen --- CHANGELOG.md | 1 + default.prf | 2 +- include/tests_crypto | 19 +++++++++++++------ 3 files changed, 15 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b982ac53..6c3974a2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -101,6 +101,7 @@ Using the relevant options, the scan will change base on the intended goal. - BOOT-5122 - check for defined password in all GRUB configuration files - CONT-8106 - support newer 'docker info' output - CRYP-7902 - optionally check also certificates provided by packages +- CRYP-7902 - check also certificates in DER format - CRYP-8002 - gather kernel entropy on Linux systems - FILE-6310 - support for HP-UX - FILE-6374 - changed log and allow root location to be changed diff --git a/default.prf b/default.prf index 6ff3eac2..fff29512 100644 --- a/default.prf +++ b/default.prf 
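Review bot: In the second hunk, `[ "${DATA}" -le "${CHECK_PERMISSION}" ]` compares the octal mode strings as decimal integers, and numeric order is not "more restrictive": a file with mode 077 (nothing for the owner, everything for group and others) passes a check for 600 because 77 is below 600, and 620 (group-writable) passes a check for 644. Every such case is a false "correct permissions" outcome, which is the wrong direction for an audit tool. The check should require that every bit set in DATA is also set in CHECK_PERMISSION, which POSIX shell arithmetic can express with octal literals since both values are zero-padded by the `%03d` awk formatting visible in the hunk: `if [ $(( 0${DATA} | 0${CHECK_PERMISSION} )) -eq $(( 0${CHECK_PERMISSION} )) ]; then`. The enclosing function starts before the first hunk.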
@@ -93,7 +93,7 @@ skip-plugins=no #skip-upgrade-test=yes # Locations where to search for SSL certificates (separate paths with a colon) -ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/usr/share/ca-certificates:/usr/share/gnupg:/var/www:/srv/www +ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/refind.d/keys:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/usr/share/ca-certificates:/usr/share/gnupg:/var/www:/srv/www ssl-certificate-paths-to-ignore=/etc/letsencrypt/archive: ssl-certificate-include-packages=no diff --git a/include/tests_crypto b/include/tests_crypto index 02fa0a80..f1aa1bdf 100644 --- a/include/tests_crypto +++ b/include/tests_crypto @@ -50,7 +50,7 @@ LASTSUBDIR="" LogText "Result: found directory ${DIR}" # Search for certificate files - FILES=$(${FINDBINARY} ${DIR} -type f 2> /dev/null | ${EGREPBINARY} ".crt$|.pem$|^cert" | ${SORTBINARY} | ${SEDBINARY} 's/ /__space__/g') + FILES=$(${FINDBINARY} ${DIR} -type f 2> /dev/null | ${EGREPBINARY} ".cer$|.crt$|.der$|.pem$|^cert" | ${SORTBINARY} | ${SEDBINARY} 's/ /__space__/g') for FILE in ${FILES}; do FILE=$(echo ${FILE} | ${SEDBINARY} 's/__space__/ /g') # See if we need to skip this path 
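Review bot: The new alternatives `.cer$|.der$` keep the unescaped dots of the original pattern, so any file whose name merely ends in `cer` or `der` (for example `placeholder`) is picked up as a certificate candidate; `".cer$"` style should become `"\.cer$|\.crt$|\.der$|\.pem$|^cert"` so only the extension matches. The `^cert` branch is unlikely to ever match because find prints each path prefixed with `${DIR}`, but that predates this change. The default.prf hunk only extends the search path list.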
@@ -76,16 +76,23 @@ if [ ${CANREAD} -eq 1 ]; then # Only check the files that are not installed by a package, unless enabled by profile if [ ${SSL_CERTIFICATE_INCLUDE_PACKAGES} -eq 1 ] || ! FileInstalledByPackage "${FILE}"; then + echo ${FILE} | ${EGREPBINARY} --quiet ".cer$|.der$" + CER_DER=$? OUTPUT=$(${GREPBINARY} -q 'BEGIN CERT' "${FILE}") - if [ $? -eq 0 ]; then + if [ $? -eq 0 -o ${CER_DER} -eq 0 ]; then LogText "Result: file is a certificate file" - FIND=$(${OPENSSLBINARY} x509 -noout -in "${FILE}" -enddate 2> /dev/null | ${GREPBINARY} "^notAfter") + if [ ${CER_DER} -eq 0 ]; then + SSL_DER_OPT="-inform der" + else + SSL_DER_OPT= + fi + FIND=$(${OPENSSLBINARY} x509 -noout ${SSL_DER_OPT} -in "${FILE}" -enddate 2> /dev/null | ${GREPBINARY} "^notAfter") if [ $? -eq 0 ]; then # Check certificate where 'end date' has been expired - FIND=$(${OPENSSLBINARY} x509 -noout -checkend 0 -in "${FILE}" -enddate 2> /dev/null) + FIND=$(${OPENSSLBINARY} x509 -noout ${SSL_DER_OPT} -checkend 0 -in "${FILE}" -enddate 2> /dev/null) EXIT_CODE=$? - CERT_CN=$(${OPENSSLBINARY} x509 -noout -subject -in "${FILE}" 2> /dev/null | ${SEDBINARY} -e 's/^subject.*CN=\([a-zA-Z0-9\.\-\*]*\).*$/\1/') - CERT_NOTAFTER=$(${OPENSSLBINARY} x509 -noout -enddate -in "${FILE}" 2> /dev/null | ${AWKBINARY} -F= '{if ($1=="notAfter") { print $2 }}') + CERT_CN=$(${OPENSSLBINARY} x509 -noout ${SSL_DER_OPT} -subject -in "${FILE}" 2> /dev/null | ${SEDBINARY} -e 's/^subject.*CN=\([a-zA-Z0-9\.\-\*]*\).*$/\1/') + CERT_NOTAFTER=$(${OPENSSLBINARY} x509 -noout ${SSL_DER_OPT} -enddate -in "${FILE}" 2> /dev/null | ${AWKBINARY} -F= '{if ($1=="notAfter") { print $2 }}') Report "certificate[]=${FILE}|${EXIT_CODE}|cn:${CERT_CN};notafter:${CERT_NOTAFTER};|" if [ ${EXIT_CODE} -eq 0 ]; then LogText "Result: certificate ${FILE} seems to be correct and still valid" From f081a9ed7e78f5ef86ab97a3222dbf01ad8aa7d5 Mon Sep 17 00:00:00 2001 
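Review bot: DER handling is decided purely by the `.cer`/`.der` suffix, but `.cer` files are frequently PEM-encoded, and for those every openssl call with `-inform der` fails with stderr discarded, so the `grep "^notAfter"` test fails and the certificate is neither reported nor logged. Keep the PEM marker as the deciding signal: record its result right after the existing grep with `IS_PEM=$?`, and select DER only when `[ ${CER_DER} -eq 0 -a ${IS_PEM} -ne 0 ]`. The new `${EGREPBINARY} --quiet` also differs from the `-q` used on the very next line; `-q` is the spelling the rest of the file uses and the more portable one. The enclosing loop and test body start before the hunk.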
From: Jeremias Cordoba Date: Mon, 4 May 2020 15:51:03 -0700 Subject: [PATCH 150/355] Fix KRNL-5730 to properly check /proc/config.gz When KRNL-5728 locates the kernel config it does not properly set LINUXCONFIGFILE if config is found as /proc/config.gz. This causes KRNL-5730 to fail due to missing prereqs, despite a kernel config existing. Signed-off-by: Jeremias Cordoba --- include/tests_kernel | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/include/tests_kernel b/include/tests_kernel index 72e5082b..e19a7679 100644 --- a/include/tests_kernel +++ b/include/tests_kernel @@ -235,12 +235,13 @@ Register --test-no KRNL-5728 --os Linux --weight L --network NO --category security --description "Checking Linux kernel config" if [ ${SKIPTEST} -eq 0 ]; then CHECKFILE="${ROOTDIR}boot/config-$(uname -r)" + CHECKFILE_ZIPPED="${ROOTDIR}proc/config.gz" if [ -f ${CHECKFILE} ]; then LINUXCONFIGFILE="${CHECKFILE}" LogText "Result: found config (${LINUXCONFIGFILE})" Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_FOUND}" --color GREEN - elif [ -f ${ROOTDIR}proc/config.gz ]; then - LINUXCONFIGFILE="${CHECKFILE}" + elif [ -f ${CHECKFILE_ZIPPED} ]; then + LINUXCONFIGFILE="${CHECKFILE_ZIPPED}" LINUXCONFIGFILE_ZIPPED=1 LogText "Result: found config: ${ROOTDIR}proc/config.gz (compressed)" Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_FOUND}" --color GREEN From 2b0a0ba2e1b98563d4984c7bcb59769672c11bd0 Mon Sep 17 00:00:00 2001 From: Aditya Shastri Date: Thu, 14 May 2020 20:50:43 -0700 Subject: [PATCH 151/355] Addedd OS detection for Oracle Linux --- include/osdetection | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/include/osdetection b/include/osdetection index 08fd931e..7ad153d6 100644 --- a/include/osdetection +++ b/include/osdetection 
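Review bot: The log line in the compressed-config branch still spells out `${ROOTDIR}proc/config.gz` instead of the new `CHECKFILE_ZIPPED` variable that the branch now tests and assigns, so the logged path and the path actually used can diverge if one is edited later; `LogText "Result: found config: ${CHECKFILE_ZIPPED} (compressed)"` keeps them in step. Both `-f` tests leave the path unquoted, which matches the surrounding code but will break if ROOTDIR ever contains whitespace. The test body continues beyond the hunk.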
@@ -195,6 +195,12 @@ OS_NAME="Manjaro" OS_VERSION="Rolling release" ;; + "ol") + LINUX_VERSION="Oracle Linux" + OS_NAME="Oracle Linux" + OS_REDHAT_OR_CLONE=1 + OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + ;; "opensuse-tumbleweed") LINUX_VERSION="openSUSE Tumbleweed" # It's rolling release but has a snapshot version (the date of the snapshot) From 859298cc2a67a2307809cf427f26d8d4f8e4f99a Mon Sep 17 00:00:00 2001 From: Daniel Fernandez <9469737+danielf-5@users.noreply.github.com> Date: Fri, 15 May 2020 23:56:43 -0500 Subject: [PATCH 152/355] Update README.md --- README.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index ccc5a4d3..67706f14 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,5 @@ + [![Linux Security Expert badge](https://badges.linuxsecurity.expert/tools/ranking/lynis.svg)](https://linuxsecurity.expert/tools/lynis/) [![Build Status](https://travis-ci.org/CISOfy/lynis.svg?branch=master)](https://travis-ci.org/CISOfy/lynis) [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/96/badge)](https://bestpractices.coreinfrastructure.org/projects/96) 
@@ -14,7 +15,7 @@ Do you like this software? **Star the project** and become a [stargazer](https:/ > Lynis - Security auditing and hardening tool, for UNIX-based systems. -Lynis is a security auditing for system based on UNIX like Linux, macOS, BSD, and others. It performs an **in-depth security scan** and runs on the system itself. The primary goal is to test security defenses and **provide tips for further system hardening**. It will also scan for general system information, vulnerable software packages, and possible configuration issues. Lynis was commonly used by system administrators and auditors to assess the security defenses of their systems. Besides the "blue team", nowadays penetration testers also have Lynis in their toolkit. +Lynis is a security auditing tool for systems based on UNIX like Linux, macOS, BSD, and others. It performs an **in-depth security scan** and runs on the system itself. The primary goal is to test security defenses and **provide tips for further system hardening**. It will also scan for general system information, vulnerable software packages, and possible configuration issues. Lynis was commonly used by system administrators and auditors to assess the security defenses of their systems. Besides the "blue team," nowadays penetration testers also have Lynis in their toolkit. We believe software should be **simple**, **updated on a regular basis**, and **open**. You should be able to trust, understand, and have the option to change the software. Many agree with us, as the software is being used by thousands every day to protect their systems. 
@@ -57,7 +58,7 @@ If you want to run the software as `root`, we suggest changing the ownership of ### Software Package -For Linux, BSD, macOS, there is typically a package available. The Lynis project also provides packages in RPM or DEB format. The [CISOfy software repository](https://packages.cisofy.com) can be used to install Lynis on systems running: +For Linux, BSD, and macOS, there is typically a package available. The Lynis project also provides packages in RPM or DEB format. The [CISOfy software repository](https://packages.cisofy.com) can be used to install Lynis on systems running: `CentOS`, `Debian`, `Fedora`, `OEL`, `openSUSE`, `RHEL`, `Ubuntu`, and others. Some distributions may also have Lynis in their software repository: [![Repology](https://repology.org/badge/tiny-repos/lynis.svg)](https://repology.org/project/lynis/versions) @@ -103,7 +104,7 @@ Lynis is collecting some awards and we are proud of that. > We love contributors. -Do you have something to share? Or help out with translating Lynis into your own language? Create an issue or pull request on GitHub, or send us an e-mail: lynis-dev@cisofy.com. +Do you have something to share? Want to help out with translating Lynis into your own language? Create an issue or pull request on GitHub, or send us an e-mail: lynis-dev@cisofy.com. More details can be found in the [Contributors Guide](https://github.com/CISOfy/lynis/blob/master/CONTRIBUTING.md). From b74977db53472a6320e266aeef648f977df3dc1d Mon Sep 17 00:00:00 2001 From: Daniel Fernandez <9469737+danielf-5@users.noreply.github.com> Date: Fri, 15 May 2020 23:57:31 -0500 Subject: [PATCH 153/355] Update HAPPY_USERS.md --- HAPPY_USERS.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/HAPPY_USERS.md b/HAPPY_USERS.md index 049a9689..57c363a9 100644 --- a/HAPPY_USERS.md +++ b/HAPPY_USERS.md 
@@ -2,7 +2,7 @@ ## Community -Since 2007 the Lynis project helped many system administrators and security +Since 2007, the Lynis project helped many system administrators and security professionals to scan their systems and perform system hardening. Happy users and contributors are the foundation of a healthy project. From be4fdb8bc46cfcf58b9bb2081ef88ee4fbb3e6cf Mon Sep 17 00:00:00 2001 From: Daniel Fernandez <9469737+danielf-5@users.noreply.github.com> Date: Fri, 15 May 2020 23:59:59 -0500 Subject: [PATCH 154/355] Update CONTRIBUTING.md --- CONTRIBUTING.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index f31b9eb3..66a7b19b 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -1,3 +1,4 @@ + # Contributions ## Helping out @@ -6,13 +7,13 @@ Run the tool in debug mode (use lynis audit system --profile developer.prf) and see if it shows any error. ### Report bugs -Create an GitHub issue on the issue tracker +Create a GitHub issue on the issue tracker. ### Suggest changes (pull request) When you find something that can be improved, fork the project and create a pull request. ### Translations -See the db/languages directory +See the db/languages directory. ## Developer Guidelines @@ -30,13 +31,13 @@ Identation should be 4 spaces (no tab character). ### Comments Comments: use # sign followed by a space. When needed, create a comment block. -Blank lines: allowed, one line maximum +Blank lines: allowed, one line maximum. ### Functions All functions use CamelCase to clearly show a difference between shell built-in commands, or external commands. ### Variables -Variables should be capitalized, with underscore as word separator (e.g. PROCESS_EXISTS=1) +Variables should be capitalized, with underscore as word separator (e.g. PROCESS_EXISTS=1). ## Pull Requests 
@@ -56,7 +57,7 @@ to this repository, you agree that you: 4. Allow the project the [Unlimited Rights](#Unlimited-Rights) to your contribution -If you have questions regarding development, send us an e-mail at [lynis-dev](mailto:lynis-dev@cisofy.com) +If you have questions regarding development, send us an e-mail at [lynis-dev](mailto:lynis-dev@cisofy.com). ## Unlimited Rights From f072f808a2a5f76566c8f49e87147f903c65c5a3 Mon Sep 17 00:00:00 2001 From: Jaimie <59117167+Jaimie85@users.noreply.github.com> Date: Wed, 20 May 2020 15:41:46 +0200 Subject: [PATCH 155/355] Update nl --- db/languages/nl | 51 ++++++++++++++++++++++++++++--------------------- 1 file changed, 29 insertions(+), 22 deletions(-) diff --git a/db/languages/nl b/db/languages/nl index 21700617..31a694ee 100644 --- a/db/languages/nl +++ b/db/languages/nl 
@@ -1,38 +1,45 @@ +ERROR_NO_LICENSE="Geen licentiecode geconfigureerd" +ERROR_NO_UPLOAD_SERVER="Geen upload server geconfigureerd" GEN_CHECKING="Zoeken naar" +GEN_CURRENT_VERSION="Huidige versie" +GEN_DEBUG_MODE="Debug modus" +GEN_INITIALIZE_PROGRAM="Programma initialiseren" +GEN_LATEST_VERSION="Laatste versie" GEN_PHASE="fase" -GEN_INITIALIZE_PROGRAM="Initialiseren van programma" -NOTE_PLUGINS_TAKE_TIME="Plugins hebben uitgebreidere testen en kunnen derhalve enkele minuten duren" -NOTE_EXCEPTIONS_FOUND="Uitzonderingen gevonden" -SECTION_CUSTOM_TESTS="Eigen Testen" +GEN_PLUGINS_ENABLED="Plugins geactiveerd" +GEN_VERBOSE_MODE="Verbose modus" +GEN_UPDATE_AVAILABLE="Update beschikbaar" +GEN_WHAT_TO_DO="Wat te doen" +NOTE_EXCEPTIONS_FOUND="Bijzonderheden gevonden" +NOTE_EXCEPTIONS_FOUND_DETAILED="Enkele bijzondere gebeurtenissen of informatie gevonden" +NOTE_PLUGINS_TAKE_TIME="Let op: plugins hebben uitgebreidere testen en kunnen daardoor enkele minuten duren" +NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Overgeslagen testen vanwege beperkte rechten" +SECTION_CUSTOM_TESTS="Eigen testen" +SECTION_DATA_UPLOAD="Data upload" +SECTION_INITIALIZING_PROGRAM="Programma initialiseren" SECTION_MALWARE="Kwaadaardige software (malware)" SECTION_MEMORY_AND_PROCESSES="Geheugen en Processen" -STATUS_DONE="KLAAR" +SECTION_SYSTEM_TOOLS="Systeem gereedschap" STATUS_DISABLED="UITGESCHAKELD" +STATUS_DONE="KLAAR" STATUS_ENABLED="INGESCHAKELD" +STATUS_ERROR="FOUT" +STATUS_FAILED="MISLUKT" STATUS_FOUND="GEVONDEN" -STATUS_NO="NEE" -STATUS_NONE="GEEN" -STATUS_NOT_FOUND="NIET GEVONDEN" -STATUS_NOT_RUNNING="NIET ACTIEF" +STATUS_OFF="UIT" STATUS_OK="OK" STATUS_ON="AAN" -STATUS_OFF="UIT" -STATUS_YES="JA" +STATUS_NO="NEE" +STATUS_NONE="GEEN" +STATUS_NOT_CONFIGURED="NIET GECONFIGUREERD" +STATUS_NOT_FOUND="NIET GEVONDEN" +STATUS_NOT_RUNNING="NIET ACTIEF" STATUS_RUNNING="ACTIEF" STATUS_SKIPPED="OVERGESLAGEN" STATUS_SUGGESTION="SUGGESTIE" STATUS_UNKNOWN="ONBEKEND" STATUS_WARNING="WAARSCHUWING" 
-GEN_CURRENT_VERSION="Huidige versie" -GEN_DEBUG_MODE="Debug mode" -GEN_PLUGINS_ENABLED="Plugins geactiveerd" -GEN_VERBOSE_MODE="Verbose mode" -GEN_UPDATE_AVAILABLE="update beschikbaar" -GEN_WHAT_TO_DO="Wat te doen" -NOTE_EXCEPTIONS_FOUND_DETAILED="Enkele uitzonderingen gevonden" -NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Overgeslagen testen vanwege beperkte rechten" +STATUS_WEAK="ZWAK" +STATUS_YES="JA" TEXT_YOU_CAN_HELP_LOGFILE="Help mee door je logbestand te delen" TEXT_UPDATE_AVAILABLE="update beschikbaar" -STATUS_ERROR="FOUT" -ERROR_NO_LICENSE="geen licentiecode configureerd" -ERROR_NO_UPLOAD_SERVER="geen server configureerd voor uploads" From 9fdfc062dd17820114c2721f211f2c0f36bf5494 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 2 Jun 2020 14:09:49 +0200 Subject: [PATCH 156/355] Add Gentoo --- include/osdetection | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/include/osdetection b/include/osdetection index 7ad153d6..7483664b 100644 --- a/include/osdetection +++ b/include/osdetection @@ -183,6 +183,11 @@ OS_REDHAT_OR_CLONE=1 OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') ;; + "gentoo") + LINUX_VERSION="Gentoo" + OS_NAME="Gentoo Linux" + OS_VERSION="Rolling release" + ;; "pureos") LINUX_VERSION="PureOS" OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') From b285623ac2716d3adce9c444e3c9c2d5cf43dfbc Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 2 Jun 2020 16:30:43 +0200 Subject: [PATCH 157/355] Remove double space --- include/tests_filesystems | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_filesystems b/include/tests_filesystems index aabdc2be..3ad603c5 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems 
@@ -236,7 +236,7 @@ # Description : Query all HAMMER PFS mounts from /etc/fstab Register --test-no FILE-6439 --os DragonFly --weight L --network NO --category security --description "Checking HAMMER PFS mounts" if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: Query /etc/fstab for available HAMMER PFS mount points" + LogText "Test: Query /etc/fstab for available HAMMER PFS mount points" FIND=$(${MOUNTBINARY} -p | ${AWKBINARY} '{ if ($3 == "null") { print $1":"$2":"$3":"$4":" }}') if [ -z "${FIND}" ]; then Display --indent 2 --text "- Querying HAMMER PFS mount points (mount -p)" --result "${STATUS_NONE}" --color WHITE From 0b8c775a011ba7acf7a090ac54df165dd1b85062 Mon Sep 17 00:00:00 2001 From: Iain Cuthbertson Date: Tue, 2 Jun 2020 15:33:32 +0100 Subject: [PATCH 158/355] Adds uppercase option to the hostname validation regex --- include/tests_networking | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_networking b/include/tests_networking index 83a7aae0..420f26ea 100644 --- a/include/tests_networking +++ b/include/tests_networking @@ -70,7 +70,7 @@ LogText "Result: hostnamed is defined and not longer than 63 characters" fi # Test valid characters (normally a dot should not be in the name, but we can't be 100% sure we have short name) - FIND=$(echo "${HOSTNAME}" | ${TRBINARY} -d '[a-z0-9\.\-]') + FIND=$(echo "${HOSTNAME}" | ${TRBINARY} -d '[a-zA-Z0-9\.\-]') if [ -z "${FIND}" ]; then LogText "Result: good, no unexpected characters discovered in hostname" if IsVerbose; then Display --indent 2 --text "- Hostname (allowed characters)" --result "${STATUS_OK}" --color GREEN; fi From 05ea9f873d1e62c553242eb531d941c4ad06ae97 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 2 Jun 2020 16:34:35 +0200 Subject: [PATCH 159/355] [FILE-6330] corrected description --- include/tests_filesystems | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
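Review bot: The set in `${TRBINARY} -d '[a-zA-Z0-9\.\-]'` is not a bracket expression: tr treats `[` and `]` as ordinary members of the set, so a hostname containing brackets (and, depending on the implementation, a backslash) still produces an empty FIND and is reported as having only allowed characters. The uppercase range the commit adds is correct, but the set should be written without the brackets and escapes, `FIND=$(echo "${HOSTNAME}" | ${TRBINARY} -d 'a-zA-Z0-9.-')`, so that only the intended characters survive; `\.` is not a defined tr escape and its treatment is implementation-specific, while a trailing `-` is literal in every tr. This weakness predates the commit, but the line is being rewritten anyway. The enclosing test block starts and ends outside the hunk.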
diff --git a/include/tests_filesystems b/include/tests_filesystems index 3ad603c5..fe4ae167 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems @@ -212,10 +212,11 @@ ################################################################################# # # Test : FILE-6330 - # Description : Query all ZFS mounts from /etc/fstab + # Description : Query ZFS mounts + # Note : mount -p does not work under Linux Register --test-no FILE-6330 --os FreeBSD --weight L --network NO --category security --description "Checking ZFS file systems" if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: Query /etc/fstab for available ZFS mount points" + LogText "Test: Discover for available ZFS mount points" FIND=$(${MOUNTBINARY} -p | ${AWKBINARY} '{ if ($3 == "zfs") { print $1":"$2":"$3":"$4":" }}') if [ -z "${FIND}" ]; then Display --indent 2 --text "- Querying ZFS mount points (mount -p)" --result "${STATUS_NONE}" --color WHITE From 3d7de495cc6b67ab1870ac9e66f1690fd17a2be4 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 2 Jun 2020 16:34:42 +0200 Subject: [PATCH 160/355] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index b982ac53..3c699f64 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -103,6 +103,7 @@ Using the relevant options, the scan will change base on the intended goal. - CRYP-7902 - optionally check also certificates provided by packages - CRYP-8002 - gather kernel entropy on Linux systems - FILE-6310 - support for HP-UX +- FILE-6330 - corrected description - FILE-6374 - changed log and allow root location to be changed - FILE-6374 - corrected condition to find 'defaults' flag in /etc/fstab - FILE-6430 - minor code improvements and show suggestion with more details From 10402538fab978a869a5ee660078480f7000cda8 Mon Sep 17 00:00:00 2001 
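Review bot: The rewritten log line `LogText "Test: Discover for available ZFS mount points"` reads oddly; `LogText "Test: Discover available ZFS mount points"` matches the phrasing of the neighbouring tests. The new `# Note : mount -p does not work under Linux` comment presumably explains why the test is registered with `--os FreeBSD` on the line below, and saying so would make the link explicit: `# Note : mount -p does not work under Linux, hence --os FreeBSD`. The enclosing test block ends outside the hunk.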
From: Steve8291 Date: Thu, 11 Jun 2020 10:46:55 -0400 Subject: [PATCH 161/355] Fix typo in kernel options description --- default.prf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/default.prf b/default.prf index 6ff3eac2..ce01db60 100644 --- a/default.prf +++ b/default.prf @@ -152,7 +152,7 @@ plugin=users # # Kernel options # --------------- -# configdate=, followed by: +# config-data=, followed by: # # - Type = Set to 'sysctl' # - Setting = value of sysctl key (e.g. kernel.sysrq) From b3e1fc67c8f21217bc5e2a9a60b3ab3920982864 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Mon, 15 Jun 2020 01:35:00 +0200 Subject: [PATCH 162/355] add Fedora EOL, update other releases MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- db/software-eol.db | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/db/software-eol.db b/db/software-eol.db index b3285487..426560c8 100644 --- a/db/software-eol.db +++ b/db/software-eol.db @@ -48,6 +48,8 @@ os:FreeBSD 10.3:2018-04-30:0: os:FreeBSD 10.4:2018-10-31:0: os:FreeBSD 11.0:2017-11-30:0: os:FreeBSD 11.1:2018-09-30:0: +os:FreeBSD 11.2:2019-10-31:1572476400: +os:FreeBSD 12.0:2020-02-29:1582930800: # # NetBSD - https://www.netbsd.org/support/security/release.html and # https://www.netbsd.org/releases/formal.html @@ -102,8 +104,17 @@ os:NetBSD 9.0::-1: # os:OpenBSD 5.8:2016-09-01:0: os:OpenBSD 5.9:2017-04-11:0: +os:OpenBSD 6.0:2017-09-10:0: +os:OpenBSD 6.1:2018-04-15:0: +os:OpenBSD 6.2:2018-10-18:0: +os:OpenBSD 6.3:2019-05-03:0: +os:OpenBSD 6.4:2019-10-17:0: +os:OpenBSD 6.5:2020-05-19:0: +os:OpenBSD 6.6:2020-10-01:0: +os:OpenBSD 6.7:2021-05-01:0: # -# Ubuntu - https://wiki.ubuntu.com/Kernel/LTSEnablementStack +# Ubuntu - https://wiki.ubuntu.com/Kernel/LTSEnablementStack and +# https://wiki.ubuntu.com/Releases # os:Ubuntu 14.04:2019-05-01:1556661600: os:Ubuntu 14.10:2015-07-01:0: 
@@ -116,6 +127,7 @@ os:Ubuntu 17.10:2018-07-01:1530396000: os:Ubuntu 18.04:2023-05-01:1682892000: os:Ubuntu 18.10:2019-07-18:1563400800: os:Ubuntu 19.04:2020-01-01:1577833200: +os:Ubuntu 20.04:2025-04-01:1743458400 # # Slackware - https://en.wikipedia.org/wiki/Slackware#Releases # @@ -132,3 +144,12 @@ os:Slackware Linux 12.2:2013-12-09:1386540000: os:Slackware Linux 13.0:2018-07-05:1530738000: os:Slackware Linux 13.1:2018-07-05:1530738000: os:Slackware Linux 13.37:2018-07-05:1530738000: +# +# Fedora - https://fedoraproject.org/wiki/End_of_life +# +os:Fedora release 25:2017-12-12:1513033200 +os:Fedora release 26:2018-05-29:1527544800 +os:Fedora release 27:2018-11-30:1543532400 +os:Fedora release 28:2019-05-28:1558994400 +os:Fedora release 29:2019-11-26:1574722800 +os:Fedora release 30:2020-05-26:1590444000 From ca6326a12bf9af53a6e818bb60d9e09beb5bd485 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Mon, 15 Jun 2020 07:40:57 +0000 Subject: [PATCH 163/355] Update db/software-eol.db Co-authored-by: Jaimie <59117167+Jaimie85@users.noreply.github.com> --- db/software-eol.db | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/db/software-eol.db b/db/software-eol.db index 426560c8..6af4dba5 100644 --- a/db/software-eol.db +++ b/db/software-eol.db 
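Review bot: The new `os:Ubuntu 20.04:2025-04-01:1743458400` line and the six new Fedora lines in the following hunk lack the trailing `:` that terminates field 4 on every other entry in this file (compare `os:Ubuntu 19.04:2020-01-01:1577833200:` directly above). If the reader splits records on `:` and expects that terminator, these seven entries may parse differently from the rest, so the colon should be appended to each of them. The comment `# Fedora - https://fedoraproject.org/wiki/End_of_life` follows the pattern of the other vendor blocks, which is good.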
@@ -104,14 +104,14 @@ os:NetBSD 9.0::-1: # os:OpenBSD 5.8:2016-09-01:0: os:OpenBSD 5.9:2017-04-11:0: -os:OpenBSD 6.0:2017-09-10:0: -os:OpenBSD 6.1:2018-04-15:0: -os:OpenBSD 6.2:2018-10-18:0: -os:OpenBSD 6.3:2019-05-03:0: -os:OpenBSD 6.4:2019-10-17:0: -os:OpenBSD 6.5:2020-05-19:0: -os:OpenBSD 6.6:2020-10-01:0: -os:OpenBSD 6.7:2021-05-01:0: +os:OpenBSD 6.0:2017-09-10:1505001600: +os:OpenBSD 6.1:2018-04-15:1523750400: +os:OpenBSD 6.2:2018-10-18:1539820800: +os:OpenBSD 6.3:2019-05-03:1556841600: +os:OpenBSD 6.4:2019-10-17:1571270400: +os:OpenBSD 6.5:2020-05-19:1589846400: +os:OpenBSD 6.6:2020-10-01:1601510400: +os:OpenBSD 6.7:2021-05-01:1619827200: # # Ubuntu - https://wiki.ubuntu.com/Kernel/LTSEnablementStack and # https://wiki.ubuntu.com/Releases From 41ad9d380c1255a2b7e77e8e50e19ff650e8db1a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Tue, 16 Jun 2020 09:05:55 +0200 Subject: [PATCH 164/355] update all EOL dates to seconds to epoch MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- db/software-eol.db | 97 +++++++++++++++++++++++----------------------- 1 file changed, 49 insertions(+), 48 deletions(-) diff --git a/db/software-eol.db b/db/software-eol.db index 6af4dba5..d55cfdaa 100644 --- a/db/software-eol.db +++ b/db/software-eol.db @@ -8,6 +8,7 @@ # 4) converted date (seconds since epoch) or -1 # # Date can be converted on Linux using: date "+%s" --date=2020-01-01 +# Seconds since epoch can be verified using: date -d @1467324000 +'%Y-%m-%d' # # Notes: # For rolling releases or releases that do not (currently have an EOL date, leave field three empty and set field four to -1. 
@@ -40,55 +41,55 @@ os:Debian 10:2022-01-01:1640991600: # # FreeBSD - https://www.freebsd.org/security/unsupported.html # -os:FreeBSD 9.3:2014-12-31:0: -os:FreeBSD 10.0:2015-02-28:0: -os:FreeBSD 10.1:2016-12-31:0: -os:FreeBSD 10.2:2016-12-31:0: -os:FreeBSD 10.3:2018-04-30:0: -os:FreeBSD 10.4:2018-10-31:0: -os:FreeBSD 11.0:2017-11-30:0: -os:FreeBSD 11.1:2018-09-30:0: +os:FreeBSD 9.3:2014-12-31:1419980400: +os:FreeBSD 10.0:2015-02-28:1425078000: +os:FreeBSD 10.1:2016-12-31:1483138800: +os:FreeBSD 10.2:2016-12-31:1483138800: +os:FreeBSD 10.3:2018-04-30:1525039200: +os:FreeBSD 10.4:2018-10-31:1540940400: +os:FreeBSD 11.0:2017-11-30:1511996400: +os:FreeBSD 11.1:2018-09-30:1538258400: os:FreeBSD 11.2:2019-10-31:1572476400: os:FreeBSD 12.0:2020-02-29:1582930800: # # NetBSD - https://www.netbsd.org/support/security/release.html and # https://www.netbsd.org/releases/formal.html # -os:NetBSD 2.0:2008-01-19:0: -os:NetBSD 2.0.1:2008-01-19:0: -os:NetBSD 2.0.2:2008-01-19:0: -os:NetBSD 2.0.3:2008-01-19:0: -os:NetBSD 2.1:2008-01-19:0: -os:NetBSD 3.0:2009-09-29:0: -os:NetBSD 3.0.1:2009-09-29:0: -os:NetBSD 3.0.2:2009-09-29:0: -os:NetBSD 3.1:2009-09-29:0: -os:NetBSD 4.0:2012-11-17:0: -os:NetBSD 4.0.1:2012-11-17:0: -os:NetBSD 5.0:2015-11-17:0: -os:NetBSD 5.0.1:2015-10-17:0: -os:NetBSD 5.0.2:2015-10-17:0: -os:NetBSD 5.1:2015-10-17:0: -os:NetBSD 5.1.1:2015-10-17:0: -os:NetBSD 5.1.2:2015-10-17:0: -os:NetBSD 5.1.3:2015-10-17:0: -os:NetBSD 5.1.4:2015-10-17:0: -os:NetBSD 5.1.5:2015-10-17:0: -os:NetBSD 5.2.1:2015-10-17:0: -os:NetBSD 5.2.2:2015-10-17:0: -os:NetBSD 5.2.3:2015-10-17:0: -os:NetBSD 6.0:2017-09-17:0: -os:NetBSD 6.0.1:2017-09-17:0: -os:NetBSD 6.0.2:2017-09-17:0: -os:NetBSD 6.0.3:2017-09-17:0: -os:NetBSD 6.0.4:2017-09-17:0: -os:NetBSD 6.0.5:2017-09-17:0: -os:NetBSD 6.1:2017-09-17:0: -os:NetBSD 6.1.1:2017-09-17:0: -os:NetBSD 6.1.2:2017-09-17:0: -os:NetBSD 6.1.3:2017-09-17:0: -os:NetBSD 6.1.4:2017-09-17:0: -os:NetBSD 6.1.5:2017-09-17:0: +os:NetBSD 2.0:2008-01-19:1200697200: +os:NetBSD 
2.0.1:2008-01-19:1200697200: +os:NetBSD 2.0.2:2008-01-19:1200697200: +os:NetBSD 2.0.3:2008-01-19:1200697200: +os:NetBSD 2.1:2008-01-19:1200697200: +os:NetBSD 3.0:2009-09-29:1254175200: +os:NetBSD 3.0.1:2009-09-29:1254175200: +os:NetBSD 3.0.2:2009-09-29:1254175200: +os:NetBSD 3.1:2009-09-29:1254175200: +os:NetBSD 4.0:2012-11-17:1353106800: +os:NetBSD 4.0.1:2012-11-17:1353106800: +os:NetBSD 5.0:2015-11-17:1447714800: +os:NetBSD 5.0.1:2015-10-17:1445032800: +os:NetBSD 5.0.2:2015-10-17:1445032800: +os:NetBSD 5.1:2015-10-17:1445032800: +os:NetBSD 5.1.1:2015-10-17:1445032800: +os:NetBSD 5.1.2:2015-10-17:1445032800: +os:NetBSD 5.1.3:2015-10-17:1445032800: +os:NetBSD 5.1.4:2015-10-17:1445032800: +os:NetBSD 5.1.5:2015-10-17:1445032800: +os:NetBSD 5.2.1:2015-10-17:1445032800: +os:NetBSD 5.2.2:2015-10-17:1445032800: +os:NetBSD 5.2.3:2015-10-17:1445032800: +os:NetBSD 6.0:2017-09-17:1505599200: +os:NetBSD 6.0.1:2017-09-17:1505599200: +os:NetBSD 6.0.2:2017-09-17:1505599200: +os:NetBSD 6.0.3:2017-09-17:1505599200: +os:NetBSD 6.0.4:2017-09-17:1505599200: +os:NetBSD 6.0.5:2017-09-17:1505599200: +os:NetBSD 6.1:2017-09-17:1505599200: +os:NetBSD 6.1.1:2017-09-17:1505599200: +os:NetBSD 6.1.2:2017-09-17:1505599200: +os:NetBSD 6.1.3:2017-09-17:1505599200: +os:NetBSD 6.1.4:2017-09-17:1505599200: +os:NetBSD 6.1.5:2017-09-17:1505599200: os:NetBSD 7.0:2020-03-14:1584162000: os:NetBSD 7.0.1:2020-03-14:1584162000: os:NetBSD 7.0.2:2020-03-14:1584162000: @@ -102,8 +103,8 @@ os:NetBSD 9.0::-1: # # OpenBSD - https://en.wikipedia.org/wiki/OpenBSD_version_history # -os:OpenBSD 5.8:2016-09-01:0: -os:OpenBSD 5.9:2017-04-11:0: +os:OpenBSD 5.8:2016-09-01:1472680800: +os:OpenBSD 5.9:2017-04-11:1491861600: os:OpenBSD 6.0:2017-09-10:1505001600: os:OpenBSD 6.1:2018-04-15:1523750400: os:OpenBSD 6.2:2018-10-18:1539820800: 
@@ -117,9 +118,9 @@ os:OpenBSD 6.7:2021-05-01:1619827200: # https://wiki.ubuntu.com/Releases # os:Ubuntu 14.04:2019-05-01:1556661600: -os:Ubuntu 14.10:2015-07-01:0: -os:Ubuntu 15.04:2016-01-01:0: -os:Ubuntu 15.10:2016-07-01:0: +os:Ubuntu 14.10:2015-07-01:1435701600: +os:Ubuntu 15.04:2016-01-01:1451602800: +os:Ubuntu 15.10:2016-07-01:1467324000: os:Ubuntu 16.04:2021-05-01:1619820000: os:Ubuntu 16.10:2017-07-01:1498860000: os:Ubuntu 17.04:2018-01-01:1514761200: From 78e7ce36afbbcba56fd65723f4d455de4d19ed6e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Thu, 18 Jun 2020 10:15:13 +0200 Subject: [PATCH 165/355] add RHEL 6,7,8 EOL dates MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit (cherry picked from commit 6ce0aa41c64f8146716de25d613e66cf53f08b0e) Signed-off-by: Thomas Sjögren --- db/software-eol.db | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/db/software-eol.db b/db/software-eol.db index d55cfdaa..beb4eff1 100644 --- a/db/software-eol.db +++ b/db/software-eol.db @@ -114,6 +114,12 @@ os:OpenBSD 6.5:2020-05-19:1589846400: os:OpenBSD 6.6:2020-10-01:1601510400: os:OpenBSD 6.7:2021-05-01:1619827200: # +# Red Hat Enterprise Linux - https://access.redhat.com/labs/plcc/ +# +os:Red Hat Enterprise Linux Server release 6:2020-11-30:1606690800: +os:Red Hat Enterprise Linux 7:2024-06-30:1719698400: +os:Red Hat Enterprise Linux 8:2029-05-07:1872799200: +# # Ubuntu - https://wiki.ubuntu.com/Kernel/LTSEnablementStack and # https://wiki.ubuntu.com/Releases # From 3b9eda53cc20e851c4456618f027bc9ea794ad30 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Thu, 18 Jun 2020 12:36:04 +0200 Subject: [PATCH 166/355] CVE-2019-13033 - Discovered by Sander Bos --- include/data_upload | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/include/data_upload b/include/data_upload index 6718d6d3..eae2b5cc 100644 --- a/include/data_upload +++ b/include/data_upload 
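Review bot: The three new Red Hat entries use two different name formats, `Red Hat Enterprise Linux Server release 6` versus `Red Hat Enterprise Linux 7` and `Red Hat Enterprise Linux 8`, whereas every other vendor block keeps a single `<name> <version>` pattern. If the lookup matches on the detected OS string, only one of the two forms can match a given system, so the lines should follow whatever the OS detection emits for RHEL and be consistent across all three. If the `Server release` wording is deliberate for RHEL 6, a short comment in the block saying so would save the next editor from "fixing" it.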
@@ -77,6 +77,10 @@ ExitFatal
 else
 Output "License key = ${LICENSE_KEY}"
+ # Create a temporary file to use during upload (prevent license key being displayed in process table)
+ CreateTempFile || ExitFatal
+ LICENSE_KEY_FILE="${TEMP_FILE}"
+ echo "${LICENSE_KEY}" | ${TRBINARY} -cd '[a-f0-9-]' > ${LICENSE_KEY_FILE}
 fi
@@ -129,8 +133,9 @@ # License check
- LogText "Command used: ${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "collector_version=${PROGRAM_VERSION}" ${LICENSE_SERVER_URL} 2> /dev/null"
- UPLOAD=$(${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "collector_version=${PROGRAM_VERSION}" ${LICENSE_SERVER_URL} 2> /dev/null)
+ LogText "Command used: ${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "licensekey@${LICENSE_KEY_FILE}" --data-urlencode "collector_version=${PROGRAM_VERSION}" ${LICENSE_SERVER_URL} 2> /dev/null"
+ UPLOAD=$(${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "licensekey@${LICENSE_KEY_FILE}" --data-urlencode "collector_version=${PROGRAM_VERSION}" ${LICENSE_SERVER_URL} 2> /dev/null)
+ EXITCODE=$?
 LogText "Exit code: ${EXITCODE}"
 if [ ${EXITCODE} -gt 0 ]; then
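Review bot: The sanitising filter `${TRBINARY} -cd '[a-f0-9-]'` keeps more than hex digits and dashes: tr treats `[` and `]` as literal members of the set, so those two characters also pass through into LICENSE_KEY_FILE, and the set should be written as `'a-f0-9-'`. The redirection target is unquoted and should be `> "${LICENSE_KEY_FILE}"`. Whether CreateTempFile creates the file with owner-only permissions is not visible here; since the file now carries the credential, it should be created under a restrictive umask (or via mktemp) and removed once the upload finishes, if the existing temp-file cleanup does not already cover it, otherwise the key is readable by other local users for the file's lifetime. The context line `Output "License key = ${LICENSE_KEY}"` still prints the key to the terminal, which this fix does not address. The surrounding if/else block starts outside the hunk.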
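Review bot: The new `LogText "Command used: ... --data-urlencode "licensekey@${LICENSE_KEY_FILE}" ..."` line nests unescaped double quotes, so the shell closes the string at `"licensekey@` and LogText receives several word-split arguments instead of one message; the same command is logged with `\"` escapes in the upload hunk later in this file (`@@ -225,10 +230,10 @@`), and this line should use that form: `LogText "Command used: ${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode \"licensekey@${LICENSE_KEY_FILE}\" --data-urlencode \"collector_version=${PROGRAM_VERSION}\" ${LICENSE_SERVER_URL} 2> /dev/null"`. The added `EXITCODE=$?` directly after the `UPLOAD=$(...)` assignment is the right placement; it was absent before, so the following `LogText "Exit code: ${EXITCODE}"` presumably reported a stale value. The enclosing block starts and ends outside the hunk.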
@@ -225,10 +230,10 @@ Output "${WHITE}Found hostid: ${HOSTID}${NORMAL}"
 # Try to connect
 Output "Uploading data.."
- LogText "Command used: ${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode \"data@${REPORTFILE}\" --data-urlencode \"licensekey=${LICENSE_KEY}\" --data-urlencode \"hostid=${HOSTID}\" ${UPLOAD_URL}"
- LogText "Tip: try running ${CURLBINARY}${CURL_OPTIONS} --data-urlencode \"data@${REPORTFILE}\" --data-urlencode \"licensekey=${LICENSE_KEY}\" --data-urlencode \"hostid=${HOSTID}\" ${UPLOAD_URL}"
+ LogText "Command used: ${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode \"data@${REPORTFILE}\" --data-urlencode \"licensekey@${LICENSE_KEY_FILE}\" --data-urlencode \"hostid=${HOSTID}\" ${UPLOAD_URL}"
+ LogText "Tip: try running ${CURLBINARY}${CURL_OPTIONS} --data-urlencode \"data@${REPORTFILE}\" --data-urlencode \"licensekey@${LICENSE_KEY_FILE}\" --data-urlencode \"hostid=${HOSTID}\" ${UPLOAD_URL}"
 LogText "Tip: to just retry an upload, use: lynis upload-only"
- UPLOAD=$(${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "data@${REPORTFILE}" --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "hostid=${HOSTID}" --data-urlencode "hostid2=${HOSTID2}" ${UPLOAD_URL} 2> /dev/null)
+ UPLOAD=$(${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "data@${REPORTFILE}" --data-urlencode "licensekey@${LICENSE_KEY_FILE}" --data-urlencode "hostid=${HOSTID}" --data-urlencode "hostid2=${HOSTID2}" ${UPLOAD_URL} 2> /dev/null)
 EXITCODE=$?
 LogText "Exit code: ${EXITCODE}"
 if [ ${EXITCODE} -gt 0 ]; then
From 3c3c4105b2086fc3ff556319cf0e3da08c8c1f95 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Thu, 18 Jun 2020 12:48:33 +0200 Subject: [PATCH 167/355] Updated log --- CHANGELOG.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3c699f64..3198681e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
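Review bot: The two logged command strings do not match the request actually sent: the `UPLOAD=$(...)` line passes `--data-urlencode "hostid2=${HOSTID2}"`, but neither the rewritten `Command used:` line nor the `Tip: try running` line includes it, so a user who retries from the log sends a different request than the tool did. Add `--data-urlencode \"hostid2=${HOSTID2}\"` to both LogText strings. The mismatch predates the commit, but since the commit rewrites both lines this is the natural place to align them. The enclosing block starts and ends outside the hunk.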
@@ -1,11 +1,16 @@ # Lynis Changelog -## Lynis 3.0.0 (not released yet) +## Lynis 3.0.0 (2020-06-18) This is a major release of Lynis and includes several big changes. Some of these changes may break your current usage of the tool, so test before deployment! +### Security issues +This release resolves two security issues +* CVE-2020-13882 - Discovered by Sander Bos, code submission by Katarina Durechova +* CVE-2019-13033 - Discovered by Sander Bos + ### Breaking change: Non-interactive by default Lynis now runs non-interactive by default, to be more in line with the Unix philosophy. So the previously used '--quick' option is now default, and the tool From 05ef9547ae42c9885c84058c575b01ef9ec903cf Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Thu, 18 Jun 2020 12:51:54 +0200 Subject: [PATCH 168/355] Release 3.0.0 --- lynis | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lynis b/lynis index 2d79fa4f..1b3803dc 100755 --- a/lynis +++ b/lynis @@ -43,9 +43,9 @@ PROGRAM_WEBSITE="https://cisofy.com/lynis/" # Version details - PROGRAM_RELEASE_DATE="2020-03-20" - PROGRAM_RELEASE_TIMESTAMP=1584711965 - PROGRAM_RELEASE_TYPE="pre-release" # pre-release or release + PROGRAM_RELEASE_DATE="2020-06-18" + PROGRAM_RELEASE_TIMESTAMP=1592477492 + PROGRAM_RELEASE_TYPE="release" # pre-release or release PROGRAM_VERSION="3.0.0" # Source, documentation and license From 6a9e94befb022530854c4b53496710fe344f7ad0 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 19 Jun 2020 11:10:22 +0200 Subject: [PATCH 169/355] Reordered items, added Kali Linux, improved exception message --- include/osdetection | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/include/osdetection b/include/osdetection index 7483664b..88aa8209 100644 --- a/include/osdetection +++ b/include/osdetection 
@@ -188,11 +188,10 @@ OS_NAME="Gentoo Linux" OS_VERSION="Rolling release" ;; - "pureos") - LINUX_VERSION="PureOS" - OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') - OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') - OS_NAME="PureOS" + "kali") + LINUX_VERSION="Kali" + OS_NAME="Kali Linux" + OS_VERSION="Rolling release" ;; "manjaro") LINUX_VERSION="Manjaro" @@ -217,11 +216,11 @@ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_NAME="openSUSE" ;; - "ubuntu") - LINUX_VERSION="Ubuntu" + "pureos") + LINUX_VERSION="PureOS" OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') - OS_NAME="Ubuntu" + OS_NAME="PureOS" ;; "raspbian") LINUX_VERSION="Raspbian" @@ -243,8 +242,14 @@ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') ;; + "ubuntu") + LINUX_VERSION="Ubuntu" + OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + OS_NAME="Ubuntu" + ;; *) - ReportException "OS Detection" "Unknown OS found in /etc/os-release" + ReportException "OS Detection" "Unknown OS found in /etc/os-release - Please create issue on GitHub project page: ${PROGRAM_SOURCE}" ;; esac fi From 57a2ae2b8dfba55002e4537816a66d217b1ad3ca Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 19 Jun 2020 11:11:37 +0200 Subject: [PATCH 170/355] Switch to pre-release --- lynis | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lynis b/lynis index 1b3803dc..9b0e5894 100755 --- a/lynis +++ b/lynis 
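Review bot: The new `"kali"` arm hard-codes `OS_VERSION="Rolling release"` and reads nothing from /etc/os-release, unlike the `"pureos"` and `"ubuntu"` arms in the same hunk, which fill `OS_VERSION` and `OS_VERSION_FULL` from `VERSION_ID` and `VERSION`. If Kali publishes a `VERSION_ID` in its os-release (its releases carry year-based version numbers), reading it the same way would give reports and the EOL lookup a real version instead of a constant; if the constant is deliberate, a one-line comment such as `# Kali is a rolling release; os-release carries no meaningful EOL version` would record that. The enclosing `case` starts and ends outside the hunk.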
@@ -45,8 +45,8 @@ # Version details PROGRAM_RELEASE_DATE="2020-06-18" PROGRAM_RELEASE_TIMESTAMP=1592477492 - PROGRAM_RELEASE_TYPE="release" # pre-release or release - PROGRAM_VERSION="3.0.0" + PROGRAM_RELEASE_TYPE="pre-release" # pre-release or release + PROGRAM_VERSION="3.0.1" # Source, documentation and license PROGRAM_SOURCE="https://github.com/CISOfy/lynis" From bd29a3e4e790d9825521ae9e9a04ffb3c01721d0 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 19 Jun 2020 11:11:47 +0200 Subject: [PATCH 171/355] Updated log --- CHANGELOG.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3198681e..86887a24 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,13 @@ # Lynis Changelog +## Lynis 3.0.1 (not released yet) + +### Changed +- Added Kali Linux +- Small code enhancements + +--------------------------------------------------------------------------------- + ## Lynis 3.0.0 (2020-06-18) This is a major release of Lynis and includes several big changes. From 6aa63f1c95190b5c7b198f3a28473c93c5676b7a Mon Sep 17 00:00:00 2001 From: Alexander Lackner Date: Sat, 20 Jun 2020 02:12:57 +0200 Subject: [PATCH 172/355] Update language files (de, de-AT, en) --- db/languages/de | 37 ++++++++++++++++++++++--------------- db/languages/de-AT | 1 + db/languages/en | 10 +++++----- 3 files changed, 28 insertions(+), 20 deletions(-) create mode 120000 db/languages/de-AT diff --git a/db/languages/de b/db/languages/de index 34b909e2..e1465aa2 100644 --- a/db/languages/de +++ b/db/languages/de 
@@ -1,38 +1,45 @@ -GEN_PHASE="Phase" +ERROR_NO_LICENSE="Kein Lizenzschlüssel eingerichtet" +ERROR_NO_UPLOAD_SERVER="Kein Upload-Server eingerichtet" GEN_CHECKING="Überprüfung" GEN_CURRENT_VERSION="Aktuelle Version" GEN_DEBUG_MODE="Debug-Modus" -GEN_INITIALIZE_PROGRAM="Initiiere Programm" +GEN_INITIALIZE_PROGRAM="Initialisiere Programm" +GEN_LATEST_VERSION="Aktuellste Version" +GEN_PHASE="Phase" GEN_PLUGINS_ENABLED="Plugins aktiviert" -GEN_VERBOSE_MODE="Ausführlicher Modus" GEN_UPDATE_AVAILABLE="Aktualisierung verfügbar" +GEN_VERBOSE_MODE="Ausführlicher Modus" GEN_WHAT_TO_DO="Was zu tun ist" -NOTE_EXCEPTIONS_FOUND="Abweichungen gefunden" NOTE_EXCEPTIONS_FOUND_DETAILED="Einige außergewöhnliche Ereignisse oder Informationen wurden gefunden" +NOTE_EXCEPTIONS_FOUND="Abweichungen gefunden" NOTE_PLUGINS_TAKE_TIME="Beachte: Plugins beinhalten eingehendere Tests und können mehrere Minuten benötigen, bis sie abgeschlossen sind" +NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Übersprungene Tests aufgrund nicht privilegiertem Modus" SECTION_CUSTOM_TESTS="Benutzerdefinierte Tests" +SECTION_DATA_UPLOAD="Daten hochladen" +SECTION_INITIALIZING_PROGRAM="Initialisiere Programm" SECTION_MALWARE="Malware" SECTION_MEMORY_AND_PROCESSES="Speicher und Prozesse" +SECTION_SYSTEM_TOOLS="Systemwerkzeuge" +STATUS_DISABLED="DEAKTIVIERT" STATUS_DONE="FERTIG" +STATUS_ENABLED="AKTIVIERT" +STATUS_ERROR="FEHLER" +STATUS_FAILED="FEHLERHAFT" STATUS_FOUND="GEFUNDEN" -STATUS_YES="JA" STATUS_NO="NEIN" +STATUS_NONE="NICHTS" +STATUS_NOT_CONFIGURED="NICHT KONFIGURIERT" +STATUS_NOT_FOUND="NICHT GEFUNDEN" +STATUS_NOT_RUNNING="LÄUFT NICHT" STATUS_OFF="AUS" STATUS_OK="OK" STATUS_ON="AN" -STATUS_NONE="NICHTS" -STATUS_NOT_FOUND="NICHT GEFUNDEN" -STATUS_NOT_RUNNING="LÄUFT NICHT" STATUS_RUNNING="LÄUFT" STATUS_SKIPPED="ÜBERSPRUNGEN" STATUS_SUGGESTION="VORSCHLAG" STATUS_UNKNOWN="UNBEKANNT" STATUS_WARNING="WARNUNG" -TEXT_YOU_CAN_HELP_LOGFILE="Sie können durch Übermittlung Ihrer Logdatei helfen" +STATUS_WEAK="SCHWACH" 
+STATUS_YES="JA" TEXT_UPDATE_AVAILABLE="Aktualisierung verfügbar" -NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Übersprungene Tests aufgrund nicht privilegiertem Modus" -STATUS_DISABLED="DEAKTIVIERT" -STATUS_ENABLED="AKTIVIERT" -STATUS_ERROR="FEHLER" -ERROR_NO_LICENSE="Kein Lizenzschlüssel eingerichtet" -ERROR_NO_UPLOAD_SERVER="Kein Upload-Server eingerichtet" +TEXT_YOU_CAN_HELP_LOGFILE="Sie können durch Übermittlung Ihrer Logdatei helfen" diff --git a/db/languages/de-AT b/db/languages/de-AT new file mode 120000 index 00000000..c42e816f --- /dev/null +++ b/db/languages/de-AT @@ -0,0 +1 @@ +de \ No newline at end of file diff --git a/db/languages/en b/db/languages/en index 716a584c..3a430644 100644 --- a/db/languages/en +++ b/db/languages/en @@ -10,8 +10,8 @@ GEN_PLUGINS_ENABLED="Plugins enabled" GEN_UPDATE_AVAILABLE="update available" GEN_VERBOSE_MODE="Verbose mode" GEN_WHAT_TO_DO="What to do" -NOTE_EXCEPTIONS_FOUND="Exceptions found" NOTE_EXCEPTIONS_FOUND_DETAILED="Some exceptional events or information was found" +NOTE_EXCEPTIONS_FOUND="Exceptions found" NOTE_PLUGINS_TAKE_TIME="Note: plugins have more extensive tests and may take several minutes to complete" NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Skipped tests due to non-privileged mode" SECTION_CUSTOM_TESTS="Custom tests" @@ -26,14 +26,14 @@ STATUS_ENABLED="ENABLED" STATUS_ERROR="ERROR" STATUS_FAILED="FAILED" STATUS_FOUND="FOUND" -STATUS_OFF="OFF" -STATUS_OK="OK" -STATUS_ON="ON" STATUS_NO="NO" STATUS_NONE="NONE" STATUS_NOT_CONFIGURED="NOT CONFIGURED" STATUS_NOT_FOUND="NOT FOUND" STATUS_NOT_RUNNING="NOT RUNNING" +STATUS_OFF="OFF" +STATUS_OK="OK" +STATUS_ON="ON" STATUS_RUNNING="RUNNING" STATUS_SKIPPED="SKIPPED" STATUS_SUGGESTION="SUGGESTION" @@ -41,5 +41,5 @@ STATUS_UNKNOWN="UNKNOWN" STATUS_WARNING="WARNING" STATUS_WEAK="WEAK" STATUS_YES="YES" -TEXT_YOU_CAN_HELP_LOGFILE="You can help by providing your log file" TEXT_UPDATE_AVAILABLE="update available" +TEXT_YOU_CAN_HELP_LOGFILE="You can help by providing your log file" 
From 4a71989d2e519391b52bbf050851699724db3744 Mon Sep 17 00:00:00 2001 From: Alexander L Date: Sat, 20 Jun 2020 14:20:58 +0200 Subject: [PATCH 173/355] Update en Sorting --- db/languages/en | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/db/languages/en b/db/languages/en index 3a430644..7b697896 100644 --- a/db/languages/en +++ b/db/languages/en @@ -10,8 +10,8 @@ GEN_PLUGINS_ENABLED="Plugins enabled" GEN_UPDATE_AVAILABLE="update available" GEN_VERBOSE_MODE="Verbose mode" GEN_WHAT_TO_DO="What to do" -NOTE_EXCEPTIONS_FOUND_DETAILED="Some exceptional events or information was found" NOTE_EXCEPTIONS_FOUND="Exceptions found" +NOTE_EXCEPTIONS_FOUND_DETAILED="Some exceptional events or information was found" NOTE_PLUGINS_TAKE_TIME="Note: plugins have more extensive tests and may take several minutes to complete" NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Skipped tests due to non-privileged mode" SECTION_CUSTOM_TESTS="Custom tests" From dfb02e41791d9cc11aef47aaa3874fc63c512da8 Mon Sep 17 00:00:00 2001 From: Alexander L Date: Sat, 20 Jun 2020 14:23:17 +0200 Subject: [PATCH 174/355] Update de Sorting --- db/languages/de | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/db/languages/de b/db/languages/de index e1465aa2..ef6711c8 100644 --- a/db/languages/de +++ b/db/languages/de 
@@ -10,8 +10,8 @@ GEN_PLUGINS_ENABLED="Plugins aktiviert" GEN_UPDATE_AVAILABLE="Aktualisierung verfügbar" GEN_VERBOSE_MODE="Ausführlicher Modus" GEN_WHAT_TO_DO="Was zu tun ist" -NOTE_EXCEPTIONS_FOUND_DETAILED="Einige außergewöhnliche Ereignisse oder Informationen wurden gefunden" NOTE_EXCEPTIONS_FOUND="Abweichungen gefunden" +NOTE_EXCEPTIONS_FOUND_DETAILED="Einige außergewöhnliche Ereignisse oder Informationen wurden gefunden" NOTE_PLUGINS_TAKE_TIME="Beachte: Plugins beinhalten eingehendere Tests und können mehrere Minuten benötigen, bis sie abgeschlossen sind" NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Übersprungene Tests aufgrund nicht privilegiertem Modus" SECTION_CUSTOM_TESTS="Benutzerdefinierte Tests" From b7b132721e166d9809e081e4c082a9e843b2d345 Mon Sep 17 00:00:00 2001 From: Simon Biewald Date: Sat, 20 Jun 2020 17:08:56 +0200 Subject: [PATCH 175/355] check permissions of files used by rsh The old rsh (remote shell) grants access to users and hosts in the files /etc/hosts.equiv and ~/r(login|hosts). If attackers can write to those files, he can logon as a different user or even root (in case of roots .r(login|hosts) only) to the system. While the rsh daemon usually checks for non-root owners or write permissions, this may not be the case on any system. Those files might affect other services as well (rlogin, rcp, ...). As hostnames and usernames are not verified securely, the use of rsh and similar commands discouraged. It may still be in use on legacy systems even today, so it should be secured as much as possible if not possible to remove/replace. --- default.prf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/default.prf b/default.prf index 6ff3eac2..7f1a6899 100644 --- a/default.prf +++ b/default.prf 
@@ -303,6 +303,9 @@ permfile=/etc/motd:rw-r--r--:root:root:WARN:
 permfile=/etc/passwd:rw-r--r--:root:-:WARN:
 permfile=/etc/passwd-:rw-r--r--:root:-:WARN:
 permfile=/etc/ssh/sshd_config:rw-------:root:-:WARN:
+permfile=/etc/hosts.equiv:rw-r--r--:root:root:WARN:
+permfile=/root/.rhosts:rw-------:root:root:WARN:
+permfile=/root/.rlogin:rw-------:root:root:WARN:
 # These permissions differ by OS
 #permfile=/etc/gshadow:---------:root:-:WARN:
From 5cd33746a0a0a7fc85c888c12215749117a661e0 Mon Sep 17 00:00:00 2001 From: Simon Biewald Date: Sat, 20 Jun 2020 17:45:34 +0200 Subject: [PATCH 176/355] add (Open)SSH equivalents to rhost files SSH also supports host based authentication. In contrast to the totally insecure rsh, the hostnames are checked cryptographically. The authorization checks are still done with the same syntax as with rsh. In addition to the old rhosts/rlogin (and eqviv) file, SSH adds the slogin file. This must not be writable as well, as attackers could elevate their privileges. --- default.prf | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/default.prf b/default.prf
index 7f1a6899..26e10fc0 100644
--- a/default.prf
+++ b/default.prf
@@ -304,8 +304,10 @@ permfile=/etc/passwd:rw-r--r--:root:-:WARN:
 permfile=/etc/passwd-:rw-r--r--:root:-:WARN:
 permfile=/etc/ssh/sshd_config:rw-------:root:-:WARN:
 permfile=/etc/hosts.equiv:rw-r--r--:root:root:WARN:
+permfile=/etc/shosts.equiv:rw-r--r--:root:root:WARN:
 permfile=/root/.rhosts:rw-------:root:root:WARN:
 permfile=/root/.rlogin:rw-------:root:root:WARN:
+permfile=/root/.shosts:rw-------:root:root:WARN:
 # These permissions differ by OS
 #permfile=/etc/gshadow:---------:root:-:WARN:
From 06b3cbe52909fefab3800b7eafd1dcd348f79486 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sun, 21 Jun 2020 12:36:36 +0200 Subject: [PATCH 177/355] Reordered items --- db/software-eol.db | 48 ++++++++++++++++++++++++---------------- 1 file changed, 25 insertions(+), 23 deletions(-)
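Review bot: The new permfile entries pin the group to `root` (`permfile=/etc/hosts.equiv:rw-r--r--:root:root:WARN:`, and likewise the `.rhosts`, `.rlogin`, `shosts.equiv` and `.shosts` lines across both hunks), while the neighbouring `/etc/passwd` and `/etc/ssh/sshd_config` entries use `-` for the group and the comment below notes that permissions differ by OS; on the BSDs root's primary group is `wheel`, so these lines would raise a warning on a correctly configured system there. Use `:root:-:` as the adjacent lines do unless the group genuinely must be root. A short comment above the block, e.g. `# rsh/ssh host-based authentication files: must never be writable by other users`, would carry the rationale that currently lives only in the commit messages.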
diff --git a/db/software-eol.db b/db/software-eol.db index beb4eff1..997ad72e 100644 --- a/db/software-eol.db +++ b/db/software-eol.db @@ -39,6 +39,15 @@ os:Debian 8:2020-06-30:1593468000: os:Debian 9:2022-01-01:1640991600: os:Debian 10:2022-01-01:1640991600: # +# Fedora - https://fedoraproject.org/wiki/End_of_life +# +os:Fedora release 25:2017-12-12:1513033200 +os:Fedora release 26:2018-05-29:1527544800 +os:Fedora release 27:2018-11-30:1543532400 +os:Fedora release 28:2019-05-28:1558994400 +os:Fedora release 29:2019-11-26:1574722800 +os:Fedora release 30:2020-05-26:1590444000 +# # FreeBSD - https://www.freebsd.org/security/unsupported.html # os:FreeBSD 9.3:2014-12-31:1419980400: @@ -120,22 +129,6 @@ os:Red Hat Enterprise Linux Server release 6:2020-11-30:1606690800: os:Red Hat Enterprise Linux 7:2024-06-30:1719698400: os:Red Hat Enterprise Linux 8:2029-05-07:1872799200: # -# Ubuntu - https://wiki.ubuntu.com/Kernel/LTSEnablementStack and -# https://wiki.ubuntu.com/Releases -# -os:Ubuntu 14.04:2019-05-01:1556661600: -os:Ubuntu 14.10:2015-07-01:1435701600: -os:Ubuntu 15.04:2016-01-01:1451602800: -os:Ubuntu 15.10:2016-07-01:1467324000: -os:Ubuntu 16.04:2021-05-01:1619820000: -os:Ubuntu 16.10:2017-07-01:1498860000: -os:Ubuntu 17.04:2018-01-01:1514761200: -os:Ubuntu 17.10:2018-07-01:1530396000: -os:Ubuntu 18.04:2023-05-01:1682892000: -os:Ubuntu 18.10:2019-07-18:1563400800: -os:Ubuntu 19.04:2020-01-01:1577833200: -os:Ubuntu 20.04:2025-04-01:1743458400 -# # Slackware - https://en.wikipedia.org/wiki/Slackware#Releases # os:Slackware Linux 8.1:2012-08-01:1343768400: 
@@ -152,11 +145,20 @@ os:Slackware Linux 13.0:2018-07-05:1530738000: os:Slackware Linux 13.1:2018-07-05:1530738000: os:Slackware Linux 13.37:2018-07-05:1530738000: # -# Fedora - https://fedoraproject.org/wiki/End_of_life +# Ubuntu - https://wiki.ubuntu.com/Kernel/LTSEnablementStack and +# https://wiki.ubuntu.com/Releases # -os:Fedora release 25:2017-12-12:1513033200 -os:Fedora release 26:2018-05-29:1527544800 -os:Fedora release 27:2018-11-30:1543532400 -os:Fedora release 28:2019-05-28:1558994400 -os:Fedora release 29:2019-11-26:1574722800 -os:Fedora release 30:2020-05-26:1590444000 +os:Ubuntu 14.04:2019-05-01:1556661600: +os:Ubuntu 14.10:2015-07-01:1435701600: +os:Ubuntu 15.04:2016-01-01:1451602800: +os:Ubuntu 15.10:2016-07-01:1467324000: +os:Ubuntu 16.04:2021-05-01:1619820000: +os:Ubuntu 16.10:2017-07-01:1498860000: +os:Ubuntu 17.04:2018-01-01:1514761200: +os:Ubuntu 17.10:2018-07-01:1530396000: +os:Ubuntu 18.04:2023-05-01:1682892000: +os:Ubuntu 18.10:2019-07-18:1563400800: +os:Ubuntu 19.04:2020-01-01:1577833200: +os:Ubuntu 20.04:2025-04-01:1743458400 +# +# EOF \ No newline at end of file From f855fe7a047956336a0484e669d8202fd0cbfa04 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sun, 21 Jun 2020 12:40:03 +0200 Subject: [PATCH 178/355] Added Linux Mint --- db/software-eol.db | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/db/software-eol.db b/db/software-eol.db index 997ad72e..5b74ad08 100644 --- a/db/software-eol.db +++ b/db/software-eol.db @@ -61,6 +61,12 @@ os:FreeBSD 11.1:2018-09-30:1538258400: os:FreeBSD 11.2:2019-10-31:1572476400: os:FreeBSD 12.0:2020-02-29:1582930800: # +# Linux Mint +# +os:Linux Mint 18:2021-04-01:1617228000: +os:Linux Mint 19:2023-04-01:1680300000: +os:Linux Mint 20:2025-04-01:1743458400: +# # NetBSD - https://www.netbsd.org/support/security/release.html and # https://www.netbsd.org/releases/formal.html # From 22644edc5031022a294711bf0714f25d47483ab7 Mon Sep 17 00:00:00 2001 
From: Michael Boelen Date: Sun, 21 Jun 2020 12:40:43 +0200 Subject: [PATCH 179/355] Added missing colons --- db/software-eol.db | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/db/software-eol.db b/db/software-eol.db index 5b74ad08..a5a1101e 100644 --- a/db/software-eol.db +++ b/db/software-eol.db @@ -41,12 +41,12 @@ os:Debian 10:2022-01-01:1640991600: # # Fedora - https://fedoraproject.org/wiki/End_of_life # -os:Fedora release 25:2017-12-12:1513033200 -os:Fedora release 26:2018-05-29:1527544800 -os:Fedora release 27:2018-11-30:1543532400 -os:Fedora release 28:2019-05-28:1558994400 -os:Fedora release 29:2019-11-26:1574722800 -os:Fedora release 30:2020-05-26:1590444000 +os:Fedora release 25:2017-12-12:1513033200: +os:Fedora release 26:2018-05-29:1527544800: +os:Fedora release 27:2018-11-30:1543532400: +os:Fedora release 28:2019-05-28:1558994400: +os:Fedora release 29:2019-11-26:1574722800: +os:Fedora release 30:2020-05-26:1590444000: # # FreeBSD - https://www.freebsd.org/security/unsupported.html # @@ -165,6 +165,6 @@ os:Ubuntu 17.10:2018-07-01:1530396000: os:Ubuntu 18.04:2023-05-01:1682892000: os:Ubuntu 18.10:2019-07-18:1563400800: os:Ubuntu 19.04:2020-01-01:1577833200: -os:Ubuntu 20.04:2025-04-01:1743458400 +os:Ubuntu 20.04:2025-04-01:1743458400: # # EOF \ No newline at end of file From 251cb979026a986e56f158bb9e28416136f4bcd5 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sun, 21 Jun 2020 12:40:51 +0200 Subject: [PATCH 180/355] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 86887a24..5014a413 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,7 @@ ### Changed - Added Kali Linux +- End-of-life database updated - Small code enhancements --------------------------------------------------------------------------------- From b2350f2f6c497a9e3fec173c0bb0257072fc1a5a Mon Sep 17 00:00:00 2001 
From: Michael Boelen Date: Sun, 21 Jun 2020 12:52:50 +0200 Subject: [PATCH 181/355] Add log entry to help troubleshooting users that still use old-style configuration entries in profile --- include/profiles | 1 + 1 file changed, 1 insertion(+) diff --git a/include/profiles b/include/profiles index da2124f7..113250d1 100644 --- a/include/profiles +++ b/include/profiles @@ -50,6 +50,7 @@ Display --text " " Display --text "==================================================================================================" Display --text " " + LogText "Insight: Profile '${PROFILE}' contians one or more old-style configuration entries" ReportWarning "GEN-0020" "Your profile contains one or more old-style configuration entries" sleep 10 fi From aebd5ed9b340376dc9a3e19b0108217850d87d31 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sun, 21 Jun 2020 12:57:05 +0200 Subject: [PATCH 182/355] Remove unneeded line in log to prevent double entry --- include/profiles | 1 - 1 file changed, 1 deletion(-) diff --git a/include/profiles b/include/profiles index 113250d1..2b0885ce 100644 --- a/include/profiles +++ b/include/profiles @@ -557,7 +557,6 @@ Display --indent 2 --text "- Checking profiles..." --result "DONE" --color GREEN -LogTextBreak #================================================================================ # Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com From 6d9b530bf493e83c423c7c4058b4bbb44a85db46 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sun, 21 Jun 2020 13:14:08 +0200 Subject: [PATCH 183/355] [KRNL-5830] improved detection for non-symlinked kernel on disk --- include/tests_kernel | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/include/tests_kernel b/include/tests_kernel index 72e5082b..d445bb65 100644 --- a/include/tests_kernel +++ b/include/tests_kernel 
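Review bot: The new LogText line in include/profiles misspells "contains" as `contians` in the message that is written to the log file, which is exactly the string an operator would search for when troubleshooting old-style profile entries. It should read `LogText "Insight: Profile '${PROFILE}' contains one or more old-style configuration entries"`. The enclosing if block starts outside the hunk.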
@@ -674,7 +674,10 @@ LogText "Result: found a symlink, retrieving destination" FOUND_VMLINUZ=$(readlink "${FOUND_VMLINUZ}") LogText "Result: destination file is ${FOUND_VMLINUZ}" - VERSION_ON_DISK=$(echo ${FOUND_VMLINUZ} | ${SEDBINARY} 's/^vmlinuz-//') + VERSION_ON_DISK=$(echo ${FOUND_VMLINUZ} | ${SEDBINARY} 's#^/boot/##' | ${SEDBINARY} 's/^vmlinuz-//') + LogText "Result: version derived from file name is '${VERSION_ON_DISK}'" + elif [ -f "${FOUND_VMLINUZ}" ]; then + VERSION_ON_DISK=$(echo ${FOUND_VMLINUZ} | ${SEDBINARY} 's#^/boot/##' | ${SEDBINARY} 's/^vmlinuz-//') LogText "Result: version derived from file name is '${VERSION_ON_DISK}'" fi From 74c4298eab7ce660c896721c064218f66f563c83 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sun, 21 Jun 2020 13:15:09 +0200 Subject: [PATCH 184/355] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5014a413..ee1b29bc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ ## Lynis 3.0.1 (not released yet) ### Changed +- KRNL-5830 - Improved version detection for non-symlinked kernel - Added Kali Linux - End-of-life database updated - Small code enhancements From c02ce49ce336abb146afc18d262bc7aab5365dc3 Mon Sep 17 00:00:00 2001 From: Steve8291 Date: Sun, 21 Jun 2020 10:47:28 -0400 Subject: [PATCH 185/355] fix stderr output from cryptsetup status Redirected stderr to /dev/null to silence output of `cryptsetup status /swap.img` This was causing error output from my cron script. Otherwise, if the swap file is not encrypted then the following error will be printed: `Device swap.img not found` --- include/tests_crypto | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_crypto b/include/tests_crypto index 02fa0a80..ddf1406a 100644 --- a/include/tests_crypto +++ b/include/tests_crypto 
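Review bot: The two `VERSION_ON_DISK=` assignments now carry an identical two-stage sed pipeline, and both pass `${FOUND_VMLINUZ}` to echo unquoted. The duplication goes away if the symlink branch only resolves the path and the version is derived once afterwards, e.g. `VERSION_ON_DISK=$(printf '%s' "${FOUND_VMLINUZ}" | ${SEDBINARY} -e 's#^/boot/##' -e 's/^vmlinuz-//')` behind a single `[ -f "${FOUND_VMLINUZ}" ]` guard, so a future tweak to the stripping cannot drift between the branches. The enclosing if block starts outside the hunk.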
@@ -186,7 +186,7 @@ if ${CRYPTSETUPBINARY} isLuks "${BLOCK_DEV}" 2> /dev/null; then LogText "Result: Found LUKS encrypted swap device: ${BLOCK_DEV}" ENCRYPTED_SWAPS=$((ENCRYPTED_SWAPS +1)) - elif ${CRYPTSETUPBINARY} status "${BLOCK_DEV}" | ${GREPBINARY} --quiet "cipher:"; then + elif ${CRYPTSETUPBINARY} status "${BLOCK_DEV}" 2> /dev/null | ${GREPBINARY} --quiet "cipher:"; then LogText "Result: Found non-LUKS encrypted swap device: ${BLOCK_DEV}" ENCRYPTED_SWAPS=$((ENCRYPTED_SWAPS +1)) else From a2f8bdc5f8b4c67338f7cf9995f74df06d572b27 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 22 Jun 2020 10:18:01 +0200 Subject: [PATCH 186/355] [BOOT-5122] presence check for grub.d added --- include/tests_boot_services | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/include/tests_boot_services b/include/tests_boot_services index 8ad83d7c..fe5707e4 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services @@ -332,8 +332,12 @@ if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 - CONF_FILES=$(${FINDBINARY} /etc/grub.d -type f -name "[0-9][0-9]*" -print0 | ${TRBINARY} '\0' ' ' | ${TRBINARY} -d '[:cntrl:]') - CONF_FILES="${GRUBCONFFILE} ${ROOTDIR}boot/grub/custom.cfg ${CONF_FILES}" + if [ "${ROOTDIR}etc/grub.d" ]; then + CONF_FILES=$(${FINDBINARY} "${ROOTDIR}etc/grub.d" -type f -name "[0-9][0-9]*" -print0 | ${TRBINARY} '\0' ' ' | ${TRBINARY} -d '[:cntrl:]') + CONF_FILES="${GRUBCONFFILE} ${ROOTDIR}boot/grub/custom.cfg ${CONF_FILES}" + else + CONF_FILES="${GRUBCONFFILE} ${ROOTDIR}boot/grub/custom.cfg" + fi for FILE in ${CONF_FILES}; do if [ -f "${FILE}" ]; then From 6d6781a2ae9e57624ce834915fec6b040c5e4188 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 22 Jun 2020 10:18:56 +0200 Subject: [PATCH 187/355] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index ee1b29bc..3baafee1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
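Review bot: The new guard in include/tests_boot_services, `if [ "${ROOTDIR}etc/grub.d" ]; then`, only tests that the string is non-empty, which is always true, so the else branch is unreachable and find still runs against a missing directory exactly as before. The presence check the subject line describes is `if [ -d "${ROOTDIR}etc/grub.d" ]; then`. The enclosing `if [ ${SKIPTEST} -eq 0 ]` block continues outside the hunk.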
@@ -3,6 +3,7 @@ ## Lynis 3.0.1 (not released yet) ### Changed +- BOOT-5122 - Presence check for grub.d added - KRNL-5830 - Improved version detection for non-symlinked kernel - Added Kali Linux - End-of-life database updated From 75738ceeab380e852739a9b78e0d907f3e611478 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 22 Jun 2020 10:25:02 +0200 Subject: [PATCH 188/355] Fix for language detection, unset LANG as right place --- CHANGELOG.md | 1 + include/consts | 4 ---- lynis | 5 +++++ 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3baafee1..deaac158 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,7 @@ - BOOT-5122 - Presence check for grub.d added - KRNL-5830 - Improved version detection for non-symlinked kernel - Added Kali Linux +- Fix: language detection - End-of-life database updated - Small code enhancements diff --git a/include/consts b/include/consts index 7968ef1f..1a75ae68 100644 --- a/include/consts +++ b/include/consts @@ -33,10 +33,6 @@ BIN_PATHS="/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin \ ETC_PATHS="/etc /usr/local/etc" -# Do not use specific language, fall back to default -# Some tools with translated strings are very hard to parse -unset LANG - # ################################################################################# # diff --git a/lynis b/lynis index 9b0e5894..76722baa 100755 --- a/lynis +++ b/lynis @@ -241,6 +241,11 @@ echo "Could not find languages directory (file: ${DBDIR}/languages/en)" exit 1 fi + + # Now that we have determined the language, we unset it from shell + # Some tools with translated strings are very hard to parse + unset LANG + # ################################################################################# # From c6cc6fb8c73b7ba8a46ad55efb16315ef8ee2f35 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 22 Jun 2020 14:27:30 +0200 Subject: [PATCH 189/355] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) 
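Review bot: In the lynis hunk, `unset LANG` on its own does not stop translated tool output when the caller's environment sets LC_ALL or LC_MESSAGES, since those take precedence over LANG, so the comment above it promises more than the line delivers. Because the display language has already been captured into a shell variable at this point, forcing the C locale for child tools is the more reliable form, e.g. `unset LANG; LC_ALL=C; export LC_ALL`. The surrounding language-detection block starts outside the hunk.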
diff --git a/CHANGELOG.md b/CHANGELOG.md index deaac158..6f4b61a0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,7 @@ ### Changed - BOOT-5122 - Presence check for grub.d added +- CRYP-7931 - Redirect errors (e.g. when swap is not encrypted) - KRNL-5830 - Improved version detection for non-symlinked kernel - Added Kali Linux - Fix: language detection From d7870e3f5cdf72f76e9560c61aba715fef800601 Mon Sep 17 00:00:00 2001 From: Alexander Lackner Date: Mon, 22 Jun 2020 20:44:58 +0200 Subject: [PATCH 190/355] Added macOS Big Sur (11.0) --- include/osdetection | 1 + 1 file changed, 1 insertion(+) diff --git a/include/osdetection b/include/osdetection index 88aa8209..f4d3b50d 100644 --- a/include/osdetection +++ b/include/osdetection @@ -62,6 +62,7 @@ 10.13 | 10.13.[0-9]*) OS_FULLNAME="macOS High Sierra (${OS_VERSION})" ;; 10.14 | 10.14.[0-9]*) OS_FULLNAME="macOS Mojave (${OS_VERSION})" ;; 10.15 | 10.15.[0-9]*) OS_FULLNAME="macOS Catalina (${OS_VERSION})" ;; + 11.0 | 11.0[0-9]*) OS_FULLNAME="macOS Big Sur (${OS_VERSION})" ;; *) echo "Unknown macOS version. Do you know what version it is? Create an issue at ${PROGRAM_SOURCE}" ;; esac else From 8596156ca16e3767638e4307a2dd9274b7a987f6 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 23 Jun 2020 10:36:32 +0200 Subject: [PATCH 191/355] Updated log --- CHANGELOG.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6f4b61a0..1397cee3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,12 +2,16 @@ ## Lynis 3.0.1 (not released yet) +### Added +- Detection of macOS Big Sur (11.0) +- Detection of Kali Linux + ### Changed - BOOT-5122 - Presence check for grub.d added - CRYP-7931 - Redirect errors (e.g. when swap is not encrypted) - KRNL-5830 - Improved version detection for non-symlinked kernel -- Added Kali Linux - Fix: language detection +- German translation updated - End-of-life database updated - Small code enhancements 
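Review bot: The new case pattern `11.0 | 11.0[0-9]*` in include/osdetection does not match point releases such as 11.0.1, because after the literal `11.0` the glob requires a digit and the next character is a dot, so those versions fall through to the "Unknown macOS version" arm. The sibling arms use the form `10.15 | 10.15.[0-9]*`, so the consistent pattern here is `11.0 | 11.0.[0-9]*` (or `11 | 11.[0-9]*` if later 11.x releases should also be reported as Big Sur, which this page does not establish).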
From 44fb7efd6475fb149601b3979b80da62ebf58d66 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 23 Jun 2020 10:57:45 +0200 Subject: [PATCH 192/355] Strip quotes in locale output, e.g. macOS --- lynis | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lynis b/lynis index 76722baa..492cc2f4 100755 --- a/lynis +++ b/lynis @@ -216,7 +216,7 @@ # Extract the short notation of the language (first two characters). if [ -x "$(command -v locale 2> /dev/null)" ]; then - LANGUAGE=$(locale | egrep "^LANG=" | cut -d= -f2 | cut -d_ -f1 | egrep "^[a-z]{2}$") + LANGUAGE=$(locale | egrep "^LANG=" | cut -d= -f2 | cut -d_ -f1 | tr -d '"' | egrep "^[a-z]{2}$") # Try locale command if shell variable had no value if [ -z "${DISPLAY_LANG}" ]; then DISPLAY_LANG=$(locale | egrep "^LANG=" | cut -d= -f2) From 610f70d5aa5a8e5930b7b0329e1e7c8347367f43 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 23 Jun 2020 13:56:13 +0200 Subject: [PATCH 193/355] [INSE-8312] corrected text --- include/tests_insecure_services | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_insecure_services b/include/tests_insecure_services index 5c8af1fc..d6d87245 100644 --- a/include/tests_insecure_services +++ b/include/tests_insecure_services @@ -385,7 +385,7 @@ if [ ${FOUND} -eq 1 ]; then LogText "Result: telnet server is installed" Display --indent 2 --text "- Installed telnet server package" --result "${STATUS_FOUND}" --color YELLOW - ReportSuggestion "${TEST_NO}" "Removing the ${FOUND} package and replace with SSH when possible" + ReportSuggestion "${TEST_NO}" "Removing the telnet server package and replace with SSH when possible" Report "insecure_service[]=telnet-server" else LogText "Result: telnet server is NOT installed" From 36f86d76c441d5cfd090f637ca68388f5353c646 Mon Sep 17 00:00:00 2001 
From: Michael Boelen Date: Tue, 23 Jun 2020 13:57:14 +0200 Subject: [PATCH 194/355] [AUTH-9229] added option to look for LOCKED accounts --- include/tests_authentication | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/tests_authentication b/include/tests_authentication index bf8cabe8..49ba49db 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -293,8 +293,8 @@ if [ -e ${ROOTDIR}etc/shadow ]; then SHADOW="${ROOTDIR}etc/shadow"; fi FIND=$(${CAT_BINARY} ${ROOTDIR}etc/passwd ${SHADOW} | ${AWKBINARY} -F : '{print length($2) ":" $2 }' | while read METHOD; do case ${METHOD} in - 1:\* | 1:x | 0: | *:!*) - # disabled | shadowed | no password | locked account + 1:\* | 1:x | 0: | *:!* | *LOCK*) + # disabled | shadowed | no password | locked account (can be literal *LOCK* or something like LOCKED) ;; *:\$5\$*| *:\$6\$*) # sha256crypt | sha512crypt: check number of rounds, should be >5000 From d61d7f5ab7e5ef785b2c9b514773318c0bd4571b Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 23 Jun 2020 13:57:36 +0200 Subject: [PATCH 195/355] Updated log --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1397cee3..d09087be 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,8 +7,10 @@ - Detection of Kali Linux ### Changed +- AUTH-9229 - Added option for LOCKED accounts - BOOT-5122 - Presence check for grub.d added - CRYP-7931 - Redirect errors (e.g. when swap is not encrypted) +- INSE-8312 - corrected text on screen - KRNL-5830 - Improved version detection for non-symlinked kernel - Fix: language detection - German translation updated From c707b7d100dd902e7f183812504bc24428420c64 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 24 Jun 2020 08:09:12 +0200 Subject: [PATCH 196/355] [MALW-3280] added additional BitDefender process --- include/tests_malware | 44 +++++++++++++++++++++---------------------- 1 file changed, 22 insertions(+), 22 deletions(-) 
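Review bot: The added `*LOCK*` alternative in include/tests_authentication is unanchored, so it also skips any entry whose hash merely contains the substring LOCK; the sha256crypt/sha512crypt hash alphabet includes uppercase letters, so a valid weak hash can silently be classified as a locked account and excluded from the check. Anchoring the marker to the start of the password field, for example `*:LOCK* | *:\*LOCK*` (adjusted to the exact locked-marker formats that must be accepted, which the hunk does not document), keeps the intent without the false negative. The same pattern is carried unchanged into the ParsePasswordEntry function added by a later patch on this page.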
diff --git a/include/tests_malware b/include/tests_malware index a5ed3e06..5e3c6fca 100644 --- a/include/tests_malware +++ b/include/tests_malware @@ -102,28 +102,6 @@ if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 - # ESET security products - LogText "Test: checking process esets_daemon" - if IsRunning "esets_daemon"; then - FOUND=1 - ESET_DAEMON_RUNNING=1 - MALWARE_SCANNER_INSTALLED=1 - if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} ESET daemon" --result "${STATUS_FOUND}" --color GREEN; fi - LogText "Result: found ESET security product" - Report "malware_scanner[]=eset" - fi - - # Bitdefender (macOS) - LogText "Test: checking process epagd" - if IsRunning "epagd"; then - FOUND=1 - BITDEFENDER_DAEMON_RUNNING=1 - MALWARE_SCANNER_INSTALLED=1 - if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Bitdefender agent" --result "${STATUS_FOUND}" --color GREEN; fi - LogText "Result: found Bitdefender security product" - Report "malware_scanner[]=bitdefender" - fi - # Avast (macOS) LogText "Test: checking process com.avast.daemon" if IsRunning "com.avast.daemon"; then @@ -146,6 +124,17 @@ Report "malware_scanner[]=avira" fi + # Bitdefender (macOS) + LogText "Test: checking process epagd" + if IsRunning "bdagentd" || IsRunning "epagd"; then + FOUND=1 + BITDEFENDER_DAEMON_RUNNING=1 + MALWARE_SCANNER_INSTALLED=1 + if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Bitdefender agent" --result "${STATUS_FOUND}" --color GREEN; fi + LogText "Result: found Bitdefender security product" + Report "malware_scanner[]=bitdefender" + fi + # CrowdStrike falcon-sensor LogText "Test: checking process falcon-sensor (CrowdStrike)" if IsRunning "falcon-sensor"; then 
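Review bot: The log line `LogText "Test: checking process epagd"` is now stale because the condition beneath it also tests `bdagentd`, so the log will name epagd even when the match came from the other process. The Kaspersky block in the same file uses the form `checking process wdserver or klnagent (Kaspersky)`; `LogText "Test: checking process bdagentd or epagd (Bitdefender)"` keeps the file consistent. The enclosing test block starts outside the hunk.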
@@ -168,6 +157,17 @@ Report "malware_scanner[]=cylance-protect" fi + # ESET security products + LogText "Test: checking process esets_daemon" + if IsRunning "esets_daemon"; then + FOUND=1 + ESET_DAEMON_RUNNING=1 + MALWARE_SCANNER_INSTALLED=1 + if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} ESET daemon" --result "${STATUS_FOUND}" --color GREEN; fi + LogText "Result: found ESET security product" + Report "malware_scanner[]=eset" + fi + # Kaspersky products LogText "Test: checking process wdserver or klnagent (Kaspersky)" # wdserver is too generic to match on, so we want to ensure that it is related to Kaspersky first From 0b655363226d09e8802cd12a93e392756d6f7920 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 24 Jun 2020 08:09:48 +0200 Subject: [PATCH 197/355] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d09087be..3fa1c226 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,7 @@ - CRYP-7931 - Redirect errors (e.g. when swap is not encrypted) - INSE-8312 - corrected text on screen - KRNL-5830 - Improved version detection for non-symlinked kernel +- MALW-3280 - Extended detection of BitDefender - Fix: language detection - German translation updated - End-of-life database updated From 18ec88d1749d65695fefc4fec0991e2681214758 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 24 Jun 2020 09:23:16 +0200 Subject: [PATCH 198/355] Updated log --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3fa1c226..67fd4932 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -10,7 +10,8 @@ - AUTH-9229 - Added option for LOCKED accounts - BOOT-5122 - Presence check for grub.d added - CRYP-7931 - Redirect errors (e.g. when swap is not encrypted) -- INSE-8312 - corrected text on screen +- INSE-8312 - Corrected text on screen +- KRNL-5728 - Handle zipped kernel configuration correctly - KRNL-5830 - Improved version detection for non-symlinked kernel - MALW-3280 - Extended detection of BitDefender - Fix: language detection From e3ccca4ac0dbedaf98cba26a3ec9bc630125d530 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Thu, 25 Jun 2020 15:33:31 +0200 Subject: [PATCH 199/355] add SUSE Linux Enterprise Server EOL MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- db/software-eol.db | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/db/software-eol.db b/db/software-eol.db index a5a1101e..c42e244a 100644 --- a/db/software-eol.db +++ b/db/software-eol.db @@ -151,6 +151,11 @@ os:Slackware Linux 13.0:2018-07-05:1530738000: os:Slackware Linux 13.1:2018-07-05:1530738000: os:Slackware Linux 13.37:2018-07-05:1530738000: # +# SuSE - https://www.suse.com/lifecycle/ +# +os:SUSE Linux Enterprise Server 12:2024-10-31:1730329200: +os:SUSE Linux Enterprise Server 15:2028-07-31:1848607200: +# # Ubuntu - https://wiki.ubuntu.com/Kernel/LTSEnablementStack and # https://wiki.ubuntu.com/Releases # @@ -167,4 +172,4 @@ os:Ubuntu 18.10:2019-07-18:1563400800: os:Ubuntu 19.04:2020-01-01:1577833200: os:Ubuntu 20.04:2025-04-01:1743458400: # -# EOF \ No newline at end of file +# EOF From 68c6bdff162de22480c61170bdce7c5dad0f51e1 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 26 Jun 2020 09:34:40 +0200 Subject: [PATCH 200/355] [AUTH-9229] escaped exclamation mark --- include/tests_authentication | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_authentication b/include/tests_authentication index 49ba49db..1a78f8a2 100644 
--- a/include/tests_authentication +++ b/include/tests_authentication @@ -293,7 +293,7 @@ if [ -e ${ROOTDIR}etc/shadow ]; then SHADOW="${ROOTDIR}etc/shadow"; fi FIND=$(${CAT_BINARY} ${ROOTDIR}etc/passwd ${SHADOW} | ${AWKBINARY} -F : '{print length($2) ":" $2 }' | while read METHOD; do case ${METHOD} in - 1:\* | 1:x | 0: | *:!* | *LOCK*) + 1:\* | 1:x | 0: | *:\!* | *LOCK*) # disabled | shadowed | no password | locked account (can be literal *LOCK* or something like LOCKED) ;; *:\$5\$*| *:\$6\$*) From 9f0bbf52ea761374b6ae70b3126c71d4c572b096 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 26 Jun 2020 09:44:39 +0200 Subject: [PATCH 201/355] [FIRE-4534] set initial state --- include/tests_firewalls | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/tests_firewalls b/include/tests_firewalls index 20f87e1e..d3ff1e3d 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls @@ -407,6 +407,8 @@ Register --test-no FIRE-4534 --weight L --os "macOS" --network NO --category security --description "Check for presence of outbound firewalls on macOS" if [ ${SKIPTEST} -eq 0 ]; then + FOUND=0 + # Little Snitch Daemon (macOS) LogText "Test: checking process Little Snitch Daemon" if IsRunning --full "Little Snitch Daemon"; then From f00637d43348b701705244d978926138e5da7d42 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 26 Jun 2020 09:45:09 +0200 Subject: [PATCH 202/355] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 67fd4932..d32bd9d1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,7 @@ - AUTH-9229 - Added option for LOCKED accounts - BOOT-5122 - Presence check for grub.d added - CRYP-7931 - Redirect errors (e.g. when swap is not encrypted) +- FIRE-4535 - Set initial firewall state - INSE-8312 - Corrected text on screen - KRNL-5728 - Handle zipped kernel configuration correctly - KRNL-5830 - Improved version detection for non-symlinked kernel 
From 871f95cbf3afd86b4a197a8466b8e5d387284972 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 26 Jun 2020 09:53:23 +0200 Subject: [PATCH 203/355] Use BSD style format when calling stat --- include/functions | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/include/functions b/include/functions index 8d5a5ef8..4ff5b43a 100644 --- a/include/functions +++ b/include/functions @@ -1290,7 +1290,8 @@ if [ -n "${STATBINARY}" ]; then case ${OS} in - *BSD) + *BSD | "macOS") + # BSD and macOS have no --format, only short notation DATA=$(${STATBINARY} -f "%OLp" ${CHECKFILE}) ;; *) From ee3a3df60178c4bcf23a7784b8b7b3e12f3b9b3e Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 26 Jun 2020 09:54:05 +0200 Subject: [PATCH 204/355] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d32bd9d1..dcc594df 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,7 @@ - KRNL-5728 - Handle zipped kernel configuration correctly - KRNL-5830 - Improved version detection for non-symlinked kernel - MALW-3280 - Extended detection of BitDefender +- Generic improvements for macOS - Fix: language detection - German translation updated - End-of-life database updated From e6c6fdc9a8e0ea26d42d95cbeced60a0e039e4e7 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 26 Jun 2020 10:24:37 +0200 Subject: [PATCH 205/355] [AUTH-9229] Undo escaping exclamation mark and disabling test for AIX and macOS --- include/tests_authentication | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/include/tests_authentication b/include/tests_authentication index 1a78f8a2..e8f5c834 100644 --- a/include/tests_authentication +++ b/include/tests_authentication 
@@ -285,15 +285,24 @@ # Test : AUTH-9229 # Description : Check password hashing methods vs. recommendations in crypt(5) # Notes : Applicable to all Unix-like OS + # Does not work correctly on AIX and macOS (unknown why) # Requires read access to /etc/shadow (if it exists) - Register --test-no AUTH-9229 --root-only YES --weight L --network NO --category security --description "Check password hashing methods" + case ${OS} in + "AIX" | "macOS") + PREQS_MET="NO" + ;; + *) + PREQS_MET="YES" + ;; + esac + Register --test-no AUTH-9229 --preqs-met ${PREQS_MET} --root-only YES --weight L --network NO --category security --description "Check password hashing methods" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking password hashing methods" SHADOW=""; if [ -e ${ROOTDIR}etc/shadow ]; then SHADOW="${ROOTDIR}etc/shadow"; fi FIND=$(${CAT_BINARY} ${ROOTDIR}etc/passwd ${SHADOW} | ${AWKBINARY} -F : '{print length($2) ":" $2 }' | while read METHOD; do case ${METHOD} in - 1:\* | 1:x | 0: | *:\!* | *LOCK*) + 1:\* | 1:x | 0: | *:!* | *LOCK*) # disabled | shadowed | no password | locked account (can be literal *LOCK* or something like LOCKED) ;; *:\$5\$*| *:\$6\$*) From 968aa931e4aa97428eb2bf71f8899ad829f2e858 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 26 Jun 2020 10:25:59 +0200 Subject: [PATCH 206/355] Bump release date --- lynis | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lynis b/lynis index 492cc2f4..10f736c5 100755 --- a/lynis +++ b/lynis @@ -43,8 +43,8 @@ PROGRAM_WEBSITE="https://cisofy.com/lynis/" # Version details - PROGRAM_RELEASE_DATE="2020-06-18" - PROGRAM_RELEASE_TIMESTAMP=1592477492 + PROGRAM_RELEASE_DATE="2020-06-26" + PROGRAM_RELEASE_TIMESTAMP=1593159916 PROGRAM_RELEASE_TYPE="pre-release" # pre-release or release PROGRAM_VERSION="3.0.1" From 5c05fab0e96b9f00cd0babc0d38db6b9e59a8347 Mon Sep 17 00:00:00 2001 
From: Michael Boelen Date: Fri, 26 Jun 2020 10:26:10 +0200 Subject: [PATCH 207/355] Updated log --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index dcc594df..e4079515 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,7 +7,7 @@ - Detection of Kali Linux ### Changed -- AUTH-9229 - Added option for LOCKED accounts +- AUTH-9229 - Added option for LOCKED accounts, disabled test for AIX/macOS - BOOT-5122 - Presence check for grub.d added - CRYP-7931 - Redirect errors (e.g. when swap is not encrypted) - FIRE-4535 - Set initial firewall state From dcf9bd0938885de930d99a1371e95a830e83bd6b Mon Sep 17 00:00:00 2001 From: Wes Price Date: Fri, 26 Jun 2020 12:29:21 -1000 Subject: [PATCH 208/355] [AUTH-9229] resolving syntax error on MacOS Catalina --- include/tests_authentication | 82 +++++++++++++++++++----------------- 1 file changed, 44 insertions(+), 38 deletions(-) diff --git a/include/tests_authentication b/include/tests_authentication index e8f5c834..38d9caa1 100644 --- a/include/tests_authentication +++ b/include/tests_authentication 
@@ -295,50 +295,56 @@ PREQS_MET="YES" ;; esac + + function ParsePasswordEntry() { + METHOD=$1 + case ${METHOD} in + 1:\* | 1:x | 0: | *:!* | *LOCK*) + # disabled | shadowed | no password | locked account (can be literal *LOCK* or something like LOCKED) + ;; + *:\$5\$*| *:\$6\$*) + # sha256crypt | sha512crypt: check number of rounds, should be >5000 + ROUNDS=$(echo "${METHOD}" | sed -n 's/.*rounds=\([0-9]*\)\$.*/\1/gp') + if [ -z "${ROUNDS}" ]; then + echo 'sha256crypt/sha512crypt(default<=5000rounds)' + elif [ "${ROUNDS}" -le 5000 ]; then + echo 'sha256crypt/sha512crypt(<=5000rounds)' + fi + ;; + *:\$y\$* | *:\$gy\$* | *:\$2b\$* | *:\$7\$*) + # yescrypt | gost-yescrypt | bcrypt | scrypt + ;; + *:_*) + echo bsdicrypt + ;; + *:\$1\$*) + echo md5crypt + ;; + *:\$3\$*) + echo NT + ;; + *:\$md5*) + echo SunMD5 + ;; + *:\$sha1*) + echo sha1crypt + ;; + 13:* | 178:*) + echo bigcrypt/descrypt + ;; + *) + echo "Unknown password hashing method ${METHOD}. Please report to lynis-dev@cisofy.com" + ;; + esac + } + Register --test-no AUTH-9229 --preqs-met ${PREQS_MET} --root-only YES --weight L --network NO --category security --description "Check password hashing methods" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking password hashing methods" SHADOW=""; if [ -e ${ROOTDIR}etc/shadow ]; then SHADOW="${ROOTDIR}etc/shadow"; fi FIND=$(${CAT_BINARY} ${ROOTDIR}etc/passwd ${SHADOW} | ${AWKBINARY} -F : '{print length($2) ":" $2 }' | while read METHOD; do - case ${METHOD} in - 1:\* | 1:x | 0: | *:!* | *LOCK*) - # disabled | shadowed | no password | locked account (can be literal *LOCK* or something like LOCKED) - ;; - *:\$5\$*| *:\$6\$*) - # sha256crypt | sha512crypt: check number of rounds, should be >5000 - ROUNDS=$(echo "${METHOD}" | sed -n 's/.*rounds=\([0-9]*\)\$.*/\1/gp') - if [ -z "${ROUNDS}" ]; then - echo 'sha256crypt/sha512crypt(default<=5000rounds)' - elif [ "${ROUNDS}" -le 5000 ]; then - echo 'sha256crypt/sha512crypt(<=5000rounds)' - fi - ;; - *:\$y\$* | *:\$gy\$* | 
*:\$2b\$* | *:\$7\$*) - # yescrypt | gost-yescrypt | bcrypt | scrypt - ;; - *:_*) - echo bsdicrypt - ;; - *:\$1\$*) - echo md5crypt - ;; - *:\$3\$*) - echo NT - ;; - *:\$md5*) - echo SunMD5 - ;; - *:\$sha1*) - echo sha1crypt - ;; - 13:* | 178:*) - echo bigcrypt/descrypt - ;; - *) - echo "Unknown password hashing method ${METHOD}. Please report to lynis-dev@cisofy.com" - ;; - esac + ParsePasswordEntry ${METHOD} done | ${SORTBINARY} -u | ${TRBINARY} '\n' ' ') if [ -z "${FIND}" ]; then Display --indent 2 --text "- Password hashing methods" --result "${STATUS_OK}" --color GREEN From 96e7ba5aaa2f31d2879bc349dcee7ccf4f874386 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sat, 27 Jun 2020 10:21:24 +0200 Subject: [PATCH 209/355] Activate test for all operating systems, remove function keyword --- include/tests_authentication | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/include/tests_authentication b/include/tests_authentication index 38d9caa1..3dbe08f7 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -285,18 +285,9 @@ # Test : AUTH-9229 # Description : Check password hashing methods vs. recommendations in crypt(5) # Notes : Applicable to all Unix-like OS - # Does not work correctly on AIX and macOS (unknown why) # Requires read access to /etc/shadow (if it exists) - case ${OS} in - "AIX" | "macOS") - PREQS_MET="NO" - ;; - *) - PREQS_MET="YES" - ;; - esac - function ParsePasswordEntry() { + ParsePasswordEntry() { METHOD=$1 case ${METHOD} in 1:\* | 1:x | 0: | *:!* | *LOCK*) @@ -338,7 +329,7 @@ esac } - Register --test-no AUTH-9229 --preqs-met ${PREQS_MET} --root-only YES --weight L --network NO --category security --description "Check password hashing methods" + Register --test-no AUTH-9229 --root-only YES --weight L --network NO --category security --description "Check password hashing methods" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking password hashing methods" SHADOW=""; 
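Review bot: `ParsePasswordEntry ${METHOD}` passes the `length:hash` string unquoted, so for a disabled account the value `1:*` is subject to pathname expansion in the current working directory before the case statement sees it; quote it, `ParsePasswordEntry "${METHOD}"`, and read the lines with `while read -r METHOD` so backslashes in the field are not interpreted. Inside the new function the rounds extraction calls bare `sed` while the rest of the file goes through `${SEDBINARY}`, and METHOD and ROUNDS are assigned as globals; settling both before the function grows would keep it in line with the surrounding tests. The `if [ ${SKIPTEST} -eq 0 ]` block continues outside the hunk.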
From b94a842e19f7b408fc4a8ede324cd32cf35af020 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sat, 27 Jun 2020 10:21:31 +0200 Subject: [PATCH 210/355] Updated log --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e4079515..c62639b2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,7 +7,7 @@ - Detection of Kali Linux ### Changed -- AUTH-9229 - Added option for LOCKED accounts, disabled test for AIX/macOS +- AUTH-9229 - Added option for LOCKED accounts and bugfix for older bash versions - BOOT-5122 - Presence check for grub.d added - CRYP-7931 - Redirect errors (e.g. when swap is not encrypted) - FIRE-4535 - Set initial firewall state From 5b11c468ebcfee6f4fb28eee1d2070188d4411b5 Mon Sep 17 00:00:00 2001 From: Chris Lynch Date: Sat, 27 Jun 2020 10:44:31 +0100 Subject: [PATCH 211/355] Fix for Issues #964 - Pop!_OS added to osdetection --- include/osdetection | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/include/osdetection b/include/osdetection index f4d3b50d..ac099bde 100644 --- a/include/osdetection +++ b/include/osdetection @@ -217,6 +217,12 @@ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_NAME="openSUSE" ;; + "pop") + LINUX_VERSION="Pop!_OS" + OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + OS_NAME="Pop!_OS" + ;; "pureos") LINUX_VERSION="PureOS" OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') From 0eaa9bc9c5f42ff5da396ca0f2eef0d05e1eef87 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sat, 27 Jun 2020 13:31:52 +0200 Subject: [PATCH 212/355] Updated log --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c62639b2..b9541fb1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -3,8 +3,9 @@ ## Lynis 3.0.1 (not released yet) ### Added -- Detection of macOS Big Sur (11.0) - Detection of Kali Linux +- Detection of macOS Big Sur (11.0) +- Detection of Pop!_OS ### Changed - AUTH-9229 - Added option for LOCKED accounts and bugfix for older bash versions From ea38da3439efca23bebc859679b7a63a7ec36450 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sun, 28 Jun 2020 14:58:23 +0200 Subject: [PATCH 213/355] Add /etc/os-release detection of Linux Mint --- include/osdetection | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/include/osdetection b/include/osdetection index ac099bde..783662ad 100644 --- a/include/osdetection +++ b/include/osdetection @@ -194,6 +194,12 @@ OS_NAME="Kali Linux" OS_VERSION="Rolling release" ;; + "linuxmint") + LINUX_VERSION="Linux Mint" + OS_NAME="Linux Mint" + OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + ;; "manjaro") LINUX_VERSION="Manjaro" OS_FULLNAME="Manjaro Linux" From ac28c281b6656300618ecc8538242b5c98105f5d Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sun, 28 Jun 2020 14:58:32 +0200 Subject: [PATCH 214/355] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index b9541fb1..4d38dade 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,7 @@ ### Added - Detection of Kali Linux +- Detection of Linux Mint - Detection of macOS Big Sur (11.0) - Detection of Pop!_OS From 1da058d6defcbfa4729b99526fdafcd1ae5295ce Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 30 Jun 2020 09:01:29 +0200 Subject: [PATCH 215/355] Corrected Amazon Linux entries Switched entries and added a note. Due to matching by regular expression, the shortest match would otherwise always win. --- db/software-eol.db | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/db/software-eol.db b/db/software-eol.db index c42e244a..2412a203 100644 --- a/db/software-eol.db +++ b/db/software-eol.db @@ -16,8 +16,9 @@ # # Amazon Linux # -os:Amazon Linux:2020-06-30:1593468000: +# Note: shortest entry is listed at end due to regular expression matching being used os:Amazon Linux 2:2023-06-26:1687730400: +os:Amazon Linux:2020-06-30:1593468000: # # Arch Linux # From 9d523959529363c93e183bb523e4c467eb931070 Mon Sep 17 00:00:00 2001 From: Kepi Date: Thu, 2 Jul 2020 18:22:03 +0200 Subject: [PATCH 216/355] [FILE-6430] Don't grep nonexistant modprobe.d files We don't want to grep files in modprobe.d when dir is empty. Uses same approach as in USB-1000. --- include/tests_filesystems | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/include/tests_filesystems b/include/tests_filesystems index fe4ae167..bfe451ab 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems 
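Review bot: The fix makes `os:Amazon Linux 2:` win over `os:Amazon Linux:` purely by entry order, which the new comment acknowledges is a side effect of unanchored regex matching; the same trap recurs the moment an `Amazon Linux 2023` entry is added, because `Amazon Linux 2` is a prefix of it. Anchoring the lookup on the full name (`^os:NAME:`) would make the file order-independent; until the lookup is changed, the comment should state the rule rather than the symptom, e.g. `# Note: longer names must precede shorter ones, the lookup uses an unanchored regex match`. The lookup code itself is not visible here, so whether anchoring is a small change is inferred from the comment.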
@@ -830,12 +830,15 @@ AddHP 3 3 if IsDebug; then Display --indent 6 --text "- Module ${FS} not present in the kernel" --result OK --color GREEN; fi fi - FIND1=$(${EGREPBINARY} "blacklist ${FS}" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") - FIND2=$(${EGREPBINARY} "install ${FS} /bin/true" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") - if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then - Display --indent 4 --text "- Module $FS is blacklisted" --result "OK" --color GREEN - LogText "Result: module ${FS} is blacklisted" - fi + FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null) + if [ -n "${FIND}" ]; then + FIND1=$(${EGREPBINARY} "blacklist ${FS}" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") + FIND2=$(${EGREPBINARY} "install ${FS} /bin/true" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") + if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then + Display --indent 4 --text "- Module $FS is blacklisted" --result "OK" --color GREEN + LogText "Result: module ${FS} is blacklisted" + fi + fi done if [ ${FOUND} -eq 1 ]; then Display --indent 4 --text "- Discovered kernel modules: ${AVAILABLE_MODPROBE_FS}" From f94817f66f4344e9fee676480bf4e04167ebc52c Mon Sep 17 00:00:00 2001 From: Kepi Date: Thu, 2 Jul 2020 22:47:13 +0200 Subject: [PATCH 217/355] Command line option for slow test threshold IMHO it should be OK to run long tests if we count with it. Example: lynis audit system --slow-warning 300 Will warn when test takes longer than 300 seconds, instead of default 10. --- extras/bash_completion.d/lynis | 2 +- include/consts | 1 + include/functions | 2 +- include/parameters | 17 +++++++++++++++++ lynis | 1 + 5 files changed, 21 insertions(+), 2 deletions(-) diff --git a/extras/bash_completion.d/lynis b/extras/bash_completion.d/lynis index 8732ede3..7eee7375 100644 --- a/extras/bash_completion.d/lynis +++ b/extras/bash_completion.d/lynis 
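Review bot: The two greps inside the new `ls` guard are unanchored, so `blacklist ${FS}` also matches a longer module name that starts with `${FS}`, the `grep -v "#"` stage throws away a perfectly valid `blacklist cramfs # CIS 1.1.1.1` line, and `install ${FS} /bin/true` misses the equally common `/bin/false` and `/usr/bin/true` targets, so a hardened host can be reported as not blacklisted. Anchoring both patterns fixes all three: `FIND1=$(${EGREPBINARY} "^[[:space:]]*blacklist[[:space:]]+${FS}([[:space:]]|$)" ${ROOTDIR}etc/modprobe.d/* 2> /dev/null)` and `FIND2=$(${EGREPBINARY} "^[[:space:]]*install[[:space:]]+${FS}[[:space:]]+(/usr)?/bin/(true|false)" ${ROOTDIR}etc/modprobe.d/* 2> /dev/null)`, after which the `| ${GREPBINARY} -v "#"` stages are redundant. With stderr redirected the separate `ls`-based existence check is no longer needed either, since an unmatched glob simply yields no hits. The surrounding `for` loop starts outside the hunk.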
@@ -179,7 +179,7 @@ _lynis() *) COMPREPLY=( $( compgen -W ' \ --auditor --cronjob --debug --quick --quiet --logfile --no-colors --no-log --pentest --reverse-colors \ - --tests --tests-from-category --tests-from-group --upload --verbose' -- "$cur" ) ) + --tests --tests-from-category --tests-from-group --upload --verbose --slow-warning' -- "$cur" ) ) ;; esac diff --git a/include/consts b/include/consts index 1a75ae68..053147a4 100644 --- a/include/consts +++ b/include/consts @@ -273,6 +273,7 @@ ETC_PATHS="/etc /usr/local/etc" SKIP_VM_DETECTION=0 SKIPREASON="" SKIPPED_TESTS_ROOTONLY="" + SLOW_TEST_THRESHOLD=10 SMTPCTLBINARY="" SNORTBINARY="" SSHKEYSCANBINARY="" diff --git a/include/functions b/include/functions index 4ff5b43a..e0f75a64 100644 --- a/include/functions +++ b/include/functions @@ -2586,7 +2586,7 @@ CURRENT_TS=$(GetTimestamp) if [ ${PREVIOUS_TS} -gt 0 ]; then SLOW_TEST=0 - TIME_THRESHOLD=10 # seconds + TIME_THRESHOLD=$SLOW_TEST_THRESHOLD # seconds # Calculate timing and determine if we use seconds or nanoseconds (more precise) TIME_DIFF=$((CURRENT_TS - PREVIOUS_TS)) diff --git a/include/parameters b/include/parameters index 8668b683..242899e6 100644 --- a/include/parameters +++ b/include/parameters @@ -423,6 +423,23 @@ QUIET=1 ;; + # Warning when test is slow + --slow-warning) + if [ $# -gt 1 ]; then + shift + + if [ "$1" -gt 0 ] 2>/dev/null; then + SLOW_TEST_THRESHOLD="$1" + else + echo "Argument has to be number." + exit 1 + fi + else + echo "Specify threshold as number of seconds above which should Lynis warn about long test." + exit 1 + fi + ;; + --tests-category | --tests-categories | --view-categories | --list-categories | --show-categories) echo "Error: Deprecated option ($1)" exit 1 diff --git a/lynis b/lynis index 10f736c5..bfa1c308 100755 --- a/lynis +++ b/lynis 
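Review bot: In the new `--slow-warning` arm both diagnostics are written to stdout, so a bad value is mixed into whatever the audit output is piped into instead of going to stderr, and the second message reads awkwardly. Suggest `echo "Error: --slow-warning expects a positive number of seconds (e.g. --slow-warning 300)" >&2` for the non-numeric case and `echo "Error: --slow-warning requires a value in seconds" >&2` for the missing-argument case, provided the rest of include/parameters reports errors on stderr too (not visible here). The check `[ "$1" -gt 0 ]` rejects 0, so the warning cannot be switched off with this option; if that is intended, a one-line comment above the arm (`# 0 is rejected on purpose: it would flag every test`) prevents a well-meant future change. In the completion script the option is appended after `--verbose`, breaking the alphabetical order the list otherwise keeps.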
@@ -453,6 +453,7 @@ ${YELLOW}Note: ${WHITE}Cancelling the program can leave temporary files behind${ ${GRAY}--verbose${NORMAL} : Show more details on screen ${GRAY}--version (-V)${NORMAL} : Display version number and quit ${GRAY}--wait${NORMAL} : Wait between a set of tests + ${GRAY}--slow-warning ${BROWN}${NORMAL} : Threshold for slow test warning in seconds (default 10) ${WHITE}Enterprise options${NORMAL} ${GRAY}--plugindir ${BROWN}${NORMAL} : Define path of available plugins From 7b6624f85dac6b6806495b0dcfff2d5d2b51d75a Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 6 Jul 2020 09:25:56 +0200 Subject: [PATCH 218/355] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4d38dade..1ec27aec 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,7 @@ - KRNL-5728 - Handle zipped kernel configuration correctly - KRNL-5830 - Improved version detection for non-symlinked kernel - MALW-3280 - Extended detection of BitDefender +- Fix: hostid generation routine would sometimes show too short IDs - Generic improvements for macOS - Fix: language detection - German translation updated From 6eae35e564fba2183a1d6a2cddaa656d841756f9 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 6 Jul 2020 09:26:27 +0200 Subject: [PATCH 219/355] Fix for too short IDs due to hexdump output missing leading or trailing zeroes --- include/helper_generate | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/include/helper_generate b/include/helper_generate index 67b58b66..f3a8d909 100644 --- a/include/helper_generate +++ b/include/helper_generate 
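Review bot: The new help line is appended after `--wait`, breaking the alphabetical order of the surrounding block (`--verbose`, `--version`, `--wait`); it belongs before `--verbose`. The value placeholder between `${BROWN}` and `${NORMAL}` shows as empty on this page, as it does for `--plugindir`, which suggests an angle-bracketed token like `<seconds>` was lost in rendering rather than in the source — worth confirming in the file. A wording closer to the option's effect would be `${GRAY}--slow-warning ${BROWN}<seconds>${NORMAL} : Warn when a single test takes longer than this (default: 10)`.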
@@ -51,8 +51,10 @@ if [ $# -gt 0 ]; then ;; *) # xxd does not exist on FreeBSD - HOSTID=$(head -c20 < /dev/urandom | hexdump -ve '"%.2x"') - HOSTID2=$(head -c32 < /dev/urandom | hexdump -ve '"%.2x"') + # Note: hexdump may omit leading or trailing zeroes. + # Take 100 characters as input, turn to hex, then take first 40/64. + HOSTID=$(head -c100 < /dev/urandom | hexdump -ve '"%.2x"' | head -c40) + HOSTID2=$(head -c100 < /dev/urandom | hexdump -ve '"%.2x"' | head -c64) ;; esac From 2c928a41510171bb87bedcb913216554a8d7b7ec Mon Sep 17 00:00:00 2001 From: Simon Erkelens Date: Tue, 7 Jul 2020 15:05:50 +1200 Subject: [PATCH 220/355] Update HAPPY_USERS.md --- HAPPY_USERS.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/HAPPY_USERS.md b/HAPPY_USERS.md index 57c363a9..53677c52 100644 --- a/HAPPY_USERS.md +++ b/HAPPY_USERS.md @@ -33,3 +33,6 @@ installed on all my systems to uncover unexpected configuration issues. The valuable feedback and contributions give me the energy to continue to work on its development, even after 12+ years! +* Catalyst.net IT - January 2020 +Lynis gave us great insight in to the security state of our systems, as well as where we can improve. + From 6355360972136ee8eb9d8781f8732fee2812d441 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 7 Jul 2020 12:29:57 +0200 Subject: [PATCH 221/355] Update CHANGELOG.md --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1ec27aec..f54709c8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,7 @@ - AUTH-9229 - Added option for LOCKED accounts and bugfix for older bash versions - BOOT-5122 - Presence check for grub.d added - CRYP-7931 - Redirect errors (e.g. when swap is not encrypted) +- FILE-6430 - Don't grep nonexistant modprobe.d files - FIRE-4535 - Set initial firewall state - INSE-8312 - Corrected text on screen - KRNL-5728 - Handle zipped kernel configuration correctly From de18ddc2c01b2d53a21d48c8497a7a08a7386bf0 Mon Sep 17 00:00:00 2001 
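Review bot: The new comment attributes the short IDs to hexdump omitting zeroes, but `%.2x` is a printf precision that always emits two digits per byte, so the stated root cause does not hold and the workaround (draw 100 bytes, keep 40/64 hex characters) only masks whatever actually produced a short string; if it was a short read or a platform hexdump quirk, a short ID is still possible. Add an explicit length check after generation so a bad ID fails loudly instead of being stored: `if [ ${#HOSTID} -ne 40 ] || [ ${#HOSTID2} -ne 64 ]; then echo "Error: could not generate host identifiers"; exit 1; fi` (or the helper's usual fatal-exit routine). Entropy is not the concern: the first 40 of 200 hex characters are still 160 bits straight from /dev/urandom. The enclosing case statement and function continue outside the hunk.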
From: Kepi Date: Thu, 2 Jul 2020 22:14:38 +0200 Subject: [PATCH 222/355] [functions] ParseNginx: Support include on absolute paths Includes can be absolute paths too. This is quick fix counting on fact that absolute paths have slash at start. --- include/functions | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/include/functions b/include/functions index 4ff5b43a..39ae7c92 100644 --- a/include/functions +++ b/include/functions @@ -2305,7 +2305,8 @@ # Check for additional config files included as follows # "include sites-enabled/*.conf" elif [ $(echo ${VALUE} | grep -F -c "*.conf") -gt 0 ]; then - for FOUND_CONF in $(ls ${CONFIG_FILE%nginx.conf}${VALUE%;*}); do + if [ "$(echo ${VALUE} | ${CUTBINARY} -c1)" != "/" ]; then VALUE=${CONFIG_FILE%nginx.conf}; fi + for FOUND_CONF in $(ls ${VALUE%;*}); do FOUND=0 for CONF in ${NGINX_CONF_FILES}; do if [ "${CONF}" = "${FOUND_CONF}" ]; then FOUND=1; LogText "Found this file already in our configuration files array, not adding to queue"; fi From a2e752a8db56032e38cc8c7b96830ceea90bf844 Mon Sep 17 00:00:00 2001 From: Kepi Date: Thu, 2 Jul 2020 22:22:34 +0200 Subject: [PATCH 223/355] [functions] ParseNginx: Ignore empty included wildcards Its ok to have empty directories included. We should not output errors with lsbinary unable to find anything there. --- include/functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/functions b/include/functions index 39ae7c92..36113531 100644 --- a/include/functions +++ b/include/functions 
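Review bot: The new line assigns the config directory to `VALUE` instead of prefixing it, so a relative include such as `sites-enabled/*.conf` becomes `${CONFIG_FILE%nginx.conf}` alone and the following `ls` lists the whole directory (`nginx.conf`, `mime.types`, subdirectories) rather than the matching `.conf` files; the removed line did `${CONFIG_FILE%nginx.conf}${VALUE%;*}`. Keep the prefix: `if [ "$(echo ${VALUE} | ${CUTBINARY} -c1)" != "/" ]; then VALUE="${CONFIG_FILE%nginx.conf}${VALUE}"; fi`. The echo|cut pipeline can also become `case ${VALUE} in /*) ;; *) VALUE="${CONFIG_FILE%nginx.conf}${VALUE}" ;; esac`, and iterating the glob directly (`for FOUND_CONF in ${VALUE%;*}; do [ -e "${FOUND_CONF}" ] || continue`) avoids word-splitting `ls` output on file names with spaces. The enclosing function continues outside the hunk.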
@@ -2306,7 +2306,7 @@ # "include sites-enabled/*.conf" elif [ $(echo ${VALUE} | grep -F -c "*.conf") -gt 0 ]; then if [ "$(echo ${VALUE} | ${CUTBINARY} -c1)" != "/" ]; then VALUE=${CONFIG_FILE%nginx.conf}; fi - for FOUND_CONF in $(ls ${VALUE%;*}); do + for FOUND_CONF in $(ls ${VALUE%;*} 2> /dev/null); do FOUND=0 for CONF in ${NGINX_CONF_FILES}; do if [ "${CONF}" = "${FOUND_CONF}" ]; then FOUND=1; LogText "Found this file already in our configuration files array, not adding to queue"; fi From b2be7c160e865252d0c589089e444a259576904f Mon Sep 17 00:00:00 2001 From: Simon Biewald Date: Thu, 9 Jul 2020 18:19:35 +0200 Subject: [PATCH 224/355] detect and test for timesyncd w/o working timedatectl On systems without dbus timedatectl does not work. Thus it is checked if timesyncd currently runs and when /run/systemd/timesyncd/synchronized was last modified. Timesyncd touches this file on any sucessfull synchronization. This is documented in systemd-timesyncd(8). The new test for successfull documentation has the id TIME-3185. --- include/tests_time | 57 ++++++++++++++++++++++++++++++++-------------- 1 file changed, 40 insertions(+), 17 deletions(-) diff --git a/include/tests_time b/include/tests_time index 7c15d0a3..1985aa44 100644 --- a/include/tests_time +++ b/include/tests_time 
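Review bot: `2> /dev/null` on the `ls` hides not only the empty-directory case the commit targets but also `Permission denied` and a non-existent include directory, which an audit tool should log rather than swallow. Using the shell's own glob needs no error suppression: `for FOUND_CONF in ${VALUE%;*}; do` followed by `if [ ! -e "${FOUND_CONF}" ]; then LogText "Result: include pattern ${VALUE%;*} matched no readable files"; continue; fi` as the first statement of the loop. This also stops file names containing spaces from being split apart by the `$(ls ...)` expansion. The loop and its enclosing function continue outside the hunk.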
@@ -124,23 +124,11 @@ fi # Check timedate daemon (systemd) - if [ -n "${TIMEDATECTL}" ]; then - FIND=$(${TIMEDATECTL} status | ${EGREPBINARY} "(NTP|System clock) synchronized: yes") - if [ -n "${FIND}" ]; then - # Check for systemd-timesyncd - if [ -f ${ROOTDIR}etc/systemd/timesyncd.conf ]; then - LogText "Result: found ${ROOTDIR}etc/systemd/timesyncd.conf" - FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="systemd-timesyncd" - Display --indent 2 --text "- NTP daemon found: systemd (timesyncd)" --result "${STATUS_FOUND}" --color GREEN - SYSTEMD_NTP_ENABLED=1 - else - LogText "Result: ${ROOTDIR}etc/systemd/timesyncd.conf does not exist" - fi - else - LogText "Result: time synchronization not performed according timedatectl command" - fi - else - LogText "Result: timedatectl command not available on this system" + FIND=$(${PSBINARY} ax | ${GREPBINARY} "systemd-timesyncd" | ${GREPBINARY} -v "grep") + if [ -n "${FIND}" ]; then + FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="systemd-timesyncd" + Display --indent 2 --text "- NTP daemon found: systemd (timesyncd)" --result "${STATUS_FOUND}" --color GREEN + LogText "Result: Found running systemd-timesyncd in process list" fi # Check crontab for OpenBSD/FreeBSD 
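Review bot: The replacement detection greps `ps ax` for the bare substring `systemd-timesyncd`, so any process whose command line contains it (`journalctl -u systemd-timesyncd`, `systemctl status systemd-timesyncd`, a pager on the unit file) makes Lynis report a running NTP daemon, and the removed `timesyncd.conf` existence check is no longer there to corroborate. Requiring a path component in front of the name and a word end after it is tighter: `FIND=$(${PSBINARY} ax | ${EGREPBINARY} "/systemd-timesyncd( |$)" | ${GREPBINARY} -v "grep")`. The removed branch also set `SYSTEMD_NTP_ENABLED=1`, which no line in the new code sets; if any other test reads that flag it will now never be true, so either set it next to `NTP_DAEMON="systemd-timesyncd"` or confirm it has no readers. The enclosing test body continues outside the hunk.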
@@ -581,6 +569,41 @@ ReportWarning "${TEST_NO}" "OpenNTPD has no peers" "${NTPCTLBINARY} -s status" fi fi + +# +################################################################################# +# + + # Test : TIME-3185 + # Description : Check systemd-timesyncd synchronized time + + if [ "${NTP_DAEMON}" = "systemd-timesyncd" ]; then + PREQS_MET="YES" + else + PREQS_MET="NO" + fi + + + Register --test-no TIME-3185 --preqs-met "${PREQS_MET}" --weight L --network NO --category "time" --description "Check systemd-timesyncd synchronized time" + if [ ${SKIPTEST} -eq 0 ]; then + if [ -e /run/systemd/timesync/synchronized ]; then + FIND=$(( $(date +%s) - $(stat -L --format %Y /run/systemd/timesync/synchronized) )) + # Check if last sync was more than 2048 seconds (= the default of systemd) ago + if [ ${FIND} -ge 2048 ]; then + COLOR=RED + ReportWarning "${TEST_NO}" "systemd-timesyncd did not synchronized the time recently." + else + COLOR=GREEN + fi + Display --indent 2 --text "- Last time synchronization" --result "${FIND}s" --color "${COLOR}" + LogText "Result: systemd-timesyncd synchronized time ${FIND} seconds ago." + else + Display --indent 2 --text "- Last time synchronization" --result "${STATUS_NOT_FOUND}" --color RED + ReportWarning "${TEST_NO}" "systemd-timesyncd never successfully synchronized time" + fi + fi + + # ################################################################################# # From 38b6105c6061c01b7075a76c23a9e73a962692bf Mon Sep 17 00:00:00 2001 From: Simon Biewald Date: Thu, 9 Jul 2020 18:27:02 +0200 Subject: [PATCH 225/355] add new test to test database --- db/tests.db | 1 + include/tests_time | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/db/tests.db b/db/tests.db index 32347102..26fc8f87 100644 --- a/db/tests.db +++ b/db/tests.db 
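Review bot: TIME-3185 compares the age of `/run/systemd/timesync/synchronized` against 2048 s, which the comment identifies as systemd's default maximum poll interval, so a healthy host whose next poll is due but not yet run sits just past the threshold and is reported RED for a few seconds each cycle — the warning will flap. Give it headroom, e.g. `if [ "${FIND}" -ge 4096 ]; then` with the comment `# twice PollIntervalMaxSec (2048 s), so a poll that is merely due does not trigger a warning`. The commit message names the file `/run/systemd/timesyncd/synchronized` while the code uses `/run/systemd/timesync/`; the code path is the one I recall from systemd-timesyncd(8), so the message is what needs correcting. The warning text "did not synchronized the time recently" should read "has not synchronized the time recently", and since /run is volatile "never successfully synchronized" means since boot, which the message could say.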
@@ -419,6 +419,7 @@ TIME-3170:test:security:time::Check configuration files: TIME-3180:test:security:time::Report if ntpctl cannot communicate with OpenNTPD: TIME-3181:test:security:time::Check status of OpenNTPD time synchronisation TIME-3182:test:security:time::Check OpenNTPD has working peers +TIME-3185:test:security:time::Check systemd-timesyncd synchronized time TOOL-5002:test:security:tooling::Checking for automation tools: TOOL-5102:test:security:tooling::Check for presence of Fail2ban: TOOL-5104:test:security:tooling::Enabled tests for Fail2ban: diff --git a/include/tests_time b/include/tests_time index 1985aa44..1fb512ae 100644 --- a/include/tests_time +++ b/include/tests_time @@ -584,7 +584,7 @@ fi - Register --test-no TIME-3185 --preqs-met "${PREQS_MET}" --weight L --network NO --category "time" --description "Check systemd-timesyncd synchronized time" + Register --test-no TIME-3185 --preqs-met "${PREQS_MET}" --weight L --network NO --category "security" --description "Check systemd-timesyncd synchronized time" if [ ${SKIPTEST} -eq 0 ]; then if [ -e /run/systemd/timesync/synchronized ]; then FIND=$(( $(date +%s) - $(stat -L --format %Y /run/systemd/timesync/synchronized) )) From df7c6257a56d54a001859c209b92f7e74589cd13 Mon Sep 17 00:00:00 2001 From: Simon Biewald Date: Thu, 9 Jul 2020 18:41:09 +0200 Subject: [PATCH 226/355] compare correct stuff in openntpd tests I accidentially compared rubbish in the openntpd tests, thus they were not executed at all. Additionally, == was used instead of =. --- include/tests_time | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/include/tests_time b/include/tests_time index 7c15d0a3..79e7aa2e 100644 --- a/include/tests_time +++ b/include/tests_time 
@@ -532,7 +532,7 @@ # # Test : TIME-3180 # Description : Report if ntpctl cannot communicate with OpenNTPD - if [ "${NTPD_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" == "openntpd" ]; then + if [ "${NTP_DAEMON_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" = "openntpd" ]; then PREQS_MET="YES" else PREQS_MET="NO" @@ -548,7 +548,7 @@ # # Test : TIME-3181 # Description : Check status of OpenNTPD time synchronisation - if [ "${NTPD_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" == "openntpd" ] && [ "${OPENNTPD_COMMUNICATION}" -eq 1 ]; then + if [ "${NTP_DAEMON_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" = "openntpd" ] && [ "${OPENNTPD_COMMUNICATION}" -eq 1 ]; then PREQS_MET="YES" else PREQS_MET="NO" @@ -567,7 +567,7 @@ # Test : TIME-3182 # Description : Check OpenNTPD has working peers - if [ "${NTPD_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" == "openntpd" ] && [ "${OPENNTPD_COMMUNICATION}" -eq 1 ]; then + if [ "${NTP_DAEMON_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" = "openntpd" ] && [ "${OPENNTPD_COMMUNICATION}" -eq 1 ]; then PREQS_MET="YES" else PREQS_MET="NO" From 9107867fa1307a7ec65f250efbc2440665078fb0 Mon Sep 17 00:00:00 2001 From: Simon Biewald Date: Thu, 9 Jul 2020 18:57:01 +0200 Subject: [PATCH 227/355] use correct regex and comparison to match peers --- include/tests_time | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/tests_time b/include/tests_time index 79e7aa2e..eee5cbfc 100644 --- a/include/tests_time +++ b/include/tests_time 
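Review bot: The corrected preconditions compare `${NTP_DAEMON_RUNNING}` and `${OPENNTPD_COMMUNICATION}` with `-eq`, and in the visible hunks `OPENNTPD_COMMUNICATION` is only assigned inside the OpenNTPD branch, so on a host without OpenNTPD `[ "" -eq 1 ]` prints `integer expression expected` on stderr for each of the three tests (the condition still evaluates false, so the skip is right but noisy). Supply a default at the point of use, `[ "${NTP_DAEMON_RUNNING:-0}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" = "openntpd" ] && [ "${OPENNTPD_COMMUNICATION:-0}" -eq 1 ]`, or initialise `OPENNTPD_COMMUNICATION=0` in include/consts next to the other flags. Whether consts already initialises these variables is not visible from the hunk.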
@@ -576,8 +576,8 @@ Register --test-no TIME-3182 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check OpenNTPD has working peers" if [ ${SKIPTEST} -eq 0 ]; then # Format is "xx/yy peers valid, ..." - FIND=$(${NTPCTLBINARY} -s status | ${EGREPBINARY} -o "[0-9]{1,4}/" | ${EGREPBINARY} -o "[0-9]{1,4}" ) - if [ -n "${FIND}" ] || [ "${FIND}" -eq 0 ]; then + FIND=$(${NTPCTLBINARY} -s status | ${EGREPBINARY} -o '[0-9]+/[0-9]+' | ${CUTBINARY} -d '/' -f 1) + if [ -z "${FIND}" ] || [ "${FIND}" -eq 0 ]; then ReportWarning "${TEST_NO}" "OpenNTPD has no peers" "${NTPCTLBINARY} -s status" fi fi From d4639b3c6a98544269d5d7e59146de2e74ef1530 Mon Sep 17 00:00:00 2001 From: Simon Biewald Date: Fri, 10 Jul 2020 00:29:35 +0200 Subject: [PATCH 228/355] find more cron ntp clients, iterate over cron files with glob --- include/tests_time | 42 ++++++++++++++++-------------------------- 1 file changed, 16 insertions(+), 26 deletions(-) diff --git a/include/tests_time b/include/tests_time index 7c15d0a3..842e3495 100644 --- a/include/tests_time +++ b/include/tests_time 
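Review bot: The new pipeline keeps every `n/m` token that `ntpctl -s status` prints, so if the output ever contains more than one (a second line of the same shape, for example) `FIND` becomes multi-line and `[ "${FIND}" -eq 0 ]` fails with a shell error instead of a verdict; the comment only documents the `xx/yy peers valid` form. Take the first match explicitly: `FIND=$(${NTPCTLBINARY} -s status | ${EGREPBINARY} -o '[0-9]+/[0-9]+' | head -n 1 | ${CUTBINARY} -d '/' -f 1)` (via `${HEADBINARY}` if the file defines one). The inverted `-z` test is the right fix for the previous always-true condition.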
@@ -146,17 +146,20 @@ # Check crontab for OpenBSD/FreeBSD # Check anacrontab for Linux CRONTAB_FILES="/etc/anacrontab /etc/crontab" + # Regex for matching multiple time synchronisation binaries + # Partial sanity check for sntp and ntpdig, but this does not consider all corner cases + CRONTAB_REGEX='ntpdate|rdate|sntp.+-(s|j|--adj)|ntpdig.+-(S|s)' for I in ${CRONTAB_FILES}; do if [ -f ${I} ]; then - LogText "Test: checking for ntpdate or rdate in crontab file ${I}" - FIND=$(${EGREPBINARY} "ntpdate|rdate" ${I} | ${GREPBINARY} -v '^#') + LogText "Test: checking for ntpdate, rdate, sntp or ntpdig in crontab file ${I}" + FIND=$(${EGREPBINARY} "${CRONTAB_REGEX}" ${I} | ${GREPBINARY} -v '^#') if [ -n "${FIND}" ]; then FOUND=1; NTP_CONFIG_TYPE_SCHEDULED=1 Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "${STATUS_FOUND}" --color GREEN - LogText "Result: found ntpdate or rdate reference in crontab file ${I}" + LogText "Result: found ntpdate, rdate, sntp or ntpdig reference in crontab file ${I}" else #Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "${STATUS_NOT_FOUND}" --color WHITE - LogText "Result: no ntpdate or rdate reference found in crontab file ${I}" + LogText "Result: no ntpdate, rdate, sntp or ntpdig reference found in crontab file ${I}" fi else LogText "Result: crontab file ${I} not found" 
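Review bot: `CRONTAB_REGEX` matches `ntpdate` and `rdate` as bare substrings, so a cron entry like `/usr/local/bin/update-rdate-cache` or any path with `ntpdate` in a directory name counts as a scheduled NTP client; `ntpdig.+-(S|s)` also fires on the long options `--step` and `--slew`, which happens to be what you want but is accidental. Requiring the two names to start a word tightens the first case: `CRONTAB_REGEX='(^|[^[:alnum:]_-])(ntpdate|rdate)|sntp.+-(s|j|--adj)|ntpdig.+-(S|s)'`, which still accepts `ntpdate-debian`. The comment honestly flags the sntp/ntpdig checks as partial; extend it with `# also matches ntpdig --step/--slew via the "-s" prefix` so the next reader does not tighten it away. The `for` loop over `CRONTAB_FILES` ends outside the hunk.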
@@ -169,31 +172,18 @@ # Check cron jobs for I in ${CRON_DIRS}; do - if [ -d ${I} ]; then - if FileIsReadable ${I}; then - FIND=$(${FINDBINARY} ${I} -type f -a ! -name ".placeholder" -print 2> /dev/null | ${SEDBINARY} 's/ /__space__/g' | ${TRBINARY} '\n' '\0' | ${TRBINARY} -cd '[:print:]\0' | ${TRBINARY} '\0' ' ') + for J in "${I}"/*; do # iterate over folders in a safe way + # Check: regular file, readable and not called .placeholder + FIND=$(echo "${J}" | ${EGREPBINARY} '/.placeholder$') + if [ -f "${J}" ] && [ -r "${J}" ] && [ -z "${FIND}" ]; then + LogText "Test: checking for ntpdate, rdate, sntp or ntpdig in ${J}" + FIND=$("${EGREPBINARY}" "${CRONTAB_REGEX}" "${J}" | "${GREPBINARY}" -v "^#") if [ -n "${FIND}" ]; then - for J in ${FIND}; do - # Place back spaces if needed - J=$(echo ${J} | ${SEDBINARY} 's/__space__/ /g') - LogText "Test: checking for ntpdate or rdate in ${J}" - if FileIsReadable ${J}; then - FIND2=$(${EGREPBINARY} "rdate|ntpdate" "${J}" | ${GREPBINARY} -v "^#") - if [ -n "${FIND2}" ]; then - LogText "Positive match found: ${FIND2}" - FOUND=1; FOUND_IN_CRON=1; NTP_CONFIG_TYPE_SCHEDULED=1 - fi - else - LogText "Result: could not test in file '${J}' as it is not readable" - fi - done - else - LogText "Result: ${I} is empty, skipping search in directory" + FOUND=1; FOUND_IN_CRON=1; NTP_CONFIG_TYPE_SCHEDULED=1 + LogText "Result: found ntpdate, rdate, sntp or ntpdig in ${J}" fi - else - LogText "Result: could not search in directory due to permissions" fi - fi + done done if [ ${FOUND_IN_CRON} -eq 1 ]; then From 092fe08c400a0b7eb4f6ace7ac4ebaf6c4c9bec6 Mon Sep 17 00:00:00 2001 From: Simon Biewald Date: Fri, 10 Jul 2020 00:40:36 +0200 Subject: [PATCH 229/355] shellcheck: check exit code directly --- include/tests_time | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/include/tests_time b/include/tests_time index eee5cbfc..c85e2876 100644 --- a/include/tests_time +++ b/include/tests_time 
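Review bot: Switching from `find ${I} -type f` to `"${I}"/*` drops recursion and dot-files, so cron jobs one level down (BSD `/etc/periodic/daily` and friends, if those directories are in `CRON_DIRS`, which is not visible here) are no longer scanned, and the old `could not test in file ... as it is not readable` / `could not search in directory due to permissions` log lines disappear, so a client that silently vanishes from the report leaves no trace. If a flat listing is intended, say so (`# only top-level files are scanned; nested cron trees are not searched`) and restore the diagnostic with an `else LogText "Result: skipping ${J}, not a readable regular file"` branch; otherwise keep `find` and fix its quoting instead. The `.placeholder` check spawns echo|egrep per file with an unescaped `.`; `case "${J}" in */.placeholder) continue ;; esac` does it in-shell.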
@@ -86,9 +86,8 @@ # Reason: openntpd syncs only if large time corrections are not required or -s is passed. # This might be not intended by the administrator (-s is NOT the default!) FIND=$(${PSBINARY} ax | ${GREPBINARY} "ntpd: ntp engine" | ${GREPBINARY} -v "grep") - ${NTPCTLBINARY} -s status > /dev/null 2> /dev/null # Status code 0 is when communication over the socket is successfull - if [ "$?" -eq 0 ]; then + if ${NTPCTLBINARY} -s status > /dev/null 2> /dev/null; then FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="openntpd" LogText "result: found openntpd (method: ntpctl)" OPENNTPD_COMMUNICATION=1 From 7ba220811f309ae69751821858e5b39bbc5c3cb7 Mon Sep 17 00:00:00 2001 From: Simon Biewald Date: Fri, 10 Jul 2020 00:41:45 +0200 Subject: [PATCH 230/355] use = instead of == --- include/tests_time | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_time b/include/tests_time index c85e2876..153397e2 100644 --- a/include/tests_time +++ b/include/tests_time @@ -100,7 +100,7 @@ LogText "result: running openntpd not found, but ntpctl is instaalled" fi - if [ "${NTP_DAEMON}" == "openntpd" ]; then + if [ "${NTP_DAEMON}" = "openntpd" ]; then Display --indent 2 --text "- NTP daemon found: OpenNTPD" --result "${STATUS_FOUND}" --color GREEN fi fi From e27208a342aee4ac5c1c19cac0f27700201a7708 Mon Sep 17 00:00:00 2001 From: Simon Biewald Date: Fri, 10 Jul 2020 00:48:12 +0200 Subject: [PATCH 231/355] use STATBINARY, put filename in variable --- include/tests_time | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/include/tests_time b/include/tests_time index 1fb512ae..e3cf4ac8 100644 --- a/include/tests_time +++ b/include/tests_time 
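Review bot: Testing `${NTPCTLBINARY} -s status` directly is cleaner, but with both streams discarded a failure for any reason other than "daemon not running" (socket permission when not root, an unsupported flag) is indistinguishable from OpenNTPD being absent, and the audit then quietly reports no daemon. Log the status in the else branch, where `$?` still holds the tested command's exit code: `else LogText "Result: ntpctl -s status failed (exit code $?)"`. `${NTPCTLBINARY}` is expanded unquoted as the command word, which is only safe if the enclosing block first checks `-n "${NTPCTLBINARY}"`; that check, and the else branch, are outside the hunk. The typo `instaalled` in the context log line of the next hunk could be fixed in the same pass.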
@@ -585,11 +585,12 @@ Register --test-no TIME-3185 --preqs-met "${PREQS_MET}" --weight L --network NO --category "security" --description "Check systemd-timesyncd synchronized time" + SYNCHRONIZED_FILE="/run/systemd/timesync/synchronized" if [ ${SKIPTEST} -eq 0 ]; then - if [ -e /run/systemd/timesync/synchronized ]; then - FIND=$(( $(date +%s) - $(stat -L --format %Y /run/systemd/timesync/synchronized) )) + if [ -e "${SYNCHRONIZED_FILE}" ]; then + FIND=$(( $(date +%s) - $(${STATBINARY} -L --format %Y "${SYNCHRONIZED_FILE}") )) # Check if last sync was more than 2048 seconds (= the default of systemd) ago - if [ ${FIND} -ge 2048 ]; then + if [ "${FIND}" -ge 2048 ]; then COLOR=RED ReportWarning "${TEST_NO}" "systemd-timesyncd did not synchronized the time recently." else @@ -602,7 +603,7 @@ ReportWarning "${TEST_NO}" "systemd-timesyncd never successfully synchronized time" fi fi - + unset SYNCHRONIZED_FILE # ################################################################################# From baf5f7ad4d6456ecf21f9987f9140d08dd0025c5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Tue, 21 Jul 2020 23:56:47 +0200 Subject: [PATCH 232/355] add Microsoft Defender ATP, malware scanner MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- include/binaries | 1 + 1 file changed, 1 insertion(+) diff --git a/include/binaries b/include/binaries index 6bbea4af..ae2c2824 100644 --- a/include/binaries +++ b/include/binaries 
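Review bot: The arithmetic `$(( $(date +%s) - $(${STATBINARY} -L --format %Y ...) ))` has no guard for `${STATBINARY}` being empty, in which case the inner substitution yields nothing and the expression is a shell syntax error rather than a skipped test; add `[ -n "${STATBINARY}" ]` to the prerequisite, e.g. `if [ -n "${STATBINARY}" ] && [ -e "${SYNCHRONIZED_FILE}" ]; then`. `--format` is the GNU spelling; `-c %Y` is accepted by GNU and busybox stat alike, so `${STATBINARY} -L -c %Y "${SYNCHRONIZED_FILE}"` is the more portable form (systemd-timesyncd gating makes GNU the usual case, but container images vary). `date` is still called bare while `stat` goes through the detected binary; if the file has a `${DATEBINARY}`, use it for consistency.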
@@ -219,6 +219,7 @@ maldet) LMDBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: maldet (Linux Malware Detect, malware scanner) - ${BINARY}" ;; md5) MD5BINARY="${BINARY}"; LogText " Found known binary: md5 (hash tool) - ${BINARY}" ;; md5sum) MD5BINARY="${BINARY}"; LogText " Found known binary: md5sum (hash tool) - ${BINARY}" ;; + mdatp) MDATPBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: mdatp (Microsoft Defender ATP, malware scanner) - ${BINARY}" ;; modprobe) MODPROBEBINARY="${BINARY}"; LogText " Found known binary: modprobe (kernel modules) - ${BINARY}" ;; mount) MOUNTBINARY="${BINARY}"; LogText " Found known binary: mount (disk utility) - ${BINARY}" ;; mtree) MTREEBINARY="${BINARY}"; LogText " Found known binary: mtree (mapping directory tree) - ${BINARY}" ;; From 9b388518deb5a339f21d2d0997de718a77a1c68f Mon Sep 17 00:00:00 2001 From: 0ri0n Date: Sun, 26 Jul 2020 23:33:34 -0400 Subject: [PATCH 233/355] Add PHP 7.4 Detection Paths --- include/tests_php | 41 +++++++++++++++++++++++++++++++++++------ 1 file changed, 35 insertions(+), 6 deletions(-) diff --git a/include/tests_php b/include/tests_php index 0f498fff..cd19da63 100644 --- a/include/tests_php +++ b/include/tests_php @@ -36,6 +36,7 @@ ${ROOTDIR}etc/php7.1/php.ini \ ${ROOTDIR}etc/php7.2/php.ini \ ${ROOTDIR}etc/php7.3/php.ini \ + ${ROOTDIR}etc/php7.4/php.ini \ ${ROOTDIR}etc/php/cgi-php5/php.ini \ ${ROOTDIR}etc/php/cli-php5/php.ini \ ${ROOTDIR}etc/php/apache2-php5/php.ini \ 
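Review bot: Setting `MALWARE_SCANNER_INSTALLED=1` on the presence of the `mdatp` binary treats an installed-but-disabled Defender the same as an active one, so a host where real-time protection is off or onboarding failed still passes as protected; the neighbouring maldet entry does the same, so the line is consistent, but for an EDR agent the gap matters more. A follow-up test could ask the agent (`mdatp health --field real_time_protection_enabled`, output format to be confirmed against its documentation) before crediting the scanner. Until then a comment on the new line, `# presence only; whether real-time protection is enabled is not checked`, keeps readers from over-reading the flag.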
@@ -45,24 +46,29 @@ ${ROOTDIR}etc/php/apache2-php7.1/php.ini \ ${ROOTDIR}etc/php/apache2-php7.2/php.ini \ ${ROOTDIR}etc/php/apache2-php7.3/php.ini \ + ${ROOTDIR}etc/php/apache2-php7.4/php.ini \ ${ROOTDIR}etc/php/cgi-php5.5/php.ini \ ${ROOTDIR}etc/php/cgi-php5.6/php.ini \ ${ROOTDIR}etc/php/cgi-php7.0/php.ini \ ${ROOTDIR}etc/php/cgi-php7.1/php.ini \ ${ROOTDIR}etc/php/cgi-php7.2/php.ini \ ${ROOTDIR}etc/php/cgi-php7.3/php.ini \ + ${ROOTDIR}etc/php/cgi-php7.4/php.ini \ ${ROOTDIR}etc/php/cli-php5.5/php.ini \ ${ROOTDIR}etc/php/cli-php5.6/php.ini \ ${ROOTDIR}etc/php/cli-php7.0/php.ini \ ${ROOTDIR}etc/php/cli-php7.1/php.ini \ ${ROOTDIR}etc/php/cli-php7.2/php.ini \ ${ROOTDIR}etc/php/cli-php7.3/php.ini \ + ${ROOTDIR}etc/php/cli-php7.4/php.ini \ ${ROOTDIR}etc/php/embed-php5.5/php.ini \ ${ROOTDIR}etc/php/embed-php5.6/php.ini \ ${ROOTDIR}etc/php/embed-php7.0/php.ini \ ${ROOTDIR}etc/php/embed-php7.1/php.ini \ ${ROOTDIR}etc/php/embed-php7.2/php.ini \ ${ROOTDIR}etc/php/embed-php7.3/php.ini \ + ${ROOTDIR}etc/php/embed-php7.4/php.ini \ + ${ROOTDIR}etc/php/fpm-php7.4/php.ini \ ${ROOTDIR}etc/php/fpm-php7.3/php.ini \ ${ROOTDIR}etc/php/fpm-php7.2/php.ini \ ${ROOTDIR}etc/php/fpm-php7.1/php.ini \ @@ -71,7 +77,9 @@ ${ROOTDIR}etc/php/fpm-php5.6/php.ini \ ${ROOTDIR}etc/php5/cgi/php.ini \ ${ROOTDIR}etc/php5/cli/php.ini \ - ${ROOTDIR}etc/php5/cli-php5.4/php.ini ${ROOTDIR}etc/php5/cli-php5.5/php.ini ${ROOTDIR}etc/php5/cli-php5.6/php.ini \ + ${ROOTDIR}etc/php5/cli-php5.4/php.ini \ + ${ROOTDIR}etc/php5/cli-php5.5/php.ini \ + ${ROOTDIR}etc/php5/cli-php5.6/php.ini \ ${ROOTDIR}etc/php5/apache2/php.ini \ ${ROOTDIR}etc/php5/fpm/php.ini \ ${ROOTDIR}private/etc/php.ini \ 
@@ -79,10 +87,12 @@ ${ROOTDIR}etc/php/7.1/apache2/php.ini \ ${ROOTDIR}etc/php/7.2/apache2/php.ini \ ${ROOTDIR}etc/php/7.3/apache2/php.ini \ + ${ROOTDIR}etc/php/7.4/apache2/php.ini \ ${ROOTDIR}etc/php/7.0/cli/php.ini ${ROOTDIR}etc/php/7.0/fpm/php.ini \ ${ROOTDIR}etc/php/7.1/cli/php.ini ${ROOTDIR}etc/php/7.1/fpm/php.ini \ ${ROOTDIR}etc/php/7.2/cli/php.ini ${ROOTDIR}etc/php/7.2/fpm/php.ini \ ${ROOTDIR}etc/php/7.3/cli/php.ini ${ROOTDIR}etc/php/7.3/fpm/php.ini \ + ${ROOTDIR}etc/php/7.4/cli/php.ini ${ROOTDIR}etc/php/7.4/fpm/php.ini \ ${ROOTDIR}var/www/conf/php.ini \ ${ROOTDIR}usr/local/etc/php.ini ${ROOTDIR}usr/local/lib/php.ini \ ${ROOTDIR}usr/local/etc/php5/cgi/php.ini \ @@ -92,6 +102,7 @@ ${ROOTDIR}usr/local/php71/lib/php.ini \ ${ROOTDIR}usr/local/php72/lib/php.ini \ ${ROOTDIR}usr/local/php73/lib/php.ini \ + ${ROOTDIR}usr/local/php74/lib/php.ini \ ${ROOTDIR}usr/local/zend/etc/php.ini \ ${ROOTDIR}usr/pkg/etc/php.ini \ ${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.ini \ @@ -101,6 +112,7 @@ ${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.ini \ ${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.ini \ ${ROOTDIR}opt/cpanel/ea-php73/root/etc/php.ini \ + ${ROOTDIR}opt/cpanel/ea-php74/root/etc/php.ini \ ${ROOTDIR}opt/alt/php44/etc/php.ini \ ${ROOTDIR}opt/alt/php51/etc/php.ini \ ${ROOTDIR}opt/alt/php52/etc/php.ini \ 
@@ -112,27 +124,42 @@ ${ROOTDIR}opt/alt/php71/etc/php.ini \ ${ROOTDIR}opt/alt/php72/etc/php.ini \ ${ROOTDIR}opt/alt/php73/etc/php.ini \ + ${ROOTDIR}opt/alt/php74/etc/php.ini \ ${ROOTDIR}etc/opt/remi/php56/php.ini \ ${ROOTDIR}etc/opt/remi/php70/php.ini \ ${ROOTDIR}etc/opt/remi/php71/php.ini \ ${ROOTDIR}etc/opt/remi/php72/php.ini \ - ${ROOTDIR}etc/opt/remi/php73/php.ini" + ${ROOTDIR}etc/opt/remi/php73/php.ini \ + ${ROOTDIR}etc/opt/remi/php74/php.ini" # HEADS-UP: OpenBSD, last two releases are supported, and snapshots of -current PHPINILOCS="${PHPINILOCS} \ - ${ROOTDIR}etc/php-5.6.ini ${ROOTDIR}etc/php-7.0.ini ${ROOTDIR}etc/php-7.1.ini ${ROOTDIR}etc/php-7.2.ini ${ROOTDIR}etc/php-7.3.ini" + ${ROOTDIR}etc/php-5.6.ini \ + ${ROOTDIR}etc/php-7.0.ini \ + ${ROOTDIR}etc/php-7.1.ini \ + ${ROOTDIR}etc/php-7.2.ini \ + ${ROOTDIR}etc/php-7.3.ini \ + ${ROOTDIR}etc/php-7.4.ini" PHPINIDIRS="${ROOTDIR}etc/php5/conf.d \ ${ROOTDIR}etc/php/7.0/cli/conf.d \ ${ROOTDIR}etc/php/7.1/cli/conf.d \ ${ROOTDIR}etc/php/7.2/cli/conf.d \ ${ROOTDIR}etc/php/7.3/cli/conf.d \ + ${ROOTDIR}etc/php/7.4/cli/conf.d \ ${ROOTDIR}etc/php/7.0/fpm/conf.d \ ${ROOTDIR}etc/php/7.1/fpm/conf.d \ ${ROOTDIR}etc/php/7.2/fpm/conf.d \ ${ROOTDIR}etc/php/7.3/fpm/conf.d \ + ${ROOTDIR}etc/php/7.4/fpm/conf.d \ ${ROOTDIR}etc/php.d \ - ${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php55/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php56/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.d \ - ${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php73/root/etc/php.d \ + ${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.d \ + ${ROOTDIR}opt/cpanel/ea-php55/root/etc/php.d \ + ${ROOTDIR}opt/cpanel/ea-php56/root/etc/php.d \ + ${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.d \ + ${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.d \ + ${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.d \ + ${ROOTDIR}opt/cpanel/ea-php73/root/etc/php.d \ + 
${ROOTDIR}opt/cpanel/ea-php74/root/etc/php.d \ ${ROOTDIR}opt/alt/php44/etc/php.d.all \ ${ROOTDIR}opt/alt/php51/etc/php.d.all \ ${ROOTDIR}opt/alt/php52/etc/php.d.all \ @@ -144,11 +171,13 @@ ${ROOTDIR}opt/alt/php71/etc/php.d.all \ ${ROOTDIR}opt/alt/php72/etc/php.d.all \ ${ROOTDIR}opt/alt/php73/etc/php.d.all \ + ${ROOTDIR}opt/alt/php74/etc/php.d.all \ ${ROOTDIR}usr/local/lib/php.conf.d \ ${ROOTDIR}usr/local/php70/lib/php.conf.d \ ${ROOTDIR}usr/local/php71/lib/php.conf.d \ ${ROOTDIR}usr/local/php72/lib/php.conf.d \ - ${ROOTDIR}usr/local/php73/lib/php.conf.d" + ${ROOTDIR}usr/local/php73/lib/php.conf.d \ + ${ROOTDIR}usr/local/php74/lib/php.conf.d" # HEADS-UP: OpenBSD, last two releases are supported, and snapshots of -current PHPINIDIRS="${PHPINIDIRS} \ ${ROOTDIR}etc/php-5.6 ${ROOTDIR}etc/php-7.0 ${ROOTDIR}etc/php-7.1 ${ROOTDIR}etc/php-7.2 ${ROOTDIR}etc/php-7.3" From f988e573dbaef07c35589e18980c7e223bc98d6d Mon Sep 17 00:00:00 2001 From: 0ri0n Date: Mon, 27 Jul 2020 13:59:46 -0400 Subject: [PATCH 234/355] Add missing PHP 7.4 check for BSD --- include/tests_php | 25 ++++++++++++++++++------- 1 file changed, 18 insertions(+), 7 deletions(-) diff --git a/include/tests_php b/include/tests_php index cd19da63..32211f1a 100644 --- a/include/tests_php +++ b/include/tests_php 
@@ -88,13 +88,19 @@ ${ROOTDIR}etc/php/7.2/apache2/php.ini \ ${ROOTDIR}etc/php/7.3/apache2/php.ini \ ${ROOTDIR}etc/php/7.4/apache2/php.ini \ - ${ROOTDIR}etc/php/7.0/cli/php.ini ${ROOTDIR}etc/php/7.0/fpm/php.ini \ - ${ROOTDIR}etc/php/7.1/cli/php.ini ${ROOTDIR}etc/php/7.1/fpm/php.ini \ - ${ROOTDIR}etc/php/7.2/cli/php.ini ${ROOTDIR}etc/php/7.2/fpm/php.ini \ - ${ROOTDIR}etc/php/7.3/cli/php.ini ${ROOTDIR}etc/php/7.3/fpm/php.ini \ - ${ROOTDIR}etc/php/7.4/cli/php.ini ${ROOTDIR}etc/php/7.4/fpm/php.ini \ + ${ROOTDIR}etc/php/7.0/cli/php.ini \ + ${ROOTDIR}etc/php/7.0/fpm/php.ini \ + ${ROOTDIR}etc/php/7.1/cli/php.ini \ + ${ROOTDIR}etc/php/7.1/fpm/php.ini \ + ${ROOTDIR}etc/php/7.2/cli/php.ini \ + ${ROOTDIR}etc/php/7.2/fpm/php.ini \ + ${ROOTDIR}etc/php/7.3/cli/php.ini \ + ${ROOTDIR}etc/php/7.3/fpm/php.ini \ + ${ROOTDIR}etc/php/7.4/cli/php.ini \ + ${ROOTDIR}etc/php/7.4/fpm/php.ini \ ${ROOTDIR}var/www/conf/php.ini \ - ${ROOTDIR}usr/local/etc/php.ini ${ROOTDIR}usr/local/lib/php.ini \ + ${ROOTDIR}usr/local/etc/php.ini \ + ${ROOTDIR}usr/local/lib/php.ini \ ${ROOTDIR}usr/local/etc/php5/cgi/php.ini \ ${ROOTDIR}usr/local/php54/lib/php.ini \ ${ROOTDIR}usr/local/php56/lib/php.ini \ @@ -180,7 +186,12 @@ ${ROOTDIR}usr/local/php74/lib/php.conf.d" # HEADS-UP: OpenBSD, last two releases are supported, and snapshots of -current PHPINIDIRS="${PHPINIDIRS} \ - ${ROOTDIR}etc/php-5.6 ${ROOTDIR}etc/php-7.0 ${ROOTDIR}etc/php-7.1 ${ROOTDIR}etc/php-7.2 ${ROOTDIR}etc/php-7.3" + ${ROOTDIR}etc/php-5.6 \ + ${ROOTDIR}etc/php-7.0 \ + ${ROOTDIR}etc/php-7.1 \ + ${ROOTDIR}etc/php-7.2 \ + ${ROOTDIR}etc/php-7.3 \ + ${ROOTDIR}etc/php-7.4" # ################################################################################# # From 65cc4daa57f873368c2933a53ec8fb619c7a4c16 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 4 Aug 2020 09:26:50 +0200 Subject: [PATCH 235/355] Update CHANGELOG.md --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index f54709c8..de8f2837 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,7 @@ - Detection of Linux Mint - Detection of macOS Big Sur (11.0) - Detection of Pop!_OS +- Detection of PHP 7.4 ### Changed - AUTH-9229 - Added option for LOCKED accounts and bugfix for older bash versions From c0ddfd0f77ac0ae57e20fda65a1fa06d79e70284 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 4 Aug 2020 09:39:05 +0200 Subject: [PATCH 236/355] Changed suggestion text for 4+ months old version --- lynis | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lynis b/lynis index 10f736c5..963e6b0d 100755 --- a/lynis +++ b/lynis @@ -778,7 +778,7 @@ ${NORMAL} if [ ${NOW} -gt ${RELEASE_PLUS_TIMEDIFF} ]; then # Show if release is old, only if we didn't show it with normal update check if [ ${UPDATE_AVAILABLE} -eq 0 ]; then - ReportSuggestion "LYNIS" "This release is more than 4 months old. Consider upgrading" + ReportSuggestion "LYNIS" "This release is more than 4 months old. Check the website or GitHub to see if there is an update available." fi OLD_RELEASE=1 fi From 138cce7f9c9ea5bb87c97527893d4e9b6457c995 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 5 Aug 2020 11:50:37 +0200 Subject: [PATCH 237/355] Update CHANGELOG.md --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index de8f2837..c4935044 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,7 +7,8 @@ - Detection of Linux Mint - Detection of macOS Big Sur (11.0) - Detection of Pop!_OS -- Detection of PHP 7.4 +- Detection of PHP 7.4 +- Malware detection tool: Microsoft Defender ATP ### Changed - AUTH-9229 - Added option for LOCKED accounts and bugfix for older bash versions From 33d8e8e00b94312e303dabb490d1165702380d8c Mon Sep 17 00:00:00 2001 
From: Steve Kolenich Date: Thu, 6 Aug 2020 20:15:18 -0400 Subject: [PATCH 238/355] Adding Alpine Linux to OSDetection --- include/osdetection | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/include/osdetection b/include/osdetection index 783662ad..c2726d31 100644 --- a/include/osdetection +++ b/include/osdetection @@ -144,6 +144,12 @@ OS_ID=$(grep "^ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') if [ -n "${OS_ID}" ]; then case ${OS_ID} in + "alpine") + LINUX_VERSION="Alpine Linux" + OS_NAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + ;; "amzn") LINUX_VERSION="Amazon Linux" OS_NAME="Amazon Linux" @@ -268,6 +274,9 @@ fi fi + # Alpine + if [ -e "/etc/alpine-release" ]; then LINUX_VERSION="Alpine Linux"; OS_VERSION=$(cat /etc/alpine-release); fi + # Amazon if [ -z "${LINUX_VERSION}" -a -e "/etc/system-release" ]; then FIND=$(grep "^Amazon" /etc/system-release) From 7df0b8618b5cce39961b245a3c582af4294276d7 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 7 Aug 2020 11:56:19 +0200 Subject: [PATCH 239/355] Updated log --- CHANGELOG.md | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e2be50de..213fbe89 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
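Review bot: The fallback in the second hunk, `if [ -e "/etc/alpine-release" ]; then LINUX_VERSION="Alpine Linux"; OS_VERSION=$(cat /etc/alpine-release); fi`, runs unconditionally, unlike the Amazon check directly below it which is guarded by `-z "${LINUX_VERSION}"`; on a host already identified through the os-release case branch added in the first hunk it therefore overwrites OS_VERSION with the raw file content (probably the same value today, but the os-release values should stay authoritative) while leaving OS_NAME and OS_VERSION_FULL untouched. Guarding it the same way, `if [ -z "${LINUX_VERSION}" -a -e "/etc/alpine-release" ]; then LINUX_VERSION="Alpine Linux"; OS_VERSION=$(cat /etc/alpine-release); fi`, keeps it a true fallback and consistent with its neighbours. The enclosing detection block starts and ends outside both hunks.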
@@ -3,16 +3,21 @@ ## Lynis 3.0.1 (not released yet) ### Added +- Detection of Alpine Linux - Detection of Kali Linux - Detection of Linux Mint - Detection of macOS Big Sur (11.0) - Detection of Pop!_OS - Detection of PHP 7.4 - Malware detection tool: Microsoft Defender ATP +- New flag: --slow-warning to allow tests more time before showing a warning +- Test TIME-3185 to check systemd-timesyncd synchronized time +- rsh host file permissions ### Changed - AUTH-9229 - Added option for LOCKED accounts and bugfix for older bash versions - BOOT-5122 - Presence check for grub.d added +- CRYP-7902 - Added support for certificates in DER format - CRYP-7931 - Redirect errors (e.g. when swap is not encrypted) - FILE-6430 - Don't grep nonexistant modprobe.d files - FIRE-4535 - Set initial firewall state @@ -20,12 +25,14 @@ - KRNL-5728 - Handle zipped kernel configuration correctly - KRNL-5830 - Improved version detection for non-symlinked kernel - MALW-3280 - Extended detection of BitDefender +- TIME-3104 - Find more time synchronization commands +- TIME-3182 - Corrected detection of time peers - Fix: hostid generation routine would sometimes show too short IDs -- Generic improvements for macOS - Fix: language detection +- Generic improvements for macOS - German translation updated - End-of-life database updated -- Small code enhancements +- Several minor code enhancements --------------------------------------------------------------------------------- @@ -135,7 +142,6 @@ Using the relevant options, the scan will change base on the intended goal. - BOOT-5122 - check for defined password in all GRUB configuration files - CONT-8106 - support newer 'docker info' output - CRYP-7902 - optionally check also certificates provided by packages -- CRYP-7902 - check also certificates in DER format - CRYP-8002 - gather kernel entropy on Linux systems - FILE-6310 - support for HP-UX - FILE-6330 - corrected description From 48e794574a820072b06d194f739f88378213ccee Mon Sep 17 00:00:00 2001 
From: Claudia Date: Sat, 8 Aug 2020 19:11:44 +0200 Subject: [PATCH 240/355] Add macOS EOL MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Apple doesn’t disclose when it stops providing security updates for macOS versions. There’s no consensus on when the exact EOL date is. Lacking that information, I applied the following ruleset, which is driven by what people have observed, and seems pragmatic enough: - From Mac OS X 10.0 through 10.4, a version 10.N would be considered EOL on the day the first patch-level update 10.(N+2).1 for its N+2 successor was released. - Starting with 10.5, Apple began to support three versions at the same time. For 10.5 itself, the EOL date is difficult to pin down so I went with 2011-06-23, the date given by the English-language Wikipedia. - From 10.6 through 10.11, a version 10.N would be considered EOL on the day the first patch-level update 10.(N+3).1 for its N+3 successor was released. - Starting with macOS Sierra (10.12), Lynis counts the patch level. Any version 10.N.P can be considered EOL on the day 10.N.(P+1) is released. If that hasn’t happened, the EOL date is the day 10.(N+3).1 is released. If neither has been released, 10.N.P has no EOL date. --- db/software-eol.db | 45 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) diff --git a/db/software-eol.db b/db/software-eol.db index 2412a203..7a487d45 100644 --- a/db/software-eol.db +++ b/db/software-eol.db 
@@ -68,6 +68,51 @@ os:Linux Mint 18:2021-04-01:1617228000: os:Linux Mint 19:2023-04-01:1680300000: os:Linux Mint 20:2025-04-01:1743458400: # +# macOS - https://support.apple.com/en_US/downloads/macos and +# https://apple.stackexchange.com/a/282788 and +# https://en.wikipedia.org/wiki/Category:MacOS_versions +# +os:Mac OS X 10.0 \(Cheetah\):2002-09-18:1032300000: +os:Mac OS X 10.1 \(Puma\):2003-11-10:1068418800: +os:Mac OS X 10.2 \(Jaguar\):2005-05-16:1116194400: +os:Mac OS X 10.3 \(Panther\):2007-11-15:1195081200: +os:Mac OS X 10.4 \(Tiger\):2009-09-10:1252533600: +os:Mac OS X 10.5 \(Leopard\):2011-06-23:1308780000: +os:Mac OS X 10.6 \(Snow Leopard\):2013-12-16:1387148400: +os:Mac OS X 10.7 \(Lion\):2014-11-17:1416178800: +os:Mac OS X 10.8 \(Mountain Lion\):2015-10-21:1445378400: +os:Mac OS X 10.9 \(Mavericks\):2016-10-24:1477260000: +os:Mac OS X 10.10 \(Yosemite\):2017-10-31:1509404400: +os:Mac OS X 10.11 \(El Capitan\):2018-10-30:1540854000: +os:macOS Sierra \(10.12\):2016-10-24:1477260000: +os:macOS Sierra \(10.12.1\):2016-12-13:1481583600: +os:macOS Sierra \(10.12.2\):2017-01-23:1485126000: +os:macOS Sierra \(10.12.3\):2017-03-27:1490565600: +os:macOS Sierra \(10.12.4\):2017-05-15:1494799200: +os:macOS Sierra \(10.12.5\):2017-07-19:1500415200: +os:macOS Sierra \(10.12.6\):2019-10-29:1572303600: +os:macOS High Sierra \(10.13\):2017-10-31:1509404400: +os:macOS High Sierra \(10.13.1\):2017-12-06:1512514800: +os:macOS High Sierra \(10.13.2\):2018-01-23:1516662000: +os:macOS High Sierra \(10.13.3\):2018-03-29:1522274400: +os:macOS High Sierra \(10.13.4\):2018-06-01:1527804000: +os:macOS High Sierra \(10.13.5\):2018-07-09:1531087200: +os:macOS High Sierra \(10.13.6\)::-1: +os:macOS Mojave \(10.14\):2018-10-30:1540854000: +os:macOS Mojave \(10.14.1\):2018-12-05:1543964400: +os:macOS Mojave \(10.14.2\):2019-01-22:1548111600: +os:macOS Mojave \(10.14.3\):2019-03-25:1553468400: +os:macOS Mojave \(10.14.4\):2019-05-13:1557698400: +os:macOS Mojave 
\(10.14.5\):2019-07-22:1563746400: +os:macOS Mojave \(10.14.6\)::-1: +os:macOS Catalina \(10.15\):2019-10-29:1572303600: +os:macOS Catalina \(10.15.1\):2019-12-10:1575932400: +os:macOS Catalina \(10.15.2\):2020-01-28:1580166000: +os:macOS Catalina \(10.15.3\):2020-03-24:1585004400: +os:macOS Catalina \(10.15.4\):2020-05-26:1590444000: +os:macOS Catalina \(10.15.5\):2020-07-15:1594764000: +os:macOS Catalina \(10.15.6\)::-1: +# # NetBSD - https://www.netbsd.org/support/security/release.html and # https://www.netbsd.org/releases/formal.html # From ec551d732d52e00cde12ee3d6d85ed699dca0d0e Mon Sep 17 00:00:00 2001 From: Steve Kolenich Date: Mon, 10 Aug 2020 12:26:55 -0400 Subject: [PATCH 241/355] Added Alpine Linux EOL dates --- db/software-eol.db | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/db/software-eol.db b/db/software-eol.db index 2412a203..63939bcb 100644 --- a/db/software-eol.db +++ b/db/software-eol.db @@ -14,6 +14,14 @@ # For rolling releases or releases that do not (currently have an EOL date, leave field three empty and set field four to -1. # Full string for CentOS can be something like 'CentOS Linux 8 (Core)'. As this does not correctly match, shorter string is used for matching. # +# Alpine - https://wiki.alpinelinux.org/wiki/Alpine_Linux:Releases +# +os:Alpine 3.12:2022-05-01:1651377600 +os:Alpine 3.11:2021-11-01:1635739200 +os:Alpine 3.10:2021-05-01:1619841600 +os:Alpine 3.9:2020-11-01:1604203200 +os:Alpine 3.8:2020-05-01:1588305600 +# # Amazon Linux # # Note: shortest entry is listed at end due to regular expression matching being used From f65f4d011b88f7e3d16daaabdd851c7ec3c8b08b Mon Sep 17 00:00:00 2001 
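Review bot: The five new `os:Alpine 3.x:…` records lack the trailing `:` that every other record in this file ends with (compare `os:Linux Mint 20:2025-04-01:1743458400:` in the context of the preceding hunk), so their fourth field is unterminated; add it, e.g. `os:Alpine 3.12:2022-05-01:1651377600:`. Whether the consumer tolerates a missing terminator is not visible here, but matching the established format avoids depending on it. Note also that the detection added in patch 238 sets LINUX_VERSION to `Alpine Linux`; if the lookup string is built from that value, `Alpine 3.12` only matches when the comparison is a substring or regex match, which is worth verifying against the lookup code.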
From: Steve Kolenich Date: Mon, 10 Aug 2020 12:27:30 -0400 Subject: [PATCH 242/355] Improve detecting kernel version on disk Improve handling of kenrel files /boot/vmlinuz-linux-lts /boot/vmlinuz-linux /boot/vmlinuz-lts by updateing RegEx and adding elif this corrects issue where version is identified as 'linux' or 'lts' causing false report that a reboot is needed --- include/tests_kernel | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/include/tests_kernel b/include/tests_kernel index 011d02c6..56e7e46f 100644 --- a/include/tests_kernel +++ b/include/tests_kernel @@ -664,6 +664,9 @@ elif [ -f ${ROOTDIR}boot/vmlinuz-linux-lts ]; then LogText "Result: found ${ROOTDIR}boot/vmlinuz-linux-lts" FOUND_VMLINUZ=${ROOTDIR}boot/vmlinuz-linux-lts + elif [ -f ${ROOTDIR}boot/vmlinuz-lts ]; then + LogText "Result: found ${ROOTDIR}boot/vmlinuz-lts" + FOUND_VMLINUZ=${ROOTDIR}boot/vmlinuz-lts else # Match on /boot/vm5.3.7 or /boot/vmlinuz-5.3.7-1-default FOUND_VMLINUZ=$(${LSBINARY} -t ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${HEADBINARY} -1) @@ -678,7 +681,7 @@ VERSION_ON_DISK=$(echo ${FOUND_VMLINUZ} | ${SEDBINARY} 's#^/boot/##' | ${SEDBINARY} 's/^vmlinuz-//') LogText "Result: version derived from file name is '${VERSION_ON_DISK}'" elif [ -f "${FOUND_VMLINUZ}" ]; then - VERSION_ON_DISK=$(echo ${FOUND_VMLINUZ} | ${SEDBINARY} 's#^/boot/##' | ${SEDBINARY} 's/^vmlinuz-//') + VERSION_ON_DISK=$(echo ${FOUND_VMLINUZ} | ${SEDBINARY} 's#^/boot/##' | ${SEDBINARY} 's/^vmlinuz-//' | ${SEDBINARY} '$s/-\?\(linux\)\?-\?\(lts\)\?//') LogText "Result: version derived from file name is '${VERSION_ON_DISK}'" fi From 6bad6b058bcdcfd536bad57f05470304b9020b6f Mon Sep 17 00:00:00 2001 From: "danielorihuelarodriguez@gmail.com" Date: Mon, 10 Aug 2020 19:27:43 +0200 Subject: [PATCH 243/355] feature: gather locked accounts info --- include/tests_authentication | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) 
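Review bot: The added `${SEDBINARY} '$s/-\?\(linux\)\?-\?\(lts\)\?//'` relies on `\?`, a GNU extension to basic regular expressions; BSD and some other sed implementations do not treat it as an optional quantifier, so on those platforms the suffix is not stripped or the expression is rejected. The POSIX form `'s/^-\{0,1\}\(linux\)\{0,1\}-\{0,1\}\(lts\)\{0,1\}$//'` is portable, and anchoring with `^…$` makes explicit that only a name consisting solely of these tokens is reduced to an empty version while a real version such as `5.3.7-1-default` is untouched; the `$` address is unnecessary on single-line input. The surrounding if/elif chain starts and ends outside both hunks, and the first VERSION_ON_DISK assignment at the top of the second hunk does not receive the new stripping, so confirm that branch cannot see a `vmlinuz-linux*` name either.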
diff --git a/include/tests_authentication b/include/tests_authentication index 3dbe08f7..48877a35 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -859,23 +859,27 @@ PREQS_MET="YES" FIND_P=$(passwd -a -S 2> /dev/null | ${AWKBINARY} '{ if ($2=="P" && $5=="99999") print $1 }') FIND2=$(passwd -a -S 2> /dev/null | ${AWKBINARY} '{ if ($2=="NP") print $1 }') + FIND3=$(passwd -a -S 2> /dev/null | ${AWKBINARY} '{ if ($2=="L") print $1 }' | sort | uniq) ;; *) PREQS_MET="YES" FIND_P=$(passwd --all --status 2> /dev/null | ${AWKBINARY} '{ if ($2=="P" && $5=="99999") print $1 }') FIND2=$(passwd --all --status 2> /dev/null | ${AWKBINARY} '{ if ($2=="NP") print $1 }') + FIND3=$(passwd --all --status 2> /dev/null | ${AWKBINARY} '{ if ($2=="L") print $1 }' | sort | uniq) ;; esac elif [ "${OS_REDHAT_OR_CLONE}" -eq 1 ]; then PREQS_MET="YES" FIND_P=$(for I in $(${AWKBINARY} -F: '{print $1}' "${ROOTDIR}etc/passwd") ; do passwd -S "$I" | ${AWKBINARY} '{ if ($2=="PS" && $5=="99999") print $1 }' ; done) FIND2=$(for I in $(${AWKBINARY} -F: '{print $1}' "${ROOTDIR}etc/passwd") ; do passwd -S "$I" | ${AWKBINARY} '{ if ($2=="NP") print $1 }' ; done) + FIND3=$(for I in $(${AWKBINARY} -F: '{print $1}' "${ROOTDIR}etc/passwd") ; do passwd -S "$I" | ${AWKBINARY} '{ if ($2=="L") print $1 }' | sort | uniq ; done) else LogText "Result: skipping test for this Linux version" ReportManual "AUTH-9282:01" PREQS_MET="NO" FIND_P="" FIND2="" + FIND3="" fi else PREQS_MET="NO" 
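Review bot: In the Red Hat branch the new FIND3 line pipes each single-user `passwd -S` result through `sort | uniq` inside the loop, where it has nothing to de-duplicate; if de-duplication is wanted the pipeline belongs after the loop, as `…; done | sort | uniq)`. The two other branches call bare `sort` and `uniq` while the same lines reach awk through `${AWKBINARY}`; following the file's resolved-binary convention here keeps the behaviour predictable on systems with unusual PATHs. The enclosing if/elif chain starts outside the hunk.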
@@ -921,6 +925,31 @@ fi # ################################################################################# +# + # Test : AUTH-9284 + # Description : Search locked accounts + Register --test-no AUTH-9284 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking locked accounts" + if [ "${SKIPTEST}" -eq 0 ]; then + LogText "Test: Checking locked accounts" + SYSTEM_ACCOUNTS=$(${AWKBINARY} -F : '$3 <= 999 || $3 == 65534 {print $1}' /etc/passwd | sort | uniq) + if [ "${FIND3}" = "${SYSTEM_ACCOUNTS}" ]; then + LogText "Result: all accounts seem to be unlocked" + Display --indent 2 --text "- Locked accounts" --result "${STATUS_OK}" --color GREEN + else + LogText "Result: found one or more locked accounts" + NON_SYSTEM_ACCOUNTS=$(${AWKBINARY} -F : '$3 > 999 && $3 != 65534 {print $1}' /etc/passwd | sort | uniq) + for I in ${FIND3}; do + if echo "${NON_SYSTEM_ACCOUNTS}" | grep -w "${I}" > /dev/null ; then + LogText "Locked account: ${I}" + Report "locked_account=${I}" + fi + done + Display --indent 2 --text "- Locked accounts" --result "${STATUS_WARNING}" --color RED + ReportWarning "${TEST_NO}" "Found locked accounts" + fi + fi +# +################################################################################# # # Test : AUTH-9286 # Description : Check user password aging From bd7131f6db22c17569d0ce24f75e1d4595c473c3 Mon Sep 17 00:00:00 2001 From: Simon Biewald Date: Wed, 19 Aug 2020 20:47:09 +0000 Subject: [PATCH 244/355] Detect sysstat systemd unit --- include/tests_accounting | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/include/tests_accounting b/include/tests_accounting index 91fca1a0..354bef6b 100644 --- a/include/tests_accounting +++ b/include/tests_accounting 
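Review bot: `SYSTEM_ACCOUNTS` and `NON_SYSTEM_ACCOUNTS` read `/etc/passwd` directly, while the FIND3 lines in the previous hunk read `"${ROOTDIR}etc/passwd"`; under a non-default root the two account lists come from different files. The membership test `grep -w "${I}"` also matches on word boundaries, so an account name containing `-` or `.` can match a fragment of another name (`svc` matches `svc-backup`); `grep -x -F -- "${I}"` compares whole lines literally. The follow-up patch 245 to this test keeps both constructs, so the same change applies there; the `SYSTEM_ACCOUNTS` equality test is replaced by that patch and is not raised here.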
@@ -123,8 +123,19 @@ Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_DISABLED}" --color WHITE ReportSuggestion "${TEST_NO}" "Enable sysstat to collect accounting (cron disabled)" fi + elif [ -f "${ROOTDIR}lib/systemd/system/sysstat.service" ] || [ -f "${ROOTDIR}etc/systemd/system/sysstat.service" ]; then + LogText "Result: sysstat systemd unit found" + if [ -L "${ROOTDIR}etc/systemd/system/multi-user.target.wants/sysstat.service" ]; then + # Assuming -collect.timer and -summary.timer are enabled as well, + # as they are usually in the install section. + LogText "Result: sysstat enabled via systemd" + Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_ENABLED}" --color GREEN + else + LogText "Result: sysstat disabled via systemd" + Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_DISABLED}" --color WHITE + fi else - LogText "Result: sysstat not found via ${ROOTDIR}etc/default/sysstat or ${ROOTDIR}etc/cron.d/sysstat" + LogText "Result: sysstat not found via ${ROOTDIR}etc/default/sysstat or ${ROOTDIR}etc/cron.d/sysstat or as a systemd unit" Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_NOT_FOUND}" --color YELLOW ReportSuggestion "${TEST_NO}" "Enable sysstat to collect accounting (no results)" fi From c857ee7cf2c3e11b37c84d41e50f7f39806a4a4f Mon Sep 17 00:00:00 2001 From: "danielorihuelarodriguez@gmail.com" Date: Sun, 23 Aug 2020 19:54:59 +0200 Subject: [PATCH 245/355] fix: take into account unlocked system accounts --- include/tests_authentication | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/include/tests_authentication b/include/tests_authentication index 48877a35..27b6b29f 100644 --- a/include/tests_authentication +++ b/include/tests_authentication 
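Review bot: The "enabled" verdict rests on a single symlink, `${ROOTDIR}etc/systemd/system/multi-user.target.wants/sysstat.service`, and the comment concedes that the collect/summary timers are only assumed to follow; a unit enabled into a different target, or a setup where only the timers are enabled, is reported as disabled or as enabled without evidence. Checking the `sysstat-collect.timer` link under `timers.target.wants` as well would ground the result, and the comment should state the assumption as a limitation, e.g. `# Only sysstat.service is checked; the -collect.timer and -summary.timer units are assumed to follow it.` The enclosing if/elif chain starts outside the hunk.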
@@ -931,17 +931,22 @@
 Register --test-no AUTH-9284 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking locked accounts"
 if [ "${SKIPTEST}" -eq 0 ]; then
 LogText "Test: Checking locked accounts"
- SYSTEM_ACCOUNTS=$(${AWKBINARY} -F : '$3 <= 999 || $3 == 65534 {print $1}' /etc/passwd | sort | uniq)
- if [ "${FIND3}" = "${SYSTEM_ACCOUNTS}" ]; then
+ NON_SYSTEM_ACCOUNTS=$(${AWKBINARY} -F : '$3 > 999 && $3 != 65534 {print $1}' /etc/passwd | sort | uniq)
+ LOCKED_NON_SYSTEM_ACCOUNTS=0
+ for account in ${FIND3};do
+ if echo "${NON_SYSTEM_ACCOUNTS}" | grep -w "${account}" > /dev/null ; then
+ LOCKED_NON_SYSTEM_ACCOUNTS=$((LOCKED_NON_SYSTEM_ACCOUNTS+1))
+ fi
+ done
+ if [ $LOCKED_NON_SYSTEM_ACCOUNTS -eq 0 ]; then
 LogText "Result: all accounts seem to be unlocked"
 Display --indent 2 --text "- Locked accounts" --result "${STATUS_OK}" --color GREEN
 else
 LogText "Result: found one or more locked accounts"
- NON_SYSTEM_ACCOUNTS=$(${AWKBINARY} -F : '$3 > 999 && $3 != 65534 {print $1}' /etc/passwd | sort | uniq)
- for I in ${FIND3}; do
- if echo "${NON_SYSTEM_ACCOUNTS}" | grep -w "${I}" > /dev/null ; then
- LogText "Locked account: ${I}"
- Report "locked_account=${I}"
+ for account in ${FIND3}; do
+ if echo "${NON_SYSTEM_ACCOUNTS}" | grep -w "${account}" > /dev/null ; then
+ LogText "Locked account: ${account}"
+ Report "locked_account=${account}"
 fi
 done
 Display --indent 2 --text "- Locked accounts" --result "${STATUS_WARNING}" --color RED
From dabac5bf89685fb137536409e26d186ec58a94d4 Mon Sep 17 00:00:00 2001
From: Jim
Date: Sun, 23 Aug 2020 22:41:19 +0200
Subject: [PATCH 246/355] Change timesync sync file, fixes #1012
---
 include/tests_time | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/tests_time b/include/tests_time
index eda41a6f..46db8d71 100644
--- a/include/tests_time
+++ b/include/tests_time
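Review bot: The `NON_SYSTEM_ACCOUNTS` membership test is run twice over `${FIND3}`, once to count and once to log, so the matching logic is duplicated and a later change to one loop will silently diverge from the other. Collecting the matching names during the first pass and iterating that list in the else branch removes the second scan; `$LOCKED_NON_SYSTEM_ACCOUNTS` should also use the file's `${…}` form, and `${FIND3};do` wants a space before `do`. The test's Register/if wrapper and the closing `fi` of the rewritten condition lie outside the hunk.
```sh
    NON_SYSTEM_ACCOUNTS=$(${AWKBINARY} -F : '$3 > 999 && $3 != 65534 {print $1}' /etc/passwd | sort | uniq)
    LOCKED_NON_SYSTEM_ACCOUNTS=""
    for account in ${FIND3}; do
        if echo "${NON_SYSTEM_ACCOUNTS}" | grep -w "${account}" > /dev/null ; then
            LOCKED_NON_SYSTEM_ACCOUNTS="${LOCKED_NON_SYSTEM_ACCOUNTS} ${account}"
        fi
    done
    if [ -z "${LOCKED_NON_SYSTEM_ACCOUNTS}" ]; then
        # … unchanged: OK log line and Display …
    else
        LogText "Result: found one or more locked accounts"
        for account in ${LOCKED_NON_SYSTEM_ACCOUNTS}; do
            LogText "Locked account: ${account}"
            Report "locked_account=${account}"
        done
        # … unchanged: warning Display and ReportWarning …
```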
@@ -574,7 +574,7 @@
 Register --test-no TIME-3185 --preqs-met "${PREQS_MET}" --weight L --network NO --category "security" --description "Check systemd-timesyncd synchronized time"
- SYNCHRONIZED_FILE="/run/systemd/timesync/synchronized"
+ SYNCHRONIZED_FILE="/var/lib/systemd/timesync/clock"
 if [ ${SKIPTEST} -eq 0 ]; then
 if [ -e "${SYNCHRONIZED_FILE}" ]; then
 FIND=$(( $(date +%s) - $(${STATBINARY} -L --format %Y "${SYNCHRONIZED_FILE}") ))
From 84fd612c912aa46129d00fea93cb81362df55843 Mon Sep 17 00:00:00 2001
From: Jim
Date: Mon, 24 Aug 2020 17:59:06 +0200
Subject: [PATCH 247/355] Add check for other clock files for earlier systemd versions
---
 include/tests_time | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/include/tests_time b/include/tests_time
index 46db8d71..3c5a8477 100644
--- a/include/tests_time
+++ b/include/tests_time
@@ -574,8 +574,17 @@
 Register --test-no TIME-3185 --preqs-met "${PREQS_MET}" --weight L --network NO --category "security" --description "Check systemd-timesyncd synchronized time"
- SYNCHRONIZED_FILE="/var/lib/systemd/timesync/clock"
+ SYNCHRONIZED_FILE="/run/systemd/timesync/synchronized"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ # On earlier systemd versions (237), '/run/systemd/timesync/synchronized' does not exist, so use '/var/lib/systemd/timesync/clock'
+ if [ ! -e "${SYNCHRONIZED_FILE}" ]; then
+ SYNCHRONIZED_FILE="/var/lib/systemd/timesync/clock"
+ fi
+ # DynamicUser=yes moves the clock file to '/var/lib/private/systemd/timesync/clock'
+ if [ ! -e "${SYNCHRONIZED_FILE}" ]; then
+ SYNCHRONIZED_FILE="/var/lib/private/systemd/timesync/clock"
+ fi
 if [ -e "${SYNCHRONIZED_FILE}" ]; then
 FIND=$(( $(date +%s) - $(${STATBINARY} -L --format %Y "${SYNCHRONIZED_FILE}") ))
 # Check if last sync was more than 2048 seconds (= the default of systemd) ago
From 6f6e21add230ae1bc156ea2de23eac9e45a6eec3 Mon Sep 17 00:00:00 2001
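Review bot: After the three-way fallback in the second hunk the test never records which candidate it settled on, so a log reader cannot tell whether `/run/systemd/timesync/synchronized` or one of the `/var/lib` clock files drove the age computation; a `LogText "Result: using ${SYNCHRONIZED_FILE} to determine last synchronization"` after the second `fi` makes that explicit. Note also that `/var/lib/private` is normally accessible to root only, so under a non-privileged run the `-e` test on the last candidate is expected to fail and the test will report no file even on a synchronized host; a comment on that line stating this expectation would save the next reader a debugging session. The test body continues past the end of the hunk.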
From: Jimver Date: Wed, 26 Aug 2020 16:38:35 +0200 Subject: [PATCH 248/355] Fix wildcard expansion, absolute path handling and output to stderr --- include/functions | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/include/functions b/include/functions index e0f75a64..60e213be 100644 --- a/include/functions +++ b/include/functions @@ -2180,7 +2180,8 @@ for I in ${FIND}; do I=$(echo ${I} | sed 's/:space:/ /g' | sed 's/;$//' | sed 's/ #.*$//') OPTION=$(echo ${I} | awk '{ print $1 }') - VALUE=$(echo ${I}| cut -d' ' -f2-) + # Use quotes here to prevent wildcard expansion + VALUE=$(echo "${I}"| cut -d' ' -f2-) LogText "Result: found option ${OPTION} in ${CONFIG_FILE} with value '${VALUE}'" STORE_SETTING=1 case ${OPTION} in @@ -2303,9 +2304,21 @@ done if [ ${FOUND} -eq 0 ]; then NGINX_CONF_FILES_ADDITIONS="${NGINX_CONF_FILES_ADDITIONS} ${VALUE}"; fi # Check for additional config files included as follows - # "include sites-enabled/*.conf" - elif [ $(echo ${VALUE} | grep -F -c "*.conf") -gt 0 ]; then - for FOUND_CONF in $(ls ${CONFIG_FILE%nginx.conf}${VALUE%;*}); do + # "include sites-enabled/*.conf" (relative path) + # "include /etc/nginx/sites-enabled/*.conf" (absolute path) + elif [ $(echo "${VALUE}" | grep -F -c "*.conf") -gt 0 ]; then + # Check if path is absolute or relative + case $VALUE in + /*) + # Absolute path, so list files directly from that path + CONF_LS=$(${LSBINARY} ${VALUE%;*} 2>/dev/null) # Will error if wildcard doesn't match anything, so pipe stderr to /dev/null + ;; + *) + # Relative path, so construct absolute path first to list files for + CONF_LS=$(${LSBINARY} ${CONFIG_FILE%nginx.conf}${VALUE%;*} 2>/dev/null) + ;; + esac + for FOUND_CONF in CONF_LS; do FOUND=0 for CONF in ${NGINX_CONF_FILES}; do if [ "${CONF}" = "${FOUND_CONF}" ]; then FOUND=1; LogText "Found this file already in our configuration files array, not adding to queue"; fi From cd94da34492ff18eb83b9f2dae89e8e68866ca3d Mon Sep 17 00:00:00 2001 
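Review bot: Quoting `"${I}"` in the VALUE assignment stops pathname expansion there, but the two context lines directly above it, `I=$(echo ${I} | sed …)` and `OPTION=$(echo ${I} | awk …)`, still pass the same value unquoted; the OPTION line in particular runs after the `:space:` placeholders have become real spaces, so the shell word-splits the directive and expands a pattern such as `sites-enabled/*.conf` relative to the current directory whenever it happens to match. Quoting them the same way, `I=$(echo "${I}" | sed 's/:space:/ /g' | sed 's/;$//' | sed 's/ #.*$//')` and `OPTION=$(echo "${I}" | awk '{ print $1 }')`, completes the fix. The enclosing loop starts outside the hunk.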
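Review bot: `for FOUND_CONF in CONF_LS; do` iterates over the literal word `CONF_LS`, not the variable, so neither branch of the new `case` feeds the loop and every include is compared as the string "CONF_LS"; it should read `for FOUND_CONF in ${CONF_LS}; do`. Independently, building the list from `${LSBINARY}` output splits on whitespace and drops any file name containing spaces, and the `2>/dev/null` hides real errors (unreadable directory) together with the expected no-match case; expanding the pattern in the shell avoids parsing ls altogether. The enclosing elif chain and loop start and end outside the hunk.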
From: Jimver Date: Thu, 27 Aug 2020 12:50:48 +0200 Subject: [PATCH 249/355] Use shell wildcard expansion now --- include/functions | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/include/functions b/include/functions index 60e213be..b88a7261 100644 --- a/include/functions +++ b/include/functions @@ -2310,15 +2310,20 @@ # Check if path is absolute or relative case $VALUE in /*) - # Absolute path, so list files directly from that path - CONF_LS=$(${LSBINARY} ${VALUE%;*} 2>/dev/null) # Will error if wildcard doesn't match anything, so pipe stderr to /dev/null + # Absolute path, so wildcard pattern is already correct + CONF_WILDCARD=${VALUE%;*} ;; *) - # Relative path, so construct absolute path first to list files for - CONF_LS=$(${LSBINARY} ${CONFIG_FILE%nginx.conf}${VALUE%;*} 2>/dev/null) + # Relative path, so construct absolute path for wildcard pattern + CONF_WILDCARD=${CONFIG_FILE%nginx.conf}${VALUE%;*} ;; esac - for FOUND_CONF in CONF_LS; do + for FOUND_CONF in ${CONF_WILDCARD}; do + if [ "${FOUND_CONF}" = "${CONF_WILDCARD}" ]; then + + LogText "Found no match for ${CONF_WILDCARD}" + break + fi FOUND=0 for CONF in ${NGINX_CONF_FILES}; do if [ "${CONF}" = "${FOUND_CONF}" ]; then FOUND=1; LogText "Found this file already in our configuration files array, not adding to queue"; fi From e6891feeb458055571a1d48c53009ebc99036708 Mon Sep 17 00:00:00 2001 From: Jimver Date: Thu, 27 Aug 2020 12:52:59 +0200 Subject: [PATCH 250/355] Remove newline --- include/functions | 1 - 1 file changed, 1 deletion(-) diff --git a/include/functions b/include/functions index b88a7261..f5eb2f98 100644 --- a/include/functions +++ b/include/functions @@ -2320,7 +2320,6 @@ esac for FOUND_CONF in ${CONF_WILDCARD}; do if [ "${FOUND_CONF}" = "${CONF_WILDCARD}" ]; then - LogText "Found no match for ${CONF_WILDCARD}" break fi From 554dd2d5e90ade460e2c8f318dde3d7e0031cdce Mon Sep 17 00:00:00 2001 
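Review bot: The sentinel test `[ "${FOUND_CONF}" = "${CONF_WILDCARD}" ]` depends on the shell's POSIX default of returning an unmatched pattern unchanged, and `${CONF_WILDCARD}` is deliberately left unquoted so that expansion happens; neither fact is stated, and a future quoting cleanup or a nullglob-style option would silently break the detection. A comment on the `for` line such as `# Intentionally unquoted: the shell expands the pattern; an unmatched pattern comes back literally and is caught below` records both. The blank line inside the `if` is removed by the following commit. The enclosing elif branch starts and ends outside the hunk.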
From: Jimver Date: Thu, 27 Aug 2020 12:57:22 +0200 Subject: [PATCH 251/355] Better log message --- include/functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/functions b/include/functions index f5eb2f98..4af4cd7b 100644 --- a/include/functions +++ b/include/functions @@ -2320,7 +2320,7 @@ esac for FOUND_CONF in ${CONF_WILDCARD}; do if [ "${FOUND_CONF}" = "${CONF_WILDCARD}" ]; then - LogText "Found no match for ${CONF_WILDCARD}" + LogText "Found no match for wildcard pattern: ${CONF_WILDCARD}" break fi FOUND=0 From 93a71539d58251b47f07783b4a7d97813460bb81 Mon Sep 17 00:00:00 2001 From: Simon Biewald Date: Thu, 27 Aug 2020 21:44:40 +0200 Subject: [PATCH 252/355] Add support for Flatcar Container Linux Fixes cisofy/lynis#1014. Flatcar is a for of CoreOS. Thus the variable LINUX_VERSION_LIKE (introduced with #1004) for Flatcar is CoreOS. --- include/osdetection | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/include/osdetection b/include/osdetection index c2726d31..d12cab48 100644 --- a/include/osdetection +++ b/include/osdetection @@ -190,6 +190,12 @@ OS_REDHAT_OR_CLONE=1 OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') ;; + "flatcar") + LINUX_VERSION="Flatcar" + LINUX_VERSION_LIKE="CoreOS" + OS_NAME="Flatcar Linux" + OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + ;; "gentoo") LINUX_VERSION="Gentoo" OS_NAME="Gentoo Linux" From 5ca6b7ed7985d63bed1689121f7c4aad00fb53df Mon Sep 17 00:00:00 2001 From: "danielorihuelarodriguez@gmail.com" Date: Fri, 28 Aug 2020 23:19:37 +0200 Subject: [PATCH 253/355] feature: take into account LK Some distributions like CentOS 8 contains "LK" instead of "L" for locked users. --- include/tests_authentication | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_authentication b/include/tests_authentication index 27b6b29f..7ef56982 100644 --- a/include/tests_authentication 
+++ b/include/tests_authentication @@ -872,7 +872,7 @@ PREQS_MET="YES" FIND_P=$(for I in $(${AWKBINARY} -F: '{print $1}' "${ROOTDIR}etc/passwd") ; do passwd -S "$I" | ${AWKBINARY} '{ if ($2=="PS" && $5=="99999") print $1 }' ; done) FIND2=$(for I in $(${AWKBINARY} -F: '{print $1}' "${ROOTDIR}etc/passwd") ; do passwd -S "$I" | ${AWKBINARY} '{ if ($2=="NP") print $1 }' ; done) - FIND3=$(for I in $(${AWKBINARY} -F: '{print $1}' "${ROOTDIR}etc/passwd") ; do passwd -S "$I" | ${AWKBINARY} '{ if ($2=="L") print $1 }' | sort | uniq ; done) + FIND3=$(for I in $(${AWKBINARY} -F: '{print $1}' "${ROOTDIR}etc/passwd") ; do passwd -S "$I" | ${AWKBINARY} '{ if ($2=="L" || $2=="LK") print $1 }' | sort | uniq ; done) else LogText "Result: skipping test for this Linux version" ReportManual "AUTH-9282:01" From a1f794cc75295fc458c0121903cfe82a1353ee78 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Thu, 3 Sep 2020 10:54:21 +0200 Subject: [PATCH 254/355] Don't provide suggestion to install pseudo rng at this moment --- include/tests_crypto | 44 +++++++++++++++++++++++++++++--------------- 1 file changed, 29 insertions(+), 15 deletions(-) diff --git a/include/tests_crypto b/include/tests_crypto index ddf1406a..40828175 100644 --- a/include/tests_crypto +++ b/include/tests_crypto @@ -21,6 +21,10 @@ # Cryptography # ################################################################################# +# + RNG_FOUND=0 +# +################################################################################# # InsertSection "Cryptography" # 
@@ -181,20 +185,28 @@ if [ ${SKIPTEST} -eq 0 ]; then ENCRYPTED_SWAPS=0 UNENCRYPTED_SWAPS=0 - SWAPS=$(${SWAPONBINARY} --show=NAME --noheadings) - for BLOCK_DEV in ${SWAPS}; do - if ${CRYPTSETUPBINARY} isLuks "${BLOCK_DEV}" 2> /dev/null; then - LogText "Result: Found LUKS encrypted swap device: ${BLOCK_DEV}" - ENCRYPTED_SWAPS=$((ENCRYPTED_SWAPS +1)) - elif ${CRYPTSETUPBINARY} status "${BLOCK_DEV}" 2> /dev/null | ${GREPBINARY} --quiet "cipher:"; then - LogText "Result: Found non-LUKS encrypted swap device: ${BLOCK_DEV}" - ENCRYPTED_SWAPS=$((ENCRYPTED_SWAPS +1)) - else - LogText "Result: Found unencrypted swap device: ${BLOCK_DEV}" - UNENCRYPTED_SWAPS=$((UNENCRYPTED_SWAPS +1)) - fi - done - Display --indent 2 --text "- Found ${ENCRYPTED_SWAPS} encrypted and ${UNENCRYPTED_SWAPS} unencrypted swap devices in use." --result OK --color WHITE + # Redirect errors, as RHEL 5/6 and others don't have the --show option + SWAPS=$(${SWAPONBINARY} --show=NAME --noheadings 2> /dev/null) + if [ $? -eq 0 ]; then + for BLOCK_DEV in ${SWAPS}; do + if ${CRYPTSETUPBINARY} isLuks "${BLOCK_DEV}" 2> /dev/null; then + LogText "Result: Found LUKS encrypted swap device: ${BLOCK_DEV}" + ENCRYPTED_SWAPS=$((ENCRYPTED_SWAPS + 1)) + Report "encrypted_swap[]=${BLOCK_DEV},LUKS" + elif ${CRYPTSETUPBINARY} status "${BLOCK_DEV}" 2> /dev/null | ${GREPBINARY} --quiet "cipher:"; then + LogText "Result: Found non-LUKS encrypted swap device: ${BLOCK_DEV}" + ENCRYPTED_SWAPS=$((ENCRYPTED_SWAPS + 1)) + Report "encrypted_swap[]=${BLOCK_DEV},other" + else + LogText "Result: Found unencrypted swap device: ${BLOCK_DEV}" + UNENCRYPTED_SWAPS=$((UNENCRYPTED_SWAPS +1)) + Report "non_encrypted_swap[]=${BLOCK_DEV}" + fi + done + Display --indent 2 --text "- Found ${ENCRYPTED_SWAPS} encrypted and ${UNENCRYPTED_SWAPS} unencrypted swap devices in use." --result OK --color WHITE + else + LogText "Result: skipping testing as swapon returned an error." 
+ fi fi # ################################################################################# @@ -232,6 +244,7 @@ if IsRunning "rngd"; then Display --indent 2 --text "- HW RNG & rngd" --result "${STATUS_YES}" --color GREEN LogText "Result: rngd is running" + RNG_FOUND=1 else Display --indent 2 --text "- HW RNG & rngd" --result "${STATUS_NO}" --color YELLOW # TODO - enable suggestion when website has listing for this control @@ -263,8 +276,9 @@ done if [ -z "${FOUND}" ]; then Display --indent 2 --text "- SW prng" --result "${STATUS_NO}" --color YELLOW - ReportSuggestion "${TEST_NO}" "Utilize software pseudo random number generators" + # ReportSuggestion "${TEST_NO}" "Utilize software pseudo random number generators" else + RNG_FOUND=1 Display --indent 2 --text "- SW prng" --result "${STATUS_YES}" --color GREEN LogText "Result: found ${FOUND} running" fi From 768d8a62e8de6f63d5ace28b92dffed17a0a6061 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 2 Oct 2020 10:55:36 +0200 Subject: [PATCH 255/355] Updated log --- CHANGELOG.md | 3 ++- include/tests_crypto | 4 ++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c4935044..3181544b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,7 +13,8 @@ ### Changed - AUTH-9229 - Added option for LOCKED accounts and bugfix for older bash versions - BOOT-5122 - Presence check for grub.d added -- CRYP-7931 - Redirect errors (e.g. when swap is not encrypted) +- CRYP-7931 - Redirect errors +- CRYP-7931 - Added data to report - FILE-6430 - Don't grep nonexistant modprobe.d files - FIRE-4535 - Set initial firewall state - INSE-8312 - Corrected text on screen diff --git a/include/tests_crypto b/include/tests_crypto index 40828175..976ba7b1 100644 --- a/include/tests_crypto +++ b/include/tests_crypto 
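Review bot: When `swapon --show` fails, the new `else` branch at the end of the swap hunk only writes a LogText line, so on RHEL 5/6 (the systems the new comment names) the swap-encryption check produces no Display output and no report data at all. At minimum make the skip visible, e.g. `Display --indent 2 --text "- Swap encryption" --result "${STATUS_SKIPPED}" --color WHITE`; reading device names from column 1 of `${ROOTDIR}proc/swaps` as a fallback would keep the check working where `--show` is missing. The `$((UNENCRYPTED_SWAPS +1))` line keeps the old spacing while both `ENCRYPTED_SWAPS` lines were changed to `+ 1`. The enclosing `if [ ${SKIPTEST} -eq 0 ]` block starts outside the hunk.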
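Review bot: The `# ReportSuggestion "${TEST_NO}" "Utilize software pseudo random number generators"` line in the hunk at `@@ -263,8 +276,9 @@` leaves commented-out code with no explanation, while the parallel rngd branch earlier in the same file carries `# TODO - enable suggestion when website has listing for this control`. Use that same TODO comment here instead of a bare commented call, so the reason the suggestion is withheld "at this moment" (per the commit title) survives in the code.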
@@ -285,6 +285,10 @@ fi # ################################################################################# +# + Report "rng_found=${RNG_FOUND}" +# +################################################################################# # WaitForKeyPress From 5e0a4e685d84cf736c1c4795cd1b95bb24005eff Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 2 Oct 2020 10:57:58 +0200 Subject: [PATCH 256/355] Added CloudLinux --- include/osdetection | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/include/osdetection b/include/osdetection index c2726d31..9910b307 100644 --- a/include/osdetection +++ b/include/osdetection @@ -173,6 +173,12 @@ OS_REDHAT_OR_CLONE=1 OS_VERSION="Rolling release" ;; + "cloudlinux") + LINUX_VERSION="CloudLinux" + OS_NAME="CloudLinux" + OS_REDHAT_OR_CLONE=1 + OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + ;; "coreos") LINUX_VERSION="CoreOS" OS_NAME="CoreOS Linux" From 11be8b03ae5c2e79625e6c6af1ca3c773f478132 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 2 Oct 2020 10:58:06 +0200 Subject: [PATCH 257/355] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3181544b..5a28590a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ ## Lynis 3.0.1 (not released yet) ### Added +- Detection of CloudLinux - Detection of Kali Linux - Detection of Linux Mint - Detection of macOS Big Sur (11.0) From 21b5493a1cb679d68e3da15ffdfc4f0a46a76776 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 5 Oct 2020 13:22:39 +0200 Subject: [PATCH 258/355] Release 3.0.1 --- CHANGELOG.md | 2 +- lynis | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 57a314b6..0728f8c9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,6 @@ # Lynis Changelog -## Lynis 3.0.1 (not released yet) +## Lynis 3.0.1 (2020-10-05) ### Added - Detection of Alpine Linux 
diff --git a/lynis b/lynis index 09f6f727..4d5306ff 100755 --- a/lynis +++ b/lynis @@ -43,9 +43,9 @@ PROGRAM_WEBSITE="https://cisofy.com/lynis/" # Version details - PROGRAM_RELEASE_DATE="2020-06-26" - PROGRAM_RELEASE_TIMESTAMP=1593159916 - PROGRAM_RELEASE_TYPE="pre-release" # pre-release or release + PROGRAM_RELEASE_DATE="2020-10-05" + PROGRAM_RELEASE_TIMESTAMP=1601896929 + PROGRAM_RELEASE_TYPE="release" # pre-release or release PROGRAM_VERSION="3.0.1" # Source, documentation and license From 85d36db113fc3584df9ef70b7ec8bb3abf835c45 Mon Sep 17 00:00:00 2001 From: Sergey Zhemoitel Date: Thu, 8 Oct 2020 23:06:35 +0300 Subject: [PATCH 259/355] Add ROSA Linux detection --- include/osdetection | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/include/osdetection b/include/osdetection index 9910b307..66592a8f 100644 --- a/include/osdetection +++ b/include/osdetection @@ -273,6 +273,12 @@ OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_NAME="Ubuntu" ;; + "rosa") + LINUX_VERSION="ROSA Linux" + OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + OS_NAME="ROSA Desktop Fresh R11.1" + ;; *) ReportException "OS Detection" "Unknown OS found in /etc/os-release - Please create issue on GitHub project page: ${PROGRAM_SOURCE}" ;; From 15799cf57e28e60ce87b11b5a40565da8ccdb26a Mon Sep 17 00:00:00 2001 From: Timo Sigurdsson Date: Sun, 11 Oct 2020 02:25:37 +0200 Subject: [PATCH 260/355] Add test for Suricata IDS/IPS Commit 94e0a4e added a test for the Suricata binary, but the result appears to be used nowhere. Add a proper test for an active Suricata daemon in the IDS/IPS tooling section. Signed-off-by: Timo Sigurdsson --- include/tests_tooling | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/include/tests_tooling b/include/tests_tooling index 7fed8460..c70ac847 100644 
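Review bot: `OS_NAME="ROSA Desktop Fresh R11.1"` in the new `"rosa")` arm hard-codes one release into OS_NAME while OS_VERSION and OS_VERSION_FULL are read from /etc/os-release, so every other ROSA release will be labelled R11.1. Use a release-independent name such as `OS_NAME="ROSA Linux"` (matching LINUX_VERSION) and let OS_VERSION_FULL carry the edition, as the neighbouring `"ubuntu")` arm does.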
--- a/include/tests_tooling +++ b/include/tests_tooling @@ -372,6 +372,33 @@ fi # ################################################################################# +# + # Test : TOOL-5130 + # Description : Check for Suricata + Register --test-no TOOL-5130 --weight L --network NO --category security --description "Check for active Suricata daemon" + if [ ${SKIPTEST} -eq 0 ]; then + # Suricata presence + if [ -n "${SURICATABINARY}" ]; then + Report "ids_ips_tooling[]=suricata" + LogText "Result: Suricata is installed (${SURICATABINARY})" + # Suricata status + # Suricata sets its process name to Suricata-Main on Linux, but this might differ on other platforms, + # so fall back to checking the full commandline instead if the first test fails + if IsRunning "Suricata-Main" || IsRunning --full "${SURICATABINARY} "; then + # Only satisfy test TOOL-5190 if Suricata is actually running + IDS_IPS_TOOL_FOUND=1 + LogText "Result: Suricata daemon is active" + Display --indent 2 --text "- Checking Suricata status" --result "${STATUS_RUNNING}" --color GREEN + else + LogText "Result: Suricata daemon not active" + Display --indent 2 --text "- Checking Suricata status" --result "${STATUS_NOT_RUNNING}" --color YELLOW + fi + else + LogText "Result: Suricata not installed (suricata not found)" + fi + fi +# +################################################################################# # # Test : TOOL-5160 # Description : Check for OSSEC From b7d5b8a4b90064da922c4d007ecec61a4f4c4115 Mon Sep 17 00:00:00 2001 From: Timo Sigurdsson Date: Sun, 11 Oct 2020 11:15:48 +0200 Subject: [PATCH 261/355] Update tests.db and CHANGELOG.md for new test TOOL-5130 Add the new test TOOL-5130 (Check for active Suricata daemon) to the tests database and update the changelog accordingly. Signed-off-by: Timo Sigurdsson --- CHANGELOG.md | 7 +++++++ db/tests.db | 1 + 2 files changed, 8 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0728f8c9..a7f7e88f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
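Review bot: The header comment `# Description : Check for Suricata` does not match the registered text `Check for active Suricata daemon`; make them identical (`# Description : Check for active Suricata daemon`), since the comment is what a reader cross-references with tests.db. The fallback `IsRunning --full "${SURICATABINARY} "` depends on a trailing space in the pattern; if that is meant to avoid matching other binaries with the same prefix, say so in the comment above it, because a daemon started with no arguments would presumably not match and be reported as not running. `Report "ids_ips_tooling[]=suricata"` is emitted whenever the binary is present, even if the daemon is down, which differs from when IDS_IPS_TOOL_FOUND is set; a one-line comment would make clear that this is intended.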
@@ -1,5 +1,12 @@ # Lynis Changelog +## Lynis 3.0.2 (not released yet) + +### Added +- New test: TOOL-5130 - Check for active Suricata daemon + +--------------------------------------------------------------------------------- + ## Lynis 3.0.1 (2020-10-05) ### Added diff --git a/db/tests.db b/db/tests.db index 26fc8f87..867fa4a5 100644 --- a/db/tests.db +++ b/db/tests.db @@ -425,6 +425,7 @@ TOOL-5102:test:security:tooling::Check for presence of Fail2ban: TOOL-5104:test:security:tooling::Enabled tests for Fail2ban: TOOL-5120:test:security:tooling::Presence of Snort IDS: TOOL-5122:test:security:tooling::Snort IDS configuration file: +TOOL-5130:test:security:tooling::Check for active Suricata daemon: TOOL-5160:test:security:tooling::Check for active OSSEC daemon: TOOL-5190:test:security:tooling::Check presence of available IDS/IPS tooling: USB-1000:test:security:storage:Linux:Check if USB storage is disabled: From ba1cff941fdc41c06f2cabe494cac3420144e92b Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 16 Oct 2020 13:02:01 +0200 Subject: [PATCH 262/355] Improved detection of kernel by ignoring known incorrect values --- include/tests_kernel | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/include/tests_kernel b/include/tests_kernel index 011d02c6..7bd11e59 100644 --- a/include/tests_kernel +++ b/include/tests_kernel 
@@ -680,8 +680,19 @@ elif [ -f "${FOUND_VMLINUZ}" ]; then VERSION_ON_DISK=$(echo ${FOUND_VMLINUZ} | ${SEDBINARY} 's#^/boot/##' | ${SEDBINARY} 's/^vmlinuz-//') LogText "Result: version derived from file name is '${VERSION_ON_DISK}'" + fi + # Data check: perform reset if we found a version but looks incomplete + # Example: Arch Linux will return only 'linux' as its version after it discovered /boot/vmlinuz-linux + case ${VERSION_ON_DISK} in + "linux" | "linux-lts") + LogText "Result: reset of version (${VERSION_ON_DISK}) as it looks incomplete" + VERSION_ON_DISK="" + ;; + esac + + # If we did not find the version yet, see if we can extract it from the magic data that 'file' returns if [ -z "${VERSION_ON_DISK}" ]; then LogText "Test: checking kernel version on disk" NEXTLINE=0 @@ -697,6 +708,7 @@ done fi + # Last check if we finally got a version or not if [ -z "${VERSION_ON_DISK}" ]; then LogText "Result: could not find the version on disk" ReportException "${TEST_NO}:4" "Could not find the kernel version" From 1c0c9d78583b82ce2fe43aad6fc98634478c0bde Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 16 Oct 2020 13:02:35 +0200 Subject: [PATCH 263/355] Move to pre-release --- lynis | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lynis b/lynis index 4d5306ff..17cd9e91 100755 --- a/lynis +++ b/lynis @@ -45,8 +45,8 @@ # Version details PROGRAM_RELEASE_DATE="2020-10-05" PROGRAM_RELEASE_TIMESTAMP=1601896929 - PROGRAM_RELEASE_TYPE="release" # pre-release or release - PROGRAM_VERSION="3.0.1" + PROGRAM_RELEASE_TYPE="pre-release" # pre-release or release + PROGRAM_VERSION="3.0.2" # Source, documentation and license PROGRAM_SOURCE="https://github.com/CISOfy/lynis" From 5d9c85a35cb26b04459f38e62fb5d805e2c193ea Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 16 Oct 2020 13:02:57 +0200 Subject: [PATCH 264/355] Preparations for 3.0.2 --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) 
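Review bot: The reset in the new `case ${VERSION_ON_DISK} in` only knows `"linux" | "linux-lts"`, so other file names of the same shape (Arch also ships `vmlinuz-linux-zen` and `vmlinuz-linux-hardened`) still pass through as a version. A real kernel version always contains a digit, so matching on that is more robust than a name list while still skipping the empty case: `case ${VERSION_ON_DISK} in ""|*[0-9]*) ;; *) LogText "Result: reset of version (${VERSION_ON_DISK}) as it looks incomplete"; VERSION_ON_DISK="" ;; esac`. The `if`/`elif` chain this sits in starts outside the hunk.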
diff --git a/CHANGELOG.md b/CHANGELOG.md index 0728f8c9..5c85a577 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,12 @@ # Lynis Changelog +## Lynis 3.0.2 (not released yet) + +### Changed +- KRNL-5830 - Improved reboot test by ignoring known bad values + +--------------------------------------------------------------------------------- + ## Lynis 3.0.1 (2020-10-05) ### Added From eaca6127eca8176d48479d8044847e942465c3c1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane?= Date: Sat, 17 Oct 2020 00:04:09 +0200 Subject: [PATCH 265/355] Improvements and addition of strings --- db/languages/fr | 31 +++++++++++++++++++------------ 1 file changed, 19 insertions(+), 12 deletions(-) diff --git a/db/languages/fr b/db/languages/fr index 51b4da41..848dd94e 100644 --- a/db/languages/fr +++ b/db/languages/fr 
@@ -1,38 +1,45 @@ +ERROR_NO_LICENSE="Pas de clé de licence configurée" +ERROR_NO_UPLOAD_SERVER="Pas de serveur de transfert configuré" GEN_CHECKING="Vérification" GEN_CURRENT_VERSION="Version actuelle" GEN_DEBUG_MODE="mode debug" GEN_INITIALIZE_PROGRAM="Initialisation" +GEN_LATEST_VERSION="Dernière version" GEN_PHASE="phase" GEN_PLUGINS_ENABLED="Plugins activés" -GEN_VERBOSE_MODE="mode verbeux" GEN_UPDATE_AVAILABLE="mise à jour disponible" +GEN_VERBOSE_MODE="mode verbeux" GEN_WHAT_TO_DO="Que faire" NOTE_EXCEPTIONS_FOUND="Exceptions trouvées" NOTE_EXCEPTIONS_FOUND_DETAILED="Des événements ou informations exceptionnels ont été trouvés" -NOTE_PLUGINS_TAKE_TIME="Note: les plugins ont des tests plus poussés et peuvent prendre plusieurs minutes" +NOTE_PLUGINS_TAKE_TIME="Note : Les plugins ont des tests plus poussés et peuvent prendre plusieurs minutes" NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Tests ignorés faute de privilèges" -SECTION_CUSTOM_TESTS="Tests Personnalisés" +SECTION_CUSTOM_TESTS="Tests personnalisés" +SECTION_DATA_UPLOAD="Téléchargement de données" +SECTION_INITIALIZING_PROGRAM="Initialisation du programme" SECTION_MALWARE="Malware" -SECTION_MEMORY_AND_PROCESSES="Mémoire et Processus" +SECTION_MEMORY_AND_PROCESSES="Mémoire et processus" +SECTION_SYSTEM_TOOLS="Outils système" +STATUS_DISABLED="DÉSACTIVÉ" STATUS_DONE="FAIT" +STATUS_ENABLED="ACTIVÉ" +STATUS_ERROR="ERREUR" +STATUS_FAILED="ÉCHOUÉ" STATUS_FOUND="TROUVÉ" -STATUS_YES="OUI" -STATUS_NO="NON" STATUS_OFF="OFF" STATUS_OK="OK" STATUS_ON="ON" +STATUS_NO="NON" STATUS_NONE="AUCUN" +STATUS_NOT_CONFIGURED="NON CONFIGURÉ" STATUS_NOT_FOUND="NON TROUVÉ" STATUS_NOT_RUNNING="NON LANCÉ" -STATUS_RUNNING="EN COURS": +STATUS_RUNNING="EN COURS" STATUS_SKIPPED="IGNORÉ" STATUS_SUGGESTION="SUGGESTION" STATUS_UNKNOWN="INCONNU" STATUS_WARNING="ATTENTION" +STATUS_WEAK="FAIBLE" +STATUS_YES="OUI" TEXT_YOU_CAN_HELP_LOGFILE="Vous pouvez aider en envoyant votre fichier journal" TEXT_UPDATE_AVAILABLE="Mise à jour disponible" 
-STATUS_DISABLED="DÉSACTIVÉ" -STATUS_ENABLED="ACTIVÉ" -STATUS_ERROR="ERREUR" -ERROR_NO_LICENSE="Pas de clé de licence configurée" -ERROR_NO_UPLOAD_SERVER="Pas de serveur de transfert configuré" From 760460528b7141fb0f0741c4d76787a2ca406488 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sat, 17 Oct 2020 12:55:20 +0200 Subject: [PATCH 266/355] Added variable --- include/consts | 1 + 1 file changed, 1 insertion(+) diff --git a/include/consts b/include/consts index 053147a4..2224057b 100644 --- a/include/consts +++ b/include/consts @@ -58,6 +58,7 @@ ETC_PATHS="/etc /usr/local/etc" APPLICATION_FIREWALL_ACTIVE=0 BINARY_SCAN_FINISHED=0 BLKIDBINARY="" + BOOTCTLBINARY="" CAT_BINARY="" CFAGENTBINARY="" CHECK=0 From 791800f95d1e1090efc0ba29d958fa1a6d80ab7d Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sat, 17 Oct 2020 13:15:06 +0200 Subject: [PATCH 267/355] Added Zorin OS detection --- CHANGELOG.md | 3 +++ include/osdetection | 7 +++++++ 2 files changed, 10 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5c85a577..17562153 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,9 @@ ## Lynis 3.0.2 (not released yet) +### Added +- Detection of Zorin OS + ### Changed - KRNL-5830 - Improved reboot test by ignoring known bad values diff --git a/include/osdetection b/include/osdetection index 9910b307..843a932b 100644 --- a/include/osdetection +++ b/include/osdetection @@ -273,6 +273,13 @@ OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_NAME="Ubuntu" ;; + "zorin") + LINUX_VERSION="Zorin OS" + OS_NAME="Zorin OS" + OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + ;; + *) ReportException "OS Detection" "Unknown OS found in /etc/os-release - Please create issue on GitHub project page: ${PROGRAM_SOURCE}" ;; From 6238f5bc8f821ddc8aab371d9bb36e025c281c07 Mon Sep 17 00:00:00 2001 
From: Michael Boelen Date: Sat, 17 Oct 2020 13:26:11 +0200 Subject: [PATCH 268/355] Define RHEL as 'RHEL' --- include/osdetection | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/osdetection b/include/osdetection index 107ee28f..5aa5878b 100644 --- a/include/osdetection +++ b/include/osdetection @@ -255,7 +255,7 @@ ;; "rhel") LINUX_VERSION="RHEL" - OS_NAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + OS_NAME="RHEL" OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_FULLNAME="${OS_NAME} ${OS_VERSION_FULL}" From 577a8b201fbe03f19e6d04a2c5e2538f624eefc8 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sat, 17 Oct 2020 13:26:39 +0200 Subject: [PATCH 269/355] Updated log --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 17562153..ee64679c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,10 +3,12 @@ ## Lynis 3.0.2 (not released yet) ### Added +- Detection of ROSA Linux - Detection of Zorin OS ### Changed - KRNL-5830 - Improved reboot test by ignoring known bad values +- Set 'RHEL' as OS_NAME for Red Hat Enterprise Linux --------------------------------------------------------------------------------- From 61c6d5df8d156cdbfc670c3f641db06aa1b761db Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sat, 17 Oct 2020 13:40:09 +0200 Subject: [PATCH 270/355] [PKGS-7410] Don't show exception if no kernels were found on the disk --- include/tests_ports_packages | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/include/tests_ports_packages b/include/tests_ports_packages index 286da608..e1071474 100644 --- a/include/tests_ports_packages +++ b/include/tests_ports_packages 
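Review bot: Changing OS_NAME to the literal `RHEL` also changes the context line `OS_FULLNAME="${OS_NAME} ${OS_VERSION_FULL}"`, so the reported full name now starts with `RHEL` instead of the PRETTY_NAME text, while the old code presumably produced PRETTY_NAME followed by a repeated version string. Either way two reported values change, not one; a comment above the line such as `# Use the short name here; OS_FULLNAME is composed from it below` would record that this is intended, and the changelog entry `Set 'RHEL' as OS_NAME` should mention OS_FULLNAME too.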
@@ -1289,7 +1289,7 @@ KERNELS=$(${ZYPPERBINARY} --non-interactive -n se --type package --match-exact --installed-only "kernel-default" 2> /dev/null | ${GREPBINARY} "kernel-default" | ${WCBINARY} -l) if [ ${KERNELS} -eq 0 ]; then LogText "Result: found no kernels from zypper output, which is unexpected." - ReportException "KRNL-5840:3" "Could not find any kernel packages via package manager. Maybe using a different kernel package?" + ReportException "${TEST_NO}" "Could not find any kernel packages via package manager. Maybe using a different kernel package?" elif [ ${KERNELS} -gt 3 ]; then LogText "Result: found more than 5 kernel packages on the system, which might indicate lack of regular cleanups" ReportSuggestion "${TEST_NO}" "Remove any unneeded kernel packages" @@ -1299,7 +1299,19 @@ fi if [ ${KERNELS} -eq 0 -a ${TESTED} -eq 1 ]; then - ReportException "KRNL-5840:1" "Could not find any kernel packages via package manager" + # Only report exception if there are kernels actually there. For example, LXC use the kernel of host system + case "${OS}" in + "Linux") + if [ -d "${ROOTDIR}boot" ]; then + if [ -z "$(${FINDBINARY} /boot -maxdepth 1 -type f -name 'vmlinuz*' -print -quit)" ]; then + ReportException "${TEST_NO}" "Could not find any kernel packages via package manager" + fi + fi + ;; + *) + ReportException "${TEST_NO}" "Could not find any kernel packages via package manager" + ;; + esac fi Report "installed_kernel_packages=${KERNELS}" From 3b240d250d8762891aaa2265e77fd78d6f60fca4 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sat, 17 Oct 2020 13:40:17 +0200 Subject: [PATCH 271/355] Updated log --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index ee64679c..0b486c6e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
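Review bot: The new `find` line searches a literal `/boot` although the guard on the previous line tests `"${ROOTDIR}boot"`, so when ROOTDIR points elsewhere the directory check and the search look at different trees; use `${FINDBINARY} "${ROOTDIR}boot" -maxdepth 1 -type f -name 'vmlinuz*' -print -quit`. `-maxdepth` and `-quit` are GNU find extensions and busybox builds may not support `-quit`; the `"Linux")` arm makes that mostly safe, but a comment noting the dependency would help the next person who sees an empty result on a minimal container. The enclosing `if [ ${KERNELS} -eq 0 -a ${TESTED} -eq 1 ]` block closes inside the hunk.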
@@ -8,7 +8,9 @@ ### Changed - KRNL-5830 - Improved reboot test by ignoring known bad values +- PKGS-7410 - Don't show exception if no kernels were found on the disk - Set 'RHEL' as OS_NAME for Red Hat Enterprise Linux +- Small code enhancements --------------------------------------------------------------------------------- From 644683a0e4efabef007a3f3e6fe36d9eb2e7d3c3 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sat, 17 Oct 2020 14:11:45 +0200 Subject: [PATCH 272/355] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0b486c6e..86974a3d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,7 @@ - KRNL-5830 - Improved reboot test by ignoring known bad values - PKGS-7410 - Don't show exception if no kernels were found on the disk - Set 'RHEL' as OS_NAME for Red Hat Enterprise Linux +- French translation improved - Small code enhancements --------------------------------------------------------------------------------- From af57959d6a63fdbc501c3dc2dd475f1618d25759 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane?= Date: Mon, 19 Oct 2020 00:41:11 +0200 Subject: [PATCH 273/355] Add missing constants From #1035 issue --- include/consts | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/include/consts b/include/consts index 2224057b..bb1d63ff 100644 --- a/include/consts +++ b/include/consts @@ -82,6 +82,7 @@ ETC_PATHS="/etc /usr/local/etc" CONTROL_URL_PROTOCOL="" CONTAINER_TYPE="" CREATE_REPORT_FILE=1 + CRYPTSETUPBINARY="" CSUMBINARY="" CURRENT_TS=0 CUSTOM_URL_APPEND="" @@ -100,12 +101,14 @@ ETC_PATHS="/etc /usr/local/etc" DISCOVERED_BINARIES="" DMIDECODEBINARY="" DNFBINARY="" + DNSDOMAINNAMEBINARY="" DOCKERBINARY="" DOCKER_DAEMON_RUNNING=0 DPKGBINARY="" ECHOCMD="" ERROR_ON_WARNINGS=0 EQUERYBINARY="" + EVMCTLBINARY="" EXIMBINARY="" FAIL2BANBINARY="" FILEBINARY="" 
@@ -131,6 +134,7 @@ ETC_PATHS="/etc /usr/local/etc" HTTPDBINARY="" IDS_IPS_TOOL_FOUND=0 IFCONFIGBINARY="" + INTEGRITYSETUPBINARY="" IPBINARY="" IPFBINARY="" IPTABLESBINARY="" @@ -149,6 +153,7 @@ ETC_PATHS="/etc /usr/local/etc" LOGDIR="" LOGROTATEBINARY="" LOGTEXT=1 + LSBLKBINARY="" LSMODBINARY="" LSOFBINARY="" LSOF_EXTRA_OPTIONS="" @@ -192,6 +197,7 @@ ETC_PATHS="/etc /usr/local/etc" NGINX_RETURN_FOUND=0 NGINX_ROOT_FOUND=0 NGINX_WEAK_SSL_PROTOCOL_FOUND=0 + NTPCTLBINARY="" NTPD_ROLE="" NTPQBINARY="" OPENSSLBINARY="" @@ -205,6 +211,7 @@ ETC_PATHS="/etc /usr/local/etc" OS_REDHAT_OR_CLONE=0 OSIRISBINARY="" PACMANBINARY="" + PAM_PASSWORD_PWHISTORY_AMOUNT="" PASSWORD_MAXIMUM_DAYS=-1 PASSWORD_MINIMUM_DAYS=-1 PAM_2F_AUTH_ENABLED=0 @@ -239,6 +246,7 @@ ETC_PATHS="/etc /usr/local/etc" REFRESH_REPOSITORIES=1 REMOTE_LOGGING_ENABLED=0 RESOLV_DOMAINNAME="" + RESOLVECTLBINARY="" RKHUNTERBINARY="" ROOTDIR="/" ROOTSHBINARY="" @@ -277,6 +285,7 @@ ETC_PATHS="/etc /usr/local/etc" SLOW_TEST_THRESHOLD=10 SMTPCTLBINARY="" SNORTBINARY="" + SSBINARY="" SSHKEYSCANBINARY="" SSHKEYSCANFOUND=0 SSL_CERTIFICATE_INCLUDE_PACKAGES=0 @@ -286,6 +295,7 @@ ETC_PATHS="/etc /usr/local/etc" SWUPDBINARY="" SYSLOGNGBINARY="" SYSTEMCTLBINARY="" + SYSTEMDANALYZEBINARY="" SYSTEM_IS_NOTEBOOK=255 TEMP_FILE="" TEMP_FILES="" @@ -295,6 +305,7 @@ ETC_PATHS="/etc /usr/local/etc" TEST_GROUP_TO_CHECK="all" TESTS_EXECUTED="" TESTS_SKIPPED="" + TIMEDATECTL="" TMPFILE="" TOMOYOINITBINARY="" TOOLTIP_SHOWED=0 @@ -320,6 +331,7 @@ ETC_PATHS="/etc /usr/local/etc" USBGUARD_ROOT="" VALUE="" VERBOSE=0 + VERITYSETUPBINARY="" VGDISPLAYBINARY="" VMTYPE="" VULNERABLE_PACKAGES_FOUND=0 From f0ded6c2a3408d361145952234bfcd306eae0d23 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Mon, 19 Oct 2020 12:07:16 +0200 Subject: [PATCH 274/355] add Mageia EOL dates and grep /etc/mageia-release MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
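Review bot: `TIMEDATECTL=""` in the hunk at `@@ -295,6 +305,7 @@` breaks the `<TOOL>BINARY` naming that every other variable added by this commit follows (`RESOLVECTLBINARY`, `SYSTEMDANALYZEBINARY`, `VERITYSETUPBINARY`). If the binary-detection code already sets a variable under exactly that name the declaration must match it, but if this is a fresh declaration it should be `TIMEDATECTLBINARY=""` before the odd name spreads; which case applies cannot be confirmed from the hunk.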
Signed-off-by: Thomas Sjögren --- db/software-eol.db | 10 ++++++++++ include/osdetection | 8 ++++---- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/db/software-eol.db b/db/software-eol.db index 2412a203..ea7d5888 100644 --- a/db/software-eol.db +++ b/db/software-eol.db @@ -68,6 +68,16 @@ os:Linux Mint 18:2021-04-01:1617228000: os:Linux Mint 19:2023-04-01:1680300000: os:Linux Mint 20:2025-04-01:1743458400: # +# Mageia - https://www.mageia.org/en/support/ +# +os:Mageia 1:2012-12-01:1354316400 +os:Mageia 2:2013-11-22:1385074800 +os:Mageia 3:2014-11-26:1416956400 +os:Mageia 4:2015-09-19:1442613600 +os:Mageia 5:2017-12-31:1514674800 +os:Mageia 6:2019-09-30:1569794400 +os:Mageia 7:2020-12-30:1609282800 +# # NetBSD - https://www.netbsd.org/support/security/release.html and # https://www.netbsd.org/releases/formal.html # diff --git a/include/osdetection b/include/osdetection index 5aa5878b..441ef6bd 100644 --- a/include/osdetection +++ b/include/osdetection @@ -396,11 +396,11 @@ LINUX_VERSION="Fedora" fi - # Mageia (has also /etc/megaia-release) - FIND=$(grep "Mageia" /etc/redhat-release) + # Mageia (/etc/redhat-release -> /etc/mageia-release link) + FIND=$(grep "Mageia" /etc/mageia-release) if [ ! "${FIND}" = "" ]; then - OS_FULLNAME=$(grep "^Mageia" /etc/redhat-release) - OS_VERSION=$(grep "^Mageia" /etc/redhat-release | awk '{ if ($2=="release") { print $3 } }') + OS_FULLNAME=$(grep "^Mageia" /etc/mageia-release) + OS_VERSION=$(grep "^Mageia" /etc/mageia-release | awk '{ if ($2=="release") { print $3 } }') LINUX_VERSION="Mageia" fi From 68e8ef862e4da525efc1b157e74e8789a50b32e8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Mon, 19 Oct 2020 12:38:59 +0200 Subject: [PATCH 275/355] mageia got /etc/os-release MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- include/osdetection | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) 
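Review bot: The seven new `os:Mageia N:...` lines omit the trailing `:` that every neighbouring entry carries (`os:Linux Mint 20:2025-04-01:1743458400:`), so a reader that counts colon-separated fields would see one field fewer for Mageia. Append the trailing colon to each new line, e.g. `os:Mageia 7:2020-12-30:1609282800:`, unless the parser is known to tolerate both forms.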
diff --git a/include/osdetection b/include/osdetection index 441ef6bd..34667ca8 100644 --- a/include/osdetection +++ b/include/osdetection @@ -212,6 +212,12 @@ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') ;; + "mageia") + LINUX_VERSION="Mageia" + OS_NAME="Mageia" + OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + ;; "manjaro") LINUX_VERSION="Manjaro" OS_FULLNAME="Manjaro Linux" @@ -396,13 +402,6 @@ LINUX_VERSION="Fedora" fi - # Mageia (/etc/redhat-release -> /etc/mageia-release link) - FIND=$(grep "Mageia" /etc/mageia-release) - if [ ! "${FIND}" = "" ]; then - OS_FULLNAME=$(grep "^Mageia" /etc/mageia-release) - OS_VERSION=$(grep "^Mageia" /etc/mageia-release | awk '{ if ($2=="release") { print $3 } }') - LINUX_VERSION="Mageia" - fi # Oracle Enterprise Linux FIND=$(grep "Enterprise Linux Enterprise Linux Server" /etc/redhat-release) From 537624da15d2127007c5d21423d5265e92902aa8 Mon Sep 17 00:00:00 2001 From: Fabien Lehoussel Date: Mon, 19 Oct 2020 15:02:48 +0200 Subject: [PATCH 276/355] Fix wc command with --lines argument to be used with busybox --- include/tests_filesystems | 10 +++++----- include/tests_mac_frameworks | 10 +++++----- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/include/tests_filesystems b/include/tests_filesystems index bfe451ab..3e103959 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems 
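Review bot: The new `"mageia")` arm sets LINUX_VERSION, OS_NAME, OS_VERSION and OS_VERSION_FULL but not OS_FULLNAME, which the removed /etc/mageia-release block did populate and which the neighbouring `"manjaro")` arm sets explicitly. Unless a generic fallback composes OS_FULLNAME later (not visible in the hunk), Mageia hosts lose that field; adding `OS_FULLNAME="${OS_NAME} ${OS_VERSION_FULL}"` to the arm keeps it populated.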
@@ -629,11 +629,11 @@ fi done fi - NMOUNTS=$(mount | ${WCBINARY} --lines) - NDEVMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v nodev | ${WCBINARY} --lines) - NEXECMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v noexec | ${WCBINARY} --lines) - NSUIDMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v nosuid | ${WCBINARY} --lines) - NWRITEANDEXECMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v noexec | ${EGREPBINARY} -v '^\(ro[,)]' | ${WCBINARY} --lines) + NMOUNTS=$(mount | ${WCBINARY} -l) + NDEVMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v nodev | ${WCBINARY} -l) + NEXECMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v noexec | ${WCBINARY} -l) + NSUIDMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v nosuid | ${WCBINARY} -l) + NWRITEANDEXECMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v noexec | ${EGREPBINARY} -v '^\(ro[,)]' | ${WCBINARY} -l) LogText "Result: Total without nodev:${NDEVMOUNTS} noexec:${NEXECMOUNTS} nosuid:${NSUIDMOUNTS} ro or noexec (W^X): ${NWRITEANDEXECMOUNTS}, of total ${NMOUNTS}" Display --indent 2 --text "- Total without nodev:${NDEVMOUNTS} noexec:${NEXECMOUNTS} nosuid:${NSUIDMOUNTS} ro or noexec (W^X): ${NWRITEANDEXECMOUNTS} of total ${NMOUNTS}" fi diff --git a/include/tests_mac_frameworks b/include/tests_mac_frameworks index 3f23c77e..09c0e3ab 100644 --- a/include/tests_mac_frameworks +++ b/include/tests_mac_frameworks 
@@ -76,7 +76,7 @@ Report "apparmor_policy_loaded=1" AddHP 3 3 # ignore kernel threads (Parent PID = 2 [kthreadd]) - NUNCONFINED=$(${PSBINARY} -N --ppid 2 -o label | ${GREPBINARY} '^unconfined' | ${WCBINARY} --lines) + NUNCONFINED=$(${PSBINARY} -N --ppid 2 -o label | ${GREPBINARY} '^unconfined' | ${WCBINARY} -l) Display --indent 8 --text "Found ${NUNCONFINED} unconfined processes" for PROCESS in $(${PSBINARY} -N --ppid 2 -o label:1,pid,comm | ${GREPBINARY} '^unconfined' | ${TRBINARY} ' ' ':'); do LogText "Result: Unconfined process: ${PROCESS}" @@ -159,13 +159,13 @@ fi Display --indent 8 --text "Current SELinux mode: ${FIND}" PERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${TRBINARY} '\n' ' ') - NPERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${WCBINARY} --lines) + NPERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${WCBINARY} -l) Display --indent 8 --text "Found ${NPERMISSIVE} permissive SELinux object types" LogText "Permissive SELinux object types: ${PERMISSIVE}" UNCONFINED=$(${PSBINARY} -eo label,pid,command | ${GREPBINARY} '[u]nconfined_t' | ${TRBINARY} '\n' ' ') INITRC=$(${PSBINARY} -eo label,pid,command | ${GREPBINARY} '[i]nitrc_t' | ${TRBINARY} '\n' ' ') - NUNCONFINED=$(${PSBINARY} -eo label | ${GREPBINARY} '[u]nconfined_t' | ${WCBINARY} --lines) - NINITRC=$(${PSBINARY} -eo label | ${GREPBINARY} '[i]nitrc_t' | ${WCBINARY} --lines) + NUNCONFINED=$(${PSBINARY} -eo label | ${GREPBINARY} '[u]nconfined_t' | ${WCBINARY} -l) + NINITRC=$(${PSBINARY} -eo label | ${GREPBINARY} '[i]nitrc_t' | ${WCBINARY} -l) Display --indent 8 --text "Found ${NUNCONFINED} unconfined and ${NINITRC} initrc_t processes" LogText "Unconfined processes: ${UNCONFINED}" LogText "Processes with initrc_t type: ${INITRC}" 
@@ -207,7 +207,7 @@
Display --indent 4 --text "- Checking TOMOYO Linux status" --result "${STATUS_ENABLED}" --color GREEN
Report "tomoyo_enabled=1"
if [ ! -z ${TOMOYOPSTREEBINARY} ]; then
- NUNCONFINED=$(${TOMOYOPSTREEBINARY} | ${GREPBINARY} -v '^ 3 ' | ${WCBINARY} --lines)
+ NUNCONFINED=$(${TOMOYOPSTREEBINARY} | ${GREPBINARY} -v '^ 3 ' | ${WCBINARY} -l)
Display --indent 8 --text "Found ${NUNCONFINED} unconfined (not profile 3) processes"
for PROCESS in $(${TOMOYOPSTREEBINARY} | ${GREPBINARY} -v '^ 3 ' | ${SEDBINARY} -e 's/+-//g' -e 's/^ *//g' -e 's/ \+/:/g' | ${SORTBINARY}); do
LogText "Result: Unconfined process: ${PROCESS}"
From ae7be7599ed6d5e98a68fb537e0d8f61375fbedb Mon Sep 17 00:00:00 2001
From: Fabien Lehoussel
Date: Mon, 19 Oct 2020 15:09:43 +0200
Subject: [PATCH 277/355] Fix head cmd with busybox
---
 include/tests_crypto | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/tests_crypto b/include/tests_crypto
index d4a90cc2..61074cdc 100644
--- a/include/tests_crypto
+++ b/include/tests_crypto
@@ -245,7 +245,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: looking for ${ROOTDIR}sys/class/misc/hw_random/rng_current"
if [ -f "${ROOTDIR}sys/class/misc/hw_random/rng_current" ]; then
- DATA=$(${HEADBINARY} --lines=1 ${ROOTDIR}sys/class/misc/hw_random/rng_current | ${TRBINARY} -d '[[:cntrl:]]')
+ DATA=$(${HEADBINARY} -n 1 ${ROOTDIR}sys/class/misc/hw_random/rng_current | ${TRBINARY} -d '[[:cntrl:]]')
if [ "${DATA}" != "none" ]; then
LogText "Result: positive match, found RNG: ${DATA}"
if IsRunning "rngd"; then
From bc85cbb0ba2a200509c0cc4fc56cdc1d27efc50b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
Date: Tue, 20 Oct 2020 11:49:05 +0200
Subject: [PATCH 278/355] add Void Linux
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Thomas Sjögren
---
 include/osdetection | 5 +++++
 1 file changed, 5 insertions(+)
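Review bot: After the new `${HEADBINARY} -n 1 ...` line in the tests_crypto hunk, `DATA` can be empty (an empty `rng_current`, or head unable to read it), and the following `if [ "${DATA}" != "none" ]` then logs a positive match with an empty RNG name; `if [ -n "${DATA}" ] && [ "${DATA}" != "none" ]; then` would treat that case as no RNG found. The path is also the only unquoted expansion in the block: `${HEADBINARY} -n 1 "${ROOTDIR}sys/class/misc/hw_random/rng_current"` matches the quoting of the `-f` test two lines above. The enclosing `if [ -f ... ]` block closes outside the hunk.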
diff --git a/include/osdetection b/include/osdetection
index 5aa5878b..49dba032 100644
--- a/include/osdetection
+++ b/include/osdetection
@@ -279,6 +279,11 @@
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_NAME="Ubuntu"
;;
+ "void")
+ LINUX_VERSION="Void Linux"
+ OS_VERSION="Rolling release"
+ OS_NAME="Void Linux"
+ ;;
"zorin")
LINUX_VERSION="Zorin OS"
OS_NAME="Zorin OS"
From 77b93ae73df0de716f7dd56f85a8c51406607a54 Mon Sep 17 00:00:00 2001
From: Michael Boelen
Date: Tue, 20 Oct 2020 13:06:40 +0200
Subject: [PATCH 279/355] Added SLES detection via /etc/os-release
---
 include/osdetection | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/include/osdetection b/include/osdetection
index 49dba032..eac5eadf 100644
--- a/include/osdetection
+++ b/include/osdetection
@@ -273,6 +273,12 @@
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
+ "sles")
+ LINUX_VERSION="SLES"
+ OS_NAME="openSUSE"
+ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ OS_VERSION_FULL=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ ;;
"ubuntu")
LINUX_VERSION="Ubuntu"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
From afc4604b9f4cada6a4de588726a8c36773acd1eb Mon Sep 17 00:00:00 2001
From: Claudia
Date: Tue, 20 Oct 2020 22:21:13 +0200
Subject: [PATCH 280/355] Update macOS EOL
---
 db/software-eol.db | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/db/software-eol.db b/db/software-eol.db
index e8163b23..63baa280 100644
--- a/db/software-eol.db
+++ b/db/software-eol.db
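Review bot: The new `"sles")` case sets `OS_NAME="openSUSE"` while `LINUX_VERSION="SLES"`, so a SUSE Linux Enterprise host reports itself as openSUSE wherever `OS_NAME` is consumed; if that is deliberate so openSUSE-specific tests and paths also run on SLES, the case should say so, e.g. `# keep OS_NAME=openSUSE so openSUSE-specific tests apply; LINUX_VERSION distinguishes SLES`, otherwise `OS_NAME="SLES"` is the consistent choice. `OS_VERSION_FULL` is derived from `PRETTY_NAME` here while the neighbouring cases use `VERSION`, which also deserves a one-line note if intended. The enclosing `case` statement starts and ends outside the hunk.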
@@ -111,7 +111,8 @@ os:macOS Catalina \(10.15.2\):2020-01-28:1580166000: os:macOS Catalina \(10.15.3\):2020-03-24:1585004400: os:macOS Catalina \(10.15.4\):2020-05-26:1590444000: os:macOS Catalina \(10.15.5\):2020-07-15:1594764000: -os:macOS Catalina \(10.15.6\)::-1: +os:macOS Catalina \(10.15.6\):2020-09-24:1600898400: +os:macOS Catalina \(10.15.7\)::-1: # # Mageia - https://www.mageia.org/en/support/ # From 3124a04ce9ace5a9bc650a70aac940b3bcacac9d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Wed, 21 Oct 2020 11:27:44 +0200 Subject: [PATCH 281/355] require pgrep before usage MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- include/functions | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/include/functions b/include/functions index 8cd95aec..6964da20 100644 --- a/include/functions +++ b/include/functions @@ -1547,8 +1547,7 @@ if [ -z "${search}" ]; then ExitFatal "Missing process to search for when using IsRunning function"; fi RUNNING=0 - # AIX does not fully support pgrep options, so using ps instead - if [ "${OS}" != "AIX" ]; then + if [ -x "${PGREPBINARY}" ] && [ "${OS}" != "AIX" ]; then # When --user is used, perform a search using the -u option # Initialize users for strict mode if [ -n "${users:-}" ]; then From 71c474f4550667c055691421bf4241d5fbc53ab3 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 21 Oct 2020 14:40:30 +0200 Subject: [PATCH 282/355] [KRNL-5830] ignore rescue kernel on systems such as CentOS --- include/tests_kernel | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/include/tests_kernel b/include/tests_kernel index 7bd11e59..656048e9 100644 --- a/include/tests_kernel +++ b/include/tests_kernel 
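Review bot: The rewritten condition `if [ -x "${PGREPBINARY}" ] && [ "${OS}" != "AIX" ]; then` in the include/functions hunk drops the comment that explained the AIX exclusion, so the reason for the second test is no longer in the code; a combined comment such as `# pgrep may be absent (minimal/busybox systems) and AIX does not fully support its options, so fall back to ps` keeps that rationale. The neighbouring `${users:-}` and its "strict mode" comment suggest IsRunning is expected to survive `set -u`; if so, `-x "${PGREPBINARY:-}"` avoids an unbound-variable abort when the binary was never located. The body of IsRunning continues outside the hunk.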
@@ -665,8 +665,9 @@ LogText "Result: found ${ROOTDIR}boot/vmlinuz-linux-lts" FOUND_VMLINUZ=${ROOTDIR}boot/vmlinuz-linux-lts else - # Match on /boot/vm5.3.7 or /boot/vmlinuz-5.3.7-1-default - FOUND_VMLINUZ=$(${LSBINARY} -t ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${HEADBINARY} -1) + # Match on items like /boot/vm5.3.7 or /boot/vmlinuz-5.3.7-1-default. Get newest file (ls -t and pipe into head) + # Note: ignore a rescue kernel (e.g. CentOS) + FOUND_VMLINUZ=$(${LSBINARY} -t ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${GREPBINARY} -v '\-rescue\-' | ${HEADBINARY} -1) LogText "Result: found ${FOUND_VMLINUZ}" fi From cd24f376410e4d5a845e065e4915516e98449199 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 21 Oct 2020 14:45:07 +0200 Subject: [PATCH 283/355] Updated log --- CHANGELOG.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 86974a3d..80cea215 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,12 +3,15 @@ ## Lynis 3.0.2 (not released yet) ### Added -- Detection of ROSA Linux -- Detection of Zorin OS +- Detection of Flatcar, Mageia, ROSA Linux, SLES (extended), Void Linux, Zorin OS +- macOS and Mageia EOL dates ### Changed - KRNL-5830 - Improved reboot test by ignoring known bad values +- KRNL-5830 - Ignore rescue kernel such as on CentOS systems - PKGS-7410 - Don't show exception if no kernels were found on the disk +- ParseNginx function: Support include on absolute paths +- ParseNginx function: Ignore empty included wildcards - Set 'RHEL' as OS_NAME for Red Hat Enterprise Linux - French translation improved - Small code enhancements From 1e9d3b45da6fb9aea3c9d2f666f2e77e87d6b016 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 21 Oct 2020 15:04:55 +0200 Subject: [PATCH 284/355] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 80cea215..74bb5be3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
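Review bot: The new filter `${GREPBINARY} -v '\-rescue\-'` relies on `\-` being a literal hyphen, which is undefined in POSIX basic regular expressions and only an extension that GNU grep accepts; `${GREPBINARY} -v -e '-rescue-'` expresses the same match portably, with `-e` protecting the leading dash. The trailing `${HEADBINARY} -1` is the obsolescent spelling that the tests_crypto commit in this same series replaced with `-n 1` for busybox, so `${HEADBINARY} -n 1` would be consistent here. The surrounding if/else construct begins outside the hunk.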
@@ -10,6 +10,7 @@ - KRNL-5830 - Improved reboot test by ignoring known bad values - KRNL-5830 - Ignore rescue kernel such as on CentOS systems - PKGS-7410 - Don't show exception if no kernels were found on the disk +- TIME-3185 - Supports now checking files at multiple locations (systemd) - ParseNginx function: Support include on absolute paths - ParseNginx function: Ignore empty included wildcards - Set 'RHEL' as OS_NAME for Red Hat Enterprise Linux From c2e0c28912f479b816f04f78ce428172dae42645 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 21 Oct 2020 15:09:56 +0200 Subject: [PATCH 285/355] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 74bb5be3..a21e03bf 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,7 @@ - ParseNginx function: Support include on absolute paths - ParseNginx function: Ignore empty included wildcards - Set 'RHEL' as OS_NAME for Red Hat Enterprise Linux +- Test if pgrep exists before using it - French translation improved - Small code enhancements From 67d04f25367bc069e717c7b811c0c6e13eeedcf6 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?St=C3=A9phane?= Date: Thu, 22 Oct 2020 00:13:42 +0200 Subject: [PATCH 286/355] Add translate function for all sections + add EN and FR up to date languages files --- db/languages/en | 45 ++++++++++++++++++++++++- db/languages/fr | 59 ++++++++++++++++++++++++++++----- include/binaries | 2 +- include/helper_audit_dockerfile | 10 +++--- include/tests_accounting | 2 +- include/tests_authentication | 2 +- include/tests_banners | 2 +- include/tests_boot_services | 2 +- include/tests_containers | 2 +- include/tests_crypto | 2 +- include/tests_databases | 2 +- include/tests_file_integrity | 2 +- include/tests_file_permissions | 2 +- include/tests_filesystems | 2 +- include/tests_firewalls | 2 +- include/tests_hardening | 2 +- include/tests_homedirs | 2 +- include/tests_insecure_services | 2 +- include/tests_kernel | 2 +- include/tests_kernel_hardening | 2 +- include/tests_ldap | 2 +- include/tests_logging | 2 +- include/tests_mac_frameworks | 2 +- include/tests_mail_messaging | 2 +- include/tests_malware | 2 +- include/tests_nameservices | 2 +- include/tests_networking | 2 +- include/tests_ports_packages | 2 +- include/tests_printers_spoolers | 2 +- include/tests_scheduling | 2 +- include/tests_shells | 2 +- include/tests_snmp | 2 +- include/tests_squid | 2 +- include/tests_ssh | 2 +- include/tests_storage | 2 +- include/tests_system_integrity | 2 +- include/tests_time | 2 +- include/tests_tooling | 2 +- include/tests_usb | 2 +- include/tests_virtualization | 2 +- include/tests_webservers | 2 +- lynis | 4 +-- 42 files changed, 140 insertions(+), 54 deletions(-) diff --git a/db/languages/en b/db/languages/en index 7b697896..7ab20590 100644 --- a/db/languages/en +++ b/db/languages/en 
@@ -14,12 +14,55 @@ NOTE_EXCEPTIONS_FOUND="Exceptions found" NOTE_EXCEPTIONS_FOUND_DETAILED="Some exceptional events or information was found" NOTE_PLUGINS_TAKE_TIME="Note: plugins have more extensive tests and may take several minutes to complete" NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Skipped tests due to non-privileged mode" +SECTION_ACCOUNTING="Accounting" +SECTION_BANNERS_AND_IDENTIFICATION="Banners and identification" +SECTION_BASICS="Basics" +SECTION_BOOT_AND_SERVICES="Boot and services" +SECTION_CONTAINERS="Containers" +SECTION_CRYPTOGRAPHY="Cryptography" SECTION_CUSTOM_TESTS="Custom tests" SECTION_DATA_UPLOAD="Data upload" +SECTION_DATABASES="Databases" +SECTION_DOWNLOADS="Downloads" +SECTION_EMAIL_AND_MESSAGING="Software: e-mail and messaging" +SECTION_FILE_INTEGRITY="Software: file integrity" +SECTION_FILE_PERMISSIONS="File Permissions" +SECTION_FILE_SYSTEMS="File systems" +SECTION_FIREWALLS="Software: firewalls" +SECTION_GENERAL="General" +SECTION_HARDENING="Hardening" +SECTION_HOME_DIRECTORIES="Home directories" +SECTION_IMAGE="Image" SECTION_INITIALIZING_PROGRAM="Initializing program" -SECTION_MALWARE="Malware" +SECTION_INSECURE_SERVICES="Insecure services" +SECTION_KERNEL="Kernel" +SECTION_KERNEL_HARDENING="Kernel Hardening" +SECTION_LDAP_SERVICES="LDAP Services" +SECTION_LOGGING_AND_FILES="Logging and files" +SECTION_MALWARE="Software: Malware" SECTION_MEMORY_AND_PROCESSES="Memory and Processes" +SECTION_NAME_SERVICES="Name services" +SECTION_NETWORKING="Networking" +SECTION_PERMISSIONS="Permissions" +SECTION_PORTS_AND_PACKAGES="Ports and packages" +SECTION_PRINTERS_AND_SPOOLS="Printers and Spools" +SECTION_PROGRAM_DETAILS="Program Details" +SECTION_SCHEDULED_TASKS="Scheduled tasks" +SECTION_SECURITY_FRAMEWORKS="Security frameworks" +SECTION_SHELLS="Shells" +SECTION_SNMP_SUPPORT="SNMP Support" +SECTION_SOFTWARE="Software" +SECTION_SQUID_SUPPORT="Squid Support" +SECTION_SSH_SUPPORT="SSH Support" +SECTION_STORAGE="Storage" 
+SECTION_SYSTEM_INTEGRITY="Software: System integrity" +SECTION_SYSTEM_TOOLING="Software: System tooling" SECTION_SYSTEM_TOOLS="System tools" +SECTION_TIME_AND_SYNCHRONIZATION="Time and Synchronization" +SECTION_USB_DEVICES="USB Devices" +SECTION_USERS_GROUPS_AND_AUTHENTICATION="Users, Groups and Authentication" +SECTION_VIRTUALIZATION="Virtualization" +SECTION_WEBSERVER="Software: webserver" STATUS_DISABLED="DISABLED" STATUS_DONE="DONE" STATUS_ENABLED="ENABLED" diff --git a/db/languages/fr b/db/languages/fr index 848dd94e..0a867eee 100644 --- a/db/languages/fr +++ b/db/languages/fr @@ -2,7 +2,7 @@ ERROR_NO_LICENSE="Pas de clé de licence configurée" ERROR_NO_UPLOAD_SERVER="Pas de serveur de transfert configuré" GEN_CHECKING="Vérification" GEN_CURRENT_VERSION="Version actuelle" -GEN_DEBUG_MODE="mode debug" +GEN_DEBUG_MODE="mode débug" GEN_INITIALIZE_PROGRAM="Initialisation" GEN_LATEST_VERSION="Dernière version" GEN_PHASE="phase" 
@@ -12,34 +12,77 @@ GEN_VERBOSE_MODE="mode verbeux" GEN_WHAT_TO_DO="Que faire" NOTE_EXCEPTIONS_FOUND="Exceptions trouvées" NOTE_EXCEPTIONS_FOUND_DETAILED="Des événements ou informations exceptionnels ont été trouvés" -NOTE_PLUGINS_TAKE_TIME="Note : Les plugins ont des tests plus poussés et peuvent prendre plusieurs minutes" +NOTE_PLUGINS_TAKE_TIME="Note : Les plugins ont des tests plus poussés qui peuvent prendre plusieurs minutes" NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Tests ignorés faute de privilèges" +SECTION_ACCOUNTING="Comptes" +SECTION_BANNERS_AND_IDENTIFICATION="Bannières et identification" +SECTION_BASICS="Basics" +SECTION_BOOT_AND_SERVICES="Démarrage et services" +SECTION_CONTAINERS="Conteneurs" +SECTION_CRYPTOGRAPHY="Cryptographie" SECTION_CUSTOM_TESTS="Tests personnalisés" SECTION_DATA_UPLOAD="Téléchargement de données" +SECTION_DATABASES="Bases de données" +SECTION_DOWNLOADS="Téléchargements" +SECTION_EMAIL_AND_MESSAGING="Logiciel : Email et messagerie" +SECTION_FILE_INTEGRITY="Logiciel : Intégrité de fichier" +SECTION_FILE_PERMISSIONS="Permissions de fichier" +SECTION_FILE_SYSTEMS="Systèmes de fichier" +SECTION_FIREWALLS="Logiciel : Pare-feux" +SECTION_GENERAL="Général" +SECTION_HARDENING="Hardening" +SECTION_HOME_DIRECTORIES="Home directories" +SECTION_IMAGE="Image" SECTION_INITIALIZING_PROGRAM="Initialisation du programme" -SECTION_MALWARE="Malware" +SECTION_INSECURE_SERVICES="Services non sécurisés" +SECTION_KERNEL="Noyau" +SECTION_KERNEL_HARDENING="Kernel Hardening" +SECTION_LDAP_SERVICES="Services LDAP" +SECTION_LOGGING_AND_FILES="Journalisation et fichiers" +SECTION_MALWARE="Logiciel : Malware" SECTION_MEMORY_AND_PROCESSES="Mémoire et processus" +SECTION_NAME_SERVICES="Services de noms" +SECTION_NETWORKING="Mise en réseau" +SECTION_PERMISSIONS="Permissions" +SECTION_PORTS_AND_PACKAGES="Ports et packages" +SECTION_PRINTERS_AND_SPOOLS="Imprimantes et serveurs d'impression" +SECTION_PROGRAM_DETAILS="Détails du programme" 
+SECTION_SCHEDULED_TASKS="Tâches planifiées" +SECTION_SECURITY_FRAMEWORKS="Security frameworks" +SECTION_SHELLS="Shells" +SECTION_SNMP_SUPPORT="Prise en charge SNMP" +SECTION_SOFTWARE="Logiciel" +SECTION_SQUID_SUPPORT="Prise en charge Squid" +SECTION_SSH_SUPPORT="Prise en charge SSH" +SECTION_STORAGE="Stockage" +SECTION_SYSTEM_INTEGRITY="Logiciel : Intégrité du système" +SECTION_SYSTEM_TOOLING="Logiciel : System tooling" SECTION_SYSTEM_TOOLS="Outils système" +SECTION_TIME_AND_SYNCHRONIZATION="Heure et synchronisation" +SECTION_USB_DEVICES="Périphériques USB" +SECTION_USERS_GROUPS_AND_AUTHENTICATION="Utilisateurs, groupes et authentification" +SECTION_VIRTUALIZATION="Virtualisation" +SECTION_WEBSERVER="Logiciel : Serveur web" STATUS_DISABLED="DÉSACTIVÉ" STATUS_DONE="FAIT" STATUS_ENABLED="ACTIVÉ" STATUS_ERROR="ERREUR" STATUS_FAILED="ÉCHOUÉ" STATUS_FOUND="TROUVÉ" -STATUS_OFF="OFF" -STATUS_OK="OK" -STATUS_ON="ON" STATUS_NO="NON" STATUS_NONE="AUCUN" STATUS_NOT_CONFIGURED="NON CONFIGURÉ" STATUS_NOT_FOUND="NON TROUVÉ" STATUS_NOT_RUNNING="NON LANCÉ" +STATUS_OFF="OFF" +STATUS_OK="OK" +STATUS_ON="ON" STATUS_RUNNING="EN COURS" STATUS_SKIPPED="IGNORÉ" STATUS_SUGGESTION="SUGGESTION" STATUS_UNKNOWN="INCONNU" -STATUS_WARNING="ATTENTION" +STATUS_WARNING="AVERTISSEMENT" STATUS_WEAK="FAIBLE" STATUS_YES="OUI" -TEXT_YOU_CAN_HELP_LOGFILE="Vous pouvez aider en envoyant votre fichier journal" TEXT_UPDATE_AVAILABLE="Mise à jour disponible" +TEXT_YOU_CAN_HELP_LOGFILE="Vous pouvez aider en envoyant votre fichier journal" diff --git a/include/binaries b/include/binaries index ae2c2824..86a4a22f 100644 --- a/include/binaries +++ b/include/binaries @@ -30,7 +30,7 @@ ################################################################################# # if [ ${CHECK_BINARIES} -eq 1 ]; then - InsertSection "System Tools" + InsertSection "${SECTION_SYSTEM_TOOLS}" Display --indent 2 --text "- Scanning available tools..." LogText "Start scanning for available audit binaries and tools..." 
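Review bot: `InsertSection "${SECTION_SYSTEM_TOOLS}"` in the include/binaries hunk, like the other section headers in this commit, now depends on the active language file defining every `SECTION_*` key, yet only `db/languages/en` and `fr` appear in the diffstat; with any other language the title expands to an empty string unless the language loader falls back to the English values, which is not visible here. A defensive form is `InsertSection "${SECTION_SYSTEM_TOOLS:-System Tools}"`, or alternatively make `InsertSection` reject an empty title, so a missing translation key degrades to the previous literal instead of a blank heading. The enclosing `if [ ${CHECK_BINARIES} -eq 1 ]` block closes outside the hunk.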
diff --git a/include/helper_audit_dockerfile b/include/helper_audit_dockerfile index 05d24c24..a71326ee 100644 --- a/include/helper_audit_dockerfile +++ b/include/helper_audit_dockerfile @@ -44,7 +44,7 @@ fi ################################################################################################## # - InsertSection "Image" + InsertSection "${SECTION_IMAGE}" PKGMGR="" FIND=$(grep "^FROM" ${AUDIT_FILE} | sed 's/ /:space:/g') @@ -93,7 +93,7 @@ fi # ################################################################################################## # - InsertSection "Basics" + InsertSection "${SECTION_BASICS}" MAINTAINER=$(grep -E -i "*MAINTAINER" ${AUDIT_FILE} | sed 's/=/ /g' | cut -d'"' -f 2) if [ -z "${MAINTAINER}" ]; then @@ -127,7 +127,7 @@ fi # ################################################################################################## # - InsertSection "Software" + InsertSection "${SECTION_SOFTWARE}" case $PKGMGR in "apt") @@ -166,7 +166,7 @@ fi # ################################################################################################## # - InsertSection "Downloads" + InsertSection "${SECTION_DOWNLOADS}" FILE_DOWNLOAD=0 @@ -217,7 +217,7 @@ fi # ################################################################################################## # - InsertSection "Permissions" + InsertSection "${SECTION_PERMISSIONS}" FIND=$(grep -i "chmod 777" ${AUDIT_FILE}) if HasData "${FIND}"; then diff --git a/include/tests_accounting b/include/tests_accounting index 91fca1a0..ea763789 100644 --- a/include/tests_accounting +++ b/include/tests_accounting @@ -18,7 +18,7 @@ # ################################################################################# # - InsertSection "Accounting" + InsertSection "${SECTION_ACCOUNTING}" # ################################################################################# # diff --git a/include/tests_authentication b/include/tests_authentication index 3dbe08f7..274cd4f4 100644 --- a/include/tests_authentication 
+++ b/include/tests_authentication @@ -31,7 +31,7 @@ # ################################################################################# # - InsertSection "Users, Groups and Authentication" + InsertSection "${SECTION_USERS_GROUPS_AND_AUTHENTICATION}" # Test : AUTH-9204 # Description : Check users with UID zero (0) diff --git a/include/tests_banners b/include/tests_banners index 60fa3c2e..f7e4d7e9 100644 --- a/include/tests_banners +++ b/include/tests_banners @@ -22,7 +22,7 @@ # ################################################################################# # - InsertSection "Banners and identification" + InsertSection "${SECTION_BANNERS_AND_IDENTIFICATION}" # ################################################################################# # diff --git a/include/tests_boot_services b/include/tests_boot_services index fe5707e4..c86ca52c 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services @@ -22,7 +22,7 @@ # ################################################################################# # - InsertSection "Boot and services" + InsertSection "${SECTION_BOOT_AND_SERVICES}" # ################################################################################# # diff --git a/include/tests_containers b/include/tests_containers index a9a18836..78c12c50 100644 --- a/include/tests_containers +++ b/include/tests_containers @@ -22,7 +22,7 @@ # ################################################################################# # - InsertSection "Containers" + InsertSection "${SECTION_CONTAINERS}" # ################################################################################# # diff --git a/include/tests_crypto b/include/tests_crypto index d4a90cc2..4885fab0 100644 --- a/include/tests_crypto +++ b/include/tests_crypto 
@@ -26,7 +26,7 @@ # ################################################################################# # - InsertSection "Cryptography" + InsertSection "${SECTION_CRYPTOGRAPHY}" # ################################################################################# # diff --git a/include/tests_databases b/include/tests_databases index ace3fd67..fc44d690 100644 --- a/include/tests_databases +++ b/include/tests_databases @@ -39,7 +39,7 @@ # ################################################################################# # - InsertSection "Databases" + InsertSection "${SECTION_DATABASES}" # Test : DBS-1804 # Description : Check if MySQL is being used diff --git a/include/tests_file_integrity b/include/tests_file_integrity index 728c2616..c06b1703 100644 --- a/include/tests_file_integrity +++ b/include/tests_file_integrity @@ -25,7 +25,7 @@ # ################################################################################# # - InsertSection "Software: file integrity" + InsertSection "${SECTION_FILE_INTEGRITY}" Display --indent 2 --text "- Checking file integrity tools" # ################################################################################# diff --git a/include/tests_file_permissions b/include/tests_file_permissions index e9e859fd..50ccdeee 100644 --- a/include/tests_file_permissions +++ b/include/tests_file_permissions @@ -22,7 +22,7 @@ # ################################################################################# # - InsertSection "File Permissions" + InsertSection "${SECTION_FILE_PERMISSIONS}" # ################################################################################# # diff --git a/include/tests_filesystems b/include/tests_filesystems index bfe451ab..8dc65acc 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems 
@@ -28,7 +28,7 @@ # ################################################################################# # - InsertSection "File systems" + InsertSection "${SECTION_FILE_SYSTEMS}" # ################################################################################# # diff --git a/include/tests_firewalls b/include/tests_firewalls index d3ff1e3d..4d0ba748 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls @@ -22,7 +22,7 @@ # ################################################################################# # - InsertSection "Software: firewalls" + InsertSection "${SECTION_FIREWALLS}" # ################################################################################# # diff --git a/include/tests_hardening b/include/tests_hardening index 2f88b179..4feff7c6 100644 --- a/include/tests_hardening +++ b/include/tests_hardening @@ -18,7 +18,7 @@ # ################################################################################# # - InsertSection "Hardening" + InsertSection "${SECTION_HARDENING}" # COMPILER_INSTALLED is initialized before HARDEN_COMPILERS_NEEDED=0 diff --git a/include/tests_homedirs b/include/tests_homedirs index 09f4601c..c896bf86 100644 --- a/include/tests_homedirs +++ b/include/tests_homedirs @@ -22,7 +22,7 @@ # ################################################################################# # - InsertSection "Home directories" + InsertSection "${SECTION_HOME_DIRECTORIES}" # ################################################################################# # diff --git a/include/tests_insecure_services b/include/tests_insecure_services index d6d87245..230d117e 100644 --- a/include/tests_insecure_services +++ b/include/tests_insecure_services @@ -22,7 +22,7 @@ # ################################################################################# # - InsertSection "Insecure services" + InsertSection "${SECTION_INSECURE_SERVICES}" # ################################################################################# # 
diff --git a/include/tests_kernel b/include/tests_kernel index 656048e9..d0f5cdcd 100644 --- a/include/tests_kernel +++ b/include/tests_kernel @@ -22,7 +22,7 @@ # ################################################################################# # - InsertSection "Kernel" + InsertSection "${SECTION_KERNEL}" # ################################################################################# # diff --git a/include/tests_kernel_hardening b/include/tests_kernel_hardening index 59a5f846..2b45394e 100644 --- a/include/tests_kernel_hardening +++ b/include/tests_kernel_hardening @@ -22,7 +22,7 @@ # ################################################################################# # - InsertSection "Kernel Hardening" + InsertSection "${SECTION_KERNEL_HARDENING}" # ################################################################################# # diff --git a/include/tests_ldap b/include/tests_ldap index 26d11965..7558d491 100644 --- a/include/tests_ldap +++ b/include/tests_ldap @@ -22,7 +22,7 @@ # ################################################################################# # - InsertSection "LDAP Services" + InsertSection "${SECTION_LDAP_SERVICES}" # ################################################################################# # diff --git a/include/tests_logging b/include/tests_logging index 292940e3..b6110263 100644 --- a/include/tests_logging +++ b/include/tests_logging @@ -36,7 +36,7 @@ # ################################################################################# # - InsertSection "Logging and files" + InsertSection "${SECTION_LOGGING_AND_FILES}" # Test : LOGG-2130 # Description : Check for a running syslog daemon diff --git a/include/tests_mac_frameworks b/include/tests_mac_frameworks index 3f23c77e..5234ab36 100644 --- a/include/tests_mac_frameworks +++ b/include/tests_mac_frameworks 
@@ -24,7 +24,7 @@ SELINUXFOUND=0 TOMOYOFOUND=0 - InsertSection "Security frameworks" + InsertSection "${SECTION_SECURITY_FRAMEWORKS}" # ################################################################################# # diff --git a/include/tests_mail_messaging b/include/tests_mail_messaging index 3a65765c..cbbde8a0 100644 --- a/include/tests_mail_messaging +++ b/include/tests_mail_messaging @@ -22,7 +22,7 @@ # ################################################################################# # - InsertSection "Software: e-mail and messaging" + InsertSection "${SECTION_EMAIL_AND_MESSAGING}" # ################################################################################# # diff --git a/include/tests_malware b/include/tests_malware index 5e3c6fca..3710be60 100644 --- a/include/tests_malware +++ b/include/tests_malware @@ -22,7 +22,7 @@ # ################################################################################# # - InsertSection "Software: ${SECTION_MALWARE}" + InsertSection "${SECTION_MALWARE}" # ################################################################################# # diff --git a/include/tests_nameservices b/include/tests_nameservices index df41fbc9..46f4f1fb 100644 --- a/include/tests_nameservices +++ b/include/tests_nameservices @@ -22,7 +22,7 @@ # ################################################################################# # - InsertSection "Name services" + InsertSection "${SECTION_NAME_SERVICES}" # ################################################################################# # diff --git a/include/tests_networking b/include/tests_networking index 420f26ea..9657a841 100644 --- a/include/tests_networking +++ b/include/tests_networking @@ -31,7 +31,7 @@ # ################################################################################# # - InsertSection "Networking" + InsertSection "${SECTION_NETWORKING}" # ################################################################################# # 
diff --git a/include/tests_ports_packages b/include/tests_ports_packages index e1071474..c2978be6 100644 --- a/include/tests_ports_packages +++ b/include/tests_ports_packages @@ -22,7 +22,7 @@ # ################################################################################# # - InsertSection "Ports and packages" + InsertSection "${SECTION_PORTS_AND_PACKAGES}" PACKAGE_MGR_PKG=0 PACKAGE_AUDIT_TOOL="" PACKAGE_AUDIT_TOOL_FOUND=0 diff --git a/include/tests_printers_spoolers b/include/tests_printers_spoolers index b8435493..61304f87 100644 --- a/include/tests_printers_spoolers +++ b/include/tests_printers_spoolers @@ -34,7 +34,7 @@ # ################################################################################# # - InsertSection "Printers and Spools" + InsertSection "${SECTION_PRINTERS_AND_SPOOLS}" # ################################################################################# # diff --git a/include/tests_scheduling b/include/tests_scheduling index a7b3f5c2..b461ba95 100644 --- a/include/tests_scheduling +++ b/include/tests_scheduling @@ -22,7 +22,7 @@ # ################################################################################# # - InsertSection "Scheduled tasks" + InsertSection "${SECTION_SCHEDULED_TASKS}" # ################################################################################# # diff --git a/include/tests_shells b/include/tests_shells index 6f39e1fd..89be9979 100644 --- a/include/tests_shells +++ b/include/tests_shells @@ -23,7 +23,7 @@ ################################################################################# # IDLE_TIMEOUT=0 - InsertSection "Shells" + InsertSection "${SECTION_SHELLS}" # ################################################################################# # diff --git a/include/tests_snmp b/include/tests_snmp index d8ce450d..0bf785f0 100644 --- a/include/tests_snmp +++ b/include/tests_snmp 
@@ -28,7 +28,7 @@ # ################################################################################# # - InsertSection "SNMP Support" + InsertSection "${SECTION_SNMP_SUPPORT}" # Test : SNMP-3302 # Description : Check for a running SNMP daemon diff --git a/include/tests_squid b/include/tests_squid index f94befa0..d62310a3 100644 --- a/include/tests_squid +++ b/include/tests_squid @@ -29,7 +29,7 @@ # ################################################################################# # - InsertSection "Squid Support" + InsertSection "${SECTION_SQUID_SUPPORT}" # ################################################################################# # diff --git a/include/tests_ssh b/include/tests_ssh index bd02440c..43c678b9 100644 --- a/include/tests_ssh +++ b/include/tests_ssh @@ -34,7 +34,7 @@ # ################################################################################# # - InsertSection "SSH Support" + InsertSection "${SECTION_SSH_SUPPORT}" # ################################################################################# # diff --git a/include/tests_storage b/include/tests_storage index 6de4f15d..89431aa0 100644 --- a/include/tests_storage +++ b/include/tests_storage @@ -18,7 +18,7 @@ # ################################################################################# # - InsertSection "Storage" + InsertSection "${SECTION_STORAGE}" # ################################################################################# # diff --git a/include/tests_system_integrity b/include/tests_system_integrity index 7a21925b..825f3d70 100644 --- a/include/tests_system_integrity +++ b/include/tests_system_integrity @@ -25,7 +25,7 @@ # ################################################################################# # - InsertSection "Software: system integrity" + InsertSection "${SECTION_SYSTEM_INTEGRITY}" Display --indent 2 --text "- Checking file integrity tools" # ################################################################################# 
diff --git a/include/tests_time b/include/tests_time index 3c5a8477..95c695bc 100644 --- a/include/tests_time +++ b/include/tests_time @@ -22,7 +22,7 @@ # ################################################################################# # - InsertSection "Time and Synchronization" + InsertSection "${SECTION_TIME_AND_SYNCHRONIZATION}" # ################################################################################# # diff --git a/include/tests_tooling b/include/tests_tooling index 7fed8460..26870934 100644 --- a/include/tests_tooling +++ b/include/tests_tooling @@ -37,7 +37,7 @@ # ################################################################################# # - InsertSection "Software: System tooling" + InsertSection "${SECTION_SYSTEM_TOOLING}" # ################################################################################# # diff --git a/include/tests_usb b/include/tests_usb index 1c6cae6d..92c81a32 100644 --- a/include/tests_usb +++ b/include/tests_usb @@ -19,7 +19,7 @@ # ################################################################################# # - InsertSection "USB Devices" + InsertSection "${SECTION_USB_DEVICES}" # ################################################################################# # diff --git a/include/tests_virtualization b/include/tests_virtualization index 3902defc..e4df170e 100644 --- a/include/tests_virtualization +++ b/include/tests_virtualization @@ -22,7 +22,7 @@ # ################################################################################# # - InsertSection "Virtualization" + InsertSection "${SECTION_VIRTUALIZATION}" # ################################################################################# # diff --git a/include/tests_webservers b/include/tests_webservers index 188a6031..45588492 100644 --- a/include/tests_webservers +++ b/include/tests_webservers 
@@ -22,7 +22,7 @@ # ################################################################################# # - InsertSection "Software: webserver" + InsertSection "${SECTION_WEBSERVER}" # ################################################################################# # diff --git a/lynis b/lynis index 17cd9e91..e7af15da 100755 --- a/lynis +++ b/lynis @@ -862,7 +862,7 @@ ${NORMAL} ################################################################################# # if IsVerbose; then - InsertSection "Program Details" + InsertSection "${SECTION_PROGRAM_DETAILS}" Display --indent 2 --text "- ${GEN_VERBOSE_MODE}" --result "YES" --color GREEN if IsDebug; then Display --indent 2 --text "- ${GEN_DEBUG_MODE}" --result "YES" --color GREEN @@ -1017,7 +1017,7 @@ ${NORMAL} LogText "Exception: skipping test category ${INCLUDE_TEST}, file ${INCLUDE_FILE} has bad permissions (should be 640, 600 or 400)" ReportWarning "NONE" "Invalid permissions on tests file tests_${INCLUDE_TEST}" # Insert a section and warn user also on screen - InsertSection "General" + InsertSection "${SECTION_GENERAL}" Display --indent 2 --text "- Running test category ${INCLUDE_TEST}... " --result "SKIPPED" --color RED fi else From 4671fb7fb93598d38e315a7be6709752b553b995 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Thu, 22 Oct 2020 12:10:01 +0200 Subject: [PATCH 287/355] add Synology Antivirus Essential malware scanner MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- include/binaries | 1 + include/tests_malware | 12 ++++++++++++ 2 files changed, 13 insertions(+) diff --git a/include/binaries b/include/binaries index 86a4a22f..a07d34ad 100644 --- a/include/binaries +++ b/include/binaries 
@@ -287,6 +287,7 @@ suricata) SURICATABINARY="${BINARY}"; LogText " Found known binary: suricata (IDS) - ${BINARY}" ;; swapon) SWAPONBINARY="${BINARY}"; LogText " Found known binary: swapon (swap device tool) - ${BINARY}" ;; swupd) SWUPDBINARY="${BINARY}"; LogText " Found known binary: swupd (package manager) - ${BINARY}" ;; + synoavd) SYNOAVDBINARY=${BINARY}; LogText " Found known binary: synoavd (Synology AV scanner) - ${BINARY}" ;; sysctl) SYSCTLBINARY="${BINARY}"; LogText " Found known binary: sysctl (kernel parameters) - ${BINARY}" ;; syslog-ng) SYSLOGNGBINARY="${BINARY}"; SYSLOGNGVERSION=$(${BINARY} -V 2>&1 | grep "^syslog-ng" | awk '{ print $2 }'); LogText "Found ${BINARY} (version ${SYSLOGNGVERSION})" ;; systemctl) SYSTEMCTLBINARY="${BINARY}"; LogText " Found known binary: systemctl (client to systemd) - ${BINARY}" ;; diff --git a/include/tests_malware b/include/tests_malware index 3710be60..3c2cd72d 100644 --- a/include/tests_malware +++ b/include/tests_malware @@ -39,6 +39,7 @@ MALWARE_SCANNER_INSTALLED=0 SOPHOS_SCANNER_RUNNING=0 SYMANTEC_SCANNER_RUNNING=0 + SYNOLOGY_DAEMON_RUNNING=0 # ################################################################################# # @@ -239,6 +240,17 @@ Report "malware_scanner[]=symantec" fi + # Synology Antivirus Essential + LogText "Test: checking process synoavd" + if IsRunning "synoavd"; then + FOUND=1 + SYNOLOGY_DAEMON_RUNNING=1 + MALWARE_SCANNER_INSTALLED=1 + if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Synology Antivirus Essential" --result "${STATUS_FOUND}" --color GREEN; fi + LogText "Result: found Synology Antivirus Essential" + Report "malware_scanner[]=synoavd" + fi + # TrendMicro (macOS) LogText "Test: checking process TmccMac to test for Trend Micro anti-virus (macOS)" if IsRunning "TmccMac"; then From 9f9fd51e1db93897bc58e29307478b378cdcb0e7 Mon Sep 17 00:00:00 2001 
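Review bot: The new `synoavd)` case in include/binaries assigns `SYNOAVDBINARY=${BINARY}` without the double quotes that every neighbouring case uses (`SWUPDBINARY="${BINARY}"`, `SYSCTLBINARY="${BINARY}"`). An assignment is not word-split, so this is not a functional bug, but the inconsistency stands out in a file that otherwise quotes the expansion on every line. Change it to `synoavd) SYNOAVDBINARY="${BINARY}"; LogText " Found known binary: synoavd (Synology AV scanner) - ${BINARY}" ;;`.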
From: Michael Boelen Date: Thu, 22 Oct 2020 13:26:46 +0200 Subject: [PATCH 288/355] Updated log --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a21e03bf..db5b05ea 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,8 +14,9 @@ - ParseNginx function: Support include on absolute paths - ParseNginx function: Ignore empty included wildcards - Set 'RHEL' as OS_NAME for Red Hat Enterprise Linux +- French translation file improved and translations extended - Test if pgrep exists before using it -- French translation improved +- Better support for busybox shell - Small code enhancements --------------------------------------------------------------------------------- From 0467df631460ec65e1b3a8dbd8875cce2715357c Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Thu, 22 Oct 2020 13:28:58 +0200 Subject: [PATCH 289/355] Updated log --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index db5b05ea..edb1f41e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,11 +4,12 @@ ### Added - Detection of Flatcar, Mageia, ROSA Linux, SLES (extended), Void Linux, Zorin OS -- macOS and Mageia EOL dates +- Alpine, macOS and Mageia EOL dates ### Changed - KRNL-5830 - Improved reboot test by ignoring known bad values - KRNL-5830 - Ignore rescue kernel such as on CentOS systems +- KRNL-5830 - Detection of Alpine Linux kernel - PKGS-7410 - Don't show exception if no kernels were found on the disk - TIME-3185 - Supports now checking files at multiple locations (systemd) - ParseNginx function: Support include on absolute paths From bd6e1d5d395536963a5d66a95c147435cd7d914b Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Thu, 22 Oct 2020 14:17:01 +0200 Subject: [PATCH 290/355] Include AUTH-9284 and minor changes --- CHANGELOG.md | 1 + db/tests.db | 1 + include/tests_authentication | 8 ++++---- 3 files changed, 6 insertions(+), 4 deletions(-) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index edb1f41e..69123178 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ ## Lynis 3.0.2 (not released yet) ### Added +- AUTH-9284 - Scan for locked user accounts in /etc/passwd - Detection of Flatcar, Mageia, ROSA Linux, SLES (extended), Void Linux, Zorin OS - Alpine, macOS and Mageia EOL dates diff --git a/db/tests.db b/db/tests.db index 26fc8f87..6efe1a1a 100644 --- a/db/tests.db +++ b/db/tests.db @@ -37,6 +37,7 @@ AUTH-9268:test:security:authentication::Checking presence pam.d files: AUTH-9278:test:security:authentication::Checking LDAP pam status: AUTH-9282:test:security:authentication::Checking password protected account without expire date: AUTH-9283:test:security:authentication::Checking accounts without password: +AUTH-9284:test:security:authentication::Checking locked user accounts in /etc/passwd: AUTH-9286:test:security:authentication::Checking user password aging: AUTH-9288:test:security:authentication::Checking for expired passwords: AUTH-9304:test:security:authentication:Solaris:Check single user login configuration: diff --git a/include/tests_authentication b/include/tests_authentication index a3c97bff..6186881a 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -927,8 +927,8 @@ ################################################################################# # # Test : AUTH-9284 - # Description : Search locked accounts - Register --test-no AUTH-9284 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking locked accounts" + # Description : Check locked user accounts in /etc/passwd + Register --test-no AUTH-9284 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check locked user accounts in /etc/passwd" if [ "${SKIPTEST}" -eq 0 ]; then LogText "Test: Checking locked accounts" NON_SYSTEM_ACCOUNTS=$(${AWKBINARY} -F : '$3 > 999 && $3 != 65534 {print $1}' /etc/passwd | sort | uniq) 
@@ -946,11 +946,11 @@ for account in ${FIND3}; do if echo "${NON_SYSTEM_ACCOUNTS}" | grep -w "${account}" > /dev/null ; then LogText "Locked account: ${account}" - Report "locked_account=${account}" + Report "locked_account[]=${account}" fi done Display --indent 2 --text "- Locked accounts" --result "${STATUS_WARNING}" --color RED - ReportWarning "${TEST_NO}" "Found locked accounts" + ReportSuggestion "${TEST_NO}" "Look at the locked accounts and consider removing them" fi fi # From 299f531dcbef92545a0d3b50e017571ea5523916 Mon Sep 17 00:00:00 2001 From: Steve Kolenich Date: Thu, 22 Oct 2020 12:17:00 -0400 Subject: [PATCH 291/355] sorted italian language file --- db/languages/it | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/db/languages/it b/db/languages/it index 4ff32699..46ed8360 100644 --- a/db/languages/it +++ b/db/languages/it 
@@ -1,38 +1,38 @@ +ERROR_NO_LICENSE="Nessuna chiave di licenza configurata" +ERROR_NO_UPLOAD_SERVER="Nessun server di upload configurato" GEN_CHECKING="Controllo" GEN_CURRENT_VERSION="Versione corrente" GEN_DEBUG_MODE="Modalità Debug" GEN_INITIALIZE_PROGRAM="Inizializzando il programma" GEN_PHASE="fase" GEN_PLUGINS_ENABLED="Plugin abilitati" -GEN_VERBOSE_MODE="Modalità Verbose" GEN_UPDATE_AVAILABLE="aggiornamento disponibile" +GEN_VERBOSE_MODE="Modalità Verbose" GEN_WHAT_TO_DO="Cosa fare" NOTE_EXCEPTIONS_FOUND="Trovate Eccezioni" NOTE_EXCEPTIONS_FOUND_DETAILED="Sono stati rilevati alcuni eventi o informazioni eccezionali" NOTE_PLUGINS_TAKE_TIME="Nota: i plugin sono sottoposti a test più estesi e possono richiedere alcuni minuti per il completamento" +NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Test saltati a causa della modalità di esecuzione non privilegiata" SECTION_CUSTOM_TESTS="Test su misura (Custom)" SECTION_MALWARE="Malware" SECTION_MEMORY_AND_PROCESSES="Memoria e Processi" +STATUS_DISABLED="DISABILITATO" STATUS_DONE="FATTO" +STATUS_ENABLED="ABILITATO" +STATUS_ERROR="ERRORE" STATUS_FOUND="TROVATO" -STATUS_YES="SI" STATUS_NO="NO" -STATUS_OFF="OFF" -STATUS_OK="OK" -STATUS_ON="ON" STATUS_NONE="NESSUNO" STATUS_NOT_FOUND="NON TROVATO" STATUS_NOT_RUNNING="NON IN ESECUZIONE" +STATUS_OFF="OFF" +STATUS_OK="OK" +STATUS_ON="ON" STATUS_RUNNING="IN ESECUZIONE" STATUS_SKIPPED="SALTATO" STATUS_SUGGESTION="SUGGERIMENTO" STATUS_UNKNOWN="SCONOSCIUTO" STATUS_WARNING="ATTENZIONE" -TEXT_YOU_CAN_HELP_LOGFILE="Puoi aiutare fornendoci il tuo file di log" +STATUS_YES="SI" TEXT_UPDATE_AVAILABLE="aggiornamento disponibile" -NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Test saltati a causa della modalità di esecuzione non privilegiata" -STATUS_DISABLED="DISABILITATO" -STATUS_ENABLED="ABILITATO" -STATUS_ERROR="ERRORE" -ERROR_NO_LICENSE="Nessuna chiave di licenza configurata" -ERROR_NO_UPLOAD_SERVER="Nessun server di upload configurato" +TEXT_YOU_CAN_HELP_LOGFILE="Puoi aiutare fornendoci il tuo file di 
log" From 806ba69b36de5a46ef4a9a56fd941780176ca0b1 Mon Sep 17 00:00:00 2001 From: Steve Kolenich Date: Thu, 22 Oct 2020 14:27:14 -0400 Subject: [PATCH 292/355] Add values for Italian --- db/languages/it | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/db/languages/it b/db/languages/it index 46ed8360..e22b9837 100644 --- a/db/languages/it +++ b/db/languages/it @@ -4,6 +4,7 @@ GEN_CHECKING="Controllo" GEN_CURRENT_VERSION="Versione corrente" GEN_DEBUG_MODE="Modalità Debug" GEN_INITIALIZE_PROGRAM="Inizializzando il programma" +GEN_LATEST_VERSION="Versione ultima" GEN_PHASE="fase" GEN_PLUGINS_ENABLED="Plugin abilitati" GEN_UPDATE_AVAILABLE="aggiornamento disponibile" @@ -14,15 +15,23 @@ NOTE_EXCEPTIONS_FOUND_DETAILED="Sono stati rilevati alcuni eventi o informazioni NOTE_PLUGINS_TAKE_TIME="Nota: i plugin sono sottoposti a test più estesi e possono richiedere alcuni minuti per il completamento" NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Test saltati a causa della modalità di esecuzione non privilegiata" SECTION_CUSTOM_TESTS="Test su misura (Custom)" +SECTION_DOWNLOADS="Scaricamenti" +SECTION_GENERAL="Generale" +SECTION_INITIALIZING_PROGRAM="Inizializzando il programma" +SECTION_INSECURE_SERVICES="Service insicuri" SECTION_MALWARE="Malware" SECTION_MEMORY_AND_PROCESSES="Memoria e Processi" +SECTION_STORAGE="Spazio di archiviazione" +SECTION_TIME_AND_SYNCHRONIZATION="Tempo and Sincronizzazione" STATUS_DISABLED="DISABILITATO" STATUS_DONE="FATTO" STATUS_ENABLED="ABILITATO" STATUS_ERROR="ERRORE" +STATUS_FAILED="FALLITO" STATUS_FOUND="TROVATO" STATUS_NO="NO" STATUS_NONE="NESSUNO" +STATUS_NOT_CONFIGURED="NON CONFIGURATO" STATUS_NOT_FOUND="NON TROVATO" STATUS_NOT_RUNNING="NON IN ESECUZIONE" STATUS_OFF="OFF" 
@@ -33,6 +42,7 @@ STATUS_SKIPPED="SALTATO" STATUS_SUGGESTION="SUGGERIMENTO" STATUS_UNKNOWN="SCONOSCIUTO" STATUS_WARNING="ATTENZIONE" +STATUS_WEAK="DEBOLE" STATUS_YES="SI" TEXT_UPDATE_AVAILABLE="aggiornamento disponibile" TEXT_YOU_CAN_HELP_LOGFILE="Puoi aiutare fornendoci il tuo file di log" From 42a33fb1e2b69c42063c3d248305cd670c07f484 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sun, 25 Oct 2020 18:47:41 +0100 Subject: [PATCH 293/355] Update CHANGELOG.md --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8f930e8c..8a9cd525 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,7 @@ - Alpine, macOS and Mageia EOL dates ### Changed +- ACCT-9626 - Detect sysstat systemd unit - KRNL-5830 - Improved reboot test by ignoring known bad values - KRNL-5830 - Ignore rescue kernel such as on CentOS systems - KRNL-5830 - Detection of Alpine Linux kernel From 499cf1cdb93f5a0d10db9cc9d4e949b4212ae313 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sun, 25 Oct 2020 18:48:42 +0100 Subject: [PATCH 294/355] Small code enhancements --- include/tests_authentication | 31 ++++++++++++++++--------------- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/include/tests_authentication b/include/tests_authentication index 6186881a..4f43745a 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -849,7 +849,7 @@ # ################################################################################# # - # Test : AUTH-9282 and AUTH-9283 + # Test : AUTH-9282, AUTH-9283, and AUTH-9284 # Note : Every Linux based operating system seem to have different passwd # options, so we have to check the version first. if [ "${OS}" = "Linux" ]; then @@ -881,7 +881,7 @@ FIND2="" FIND3="" fi - else + else PREQS_MET="NO" fi 
@@ -902,11 +902,10 @@ ReportSuggestion "${TEST_NO}" "When possible set expire dates for all password protected accounts" fi fi -# -################################################################################# -# + # Test : AUTH-9283 # Description : Search passwordless accounts + # Notes : requires FIND2 variable Register --test-no AUTH-9283 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking accounts without password" if [ "${SKIPTEST}" -eq 0 ]; then LogText "Test: Checking passwordless accounts" 
@@ -923,36 +922,38 @@ ReportWarning "${TEST_NO}" "Found accounts without password" fi fi -# -################################################################################# -# + # Test : AUTH-9284 # Description : Check locked user accounts in /etc/passwd + # Notes : requires FIND3 variable Register --test-no AUTH-9284 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check locked user accounts in /etc/passwd" if [ "${SKIPTEST}" -eq 0 ]; then LogText "Test: Checking locked accounts" - NON_SYSTEM_ACCOUNTS=$(${AWKBINARY} -F : '$3 > 999 && $3 != 65534 {print $1}' /etc/passwd | sort | uniq) + NON_SYSTEM_ACCOUNTS=$(${AWKBINARY} -F : '$3 > 999 && $3 != 65534 {print $1}' ${ROOTDIR}etc/passwd | ${SORTBINARY} | ${UNIQBINARY}) LOCKED_NON_SYSTEM_ACCOUNTS=0 - for account in ${FIND3};do - if echo "${NON_SYSTEM_ACCOUNTS}" | grep -w "${account}" > /dev/null ; then - LOCKED_NON_SYSTEM_ACCOUNTS=$((LOCKED_NON_SYSTEM_ACCOUNTS+1)) + for account in ${FIND3}; do + if echo "${NON_SYSTEM_ACCOUNTS}" | ${GREPBINARY} -w "${account}" > /dev/null ; then + LOCKED_NON_SYSTEM_ACCOUNTS=$((LOCKED_NON_SYSTEM_ACCOUNTS + 1)) fi done - if [ $LOCKED_NON_SYSTEM_ACCOUNTS -eq 0 ]; then + if [ ${LOCKED_NON_SYSTEM_ACCOUNTS} -eq 0 ]; then LogText "Result: all accounts seem to be unlocked" Display --indent 2 --text "- Locked accounts" --result "${STATUS_OK}" --color GREEN else LogText "Result: found one or more locked accounts" for account in ${FIND3}; do - if echo "${NON_SYSTEM_ACCOUNTS}" | grep -w "${account}" > /dev/null ; then + if echo "${NON_SYSTEM_ACCOUNTS}" | ${GREPBINARY} -w "${account}" > /dev/null ; then LogText "Locked account: ${account}" Report "locked_account[]=${account}" fi done - Display --indent 2 --text "- Locked accounts" --result "${STATUS_WARNING}" --color RED + Display --indent 2 --text "- Locked accounts" --result "${STATUS_FOUND}" --color RED ReportSuggestion "${TEST_NO}" "Look at the locked accounts and consider removing them" fi + unset account 
LOCKED_NON_SYSTEM_ACCOUNTS NON_SYSTEM_ACCOUNTS fi + + unset FIND1 FIND2 FIND3 # ################################################################################# # From 8ee60cea3532e9100f30e2aff0a1a8586c5dbcc4 Mon Sep 17 00:00:00 2001 From: Simon Biewald Date: Sat, 8 Aug 2020 22:16:23 +0000 Subject: [PATCH 295/355] Test if /etc/grub.d is a directory, instead always true --- include/tests_boot_services | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_boot_services b/include/tests_boot_services index fe5707e4..87871589 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services @@ -332,7 +332,7 @@ if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 - if [ "${ROOTDIR}etc/grub.d" ]; then + if [ -d "${ROOTDIR}etc/grub.d" ]; then CONF_FILES=$(${FINDBINARY} "${ROOTDIR}etc/grub.d" -type f -name "[0-9][0-9]*" -print0 | ${TRBINARY} '\0' ' ' | ${TRBINARY} -d '[:cntrl:]') CONF_FILES="${GRUBCONFFILE} ${ROOTDIR}boot/grub/custom.cfg ${CONF_FILES}" else From 1a75d66ad990260e2ba46da68c6ad373bed6b822 Mon Sep 17 00:00:00 2001 From: Simon Biewald Date: Sat, 8 Aug 2020 23:12:51 +0000 Subject: [PATCH 296/355] Use netstat on Solaris to gather listening ports --- include/tests_networking | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/include/tests_networking b/include/tests_networking index 420f26ea..c8208cd4 100644 --- a/include/tests_networking +++ b/include/tests_networking 
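Review bot: The membership test `echo "${NON_SYSTEM_ACCOUNTS}" | ${GREPBINARY} -w "${account}"`, used in both loops of the reworked AUTH-9284 block, treats the account name as a regular expression matched on word boundaries, so a locked system account `foo` is counted as a locked non-system account whenever a user such as `foo-bar` or `foo.svc` exists, because `-` and `.` are non-word characters for `-w`. NON_SYSTEM_ACCOUNTS is one name per line, so an exact literal line match is what is wanted: `if echo "${NON_SYSTEM_ACCOUNTS}" | ${GREPBINARY} -Fx -- "${account}" > /dev/null; then`. The same substitution applies to the second loop that logs and reports each account, so both should change together. The FIND3 list consumed here is built before this hunk begins.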
@@ -512,6 +512,15 @@ ReportException "${TEST_NO}:3" "netstat missing to gather listening ports" fi ;; + Solaris) + if [ -n "${NETSTATBINARY}" ]; then + LogText "Test: Retrieving netstat information to find listening ports" + FIND=$(${NETSTATBINARY} -an -P udp | ${AWKBINARY} '{ if($7=="LISTEN") { print $1"|udp|LISTEN|" }}') + FIND2=$(${NETSTATBINARY} -an -P tcp | ${AWKBINARY} '{ if($7=="LISTEN") { print $1"|tcp|LISTEN|" }}') + else + ReportException "${TEST_NO}:4" "netstat missing to gather listening ports" + fi + ;; *) # Got this exception? Provide your details and output of netstat or any other tool to determine this information. ReportException "${TEST_NO}:2" "Unclear what method to use, to determine listening port information" From e917269d011a2c314485a91ca340ea539ed47738 Mon Sep 17 00:00:00 2001 From: Simon Biewald Date: Sun, 9 Aug 2020 00:35:12 +0000 Subject: [PATCH 297/355] Reduce tr hostname checking expression Solaris' tr does not support full regular expressions. --- include/tests_networking | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_networking b/include/tests_networking index 420f26ea..d41132f2 100644 --- a/include/tests_networking +++ b/include/tests_networking @@ -70,7 +70,7 @@ LogText "Result: hostnamed is defined and not longer than 63 characters" fi # Test valid characters (normally a dot should not be in the name, but we can't be 100% sure we have short name) - FIND=$(echo "${HOSTNAME}" | ${TRBINARY} -d '[a-zA-Z0-9\.\-]') + FIND=$(echo "${HOSTNAME}" | ${TRBINARY} -d '[:alpha:]' | ${TRBINARY} -d '.-') if [ -z "${FIND}" ]; then LogText "Result: good, no unexpected characters discovered in hostname" if IsVerbose; then Display --indent 2 --text "- Hostname (allowed characters)" --result "${STATUS_OK}" --color GREEN; fi From 1f3d0956a75a8eaca5d2acda4af93f190e1b2527 Mon Sep 17 00:00:00 2001 
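Review bot: In the new Solaris branch the UDP query `${NETSTATBINARY} -an -P udp | ${AWKBINARY} '{ if($7=="LISTEN") ...'` reuses the TCP column layout; on the Solaris releases I am aware of, `netstat -P udp` prints only Local Address / Remote Address / State with values such as `Idle` rather than `LISTEN`, so `$7` is empty and FIND never lists a UDP socket. Please confirm against real `netstat -an -P udp` output and, if that holds, match the UDP state column instead, e.g. `'{ if ($3=="Idle") { print $1"|udp|LISTEN|" }}'`, with a comment noting that Solaris reports unbound-to-peer UDP sockets as Idle. The case statement this branch belongs to, and the code that consumes FIND and FIND2, lie outside the hunk.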
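Review bot: The replacement `${TRBINARY} -d '[:alpha:]' | ${TRBINARY} -d '.-'` no longer strips digits, whereas the expression it replaces (`[a-zA-Z0-9\.\-]`) did, so any hostname containing a digit (`web01`, `node-3`) now leaves a non-empty FIND and is reported as having unexpected characters. Use the alphanumeric class: `FIND=$(echo "${HOSTNAME}" | ${TRBINARY} -d '[:alnum:]' | ${TRBINARY} -d '.-')`. A one-line comment that Solaris `tr` does not accept ranges or regex classes, which is why the check is split into two calls, would stop the next reader from merging them back.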
From: Simon Biewald Date: Sun, 9 Aug 2020 02:35:26 +0000 Subject: [PATCH 298/355] Test if loghost is not localhost On Solaris, the name loghost can be used to point to remote log servers. By default loghost is configured to 127.0.0.1, logging to the local machine. Thus a new test - LOGG-2153 - is created to test if loghost is not localhost and LOGG-2154 is modified to ignore @loghost lines if loghost is localhost. --- db/tests.db | 1 + include/tests_logging | 33 +++++++++++++++++++++++++++++++-- 2 files changed, 32 insertions(+), 2 deletions(-) diff --git a/db/tests.db b/db/tests.db index 26fc8f87..0a603749 100644 --- a/db/tests.db +++ b/db/tests.db @@ -228,6 +228,7 @@ LOGG-2146:test:security:logging::Checking logrotate.conf and logrotate.d: LOGG-2148:test:security:logging::Checking logrotated files: LOGG-2150:test:security:logging::Checking directories in logrotate configuration: LOGG-2152:test:security:logging::Checking loghost: +LOGG-2153:test:security:logging::Checking loghost is not localhost: LOGG-2154:test:security:logging::Checking syslog configuration file: LOGG-2160:test:security:logging::Checking /etc/newsyslog.conf: LOGG-2162:test:security:logging::Checking directories in /etc/newsyslog.conf: diff --git a/include/tests_logging b/include/tests_logging index 292940e3..c49c3f07 100644 --- a/include/tests_logging +++ b/include/tests_logging @@ -28,7 +28,9 @@ METALOG_RUNNING=0 RFC3195D_RUNNING=0 RSYSLOG_RUNNING=0 + SOLARIS_LOGHOST="" SOLARIS_LOGHOST_FOUND=0 + SOLARIS_LOGHOST_LOCALHOST=0 SYSLOG_DAEMON_PRESENT=0 SYSLOG_DAEMON_RUNNING=0 SYSLOG_NG_RUNNING=0 @@ -305,6 +307,7 @@ LogText "Result: Checking for loghost in /etc/inet/hosts" FIND=$(${GREPBINARY} loghost /etc/inet/hosts | ${GREPBINARY} -v "^#") if [ -n "${FIND}" ]; then + SOLARIS_LOGHOST="${FIND}" SOLARIS_LOGHOST_FOUND=1 LogText "Result: Found loghost entry in /etc/inet/hosts" else 
@@ -314,6 +317,7 @@ LogText "Result: Checking for loghost via name resolving" FIND=$(getent hosts loghost | ${GREPBINARY} loghost) if [ -n "${FIND}" ]; then + SOLARIS_LOGHOST="${FIND" SOLARIS_LOGHOST_FOUND=1 LogText "Result: name resolving was successful" LogText "Output: ${FIND}" @@ -334,6 +338,26 @@ fi # ################################################################################# +# + # Test : LOGG-2153 + # Description : Check Solaris 'loghost' entry is not localhost, meaning + # remote logging is not configured. + if [ ${SOLARIS_LOGHOST_FOUND} -eq 1 ] && [ -n "${SOLARIS_LOGHOST}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no LOGG-2153 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking loghost is localhost" + if [ ${SKIPTEST} -eq 0 ]; then + FIND=$(echo "${SOLARIS_LOGHOST}" | ${AWKBINARY} '{ print $1 }' | ${EGREPBINARY} "::1|127.0.0.1|127.1") + if [ -n "${FIND}" ]; then + SOLARIS_LOGHOST_LOCALHOST=1 + LogText "Result: loghost entry is localhost (default)" + Display --indent 4 --text "- Checking loghost entry is localhost" --result "${STATUS_YES}" --color YELLOW + ReportSuggestion "${TEST_NO}" "Set loghost entry to a remote location to enable remote logging." + else + Display --indent 4 --text "- Checking loghost entry is localhost" --result "${STATUS_NO}" --color GREEN + fi + fi + +# +################################################################################# # # Test : LOGG-2154 # Description : Check to see if remote logging is enabled 
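Review bot: `SOLARIS_LOGHOST="${FIND"` in the getent branch is missing the closing brace, which is a bad-substitution expansion error in sh and bash; the command fails and, in most non-interactive shells, the whole script aborts, so loghost detection via name resolution is broken by this patch. It should read `SOLARIS_LOGHOST="${FIND}"`, matching the /etc/inet/hosts branch added earlier in the same patch. The surrounding `if [ -n "${FIND}" ]` block and the LOGG-2152 test it belongs to extend beyond this hunk.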
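Review bot: The localhost match `${EGREPBINARY} "::1|127.0.0.1|127.1"` in LOGG-2153 is unanchored and its dots are unescaped, so a remote loghost at an address ending in `::1` (for example `fd00::1`) or beginning with `127.1` is reported as localhost, while a loopback address such as `127.2.3.4` is not. Anchor the alternatives and cover the whole 127/8 range: `FIND=$(echo "${SOLARIS_LOGHOST}" | ${AWKBINARY} '{ print $1 }' | ${EGREPBINARY} "^(::1|127\.)")`. Separately, the `--description "Checking loghost is localhost"` passed to Register is the inverse of the db/tests.db entry added in this patch (`Checking loghost is not localhost`); the two should agree.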
@@ -402,8 +426,13 @@ LogText "Test: check if logs are also logged to a remote logging host" FIND=$(${EGREPBINARY} "@[a-zA-Z0-9]|destination\s.+(udp|tcp).+\sport" ${SYSLOGD_CONF} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "[a-zA-Z0-9]@") if [ -n "${FIND}" ]; then - LogText "Result: remote logging enabled" - REMOTE_LOGGING_ENABLED=1 + FIND2=$(echo "${FIND}" | ${GREPBINARY} -v "@loghost") + if [ SOLARIS_LOGHOST_LOCALHOST -eq 1 ] && [ -z "${FIND2}" ]; then + LogText "Result: remote logging enabled to loghost, but loghost is localhost" + else + LogText "Result: remote logging enabled" + REMOTE_LOGGING_ENABLED=1 + fi else # Search for configured destinations with an IP address or hostname, then determine which ones are used as a log destination DESTINATIONS=$(${GREPBINARY} "^destination" ${SYSLOGD_CONF} | ${EGREPBINARY} "(udp|tcp)" | ${GREPBINARY} "port" | ${AWKBINARY} '{print $2}') From 25278b6b38138e0ec4247d0f248053560304e23b Mon Sep 17 00:00:00 2001 From: Simon Biewald Date: Mon, 10 Aug 2020 21:09:50 +0000 Subject: [PATCH 299/355] Add support for Solaris services, run BOOT-5184 there The Solaris IPS service manager (svcs) is now detected, and services managed with it are enumerated. Test BOOT-5184 now runs on Solaris, too, as SysV init scripts are supported as well, even with IPS. SysV Init has been the traditional init system on Solaris. --- db/tests.db | 3 +- include/binaries | 1 + include/tests_boot_services | 58 ++++++++++++++++++++++++++++++++++++- 3 files changed, 60 insertions(+), 2 deletions(-) diff --git a/db/tests.db b/db/tests.db index 26fc8f87..abcef63c 100644 --- a/db/tests.db +++ b/db/tests.db 
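Review bot: `if [ SOLARIS_LOGHOST_LOCALHOST -eq 1 ] && [ -z "${FIND2}" ]; then` tests the literal word rather than the variable, so `[` fails with an integer-expression error on every run and the branch never fires; remote logging to a loopback `@loghost` is still reported as enabled, which is exactly what this hunk set out to prevent. It needs `if [ ${SOLARIS_LOGHOST_LOCALHOST} -eq 1 ] && [ -z "${FIND2}" ]; then`. Separately, `${GREPBINARY} -v "@loghost"` also discards a genuine remote destination such as `@loghost.example.com`, so on a host whose loghost is loopback but which also ships to a real loghost.* server, FIND2 is empty and REMOTE_LOGGING_ENABLED stays 0; anchoring the exclusion, e.g. `${GREPBINARY} -v -E "@loghost[[:space:]]*$"`, avoids that. The enclosing SKIPTEST block begins before this hunk.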
@@ -70,9 +70,10 @@ BOOT-5142:test:security:boot_services::Check SPARC Improved boot loader (SILO): BOOT-5155:test:security:boot_services::Check for YABOOT boot loader configuration file: BOOT-5159:test:security:boot_services:OpenBSD:Check for OpenBSD boot loader presence: BOOT-5165:test:security:boot_services:FreeBSD:Check for FreeBSD boot services: +BOOT-5170:test:security:boot_services:Solaris:Check for Solaris boot daemons: BOOT-5177:test:security:boot_services:Linux:Check for Linux boot and running services: BOOT-5180:test:security:boot_services:Linux:Check for Linux boot services (Debian style): -BOOT-5184:test:security:boot_services:Linux:Check permissions for boot files/scripts: +BOOT-5184:test:security:boot_services:Linux Solaris:Check permissions for boot files/scripts: BOOT-5202:test:security:boot_services::Check uptime of system: BOOT-5260:test:security:boot_services::Check single user mode for systemd: BOOT-5261:test:security:boot_services:DragonFly:Check for DragonFly boot loader presence: diff --git a/include/binaries b/include/binaries index ae2c2824..b7c7d7e9 100644 --- a/include/binaries +++ b/include/binaries @@ -286,6 +286,7 @@ ssh-keyscan) SSHKEYSCANBINARY="${BINARY}"; LogText " Found known binary: ssh-keyscan (scanner for SSH keys) - ${BINARY}" ;; suricata) SURICATABINARY="${BINARY}"; LogText " Found known binary: suricata (IDS) - ${BINARY}" ;; swapon) SWAPONBINARY="${BINARY}"; LogText " Found known binary: swapon (swap device tool) - ${BINARY}" ;; + svcs) SVCSBINARY="${BINARY}" ; LogText " Found known binary: svcs (service manager) - ${BINARY}" ;; swupd) SWUPDBINARY="${BINARY}"; LogText " Found known binary: swupd (package manager) - ${BINARY}" ;; sysctl) SYSCTLBINARY="${BINARY}"; LogText " Found known binary: sysctl (kernel parameters) - ${BINARY}" ;; syslog-ng) SYSLOGNGBINARY="${BINARY}"; SYSLOGNGVERSION=$(${BINARY} -V 2>&1 | grep "^syslog-ng" | awk '{ print $2 }'); LogText "Found ${BINARY} (version ${SYSLOGNGVERSION})" ;; 
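Review bot: The new `svcs)` case is inserted between `swapon` and `swupd`, but the list around it is alphabetical (`suricata`, `swapon`, `swupd`, `sysctl`), so `svcs` belongs before `swapon`. The line also carries a stray space before the semicolon that none of the neighbouring cases have: `svcs) SVCSBINARY="${BINARY}"; LogText " Found known binary: svcs (service manager) - ${BINARY}" ;;`.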
diff --git a/include/tests_boot_services b/include/tests_boot_services index fe5707e4..85c3d659 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services @@ -139,6 +139,13 @@ SERVICE_MANAGER="launchd" fi ;; + "Solaris") + if [ -n "${ROOTDIR}usr/bin/svcs" ]; then + SERVICE_MANAGER="IPS" + elif [ -d "${ROOTDIR}etc/init.d" ]; then + SERVICE_MANAGER="SysV Init" + fi + ;; *) LogText "Result: unknown service manager" ;; 
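Review bot: `if [ -n "${ROOTDIR}usr/bin/svcs" ]; then` tests whether the string is non-empty, which is always true, so SERVICE_MANAGER is set to `IPS` on every Solaris host and the `elif [ -d "${ROOTDIR}etc/init.d" ]` fallback is unreachable; this is the same mistake that patch 295 in this series fixes for grub.d. Test the file instead, `if [ -x "${ROOTDIR}usr/bin/svcs" ]; then`, or reuse the `SVCSBINARY` that include/binaries now detects. Also, `svcs` is the query tool of Solaris SMF (Service Management Facility), whereas IPS is the package system, so the label `IPS` here and in the commit message looks mislabelled and is worth confirming before it appears in reports. The case statement continues outside the hunk.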
@@ -586,6 +593,55 @@ fi # ################################################################################# +# + # Test : BOOT-5170 + # Description : Check for Solaris boot daemons + Register --test-no BOOT-5170 --os Solaris --weight L --network NO --category security --description "Check for Solaris boot daemons" + if [ ${SKIPTEST} -eq 0 ]; then + if [ -n "${SVCSBINARY}" ]; then + LogText "Result: Using svcs binary to check for daemons" + LogText "SysV style services may be incorrectly counted as running." + + Report "running_service_tool=svcs" + + # For the documentation of the states (field $1) see + # "Managing System Services in Oracle Solaris 11.4" pp. 24, available + # at https://docs.oracle.com/cd/E37838_01/pdf/E60998.pdf + + FIND=$("${SVCSBINARY}" -Ha | ${AWKBINARY} '{ if ($1 == "online" || $1 == "legacy_run") print $3 }') + COUNT=0 + for ITEM in ${FIND}; do + LogText "Found running daemon: ${ITEM}" + Report "running_service[]=${ITEM}" + COUNT=$((COUNT + 1 )) + done + Display --indent 2 --text "- Check running daemons (svcs)" --result "${STATUS_DONE}" --color GREEN + Display --indent 8 --text "Result: found ${COUNT} running daemons" + LogText "Result: Found ${COUNT} running daemons" + + LogText "Searching for enabled daemons (svcs)" + Report "boot_service_tool=svcs" + + FIND=$("${SVCSBINARY}" -Ha | ${AWKBINARY} '{ if ($1 != "disabled" && $1 != "uninitialized") print $3 }') + COUNT=0 + for ITEM in ${FIND}; do + LogText "Found enabled daemon at boot: ${ITEM}" + Report "boot_service[]=${ITEM}" + COUNT=$((COUNT + 1 )) + done + LogText "Note: Run svcs -a see all services" + Display --indent 2 --text "- Check enabled daemons at boot (svcs)" --result "${STATUS_DONE}" --color GREEN + Display --indent 8 --text "Result: found ${COUNT} enabled daemons at boot" + LogText "Result: Found ${COUNT} enabled daemons at boot" + fi + fi +# +################################################################################# +# + # Test : BOOT-5171 + # Description : Check for 
services with errors on solaris +# +################################################################################# # # Test : BOOT-5177 # Description : Check for Linux boot services (systemd and chkconfig) @@ -686,7 +742,7 @@ # # Test : BOOT-5184 # Description : Check world writable startup scripts - Register --test-no BOOT-5184 --os Linux --weight L --network NO --category security --description "Check permissions for boot files/scripts" + Register --test-no BOOT-5184 --os "Linux Solaris" --weight L --network NO --category security --description "Check permissions for boot files/scripts" if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 CHECKDIRS="${ROOTDIR}etc/init.d ${ROOTDIR}etc/rc.d ${ROOTDIR}etc/rcS.d" From 3e3589291f7a9ca2ccb36e178fdc6521373fa2b6 Mon Sep 17 00:00:00 2001 From: Simon Biewald Date: Wed, 28 Oct 2020 01:55:01 +0000 Subject: [PATCH 300/355] Use `od` only for displaying invalid characters The first od is removed, the second time is moved to right before echoing the characters. On certain OpenSolaris distributions, `od` always outputs spaces, even if the input is empty. The spaces would have been converted to !space!, thus Lynis detected invalid characters / old style configuration. Resolves cisofy/lynis#1065. Signed-off-by: Simon Biewald --- include/profiles | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/include/profiles b/include/profiles index 2b0885ce..835d7a16 100644 --- a/include/profiles +++ b/include/profiles @@ -35,7 +35,7 @@ # Show deprecation message for old config entries such as 'config:' and 'apache:' FOUND=0 - DATA=$(grep -E "^[a-z-]{1,}:" ${PROFILE} | od -An -ta | sed 's/ /!space!/g') # od -An (no file offset), -ta (named character, to be on safe side) + DATA=$(grep -E "^[a-z-]{1,}:" ${PROFILE}) if ! IsEmpty "${DATA}"; then FOUND=1; fi if [ ${FOUND} -eq 1 ]; then 
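Review bot: When `SVCSBINARY` is empty the new BOOT-5170 body produces no log line, no Display and no report entry even though the test has already been registered for Solaris, so a run without svcs leaves no trace of why the daemon checks were skipped; an `else LogText "Result: svcs binary not found, skipping daemon checks"` on the inner `if` closes that gap. The block headed `# Test : BOOT-5171` / `# Description : Check for services with errors on solaris` is a comment-only stub with no Register call or body, which reads as an unfinished placeholder and should be implemented or dropped before merge. Smaller points: `svcs -Ha` is run twice to apply two awk filters to the same listing, so capturing it once (`SVCS_OUTPUT=$("${SVCSBINARY}" -Ha)`) and feeding both filters from that variable halves the process spawns; `${AWKBINARY}` is unquoted while `"${SVCSBINARY}"` is quoted on the same line; and the log text `Note: Run svcs -a see all services` is missing "to". The hunk spans two lines of this page, with the whole BOOT-5170 block inside it.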
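Review bot: `--os "Linux Solaris"` hands Register a two-word value, whereas the other Register calls in view pass a single token (`--os Solaris` in BOOT-5170), so whether the option matches a space-separated list depends on Register's implementation, which is outside this diff; if it compares the whole string, the test is silently skipped on both platforms. Confirm that behaviour or register the test per OS. The unchanged `CHECKDIRS` list (`etc/init.d`, `etc/rc.d`, `etc/rcS.d`) is what a Solaris run will inspect, which is consistent with the SysV-style directory the same commit's service-manager detection looks for.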
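Review bot: The rewritten `DATA=$(grep -E "^[a-z-]{1,}:" ${PROFILE})` leaves `${PROFILE}` unquoted, while the companion hunk of this commit at line 56 of the same file quotes it as `"${PROFILE}"`; a profile path containing whitespace or glob characters is split into several grep arguments here. `DATA=$(grep -E "^[a-z-]{1,}:" "${PROFILE}")` makes the two checks consistent. Since `DATA` now holds raw matched lines rather than the `!space!`-encoded od output, a one-line comment such as `# Raw matching lines; only emptiness is tested below` would record why the encoding was dropped.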
@@ -56,12 +56,11 @@ fi # Security check for unexpected and possibly harmful escape characters (hyphen should be listed as first or last character) - DATA=$(grep -Ev '^$|^ |^#|^config:' "${PROFILE}" | tr -d '[:alnum:]/\[\]\(\)_\|,\.:;= \n\r-' | od -An -ta | sed 's/ /!space!/g') + DATA=$(grep -Ev '^$|^ |^#|^config:' "${PROFILE}" | tr -d '[:alnum:]/\[\]\(\)_\|,\.:;= \n\r-') if ! IsEmpty "${DATA}"; then DisplayWarning "Your profile '${PROFILE}' contains unexpected characters. See the log file for more information." LogText "Found unexpected or possibly harmful characters in profile '${PROFILE}'. See which characters matched in the output below and compare them with your profile." - for I in ${DATA}; do - I=$(echo ${I} | sed 's/!space!/ /g') + for I in $(printf ${DATA} | od -An -ta); do LogText "Output: ${I}" done LogText "Suggestion: comment incorrect lines with a '#' and try again. Open a GitHub issue if valid characters are blocked" From 8895eccea268860619efa36484137b17d218e555 Mon Sep 17 00:00:00 2001 From: Simon Biewald Date: Sat, 31 Oct 2020 17:36:06 +0000 Subject: [PATCH 301/355] Use correct character class Signed-off-by: Simon Biewald --- include/tests_networking | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_networking b/include/tests_networking index d41132f2..d8020b0c 100644 --- a/include/tests_networking +++ b/include/tests_networking @@ -70,7 +70,7 @@ LogText "Result: hostnamed is defined and not longer than 63 characters" fi # Test valid characters (normally a dot should not be in the name, but we can't be 100% sure we have short name) - FIND=$(echo "${HOSTNAME}" | ${TRBINARY} -d '[:alpha:]' | ${TRBINARY} -d '.-') + FIND=$(echo "${HOSTNAME}" | ${TRBINARY} -d '[:alnum:]\.\-') if [ -z "${FIND}" ]; then LogText "Result: good, no unexpected characters discovered in hostname" if IsVerbose; then Display --indent 2 --text "- Hostname (allowed characters)" --result "${STATUS_OK}" --color GREEN; fi 
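Review bot: `printf ${DATA}` on the new `for` line passes the suspicious characters themselves as the printf format string, and unquoted; the `tr -d` set on the line above strips neither `%` nor `\`, so a profile containing `%s` or a backslash makes printf interpret it (garbage, an error, or no output) instead of displaying it, and any glob characters are subject to pathname expansion before od sees them. Use the data as an argument instead: `for I in $(printf '%s' "${DATA}" | od -An -ta); do`, which keeps the od-only-for-display intent of the commit. Splitting the `$(…)` result on whitespace is fine here because `od -ta` emits space-separated character names.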
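Review bot: The new `${TRBINARY} -d '[:alnum:]\.\-'` relies on backslash escapes inside a tr set, which is not portable: POSIX tr defines only a handful of escapes, and neither character needs one here, since `.` has no special meaning in a tr set and `-` is literal when it is the last character. `FIND=$(echo "${HOSTNAME}" | ${TRBINARY} -d '[:alnum:].-')` expresses the same character set without depending on how `${TRBINARY}` treats unknown escapes. Switching from `[:alpha:]` to `[:alnum:]` is the right fix, as digits were previously left in `FIND` and flagged as unexpected.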
From acf7943936b44858d0a815f493ecd9c704047961 Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Sun, 8 Nov 2020 23:16:33 -0500 Subject: [PATCH 302/355] spelling: ambiguous Signed-off-by: Josh Soref --- include/tests_time | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_time b/include/tests_time index 95c695bc..1a262d82 100644 --- a/include/tests_time +++ b/include/tests_time @@ -106,7 +106,7 @@ fi # Check running processes (ntpd from ntp.org) - # As checking by process name is ambigiouse (openntpd has the same process name), + # As checking by process name is ambiguous (openntpd has the same process name), # this check will be skipped if openntpd has been found. FIND=$(${PSBINARY} ax | ${GREPBINARY} "ntpd" | ${GREPBINARY} -v "dntpd" | ${GREPBINARY} -v "ntpd: " | ${GREPBINARY} -v "grep") if [ "${NTP_DAEMON}" != "openntpd" ] && [ -n "${FIND}" ]; then From 45a7006e6bd71c5853e3469cf4d8ee963fd86798 Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Sun, 8 Nov 2020 23:35:20 -0500 Subject: [PATCH 303/355] spelling: asterisk Signed-off-by: Josh Soref --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8a9cd525..59a556fe 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2304,7 +2304,7 @@ Lynis 1.4.1 (2014-02-15) - Added 64 bits locations for Apache modules - Add start of new category to logfile - Extended sysstat test with /etc/cron.d/sysstat [ACCT-9626] - - Extended cron job tests with entries start with asterix (*) [SCHD-7704] + - Extended cron job tests with entries start with asterisk (*) [SCHD-7704] - Additional check for multiple umask entries (like RHEL 6.x) [AUTH-9328] - Adjusted PHP test for register_globals (explicit test) [PHP-2368] - Small adjustments for upcoming plugin support From 08c8d1b8f39dd32a554ffab08204ed8f84b7ab81 Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Sun, 8 Nov 2020 23:16:35 -0500 Subject: [PATCH 304/355] spelling: authentication 
Signed-off-by: Josh Soref --- include/tests_authentication | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_authentication b/include/tests_authentication index 4f43745a..b27e59c7 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -1068,7 +1068,7 @@ # Test : AUTH-9306 # Description : Check if authentication is needed to boot the system # Notes : :d_boot_authenticate: is a good option for production machines to - # avoid unauthorized booting of systems. Option :d_boot_autentication@: + # avoid unauthorized booting of systems. Option :d_boot_authentication@: # disabled a required login. Register --test-no AUTH-9306 --os HP-UX --weight L --network NO --category security --description "Check single boot authentication" if [ ${SKIPTEST} -eq 0 ]; then From f1cb5054c4bd2e94cdb8a765b6f2babe3abfbef5 Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Sun, 8 Nov 2020 23:16:37 -0500 Subject: [PATCH 305/355] spelling: authoritative Signed-off-by: Josh Soref --- CHANGELOG.md | 2 +- db/tests.db | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 59a556fe..eb30b047 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2510,7 +2510,7 @@ Lynis 1.3.3 (2013-10-24) Lynis 1.3.2 (2013-10-09) New: - - Test for PowerDNS authoritive servers (master/slave status) [NAME-4238] + - Test for PowerDNS authoritative servers (master/slave status) [NAME-4238] Changes: - CUPS test extended with hardening rules [PRNT-2308] diff --git a/db/tests.db b/db/tests.db index 6513bb0b..49b705a3 100644 --- a/db/tests.db +++ b/db/tests.db 
@@ -282,7 +282,7 @@ NAME-4210:test:security:nameservices::Check DNS banner: NAME-4230:test:security:nameservices::Check PowerDNS status: NAME-4232:test:security:nameservices::Search PowerDNS configuration file: NAME-4236:test:security:nameservices::Check PowerDNS backends: -NAME-4238:test:security:nameservices::Check PowerDNS authoritive status: +NAME-4238:test:security:nameservices::Check PowerDNS authoritative status: NAME-4304:test:security:nameservices::Check NIS ypbind status: NAME-4306:test:security:nameservices::Check NIS domain: NAME-4402:test:security:nameservices::Check duplicate line in /etc/hosts: From a92ceb34e1e1d088141a9876bf0d96541e923332 Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Sun, 8 Nov 2020 23:38:28 -0500 Subject: [PATCH 306/355] spelling: branch Signed-off-by: Josh Soref --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index eb30b047..a66edc6c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3465,7 +3465,7 @@ Lynis 1.0.0 (2007-11-08) - Test: query nameservers and test connectivity - Test: check promiscuous interfaces (FreeBSD) - Test: check sticky bit on /tmp directory - - Test: check debian.org security brance in /etc/apt/sources.list + - Test: check debian.org security branch in /etc/apt/sources.list - Test: check kernel update on Debian - Test: query default Linux run level - Test: query chkconfig to see which services start at boot From a61882b26358b5a4cde4648142fbd5cbc39148ba Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Sun, 8 Nov 2020 23:16:38 -0500 Subject: [PATCH 307/355] spelling: certificates Signed-off-by: Josh Soref --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a66edc6c..da5c4df1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2467,7 +2467,7 @@ Lynis 1.3.5 (2013-11-19) - Added suggestion about BIND version [NAME-4210] - Merged test NTP daemon test TIME-3108 into TIME-3104 - Improved support for Arch Linux (output, detection) - - Extended common list of directories with SSL certifcates in profile + - Extended common list of directories with SSL certificates in profile - New function GetHostID() to determine an unique identifier of the machine - Added a tests_custom file template - Perform file permissions test on tests_custom file From b0a5490a2e073a9ec2400ce3bedfecc6cb8c3336 Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Sun, 8 Nov 2020 23:16:40 -0500 Subject: [PATCH 308/355] spelling: contains Signed-off-by: Josh Soref --- include/profiles | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/profiles b/include/profiles index 2b0885ce..e7b9557a 100644 --- a/include/profiles +++ b/include/profiles @@ -50,7 +50,7 @@ Display --text " " Display --text "==================================================================================================" Display --text " " - LogText "Insight: Profile '${PROFILE}' contians one or more old-style configuration entries" + LogText "Insight: Profile '${PROFILE}' contains one or more old-style configuration entries" ReportWarning "GEN-0020" "Your profile contains one or more old-style configuration entries" sleep 10 fi From 6a28855364f2222be94cd41edd5cbe098df4b354 Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Sun, 8 Nov 2020 23:16:42 -0500 Subject: [PATCH 309/355] spelling: disabled Signed-off-by: Josh Soref --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index da5c4df1..06812b90 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -450,7 +450,7 @@ Tests: * [AUTH-9308] - Made 'sulogin' more generic for systemd rescue shell * [DNS-1600] - Initial work on DNSSEC validation testing * [NETW-2704] - Added support for local resolver 127.0.0.53 -* [PHP-2379] - Suhosin test disbled +* [PHP-2379] - Suhosin test disabled * [SSH-7408] - Removed 'DELAYED' from OpenSSH Compression setting * [TIME-3160] - Improvements to detect step-tickers file and entries From 70c1a72a59e9158a2ff51c591f79d4b2cb8b6212 Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Sun, 8 Nov 2020 23:16:44 -0500 Subject: [PATCH 310/355] spelling: documentation Signed-off-by: Josh Soref --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 06812b90..78e8ed18 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3189,7 +3189,7 @@ Lynis 1.1.2 (2008-05-11) - Improved LILO test and removed double message - Fixed incorrect message when using --help parameter - Improved portaudit test (FreeBSD) to show unique packages only - - Updated man page, FAQ, extended documention with plugin information + - Updated man page, FAQ, extended documentation with plugin information - Added several php.ini file locations (MacOS X, OpenBSD, OpenSuSE) ** Special release notes [package/ports]: ** From a007ad2fe0b3ff2ce82c24d2b9b8379a89152cde Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Sun, 8 Nov 2020 23:16:45 -0500 Subject: [PATCH 311/355] spelling: explicitly Signed-off-by: Josh Soref --- include/tests_kernel | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_kernel b/include/tests_kernel index b3ce61f7..34ac3bfd 100644 --- a/include/tests_kernel +++ b/include/tests_kernel 
@@ -485,7 +485,7 @@ ( [ ${SYSD_CORED_BASE_PROCSIZEMAX_NR_ENABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -ge 1 ] ) || \ ( [ ${SYSD_CORED_BASE_STORAGE_NR_ENABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -ge 1 ] ) || \ ( [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -ge 1 ] ); then - LogText "Result: core dumps are explicitely enabled in systemd configuration files" + LogText "Result: core dumps are explicitly enabled in systemd configuration files" ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in ${ROOTDIR}etc/systemd/coredump.conf ('ProcessSizeMax=0', 'Storage=none')" Display --indent 4 --text "- configuration in systemd conf files" --result "${STATUS_ENABLED}" --color RED AddHP 0 1 From ab1aa322accb4c0cc7f1586b4f03517a6c5bd0cf Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Sun, 8 Nov 2020 23:16:51 -0500 Subject: [PATCH 312/355] spelling: ignore Signed-off-by: Josh Soref --- include/tests_kernel_hardening | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_kernel_hardening b/include/tests_kernel_hardening index 2b45394e..e117a704 100644 --- a/include/tests_kernel_hardening +++ b/include/tests_kernel_hardening @@ -28,7 +28,7 @@ # # Test : KRNL-6000 # Description : Check sysctl parameters - # Sysctl : net.ipv4.icmp_ingore_bogus_error_responses (=1) + # Sysctl : net.ipv4.icmp_ignore_bogus_error_responses (=1) if [ ! "${SYSCTL_READKEY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no KRNL-6000 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check sysctl key pairs in scan profile" if [ ${SKIPTEST} -eq 0 ]; then From eadd2a8ed8d084536b4d0043f79ca1e8aee598d4 Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Sun, 8 Nov 2020 23:16:47 -0500 Subject: [PATCH 313/355] spelling: indentation 
Signed-off-by: Josh Soref --- CHANGELOG.md | 4 ++-- CONTRIBUTING.md | 2 +- include/functions | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 78e8ed18..f12ed580 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -697,7 +697,7 @@ Changes: * Renamed some variables to better indicate their purpose (counting, data type) * Removal of unused code and comments * Deleted unused tests from database file -* Correct levels of identation +* Correct levels of indentation * Support for older mac OS X versions (Lion and Mountain Lion) * Initialized variables for more binaries * Additional sysctls are tested @@ -1358,7 +1358,7 @@ Functions * AddSetting - New function to store settings (lynis show settings) * ContainsString - New function to search for a string in another one * Display - Added --debug, showing details on screen in debug mode - - Reset identation for lines which are too long + - Reset indentation for lines which are too long * DisplayToolTip - New function to display tooltips * IsDebug - Check for usage of --debug * IsDeveloperMode - Status for development and debugging (--developer) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 66a7b19b..b3ea40ec 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -27,7 +27,7 @@ To ensure all pull requests can be easily checked and merged, here are some tips ## Code Guidelines ### General -Identation should be 4 spaces (no tab character). +Indentation should be 4 spaces (no tab character). ### Comments Comments: use # sign followed by a space. When needed, create a comment block. diff --git a/include/functions b/include/functions index 26916461..b72e7156 100644 --- a/include/functions +++ b/include/functions 
@@ -38,7 +38,7 @@ # DigitsOnly Return only the digits from a string # DirectoryExists Check if a directory exists on the disk # DiscoverProfiles Determine available profiles on system -# Display Output text to screen with colors and identation +# Display Output text to screen with colors and indentation # DisplayError Show an error on screen # DisplayException Show an exception on screen # DisplayManual Output text to screen without any layout From f14e12f688147d753f871b4969345db078fea74b Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Sun, 8 Nov 2020 23:16:52 -0500 Subject: [PATCH 314/355] spelling: installed Signed-off-by: Josh Soref --- include/tests_time | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_time b/include/tests_time index 1a262d82..f4c8bee9 100644 --- a/include/tests_time +++ b/include/tests_time @@ -97,7 +97,7 @@ FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="openntpd" LogText "result: found openntpd (method: ps)" else - LogText "result: running openntpd not found, but ntpctl is instaalled" + LogText "result: running openntpd not found, but ntpctl is installed" fi if [ "${NTP_DAEMON}" = "openntpd" ]; then From 1cdb19c2c1bc7a176cedcc22ba9d94ffbb054178 Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Sun, 8 Nov 2020 23:16:54 -0500 Subject: [PATCH 315/355] spelling: nonexistent Signed-off-by: Josh Soref --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f12ed580..35f62b29 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -46,7 +46,7 @@ - CRYP-7902 - Added support for certificates in DER format - CRYP-7931 - Added data to report - CRYP-7931 - Redirect errors (e.g. when swap is not encrypted) -- FILE-6430 - Don't grep nonexistant modprobe.d files +- FILE-6430 - Don't grep nonexistent modprobe.d files - FIRE-4535 - Set initial firewall state - INSE-8312 - Corrected text on screen - KRNL-5728 - Handle zipped kernel configuration correctly 
From e733713e3c25a4a0c1d5c5e645a0f4eceb29c3a1 Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Sun, 8 Nov 2020 23:52:56 -0500 Subject: [PATCH 316/355] spelling: notation Signed-off-by: Josh Soref --- CONTRIBUTING.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index b3ea40ec..5d9d4b00 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -68,6 +68,6 @@ software or computer software documentation in whole or in part, in any manner and for any purpose whatsoever, and to have or authorize others to do so. If you want to be named in as a contributor in the CONTRIBUTOR file, then include -this notition in your pull request. Preferred format: Full Name, and your e-mail +this notation in your pull request. Preferred format: Full Name, and your e-mail address). From a7cc21621b5de207ca9e39ef71bfa764100d52ee Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Sun, 8 Nov 2020 23:44:07 -0500 Subject: [PATCH 317/355] spelling: optimizations Signed-off-by: Josh Soref --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 35f62b29..f682643a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2557,7 +2557,7 @@ Lynis 1.3.0 (2011-12-25) - Fixed incorrect warning for single user mode [AUTH-9308] - Improved output for stratum 16 time servers [TIME-3116] - Added suggestion and screen output for kernel hardening [KRNL-6000] - - Screen layout optimalizations and log file improvements + - Screen layout optimizations and log file improvements - Improved list/layout of scan options - Improved binary check for compilers - Added configuration option in scan profile (show_tool_tips, default true) From 2b26f13bedeead543883a699a39d35a37fe3cb48 Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Sun, 8 Nov 2020 23:16:56 -0500 Subject: [PATCH 318/355] spelling: params Signed-off-by: Josh Soref --- include/helper_configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/include/helper_configure b/include/helper_configure index ebd7f706..029ab4f7 100644 --- a/include/helper_configure +++ b/include/helper_configure @@ -72,7 +72,7 @@ ExitFatal fi - FIND=$(echo ${HELPER_PARAMERS} | grep " ") + FIND=$(echo ${HELPER_PARAMS} | grep " ") if [ ! "${FIND}" = "" ]; then ${ECHOCMD} "Found invalid character (space) in configuration string"; ExitFatal; fi CONFIGURE_SETTINGS=$(echo $2 | sed 's/:/ /g') From 5f38b03c53f157e14c8bb750505363fe56baef71 Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Sun, 8 Nov 2020 23:16:58 -0500 Subject: [PATCH 319/355] spelling: promiscuous Signed-off-by: Josh Soref --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f682643a..b699038e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3120,7 +3120,7 @@ Lynis 1.1.5 (2008-06-10) - Improved FreeBSD pkg_info output, logging output and report data [PKG-7302] - Changed shell history file test, searching files with maxdepth 1 [HOME-9310] - Extended iptables test, to check Linux kernel configuration file [FIRE-4511] - - Added report warning to promicuous test [NETW-3014] + - Added report warning to promiscuous test [NETW-3014] - Fixed yellow color when being used at text display - Several logging improvements and cleanups From 2f025e7727d5f32ff1847464bae68f7fa0698cb6 Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Sun, 8 Nov 2020 23:16:59 -0500 Subject: [PATCH 320/355] spelling: removed Signed-off-by: Josh Soref --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b699038e..fc087004 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
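Review bot: This hunk renames only the read side, `${HELPER_PARAMERS}` to `${HELPER_PARAMS}`, and the diffstat shows a single changed line in the file, so the assignment elsewhere in include/helper_configure now agrees with only one of the two spellings. If the assignment still uses `HELPER_PARAMERS`, the space check on the new line reads an unset variable and never fires, or aborts under the `set -u` strict mode the main script enables; if it already used `HELPER_PARAMS`, the check was dead code before and this spelling commit silently activates it. Either way the assignment should be confirmed in the same commit; the enclosing block starts and ends outside the hunk.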
@@ -164,7 +164,7 @@ Using the relevant options, the scan will change base on the intended goal. - AUTH-9268 - Perform test also on DragonFly, FreeBSD, and NetBSD - AUTH-9282 - fix: temporary variable was overwritten - AUTH-9408 - added support for pam_tally2 to log failed logins -- AUTH-9489 - test removedd as it is merged with AUTH-9218 +- AUTH-9489 - test removed as it is merged with AUTH-9218 - BANN-7126 - additional words for login banner are accepted - BOOT-5122 - check for defined password in all GRUB configuration files - CONT-8106 - support newer 'docker info' output From c17a659dfe1f5222f9f0ae5a69b410feaf0c103e Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Sun, 8 Nov 2020 23:45:43 -0500 Subject: [PATCH 321/355] spelling: separated Signed-off-by: Josh Soref --- CHANGELOG.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fc087004..4c4089ac 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3252,7 +3252,7 @@ Lynis 1.0.9 (2008-03-24) - Added available shells from /etc/shells to report file - Updated man page - Fixed option in main help window for --man option - - Code improvement, splitting up sections to seperated files + - Code improvement, splitting up sections to separated files --------------------------------------------------------------------------------- @@ -3268,7 +3268,7 @@ Lynis 1.0.8 (2008-02-10) - Changed old temporary files check - Changed test to include ubuntu security repository - Moved UID check to avoid PID creation as non root user - - Moved most functions to seperated files and several code cleanups + - Moved most functions to separated files and several code cleanups - Improved logging output - Extended FreeBSD (Copyright file) test - Changed indentation for many tests 
@@ -3312,7 +3312,7 @@ Lynis 1.0.7 (2008-01-28) - Updated year number in program and support files - Added new function Display, to use indentation within lines - Added function RemovePIDFile before some exit routines, to clean up PID file - - Extracted profile support, parameter support to seperated files + - Extracted profile support, parameter support to separated files - Created file tests_ports_packages for Ports and Packages - Deleted lynis.spec file, since it was not working and will be rewritten later From 499dff24286e4889d732028085a2506c40097215 Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Sun, 8 Nov 2020 23:17:01 -0500 Subject: [PATCH 322/355] spelling: settings Signed-off-by: Josh Soref --- extras/bash_completion.d/lynis | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extras/bash_completion.d/lynis b/extras/bash_completion.d/lynis index 7eee7375..5c816aea 100644 --- a/extras/bash_completion.d/lynis +++ b/extras/bash_completion.d/lynis @@ -126,7 +126,7 @@ _lynis() report) return 0 ;; - settiings) + settings) return 0 ;; tests) From f22e1928383b68b9204906816e18f2b3af74774a Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Sun, 8 Nov 2020 23:17:05 -0500 Subject: [PATCH 323/355] spelling: successful Signed-off-by: Josh Soref --- include/tests_time | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_time b/include/tests_time index f4c8bee9..0d1d65cb 100644 --- a/include/tests_time +++ b/include/tests_time 
@@ -86,7 +86,7 @@ # Reason: openntpd syncs only if large time corrections are not required or -s is passed. # This might be not intended by the administrator (-s is NOT the default!) FIND=$(${PSBINARY} ax | ${GREPBINARY} "ntpd: ntp engine" | ${GREPBINARY} -v "grep") - # Status code 0 is when communication over the socket is successfull + # Status code 0 is when communication over the socket is successful if ${NTPCTLBINARY} -s status > /dev/null 2> /dev/null; then FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="openntpd" LogText "result: found openntpd (method: ntpctl)" From 7157eb45f0fc9320a109d75e1d11405f19b4396c Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Sun, 8 Nov 2020 23:17:03 -0500 Subject: [PATCH 324/355] spelling: suggestions Signed-off-by: Josh Soref --- include/report | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/include/report b/include/report index 29f45643..3d0c7fdf 100644 --- a/include/report +++ b/include/report @@ -151,14 +151,14 @@ fi # Show suggestions from logfile - SSUGGESTIONS=$(${GREPBINARY} 'Suggestion: ' ${LOGFILE} | sed 's/ /!space!/g') + SUGGESTIONS=$(${GREPBINARY} 'Suggestion: ' ${LOGFILE} | sed 's/ /!space!/g') - if [ -z "${SSUGGESTIONS}" ]; then + if [ -z "${SUGGESTIONS}" ]; then echo " ${OK}No suggestions${NORMAL}"; echo "" else echo " ${YELLOW}Suggestions${NORMAL} (${TOTAL_SUGGESTIONS}):" echo " ${WHITE}----------------------------${NORMAL}" - for SUGGESTION in ${SSUGGESTIONS}; do + for SUGGESTION in ${SUGGESTIONS}; do SOLUTION="" SHOWSUGGESTION=$(echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^.* Suggestion: //' | sed 's/\[details:\(.*\)\] \[solution:\(.*\)\]//' | sed 's/test://') ADDLINK=$(echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^.* Suggestion: \(.*\)\[test://' | sed 's/\]\(.*\)]//' | ${AWKBINARY} -F: '{print $1}') 
@@ -183,7 +183,7 @@ done fi # Show tip on how to continue (next steps) - if [ ! "${SWARNINGS}" = "" -o ! "${SSUGGESTIONS}" = "" ]; then + if [ ! "${SWARNINGS}" = "" -o ! "${SUGGESTIONS}" = "" ]; then echo " ${CYAN}Follow-up${NORMAL}:" echo " ${WHITE}----------------------------${NORMAL}" echo " ${WHITE}-${NORMAL} Show details of a test (lynis show details TEST-ID)" From e9dc1ac92dda0975ef0392998800eee5239a1739 Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Sun, 8 Nov 2020 23:17:06 -0500 Subject: [PATCH 325/355] spelling: suppress Signed-off-by: Josh Soref --- CHANGELOG.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4c4089ac..c2188a6b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2291,7 +2291,7 @@ Lynis 1.4.2 (2014-02-19) Changes: - Ignore interfaces aliases for HostID - Extended umask tests with pam_umask entries [AUTH-9328] - - Check for supressed version on Squid [SQD-3680] + - Check for suppressed version on Squid [SQD-3680] --------------------------------------------------------------------------------- @@ -2431,7 +2431,7 @@ Lynis 1.3.6 (2013-12-03) - Adjusted PHP check to find ini files [PHP-2211] - Skip Apache test for NetBSD [HTTP-6622] - Skip test http version check for NetBSD [HTTP-6624] - - Additional check to supress sort error [HTTP-6626] + - Additional check to suppress sort error [HTTP-6626] - Improved the way binaries are checked (less disk reads) - Adjusted ReportWarning() function to skip impact rating - Improved report on screen by leaving out date/time and type From 8eae80c84088d8f4b15b277ba464d71eb249518e Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Sun, 8 Nov 2020 23:17:10 -0500 Subject: [PATCH 326/355] spelling: synchronization Signed-off-by: Josh Soref --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c2188a6b..fb96e39e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1709,7 +1709,7 @@ Added tests for CSF's lfd utility for integrity monitoring on directories and files. Related tests are FINT-4334 and FINT-4336. Added support for Chrony time daemon and timesync daemon. Additionally NTP -sychronization status is checked when it is enabled. +synchronization status is checked when it is enabled. Improved single user mode protection on the rescue.service file. From 9d0e1938aac68b30cc4265229f8865828e643d70 Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Sun, 8 Nov 2020 23:55:36 -0500 Subject: [PATCH 327/355] spelling: therefore Signed-off-by: Josh Soref --- include/tests_kernel | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_kernel b/include/tests_kernel index 34ac3bfd..3d3ac339 100644 --- a/include/tests_kernel +++ b/include/tests_kernel @@ -796,7 +796,7 @@ # Attempt to check for Raspbian if reboot is needed # This check searches for apt package "raspberrypi-kernel-[package-date]", trys to extract the date of packaging from the filename # and compares that date with the currently running kernel's build date (uname -v). - # Of course there can be a time difference between kernel build and kernel packaging, therefor a time difference of + # Of course there can be a time difference between kernel build and kernel packaging, therefore a time difference of # 3 days is accepted and it is assumed with only 3 days apart, this must be the same kernel version. if [ ${REBOOT_NEEDED} -eq 2 ] && [ -d "${APT_ARCHIVE_DIRECTORY}" ]; then LogText "Result: found folder ${APT_ARCHIVE_DIRECTORY}; assuming this is a debian based distribution" From f2415674a87ff66c58290594d6a9abd9c1e8971e Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Sun, 8 Nov 2020 23:17:12 -0500 Subject: [PATCH 328/355] spelling: unexpected Signed-off-by: Josh Soref --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fb96e39e..d60d7fc0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1431,7 +1431,7 @@ release. ------------ The biggest change in this release is the optimization of several functions. It allows for better detection, and dealing with the quirks, of every single -operating system. Some functions were fortified to handle unexcepted results +operating system. Some functions were fortified to handle unexpected results better, like missing a particular binary, or not returning the hostname. This release also enables tests to be shorter, by adding new functions. Some From fcb90cb389ae46d7ffc22dec35a0f6da62d21049 Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Sun, 8 Nov 2020 23:47:10 -0500 Subject: [PATCH 329/355] spelling: uninitialized Signed-off-by: Josh Soref --- lynis | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lynis b/lynis index e7af15da..7ea78b0c 100755 --- a/lynis +++ b/lynis @@ -589,7 +589,7 @@ ${NORMAL} if [ ${SET_STRICT} -eq 0 ]; then set +u # Allow uninitialized variables else - set -u # Do not allow unitialized variables + set -u # Do not allow uninitialized variables fi # Import a different language when configured From 6435aeba8a6a2dcd96f2a939938b20874b5d8bb7 Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Sun, 8 Nov 2020 23:17:13 -0500 Subject: [PATCH 330/355] spelling: unknown Signed-off-by: Josh Soref --- include/tests_dns | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/tests_dns b/include/tests_dns index e21a2aef..085168d4 100644 --- a/include/tests_dns +++ b/include/tests_dns 
@@ -45,11 +45,11 @@ # # if [ "${GOOD}" = "${TIMEOUT}" -a "${BAD}" = "${TIMEOUT}" ]; then # LogText "Result: received timeout, can't determine DNSSEC validation" -# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKOWN}" --color YELLOW +# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKNOWN}" --color YELLOW # #ReportException "${TEST_NO}" "Exception found, both query failed, due to connection timeout" # elif [ -z "${GOOD}" -a -n "${BAD}" ]; then # LogText "Result: good signature failed, yet bad signature was accepted" -# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKOWN}" --color YELLOW +# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKNOWN}" --color YELLOW # #ReportException "${TEST_NO}" "Exception found, OK failed, bad signature was accepted" # elif [ -n "${GOOD}" -a -n "${BAD}" ]; then # Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_SUGGESTION}" --color YELLOW From 114170cdcae219fd4419be03e496958d1cf08d9b Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Sun, 8 Nov 2020 23:18:19 -0500 Subject: [PATCH 331/355] spelling: usable Signed-off-by: Josh Soref --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d60d7fc0..fe96bbb4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3193,7 +3193,7 @@ Lynis 1.1.2 (2008-05-11) - Added several php.ini file locations (MacOS X, OpenBSD, OpenSuSE) ** Special release notes [package/ports]: ** - - Added several default paths to check for usuable an INCLUDE directory. This + - Added several default paths to check for usable an INCLUDE directory. This should make packaging Lynis easier for downstream package providers. - When no profile is set, Lynis will check first /etc/lynis/default.prf, before setting default.prf (in current work directory) as profile to use. 
From 358fc02402c32b91903247064ec93c5712984bd1 Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Sun, 8 Nov 2020 23:24:47 -0500 Subject: [PATCH 332/355] Fix changelog message Signed-off-by: Josh Soref --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fe96bbb4..85b06981 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3193,7 +3193,7 @@ Lynis 1.1.2 (2008-05-11) - Added several php.ini file locations (MacOS X, OpenBSD, OpenSuSE) ** Special release notes [package/ports]: ** - - Added several default paths to check for usable an INCLUDE directory. This + - Added several default paths to check for usable INCLUDE directory. This should make packaging Lynis easier for downstream package providers. - When no profile is set, Lynis will check first /etc/lynis/default.prf, before setting default.prf (in current work directory) as profile to use. From f8178767374219a534513d447563b3cbdab5566b Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 9 Nov 2020 14:14:35 +0100 Subject: [PATCH 333/355] Update CHANGELOG.md --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 85b06981..6ce2eca2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ - KRNL-5830 - Improved reboot test by ignoring known bad values - KRNL-5830 - Ignore rescue kernel such as on CentOS systems - KRNL-5830 - Detection of Alpine Linux kernel +- NETW-2400 - Compatibility change for hostname check - PKGS-7410 - Don't show exception if no kernels were found on the disk - TIME-3185 - Supports now checking files at multiple locations (systemd) - ParseNginx function: Support include on absolute paths From 3c31a08024a11f8d9e3ec989ab007a4192bde44d Mon Sep 17 00:00:00 2001 
From: Simon Biewald Date: Mon, 9 Nov 2020 23:18:00 +0000 Subject: [PATCH 334/355] Do not incorrectly name SFM as IPS The "new" service manager was included with Solaris 10 and not 11. It is named "service management facility" (see smf(5) man page). There is no IPS service manager, the name is only used for the package manager of OpenSolaris and Solaris 11. Signed-off-by: Simon Biewald --- include/tests_boot_services | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_boot_services b/include/tests_boot_services index 85c3d659..474c04c2 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services @@ -141,7 +141,7 @@ ;; "Solaris") if [ -n "${ROOTDIR}usr/bin/svcs" ]; then - SERVICE_MANAGER="IPS" + SERVICE_MANAGER="SMF (svcs)" elif [ -d "${ROOTDIR}etc/init.d" ]; then SERVICE_MANAGER="SysV Init" fi From d388e5d26921a1a8fb0f445e00c58d152c5c4f63 Mon Sep 17 00:00:00 2001 From: Simon Biewald Date: Wed, 4 Nov 2020 23:50:21 +0000 Subject: [PATCH 335/355] Add OpenSolaris and distribution detection New variable OPENSOLARIS to distinguish between Oracle Solaris and OpenSolaris derivatives. The edge case of OpenSolaris itself is not yet solved, but OpenSolaris itself should be very rare these days. Currently detected and distinguished Solaris variants are: - Oracle Solaris >= 11 (excluding Solaris Express and OpenSolaris) - Solaris < 11 (as "Sun Solaris") - OmniosCE (but not old Omnios) - OpenIndiana - Shillix - SmartOS - Tribblix - "Unknown Illumos" for unknown distributions based on Illumos Lynis will fall back to "Sun Solaris" with "SunOS 5.X" for unknown distributions. --- include/osdetection | 85 ++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 81 insertions(+), 4 deletions(-) diff --git a/include/osdetection b/include/osdetection index b52ab188..793ae448 100644 --- a/include/osdetection +++ b/include/osdetection 
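Review bot: The condition that guards the new SERVICE_MANAGER value, `if [ -n "${ROOTDIR}usr/bin/svcs" ]`, only tests that a non-empty string exists, not that the binary does, so it is always true and the SysV fallback on the following `elif` is unreachable. Changing it to `if [ -x "${ROOTDIR}usr/bin/svcs" ]; then` makes the "SMF (svcs)" label apply only when the svcs client is actually present. The rename itself matches the description (svcs belongs to SMF; IPS is the package system). The enclosing case statement and function start outside the hunk.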
@@ -556,12 +556,89 @@ SYSCTL_READKEY="" ;; - # Solaris / OpenSolaris + # Solaris / OpenSolaris / Ilumos ... SunOS) OS="Solaris" - OS_NAME="Sun Solaris" - OS_FULLNAME=$(uname -s -r) - OS_VERSION=$(uname -r) + OS_KERNELVERSION=$(uname -v) + OPENSOLARIS=0 + + if [ -f /etc/os-release ]; then + OS_ID=$(grep "^ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + OS_VERSION=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + OS_FULLNAME=$(awk -F= '/^PRETTY_NAME=/ {print substr($2,2,length($2)-2)}' /etc/os-release) + case "${OS_ID}" in + "solaris") + OS_NAME="Oracle Solaris" + ;; + "omnios") + OS_NAME="OmniOS" + OPENSOLARIS=1 + ;; + "tribblix") + OS_NAME="Tribblix" + OS_FULLNAME="Tribblix ${OS_VERSION}" + OPENSOLARIS=1 + ;; + "*") + ReportException "OS Detection" "Unknown OS found in /etc/os-release - Please create issue on GitHub project page: ${PROGRAM_SOURCE}" + ;; + esac + elif [ "$(uname -o 2> /dev/null)" == "illumos" ]; then + OPENSOLARIS=1 + + # Solaris has a free form text file with release information + if grep "OpenIndiana" /etc/release > /dev/null; then + OS_NAME="OpenIndiana" + if grep "Hipster" /etc/release > /dev/null; then + OS_VERSION="$(tr ' ' '\n' < /etc/release | grep '[[:digit:]]\.[[:digit:]]')" + OS_FULLNAME="OpenIndiana Hipster $OS_VERSION" + else + OS_VERSION="Unknown" + OS_FULLNAME="OpenIndiana (unknown edition)" + fi + elif grep "OmniOS" /etc/release > /dev/null; then + OS_NAME="OmniOS" + OS_VERSION="$(tr ' ' '\n' < /etc/release | grep 'r[[:digit:]]')" + if grep "Community Edition" /etc/release > /dev/null; then + OS_FULLNAME="OmniOS Community Edition v11 $OS_VERSION" + fi + elif grep "SmartOS" /etc/release > /dev/null; then + OS_NAME="SmartOS" + OS_VERSION="-" + OS_FULLNAME="SmartOS" + else + OS_NAME="Unknown Illumos" + fi + elif grep "SchilliX" /etc/release > /dev/null; then + OS_NAME="SchilliX" + OS_FULLNAME="$(head -n 1 /etc/release | xargs)" + OS_VERSION="$(echo "$OS_FULLNAME" | cut -d '-' -f 2)" + + OPENSOLARIS=1 + 
elif head -n 1 < /etc/release | grep "Oracle Solaris" > /dev/null; then + OS_NAME="Oracle Solaris" + OS_FULLNAME="$(head -n 1 /etc/release | xargs)" + OS_VERSION="$(head -n 1 < /etc/release | xargs | cut -d ' ' -f 3)" + elif head -n 1 < /etc/release | xargs | grep "^Solaris " > /dev/null; then + OS_NAME="Sun Solaris" + # Example of /etc/release: + # Solaris 10 5/08 + # ... + # Solaris 10 10/09 (Update 8) + # The first line does not contain the "Update" number, + # only if present. + if tail -1 < /etc/release | xargs | grep "^Solaris " > /dev/null; then + OS_FULLNAME=$(tail -1 < /etc/release | xargs) + else + OS_FULLNAME=$(head -1 < /etc/release | xargs) + fi + OS_VERSION=$(echo "$OS_FULLNAME" | cut -d ' ' -f 2,3) + else # Old behaviour + OS_NAME="Sun Solaris" + OS_FULLNAME=$(uname -s -r) + OS_VERSION=$(uname -r) + fi + HARDWARE=$(uname -m) if [ -x /usr/bin/isainfo ]; then # Returns 32, 64 From 7cb84bf2a8521ab29193ca533388c7cc31864dba Mon Sep 17 00:00:00 2001 From: Simon Biewald Date: Wed, 4 Nov 2020 23:59:53 +0000 Subject: [PATCH 336/355] Add OmniosCE and Solaris EOL dates --- db/software-eol.db | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/db/software-eol.db b/db/software-eol.db index ea23509c..0c89b74b 100644 --- a/db/software-eol.db +++ b/db/software-eol.db 
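Review bot: The default arm of the `/etc/os-release` case is written as `"*")`, and in a case pattern a quoted `*` matches only the literal string `*`, so an unrecognised ID silently leaves OS_NAME unset instead of reaching ReportException; it should read `*)`. In the same hunk `[ "$(uname -o 2> /dev/null)" == "illumos" ]` uses `==`, which is not a POSIX `test` operator and is rejected by some /bin/sh implementations, whereas `=` behaves identically everywhere. The OpenIndiana Hipster branch also derives OS_VERSION from `grep '[[:digit:]]\.[[:digit:]]'` over every whitespace-separated token of /etc/release, which can yield several lines if more than one token matches; appending `| head -n 1` keeps the value single-line. The SunOS arm is inside the hunk, but the enclosing case statement and function begin outside it.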
@@ -237,4 +237,20 @@ os:Ubuntu 18.10:2019-07-18:1563400800: os:Ubuntu 19.04:2020-01-01:1577833200: os:Ubuntu 20.04:2025-04-01:1743458400: # +# OmniosCE - https://omniosce.org/releasenotes.html +# +os:OmniOS Community Edition v11 r151022:2020-05-11:1589148000: +os:OmniOS Community Edition v11 r151024:2018-11-04:1541286000: +os:OmniOS Community Edition v11 r151026:2019-05-05:1557007200: +os:OmniOS Community Edition v11 r151028:2019-11-04:1572822000: +os:OmniOS Community Edition v11 r151030::-1: +os:OmniOS Community Edition v11 r151032:2020-11-03:1604358000: +os:OmniOS Community Edition v11 r151034::-1: +# +## Oracle Solaris - https://www.oracle.com/us/support/library/lifetime-support-hardware-301321.pdf (p. 34) +# The list below contains Premier Support End only +# +os:Oracle Solaris 11.3:2021-01-01:1609455600: +os:Oracle Solaris 11.4:2031-11-01:1951254000: +# # EOF From 183af1d334ee6111f08d1e9d2539d959ef871c2f Mon Sep 17 00:00:00 2001 From: Simon Biewald Date: Thu, 12 Nov 2020 22:12:26 +0100 Subject: [PATCH 337/355] Add IPFire to osdetection Fixes cisofy/lynis#1040. Signed-off-by: Simon Biewald --- include/osdetection | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/include/osdetection b/include/osdetection index b52ab188..925beec2 100644 --- a/include/osdetection +++ b/include/osdetection @@ -207,6 +207,11 @@ OS_NAME="Gentoo Linux" OS_VERSION="Rolling release" ;; + "ipfire") + LINUX_VERSION="IPFire" + OS_NAME="IPFire" + OS_VERSION=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + ;; "kali") LINUX_VERSION="Kali" OS_NAME="Kali Linux" From 3f83b9ac86e5602dd57457230a1541f8082f25a4 Mon Sep 17 00:00:00 2001 From: Simon Biewald Date: Thu, 12 Nov 2020 22:56:31 +0100 Subject: [PATCH 338/355] Add NixOS to osdetection Fixes cisofy/lynis#1068. Signed-off-by: Simon Biewald --- include/osdetection | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/include/osdetection b/include/osdetection index 925beec2..26a95570 100644 --- a/include/osdetection 
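Review bot: The new ipfire arm sets OS_VERSION from the `VERSION=` key and never assigns OS_VERSION_FULL, whereas the other /etc/os-release arms on this page (the nixos arm added in the next commit, and the arm visible just above the endeavouros addition later on) take OS_VERSION from `VERSION_ID=` and OS_VERSION_FULL from `VERSION=`. Unless IPFire's os-release lacks a VERSION_ID field, using the same pair keeps the variables consistent across distributions: `OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')` followed by `OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')`. The grep/awk/tr pipeline is now copied into several arms; a small helper in the same file would remove the duplication. The enclosing case statement starts outside the hunk.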
+++ b/include/osdetection @@ -235,6 +235,12 @@ OS_NAME="Manjaro" OS_VERSION="Rolling release" ;; + "nixos") + LINUX_VERSION="NixOS" + OS_NAME="NixOS" + OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + ;; "ol") LINUX_VERSION="Oracle Linux" OS_NAME="Oracle Linux" From ba09fd9462507f7d4d843cb8b25b9bf852390321 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 13 Nov 2020 16:00:12 +0100 Subject: [PATCH 339/355] Update CHANGELOG.md --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6ce2eca2..6f2b37bc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,7 +5,7 @@ ### Added - AUTH-9284 - Scan for locked user accounts in /etc/passwd - TOOL-5130 - Check for active Suricata daemon -- Detection of Flatcar, Mageia, ROSA Linux, SLES (extended), Void Linux, Zorin OS +- Detection of Flatcar, IPFire, Mageia, NixOS, ROSA Linux, SLES (extended), Void Linux, Zorin OS - Alpine, macOS and Mageia EOL dates ### Changed From cbb2735e636a5671e6df685631abd3e073f4e944 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 13 Nov 2020 16:03:08 +0100 Subject: [PATCH 340/355] Update CHANGELOG.md --- CHANGELOG.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6f2b37bc..bbf8e892 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -5,8 +5,9 @@ ### Added - AUTH-9284 - Scan for locked user accounts in /etc/passwd - TOOL-5130 - Check for active Suricata daemon -- Detection of Flatcar, IPFire, Mageia, NixOS, ROSA Linux, SLES (extended), Void Linux, Zorin OS -- Alpine, macOS and Mageia EOL dates +- OS detection of Flatcar, IPFire, Mageia, NixOS, ROSA Linux, SLES (extended), Void Linux, Zorin OS +- OS detection of OpenIndiana (Hipster and Legacy), Shillix, SmartOS, Tribblix, and others +- EOL dates for Alpine, macOS, Mageia, OmniosCE, and Solaris 11 ### Changed - ACCT-9626 - Detect sysstat systemd unit From 777da3a4eb4a097ecaa865db049e951bb854d708 Mon Sep 17 00:00:00 2001 From: Simon Biewald Date: Sat, 14 Nov 2020 19:42:45 +0000 Subject: [PATCH 341/355] Extend German translation file Signed-off-by: Simon Biewald --- db/languages/de | 47 +++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 45 insertions(+), 2 deletions(-) diff --git a/db/languages/de b/db/languages/de index ef6711c8..b0e7195f 100644 --- a/db/languages/de +++ b/db/languages/de 
@@ -14,12 +14,55 @@ NOTE_EXCEPTIONS_FOUND="Abweichungen gefunden" NOTE_EXCEPTIONS_FOUND_DETAILED="Einige außergewöhnliche Ereignisse oder Informationen wurden gefunden" NOTE_PLUGINS_TAKE_TIME="Beachte: Plugins beinhalten eingehendere Tests und können mehrere Minuten benötigen, bis sie abgeschlossen sind" NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Übersprungene Tests aufgrund nicht privilegiertem Modus" +SECTION_ACCOUNTING="Accounting" +SECTION_BANNERS_AND_IDENTIFICATION="Banner und Identifizierung" +SECTION_BASICS="Grundlegendes" +SECTION_BOOT_AND_SERVICES="Systemstart und Dienste" +SECTION_CONTAINERS="Container" +SECTION_CRYPTOGRAPHY="Kryptographie" SECTION_CUSTOM_TESTS="Benutzerdefinierte Tests" SECTION_DATA_UPLOAD="Daten hochladen" +SECTION_DATABASES="Datenbanken" +SECTION_DOWNLOADS="Downloads" +SECTION_EMAIL_AND_MESSAGING="Software: E-Mail und Messaging" +SECTION_FILE_INTEGRITY="Software: Dateintegrität" +SECTION_FILE_PERMISSIONS="Dateiberechtigungen" +SECTION_FILE_SYSTEMS="Dateisysteme" +SECTION_FIREWALLS="Software: Firewalls" +SECTION_GENERAL="Allgemein" +SECTION_HARDENING="Härtung" +SECTION_HOME_DIRECTORIES="Heimatverzeichnisse" +SECTION_IMAGE="Image" SECTION_INITIALIZING_PROGRAM="Initialisiere Programm" -SECTION_MALWARE="Malware" -SECTION_MEMORY_AND_PROCESSES="Speicher und Prozesse" +SECTION_INSECURE_SERVICES="Unsicheres Dienste" +SECTION_KERNEL="Kernel" +SECTION_KERNEL_HARDENING="Kernelhärtung" +SECTION_LDAP_SERVICES="LDAP Dienste" +SECTION_LOGGING_AND_FILES="Logs und Logdateien" +SECTION_MALWARE="Software: Malware" +SECTION_MEMORY_AND_PROCESSES="Software: Speicher und Prozesse" +SECTION_NAME_SERVICES="Namensauflösung" +SECTION_NETWORKING="Netzwerk" +SECTION_PERMISSIONS="Berechtigungen" +SECTION_PORTS_AND_PACKAGES="Ports und Pakete" +SECTION_PRINTERS_AND_SPOOLS="Drucker und Warteschlange" +SECTION_PROGRAM_DETAILS="Programmdetails" +SECTION_SCGEDULED_TASKS="Geplante Aufgaben" +SECTION_SECURITY_FRAMEWORKS="Sicherheitsframeworks" +SECTION_SHELLS="Shells" 
+SECTION_SNMP_SUPPORT="SNMP Unterstützung" +SECTION_SOFTWARE="Software" +SECTION_SQUID_SUPPORT="Squid" +SECTION_SSH_SUPPORT="SSH" +SECTION_STORAGE="Speicher" +SECTION_SYSTEM_INTEGRITY="Software: Systemintegrität" +SECTION_SYSTEM_TOOLING="Software: Systemwerkzeuge" SECTION_SYSTEM_TOOLS="Systemwerkzeuge" +SECTION_TIME_AND_SYNCHRONIZATION="Zeit und Zeitsynchronisierung" +SECTION_USB_DEVICES="USB Geräte" +SECTION_USERS_GROUPS_AND_AUTHENTICATION="Benutzer, Gruppen und Authentifizierung" +SECTION_VIRTUALIZATION="Virtualisierung" +SECTION_WEBSERVER="Software: Webserver" STATUS_DISABLED="DEAKTIVIERT" STATUS_DONE="FERTIG" STATUS_ENABLED="AKTIVIERT" From 7ec3b5b0d5fb8f4c91d97ae683a1d96f214b50b1 Mon Sep 17 00:00:00 2001 From: Simon Biewald Date: Sat, 14 Nov 2020 20:24:06 +0000 Subject: [PATCH 342/355] Add more status strings (en and de) Signed-off-by: Simon Biewald --- db/languages/de | 3 +++ db/languages/en | 3 +++ 2 files changed, 6 insertions(+) diff --git a/db/languages/de b/db/languages/de index b0e7195f..cd71d5f0 100644 --- a/db/languages/de +++ b/db/languages/de @@ -63,15 +63,18 @@ SECTION_USB_DEVICES="USB Geräte" SECTION_USERS_GROUPS_AND_AUTHENTICATION="Benutzer, Gruppen und Authentifizierung" SECTION_VIRTUALIZATION="Virtualisierung" SECTION_WEBSERVER="Software: Webserver" +STATUS_ACTIVE="AKTIV" STATUS_DISABLED="DEAKTIVIERT" STATUS_DONE="FERTIG" STATUS_ENABLED="AKTIVIERT" STATUS_ERROR="FEHLER" STATUS_FAILED="FEHLERHAFT" STATUS_FOUND="GEFUNDEN" +STATUS_INSTALLED="INSTALLIERT" STATUS_NO="NEIN" STATUS_NONE="NICHTS" STATUS_NOT_CONFIGURED="NICHT KONFIGURIERT" +STATUS_NOT_ENABLED="NICHT AKTIVIERT" STATUS_NOT_FOUND="NICHT GEFUNDEN" STATUS_NOT_RUNNING="LÄUFT NICHT" STATUS_OFF="AUS" diff --git a/db/languages/en b/db/languages/en index 7ab20590..b5cbef6a 100644 --- a/db/languages/en +++ b/db/languages/en 
@@ -63,15 +63,18 @@ SECTION_USB_DEVICES="USB Devices" SECTION_USERS_GROUPS_AND_AUTHENTICATION="Users, Groups and Authentication" SECTION_VIRTUALIZATION="Virtualization" SECTION_WEBSERVER="Software: webserver" +STATUS_ACTIVE="ACTIVE" STATUS_DISABLED="DISABLED" STATUS_DONE="DONE" STATUS_ENABLED="ENABLED" STATUS_ERROR="ERROR" STATUS_FAILED="FAILED" STATUS_FOUND="FOUND" +STATUS_INSTALLED="INSTALLED" STATUS_NO="NO" STATUS_NONE="NONE" STATUS_NOT_CONFIGURED="NOT CONFIGURED" +STATUS_NOT_ENABLED="NOT ENABLED" STATUS_NOT_FOUND="NOT FOUND" STATUS_NOT_RUNNING="NOT RUNNING" STATUS_OFF="OFF" From 0c686bb6ea4972423ad78c93f80449e1e862f6c1 Mon Sep 17 00:00:00 2001 From: Simon Biewald Date: Sat, 14 Nov 2020 20:27:39 +0000 Subject: [PATCH 343/355] Use the new status strings in tests See-Also: HEAD^ Signed-off-by: Simon Biewald --- include/tests_authentication | 12 ++++++------ include/tests_firewalls | 4 ++-- include/tests_insecure_services | 8 ++++---- include/tests_networking | 2 +- include/tests_ports_packages | 2 +- 5 files changed, 14 insertions(+), 14 deletions(-) diff --git a/include/tests_authentication b/include/tests_authentication index b27e59c7..ce2205ca 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -502,7 +502,7 @@ FIND=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${EGREPBINARY} "compat|nisplus") if [ -z "${FIND}" ]; then LogText "Result: NIS+ authentication not enabled" - Display --indent 2 --text "- NIS+ authentication support" --result "NOT ENABLED" --color WHITE + Display --indent 2 --text "- NIS+ authentication support" --result "${STATUS_NOT_ENABLED}" --color WHITE else FIND2=$(${EGREPBINARY} "^passwd_compat" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus") FIND3=$(${EGREPBINARY} "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus") 
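Review bot: The `FIND` assignment at the top of this hunk reads `/etc/nsswitch.conf` directly while FIND2 and FIND3 two lines below read `${ROOTDIR}etc/nsswitch.conf`, so the decision that selects the new `${STATUS_NOT_ENABLED}` result ignores ROOTDIR; the NIS hunk at -529 on the next line has the same split, with all three reads bypassing ROOTDIR. Unless ROOTDIR is guaranteed to be `/` here, `FIND=$(${EGREPBINARY} "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${EGREPBINARY} "compat|nisplus")` brings the test in line with the LDAP hunk at -1489, which already uses ROOTDIR. The enclosing test block starts outside the hunk.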
@@ -511,7 +511,7 @@ Display --indent 2 --text "- NIS+ authentication support" --result "${STATUS_ENABLED}" --color GREEN else LogText "Result: NIS+ authentication not enabled" - Display --indent 2 --text "- NIS+ authentication support" --result "NOT ENABLED" --color WHITE + Display --indent 2 --text "- NIS+ authentication support" --result "${STATUS_NOT_ENABLED}" --color WHITE fi fi else @@ -529,7 +529,7 @@ FIND=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${EGREPBINARY} "compat|nis" | ${GREPBINARY} -v "nisplus") if [ -z "${FIND}" ]; then LogText "Result: NIS authentication not enabled" - Display --indent 2 --text "- NIS authentication support" --result "NOT ENABLED" --color WHITE + Display --indent 2 --text "- NIS authentication support" --result "${STATUS_NOT_ENABLED}" --color WHITE else FIND2=$(${EGREPBINARY} "^passwd_compat" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus") FIND3=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus") @@ -538,7 +538,7 @@ Display --indent 2 --text "- NIS authentication support" --result "${STATUS_ENABLED}" --color GREEN else LogText "Result: NIS authentication not enabled" - Display --indent 2 --text "- NIS authentication support" --result "NOT ENABLED" --color WHITE + Display --indent 2 --text "- NIS authentication support" --result "${STATUS_NOT_ENABLED}" --color WHITE fi fi else @@ -1475,7 +1475,7 @@ if [ ${FOUND} -eq 1 ]; then Display --indent 2 --text "- Checking account locking" --result "${STATUS_ENABLED}" --color GREEN else - Display --indent 2 --text "- Checking account locking" --result "NOT ENABLED" --color YELLOW + Display --indent 2 --text "- Checking account locking" --result "${STATUS_NOT_ENABLED}" --color YELLOW fi fi # 
@@ -1489,7 +1489,7 @@ FIND=$(${EGREPBINARY} "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "ldap") if [ "${FIND}" = "" ]; then LogText "Result: LDAP authentication not enabled" - Display --indent 2 --text "- LDAP authentication support" --result "NOT ENABLED" --color WHITE + Display --indent 2 --text "- LDAP authentication support" --result "${STATUS_NOT_ENABLED}" --color WHITE else LogText "Result: LDAP authentication enabled" Display --indent 2 --text "- LDAP authentication support" --result "${STATUS_ENABLED}" --color GREEN diff --git a/include/tests_firewalls b/include/tests_firewalls index 4d0ba748..685f2452 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls @@ -539,7 +539,7 @@ Register --test-no FIRE-4590 --weight L --network NO --category security --description "Check firewall status" if [ ${SKIPTEST} -eq 0 ]; then if [ ${FIREWALL_ACTIVE} -eq 1 ]; then - Display --indent 2 --text "- Checking host based firewall" --result "ACTIVE" --color GREEN + Display --indent 2 --text "- Checking host based firewall" --result "${STATUS_ACTIVE}" --color GREEN LogText "Result: host based firewall or packet filter is active" Report "manual[]=Verify if there is a formal process for testing and applying firewall rules" Report "manual[]=Verify all traffic is filtered the right way between the different security zones" @@ -548,7 +548,7 @@ Report "manual[]=Make sure an explicit deny all is the default policy for all unmatched traffic" AddHP 5 5 else - Display --indent 2 --text "- Checking host based firewall" --result "NOT ACTIVE" --color YELLOW + Display --indent 2 --text "- Checking host based firewall" --result "${STATUS_NOT_ACTIVE}" --color YELLOW LogText "Result: no host based firewall/packet filter found or configured" ReportSuggestion "${TEST_NO}" "Configure a firewall/packet filter to filter incoming and outgoing traffic" AddHP 0 5 diff --git a/include/tests_insecure_services b/include/tests_insecure_services index 230d117e..2ba308b3 100644 
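Review bot: `${STATUS_NOT_ACTIVE}` is introduced in the -548 hunk here, and again in the inetd/xinetd hunks of tests_insecure_services and the DHCP hunk of tests_networking that follow, but the preceding commit to db/languages/en and db/languages/de adds only STATUS_ACTIVE, STATUS_INSTALLED and STATUS_NOT_ENABLED, and the context lines of those files step from STATUS_NONE straight to STATUS_NOT_CONFIGURED, where STATUS_NOT_ACTIVE would sort. Unless it is defined somewhere not shown, those results print as an empty string, and under the script's `set -u` strict mode the first reference aborts the run. Add `STATUS_NOT_ACTIVE="NOT ACTIVE"` to the English language file, with a matching entry in the German one, before relying on it. The enclosing test blocks start outside the hunks.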
--- a/include/tests_insecure_services +++ b/include/tests_insecure_services @@ -63,11 +63,11 @@ LogText "Test: Searching for active inet daemon" if IsRunning "inetd"; then LogText "Result: inetd is running" - Display --indent 4 --text "- inetd status" --result "ACTIVE" --color GREEN + Display --indent 4 --text "- inetd status" --result "${STATUS_ACTIVE}" --color GREEN INETD_ACTIVE=1 else LogText "Result: inetd is NOT running" - Display --indent 4 --text "- inetd status" --result "NOT ACTIVE" --color GREEN + Display --indent 4 --text "- inetd status" --result "${STATUS_NOT_ACTIVE}" --color GREEN fi fi # @@ -158,11 +158,11 @@ LogText "Test: Searching for active extended internet services daemon (xinetd)" if IsRunning "xinetd"; then LogText "Result: xinetd is running" - Display --indent 4 --text "- xinetd status" --result "ACTIVE" --color GREEN + Display --indent 4 --text "- xinetd status" --result "${STATUS_ACTIVE}" --color GREEN XINETD_ACTIVE=1 else LogText "Result: xinetd is NOT running" - Display --indent 4 --text "- xinetd status" --result "NOT ACTIVE" --color GREEN + Display --indent 4 --text "- xinetd status" --result "${STATUS_NOT_ACTIVE}" --color GREEN fi fi # diff --git a/include/tests_networking b/include/tests_networking index 9e63088b..9bf5a082 100644 --- a/include/tests_networking +++ b/include/tests_networking @@ -683,7 +683,7 @@ Display --indent 2 --text "- Checking status DHCP client" --result "${STATUS_RUNNING}" --color WHITE DHCP_CLIENT_RUNNING=1 else - Display --indent 2 --text "- Checking status DHCP client" --result "NOT ACTIVE" --color WHITE + Display --indent 2 --text "- Checking status DHCP client" --result "${STATUS_NOT_ACTIVE}" --color WHITE fi fi # diff --git a/include/tests_ports_packages b/include/tests_ports_packages index c2978be6..2e827813 100644 --- a/include/tests_ports_packages +++ b/include/tests_ports_packages 
@@ -1232,7 +1232,7 @@ ReportSuggestion "${TEST_NO}" "Install a package audit tool to determine vulnerable packages" LogText "Result: no package audit tool found" else - Display --indent 2 --text "- Checking package audit tool" --result INSTALLED --color GREEN + Display --indent 2 --text "- Checking package audit tool" --result "${STATUS_INSTALLED}" --color GREEN Display --indent 4 --text "Found: ${PACKAGE_AUDIT_TOOL}" LogText "Result: found package audit tool: ${PACKAGE_AUDIT_TOOL}" fi From 7c475ddab0852da4e0164018e1b0339ad4deaf0a Mon Sep 17 00:00:00 2001 From: Simon Biewald Date: Sat, 14 Nov 2020 21:24:49 +0000 Subject: [PATCH 344/355] Fix typos Signed-off-by: Simon Biewald --- db/languages/de | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/db/languages/de b/db/languages/de index cd71d5f0..5d3f5be1 100644 --- a/db/languages/de +++ b/db/languages/de @@ -34,7 +34,7 @@ SECTION_HARDENING="Härtung" SECTION_HOME_DIRECTORIES="Heimatverzeichnisse" SECTION_IMAGE="Image" SECTION_INITIALIZING_PROGRAM="Initialisiere Programm" -SECTION_INSECURE_SERVICES="Unsicheres Dienste" +SECTION_INSECURE_SERVICES="Unsichere Dienste" SECTION_KERNEL="Kernel" SECTION_KERNEL_HARDENING="Kernelhärtung" SECTION_LDAP_SERVICES="LDAP Dienste" @@ -47,7 +47,7 @@ SECTION_PERMISSIONS="Berechtigungen" SECTION_PORTS_AND_PACKAGES="Ports und Pakete" SECTION_PRINTERS_AND_SPOOLS="Drucker und Warteschlange" SECTION_PROGRAM_DETAILS="Programmdetails" -SECTION_SCGEDULED_TASKS="Geplante Aufgaben" +SECTION_SCHEDULED_TASKS="Geplante Aufgaben" SECTION_SECURITY_FRAMEWORKS="Sicherheitsframeworks" SECTION_SHELLS="Shells" SECTION_SNMP_SUPPORT="SNMP Unterstützung" From 73f39baca8a0a82b2a5a6adcd61b4234470ee242 Mon Sep 17 00:00:00 2001 
From: Simon Biewald Date: Sat, 14 Nov 2020 22:54:43 +0000 Subject: [PATCH 345/355] Use first e1000 interface and break after match Fixes CISOfy/lynis#1075. Before this commit, the interfaces "e1000g1" and "net0" were allowed. The name "e1000g0" is appended to the list. After finding an interface, the loop is interrupted now. As previously "net0" was always used, even if another interface was available, the list is reordered to "net0 e1000g1 e1000g0" to not break previous generations. A typo is also fixed ("No interface found op Solaris ..." -> "No interface found on"). Signed-off-by: Simon Biewald --- include/functions | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/include/functions b/include/functions index b72e7156..c88674ba 100644 --- a/include/functions +++ b/include/functions @@ -1089,12 +1089,13 @@ ;; "Solaris") - INTERFACES_TO_TEST="e1000g1 net0" + INTERFACES_TO_TEST="net0 e1000g1 e1000g0" FOUND=0 for I in ${INTERFACES_TO_TEST}; do FIND=$(${IFCONFIGBINARY} -a | grep "^${I}") if [ ! "${FIND}" = "" ]; then FOUND=1; LogText "Found interface ${I} on Solaris" + break fi done if [ ${FOUND} -eq 1 ]; then @@ -1107,7 +1108,7 @@ ReportException "GetHostID" "Can not find sha1/sha1sum or openssl" fi else - ReportException "GetHostID" "No interface found op Solaris to create HostID" + ReportException "GetHostID" "No interface found on Solaris to create HostID" fi ;; From f695488ca83d319b252136429208440d86c7de98 Mon Sep 17 00:00:00 2001 From: Simon Biewald Date: Sat, 21 Nov 2020 01:17:49 +0100 Subject: [PATCH 346/355] Quote binary variables during SUID/GID enumeration Fixes cisofy/lynis#1078. Signed-off-by: Simon Biewald --- include/binaries | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/binaries b/include/binaries index a07d34ad..4ab0afb3 100644 --- a/include/binaries +++ b/include/binaries 
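Review bot: `grep "^${I}"` anchors only the start of the line, so the pattern `net0` also matches an interface whose name merely begins with `net0`, and with the new `break` the first such accidental match now wins permanently. If ifconfig prints the name followed by a colon on this platform, `FIND=$(${IFCONFIGBINARY} -a | grep "^${I}:")` makes the match exact; alternatively `grep -q` inside the `if` avoids capturing output only to test it for emptiness. The reordered list and the early exit are consistent with the compatibility reasoning in the description. The enclosing case statement and function start outside the hunk.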
@@ -119,11 +119,11 @@ COUNT=$((COUNT + 1)) BINARY="${SCANDIR}/${FILENAME}" DISCOVERED_BINARIES="${DISCOVERED_BINARIES}${BINARY} " - if [ -u ${BINARY} ]; then + if [ -u "${BINARY}" ]; then NSUID_BINARIES=$((NSUID_BINARIES + 1)) SUID_BINARIES="${SUID_BINARIES}${BINARY} " fi - if [ -g ${BINARY} ]; then + if [ -g "${BINARY}" ]; then NSGID_BINARIES=$((NSGID_BINARIES + 1)) SGID_BINARIES="${SGID_BINARIES}${BINARY} " fi From d5d43c5d1cb566f556c44484147e858e06b9220f Mon Sep 17 00:00:00 2001 From: ElviaSchoultz <73860605+ElviaSchoultz@users.noreply.github.com> Date: Tue, 24 Nov 2020 08:45:58 +1100 Subject: [PATCH 347/355] Add EndeavourOS to osdetection. Fixes problem #1077 --- include/osdetection | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/include/osdetection b/include/osdetection index 4b5c68e1..36dc47a3 100644 --- a/include/osdetection +++ b/include/osdetection @@ -190,6 +190,12 @@ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') ;; + "endeavouros") + LINUX_VERSION="EndeavourOS" + OS_NAME="EndeavourOS" + OS_VERSION="Rolling release" + OS_VERSION_FULL="Rolling release" + ;; "fedora") LINUX_VERSION="Fedora" OS_NAME="Fedora Linux" From 1d908e19ac1cd3b610ce07d032f5dd074114b58d Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 15 Dec 2020 14:15:26 +0100 Subject: [PATCH 348/355] Mark test as multi-OS by removing all values --- db/tests.db | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/db/tests.db b/db/tests.db index abcef63c..1e13efd9 100644 --- a/db/tests.db +++ b/db/tests.db 
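Review bot: Quoting `"${BINARY}"` in the `-u`/`-g` tests is correct, but the same value is still appended to SUID_BINARIES, SGID_BINARIES and DISCOVERED_BINARIES as a space-separated string (`"${SUID_BINARIES}${BINARY} "`), so a path containing whitespace will still be split wherever those lists are later iterated with an unquoted expansion; the fix covers only the first place the name is used. Switching the separator to a newline, or skipping such names with a logged exception, would let the lists round-trip safely, but that depends on how the consumers of these variables, which sit outside this hunk, split them. The enclosing loop starts and ends outside the hunk.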
@@ -73,7 +73,7 @@ BOOT-5165:test:security:boot_services:FreeBSD:Check for FreeBSD boot services: BOOT-5170:test:security:boot_services:Solaris:Check for Solaris boot daemons: BOOT-5177:test:security:boot_services:Linux:Check for Linux boot and running services: BOOT-5180:test:security:boot_services:Linux:Check for Linux boot services (Debian style): -BOOT-5184:test:security:boot_services:Linux Solaris:Check permissions for boot files/scripts: +BOOT-5184:test:security:boot_services::Check permissions for boot files/scripts: BOOT-5202:test:security:boot_services::Check uptime of system: BOOT-5260:test:security:boot_services::Check single user mode for systemd: BOOT-5261:test:security:boot_services:DragonFly:Check for DragonFly boot loader presence: From 4cf966018506fb3359dd4f5c0524623ccf86b9bf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane?= Date: Wed, 16 Dec 2020 01:07:27 +0100 Subject: [PATCH 349/355] Adding and improvement translated strings --- include/tests_kernel | 16 ++++++++-------- include/tests_kernel_hardening | 2 +- include/tests_logging | 4 ++-- include/tests_networking | 2 +- include/tests_storage | 2 +- include/tests_usb | 2 +- 6 files changed, 14 insertions(+), 14 deletions(-) diff --git a/include/tests_kernel b/include/tests_kernel index 3d3ac339..119b276e 100644 --- a/include/tests_kernel +++ b/include/tests_kernel @@ -491,7 +491,7 @@ AddHP 0 1 else LogText "Result: core dumps are not disabled in systemd configuration. Didn't find settings 'ProcessSizeMax=0' and 'Storage=none'" - Display --indent 4 --text "- configuration in systemd conf files" --result "DEFAULT" --color WHITE + Display --indent 4 --text "- configuration in systemd conf files" --result "${STATUS_DEFAULT}" --color WHITE AddHP 0 1 fi fi 
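Review bot: `${STATUS_DEFAULT}` is used in the -491 hunk here and in the -508 and -538 hunks on the following lines, yet this commit touches only include/ files, and the db/languages/en context shown earlier on this page runs from STATUS_ACTIVE directly to STATUS_DISABLED with no STATUS_DEFAULT between them; unless it is defined elsewhere, the result column will be blank and `set -u` strict mode will abort. The -538 hunk is also inconsistent with itself: it now emits `${STATUS_DEFAULT}` but still prints the literals `DISABLED` and `ENABLED` although STATUS_DISABLED and STATUS_ENABLED exist in the language files, and it expands the new variable unquoted (`${ECHOCMD} ${STATUS_DEFAULT}`), where `${ECHOCMD} "${STATUS_DEFAULT}"` is the safer form. Adding `STATUS_DEFAULT="DEFAULT"` to the English language file, with a German counterpart, should accompany this change. The enclosing test blocks start outside the hunks.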
@@ -508,7 +508,7 @@
 AddHP 1 1
 elif [ -z "${ULIMIT_C_VALUE_SUB}" ] && [ -z "${ULIMIT_C_VALUE}" ]; then
 LogText "Result: core dumps are not disabled in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh config files. Didn't find setting 'ulimit -c 0'"
- Display --indent 4 --text "- configuration in etc/profile" --result "DEFAULT" --color WHITE
+ Display --indent 4 --text "- configuration in etc/profile" --result "${STATUS_DEFAULT}" --color WHITE
 AddHP 0 1
 elif ( [ -n "${ULIMIT_C_VALUE_SUB}" ] && ( [ "${ULIMIT_C_VALUE_SUB}" = "unlimited" ] || [ "${ULIMIT_C_VALUE_SUB}" != "0" ] ) ) || ( [ -n "${ULIMIT_C_VALUE}" ] && [ -z "${ULIMIT_C_VALUE_SUB}" ] && ( [ "${ULIMIT_C_VALUE}" = "unlimited" ] || [ "${ULIMIT_C_VALUE}" != "0" ] ) ); then
 LogText "Result: core dumps are enabled in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh config files. A value higher than 0 is configured for 'ulimit -c'"
@@ -516,7 +516,7 @@
 AddHP 0 1
 else
 LogText "Result: ERROR - something went wrong. Unexpected result during check of ${ROOTDIR}etc/profile and ${ROOTDIR}etc/profile.d/*.sh config files. Please report on Github!"
- Display --indent 4 --text "- configuration in etc/profile" --result "ERROR" --color YELLOW
+ Display --indent 4 --text "- configuration in etc/profile" --result "${STATUS_ERROR}" --color YELLOW
 fi
 fi
 # Limits option
@@ -538,8 +538,8 @@
 FIND2="hard core enabled"
 fi
- IS_SOFTCORE_DISABLED="$(if [ "${FIND1}" = "soft core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND1}" = "soft core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} DEFAULT; fi)"
- IS_HARDCORE_DISABLED="$(if [ "${FIND2}" = "hard core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND2}" = "hard core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} DEFAULT; fi)"
+ IS_SOFTCORE_DISABLED="$(if [ "${FIND1}" = "soft core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND1}" = "soft core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} ${STATUS_DEFAULT}; fi)"
+ IS_HARDCORE_DISABLED="$(if [ "${FIND2}" = "hard core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND2}" = "hard core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} ${STATUS_DEFAULT}; fi)"
 if [ "${FIND2}" = "hard core disabled" ]; then
 LogText "Result: core dumps are hard disabled"
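Review bot: The new `else ${ECHOCMD} ${STATUS_DEFAULT}; fi` in both `IS_SOFTCORE_DISABLED` and `IS_HARDCORE_DISABLED` leaves the expansion unquoted, and the French value for this key is `PAR DÉFAUT` (two words), so it reaches `${ECHOCMD}` as two arguments subject to word splitting and globbing; quote it as `else ${ECHOCMD} "${STATUS_DEFAULT}"; fi)"`. On the same two lines the `DISABLED` and `ENABLED` branches stay English literals while only the default branch is translated, which reads as half-done. If these two variables are compared against the literal `DEFAULT` further down (not visible in the hunk), a non-English language file now changes program logic rather than only what is displayed.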
@@ -587,18 +587,18 @@
 fi
 if [ "${FIND}" = "2" ]; then
 LogText "Result: programs can dump core dump, but only readable by root (value 2, for debugging with file protection)"
- Display --indent 4 --text "- Checking setuid core dumps configuration" --result PROTECTED --color WHITE
+ Display --indent 4 --text "- Checking setuid core dumps configuration" --result "${STATUS_PROTECTED}" --color WHITE
 AddHP 1 1
 elif [ "${FIND}" = "1" ]; then
 LogText "Result: all programs can perform core dumps (value 1, for debugging)"
- Display --indent 2 --text "- Checking setuid core dumps configuration" --result DEBUG --color YELLOW
+ Display --indent 2 --text "- Checking setuid core dumps configuration" --result "${STATUS_DEBUG}" --color YELLOW
 ReportSuggestion "${TEST_NO}" "Determine if all binaries need to be able to core dump"
 AddHP 0 1
 else
 # 0 - (default) - traditional behaviour. Any process which has changed privilege levels or is execute only will not be dumped
 # https://www.kernel.org/doc/Documentation/sysctl/fs.txt
 LogText "Result: found default option (0), no execute only program or program with changed privilege levels can dump"
- Display --indent 4 --text "- Checking setuid core dumps configuration" --result DISABLED --color GREEN
+ Display --indent 4 --text "- Checking setuid core dumps configuration" --result "${STATUS_DISABLED}" --color GREEN
 AddHP 1 1
 fi
 fi
diff --git a/include/tests_kernel_hardening b/include/tests_kernel_hardening
index e117a704..c0887078 100644
--- a/include/tests_kernel_hardening
+++ b/include/tests_kernel_hardening
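Review bot: The `STATUS_DEBUG` line uses `--indent 2` while its sibling `STATUS_PROTECTED` and `STATUS_DISABLED` lines in the same if/elif/else use `--indent 4`, so the three outcomes of one check print at different indentation. Since the commit rewrites that line anyway, align it here: `Display --indent 4 --text "- Checking setuid core dumps configuration" --result "${STATUS_DEBUG}" --color YELLOW`.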
@@ -89,7 +89,7 @@
 AddHP ${tFINDhp} ${tFINDhp}
 else
 LogText "Result: sysctl key ${tFINDkey} has a different value than expected in scan profile. Expected=${tFINDexpvalue}, Real=${tFINDcurvalue}"
- Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result DIFFERENT --color RED
+ Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result "${STATUS_DIFFERENT}" --color RED
 AddHP 0 ${tFINDhp}
 FOUND=1
 N=$((N + 1))
diff --git a/include/tests_logging b/include/tests_logging
index b6110263..bb3fa310 100644
--- a/include/tests_logging
+++ b/include/tests_logging
@@ -423,7 +423,7 @@
 LogText "Result: no remote logging found"
 ReportSuggestion "${TEST_NO}" "Enable logging to an external logging host for archiving purposes and additional protection"
 AddHP 1 3
- Display --indent 2 --text "- Checking remote logging" --result "NOT ENABLED" --color YELLOW
+ Display --indent 2 --text "- Checking remote logging" --result "${STATUS_NOT_ENABLED}" --color YELLOW
 else
 Report "remote_syslog_configured=1"
 AddHP 5 5
@@ -550,7 +550,7 @@
 LogText "Found deleted file: ${I}"
 Report "deleted_file[]=${I}"
 done
- Display --indent 2 --text "- Checking deleted files in use" --result "FILES FOUND" --color YELLOW
+ Display --indent 2 --text "- Checking deleted files in use" --result "${STATUS_FILES_FOUND}" --color YELLOW
 ReportSuggestion "${TEST_NO}" "Check what deleted files are still in use and why."
 else
 LogText "Result: no deleted files found"
diff --git a/include/tests_networking b/include/tests_networking
index 867429ec..7a04305f 100644
--- a/include/tests_networking
+++ b/include/tests_networking
@@ -140,7 +140,7 @@
 Display --indent 2 --text "- Checking IPv6 configuration" --result "${STATUS_ENABLED}" --color WHITE
 STATUS=$(echo ${IPV6_MODE} | ${TRBINARY} '[:lower:]' '[:upper:]')
 Display --indent 6 --text "Configuration method" --result "${STATUS}" --color WHITE
- if [ ${IPV6_ONLY} -eq 1 ]; then STATUS="YES"; else STATUS="NO"; fi
+ if [ ${IPV6_ONLY} -eq 1 ]; then STATUS="${STATUS_YES}"; else STATUS="${STATUS_NO}"; fi
 LogText "Result: IPv6 only configuration: ${STATUS}"
 Display --indent 6 --text "IPv6 only" --result "${STATUS}" --color WHITE
 else
diff --git a/include/tests_storage b/include/tests_storage
index 89431aa0..6ee1a78a 100644
--- a/include/tests_storage
+++ b/include/tests_storage
@@ -59,7 +59,7 @@
 if [ ${FOUND} -eq 0 ]; then
 LogText "Result: firewire ohci driver is not explicitly disabled"
- Display --indent 2 --text "- Checking firewire ohci driver (modprobe config)" --result "NOT DISABLED" --color WHITE
+ Display --indent 2 --text "- Checking firewire ohci driver (modprobe config)" --result "${STATUS_NOT_DISABLED}" --color WHITE
 ReportSuggestion "${TEST_NO}" "Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft"
 # after blacklisting modules, make sure to remove them from the initram filesystem: update-initramfs -u
 AddHP 2 3
diff --git a/include/tests_usb b/include/tests_usb
index 92c81a32..d99d5a66 100644
--- a/include/tests_usb
+++ b/include/tests_usb
@@ -73,7 +73,7 @@
 fi
 if [ ${FOUND} -eq 0 ]; then
 LogText "Result: usb-storage driver is not explicitly disabled"
- Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "NOT DISABLED" --color WHITE
+ Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "${STATUS_NOT_DISABLED}" --color WHITE
 if [ "${USBGUARD_FOUND}" -eq "0" ]; then
 ReportSuggestion "${TEST_NO}" "Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft"
 fi
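Review bot: In the tests_networking hunk, `STATUS` now holds the translated `${STATUS_YES}`/`${STATUS_NO}`, and the very next line writes it into the log with `LogText "Result: IPv6 only configuration: ${STATUS}"`, so the log file content depends on the selected language and anything that scans the log for `YES`/`NO` (not visible here) would break under the French file. Keep the logged value language-neutral and translate only what goes to `Display`, e.g. `if [ ${IPV6_ONLY} -eq 1 ]; then STATUS="YES"; STATUS_TEXT="${STATUS_YES}"; else STATUS="NO"; STATUS_TEXT="${STATUS_NO}"; fi` with `--result "${STATUS_TEXT}"` on the following `Display` line (`STATUS_TEXT` is a constructed name). The `[ ${IPV6_ONLY} -eq 1 ]` test on the same line still expands `IPV6_ONLY` unquoted, which fails with a syntax error rather than a clean branch if the variable is ever empty.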
From ca53e9e15238f91214c764cf2c98001c6a3861a7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane?=
Date: Wed, 16 Dec 2020 01:11:33 +0100
Subject: [PATCH 350/355] Adding and improvement translated strings
---
 lynis | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/lynis b/lynis
index 7ea78b0c..1cd6f9c0 100755
--- a/lynis
+++ b/lynis
@@ -511,7 +511,7 @@ ${NORMAL}
 # SafePerms ${INCLUDEDIR}/osdetection
 . ${INCLUDEDIR}/osdetection
- Display --indent 2 --text "- Detecting OS... " --result DONE --color GREEN
+ Display --indent 2 --text "- Detecting OS... " --result "${STATUS_DONE}" --color GREEN
 # Check hostname
 case ${OS} in
@@ -542,7 +542,7 @@ ${NORMAL}
 CDATE=$(date "+%Y-%m-%d %H:%M:%S")
 if [ ${LOGTEXT} -eq 1 ]; then echo "${CDATE} Starting ${PROGRAM_NAME} ${PROGRAM_VERSION} with PID ${OURPID}, build date ${PROGRAM_RELEASE_DATE}" > ${LOGFILE}; fi
 if [ $? -gt 0 ]; then
- Display --indent 2 --text "- Clearing log file (${LOGFILE})... " --result WARNING --color RED
+ Display --indent 2 --text "- Clearing log file (${LOGFILE})... " --result "${STATUS_WARNING}" --color RED
 echo "${WARNING}Fatal error${NORMAL}: problem while writing to log file. Check location and permissions."
 RemovePIDFile
 exit 1
@@ -728,7 +728,7 @@ ${NORMAL}
 fi
 if [ -z "${PROGRAM_AC}" -o -z "${PROGRAM_LV}" ]; then
- Display --indent 2 --text "- Program update status... " --result UNKNOWN --color YELLOW
+ Display --indent 2 --text "- Program update status... " --result "${STATUS_UNKNOWN}" --color YELLOW
 LogText "Result: Update check failed. No network connection?"
 LogText "Info: to perform an automatic update check, outbound DNS connections should be allowed (TXT record)."
 # Set both to safe values
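Review bot: The `${STATUS_DONE}` on the `- Detecting OS...` line (lynis line 511) and the `${STATUS_WARNING}`/`${STATUS_UNKNOWN}` in the two hunks below it are only populated once the language file has been sourced; if that happens after this point in the main script, or a language file lacks the key (neither is visible in the hunks), `Display` is handed an empty `--result` and the status column goes blank. A defensive fallback keeps the output readable in both cases, e.g. `--result "${STATUS_DONE:-DONE}"`. The same applies to every `STATUS_*` substitution in the later lynis hunks of this commit (the hunks at lines 741, 755, 863, 957, 1018, 1043 and 1079).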
@@ -741,13 +741,13 @@ ${NORMAL}
 PROGRAM_MINVERSION=$((PROGRAM_LV - 10))
 LogText "Minimum required version : ${PROGRAM_MINVERSION}"
 if [ ${PROGRAM_MINVERSION} -gt ${PROGRAM_AC} ]; then
- Display --indent 2 --text "- Program update status... " --result "WARNING" --color RED
+ Display --indent 2 --text "- Program update status... " --result "${STATUS_WARNING}" --color RED
 LogText "Result: This version is VERY outdated. Newer ${PROGRAM_NAME} release available!"
 ReportWarning "LYNIS" "Version of Lynis is very old and should be updated"
 Report "lynis_update_available=1"
 UPDATE_AVAILABLE=1
 else
- Display --indent 2 --text "- Program update status... " --result "UPDATE AVAILABLE" --color YELLOW
+ Display --indent 2 --text "- Program update status... " --result "${STATUS_UPDATE_AVAILABLE}" --color YELLOW
 LogText "Result: newer ${PROGRAM_NAME} release available!"
 ReportSuggestion "LYNIS" "Version of Lynis outdated, consider upgrading to the latest version"
 Report "lynis_update_available=1"
@@ -755,11 +755,11 @@ ${NORMAL}
 fi
 else
 if [ ${UPDATE_CHECK_SKIPPED} -eq 0 ]; then
- Display --indent 2 --text "- Program update status... " --result "NO UPDATE" --color GREEN
+ Display --indent 2 --text "- Program update status... " --result "${STATUS_NO_UPDATE}" --color GREEN
 LogText "No ${PROGRAM_NAME} update available."
 Report "lynis_update_available=0"
 else
- Display --indent 2 --text "- Program update status... " --result "SKIPPED" --color YELLOW
+ Display --indent 2 --text "- Program update status... " --result "${STATUS_SKIPPED}" --color YELLOW
 LogText "Update check skipped due to constraints (e.g. missing dig binary)"
 Report "lynis_update_available=-1"
 fi
@@ -863,11 +863,11 @@ ${NORMAL}
 #
 if IsVerbose; then
 InsertSection "${SECTION_PROGRAM_DETAILS}"
- Display --indent 2 --text "- ${GEN_VERBOSE_MODE}" --result "YES" --color GREEN
+ Display --indent 2 --text "- ${GEN_VERBOSE_MODE}" --result "${STATUS_YES}" --color GREEN
 if IsDebug; then
- Display --indent 2 --text "- ${GEN_DEBUG_MODE}" --result "YES" --color GREEN
+ Display --indent 2 --text "- ${GEN_DEBUG_MODE}" --result "${STATUS_YES}" --color GREEN
 else
- Display --indent 2 --text "- ${GEN_DEBUG_MODE}" --result "NO" --color RED
+ Display --indent 2 --text "- ${GEN_DEBUG_MODE}" --result "${STATUS_NO}" --color RED
 fi
 fi
 #
@@ -957,7 +957,7 @@ ${NORMAL}
 RunPlugins 1
 if [ ${N_PLUGIN_ENABLED} -eq 0 ]; then
- Display --indent 2 --text "- ${GEN_PLUGINS_ENABLED}" --result "NONE" --color WHITE
+ Display --indent 2 --text "- ${GEN_PLUGINS_ENABLED}" --result "${STATUS_NONE}" --color WHITE
 Report "plugins_enabled=0"
 else
 Report "plugins_enabled=1"
@@ -1018,7 +1018,7 @@ ${NORMAL}
 ReportWarning "NONE" "Invalid permissions on tests file tests_${INCLUDE_TEST}"
 # Insert a section and warn user also on screen
 InsertSection "${SECTION_GENERAL}"
- Display --indent 2 --text "- Running test category ${INCLUDE_TEST}... " --result "SKIPPED" --color RED
+ Display --indent 2 --text "- Running test category ${INCLUDE_TEST}... " --result "${STATUS_SKIPPED}" --color RED
 fi
 else
 echo "Error: Can't find file (category: ${INCLUDE_TEST})"
@@ -1043,10 +1043,10 @@ ${NORMAL}
 else
 LogText "Exception: skipping custom tests, file has bad permissions (should be 640, 600 or 400)"
 ReportWarning "NONE" "Invalid permissions on custom tests file"
- Display --indent 2 --text "- Running custom tests... " --result "WARNING" --color RED
+ Display --indent 2 --text "- Running custom tests... " --result "${STATUS_WARNING}" --color RED
 fi
 else
- Display --indent 2 --text "- Running custom tests... " --result "NONE" --color WHITE
+ Display --indent 2 --text "- Running custom tests... " --result "${STATUS_NONE}" --color WHITE
 fi
 fi
 #
@@ -1079,7 +1079,7 @@ ${NORMAL}
 if [ ${SKIP_PLUGINS} -eq 0 ]; then
 RunPlugins 2
 if [ ${N_PLUGIN_ENABLED} -gt 1 ]; then
- Display --indent 2 --text "- Plugins (phase 2)" --result "DONE" --color GREEN
+ Display --indent 2 --text "- Plugins (phase 2)" --result "${STATUS_DONE}" --color GREEN
 fi
 fi
 #
From 8a320624599c9200f45649edca60d00b381c6ec7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane?=
Date: Wed, 16 Dec 2020 01:13:01 +0100
Subject: [PATCH 351/355] Adding and improvement translated strings
---
 db/languages/en | 8 ++++++++
 db/languages/fr | 19 +++++++++++++++----
 2 files changed, 23 insertions(+), 4 deletions(-)
diff --git a/db/languages/en b/db/languages/en
index b5cbef6a..409b92d5 100644
--- a/db/languages/en
+++ b/db/languages/en
@@ -64,26 +64,34 @@ SECTION_USERS_GROUPS_AND_AUTHENTICATION="Users, Groups and Authentication"
 SECTION_VIRTUALIZATION="Virtualization"
 SECTION_WEBSERVER="Software: webserver"
 STATUS_ACTIVE="ACTIVE"
+STATUS_DEBUG="DEBUG"
+STATUS_DEFAULT="DEFAULT"
+STATUS_DIFFERENT="DIFFERENT"
 STATUS_DISABLED="DISABLED"
 STATUS_DONE="DONE"
 STATUS_ENABLED="ENABLED"
 STATUS_ERROR="ERROR"
 STATUS_FAILED="FAILED"
+STATUS_FILES_FOUND="FILES FOUND"
 STATUS_FOUND="FOUND"
 STATUS_INSTALLED="INSTALLED"
 STATUS_NO="NO"
+STATUS_NO_UPDATE="NO UPDATE"
 STATUS_NONE="NONE"
 STATUS_NOT_CONFIGURED="NOT CONFIGURED"
+STATUS_NOT_DISABLED="NOT DISABLED"
 STATUS_NOT_ENABLED="NOT ENABLED"
 STATUS_NOT_FOUND="NOT FOUND"
 STATUS_NOT_RUNNING="NOT RUNNING"
 STATUS_OFF="OFF"
 STATUS_OK="OK"
 STATUS_ON="ON"
+STATUS_PROTECTED="PROTECTED"
 STATUS_RUNNING="RUNNING"
 STATUS_SKIPPED="SKIPPED"
 STATUS_SUGGESTION="SUGGESTION"
 STATUS_UNKNOWN="UNKNOWN"
+STATUS_UPDATE_AVAILABLE="UPDATE AVAILABLE"
 STATUS_WARNING="WARNING"
 STATUS_WEAK="WEAK"
 STATUS_YES="YES"
diff --git a/db/languages/fr b/db/languages/fr
index 0a867eee..8b99e548 100644
--- a/db/languages/fr
+++ b/db/languages/fr
@@ -28,10 +28,10 @@ SECTION_EMAIL_AND_MESSAGING="Logiciel : Email et messagerie"
 SECTION_FILE_INTEGRITY="Logiciel : Intégrité de fichier"
 SECTION_FILE_PERMISSIONS="Permissions de fichier"
 SECTION_FILE_SYSTEMS="Systèmes de fichier"
-SECTION_FIREWALLS="Logiciel : Pare-feux"
+SECTION_FIREWALLS="Logiciel : Pare-feu"
 SECTION_GENERAL="Général"
 SECTION_HARDENING="Hardening"
-SECTION_HOME_DIRECTORIES="Home directories"
+SECTION_HOME_DIRECTORIES="Dossiers personnels"
 SECTION_IMAGE="Image"
 SECTION_INITIALIZING_PROGRAM="Initialisation du programme"
 SECTION_INSECURE_SERVICES="Services non sécurisés"
@@ -39,7 +39,7 @@ SECTION_KERNEL="Noyau"
 SECTION_KERNEL_HARDENING="Kernel Hardening"
 SECTION_LDAP_SERVICES="Services LDAP"
 SECTION_LOGGING_AND_FILES="Journalisation et fichiers"
-SECTION_MALWARE="Logiciel : Malware"
+SECTION_MALWARE="Logiciel : Malveillant"
 SECTION_MEMORY_AND_PROCESSES="Mémoire et processus"
 SECTION_NAME_SERVICES="Services de noms"
 SECTION_NETWORKING="Mise en réseau"
@@ -48,7 +48,7 @@ SECTION_PORTS_AND_PACKAGES="Ports et packages"
 SECTION_PRINTERS_AND_SPOOLS="Imprimantes et serveurs d'impression"
 SECTION_PROGRAM_DETAILS="Détails du programme"
 SECTION_SCHEDULED_TASKS="Tâches planifiées"
-SECTION_SECURITY_FRAMEWORKS="Security frameworks"
+SECTION_SECURITY_FRAMEWORKS="Frameworks de sécurité"
 SECTION_SHELLS="Shells"
 SECTION_SNMP_SUPPORT="Prise en charge SNMP"
 SECTION_SOFTWARE="Logiciel"
@@ -63,24 +63,35 @@ SECTION_USB_DEVICES="Périphériques USB"
 SECTION_USERS_GROUPS_AND_AUTHENTICATION="Utilisateurs, groupes et authentification"
 SECTION_VIRTUALIZATION="Virtualisation"
 SECTION_WEBSERVER="Logiciel : Serveur web"
+STATUS_ACTIVE="ACTIF"
+STATUS_DEBUG="DÉBUG"
+STATUS_DEFAULT="PAR DÉFAUT"
+STATUS_DIFFERENT="DIFFÉRENT"
 STATUS_DISABLED="DÉSACTIVÉ"
 STATUS_DONE="FAIT"
 STATUS_ENABLED="ACTIVÉ"
 STATUS_ERROR="ERREUR"
 STATUS_FAILED="ÉCHOUÉ"
+STATUS_FILES_FOUND="FICHIERS TROUVÉS"
 STATUS_FOUND="TROUVÉ"
+STATUS_INSTALLED="INSTALLÉ"
 STATUS_NO="NON"
+STATUS_NO_UPDATE="PAS DE MISE A JOUR"
 STATUS_NONE="AUCUN"
 STATUS_NOT_CONFIGURED="NON CONFIGURÉ"
+STATUS_NOT_DISABLED="NON DESACTIVÉ"
+STATUS_NOT_ENABLED="NON ACTIVÉ"
 STATUS_NOT_FOUND="NON TROUVÉ"
 STATUS_NOT_RUNNING="NON LANCÉ"
 STATUS_OFF="OFF"
 STATUS_OK="OK"
 STATUS_ON="ON"
+STATUS_PROTECTED="PROTÉGÉ"
 STATUS_RUNNING="EN COURS"
 STATUS_SKIPPED="IGNORÉ"
 STATUS_SUGGESTION="SUGGESTION"
 STATUS_UNKNOWN="INCONNU"
+STATUS_UPDATE_AVAILABLE="MISE A JOUR DISPONIBLE"
 STATUS_WARNING="AVERTISSEMENT"
 STATUS_WEAK="FAIBLE"
 STATUS_YES="OUI"
From 8fb98cb25c80ad4655887af7aefc99db7c508f87 Mon Sep 17 00:00:00 2001
From: Michael Boelen
Date: Thu, 17 Dec 2020 14:51:52 +0100
Subject: [PATCH 352/355] Only retrieve exit code Redirect output of the count and every error to /dev/null, so we only get the exit code
---
 include/tests_databases | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/tests_databases b/include/tests_databases
index fc44d690..9c8e1de0 100644
--- a/include/tests_databases
+++ b/include/tests_databases
@@ -86,7 +86,7 @@
 # "-u root --password=" avoids ~/.my.cnf authentication settings
 # "plugin = 'mysql_native_password' AND authentication_string = ''" avoids false positives when secure plugins are used
- FIND=$(${MYSQLCLIENTBINARY} --no-defaults -u root --password= --silent --batch --execute="SELECT count(*) FROM mysql.user WHERE user = 'root' AND plugin = 'mysql_native_password' AND authentication_string = ''" mysql 2>/dev/null; echo $?)
+ FIND=$(${MYSQLCLIENTBINARY} --no-defaults -u root --password= --silent --batch --execute="SELECT count(*) FROM mysql.user WHERE user = 'root' AND plugin = 'mysql_native_password' AND authentication_string = ''" mysql > /dev/null 2>&1; echo $?)
 if [ "${FIND}" = "0" ]; then
 LogText "Result: Login succeeded, no MySQL root password set!"
 ReportWarning "${TEST_NO}" "No MySQL root password set"
From a26ebd3004fc13cff5d15c5de86e09cb0baf2e13 Mon Sep 17 00:00:00 2001
From: Michael Boelen
Date: Thu, 17 Dec 2020 20:17:52 +0100
Subject: [PATCH 353/355] Fix: missing curly bracket
---
 include/tests_logging | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/tests_logging b/include/tests_logging
index 4a15591d..acbbcf5b 100644
--- a/include/tests_logging
+++ b/include/tests_logging
@@ -317,7 +317,7 @@
 LogText "Result: Checking for loghost via name resolving"
 FIND=$(getent hosts loghost | ${GREPBINARY} loghost)
 if [ -n "${FIND}" ]; then
- SOLARIS_LOGHOST="${FIND"
+ SOLARIS_LOGHOST="${FIND}"
 SOLARIS_LOGHOST_FOUND=1
 LogText "Result: name resolving was successful"
 LogText "Output: ${FIND}"
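Review bot: With stdout and stderr both sent to `/dev/null`, the tests_databases check reduces the MySQL client to its exit status, and a non-zero status caused by the query itself failing (for example a server without the `plugin` column the `--execute` string selects) is indistinguishable from a rejected empty-password login, so a passwordless root account could be reported as protected with nothing in the log to explain why. Keeping stderr for the log preserves the intent of the commit while leaving a trace: `FIND=$(${MYSQLCLIENTBINARY} ... mysql 2>&1 >/dev/null); RC=$?` followed by `LogText "Output: ${FIND}"` and testing `"${RC}"` in place of `"${FIND}"` (`RC` is a constructed name). The same line still expands `${MYSQLCLIENTBINARY}` unquoted, which only works while that path never contains whitespace.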
From 44201f02abac47cdfb7aaf118f00c742fea03583 Mon Sep 17 00:00:00 2001
From: Michael Boelen
Date: Fri, 18 Dec 2020 14:04:58 +0100
Subject: [PATCH 354/355] Added elementary OS
---
 include/osdetection | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/include/osdetection b/include/osdetection
index 36dc47a3..1596ed10 100644
--- a/include/osdetection
+++ b/include/osdetection
@@ -190,6 +190,12 @@
 OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
 OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
 ;;
+ "elementary")
+ LINUX_VERSION="elementary OS"
+ OS_NAME="elementary OS"
+ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ ;;
 "endeavouros")
 LINUX_VERSION="EndeavourOS"
 OS_NAME="EndeavourOS"
From 67abd13bbd796cd20cb9366ddb55fa8adab556c2 Mon Sep 17 00:00:00 2001
From: Michael Boelen
Date: Fri, 18 Dec 2020 14:08:04 +0100
Subject: [PATCH 355/355] Updated log
---
 CHANGELOG.md | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index bbf8e892..e4797720 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
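Review bot: The `OS_VERSION` and `OS_VERSION_FULL` lines in the new `"elementary")` arm are a verbatim copy of the `grep | awk | tr` pipeline in the arm just above, which is the kind of duplication that drifts when one copy is later fixed; a small helper returning the value of a given `/etc/os-release` key would let every such arm become a one-liner (helper name to be chosen by the maintainer). The three tools are also invoked bare here, whereas the tests_logging hunk above goes through `${GREPBINARY}`, so this arm bypasses whatever binary resolution those wrappers provide. When `VERSION_ID` is missing from `/etc/os-release` both variables silently end up empty, as in the neighbouring arms; the enclosing `case` starts before this hunk.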
@@ -8,19 +8,25 @@
 - OS detection of Flatcar, IPFire, Mageia, NixOS, ROSA Linux, SLES (extended), Void Linux, Zorin OS
 - OS detection of OpenIndiana (Hipster and Legacy), Shillix, SmartOS, Tribblix, and others
 - EOL dates for Alpine, macOS, Mageia, OmniosCE, and Solaris 11
+- Support for Solaris svcs (service manager)
+- Enumeration of Solaris services
+- LOGG-2153 - Loghost configuration
 ### Changed
 - ACCT-9626 - Detect sysstat systemd unit
+- BOOT-5184 - extended test with support for Solaris
 - KRNL-5830 - Improved reboot test by ignoring known bad values
 - KRNL-5830 - Ignore rescue kernel such as on CentOS systems
 - KRNL-5830 - Detection of Alpine Linux kernel
 - NETW-2400 - Compatibility change for hostname check
+- NETW-3012 - Support for Solaris
 - PKGS-7410 - Don't show exception if no kernels were found on the disk
 - TIME-3185 - Supports now checking files at multiple locations (systemd)
 - ParseNginx function: Support include on absolute paths
 - ParseNginx function: Ignore empty included wildcards
 - Set 'RHEL' as OS_NAME for Red Hat Enterprise Linux
-- French translation file improved and translations extended
+- HostID: Use first e1000 interface and break after match
+- Translations extended and updated
 - Test if pgrep exists before using it
 - Better support for busybox shell
 - Small code enhancements