Merge branch 'master' into add-suricata-ids-ips-test

CHANGELOG.md

@@ -3,7 +3,24 @@
 ## Lynis 3.0.2 (not released yet)
 
 ### Added
-- New test: TOOL-5130 - Check for active Suricata daemon
+- AUTH-9284 - Scan for locked user accounts in /etc/passwd
+- TOOL-5130 - Check for active Suricata daemon
+- Detection of Flatcar, Mageia, ROSA Linux, SLES (extended), Void Linux, Zorin OS
+- Alpine, macOS and Mageia EOL dates
+
+### Changed
+- KRNL-5830 - Improved reboot test by ignoring known bad values
+- KRNL-5830 - Ignore rescue kernel such as on CentOS systems
+- KRNL-5830 - Detection of Alpine Linux kernel
+- PKGS-7410 - Don't show exception if no kernels were found on the disk
+- TIME-3185 - Supports now checking files at multiple locations (systemd)
+- ParseNginx function: Support include on absolute paths
+- ParseNginx function: Ignore empty included wildcards
+- Set 'RHEL' as OS_NAME for Red Hat Enterprise Linux
+- French translation file improved and translations extended
+- Test if pgrep exists before using it
+- Better support for busybox shell
+- Small code enhancements
 
 ---------------------------------------------------------------------------------
 

db/languages/en

@@ -14,12 +14,55 @@ NOTE_EXCEPTIONS_FOUND="Exceptions found"
 NOTE_EXCEPTIONS_FOUND_DETAILED="Some exceptional events or information was found"
 NOTE_PLUGINS_TAKE_TIME="Note: plugins have more extensive tests and may take several minutes to complete"
 NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Skipped tests due to non-privileged mode"
+SECTION_ACCOUNTING="Accounting"
+SECTION_BANNERS_AND_IDENTIFICATION="Banners and identification"
+SECTION_BASICS="Basics"
+SECTION_BOOT_AND_SERVICES="Boot and services"
+SECTION_CONTAINERS="Containers"
+SECTION_CRYPTOGRAPHY="Cryptography"
 SECTION_CUSTOM_TESTS="Custom tests"
 SECTION_DATA_UPLOAD="Data upload"
+SECTION_DATABASES="Databases"
+SECTION_DOWNLOADS="Downloads"
+SECTION_EMAIL_AND_MESSAGING="Software: e-mail and messaging"
+SECTION_FILE_INTEGRITY="Software: file integrity"
+SECTION_FILE_PERMISSIONS="File Permissions"
+SECTION_FILE_SYSTEMS="File systems"
+SECTION_FIREWALLS="Software: firewalls"
+SECTION_GENERAL="General"
+SECTION_HARDENING="Hardening"
+SECTION_HOME_DIRECTORIES="Home directories"
+SECTION_IMAGE="Image"
 SECTION_INITIALIZING_PROGRAM="Initializing program"
-SECTION_MALWARE="Malware"
+SECTION_INSECURE_SERVICES="Insecure services"
+SECTION_KERNEL="Kernel"
+SECTION_KERNEL_HARDENING="Kernel Hardening"
+SECTION_LDAP_SERVICES="LDAP Services"
+SECTION_LOGGING_AND_FILES="Logging and files"
+SECTION_MALWARE="Software: Malware"
 SECTION_MEMORY_AND_PROCESSES="Memory and Processes"
+SECTION_NAME_SERVICES="Name services"
+SECTION_NETWORKING="Networking"
+SECTION_PERMISSIONS="Permissions"
+SECTION_PORTS_AND_PACKAGES="Ports and packages"
+SECTION_PRINTERS_AND_SPOOLS="Printers and Spools"
+SECTION_PROGRAM_DETAILS="Program Details"
+SECTION_SCHEDULED_TASKS="Scheduled tasks"
+SECTION_SECURITY_FRAMEWORKS="Security frameworks"
+SECTION_SHELLS="Shells"
+SECTION_SNMP_SUPPORT="SNMP Support"
+SECTION_SOFTWARE="Software"
+SECTION_SQUID_SUPPORT="Squid Support"
+SECTION_SSH_SUPPORT="SSH Support"
+SECTION_STORAGE="Storage"
+SECTION_SYSTEM_INTEGRITY="Software: System integrity"
+SECTION_SYSTEM_TOOLING="Software: System tooling"
 SECTION_SYSTEM_TOOLS="System tools"
+SECTION_TIME_AND_SYNCHRONIZATION="Time and Synchronization"
+SECTION_USB_DEVICES="USB Devices"
+SECTION_USERS_GROUPS_AND_AUTHENTICATION="Users, Groups and Authentication"
+SECTION_VIRTUALIZATION="Virtualization"
+SECTION_WEBSERVER="Software: webserver"
 STATUS_DISABLED="DISABLED"
 STATUS_DONE="DONE"
 STATUS_ENABLED="ENABLED"

db/languages/fr

@@ -1,38 +1,88 @@
+ERROR_NO_LICENSE="Pas de clé de licence configurée"
+ERROR_NO_UPLOAD_SERVER="Pas de serveur de transfert configuré"
 GEN_CHECKING="Vérification"
 GEN_CURRENT_VERSION="Version actuelle"
-GEN_DEBUG_MODE="mode debug"
+GEN_DEBUG_MODE="mode débug"
 GEN_INITIALIZE_PROGRAM="Initialisation"
+GEN_LATEST_VERSION="Dernière version"
 GEN_PHASE="phase"
 GEN_PLUGINS_ENABLED="Plugins activés"
-GEN_VERBOSE_MODE="mode verbeux"
 GEN_UPDATE_AVAILABLE="mise à jour disponible"
+GEN_VERBOSE_MODE="mode verbeux"
 GEN_WHAT_TO_DO="Que faire"
 NOTE_EXCEPTIONS_FOUND="Exceptions trouvées"
 NOTE_EXCEPTIONS_FOUND_DETAILED="Des événements ou informations exceptionnels ont été trouvés"
-NOTE_PLUGINS_TAKE_TIME="Note: les plugins ont des tests plus poussés et peuvent prendre plusieurs minutes"
+NOTE_PLUGINS_TAKE_TIME="Note : Les plugins ont des tests plus poussés qui peuvent prendre plusieurs minutes"
 NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Tests ignorés faute de privilèges"
-SECTION_CUSTOM_TESTS="Tests Personnalisés"
-SECTION_MALWARE="Malware"
-SECTION_MEMORY_AND_PROCESSES="Mémoire et Processus"
+SECTION_ACCOUNTING="Comptes"
+SECTION_BANNERS_AND_IDENTIFICATION="Bannières et identification"
+SECTION_BASICS="Basics"
+SECTION_BOOT_AND_SERVICES="Démarrage et services"
+SECTION_CONTAINERS="Conteneurs"
+SECTION_CRYPTOGRAPHY="Cryptographie"
+SECTION_CUSTOM_TESTS="Tests personnalisés"
+SECTION_DATA_UPLOAD="Téléchargement de données"
+SECTION_DATABASES="Bases de données"
+SECTION_DOWNLOADS="Téléchargements"
+SECTION_EMAIL_AND_MESSAGING="Logiciel : Email et messagerie"
+SECTION_FILE_INTEGRITY="Logiciel : Intégrité de fichier"
+SECTION_FILE_PERMISSIONS="Permissions de fichier"
+SECTION_FILE_SYSTEMS="Systèmes de fichier"
+SECTION_FIREWALLS="Logiciel : Pare-feux"
+SECTION_GENERAL="Général"
+SECTION_HARDENING="Hardening"
+SECTION_HOME_DIRECTORIES="Home directories"
+SECTION_IMAGE="Image"
+SECTION_INITIALIZING_PROGRAM="Initialisation du programme"
+SECTION_INSECURE_SERVICES="Services non sécurisés"
+SECTION_KERNEL="Noyau"
+SECTION_KERNEL_HARDENING="Kernel Hardening"
+SECTION_LDAP_SERVICES="Services LDAP"
+SECTION_LOGGING_AND_FILES="Journalisation et fichiers"
+SECTION_MALWARE="Logiciel : Malware"
+SECTION_MEMORY_AND_PROCESSES="Mémoire et processus"
+SECTION_NAME_SERVICES="Services de noms"
+SECTION_NETWORKING="Mise en réseau"
+SECTION_PERMISSIONS="Permissions"
+SECTION_PORTS_AND_PACKAGES="Ports et packages"
+SECTION_PRINTERS_AND_SPOOLS="Imprimantes et serveurs d'impression"
+SECTION_PROGRAM_DETAILS="Détails du programme"
+SECTION_SCHEDULED_TASKS="Tâches planifiées"
+SECTION_SECURITY_FRAMEWORKS="Security frameworks"
+SECTION_SHELLS="Shells"
+SECTION_SNMP_SUPPORT="Prise en charge SNMP"
+SECTION_SOFTWARE="Logiciel"
+SECTION_SQUID_SUPPORT="Prise en charge Squid"
+SECTION_SSH_SUPPORT="Prise en charge SSH"
+SECTION_STORAGE="Stockage"
+SECTION_SYSTEM_INTEGRITY="Logiciel : Intégrité du système"
+SECTION_SYSTEM_TOOLING="Logiciel : System tooling"
+SECTION_SYSTEM_TOOLS="Outils système"
+SECTION_TIME_AND_SYNCHRONIZATION="Heure et synchronisation"
+SECTION_USB_DEVICES="Périphériques USB"
+SECTION_USERS_GROUPS_AND_AUTHENTICATION="Utilisateurs, groupes et authentification"
+SECTION_VIRTUALIZATION="Virtualisation"
+SECTION_WEBSERVER="Logiciel : Serveur web"
+STATUS_DISABLED="DÉSACTIVÉ"
 STATUS_DONE="FAIT"
+STATUS_ENABLED="ACTIVÉ"
+STATUS_ERROR="ERREUR"
+STATUS_FAILED="ÉCHOUÉ"
 STATUS_FOUND="TROUVÉ"
-STATUS_YES="OUI"
 STATUS_NO="NON"
+STATUS_NONE="AUCUN"
+STATUS_NOT_CONFIGURED="NON CONFIGURÉ"
+STATUS_NOT_FOUND="NON TROUVÉ"
+STATUS_NOT_RUNNING="NON LANCÉ"
 STATUS_OFF="OFF"
 STATUS_OK="OK"
 STATUS_ON="ON"
-STATUS_NONE="AUCUN"
-STATUS_NOT_FOUND="NON TROUVÉ"
-STATUS_NOT_RUNNING="NON LANCÉ"
-STATUS_RUNNING="EN COURS":
+STATUS_RUNNING="EN COURS"
 STATUS_SKIPPED="IGNORÉ"
 STATUS_SUGGESTION="SUGGESTION"
 STATUS_UNKNOWN="INCONNU"
-STATUS_WARNING="ATTENTION"
-TEXT_YOU_CAN_HELP_LOGFILE="Vous pouvez aider en envoyant votre fichier journal"
+STATUS_WARNING="AVERTISSEMENT"
+STATUS_WEAK="FAIBLE"
+STATUS_YES="OUI"
 TEXT_UPDATE_AVAILABLE="Mise à jour disponible"
-STATUS_DISABLED="DÉSACTIVÉ"
-STATUS_ENABLED="ACTIVÉ"
-STATUS_ERROR="ERREUR"
-ERROR_NO_LICENSE="Pas de clé de licence configurée"
-ERROR_NO_UPLOAD_SERVER="Pas de serveur de transfert configuré"
+TEXT_YOU_CAN_HELP_LOGFILE="Vous pouvez aider en envoyant votre fichier journal"

db/languages/it

@@ -1,38 +1,48 @@
+ERROR_NO_LICENSE="Nessuna chiave di licenza configurata"
+ERROR_NO_UPLOAD_SERVER="Nessun server di upload configurato"
 GEN_CHECKING="Controllo"
 GEN_CURRENT_VERSION="Versione corrente"
 GEN_DEBUG_MODE="Modalità Debug"
 GEN_INITIALIZE_PROGRAM="Inizializzando il programma"
+GEN_LATEST_VERSION="Versione ultima"
 GEN_PHASE="fase"
 GEN_PLUGINS_ENABLED="Plugin abilitati"
-GEN_VERBOSE_MODE="Modalità Verbose"
 GEN_UPDATE_AVAILABLE="aggiornamento disponibile"
+GEN_VERBOSE_MODE="Modalità Verbose"
 GEN_WHAT_TO_DO="Cosa fare"
 NOTE_EXCEPTIONS_FOUND="Trovate Eccezioni"
 NOTE_EXCEPTIONS_FOUND_DETAILED="Sono stati rilevati alcuni eventi o informazioni eccezionali"
 NOTE_PLUGINS_TAKE_TIME="Nota: i plugin sono sottoposti a test più estesi e possono richiedere alcuni minuti per il completamento"
+NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Test saltati a causa della modalità di esecuzione non privilegiata"
 SECTION_CUSTOM_TESTS="Test su misura (Custom)"
+SECTION_DOWNLOADS="Scaricamenti"
+SECTION_GENERAL="Generale"
+SECTION_INITIALIZING_PROGRAM="Inizializzando il programma"
+SECTION_INSECURE_SERVICES="Service insicuri"
 SECTION_MALWARE="Malware"
 SECTION_MEMORY_AND_PROCESSES="Memoria e Processi"
+SECTION_STORAGE="Spazio di archiviazione"
+SECTION_TIME_AND_SYNCHRONIZATION="Tempo and Sincronizzazione"
+STATUS_DISABLED="DISABILITATO"
 STATUS_DONE="FATTO"
+STATUS_ENABLED="ABILITATO"
+STATUS_ERROR="ERRORE"
+STATUS_FAILED="FALLITO"
 STATUS_FOUND="TROVATO"
-STATUS_YES="SI"
 STATUS_NO="NO"
+STATUS_NONE="NESSUNO"
+STATUS_NOT_CONFIGURED="NON CONFIGURATO"
+STATUS_NOT_FOUND="NON TROVATO"
+STATUS_NOT_RUNNING="NON IN ESECUZIONE"
 STATUS_OFF="OFF"
 STATUS_OK="OK"
 STATUS_ON="ON"
-STATUS_NONE="NESSUNO"
-STATUS_NOT_FOUND="NON TROVATO"
-STATUS_NOT_RUNNING="NON IN ESECUZIONE"
 STATUS_RUNNING="IN ESECUZIONE"
 STATUS_SKIPPED="SALTATO"
 STATUS_SUGGESTION="SUGGERIMENTO"
 STATUS_UNKNOWN="SCONOSCIUTO"
 STATUS_WARNING="ATTENZIONE"
-TEXT_YOU_CAN_HELP_LOGFILE="Puoi aiutare fornendoci il tuo file di log"
+STATUS_WEAK="DEBOLE"
+STATUS_YES="SI"
 TEXT_UPDATE_AVAILABLE="aggiornamento disponibile"
-NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Test saltati a causa della modalità di esecuzione non privilegiata"
-STATUS_DISABLED="DISABILITATO"
-STATUS_ENABLED="ABILITATO"
-STATUS_ERROR="ERRORE"
-ERROR_NO_LICENSE="Nessuna chiave di licenza configurata"
-ERROR_NO_UPLOAD_SERVER="Nessun server di upload configurato"
+TEXT_YOU_CAN_HELP_LOGFILE="Puoi aiutare fornendoci il tuo file di log"

db/software-eol.db

@@ -14,6 +14,14 @@
 # For rolling releases or releases that do not (currently have an EOL date, leave field three empty and set field four to -1.
 # Full string for CentOS can be something like 'CentOS Linux 8 (Core)'. As this does not correctly match, shorter string is used for matching.
 #
+# Alpine - https://wiki.alpinelinux.org/wiki/Alpine_Linux:Releases
+#
+os:Alpine 3.12:2022-05-01:1651377600
+os:Alpine 3.11:2021-11-01:1635739200
+os:Alpine 3.10:2021-05-01:1619841600
+os:Alpine 3.9:2020-11-01:1604203200
+os:Alpine 3.8:2020-05-01:1588305600
+#
 # Amazon Linux
 #
 # Note: shortest entry is listed at end due to regular expression matching being used
@@ -68,6 +76,62 @@ os:Linux Mint 18:2021-04-01:1617228000:
 os:Linux Mint 19:2023-04-01:1680300000:
 os:Linux Mint 20:2025-04-01:1743458400:
 #
+# macOS - https://support.apple.com/en_US/downloads/macos and
+#         https://apple.stackexchange.com/a/282788 and
+#         https://en.wikipedia.org/wiki/Category:MacOS_versions
+#
+os:Mac OS X 10.0 \(Cheetah\):2002-09-18:1032300000:
+os:Mac OS X 10.1 \(Puma\):2003-11-10:1068418800:
+os:Mac OS X 10.2 \(Jaguar\):2005-05-16:1116194400:
+os:Mac OS X 10.3 \(Panther\):2007-11-15:1195081200:
+os:Mac OS X 10.4 \(Tiger\):2009-09-10:1252533600:
+os:Mac OS X 10.5 \(Leopard\):2011-06-23:1308780000:
+os:Mac OS X 10.6 \(Snow Leopard\):2013-12-16:1387148400:
+os:Mac OS X 10.7 \(Lion\):2014-11-17:1416178800:
+os:Mac OS X 10.8 \(Mountain Lion\):2015-10-21:1445378400:
+os:Mac OS X 10.9 \(Mavericks\):2016-10-24:1477260000:
+os:Mac OS X 10.10 \(Yosemite\):2017-10-31:1509404400:
+os:Mac OS X 10.11 \(El Capitan\):2018-10-30:1540854000:
+os:macOS Sierra \(10.12\):2016-10-24:1477260000:
+os:macOS Sierra \(10.12.1\):2016-12-13:1481583600:
+os:macOS Sierra \(10.12.2\):2017-01-23:1485126000:
+os:macOS Sierra \(10.12.3\):2017-03-27:1490565600:
+os:macOS Sierra \(10.12.4\):2017-05-15:1494799200:
+os:macOS Sierra \(10.12.5\):2017-07-19:1500415200:
+os:macOS Sierra \(10.12.6\):2019-10-29:1572303600:
+os:macOS High Sierra \(10.13\):2017-10-31:1509404400:
+os:macOS High Sierra \(10.13.1\):2017-12-06:1512514800:
+os:macOS High Sierra \(10.13.2\):2018-01-23:1516662000:
+os:macOS High Sierra \(10.13.3\):2018-03-29:1522274400:
+os:macOS High Sierra \(10.13.4\):2018-06-01:1527804000:
+os:macOS High Sierra \(10.13.5\):2018-07-09:1531087200:
+os:macOS High Sierra \(10.13.6\)::-1:
+os:macOS Mojave \(10.14\):2018-10-30:1540854000:
+os:macOS Mojave \(10.14.1\):2018-12-05:1543964400:
+os:macOS Mojave \(10.14.2\):2019-01-22:1548111600:
+os:macOS Mojave \(10.14.3\):2019-03-25:1553468400:
+os:macOS Mojave \(10.14.4\):2019-05-13:1557698400:
+os:macOS Mojave \(10.14.5\):2019-07-22:1563746400:
+os:macOS Mojave \(10.14.6\)::-1:
+os:macOS Catalina \(10.15\):2019-10-29:1572303600:
+os:macOS Catalina \(10.15.1\):2019-12-10:1575932400:
+os:macOS Catalina \(10.15.2\):2020-01-28:1580166000:
+os:macOS Catalina \(10.15.3\):2020-03-24:1585004400:
+os:macOS Catalina \(10.15.4\):2020-05-26:1590444000:
+os:macOS Catalina \(10.15.5\):2020-07-15:1594764000:
+os:macOS Catalina \(10.15.6\):2020-09-24:1600898400:
+os:macOS Catalina \(10.15.7\)::-1:
+#
+# Mageia - https://www.mageia.org/en/support/
+#
+os:Mageia 1:2012-12-01:1354316400
+os:Mageia 2:2013-11-22:1385074800
+os:Mageia 3:2014-11-26:1416956400
+os:Mageia 4:2015-09-19:1442613600
+os:Mageia 5:2017-12-31:1514674800
+os:Mageia 6:2019-09-30:1569794400
+os:Mageia 7:2020-12-30:1609282800
+#
 # NetBSD - https://www.netbsd.org/support/security/release.html and
 #          https://www.netbsd.org/releases/formal.html
 #

db/tests.db

@@ -37,6 +37,7 @@ AUTH-9268:test:security:authentication::Checking presence pam.d files:
 AUTH-9278:test:security:authentication::Checking LDAP pam status:
 AUTH-9282:test:security:authentication::Checking password protected account without expire date:
 AUTH-9283:test:security:authentication::Checking accounts without password:
+AUTH-9284:test:security:authentication::Checking locked user accounts in /etc/passwd:
 AUTH-9286:test:security:authentication::Checking user password aging:
 AUTH-9288:test:security:authentication::Checking for expired passwords:
 AUTH-9304:test:security:authentication:Solaris:Check single user login configuration:

include/binaries

@@ -30,7 +30,7 @@
 #################################################################################
 #
     if [ ${CHECK_BINARIES} -eq 1 ]; then
-        InsertSection "System Tools"
+        InsertSection "${SECTION_SYSTEM_TOOLS}"
         Display --indent 2 --text "- Scanning available tools..."
         LogText "Start scanning for available audit binaries and tools..."
 
@@ -287,6 +287,7 @@
                             suricata)               SURICATABINARY="${BINARY}";        LogText "  Found known binary: suricata (IDS) - ${BINARY}" ;;
                             swapon)                 SWAPONBINARY="${BINARY}";          LogText "  Found known binary: swapon (swap device tool) - ${BINARY}" ;;
                             swupd)                  SWUPDBINARY="${BINARY}";           LogText "  Found known binary: swupd (package manager) - ${BINARY}" ;;
+                            synoavd)                SYNOAVDBINARY=${BINARY};           LogText "  Found known binary: synoavd (Synology AV scanner) - ${BINARY}" ;;
                             sysctl)                 SYSCTLBINARY="${BINARY}";          LogText "  Found known binary: sysctl (kernel parameters) - ${BINARY}" ;;
                             syslog-ng)              SYSLOGNGBINARY="${BINARY}";        SYSLOGNGVERSION=$(${BINARY} -V 2>&1 | grep "^syslog-ng" | awk '{ print $2 }'); LogText "Found ${BINARY} (version ${SYSLOGNGVERSION})" ;;
                             systemctl)              SYSTEMCTLBINARY="${BINARY}";       LogText "  Found known binary: systemctl (client to systemd) - ${BINARY}" ;;

include/consts

@@ -58,6 +58,7 @@ ETC_PATHS="/etc /usr/local/etc"
     APPLICATION_FIREWALL_ACTIVE=0
     BINARY_SCAN_FINISHED=0
     BLKIDBINARY=""
+    BOOTCTLBINARY=""
     CAT_BINARY=""
     CFAGENTBINARY=""
     CHECK=0
@@ -81,6 +82,7 @@ ETC_PATHS="/etc /usr/local/etc"
     CONTROL_URL_PROTOCOL=""
     CONTAINER_TYPE=""
     CREATE_REPORT_FILE=1
+    CRYPTSETUPBINARY=""
     CSUMBINARY=""
     CURRENT_TS=0
     CUSTOM_URL_APPEND=""
@@ -99,12 +101,14 @@ ETC_PATHS="/etc /usr/local/etc"
     DISCOVERED_BINARIES=""
     DMIDECODEBINARY=""
     DNFBINARY=""
+    DNSDOMAINNAMEBINARY=""
     DOCKERBINARY=""
     DOCKER_DAEMON_RUNNING=0
     DPKGBINARY=""
     ECHOCMD=""
     ERROR_ON_WARNINGS=0
     EQUERYBINARY=""
+    EVMCTLBINARY=""
     EXIMBINARY=""
     FAIL2BANBINARY=""
     FILEBINARY=""
@@ -130,6 +134,7 @@ ETC_PATHS="/etc /usr/local/etc"
     HTTPDBINARY=""
     IDS_IPS_TOOL_FOUND=0
     IFCONFIGBINARY=""
+    INTEGRITYSETUPBINARY=""
     IPBINARY=""
     IPFBINARY=""
     IPTABLESBINARY=""
@@ -148,6 +153,7 @@ ETC_PATHS="/etc /usr/local/etc"
     LOGDIR=""
     LOGROTATEBINARY=""
     LOGTEXT=1
+    LSBLKBINARY=""
     LSMODBINARY=""
     LSOFBINARY=""
     LSOF_EXTRA_OPTIONS=""
@@ -191,6 +197,7 @@ ETC_PATHS="/etc /usr/local/etc"
     NGINX_RETURN_FOUND=0
     NGINX_ROOT_FOUND=0
     NGINX_WEAK_SSL_PROTOCOL_FOUND=0
+    NTPCTLBINARY=""
     NTPD_ROLE=""
     NTPQBINARY=""
     OPENSSLBINARY=""
@@ -204,6 +211,7 @@ ETC_PATHS="/etc /usr/local/etc"
     OS_REDHAT_OR_CLONE=0
     OSIRISBINARY=""
     PACMANBINARY=""
+    PAM_PASSWORD_PWHISTORY_AMOUNT=""
     PASSWORD_MAXIMUM_DAYS=-1
     PASSWORD_MINIMUM_DAYS=-1
     PAM_2F_AUTH_ENABLED=0
@@ -238,6 +246,7 @@ ETC_PATHS="/etc /usr/local/etc"
     REFRESH_REPOSITORIES=1
     REMOTE_LOGGING_ENABLED=0
     RESOLV_DOMAINNAME=""
+    RESOLVECTLBINARY=""
     RKHUNTERBINARY=""
     ROOTDIR="/"
     ROOTSHBINARY=""
@@ -276,6 +285,7 @@ ETC_PATHS="/etc /usr/local/etc"
     SLOW_TEST_THRESHOLD=10
     SMTPCTLBINARY=""
     SNORTBINARY=""
+    SSBINARY=""
     SSHKEYSCANBINARY=""
     SSHKEYSCANFOUND=0
     SSL_CERTIFICATE_INCLUDE_PACKAGES=0
@@ -285,6 +295,7 @@ ETC_PATHS="/etc /usr/local/etc"
     SWUPDBINARY=""
     SYSLOGNGBINARY=""
     SYSTEMCTLBINARY=""
+    SYSTEMDANALYZEBINARY=""
     SYSTEM_IS_NOTEBOOK=255
     TEMP_FILE=""
     TEMP_FILES=""
@@ -294,6 +305,7 @@ ETC_PATHS="/etc /usr/local/etc"
     TEST_GROUP_TO_CHECK="all"
     TESTS_EXECUTED=""
     TESTS_SKIPPED=""
+    TIMEDATECTL=""
     TMPFILE=""
     TOMOYOINITBINARY=""
     TOOLTIP_SHOWED=0
@@ -319,6 +331,7 @@ ETC_PATHS="/etc /usr/local/etc"
     USBGUARD_ROOT=""
     VALUE=""
     VERBOSE=0
+    VERITYSETUPBINARY=""
     VGDISPLAYBINARY=""
     VMTYPE=""
     VULNERABLE_PACKAGES_FOUND=0

include/functions

@@ -1547,8 +1547,7 @@
 
         if [ -z "${search}" ]; then ExitFatal "Missing process to search for when using IsRunning function"; fi
         RUNNING=0
-        # AIX does not fully support pgrep options, so using ps instead
-        if [ "${OS}" != "AIX" ]; then
+        if [ -x "${PGREPBINARY}" ] && [ "${OS}" != "AIX" ]; then
             # When --user is used, perform a search using the -u option
             # Initialize users for strict mode
             if [ -n "${users:-}" ]; then
@@ -2180,7 +2179,8 @@
         for I in ${FIND}; do
             I=$(echo ${I} | sed 's/:space:/ /g' | sed 's/;$//' | sed 's/ #.*$//')
             OPTION=$(echo ${I} | awk '{ print $1 }')
-            VALUE=$(echo ${I}| cut -d' ' -f2-)
+            # Use quotes here to prevent wildcard expansion
+            VALUE=$(echo "${I}"| cut -d' ' -f2-)
             LogText "Result: found option ${OPTION} in ${CONFIG_FILE} with value '${VALUE}'"
             STORE_SETTING=1
             case ${OPTION} in
@@ -2303,9 +2303,25 @@
                         done
                         if [ ${FOUND} -eq 0 ]; then NGINX_CONF_FILES_ADDITIONS="${NGINX_CONF_FILES_ADDITIONS} ${VALUE}"; fi
                     # Check for additional config files included as follows
-                    # "include sites-enabled/*.conf"
-                    elif [ $(echo ${VALUE} | grep -F -c "*.conf") -gt 0 ]; then
-                        for FOUND_CONF in $(ls ${CONFIG_FILE%nginx.conf}${VALUE%;*}); do
+                    # "include sites-enabled/*.conf" (relative path)
+                    # "include /etc/nginx/sites-enabled/*.conf" (absolute path)
+                    elif [ $(echo "${VALUE}" | grep -F -c "*.conf") -gt 0 ]; then
+                        # Check if path is absolute or relative
+                        case $VALUE in
+                            /*)
+                                # Absolute path, so wildcard pattern is already correct
+                                CONF_WILDCARD=${VALUE%;*}
+                            ;;
+                            *)
+                                # Relative path, so construct absolute path for wildcard pattern
+                                CONF_WILDCARD=${CONFIG_FILE%nginx.conf}${VALUE%;*}
+                            ;;
+                        esac
+                        for FOUND_CONF in ${CONF_WILDCARD}; do
+                            if [ "${FOUND_CONF}" = "${CONF_WILDCARD}" ]; then
+                                LogText "Found no match for wildcard pattern: ${CONF_WILDCARD}"
+                                break
+                            fi
                             FOUND=0
                             for CONF in ${NGINX_CONF_FILES}; do
                                 if [ "${CONF}" = "${FOUND_CONF}" ]; then FOUND=1; LogText "Found this file already in our configuration files array, not adding to queue"; fi

include/helper_audit_dockerfile

@@ -44,7 +44,7 @@ fi
 ##################################################################################################
 #
 
-    InsertSection "Image"
+    InsertSection "${SECTION_IMAGE}"
 
     PKGMGR=""
     FIND=$(grep "^FROM" ${AUDIT_FILE} | sed 's/ /:space:/g')
@@ -93,7 +93,7 @@ fi
 #
 ##################################################################################################
 #
-    InsertSection "Basics"
+    InsertSection "${SECTION_BASICS}"
 
     MAINTAINER=$(grep -E -i "*MAINTAINER" ${AUDIT_FILE} | sed 's/=/ /g' | cut -d'"' -f 2)
     if [ -z "${MAINTAINER}" ]; then
@@ -127,7 +127,7 @@ fi
 #
 ##################################################################################################
 #
-    InsertSection "Software"
+    InsertSection "${SECTION_SOFTWARE}"
 
     case $PKGMGR in
     "apt")
@@ -166,7 +166,7 @@ fi
 #
 ##################################################################################################
 #
-    InsertSection "Downloads"
+    InsertSection "${SECTION_DOWNLOADS}"
 
     FILE_DOWNLOAD=0
 
@@ -217,7 +217,7 @@ fi
 #
 ##################################################################################################
 #
-    InsertSection "Permissions"
+    InsertSection "${SECTION_PERMISSIONS}"
 
     FIND=$(grep -i "chmod 777" ${AUDIT_FILE})
     if HasData "${FIND}"; then

include/osdetection

@@ -196,6 +196,12 @@
                             OS_REDHAT_OR_CLONE=1
                             OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
                         ;;
+                        "flatcar")
+                            LINUX_VERSION="Flatcar"
+                            LINUX_VERSION_LIKE="CoreOS"
+                            OS_NAME="Flatcar Linux"
+                            OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                        ;;
                         "gentoo")
                             LINUX_VERSION="Gentoo"
                             OS_NAME="Gentoo Linux"
@@ -212,6 +218,12 @@
                             OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
                             OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
                         ;;
+                        "mageia")
+                            LINUX_VERSION="Mageia"
+                            OS_NAME="Mageia"
+                            OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                            OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                        ;;
                         "manjaro")
                             LINUX_VERSION="Manjaro"
                             OS_FULLNAME="Manjaro Linux"
@@ -255,24 +267,47 @@
                         ;;
                         "rhel")
                             LINUX_VERSION="RHEL"
-                            OS_NAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                            OS_NAME="RHEL"
                             OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
                             OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
                             OS_FULLNAME="${OS_NAME} ${OS_VERSION_FULL}"
                             OS_REDHAT_OR_CLONE=1
                         ;;
+                        "rosa")
+                            LINUX_VERSION="ROSA Linux"
+                            OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                            OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                            OS_NAME="ROSA Linux"
+                        ;;
                         "slackware")
                             LINUX_VERSION="Slackware"
                             OS_NAME="Slackware Linux"
                             OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
                             OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
                         ;;
+                        "sles")
+                            LINUX_VERSION="SLES"
+                            OS_NAME="openSUSE"
+                            OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                            OS_VERSION_FULL=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                        ;;
                         "ubuntu")
                             LINUX_VERSION="Ubuntu"
                             OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
                             OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
                             OS_NAME="Ubuntu"
                         ;;
+                        "void")
+                            LINUX_VERSION="Void Linux"
+                            OS_VERSION="Rolling release"
+                            OS_NAME="Void Linux"
+                        ;;
+                        "zorin")
+                            LINUX_VERSION="Zorin OS"
+                            OS_NAME="Zorin OS"
+                            OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                            OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                        ;;
                         *)
                             ReportException "OS Detection" "Unknown OS found in /etc/os-release - Please create issue on GitHub project page: ${PROGRAM_SOURCE}"
                         ;;
@@ -384,13 +419,6 @@
                     LINUX_VERSION="Fedora"
                 fi
 
-                # Mageia (has also /etc/megaia-release)
-                FIND=$(grep "Mageia" /etc/redhat-release)
-                if [ ! "${FIND}" = "" ]; then
-                    OS_FULLNAME=$(grep "^Mageia" /etc/redhat-release)
-                    OS_VERSION=$(grep "^Mageia" /etc/redhat-release | awk '{ if ($2=="release") { print $3 } }')
-                    LINUX_VERSION="Mageia"
-                fi
 
                 # Oracle Enterprise Linux
                 FIND=$(grep "Enterprise Linux Enterprise Linux Server" /etc/redhat-release)

include/tests_accounting

@@ -18,7 +18,7 @@
 #
 #################################################################################
 #
-    InsertSection "Accounting"
+    InsertSection "${SECTION_ACCOUNTING}"
 #
 #################################################################################
 #

include/tests_authentication

@@ -31,7 +31,7 @@
 #
 #################################################################################
 #
-    InsertSection "Users, Groups and Authentication"
+    InsertSection "${SECTION_USERS_GROUPS_AND_AUTHENTICATION}"
 
     # Test        : AUTH-9204
     # Description : Check users with UID zero (0)
@@ -859,23 +859,27 @@
                     PREQS_MET="YES"
                     FIND_P=$(passwd -a -S 2> /dev/null | ${AWKBINARY} '{ if ($2=="P" && $5=="99999") print $1 }')
                     FIND2=$(passwd -a -S 2> /dev/null | ${AWKBINARY} '{ if ($2=="NP") print $1 }')
+                    FIND3=$(passwd -a -S 2> /dev/null | ${AWKBINARY} '{ if ($2=="L") print $1 }' | sort | uniq)
                     ;;
                 *)
                     PREQS_MET="YES"
                     FIND_P=$(passwd --all --status 2> /dev/null | ${AWKBINARY} '{ if ($2=="P" && $5=="99999") print $1 }')
                     FIND2=$(passwd --all --status 2> /dev/null | ${AWKBINARY} '{ if ($2=="NP") print $1 }')
+                    FIND3=$(passwd --all --status 2> /dev/null | ${AWKBINARY} '{ if ($2=="L") print $1 }' | sort | uniq)
                     ;;
             esac
         elif [ "${OS_REDHAT_OR_CLONE}" -eq 1 ]; then
             PREQS_MET="YES"
             FIND_P=$(for I in $(${AWKBINARY} -F: '{print $1}' "${ROOTDIR}etc/passwd") ; do passwd -S "$I" | ${AWKBINARY} '{ if ($2=="PS" && $5=="99999") print $1 }' ; done)
             FIND2=$(for I in $(${AWKBINARY} -F: '{print $1}' "${ROOTDIR}etc/passwd") ; do passwd -S "$I" | ${AWKBINARY} '{ if ($2=="NP") print $1 }' ; done)
+            FIND3=$(for I in $(${AWKBINARY} -F: '{print $1}' "${ROOTDIR}etc/passwd") ; do passwd -S "$I" | ${AWKBINARY} '{ if ($2=="L" || $2=="LK") print $1 }' | sort | uniq ; done)
         else
             LogText "Result: skipping test for this Linux version"
             ReportManual "AUTH-9282:01"
             PREQS_MET="NO"
             FIND_P=""
             FIND2=""
+            FIND3=""
         fi
      else
         PREQS_MET="NO"
@@ -921,6 +925,36 @@
     fi
 #
 #################################################################################
+#
+    # Test        : AUTH-9284
+    # Description : Check locked user accounts in /etc/passwd
+    Register --test-no AUTH-9284 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check locked user accounts in /etc/passwd"
+    if [ "${SKIPTEST}" -eq 0 ]; then
+        LogText "Test: Checking locked accounts"
+        NON_SYSTEM_ACCOUNTS=$(${AWKBINARY} -F : '$3 > 999 && $3 != 65534 {print $1}' /etc/passwd | sort | uniq)
+        LOCKED_NON_SYSTEM_ACCOUNTS=0
+        for account in ${FIND3};do
+            if echo "${NON_SYSTEM_ACCOUNTS}" | grep -w "${account}" > /dev/null ; then
+                LOCKED_NON_SYSTEM_ACCOUNTS=$((LOCKED_NON_SYSTEM_ACCOUNTS+1))
+            fi
+        done
+        if [ $LOCKED_NON_SYSTEM_ACCOUNTS -eq 0 ]; then
+            LogText "Result: all accounts seem to be unlocked"
+            Display --indent 2 --text "- Locked accounts" --result "${STATUS_OK}" --color GREEN
+        else
+            LogText "Result: found one or more locked accounts"
+            for account in ${FIND3}; do
+                if echo "${NON_SYSTEM_ACCOUNTS}" | grep -w "${account}" > /dev/null ; then
+                    LogText "Locked account: ${account}"
+                    Report "locked_account[]=${account}"
+                fi
+            done
+            Display --indent 2 --text "- Locked accounts" --result "${STATUS_WARNING}" --color RED
+            ReportSuggestion "${TEST_NO}" "Look at the locked accounts and consider removing them"
+        fi
+    fi
+#
+#################################################################################
 #
     # Test        : AUTH-9286
     # Description : Check user password aging

include/tests_banners

@@ -22,7 +22,7 @@
 #
 #################################################################################
 #
-    InsertSection "Banners and identification"
+    InsertSection "${SECTION_BANNERS_AND_IDENTIFICATION}"
 #
 #################################################################################
 #

include/tests_boot_services

@@ -22,7 +22,7 @@
 #
 #################################################################################
 #
-    InsertSection "Boot and services"
+    InsertSection "${SECTION_BOOT_AND_SERVICES}"
 #
 #################################################################################
 #

include/tests_containers

@@ -22,7 +22,7 @@
 #
 #################################################################################
 #
-    InsertSection "Containers"
+    InsertSection "${SECTION_CONTAINERS}"
 #
 #################################################################################
 #

include/tests_crypto

@@ -26,7 +26,7 @@
 #
 #################################################################################
 #
-    InsertSection "Cryptography"
+    InsertSection "${SECTION_CRYPTOGRAPHY}"
 #
 #################################################################################
 #
@@ -245,7 +245,7 @@
     if [ ${SKIPTEST} -eq 0 ]; then
         LogText "Test: looking for ${ROOTDIR}sys/class/misc/hw_random/rng_current"
         if [ -f "${ROOTDIR}sys/class/misc/hw_random/rng_current" ]; then
-            DATA=$(${HEADBINARY} --lines=1 ${ROOTDIR}sys/class/misc/hw_random/rng_current | ${TRBINARY} -d '[[:cntrl:]]')
+            DATA=$(${HEADBINARY} -n 1 ${ROOTDIR}sys/class/misc/hw_random/rng_current | ${TRBINARY} -d '[[:cntrl:]]')
             if [ "${DATA}" != "none" ]; then
                 LogText "Result: positive match, found RNG: ${DATA}"
                 if IsRunning "rngd"; then

include/tests_databases

@@ -39,7 +39,7 @@
 #
 #################################################################################
 #
-    InsertSection "Databases"
+    InsertSection "${SECTION_DATABASES}"
 
     # Test        : DBS-1804
     # Description : Check if MySQL is being used

include/tests_file_integrity

@@ -25,7 +25,7 @@
 #
 #################################################################################
 #
-    InsertSection "Software: file integrity"
+    InsertSection "${SECTION_FILE_INTEGRITY}"
     Display --indent 2 --text "- Checking file integrity tools"
 #
 #################################################################################

include/tests_file_permissions

@@ -22,7 +22,7 @@
 #
 #################################################################################
 #
-    InsertSection "File Permissions"
+    InsertSection "${SECTION_FILE_PERMISSIONS}"
 #
 #################################################################################
 #

include/tests_filesystems

@@ -28,7 +28,7 @@
 #
 #################################################################################
 #
-    InsertSection "File systems"
+    InsertSection "${SECTION_FILE_SYSTEMS}"
 #
 #################################################################################
 #
@@ -629,11 +629,11 @@
                 fi
             done
         fi
-        NMOUNTS=$(mount | ${WCBINARY} --lines)
-        NDEVMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v nodev | ${WCBINARY} --lines)
-        NEXECMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v noexec | ${WCBINARY} --lines)
-        NSUIDMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v nosuid | ${WCBINARY} --lines)
-        NWRITEANDEXECMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v noexec | ${EGREPBINARY} -v '^\(ro[,)]' | ${WCBINARY} --lines)
+        NMOUNTS=$(mount | ${WCBINARY} -l)
+        NDEVMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v nodev | ${WCBINARY} -l)
+        NEXECMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v noexec | ${WCBINARY} -l)
+        NSUIDMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v nosuid | ${WCBINARY} -l)
+        NWRITEANDEXECMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v noexec | ${EGREPBINARY} -v '^\(ro[,)]' | ${WCBINARY} -l)
         LogText "Result: Total without nodev:${NDEVMOUNTS} noexec:${NEXECMOUNTS} nosuid:${NSUIDMOUNTS} ro or noexec (W^X): ${NWRITEANDEXECMOUNTS}, of total ${NMOUNTS}"
         Display --indent 2 --text "- Total without nodev:${NDEVMOUNTS} noexec:${NEXECMOUNTS} nosuid:${NSUIDMOUNTS} ro or noexec (W^X): ${NWRITEANDEXECMOUNTS} of total ${NMOUNTS}"
     fi

include/tests_firewalls

@@ -22,7 +22,7 @@
 #
 #################################################################################
 #
-    InsertSection "Software: firewalls"
+    InsertSection "${SECTION_FIREWALLS}"
 #
 #################################################################################
 #

include/tests_hardening

@@ -18,7 +18,7 @@
 #
 #################################################################################
 #
-    InsertSection "Hardening"
+    InsertSection "${SECTION_HARDENING}"
 
     # COMPILER_INSTALLED is initialized before
     HARDEN_COMPILERS_NEEDED=0

include/tests_homedirs

@@ -22,7 +22,7 @@
 #
 #################################################################################
 #
-    InsertSection "Home directories"
+    InsertSection "${SECTION_HOME_DIRECTORIES}"
 #
 #################################################################################
 #

include/tests_insecure_services

@@ -22,7 +22,7 @@
 #
 #################################################################################
 #
-    InsertSection "Insecure services"
+    InsertSection "${SECTION_INSECURE_SERVICES}"
 #
 #################################################################################
 #

include/tests_kernel

@@ -22,7 +22,7 @@
 #
 #################################################################################
 #
-    InsertSection "Kernel"
+    InsertSection "${SECTION_KERNEL}"
 #
 #################################################################################
 #
@@ -664,9 +664,13 @@
                     elif [ -f ${ROOTDIR}boot/vmlinuz-linux-lts ]; then
                         LogText "Result: found ${ROOTDIR}boot/vmlinuz-linux-lts"
                         FOUND_VMLINUZ=${ROOTDIR}boot/vmlinuz-linux-lts
+                    elif [ -f ${ROOTDIR}boot/vmlinuz-lts ]; then
+                        LogText "Result: found ${ROOTDIR}boot/vmlinuz-lts"
+                        FOUND_VMLINUZ=${ROOTDIR}boot/vmlinuz-lts
                     else
-                        # Match on /boot/vm5.3.7 or /boot/vmlinuz-5.3.7-1-default
-                        FOUND_VMLINUZ=$(${LSBINARY} -t ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${HEADBINARY} -1)
+                        # Match on items like /boot/vm5.3.7 or /boot/vmlinuz-5.3.7-1-default. Get newest file (ls -t and pipe into head)
+                        # Note: ignore a rescue kernel (e.g. CentOS)
+                        FOUND_VMLINUZ=$(${LSBINARY} -t ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${GREPBINARY} -v '\-rescue\-' | ${HEADBINARY} -1)
                         LogText "Result: found ${FOUND_VMLINUZ}"
                     fi
 
@@ -678,10 +682,21 @@
                         VERSION_ON_DISK=$(echo ${FOUND_VMLINUZ} | ${SEDBINARY} 's#^/boot/##' | ${SEDBINARY} 's/^vmlinuz-//')
                         LogText "Result: version derived from file name is '${VERSION_ON_DISK}'"
                     elif [ -f "${FOUND_VMLINUZ}" ]; then
-                        VERSION_ON_DISK=$(echo ${FOUND_VMLINUZ} | ${SEDBINARY} 's#^/boot/##' | ${SEDBINARY} 's/^vmlinuz-//')
+                        VERSION_ON_DISK=$(echo ${FOUND_VMLINUZ} | ${SEDBINARY} 's#^/boot/##' | ${SEDBINARY} 's/^vmlinuz-//' | ${SEDBINARY} '$s/-\?\(linux\)\?-\?\(lts\)\?//')
                         LogText "Result: version derived from file name is '${VERSION_ON_DISK}'"
+
                     fi
 
+                    # Data check: perform reset if we found a version but looks incomplete
+                    # Example: Arch Linux will return only 'linux' as its version after it discovered /boot/vmlinuz-linux
+                    case ${VERSION_ON_DISK} in
+                        "linux" | "linux-lts")
+                            LogText "Result: reset of version (${VERSION_ON_DISK}) as it looks incomplete"
+                            VERSION_ON_DISK=""
+                        ;;
+                    esac
+
+                    # If we did not find the version yet, see if we can extract it from the magic data that 'file' returns
                     if [ -z "${VERSION_ON_DISK}" ]; then
                         LogText "Test: checking kernel version on disk"
                         NEXTLINE=0
@@ -697,6 +712,7 @@
                         done
                     fi
 
+                    # Last check if we finally got a version or not
                     if [ -z "${VERSION_ON_DISK}" ]; then
                         LogText "Result: could not find the version on disk"
                         ReportException "${TEST_NO}:4" "Could not find the kernel version"

include/tests_kernel_hardening

@@ -22,7 +22,7 @@
 #
 #################################################################################
 #
-    InsertSection "Kernel Hardening"
+    InsertSection "${SECTION_KERNEL_HARDENING}"
 #
 #################################################################################
 #

include/tests_ldap

@@ -22,7 +22,7 @@
 #
 #################################################################################
 #
-    InsertSection "LDAP Services"
+    InsertSection "${SECTION_LDAP_SERVICES}"
 #
 #################################################################################
 #

include/tests_logging

@@ -36,7 +36,7 @@
 #
 #################################################################################
 #
-    InsertSection "Logging and files"
+    InsertSection "${SECTION_LOGGING_AND_FILES}"
 
     # Test        : LOGG-2130
     # Description : Check for a running syslog daemon

include/tests_mac_frameworks

@@ -24,7 +24,7 @@
     SELINUXFOUND=0
     TOMOYOFOUND=0
 
-    InsertSection "Security frameworks"
+    InsertSection "${SECTION_SECURITY_FRAMEWORKS}"
 #
 #################################################################################
 #
@@ -76,7 +76,7 @@
                     Report "apparmor_policy_loaded=1"
                     AddHP 3 3
                     # ignore kernel threads (Parent PID = 2 [kthreadd])
-                    NUNCONFINED=$(${PSBINARY} -N --ppid 2 -o label | ${GREPBINARY} '^unconfined' | ${WCBINARY} --lines)
+                    NUNCONFINED=$(${PSBINARY} -N --ppid 2 -o label | ${GREPBINARY} '^unconfined' | ${WCBINARY} -l)
                     Display --indent 8 --text "Found ${NUNCONFINED} unconfined processes"
                     for PROCESS in $(${PSBINARY} -N --ppid 2 -o label:1,pid,comm | ${GREPBINARY} '^unconfined' | ${TRBINARY} ' ' ':'); do
                         LogText "Result: Unconfined process: ${PROCESS}"
@@ -159,13 +159,13 @@
             fi
             Display --indent 8 --text "Current SELinux mode: ${FIND}"
             PERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${TRBINARY} '\n' ' ')
-            NPERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${WCBINARY} --lines)
+            NPERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${WCBINARY} -l)
             Display --indent 8 --text "Found ${NPERMISSIVE} permissive SELinux object types"
             LogText "Permissive SELinux object types: ${PERMISSIVE}"
             UNCONFINED=$(${PSBINARY} -eo label,pid,command | ${GREPBINARY} '[u]nconfined_t' | ${TRBINARY} '\n' ' ')
             INITRC=$(${PSBINARY} -eo label,pid,command | ${GREPBINARY} '[i]nitrc_t' | ${TRBINARY} '\n' ' ')
-            NUNCONFINED=$(${PSBINARY} -eo label | ${GREPBINARY} '[u]nconfined_t' | ${WCBINARY} --lines)
-            NINITRC=$(${PSBINARY} -eo label | ${GREPBINARY} '[i]nitrc_t' | ${WCBINARY} --lines)
+            NUNCONFINED=$(${PSBINARY} -eo label | ${GREPBINARY} '[u]nconfined_t' | ${WCBINARY} -l)
+            NINITRC=$(${PSBINARY} -eo label | ${GREPBINARY} '[i]nitrc_t' | ${WCBINARY} -l)
             Display --indent 8 --text "Found ${NUNCONFINED} unconfined and ${NINITRC} initrc_t processes"
             LogText "Unconfined processes: ${UNCONFINED}"
             LogText "Processes with initrc_t type: ${INITRC}"
@@ -207,7 +207,7 @@
             Display --indent 4 --text "- Checking TOMOYO Linux status" --result "${STATUS_ENABLED}" --color GREEN
             Report "tomoyo_enabled=1"
             if [ ! -z ${TOMOYOPSTREEBINARY} ]; then
-                NUNCONFINED=$(${TOMOYOPSTREEBINARY} | ${GREPBINARY} -v '^  3 ' | ${WCBINARY} --lines)
+                NUNCONFINED=$(${TOMOYOPSTREEBINARY} | ${GREPBINARY} -v '^  3 ' | ${WCBINARY} -l)
                 Display --indent 8 --text "Found ${NUNCONFINED} unconfined (not profile 3) processes"
                 for PROCESS in $(${TOMOYOPSTREEBINARY} | ${GREPBINARY} -v '^  3 ' | ${SEDBINARY} -e 's/+-//g' -e 's/^ *//g' -e 's/ \+/:/g' | ${SORTBINARY}); do
                     LogText "Result: Unconfined process: ${PROCESS}"

include/tests_mail_messaging

@@ -22,7 +22,7 @@
 #
 #################################################################################
 #
-    InsertSection "Software: e-mail and messaging"
+    InsertSection "${SECTION_EMAIL_AND_MESSAGING}"
 #
 #################################################################################
 #

include/tests_malware

@@ -22,7 +22,7 @@
 #
 #################################################################################
 #
-    InsertSection "Software: ${SECTION_MALWARE}"
+    InsertSection "${SECTION_MALWARE}"
 #
 #################################################################################
 #
@@ -39,6 +39,7 @@
     MALWARE_SCANNER_INSTALLED=0
     SOPHOS_SCANNER_RUNNING=0
     SYMANTEC_SCANNER_RUNNING=0
+    SYNOLOGY_DAEMON_RUNNING=0
 #
 #################################################################################
 #
@@ -239,6 +240,17 @@
             Report "malware_scanner[]=symantec"
         fi
 
+        # Synology Antivirus Essential
+        LogText "Test: checking process synoavd"
+        if IsRunning "synoavd"; then
+            FOUND=1
+            SYNOLOGY_DAEMON_RUNNING=1
+            MALWARE_SCANNER_INSTALLED=1
+            if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Synology Antivirus Essential" --result "${STATUS_FOUND}" --color GREEN; fi
+            LogText "Result: found Synology Antivirus Essential"
+            Report "malware_scanner[]=synoavd"
+        fi
+
         # TrendMicro (macOS)
         LogText "Test: checking process TmccMac to test for Trend Micro anti-virus (macOS)"
         if IsRunning "TmccMac"; then

include/tests_nameservices

@@ -22,7 +22,7 @@
 #
 #################################################################################
 #
-    InsertSection "Name services"
+    InsertSection "${SECTION_NAME_SERVICES}"
 #
 #################################################################################
 #

include/tests_networking

@@ -31,7 +31,7 @@
 #
 #################################################################################
 #
-    InsertSection "Networking"
+    InsertSection "${SECTION_NETWORKING}"
 #
 #################################################################################
 #

include/tests_ports_packages

@@ -22,7 +22,7 @@
 #
 #################################################################################
 #
-    InsertSection "Ports and packages"
+    InsertSection "${SECTION_PORTS_AND_PACKAGES}"
     PACKAGE_MGR_PKG=0
     PACKAGE_AUDIT_TOOL=""
     PACKAGE_AUDIT_TOOL_FOUND=0
@@ -1289,7 +1289,7 @@
             KERNELS=$(${ZYPPERBINARY} --non-interactive -n se --type package --match-exact --installed-only "kernel-default" 2> /dev/null | ${GREPBINARY} "kernel-default" | ${WCBINARY} -l)
             if [ ${KERNELS} -eq 0 ]; then
                 LogText "Result: found no kernels from zypper output, which is unexpected."
-                ReportException "KRNL-5840:3" "Could not find any kernel packages via package manager. Maybe using a different kernel package?"
+                ReportException "${TEST_NO}" "Could not find any kernel packages via package manager. Maybe using a different kernel package?"
             elif [ ${KERNELS} -gt 3 ]; then
                 LogText "Result: found more than 5 kernel packages on the system, which might indicate lack of regular cleanups"
                 ReportSuggestion "${TEST_NO}" "Remove any unneeded kernel packages"
@@ -1299,7 +1299,19 @@
         fi
 
         if [ ${KERNELS} -eq 0 -a ${TESTED} -eq 1 ]; then
-            ReportException "KRNL-5840:1" "Could not find any kernel packages via package manager"
+            # Only report exception if there are kernels actually there. For example, LXC use the kernel of host system
+            case "${OS}" in
+                "Linux")
+                    if [ -d "${ROOTDIR}boot" ]; then
+                        if [ -z "$(${FINDBINARY} /boot -maxdepth 1 -type f -name 'vmlinuz*' -print -quit)" ]; then
+                            ReportException "${TEST_NO}" "Could not find any kernel packages via package manager"
+                        fi
+                    fi
+                ;;
+                *)
+                    ReportException "${TEST_NO}" "Could not find any kernel packages via package manager"
+                ;;
+            esac
         fi
 
         Report "installed_kernel_packages=${KERNELS}"

include/tests_printers_spoolers

@@ -34,7 +34,7 @@
 #
 #################################################################################
 #
-    InsertSection "Printers and Spools"
+    InsertSection "${SECTION_PRINTERS_AND_SPOOLS}"
 #
 #################################################################################
 #

include/tests_scheduling

@@ -22,7 +22,7 @@
 #
 #################################################################################
 #
-    InsertSection "Scheduled tasks"
+    InsertSection "${SECTION_SCHEDULED_TASKS}"
 #
 #################################################################################
 #

include/tests_shells

@@ -23,7 +23,7 @@
 #################################################################################
 #
     IDLE_TIMEOUT=0
-    InsertSection "Shells"
+    InsertSection "${SECTION_SHELLS}"
 #
 #################################################################################
 #

include/tests_snmp

@@ -28,7 +28,7 @@
 #
 #################################################################################
 #
-    InsertSection "SNMP Support"
+    InsertSection "${SECTION_SNMP_SUPPORT}"
 
     # Test        : SNMP-3302
     # Description : Check for a running SNMP daemon

include/tests_squid

@@ -29,7 +29,7 @@
 #
 #################################################################################
 #
-    InsertSection "Squid Support"
+    InsertSection "${SECTION_SQUID_SUPPORT}"
 #
 #################################################################################
 #

include/tests_ssh

@@ -34,7 +34,7 @@
 #
 #################################################################################
 #
-    InsertSection "SSH Support"
+    InsertSection "${SECTION_SSH_SUPPORT}"
 #
 #################################################################################
 #

include/tests_storage

@@ -18,7 +18,7 @@
 #
 #################################################################################
 #
-    InsertSection "Storage"
+    InsertSection "${SECTION_STORAGE}"
 #
 #################################################################################
 #

include/tests_system_integrity

@@ -25,7 +25,7 @@
 #
 #################################################################################
 #
-    InsertSection "Software: system integrity"
+    InsertSection "${SECTION_SYSTEM_INTEGRITY}"
     Display --indent 2 --text "- Checking file integrity tools"
 #
 #################################################################################

include/tests_time

@@ -22,7 +22,7 @@
 #
 #################################################################################
 #
-    InsertSection "Time and Synchronization"
+    InsertSection "${SECTION_TIME_AND_SYNCHRONIZATION}"
 #
 #################################################################################
 #
@@ -575,7 +575,16 @@
 
     Register --test-no TIME-3185 --preqs-met "${PREQS_MET}" --weight L --network NO --category "security" --description "Check systemd-timesyncd synchronized time"
     SYNCHRONIZED_FILE="/run/systemd/timesync/synchronized"
+       
     if [ ${SKIPTEST} -eq 0 ]; then
+        # On earlier systemd versions (237), '/run/systemd/timesync/synchronized' does not exist, so use '/var/lib/systemd/timesync/clock'
+        if [ ! -e "${SYNCHRONIZED_FILE}" ]; then
+            SYNCHRONIZED_FILE="/var/lib/systemd/timesync/clock"
+        fi
+        # DynamicUser=yes moves the clock file to '/var/lib/private/systemd/timesync/clock'
+        if [ ! -e "${SYNCHRONIZED_FILE}" ]; then
+            SYNCHRONIZED_FILE="/var/lib/private/systemd/timesync/clock"
+        fi
         if [ -e "${SYNCHRONIZED_FILE}" ]; then
            FIND=$(( $(date +%s) - $(${STATBINARY} -L --format %Y "${SYNCHRONIZED_FILE}") ))
            # Check if last sync was more than 2048 seconds (= the default of systemd) ago

include/tests_tooling

@@ -37,7 +37,7 @@
 #
 #################################################################################
 #
-    InsertSection "Software: System tooling"
+    InsertSection "${SECTION_SYSTEM_TOOLING}"
 #
 #################################################################################
 #

include/tests_usb

@@ -19,7 +19,7 @@
 #
 #################################################################################
 #
-    InsertSection "USB Devices"
+    InsertSection "${SECTION_USB_DEVICES}"
 #
 #################################################################################
 #

include/tests_virtualization

@@ -22,7 +22,7 @@
 #
 #################################################################################
 #
-    InsertSection "Virtualization"
+    InsertSection "${SECTION_VIRTUALIZATION}"
 #
 #################################################################################
 #

include/tests_webservers

@@ -22,7 +22,7 @@
 #
 #################################################################################
 #
-    InsertSection "Software: webserver"
+    InsertSection "${SECTION_WEBSERVER}"
 #
 #################################################################################
 #

lynis

@@ -45,8 +45,8 @@
     # Version details
     PROGRAM_RELEASE_DATE="2020-10-05"
     PROGRAM_RELEASE_TIMESTAMP=1601896929
-    PROGRAM_RELEASE_TYPE="release" # pre-release or release
-    PROGRAM_VERSION="3.0.1"
+    PROGRAM_RELEASE_TYPE="pre-release" # pre-release or release
+    PROGRAM_VERSION="3.0.2"
 
     # Source, documentation and license
     PROGRAM_SOURCE="https://github.com/CISOfy/lynis"
@@ -862,7 +862,7 @@ ${NORMAL}
 #################################################################################
 #
     if IsVerbose; then
-        InsertSection "Program Details"
+        InsertSection "${SECTION_PROGRAM_DETAILS}"
         Display --indent 2 --text "- ${GEN_VERBOSE_MODE}" --result "YES" --color GREEN
         if IsDebug; then
             Display --indent 2 --text "- ${GEN_DEBUG_MODE}" --result "YES" --color GREEN
@@ -1017,7 +1017,7 @@ ${NORMAL}
                     LogText "Exception: skipping test category ${INCLUDE_TEST}, file ${INCLUDE_FILE} has bad permissions (should be 640, 600 or 400)"
                     ReportWarning "NONE" "Invalid permissions on tests file tests_${INCLUDE_TEST}"
                     # Insert a section and warn user also on screen
-                    InsertSection "General"
+                    InsertSection "${SECTION_GENERAL}"
                     Display --indent 2 --text "- Running test category ${INCLUDE_TEST}... " --result "SKIPPED" --color RED
                 fi
             else