Merge pull request #3 from gcsgithub/soedev

Soedev

CHANGELOG.md

@@ -1,11 +1,87 @@
 # Lynis Changelog
 
-## Lynis 3.0.0 (not released yet)
+## Lynis 3.0.2 (not released yet)
+
+### Added
+- AUTH-9284 - Scan for locked user accounts in /etc/passwd
+- TOOL-5130 - Check for active Suricata daemon
+- OS detection of Flatcar, IPFire, Mageia, NixOS, ROSA Linux, SLES (extended), Void Linux, Zorin OS
+- OS detection of OpenIndiana (Hipster and Legacy), Shillix, SmartOS, Tribblix, and others
+- EOL dates for Alpine, macOS, Mageia, OmniosCE, and Solaris 11
+- Support for Solaris svcs (service manager)
+- Enumeration of Solaris services
+- LOGG-2153 - Loghost configuration
+
+### Changed
+- ACCT-9626 - Detect sysstat systemd unit
+- BOOT-5184 - extended test with support for Solaris
+- KRNL-5830 - Improved reboot test by ignoring known bad values
+- KRNL-5830 - Ignore rescue kernel such as on CentOS systems
+- KRNL-5830 - Detection of Alpine Linux kernel
+- NETW-2400 - Compatibility change for hostname check
+- NETW-3012 - Support for Solaris
+- PKGS-7410 - Don't show exception if no kernels were found on the disk
+- TIME-3185 - Supports now checking files at multiple locations (systemd)
+- ParseNginx function: Support include on absolute paths
+- ParseNginx function: Ignore empty included wildcards
+- Set 'RHEL' as OS_NAME for Red Hat Enterprise Linux
+- HostID: Use first e1000 interface and break after match
+- Translations extended and updated
+- Test if pgrep exists before using it
+- Better support for busybox shell
+- Small code enhancements
+
+---------------------------------------------------------------------------------
+
+## Lynis 3.0.1 (2020-10-05)
+
+### Added
+- Detection of Alpine Linux
+- Detection of CloudLinux
+- Detection of Kali Linux
+- Detection of Linux Mint
+- Detection of macOS Big Sur (11.0)
+- Detection of Pop!_OS
+- Detection of PHP 7.4
+- Malware detection tool: Microsoft Defender ATP
+- New flag: --slow-warning to allow tests more time before showing a warning
+- Test TIME-3185 to check systemd-timesyncd synchronized time
+- rsh host file permissions
+
+### Changed
+- AUTH-9229 - Added option for LOCKED accounts and bugfix for older bash versions
+- BOOT-5122 - Presence check for grub.d added
+- CRYP-7902 - Added support for certificates in DER format
+- CRYP-7931 - Added data to report
+- CRYP-7931 - Redirect errors (e.g. when swap is not encrypted)
+- FILE-6430 - Don't grep nonexistent modprobe.d files
+- FIRE-4535 - Set initial firewall state
+- INSE-8312 - Corrected text on screen
+- KRNL-5728 - Handle zipped kernel configuration correctly
+- KRNL-5830 - Improved version detection for non-symlinked kernel
+- MALW-3280 - Extended detection of BitDefender
+- TIME-3104 - Find more time synchronization commands
+- TIME-3182 - Corrected detection of time peers
+- Fix: hostid generation routine would sometimes show too short IDs
+- Fix: language detection
+- Generic improvements for macOS
+- German translation updated
+- End-of-life database updated
+- Several minor code enhancements
+
+---------------------------------------------------------------------------------
+
+## Lynis 3.0.0 (2020-06-18)
 
 This is a major release of Lynis and includes several big changes.
 Some of these changes may break your current usage of the tool, so test before
 deployment!
 
+### Security issues
+This release resolves two security issues
+* CVE-2020-13882 - Discovered by Sander Bos, code submission by Katarina Durechova
+* CVE-2019-13033 - Discovered by Sander Bos
+
 ### Breaking change: Non-interactive by default
 Lynis now runs non-interactive by default, to be more in line with the Unix
 philosophy. So the previously used '--quick' option is now default, and the tool
@@ -46,21 +122,40 @@ Using the relevant options, the scan will change base on the intended goal.
 - New option: --usecwd - run from the current working directory
 - New profile option: disable-plugin - disables a single plugin
 - New profile option: ssl-certificate-paths-to-ignore - ignore a path
+- New test: AUTH-9229 - check used password hashing methods
+- New test: AUTH-9230 - check group password hashing rounds
+- New test: BOOT-5109 - test presence rEFInd boot loader
+- New test: BOOT-5264 - run systemd-analyze security
 - New test: CRYP-7930 - test for LUKS encryption
+- New test: CRYP-7931 - determine if system uses encrypted swap
+- New test: CRYP-8004 - presence of hardware random number generator
+- New test: CRYP-8005 - presence of software random number generator
 - New test: DBS-1828  - PostgreSQL configuration files
+- New test: FILE-6394 - test virtual memory swappiness (Linux)
 - New test: FINT-4316 - presence of AIDE database and size test
+- New test: FINT-4340 - check dm-integrity status (Linux)
+- New test: FINT-4341 - verify status of dm-verity (Linux)
 - New test: INSE-8314 - test for NIS client
 - New test: INSE-8316 - test for NIS server
-- New test: NETW-3200 - determine avilable network protocols
+- New test: NETW-2400 - test hostname for valid characters and length
+- New test: NETW-2706 - check DNSSEC (systemd)
+- New test: NETW-3200 - determine enabled network protocols
+- New test: PHP-2382 - detect listen option in PHP (FPM)
 - New test: PROC-3802 - check presence of prelink tooling
+- New test: TIME-3180 - report if ntpctl cannot communicate with OpenNTPD
+- New test: TIME-3181 - check status of OpenNTPD time synchronisation
+- New test: TIME-3182 - check OpenNTPD has working peers
 - New report key: openssh_daemon_running
 - New command: lynis generate systemd-units
 - Sending USR1 signal to Lynis process will show active status
 - Measure timing of tests and report slow tests (10+ seconds)
 - Initial support for Clear Linux OS
+- Initial support for PureOS
+- Support for X Binary Package (xbps)
 - Added end-of-life data for Arch Linux and Debian
 - Detection and end-of-life data added for Amazon Linux
 - Detection of linux-lts on Arch Linux
+- Translations: Russian added
 
 ### Changed
 - Function: CheckItem() now returns only exit code (ITEM_FOUND is dropped)
@@ -68,13 +163,23 @@ Using the relevant options, the scan will change base on the intended goal.
 - Function: PackageIsInstalled extended with pacman support
 - Profiles: unused options removed
 - Profiles: message is displayed when old format "key:value" is used
+- Binaries: skip pacman when it is the game instead of package manager
 - Security: the 'nounset' (set -u) parameter is now activated by default
+- AUTH-9228 - HP-UX support
+- AUTH-9234 - NetBSD support
+- AUTH-9252 - corrected permission check
 - AUTH-9266 - skip .pam-old files in /etc/pam.d
+- AUTH-9268 - Perform test also on DragonFly, FreeBSD, and NetBSD
 - AUTH-9282 - fix: temporary variable was overwritten
 - AUTH-9408 - added support for pam_tally2 to log failed logins
+- AUTH-9489 - test removed as it is merged with AUTH-9218
 - BANN-7126 - additional words for login banner are accepted
+- BOOT-5122 - check for defined password in all GRUB configuration files
 - CONT-8106 - support newer 'docker info' output
+- CRYP-7902 - optionally check also certificates provided by packages
 - CRYP-8002 - gather kernel entropy on Linux systems
+- FILE-6310 - support for HP-UX
+- FILE-6330 - corrected description
 - FILE-6374 - changed log and allow root location to be changed
 - FILE-6374 - corrected condition to find 'defaults' flag in /etc/fstab
 - FILE-6430 - minor code improvements and show suggestion with more details
@@ -90,9 +195,13 @@ Using the relevant options, the scan will change base on the intended goal.
 - INSE-8318 - test for TFTP client tools
 - INSE-8320 - test for TFTP server tools
 - INSE-8342 - renamed to INSE-8304
+- KRNL-5788 - don't complain about missing /vmlinuz for Raspi
 - KRNL-5820 - extended check to include limits.d directory
 - KRNL-5830 - skip test partially when running non-privileged
+- KRNL-5830 - detect required reboots on Raspbian
 - LOGG-2154 - added support for rsyslog configurations
+- LOGG-2190 - skip mysqld related entries
+- MACF-6234 - SELinux tests extended
 - MAIL-8804 - replaced static strings with translation-aware strings
 - MALW-3280 - Kaspersky detection added
 - MALW-3280 - CrowdStrike falcon-sensor detection added
@@ -100,19 +209,26 @@ Using the relevant options, the scan will change base on the intended goal.
 - NAME-4404 - improved screen and log output
 - NAME-4408 - corrected Report function call
 - NETW-3032 - small rewrite of test and extended with addrwatch
+- PHP-2372 - don't look in the cli configuration files
+- PKGS-7388 - only perform check for Debian/Ubuntu/Mint
 - PKGS-7410 - use multiple package managers when available
 - PKGS-7410 - added support for Zypper to test number of kernels
+- PRNT-2308 - check also for Port and SSLListen statements
 - PROC-3602 - allow different root directory
 - PROC-3612 - show 'Not found' instead of 'OK'
 - PROC-3614 - show 'Not found' instead of 'OK'
+- PROC-3802 - limit to Linux only (prelink package check)
 - SCHD-7702 - removed hardening points
 - SINT-7010 - limit test to only macOS systems
 - SSH-7402 - detect other SSH daemons like dropbear
 - SSH-7406 - strip OpenSSH patch version and remove characters (carriage return)
 - SSH-7408 - changed text in suggestion and report
 - SSH-7408 - added forced-commands-only option
+- SSH-7408 - VerifyReverseMapping removed (deprecated)
+- SSH-7408 - corrected OpenSSH server version check
 - STRG-1840 - renamed to USB-1000
 - STRG-1842 - added default authorized devices and renamed to USB-2000
+- TIME-3104 - use find to discover files in cron directories
 - TOOL-5002 - differentiate between a discovered binary and running process
 - TOOL-5160 - added support for OSSEC agent daemon
 - Perform additional check to ensure pacman package manager is used
@@ -120,11 +236,14 @@ Using the relevant options, the scan will change base on the intended goal.
 - Use only locations from PATH environment variable, unless it is not defined
 - Show tip to use 'lynis generate hostids' when host IDs are missing
 - The 'show changelog' command works again for newer versions
-- Improved screen output in several tests
 - Several code cleanups, simplification of commands, and code standardization
 - Tests using lsof may ignore individual threads (if supported)
+- Corrected end-of-life detection for CentOS 7 and CentOS 8
+- Tests can require detected package manager (--package-manager-required)
 - Do not show tool tips when quiet option is used
+- Improved screen output in several tests
 - Extended output of 'lynis update info'
+- Improved support for NetBSD
 - Test if profiles are readable
 - systemd service file adjusted
 - bash completion script extended
@@ -339,7 +458,7 @@ Tests:
 * [AUTH-9308] - Made 'sulogin' more generic for systemd rescue shell
 * [DNS-1600]  - Initial work on DNSSEC validation testing
 * [NETW-2704] - Added support for local resolver 127.0.0.53
-* [PHP-2379]  - Suhosin test disbled
+* [PHP-2379]  - Suhosin test disabled
 * [SSH-7408]  - Removed 'DELAYED' from OpenSSH Compression setting
 * [TIME-3160] - Improvements to detect step-tickers file and entries
 
@@ -586,7 +705,7 @@ Changes:
 * Renamed some variables to better indicate their purpose (counting, data type)
 * Removal of unused code and comments
 * Deleted unused tests from database file
-* Correct levels of identation
+* Correct levels of indentation
 * Support for older mac OS X versions (Lion and Mountain Lion)
 * Initialized variables for more binaries
 * Additional sysctls are tested
@@ -1247,7 +1366,7 @@ Functions
 * AddSetting            - New function to store settings (lynis show settings)
 * ContainsString        - New function to search for a string in another one
 * Display               - Added --debug, showing details on screen in debug mode
-                        - Reset identation for lines which are too long
+                        - Reset indentation for lines which are too long
 * DisplayToolTip        - New function to display tooltips
 * IsDebug               - Check for usage of --debug
 * IsDeveloperMode       - Status for development and debugging (--developer)
@@ -1320,7 +1439,7 @@ release.
 ------------
 The biggest change in this release is the optimization of several functions. It
 allows for better detection, and dealing with the quirks, of every single
-operating system. Some functions were fortified to handle unexcepted results
+operating system. Some functions were fortified to handle unexpected results
 better, like missing a particular binary, or not returning the hostname.
 
 This release also enables tests to be shorter, by adding new functions. Some
@@ -1598,7 +1717,7 @@ Added tests for CSF's lfd utility for integrity monitoring on directories and
 files. Related tests are FINT-4334 and FINT-4336.
 
 Added support for Chrony time daemon and timesync daemon. Additionally NTP
-sychronization status is checked when it is enabled.
+synchronization status is checked when it is enabled.
 
 Improved single user mode protection on the rescue.service file.
 
@@ -2180,7 +2299,7 @@ Lynis 1.4.2 (2014-02-19)
  Changes:
  - Ignore interfaces aliases for HostID
  - Extended umask tests with pam_umask entries [AUTH-9328]
- - Check for supressed version on Squid [SQD-3680]
+ - Check for suppressed version on Squid [SQD-3680]
 
 ---------------------------------------------------------------------------------
 
@@ -2193,7 +2312,7 @@ Lynis 1.4.1 (2014-02-15)
  - Added 64 bits locations for Apache modules
  - Add start of new category to logfile
  - Extended sysstat test with /etc/cron.d/sysstat [ACCT-9626]
- - Extended cron job tests with entries start with asterix (*) [SCHD-7704]
+ - Extended cron job tests with entries start with asterisk (*) [SCHD-7704]
  - Additional check for multiple umask entries (like RHEL 6.x) [AUTH-9328]
  - Adjusted PHP test for register_globals (explicit test) [PHP-2368]
  - Small adjustments for upcoming plugin support
@@ -2320,7 +2439,7 @@ Lynis 1.3.6 (2013-12-03)
  - Adjusted PHP check to find ini files [PHP-2211]
  - Skip Apache test for NetBSD [HTTP-6622]
  - Skip test http version check for NetBSD [HTTP-6624]
- - Additional check to supress sort error [HTTP-6626]
+ - Additional check to suppress sort error [HTTP-6626]
  - Improved the way binaries are checked (less disk reads)
  - Adjusted ReportWarning() function to skip impact rating
  - Improved report on screen by leaving out date/time and type
@@ -2356,7 +2475,7 @@ Lynis 1.3.5 (2013-11-19)
  - Added suggestion about BIND version [NAME-4210]
  - Merged test NTP daemon test TIME-3108 into TIME-3104
  - Improved support for Arch Linux (output, detection)
- - Extended common list of directories with SSL certifcates in profile
+ - Extended common list of directories with SSL certificates in profile
  - New function GetHostID() to determine an unique identifier of the machine
  - Added a tests_custom file template
  - Perform file permissions test on tests_custom file
@@ -2399,7 +2518,7 @@ Lynis 1.3.3 (2013-10-24)
 Lynis 1.3.2 (2013-10-09)
 
  New:
- - Test for PowerDNS authoritive servers (master/slave status) [NAME-4238]
+ - Test for PowerDNS authoritative servers (master/slave status) [NAME-4238]
 
  Changes:
  - CUPS test extended with hardening rules [PRNT-2308]
@@ -2446,7 +2565,7 @@ Lynis 1.3.0 (2011-12-25)
  - Fixed incorrect warning for single user mode [AUTH-9308]
  - Improved output for stratum 16 time servers [TIME-3116]
  - Added suggestion and screen output for kernel hardening [KRNL-6000]
- - Screen layout optimalizations and log file improvements
+ - Screen layout optimizations and log file improvements
  - Improved list/layout of scan options
  - Improved binary check for compilers
  - Added configuration option in scan profile (show_tool_tips, default true)
@@ -3009,7 +3128,7 @@ Lynis 1.1.5 (2008-06-10)
  - Improved FreeBSD pkg_info output, logging output and report data [PKG-7302]
  - Changed shell history file test, searching files with maxdepth 1 [HOME-9310]
  - Extended iptables test, to check Linux kernel configuration file [FIRE-4511]
- - Added report warning to promicuous test [NETW-3014]
+ - Added report warning to promiscuous test [NETW-3014]
  - Fixed yellow color when being used at text display
  - Several logging improvements and cleanups
 
@@ -3078,11 +3197,11 @@ Lynis 1.1.2 (2008-05-11)
  - Improved LILO test and removed double message
  - Fixed incorrect message when using --help parameter
  - Improved portaudit test (FreeBSD) to show unique packages only
- - Updated man page, FAQ, extended documention with plugin information
+ - Updated man page, FAQ, extended documentation with plugin information
  - Added several php.ini file locations (MacOS X, OpenBSD, OpenSuSE)
 
  ** Special release notes [package/ports]: **
- - Added several default paths to check for usuable an INCLUDE directory. This
+ - Added several default paths to check for usable INCLUDE directory. This
    should make packaging Lynis easier for downstream package providers.
  - When no profile is set, Lynis will check first /etc/lynis/default.prf,
    before setting default.prf (in current work directory) as profile to use.
@@ -3141,7 +3260,7 @@ Lynis 1.0.9 (2008-03-24)
  - Added available shells from /etc/shells to report file
  - Updated man page
  - Fixed option in main help window for --man option
- - Code improvement, splitting up sections to seperated files
+ - Code improvement, splitting up sections to separated files
 
 ---------------------------------------------------------------------------------
 
@@ -3157,7 +3276,7 @@ Lynis 1.0.8 (2008-02-10)
  - Changed old temporary files check
  - Changed test to include ubuntu security repository
  - Moved UID check to avoid PID creation as non root user
- - Moved most functions to seperated files and several code cleanups
+ - Moved most functions to separated files and several code cleanups
  - Improved logging output
  - Extended FreeBSD (Copyright file) test
  - Changed indentation for many tests
@@ -3201,7 +3320,7 @@ Lynis 1.0.7 (2008-01-28)
  - Updated year number in program and support files
  - Added new function Display, to use indentation within lines
  - Added function RemovePIDFile before some exit routines, to clean up PID file
- - Extracted profile support, parameter support to seperated files
+ - Extracted profile support, parameter support to separated files
  - Created file tests_ports_packages for Ports and Packages
  - Deleted lynis.spec file, since it was not working and will be rewritten later
 
@@ -3354,7 +3473,7 @@ Lynis 1.0.0 (2007-11-08)
  - Test: query nameservers and test connectivity
  - Test: check promiscuous interfaces (FreeBSD)
  - Test: check sticky bit on /tmp directory
- - Test: check debian.org security brance in /etc/apt/sources.list
+ - Test: check debian.org security branch in /etc/apt/sources.list
  - Test: check kernel update on Debian
  - Test: query default Linux run level
  - Test: query chkconfig to see which services start at boot

CONTRIBUTING.md

@@ -1,3 +1,4 @@
+
 # Contributions
 
 ## Helping out
@@ -6,13 +7,13 @@
 Run the tool in debug mode (use lynis audit system --profile developer.prf) and see if it shows any error.
 
 ### Report bugs
-Create an GitHub issue on the issue tracker
+Create a GitHub issue on the issue tracker.
 
 ### Suggest changes (pull request)
 When you find something that can be improved, fork the project and create a pull request.
 
 ### Translations
-See the db/languages directory
+See the db/languages directory.
 
 
 ## Developer Guidelines
@@ -26,17 +27,17 @@ To ensure all pull requests can be easily checked and merged, here are some tips
 ## Code Guidelines
 
 ### General
-Identation should be 4 spaces (no tab character).
+Indentation should be 4 spaces (no tab character).
 
 ### Comments
 Comments: use # sign followed by a space. When needed, create a comment block.
-Blank lines: allowed, one line maximum
+Blank lines: allowed, one line maximum.
 
 ### Functions
 All functions use CamelCase to clearly show a difference between shell built-in commands, or external commands.
 
 ### Variables
-Variables should be capitalized, with underscore as word separator (e.g. PROCESS_EXISTS=1)
+Variables should be capitalized, with underscore as word separator (e.g. PROCESS_EXISTS=1).
 
 
 ## Pull Requests
@@ -56,7 +57,7 @@ to this repository, you agree that you:
 
 4. Allow the project the [Unlimited Rights](#Unlimited-Rights) to your contribution
 
-If you have questions regarding development, send us an e-mail at [lynis-dev](mailto:lynis-dev@cisofy.com)
+If you have questions regarding development, send us an e-mail at [lynis-dev](mailto:lynis-dev@cisofy.com).
 
 
 ## Unlimited Rights
@@ -67,6 +68,6 @@ software or computer software documentation in whole or in part, in any manner
 and for any purpose whatsoever, and to have or authorize others to do so.
 
 If you want to be named in as a contributor in the CONTRIBUTOR file, then include
-this notition in your pull request. Preferred format: Full Name, and your e-mail
+this notation in your pull request. Preferred format: Full Name, and your e-mail
 address).
 

CONTRIBUTORS.md

@@ -46,6 +46,7 @@ These people made a significant impact to the development of Lynis:
 * Mikko Lehtisalo, Finland
 * Steve Bosek, France
 * Thomas Siebel, Germany
+* Topi Miettinen, Finland
 * Zach Crownover
 
 

FAQ

@@ -98,4 +98,4 @@
 
 
 ================================================================================
- Lynis - Copyright 2007-2019, Michael Boelen, CISOfy - https://cisofy.com
+ Lynis - Copyright 2007-2020, Michael Boelen, CISOfy - https://cisofy.com

HAPPY_USERS.md

@@ -2,7 +2,7 @@
 
 ## Community
 
-Since 2007 the Lynis project helped many system administrators and security
+Since 2007, the Lynis project helped many system administrators and security
 professionals to scan their systems and perform system hardening. Happy users
 and contributors are the foundation of a healthy project.
 
@@ -33,3 +33,6 @@ installed on all my systems to uncover unexpected configuration issues. The
 valuable feedback and contributions give me the energy to continue to work on
 its development, even after 12+ years!
 
+* Catalyst.net IT - January 2020
+Lynis gave us great insight in to the security state of our systems, as well as where we can improve.
+

INSTALL

@@ -6,7 +6,7 @@
 ================================================================================
 
   Author:                   2007-2013, Michael Boelen (michael.boelen@cisofy.com)
-                            2013-2016, CISOfy development team
+                            2013-now, CISOfy development team
   Description:              Security and system auditing tool
   Web site:                 https://cisofy.com
   Support:                  See 'Support' and https://cisofy.com/support/
@@ -48,4 +48,4 @@
 
 
 ================================================================================
- Lynis - Copyright 2007-2019, Michael Boelen, CISOfy - https://cisofy.com
+ Lynis - Copyright 2007-2020, Michael Boelen, CISOfy - https://cisofy.com

README.md

@@ -1,4 +1,5 @@
 
+
 [![Linux Security Expert badge](https://badges.linuxsecurity.expert/tools/ranking/lynis.svg)](https://linuxsecurity.expert/tools/lynis/)
 [![Build Status](https://travis-ci.org/CISOfy/lynis.svg?branch=master)](https://travis-ci.org/CISOfy/lynis)
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/96/badge)](https://bestpractices.coreinfrastructure.org/projects/96)
@@ -14,7 +15,7 @@ Do you like this software? **Star the project** and become a [stargazer](https:/
 
 > Lynis - Security auditing and hardening tool, for UNIX-based systems.
 
-Lynis is a security auditing for system based on UNIX like Linux, macOS, BSD, and others. It performs an **in-depth security scan** and runs on the system itself. The primary goal is to test security defenses and **provide tips for further system hardening**. It will also scan for general system information, vulnerable software packages, and possible configuration issues. Lynis was commonly used by system administrators and auditors to assess the security defenses of their systems. Besides the "blue team", nowadays penetration testers also have Lynis in their toolkit.
+Lynis is a security auditing tool for systems based on UNIX like Linux, macOS, BSD, and others. It performs an **in-depth security scan** and runs on the system itself. The primary goal is to test security defenses and **provide tips for further system hardening**. It will also scan for general system information, vulnerable software packages, and possible configuration issues. Lynis was commonly used by system administrators and auditors to assess the security defenses of their systems. Besides the "blue team," nowadays penetration testers also have Lynis in their toolkit.
 
 We believe software should be **simple**, **updated on a regular basis**, and **open**. You should be able to trust, understand, and have the option to change the software. Many agree with us, as the software is being used by thousands every day to protect their systems.
 
@@ -55,11 +56,14 @@ Typical users of the software:
 
 If you want to run the software as `root`, we suggest changing the ownership of the files. Use `chown -R 0:0` to recursively alter the owner and group and set it to user ID `0` (`root`).
 
-### Package
+### Software Package
 
-Stable releases of Lynis are packaged and made available as RPM or DEB package. The [CISOfy software repository](https://packages.cisofy.com) can be used to install Lynis on systems running:
+For Linux, BSD, and macOS, there is typically a package available. The Lynis project also provides packages in RPM or DEB format. The [CISOfy software repository](https://packages.cisofy.com) can be used to install Lynis on systems running:
 `CentOS`, `Debian`, `Fedora`, `OEL`, `openSUSE`, `RHEL`, `Ubuntu`, and others.
 
+Some distributions may also have Lynis in their software repository: [![Repology](https://repology.org/badge/tiny-repos/lynis.svg)](https://repology.org/project/lynis/versions)
+If they don't provide an up-to-date version, consider the CISOfy repository, tarball (website), or GitHub release.
+
 ### Enterprise Version
 
 This software component is also part of an enterprise solution. Same quality, yet with more functionality.
@@ -100,7 +104,7 @@ Lynis is collecting some awards and we are proud of that.
 
 > We love contributors.
 
-Do you have something to share? Or help out with translating Lynis into your own language? Create an issue or pull request on GitHub, or send us an e-mail: lynis-dev@cisofy.com.
+Do you have something to share? Want to help out with translating Lynis into your own language? Create an issue or pull request on GitHub, or send us an e-mail: lynis-dev@cisofy.com.
 
 More details can be found in the [Contributors Guide](https://github.com/CISOfy/lynis/blob/master/CONTRIBUTING.md).
 

db/languages/de

@@ -1,38 +1,91 @@
-GEN_PHASE="Phase"
+ERROR_NO_LICENSE="Kein Lizenzschlüssel eingerichtet"
+ERROR_NO_UPLOAD_SERVER="Kein Upload-Server eingerichtet"
 GEN_CHECKING="Überprüfung"
 GEN_CURRENT_VERSION="Aktuelle Version"
 GEN_DEBUG_MODE="Debug-Modus"
-GEN_INITIALIZE_PROGRAM="Initiiere Programm"
+GEN_INITIALIZE_PROGRAM="Initialisiere Programm"
+GEN_LATEST_VERSION="Aktuellste Version"
+GEN_PHASE="Phase"
 GEN_PLUGINS_ENABLED="Plugins aktiviert"
-GEN_VERBOSE_MODE="Ausführlicher Modus"
 GEN_UPDATE_AVAILABLE="Aktualisierung verfügbar"
+GEN_VERBOSE_MODE="Ausführlicher Modus"
 GEN_WHAT_TO_DO="Was zu tun ist"
 NOTE_EXCEPTIONS_FOUND="Abweichungen gefunden"
 NOTE_EXCEPTIONS_FOUND_DETAILED="Einige außergewöhnliche Ereignisse oder Informationen wurden gefunden"
 NOTE_PLUGINS_TAKE_TIME="Beachte: Plugins beinhalten eingehendere Tests und können mehrere Minuten benötigen, bis sie abgeschlossen sind"
+NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Übersprungene Tests aufgrund nicht privilegiertem Modus"
+SECTION_ACCOUNTING="Accounting"
+SECTION_BANNERS_AND_IDENTIFICATION="Banner und Identifizierung"
+SECTION_BASICS="Grundlegendes"
+SECTION_BOOT_AND_SERVICES="Systemstart und Dienste"
+SECTION_CONTAINERS="Container"
+SECTION_CRYPTOGRAPHY="Kryptographie"
 SECTION_CUSTOM_TESTS="Benutzerdefinierte Tests"
-SECTION_MALWARE="Malware"
+SECTION_DATA_UPLOAD="Daten hochladen"
-SECTION_MEMORY_AND_PROCESSES="Speicher und Prozesse"
+SECTION_DATABASES="Datenbanken"
+SECTION_DOWNLOADS="Downloads"
+SECTION_EMAIL_AND_MESSAGING="Software: E-Mail und Messaging"
+SECTION_FILE_INTEGRITY="Software: Dateintegrität"
+SECTION_FILE_PERMISSIONS="Dateiberechtigungen"
+SECTION_FILE_SYSTEMS="Dateisysteme"
+SECTION_FIREWALLS="Software: Firewalls"
+SECTION_GENERAL="Allgemein"
+SECTION_HARDENING="Härtung"
+SECTION_HOME_DIRECTORIES="Heimatverzeichnisse"
+SECTION_IMAGE="Image"
+SECTION_INITIALIZING_PROGRAM="Initialisiere Programm"
+SECTION_INSECURE_SERVICES="Unsichere Dienste"
+SECTION_KERNEL="Kernel"
+SECTION_KERNEL_HARDENING="Kernelhärtung"
+SECTION_LDAP_SERVICES="LDAP Dienste"
+SECTION_LOGGING_AND_FILES="Logs und Logdateien"
+SECTION_MALWARE="Software: Malware"
+SECTION_MEMORY_AND_PROCESSES="Software: Speicher und Prozesse"
+SECTION_NAME_SERVICES="Namensauflösung"
+SECTION_NETWORKING="Netzwerk"
+SECTION_PERMISSIONS="Berechtigungen"
+SECTION_PORTS_AND_PACKAGES="Ports und Pakete"
+SECTION_PRINTERS_AND_SPOOLS="Drucker und Warteschlange"
+SECTION_PROGRAM_DETAILS="Programmdetails"
+SECTION_SCHEDULED_TASKS="Geplante Aufgaben"
+SECTION_SECURITY_FRAMEWORKS="Sicherheitsframeworks"
+SECTION_SHELLS="Shells"
+SECTION_SNMP_SUPPORT="SNMP Unterstützung"
+SECTION_SOFTWARE="Software"
+SECTION_SQUID_SUPPORT="Squid"
+SECTION_SSH_SUPPORT="SSH"
+SECTION_STORAGE="Speicher"
+SECTION_SYSTEM_INTEGRITY="Software: Systemintegrität"
+SECTION_SYSTEM_TOOLING="Software: Systemwerkzeuge"
+SECTION_SYSTEM_TOOLS="Systemwerkzeuge"
+SECTION_TIME_AND_SYNCHRONIZATION="Zeit und Zeitsynchronisierung"
+SECTION_USB_DEVICES="USB Geräte"
+SECTION_USERS_GROUPS_AND_AUTHENTICATION="Benutzer, Gruppen und Authentifizierung"
+SECTION_VIRTUALIZATION="Virtualisierung"
+SECTION_WEBSERVER="Software: Webserver"
+STATUS_ACTIVE="AKTIV"
+STATUS_DISABLED="DEAKTIVIERT"
 STATUS_DONE="FERTIG"
+STATUS_ENABLED="AKTIVIERT"
+STATUS_ERROR="FEHLER"
+STATUS_FAILED="FEHLERHAFT"
 STATUS_FOUND="GEFUNDEN"
-STATUS_YES="JA"
+STATUS_INSTALLED="INSTALLIERT"
 STATUS_NO="NEIN"
+STATUS_NONE="NICHTS"
+STATUS_NOT_CONFIGURED="NICHT KONFIGURIERT"
+STATUS_NOT_ENABLED="NICHT AKTIVIERT"
+STATUS_NOT_FOUND="NICHT GEFUNDEN"
+STATUS_NOT_RUNNING="LÄUFT NICHT"
 STATUS_OFF="AUS"
 STATUS_OK="OK"
 STATUS_ON="AN"
-STATUS_NONE="NICHTS"
-STATUS_NOT_FOUND="NICHT GEFUNDEN"
-STATUS_NOT_RUNNING="LÄUFT NICHT"
 STATUS_RUNNING="LÄUFT"
 STATUS_SKIPPED="ÜBERSPRUNGEN"
 STATUS_SUGGESTION="VORSCHLAG"
 STATUS_UNKNOWN="UNBEKANNT"
 STATUS_WARNING="WARNUNG"
-TEXT_YOU_CAN_HELP_LOGFILE="Sie können durch Übermittlung Ihrer Logdatei helfen"
+STATUS_WEAK="SCHWACH"
+STATUS_YES="JA"
 TEXT_UPDATE_AVAILABLE="Aktualisierung verfügbar"
-NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Übersprungene Tests aufgrund nicht privilegiertem Modus"
+TEXT_YOU_CAN_HELP_LOGFILE="Sie können durch Übermittlung Ihrer Logdatei helfen"
-STATUS_DISABLED="DEAKTIVIERT"
-STATUS_ENABLED="AKTIVIERT"
-STATUS_ERROR="FEHLER"
-ERROR_NO_LICENSE="Kein Lizenzschlüssel eingerichtet"
-ERROR_NO_UPLOAD_SERVER="Kein Upload-Server eingerichtet"

db/languages/de-AT

@@ -0,0 +1 @@
+de

db/languages/en

@@ -14,32 +14,86 @@ NOTE_EXCEPTIONS_FOUND="Exceptions found"
 NOTE_EXCEPTIONS_FOUND_DETAILED="Some exceptional events or information was found"
 NOTE_PLUGINS_TAKE_TIME="Note: plugins have more extensive tests and may take several minutes to complete"
 NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Skipped tests due to non-privileged mode"
+SECTION_ACCOUNTING="Accounting"
+SECTION_BANNERS_AND_IDENTIFICATION="Banners and identification"
+SECTION_BASICS="Basics"
+SECTION_BOOT_AND_SERVICES="Boot and services"
+SECTION_CONTAINERS="Containers"
+SECTION_CRYPTOGRAPHY="Cryptography"
 SECTION_CUSTOM_TESTS="Custom tests"
 SECTION_DATA_UPLOAD="Data upload"
+SECTION_DATABASES="Databases"
+SECTION_DOWNLOADS="Downloads"
+SECTION_EMAIL_AND_MESSAGING="Software: e-mail and messaging"
+SECTION_FILE_INTEGRITY="Software: file integrity"
+SECTION_FILE_PERMISSIONS="File Permissions"
+SECTION_FILE_SYSTEMS="File systems"
+SECTION_FIREWALLS="Software: firewalls"
+SECTION_GENERAL="General"
+SECTION_HARDENING="Hardening"
+SECTION_HOME_DIRECTORIES="Home directories"
+SECTION_IMAGE="Image"
 SECTION_INITIALIZING_PROGRAM="Initializing program"
-SECTION_MALWARE="Malware"
+SECTION_INSECURE_SERVICES="Insecure services"
+SECTION_KERNEL="Kernel"
+SECTION_KERNEL_HARDENING="Kernel Hardening"
+SECTION_LDAP_SERVICES="LDAP Services"
+SECTION_LOGGING_AND_FILES="Logging and files"
+SECTION_MALWARE="Software: Malware"
 SECTION_MEMORY_AND_PROCESSES="Memory and Processes"
+SECTION_NAME_SERVICES="Name services"
+SECTION_NETWORKING="Networking"
+SECTION_PERMISSIONS="Permissions"
+SECTION_PORTS_AND_PACKAGES="Ports and packages"
+SECTION_PRINTERS_AND_SPOOLS="Printers and Spools"
+SECTION_PROGRAM_DETAILS="Program Details"
+SECTION_SCHEDULED_TASKS="Scheduled tasks"
+SECTION_SECURITY_FRAMEWORKS="Security frameworks"
+SECTION_SHELLS="Shells"
+SECTION_SNMP_SUPPORT="SNMP Support"
+SECTION_SOFTWARE="Software"
+SECTION_SQUID_SUPPORT="Squid Support"
+SECTION_SSH_SUPPORT="SSH Support"
+SECTION_STORAGE="Storage"
+SECTION_SYSTEM_INTEGRITY="Software: System integrity"
+SECTION_SYSTEM_TOOLING="Software: System tooling"
 SECTION_SYSTEM_TOOLS="System tools"
+SECTION_TIME_AND_SYNCHRONIZATION="Time and Synchronization"
+SECTION_USB_DEVICES="USB Devices"
+SECTION_USERS_GROUPS_AND_AUTHENTICATION="Users, Groups and Authentication"
+SECTION_VIRTUALIZATION="Virtualization"
+SECTION_WEBSERVER="Software: webserver"
+STATUS_ACTIVE="ACTIVE"
+STATUS_DEBUG="DEBUG"
+STATUS_DEFAULT="DEFAULT"
+STATUS_DIFFERENT="DIFFERENT"
 STATUS_DISABLED="DISABLED"
 STATUS_DONE="DONE"
 STATUS_ENABLED="ENABLED"
 STATUS_ERROR="ERROR"
 STATUS_FAILED="FAILED"
+STATUS_FILES_FOUND="FILES FOUND"
 STATUS_FOUND="FOUND"
+STATUS_INSTALLED="INSTALLED"
+STATUS_NO="NO"
+STATUS_NO_UPDATE="NO UPDATE"
+STATUS_NONE="NONE"
+STATUS_NOT_CONFIGURED="NOT CONFIGURED"
+STATUS_NOT_DISABLED="NOT DISABLED"
+STATUS_NOT_ENABLED="NOT ENABLED"
+STATUS_NOT_FOUND="NOT FOUND"
+STATUS_NOT_RUNNING="NOT RUNNING"
 STATUS_OFF="OFF"
 STATUS_OK="OK"
 STATUS_ON="ON"
-STATUS_NO="NO"
+STATUS_PROTECTED="PROTECTED"
-STATUS_NONE="NONE"
-STATUS_NOT_CONFIGURED="NOT CONFIGURED"
-STATUS_NOT_FOUND="NOT FOUND"
-STATUS_NOT_RUNNING="NOT RUNNING"
 STATUS_RUNNING="RUNNING"
 STATUS_SKIPPED="SKIPPED"
 STATUS_SUGGESTION="SUGGESTION"
 STATUS_UNKNOWN="UNKNOWN"
+STATUS_UPDATE_AVAILABLE="UPDATE AVAILABLE"
 STATUS_WARNING="WARNING"
 STATUS_WEAK="WEAK"
 STATUS_YES="YES"
-TEXT_YOU_CAN_HELP_LOGFILE="You can help by providing your log file"
 TEXT_UPDATE_AVAILABLE="update available"
+TEXT_YOU_CAN_HELP_LOGFILE="You can help by providing your log file"

db/languages/fr

@@ -1,38 +1,99 @@
+ERROR_NO_LICENSE="Pas de clé de licence configurée"
+ERROR_NO_UPLOAD_SERVER="Pas de serveur de transfert configuré"
 GEN_CHECKING="Vérification"
 GEN_CURRENT_VERSION="Version actuelle"
-GEN_DEBUG_MODE="mode debug"
+GEN_DEBUG_MODE="mode débug"
 GEN_INITIALIZE_PROGRAM="Initialisation"
+GEN_LATEST_VERSION="Dernière version"
 GEN_PHASE="phase"
 GEN_PLUGINS_ENABLED="Plugins activés"
-GEN_VERBOSE_MODE="mode verbeux"
 GEN_UPDATE_AVAILABLE="mise à jour disponible"
+GEN_VERBOSE_MODE="mode verbeux"
 GEN_WHAT_TO_DO="Que faire"
 NOTE_EXCEPTIONS_FOUND="Exceptions trouvées"
 NOTE_EXCEPTIONS_FOUND_DETAILED="Des événements ou informations exceptionnels ont été trouvés"
-NOTE_PLUGINS_TAKE_TIME="Note: les plugins ont des tests plus poussés et peuvent prendre plusieurs minutes"
+NOTE_PLUGINS_TAKE_TIME="Note : Les plugins ont des tests plus poussés qui peuvent prendre plusieurs minutes"
 NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Tests ignorés faute de privilèges"
-SECTION_CUSTOM_TESTS="Tests Personnalisés"
+SECTION_ACCOUNTING="Comptes"
-SECTION_MALWARE="Malware"
+SECTION_BANNERS_AND_IDENTIFICATION="Bannières et identification"
-SECTION_MEMORY_AND_PROCESSES="Mémoire et Processus"
+SECTION_BASICS="Basics"
+SECTION_BOOT_AND_SERVICES="Démarrage et services"
+SECTION_CONTAINERS="Conteneurs"
+SECTION_CRYPTOGRAPHY="Cryptographie"
+SECTION_CUSTOM_TESTS="Tests personnalisés"
+SECTION_DATA_UPLOAD="Téléchargement de données"
+SECTION_DATABASES="Bases de données"
+SECTION_DOWNLOADS="Téléchargements"
+SECTION_EMAIL_AND_MESSAGING="Logiciel : Email et messagerie"
+SECTION_FILE_INTEGRITY="Logiciel : Intégrité de fichier"
+SECTION_FILE_PERMISSIONS="Permissions de fichier"
+SECTION_FILE_SYSTEMS="Systèmes de fichier"
+SECTION_FIREWALLS="Logiciel : Pare-feu"
+SECTION_GENERAL="Général"
+SECTION_HARDENING="Hardening"
+SECTION_HOME_DIRECTORIES="Dossiers personnels"
+SECTION_IMAGE="Image"
+SECTION_INITIALIZING_PROGRAM="Initialisation du programme"
+SECTION_INSECURE_SERVICES="Services non sécurisés"
+SECTION_KERNEL="Noyau"
+SECTION_KERNEL_HARDENING="Kernel Hardening"
+SECTION_LDAP_SERVICES="Services LDAP"
+SECTION_LOGGING_AND_FILES="Journalisation et fichiers"
+SECTION_MALWARE="Logiciel : Malveillant"
+SECTION_MEMORY_AND_PROCESSES="Mémoire et processus"
+SECTION_NAME_SERVICES="Services de noms"
+SECTION_NETWORKING="Mise en réseau"
+SECTION_PERMISSIONS="Permissions"
+SECTION_PORTS_AND_PACKAGES="Ports et packages"
+SECTION_PRINTERS_AND_SPOOLS="Imprimantes et serveurs d'impression"
+SECTION_PROGRAM_DETAILS="Détails du programme"
+SECTION_SCHEDULED_TASKS="Tâches planifiées"
+SECTION_SECURITY_FRAMEWORKS="Frameworks de sécurité"
+SECTION_SHELLS="Shells"
+SECTION_SNMP_SUPPORT="Prise en charge SNMP"
+SECTION_SOFTWARE="Logiciel"
+SECTION_SQUID_SUPPORT="Prise en charge Squid"
+SECTION_SSH_SUPPORT="Prise en charge SSH"
+SECTION_STORAGE="Stockage"
+SECTION_SYSTEM_INTEGRITY="Logiciel : Intégrité du système"
+SECTION_SYSTEM_TOOLING="Logiciel : System tooling"
+SECTION_SYSTEM_TOOLS="Outils système"
+SECTION_TIME_AND_SYNCHRONIZATION="Heure et synchronisation"
+SECTION_USB_DEVICES="Périphériques USB"
+SECTION_USERS_GROUPS_AND_AUTHENTICATION="Utilisateurs, groupes et authentification"
+SECTION_VIRTUALIZATION="Virtualisation"
+SECTION_WEBSERVER="Logiciel : Serveur web"
+STATUS_ACTIVE="ACTIF"
+STATUS_DEBUG="DÉBUG"
+STATUS_DEFAULT="PAR DÉFAUT"
+STATUS_DIFFERENT="DIFFÉRENT"
+STATUS_DISABLED="DÉSACTIVÉ"
 STATUS_DONE="FAIT"
+STATUS_ENABLED="ACTIVÉ"
+STATUS_ERROR="ERREUR"
+STATUS_FAILED="ÉCHOUÉ"
+STATUS_FILES_FOUND="FICHIERS TROUVÉS"
 STATUS_FOUND="TROUVÉ"
-STATUS_YES="OUI"
+STATUS_INSTALLED="INSTALLÉ"
 STATUS_NO="NON"
+STATUS_NO_UPDATE="PAS DE MISE A JOUR"
+STATUS_NONE="AUCUN"
+STATUS_NOT_CONFIGURED="NON CONFIGURÉ"
+STATUS_NOT_DISABLED="NON DESACTIVÉ"
+STATUS_NOT_ENABLED="NON ACTIVÉ"
+STATUS_NOT_FOUND="NON TROUVÉ"
+STATUS_NOT_RUNNING="NON LANCÉ"
 STATUS_OFF="OFF"
 STATUS_OK="OK"
 STATUS_ON="ON"
-STATUS_NONE="AUCUN"
+STATUS_PROTECTED="PROTÉGÉ"
-STATUS_NOT_FOUND="NON TROUVÉ"
+STATUS_RUNNING="EN COURS"
-STATUS_NOT_RUNNING="NON LANCÉ"
-STATUS_RUNNING="EN COURS":
 STATUS_SKIPPED="IGNORÉ"
 STATUS_SUGGESTION="SUGGESTION"
 STATUS_UNKNOWN="INCONNU"
-STATUS_WARNING="ATTENTION"
+STATUS_UPDATE_AVAILABLE="MISE A JOUR DISPONIBLE"
-TEXT_YOU_CAN_HELP_LOGFILE="Vous pouvez aider en envoyant votre fichier journal"
+STATUS_WARNING="AVERTISSEMENT"
+STATUS_WEAK="FAIBLE"
+STATUS_YES="OUI"
 TEXT_UPDATE_AVAILABLE="Mise à jour disponible"
-STATUS_DISABLED="DÉSACTIVÉ"
+TEXT_YOU_CAN_HELP_LOGFILE="Vous pouvez aider en envoyant votre fichier journal"
-STATUS_ENABLED="ACTIVÉ"
-STATUS_ERROR="ERREUR"
-ERROR_NO_LICENSE="Pas de clé de licence configurée"
-ERROR_NO_UPLOAD_SERVER="Pas de serveur de transfert configuré"

db/languages/it

@@ -1,38 +1,48 @@
+ERROR_NO_LICENSE="Nessuna chiave di licenza configurata"
+ERROR_NO_UPLOAD_SERVER="Nessun server di upload configurato"
 GEN_CHECKING="Controllo"
 GEN_CURRENT_VERSION="Versione corrente"
 GEN_DEBUG_MODE="Modalità Debug"
 GEN_INITIALIZE_PROGRAM="Inizializzando il programma"
+GEN_LATEST_VERSION="Versione ultima"
 GEN_PHASE="fase"
 GEN_PLUGINS_ENABLED="Plugin abilitati"
-GEN_VERBOSE_MODE="Modalità Verbose"
 GEN_UPDATE_AVAILABLE="aggiornamento disponibile"
+GEN_VERBOSE_MODE="Modalità Verbose"
 GEN_WHAT_TO_DO="Cosa fare"
 NOTE_EXCEPTIONS_FOUND="Trovate Eccezioni"
 NOTE_EXCEPTIONS_FOUND_DETAILED="Sono stati rilevati alcuni eventi o informazioni eccezionali"
 NOTE_PLUGINS_TAKE_TIME="Nota: i plugin sono sottoposti a test più estesi e possono richiedere alcuni minuti per il completamento"
+NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Test saltati a causa della modalità di esecuzione non privilegiata"
 SECTION_CUSTOM_TESTS="Test su misura (Custom)"
+SECTION_DOWNLOADS="Scaricamenti"
+SECTION_GENERAL="Generale"
+SECTION_INITIALIZING_PROGRAM="Inizializzando il programma"
+SECTION_INSECURE_SERVICES="Service insicuri"
 SECTION_MALWARE="Malware"
 SECTION_MEMORY_AND_PROCESSES="Memoria e Processi"
+SECTION_STORAGE="Spazio di archiviazione"
+SECTION_TIME_AND_SYNCHRONIZATION="Tempo and Sincronizzazione"
+STATUS_DISABLED="DISABILITATO"
 STATUS_DONE="FATTO"
+STATUS_ENABLED="ABILITATO"
+STATUS_ERROR="ERRORE"
+STATUS_FAILED="FALLITO"
 STATUS_FOUND="TROVATO"
-STATUS_YES="SI"
 STATUS_NO="NO"
+STATUS_NONE="NESSUNO"
+STATUS_NOT_CONFIGURED="NON CONFIGURATO"
+STATUS_NOT_FOUND="NON TROVATO"
+STATUS_NOT_RUNNING="NON IN ESECUZIONE"
 STATUS_OFF="OFF"
 STATUS_OK="OK"
 STATUS_ON="ON"
-STATUS_NONE="NESSUNO"
-STATUS_NOT_FOUND="NON TROVATO"
-STATUS_NOT_RUNNING="NON IN ESECUZIONE"
 STATUS_RUNNING="IN ESECUZIONE"
 STATUS_SKIPPED="SALTATO"
 STATUS_SUGGESTION="SUGGERIMENTO"
 STATUS_UNKNOWN="SCONOSCIUTO"
 STATUS_WARNING="ATTENZIONE"
-TEXT_YOU_CAN_HELP_LOGFILE="Puoi aiutare fornendoci il tuo file di log"
+STATUS_WEAK="DEBOLE"
+STATUS_YES="SI"
 TEXT_UPDATE_AVAILABLE="aggiornamento disponibile"
-NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Test saltati a causa della modalità di esecuzione non privilegiata"
+TEXT_YOU_CAN_HELP_LOGFILE="Puoi aiutare fornendoci il tuo file di log"
-STATUS_DISABLED="DISABILITATO"
-STATUS_ENABLED="ABILITATO"
-STATUS_ERROR="ERRORE"
-ERROR_NO_LICENSE="Nessuna chiave di licenza configurata"
-ERROR_NO_UPLOAD_SERVER="Nessun server di upload configurato"

db/languages/nl

@@ -1,38 +1,45 @@
+ERROR_NO_LICENSE="Geen licentiecode geconfigureerd"
+ERROR_NO_UPLOAD_SERVER="Geen upload server geconfigureerd"
 GEN_CHECKING="Zoeken naar"
+GEN_CURRENT_VERSION="Huidige versie"
+GEN_DEBUG_MODE="Debug modus"
+GEN_INITIALIZE_PROGRAM="Programma initialiseren"
+GEN_LATEST_VERSION="Laatste versie"
 GEN_PHASE="fase"
-GEN_INITIALIZE_PROGRAM="Initialiseren van programma"
+GEN_PLUGINS_ENABLED="Plugins geactiveerd"
-NOTE_PLUGINS_TAKE_TIME="Plugins hebben uitgebreidere testen en kunnen derhalve enkele minuten duren"
+GEN_VERBOSE_MODE="Verbose modus"
-NOTE_EXCEPTIONS_FOUND="Uitzonderingen gevonden"
+GEN_UPDATE_AVAILABLE="Update beschikbaar"
-SECTION_CUSTOM_TESTS="Eigen Testen"
+GEN_WHAT_TO_DO="Wat te doen"
+NOTE_EXCEPTIONS_FOUND="Bijzonderheden gevonden"
+NOTE_EXCEPTIONS_FOUND_DETAILED="Enkele bijzondere gebeurtenissen of informatie gevonden"
+NOTE_PLUGINS_TAKE_TIME="Let op: plugins hebben uitgebreidere testen en kunnen daardoor enkele minuten duren"
+NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Overgeslagen testen vanwege beperkte rechten"
+SECTION_CUSTOM_TESTS="Eigen testen"
+SECTION_DATA_UPLOAD="Data upload"
+SECTION_INITIALIZING_PROGRAM="Programma initialiseren"
 SECTION_MALWARE="Kwaadaardige software (malware)"
 SECTION_MEMORY_AND_PROCESSES="Geheugen en Processen"
-STATUS_DONE="KLAAR"
+SECTION_SYSTEM_TOOLS="Systeem gereedschap"
 STATUS_DISABLED="UITGESCHAKELD"
+STATUS_DONE="KLAAR"
 STATUS_ENABLED="INGESCHAKELD"
+STATUS_ERROR="FOUT"
+STATUS_FAILED="MISLUKT"
 STATUS_FOUND="GEVONDEN"
-STATUS_NO="NEE"
+STATUS_OFF="UIT"
-STATUS_NONE="GEEN"
-STATUS_NOT_FOUND="NIET GEVONDEN"
-STATUS_NOT_RUNNING="NIET ACTIEF"
 STATUS_OK="OK"
 STATUS_ON="AAN"
-STATUS_OFF="UIT"
+STATUS_NO="NEE"
-STATUS_YES="JA"
+STATUS_NONE="GEEN"
+STATUS_NOT_CONFIGURED="NIET GECONFIGUREERD"
+STATUS_NOT_FOUND="NIET GEVONDEN"
+STATUS_NOT_RUNNING="NIET ACTIEF"
 STATUS_RUNNING="ACTIEF"
 STATUS_SKIPPED="OVERGESLAGEN"
 STATUS_SUGGESTION="SUGGESTIE"
 STATUS_UNKNOWN="ONBEKEND"
 STATUS_WARNING="WAARSCHUWING"
-GEN_CURRENT_VERSION="Huidige versie"
+STATUS_WEAK="ZWAK"
-GEN_DEBUG_MODE="Debug mode"
+STATUS_YES="JA"
-GEN_PLUGINS_ENABLED="Plugins geactiveerd"
-GEN_VERBOSE_MODE="Verbose mode"
-GEN_UPDATE_AVAILABLE="update beschikbaar"
-GEN_WHAT_TO_DO="Wat te doen"
-NOTE_EXCEPTIONS_FOUND_DETAILED="Enkele uitzonderingen gevonden"
-NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Overgeslagen testen vanwege beperkte rechten"
 TEXT_YOU_CAN_HELP_LOGFILE="Help mee door je logbestand te delen"
 TEXT_UPDATE_AVAILABLE="update beschikbaar"
-STATUS_ERROR="FOUT"
-ERROR_NO_LICENSE="geen licentiecode configureerd"
-ERROR_NO_UPLOAD_SERVER="geen server configureerd voor uploads"

db/languages/ru

@@ -1,38 +1,38 @@
-GEN_CHECKING="Checking"
+GEN_CHECKING="Проверка"
-GEN_CURRENT_VERSION="Current version"
+GEN_CURRENT_VERSION="Текущая версия"
-GEN_DEBUG_MODE="Debug mode"
+GEN_DEBUG_MODE="Режим отладки"
-GEN_INITIALIZE_PROGRAM="Initializing program"
+GEN_INITIALIZE_PROGRAM="Инициализация программы"
-GEN_PHASE="phase"
+GEN_PHASE="Стадия"
-GEN_PLUGINS_ENABLED="Plugins enabled"
+GEN_PLUGINS_ENABLED="Плагины включены"
-GEN_VERBOSE_MODE="Verbose mode"
+GEN_VERBOSE_MODE="Подробный режим"
-GEN_UPDATE_AVAILABLE="update available"
+GEN_UPDATE_AVAILABLE="доступно обновление"
-GEN_WHAT_TO_DO="What to do"
+GEN_WHAT_TO_DO="Что сделать"
-NOTE_EXCEPTIONS_FOUND="Exceptions found"
+NOTE_EXCEPTIONS_FOUND="Найдены исключения"
-NOTE_EXCEPTIONS_FOUND_DETAILED="Some exceptional events or information was found"
+NOTE_EXCEPTIONS_FOUND_DETAILED="Были найдены некоторые исключительные события или информация"
-NOTE_PLUGINS_TAKE_TIME="Note: plugins have more extensive tests and may take several minutes to complete"
+NOTE_PLUGINS_TAKE_TIME="Примечание: плагины имеют более обширные тесты и могут занять несколько минут до завершения"
-SECTION_CUSTOM_TESTS="Custom Tests"
+SECTION_CUSTOM_TESTS="Пользовательские тесты"
-SECTION_MALWARE="Malware"
+SECTION_MALWARE="Вредоносное ПО"
-SECTION_MEMORY_AND_PROCESSES="Memory and Processes"
+SECTION_MEMORY_AND_PROCESSES="Память и процессы"
-STATUS_DONE="DONE"
+STATUS_DONE="Завершено"
-STATUS_FOUND="FOUND"
+STATUS_FOUND="Найдено"
-STATUS_YES="YES"
+STATUS_YES="ДА"
-STATUS_NO="NO"
+STATUS_NO="НЕТ"
-STATUS_OFF="OFF"
+STATUS_OFF="Выключено"
-STATUS_OK="OK"
+STATUS_OK="ОК"
-STATUS_ON="ON"
+STATUS_ON="Включено"
-STATUS_NONE="NONE"
+STATUS_NONE="Отсутствует"
-STATUS_NOT_FOUND="NOT FOUND"
+STATUS_NOT_FOUND="НЕ НАЙДЕНО"
-STATUS_NOT_RUNNING="NOT RUNNING"
+STATUS_NOT_RUNNING="НЕ ЗАПУЩЕНО"
-STATUS_RUNNING="RUNNING"
+STATUS_RUNNING="ЗАПУЩЕНО"
-STATUS_SKIPPED="SKIPPED"
+STATUS_SKIPPED="ПРОПУЩЕНО"
-STATUS_SUGGESTION="SUGGESTION"
+STATUS_SUGGESTION="ПРЕДЛОЖЕНИЕ"
-STATUS_UNKNOWN="UNKNOWN"
+STATUS_UNKNOWN="НЕИЗВЕСТНО"
-STATUS_WARNING="WARNING"
+STATUS_WARNING="ПРЕДУПРЕЖДЕНИЕ"
-TEXT_YOU_CAN_HELP_LOGFILE="You can help by providing your log file"
+TEXT_YOU_CAN_HELP_LOGFILE="Вы можете помочь предоставив ваш лог-файл"
-TEXT_UPDATE_AVAILABLE="update available"
+TEXT_UPDATE_AVAILABLE="доступно обновление"
-NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Skipped tests due to non-privileged mode"
+NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Тесты пропущены из-за использования непривилегированного режима"
-STATUS_DISABLED="DISABLED"
+STATUS_DISABLED="ОТКЛЮЧЕНО"
-STATUS_ENABLED="ENABLED"
+STATUS_ENABLED="ВКЛЮЧЕНО"
-STATUS_ERROR="ERROR"
+STATUS_ERROR="ОШИБКА"
-ERROR_NO_LICENSE="No license key configured"
+ERROR_NO_LICENSE="Лицензионный ключ не настроен"
-ERROR_NO_UPLOAD_SERVER="No upload server configured"
+ERROR_NO_UPLOAD_SERVER="Загрузочный сервер не настроен"

db/software-eol.db

@@ -4,25 +4,40 @@
 # This file has 4 fields:
 # 1) category
 # 2) name
-# 3) date (human-readable)
+# 3) date (human-readable) or empty
-# 4) converted date (seconds since epoch)
+# 4) converted date (seconds since epoch) or -1
 #
 # Date can be converted on Linux using: date "+%s" --date=2020-01-01
+# Seconds since epoch can be verified using: date -d @1467324000 +'%Y-%m-%d'
+#
+# Notes:
+# For rolling releases or releases that do not (currently have an EOL date, leave field three empty and set field four to -1.
+# Full string for CentOS can be something like 'CentOS Linux 8 (Core)'. As this does not correctly match, shorter string is used for matching.
+#
+# Alpine - https://wiki.alpinelinux.org/wiki/Alpine_Linux:Releases
+#
+os:Alpine 3.12:2022-05-01:1651377600
+os:Alpine 3.11:2021-11-01:1635739200
+os:Alpine 3.10:2021-05-01:1619841600
+os:Alpine 3.9:2020-11-01:1604203200
+os:Alpine 3.8:2020-05-01:1588305600
 #
 # Amazon Linux
 #
-os:Amazon Linux:2020-06-30:1593468000:
+# Note: shortest entry is listed at end due to regular expression matching being used
 os:Amazon Linux 2:2023-06-26:1687730400:
+os:Amazon Linux:2020-06-30:1593468000:
 #
 # Arch Linux
 #
-os:Arch Linux:2286-11-20:9999999999:
+os:Arch Linux::-1:
 #
 # CentOS
 #
 os:CentOS release 5:2017-03-31:1490911200:
 os:CentOS release 6:2020-11-30:1606690800:
-os:CentOS Linux release 7:2024-06-30:1719698400:
+os:CentOS Linux 7:2024-06-30:1719698400:
+os:CentOS Linux 8:2029-05-31:1874872800:
 #
 # Debian - https://wiki.debian.org/DebianReleases#Production_Releases
 #
@@ -33,35 +48,157 @@ os:Debian 8:2020-06-30:1593468000:
 os:Debian 9:2022-01-01:1640991600:
 os:Debian 10:2022-01-01:1640991600:
 #
+# Fedora - https://fedoraproject.org/wiki/End_of_life
+#
+os:Fedora release 25:2017-12-12:1513033200:
+os:Fedora release 26:2018-05-29:1527544800:
+os:Fedora release 27:2018-11-30:1543532400:
+os:Fedora release 28:2019-05-28:1558994400:
+os:Fedora release 29:2019-11-26:1574722800:
+os:Fedora release 30:2020-05-26:1590444000:
+#
 # FreeBSD - https://www.freebsd.org/security/unsupported.html
 #
-os:FreeBSD 9.3:2014-12-31:0:
+os:FreeBSD 9.3:2014-12-31:1419980400:
-os:FreeBSD 10.0:2015-02-28:0:
+os:FreeBSD 10.0:2015-02-28:1425078000:
-os:FreeBSD 10.1:2016-12-31:0:
+os:FreeBSD 10.1:2016-12-31:1483138800:
-os:FreeBSD 10.2:2016-12-31:0:
+os:FreeBSD 10.2:2016-12-31:1483138800:
-os:FreeBSD 10.3:2018-04-30:0:
+os:FreeBSD 10.3:2018-04-30:1525039200:
-os:FreeBSD 10.4:2018-10-31:0:
+os:FreeBSD 10.4:2018-10-31:1540940400:
-os:FreeBSD 11.0:2017-11-30:0:
+os:FreeBSD 11.0:2017-11-30:1511996400:
-os:FreeBSD 11.1:2018-09-30:0:
+os:FreeBSD 11.1:2018-09-30:1538258400:
+os:FreeBSD 11.2:2019-10-31:1572476400:
+os:FreeBSD 12.0:2020-02-29:1582930800:
+#
+# Linux Mint
+#
+os:Linux Mint 18:2021-04-01:1617228000:
+os:Linux Mint 19:2023-04-01:1680300000:
+os:Linux Mint 20:2025-04-01:1743458400:
+#
+# macOS - https://support.apple.com/en_US/downloads/macos and
+#         https://apple.stackexchange.com/a/282788 and
+#         https://en.wikipedia.org/wiki/Category:MacOS_versions
+#
+os:Mac OS X 10.0 \(Cheetah\):2002-09-18:1032300000:
+os:Mac OS X 10.1 \(Puma\):2003-11-10:1068418800:
+os:Mac OS X 10.2 \(Jaguar\):2005-05-16:1116194400:
+os:Mac OS X 10.3 \(Panther\):2007-11-15:1195081200:
+os:Mac OS X 10.4 \(Tiger\):2009-09-10:1252533600:
+os:Mac OS X 10.5 \(Leopard\):2011-06-23:1308780000:
+os:Mac OS X 10.6 \(Snow Leopard\):2013-12-16:1387148400:
+os:Mac OS X 10.7 \(Lion\):2014-11-17:1416178800:
+os:Mac OS X 10.8 \(Mountain Lion\):2015-10-21:1445378400:
+os:Mac OS X 10.9 \(Mavericks\):2016-10-24:1477260000:
+os:Mac OS X 10.10 \(Yosemite\):2017-10-31:1509404400:
+os:Mac OS X 10.11 \(El Capitan\):2018-10-30:1540854000:
+os:macOS Sierra \(10.12\):2016-10-24:1477260000:
+os:macOS Sierra \(10.12.1\):2016-12-13:1481583600:
+os:macOS Sierra \(10.12.2\):2017-01-23:1485126000:
+os:macOS Sierra \(10.12.3\):2017-03-27:1490565600:
+os:macOS Sierra \(10.12.4\):2017-05-15:1494799200:
+os:macOS Sierra \(10.12.5\):2017-07-19:1500415200:
+os:macOS Sierra \(10.12.6\):2019-10-29:1572303600:
+os:macOS High Sierra \(10.13\):2017-10-31:1509404400:
+os:macOS High Sierra \(10.13.1\):2017-12-06:1512514800:
+os:macOS High Sierra \(10.13.2\):2018-01-23:1516662000:
+os:macOS High Sierra \(10.13.3\):2018-03-29:1522274400:
+os:macOS High Sierra \(10.13.4\):2018-06-01:1527804000:
+os:macOS High Sierra \(10.13.5\):2018-07-09:1531087200:
+os:macOS High Sierra \(10.13.6\)::-1:
+os:macOS Mojave \(10.14\):2018-10-30:1540854000:
+os:macOS Mojave \(10.14.1\):2018-12-05:1543964400:
+os:macOS Mojave \(10.14.2\):2019-01-22:1548111600:
+os:macOS Mojave \(10.14.3\):2019-03-25:1553468400:
+os:macOS Mojave \(10.14.4\):2019-05-13:1557698400:
+os:macOS Mojave \(10.14.5\):2019-07-22:1563746400:
+os:macOS Mojave \(10.14.6\)::-1:
+os:macOS Catalina \(10.15\):2019-10-29:1572303600:
+os:macOS Catalina \(10.15.1\):2019-12-10:1575932400:
+os:macOS Catalina \(10.15.2\):2020-01-28:1580166000:
+os:macOS Catalina \(10.15.3\):2020-03-24:1585004400:
+os:macOS Catalina \(10.15.4\):2020-05-26:1590444000:
+os:macOS Catalina \(10.15.5\):2020-07-15:1594764000:
+os:macOS Catalina \(10.15.6\):2020-09-24:1600898400:
+os:macOS Catalina \(10.15.7\)::-1:
+#
+# Mageia - https://www.mageia.org/en/support/
+#
+os:Mageia 1:2012-12-01:1354316400
+os:Mageia 2:2013-11-22:1385074800
+os:Mageia 3:2014-11-26:1416956400
+os:Mageia 4:2015-09-19:1442613600
+os:Mageia 5:2017-12-31:1514674800
+os:Mageia 6:2019-09-30:1569794400
+os:Mageia 7:2020-12-30:1609282800
+#
+# NetBSD - https://www.netbsd.org/support/security/release.html and
+#          https://www.netbsd.org/releases/formal.html
+#
+os:NetBSD 2.0:2008-01-19:1200697200:
+os:NetBSD 2.0.1:2008-01-19:1200697200:
+os:NetBSD 2.0.2:2008-01-19:1200697200:
+os:NetBSD 2.0.3:2008-01-19:1200697200:
+os:NetBSD 2.1:2008-01-19:1200697200:
+os:NetBSD 3.0:2009-09-29:1254175200:
+os:NetBSD 3.0.1:2009-09-29:1254175200:
+os:NetBSD 3.0.2:2009-09-29:1254175200:
+os:NetBSD 3.1:2009-09-29:1254175200:
+os:NetBSD 4.0:2012-11-17:1353106800:
+os:NetBSD 4.0.1:2012-11-17:1353106800:
+os:NetBSD 5.0:2015-11-17:1447714800:
+os:NetBSD 5.0.1:2015-10-17:1445032800:
+os:NetBSD 5.0.2:2015-10-17:1445032800:
+os:NetBSD 5.1:2015-10-17:1445032800:
+os:NetBSD 5.1.1:2015-10-17:1445032800:
+os:NetBSD 5.1.2:2015-10-17:1445032800:
+os:NetBSD 5.1.3:2015-10-17:1445032800:
+os:NetBSD 5.1.4:2015-10-17:1445032800:
+os:NetBSD 5.1.5:2015-10-17:1445032800:
+os:NetBSD 5.2.1:2015-10-17:1445032800:
+os:NetBSD 5.2.2:2015-10-17:1445032800:
+os:NetBSD 5.2.3:2015-10-17:1445032800:
+os:NetBSD 6.0:2017-09-17:1505599200:
+os:NetBSD 6.0.1:2017-09-17:1505599200:
+os:NetBSD 6.0.2:2017-09-17:1505599200:
+os:NetBSD 6.0.3:2017-09-17:1505599200:
+os:NetBSD 6.0.4:2017-09-17:1505599200:
+os:NetBSD 6.0.5:2017-09-17:1505599200:
+os:NetBSD 6.1:2017-09-17:1505599200:
+os:NetBSD 6.1.1:2017-09-17:1505599200:
+os:NetBSD 6.1.2:2017-09-17:1505599200:
+os:NetBSD 6.1.3:2017-09-17:1505599200:
+os:NetBSD 6.1.4:2017-09-17:1505599200:
+os:NetBSD 6.1.5:2017-09-17:1505599200:
+os:NetBSD 7.0:2020-03-14:1584162000:
+os:NetBSD 7.0.1:2020-03-14:1584162000:
+os:NetBSD 7.0.2:2020-03-14:1584162000:
+os:NetBSD 7.1:2020-03-14:1584162000:
+os:NetBSD 7.1.1:2020-03-14:1584162000:
+os:NetBSD 7.1.1:2020-03-14:1584162000:
+os:NetBSD 7.2:2020-03-14:1584162000:
+os:NetBSD 8.0::-1:
+os:NetBSD 8.1::-1:
+os:NetBSD 9.0::-1:
 #
 # OpenBSD - https://en.wikipedia.org/wiki/OpenBSD_version_history
 #
-os:OpenBSD 5.8:2016-09-01:0:
+os:OpenBSD 5.8:2016-09-01:1472680800:
-os:OpenBSD 5.9:2017-04-11:0:
+os:OpenBSD 5.9:2017-04-11:1491861600:
+os:OpenBSD 6.0:2017-09-10:1505001600:
+os:OpenBSD 6.1:2018-04-15:1523750400:
+os:OpenBSD 6.2:2018-10-18:1539820800:
+os:OpenBSD 6.3:2019-05-03:1556841600:
+os:OpenBSD 6.4:2019-10-17:1571270400:
+os:OpenBSD 6.5:2020-05-19:1589846400:
+os:OpenBSD 6.6:2020-10-01:1601510400:
+os:OpenBSD 6.7:2021-05-01:1619827200:
 #
-# Ubuntu - https://wiki.ubuntu.com/Kernel/LTSEnablementStack
+# Red Hat Enterprise Linux - https://access.redhat.com/labs/plcc/
 #
-os:Ubuntu 14.04:2019-05-01:1556661600:
+os:Red Hat Enterprise Linux Server release 6:2020-11-30:1606690800:
-os:Ubuntu 14.10:2015-07-01:0:
+os:Red Hat Enterprise Linux 7:2024-06-30:1719698400:
-os:Ubuntu 15.04:2016-01-01:0:
+os:Red Hat Enterprise Linux 8:2029-05-07:1872799200:
-os:Ubuntu 15.10:2016-07-01:0:
-os:Ubuntu 16.04:2021-05-01:1619820000:
-os:Ubuntu 16.10:2017-07-01:1498860000:
-os:Ubuntu 17.04:2018-01-01:1514761200:
-os:Ubuntu 17.10:2018-07-01:1530396000:
-os:Ubuntu 18.04:2023-05-01:1682892000:
-os:Ubuntu 18.10:2019-07-18:1563400800:
-os:Ubuntu 19.04:2020-01-01:1577833200:
 #
 # Slackware - https://en.wikipedia.org/wiki/Slackware#Releases
 #
@@ -78,3 +215,42 @@ os:Slackware Linux 12.2:2013-12-09:1386540000:
 os:Slackware Linux 13.0:2018-07-05:1530738000:
 os:Slackware Linux 13.1:2018-07-05:1530738000:
 os:Slackware Linux 13.37:2018-07-05:1530738000:
+#
+# SuSE - https://www.suse.com/lifecycle/
+#
+os:SUSE Linux Enterprise Server 12:2024-10-31:1730329200:
+os:SUSE Linux Enterprise Server 15:2028-07-31:1848607200:
+#
+# Ubuntu - https://wiki.ubuntu.com/Kernel/LTSEnablementStack and
+#          https://wiki.ubuntu.com/Releases
+#
+os:Ubuntu 14.04:2019-05-01:1556661600:
+os:Ubuntu 14.10:2015-07-01:1435701600:
+os:Ubuntu 15.04:2016-01-01:1451602800:
+os:Ubuntu 15.10:2016-07-01:1467324000:
+os:Ubuntu 16.04:2021-05-01:1619820000:
+os:Ubuntu 16.10:2017-07-01:1498860000:
+os:Ubuntu 17.04:2018-01-01:1514761200:
+os:Ubuntu 17.10:2018-07-01:1530396000:
+os:Ubuntu 18.04:2023-05-01:1682892000:
+os:Ubuntu 18.10:2019-07-18:1563400800:
+os:Ubuntu 19.04:2020-01-01:1577833200:
+os:Ubuntu 20.04:2025-04-01:1743458400:
+#
+# OmniosCE - https://omniosce.org/releasenotes.html
+#
+os:OmniOS Community Edition v11 r151022:2020-05-11:1589148000:
+os:OmniOS Community Edition v11 r151024:2018-11-04:1541286000:
+os:OmniOS Community Edition v11 r151026:2019-05-05:1557007200:
+os:OmniOS Community Edition v11 r151028:2019-11-04:1572822000:
+os:OmniOS Community Edition v11 r151030::-1:
+os:OmniOS Community Edition v11 r151032:2020-11-03:1604358000:
+os:OmniOS Community Edition v11 r151034::-1:
+#
+## Oracle Solaris - https://www.oracle.com/us/support/library/lifetime-support-hardware-301321.pdf (p. 34)
+#                   The list below contains Premier Support End only
+#
+os:Oracle Solaris 11.3:2021-01-01:1609455600:
+os:Oracle Solaris 11.4:2031-11-01:1951254000:
+#
+# EOF

db/tests.db

@@ -22,6 +22,8 @@ AUTH-9218:test:security:authentication:FreeBSD:Check harmful login shells:
 AUTH-9222:test:security:authentication::Check for non unique groups:
 AUTH-9226:test:security:authentication::Check non unique group names:
 AUTH-9228:test:security:authentication::Check password file consistency with pwck:
+AUTH-9229:test:security:authentication::Check password hashing methods:
+AUTH-9230:test:security:authentication::Check group password hashing rounds:
 AUTH-9234:test:security:authentication::Query user accounts:
 AUTH-9240:test:security:authentication::Query NIS+ authentication support:
 AUTH-9242:test:security:authentication::Query NIS authentication support:
@@ -35,6 +37,7 @@ AUTH-9268:test:security:authentication::Checking presence pam.d files:
 AUTH-9278:test:security:authentication::Checking LDAP pam status:
 AUTH-9282:test:security:authentication::Checking password protected account without expire date:
 AUTH-9283:test:security:authentication::Checking accounts without password:
+AUTH-9284:test:security:authentication::Checking locked user accounts in /etc/passwd:
 AUTH-9286:test:security:authentication::Checking user password aging:
 AUTH-9288:test:security:authentication::Checking for expired passwords:
 AUTH-9304:test:security:authentication:Solaris:Check single user login configuration:
@@ -47,7 +50,6 @@ AUTH-9406:test:security:authentication::Query LDAP servers in client configurati
 AUTH-9408:test:security:authentication::Logging of failed login attempts via /etc/login.defs:
 AUTH-9409:test:security:authentication:OpenBSD:Check for doas file:
 AUTH-9410:test:security:authentication:OpenBSD:Check for doas file permissions:
-AUTH-9489:test:security:authentication:DragonFly:Check login shells for passwordless accounts:
 BANN-7113:test:security:banners:FreeBSD:Check COPYRIGHT banner file:
 BANN-7124:test:security:banners::Check issue banner file:
 BANN-7126:test:security:banners::Check issue banner file contents:
@@ -57,6 +59,7 @@ BOOT-5102:test:security:boot_services:AIX:Check for AIX boot device:
 BOOT-5104:test:security:boot_services::Determine service manager:
 BOOT-5106:test:security:boot_services:MacOS:Check EFI boot file on macOS:
 BOOT-5108:test:security:boot_services:Linux:Test Syslinux boot loader:
+BOOT-5109:test:security:boot_services:Linux:Test rEFInd boot loader:
 BOOT-5116:test:security:boot_services::Check if system is booted in UEFI mode:
 BOOT-5117:test:security:boot_services:Linux:Check for systemd-boot boot loader:
 BOOT-5121:test:security:boot_services::Check for GRUB boot loader presence:
@@ -68,14 +71,16 @@ BOOT-5142:test:security:boot_services::Check SPARC Improved boot loader (SILO):
 BOOT-5155:test:security:boot_services::Check for YABOOT boot loader configuration file:
 BOOT-5159:test:security:boot_services:OpenBSD:Check for OpenBSD boot loader presence:
 BOOT-5165:test:security:boot_services:FreeBSD:Check for FreeBSD boot services:
+BOOT-5170:test:security:boot_services:Solaris:Check for Solaris boot daemons:
 BOOT-5177:test:security:boot_services:Linux:Check for Linux boot and running services:
 BOOT-5180:test:security:boot_services:Linux:Check for Linux boot services (Debian style):
-BOOT-5184:test:security:boot_services:Linux:Check permissions for boot files/scripts:
+BOOT-5184:test:security:boot_services::Check permissions for boot files/scripts:
 BOOT-5202:test:security:boot_services::Check uptime of system:
 BOOT-5260:test:security:boot_services::Check single user mode for systemd:
 BOOT-5261:test:security:boot_services:DragonFly:Check for DragonFly boot loader presence:
 BOOT-5262:test:security:boot_services:OpenBSD:Check for OpenBSD boot daemons:
 BOOT-5263:test:security:boot_services:OpenBSD:Check permissions for boot files/scripts:
+BOOT-5264:test:security:boot_services:Linux:Run systemd-analyze security:
 CONT-8004:test:security:containers:Solaris:Query running Solaris zones:
 CONT-8102:test:security:containers::Checking Docker status and information:
 CONT-8104:test:security:containers::Checking Docker info for any warnings:
@@ -85,7 +90,10 @@ CONT-8108:test:security:containers::Check file permissions for Docker files:
 CORE-1000:test:performance:system_integrity::Check all system binaries:
 CRYP-7902:test:security:crypto::Check expire date of SSL certificates:
 CRYP-7930:test:security:crypto:Linux:Determine if system uses LUKS encryption:
+CRYP-7931:test:security:crypto:Linux:Determine if system uses encrypted swap:
 CRYP-8002:test:security:crypto:Linux:Gather kernel entropy:
+CRYP-8004:test:security:crypto:Linux:Presence of hardware random number generators:
+CRYP-8005:test:security:crypto:Linux:Presence of software pseudo random number generators:
 DNS-1600:test:security:dns::Validating that the DNSSEC signatures are checked:
 DBS-1804:test:security:databases::Checking active MySQL process:
 DBS-1816:test:security:databases::Checking MySQL root password:
@@ -116,6 +124,7 @@ FILE-6368:test:security:filesystems:Linux:Checking ACL support on root file syst
 FILE-6372:test:security:filesystems:Linux:Checking / mount options:
 FILE-6374:test:security:filesystems:Linux:Linux mount options:
 FILE-6376:test:security:filesystems:Linux:Determine if /var/tmp is bound to /tmp:
+FILE-6394:test:performance:filesystems:Linux:Test swappiness of virtual memory:
 FILE-6410:test:security:filesystems::Checking Locate database:
 FILE-6430:test:security:filesystems::Disable mounting of some filesystems:
 FILE-6439:test:security:filesystems:DragonFly:Checking HAMMER PFS mounts:
@@ -132,6 +141,9 @@ FINT-4330:test:security:file_integrity::mtree availability:
 FINT-4334:test:security:file_integrity::Check lfd daemon status:
 FINT-4336:test:security:file_integrity::Check lfd configuration status:
 FINT-4338:test:security:file_integrity::osqueryd syscheck daemon running:
+FINT-4339:test:security:file_integrity:Linux:Check IMA/EVM Status
+FINT-4340:test:security:file_integrity:Linux:Check dm-integrity status
+FINT-4341:test:security:file_integrity:Linux:Check dm-verity status
 FINT-4350:test:security:file_integrity::File integrity software installed:
 FINT-4402:test:security:file_integrity::Checksums (SHA256 or SHA512):
 FIRE-4502:test:security:firewalls:Linux:Check iptables kernel module:
@@ -218,6 +230,7 @@ LOGG-2146:test:security:logging::Checking logrotate.conf and logrotate.d:
 LOGG-2148:test:security:logging::Checking logrotated files:
 LOGG-2150:test:security:logging::Checking directories in logrotate configuration:
 LOGG-2152:test:security:logging::Checking loghost:
+LOGG-2153:test:security:logging::Checking loghost is not localhost:
 LOGG-2154:test:security:logging::Checking syslog configuration file:
 LOGG-2160:test:security:logging::Checking /etc/newsyslog.conf:
 LOGG-2162:test:security:logging::Checking directories in /etc/newsyslog.conf:
@@ -271,16 +284,18 @@ NAME-4210:test:security:nameservices::Check DNS banner:
 NAME-4230:test:security:nameservices::Check PowerDNS status:
 NAME-4232:test:security:nameservices::Search PowerDNS configuration file:
 NAME-4236:test:security:nameservices::Check PowerDNS backends:
-NAME-4238:test:security:nameservices::Check PowerDNS authoritive status:
+NAME-4238:test:security:nameservices::Check PowerDNS authoritative status:
 NAME-4304:test:security:nameservices::Check NIS ypbind status:
 NAME-4306:test:security:nameservices::Check NIS domain:
 NAME-4402:test:security:nameservices::Check duplicate line in /etc/hosts:
 NAME-4404:test:security:nameservices::Check /etc/hosts contains an entry for this server name:
 NAME-4406:test:security:nameservices::Check server hostname mapping:
 NAME-4408:test:security:nameservices::Check localhost to IP mapping:
+NETW-2400:test:basics:networking::Test hostname for valid characters and length:
 NETW-2600:test:security:networking:Linux:Checking IPv6 configuration:
 NETW-2704:test:security:networking::Basic nameserver configuration tests:
 NETW-2705:test:security:networking::Check availability two nameservers:
+NETW-2706:test:security:networking::Check DNSSEC status:
 NETW-3001:test:security:networking::Find default gateway (route):
 NETW-3004:test:security:networking::Search available network interfaces:
 NETW-3006:test:security:networking::Get network MAC addresses:
@@ -300,6 +315,7 @@ PHP-2374:test:security:php::Check PHP enable_dl option:
 PHP-2376:test:security:php::Check PHP allow_url_fopen option:
 PHP-2378:test:security:php::Check PHP allow_url_include option:
 PHP-2379:test:security:php::Check PHP suhosin extension status:
+PHP-2382:test:security:php::Check PHP listen option:
 PKGS-7301:test:security:ports_packages::Query NetBSD pkg:
 PKGS-7302:test:security:ports_packages::Query FreeBSD/NetBSD pkg_info:
 PKGS-7303:test:security:ports_packages::Query brew package manager:
@@ -403,11 +419,16 @@ TIME-3136:test:security:time:Linux:Check NTP protocol version:
 TIME-3148:test:performance:time:Linux:Check TZ variable:
 TIME-3160:test:security:time:Linux:Check empty NTP step-tickers:
 TIME-3170:test:security:time::Check configuration files:
+TIME-3180:test:security:time::Report if ntpctl cannot communicate with OpenNTPD:
+TIME-3181:test:security:time::Check status of OpenNTPD time synchronisation
+TIME-3182:test:security:time::Check OpenNTPD has working peers
+TIME-3185:test:security:time::Check systemd-timesyncd synchronized time
 TOOL-5002:test:security:tooling::Checking for automation tools:
 TOOL-5102:test:security:tooling::Check for presence of Fail2ban:
 TOOL-5104:test:security:tooling::Enabled tests for Fail2ban:
 TOOL-5120:test:security:tooling::Presence of Snort IDS:
 TOOL-5122:test:security:tooling::Snort IDS configuration file:
+TOOL-5130:test:security:tooling::Check for active Suricata daemon:
 TOOL-5160:test:security:tooling::Check for active OSSEC daemon:
 TOOL-5190:test:security:tooling::Check presence of available IDS/IPS tooling:
 USB-1000:test:security:storage:Linux:Check if USB storage is disabled:

default.prf

@@ -93,8 +93,9 @@ skip-plugins=no
 #skip-upgrade-test=yes
 
 # Locations where to search for SSL certificates (separate paths with a colon)
-ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/var/www:/srv/www
+ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/refind.d/keys:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/usr/share/ca-certificates:/usr/share/gnupg:/var/www:/srv/www
 ssl-certificate-paths-to-ignore=/etc/letsencrypt/archive:
+ssl-certificate-include-packages=no
 
 # Scan type - how deep the audit should be (light, normal or full)
 test-scan-mode=full
@@ -151,7 +152,7 @@ plugin=users
 #
 # Kernel options
 # ---------------
-# configdate=, followed by:
+# config-data=, followed by:
 #
 # - Type                     = Set to 'sysctl'
 # - Setting                  = value of sysctl key (e.g. kernel.sysrq)
@@ -302,6 +303,11 @@ permfile=/etc/motd:rw-r--r--:root:root:WARN:
 permfile=/etc/passwd:rw-r--r--:root:-:WARN:
 permfile=/etc/passwd-:rw-r--r--:root:-:WARN:
 permfile=/etc/ssh/sshd_config:rw-------:root:-:WARN:
+permfile=/etc/hosts.equiv:rw-r--r--:root:root:WARN:
+permfile=/etc/shosts.equiv:rw-r--r--:root:root:WARN:
+permfile=/root/.rhosts:rw-------:root:root:WARN:
+permfile=/root/.rlogin:rw-------:root:root:WARN:
+permfile=/root/.shosts:rw-------:root:root:WARN:
 
 # These permissions differ by OS
 #permfile=/etc/gshadow:---------:root:-:WARN:

extras/bash_completion.d/lynis

@@ -126,7 +126,7 @@ _lynis()
         report)
             return 0
             ;;
-        settiings)
+        settings)
             return 0
             ;;
         tests)
@@ -179,7 +179,7 @@ _lynis()
         *)
             COMPREPLY=( $( compgen -W ' \
                 --auditor --cronjob --debug --quick --quiet --logfile --no-colors --no-log --pentest --reverse-colors \
-                --tests --tests-from-category --tests-from-group --upload --verbose' -- "$cur" ) )
+                --tests --tests-from-category --tests-from-group --upload --verbose --slow-warning' -- "$cur" ) )
             ;;
     esac
 

include/binaries

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -30,7 +30,7 @@
 #################################################################################
 #
     if [ ${CHECK_BINARIES} -eq 1 ]; then
-        InsertSection "System Tools"
+        InsertSection "${SECTION_SYSTEM_TOOLS}"
         Display --indent 2 --text "- Scanning available tools..."
         LogText "Start scanning for available audit binaries and tools..."
 
@@ -74,6 +74,10 @@
             fi
         done
 
+        NSUID_BINARIES=0
+        NSGID_BINARIES=0
+        SUID_BINARIES=
+        SGID_BINARIES=
         # Now perform binary detection
         for SCANDIR in ${BIN_PATHS}; do
             SCANDIR=$(echo "${SCANDIR}" | sed 's/!!space!!/ /g')
@@ -115,6 +119,14 @@
                         COUNT=$((COUNT + 1))
                         BINARY="${SCANDIR}/${FILENAME}"
                         DISCOVERED_BINARIES="${DISCOVERED_BINARIES}${BINARY} "
+                        if [ -u "${BINARY}" ]; then
+                            NSUID_BINARIES=$((NSUID_BINARIES + 1))
+                            SUID_BINARIES="${SUID_BINARIES}${BINARY} "
+                        fi
+                        if [ -g "${BINARY}" ]; then
+                            NSGID_BINARIES=$((NSGID_BINARIES + 1))
+                            SGID_BINARIES="${SGID_BINARIES}${BINARY} "
+                        fi
                         # Optimized, much quicker (limited file access needed)
                         case ${FILENAME} in
                             aa-status)              AASTATUSBINARY=${BINARY};          LogText "  Found known binary: aa-status (apparmor component) - ${BINARY}" ;;
@@ -154,8 +166,10 @@
                             docker)                 DOCKERBINARY="${BINARY}";          LogText "  Found known binary: docker (container technology) - ${BINARY}" ;;
                             domainname)             DOMAINNAMEBINARY="${BINARY}";      LogText "  Found known binary: domainname (NIS domain) - ${BINARY}" ;;
                             dpkg)                   DPKGBINARY="${BINARY}";            LogText "  Found known binary: dpkg (package management) - ${BINARY}" ;;
+                            xbps-query)             XBPSBINARY="${BINARY}";            LogText "  Found known binary: xbps (package management) - ${BINARY}" ;;
                             egrep)                  EGREPBINARY=${BINARY};             LogText "  Found known binary: egrep (text search) - ${BINARY}" ;;
                             equery)                 EQUERYBINARY="${BINARY}";          LogText "  Found known binary: query (package manager) - ${BINARY}" ;;
+                            evmctl)                 EVMCTLBINARY=${BINARY};            LogText "  Found known binary: evmctl (IMA/EVM tool) - ${BINARY}" ;;
                             exim)                   EXIMBINARY="${BINARY}";            EXIMVERSION=$(${BINARY} -bV | grep 'Exim version' | awk '{ print $3 }' | xargs); LogText "  Found known binary ${BINARY} (version ${EXIMVERSION})" ;;
                             fail2ban-server)        FAIL2BANBINARY="${BINARY}";        LogText "  Found known binary: fail2ban (IPS tool) - ${BINARY}" ;;
                             file)                   FILEBINARY="${BINARY}";            LogText "  Found known binary: file (file type detection) - ${BINARY}" ;;
@@ -174,6 +188,7 @@
                             httpd2-prefork)         HTTPDBINARY=${BINARY};             LogText "  Found known binary: apache2 (web server) - ${BINARY}" ;;
                             initctl)                INITCTLBINARY=${BINARY};           SERVICE_MANAGER="upstart";  LogText "  Found known binary: initctl (client to upstart init) - ${BINARY}" ;;
                             ifconfig)               IFCONFIGBINARY="${BINARY}";        LogText "  Found known binary: ipconfig (IP configuration) - ${BINARY}" ;;
+                            integritysetup)         INTEGRITYSETUPBINARY="${BINARY}";  LogText "  Found known binary: integritysetup (dm-integrity setup tool) - ${BINARY}" ;;
                             ip)                     IPBINARY="${BINARY}";              LogText "  Found known binary: ip (IP configuration) - ${BINARY}" ;;
                             ipf)                    IPFBINARY="${BINARY}";             LogText "  Found known binary: ipf (firewall) - ${BINARY}" ;;
                             iptables)               IPTABLESBINARY="${BINARY}";        LogText "  Found known binary: iptables (firewall) - ${BINARY}" ;;
@@ -204,6 +219,7 @@
                             maldet)                 LMDBINARY="${BINARY}";             MALWARE_SCANNER_INSTALLED=1;           LogText "  Found known binary: maldet (Linux Malware Detect, malware scanner) - ${BINARY}" ;;
                             md5)                    MD5BINARY="${BINARY}";             LogText "  Found known binary: md5 (hash tool) - ${BINARY}" ;;
                             md5sum)                 MD5BINARY="${BINARY}";             LogText "  Found known binary: md5sum (hash tool) - ${BINARY}" ;;
+                            mdatp)                  MDATPBINARY="${BINARY}";           MALWARE_SCANNER_INSTALLED=1;           LogText "  Found known binary: mdatp (Microsoft Defender ATP, malware scanner) - ${BINARY}" ;;
                             modprobe)               MODPROBEBINARY="${BINARY}";        LogText "  Found known binary: modprobe (kernel modules) - ${BINARY}" ;;
                             mount)                  MOUNTBINARY="${BINARY}";           LogText "  Found known binary: mount (disk utility) - ${BINARY}" ;;
                             mtree)                  MTREEBINARY="${BINARY}";           LogText "  Found known binary: mtree (mapping directory tree) - ${BINARY}" ;;
@@ -212,15 +228,22 @@
                             netstat)                NETSTATBINARY="${BINARY}";         LogText "  Found known binary: netstat (network statistics) - ${BINARY}" ;;
                             nft)                    NFTBINARY="${BINARY}";             LogText "  Found known binary: nft (nftables client) - ${BINARY}" ;;
                             nmap)                   NMAPBINARY="${BINARY}";            NMAPVERSION=$(${BINARY} -V | grep "^Nmap version" | awk '{ print $3 }'); LogText "Found ${BINARY} (version ${NMAPVERSION})" ;;
+                            ntpctl)                 NTPCTLBINARY="${BINARY}";                LogText "  Found known binary: ntpctl (openntpd client) - ${BINARY}" ;;
                             ntpq)                   NTPQBINARY="${BINARY}";            LogText "  Found known binary ntpq (time daemon client) - ${BINARY}" ;;
                             osiris)                 OSIRISBINARY="${BINARY}";          LogText "  Found known binary: osiris - ${BINARY}" ;;
                             openssl)                OPENSSLBINARY="${BINARY}";         OPENSSLVERSION=$(${BINARY} version 2> /dev/null | head -n 1 | awk '{ print $2 }' | xargs); LogText "Found ${BINARY} (version ${OPENSSLVERSION})" ;;
-                            pacman)                 PACMANBINARY="${BINARY}";          LogText "  Found known binary: pacman (package manager) - ${BINARY}" ;;
+                            pacman)
+                                if [ -z "$(echo "${BINARY}" | grep -E "/usr(/local)?/games")" ]; then
+                                    PACMANBINARY="${BINARY}"
+                                    LogText "  Found known binary: pacman (package manager) - ${BINARY}"
+                                fi
+                            ;;
                             perl)                   PERLBINARY="${BINARY}";            PERLVERSION=$(${BINARY} -V:version | sed 's/^version=//' | sed 's/;//' | xargs); LogText "Found ${BINARY} (version ${PERLVERSION})" ;;
                             pgrep)                  PGREPBINARY="${BINARY}";           LogText "  Found known binary: pgrep (search in process list) - ${BINARY}" ;;
                             php)                    PHPBINARY="${BINARY}";             PHPVERSION=$(${BINARY} -v | awk '{ if ($1=="PHP") { print $2 }}' | head -1); LogText "Found known binary: php (programming language interpreter) - ${BINARY} (version ${PHPVERSION})" ;;
                             pkg)                    PKG_BINARY="${BINARY}";            LogText "  Found known binary: pkg (software package administration) - ${BINARY}" ;;
                             pkg_admin)              PKGADMINBINARY="${BINARY}";        LogText "  Found known binary: pkg_admin (software package administration) - ${BINARY}" ;;
+                            pkg_info)               PKGINFOBINARY="${BINARY}";         LogText "  Found known binary: pkg_info (software package information) - ${BINARY}" ;;
                             postconf)               POSTCONFBINARY="${BINARY}";        LogText "  Found known binary: postconf (postfix configuration) - ${BINARY}" ;;
                             postfix)                POSTFIXBINARY="${BINARY}";         LogText "  Found known binary: postfix (postfix binary) - ${BINARY}" ;;
                             prelink)                PRELINKBINARY="${BINARY}";         LogText "  Found known binary: prelink (system optimizer) - ${BINARY}" ;;
@@ -233,6 +256,7 @@
                             python3)                PYTHON3BINARY="${BINARY}";         PYTHON3VERSION=$(${BINARY}  --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${FILENAME} (programming language interpreter) - ${BINARY} (version ${PYTHON3VERSION})" ;;
                             rcctl)                  RCCTLBINARY="${BINARY}";           LogText "  Found known binary: rcctl (services and daemons configuration and control) - ${BINARY}" ;;
                             readlink)               READLINKBINARY="${BINARY}";        LogText "  Found known binary: readlink (follows symlinks) - ${BINARY}" ;;
+                            resolvectl)             RESOLVECTLBINARY="${BINARY}";      LogText "  Found known binary: resolvectl (systemd-resolved DNS resolver manager) - ${BINARY}" ;;
                             rkhunter)               RKHUNTERBINARY="${BINARY}";        MALWARE_SCANNER_INSTALLED=1;           LogText "  Found known binary: rkhunter (malware scanner) - ${BINARY}" ;;
                             rootsh)                 ROOTSHBINARY="${BINARY}";          LogText "  Found known binary: rootsh (wrapper for shells) - ${BINARY}" ;;
                             rpcinfo)                RPCINFOBINARY="${BINARY}";         LogText "  Found known binary: rpcinfo (RPC information) - ${BINARY}" ;;
@@ -243,7 +267,8 @@
                             samhain)                SAMHAINBINARY="${BINARY}";         LogText "  Found known binary: samhain (integrity tool) - ${BINARY}" ;;
                             service)                SERVICEBINARY="${BINARY}";         LogText "  Found known binary: service (system services) - ${BINARY}" ;;
                             sed)                    SEDBINARY="${BINARY}";             LogText "  Found known binary: sed (text stream editor) - ${BINARY}" ;;
-                            sestatus)               SESTATUSBINARY="${BINARY}";        LogText "  Found known binary: sestatus (SELinux client) - ${BINARY}" ;;
+                            semanage)               SEMANAGEBINARY="${BINARY}";        LogText "  Found known binary: semanage (SELinux policy management tool) - ${BINARY}" ;;
+                            sestatus)               SESTATUSBINARY="${BINARY}";        LogText "  Found known binary: sestatus (SELinux status tool) - ${BINARY}" ;;
                             slocate)                LOCATEBINARY="${BINARY}";          LogText "  Found known binary: slocate (file database) - ${BINARY}" ;;
                             smbd)                   SMBDBINARY="${BINARY}";            if [ "${OS}" = "macOS" ]; then SMBDVERSION="unknown"; else SMBDVERSION=$(${BINARY} -V | grep "^Version" | awk '{ print $2 }'); fi; LogText "Found ${BINARY} (version ${SMBDVERSION})" ;;
                             smtpctl)                SMTPCTLBINARY="${BINARY}";         LogText "  Found known binary: smtpctl (OpenSMTPD client) - ${BINARY}" ;;
@@ -260,19 +285,25 @@
                             sha256|sha256sum)       SHA256SUMBINARY="${BINARY}";       LogText "  Found known binary: sha256/sha256sum (crypto hashing) - ${BINARY}" ;;
                             ssh-keyscan)            SSHKEYSCANBINARY="${BINARY}";      LogText "  Found known binary: ssh-keyscan (scanner for SSH keys) - ${BINARY}" ;;
                             suricata)               SURICATABINARY="${BINARY}";        LogText "  Found known binary: suricata (IDS) - ${BINARY}" ;;
+                            swapon)                 SWAPONBINARY="${BINARY}";          LogText "  Found known binary: swapon (swap device tool) - ${BINARY}" ;;
+                            svcs)                   SVCSBINARY="${BINARY}" ;           LogText "  Found known binary: svcs (service manager) - ${BINARY}" ;;
                             swupd)                  SWUPDBINARY="${BINARY}";           LogText "  Found known binary: swupd (package manager) - ${BINARY}" ;;
+                            synoavd)                SYNOAVDBINARY=${BINARY};           LogText "  Found known binary: synoavd (Synology AV scanner) - ${BINARY}" ;;
                             sysctl)                 SYSCTLBINARY="${BINARY}";          LogText "  Found known binary: sysctl (kernel parameters) - ${BINARY}" ;;
                             syslog-ng)              SYSLOGNGBINARY="${BINARY}";        SYSLOGNGVERSION=$(${BINARY} -V 2>&1 | grep "^syslog-ng" | awk '{ print $2 }'); LogText "Found ${BINARY} (version ${SYSLOGNGVERSION})" ;;
                             systemctl)              SYSTEMCTLBINARY="${BINARY}";       LogText "  Found known binary: systemctl (client to systemd) - ${BINARY}" ;;
+                            systemd-analyze)        SYSTEMDANALYZEBINARY="${BINARY}";  LogText "  Found known binary: systemd-analyze (systemd service analysis tool) - ${BINARY}" ;;
                             tail)                   TAILBINARY="${BINARY}";            LogText "  Found known binary: tail (text filter) - ${BINARY}" ;;
                             timedatectl)            TIMEDATECTL="${BINARY}";           LogText "  Found known binary: timedatectl (timedate client) - ${BINARY}" ;;
                             tomoyo-init)            TOMOYOINITBINARY=${BINARY};        LogText "  Found known binary: tomoyo-init (tomoyo component) - ${BINARY}" ;;
+                            tomoyo-pstree)          TOMOYOPSTREEBINARY=${BINARY};      LogText "  Found known binary: tomoyo-pstree (tomoyo process tree) - ${BINARY}" ;;
                             tr)                     TRBINARY="${BINARY}";              LogText "  Found known binary: tr (text transformation) - ${BINARY}" ;;
                             tripwire)               TRIPWIREBINARY="${BINARY}";        LogText "  Found known binary: tripwire (file integrity) - ${BINARY}" ;;
                             tune2fs)                TUNE2FSBINARY="${BINARY}";         LogText "  Found known binary: tune2fs (file system tool) - ${BINARY}" ;;
                             uname)                  UNAMEBINARY="${BINARY}";           LogText "  Found known binary: uname (operating system details) - ${BINARY}" ;;
                             uniq)                   UNIQBINARY="${BINARY}";            LogText "  Found known binary: uniq (text manipulation utility) - ${BINARY}";;
                             usbguard)               USBGUARDBINARY="${BINARY}";        LogText "  Found known binary: usbguard (USB security tool) - ${BINARY}" ;;
+                            veritysetup)            VERITYSETUPBINARY="${BINARY}";     LogText "  Found known binary: veritysetup (dm-verity setup tool) - ${BINARY}" ;;
                             vgdisplay)              VGDISPLAYBINARY="${BINARY}";       LogText "  Found known binary: vgdisplay (LVM tool) - ${BINARY}" ;;
                             vmtoolsd)               VMWARETOOLSDBINARY="${BINARY}";    LogText "  Found known binary: vmtoolsd (VMWare tools) - ${BINARY}" ;;
                             wc)                     WCBINARY="${BINARY}";              LogText "  Found known binary: wc (word count) - ${BINARY}" ;;
@@ -296,12 +327,17 @@
         BINARY_SCAN_FINISHED=1
         BINARY_PATHS_FOUND=$(echo ${BINARY_PATHS_FOUND} | sed 's/^, //g' | sed 's/, /,/g')
         LogText "Discovered directories: ${BINARY_PATHS_FOUND}"
-        LogText "Result: found ${COUNT} binaries"
+        LogText "Result: found ${COUNT} binaries including ${NSUID_BINARIES} set-uid and ${NSGID_BINARIES} set-gid"
+        LogText "Result: set-uid binaries: ${SUID_BINARIES}"
+        LogText "Result: set-gid binaries: ${SGID_BINARIES}"
         Report "binaries_count=${COUNT}"
+        Report "binaries_suid_count=${SUID_BINARIES}"
+        Report "binaries_sgid_count=${SGID_BINARIES}"
         Report "binary_paths=${BINARY_PATHS_FOUND}"
 
         # Test if the basic system tools are defined. These will be used during the audit.
         [ "${AWKBINARY:-}" ] || ExitFatal "awk binary not found"
+        [ "${CAT_BINARY:-}" ] || ExitFatal "cat binary not found"
         [ "${CUTBINARY:-}" ] || ExitFatal "cut binary not found"
         [ "${EGREPBINARY:-}" ] || ExitFatal "grep binary not found"
         [ "${FINDBINARY:-}" ] || ExitFatal "find binary not found"

include/consts

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -33,10 +33,6 @@ BIN_PATHS="/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin \
 
 ETC_PATHS="/etc /usr/local/etc"
 
-# Do not use specific language, fall back to default
-# Some tools with translated strings are very hard to parse
-unset LANG
-
 #
 #################################################################################
 #
@@ -62,6 +58,7 @@ unset LANG
     APPLICATION_FIREWALL_ACTIVE=0
     BINARY_SCAN_FINISHED=0
     BLKIDBINARY=""
+    BOOTCTLBINARY=""
     CAT_BINARY=""
     CFAGENTBINARY=""
     CHECK=0
@@ -85,6 +82,7 @@ unset LANG
     CONTROL_URL_PROTOCOL=""
     CONTAINER_TYPE=""
     CREATE_REPORT_FILE=1
+    CRYPTSETUPBINARY=""
     CSUMBINARY=""
     CURRENT_TS=0
     CUSTOM_URL_APPEND=""
@@ -98,16 +96,19 @@ unset LANG
     DEBSUMSBINARY=""
     DEVELOPER_MODE=0
     DEVOPS_MODE=0
+    DIGBINARY=""
     DISABLED_PLUGINS=""
     DISCOVERED_BINARIES=""
     DMIDECODEBINARY=""
     DNFBINARY=""
+    DNSDOMAINNAMEBINARY=""
     DOCKERBINARY=""
     DOCKER_DAEMON_RUNNING=0
     DPKGBINARY=""
     ECHOCMD=""
     ERROR_ON_WARNINGS=0
     EQUERYBINARY=""
+    EVMCTLBINARY=""
     EXIMBINARY=""
     FAIL2BANBINARY=""
     FILEBINARY=""
@@ -124,6 +125,7 @@ unset LANG
     GRSEC_FOUND=0
     GRUBCONFFILE=""
     GRUB2INSTALLBINARY=""
+    HAS_PACKAGE_MANAGER=0
     HAS_SYSTEMD=0
     HEADBINARY=""
     HELPER=""
@@ -132,6 +134,7 @@ unset LANG
     HTTPDBINARY=""
     IDS_IPS_TOOL_FOUND=0
     IFCONFIGBINARY=""
+    INTEGRITYSETUPBINARY=""
     IPBINARY=""
     IPFBINARY=""
     IPTABLESBINARY=""
@@ -148,7 +151,9 @@ unset LANG
     LOCATEBINARY=""
     LOGFILE=""
     LOGDIR=""
+    LOGROTATEBINARY=""
     LOGTEXT=1
+    LSBLKBINARY=""
     LSMODBINARY=""
     LSOFBINARY=""
     LSOF_EXTRA_OPTIONS=""
@@ -192,6 +197,7 @@ unset LANG
     NGINX_RETURN_FOUND=0
     NGINX_ROOT_FOUND=0
     NGINX_WEAK_SSL_PROTOCOL_FOUND=0
+    NTPCTLBINARY=""
     NTPD_ROLE=""
     NTPQBINARY=""
     OPENSSLBINARY=""
@@ -205,6 +211,7 @@ unset LANG
     OS_REDHAT_OR_CLONE=0
     OSIRISBINARY=""
     PACMANBINARY=""
+    PAM_PASSWORD_PWHISTORY_AMOUNT=""
     PASSWORD_MAXIMUM_DAYS=-1
     PASSWORD_MINIMUM_DAYS=-1
     PAM_2F_AUTH_ENABLED=0
@@ -220,6 +227,7 @@ unset LANG
     PGREPBINARY=""
     PIDFILE=""
     PKG_BINARY=""
+    PKGINFOBINARY=""
     PKGADMINBINARY=""
     PLUGINDIR=""
     PLUGIN_PHASE=0
@@ -238,6 +246,7 @@ unset LANG
     REFRESH_REPOSITORIES=1
     REMOTE_LOGGING_ENABLED=0
     RESOLV_DOMAINNAME=""
+    RESOLVECTLBINARY=""
     RKHUNTERBINARY=""
     ROOTDIR="/"
     ROOTSHBINARY=""
@@ -273,16 +282,20 @@ unset LANG
     SKIP_VM_DETECTION=0
     SKIPREASON=""
     SKIPPED_TESTS_ROOTONLY=""
+    SLOW_TEST_THRESHOLD=10
     SMTPCTLBINARY=""
     SNORTBINARY=""
+    SSBINARY=""
     SSHKEYSCANBINARY=""
     SSHKEYSCANFOUND=0
+    SSL_CERTIFICATE_INCLUDE_PACKAGES=0
     SSL_CERTIFICATE_PATHS=""
     SSL_CERTIFICATE_PATHS_TO_IGNORE=""
     STUNNELBINARY=""
     SWUPDBINARY=""
     SYSLOGNGBINARY=""
     SYSTEMCTLBINARY=""
+    SYSTEMDANALYZEBINARY=""
     SYSTEM_IS_NOTEBOOK=255
     TEMP_FILE=""
     TEMP_FILES=""
@@ -292,6 +305,7 @@ unset LANG
     TEST_GROUP_TO_CHECK="all"
     TESTS_EXECUTED=""
     TESTS_SKIPPED=""
+    TIMEDATECTL=""
     TMPFILE=""
     TOMOYOINITBINARY=""
     TOOLTIP_SHOWED=0
@@ -317,11 +331,13 @@ unset LANG
     USBGUARD_ROOT=""
     VALUE=""
     VERBOSE=0
+    VERITYSETUPBINARY=""
     VGDISPLAYBINARY=""
     VMTYPE=""
     VULNERABLE_PACKAGES_FOUND=0
     WCBINARY=""
     XARGSBINARY=""
+    XBPSBINARY=""
     YUMBINARY=""
     ZYPPERBINARY=""
 

include/data_upload

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -77,6 +77,10 @@
         ExitFatal
     else
         Output "License key = ${LICENSE_KEY}"
+        # Create a temporary file to use during upload (prevent license key being displayed in process table)
+        CreateTempFile || ExitFatal
+        LICENSE_KEY_FILE="${TEMP_FILE}"
+        echo "${LICENSE_KEY}" | ${TRBINARY} -cd '[a-f0-9-]' > ${LICENSE_KEY_FILE}
     fi
 
 
@@ -129,8 +133,9 @@
 
         # License check
 
-        LogText "Command used: ${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "collector_version=${PROGRAM_VERSION}" ${LICENSE_SERVER_URL} 2> /dev/null"
+        LogText "Command used: ${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "licensekey@${LICENSE_KEY_FILE}" --data-urlencode "collector_version=${PROGRAM_VERSION}" ${LICENSE_SERVER_URL} 2> /dev/null"
-        UPLOAD=$(${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "collector_version=${PROGRAM_VERSION}" ${LICENSE_SERVER_URL} 2> /dev/null)
+        UPLOAD=$(${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "licensekey@${LICENSE_KEY_FILE}" --data-urlencode "collector_version=${PROGRAM_VERSION}" ${LICENSE_SERVER_URL} 2> /dev/null)
+
         EXITCODE=$?
         LogText "Exit code: ${EXITCODE}"
         if [ ${EXITCODE} -gt 0 ]; then
@@ -225,10 +230,10 @@
             Output "${WHITE}Found hostid: ${HOSTID}${NORMAL}"
             # Try to connect
             Output "Uploading data.."
-            LogText "Command used: ${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode \"data@${REPORTFILE}\" --data-urlencode \"licensekey=${LICENSE_KEY}\" --data-urlencode \"hostid=${HOSTID}\" ${UPLOAD_URL}"
+            LogText "Command used: ${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode \"data@${REPORTFILE}\" --data-urlencode \"licensekey@${LICENSE_KEY_FILE}\" --data-urlencode \"hostid=${HOSTID}\" ${UPLOAD_URL}"
-            LogText "Tip: try running ${CURLBINARY}${CURL_OPTIONS} --data-urlencode \"data@${REPORTFILE}\" --data-urlencode \"licensekey=${LICENSE_KEY}\" --data-urlencode \"hostid=${HOSTID}\" ${UPLOAD_URL}"
+            LogText "Tip: try running ${CURLBINARY}${CURL_OPTIONS} --data-urlencode \"data@${REPORTFILE}\" --data-urlencode \"licensekey@${LICENSE_KEY_FILE}\" --data-urlencode \"hostid=${HOSTID}\" ${UPLOAD_URL}"
             LogText "Tip: to just retry an upload, use: lynis upload-only"
-            UPLOAD=$(${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "data@${REPORTFILE}" --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "hostid=${HOSTID}" --data-urlencode "hostid2=${HOSTID2}" ${UPLOAD_URL} 2> /dev/null)
+            UPLOAD=$(${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "data@${REPORTFILE}" --data-urlencode "licensekey@${LICENSE_KEY_FILE}" --data-urlencode "hostid=${HOSTID}" --data-urlencode "hostid2=${HOSTID2}" ${UPLOAD_URL} 2> /dev/null)
             EXITCODE=$?
             LogText "Exit code: ${EXITCODE}"
             if [ ${EXITCODE} -gt 0 ]; then

include/functions

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -38,7 +38,7 @@
 #    DigitsOnly                 Return only the digits from a string
 #    DirectoryExists            Check if a directory exists on the disk
 #    DiscoverProfiles           Determine available profiles on system
-#    Display                    Output text to screen with colors and identation
+#    Display                    Output text to screen with colors and indentation
 #    DisplayError               Show an error on screen
 #    DisplayException           Show an exception on screen
 #    DisplayManual              Output text to screen without any layout
@@ -1089,12 +1089,13 @@
                 ;;
 
                 "Solaris")
-                    INTERFACES_TO_TEST="e1000g1 net0"
+                    INTERFACES_TO_TEST="net0 e1000g1 e1000g0"
                     FOUND=0
                     for I in ${INTERFACES_TO_TEST}; do
                          FIND=$(${IFCONFIGBINARY} -a | grep "^${I}")
                          if [ ! "${FIND}" = "" ]; then
                              FOUND=1; LogText "Found interface ${I} on Solaris"
+                             break
                          fi
                     done
                     if [ ${FOUND} -eq 1 ]; then
@@ -1107,7 +1108,7 @@
                             ReportException "GetHostID" "Can not find sha1/sha1sum or openssl"
                         fi
                     else
-                        ReportException "GetHostID" "No interface found op Solaris to create HostID"
+                        ReportException "GetHostID" "No interface found on Solaris to create HostID"
                     fi
                 ;;
 
@@ -1286,11 +1287,12 @@
                 CHECK_PERMISSION=$(echo "${CHECK_PERMISSION}" | ${AWKBINARY} '{printf "%03d",$1}')
 
                 # First try stat command
-                LogText "Test: checking if file ${CHECKFILE} is ${CHECK_PERMISSION}"
+                LogText "Test: checking if file ${CHECKFILE} has the permissions set to ${CHECK_PERMISSION} or more restrictive"
                 if [ -n "${STATBINARY}" ]; then
 
                     case ${OS} in
-                        *BSD)
+                        *BSD | "macOS")
+                            # BSD and macOS have no --format, only short notation
                             DATA=$(${STATBINARY} -f "%OLp" ${CHECKFILE})
                         ;;
                         *)
@@ -1344,7 +1346,7 @@
                 DATA=$(echo "${DATA}" | ${AWKBINARY} '{printf "%03d",$1}')
 
                 if [ -n "${DATA}" ]; then
-                    if [ "${DATA}" = "${CHECK_PERMISSION}" ]; then
+                    if [ "${DATA}" -le "${CHECK_PERMISSION}" ]; then
                         LogText "Outcome: correct permissions (${DATA})"
                         return 0
                     fi
@@ -1516,6 +1518,7 @@
     # Returns     : 0 (process is running), 1 (process not running)
     #               RUNNING (1 = running, 0 = not running) - will be deprecated
     # Notes       : PSOPTIONS are declared globally, to prevent testing each call
+    #               Fallback is used on binaries as IsRunning is used for 'show' command
     ################################################################################
 
     IsRunning() {
@@ -1545,44 +1548,43 @@
 
         if [ -z "${search}" ]; then ExitFatal "Missing process to search for when using IsRunning function"; fi
         RUNNING=0
-        # AIX does not fully support pgrep options, so using ps instead
+        if [ -x "${PGREPBINARY}" ] && [ "${OS}" != "AIX" ]; then
-        if [ -n "${PGREPBINARY}" ] && [ "${OS}" != "AIX" ]; then
             # When --user is used, perform a search using the -u option
             # Initialize users for strict mode
             if [ -n "${users:-}" ]; then
                 for u in ${users}; do
-                    user_uid=$(getent passwd "${u}" 2> /dev/null | ${AWKBINARY} -F: '{print $3}')
+                    user_uid=$(getent passwd "${u}" 2> /dev/null | ${AWKBINARY:-awk} -F: '{print $3}')
                     # Only perform search if user exists and we had no match yet
                     if [ -n "${user_uid}" ]; then
                         if [ -z "${FIND}" ]; then
                             LogText "Performing pgrep scan using uid ${user_uid}"
-                            FIND=$(${PGREPBINARY} ${pgrep_options} -u "${user_uid}" "${search}" | ${TRBINARY} '\n' ' ')
+                            FIND=$(${PGREPBINARY:-pgrep} ${pgrep_options} -u "${user_uid}" "${search}" | ${TRBINARY:-tr} '\n' ' ')
                         fi
                     fi
                 done
             else
                 LogText "Performing pgrep scan without uid"
-                FIND=$(${PGREPBINARY} ${pgrep_options} "${search}" | ${TRBINARY} '\n' ' ')
+                FIND=$(${PGREPBINARY:-pgrep} ${pgrep_options} "${search}" | ${TRBINARY:-tr} '\n' ' ')
             fi
         else
             if [ "${SHELL_IS_BUSYBOX}" -eq 1 ]; then
                 # This search is not foolproof
                 LogText "Performing simple ps scan (busybox)"
                 PSOPTIONS=" -o args="
-                FIND=$(${PSBINARY} ${PSOPTIONS} | ${EGREPBINARY} "( |/)${search}" | ${GREPBINARY} -v "grep")
+                FIND=$(${PSBINARY:-ps} ${PSOPTIONS} | ${EGREPBINARY:-egrep} "( |/)${search}" | ${GREPBINARY:-grep} -v "grep")
             else
                 if [ -n "${users}" ]; then
                     for u in ${users}; do
-                        user_uid=$(getent passwd "${u}" 2> /dev/null | ${AWKBINARY} -F: '{print $3}')
+                        user_uid=$(getent passwd "${u}" 2> /dev/null | ${AWKBINARY:-awk} -F: '{print $3}')
                         # Only perform search if user exists and we had no match yet
                         if [ -n "${user_uid}" ]; then
                             if [ -z "${FIND}" ]; then
                                 if [ ${PARTIAL_SEARCH} -eq 1 ]; then
                                     LogText "Performing ps scan using partial match and for uid ${user_uid}"
-                                    FIND=$(${PSBINARY} -u "${user_uid}" -o comm= "${search}" | ${AWKBINARY} -v pattern="${search}" '$0 ~ pattern {print}')
+                                    FIND=$(${PSBINARY:-ps} -u "${user_uid}" -o comm= "${search}" | ${AWKBINARY:-awk} -v pattern="${search}" '$0 ~ pattern {print}')
                                 else
                                     LogText "Performing ps scan using exact match and for uid ${user_uid}"
-                                    FIND=$(${PSBINARY} -u "${user_uid}" -o comm= "${search}" | ${AWKBINARY} -v pattern="^${search}$" '$0 ~ pattern {print}')
+                                    FIND=$(${PSBINARY:-ps} -u "${user_uid}" -o comm= "${search}" | ${AWKBINARY:-awk} -v pattern="^${search}$" '$0 ~ pattern {print}')
                                 fi
                             fi
                         fi
@@ -1595,10 +1597,10 @@
                     esac
                     if [ ${PARTIAL_SEARCH} -eq 1 ]; then
                         LogText "Performing ps scan using partial match and without uid"
-                        FIND=$(${PSBINARY} ${PSOPTIONS} | ${AWKBINARY} -v pattern="${search}" '$0 ~ pattern {print}')
+                        FIND=$(${PSBINARY:-ps} ${PSOPTIONS} | ${AWKBINARY:-awk} -v pattern="${search}" '$0 ~ pattern {print}')
                     else
                         LogText "Performing ps scan using exact match and without uid"
-                        FIND=$(${PSBINARY} ${PSOPTIONS} | ${AWKBINARY} -v pattern="^${search}$" '$0 ~ pattern {print}')
+                        FIND=$(${PSBINARY:-ps} ${PSOPTIONS} | ${AWKBINARY:-awk} -v pattern="^${search}$" '$0 ~ pattern {print}')
                     fi
                 fi
             fi
@@ -1774,14 +1776,11 @@
         # dmidecode
         # Values: VMware Virtual Platform / VirtualBox
         if [ -z "${SHORT}" ]; then
-            if [ -x /usr/bin/dmidecode ]; then DMIDECODE_BINARY="/usr/bin/dmidecode"
+            # Try to find dmidecode in case we did not check binaries (e.g. lynis show environment)
-            elif [ -x /usr/sbin/dmidecode ]; then DMIDECODE_BINARY="/usr/sbin/dmidecode"
+            if [ ${CHECK_BINARIES} -eq 0 ]; then DMIDECODEBINARY=$(command -v dmidecode 2> /dev/null); fi
-            else
+            if [ -n "${DMIDECODEBINARY}" -a -x "${DMIDECODEBINARY}" -a ${PRIVILEGED} -eq 1 ]; then
-                DMIDECODE_BINARY=""
-            fi
-            if [ ! "${DMIDECODE_BINARY}" = "" -a ${PRIVILEGED} -eq 1 ]; then
                 LogText "Test: trying to guess virtualization with dmidecode"
-                FIND=$(/usr/sbin/dmidecode -s system-product-name | awk '{ print $1 }')
+                FIND=$(${DMIDECODEBINARY} -s system-product-name | awk '{ print $1 }')
                 if [ -n "${FIND}" ]; then
                     LogText "Result: found ${FIND}"
                     SHORT="${FIND}"
@@ -1794,6 +1793,7 @@
         else
             LogText "Result: skipped dmidecode test, as we already found machine type"
         fi
+
         # Other options
         # SaltStack: salt-call grains.get virtual
         # < needs snippet >
@@ -1864,7 +1864,7 @@
         fi
 
         # Check if we caught some string along all tests
-        if [ ! "${SHORT}" = "" ]; then
+        if [ -n "${SHORT}" ]; then
             # Lowercase and see if we found a match
             SHORT=$(echo ${SHORT} | awk '{ print $1 }' | tr '[:upper:]' '[:lower:]')
 
@@ -2020,6 +2020,7 @@
     PackageIsInstalled() {
         exit_code=255
 
+        # First parameter is package name (or __dummy__ for initial test to see if package manager is available and works as expected)
         if [ $# -eq 1 ]; then
             package="$1"
         else
@@ -2041,6 +2042,9 @@
         elif [ -n "${PKG_BINARY}" ]; then
             output=$(${PKG_BINARY} -N info ${package} >/dev/null 2>&1)
             exit_code=$?  # 0=package installed, 70=invalid package
+        elif [ -n "${PKGINFOBINARY}" ]; then
+            output=$(${PKGINFOBINARY} -q -e ${package} >/dev/null 2>&1)
+            exit_code=$?  # 0=package installed, 1=package not installed
         elif [ -n "${RPMBINARY}" ]; then
             output=$(${RPMBINARY} --quiet -q ${package} > /dev/null 2>&1)
             exit_code=$?
@@ -2050,8 +2054,25 @@
         elif [ -n "${ZYPPERBINARY}" ]; then
             output=$(${ZYPPERBINARY} --quiet --non-interactive search --installed -i ${package} 2> /dev/null | grep "^i")
             if [ -n "${output}" ]; then exit_code=0; else exit_code=1; fi
+        elif [ -n "${XBPSBINARY}" ]; then
+            output=$(${XBPSBINARY} ${package} 2> /dev/null | ${GREPBINARY} "^ii")
+            exit_code=$?
         else
-            ReportException "PackageIsInstalled:01"
+            if [ "${package}" != "__dummy__" ]; then
+                ReportException "PackageIsInstalled:01 (test=${TEST_NO:-unknown})"
+            fi
+        fi
+
+        # Give thumbs up if dummy package is used during initial test for package manager availability
+        if [ "${package}" = "__dummy__" ]; then
+            # There should be no positive match on this dummy package
+            if [ ${exit_code} -eq 0 ]; then
+                exit_code=1
+            elif [ ${exit_code} -eq 255 ]; then
+                exit_code=1
+            else
+                exit_code=0
+            fi
         fi
 
         return ${exit_code}
@@ -2159,7 +2180,8 @@
         for I in ${FIND}; do
             I=$(echo ${I} | sed 's/:space:/ /g' | sed 's/;$//' | sed 's/ #.*$//')
             OPTION=$(echo ${I} | awk '{ print $1 }')
-            VALUE=$(echo ${I}| cut -d' ' -f2-)
+            # Use quotes here to prevent wildcard expansion
+            VALUE=$(echo "${I}"| cut -d' ' -f2-)
             LogText "Result: found option ${OPTION} in ${CONFIG_FILE} with value '${VALUE}'"
             STORE_SETTING=1
             case ${OPTION} in
@@ -2282,9 +2304,25 @@
                         done
                         if [ ${FOUND} -eq 0 ]; then NGINX_CONF_FILES_ADDITIONS="${NGINX_CONF_FILES_ADDITIONS} ${VALUE}"; fi
                     # Check for additional config files included as follows
-                    # "include sites-enabled/*.conf"
+                    # "include sites-enabled/*.conf" (relative path)
-                    elif [ $(echo ${VALUE} | grep -F -c "*.conf") -gt 0 ]; then
+                    # "include /etc/nginx/sites-enabled/*.conf" (absolute path)
-                        for FOUND_CONF in $(ls ${CONFIG_FILE%nginx.conf}${VALUE%;*}); do
+                    elif [ $(echo "${VALUE}" | grep -F -c "*.conf") -gt 0 ]; then
+                        # Check if path is absolute or relative
+                        case $VALUE in
+                            /*)
+                                # Absolute path, so wildcard pattern is already correct
+                                CONF_WILDCARD=${VALUE%;*}
+                            ;;
+                            *)
+                                # Relative path, so construct absolute path for wildcard pattern
+                                CONF_WILDCARD=${CONFIG_FILE%nginx.conf}${VALUE%;*}
+                            ;;
+                        esac
+                        for FOUND_CONF in ${CONF_WILDCARD}; do
+                            if [ "${FOUND_CONF}" = "${CONF_WILDCARD}" ]; then
+                                LogText "Found no match for wildcard pattern: ${CONF_WILDCARD}"
+                                break
+                            fi
                             FOUND=0
                             for CONF in ${NGINX_CONF_FILES}; do
                                 if [ "${CONF}" = "${FOUND_CONF}" ]; then FOUND=1; LogText "Found this file already in our configuration files array, not adding to queue"; fi
@@ -2494,8 +2532,8 @@
     Register() {
         # Do not insert a log break, if previous test was not logged
         if [ ${SKIPLOGTEST} -eq 0 ]; then LogTextBreak; fi
-        ROOT_ONLY=0; SKIPTEST=0; SKIPLOGTEST=0; SKIPREASON=""; TEST_NEED_OS=""; PREQS_MET=""
+        ROOT_ONLY=0; SKIPTEST=0; SKIPLOGTEST=0; SKIPREASON=""; PREQS_MET=""
-        TEST_CATEGORY=""; TEST_NEED_NETWORK=""; TEST_NEED_PLATFORM=""
+        TEST_CATEGORY=""; TEST_NEED_NETWORK=""; TEST_NEED_OS=""; TEST_NEED_PKG_MGR=0; TEST_NEED_PLATFORM=""
         TOTAL_TESTS=$((TOTAL_TESTS + 1))
         while [ $# -ge 1 ]; do
             case $1 in
@@ -2519,6 +2557,9 @@
                     shift
                     TEST_NEED_OS=$1
                 ;;
+                --package-manager-required)
+                    TEST_NEED_PKG_MGR=1
+                ;;
                 --preqs-met)
                     shift
                     PREQS_MET=$1
@@ -2562,7 +2603,7 @@
         CURRENT_TS=$(GetTimestamp)
         if [ ${PREVIOUS_TS} -gt 0 ]; then
             SLOW_TEST=0
-            TIME_THRESHOLD=10  # seconds
+            TIME_THRESHOLD=$SLOW_TEST_THRESHOLD  # seconds
 
             # Calculate timing and determine if we use seconds or nanoseconds (more precise)
             TIME_DIFF=$((CURRENT_TS - PREVIOUS_TS))
@@ -2631,6 +2672,9 @@
         # Check for correct hardware platform
         if [ ${SKIPTEST} -eq 0 -a -n "${TEST_NEED_PLATFORM}" -a ! "${HARDWARE}" = "${TEST_NEED_PLATFORM}" ]; then SKIPTEST=1; SKIPREASON="Incorrect hardware platform"; fi
 
+        # Check for required (and discovered) package manager
+        if [ ${SKIPTEST} -eq 0 -a ${TEST_NEED_PKG_MGR} -eq 1 -a ${HAS_PACKAGE_MANAGER} -eq 0 ]; then SKIPTEST=1; SKIPREASON="Requires a known package manager to test presence of a particular package"; fi
+
         # Not all prerequisites met, like missing tool
         if [ ${SKIPTEST} -eq 0 -a "${PREQS_MET}" = "NO" ]; then SKIPTEST=1; if [ -z "${SKIPREASON}" ]; then SKIPREASON="Prerequisites not met (ie missing tool, other type of Linux distribution)"; fi; fi
 
@@ -3641,4 +3685,4 @@
 
 #================================================================================
 # Lynis is part of Lynis Enterprise and released under GPLv3 license
-# Copyright 2007-2019 - Michael Boelen, CISOfy - https://cisofy.com
+# Copyright 2007-2020 - Michael Boelen, CISOfy - https://cisofy.com

include/helper_audit_dockerfile

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -44,7 +44,7 @@ fi
 ##################################################################################################
 #
 
-    InsertSection "Image"
+    InsertSection "${SECTION_IMAGE}"
 
     PKGMGR=""
     FIND=$(grep "^FROM" ${AUDIT_FILE} | sed 's/ /:space:/g')
@@ -93,7 +93,7 @@ fi
 #
 ##################################################################################################
 #
-    InsertSection "Basics"
+    InsertSection "${SECTION_BASICS}"
 
     MAINTAINER=$(grep -E -i "*MAINTAINER" ${AUDIT_FILE} | sed 's/=/ /g' | cut -d'"' -f 2)
     if [ -z "${MAINTAINER}" ]; then
@@ -127,7 +127,7 @@ fi
 #
 ##################################################################################################
 #
-    InsertSection "Software"
+    InsertSection "${SECTION_SOFTWARE}"
 
     case $PKGMGR in
     "apt")
@@ -166,7 +166,7 @@ fi
 #
 ##################################################################################################
 #
-    InsertSection "Downloads"
+    InsertSection "${SECTION_DOWNLOADS}"
 
     FILE_DOWNLOAD=0
 
@@ -217,7 +217,7 @@ fi
 #
 ##################################################################################################
 #
-    InsertSection "Permissions"
+    InsertSection "${SECTION_PERMISSIONS}"
 
     FIND=$(grep -i "chmod 777" ${AUDIT_FILE})
     if HasData "${FIND}"; then

include/helper_configure

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -72,7 +72,7 @@
             ExitFatal
         fi
 
-        FIND=$(echo ${HELPER_PARAMERS} | grep " ")
+        FIND=$(echo ${HELPER_PARAMS} | grep " ")
         if [ ! "${FIND}" = "" ]; then ${ECHOCMD} "Found invalid character (space) in configuration string"; ExitFatal; fi
 
         CONFIGURE_SETTINGS=$(echo $2 | sed 's/:/ /g')

include/helper_generate

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -51,8 +51,10 @@ if [ $# -gt 0 ]; then
                 ;;
                 *)
                     # xxd does not exist on FreeBSD
-                    HOSTID=$(head -c20 < /dev/urandom | hexdump -ve '"%.2x"')
+                    # Note: hexdump may omit leading or trailing zeroes.
-                    HOSTID2=$(head -c32 < /dev/urandom | hexdump -ve '"%.2x"')
+                    # Take 100 characters as input, turn to hex, then take first 40/64.
+                    HOSTID=$(head -c100 < /dev/urandom | hexdump -ve '"%.2x"' | head -c40)
+                    HOSTID2=$(head -c100 < /dev/urandom | hexdump -ve '"%.2x"' | head -c64)
                 ;;
             esac
 

include/helper_show

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -30,7 +30,7 @@
 
 COMMANDS="audit configure generate show update upload-only"
 HELPERS="audit configure show update"
-OPTIONS="--auditor\n--cronjob (--cron)\n--debug\n--developer\n--devops\n--forensics\n--help (-h)\n--log-file\n--manpage (--man)\n--no-colors\n--no-log\n--pentest\n--profile\n--plugin-dir\n--quick (-Q)\n--quiet (-q)\n--report-file\n--reverse-colors\n--skip-plugins\n--tests\n--tests-from-category\n--tests-from-group\n--usecwd\n--upload\n--verbose\n--version (-V)\n--wait\n--warnings-only"
+OPTIONS="--auditor\n--cronjob (--cron)\n--debug\n--developer\n--devops\n--forensics\n--help (-h)\n--log-file\n--manpage (--man)\n--no-colors\n--no-log\n--no-plugins\n--pentest\n--profile\n--plugin-dir\n--quick (-Q)\n--quiet (-q)\n--report-file\n--reverse-colors\n--tests\n--tests-from-category\n--tests-from-group\n--usecwd\n--upload\n--verbose\n--version (-V)\n--wait\n--warnings-only"
 
 SHOW_ARGS="categories changelog commands dbdir details environment eol groups help hostids includedir language license logfile man options os pidfile plugindir profiles release releasedate report settings tests version workdir"
 SHOW_HELP="lynis show ${BROWN}categories${NORMAL}              (display test categories)
@@ -245,7 +245,7 @@ if [ $# -gt 0 ]; then
                 shift
                 if [ $# -eq 1 ]; then
                     TESTID="$1"
-                    awk -v search="Performing test ID $TESTID" '$0 ~ search {++f;p=1}p&&f==1;/===---/{p=0}' ${LOGFILE}
+                    awk -v search="Performing test ID $TESTID" '$0 ~ search {++f;p=1}p&&f==1;/====/{p=0}' ${LOGFILE}
                 fi
             fi
             ;;
@@ -265,14 +265,15 @@ if [ $# -gt 0 ]; then
             fi
             ;;
         "eol")
+            ${ECHOCMD} "Operating-system=${OS_FULLNAME}"
             if [ ${EOL} -eq 0 ]; then
-                ${ECHOCMD} "OS end-of-life: No"
+                ${ECHOCMD} "End-of-life=No"
             elif [ ${EOL} -eq 1 ]; then
-                ${ECHOCMD} "OS end-of-life: Yes"
+                ${ECHOCMD} "End-of-life=Yes"
             elif [ ${EOL} -eq 255 ]; then
-                ${ECHOCMD} "OS end-of-life: Not tested"
+                ${ECHOCMD} "End-of-life=Not tested"
             else
-                ${ECHOCMD} "OS end-of-life: Unknown"
+                ${ECHOCMD} "End-of-life=Unknown"
             fi
             ;;
         "groups")

include/helper_system_remote_scan

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com

include/helper_update

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com

include/osdetection

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -62,6 +62,7 @@
                     10.13 | 10.13.[0-9]*) OS_FULLNAME="macOS High Sierra (${OS_VERSION})" ;;
                     10.14 | 10.14.[0-9]*) OS_FULLNAME="macOS Mojave (${OS_VERSION})" ;;
                     10.15 | 10.15.[0-9]*) OS_FULLNAME="macOS Catalina (${OS_VERSION})" ;;
+                    11.0 | 11.0[0-9]*) OS_FULLNAME="macOS Big Sur (${OS_VERSION})" ;;
                     *) echo "Unknown macOS version. Do you know what version it is? Create an issue at ${PROGRAM_SOURCE}" ;;
                 esac
             else
@@ -139,12 +140,18 @@
 
             # Generic
             if [ -e /etc/os-release ]; then
+                OS_FULLNAME=$(awk -F= '/^PRETTY_NAME=/ {print substr($2,2,length($2)-2)}' /etc/os-release)
                 OS_ID=$(grep "^ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
                 if [ -n "${OS_ID}" ]; then
                     case ${OS_ID} in
+                        "alpine")
+                            LINUX_VERSION="Alpine Linux"
+                            OS_NAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                            OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                            OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                        ;;
                         "amzn")
                             LINUX_VERSION="Amazon Linux"
-                            OS_FULLNAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
                             OS_NAME="Amazon Linux"
                             OS_REDHAT_OR_CLONE=1
                             OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
@@ -156,30 +163,83 @@
                         ;;
                         "centos")
                             LINUX_VERSION="CentOS"
-                            OS_FULLNAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
                             OS_NAME="CentOS Linux"
                             OS_REDHAT_OR_CLONE=1
                             OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
                         ;;
                         "clear-linux-os")
                             LINUX_VERSION="Clear Linux OS"
-                            OS_FULLNAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
                             OS_NAME="Clear Linux OS"
                             OS_REDHAT_OR_CLONE=1
                             OS_VERSION="Rolling release"
                         ;;
+                        "cloudlinux")
+                            LINUX_VERSION="CloudLinux"
+                            OS_NAME="CloudLinux"
+                            OS_REDHAT_OR_CLONE=1
+                            OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                        ;;
                         "coreos")
                             LINUX_VERSION="CoreOS"
-                            OS_FULLNAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
                             OS_NAME="CoreOS Linux"
                             OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
                         ;;
                         "debian")
                             LINUX_VERSION="Debian"
-                            OS_FULLNAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                            OS_NAME="Debian"
+                            OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                            OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                        ;;
+                        "elementary")
+                            LINUX_VERSION="elementary OS"
+                            OS_NAME="elementary OS"
+                            OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                            OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                        ;;
+                        "endeavouros")
+                            LINUX_VERSION="EndeavourOS"
+                            OS_NAME="EndeavourOS"
+                            OS_VERSION="Rolling release"
+                            OS_VERSION_FULL="Rolling release"
+                        ;;
+                        "fedora")
+                            LINUX_VERSION="Fedora"
+                            OS_NAME="Fedora Linux"
+                            OS_REDHAT_OR_CLONE=1
+                            OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                        ;;
+                        "flatcar")
+                            LINUX_VERSION="Flatcar"
+                            LINUX_VERSION_LIKE="CoreOS"
+                            OS_NAME="Flatcar Linux"
+                            OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                        ;;
+                        "gentoo")
+                            LINUX_VERSION="Gentoo"
+                            OS_NAME="Gentoo Linux"
+                            OS_VERSION="Rolling release"
+                        ;;
+                        "ipfire")
+                            LINUX_VERSION="IPFire"
+                            OS_NAME="IPFire"
+                            OS_VERSION=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                        ;;
+                        "kali")
+                            LINUX_VERSION="Kali"
+                            OS_NAME="Kali Linux"
+                            OS_VERSION="Rolling release"
+                        ;;
+                        "linuxmint")
+                            LINUX_VERSION="Linux Mint"
+                            OS_NAME="Linux Mint"
+                            OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                            OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                        ;;
+                        "mageia")
+                            LINUX_VERSION="Mageia"
+                            OS_NAME="Mageia"
                             OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
                             OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
-                            OS_NAME="Debian"
                         ;;
                         "manjaro")
                             LINUX_VERSION="Manjaro"
@@ -187,55 +247,100 @@
                             OS_NAME="Manjaro"
                             OS_VERSION="Rolling release"
                         ;;
+                        "nixos")
+                            LINUX_VERSION="NixOS"
+                            OS_NAME="NixOS"
+                            OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                            OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                        ;;
+                        "ol")
+                            LINUX_VERSION="Oracle Linux"
+                            OS_NAME="Oracle Linux"
+                            OS_REDHAT_OR_CLONE=1
+                            OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                        ;;
                         "opensuse-tumbleweed")
                             LINUX_VERSION="openSUSE Tumbleweed"
-                            OS_FULLNAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
                             # It's rolling release but has a snapshot version (the date of the snapshot)
                             OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
                             OS_NAME="openSUSE"
                         ;;
                         "opensuse-leap")
                             LINUX_VERSION="openSUSE Leap"
-                            OS_FULLNAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
                             OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
                             OS_NAME="openSUSE"
                         ;;
-                        "ubuntu")
+                        "pop")
-                            LINUX_VERSION="Ubuntu"
+                            LINUX_VERSION="Pop!_OS"
-                            OS_FULLNAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
                             OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
                             OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
-                            OS_NAME="Ubuntu"
+                            OS_NAME="Pop!_OS"
+                        ;;
+                        "pureos")
+                            LINUX_VERSION="PureOS"
+                            OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                            OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                            OS_NAME="PureOS"
                         ;;
                         "raspbian")
                             LINUX_VERSION="Raspbian"
-                            OS_FULLNAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
                             OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
                             OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
                             OS_NAME="Raspbian"
                         ;;
                         "rhel")
                             LINUX_VERSION="RHEL"
-                            OS_NAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                            OS_NAME="RHEL"
                             OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
                             OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
                             OS_FULLNAME="${OS_NAME} ${OS_VERSION_FULL}"
                             OS_REDHAT_OR_CLONE=1
                         ;;
+                        "rosa")
+                            LINUX_VERSION="ROSA Linux"
+                            OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                            OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                            OS_NAME="ROSA Linux"
+                        ;;
                         "slackware")
                             LINUX_VERSION="Slackware"
-                            OS_FULLNAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
                             OS_NAME="Slackware Linux"
                             OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
                             OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
                         ;;
+                        "sles")
+                            LINUX_VERSION="SLES"
+                            OS_NAME="openSUSE"
+                            OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                            OS_VERSION_FULL=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                        ;;
+                        "ubuntu")
+                            LINUX_VERSION="Ubuntu"
+                            OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                            OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                            OS_NAME="Ubuntu"
+                        ;;
+                        "void")
+                            LINUX_VERSION="Void Linux"
+                            OS_VERSION="Rolling release"
+                            OS_NAME="Void Linux"
+                        ;;
+                        "zorin")
+                            LINUX_VERSION="Zorin OS"
+                            OS_NAME="Zorin OS"
+                            OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                            OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                        ;;
                         *)
-                            ReportException "OS Detection" "Unknown OS found in /etc/os-release"
+                            ReportException "OS Detection" "Unknown OS found in /etc/os-release - Please create issue on GitHub project page: ${PROGRAM_SOURCE}"
                         ;;
                     esac
                 fi
             fi
 
+            # Alpine
+            if [ -e "/etc/alpine-release" ]; then LINUX_VERSION="Alpine Linux"; OS_VERSION=$(cat /etc/alpine-release); fi
+
             # Amazon
             if [ -z "${LINUX_VERSION}" -a -e "/etc/system-release" ]; then
                 FIND=$(grep "^Amazon" /etc/system-release)
@@ -337,13 +442,6 @@
                     LINUX_VERSION="Fedora"
                 fi
 
-                # Mageia (has also /etc/megaia-release)
-                FIND=$(grep "Mageia" /etc/redhat-release)
-                if [ ! "${FIND}" = "" ]; then
-                    OS_FULLNAME=$(grep "^Mageia" /etc/redhat-release)
-                    OS_VERSION=$(grep "^Mageia" /etc/redhat-release | awk '{ if ($2=="release") { print $3 } }')
-                    LINUX_VERSION="Mageia"
-                fi
 
                 # Oracle Enterprise Linux
                 FIND=$(grep "Enterprise Linux Enterprise Linux Server" /etc/redhat-release)
@@ -481,12 +579,89 @@
             SYSCTL_READKEY=""
         ;;
 
-        # Solaris / OpenSolaris
+        # Solaris / OpenSolaris / Ilumos ...
         SunOS)
             OS="Solaris"
+            OS_KERNELVERSION=$(uname -v)
+            OPENSOLARIS=0
+
+            if [ -f /etc/os-release ]; then
+                OS_ID=$(grep "^ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                OS_VERSION=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                OS_FULLNAME=$(awk -F= '/^PRETTY_NAME=/ {print substr($2,2,length($2)-2)}' /etc/os-release)
+                case "${OS_ID}" in
+                    "solaris")
+                        OS_NAME="Oracle Solaris"
+                        ;;
+                    "omnios")
+                        OS_NAME="OmniOS"
+                        OPENSOLARIS=1
+                        ;;
+                    "tribblix")
+                        OS_NAME="Tribblix"
+                        OS_FULLNAME="Tribblix ${OS_VERSION}"
+                        OPENSOLARIS=1 
+                        ;;
+                    "*")
+                        ReportException "OS Detection" "Unknown OS found in /etc/os-release - Please create issue on GitHub project page: ${PROGRAM_SOURCE}"
+                        ;;
+                esac
+            elif [ "$(uname -o 2> /dev/null)" == "illumos" ]; then
+                OPENSOLARIS=1
+        
+                # Solaris has a free form text file with release information
+                if grep "OpenIndiana" /etc/release > /dev/null; then
+                    OS_NAME="OpenIndiana"
+                    if grep "Hipster" /etc/release > /dev/null; then
+                        OS_VERSION="$(tr ' ' '\n' < /etc/release  | grep '[[:digit:]]\.[[:digit:]]')"
+                        OS_FULLNAME="OpenIndiana Hipster $OS_VERSION"
+                    else
+                        OS_VERSION="Unknown"
+                        OS_FULLNAME="OpenIndiana (unknown edition)"
+                    fi
+                elif grep "OmniOS" /etc/release > /dev/null; then
+                    OS_NAME="OmniOS"
+                    OS_VERSION="$(tr ' ' '\n' < /etc/release  | grep 'r[[:digit:]]')"
+                    if grep "Community Edition" /etc/release > /dev/null; then
+                        OS_FULLNAME="OmniOS Community Edition v11 $OS_VERSION"
+                    fi
+                elif grep "SmartOS" /etc/release > /dev/null; then
+                    OS_NAME="SmartOS"
+                    OS_VERSION="-"
+                    OS_FULLNAME="SmartOS"
+                else
+                    OS_NAME="Unknown Illumos"
+                fi
+            elif grep "SchilliX" /etc/release > /dev/null; then
+                OS_NAME="SchilliX"
+                OS_FULLNAME="$(head -n 1 /etc/release | xargs)"
+                OS_VERSION="$(echo "$OS_FULLNAME" | cut -d '-' -f 2)"
+
+                OPENSOLARIS=1
+            elif head -n 1 < /etc/release | grep "Oracle Solaris" > /dev/null; then
+                OS_NAME="Oracle Solaris"
+                OS_FULLNAME="$(head -n 1 /etc/release | xargs)"
+                OS_VERSION="$(head -n 1 < /etc/release | xargs | cut -d ' ' -f 3)"
+            elif head -n 1 < /etc/release | xargs | grep "^Solaris " > /dev/null; then
+                OS_NAME="Sun Solaris"
+                # Example of /etc/release:
+                #   Solaris 10 5/08
+                #   ...
+                #   Solaris 10 10/09 (Update 8)
+                # The first line does not contain the "Update" number,
+                # only if present.
+                if tail -1 < /etc/release | xargs | grep "^Solaris " > /dev/null; then
+                    OS_FULLNAME=$(tail -1 < /etc/release | xargs)
+                else
+                    OS_FULLNAME=$(head -1 < /etc/release | xargs)
+                fi
+                OS_VERSION=$(echo "$OS_FULLNAME" | cut -d ' ' -f 2,3)
+            else  # Old behaviour
                 OS_NAME="Sun Solaris"
                 OS_FULLNAME=$(uname -s -r)
                 OS_VERSION=$(uname -r)
+            fi
+
             HARDWARE=$(uname -m)
             if [ -x /usr/bin/isainfo ]; then
                 # Returns 32, 64
@@ -572,6 +747,7 @@
             EOL_TIMESTAMP=$(awk -v value="${FIND}" -F: '{if ($1=="os" && value ~ $2){print $4}}' ${DBDIR}/software-eol.db | head -n 1)
             if [ -n "${EOL_TIMESTAMP}" ]; then
                 EOL_DATE=$(awk -v value="${FIND}" -F: '{if ($1=="os" && value ~ $2){print $3}}' ${DBDIR}/software-eol.db | head -n 1)
+                if [ -n "${EOL_DATE}" ]; then
                     NOW=$(date "+%s")
                     if [ -n "${NOW}" ]; then
                         if [ ${NOW} -gt ${EOL_TIMESTAMP} ]; then
@@ -580,6 +756,9 @@
                             EOL=0
                         fi
                     fi
+                else
+                    EOL=0
+                fi
             fi
         fi
     fi

include/parameters

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -270,7 +270,7 @@
             ;;
 
             # Don't use colors
-            --no-colors | --nocolors | --no-colours | --nocolours)
+            --no-colors | --nocolors | --no-colour | --nocolour)
                 COLORS=0
                 RemoveColors
             ;;
@@ -280,6 +280,11 @@
                 LOGFILE="/dev/null"
             ;;
 
+            # Skip execution of plugins
+            --no-plugins | --noplugins | --skip-plugins)
+                SKIP_PLUGINS=1
+            ;;
+
             --pen-test | --pentest)
                 PENTESTINGMODE=1
             ;;
@@ -332,7 +337,7 @@
             ;;
 
             # Strip the colors which aren't clearly visible on light backgrounds
-            --reverse-colors| --reverse-colours)
+            --reverse-colors | --reverse-colour)
                 BLUE="${NORMAL}";
                 SECTION="${NORMAL}";
                 NOTICE="${NORMAL}";
@@ -359,11 +364,6 @@
                 fi
             ;;
 
-            # Skip execution of plugins
-            --skip-plugins | --no-plugins | --noplugins)
-                SKIP_PLUGINS=1
-            ;;
-
             # Only scan these tests
             --tests)
                 shift
@@ -423,6 +423,23 @@
                 QUIET=1
             ;;
 
+            # Warning when test is slow
+            --slow-warning)
+                if [ $# -gt 1 ]; then
+                    shift
+
+                    if [ "$1" -gt 0 ] 2>/dev/null; then
+                        SLOW_TEST_THRESHOLD="$1"
+                    else
+                        echo "Argument has to be number."
+                        exit 1
+                    fi
+                else
+                    echo "Specify threshold as number of seconds above which should Lynis warn about long test."
+                    exit 1
+                fi
+            ;;
+
             --tests-category | --tests-categories | --view-categories | --list-categories | --show-categories)
                 echo "Error: Deprecated option ($1)"
                 exit 1

include/profiles

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -35,23 +35,32 @@
 
         # Show deprecation message for old config entries such as 'config:' and 'apache:'
         FOUND=0
-        DATA=$(grep -E "^[a-z-]{1,}:" ${PROFILE} | od -An -ta | sed 's/ /!space!/g')  # od -An (no file offset), -ta (named character, to be on safe side)
+        DATA=$(grep -E "^[a-z-]{1,}:" ${PROFILE})
         if ! IsEmpty "${DATA}"; then FOUND=1; fi
 
         if [ ${FOUND} -eq 1 ]; then
+            Display --text " "
+            Display --text "=================================================================================================="
             DisplayWarning "Your profile contains old-style configuration entries. See log file for more details and how to convert these entries"
-            LogText "Your profile has one or more configuration items that are in an old format (lines starting with key:value). They need to be converted into the new format (key=value)."
+            Display --indent 2 --text "* ${RED}ISSUE${NORMAL}"
-            LogText "Tip: Use grep to see the relevant matches (grep -E \"^[a-z-]{1,}:\" custom.prf)"
+            Display --indent 2 --text "Your profile has one or more lines that are in an old format (key:value). They need to be converted into the new format (key=value) or disabled."
-            sleep 30
+            Display --text " "
+            Display --indent 2 --text "* ${GREEN}HOW TO RESOLVE${NORMAL}"
+            Display --indent 2 --text "Use grep to see the relevant matches (grep -E \"^[a-z-]{1,}:\" custom.prf)"
+            Display --text " "
+            Display --text "=================================================================================================="
+            Display --text " "
+            LogText "Insight: Profile '${PROFILE}' contains one or more old-style configuration entries"
+            ReportWarning "GEN-0020" "Your profile contains one or more old-style configuration entries"
+            sleep 10
         fi
 
         # Security check for unexpected and possibly harmful escape characters (hyphen should be listed as first or last character)
-        DATA=$(grep -Ev '^$|^ |^#|^config:' "${PROFILE}" | tr -d '[:alnum:]/\[\]\(\)_\|,\.:;= \n\r-' | od -An -ta | sed 's/ /!space!/g')
+        DATA=$(grep -Ev '^$|^ |^#|^config:' "${PROFILE}" | tr -d '[:alnum:]/\[\]\(\)_\|,\.:;= \n\r-')
         if ! IsEmpty "${DATA}"; then
             DisplayWarning "Your profile '${PROFILE}' contains unexpected characters. See the log file for more information."
             LogText "Found unexpected or possibly harmful characters in profile '${PROFILE}'. See which characters matched in the output below and compare them with your profile."
-            for I in ${DATA}; do
+            for I in $(printf ${DATA} | od -An -ta); do
-                I=$(echo ${I} | sed 's/!space!/ /g')
                 LogText "Output: ${I}"
             done
             LogText "Suggestion: comment incorrect lines with a '#' and try again. Open a GitHub issue if valid characters are blocked"
@@ -367,6 +376,13 @@
                     AddSetting "ssl-certificate-paths-to-ignore" "${SSL_CERTIFICATE_PATHS_TO_IGNORE}" "Paths that should be ignored for SSL certificates"
                 ;;
 
+                # Check also certificates provided by packages?
+                ssl-certificate-include-packages)
+                    FIND=$(echo "${VALUE}" | grep -E "^(1|true|yes)") && SSL_CERTIFICATE_INCLUDE_PACKAGES=1
+                    Debug "Check also certificates provided by packages set to ${SSL_CERTIFICATE_INCLUDE_PACKAGES}"
+                ;;
+
+
                 # Set strict mode for development and quality purposes
                 strict)
                     FIND=$(echo "${VALUE}" | grep -E "^(1|true|yes)") && SET_STRICT=1
@@ -532,7 +548,7 @@
 #################################################################################
 #
     if [ -n "${DEPRECATED_OPTION}" ]; then
-        ReportWarning "LYNIS" "One or more deprecated options used" "${DEPRECATED_OPTION}" "Update your profile"
+        ReportWarning "GEN-0030" "One or more deprecated options used in profile" "${DEPRECATED_OPTION}" "Update your profile"
     fi
 #
 #################################################################################
@@ -540,7 +556,6 @@
 
     Display --indent 2 --text "- Checking profiles..." --result "DONE" --color GREEN
 
-LogTextBreak
 
 #================================================================================
 # Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com

include/report

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -151,14 +151,14 @@
             fi
 
             # Show suggestions from logfile
-            SSUGGESTIONS=$(${GREPBINARY} 'Suggestion: ' ${LOGFILE} | sed 's/ /!space!/g')
+            SUGGESTIONS=$(${GREPBINARY} 'Suggestion: ' ${LOGFILE} | sed 's/ /!space!/g')
 
-            if [ -z "${SSUGGESTIONS}" ]; then
+            if [ -z "${SUGGESTIONS}" ]; then
                 echo "  ${OK}No suggestions${NORMAL}"; echo ""
             else
                 echo "  ${YELLOW}Suggestions${NORMAL} (${TOTAL_SUGGESTIONS}):"
                 echo "  ${WHITE}----------------------------${NORMAL}"
-                for SUGGESTION in ${SSUGGESTIONS}; do
+                for SUGGESTION in ${SUGGESTIONS}; do
                     SOLUTION=""
                     SHOWSUGGESTION=$(echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^.* Suggestion: //' | sed 's/\[details:\(.*\)\] \[solution:\(.*\)\]//' | sed 's/test://')
                     ADDLINK=$(echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^.* Suggestion: \(.*\)\[test://' | sed 's/\]\(.*\)]//' | ${AWKBINARY} -F: '{print $1}')
@@ -183,7 +183,7 @@
                 done
             fi
             # Show tip on how to continue (next steps)
-            if [ ! "${SWARNINGS}" = "" -o ! "${SSUGGESTIONS}" = "" ]; then
+            if [ ! "${SWARNINGS}" = "" -o ! "${SUGGESTIONS}" = "" ]; then
                 echo "  ${CYAN}Follow-up${NORMAL}:"
                 echo "  ${WHITE}----------------------------${NORMAL}"
                 echo "  ${WHITE}-${NORMAL} Show details of a test (lynis show details TEST-ID)"

include/tests_accounting

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -18,7 +18,7 @@
 #
 #################################################################################
 #
-    InsertSection "Accounting"
+    InsertSection "${SECTION_ACCOUNTING}"
 #
 #################################################################################
 #
@@ -123,8 +123,19 @@
                 Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_DISABLED}" --color WHITE
                 ReportSuggestion "${TEST_NO}" "Enable sysstat to collect accounting (cron disabled)"
             fi
+        elif [ -f "${ROOTDIR}lib/systemd/system/sysstat.service" ] || [ -f "${ROOTDIR}etc/systemd/system/sysstat.service" ]; then
+            LogText "Result: sysstat systemd unit found"
+            if [ -L "${ROOTDIR}etc/systemd/system/multi-user.target.wants/sysstat.service" ]; then
+                # Assuming -collect.timer and -summary.timer are enabled as well,
+                # as they are usually in the install section.
+                LogText "Result: sysstat enabled via systemd"
+                Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_ENABLED}" --color GREEN
             else
-            LogText "Result: sysstat not found via ${ROOTDIR}etc/default/sysstat or ${ROOTDIR}etc/cron.d/sysstat"
+                LogText "Result: sysstat disabled via systemd"
+                Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_DISABLED}" --color WHITE
+            fi
+        else
+            LogText "Result: sysstat not found via ${ROOTDIR}etc/default/sysstat or ${ROOTDIR}etc/cron.d/sysstat or as a systemd unit"
             Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_NOT_FOUND}" --color YELLOW
             ReportSuggestion "${TEST_NO}" "Enable sysstat to collect accounting (no results)"
         fi
@@ -413,4 +424,4 @@ WaitForKeyPress
 
 #
 #================================================================================
-# Lynis - Copyright 2007-2019, Michael Boelen / CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2020, Michael Boelen / CISOfy - https://cisofy.com

include/tests_authentication

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -31,7 +31,7 @@
 #
 #################################################################################
 #
-    InsertSection "Users, Groups and Authentication"
+    InsertSection "${SECTION_USERS_GROUPS_AND_AUTHENTICATION}"
 
     # Test        : AUTH-9204
     # Description : Check users with UID zero (0)
@@ -157,51 +157,7 @@
     # Test        : AUTH-9218
     # Description : Check login shells for passwordless accounts
     # Notes       : Results should be checked
-    Register --test-no AUTH-9218 --os FreeBSD --weight L --network NO --category security --description "Check login shells for passwordless accounts"
+    Register --test-no AUTH-9218 --os "DragonFly FreeBSD NetBSD OpenBSD" --root-only YES --weight L --network NO --category security --description "Check login shells for passwordless accounts"
-    if [ ${SKIPTEST} -eq 0 ]; then
-        FOUND=0
-        LogText "Test: Checking login shells"
-        if [ -f ${ROOTDIR}etc/master.passwd ]; then
-            # Check for all shells, except: (/usr)/sbin/nologin /nonexistent
-            FIND=$(${GREPBINARY} "[a-z]:\*:" /etc/master.passwd | ${EGREPBINARY} -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | ${SEDBINARY} 's/ /!space!/g')
-            if [ "${FIND}" = "" ]; then
-                Display --indent 2 --text "- Login shells" --result "${STATUS_OK}" --color GREEN
-            else
-                Display --indent 2 --text "- Login shells" --result "${STATUS_WARNING}" --color RED
-                for LINE in ${FIND}; do
-                    LINE=$(echo ${LINE} | ${SEDBINARY} 's/!space!/ /g')
-                    SHELL=$(echo ${LINE} | ${AWKBINARY} -F: '{ print $10 }')
-                    LogText "Output: ${LINE}"
-                    if [ -z "${SHELL}" ]; then
-                        LogText "Result: found no shell on line"
-                    else
-                        LogText "Result: found possible harmful shell ${SHELL}"
-                        if [ -f ${SHELL} ]; then
-                            LogText "Result: shell ${SHELL} does exist"
-                            FOUND=1
-                        else
-                            LogText "Result: shell ${SHELL} does not exist"
-                            ReportSuggestion "${TEST_NO}" "Determine if account is needed, as shell ${SHELL} does not exist"
-                        fi
-                    fi
-                done
-                if [ ${FOUND} -eq 1 ]; then
-                    ReportWarning "${TEST_NO}" "Possible harmful shell found (for passwordless account!)"
-                fi
-            fi
-          else
-            Display --indent 2 --text "- Login shells" --result "${STATUS_SKIPPED}" --color WHITE
-            LogText "Result: No /etc/master.passwd file found"
-        fi
-        unset LINE SHELL
-    fi
-#
-#################################################################################
-#
-    # Test        : AUTH-9489
-    # Description : Check login shells for passwordless accounts
-    # Notes       : Results should be checked
-    Register --test-no AUTH-9489 --os DragonFly --weight L --network NO --category security --description "Check login shells for passwordless accounts"
     if [ ${SKIPTEST} -eq 0 ]; then
         FOUND=0
         LogText "Test: Checking login shells"
@@ -302,7 +258,7 @@
                 FIND=$(${ROOTDIR}usr/sbin/pwck -q -r 2> /dev/null; echo $?)
                 TESTED=1
             ;;
-            "Solaris")
+            "Solaris" | "HP-UX")
                 FIND=$(${ROOTDIR}usr/sbin/pwck 2> /dev/null; echo $?)
                 TESTED=1
             ;;
@@ -325,13 +281,132 @@
     fi
 #
 #################################################################################
+#
+    # Test        : AUTH-9229
+    # Description : Check password hashing methods vs. recommendations in crypt(5)
+    # Notes       : Applicable to all Unix-like OS
+    #               Requires read access to /etc/shadow (if it exists)
+
+    ParsePasswordEntry() {
+        METHOD=$1
+        case ${METHOD} in
+            1:\* | 1:x | 0: | *:!* | *LOCK*)
+                # disabled | shadowed | no password | locked account (can be literal *LOCK* or something like LOCKED)
+                ;;
+            *:\$5\$*| *:\$6\$*)
+                # sha256crypt | sha512crypt: check number of rounds, should be >5000
+                ROUNDS=$(echo "${METHOD}" | sed -n 's/.*rounds=\([0-9]*\)\$.*/\1/gp')
+                if [ -z "${ROUNDS}" ]; then
+                    echo 'sha256crypt/sha512crypt(default<=5000rounds)'
+                elif [ "${ROUNDS}" -le 5000 ]; then
+                    echo 'sha256crypt/sha512crypt(<=5000rounds)'
+                fi
+                ;;
+            *:\$y\$* | *:\$gy\$* | *:\$2b\$* | *:\$7\$*)
+                # yescrypt | gost-yescrypt | bcrypt | scrypt
+                ;;
+            *:_*)
+                echo bsdicrypt
+                ;;
+            *:\$1\$*)
+                echo md5crypt
+                ;;
+            *:\$3\$*)
+                echo NT
+                ;;
+            *:\$md5*)
+                echo SunMD5
+                ;;
+            *:\$sha1*)
+                echo sha1crypt
+                ;;
+            13:* | 178:*)
+                echo bigcrypt/descrypt
+                ;;
+            *)
+                echo "Unknown password hashing method ${METHOD}. Please report to lynis-dev@cisofy.com"
+                ;;
+        esac
+    }
+
+    Register --test-no AUTH-9229 --root-only YES --weight L --network NO --category security --description "Check password hashing methods"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        LogText "Test: Checking password hashing methods"
+        SHADOW="";
+        if [ -e ${ROOTDIR}etc/shadow ]; then SHADOW="${ROOTDIR}etc/shadow"; fi
+        FIND=$(${CAT_BINARY} ${ROOTDIR}etc/passwd ${SHADOW} | ${AWKBINARY} -F : '{print length($2) ":" $2 }' | while read METHOD; do
+            ParsePasswordEntry ${METHOD}
+        done | ${SORTBINARY} -u | ${TRBINARY} '\n' ' ')
+        if [ -z "${FIND}" ]; then
+            Display --indent 2 --text "- Password hashing methods" --result "${STATUS_OK}" --color GREEN
+            LogText "Result: no poor password hashing methods found"
+            AddHP 2 2
+        else
+            Display --indent 2 --text "- Password hashing methods" --result "${STATUS_SUGGESTION}" --color YELLOW
+            LogText "Result: poor password hashing methods found: ${FIND}"
+            ReportSuggestion "${TEST_NO}" "Check PAM configuration, add rounds if applicable and expire passwords to encrypt with new values"
+            AddHP 0 2
+        fi
+    fi
+#
+#################################################################################
+#
+    # Test        : AUTH-9230
+    # Description : Check group password hashing rounds in login.defs
+    # Notes       : Applicable to all Unix-like OS
+    PREQS_MET="NO"
+    if [ -f ${ROOTDIR}etc/login.defs ]; then
+        PREQS_MET="YES"
+    fi
+    Register --test-no AUTH-9230 --preqs-met ${PREQS_MET} --root-only NO --weight L --network NO --category security --description "Check group password hashing rounds"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        LogText "Test: Checking SHA_CRYPT_MIN_ROUNDS option in ${ROOTDIR}etc/login.defs"
+        FIND=$(${GREPBINARY} "^SHA_CRYPT_MIN_ROUNDS" ${ROOTDIR}etc/login.defs | ${AWKBINARY} '{ if ($1=="SHA_CRYPT_MIN_ROUNDS") { print $2 } }')
+        if [ -z "${FIND}" -o "${FIND}" = "0" ]; then
+            LogText "Result: number of minimum rounds used by the encryption algorithm is not configured"
+            Display --indent 2 --text "- Checking minimum group password hashing rounds" --result "${STATUS_DISABLED}" --color YELLOW
+            ReportSuggestion "${TEST_NO}" "Configure minimum encryption algorithm rounds in /etc/login.defs"
+            AddHP 0 2
+        elif [ "${FIND}" -lt 5000 ]; then
+            LogText "Result: low number of minimum encryption algorithm rounds found: ${FIND}"
+            PASSWORD_MINIMUM_ROUNDS=${FIND}
+            Display --indent 2 --text "- Group password hashing rounds (minimum)"  --result "${STATUS_SUGGESTION}" --color YELLOW
+            AddHP 1 2
+        else
+            LogText "Result: number of encryption algorithm rounds is ${FIND}"
+            PASSWORD_MINIMUM_ROUNDS=${FIND}
+            Display --indent 2 --text "- Group password hashing rounds (minimum)" --result CONFIGURED --color GREEN
+            AddHP 2 2
+        fi
+
+        LogText "Test: Checking SHA_CRYPT_MAX_ROUNDS option in ${ROOTDIR}etc/login.defs"
+        FIND=$(${GREPBINARY} "^SHA_CRYPT_MAX_ROUNDS" ${ROOTDIR}etc/login.defs | ${AWKBINARY} '{ if ($1=="SHA_CRYPT_MAX_ROUNDS") { print $2 } }')
+        if [ -z "${FIND}" -o "${FIND}" = "0" ]; then
+            LogText "Result: number of maximum rounds used by the encryption algorithm is not configured"
+            Display --indent 2 --text "- Checking maximum group password hashing rounds" --result "${STATUS_DISABLED}" --color YELLOW
+            ReportSuggestion "${TEST_NO}" "Configure maximum encryption algorithm rounds in /etc/login.defs"
+            AddHP 0 2
+        elif [ "${FIND}" -lt 10000 ]; then
+            LogText "Result: low number of maximum encryption algorithm rounds found: ${FIND}"
+            PASSWORD_MINIMUM_ROUNDS=${FIND}
+            Display --indent 2 --text "- Group password hashing rounds (maximum)"  --result "${STATUS_SUGGESTION}" --color YELLOW
+            AddHP 1 2
+        else
+            LogText "Result: number of encryption algorithm rounds is ${FIND}"
+            PASSWORD_MINIMUM_ROUNDS=${FIND}
+            Display --indent 2 --text "- Group password hashing rounds (maximum)" --result CONFIGURED --color GREEN
+            AddHP 2 2
+        fi
+    fi
+#
+#################################################################################
 #
     # Test        : AUTH-9234
     # Description : Query user accounts
     # Notes       : AIX: 100+
     #               HPUX: 100+
     #               macOS doesn't have any user info in /etc/passwd, users are managed with opendirectoryd)
-    #               OpenBSD/NetBSD: unknown
+    #               OpenBSD/NetBSD: 1000-60000, excluding 32767 (default)
     #               Arch Linux / CentOS / Ubuntu: 1000+
     Register --test-no AUTH-9234 --weight L --network NO --category security --description "Query user accounts"
     if [ ${SKIPTEST} -eq 0 ]; then
@@ -373,9 +448,21 @@
                 fi
             ;;
 
-            "OpenBSD")
+            "NetBSD"|"OpenBSD")
-                LogText "OpenBSD real users output (ID = 0, or 1000-60000, but not 32767):"
+                if [ -f ${ROOTDIR}etc/usermgmt.conf ]; then
-                FIND=$(${AWKBINARY} -F: '($3 >= 1000 && $3 <= 60000 && $3 != 32767) || ($3 == 0) { print $1","$3 }' /etc/passwd)
+                    UID_RANGE=$(${GREPBINARY} "^range" ${ROOTDIR}etc/usermgmt.conf | ${AWKBINARY} '{ sub(/\.\./, "-", $2); print $2 }')
+                fi
+                if [ -n "${UID_RANGE}" ]; then
+                    LogText "Result: found configured user id range specified: ${UID_RANGE}"
+                    UID_MIN=$(echo $UID_RANGE | ${AWKBINARY} -F- '{ print $1 }')
+                    UID_MAX=$(echo $UID_RANGE | ${AWKBINARY} -F- '{ print $2 }')
+                else
+                    UID_MIN=1000
+                    UID_MAX=60000
+                    LogText "Result: no configured user id range specified; using default ${UID_MIN}-${UID_MAX}"
+                fi
+                LogText "${OS} real users output (ID = 0, or ${UID_MIN}-${UID_MAX}, but not 32767):"
+                FIND=$(${AWKBINARY} -v UID_MIN="${UID_MIN}" -v UID_MAX="${UID_MAX}" -F: '($3 >= UID_MIN && $3 <= UID_MAX && $3 != 32767) || ($3 == 0) { print $1","$3 }' /etc/passwd)
             ;;
 
             "Solaris")
@@ -415,7 +502,7 @@
             FIND=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${EGREPBINARY} "compat|nisplus")
             if [ -z "${FIND}" ]; then
                 LogText "Result: NIS+ authentication not enabled"
-                Display --indent 2 --text "- NIS+ authentication support" --result "NOT ENABLED" --color WHITE
+                Display --indent 2 --text "- NIS+ authentication support" --result "${STATUS_NOT_ENABLED}" --color WHITE
             else
                 FIND2=$(${EGREPBINARY} "^passwd_compat" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus")
                 FIND3=$(${EGREPBINARY} "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus")
@@ -424,7 +511,7 @@
                     Display --indent 2 --text "- NIS+ authentication support" --result "${STATUS_ENABLED}" --color GREEN
                 else
                     LogText "Result: NIS+ authentication not enabled"
-                    Display --indent 2 --text "- NIS+ authentication support" --result "NOT ENABLED" --color WHITE
+                    Display --indent 2 --text "- NIS+ authentication support" --result "${STATUS_NOT_ENABLED}" --color WHITE
                 fi
             fi
           else
@@ -442,7 +529,7 @@
             FIND=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${EGREPBINARY} "compat|nis" | ${GREPBINARY} -v "nisplus")
             if [ -z "${FIND}" ]; then
                 LogText "Result: NIS authentication not enabled"
-                Display --indent 2 --text "- NIS authentication support" --result "NOT ENABLED" --color WHITE
+                Display --indent 2 --text "- NIS authentication support" --result "${STATUS_NOT_ENABLED}" --color WHITE
             else
                 FIND2=$(${EGREPBINARY} "^passwd_compat" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus")
                 FIND3=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus")
@@ -451,7 +538,7 @@
                     Display --indent 2 --text "- NIS authentication support" --result "${STATUS_ENABLED}" --color GREEN
                 else
                     LogText "Result: NIS authentication not enabled"
-                    Display --indent 2 --text "- NIS authentication support" --result "NOT ENABLED" --color WHITE
+                    Display --indent 2 --text "- NIS authentication support" --result "${STATUS_NOT_ENABLED}" --color WHITE
                 fi
             fi
         else
@@ -497,7 +584,7 @@
         if [ -d "${SUDOERS_D}" ]; then
             LogText "Test: checking drop-in directory (${SUDOERS_D})"
             FIND=$(${LSBINARY} -ld ${SUDOERS_D} | ${CUTBINARY} -c 2-10)
-            FIND2=$(${LSBINARY} -nd ${SUDOERS_D} | ${AWKBINARY} '{print $3$4}')
+            FIND2=$(${LSBINARY} -lnd ${SUDOERS_D} | ${AWKBINARY} '{print $3$4}')
             LogText "Result: Found directory permissions: ${FIND} and owner UID GID: ${FIND2}"
             case "${FIND}" in
                 rwx[r-][w-][x-]--- )
@@ -525,7 +612,7 @@
         for f in ${SUDO_CONFIG_FILES}; do
             LogText "Test: checking file (${f})"
             FIND=$(${LSBINARY} -l ${f} | ${CUTBINARY} -c 2-10)
-            FIND2=$(${LSBINARY} -n ${f} | ${AWKBINARY} '{print $3$4}')
+            FIND2=$(${LSBINARY} -ln ${f} | ${AWKBINARY} '{print $3$4}')
             LogText "Result: Found file permissions: ${FIND} and owner UID GID: ${FIND2}"
             case "${FIND}" in
                 r[w-]-[r-][w-]---- )
@@ -677,7 +764,7 @@
             LogText "Result: directory /etc/pam.d exists"
             Display --indent 2 --text "- PAM configuration files (pam.d)" --result "${STATUS_FOUND}" --color GREEN
             LogText "Test: searching PAM configuration files"
-            FIND=$(${FINDBINARY} ${ROOTDIR}etc/pam.d -not -name "*.pam-old" -type f -print | sort)
+            FIND=$(${FINDBINARY} ${ROOTDIR}etc/pam.d \! -name "*.pam-old" -type f -print | sort)
             for FILE in ${FIND}; do
                 LogText "Found file: ${FILE}"
             done
@@ -691,9 +778,9 @@
 #
     # Test        : AUTH-9268
     # Description : Searching available PAM files
-    # Notes       : PAM is used on AIX, FreeBSD, Linux, HPUX, Solaris
+    # Notes       : PAM is used on AIX, FreeBSD, Linux, HPUX, NetBSD, Solaris
-    if [ ${OS} = "AIX" -o ${OS} = "Linux" -o ${OS} = "HPUX" -o ${OS} = "Solaris" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+    OS_USES_PAM="AIX DragonFly FreeBSD Linux HPUX NetBSD Solaris"
-    Register --test-no AUTH-9268 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking presence pam.d files"
+    Register --test-no AUTH-9268 --os "${OS_USES_PAM}" --weight L --network NO --category security --description "Checking presence pam.d files"
     if [ ${SKIPTEST} -eq 0 ]; then
         FOUND=0
         LogText "Test: Searching pam modules"
@@ -762,7 +849,7 @@
 #
 #################################################################################
 #
-    # Test        : AUTH-9282 and AUTH-9283
+    # Test        : AUTH-9282, AUTH-9283, and AUTH-9284
     # Note        : Every Linux based operating system seem to have different passwd
     #               options, so we have to check the version first.
     if [ "${OS}" = "Linux" ]; then
@@ -772,23 +859,27 @@
                     PREQS_MET="YES"
                     FIND_P=$(passwd -a -S 2> /dev/null | ${AWKBINARY} '{ if ($2=="P" && $5=="99999") print $1 }')
                     FIND2=$(passwd -a -S 2> /dev/null | ${AWKBINARY} '{ if ($2=="NP") print $1 }')
+                    FIND3=$(passwd -a -S 2> /dev/null | ${AWKBINARY} '{ if ($2=="L") print $1 }' | sort | uniq)
                     ;;
                 *)
                     PREQS_MET="YES"
                     FIND_P=$(passwd --all --status 2> /dev/null | ${AWKBINARY} '{ if ($2=="P" && $5=="99999") print $1 }')
                     FIND2=$(passwd --all --status 2> /dev/null | ${AWKBINARY} '{ if ($2=="NP") print $1 }')
+                    FIND3=$(passwd --all --status 2> /dev/null | ${AWKBINARY} '{ if ($2=="L") print $1 }' | sort | uniq)
                     ;;
             esac
         elif [ "${OS_REDHAT_OR_CLONE}" -eq 1 ]; then
             PREQS_MET="YES"
             FIND_P=$(for I in $(${AWKBINARY} -F: '{print $1}' "${ROOTDIR}etc/passwd") ; do passwd -S "$I" | ${AWKBINARY} '{ if ($2=="PS" && $5=="99999") print $1 }' ; done)
             FIND2=$(for I in $(${AWKBINARY} -F: '{print $1}' "${ROOTDIR}etc/passwd") ; do passwd -S "$I" | ${AWKBINARY} '{ if ($2=="NP") print $1 }' ; done)
+            FIND3=$(for I in $(${AWKBINARY} -F: '{print $1}' "${ROOTDIR}etc/passwd") ; do passwd -S "$I" | ${AWKBINARY} '{ if ($2=="L" || $2=="LK") print $1 }' | sort | uniq ; done)
         else
             LogText "Result: skipping test for this Linux version"
             ReportManual "AUTH-9282:01"
             PREQS_MET="NO"
             FIND_P=""
             FIND2=""
+            FIND3=""
         fi
     else
         PREQS_MET="NO"
@@ -811,11 +902,10 @@
             ReportSuggestion "${TEST_NO}" "When possible set expire dates for all password protected accounts"
         fi
     fi
-#
+
-#################################################################################
-#
     # Test        : AUTH-9283
     # Description : Search passwordless accounts
+    # Notes       : requires FIND2 variable
     Register --test-no AUTH-9283 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking accounts without password"
     if [ "${SKIPTEST}" -eq 0 ]; then
         LogText "Test: Checking passwordless accounts"
@@ -832,6 +922,38 @@
             ReportWarning "${TEST_NO}" "Found accounts without password"
         fi
     fi
+
+    # Test        : AUTH-9284
+    # Description : Check locked user accounts in /etc/passwd
+    # Notes       : requires FIND3 variable
+    Register --test-no AUTH-9284 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check locked user accounts in /etc/passwd"
+    if [ "${SKIPTEST}" -eq 0 ]; then
+        LogText "Test: Checking locked accounts"
+        NON_SYSTEM_ACCOUNTS=$(${AWKBINARY} -F : '$3 > 999 && $3 != 65534 {print $1}' ${ROOTDIR}etc/passwd | ${SORTBINARY} | ${UNIQBINARY})
+        LOCKED_NON_SYSTEM_ACCOUNTS=0
+        for account in ${FIND3}; do
+            if echo "${NON_SYSTEM_ACCOUNTS}" | ${GREPBINARY} -w "${account}" > /dev/null ; then
+                LOCKED_NON_SYSTEM_ACCOUNTS=$((LOCKED_NON_SYSTEM_ACCOUNTS + 1))
+            fi
+        done
+        if [ ${LOCKED_NON_SYSTEM_ACCOUNTS} -eq 0 ]; then
+            LogText "Result: all accounts seem to be unlocked"
+            Display --indent 2 --text "- Locked accounts" --result "${STATUS_OK}" --color GREEN
+        else
+            LogText "Result: found one or more locked accounts"
+            for account in ${FIND3}; do
+                if echo "${NON_SYSTEM_ACCOUNTS}" | ${GREPBINARY} -w "${account}" > /dev/null ; then
+                    LogText "Locked account: ${account}"
+                    Report "locked_account[]=${account}"
+                fi
+            done
+            Display --indent 2 --text "- Locked accounts" --result "${STATUS_FOUND}" --color RED
+            ReportSuggestion "${TEST_NO}" "Look at the locked accounts and consider removing them"
+        fi
+        unset account LOCKED_NON_SYSTEM_ACCOUNTS NON_SYSTEM_ACCOUNTS
+    fi
+
+    unset FIND1 FIND2 FIND3
 #
 #################################################################################
 #
@@ -946,7 +1068,7 @@
     # Test        : AUTH-9306
     # Description : Check if authentication is needed to boot the system
     # Notes       : :d_boot_authenticate: is a good option for production machines to
-    #               avoid unauthorized booting of systems. Option :d_boot_autentication@:
+    #               avoid unauthorized booting of systems. Option :d_boot_authentication@:
     #               disabled a required login.
     Register --test-no AUTH-9306 --os HP-UX --weight L --network NO --category security --description "Check single boot authentication"
     if [ ${SKIPTEST} -eq 0 ]; then
@@ -1353,7 +1475,7 @@
         if [ ${FOUND} -eq 1 ]; then
             Display --indent 2 --text "- Checking account locking" --result "${STATUS_ENABLED}" --color GREEN
         else
-            Display --indent 2 --text "- Checking account locking" --result "NOT ENABLED" --color YELLOW
+            Display --indent 2 --text "- Checking account locking" --result "${STATUS_NOT_ENABLED}" --color YELLOW
         fi
     fi
 #
@@ -1367,7 +1489,7 @@
             FIND=$(${EGREPBINARY} "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "ldap")
             if [ "${FIND}" = "" ]; then
                 LogText "Result: LDAP authentication not enabled"
-                Display --indent 2 --text "- LDAP authentication support" --result "NOT ENABLED" --color WHITE
+                Display --indent 2 --text "- LDAP authentication support" --result "${STATUS_NOT_ENABLED}" --color WHITE
             else
                 LogText "Result: LDAP authentication enabled"
                 Display --indent 2 --text "- LDAP authentication support" --result "${STATUS_ENABLED}" --color GREEN

include/tests_banners

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -22,7 +22,7 @@
 #
 #################################################################################
 #
-    InsertSection "Banners and identification"
+    InsertSection "${SECTION_BANNERS_AND_IDENTIFICATION}"
 #
 #################################################################################
 #

include/tests_boot_services

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -22,7 +22,7 @@
 #
 #################################################################################
 #
-    InsertSection "Boot and services"
+    InsertSection "${SECTION_BOOT_AND_SERVICES}"
 #
 #################################################################################
 #
@@ -139,6 +139,13 @@
                     SERVICE_MANAGER="launchd"
                 fi
             ;;
+            "Solaris")
+                if [ -n "${ROOTDIR}usr/bin/svcs" ]; then
+                    SERVICE_MANAGER="SMF (svcs)"
+                elif [ -d "${ROOTDIR}etc/init.d" ]; then
+                    SERVICE_MANAGER="SysV Init"
+                fi
+            ;;
             *)
                 LogText "Result: unknown service manager"
             ;;
@@ -182,6 +189,21 @@
     fi
 #
 #################################################################################
+#
+    # Test        : BOOT-5109
+    # Description : Check for rEFInd
+    Register --test-no BOOT-5109 --os "Linux" --weight L --network NO --root-only YES --category security --description "Check rEFInd as bootloader"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        BOOT_LOADER_SEARCHED=1
+        FileExists ${ROOTDIR}boot/refind_linux.conf
+        if [ ${FILE_FOUND} -eq 1 ]; then
+            LogText "Result: found rEFInd"
+            BOOT_LOADER="rEFInd"
+            BOOT_LOADER_FOUND=1
+        fi
+    fi
+#
+#################################################################################
 #
     # Test        : BOOT-5116
     # Description : Check if system is booted in UEFI mode
@@ -316,34 +338,50 @@
     Register --test-no BOOT-5122 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for GRUB boot password"
     if [ ${SKIPTEST} -eq 0 ]; then
         FOUND=0
-        LogText "Found file ${GRUBCONFFILE}, proceeding with tests."
+
-        FileIsReadable ${GRUBCONFFILE}
+        if [ -d "${ROOTDIR}etc/grub.d" ]; then
-        if [ ${CANREAD} -eq 1 ]; then
+            CONF_FILES=$(${FINDBINARY} "${ROOTDIR}etc/grub.d" -type f -name "[0-9][0-9]*" -print0 | ${TRBINARY} '\0' ' ' | ${TRBINARY} -d '[:cntrl:]')
-            FIND=$(${GREPBINARY} 'password --md5' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#')
+            CONF_FILES="${GRUBCONFFILE} ${ROOTDIR}boot/grub/custom.cfg ${CONF_FILES}"
-            FIND2=$(${GREPBINARY} 'password --encrypted' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#')
+        else
-            FIND3=$(${GREPBINARY} 'set superusers' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#')
+            CONF_FILES="${GRUBCONFFILE} ${ROOTDIR}boot/grub/custom.cfg"
-            FIND4=$(${GREPBINARY} 'password_pbkdf2' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#')
+        fi
-            FIND5=$(${GREPBINARY} 'grub.pbkdf2' ${GRUBCONFFILE} | ${GREPBINARY} -v '^#')
+
+        for FILE in ${CONF_FILES}; do
+            if [ -f "${FILE}" ]; then
+                LogText "Found file ${FILE}, proceeding with tests."
+                if FileIsReadable "${FILE}"; then
+                    FIND=$(${GREPBINARY} 'password --md5' ${FILE} | ${GREPBINARY} -v '^#')
+                    FIND2=$(${GREPBINARY} 'password --encrypted' ${FILE} | ${GREPBINARY} -v '^#')
+                    FIND3=$(${GREPBINARY} 'set superusers' ${FILE} | ${GREPBINARY} -v '^#')
+                    FIND4=$(${GREPBINARY} 'password_pbkdf2' ${FILE} | ${GREPBINARY} -v '^#')
+                    FIND5=$(${GREPBINARY} 'grub.pbkdf2' ${FILE} | ${GREPBINARY} -v '^#')
                     # GRUB1: Password should be set (MD5 or SHA1)
                     if [ -n "${FIND}" -o -n "${FIND2}" ]; then
                         FOUND=1
                     # GRUB2: Superusers AND password should be defined
                     elif [ -n "${FIND3}" ]; then
                         if [ -n "${FIND4}" -o -n "${FIND5}" ]; then FOUND=1; fi
+                    else
+                        LogText "Result: did not find hashed password line in this file"
                     fi
+                else
+                    LogText "Result: Can not read '${FILE}' (no permission?)"
+                fi
+            else
+                LogText "Result: File '${FILE}' does not exist"
+            fi
+        done
         if [ ${FOUND} -eq 1 ]; then
                 Display --indent 4 --text "- Checking for password protection" --result "${STATUS_OK}" --color GREEN
                 LogText "Result: GRUB has password protection."
                 AddHP 4 4
         else
                 Display --indent 4 --text "- Checking for password protection" --result "${STATUS_NONE}" --color RED
-                LogText "Result: Didn't find hashed password line in GRUB boot file!"
+                LogText "Result: Didn't find hashed password line in GRUB configuration"
-                ReportSuggestion "${TEST_NO}" "Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password)"
+                ReportSuggestion "${TEST_NO}" "Set a password on GRUB boot loader to prevent altering boot configuration (e.g. boot in single user mode without password)"
                 AddHP 0 2
         fi
-        else
+        unset CONF_FILES FILE FIND FIND2 FIND3 FIND4 FIND5 FOUND
-            LogText "Result: Can not read ${GRUBCONFFILE} (no permission)"
-        fi
     fi
 #
 #################################################################################
@@ -555,6 +593,55 @@
     fi
 #
 #################################################################################
+#
+    # Test        : BOOT-5170
+    # Description : Check for Solaris boot daemons
+    Register --test-no BOOT-5170 --os Solaris --weight L --network NO --category security --description "Check for Solaris boot daemons"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        if [ -n "${SVCSBINARY}" ]; then
+            LogText "Result: Using svcs binary to check for daemons"
+            LogText "SysV style services may be incorrectly counted as running."
+
+            Report "running_service_tool=svcs"
+
+            # For the documentation of the states (field $1) see
+            # "Managing System Services in Oracle Solaris 11.4" pp. 24, available
+            # at https://docs.oracle.com/cd/E37838_01/pdf/E60998.pdf
+
+            FIND=$("${SVCSBINARY}" -Ha | ${AWKBINARY} '{ if ($1 == "online" || $1 == "legacy_run") print $3 }')
+            COUNT=0
+            for ITEM in ${FIND}; do
+                LogText "Found running daemon: ${ITEM}"
+                Report "running_service[]=${ITEM}"
+                COUNT=$((COUNT + 1 ))
+            done
+            Display --indent 2 --text "- Check running daemons (svcs)" --result "${STATUS_DONE}" --color GREEN
+            Display --indent 8 --text "Result: found ${COUNT} running daemons"
+            LogText "Result: Found ${COUNT} running daemons"
+
+            LogText "Searching for enabled daemons (svcs)"
+            Report "boot_service_tool=svcs"
+
+            FIND=$("${SVCSBINARY}" -Ha | ${AWKBINARY} '{ if ($1 != "disabled" && $1 != "uninitialized") print $3 }')
+            COUNT=0
+            for ITEM in ${FIND}; do
+                LogText "Found enabled daemon at boot: ${ITEM}"
+                Report "boot_service[]=${ITEM}"
+                COUNT=$((COUNT + 1 ))
+            done
+            LogText "Note: Run svcs -a see all services"
+            Display --indent 2 --text "- Check enabled daemons at boot (svcs)" --result "${STATUS_DONE}" --color GREEN
+            Display --indent 8 --text "Result: found ${COUNT} enabled daemons at boot"
+            LogText "Result: Found ${COUNT} enabled daemons at boot"
+        fi
+    fi
+#
+#################################################################################
+#
+    # Test        : BOOT-5171
+    # Description : Check for services with errors on solaris
+#
+#################################################################################
 #
     # Test        : BOOT-5177
     # Description : Check for Linux boot services (systemd and chkconfig)
@@ -579,7 +666,7 @@
             LogText "Hint: Run systemctl --full --type=service to see all services"
             Display --indent 2 --text "- Check running services (systemctl)" --result "${STATUS_DONE}" --color GREEN
             Display --indent 8 --text "Result: found ${COUNT} running services"
-            LogText "Result: Found ${COUNT} enabled services"
+            LogText "Result: Found ${COUNT} running services"
 
             # Services at boot
             LogText "Searching for enabled services (systemctl services only)"
@@ -594,7 +681,7 @@
             LogText "Hint: Run systemctl list-unit-files --type=service to see all services"
             Display --indent 2 --text "- Check enabled services at boot (systemctl)" --result "${STATUS_DONE}" --color GREEN
             Display --indent 8 --text "Result: found ${COUNT} enabled services"
-            LogText "Result: Found ${COUNT} running services"
+            LogText "Result: Found ${COUNT} enabled services"
 
         else
 
@@ -655,7 +742,7 @@
 #
     # Test        : BOOT-5184
     # Description : Check world writable startup scripts
-    Register --test-no BOOT-5184 --os Linux --weight L --network NO --category security --description "Check permissions for boot files/scripts"
+    Register --test-no BOOT-5184 --os "Linux Solaris" --weight L --network NO --category security --description "Check permissions for boot files/scripts"
     if [ ${SKIPTEST} -eq 0 ]; then
         FOUND=0
         CHECKDIRS="${ROOTDIR}etc/init.d ${ROOTDIR}etc/rc.d ${ROOTDIR}etc/rcS.d"
@@ -822,7 +909,7 @@
 #
     # Test        : BOOT-5260
     # Description : Check single user mode for systemd
-    Register --test-no BOOT-5260 --weight L --network NO --category security --description "Check single user mode for systemd"
+    Register --test-no BOOT-5260 --os Linux --weight L --network NO --category security --description "Check single user mode for systemd"
     if [ ${SKIPTEST} -eq 0 ]; then
         LogText "Test: Searching /usr/lib/systemd/system/rescue.service"
         if [ -f ${ROOTDIR}usr/lib/systemd/system/rescue.service ]; then
@@ -959,6 +1046,44 @@
     fi
 #
 #################################################################################
+#
+    # Test        : BOOT-5264
+    # Description : Run systemd-analyze security
+    if [ -z "${SYSTEMDANALYZEBINARY}" ]; then SKIPREASON="systemd-analyze not available"; PREQS_MET="NO";
+    else
+        SYSTEMD_VERSION=$("${SYSTEMDANALYZEBINARY}" --version | ${AWKBINARY} '/^systemd / {print $2}')
+        if [ "${SYSTEMD_VERSION}" -ge 240 ]; then PREQS_MET="YES"; else SKIPREASON="systemd-analyze too old (v${SYSTEMD_VERSION}), need at least v240"; PREQS_MET="NO"; fi
+    fi
+    Register --test-no BOOT-5264 --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --os Linux --weight L --network NO --category security --description "Run systemd-analyze security"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        LogText "Test: Run systemd-analyze security"
+        Display --indent 2 --text "- Running 'systemd-analyze security'"
+        ${SYSTEMDANALYZEBINARY} security | while read UNIT EXPOSURE PREDICATE HAPPY; do
+            if [ "${UNIT}" = "UNIT" ]; then
+                continue
+            fi
+            COLOR="BLACK"
+            case ${PREDICATE} in
+                PERFECT | SAFE | OK)
+                    COLOR=GREEN
+                ;;
+                MEDIUM)
+                    COLOR=WHITE
+                ;;
+                EXPOSED)
+                    COLOR=YELLOW
+                ;;
+                UNSAFE | DANGEROUS)
+                    COLOR=RED
+                ;;
+            esac
+            Display --indent 8 --text "- ${UNIT}:" --result "${PREDICATE}" --color "${COLOR}"
+            LogText "Result: ${UNIT}: ${EXPOSURE} ${PREDICATE}"
+        done
+        ReportSuggestion "${TEST_NO}" "Consider hardening system services" "Run '${SYSTEMDANALYZEBINARY} security SERVICE' for each service"
+    fi
+#
+#################################################################################
 #
 
 Report "boot_loader=${BOOT_LOADER}"

include/tests_containers

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -22,7 +22,7 @@
 #
 #################################################################################
 #
-    InsertSection "Containers"
+    InsertSection "${SECTION_CONTAINERS}"
 #
 #################################################################################
 #
@@ -226,4 +226,4 @@ WaitForKeyPress
 
 #
 #================================================================================
-# Lynis - Copyright 2007-2019, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2020, CISOfy - https://cisofy.com

include/tests_crypto

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -22,7 +22,11 @@
 #
 #################################################################################
 #
-    InsertSection "Cryptography"
+    RNG_FOUND=0
+#
+#################################################################################
+#
+    InsertSection "${SECTION_CRYPTOGRAPHY}"
 #
 #################################################################################
 #
@@ -50,7 +54,7 @@
                     LASTSUBDIR=""
                     LogText "Result: found directory ${DIR}"
                     # Search for certificate files
-                    FILES=$(${FINDBINARY} ${DIR} -type f 2> /dev/null | ${EGREPBINARY} ".crt$|.pem$|^cert" | ${SORTBINARY} | ${SEDBINARY} 's/ /__space__/g')
+                    FILES=$(${FINDBINARY} ${DIR} -type f 2> /dev/null | ${EGREPBINARY} ".cer$|.crt$|.der$|.pem$|^cert" | ${SORTBINARY} | ${SEDBINARY} 's/ /__space__/g')
                     for FILE in ${FILES}; do
                         FILE=$(echo ${FILE} | ${SEDBINARY} 's/__space__/ /g')
                         # See if we need to skip this path
@@ -63,7 +67,7 @@
                             SKIP=0
                             # Now check if this path is on the to-be-ignored list
                             for D in ${SSL_CERTIFICATE_PATHS_TO_IGNORE}; do
-                                if Equals "${D}" "${SUBDIR}"; then
+                                if ContainsString "${D}" "${SUBDIR}"; then
                                     SKIP=1
                                     LogText "Result: skipping directory (${SUBDIR}) as it is on ignore list"
                                 fi
@@ -74,18 +78,25 @@
                             COUNT_DIR=$((COUNT_DIR + 1))
                             FileIsReadable "${FILE}"
                             if [ ${CANREAD} -eq 1 ]; then
-                                # Only check the files that are not installed by a package
+                                # Only check the files that are not installed by a package, unless enabled by profile
-                                if ! FileInstalledByPackage "${FILE}"; then
+                                if [ ${SSL_CERTIFICATE_INCLUDE_PACKAGES} -eq 1 ] || ! FileInstalledByPackage "${FILE}"; then
+                                    echo ${FILE} | ${EGREPBINARY} --quiet ".cer$|.der$"
+                                    CER_DER=$?
                                     OUTPUT=$(${GREPBINARY} -q 'BEGIN CERT' "${FILE}")
-                                    if [ $? -eq 0 ]; then
+                                    if [ $? -eq 0 -o ${CER_DER} -eq 0 ]; then
                                         LogText "Result: file is a certificate file"
-                                        FIND=$(${OPENSSLBINARY} x509 -noout -in "${FILE}" -enddate 2> /dev/null | ${GREPBINARY} "^notAfter")
+                                        if [ ${CER_DER} -eq 0 ]; then
+                                            SSL_DER_OPT="-inform der"
+                                        else
+                                            SSL_DER_OPT=
+                                        fi
+                                        FIND=$(${OPENSSLBINARY} x509 -noout ${SSL_DER_OPT} -in "${FILE}" -enddate 2> /dev/null | ${GREPBINARY} "^notAfter")
                                         if [ $? -eq 0 ]; then
                                             # Check certificate where 'end date' has been expired
-                                            FIND=$(${OPENSSLBINARY} x509 -noout -checkend 0 -in "${FILE}" -enddate 2> /dev/null)
+                                            FIND=$(${OPENSSLBINARY} x509 -noout ${SSL_DER_OPT} -checkend 0 -in "${FILE}" -enddate 2> /dev/null)
                                             EXIT_CODE=$?
-                                            CERT_CN=$(${OPENSSLBINARY} x509 -noout -subject -in "${FILE}" 2> /dev/null | ${SEDBINARY} -e 's/^subject.*CN=\([a-zA-Z0-9\.\-\*]*\).*$/\1/')
+                                            CERT_CN=$(${OPENSSLBINARY} x509 -noout ${SSL_DER_OPT} -subject -in "${FILE}" 2> /dev/null | ${SEDBINARY} -e 's/^subject.*CN=\([a-zA-Z0-9\.\-\*]*\).*$/\1/')
-                                            CERT_NOTAFTER=$(${OPENSSLBINARY} x509 -noout -enddate -in "${FILE}" 2> /dev/null | ${AWKBINARY} -F= '{if ($1=="notAfter") { print $2 }}')
+                                            CERT_NOTAFTER=$(${OPENSSLBINARY} x509 -noout ${SSL_DER_OPT} -enddate -in "${FILE}" 2> /dev/null | ${AWKBINARY} -F= '{if ($1=="notAfter") { print $2 }}')
                                             Report "certificate[]=${FILE}|${EXIT_CODE}|cn:${CERT_CN};notafter:${CERT_NOTAFTER};|"
                                             if [ ${EXIT_CODE} -eq 0 ]; then 
                                                 LogText "Result: certificate ${FILE} seems to be correct and still valid"
@@ -173,6 +184,39 @@
     fi
 #
 #################################################################################
+#
+    # Test        : CRYP-7931
+    # Description : Determine if system uses encrypted swap
+    if [ -e "${SWAPONBINARY}" -a -e "${CRYPTSETUPBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+    Register --test-no CRYP-7931 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Determine if system uses encrypted swap"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        ENCRYPTED_SWAPS=0
+        UNENCRYPTED_SWAPS=0
+        # Redirect errors, as RHEL 5/6 and others don't have the --show option
+        SWAPS=$(${SWAPONBINARY} --show=NAME --noheadings 2> /dev/null)
+        if [ $? -eq 0 ]; then
+            for BLOCK_DEV in ${SWAPS}; do
+                if ${CRYPTSETUPBINARY} isLuks "${BLOCK_DEV}" 2> /dev/null; then
+                    LogText "Result: Found LUKS encrypted swap device: ${BLOCK_DEV}"
+                    ENCRYPTED_SWAPS=$((ENCRYPTED_SWAPS + 1))
+                    Report "encrypted_swap[]=${BLOCK_DEV},LUKS"
+                elif ${CRYPTSETUPBINARY} status "${BLOCK_DEV}" 2> /dev/null | ${GREPBINARY} --quiet "cipher:"; then
+                    LogText "Result: Found non-LUKS encrypted swap device: ${BLOCK_DEV}"
+                    ENCRYPTED_SWAPS=$((ENCRYPTED_SWAPS + 1))
+                    Report "encrypted_swap[]=${BLOCK_DEV},other"
+                else
+                    LogText "Result: Found unencrypted swap device: ${BLOCK_DEV}"
+                    UNENCRYPTED_SWAPS=$((UNENCRYPTED_SWAPS +1))
+                    Report "non_encrypted_swap[]=${BLOCK_DEV}"
+                fi
+            done
+            Display --indent 2 --text "- Found ${ENCRYPTED_SWAPS} encrypted and ${UNENCRYPTED_SWAPS} unencrypted swap devices in use." --result OK --color WHITE
+        else
+            LogText "Result: skipping testing as swapon returned an error."
+        fi
+    fi
+#
+#################################################################################
 #
     # Test        : CRYP-8002
     # Description : Gather available kernel entropy
@@ -194,6 +238,64 @@
     fi
 #
 #################################################################################
+#
+    # Test        : CRYP-8004
+    # Description : Test for presence of hardware random number generators
+    Register --test-no CRYP-8004 --os Linux --weight L --network NO --root-only NO --category security --description "Presence of hardware random number generators"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        LogText "Test: looking for ${ROOTDIR}sys/class/misc/hw_random/rng_current"
+        if [ -f "${ROOTDIR}sys/class/misc/hw_random/rng_current" ]; then
+            DATA=$(${HEADBINARY} -n 1 ${ROOTDIR}sys/class/misc/hw_random/rng_current | ${TRBINARY} -d '[[:cntrl:]]')
+            if [ "${DATA}" != "none" ]; then
+                LogText "Result: positive match, found RNG: ${DATA}"
+                if IsRunning "rngd"; then
+                    Display --indent 2 --text "- HW RNG & rngd" --result "${STATUS_YES}" --color GREEN
+                    LogText "Result: rngd is running"
+                    RNG_FOUND=1
+                else
+                    Display --indent 2 --text "- HW RNG & rngd" --result "${STATUS_NO}" --color YELLOW
+                    # TODO - enable suggestion when website has listing for this control
+                    # ReportSuggestion "${TEST_NO}" "Utilize hardware random number generation by running rngd"
+                fi
+            else
+                Display --indent 2 --text "- HW RNG & rngd" --result "${STATUS_NO}" --color YELLOW
+                LogText "Result: no HW RNG available"
+            fi
+        else
+            Display --indent 2 --text "- HW RNG & rngd" --result "${STATUS_NO}" --color RED
+            LogText "Result: could not find ${ROOTDIR}sys/class/misc/hw_random/rng_current"
+        fi
+    fi
+#
+#################################################################################
+#
+    # Test        : CRYP-8005
+    # Description : Test for presence of software pseudo random number generators
+    Register --test-no CRYP-8005 --os Linux --weight L --network NO --root-only NO --category security --description "Presence of software pseudo random number generators"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        LogText "Test: looking for software pseudo random number generators"
+        FOUND=""
+        for SERVICE in audio-entropyd haveged jitterentropy-rngd; do
+            # Using --full as jitterentropy-rngd would otherwise not match
+            if IsRunning --full "${SERVICE}"; then
+                FOUND="${FOUND} ${SERVICE}"
+            fi
+        done
+        if [ -z "${FOUND}" ]; then
+            Display --indent 2 --text "- SW prng" --result "${STATUS_NO}" --color YELLOW
+            # ReportSuggestion "${TEST_NO}" "Utilize software pseudo random number generators"
+        else
+            RNG_FOUND=1
+            Display --indent 2 --text "- SW prng" --result "${STATUS_YES}" --color GREEN
+            LogText "Result: found ${FOUND} running"
+        fi
+    fi
+#
+#################################################################################
+#
+    Report "rng_found=${RNG_FOUND}"
+#
+#################################################################################
 #
 
 WaitForKeyPress

include/tests_databases

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -39,7 +39,7 @@
 #
 #################################################################################
 #
-    InsertSection "Databases"
+    InsertSection "${SECTION_DATABASES}"
 
     # Test        : DBS-1804
     # Description : Check if MySQL is being used
@@ -86,7 +86,7 @@
 
         # "-u root --password=" avoids ~/.my.cnf authentication settings
         # "plugin = 'mysql_native_password' AND authentication_string = ''" avoids false positives when secure plugins are used 
-        FIND=$(${MYSQLCLIENTBINARY} --no-defaults -u root --password= --silent --batch --execute="SELECT count(*) FROM mysql.user WHERE user = 'root' AND plugin = 'mysql_native_password' AND authentication_string = ''" mysql 2>/dev/null; echo $?)
+        FIND=$(${MYSQLCLIENTBINARY} --no-defaults -u root --password= --silent --batch --execute="SELECT count(*) FROM mysql.user WHERE user = 'root' AND plugin = 'mysql_native_password' AND authentication_string = ''" mysql > /dev/null 2>&1; echo $?)
         if [ "${FIND}" = "0" ]; then
            LogText "Result: Login succeeded, no MySQL root password set!"
            ReportWarning "${TEST_NO}" "No MySQL root password set"

include/tests_dns

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -45,11 +45,11 @@
 #
 #            if [ "${GOOD}" = "${TIMEOUT}" -a "${BAD}" = "${TIMEOUT}" ]; then
 #                LogText "Result: received timeout, can't determine DNSSEC validation"
-#                Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKOWN}" --color YELLOW
+#                Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKNOWN}" --color YELLOW
 #                #ReportException "${TEST_NO}" "Exception found, both query failed, due to connection timeout"
 #            elif [ -z "${GOOD}" -a -n "${BAD}" ]; then
 #                LogText "Result: good signature failed, yet bad signature was accepted"
-#                Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKOWN}" --color YELLOW
+#                Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKNOWN}" --color YELLOW
 #                #ReportException "${TEST_NO}" "Exception found, OK failed, bad signature was accepted"
 #            elif [ -n "${GOOD}" -a -n "${BAD}" ]; then
 #                Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_SUGGESTION}" --color YELLOW

include/tests_file_integrity

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -25,7 +25,7 @@
 #
 #################################################################################
 #
-    InsertSection "Software: file integrity"
+    InsertSection "${SECTION_FILE_INTEGRITY}"
     Display --indent 2 --text "- Checking file integrity tools"
 #
 #################################################################################
@@ -297,6 +297,107 @@
     fi
 #
 #################################################################################
+#
+    # Test        : FINT-4339
+    # Description : Check IMA/EVM status
+    if [ ! -z "${EVMCTLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; SKIPREASON="No evmctl binary found"; fi
+    Register --test-no FINT-4339 --os Linux --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Check IMA/EVM status"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        FOUND=0
+        if [ -e /sys/kernel/security/ima ]; then
+            FOUND=$(${CAT_BINARY} /sys/kernel/security/ima/runtime_measurements_count)
+        fi
+        if [ "${FOUND}" -ne 1 ]; then
+            LogText "Result: EVM tools found but IMA/EVM disabled"
+            Display --indent 2 --text "- IMA/EVM (status)" --result "${STATUS_DISABLED}" --color YELLOW
+        else
+            LogText "Result: EVM tools found, IMA/EVM enabled"
+            FILE_INT_TOOL="evmctl"
+            FILE_INT_TOOL_FOUND=1
+            Display --indent 2 --text "- IMA/EVM (status)" --result "${STATUS_ENABLED}" --color GREEN
+        fi
+    fi
+#
+#################################################################################
+#
+    # Test        : FINT-4340
+    # Description : Check dm-integrity status
+    if [ ! -z "${INTEGRITYSETUPBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; SKIPREASON="No integritysetup binary found"; fi
+    Register --test-no FINT-4340 --os Linux --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Check dm-integrity status"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        FOUND=0
+        ROOTPROTECTED=0
+	ROOTDEVICE=$(${MOUNTBINARY} | ${AWKBINARY} '/ on \/ type / { print $1 }')
+	for DEVICE in /dev/mapper/*; do
+	    if [ -e "${DEVICE}" ]; then
+		FIND=$(${INTEGRITYSETUPBINARY} status "${DEVICE}" | ${EGREPBINARY} 'type:.*INTEGRITY')
+		if [ ! -z "${FIND}" ]; then
+		    FOUND=1
+		    LogText "Result: found dm-integrity device ${DEVICE}"
+		    if [ "${DEVICE}" = "${ROOTDEVICE}" ]; then
+			ROOTPROTECTED=1
+		    fi
+		fi
+	    fi
+	done
+        if [ "${FOUND}" -ne 1 ]; then
+            LogText "Result: dm-integrity tools found but no active devices"
+            Display --indent 2 --text "- dm-integrity (status)" --result "${STATUS_DISABLED}" --color WHITE
+        else
+            LogText "Result: dm-integrity tools found, active devices"
+	    if [ ${ROOTPROTECTED} -eq 1 ]; then
+		LogText "Result: root filesystem is protected by dm-integrity"
+		Display --indent 2 --text "- dm-integrity (status)" --result "${STATUS_ENABLED}" --color GREEN
+	    else
+		LogText "Result: root filesystem is not protected by dm-integrity but active devices found"
+		Display --indent 2 --text "- dm-integrity (status)" --result "${STATUS_FOUND}" --color YELLOW
+	    fi
+            FILE_INT_TOOL="dm-integrity"
+            FILE_INT_TOOL_FOUND=1
+            Display --indent 2 --text "- dm-integrity (status)" --result "${STATUS_ENABLED}" --color GREEN
+        fi
+    fi
+#
+#################################################################################
+#
+    # Test        : FINT-4341
+    # Description : Check dm-verity status
+    if [ ! -z "${VERITYSETUPBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; SKIPREASON="No veritysetup binary found"; fi
+    Register --test-no FINT-4341 --os Linux --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Check dm-verity status"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        FOUND=0
+        ROOTPROTECTED=0
+	ROOTDEVICE=$(${MOUNTBINARY} | ${AWKBINARY} '/ on \/ type / { print $1 }')
+	for DEVICE in /dev/mapper/*; do
+	    if [ -e "${DEVICE}" ]; then
+		FIND=$(${VERITYSETUPBINARY} status "${DEVICE}" | ${EGREPBINARY} 'type:.*VERITY')
+		if [ ! -z "${FIND}" ]; then
+		    FOUND=1
+		    LogText "Result: found dm-verity device ${DEVICE}"
+		    if [ "${DEVICE}" = "${ROOTDEVICE}" ]; then
+			ROOTPROTECTED=1
+		    fi
+		fi
+	    fi
+	done
+        if [ "${FOUND}" -ne 1 ]; then
+            LogText "Result: dm-verity tools found but no active devices"
+            Display --indent 2 --text "- dm-verity (status)" --result "${STATUS_DISABLED}" --color WHITE
+        else
+            LogText "Result: dm-verity tools found, active devices"
+	    if [ ${ROOTPROTECTED} -eq 1 ]; then
+		LogText "Result: root filesystem is protected by dm-verity"
+		Display --indent 2 --text "- dm-verity (status)" --result "${STATUS_ENABLED}" --color GREEN
+	    else
+		LogText "Result: root filesystem is not protected by dm-verity but active devices found"
+		Display --indent 2 --text "- dm-verity (status)" --result "${STATUS_FOUND}" --color YELLOW
+	    fi
+            FILE_INT_TOOL="dm-verity"
+            FILE_INT_TOOL_FOUND=1
+        fi
+    fi
+#
+#################################################################################
 #
     # Test        : FINT-4402 (was FINT-4316)
     # Description : Check if AIDE is configured to use SHA256 or SHA512 checksums
@@ -340,4 +441,4 @@
     WaitForKeyPress
 #
 #================================================================================
-# Lynis - Copyright 2007-2019 Michael Boelen, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2020 Michael Boelen, CISOfy - https://cisofy.com

include/tests_file_permissions

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -22,7 +22,7 @@
 #
 #################################################################################
 #
-    InsertSection "File Permissions"
+    InsertSection "${SECTION_FILE_PERMISSIONS}"
 #
 #################################################################################
 #
@@ -72,4 +72,4 @@ WaitForKeyPress
 
 #
 #================================================================================
-# Lynis - Copyright 2007-2019, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2020, CISOfy - https://cisofy.com

include/tests_filesystems

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -28,7 +28,7 @@
 #
 #################################################################################
 #
-    InsertSection "File systems"
+    InsertSection "${SECTION_FILE_SYSTEMS}"
 #
 #################################################################################
 #
@@ -50,6 +50,7 @@
                 LogText "Result: directory ${I} exists"
                 case "${OS}" in
                     "AIX") FIND=$(${MOUNTBINARY} | ${AWKBINARY} -v MP=${I} '{ if ($2==MP) { print $2 }}') ;;
+                    "HP-UX") FIND=$(${MOUNTBINARY} | ${AWKBINARY} -v MP=${I} '{ if ($1==MP) { print $1 }}') ;;
                     *) FIND=$(${MOUNTBINARY} | ${AWKBINARY} -v MP=${I} '{ if ($3==MP) { print $3 }}') ;;
                 esac
 
@@ -211,10 +212,11 @@
 #################################################################################
 #
     # Test        : FILE-6330
-    # Description : Query all ZFS mounts from /etc/fstab
+    # Description : Query ZFS mounts
+    # Note        : mount -p does not work under Linux
     Register --test-no FILE-6330 --os FreeBSD --weight L --network NO --category security --description "Checking ZFS file systems"
     if [ ${SKIPTEST} -eq 0 ]; then
-        LogText "Test: Query /etc/fstab for available ZFS mount points"
+        LogText "Test: Discover for available ZFS mount points"
         FIND=$(${MOUNTBINARY} -p | ${AWKBINARY} '{ if ($3 == "zfs") { print $1":"$2":"$3":"$4":" }}')
         if [ -z "${FIND}" ]; then
             Display --indent 2 --text "- Querying ZFS mount points (mount -p)" --result "${STATUS_NONE}" --color WHITE
@@ -554,16 +556,18 @@
     #            ---------------------------------------------------------
     #               Mount point              nodev  noexec  nosuid
     #               /boot                      v      v       v
+    #               /dev                              v       v
     #               /dev/shm                   v      v       v
     #               /home                      v              v
+    #               /run                       v              v
     #               /tmp                       v      v       v
-    #               /var                                      v
+    #               /var                       v              v
     #               /var/log                   v      v       v
     #               /var/log/audit             v      v       v
     #               /var/tmp                   v      v       v
     #            ---------------------------------------------------------
 
-    FILESYSTEMS_TO_CHECK="/boot:nodev,noexec,nosuid /dev/shm:nosuid,nodev,noexec /home:nodev,nosuid /tmp:nodev,noexec,nosuid /var:nosuid /var/log:nodev,noexec,nosuid /var/log/audit:nodev,noexec,nosuid /var/tmp:nodev,noexec,nosuid"
+    FILESYSTEMS_TO_CHECK="/boot:nodev,noexec,nosuid /dev:noexec,nosuid /dev/shm:nosuid,nodev,noexec /home:nodev,nosuid /run:nodev,nosuid /tmp:nodev,noexec,nosuid /var:nodev,nosuid /var/log:nodev,noexec,nosuid /var/log/audit:nodev,noexec,nosuid /var/tmp:nodev,noexec,nosuid"
     Register --test-no FILE-6374 --os Linux --weight L --network NO --category security --description "Linux mount options"
     if [ ${SKIPTEST} -eq 0 ]; then
         if [ -f ${ROOTDIR}etc/fstab ]; then
@@ -577,9 +581,14 @@
                         FS_FSTAB=""
                     fi
                 fi
+                if [ -z "${FS_FSTAB}" ]; then # not found in fstab, check if mounted otherwise
+                    FS_FSTAB=$(mount | ${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($3==fs) { print $6 } }')
+                    FOUND_FLAGS=$(mount | ${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($1~"[^#]" && $3==fs) { print $6 } }' | ${SEDBINARY} 's/,/ /g' | ${TRBINARY} '\n' ' ')
+                else
+                    FOUND_FLAGS=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($1~"[^#]" && $2==fs) { print $4 } }' ${ROOTDIR}etc/fstab | ${SEDBINARY} 's/,/ /g' | ${TRBINARY} '\n' ' ')
+                fi
                 if [ -n "${FS_FSTAB}" ]; then
                     # In awk using caret/circumflex as first character between brackets, means 'not' (instead of beginning of line)
-                    FOUND_FLAGS=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($1~"[^#]" && $2==fs) { print $4 } }' ${ROOTDIR}etc/fstab | ${SEDBINARY} 's/,/ /g' | ${TRBINARY} '\n' ' ')
                     LogText "File system:    ${FILESYSTEM}"
                     LogText "Expected flags: ${EXPECTED_FLAGS}"
                     LogText "Found flags:    ${FOUND_FLAGS}"
@@ -620,6 +629,13 @@
                 fi
             done
         fi
+        NMOUNTS=$(mount | ${WCBINARY} -l)
+        NDEVMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v nodev | ${WCBINARY} -l)
+        NEXECMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v noexec | ${WCBINARY} -l)
+        NSUIDMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v nosuid | ${WCBINARY} -l)
+        NWRITEANDEXECMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v noexec | ${EGREPBINARY} -v '^\(ro[,)]' | ${WCBINARY} -l)
+        LogText "Result: Total without nodev:${NDEVMOUNTS} noexec:${NEXECMOUNTS} nosuid:${NSUIDMOUNTS} ro or noexec (W^X): ${NWRITEANDEXECMOUNTS}, of total ${NMOUNTS}"
+        Display --indent 2 --text "- Total without nodev:${NDEVMOUNTS} noexec:${NEXECMOUNTS} nosuid:${NSUIDMOUNTS} ro or noexec (W^X): ${NWRITEANDEXECMOUNTS} of total ${NMOUNTS}"
     fi
 #
 #################################################################################
@@ -653,7 +669,6 @@
     # Description : Check for nodirtime option
 
     # Want to contribute to Lynis? Create this test
-
 #
 #################################################################################
 #
@@ -661,7 +676,6 @@
     # Description : Check for relatime
 
     # Want to contribute to Lynis? Create this test
-
 #
 #################################################################################
 #
@@ -674,11 +688,36 @@
 #
 #################################################################################
 #
-    # Test        : FILE-6394 TODO
+    # Test        : FILE-6394
     # Description : Check vm.swappiness (Linux)
-
+    Register --test-no FILE-6394 --os Linux --weight L --network NO --category security --description "Determine level of swappiness."
-    # Want to contribute to Lynis? Create this test
+    if [ ${SKIPTEST} -eq 0 ]; then
-
+        SWAPLEVEL=$(${CAT_BINARY} /proc/sys/vm/swappiness)
+        LogText "Test: checking level of vm.swappiness: ${SWAPLEVEL}"
+        PHYSDISK=$(${LSBLKBINARY} | ${GREPBINARY} -E 'disk|SWAP' | ${GREPBINARY} -B1 SWAP | ${HEADBINARY} -n1 | ${AWKBINARY} '{print $1}')
+        if [ ${SWAPLEVEL} -gt 60 ]; then
+            LogText "Result: vm.swappiness=${SWAPLEVEL} meaning that swapping is more frequent than default."
+            # Check if swap is on a HDD or SDD for frequent swapping
+            if [ -d "/sys/block/${PHYSDISK}" ]; then
+                HDDORSDD=$(${CAT_BINARY} "/sys/block/${PHYSDISK}/queue/rotational")
+                if [ ${HDDORSDD} -eq 1 ]; then
+                    ReportSuggestion "${TEST_NO}" "vm.swappiness set to: ${SWAPLEVEL} > 60 (default) - consider installing an SSD for swap partition for better performance."
+                fi
+            fi
+        elif [ ${SWAPLEVEL} -eq 0 ]; then
+            LogText "Result: vm.swappiness=${SWAPLEVEL} meaning swapping is disabled."
+            ReportSuggestion "${TEST_NO}" "vm.swappiness set to: ${SWAPLEVEL}. Consider setting value to minimum of 1 for minimizing swappiness, but not quite disabling it. Will prevent OOM killer from killing processes when running out of physical memory."
+        elif [ ${SWAPLEVEL} -eq 1 ]; then
+            LogText "Result: vm.swappiness=${SWAPLEVEL} meaning that swapping can still occur but at very minimum."
+        elif [ ${SWAPLEVEL} -eq 10 ]; then
+            LogText "Result: vm.swappiness=${SWAPLEVEL} which is the preferred setting for database servers."
+        elif [ ${SWAPLEVEL} -lt 60 ]; then
+            LogText "Result: vm.swappiness=${SWAPLEVEL} meaning that swapping is less frequent than default. This is only recommended for servers."
+        else
+            LogText "Result: vm.swappiness=${SWAPLEVEL} which is the standard level of swappiness and works well for desktop systems."
+        fi
+        if IsVerbose; then Display --indent 2 --text "- Swappiness: ${SWAPLEVEL}" --result "INFO" --color WHITE; fi
+    fi
 #
 #################################################################################
 #
@@ -791,6 +830,15 @@
                     AddHP 3 3
                     if IsDebug; then Display --indent 6 --text "- Module ${FS} not present in the kernel" --result OK --color GREEN; fi
                 fi
+                FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null)
+                if [ -n "${FIND}" ]; then
+		                FIND1=$(${EGREPBINARY} "blacklist ${FS}" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
+		                FIND2=$(${EGREPBINARY} "install ${FS} /bin/true" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
+                    if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then
+                        Display --indent 4 --text "- Module $FS is blacklisted" --result "OK" --color GREEN
+                        LogText "Result: module ${FS} is blacklisted"
+                    fi
+		            fi
             done
             if [ ${FOUND} -eq 1 ]; then
                 Display --indent 4 --text "- Discovered kernel modules: ${AVAILABLE_MODPROBE_FS}"

include/tests_firewalls

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -22,7 +22,7 @@
 #
 #################################################################################
 #
-    InsertSection "Software: firewalls"
+    InsertSection "${SECTION_FIREWALLS}"
 #
 #################################################################################
 #
@@ -407,6 +407,8 @@
     Register --test-no FIRE-4534 --weight L --os "macOS" --network NO --category security --description "Check for presence of outbound firewalls on macOS"
     if [ ${SKIPTEST} -eq 0 ]; then
 
+        FOUND=0
+
         # Little Snitch Daemon (macOS)
         LogText "Test: checking process Little Snitch Daemon"
         if IsRunning --full "Little Snitch Daemon"; then
@@ -537,7 +539,7 @@
     Register --test-no FIRE-4590 --weight L --network NO --category security --description "Check firewall status"
     if [ ${SKIPTEST} -eq 0 ]; then
         if [ ${FIREWALL_ACTIVE} -eq 1 ]; then
-            Display --indent 2 --text "- Checking host based firewall" --result "ACTIVE" --color GREEN
+            Display --indent 2 --text "- Checking host based firewall" --result "${STATUS_ACTIVE}" --color GREEN
             LogText "Result: host based firewall or packet filter is active"
             Report "manual[]=Verify if there is a formal process for testing and applying firewall rules"
             Report "manual[]=Verify all traffic is filtered the right way between the different security zones"
@@ -546,7 +548,7 @@
             Report "manual[]=Make sure an explicit deny all is the default policy for all unmatched traffic"
             AddHP 5 5
         else
-            Display --indent 2 --text "- Checking host based firewall" --result "NOT ACTIVE" --color YELLOW
+            Display --indent 2 --text "- Checking host based firewall" --result "${STATUS_NOT_ACTIVE}" --color YELLOW
             LogText "Result: no host based firewall/packet filter found or configured"
             ReportSuggestion "${TEST_NO}" "Configure a firewall/packet filter to filter incoming and outgoing traffic"
             AddHP 0 5

include/tests_hardening

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -18,7 +18,7 @@
 #
 #################################################################################
 #
-    InsertSection "Hardening"
+    InsertSection "${SECTION_HARDENING}"
 
     # COMPILER_INSTALLED is initialized before
     HARDEN_COMPILERS_NEEDED=0

include/tests_homedirs

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -22,7 +22,7 @@
 #
 #################################################################################
 #
-    InsertSection "Home directories"
+    InsertSection "${SECTION_HOME_DIRECTORIES}"
 #
 #################################################################################
 #

include/tests_insecure_services

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -22,7 +22,7 @@
 #
 #################################################################################
 #
-    InsertSection "Insecure services"
+    InsertSection "${SECTION_INSECURE_SERVICES}"
 #
 #################################################################################
 #
@@ -37,7 +37,7 @@
 #
     # Test        : INSE-8000
     # Description : Check for installed inetd package
-    Register --test-no INSE-8000 --weight L --network NO --category security --description "Installed inetd package"
+    Register --test-no INSE-8000 --package-manager-required --weight L --network NO --category security --description "Installed inetd package"
     if [ ${SKIPTEST} -eq 0 ]; then
         # Check for installed inetd daemon
         LogText "Test: Checking if inetd is installed"
@@ -63,11 +63,11 @@
         LogText "Test: Searching for active inet daemon"
         if IsRunning "inetd"; then
             LogText "Result: inetd is running"
-            Display --indent 4 --text "- inetd status" --result "ACTIVE" --color GREEN
+            Display --indent 4 --text "- inetd status" --result "${STATUS_ACTIVE}" --color GREEN
             INETD_ACTIVE=1
         else
             LogText "Result: inetd is NOT running"
-            Display --indent 4 --text "- inetd status" --result "NOT ACTIVE" --color GREEN
+            Display --indent 4 --text "- inetd status" --result "${STATUS_NOT_ACTIVE}" --color GREEN
         fi
     fi
 #
@@ -134,7 +134,7 @@
 #
     # Test        : INSE-8100
     # Description : Check for installed xinetd daemon
-    Register --test-no INSE-8100 --weight L --network NO --category security --description "Check for installed xinetd daemon"
+    Register --test-no INSE-8100 --package-manager-required --weight L --network NO --category security --description "Check for installed xinetd daemon"
     if [ ${SKIPTEST} -eq 0 ]; then
         # Check for installed xinetd daemon
         LogText "Test: Checking for installed xinetd daemon"
@@ -158,11 +158,11 @@
         LogText "Test: Searching for active extended internet services daemon (xinetd)"
         if IsRunning "xinetd"; then
             LogText "Result: xinetd is running"
-            Display --indent 4 --text "- xinetd status" --result "ACTIVE" --color GREEN
+            Display --indent 4 --text "- xinetd status" --result "${STATUS_ACTIVE}" --color GREEN
             XINETD_ACTIVE=1
         else
             LogText "Result: xinetd is NOT running"
-            Display --indent 4 --text "- xinetd status" --result "NOT ACTIVE" --color GREEN
+            Display --indent 4 --text "- xinetd status" --result "${STATUS_NOT_ACTIVE}" --color GREEN
         fi
     fi
 #
@@ -250,7 +250,7 @@
     # Test        : INSE-8200
     # Description : Check if tcp_wrappers is installed when inetd/xinetd is active
     if [ ${INETD_ACTIVE} -eq 1 -o ${XINETD_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
-    Register --test-no INSE-8200 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check if tcp_wrappers is installed when inetd/xinetd is active"
+    Register --test-no INSE-8200 --package-manager-required --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check if tcp_wrappers is installed when inetd/xinetd is active"
     if [ ${SKIPTEST} -eq 0 ]; then
         LogText "Test: Checking if tcp_wrappers is installed"
         FOUND=0
@@ -272,7 +272,7 @@
 #
     # Test        : INSE-8300
     # Description : Check if rsh client is installed
-    Register --test-no INSE-8300 --weight L --network NO --category security --description "Check if rsh client is installed"
+    Register --test-no INSE-8300 --package-manager-required --weight L --network NO --category security --description "Check if rsh client is installed"
     if [ ${SKIPTEST} -eq 0 ]; then
         LogText "Test: Checking if rsh client is installed"
         FOUND=0
@@ -328,7 +328,7 @@
 #
     # Test        : INSE-8304
     # Description : Check if rsh server is installed
-    Register --test-no INSE-8304 --weight L --network NO --category security --description "Check if rsh server is installed"
+    Register --test-no INSE-8304 --package-manager-required --weight L --network NO --category security --description "Check if rsh server is installed"
     if [ ${SKIPTEST} -eq 0 ]; then
         # Check if rsh server is installed
         LogText "Test: Checking if rsh server is installed"
@@ -352,7 +352,7 @@
 #
     # Test        : INSE-8310
     # Description : Check if telnet client is installed
-    Register --test-no INSE-8310 --weight L --network NO --category security --description "Check if telnet client is installed"
+    Register --test-no INSE-8310 --package-manager-required --weight L --network NO --category security --description "Check if telnet client is installed"
     if [ ${SKIPTEST} -eq 0 ]; then
         # Check if telnet client is installed
         LogText "Test: Checking if telnet client is installed"
@@ -373,7 +373,7 @@
 #
     # Test        : INSE-8312
     # Description : Check if telnet server is installed
-    Register --test-no INSE-8322 --weight L --network NO --category security --description "Check if telnet server is installed"
+    Register --test-no INSE-8322 --package-manager-required --weight L --network NO --category security --description "Check if telnet server is installed"
     if [ ${SKIPTEST} -eq 0 ]; then
         # Check if TFTP server is installed
         LogText "Test: Checking if telnet server is installed"
@@ -385,7 +385,7 @@
         if [ ${FOUND} -eq 1 ]; then
             LogText "Result: telnet server is installed"
             Display --indent 2 --text "- Installed telnet server package" --result "${STATUS_FOUND}" --color YELLOW
-            ReportSuggestion "${TEST_NO}" "Removing the ${FOUND} package and replace with SSH when possible"
+            ReportSuggestion "${TEST_NO}" "Removing the telnet server package and replace with SSH when possible"
             Report "insecure_service[]=telnet-server"
         else
             LogText "Result: telnet server is NOT installed"
@@ -398,7 +398,7 @@
 #
     # Test        : INSE-8314
     # Description : Check if NIS client is installed
-    Register --test-no INSE-8314 --weight L --network NO --category security --description "Check if NIS client is installed"
+    Register --test-no INSE-8314 --package-manager-required --weight L --network NO --category security --description "Check if NIS client is installed"
     if [ ${SKIPTEST} -eq 0 ]; then
         FOUND=""
         LogText "Test: Checking if NIS client is installed"
@@ -422,7 +422,7 @@
 #
     # Test        : INSE-8316
     # Description : Check if NIS server is installed
-    Register --test-no INSE-8316 --weight L --network NO --category security --description "Check if NIS server is installed"
+    Register --test-no INSE-8316 --package-manager-required --weight L --network NO --category security --description "Check if NIS server is installed"
     if [ ${SKIPTEST} -eq 0 ]; then
         FOUND=""
         LogText "Test: Checking if NIS server is installed"
@@ -446,7 +446,7 @@
 #
     # Test        : INSE-8318
     # Description : Check if TFTP client is installed
-    Register --test-no INSE-8318 --weight L --network NO --category security --description "Check if TFTP client is installed"
+    Register --test-no INSE-8318 --package-manager-required --weight L --network NO --category security --description "Check if TFTP client is installed"
     if [ ${SKIPTEST} -eq 0 ]; then
         LogText "Test: Checking if TFTP client is installed"
         FOUND=""
@@ -470,7 +470,7 @@
 #
     # Test        : INSE-8320
     # Description : Check if TFTP server is installed
-    Register --test-no INSE-8320 --weight L --network NO --category security --description "Check if TFTP server is installed"
+    Register --test-no INSE-8320 --package-manager-required --weight L --network NO --category security --description "Check if TFTP server is installed"
     if [ ${SKIPTEST} -eq 0 ]; then
         LogText "Test: Checking if TFTP server is installed"
         FOUND=""

include/tests_kernel

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -22,7 +22,7 @@
 #
 #################################################################################
 #
-    InsertSection "Kernel"
+    InsertSection "${SECTION_KERNEL}"
 #
 #################################################################################
 #
@@ -31,6 +31,7 @@
     LINUXCONFIGFILE=""
     LINUXCONFIGFILE_ZIPPED=0
     LIMITS_DIRECTORY="${ROOTDIR}etc/security/limits.d"
+    APT_ARCHIVE_DIRECTORY="${ROOTDIR}var/cache/apt/archives"
 #
 #################################################################################
 #
@@ -102,8 +103,7 @@
     # Description : Check CPU options and support (PAE, No eXecute, eXecute Disable)
     # More info   : pae and nx bit are both visible on AMD and Intel CPU's if supported
 
-    if [ "${HARDWARE}" = "x86_64" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+    Register --test-no KRNL-5677 --platform x86_64 --os Linux --weight L --network NO --category security --description "Check CPU options and support"
-    Register --test-no KRNL-5677 --preqs-met "${PREQS_MET}" --os Linux --weight L --network NO --category security --description "Check CPU options and support"
     if [ ${SKIPTEST} -eq 0 ]; then
         Display --indent 2 --text "- Checking CPU support (NX/PAE)"
         LogText "Test: Checking /proc/cpuinfo"
@@ -235,12 +235,13 @@
     Register --test-no KRNL-5728 --os Linux --weight L --network NO --category security --description "Checking Linux kernel config"
     if [ ${SKIPTEST} -eq 0 ]; then
         CHECKFILE="${ROOTDIR}boot/config-$(uname -r)"
+        CHECKFILE_ZIPPED="${ROOTDIR}proc/config.gz"
         if [ -f ${CHECKFILE} ]; then
             LINUXCONFIGFILE="${CHECKFILE}"
             LogText "Result: found config (${LINUXCONFIGFILE})"
             Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_FOUND}" --color GREEN
-        elif [ -f ${ROOTDIR}proc/config.gz ]; then
+        elif [ -f ${CHECKFILE_ZIPPED} ]; then
-            LINUXCONFIGFILE="${CHECKFILE}"
+            LINUXCONFIGFILE="${CHECKFILE_ZIPPED}"
             LINUXCONFIGFILE_ZIPPED=1
             LogText "Result: found config: ${ROOTDIR}proc/config.gz (compressed)"
             Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_FOUND}" --color GREEN
@@ -392,6 +393,12 @@
             elif [ -e ${ROOTDIR}dev/grsec ]; then
                 FINDKERNEL=linux-image-$(uname -r)
                 LogText "Result: ${ROOTDIR}vmlinuz missing due to grsecurity; assuming ${FINDKERNEL}"
+            elif [ -e ${ROOTDIR}etc/rpi-issue ]; then
+                FINDKERNEL=raspberrypi-kernel
+                LogText "Result: ${ROOTDIR}vmlinuz missing due to Raspbian"
+            elif `${EGREPBINARY} -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf`; then
+                FINDKERNEL=linux-image-$(uname -r)
+                LogText "Result: ${ROOTDIR}vmlinuz missing due to /etc/kernel-img.conf item do_symlinks = No"
             else
                 LogText "This system is missing ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz.  Unable to check whether kernel is up-to-date."
                 ReportSuggestion "${TEST_NO}" "Determine why ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz is missing on this Debian/Ubuntu system." "/vmlinuz or /boot/vmlinuz"
@@ -478,13 +485,13 @@
                  ( [ ${SYSD_CORED_BASE_PROCSIZEMAX_NR_ENABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -ge 1 ] ) || \
                  ( [ ${SYSD_CORED_BASE_STORAGE_NR_ENABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -ge 1 ] ) || \
                  ( [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -ge 1 ] ); then
-                LogText "Result: core dumps are explicitely enabled in systemd configuration files"
+                LogText "Result: core dumps are explicitly enabled in systemd configuration files"
                 ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in ${ROOTDIR}etc/systemd/coredump.conf ('ProcessSizeMax=0', 'Storage=none')"
                 Display --indent 4 --text "- configuration in systemd conf files" --result "${STATUS_ENABLED}" --color RED
                 AddHP 0 1
             else
                 LogText "Result: core dumps are not disabled in systemd configuration. Didn't find settings 'ProcessSizeMax=0' and 'Storage=none'"
-                Display --indent 4 --text "- configuration in systemd conf files" --result "DEFAULT" --color WHITE
+                Display --indent 4 --text "- configuration in systemd conf files" --result "${STATUS_DEFAULT}" --color WHITE
                 AddHP 0 1
             fi
         fi
@@ -501,7 +508,7 @@
                 AddHP 1 1
             elif [ -z "${ULIMIT_C_VALUE_SUB}" ] && [ -z "${ULIMIT_C_VALUE}" ]; then
                 LogText "Result: core dumps are not disabled in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh config files. Didn't find setting 'ulimit -c 0'"
-                Display --indent 4 --text "- configuration in etc/profile" --result "DEFAULT" --color WHITE
+                Display --indent 4 --text "- configuration in etc/profile" --result "${STATUS_DEFAULT}" --color WHITE
                 AddHP 0 1
             elif ( [ -n "${ULIMIT_C_VALUE_SUB}" ] && ( [ "${ULIMIT_C_VALUE_SUB}" = "unlimited" ] || [ "${ULIMIT_C_VALUE_SUB}" != "0" ] ) ) || ( [ -n "${ULIMIT_C_VALUE}" ] && [ -z "${ULIMIT_C_VALUE_SUB}" ] && ( [ "${ULIMIT_C_VALUE}" = "unlimited" ] || [ "${ULIMIT_C_VALUE}" != "0" ] ) ); then
                 LogText "Result: core dumps are enabled in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh config files. A value higher than 0 is configured for 'ulimit -c'"
@@ -509,7 +516,7 @@
                 AddHP 0 1
             else
                 LogText "Result: ERROR - something went wrong. Unexpected result during check of ${ROOTDIR}etc/profile and ${ROOTDIR}etc/profile.d/*.sh config files. Please report on Github!"
-                Display --indent 4 --text "- configuration in etc/profile" --result "ERROR" --color YELLOW
+                Display --indent 4 --text "- configuration in etc/profile" --result "${STATUS_ERROR}" --color YELLOW
             fi
         fi
         # Limits option
@@ -531,8 +538,8 @@
                 FIND2="hard core enabled"
             fi
 
-            IS_SOFTCORE_DISABLED="$(if [ "${FIND1}" = "soft core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND1}" = "soft core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} DEFAULT; fi)"
+            IS_SOFTCORE_DISABLED="$(if [ "${FIND1}" = "soft core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND1}" = "soft core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} ${STATUS_DEFAULT}; fi)"
-            IS_HARDCORE_DISABLED="$(if [ "${FIND2}" = "hard core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND2}" = "hard core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} DEFAULT; fi)"
+            IS_HARDCORE_DISABLED="$(if [ "${FIND2}" = "hard core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND2}" = "hard core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} ${STATUS_DEFAULT}; fi)"
 
             if [ "${FIND2}" = "hard core disabled" ]; then
                 LogText "Result: core dumps are hard disabled"
@@ -580,18 +587,18 @@
         fi
         if [ "${FIND}" = "2" ]; then
             LogText "Result: programs can dump core dump, but only readable by root (value 2, for debugging with file protection)"
-            Display --indent 4 --text "- Checking setuid core dumps configuration" --result PROTECTED --color WHITE
+            Display --indent 4 --text "- Checking setuid core dumps configuration" --result "${STATUS_PROTECTED}" --color WHITE
             AddHP 1 1
         elif [ "${FIND}" = "1" ]; then
             LogText "Result: all programs can perform core dumps (value 1, for debugging)"
-            Display --indent 2 --text "- Checking setuid core dumps configuration" --result DEBUG --color YELLOW
+            Display --indent 2 --text "- Checking setuid core dumps configuration" --result "${STATUS_DEBUG}" --color YELLOW
             ReportSuggestion "${TEST_NO}" "Determine if all binaries need to be able to core dump"
             AddHP 0 1
         else
             # 0 - (default) - traditional behaviour. Any process which has changed privilege levels or is execute only will not be dumped
             # https://www.kernel.org/doc/Documentation/sysctl/fs.txt
             LogText "Result: found default option (0), no execute only program or program with changed privilege levels can dump"
-            Display --indent 4 --text "- Checking setuid core dumps configuration" --result DISABLED --color GREEN
+            Display --indent 4 --text "- Checking setuid core dumps configuration" --result "${STATUS_DISABLED}" --color GREEN
             AddHP 1 1
         fi
     fi
@@ -624,7 +631,7 @@
         fi
 
         # Check if /boot exists
-        if [ ${PRIVILEGED} -eq 1 -a -d "${ROOTDIR}boot" ]; then
+        if [ -d "${ROOTDIR}boot" ]; then
             LogText "Result: /boot exists, performing more tests from here"
             FIND=$(${LSBINARY} ${ROOTDIR}boot/* 2> /dev/null)
             if [ -n "${FIND}" ]; then
@@ -650,30 +657,47 @@
                     else
                         ReportException "${TEST_NO}:1" "Can't determine kernel version on disk, need debug data"
                     fi
-                elif [ -f ${ROOTDIR}boot/vmlinuz-linux -o -f ${ROOTDIR}boot/vmlinuz-linux-lts -o -f $(ls -t ${ROOTDIR}boot/vm[l-]* 2> /dev/null | head -1) ]; then
+                elif [ -f ${ROOTDIR}boot/vmlinuz-linux ] || [ -f ${ROOTDIR}boot/vmlinuz-linux-lts ] || [ -f "$(${LSBINARY} -t ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${HEADBINARY} -1)" ]; then
-                    if [ -L ${ROOTDIR}boot/vmlinuz-linux ]; then
+                    if [ -f ${ROOTDIR}boot/vmlinuz-linux ]; then
-                        LogText "Result: found symlink ${ROOTDIR}boot/vmlinuz-linux"
+                        LogText "Result: found ${ROOTDIR}boot/vmlinuz-linux"
-                        FOUND_VMLINUZ=$(readlink ${ROOTDIR}boot/vmlinuz-linux)
+                        FOUND_VMLINUZ=${ROOTDIR}boot/vmlinuz-linux
-                        LogText "Result: symlinked target is ${FOUND_VMLINUZ}"
-                        VERSION_ON_DISK=$(echo ${FOUND_VMLINUZ} | ${SEDBINARY} 's/^vmlinuz-//')
                     elif [ -f ${ROOTDIR}boot/vmlinuz-linux-lts ]; then
-                        LogText "Result: found boot/vmlinuz-linux-lts"
+                        LogText "Result: found ${ROOTDIR}boot/vmlinuz-linux-lts"
                         FOUND_VMLINUZ=${ROOTDIR}boot/vmlinuz-linux-lts
+                    elif [ -f ${ROOTDIR}boot/vmlinuz-lts ]; then
+                        LogText "Result: found ${ROOTDIR}boot/vmlinuz-lts"
+                        FOUND_VMLINUZ=${ROOTDIR}boot/vmlinuz-lts
                     else
-                        # Match on /boot/vm5.3.7 or /boot/vmlinuz-5.3.7-1-default
+                        # Match on items like /boot/vm5.3.7 or /boot/vmlinuz-5.3.7-1-default. Get newest file (ls -t and pipe into head)
-                        FOUND_VMLINUZ=$(ls -t ${ROOTDIR}boot/vm[l-]* 2> /dev/null | head -1)
+                        # Note: ignore a rescue kernel (e.g. CentOS)
+                        FOUND_VMLINUZ=$(${LSBINARY} -t ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${GREPBINARY} -v '\-rescue\-' | ${HEADBINARY} -1)
+                        LogText "Result: found ${FOUND_VMLINUZ}"
                     fi
 
+                    VERSION_ON_DISK=""
                     if [ -L "${FOUND_VMLINUZ}" ]; then
                         LogText "Result: found a symlink, retrieving destination"
                         FOUND_VMLINUZ=$(readlink "${FOUND_VMLINUZ}")
                         LogText "Result: destination file is ${FOUND_VMLINUZ}"
-                        VERSION_ON_DISK=$(echo ${FOUND_VMLINUZ} | ${SEDBINARY} 's/^vmlinuz-//')
+                        VERSION_ON_DISK=$(echo ${FOUND_VMLINUZ} | ${SEDBINARY} 's#^/boot/##' | ${SEDBINARY} 's/^vmlinuz-//')
                         LogText "Result: version derived from file name is '${VERSION_ON_DISK}'"
+                    elif [ -f "${FOUND_VMLINUZ}" ]; then
+                        VERSION_ON_DISK=$(echo ${FOUND_VMLINUZ} | ${SEDBINARY} 's#^/boot/##' | ${SEDBINARY} 's/^vmlinuz-//' | ${SEDBINARY} '$s/-\?\(linux\)\?-\?\(lts\)\?//')
+                        LogText "Result: version derived from file name is '${VERSION_ON_DISK}'"
+
                     fi
 
+                    # Data check: perform reset if we found a version but looks incomplete
+                    # Example: Arch Linux will return only 'linux' as its version after it discovered /boot/vmlinuz-linux
+                    case ${VERSION_ON_DISK} in
+                        "linux" | "linux-lts")
+                            LogText "Result: reset of version (${VERSION_ON_DISK}) as it looks incomplete"
+                            VERSION_ON_DISK=""
+                        ;;
+                    esac
+
+                    # If we did not find the version yet, see if we can extract it from the magic data that 'file' returns
                     if [ -z "${VERSION_ON_DISK}" ]; then
-                        LogText "Result: found ${FOUND_VMLINUZ}"
                         LogText "Test: checking kernel version on disk"
                         NEXTLINE=0
                         VERSION_ON_DISK=""
@@ -686,6 +710,12 @@
                                 if [ "${I}" = "version" ]; then NEXTLINE=1; fi
                             fi
                         done
+                    fi
+
+                    # Last check if we finally got a version or not
+                    if [ -z "${VERSION_ON_DISK}" ]; then
+                        LogText "Result: could not find the version on disk"
+                        ReportException "${TEST_NO}:4" "Could not find the kernel version"
                     else
                         LogText "Result: found version ${VERSION_ON_DISK}"
                         ACTIVE_KERNEL=$(uname -r)
@@ -698,10 +728,6 @@
                             LogText "Result: reboot needed, as there is a difference between active kernel and the one on disk"
                         fi
                     fi
-                    if [ -z "${VERSION_ON_DISK}" ]; then
-                        LogText "Result: could not find the version on disk"
-                        ReportException "${TEST_NO}:4" "Could not find the kernel version"
-                    fi
                 else
                     if [ -L ${ROOTDIR}boot/vmlinuz ]; then
                         LogText "Result: found symlink of ${ROOTDIR}boot/vmlinuz, skipping file"
@@ -767,6 +793,107 @@
             LogText "Result: /boot does not exist or not privileged to read files"
         fi
 
+        # Attempt to check for Raspbian if reboot is needed
+        # This check searches for apt package "raspberrypi-kernel-[package-date]", trys to extract the date of packaging from the filename
+        # and compares that date with the currently running kernel's build date (uname -v).
+        # Of course there can be a time difference between kernel build and kernel packaging, therefore a time difference of
+        # 3 days is accepted and it is assumed with only 3 days apart, this must be the same kernel version.
+        if [ ${REBOOT_NEEDED} -eq 2 ] && [ -d "${APT_ARCHIVE_DIRECTORY}" ]; then
+            LogText "Result: found folder ${APT_ARCHIVE_DIRECTORY}; assuming this is a debian based distribution"
+            LogText "Check: try to find raspberrypi-kernel file in ${APT_ARCHIVE_DIRECTORY} and extract package date from file name"
+
+            FOUND_KERNEL_DATE=$(${FINDBINARY} ${APT_ARCHIVE_DIRECTORY} -name "raspberrypi-kernel*" -printf "%T@ %Tc %p\n" 2> /dev/null \
+            | ${SORTBINARY} -nr | ${HEADBINARY} -1 | ${GREPBINARY} -o "raspberrypi-kernel.*deb" | ${EGREPBINARY} -o "\.[0-9]+" | ${SEDBINARY} 's/\.//g')
+
+            if [ -n "${FOUND_KERNEL_DATE}" ]; then
+                FOUND_KERNEL_IN_SECONDS=$(date -d "${FOUND_KERNEL_DATE}" "+%s" 2> /dev/null)
+            else
+                LogText "Result: Skipping this test, as there was no package date to extract"
+            fi
+
+            if [ -n "${FOUND_KERNEL_IN_SECONDS}" ] && [ ${FOUND_KERNEL_IN_SECONDS} -gt 1 ]; then
+                LogText "Result: Got package date: ${FOUND_KERNEL_DATE} (= ${FOUND_KERNEL_IN_SECONDS} seconds)"
+                UNAME_OUTPUT="$(${UNAMEBINARY} -v 2> /dev/null)"
+            else
+                LogText "Result: Skipping this test, as extracting the seconds of package date failed"
+            fi
+            
+            if [ -n "${UNAME_OUTPUT}" ]; then
+                LogText "Result: Got an output from 'uname -v'"
+                LogText "Check: Trying to extract kernel build date from 'uname -v' output"
+                next=""
+                for part in ${UNAME_OUTPUT}; do
+                    if [ -z "$next" ]; then
+                        if [ "${part}" = "Mon" ] || [ "${part}" = "Tue" ] || [ "${part}" = "Wed" ] || [ "${part}" = "Thu" ] || [ "${part}" = "Fri" ] || [ "${part}" = "Sat" ] || [ "${part}" = "Sun" ]; then
+                            next="month"
+                        fi
+                    elif [ "$next" = "month" ]; then
+                        if [ $(${ECHOCMD} "${part}" | ${EGREPBINARY} -c "[A-Z][a-z]") -ge 1 ]; then
+                            UNAME_DATE_MONTH="${part}"
+                            next="day"
+                        fi
+                    elif [ "${next}" = "day" ]; then
+                        if [ $(${ECHOCMD} ${part} | ${EGREPBINARY} -c "[0-9][0-9]") -ge 1 ]; then
+                            UNAME_DATE_DAY="${part}"
+                            next="time"
+                        fi
+                    elif [ "${next}" = "time" ]; then
+                        if [ $(${ECHOCMD} ${part} | ${EGREPBINARY} -c ":[0-9][0-9]:") -ge 1 ]; then
+                            next="year"
+                        fi
+                    elif [ "${next}" = "year" ]; then
+                        if [ $(${ECHOCMD} ${part} | ${EGREPBINARY} -c "[0-9][0-9]") -ge 1 ]; then
+                            UNAME_DATE_YEAR="${part}"
+                            break
+                        fi
+                    fi
+                done
+                if [ -n "${UNAME_DATE_MONTH}" ] && [ -n "${UNAME_DATE_DAY}" ] && [ -n "${UNAME_DATE_YEAR}" ]; then
+                    LogText "Result: Extracted kernel build date is: ${UNAME_DATE_DAY} ${UNAME_DATE_MONTH} ${UNAME_DATE_YEAR}"
+                    UNAME_DATE_IN_SECONDS=$(date -d "${UNAME_DATE_DAY} ${UNAME_DATE_MONTH} ${UNAME_DATE_YEAR}" "+%s" 2> /dev/null)
+                    LogText "Check: Comparing kernel build date in seconds (${UNAME_DATE_IN_SECONDS}s) with package date in seconds (${FOUND_KERNEL_IN_SECONDS}s)"
+                    if [ -n "${UNAME_DATE_IN_SECONDS}" ] && [ ${FOUND_KERNEL_IN_SECONDS} -ge ${UNAME_DATE_IN_SECONDS} ]; then
+                        LogText "Result: package creation date is older than running kernel. Hence, this check should be valid."
+                        LogText "Check if package create date and kernel build date are not more than 3 days apart."
+
+                        SECONDS_APART=$(( ${FOUND_KERNEL_IN_SECONDS} - ${UNAME_DATE_IN_SECONDS} ))
+                        if [ ${SECONDS_APART} -ge 60 ]; then
+                            MINUTES_APART=$(( ${SECONDS_APART} / 60 ))
+                            if [ ${MINUTES_APART} -ge 60 ]; then
+                                DAYS_APART=$(( ${MINUTES_APART} / 60 ))
+                                if [ ${DAYS_APART} -ge 24 ]; then DAYS_APART=$(( ${DAYS_APART} / 24 )); else DAYS_APART=0; fi
+                            else
+                                DAYS_APART=0
+                            fi
+                        else
+                            DAYS_APART=0
+                        fi
+                        # assuming kernels are packaged definitely within 3 days. ACCEPTED_TIME_DIFF needs a value in seconds
+                        ACCEPTED_TIME_DIFF=$((3 * 24 * 60 * 60))
+                        if [ ${FOUND_KERNEL_IN_SECONDS} -le $((${UNAME_DATE_IN_SECONDS} + ${ACCEPTED_TIME_DIFF})) ]; then
+                            LogText "Result: package create date and kernel build date are only ${DAYS_APART} day(s) apart."
+                            LogText "Result: Assuming no reboot needed."
+                            REBOOT_NEEDED=0
+                        else
+                            LogText "Result: package create date and kernel build date are ${DAYS_APART} day(s) apart."
+                            LogText "Result: Assuming reboot is needed."
+                            REBOOT_NEEDED=1
+                        fi
+                    else
+                        LogText "Result: Package's create date is older than running kernel, which is unexpected. Might not be a valid test. Skipping..."
+                    fi
+                else
+                    LogText "Result: Could not extract Day, Month and Year from 'uname -v' output"
+                fi
+            else
+                LogText "Result: Did not get output from 'uname -v'. Skipping test."
+            fi
+                
+            
+        else
+            LogText "Result: /var/cache/apt/archives/ does not exist"
+        fi
+
         # Display discovered status
         if [ ${REBOOT_NEEDED} -eq 0 ]; then
             Display --indent 2 --text "- Check if reboot is needed" --result "${STATUS_NO}" --color GREEN
@@ -787,4 +914,4 @@ WaitForKeyPress
 
 #
 #================================================================================
-# Lynis - Copyright 2007-2019, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2020, CISOfy - https://cisofy.com

include/tests_kernel_hardening

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -22,13 +22,13 @@
 #
 #################################################################################
 #
-    InsertSection "Kernel Hardening"
+    InsertSection "${SECTION_KERNEL_HARDENING}"
 #
 #################################################################################
 #
     # Test        : KRNL-6000
     # Description : Check sysctl parameters
-    # Sysctl      : net.ipv4.icmp_ingore_bogus_error_responses (=1)
+    # Sysctl      : net.ipv4.icmp_ignore_bogus_error_responses (=1)
     if [ ! "${SYSCTL_READKEY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
     Register --test-no KRNL-6000 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check sysctl key pairs in scan profile"
     if [ ${SKIPTEST} -eq 0 ]; then
@@ -89,7 +89,7 @@
                         AddHP ${tFINDhp} ${tFINDhp}
                     else
                         LogText "Result: sysctl key ${tFINDkey} has a different value than expected in scan profile. Expected=${tFINDexpvalue}, Real=${tFINDcurvalue}"
-                        Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result DIFFERENT --color RED
+                        Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result "${STATUS_DIFFERENT}" --color RED
                         AddHP 0 ${tFINDhp}
                         FOUND=1
                         N=$((N + 1))

include/tests_ldap

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -22,7 +22,7 @@
 #
 #################################################################################
 #
-    InsertSection "LDAP Services"
+    InsertSection "${SECTION_LDAP_SERVICES}"
 #
 #################################################################################
 #

include/tests_logging

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -28,7 +28,9 @@
     METALOG_RUNNING=0
     RFC3195D_RUNNING=0
     RSYSLOG_RUNNING=0
+    SOLARIS_LOGHOST=""
     SOLARIS_LOGHOST_FOUND=0
+    SOLARIS_LOGHOST_LOCALHOST=0
     SYSLOG_DAEMON_PRESENT=0
     SYSLOG_DAEMON_RUNNING=0
     SYSLOG_NG_RUNNING=0
@@ -36,7 +38,7 @@
 #
 #################################################################################
 #
-    InsertSection "Logging and files"
+    InsertSection "${SECTION_LOGGING_AND_FILES}"
 
     # Test        : LOGG-2130
     # Description : Check for a running syslog daemon
@@ -305,6 +307,7 @@
         LogText "Result: Checking for loghost in /etc/inet/hosts"
         FIND=$(${GREPBINARY} loghost /etc/inet/hosts | ${GREPBINARY} -v "^#")
         if [ -n "${FIND}" ]; then
+            SOLARIS_LOGHOST="${FIND}"
             SOLARIS_LOGHOST_FOUND=1
             LogText "Result: Found loghost entry in /etc/inet/hosts"
         else
@@ -314,6 +317,7 @@
             LogText "Result: Checking for loghost via name resolving"
             FIND=$(getent hosts loghost | ${GREPBINARY} loghost)
             if [ -n "${FIND}" ]; then
+                SOLARIS_LOGHOST="${FIND}"
                 SOLARIS_LOGHOST_FOUND=1
                 LogText "Result: name resolving was successful"
                 LogText "Output: ${FIND}"
@@ -334,6 +338,26 @@
     fi
 #
 #################################################################################
+#
+    # Test        : LOGG-2153
+    # Description : Check Solaris 'loghost' entry is not localhost, meaning
+    #               remote logging is not configured.
+    if [ ${SOLARIS_LOGHOST_FOUND} -eq 1 ] && [ -n "${SOLARIS_LOGHOST}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+    Register --test-no LOGG-2153 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking loghost is localhost"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        FIND=$(echo "${SOLARIS_LOGHOST}" | ${AWKBINARY} '{ print $1 }' | ${EGREPBINARY} "::1|127.0.0.1|127.1")
+        if [ -n "${FIND}" ]; then
+            SOLARIS_LOGHOST_LOCALHOST=1
+            LogText "Result: loghost entry is localhost (default)"
+            Display --indent 4 --text "- Checking loghost entry is localhost" --result "${STATUS_YES}" --color YELLOW
+            ReportSuggestion "${TEST_NO}" "Set loghost entry to a remote location to enable remote logging."
+        else
+            Display --indent 4 --text "- Checking loghost entry is localhost" --result "${STATUS_NO}" --color GREEN
+        fi
+    fi
+
+#
+#################################################################################
 #
     # Test        : LOGG-2154
     # Description : Check to see if remote logging is enabled
@@ -402,8 +426,13 @@
             LogText "Test: check if logs are also logged to a remote logging host"
             FIND=$(${EGREPBINARY} "@[a-zA-Z0-9]|destination\s.+(udp|tcp).+\sport" ${SYSLOGD_CONF} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "[a-zA-Z0-9]@")
             if [ -n "${FIND}" ]; then
+                FIND2=$(echo "${FIND}" | ${GREPBINARY} -v "@loghost")
+                if [ SOLARIS_LOGHOST_LOCALHOST -eq 1 ] && [ -z "${FIND2}" ]; then
+                    LogText "Result: remote logging enabled to loghost, but loghost is localhost"
+                else
                     LogText "Result: remote logging enabled"
                     REMOTE_LOGGING_ENABLED=1
+                fi
             else
                 # Search for configured destinations with an IP address or hostname, then determine which ones are used as a log destination
                 DESTINATIONS=$(${GREPBINARY} "^destination" ${SYSLOGD_CONF} | ${EGREPBINARY} "(udp|tcp)" | ${GREPBINARY} "port" | ${AWKBINARY} '{print $2}')
@@ -423,7 +452,7 @@
             LogText "Result: no remote logging found"
             ReportSuggestion "${TEST_NO}" "Enable logging to an external logging host for archiving purposes and additional protection"
             AddHP 1 3
-            Display --indent 2 --text "- Checking remote logging" --result "NOT ENABLED" --color YELLOW
+            Display --indent 2 --text "- Checking remote logging" --result "${STATUS_NOT_ENABLED}" --color YELLOW
         else
             Report "remote_syslog_configured=1"
             AddHP 5 5
@@ -534,12 +563,7 @@
         LSOF_GREP="WARNING|Output information"
 
         # MySQL versions prior to 5.6 leave lots of deleted in-use files in /tmp, ignoring those
-        if [ -n "${DPKGBINARY}" ]; then
+        LSOF_GREP="${LSOF_GREP}|mysqld"
-            EARLY_MYSQL=$(${DPKGBINARY} -l | ${EGREPBINARY} mysql-server-5.[0-5])
-        elif [ -n "${RPMBINARY}" ]; then
-            EARLY_MYSQL=$(${RPMBINARY} -qa mariadb | ${EGREPBINARY} mariadb-5.[0-5])
-        fi
-        if [ -n "${EARLY_MYSQL}" ]; then LSOF_GREP="${LSOF_GREP}|mysqld"; fi
 
         # grsecurity causes Fail2Ban to hold onto deleted in-use files in /var/tmp
         if [ ${GRSEC_FOUND} -eq 1 ]; then LSOF_GREP="${LSOF_GREP}|fail2ban"; fi
@@ -555,7 +579,7 @@
                 LogText "Found deleted file: ${I}"
                 Report "deleted_file[]=${I}"
             done
-            Display --indent 2 --text "- Checking deleted files in use" --result "FILES FOUND" --color YELLOW
+            Display --indent 2 --text "- Checking deleted files in use" --result "${STATUS_FILES_FOUND}" --color YELLOW
             ReportSuggestion "${TEST_NO}" "Check what deleted files are still in use and why."
         else
             LogText "Result: no deleted files found"

include/tests_mac_frameworks

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -24,7 +24,7 @@
     SELINUXFOUND=0
     TOMOYOFOUND=0
 
-    InsertSection "Security frameworks"
+    InsertSection "${SECTION_SECURITY_FRAMEWORKS}"
 #
 #################################################################################
 #
@@ -75,6 +75,12 @@
                     Report "apparmor_enabled=1"
                     Report "apparmor_policy_loaded=1"
                     AddHP 3 3
+                    # ignore kernel threads (Parent PID = 2 [kthreadd])
+                    NUNCONFINED=$(${PSBINARY} -N --ppid 2 -o label | ${GREPBINARY} '^unconfined' | ${WCBINARY} -l)
+                    Display --indent 8 --text "Found ${NUNCONFINED} unconfined processes"
+                    for PROCESS in $(${PSBINARY} -N --ppid 2 -o label:1,pid,comm | ${GREPBINARY} '^unconfined' | ${TRBINARY} ' ' ':'); do
+                        LogText "Result: Unconfined process: ${PROCESS}"
+                    done
                 elif [ $? -eq 4 ]; then
                     LogText "Result: Can not determine status, most likely due to lacking permissions"
                     Display --indent 4 --text "- Checking AppArmor status" --result "${STATUS_UNKNOWN}" --color RED
@@ -152,6 +158,17 @@
                 Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_WARNING}" --color RED
             fi
             Display --indent 8 --text "Current SELinux mode: ${FIND}"
+            PERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${TRBINARY} '\n' ' ')
+            NPERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${WCBINARY} -l)
+            Display --indent 8 --text "Found ${NPERMISSIVE} permissive SELinux object types"
+            LogText "Permissive SELinux object types: ${PERMISSIVE}"
+            UNCONFINED=$(${PSBINARY} -eo label,pid,command | ${GREPBINARY} '[u]nconfined_t' | ${TRBINARY} '\n' ' ')
+            INITRC=$(${PSBINARY} -eo label,pid,command | ${GREPBINARY} '[i]nitrc_t' | ${TRBINARY} '\n' ' ')
+            NUNCONFINED=$(${PSBINARY} -eo label | ${GREPBINARY} '[u]nconfined_t' | ${WCBINARY} -l)
+            NINITRC=$(${PSBINARY} -eo label | ${GREPBINARY} '[i]nitrc_t' | ${WCBINARY} -l)
+            Display --indent 8 --text "Found ${NUNCONFINED} unconfined and ${NINITRC} initrc_t processes"
+            LogText "Unconfined processes: ${UNCONFINED}"
+            LogText "Processes with initrc_t type: ${INITRC}"
         else
             LogText "Result: SELinux framework is disabled"
             Display --indent 4 --text "- Checking SELinux status" --result "${STATUS_DISABLED}" --color YELLOW
@@ -189,6 +206,13 @@
             LogText "Result: TOMOYO Linux is enabled"
             Display --indent 4 --text "- Checking TOMOYO Linux status" --result "${STATUS_ENABLED}" --color GREEN
             Report "tomoyo_enabled=1"
+            if [ ! -z ${TOMOYOPSTREEBINARY} ]; then
+                NUNCONFINED=$(${TOMOYOPSTREEBINARY} | ${GREPBINARY} -v '^  3 ' | ${WCBINARY} -l)
+                Display --indent 8 --text "Found ${NUNCONFINED} unconfined (not profile 3) processes"
+                for PROCESS in $(${TOMOYOPSTREEBINARY} | ${GREPBINARY} -v '^  3 ' | ${SEDBINARY} -e 's/+-//g' -e 's/^ *//g' -e 's/ \+/:/g' | ${SORTBINARY}); do
+                    LogText "Result: Unconfined process: ${PROCESS}"
+                done
+            fi
             AddHP 3 3
         else
             LogText "Result: TOMOYO Linux is disabled"

include/tests_mail_messaging

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -22,7 +22,7 @@
 #
 #################################################################################
 #
-    InsertSection "Software: e-mail and messaging"
+    InsertSection "${SECTION_EMAIL_AND_MESSAGING}"
 #
 #################################################################################
 #
@@ -61,7 +61,7 @@
     # Test        : MAIL-8804
     # Description : Exim configuration options
     if [ ${EXIM_RUNNING} -eq 1 -a ! "${EXIMBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
-    Register --test-no MAIL-8803 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Exim configuration options"
+    Register --test-no MAIL-8804 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Exim configuration options"
     if [ ${SKIPTEST} -eq 0 -a ${EXIM_RUNNING} -eq 1 ]; then
         LogText "Test: Exim configuration options"
 

include/tests_malware

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -22,7 +22,7 @@
 #
 #################################################################################
 #
-    InsertSection "Software: ${SECTION_MALWARE}"
+    InsertSection "${SECTION_MALWARE}"
 #
 #################################################################################
 #
@@ -39,6 +39,7 @@
     MALWARE_SCANNER_INSTALLED=0
     SOPHOS_SCANNER_RUNNING=0
     SYMANTEC_SCANNER_RUNNING=0
+    SYNOLOGY_DAEMON_RUNNING=0
 #
 #################################################################################
 #
@@ -102,28 +103,6 @@
     if [ ${SKIPTEST} -eq 0 ]; then
         FOUND=0
 
-        # ESET security products
-        LogText "Test: checking process esets_daemon"
-        if IsRunning "esets_daemon"; then
-            FOUND=1
-            ESET_DAEMON_RUNNING=1
-            MALWARE_SCANNER_INSTALLED=1
-            if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} ESET daemon" --result "${STATUS_FOUND}" --color GREEN; fi
-            LogText "Result: found ESET security product"
-            Report "malware_scanner[]=eset"
-        fi
-
-        # Bitdefender (macOS)
-        LogText "Test: checking process epagd"
-        if IsRunning "epagd"; then
-            FOUND=1
-            BITDEFENDER_DAEMON_RUNNING=1
-            MALWARE_SCANNER_INSTALLED=1
-            if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Bitdefender agent" --result "${STATUS_FOUND}" --color GREEN; fi
-            LogText "Result: found Bitdefender security product"
-            Report "malware_scanner[]=bitdefender"
-        fi
-
         # Avast (macOS)
         LogText "Test: checking process com.avast.daemon"
         if IsRunning "com.avast.daemon"; then
@@ -146,6 +125,17 @@
             Report "malware_scanner[]=avira"
         fi
 
+        # Bitdefender (macOS)
+        LogText "Test: checking process epagd"
+        if IsRunning "bdagentd" || IsRunning "epagd"; then
+            FOUND=1
+            BITDEFENDER_DAEMON_RUNNING=1
+            MALWARE_SCANNER_INSTALLED=1
+            if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Bitdefender agent" --result "${STATUS_FOUND}" --color GREEN; fi
+            LogText "Result: found Bitdefender security product"
+            Report "malware_scanner[]=bitdefender"
+        fi
+
         # CrowdStrike falcon-sensor
         LogText "Test: checking process falcon-sensor (CrowdStrike)"
         if IsRunning "falcon-sensor"; then
@@ -168,6 +158,17 @@
             Report "malware_scanner[]=cylance-protect"
         fi
 
+        # ESET security products
+        LogText "Test: checking process esets_daemon"
+        if IsRunning "esets_daemon"; then
+            FOUND=1
+            ESET_DAEMON_RUNNING=1
+            MALWARE_SCANNER_INSTALLED=1
+            if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} ESET daemon" --result "${STATUS_FOUND}" --color GREEN; fi
+            LogText "Result: found ESET security product"
+            Report "malware_scanner[]=eset"
+        fi
+
         # Kaspersky products
         LogText "Test: checking process wdserver or klnagent (Kaspersky)"
         # wdserver is too generic to match on, so we want to ensure that it is related to Kaspersky first
@@ -239,6 +240,17 @@
             Report "malware_scanner[]=symantec"
         fi
 
+        # Synology Antivirus Essential
+        LogText "Test: checking process synoavd"
+        if IsRunning "synoavd"; then
+            FOUND=1
+            SYNOLOGY_DAEMON_RUNNING=1
+            MALWARE_SCANNER_INSTALLED=1
+            if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Synology Antivirus Essential" --result "${STATUS_FOUND}" --color GREEN; fi
+            LogText "Result: found Synology Antivirus Essential"
+            Report "malware_scanner[]=synoavd"
+        fi
+
         # TrendMicro (macOS)
         LogText "Test: checking process TmccMac to test for Trend Micro anti-virus (macOS)"
         if IsRunning "TmccMac"; then

include/tests_memory_processes

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -118,7 +118,7 @@
 #
     # Test        : PROC-3802
     # Description : Check presence of prelink tooling
-    Register --test-no PROC-3802 --weight L --network NO --category security --description "Check presence of prelink tooling"
+    Register --test-no PROC-3802 --package-manager-required --os Linux --weight L --network NO --category security --description "Check presence of prelink tooling"
     if [ ${SKIPTEST} -eq 0 ]; then
         if PackageIsInstalled "prelink"; then
             LogText "Result: prelink packages is installed"

include/tests_nameservices

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -22,7 +22,7 @@
 #
 #################################################################################
 #
-    InsertSection "Name services"
+    InsertSection "${SECTION_NAME_SERVICES}"
 #
 #################################################################################
 #

include/tests_networking

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -31,7 +31,56 @@
 #
 #################################################################################
 #
-    InsertSection "Networking"
+    InsertSection "${SECTION_NETWORKING}"
+#
+#################################################################################
+#
+    # Test        : NETW-2400
+    # Description : Test hostname for valid characters and length
+    # Notes       : FQDN: max 253 characters
+    #             : component: a-z, 0-9, hyphen, not start with hyphen, max 63 characters
+    #               dots allowed as separator
+    Register --test-no NETW-2400 --weight L --network YES --category basics --description "Hostname length and value check"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        # Test first the fully qualified domain name
+        if [ ${#FQDN} -gt 253 ]; then
+            # Too long
+            LogText "Result: FQDN is more than 253 characters"
+            Display --indent 2 --text "- Hostname (FQDN length)" --result "${STATUS_WARNING}" --color RED
+            ReportWarning "${TEST_NO}" "Hostname is too long (more than 253 characters)"
+        elif [ ${#FQDN} -eq 0 ]; then
+            # FQDN not defined
+            LogText "Result: FQDN is not defined"
+            if IsVerbose; then Display --indent 2 --text "- Hostname (FQDN length)" --result "${STATUS_UNKNOWN}" --color YELLOW; fi
+        else
+            # Fine
+            LogText "Result: FQDN is defined and not longer than 253 characters (${#FQDN} characters)"
+            if IsVerbose; then Display --indent 2 --text "- Hostname (FQDN length)" --result "${STATUS_OK}" --color GREEN; fi
+        fi
+        # Now test short hostname
+        if [ ${#HOSTNAME} -eq 0 ]; then
+            if IsVerbose; then Display --indent 2 --text "- Hostname (FQDN length)" --result "${STATUS_NONE}" --color RED; fi
+            LogText "Result: hostname is not defined"
+        else
+            # Test length
+            if [ ${#HOSTNAME} -gt 63 ]; then
+                LogText "Result: hostname is more than 63 characters"
+                Display --indent 2 --text "- Hostname (length)" --result "${STATUS_WARNING}" --color RED
+            else
+                LogText "Result: hostnamed is defined and not longer than 63 characters"
+            fi
+            # Test valid characters (normally a dot should not be in the name, but we can't be 100% sure we have short name)
+            FIND=$(echo "${HOSTNAME}" | ${TRBINARY} -d '[:alnum:]\.\-')
+            if [ -z "${FIND}" ]; then
+                LogText "Result: good, no unexpected characters discovered in hostname"
+                if IsVerbose; then Display --indent 2 --text "- Hostname (allowed characters)" --result "${STATUS_OK}" --color GREEN; fi
+            else
+                LogText "Result: unexpected characters discovered in hostname (characters: ${FIND}), which may impact network connectivity"
+                Display --indent 2 --text "- Hostname (allowed characters)" --result "${STATUS_WARNING}" --color RED
+                ReportWarning "${TEST_NO}" "Hostname contains invalid characters" "hostname" "text:See log file for invalid characters"
+            fi
+        fi
+    fi
 #
 #################################################################################
 #
@@ -91,7 +140,7 @@
             Display --indent 2 --text "- Checking IPv6 configuration" --result "${STATUS_ENABLED}" --color WHITE
             STATUS=$(echo ${IPV6_MODE} | ${TRBINARY} '[:lower:]' '[:upper:]')
             Display --indent 6 --text "Configuration method" --result "${STATUS}" --color WHITE
-            if [ ${IPV6_ONLY} -eq 1 ]; then STATUS="YES"; else STATUS="NO"; fi
+            if [ ${IPV6_ONLY} -eq 1 ]; then STATUS="${STATUS_YES}"; else STATUS="${STATUS_NO}"; fi
             LogText "Result: IPv6 only configuration: ${STATUS}"
             Display --indent 6 --text "IPv6 only" --result "${STATUS}" --color WHITE
         else
@@ -189,6 +238,40 @@
     fi
 #
 #################################################################################
+#
+    # Test        : NETW-2706
+    # Description : Check systemd-resolve output and upstream DNSSEC status
+    # Notes       : Ubuntu 16.04 uses systemd-resolve, newer ones most likely resolvectl
+    if [ -n "${RESOLVECTLBINARY}" ]; then
+        PREQS_MET="YES"
+        RESOLVE_CMD="${RESOLVECTLBINARY}"
+        RESOLVE_CMD_PARAM="statistics"
+    elif [ -n "$(command -v systemd-resolve 2> /dev/null)" ]; then
+        PREQS_MET="YES"
+        RESOLVE_CMD="$(command -v systemd-resolve 2> /dev/null)"
+        RESOLVE_CMD_PARAM="--statistics"
+    else
+        PREQS_MET="NO"
+    fi
+    Register --test-no NETW-2706 --preqs-met "${PREQS_MET}" --weight L --network YES --category security --description "Check systemd-resolved and upstream DNSSEC status"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        SKIP=0
+        DNSSEC_STATUS=$(${RESOLVE_CMD} ${RESOLVE_CMD_PARAM} 2> /dev/null | ${AWKBINARY} -F ":" '/DNSSEC supported/ { print $2 }' | ${TRBINARY} -d ' ')
+        if [ "${DNSSEC_STATUS}" = "yes" ]; then
+            Display --indent 4 --text "- DNSSEC supported (systemd-resolved)" --result "${STATUS_YES}" --color GREEN
+            LogText "Result: DNSSEC supported by systemd-resolved and upstream DNS servers"
+        elif [ "${DNSSEC_STATUS}" = "no" ]; then
+            Display --indent 4 --text "- DNSSEC supported (systemd-resolved)" --result "${STATUS_NO}" --color YELLOW
+            LogText "Result: DNSSEC not supported by systemd-resolved or upstream DNS servers"
+        else
+            Display --indent 4 --text "- DNSSEC supported (systemd-resolved)" --result "${STATUS_UNKNOWN}" --color RED
+            LogText "Result: command '${RESOLVE_CMD} ${RESOLVE_CMD_PARAM}' returned an error. Please run command manually to check for details."
+        fi
+    else
+        LogText "Result: Test most likely skipped due to not having resolvectl"
+    fi
+#
+#################################################################################
 #
     # Test        : NETW-3001
     # Description : Find default gateway (route)
@@ -429,6 +512,15 @@
                     ReportException "${TEST_NO}:3" "netstat missing to gather listening ports"
                 fi
             ;;
+            Solaris)
+                if [ -n "${NETSTATBINARY}" ]; then
+                    LogText "Test: Retrieving netstat information to find listening ports"
+                    FIND=$(${NETSTATBINARY} -an -P udp | ${AWKBINARY} '{ if($7=="LISTEN") { print $1"|udp|LISTEN|" }}')
+                    FIND2=$(${NETSTATBINARY} -an -P tcp | ${AWKBINARY} '{ if($7=="LISTEN") { print $1"|tcp|LISTEN|" }}')
+                else
+                    ReportException "${TEST_NO}:4" "netstat missing to gather listening ports"
+                fi
+            ;;
             *)
                 # Got this exception? Provide your details and output of netstat or any other tool to determine this information.
                 ReportException "${TEST_NO}:2" "Unclear what method to use, to determine listening port information"
@@ -600,7 +692,7 @@
             Display --indent 2 --text "- Checking status DHCP client" --result "${STATUS_RUNNING}" --color WHITE
             DHCP_CLIENT_RUNNING=1
         else
-            Display --indent 2 --text "- Checking status DHCP client" --result "NOT ACTIVE" --color WHITE
+            Display --indent 2 --text "- Checking status DHCP client" --result "${STATUS_NOT_ACTIVE}" --color WHITE
         fi
     fi
 #
@@ -641,40 +733,44 @@
 #
     # Test        : NETW-3200
     # Description : Determine available network protocols
+    # Notes       : See all available supported modules: ls -d /lib/modules/$(uname -r )/kernel/net
+    #               To see active/enabled protocols: ls -d /proc/sys/net
     Register --test-no NETW-3200 --weight L --network YES --category security --description "Determine available network protocols"
     if [ ${SKIPTEST} -eq 0 ]; then
         TESTED=0
+        FOUND_UNCOMMON_PROTOCOL_ENABLED=0
         case ${OS} in
             Linux)
                 TESTED=1
                 LogText "Test: checking the status of some network protocols that typically are not used"
                 UNCOMMON_PROTOCOLS="dccp sctp rds tipc"
                 for P in ${UNCOMMON_PROTOCOLS}; do
+                    LogText "Test: now checking module '${P}'"
                     if ! SkipAtomicTest "${TEST_NO}:${P}"; then
-                        FOUND_UNCOMMON_PROTOCOL=0
+                        UNCOMMON_PROTOCOL_DISABLED=0
+                        # First check modprobe.conf
                         if [ -f ${ROOTDIR}etc/modprobe.conf ]; then
                             DATA=$(${GREPBINARY} "^install ${P} /bin/true" ${ROOTDIR}etc/modprobe.conf)
                             if [ -n "${DATA}" ]; then
-                                LogText "Result: found ${P} module loaded via modprobe.conf"
+                                LogText "Result: found ${P} module disabled via modprobe.conf"
-                                FOUND_UNCOMMON_PROTOCOL=1
+                                UNCOMMON_PROTOCOL_DISABLED=1
                             fi
                         fi
+                        # Then additional modprobe configuration files
                         if [ -d ${ROOTDIR}etc/modprobe.d ]; then
                             DATA=$(${GREPBINARY} --files-with-matches --no-messages "^install ${P} /bin/true" ${ROOTDIR}etc/modprobe.d/*)
                             if [ -n "${DATA}" ]; then
-                                FOUND_UNCOMMON_PROTOCOL=1
+                                UNCOMMON_PROTOCOL_DISABLED=1
                                 for F in ${DATA}; do
-                                    LogText "Result: found ${P} module loaded via ${F}"
+                                    LogText "Result: found ${P} module disabled via ${F}"
                                 done
                             fi
                         fi
 
-                        # Although a protocol may not been enabled using install, it can be loaded. This may be revealed using /proc
+                        if [ ${UNCOMMON_PROTOCOL_DISABLED} -eq 0 ]; then
-                        #/proc/sys/net/
+                            ReportSuggestion "${TEST_NO}" "Determine if protocol '${P}' is really needed on this system"
-
-                        if [ ${FOUND_UNCOMMON_PROTOCOL} -eq 1 ]; then
-                            ReportSuggestion "${TEST_NO}" "Determine if network protocol ${P} needs to be used on this system"
                             Report "uncommon_network_protocol_enabled=${P}"
+                            FOUND_UNCOMMON_PROTOCOL_ENABLED=1
                         fi
                     fi
                 done
@@ -686,7 +782,7 @@
             ;;
         esac
         if [ ${TESTED} -eq 1 ]; then
-            if [ ${FOUND_UNCOMMON_PROTOCOL} -eq 1 ]; then
+            if [ ${FOUND_UNCOMMON_PROTOCOL_ENABLED} -eq 1 ]; then
                 Display --indent 2 --text "- Uncommon network protocols" --result "${FOUND}" --color YELLOW
             else
                 Display --indent 2 --text "- Uncommon network protocols" --result "${STATUS_NOT_FOUND}" --color GREEN
@@ -698,7 +794,6 @@
 #################################################################################
 #
 
-
 WaitForKeyPress
 
 #

include/tests_php

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -36,6 +36,7 @@
                 ${ROOTDIR}etc/php7.1/php.ini \
                 ${ROOTDIR}etc/php7.2/php.ini \
                 ${ROOTDIR}etc/php7.3/php.ini \
+                ${ROOTDIR}etc/php7.4/php.ini \
                 ${ROOTDIR}etc/php/cgi-php5/php.ini \
                 ${ROOTDIR}etc/php/cli-php5/php.ini \
                 ${ROOTDIR}etc/php/apache2-php5/php.ini \
@@ -45,24 +46,29 @@
                 ${ROOTDIR}etc/php/apache2-php7.1/php.ini \
                 ${ROOTDIR}etc/php/apache2-php7.2/php.ini \
                 ${ROOTDIR}etc/php/apache2-php7.3/php.ini \
+                ${ROOTDIR}etc/php/apache2-php7.4/php.ini \
                 ${ROOTDIR}etc/php/cgi-php5.5/php.ini \
                 ${ROOTDIR}etc/php/cgi-php5.6/php.ini \
                 ${ROOTDIR}etc/php/cgi-php7.0/php.ini \
                 ${ROOTDIR}etc/php/cgi-php7.1/php.ini \
                 ${ROOTDIR}etc/php/cgi-php7.2/php.ini \
                 ${ROOTDIR}etc/php/cgi-php7.3/php.ini \
+                ${ROOTDIR}etc/php/cgi-php7.4/php.ini \
                 ${ROOTDIR}etc/php/cli-php5.5/php.ini \
                 ${ROOTDIR}etc/php/cli-php5.6/php.ini \
                 ${ROOTDIR}etc/php/cli-php7.0/php.ini \
                 ${ROOTDIR}etc/php/cli-php7.1/php.ini \
                 ${ROOTDIR}etc/php/cli-php7.2/php.ini \
                 ${ROOTDIR}etc/php/cli-php7.3/php.ini \
+                ${ROOTDIR}etc/php/cli-php7.4/php.ini \
                 ${ROOTDIR}etc/php/embed-php5.5/php.ini \
                 ${ROOTDIR}etc/php/embed-php5.6/php.ini \
                 ${ROOTDIR}etc/php/embed-php7.0/php.ini \
                 ${ROOTDIR}etc/php/embed-php7.1/php.ini \
                 ${ROOTDIR}etc/php/embed-php7.2/php.ini \
                 ${ROOTDIR}etc/php/embed-php7.3/php.ini \
+                ${ROOTDIR}etc/php/embed-php7.4/php.ini \
+                ${ROOTDIR}etc/php/fpm-php7.4/php.ini \
                 ${ROOTDIR}etc/php/fpm-php7.3/php.ini \
                 ${ROOTDIR}etc/php/fpm-php7.2/php.ini \
                 ${ROOTDIR}etc/php/fpm-php7.1/php.ini \
@@ -71,7 +77,9 @@
                 ${ROOTDIR}etc/php/fpm-php5.6/php.ini \
                 ${ROOTDIR}etc/php5/cgi/php.ini \
                 ${ROOTDIR}etc/php5/cli/php.ini \
-                ${ROOTDIR}etc/php5/cli-php5.4/php.ini ${ROOTDIR}etc/php5/cli-php5.5/php.ini ${ROOTDIR}etc/php5/cli-php5.6/php.ini \
+                ${ROOTDIR}etc/php5/cli-php5.4/php.ini \
+                ${ROOTDIR}etc/php5/cli-php5.5/php.ini \
+                ${ROOTDIR}etc/php5/cli-php5.6/php.ini \
                 ${ROOTDIR}etc/php5/apache2/php.ini \
                 ${ROOTDIR}etc/php5/fpm/php.ini \
                 ${ROOTDIR}private/etc/php.ini \
@@ -79,12 +87,20 @@
                 ${ROOTDIR}etc/php/7.1/apache2/php.ini \
                 ${ROOTDIR}etc/php/7.2/apache2/php.ini \
                 ${ROOTDIR}etc/php/7.3/apache2/php.ini \
-                ${ROOTDIR}etc/php/7.0/cli/php.ini ${ROOTDIR}etc/php/7.0/fpm/php.ini \
+                ${ROOTDIR}etc/php/7.4/apache2/php.ini \
-                ${ROOTDIR}etc/php/7.1/cli/php.ini ${ROOTDIR}etc/php/7.1/fpm/php.ini \
+                ${ROOTDIR}etc/php/7.0/cli/php.ini \
-                ${ROOTDIR}etc/php/7.2/cli/php.ini ${ROOTDIR}etc/php/7.2/fpm/php.ini \
+                ${ROOTDIR}etc/php/7.0/fpm/php.ini \
-                ${ROOTDIR}etc/php/7.3/cli/php.ini ${ROOTDIR}etc/php/7.3/fpm/php.ini \
+                ${ROOTDIR}etc/php/7.1/cli/php.ini \
+                ${ROOTDIR}etc/php/7.1/fpm/php.ini \
+                ${ROOTDIR}etc/php/7.2/cli/php.ini \
+                ${ROOTDIR}etc/php/7.2/fpm/php.ini \
+                ${ROOTDIR}etc/php/7.3/cli/php.ini \
+                ${ROOTDIR}etc/php/7.3/fpm/php.ini \
+                ${ROOTDIR}etc/php/7.4/cli/php.ini \
+                ${ROOTDIR}etc/php/7.4/fpm/php.ini \
                 ${ROOTDIR}var/www/conf/php.ini \
-                ${ROOTDIR}usr/local/etc/php.ini ${ROOTDIR}usr/local/lib/php.ini \
+                ${ROOTDIR}usr/local/etc/php.ini \
+                ${ROOTDIR}usr/local/lib/php.ini \
                 ${ROOTDIR}usr/local/etc/php5/cgi/php.ini \
                 ${ROOTDIR}usr/local/php54/lib/php.ini \
                 ${ROOTDIR}usr/local/php56/lib/php.ini \
@@ -92,6 +108,7 @@
                 ${ROOTDIR}usr/local/php71/lib/php.ini \
                 ${ROOTDIR}usr/local/php72/lib/php.ini \
                 ${ROOTDIR}usr/local/php73/lib/php.ini \
+                ${ROOTDIR}usr/local/php74/lib/php.ini \
                 ${ROOTDIR}usr/local/zend/etc/php.ini \
                 ${ROOTDIR}usr/pkg/etc/php.ini \
                 ${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.ini \
@@ -101,6 +118,7 @@
                 ${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.ini \
                 ${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.ini \
                 ${ROOTDIR}opt/cpanel/ea-php73/root/etc/php.ini \
+                ${ROOTDIR}opt/cpanel/ea-php74/root/etc/php.ini \
                 ${ROOTDIR}opt/alt/php44/etc/php.ini \
                 ${ROOTDIR}opt/alt/php51/etc/php.ini \
                 ${ROOTDIR}opt/alt/php52/etc/php.ini \
@@ -112,27 +130,42 @@
                 ${ROOTDIR}opt/alt/php71/etc/php.ini \
                 ${ROOTDIR}opt/alt/php72/etc/php.ini \
                 ${ROOTDIR}opt/alt/php73/etc/php.ini \
+                ${ROOTDIR}opt/alt/php74/etc/php.ini \
                 ${ROOTDIR}etc/opt/remi/php56/php.ini \
                 ${ROOTDIR}etc/opt/remi/php70/php.ini \
                 ${ROOTDIR}etc/opt/remi/php71/php.ini \
                 ${ROOTDIR}etc/opt/remi/php72/php.ini \
-                ${ROOTDIR}etc/opt/remi/php73/php.ini"
+                ${ROOTDIR}etc/opt/remi/php73/php.ini \
+                ${ROOTDIR}etc/opt/remi/php74/php.ini"
     # HEADS-UP: OpenBSD, last two releases are supported, and snapshots of -current
     PHPINILOCS="${PHPINILOCS} \
-                ${ROOTDIR}etc/php-5.6.ini ${ROOTDIR}etc/php-7.0.ini ${ROOTDIR}etc/php-7.1.ini ${ROOTDIR}etc/php-7.2.ini ${ROOTDIR}etc/php-7.3.ini"
+                ${ROOTDIR}etc/php-5.6.ini \
+                ${ROOTDIR}etc/php-7.0.ini \
+                ${ROOTDIR}etc/php-7.1.ini \
+                ${ROOTDIR}etc/php-7.2.ini \
+                ${ROOTDIR}etc/php-7.3.ini \
+                ${ROOTDIR}etc/php-7.4.ini"
 
     PHPINIDIRS="${ROOTDIR}etc/php5/conf.d \
                 ${ROOTDIR}etc/php/7.0/cli/conf.d \
                 ${ROOTDIR}etc/php/7.1/cli/conf.d \
                 ${ROOTDIR}etc/php/7.2/cli/conf.d \
                 ${ROOTDIR}etc/php/7.3/cli/conf.d \
+                ${ROOTDIR}etc/php/7.4/cli/conf.d \
                 ${ROOTDIR}etc/php/7.0/fpm/conf.d \
                 ${ROOTDIR}etc/php/7.1/fpm/conf.d \
                 ${ROOTDIR}etc/php/7.2/fpm/conf.d \
                 ${ROOTDIR}etc/php/7.3/fpm/conf.d \
+                ${ROOTDIR}etc/php/7.4/fpm/conf.d \
                 ${ROOTDIR}etc/php.d \
-                ${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php55/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php56/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.d \
+                ${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.d \
-                ${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php73/root/etc/php.d \
+                ${ROOTDIR}opt/cpanel/ea-php55/root/etc/php.d \
+                ${ROOTDIR}opt/cpanel/ea-php56/root/etc/php.d \
+                ${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.d \
+                ${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.d \
+                ${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.d \
+                ${ROOTDIR}opt/cpanel/ea-php73/root/etc/php.d \
+                ${ROOTDIR}opt/cpanel/ea-php74/root/etc/php.d \
                 ${ROOTDIR}opt/alt/php44/etc/php.d.all \
                 ${ROOTDIR}opt/alt/php51/etc/php.d.all \
                 ${ROOTDIR}opt/alt/php52/etc/php.d.all \
@@ -144,14 +177,21 @@
                 ${ROOTDIR}opt/alt/php71/etc/php.d.all \
                 ${ROOTDIR}opt/alt/php72/etc/php.d.all \
                 ${ROOTDIR}opt/alt/php73/etc/php.d.all \
+                ${ROOTDIR}opt/alt/php74/etc/php.d.all \
                 ${ROOTDIR}usr/local/lib/php.conf.d \
                 ${ROOTDIR}usr/local/php70/lib/php.conf.d \
                 ${ROOTDIR}usr/local/php71/lib/php.conf.d \
                 ${ROOTDIR}usr/local/php72/lib/php.conf.d \
-                ${ROOTDIR}usr/local/php73/lib/php.conf.d"
+                ${ROOTDIR}usr/local/php73/lib/php.conf.d \
+                ${ROOTDIR}usr/local/php74/lib/php.conf.d"
     # HEADS-UP: OpenBSD, last two releases are supported, and snapshots of -current
     PHPINIDIRS="${PHPINIDIRS} \
-                ${ROOTDIR}etc/php-5.6 ${ROOTDIR}etc/php-7.0 ${ROOTDIR}etc/php-7.1 ${ROOTDIR}etc/php-7.2 ${ROOTDIR}etc/php-7.3"
+                ${ROOTDIR}etc/php-5.6 \
+                ${ROOTDIR}etc/php-7.0 \
+                ${ROOTDIR}etc/php-7.1 \
+                ${ROOTDIR}etc/php-7.2 \
+                ${ROOTDIR}etc/php-7.3 \
+                ${ROOTDIR}etc/php-7.4"
 #
 #################################################################################
 #
@@ -291,6 +331,12 @@
     if [ ${SKIPTEST} -eq 0 ]; then
         FOUND=0
         for FILE in ${PHPINI_ALLFILES}; do
+            # Don't look at this setting in cli configuration
+            case "${FILE}" in
+                */cli/*)
+                    continue
+                    ;;
+            esac
             LogText "Test: Checking file ${FILE}"
             FIND=$(${EGREPBINARY} -i 'expose_php.*(on|yes|1)' ${FILE} | ${GREPBINARY} -v '^;')
             if HasData "${FIND}"; then
@@ -457,6 +503,42 @@
     #fi
 #
 #################################################################################
+#
+    # Test        : PHP-2382
+    # Description : Check listen option
+    # Background  : https://github.com/CISOfy/lynis/issues/837
+    if [ -n "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+    Register --test-no PHP-2382 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP expose_php option"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        FOUND=0
+        for FILE in ${PHPINI_ALLFILES}; do
+            # Don't look at this setting in cli configuration
+            case "${FILE}" in
+                */cli/*)
+                    continue
+                    ;;
+            esac
+            LogText "Test: Checking file ${FILE}"
+            FIND=$(${EGREPBINARY} -i "^listen = [0-9]{1,5}$" ${FILE})
+            if HasData "${FIND}"; then
+                LogText "Result: found listen on just a port number"
+                LogText "Data: ${FIND}"
+                LogText "Note: when possible, limit access to just localhost, so it can't be accessed from outside"
+                FOUND=1
+            fi
+        done
+
+        if [ ${FOUND} -eq 1 ]; then
+            Display --indent 4 --text "- Checking listen option" --result "${STATUS_SUGGESTION}" --color YELLOW
+            #ReportSuggestion "${TEST_NO}" "Limit the listening of FastCGI to just localhost or a local socket" "listen = 127.0.0.1:9000" "-"
+            AddHP 1 3
+        else
+            Display --indent 4 --text "- Checking listen option" --result "${STATUS_OK}" --color GREEN
+            AddHP 2 2
+        fi
+    fi
+#
+#################################################################################
 #
 
 WaitForKeyPress

include/tests_ports_packages

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -22,7 +22,7 @@
 #
 #################################################################################
 #
-    InsertSection "Ports and packages"
+    InsertSection "${SECTION_PORTS_AND_PACKAGES}"
     PACKAGE_MGR_PKG=0
     PACKAGE_AUDIT_TOOL=""
     PACKAGE_AUDIT_TOOL_FOUND=0
@@ -38,7 +38,7 @@
     # Test        : PKGS-7301
     # Description : Query FreeBSD pkg
     if [ -x ${ROOTDIR}usr/sbin/pkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
-    Register --test-no PKGS-7301 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query NetBSD pkg"
+    Register --test-no PKGS-7301 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query FreeBSD pkg"
     if [ ${SKIPTEST} -eq 0 ]; then
         FIND=$(pkg -N 2>&1; echo $?)
         if [ "${FIND}" = "0" ]; then
@@ -982,9 +982,19 @@
 #################################################################################
 #
     # Test        : PKGS-7388
-    # Description : Check security repository in Debian/ubuntu apt sources.list file
+    # Description : Check security repository in Debian/Ubuntu apt sources.list file
-    if [ -f ${ROOTDIR}etc/apt/sources.list -a -d ${ROOTDIR}etc/apt/sources.list.d ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+    PREQS_MET="NO"
-    Register --test-no PKGS-7388 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check security repository in Debian/ubuntu apt sources.list file"
+    if [ -f ${ROOTDIR}etc/apt/sources.list -a -d ${ROOTDIR}etc/apt/sources.list.d ]; then
+        case "${LINUX_VERSION}" in
+            "Debian" | "Linux Mint" | "Ubuntu")
+                PREQS_MET="YES"
+            ;;
+            *)
+                LogText "Skipping test, although sources.list or sources.list.d exists. This specific OS version most likely has no security repository"
+            ;;
+        esac
+    fi
+    Register --test-no PKGS-7388 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check security repository in apt sources.list file"
     if [ $SKIPTEST -eq 0 ]; then
         FOUND=0
         if [ ${OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY} -eq 0 ]; then
@@ -1222,7 +1232,7 @@
             ReportSuggestion "${TEST_NO}" "Install a package audit tool to determine vulnerable packages"
             LogText "Result: no package audit tool found"
         else
-            Display --indent 2 --text "- Checking package audit tool" --result INSTALLED --color GREEN
+            Display --indent 2 --text "- Checking package audit tool" --result "${STATUS_INSTALLED}" --color GREEN
             Display --indent 4 --text "Found: ${PACKAGE_AUDIT_TOOL}"
             LogText "Result: found package audit tool: ${PACKAGE_AUDIT_TOOL}"
         fi
@@ -1279,7 +1289,7 @@
             KERNELS=$(${ZYPPERBINARY} --non-interactive -n se --type package --match-exact --installed-only "kernel-default" 2> /dev/null | ${GREPBINARY} "kernel-default" | ${WCBINARY} -l)
             if [ ${KERNELS} -eq 0 ]; then
                 LogText "Result: found no kernels from zypper output, which is unexpected."
-                ReportException "KRNL-5840:3" "Could not find any kernel packages via package manager. Maybe using a different kernel package?"
+                ReportException "${TEST_NO}" "Could not find any kernel packages via package manager. Maybe using a different kernel package?"
             elif [ ${KERNELS} -gt 3 ]; then
                 LogText "Result: found more than 5 kernel packages on the system, which might indicate lack of regular cleanups"
                 ReportSuggestion "${TEST_NO}" "Remove any unneeded kernel packages"
@@ -1289,7 +1299,19 @@
         fi
 
         if [ ${KERNELS} -eq 0 -a ${TESTED} -eq 1 ]; then
-            ReportException "KRNL-5840:1" "Could not find any kernel packages via package manager"
+            # Only report exception if there are kernels actually there. For example, LXC use the kernel of host system
+            case "${OS}" in
+                "Linux")
+                    if [ -d "${ROOTDIR}boot" ]; then
+                        if [ -z "$(${FINDBINARY} /boot -maxdepth 1 -type f -name 'vmlinuz*' -print -quit)" ]; then
+                            ReportException "${TEST_NO}" "Could not find any kernel packages via package manager"
+                        fi
+                    fi
+                ;;
+                *)
+                    ReportException "${TEST_NO}" "Could not find any kernel packages via package manager"
+                ;;
+            esac
         fi
 
         Report "installed_kernel_packages=${KERNELS}"
@@ -1347,7 +1369,7 @@
                 Display --indent 2 --text "- Toolkit for automatic upgrades (${UNATTENDED_UPGRADES_TOOL})" --result "${STATUS_FOUND}" --color GREEN
             else
                 AddHP 1 5
-                Display --indent 2 --text "- Toolkit for automatic upgrades" --result "${STATUS_NOTFOUND}" --color YELLOW
+                Display --indent 2 --text "- Toolkit for automatic upgrades" --result "${STATUS_NOT_FOUND}" --color YELLOW
                 LogText "Result: no toolkit for automatic updates discovered"
                 ReportSuggestion "${TEST_NO}" "Consider using a tool to automatically apply upgrades"
             fi

include/tests_printers_spoolers

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -34,7 +34,7 @@
 #
 #################################################################################
 #
-    InsertSection "Printers and Spools"
+    InsertSection "${SECTION_PRINTERS_AND_SPOOLS}"
 #
 #################################################################################
 #
@@ -134,23 +134,31 @@
 #
     # Test        : PRNT-2308
     # Description : Check CUPS daemon network configuration
+    # Notes       : Listen and SSLListen can be used
     if [ ${CUPSD_FOUND} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
     Register --test-no PRNT-2308 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check CUPSd network configuration"
     if [ ${SKIPTEST} -eq 0 ]; then
         FOUND=0
         # Checking network addresses
         LogText "Test: Checking CUPS daemon listening network addresses"
-        FIND=$(${GREPBINARY} "^Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} -v "/" | ${AWKBINARY} '{ print $2 }')
+        FIND=$(${EGREPBINARY} "^(SSL)?Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} -v "/" | ${AWKBINARY} '{ print $2 }')
         COUNT=0
         for ITEM in ${FIND}; do
-            LogText "Found network address: ${ITEM}"
+            LogText "Result: found network address: ${ITEM}"
             COUNT=$((COUNT + 1))
             FOUND=1
         done
 
-        # Check if daemon is only running on localhost
+        # Search for Port statement
+        FIND=$(${EGREPBINARY} "^Port 631" ${CUPSD_CONFIG_FILE})
+        if [ -n "${FIND}" ]; then
+            LogText "Result: found CUPS listening on port 631 (most likely all interfaces)"
+            FOUND=1
+        fi
+
+        # Check if daemon might be running on localhost
         if [ ${FOUND} -eq 0 ]; then
-            LogText "Result: no listen statement found in CUPS configuration file"
+            LogText "Result: CUPS does not look to be listening on a network port"
         elif [ ${COUNT} -eq 1 ]; then
             if [ "${FIND}" = "localhost:631" -o "${FIND}" = "127.0.0.1:631" ]; then
                 LogText "Result: CUPS daemon only running on localhost"

include/tests_scheduling

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -22,7 +22,7 @@
 #
 #################################################################################
 #
-    InsertSection "Scheduled tasks"
+    InsertSection "${SECTION_SCHEDULED_TASKS}"
 #
 #################################################################################
 #

include/tests_shells

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -23,7 +23,7 @@
 #################################################################################
 #
     IDLE_TIMEOUT=0
-    InsertSection "Shells"
+    InsertSection "${SECTION_SHELLS}"
 #
 #################################################################################
 #
@@ -115,7 +115,7 @@
         if IsRunning "autolog"; then
             IDLE_TIMEOUT=1
             LogText "Result: found autolog process to kill idle sessions"
-            Report="session_timeout_method[]=autolog"
+            Report "session_timeout_method[]=autolog"
             IDLE_TIMEOUT_METHOD="autolog"
         fi
 
@@ -282,4 +282,4 @@ WaitForKeyPress
 
 #
 #================================================================================
-# Lynis - Copyright 2007-2019, CISOfy - http://cisofy.com
+# Lynis - Copyright 2007-2020, CISOfy - http://cisofy.com

include/tests_snmp

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -28,7 +28,7 @@
 #
 #################################################################################
 #
-    InsertSection "SNMP Support"
+    InsertSection "${SECTION_SNMP_SUPPORT}"
 
     # Test        : SNMP-3302
     # Description : Check for a running SNMP daemon
@@ -104,4 +104,4 @@ WaitForKeyPress
 
 #
 #================================================================================
-# Lynis - Copyright 2007-2019 Michael Boelen, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2020 Michael Boelen, CISOfy - https://cisofy.com

include/tests_squid

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -29,7 +29,7 @@
 #
 #################################################################################
 #
-    InsertSection "Squid Support"
+    InsertSection "${SECTION_SQUID_SUPPORT}"
 #
 #################################################################################
 #
@@ -325,4 +325,4 @@ WaitForKeyPress
 
 #
 #================================================================================
-# Lynis - Copyright 2007-2019 Michael Boelen, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2020 Michael Boelen, CISOfy - https://cisofy.com

include/tests_ssh

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -34,7 +34,7 @@
 #
 #################################################################################
 #
-    InsertSection "SSH Support"
+    InsertSection "${SECTION_SSH_SUPPORT}"
 #
 #################################################################################
 #
@@ -117,7 +117,7 @@
     # Test        : SSH-7408
     # Description : Check SSH specific defined options
     # Notes       : Instead of parsing the configuration file, we query the SSH daemon itself
-    if [ ${OPENSSHD_RUNNING} -eq 1 -a -n "${SSH_DAEMON_OPTIONS_FILE}" -a ${OPENSSHD_VERSION_MAJOR} -ge 5 -a ${OPENSSHD_VERSION_MINOR} -ge 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+    if [ ${OPENSSHD_RUNNING} -eq 1 -a -n "${SSH_DAEMON_OPTIONS_FILE}" -a \( ${OPENSSHD_VERSION_MAJOR} -gt 5 -o ${OPENSSHD_VERSION_MAJOR} -eq 5 -a ${OPENSSHD_VERSION_MINOR} -ge 1 \) ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
     Register --test-no SSH-7408 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SSH specific defined options"
     if [ ${SKIPTEST} -eq 0 ]; then
         LogText "Test: Checking specific defined options in ${SSH_DAEMON_OPTIONS_FILE}"
@@ -151,7 +151,6 @@
                 StrictModes:YES,,NO:=\
                 TCPKeepAlive:NO,,YES:=\
                 UseDNS:NO,,YES:=\
-                VerifyReverseMapping:YES,,NO:=\
                 X11Forwarding:NO,,YES:=\
                 AllowAgentForwarding:NO,,YES:="
 

include/tests_storage

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -18,7 +18,7 @@
 #
 #################################################################################
 #
-    InsertSection "Storage"
+    InsertSection "${SECTION_STORAGE}"
 #
 #################################################################################
 #
@@ -59,7 +59,7 @@
 
         if [ ${FOUND} -eq 0 ]; then
             LogText "Result: firewire ohci driver is not explicitly disabled"
-            Display --indent 2 --text "- Checking firewire ohci driver (modprobe config)" --result "NOT DISABLED" --color WHITE
+            Display --indent 2 --text "- Checking firewire ohci driver (modprobe config)" --result "${STATUS_NOT_DISABLED}" --color WHITE
             ReportSuggestion "${TEST_NO}" "Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft"
             # after blacklisting modules, make sure to remove them from the initram filesystem: update-initramfs -u
             AddHP 2 3
@@ -77,4 +77,4 @@ WaitForKeyPress
 
 #
 #================================================================================
-# Lynis - Copyright 2007-2019, CISOfy, Michael Boelen - https://cisofy.com
+# Lynis - Copyright 2007-2020, CISOfy, Michael Boelen - https://cisofy.com

include/tests_storage_nfs

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com

include/tests_system_integrity

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -25,7 +25,7 @@
 #
 #################################################################################
 #
-    InsertSection "Software: system integrity"
+    InsertSection "${SECTION_SYSTEM_INTEGRITY}"
     Display --indent 2 --text "- Checking file integrity tools"
 #
 #################################################################################
@@ -51,4 +51,4 @@
     WaitForKeyPress
 #
 #================================================================================
-# Lynis - Copyright 2007-2019 Michael Boelen, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2020 Michael Boelen, CISOfy - https://cisofy.com

include/tests_time

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -22,7 +22,7 @@
 #
 #################################################################################
 #
-    InsertSection "Time and Synchronization"
+    InsertSection "${SECTION_TIME_AND_SYNCHRONIZATION}"
 #
 #################################################################################
 #
@@ -36,6 +36,7 @@
     NTP_CONFIG_TYPE_EVENTBASED=0
     NTP_CONFIG_TYPE_STARTUP=0
     NTPD_RUNNING=0 # Specific for ntpd
+    OPENNTPD_COMMUNICATION=0 # if ntpctl can communicate
     SYSTEMD_NTP_ENABLED=0
 #
 #################################################################################
@@ -79,9 +80,36 @@
             Display --indent 2 --text "- NTP daemon found: dntpd" --result "${STATUS_FOUND}" --color GREEN
         fi
 
-        # Check running processes
+        # Check for OpenNTPD, ntpctl comes with a "regular" install
-        FIND=$(${PSBINARY} ax | ${GREPBINARY} "ntpd" | ${GREPBINARY} -v "dntpd" | ${GREPBINARY} -v "grep")
+        if [ -n "${NTPCTLBINARY}" ]; then
-        if [ -n "${FIND}" ]; then
+            # In contrast to timectl, "synchronised: yes" is not grepped.
+            # Reason: openntpd syncs only if large time corrections are not required or -s is passed.
+            #         This might be not intended by the administrator (-s is NOT the default!)
+            FIND=$(${PSBINARY} ax | ${GREPBINARY} "ntpd: ntp engine" | ${GREPBINARY} -v "grep")
+            # Status code 0 is when communication over the socket is successful
+            if ${NTPCTLBINARY} -s status > /dev/null 2> /dev/null; then
+                FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="openntpd"
+                LogText "result: found openntpd (method: ntpctl)"
+                OPENNTPD_COMMUNICATION=1
+            elif [ -n "${FIND}" ] ; then
+                # Reasons for ntpctl to fail might be someone spawned a new process thus overwriting the socket,
+                # then ended it, but another openntpd process is still running
+                FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="openntpd"
+                LogText "result: found openntpd (method: ps)"
+            else
+                LogText "result: running openntpd not found, but ntpctl is installed"
+            fi
+
+            if [ "${NTP_DAEMON}" = "openntpd" ]; then
+                Display --indent 2 --text "- NTP daemon found: OpenNTPD" --result "${STATUS_FOUND}" --color GREEN
+            fi
+        fi
+
+        # Check running processes (ntpd from ntp.org)
+        # As checking by process name is ambiguous (openntpd has the same process name),
+        # this check will be skipped if openntpd has been found.
+        FIND=$(${PSBINARY} ax | ${GREPBINARY} "ntpd" | ${GREPBINARY} -v "dntpd" | ${GREPBINARY} -v "ntpd: " | ${GREPBINARY} -v "grep")
+        if [ "${NTP_DAEMON}" != "openntpd" ] && [  -n "${FIND}" ]; then
             FOUND=1; NTPD_RUNNING=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1
             NTP_DAEMON="ntpd"
             LogText "Result: found running NTP daemon in process list"
@@ -95,70 +123,54 @@
         fi
 
         # Check timedate daemon (systemd)
-        if [ -n "${TIMEDATECTL}" ]; then
+        FIND=$(${PSBINARY} ax | ${GREPBINARY} "systemd-timesyncd" | ${GREPBINARY} -v "grep")
-            FIND=$(${TIMEDATECTL} status | ${EGREPBINARY} "(NTP|System clock) synchronized: yes")
         if [  -n "${FIND}" ]; then
-                # Check for systemd-timesyncd
-                if [ -f ${ROOTDIR}etc/systemd/timesyncd.conf ]; then
-                    LogText "Result: found ${ROOTDIR}etc/systemd/timesyncd.conf"
             FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="systemd-timesyncd"
             Display --indent 2 --text "- NTP daemon found: systemd (timesyncd)" --result "${STATUS_FOUND}" --color GREEN
-                    SYSTEMD_NTP_ENABLED=1
+            LogText "Result: Found running systemd-timesyncd in process list"
-                else
-                    LogText "Result: ${ROOTDIR}etc/systemd/timesyncd.conf does not exist"
-                fi
-            else
-                LogText "Result: time synchronization not performed according timedatectl command"
-            fi
-        else
-            LogText "Result: timedatectl command not available on this system"
         fi
 
         # Check crontab for OpenBSD/FreeBSD
         # Check anacrontab for Linux
         CRONTAB_FILES="/etc/anacrontab /etc/crontab"
+        # Regex for matching multiple time synchronisation binaries
+        # Partial sanity check for sntp and ntpdig, but this does not consider all corner cases
+        CRONTAB_REGEX='ntpdate|rdate|sntp.+-(s|j|--adj)|ntpdig.+-(S|s)'
         for I in ${CRONTAB_FILES}; do
             if [ -f ${I} ]; then
-                LogText "Test: checking for ntpdate or rdate in crontab file ${I}"
+                LogText "Test: checking for ntpdate, rdate, sntp or ntpdig in crontab file ${I}"
-                FIND=$(${EGREPBINARY} "ntpdate|rdate" ${I} | ${GREPBINARY} -v '^#')
+                FIND=$(${EGREPBINARY} "${CRONTAB_REGEX}" ${I} | ${GREPBINARY} -v '^#')
                 if [ -n "${FIND}" ]; then
                     FOUND=1; NTP_CONFIG_TYPE_SCHEDULED=1
                     Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "${STATUS_FOUND}" --color GREEN
-                    LogText "Result: found ntpdate or rdate reference in crontab file ${I}"
+                    LogText "Result: found ntpdate, rdate, sntp or ntpdig reference in crontab file ${I}"
                 else
                     #Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "${STATUS_NOT_FOUND}" --color WHITE
-                    LogText "Result: no ntpdate or rdate reference found in crontab file ${I}"
+                    LogText "Result: no ntpdate, rdate, sntp or ntpdig reference found in crontab file ${I}"
                 fi
             else
                 LogText "Result: crontab file ${I} not found"
             fi
         done
 
-        # Don't run check in cron job directory on Solaris
+        # Notes: only test for normal files. File /etc/cron.d/FIFO on solaris is a special file and test may hang
-        # /etc/cron.d/FIFO is a special file and test get stuck at this file
+        # Linux systems may have a .placeholder file
         FOUND_IN_CRON=0
 
         # Check cron jobs
         for I in ${CRON_DIRS}; do
-            if [ -d ${I} ]; then
+            for J in "${I}"/*; do  # iterate over folders in a safe way
-                if FileIsReadable ${I}; then
+                # Check: regular file, readable and not called .placeholder
-                    FIND=$(${LSBINARY} ${I} | ${GREPBINARY} -v FIFO)
+                FIND=$(echo "${J}" | ${EGREPBINARY} '/.placeholder$')
+                if [ -f "${J}" ] && [ -r "${J}" ] && [ -z "${FIND}" ]; then
+                    LogText "Test: checking for ntpdate, rdate, sntp or ntpdig in ${J}"
+                    FIND=$("${EGREPBINARY}" "${CRONTAB_REGEX}" "${J}" | "${GREPBINARY}" -v "^#")
                     if [ -n "${FIND}" ]; then
-                        for J in ${FIND}; do
-                            LogText "Test: checking for ntpdate or rdate in ${I}/${J}"
-                            FIND2=$(${EGREPBINARY} "rdate|ntpdate" ${I}/${J} | ${GREPBINARY} -v "^#")
-                            if [ -n "${FIND2}" ]; then
-                                LogText "Positive match found: ${FIND2}"
                         FOUND=1; FOUND_IN_CRON=1; NTP_CONFIG_TYPE_SCHEDULED=1
+                        LogText "Result: found ntpdate, rdate, sntp or ntpdig in ${J}"
+                    fi
                 fi
             done
-                    else
-                        LogText "Result: ${I} is empty, skipping search in directory"
-                    fi
-                else
-                    LogText "Result: could not search in directory due to permissions"
-                fi
-            fi
         done
 
         if [ ${FOUND_IN_CRON} -eq 1 ]; then
@@ -476,7 +488,8 @@
     #               Other should preferably have no access, or read-only at max
 
     FILE_ARRAY="${ROOTDIR}etc/chrony.conf ${ROOTDIR}usr/pkg/etc/chrony.conf \
-        ${ROOTDIR}etc/inet/ntp.conf ${ROOTDIR}etc/ntp.conf ${ROOTDIR}usr/local/etc/ntp.conf"
+        ${ROOTDIR}etc/inet/ntp.conf ${ROOTDIR}etc/ntp.conf ${ROOTDIR}usr/local/etc/ntp.conf\
+        ${ROOTDIR}etc/ntpd.conf ${ROOTDIR}etc/openntpd/ntpd.conf ${ROOTDIR}usr/local/etc/ntpd.conf"
 
     Register --test-no TIME-3170 --weight L --network NO --category security --description "Check configuration files"
     if [ ${SKIPTEST} -eq 0 ]; then
@@ -494,6 +507,106 @@
 #
 #################################################################################
 #
+    # Test        : TIME-3180
+    # Description : Report if ntpctl cannot communicate with OpenNTPD
+    if [ "${NTP_DAEMON_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" = "openntpd" ]; then
+        PREQS_MET="YES"
+    else
+        PREQS_MET="NO"
+    fi
+    Register --test-no TIME-3180 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Report if ntpctl cannot communicate with OpenNTPD"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        if [ "${OPENNTPD_COMMUNICATION}" -eq 0 ]; then
+            ReportWarning "${TEST_NO}" "OpenNTPD found, but ntpctl cannot communicate with" "${NTPCTLBINARY} -s status" "Restart OpenNTPD"
+        fi
+    fi
+#
+#################################################################################
+#
+    # Test        : TIME-3181
+    # Description : Check status of OpenNTPD time synchronisation
+    if [ "${NTP_DAEMON_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" = "openntpd" ] && [ "${OPENNTPD_COMMUNICATION}" -eq 1 ]; then
+        PREQS_MET="YES"
+    else
+        PREQS_MET="NO"
+    fi
+
+    Register --test-no TIME-3181 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check status of OpenNTPD time synchronisation"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        FIND=$(${NTPCTLBINARY} -s status | ${GREPBINARY} "clock synced" )
+        if [ -z "${FIND}" ]; then
+            ReportWarning "${TEST_NO}" "OpenNTPD is not synchronising system time" "${NTPCTLBINARY} -s status" "text:Set time manually once or check network connectivity."
+        fi
+    fi
+#
+#################################################################################
+#
+    # Test        : TIME-3182
+    # Description : Check OpenNTPD has working peers
+
+    if [ "${NTP_DAEMON_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" = "openntpd" ] && [ "${OPENNTPD_COMMUNICATION}" -eq 1 ]; then
+        PREQS_MET="YES"
+    else
+        PREQS_MET="NO"
+    fi
+
+    Register --test-no TIME-3182 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check OpenNTPD has working peers"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        # Format is "xx/yy peers valid, ..."
+        FIND=$(${NTPCTLBINARY} -s status | ${EGREPBINARY} -o '[0-9]+/[0-9]+' | ${CUTBINARY} -d '/' -f 1)
+        if [ -z "${FIND}" ] || [ "${FIND}" -eq 0 ]; then
+            ReportWarning "${TEST_NO}" "OpenNTPD has no peers" "${NTPCTLBINARY} -s status"
+        fi
+    fi
+
+#
+#################################################################################
+#
+
+    # Test        : TIME-3185
+    # Description : Check systemd-timesyncd synchronized time
+
+    if [ "${NTP_DAEMON}" = "systemd-timesyncd" ]; then
+        PREQS_MET="YES"
+    else
+        PREQS_MET="NO"
+    fi
+
+
+    Register --test-no TIME-3185 --preqs-met "${PREQS_MET}" --weight L --network NO --category "security" --description "Check systemd-timesyncd synchronized time"
+    SYNCHRONIZED_FILE="/run/systemd/timesync/synchronized"
+       
+    if [ ${SKIPTEST} -eq 0 ]; then
+        # On earlier systemd versions (237), '/run/systemd/timesync/synchronized' does not exist, so use '/var/lib/systemd/timesync/clock'
+        if [ ! -e "${SYNCHRONIZED_FILE}" ]; then
+            SYNCHRONIZED_FILE="/var/lib/systemd/timesync/clock"
+        fi
+        # DynamicUser=yes moves the clock file to '/var/lib/private/systemd/timesync/clock'
+        if [ ! -e "${SYNCHRONIZED_FILE}" ]; then
+            SYNCHRONIZED_FILE="/var/lib/private/systemd/timesync/clock"
+        fi
+        if [ -e "${SYNCHRONIZED_FILE}" ]; then
+           FIND=$(( $(date +%s) - $(${STATBINARY} -L --format %Y "${SYNCHRONIZED_FILE}") ))
+           # Check if last sync was more than 2048 seconds (= the default of systemd) ago
+           if [ "${FIND}" -ge 2048 ]; then
+               COLOR=RED
+               ReportWarning "${TEST_NO}" "systemd-timesyncd did not synchronized the time recently."
+           else
+               COLOR=GREEN
+           fi
+           Display --indent 2 --text "- Last time synchronization" --result "${FIND}s" --color "${COLOR}"
+           LogText "Result: systemd-timesyncd synchronized time ${FIND} seconds ago."
+        else
+           Display --indent 2 --text "- Last time synchronization" --result "${STATUS_NOT_FOUND}" --color RED
+           ReportWarning "${TEST_NO}" "systemd-timesyncd never successfully synchronized time"
+        fi
+    fi
+    unset SYNCHRONIZED_FILE
+
+#
+#################################################################################
+#
+
     Report "ntp_config_found=${NTP_CONFIG_FOUND}"
     Report "ntp_config_type_daemon=${NTP_CONFIG_TYPE_DAEMON}"
     Report "ntp_config_type_eventbased=${NTP_CONFIG_TYPE_EVENTBASED}"

include/tests_tooling

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -37,7 +37,7 @@
 #
 #################################################################################
 #
-    InsertSection "Software: System tooling"
+    InsertSection "${SECTION_SYSTEM_TOOLING}"
 #
 #################################################################################
 #
@@ -372,6 +372,33 @@
     fi
 #
 #################################################################################
+#
+    # Test        : TOOL-5130
+    # Description : Check for Suricata
+    Register --test-no TOOL-5130 --weight L --network NO --category security --description "Check for active Suricata daemon"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        # Suricata presence
+        if [ -n "${SURICATABINARY}" ]; then
+            Report "ids_ips_tooling[]=suricata"
+            LogText "Result: Suricata is installed (${SURICATABINARY})"
+            # Suricata status
+            # Suricata sets its process name to Suricata-Main on Linux, but this might differ on other platforms,
+            # so fall back to checking the full commandline instead if the first test fails
+            if IsRunning "Suricata-Main" || IsRunning --full "${SURICATABINARY} "; then
+                # Only satisfy test TOOL-5190 if Suricata is actually running
+                IDS_IPS_TOOL_FOUND=1
+                LogText "Result: Suricata daemon is active"
+                Display --indent 2 --text "- Checking Suricata status" --result "${STATUS_RUNNING}" --color GREEN
+            else
+                LogText "Result: Suricata daemon not active"
+                Display --indent 2 --text "- Checking Suricata status" --result "${STATUS_NOT_RUNNING}" --color YELLOW
+            fi
+        else
+            LogText "Result: Suricata not installed (suricata not found)"
+        fi
+    fi
+#
+#################################################################################
 #
     # Test        : TOOL-5160
     # Description : Check for OSSEC

include/tests_usb

@@ -19,7 +19,7 @@
 #
 #################################################################################
 #
-    InsertSection "USB Devices"
+    InsertSection "${SECTION_USB_DEVICES}"
 #
 #################################################################################
 #
@@ -73,7 +73,7 @@
         fi
         if [ ${FOUND} -eq 0 ]; then
             LogText "Result: usb-storage driver is not explicitly disabled"
-            Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "NOT DISABLED" --color WHITE
+            Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "${STATUS_NOT_DISABLED}" --color WHITE
             if [ "${USBGUARD_FOUND}" -eq "0" ]; then
                 ReportSuggestion "${TEST_NO}" "Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft"
             fi
@@ -91,22 +91,26 @@
     # Description : Check USB authorizations
     Register --test-no USB-2000 --os Linux --weight L --network NO --category security --description "Check USB authorizations"
     if [ ${SKIPTEST} -eq 0 ]; then
-        LogText "Test: Checking USB devices authorization to connect to the system"
         FOUND=0
-        USBDEVICESPATH="${ROOTDIR}sys/bus/usb/devices/usb"
+        USBDEVICESPATH="${ROOTDIR}sys/bus/usb/devices"
-        for device in "${USBDEVICESPATH}"*; do
+        LogText "Test: checking presence of USB devices path (${USBDEVICESPATH})"
+        if [ -d "${USBDEVICESPATH}" ]; then
+
+            LogText "Test: Checking USB devices authorization to connect to the system"
+            for device in $(find ${USBDEVICESPATH} -name "usb*" -type l -print); do
                 if [ -e "${device}/authorized" -o -e "${device}/authorized_default" ]; then
                     if [ "$(cat "${device}/authorized_default")" = "1" ]; then
                         FOUND=1
-                    LogText "Test: ${device} is authorized by default"
+                        LogText "Test: ${device} is authorized by default (authorized_default=1)"
                         Report "usb_authorized_default_device[]=${device}"
-                elif [ "$(cat "${device}/authorized")" = "1" ]; then
+                    fi
+                    if [ "$(cat "${device}/authorized")" = "1" ]; then
                         FOUND=1
-                    LogText "Test: ${device} is authorized currently"
+                        LogText "Test: ${device} is authorized currently (authorized=1)"
                         Report "usb_authorized_device[]=${device}"
                     fi
                 else
-                LogText "Test: ${device} is authorized by default"
+                    LogText "Test: no authorized or authorized_default file, assuming ${device} is authorized by default"
                     Report "usb_authorized_default_device[]=${device}"
                     FOUND=1
                 fi
@@ -115,7 +119,7 @@
             if [ ${FOUND} -eq 1 ]; then
                 LogText "Result: Some USB devices are authorized by default (or temporary) to connect to the system"
                 Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_ENABLED}" --color YELLOW
-            # To-Be-Added: create documentation and enable the suggestion
+                # TODO: create documentation and enable the suggestion
                 #if [ ${USBGUARD_FOUND} -eq 0 ]; then
                 #   ReportSuggestion "${TEST_NO}" "Disable USB devices authorization, to prevent unauthorized storage or data theft"
                 #fi
@@ -125,6 +129,9 @@
                 Display --indent 2 --text "- Checking USB devices authorization" --result "${STATUS_DISABLED}" --color GREEN
                 AddHP 3 3
             fi
+        else
+            LogText "Result: devices path does not exist"
+        fi
     fi
 
 #

include/tests_virtualization

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -22,7 +22,7 @@
 #
 #################################################################################
 #
-    InsertSection "Virtualization"
+    InsertSection "${SECTION_VIRTUALIZATION}"
 #
 #################################################################################
 #

include/tests_webservers

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com
@@ -22,7 +22,7 @@
 #
 #################################################################################
 #
-    InsertSection "Software: webserver"
+    InsertSection "${SECTION_WEBSERVER}"
 #
 #################################################################################
 #

include/tool_tips

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2019, CISOfy
+# Copyright 2007-2020, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com

lynis

@@ -43,16 +43,16 @@
     PROGRAM_WEBSITE="https://cisofy.com/lynis/"
 
     # Version details
-    PROGRAM_RELEASE_DATE="2019-11-18"
+    PROGRAM_RELEASE_DATE="2020-10-05"
-    PROGRAM_RELEASE_TIMESTAMP=1574071362
+    PROGRAM_RELEASE_TIMESTAMP=1601896929
     PROGRAM_RELEASE_TYPE="pre-release" # pre-release or release
-    PROGRAM_VERSION="3.0.0"
+    PROGRAM_VERSION="3.0.2"
 
     # Source, documentation and license
     PROGRAM_SOURCE="https://github.com/CISOfy/lynis"
     PROGRAM_PACKAGE="https://packages.cisofy.com/"
     PROGRAM_DOCUMENTATION="https://cisofy.com/docs/"
-    PROGRAM_COPYRIGHT="2007-2019, ${PROGRAM_AUTHOR} - ${PROGRAM_WEBSITE}"
+    PROGRAM_COPYRIGHT="2007-2020, ${PROGRAM_AUTHOR} - ${PROGRAM_WEBSITE}"
     PROGRAM_LICENSE="${PROGRAM_NAME} comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
   welcome to redistribute it under the terms of the GNU General Public License.
   See the LICENSE file for details about using this software."
@@ -216,7 +216,7 @@
 
     # Extract the short notation of the language (first two characters).
     if [ -x "$(command -v locale 2> /dev/null)" ]; then
-        LANGUAGE=$(locale | egrep "^LANG=" | cut -d= -f2 | cut -d_ -f1 | egrep "^[a-z]{2}$")
+        LANGUAGE=$(locale | egrep "^LANG=" | cut -d= -f2 | cut -d_ -f1 | tr -d '"' | egrep "^[a-z]{2}$")
         # Try locale command if shell variable had no value
         if [ -z "${DISPLAY_LANG}" ]; then
             DISPLAY_LANG=$(locale | egrep "^LANG=" | cut -d= -f2)
@@ -241,6 +241,11 @@
         echo "Could not find languages directory (file: ${DBDIR}/languages/en)"
         exit 1
     fi
+
+    # Now that we have determined the language, we unset it from shell
+    # Some tools with translated strings are very hard to parse
+    unset LANG
+
 #
 #################################################################################
 #
@@ -267,21 +272,21 @@
     # Disable logging if no alternative was provided
     if [ ${PRIVILEGED} -eq 0 ]; then
         if [ -z "${LOGFILE}" ]; then
-            # Try creating a log file in temporary directory
+            # Try creating a log file in home directory
-            if [ ! -f /tmp/lynis.log ]; then
+            if [ ! -f "$HOME/lynis.log" ]; then
-                if [ -L /tmp/lynis.log ]; then echo "Log file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi
+                if [ -L "$HOME/lynis.log" ]; then echo "Log file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi
-                touch /tmp/lynis.log
+                touch "$HOME/lynis.log"
-                if [ $? -eq 0 ]; then LOGFILE="/tmp/lynis.log"; else LOGFILE="/dev/null"; fi
+                if [ $? -eq 0 ]; then LOGFILE="$HOME/lynis.log"; else LOGFILE="/dev/null"; fi
             else
-                LOGFILE="/tmp/lynis.log"
+                LOGFILE="$HOME/lynis.log"
             fi
         else
             if [ -L "${LOGFILE}" ]; then echo "Log file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi
         fi
         if [ -z "${REPORTFILE}" ]; then
-            touch /tmp/lynis-report.dat
+            touch "$HOME/lynis-report.dat"
-            if [ -L /tmp/lynis-report.dat ]; then echo "Report file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi
+            if [ -L "$HOME/lynis-report.dat" ]; then echo "Report file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi
-            if [ $? -eq 0 ]; then REPORTFILE="/tmp/lynis-report.dat"; else REPORTFILE="/dev/null"; fi
+            if [ $? -eq 0 ]; then REPORTFILE="$HOME/lynis-report.dat"; else REPORTFILE="/dev/null"; fi
         else
             if [ -L "${REPORTFILE}" ]; then echo "Report file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi
         fi
@@ -436,7 +441,6 @@ ${YELLOW}Note: ${WHITE}Cancelling the program can leave temporary files behind${
 
     ${WHITE}Layout options${NORMAL}
     ${GRAY}--no-colors${NORMAL}                       : Don't use colors in output
-    ${GRAY}--no-colours${NORMAL}                      : Don't use colours in output
     ${GRAY}--quiet (-q)${NORMAL}                      : No output
     ${GRAY}--reverse-colors${NORMAL}                  : Optimize color display for light backgrounds
     ${GRAY}--reverse-colours${NORMAL}                 : Optimize colour display for light backgrounds
@@ -449,6 +453,7 @@ ${YELLOW}Note: ${WHITE}Cancelling the program can leave temporary files behind${
     ${GRAY}--verbose${NORMAL}                         : Show more details on screen
     ${GRAY}--version (-V)${NORMAL}                    : Display version number and quit
     ${GRAY}--wait${NORMAL}                            : Wait between a set of tests
+    ${GRAY}--slow-warning ${BROWN}<seconds>${NORMAL}  : Threshold for slow test warning in seconds (default 10)
 
     ${WHITE}Enterprise options${NORMAL}
     ${GRAY}--plugindir ${BROWN}<path>${NORMAL}                : Define path of available plugins
@@ -506,7 +511,7 @@ ${NORMAL}
 #
     SafePerms ${INCLUDEDIR}/osdetection
     . ${INCLUDEDIR}/osdetection
-    Display --indent 2 --text "- Detecting OS... " --result DONE --color GREEN
+    Display --indent 2 --text "- Detecting OS... " --result "${STATUS_DONE}" --color GREEN
 
     # Check hostname
     case ${OS} in
@@ -525,6 +530,7 @@ ${NORMAL}
     if [ "${OS}" = "Linux" -a "${HOSTNAME}" = "${FQDN}" ]; then
         FQDN=$(hostname -f 2> /dev/null)
     fi
+
 #
 #################################################################################
 #
@@ -536,7 +542,7 @@ ${NORMAL}
     CDATE=$(date "+%Y-%m-%d %H:%M:%S")
     if [ ${LOGTEXT} -eq 1 ]; then echo "${CDATE} Starting ${PROGRAM_NAME} ${PROGRAM_VERSION} with PID ${OURPID}, build date ${PROGRAM_RELEASE_DATE}" > ${LOGFILE}; fi
     if [ $? -gt 0 ]; then
-        Display --indent 2 --text "- Clearing log file (${LOGFILE})... " --result WARNING --color RED
+        Display --indent 2 --text "- Clearing log file (${LOGFILE})... " --result "${STATUS_WARNING}" --color RED
         echo "${WARNING}Fatal error${NORMAL}: problem while writing to log file. Check location and permissions."
         RemovePIDFile
         exit 1
@@ -569,6 +575,7 @@ ${NORMAL}
     fi
     Report "test_category=${TEST_CATEGORY_TO_CHECK}"
     Report "test_group=${TEST_GROUP_TO_CHECK}"
+
 #
 #################################################################################
 #
@@ -582,7 +589,7 @@ ${NORMAL}
     if [ ${SET_STRICT} -eq 0 ]; then
         set +u  # Allow uninitialized variables
     else
-        set -u  # Do not allow unitialized variables
+        set -u  # Do not allow uninitialized variables
     fi
 
     # Import a different language when configured
@@ -631,6 +638,7 @@ ${NORMAL}
         echo "Make sure to execute ${PROGRAM_NAME} from untarred directory or check your installation."
         exit 1
     fi
+
 #
 #################################################################################
 #
@@ -720,7 +728,7 @@ ${NORMAL}
     fi
 
     if [ -z "${PROGRAM_AC}" -o -z "${PROGRAM_LV}" ]; then
-        Display --indent 2 --text "- Program update status... " --result UNKNOWN --color YELLOW
+        Display --indent 2 --text "- Program update status... " --result "${STATUS_UNKNOWN}" --color YELLOW
         LogText "Result: Update check failed. No network connection?"
         LogText "Info: to perform an automatic update check, outbound DNS connections should be allowed (TXT record)."
         # Set both to safe values
@@ -733,13 +741,13 @@ ${NORMAL}
             PROGRAM_MINVERSION=$((PROGRAM_LV - 10))
             LogText "Minimum required version   : ${PROGRAM_MINVERSION}"
             if [ ${PROGRAM_MINVERSION} -gt ${PROGRAM_AC} ]; then
-                Display --indent 2 --text "- Program update status... " --result "WARNING" --color RED
+                Display --indent 2 --text "- Program update status... " --result "${STATUS_WARNING}" --color RED
                 LogText "Result: This version is VERY outdated. Newer ${PROGRAM_NAME} release available!"
                 ReportWarning "LYNIS" "Version of Lynis is very old and should be updated"
                 Report "lynis_update_available=1"
                 UPDATE_AVAILABLE=1
             else
-                Display --indent 2 --text "- Program update status... " --result "UPDATE AVAILABLE" --color YELLOW
+                Display --indent 2 --text "- Program update status... " --result "${STATUS_UPDATE_AVAILABLE}" --color YELLOW
                 LogText "Result: newer ${PROGRAM_NAME} release available!"
                 ReportSuggestion "LYNIS" "Version of Lynis outdated, consider upgrading to the latest version"
                 Report "lynis_update_available=1"
@@ -747,11 +755,11 @@ ${NORMAL}
             fi
         else
             if [ ${UPDATE_CHECK_SKIPPED} -eq 0 ]; then
-                Display --indent 2 --text "- Program update status... " --result "NO UPDATE" --color GREEN
+                Display --indent 2 --text "- Program update status... " --result "${STATUS_NO_UPDATE}" --color GREEN
                 LogText "No ${PROGRAM_NAME} update available."
                 Report "lynis_update_available=0"
             else
-                Display --indent 2 --text "- Program update status... " --result "SKIPPED" --color YELLOW
+                Display --indent 2 --text "- Program update status... " --result "${STATUS_SKIPPED}" --color YELLOW
                 LogText "Update check skipped due to constraints (e.g. missing dig binary)"
                 Report "lynis_update_available=-1"
             fi
@@ -771,7 +779,7 @@ ${NORMAL}
     if [ ${NOW} -gt ${RELEASE_PLUS_TIMEDIFF} ]; then
         # Show if release is old, only if we didn't show it with normal update check
         if [ ${UPDATE_AVAILABLE} -eq 0 ]; then
-            ReportSuggestion "LYNIS" "This release is more than 4 months old. Consider upgrading"
+            ReportSuggestion "LYNIS" "This release is more than 4 months old. Check the website or GitHub to see if there is an update available."
         fi
         OLD_RELEASE=1
     fi
@@ -818,6 +826,14 @@ ${NORMAL}
 #
 #################################################################################
 #
+    # Test if we have a package manager available by testing for a dummy package (should not exist)
+    if PackageIsInstalled "__dummy__"; then
+        HAS_PACKAGE_MANAGER=1
+        LogText "Informational: package manager is used"
+    else
+        LogText "Informational: no known package manager for this system"
+    fi
+
     # Use hardware detection capabilities
     IsVirtualMachine
     if IsContainer; then
@@ -846,12 +862,12 @@ ${NORMAL}
 #################################################################################
 #
     if IsVerbose; then
-        InsertSection "Program Details"
+        InsertSection "${SECTION_PROGRAM_DETAILS}"
-        Display --indent 2 --text "- ${GEN_VERBOSE_MODE}" --result "YES" --color GREEN
+        Display --indent 2 --text "- ${GEN_VERBOSE_MODE}" --result "${STATUS_YES}" --color GREEN
         if IsDebug; then
-            Display --indent 2 --text "- ${GEN_DEBUG_MODE}" --result "YES" --color GREEN
+            Display --indent 2 --text "- ${GEN_DEBUG_MODE}" --result "${STATUS_YES}" --color GREEN
         else
-            Display --indent 2 --text "- ${GEN_DEBUG_MODE}" --result "NO" --color RED
+            Display --indent 2 --text "- ${GEN_DEBUG_MODE}" --result "${STATUS_NO}" --color RED
         fi
     fi
 #
@@ -941,7 +957,7 @@ ${NORMAL}
         RunPlugins 1
 
         if [ ${N_PLUGIN_ENABLED} -eq 0 ]; then
-            Display --indent 2 --text "- ${GEN_PLUGINS_ENABLED}" --result "NONE" --color WHITE
+            Display --indent 2 --text "- ${GEN_PLUGINS_ENABLED}" --result "${STATUS_NONE}" --color WHITE
             Report "plugins_enabled=0"
         else
             Report "plugins_enabled=1"
@@ -981,7 +997,7 @@ ${NORMAL}
             LogText "Info: perform tests from all categories"
 
             INCLUDE_TESTS="boot_services kernel memory_processes authentication shells \
-                           filesystems usb storage storage_nfs nameservices dns ports_packages networking printers_spools \
+                           filesystems usb storage storage_nfs nameservices dns ports_packages networking printers_spoolers \
                            mail_messaging firewalls webservers ssh snmp databases ldap php squid logging \
                            insecure_services banners scheduling accounting time crypto virtualization containers \
                            mac_frameworks file_integrity tooling malware file_permissions homedirs \
@@ -1001,8 +1017,8 @@ ${NORMAL}
                     LogText "Exception: skipping test category ${INCLUDE_TEST}, file ${INCLUDE_FILE} has bad permissions (should be 640, 600 or 400)"
                     ReportWarning "NONE" "Invalid permissions on tests file tests_${INCLUDE_TEST}"
                     # Insert a section and warn user also on screen
-                    InsertSection "General"
+                    InsertSection "${SECTION_GENERAL}"
-                    Display --indent 2 --text "- Running test category ${INCLUDE_TEST}... " --result "SKIPPED" --color RED
+                    Display --indent 2 --text "- Running test category ${INCLUDE_TEST}... " --result "${STATUS_SKIPPED}" --color RED
                 fi
             else
                 echo "Error: Can't find file (category: ${INCLUDE_TEST})"
@@ -1027,10 +1043,10 @@ ${NORMAL}
             else
                 LogText "Exception: skipping custom tests, file has bad permissions (should be 640, 600 or 400)"
                 ReportWarning "NONE" "Invalid permissions on custom tests file"
-                Display --indent 2 --text "- Running custom tests... " --result "WARNING" --color RED
+                Display --indent 2 --text "- Running custom tests... " --result "${STATUS_WARNING}" --color RED
             fi
         else
-            Display --indent 2 --text "- Running custom tests... " --result "NONE" --color WHITE
+            Display --indent 2 --text "- Running custom tests... " --result "${STATUS_NONE}" --color WHITE
         fi
     fi
 #
@@ -1063,7 +1079,7 @@ ${NORMAL}
     if [ ${SKIP_PLUGINS} -eq 0 ]; then
         RunPlugins 2
         if [ ${N_PLUGIN_ENABLED} -gt 1 ]; then
-            Display --indent 2 --text "- Plugins (phase 2)" --result "DONE" --color GREEN
+            Display --indent 2 --text "- Plugins (phase 2)" --result "${STATUS_DONE}" --color GREEN
         fi
     fi
 #
@@ -1133,4 +1149,4 @@ ${NORMAL}
 
 #
 #================================================================================
-# Lynis - Copyright 2007-2019, Michael Boelen, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2020, Michael Boelen, CISOfy - https://cisofy.com

lynis.8

@@ -1,4 +1,4 @@
-.TH Lynis 8 "4 Dec 2019" "1.31" "Unix System Administrator's Manual"
+.TH Lynis 8 "14 Feb 2020" "1.32" "Unix System Administrator's Manual"
 
 
 .SH "NAME"
@@ -91,6 +91,9 @@ Disable colored output.
 Redirect all logging information to /dev/null, prevents sensitive information to
 be written to disk.
 .TP
+.B \-\-no\-plugins
+Do not run any of the enabled plugins.
+.TP
 .B \-\-pentest
 Run a non-privileged scan, usually used for penetration testing. Some of the
 tests will be skipped if they require root permissions.
@@ -113,16 +116,13 @@ Provide an alternative name for report file.
 .B \-\-reverse\-colors
 Optimize screen output for light backgrounds.
 .TP
-.B \-\-skip\-plugins
-Do not run plugins.
-.TP
 .B \-\-tests TEST-IDs
 Only run the specific test(s). When using multiple tests, add quotes around the
 line.
 .TP
 .B \-\-tests\-from\-category "<category>"
 Tests are only performed if they belong to the defined category. Use the command
-'show categories' to determine all valid options.
+\ 'show categories' to determine all valid options.
 .TP
 .B \-\-tests\-from\-group "<group>"
 Similar to \-\-tests\-from\-category. Only perform tests from a particular group.

plugins/plugin_pam_phase1

@@ -6,12 +6,12 @@
 #-----------------------------------------------------
 # PLUGIN_AUTHOR=Michael Boelen <michael.boelen@cisofy.com>
 # PLUGIN_CATEGORY=authentication
-# PLUGIN_DATE=2019-07-26
+# PLUGIN_DATE=2020-03-21
 # PLUGIN_DESC=PAM
 # PLUGIN_NAME=pam
 # PLUGIN_PACKAGE=all
 # PLUGIN_REQUIRED_TESTS=
-# PLUGIN_VERSION=1.0.4
+# PLUGIN_VERSION=1.0.5
 #-----------------------------------------------------
 #########################################################################
 #
@@ -77,12 +77,12 @@
         if [ -d ${PAM_DIRECTORY} ]; then
             LogText "Result: ${PAM_DIRECTORY} exists"
             if [ ! "${OS}" = "FreeBSD" -a ! "${OS}" = "NetBSD" ]; then
-                FIND_FILES=$(find ${PAM_DIRECTORY} -not -name "*.pam-old" -type f -print)
+                FIND_FILES=$(find ${PAM_DIRECTORY} \! -name "*.pam-old" -type f -print)
             else
                 if [ -f ${PAM_DIRECTORY}/README ]; then
                     LogText "Skipped checking ${OS} ${PAM_DIRECTORY}/README as a PAM file"
                 fi
-                FIND_FILES=$(find ${PAM_DIRECTORY} -not -name "README" -not -name "*.pam-old" -type f -print)
+                FIND_FILES=$(find ${PAM_DIRECTORY} \! -name "README" \! -name "*.pam-old" -type f -print)
             fi
 
             for PAM_FILE in ${FIND_FILES}; do
@@ -96,7 +96,7 @@
                         PAM_CONTROL_OPTIONS="-"
                         PAM_MODULE="-"
                         PAM_MODULE_OPTIONS="-"
-                        PAM_TYPE=$(echo ${LINE} | awk '{ print $1 }')
+                        PAM_TYPE=$(echo ${LINE} | awk '{ print $1 }' | sed 's/^ *-//g')
                         PARSELINE=0
                         case ${PAM_TYPE} in
                             "@include")
@@ -271,6 +271,7 @@
                                 pam_securetty) ;;
                                 pam_securityserver) ;;
                                 pam_self) ;;
+                                pam_selinux) ;;
                                 pam_shells) ;;
                                 pam_skey) ;;
                                 pam_ssh)

plugins/plugin_systemd_phase1

@@ -1,27 +1,17 @@
 #!/bin/sh
 
-#########################################################################
-#
-# This component is part of Lynis Enterprise. No parts may be copied,
-# distributed or used without written permission of CISOfy. Users who
-# have an active license are permitted to use this component as part
-# of the service. This software component may only be used in combination
-# with Lynis and Lynis Enterprise.
-#
-# Copyright 2016, CISOfy - https://cisofy.com
-#
 #########################################################################
 #
 #    * DO NOT REMOVE *
 #-----------------------------------------------------
 # PLUGIN_AUTHOR=Michael Boelen <michael.boelen@cisofy.com>
 # PLUGIN_CATEGORY=essentials
-# PLUGIN_DATE=2017-04-30
+# PLUGIN_DATE=2020-03-23
 # PLUGIN_DESC=Tests related to systemd tooling
 # PLUGIN_NAME=systemd
 # PLUGIN_PACKAGE=community
 # PLUGIN_REQUIRED_TESTS=
-# PLUGIN_VERSION=1.0.2
+# PLUGIN_VERSION=1.0.4
 #-----------------------------------------------------
 #
 #########################################################################
@@ -36,7 +26,7 @@
 #
     # Test        : PLGN-3800
     # Description : Gather systemctl exit code
-    if [ ! "${SYSTEMCTLBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+    if [ -n "${SYSTEMCTLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
     Register --test-no PLGN-3800 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather systemctl exit code" --progress
     if [ ${SKIPTEST} -eq 0 ]; then
         FIND=$(${SYSTEMCTLBINARY} > /dev/null)
@@ -54,17 +44,17 @@
     # Description : Query systemd version and options
     # Notes       : version can also be gathered with systemctl show | grep ^Version=
     #               features with systemctl show | grep ^Features=
-    if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+    if [ -n "${SYSTEMCTLBINARY}" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
     Register --test-no PLGN-3802 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query systemd version and options" --progress
     if [ ${SKIPTEST} -eq 0 ]; then
         FIND=$(${SYSTEMCTLBINARY} --version 2> /dev/null | ${AWKBINARY} '{ if ($1=="systemd") { print $2 } }' | grep "^[1-9][0-9][0-9]$" | head -1)
-        if [ ! "${FIND}" = "" ]; then
+        if [ -n "${FIND}" ]; then
             SYSTEMD_VERSION=${FIND}
             Report "systemd_version=${FIND}"
             LogText "Result: found systemd version ${FIND}"
         fi
-        FIND=`${SYSTEMCTLBINARY} --version 2> /dev/null | grep "^[-+]" | sed 's/[[:space:]]/,/g' | head -1`
+        FIND=$(${SYSTEMCTLBINARY} --version 2> /dev/null | grep "^[-+]" | sed 's/[[:space:]]/,/g' | head -1)
-        if [ ! "${FIND}" = "" ]; then
+        if [ -n "${FIND}" ]; then
             Report "systemd_builtin_components=${FIND}"
             LogText "Result: found builtin components list"
         fi
@@ -74,11 +64,11 @@
 #
     # Test        : PLGN-3804
     # Description : Gather all systemd unit files
-    if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+    if [ -n "${SYSTEMCTLBINARY}" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
     Register --test-no PLGN-3804 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather systemd unit files and their status" --progress
     if [ ${SKIPTEST} -eq 0 ]; then
-        FIND=`${SYSTEMCTLBINARY} --no-legend list-unit-files 2> /dev/null | ${AWKBINARY} '{ print $1"|"$2"|" }'`
+        FIND=$(${SYSTEMCTLBINARY} --no-legend list-unit-files 2> /dev/null | ${AWKBINARY} '{ print $1"|"$2"|" }')
-        if [ ! "${FIND}" = "" ]; then
+        if [ -n "${FIND}" ]; then
             LogText "Result: found systemd unit files via systemctl list-unit-files"
             for I in ${FIND}; do
                 LogText "Output: ${I}"
@@ -91,11 +81,11 @@
 #
     # Test        : PLGN-3806
     # Description : Gather all failed systemd units
-    if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+    if [ -n "${SYSTEMCTLBINARY}" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
     Register --test-no PLGN-3806 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather failed systemd units" --progress
     if [ ${SKIPTEST} -eq 0 ]; then
-        FIND=`${SYSTEMCTLBINARY} --no-legend --state=failed 2> /dev/null | ${AWKBINARY} '{ if ($4=="failed" && $5=="failed") { print $2 } }'`
+        FIND=$(${SYSTEMCTLBINARY} --no-legend --state=failed 2> /dev/null | ${AWKBINARY} '{ if ($4=="failed" && $5=="failed") { print $2 } }')
-        if [ ! "${FIND}" = "" ]; then
+        if [ -n "${FIND}" ]; then
             LogText "Result: found systemd unit files via systemctl list-unit-files"
             for I in ${FIND}; do
                 LogText "Output: ${I}"
@@ -108,11 +98,11 @@
 #
     # Test        : PLGN-3808
     # Description : Gather machine ID
-    if [ -f /etc/machine-id -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+    if [ -f ${ROOTDIR}etc/machine-id -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
     Register --test-no PLGN-3808 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather systemd machine ID" --progress
     if [ ${SKIPTEST} -eq 0 ]; then
-        FIND=$(cat /etc/machine-id | head -1)
+        FIND=$(cat ${ROOTDIR}etc/machine-id | head -1)
-        if [ ! "${FIND}" = "" ]; then
+        if [ -n "${FIND}" ]; then
             SYSTEMD_MACHINEID="${FIND}"
             LogText "Result: found machine ID: ${SYSTEMD_MACHINEID}"
         fi
@@ -122,11 +112,11 @@
 #
     # Test        : PLGN-3810
     # Description : Query main systemd binaries
-    if [ ! "${FINDBINARY}" = "" -a -d /usr/lib/systemd -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+    if [ -n "${FINDBINARY}" -a -d /usr/lib/systemd -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
     Register --test-no PLGN-3810 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query main systemd binaries" --progress
     if [ ${SKIPTEST} -eq 0 ]; then
         FIND=$(${FINDBINARY} ${ROOTDIR}usr/lib/systemd -maxdepth 1 -type f -name "systemd-*" -printf "%f|")
-        if [ ! "${FIND}" = "" ]; then
+        if [ -n "${FIND}" ]; then
             Report "systemd_binaries=${FIND}"
             LogText "Result: found systemd binaries in /usr/lib/systemd"
         else
@@ -138,29 +128,29 @@
 #
     # Test        : PLGN-3812
     # Description : Query journal for boot related information
-    if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 -a ${SYSTEMD_VERSION} -ge 209 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+    if [ -n "${JOURNALCTLBINARY}" -a ${SYSTEMD_RUNNING} -eq 1 -a ${SYSTEMD_VERSION} -ge 209 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
     Register --test-no PLGN-3812 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query journal for boot related information" --progress
     if [ ${SKIPTEST} -eq 0 ]; then
         FIND=$(${JOURNALCTLBINARY} --list-boots | wc -l)
         LogText "Output: number of boots listed in journal is ${FIND}"
-        if [ ! "${FIND}" = "" ]; then Report "journal_bootlogs=${FIND}"; fi
+        if [ -n "${FIND}" ]; then Report "journal_bootlogs=${FIND}"; fi
         FIND=$(${JOURNALCTLBINARY} --list-boots | head -1 | awk '{ print $4 }')
         LogText "Output: oldest boot date in journal is ${FIND}"
-        if [ ! "${FIND}" = "" ]; then Report "journal_oldest_bootdate=${FIND}"; fi
+        if [ -n "${FIND}" ]; then Report "journal_oldest_bootdate=${FIND}"; fi
     fi
 #
 #################################################################################
 #
     # Test        : PLGN-3814
     # Description : Journal integrity
-    if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+    if [ -n "${JOURNALCTLBINARY}" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
     Register --test-no PLGN-3814 --preqs-met ${PREQS_MET} --weight L --network NO --description "Verify journal integrity" --progress
     if [ ${SKIPTEST} -eq 0 ]; then
         FIND=$(${JOURNALCTLBINARY} --verify 2>&1 | grep FAIL | sed 's/[[:space:]]/:space:/g')
-        if [ ! "${FIND}" = "" ]; then
+        if [ -n "${FIND}" ]; then
             Report "journal_contains_errors=1"
             for I in ${FIND}; do
-                LINE=`echo ${I} | sed 's/:space:/ /g'`
+                LINE=$(echo ${I} | sed 's/:space:/ /g')
                 LogText "Output (fails): ${LINE}"
             done
           else
@@ -173,10 +163,10 @@
 #
     # Test        : PLGN-3816
     # Description : Journal sizing
-    if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+    if [ -n "${JOURNALCTLBINARY}" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
     Register --test-no PLGN-3816 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query journal for boot related information" --progress
     if [ ${SKIPTEST} -eq 0 ]; then
-        FIND=`${JOURNALCTLBINARY} --disk-usage | awk '{ if ($1=="Journals") { print $4 }}'`
+        FIND=$(${JOURNALCTLBINARY} --disk-usage | awk '{ if ($1=="Journals") { print $4 } else if ($1=="Archived") { print $7 }}')
         Report "journal_disk_size=${FIND}"
         LogText "Result: journals are ${FIND} in size"
     fi
@@ -185,10 +175,10 @@
 #
     # Test        : PLGN-3818
     # Description : Journal meta data
-    if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+    if [ -n "${JOURNALCTLBINARY}" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
     Register --test-no PLGN-3818 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query journal meta data" --progress
     if [ ${SKIPTEST} -eq 0 ]; then
-        FIND=`${JOURNALCTLBINARY} --header | sed 's/^$/|/g' | tr '\n' ',' | sed 's/[[:space:]]//g'`
+        FIND=$(${JOURNALCTLBINARY} --header | sed 's/^$/|/g' | tr '\n' ',' | sed 's/[[:space:]]//g')
         Report "journal_meta_data=${FIND}"
     fi
 #
@@ -196,7 +186,7 @@
 #
     # Test        : PLGN-3820
     # Description : Journal FSS (Forward Secure Sealing) configuration
-    if [ ! "${JOURNALCTLBINARY}" = "" -a ! "${SYSTEMD_MACHINEID}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+    if [ -n "${JOURNALCTLBINARY}" -a -n "${SYSTEMD_MACHINEID}" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
     Register --test-no PLGN-3820 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for journal FSS configuration" --progress
     if [ ${SKIPTEST} -eq 0 ]; then
         FILE="/var/log/journal/${SYSTEMD_MACHINEID}/fss"
@@ -211,11 +201,11 @@
 #
     # Test        : PLGN-3830
     # Description : Query systemd status
-    if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 -a ${SYSTEMD_VERSION} -ge 215 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+    if [ -n "${SYSTEMCTLBINARY}" -a ${SYSTEMD_RUNNING} -eq 1 -a ${SYSTEMD_VERSION} -ge 215 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
     Register --test-no PLGN-3830 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query systemd status" --progress
     if [ ${SKIPTEST} -eq 0 ]; then
         FIND=$(${SYSTEMCTLBINARY} is-system-running 2> /dev/null | head -1)
-        if [ ! "${FIND}" = "" ]; then
+        if [ -n "${FIND}" ]; then
             Report "systemd_status=${FIND}"
             LogText "Result: found systemd status = ${FIND}"
         fi
@@ -228,8 +218,8 @@
     if [ ! "${SYSTEMCTLBINARY}" = "" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
     Register --test-no PLGN-3832 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query systemd status for processes which can not be found" --progress
     if [ ${SKIPTEST} -eq 0 ]; then
-        FIND=`${SYSTEMCTLBINARY} --no-legend --all --state=not-found 2> /dev/null | awk '{ print $1 }'`
+        FIND=$(${SYSTEMCTLBINARY} --no-legend --all --state=not-found 2> /dev/null | awk '{ print $1 }')
-        if [ ! "${FIND}" = "" ]; then
+        if [ -n "${FIND}" ]; then
             for I in ${FIND}; do
                 Report "systemd_unit_not_found[]=${I}"
             done
@@ -240,11 +230,11 @@
 #
     # Test        : PLGN-3834
     # Description : Gather units from systemd which can not be found
-    if [ ! "${SYSTEMCTLBINARY}" = "" -a ! "${AWKBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+    if [ -n "${SYSTEMCTLBINARY}" -a -n "${AWKBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
     Register --test-no PLGN-3834 --preqs-met ${PREQS_MET} --weight L --network NO --description "Collect service units which can not be found in systemd" --progress
     if [ ${SKIPTEST} -eq 0 ]; then
-        FIND=`${SYSTEMCTLBINARY} list-units -t service --all | ${AWKBINARY} '{ if ($3=="not-found") { print $2 }}'`
+        FIND=$(${SYSTEMCTLBINARY} list-units -t service --all | ${AWKBINARY} '{ if ($3=="not-found") { print $2 }}')
-        if [ ! "${FIND}" = "" ]; then
+        if [ -n "${FIND}" ]; then
             LogText "Result: found one or more services with faulty state"
             for I in ${FIND}; do
                 LogText "Result: service seems to be faulty (not-found) ${I}"
@@ -261,8 +251,8 @@
     Register --test-no PLGN-3856 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check if systemd-coredump is used" --progress
     if [ ${SKIPTEST} -eq 0 ]; then
         SYSTEMD_COREDUMP_USED=1
-        FIND=`cat /proc/sys/kernel/core_pattern | grep systemd-coredump`
+        FIND=$(cat /proc/sys/kernel/core_pattern | grep systemd-coredump)
-        if [ ! "${FIND}" = "" ]; then
+        if [ -n "${FIND}" ]; then
             LogText "Result: systemd uses systemd-coredump to handle coredumps"
             Report "systemd_coredump_used=1"
         fi
@@ -278,11 +268,11 @@
 #
     # Test        : PLGN-3860
     # Description : Query coredumps from journalctl since Yesterday
-    if [ ! "${JOURNALCTLBINARY}" = "" -a ${SYSTEMD_COREDUMP_USED} -eq 1 -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+    if [ -n "${JOURNALCTLBINARY}" -a ${SYSTEMD_COREDUMP_USED} -eq 1 -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
     Register --test-no PLGN-3860 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query coredumps from journals since Yesterday" --progress
     if [ ${SKIPTEST} -eq 0 ]; then
         FIND=$(${JOURNALCTLBINARY} SYSLOG_IDENTIFIER=systemd-coredump --since=yesterday -o cat 2> /dev/null)
-        if [ ! "${FIND}" = "" ]; then
+        if [ -n "${FIND}" ]; then
             Report "journal_coredumps_lastday=1"
             LogText "Result: found recent coredumps"
         else