tyler.durden/lynis
1
0
Fork 0
mirror of https://github.com/CISOfy/lynis.git synced 2025-07-28 08:14:10 +02:00
Code Issues Packages Projects Releases Wiki Activity

Check LINUX_VERSION_LIKE in various tests

Browse Source 
This affects:
BOOT-5180, KRNL-5622, KRNL-5788, PKGS-7388, PKGS-7390, PKGS-7394,
PKGS-7366, and PKGS-7420.
This commit is contained in:
Simon Biewald 2020-08-15 16:44:34 +01:00
parent 3abc39598a
commit 4a03c61343
3 changed files with 65 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
include/tests_boot_services
View File

@ -656,7 +656,13 @@
# Test : BOOT-5180 # Test : BOOT-5180
# Description : Check for Linux boot services (Debian style) # Description : Check for Linux boot services (Debian style)
# Notes : Debian 8+ shows runlevel 5 # Notes : Debian 8+ shows runlevel 5
if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION}" = "Ubuntu" ] ||
[ "${LINUX_VERSION_LIKE}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" = "Ubuntu" ]; then
PREQS_MET="YES"
else
PREQS_MET="NO"
fi
Register --test-no BOOT-5180 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for Linux boot services (Debian style)" Register --test-no BOOT-5180 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for Linux boot services (Debian style)"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Runlevel check # Runlevel check

9
include/tests_kernel
View File

@ -81,7 +81,7 @@
fi fi
else else
LogText "Result: file ${ROOTDIR}etc/inittab not found" LogText "Result: file ${ROOTDIR}etc/inittab not found"
if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then if [ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION}" = "Ubuntu" ] || [ "${LINUX_VERSION_LIKE}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" = "Ubuntu" ]; then
LogText "Test: Checking run level with who -r, for Debian based systems" LogText "Test: Checking run level with who -r, for Debian based systems"
FIND=$(who -r | ${AWKBINARY} '{ if ($1=="run-level") { print $2 } }') FIND=$(who -r | ${AWKBINARY} '{ if ($1=="run-level") { print $2 } }')
if HasData "${FIND}"; then if HasData "${FIND}"; then
@ -368,7 +368,12 @@
# #
# Test : KRNL-5788 # Test : KRNL-5788
# Description : Checking availability new kernel # Description : Checking availability new kernel
if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION}" = "Ubuntu" ] ||
[ "${LINUX_VERSION_LIKE}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" = "Ubuntu" ]; then
PREQS_MET="YES"
else
PREQS_MET="NO"
fi
Register --test-no KRNL-5788 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking availability new Linux kernel" Register --test-no KRNL-5788 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking availability new Linux kernel"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
HAS_VMLINUZ=0 HAS_VMLINUZ=0

86
include/tests_ports_packages
View File

@ -600,8 +600,8 @@
# #
# Test : PKGS-7366 # Test : PKGS-7366
# Description : Checking if debsecan is installed and enabled on Debian systems # Description : Checking if debsecan is installed and enabled on Debian systems
if [ -n "${DEBSECANBINARY}" -a "${OS}" = "Linux" -a "${LINUX_VERSION}" = "Debian" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${DEBSECANBINARY}" ] && ( [ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" = "Debian" ] ); then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no "PKGS-7366" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for debsecan utility" Register --test-no "PKGS-7366" --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --category security --description "Checking for debsecan utility"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ -n "${DEBSECANBINARY}" ]; then if [ -n "${DEBSECANBINARY}" ]; then
LogText "Result: debsecan utility is installed" LogText "Result: debsecan utility is installed"
@ -986,7 +986,9 @@
PREQS_MET="NO" PREQS_MET="NO"
if [ -f ${ROOTDIR}etc/apt/sources.list -a -d ${ROOTDIR}etc/apt/sources.list.d ]; then if [ -f ${ROOTDIR}etc/apt/sources.list -a -d ${ROOTDIR}etc/apt/sources.list.d ]; then
case "${LINUX_VERSION}" in case "${LINUX_VERSION}" in
"Debian" | "Linux Mint" | "Ubuntu") "Debian" | "Linux Mint" | "Ubuntu" | "Pop!_OS")
# Todo: PureOS (not rolling) has security repositories
# Todo: Debian sid does not have a security repository.
PREQS_MET="YES" PREQS_MET="YES"
;; ;;
*) *)
@ -1042,7 +1044,13 @@
# #
# Test : PKGS-7390 # Test : PKGS-7390
# Description : Check Ubuntu database consistency # Description : Check Ubuntu database consistency
if [ "${LINUX_VERSION}" = "Ubuntu" -a -x ${ROOTDIR}usr/bin/apt-get ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if ([ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION}" = "Ubuntu" ] ||
[ "${LINUX_VERSION_LIKE}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" = "Ubuntu" ]) && [ -x "${ROOTDIR}usr/bin/apt-get" ]; then
PREQS_MET="YES"
else
PREQS_MET="NO"
fi
Register --test-no PKGS-7390 --os Linux --preqs-met ${PREQS_MET} --root-only YES --weight L --network NO --category security --description "Check Ubuntu database consistency" Register --test-no PKGS-7390 --os Linux --preqs-met ${PREQS_MET} --root-only YES --weight L --network NO --category security --description "Check Ubuntu database consistency"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Package database consistency by running apt-get check" LogText "Test: Package database consistency by running apt-get check"
@ -1191,7 +1199,13 @@
# #
# Test : PKGS-7394 # Test : PKGS-7394
# Description : Check Ubuntu upgradeable packages # Description : Check Ubuntu upgradeable packages
if [ "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if ([ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION}" = "Ubuntu" ] ||
[ "${LINUX_VERSION_LIKE}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" = "Ubuntu" ]) && [ -x "${ROOTDIR}usr/bin/apt-get" ]; then
PREQS_MET="YES"
else
PREQS_MET="NO"
fi
Register --test-no PKGS-7394 --os Linux --preqs-met ${PREQS_MET} --weight L --network YES --category security --description "Check for Ubuntu updates" Register --test-no PKGS-7394 --os Linux --preqs-met ${PREQS_MET} --weight L --network YES --category security --description "Check for Ubuntu updates"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking ${ROOTDIR}usr/bin/apt-show-versions" LogText "Test: checking ${ROOTDIR}usr/bin/apt-show-versions"
@ -1317,37 +1331,39 @@
case "${OS}" in case "${OS}" in
"Linux") "Linux")
case "${LINUX_VERSION}" in for DIST in CentOS Debian Fedora RHEL Ubuntu; do
"CentOS" | "Debian" | "Fedora" | "RHEL" | "Ubuntu") if [ "${LINUX_VERSION}" = "${DIST}" ] || [ "${LINUX_VERSION_LIKE}" = "${DIST}" ]; then
UNATTENDED_UPGRADES_OPTION_AVAILABLE=1 UNATTENDED_UPGRADES_OPTION_AVAILABLE=1
# Test available tools for Linux fi
if [ -f "${ROOTDIR}bin/auter" ]; then done
UNATTENDED_UPGRADES_TOOL="auter"
UNATTENDED_UPGRADES_TOOLKIT=1 if [ $UNATTENDED_UPGRADES_OPTION_AVAILABLE -eq 1 ]; then
LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}" # Test available tools for Linux
Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}" if [ -f "${ROOTDIR}bin/auter" ]; then
fi UNATTENDED_UPGRADES_TOOL="auter"
if [ -f "${ROOTDIR}sbin/yum-cron" ]; then UNATTENDED_UPGRADES_TOOLKIT=1
UNATTENDED_UPGRADES_TOOL="yum-cron" LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}"
UNATTENDED_UPGRADES_TOOLKIT=1 Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}"
LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}" fi
Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}" if [ -f "${ROOTDIR}sbin/yum-cron" ]; then
fi UNATTENDED_UPGRADES_TOOL="yum-cron"
if [ -f "${ROOTDIR}usr/bin/dnf-automatic" ]; then UNATTENDED_UPGRADES_TOOLKIT=1
UNATTENDED_UPGRADES_TOOL="dnf-automatic" LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}"
UNATTENDED_UPGRADES_TOOLKIT=1 Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}"
LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}" fi
Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}" if [ -f "${ROOTDIR}usr/bin/dnf-automatic" ]; then
fi UNATTENDED_UPGRADES_TOOL="dnf-automatic"
if [ -f "${ROOTDIR}usr/bin/unattended-upgrade" ]; then UNATTENDED_UPGRADES_TOOLKIT=1
UNATTENDED_UPGRADES_TOOL="unattended-upgrade" LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}"
UNATTENDED_UPGRADES_TOOLKIT=1 Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}"
LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}" fi
Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}" if [ -f "${ROOTDIR}usr/bin/unattended-upgrade" ]; then
fi UNATTENDED_UPGRADES_TOOL="unattended-upgrade"
;; UNATTENDED_UPGRADES_TOOLKIT=1
esac LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}"
Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}"
fi
fi
;; ;;
esac esac