From d96628d9b1d116e3fa7d909e0d2b323653d5d6d7 Mon Sep 17 00:00:00 2001 From: Sander Date: Fri, 14 May 2021 11:56:48 +0000 Subject: [PATCH 001/282] Adding HTTP-6660 test --- include/tests_webservers | 39 ++++++++++++++++++++++++++++++++++++++- 1 file changed, 38 insertions(+), 1 deletion(-) diff --git a/include/tests_webservers b/include/tests_webservers index 6e0a3b3d..d3634ece 100644 --- a/include/tests_webservers +++ b/include/tests_webservers @@ -48,6 +48,8 @@ TMPFILE="${TEMP_FILE}" CreateTempFile || ExitFatal TMPFILE2="${TEMP_FILE}" + CreateTempFile || ExitFatal + TMPFILE3="${TEMP_FILE}" # ################################################################################# # 
@@ -300,8 +302,42 @@ # ################################################################################# # - # Test : HTTP-6660 TODO + # Test : HTTP-6660 # Description : Search for "TraceEnable off" in configuration files + if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no HTTP-6660 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking Apache security setting: TraceEnable" + if [ ${SKIPTEST} -eq 0 ]; then + for DIR in ${sTEST_APACHE_TARGETS}; do + if [ -d ${DIR} ]; then + find ${DIR} -name "*.conf" -print >> ${TMPFILE3} + fi + done + + # Check all Apache conf-files for TraceEnable + if [ -f ${TMPFILE3} ]; then + Display --indent 2 --text '- Checking TraceEnable setting in:' + for APACHE_CONFFILE in $(cat ${TMPFILE3}); do + TRACEENABLE=$( ${GREPBINARY} -i -E '^TraceEnable' ${APACHE_CONFFILE} | ${AWKBINARY} '{print $2}' ) + if [ ! ${TRACEENABLE} ]; then + LogText "Result: no TraceEnable setting found in ${APACHE_CONFFILE}" + Display --indent 4 --text " ${APACHE_CONFFILE}" --result "${STATUS_NOT_FOUND}" --color WHITE + else + TRACEENABLED_SETTING=$( echo ${TRACEENABLE} | tr 'A-Z' 'a-z' ) + if [ x${TRACEENABLED_SETTING} == x'off' ]; then + LogText "Result: found TraceEnable setting set to 'off' in ${APACHE_CONFFILE}" + Report "Apache setting: 'TraceEnable Off' in ${APACHE_CONFFILE}" + Display --indent 4 --text " ${APACHE_CONFFILE}" --result "${STATUS_FOUND}" --color GREEN + else + LogText "Result: found TraceEnable setting set to '"${TRACEENABLE}"' in ${APACHE_CONFFILE}" + Report "Apache setting: 'TraceEnable "${TRACEENABLE}"' in ${APACHE_CONFFILE}" + Display --indent 4 --text " ${APACHE_CONFFILE}" --result "${STATUS_SUGGESTION}" --color YELLOW + ReportSuggestion "${TEST_NO}" "Consider setting 'TraceEnable Off' in ${APACHE_CONFFILE}" "Set TraceEnable to 'On' or 'extended' for testing and diagnostic purposes only." 
+ fi + fi + done + rm -f ${TMPFILE3} + fi + fi # ################################################################################# # @@ -608,6 +644,7 @@ # Remove temp file (double check) if [ -n "${TMPFILE}" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi if [ -n "${TMPFILE2}" ]; then if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi; fi + if [ -n "${TMPFILE3}" ]; then if [ -f ${TMPFILE3} ]; then rm -f ${TMPFILE3}; fi; fi WaitForKeyPress From 0298f519406fab873246ad751f19fd91e1aa7baf Mon Sep 17 00:00:00 2001 From: Sander Date: Sat, 15 May 2021 19:22:17 +0000 Subject: [PATCH 002/282] Added FILE-6398 test --- include/tests_filesystems | 42 +++++++++++++++++++++++++++++++++++---- 1 file changed, 38 insertions(+), 4 deletions(-) diff --git a/include/tests_filesystems b/include/tests_filesystems index d3a6eaab..d2836480 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems 
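Review bot: `if [ x${TRACEENABLED_SETTING} == x'off' ]` uses `==` inside `[`, which is not POSIX and fails on dash-style shells, while the surrounding file compares with `=`; and `if [ ! ${TRACEENABLE} ]` passes the value unquoted, so a configuration file with more than one TraceEnable directive makes `[` fail with "too many arguments". Suggest `if [ -z "${TRACEENABLE}" ]; then` and `if [ "x${TRACEENABLED_SETTING}" = "xoff" ]; then`. The pattern `'^TraceEnable'` only matches the directive at column 0, so an indented `TraceEnable off` is reported as not found; `'^[[:space:]]*TraceEnable'` covers that case. The `for APACHE_CONFFILE in $(cat ${TMPFILE3})` loop word-splits the file list, so configuration paths containing spaces are not handled.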
@@ -721,11 +721,45 @@ # ################################################################################# # - # Test : FILE-6398 TODO + # Test : FILE-6398 # Description : Check if JBD (Journal Block Device) driver is loaded - - # Want to contribute to Lynis? Create this test - + Register --test-no FILE-6398 --os Linux --weight L --network NO --category security --description "Checking if JBD (Journal Block Device) driver is loaded" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: Checking if JBD (Journal Block Device) driver is loaded" + NOTINUSE=0 + # Cannot check if driver is loaded/present if kernel is monolithic + if [ ${MONOLITHIC_KERNEL} -eq 0 ]; then + JBD=$(${LSMODBINARY} | ${GREPBINARY} ^jbd) + if [ -n "${JBD}" ]; then + LogText "Result: JBD driver is loaded" + INUSE=$(echo ${JBD} | ${AWKBINARY} '{if ($3 -ne 0) {print $4}}') + if [ -n "${INUSE}" ]; then + LogText "Result: JBD driver is in use by drivers: ${INUSE}" + Report "JBD driver is in use by drivers: ${INUSE}" + Display --indent 2 --text "- JBD driver loaded and in use" --result "${STATUS_OK}" --color GREEN + else + NOTINUSE=1 + LogText "Result: JBD driver loaded, but not in use" + Report "JBD driver is loaded, but not in use." + Display --indent 2 --text "- JBD driver loaded, but not in use" --result "${STATUS_SUGGESTION}" --color YELLOW + fi + else + NOTINUSE=2 + LogText "Result: JBD driver not loaded" + Report "JBD driver not loaded." + Display --indent 2 --text "- JBD driver is not loaded" --result "${STATUS_CHECK_NEEDED}" --color YELLOW + fi + if [ ${NOTINUSE} -eq 1 ]; then + ReportSuggestion "${TEST_NO}" "The JBD (Journal Block Device) driver is loaded but not in use." "You are currently not using any filesystems with journaling, i.e. you have greater risk of data corruption in case of system crash." + elif [ ${NOTINUSE} -eq 2 ]; then + ReportSuggestion "${TEST_NO}" "The JBD (Journal Block Device) driver is not loaded." "Since boot-time, you have not been using any filesystems with journaling. 
Alternatively, reason could be driver is blacklisted." + fi + else + LogText "Kernel is monolithic - cannot check if JBD driver is part of compiled kernel." + Report "Kernel is monolithic - cannot check if JBD driver is part of compiled kernel." + Display --indent 2 --text "- JBD driver: unable to check" --result "${STATUS_UNKNOWN}" --color RED + fi + fi # ################################################################################# # From b96e42d50bd23c052714ff6370b2a95131ab2972 Mon Sep 17 00:00:00 2001 From: Steve Kolenich Date: Wed, 1 Sep 2021 15:58:59 -0400 Subject: [PATCH 003/282] Update EOL for Alpine Linux release --- db/software-eol.db | 1 + 1 file changed, 1 insertion(+) diff --git a/db/software-eol.db b/db/software-eol.db index bebd4de8..010b6d67 100644 --- a/db/software-eol.db +++ b/db/software-eol.db @@ -16,6 +16,7 @@ # # Alpine - https://alpinelinux.org/releases/ # +os:Alpine 3.14:2023-05-01:1682899200 os:Alpine 3.13:2022-11-01:1667275200 os:Alpine 3.12:2022-05-01:1651377600 os:Alpine 3.11:2021-11-01:1635739200 From a4bee8a329c5c8880c81c22631e600f2aba35415 Mon Sep 17 00:00:00 2001 From: Steve Kolenich Date: Wed, 1 Sep 2021 16:00:01 -0400 Subject: [PATCH 004/282] Added two tests using apk (Alpine Package Keeper) to check for installed packages and packages that can be upgraded --- include/binaries | 1 + include/consts | 1 + include/functions | 3 ++ include/tests_ports_packages | 63 ++++++++++++++++++++++++++++++++++++ 4 files changed, 68 insertions(+) diff --git a/include/binaries b/include/binaries index fb8147ce..7aabba42 100644 --- a/include/binaries +++ b/include/binaries 
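Review bot: `'{if ($3 -ne 0) {print $4}}'` is not valid awk — `-ne` is a shell test operator; awk parses it as `$3 - ne` (an unset variable) concatenated with `0`, a non-empty string that is always true, so the filter currently works only because lsmod leaves the fourth column empty when the use count is 0. Use `'{if ($3 != 0) {print $4}}'`. Separately, `${GREPBINARY} ^jbd` matches both `jbd` and `jbd2` lines and `echo ${JBD}` folds them onto one line, so only the first module's fields are inspected; anchoring the pattern to the intended module name, or handling each line separately, would make the result deterministic.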
@@ -134,6 +134,7 @@ aide) AIDEBINARY=${BINARY}; LogText " Found known binary: aide (file integrity checker) - ${BINARY}" ;; apache2) HTTPDBINARY=${BINARY}; LogText " Found known binary: apache2 (web server) - ${BINARY}" ;; apt) APTBINARY=${BINARY}; LogText " Found known binary: apt (package manager) - ${BINARY}" ;; + apk) APKBINARY=${BINARY}; LogText " Found known binary: apk (package manager) - ${BINARY}" ;; arch-audit) ARCH_AUDIT_BINARY="${BINARY}"; LogText " Found known binary: arch-audit (auditing utility to test for vulnerable packages) - ${BINARY}" ;; auditd) AUDITDBINARY=${BINARY}; LogText " Found known binary: auditd (audit framework) - ${BINARY}" ;; awk) AWKBINARY=${BINARY}; LogText " Found known binary: awk (string tool) - ${BINARY}" ;; diff --git a/include/consts b/include/consts index 1dc3f893..5d618429 100644 --- a/include/consts +++ b/include/consts @@ -43,6 +43,7 @@ ETC_PATHS="/etc /usr/local/etc" # == Variable initializing == # APTBINARY="" + APKBINARY="" ARCH_AUDIT_BINARY="" AUDITORNAME="" AUDITCTLBINARY="" diff --git a/include/functions b/include/functions index 6c4d76c7..39fd9c15 100644 --- a/include/functions +++ b/include/functions @@ -2090,6 +2090,9 @@ elif [ -n "${XBPSBINARY}" ]; then output=$(${XBPSBINARY} ${package} 2> /dev/null | ${GREPBINARY} "^ii") exit_code=$? + elif [ -n "${APKBINARY}" ]; then + output=$(${APKBINARY} search ${package} 2> /dev/null | ${GREPBINARY} ${package}) + exit_code=$? else if [ "${package}" != "__dummy__" ]; then ReportException "PackageIsInstalled:01 (test=${TEST_NO:-unknown})" diff --git a/include/tests_ports_packages b/include/tests_ports_packages index 2f0b98da..ee606e7b 100644 --- a/include/tests_ports_packages +++ b/include/tests_ports_packages 
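Review bot: In the include/functions hunk, `${APKBINARY} search ${package}` queries the repository index rather than the installed database, and the unanchored `${GREPBINARY} ${package}` adds substring matching on top, so PackageIsInstalled would report a package as present whenever any available package name contains the string — callers that decide a hardening tool is installed get false positives. `apk info -e` exits 0 only when the named package is installed: `output=$(${APKBINARY} info -e ${package} 2> /dev/null)` followed by `exit_code=$?`. PackageIsInstalled starts and ends outside the hunk, so check how `output` is consumed by the rest of the function before switching.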
@@ -466,6 +466,34 @@ fi # ################################################################################# +# + # Test : PKGS-7346 + # Description : Check Alpine Package Keeper (apk) + if [ -x ${ROOTDIR}/sbin/apk ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no PKGS-7346 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying apk" + if [ ${SKIPTEST} -eq 0 ]; then + COUNT=0 + Display --indent 4 --text "- Searching apk package manager" --result "${STATUS_FOUND}" --color GREEN + LogText "Result: Found apk binary" + Report "package_manager[]=apk" + PACKAGE_MGR_PKG=1 + LogText "Test: Querying apk info -v to get package list" + Display --indent 6 --text "- Querying package manager" + LogText "Output:" + SPACKAGES=$(apk info -v | ${SEDBINARY} -r -e 's/([a-z,A-Z,0-9,_,-,.]{1,250})-([a-z,A-Z,0-9,.]+-r[a-z,A-Z,0-9]+)/\1,\2/' | sort) + for J in ${SPACKAGES}; do + COUNT=$((COUNT + 1)) + PACKAGE_NAME=$(echo ${J} | ${CUTBINARY} -d ',' -f1) + PACKAGE_VERSION=$(echo ${J} | ${CUTBINARY} -d ',' -f2) + LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})" + INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}" + done + Report "installed_packages=${COUNT}" + else + LogText "Result: apk "${STATUS_NOT_FOUND}", test skipped" + fi +# +################################################################################# # # Test : PKGS-7346 # Description : Check packages which are removed, but still own configuration files, cron jobs etc 
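Review bot: The new test registers as PKGS-7346, which is the number of the test that follows it in the context lines (`# Test : PKGS-7346 ... Check packages which are removed`), so two tests share one ID and db/tests.db is not updated by this commit; pick an unused number for the apk query. `SPACKAGES=$(apk info -v | ...)` also runs a bare `apk` (and `sort`) from PATH, whereas the prerequisite check uses `${ROOTDIR}/sbin/apk` and this same commit introduces `${APKBINARY}`; use `${APKBINARY} info -v` so the binary located by include/binaries is the one executed. The prerequisite path `${ROOTDIR}/sbin/apk` has a slash after `${ROOTDIR}`, unlike the `${ROOTDIR}sbin/apk` form used in the second hunk of this file, which is worth making consistent.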
@@ -1235,6 +1263,41 @@ # ################################################################################# +# + # Test : PKGS-7395 + # Description : Check Alpine upgradeable packages + if [ "${LINUX_VERSION}" = "Alpine Linux" ] && [ -x "${ROOTDIR}sbin/apk" ]; then + PREQS_MET="YES" + else + PREQS_MET="NO" + fi + + Register --test-no PKGS-7395 --os Linux --preqs-met ${PREQS_MET} --weight L --network YES --category security --description "Check for Alpine updates" + if [ ${SKIPTEST} -eq 0 ]; then + if [ ${REFRESH_REPOSITORIES} -eq 1 ]; then + LogText "Action: updating package repository with apk" + ${ROOTDIR}sbin/apk update + LogText "Result: apk finished" + else + LogText "Result: using a possibly outdated repository, as updating is disabled via configuration" + fi + LogText "Test: Checking packages which can be upgraded via apk version -l '<'" + FIND=$(${ROOTDIR}sbin/apk version -l '<' | ${GREPBINARY} '<' | ${SEDBINARY} 's/\s\+<\s/ Date: Mon, 8 Nov 2021 12:26:20 +0100 Subject: [PATCH 005/282] add symlink support to HasCorrectFilePermissions and IsWorldWritable MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- include/functions | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/include/functions b/include/functions index 6c4d76c7..271faf19 100644 --- a/include/functions +++ b/include/functions @@ -1306,6 +1306,11 @@ if [ $# -ne 2 ]; then Fatal "Incorrect usage of HasCorrectFilePermissions"; fi CHECKFILE="$1" CHECKPERMISSION_FULL="$2" + # Check for symlink + if [ -L ${CHECKFILE} ]; then + ShowSymlinkPath ${CHECKFILE} + if [ ! "${SYMLINK}" = "" ]; then CHECKFILE="${SYMLINK}"; fi + fi if [ ! -d ${CHECKFILE} -a ! -f ${CHECKFILE} ]; then return 2 else 
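Review bot: In the HasCorrectFilePermissions hunk, the added block reads the global `SYMLINK` that ShowSymlinkPath is expected to set, but nothing resets it before the call; if ShowSymlinkPath returns without assigning it (I cannot confirm its behaviour from this hunk), a value left by an earlier call would silently replace CHECKFILE and the permission verdict would be made on the wrong file. Clear it first: `SYMLINK=""` immediately before `ShowSymlinkPath ${CHECKFILE}`. The same applies to the IsWorldWritable hunk that follows. HasCorrectFilePermissions starts outside the hunk.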
@@ -2002,7 +2007,11 @@ if [ $# -eq 0 ]; then ExitFatal "Missing parameter when calling IsWorldWritable function"; fi sFILE=$1 FileIsWorldWritable="" - + # Check for symlink + if [ -L ${sFILE} ]; then + ShowSymlinkPath ${sFILE} + if [ ! "${SYMLINK}" = "" ]; then sFILE="${SYMLINK}"; fi + fi # Only check if target is a file or directory if [ -f ${sFILE} -o -d ${sFILE} ]; then FINDVAL=$(ls -ld ${sFILE} | cut -c 9) From 3bfff0ca6297f202f196c672721d2c6f78df76df Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Mon, 8 Nov 2021 13:29:38 +0100 Subject: [PATCH 006/282] present expected permission value in octal MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- include/functions | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/include/functions b/include/functions index 6c4d76c7..0ff661cf 100644 --- a/include/functions +++ b/include/functions @@ -1320,9 +1320,8 @@ CHECK_PERMISSION=$(echo "${CHECK_PERMISSION}" | ${AWKBINARY} '{printf "%03d",$1}') # First try stat command - LogText "Test: checking if file ${CHECKFILE} has the permissions set to ${CHECK_PERMISSION} or more restrictive" + LogText "Test: checking if file ${CHECKFILE} has the permissions set to ${CHECK_PERMISSION} (${CHECKPERMISSION_FULL}) or more restrictive" if [ -n "${STATBINARY}" ]; then - case ${OS} in *BSD | "macOS") # BSD and macOS have no --format, only short notation @@ -1388,7 +1387,7 @@ fi done - LogText "Outcome: permissions of file ${CHECKFILE} are not matching expected value (${DATA} != ${CHECKPERMISSION_FULL})" + LogText "Outcome: permissions of file ${CHECKFILE} are not matching expected value (${DATA} != ${CHECK_PERMISSION})" # No match, return exit code 1 return 1 fi From 0eb92f52912f15ec932a7b4c2da87fa34a16294e Mon Sep 17 00:00:00 2001 
From: Adam Morris Date: Sat, 20 Nov 2021 05:19:37 +0000 Subject: [PATCH 007/282] Added the aarch64-linux-64 path This resolves Issue #1234 --- include/tests_authentication | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_authentication b/include/tests_authentication index 2712aa34..a20c6736 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -25,7 +25,7 @@ LDAP_AUTH_ENABLED=0 LDAP_PAM_ENABLED=0 LDAP_CONF_LOCATIONS="${ROOTDIR}etc/ldap.conf ${ROOTDIR}etc/ldap/ldap.conf ${ROOTDIR}etc/openldap/ldap.conf ${ROOTDIR}usr/local/etc/ldap.conf ${ROOTDIR}usr/local/etc/openldap/ldap.conf" - PAM_FILE_LOCATIONS="${ROOTDIR}lib/arm-linux-gnueabihf/security ${ROOTDIR}lib/i386-linux-gnu/security ${ROOTDIR}lib/security ${ROOTDIR}lib/x86_64-linux-gnu/security ${ROOTDIR}lib64/security ${ROOTDIR}usr/lib /usr/lib/security" + PAM_FILE_LOCATIONS="${ROOTDIR}usr/lib/aarch64-linux-gnu/security :${ROOTDIR}lib/arm-linux-gnueabihf/security ${ROOTDIR}lib/i386-linux-gnu/security ${ROOTDIR}lib/security ${ROOTDIR}lib/x86_64-linux-gnu/security ${ROOTDIR}lib64/security ${ROOTDIR}usr/lib /usr/lib/security" SUDOERS_LOCATIONS="${ROOTDIR}etc/sudoers ${ROOTDIR}usr/local/etc/sudoers ${ROOTDIR}usr/pkg/etc/sudoers" SUDOERS_FILE="" # From 11306422ac8d4cd7e88bf82bcb0a3b2a29638ae6 Mon Sep 17 00:00:00 2001 From: Adam Morris Date: Sat, 20 Nov 2021 05:23:34 +0000 Subject: [PATCH 008/282] Corrected a minor typo --- include/tests_authentication | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_authentication b/include/tests_authentication index a20c6736..ab9ac4c4 100644 --- a/include/tests_authentication +++ b/include/tests_authentication 
@@ -25,7 +25,7 @@ LDAP_AUTH_ENABLED=0 LDAP_PAM_ENABLED=0 LDAP_CONF_LOCATIONS="${ROOTDIR}etc/ldap.conf ${ROOTDIR}etc/ldap/ldap.conf ${ROOTDIR}etc/openldap/ldap.conf ${ROOTDIR}usr/local/etc/ldap.conf ${ROOTDIR}usr/local/etc/openldap/ldap.conf" - PAM_FILE_LOCATIONS="${ROOTDIR}usr/lib/aarch64-linux-gnu/security :${ROOTDIR}lib/arm-linux-gnueabihf/security ${ROOTDIR}lib/i386-linux-gnu/security ${ROOTDIR}lib/security ${ROOTDIR}lib/x86_64-linux-gnu/security ${ROOTDIR}lib64/security ${ROOTDIR}usr/lib /usr/lib/security" + PAM_FILE_LOCATIONS="${ROOTDIR}usr/lib/aarch64-linux-gnu/security ${ROOTDIR}lib/arm-linux-gnueabihf/security ${ROOTDIR}lib/i386-linux-gnu/security ${ROOTDIR}lib/security ${ROOTDIR}lib/x86_64-linux-gnu/security ${ROOTDIR}lib64/security ${ROOTDIR}usr/lib /usr/lib/security" SUDOERS_LOCATIONS="${ROOTDIR}etc/sudoers ${ROOTDIR}usr/local/etc/sudoers ${ROOTDIR}usr/pkg/etc/sudoers" SUDOERS_FILE="" # From 6c5ddb9cc295d826ded63b2fa2e25d307cc7839c Mon Sep 17 00:00:00 2001 From: Rafael Grether <95718430+devnull-hub-lab@users.noreply.github.com> Date: Thu, 16 Dec 2021 15:41:18 -0300 Subject: [PATCH 009/282] Update mod_security module version Update ModSecurity version. Actual version: 3 Issue #1246 --- include/tests_webservers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_webservers b/include/tests_webservers index 6e0a3b3d..e0ca5737 100644 --- a/include/tests_webservers +++ b/include/tests_webservers @@ -288,7 +288,7 @@ Register --test-no HTTP-6643 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Determining existence of specific Apache modules" if [ ${SKIPTEST} -eq 0 ]; then # Check modules, module - if CheckItem "apache_module" "/mod_security2.so"; then + if CheckItem "apache_module" "/mod_security(2|3).so" ; then Display --indent 10 --text "ModSecurity: web application firewall" --result "${STATUS_FOUND}" --color GREEN AddHP 3 3 else 
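Review bot: In the tests_webservers hunk, the pattern `"/mod_security(2|3).so"` depends on CheckItem treating its argument as an extended regular expression; if it matches with a basic-regex grep or a plain string comparison (CheckItem is not in this hunk, so I cannot tell), `(2|3)` matches neither module and ModSecurity is reported absent everywhere, a regression from the old literal `/mod_security2.so`. Verify CheckItem's matching mode, or pass the two literal names separately: `if CheckItem "apache_module" "/mod_security2.so" || CheckItem "apache_module" "/mod_security3.so"; then`. If the argument is a regex, `\.so` would make the match exact.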
From f81aff384c19cb3d6e0a7ae51e655721297b28a0 Mon Sep 17 00:00:00 2001 From: Jens Christian Gram Date: Sat, 1 Jan 2022 17:53:06 +0100 Subject: [PATCH 010/282] Dont write over FIND variable. Fixes #1021 --- include/tests_printers_spoolers | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/include/tests_printers_spoolers b/include/tests_printers_spoolers index 18b88c0c..851b0edd 100644 --- a/include/tests_printers_spoolers +++ b/include/tests_printers_spoolers @@ -139,8 +139,18 @@ Register --test-no PRNT-2308 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check CUPSd network configuration" if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 - # Checking network addresses + PORT_FOUND=0 + LogText "Test: Checking CUPS daemon listening network addresses" + + # Search for Port statement + FIND=$(${EGREPBINARY} "^Port 631" ${CUPSD_CONFIG_FILE}) + if [ -n "${FIND}" ]; then + LogText "Result: found CUPS listening on port 631 (most likely all interfaces)" + PORT_FOUND=1 + fi + + # Checking network addresses FIND=$(${EGREPBINARY} "^(SSL)?Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} -v "/" | ${AWKBINARY} '{ print $2 }') COUNT=0 for ITEM in ${FIND}; do @@ -149,17 +159,10 @@ FOUND=1 done - # Search for Port statement - FIND=$(${EGREPBINARY} "^Port 631" ${CUPSD_CONFIG_FILE}) - if [ -n "${FIND}" ]; then - LogText "Result: found CUPS listening on port 631 (most likely all interfaces)" - FOUND=1 - fi - # Check if daemon might be running on localhost - if [ ${FOUND} -eq 0 ]; then + if [ ${FOUND} -eq 0 -a ${PORT_FOUND} -eq 0 ]; then LogText "Result: CUPS does not look to be listening on a network port" - elif [ ${COUNT} -eq 1 ]; then + elif [ ${COUNT} -eq 1 -a ${PORT_FOUND} -eq 0 ]; then if [ "${FIND}" = "localhost:631" -o "${FIND}" = "127.0.0.1:631" ]; then LogText "Result: CUPS daemon only running on localhost" AddHP 2 2 From 7f3ed088cdbc5501ae9fa4307e7cd302f45ae169 Mon Sep 17 00:00:00 2001 
From: Steve Kolenich Date: Tue, 11 Jan 2022 09:13:12 -0500 Subject: [PATCH 011/282] Update EOL for Alpine Linux release --- db/software-eol.db | 1 + 1 file changed, 1 insertion(+) diff --git a/db/software-eol.db b/db/software-eol.db index 010b6d67..3b412698 100644 --- a/db/software-eol.db +++ b/db/software-eol.db @@ -16,6 +16,7 @@ # # Alpine - https://alpinelinux.org/releases/ # +os:Alpine 3.15:2023-11-01:1169879680 os:Alpine 3.14:2023-05-01:1682899200 os:Alpine 3.13:2022-11-01:1667275200 os:Alpine 3.12:2022-05-01:1651377600 From 3153c89c87770485f4988ab3ca87541263af7331 Mon Sep 17 00:00:00 2001 From: pyllyukko Date: Wed, 12 Jan 2022 19:09:42 +0200 Subject: [PATCH 012/282] Check for pam_faillock in AUTH-9408 pam_tally2 was removed in PAM 1.5.0 and pam_faillock has replaced it. --- include/tests_authentication | 38 ++++++++++++++++++++++++++---------- 1 file changed, 28 insertions(+), 10 deletions(-) diff --git a/include/tests_authentication b/include/tests_authentication index 2712aa34..7d6546d6 100644 --- a/include/tests_authentication +++ b/include/tests_authentication 
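Review bot: The epoch 1169879680 on the added `os:Alpine 3.15` line does not correspond to its date 2023-11-01 — it falls in January 2007 — whereas the neighbouring lines pair consistently (2023-05-01 with 1682899200). If the EOL check compares the numeric field against the current time (inferred from the format, not visible here), Alpine 3.15 would be reported end-of-life immediately. 2023-11-01 00:00 UTC is 1698796800, so the line should read `os:Alpine 3.15:2023-11-01:1698796800`.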
@@ -1533,31 +1533,49 @@ # Description : Logging of failed login attempts Register --test-no AUTH-9408 --weight L --network NO --category security --description "Logging of failed login attempts" if [ ${SKIPTEST} -eq 0 ]; then - if [ -f "${ROOTDIR}etc/pam.conf" ]; then + if [ -f "${ROOTDIR}etc/pam.conf" -o -d "${ROOTDIR}etc/pam.d" ]; then FOUND_PAM_TALLY2=0 FOUND_TALLYLOG=0 - if [ -s "${ROOTDIR}var/log/tallylog" ]; then + FOUND_PAM_FAILLOCK=0 + FOUND_FAILLOCKDIR=0 + if [ -d "${ROOTDIR}var/run/faillock" ]; then + FOUND_FAILLOCKDIR=1 + LogText "Result: found ${ROOTDIR}var/run/faillock directory" + elif [ -s "${ROOTDIR}var/log/tallylog" ]; then FOUND_TALLYLOG=1 LogText "Result: found ${ROOTDIR}var/log/tallylog with a size bigger than zero" else - LogText "Result: did not find ${ROOTDIR}var/log/tallylog on disk or its file size is zero bytes" + LogText "Result: did not find ${ROOTDIR}var/run/faillock directory or ${ROOTDIR}var/log/tallylog file on disk or its file size is zero bytes" fi - # Determine if pam_tally2 is available + # Determine if pam_faillock is available for D in $(GetReportData --key "pam_module\\\[\\\]"); do - if ContainsString "pam_tally2" "${D}"; then - LogText "Result: found pam_tally2 module on disk" - FOUND_PAM_TALLY2=1 + if ContainsString "pam_faillock" "${D}"; then + LogText "Result: found pam_faillock module on disk" + FOUND_PAM_FAILLOCK=1 fi done - if [ ${FOUND_PAM_TALLY2} -eq 1 -a ${FOUND_TALLYLOG} -eq 1 ]; then + if [ ${FOUND_PAM_FAILLOCK} -eq 0 ]; then + # Determine if pam_tally2 is available + for D in $(GetReportData --key "pam_module\\\[\\\]"); do + if ContainsString "pam_tally2" "${D}"; then + LogText "Result: found pam_tally2 module on disk" + FOUND_PAM_TALLY2=1 + fi + done + fi + if [ ${FOUND_PAM_FAILLOCK} -eq 1 -a ${FOUND_FAILLOCKDIR} -eq 1 ]; then + LogText "Outcome: authentication failures are logged using pam_faillock" + AUTH_FAILED_LOGINS_LOGGED=1 + Report "auth_failed_logins_tooling[]=pam_faillock" + elif [ ${FOUND_PAM_TALLY2} 
-eq 1 -a ${FOUND_TALLYLOG} -eq 1 ]; then LogText "Outcome: authentication failures are logged using pam_tally2" AUTH_FAILED_LOGINS_LOGGED=1 Report "auth_failed_logins_tooling[]=pam_tally2" else - LogText "Outcome: it looks like pam_tally2 is not configured to log failed login attempts" + LogText "Outcome: it looks like pam_faillock or pam_tally2 is not configured to log failed login attempts" fi - unset FOUND_PAM_TALLY2 FOUND_TALLYLOG + unset FOUND_PAM_TALLY2 FOUND_TALLYLOG FOUND_PAM_FAILLOCK FOUND_FAILLOCKDIR fi # Also check /etc/logins.defs, although its usage decreased over the years if [ -f ${ROOTDIR}etc/login.defs ]; then From 6ae2accb9d811f0489fb98e4db93732c2e7ee1e0 Mon Sep 17 00:00:00 2001 From: myersg86 Date: Sat, 15 Jan 2022 12:14:57 -0700 Subject: [PATCH 013/282] Fix typo in README.md README.md:51: sytems -> systems --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 197e59c9..4fa3900e 100644 --- a/README.md +++ b/README.md @@ -48,7 +48,7 @@ There are multiple options available to install Lynis. ### Software Package -For sytems running Linux, BSD, and macOS, there is typically a package available. This is the preferred method of obtaining Lynis, as it is quick to install and easy to update. The Lynis project itself also provides [packages](https://packages.cisofy.com/) in RPM or DEB format suitable for systems systems running: +For systems running Linux, BSD, and macOS, there is typically a package available. This is the preferred method of obtaining Lynis, as it is quick to install and easy to update. The Lynis project itself also provides [packages](https://packages.cisofy.com/) in RPM or DEB format suitable for systems systems running: `CentOS`, `Debian`, `Fedora`, `OEL`, `openSUSE`, `RHEL`, `Ubuntu`, and others. Some distributions may also have Lynis in their software repository: [![Repology](https://repology.org/badge/tiny-repos/lynis.svg)](https://repology.org/project/lynis/versions) 
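Review bot: Making the tallylog check an `elif` of the new faillock-directory check ties the two detections together: on a host where `${ROOTDIR}var/run/faillock` exists for whatever reason but pam_faillock is not the module in use (the hunk does not inspect the directory's contents), FOUND_TALLYLOG is never set, so a working pam_tally2 setup ends in the "not configured" branch. Test them independently: replace `elif [ -s "${ROOTDIR}var/log/tallylog" ]; then` with `fi` followed by `if [ -s "${ROOTDIR}var/log/tallylog" ]; then`, and adjust the final log message accordingly. Whether the faillock directory is under `/var/run` or `/run` on the target systems is not established by the hunk and is worth confirming. The AUTH-9408 block continues outside the hunk.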
From 2e6415a3b3987f3b7c5e383fa5c0f7771f5af85d Mon Sep 17 00:00:00 2001 From: pyllyukko Date: Sun, 23 Jan 2022 10:36:55 +0200 Subject: [PATCH 014/282] perf_event_paranoid -> 2|3 The value of 3 was introduced in c76a4ca and the source was this[1]. The documentation in the source notes that the value of 3 requires a patch for the Linux kernel. Vanilla kernel has the "maximum" value of 2[2]. [1] https://docs.clip-os.org/clipos/kernel.html#sysctl-security-tuning [2] https://www.kernel.org/doc/html/v5.7/admin-guide/sysctl/kernel.html#perf-event-paranoid --- default.prf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/default.prf b/default.prf index aadc4495..79c0a48c 100644 --- a/default.prf +++ b/default.prf 
@@ -197,7 +197,7 @@ config-data=sysctl;kernel.exec-shield;1;1;No description;sysctl -a;url:https;//k
 config-data=sysctl;kernel.kptr_restrict;2;1;Restrict access to kernel symbols;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
 config-data=sysctl;kernel.maps_protect;1;1;Restrict access to /proc/[pid]/maps;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
 config-data=sysctl;kernel.modules_disabled;1;1;Restrict module loading once this sysctl value is loaded;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
-config-data=sysctl;kernel.perf_event_paranoid;3;1;Restrict unprivileged access to the perf_event_open() system call.;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.perf_event_paranoid;2|3;1;Restrict unprivileged access to the perf_event_open() system call.;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
 config-data=sysctl;kernel.randomize_va_space;2;1;Randomize of memory address locations (ASLR);sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
 config-data=sysctl;kernel.suid_dumpable;0;1;Restrict core dumps;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
 config-data=sysctl;kernel.sysrq;0;1;Disable magic SysRQ;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
From 521487310f569e76c1f6c0c16ea63a60a398b719 Mon Sep 17 00:00:00 2001
From: Johannes Segitz
Date: Tue, 25 Jan 2022 09:55:52 +0100
Subject: [PATCH 015/282] check /boot/vmlinuz as a symlink in the reboot test
---
 include/tests_kernel | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/include/tests_kernel b/include/tests_kernel
index 610fd325..875e7401 100644
--- a/include/tests_kernel
+++ b/include/tests_kernel
@@ -663,7 +663,10 @@ ReportException "${TEST_NO}:1" "Can't determine kernel version on disk, need debug data" fi elif [ -f ${ROOTDIR}boot/vmlinuz-linux ] || [ -f ${ROOTDIR}boot/vmlinuz-linux-lts ] || [ -f "$(${LSBINARY} -t ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${HEADBINARY} -1)" ]; then - if [ -f ${ROOTDIR}boot/vmlinuz-linux ]; then + if [ -f ${ROOTDIR}boot/vmlinuz ]; then + LogText "Result: found ${ROOTDIR}boot/vmlinuz" + FOUND_VMLINUZ=${ROOTDIR}boot/vmlinuz + elif [ -f ${ROOTDIR}boot/vmlinuz-linux ]; then LogText "Result: found ${ROOTDIR}boot/vmlinuz-linux" FOUND_VMLINUZ=${ROOTDIR}boot/vmlinuz-linux elif [ -f ${ROOTDIR}boot/vmlinuz-linux-lts ]; then From 12ad1ca6bdea1f322001a0d2452469fd326fd3c3 Mon Sep 17 00:00:00 2001 From: pyllyukko Date: Tue, 25 Jan 2022 18:59:36 +0200 Subject: [PATCH 016/282] KRNL-5830: Check for /var/run/needs_restarting Creating this file was introduced in slackpkg version 15.0.10. --- include/tests_kernel | 38 +++++++++++++++++++++----------------- 1 file changed, 21 insertions(+), 17 deletions(-) diff --git a/include/tests_kernel b/include/tests_kernel index 610fd325..1eed32ad 100644 --- a/include/tests_kernel +++ b/include/tests_kernel 
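Review bot: Checking `${ROOTDIR}boot/vmlinuz` before `vmlinuz-linux` changes the outcome on systems that have both files: the generic name now wins and, if it is a symlink as the commit title says, whichever kernel it currently points to is what the "latest installed kernel" comparison (outside this hunk) examines. If the intent is only to cover systems without a distribution-specific name, place the new branch after the existing ones rather than first. `-f` follows symlinks, so a dangling link is simply skipped here, which looks acceptable.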
@@ -615,25 +615,29 @@ Register --test-no KRNL-5830 --os Linux --weight L --network NO --category security --description "Checking if system is running on the latest installed kernel" if [ ${SKIPTEST} -eq 0 ]; then REBOOT_NEEDED=2 - FILE="${ROOTDIR}var/run/reboot-required.pkgs" - LogText "Test: Checking presence ${FILE}" - if [ -f ${FILE} ]; then - LogText "Result: file ${FILE} exists" - FIND=$(${WCBINARY} -l < ${FILE}) - if [ "${FIND}" = "0" ]; then - LogText "Result: No reboot needed (file empty)" - REBOOT_NEEDED=0 + for FILE in "${ROOTDIR}var/run/reboot-required.pkgs" "${ROOTDIR}var/run/needs_restarting" + do + LogText "Test: Checking presence ${FILE}" + if [ -f ${FILE} ]; then + LogText "Result: file ${FILE} exists" + FIND=$(${WCBINARY} -l < ${FILE}) + if [ "${FIND}" = "0" ]; then + LogText "Result: No reboot needed (file empty)" + REBOOT_NEEDED=0 + break + else + PKGSCOUNT=$(${WCBINARY} -l < ${FILE}) + LogText "Result: reboot is needed, related to ${PKGSCOUNT} packages" + for I in ${FIND}; do + LogText "Package: ${I}" + done + REBOOT_NEEDED=1 + break + fi else - PKGSCOUNT=$(${WCBINARY} -l < ${FILE}) - LogText "Result: reboot is needed, related to ${PKGSCOUNT} packages" - for I in ${FIND}; do - LogText "Package: ${I}" - done - REBOOT_NEEDED=1 + LogText "Result: file ${FILE} not found" fi - else - LogText "Result: file ${FILE} not found" - fi + done # Check if /boot exists if [ -d "${ROOTDIR}boot" ]; then From 98f57d6d76bbf202c29f647e16f5b8f760c06f03 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 31 Jan 2022 13:29:11 +0100 Subject: [PATCH 017/282] Added MALW-3274 to detect McAfee VirusScan Command Line Scanner --- db/tests.db | 1 + include/tests_malware | 18 ++++++++++++++++++ 2 files changed, 19 insertions(+) diff --git a/db/tests.db b/db/tests.db index c9c4797f..522441f4 100644 --- a/db/tests.db +++ b/db/tests.db 
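Review bot: The rewritten loop carries the earlier mix-up into the new lines: `FIND=$(${WCBINARY} -l < ${FILE})` stores a line count, `for I in ${FIND}` then logs that count as `Package: ${I}`, and `PKGSCOUNT` repeats the same `wc -l`. Read the file contents for the package loop, e.g. `while IFS= read -r I; do LogText "Package: ${I}"; done < ${FILE}`, and keep `PKGSCOUNT` for the count. Note also that `${ROOTDIR}var/run/needs_restarting` is given the same "empty file means no reboot needed" rule as reboot-required.pkgs; if slackpkg writes it as a bare marker without package lines, the test would wrongly report no reboot needed — the hunk does not establish the file's format, so this is worth confirming.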
@@ -265,6 +265,7 @@ MAIL-8838:test:security:mail_messaging::Check dovecot process:
 MAIL-8860:test:security:mail_messaging::Check Qmail status:
 MAIL-8880:test:security:mail_messaging::Check Sendmail status:
 MAIL-8920:test:security:mail_messaging::Check OpenSMTPD status:
+MALW-3274:test:security:malware::Check for McAfee VirusScan Command Line Scanner:
 MALW-3275:test:security:malware::Check for chkrootkit:
 MALW-3276:test:security:malware::Check for Rootkit Hunter:
 MALW-3278:test:security:malware::Check for LMD:
diff --git a/include/tests_malware b/include/tests_malware
index cb13ca96..40336fa5 100644
--- a/include/tests_malware
+++ b/include/tests_malware
@@ -45,6 +45,24 @@
 TRENDMICRO_DSA_DAEMON_RUNNING=0
 #
 #################################################################################
+#
+ # Test : MALW-3274
+ # Description : Check for installed tool (McAfee VirusScan for Command Line)
+ Register --test-no MALW-3274 --weight L --network NO --category security --description "Check for McAfee VirusScan Command Line"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ LogText "Test: checking presence McAfee VirusScan for Command Line"
+ if [ -x /usr/local/uvscan/uvscan ]; then
+ Display --indent 2 --text "- ${GEN_CHECKING} McAfee VirusScan for Command Line" --result "${STATUS_FOUND}" --color GREEN
+ LogText "Result: Found ${MCAFEECLBINARY}"
+ MALWARE_SCANNER_INSTALLED=1
+ AddHP 2 2
+ Report "malware_scanner[]=mcafeecl"
+ else
+ LogText "Result: McAfee VirusScan for Command Line not found"
+ fi
+ fi
+#
+#################################################################################
 #
 # Test : MALW-3275
 # Description : Check for installed tool (chkrootkit)
From 558e3bb586c58f175c86f139d55da460a9b1c8ff Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 31 Jan 2022 13:30:43 +0100 Subject: [PATCH 018/282] Switch to pre-release
--- CHANGELOG.md | 7 +++++++ lynis | 8 ++++---- 2 files changed, 11 insertions(+), 4 deletions(-)
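Review bot: `LogText "Result: Found ${MCAFEECLBINARY}"` in the tests_malware hunk references a variable that nothing in the hunk assigns, while the test above it probes the literal path /usr/local/uvscan/uvscan, so unless MCAFEECLBINARY is set elsewhere the log line reads "Result: Found " with nothing after it; assigning the path once and testing that variable, e.g. `MCAFEECLBINARY="${ROOTDIR}usr/local/uvscan/uvscan"` followed by `if [ -x "${MCAFEECLBINARY}" ]; then`, makes the log meaningful. That also fixes the second point: the probe is not prefixed with ${ROOTDIR} the way the other file probes on this page are (`${ROOTDIR}usr/bin/apt-cache`, `${ROOTDIR}boot/vmlinuz`), so the scanner is never detected when auditing a mounted root. The Register description ("Check for McAfee VirusScan Command Line") and the tests.db entry in the first hunk ("...Command Line Scanner") differ slightly; aligning them keeps reports and the database consistent.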
diff --git a/CHANGELOG.md b/CHANGELOG.md index 3d43492a..acfa1b28 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,12 @@ # Lynis Changelog +## Lynis 3.0.8 (not released yet) + +### Added +- MALW-3274 - Detect McAfee VirusScan Command Line Scanner + +--------------------------------------------------------------------------------- + ## Lynis 3.0.7 (2022-01-18) ### Added diff --git a/lynis b/lynis index a9bef803..c15a78c7 100755 --- a/lynis +++ b/lynis @@ -43,10 +43,10 @@ PROGRAM_WEBSITE="https://cisofy.com/lynis/" # Version details - PROGRAM_RELEASE_DATE="2022-01-18" - PROGRAM_RELEASE_TIMESTAMP=1642512096 - PROGRAM_RELEASE_TYPE="release" # pre-release or release - PROGRAM_VERSION="3.0.7" + PROGRAM_RELEASE_DATE="2022-01-31" + PROGRAM_RELEASE_TIMESTAMP=1643632222 + PROGRAM_RELEASE_TYPE="pre-release" # pre-release or release + PROGRAM_VERSION="3.0.8" # Source, documentation and license PROGRAM_SOURCE="https://github.com/CISOfy/lynis" From e5f5750bfab9511bc4b45d5f424900f04ff7cbcf Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 31 Jan 2022 13:55:55 +0100 Subject: [PATCH 019/282] Improved log message --- include/tests_ssh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_ssh b/include/tests_ssh index 7f31c348..de3209ee 100644 --- a/include/tests_ssh +++ b/include/tests_ssh @@ -74,7 +74,7 @@ LogText "Result: ${I}/sshd_config exists" if [ ${FOUND} -eq 1 ]; then ReportException "${TEST_NO}:01" - LogText "Result: we already had found another sshd_config file. Using this new file then." + LogText "Result: we already found another sshd_config file. Using this new file instead of the previous one." fi FileIsReadable ${I}/sshd_config if [ ${CANREAD} -eq 1 ]; then From ac853a03fb8b0ae84f2ff0fb87860898004b6dad Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 31 Jan 2022 15:08:30 +0100 Subject: [PATCH 020/282] Updated log --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index acfa1b28..e9b0c71d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,9 @@ ### Added - MALW-3274 - Detect McAfee VirusScan Command Line Scanner +### Changed +- KRNL-5830 - Check for /var/run/needs_restarting (Slackware) + --------------------------------------------------------------------------------- ## Lynis 3.0.7 (2022-01-18) From b4287df9c64b721136f59cb52101d5e766273edf Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 31 Jan 2022 15:58:07 +0100 Subject: [PATCH 021/282] Corrected timestamp for Alpine 3.15 --- db/software-eol.db | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/db/software-eol.db b/db/software-eol.db index 3b412698..f8242d35 100644 --- a/db/software-eol.db +++ b/db/software-eol.db @@ -16,7 +16,7 @@ # # Alpine - https://alpinelinux.org/releases/ # -os:Alpine 3.15:2023-11-01:1169879680 +os:Alpine 3.15:2023-11-01:1698793200 os:Alpine 3.14:2023-05-01:1682899200 os:Alpine 3.13:2022-11-01:1667275200 os:Alpine 3.12:2022-05-01:1651377600 From ce4a0ce6bb3e4be5ad51b2fb054c4be5352abe74 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 31 Jan 2022 16:00:11 +0100 Subject: [PATCH 022/282] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index e9b0c71d..f291d7d0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,7 @@ ### Added - MALW-3274 - Detect McAfee VirusScan Command Line Scanner +- EOL for Alpine Linux 3.14 and 3.15 ### Changed - KRNL-5830 - Check for /var/run/needs_restarting (Slackware) From 83296d6e8f9eb07ac48bfa2190f8cec8ce9de2f5 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 31 Jan 2022 16:39:09 +0100 Subject: [PATCH 023/282] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index f291d7d0..08a78b09 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -8,6 +8,7 @@ ### Changed - KRNL-5830 - Check for /var/run/needs_restarting (Slackware) +- KRNL-5830 - Add a presence check for /boot/vmlinuz --------------------------------------------------------------------------------- From b0ca58895bf72b432b75989426859ca84b678acc Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 31 Jan 2022 17:07:41 +0100 Subject: [PATCH 024/282] [KRNL-5788] Only run relevant tests and improved logging --- include/tests_kernel | 77 ++++++++++++++++++++++++-------------------- 1 file changed, 42 insertions(+), 35 deletions(-) diff --git a/include/tests_kernel b/include/tests_kernel index 569b2b89..c1977985 100644 --- a/include/tests_kernel +++ b/include/tests_kernel @@ -368,14 +368,14 @@ # # Test : KRNL-5788 # Description : Checking availability new kernel - if [ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION}" = "Ubuntu" ] || - [ "${LINUX_VERSION_LIKE}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" = "Ubuntu" ]; then + if [ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION}" = "Ubuntu" ] || [ "${LINUX_VERSION_LIKE}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" = "Ubuntu" ]; then PREQS_MET="YES" else PREQS_MET="NO" fi Register --test-no KRNL-5788 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking availability new Linux kernel" if [ ${SKIPTEST} -eq 0 ]; then + FINDKERNEL="" HAS_VMLINUZ=0 LogText "Test: Searching apt-cache, to determine if a newer kernel is available" if [ -x ${ROOTDIR}usr/bin/apt-cache ]; then 
@@ -384,62 +384,69 @@ if [ -f ${ROOTDIR}vmlinuz -o -f ${ROOTDIR}boot/vmlinuz ]; then HAS_VMLINUZ=1 if [ -f ${ROOTDIR}vmlinuz ]; then - FINDVMLINUZ=${ROOTDIR}vmlinuz + FINDVMLINUZ="${ROOTDIR}vmlinuz" else - FINDVMLINUZ=${ROOTDIR}boot/vmlinuz + FINDVMLINUZ="${ROOTDIR}boot/vmlinuz" fi LogText "Result: found ${FINDVMLINUZ}" LogText "Test: checking readlink location of ${FINDVMLINUZ}" FINDKERNFILE=$(readlink -f ${FINDVMLINUZ}) LogText "Output: readlink reported file ${FINDKERNFILE}" - LogText "Test: checking package from dpkg -S" + LogText "Test: checking relevant package using output from dpkg -S" FINDKERNEL=$(dpkg -S ${FINDKERNFILE} 2> /dev/null | ${AWKBINARY} -F : '{print $1}') LogText "Output: dpkg -S reported package ${FINDKERNEL}" elif [ -e ${ROOTDIR}dev/grsec ]; then - FINDKERNEL=linux-image-$(uname -r) + FINDKERNEL="linux-image-$(uname -r)" LogText "Result: ${ROOTDIR}vmlinuz missing due to grsecurity; assuming ${FINDKERNEL}" elif [ -e ${ROOTDIR}etc/rpi-issue ]; then - FINDKERNEL=raspberrypi-kernel + FINDKERNEL="raspberrypi-kernel" LogText "Result: ${ROOTDIR}vmlinuz missing due to Raspbian" - elif `${EGREPBINARY} -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf`; then - FINDKERNEL=linux-image-$(uname -r) + elif $(${EGREPBINARY} -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf); then + FINDKERNEL="linux-image-$(uname -r)" LogText "Result: ${ROOTDIR}vmlinuz missing due to /etc/kernel-img.conf item do_symlinks = No" else - LogText "This system is missing ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz. Unable to check whether kernel is up-to-date." + LogText "This system is missing ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz. Unable to check whether kernel is up-to-date." ReportSuggestion "${TEST_NO}" "Determine why ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz is missing on this Debian/Ubuntu system." 
"/vmlinuz or /boot/vmlinuz" fi - LogText "Test: Using apt-cache policy to determine if there is an update available" - FINDINST=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ') - FINDCAND=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Candidate' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ') - LogText "Kernel installed: ${FINDINST}" - LogText "Kernel candidate: ${FINDCAND}" - if IsEmpty "${FINDINST}"; then - Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_UNKNOWN}" --color YELLOW - LogText "Result: Exception occurred, no output from apt-cache policy" - if [ ${HAS_VMLINUZ} -eq 1 ]; then - ReportException "${TEST_NO}:01" - ReportSuggestion "${TEST_NO}" "Check the output of apt-cache policy to determine why its output is empty" - fi - LogText "Result: apt-cache policy did not return an installed kernel version" + + if IsEmpty "${FINDKERNEL}"; then + LogText "Result: could not check kernel update status as kernel is unknown" else - if [ "${FINDINST}" = "${FINDCAND}" ]; then - if [ -e /dev/grsec ]; then - Display --indent 2 --text "- Checking for available kernel update" --result GRSEC --color GREEN - LogText "Result: Grsecurity is installed; unable to determine if there's a newer kernel available" - ReportManual "Manually check to confirm you're using a recent kernel and grsecurity patch" - else - Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_OK}" --color GREEN - LogText "Result: no kernel update available" + LogText "Result: found kernel '${FINDKERNEL}' which will be used for further testing" + LogText "Test: Using apt-cache policy to determine if there is an update available" + FINDINSTALLED=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ') + FINDCANDIDATE=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Candidate' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ') + 
LogText "Kernel installed: ${FINDINSTALLED}" + LogText "Kernel candidate: ${FINDCANDIDATE}" + if IsEmpty "${FINDINSTALLED}"; then + Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_UNKNOWN}" --color YELLOW + LogText "Result: Exception occurred, no output from apt-cache policy" + if [ ${HAS_VMLINUZ} -eq 1 ]; then + ReportException "${TEST_NO}:01" "Found vmlinuz (${FINDVMLINUZ}) but could not determine the installed kernel using apt-cache policy" + ReportSuggestion "${TEST_NO}" "Check the output of apt-cache policy to determine why its output is empty" fi + LogText "Result: apt-cache policy did not return an installed kernel version" else - Display --indent 2 --text "- Checking for available kernel update" --result "UPDATE AVAILABLE" --color YELLOW - LogText "Result: kernel update available according 'apt-cache policy'." - ReportSuggestion "${TEST_NO}" "Determine priority for available kernel update" + if [ "${FINDINSTALLED}" = "${FINDCANDIDATE}" ]; then + if [ -e /dev/grsec ]; then + Display --indent 2 --text "- Checking for available kernel update" --result GRSEC --color GREEN + LogText "Result: Grsecurity is installed; unable to determine if there's a newer kernel available" + ReportManual "Manually check to confirm you're using a recent kernel and grsecurity patch" + else + Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_OK}" --color GREEN + LogText "Result: no kernel update available" + fi + else + Display --indent 2 --text "- Checking for available kernel update" --result "UPDATE AVAILABLE" --color YELLOW + LogText "Result: kernel update available according 'apt-cache policy'." + ReportSuggestion "${TEST_NO}" "Determine priority for available kernel update" + fi fi fi else - LogText "Result: could NOT find /usr/bin/apt-cache, skipped other tests." + LogText "Result: could NOT find ${ROOTDIR}usr/bin/apt-cache, skipped other tests." 
fi + unset FINDCANDIDATE FINDINSTALLED FINDKERNEL HAS_VMLINUZ fi # ################################################################################# From 546693636d315d47dd8f488e7c11ac1f9e94df29 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 31 Jan 2022 17:08:08 +0100 Subject: [PATCH 025/282] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 08a78b09..87dcb228 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,7 @@ - EOL for Alpine Linux 3.14 and 3.15 ### Changed +- KRNL-5788 - Only run relevant tests and improved logging - KRNL-5830 - Check for /var/run/needs_restarting (Slackware) - KRNL-5830 - Add a presence check for /boot/vmlinuz From 14fd7dabc8537922543147d280158cab5735ef3e Mon Sep 17 00:00:00 2001 From: Robert Frohl Date: Fri, 4 Feb 2022 13:41:31 +0100 Subject: [PATCH 026/282] [KRNL-5820] additional path for security/limits.conf Changes the user facing output to display a full path, allowing the user to better grasp which security/limits.conf file is affected. fix issue #1264 --- include/tests_kernel | 109 ++++++++++++++++++++++--------------------- 1 file changed, 57 insertions(+), 52 deletions(-) diff --git a/include/tests_kernel b/include/tests_kernel index c1977985..52d72f8f 100644 --- a/include/tests_kernel +++ b/include/tests_kernel 
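Review bot: `elif $(${EGREPBINARY} -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf); then` replaces the backticks with a command substitution but keeps it in command position, so the shell executes grep's (empty) output as the command and the condition only works because an empty command takes the exit status of its last substitution; the direct form `elif ${EGREPBINARY} -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf 2> /dev/null; then` states the intent and also keeps grep's error quiet when kernel-img.conf is absent. The new `unset FINDCANDIDATE FINDINSTALLED FINDKERNEL HAS_VMLINUZ` omits FINDVMLINUZ and FINDKERNFILE, which the same branch sets; adding them keeps the cleanup complete. The `IsEmpty "${FINDKERNEL}"` guard is a good addition and would benefit from a one-line comment naming why it exists, e.g. `# apt-cache policy with an empty package name would report on everything, so stop here`. The start of this test body lies in the preceding hunk.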
@@ -532,62 +532,67 @@ fi fi # Limits option - LogText "Test: Checking presence ${ROOTDIR}etc/security/limits.conf" - if [ -f "${ROOTDIR}etc/security/limits.conf" ]; then - LogText "Result: file ${ROOTDIR}etc/security/limits.conf exists" - LogText "Test: Checking if core dumps are disabled in ${ROOTDIR}etc/security/limits.conf and ${LIMITS_DIRECTORY}/*" - # using find instead of grep -r to stay POSIX compliant. On AIX and HPUX grep -r is not available. - FIND1=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="0") { print "soft core disabled" } else if ($1=="*" && $2=="soft" && $3=="core" && $4!="0") { print "soft core enabled" } }' | ${TAILBINARY} -1) - FIND2=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="0") { print "hard core disabled" } else if ($1=="*" && $2=="hard" && $3=="core" && $4!="0") { print "hard core enabled" } }' | ${TAILBINARY} -1) - FIND3=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="-" && $3=="core" && $4=="0") { print "core dumps disabled" } else if ($1=="*" && $2=="-" && $3=="core" && $4!="0") { print "core dumps enabled" } }' | ${TAILBINARY} -1) + ROOTDIR_BACKUP=$ROOTDIR + for ALTERNATIVE_DIR in "/usr/" "/"; do + ROOTDIR=$ALTERNATIVE_DIR + LogText "Test: Checking presence ${ROOTDIR}etc/security/limits.conf" + if [ -f "${ROOTDIR}etc/security/limits.conf" ]; then + LogText "Result: file ${ROOTDIR}etc/security/limits.conf exists" + LogText "Test: Checking if core dumps are disabled in ${ROOTDIR}etc/security/limits.conf and ${LIMITS_DIRECTORY}/*" + # using find instead of grep -r to stay POSIX 
compliant. On AIX and HPUX grep -r is not available. + FIND1=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="0") { print "soft core disabled" } else if ($1=="*" && $2=="soft" && $3=="core" && $4!="0") { print "soft core enabled" } }' | ${TAILBINARY} -1) + FIND2=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="0") { print "hard core disabled" } else if ($1=="*" && $2=="hard" && $3=="core" && $4!="0") { print "hard core enabled" } }' | ${TAILBINARY} -1) + FIND3=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="-" && $3=="core" && $4=="0") { print "core dumps disabled" } else if ($1=="*" && $2=="-" && $3=="core" && $4!="0") { print "core dumps enabled" } }' | ${TAILBINARY} -1) - # When "* - core [value]" is used, then this sets both soft and core. In that case we set the values, as they the type 'hard' and 'soft' will not be present in the configuration file. 
- if [ "${FIND3}" = "core dumps disabled" ]; then - FIND1="soft core disabled" - FIND2="hard core disabled" - elif [ "${FIND3}" = "core dumps enabled" ]; then - FIND1="soft core enabled" - FIND2="hard core enabled" - fi - - IS_SOFTCORE_DISABLED="$(if [ "${FIND1}" = "soft core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND1}" = "soft core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} ${STATUS_DEFAULT}; fi)" - IS_HARDCORE_DISABLED="$(if [ "${FIND2}" = "hard core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND2}" = "hard core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} ${STATUS_DEFAULT}; fi)" - - if [ "${FIND2}" = "hard core disabled" ]; then - LogText "Result: core dumps are hard disabled" - Display --indent 4 --text "- 'hard' configuration in security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "GREEN" - if [ "${FIND1}" = "soft core disabled" ]; then - Display --indent 4 --text "- 'soft' configuration in security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "GREEN" - else - Display --indent 4 --text "- 'soft' config in security/limits.conf (implicit)" --result "${STATUS_DISABLED}" --color "GREEN" + # When "* - core [value]" is used, then this sets both soft and core. In that case we set the values, as they the type 'hard' and 'soft' will not be present in the configuration file. 
+ if [ "${FIND3}" = "core dumps disabled" ]; then + FIND1="soft core disabled" + FIND2="hard core disabled" + elif [ "${FIND3}" = "core dumps enabled" ]; then + FIND1="soft core enabled" + FIND2="hard core enabled" + fi + + IS_SOFTCORE_DISABLED="$(if [ "${FIND1}" = "soft core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND1}" = "soft core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} ${STATUS_DEFAULT}; fi)" + IS_HARDCORE_DISABLED="$(if [ "${FIND2}" = "hard core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND2}" = "hard core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} ${STATUS_DEFAULT}; fi)" + + if [ "${FIND2}" = "hard core disabled" ]; then + LogText "Result: core dumps are hard disabled" + Display --indent 4 --text "- 'hard' configuration in ${ROOTDIR}etc/security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "GREEN" + if [ "${FIND1}" = "soft core disabled" ]; then + Display --indent 4 --text "- 'soft' configuration in ${ROOTDIR}etc/security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "GREEN" + else + Display --indent 4 --text "- 'soft' config in ${ROOTDIR}etc/security/limits.conf (implicit)" --result "${STATUS_DISABLED}" --color "GREEN" + fi + AddHP 3 3 + elif [ "${FIND1}" = "soft core enabled" ] && [ "${FIND2}" = "hard core enabled" ]; then + LogText "Result: core dumps (soft and hard) are enabled" + Display --indent 4 --text "- 'hard' configuration in ${ROOTDIR}etc/security/limits.conf" --result "${STATUS_ENABLED}" --color "RED" + Display --indent 4 --text "- 'soft' configuration in ${ROOTDIR}etc/security/limits.conf" --result "${STATUS_ENABLED}" --color "RED" + ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in /etc/security/limits.conf file" + AddHP 0 3 + elif [ "${FIND1}" = "soft core disabled" ]; then + LogText "Result: core dumps are disabled for 'soft' ('hard'=${IS_HARDCORE_DISABLED})" + Display --indent 4 --text "- 'hard' configuration in 
${ROOTDIR}etc/security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "$(if [ "${IS_HARDCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_HARDCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)" + Display --indent 4 --text "- 'soft' configuration in ${ROOTDIR}etc/security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "GREEN" + AddHP 2 3 + elif [ "${FIND1}" = "soft core enabled" ] || [ "${FIND2}" = "hard core enabled" ]; then + LogText "Result: core dumps are partially enabled ('hard'=${IS_HARDCORE_DISABLED}, 'soft'=${IS_SOFTCORE_DISABLED})" + Display --indent 4 --text "- 'hard' configuration in ${ROOTDIR}etc/security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "$(if [ "${IS_HARDCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_HARDCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)" + Display --indent 4 --text "- 'soft' configuration in ${ROOTDIR}etc/security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "$(if [ "${IS_SOFTCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_SOFTCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)" + AddHP 0 3 + else + LogText "Result: core dumps are not explicitly disabled" + Display --indent 4 --text "- 'hard' configuration in ${ROOTDIR}etc/security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "WHITE" + Display --indent 4 --text "- 'soft' configuration in ${ROOTDIR}etc/security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "WHITE" + ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in ${ROOTDIR}etc/security/limits.conf file" + AddHP 1 3 fi - AddHP 3 3 - elif [ "${FIND1}" = "soft core enabled" ] && [ "${FIND2}" = "hard core enabled" ]; then - LogText "Result: core dumps (soft and hard) are enabled" - Display --indent 4 --text "- 'hard' configuration in security/limits.conf" --result "${STATUS_ENABLED}" 
--color "RED" - Display --indent 4 --text "- 'soft' configuration in security/limits.conf" --result "${STATUS_ENABLED}" --color "RED" - ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in /etc/security/limits.conf file" - AddHP 0 3 - elif [ "${FIND1}" = "soft core disabled" ]; then - LogText "Result: core dumps are disabled for 'soft' ('hard'=${IS_HARDCORE_DISABLED})" - Display --indent 4 --text "- 'hard' configuration in security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "$(if [ "${IS_HARDCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_HARDCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)" - Display --indent 4 --text "- 'soft' configuration in security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "GREEN" - AddHP 2 3 - elif [ "${FIND1}" = "soft core enabled" ] || [ "${FIND2}" = "hard core enabled" ]; then - LogText "Result: core dumps are partially enabled ('hard'=${IS_HARDCORE_DISABLED}, 'soft'=${IS_SOFTCORE_DISABLED})" - Display --indent 4 --text "- 'hard' configuration in security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "$(if [ "${IS_HARDCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_HARDCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)" - Display --indent 4 --text "- 'soft' configuration in security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "$(if [ "${IS_SOFTCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_SOFTCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)" - AddHP 0 3 else - LogText "Result: core dumps are not explicitly disabled" - Display --indent 4 --text "- 'hard' configuration in security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "WHITE" - Display --indent 4 --text "- 'soft' configuration in security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "WHITE" - ReportSuggestion "${TEST_NO}" "If 
not required, consider explicit disabling of core dump in ${ROOTDIR}etc/security/limits.conf file" - AddHP 1 3 + LogText "Result: file ${ROOTDIR}etc/security/limits.conf does not exist, skipping test" fi - else - LogText "Result: file ${ROOTDIR}etc/security/limits.conf does not exist, skipping test" - fi + done + ROOTDIR=$ROOTDIR_BACKUP # Sysctl option LogText "Test: Checking sysctl value of fs.suid_dumpable" From 66f93f0275a8188537934186ee5a44e5c0262f75 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Thu, 10 Feb 2022 09:35:41 +0100 Subject: [PATCH 027/282] Removed bashism: == --- include/osdetection | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/osdetection b/include/osdetection index c91c69ec..d9b8a41c 100644 --- a/include/osdetection +++ b/include/osdetection @@ -678,7 +678,7 @@ ReportException "OS Detection" "Unknown OS found in /etc/os-release - Please create issue on GitHub project page: ${PROGRAM_SOURCE}" ;; esac - elif [ "$(uname -o 2> /dev/null)" == "illumos" ]; then + elif [ "$(uname -o 2> /dev/null)" = "illumos" ]; then OPENSOLARIS=1 # Solaris has a free form text file with release information From b744cffdf230de946926c77e55ec6fa01dad74dd Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Thu, 10 Feb 2022 14:20:25 +0100 Subject: [PATCH 028/282] Updated log --- CHANGELOG.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 87dcb228..6ccbd452 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
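Review bot: `ROOTDIR_BACKUP=$ROOTDIR` followed by `for ALTERNATIVE_DIR in "/usr/" "/"; do ROOTDIR=$ALTERNATIVE_DIR` overwrites the global ROOTDIR with two hard-coded prefixes, so a run against a non-default root directory now inspects the live host's /usr/etc and /etc instead of the audited tree, and every Display, LogText and ReportSuggestion inside the loop, plus the ${LIMITS_DIRECTORY} search that is not re-derived, is evaluated against the wrong prefix until the restore at `ROOTDIR=$ROOTDIR_BACKUP`. Iterating over a loop-local path keeps the global intact: `for LIMITS_CONF in "${ROOTDIR}usr/etc/security/limits.conf" "${ROOTDIR}etc/security/limits.conf"; do` with the `${ROOTDIR}etc/security/limits.conf` references inside the loop replaced by `${LIMITS_CONF}`, and the backup/restore lines dropped. Because the loop never breaks, AddHP runs once per file that exists, so a host with both limits.conf files is scored twice for one control, and the find over ${LIMITS_DIRECTORY} is repeated on each pass with `tail -1` deciding the result; breaking after the first file found, or scoring once after the loop, avoids the double count. The sysctl part of this test that follows the hunk is outside it.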
@@ -4,12 +4,20 @@ ### Added - MALW-3274 - Detect McAfee VirusScan Command Line Scanner +- PKGS-7346 Check Alpine Package Keeper (apk) +- PKGS-7395 Check Alpine upgradeable packages - EOL for Alpine Linux 3.14 and 3.15 ### Changed +- AUTH-9408 - Check for pam_faillock as well (replacement for pam_tally2) +- FILE-7524 - Test enhanced to support symlinks +- HTTP-6643 - Support ModSecurity version 2 and 3 - KRNL-5788 - Only run relevant tests and improved logging - KRNL-5830 - Check for /var/run/needs_restarting (Slackware) - KRNL-5830 - Add a presence check for /boot/vmlinuz +- PRNT-2308 - Bugfix that prevented test from storing values correctly +- Extended location of PAM files for AARCH64 +- Some messages in log improved --------------------------------------------------------------------------------- From f64f17f90bdc5c3eb98b7f35a39dfffe3d8e9e58 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Thu, 10 Feb 2022 14:24:15 +0100 Subject: [PATCH 029/282] Update tests.db --- db/tests.db | 2 ++ 1 file changed, 2 insertions(+) diff --git a/db/tests.db b/db/tests.db index 522441f4..fe16ef9c 100644 --- a/db/tests.db +++ b/db/tests.db @@ -323,6 +323,7 @@ PHP-2376:test:security:php::Check PHP allow_url_fopen option: PHP-2378:test:security:php::Check PHP allow_url_include option: PHP-2379:test:security:php::Check PHP suhosin extension status: PHP-2382:test:security:php::Check PHP listen option: +PKGS-7200:test:security:ports_packages:Linux:Check Alpine Package Keeper (apk): PKGS-7301:test:security:ports_packages::Query NetBSD pkg: PKGS-7302:test:security:ports_packages::Query FreeBSD/NetBSD pkg_info: PKGS-7303:test:security:ports_packages::Query brew package manager: 
@@ -359,6 +360,7 @@ PKGS-7390:test:security:ports_packages:Linux:Check Ubuntu database consistency: PKGS-7392:test:security:ports_packages:Linux:Check for Debian/Ubuntu security updates: PKGS-7393:test:security:ports_packages::Check for Gentoo vulnerable packages: PKGS-7394:test:security:ports_packages:Linux:Check for Ubuntu updates: +PKGS-7395:test:security:ports_packages:Linux:Check Alpine upgradeable packages: PKGS-7398:test:security:ports_packages::Check for package audit tool: PKGS-7410:test:security:ports_packages::Count installed kernel packages: PKGS-7420:test:security:ports_packages::Detect toolkit to automatically download and apply upgrades: From 4f382331b3d7d141c49a971050d3a9b61a94c511 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Thu, 10 Feb 2022 14:26:38 +0100 Subject: [PATCH 030/282] Renumbered new test PKGS-7346 to PKGS-7200 --- include/tests_ports_packages | 56 ++++++++++++++++++------------------ 1 file changed, 28 insertions(+), 28 deletions(-) diff --git a/include/tests_ports_packages b/include/tests_ports_packages index 54d849e2..9ca1948d 100644 --- a/include/tests_ports_packages +++ b/include/tests_ports_packages 
@@ -34,6 +34,34 @@
 Display --indent 2 --text "- Searching package managers"
 #
 #################################################################################
+#
+ # Test : PKGS-7200
+ # Description : Check Alpine Package Keeper (apk)
+ if [ -x ${ROOTDIR}/sbin/apk ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no PKGS-7200 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying apk"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ COUNT=0
+ Display --indent 4 --text "- Searching apk package manager" --result "${STATUS_FOUND}" --color GREEN
+ LogText "Result: Found apk binary"
+ Report "package_manager[]=apk"
+ PACKAGE_MGR_PKG=1
+ LogText "Test: Querying apk info -v to get package list"
+ Display --indent 6 --text "- Querying package manager"
+ LogText "Output:"
+ SPACKAGES=$(apk info -v | ${SEDBINARY} -r -e 's/([a-z,A-Z,0-9,_,-,.]{1,250})-([a-z,A-Z,0-9,.]+-r[a-z,A-Z,0-9]+)/\1,\2/' | sort)
+ for J in ${SPACKAGES}; do
+ COUNT=$((COUNT + 1))
+ PACKAGE_NAME=$(echo ${J} | ${CUTBINARY} -d ',' -f1)
+ PACKAGE_VERSION=$(echo ${J} | ${CUTBINARY} -d ',' -f2)
+ LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
+ INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
+ done
+ Report "installed_packages=${COUNT}"
+ else
+ LogText "Result: apk "${STATUS_NOT_FOUND}", test skipped"
+ fi
+#
+#################################################################################
 #
 # Test : PKGS-7301
 # Description : Query FreeBSD pkg
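Review bot: `if [ -x ${ROOTDIR}/sbin/apk ]` inserts a slash after ROOTDIR, whereas every other probe on this page joins it directly (`${ROOTDIR}usr/bin/apt-cache`, `${ROOTDIR}boot/vmlinuz`), which yields `//sbin/apk` on a default root and a doubled slash on a custom one; `if [ -x ${ROOTDIR}sbin/apk ]` follows the convention. The package list is then taken from a bare `apk` rather than the path just tested, and piped through a bare `sort` while sed and cut go through their `${...BINARY}` variables; invoking the tested path and using the same variable style for sort keeps the test consistent with its neighbours. The bracket expressions in the sed pattern (`[a-z,A-Z,0-9,_,-,.]`) contain literal commas, so a comma is accepted as part of a package name and then splits it at the `cut -d ','` step; `[a-zA-Z0-9_.-]` expresses the intent without that side effect. `LogText "Result: apk "${STATUS_NOT_FOUND}", test skipped"` closes and reopens the string around the variable; `"Result: apk ${STATUS_NOT_FOUND}, test skipped"` is the simpler equivalent.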
@@ -466,34 +494,6 @@ fi # ################################################################################# -# - # Test : PKGS-7346 - # Description : Check Alpine Package Keeper (apk) - if [ -x ${ROOTDIR}/sbin/apk ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no PKGS-7346 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying apk" - if [ ${SKIPTEST} -eq 0 ]; then - COUNT=0 - Display --indent 4 --text "- Searching apk package manager" --result "${STATUS_FOUND}" --color GREEN - LogText "Result: Found apk binary" - Report "package_manager[]=apk" - PACKAGE_MGR_PKG=1 - LogText "Test: Querying apk info -v to get package list" - Display --indent 6 --text "- Querying package manager" - LogText "Output:" - SPACKAGES=$(apk info -v | ${SEDBINARY} -r -e 's/([a-z,A-Z,0-9,_,-,.]{1,250})-([a-z,A-Z,0-9,.]+-r[a-z,A-Z,0-9]+)/\1,\2/' | sort) - for J in ${SPACKAGES}; do - COUNT=$((COUNT + 1)) - PACKAGE_NAME=$(echo ${J} | ${CUTBINARY} -d ',' -f1) - PACKAGE_VERSION=$(echo ${J} | ${CUTBINARY} -d ',' -f2) - LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})" - INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}" - done - Report "installed_packages=${COUNT}" - else - LogText "Result: apk "${STATUS_NOT_FOUND}", test skipped" - fi -# -################################################################################# # # Test : PKGS-7346 # Description : Check packages which are removed, but still own configuration files, cron jobs etc From 4098236412d5f846f43576a35ac8694ed4783ce8 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Wojciech=20Bana=C5=9B?= Date: Mon, 14 Feb 2022 13:23:20 +0100 Subject: [PATCH 031/282] #1270 added finding configuration files in the "etc" directory, even if they are symlinks --- include/tests_authentication | 4 ++-- include/tests_boot_services | 8 ++++---- include/tests_databases | 2 +- include/tests_kernel | 14 +++++++------- include/tests_logging | 2 +- include/tests_scheduling | 4 ++-- include/tests_shells | 4 ++-- include/tests_squid | 2 +- 8 files changed, 20 insertions(+), 20 deletions(-) diff --git a/include/tests_authentication b/include/tests_authentication index 46d1735b..0552d646 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -607,7 +607,7 @@ Display --indent 4 --text "- Permissions for directory: ${SUDOERS_D}" --result "${STATUS_WARNING}" --color RED ;; esac - SUDO_CONFIG_FILES="${SUDO_CONFIG_FILES} $(${FINDBINARY} ${SUDOERS_D} -type f -print)" + SUDO_CONFIG_FILES="${SUDO_CONFIG_FILES} $(${FINDBINARY} -L ${SUDOERS_D} -type f -print)" fi for f in ${SUDO_CONFIG_FILES}; do LogText "Test: checking file (${f})" @@ -764,7 +764,7 @@ LogText "Result: directory /etc/pam.d exists" Display --indent 2 --text "- PAM configuration files (pam.d)" --result "${STATUS_FOUND}" --color GREEN LogText "Test: searching PAM configuration files" - FIND=$(${FINDBINARY} ${ROOTDIR}etc/pam.d \! -name "*.pam-old" -type f -print | sort) + FIND=$(${FINDBINARY} -L ${ROOTDIR}etc/pam.d \! -name "*.pam-old" -type f -print | sort) for FILE in ${FIND}; do LogText "Found file: ${FILE}" done diff --git a/include/tests_boot_services b/include/tests_boot_services index 4a5fb3df..5901cd70 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services 
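Review bot: With `-L`, find prints a diagnostic for every dangling symlink and every symlink loop it meets, and the hunks at `@@ -607` and `@@ -764` here do not redirect stderr, so a broken link in `${SUDOERS_D}` or `${ROOTDIR}etc/pam.d` now writes noise straight to the terminal in the middle of a scan. The same applies to the unredirected calls in include/tests_boot_services (`@@ -347`, `@@ -785`, `@@ -809`, `@@ -1017`), include/tests_logging `@@ -387`, include/tests_scheduling `@@ -77` and include/tests_squid `@@ -131`; the tests_kernel and tests_databases hunks already carry `2> /dev/null`. Append `2> /dev/null` to those invocations, e.g. `SUDO_CONFIG_FILES="${SUDO_CONFIG_FILES} $(${FINDBINARY} -L ${SUDOERS_D} -type f -print 2> /dev/null)"`. Note also that under `-L` the `-type f` test is evaluated against the link target, so a link that points outside the directory is now included in the permission checks; that is the intended effect, but it changes what `Found file:` logs on existing systems and is worth a line in the changelog.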
@@ -347,7 +347,7 @@ FOUND=0 if [ -d "${ROOTDIR}etc/grub.d" ]; then - CONF_FILES=$(${FINDBINARY} "${ROOTDIR}etc/grub.d" -type f -name "[0-9][0-9]*" -print0 | ${TRBINARY} '\0' ' ' | ${TRBINARY} -d '[:cntrl:]') + CONF_FILES=$(${FINDBINARY} -L "${ROOTDIR}etc/grub.d" -type f -name "[0-9][0-9]*" -print0 | ${TRBINARY} '\0' ' ' | ${TRBINARY} -d '[:cntrl:]') CONF_FILES="${GRUBCONFFILE} ${ROOTDIR}boot/grub/custom.cfg ${CONF_FILES}" else CONF_FILES="${GRUBCONFFILE} ${ROOTDIR}boot/grub/custom.cfg" @@ -785,7 +785,7 @@ if [ -d ${DIR} ]; then LogText "Result: directory ${DIR} found" LogText "Test: checking for available files in directory" - FIND=$(${FINDBINARY} ${DIR} -type f -print | ${SORTBINARY}) + FIND=$(${FINDBINARY} -L ${DIR} -type f -print | ${SORTBINARY}) if [ -n "${FIND}" ]; then LogText "Result: found files in directory, checking permissions now" for FILE in ${FIND}; do @@ -809,7 +809,7 @@ for NO in 0 1 2 3 4 5 6; do LogText "Test: Checking ${ROOTDIR}etc/rc${NO}.d scripts for writable bit" if [ -d ${ROOTDIR}etc/rc${NO}.d ]; then - FIND=$(${FINDBINARY} ${ROOTDIR}etc/rc${NO}.d -type f -print | ${SORTBINARY}) + FIND=$(${FINDBINARY} -L ${ROOTDIR}etc/rc${NO}.d -type f -print | ${SORTBINARY}) for I in ${FIND}; do if IsWorldWritable ${I}; then FOUND=1 @@ -1017,7 +1017,7 @@ LogText "Result: directory ${DIR} found" LogText "Test: checking for available files in directory" # OpenBSD uses symlinks to create another instance of daemons - FIND=$(${FINDBINARY} ${CHECKDIR} \( -type f -o -type l \) -print | ${SORTBINARY}) + FIND=$(${FINDBINARY} -L ${CHECKDIR} -type f -print | ${SORTBINARY}) if [ -n "${FIND}" ]; then LogText "Result: found files in directory, checking permissions now" for FILE in ${FIND}; do diff --git a/include/tests_databases b/include/tests_databases index 9a8755bf..f5bc22ae 100644 --- a/include/tests_databases +++ b/include/tests_databases 
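Review bot: Replacing `\( -type f -o -type l \)` with `find -L ... -type f` at `@@ -1017` silently drops dangling symlinks: under `-L` a link whose target is missing no longer satisfies `-type f`, so the listing is narrower than before, while the retained comment `# OpenBSD uses symlinks to create another instance of daemons` still describes the old behaviour. If broken links should still be reported, keep them explicitly with `FIND=$(${FINDBINARY} -L ${CHECKDIR} \( -type f -o -type l \) -print | ${SORTBINARY})`; on GNU find `-type l` under `-L` matches only broken links, and the BSD behaviour should be checked since this branch targets OpenBSD. Either way, reword the comment to say that symlinks are followed rather than listed. The enclosing `if` block continues outside the hunk.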
@@ -204,7 +204,7 @@ Register --test-no DBS-1828 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Test PostgreSQL configuration" if [ ${SKIPTEST} -eq 0 ]; then FIND_PATHS="${ROOTDIR}etc/postgres ${ROOTDIR}var/lib/postgres/data ${ROOTDIR}usr/local/pgsql/data" - CONFIG_FILES=$(${FINDBINARY} ${FIND_PATHS} -type f -name "*.conf" -print0 2> /dev/null | ${TRBINARY} -cd '[:print:]\0' | ${TRBINARY} -d '\n' | ${TRBINARY} '\0' '\n' | xargs -i sh -c 'test -r "{}" && echo "{}"' | ${SEDBINARY} "s/ /:space:/g") + CONFIG_FILES=$(${FINDBINARY} -L ${FIND_PATHS} -type f -name "*.conf" -print0 2> /dev/null | ${TRBINARY} -cd '[:print:]\0' | ${TRBINARY} -d '\n' | ${TRBINARY} '\0' '\n' | xargs -i sh -c 'test -r "{}" && echo "{}"' | ${SEDBINARY} "s/ /:space:/g") for CF in ${CONFIG_FILES}; do Report "postgresql_config_file[]=${CF}" LogText "Found configuration file (${CF})" diff --git a/include/tests_kernel b/include/tests_kernel index c1977985..a0db4676 100644 --- a/include/tests_kernel +++ b/include/tests_kernel 
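Review bot: Each path that find emits is spliced by `xargs -i` into the string `sh -c 'test -r "{}" && echo "{}"'`, so the file name is parsed as shell code; `tr -cd '[:print:]\0'` strips control characters but leaves `"`, `$`, backquotes and `;` intact, and a data directory such as `${ROOTDIR}var/lib/postgres/data` is where a less-privileged account may be able to create a file name that the auditor would then evaluate with its own privileges. Pass the name as an argument instead of interpolating it, on the `-print0` stream directly: `... -print0 2> /dev/null | ${TRBINARY} -cd '[:print:]\0' | xargs -0 -n1 sh -c 'test -r "$1" && printf "%s\n" "$1"' sh | ${SEDBINARY} "s/ /:space:/g"`, which also drops the GNU-only `-i` and the two intermediate `tr` steps. The `-L` itself is fine here and the existing `2> /dev/null` already covers dangling-link diagnostics.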
@@ -470,9 +470,9 @@ # check conf files in possibly existing coredump.conf.d folders # using find instead of grep -r to stay POSIX compliant. On AIX and HPUX grep -r is not available. # while there could be multiple files overwriting each other, we are checking the number of occurrences - SYSD_CORED_SUB_PROCSIZEMAX_NR_DISABLED=$(${FINDBINARY} /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} "^0 *$" | ${WCBINARY} -l) - SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED=$(${FINDBINARY} /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} -v "^0 *$" | ${WCBINARY} -l) - SYSD_CORED_SUB_STORAGE_FOUND=$(${FINDBINARY} /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^Storage=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g') + SYSD_CORED_SUB_PROCSIZEMAX_NR_DISABLED=$(${FINDBINARY} -L /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} "^0 *$" | ${WCBINARY} -l) + SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED=$(${FINDBINARY} -L /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^ProcessSizeMax=" | 
${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} -v "^0 *$" | ${WCBINARY} -l) + SYSD_CORED_SUB_STORAGE_FOUND=$(${FINDBINARY} -L /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^Storage=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g') SYSD_CORED_SUB_STORAGE_NR_ENABLED=$(${ECHOCMD} "${SYSD_CORED_SUB_STORAGE_FOUND}" | ${SEDBINARY} 's/none//g' | ${WCBINARY} | ${AWKBINARY} '{print $2}') SYSD_CORED_SUB_STORAGE_NR_DISABLED=$(${ECHOCMD} "${SYSD_CORED_SUB_STORAGE_FOUND}" | ${GREPBINARY} -o "none" | ${WCBINARY} | ${AWKBINARY} '{print $2}') if ( [ ${SYSD_CORED_BASE_PROCSIZEMAX_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_BASE_STORAGE_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -eq 0 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -eq 0 ] ) || \ 
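Review bot: The three `find -L` pipelines in this hunk walk `/etc/systemd/coredump.conf.d/`, `/run/systemd/coredump.conf.d/` and `/usr/lib/systemd/coredump.conf.d/` as absolute paths while every other hunk in this commit prefixes `${ROOTDIR}`, so with a non-default root these checks read the host's coredump configuration rather than the target's; `${ROOTDIR}etc/systemd/coredump.conf.d/ ${ROOTDIR}run/systemd/coredump.conf.d/ ${ROOTDIR}usr/lib/systemd/coredump.conf.d/` keeps them consistent. Style: the identical `find ... -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null` prefix is run three times; capture it once, e.g. `SYSD_CORED_SUB_CONF=$(${FINDBINARY} -L ... 2> /dev/null)`, and grep that variable for `ProcessSizeMax=` and `Storage=`, which also makes the three counts come from one consistent snapshot. The enclosing block starts before and ends after the hunk.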
@@ -513,7 +513,7 @@ LogText "Test: Checking if 'ulimit -c 0' exists in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh" # use tail -1 in the following commands to get the last entry, which is the one that counts (in case of profile.d/ probably counts) ULIMIT_C_VALUE="$(${GREPBINARY} "ulimit -c " ${ROOTDIR}etc/profile 2> /dev/null | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -v "^#" | ${TAILBINARY} -1 | ${CUTBINARY} -d' ' -f3 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g')" - ULIMIT_C_VALUE_SUB="$(${FINDBINARY} ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} "ulimit -c " | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -v "^#" | ${TAILBINARY} -1 | ${CUTBINARY} -d' ' -f3 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g')" + ULIMIT_C_VALUE_SUB="$(${FINDBINARY} -L ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} "ulimit -c " | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -v "^#" | ${TAILBINARY} -1 | ${CUTBINARY} -d' ' -f3 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g')" if ( [ -n "${ULIMIT_C_VALUE_SUB}" ] && [ "${ULIMIT_C_VALUE_SUB}" = "0" ] ) || ( [ -n "${ULIMIT_C_VALUE}" ] && [ -z "${ULIMIT_C_VALUE_SUB}" ] && [ "${ULIMIT_C_VALUE}" = "0" ] ); then LogText "Result: core dumps are disabled by 'ulimit -c 0' in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh" Display --indent 4 --text "- configuration in etc/profile" --result "${STATUS_DISABLED}" --color GREEN 
@@ -537,9 +537,9 @@ LogText "Result: file ${ROOTDIR}etc/security/limits.conf exists" LogText "Test: Checking if core dumps are disabled in ${ROOTDIR}etc/security/limits.conf and ${LIMITS_DIRECTORY}/*" # using find instead of grep -r to stay POSIX compliant. On AIX and HPUX grep -r is not available. - FIND1=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="0") { print "soft core disabled" } else if ($1=="*" && $2=="soft" && $3=="core" && $4!="0") { print "soft core enabled" } }' | ${TAILBINARY} -1) - FIND2=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="0") { print "hard core disabled" } else if ($1=="*" && $2=="hard" && $3=="core" && $4!="0") { print "hard core enabled" } }' | ${TAILBINARY} -1) - FIND3=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="-" && $3=="core" && $4=="0") { print "core dumps disabled" } else if ($1=="*" && $2=="-" && $3=="core" && $4!="0") { print "core dumps enabled" } }' | ${TAILBINARY} -1) + FIND1=$(${FINDBINARY} -L "${ROOTDIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="0") { print "soft core disabled" } else if ($1=="*" && $2=="soft" && $3=="core" && $4!="0") { print "soft core enabled" } }' | ${TAILBINARY} -1) + FIND2=$(${FINDBINARY} -L "${ROOTDIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="0") { print "hard 
core disabled" } else if ($1=="*" && $2=="hard" && $3=="core" && $4!="0") { print "hard core enabled" } }' | ${TAILBINARY} -1) + FIND3=$(${FINDBINARY} -L "${ROOTDIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="-" && $3=="core" && $4=="0") { print "core dumps disabled" } else if ($1=="*" && $2=="-" && $3=="core" && $4!="0") { print "core dumps enabled" } }' | ${TAILBINARY} -1) # When "* - core [value]" is used, then this sets both soft and core. In that case we set the values, as they the type 'hard' and 'soft' will not be present in the configuration file. if [ "${FIND3}" = "core dumps disabled" ]; then diff --git a/include/tests_logging b/include/tests_logging index 7b3c203b..b6acdbe5 100644 --- a/include/tests_logging +++ b/include/tests_logging @@ -387,7 +387,7 @@ fi TARGET="${ROOTDIR}etc/rsyslog.d" if [ -d ${TARGET} ]; then - FILES=$(${FINDBINARY} ${TARGET} -type f -print0 | ${TRBINARY} -cd '[:print:]\0' | ${SEDBINARY} 's/[[:blank:]]/:space:/g' | ${TRBINARY} '\0' ' ') + FILES=$(${FINDBINARY} -L ${TARGET} -type f -print0 | ${TRBINARY} -cd '[:print:]\0' | ${SEDBINARY} 's/[[:blank:]]/:space:/g' | ${TRBINARY} '\0' ' ') for F in ${FILES}; do F=$(echo ${F} | ${SEDBINARY} 's/:space:/ /g') LogText "Test: analyzing file ${F} for remote target" diff --git a/include/tests_scheduling b/include/tests_scheduling index 196a2e77..3aa004c6 100644 --- a/include/tests_scheduling +++ b/include/tests_scheduling @@ -77,7 +77,7 @@ if FileIsReadable ${DIR}; then LogText "Result: found directory ${DIR}" LogText "Test: searching files in ${DIR}" - FIND=$(${FINDBINARY} ${DIR} -type f -print | ${GREPBINARY} -v ".placeholder") + FIND=$(${FINDBINARY} -L ${DIR} -type f -print | ${GREPBINARY} -v ".placeholder") if IsEmpty "${FIND}"; then LogText "Result: no files found in ${DIR}" else 
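Review bot: `${GREPBINARY} -v ".placeholder"` at `@@ -77` (and the identical filter at `@@ -112` in the next hunk) is an unanchored regular expression, so any entry whose path merely contains `placeholder` after some character is excluded from the cron file checks, not only a file literally named `.placeholder`. Match the marker exactly: `| ${GREPBINARY} -v '/\.placeholder$'`. The `if FileIsReadable` block around it continues outside the hunk.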
@@ -112,7 +112,7 @@ LogText "Result: found directory ${I}" if FileIsReadable ${I}; then LogText "Test: searching files in ${I}" - FIND=$(${FINDBINARY} ${I} -type f -print 2> /dev/null | ${GREPBINARY} -v ".placeholder") + FIND=$(${FINDBINARY} -L ${I} -type f -print 2> /dev/null | ${GREPBINARY} -v ".placeholder") if [ -z "${FIND}" ]; then LogText "Result: no files found in ${I}" else diff --git a/include/tests_shells b/include/tests_shells index 9598cfbc..8ecbde2c 100644 --- a/include/tests_shells +++ b/include/tests_shells @@ -167,9 +167,9 @@ FIND=$(${LSBINARY} ${ROOTDIR}etc/profile.d/*.sh 2> /dev/null) if [ -n "${FIND}" ]; then # Determine if we can find a TMOUT value - FIND=$(${FINDBINARY} ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec cat {} \; 2> /dev/null | ${GREPBINARY} 'TMOUT=' | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }') + FIND=$(${FINDBINARY} -L ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec cat {} \; 2> /dev/null | ${GREPBINARY} 'TMOUT=' | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }') # Determine if the value is exported (with export, readonly, or typeset) - FIND2=$(${FINDBINARY} ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec cat {} \; 2> /dev/null | ${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }') + FIND2=$(${FINDBINARY} -L ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec cat {} \; 2> /dev/null | ${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }') if [ -n "${FIND}" ]; then N=0; IDLE_TIMEOUT=1 for I in ${FIND}; do diff --git a/include/tests_squid b/include/tests_squid index c6b5174a..c486108c 100644 --- a/include/tests_squid +++ b/include/tests_squid 
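Review bot: Both `find -L` lines at `@@ -167` call a bare `cat` where the tests_kernel hunks in this same commit use `${CAT_BINARY}`, and include/tests_squid `@@ -131` likewise runs a bare `find` where every other hunk uses `${FINDBINARY}`; the script presumably resolves tool paths into these variables so that PATH cannot substitute a different binary, so the new lines should read `-exec ${CAT_BINARY} {} \;` and `FIND=$(${FINDBINARY} -L ${SQUID_DAEMON_CONFIG} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \))`. The `if [ -n "${FIND}" ]` block continues outside the hunk.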
@@ -131,7 +131,7 @@ Register --test-no SQD-3613 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid file permissions" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking file permissions of ${SQUID_DAEMON_CONFIG}" - FIND=$(find ${SQUID_DAEMON_CONFIG} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \)) + FIND=$(find -L ${SQUID_DAEMON_CONFIG} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \)) if [ -n "${FIND}" ]; then LogText "Result: file ${SQUID_DAEMON_CONFIG} is world readable, writable or executable and could leak information or passwords" Display --indent 4 --text "- Checking Squid configuration file permissions" --result "${STATUS_WARNING}" --color RED From e2781677baef3508d135ff79d16927225effab7c Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 14 Mar 2022 11:48:30 +0100 Subject: [PATCH 032/282] [KRNL-5820] small changes to prevent using ROOTDIR and resetting it, also showing additional paths in screen output --- include/tests_kernel | 51 +++++++++++++++++++++----------------------- 1 file changed, 24 insertions(+), 27 deletions(-) diff --git a/include/tests_kernel b/include/tests_kernel index 52d72f8f..ffc5b9e0 100644 --- a/include/tests_kernel +++ b/include/tests_kernel 
@@ -520,29 +520,27 @@ AddHP 1 1 elif [ -z "${ULIMIT_C_VALUE_SUB}" ] && [ -z "${ULIMIT_C_VALUE}" ]; then LogText "Result: core dumps are not disabled in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh config files. Didn't find setting 'ulimit -c 0'" - Display --indent 4 --text "- configuration in etc/profile" --result "${STATUS_DEFAULT}" --color WHITE + Display --indent 4 --text "- configuration in ${ROOTDIR}etc/profile" --result "${STATUS_DEFAULT}" --color WHITE AddHP 0 1 elif ( [ -n "${ULIMIT_C_VALUE_SUB}" ] && ( [ "${ULIMIT_C_VALUE_SUB}" = "unlimited" ] || [ "${ULIMIT_C_VALUE_SUB}" != "0" ] ) ) || ( [ -n "${ULIMIT_C_VALUE}" ] && [ -z "${ULIMIT_C_VALUE_SUB}" ] && ( [ "${ULIMIT_C_VALUE}" = "unlimited" ] || [ "${ULIMIT_C_VALUE}" != "0" ] ) ); then LogText "Result: core dumps are enabled in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh config files. A value higher than 0 is configured for 'ulimit -c'" - Display --indent 4 --text "- configuration in etc/profile" --result "${STATUS_ENABLED}" --color RED + Display --indent 4 --text "- configuration in ${ROOTDIR}etc/profile" --result "${STATUS_ENABLED}" --color RED AddHP 0 1 else LogText "Result: ERROR - something went wrong. Unexpected result during check of ${ROOTDIR}etc/profile and ${ROOTDIR}etc/profile.d/*.sh config files. Please report on Github!" 
- Display --indent 4 --text "- configuration in etc/profile" --result "${STATUS_ERROR}" --color YELLOW + Display --indent 4 --text "- configuration in ${ROOTDIR}etc/profile" --result "${STATUS_ERROR}" --color YELLOW fi fi # Limits option - ROOTDIR_BACKUP=$ROOTDIR - for ALTERNATIVE_DIR in "/usr/" "/"; do - ROOTDIR=$ALTERNATIVE_DIR - LogText "Test: Checking presence ${ROOTDIR}etc/security/limits.conf" - if [ -f "${ROOTDIR}etc/security/limits.conf" ]; then - LogText "Result: file ${ROOTDIR}etc/security/limits.conf exists" - LogText "Test: Checking if core dumps are disabled in ${ROOTDIR}etc/security/limits.conf and ${LIMITS_DIRECTORY}/*" + for DIR in "/" "/usr/"; do + LogText "Test: Checking presence ${DIR}etc/security/limits.conf" + if [ -f "${DIR}etc/security/limits.conf" ]; then + LogText "Result: file ${DIR}etc/security/limits.conf exists" + LogText "Test: Checking if core dumps are disabled in ${DIR}etc/security/limits.conf and ${LIMITS_DIRECTORY}/*" # using find instead of grep -r to stay POSIX compliant. On AIX and HPUX grep -r is not available. 
- FIND1=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="0") { print "soft core disabled" } else if ($1=="*" && $2=="soft" && $3=="core" && $4!="0") { print "soft core enabled" } }' | ${TAILBINARY} -1) - FIND2=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="0") { print "hard core disabled" } else if ($1=="*" && $2=="hard" && $3=="core" && $4!="0") { print "hard core enabled" } }' | ${TAILBINARY} -1) - FIND3=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="-" && $3=="core" && $4=="0") { print "core dumps disabled" } else if ($1=="*" && $2=="-" && $3=="core" && $4!="0") { print "core dumps enabled" } }' | ${TAILBINARY} -1) + FIND1=$(${FINDBINARY} "${DIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="0") { print "soft core disabled" } else if ($1=="*" && $2=="soft" && $3=="core" && $4!="0") { print "soft core enabled" } }' | ${TAILBINARY} -1) + FIND2=$(${FINDBINARY} "${DIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="0") { print "hard core disabled" } else if ($1=="*" && $2=="hard" && $3=="core" && $4!="0") { print "hard core enabled" } }' | ${TAILBINARY} -1) + FIND3=$(${FINDBINARY} "${DIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && 
$2=="-" && $3=="core" && $4=="0") { print "core dumps disabled" } else if ($1=="*" && $2=="-" && $3=="core" && $4!="0") { print "core dumps enabled" } }' | ${TAILBINARY} -1) # When "* - core [value]" is used, then this sets both soft and core. In that case we set the values, as they the type 'hard' and 'soft' will not be present in the configuration file. if [ "${FIND3}" = "core dumps disabled" ]; then 
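Review bot: `for DIR in "/" "/usr/"` hard-codes absolute roots, so the limits.conf checks no longer honour `${ROOTDIR}` at all, even though the log lines a few lines up in the same hunk still use `${ROOTDIR}etc/profile`; the old code at least scanned the configured root (by clobbering ROOTDIR), the new code always scans the live system. `for DIR in "${ROOTDIR}" "${ROOTDIR}usr/"; do` keeps the additional-path intent without the clobbering. `${LIMITS_DIRECTORY}` is still passed unchanged to every find inside the loop, so the same limits.d files are merged into both the `/` and the `/usr/` result; if that variable is derived from ROOTDIR elsewhere, confirm that re-reading it per iteration is intended and say so in a comment. The loop body continues into the next hunk.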
@@ -558,41 +556,40 @@ if [ "${FIND2}" = "hard core disabled" ]; then LogText "Result: core dumps are hard disabled" - Display --indent 4 --text "- 'hard' configuration in ${ROOTDIR}etc/security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "GREEN" + Display --indent 4 --text "- 'hard' configuration in ${DIR}etc/security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "GREEN" if [ "${FIND1}" = "soft core disabled" ]; then - Display --indent 4 --text "- 'soft' configuration in ${ROOTDIR}etc/security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "GREEN" + Display --indent 4 --text "- 'soft' configuration in ${DIR}etc/security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "GREEN" else - Display --indent 4 --text "- 'soft' config in ${ROOTDIR}etc/security/limits.conf (implicit)" --result "${STATUS_DISABLED}" --color "GREEN" + Display --indent 4 --text "- 'soft' config in ${DIR}etc/security/limits.conf (implicit)" --result "${STATUS_DISABLED}" --color "GREEN" fi AddHP 3 3 elif [ "${FIND1}" = "soft core enabled" ] && [ "${FIND2}" = "hard core enabled" ]; then LogText "Result: core dumps (soft and hard) are enabled" - Display --indent 4 --text "- 'hard' configuration in ${ROOTDIR}etc/security/limits.conf" --result "${STATUS_ENABLED}" --color "RED" - Display --indent 4 --text "- 'soft' configuration in ${ROOTDIR}etc/security/limits.conf" --result "${STATUS_ENABLED}" --color "RED" + Display --indent 4 --text "- 'hard' configuration in ${DIR}etc/security/limits.conf" --result "${STATUS_ENABLED}" --color "RED" + Display --indent 4 --text "- 'soft' configuration in ${DIR}etc/security/limits.conf" --result "${STATUS_ENABLED}" --color "RED" ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in /etc/security/limits.conf file" AddHP 0 3 elif [ "${FIND1}" = "soft core disabled" ]; then LogText "Result: core dumps are disabled for 'soft' ('hard'=${IS_HARDCORE_DISABLED})" - Display --indent 4 --text "- 'hard' 
configuration in ${ROOTDIR}etc/security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "$(if [ "${IS_HARDCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_HARDCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)" - Display --indent 4 --text "- 'soft' configuration in ${ROOTDIR}etc/security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "GREEN" + Display --indent 4 --text "- 'hard' configuration in ${DIR}etc/security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "$(if [ "${IS_HARDCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_HARDCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)" + Display --indent 4 --text "- 'soft' configuration in ${DIR}etc/security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "GREEN" AddHP 2 3 elif [ "${FIND1}" = "soft core enabled" ] || [ "${FIND2}" = "hard core enabled" ]; then LogText "Result: core dumps are partially enabled ('hard'=${IS_HARDCORE_DISABLED}, 'soft'=${IS_SOFTCORE_DISABLED})" - Display --indent 4 --text "- 'hard' configuration in ${ROOTDIR}etc/security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "$(if [ "${IS_HARDCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_HARDCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)" - Display --indent 4 --text "- 'soft' configuration in ${ROOTDIR}etc/security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "$(if [ "${IS_SOFTCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_SOFTCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)" + Display --indent 4 --text "- 'hard' configuration in ${DIR}etc/security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "$(if [ "${IS_HARDCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_HARDCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)" + Display --indent 4 --text "- 
'soft' configuration in ${DIR}etc/security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "$(if [ "${IS_SOFTCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_SOFTCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)" AddHP 0 3 else LogText "Result: core dumps are not explicitly disabled" - Display --indent 4 --text "- 'hard' configuration in ${ROOTDIR}etc/security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "WHITE" - Display --indent 4 --text "- 'soft' configuration in ${ROOTDIR}etc/security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "WHITE" - ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in ${ROOTDIR}etc/security/limits.conf file" + Display --indent 4 --text "- 'hard' configuration in ${DIR}etc/security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "WHITE" + Display --indent 4 --text "- 'soft' configuration in ${DIR}etc/security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "WHITE" + ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in ${DIR}etc/security/limits.conf file" AddHP 1 3 fi else - LogText "Result: file ${ROOTDIR}etc/security/limits.conf does not exist, skipping test" + LogText "Result: file ${DIR}etc/security/limits.conf does not exist, skipping test for this file" fi done - ROOTDIR=$ROOTDIR_BACKUP # Sysctl option LogText "Test: Checking sysctl value of fs.suid_dumpable" From 5cd4b239b58e53bfb7d0d9b57abaccc638c44bed Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 14 Mar 2022 11:49:41 +0100 Subject: [PATCH 033/282] Update CHANGELOG.md --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6ccbd452..83d058b7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
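Review bot: In the final `else` branch the soft line is `Display --indent 4 --text "- 'soft' configuration in ${DIR}etc/security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "WHITE"`, reporting the hard value under the soft label; it should pass `--result "${IS_SOFTCORE_DISABLED}"` as every other branch does. The `ReportSuggestion` in the "soft and hard enabled" branch still names a fixed `/etc/security/limits.conf` while the sibling suggestion in the `else` branch was updated to `${DIR}etc/security/limits.conf`; update it so the suggestion points at the file actually examined. Also, because `AddHP` runs once per existing limits.conf, a system with both `/etc/` and `/usr/etc/` copies is scored twice for the same control, which deserves a comment if it is intended.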
@@ -13,6 +13,7 @@ - FILE-7524 - Test enhanced to support symlinks - HTTP-6643 - Support ModSecurity version 2 and 3 - KRNL-5788 - Only run relevant tests and improved logging +- KRNL-5820 - Additional path for security/limits.conf - KRNL-5830 - Check for /var/run/needs_restarting (Slackware) - KRNL-5830 - Add a presence check for /boot/vmlinuz - PRNT-2308 - Bugfix that prevented test from storing values correctly From 34d99f72f6f55053ba445847568d88eeeee1ff59 Mon Sep 17 00:00:00 2001 From: Skia Date: Thu, 17 Mar 2022 23:28:34 +0100 Subject: [PATCH 034/282] osdetection: add PostmarketOS --- include/osdetection | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/include/osdetection b/include/osdetection index d9b8a41c..29c3e69e 100644 --- a/include/osdetection +++ b/include/osdetection @@ -337,6 +337,13 @@ OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_NAME="Pop!_OS" ;; + "postmarketos") + LINUX_VERSION="PostmarketOS" + LINUX_VERSION_LIKE="Alpine" + OS_NAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + ;; "pureos") LINUX_VERSION="PureOS" LINUX_VERSION_LIKE="Debian" From f315c0b3257a301fe17b3a8904190df36d853940 Mon Sep 17 00:00:00 2001 From: mab974 <12948653+mab974@users.noreply.github.com> Date: Wed, 13 Apr 2022 13:42:21 +0400 Subject: [PATCH 035/282] osdetection: add Koozali #1274 --- include/osdetection | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/include/osdetection b/include/osdetection index d9b8a41c..ecd34865 100644 --- a/include/osdetection +++ b/include/osdetection 
@@ -271,6 +271,12 @@ OS_NAME="Kali Linux" OS_VERSION="Rolling release" ;; + "koozali") + LINUX_VERSION="Koozali" + OS_NAME="Koozali SME Server" + OS_REDHAT_OR_CLONE=1 + OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + ;; "linuxmint") LINUX_VERSION="Linux Mint" LINUX_VERSION_LIKE="Ubuntu" From e124499e27d48b85ca5fc2734247c47b94ee8ba5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Wed, 4 May 2022 10:51:35 +0200 Subject: [PATCH 036/282] Only test Compression if sshd version < 7.4 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- include/tests_ssh | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/include/tests_ssh b/include/tests_ssh index de3209ee..fb784d83 100644 --- a/include/tests_ssh +++ b/include/tests_ssh @@ -135,7 +135,6 @@ SSHOPS="AllowTcpForwarding:NO,LOCAL,YES:=\ ClientAliveCountMax:2,4,16:<\ ClientAliveInterval:300,600,900:<\ - Compression:NO,,YES:=\ FingerprintHash:SHA256,MD5,:=\ GatewayPorts:NO,,YES:=\ IgnoreRhosts:YES,,NO:=\ @@ -158,12 +157,12 @@ # OpenSSH had some options removed over time. Based on the version we add some additional options to check if [ ${OPENSSHD_VERSION_MAJOR} -lt 7 ]; then LogText "Result: added additional options for OpenSSH 6.x and lower" - SSHOPS="${SSHOPS} UsePrivilegeSeparation:SANDBOX,YES,NO:= Protocol:2,,1:=" + SSHOPS="${SSHOPS} Compression:(DELAYED|NO),,YES:= UsePrivilegeSeparation:SANDBOX,YES,NO:= Protocol:2,,1:=" elif [ ${OPENSSHD_VERSION_MAJOR} -eq 7 ]; then # Protocol 1 support removed (OpenSSH 7.4 and later) if [ ${OPENSSHD_VERSION_MINOR} -lt 4 ]; then LogText "Result: added additional options for OpenSSH < 7.4" - SSHOPS="${SSHOPS} Protocol:2,,1:=" + SSHOPS="${SSHOPS} Compression:(DELAYED|NO),,YES:= Protocol:2,,1:=" fi # UsePrivilegedSeparation removed (OpenSSH 7.5 and later) if [ ${OPENSSHD_VERSION_MINOR} -lt 5 ]; then 
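Review bot: The two new `Compression:(DELAYED|NO),,YES:=` entries in the version-gated SSHOPS assignments carry no comment explaining why the option is dropped from the base list for OpenSSH 7.4 and later, and the commit message only restates the version boundary. A why-comment next to the first addition would keep the next maintainer from re-adding it, e.g. `# Pre-authentication compression was removed in OpenSSH 7.4; 'yes' behaves as 'delayed' there, so only older versions are checked`. The loop that consumes SSHOPS is outside both hunks, so whether the `(DELAYED|NO)` alternation is matched as a pattern or as a literal string cannot be confirmed here; if it is a plain string compare, the entry would never match a correctly configured server.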
From 975712a6164fcd9fe57202c9705eeadfb7c6b7f8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Sun, 15 May 2022 23:58:43 +0200 Subject: [PATCH 037/282] add plocate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- include/tests_filesystems | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_filesystems b/include/tests_filesystems index 480ba40a..ab6191aa 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems @@ -744,7 +744,7 @@ if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking locate database" FOUND=0 - LOCATE_DBS="${ROOTDIR}var/lib/mlocate/mlocate.db ${ROOTDIR}var/lib/locate/locatedb ${ROOTDIR}var/lib/locatedb ${ROOTDIR}var/lib/slocate/slocate.db ${ROOTDIR}var/cache/locate/locatedb ${ROOTDIR}var/db/locate.database" + LOCATE_DBS="${ROOTDIR}var/cache/locate/locatedb ${ROOTDIR}var/db/locate.database ${ROOTDIR}var/lib/locate/locatedb ${ROOTDIR}var/lib/locatedb ${ROOTDIR}var/lib/mlocate/mlocate.db ${ROOTDIR}var/lib/plocate/plocate.db ${ROOTDIR}var/lib/slocate/slocate.db" for FILE in ${LOCATE_DBS}; do if [ -f ${FILE} ]; then LogText "Result: locate database found (${FILE})" From 8d9cdb22f413f2b2c941ae4750ca40411ce8a194 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 17 May 2022 15:07:48 +0200 Subject: [PATCH 038/282] Release 3.0.8 --- CHANGELOG.md | 2 +- lynis | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 83d058b7..8e63943e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,6 @@ # Lynis Changelog -## Lynis 3.0.8 (not released yet) +## Lynis 3.0.8 (2022-05-17) ### Added - MALW-3274 - Detect McAfee VirusScan Command Line Scanner diff --git a/lynis b/lynis index c15a78c7..cf7d6bc6 100755 --- a/lynis +++ b/lynis 
@@ -43,9 +43,9 @@ PROGRAM_WEBSITE="https://cisofy.com/lynis/" # Version details - PROGRAM_RELEASE_DATE="2022-01-31" - PROGRAM_RELEASE_TIMESTAMP=1643632222 - PROGRAM_RELEASE_TYPE="pre-release" # pre-release or release + PROGRAM_RELEASE_DATE="2022-05-17" + PROGRAM_RELEASE_TIMESTAMP=1652791205 + PROGRAM_RELEASE_TYPE="release" # pre-release or release PROGRAM_VERSION="3.0.8" # Source, documentation and license From 225338a92359773e7bfa8e2c21ab2aa9bd7b5990 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Wed, 18 May 2022 18:02:34 +0200 Subject: [PATCH 039/282] use systemctl get-default instead of following links MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- include/tests_kernel | 40 ++++++++++++++-------------------------- 1 file changed, 14 insertions(+), 26 deletions(-) diff --git a/include/tests_kernel b/include/tests_kernel index ad914bfb..61f8ae73 100644 --- a/include/tests_kernel +++ b/include/tests_kernel 
@@ -41,28 +41,17 @@ if [ ${SKIPTEST} -eq 0 ]; then # Checking if we can find the systemd default target LogText "Test: Checking for systemd default.target" - if [ -L ${ROOTDIR}etc/systemd/system/default.target ]; then - LogText "Result: symlink found" - if HasData "${READLINKBINARY}"; then - FIND=$(${READLINKBINARY} ${ROOTDIR}etc/systemd/system/default.target) - if ! HasData "${FIND}"; then - LogText "Exception: can't find the target of the symlink of /etc/systemd/system/default.target" - ReportException "${TEST_NO}:01" - else - FIND2=$(${ECHOCMD} ${FIND} | ${EGREPBINARY} "runlevel5|graphical") - if HasData "${FIND2}"; then - LogText "Result: Found match on runlevel5/graphical" - Display --indent 2 --text "- Checking default runlevel" --result "runlevel 5" --color GREEN - Report "linux_default_runlevel=5" - else - LogText "Result: No match found on runlevel, defaulting to runlevel 3" - Display --indent 2 --text "- Checking default runlevel" --result "runlevel 3" --color GREEN - Report "linux_default_runlevel=3" - fi - fi + if [ $(${SYSTEMCTLBINARY} get-default) ]; then + FIND=$(${SYSTEMCTLBINARY} get-default) + FIND2=$(${ECHOCMD} ${FIND} | ${EGREPBINARY} "runlevel5|graphical") + if HasData "${FIND2}"; then + LogText "Result: Found match on runlevel5/graphical" + Display --indent 2 --text "- Checking default runlevel" --result "runlevel 5" --color GREEN + Report "linux_default_runlevel=5" else - LogText "Result: No readlink binary, can't determine where symlink is pointing to" - Display --indent 2 --text "- Checking default run level" --result "${STATUS_UNKNOWN}" --color YELLOW + LogText "Result: No match found on runlevel, defaulting to runlevel 3" + Display --indent 2 --text "- Checking default runlevel" --result "runlevel 3" --color GREEN + Report "linux_default_runlevel=3" fi else LogText "Result: no systemd found, so trying inittab" 
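Review bot: The new guard `if [ $(${SYSTEMCTLBINARY} get-default) ]; then` executes the command unquoted inside `[ ]` and then runs it a second time to fill FIND; when SYSTEMCTLBINARY is empty the shell tries to execute a bare `get-default`, writes an error to stderr and falls through to the `no systemd found` branch as if nothing had gone wrong. Test the binary first and capture the output once: `if [ -n "${SYSTEMCTLBINARY}" ]; then FIND=$(${SYSTEMCTLBINARY} get-default 2> /dev/null); fi` followed by `if HasData "${FIND}"; then`, which also keeps an empty or multi-word result from breaking the test. The removed code read `${ROOTDIR}etc/systemd/system/default.target`, whereas `systemctl get-default` only answers for the running system, so the test no longer honours ROOTDIR if scanning a mounted root is a supported mode here.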
@@ -467,7 +456,7 @@ SYSD_CORED_BASE_STORAGE_FOUND=$(${GREPBINARY} -v "^ *#" ${ROOTDIR}etc/systemd/coredump.conf 2> /dev/null | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -i "^Storage=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g') SYSD_CORED_BASE_STORAGE_NR_ENABLED=$(${ECHOCMD} "${SYSD_CORED_BASE_STORAGE_FOUND}" | ${SEDBINARY} 's/none//g' | ${WCBINARY} | ${AWKBINARY} '{print $2}') SYSD_CORED_BASE_STORAGE_NR_DISABLED=$(${ECHOCMD} "${SYSD_CORED_BASE_STORAGE_FOUND}" | ${GREPBINARY} -o "none" | ${WCBINARY} | ${AWKBINARY} '{print $2}') - # check conf files in possibly existing coredump.conf.d folders + # check conf files in possibly existing coredump.conf.d folders # using find instead of grep -r to stay POSIX compliant. On AIX and HPUX grep -r is not available. # while there could be multiple files overwriting each other, we are checking the number of occurrences SYSD_CORED_SUB_PROCSIZEMAX_NR_DISABLED=$(${FINDBINARY} -L /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} "^0 *$" | ${WCBINARY} -l) @@ -531,7 +520,7 @@ Display --indent 4 --text "- configuration in ${ROOTDIR}etc/profile" --result "${STATUS_ERROR}" --color YELLOW fi fi - + # Limits options for DIR in "/" "/usr/"; do LogText "Test: Checking presence ${DIR}etc/security/limits.conf" @@ -840,7 +829,7 @@ else LogText "Result: Skipping this test, as extracting the seconds of package date failed" fi - + if [ -n "${UNAME_OUTPUT}" ]; then LogText "Result: Got an output from 'uname -v'" LogText "Check: Trying to extract kernel build date from 'uname -v' output" @@ -911,8 +900,7 @@ else LogText "Result: Did not get output from 'uname -v'. Skipping test." fi - - + else LogText "Result: /var/cache/apt/archives/ does not exist" fi 
From b3436629ce061489c4f999bdcfcd0fd52af7a061 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Mon, 20 Jun 2022 09:54:29 +0200 Subject: [PATCH 040/282] add check for ESET oaeventd MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- include/tests_malware | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/tests_malware b/include/tests_malware index 40336fa5..4fa901d9 100644 --- a/include/tests_malware +++ b/include/tests_malware @@ -186,8 +186,8 @@ fi # ESET security products - LogText "Test: checking process esets_daemon" - if IsRunning "esets_daemon"; then + LogText "Test: checking process esets_daemon or oaeventd (ESET)" + if IsRunning "esets_daemon" || IsRunning "oaeventd"; then FOUND=1 ESET_DAEMON_RUNNING=1 MALWARE_DAEMON_RUNNING=1 From 74fdee1e33c1cf1c43662f4a385f739b82b4407a Mon Sep 17 00:00:00 2001 From: Fionn Fitzmaurice Date: Tue, 12 Jul 2022 20:53:03 +0800 Subject: [PATCH 041/282] Support Arch Linux ARM detection --- include/osdetection | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/include/osdetection b/include/osdetection index d9b8a41c..c9503b46 100644 --- a/include/osdetection +++ b/include/osdetection @@ -169,6 +169,11 @@ OS_FULLNAME="Arch Linux" OS_VERSION="Rolling release" ;; + "archarm") + LINUX_VERSION="Arch Linux ARM" + OS_FULLNAME="Arch Linux ARM" + OS_VERSION="Rolling release" + ;; "arch32") LINUX_VERSION="Arch Linux 32" OS_FULLNAME="Arch Linux 32" From e4cd5eaede8309cf1af9c6e902e64bf61407b0a6 Mon Sep 17 00:00:00 2001 
From: Zafer Balkan Date: Wed, 20 Jul 2022 21:41:55 +0300 Subject: [PATCH 042/282] Added Wazuh Agent as a malware scanner/antivirus Solves https://github.com/CISOfy/lynis/issues/1304 Wazuh is a fork of OSSEC and is being actively maintained. Wazuh agent has capabilities to detect and prevent malware acting as an EDR. Therefore, it seems feasible to add wazuh-agent to the accepted antivirus products. https://documentation.wazuh.com/current/user-manual/capabilities/anomalies-detection/index.html https://documentation.wazuh.com/current/pci-dss/rootkit-detection.html --- include/tests_malware | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/include/tests_malware b/include/tests_malware index 40336fa5..3ddc9277 100644 --- a/include/tests_malware +++ b/include/tests_malware @@ -308,6 +308,17 @@ Report "malware_scanner[]=trend-micro-av" fi + # Wazuh agent + LogText "Test: checking process wazuh-agent to test for Wazuh agent" + if IsRunning "wazuh-agent"; then + if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Wazuh agent" --result "${STATUS_FOUND}" --color GREEN; fi + LogText "Result: found Wazuh component" + FOUND=1 + MALWARE_DAEMON_RUNNING=1 + MALWARE_SCANNER_INSTALLED=1 + Report "malware_scanner[]=wazuh" + fi + if [ ${FOUND} -eq 0 ]; then LogText "Result: no commercial anti-virus tools found" AddHP 0 3 From 32a39eaaf884444baa7b5ec76a87b8e2990906ae Mon Sep 17 00:00:00 2001 From: Zafer Balkan Date: Wed, 20 Jul 2022 21:50:26 +0300 Subject: [PATCH 043/282] Added Wazuh agent as a rootkit scanner Wazuh is a fork of OSSEC and is being actively maintained. Wazuh agent has capabilities to detect and prevent rootkits. Therefore, it seems feasible to add wazuh-agent to the accepted rootkit detection products. https://documentation.wazuh.com/current/pci-dss/rootkit-detection.html --- include/tests_malware | 3 +++ 1 file changed, 3 insertions(+) diff --git a/include/tests_malware b/include/tests_malware index 3ddc9277..237b7cc1 100644 
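Review bot: `IsRunning "wazuh-agent"` may not match the agent's actual daemons, which on a Wazuh installation are named `wazuh-agentd` (alongside `wazuh-modulesd`, `wazuh-syscheckd` and others) rather than `wazuh-agent`; whether this works depends on IsRunning doing a substring match, which cannot be confirmed from this hunk. If IsRunning compares whole process names, `IsRunning "wazuh-agentd"` is the safer key. The same process name is reused by the LOGG-2144 test added in tests_logging further down this page, so both places should be kept aligned.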
--- a/include/tests_malware +++ b/include/tests_malware @@ -43,6 +43,7 @@ SYMANTEC_SCANNER_RUNNING=0 SYNOLOGY_DAEMON_RUNNING=0 TRENDMICRO_DSA_DAEMON_RUNNING=0 + WAZUH_DAEMON_RUNNING=0 # ################################################################################# # @@ -314,8 +315,10 @@ if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Wazuh agent" --result "${STATUS_FOUND}" --color GREEN; fi LogText "Result: found Wazuh component" FOUND=1 + WAZUH_DAEMON_RUNNING=1 MALWARE_DAEMON_RUNNING=1 MALWARE_SCANNER_INSTALLED=1 + ROOTKIT_SCANNER_FOUND=1 Report "malware_scanner[]=wazuh" fi From 3140a245da2c709e379c34ca6f3495428f0c7e5e Mon Sep 17 00:00:00 2001 From: Zafer Balkan Date: Fri, 5 Aug 2022 15:45:35 +0300 Subject: [PATCH 044/282] Added wazuh-agent as a remote syslog capability --- include/tests_logging | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/include/tests_logging b/include/tests_logging index b6acdbe5..ed87ff17 100644 --- a/include/tests_logging +++ b/include/tests_logging @@ -28,6 +28,7 @@ METALOG_RUNNING=0 RFC3195D_RUNNING=0 RSYSLOG_RUNNING=0 + WAZUH_AGENT_RUNNING=0 SOLARIS_LOGHOST="" SOLARIS_LOGHOST_FOUND=0 SOLARIS_LOGHOST_LOCALHOST=0 
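Review bot: Setting `ROOTKIT_SCANNER_FOUND=1` on the mere presence of the agent process overstates what has been verified, because Wazuh's rootcheck module is a configurable feature that can be disabled in `/var/ossec/etc/ossec.conf`. A presence check is a reasonable first step, but it should say so, e.g. `# Rootcheck is assumed enabled; the <rootcheck> section of ossec.conf is not inspected`, or the flag could be gated on that section not being marked disabled. The new `WAZUH_DAEMON_RUNNING` variable is initialised and set here but not read in any visible hunk; if it mirrors the other `*_DAEMON_RUNNING` flags that is fine, otherwise it is dead state.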
@@ -220,6 +221,23 @@ fi # ################################################################################# +# + # Test : LOGG-2144 + # Description : Check for wazuh-agent presence on Linux systems + Register --test-no LOGG-2144 --os Linux --weight L --network NO --category security --description "Checking wazuh-agent" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Result: Searching for wazuh-agent instances in the process list" + if IsRunning "wazuh-agent"; then + LogText "Result: Found wazuh-agent in process list" + Display --indent 4 --text "- Checking wazuh-agent status" --result "${STATUS_FOUND}" --color GREEN + WAZUH_AGENT_RUNNING=1 + else + LogText "Result: wazuh-agent NOT found in process list" + Display --indent 4 --text "- Checking wazuh-agent daemon status" --result "${STATUS_NOT_FOUND}" --color WHITE + fi + fi +# +################################################################################# # # Test : LOGG-2146 # Description : Check for logrotate (/etc/logrotate.conf and logrotate.d) @@ -446,6 +464,21 @@ fi fi + # Test wazuh-agent configuration for syslog configuration + if [ ${WAZUH_AGENT_RUNNING} ]; then + WAZUH_AGENT_CONF="/var/ossec/etc/ossec.conf" + fi + + if [ -f ${WAZUH_AGENT_CONF} ]; then + LogText "Test: Checking Wazuh agent configuration for remote syslog forwarding" + FIND=$(${EGREPBINARY} '/var/log/syslog' ${WAZUH_AGENT_CONF}) + if [ "${FIND}" ]; then + DESTINATION=$(${EGREPBINARY} -o '
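Review bot: The two Display calls in LOGG-2144 describe the same check with different labels (`- Checking wazuh-agent status` versus `- Checking wazuh-agent daemon status`), so the found and not-found lines differ by more than their result; use one text for both. Both calls also use `--indent 4`, while the top-level Display lines of sibling tests visible on this page appear to use `--indent 2`, so this test will render as a sub-item of whatever precedes it. The LogText before the IsRunning call starts with `Result:` although it announces the search rather than reporting one; `Test:` matches the convention used elsewhere in these files.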
([A-Za-z0-9\.\-\_]*)
' ${WAZUH_AGENT_CONF} | sed 's/
//' | sed 's/<\/address>//') + LogText "Result: found destination ${DESTINATION} configured for remote logging with wazuh" + REMOTE_LOGGING_ENABLED=1 + fi + fi + # Show result if [ ${REMOTE_LOGGING_ENABLED} -eq 0 ]; then Report "remote_syslog_configured=0" From a19f532ddf0bd5b6cdd30ff518bfc98e3aea5e93 Mon Sep 17 00:00:00 2001 From: Nick Anderson Date: Wed, 17 Aug 2022 14:03:21 -0500 Subject: [PATCH 045/282] Fixed typo in Group for FINT-4316 Closes #1323 --- db/tests.db | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/db/tests.db b/db/tests.db index fe16ef9c..e4dc8fbd 100644 --- a/db/tests.db +++ b/db/tests.db @@ -136,7 +136,7 @@ FILE-7524:test:security:file_permissions::Perform file permissions check: FINT-4310:test:security:file_integrity::AFICK availability: FINT-4314:test:security:file_integrity::AIDE availability: FINT-4315:test:security:file_integrity::Check AIDE configuration file: -FINT-4316:test:security:file_integirty::Presence of AIDE database and size check: +FINT-4316:test:security:file_integrity::Presence of AIDE database and size check: FINT-4318:test:security:file_integrity::Osiris availability: FINT-4322:test:security:file_integrity::Samhain availability: FINT-4326:test:security:file_integrity::Tripwire availability: From fe5990f20875d85ce8fcdbc06f4a760cddd5a5b9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Tue, 23 Aug 2022 11:56:25 +0200 Subject: [PATCH 046/282] remove whitespaces MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- include/tests_databases | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/tests_databases b/include/tests_databases index f5bc22ae..7c829cd3 100644 --- a/include/tests_databases +++ b/include/tests_databases 
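Review bot: `if [ ${WAZUH_AGENT_RUNNING} ]; then` is always true because the variable holds `0` or `1`, both non-empty strings, so WAZUH_AGENT_CONF is set even when no agent runs; compare numerically, `if [ ${WAZUH_AGENT_RUNNING} -eq 1 ]; then`. The following `if [ -f ${WAZUH_AGENT_CONF} ]` is unquoted, and with the variable unset it collapses to `[ -f ]`, which POSIX test evaluates as true, so quote it: `if [ -f "${WAZUH_AGENT_CONF}" ]; then`. The DESTINATION extraction uses a bare `sed` where the rest of the file uses `${SEDBINARY}`, and the grep plus two substitutions could be a single `${SEDBINARY} -n 's/.*<address>\([A-Za-z0-9._-]*\)<\/address>.*/\1/p'`; the XML tags around the capture group seem to have been dropped by this rendering, so verify them against the source. Finally, a `/var/log/syslog` entry in ossec.conf only shows the file is collected, while the manager address is the actual evidence of forwarding, so set REMOTE_LOGGING_ENABLED only when DESTINATION is non-empty.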
@@ -85,7 +85,7 @@ LogText "Test: Trying to login to local MySQL server without password" # "-u root --password=" avoids ~/.my.cnf authentication settings - # "plugin = 'mysql_native_password' AND authentication_string = ''" avoids false positives when secure plugins are used + # "plugin = 'mysql_native_password' AND authentication_string = ''" avoids false positives when secure plugins are used FIND=$(${MYSQLCLIENTBINARY} --default-auth=mysql_native_password --no-defaults -u root --password= --silent --batch --execute="SELECT count(*) FROM mysql.user WHERE user = 'root' AND plugin = 'mysql_native_password' AND authentication_string = ''" mysql > /dev/null 2>&1; echo $?) if [ "${FIND}" = "0" ]; then LogText "Result: Login succeeded, no MySQL root password set!" @@ -213,7 +213,7 @@ ReportWarning "${TEST_NO}" "PostgreSQL configuration file ${CF} is world readable and might leak sensitive details" "${CF}" "Use chmod 600 to change file permissions" else LogText "Result: great, configuration file ${CF} is not world readable" - fi + fi done fi # From fc62b39f34b32f5d31502578f4f9a78b494b331d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Tue, 23 Aug 2022 11:57:05 +0200 Subject: [PATCH 047/282] find redis.conf if /snap directory exists MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- include/tests_databases | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/include/tests_databases b/include/tests_databases index 7c829cd3..153e74ac 100644 --- a/include/tests_databases +++ b/include/tests_databases @@ -302,6 +302,12 @@ if [ ${QNAP_DEVICE} -eq 1 ]; then PATHS="${PATHS} ${ROOTDIR}share/CACHEDEV1_DATA/.qpkg/QKVM/usr/etc/redis.conf" fi + if [ -d "/snap" ]; then + for SNAP_PATH in $(${FINDBINARY} /snap -name 'redis.conf' -type f); do + PATHS="${PATHS} ${SNAP_PATH}" + done + fi + ALLFILES=$(${LSBINARY} ${ROOTDIR}etc/redis.conf 2> /dev/null) FOUND=0 for DIR in ${PATHS}; do 
From 4f6eeb7537077d145860e19f83d44f59d182ea2c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Wed, 24 Aug 2022 10:17:54 +0200 Subject: [PATCH 048/282] remove file from path MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- include/tests_databases | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_databases b/include/tests_databases index 153e74ac..34bace85 100644 --- a/include/tests_databases +++ b/include/tests_databases @@ -303,7 +303,7 @@ PATHS="${PATHS} ${ROOTDIR}share/CACHEDEV1_DATA/.qpkg/QKVM/usr/etc/redis.conf" fi if [ -d "/snap" ]; then - for SNAP_PATH in $(${FINDBINARY} /snap -name 'redis.conf' -type f); do + for SNAP_PATH in $(${FINDBINARY} /snap -name 'redis.conf' -type f | ${SEDBINARY} 's/redis.conf$//g'); do PATHS="${PATHS} ${SNAP_PATH}" done fi From 622f53247da81d64e8b5170baf0f6cb4e785353f Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 24 Aug 2022 11:42:22 +0000 Subject: [PATCH 049/282] [DBS-1820] added newer style format for Mongo authorization setting --- include/tests_databases | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/include/tests_databases b/include/tests_databases index f5bc22ae..e973d23f 100644 --- a/include/tests_databases +++ b/include/tests_databases 
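Review bot: The snap search in the `-d "/snap"` block hard-codes `/snap` while every other entry in PATHS on this page is prefixed with `${ROOTDIR}`, and the `find` runs without `2> /dev/null`, so permission errors from mounted snap images reach the user's terminal. Suggest `if [ -d "${ROOTDIR}snap" ]; then` with `${FINDBINARY} ${ROOTDIR}snap -name 'redis.conf' -type f 2> /dev/null | ${SEDBINARY} 's/redis.conf$//g'`. The loop that later consumes PATHS is outside this hunk, so the directory-versus-file expectation is inferred from the `sed` strip this commit adds.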
@@ -127,12 +127,25 @@ for FILE in ${MONGO_CONF_FILES}; do if [ -f ${FILE} ]; then LogText "Result: found MongoDB configuration file (${FILE})" - LogText "Test: determine authorization setting in new style YAML format" - AUTH_IN_CONFIG=$(${GREPBINARY} "authorization: enabled" ${FILE} | ${GREPBINARY} -E -v "(^#|#auth)") - if HasData "${AUTH_IN_CONFIG}"; then - LogText "Result: GOOD, found authorization option enabled in configuration file (YAML format)" - MONGODB_AUTHORIZATION_ENABLED=1 - else + # YAML with quotes + if [ ${MONGODB_AUTHORIZATION_ENABLED} -eq 0 ]; then + LogText "Test: determine authorization setting in new style YAML format" + AUTH_IN_CONFIG=$(${GREPBINARY} "authorization: \"enabled\"" ${FILE} | ${GREPBINARY} -E -v "(^#|#auth)") + if HasData "${AUTH_IN_CONFIG}"; then + LogText "Result: GOOD, found authorization option enabled in configuration file (YAML format with quotes)" + MONGODB_AUTHORIZATION_ENABLED=1 + fi + fi + # YAML without quotes + if [ ${MONGODB_AUTHORIZATION_ENABLED} -eq 0 ]; then + AUTH_IN_CONFIG=$(${GREPBINARY} "authorization: enabled" ${FILE} | ${GREPBINARY} -E -v "(^#|#auth)") + if HasData "${AUTH_IN_CONFIG}"; then + LogText "Result: GOOD, found authorization option enabled in configuration file (YAML format without quotes)" + MONGODB_AUTHORIZATION_ENABLED=1 + fi + fi + # Old style + if [ ${MONGODB_AUTHORIZATION_ENABLED} -eq 0 ]; then LogText "Result: did NOT find authorization option enabled in configuration file (with YAML format)" LogText "Test: now searching for old style configuration (auth = true) in configuration file" AUTH_IN_CONFIG=$(${GREPBINARY} "auth = true" ${FILE} | ${GREPBINARY} -v "noauth" | ${GREPBINARY} -E -v "(^#|#auth)") From b53d6a80d706d29aaf7a03a31138b024230c49df Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 24 Aug 2022 11:43:37 +0000 Subject: [PATCH 050/282] Updated log --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) 
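Review bot: The new quoted-YAML grep `"authorization: \"enabled\""` handles double quotes only; YAML equally permits `authorization: 'enabled'`, which now falls through to the old-style check and is reported as not enabled. Both quote styles, with any indentation, can be matched in one pass, e.g. `${GREPBINARY} -E "^[[:space:]]*authorization:[[:space:]]*[\"']?enabled[\"']?" ${FILE}`, which would also collapse the two new blocks into one. Note that the `-v "(^#|#auth)"` exclusion only drops comments starting in column 0, so an indented `  # authorization: enabled` line still counts as enabled and yields a GOOD result; anchoring on `^[[:space:]]*authorization` avoids that. This pattern predates the commit, but the new blocks copy it.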
diff --git a/CHANGELOG.md b/CHANGELOG.md index 8e63943e..ad1cbeb8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,12 @@ # Lynis Changelog +## Lynis 3.0.9 (not released yet) + +### Changed +- DBS-1820 - added newer style format for Mongo authorization setting + +--------------------------------------------------------------------------------- + ## Lynis 3.0.8 (2022-05-17) ### Added From 73d43c25eb290e8879a590c8534202bcd400caeb Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sat, 17 Sep 2022 14:49:26 +0000 Subject: [PATCH 051/282] Moved section to discover current timestamp related to issue #1329 --- include/osdetection | 43 ++++++++++++++++++++++++++++++------------- lynis | 10 +--------- 2 files changed, 31 insertions(+), 22 deletions(-) diff --git a/include/osdetection b/include/osdetection index d9b8a41c..989b1b38 100644 --- a/include/osdetection +++ b/include/osdetection @@ -777,10 +777,26 @@ ECHONB="" case ${OS} in - "AIX") ECHOCMD="echo"; ECHONB="printf" ;; - "DragonFly"|"FreeBSD"|"NetBSD") ECHOCMD="echo -e"; ECHONB="echo -n" ;; - "macOS" | "Mac OS X") ECHOCMD="echo"; ECHONB="/bin/echo -n" ;; - "Solaris") ECHOCMD="echo" ; test -f /usr/ucb/echo && ECHONB="/usr/ucb/echo -n" ;; + "AIX") + ECHOCMD="echo"; + ECHONB="printf" + ;; + "DragonFly"|"FreeBSD"|"NetBSD") + ECHOCMD="echo -e" + ECHONB="echo -n" + NOW=$(date "+%s") + ;; + "macOS" | "Mac OS X") + ECHOCMD="echo" + ECHONB="/bin/echo -n" + NOW=$(date "+%s") + ;; + + "Solaris") + ECHOCMD="echo" + test -f /usr/ucb/echo && ECHONB="/usr/ucb/echo -n" + NOW=$(nawk 'BEGIN{print srand()}') + ;; "Linux") # Check if dash is used (Debian/Ubuntu) DEFAULT_SHELL=$(ls -l /bin/sh | awk -F'>' '{print $2}') 
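Review bot: The `"AIX")` arm in the rewritten case still sets only ECHOCMD and ECHONB and never assigns NOW, while every other arm now does; the third hunk of this commit (the EOL check in the same file) removes the old `if [ -n "${NOW}" ]` guard, so on AIX `[ ${NOW} -gt ${EOL_TIMESTAMP} ]` becomes `[ -gt ... ]` and the test errors out. Add `NOW=$(date "+%s")` to the AIX arm (or keep the guard), and drop the stray `;` after `ECHOCMD="echo"`. The lynis hunks later in the same commit delete the script's own NOW computation, so correctness now depends on osdetection having been sourced first, which the `. ${INCLUDEDIR}/osdetection` context line suggests is the case.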
@@ -788,10 +804,14 @@ " dash") ECHOCMD="/bin/echo -e" ;; *) ECHOCMD="echo -e" ;; esac + NOW=$(date "+%s") + ;; + *) + ECHOCMD="echo -e" + NOW=$(date "+%s") ;; - *) ECHOCMD="echo -e" ;; esac - + # Check if we have full featured commands, or are using BusyBox as a shell if [ -x /bin/busybox ]; then if [ -L /bin/ps ]; then @@ -820,13 +840,10 @@ if [ -n "${EOL_TIMESTAMP}" ]; then EOL_DATE=$(awk -v value="${FIND}" -F: '{if ($1=="os" && value ~ $2){print $3}}' ${DBDIR}/software-eol.db | head -n 1) if [ -n "${EOL_DATE}" ]; then - NOW=$(date "+%s") - if [ -n "${NOW}" ]; then - if [ ${NOW} -gt ${EOL_TIMESTAMP} ]; then - EOL=1 - else - EOL=0 - fi + if [ ${NOW} -gt ${EOL_TIMESTAMP} ]; then + EOL=1 + else + EOL=0 fi else EOL=0 diff --git a/lynis b/lynis index cf7d6bc6..ab8c479e 100755 --- a/lynis +++ b/lynis @@ -514,7 +514,7 @@ ${NORMAL} . ${INCLUDEDIR}/osdetection Display --indent 2 --text "- Detecting OS... " --result "${STATUS_DONE}" --color GREEN - # Check hostname + # Check hostname and get timestamp case ${OS} in HP-UX) HOSTNAME=$(hostname) ;; @@ -531,7 +531,6 @@ ${NORMAL} if [ "${OS}" = "Linux" -a "${HOSTNAME}" = "${FQDN}" ]; then FQDN=$(hostname -f 2> /dev/null) fi - # ################################################################################# # @@ -789,13 +788,6 @@ ${NORMAL} fi fi - # Test for older releases, without testing via update mechanism - if [ "${OS}" = "Solaris" ]; then - NOW=$(nawk 'BEGIN{print srand()}') - else - NOW=$(date "+%s") - fi - OLD_RELEASE=0 TIME_DIFFERENCE_CHECK=10368000 # 4 months RELEASE_PLUS_TIMEDIFF=$((PROGRAM_RELEASE_TIMESTAMP + TIME_DIFFERENCE_CHECK)) From 2c27a8fdce2ec5142d9472345d4545385b658202 Mon Sep 17 00:00:00 2001 From: Massacre Networks <81653728+MassacreNetworks@users.noreply.github.com> Date: Sat, 24 Sep 2022 19:11:40 +0300 Subject: [PATCH 052/282] expected variable $NOW --- lynis | 1 + 1 file changed, 1 insertion(+) diff --git a/lynis b/lynis index ab8c479e..3f6d3b84 100755 --- a/lynis +++ b/lynis 
@@ -791,6 +791,7 @@ ${NORMAL}
 OLD_RELEASE=0
 TIME_DIFFERENCE_CHECK=10368000 # 4 months
 RELEASE_PLUS_TIMEDIFF=$((PROGRAM_RELEASE_TIMESTAMP + TIME_DIFFERENCE_CHECK))
+ NOW=$(date "+%s")
 if [ ${NOW} -gt ${RELEASE_PLUS_TIMEDIFF} ]; then
 # Show if release is old, only if we didn't show it with normal update check
 if [ ${UPDATE_AVAILABLE} -eq 0 ]; then
From 49bbf25abe606f3ff598f5ff58ffdddcc59ec949 Mon Sep 17 00:00:00 2001
From: Ximalas
Date: Mon, 26 Sep 2022 10:05:39 +0200
Subject: [PATCH 053/282] Update tests_database: Redis configuration file

On FreeBSD the Redis configuration file is typically stored as /usr/local/etc/redis.conf.
---
 include/tests_databases | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/tests_databases b/include/tests_databases
index e973d23f..7a3252c0 100644
--- a/include/tests_databases
+++ b/include/tests_databases
@@ -311,7 +311,7 @@
 if [ ${REDIS_RUNNING} -eq 1 ]; then PREQS_METS="YES"; else PREQS_MET="NO"; SKIPREASON="Redis not running"; fi
 Register --test-no DBS-1882 --weight L --network NO --preqs-met "${PREQS_MET}" --skip-reason "${SKIPREASON}" --category security --description "Redis configuration file"
 if [ ${SKIPTEST} -eq 0 ]; then
- PATHS="${ROOTDIR}etc/redis ${ROOTDIR}usr/local/etc/redis ${ROOTDIR}usr/local/redis/etc"
+ PATHS="${ROOTDIR}etc/redis ${ROOTDIR}usr/local/etc ${ROOTDIR}usr/local/etc/redis ${ROOTDIR}usr/local/redis/etc"
 if [ ${QNAP_DEVICE} -eq 1 ]; then
 PATHS="${PATHS} ${ROOTDIR}share/CACHEDEV1_DATA/.qpkg/QKVM/usr/etc/redis.conf"
 fi
From 98ac5a562ad6f347bcde307d56466b2668251908 Mon Sep 17 00:00:00 2001
From: HansHoogerwerf
Date: Mon, 17 Oct 2022 15:46:40 +0200
Subject: [PATCH 054/282] Verify the linux OS supports nanoseconds

Add extra check to verify the linux OS supports nanoseconds. This might not be the case with certain busybox implementations.
---
 include/functions | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
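Review bot: Re-adding an unconditional `NOW=$(date "+%s")` before the release-age check undoes the Solaris handling that the previous commit on this page moved into osdetection, where NOW is computed with `nawk 'BEGIN{print srand()}'` precisely because `date "+%s"` is not relied on there. If NOW can arrive empty here, as the commit title implies, a guard such as `if [ -n "${NOW}" ] && [ ${NOW} -gt ${RELEASE_PLUS_TIMEDIFF} ]; then` is the safer fix, or the osdetection case should be made to set NOW in every arm (its AIX arm currently does not). Overwriting the value silently masks the platform that was missed instead of fixing it.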
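Review bot: The context line `if [ ${REDIS_RUNNING} -eq 1 ]; then PREQS_METS="YES"; else PREQS_MET="NO"; ...` appears to assign `PREQS_METS` instead of `PREQS_MET`, so the value handed to Register via `--preqs-met "${PREQS_MET}"` is whatever an earlier test left behind when Redis is running; it is not part of this change, but the new search path only matters if DBS-1882 runs at all, so it deserves a follow-up fix to `PREQS_MET="YES"`. The added `${ROOTDIR}usr/local/etc` is a broad directory, which is harmless provided the consuming loop appends `/redis.conf` to each entry; that loop is outside the hunk.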
diff --git a/include/functions b/include/functions index 5b211707..db4c7ef8 100644 --- a/include/functions +++ b/include/functions @@ -2562,15 +2562,17 @@ GetTimestamp() { ts=0 - case "${OS}" in - "Linux") - ts=$(date "+%s%N") - ;; - *) - ts=$(date "+%s") - ;; - esac - echo $ts + # Detect if the implementation of date supports nanoseconds, + if [ "${OS}" = "Linux" ]; then + current_nanoseconds=$(date "+%N") + # Verify if the result of the command is a number + if [ -n "$current_nanoseconds" ] && [ "$current_nanoseconds" -eq "$current_nanoseconds" ] 2>/dev/null; then + ts=$(date "+%s%N") + else + ts=$(date "+%s") + fi + fi + echo $ts } Register() { From ff26dca83a0f788ac7853b73e9d42cec49846aa7 Mon Sep 17 00:00:00 2001 From: HansHoogerwerf Date: Mon, 17 Oct 2022 16:24:59 +0200 Subject: [PATCH 055/282] Fix simple mistake --- include/functions | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/include/functions b/include/functions index db4c7ef8..5ae9b978 100644 --- a/include/functions +++ b/include/functions @@ -2562,17 +2562,19 @@ GetTimestamp() { ts=0 - # Detect if the implementation of date supports nanoseconds, - if [ "${OS}" = "Linux" ]; then - current_nanoseconds=$(date "+%N") - # Verify if the result of the command is a number + # Detect if the implementation of date supports nanoseconds, + if [ "${OS}" = "Linux" ]; then + current_nanoseconds=$(date "+%N") + # Verify if the result of the command is a number if [ -n "$current_nanoseconds" ] && [ "$current_nanoseconds" -eq "$current_nanoseconds" ] 2>/dev/null; then ts=$(date "+%s%N") else - ts=$(date "+%s") - fi + ts=$(date "+%s") + fi + else + ts=$(date "+%s") fi - echo $ts + echo $ts } Register() { From bbe135d56f13f3c05a4a328c504639c6568de8b2 Mon Sep 17 00:00:00 2001 From: HansHoogerwerf Date: Mon, 17 Oct 2022 16:27:21 +0200 Subject: [PATCH 056/282] Fix space --- include/functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
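Review bot: With the else branch restored, GetTimestamp still probes `date "+%N"` on every call on Linux and then calls `date` again, so each timestamp costs two forks even though the capability cannot change during a run; the probe result could be computed once when the file is sourced and only the final `date` invoked here. The comment `# Detect if the implementation of date supports nanoseconds,` ends in a comma and would read better as `# Detect whether this date implementation supports %N (BusyBox variants may echo the format back literally)`, which also records why the numeric `-eq` self-comparison is a valid test. The variable `ts` is not declared local, but that predates this commit.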
diff --git a/include/functions b/include/functions index 5ae9b978..38cc46b3 100644 --- a/include/functions +++ b/include/functions @@ -2567,7 +2567,7 @@ current_nanoseconds=$(date "+%N") # Verify if the result of the command is a number if [ -n "$current_nanoseconds" ] && [ "$current_nanoseconds" -eq "$current_nanoseconds" ] 2>/dev/null; then - ts=$(date "+%s%N") + ts=$(date "+%s%N") else ts=$(date "+%s") fi From 59a3c4b5368cdbd96ba7cdddf0dce5410b30163c Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 24 Oct 2022 16:22:27 +0200 Subject: [PATCH 057/282] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index ad1cbeb8..bd37121c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,7 @@ ### Changed - DBS-1820 - added newer style format for Mongo authorization setting +- Extra check to verify if nanoseconds are supported by the date command --------------------------------------------------------------------------------- From 8e9a95d88797a4349263a797bcd0aa243f0bdbec Mon Sep 17 00:00:00 2001 From: Alan Gonzalez <2751993+alangonzalez@users.noreply.github.com> Date: Fri, 28 Oct 2022 14:08:26 -0400 Subject: [PATCH 058/282] Update profiles --- include/profiles | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/profiles b/include/profiles index 6bf7758a..325ec887 100644 --- a/include/profiles +++ b/include/profiles 
@@ -56,7 +56,7 @@ fi # Security check for unexpected and possibly harmful escape characters (hyphen should be listed as first or last character) - DATA=$(grep -Ev '^$|^ |^#|^config:' "${PROFILE}" | tr -d '[:alnum:]/\[\]\(\)_\|,\.:;= \n\r-') + DATA=$(grep -Ev '^$|^ |^#|^config:' "${PROFILE}" | tr -d '[a-zA-Z0-9]/\[\]\(\)_\|,\.:;= \n\r-') if ! IsEmpty "${DATA}"; then DisplayWarning "Your profile '${PROFILE}' contains unexpected characters. See the log file for more information." LogText "Found unexpected or possibly harmful characters in profile '${PROFILE}'. See which characters matched in the output below and compare them with your profile." @@ -68,7 +68,7 @@ fi # Now parse the profile and filter out unwanted characters - DATA=$(grep -E "^config:|^[a-z-].*=" ${PROFILE} | tr -dc '[:alnum:]/\[\]\(\)_\|,\.:;= \n\r-' | sed 's/ /!space!/g') + DATA=$(grep -E "^config:|^[a-z-].*=" ${PROFILE} | tr -dc '[a-zA-Z0-9]/\[\]\(\)_\|,\.:;= \n\r-' | sed 's/ /!space!/g') for CONFIGOPTION in ${DATA}; do if ContainsString "^config:" "${CONFIGOPTION}"; then # Old style configuration From 4edbce250b31fcdd5cfeb309326fa2a171801c1d Mon Sep 17 00:00:00 2001 From: Alan Gonzalez <2751993+alangonzalez@users.noreply.github.com> Date: Fri, 28 Oct 2022 14:45:05 -0400 Subject: [PATCH 059/282] Update profiles --- include/profiles | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/include/profiles b/include/profiles index 325ec887..6d7c0aa7 100644 --- a/include/profiles +++ b/include/profiles @@ -352,7 +352,7 @@ # Which tests to skip (skip-test=ABCD-1234 or skip-test=ABCD-1234:subtest) skip-test) - STRING=$(echo ${VALUE} | tr '[:lower:]' '[:upper:]') + STRING=$(echo ${VALUE} | awk '{print toupper($0)}') SKIP_TESTS="${SKIP_TESTS} ${STRING}" ;; 
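Review bot: Replacing `[:alnum:]` with `[a-zA-Z0-9]` in both `tr` sets changes what the security filter accepts without recording why, either in the code or in the commit message (`Update profiles`); in tr the brackets are literal members of the set, which were already present as `\[\]`, so the effective change is ASCII-only letters and digits instead of the locale's alnum class. If the goal is a portable, locale-independent whitelist that is a sound hardening change, but it should be written next to the pattern, e.g. `# ASCII ranges instead of [:alnum:] so the whitelist does not depend on locale or tr implementation`, and profiles containing non-ASCII characters will now trigger the "unexpected characters" warning, which the DisplayWarning text could mention. The same note applies to the second hunk (`tr -dc`) of this commit.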
@@ -371,7 +371,7 @@ ssl-certificate-paths-to-ignore) # Retrieve paths to ignore when searching for certificates. Strip special characters, replace possible spaces - SSL_CERTIFICATE_PATHS_TO_IGNORE=$(echo ${VALUE} | tr -d '[:cntrl:]' | sed 's/ /__space__/g' | tr ':' ' ') + SSL_CERTIFICATE_PATHS_TO_IGNORE=$(echo ${VALUE} | tr -d '[\001-\037]' | sed 's/ /__space__/g' | tr ':' ' ') Debug "SSL paths to ignore: ${SSL_CERTIFICATE_PATHS_TO_IGNORE}" AddSetting "ssl-certificate-paths-to-ignore" "${SSL_CERTIFICATE_PATHS_TO_IGNORE}" "Paths that should be ignored for SSL certificates" ;; @@ -479,7 +479,7 @@ # Deprecated: skip tests test_skip_always) - STRING=$(echo ${VALUE} | tr '[:lower:]' '[:upper:]') + STRING=$(echo ${VALUE} | awk '{print toupper($0)}') SKIP_TESTS="${SKIP_TESTS} ${STRING}" LogText "[deprecated option] Tests to be skipped: ${VALUE}" DisplayToolTip "Replace deprecated option 'test_skip_always' and replace with 'skip-test' (add to custom.prf)" From 051052cc153bd78adfb1b41cb0949dcae08ca82e Mon Sep 17 00:00:00 2001 From: pyllyukko Date: Thu, 17 Nov 2022 18:47:44 +0200 Subject: [PATCH 060/282] Added Slackware support for PackageIsInstalled() function --- include/functions | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/include/functions b/include/functions index 38cc46b3..f27211d0 100644 --- a/include/functions +++ b/include/functions @@ -2086,6 +2086,10 @@ elif [ -n "${PKGINFOBINARY}" ]; then output=$(${PKGINFOBINARY} -q -e ${package} >/dev/null 2>&1) exit_code=$? # 0=package installed, 1=package not installed + # Slackware also has RPM for some reason and that's why this test precedes the RPMBINARY test + elif [ "${OS_NAME}" = "Slackware Linux" -a -d "${ROOTDIR}/var/lib/pkgtools/packages" ]; then + output=$( ls ${ROOTDIR}/var/lib/pkgtools/packages/ 2> /dev/null | ${GREPBINARY} "^${package}-[^-]\+-[^-]\+-[^-]\+$" ) + exit_code=$? elif [ -n "${RPMBINARY}" ]; then output=$(${RPMBINARY} --quiet -q ${package} > /dev/null 2>&1) exit_code=$? 
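Review bot: The new delete set `'[\001-\037]'` in the `ssl-certificate-paths-to-ignore` branch is not equivalent to `[:cntrl:]`: it no longer strips DEL (octal 177), and because `[` and `]` are literal members of a `tr` set, any `[` or `]` in the configured paths is now removed as well. `tr -d '\001-\037\177'` keeps the previous coverage without the bracket side effect. Separately, in the Slackware branch added to `PackageIsInstalled()` (`@@ -2086`) `${package}` is interpolated unescaped into a grep regular expression, so a name containing `.` or other metacharacters matches more loosely than the comment suggests, and `[ ... -a ... ]` is the obsolescent form of two separate `[ ]` tests; that function's body starts and ends outside the hunk.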
From 91ff939d19e0dd3b229809188b8b1cc8c7a49f31 Mon Sep 17 00:00:00 2001 From: pyllyukko Date: Tue, 3 Jan 2023 17:53:23 +0200 Subject: [PATCH 061/282] KRNL-5820: Accept ulimit with -H parameter also --- include/tests_kernel | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/tests_kernel b/include/tests_kernel index ad914bfb..e3acedce 100644 --- a/include/tests_kernel +++ b/include/tests_kernel 
@@ -512,8 +512,8 @@ if [ -f "${ROOTDIR}etc/profile" ]; then LogText "Test: Checking if 'ulimit -c 0' exists in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh" # use tail -1 in the following commands to get the last entry, which is the one that counts (in case of profile.d/ probably counts) - ULIMIT_C_VALUE="$(${GREPBINARY} "ulimit -c " ${ROOTDIR}etc/profile 2> /dev/null | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -v "^#" | ${TAILBINARY} -1 | ${CUTBINARY} -d' ' -f3 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g')" - ULIMIT_C_VALUE_SUB="$(${FINDBINARY} -L ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} "ulimit -c " | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -v "^#" | ${TAILBINARY} -1 | ${CUTBINARY} -d' ' -f3 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g')" + ULIMIT_C_VALUE="$(${GREPBINARY} "ulimit -H\?c " ${ROOTDIR}etc/profile 2> /dev/null | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -v "^#" | ${TAILBINARY} -1 | ${CUTBINARY} -d' ' -f3 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g')" + ULIMIT_C_VALUE_SUB="$(${FINDBINARY} -L ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} "ulimit -H\?c " | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -v "^#" | ${TAILBINARY} -1 | ${CUTBINARY} -d' ' -f3 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g')" if ( [ -n "${ULIMIT_C_VALUE_SUB}" ] && [ "${ULIMIT_C_VALUE_SUB}" = "0" ] ) || ( [ -n "${ULIMIT_C_VALUE}" ] && [ -z "${ULIMIT_C_VALUE_SUB}" ] && [ "${ULIMIT_C_VALUE}" = "0" ] ); then LogText "Result: core dumps are disabled by 'ulimit -c 0' in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh" Display --indent 4 --text "- configuration in etc/profile" --result "${STATUS_DISABLED}" --color GREEN From 31c22f2daa59963823e3821b281f178d342f4afb Mon Sep 17 00:00:00 2001 
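Review bot: `ulimit -H\?c ` relies on `\?`, a GNU extension to basic regular expressions that non-GNU `grep` implementations may not honour; `${GREPBINARY} -E "ulimit -H?c "` expresses the same pattern portably. The pattern also does not cover the split form `ulimit -H -c 0`, and for that form `cut -d' ' -f3` would return `-c` rather than the value; if that limitation is accepted, a comment like `# matches 'ulimit -c N' and 'ulimit -Hc N' only` above the two assignments would make it explicit. The surrounding test body continues outside the hunk.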
From: pyllyukko Date: Thu, 5 Jan 2023 14:43:29 +0200 Subject: [PATCH 062/282] Added "prosecute" & "report" to LEGAL_BANNER_STRINGS https://xkcd.com/838/ --- include/tests_banners | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_banners b/include/tests_banners index cd148f30..0694e9de 100644 --- a/include/tests_banners +++ b/include/tests_banners @@ -27,7 +27,7 @@ ################################################################################# # BANNER_FILES="${ROOTDIR}etc/issue ${ROOTDIR}etc/issue.net ${ROOTDIR}etc/motd" - LEGAL_BANNER_STRINGS="audit access authori condition connect consent continu criminal enforce evidence forbidden intrusion law legal legislat log monitor owner penal policy policies privacy private prohibited record restricted secure subject system terms warning" + LEGAL_BANNER_STRINGS="audit access authori condition connect consent continu criminal enforce evidence forbidden intrusion law legal legislat log monitor owner penal policy policies privacy private prohibited prosecute record report restricted secure subject system terms warning" # ################################################################################# # From e618acaf965a3778b5ee9121a3c27f1d65e730ec Mon Sep 17 00:00:00 2001 From: noci2012 Date: Sun, 8 Jan 2023 00:40:36 +0100 Subject: [PATCH 063/282] Update some EOL date --- db/software-eol.db | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/db/software-eol.db b/db/software-eol.db index f8242d35..c01890a5 100644 --- a/db/software-eol.db +++ b/db/software-eol.db @@ -40,7 +40,7 @@ os:Arch Linux::-1: os:CentOS release 5:2017-03-31:1490911200: os:CentOS release 6:2020-11-30:1606690800: os:CentOS Linux 7:2024-06-30:1719698400: -os:CentOS Linux 8:2029-05-31:1874872800: +os:CentOS Linux 8:2021-12-31:1640905200: # # Debian - https://wiki.debian.org/DebianReleases#Production_Releases # 
@@ -48,8 +48,9 @@ os:Debian 5.0:2012-02-06:1328482800: os:Debian 6.0:2016-02-29:1456700400: os:Debian 7:2018-05-31:1527717600: os:Debian 8:2020-06-30:1593468000: -os:Debian 9:2022-01-01:1640991600: -os:Debian 10:2022-01-01:1640991600: +os:Debian 9:2022-07-01:1656626400: +os:Debian 10:2022-09-10:1665266400: +os:Debian 11:2024-07-01:1719784800: # # Fedora - https://fedoraproject.org/wiki/End_of_life # @@ -134,6 +135,7 @@ os:Mageia 4:2015-09-19:1442613600 os:Mageia 5:2017-12-31:1514674800 os:Mageia 6:2019-09-30:1569794400 os:Mageia 7:2020-12-30:1609282800 +os:Mageia 8::-1 # # NetBSD - https://www.netbsd.org/support/security/release.html and # https://www.netbsd.org/releases/formal.html @@ -195,7 +197,12 @@ os:OpenBSD 6.3:2019-05-03:1556841600: os:OpenBSD 6.4:2019-10-17:1571270400: os:OpenBSD 6.5:2020-05-19:1589846400: os:OpenBSD 6.6:2020-10-01:1601510400: -os:OpenBSD 6.7:2021-05-01:1619827200: +os:Open166569840021-05-01:1619827200: +os:OpenBSD 6.8:2021-10-14:1665698400: +os:OpenBSD 6.9:2022-04-21:1650492000: +os:OpenBSD 7.0:2022-10-20:1666216800: +os:OpenBSD 7.1:2023-05-01:1682892000: +os:OpenBSD 7.2::-1 # # Red Hat Enterprise Linux - https://access.redhat.com/labs/plcc/ # From b64f7c8f53860514ec7e3716b0fb9231cf85ac25 Mon Sep 17 00:00:00 2001 From: noci2012 Date: Sun, 8 Jan 2023 00:41:56 +0100 Subject: [PATCH 064/282] Typo in previous paste --- db/software-eol.db | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/db/software-eol.db b/db/software-eol.db index c01890a5..fc565be3 100644 --- a/db/software-eol.db +++ b/db/software-eol.db @@ -197,7 +197,7 @@ os:OpenBSD 6.3:2019-05-03:1556841600: os:OpenBSD 6.4:2019-10-17:1571270400: os:OpenBSD 6.5:2020-05-19:1589846400: os:OpenBSD 6.6:2020-10-01:1601510400: -os:Open166569840021-05-01:1619827200: +os:OpenBSD 6.7:2021-05-01:1619827200: os:OpenBSD 6.8:2021-10-14:1665698400: os:OpenBSD 6.9:2022-04-21:1650492000: os:OpenBSD 7.0:2022-10-20:1666216800: 
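Review bot: In the `@@ -48` hunk the epoch column for Debian 10 disagrees with its date column: `1665266400` corresponds to 2022-10-09 under the file's apparent local-midnight convention, not 2022-09-10, which looks like a transposed month and day; the same kind of mismatch appears in `@@ -195` for OpenBSD 6.8, where `1665698400` is 2022-10-14 while the date column says 2021-10-14. Whichever column the loader actually reads, both should be regenerated from one source (for 2022-09-10 the constructed value would be roughly `1662760800`). The added `os:OpenBSD 7.2::-1` line also omits the trailing colon that every neighbouring OpenBSD entry carries; whether the parser tolerates that cannot be seen from this diff.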
From ef3a8338a07febf0a56421d8536c18917ef0b1f5 Mon Sep 17 00:00:00 2001 From: al-lac Date: Fri, 27 Jan 2023 15:12:17 +0100 Subject: [PATCH 065/282] osdetection: add macOS Ventura --- include/osdetection | 1 + 1 file changed, 1 insertion(+) diff --git a/include/osdetection b/include/osdetection index 989b1b38..bed25033 100644 --- a/include/osdetection +++ b/include/osdetection @@ -64,6 +64,7 @@ 10.15 | 10.15.[0-9]*) OS_FULLNAME="macOS Catalina (${OS_VERSION})" ;; 11 | 11.[0-9]*) OS_FULLNAME="macOS Big Sur (${OS_VERSION})" ;; 12 | 12.[0-9]*) OS_FULLNAME="macOS Monterey (${OS_VERSION})" ;; + 13 | 13.[0-9]*) OS_FULLNAME="macOS Ventura (${OS_VERSION})" ;; *) echo "Unknown macOS version. Do you know what version it is? Create an issue at ${PROGRAM_SOURCE}" ;; esac else From 349975103fae73567cec495d0c9bddcba9b2fc9d Mon Sep 17 00:00:00 2001 From: Johannes Segitz Date: Thu, 23 Feb 2023 13:17:25 +0100 Subject: [PATCH 066/282] tests_mac_frameworks: check for existance of semanage binary. It's not installed everywhere, causing this error message: /usr/share/lynis/include/tests_mac_frameworks: line 161: permissive: command not found /usr/share/lynis/include/tests_mac_frameworks: line 162: permissive: command not found --- include/tests_mac_frameworks | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/include/tests_mac_frameworks b/include/tests_mac_frameworks index cda343ad..ca454529 100644 --- a/include/tests_mac_frameworks +++ b/include/tests_mac_frameworks 
@@ -158,10 +158,14 @@
Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_WARNING}" --color RED
fi
Display --indent 8 --text "Current SELinux mode: ${FIND}"
- PERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${TRBINARY} '\n' ' ')
- NPERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${WCBINARY} -l)
- Display --indent 8 --text "Found ${NPERMISSIVE} permissive SELinux object types"
- LogText "Permissive SELinux object types: ${PERMISSIVE}"
+ if [ -x "$SEMANAGEBINARY" ]; then
+ PERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${TRBINARY} '\n' ' ')
+ NPERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${WCBINARY} -l)
+ Display --indent 8 --text "Found ${NPERMISSIVE} permissive SELinux object types"
+ LogText "Permissive SELinux object types: ${PERMISSIVE}"
+ else
+ LogText "Result: semanage binary NOT found, can't analyse permissive domains"
+ fi
UNCONFINED=$(${PSBINARY} -eo label,pid,command | ${GREPBINARY} '[u]nconfined_t' | ${TRBINARY} '\n' ' ')
INITRC=$(${PSBINARY} -eo label,pid,command | ${GREPBINARY} '[i]nitrc_t' | ${TRBINARY} '\n' ' ')
NUNCONFINED=$(${PSBINARY} -eo label | ${GREPBINARY} '[u]nconfined_t' | ${WCBINARY} -l)
From 02ad15862d2dae7f4e8434556467a1b6ca5490fe Mon Sep 17 00:00:00 2001
From: DemurAIdev
Date: Mon, 6 Mar 2023 11:45:01 +0700
Subject: [PATCH 067/282] ID Languages add
---
db/languages/id | 107 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 107 insertions(+)
create mode 100644 db/languages/id
diff --git a/db/languages/id b/db/languages/id
new file mode 100644
index 00000000..4a7b26f4
--- /dev/null
+++ b/db/languages/id
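Review bot: The new guard `[ -x "$SEMANAGEBINARY" ]` drops the `${...}` brace form that every other line of this hunk uses; `if [ -x "${SEMANAGEBINARY}" ]; then` keeps the file's style, and `-x` is a reasonable choice since a non-executable path could not be run anyway. When semanage is absent the outcome goes only to the log while the found branch also writes to the screen; a `Display --indent 8 --text "semanage not available, permissive domains not checked"` next to the new `LogText` would keep the two branches symmetric for the person reading the report. The enclosing SELinux block starts outside the hunk.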
@@ -0,0 +1,107 @@
+ERROR_NO_LICENSE="Tidak ada kunci lisensi yang dikonfigurasi"
+ERROR_NO_UPLOAD_SERVER="Tidak ada server unggahan yang dikonfigurasi"
+GEN_CHECKING="Memeriksa"
+GEN_CURRENT_VERSION="Versi sekarang"
+GEN_DEBUG_MODE="Debug mode"
+GEN_INITIALIZE_PROGRAM="Inisialisasi program"
+GEN_LATEST_VERSION="Versi terbaru"
+GEN_PHASE="fase"
+GEN_PLUGINS_ENABLED="Plugin diaktifkan"
+GEN_UPDATE_AVAILABLE="update tersedia"
+GEN_VERBOSE_MODE="Verbose mode"
+GEN_WHAT_TO_DO="Apa yang harus dilakukan"
+NOTE_EXCEPTIONS_FOUND="Pengecualian ditemukan"
+NOTE_EXCEPTIONS_FOUND_DETAILED="Beberapa peristiwa atau informasi luar biasa ditemukan"
+NOTE_PLUGINS_TAKE_TIME="Note: plugin memiliki pengujian yang lebih ekstensif dan mungkin memerlukan waktu beberapa menit untuk menyelesaikannya"
+NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Tes yang dilewati karena mode non-istimewa"
+#SECTION_ACCOUNTING="Accounting"
+#SECTION_BANNERS_AND_IDENTIFICATION="Banners and identification"
+#SECTION_BASICS="Basics"
+#SECTION_BOOT_AND_SERVICES="Boot and services"
+#SECTION_CONTAINERS="Containers"
+#SECTION_CRYPTOGRAPHY="Cryptography"
+SECTION_CUSTOM_TESTS="Tes kustom"
+#SECTION_DATABASES="Databases"
+#SECTION_DATA_UPLOAD="Data upload"
+#SECTION_DOWNLOADS="Downloads"
+#SECTION_EMAIL_AND_MESSAGING="Software: e-mail and messaging"
+#SECTION_FILE_INTEGRITY="Software: file integrity"
+#SECTION_FILE_PERMISSIONS="File Permissions"
+#SECTION_FILE_SYSTEMS="File systems"
+#SECTION_FIREWALLS="Software: firewalls"
+#SECTION_GENERAL="General"
+#SECTION_HARDENING="Hardening"
+#SECTION_HOME_DIRECTORIES="Home directories"
+#SECTION_IMAGE="Image"
+#SECTION_INITIALIZING_PROGRAM="Initializing program"
+#SECTION_INSECURE_SERVICES="Insecure services"
+#SECTION_KERNEL_HARDENING="Kernel Hardening"
+#SECTION_KERNEL="Kernel"
+#SECTION_LDAP_SERVICES="LDAP Services"
+#SECTION_LOGGING_AND_FILES="Logging and files"
+SECTION_MALWARE="Software: Malware"
+SECTION_MEMORY_AND_PROCESSES="Memory and Processes"
+SECTION_NAME_SERVICES="Name 
services"
+SECTION_NETWORKING="Networking"
+SECTION_PERMISSIONS="Permissions"
+SECTION_PORTS_AND_PACKAGES="Ports and packages"
+SECTION_PRINTERS_AND_SPOOLS="Printers and Spools"
+SECTION_PROGRAM_DETAILS="Program Details"
+SECTION_SCHEDULED_TASKS="Scheduled tasks"
+SECTION_SECURITY_FRAMEWORKS="Security frameworks"
+SECTION_SHELLS="Shells"
+SECTION_SNMP_SUPPORT="SNMP Support"
+SECTION_SOFTWARE="Software"
+SECTION_SQUID_SUPPORT="Squid Support"
+SECTION_SSH_SUPPORT="SSH Support"
+SECTION_STORAGE="Storage"
+SECTION_SYSTEM_INTEGRITY="Software: System integrity"
+SECTION_SYSTEM_TOOLING="Software: System tooling"
+SECTION_SYSTEM_TOOLS="System tools"
+SECTION_TIME_AND_SYNCHRONIZATION="Time and Synchronization"
+SECTION_USB_DEVICES="USB Devices"
+SECTION_USERS_GROUPS_AND_AUTHENTICATION="Users, Groups and Authentication"
+SECTION_VIRTUALIZATION="Virtualization"
+SECTION_WEBSERVER="Software: webserver"
+STATUS_ACTIVE="ACTIVE"
+STATUS_CHECK_NEEDED="CHECK NEEDED"
+STATUS_DEBUG="DEBUG"
+STATUS_DEFAULT="DEFAULT"
+STATUS_DIFFERENT="DIFFERENT"
+STATUS_DISABLED="DISABLED"
+STATUS_DONE="DONE"
+STATUS_ENABLED="ENABLED"
+STATUS_ERROR="ERROR"
+STATUS_EXPOSED="EXPOSED"
+STATUS_FAILED="FAILED"
+STATUS_FILES_FOUND="FILES FOUND"
+STATUS_FOUND="FOUND"
+STATUS_HARDENED="HARDENED"
+STATUS_INSTALLED="INSTALLED"
+STATUS_LOCAL_ONLY="LOCAL ONLY"
+STATUS_MEDIUM="MEDIUM"
+STATUS_NO="NO"
+STATUS_NO_UPDATE="NO UPDATE"
+STATUS_NON_DEFAULT="NON DEFAULT"
+STATUS_NONE="NONE"
+STATUS_NOT_CONFIGURED="NOT CONFIGURED"
+STATUS_NOT_DISABLED="NOT DISABLED"
+STATUS_NOT_ENABLED="NOT ENABLED"
+STATUS_NOT_FOUND="NOT FOUND"
+STATUS_NOT_RUNNING="NOT RUNNING"
+STATUS_OFF="OFF"
+STATUS_OK="OK"
+STATUS_ON="ON"
+STATUS_PARTIALLY_HARDENED="PARTIALLY HARDENED"
+STATUS_PROTECTED="PROTECTED"
+STATUS_RUNNING="RUNNING"
+STATUS_SKIPPED="SKIPPED"
+STATUS_SUGGESTION="SUGGESTION"
+STATUS_UNKNOWN="UNKNOWN"
+STATUS_UNSAFE="UNSAFE"
+STATUS_UPDATE_AVAILABLE="UPDATE TERSEDIA"
+STATUS_WARNING="WARNING"
+STATUS_WEAK="WEAK"
+STATUS_YES="YES"
+TEXT_UPDATE_AVAILABLE="update tersedia"
+TEXT_YOU_CAN_HELP_LOGFILE="Anda dapat membantu dengan memberikan file log Anda"
From fe0b40c98d08f35481bb6b1ab64276958355a379 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
Date: Fri, 10 Mar 2023 10:46:04 +0100
Subject: [PATCH 068/282] support perf_event_paranoid=4
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Thomas Sjögren
---
default.prf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/default.prf b/default.prf
index aadc4495..6cffcc1e 100644
--- a/default.prf
+++ b/default.prf
@@ -197,7 +197,7 @@ config-data=sysctl;kernel.exec-shield;1;1;No description;sysctl -a;url:https;//k config-data=sysctl;kernel.kptr_restrict;2;1;Restrict access to kernel symbols;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security; config-data=sysctl;kernel.maps_protect;1;1;Restrict access to /proc/[pid]/maps;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security; config-data=sysctl;kernel.modules_disabled;1;1;Restrict module loading once this sysctl value is loaded;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security; -config-data=sysctl;kernel.perf_event_paranoid;3;1;Restrict unprivileged access to the perf_event_open() system call.;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security; +config-data=sysctl;kernel.perf_event_paranoid;3|4;1;Restrict unprivileged access to the perf_event_open() system call.;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security; config-data=sysctl;kernel.randomize_va_space;2;1;Randomize of memory address locations (ASLR);sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security; config-data=sysctl;kernel.suid_dumpable;0;1;Restrict core dumps;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security; config-data=sysctl;kernel.sysrq;0;1;Disable magic SysRQ;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security; From 833508a59017ee9e4a44829e10f17a9fc7cbadbf Mon Sep 17 00:00:00 2001 From: xnoguer Date: Wed, 5 Apr 2023 15:58:26 -0400 Subject: [PATCH 069/282] Adding php.ini files for versions 8.0, 8.1 and 8.2 --- include/tests_php | 68 ++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 64 insertions(+), 4 deletions(-) diff --git a/include/tests_php b/include/tests_php index 23738198..90fde471 100644 --- a/include/tests_php +++ b/include/tests_php 
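Review bot: The expected-value field of the `kernel.perf_event_paranoid` entry now reads `3|4`, but nothing in this hunk shows that the sysctl comparison treats `|` as alternation; every neighbouring entry carries a single value, so unless the profile loader already understands this syntax the check will compare against the literal string `3|4` and flag every system. If the loader does support it, a comment above the entry such as `# 3|4: either value is accepted; 4 only exists on kernels carrying the Debian/Ubuntu perf hardening patch` would document both the syntax and why 4 is listed.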
@@ -37,6 +37,9 @@
${ROOTDIR}etc/php7.2/php.ini \
${ROOTDIR}etc/php7.3/php.ini \
${ROOTDIR}etc/php7.4/php.ini \
+ ${ROOTDIR}etc/php8.0/php.ini \
+ ${ROOTDIR}etc/php8.1/php.ini \
+ ${ROOTDIR}etc/php8.2/php.ini \
${ROOTDIR}etc/php/cgi-php5/php.ini \
${ROOTDIR}etc/php/cli-php5/php.ini \
${ROOTDIR}etc/php/apache2-php5/php.ini \
@@ -47,6 +50,9 @@
${ROOTDIR}etc/php/apache2-php7.2/php.ini \
${ROOTDIR}etc/php/apache2-php7.3/php.ini \
${ROOTDIR}etc/php/apache2-php7.4/php.ini \
+ ${ROOTDIR}etc/php/apache2-php8.0/php.ini \
+ ${ROOTDIR}etc/php/apache2-php8.1/php.ini \
+ ${ROOTDIR}etc/php/apache2-php8.2/php.ini \
${ROOTDIR}etc/php/cgi-php5.5/php.ini \
${ROOTDIR}etc/php/cgi-php5.6/php.ini \
${ROOTDIR}etc/php/cgi-php7.0/php.ini \
@@ -54,6 +60,9 @@
${ROOTDIR}etc/php/cgi-php7.2/php.ini \
${ROOTDIR}etc/php/cgi-php7.3/php.ini \
${ROOTDIR}etc/php/cgi-php7.4/php.ini \
+ ${ROOTDIR}etc/php/cgi-php8.0/php.ini \
+ ${ROOTDIR}etc/php/cgi-php8.1/php.ini \
+ ${ROOTDIR}etc/php/cgi-php8.2/php.ini \
${ROOTDIR}etc/php/cli-php5.5/php.ini \
${ROOTDIR}etc/php/cli-php5.6/php.ini \
${ROOTDIR}etc/php/cli-php7.0/php.ini \
@@ -61,6 +70,9 @@
${ROOTDIR}etc/php/cli-php7.2/php.ini \
${ROOTDIR}etc/php/cli-php7.3/php.ini \
${ROOTDIR}etc/php/cli-php7.4/php.ini \
+ ${ROOTDIR}etc/php/cli-php8.0/php.ini \
+ ${ROOTDIR}etc/php/cli-php8.1/php.ini \
+ ${ROOTDIR}etc/php/cli-php8.2/php.ini \
${ROOTDIR}etc/php/embed-php5.5/php.ini \
${ROOTDIR}etc/php/embed-php5.6/php.ini \
${ROOTDIR}etc/php/embed-php7.0/php.ini \
@@ -68,6 +80,12 @@
${ROOTDIR}etc/php/embed-php7.2/php.ini \
${ROOTDIR}etc/php/embed-php7.3/php.ini \
${ROOTDIR}etc/php/embed-php7.4/php.ini \
+ ${ROOTDIR}etc/php/embed-php8.0/php.ini \
+ ${ROOTDIR}etc/php/embed-php8.1/php.ini \
+ ${ROOTDIR}etc/php/embed-php8.2/php.ini \
+ ${ROOTDIR}etc/php/fpm-php8.2/php.ini \
+ ${ROOTDIR}etc/php/fpm-php8.1/php.ini \
+ ${ROOTDIR}etc/php/fpm-php8.0/php.ini \
${ROOTDIR}etc/php/fpm-php7.4/php.ini \
${ROOTDIR}etc/php/fpm-php7.3/php.ini \
${ROOTDIR}etc/php/fpm-php7.2/php.ini \
@@ -88,6 +106,9 @@
${ROOTDIR}etc/php/7.2/apache2/php.ini \
${ROOTDIR}etc/php/7.3/apache2/php.ini \
${ROOTDIR}etc/php/7.4/apache2/php.ini \
+ ${ROOTDIR}etc/php/8.0/apache2/php.ini \
+ ${ROOTDIR}etc/php/8.1/apache2/php.ini \
+ ${ROOTDIR}etc/php/8.2/apache2/php.ini \
${ROOTDIR}etc/php/7.0/cli/php.ini \
${ROOTDIR}etc/php/7.0/fpm/php.ini \
${ROOTDIR}etc/php/7.1/cli/php.ini \
@@ -98,6 +119,12 @@
${ROOTDIR}etc/php/7.3/fpm/php.ini \
${ROOTDIR}etc/php/7.4/cli/php.ini \
${ROOTDIR}etc/php/7.4/fpm/php.ini \
+ ${ROOTDIR}etc/php/8.0/cli/php.ini \
+ ${ROOTDIR}etc/php/8.0/fpm/php.ini \
+ ${ROOTDIR}etc/php/8.1/cli/php.ini \
+ ${ROOTDIR}etc/php/8.1/fpm/php.ini \
+ ${ROOTDIR}etc/php/8.2/cli/php.ini \
+ ${ROOTDIR}etc/php/8.2/fpm/php.ini \
${ROOTDIR}var/www/conf/php.ini \
${ROOTDIR}usr/local/etc/php.ini \
${ROOTDIR}usr/local/lib/php.ini \
@@ -109,6 +136,9 @@
${ROOTDIR}usr/local/php72/lib/php.ini \
${ROOTDIR}usr/local/php73/lib/php.ini \
${ROOTDIR}usr/local/php74/lib/php.ini \
+ ${ROOTDIR}usr/local/php80/lib/php.ini \
+ ${ROOTDIR}usr/local/php81/lib/php.ini \
+ ${ROOTDIR}usr/local/php82/lib/php.ini \
${ROOTDIR}usr/local/zend/etc/php.ini \
${ROOTDIR}usr/pkg/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.ini \
@@ -119,6 +149,9 @@
${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php73/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php74/root/etc/php.ini \
+ ${ROOTDIR}opt/cpanel/ea-php80/root/etc/php.ini \
+ ${ROOTDIR}opt/cpanel/ea-php81/root/etc/php.ini \
+ ${ROOTDIR}opt/cpanel/ea-php82/root/etc/php.ini \
${ROOTDIR}opt/alt/php44/etc/php.ini \
${ROOTDIR}opt/alt/php51/etc/php.ini \
${ROOTDIR}opt/alt/php52/etc/php.ini \
@@ -131,12 +164,18 @@
${ROOTDIR}opt/alt/php72/etc/php.ini \
${ROOTDIR}opt/alt/php73/etc/php.ini \
${ROOTDIR}opt/alt/php74/etc/php.ini \
+ ${ROOTDIR}opt/alt/php80/etc/php.ini \
+ ${ROOTDIR}opt/alt/php81/etc/php.ini \
+ ${ROOTDIR}opt/alt/php82/etc/php.ini \
${ROOTDIR}etc/opt/remi/php56/php.ini \
${ROOTDIR}etc/opt/remi/php70/php.ini \
${ROOTDIR}etc/opt/remi/php71/php.ini \
${ROOTDIR}etc/opt/remi/php72/php.ini \
${ROOTDIR}etc/opt/remi/php73/php.ini \
- ${ROOTDIR}etc/opt/remi/php74/php.ini"
+ ${ROOTDIR}etc/opt/remi/php74/php.ini \
+ ${ROOTDIR}etc/opt/remi/php80/php.ini \
+ ${ROOTDIR}etc/opt/remi/php81/php.ini \
+ ${ROOTDIR}etc/opt/remi/php82/php.ini"
# HEADS-UP: OpenBSD, last two releases are supported, and snapshots of -current
PHPINILOCS="${PHPINILOCS} \
${ROOTDIR}etc/php-5.6.ini \
@@ -144,7 +183,10 @@
${ROOTDIR}etc/php-7.1.ini \
${ROOTDIR}etc/php-7.2.ini \
${ROOTDIR}etc/php-7.3.ini \
- ${ROOTDIR}etc/php-7.4.ini"
+ ${ROOTDIR}etc/php-7.4.ini \
+ ${ROOTDIR}etc/php-8.0.ini \
+ ${ROOTDIR}etc/php-8.1.ini \
+ ${ROOTDIR}etc/php-8.2.ini"

PHPINIDIRS="${ROOTDIR}etc/php5/conf.d \
${ROOTDIR}etc/php/7.0/cli/conf.d \
@@ -152,11 +194,17 @@
${ROOTDIR}etc/php/7.2/cli/conf.d \
${ROOTDIR}etc/php/7.3/cli/conf.d \
${ROOTDIR}etc/php/7.4/cli/conf.d \
+ ${ROOTDIR}etc/php/8.0/cli/conf.d \
+ ${ROOTDIR}etc/php/8.1/cli/conf.d \
+ ${ROOTDIR}etc/php/8.2/cli/conf.d \
${ROOTDIR}etc/php/7.0/fpm/conf.d \
${ROOTDIR}etc/php/7.1/fpm/conf.d \
${ROOTDIR}etc/php/7.2/fpm/conf.d \
${ROOTDIR}etc/php/7.3/fpm/conf.d \
${ROOTDIR}etc/php/7.4/fpm/conf.d \
+ ${ROOTDIR}etc/php/8.0/fpm/conf.d \
+ ${ROOTDIR}etc/php/8.1/fpm/conf.d \
+ ${ROOTDIR}etc/php/8.2/fpm/conf.d \
${ROOTDIR}etc/php.d \
${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.d \
${ROOTDIR}opt/cpanel/ea-php55/root/etc/php.d \
@@ -166,6 +214,9 @@
${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.d \
${ROOTDIR}opt/cpanel/ea-php73/root/etc/php.d \
${ROOTDIR}opt/cpanel/ea-php74/root/etc/php.d \
+ ${ROOTDIR}opt/cpanel/ea-php80/root/etc/php.d \
+ ${ROOTDIR}opt/cpanel/ea-php81/root/etc/php.d \
+ ${ROOTDIR}opt/cpanel/ea-php82/root/etc/php.d \
${ROOTDIR}opt/alt/php44/etc/php.d.all \
${ROOTDIR}opt/alt/php51/etc/php.d.all \
${ROOTDIR}opt/alt/php52/etc/php.d.all \
@@ -178,12 +229,18 @@
${ROOTDIR}opt/alt/php72/etc/php.d.all \
${ROOTDIR}opt/alt/php73/etc/php.d.all \
${ROOTDIR}opt/alt/php74/etc/php.d.all \
+ ${ROOTDIR}opt/alt/php80/etc/php.d.all \
+ ${ROOTDIR}opt/alt/php81/etc/php.d.all \
+ ${ROOTDIR}opt/alt/php82/etc/php.d.all \
${ROOTDIR}usr/local/lib/php.conf.d \
${ROOTDIR}usr/local/php70/lib/php.conf.d \
${ROOTDIR}usr/local/php71/lib/php.conf.d \
${ROOTDIR}usr/local/php72/lib/php.conf.d \
${ROOTDIR}usr/local/php73/lib/php.conf.d \
- ${ROOTDIR}usr/local/php74/lib/php.conf.d"
+ ${ROOTDIR}usr/local/php74/lib/php.conf.d \
+ ${ROOTDIR}usr/local/php80/lib/php.conf.d \
+ ${ROOTDIR}usr/local/php81/lib/php.conf.d \
+ ${ROOTDIR}usr/local/php82/lib/php.conf.d"
# HEADS-UP: OpenBSD, last two releases are supported, and snapshots of -current
PHPINIDIRS="${PHPINIDIRS} \
${ROOTDIR}etc/php-5.6 \
@@ -191,7 +248,10 @@
${ROOTDIR}etc/php-7.1 \
${ROOTDIR}etc/php-7.2 \
${ROOTDIR}etc/php-7.3 \
- ${ROOTDIR}etc/php-7.4"
+ ${ROOTDIR}etc/php-7.4 \
+ ${ROOTDIR}etc/php-8.0 \
+ ${ROOTDIR}etc/php-8.1 \
+ ${ROOTDIR}etc/php-8.2"
#
#################################################################################
#
From fd64aa24d64b1281c4d72bc63db80538988caffc Mon Sep 17 00:00:00 2001
From: xnoguer
Date: Tue, 18 Apr 2023 16:46:19 -0400
Subject: [PATCH 070/282] Adding test MALW-3291 in order to solve issue 1322 (related to issue 994)
---
db/tests.db | 1 +
include/consts | 1 +
include/tests_malware | 18 ++++++++++++++++++
3 files changed, 20 insertions(+)
diff --git a/db/tests.db b/db/tests.db
index e4dc8fbd..206b6008 100644
--- a/db/tests.db
+++ b/db/tests.db
@@ -275,6 +275,7 @@ MALW-3284:test:security:malware::Check for clamd:
MALW-3286:test:security:malware::Check for freshclam:
MALW-3288:test:security:malware::Check for ClamXav:
MALW-3290:test:security:malware::Presence of malware scanner:
+MALW-3291:test:security:malware::Check for Microsoft Defender Antivirus:
NAME-4016:test:security:nameservices::Check /etc/resolv.conf default domain:
NAME-4018:test:security:nameservices::Check /etc/resolv.conf search domains:
NAME-4020:test:security:nameservices::Check non default options:
diff --git a/include/consts b/include/consts
index 5d618429..714f4a92 100644
--- a/include/consts
+++ b/include/consts
@@ -169,6 +169,7 @@ ETC_PATHS="/etc /usr/local/etc"
MACHINEID=""
MACHINE_ROLE=""
MALWARE_SCANNER_INSTALLED=0
+ MDATPBINARY=""
MIN_PASSWORD_LENGTH=-1
MONGODB_RUNNING=0
MOUNTBINARY=""
diff --git a/include/tests_malware b/include/tests_malware
index 40336fa5..04f7ea76 100644
--- a/include/tests_malware
+++ b/include/tests_malware
@@ -354,6 +354,24 @@
fi
#
#################################################################################
+#
+ # Test : MALW-3291
+ # Description : Check if Microsoft Defender Antivirus is installed
+ Register --test-no MALW-3291 --weight L --network NO --category security --description "Check for mdatp"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ LogText "Test: checking presence mdatp"
+ if [ ! "${MDATPBINARY}" = "" ]; then
+ Display --indent 2 --text "- Checking Microsoft Defender Antivirus" --result "${STATUS_FOUND}" --color GREEN
+ LogText "Result: Found ${MDATPBINARY}"
+ MALWARE_SCANNER_INSTALLED=1
+ AddHP 2 2
+ Report "malware_scanner[]=mdatp"
+ else
+ LogText "Result: mdatp couldn't be found"
+ fi
+ fi
+#
+#################################################################################
#
# Test : MALW-3286
# Description : Check running freshclam if clamd process is running
From 6f1797fb59c23ad4f545ca5ef458ff56199d8152 Mon Sep 17 00:00:00 2001
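Review bot: `MDATPBINARY` is only ever initialised to the empty string in `include/consts`; the diffstat lists no change to `include/binaries`, so nothing assigns the located path and the new MALW-3291 test will always take the `else` branch and log `mdatp couldn't be found`. The binary-detection `case` in `include/binaries` (its `dpkg)`/`xbps-query)` arms are visible in a later patch of this series) needs a matching `mdatp)` arm in the same change. Stylistically, `[ ! "${MDATPBINARY}" = "" ]` is better written as `[ -n "${MDATPBINARY}" ]`, and the not-found branch shows nothing on screen while the found branch calls `Display`; a `Display --indent 2 --text "- Checking Microsoft Defender Antivirus" --result "${STATUS_NOT_FOUND}" --color WHITE` next to the second `LogText` keeps the two branches symmetric.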
From: xnoguer Date: Sun, 23 Apr 2023 17:38:21 -0400 Subject: [PATCH 071/282] Using grep -E --- include/binaries | 2 -- include/functions | 9 +++++++-- include/tests_authentication | 32 ++++++++++++++++---------------- include/tests_boot_services | 14 +++++++------- include/tests_containers | 2 +- include/tests_crypto | 4 ++-- include/tests_databases | 4 ++-- include/tests_file_integrity | 8 ++++---- include/tests_file_permissions | 2 +- include/tests_filesystems | 14 +++++++------- include/tests_firewalls | 6 +++--- include/tests_homedirs | 4 ++-- include/tests_insecure_services | 2 +- include/tests_kernel | 18 +++++++++--------- include/tests_logging | 24 ++++++++++++------------ include/tests_mail_messaging | 10 +++++----- include/tests_nameservices | 8 ++++---- include/tests_networking | 2 +- include/tests_php | 18 +++++++++--------- include/tests_ports_packages | 8 ++++---- include/tests_printers_spoolers | 6 +++--- include/tests_scheduling | 16 ++++++++-------- include/tests_shells | 2 +- include/tests_squid | 2 +- include/tests_ssh | 4 ++-- include/tests_storage | 8 ++++---- include/tests_time | 18 +++++++++--------- include/tests_tooling | 4 ++-- include/tests_usb | 12 ++++++------ include/tests_webservers | 6 +++--- 30 files changed, 136 insertions(+), 133 deletions(-) diff --git a/include/binaries b/include/binaries index 7aabba42..c8fdc1e2 100644 --- a/include/binaries +++ b/include/binaries 
@@ -169,7 +169,6 @@ domainname) DOMAINNAMEBINARY="${BINARY}"; LogText " Found known binary: domainname (NIS domain) - ${BINARY}" ;; dpkg) DPKGBINARY="${BINARY}"; LogText " Found known binary: dpkg (package management) - ${BINARY}" ;; xbps-query) XBPSBINARY="${BINARY}"; LogText " Found known binary: xbps (package management) - ${BINARY}" ;; - egrep) EGREPBINARY=${BINARY}; LogText " Found known binary: egrep (text search) - ${BINARY}" ;; equery) EQUERYBINARY="${BINARY}"; LogText " Found known binary: query (package manager) - ${BINARY}" ;; evmctl) EVMCTLBINARY=${BINARY}; LogText " Found known binary: evmctl (IMA/EVM tool) - ${BINARY}" ;; exim) EXIMBINARY="${BINARY}"; EXIMVERSION=$(${BINARY} -bV | grep 'Exim version' | awk '{ print $3 }' | xargs); LogText " Found known binary ${BINARY} (version ${EXIMVERSION})" ;; @@ -341,7 +340,6 @@ [ "${AWKBINARY:-}" ] || ExitFatal "awk binary not found" [ "${CAT_BINARY:-}" ] || ExitFatal "cat binary not found" [ "${CUTBINARY:-}" ] || ExitFatal "cut binary not found" - [ "${EGREPBINARY:-}" ] || ExitFatal "egrep binary not found" [ "${FINDBINARY:-}" ] || ExitFatal "find binary not found" [ "${GREPBINARY:-}" ] || ExitFatal "grep binary not found" [ "${HEADBINARY:-}" ] || ExitFatal "head binary not found" diff --git a/include/functions b/include/functions index 38cc46b3..841586be 100644 --- a/include/functions +++ b/include/functions @@ -1315,7 +1315,7 @@ return 2 else for CHECK_PERMISSION in ${CHECKPERMISSION_FULL}; do - DATA=$(echo ${CHECK_PERMISSION} | ${EGREPBINARY} "[rwx]") + DATA=$(echo ${CHECK_PERMISSION} | ${GREPBINARY} -E "[rwx]") if [ $? -eq 0 ]; then # add a dummy character as first character so it looks like output is a normal file CHECK_PERMISSION=$(echo "-${CHECK_PERMISSION}" | ${AWKBINARY} '{k=0;for(i=0;i<=8;i++)k+=((substr($1,i+2,1)~/[rwx]/)*2^(8-i));if(k)printf("%0o",k)}') 
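Review bot: Removing the `egrep)` arm and the `EGREPBINARY` fatal check leaves the variable undefined for anything this commit does not rewrite — custom tests, plugins or profiles that still expand `${EGREPBINARY}` would now run an empty command word and fail in a confusing way instead of with the old `egrep binary not found` message. Since the visible callers expand it unquoted (`${EGREPBINARY:-egrep}` in the functions hunk), a transitional `EGREPBINARY="${GREPBINARY} -E"` with a `# deprecated: use ${GREPBINARY} -E` comment would keep them working for one release; at minimum the removal deserves a CHANGELOG line. The `case` and the binary-presence checks both start and end outside these hunks.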
@@ -1608,7 +1608,7 @@ # This search is not foolproof LogText "Performing simple ps scan (busybox)" PSOPTIONS=" -o args=" - FIND=$(${PSBINARY:-ps} ${PSOPTIONS} | ${EGREPBINARY:-egrep} "( |/)${search}" | ${GREPBINARY:-grep} -v "grep") + FIND=$(${PSBINARY:-ps} ${PSOPTIONS} | ${GREPBINARY:-grep} -E "( |/)${search}" | ${GREPBINARY:-grep} -v "grep") else if [ -n "${users}" ]; then for u in ${users}; do @@ -3103,6 +3103,11 @@ unsafe=1 LogText "Security alert: file is not owned by active user, but can write to it" fi + # File is not owned by active user, and not readable by him + if [ ! -O "${FILE}" -a ! -r "${FILE}" ]; then + unsafe=1 + LogText "Security alert: file is not readable by active user" + fi fi # Check file permissions diff --git a/include/tests_authentication b/include/tests_authentication index 0552d646..3ec54d64 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -42,9 +42,9 @@ LogText "Test: Searching accounts with UID 0" # Check if device is a QNAP, as the root user is called admin, and not root if [ ${QNAP_DEVICE} -eq 1 ]; then - FIND=$(${GREPBINARY} ':0:' ${ROOTDIR}etc/passwd | ${EGREPBINARY} -v '^#|^admin:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0') + FIND=$(${GREPBINARY} ':0:' ${ROOTDIR}etc/passwd | ${GREPBINARY} -E -v '^#|^admin:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0') else - FIND=$(${GREPBINARY} ':0:' ${ROOTDIR}etc/passwd | ${EGREPBINARY} -v '^#|^root:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0') + FIND=$(${GREPBINARY} ':0:' ${ROOTDIR}etc/passwd | ${GREPBINARY} -E -v '^#|^root:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0') fi if [ -n "${FIND}" ]; then Display --indent 2 --text "- Administrator accounts" --result "${STATUS_WARNING}" --color RED 
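Review bot: The new `-O`/`-r` block in `@@ -3103` is unrelated to the commit subject ("Using grep -E") and would be easier to review and to revert as its own change. Its log line, `Security alert: file is not readable by active user`, also overstates what was found: a file the scanner cannot read is a condition it cannot assess rather than evidence of weakness, so wording it as a skipped check is more accurate, and `[ ! -O "${FILE}" ] && [ ! -r "${FILE}" ]` avoids the obsolescent `-a`. The enclosing function starts and ends outside the hunk, so how `unsafe=1` is consumed by the caller cannot be checked here.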
@@ -163,7 +163,7 @@
 LogText "Test: Checking login shells"
 if [ -f ${ROOTDIR}etc/master.passwd ]; then
 # Check for all shells, except: (/usr)/sbin/nologin /nonexistent
- FIND=$(${GREPBINARY} "[a-z]:\*:" ${ROOTDIR}etc/master.passwd | ${EGREPBINARY} -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | ${SEDBINARY} 's/ /!space!/g')
+ FIND=$(${GREPBINARY} "[a-z]:\*:" ${ROOTDIR}etc/master.passwd | ${GREPBINARY} -E -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | ${SEDBINARY} 's/ /!space!/g')
 if [ -z "${FIND}" ]; then
 Display --indent 2 --text "- Login shells" --result "${STATUS_OK}" --color GREEN
 else
@@ -499,13 +499,13 @@
 Register --test-no AUTH-9240 --weight L --network NO --category security --description "Query NIS+ authentication support"
 if [ ${SKIPTEST} -eq 0 ]; then
 if [ -f /etc/nsswitch.conf ]; then
- FIND=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${EGREPBINARY} "compat|nisplus")
+ FIND=$(${GREPBINARY} -E "^passwd" /etc/nsswitch.conf | ${GREPBINARY} -E "compat|nisplus")
 if [ -z "${FIND}" ]; then
 LogText "Result: NIS+ authentication not enabled"
 Display --indent 2 --text "- NIS+ authentication support" --result "${STATUS_NOT_ENABLED}" --color WHITE
 else
- FIND2=$(${EGREPBINARY} "^passwd_compat" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus")
- FIND3=$(${EGREPBINARY} "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus")
+ FIND2=$(${GREPBINARY} -E "^passwd_compat" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus")
+ FIND3=$(${GREPBINARY} -E "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus")
 if [ -n "${FIND2}" -o -n "${FIND3}" ]; then
 LogText "Result: NIS+ authentication enabled"
 Display --indent 2 --text "- NIS+ authentication support" --result "${STATUS_ENABLED}" --color GREEN
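Review bot: The rewritten `grep -E` lines in AUTH-9240 still read two different files: the `-f` guard and the first `FIND` use `/etc/nsswitch.conf`, while `FIND2` and `FIND3` use `${ROOTDIR}etc/nsswitch.conf`, so with a non-default root directory the presence check and the enabled/not-enabled verdict come from different trees. This predates the commit, but since the lines are being rewritten anyway, `if [ -f ${ROOTDIR}etc/nsswitch.conf ]; then` and `FIND=$(${GREPBINARY} -E "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} -E "compat|nisplus")` would make the test consistent. The AUTH-9242 hunk on the next line uses the bare `/etc/nsswitch.conf` path throughout and has the same question.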
@@ -526,13 +526,13 @@
 Register --test-no AUTH-9242 --weight L --network NO --category security --description "Query NIS authentication support"
 if [ ${SKIPTEST} -eq 0 ]; then
 if [ -f /etc/nsswitch.conf ]; then
- FIND=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${EGREPBINARY} "compat|nis" | ${GREPBINARY} -v "nisplus")
+ FIND=$(${GREPBINARY} -E "^passwd" /etc/nsswitch.conf | ${GREPBINARY} -E "compat|nis" | ${GREPBINARY} -v "nisplus")
 if [ -z "${FIND}" ]; then
 LogText "Result: NIS authentication not enabled"
 Display --indent 2 --text "- NIS authentication support" --result "${STATUS_NOT_ENABLED}" --color WHITE
 else
- FIND2=$(${EGREPBINARY} "^passwd_compat" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus")
- FIND3=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus")
+ FIND2=$(${GREPBINARY} -E "^passwd_compat" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus")
+ FIND3=$(${GREPBINARY} -E "^passwd" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus")
 if [ -n "${FIND2}" -o -n "${FIND3}" ]; then
 LogText "Result: NIS authentication enabled"
 Display --indent 2 --text "- NIS authentication support" --result "${STATUS_ENABLED}" --color GREEN
@@ -737,7 +737,7 @@
 LogText "Result: file ${ROOTDIR}etc/pam.conf exists"
 Display --indent 2 --text "- PAM configuration files (pam.conf)" --result "${STATUS_FOUND}" --color GREEN
 LogText "Test: searching PAM configuration files"
- FIND=$(${EGREPBINARY} -v "^#" ${ROOTDIR}etc/pam.conf | ${EGREPBINARY} -v "^$" | ${SEDBINARY} 's/[[:space:]]/ /g' | ${SEDBINARY} 's/ / /g' | ${SEDBINARY} 's/ /:space:/g')
+ FIND=$(${GREPBINARY} -E -v "^#" ${ROOTDIR}etc/pam.conf | ${GREPBINARY} -E -v "^$" | ${SEDBINARY} 's/[[:space:]]/ /g' | ${SEDBINARY} 's/ / /g' | ${SEDBINARY} 's/ /:space:/g')
 if [ -z "${FIND}" ]; then
 LogText "Result: File has no configuration options defined (empty, or only filled with comments and empty lines)"
 else
@@ -1017,7 +1017,7 @@
 LogText "Data: Days since epoch is ${DAYS_SINCE_EPOCH}"
 LogText "Test: collecting accounts which have an expired password (last day changed + maximum change time)"
 # Skip fields with a !, *, or x, or !* (field $3 is last changed, $5 is maximum changed)
- FIND=$(${EGREPBINARY} -v ":[\!\*x]([\*\!])?:" /etc/shadow | ${AWKBINARY} -v today=${DAYS_SINCE_EPOCH} -F: '{ if (($5!="") && (today>$3+$5)) { print $1 }}')
+ FIND=$(${GREPBINARY} -E -v ":[\!\*x]([\*\!])?:" /etc/shadow | ${AWKBINARY} -v today=${DAYS_SINCE_EPOCH} -F: '{ if (($5!="") && (today>$3+$5)) { print $1 }}')
 if [ -n "${FIND}" ]; then
 for ACCOUNT in ${FIND}; do
 LogText "Result: password of user ${ACCOUNT} has been expired"
@@ -1109,8 +1109,8 @@
 TEST_PERFORMED=1
 LogText "Result: file ${ROOTDIR}etc/inittab exists"
 LogText "Test: checking presence sulogin for single user mode"
- FIND=$(${EGREPBINARY} "^[a-zA-Z0-9~]+:S:(respawn|wait):/sbin/sulogin" /etc/inittab)
- FIND2=$(${EGREPBINARY} "^su:S:(respawn|wait):/sbin/sulogin" /etc/inittab)
+ FIND=$(${GREPBINARY} -E "^[a-zA-Z0-9~]+:S:(respawn|wait):/sbin/sulogin" /etc/inittab)
+ FIND2=$(${GREPBINARY} -E "^su:S:(respawn|wait):/sbin/sulogin" /etc/inittab)
 if [ -n "${FIND}" -o -n "${FIND2}" ]; then
 FOUND=1
 LogText "Result: found sulogin, so single user is protected"
@@ -1147,7 +1147,7 @@
 # Mark test as performed only when at least 1 target exists (e.g. Ubuntu 14.04 has limited systemd support)
 TEST_PERFORMED=1
 LogText "Result: found target ${I}"
- FIND=$(${EGREPBINARY} "^ExecStart=" ${FILE} | ${GREPBINARY} "sulogin")
+ FIND=$(${GREPBINARY} -E "^ExecStart=" ${FILE} | ${GREPBINARY} "sulogin")
 if [ "${FIND}" = "" ]; then
 LogText "Result: did not find sulogin specified, possible risk of getting into single user mode without authentication"
 else
@@ -1486,7 +1486,7 @@
 Register --test-no AUTH-9402 --weight L --network NO --category security --description "Query LDAP authentication support"
 if [ ${SKIPTEST} -eq 0 ]; then
 if [ -f ${ROOTDIR}etc/nsswitch.conf ]; then
- FIND=$(${EGREPBINARY} "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "ldap")
+ FIND=$(${GREPBINARY} -E "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "ldap")
 if [ "${FIND}" = "" ]; then
 LogText "Result: LDAP authentication not enabled"
 Display --indent 2 --text "- LDAP authentication support" --result "${STATUS_NOT_ENABLED}" --color WHITE
@@ -1514,7 +1514,7 @@
 LogText "Result: file ${FILE} exists, LDAP being used"
 LDAP_CLIENT_CONFIG_FILE="${FILE}"
 LogText "Test: checking LDAP servers in file ${FILE}"
- FIND=$(${EGREPBINARY} "^host " ${FILE} | ${AWKBINARY} '{ print $2 }')
+ FIND=$(${GREPBINARY} -E "^host " ${FILE} | ${AWKBINARY} '{ print $2 }')
 for SERVER in ${FIND}; do
 Display --indent 6 --text "LDAP server: ${SERVER}"
 LogText "Result: found LDAP server ${SERVER}"
diff --git a/include/tests_boot_services b/include/tests_boot_services
index 5901cd70..967b98a6 100644
--- a/include/tests_boot_services
+++ b/include/tests_boot_services
@@ -460,7 +460,7 @@
 BOOT_LOADER_FOUND=1
 Display --indent 2 --text "- Checking presence LILO" --result "${STATUS_OK}" --color GREEN
 LogText "Checking password option LILO"
- FIND=$(${EGREPBINARY} 'password[[:space:]]?=' ${LILOCONFFILE} | ${GREPBINARY} -v "^#")
+ FIND=$(${GREPBINARY} -E 'password[[:space:]]?=' ${LILOCONFFILE} | ${GREPBINARY} -v "^#")
 if [ -z "${FIND}" ]; then
 if [ "${MACHINE_ROLE}" = "server" -o "${MACHINE_ROLE}" = "workstation" ]; then
 Display --indent 4 --text "- Password option presence " --result "${STATUS_WARNING}" --color RED
@@ -605,7 +605,7 @@
 else
 # FreeBSD (Read /etc/rc.conf file for enabled services)
 LogText "Searching for services at startup (rc.conf)"
- FIND=$(${EGREPBINARY} -v -i '^#|none' ${ROOTDIR}etc/rc.conf | ${EGREPBINARY} -i '_enable.*(yes|on|1)' | ${SORTBINARY} | ${AWKBINARY} -F= '{ print $1 }' | ${SEDBINARY} 's/_enable//')
+ FIND=$(${GREPBINARY} -E -v -i '^#|none' ${ROOTDIR}etc/rc.conf | ${GREPBINARY} -E -i '_enable.*(yes|on|1)' | ${SORTBINARY} | ${AWKBINARY} -F= '{ print $1 }' | ${SEDBINARY} 's/_enable//')
 fi
 COUNT=0
 for ITEM in ${FIND}; do
@@ -715,7 +715,7 @@
 if [ -n "${CHKCONFIGBINARY}" ]; then
 LogText "Result: chkconfig binary found, trying that to discover information"
 LogText "Searching for services at startup (chkconfig, runlevel 3 and 5)"
- FIND=$(${CHKCONFIGBINARY} --list | ${EGREPBINARY} '3:on|5:on' | ${AWKBINARY} '{ print $1 }')
+ FIND=$(${CHKCONFIGBINARY} --list | ${GREPBINARY} -E '3:on|5:on' | ${AWKBINARY} '{ print $1 }')
 COUNT=0
 Report "boot_service_tool=chkconfig"
 for ITEM in ${FIND}; do
@@ -947,7 +947,7 @@
 if [ -f ${ROOTDIR}usr/lib/systemd/system/rescue.service ]; then
 LogText "Result: file /usr/lib/systemd/system/rescue.service"
 LogText "Test: checking presence sulogin for single user mode"
- FIND=$(${EGREPBINARY} "^ExecStart=.*sulogin" ${ROOTDIR}usr/lib/systemd/system/rescue.service)
+ FIND=$(${GREPBINARY} -E "^ExecStart=.*sulogin" ${ROOTDIR}usr/lib/systemd/system/rescue.service)
 if [ -n "${FIND}" ]; then
 FOUND=1
 LogText "Result: found sulogin, so single user is protected"
@@ -981,14 +981,14 @@
 Report "running_service[]=${ITEM}"
 COUNT=$((COUNT + 1 ))
 done
- LogText "Note: Run rcctl ls all | egrep '^(pf|check_quotas|library_aslr)$' to see all daemons"
+ LogText "Note: Run rcctl ls all | grep -E '^(pf|check_quotas|library_aslr)$' to see all daemons"
 Display --indent 2 --text "- Check running daemons (rcctl)" --result "${STATUS_DONE}" --color GREEN
 Display --indent 8 --text "Result: found ${COUNT} running daemons"
 LogText "Result: Found ${COUNT} running daemons"
 # OpenBSD (Ask rcctl(8) for enabled daemons)
 LogText "Searching for enabled daemons (rcctl)"
- FIND=$(${RCCTLBINARY} ls on | ${EGREPBINARY} -v '^(pf|check_quotas|library_aslr)$')
+ FIND=$(${RCCTLBINARY} ls on | ${GREPBINARY} -E -v '^(pf|check_quotas|library_aslr)$')
 COUNT=0
 Report "boot_service_tool=rcctl"
 for ITEM in ${FIND}; do
@@ -996,7 +996,7 @@
 Report "boot_service[]=${ITEM}"
 COUNT=$((COUNT + 1 ))
 done
- LogText "Note: Run rcctl ls all | egrep '^(pf|check_quotas|library_aslr)$' to see all daemons"
+ LogText "Note: Run rcctl ls all | grep -E '^(pf|check_quotas|library_aslr)$' to see all daemons"
 Display --indent 2 --text "- Check enabled daemons at boot (rcctl)" --result "${STATUS_DONE}" --color GREEN
 Display --indent 8 --text "Result: found ${COUNT} enabled daemons at boot"
 LogText "Result: Found ${COUNT} enabled daemons at boot"
diff --git a/include/tests_containers b/include/tests_containers
index af10997d..a02ea268 100644
--- a/include/tests_containers
+++ b/include/tests_containers
@@ -137,7 +137,7 @@
 # Check total of containers
 LogText "Test: checking total amount of Docker containers"
- DOCKER_CONTAINERS_TOTAL=$(${DOCKERBINARY} info 2> /dev/null | ${EGREPBINARY} "^[ \t]?Containers: " | ${AWKBINARY} '{ print $2 }')
+ DOCKER_CONTAINERS_TOTAL=$(${DOCKERBINARY} info 2> /dev/null | ${GREPBINARY} -E "^[ \t]?Containers: " | ${AWKBINARY} '{ print $2 }')
 if [ -z "${DOCKER_CONTAINERS_TOTAL}" ]; then
 DOCKER_CONTAINERS_TOTAL=0
 fi
diff --git a/include/tests_crypto b/include/tests_crypto
index 89ad1e62..a643b6c0 100644
--- a/include/tests_crypto
+++ b/include/tests_crypto
@@ -54,7 +54,7 @@
 LASTSUBDIR=""
 LogText "Result: found directory ${DIR}"
 # Search for certificate files
- FILES=$(${FINDBINARY} ${DIR} -type f 2> /dev/null | ${EGREPBINARY} ".cer$|.crt$|.der$|.pem$|^cert" | ${SORTBINARY} | ${SEDBINARY} 's/ /__space__/g')
+ FILES=$(${FINDBINARY} ${DIR} -type f 2> /dev/null | ${GREPBINARY} -E ".cer$|.crt$|.der$|.pem$|^cert" | ${SORTBINARY} | ${SEDBINARY} 's/ /__space__/g')
 for FILE in ${FILES}; do
 FILE=$(echo ${FILE} | ${SEDBINARY} 's/__space__/ /g')
 # See if we need to skip this path
@@ -80,7 +80,7 @@
 if [ ${CANREAD} -eq 1 ]; then
 # Only check the files that are not installed by a package, unless enabled by profile
 if [ ${SSL_CERTIFICATE_INCLUDE_PACKAGES} -eq 1 ] || ! FileInstalledByPackage "${FILE}"; then
- echo ${FILE} | ${EGREPBINARY} -q ".cer$|.der$"
+ echo ${FILE} | ${GREPBINARY} -E -q ".cer$|.der$"
 CER_DER=$?
 OUTPUT=$(${GREPBINARY} -q 'BEGIN CERT' "${FILE}")
 if [ $? -eq 0 -o ${CER_DER} -eq 0 ]; then
diff --git a/include/tests_databases b/include/tests_databases
index e973d23f..181dac6c 100644
--- a/include/tests_databases
+++ b/include/tests_databases
@@ -45,7 +45,7 @@
 # Description : Check if MySQL is being used
 Register --test-no DBS-1804 --weight L --network NO --category security --description "Checking active MySQL process"
 if [ ${SKIPTEST} -eq 0 ]; then
- FIND=$(${PSBINARY} ax | ${EGREPBINARY} "mariadb|mysqld|mysqld_safe" | ${GREPBINARY} -v "grep")
+ FIND=$(${PSBINARY} ax | ${GREPBINARY} -E "mariadb|mysqld|mysqld_safe" | ${GREPBINARY} -v "grep")
 if [ -z "${FIND}" ]; then
 if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- MySQL process status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
 LogText "Result: MySQL process not active"
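Review bot: The certificate-file pattern `".cer$|.crt$|.der$|.pem$|^cert"` leaves its dots unescaped, so under the now explicit `-E` they match any character and names such as `foocer` or `xpem` are collected as certificates; `'\.cer$|\.crt$|\.der$|\.pem$|^cert'` pins the extension. The `^cert` alternative is anchored to the start of the line, and the lines here are full paths printed by `find ${DIR}`, so it can only match when `${DIR}` itself begins with `cert`; presumably a basename match such as `/cert[^/]*$` was intended. The same unescaped dots appear in the `-q ".cer$|.der$"` test in the following hunk. The loop this sits in starts outside the hunk.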
@@ -244,7 +244,7 @@
 # reco: recovery (optional)
 Register --test-no DBS-1840 --weight L --network NO --category security --description "Checking active Oracle processes"
 if [ ${SKIPTEST} -eq 0 ]; then
- FIND=$(${PSBINARY} ax | ${EGREPBINARY} "ora_pmon|ora_smon|tnslsnr" | ${GREPBINARY} -v "grep")
+ FIND=$(${PSBINARY} ax | ${GREPBINARY} -E "ora_pmon|ora_smon|tnslsnr" | ${GREPBINARY} -v "grep")
 if [ -z "${FIND}" ]; then
 if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- Oracle processes status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
 LogText "Result: Oracle process(es) not active"
diff --git a/include/tests_file_integrity b/include/tests_file_integrity
index 8a38b97e..daf49196 100644
--- a/include/tests_file_integrity
+++ b/include/tests_file_integrity
@@ -104,7 +104,7 @@
 if [ -n "${AIDEBINARY}" -a -n "${AIDECONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
 Register --test-no FINT-4316 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Presence of AIDE database and size check"
 if [ ${SKIPTEST} -eq 0 ]; then
- AIDE_DB=$(${EGREPBINARY} '(^database|^database_in)=' ${AIDECONFIG} | ${SEDBINARY} "s/.*://")
+ AIDE_DB=$(${GREPBINARY} -E '(^database|^database_in)=' ${AIDECONFIG} | ${SEDBINARY} "s/.*://")
 if case ${AIDE_DB} in @@*) ;; *) false;; esac; then
 I=$(${GREPBINARY} "@@define.*DBDIR" ${AIDECONFIG} | ${AWKBINARY} '{print $3}')
 AIDE_DB=$(echo ${AIDE_DB} | ${SEDBINARY} "s#.*}#${I}#")
@@ -330,7 +330,7 @@
 ROOTDEVICE=$(${MOUNTBINARY} | ${AWKBINARY} '/ on \/ type / { print $1 }')
 for DEVICE in /dev/mapper/*; do
 if [ -e "${DEVICE}" ]; then
- FIND=$(${INTEGRITYSETUPBINARY} status "${DEVICE}" | ${EGREPBINARY} 'type:.*INTEGRITY')
+ FIND=$(${INTEGRITYSETUPBINARY} status "${DEVICE}" | ${GREPBINARY} -E 'type:.*INTEGRITY')
 if [ ! -z "${FIND}" ]; then
 FOUND=1
 LogText "Result: found dm-integrity device ${DEVICE}"
@@ -370,7 +370,7 @@
 ROOTDEVICE=$(${MOUNTBINARY} | ${AWKBINARY} '/ on \/ type / { print $1 }')
 for DEVICE in /dev/mapper/*; do
 if [ -e "${DEVICE}" ]; then
- FIND=$(${VERITYSETUPBINARY} status "${DEVICE}" | ${EGREPBINARY} 'type:.*VERITY')
+ FIND=$(${VERITYSETUPBINARY} status "${DEVICE}" | ${GREPBINARY} -E 'type:.*VERITY')
 if [ ! -z "${FIND}" ]; then
 FOUND=1
 LogText "Result: found dm-verity device ${DEVICE}"
@@ -404,7 +404,7 @@
 if [ ! "${AIDEBINARY}" = "" -a -n "${AIDECONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
 Register --test-no FINT-4402 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "AIDE configuration: Checksums (SHA256 or SHA512)"
 if [ ${SKIPTEST} -eq 0 ]; then
- FIND=$(${GREPBINARY} -v "^#" ${AIDECONFIG} | ${EGREPBINARY} "= .*(sha256|sha512)")
+ FIND=$(${GREPBINARY} -v "^#" ${AIDECONFIG} | ${GREPBINARY} -E "= .*(sha256|sha512)")
 if [ -z "${FIND}" ]; then
 LogText "Result: No SHA256 or SHA512 found for creating checksums"
 Display --indent 6 --text "- AIDE config (Checksum)" --result Suggestion --color YELLOW
diff --git a/include/tests_file_permissions b/include/tests_file_permissions
index 32598f45..924dad12 100644
--- a/include/tests_file_permissions
+++ b/include/tests_file_permissions
@@ -35,7 +35,7 @@
 FOUND=0
 for PROFILE in ${PROFILES}; do
 LogText "Using profile ${PROFILE} for baseline."
- FILES=$(${EGREPBINARY} '^permfile=|^permdir=' ${PROFILE} | ${CUTBINARY} -d= -f2 | ${CUTBINARY} -d: -f1)
+ FILES=$(${GREPBINARY} -E '^permfile=|^permdir=' ${PROFILE} | ${CUTBINARY} -d= -f2 | ${CUTBINARY} -d: -f1)
 for F in ${FILES}; do
 LogText "Test: checking file/directory ${F}"
 if [ -f "${F}" ]; then
diff --git a/include/tests_filesystems b/include/tests_filesystems
index ab6191aa..93af33ed 100644
--- a/include/tests_filesystems
+++ b/include/tests_filesystems
@@ -356,7 +356,7 @@
 # Proc should be mounted with 'hidepid=2' or 'hidepid=1' at least
 # https://www.kernel.org/doc/html/latest/filesystems/proc.html#chapter-4-configuring-procfs
 LogText "Test: check proc mount with incorrect mount options"
- FIND=$(${MOUNTBINARY} | ${EGREPBINARY} "${ROOTDIR}proc " | ${EGREPBINARY} -o "hidepid=([0-9]|[a-z][a-z]*)")
+ FIND=$(${MOUNTBINARY} | ${GREPBINARY} -E "${ROOTDIR}proc " | ${GREPBINARY} -E -o "hidepid=([0-9]|[a-z][a-z]*)")
 if [ "${FIND}" = "hidepid=4" -o "${FIND}" = "hidepid=ptraceable" ]; then # https://lwn.net/Articles/817137/
 Display --indent 2 --text "- Testing /proc mount (hidepid)" --result "${STATUS_OK}" --color GREEN
 LogText "Result: proc mount mounted with ${FIND}"
@@ -504,7 +504,7 @@
 fi
 LogText "Test: Checking acl option on xfs root file system"
- FIND=$(${MOUNTBINARY} | ${AWKBINARY} '{ if ($3=="/" && $5~/xfs/) { print $6 } }' | ${EGREPBINARY} 'no_acl|no_user_xattr')
+ FIND=$(${MOUNTBINARY} | ${AWKBINARY} '{ if ($3=="/" && $5~/xfs/) { print $6 } }' | ${GREPBINARY} -E 'no_acl|no_user_xattr')
 if [ -z "${FIND}" ]; then
 FOUND=1
 # some other tests to do ?
@@ -638,7 +638,7 @@
 NDEVMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v nodev | ${WCBINARY} -l)
 NEXECMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v noexec | ${WCBINARY} -l)
 NSUIDMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v nosuid | ${WCBINARY} -l)
- NWRITEANDEXECMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v noexec | ${EGREPBINARY} -v '^\(ro[,)]' | ${WCBINARY} -l)
+ NWRITEANDEXECMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v noexec | ${GREPBINARY} -E -v '^\(ro[,)]' | ${WCBINARY} -l)
 LogText "Result: Total without nodev:${NDEVMOUNTS} noexec:${NEXECMOUNTS} nosuid:${NSUIDMOUNTS} ro or noexec (W^X): ${NWRITEANDEXECMOUNTS}, of total ${NMOUNTS}"
 Display --indent 2 --text "- Total without nodev:${NDEVMOUNTS} noexec:${NEXECMOUNTS} nosuid:${NSUIDMOUNTS} ro or noexec (W^X): ${NWRITEANDEXECMOUNTS} of total ${NMOUNTS}"
 fi
@@ -814,13 +814,13 @@
 AVAILABLE_MODPROBE_FS=""
 for FS in ${LIST_FS_NOT_SUPPORTED}; do
 # Check if filesystem is present in modprobe output
- FIND=$(${MODPROBEBINARY} -v -n ${FS} 2>/dev/null | ${EGREPBINARY} "/${FS}.ko" | ${TAILBINARY} -1)
+ FIND=$(${MODPROBEBINARY} -v -n ${FS} 2>/dev/null | ${GREPBINARY} -E "/${FS}.ko" | ${TAILBINARY} -1)
 if [ -n "${FIND}" ]; then
 LogText "Result: found ${FS} support in the kernel (output = ${FIND})"
 Debug "Module ${FS} present in the kernel"
 LogText "Test: Checking if ${FS} is active"
 # Check if FS is present in lsmod output
- FIND=$(${LSMODBINARY} | ${EGREPBINARY} "^${FS}")
+ FIND=$(${LSMODBINARY} | ${GREPBINARY} -E "^${FS}")
 if IsEmpty "${FIND}"; then
 LogText "Result: module ${FS} is currently not loaded in the kernel."
 AddHP 2 3
@@ -837,8 +837,8 @@
 fi
 FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null)
 if [ -n "${FIND}" ]; then
- FIND1=$(${EGREPBINARY} "^blacklist \+${FS}$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
- FIND2=$(${EGREPBINARY} "^install \+${FS} \+/bin/true$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
+ FIND1=$(${GREPBINARY} -E "^blacklist \+${FS}$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
+ FIND2=$(${GREPBINARY} -E "^install \+${FS} \+/bin/true$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
 if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then
 Display --indent 4 --text "- Module $FS is blacklisted" --result "OK" --color GREEN
 LogText "Result: module ${FS} is blacklisted"
diff --git a/include/tests_firewalls b/include/tests_firewalls
index 44d6c441..6852b536 100644
--- a/include/tests_firewalls
+++ b/include/tests_firewalls
@@ -112,7 +112,7 @@
 TABLES="filter"
 for TABLE in ${TABLES}; do
 LogText "Test: gathering information from table ${TABLE}"
- FIND="$FIND""\n"$(${IPTABLESBINARY} -t ${TABLE} --numeric --list | ${EGREPBINARY} -z -o -w '[A-Z]+' | tr -d '\0' | ${AWKBINARY} -v t=${TABLE} 'NR%2 {printf "%s %s ",t, $0 ; next;}1')
+ FIND="$FIND""\n"$(${IPTABLESBINARY} -t ${TABLE} --numeric --list | ${GREPBINARY} -E -z -o -w '[A-Z]+' | tr -d '\0' | ${AWKBINARY} -v t=${TABLE} 'NR%2 {printf "%s %s ",t, $0 ; next;}1')
 done
 echo "${FIND}" | while read -r line; do
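Review bot: In `"^blacklist \+${FS}$"` and `"^install \+${FS} \+/bin/true$"` the `\+` is an escaped, literal plus sign under ERE, so `grep -E` only matches a line such as `blacklist +cramfs`; a normal `blacklist cramfs` entry is missed and the module is reported as not blacklisted. This was already the behaviour with `egrep`, but the commit makes the ERE dialect explicit without correcting it. Use a POSIX class instead: `FIND1=$(${GREPBINARY} -E "^blacklist[[:space:]]+${FS}$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")` and `FIND2=$(${GREPBINARY} -E "^install[[:space:]]+${FS}[[:space:]]+/bin/true$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")`. The enclosing loop over `${FS}` starts outside the hunk.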
@@ -154,7 +154,7 @@
 if [ -n "${IPTABLESBINARY}" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
 Register --test-no FIRE-4512 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for empty ruleset"
 if [ ${SKIPTEST} -eq 0 ]; then
- FIND=$(${IPTABLESBINARY} --list --numeric 2> /dev/null | ${EGREPBINARY} -v "^(Chain|target|$)" | ${WCBINARY} -l | ${TRBINARY} -d ' ')
+ FIND=$(${IPTABLESBINARY} --list --numeric 2> /dev/null | ${GREPBINARY} -E -v "^(Chain|target|$)" | ${WCBINARY} -l | ${TRBINARY} -d ' ')
 if [ -n "${FIND}" ]; then
 FIREWALL_ACTIVE=1
 if [ ${FIND} -le 5 ]; then
@@ -506,7 +506,7 @@
 Register --test-no FIRE-4540 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check for empty nftables configuration"
 if [ ${SKIPTEST} -eq 0 ]; then
 # Check for empty ruleset
- NFT_RULES_LENGTH=$(${NFTBINARY} --stateless list ruleset 2> /dev/null | ${EGREPBINARY} -v "table|chain|;$|}$|^$" | ${WCBINARY} -l)
+ NFT_RULES_LENGTH=$(${NFTBINARY} --stateless list ruleset 2> /dev/null | ${GREPBINARY} -E -v "table|chain|;$|}$|^$" | ${WCBINARY} -l)
 if [ ${NFT_RULES_LENGTH} -le 3 ]; then
 FIREWALL_EMPTY_RULESET=1
 LogText "Result: this firewall set has 3 rules or less and is considered to be empty"
diff --git a/include/tests_homedirs b/include/tests_homedirs
index 3e5f1b78..77de47f4 100644
--- a/include/tests_homedirs
+++ b/include/tests_homedirs
@@ -57,7 +57,7 @@
 if [ ${SKIPTEST} -eq 0 ]; then
 # Check if users' home directories permissions are 750 or more restrictive
 FOUND=0
- USERDATA=$(${EGREPBINARY} -v '^(daemon|git|halt|root|shutdown|sync)' ${ROOTDIR}etc/passwd | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }')
+ USERDATA=$(${GREPBINARY} -E -v '^(daemon|git|halt|root|shutdown|sync)' ${ROOTDIR}etc/passwd | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }')
 while read -r LINE; do
 USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1)
 DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6)
@@ -93,7 +93,7 @@ EOF
 if [ ${SKIPTEST} -eq 0 ]; then
 # Check if users own their home directories
 FOUND=0
- USERDATA=$(${EGREPBINARY} -v '^(daemon|git|halt|root|shutdown|sync)' ${ROOTDIR}etc/passwd | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }')
+ USERDATA=$(${GREPBINARY} -E -v '^(daemon|git|halt|root|shutdown|sync)' ${ROOTDIR}etc/passwd | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }')
 while read -r LINE; do
 USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1)
 DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6)
diff --git a/include/tests_insecure_services b/include/tests_insecure_services
index f01966f2..c86070c0 100644
--- a/include/tests_insecure_services
+++ b/include/tests_insecure_services
@@ -298,7 +298,7 @@
 #if [ ${SKIPTEST} -eq 0 ]; then
 # # Check presence of Rsh Trust Files
 # FOUND=0
- # for LINE in $(${CAT_BINARY} /etc/passwd | ${EGREPBINARY} -v '^(root|halt|sync|shutdown)' | ${AWKBINARY} -F: '($7 !="/sbin/nologin" && $7 != "/bin/false") { print }'); do
+ # for LINE in $(${CAT_BINARY} /etc/passwd | ${GREPBINARY} -E -v '^(root|halt|sync|shutdown)' | ${AWKBINARY} -F: '($7 !="/sbin/nologin" && $7 != "/bin/false") { print }'); do
 # USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1)
 # DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6)
 # if [ -d ${DIR} ]; then
diff --git a/include/tests_kernel b/include/tests_kernel
index ad914bfb..bba8080f 100644
--- a/include/tests_kernel
+++ b/include/tests_kernel
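Review bot: The exclusion `'^(daemon|git|halt|root|shutdown|sync)'` is a prefix match with no field terminator, so any account whose name merely starts with one of those strings — `gitlab`, `rootfs`, `syncthing` — is dropped from the home-directory permission check as well. Terminating the alternation with the passwd field separator, `USERDATA=$(${GREPBINARY} -E -v '^(daemon|git|halt|root|shutdown|sync):' ${ROOTDIR}etc/passwd | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }')`, limits it to those exact users. The identical line in the second hunk of this file (the ownership check) should get the same change. Both `while read` loops continue outside their hunks.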
@@ -49,7 +49,7 @@
 LogText "Exception: can't find the target of the symlink of /etc/systemd/system/default.target"
 ReportException "${TEST_NO}:01"
 else
- FIND2=$(${ECHOCMD} ${FIND} | ${EGREPBINARY} "runlevel5|graphical")
+ FIND2=$(${ECHOCMD} ${FIND} | ${GREPBINARY} -E "runlevel5|graphical")
 if HasData "${FIND2}"; then
 LogText "Result: Found match on runlevel5/graphical"
 Display --indent 2 --text "- Checking default runlevel" --result "runlevel 5" --color GREEN
@@ -401,7 +401,7 @@
 elif [ -e ${ROOTDIR}etc/rpi-issue ]; then
 FINDKERNEL="raspberrypi-kernel"
 LogText "Result: ${ROOTDIR}vmlinuz missing due to Raspbian"
- elif $(${EGREPBINARY} -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf); then
+ elif $(${GREPBINARY} -E -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf); then
 FINDKERNEL="linux-image-$(uname -r)"
 LogText "Result: ${ROOTDIR}vmlinuz missing due to /etc/kernel-img.conf item do_symlinks = No"
 else
@@ -414,8 +414,8 @@
 else
 LogText "Result: found kernel '${FINDKERNEL}' which will be used for further testing"
 LogText "Test: Using apt-cache policy to determine if there is an update available"
- FINDINSTALLED=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ')
- FINDCANDIDATE=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Candidate' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ')
+ FINDINSTALLED=$(apt-cache policy ${FINDKERNEL} | ${GREPBINARY} -E 'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ')
+ FINDCANDIDATE=$(apt-cache policy ${FINDKERNEL} | ${GREPBINARY} -E 'Candidate' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ')
 LogText "Kernel installed: ${FINDINSTALLED}"
 LogText "Kernel candidate: ${FINDCANDIDATE}"
 if IsEmpty "${FINDINS TALLED}"; then
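Review bot: `elif $(${GREPBINARY} -E -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf); then` wraps the test in a command substitution, so what `elif` evaluates is grep's (empty, because of `-q`) output run as a command; it only works because the shell gives an empty simple command the exit status of its last command substitution. Run the test directly: `elif ${GREPBINARY} -E -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf 2> /dev/null; then`. The redirection keeps a missing `kernel-img.conf` from writing to stderr; nothing visible in the hunk checks for the file first. The if/elif chain this belongs to starts before the hunk.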
@@ -826,7 +826,7 @@
 LogText "Check: try to find raspberrypi-kernel file in ${APT_ARCHIVE_DIRECTORY} and extract package date from file name"
 FOUND_KERNEL_DATE=$(${FINDBINARY} ${APT_ARCHIVE_DIRECTORY} -name "raspberrypi-kernel*" -printf "%T@ %Tc %p\n" 2> /dev/null \
- | ${SORTBINARY} -nr | ${HEADBINARY} -1 | ${GREPBINARY} -o "raspberrypi-kernel.*deb" | ${EGREPBINARY} -o "\.[0-9]+" | ${SEDBINARY} 's/\.//g')
+ | ${SORTBINARY} -nr | ${HEADBINARY} -1 | ${GREPBINARY} -o "raspberrypi-kernel.*deb" | ${GREPBINARY} -E -o "\.[0-9]+" | ${SEDBINARY} 's/\.//g')
 if [ -n "${FOUND_KERNEL_DATE}" ]; then
 FOUND_KERNEL_IN_SECONDS=$(date -d "${FOUND_KERNEL_DATE}" "+%s" 2> /dev/null)
@@ -851,21 +851,21 @@
 next="month"
 fi
 elif [ "$next" = "month" ]; then
- if [ $(${ECHOCMD} "${part}" | ${EGREPBINARY} -c "[A-Z][a-z]") -ge 1 ]; then
+ if [ $(${ECHOCMD} "${part}" | ${GREPBINARY} -E -c "[A-Z][a-z]") -ge 1 ]; then
 UNAME_DATE_MONTH="${part}"
 next="day"
 fi
 elif [ "${next}" = "day" ]; then
- if [ $(${ECHOCMD} ${part} | ${EGREPBINARY} -c "[0-9][0-9]") -ge 1 ]; then
+ if [ $(${ECHOCMD} ${part} | ${GREPBINARY} -E -c "[0-9][0-9]") -ge 1 ]; then
 UNAME_DATE_DAY="${part}"
 next="time"
 fi
 elif [ "${next}" = "time" ]; then
- if [ $(${ECHOCMD} ${part} | ${EGREPBINARY} -c ":[0-9][0-9]:") -ge 1 ]; then
+ if [ $(${ECHOCMD} ${part} | ${GREPBINARY} -E -c ":[0-9][0-9]:") -ge 1 ]; then
 next="year"
 fi
 elif [ "${next}" = "year" ]; then
- if [ $(${ECHOCMD} ${part} | ${EGREPBINARY} -c "[0-9][0-9]") -ge 1 ]; then
+ if [ $(${ECHOCMD} ${part} | ${GREPBINARY} -E -c "[0-9][0-9]") -ge 1 ]; then
 UNAME_DATE_YEAR="${part}"
 break
 fi
diff --git a/include/tests_logging b/include/tests_logging
index b6acdbe5..04bee67d 100644
--- a/include/tests_logging
+++ b/include/tests_logging
@@ -45,7 +45,7 @@
 Register --test-no LOGG-2130 --weight L --network NO --category security --description "Check for running syslog daemon"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Searching for a logging daemon"
- FIND=$(${PSBINARY} ax | ${EGREPBINARY} "syslogd|syslog-ng|metalog|systemd-journal" | ${GREPBINARY} -v "grep")
+ FIND=$(${PSBINARY} ax | ${GREPBINARY} -E "syslogd|syslog-ng|metalog|systemd-journal" | ${GREPBINARY} -v "grep")
 if [ -z "${FIND}" ]; then
 Display --indent 2 --text "- Checking for a running log daemon" --result "${STATUS_WARNING}" --color RED
 LogText "Result: Could not find a syslog daemon like syslog, syslog-ng, rsyslog, metalog, systemd-journal"
@@ -261,7 +261,7 @@
 Register --test-no LOGG-2148 --weight L --preqs-met ${PREQS_MET} --network NO --category security --description "Checking logrotated files"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking which files are rotated with logrotate and if they exist"
- FIND=$(${LOGROTATEBINARY} -d -v ${ROOTDIR}etc/logrotate.conf 2>&1 | ${EGREPBINARY} "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2!="log") { print "File:"$2":does_not_exist" } else { print "File:"$3":exists" } }')
+ FIND=$(${LOGROTATEBINARY} -d -v ${ROOTDIR}etc/logrotate.conf 2>&1 | ${GREPBINARY} -E "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2!="log") { print "File:"$2":does_not_exist" } else { print "File:"$3":exists" } }')
 if [ -z "${FIND}" ]; then
 LogText "Result: nothing found"
 else
@@ -280,7 +280,7 @@
 Register --test-no LOGG-2150 --weight L --preqs-met ${PREQS_MET} --network NO --category security --description "Checking directories in logrotate configuration"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking which directories can be found in logrotate configuration"
- FIND=$(${LOGROTATEBINARY} -d -v ${ROOTDIR}etc/logrotate.conf 2>&1 | ${EGREPBINARY} "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="log") { print $3 } }' | ${SEDBINARY} 's@/[^/]*$@@g' | ${SORTBINARY} -u)
+ FIND=$(${LOGROTATEBINARY} -d -v ${ROOTDIR}etc/logrotate.conf 2>&1 | ${GREPBINARY} -E "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="log") { print $3 } }' | ${SEDBINARY} 's@/[^/]*$@@g' | ${SORTBINARY} -u)
 if IsEmpty "${FIND}"; then
 LogText "Result: nothing found"
 else
@@ -345,7 +345,7 @@
 if [ ${SOLARIS_LOGHOST_FOUND} -eq 1 ] && [ -n "${SOLARIS_LOGHOST}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
 Register --test-no LOGG-2153 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking loghost is localhost"
 if [ ${SKIPTEST} -eq 0 ]; then
- FIND=$(echo "${SOLARIS_LOGHOST}" | ${AWKBINARY} '{ print $1 }' | ${EGREPBINARY} "::1|127.0.0.1|127.1")
+ FIND=$(echo "${SOLARIS_LOGHOST}" | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} -E "::1|127.0.0.1|127.1")
 if [ -n "${FIND}" ]; then
 SOLARIS_LOGHOST_LOCALHOST=1
 LogText "Result: loghost entry is localhost (default)"
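Review bot: `${GREPBINARY} -E "::1|127.0.0.1|127.1"` in LOGG-2153 is an unanchored substring match with unescaped dots, so a loghost such as `10.127.1.20` or `172.16.127.10` is classified as localhost, and the remote-logging checks that key off `SOLARIS_LOGHOST_LOCALHOST` then draw the wrong conclusion. Since the input is the single first field of the loghost entry, anchor and escape it: `FIND=$(echo "${SOLARIS_LOGHOST}" | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} -E '^(::1|127\.0\.0\.1|127\.1)$')`. The three accepted address forms are unchanged; only partial matches are ruled out.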
@@ -371,7 +371,7 @@
 TARGET="${ROOTDIR}etc/rsyslog.conf"
 if [ -f ${TARGET} ]; then
 LogText "Test: analyzing file ${TARGET} for remote target"
- DATA=$(${EGREPBINARY} "@@?([a-zA-Z0-9\-])+(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?" ${TARGET} | ${GREPBINARY} -v "#" | ${TRBINARY} -cd "[:print:]\n" | ${SEDBINARY} 's/[[:blank:]]\{1,\}/:space:/g')
+ DATA=$(${GREPBINARY} -E "@@?([a-zA-Z0-9\-])+(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?" ${TARGET} | ${GREPBINARY} -v "#" | ${TRBINARY} -cd "[:print:]\n" | ${SEDBINARY} 's/[[:blank:]]\{1,\}/:space:/g')
 if [ -z "${DATA}" ]; then
 LogText "Result: no remote target found"
 else
@@ -391,7 +391,7 @@
 for F in ${FILES}; do
 F=$(echo ${F} | ${SEDBINARY} 's/:space:/ /g')
 LogText "Test: analyzing file ${F} for remote target"
- DATA=$(${EGREPBINARY} "@@?([a-zA-Z0-9\-])+(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?" ${F} | ${GREPBINARY} -v "#" | ${TRBINARY} -cd "[:print:]\n" | ${SEDBINARY} 's/[[:blank:]]\{1,\}/:space:/g')
+ DATA=$(${GREPBINARY} -E "@@?([a-zA-Z0-9\-])+(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?" ${F} | ${GREPBINARY} -v "#" | ${TRBINARY} -cd "[:print:]\n" | ${SEDBINARY} 's/[[:blank:]]\{1,\}/:space:/g')
 if [ -n "${DATA}" ]; then
 LogText "Result: found remote target"
 REMOTE_LOGGING_ENABLED=1
@@ -403,7 +403,7 @@
 done
 else
 # Check new style configuration (omrelp/omfwd). This can be all on one line or even split over multiple lines.
- DATA=$(${EGREPBINARY} "target=\"([a-zA-Z0-9\-])" ${F})
+ DATA=$(${GREPBINARY} -E "target=\"([a-zA-Z0-9\-])" ${F})
 if [ -n "${DATA}" ]; then
 LogText "Result: most likely remote log host is used, as keyword 'target' is used"
 REMOTE_LOGGING_ENABLED=1
@@ -424,7 +424,7 @@ if [ -f ${SYSLOGD_CONF} ]; then LogText "Test: check if logs are also logged to a remote logging host" - FIND=$(${EGREPBINARY} "@[a-zA-Z0-9]|destination\s.+(udp|tcp).+\sport" ${SYSLOGD_CONF} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "[a-zA-Z0-9]@") + FIND=$(${GREPBINARY} -E "@[a-zA-Z0-9]|destination\s.+(udp|tcp).+\sport" ${SYSLOGD_CONF} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "[a-zA-Z0-9]@") if [ -n "${FIND}" ]; then FIND2=$(echo "${FIND}" | ${GREPBINARY} -v "@loghost") if [ ${SOLARIS_LOGHOST_LOCALHOST} -eq 1 ] && [ -z "${FIND2}" ]; then @@ -435,9 +435,9 @@ fi else # Search for configured destinations with an IP address or hostname, then determine which ones are used as a log destination - DESTINATIONS=$(${GREPBINARY} "^destination" ${SYSLOGD_CONF} | ${EGREPBINARY} "(udp|tcp)" | ${GREPBINARY} "port" | ${AWKBINARY} '{print $2}') + DESTINATIONS=$(${GREPBINARY} "^destination" ${SYSLOGD_CONF} | ${GREPBINARY} -E "(udp|tcp)" | ${GREPBINARY} "port" | ${AWKBINARY} '{print $2}') for DESTINATION in ${DESTINATIONS}; do - FIND2=$(${GREPBINARY} "log" ${SYSLOGD_CONF} | ${GREPBINARY} "source" | ${EGREPBINARY} "destination\(${DESTINATION}\)") + FIND2=$(${GREPBINARY} "log" ${SYSLOGD_CONF} | ${GREPBINARY} "source" | ${GREPBINARY} -E "destination\(${DESTINATION}\)") if [ -n "${FIND2}" ]; then LogText "Result: found destination ${DESTINATION} configured for remote logging" REMOTE_LOGGING_ENABLED=1 
@@ -539,7 +539,7 @@ if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: checking open log files with lsof" if [ -n "${LSOFBINARY}" ]; then - FIND=$(${LSOFBINARY}${LSOF_EXTRA_OPTIONS} -n 2>&1 | ${GREPBINARY} "log$" | ${EGREPBINARY} -v "WARNING|Output information" | ${AWKBINARY} '{ if ($5=="REG") { print $9 } }' | ${SORTBINARY} -u | ${GREPBINARY} -v "^$") + FIND=$(${LSOFBINARY}${LSOF_EXTRA_OPTIONS} -n 2>&1 | ${GREPBINARY} "log$" | ${GREPBINARY} -E -v "WARNING|Output information" | ${AWKBINARY} '{ if ($5=="REG") { print $9 } }' | ${SORTBINARY} -u | ${GREPBINARY} -v "^$") for I in ${FIND}; do LogText "Found logfile: ${I}" done @@ -572,7 +572,7 @@ LSOF_GREP="${LSOF_GREP}|anacron|awk|run-parts" fi - FIND=$(${LSOFBINARY}${LSOF_EXTRA_OPTIONS} -n +L 1 2>&1 | ${EGREPBINARY} -vw "${LSOF_GREP}" | ${EGREPBINARY} -v '/dev/zero|/\[aio\]' | ${AWKBINARY} '{ if ($5=="REG") { printf "%s(%s)\n", $10, $1 } }' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u) + FIND=$(${LSOFBINARY}${LSOF_EXTRA_OPTIONS} -n +L 1 2>&1 | ${GREPBINARY} -E -vw "${LSOF_GREP}" | ${GREPBINARY} -E -v '/dev/zero|/\[aio\]' | ${AWKBINARY} '{ if ($5=="REG") { printf "%s(%s)\n", $10, $1 } }' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u) if [ -n "${FIND}" ]; then LogText "Result: found one or more files which are deleted, but still in use" for I in ${FIND}; do diff --git a/include/tests_mail_messaging b/include/tests_mail_messaging index a8e9ec3b..8d4ae929 100644 --- a/include/tests_mail_messaging +++ b/include/tests_mail_messaging 
@@ -70,18 +70,18 @@ unset FIND FIND2 FIND3 FIND4 # Local Only - FIND=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^nonlocal') + FIND=$(echo "${EXIM_ROUTERS}" | ${GREPBINARY} -E '^nonlocal') # Internet Host - FIND2=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^dnslookup_relay_to_domains') + FIND2=$(echo "${EXIM_ROUTERS}" | ${GREPBINARY} -E '^dnslookup_relay_to_domains') # Smarthost or Satellite - FIND3=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^smarthost') + FIND3=$(echo "${EXIM_ROUTERS}" | ${GREPBINARY} -E '^smarthost') if [ -n "${FIND}" ]; then EXIM_TYPE="LOCAL ONLY" elif [ -n "${FIND2}" ]; then EXIM_TYPE="INTERNET HOST" elif [ -n "${FIND3}" ]; then - FIND4=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^hub_user_smarthost') + FIND4=$(echo "${EXIM_ROUTERS}" | ${GREPBINARY} -E '^hub_user_smarthost') if [ -n "${FIND4}" ]; then EXIM_TYPE="SATELLITE" else @@ -415,7 +415,7 @@ Register --test-no MAIL-8920 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check OpenSMTPD status" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: check smtpd status" - FIND=$(${PSBINARY} ax | ${EGREPBINARY} "(/smtpd|smtpd: \[priv\]|smtpd: smtp)" | ${GREPBINARY} -v "grep") + FIND=$(${PSBINARY} ax | ${GREPBINARY} -E "(/smtpd|smtpd: \[priv\]|smtpd: smtp)" | ${GREPBINARY} -v "grep") if [ ! "${FIND}" = "" ]; then LogText "Result: found running smtpd process" Display --indent 2 --text "- OpenSMTPD status" --result "${STATUS_RUNNING}" --color GREEN diff --git a/include/tests_nameservices b/include/tests_nameservices index 8c483d08..c35b4171 100644 --- a/include/tests_nameservices +++ b/include/tests_nameservices 
@@ -339,7 +339,7 @@ Register --test-no NAME-4210 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check DNS banner" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Trying to determine version from banner" - FIND=$(${DIGBINARY} @localhost version.bind chaos txt | ${GREPBINARY} "^version.bind" | ${GREPBINARY} TXT | ${EGREPBINARY} "[0-9].[0-9].[0-9]*") + FIND=$(${DIGBINARY} @localhost version.bind chaos txt | ${GREPBINARY} "^version.bind" | ${GREPBINARY} TXT | ${GREPBINARY} -E "[0-9].[0-9].[0-9]*") if [ "${FIND}" = "" ]; then LogText "Result: no useful information in banner found" Display --indent 4 --text "- Checking BIND version in banner" --result "${STATUS_OK}" --color GREEN @@ -571,7 +571,7 @@ Register --test-no NAME-4402 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check duplicate line in /etc/hosts" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: check duplicate line in ${ROOTDIR}etc/hosts" - OUTPUT=$(${AWKBINARY} '{ print $1, $2 }' ${ROOTDIR}etc/hosts | ${EGREPBINARY} -v '^(#|$)' | ${EGREPBINARY} "[a-f0-9]" | ${SORTBINARY} | ${UNIQBINARY} -d) + OUTPUT=$(${AWKBINARY} '{ print $1, $2 }' ${ROOTDIR}etc/hosts | ${GREPBINARY} -E -v '^(#|$)' | ${GREPBINARY} -E "[a-f0-9]" | ${SORTBINARY} | ${UNIQBINARY} -d) if [ -z "${OUTPUT}" ]; then LogText "Result: OK, no duplicate lines found" Display --indent 4 --text "- Duplicate entries in hosts file" --result "${STATUS_NONE}" --color GREEN 
@@ -592,7 +592,7 @@ if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Check /etc/hosts contains an entry for this server name" if [ -n "${HOSTNAME}" ]; then - DATA=$(${EGREPBINARY} -v '^(#|$|^::1\s|localhost)' ${ROOTDIR}etc/hosts | ${GREPBINARY} -i ${HOSTNAME}) + DATA=$(${GREPBINARY} -E -v '^(#|$|^::1\s|localhost)' ${ROOTDIR}etc/hosts | ${GREPBINARY} -i ${HOSTNAME}) if [ -n "${DATA}" ]; then LogText "Result: Found entry for ${HOSTNAME} in ${ROOTDIR}etc/hosts" Display --indent 4 --text "- Presence of configured hostname in /etc/hosts" --result "${STATUS_FOUND}" --color GREEN @@ -615,7 +615,7 @@ Register --test-no NAME-4406 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check server hostname mapping" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Check server hostname not locally mapped in ${ROOTDIR}etc/hosts" - DATA=$(${EGREPBINARY} -v '^(#|$)' ${ROOTDIR}etc/hosts | ${EGREPBINARY} '^(localhost|::1)\s' | ${GREPBINARY} -w ${HOSTNAME}) + DATA=$(${GREPBINARY} -E -v '^(#|$)' ${ROOTDIR}etc/hosts | ${GREPBINARY} -E '^(localhost|::1)\s' | ${GREPBINARY} -w ${HOSTNAME}) if [ -n "${DATA}" ]; then LogText "Result: Found this server hostname mapped to a local address" LogText "Output: ${DATA}" diff --git a/include/tests_networking b/include/tests_networking index 7faf7125..116f3760 100644 --- a/include/tests_networking +++ b/include/tests_networking @@ -280,7 +280,7 @@ Register --test-no NETW-3001 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Find default gateway (route)" if [ $SKIPTEST -eq 0 ]; then LogText "Test: Searching default gateway(s)" - FIND=$(${NETSTATBINARY} -rn | ${EGREPBINARY} "^0.0.0.0|default" | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f2) + FIND=$(${NETSTATBINARY} -rn | ${GREPBINARY} -E "^0.0.0.0|default" | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f2) if [ -n "${FIND}" ]; then for I in ${FIND}; do LogText "Result: Found default gateway ${I}" 
diff --git a/include/tests_php b/include/tests_php
index 23738198..858bc14b 100644
--- a/include/tests_php
+++ b/include/tests_php
@@ -285,9 +285,9 @@
 # Test : PHP-2368
 # Description : Check php register_globals option
 # Notes : Don't test for it if PHP version is 5.4.0 or later (it has been removed)
- if [ -n "${PHPINIFILE}" -a -n "${PHPVERSION}" -a -n "${EGREPBINARY}" ]; then
+ if [ -n "${PHPINIFILE}" -a -n "${PHPVERSION}" -a -n "${GREPBINARY} -E" ]; then
 if [ -f "${PHPINIFILE}" ]; then
- FIND=$(echo ${PHPVERSION} | ${EGREPBINARY} "^(4.|5.[0-3])")
+ FIND=$(echo ${PHPVERSION} | ${GREPBINARY} -E "^(4.|5.[0-3])")
 if [ -z "${FIND}" ]; then
 PREQS_MET="NO"; Debug "Found most likely PHP version 5.4.0 or higher (${PHPVERSION}) which does not use register_globals"
 else
@@ -305,7 +305,7 @@
 Register --test-no PHP-2368 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP register_globals option"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking PHP register_globals option"
- FIND=$(${EGREPBINARY} -i 'register_globals.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
+ FIND=$(${GREPBINARY} -E -i 'register_globals.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
 if [ -n "${FIND}" ]; then
 Display --indent 4 --text "- Checking register_globals option" --result "${STATUS_WARNING}" --color RED
 ReportWarning "${TEST_NO}" "PHP option register_globals option is turned on, which can be a risk for variable value overwriting"
@@ -338,7 +338,7 @@
 ;;
 esac
 LogText "Test: Checking file ${FILE}"
- FIND=$(${EGREPBINARY} -i 'expose_php.*(on|yes|1)' ${FILE} | ${GREPBINARY} -v '^;')
+ FIND=$(${GREPBINARY} -E -i 'expose_php.*(on|yes|1)' ${FILE} | ${GREPBINARY} -v '^;')
 if HasData "${FIND}"; then
 LogText "Result: found a a possible match on expose_php setting"
 LogText "Data: ${FIND}"
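Review bot: The prerequisite guard on the new side of the first hunk, `-n "${GREPBINARY} -E"`, is always true because the tested string now always contains ` -E`, so it no longer verifies that a grep binary was located; the intended test is `-n "${GREPBINARY}"`. With the guard vacuous, an empty GREPBINARY makes the version probe on the next changed line run `-E` as the command, FIND comes back empty, and PHP-2368 is silently marked as not applicable via `PREQS_MET="NO"` instead of reporting the missing tool. The enclosing `if` block and the `else` branch continue outside the hunk.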
@@ -367,7 +367,7 @@ Register --test-no PHP-2374 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP enable_dl option" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking PHP enable_dl option" - FIND=$(${EGREPBINARY} -i 'enable_dl.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;') + FIND=$(${GREPBINARY} -E -i 'enable_dl.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;') if [ -n "${FIND}" ]; then Display --indent 4 --text "- Checking enable_dl option" --result "${STATUS_ON}" --color YELLOW Report "Result: enable_dl option is turned on, which can be used to enable more modules dynamically and circumventing security controls" @@ -389,7 +389,7 @@ Register --test-no PHP-2376 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP allow_url_fopen option" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking PHP allow_url_fopen option" - FIND=$(${EGREPBINARY} -i 'allow_url_fopen.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;') + FIND=$(${GREPBINARY} -E -i 'allow_url_fopen.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;') if [ -z "${FIND}" ]; then Display --indent 4 --text "- Checking allow_url_fopen option" --result "${STATUS_ON}" --color YELLOW LogText "Result: allow_url_fopen option is turned on, which can be used for downloads via PHP and is a security risk" 
@@ -412,7 +412,7 @@ Register --test-no PHP-2378 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP allow_url_include option" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking PHP allow_url_include option" - FIND=$(${EGREPBINARY} -i 'allow_url_include.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;') + FIND=$(${GREPBINARY} -E -i 'allow_url_include.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;') if [ -z "${FIND}" ]; then Display --indent 4 --text "- Checking allow_url_include option" --result "${STATUS_ON}" --color YELLOW Report "Result: allow_url_include option is turned on, which can be used for downloads via PHP and is a risk" @@ -436,7 +436,7 @@ #if [ ${SKIPTEST} -eq 0 ]; then # FOUND=0 # SIMULATION=0 - # MAJOR_VERSION=$(echo ${PHPVERSION} | ${EGREPBINARY} "^7") + # MAJOR_VERSION=$(echo ${PHPVERSION} | ${GREPBINARY} -E "^7") # if [ "${OS}" = "OpenBSD" ]; then # FOUND=1 # On OpenBSD, Suhosin is hard linked into PHP # SIMULATION=off @@ -519,7 +519,7 @@ ;; esac LogText "Test: Checking file ${FILE}" - FIND=$(${EGREPBINARY} -i "^listen = [0-9]{1,5}$" ${FILE}) + FIND=$(${GREPBINARY} -E -i "^listen = [0-9]{1,5}$" ${FILE}) if HasData "${FIND}"; then LogText "Result: found listen on just a port number" LogText "Data: ${FIND}" diff --git a/include/tests_ports_packages b/include/tests_ports_packages index 9ca1948d..0e938cfe 100644 --- a/include/tests_ports_packages +++ b/include/tests_ports_packages 
@@ -836,7 +836,7 @@ Register --test-no PKGS-7383 --preqs-met ${PREQS_MET} --os Linux --weight M --network NO --category security --description "Check for YUM package update management" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: YUM package update management" - FIND=$(${YUMBINARY} repolist 2>/dev/null | ${GREPBINARY} repolist | ${SEDBINARY} 's/[[:blank:]]//g' | ${SEDBINARY} 's/[,.]//g' | ${AWKBINARY} -F ":" '{print $2}' | ${EGREPBINARY} "^[0-9]+$") + FIND=$(${YUMBINARY} repolist 2>/dev/null | ${GREPBINARY} repolist | ${SEDBINARY} 's/[[:blank:]]//g' | ${SEDBINARY} 's/[,.]//g' | ${AWKBINARY} -F ":" '{print $2}' | ${GREPBINARY} -E "^[0-9]+$") if [ -z "${FIND}" -o "${FIND}" = "0" ]; then LogText "Result: YUM package update management failed" Display --indent 2 --text "- YUM package management consistency" --result "${STATUS_WARNING}" --color RED @@ -1030,7 +1030,7 @@ if [ ${OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY} -eq 0 ]; then if [ -f ${ROOTDIR}etc/apt/sources.list ]; then LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list file" - FIND=$(${EGREPBINARY} "security.debian.org|security.ubuntu.com|security/? " ${ROOTDIR}etc/apt/sources.list | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g') + FIND=$(${GREPBINARY} -E "security.debian.org|security.ubuntu.com|security/? " ${ROOTDIR}etc/apt/sources.list | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g') if [ -n "${FIND}" ]; then FOUND=1 Display --indent 2 --text "- Checking security repository in sources.list file" --result "${STATUS_OK}" --color GREEN 
@@ -1043,7 +1043,7 @@ fi if [ -d /etc/apt/sources.list.d ]; then LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list.d directory" - FIND=$(${EGREPBINARY} -r "security.debian.org|security.ubuntu.com|security/? " /etc/apt/sources.list.d | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g') + FIND=$(${GREPBINARY} -E -r "security.debian.org|security.ubuntu.com|security/? " /etc/apt/sources.list.d | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g') if [ -n "${FIND}" ]; then FOUND=1 Display --indent 2 --text "- Checking security repository in sources.list.d directory" --result "${STATUS_OK}" --color GREEN @@ -1338,7 +1338,7 @@ if [ "${DPKGBINARY}" ]; then TESTED=1 KERNEL_PKG_NAMES="linux-image-[0-9]|raspberrypi-kernel|pve-kernel-[0-9]" - KERNELS=$(${DPKGBINARY} -l 2> /dev/null | ${EGREPBINARY} "${KERNEL_PKG_NAMES}" | ${WCBINARY} -l) + KERNELS=$(${DPKGBINARY} -l 2> /dev/null | ${GREPBINARY} -E "${KERNEL_PKG_NAMES}" | ${WCBINARY} -l) if [ ${KERNELS} -eq 0 ]; then LogText "Result: found no kernels from dpkg -l output, which is unexpected" elif [ ${KERNELS} -gt 5 ]; then diff --git a/include/tests_printers_spoolers b/include/tests_printers_spoolers index 851b0edd..d9318c3b 100644 --- a/include/tests_printers_spoolers +++ b/include/tests_printers_spoolers 
@@ -144,14 +144,14 @@ LogText "Test: Checking CUPS daemon listening network addresses" # Search for Port statement - FIND=$(${EGREPBINARY} "^Port 631" ${CUPSD_CONFIG_FILE}) + FIND=$(${GREPBINARY} -E "^Port 631" ${CUPSD_CONFIG_FILE}) if [ -n "${FIND}" ]; then LogText "Result: found CUPS listening on port 631 (most likely all interfaces)" PORT_FOUND=1 fi # Checking network addresses - FIND=$(${EGREPBINARY} "^(SSL)?Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} -v "/" | ${AWKBINARY} '{ print $2 }') + FIND=$(${GREPBINARY} -E "^(SSL)?Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} -v "/" | ${AWKBINARY} '{ print $2 }') COUNT=0 for ITEM in ${FIND}; do LogText "Result: found network address: ${ITEM}" @@ -222,7 +222,7 @@ QDAEMON_CONFIG_FILE="${ROOTDIR}etc/qconfig" FileIsReadable ${QDAEMON_CONFIG_FILE} if [ ${CANREAD} -eq 1 ]; then - FIND=$(${GREPBINARY} -v "^\*" ${QDAEMON_CONFIG_FILE} | ${EGREPBINARY} "backend|device") + FIND=$(${GREPBINARY} -v "^\*" ${QDAEMON_CONFIG_FILE} | ${GREPBINARY} -E "backend|device") if [ -n "${FIND}" ]; then LogText "Result: printers are defined in ${QDAEMON_CONFIG_FILE}" Display --indent 2 --text "- Checking /etc/qconfig file" --result "${STATUS_FOUND}" --color GREEN diff --git a/include/tests_scheduling b/include/tests_scheduling index 3aa004c6..10fa0766 100644 --- a/include/tests_scheduling +++ b/include/tests_scheduling @@ -35,7 +35,7 @@ # Description : Check cron daemon Register --test-no SCHD-7702 --weight L --network NO --category security --description "Check status of cron daemon" if [ ${SKIPTEST} -eq 0 ]; then - FIND=$(${PSBINARY} aux | ${EGREPBINARY} "( cron$|/cron(d)? )") + FIND=$(${PSBINARY} aux | ${GREPBINARY} -E "( cron$|/cron(d)? )") if IsEmpty "${FIND}"; then LogText "Result: no cron daemon found" else 
@@ -55,12 +55,12 @@ BAD_FILE_PERMISSIONS=0 BAD_FILE_OWNERSHIP=0 FindCronJob() { - sCRONJOBS=$(${EGREPBINARY} '^([0-9*])' $1 | ${TRBINARY} '\t' ' ' | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | ${SORTBINARY}) + sCRONJOBS=$(${GREPBINARY} -E '^([0-9*])' $1 | ${TRBINARY} '\t' ' ' | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | ${SORTBINARY}) } CRONTAB_FILE="${ROOTDIR}etc/crontab" if [ -f ${CRONTAB_FILE} ]; then - ${EGREPBINARY} -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:/etc/crontab" + ${GREPBINARY} -E -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:/etc/crontab" if IsWorldWritable ${CRONTAB_FILE}; then LogText "Result: insecure file permissions for cronjob file ${CRONTAB_FILE}"; Report "insecure_fileperms_cronjob[]=${CRONTAB_FILE}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi if ! IsOwnedByRoot ${CRONTAB_FILE}; then LogText "Result: incorrect owner found for cronjob file ${CRONTAB_FILE}"; Report "bad_fileowner_cronjob[]=${CRONTAB_FILE}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi FindCronJob ${CRONTAB_FILE} @@ -86,7 +86,7 @@ if IsWorldWritable ${FILE}; then LogText "Result: insecure file permissions for cronjob file ${J}"; Report "insecure_fileperms_cronjob[]=${J}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi if ! IsOwnedByRoot ${FILE}; then LogText "Result: incorrect owner found for cronjob file ${J}"; Report "bad_fileowner_cronjob[]=${J}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi FILENAME=$(echo ${FILE} | ${AWKBINARY} -F/ '{print $NF}') - if [ "${FILENAME}" = "lynis" ]; then ${EGREPBINARY} -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:${FILE}"; fi + if [ "${FILENAME}" = "lynis" ]; then ${GREPBINARY} -E -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:${FILE}"; fi FindCronJob ${FILE} if HasData "${sCRONJOBS}"; then for K in ${sCRONJOBS}; do 
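Review bot: The new line in the second hunk still greps `${CRONTAB_FILE}` while it records `LYNIS_CRONJOB="file:${FILE}"`, so the marker is looked up in /etc/crontab rather than in the file whose name was just matched; the `@@ -121` hunk on the following line carries the same mismatch. The consistent form, matching the two spool-directory hunks that grep the iterated file, is `if [ "${FILENAME}" = "lynis" ]; then ${GREPBINARY} -E -q -s 'lynis audit system' ${FILE} && LYNIS_CRONJOB="file:${FILE}"; fi`. The loop that assigns FILE starts outside the hunk, so the intended target is inferred from the surrounding IsWorldWritable and IsOwnedByRoot calls, which all operate on `${FILE}`.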
@@ -121,7 +121,7 @@ if IsWorldWritable ${FILE}; then LogText "Result: insecure file permissions for cronjob file ${FILE}"; Report "insecure_fileperms_cronjob[]=${FILE}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi if ! IsOwnedByRoot ${FILE}; then LogText "Result: incorrect owner found for cronjob file ${FILE}"; Report "bad_fileowner_cronjob[]=${FILE}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi FILENAME=$(echo ${FILE} | ${AWKBINARY} -F/ '{print $NF}') - if [ "${FILENAME}" = "lynis" ]; then ${EGREPBINARY} -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:${FILE}"; fi + if [ "${FILENAME}" = "lynis" ]; then ${GREPBINARY} -E -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:${FILE}"; fi LogText "Result: Found cronjob (${I}): ${FILE}" Report "cronjob[]=${FILE}" done @@ -141,7 +141,7 @@ FIND=$(${FINDBINARY} /var/spool/cron/crontabs -xdev -type f -print 2> /dev/null) for I in ${FIND}; do if FileIsReadable ${I}; then - ${EGREPBINARY} -q -s 'lynis audit system' ${I} && LYNIS_CRONJOB="file:${I}" + ${GREPBINARY} -E -q -s 'lynis audit system' ${I} && LYNIS_CRONJOB="file:${I}" FindCronJob ${I} for FILE in ${sCRONJOBS}; do LogText "Found cronjob (/var/spool/cron/crontabs): ${I} (${FILE})" @@ -154,7 +154,7 @@ FIND=$(find ${ROOTDIR}var/spool/cron -type f -print) for I in ${FIND}; do if FileIsReadable ${I}; then - ${EGREPBINARY} -q -s 'lynis audit system' ${I} && LYNIS_CRONJOB="file:${I}" + ${GREPBINARY} -E -q -s 'lynis audit system' ${I} && LYNIS_CRONJOB="file:${I}" FindCronJob ${I} for FILE in ${sCRONJOBS}; do LogText "Found cronjob in ${ROOTDIR}var/spool/cron: ${I} (${FILE})" 
@@ -169,7 +169,7 @@ if [ "${OS}" = "Linux" ]; then if [ -f /etc/anacrontab ]; then LogText "Test: checking anacrontab" - sANACRONJOBS=$(${EGREPBINARY} '^([0-9@])' /etc/anacrontab | ${TRBINARY} '\t' ' ' | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | ${SORTBINARY}) + sANACRONJOBS=$(${GREPBINARY} -E '^([0-9@])' /etc/anacrontab | ${TRBINARY} '\t' ' ' | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | ${SORTBINARY}) if [ -n "${sANACRONJOBS}" ]; then Report "scheduler[]=anacron" for I in ${sANACRONJOBS}; do diff --git a/include/tests_shells b/include/tests_shells index 8ecbde2c..b046b608 100644 --- a/include/tests_shells +++ b/include/tests_shells @@ -52,7 +52,7 @@ Register --test-no SHLL-6202 --os FreeBSD --weight L --network NO --category security --description "Check console TTYs" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking console TTYs" - FIND=$(${EGREPBINARY} '^console' ${ROOTDIR}etc/ttys | ${GREPBINARY} -v 'insecure') + FIND=$(${GREPBINARY} -E '^console' ${ROOTDIR}etc/ttys | ${GREPBINARY} -v 'insecure') if [ -z "${FIND}" ]; then Display --indent 2 --text "- Checking console TTYs" --result "${STATUS_OK}" --color GREEN LogText "Result: console is secured against single user mode without password." diff --git a/include/tests_squid b/include/tests_squid index c486108c..1eb43955 100644 --- a/include/tests_squid +++ b/include/tests_squid @@ -42,7 +42,7 @@ LogText "Test: Searching for a Squid daemon" FOUND=0 # Check running processes - FIND=$(${PSBINARY} ax | ${EGREPBINARY} "(squid|squid3) " | ${GREPBINARY} -v "grep") + FIND=$(${PSBINARY} ax | ${GREPBINARY} -E "(squid|squid3) " | ${GREPBINARY} -v "grep") if [ -n "${FIND}" ]; then SQUID_DAEMON_RUNNING=1 LogText "Result: Squid daemon is running" diff --git a/include/tests_ssh b/include/tests_ssh index fb784d83..6ab6f193 100644 --- a/include/tests_ssh +++ b/include/tests_ssh 
@@ -299,7 +299,7 @@ if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 # AllowUsers - FIND=$(${EGREPBINARY} -i "^AllowUsers" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }') + FIND=$(${GREPBINARY} -E -i "^AllowUsers" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }') if [ -n "${FIND}" ]; then LogText "Result: AllowUsers set, with value ${FIND}" Display --indent 4 --text "- OpenSSH option: AllowUsers" --result "${STATUS_FOUND}" --color GREEN @@ -310,7 +310,7 @@ fi # AllowGroups - FIND=$(${EGREPBINARY} -i "^AllowGroups" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }') + FIND=$(${GREPBINARY} -E -i "^AllowGroups" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }') if [ -n "${FIND}" ]; then LogText "Result: AllowUsers set ${FIND}" Display --indent 4 --text "- OpenSSH option: AllowGroups" --result "${STATUS_FOUND}" --color GREEN diff --git a/include/tests_storage b/include/tests_storage index ac60502c..29785e6c 100644 --- a/include/tests_storage +++ b/include/tests_storage @@ -38,8 +38,8 @@ if [ -d "${ROOTDIR}etc/modprobe.d" ]; then FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null) if [ -n "${FIND}" ]; then - FIND1=$(${EGREPBINARY} "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") - FIND2=$(${EGREPBINARY} "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") + FIND1=$(${GREPBINARY} -E "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") + FIND2=$(${GREPBINARY} -E "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then FOUND=1 LogText "Result: found firewire ohci driver in disabled state" 
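Review bot: The log line directly under the new AllowGroups grep in the second hunk still reads `LogText "Result: AllowUsers set ${FIND}"`, so the AllowGroups value is attributed to AllowUsers in the log. It should mirror the AllowUsers branch: `LogText "Result: AllowGroups set, with value ${FIND}"`. The `if [ -n "${FIND}" ]` block it sits in closes outside the hunk.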
@@ -49,8 +49,8 @@ fi fi if [ -f "${ROOTDIR}etc/modprobe.conf" ]; then - FIND1=$(${EGREPBINARY} -r "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" "${ROOTDIR}etc/modprobe.conf" | ${GREPBINARY} -v "#") - FIND2=$(${EGREPBINARY} -r "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" "${ROOTDIR}etc/modprobe.conf" | ${GREPBINARY} -v "#") + FIND1=$(${GREPBINARY} -E -r "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" "${ROOTDIR}etc/modprobe.conf" | ${GREPBINARY} -v "#") + FIND2=$(${GREPBINARY} -E -r "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" "${ROOTDIR}etc/modprobe.conf" | ${GREPBINARY} -v "#") if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then FOUND=1 LogText "Result: found firewire ohci driver in disabled state" diff --git a/include/tests_time b/include/tests_time index df9a86b7..7ff6755e 100644 --- a/include/tests_time +++ b/include/tests_time @@ -139,7 +139,7 @@ for I in ${CRONTAB_FILES}; do if [ -f ${I} ]; then LogText "Test: checking for ntpdate, rdate, sntp or ntpdig in crontab file ${I}" - FIND=$(${EGREPBINARY} "${CRONTAB_REGEX}" ${I} | ${GREPBINARY} -v '^#') + FIND=$(${GREPBINARY} -E "${CRONTAB_REGEX}" ${I} | ${GREPBINARY} -v '^#') if [ -n "${FIND}" ]; then FOUND=1; NTP_CONFIG_TYPE_SCHEDULED=1 Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "${STATUS_FOUND}" --color GREEN 
@@ -161,10 +161,10 @@
 for I in ${CRON_DIRS}; do
 for J in "${I}"/*; do # iterate over folders in a safe way
 # Check: regular file, readable and not called .placeholder
- FIND=$(echo "${J}" | ${EGREPBINARY} '/.placeholder$')
+ FIND=$(echo "${J}" | ${GREPBINARY} -E '/.placeholder$')
 if [ -f "${J}" ] && [ -r "${J}" ] && [ -z "${FIND}" ]; then
 LogText "Test: checking for ntpdate, rdate, sntp or ntpdig in ${J}"
- FIND=$("${EGREPBINARY}" "${CRONTAB_REGEX}" "${J}" | "${GREPBINARY}" -v "^#")
+ FIND=$("${GREPBINARY} -E" "${CRONTAB_REGEX}" "${J}" | "${GREPBINARY}" -v "^#")
 if [ -n "${FIND}" ]; then
 FOUND=1; FOUND_IN_CRON=1; NTP_CONFIG_TYPE_SCHEDULED=1
 LogText "Result: found ntpdate, rdate, sntp or ntpdig in ${J}"
@@ -232,7 +232,7 @@
 Register --test-no TIME-3106 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check systemd NTP time synchronization status"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Check the status of time synchronization via timedatectl"
- FIND=$(${TIMEDATECTL} status | ${EGREPBINARY} "(NTP|System clock) synchronized: yes")
+ FIND=$(${TIMEDATECTL} status | ${GREPBINARY} -E "(NTP|System clock) synchronized: yes")
 if [ -z "${FIND}" ]; then
 LogText "Result: time not synchronized via NTP"
 ReportSuggestion "${TEST_NO}" "Check timedatectl output. Synchronization via NTP is enabled, but status reflects it is not synchronized"
@@ -273,7 +273,7 @@
 else
 for ITEM in ${FIND}; do
 LogText "Found stratum 16 peer: ${ITEM}"
- FIND2=$(${EGREPBINARY} "^ntp-ignore-stratum-16-peer=${ITEM}" ${PROFILE})
+ FIND2=$(${GREPBINARY} -E "^ntp-ignore-stratum-16-peer=${ITEM}" ${PROFILE})
 if IsEmpty "${FIND2}"; then
 COUNT=$((COUNT + 1))
 Report "ntp_stratum_16_peer[]=${ITEM}"
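Review bot: In the first hunk the second replacement quotes `"${GREPBINARY} -E"` as one word, so the shell looks for a program whose name is the grep path followed by a literal space and `-E`; that lookup fails, FIND stays empty, and the NTP-client search across the cron directories can never set FOUND_IN_CRON. The other call in the same pipeline shows the intended form: `FIND=$("${GREPBINARY}" -E "${CRONTAB_REGEX}" "${J}" | "${GREPBINARY}" -v "^#")`. Because the failure only appears as a "command not found" on stderr, the regression would be easy to miss in a normal audit run. The two `for` loops enclosing this line close outside the hunk.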
@@ -303,7 +303,7 @@ Register --test-no TIME-3120 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check unreliable NTP peers" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking unreliable ntp peers" - FIND=$(${NTPQBINARY} -p -n | ${EGREPBINARY} "^(-|#)" | ${AWKBINARY} '{ print $1 }' | ${SEDBINARY} 's/^-//g') + FIND=$(${NTPQBINARY} -p -n | ${GREPBINARY} -E "^(-|#)" | ${AWKBINARY} '{ print $1 }' | ${SEDBINARY} 's/^-//g') if [ -z "${FIND}" ]; then Display --indent 2 --text "- Checking unreliable ntp peers" --result "${STATUS_NONE}" --color GREEN LogText "Result: No unreliable peers found" @@ -371,7 +371,7 @@ Register --test-no TIME-3132 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check NTP falsetickers" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking preferred time source" - FIND=$(${NTPQBINARY} -p -n | ${EGREPBINARY} '^x') + FIND=$(${NTPQBINARY} -p -n | ${GREPBINARY} -E '^x') if [ -z "${FIND}" ]; then Display --indent 2 --text "- Checking falsetickers" --result "${STATUS_OK}" --color GREEN LogText "Result: No falsetickers found (items preceding with an 'x')" @@ -455,7 +455,7 @@ else LogText "Result: ${FILE} is not empty, which is fine" Display --indent 2 --text "- Checking NTP step-tickers file" --result "${STATUS_OK}" --color GREEN - sFIND=$(${AWKBINARY} '/^[a-z0-9]/ { print $1 }' ${FILE} | ${EGREPBINARY} -v "^127." | ${EGREPBINARY} -v "^::1") + sFIND=$(${AWKBINARY} '/^[a-z0-9]/ { print $1 }' ${FILE} | ${GREPBINARY} -E -v "^127." | ${GREPBINARY} -E -v "^::1") for I in ${sFIND}; do FIND=$(${GREPBINARY} ^${I} ${FILE} | wc -l) if [ ${FIND} -gt 0 ]; then 
@@ -553,7 +553,7 @@ Register --test-no TIME-3182 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check OpenNTPD has working peers" if [ ${SKIPTEST} -eq 0 ]; then # Format is "xx/yy peers valid, ..." - FIND=$(${NTPCTLBINARY} -s status | ${EGREPBINARY} -o '[0-9]+/[0-9]+' | ${CUTBINARY} -d '/' -f 1) + FIND=$(${NTPCTLBINARY} -s status | ${GREPBINARY} -E -o '[0-9]+/[0-9]+' | ${CUTBINARY} -d '/' -f 1) if [ -z "${FIND}" ] || [ "${FIND}" -eq 0 ]; then ReportWarning "${TEST_NO}" "OpenNTPD has no peers" "${NTPCTLBINARY} -s status" fi diff --git a/include/tests_tooling b/include/tests_tooling index 083f5045..30c506c0 100644 --- a/include/tests_tooling +++ b/include/tests_tooling @@ -259,8 +259,8 @@ # # Check email alert configuration # LogText "Test: checking for email actions within ${FAIL2BAN_CONFIG}" # - # FIND=$(${EGREPBINARY} "^action = \%\(action_m.*\)s" ${FAIL2BAN_CONFIG}) - # FIND2=$(${EGREPBINARY} "^action = \%\(action_\)s" ${FAIL2BAN_CONFIG}) + # FIND=$(${GREPBINARY} -E "^action = \%\(action_m.*\)s" ${FAIL2BAN_CONFIG}) + # FIND2=$(${GREPBINARY} -E "^action = \%\(action_\)s" ${FAIL2BAN_CONFIG}) # # if [ -n "${FIND}" ]; then # FAIL2BAN_EMAIL=1 diff --git a/include/tests_usb b/include/tests_usb index d99d5a66..81c184df 100644 --- a/include/tests_usb +++ b/include/tests_usb 
@@ -54,8 +54,8 @@ if [ -d /etc/modprobe.d ]; then FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null) if [ -n "${FIND}" ]; then - FIND=$(${EGREPBINARY} -r "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") - FIND2=$(${EGREPBINARY} -r "^blacklist usb[-_]storage" ${ROOTDIR}etc/modprobe.d/*) + FIND=$(${GREPBINARY} -E -r "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") + FIND2=$(${GREPBINARY} -E -r "^blacklist usb[-_]storage" ${ROOTDIR}etc/modprobe.d/*) if [ -n "${FIND}" -o -n "${FIND2}" ]; then FOUND=1 LogText "Result: found usb-storage driver in disabled state (blacklisted)" @@ -65,7 +65,7 @@ fi fi if [ -f ${ROOTDIR}etc/modprobe.conf ]; then - FIND=$(${EGREPBINARY} "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.conf | ${GREPBINARY} "usb-storage" | ${GREPBINARY} -v "#") + FIND=$(${GREPBINARY} -E "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.conf | ${GREPBINARY} "usb-storage" | ${GREPBINARY} -v "#") if [ -n "${FIND}" ]; then FOUND=1 LogText "Result: found usb-storage driver in disabled state" 
@@ -316,11 +316,11 @@ Display --indent 4 --text "- RuleFile" --result "${STATUS_FOUND}" --color GREEN AddHP 1 1 - USBGUARD_RULES_ALLOW=$(${EGREPBINARY} -c "^allow" ${USBGUARD_RULES}) + USBGUARD_RULES_ALLOW=$(${GREPBINARY} -E -c "^allow" ${USBGUARD_RULES}) Display --indent 6 --text "- Controllers & Devices allow" --result "${USBGUARD_RULES_ALLOW}" --color WHITE - USBGUARD_RULES_BLOCK=$(${EGREPBINARY} -c "^block" ${USBGUARD_RULES}) + USBGUARD_RULES_BLOCK=$(${GREPBINARY} -E -c "^block" ${USBGUARD_RULES}) Display --indent 6 --text "- Controllers & Devices block" --result "${USBGUARD_RULES_BLOCK}" --color WHITE - USBGUARD_RULES_REJECT=$(${EGREPBINARY} -c "^reject" ${USBGUARD_RULES}) + USBGUARD_RULES_REJECT=$(${GREPBINARY} -E -c "^reject" ${USBGUARD_RULES}) Display --indent 6 --text "- Controllers & Devices reject" --result "${USBGUARD_RULES_REJECT}" --color WHITE else LogText "Result: RuleFile not found (\"man usbguard\" for instructions to install initial policies)" diff --git a/include/tests_webservers b/include/tests_webservers index e0ca5737..1dbde636 100644 --- a/include/tests_webservers +++ b/include/tests_webservers @@ -63,7 +63,7 @@ Display --indent 2 --text "- Checking Apache" --result "${STATUS_NOT_FOUND}" --color WHITE else LogText "Test: Scanning for Apache binary" - IS_APACHE=$(${HTTPDBINARY} -v 2> /dev/null | ${EGREPBINARY} '[aA]pache') + IS_APACHE=$(${HTTPDBINARY} -v 2> /dev/null | ${GREPBINARY} -E '[aA]pache') if IsEmpty "${IS_APACHE}"; then LogText "Result: ${HTTPDBINARY} is not Apache" Display --indent 2 --text "- Checking Apache (binary ${HTTPDBINARY})" --result "NO MATCH" --color WHITE 
@@ -203,7 +203,7 @@
 #if [ ${SKIPTEST} -eq 0 ]; then
 # # Testing Debian style
 # LogText "Test: searching loaded/enabled Apache modules"
- # apachectl -t -D DUMP_MODULES 2>&1 | ${EGREPBINARY} -v "(Loaded Modules|Syntax OK)" | ${SEDBINARY} 's/(\(shared\|static\))//' | ${SEDBINARY} 's/ //'
+ # apachectl -t -D DUMP_MODULES 2>&1 | ${GREPBINARY} -E -v "(Loaded Modules|Syntax OK)" | ${SEDBINARY} 's/(\(shared\|static\))//' | ${SEDBINARY} 's/ //'
 # for I in ${APACHE_MODULES_ENABLED_LOCS}; do
 # LogText "Test: checking ${I}"
 # if [ -d ${I} ]; then
@@ -381,7 +381,7 @@
 done
 # Sort all discovered configuration lines and store unique ones. Also strip out the mime types configured in nginx
- SORTFILE=$(${SORTBINARY} -u ${TMPFILE} | ${SEDBINARY} 's/ /:space:/g' | ${EGREPBINARY} -v "(application|audio|image|text|video)/" | ${EGREPBINARY} -v "({|})")
+ SORTFILE=$(${SORTBINARY} -u ${TMPFILE} | ${SEDBINARY} 's/ /:space:/g' | ${GREPBINARY} -E -v "(application|audio|image|text|video)/" | ${GREPBINARY} -E -v "({|})")
 for I in ${SORTFILE}; do
 I=$(echo ${I} | ${SEDBINARY} 's/:space:/ /g')
 Report "nginx_config_option[]=${I}";
From 09c03ce222c03996b652142bb89cc541b28a3243 Mon Sep 17 00:00:00 2001
From: xnoguer
Date: Sun, 23 Apr 2023 17:40:16 -0400
Subject: [PATCH 072/282] Using grep -E
---
 lynis | 28 ++++++++++++++++++++--------
 1 file changed, 20 insertions(+), 8 deletions(-)
diff --git a/lynis b/lynis
index 3f6d3b84..5aa219b7 100755
--- a/lynis
+++ b/lynis
@@ -148,13 +148,25 @@
 # Perform a basic check for permissions. After including functions, using SafePerms()
 IGNORE_FILE_PERMISSION_ISSUES=0
- FILES_TO_CHECK="consts functions"
+ FILES_TO_CHECK="consts functions parameters binaries osdetection data_upload"
 ISSUE=0
 ISSUE_TYPE=""
 SHOWPERMERROR=0
 for FILE in ${FILES_TO_CHECK}; do
+ SUGGESTED_PERMS=640
+ if [ ${PRIVILEGED} -eq 0 ]; then
+ SUGGESTED_PERMS=644
+ fi
+
+ # First check if files are readable so the shell can execute them
+ if [ ! -r ${INCLUDEDIR}/${FILE} ]; then
+ ISSUE=1
+ ISSUE_TYPE="perms"
+ echo "[!] Change file permissions of ${INCLUDEDIR}/${FILE} to ${SUGGESTED_PERMS}."; echo " Command: chmod ${SUGGESTED_PERMS} ${INCLUDEDIR}/${FILE}"
+ fi
+
 PERMS=$(ls -l ${INCLUDEDIR}/${FILE} | cut -c 2-10)
 GROUPPERMS=$(ls -l ${INCLUDEDIR}/${FILE} | cut -c 5-7)
 GROUPOWNERID=$(ls -n ${INCLUDEDIR}/${FILE} | awk '{ print $4 }')
@@ -163,11 +175,11 @@
 # Check permissions of include/X file (400, 600, 640, 644)
 if [ "${PERMS}" = "rwxrwxrwx" ]; then
- ISSUE=1; ISSUE_TYPE="perms"; echo "[!] Change file permissions of ${INCLUDEDIR}/${FILE} to 640."; echo " Command: chmod 640 ${INCLUDEDIR}/${FILE}"
+ ISSUE=1; ISSUE_TYPE="perms"; echo "[!] Change file permissions of ${INCLUDEDIR}/${FILE} to ${SUGGESTED_PERMS}."; echo " Command: chmod ${SUGGESTED_PERMS} ${INCLUDEDIR}/${FILE}"
 elif [ ! "${PERMS}" = "r--------" -a ! "${PERMS}" = "rw-------" -a ! "${PERMS}" = "rw-r-----" -a ! "${PERMS}" = "rw-r--r--" ]; then
 # If group ID equals user ID, we consider permissions to be fine (probably default umask)
 if [ ! "${GROUPOWNERID}" = "${OWNERID}" ]; then
- ISSUE=1; ISSUE_TYPE="perms"; echo "[!] Change file permissions of ${INCLUDEDIR}/${FILE} to 640."; echo " Command: chmod 640 ${INCLUDEDIR}/${FILE}"
+ ISSUE=1; ISSUE_TYPE="perms"; echo "[!] Change file permissions of ${INCLUDEDIR}/${FILE} to ${SUGGESTED_PERMS}.";  echo " Command: chmod ${SUGGESTED_PERMS} ${INCLUDEDIR}/${FILE}"
 fi
 fi
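Review bot: SUGGESTED_PERMS is assigned inside the `for FILE in ${FILES_TO_CHECK}` loop but is read after the loop by the `chmod ${SUGGESTED_PERMS} include/*` hint in the next hunk (@@ -193,7 +205,7 @@), so it only holds whatever the last iteration left behind; move `SUGGESTED_PERMS=640` and `if [ ${PRIVILEGED} -eq 0 ]; then SUGGESTED_PERMS=644; fi` above the `for`. The new readability check reports the file and then falls through to the `ls -l` parsing and the permission comparison below, so an unreadable file can be reported twice — a `continue` after the echo avoids that. PRIVILEGED is presumably set earlier in the script; if it can be empty here, `[ ${PRIVILEGED} -eq 0 ]` is a test syntax error rather than a false result, and `[ "${PRIVILEGED}" = "0" ]` is the safer form. The permission check block continues beyond this hunk.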
@@ -193,7 +205,7 @@
 if [ ${ISSUE} -eq 1 ]; then
 printf "\n[X] Security check failed\n\n Why do I see this error?\n -------------------------------\n This is a protection mechanism to prevent the root user from executing user created files. The files may be altered, or including malicious pieces of script.\n\n What can I do?\n ---------------------\n Option 1) Check if a trusted user created the files (e.g. due to using Git, Homebrew or similar).\n If you trust these files, you can decide to continue this run by pressing ENTER.\n"
 if [ "${ISSUE_TYPE}" = "perms" ]; then
- printf "\n Option 2) Change permissions of the related files.\n\n Commands (full directory):\n # chmod 640 include/*\n # ./lynis audit system"
+ printf "\n Option 2) Change permissions of the related files.\n\n Commands (full directory):\n # chmod ${SUGGESTED_PERMS} include/*\n # ./lynis audit system"
 elif [ "${ISSUE_TYPE}" = "owner" ]; then
 printf "\n Option 2) Change ownership of the related files (or full directory).\n\n Commands (full directory):\n # cd ..\n # chown -R 0:0 lynis\n # cd lynis\n # ./lynis audit system"
 fi
@@ -217,10 +229,10 @@
 # Extract the short notation of the language (first two characters).
 if [ -x "$(command -v locale 2> /dev/null)" ]; then
- LANGUAGE=$(locale | egrep "^LANG=" | cut -d= -f2 | cut -d_ -f1 | tr -d '"' | egrep "^[a-z]{2}$")
+ LANGUAGE=$(locale | grep -E "^LANG=" | cut -d= -f2 | cut -d_ -f1 | tr -d '"' | grep -E "^[a-z]{2}$")
 # Try locale command if shell variable had no value
 if [ -z "${DISPLAY_LANG}" ]; then
- DISPLAY_LANG=$(locale | egrep "^LANG=" | cut -d= -f2)
+ DISPLAY_LANG=$(locale | grep -E "^LANG=" | cut -d= -f2)
 fi
 else
 LANGUAGE="en"
@@ -1036,7 +1048,7 @@ ${NORMAL}
 if SafeFile ${INCLUDE_FILE}; then
 . ${INCLUDE_FILE}
 else
- LogText "Exception: skipping test category ${INCLUDE_TEST}, file ${INCLUDE_FILE} has bad permissions (should be 640, 600 or 400)"
+ LogText "Exception: skipping test category ${INCLUDE_TEST}, file ${INCLUDE_FILE} has bad permissions (should be 644, 640, 600 or 400)"
 ReportWarning "NONE" "Invalid permissions on tests file tests_${INCLUDE_TEST}"
 # Insert a section and warn user also on screen
 InsertSection "${SECTION_GENERAL}"
@@ -1063,7 +1075,7 @@ ${NORMAL}
 LogText "Result: file permissions fine, running custom tests"
 . ${INCLUDEDIR}/tests_custom
 else
- LogText "Exception: skipping custom tests, file has bad permissions (should be 640, 600 or 400)"
+ LogText "Exception: skipping custom tests, file has bad permissions (should be 644, 640, 600 or 400)"
 ReportWarning "NONE" "Invalid permissions on custom tests file"
 Display --indent 2 --text "- Running custom tests... " --result "${STATUS_WARNING}" --color RED
 fi
From c7b73837db1f68820befd06a63f2ab855a00d5f9 Mon Sep 17 00:00:00 2001
From: xnoguer
Date: Sun, 23 Apr 2023 17:44:44 -0400
Subject: [PATCH 073/282] Removing changes from another branch
---
 include/functions | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/include/functions b/include/functions
index 841586be..9c52044b 100644
--- a/include/functions
+++ b/include/functions
@@ -3103,11 +3103,6 @@
 unsafe=1
 LogText "Security alert: file is not owned by active user, but can write to it"
 fi
- # File is not owned by active user, and not readable by him
- if [ ! -O "${FILE}" -a ! -r "${FILE}" ]; then
- unsafe=1
- LogText "Security alert: file is not readable by active user"
- fi
 fi
 # Check file permissions
From ea9c6dbcc8c6db00160db7691e7407ed83fab361 Mon Sep 17 00:00:00 2001
From: xnoguer
Date: Sun, 23 Apr 2023 17:51:58 -0400
Subject: [PATCH 074/282] Removing
---
 lynis | 22 +++++----------------
 1 file changed, 5 insertions(+), 17 deletions(-)
diff --git a/lynis b/lynis
index 5aa219b7..1f401b97 100755
--- a/lynis
+++ b/lynis
@@ -148,25 +148,13 @@
 # Perform a basic check for permissions. After including functions, using SafePerms()
 IGNORE_FILE_PERMISSION_ISSUES=0
- FILES_TO_CHECK="consts functions parameters binaries osdetection data_upload"
+ FILES_TO_CHECK="consts functions"
 ISSUE=0
 ISSUE_TYPE=""
 SHOWPERMERROR=0
 for FILE in ${FILES_TO_CHECK}; do
- SUGGESTED_PERMS=640
- if [ ${PRIVILEGED} -eq 0 ]; then
- SUGGESTED_PERMS=644
- fi
-
- # First check if files are readable so the shell can execute them
- if [ ! -r ${INCLUDEDIR}/${FILE} ]; then
- ISSUE=1
- ISSUE_TYPE="perms"
- echo "[!] Change file permissions of ${INCLUDEDIR}/${FILE} to ${SUGGESTED_PERMS}."; echo " Command: chmod ${SUGGESTED_PERMS} ${INCLUDEDIR}/${FILE}"
- fi
-
 PERMS=$(ls -l ${INCLUDEDIR}/${FILE} | cut -c 2-10)
 GROUPPERMS=$(ls -l ${INCLUDEDIR}/${FILE} | cut -c 5-7)
 GROUPOWNERID=$(ls -n ${INCLUDEDIR}/${FILE} | awk '{ print $4 }')
@@ -229,10 +217,10 @@
 # Extract the short notation of the language (first two characters).
 if [ -x "$(command -v locale 2> /dev/null)" ]; then
- LANGUAGE=$(locale | grep -E "^LANG=" | cut -d= -f2 | cut -d_ -f1 | tr -d '"' | grep -E "^[a-z]{2}$")
+ LANGUAGE=$(locale | egrep "^LANG=" | cut -d= -f2 | cut -d_ -f1 | tr -d '"' | grep -E "^[a-z]{2}$")
 # Try locale command if shell variable had no value
 if [ -z "${DISPLAY_LANG}" ]; then
- DISPLAY_LANG=$(locale | grep -E "^LANG=" | cut -d= -f2)
+ DISPLAY_LANG=$(locale | egrep "^LANG=" | cut -d= -f2)
 fi
 else
 LANGUAGE="en"
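Review bot: The second hunk (@@ -229,10 +217,10 @@) reverts `grep -E "^LANG="` to `egrep` on the LANGUAGE and DISPLAY_LANG lines while the tail of the same LANGUAGE pipeline keeps `grep -E "^[a-z]{2}$"`, so one pipeline now mixes the deprecated alias with its replacement. If the aim is only to back out the permission changes from the other branch, leave both calls as they were: `LANGUAGE=$(locale | grep -E "^LANG=" | cut -d= -f2 | cut -d_ -f1 | tr -d '"' | grep -E "^[a-z]{2}$")` and `DISPLAY_LANG=$(locale | grep -E "^LANG=" | cut -d= -f2)`. The following commit in this series flips the same two lines back again, which suggests the revert was broader than intended.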
@@ -1048,7 +1036,7 @@ ${NORMAL}
 if SafeFile ${INCLUDE_FILE}; then
 . ${INCLUDE_FILE}
 else
- LogText "Exception: skipping test category ${INCLUDE_TEST}, file ${INCLUDE_FILE} has bad permissions (should be 644, 640, 600 or 400)"
+ LogText "Exception: skipping test category ${INCLUDE_TEST}, file ${INCLUDE_FILE} has bad permissions (should be 640, 600 or 400)"
 ReportWarning "NONE" "Invalid permissions on tests file tests_${INCLUDE_TEST}"
 # Insert a section and warn user also on screen
 InsertSection "${SECTION_GENERAL}"
@@ -1075,7 +1063,7 @@ ${NORMAL}
 LogText "Result: file permissions fine, running custom tests"
 . ${INCLUDEDIR}/tests_custom
 else
- LogText "Exception: skipping custom tests, file has bad permissions (should be 644, 640, 600 or 400)"
+ LogText "Exception: skipping custom tests, file has bad permissions (should be 640, 600 or 400)"
 ReportWarning "NONE" "Invalid permissions on custom tests file"
 Display --indent 2 --text "- Running custom tests... " --result "${STATUS_WARNING}" --color RED
 fi
From 25a5d7af40070566cebc6a19c8f4841aabca100e Mon Sep 17 00:00:00 2001
From: xnoguer
Date: Sun, 23 Apr 2023 17:53:22 -0400
Subject: [PATCH 075/282] Removing
---
 lynis | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/lynis b/lynis
index 1f401b97..a92e3556 100755
--- a/lynis
+++ b/lynis
@@ -163,11 +163,11 @@
 # Check permissions of include/X file (400, 600, 640, 644)
 if [ "${PERMS}" = "rwxrwxrwx" ]; then
- ISSUE=1; ISSUE_TYPE="perms"; echo "[!] Change file permissions of ${INCLUDEDIR}/${FILE} to ${SUGGESTED_PERMS}."; echo " Command: chmod ${SUGGESTED_PERMS} ${INCLUDEDIR}/${FILE}"
+ ISSUE=1; ISSUE_TYPE="perms"; echo "[!] Change file permissions of ${INCLUDEDIR}/${FILE} to 640."; echo " Command: chmod 640 ${INCLUDEDIR}/${FILE}"
 elif [ ! "${PERMS}" = "r--------" -a ! "${PERMS}" = "rw-------" -a ! "${PERMS}" = "rw-r-----" -a ! "${PERMS}" = "rw-r--r--" ]; then
 # If group ID equals user ID, we consider permissions to be fine (probably default umask)
 if [ ! "${GROUPOWNERID}" = "${OWNERID}" ]; then
- ISSUE=1; ISSUE_TYPE="perms"; echo "[!] Change file permissions of ${INCLUDEDIR}/${FILE} to ${SUGGESTED_PERMS}."; echo " Command: chmod ${SUGGESTED_PERMS} ${INCLUDEDIR}/${FILE}"
+ ISSUE=1; ISSUE_TYPE="perms"; echo "[!] Change file permissions of ${INCLUDEDIR}/${FILE} to 640."; echo " Command: chmod 640 ${INCLUDEDIR}/${FILE}"
 fi
 fi
@@ -217,10 +217,10 @@
 # Extract the short notation of the language (first two characters).
 if [ -x "$(command -v locale 2> /dev/null)" ]; then
- LANGUAGE=$(locale | egrep "^LANG=" | cut -d= -f2 | cut -d_ -f1 | tr -d '"' | grep -E "^[a-z]{2}$")
+ LANGUAGE=$(locale | grep -E "^LANG=" | cut -d= -f2 | cut -d_ -f1 | tr -d '"' | grep -E "^[a-z]{2}$")
 # Try locale command if shell variable had no value
 if [ -z "${DISPLAY_LANG}" ]; then
- DISPLAY_LANG=$(locale | egrep "^LANG=" | cut -d= -f2)
+ DISPLAY_LANG=$(locale | grep -E "^LANG=" | cut -d= -f2)
 fi
 else
 LANGUAGE="en"
From 346b843662376002e34c2e92a1914ae5233c56b0 Mon Sep 17 00:00:00 2001
From: xnoguer
Date: Sun, 23 Apr 2023 17:54:01 -0400
Subject: [PATCH 076/282] Removing
---
 lynis | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lynis b/lynis
index a92e3556..3a628424 100755
--- a/lynis
+++ b/lynis
@@ -193,7 +193,7 @@
 if [ ${ISSUE} -eq 1 ]; then
 printf "\n[X] Security check failed\n\n Why do I see this error?\n -------------------------------\n This is a protection mechanism to prevent the root user from executing user created files. The files may be altered, or including malicious pieces of script.\n\n What can I do?\n ---------------------\n Option 1) Check if a trusted user created the files (e.g. due to using Git, Homebrew or similar).\n If you trust these files, you can decide to continue this run by pressing ENTER.\n"
 if [ "${ISSUE_TYPE}" = "perms" ]; then
- printf "\n Option 2) Change permissions of the related files.\n\n Commands (full directory):\n # chmod ${SUGGESTED_PERMS} include/*\n # ./lynis audit system"
+ printf "\n Option 2) Change permissions of the related files.\n\n Commands (full directory):\n # chmod 640 include/*\n # ./lynis audit system"
 elif [ "${ISSUE_TYPE}" = "owner" ]; then
 printf "\n Option 2) Change ownership of the related files (or full directory).\n\n Commands (full directory):\n # cd ..\n # chown -R 0:0 lynis\n # cd lynis\n # ./lynis audit system"
 fi
From c845cecb6fb709d3bc81e0519688ff2bd5a5fe61 Mon Sep 17 00:00:00 2001
From: xnoguer
Date: Sun, 23 Apr 2023 19:00:16 -0400
Subject: [PATCH 077/282] Fixing test
---
 include/tests_php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/tests_php b/include/tests_php
index 858bc14b..04502f68 100644
--- a/include/tests_php
+++ b/include/tests_php
@@ -285,7 +285,7 @@
 # Test : PHP-2368
 # Description : Check php register_globals option
 # Notes : Don't test for it if PHP version is 5.4.0 or later (it has been removed)
- if [ -n "${PHPINIFILE}" -a -n "${PHPVERSION}" -a -n "${GREPBINARY} -E" ]; then
+ if [ -n "${PHPINIFILE}" -a -n "${PHPVERSION}" -a -n "${GREPBINARY}" ]; then
 if [ -f "${PHPINIFILE}" ]; then
 FIND=$(echo ${PHPVERSION} | ${GREPBINARY} -E "^(4.|5.[0-3])")
 if [ -z "${FIND}" ]; then
From 7d494da5c49e9ac48bedf8043bd002aa213f879b Mon Sep 17 00:00:00 2001
From: xnoguer
Date: Tue, 25 Apr 2023 10:06:02 -0400
Subject: [PATCH 078/282] Checking for errors, not only warning in docker info output
---
 include/tests_containers | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/tests_containers b/include/tests_containers
index af10997d..c8d23b2a 100644
--- a/include/tests_containers
+++ b/include/tests_containers
@@ -107,7 +107,7 @@
 LogText "Result: disabling further Docker tests as docker version gave exit code other than zero (0)"
 RUN_DOCKER_TESTS=0
 fi
- FIND=$(${DOCKERBINARY} info 2>&1 | ${GREPBINARY} "^WARNING:" | ${CUTBINARY} -d " " -f 2- | ${SEDBINARY} 's/ /:space:/g')
+ FIND=$(${DOCKERBINARY} info 2>&1 | ${GREPBINARY} -E "^WARNING:|^ERROR:" | ${CUTBINARY} -d " " -f 2- | ${SEDBINARY} 's/ /:space:/g')
 if [ ! "${FIND}" = "" ]; then
 LogText "Result: found warning(s) in output"
 for I in ${FIND}; do
From 68da1d2b923d39bba4d56ad4b1f10c17e52b9dca Mon Sep 17 00:00:00 2001
From: xnoguer
Date: Wed, 26 Apr 2023 17:38:42 -0400
Subject: [PATCH 079/282] Fixing test on kernel major and minor version
---
 include/tests_filesystems | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/include/tests_filesystems b/include/tests_filesystems
index ab6191aa..fe0877a3 100644
--- a/include/tests_filesystems
+++ b/include/tests_filesystems
@@ -346,7 +346,13 @@
 LINUX_KERNEL_MAJOR=$(echo $OS_KERNELVERSION | ${AWKBINARY} -F. '{print $1}')
 LINUX_KERNEL_MINOR=$(echo $OS_KERNELVERSION | ${AWKBINARY} -F. '{print $2}')
 if [ -n "${LINUX_KERNEL_MAJOR}" -a -n "${LINUX_KERNEL_MINOR}" ]; then
- if [ ${LINUX_KERNEL_MAJOR} -ge 3 -a ${LINUX_KERNEL_MINOR} -ge 3 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ if [ ${LINUX_KERNEL_MAJOR} -ge 3 -a ${LINUX_KERNEL_MINOR} -ge 3 ]; then
+ PREQS_MET="YES";
+ elif [ ${LINUX_KERNEL_MAJOR} -ge 4 ]; then
+ PREQS_MET="YES";
+ else
+ PREQS_MET="NO";
+ fi
 else
 PREQS_MET="NO";
 fi
From e1cb35f28fdc4d9340087f581c5408cc629679d6 Mon Sep 17 00:00:00 2001
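Review bot: The log line under the changed grep, `LogText "Result: found warning(s) in output"`, still describes every match as a warning, while the new pattern `"^WARNING:|^ERROR:"` also collects ERROR: lines and the following `cut -d " " -f 2-` strips the prefix that told them apart, so whatever consumes FIND downstream presumably can no longer distinguish the two severities. Either keep the prefix in the captured value (cut from field 1, or drop the cut) so an error is reported as an error, or at minimum change the text to `LogText "Result: found warning(s) or error(s) in output"`. The `if [ ! "${FIND}" = "" ]` block continues past the end of the hunk.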
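Review bot: The new branch structure states "kernel 3.3 or newer" only indirectly — the first test demands minor >= 3 even for major 4 and up and relies on the `elif` to rescue versions like 5.1, which reads as if 4.0–4.2 were a special case. A single condition expresses the intent and keeps the original one-liner shape: `if [ ${LINUX_KERNEL_MAJOR} -gt 3 ] || [ ${LINUX_KERNEL_MAJOR} -eq 3 -a ${LINUX_KERNEL_MINOR} -ge 3 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi`. The trailing semicolons on the `PREQS_MET="YES";` and `PREQS_MET="NO";` lines are leftovers from the one-liner and can go. Both values come from `awk -F.` over OS_KERNELVERSION, so a non-numeric second field would make every `-ge` comparison a test error rather than a "NO"; that is pre-existing, but worth a comment now that there are three comparisons instead of one.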
From: xnoguer
Date: Thu, 27 Apr 2023 17:31:32 -0400
Subject: [PATCH 080/282] Adding package libpam-passwdqc as suggestion
---
 include/tests_authentication | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/tests_authentication b/include/tests_authentication
index 0552d646..4f3e8287 100644
--- a/include/tests_authentication
+++ b/include/tests_authentication
@@ -717,7 +717,7 @@
 if [ ${FOUND} -eq 0 ]; then
 Display --indent 2 --text "- PAM password strength tools" --result "${STATUS_SUGGESTION}" --color YELLOW
 LogText "Result: no PAM modules for password strength testing found"
- ReportSuggestion "${TEST_NO}" "Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc"
+ ReportSuggestion "${TEST_NO}" "Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc or libpam-passwdqc"
 AddHP 0 3
 else
 Display --indent 2 --text "- PAM password strength tools" --result "${STATUS_OK}" --color GREEN
From dde2299e69810261c3f1e181ce82bf93c07397ae Mon Sep 17 00:00:00 2001
From: Michael Boelen
Date: Tue, 2 May 2023 08:42:59 +0000
Subject: [PATCH 081/282] Updated log
---
 CHANGELOG.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ad1cbeb8..ab464ab6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,7 +3,11 @@
 ## Lynis 3.0.9 (not released yet)
 ### Changed
-- DBS-1820 - added newer style format for Mongo authorization setting
+- DBS-1820 - Added newer style format for Mongo authorization setting
+- FILE-6410 - Locations added for plocate
+- SSH-7408 - Only test Compression if sshd version < 7.4
+- Improved fetching timestamp
+- Minor changes such as typos
 ---------------------------------------------------------------------------------
From 87624e7c758dd3f208f40405863b198b3dd36080 Mon Sep 17 00:00:00 2001
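Review bot: libpam-passwdqc is the Debian/Ubuntu package that ships the pam_passwdqc module already named in the same sentence, so the suggestion now lists one module twice under two names and mixes module names with a distribution package name. Keeping the two kinds apart reads better and is less confusing for the person acting on the suggestion: `ReportSuggestion "${TEST_NO}" "Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc (e.g. package libpam-passwdqc on Debian-based systems)"`.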
From: Michael Boelen
Date: Tue, 2 May 2023 08:47:25 +0000
Subject: [PATCH 082/282] Release version 3.0.9
---
 CHANGELOG.md | 2 +-
 lynis | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ab464ab6..eba36baf 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,6 @@
 # Lynis Changelog
-## Lynis 3.0.9 (not released yet)
+## Lynis 3.0.9 (2023-05-02)
 ### Changed
 - DBS-1820 - Added newer style format for Mongo authorization setting
diff --git a/lynis b/lynis
index 3f6d3b84..2378b4cd 100755
--- a/lynis
+++ b/lynis
@@ -43,10 +43,10 @@
 PROGRAM_WEBSITE="https://cisofy.com/lynis/"
 # Version details
- PROGRAM_RELEASE_DATE="2022-05-17"
- PROGRAM_RELEASE_TIMESTAMP=1652791205
+ PROGRAM_RELEASE_DATE="2023-05-02"
+ PROGRAM_RELEASE_TIMESTAMP=1683017189
 PROGRAM_RELEASE_TYPE="release" # pre-release or release
- PROGRAM_VERSION="3.0.8"
+ PROGRAM_VERSION="3.0.9"
 # Source, documentation and license
 PROGRAM_SOURCE="https://github.com/CISOfy/lynis"
From 2b82fa6ebad1d82ba41acdce50dbdbb7aae56abe Mon Sep 17 00:00:00 2001
From: Armin Kuster
Date: Tue, 2 May 2023 16:22:13 -0400
Subject: [PATCH 083/282] osdetection: add OpenEmbedded and Poky
Signed-off-by: Armin Kuster
---
 include/osdetection | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/include/osdetection b/include/osdetection
index 989b1b38..e5974e5f 100644
--- a/include/osdetection
+++ b/include/osdetection
@@ -308,6 +308,12 @@
 OS_REDHAT_OR_CLONE=1
 OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
 ;;
+ "nodistro")
+ LINUX_VERSION="openembedded"
+ OS_NAME="OpenEmbedded"
+ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ ;;
 "opensuse-tumbleweed")
 LINUX_VERSION="openSUSE Tumbleweed"
 # It's rolling release but has a snapshot version (the date of the snapshot)
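Review bot: The two new os-release cases assign the vendor names inconsistently: `"nodistro")` sets `LINUX_VERSION="openembedded"` with `OS_NAME="OpenEmbedded"`, while the `"poky")` case in the next hunk (@@ -330,6 +336,14 @@) sets `LINUX_VERSION="Poky"`, `OS_NAME="openembedded"` and `LINUX_VERSION_LIKE="openembedded"`, and the neighbouring cases use a display name for both fields (`OS_NAME="Debian"`, `LINUX_VERSION_LIKE="Ubuntu"`). Anything downstream that compares these strings will presumably see two different spellings for the same distribution family; `OS_NAME="OpenEmbedded"` and `LINUX_VERSION_LIKE="OpenEmbedded"` in the poky case, plus a LINUX_VERSION_LIKE in the nodistro case, would line them up. The nodistro case also reads `^VERSION=` for OS_VERSION_FULL where poky and the surrounding entries read `^PRETTY_NAME=`, and the poky case carries a stray blank line before its `;;`.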
@@ -330,6 +336,14 @@
 OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
 OS_VERSION_FULL=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
 ;;
+ "poky")
+ LINUX_VERSION="Poky"
+ OS_NAME="openembedded"
+ LINUX_VERSION_LIKE="openembedded"
+ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ OS_VERSION_FULL=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+
+ ;;
 "pop")
 LINUX_VERSION="Pop!_OS"
 LINUX_VERSION_LIKE="Ubuntu"
From 8ac8629bfe3dcf1168b99baf5c3a3f99d1298eac Mon Sep 17 00:00:00 2001
From: Ian Chesal
Date: Wed, 10 May 2023 17:02:33 -0400
Subject: [PATCH 084/282] feat(editorconfig): Add a .editorconfig file to the project
Modern editors read this file and use it to enforce formatting consistency in files for a project. See: https://editorconfig.org/ Settings were made accoring to what is written in the CONTRIBUTING.md file.
---
 .editorconfig | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 .editorconfig
diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 00000000..d630ab92
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,7 @@
+# See: https://editorconfig.org/
+
+root = true
+
+[*]
+indent_style = space
+indent_size = 4
From 1aba2b14090d2ccaeffe3bdb9d0a187f1bb96b79 Mon Sep 17 00:00:00 2001
From: Ian Chesal
Date: Wed, 10 May 2023 17:04:57 -0400
Subject: [PATCH 085/282] feat(cos): Add detection for Google's Container-Optimized OS
---
 include/osdetection | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/include/osdetection b/include/osdetection
index 989b1b38..eeeb120d 100644
--- a/include/osdetection
+++ b/include/osdetection
@@ -208,6 +208,11 @@
 OS_NAME="CoreOS Linux"
 OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
 ;;
+ "cos")
+ LINUX_VERSION="Container-Optimized OS"
+ OS_NAME="Container-Optimized OS from Google"
+ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ ;;
 "debian")
 LINUX_VERSION="Debian"
 OS_NAME="Debian"
From ae129b24beb9e9fc3cde7f45e33fea41a694efd5 Mon Sep 17 00:00:00 2001
From: Xavier Noguer
Date: Thu, 18 May 2023 22:02:30 +0000
Subject: [PATCH 086/282] Adding missing test number for suggestion
---
 include/tests_nameservices | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/tests_nameservices b/include/tests_nameservices
index 8c483d08..5431b0ff 100644
--- a/include/tests_nameservices
+++ b/include/tests_nameservices
@@ -485,7 +485,7 @@
 LogText "Result: ypldap is running"
 Display --indent 2 --text "- Checking ypldap status" --result "${STATUS_FOUND}" --color GREEN
 else
- ReportSuggestion "Disable the usage of NIS/NIS+ and use an alternative like LDAP or Kerberos instead"
+ ReportSuggestion "${TEST_NO}" "Disable the usage of NIS/NIS+ and use an alternative like LDAP or Kerberos instead"
 fi
 else
 LogText "Result: ypbind is not active"
From 6fdfa0a0129e2866ebdc233d771722d09034d9cc Mon Sep 17 00:00:00 2001
From: Xavier Noguer
Date: Fri, 19 May 2023 23:12:39 +0000
Subject: [PATCH 087/282] Replacing deprecated option -i
---
 include/tests_databases | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/tests_databases b/include/tests_databases
index e973d23f..dbc1d857 100644
--- a/include/tests_databases
+++ b/include/tests_databases
@@ -216,8 +216,8 @@
 Register --test-no DBS-1828 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Test PostgreSQL configuration"
 if [ ${SKIPTEST} -eq 0 ]; then
- FIND_PATHS="${ROOTDIR}etc/postgres ${ROOTDIR}var/lib/postgres/data ${ROOTDIR}usr/local/pgsql/data"
- CONFIG_FILES=$(${FINDBINARY} -L ${FIND_PATHS} -type f -name "*.conf" -print0 2> /dev/null | ${TRBINARY} -cd '[:print:]\0' | ${TRBINARY} -d '\n' | ${TRBINARY} '\0' '\n' | xargs -i sh -c 'test -r "{}" && echo "{}"' | ${SEDBINARY} "s/ /:space:/g")
+ FIND_PATHS="${ROOTDIR}etc/postgres ${ROOTDIR}etc/postgresql ${ROOTDIR}var/lib/postgres/data ${ROOTDIR}usr/local/pgsql/data"
+ CONFIG_FILES=$(${FINDBINARY} -L ${FIND_PATHS} -type f -name "*.conf" -print0 2> /dev/null | ${TRBINARY} -cd '[:print:]\0' | ${TRBINARY} -d '\n' | ${TRBINARY} '\0' '\n' | xargs -I{} sh -c 'test -r "{}" && echo "{}"' | ${SEDBINARY} "s/ /:space:/g")
 for CF in ${CONFIG_FILES}; do
 Report "postgresql_config_file[]=${CF}"
 LogText "Found configuration file (${CF})"
From dbf263dbbd218e6bdf19e7d096c9595e40a8fee1 Mon Sep 17 00:00:00 2001
From: Xavier Noguer
Date: Sat, 20 May 2023 15:58:12 +0000
Subject: [PATCH 088/282] Looking for configuration files in all /usr/local/pgsql/data* directories
---
 include/tests_databases | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/include/tests_databases b/include/tests_databases
index e973d23f..aeacaa4a 100644
--- a/include/tests_databases
+++ b/include/tests_databases
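Review bot: The rewritten `xargs -I{} sh -c 'test -r "{}" && echo "{}"'` still splices each file name found under the PostgreSQL directories into a shell command string, so a name containing a double quote, `$(` or a backtick is parsed as shell syntax by the `sh` this test spawns — typically as root, since that is how Lynis is normally run; the `tr -cd '[:print:]\0'` stage earlier in the pipeline only removes non-printable bytes and leaves those characters in place. Passing the name as a positional argument keeps it data: `xargs -I{} sh -c 'test -r "$1" && printf "%s\n" "$1"' sh {}`. The `-I{}` replacement for the deprecated `-i` is otherwise the right change. The `for CF` loop continues beyond the hunk.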
@@ -216,7 +216,8 @@
 Register --test-no DBS-1828 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Test PostgreSQL configuration"
 if [ ${SKIPTEST} -eq 0 ]; then
- FIND_PATHS="${ROOTDIR}etc/postgres ${ROOTDIR}var/lib/postgres/data ${ROOTDIR}usr/local/pgsql/data"
+ FIND_PATHS=$(${LSBINARY} -d ${ROOTDIR}usr/local/pgsql/data* 2> /dev/null)
+ FIND_PATHS="${FIND_PATHS} ${ROOTDIR}etc/postgres ${ROOTDIR}var/lib/postgres/data ${ROOTDIR}usr/local/pgsql/data"
 CONFIG_FILES=$(${FINDBINARY} -L ${FIND_PATHS} -type f -name "*.conf" -print0 2> /dev/null | ${TRBINARY} -cd '[:print:]\0' | ${TRBINARY} -d '\n' | ${TRBINARY} '\0' '\n' | xargs -i sh -c 'test -r "{}" && echo "{}"' | ${SEDBINARY} "s/ /:space:/g")
 for CF in ${CONFIG_FILES}; do
 Report "postgresql_config_file[]=${CF}"
From 9f36e17ee0afd881468c496da3d1ae4ba80956b3 Mon Sep 17 00:00:00 2001
From: Xavier Noguer
Date: Tue, 23 May 2023 15:07:42 +0000
Subject: [PATCH 089/282] Added tests considering Wazuh for file integrity and tooling
---
 db/tests.db | 2 ++
 include/tests_file_integrity | 19 +++++++++++++++++++
 include/tests_hardening | 2 +-
 include/tests_tooling | 29 +++++++++++++++++++++++++++++
 4 files changed, 51 insertions(+), 1 deletion(-)
diff --git a/db/tests.db b/db/tests.db
index e4dc8fbd..69a68bc9 100644
--- a/db/tests.db
+++ b/db/tests.db
@@ -148,6 +148,7 @@ FINT-4338:test:security:file_integrity::osqueryd syscheck daemon running:
 FINT-4339:test:security:file_integrity:Linux:Check IMA/EVM Status
 FINT-4340:test:security:file_integrity:Linux:Check dm-integrity status
 FINT-4341:test:security:file_integrity:Linux:Check dm-verity status
+FINT-4344:test:security:file_integrity::Wazuh syscheck daemon running:
 FINT-4350:test:security:file_integrity::File integrity software installed:
 FINT-4402:test:security:file_integrity::Checksums (SHA256 or SHA512):
 FIRE-4502:test:security:firewalls:Linux:Check iptables kernel module:
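Review bot: `${ROOTDIR}usr/local/pgsql/data` is now listed twice whenever it exists — once from the `ls -d .../data*` expansion and once literally in the second FIND_PATHS assignment — so `find` walks it twice and every config file under it is reported and logged twice by the `for CF` loop. Dropping the literal entry, `FIND_PATHS="${FIND_PATHS} ${ROOTDIR}etc/postgres ${ROOTDIR}var/lib/postgres/data"`, keeps the old coverage and adds the data* siblings. Parsing `ls` output also splits on spaces in directory names; since `${FIND_PATHS}` is already expanded unquoted at the `find` call, putting the pattern straight into the string (`FIND_PATHS="${ROOTDIR}usr/local/pgsql/data* ${ROOTDIR}etc/postgres ..."`) achieves the same globbing without the extra process. Note this patch and the previous one both start from index e973d23f and edit the same lines, so the two will need reconciling.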
@@ -437,6 +438,7 @@ TOOL-5102:test:security:tooling::Check for presence of Fail2ban: TOOL-5104:test:security:tooling::Enabled tests for Fail2ban: TOOL-5120:test:security:tooling::Presence of Snort IDS: TOOL-5122:test:security:tooling::Snort IDS configuration file: +TOOL-5128:test:security:tooling::Check for active Wazuh daemon: TOOL-5130:test:security:tooling::Check for active Suricata daemon: TOOL-5160:test:security:tooling::Check for active OSSEC daemon: TOOL-5190:test:security:tooling::Check presence of available IDS/IPS tooling: diff --git a/include/tests_file_integrity b/include/tests_file_integrity index 8a38b97e..a0bf497f 100644 --- a/include/tests_file_integrity +++ b/include/tests_file_integrity @@ -398,6 +398,25 @@ fi # ################################################################################# +# + # Test : FINT-4344 + # Description : Check if Wazuh system integrity tool is running + Register --test-no FINT-4344 --weight L --network NO --category security --description "Wazuh syscheck daemon running" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: Checking if Wazuh syscheck daemon is running" + if IsRunning "wazuh-syscheckd"; then + LogText "Result: syscheck (Wazuh) active" + Report "file_integrity_tool[]=wazuh" + FILE_INT_TOOL="wazuh-syscheck" + FILE_INT_TOOL_FOUND=1 + Display --indent 4 --text "- Wazuh (syscheck)" --result "${STATUS_FOUND}" --color GREEN + else + LogText "Result: syscheck (Wazuh) is not active" + if IsVerbose; then Display --indent 4 --text "- Wazuh" --result "${STATUS_NOT_FOUND}" --color WHITE; fi + fi + fi +# +################################################################################# # # Test : FINT-4402 (was FINT-4316) # Description : Check if AIDE is configured to use SHA256 or SHA512 checksums diff --git a/include/tests_hardening b/include/tests_hardening index c414edb6..8ca04d6d 100644 --- a/include/tests_hardening +++ b/include/tests_hardening 
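Review bot: In the FINT-4344 block, `FILE_INT_TOOL="wazuh-syscheck"` records a different name from the `Report "file_integrity_tool[]=wazuh"` line two lines above it, so the same detection is stored under two spellings; the TOOL-5128 block added in the same commit uses `wazuh` plus the daemon name consistently. Unless FILE_INT_TOOL is meant to carry the component rather than the product, `FILE_INT_TOOL="wazuh"` keeps the two in step. The verbose-only "not found" Display in the else branch matches the style of the other file-integrity checks, which is good; a one-line comment above the `IsRunning "wazuh-syscheckd"` test saying it covers both agent and manager installations would help the next reader.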
@@ -99,7 +99,7 @@ else Display --indent 4 --text "- Installed malware scanner" --result "${STATUS_NOT_FOUND}" --color RED fi - ReportSuggestion "${TEST_NO}" "Harden the system by installing at least one malware scanner, to perform periodic file system scans" "-" "Install a tool like rkhunter, chkrootkit, OSSEC" + ReportSuggestion "${TEST_NO}" "Harden the system by installing at least one malware scanner, to perform periodic file system scans" "-" "Install a tool like rkhunter, chkrootkit, OSSEC, Wazuh" AddHP 1 3 LogText "Result: no malware scanner found" fi diff --git a/include/tests_tooling b/include/tests_tooling index 083f5045..2ef9f81b 100644 --- a/include/tests_tooling +++ b/include/tests_tooling @@ -428,6 +428,35 @@ fi # ################################################################################# +# + # Test : TOOL-5128 + # Description : Check for Wazuh daemon + Register --test-no TOOL-5128 --weight L --network NO --category security --description "Check for active Wazuh daemon" + if [ ${SKIPTEST} -eq 0 ]; then + # Server side + if IsRunning "wazuh-analysisd"; then + IDS_IPS_TOOL_FOUND=1 + Report "ids_ips_tooling[]=wazuh" + Report "ids_ips_tooling[]=wazuh-analysisd" + LogText "Result: Wazuh analysis daemon is active" + Display --indent 2 --text "- Checking presence of Wazuh (analysis)" --result "${STATUS_FOUND}" --color GREEN + else + LogText "Result: Wazuh analysis daemon not active" + fi + + # Client side + if IsRunning "wazuh-agentd"; then + IDS_IPS_TOOL_FOUND=1 + Report "ids_ips_tooling[]=wazuh" + Report "ids_ips_tooling[]=wazuh-agentd" + LogText "Result: Wazuh agent daemon is active" + Display --indent 2 --text "- Checking presence of Wazuh (agent)" --result "${STATUS_FOUND}" --color GREEN + else + LogText "Result: Wazuh agent daemon not active" + fi + fi +# +################################################################################# # # Test : TOOL-5190 # Description : Check for an IDS/IPS tool 
From 1e70cd0b9252f4d0e2b231c2b7c482cbee6560f0 Mon Sep 17 00:00:00 2001
From: Xavier Noguer
Date: Tue, 30 May 2023 08:04:36 +0000
Subject: [PATCH 090/282] Fixing missing or erroneous test number comments
---
 include/tests_insecure_services | 4 +++-
 include/tests_system_integrity | 2 ++
 include/tests_tooling | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/include/tests_insecure_services b/include/tests_insecure_services
index f01966f2..b27ff168 100644
--- a/include/tests_insecure_services
+++ b/include/tests_insecure_services
@@ -371,7 +371,7 @@
 #
 #################################################################################
 #
- # Test : INSE-8312
+ # Test : INSE-8322
 # Description : Check if telnet server is installed
 Register --test-no INSE-8322 --package-manager-required --weight L --network NO --category security --description "Check if telnet server is installed"
 if [ ${SKIPTEST} -eq 0 ]; then
@@ -492,6 +492,8 @@
 #
 #################################################################################
 #
+ # Test : INSE-8050
+ # Description : Check for insecure services on macOS
 if [ -n "${LAUNCHCTL_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="No launchctl binary on this system"; fi
 Register --test-no INSE-8050 --os "macOS" --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight M --network NO --category security --description "Check for insecure services on macOS"
 if [ ${SKIPTEST} -eq 0 ]; then
diff --git a/include/tests_system_integrity b/include/tests_system_integrity
index befe09a0..9c5b1e51 100644
--- a/include/tests_system_integrity
+++ b/include/tests_system_integrity
@@ -30,6 +30,8 @@
 #
 #################################################################################
 #
+ # Test : SINT-7010
+ # Description : System Integrity Status
 if [ -x ${ROOTDIR}/usr/bin/csrutil ]; then PREQS_MET="YES"; else PREQS_MET="NO"; SKIPREASON="No CSrutil binary found"; fi
 Register --test-no SINT-7010 --os MacOS --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight H --network NO --category security --description "System Integrity Status"
 if [ ${SKIPTEST} -eq 0 ]; then
diff --git a/include/tests_tooling b/include/tests_tooling
index 083f5045..cda48616 100644
--- a/include/tests_tooling
+++ b/include/tests_tooling
@@ -400,7 +400,7 @@
 #
 #################################################################################
 #
- # Test : TOOL-5160
+ # Test : TOOL-5126
 # Description : Check for OSSEC
 Register --test-no TOOL-5126 --weight L --network NO --category security --description "Check for active OSSEC daemon"
 if [ ${SKIPTEST} -eq 0 ]; then
From aa7085bf929bac4d454ed8f4c5dad413d3234f3d Mon Sep 17 00:00:00 2001
From: Ben Perry
Date: Tue, 30 May 2023 18:19:46 +1000
Subject: [PATCH 091/282] Update tests_malware
---
 include/tests_malware | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/include/tests_malware b/include/tests_malware
index 40336fa5..41814b43 100644
--- a/include/tests_malware
+++ b/include/tests_malware
@@ -39,6 +39,7 @@
 MALWARE_SCANNER_INSTALLED=0
 MALWARE_DAEMON_RUNNING=0
 ROOTKIT_SCANNER_FOUND=0
+ SENTINELONE_SCANNER_FOUND=0
 SOPHOS_SCANNER_RUNNING=0
 SYMANTEC_SCANNER_RUNNING=0
 SYNOLOGY_DAEMON_RUNNING=0
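Review bot: The variable initialised here is `SENTINELONE_SCANNER_FOUND=0`, but the block added in the next hunk of this patch (@@ -231,6 +232,20 @@) sets and tests `SENTINELONE_SCANNER_RUNNING`, which is never initialised; when none of the three processes is running the expansion is empty and `[ ${SENTINELONE_SCANNER_RUNNING} -eq 1 ]` becomes `[ -eq 1 ]`, a test syntax error rather than a false result. Change this line to `SENTINELONE_SCANNER_RUNNING=0`, which also matches the `SOPHOS_SCANNER_RUNNING=0` and `SYMANTEC_SCANNER_RUNNING=0` lines beside it.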
@@ -231,6 +232,20 @@
 Report "malware_scanner[]=mcafee"
 fi
+ # SentinelOne
+ LogText "Text: checking process sentineld (SentinelOne)"
+ if isRunning "sentineld"; then SENTINELONE_SCANNER_RUNNING=1; fi # macOS
+ if isRunning "s1-agent"; then SENTINELONE_SCANNER_RUNNING=1; fi # Linux
+ if isRunning "SentinelAgent"; then SENTINELONE_SCANNER_RUNNING=1; fi # Windows
+ if [ ${SENTINELONE_SCANNER_RUNNING} -eq 1 ]; then
+ FOUND=1
+ if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} SentinelOne" --result "${STATUS_FOUND}" --color GREEN; fi
+ LogText "Result: Found SentinelOne"
+ MALWARE_DAEMON_RUNNING=1
+ MALWARE_SCANNER_INSTALLED=1
+ Report "malware_scanner[]=sentinelone"
+ fi
+
 # Sophos savscand/SophosScanD
 LogText "Test: checking process savscand"
 if IsRunning "savscand"; then
From b16b4628c7d7bb585c50e7a0f8d7f75fc2308cf4 Mon Sep 17 00:00:00 2001
From: Xavier Noguer
Date: Tue, 30 May 2023 08:38:17 +0000
Subject: [PATCH 092/282] Fixing test numbers in db/tests.db with the actual numbers used for those tests
---
 db/tests.db | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/db/tests.db b/db/tests.db
index e4dc8fbd..5e7acf4c 100644
--- a/db/tests.db
+++ b/db/tests.db
@@ -204,7 +204,7 @@
 INSE-8200:test:security:insecure_services::Usage of TCP wrappers:
 INSE-8300:test:security:insecure_services::Presence of rsh client:
 INSE-8302:test:security:insecure_services::Presence of rsh server:
 INSE-8310:test:security:insecure_services::Presence of telnet client:
-INSE-8312:test:security:insecure_services::Presence of telnet server:
+INSE-8322:test:security:insecure_services::Presence of telnet server:
 INSE-8314:test:security:insecure_services::Presence of NIS client:
 INSE-8316:test:security:insecure_services::Presence of NIS server:
 INSE-8318:test:security:insecure_services::Presence of TFTP client:
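Review bot: The new block tests `${SENTINELONE_SCANNER_RUNNING}`, but the variable initialised in this commit's earlier hunk (@@ -39) is `SENTINELONE_SCANNER_FOUND=0`, so whenever none of the three processes is present the test expands to `[ -eq 1 ]`, prints a "unary operator expected" error and is never true; rename the initialisation to `SENTINELONE_SCANNER_RUNNING=0` (or quote the expansion with a default) so both hunks agree. The three probes call `isRunning` with a lower-case i, while the surrounding code, including the Sophos check directly below, calls `IsRunning`; unless a lower-case alias exists elsewhere, each probe is "command not found" and the agent is never detected. The log line reads `"Text: checking process ..."` where the sibling checks use `Test:`. The enclosing function starts and ends outside the hunk.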
@@ -438,7 +438,7 @@
 TOOL-5104:test:security:tooling::Enabled tests for Fail2ban:
 TOOL-5120:test:security:tooling::Presence of Snort IDS:
 TOOL-5122:test:security:tooling::Snort IDS configuration file:
 TOOL-5130:test:security:tooling::Check for active Suricata daemon:
-TOOL-5160:test:security:tooling::Check for active OSSEC daemon:
+TOOL-5126:test:security:tooling::Check for active OSSEC daemon:
 TOOL-5190:test:security:tooling::Check presence of available IDS/IPS tooling:
 USB-1000:test:security:storage:Linux:Check if USB storage is disabled:
 USB-2000:test:security:storage:Linux:Check USB authorizations:
From 6963e4e408fcebc16e00d5e286abfefd93627423 Mon Sep 17 00:00:00 2001
From: Xavier Noguer
Date: Tue, 30 May 2023 14:56:11 +0000
Subject: [PATCH 093/282] Updating parsing of arch-audit since arch-audit modified its output
---
 include/tests_ports_packages | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/include/tests_ports_packages b/include/tests_ports_packages
index 9ca1948d..6ffe1b54 100644
--- a/include/tests_ports_packages
+++ b/include/tests_ports_packages
@@ -347,12 +347,13 @@
 Register --test-no PKGS-7322 --os "Linux" --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Discover vulnerable packages with arch-audit"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: checking arch-audit output for vulnerable packages"
- FIND=$(${ARCH_AUDIT_BINARY} | ${SEDBINARY} 's/\.\..*$//' | ${SEDBINARY} 's/, //g' | ${SEDBINARY} 's/\(\["\|"\]\)//g' | ${SEDBINARY} 's/""/,/g' | ${AWKBINARY} '{ if($1=="Package") { print $2"|"$6"|"}}' | ${AWKBINARY} -F'|' 'NF>1{a[$1] = a[$1]","$2}END{for(i in a){print i""a[i]"|"}}' | ${SEDBINARY} 's/,/|cve=/' | ${SORTBINARY})
+ FIND=$(${ARCH_AUDIT_BINARY} | ${SEDBINARY} 's/ High risk!//' | ${SEDBINARY} 's/ Medium risk!//' | ${SEDBINARY} 's/ Low risk!//' | ${SEDBINARY} 's/\.\..*$//' | ${SEDBINARY} 's/, /,/g' | ${SEDBINARY} 's/\(\["\|"\]\)//g' | ${SEDBINARY} 's/""/,/g' | ${AWKBINARY} '{if ($0 ~ /is affected by CVE\-/) {print $1"|"$5"|"} else {ORS=""; print $1"|"; for (i=5; i<=NF; i++)print $i; print "\n"; ORS="\n"}}'| ${AWKBINARY} -F'|' 'NF>1{a[$1] = a[$1]","$2}END{for(i in a){print i""a[i]"|"}}' | ${SEDBINARY} 's/,CVE-/|cve=CVE-/' | ${SORTBINARY})
 if [ -z "${FIND}" ]; then
 LogText "Result: no vulnerable packages found with arch-audit"
 AddHP 10 10
 else
 LogText "Result: found one or more vulnerable packages"
+ VULNERABLE_PACKAGES_FOUND=1
 for ITEM in ${FIND}; do
 LogText "Found line: ${ITEM}"
 Report "vulnerable_package[]=${ITEM}"
From d26a98ca1921a99508267d333107e8121a970c99 Mon Sep 17 00:00:00 2001
From: Xavier Noguer
Date: Fri, 2 Jun 2023 09:16:28 +0000
Subject: [PATCH 094/282] Checking debsums default file to make sure cron jobs are enabled
---
 include/tests_ports_packages | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/include/tests_ports_packages b/include/tests_ports_packages
index 9ca1948d..1028d8fb 100644
--- a/include/tests_ports_packages
+++ b/include/tests_ports_packages
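Review bot: The rewritten `FIND=` pipeline has no comment describing the arch-audit line shapes it expects, and the commit subject says this is already a rewrite forced by an upstream output change; add a comment above it along the lines of `# Expects arch-audit lines of the form "<package> is affected by CVE-..." (single CVE) or the bracketed list form; the sed steps strip the "High/Medium/Low risk!" suffix and the trailing ".." text before awk joins CVEs per package`, so the next format change can be diagnosed from the code alone. The new `VULNERABLE_PACKAGES_FOUND=1` is set only in the else-branch; if nothing earlier in the file resets it to 0 (not visible in this hunk), it stays unset on the no-findings path, which is worth confirming. If arch-audit offers a machine-readable output mode, parsing that instead of its human-readable text would remove this class of breakage entirely. The enclosing `if [ ${SKIPTEST} -eq 0 ]` block ends outside the hunk.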
@@ -671,9 +671,20 @@
 # Check in /etc/cron.hourly, daily, weekly, monthly etc
 COUNT=$(find /etc/cron* -name debsums | wc -l)
 if [ ${COUNT} -gt 0 ]; then
- LogText "Result: Cron job is configured for debsums utility."
- Display --indent 6 --text "- Cron job for debsums" --result "${STATUS_FOUND}" --color GREEN
- AddHP 3 3
+ CRON_CHECK=""
+ if [ -f ${ROOTDIR}etc/default/debsums ]; then
+ CRON_CHECK=$(${GREPBINARY} CRON_CHECK /etc/default/debsums|${AWKBINARY} -F "=" '{print $2}')
+ fi
+ if [ "${CRON_CHECK}" = "daily" ] || [ "${CRON_CHECK}" = "weekly" ] || [ "${CRON_CHECK}" = "monthly" ]; then
+ LogText "Result: Cron job is configured for debsums utility."
+ Display --indent 6 --text "- Cron job for debsums" --result "${STATUS_FOUND}" --color GREEN
+ AddHP 3 3
+ else
+ LogText "Result: Cron job is not configured for debsums utility."
+ Display --indent 6 --text "- Cron job for debsums" --result "${STATUS_NOT_FOUND}" --color YELLOW
+ AddHP 1 3
+ ReportSuggestion "${TEST_NO}" "Check debsums configuration and enable checking regularly via a cron job (CRON_CHECK in default file)."
+ fi
 else
 LogText "Result: Cron job is not configured for debsums utility."
 Display --indent 6 --text "- Cron job for debsums" --result "${STATUS_NOT_FOUND}" --color YELLOW
From be5a63a45bd3454ed5bdd3f96a2f287c228307dd Mon Sep 17 00:00:00 2001
From: Jay Keller <70912302+digitalcheetah@users.noreply.github.com>
Date: Sat, 10 Jun 2023 11:03:48 +0000
Subject: [PATCH 095/282] Update osdetection with Guix
Closes issue #1379
---
 include/osdetection | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/include/osdetection b/include/osdetection
index 989b1b38..4c51a7a8 100644
--- a/include/osdetection
+++ b/include/osdetection
@@ -260,6 +260,12 @@
 OS_NAME="Gentoo Linux"
 OS_VERSION="Rolling release"
 ;;
+ "guix")
+ LINUX_VERSION="Guix"
+ OS_FULLNAME="Guix System"
+ OS_NAME="Guix"
+ OS_VERSION="Rolling release"
+ ;;
 "ipfire")
 LINUX_VERSION="IPFire"
 OS_NAME="IPFire"
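Review bot: The file-existence check uses `${ROOTDIR}etc/default/debsums` but the grep on the next line reads the hard-coded `/etc/default/debsums`, so with a non-root ROOTDIR the test probes one file and parses another; use `${GREPBINARY} "^CRON_CHECK=" ${ROOTDIR}etc/default/debsums` in both places. That also fixes the second problem: the unanchored pattern `CRON_CHECK` matches a commented-out `#CRON_CHECK=daily` (or any explanatory line mentioning the word), so a disabled setting can be reported as an enabled cron job and scored `AddHP 3 3`. If the value is written with quotes (`CRON_CHECK="daily"`) none of the three string comparisons will match either; stripping quotes the way osdetection does with `tr -d '"'` would cover that form, assuming the file allows it. The enclosing debsums test starts before and ends after this hunk.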
From 5214132e97313bc0660317605e816d2b72296617 Mon Sep 17 00:00:00 2001
From: Jay Keller <70912302+digitalcheetah@users.noreply.github.com>
Date: Sat, 10 Jun 2023 11:20:10 +0000
Subject: [PATCH 096/282] Update osdetection with LSDK
This should close issue #1393.
---
 include/osdetection | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/include/osdetection b/include/osdetection
index 989b1b38..fe92c500 100644
--- a/include/osdetection
+++ b/include/osdetection
@@ -278,6 +278,11 @@
 OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
 OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
 ;;
+ "lsdk")
+ LINUX_VERSION="NXP LSDK"
+ OS_NAME="NXP LSDK"
+ OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ ;;
 "mageia")
 LINUX_VERSION="Mageia"
 OS_NAME="Mageia"
From 6e3cea8c87c04dce721b8c7afa9027a810af5f96 Mon Sep 17 00:00:00 2001
From: rpmbuild
Date: Sun, 30 Jul 2023 09:37:10 +0200
Subject: [PATCH 097/282] use grep -E instead of egrep if possible
---
 include/binaries | 9 +++++++++
 include/tests_time | 2 +-
 lynis | 4 ++--
 3 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/include/binaries b/include/binaries
index 7aabba42..8b174eed 100644
--- a/include/binaries
+++ b/include/binaries
@@ -337,6 +337,15 @@
 Report "binaries_sgid_count=${SGID_BINARIES}"
 Report "binary_paths=${BINARY_PATHS_FOUND}"
+ # If grep is capable of extended regexp, use that instead of egrep to avoid annoying warning
+ if [ "${GREPBINARY:-}" ] ; then
+ ${GREPBINARY} --help | ${GREPBINARY} -e "extended-regexp" > /dev/null
+ if [ $? -eq 0 ] ; then
+ EGREPBINARY="${GREPBINARY} -E"
+ fi
+ fi
+
+
 # Test if the basic system tools are defined. These will be used during the audit.
 [ "${AWKBINARY:-}" ] || ExitFatal "awk binary not found"
 [ "${CAT_BINARY:-}" ] || ExitFatal "cat binary not found"
diff --git a/include/tests_time b/include/tests_time
index df9a86b7..f20beed8 100644
--- a/include/tests_time
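Review bot: The new `"lsdk")` arm sets `OS_VERSION_FULL` but not `OS_VERSION`, unlike the arm directly above it, which derives `OS_VERSION` from `VERSION_ID=` in /etc/os-release; if later reporting or EOL matching keys on `OS_VERSION` (not visible here), this release will show an empty version. Either add `OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')` to the arm, or add a comment such as `# NXP LSDK os-release has no VERSION_ID; only the full version string is available` so the omission reads as deliberate. The enclosing `case` starts and ends outside the hunk.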
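Review bot: `EGREPBINARY="${GREPBINARY} -E"` packs a command and an option into one variable, which only works where the expansion is left unquoted; the tests_time hunk of this same commit has to drop the quotes around `"${EGREPBINARY}"` for exactly that reason, and an unquoted expansion then breaks for any grep path containing whitespace. A cleaner shape keeps the binary and the option separate, e.g. a constructed `GREP_EXTENDED_OPTION="-E"` set by this probe and used as `"${GREPBINARY}" ${GREP_EXTENDED_OPTION} ...`, or simply calling `"${GREPBINARY}" -E` directly as the later "Only quote binary, not the option -E" commit ends up doing. The capability probe greps `--help` output for the literal `extended-regexp`, so on any grep whose help text does not list long options the code silently stays on egrep and the warning this commit aims to remove still appears; a comment stating that fallback would help. Stylistically, `cmd | grep ... > /dev/null` followed by `if [ $? -eq 0 ]` can be `if ${GREPBINARY} --help | ${GREPBINARY} -q -e "extended-regexp"; then`.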
+++ b/include/tests_time
@@ -164,7 +164,7 @@
 FIND=$(echo "${J}" | ${EGREPBINARY} '/.placeholder$')
 if [ -f "${J}" ] && [ -r "${J}" ] && [ -z "${FIND}" ]; then
 LogText "Test: checking for ntpdate, rdate, sntp or ntpdig in ${J}"
- FIND=$("${EGREPBINARY}" "${CRONTAB_REGEX}" "${J}" | "${GREPBINARY}" -v "^#")
+ FIND=$(${EGREPBINARY} "${CRONTAB_REGEX}" "${J}" | "${GREPBINARY}" -v "^#")
 if [ -n "${FIND}" ]; then
 FOUND=1; FOUND_IN_CRON=1; NTP_CONFIG_TYPE_SCHEDULED=1
 LogText "Result: found ntpdate, rdate, sntp or ntpdig in ${J}"
diff --git a/lynis b/lynis
index 3f6d3b84..fd891d8e 100755
--- a/lynis
+++ b/lynis
@@ -217,10 +217,10 @@
 # Extract the short notation of the language (first two characters).
 if [ -x "$(command -v locale 2> /dev/null)" ]; then
- LANGUAGE=$(locale | egrep "^LANG=" | cut -d= -f2 | cut -d_ -f1 | tr -d '"' | egrep "^[a-z]{2}$")
+ LANGUAGE=$(locale | grep -e "^LANG=" | cut -d= -f2 | cut -d_ -f1 | tr -d '"' | grep -E -e "^[a-z]{2}$")
 # Try locale command if shell variable had no value
 if [ -z "${DISPLAY_LANG}" ]; then
- DISPLAY_LANG=$(locale | egrep "^LANG=" | cut -d= -f2)
+ DISPLAY_LANG=$(locale | grep -e "^LANG=" | cut -d= -f2)
 fi
 else
 LANGUAGE="en"
From e797d2d3bf59e9ab5bbdcd5cc7a5c1668500370f Mon Sep 17 00:00:00 2001
From: "Samuel Henrique (samueloph)"
Date: Wed, 2 Aug 2023 17:19:58 +0000
Subject: [PATCH 098/282] Update Amazon Linux EOL dates and add Amazon Linux 2023
Sources:
AL2023 EOL: https://docs.aws.amazon.com/linux/al2023/release-notes/support-info-by-support-statement.html#support-info-by-support-statement-eol
AL2 EOL: https://aws.amazon.com/amazon-linux-2/faqs/
AL EOL: https://aws.amazon.com/blogs/aws/update-on-amazon-linux-ami-end-of-life/
---
 db/software-eol.db | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/db/software-eol.db b/db/software-eol.db
index f8242d35..ff33a056 100644
--- a/db/software-eol.db
+++ b/db/software-eol.db
@@ -28,8 +28,9 @@ os:Alpine 3.8:2020-05-01:1588305600 # Amazon Linux # # Note: shortest entry is listed at end due to regular expression matching being used -os:Amazon Linux 2:2023-06-26:1687730400: -os:Amazon Linux:2020-06-30:1593468000: +os:Amazon Linux 2023:2028-03-15:1836691200: +os:Amazon Linux 2:2025-06-30:1751241600: +os:Amazon Linux:2023-12-31:1703980800: # # Arch Linux # From a23853eebd86573a3af9c889250cd7f916d2e3cd Mon Sep 17 00:00:00 2001 From: Amaury Korb <92906119+amkorb@users.noreply.github.com> Date: Wed, 2 Aug 2023 23:24:18 +0200 Subject: [PATCH 099/282] Add STATUS_NOT_ACTIVE --- db/languages/en | 1 + 1 file changed, 1 insertion(+) diff --git a/db/languages/en b/db/languages/en index 3fc11069..52ace1f7 100644 --- a/db/languages/en +++ b/db/languages/en @@ -84,6 +84,7 @@ STATUS_NO="NO" STATUS_NO_UPDATE="NO UPDATE" STATUS_NON_DEFAULT="NON DEFAULT" STATUS_NONE="NONE" +STATUS_NOT_ACTIVE="NOT ACTIVE" STATUS_NOT_CONFIGURED="NOT CONFIGURED" STATUS_NOT_DISABLED="NOT DISABLED" STATUS_NOT_ENABLED="NOT ENABLED" From e1bcfe955e3ad5b1f339eb584f83a8aae6ad919b Mon Sep 17 00:00:00 2001 From: Amaury Korb <92906119+amkorb@users.noreply.github.com> Date: Wed, 2 Aug 2023 23:24:47 +0200 Subject: [PATCH 100/282] Add STATUS_NOT_ACTIVE --- db/languages/az | 1 + 1 file changed, 1 insertion(+) diff --git a/db/languages/az b/db/languages/az index ffdf4254..24a0ca70 100644 --- a/db/languages/az +++ b/db/languages/az @@ -82,6 +82,7 @@ STATUS_FOUND="Tapıldı" #STATUS_MEDIUM="MEDIUM" #STATUS_NON_DEFAULT="NON DEFAULT" STATUS_NONE="Yox" +STATUS_NOT_ACTIVE="NOT ACTIVE" #STATUS_NOT_CONFIGURED="NOT CONFIGURED" #STATUS_NOT_DISABLED="NOT DISABLED" #STATUS_NOT_ENABLED="NOT ENABLED" From c3bdaa1e08b9bec567558046f4205d1e52a8f258 Mon Sep 17 00:00:00 2001 From: Amaury Korb <92906119+amkorb@users.noreply.github.com> Date: Wed, 2 Aug 2023 23:25:13 +0200 Subject: [PATCH 101/282] Add STATUS_NOT_ACTIVE --- db/languages/cn | 1 + 1 file changed, 1 insertion(+) 
diff --git a/db/languages/cn b/db/languages/cn index 76f181ca..11826db3 100644 --- a/db/languages/cn +++ b/db/languages/cn @@ -83,6 +83,7 @@ STATUS_FOUND="找到" #STATUS_MEDIUM="MEDIUM" #STATUS_NON_DEFAULT="NON DEFAULT" STATUS_NONE="没有" +STATUS_NOT_ACTIVE="NOT ACTIVE" #STATUS_NOT_CONFIGURED="NOT CONFIGURED" #STATUS_NOT_DISABLED="NOT DISABLED" #STATUS_NOT_ENABLED="NOT ENABLED" From 59d4261ab1c7e633eec70e4956634f9d58f13e09 Mon Sep 17 00:00:00 2001 From: Amaury Korb <92906119+amkorb@users.noreply.github.com> Date: Wed, 2 Aug 2023 23:25:30 +0200 Subject: [PATCH 102/282] Add STATUS_NOT_ACTIVE --- db/languages/da | 1 + 1 file changed, 1 insertion(+) diff --git a/db/languages/da b/db/languages/da index 21cac946..1bd77089 100644 --- a/db/languages/da +++ b/db/languages/da @@ -83,6 +83,7 @@ STATUS_FOUND="FUNDET" #STATUS_NON_DEFAULT="NON DEFAULT" STATUS_NONE="INGEN" STATUS_NO="NEJ" +STATUS_NOT_ACTIVE="NOT ACTIVE" #STATUS_NOT_CONFIGURED="NOT CONFIGURED" #STATUS_NOT_DISABLED="NOT DISABLED" STATUS_NOT_ENABLED="IKKE AKTIVERET" From 03bbf37faba788cabc4b86c01125a35fb2d2b955 Mon Sep 17 00:00:00 2001 From: Amaury Korb <92906119+amkorb@users.noreply.github.com> Date: Wed, 2 Aug 2023 23:25:47 +0200 Subject: [PATCH 103/282] Add STATUS_NOT_ACTIVE --- db/languages/de | 1 + 1 file changed, 1 insertion(+) diff --git a/db/languages/de b/db/languages/de index fad25db9..942693a3 100644 --- a/db/languages/de +++ b/db/languages/de @@ -84,6 +84,7 @@ STATUS_NO="NEIN" STATUS_NO_UPDATE="KEINE AKTUALISIERUNG" STATUS_NON_DEFAULT="NICHT STANDARD" STATUS_NONE="NICHTS" +STATUS_NOT_ACTIVE="NOT ACTIVE" STATUS_NOT_CONFIGURED="NICHT KONFIGURIERT" STATUS_NOT_DISABLED="NICHT DEAKTIVIERT" STATUS_NOT_ENABLED="NICHT AKTIVIERT" From ae1903ca2b0f75fae4de64ffd32bbb43c25b0188 Mon Sep 17 00:00:00 2001 From: Amaury Korb <92906119+amkorb@users.noreply.github.com> Date: Wed, 2 Aug 2023 23:26:14 +0200 Subject: [PATCH 104/282] Add STATUS_NOT_ACTIVE --- db/languages/es | 1 + 1 file changed, 1 insertion(+) 
diff --git a/db/languages/es b/db/languages/es index fceb261f..1ad53db5 100644 --- a/db/languages/es +++ b/db/languages/es @@ -85,6 +85,7 @@ STATUS_NO_UPDATE="SIN ACTUALIZACIÓN" STATUS_NO="NO" STATUS_NON_DEFAULT="NO POR DEFECTO" STATUS_NONE="NINGUNO" +STATUS_NOT_ACTIVE="NOT ACTIVE" STATUS_NOT_CONFIGURED="NO CONFIGURADO" STATUS_NOT_DISABLED="NO DESHABILITADO" STATUS_NOT_ENABLED="NO HABILITADO" From 2eb902c87e578d343941a74617692f9e0072e9b3 Mon Sep 17 00:00:00 2001 From: Amaury Korb <92906119+amkorb@users.noreply.github.com> Date: Wed, 2 Aug 2023 23:26:32 +0200 Subject: [PATCH 105/282] Add STATUS_NOT_ACTIVE --- db/languages/fi | 1 + 1 file changed, 1 insertion(+) diff --git a/db/languages/fi b/db/languages/fi index 85e6593a..e8dc3564 100644 --- a/db/languages/fi +++ b/db/languages/fi @@ -83,6 +83,7 @@ STATUS_FOUND="LÖYTYNYT" STATUS_NO="EI" #STATUS_NON_DEFAULT="NON DEFAULT" STATUS_NONE="EI MITÄÄN" +STATUS_NOT_ACTIVE="NOT ACTIVE" #STATUS_NOT_CONFIGURED="NOT CONFIGURED" #STATUS_NOT_DISABLED="NOT DISABLED" #STATUS_NOT_ENABLED="NOT ENABLED" From 07864eb469d1a5605d43836a0913a231e053e291 Mon Sep 17 00:00:00 2001 From: Amaury Korb <92906119+amkorb@users.noreply.github.com> Date: Wed, 2 Aug 2023 23:26:51 +0200 Subject: [PATCH 106/282] Add STATUS_NOT_ACTIVE --- db/languages/fr | 1 + 1 file changed, 1 insertion(+) diff --git a/db/languages/fr b/db/languages/fr index d85d643d..d0be5c99 100644 --- a/db/languages/fr +++ b/db/languages/fr @@ -84,6 +84,7 @@ STATUS_NO="NON" STATUS_NO_UPDATE="PAS DE MISE A JOUR" STATUS_NON_DEFAULT="PAS PAR DÉFAUT" STATUS_NONE="AUCUN" +STATUS_NOT_ACTIVE="NOT ACTIVE" STATUS_NOT_CONFIGURED="NON CONFIGURÉ" STATUS_NOT_DISABLED="NON DESACTIVÉ" STATUS_NOT_ENABLED="NON ACTIVÉ" From 5db08f896c69e1e0d74dbd7e35f9bb8fe05b49fb Mon Sep 17 00:00:00 2001 From: Amaury Korb <92906119+amkorb@users.noreply.github.com> Date: Wed, 2 Aug 2023 23:27:08 +0200 Subject: [PATCH 107/282] Add STATUS_NOT_ACTIVE --- db/languages/gr | 1 + 1 file changed, 1 insertion(+) 
diff --git a/db/languages/gr b/db/languages/gr index 8d285f96..15c3e509 100644 --- a/db/languages/gr +++ b/db/languages/gr @@ -82,6 +82,7 @@ STATUS_FOUND="ΒΡΕΘΗΚΕ" #STATUS_MEDIUM="MEDIUM" #STATUS_NON_DEFAULT="NON DEFAULT" STATUS_NONE="ΚΑΝΕΝΑ" +STATUS_NOT_ACTIVE="NOT ACTIVE" #STATUS_NOT_CONFIGURED="NOT CONFIGURED" #STATUS_NOT_DISABLED="NOT DISABLED" #STATUS_NOT_ENABLED="NOT ENABLED" From 7ada6c3166458285394c416033a595baaa7aae7c Mon Sep 17 00:00:00 2001 From: Amaury Korb <92906119+amkorb@users.noreply.github.com> Date: Wed, 2 Aug 2023 23:27:25 +0200 Subject: [PATCH 108/282] Add STATUS_NOT_ACTIVE --- db/languages/he | 1 + 1 file changed, 1 insertion(+) diff --git a/db/languages/he b/db/languages/he index 83859123..9755bcf7 100644 --- a/db/languages/he +++ b/db/languages/he @@ -82,6 +82,7 @@ STATUS_FOUND="נמצא" #STATUS_MEDIUM="MEDIUM" #STATUS_NON_DEFAULT="NON DEFAULT" STATUS_NONE="אין כלל" +STATUS_NOT_ACTIVE="NOT ACTIVE" #STATUS_NOT_CONFIGURED="NOT CONFIGURED" #STATUS_NOT_DISABLED="NOT DISABLED" #STATUS_NOT_ENABLED="NOT ENABLED" From f4b7556f6cd0b38e9194535c797aabad8ab3e900 Mon Sep 17 00:00:00 2001 From: Amaury Korb <92906119+amkorb@users.noreply.github.com> Date: Wed, 2 Aug 2023 23:27:40 +0200 Subject: [PATCH 109/282] Add STATUS_NOT_ACTIVE --- db/languages/hu | 1 + 1 file changed, 1 insertion(+) diff --git a/db/languages/hu b/db/languages/hu index 1d055bd8..90ae29e1 100644 --- a/db/languages/hu +++ b/db/languages/hu @@ -83,6 +83,7 @@ STATUS_FOUND="FOUND" #STATUS_NON_DEFAULT="NON DEFAULT" STATUS_NO="NEM" STATUS_NONE="NONE" +STATUS_NOT_ACTIVE="NOT ACTIVE" #STATUS_NOT_CONFIGURED="NOT CONFIGURED" #STATUS_NOT_DISABLED="NOT DISABLED" #STATUS_NOT_ENABLED="NOT ENABLED" From 3d1969f3acf1155053b41fe3928d04a5ffb8bee4 Mon Sep 17 00:00:00 2001 From: Amaury Korb <92906119+amkorb@users.noreply.github.com> Date: Wed, 2 Aug 2023 23:27:55 +0200 Subject: [PATCH 110/282] Add STATUS_NOT_ACTIVE --- db/languages/it | 1 + 1 file changed, 1 insertion(+) 
diff --git a/db/languages/it b/db/languages/it index 3f3a8853..26ff3076 100644 --- a/db/languages/it +++ b/db/languages/it @@ -83,6 +83,7 @@ STATUS_FOUND="TROVATO" #STATUS_NON_DEFAULT="NON DEFAULT" STATUS_NONE="NESSUNO" STATUS_NO="NO" +STATUS_NOT_ACTIVE="NOT ACTIVE" STATUS_NOT_CONFIGURED="NON CONFIGURATO" #STATUS_NOT_DISABLED="NOT DISABLED" #STATUS_NOT_ENABLED="NOT ENABLED" From 2538a02c97ebf0ba69b3200a8e0b2ccc39f75410 Mon Sep 17 00:00:00 2001 From: Amaury Korb <92906119+amkorb@users.noreply.github.com> Date: Wed, 2 Aug 2023 23:28:10 +0200 Subject: [PATCH 111/282] Add STATUS_NOT_ACTIVE --- db/languages/ja | 1 + 1 file changed, 1 insertion(+) diff --git a/db/languages/ja b/db/languages/ja index 3e3de50c..846b1eb1 100644 --- a/db/languages/ja +++ b/db/languages/ja @@ -83,6 +83,7 @@ STATUS_FOUND="見つかりました" STATUS_NO="いいえ" #STATUS_NON_DEFAULT="NON DEFAULT" STATUS_NONE="なし" +STATUS_NOT_ACTIVE="NOT ACTIVE" #STATUS_NOT_CONFIGURED="NOT CONFIGURED" #STATUS_NOT_DISABLED="NOT DISABLED" #STATUS_NOT_ENABLED="NOT ENABLED" From 98f8318256771c795ca145461f86ba3e0cea00cc Mon Sep 17 00:00:00 2001 From: Amaury Korb <92906119+amkorb@users.noreply.github.com> Date: Wed, 2 Aug 2023 23:28:25 +0200 Subject: [PATCH 112/282] Add STATUS_NOT_ACTIVE --- db/languages/ko | 1 + 1 file changed, 1 insertion(+) diff --git a/db/languages/ko b/db/languages/ko index dba75b76..72d31d79 100644 --- a/db/languages/ko +++ b/db/languages/ko @@ -83,6 +83,7 @@ STATUS_FOUND="발견" STATUS_NO="아니오" #STATUS_NON_DEFAULT="NON DEFAULT" STATUS_NONE="없음" +STATUS_NOT_ACTIVE="NOT ACTIVE" #STATUS_NOT_CONFIGURED="NOT CONFIGURED" #STATUS_NOT_DISABLED="NOT DISABLED" #STATUS_NOT_ENABLED="NOT ENABLED" From 4c8af4da3b527746c0e04f6124da975321d3b3d4 Mon Sep 17 00:00:00 2001 From: Amaury Korb <92906119+amkorb@users.noreply.github.com> Date: Wed, 2 Aug 2023 23:28:41 +0200 Subject: [PATCH 113/282] Add STATUS_NOT_ACTIVE --- db/languages/nb-NO | 1 + 1 file changed, 1 insertion(+) 
diff --git a/db/languages/nb-NO b/db/languages/nb-NO index 84ddf269..ea3e8832 100644 --- a/db/languages/nb-NO +++ b/db/languages/nb-NO @@ -83,6 +83,7 @@ STATUS_FOUND="FUNNET" #STATUS_NON_DEFAULT="NON DEFAULT" STATUS_NO="NEI" STATUS_NONE="INGEN" +STATUS_NOT_ACTIVE="NOT ACTIVE" #STATUS_NOT_CONFIGURED="NOT CONFIGURED" #STATUS_NOT_DISABLED="NOT DISABLED" #STATUS_NOT_ENABLED="NOT ENABLED" From 0102139e256720ec0842ab0db1ce13119145ef00 Mon Sep 17 00:00:00 2001 From: Amaury Korb <92906119+amkorb@users.noreply.github.com> Date: Wed, 2 Aug 2023 23:28:53 +0200 Subject: [PATCH 114/282] Add STATUS_NOT_ACTIVE --- db/languages/nl | 1 + 1 file changed, 1 insertion(+) diff --git a/db/languages/nl b/db/languages/nl index 4c22b9fe..cdb92423 100644 --- a/db/languages/nl +++ b/db/languages/nl @@ -83,6 +83,7 @@ STATUS_FOUND="GEVONDEN" #STATUS_NON_DEFAULT="NON DEFAULT" STATUS_NO="NEE" STATUS_NONE="GEEN" +STATUS_NOT_ACTIVE="NOT ACTIVE" STATUS_NOT_CONFIGURED="NIET GECONFIGUREERD" #STATUS_NOT_DISABLED="NOT DISABLED" #STATUS_NOT_ENABLED="NOT ENABLED" From 03e23ac43cad01355cec830d3f93f889e8128ec1 Mon Sep 17 00:00:00 2001 From: Amaury Korb <92906119+amkorb@users.noreply.github.com> Date: Wed, 2 Aug 2023 23:29:10 +0200 Subject: [PATCH 115/282] Add STATUS_NOT_ACTIVE --- db/languages/pl | 1 + 1 file changed, 1 insertion(+) diff --git a/db/languages/pl b/db/languages/pl index 200bac79..887d0a7d 100644 --- a/db/languages/pl +++ b/db/languages/pl @@ -83,6 +83,7 @@ #STATUS_NON_DEFAULT="NON DEFAULT" #STATUS_NONE="NONE" #STATUS_NO="NO" +STATUS_NOT_ACTIVE="NOT ACTIVE" #STATUS_NOT_CONFIGURED="NOT CONFIGURED" #STATUS_NOT_DISABLED="NOT DISABLED" #STATUS_NOT_ENABLED="NOT ENABLED" From e69f02e8357701db5ac0d591a3fd2599fa3df242 Mon Sep 17 00:00:00 2001 From: Amaury Korb <92906119+amkorb@users.noreply.github.com> Date: Wed, 2 Aug 2023 23:29:23 +0200 Subject: [PATCH 116/282] Add STATUS_NOT_ACTIVE --- db/languages/pt | 1 + 1 file changed, 1 insertion(+) 
diff --git a/db/languages/pt b/db/languages/pt index 740fab6a..483fabd6 100644 --- a/db/languages/pt +++ b/db/languages/pt @@ -83,6 +83,7 @@ STATUS_FOUND="ENCONTRADO" STATUS_NO="NÃO" #STATUS_NON_DEFAULT="NON DEFAULT" STATUS_NONE="NENHUM" +STATUS_NOT_ACTIVE="NOT ACTIVE" #STATUS_NOT_CONFIGURED="NOT CONFIGURED" #STATUS_NOT_DISABLED="NOT DISABLED" #STATUS_NOT_ENABLED="NOT ENABLED" From ead7df73fe92ffc5eafe76a5484fdca5df3983ed Mon Sep 17 00:00:00 2001 From: Amaury Korb <92906119+amkorb@users.noreply.github.com> Date: Wed, 2 Aug 2023 23:29:39 +0200 Subject: [PATCH 117/282] Add STATUS_NOT_ACTIVE --- db/languages/ru | 1 + 1 file changed, 1 insertion(+) diff --git a/db/languages/ru b/db/languages/ru index c24603b6..55a4717b 100644 --- a/db/languages/ru +++ b/db/languages/ru @@ -82,6 +82,7 @@ STATUS_LOCAL_ONLY="ТОЛЬКО ЛОКАЛЬНО" STATUS_MEDIUM="СРЕДНИЙ" STATUS_NON_DEFAULT="НЕ ПО УМОЛЧАНИЮ" STATUS_NONE="Отсутствует" +STATUS_NOT_ACTIVE="NOT ACTIVE" STATUS_NOT_CONFIGURED="НЕ СКОНФИГУРИРОВАНО" STATUS_NOT_DISABLED="НЕ ОТКЛЮЧЕНО" STATUS_NOT_ENABLED="НЕ ВКЛЮЧЕНО" From e36fd3a5c0e60f3a53b233c77255f913937e0a6f Mon Sep 17 00:00:00 2001 From: Amaury Korb <92906119+amkorb@users.noreply.github.com> Date: Wed, 2 Aug 2023 23:29:52 +0200 Subject: [PATCH 118/282] Add STATUS_NOT_ACTIVE --- db/languages/se | 1 + 1 file changed, 1 insertion(+) diff --git a/db/languages/se b/db/languages/se index d77717b4..e5a90859 100644 --- a/db/languages/se +++ b/db/languages/se @@ -83,6 +83,7 @@ STATUS_FOUND="HITTAD" #STATUS_NON_DEFAULT="NON DEFAULT" STATUS_NONE="INGEN" STATUS_NO="NEJ" +STATUS_NOT_ACTIVE="NOT ACTIVE" #STATUS_NOT_CONFIGURED="NOT CONFIGURED" #STATUS_NOT_DISABLED="NOT DISABLED" #STATUS_NOT_ENABLED="NOT ENABLED" From e2ad42711523d6c939fadf7b8bdabea8d03490f9 Mon Sep 17 00:00:00 2001 From: Amaury Korb <92906119+amkorb@users.noreply.github.com> Date: Wed, 2 Aug 2023 23:30:05 +0200 Subject: [PATCH 119/282] Add STATUS_NOT_ACTIVE --- db/languages/sk | 1 + 1 file changed, 1 insertion(+) 
diff --git a/db/languages/sk b/db/languages/sk index 7f021ade..45a18943 100644 --- a/db/languages/sk +++ b/db/languages/sk @@ -83,6 +83,7 @@ STATUS_FOUND="NÁJDENÉ" #STATUS_NON_DEFAULT="NON DEFAULT" STATUS_NONE="ŽIADNE" STATUS_NO="NIE" +STATUS_NOT_ACTIVE="NOT ACTIVE" #STATUS_NOT_CONFIGURED="NOT CONFIGURED" #STATUS_NOT_DISABLED="NOT DISABLED" #STATUS_NOT_ENABLED="NOT ENABLED" From b2b6cd057eab9727ce8fc300e6b54e1021d81993 Mon Sep 17 00:00:00 2001 From: Amaury Korb <92906119+amkorb@users.noreply.github.com> Date: Wed, 2 Aug 2023 23:30:17 +0200 Subject: [PATCH 120/282] Add STATUS_NOT_ACTIVE --- db/languages/tr | 1 + 1 file changed, 1 insertion(+) diff --git a/db/languages/tr b/db/languages/tr index 62dcb514..585cfed5 100644 --- a/db/languages/tr +++ b/db/languages/tr @@ -83,6 +83,7 @@ STATUS_FOUND="BULUNDU" STATUS_NO="HAYIR" #STATUS_NON_DEFAULT="NON DEFAULT" STATUS_NONE="YOK" +STATUS_NOT_ACTIVE="NOT ACTIVE" #STATUS_NOT_CONFIGURED="NOT CONFIGURED" #STATUS_NOT_DISABLED="NOT DISABLED" #STATUS_NOT_ENABLED="NOT ENABLED" From c65da1aec9894e18645d3e760fd3bf179278f770 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Thu, 3 Aug 2023 11:44:41 +0000 Subject: [PATCH 121/282] Release 3.0.9 --- CHANGELOG.md | 2 +- lynis | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index eba36baf..eb3a4677 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,6 @@ # Lynis Changelog -## Lynis 3.0.9 (2023-05-02) +## Lynis 3.0.9 (2023-08-03) ### Changed - DBS-1820 - Added newer style format for Mongo authorization setting diff --git a/lynis b/lynis index 2378b4cd..d538deda 100755 --- a/lynis +++ b/lynis @@ -43,8 +43,8 @@ PROGRAM_WEBSITE="https://cisofy.com/lynis/" # Version details - PROGRAM_RELEASE_DATE="2023-05-02" - PROGRAM_RELEASE_TIMESTAMP=1683017189 + PROGRAM_RELEASE_DATE="2023-08-03" + PROGRAM_RELEASE_TIMESTAMP=1691062820 PROGRAM_RELEASE_TYPE="release" # pre-release or release PROGRAM_VERSION="3.0.9" 
From 5e8755c15f2e54d5d6f9500e14cc746bf8b05d82 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Thu, 3 Aug 2023 15:42:02 +0200 Subject: [PATCH 122/282] Update CHANGELOG.md --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index eb3a4677..248c1528 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,12 @@ # Lynis Changelog +## Lynis 3.1.0 (not released yet) + +### Changed +- STATUS_NOT_ACTIVE variable added to translation files + +--------------------------------------------------------------------------------- + ## Lynis 3.0.9 (2023-08-03) ### Changed From 66d1e90bf4dd40bb5829c53e1d81676718d6d9f2 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Thu, 3 Aug 2023 23:43:36 +0200 Subject: [PATCH 123/282] Update CHANGELOG.md --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 248c1528..3612e209 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ ## Lynis 3.1.0 (not released yet) ### Changed +- Updated Amazon Linux EOL dates and addition of Amazon Linux 2023 - STATUS_NOT_ACTIVE variable added to translation files --------------------------------------------------------------------------------- From 5e7aa8eb1a131fb5bcdbe4dd92c70e4aee884766 Mon Sep 17 00:00:00 2001 From: Samuel Henrique Date: Fri, 4 Aug 2023 19:00:31 +0100 Subject: [PATCH 124/282] software-eol.db: Add new Debian/Ubuntu releases and update EOL dates --- db/software-eol.db | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/db/software-eol.db b/db/software-eol.db index ff33a056..1d861c66 100644 --- a/db/software-eol.db +++ b/db/software-eol.db 
@@ -44,13 +44,16 @@ os:CentOS Linux 7:2024-06-30:1719698400: os:CentOS Linux 8:2029-05-31:1874872800: # # Debian - https://wiki.debian.org/DebianReleases#Production_Releases +# https://wiki.debian.org/LTS # os:Debian 5.0:2012-02-06:1328482800: os:Debian 6.0:2016-02-29:1456700400: os:Debian 7:2018-05-31:1527717600: os:Debian 8:2020-06-30:1593468000: -os:Debian 9:2022-01-01:1640991600: -os:Debian 10:2022-01-01:1640991600: +os:Debian 9:2022-06-30:1656547200: +os:Debian 10:2024-06-30:1719705600: +os:Debian 11:2026-06-30:1782777600: +os:Debian 12:2028-06-30:1845936000: # # Fedora - https://fedoraproject.org/wiki/End_of_life # @@ -240,6 +243,7 @@ os:Ubuntu 18.04:2023-05-01:1682892000: os:Ubuntu 18.10:2019-07-18:1563400800: os:Ubuntu 19.04:2020-01-01:1577833200: os:Ubuntu 20.04:2025-04-01:1743458400: +os:Ubuntu 22.04:2027-04-01:1806537600: # # OmniosCE - https://omniosce.org/releasenotes.html # From 461edd3e1f2708801ac987617a03b730eb10d362 Mon Sep 17 00:00:00 2001 From: al-lac Date: Mon, 7 Aug 2023 09:55:28 +0200 Subject: [PATCH 125/282] Add OS support for macOS Sonoma (14.x) --- include/osdetection | 1 + 1 file changed, 1 insertion(+) diff --git a/include/osdetection b/include/osdetection index bed25033..0f88c7f0 100644 --- a/include/osdetection +++ b/include/osdetection @@ -65,6 +65,7 @@ 11 | 11.[0-9]*) OS_FULLNAME="macOS Big Sur (${OS_VERSION})" ;; 12 | 12.[0-9]*) OS_FULLNAME="macOS Monterey (${OS_VERSION})" ;; 13 | 13.[0-9]*) OS_FULLNAME="macOS Ventura (${OS_VERSION})" ;; + 14 | 14.[0-9]*) OS_FULLNAME="macOS Sonoma (${OS_VERSION})" ;; *) echo "Unknown macOS version. Do you know what version it is? Create an issue at ${PROGRAM_SOURCE}" ;; esac else From 9d9cedee4ef4b1ab79d7288cb9bb3242d92b4939 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 8 Aug 2023 09:11:02 +0000 Subject: [PATCH 126/282] Only quote binary, not the option -E --- include/tests_time | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/include/tests_time b/include/tests_time index 7ff6755e..b68bc102 100644 --- a/include/tests_time +++ b/include/tests_time @@ -164,7 +164,7 @@ FIND=$(echo "${J}" | ${GREPBINARY} -E '/.placeholder$') if [ -f "${J}" ] && [ -r "${J}" ] && [ -z "${FIND}" ]; then LogText "Test: checking for ntpdate, rdate, sntp or ntpdig in ${J}" - FIND=$("${GREPBINARY} -E" "${CRONTAB_REGEX}" "${J}" | "${GREPBINARY}" -v "^#") + FIND=$("${GREPBINARY}" -E "${CRONTAB_REGEX}" "${J}" | "${GREPBINARY}" -v "^#") if [ -n "${FIND}" ]; then FOUND=1; FOUND_IN_CRON=1; NTP_CONFIG_TYPE_SCHEDULED=1 LogText "Result: found ntpdate, rdate, sntp or ntpdig in ${J}" From f74428a3d7a57536959f25824cadf64c1cd5e9e9 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 8 Aug 2023 11:09:37 +0000 Subject: [PATCH 127/282] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3612e209..fffcfe4f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,7 @@ ### Changed - Updated Amazon Linux EOL dates and addition of Amazon Linux 2023 - STATUS_NOT_ACTIVE variable added to translation files +- MALW-3280 - Correction to detect com.avast.daemon --------------------------------------------------------------------------------- From 0d77a367c59a0b5f1bdcb46380a518519160503b Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 8 Aug 2023 11:15:34 +0000 Subject: [PATCH 128/282] [MALW-3280] Correction to detect com.avast.daemon --- include/tests_malware | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_malware b/include/tests_malware index 40336fa5..2b3b6cb6 100644 --- a/include/tests_malware +++ b/include/tests_malware @@ -128,7 +128,7 @@ # Avast (macOS) LogText "Test: checking process com.avast.daemon" - if IsRunning "com.avast.daemon"; then + if IsRunning --full "com.avast.daemon"; then FOUND=1 AVAST_DAEMON_RUNNING=1 MALWARE_DAEMON_RUNNING=1 From 1bfcc9b1469fab0884df3d3a581089ebc79b79b9 Mon Sep 17 00:00:00 2001 
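Review bot: `"${GREPBINARY}" -v "^#"` on the rewritten line only drops comments that begin in column 0, so an indented `# ntpdate …` entry in a crontab still sets FOUND_IN_CRON and NTP_CONFIG_TYPE_SCHEDULED on the context lines that follow; `-v '^[[:space:]]*#'` filters commented-out entries regardless of indentation. The enclosing loop over `${J}` starts outside the hunk.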
From: Michael Boelen Date: Wed, 13 Sep 2023 16:07:41 +0200 Subject: [PATCH 129/282] Update tests_malware Corrected variable --- include/tests_malware | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_malware b/include/tests_malware index 41814b43..b016a46d 100644 --- a/include/tests_malware +++ b/include/tests_malware @@ -39,7 +39,7 @@ MALWARE_SCANNER_INSTALLED=0 MALWARE_DAEMON_RUNNING=0 ROOTKIT_SCANNER_FOUND=0 - SENTINELONE_SCANNER_FOUND=0 + SENTINELONE_SCANNER_RUNNING=0 SOPHOS_SCANNER_RUNNING=0 SYMANTEC_SCANNER_RUNNING=0 SYNOLOGY_DAEMON_RUNNING=0 From bf197ffd7fb949adcbc00b1136c6d3cf6bd3001a Mon Sep 17 00:00:00 2001 From: Stefan Baumgartner Date: Sun, 17 Sep 2023 10:24:52 +0200 Subject: [PATCH 130/282] Update tests_malware Fix incorrect "IsRunning" invocations for SentinelOne detection. --- include/tests_malware | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/include/tests_malware b/include/tests_malware index 9798fbff..87a721bc 100644 --- a/include/tests_malware +++ b/include/tests_malware @@ -234,9 +234,9 @@ # SentinelOne LogText "Text: checking process sentineld (SentinelOne)" - if isRunning "sentineld"; then SENTINELONE_SCANNER_RUNNING=1; fi # macOS - if isRunning "s1-agent"; then SENTINELONE_SCANNER_RUNNING=1; fi # Linux - if isRunning "SentinelAgent"; then SENTINELONE_SCANNER_RUNNING=1; fi # Windows + if IsRunning "sentineld"; then SENTINELONE_SCANNER_RUNNING=1; fi # macOS + if IsRunning "s1-agent"; then SENTINELONE_SCANNER_RUNNING=1; fi # Linux + if IsRunning "SentinelAgent"; then SENTINELONE_SCANNER_RUNNING=1; fi # Windows if [ ${SENTINELONE_SCANNER_RUNNING} -eq 1 ]; then FOUND=1 if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} SentinelOne" --result "${STATUS_FOUND}" --color GREEN; fi From bc36b3ec63bfebcc45ebf9a4dd2f550726de8c1e Mon Sep 17 00:00:00 2001 
From: Xavier Noguer Date: Tue, 19 Sep 2023 16:12:52 +0000 Subject: [PATCH 131/282] Avoiding warning because of hyphen. Due to changes in grep 3.8 --- include/tests_kernel | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_kernel b/include/tests_kernel index bba8080f..201d803e 100644 --- a/include/tests_kernel +++ b/include/tests_kernel @@ -692,7 +692,7 @@ else # Match on items like /boot/vm5.3.7 or /boot/vmlinuz-5.3.7-1-default. Sort based on versions (-v) and then find the last item # Note: ignore a rescue kernel (e.g. CentOS) - FOUND_VMLINUZ=$(${LSBINARY} -v ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${GREPBINARY} -v '\-rescue\-' | ${TAILBINARY} -1) + FOUND_VMLINUZ=$(${LSBINARY} -v ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${GREPBINARY} -v '\-rescue-' | ${TAILBINARY} -1) LogText "Result: found ${FOUND_VMLINUZ}" fi From 04a73a9c19bfe5e707cb1f8aeb0ba8f6dbf9a6f7 Mon Sep 17 00:00:00 2001 From: Xavier Noguer Date: Tue, 19 Sep 2023 16:46:20 +0000 Subject: [PATCH 132/282] Reverting change from another PR --- include/tests_php | 65 +++-------------------------------------------- 1 file changed, 4 insertions(+), 61 deletions(-) diff --git a/include/tests_php b/include/tests_php index beb1eca3..b5f53d9a 100644 --- a/include/tests_php +++ b/include/tests_php @@ -37,9 +37,6 @@ ${ROOTDIR}etc/php7.2/php.ini \ ${ROOTDIR}etc/php7.3/php.ini \ ${ROOTDIR}etc/php7.4/php.ini \ - ${ROOTDIR}etc/php8.0/php.ini \ - ${ROOTDIR}etc/php8.1/php.ini \ - ${ROOTDIR}etc/php8.2/php.ini \ ${ROOTDIR}etc/php/cgi-php5/php.ini \ ${ROOTDIR}etc/php/cli-php5/php.ini \ ${ROOTDIR}etc/php/apache2-php5/php.ini \ 
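Review bot: The pattern still begins with `\-`, the same stray-backslash construction that grep 3.8 warns about, so only one of the two warnings goes away here. The leading backslash is presumably there to stop `-rescue-` being parsed as an option; the portable way to do that is to pass the pattern explicitly, `${GREPBINARY} -v -e '-rescue-'` (or after `--`). The enclosing else-branch continues outside the hunk.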
@@ -50,9 +47,6 @@ ${ROOTDIR}etc/php/apache2-php7.2/php.ini \ ${ROOTDIR}etc/php/apache2-php7.3/php.ini \ ${ROOTDIR}etc/php/apache2-php7.4/php.ini \ - ${ROOTDIR}etc/php/apache2-php8.0/php.ini \ - ${ROOTDIR}etc/php/apache2-php8.1/php.ini \ - ${ROOTDIR}etc/php/apache2-php8.2/php.ini \ ${ROOTDIR}etc/php/cgi-php5.5/php.ini \ ${ROOTDIR}etc/php/cgi-php5.6/php.ini \ ${ROOTDIR}etc/php/cgi-php7.0/php.ini \ @@ -60,9 +54,6 @@ ${ROOTDIR}etc/php/cgi-php7.2/php.ini \ ${ROOTDIR}etc/php/cgi-php7.3/php.ini \ ${ROOTDIR}etc/php/cgi-php7.4/php.ini \ - ${ROOTDIR}etc/php/cgi-php8.0/php.ini \ - ${ROOTDIR}etc/php/cgi-php8.1/php.ini \ - ${ROOTDIR}etc/php/cgi-php8.2/php.ini \ ${ROOTDIR}etc/php/cli-php5.5/php.ini \ ${ROOTDIR}etc/php/cli-php5.6/php.ini \ ${ROOTDIR}etc/php/cli-php7.0/php.ini \ @@ -70,9 +61,6 @@ ${ROOTDIR}etc/php/cli-php7.2/php.ini \ ${ROOTDIR}etc/php/cli-php7.3/php.ini \ ${ROOTDIR}etc/php/cli-php7.4/php.ini \ - ${ROOTDIR}etc/php/cli-php8.0/php.ini \ - ${ROOTDIR}etc/php/cli-php8.1/php.ini \ - ${ROOTDIR}etc/php/cli-php8.2/php.ini \ ${ROOTDIR}etc/php/embed-php5.5/php.ini \ ${ROOTDIR}etc/php/embed-php5.6/php.ini \ ${ROOTDIR}etc/php/embed-php7.0/php.ini \ @@ -80,12 +68,6 @@ ${ROOTDIR}etc/php/embed-php7.2/php.ini \ ${ROOTDIR}etc/php/embed-php7.3/php.ini \ ${ROOTDIR}etc/php/embed-php7.4/php.ini \ - ${ROOTDIR}etc/php/embed-php8.0/php.ini \ - ${ROOTDIR}etc/php/embed-php8.1/php.ini \ - ${ROOTDIR}etc/php/embed-php8.2/php.ini \ - ${ROOTDIR}etc/php/fpm-php8.2/php.ini \ - ${ROOTDIR}etc/php/fpm-php8.1/php.ini \ - ${ROOTDIR}etc/php/fpm-php8.0/php.ini \ ${ROOTDIR}etc/php/fpm-php7.4/php.ini \ ${ROOTDIR}etc/php/fpm-php7.3/php.ini \ ${ROOTDIR}etc/php/fpm-php7.2/php.ini \ 
@@ -106,9 +88,6 @@ ${ROOTDIR}etc/php/7.2/apache2/php.ini \ ${ROOTDIR}etc/php/7.3/apache2/php.ini \ ${ROOTDIR}etc/php/7.4/apache2/php.ini \ - ${ROOTDIR}etc/php/8.0/apache2/php.ini \ - ${ROOTDIR}etc/php/8.1/apache2/php.ini \ - ${ROOTDIR}etc/php/8.2/apache2/php.ini \ ${ROOTDIR}etc/php/7.0/cli/php.ini \ ${ROOTDIR}etc/php/7.0/fpm/php.ini \ ${ROOTDIR}etc/php/7.1/cli/php.ini \ @@ -119,12 +98,6 @@ ${ROOTDIR}etc/php/7.3/fpm/php.ini \ ${ROOTDIR}etc/php/7.4/cli/php.ini \ ${ROOTDIR}etc/php/7.4/fpm/php.ini \ - ${ROOTDIR}etc/php/8.0/cli/php.ini \ - ${ROOTDIR}etc/php/8.0/fpm/php.ini \ - ${ROOTDIR}etc/php/8.1/cli/php.ini \ - ${ROOTDIR}etc/php/8.1/fpm/php.ini \ - ${ROOTDIR}etc/php/8.2/cli/php.ini \ - ${ROOTDIR}etc/php/8.2/fpm/php.ini \ ${ROOTDIR}var/www/conf/php.ini \ ${ROOTDIR}usr/local/etc/php.ini \ ${ROOTDIR}usr/local/lib/php.ini \ @@ -136,9 +109,6 @@ ${ROOTDIR}usr/local/php72/lib/php.ini \ ${ROOTDIR}usr/local/php73/lib/php.ini \ ${ROOTDIR}usr/local/php74/lib/php.ini \ - ${ROOTDIR}usr/local/php80/lib/php.ini \ - ${ROOTDIR}usr/local/php81/lib/php.ini \ - ${ROOTDIR}usr/local/php82/lib/php.ini \ ${ROOTDIR}usr/local/zend/etc/php.ini \ ${ROOTDIR}usr/pkg/etc/php.ini \ ${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.ini \ 
@@ -164,18 +134,12 @@ ${ROOTDIR}opt/alt/php72/etc/php.ini \ ${ROOTDIR}opt/alt/php73/etc/php.ini \ ${ROOTDIR}opt/alt/php74/etc/php.ini \ - ${ROOTDIR}opt/alt/php80/etc/php.ini \ - ${ROOTDIR}opt/alt/php81/etc/php.ini \ - ${ROOTDIR}opt/alt/php82/etc/php.ini \ ${ROOTDIR}etc/opt/remi/php56/php.ini \ ${ROOTDIR}etc/opt/remi/php70/php.ini \ ${ROOTDIR}etc/opt/remi/php71/php.ini \ ${ROOTDIR}etc/opt/remi/php72/php.ini \ ${ROOTDIR}etc/opt/remi/php73/php.ini \ - ${ROOTDIR}etc/opt/remi/php74/php.ini \ - ${ROOTDIR}etc/opt/remi/php80/php.ini \ - ${ROOTDIR}etc/opt/remi/php81/php.ini \ - ${ROOTDIR}etc/opt/remi/php82/php.ini" + ${ROOTDIR}etc/opt/remi/php74/php.ini" # HEADS-UP: OpenBSD, last two releases are supported, and snapshots of -current PHPINILOCS="${PHPINILOCS} \ ${ROOTDIR}etc/php-5.6.ini \ @@ -183,10 +147,7 @@ ${ROOTDIR}etc/php-7.1.ini \ ${ROOTDIR}etc/php-7.2.ini \ ${ROOTDIR}etc/php-7.3.ini \ - ${ROOTDIR}etc/php-7.4.ini \ - ${ROOTDIR}etc/php-8.0.ini \ - ${ROOTDIR}etc/php-8.1.ini \ - ${ROOTDIR}etc/php-8.2.ini" + ${ROOTDIR}etc/php-7.4.ini" PHPINIDIRS="${ROOTDIR}etc/php5/conf.d \ ${ROOTDIR}etc/php/7.0/cli/conf.d \ @@ -194,17 +155,11 @@ ${ROOTDIR}etc/php/7.2/cli/conf.d \ ${ROOTDIR}etc/php/7.3/cli/conf.d \ ${ROOTDIR}etc/php/7.4/cli/conf.d \ - ${ROOTDIR}etc/php/8.0/cli/conf.d \ - ${ROOTDIR}etc/php/8.1/cli/conf.d \ - ${ROOTDIR}etc/php/8.2/cli/conf.d \ ${ROOTDIR}etc/php/7.0/fpm/conf.d \ ${ROOTDIR}etc/php/7.1/fpm/conf.d \ ${ROOTDIR}etc/php/7.2/fpm/conf.d \ ${ROOTDIR}etc/php/7.3/fpm/conf.d \ ${ROOTDIR}etc/php/7.4/fpm/conf.d \ - ${ROOTDIR}etc/php/8.0/fpm/conf.d \ - ${ROOTDIR}etc/php/8.1/fpm/conf.d \ - ${ROOTDIR}etc/php/8.2/fpm/conf.d \ ${ROOTDIR}etc/php.d \ ${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.d \ ${ROOTDIR}opt/cpanel/ea-php55/root/etc/php.d \ 
@@ -214,9 +169,6 @@ ${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.d \ ${ROOTDIR}opt/cpanel/ea-php73/root/etc/php.d \ ${ROOTDIR}opt/cpanel/ea-php74/root/etc/php.d \ - ${ROOTDIR}opt/cpanel/ea-php80/root/etc/php.d \ - ${ROOTDIR}opt/cpanel/ea-php81/root/etc/php.d \ - ${ROOTDIR}opt/cpanel/ea-php82/root/etc/php.d \ ${ROOTDIR}opt/alt/php44/etc/php.d.all \ ${ROOTDIR}opt/alt/php51/etc/php.d.all \ ${ROOTDIR}opt/alt/php52/etc/php.d.all \ @@ -229,18 +181,12 @@ ${ROOTDIR}opt/alt/php72/etc/php.d.all \ ${ROOTDIR}opt/alt/php73/etc/php.d.all \ ${ROOTDIR}opt/alt/php74/etc/php.d.all \ - ${ROOTDIR}opt/alt/php80/etc/php.d.all \ - ${ROOTDIR}opt/alt/php81/etc/php.d.all \ - ${ROOTDIR}opt/alt/php82/etc/php.d.all \ ${ROOTDIR}usr/local/lib/php.conf.d \ ${ROOTDIR}usr/local/php70/lib/php.conf.d \ ${ROOTDIR}usr/local/php71/lib/php.conf.d \ ${ROOTDIR}usr/local/php72/lib/php.conf.d \ ${ROOTDIR}usr/local/php73/lib/php.conf.d \ - ${ROOTDIR}usr/local/php74/lib/php.conf.d \ - ${ROOTDIR}usr/local/php80/lib/php.conf.d \ - ${ROOTDIR}usr/local/php81/lib/php.conf.d \ - ${ROOTDIR}usr/local/php82/lib/php.conf.d" + ${ROOTDIR}usr/local/php74/lib/php.conf.d" # HEADS-UP: OpenBSD, last two releases are supported, and snapshots of -current PHPINIDIRS="${PHPINIDIRS} \ ${ROOTDIR}etc/php-5.6 \ @@ -248,10 +194,7 @@ ${ROOTDIR}etc/php-7.1 \ ${ROOTDIR}etc/php-7.2 \ ${ROOTDIR}etc/php-7.3 \ - ${ROOTDIR}etc/php-7.4 \ - ${ROOTDIR}etc/php-8.0 \ - ${ROOTDIR}etc/php-8.1 \ - ${ROOTDIR}etc/php-8.2" + ${ROOTDIR}etc/php-7.4" # ################################################################################# # From a5dbda51b9b44d9f2131271d8dfae0784fbf17c9 Mon Sep 17 00:00:00 2001 From: Xavier Noguer Date: Tue, 19 Sep 2023 16:47:23 +0000 Subject: [PATCH 133/282] Reverting change from another PR --- include/tests_php | 3 --- 1 file changed, 3 deletions(-) diff --git a/include/tests_php b/include/tests_php index b5f53d9a..04502f68 100644 --- a/include/tests_php +++ b/include/tests_php 
@@ -119,9 +119,6 @@ ${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.ini \ ${ROOTDIR}opt/cpanel/ea-php73/root/etc/php.ini \ ${ROOTDIR}opt/cpanel/ea-php74/root/etc/php.ini \ - ${ROOTDIR}opt/cpanel/ea-php80/root/etc/php.ini \ - ${ROOTDIR}opt/cpanel/ea-php81/root/etc/php.ini \ - ${ROOTDIR}opt/cpanel/ea-php82/root/etc/php.ini \ ${ROOTDIR}opt/alt/php44/etc/php.ini \ ${ROOTDIR}opt/alt/php51/etc/php.ini \ ${ROOTDIR}opt/alt/php52/etc/php.ini \ From 83e9ee4e0cb72f2d899d899f8e69c6bb6088f201 Mon Sep 17 00:00:00 2001 From: D3vil0p3r Date: Sun, 1 Oct 2023 13:15:37 +0200 Subject: [PATCH 134/282] added Athena OS detection --- include/osdetection | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/include/osdetection b/include/osdetection index b09bd2f0..97490723 100644 --- a/include/osdetection +++ b/include/osdetection @@ -181,6 +181,12 @@ OS_FULLNAME="Artix Linux" OS_VERSION="Rolling release" ;; + "athena") + LINUX_VERSION="Athena OS" + OS_NAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + ;; "bunsenlabs") LINUX_VERSION="BunsenLabs" OS_NAME="BunsenLabs" From ddd6e703063a9c03764b2538ee18749ef5be0bd5 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sat, 7 Oct 2023 11:35:09 +0200 Subject: [PATCH 135/282] Update CHANGELOG.md --- CHANGELOG.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fffcfe4f..807bbc51 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
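Review bot: The three new `OS_NAME`/`OS_VERSION`/`OS_VERSION_FULL` lines in the Athena arm call `grep`, `awk` and `tr` by bare name, whereas the test files in this series go through `${GREPBINARY}`/`${AWKBINARY}`; if osdetection runs before those variables are populated that is deliberate and deserves a one-line comment, otherwise the variables should be used here too. `tr -d '"'` strips only double quotes, while os-release values may also be single-quoted, and each value costs a three-process pipeline; a single `awk -F=` pass per key that strips both quote styles would cover both points. `grep "^VERSION="` is anchored, so it does not also match `VERSION_ID`, which is fine as written.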
@@ -3,9 +3,17 @@ ## Lynis 3.1.0 (not released yet) ### Changed +- MALW-3280 - Correction to detect com.avast.daemon +- OS detection added for Guix System, macOS Ventura (13.x)/Sonoma (14.x), NXP LSDK, OpenEmbedded "nodistro", and The Yocto Projects distro "Poky" - Updated Amazon Linux EOL dates and addition of Amazon Linux 2023 - STATUS_NOT_ACTIVE variable added to translation files -- MALW-3280 - Correction to detect com.avast.daemon +- End-of-life dates updated +- Fixing missing or erroneous test number comments +- Wazuh for file integrity and tooling +- Updated parsing output of arch-audit +- Added support for SentinelOne detection +- Replacing deprecated option -i for xargs +- Path detection for PostgreSQL improved --------------------------------------------------------------------------------- From 01d38785285417f751f4abc22f18965c7d529e73 Mon Sep 17 00:00:00 2001 From: Steve Kolenich Date: Thu, 7 Dec 2023 10:36:43 -0500 Subject: [PATCH 136/282] Added Alpine Linux EOL dates --- db/software-eol.db | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/db/software-eol.db b/db/software-eol.db index 880b3279..e113bf53 100644 --- a/db/software-eol.db +++ b/db/software-eol.db @@ -16,6 +16,10 @@ # # Alpine - https://alpinelinux.org/releases/ # +os:Alpine 3.19:2025-11-01:1761955200 +os:Alpine 3.18:2025-05-09:1746748800 +os:Alpine 3.17:2024-11-22:1732233600 +os:Alpine 3.16:2024-05-23:1716422400 os:Alpine 3.15:2023-11-01:1698793200 os:Alpine 3.14:2023-05-01:1682899200 os:Alpine 3.13:2022-11-01:1667275200 From 90ece5444507578dceb25ff34236bea259134a62 Mon Sep 17 00:00:00 2001 From: Hugo Rodrigues Date: Wed, 13 Dec 2023 12:40:05 +0000 Subject: [PATCH 137/282] Fixed Alpine Linux installed package detection --- include/functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/functions b/include/functions index 9c52044b..71a938c4 100644 --- a/include/functions +++ b/include/functions 
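Review bot: The four new Alpine records end without the trailing `:` that closes the fourth field in the other sections (compare the Debian and Ubuntu records in patch 124), matching the existing Alpine lines rather than the file's four-field layout. If the reader splits on `:` and only inspects the fourth field this is harmless; if it expects the terminating separator, the whole Alpine section is parsed differently from the rest, which is worth checking before more records are added in this shape.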
@@ -2099,7 +2099,7 @@ output=$(${XBPSBINARY} ${package} 2> /dev/null | ${GREPBINARY} "^ii") exit_code=$? elif [ -n "${APKBINARY}" ]; then - output=$(${APKBINARY} search ${package} 2> /dev/null | ${GREPBINARY} ${package}) + output=$(${APKBINARY} list --installed ${package} 2> /dev/null | ${GREPBINARY} ${package}) exit_code=$? else if [ "${package}" != "__dummy__" ]; then From d73378077796b899d7788c43ecfc706735edda09 Mon Sep 17 00:00:00 2001 From: Simon Taylor Date: Thu, 14 Dec 2023 16:09:03 +0200 Subject: [PATCH 138/282] Add files via upload --- software-eol.db | 276 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 276 insertions(+) create mode 100644 software-eol.db diff --git a/software-eol.db b/software-eol.db new file mode 100644 index 00000000..41a5af1b --- /dev/null +++ b/software-eol.db 
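Review bot: `${package}` is expanded unquoted twice on the new line, as the `apk list` argument and as the grep pattern, and the grep is an unanchored regular expression rather than a literal match, so a name containing `.` or `+` matches more than intended. Quoting and a fixed-string match keep the intent: `output=$(${APKBINARY} list --installed "${package}" 2> /dev/null | ${GREPBINARY} -F -- "${package}")`. Where `package` originates is outside the hunk, so I cannot tell whether it is ever caller-controlled; the `--installed` switch itself is the right fix for the previous `search` call, which also listed uninstalled packages.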
@@ -0,0 +1,276 @@ +# +# End-of-life for operating systems and software +# +# This file has 4 fields: +# 1) category +# 2) name +# 3) date (human-readable) or empty +# 4) converted date (seconds since epoch) or -1 +# +# Date can be converted on Linux using: date "+%s" --date=2020-01-01 +# Seconds since epoch can be verified using: date -d @1467324000 +'%Y-%m-%d' +# +# Notes: +# For rolling releases or releases that do not (currently have an EOL date, leave field three empty and set field four to -1. +# Full string for CentOS can be something like 'CentOS Linux 8 (Core)'. As this does not correctly match, shorter string is used for matching. +# +# AIX - https://www.ibm.com/support/pages/aix-support-lifecycle-information +# +os:AIX 7300-02:2026-11-30:1796032800: +os:AIX 7300-01:2025-12-31:1767175200: +os:AIX 7300-00:2024-12-31:1735639200: +os:AIX 7200-05::-1: +os:AIX 7200-04:2022-11-30:1669802400: +os:AIX 7200-03:2021-09-30:1632996000: +os:AIX 7200-02:2020-10-31:1604138400: +os:AIX 7200-01:2019-11-30:1575108000: +os:AIX 7200-00:2018-12-30:1546164000: +os:AIX 7100:2023-04-30:1682848800: +os:AIX 6:2017-04-30:1493546400: +os:AIX 5:2012-04-30:1335780000: +os:AIX 4:2003-12-31:1072864800: +os:AIX 3:1997-12-31:883562400: +# +# Alpine - https://alpinelinux.org/releases/ +# +os:Alpine 3.15:2023-11-01:1698793200 +os:Alpine 3.14:2023-05-01:1682899200 +os:Alpine 3.13:2022-11-01:1667275200 +os:Alpine 3.12:2022-05-01:1651377600 +os:Alpine 3.11:2021-11-01:1635739200 +os:Alpine 3.10:2021-05-01:1619841600 +os:Alpine 3.9:2020-11-01:1604203200 +os:Alpine 3.8:2020-05-01:1588305600 +# +# Amazon Linux +# +# Note: shortest entry is listed at end due to regular expression matching being used +os:Amazon Linux 2:2023-06-26:1687730400: +os:Amazon Linux:2020-06-30:1593468000: +# +# Arch Linux +# +os:Arch Linux::-1: +# +# CentOS +# +os:CentOS release 5:2017-03-31:1490911200: +os:CentOS release 6:2020-11-30:1606690800: +os:CentOS Linux 7:2024-06-30:1719698400: +os:CentOS Linux 
8:2029-05-31:1874872800: +# +# Debian - https://wiki.debian.org/DebianReleases#Production_Releases +# +os:Debian 5.0:2012-02-06:1328482800: +os:Debian 6.0:2016-02-29:1456700400: +os:Debian 7:2018-05-31:1527717600: +os:Debian 8:2020-06-30:1593468000: +os:Debian 9:2022-01-01:1640991600: +os:Debian 10:2022-01-01:1640991600: +# +# Fedora - https://fedoraproject.org/wiki/End_of_life +# +os:Fedora release 25:2017-12-12:1513033200: +os:Fedora release 26:2018-05-29:1527544800: +os:Fedora release 27:2018-11-30:1543532400: +os:Fedora release 28:2019-05-28:1558994400: +os:Fedora release 29:2019-11-26:1574722800: +os:Fedora release 30:2020-05-26:1590444000: +# +# FreeBSD - https://www.freebsd.org/security/unsupported.html +# +os:FreeBSD 9.3:2014-12-31:1419980400: +os:FreeBSD 10.0:2015-02-28:1425078000: +os:FreeBSD 10.1:2016-12-31:1483138800: +os:FreeBSD 10.2:2016-12-31:1483138800: +os:FreeBSD 10.3:2018-04-30:1525039200: +os:FreeBSD 10.4:2018-10-31:1540940400: +os:FreeBSD 11.0:2017-11-30:1511996400: +os:FreeBSD 11.1:2018-09-30:1538258400: +os:FreeBSD 11.2:2019-10-31:1572476400: +os:FreeBSD 12.0:2020-02-29:1582930800: +# +# Linux Mint +# +os:Linux Mint 18:2021-04-01:1617228000: +os:Linux Mint 19:2023-04-01:1680300000: +os:Linux Mint 20:2025-04-01:1743458400: +# +# macOS - https://support.apple.com/en_US/downloads/macos and +# https://apple.stackexchange.com/a/282788 and +# https://en.wikipedia.org/wiki/Category:MacOS_versions +# +os:Mac OS X 10.0 \(Cheetah\):2002-09-18:1032300000: +os:Mac OS X 10.1 \(Puma\):2003-11-10:1068418800: +os:Mac OS X 10.2 \(Jaguar\):2005-05-16:1116194400: +os:Mac OS X 10.3 \(Panther\):2007-11-15:1195081200: +os:Mac OS X 10.4 \(Tiger\):2009-09-10:1252533600: +os:Mac OS X 10.5 \(Leopard\):2011-06-23:1308780000: +os:Mac OS X 10.6 \(Snow Leopard\):2013-12-16:1387148400: +os:Mac OS X 10.7 \(Lion\):2014-11-17:1416178800: +os:Mac OS X 10.8 \(Mountain Lion\):2015-10-21:1445378400: +os:Mac OS X 10.9 \(Mavericks\):2016-10-24:1477260000: +os:Mac OS X 10.10 
\(Yosemite\):2017-10-31:1509404400: +os:Mac OS X 10.11 \(El Capitan\):2018-10-30:1540854000: +os:macOS Sierra \(10.12\):2016-10-24:1477260000: +os:macOS Sierra \(10.12.1\):2016-12-13:1481583600: +os:macOS Sierra \(10.12.2\):2017-01-23:1485126000: +os:macOS Sierra \(10.12.3\):2017-03-27:1490565600: +os:macOS Sierra \(10.12.4\):2017-05-15:1494799200: +os:macOS Sierra \(10.12.5\):2017-07-19:1500415200: +os:macOS Sierra \(10.12.6\):2019-10-29:1572303600: +os:macOS High Sierra \(10.13\):2017-10-31:1509404400: +os:macOS High Sierra \(10.13.1\):2017-12-06:1512514800: +os:macOS High Sierra \(10.13.2\):2018-01-23:1516662000: +os:macOS High Sierra \(10.13.3\):2018-03-29:1522274400: +os:macOS High Sierra \(10.13.4\):2018-06-01:1527804000: +os:macOS High Sierra \(10.13.5\):2018-07-09:1531087200: +os:macOS High Sierra \(10.13.6\)::-1: +os:macOS Mojave \(10.14\):2018-10-30:1540854000: +os:macOS Mojave \(10.14.1\):2018-12-05:1543964400: +os:macOS Mojave \(10.14.2\):2019-01-22:1548111600: +os:macOS Mojave \(10.14.3\):2019-03-25:1553468400: +os:macOS Mojave \(10.14.4\):2019-05-13:1557698400: +os:macOS Mojave \(10.14.5\):2019-07-22:1563746400: +os:macOS Mojave \(10.14.6\)::-1: +os:macOS Catalina \(10.15\):2019-10-29:1572303600: +os:macOS Catalina \(10.15.1\):2019-12-10:1575932400: +os:macOS Catalina \(10.15.2\):2020-01-28:1580166000: +os:macOS Catalina \(10.15.3\):2020-03-24:1585004400: +os:macOS Catalina \(10.15.4\):2020-05-26:1590444000: +os:macOS Catalina \(10.15.5\):2020-07-15:1594764000: +os:macOS Catalina \(10.15.6\):2020-09-24:1600898400: +os:macOS Catalina \(10.15.7\)::-1: +# +# Mageia - https://www.mageia.org/en/support/ +# +os:Mageia 1:2012-12-01:1354316400 +os:Mageia 2:2013-11-22:1385074800 +os:Mageia 3:2014-11-26:1416956400 +os:Mageia 4:2015-09-19:1442613600 +os:Mageia 5:2017-12-31:1514674800 +os:Mageia 6:2019-09-30:1569794400 +os:Mageia 7:2020-12-30:1609282800 +# +# NetBSD - https://www.netbsd.org/support/security/release.html and +# 
https://www.netbsd.org/releases/formal.html +# +os:NetBSD 2.0:2008-01-19:1200697200: +os:NetBSD 2.0.1:2008-01-19:1200697200: +os:NetBSD 2.0.2:2008-01-19:1200697200: +os:NetBSD 2.0.3:2008-01-19:1200697200: +os:NetBSD 2.1:2008-01-19:1200697200: +os:NetBSD 3.0:2009-09-29:1254175200: +os:NetBSD 3.0.1:2009-09-29:1254175200: +os:NetBSD 3.0.2:2009-09-29:1254175200: +os:NetBSD 3.1:2009-09-29:1254175200: +os:NetBSD 4.0:2012-11-17:1353106800: +os:NetBSD 4.0.1:2012-11-17:1353106800: +os:NetBSD 5.0:2015-11-17:1447714800: +os:NetBSD 5.0.1:2015-10-17:1445032800: +os:NetBSD 5.0.2:2015-10-17:1445032800: +os:NetBSD 5.1:2015-10-17:1445032800: +os:NetBSD 5.1.1:2015-10-17:1445032800: +os:NetBSD 5.1.2:2015-10-17:1445032800: +os:NetBSD 5.1.3:2015-10-17:1445032800: +os:NetBSD 5.1.4:2015-10-17:1445032800: +os:NetBSD 5.1.5:2015-10-17:1445032800: +os:NetBSD 5.2.1:2015-10-17:1445032800: +os:NetBSD 5.2.2:2015-10-17:1445032800: +os:NetBSD 5.2.3:2015-10-17:1445032800: +os:NetBSD 6.0:2017-09-17:1505599200: +os:NetBSD 6.0.1:2017-09-17:1505599200: +os:NetBSD 6.0.2:2017-09-17:1505599200: +os:NetBSD 6.0.3:2017-09-17:1505599200: +os:NetBSD 6.0.4:2017-09-17:1505599200: +os:NetBSD 6.0.5:2017-09-17:1505599200: +os:NetBSD 6.1:2017-09-17:1505599200: +os:NetBSD 6.1.1:2017-09-17:1505599200: +os:NetBSD 6.1.2:2017-09-17:1505599200: +os:NetBSD 6.1.3:2017-09-17:1505599200: +os:NetBSD 6.1.4:2017-09-17:1505599200: +os:NetBSD 6.1.5:2017-09-17:1505599200: +os:NetBSD 7.0:2020-03-14:1584162000: +os:NetBSD 7.0.1:2020-03-14:1584162000: +os:NetBSD 7.0.2:2020-03-14:1584162000: +os:NetBSD 7.1:2020-03-14:1584162000: +os:NetBSD 7.1.1:2020-03-14:1584162000: +os:NetBSD 7.1.1:2020-03-14:1584162000: +os:NetBSD 7.2:2020-03-14:1584162000: +os:NetBSD 8.0::-1: +os:NetBSD 8.1::-1: +os:NetBSD 9.0::-1: +# +# OpenBSD - https://en.wikipedia.org/wiki/OpenBSD_version_history +# +os:OpenBSD 5.8:2016-09-01:1472680800: +os:OpenBSD 5.9:2017-04-11:1491861600: +os:OpenBSD 6.0:2017-09-10:1505001600: +os:OpenBSD 6.1:2018-04-15:1523750400: 
+os:OpenBSD 6.2:2018-10-18:1539820800: +os:OpenBSD 6.3:2019-05-03:1556841600: +os:OpenBSD 6.4:2019-10-17:1571270400: +os:OpenBSD 6.5:2020-05-19:1589846400: +os:OpenBSD 6.6:2020-10-01:1601510400: +os:OpenBSD 6.7:2021-05-01:1619827200: +# +# Red Hat Enterprise Linux - https://access.redhat.com/labs/plcc/ +# +os:Red Hat Enterprise Linux Server release 6:2020-11-30:1606690800: +os:Red Hat Enterprise Linux 7:2024-06-30:1719698400: +os:Red Hat Enterprise Linux 8:2029-05-07:1872799200: +# +# Slackware - https://en.wikipedia.org/wiki/Slackware#Releases +# +os:Slackware Linux 8.1:2012-08-01:1343768400: +os:Slackware Linux 9.0:2012-08-01:1343768400: +os:Slackware Linux 9.1:2012-08-01:1343768400: +os:Slackware Linux 10.0:2012-08-01:1343768400: +os:Slackware Linux 10.1:2012-08-01:1343768400: +os:Slackware Linux 10.2:2012-08-01:1343768400: +os:Slackware Linux 11.0:2012-08-01:1343768400: +os:Slackware Linux 12.0:2012-08-01:1343768400: +os:Slackware Linux 12.1:2013-12-09:1386540000: +os:Slackware Linux 12.2:2013-12-09:1386540000: +os:Slackware Linux 13.0:2018-07-05:1530738000: +os:Slackware Linux 13.1:2018-07-05:1530738000: +os:Slackware Linux 13.37:2018-07-05:1530738000: +# +# SuSE - https://www.suse.com/lifecycle/ +# +os:SUSE Linux Enterprise Server 12:2024-10-31:1730329200: +os:SUSE Linux Enterprise Server 15:2028-07-31:1848607200: +# +# Ubuntu - https://wiki.ubuntu.com/Kernel/LTSEnablementStack and +# https://wiki.ubuntu.com/Releases +# +os:Ubuntu 14.04:2019-05-01:1556661600: +os:Ubuntu 14.10:2015-07-01:1435701600: +os:Ubuntu 15.04:2016-01-01:1451602800: +os:Ubuntu 15.10:2016-07-01:1467324000: +os:Ubuntu 16.04:2021-05-01:1619820000: +os:Ubuntu 16.10:2017-07-01:1498860000: +os:Ubuntu 17.04:2018-01-01:1514761200: +os:Ubuntu 17.10:2018-07-01:1530396000: +os:Ubuntu 18.04:2023-05-01:1682892000: +os:Ubuntu 18.10:2019-07-18:1563400800: +os:Ubuntu 19.04:2020-01-01:1577833200: +os:Ubuntu 20.04:2025-04-01:1743458400: +# +# OmniosCE - https://omniosce.org/releasenotes.html +# +os:OmniOS 
Community Edition v11 r151022:2020-05-11:1589148000: +os:OmniOS Community Edition v11 r151024:2018-11-04:1541286000: +os:OmniOS Community Edition v11 r151026:2019-05-05:1557007200: +os:OmniOS Community Edition v11 r151028:2019-11-04:1572822000: +os:OmniOS Community Edition v11 r151030::-1: +os:OmniOS Community Edition v11 r151032:2020-11-03:1604358000: +os:OmniOS Community Edition v11 r151034::-1: +# +## Oracle Solaris - https://www.oracle.com/us/support/library/lifetime-support-hardware-301321.pdf (p. 34) +# The list below contains Premier Support End only +# +os:Oracle Solaris 11.3:2021-01-01:1609455600: +os:Oracle Solaris 11.4:2031-11-01:1951254000: +# +# EOF From beb64d0c6710f0a2eff6bb4ad60f017476f9475c Mon Sep 17 00:00:00 2001 From: Decrypt Date: Thu, 29 Feb 2024 10:40:46 +0100 Subject: [PATCH 139/282] Update .gitignore --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index e53091c1..a9cbffac 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,4 @@ .bzrignore custom.prf *.swp +.DS_Store From 767b8917ca64f6fead04676f9a9ca80be316dca4 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 6 Mar 2024 11:38:06 +0100 Subject: [PATCH 140/282] Update .gitignore --- .gitignore | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index a9cbffac..ef5bbe6b 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,5 @@ .bzr .bzrignore +.DS_Store custom.prf *.swp -.DS_Store From 9ee5b7142b29c2404a6b5ecb5b86606510f52de0 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 6 Mar 2024 14:32:57 +0000 Subject: [PATCH 141/282] Update changelog --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 807bbc51..f1da1f2c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
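Review bot: This adds a second `software-eol.db` at the repository root instead of updating `db/software-eol.db`, and its contents are older than the canonical file: Debian 9/10 still carry the 2022-01-01 dates that patch 124 replaced, and the Alpine section stops at 3.15 while patch 136 added 3.16–3.19. As far as this series shows, the program's database lives under `db/` (patches 124 and 136 edit it there), so the copy would never be read and will only drift further; it should be dropped or folded into `db/software-eol.db`. The file also repeats the `os:NetBSD 7.1.1` record and, like the original, leaves the Alpine and Mageia records without the trailing field separator used elsewhere.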
@@ -2,6 +2,9 @@ ## Lynis 3.1.0 (not released yet) +### Added +- Translation: Indonesian + ### Changed - MALW-3280 - Correction to detect com.avast.daemon - OS detection added for Guix System, macOS Ventura (13.x)/Sonoma (14.x), NXP LSDK, OpenEmbedded "nodistro", and The Yocto Projects distro "Poky" From e2e0998e9ebfa94e6f4bf4cfa503811967e959c7 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 11 Mar 2024 09:49:33 +0000 Subject: [PATCH 142/282] Release 3.1.0 --- CHANGELOG.md | 3 ++- lynis | 6 +++--- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f1da1f2c..369cb8a7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,6 @@ # Lynis Changelog -## Lynis 3.1.0 (not released yet) +## Lynis 3.1.0 (2024-03-11) ### Added - Translation: Indonesian @@ -12,6 +12,7 @@ - STATUS_NOT_ACTIVE variable added to translation files - End-of-life dates updated - Fixing missing or erroneous test number comments +- Detection of SentinelOne corrected - Wazuh for file integrity and tooling - Updated parsing output of arch-audit - Added support for SentinelOne detection diff --git a/lynis b/lynis index ab769b24..fd4dea60 100755 --- a/lynis +++ b/lynis @@ -43,10 +43,10 @@ PROGRAM_WEBSITE="https://cisofy.com/lynis/" # Version details - PROGRAM_RELEASE_DATE="2023-08-03" - PROGRAM_RELEASE_TIMESTAMP=1691062820 + PROGRAM_RELEASE_DATE="2024-03-11" + PROGRAM_RELEASE_TIMESTAMP=1710148530 PROGRAM_RELEASE_TYPE="release" # pre-release or release - PROGRAM_VERSION="3.0.9" + PROGRAM_VERSION="3.1.0" # Source, documentation and license PROGRAM_SOURCE="https://github.com/CISOfy/lynis" From 126b8053aa08b739f5d41a0ace498fd82e7e79b1 Mon Sep 17 00:00:00 2001 
From: Florian Sonnenschein Date: Mon, 11 Mar 2024 12:14:31 +0100 Subject: [PATCH 143/282] PKGS-7303: Added version numbers to brew packages. This allows lynis enterprise to render the software packages in the webinterface. --- include/tests_ports_packages | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/include/tests_ports_packages b/include/tests_ports_packages index 81babdc3..5fded96e 100644 --- a/include/tests_ports_packages +++ b/include/tests_ports_packages @@ -127,11 +127,15 @@ LogText "Test: Querying brew to get package list" Display --indent 4 --text "- Querying brew for installed packages" LogText "Output:"; LogText "-----" - GPACKAGES=$(brew list) - for J in ${GPACKAGES}; do - LogText "Found package ${J}" - INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J}" - done + GPACKAGES=$(brew list --versions) + while IFS= read -r PKG; do + PACKAGE_NAME=$(echo ${PKG} | ${CUTBINARY} -d ' ' -f1) + PACKAGE_VERSION=$(echo ${PKG} | ${CUTBINARY} -d ' ' -f2) + LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})" + INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}" + done << EOF +$GPACKAGES +EOF else LogText "Result: brew can NOT be found on this system" fi From 0b7e8c3bfe82ae650c0b625f32ae42e592b6e7cd Mon Sep 17 00:00:00 2001 From: Florian Sonnenschein Date: Mon, 11 Mar 2024 10:25:46 +0100 Subject: [PATCH 144/282] Added CRYP-7932 to determine if the system has enabled macOS FileVault. --- include/tests_crypto | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/include/tests_crypto b/include/tests_crypto index a643b6c0..b7279163 100644 --- a/include/tests_crypto +++ b/include/tests_crypto 
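Review bot: `echo ${PKG} | cut -f2` keeps only the first version and spawns two processes per package, and because the here-document always contains at least one line, an empty `brew list --versions` result appends a bare `|,` entry to INSTALLED_PACKAGES. Letting `read -r` split the record directly removes the per-package pipelines and makes the blank-line skip explicit; brew can print more than one installed version of a formula on one line, so the remaining fields need somewhere to go (the `_` field below). `brew` is still invoked by bare name rather than through a `${…BINARY}` variable, as in the code this replaces. The surrounding if/else is outside the hunk.
```shell
GPACKAGES=$(brew list --versions)
# One "name version [version ...]" record per line; extra versions are discarded via "_".
while read -r PACKAGE_NAME PACKAGE_VERSION _; do
    [ -n "${PACKAGE_NAME}" ] || continue   # empty brew output still yields one blank record
    LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
    INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
done << EOF
$GPACKAGES
EOF
```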
@@ -217,6 +217,27 @@
 fi
 #
 #################################################################################
+#
+ # Test : CRYP-7932
+ # Description : Determine if system has enabled macOS FileVault encryption
+ Register --test-no CRYP-7932 --os macOS --weight L --network NO --category crypto --description "Determine if system has enabled macOS FileVault encryption"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ filevault_status=$(fdesetup status)
+
+ case "$filevault_status" in
+ *"FileVault is On."*)
+ LogText "Result: FileVault is enabled."
+ Display --indent 2 --text "- FileVault is enabled." --result "${STATUS_OK}" --color GREEN
+ Report "encryption[]=filevault"
+ ;;
+ *)
+ LogText "Result: FileVault is not enabled."
+ Display --indent 2 --text "- FileVault is not enabled." --result "${STATUS_WARNING}" --color RED
+ ;;
+ esac
+ fi
+#
+#################################################################################
 #
 # Test : CRYP-8002
 # Description : Gather available kernel entropy
From e23898b52bafd1b772ba93e69f2e8637d7266520 Mon Sep 17 00:00:00 2001
From: Florian Sonnenschein
Date: Mon, 11 Mar 2024 12:21:51 +0100
Subject: [PATCH 145/282] Added PKGS-7305 Query macOS Apps in /Applications and Apple CoreServices and add them to the Report
---
 include/tests_ports_packages | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
diff --git a/include/tests_ports_packages b/include/tests_ports_packages
index 81babdc3..d5625446 100644
--- a/include/tests_ports_packages
+++ b/include/tests_ports_packages
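Review bot: A failing `fdesetup status` (binary missing, non-zero exit, output only on stderr) leaves `filevault_status` empty and falls into the `*)` arm, so a tool error is reported as "FileVault is not enabled" with `STATUS_WARNING` in red; the exit status should be checked and the unknown state logged separately. The not-enabled branch also records nothing with `Report` or `ReportSuggestion`, so the only security-relevant outcome of the test never reaches the report, and the lowercase `filevault_status` departs from the uppercase variable naming used around it (`SKIPTEST`, `STATUS_OK`). The rewrite below keeps the enabled branch as is and adds both the error path and the suggestion.
```shell
        if FILEVAULT_STATUS=$(fdesetup status 2>/dev/null); then
            case "${FILEVAULT_STATUS}" in
                *"FileVault is On."*)
                    # … unchanged: enabled branch (LogText, Display, Report) …
                    ;;
                *)
                    LogText "Result: FileVault is not enabled."
                    Display --indent 2 --text "- FileVault is not enabled." --result "${STATUS_WARNING}" --color RED
                    ReportSuggestion "${TEST_NO}" "Enable FileVault full-disk encryption"
                    ;;
            esac
        else
            # fdesetup absent or failed: report unknown rather than a false "not enabled"
            LogText "Result: fdesetup status failed, FileVault state unknown"
            Display --indent 2 --text "- FileVault status" --result "${STATUS_UNKNOWN}" --color YELLOW
        fi
```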
@@ -158,6 +158,29 @@
 LogText "Result: emerge can NOT be found on this system"
 fi
 #
+#################################################################################
+#
+ # Test : PKGS-7305
+ # Description : Query macOS Apps in /Applications and CoreServices
+ Register --test-no PKGS-7305 --os macOS --weight L --network NO --category security --description "Query macOS Apps in /Applications and CoreServices"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ LogText "Test: Querying Apps in /Applications"
+ Display --indent 4 --text "- Querying macOS Apps in /Applications"
+ LogText "Output:"; LogText "-----"
+ for APP in /Applications/*.app; do
+ PACKAGE_NAME=$(basename "$APP" .app)
+ PACKAGE_VERSION=$(defaults read "$APP/Contents/Info" CFBundleShortVersionString 2>/dev/null || echo "N/A")
+ LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
+ INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
+ done
+ Display --indent 4 --text "- Querying Apple CoreServices"
+ for CS in /Library/Apple/System/Library/CoreServices/*.app; do
+ PACKAGE_NAME=$(basename "$CS" .app)
+ PACKAGE_VERSION=$(defaults read "$CS/Contents/Info" CFBundleShortVersionString 2>/dev/null || echo "N/A")
+ LogText "Found CoreServices: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
+ INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
+ done
+ fi
 #
 #################################################################################
 #
From 998007c9713482ef698f137b4700a4dfbc6e4f8a Mon Sep 17 00:00:00 2001
From: Michael Boelen
Date: Tue, 12 Mar 2024 08:39:59 +0100
Subject: [PATCH 146/282] Update CHANGELOG.md
---
 CHANGELOG.md | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 369cb8a7..72c6598b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
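Review bot: When no `.app` bundle matches, `for APP in /Applications/*.app` iterates over the literal pattern (POSIX sh has no `nullglob`), so a package named `*` with version `N/A` is appended to `INSTALLED_PACKAGES`; add `[ -d "${APP}" ] || continue` as the first statement of the loop, and the same guard with `${CS}` in the CoreServices loop. The two loop bodies differ only in the directory and the log prefix, which makes them a candidate for one helper taking those two arguments. `basename` and `defaults` are invoked by bare name while the brew block in the same file goes through `${CUTBINARY}`, and a version string containing `|` or `,` would corrupt the delimiters of `INSTALLED_PACKAGES` — presumably not an issue for Apple version strings, but worth a comment.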
@@ -1,5 +1,12 @@ # Lynis Changelog +## Lynis 3.1.1 (not released yet) + +### Changed +- DBS-1882 - Redis configuration file path added for FreeBSD (/usr/local/etc/redis.conf) + +--------------------------------------------------------------------------------- + ## Lynis 3.1.0 (2024-03-11) ### Added From 6aa69919bedd3dbedf43deb8c103023078c3c45d Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 12 Mar 2024 08:40:32 +0100 Subject: [PATCH 147/282] Switch to pre-release --- lynis | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lynis b/lynis index fd4dea60..5446bcb6 100755 --- a/lynis +++ b/lynis @@ -43,10 +43,10 @@ PROGRAM_WEBSITE="https://cisofy.com/lynis/" # Version details - PROGRAM_RELEASE_DATE="2024-03-11" + PROGRAM_RELEASE_DATE="2024-03-12" PROGRAM_RELEASE_TIMESTAMP=1710148530 - PROGRAM_RELEASE_TYPE="release" # pre-release or release - PROGRAM_VERSION="3.1.0" + PROGRAM_RELEASE_TYPE="pre-release" # pre-release or release + PROGRAM_VERSION="3.1.1" # Source, documentation and license PROGRAM_SOURCE="https://github.com/CISOfy/lynis" From 1d3de505798c2a0fc150d9488eefe5f3ce386deb Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 12 Mar 2024 13:38:04 +0100 Subject: [PATCH 148/282] Update tests_databases --- include/tests_databases | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/tests_databases b/include/tests_databases index 34bace85..bcf0a3a6 100644 --- a/include/tests_databases +++ b/include/tests_databases @@ -302,8 +302,8 @@ if [ ${QNAP_DEVICE} -eq 1 ]; then PATHS="${PATHS} ${ROOTDIR}share/CACHEDEV1_DATA/.qpkg/QKVM/usr/etc/redis.conf" fi - if [ -d "/snap" ]; then - for SNAP_PATH in $(${FINDBINARY} /snap -name 'redis.conf' -type f | ${SEDBINARY} 's/redis.conf$//g'); do + if [ -d "${ROOTDIR}snap" ]; then + for SNAP_PATH in $(${FINDBINARY} ${ROOTDIR}snap -name 'redis.conf' -type f | ${SEDBINARY} 's/redis.conf$//g'); do PATHS="${PATHS} ${SNAP_PATH}" done fi 
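Review bot: The rewritten `find` call in the `@@ -302` hunk of tests_databases leaves `${ROOTDIR}snap` and the `$(...)` result unquoted, so a root directory or snap path containing whitespace is split into several `SNAP_PATH` entries; quote the argument as `"${ROOTDIR}snap"` and, if the loop is touched again, read the paths one per line with `while IFS= read -r SNAP_PATH`. `find` over the snap tree may also print permission errors to stderr when Lynis runs unprivileged, so `2>/dev/null` on the `${FINDBINARY}` invocation keeps the screen output clean. The enclosing block starts before the hunk.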
From 990a590f3c6120f639b696a40add5cb4a8037cb8 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 12 Mar 2024 13:41:07 +0100 Subject: [PATCH 149/282] Update CHANGELOG.md --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 72c6598b..e7370a26 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,7 @@ ### Changed - DBS-1882 - Redis configuration file path added for FreeBSD (/usr/local/etc/redis.conf) +- DBS-1882 - Check /snap directory location for Redis configuration file --------------------------------------------------------------------------------- From a2649bd5001a4f714b2e4e3a70f06f86d0b2befd Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sun, 17 Mar 2024 10:28:13 +0000 Subject: [PATCH 150/282] Added ArcoLinux --- include/osdetection | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/include/osdetection b/include/osdetection index b09bd2f0..61f290d7 100644 --- a/include/osdetection +++ b/include/osdetection @@ -176,6 +176,11 @@ OS_FULLNAME="Arch Linux 32" OS_VERSION="Rolling release" ;; + "arcolinux") + LINUX_VERSION="ArcoLinux" + OS_FULLNAME="ArcoLinux" + OS_VERSION="Rolling release" + ;; "artix") LINUX_VERSION="Artix Linux" OS_FULLNAME="Artix Linux" From 60afce6d8110ee9e88ac9e9d0e0346b1cf222b5e Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sun, 17 Mar 2024 10:29:40 +0000 Subject: [PATCH 151/282] Release 3.1.1 --- CHANGELOG.md | 5 ++++- lynis | 6 +++--- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e7370a26..1f3028dd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,9 @@ # Lynis Changelog -## Lynis 3.1.1 (not released yet) +## Lynis 3.1.1 (2024-03-17) + +### Added +- Detection of ArcoLinux ### Changed - DBS-1882 - Redis configuration file path added for FreeBSD (/usr/local/etc/redis.conf) diff --git a/lynis b/lynis index 5446bcb6..055939bc 100755 --- a/lynis +++ b/lynis 
@@ -43,9 +43,9 @@ PROGRAM_WEBSITE="https://cisofy.com/lynis/" # Version details - PROGRAM_RELEASE_DATE="2024-03-12" - PROGRAM_RELEASE_TIMESTAMP=1710148530 - PROGRAM_RELEASE_TYPE="pre-release" # pre-release or release + PROGRAM_RELEASE_DATE="2024-03-17" + PROGRAM_RELEASE_TIMESTAMP=1710671337 + PROGRAM_RELEASE_TYPE="release" # pre-release or release PROGRAM_VERSION="3.1.1" # Source, documentation and license From 9b40ce578119b552eb972af75d5efaeac7e36ba9 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 18 Mar 2024 09:27:09 +0000 Subject: [PATCH 152/282] Merged files and moved AIX changes to the right file --- db/software-eol.db | 17 +++ software-eol.db | 276 --------------------------------------------- 2 files changed, 17 insertions(+), 276 deletions(-) delete mode 100644 software-eol.db diff --git a/db/software-eol.db b/db/software-eol.db index e113bf53..342db780 100644 --- a/db/software-eol.db +++ b/db/software-eol.db @@ -14,6 +14,23 @@ # For rolling releases or releases that do not (currently have an EOL date, leave field three empty and set field four to -1. # Full string for CentOS can be something like 'CentOS Linux 8 (Core)'. As this does not correctly match, shorter string is used for matching. # +# AIX - https://www.ibm.com/support/pages/aix-support-lifecycle-information +# +os:AIX 7300-02:2026-11-30:1796032800: +os:AIX 7300-01:2025-12-31:1767175200: +os:AIX 7300-00:2024-12-31:1735639200: +os:AIX 7200-05::-1: +os:AIX 7200-04:2022-11-30:1669802400: +os:AIX 7200-03:2021-09-30:1632996000: +os:AIX 7200-02:2020-10-31:1604138400: +os:AIX 7200-01:2019-11-30:1575108000: +os:AIX 7200-00:2018-12-30:1546164000: +os:AIX 7100:2023-04-30:1682848800: +os:AIX 6:2017-04-30:1493546400: +os:AIX 5:2012-04-30:1335780000: +os:AIX 4:2003-12-31:1072864800: +os:AIX 3:1997-12-31:883562400: +# # Alpine - https://alpinelinux.org/releases/ # os:Alpine 3.19:2025-11-01:1761955200 diff --git a/software-eol.db b/software-eol.db deleted file mode 100644 index 41a5af1b..00000000 
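Review bot: The new AIX rows in db/software-eol.db carry a trailing `:` (`os:AIX 7300-02:2026-11-30:1796032800:`), giving five fields, while the Alpine rows in the same hunk's trailing context (`os:Alpine 3.19:2025-11-01:1761955200`) have the four fields the header comment describes; whichever form the parser expects, the file should use one of them consistently. `os:AIX 7200-05::-1:` records no end-of-life date although both the older 7200-04 and the newer 7300-00 have one, which is worth confirming against the IBM lifecycle page linked in the comment above it.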
--- a/software-eol.db +++ /dev/null 
@@ -1,276 +0,0 @@ -# -# End-of-life for operating systems and software -# -# This file has 4 fields: -# 1) category -# 2) name -# 3) date (human-readable) or empty -# 4) converted date (seconds since epoch) or -1 -# -# Date can be converted on Linux using: date "+%s" --date=2020-01-01 -# Seconds since epoch can be verified using: date -d @1467324000 +'%Y-%m-%d' -# -# Notes: -# For rolling releases or releases that do not (currently have an EOL date, leave field three empty and set field four to -1. -# Full string for CentOS can be something like 'CentOS Linux 8 (Core)'. As this does not correctly match, shorter string is used for matching. -# -# AIX - https://www.ibm.com/support/pages/aix-support-lifecycle-information -# -os:AIX 7300-02:2026-11-30:1796032800: -os:AIX 7300-01:2025-12-31:1767175200: -os:AIX 7300-00:2024-12-31:1735639200: -os:AIX 7200-05::-1: -os:AIX 7200-04:2022-11-30:1669802400: -os:AIX 7200-03:2021-09-30:1632996000: -os:AIX 7200-02:2020-10-31:1604138400: -os:AIX 7200-01:2019-11-30:1575108000: -os:AIX 7200-00:2018-12-30:1546164000: -os:AIX 7100:2023-04-30:1682848800: -os:AIX 6:2017-04-30:1493546400: -os:AIX 5:2012-04-30:1335780000: -os:AIX 4:2003-12-31:1072864800: -os:AIX 3:1997-12-31:883562400: -# -# Alpine - https://alpinelinux.org/releases/ -# -os:Alpine 3.15:2023-11-01:1698793200 -os:Alpine 3.14:2023-05-01:1682899200 -os:Alpine 3.13:2022-11-01:1667275200 -os:Alpine 3.12:2022-05-01:1651377600 -os:Alpine 3.11:2021-11-01:1635739200 -os:Alpine 3.10:2021-05-01:1619841600 -os:Alpine 3.9:2020-11-01:1604203200 -os:Alpine 3.8:2020-05-01:1588305600 -# -# Amazon Linux -# -# Note: shortest entry is listed at end due to regular expression matching being used -os:Amazon Linux 2:2023-06-26:1687730400: -os:Amazon Linux:2020-06-30:1593468000: -# -# Arch Linux -# -os:Arch Linux::-1: -# -# CentOS -# -os:CentOS release 5:2017-03-31:1490911200: -os:CentOS release 6:2020-11-30:1606690800: -os:CentOS Linux 7:2024-06-30:1719698400: -os:CentOS Linux 
8:2029-05-31:1874872800: -# -# Debian - https://wiki.debian.org/DebianReleases#Production_Releases -# -os:Debian 5.0:2012-02-06:1328482800: -os:Debian 6.0:2016-02-29:1456700400: -os:Debian 7:2018-05-31:1527717600: -os:Debian 8:2020-06-30:1593468000: -os:Debian 9:2022-01-01:1640991600: -os:Debian 10:2022-01-01:1640991600: -# -# Fedora - https://fedoraproject.org/wiki/End_of_life -# -os:Fedora release 25:2017-12-12:1513033200: -os:Fedora release 26:2018-05-29:1527544800: -os:Fedora release 27:2018-11-30:1543532400: -os:Fedora release 28:2019-05-28:1558994400: -os:Fedora release 29:2019-11-26:1574722800: -os:Fedora release 30:2020-05-26:1590444000: -# -# FreeBSD - https://www.freebsd.org/security/unsupported.html -# -os:FreeBSD 9.3:2014-12-31:1419980400: -os:FreeBSD 10.0:2015-02-28:1425078000: -os:FreeBSD 10.1:2016-12-31:1483138800: -os:FreeBSD 10.2:2016-12-31:1483138800: -os:FreeBSD 10.3:2018-04-30:1525039200: -os:FreeBSD 10.4:2018-10-31:1540940400: -os:FreeBSD 11.0:2017-11-30:1511996400: -os:FreeBSD 11.1:2018-09-30:1538258400: -os:FreeBSD 11.2:2019-10-31:1572476400: -os:FreeBSD 12.0:2020-02-29:1582930800: -# -# Linux Mint -# -os:Linux Mint 18:2021-04-01:1617228000: -os:Linux Mint 19:2023-04-01:1680300000: -os:Linux Mint 20:2025-04-01:1743458400: -# -# macOS - https://support.apple.com/en_US/downloads/macos and -# https://apple.stackexchange.com/a/282788 and -# https://en.wikipedia.org/wiki/Category:MacOS_versions -# -os:Mac OS X 10.0 \(Cheetah\):2002-09-18:1032300000: -os:Mac OS X 10.1 \(Puma\):2003-11-10:1068418800: -os:Mac OS X 10.2 \(Jaguar\):2005-05-16:1116194400: -os:Mac OS X 10.3 \(Panther\):2007-11-15:1195081200: -os:Mac OS X 10.4 \(Tiger\):2009-09-10:1252533600: -os:Mac OS X 10.5 \(Leopard\):2011-06-23:1308780000: -os:Mac OS X 10.6 \(Snow Leopard\):2013-12-16:1387148400: -os:Mac OS X 10.7 \(Lion\):2014-11-17:1416178800: -os:Mac OS X 10.8 \(Mountain Lion\):2015-10-21:1445378400: -os:Mac OS X 10.9 \(Mavericks\):2016-10-24:1477260000: -os:Mac OS X 10.10 
\(Yosemite\):2017-10-31:1509404400: -os:Mac OS X 10.11 \(El Capitan\):2018-10-30:1540854000: -os:macOS Sierra \(10.12\):2016-10-24:1477260000: -os:macOS Sierra \(10.12.1\):2016-12-13:1481583600: -os:macOS Sierra \(10.12.2\):2017-01-23:1485126000: -os:macOS Sierra \(10.12.3\):2017-03-27:1490565600: -os:macOS Sierra \(10.12.4\):2017-05-15:1494799200: -os:macOS Sierra \(10.12.5\):2017-07-19:1500415200: -os:macOS Sierra \(10.12.6\):2019-10-29:1572303600: -os:macOS High Sierra \(10.13\):2017-10-31:1509404400: -os:macOS High Sierra \(10.13.1\):2017-12-06:1512514800: -os:macOS High Sierra \(10.13.2\):2018-01-23:1516662000: -os:macOS High Sierra \(10.13.3\):2018-03-29:1522274400: -os:macOS High Sierra \(10.13.4\):2018-06-01:1527804000: -os:macOS High Sierra \(10.13.5\):2018-07-09:1531087200: -os:macOS High Sierra \(10.13.6\)::-1: -os:macOS Mojave \(10.14\):2018-10-30:1540854000: -os:macOS Mojave \(10.14.1\):2018-12-05:1543964400: -os:macOS Mojave \(10.14.2\):2019-01-22:1548111600: -os:macOS Mojave \(10.14.3\):2019-03-25:1553468400: -os:macOS Mojave \(10.14.4\):2019-05-13:1557698400: -os:macOS Mojave \(10.14.5\):2019-07-22:1563746400: -os:macOS Mojave \(10.14.6\)::-1: -os:macOS Catalina \(10.15\):2019-10-29:1572303600: -os:macOS Catalina \(10.15.1\):2019-12-10:1575932400: -os:macOS Catalina \(10.15.2\):2020-01-28:1580166000: -os:macOS Catalina \(10.15.3\):2020-03-24:1585004400: -os:macOS Catalina \(10.15.4\):2020-05-26:1590444000: -os:macOS Catalina \(10.15.5\):2020-07-15:1594764000: -os:macOS Catalina \(10.15.6\):2020-09-24:1600898400: -os:macOS Catalina \(10.15.7\)::-1: -# -# Mageia - https://www.mageia.org/en/support/ -# -os:Mageia 1:2012-12-01:1354316400 -os:Mageia 2:2013-11-22:1385074800 -os:Mageia 3:2014-11-26:1416956400 -os:Mageia 4:2015-09-19:1442613600 -os:Mageia 5:2017-12-31:1514674800 -os:Mageia 6:2019-09-30:1569794400 -os:Mageia 7:2020-12-30:1609282800 -# -# NetBSD - https://www.netbsd.org/support/security/release.html and -# 
https://www.netbsd.org/releases/formal.html -# -os:NetBSD 2.0:2008-01-19:1200697200: -os:NetBSD 2.0.1:2008-01-19:1200697200: -os:NetBSD 2.0.2:2008-01-19:1200697200: -os:NetBSD 2.0.3:2008-01-19:1200697200: -os:NetBSD 2.1:2008-01-19:1200697200: -os:NetBSD 3.0:2009-09-29:1254175200: -os:NetBSD 3.0.1:2009-09-29:1254175200: -os:NetBSD 3.0.2:2009-09-29:1254175200: -os:NetBSD 3.1:2009-09-29:1254175200: -os:NetBSD 4.0:2012-11-17:1353106800: -os:NetBSD 4.0.1:2012-11-17:1353106800: -os:NetBSD 5.0:2015-11-17:1447714800: -os:NetBSD 5.0.1:2015-10-17:1445032800: -os:NetBSD 5.0.2:2015-10-17:1445032800: -os:NetBSD 5.1:2015-10-17:1445032800: -os:NetBSD 5.1.1:2015-10-17:1445032800: -os:NetBSD 5.1.2:2015-10-17:1445032800: -os:NetBSD 5.1.3:2015-10-17:1445032800: -os:NetBSD 5.1.4:2015-10-17:1445032800: -os:NetBSD 5.1.5:2015-10-17:1445032800: -os:NetBSD 5.2.1:2015-10-17:1445032800: -os:NetBSD 5.2.2:2015-10-17:1445032800: -os:NetBSD 5.2.3:2015-10-17:1445032800: -os:NetBSD 6.0:2017-09-17:1505599200: -os:NetBSD 6.0.1:2017-09-17:1505599200: -os:NetBSD 6.0.2:2017-09-17:1505599200: -os:NetBSD 6.0.3:2017-09-17:1505599200: -os:NetBSD 6.0.4:2017-09-17:1505599200: -os:NetBSD 6.0.5:2017-09-17:1505599200: -os:NetBSD 6.1:2017-09-17:1505599200: -os:NetBSD 6.1.1:2017-09-17:1505599200: -os:NetBSD 6.1.2:2017-09-17:1505599200: -os:NetBSD 6.1.3:2017-09-17:1505599200: -os:NetBSD 6.1.4:2017-09-17:1505599200: -os:NetBSD 6.1.5:2017-09-17:1505599200: -os:NetBSD 7.0:2020-03-14:1584162000: -os:NetBSD 7.0.1:2020-03-14:1584162000: -os:NetBSD 7.0.2:2020-03-14:1584162000: -os:NetBSD 7.1:2020-03-14:1584162000: -os:NetBSD 7.1.1:2020-03-14:1584162000: -os:NetBSD 7.1.1:2020-03-14:1584162000: -os:NetBSD 7.2:2020-03-14:1584162000: -os:NetBSD 8.0::-1: -os:NetBSD 8.1::-1: -os:NetBSD 9.0::-1: -# -# OpenBSD - https://en.wikipedia.org/wiki/OpenBSD_version_history -# -os:OpenBSD 5.8:2016-09-01:1472680800: -os:OpenBSD 5.9:2017-04-11:1491861600: -os:OpenBSD 6.0:2017-09-10:1505001600: -os:OpenBSD 6.1:2018-04-15:1523750400: 
-os:OpenBSD 6.2:2018-10-18:1539820800: -os:OpenBSD 6.3:2019-05-03:1556841600: -os:OpenBSD 6.4:2019-10-17:1571270400: -os:OpenBSD 6.5:2020-05-19:1589846400: -os:OpenBSD 6.6:2020-10-01:1601510400: -os:OpenBSD 6.7:2021-05-01:1619827200: -# -# Red Hat Enterprise Linux - https://access.redhat.com/labs/plcc/ -# -os:Red Hat Enterprise Linux Server release 6:2020-11-30:1606690800: -os:Red Hat Enterprise Linux 7:2024-06-30:1719698400: -os:Red Hat Enterprise Linux 8:2029-05-07:1872799200: -# -# Slackware - https://en.wikipedia.org/wiki/Slackware#Releases -# -os:Slackware Linux 8.1:2012-08-01:1343768400: -os:Slackware Linux 9.0:2012-08-01:1343768400: -os:Slackware Linux 9.1:2012-08-01:1343768400: -os:Slackware Linux 10.0:2012-08-01:1343768400: -os:Slackware Linux 10.1:2012-08-01:1343768400: -os:Slackware Linux 10.2:2012-08-01:1343768400: -os:Slackware Linux 11.0:2012-08-01:1343768400: -os:Slackware Linux 12.0:2012-08-01:1343768400: -os:Slackware Linux 12.1:2013-12-09:1386540000: -os:Slackware Linux 12.2:2013-12-09:1386540000: -os:Slackware Linux 13.0:2018-07-05:1530738000: -os:Slackware Linux 13.1:2018-07-05:1530738000: -os:Slackware Linux 13.37:2018-07-05:1530738000: -# -# SuSE - https://www.suse.com/lifecycle/ -# -os:SUSE Linux Enterprise Server 12:2024-10-31:1730329200: -os:SUSE Linux Enterprise Server 15:2028-07-31:1848607200: -# -# Ubuntu - https://wiki.ubuntu.com/Kernel/LTSEnablementStack and -# https://wiki.ubuntu.com/Releases -# -os:Ubuntu 14.04:2019-05-01:1556661600: -os:Ubuntu 14.10:2015-07-01:1435701600: -os:Ubuntu 15.04:2016-01-01:1451602800: -os:Ubuntu 15.10:2016-07-01:1467324000: -os:Ubuntu 16.04:2021-05-01:1619820000: -os:Ubuntu 16.10:2017-07-01:1498860000: -os:Ubuntu 17.04:2018-01-01:1514761200: -os:Ubuntu 17.10:2018-07-01:1530396000: -os:Ubuntu 18.04:2023-05-01:1682892000: -os:Ubuntu 18.10:2019-07-18:1563400800: -os:Ubuntu 19.04:2020-01-01:1577833200: -os:Ubuntu 20.04:2025-04-01:1743458400: -# -# OmniosCE - https://omniosce.org/releasenotes.html -# -os:OmniOS 
Community Edition v11 r151022:2020-05-11:1589148000: -os:OmniOS Community Edition v11 r151024:2018-11-04:1541286000: -os:OmniOS Community Edition v11 r151026:2019-05-05:1557007200: -os:OmniOS Community Edition v11 r151028:2019-11-04:1572822000: -os:OmniOS Community Edition v11 r151030::-1: -os:OmniOS Community Edition v11 r151032:2020-11-03:1604358000: -os:OmniOS Community Edition v11 r151034::-1: -# -## Oracle Solaris - https://www.oracle.com/us/support/library/lifetime-support-hardware-301321.pdf (p. 34) -# The list below contains Premier Support End only -# -os:Oracle Solaris 11.3:2021-01-01:1609455600: -os:Oracle Solaris 11.4:2031-11-01:1951254000: -# -# EOF From f5b85c65e99f11399dd8f5d5084792db02d980e4 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 18 Mar 2024 09:28:51 +0000 Subject: [PATCH 153/282] Switch to pre-release --- CHANGELOG.md | 7 +++++++ lynis | 6 +++--- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1f3028dd..74b939e0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,12 @@ # Lynis Changelog +## Lynis 3.1.2 (not released yet) + +### Changed +- Correction of software EOL database and inclusion of AIX entries + +--------------------------------------------------------------------------------- + ## Lynis 3.1.1 (2024-03-17) ### Added diff --git a/lynis b/lynis index 055939bc..9ae06b67 100755 --- a/lynis +++ b/lynis @@ -43,10 +43,10 @@ PROGRAM_WEBSITE="https://cisofy.com/lynis/" # Version details - PROGRAM_RELEASE_DATE="2024-03-17" + PROGRAM_RELEASE_DATE="2024-03-18" PROGRAM_RELEASE_TIMESTAMP=1710671337 - PROGRAM_RELEASE_TYPE="release" # pre-release or release - PROGRAM_VERSION="3.1.1" + PROGRAM_RELEASE_TYPE="pre-release" # pre-release or release + PROGRAM_VERSION="3.1.2" # Source, documentation and license PROGRAM_SOURCE="https://github.com/CISOfy/lynis" From 6f81b6502b978135ecda8a28c51881cc15daa0be Mon Sep 17 00:00:00 2001 
From: Erasure5959 <154384607+Erasure5959@users.noreply.github.com> Date: Mon, 18 Mar 2024 15:21:27 +0200 Subject: [PATCH 154/282] Update osdetection - add support for OSMC Add detection support for OSMC. --- include/osdetection | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/include/osdetection b/include/osdetection index 61f290d7..579538bb 100644 --- a/include/osdetection +++ b/include/osdetection @@ -348,6 +348,12 @@ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_NAME="openSUSE" ;; + "osmc") + LINUX_VERSION="OSMC" + LINUX_VERSION_LIKE="Debian" + OS_NAME="Open Source Media Center" + OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + ;; "parrot") LINUX_VERSION="Parrot" OS_NAME="Parrot GNU/Linux" From 6476036b023b006ed84af16420ac08e65216a42c Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 18 Mar 2024 14:28:09 +0100 Subject: [PATCH 155/282] Update CHANGELOG.md --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 74b939e0..5fd046bf 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,9 @@ ## Lynis 3.1.2 (not released yet) +### Added +- Detection of Open Source Media Center (OSMC) + ### Changed - Correction of software EOL database and inclusion of AIX entries From 967b9f1ec7ff504c91805bbf6f8e6ff170d05173 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 19 Mar 2024 11:53:28 +0100 Subject: [PATCH 156/282] Update CHANGELOG.md --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5fd046bf..f6dfd05b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ ## Lynis 3.1.2 (not released yet) ### Added +- Detection of Athena OS - Detection of Open Source Media Center (OSMC) ### Changed From f36e39063a1410c24d1a2f85284600004154bd44 Mon Sep 17 00:00:00 2001 
From: Ikko Eltociear Ashimine Date: Fri, 22 Mar 2024 14:42:14 +0900 Subject: [PATCH 157/282] Update osdetection minor fix --- include/osdetection | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/osdetection b/include/osdetection index ef4bd587..22648dde 100644 --- a/include/osdetection +++ b/include/osdetection @@ -445,7 +445,7 @@ OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') ;; *) - ReportException "OS Detection" "Unknown OS found in /etc/os-release - Please create an issue on GitHub and share the the contents (cat /etc/os-release): ${PROGRAM_SOURCE}" + ReportException "OS Detection" "Unknown OS found in /etc/os-release - Please create an issue on GitHub and share the contents (cat /etc/os-release): ${PROGRAM_SOURCE}" ;; esac fi From 58d084ef71333cb4302a560426a538507e40b74e Mon Sep 17 00:00:00 2001 From: TCH Date: Tue, 26 Mar 2024 20:50:50 +0100 Subject: [PATCH 158/282] Update osdetection --- include/osdetection | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/include/osdetection b/include/osdetection index ef4bd587..e5789c88 100644 --- a/include/osdetection +++ b/include/osdetection @@ -332,6 +332,12 @@ OS_REDHAT_OR_CLONE=1 OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') ;; + "nobara") + LINUX_VERSION="Nobara" + OS_NAME="Nobara Linux" + OS_REDHAT_OR_CLONE=1 + OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + ;; "nodistro") LINUX_VERSION="openembedded" OS_NAME="OpenEmbedded" From afd0eaddf07e9950eedbded537a96dda6cfe44d1 Mon Sep 17 00:00:00 2001 From: Tobias Svenblad <59305921+tsvenbla@users.noreply.github.com> Date: Thu, 28 Mar 2024 22:01:14 +0200 Subject: [PATCH 159/282] Added regex for NETW-3200 in tests_networking Changed the check /bin/true to /bin/(true|false) to be more inclusive and get rid of false positives. --- include/tests_networking | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/include/tests_networking b/include/tests_networking
index 116f3760..44a65708 100644
--- a/include/tests_networking
+++ b/include/tests_networking
@@ -750,7 +750,7 @@
 UNCOMMON_PROTOCOL_DISABLED=0
 # First check modprobe.conf
 if [ -f ${ROOTDIR}etc/modprobe.conf ]; then
- DATA=$(${GREPBINARY} "^install \+${P} \+/bin/true$" ${ROOTDIR}etc/modprobe.conf)
+ DATA=$(${GREPBINARY} "^install \+${P} \+/bin/(true|false)$" ${ROOTDIR}etc/modprobe.conf)
 if [ -n "${DATA}" ]; then
 LogText "Result: found ${P} module disabled via modprobe.conf"
 UNCOMMON_PROTOCOL_DISABLED=1
@@ -759,7 +759,7 @@
 # Then additional modprobe configuration files
 if [ -d ${ROOTDIR}etc/modprobe.d ]; then
 # Return file names (-l) and suppress errors (-s)
- DATA=$(${GREPBINARY} -l -s "^install \+${P} \+/bin/true$" ${ROOTDIR}etc/modprobe.d/*)
+ DATA=$(${GREPBINARY} -l -s "^install \+${P} \+/bin/(true|false)$" ${ROOTDIR}etc/modprobe.d/*)
 if [ -n "${DATA}" ]; then
 UNCOMMON_PROTOCOL_DISABLED=1
 for F in ${DATA}; do
From 48cb2c7cb89e09ad4c56607bd39ce52eafba639f Mon Sep 17 00:00:00 2001
From: Constacalm <163557834+Constacalm@users.noreply.github.com>
Date: Mon, 1 Apr 2024 14:48:23 +0300
Subject: [PATCH 160/282] Update osdetection (ALT Linux) Consider to update osdetection script to detect ALT Linux distro in issue #1465 (https://github.com/CISOfy/lynis/issues/1465)
---
 include/osdetection | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/include/osdetection b/include/osdetection
index ef4bd587..3aab00ab 100644
--- a/include/osdetection
+++ b/include/osdetection
@@ -160,6 +160,11 @@
 OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
 OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
 ;;
+ "altlinux")
+ LINUX_VERSION="ALT Linux"
+ OS_NAME="altlinux"
+ OS_VERSION=$(grep "^ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ ;;
 "amzn")
 LINUX_VERSION="Amazon Linux"
 OS_NAME="Amazon Linux"
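Review bot: `(true|false)` is not an alternation in the basic regular expressions `${GREPBINARY}` evaluates without `-E`, so the new patterns in both hunks (`@@ -750` and `@@ -759`) match only the literal text `/bin/(true|false)` and the check can no longer see a module disabled with `install ${P} /bin/true`, which the previous pattern did. Either switch to extended syntax and drop the backslashes, `"^install +${P} +/bin/(true|false)$"` with `-E` added to both calls, or stay in BRE with GNU-style groups, `"^install \+${P} \+/bin/\(true\|false\)$"` (the existing `\+` already depends on GNU grep). The loop over `${P}` that encloses these lines starts before the hunk.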
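Review bot: In the ALT Linux arm, `OS_VERSION` is filled from the `ID=` key of `/etc/os-release`, so it ends up holding the distribution identifier (`altlinux`, which `OS_NAME` already stores) rather than a version, while every neighbouring arm in the hunk reads `VERSION_ID=`. Unless ALT Linux ships an os-release without `VERSION_ID`, the line should be `OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')`. The `case` statement containing this arm starts before the hunk.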
From 75818a636cd07461974e2eb3d9838d3d722c87b1 Mon Sep 17 00:00:00 2001 From: vk6xebec <59078659+vk6xebec@users.noreply.github.com> Date: Sun, 7 Apr 2024 11:02:14 +0800 Subject: [PATCH 161/282] McAfee antivirus has been deprecated As of 1 Oct 2023, McAfee antivirus for Linux has been deprecated https://www.mcafee.com/support/?locale=no-NO&articleId=TS103384&page=shell&shell=article-view --- include/tests_malware | 29 ++++++++++++----------------- 1 file changed, 12 insertions(+), 17 deletions(-) diff --git a/include/tests_malware b/include/tests_malware index 87a721bc..a4a51315 100644 --- a/include/tests_malware +++ b/include/tests_malware 
@@ -46,23 +46,18 @@
 TRENDMICRO_DSA_DAEMON_RUNNING=0
 #
 #################################################################################
-#
- # Test : MALW-3274
- # Description : Check for installed tool (McAfee VirusScan for Command Line)
- Register --test-no MALW-3274 --weight L --network NO --category security --description "Check for McAfee VirusScan Command Line"
- if [ ${SKIPTEST} -eq 0 ]; then
- LogText "Test: checking presence McAfee VirusScan for Command Line"
- if [ -x /usr/local/uvscan/uvscan ]; then
- Display --indent 2 --text "- ${GEN_CHECKING} McAfee VirusScan for Command Line" --result "${STATUS_FOUND}" --color GREEN
- LogText "Result: Found ${MCAFEECLBINARY}"
- MALWARE_SCANNER_INSTALLED=1
- AddHP 2 2
- Report "malware_scanner[]=mcafeecl"
- else
- LogText "Result: McAfee VirusScan for Command Line not found"
- fi
- fi
-#
+# Test : MALW-3274
+# Description : Check for installed tool (McAfee VirusScan for Command Line)
+Register --test-no MALW-3274 --weight L --network NO --category security --description "Check for McAfee VirusScan Command Line"
+if [ ${SKIPTEST} -eq 0 ]; then
+ LogText "Test: checking presence McAfee VirusScan for Command Line"
+ if [ -x /usr/local/uvscan/uvscan ]; then
+ Display --indent 2 --text "- ${GEN_CHECKING} McAfee VirusScan for Command Line" --result "${STATUS_FOUND}" --color RED
+ LogText "Result: Found ${MCAFEECLBINARY}"
+ MALWARE_SCANNER_INSTALLED=0
+ AddHP 0 2
+ LogText "Result: McAfee Antivirus for Linux has been deprecated as of 1 Oct 2023 and will not receive updates. Please use another antivirus instead."
+fi
 #################################################################################
 #
 # Test : MALW-3275
From 22ce0b40c325aeb5566c16eb65f025a72db4a308 Mon Sep 17 00:00:00 2001
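Review bot: The new block opens two `if` statements but closes only one — `if [ ${SKIPTEST} -eq 0 ]; then` and `if [ -x /usr/local/uvscan/uvscan ]; then` are followed by a single `fi` — so `tests_malware` no longer parses and every test after MALW-3274 in that file is lost; insert `    fi` for the inner `if` before the final `fi`. The hunk also drops the indentation and the `#` separator line that the surrounding tests keep, and `MALWARE_SCANNER_INSTALLED=0` clears a value an earlier scanner check may already have set to 1; leaving that variable untouched and replacing the assignment with `ReportSuggestion "${TEST_NO}" "McAfee VirusScan for Command Line is deprecated and no longer receives updates; replace it with a maintained malware scanner"` gets the finding into the report instead of only the log. Restoring the removed `else` branch with its `LogText "Result: McAfee VirusScan for Command Line not found"` would keep the log consistent with the other MALW tests.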
From: vk6xebec <59078659+vk6xebec@users.noreply.github.com> Date: Sun, 7 Apr 2024 11:16:46 +0800 Subject: [PATCH 162/282] Update tests_php to include PHP8.3 and 8.4 PHP 8.3 is the latest version. 8.4 is the upcoming version --- include/tests_php | 43 ++++++++++++++++++++++++++++++++++++++----- 1 file changed, 38 insertions(+), 5 deletions(-) diff --git a/include/tests_php b/include/tests_php index beb1eca3..bbda37b8 100644 --- a/include/tests_php +++ b/include/tests_php @@ -40,6 +40,8 @@ ${ROOTDIR}etc/php8.0/php.ini \ ${ROOTDIR}etc/php8.1/php.ini \ ${ROOTDIR}etc/php8.2/php.ini \ + ${ROOTDIR}etc/php8.3/php.ini \ + ${ROOTDIR}etc/php8.4/php.ini \ ${ROOTDIR}etc/php/cgi-php5/php.ini \ ${ROOTDIR}etc/php/cli-php5/php.ini \ ${ROOTDIR}etc/php/apache2-php5/php.ini \ @@ -53,6 +55,8 @@ ${ROOTDIR}etc/php/apache2-php8.0/php.ini \ ${ROOTDIR}etc/php/apache2-php8.1/php.ini \ ${ROOTDIR}etc/php/apache2-php8.2/php.ini \ + ${ROOTDIR}etc/php/apache2-php8.3/php.ini \ + ${ROOTDIR}etc/php/apache2-php8.4/php.ini \ ${ROOTDIR}etc/php/cgi-php5.5/php.ini \ ${ROOTDIR}etc/php/cgi-php5.6/php.ini \ ${ROOTDIR}etc/php/cgi-php7.0/php.ini \ @@ -73,6 +77,8 @@ ${ROOTDIR}etc/php/cli-php8.0/php.ini \ ${ROOTDIR}etc/php/cli-php8.1/php.ini \ ${ROOTDIR}etc/php/cli-php8.2/php.ini \ + ${ROOTDIR}etc/php/cli-php8.3/php.ini \ + ${ROOTDIR}etc/php/cli-php8.4/php.ini \ ${ROOTDIR}etc/php/embed-php5.5/php.ini \ ${ROOTDIR}etc/php/embed-php5.6/php.ini \ ${ROOTDIR}etc/php/embed-php7.0/php.ini \ @@ -83,6 +89,8 @@ ${ROOTDIR}etc/php/embed-php8.0/php.ini \ ${ROOTDIR}etc/php/embed-php8.1/php.ini \ ${ROOTDIR}etc/php/embed-php8.2/php.ini \ + ${ROOTDIR}etc/php/embed-php8.3/php.ini \ + ${ROOTDIR}etc/php/embed-php8.4/php.ini \ ${ROOTDIR}etc/php/fpm-php8.2/php.ini \ ${ROOTDIR}etc/php/fpm-php8.1/php.ini \ ${ROOTDIR}etc/php/fpm-php8.0/php.ini \ 
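Review bot: The Gentoo-style `fpm-php8.x` list did not receive 8.3/8.4 entries while `apache2-`, `cli-` and `embed-` did: the `@@ -83` hunk adds `embed-php8.3`/`embed-php8.4` and its trailing context still ends the list at `fpm-php8.2/php.ini`; add `${ROOTDIR}etc/php/fpm-php8.3/php.ini \` and `${ROOTDIR}etc/php/fpm-php8.4/php.ini \` beside it. Going by the untouched line range between the `@@ -53` and `@@ -73` hunks, the `cgi-php8.x` entries presumably also lack 8.3/8.4. As a point of style, deriving these per-version paths from a single list of PHP versions would stop the layouts drifting apart each time a release is added; the `PHPINILOCS` assignment extends well beyond these hunks.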
@@ -109,6 +117,8 @@ ${ROOTDIR}etc/php/8.0/apache2/php.ini \ ${ROOTDIR}etc/php/8.1/apache2/php.ini \ ${ROOTDIR}etc/php/8.2/apache2/php.ini \ + ${ROOTDIR}etc/php/8.3/apache2/php.ini \ + ${ROOTDIR}etc/php/8.4/apache2/php.ini \ ${ROOTDIR}etc/php/7.0/cli/php.ini \ ${ROOTDIR}etc/php/7.0/fpm/php.ini \ ${ROOTDIR}etc/php/7.1/cli/php.ini \ @@ -125,6 +135,10 @@ ${ROOTDIR}etc/php/8.1/fpm/php.ini \ ${ROOTDIR}etc/php/8.2/cli/php.ini \ ${ROOTDIR}etc/php/8.2/fpm/php.ini \ + ${ROOTDIR}etc/php/8.3/cli/php.ini \ + ${ROOTDIR}etc/php/8.3/fpm/php.ini \ + ${ROOTDIR}etc/php/8.4/cli/php.ini \ + ${ROOTDIR}etc/php/8.4/fpm/php.ini \ ${ROOTDIR}var/www/conf/php.ini \ ${ROOTDIR}usr/local/etc/php.ini \ ${ROOTDIR}usr/local/lib/php.ini \ @@ -139,6 +153,8 @@ ${ROOTDIR}usr/local/php80/lib/php.ini \ ${ROOTDIR}usr/local/php81/lib/php.ini \ ${ROOTDIR}usr/local/php82/lib/php.ini \ + ${ROOTDIR}usr/local/php83/lib/php.ini \ + ${ROOTDIR}usr/local/php84/lib/php.ini \ ${ROOTDIR}usr/local/zend/etc/php.ini \ ${ROOTDIR}usr/pkg/etc/php.ini \ ${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.ini \ @@ -152,6 +168,8 @@ ${ROOTDIR}opt/cpanel/ea-php80/root/etc/php.ini \ ${ROOTDIR}opt/cpanel/ea-php81/root/etc/php.ini \ ${ROOTDIR}opt/cpanel/ea-php82/root/etc/php.ini \ + ${ROOTDIR}opt/cpanel/ea-php83/root/etc/php.ini \ + ${ROOTDIR}opt/cpanel/ea-php84/root/etc/php.ini \ ${ROOTDIR}opt/alt/php44/etc/php.ini \ ${ROOTDIR}opt/alt/php51/etc/php.ini \ ${ROOTDIR}opt/alt/php52/etc/php.ini \ @@ -167,6 +185,8 @@ ${ROOTDIR}opt/alt/php80/etc/php.ini \ ${ROOTDIR}opt/alt/php81/etc/php.ini \ ${ROOTDIR}opt/alt/php82/etc/php.ini \ + ${ROOTDIR}opt/alt/php83/etc/php.ini \ + ${ROOTDIR}opt/alt/php84/etc/php.ini \ ${ROOTDIR}etc/opt/remi/php56/php.ini \ ${ROOTDIR}etc/opt/remi/php70/php.ini \ ${ROOTDIR}etc/opt/remi/php71/php.ini \ 
@@ -175,7 +195,9 @@
 ${ROOTDIR}etc/opt/remi/php74/php.ini \
 ${ROOTDIR}etc/opt/remi/php80/php.ini \
 ${ROOTDIR}etc/opt/remi/php81/php.ini \
- ${ROOTDIR}etc/opt/remi/php82/php.ini"
+ ${ROOTDIR}etc/opt/remi/php82/php.ini\
+ ${ROOTDIR}etc/opt/remi/php83/php.ini \
+ ${ROOTDIR}etc/opt/remi/php84/php.ini"
 # HEADS-UP: OpenBSD, last two releases are supported, and snapshots of -current
 PHPINILOCS="${PHPINILOCS} \
 ${ROOTDIR}etc/php-5.6.ini \
@@ -186,8 +208,9 @@
 ${ROOTDIR}etc/php-7.4.ini \
 ${ROOTDIR}etc/php-8.0.ini \
 ${ROOTDIR}etc/php-8.1.ini \
- ${ROOTDIR}etc/php-8.2.ini"
-
+ ${ROOTDIR}etc/php-8.2.ini\
+ ${ROOTDIR}etc/php-8.3.ini\
+ ${ROOTDIR}etc/php-8.4.ini"
 PHPINIDIRS="${ROOTDIR}etc/php5/conf.d \
 ${ROOTDIR}etc/php/7.0/cli/conf.d \
 ${ROOTDIR}etc/php/7.1/cli/conf.d \
@@ -205,6 +228,8 @@
 ${ROOTDIR}etc/php/8.0/fpm/conf.d \
 ${ROOTDIR}etc/php/8.1/fpm/conf.d \
 ${ROOTDIR}etc/php/8.2/fpm/conf.d \
+ ${ROOTDIR}etc/php/8.3/fpm/conf.d \
+ ${ROOTDIR}etc/php/8.4/fpm/conf.d \
 ${ROOTDIR}etc/php.d \
 ${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.d \
 ${ROOTDIR}opt/cpanel/ea-php55/root/etc/php.d \
@@ -217,6 +242,8 @@
 ${ROOTDIR}opt/cpanel/ea-php80/root/etc/php.d \
 ${ROOTDIR}opt/cpanel/ea-php81/root/etc/php.d \
 ${ROOTDIR}opt/cpanel/ea-php82/root/etc/php.d \
+ ${ROOTDIR}opt/cpanel/ea-php83/root/etc/php.d \
+ ${ROOTDIR}opt/cpanel/ea-php84/root/etc/php.d \
 ${ROOTDIR}opt/alt/php44/etc/php.d.all \
 ${ROOTDIR}opt/alt/php51/etc/php.d.all \
 ${ROOTDIR}opt/alt/php52/etc/php.d.all \
@@ -232,6 +259,8 @@
 ${ROOTDIR}opt/alt/php80/etc/php.d.all \
 ${ROOTDIR}opt/alt/php81/etc/php.d.all \
 ${ROOTDIR}opt/alt/php82/etc/php.d.all \
+ ${ROOTDIR}opt/alt/php83/etc/php.d.all \
+ ${ROOTDIR}opt/alt/php84/etc/php.d.all \
 ${ROOTDIR}usr/local/lib/php.conf.d \
 ${ROOTDIR}usr/local/php70/lib/php.conf.d \
 ${ROOTDIR}usr/local/php71/lib/php.conf.d \
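Review bot: The new `${ROOTDIR}etc/opt/remi/php82/php.ini\` line in this hunk, and `php-8.2.ini\` plus `php-8.3.ini\` in the following `@@ -186,8 +208,9 @@` hunk, drop the space before the continuation backslash that every other entry uses. Inside the double-quoted assignment a bare `\<newline>` is removed, so those entries stay separated only by the next line's leading indentation; write them as `${ROOTDIR}etc/opt/remi/php82/php.ini \` (and likewise for the two `.ini` lines) so a later reindent cannot fuse two paths into one word. The `@@ -186` hunk also deletes the blank line that separated the PHPINILOCS and PHPINIDIRS assignments; keeping it matches the rest of the file. The `@@ -240` and `@@ -251` hunks on the next line already use the consistent ` \` form.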
@@ -240,7 +269,9 @@
 ${ROOTDIR}usr/local/php74/lib/php.conf.d \
 ${ROOTDIR}usr/local/php80/lib/php.conf.d \
 ${ROOTDIR}usr/local/php81/lib/php.conf.d \
- ${ROOTDIR}usr/local/php82/lib/php.conf.d"
+ ${ROOTDIR}usr/local/php82/lib/php.conf.d \
+ ${ROOTDIR}usr/local/php83/lib/php.conf.d \
+ ${ROOTDIR}usr/local/php84/lib/php.conf.d"
 # HEADS-UP: OpenBSD, last two releases are supported, and snapshots of -current
 PHPINIDIRS="${PHPINIDIRS} \
 ${ROOTDIR}etc/php-5.6 \
@@ -251,7 +282,9 @@
 ${ROOTDIR}etc/php-7.4 \
 ${ROOTDIR}etc/php-8.0 \
 ${ROOTDIR}etc/php-8.1 \
- ${ROOTDIR}etc/php-8.2"
+ ${ROOTDIR}etc/php-8.2 \
+ ${ROOTDIR}etc/php-8.3 \
+ ${ROOTDIR}etc/php-8.4"
 #
 #################################################################################
 #
From c9f89cd5f41bfbcb8f6d3cf720c4aa2da3e3feb2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?O=C4=9Fuz=20Ersen?= Date: Wed, 10 Apr 2024 13:20:24 +0300 Subject: [PATCH 163/282] Update tr --- db/languages/tr | 172 ++++++++++++++++++++++++------------------------ 1 file changed, 86 insertions(+), 86 deletions(-)
diff --git a/db/languages/tr b/db/languages/tr
index 585cfed5..3df59a53 100644
--- a/db/languages/tr
+++ b/db/languages/tr
@@ -1,108 +1,108 @@
-ERROR_NO_LICENSE="Lisans anahtarı yapılandırılmamış"
-ERROR_NO_UPLOAD_SERVER="Yükleme sunucusu yapılandırılmamış"
-GEN_CHECKING="Kontrol ediyor"
-GEN_CURRENT_VERSION="Mevcut Sürüm"
+ERROR_NO_LICENSE="Lisans anahtarı yapılandırılmadı"
+ERROR_NO_UPLOAD_SERVER="Yükleme sunucusu yapılandırılmadı"
+GEN_CHECKING=" Denetleniyor"
+GEN_CURRENT_VERSION="Geçerli sürüm"
 GEN_DEBUG_MODE="Hata ayıklama modu"
 GEN_INITIALIZE_PROGRAM="Program başlatılıyor"
-GEN_LATEST_VERSION="Son sürüm"
-GEN_PHASE="faz"
-GEN_PLUGINS_ENABLED="Yapılandırılmış eklentiler"
-GEN_UPDATE_AVAILABLE="güncelleme mevcut"
-GEN_VERBOSE_MODE="Detay modu"
+GEN_LATEST_VERSION="En son sürüm"
+GEN_PHASE="evre"
+GEN_PLUGINS_ENABLED="Etkinleştirilen eklentiler"
+GEN_UPDATE_AVAILABLE="güncelleme var"
+GEN_VERBOSE_MODE="Ayrıntılı mod"
 GEN_WHAT_TO_DO="Yapılması gerekenler"
-NOTE_EXCEPTIONS_FOUND_DETAILED="Bazı istisnai durumlar ve bilgiler bulundu"
 NOTE_EXCEPTIONS_FOUND="İstisnalar bulundu"
-NOTE_PLUGINS_TAKE_TIME="Not: eklentiler daha detaylı testler içermektedir ve tamamlanmaları uzun sürebilir"
+NOTE_EXCEPTIONS_FOUND_DETAILED="Bazı istisnai olaylar veya bilgiler bulundu"
+NOTE_PLUGINS_TAKE_TIME="Not: eklentiler daha kapsamlı testlere sahiptir ve tamamlanması birkaç dakika sürebilir"
 NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Yetkisiz çalışma nedeniyle atlanan testler"
-#SECTION_ACCOUNTING="Accounting"
-#SECTION_BANNERS_AND_IDENTIFICATION="Banners and identification"
-#SECTION_BASICS="Basics"
-#SECTION_BOOT_AND_SERVICES="Boot and services"
-#SECTION_CONTAINERS="Containers"
-#SECTION_CRYPTOGRAPHY="Cryptography"
+SECTION_ACCOUNTING="Hesaplama"
+SECTION_BANNERS_AND_IDENTIFICATION="Afişler ve tanımlama"
+SECTION_BASICS="Temel Bilgiler"
+SECTION_BOOT_AND_SERVICES="Önyükleme ve hizmetler"
+SECTION_CONTAINERS="Konteynerler"
+SECTION_CRYPTOGRAPHY="Kriptografi"
 SECTION_CUSTOM_TESTS="Özel testler"
-#SECTION_DATABASES="Databases"
-#SECTION_DATA_UPLOAD="Data upload"
-#SECTION_DOWNLOADS="Downloads"
-#SECTION_EMAIL_AND_MESSAGING="Software: e-mail and messaging"
-#SECTION_FILE_INTEGRITY="Software: file integrity"
-#SECTION_FILE_PERMISSIONS="File Permissions"
-#SECTION_FILE_SYSTEMS="File systems"
-#SECTION_FIREWALLS="Software: firewalls"
-#SECTION_GENERAL="General"
-#SECTION_HARDENING="Hardening"
-#SECTION_HOME_DIRECTORIES="Home directories"
-#SECTION_IMAGE="Image"
-#SECTION_INITIALIZING_PROGRAM="Initializing program"
-#SECTION_INSECURE_SERVICES="Insecure services"
-#SECTION_KERNEL_HARDENING="Kernel Hardening"
-#SECTION_KERNEL="Kernel"
-#SECTION_LDAP_SERVICES="LDAP Services"
-#SECTION_LOGGING_AND_FILES="Logging and files"
-SECTION_MALWARE="Kötücül yazılım"
-SECTION_MEMORY_AND_PROCESSES="Bellek ve Prosesler"
-#SECTION_NAME_SERVICES="Name services"
-#SECTION_NETWORKING="Networking"
-#SECTION_PERMISSIONS="Permissions"
-#SECTION_PORTS_AND_PACKAGES="Ports and packages"
-#SECTION_PRINTERS_AND_SPOOLS="Printers and Spools"
-#SECTION_PROGRAM_DETAILS="Program Details"
-#SECTION_SCHEDULED_TASKS="Scheduled tasks"
-#SECTION_SECURITY_FRAMEWORKS="Security frameworks"
-#SECTION_SHELLS="Shells"
-#SECTION_SNMP_SUPPORT="SNMP Support"
-#SECTION_SOFTWARE="Software"
-#SECTION_SQUID_SUPPORT="Squid Support"
-#SECTION_SSH_SUPPORT="SSH Support"
-#SECTION_STORAGE="Storage"
-#SECTION_S2YSTEM_INTEGRITY="Software: System integrity"
+SECTION_EMAIL_AND_MESSAGING="Yazılım: e-posta ve mesajlaşma" +SECTION_FILE_INTEGRITY="Yazılım: dosya bütünlüğü" +SECTION_FILE_PERMISSIONS="Dosya izinleri" +SECTION_FILE_SYSTEMS="Dosya sistemleri" +SECTION_FIREWALLS="Yazılım: güvenlik duvarları" +SECTION_GENERAL="Genel" +SECTION_HARDENING="Sıkılaştırma" +SECTION_HOME_DIRECTORIES="Ev dizinleri" +SECTION_IMAGE="Kalıp" +SECTION_INITIALIZING_PROGRAM="Program başlatılıyor" +SECTION_INSECURE_SERVICES="Güvensiz hizmetler" +SECTION_KERNEL="Çekirdek" +SECTION_KERNEL_HARDENING="Çekirdek Sıkılaştırma" +SECTION_LDAP_SERVICES="LDAP Hizmetleri" +SECTION_LOGGING_AND_FILES="Günlük kaydı ve dosyalar" +SECTION_MALWARE="Yazılım: Kötü Amaçlı Yazılım" +SECTION_MEMORY_AND_PROCESSES="Bellek ve Süreçler" +SECTION_NAME_SERVICES="Ad hizmetleri" +SECTION_NETWORKING="Ağ İletişimi" +SECTION_PERMISSIONS="İzinler" +SECTION_PORTS_AND_PACKAGES="Bağlantı noktaları ve paketler" +SECTION_PRINTERS_AND_SPOOLS="Yazıcılar ve Biriktiriciler" +SECTION_PROGRAM_DETAILS="Program Ayrıntıları" +SECTION_SCHEDULED_TASKS="Zamanlanan görevler" +SECTION_SECURITY_FRAMEWORKS="Güvenlik çerçeveleri" +SECTION_SHELLS="Kabuklar" +SECTION_SNMP_SUPPORT="SNMP Desteği" +SECTION_SOFTWARE="Yazılım" +SECTION_SQUID_SUPPORT="Squid Desteği" +SECTION_SSH_SUPPORT="SSH Desteği" +SECTION_STORAGE="Depolama" +SECTION_SYSTEM_INTEGRITY="Yazılım: Sistem bütünlüğü" +SECTION_SYSTEM_TOOLING="Yazılım: Sistem araçları" +SECTION_SYSTEM_TOOLS="Sistem araçları" +SECTION_TIME_AND_SYNCHRONIZATION="Zaman ve Eşzamanlama" +SECTION_USB_DEVICES="USB Aygıtları" +SECTION_USERS_GROUPS_AND_AUTHENTICATION="Kullanıcılar, Gruplar ve Kimlik Doğrulama" +SECTION_VIRTUALIZATION="Sanallaştırma" +SECTION_WEBSERVER="Yazılım: web sunucusu" +STATUS_ACTIVE=" ETKİN" +STATUS_CHECK_NEEDED=" DENETİM GEREKLI" +STATUS_DEBUG="HATA AYIKLAMA" +STATUS_DEFAULT="ÖNTANIMLI" +STATUS_DIFFERENT="FARKLI" +STATUS_DISABLED="DEVRE DIŞI BIRAKILDI" STATUS_DONE="TAMAMLANDI" -STATUS_ENABLED="ETKİNLEŞTİRİLMİŞ" +STATUS_ENABLED="ETKİNLEŞTİRİLDİ" 
STATUS_ERROR="HATA" -#STATUS_EXPOSED="EXPOSED" -#STATUS_FAILED="FAILED" -#STATUS_FILES_FOUND="FILES FOUND" +STATUS_EXPOSED="AÇIKTA BIRAKILDI" +STATUS_FAILED="BAŞARISIZ" +STATUS_FILES_FOUND="DOSYALAR BULUNDU" STATUS_FOUND="BULUNDU" -#STATUS_HARDENED="HARDENED" -#STATUS_INSTALLED="INSTALLED" -#STATUS_LOCAL_ONLY="LOCAL ONLY" -#STATUS_MEDIUM="MEDIUM" +STATUS_HARDENED="SIKILAŞTIRILDI" +STATUS_INSTALLED="KURULU" +STATUS_LOCAL_ONLY="YALNIZCA YEREL" +STATUS_MEDIUM="ORTA" STATUS_NO="HAYIR" -#STATUS_NON_DEFAULT="NON DEFAULT" +STATUS_NO_UPDATE="GÜNCELLEME YOK" +STATUS_NON_DEFAULT="ÖNTANIMLI OLMAYAN" STATUS_NONE="YOK" -STATUS_NOT_ACTIVE="NOT ACTIVE" -#STATUS_NOT_CONFIGURED="NOT CONFIGURED" -#STATUS_NOT_DISABLED="NOT DISABLED" -#STATUS_NOT_ENABLED="NOT ENABLED" +STATUS_NOT_ACTIVE="ETKİN DEĞİL" +STATUS_NOT_CONFIGURED="YAPILANDIRILMADI" +STATUS_NOT_DISABLED="DEVRE DIŞI BIRAKILMADI" +STATUS_NOT_ENABLED="ETKİNLEŞTİRİLMEDİ" STATUS_NOT_FOUND="BULUNAMADI" STATUS_NOT_RUNNING="ÇALIŞMIYOR" -#STATUS_NO_UPDATE="NO UPDATE" STATUS_OFF="KAPALI" STATUS_OK="TAMAM" STATUS_ON="AÇIK" -#STATUS_PARTIALLY_HARDENED="PARTIALLY HARDENED" -#STATUS_PROTECTED="PROTECTED" +STATUS_PARTIALLY_HARDENED="KISMEN SIKILAŞTIRILDI" +STATUS_PROTECTED="KORUMALI" STATUS_RUNNING="ÇALIŞIYOR" STATUS_SKIPPED="ATLANDI" STATUS_SUGGESTION="ÖNERİ" STATUS_UNKNOWN="BİLİNMİYOR" -#STATUS_UNSAFE="UNSAFE" -#STATUS_UPDATE_AVAILABLE="UPDATE AVAILABLE" +STATUS_UNSAFE="GÜVENLİ DEĞİL" +STATUS_UPDATE_AVAILABLE="GÜNCELLEME VAR" STATUS_WARNING="UYARI" -#STATUS_WEAK="WEAK" +STATUS_WEAK="ZAYIF" STATUS_YES="EVET" -TEXT_UPDATE_AVAILABLE="güncelleme mevcut" -TEXT_YOU_CAN_HELP_LOGFILE="Log dosyanızı göndererek yardımcı olabilirsiniz" +TEXT_UPDATE_AVAILABLE="güncelleme var" +TEXT_YOU_CAN_HELP_LOGFILE="Günlük dosyanızı göndererek yardımcı olabilirsiniz" From 8d7c30fd9a0d07632287135aec2f255271099bb7 Mon Sep 17 00:00:00 2001 
From: katleese Date: Mon, 29 Apr 2024 10:21:59 +0200 Subject: [PATCH 164/282] changed AllowUsers to AllowGroups in test SSH-7440 --- include/tests_ssh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_ssh b/include/tests_ssh index 6ab6f193..43bf7145 100644 --- a/include/tests_ssh +++ b/include/tests_ssh @@ -312,7 +312,7 @@ # AllowGroups FIND=$(${GREPBINARY} -E -i "^AllowGroups" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }') if [ -n "${FIND}" ]; then - LogText "Result: AllowUsers set ${FIND}" + LogText "Result: AllowGroups set ${FIND}" Display --indent 4 --text "- OpenSSH option: AllowGroups" --result "${STATUS_FOUND}" --color GREEN FOUND=1 else From aec1f594324d073cd0582c2da5f6ccbb160d1415 Mon Sep 17 00:00:00 2001 From: gonzalo Date: Sat, 4 May 2024 07:52:47 +0200 Subject: [PATCH 165/282] Update binaries Fix a showing error for grep --help on OpenBSD. Discovered by me, fixed by @mboelen --- include/binaries | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/binaries b/include/binaries index b495013c..a2b4895a 100644 --- a/include/binaries +++ b/include/binaries @@ -338,7 +338,7 @@ # If grep is capable of extended regexp, use that instead of egrep to avoid annoying warning if [ "${GREPBINARY:-}" ] ; then - ${GREPBINARY} --help | ${GREPBINARY} -e "extended-regexp" > /dev/null + ${GREPBINARY} --help 2> /dev/null | ${GREPBINARY} -e "extended-regexp" > /dev/null if [ $? -eq 0 ] ; then EGREPBINARY="${GREPBINARY} -E" fi From 740baf29af6d2204c2c9d0fd40c29deb7a9e54f3 Mon Sep 17 00:00:00 2001 From: "Andre @ ARK-ICT" Date: Thu, 9 May 2024 20:45:45 +0200 Subject: [PATCH 166/282] postgresDB fixes for almalinux, rockylinux and freebsd. Tested on almalinux8/9, rockylinux9 and freebsd13 --- include/tests_databases | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/include/tests_databases b/include/tests_databases index 10bbc36a..82e3fa10 100644 --- a/include/tests_databases 
+++ b/include/tests_databases @@ -186,8 +186,10 @@ # Test : DBS-1826 # Description : Check if PostgreSQL is being used Register --test-no DBS-1826 --weight L --network NO --category security --description "Checking active PostgreSQL processes" + for PROCES in postgres postmaster + do if [ ${SKIPTEST} -eq 0 ]; then - if IsRunning "postgres"; then + if IsRunning "${PROCES}"; then Display --indent 2 --text "- PostgreSQL processes status" --result "${STATUS_FOUND}" --color GREEN LogText "Result: PostgreSQL is active" POSTGRESQL_RUNNING=1 @@ -195,9 +197,10 @@ Report "postgresql_running=${POSTGRESQL_RUNNING}" else if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- PostgreSQL processes status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi - LogText "Result: PostgreSQL process not active" + LogText "Result: PostgreSQL process ${PROCES} not active" fi fi + done # ################################################################################# # 
@@ -211,14 +214,15 @@ # Arch /var/lib/postgres/data/postgresql.conf # CentOS/Fedora /var/lib/pgsql/data/postgresql.conf # Ubuntu /etc/postgresql/x.y/main/postgresql.conf + # FreeBSD /var/db/postgres/data[0-9][0-9]/postgresql.conf if [ "${POSTGRESQL_RUNNING}" -eq 1 ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="PostgreSQL not installed or not running"; fi Register --test-no DBS-1828 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Test PostgreSQL configuration" if [ ${SKIPTEST} -eq 0 ]; then FIND_PATHS=$(${LSBINARY} -d ${ROOTDIR}usr/local/pgsql/data* 2> /dev/null) - FIND_PATHS="${FIND_PATHS} ${ROOTDIR}etc/postgres ${ROOTDIR}etc/postgresql ${ROOTDIR}var/lib/postgres/data ${ROOTDIR}usr/local/pgsql/data" - CONFIG_FILES=$(${FINDBINARY} -L ${FIND_PATHS} -type f -name "*.conf" -print0 2> /dev/null | ${TRBINARY} -cd '[:print:]\0' | ${TRBINARY} -d '\n' | ${TRBINARY} '\0' '\n' | xargs -i sh -c 'test -r "{}" && echo "{}"' | ${SEDBINARY} "s/ /:space:/g") + FIND_PATHS="${FIND_PATHS} ${ROOTDIR}etc/postgres ${ROOTDIR}etc/postgresql ${ROOTDIR}var/lib/postgres/data ${ROOTDIR}usr/local/pgsql/data ${ROOTDIR}var/lib/pgsql/data ${ROOTDIR}var/db/postgres/data[0-9][0-9]" + CONFIG_FILES=$(${FINDBINARY} -L ${FIND_PATHS} -type f -name "*.conf" -print0 2> /dev/null | ${TRBINARY} -cd '[:print:]\0' | ${TRBINARY} -d '\n' | ${TRBINARY} '\0' '\n' | xargs -I'{}' sh -c 'test -r "{}" && echo "{}"' | ${SEDBINARY} "s/ /:space:/g") for CF in ${CONFIG_FILES}; do Report "postgresql_config_file[]=${CF}" LogText "Found configuration file (${CF})" From 353b1e0bbf5987e60ac62e8d01adae844b0f36da Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 10 May 2024 12:58:41 +0200 Subject: [PATCH 167/282] Update CHANGELOG.md --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f6dfd05b..74ed8b0f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -7,7 +7,8 @@ - Detection of Open Source Media Center (OSMC) ### Changed -- Correction of software EOL database and inclusion of AIX entries +- Correction of software EOL database and inclusion of AIX entries +- DBS-1826 - PostgreSQL detection improved for AlmaLinux, Rocky Linux, and FreeBSD --------------------------------------------------------------------------------- From 0ff7965a80d0fa300cf518385a90d69655381af5 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 10 May 2024 14:49:47 +0200 Subject: [PATCH 168/282] Update lynis Update the copyright line (year), it was very outdated --- lynis | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lynis b/lynis index 9ae06b67..ee6cc596 100755 --- a/lynis +++ b/lynis @@ -52,7 +52,7 @@ PROGRAM_SOURCE="https://github.com/CISOfy/lynis" PROGRAM_PACKAGE="https://packages.cisofy.com/" PROGRAM_DOCUMENTATION="https://cisofy.com/docs/" - PROGRAM_COPYRIGHT="2007-2021, ${PROGRAM_AUTHOR} - ${PROGRAM_WEBSITE}" + PROGRAM_COPYRIGHT="2007-2024, ${PROGRAM_AUTHOR} - ${PROGRAM_WEBSITE}" PROGRAM_LICENSE="${PROGRAM_NAME} comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under the terms of the GNU General Public License. See the LICENSE file for details about using this software." From b8064bc5def38b4e098f4f09c94489949a42fab3 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 14 May 2024 06:50:26 +0000 Subject: [PATCH 169/282] Don't reset status of malware scanner, as there might be two available. Small change to format --- include/tests_malware | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/include/tests_malware b/include/tests_malware index 7d6f7baf..0857ef43 100644 --- a/include/tests_malware +++ b/include/tests_malware 
@@ -46,18 +46,19 @@ TRENDMICRO_DSA_DAEMON_RUNNING=0 # ################################################################################# -# Test : MALW-3274 -# Description : Check for installed tool (McAfee VirusScan for Command Line) -Register --test-no MALW-3274 --weight L --network NO --category security --description "Check for McAfee VirusScan Command Line" -if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: checking presence McAfee VirusScan for Command Line" - if [ -x /usr/local/uvscan/uvscan ]; then - Display --indent 2 --text "- ${GEN_CHECKING} McAfee VirusScan for Command Line" --result "${STATUS_FOUND}" --color RED - LogText "Result: Found ${MCAFEECLBINARY}" - MALWARE_SCANNER_INSTALLED=0 - AddHP 0 2 - LogText "Result: McAfee Antivirus for Linux has been deprecated as of 1 Oct 2023 and will not receive updates. Please use another antivirus instead." -fi +# + # Test : MALW-3274 + # Description : Check for installed tool (McAfee VirusScan for Command Line) + Register --test-no MALW-3274 --weight L --network NO --category security --description "Check for McAfee VirusScan Command Line" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: checking presence McAfee VirusScan for Command Line" + if [ -x /usr/local/uvscan/uvscan ]; then + Display --indent 2 --text "- ${GEN_CHECKING} McAfee VirusScan for Command Line (deprecated)" --result "${STATUS_FOUND}" --color RED + LogText "Result: Found ${MCAFEECLBINARY}" + AddHP 0 2 + LogText "Result: McAfee Antivirus for Linux has been deprecated as of 1 Oct 2023 and will not receive updates. Please use another antivirus instead." + fi + fi ################################################################################# # # Test : MALW-3275 From eeec52b1604ef850c7d8b63dab0a72bb197a3000 Mon Sep 17 00:00:00 2001 
From: Michael Boelen Date: Tue, 14 May 2024 11:40:50 +0200 Subject: [PATCH 170/282] Update tests_mac_frameworks Changed check from is executable to is not empty --- include/tests_mac_frameworks | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_mac_frameworks b/include/tests_mac_frameworks index ca454529..207a98f5 100644 --- a/include/tests_mac_frameworks +++ b/include/tests_mac_frameworks @@ -158,7 +158,7 @@ Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_WARNING}" --color RED fi Display --indent 8 --text "Current SELinux mode: ${FIND}" - if [ -x "$SEMANAGEBINARY" ]; then + if [ -n "${SEMANAGEBINARY}" ]; then PERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${TRBINARY} '\n' ' ') NPERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${WCBINARY} -l) Display --indent 8 --text "Found ${NPERMISSIVE} permissive SELinux object types" From ba4cd63bdac6a3c613d27ef887c6950954d8ac65 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 14 May 2024 12:23:36 +0000 Subject: [PATCH 171/282] Added KDE Neon --- include/osdetection | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/include/osdetection b/include/osdetection index ea8ccedf..33790905 100644 --- a/include/osdetection +++ b/include/osdetection @@ -325,6 +325,13 @@ OS_NAME="Manjaro" OS_VERSION="Rolling release" ;; + "neon") + LINUX_VERSION="KDE Neon" + LINUX_VERSION_LIKE="Ubuntu" + OS_NAME="KDE Neon" + OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + ;; "nethserver") LINUX_VERSION="NethServer" OS_NAME="NethServer" From 79632bfbe5512d24e8a6c732471c7bfe78029f68 Mon Sep 17 00:00:00 2001 
From: Florian Sonnenschein Date: Tue, 14 May 2024 16:02:51 +0200 Subject: [PATCH 172/282] - Deleted "filevault_status" variable - Now checks if "fdesetup" exists - Add some hardening points (AddHP): 3 of 3 when enabled, 0 of 3, when not. --- include/tests_crypto | 32 +++++++++++++++++++------------- 1 file changed, 19 insertions(+), 13 deletions(-) diff --git a/include/tests_crypto b/include/tests_crypto index b7279163..7b77b707 100644 --- a/include/tests_crypto +++ b/include/tests_crypto 
@@ -222,19 +222,25 @@ # Description : Determine if system has enabled macOS FileVault encryption Register --test-no CRYP-7932 --os macOS --weight L --network NO --category crypto --description "Determine if system has enabled macOS FileVault encryption" if [ ${SKIPTEST} -eq 0 ]; then - filevault_status=$(fdesetup status) - - case "$filevault_status" in - *"FileVault is On."*) - LogText "Result: FileVault is enabled." - Display --indent 2 --text "- FileVault is enabled." --result "${STATUS_OK}" --color GREEN - Report "encryption[]=filevault" - ;; - *) - LogText "Result: FileVault is not enabled." - Display --indent 2 --text "- FileVault is not enabled." --result "${STATUS_WARNING}" --color RED - ;; - esac + if command -v fdesetup &> /dev/null; then + case $(fdesetup status) in + *"FileVault is On."*) + LogText "Result: FileVault is enabled." + Display --indent 2 --text "- FileVault is enabled." --result "${STATUS_OK}" --color GREEN + Report "encryption[]=filevault" + AddHP 3 3 + ;; + *) + LogText "Result: FileVault is not enabled." + Display --indent 2 --text "- FileVault is not enabled." --result "${STATUS_WARNING}" --color RED + AddHP 0 3 + ;; + esac + else + LogText "Result: fdesetup command not found. Unable to determine FileVault status." + Display --indent 2 --text "- Unable to determine FileVault status (fdesetup command not found)." --result "${STATUS_WARNING}" --color YELLOW + AddHP 0 3 + fi fi # ################################################################################# From 4f5ede1e42cf73aa6bbe8e2b45b9b95d4b702106 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 14 May 2024 19:32:54 +0200 Subject: [PATCH 173/282] Update CHANGELOG.md --- CHANGELOG.md | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 74ed8b0f..ae2dffc9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -3,12 +3,41 @@ ## Lynis 3.1.2 (not released yet) ### Added +- Detection of ALT Linux - Detection of Athena OS +- Detection of Container-Optimized OS from Google +- Detection of Koozali SME Server +- Detection of Nobara Linux - Detection of Open Source Media Center (OSMC) +- Detection of PostmarketOS +- CRYP-7932 - macOS FileVault encryption test +- FILE-6398 - Check if JBD (Journal Block Device) driver is loaded +- FINT-4344 - Wazuh system running state +- PKGS-7305 - Query macOS Apps in /Applications and CoreServices +- File added: .editorconfig, which is used by editors to standardize formatting ### Changed - Correction of software EOL database and inclusion of AIX entries - DBS-1826 - PostgreSQL detection improved for AlmaLinux, Rocky Linux, and FreeBSD +- KRNL-5622 - Use systemctl get-default instead of following link #1296 +- FILE-6344 - Test kernel version (major/minor) +- PKGS-7303 - Added version numbers to brew packages. +- Support sysctl value perf_event_paranoid -> 2|3 #1260 +- Update of Turkish translation +- Grammar and spell improvements +- Improved package detection on Alpine Linux +- Slackware support to check installed packges (functionPackageIsInstalled()) +- Added words prosecute/report to LEGAL_BANNER_STRINGS +- Busybox support: Replace newer tr command syntax with older ascii specific operations +- Added Wazuh as a malware scanner/antivirus and rootkit detection tool +- AUTH-9262 - Corrected message with advised PAM libary (libpam-passwdqc) +- CONT-8104 - Checking for errors, not only warning in docker info output +- LOGG-2144 - Check for wazuh-agent presence on Linux systems +- MACF-6234 - Test if semanage binary is available +- MALW-3200 - ESET Endpoint Antivirus added +- MALW-3280 - McAfee Antivirus for Linux deprecated +- MALW-3291 - Check if Microsoft Defender Antivirus is installe +- NETW-3200 - Added regex to allow both /bin/true as /bin/false --------------------------------------------------------------------------------- 
From 9fcd3bdeb356f5989ad5b0062e53216d0a214f63 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 15 May 2024 13:42:53 +0200 Subject: [PATCH 174/282] Update CHANGELOG.md --- CHANGELOG.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ae2dffc9..f53f6618 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,11 +18,7 @@ ### Changed - Correction of software EOL database and inclusion of AIX entries -- DBS-1826 - PostgreSQL detection improved for AlmaLinux, Rocky Linux, and FreeBSD -- KRNL-5622 - Use systemctl get-default instead of following link #1296 -- FILE-6344 - Test kernel version (major/minor) -- PKGS-7303 - Added version numbers to brew packages. -- Support sysctl value perf_event_paranoid -> 2|3 #1260 +- Support sysctl value perf_event_paranoid -> 2|3 - Update of Turkish translation - Grammar and spell improvements - Improved package detection on Alpine Linux @@ -32,12 +28,17 @@ - Added Wazuh as a malware scanner/antivirus and rootkit detection tool - AUTH-9262 - Corrected message with advised PAM libary (libpam-passwdqc) - CONT-8104 - Checking for errors, not only warning in docker info output +- DBS-1826 - PostgreSQL detection improved for AlmaLinux, Rocky Linux, and FreeBSD +- FILE-6344 - Test kernel version (major/minor) +- KRNL-5622 - Use systemctl get-default instead of following link - LOGG-2144 - Check for wazuh-agent presence on Linux systems - MACF-6234 - Test if semanage binary is available - MALW-3200 - ESET Endpoint Antivirus added - MALW-3280 - McAfee Antivirus for Linux deprecated - MALW-3291 - Check if Microsoft Defender Antivirus is installe - NETW-3200 - Added regex to allow both /bin/true as /bin/false +- PKGS-7303 - Added version numbers to brew packages +- PKGS-7370 - Cron job check for debsums improved --------------------------------------------------------------------------------- From 1a26005b506d2c5dbf0ce2b403dd3b612b2cb374 Mon Sep 17 00:00:00 2001 
From: Michael Boelen Date: Wed, 15 May 2024 14:12:54 +0200 Subject: [PATCH 175/282] Update consts Setting variables --- include/consts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/consts b/include/consts index 714f4a92..faf41987 100644 --- a/include/consts +++ b/include/consts @@ -299,7 +299,9 @@ ETC_PATHS="/etc /usr/local/etc" SSL_CERTIFICATE_INCLUDE_PACKAGES=0 SSL_CERTIFICATE_PATHS="" SSL_CERTIFICATE_PATHS_TO_IGNORE="" + STATUS_NOT_ACTIVE="" STUNNELBINARY="" + SURICATABINARY="" SWUPDBINARY="" SYSLOGNGBINARY="" SYSTEMCTLBINARY="" From 24679bee9a4a42142f9922f986577c97d746e258 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 15 May 2024 12:23:23 +0000 Subject: [PATCH 176/282] Do not unset SKIPREASON, as it is cleared at the beginning of the function --- include/functions | 1 - 1 file changed, 1 deletion(-) diff --git a/include/functions b/include/functions index 11ea3df4..66cdceb1 100644 --- a/include/functions +++ b/include/functions @@ -2762,7 +2762,6 @@ if [ ${SKIPLOGTEST} -eq 0 ]; then LogText "Reason to skip: ${SKIPREASON}"; fi TESTS_SKIPPED="${TEST_NO}|${TESTS_SKIPPED}" fi - unset SKIPREASON # Save timestamp for next time the Register function is called PREVIOUS_TEST="${TEST_NO}" From ac526be452c6e09d179680e3aa5e587ac47d5619 Mon Sep 17 00:00:00 2001 From: pyllyukko Date: Wed, 14 Feb 2024 21:12:55 +0200 Subject: [PATCH 177/282] Added initial version of a Kerberos plugin --- default.prf | 1 + include/binaries | 1 + plugins/plugin_krb5_phase1 | 121 +++++++++++++++++++++++++++++++++++++ 3 files changed, 123 insertions(+) create mode 100644 plugins/plugin_krb5_phase1 diff --git a/default.prf b/default.prf index ec043417..0e90fa04 100644 --- a/default.prf +++ b/default.prf @@ -144,6 +144,7 @@ plugin=software plugin=system-integrity plugin=systemd plugin=users +plugin=krb5 # Disable a particular plugin (will overrule an enabled plugin) #disable-plugin=authentication 
diff --git a/include/binaries b/include/binaries index a2b4895a..b65d5159 100644 --- a/include/binaries +++ b/include/binaries @@ -196,6 +196,7 @@ iptables-save) IPTABLESSAVEBINARY="${BINARY}"; LogText " Found known binary: iptables-save (firewall) - ${BINARY}" ;; istat) ISTATBINARY="${BINARY}"; LogText " Found known binary: istat (file information) - ${BINARY}" ;; journalctl) JOURNALCTLBINARY="${BINARY}"; LogText " Found known binary: journalctl (systemd journal) - ${BINARY}" ;; + kadmin.local) KADMINLOCALBINARY="${BINARY}"; LogText " Found known binary: kadmin.local (krb5) - ${BINARY}" ;; kldstat) KLDSTATBINARY="${BINARY}"; LogText " Found known binary: kldstat (kernel modules) - ${BINARY}" ;; kstat) KSTATBINARY="${BINARY}"; LogText " Found known binary: kstat (kernel statistics) - ${BINARY}" ;; launchctl) LAUNCHCTL_BINARY="${BINARY}"; SERVICE_MANAGER="launchd"; LogText " Found known binary: launchctl (launchd client) - ${BINARY}" ;; diff --git a/plugins/plugin_krb5_phase1 b/plugins/plugin_krb5_phase1 new file mode 100644 index 00000000..5a480dcb --- /dev/null +++ b/plugins/plugin_krb5_phase1 
@@ -0,0 +1,121 @@ +#!/bin/sh + +######################################################################### +# +# * DO NOT REMOVE * +#----------------------------------------------------- +# PLUGIN_AUTHOR="pyllyukko" +# PLUGIN_CATEGORY=security +# PLUGIN_DATE=2024-02-14 +# PLUGIN_DESC=Kerberos +# PLUGIN_NAME=krb5 +# PLUGIN_REQUIRED_TESTS= +# PLUGIN_VERSION=0.1 +#----------------------------------------------------- +# +######################################################################### +# + + # Test for the prerequisites first + if [ -n "${KADMINLOCALBINARY}" ] + then + PREQS_MET="YES" + # Make sure krb5 debugging doesn't mess up the output + unset KRB5_TRACE + PRINCS="$(${KADMINLOCALBINARY} listprincs | ${TRBINARY:-tr} '\n' ' ')" + if [ -z "${PRINCS}" ] + then + PREQS_MET="NO" + fi + else + PREQS_MET="NO" + fi + + # Test : KRB5-0001 + # Description : Check that Kerberos principals have passwords that expire + Register --test-no KRB5-0001 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check that Kerberos principals have passwords that expire" --progress + if [ ${SKIPTEST} -eq 0 ]; then + for I in ${PRINCS} + do + FIND="$(${KADMINLOCALBINARY} getprinc "${I}" | ${GREPBINARY} '^Password expiration date:')" + if [ "${FIND}" = "Password expiration date: [never]" ] + then + LogText "Result: Kerberos principal ${I} has a password/key that never expires" + fi + done + fi +# +################################################################################# +# + + # Test : KRB5-0002 + # Description : Check last password change for Kerberos principals + Register --test-no KRB5-0002 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check last password change for Kerberos principals" --progress + if [ ${SKIPTEST} -eq 0 ]; then + for I in ${PRINCS} + do + FIND="$(${KADMINLOCALBINARY} getprinc "${I}" | ${SEDBINARY} -n '/^Last password change:\s\+/s/^Last password change:\s\+//p')" + if [ "${FIND}" = "[never]" ] + then + LogText "Result: Kerberos 
principal ${I} has a password/key that has never been changed" + else + J="$(date -d "${FIND}" +%s)" + if [ ${J} -lt $((NOW - 60 * 60 * 24 * 365)) ] + then + LogText "Result: Kerberos principal ${I} has had a password/key change over a year ago" + fi + fi + done + fi + +# +################################################################################# +# + + # Test : KRB5-0003 + # Description : Check that Kerberos principals have a policy associated to them + Register --test-no KRB5-0003 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check that Kerberos principals have a policy associated to them" --progress + if [ ${SKIPTEST} -eq 0 ]; then + for I in ${PRINCS} + do + FIND="$(${KADMINLOCALBINARY} getprinc "${I}" | ${GREPBINARY} '^Policy:')" + if [ "${FIND}" = "Policy: [none]" ] + then + LogText "Result: Kerberos principal ${I} does not have a policy associated to it" + fi + done + fi + +# +################################################################################# +# + + # Test : KRB5-0004 + # Description : Check various attributes for Kerberos principals + Register --test-no KRB5-0004 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check various attributes for Kerberos principals" --progress + if [ ${SKIPTEST} -eq 0 ]; then + for I in ${PRINCS} + do + J="$(${KADMINLOCALBINARY} getprinc "${I}" | ${SEDBINARY} -n 's/^Attributes:\s\+\(.\+\)$/\1/p')" + if ContainsString "^K/M@" "${I}" || \ + ContainsString "^kadmin/admin@" "${I}" || \ + ContainsString "^kadmin/changepw@" "${I}" || \ + ContainsString "^krbtgt/" "${I}" + then + if ! ContainsString "\bLOCKDOWN_KEYS\b" "${J}" + then + LogText "Result: Sensitive Kerberos principal ${I} does not have the lockdown_keys attribute" + fi + fi + done + fi + +# +################################################################################# +# + +unset PRINCS +unset I +unset J + +#EOF From 4d5b41cb4e92365c27b4e738ba70f8d9f4cf9f8a Mon Sep 17 00:00:00 2001 
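Review bot: In KRB5-0002, `J="$(date -d "${FIND}" +%s)"` depends on GNU date (`-d` means something else on BSD date), and when the conversion fails J is empty, so `[ ${J} -lt ... ]` becomes a malformed test instead of a skipped principal; the `\s\+` sed patterns in KRB5-0002 and KRB5-0004 are likewise GNU extensions in a `#!/bin/sh` file. Guarding the conversion keeps the loop going: `J="$(date -d "${FIND}" +%s 2>/dev/null)"` followed by `if [ -n "${J}" ] && [ "${J}" -lt $((NOW - 60 * 60 * 24 * 365)) ]`. NOW is not set anywhere in this file, so it is presumably provided by the framework that sources the plugin; a short comment saying so would help the next reader. The prerequisite block also runs `listprincs` before any test has been registered, so the KDC database is read even when every KRB5 test is skipped.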
From: pyllyukko Date: Thu, 22 Feb 2024 11:59:02 +0200 Subject: [PATCH 178/282] plugin_krb5_phase1: Added few more tests * Check that admin principals have disallow_tgt_based attribute * Check that regular user principals have requires_pre_auth and disallow_svr attributes * Check for weak crypto * Use kdb5_util for this --- include/binaries | 1 + plugins/plugin_krb5_phase1 | 33 +++++++++++++++++++++++++++++++-- 2 files changed, 32 insertions(+), 2 deletions(-) diff --git a/include/binaries b/include/binaries index b65d5159..46359b3c 100644 --- a/include/binaries +++ b/include/binaries @@ -197,6 +197,7 @@ istat) ISTATBINARY="${BINARY}"; LogText " Found known binary: istat (file information) - ${BINARY}" ;; journalctl) JOURNALCTLBINARY="${BINARY}"; LogText " Found known binary: journalctl (systemd journal) - ${BINARY}" ;; kadmin.local) KADMINLOCALBINARY="${BINARY}"; LogText " Found known binary: kadmin.local (krb5) - ${BINARY}" ;; + kdb5_util) KDB5UTILBINARY="${BINARY}"; LogText " Found known binary: kdb5_util (krb5) - ${BINARY}" ;; kldstat) KLDSTATBINARY="${BINARY}"; LogText " Found known binary: kldstat (kernel modules) - ${BINARY}" ;; kstat) KSTATBINARY="${BINARY}"; LogText " Found known binary: kstat (kernel statistics) - ${BINARY}" ;; launchctl) LAUNCHCTL_BINARY="${BINARY}"; SERVICE_MANAGER="launchd"; LogText " Found known binary: launchctl (launchd client) - ${BINARY}" ;; diff --git a/plugins/plugin_krb5_phase1 b/plugins/plugin_krb5_phase1 index 5a480dcb..625a3bc9 100644 --- a/plugins/plugin_krb5_phase1 +++ b/plugins/plugin_krb5_phase1 
@@ -10,14 +10,14 @@ # PLUGIN_DESC=Kerberos # PLUGIN_NAME=krb5 # PLUGIN_REQUIRED_TESTS= -# PLUGIN_VERSION=0.1 +# PLUGIN_VERSION=0.2 #----------------------------------------------------- # ######################################################################### # # Test for the prerequisites first - if [ -n "${KADMINLOCALBINARY}" ] + if [ -n "${KADMINLOCALBINARY}" ] && [ -n "${KDB5UTILBINARY}" ] then PREQS_MET="YES" # Make sure krb5 debugging doesn't mess up the output @@ -106,10 +106,39 @@ then LogText "Result: Sensitive Kerberos principal ${I} does not have the lockdown_keys attribute" fi + elif ContainsString "/admin@" "${I}" + then + if ! ContainsString "\bDISALLOW_TGT_BASED\b" "${J}" + then + LogText "Result: Kerberos admin principal ${I} does not have the disallow_tgt_based attribute" + fi + elif ContainsString "^[^/$]+@" "${I}" + then + if ! ContainsString "\bREQUIRES_PRE_AUTH\b.+\bDISALLOW_SVR\b" "${J}" + then + LogText "Result: Regular Kerberos user principal ${I} does not have the requires_pre_auth and/or the disallow_svr attribute" + fi fi done fi +# +################################################################################# +# + + # Test : KRB5-0005 + # Description : Check for weak crypto + Register --test-no KRB5-0005 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for weak crypto" --progress + if [ ${SKIPTEST} -eq 0 ]; then + FIND=$(${KDB5UTILBINARY} tabdump keyinfo | ${AWKBINARY} '$4 ~ /(des|arcfour|cbc|sha1)/{print$1,$4}') + while read I J + do + LogText "Result: Kerberos principal ${I} has a key with weak cryptographic algorithm ${J}" + done << EOF +${FIND} +EOF + fi + # ################################################################################# # From 5182ce31fb5e3dc6a73952a43f13447670ebd2b0 Mon Sep 17 00:00:00 2001 
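Review bot: The regular-user check in KRB5-0004, `ContainsString "\bREQUIRES_PRE_AUTH\b.+\bDISALLOW_SVR\b" "${J}"`, only matches when REQUIRES_PRE_AUTH appears before DISALLOW_SVR, so the test encodes the order in which kadmin prints attributes rather than the presence of the two attributes themselves. Two independent lookups express the intent and match the "and/or" wording of the log line: `if ! ContainsString "\bREQUIRES_PRE_AUTH\b" "${J}" || ! ContainsString "\bDISALLOW_SVR\b" "${J}"`. Whether `\b` is honoured depends on how ContainsString invokes its matcher, which is outside this hunk. In KRB5-0005, `while read I J` should be `while read -r I J` so backslashes in principal names are not interpreted.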
From: pyllyukko Date: Wed, 15 May 2024 21:51:44 +0300 Subject: [PATCH 179/282] Changed the Kerberos plugin into a category According to @mboelen's recommendations: https://github.com/CISOfy/lynis/pull/1456#issuecomment-2110761098 --- db/languages/en | 1 + .../tests_kerberos | 92 +++++++++++++------ lynis | 2 +- 3 files changed, 67 insertions(+), 28 deletions(-) rename plugins/plugin_krb5_phase1 => include/tests_kerberos (53%) diff --git a/db/languages/en b/db/languages/en index 52ace1f7..689cc57e 100644 --- a/db/languages/en +++ b/db/languages/en @@ -63,6 +63,7 @@ SECTION_USB_DEVICES="USB Devices" SECTION_USERS_GROUPS_AND_AUTHENTICATION="Users, Groups and Authentication" SECTION_VIRTUALIZATION="Virtualization" SECTION_WEBSERVER="Software: webserver" +SECTION_KERBEROS="Kerberos" STATUS_ACTIVE="ACTIVE" STATUS_CHECK_NEEDED="CHECK NEEDED" STATUS_DEBUG="DEBUG" diff --git a/plugins/plugin_krb5_phase1 b/include/tests_kerberos similarity index 53% rename from plugins/plugin_krb5_phase1 rename to include/tests_kerberos index 625a3bc9..494a01b1 100644 --- a/plugins/plugin_krb5_phase1 +++ b/include/tests_kerberos @@ -1,22 +1,14 @@ #!/bin/sh -######################################################################### -# -# * DO NOT REMOVE * -#----------------------------------------------------- -# PLUGIN_AUTHOR="pyllyukko" -# PLUGIN_CATEGORY=security -# PLUGIN_DATE=2024-02-14 -# PLUGIN_DESC=Kerberos -# PLUGIN_NAME=krb5 -# PLUGIN_REQUIRED_TESTS= -# PLUGIN_VERSION=0.2 -#----------------------------------------------------- +InsertSection "${SECTION_KERBEROS}" + # ######################################################################### # - # Test for the prerequisites first + # Test : KRB-1000 + # Description : Check that Kerberos principals have passwords that expire + Register --test-no KRB-1000 --weight L --network NO --description "Check for Kerberos KDC tools" if [ -n "${KADMINLOCALBINARY}" ] && [ -n "${KDB5UTILBINARY}" ] then PREQS_MET="YES" 
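Review bot: The comment above KRB-1000 still reads `# Description : Check that Kerberos principals have passwords that expire`, copied from the test that follows, while the registered description is "Check for Kerberos KDC tools"; `# Description : Check for Kerberos KDC tools` matches the call. The prerequisite block also runs `kadmin.local listprincs` without consulting SKIPTEST, so the KDC database is read even when KRB-1000 is skipped; presumably that is intended because the later tests reuse PRINCS, but a comment stating it would prevent someone "fixing" it. The block's closing `fi` is in the next hunk.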
@@ -30,10 +22,16 @@ else PREQS_MET="NO" fi + if [ "${PREQS_MET}" = "YES" ]; then + Display --indent 2 --text "- Check for Kerberos KDC and principals" --result "${STATUS_FOUND}" --color GREEN + else + Display --indent 2 --text "- Check for Kerberos KDC and principals" --result "${STATUS_NOT_FOUND}" --color WHITE + fi - # Test : KRB5-0001 + # Test : KRB-1010 # Description : Check that Kerberos principals have passwords that expire - Register --test-no KRB5-0001 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check that Kerberos principals have passwords that expire" --progress + Register --test-no KRB-1010 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check that Kerberos principals have passwords that expire" + FOUND=0 if [ ${SKIPTEST} -eq 0 ]; then for I in ${PRINCS} do 
@@ -41,59 +39,84 @@ if [ "${FIND}" = "Password expiration date: [never]" ] then LogText "Result: Kerberos principal ${I} has a password/key that never expires" + FOUND=1 fi done fi + if [ ${FOUND} -eq 1 ]; then + Display --indent 4 --text "- Principals without expiring password" --result "${STATUS_WARNING}" --color RED + ReportSuggestion "${TEST_NO}" "Make sure all your Kerberos principals have expiring passwords" + else + Display --indent 4 --text "- Principals without expiring password" --result "${STATUS_OK}" --color GREEN + fi # ################################################################################# # - # Test : KRB5-0002 + # Test : KRB-1020 # Description : Check last password change for Kerberos principals - Register --test-no KRB5-0002 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check last password change for Kerberos principals" --progress + Register --test-no KRB-1020 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check last password change for Kerberos principals" if [ ${SKIPTEST} -eq 0 ]; then + FOUND=0 for I in ${PRINCS} do FIND="$(${KADMINLOCALBINARY} getprinc "${I}" | ${SEDBINARY} -n '/^Last password change:\s\+/s/^Last password change:\s\+//p')" if [ "${FIND}" = "[never]" ] then LogText "Result: Kerberos principal ${I} has a password/key that has never been changed" + FOUND=1 else J="$(date -d "${FIND}" +%s)" if [ ${J} -lt $((NOW - 60 * 60 * 24 * 365)) ] then LogText "Result: Kerberos principal ${I} has had a password/key change over a year ago" + FOUND=1 fi fi done + if [ ${FOUND} -eq 1 ]; then + Display --indent 4 --text "- Principals with late password change" --result "${STATUS_WARNING}" --color RED + ReportSuggestion "${TEST_NO}" "Enforce frequent password/key change for your Kerberos principals" + else + Display --indent 4 --text "- Principals with late password change" --result "${STATUS_OK}" --color GREEN + fi fi # ################################################################################# # 
- # Test : KRB5-0003 + # Test : KRB-1030 # Description : Check that Kerberos principals have a policy associated to them - Register --test-no KRB5-0003 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check that Kerberos principals have a policy associated to them" --progress + Register --test-no KRB5-1030 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check that Kerberos principals have a policy associated to them" if [ ${SKIPTEST} -eq 0 ]; then + FOUND=0 for I in ${PRINCS} do FIND="$(${KADMINLOCALBINARY} getprinc "${I}" | ${GREPBINARY} '^Policy:')" if [ "${FIND}" = "Policy: [none]" ] then LogText "Result: Kerberos principal ${I} does not have a policy associated to it" + FOUND=1 fi done + if [ ${FOUND} -eq 1 ]; then + Display --indent 4 --text "- Principals without associated policy" --result "${STATUS_WARNING}" --color RED + ReportSuggestion "${TEST_NO}" "Make sure all your Kerberos principals have a policy associated to them" + else + Display --indent 4 --text "- Principals without associated policy" --result "${STATUS_OK}" --color GREEN + fi fi # ################################################################################# # - # Test : KRB5-0004 + # Test : KRB-1040 # Description : Check various attributes for Kerberos principals - Register --test-no KRB5-0004 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check various attributes for Kerberos principals" --progress + Register --test-no KRB5-1040 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check various attributes for Kerberos principals" if [ ${SKIPTEST} -eq 0 ]; then + FOUND=0 for I in ${PRINCS} do J="$(${KADMINLOCALBINARY} getprinc "${I}" | ${SEDBINARY} -n 's/^Attributes:\s\+\(.\+\)$/\1/p')" 
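Review bot: Two test IDs were not renamed consistently: the comments say `# Test : KRB-1030` and `# Test : KRB-1040`, but the calls are `Register --test-no KRB5-1030 ...` and `Register --test-no KRB5-1040 ...`, so the ID reported through TEST_NO in ReportSuggestion and any skip-test configuration would presumably use the old prefix. Changing them to `Register --test-no KRB-1030 ...` and `Register --test-no KRB-1040 ...` brings them in line with KRB-1010, KRB-1020 and KRB-1050. The hunk also places the KRB-1010 Display/ReportSuggestion block after the SKIPTEST guard while the other tests keep it inside, so a skipped KRB-1010 still prints a result line.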
@@ -105,38 +128,53 @@ if ! ContainsString "\bLOCKDOWN_KEYS\b" "${J}" then LogText "Result: Sensitive Kerberos principal ${I} does not have the lockdown_keys attribute" + FOUND=1 fi elif ContainsString "/admin@" "${I}" then if ! ContainsString "\bDISALLOW_TGT_BASED\b" "${J}" then LogText "Result: Kerberos admin principal ${I} does not have the disallow_tgt_based attribute" + FOUND=1 fi elif ContainsString "^[^/$]+@" "${I}" then if ! ContainsString "\bREQUIRES_PRE_AUTH\b.+\bDISALLOW_SVR\b" "${J}" then LogText "Result: Regular Kerberos user principal ${I} does not have the requires_pre_auth and/or the disallow_svr attribute" + FOUND=1 fi fi done + if [ ${FOUND} -eq 1 ]; then + Display --indent 4 --text "- Checking principals for various attributes" --result "${STATUS_WARNING}" --color RED + ReportSuggestion "${TEST_NO}" "Harden your Kerberos principals with appropriate attributes" + else + Display --indent 4 --text "- Checking principals for various attributes" --result "${STATUS_OK}" --color GREEN + fi fi # ################################################################################# # - # Test : KRB5-0005 + # Test : KRB-1050 # Description : Check for weak crypto - Register --test-no KRB5-0005 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for weak crypto" --progress + Register --test-no KRB-1050 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for weak crypto" if [ ${SKIPTEST} -eq 0 ]; then FIND=$(${KDB5UTILBINARY} tabdump keyinfo | ${AWKBINARY} '$4 ~ /(des|arcfour|cbc|sha1)/{print$1,$4}') - while read I J - do - LogText "Result: Kerberos principal ${I} has a key with weak cryptographic algorithm ${J}" - done << EOF + if [ -n "${FIND}" ]; then + while read I J + do + LogText "Result: Kerberos principal ${I} has a key with weak cryptographic algorithm ${J}" + done << EOF ${FIND} EOF + Display --indent 4 --text "- Principals with weak crypto" --result "${STATUS_WARNING}" --color RED + ReportSuggestion "${TEST_NO}" 
"Remove weak (des|arcfour|cbc|sha1) cryptographic keys from principals" + else + Display --indent 4 --text "- Principals with weak crypto" --result "${STATUS_OK}" --color GREEN + fi fi # diff --git a/lynis b/lynis index ee6cc596..95135e92 100755 --- a/lynis +++ b/lynis @@ -1018,7 +1018,7 @@ ${NORMAL} if [ "${TEST_GROUP_TO_CHECK}" = "all" ]; then LogText "Info: perform tests from all categories" - INCLUDE_TESTS="boot_services kernel memory_processes authentication shells \ + INCLUDE_TESTS="boot_services kernel memory_processes authentication kerberos shells \ filesystems usb storage storage_nfs nameservices dns ports_packages networking printers_spoolers \ mail_messaging firewalls webservers ssh snmp databases ldap php squid logging \ insecure_services banners scheduling accounting time crypto virtualization containers \ From 05b15f4209e6995fcea26aba8fc4638989944196 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 15 May 2024 20:15:09 +0000 Subject: [PATCH 180/282] Update language files for recent changes --- db/languages/az | 1 + db/languages/cn | 1 + db/languages/da | 1 + db/languages/de | 1 + db/languages/es | 1 + db/languages/fi | 1 + db/languages/fr | 1 + db/languages/gr | 1 + db/languages/he | 1 + db/languages/hu | 1 + db/languages/id | 2 ++ db/languages/it | 1 + db/languages/ja | 1 + db/languages/ko | 1 + db/languages/nb-NO | 1 + db/languages/nl | 1 + db/languages/pl | 1 + db/languages/pt | 1 + db/languages/ru | 1 + db/languages/se | 1 + db/languages/sk | 1 + db/languages/tr | 1 + 22 files changed, 23 insertions(+) diff --git a/db/languages/az b/db/languages/az index 24a0ca70..d5fce57b 100644 --- a/db/languages/az +++ b/db/languages/az @@ -106,3 +106,4 @@ STATUS_WARNING="Xəbərdarlıq" STATUS_YES="Bəli" TEXT_UPDATE_AVAILABLE="yeniləmə mövcud" TEXT_YOU_CAN_HELP_LOGFILE="qeydləri gönderib kömek eyleyin" +#SECTION_KERBEROS="Kerberos" diff --git a/db/languages/cn b/db/languages/cn index 11826db3..2ca49dde 100644 --- a/db/languages/cn +++ b/db/languages/cn 
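Review bot: The weak-crypto filter `$4 ~ /(des|arcfour|cbc|sha1)/` also matches the aes128/aes256-cts-hmac-sha1-96 enctypes, which are still the default key types on many KDCs, and the new suggestion text then tells the administrator to "Remove" those keys; deleting them before every client and service supports the SHA-2 AES enctypes (RFC 8009) would presumably break authentication rather than harden it. If flagging the SHA-1 AES types is intentional, the suggestion should distinguish deprecated from broken and advise migrating keys rather than removing them; otherwise drop `sha1` from the pattern and keep `des|arcfour|cbc`, which already catch the single-DES and 3DES variants. `while read I J` should also be `while read -r I J`. The test's closing `fi` and the rest of the file lie outside this hunk.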
@@ -107,3 +107,4 @@ STATUS_WARNING="警告" STATUS_YES="是" TEXT_UPDATE_AVAILABLE="有可以更新的版本" TEXT_YOU_CAN_HELP_LOGFILE="你可以通过记录日志来帮忙" +#SECTION_KERBEROS="Kerberos" diff --git a/db/languages/da b/db/languages/da index 1bd77089..b5c86332 100644 --- a/db/languages/da +++ b/db/languages/da @@ -106,3 +106,4 @@ STATUS_WEAK="SVAG" STATUS_YES="JA" TEXT_UPDATE_AVAILABLE="opdatering tilgængelig" TEXT_YOU_CAN_HELP_LOGFILE="Du kan hjælpe ved at bidrage med din logfil" +#SECTION_KERBEROS="Kerberos" diff --git a/db/languages/de b/db/languages/de index 942693a3..7932153a 100644 --- a/db/languages/de +++ b/db/languages/de @@ -106,3 +106,4 @@ STATUS_WEAK="SCHWACH" STATUS_YES="JA" TEXT_UPDATE_AVAILABLE="Aktualisierung verfügbar" TEXT_YOU_CAN_HELP_LOGFILE="Sie können durch Übermittlung Ihrer Logdatei helfen" +#SECTION_KERBEROS="Kerberos" diff --git a/db/languages/es b/db/languages/es index 1ad53db5..cbaf7a4e 100644 --- a/db/languages/es +++ b/db/languages/es @@ -107,3 +107,4 @@ STATUS_WEAK="DÉBIL" STATUS_YES="SÍ" TEXT_UPDATE_AVAILABLE="Actualización disponible" TEXT_YOU_CAN_HELP_LOGFILE="Puedes ayudar compartiendo tu archivo de registro" +#SECTION_KERBEROS="Kerberos" diff --git a/db/languages/fi b/db/languages/fi index e8dc3564..4b4e73c9 100644 --- a/db/languages/fi +++ b/db/languages/fi @@ -106,3 +106,4 @@ STATUS_WARNING="VAROITUS" STATUS_YES="KYLLÄ" TEXT_UPDATE_AVAILABLE="päivitys saatavilla" TEXT_YOU_CAN_HELP_LOGFILE="Voit auttaa toimittamalla lokitiedoston" +#SECTION_KERBEROS="Kerberos" diff --git a/db/languages/fr b/db/languages/fr index d0be5c99..353b55e7 100644 --- a/db/languages/fr +++ b/db/languages/fr @@ -106,3 +106,4 @@ STATUS_WEAK="FAIBLE" STATUS_YES="OUI" TEXT_UPDATE_AVAILABLE="Mise à jour disponible" TEXT_YOU_CAN_HELP_LOGFILE="Vous pouvez aider en envoyant votre fichier journal" +#SECTION_KERBEROS="Kerberos" diff --git a/db/languages/gr b/db/languages/gr index 15c3e509..2a45d7be 100644 --- a/db/languages/gr +++ b/db/languages/gr 
@@ -106,3 +106,4 @@ STATUS_WARNING="ΠΡΟΣΟΧΗ" STATUS_YES="ΝΑΙ" TEXT_UPDATE_AVAILABLE="διαθέσιμη ενημέρωση" TEXT_YOU_CAN_HELP_LOGFILE="Μπορείτε να βοηθήσετε παρέχοντας το αρχείο καταγραφής" +#SECTION_KERBEROS="Kerberos" diff --git a/db/languages/he b/db/languages/he index 9755bcf7..ceeb17d8 100644 --- a/db/languages/he +++ b/db/languages/he @@ -106,3 +106,4 @@ STATUS_WARNING="אזהרה" STATUS_YES="כן" TEXT_UPDATE_AVAILABLE="עדכון זמין" TEXT_YOU_CAN_HELP_LOGFILE="ניתן לעזור על ידי שליחת קובץ הלוג" +#SECTION_KERBEROS="Kerberos" diff --git a/db/languages/hu b/db/languages/hu index 90ae29e1..402b5272 100644 --- a/db/languages/hu +++ b/db/languages/hu @@ -106,3 +106,4 @@ STATUS_WARNING="FIGYELMEZTETÉS" STATUS_YES="IGEN" TEXT_UPDATE_AVAILABLE="frissítés elérhető" TEXT_YOU_CAN_HELP_LOGFILE="You can help by providing your log file" +#SECTION_KERBEROS="Kerberos" diff --git a/db/languages/id b/db/languages/id index 4a7b26f4..b9b7b42c 100644 --- a/db/languages/id +++ b/db/languages/id @@ -105,3 +105,5 @@ STATUS_WEAK="WEAK" STATUS_YES="YES" TEXT_UPDATE_AVAILABLE="update tersedia" TEXT_YOU_CAN_HELP_LOGFILE="Anda dapat membantu dengan memberikan file log Anda" +#SECTION_KERBEROS="Kerberos" +#STATUS_NOT_ACTIVE="NOT ACTIVE" diff --git a/db/languages/it b/db/languages/it index 26ff3076..0e4c0f19 100644 --- a/db/languages/it +++ b/db/languages/it @@ -106,3 +106,4 @@ STATUS_WEAK="DEBOLE" STATUS_YES="SI" TEXT_UPDATE_AVAILABLE="aggiornamento disponibile" TEXT_YOU_CAN_HELP_LOGFILE="Puoi aiutare fornendoci il tuo file di log" +#SECTION_KERBEROS="Kerberos" diff --git a/db/languages/ja b/db/languages/ja index 846b1eb1..4bdcf67d 100644 --- a/db/languages/ja +++ b/db/languages/ja @@ -106,3 +106,4 @@ STATUS_WARNING="警告" STATUS_YES="はい" TEXT_UPDATE_AVAILABLE="アップデートが利用可能" TEXT_YOU_CAN_HELP_LOGFILE="You can help by providing your log file" +#SECTION_KERBEROS="Kerberos" diff --git a/db/languages/ko b/db/languages/ko index 72d31d79..1c7cbca4 100644 --- a/db/languages/ko +++ b/db/languages/ko 
@@ -106,3 +106,4 @@ STATUS_WEAK="취약" STATUS_YES="예" TEXT_UPDATE_AVAILABLE="업데이트 가능" TEXT_YOU_CAN_HELP_LOGFILE="로그 파일을 제공하면 도움을 받을 수 있습니다" +#SECTION_KERBEROS="Kerberos" diff --git a/db/languages/nb-NO b/db/languages/nb-NO index ea3e8832..4bba067b 100644 --- a/db/languages/nb-NO +++ b/db/languages/nb-NO @@ -106,3 +106,4 @@ STATUS_WARNING="ADVARSEL" STATUS_YES="JA" TEXT_UPDATE_AVAILABLE="oppdatering tilgjengelig" TEXT_YOU_CAN_HELP_LOGFILE="Du kan bidra ved å laste opp din loggfil" +#SECTION_KERBEROS="Kerberos" diff --git a/db/languages/nl b/db/languages/nl index cdb92423..9600ba89 100644 --- a/db/languages/nl +++ b/db/languages/nl @@ -106,3 +106,4 @@ STATUS_WEAK="ZWAK" STATUS_YES="JA" TEXT_UPDATE_AVAILABLE="update beschikbaar" TEXT_YOU_CAN_HELP_LOGFILE="Help mee door je logbestand te delen" +#SECTION_KERBEROS="Kerberos" diff --git a/db/languages/pl b/db/languages/pl index 887d0a7d..ad7d45f4 100644 --- a/db/languages/pl +++ b/db/languages/pl @@ -106,3 +106,4 @@ STATUS_NOT_ACTIVE="NOT ACTIVE" #STATUS_YES="YES" #TEXT_UPDATE_AVAILABLE="update available" #TEXT_YOU_CAN_HELP_LOGFILE="You can help by providing your log file" +#SECTION_KERBEROS="Kerberos" diff --git a/db/languages/pt b/db/languages/pt index 483fabd6..8592e700 100644 --- a/db/languages/pt +++ b/db/languages/pt @@ -106,3 +106,4 @@ STATUS_WARNING="ATENÇÃO" STATUS_YES="SIM" TEXT_UPDATE_AVAILABLE="Atualização disponível" TEXT_YOU_CAN_HELP_LOGFILE="Você pode ajudar fornecendo seu arquivo de log" +#SECTION_KERBEROS="Kerberos" diff --git a/db/languages/ru b/db/languages/ru index 55a4717b..92402178 100644 --- a/db/languages/ru +++ b/db/languages/ru @@ -106,3 +106,4 @@ STATUS_WEAK="СЛАБЫЙ" STATUS_YES="ДА" TEXT_UPDATE_AVAILABLE="доступно обновление" TEXT_YOU_CAN_HELP_LOGFILE="Вы можете помочь, предоставив ваш лог-файл" +#SECTION_KERBEROS="Kerberos" diff --git a/db/languages/se b/db/languages/se index e5a90859..73418df1 100644 --- a/db/languages/se +++ b/db/languages/se 
@@ -106,3 +106,4 @@ STATUS_WARNING="VARNING" STATUS_YES="JA" TEXT_UPDATE_AVAILABLE="uppdatering tillgänglig" TEXT_YOU_CAN_HELP_LOGFILE="Du kan hjälpa till genom att bidra med din loggfil" +#SECTION_KERBEROS="Kerberos" diff --git a/db/languages/sk b/db/languages/sk index 45a18943..be3d28bf 100644 --- a/db/languages/sk +++ b/db/languages/sk @@ -106,3 +106,4 @@ STATUS_WARNING="VAROVANIE" STATUS_YES="ÁNO" TEXT_UPDATE_AVAILABLE="aktualizácia k dispozícii" TEXT_YOU_CAN_HELP_LOGFILE="Môžete pomôcť poskytnutím log súboru" +#SECTION_KERBEROS="Kerberos" diff --git a/db/languages/tr b/db/languages/tr index 3df59a53..707b6bc3 100644 --- a/db/languages/tr +++ b/db/languages/tr @@ -106,3 +106,4 @@ STATUS_WEAK="ZAYIF" STATUS_YES="EVET" TEXT_UPDATE_AVAILABLE="güncelleme var" TEXT_YOU_CAN_HELP_LOGFILE="Günlük dosyanızı göndererek yardımcı olabilirsiniz" +#SECTION_KERBEROS="Kerberos" From 7ad42d689f6089e6c93667b5a793476a2e9ca90d Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 15 May 2024 20:29:28 +0000 Subject: [PATCH 181/282] Fix for line that gave error --- include/tests_malware | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_malware b/include/tests_malware index b01b3855..70c1ff59 100644 --- a/include/tests_malware +++ b/include/tests_malware @@ -185,7 +185,7 @@ # ESET security products LogText "Test: checking process esets_daemon or oaeventd (ESET)" - if IsRunning "esets_daemon" || IsRunning "oaeventd"; then + if IsRunning "esets_daemon" || IsRunning "oaeventd"; then FOUND=1 ESET_DAEMON_RUNNING=1 MALWARE_DAEMON_RUNNING=1 From d60c197e14d357c9100ae22efe8d73429f000e4e Mon Sep 17 00:00:00 2001 From: pyllyukko Date: Wed, 15 May 2024 23:31:17 +0300 Subject: [PATCH 182/282] KRB-1010: Silence output when SKIPTEST != 0 Fixes https://github.com/CISOfy/lynis/pull/1456#issuecomment-2113390171 --- include/tests_kerberos | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) 
diff --git a/include/tests_kerberos b/include/tests_kerberos
index 494a01b1..9ef86267 100644
--- a/include/tests_kerberos
+++ b/include/tests_kerberos
@@ -31,8 +31,8 @@ InsertSection "${SECTION_KERBEROS}"
 # Test : KRB-1010
 # Description : Check that Kerberos principals have passwords that expire
 Register --test-no KRB-1010 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check that Kerberos principals have passwords that expire"
- FOUND=0
 if [ ${SKIPTEST} -eq 0 ]; then
+ FOUND=0
 for I in ${PRINCS}
 do
 FIND="$(${KADMINLOCALBINARY} getprinc "${I}" | ${GREPBINARY} '^Password expiration date:')"
@@ -42,12 +42,12 @@ InsertSection "${SECTION_KERBEROS}"
 FOUND=1
 fi
 done
- fi
- if [ ${FOUND} -eq 1 ]; then
- Display --indent 4 --text "- Principals without expiring password" --result "${STATUS_WARNING}" --color RED
- ReportSuggestion "${TEST_NO}" "Make sure all your Kerberos principals have expiring passwords"
- else
- Display --indent 4 --text "- Principals without expiring password" --result "${STATUS_OK}" --color GREEN
+ if [ ${FOUND} -eq 1 ]; then
+ Display --indent 4 --text "- Principals without expiring password" --result "${STATUS_WARNING}" --color RED
+ ReportSuggestion "${TEST_NO}" "Make sure all your Kerberos principals have expiring passwords"
+ else
+ Display --indent 4 --text "- Principals without expiring password" --result "${STATUS_OK}" --color GREEN
+ fi
 fi
 #
 #################################################################################
From c3996cd1bbbbbfca5a533d4a141ca9c1929a1944 Mon Sep 17 00:00:00 2001
From: pyllyukko
Date: Wed, 15 May 2024 23:22:28 +0300
Subject: [PATCH 183/282] Rephrasing
---
 include/functions | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/functions b/include/functions
index 66cdceb1..df27db8b 100644
--- a/include/functions
+++ b/include/functions
@@ -3174,7 +3174,7 @@ if [ ${PENTESTINGMODE} -eq 0 -a ${IS_PARAMETERS} -eq 0 ]; then if [ ! "${GROUP}" = "root" -a ! "${GROUP}" = "wheel" -a ! "${GROUPID}" = "0" ]; then - echo "Fatal error: group owner of directory $1 should be owned by root user, wheel or similar (found: ${GROUP})." + echo "Fatal error: group owner of directory $1 should be owned by root group, wheel or similar (found: ${GROUP})." ExitFatal fi fi From 14f0d563ed2fc2d37609794ddb417bd0114a1d83 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Thu, 16 May 2024 08:50:33 +0200 Subject: [PATCH 184/282] Update CHANGELOG.md --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index f53f6618..e72db758 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -26,11 +26,13 @@ - Added words prosecute/report to LEGAL_BANNER_STRINGS - Busybox support: Replace newer tr command syntax with older ascii specific operations - Added Wazuh as a malware scanner/antivirus and rootkit detection tool +- Updated PHP versions and removed PHP 5 (deprecated) - AUTH-9262 - Corrected message with advised PAM libary (libpam-passwdqc) - CONT-8104 - Checking for errors, not only warning in docker info output - DBS-1826 - PostgreSQL detection improved for AlmaLinux, Rocky Linux, and FreeBSD - FILE-6344 - Test kernel version (major/minor) - KRNL-5622 - Use systemctl get-default instead of following link +- KRNL-5820 - Accept ulimit with -H parameter also - LOGG-2144 - Check for wazuh-agent presence on Linux systems - MACF-6234 - Test if semanage binary is available - MALW-3200 - ESET Endpoint Antivirus added From f8e2da3087204ab7b0e60dd8c0b5d7e03d1d0c73 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Thu, 16 May 2024 11:13:25 +0000 Subject: [PATCH 185/282] PKGS-7392: filter only lines starting with a number when checking apt-check --- include/tests_ports_packages | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/include/tests_ports_packages b/include/tests_ports_packages index 42288a07..4a9fe6f3 100644 --- a/include/tests_ports_packages +++ b/include/tests_ports_packages @@ -1161,7 +1161,9 @@ EOF LogText "Result: found ${ROOTDIR}usr/lib/update-notifier/apt-check" LogText "Test: checking if any of the updates contain security updates" # apt-check binary is a script and translated. Do not search for normal text strings, but use numbered output only - FIND=$(${ROOTDIR}usr/lib/update-notifier/apt-check 2>&1 | ${AWKBINARY} -F\; '{ print $2 }') + # We search for the lines that start with a number, as on Ubuntu 24.04 an error can happen: + # Warning: W:Unable to read /var/lib/ubuntu-advantage/apt-esm/etc/apt/apt.conf.d/ - DirectoryExists (2: No such file or directory) + FIND=$(${ROOTDIR}usr/lib/update-notifier/apt-check 2>&1 | ${GREPBINARY} '^[0-9]' | ${AWKBINARY} -F\; '{ print $2 }') # Check if we get the proper line back and amount of security patches available if [ -z "${FIND}" ]; then LogText "Result: did not find security updates line" From d037b0697de8b2af1ab956f7fa139e81b3861fd6 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Thu, 16 May 2024 11:13:33 +0000 Subject: [PATCH 186/282] Update log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index e72db758..af9bdbfc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -41,6 +41,7 @@ - NETW-3200 - Added regex to allow both /bin/true as /bin/false - PKGS-7303 - Added version numbers to brew packages - PKGS-7370 - Cron job check for debsums improved +- PKGS-7392 - Improved filtering of apt-check output (Ubuntu 24.04 may give an error) --------------------------------------------------------------------------------- From ab17f170a57c1212d488fb24839be120a7d438e1 Mon Sep 17 00:00:00 2001 
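Review bot: With stderr merged into the pipeline, `${GREPBINARY} '^[0-9]'` lets through any line that starts with a digit, not only the semicolon-separated counter line the awk stage expects, so a future warning that begins with a number would still reach awk and could leave several values in FIND. Anchoring the whole shape, `${GREPBINARY} -E '^[0-9]+;[0-9]+$'`, pins exactly the line the new comment describes. The enclosing block starts and ends outside this hunk.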
From: Stefan Baumgartner Date: Sun, 19 May 2024 12:23:56 +0200 Subject: [PATCH 187/282] Fix regex for NETW-3200 --- include/tests_networking | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/tests_networking b/include/tests_networking index 44a65708..24bfc7d1 100644 --- a/include/tests_networking +++ b/include/tests_networking @@ -750,7 +750,7 @@ UNCOMMON_PROTOCOL_DISABLED=0 # First check modprobe.conf if [ -f ${ROOTDIR}etc/modprobe.conf ]; then - DATA=$(${GREPBINARY} "^install \+${P} \+/bin/(true|false)$" ${ROOTDIR}etc/modprobe.conf) + DATA=$(${GREPBINARY} "^install +${P} +/bin/(true|false)$" ${ROOTDIR}etc/modprobe.conf) if [ -n "${DATA}" ]; then LogText "Result: found ${P} module disabled via modprobe.conf" UNCOMMON_PROTOCOL_DISABLED=1 @@ -759,7 +759,7 @@ # Then additional modprobe configuration files if [ -d ${ROOTDIR}etc/modprobe.d ]; then # Return file names (-l) and suppress errors (-s) - DATA=$(${GREPBINARY} -l -s "^install \+${P} \+/bin/(true|false)$" ${ROOTDIR}etc/modprobe.d/*) + DATA=$(${GREPBINARY} -l -s "^install +${P} +/bin/(true|false)$" ${ROOTDIR}etc/modprobe.d/*) if [ -n "${DATA}" ]; then UNCOMMON_PROTOCOL_DISABLED=1 for F in ${DATA}; do From 0515094a337a092b8ae530e6fa94ba583827c1fe Mon Sep 17 00:00:00 2001 From: Stefan Baumgartner Date: Sun, 19 May 2024 12:34:57 +0200 Subject: [PATCH 188/282] Fix REGEX in FILE-6430 --- include/tests_filesystems | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/tests_filesystems b/include/tests_filesystems index cabc27e7..3bc5ec3e 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems 
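Review bot: Unless ${GREPBINARY} already carries -E, the pattern `"^install +${P} +/bin/(true|false)$"` is evaluated as a basic regular expression, where `+`, `(`, `|` and `)` are literal characters, so neither this line nor the modprobe.d line in the second hunk would match a real `install <module> /bin/true` entry; the old `\+` was at least GNU grep's BRE spelling of one-or-more. FILE-6430 in the following commit passes `-E` explicitly, so `DATA=$(${GREPBINARY} -E "^install +${P} +/bin/(true|false)$" ${ROOTDIR}etc/modprobe.conf)` and the same `-E` on the `-l -s` call would make the alternation work regardless of how GREPBINARY is defined. How GREPBINARY is set is outside this file, so this may already be covered; the explicit flag removes the doubt.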
@@ -877,8 +877,8 @@
 fi
 FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null)
 if [ -n "${FIND}" ]; then
- FIND1=$(${GREPBINARY} -E "^blacklist \+${FS}$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
- FIND2=$(${GREPBINARY} -E "^install \+${FS} \+/bin/true$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
+ FIND1=$(${GREPBINARY} -E "^blacklist +${FS}$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
+ FIND2=$(${GREPBINARY} -E "^install +${FS} +/bin/(true|false)$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
 if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then
 Display --indent 4 --text "- Module $FS is blacklisted" --result "OK" --color GREEN
 LogText "Result: module ${FS} is blacklisted"
From 2d03e1821df4ccd4d0603056ca22ace31d6fb3d7 Mon Sep 17 00:00:00 2001
From: Roeland Jansen
Date: Mon, 20 May 2024 12:36:00 +0200
Subject: [PATCH 189/282] tumbleweed: added /usr/etc/ssh to SSH_DAEMON_CONFIG_LOCS var
---
 include/tests_ssh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/tests_ssh b/include/tests_ssh
index 43bf7145..c0650d54 100644
--- a/include/tests_ssh
+++ b/include/tests_ssh
@@ -22,7 +22,7 @@
 #
 #################################################################################
 #
- SSH_DAEMON_CONFIG_LOCS="/etc /etc/ssh /usr/local/etc/ssh /opt/csw/etc/ssh"
+ SSH_DAEMON_CONFIG_LOCS="/etc /etc/ssh /usr/local/etc/ssh /opt/csw/etc/ssh /usr/etc/ssh"
 SSH_DAEMON_CONFIG=""
 SSH_DAEMON_PORT=""
 SSH_DAEMON_RUNNING=0
From e0d3b3f5c73b056375ef6581f319a72838659d42 Mon Sep 17 00:00:00 2001
From: Fernando <33039864+tuxslack@users.noreply.github.com>
Date: Wed, 22 May 2024 17:13:52 -0300
Subject: [PATCH 190/282] Update pt
---
 db/languages/pt | 134 +++++++++++++++++++++++++-----------------------
 1 file changed, 69 insertions(+), 65 deletions(-)
diff --git a/db/languages/pt b/db/languages/pt
index 8592e700..3035e242 100644
--- a/db/languages/pt
+++ b/db/languages/pt
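Review bot: Both new patterns end in `$` immediately after the module name or the `/bin/(true|false)` target, so a modprobe.d entry with trailing whitespace (a common artefact of hand-edited or templated files) is treated as not blacklisted and the test falls through to the negative branch outside the hunk. Permitting optional trailing blanks, `"^blacklist +${FS}[[:space:]]*$"` and `"^install +${FS} +/bin/(true|false)[[:space:]]*$"`, accepts those lines without loosening what is matched. The same `$` anchoring is present in the tests_networking patch just before this one and is kept by the two later patches that switch the separators to `[[:space:]]+`, so the fix belongs in all four. `${FS}` is interpolated into the ERE unescaped; whether the filesystem names in the enclosing loop can contain regex metacharacters is not visible here, but if they can it should be escaped or matched with `-F`-style logic.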
@@ -1,3 +1,7 @@ + +# Usado o Google Tradutor para traduzir: https://translate.google.com.br/ + + ERROR_NO_LICENSE="Nenhuma chave de licença configurada" ERROR_NO_UPLOAD_SERVER="Nenhum servidor de upload configurado" GEN_CHECKING="Verificando" 
@@ -14,96 +18,96 @@ NOTE_EXCEPTIONS_FOUND_DETAILED="Alguns eventos ou informações excepcionais for NOTE_EXCEPTIONS_FOUND="Exceptions encontradas" NOTE_PLUGINS_TAKE_TIME="Nota: plugins requerem testes mais extensivos e podem levar vários minutos para completar" NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Testes ignorados devido ao modo sem privilégios" -#SECTION_ACCOUNTING="Accounting" -#SECTION_BANNERS_AND_IDENTIFICATION="Banners and identification" -#SECTION_BASICS="Basics" -#SECTION_BOOT_AND_SERVICES="Boot and services" -#SECTION_CONTAINERS="Containers" -#SECTION_CRYPTOGRAPHY="Cryptography" +SECTION_ACCOUNTING="Contabilidade" +SECTION_BANNERS_AND_IDENTIFICATION="Banners e identificação" +SECTION_BASICS="Base" +SECTION_BOOT_AND_SERVICES="Inicialização e serviços" +SECTION_CONTAINERS="Containers" +SECTION_CRYPTOGRAPHY="Criptografia" SECTION_CUSTOM_TESTS="Testes personalizados" -#SECTION_DATABASES="Databases" -#SECTION_DATA_UPLOAD="Data upload" -#SECTION_DOWNLOADS="Downloads" -#SECTION_EMAIL_AND_MESSAGING="Software: e-mail and messaging" -#SECTION_FILE_INTEGRITY="Software: file integrity" -#SECTION_FILE_PERMISSIONS="File Permissions" -#SECTION_FILE_SYSTEMS="File systems" -#SECTION_FIREWALLS="Software: firewalls" -#SECTION_GENERAL="General" +SECTION_DATABASES="Bancos de dados" +SECTION_DATA_UPLOAD="Carregamento de dados" +SECTION_DOWNLOADS="Transferências" +SECTION_EMAIL_AND_MESSAGING="Programas: e-mail e mensagens" +SECTION_FILE_INTEGRITY="Programas: integridade do arquivo" +SECTION_FILE_PERMISSIONS="Permissões de arquivo" +SECTION_FILE_SYSTEMS="Sistemas de arquivos" +SECTION_FIREWALLS="Programas: firewalls" +SECTION_GENERAL="Em geral" #SECTION_HARDENING="Hardening" -#SECTION_HOME_DIRECTORIES="Home directories" -#SECTION_IMAGE="Image" -#SECTION_INITIALIZING_PROGRAM="Initializing program" -#SECTION_INSECURE_SERVICES="Insecure services" +SECTION_HOME_DIRECTORIES="Diretórios iniciais" +SECTION_IMAGE="Imagem" +SECTION_INITIALIZING_PROGRAM="Inicializando programa" 
+SECTION_INSECURE_SERVICES="Serviços inseguros" #SECTION_KERNEL_HARDENING="Kernel Hardening" -#SECTION_KERNEL="Kernel" -#SECTION_LDAP_SERVICES="LDAP Services" -#SECTION_LOGGING_AND_FILES="Logging and files" +SECTION_KERNEL="Kernel" +SECTION_LDAP_SERVICES="Serviços LDAP" +SECTION_LOGGING_AND_FILES="Registro e arquivos" SECTION_MALWARE="Malware" SECTION_MEMORY_AND_PROCESSES="Memória e Processos" -#SECTION_NAME_SERVICES="Name services" -#SECTION_NETWORKING="Networking" -#SECTION_PERMISSIONS="Permissions" -#SECTION_PORTS_AND_PACKAGES="Ports and packages" -#SECTION_PRINTERS_AND_SPOOLS="Printers and Spools" -#SECTION_PROGRAM_DETAILS="Program Details" -#SECTION_SCHEDULED_TASKS="Scheduled tasks" -#SECTION_SECURITY_FRAMEWORKS="Security frameworks" +SECTION_NAME_SERVICES="Serviços de nomes" +SECTION_NETWORKING="Rede" +SECTION_PERMISSIONS="Permissões" +SECTION_PORTS_AND_PACKAGES="Portas e pacotes" +SECTION_PRINTERS_AND_SPOOLS="Impressoras" +SECTION_PROGRAM_DETAILS="Detalhes do programa" +SECTION_SCHEDULED_TASKS="Atividades agendadas" +SECTION_SECURITY_FRAMEWORKS="Estruturas de segurança" #SECTION_SHELLS="Shells" -#SECTION_SNMP_SUPPORT="SNMP Support" -#SECTION_SOFTWARE="Software" -#SECTION_SQUID_SUPPORT="Squid Support" -#SECTION_SSH_SUPPORT="SSH Support" -#SECTION_STORAGE="Storage" -#SECTION_SYSTEM_INTEGRITY="Software: System integrity" -#SECTION_SYSTEM_TOOLING="Software: System tooling" -#SECTION_SYSTEM_TOOLS="System tools" -#SECTION_TIME_AND_SYNCHRONIZATION="Time and Synchronization" -#SECTION_USB_DEVICES="USB Devices" -#SECTION_USERS_GROUPS_AND_AUTHENTICATION="Users, Groups and Authentication" -#SECTION_VIRTUALIZATION="Virtualization" -#SECTION_WEBSERVER="Software: webserver" -#STATUS_ACTIVE="ACTIVE" -#STATUS_CHECK_NEEDED="CHECK NEEDED" +SECTION_SNMP_SUPPORT="Suporte SNMP" +SECTION_SOFTWARE="Programas" +SECTION_SQUID_SUPPORT="Suporte Squid" +SECTION_SSH_SUPPORT="Suporte SSH" +SECTION_STORAGE="Armazenamento" +SECTION_SYSTEM_INTEGRITY="Programas: Integridade do sistema" 
+SECTION_SYSTEM_TOOLING="Programas: Ferramentas de sistema" +SECTION_SYSTEM_TOOLS="Ferramentas do sistema" +SECTION_TIME_AND_SYNCHRONIZATION="Tempo e sincronização" +SECTION_USB_DEVICES="Dispositivos USB" +SECTION_USERS_GROUPS_AND_AUTHENTICATION="Usuários, grupos e autenticação" +SECTION_VIRTUALIZATION="Virtualização" +SECTION_WEBSERVER="Programas: Servidor Web" +STATUS_ACTIVE="ATIVO" +STATUS_CHECK_NEEDED="VERIFICAÇÃO NECESSÁRIA" #STATUS_DEBUG="DEBUG" -#STATUS_DEFAULT="DEFAULT" -#STATUS_DIFFERENT="DIFFERENT" +STATUS_DEFAULT="PADRÃO" +STATUS_DIFFERENT="DIFERENTE" STATUS_DISABLED="DESABILITADO" STATUS_DONE="FEITO" STATUS_ENABLED="HABILITADO" STATUS_ERROR="ERRO" -#STATUS_EXPOSED="EXPOSED" -#STATUS_FAILED="FAILED" -#STATUS_FILES_FOUND="FILES FOUND" +STATUS_EXPOSED="EXPOSTO" +STATUS_FAILED="FALHAR" +STATUS_FILES_FOUND="ARQUIVOS ENCONTRADOS" STATUS_FOUND="ENCONTRADO" #STATUS_HARDENED="HARDENED" -#STATUS_INSTALLED="INSTALLED" -#STATUS_LOCAL_ONLY="LOCAL ONLY" -#STATUS_MEDIUM="MEDIUM" +STATUS_INSTALLED="INSTALADO" +STATUS_LOCAL_ONLY="SOMENTE LOCAL" +STATUS_MEDIUM="MÉDIO" STATUS_NO="NÃO" -#STATUS_NON_DEFAULT="NON DEFAULT" +STATUS_NON_DEFAULT="FORA DO PADRÃO" STATUS_NONE="NENHUM" STATUS_NOT_ACTIVE="NOT ACTIVE" -#STATUS_NOT_CONFIGURED="NOT CONFIGURED" -#STATUS_NOT_DISABLED="NOT DISABLED" -#STATUS_NOT_ENABLED="NOT ENABLED" +STATUS_NOT_CONFIGURED="NÃO CONFIGURADO" +STATUS_NOT_DISABLED="NÃO DESATIVADO" +STATUS_NOT_ENABLED="NÃO HABILITADO" STATUS_NOT_FOUND="NÃO ENCONTRADO" STATUS_NOT_RUNNING="PARADO" -#STATUS_NO_UPDATE="NO UPDATE" -STATUS_OFF="OFF" +STATUS_NO_UPDATE="SEM ATUALIZAÇÃO" +STATUS_OFF="DESLIGADO" STATUS_OK="OK" -STATUS_ON="ON" +STATUS_ON="LIGADO" #STATUS_PARTIALLY_HARDENED="PARTIALLY HARDENED" -#STATUS_PROTECTED="PROTECTED" +STATUS_PROTECTED="PROTEGIDO" STATUS_RUNNING="EM EXECUÇÃO" STATUS_SKIPPED="IGNORADO" STATUS_SUGGESTION="SUGESTÃO" STATUS_UNKNOWN="DESCONHECIDO" -#STATUS_UNSAFE="UNSAFE" -#STATUS_UPDATE_AVAILABLE="UPDATE AVAILABLE" +STATUS_UNSAFE="INSEGURO" 
+STATUS_UPDATE_AVAILABLE="ATUALIZAÇÃO DISPONÍVEL"
 STATUS_WARNING="ATENÇÃO"
-#STATUS_WEAK="WEAK"
+STATUS_WEAK="FRACO"
 STATUS_YES="SIM"
 TEXT_UPDATE_AVAILABLE="Atualização disponível"
 TEXT_YOU_CAN_HELP_LOGFILE="Você pode ajudar fornecendo seu arquivo de log"
-#SECTION_KERBEROS="Kerberos"
+SECTION_KERBEROS="Kerberos"
From a6da9336af579703887e12cffe6a42ce55827756 Mon Sep 17 00:00:00 2001
From: Stefan Baumgartner
Date: Fri, 24 May 2024 08:15:50 +0200
Subject: [PATCH 191/282] Update tests_networking
More elegant regex to accommodate for tabs and spaces.
---
 include/tests_networking | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/tests_networking b/include/tests_networking
index 24bfc7d1..764204cf 100644
--- a/include/tests_networking
+++ b/include/tests_networking
@@ -750,7 +750,7 @@
 UNCOMMON_PROTOCOL_DISABLED=0
 # First check modprobe.conf
 if [ -f ${ROOTDIR}etc/modprobe.conf ]; then
- DATA=$(${GREPBINARY} "^install +${P} +/bin/(true|false)$" ${ROOTDIR}etc/modprobe.conf)
+ DATA=$(${GREPBINARY} -E "^install[[:space:]]+${P}[[:space:]]+/bin/(true|false)$" ${ROOTDIR}etc/modprobe.conf)
 if [ -n "${DATA}" ]; then
 LogText "Result: found ${P} module disabled via modprobe.conf"
 UNCOMMON_PROTOCOL_DISABLED=1
@@ -759,7 +759,7 @@
 # Then additional modprobe configuration files
 if [ -d ${ROOTDIR}etc/modprobe.d ]; then
 # Return file names (-l) and suppress errors (-s)
- DATA=$(${GREPBINARY} -l -s "^install +${P} +/bin/(true|false)$" ${ROOTDIR}etc/modprobe.d/*)
+ DATA=$(${GREPBINARY} -l -s -E "^install[[:space:]]+${P}[[:space:]]+/bin/(true|false)$" ${ROOTDIR}etc/modprobe.d/*)
 if [ -n "${DATA}" ]; then
 UNCOMMON_PROTOCOL_DISABLED=1
 for F in ${DATA}; do
From 9eafa7913c979033cf8c9d704e899bf553e211ac Mon Sep 17 00:00:00 2001
From: Stefan Baumgartner
Date: Fri, 24 May 2024 08:18:16 +0200
Subject: [PATCH 192/282] Update tests_filesystems
More elegant regex to accommodate for tabs and spaces.
---
 include/tests_filesystems | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/tests_filesystems b/include/tests_filesystems
index 3bc5ec3e..58efe975 100644
--- a/include/tests_filesystems
+++ b/include/tests_filesystems
@@ -877,8 +877,8 @@
 fi
 FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null)
 if [ -n "${FIND}" ]; then
- FIND1=$(${GREPBINARY} -E "^blacklist +${FS}$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
- FIND2=$(${GREPBINARY} -E "^install +${FS} +/bin/(true|false)$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
+ FIND1=$(${GREPBINARY} -E "^blacklist[[:space:]]+${FS}$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
+ FIND2=$(${GREPBINARY} -E "^install[[:space:]]+${FS}[[:space:]]+/bin/(true|false)$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
 if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then
 Display --indent 4 --text "- Module $FS is blacklisted" --result "OK" --color GREEN
 LogText "Result: module ${FS} is blacklisted"
From 106db35b1ba563b7902ec6b3c08a30dcc91899fe Mon Sep 17 00:00:00 2001
From: Michael Boelen
Date: Mon, 27 May 2024 13:41:56 +0200
Subject: [PATCH 193/282] Update CHANGELOG.md
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index af9bdbfc..0b41e276 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -20,6 +20,7 @@
 - Correction of software EOL database and inclusion of AIX entries
 - Support sysctl value perf_event_paranoid -> 2|3
 - Update of Turkish translation
+- Update of Portuguese translation
 - Grammar and spell improvements
 - Improved package detection on Alpine Linux
 - Slackware support to check installed packges (functionPackageIsInstalled())
From 02c823f4f670dc1db7577b1baca80ca09d36277a Mon Sep 17 00:00:00 2001
From: arnaudprc <146345184+arnaudprc@users.noreply.github.com> Date: Thu, 20 Jun 2024 15:14:08 +0200 Subject: [PATCH 194/282] Update fr --- db/languages/fr | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/db/languages/fr b/db/languages/fr index 353b55e7..7220ff91 100644 --- a/db/languages/fr +++ b/db/languages/fr @@ -106,4 +106,4 @@ STATUS_WEAK="FAIBLE" STATUS_YES="OUI" TEXT_UPDATE_AVAILABLE="Mise à jour disponible" TEXT_YOU_CAN_HELP_LOGFILE="Vous pouvez aider en envoyant votre fichier journal" -#SECTION_KERBEROS="Kerberos" +SECTION_KERBEROS="Kerberos" From 79ad5fc0c94f700aca3669b3f748441d32eaba99 Mon Sep 17 00:00:00 2001 From: Maik Date: Tue, 25 Jun 2024 10:13:04 +0200 Subject: [PATCH 195/282] Accept Keberos translation in DE Language Kerberos is Kerberos in german. --- db/languages/de | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/db/languages/de b/db/languages/de index 7932153a..ab4c76f9 100644 --- a/db/languages/de +++ b/db/languages/de @@ -106,4 +106,4 @@ STATUS_WEAK="SCHWACH" STATUS_YES="JA" TEXT_UPDATE_AVAILABLE="Aktualisierung verfügbar" TEXT_YOU_CAN_HELP_LOGFILE="Sie können durch Übermittlung Ihrer Logdatei helfen" -#SECTION_KERBEROS="Kerberos" +SECTION_KERBEROS="Kerberos" From 339b2d996fa24695f491d738714f9784439312fd Mon Sep 17 00:00:00 2001 From: slrslr <6596726+slrslr@users.noreply.github.com> Date: Mon, 8 Jul 2024 07:37:26 +0000 Subject: [PATCH 196/282] Update README.md Latest archive.org backup that I have found. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 4fa3900e..b6565bac 100644 --- a/README.md +++ b/README.md 
@@ -100,7 +100,7 @@ Lynis is collecting some awards along the way and we are proud of that. * 2015 * [![ToolsWatch Best Tools (second place)](https://www.toolswatch.org/badges/toptools/2015.svg)](https://www.toolswatch.org/2016/02/2015-top-security-tools-as-voted-by-toolswatch-org-readers/) - * [Best of Open Source Software Awards 2015](http://www.idgenterprise.com/news/press-release/infoworld-announces-the-2015-best-of-open-source-software-awards/). + * [Best of Open Source Software Awards 2015](http://www.idgenterprise.com/news/press-release/infoworld-announces-the-2015-best-of-open-source-software-awards/) ([mirror](https://web.archive.org/web/20210313082124/https://www.idg.com/news/infoworld-announces-the-2015-best-of-open-source-software-awards/)). * 2014 * [![ToolsWatch Best Tools (third place)](https://www.toolswatch.org/badges/toptools/2014.svg)](https://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/) From c513c97236e38265693736fecc9296f8da11b688 Mon Sep 17 00:00:00 2001 From: sdgondola <162355067+sdgondola@users.noreply.github.com> Date: Tue, 23 Jul 2024 11:14:39 +0000 Subject: [PATCH 197/282] Update it --- db/languages/it | 120 ++++++++++++++++++++++++------------------------ 1 file changed, 60 insertions(+), 60 deletions(-) diff --git a/db/languages/it b/db/languages/it index 0e4c0f19..160a50d6 100644 --- a/db/languages/it +++ b/db/languages/it 
@@ -14,96 +14,96 @@ NOTE_EXCEPTIONS_FOUND_DETAILED="Sono stati rilevati alcuni eventi o informazioni NOTE_EXCEPTIONS_FOUND="Trovate Eccezioni" NOTE_PLUGINS_TAKE_TIME="Nota: i plugin sono sottoposti a test più estesi e possono richiedere alcuni minuti per il completamento" NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Test saltati a causa della modalità di esecuzione non privilegiata" -#SECTION_ACCOUNTING="Accounting" -#SECTION_BANNERS_AND_IDENTIFICATION="Banners and identification" -#SECTION_BASICS="Basics" -#SECTION_BOOT_AND_SERVICES="Boot and services" -#SECTION_CONTAINERS="Containers" -#SECTION_CRYPTOGRAPHY="Cryptography" +SECTION_ACCOUNTING="Accounting" +SECTION_BANNERS_AND_IDENTIFICATION="Banners e identificazione" +SECTION_BASICS="Basi" +SECTION_BOOT_AND_SERVICES="Avvio e servizi" +SECTION_CONTAINERS="Container" +SECTION_CRYPTOGRAPHY="Crittografia" SECTION_CUSTOM_TESTS="Test su misura (Custom)" -#SECTION_DATABASES="Databases" -#SECTION_DATA_UPLOAD="Data upload" +SECTION_DATABASES="Database" +SECTION_DATA_UPLOAD="Caricamenti dati" SECTION_DOWNLOADS="Scaricamenti" -#SECTION_EMAIL_AND_MESSAGING="Software: e-mail and messaging" -#SECTION_FILE_INTEGRITY="Software: file integrity" -#SECTION_FILE_PERMISSIONS="File Permissions" -#SECTION_FILE_SYSTEMS="File systems" -#SECTION_FIREWALLS="Software: firewalls" +SECTION_EMAIL_AND_MESSAGING="Software: e-mail e messaggistica" +SECTION_FILE_INTEGRITY="Software: integrità file" +SECTION_FILE_PERMISSIONS="Permessi file" +SECTION_FILE_SYSTEMS="File system" +SECTION_FIREWALLS="Software: firewall" SECTION_GENERAL="Generale" -#SECTION_HARDENING="Hardening" -#SECTION_HOME_DIRECTORIES="Home directories" -#SECTION_IMAGE="Image" +SECTION_HARDENING="Hardening" +SECTION_HOME_DIRECTORIES="Cartelle home" +SECTION_IMAGE="Immagine" SECTION_INITIALIZING_PROGRAM="Inizializzando il programma" SECTION_INSECURE_SERVICES="Service insicuri" -#SECTION_KERNEL_HARDENING="Kernel Hardening" -#SECTION_KERNEL="Kernel" -#SECTION_LDAP_SERVICES="LDAP Services" 
-#SECTION_LOGGING_AND_FILES="Logging and files" +SECTION_KERNEL_HARDENING="Hardening del kernel" +SECTION_KERNEL="Kernel" +SECTION_LDAP_SERVICES="Servizi LDAP" +SECTION_LOGGING_AND_FILES="Logging e file" SECTION_MALWARE="Malware" SECTION_MEMORY_AND_PROCESSES="Memoria e Processi" -#SECTION_NAME_SERVICES="Name services" -#SECTION_NETWORKING="Networking" -#SECTION_PERMISSIONS="Permissions" -#SECTION_PORTS_AND_PACKAGES="Ports and packages" -#SECTION_PRINTERS_AND_SPOOLS="Printers and Spools" -#SECTION_PROGRAM_DETAILS="Program Details" -#SECTION_SCHEDULED_TASKS="Scheduled tasks" -#SECTION_SECURITY_FRAMEWORKS="Security frameworks" -#SECTION_SHELLS="Shells" -#SECTION_SNMP_SUPPORT="SNMP Support" -#SECTION_SOFTWARE="Software" -#SECTION_SQUID_SUPPORT="Squid Support" -#SECTION_SSH_SUPPORT="SSH Support" +SECTION_NAME_SERVICES="Name services" +SECTION_NETWORKING="Rete" +SECTION_PERMISSIONS="Permessi" +SECTION_PORTS_AND_PACKAGES="Ports e pacchetti" +SECTION_PRINTERS_AND_SPOOLS="Stampanti e code di stampa" +SECTION_PROGRAM_DETAILS="Dettagli programma" +SECTION_SCHEDULED_TASKS="Azioni programmate" +SECTION_SECURITY_FRAMEWORKS="Framework di sicurezza" +SECTION_SHELLS="Shells" +SECTION_SNMP_SUPPORT="Supporto per SNMP" +SECTION_SOFTWARE="Software" +SECTION_SQUID_SUPPORT="Supporto per Squid" +SECTION_SSH_SUPPORT="Supporto per SSH" SECTION_STORAGE="Spazio di archiviazione" -#SECTION_SYSTEM_INTEGRITY="Software: System integrity" +SECTION_SYSTEM_INTEGRITY="Software: integrità del sistema" #SECTION_SYSTEM_TOOLING="Software: System tooling" -#SECTION_SYSTEM_TOOLS="System tools" +SECTION_SYSTEM_TOOLS="Strumenti di sistema" SECTION_TIME_AND_SYNCHRONIZATION="Tempo and Sincronizzazione" -#SECTION_USB_DEVICES="USB Devices" -#SECTION_USERS_GROUPS_AND_AUTHENTICATION="Users, Groups and Authentication" -#SECTION_VIRTUALIZATION="Virtualization" -#SECTION_WEBSERVER="Software: webserver" -#STATUS_ACTIVE="ACTIVE" -#STATUS_CHECK_NEEDED="CHECK NEEDED" -#STATUS_DEBUG="DEBUG" -#STATUS_DEFAULT="DEFAULT" 
-#STATUS_DIFFERENT="DIFFERENT" +SECTION_USB_DEVICES="Periferiche USB" +SECTION_USERS_GROUPS_AND_AUTHENTICATION="Utenti, Gruppi e Authenticazione" +SECTION_VIRTUALIZATION="Virtualizzazione" +SECTION_WEBSERVER="Software: webserver" +STATUS_ACTIVE="ATTIVO" +STATUS_CHECK_NEEDED="CONTROLLO RICHIESTO" +STATUS_DEBUG="DEBUG" +STATUS_DEFAULT="DEFAULT" +STATUS_DIFFERENT="DIFFERENTE" STATUS_DISABLED="DISABILITATO" STATUS_DONE="FATTO" STATUS_ENABLED="ABILITATO" STATUS_ERROR="ERRORE" -#STATUS_EXPOSED="EXPOSED" +STATUS_EXPOSED="ESPOSTO" STATUS_FAILED="FALLITO" -#STATUS_FILES_FOUND="FILES FOUND" +STATUS_FILES_FOUND="FILE TROVATI" STATUS_FOUND="TROVATO" -#STATUS_HARDENED="HARDENED" -#STATUS_INSTALLED="INSTALLED" -#STATUS_LOCAL_ONLY="LOCAL ONLY" -#STATUS_MEDIUM="MEDIUM" -#STATUS_NON_DEFAULT="NON DEFAULT" +STATUS_HARDENED="HARDENED" +STATUS_INSTALLED="INSTALLATO" +STATUS_LOCAL_ONLY="SOLO LOCALE" +STATUS_MEDIUM="MEDIO" +STATUS_NON_DEFAULT="NON DEFAULT" STATUS_NONE="NESSUNO" STATUS_NO="NO" -STATUS_NOT_ACTIVE="NOT ACTIVE" +STATUS_NOT_ACTIVE="NON ATTIVO" STATUS_NOT_CONFIGURED="NON CONFIGURATO" -#STATUS_NOT_DISABLED="NOT DISABLED" -#STATUS_NOT_ENABLED="NOT ENABLED" +STATUS_NOT_DISABLED="NON DISABILITATO" +STATUS_NOT_ENABLED="NON ABILITATO" STATUS_NOT_FOUND="NON TROVATO" STATUS_NOT_RUNNING="NON IN ESECUZIONE" -#STATUS_NO_UPDATE="NO UPDATE" +STATUS_NO_UPDATE="NESSUN AGGIORNAMENTO" STATUS_OFF="OFF" STATUS_OK="OK" STATUS_ON="ON" -#STATUS_PARTIALLY_HARDENED="PARTIALLY HARDENED" -#STATUS_PROTECTED="PROTECTED" +STATUS_PARTIALLY_HARDENED="PARZIALMENTE HARDENED" +STATUS_PROTECTED="PROTETTO" STATUS_RUNNING="IN ESECUZIONE" STATUS_SKIPPED="SALTATO" STATUS_SUGGESTION="SUGGERIMENTO" STATUS_UNKNOWN="SCONOSCIUTO" -#STATUS_UNSAFE="UNSAFE" -#STATUS_UPDATE_AVAILABLE="UPDATE AVAILABLE" +STATUS_UNSAFE="NON SICURO" +STATUS_UPDATE_AVAILABLE="AGGIORNAMENTO DISPONIBILE" STATUS_WARNING="ATTENZIONE" STATUS_WEAK="DEBOLE" STATUS_YES="SI" TEXT_UPDATE_AVAILABLE="aggiornamento disponibile" 
 TEXT_YOU_CAN_HELP_LOGFILE="Puoi aiutare fornendoci il tuo file di log"
-#SECTION_KERBEROS="Kerberos"
+SECTION_KERBEROS="Kerberos"
From bc88602e41c02d03229dc4ca571465bc87a70c47 Mon Sep 17 00:00:00 2001
From: ferorge <38674077+ferorge@users.noreply.github.com>
Date: Tue, 23 Jul 2024 19:19:55 -0300
Subject: [PATCH 198/282] Fix issue #1496
Added package and service name used in ubuntu 24.04.
---
 include/tests_insecure_services | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/tests_insecure_services b/include/tests_insecure_services
index 0a1dd955..564db774 100644
--- a/include/tests_insecure_services
+++ b/include/tests_insecure_services
@@ -41,7 +41,7 @@ if [ ${SKIPTEST} -eq 0 ]; then
 # Check for installed inetd daemon
 LogText "Test: Checking if inetd is installed"
- if PackageIsInstalled "inetd"; then
+ if PackageIsInstalled "inetd" || PackageIsInstalled "inetutils-inetd"; then
 INETD_PACKAGE_INSTALLED=1
 LogText "Result: inetd is installed"
 Display --indent 2 --text "- Installed inetd package" --result "${STATUS_FOUND}" --color YELLOW
@@ -61,7 +61,7 @@ if [ ${SKIPTEST} -eq 0 ]; then
 # Check running processes
 LogText "Test: Searching for active inet daemon"
- if IsRunning "inetd"; then
+ if IsRunning "inetd" || IsRunning "inetutils-inetd"; then
 LogText "Result: inetd is running"
 Display --indent 4 --text "- inetd status" --result "${STATUS_ACTIVE}" --color GREEN
 INETD_ACTIVE=1
From 623eaa76fe211075530e7fafd59b4ae06e7273da Mon Sep 17 00:00:00 2001
From: ferorge <38674077+ferorge@users.noreply.github.com>
Date: Tue, 23 Jul 2024 19:22:07 -0300
Subject: [PATCH 199/282] Fix issue #1497
Added kernel name for Hardkernel odroid XU4.
---
 include/tests_ports_packages | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/tests_ports_packages b/include/tests_ports_packages
index 4a9fe6f3..35de8cd5 100644
--- a/include/tests_ports_packages
+++ b/include/tests_ports_packages
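Review bot: With the new `|| PackageIsInstalled "inetutils-inetd"` alternative, the following `LogText "Result: inetd is installed"` (and `LogText "Result: inetd is running"` in the second hunk) no longer records which of the two names matched, which makes the log harder to act on when a host carries both packages or only the inetutils variant. Recording the matched name keeps the log precise, e.g. `LogText "Result: inetd (package inetd or inetutils-inetd) is installed"`, or splitting the condition so each branch logs its own package name. Whether `IsRunning` compares the process name exactly or as a substring is not visible here; if it is a substring match, `IsRunning "inetd"` already covers `inetutils-inetd` and the second call is redundant, and if it is exact, a one-line comment naming the binary the inetutils package starts would explain why both are checked. Both `if [ ${SKIPTEST} -eq 0 ]` blocks continue outside the hunks.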
@@ -1378,7 +1378,7 @@ EOF
 if [ "${DPKGBINARY}" ]; then
 TESTED=1
- KERNEL_PKG_NAMES="linux-image-[0-9]|raspberrypi-kernel|pve-kernel-[0-9]"
+ KERNEL_PKG_NAMES="linux-image-[0-9]|raspberrypi-kernel|pve-kernel-[0-9]|linux-odroid-5422"
 KERNELS=$(${DPKGBINARY} -l 2> /dev/null | ${GREPBINARY} -E "${KERNEL_PKG_NAMES}" | ${WCBINARY} -l)
 if [ ${KERNELS} -eq 0 ]; then
 LogText "Result: found no kernels from dpkg -l output, which is unexpected"
From 815e7d7c66311510dcd9a535da354daf33187816 Mon Sep 17 00:00:00 2001
From: Michael Boelen
Date: Wed, 7 Aug 2024 11:40:08 +0000
Subject: [PATCH 200/282] AUTH-9328: log entry was incorrect
---
 include/tests_authentication | 2 --
 1 file changed, 2 deletions(-)
diff --git a/include/tests_authentication b/include/tests_authentication
index 08890980..f936619f 100644
--- a/include/tests_authentication
+++ b/include/tests_authentication
@@ -1270,8 +1270,6 @@
 LogText "Result: found no umask. Please check if this is correct"
 Display --indent 4 --text "- umask (/etc/profile)" --result "${STATUS_NOT_FOUND}" --color YELLOW
 fi
- else
- LogText "Result: file /etc/profile does not exist"
 fi
 # /etc/passwd
From 10e630055efa58914211dced00c63d991ed4a3b3 Mon Sep 17 00:00:00 2001
From: NikJesus <61071047+NikJesus@users.noreply.github.com>
Date: Wed, 28 Aug 2024 14:15:28 +0300
Subject: [PATCH 201/282] Update ru
---
 db/languages/ru | 144 ++++++++++++++++++++++++------------------------
 1 file changed, 72 insertions(+), 72 deletions(-)
diff --git a/db/languages/ru b/db/languages/ru
index 92402178..a770ab56 100644
--- a/db/languages/ru
+++ b/db/languages/ru
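Review bot: The new `linux-odroid-5422` alternative is, like the existing ones, matched with `grep -E` against every line of `dpkg -l`, and that listing also contains packages in the removed-but-not-purged (`rc`) state, so a kernel package that is no longer on disk still increments `KERNELS` and the `-eq 0` check below passes on its account. Restricting the count to installed packages first, `KERNELS=$(${DPKGBINARY} -l 2> /dev/null | ${GREPBINARY} '^ii' | ${GREPBINARY} -E "${KERNEL_PKG_NAMES}" | ${WCBINARY} -l)`, makes the number reflect what is actually installed. The new name also carries no boundary, so any package whose name merely contains `linux-odroid-5422` would be counted as a kernel; whether such sibling packages exist is not visible here, and the same is true of the earlier alternatives. The enclosing `if [ "${DPKGBINARY}" ]` block continues outside the hunk.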
@@ -1,75 +1,75 @@ -ERROR_NO_LICENSE="Лицензионный ключ не настроен" -ERROR_NO_UPLOAD_SERVER="Загрузочный сервер не настроен" -GEN_CHECKING="Проверка" -GEN_CURRENT_VERSION="Текущая версия" -GEN_DEBUG_MODE="Режим отладки" -GEN_INITIALIZE_PROGRAM="Инициализация программы" -GEN_LATEST_VERSION="Последняя версия" -GEN_PHASE="Стадия" -GEN_PLUGINS_ENABLED="Плагины включены" -GEN_UPDATE_AVAILABLE="доступно обновление" -GEN_VERBOSE_MODE="Подробный режим" -GEN_WHAT_TO_DO="Что сделать" -NOTE_EXCEPTIONS_FOUND_DETAILED="Были найдены некоторые исключительные события или информация" -NOTE_EXCEPTIONS_FOUND="Найдены исключения" -NOTE_PLUGINS_TAKE_TIME="Примечание: плагины имеют более обширные тесты и могут занять несколько минут до завершения" -NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Тесты пропущены из-за использования непривилегированного режима" -SECTION_ACCOUNTING="Учёт" -SECTION_BANNERS_AND_IDENTIFICATION="Баннеры и идентификаторы" -SECTION_BASICS="Основное" -SECTION_BOOT_AND_SERVICES="Загрузка и сервисы" -SECTION_CONTAINERS="Контейнеры" -SECTION_CRYPTOGRAPHY="Криптография" -SECTION_CUSTOM_TESTS="Пользовательские тесты" -SECTION_DATABASES="Базы данных" -SECTION_DATA_UPLOAD="Отправка данных" -SECTION_DOWNLOADS="Загрузки" -SECTION_EMAIL_AND_MESSAGING="Программное обеспечение: e-mail и отправка сообщений" +ERROR_NO_LICENSE="ОШИБКА: ЛИЦЕНЗИОННЫЙ КЛЮЧ НЕ НАСТРОЕН" +ERROR_NO_UPLOAD_SERVER="ОШИБКА: ЗАГРУЗОЧНЫЙ СЕРВЕР НЕ НАСТРОЕН" +GEN_CHECKING="ПРОВЕРКА" +GEN_CURRENT_VERSION="ТЕКУЩАЯ ВЕРСИЯ" +GEN_DEBUG_MODE="РЕЖИМ ОТЛАДКИ" +GEN_INITIALIZE_PROGRAM="ИНИЦИАЛИЗАЦИЯ ПРОГРАММЫ" +GEN_LATEST_VERSION="ПОСЛЕДНЯЯ ВЕРСИЯ" +GEN_PHASE="СТАДИЯ" +GEN_PLUGINS_ENABLED="ПЛАГИНЫ ВКЛЮЧЕНЫ" +GEN_UPDATE_AVAILABLE="ДОСТУПНО ОБНОВЛЕНИЕ" +GEN_VERBOSE_MODE="ПОДРОБНЫЙ РЕЖИМ" +GEN_WHAT_TO_DO="ЧТО СДЕЛАТЬ?" 
+NOTE_EXCEPTIONS_FOUND_DETAILED="БЫЛИ ОБНАРУЖЕНЫ УНИКАЛЬНЫЕ СОБЫТИЯ ИЛИ СВЕДЕНИЯ" +NOTE_EXCEPTIONS_FOUND="НАЙДЕННЫ ИСКЛЮЧЕНИЯ" +NOTE_PLUGINS_TAKE_TIME="ПРИМЕЧАНИЕ: ПЛАГИНЫ ИМЕЮТ БОЛЕЕ ОБШИРНЫЕ ТЕСТЫ И МОГУТ ЗАНЯТЬ НЕСКОЛЬКО МИНУТ ДО ЗАВЕРШЕНИЯ" +NOTE_SKIPPED_TESTS_NON_PRIVILEGED="ТЕСТЫ ПРОПУЩЕНЫ ИЗ-ЗА ИСПОЛЬЗОВАНИЯ НЕПРЕВЕЛИГИРОВАННОГО РЕЖИМА" +SECTION_ACCOUNTING="УЧЁТ" +SECTION_BANNERS_AND_IDENTIFICATION="БАННЕРЫ И ИДЕНТИФИКАТОРЫ" +SECTION_BASICS="ОСНОВНОЕ" +SECTION_BOOT_AND_SERVICES="ЗАГРУЗКА И СЕРВИСЫ" +SECTION_CONTAINERS="КОНТЕЙНЕРЫ" +SECTION_CRYPTOGRAPHY="КРИПТОГРАФИЯ" +SECTION_CUSTOM_TESTS="ПОЛЬЗОВАТЕЛЬСКИЕ ТЕСТЫ" +SECTION_DATABASES="БАЗЫ ДАННЫХ" +SECTION_DATA_UPLOAD="ОТПРАВКА ДАННЫХ" +SECTION_DOWNLOADS="ЗАГРУЗКИ" +SECTION_EMAIL_AND_MESSAGING="ПРОГРАММНОЕ ОБЕСПЕЧЕНИЕ: E-MAIL И ОТПРАВКА СООБЩЕНИЙ" SECTION_FILE_INTEGRITY="Программное обеспечение: целостность файлов" -SECTION_FILE_PERMISSIONS="Права доступа к файлам" -SECTION_FILE_SYSTEMS="Файловые системы" -SECTION_FIREWALLS="Программное обеспечение: firewall" -SECTION_GENERAL="Общее" -SECTION_HARDENING="Усиление" -SECTION_HOME_DIRECTORIES="Домашние директории" -SECTION_IMAGE="Образы" -SECTION_INITIALIZING_PROGRAM="Инициализация программы" -SECTION_INSECURE_SERVICES="Небезопасные сервисы" -SECTION_KERNEL_HARDENING="УСиления ядра" -SECTION_KERNEL="Ядро" -SECTION_LDAP_SERVICES="Сервисы LDAP" -SECTION_LOGGING_AND_FILES="Логирование и файлы" -SECTION_MALWARE="Вредоносное ПО" -SECTION_MEMORY_AND_PROCESSES="Память и процессы" -SECTION_NAME_SERVICES="Серверы имён" -SECTION_NETWORKING="Сети" -SECTION_PERMISSIONS="Права доступа" -SECTION_PORTS_AND_PACKAGES="Пакеты" -SECTION_PRINTERS_AND_SPOOLS="Принтеры и спулеры" -SECTION_PROGRAM_DETAILS="Подробности о программе" -SECTION_SCHEDULED_TASKS="Запланированные задачи" -SECTION_SECURITY_FRAMEWORKS="Фреймворки" -SECTION_SHELLS="Командные оболочки" -SECTION_SNMP_SUPPORT="Поддержка SNMP" -SECTION_SOFTWARE="Программное обеспечение" -SECTION_SQUID_SUPPORT="Поддержка Squid" 
-SECTION_SSH_SUPPORT="Поддержка SSH" -SECTION_STORAGE="Хранилище" -SECTION_SYSTEM_INTEGRITY="Программное обеспечение: целостность системы" -SECTION_SYSTEM_TOOLING="SПрограммное обеспечение: системные инструменты" -SECTION_SYSTEM_TOOLS="Системные утилиты" -SECTION_TIME_AND_SYNCHRONIZATION="Время и его синхронизация" -SECTION_USB_DEVICES="USB Устройства" -SECTION_USERS_GROUPS_AND_AUTHENTICATION="Пользователи, группы и Аутентификация" -SECTION_VIRTUALIZATION="Виртуализация" -SECTION_WEBSERVER="Программное обеспечение: веб-серверы" +SECTION_FILE_PERMISSIONS="ПРАВА ДОСТУПА К ФАЙЛАМ" +SECTION_FILE_SYSTEMS="ФАЙЛОВЫЕ СИСТЕМЫ" +SECTION_FIREWALLS="ПРОГРАММНОЕ ОБЕСПЕЧЕНИЕ: FIREWALL" +SECTION_GENERAL="ОБЩЕЕ" +SECTION_HARDENING="УСИЛЕНИЕ" +SECTION_HOME_DIRECTORIES="ДОМАШНИЕ ДИРЕКТОРИИ" +SECTION_IMAGE="ОБРАЗЫ" +SECTION_INITIALIZING_PROGRAM="ИНИЦИАЛИЗАЦИЯ ПРОГРАММЫ" +SECTION_INSECURE_SERVICES="НЕБЕЗОПАСНЫЕ СЕРВИСЫ" +SECTION_KERNEL_HARDENING="УСИЛЕНИЕ ЯДРА" +SECTION_KERNEL="ЯДРО" +SECTION_LDAP_SERVICES="СЕРВИСЫ LDAP" +SECTION_LOGGING_AND_FILES="ЛОГИРОВАНИЕ И ФАЙЛЫ" +SECTION_MALWARE="ВРЕДОНОСНОЕ ПО" +SECTION_MEMORY_AND_PROCESSES="ПАМЯТЬ И ПРОЦЕССОРЫ" +SECTION_NAME_SERVICES="СЕРВЕРЫ ИМЁН" +SECTION_NETWORKING="СЕТИ" +SECTION_PERMISSIONS="ПРАВА ДОСТУПА" +SECTION_PORTS_AND_PACKAGES="ПАКЕТЫ" +SECTION_PRINTERS_AND_SPOOLS="ПРИНТЕРЫ И СПУЛЕРЫ" +SECTION_PROGRAM_DETAILS="ПОДРОБНОСТИ О ПРОГРАММЕ" +SECTION_SCHEDULED_TASKS="ЗАПЛАНИРОВАННЫЕ ЗАДАЧИ" +SECTION_SECURITY_FRAMEWORKS="ФРЕЙМВОРКИ" +SECTION_SHELLS="КОМАНДНЫЕ ОБОЛОЧКИ" +SECTION_SNMP_SUPPORT="ПОДДЕРЖКА SNMP" +SECTION_SOFTWARE="ПРОГРАММНОЕ ОБЕСПЕЧЕНИЕ" +SECTION_SQUID_SUPPORT="ПОДДЕРЖКА Squid" +SECTION_SSH_SUPPORT="ПОДДЕРЖКА SSH" +SECTION_STORAGE="ХРАНИЛИЩЕ" +SECTION_SYSTEM_INTEGRITY="ПРОГРАММНОЕ ОБЕСПЕЧЕНИЕ: ЦЕЛОСТНОСТЬ СИСТЕМЫ" +SECTION_SYSTEM_TOOLING="ПРОГРАММНОЕ ОБЕСПЕЧЕНИЕ: СИСТЕМНЫЕ ИНСТУРМЕНТЫ" +SECTION_SYSTEM_TOOLS="СИСТЕМНЫЕ УТИЛИТЫ" +SECTION_TIME_AND_SYNCHRONIZATION="ВРЕМЯ И ЕГО СИНХРОНИЗАЦИЯ" +SECTION_USB_DEVICES="USB УСТРОЙСТВА" 
+SECTION_USERS_GROUPS_AND_AUTHENTICATION="ПОЛЬЗОВАТЕЛИ, ГРУППЫ И АУТЕНТИФИКАЦИЯ" +SECTION_VIRTUALIZATION="ВИРТУАЛИЗАЦИЯ" +SECTION_WEBSERVER="ПРОГРАММНОЕ ОБЕСПЕЧЕНИЕ: WEB-СЕРВЕРЫ" STATUS_ACTIVE="АКТИВЕН" STATUS_CHECK_NEEDED="ТРЕБУЕТСЯ ПРОВЕРКА" STATUS_DEBUG="ОТЛАДКА" STATUS_DEFAULT="ПО УМОЛЧАНИЮ" STATUS_DIFFERENT="ОТЛИЧАЕТСЯ" STATUS_DISABLED="ОТКЛЮЧЕНО" -STATUS_DONE="Завершено" +STATUS_DONE="ЗАВЕРШЕНО" STATUS_ENABLED="ВКЛЮЧЕНО" STATUS_ERROR="ОШИБКА" STATUS_EXPOSED="УЯЗВИМО" @@ -81,8 +81,8 @@ STATUS_INSTALLED="УСТАНОВЛЕНО" STATUS_LOCAL_ONLY="ТОЛЬКО ЛОКАЛЬНО" STATUS_MEDIUM="СРЕДНИЙ" STATUS_NON_DEFAULT="НЕ ПО УМОЛЧАНИЮ" -STATUS_NONE="Отсутствует" -STATUS_NOT_ACTIVE="NOT ACTIVE" +STATUS_NONE="ОТСУТСТВУЕТ" +STATUS_NOT_ACTIVE="НЕ АКТИВЕН" STATUS_NOT_CONFIGURED="НЕ СКОНФИГУРИРОВАНО" STATUS_NOT_DISABLED="НЕ ОТКЛЮЧЕНО" STATUS_NOT_ENABLED="НЕ ВКЛЮЧЕНО" @@ -90,9 +90,9 @@ STATUS_NOT_FOUND="НЕ НАЙДЕНО" STATUS_NOT_RUNNING="НЕ ЗАПУЩЕНО" STATUS_NO_UPDATE="ОБНОВЛЕНИЙ НЕТ" STATUS_NO="НЕТ" -STATUS_OFF="Выключено" +STATUS_OFF="ВЫКЛЮЧЕНО" STATUS_OK="ОК" -STATUS_ON="Включено" +STATUS_ON="ВКЛЮЧЕНО" STATUS_PARTIALLY_HARDENED="ЧАСТИЧНО УСИЛЕНО" STATUS_PROTECTED="ЗАЩИЩЕНО" STATUS_RUNNING="ЗАПУЩЕНО" @@ -104,6 +104,6 @@ STATUS_UPDATE_AVAILABLE="ДОСТУПНЫ ОБНОВЛЕНИЯ" STATUS_WARNING="ПРЕДУПРЕЖДЕНИЕ" STATUS_WEAK="СЛАБЫЙ" STATUS_YES="ДА" -TEXT_UPDATE_AVAILABLE="доступно обновление" -TEXT_YOU_CAN_HELP_LOGFILE="Вы можете помочь, предоставив ваш лог-файл" -#SECTION_KERBEROS="Kerberos" +TEXT_UPDATE_AVAILABLE="ДОСТУПНО ОБНОВЛЕНИЕ" +TEXT_YOU_CAN_HELP_LOGFILE="ПОЖАЛУЙСТА, ПОМОГИТЕ НАМ, ОТПРАВИВ ВАШ LOG-ФАЙЛ" +SECTION_KERBEROS="KERBEROS" From 79786e5cc9b6bf702bc5dbde1aa0826986dbef8e Mon Sep 17 00:00:00 2001 From: Justin Pasher Date: Fri, 30 Aug 2024 11:17:46 -0500 Subject: [PATCH 202/282] Wrap quotes properly for dash and other(?) shells --- include/tests_webservers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/include/tests_webservers b/include/tests_webservers
index 4d56e1a8..14cff59c 100644
--- a/include/tests_webservers
+++ b/include/tests_webservers
@@ -323,7 +323,7 @@
 Display --indent 4 --text " ${APACHE_CONFFILE}" --result "${STATUS_NOT_FOUND}" --color WHITE
 else
 TRACEENABLED_SETTING=$( echo ${TRACEENABLE} | tr 'A-Z' 'a-z' )
- if [ x${TRACEENABLED_SETTING} == x'off' ]; then
+ if [ "x${TRACEENABLED_SETTING}" == 'xoff' ]; then
 LogText "Result: found TraceEnable setting set to 'off' in ${APACHE_CONFFILE}"
 Report "Apache setting: 'TraceEnable Off' in ${APACHE_CONFFILE}"
 Display --indent 4 --text " ${APACHE_CONFFILE}" --result "${STATUS_FOUND}" --color GREEN
From dc9d3606a4be3420ad80df931dd2cae0bd159445 Mon Sep 17 00:00:00 2001
From: Justin Pasher
Date: Fri, 30 Aug 2024 12:38:13 -0500
Subject: [PATCH 203/282] Needs to be single = for POSIX sh
---
 include/tests_webservers | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/tests_webservers b/include/tests_webservers
index 14cff59c..c0cfc5df 100644
--- a/include/tests_webservers
+++ b/include/tests_webservers
@@ -323,7 +323,7 @@
 Display --indent 4 --text " ${APACHE_CONFFILE}" --result "${STATUS_NOT_FOUND}" --color WHITE
 else
 TRACEENABLED_SETTING=$( echo ${TRACEENABLE} | tr 'A-Z' 'a-z' )
- if [ "x${TRACEENABLED_SETTING}" == 'xoff' ]; then
+ if [ "x${TRACEENABLED_SETTING}" = 'xoff' ]; then
 LogText "Result: found TraceEnable setting set to 'off' in ${APACHE_CONFFILE}"
 Report "Apache setting: 'TraceEnable Off' in ${APACHE_CONFFILE}"
 Display --indent 4 --text " ${APACHE_CONFFILE}" --result "${STATUS_FOUND}" --color GREEN
From dfb31e867ba1e555662cc8c027f957c15eb2021e Mon Sep 17 00:00:00 2001
From: JerGet
Date: Tue, 3 Sep 2024 11:02:50 +0200
Subject: [PATCH 204/282] Update fr
---
 db/languages/fr | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/db/languages/fr b/db/languages/fr
index 353b55e7..7220ff91 100644
--- a/db/languages/fr
+++ b/db/languages/fr
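Review bot: The comparison is now quoted and POSIX, but the value it tests still comes from the unquoted `echo ${TRACEENABLE}` on the context line above, and `TRACEENABLE` is assembled from every `TraceEnable` directive the earlier grep finds in the file, so a configuration that states the directive more than once produces a multi-word value (constructed example: `off off`) that fails `= 'xoff'` and is reported as needing attention even when every directive says off. Reducing the value to a single word before lowering it, `TRACEENABLED_SETTING=$( echo ${TRACEENABLE} | ${AWKBINARY} '{ print $NF }' | tr 'A-Z' 'a-z' )`, makes the test act on the last directive, which is also the one Apache honours when a directive is repeated at the same scope; if per-directive reporting is wanted instead, loop over the lines. The `else` branch that handles non-off values, and the grep that builds `TRACEENABLE`, lie outside the hunk.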
@@ -106,4 +106,4 @@ STATUS_WEAK="FAIBLE" STATUS_YES="OUI" TEXT_UPDATE_AVAILABLE="Mise à jour disponible" TEXT_YOU_CAN_HELP_LOGFILE="Vous pouvez aider en envoyant votre fichier journal" -#SECTION_KERBEROS="Kerberos" +SECTION_KERBEROS="Kerberos" From 5f4c78972433f618ddf722687f06c02bc5308f19 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 10 Sep 2024 13:05:49 +0200 Subject: [PATCH 205/282] Update CHANGELOG.md --- CHANGELOG.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0b41e276..9c460d5c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,8 +19,7 @@ ### Changed - Correction of software EOL database and inclusion of AIX entries - Support sysctl value perf_event_paranoid -> 2|3 -- Update of Turkish translation -- Update of Portuguese translation +- Update of translations: German, Portuguest, Turkish - Grammar and spell improvements - Improved package detection on Alpine Linux - Slackware support to check installed packges (functionPackageIsInstalled()) @@ -32,6 +31,7 @@ - CONT-8104 - Checking for errors, not only warning in docker info output - DBS-1826 - PostgreSQL detection improved for AlmaLinux, Rocky Linux, and FreeBSD - FILE-6344 - Test kernel version (major/minor) +- INSE-8000 - Added inetd package and service name used in ubuntu 24.04 - KRNL-5622 - Use systemctl get-default instead of following link - KRNL-5820 - Accept ulimit with -H parameter also - LOGG-2144 - Check for wazuh-agent presence on Linux systems @@ -43,6 +43,7 @@ - PKGS-7303 - Added version numbers to brew packages - PKGS-7370 - Cron job check for debsums improved - PKGS-7392 - Improved filtering of apt-check output (Ubuntu 24.04 may give an error) +- PKGS-7410 - Added kernel name for Hardkernel odroid XU4 --------------------------------------------------------------------------------- From fb5b808944819a2e0571d3aff3a02ec1c760f0eb Mon Sep 17 00:00:00 2001 
From: Michael Boelen Date: Thu, 26 Sep 2024 12:16:52 +0000 Subject: [PATCH 206/282] Release 3.1.2 --- CHANGELOG.md | 2 +- lynis | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9c460d5c..de66bc21 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,6 @@ # Lynis Changelog -## Lynis 3.1.2 (not released yet) +## Lynis 3.1.2 (2024-09-26) ### Added - Detection of ALT Linux diff --git a/lynis b/lynis index 95135e92..721851ab 100755 --- a/lynis +++ b/lynis @@ -43,9 +43,9 @@ PROGRAM_WEBSITE="https://cisofy.com/lynis/" # Version details - PROGRAM_RELEASE_DATE="2024-03-18" - PROGRAM_RELEASE_TIMESTAMP=1710671337 - PROGRAM_RELEASE_TYPE="pre-release" # pre-release or release + PROGRAM_RELEASE_DATE="2024-09-26" + PROGRAM_RELEASE_TIMESTAMP=1727352969 + PROGRAM_RELEASE_TYPE="release" # pre-release or release PROGRAM_VERSION="3.1.2" # Source, documentation and license From 699ec384d248d4f64e1ce7f2daa1027be9557954 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 30 Sep 2024 10:00:55 +0000 Subject: [PATCH 207/282] [FILE-6398] Only perform test if we know if Linux kernel is monolithic/modular --- include/consts | 1 + include/tests_filesystems | 57 +++++++++++++++++++++------------------ include/tests_kernel | 1 + 3 files changed, 33 insertions(+), 26 deletions(-) diff --git a/include/consts b/include/consts index faf41987..dd9f033c 100644 --- a/include/consts +++ b/include/consts @@ -172,6 +172,7 @@ ETC_PATHS="/etc /usr/local/etc" MDATPBINARY="" MIN_PASSWORD_LENGTH=-1 MONGODB_RUNNING=0 + MONOLITHIC_KERNEL_TESTED=0 MOUNTBINARY="" MTREEBINARY="" MYSQLCLIENTBINARY="" diff --git a/include/tests_filesystems b/include/tests_filesystems index 58efe975..c0b67241 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems 
@@ -738,37 +738,42 @@ if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking if JBD (Journal Block Device) driver is loaded" NOTINUSE=0 - # Cannot check if driver is loaded/present if kernel is monolithic - if [ ${MONOLITHIC_KERNEL} -eq 0 ]; then - JBD=$(${LSMODBINARY} | ${GREPBINARY} ^jbd) - if [ -n "${JBD}" ]; then - LogText "Result: JBD driver is loaded" - INUSE=$(echo ${JBD} | ${AWKBINARY} '{if ($3 -ne 0) {print $4}}') - if [ -n "${INUSE}" ]; then - LogText "Result: JBD driver is in use by drivers: ${INUSE}" - Report "JBD driver is in use by drivers: ${INUSE}" - Display --indent 2 --text "- JBD driver loaded and in use" --result "${STATUS_OK}" --color GREEN + # Only perform testing if we know that KRNL-5723 performed tests + if [ ${MONOLITHIC_KERNEL_TESTED} -eq 1 ]; then + # Cannot check if driver is loaded/present if kernel is monolithic + if [ ${MONOLITHIC_KERNEL} -eq 0 ]; then + JBD=$(${LSMODBINARY} | ${GREPBINARY} ^jbd) + if [ -n "${JBD}" ]; then + LogText "Result: JBD driver is loaded" + INUSE=$(echo ${JBD} | ${AWKBINARY} '{if ($3 -ne 0) {print $4}}') + if [ -n "${INUSE}" ]; then + LogText "Result: JBD driver is in use by drivers: ${INUSE}" + Report "JBD driver is in use by drivers: ${INUSE}" + Display --indent 2 --text "- JBD driver loaded and in use" --result "${STATUS_OK}" --color GREEN + else + NOTINUSE=1 + LogText "Result: JBD driver loaded, but not in use" + Report "JBD driver is loaded, but not in use." + Display --indent 2 --text "- JBD driver loaded, but not in use" --result "${STATUS_SUGGESTION}" --color YELLOW + fi else - NOTINUSE=1 - LogText "Result: JBD driver loaded, but not in use" - Report "JBD driver is loaded, but not in use." - Display --indent 2 --text "- JBD driver loaded, but not in use" --result "${STATUS_SUGGESTION}" --color YELLOW + NOTINUSE=2 + LogText "Result: JBD driver not loaded" + Report "JBD driver not loaded." 
+ Display --indent 2 --text "- JBD driver is not loaded" --result "${STATUS_CHECK_NEEDED}" --color YELLOW + fi + if [ ${NOTINUSE} -eq 1 ]; then + ReportSuggestion "${TEST_NO}" "The JBD (Journal Block Device) driver is loaded but not in use." "You are currently not using any filesystems with journaling, i.e. you have greater risk of data corruption in case of system crash." + elif [ ${NOTINUSE} -eq 2 ]; then + ReportSuggestion "${TEST_NO}" "The JBD (Journal Block Device) driver is not loaded." "Since boot-time, you have not been using any filesystems with journaling. Alternatively, reason could be driver is blacklisted." fi else - NOTINUSE=2 - LogText "Result: JBD driver not loaded" - Report "JBD driver not loaded." - Display --indent 2 --text "- JBD driver is not loaded" --result "${STATUS_CHECK_NEEDED}" --color YELLOW - fi - if [ ${NOTINUSE} -eq 1 ]; then - ReportSuggestion "${TEST_NO}" "The JBD (Journal Block Device) driver is loaded but not in use." "You are currently not using any filesystems with journaling, i.e. you have greater risk of data corruption in case of system crash." - elif [ ${NOTINUSE} -eq 2 ]; then - ReportSuggestion "${TEST_NO}" "The JBD (Journal Block Device) driver is not loaded." "Since boot-time, you have not been using any filesystems with journaling. Alternatively, reason could be driver is blacklisted." + Display --indent 2 --text "- JBD driver: unable to check" --result "${STATUS_UNKNOWN}" --color YELLOW + LogText "Kernel is monolithic - cannot check if JBD driver is part of compiled kernel." fi else - LogText "Kernel is monolithic - cannot check if JBD driver is part of compiled kernel." - Report "Kernel is monolithic - cannot check if JBD driver is part of compiled kernel." 
- Display --indent 2 --text "- JBD driver: unable to check" --result "${STATUS_UNKNOWN}" --color RED + Display --indent 2 --text "- JBD driver: test skipped" --result "${STATUS_UNKNOWN}" --color YELLOW + LogText "Test skipped as the kernel type (monolithic/modular) is unknown" fi fi # diff --git a/include/tests_kernel b/include/tests_kernel index f6c879f9..cc986bcc 100644 --- a/include/tests_kernel +++ b/include/tests_kernel @@ -176,6 +176,7 @@ # Checking if any modules are loaded FIND=$(${LSMODBINARY} | ${GREPBINARY} -v "^Module" | wc -l | ${TRBINARY} -s ' ' | ${TRBINARY} -d ' ') Display --indent 2 --text "- Checking kernel type" --result "${STATUS_DONE}" --color GREEN + MONOLITHIC_KERNEL_TESTED=1 if [ "${FIND}" = "0" ]; then LogText "Result: Found monolithic kernel" Report "linux_kernel_type=monolithic" From f155be945fa4268252f3b9c81c85f2f89fc534dd Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 30 Sep 2024 10:02:39 +0000 Subject: [PATCH 208/282] Preparations for 3.1.3 --- CHANGELOG.md | 7 +++++++ lynis | 4 ++-- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index de66bc21..bec63912 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,12 @@ # Lynis Changelog +## Lynis 3.1.3 (not released yet) + +### Changed +- FILE-6398 - Only perform test if we know if Linux kernel is monolithic/modular + +--------------------------------------------------------------------------------- + ## Lynis 3.1.2 (2024-09-26) ### Added diff --git a/lynis b/lynis index 721851ab..918f317e 100755 --- a/lynis +++ b/lynis @@ -45,8 +45,8 @@ # Version details PROGRAM_RELEASE_DATE="2024-09-26" PROGRAM_RELEASE_TIMESTAMP=1727352969 - PROGRAM_RELEASE_TYPE="release" # pre-release or release - PROGRAM_VERSION="3.1.2" + PROGRAM_RELEASE_TYPE="pre-release" # pre-release or release + PROGRAM_VERSION="3.1.3" # Source, documentation and license PROGRAM_SOURCE="https://github.com/CISOfy/lynis" 
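Review bot: The re-indented line `INUSE=$(echo ${JBD} | ${AWKBINARY} '{if ($3 -ne 0) {print $4}}')` carries over a condition that is not awk: there is no `-ne` operator, so awk reads `$3 - ne` (with `ne` an unset variable) concatenated with `0`, a non-empty string that is always true, and INUSE is simply `$4` whatever the use count is. The result is right only by accident, because lsmod leaves the used-by column empty when the count is 0; the intended test is `'{if ($3 != 0) {print $4}}'`. Note also that `echo ${JBD}` flattens all `^jbd` matches (jbd and jbd2) onto one line, so only the first module's columns are ever examined. The test block continues outside the hunk on both sides.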
From 03168113ca7d022785ce5dd6daa4f9af895edd4f Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 30 Sep 2024 11:53:13 +0000 Subject: [PATCH 209/282] [KRNL-5622] test if systemctl binary is set --- include/tests_kernel | 79 +++++++++++++++++++++++--------------------- 1 file changed, 42 insertions(+), 37 deletions(-) diff --git a/include/tests_kernel b/include/tests_kernel index cc986bcc..837b97c8 100644 --- a/include/tests_kernel +++ b/include/tests_kernel 
@@ -39,50 +39,55 @@ # Description : Check default run level on Linux machines Register --test-no KRNL-5622 --os Linux --weight L --network NO --category security --description "Determine Linux default run level" if [ ${SKIPTEST} -eq 0 ]; then - # Checking if we can find the systemd default target - LogText "Test: Checking for systemd default.target" - if [ $(${SYSTEMCTLBINARY} get-default) ]; then - FIND=$(${SYSTEMCTLBINARY} get-default) - FIND2=$(${ECHOCMD} ${FIND} | ${EGREPBINARY} "runlevel5|graphical") - if HasData "${FIND2}"; then - LogText "Result: Found match on runlevel5/graphical" - Display --indent 2 --text "- Checking default runlevel" --result "runlevel 5" --color GREEN - Report "linux_default_runlevel=5" - else - LogText "Result: No match found on runlevel, defaulting to runlevel 3" - Display --indent 2 --text "- Checking default runlevel" --result "runlevel 3" --color GREEN - Report "linux_default_runlevel=3" - fi - else - LogText "Result: no systemd found, so trying inittab" - LogText "Test: Checking ${ROOTDIR}etc/inittab" - if [ -f ${ROOTDIR}etc/inittab ]; then - LogText "Result: file ${ROOTDIR}etc/inittab found" - LogText "Test: Checking default Linux run level" - FIND=$(${AWKBINARY} -F: '/^id/ { print $2; }' ${ROOTDIR}etc/inittab | head -n 1) - if IsEmpty "${FIND}"; then - Display --indent 2 --text "- Checking default runlevel" --result "${STATUS_UNKNOWN}" --color YELLOW - LogText "Result: Can't determine default run level from ${ROOTDIR}etc/inittab" + # Only run if systemctl binary is available + if [ -n "${SYSTEMCTLBINARY}" ]; then + # Checking if we can find the systemd default target + LogText "Test: Checking for systemd default.target" + if [ $(${SYSTEMCTLBINARY} get-default) ]; then + FIND=$(${SYSTEMCTLBINARY} get-default) + FIND2=$(${ECHOCMD} ${FIND} | ${EGREPBINARY} "runlevel5|graphical") + if HasData "${FIND2}"; then + LogText "Result: Found match on runlevel5/graphical" + Display --indent 2 --text "- Checking default runlevel" --result 
"runlevel 5" --color GREEN + Report "linux_default_runlevel=5" else - Display --indent 2 --text "- Checking default run level" --result "${FIND}" --color GREEN - LogText "Found default run level '${FIND}'" - Report "linux_default_runlevel=${FIND}" + LogText "Result: No match found on runlevel, defaulting to runlevel 3" + Display --indent 2 --text "- Checking default runlevel" --result "runlevel 3" --color GREEN + Report "linux_default_runlevel=3" fi else - LogText "Result: file ${ROOTDIR}etc/inittab not found" - if [ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION}" = "Ubuntu" ] || [ "${LINUX_VERSION_LIKE}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" = "Ubuntu" ]; then - LogText "Test: Checking run level with who -r, for Debian based systems" - FIND=$(who -r | ${AWKBINARY} '{ if ($1=="run-level") { print $2 } }') - if HasData "${FIND}"; then - LogText "Result: Found default run level '${FIND}'" - Report "linux_default_runlevel=${FIND}" - Display --indent 2 --text "- Checking default run level" --result "RUNLEVEL ${FIND}" --color GREEN + LogText "Result: no systemd found, so trying inittab" + LogText "Test: Checking ${ROOTDIR}etc/inittab" + if [ -f ${ROOTDIR}etc/inittab ]; then + LogText "Result: file ${ROOTDIR}etc/inittab found" + LogText "Test: Checking default Linux run level" + FIND=$(${AWKBINARY} -F: '/^id/ { print $2; }' ${ROOTDIR}etc/inittab | head -n 1) + if IsEmpty "${FIND}"; then + Display --indent 2 --text "- Checking default runlevel" --result "${STATUS_UNKNOWN}" --color YELLOW + LogText "Result: Can't determine default run level from ${ROOTDIR}etc/inittab" else - LogText "Result: Can't determine default run level from who -r" - Display --indent 2 --text "- Checking default run level" --result "${STATUS_UNKNOWN}" --color YELLOW + Display --indent 2 --text "- Checking default run level" --result "${FIND}" --color GREEN + LogText "Found default run level '${FIND}'" + Report "linux_default_runlevel=${FIND}" + fi + else + LogText "Result: file 
${ROOTDIR}etc/inittab not found" + if [ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION}" = "Ubuntu" ] || [ "${LINUX_VERSION_LIKE}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" = "Ubuntu" ]; then + LogText "Test: Checking run level with who -r, for Debian based systems" + FIND=$(who -r | ${AWKBINARY} '{ if ($1=="run-level") { print $2 } }') + if HasData "${FIND}"; then + LogText "Result: Found default run level '${FIND}'" + Report "linux_default_runlevel=${FIND}" + Display --indent 2 --text "- Checking default run level" --result "RUNLEVEL ${FIND}" --color GREEN + else + LogText "Result: Can't determine default run level from who -r" + Display --indent 2 --text "- Checking default run level" --result "${STATUS_UNKNOWN}" --color YELLOW + fi fi fi fi + else + LogText "Result: test skipped, as systemctl binary could not be found" fi fi # From aca2216d74f0f6027b59a32695f4867637d3d961 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 30 Sep 2024 11:53:40 +0000 Subject: [PATCH 210/282] Update log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index bec63912..4a9e5ca0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,7 @@ ### Changed - FILE-6398 - Only perform test if we know if Linux kernel is monolithic/modular +- KRNL-5622 - Test if systemctl binary is set --------------------------------------------------------------------------------- From 214471d8b7a08707bef5644ea83d9f12355a563a Mon Sep 17 00:00:00 2001 From: Kirill Nikiforov Date: Mon, 30 Sep 2024 20:50:21 +0400 Subject: [PATCH 211/282] add Fedora Linux Asahi Remix --- CHANGELOG.md | 1 + include/osdetection | 6 ++++++ 2 files changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4a9e5ca0..35ce224d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
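Review bot: Wrapping the whole test in `if [ -n "${SYSTEMCTLBINARY}" ]` also disables the inittab and `who -r` fallbacks, so a sysvinit host without systemctl, the exact case those fallbacks exist for, now logs "test skipped" instead of reporting a run level; before this change the empty `$(... get-default)` just made the first test false and fell through. Gate only the systemctl call: `FIND=""; if [ -n "${SYSTEMCTLBINARY}" ]; then FIND=$(${SYSTEMCTLBINARY} get-default 2>/dev/null); fi` followed by `if [ -n "${FIND}" ]; then`, which also removes the unquoted `[ $(...) ]` test and the second `get-default` invocation. The Register call that opens this test sits above the hunk.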
@@ -5,6 +5,7 @@
 ### Changed
 - FILE-6398 - Only perform test if we know if Linux kernel is monolithic/modular
 - KRNL-5622 - Test if systemctl binary is set
+- OS detection for Fedora Linux Asahi Remix
 ---------------------------------------------------------------------------------
diff --git a/include/osdetection b/include/osdetection
index 8c85fbf9..9d579ccb 100644
--- a/include/osdetection
+++ b/include/osdetection
@@ -266,6 +266,12 @@
 OS_REDHAT_OR_CLONE=1
 OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
 ;;
+ "fedora-asahi-remix")
+ LINUX_VERSION="Fedora"
+ OS_NAME="Fedora Linux Asahi Remix"
+ OS_REDHAT_OR_CLONE=1
+ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ ;;
 "flatcar")
 LINUX_VERSION="Flatcar"
 LINUX_VERSION_LIKE="CoreOS"
From 42f0b05d10c466ba827f3cb00eb746e2ff40290e Mon Sep 17 00:00:00 2001
From: teoberi
Date: Tue, 1 Oct 2024 10:09:43 +0300
Subject: [PATCH 212/282] Update tests_kernel -> KRNL-5622
Fix runlevel detection for SO without systemd (eg. Slackware)
---
 include/tests_kernel | 79 +++++++++++++++++++++-----------------------
 1 file changed, 37 insertions(+), 42 deletions(-)
diff --git a/include/tests_kernel b/include/tests_kernel
index 837b97c8..9f3313b7 100644
--- a/include/tests_kernel
+++ b/include/tests_kernel
@@ -39,55 +39,50 @@ # Description : Check default run level on Linux machines Register --test-no KRNL-5622 --os Linux --weight L --network NO --category security --description "Determine Linux default run level" if [ ${SKIPTEST} -eq 0 ]; then - # Only run if systemctl binary is available - if [ -n "${SYSTEMCTLBINARY}" ]; then - # Checking if we can find the systemd default target - LogText "Test: Checking for systemd default.target" - if [ $(${SYSTEMCTLBINARY} get-default) ]; then - FIND=$(${SYSTEMCTLBINARY} get-default) - FIND2=$(${ECHOCMD} ${FIND} | ${EGREPBINARY} "runlevel5|graphical") - if HasData "${FIND2}"; then - LogText "Result: Found match on runlevel5/graphical" - Display --indent 2 --text "- Checking default runlevel" --result "runlevel 5" --color GREEN - Report "linux_default_runlevel=5" + # Checking if we can find the systemd default target + LogText "Test: Checking for systemd default.target" + if [ $( [ ! -z ${SYSTEMCTLBINARY} ] && ${SYSTEMCTLBINARY} get-default) ]; then + FIND=$(${SYSTEMCTLBINARY} get-default) + FIND2=$(${ECHOCMD} ${FIND} | ${EGREPBINARY} "runlevel5|graphical") + if HasData "${FIND2}"; then + LogText "Result: Found match on runlevel5/graphical" + Display --indent 2 --text "- Checking default runlevel" --result "runlevel 5" --color GREEN + Report "linux_default_runlevel=5" + else + LogText "Result: No match found on runlevel, defaulting to runlevel 3" + Display --indent 2 --text "- Checking default runlevel" --result "runlevel 3" --color GREEN + Report "linux_default_runlevel=3" + fi + else + LogText "Result: no systemd found, so trying inittab" + LogText "Test: Checking ${ROOTDIR}etc/inittab" + if [ -f ${ROOTDIR}etc/inittab ]; then + LogText "Result: file ${ROOTDIR}etc/inittab found" + LogText "Test: Checking default Linux run level" + FIND=$(${AWKBINARY} -F: '/^id/ { print $2; }' ${ROOTDIR}etc/inittab | head -n 1) + if IsEmpty "${FIND}"; then + Display --indent 2 --text "- Checking default runlevel" --result "${STATUS_UNKNOWN}" 
--color YELLOW + LogText "Result: Can't determine default run level from ${ROOTDIR}etc/inittab" else - LogText "Result: No match found on runlevel, defaulting to runlevel 3" - Display --indent 2 --text "- Checking default runlevel" --result "runlevel 3" --color GREEN - Report "linux_default_runlevel=3" + Display --indent 2 --text "- Checking default run level" --result "${FIND}" --color GREEN + LogText "Found default run level '${FIND}'" + Report "linux_default_runlevel=${FIND}" fi else - LogText "Result: no systemd found, so trying inittab" - LogText "Test: Checking ${ROOTDIR}etc/inittab" - if [ -f ${ROOTDIR}etc/inittab ]; then - LogText "Result: file ${ROOTDIR}etc/inittab found" - LogText "Test: Checking default Linux run level" - FIND=$(${AWKBINARY} -F: '/^id/ { print $2; }' ${ROOTDIR}etc/inittab | head -n 1) - if IsEmpty "${FIND}"; then - Display --indent 2 --text "- Checking default runlevel" --result "${STATUS_UNKNOWN}" --color YELLOW - LogText "Result: Can't determine default run level from ${ROOTDIR}etc/inittab" - else - Display --indent 2 --text "- Checking default run level" --result "${FIND}" --color GREEN - LogText "Found default run level '${FIND}'" + LogText "Result: file ${ROOTDIR}etc/inittab not found" + if [ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION}" = "Ubuntu" ] || [ "${LINUX_VERSION_LIKE}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" = "Ubuntu" ]; then + LogText "Test: Checking run level with who -r, for Debian based systems" + FIND=$(who -r | ${AWKBINARY} '{ if ($1=="run-level") { print $2 } }') + if HasData "${FIND}"; then + LogText "Result: Found default run level '${FIND}'" Report "linux_default_runlevel=${FIND}" - fi - else - LogText "Result: file ${ROOTDIR}etc/inittab not found" - if [ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION}" = "Ubuntu" ] || [ "${LINUX_VERSION_LIKE}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" = "Ubuntu" ]; then - LogText "Test: Checking run level with who -r, for Debian based systems" - FIND=$(who -r 
| ${AWKBINARY} '{ if ($1=="run-level") { print $2 } }') - if HasData "${FIND}"; then - LogText "Result: Found default run level '${FIND}'" - Report "linux_default_runlevel=${FIND}" - Display --indent 2 --text "- Checking default run level" --result "RUNLEVEL ${FIND}" --color GREEN - else - LogText "Result: Can't determine default run level from who -r" - Display --indent 2 --text "- Checking default run level" --result "${STATUS_UNKNOWN}" --color YELLOW - fi + Display --indent 2 --text "- Checking default run level" --result "RUNLEVEL ${FIND}" --color GREEN + else + LogText "Result: Can't determine default run level from who -r" + Display --indent 2 --text "- Checking default run level" --result "${STATUS_UNKNOWN}" --color YELLOW fi fi fi - else - LogText "Result: test skipped, as systemctl binary could not be found" fi fi # From 50a1b15ec3385524ef12566b2d2906ef7e55e55c Mon Sep 17 00:00:00 2001 From: Aera23 <130415001+Aera23@users.noreply.github.com> Date: Wed, 2 Oct 2024 12:15:40 +0930 Subject: [PATCH 213/282] Update osdetection - Peppermint OS --- include/osdetection | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/include/osdetection b/include/osdetection index 9d579ccb..c9422c37 100644 --- a/include/osdetection +++ b/include/osdetection @@ -406,6 +406,13 @@ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION_FULL=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') ;; + "peppermint") + LINUX_VERSION="Peppermint OS" + LINUX_VERSION_LIKE="Debian" + OS_NAME="Peppermint OS" + OS_VERSION=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + OS_VERSION_FULL=$(grep "^VERSION_CODENAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + ;; "poky") LINUX_VERSION="Poky" OS_NAME="openembedded" From 58bff4f54e43c8fbb7b902e6ff986cc74e4d7d7b Mon Sep 17 00:00:00 2001 
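Review bot: `[ $( [ ! -z ${SYSTEMCTLBINARY} ] && ${SYSTEMCTLBINARY} get-default) ]` restores the fallbacks, but the guard is unquoted: with an empty SYSTEMCTLBINARY it becomes `[ ! -z ]`, which only yields false because a one-argument `-z` test happens to be true and is then negated, and a path containing whitespace would split. `get-default` is also still run twice (once in the test, once for FIND). One quoted test does both jobs: `if [ -n "${SYSTEMCTLBINARY}" ] && FIND=$(${SYSTEMCTLBINARY} get-default 2>/dev/null) && [ -n "${FIND}" ]; then`, after which the following `FIND=$(${SYSTEMCTLBINARY} get-default)` line can go. The Register call that opens this test sits above the hunk.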
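Review bot: The `"peppermint")` case fills OS_VERSION from `PRETTY_NAME` and OS_VERSION_FULL from `VERSION_CODENAME`, which is the reverse of the neighbouring entries in this file (the context above it reads `VERSION_ID` into OS_VERSION and `PRETTY_NAME` into OS_VERSION_FULL, as do the buildroot and fedora-asahi-remix cases added in this series), so any consumer that compares OS_VERSION numerically gets a free-text string here. Unless Peppermint's os-release really lacks `VERSION_ID`, use `OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')` and `OS_VERSION_FULL=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')`; if it does lack it, a comment saying so would stop the next reader from "fixing" it.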
From: Francois Perrad Date: Wed, 2 Oct 2024 11:28:06 +0200 Subject: [PATCH 214/282] add Buildroot fix #1520 --- CHANGELOG.md | 1 + include/osdetection | 6 ++++++ 2 files changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 35ce224d..8033ff0e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,7 @@ - FILE-6398 - Only perform test if we know if Linux kernel is monolithic/modular - KRNL-5622 - Test if systemctl binary is set - OS detection for Fedora Linux Asahi Remix +- OS detection for Buildroot --------------------------------------------------------------------------------- diff --git a/include/osdetection b/include/osdetection index 9d579ccb..8bd7288a 100644 --- a/include/osdetection +++ b/include/osdetection @@ -202,6 +202,12 @@ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') ;; + "buildroot") + LINUX_VERSION="Buildroot" + OS_NAME="Buildroot" + OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + OS_VERSION_FULL=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + ;; "bunsenlabs") LINUX_VERSION="BunsenLabs" OS_NAME="BunsenLabs" From 916f95aa2c24ff3d72ac258db9048a1f8e0133e0 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 2 Oct 2024 16:55:09 +0200 Subject: [PATCH 215/282] Update CHANGELOG.md --- CHANGELOG.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8033ff0e..b35de781 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,11 +2,14 @@ ## Lynis 3.1.3 (not released yet) +### Added +- Detection of Buildroot +- Detection of Fedora Linux Asahi Remix + ### Changed - FILE-6398 - Only perform test if we know if Linux kernel is monolithic/modular - KRNL-5622 - Test if systemctl binary is set -- OS detection for Fedora Linux Asahi Remix -- OS detection for Buildroot +- Update of translations: Russian --------------------------------------------------------------------------------- @@ -29,7 +32,7 @@ ### Changed - Correction of software EOL database and inclusion of AIX entries - Support sysctl value perf_event_paranoid -> 2|3 -- Update of translations: German, Portuguest, Turkish +- Update of translations: German, Portuguese, Turkish - Grammar and spell improvements - Improved package detection on Alpine Linux - Slackware support to check installed packges (functionPackageIsInstalled()) From 71dc7d2c957308ae15256a6d36353cd47f033ea5 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 4 Oct 2024 08:27:24 +0200 Subject: [PATCH 216/282] Update CHANGELOG.md --- CHANGELOG.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b35de781..2de64851 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,8 +3,7 @@ ## Lynis 3.1.3 (not released yet) ### Added -- Detection of Buildroot -- Detection of Fedora Linux Asahi Remix +- Detection of Buildroot, Fedora Linux Asahi Remix, Peppermint OS ### Changed - FILE-6398 - Only perform test if we know if Linux kernel is monolithic/modular From b7ced8e0307b9ae0eac3c24f8b5865c560598e53 Mon Sep 17 00:00:00 2001 From: nser77 <104022475+nser77@users.noreply.github.com> Date: Fri, 4 Oct 2024 09:21:11 +0200 Subject: [PATCH 217/282] FIRE-4508 - Fix typo in conditional expression --- include/tests_firewalls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_firewalls b/include/tests_firewalls index 6852b536..92e0fc78 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls 
@@ -122,7 +122,7 @@
 LogText "Result: iptables ${table} -- ${chainname} policy is ${policy}."
 LogText "Result: ${policy}"
- if [ "${TABLE}" = "filter" ]; then
+ if [ "${table}" = "filter" ]; then
 if [ "${chainname}" = "INPUT" ]; then
 case ${policy} in
 "ACCEPT")
From 12f96af8b41ee87ac05e1fb9cb2805587d022b61 Mon Sep 17 00:00:00 2001
From: nser77 <104022475+nser77@users.noreply.github.com>
Date: Fri, 4 Oct 2024 09:24:17 +0200
Subject: [PATCH 218/282] FIRE-4508 - Adding more tables in ip4tables
---
 include/tests_firewalls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/tests_firewalls b/include/tests_firewalls
index 6852b536..c6747f53 100644
--- a/include/tests_firewalls
+++ b/include/tests_firewalls
@@ -109,7 +109,7 @@
 Register --test-no FIRE-4508 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check used policies of iptables chains"
 if [ ${SKIPTEST} -eq 0 ]; then
 Display --indent 4 --text "- Checking iptables policies of chains" --result "${STATUS_FOUND}" --color GREEN
- TABLES="filter"
+ TABLES="filter nat mangle raw security"
 for TABLE in ${TABLES}; do
 LogText "Test: gathering information from table ${TABLE}"
 FIND="$FIND""\n"$(${IPTABLESBINARY} -t ${TABLE} --numeric --list | ${GREPBINARY} -E -z -o -w '[A-Z]+' | tr -d '\0' | ${AWKBINARY} -v t=${TABLE} 'NR%2 {printf "%s %s ",t, $0 ; next;}1')
From 782212b3908500a744c86110be76c7ee43baa318 Mon Sep 17 00:00:00 2001
From: Michael Boelen
Date: Fri, 4 Oct 2024 10:07:38 +0200
Subject: [PATCH 219/282] Update CHANGELOG.md
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2de64851..7d625649 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,7 @@
 ### Changed
 - FILE-6398 - Only perform test if we know if Linux kernel is monolithic/modular
+- FIRE-4508 - Fix typo in conditional expression
 - KRNL-5622 - Test if systemctl binary is set
 - Update of translations: Russian
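Review bot: Listing `nat mangle raw security` has side effects the filter-only run did not: on a host where a table's module is not loaded, `${IPTABLESBINARY} -t ${TABLE} --numeric --list` either fails (its stderr is not redirected in the context line, so the error lands on the console) or, with legacy iptables, typically autoloads the table's kernel module, which is an unwelcome state change for a root-run audit. Skip tables the kernel does not already have, `grep -qx "${TABLE}" /proc/net/ip_tables_names 2>/dev/null || continue`, and add `2>/dev/null` to the iptables call. Built-in chains in nat, mangle and raw only ever carry an ACCEPT policy, so the extra tables add log lines but no scoring unless the `table = filter` check further down (outside this hunk) is widened.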
From c51b066131289ed9fc1c418fd1adf51b8f7a8f47 Mon Sep 17 00:00:00 2001 From: teoberi Date: Fri, 4 Oct 2024 21:46:30 +0300 Subject: [PATCH 220/282] Update tests_firewalls -> FIRE-4508 Include #1554 Fix FIND variable (remove "\n" and -z) Add sort + uniq while read line from FIND --- include/tests_firewalls | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/include/tests_firewalls b/include/tests_firewalls index 92e0fc78..53fed3ab 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls @@ -109,13 +109,13 @@ Register --test-no FIRE-4508 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check used policies of iptables chains" if [ ${SKIPTEST} -eq 0 ]; then Display --indent 4 --text "- Checking iptables policies of chains" --result "${STATUS_FOUND}" --color GREEN - TABLES="filter" + TABLES="filter nat mangle raw security" for TABLE in ${TABLES}; do LogText "Test: gathering information from table ${TABLE}" - FIND="$FIND""\n"$(${IPTABLESBINARY} -t ${TABLE} --numeric --list | ${GREPBINARY} -E -z -o -w '[A-Z]+' | tr -d '\0' | ${AWKBINARY} -v t=${TABLE} 'NR%2 {printf "%s %s ",t, $0 ; next;}1') + FIND="$FIND"(${IPTABLESBINARY} -t ${TABLE} --numeric --list | ${GREPBINARY} -E -o -w '[A-Z]+' | tr -d '\0' | ${AWKBINARY} -v t=${TABLE} 'NR%2 {printf "%s %s ",t, $0 ; next;}1') done - echo "${FIND}" | while read -r line; do + echo "${FIND}" | sort | uniq | while read -r line; do table=$(echo ${line} | ${AWKBINARY} '{ print $1 }') chainname=$(echo ${line} | ${AWKBINARY} '{ print $2 }') policy=$(echo ${line} | ${AWKBINARY} '{ print $3 }') From 1a408248b0a3eb4a05b4e24250884d0783ec4b29 Mon Sep 17 00:00:00 2001 From: teoberi Date: Fri, 4 Oct 2024 21:55:57 +0300 Subject: [PATCH 221/282] Update tests_firewalls -> FIRE-4508 Fix copy error --- include/tests_firewalls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
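Review bot: Dropping the literal `"\n"` leaves no separator between the per-table outputs: `$(...)` strips the trailing newline of each table's awk output, so the last record of one table is glued to the first record of the next (`filter OUTPUT ACCEPTnat PREROUTING ACCEPT`), and the `while read -r line` below then parses `ACCEPTnat` as a policy. Besides the missing `$` before the parenthesis, which the follow-up commit fixes, append a real newline per table, e.g. `FIND=$(printf '%s\n%s\n' "${FIND}" "$(${IPTABLESBINARY} -t ${TABLE} --numeric --list 2>/dev/null | ${GREPBINARY} -E -o -w '[A-Z]+' | ${AWKBINARY} -v t=${TABLE} 'NR%2 {printf "%s %s ",t, $0 ; next;}1')")`. The old `\n` only ever worked where `echo` expands backslash escapes (dash), not with bash's builtin echo, so emitting real newlines removes that portability trap as well; with `sort | uniq` the leading empty line is harmless.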
diff --git a/include/tests_firewalls b/include/tests_firewalls
index 53fed3ab..803de69b 100644
--- a/include/tests_firewalls
+++ b/include/tests_firewalls
@@ -112,7 +112,7 @@
 TABLES="filter nat mangle raw security"
 for TABLE in ${TABLES}; do
 LogText "Test: gathering information from table ${TABLE}"
- FIND="$FIND"(${IPTABLESBINARY} -t ${TABLE} --numeric --list | ${GREPBINARY} -E -o -w '[A-Z]+' | tr -d '\0' | ${AWKBINARY} -v t=${TABLE} 'NR%2 {printf "%s %s ",t, $0 ; next;}1')
+ FIND="$FIND"$(${IPTABLESBINARY} -t ${TABLE} --numeric --list | ${GREPBINARY} -E -o -w '[A-Z]+' | tr -d '\0' | ${AWKBINARY} -v t=${TABLE} 'NR%2 {printf "%s %s ",t, $0 ; next;}1')
 done
 echo "${FIND}" | sort | uniq | while read -r line; do
From f0527111a01f9fa64274382153d6f472b73a51f3 Mon Sep 17 00:00:00 2001
From: Michael Boelen
Date: Mon, 7 Oct 2024 11:20:02 +0200
Subject: [PATCH 222/282] Update CHANGELOG.md
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7d625649..027b7e66 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,7 +7,7 @@
 ### Changed
 - FILE-6398 - Only perform test if we know if Linux kernel is monolithic/modular
-- FIRE-4508 - Fix typo in conditional expression
+- FIRE-4508 - Several changes to expand the test, make it more generic, resolve minor issues
 - KRNL-5622 - Test if systemctl binary is set
 - Update of translations: Russian
From e9c2a1ad3f0afe8bc6561b9f70d7597beadb91a2 Mon Sep 17 00:00:00 2001
From: nser77 <104022475+nser77@users.noreply.github.com>
Date: Tue, 8 Oct 2024 01:36:39 +0200
Subject: [PATCH 223/282] Update tests_firewalls
---
 include/tests_firewalls | 76 ++++++++++++++++++++++++-----------------
 1 file changed, 44 insertions(+), 32 deletions(-)
diff --git a/include/tests_firewalls b/include/tests_firewalls
index 803de69b..315be1fc 100644
--- a/include/tests_firewalls
+++ b/include/tests_firewalls
@@ -110,42 +110,54 @@ if [ ${SKIPTEST} -eq 0 ]; then Display --indent 4 --text "- Checking iptables policies of chains" --result "${STATUS_FOUND}" --color GREEN TABLES="filter nat mangle raw security" - for TABLE in ${TABLES}; do - LogText "Test: gathering information from table ${TABLE}" - FIND="$FIND"$(${IPTABLESBINARY} -t ${TABLE} --numeric --list | ${GREPBINARY} -E -o -w '[A-Z]+' | tr -d '\0' | ${AWKBINARY} -v t=${TABLE} 'NR%2 {printf "%s %s ",t, $0 ; next;}1') - done - - echo "${FIND}" | sort | uniq | while read -r line; do - table=$(echo ${line} | ${AWKBINARY} '{ print $1 }') - chainname=$(echo ${line} | ${AWKBINARY} '{ print $2 }') - policy=$(echo ${line} | ${AWKBINARY} '{ print $3 }') - LogText "Result: iptables ${table} -- ${chainname} policy is ${policy}." - LogText "Result: ${policy}" - + for table in ${TABLES}; do + chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING" if [ "${table}" = "filter" ]; then - if [ "${chainname}" = "INPUT" ]; then - case ${policy} in - "ACCEPT") - LogText "Result: Found ACCEPT for ${chainname} (table: ${table})" - Display --indent 6 --text "- Checking chain ${chainname} (table: ${table}, policy ${policy})" --result "ACCEPT" --color YELLOW - #ReportSuggestion "${TEST_NO}" "Consider settings default chain policy to DROP (iptables chain ${chainname}, table: ${table})" - AddHP 1 3 - ;; - "DROP") - LogText "Result: Found DROP for ${chainname} (table: ${table})" - Display --indent 6 --text "- Checking chain ${chainname} (table: ${table}, policy ${policy})" --result "DROP" --color GREEN - AddHP 3 3 - ;; - *) - Display --indent 6 --text "- Checking chain ${chainname} (table: ${table}, policy ${policy})" --result "other" --color YELLOW - LogText "Result: Unknown policy: ${policy}" - #ReportSuggestion "${TEST_NO}" "Check iptables ${chainname} (table: ${table}) chain policy" - ;; - esac - fi + chains="INPUT FORWARD OUTPUT" fi + for chain in ${chains}; do + ${IPTABLESBINARY} -t "${table}" -S "${chain}" | while read -r line; do + 
readarray -d" " -t array <<< ${line} + c=0 + for i in ${array[@]}; do + if [ "${i}" = "-j" ]; then + let index=c+1 + target="${array[${index}]}" + fi + if [ "${i}" = "-d" ]; then + let index=c+1 + destination="${array[${index}]}" + fi + if [ "${i}" = "-s" ]; then + let index=c+1 + source="${array[${index}]}" + fi + let c++ + done + + # logics + if ( [ "${table}" = "filter" ] || [ "${table}" = "security" ] ) && [ "${chain}" = "INPUT" ] && [ "${target}" = "ACCEPT" ] ; then + LogText "Result: Found ACCEPT for ${chainname} (table: ${table})" + Display --indent 6 --text "- Checking chain ${chain} (table: ${table}, chain ${chain})" --result "${target}" --color YELLOW + AddHP 1 3 + fi + if ( [ "${table}" = "filter" ] || [ "${table}" = "security" ] ) && [ "${chain}" = "INPUT" ] && [ "${target}" = "DROP" ] ; then + LogText "Result: Found DROP for ${chainname} (table: ${table})" + Display --indent 6 --text "- Checking chain ${chain} (table: ${table}, chain ${chain})" --result "${target}" --color GREEN + AddHP 3 3 + fi + if ( [ "${table}" = "filter" ] || [ "${table}" = "security" ] ) && ( [ "${chain}" = "INPUT" ] || [ "${chain}" = "FORWARD" ] || [ "${chain}" = "OUTPUT" ] ) && [ "${target}" = "NFQUEUE" ] ; then + LogText "Result: Found DROP for ${chainname} (table: ${table})" + Display --indent 6 --text "- Checking chain ${chainname} (table: ${table}, chain ${chain})" --result "DROP" --color RED + ReportSuggestion "${TEST_NO}" "Consider avoid ${target} target if possible (iptables chain ${chain}, table: ${table})" + AddHP 0 3 + fi + done + done done + fi + # ################################################################################# # From d0f5ee7df9d9f65406122869d53d10ddd3c1729e Mon Sep 17 00:00:00 2001 From: vassap2022 <97514323+vassap2022@users.noreply.github.com> Date: Tue, 8 Oct 2024 10:44:17 +0200 Subject: [PATCH 224/282] add gardenlinux in osdetection Fixes: #1507 --- include/osdetection | 8 ++++++++ 1 file changed, 8 insertions(+) 
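Review bot: `target` (and `destination`/`source`) are never reset between iterations of the `while read -r line` loop, so a rule without `-j` keeps the previous rule's target and is scored again; clearing them at the top of the loop body, `target=""; destination=""; source=""`, fixes that. `iptables -S` prints the chain policy as `-P CHAIN POLICY`, which has no `-j`, so the policy this test is named for is never captured — only the jump target of each `-A` rule is, and every ACCEPT rule in INPUT earns `AddHP 1 3` instead of the policy being scored once. `readarray`, `${array[@]}` and `let` are bash-only; if this include is sourced under `/bin/sh` (not visible here) the loop fails outright. Because the loop sits on the right side of a pipe it runs in a subshell, so anything `AddHP` keeps in shell variables (presumably the hardening points) is lost when the loop ends — this applies equally to the later rewrites of this block in commits 226, 229 and 233. `${chainname}` in the `LogText` lines is no longer set after the rename to `chain`, the NFQUEUE branch logs "Found DROP" and displays `DROP` for a non-DROP target, and the enclosing `if [ ${SKIPTEST} -eq 0 ]` opens before the hunk.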
diff --git a/include/osdetection b/include/osdetection index fa2046d5..5890cd7f 100644 --- a/include/osdetection +++ b/include/osdetection @@ -504,6 +504,14 @@ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') ;; + "gardenlinux") + LINUX_VERSION="Garden Linux" + LINUX_VERSION_LIKE="Debian" + OS_NAME=$(grep "^NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + OS_VERSION=$(grep "^GARDENLINUX_VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + OS_VERSION_FULL=$(grep "^GARDENLINUX_VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + + ;; *) ReportException "OS Detection" "Unknown OS found in /etc/os-release - Please create an issue on GitHub and share the contents (cat /etc/os-release): ${PROGRAM_SOURCE}" ;; From 94a944b1107cd4d08843c8e0e385b6a212fcaa74 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 8 Oct 2024 08:59:31 +0000 Subject: [PATCH 225/282] Moving entry Garden Linux --- CHANGELOG.md | 2 +- include/osdetection | 15 +++++++-------- 2 files changed, 8 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 027b7e66..ca3f9067 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,7 +3,7 @@ ## Lynis 3.1.3 (not released yet) ### Added -- Detection of Buildroot, Fedora Linux Asahi Remix, Peppermint OS +- Detection of Buildroot, Fedora Linux Asahi Remix, Garden Linux, Peppermint OS ### Changed - FILE-6398 - Only perform test if we know if Linux kernel is monolithic/modular diff --git a/include/osdetection b/include/osdetection index 5890cd7f..fda72333 100644 --- a/include/osdetection +++ b/include/osdetection 
@@ -289,6 +289,13 @@ OS_FULLNAME="Funtoo Linux" OS_VERSION="Rolling release" ;; + "gardenlinux") + LINUX_VERSION="Garden Linux" + LINUX_VERSION_LIKE="Debian" + OS_NAME=$(grep "^NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + OS_VERSION=$(grep "^GARDENLINUX_VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + OS_VERSION_FULL=$(grep "^GARDENLINUX_VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + ;; "garuda") LINUX_VERSION="Garuda" OS_FULLNAME="Garuda Linux" @@ -504,14 +511,6 @@ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') ;; - "gardenlinux") - LINUX_VERSION="Garden Linux" - LINUX_VERSION_LIKE="Debian" - OS_NAME=$(grep "^NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') - OS_VERSION=$(grep "^GARDENLINUX_VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') - OS_VERSION_FULL=$(grep "^GARDENLINUX_VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') - - ;; *) ReportException "OS Detection" "Unknown OS found in /etc/os-release - Please create an issue on GitHub and share the contents (cat /etc/os-release): ${PROGRAM_SOURCE}" ;; From 8ca5b83584f04e2ceb8ba9f193064f0ae9d4737c Mon Sep 17 00:00:00 2001 From: nser77 <104022475+nser77@users.noreply.github.com> Date: Tue, 8 Oct 2024 11:29:48 +0200 Subject: [PATCH 226/282] Update tests_firewalls --- include/tests_firewalls | 47 ++++++++++++++++++++--------------------- 1 file changed, 23 insertions(+), 24 deletions(-) diff --git a/include/tests_firewalls b/include/tests_firewalls index 315be1fc..614d0202 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls 
@@ -116,48 +116,47 @@ chains="INPUT FORWARD OUTPUT" fi for chain in ${chains}; do - ${IPTABLESBINARY} -t "${table}" -S "${chain}" | while read -r line; do - readarray -d" " -t array <<< ${line} - c=0 - for i in ${array[@]}; do - if [ "${i}" = "-j" ]; then - let index=c+1 - target="${array[${index}]}" + iptables -t "${table}" -S "${chain}" 2>/dev/zero | while read -r line; do + set -- ${line} + while [ $# -gt 0 ]; do + if [ "${1}" = "-P" ]; then + target="${3}" + shift 3 + elif [ "${1}" = "-j" ]; then + target="${2}" + shift + elif [ "${1}" = "-d" ]; then + dst="${2}" + shift + elif [ "${1}" = "-s" ]; then + src="${2}" + shift + else + shift fi - if [ "${i}" = "-d" ]; then - let index=c+1 - destination="${array[${index}]}" - fi - if [ "${i}" = "-s" ]; then - let index=c+1 - source="${array[${index}]}" - fi - let c++ done # logics if ( [ "${table}" = "filter" ] || [ "${table}" = "security" ] ) && [ "${chain}" = "INPUT" ] && [ "${target}" = "ACCEPT" ] ; then - LogText "Result: Found ACCEPT for ${chainname} (table: ${table})" + LogText "Result: Found ACCEPT for ${chain} (table: ${table})" Display --indent 6 --text "- Checking chain ${chain} (table: ${table}, chain ${chain})" --result "${target}" --color YELLOW AddHP 1 3 fi if ( [ "${table}" = "filter" ] || [ "${table}" = "security" ] ) && [ "${chain}" = "INPUT" ] && [ "${target}" = "DROP" ] ; then - LogText "Result: Found DROP for ${chainname} (table: ${table})" + LogText "Result: Found DROP for ${chain} (table: ${table})" Display --indent 6 --text "- Checking chain ${chain} (table: ${table}, chain ${chain})" --result "${target}" --color GREEN AddHP 3 3 fi if ( [ "${table}" = "filter" ] || [ "${table}" = "security" ] ) && ( [ "${chain}" = "INPUT" ] || [ "${chain}" = "FORWARD" ] || [ "${chain}" = "OUTPUT" ] ) && [ "${target}" = "NFQUEUE" ] ; then - LogText "Result: Found DROP for ${chainname} (table: ${table})" - Display --indent 6 --text "- Checking chain ${chainname} (table: ${table}, chain ${chain})" --result "DROP" 
--color RED + LogText "Result: Found DROP for ${chain} (table: ${table})" + Display --indent 6 --text "- Checking chain ${chain} (table: ${table}, chain ${chain})" --result "NFQUEUE" --color RED ReportSuggestion "${TEST_NO}" "Consider avoid ${target} target if possible (iptables chain ${chain}, table: ${table})" AddHP 0 3 fi done - done - done - + done + done fi - # ################################################################################# # From 13ced756cd86be2cfab0a79df443f2d332cde86e Mon Sep 17 00:00:00 2001 From: nser77 <104022475+nser77@users.noreply.github.com> Date: Tue, 8 Oct 2024 11:59:24 +0200 Subject: [PATCH 227/282] Update tests_firewalls --- include/tests_firewalls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_firewalls b/include/tests_firewalls index 614d0202..e589af2b 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls @@ -116,7 +116,7 @@ chains="INPUT FORWARD OUTPUT" fi for chain in ${chains}; do - iptables -t "${table}" -S "${chain}" 2>/dev/zero | while read -r line; do + ${IPTABLESBINARY} -t "${table}" -S "${chain}" 2>/dev/zero | while read -r line; do set -- ${line} while [ $# -gt 0 ]; do if [ "${1}" = "-P" ]; then From d90413e243302a836326f46a0cf855e1a662a0d8 Mon Sep 17 00:00:00 2001 From: nser77 <104022475+nser77@users.noreply.github.com> Date: Tue, 8 Oct 2024 12:02:07 +0200 Subject: [PATCH 228/282] Update tests_firewalls --- include/tests_firewalls | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/include/tests_firewalls b/include/tests_firewalls index e589af2b..e6dfafbb 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls 
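Review bot: The new line `iptables -t "${table}" -S "${chain}" 2>/dev/zero | while read -r line; do` replaces `${IPTABLESBINARY}` with a bare `iptables`, so the binary resolved earlier by the script is bypassed and the test silently produces nothing where `iptables` is not on `PATH` — and `2>/dev/zero` hides that; keep `${IPTABLESBINARY}` and redirect to `/dev/null`, the conventional sink. The `set -- ${line}` parser still does not reset `target`, `dst` and `src` per line, so a rule lacking `-j` inherits the previous target. `dst` and `src` are assigned but never read in the hunk; if they are reserved for a later check a comment saying so would help, otherwise drop them. The surrounding `for table`/`for chain` loops begin before the hunk.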
@@ -138,18 +138,18 @@ # logics if ( [ "${table}" = "filter" ] || [ "${table}" = "security" ] ) && [ "${chain}" = "INPUT" ] && [ "${target}" = "ACCEPT" ] ; then - LogText "Result: Found ACCEPT for ${chain} (table: ${table})" + LogText "Result: Found ${target} for ${chain} (table: ${table})" Display --indent 6 --text "- Checking chain ${chain} (table: ${table}, chain ${chain})" --result "${target}" --color YELLOW AddHP 1 3 fi if ( [ "${table}" = "filter" ] || [ "${table}" = "security" ] ) && [ "${chain}" = "INPUT" ] && [ "${target}" = "DROP" ] ; then - LogText "Result: Found DROP for ${chain} (table: ${table})" + LogText "Result: Found ${target} for ${chain} (table: ${table})" Display --indent 6 --text "- Checking chain ${chain} (table: ${table}, chain ${chain})" --result "${target}" --color GREEN AddHP 3 3 fi if ( [ "${table}" = "filter" ] || [ "${table}" = "security" ] ) && ( [ "${chain}" = "INPUT" ] || [ "${chain}" = "FORWARD" ] || [ "${chain}" = "OUTPUT" ] ) && [ "${target}" = "NFQUEUE" ] ; then - LogText "Result: Found DROP for ${chain} (table: ${table})" - Display --indent 6 --text "- Checking chain ${chain} (table: ${table}, chain ${chain})" --result "NFQUEUE" --color RED + LogText "Result: Found ${target} for ${chain} (table: ${table})" + Display --indent 6 --text "- Checking chain ${chain} (table: ${table}, chain ${chain})" --result "${target}" --color RED ReportSuggestion "${TEST_NO}" "Consider avoid ${target} target if possible (iptables chain ${chain}, table: ${table})" AddHP 0 3 fi From 2d4ec42696b662001244f69d804a23c9d0631fa2 Mon Sep 17 00:00:00 2001 From: nser77 <104022475+nser77@users.noreply.github.com> Date: Wed, 9 Oct 2024 00:57:16 +0200 Subject: [PATCH 229/282] Update tests_firewalls --- include/tests_firewalls | 152 ++++++++++++++++++++++++++++------------ 1 file changed, 109 insertions(+), 43 deletions(-) diff --git a/include/tests_firewalls b/include/tests_firewalls index e6dfafbb..a73d8fc3 100644 --- a/include/tests_firewalls 
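Review bot: The `ReportSuggestion` text `Consider avoid ${target} target if possible` is ungrammatical and is what users see in the report; `Consider avoiding the ${target} target if possible` reads correctly. The same string is carried unchanged through the later rewrites of this block (commits 229, 233 and 237), so fixing it here saves touching each of them. The `# logics` block continues past the hunk.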
+++ b/include/tests_firewalls 
@@ -109,53 +109,119 @@ Register --test-no FIRE-4508 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check used policies of iptables chains" if [ ${SKIPTEST} -eq 0 ]; then Display --indent 4 --text "- Checking iptables policies of chains" --result "${STATUS_FOUND}" --color GREEN - TABLES="filter nat mangle raw security" - for table in ${TABLES}; do - chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING" - if [ "${table}" = "filter" ]; then - chains="INPUT FORWARD OUTPUT" - fi - for chain in ${chains}; do - ${IPTABLESBINARY} -t "${table}" -S "${chain}" 2>/dev/zero | while read -r line; do - set -- ${line} - while [ $# -gt 0 ]; do - if [ "${1}" = "-P" ]; then - target="${3}" + tables="filter nat mangle raw security" + for t in ${tables} + do + ${iptables_binary} -t "${t}" -S -v -w 1 2>/dev/zero | while read -r line + do + set -- ${line} + while [ $# -gt 0 ] + do + if [ "${1}" = "!" ] + then + not="${1}" + if [ "${2}" = "-d" ] + then + d="${not} ${3}" + shift 3 + elif [ "${2}" = "-s" ] + then + s="${not} ${3}" + shift 3 + elif [ "${2}" = "-i" ] + then + p="${not} ${3}" + shift 3 + elif [ "${2}" = "-o" ] + then + o="${not} ${3}" + shift 3 + elif [ "${2}" = "-f" ] + then + p="${not} ${3}" shift 3 - elif [ "${1}" = "-j" ]; then - target="${2}" - shift - elif [ "${1}" = "-d" ]; then - dst="${2}" - shift - elif [ "${1}" = "-s" ]; then - src="${2}" - shift - else - shift fi - done - - # logics - if ( [ "${table}" = "filter" ] || [ "${table}" = "security" ] ) && [ "${chain}" = "INPUT" ] && [ "${target}" = "ACCEPT" ] ; then - LogText "Result: Found ${target} for ${chain} (table: ${table})" - Display --indent 6 --text "- Checking chain ${chain} (table: ${table}, chain ${chain})" --result "${target}" --color YELLOW - AddHP 1 3 - fi - if ( [ "${table}" = "filter" ] || [ "${table}" = "security" ] ) && [ "${chain}" = "INPUT" ] && [ "${target}" = "DROP" ] ; then - LogText "Result: Found ${target} for ${chain} (table: 
${table})" - Display --indent 6 --text "- Checking chain ${chain} (table: ${table}, chain ${chain})" --result "${target}" --color GREEN - AddHP 3 3 - fi - if ( [ "${table}" = "filter" ] || [ "${table}" = "security" ] ) && ( [ "${chain}" = "INPUT" ] || [ "${chain}" = "FORWARD" ] || [ "${chain}" = "OUTPUT" ] ) && [ "${target}" = "NFQUEUE" ] ; then - LogText "Result: Found ${target} for ${chain} (table: ${table})" - Display --indent 6 --text "- Checking chain ${chain} (table: ${table}, chain ${chain})" --result "${target}" --color RED - ReportSuggestion "${TEST_NO}" "Consider avoid ${target} target if possible (iptables chain ${chain}, table: ${table})" - AddHP 0 3 + shift + elif [ "${1}" = "-P" ] + then + c="${2}" + j="${3}" + shift 3 + elif [ "${1}" = "-A" ] || [ "${1}" = "-N" ] + then + c="${2}" + shift 2 + elif [ "${1}" = "-j" ] + then + j="${2}" + shift + elif [ "${1}" = "-p" ] + then + p="${2}" + shift + elif [ "${1}" = "-d" ] + then + d="${2}" + shift + elif [ "${1}" = "-s" ] + then + s="${2}" + shift + elif [ "${1}" = "-m" ] + then + m="${2}" + shift + elif [ "${1}" = "-g" ] + then + g="${2}" + shift + elif [ "${1}" = "-i" ] + then + i="${2}" + shift + elif [ "${1}" = "-o" ] + then + o="${2}" + shift + elif [ "${1}" = "-f" ] + then + f="${2}" + shift + elif [ "${1}" = "-c" ] + then + pc="${2}" + bc="${3}" + shift 3 + else + shift fi done - done - done + # logics + if [ "${t}" = "filter" ] || [ "${t}" = "security" ] + then + if [ "${c}" = "INPUT" ] && [ "${j}" = "ACCEPT" ] + then + LogText "Result: Found ${j} for ${c} (table: ${t})" + Display --indent 6 --text "- Checking chain ${c} (table: ${t}, chain ${c})" --result "${j}" --color YELLOW + AddHP 1 3 + elif [ "${c}" = "INPUT" ] && [ "${j}" = "DROP" ] + then + LogText "Result: Found ${j} for ${c} (table: ${t})" + Display --indent 6 --text "- Checking chain ${c} (table: ${t}, chain ${c})" --result "${j}" --color GREEN + AddHP 3 3 + elif [ "${c}" = "INPUT" ] || [ "${c}" = "FORWARD" ] || [ "${c}" = "OUTPUT" ] + 
then + if [ "${j}" = "NFQUEUE" ] + then + LogText "Result: Found ${j} for ${c} (table: ${t})" + Display --indent 6 --text "- Checking chain ${c} (table: ${t}, chain ${c})" --result "${j}" --color RED + ReportSuggestion "${TEST_NO}" "Consider avoid ${j} target if possible (iptables chain ${c}, table: ${t})" + AddHP 0 3 + fi + fi + fi + done + done fi # ################################################################################# From d64f4808234da4449d7c29fd8de6280f70a45d0e Mon Sep 17 00:00:00 2001 From: nser77 <104022475+nser77@users.noreply.github.com> Date: Wed, 9 Oct 2024 09:40:01 +0200 Subject: [PATCH 230/282] Update tests_firewalls --- include/tests_firewalls | 27 ++++++++++++++++++--------- 1 file changed, 18 insertions(+), 9 deletions(-) diff --git a/include/tests_firewalls b/include/tests_firewalls index a73d8fc3..89170a0b 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls @@ -112,7 +112,7 @@ tables="filter nat mangle raw security" for t in ${tables} do - ${iptables_binary} -t "${t}" -S -v -w 1 2>/dev/zero | while read -r line + ${IPTABLESBINARY} -t "${t}" -S -v -w 1 2>/dev/zero | while read -r line do set -- ${line} while [ $# -gt 0 ] 
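Review bot: `${iptables_binary}` in the new `-S -v -w 1` line is not the `${IPTABLESBINARY}` the removed line used, so it expands to empty and the whole test runs no command — and with stderr sent to `/dev/zero` it fails silently. In the `!` branch the `-i` and `-f` cases both assign `p="${not} ${3}"` instead of `i`/`f`, and none of `d s p o m g i f pc bc` is read anywhere in the hunk, so the parser could be reduced to the `-P`, `-A`/`-N` and `-j` cases the scoring actually uses. `c` and `j` are not cleared per line, so a rule without `-j` (or an `-N` line) re-scores the previous target, and every `-A INPUT ... -j ACCEPT` rule adds `AddHP 1 3` on top of the policy line — the test description says policies, but the points now count rules. The `if [ ${SKIPTEST} -eq 0 ]` block continues after the hunk.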
@@ -199,16 +199,25 @@ # logics if [ "${t}" = "filter" ] || [ "${t}" = "security" ] then - if [ "${c}" = "INPUT" ] && [ "${j}" = "ACCEPT" ] + if [ "${c}" = "INPUT" ] then - LogText "Result: Found ${j} for ${c} (table: ${t})" - Display --indent 6 --text "- Checking chain ${c} (table: ${t}, chain ${c})" --result "${j}" --color YELLOW - AddHP 1 3 - elif [ "${c}" = "INPUT" ] && [ "${j}" = "DROP" ] + if [ "${j}" = "ACCEPT" ] + then + LogText "Result: Found ${j} for ${c} (table: ${t})" + Display --indent 6 --text "- Checking chain ${c} (table: ${t}, chain ${c})" --result "${j}" --color YELLOW + AddHP 1 3 + elif [ "${j}" = "DROP" ] + then + LogText "Result: Found ${j} for ${c} (table: ${t})" + Display --indent 6 --text "- Checking chain ${c} (table: ${t}, chain ${c})" --result "${j}" --color GREEN + AddHP 3 3 + fi + elif [ "${c}" = "FORWARD" ] then - LogText "Result: Found ${j} for ${c} (table: ${t})" - Display --indent 6 --text "- Checking chain ${c} (table: ${t}, chain ${c})" --result "${j}" --color GREEN - AddHP 3 3 + : + elif [ "${c}" = "OUTPUT" ] + then + : elif [ "${c}" = "INPUT" ] || [ "${c}" = "FORWARD" ] || [ "${c}" = "OUTPUT" ] then if [ "${j}" = "NFQUEUE" ] From 5d50814f04d6b23895a590eaf4b3e406adc7fef5 Mon Sep 17 00:00:00 2001 From: nser77 <104022475+nser77@users.noreply.github.com> Date: Wed, 9 Oct 2024 12:24:18 +0200 Subject: [PATCH 231/282] Update tests_firewalls --- include/tests_firewalls | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/include/tests_firewalls b/include/tests_firewalls index 89170a0b..1d41e0e6 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls @@ -218,7 +218,8 @@ elif [ "${c}" = "OUTPUT" ] then : - elif [ "${c}" = "INPUT" ] || [ "${c}" = "FORWARD" ] || [ "${c}" = "OUTPUT" ] + fi + if [ "${c}" = "INPUT" ] || [ "${c}" = "FORWARD" ] || [ "${c}" = "OUTPUT" ] then if [ "${j}" = "NFQUEUE" ] then 
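Review bot: The NFQUEUE check is now unreachable: it hangs off `elif [ "${c}" = "INPUT" ] || [ "${c}" = "FORWARD" ] || [ "${c}" = "OUTPUT" ]`, but the preceding `if`/`elif` arms already match INPUT, FORWARD and OUTPUT (the last two with a bare `:`), so control never reaches it and the `ReportSuggestion` for NFQUEUE is dead code. Closing the first chain with `fi` and starting a separate `if [ "${c}" = "INPUT" ] || [ "${c}" = "FORWARD" ] || [ "${c}" = "OUTPUT" ]` restores it, and the empty FORWARD/OUTPUT arms can then be dropped. The `# logics` block this hunk edits continues past the hunk.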
@@ -231,6 +232,7 @@ fi done done + # resume fi # ################################################################################# From 99409e04a22ebb124bf370168f446fe690ec948e Mon Sep 17 00:00:00 2001 From: CloudyProton <34248863+CloudyProton@users.noreply.github.com> Date: Thu, 10 Oct 2024 00:29:32 +0000 Subject: [PATCH 232/282] Include powerpc64le on tests_authentication Add check for powerpc64le-linux-gnu location in PAM_FILE_LOCATIONS --- include/tests_authentication | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_authentication b/include/tests_authentication index f936619f..cea49440 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -25,7 +25,7 @@ LDAP_AUTH_ENABLED=0 LDAP_PAM_ENABLED=0 LDAP_CONF_LOCATIONS="${ROOTDIR}etc/ldap.conf ${ROOTDIR}etc/ldap/ldap.conf ${ROOTDIR}etc/openldap/ldap.conf ${ROOTDIR}usr/local/etc/ldap.conf ${ROOTDIR}usr/local/etc/openldap/ldap.conf" - PAM_FILE_LOCATIONS="${ROOTDIR}usr/lib/aarch64-linux-gnu/security ${ROOTDIR}lib/arm-linux-gnueabihf/security ${ROOTDIR}lib/i386-linux-gnu/security ${ROOTDIR}lib/security ${ROOTDIR}lib/x86_64-linux-gnu/security ${ROOTDIR}lib64/security ${ROOTDIR}usr/lib /usr/lib/security" + PAM_FILE_LOCATIONS="${ROOTDIR}usr/lib/aarch64-linux-gnu/security ${ROOTDIR}lib/arm-linux-gnueabihf/security ${ROOTDIR}lib/i386-linux-gnu/security ${ROOTDIR}lib/security ${ROOTDIR}lib/x86_64-linux-gnu/security ${ROOTDIR}lib/powerpc64le-linux-gnu/security ${ROOTDIR}lib64/security ${ROOTDIR}usr/lib /usr/lib/security" SUDOERS_LOCATIONS="${ROOTDIR}etc/sudoers ${ROOTDIR}usr/local/etc/sudoers ${ROOTDIR}usr/pkg/etc/sudoers" SUDOERS_FILE="" # From fa9082ab77c198fdcd6c98ea43a33b35c47e9bcf Mon Sep 17 00:00:00 2001 
From: nser77 <104022475+nser77@users.noreply.github.com> Date: Thu, 10 Oct 2024 12:31:05 +0200 Subject: [PATCH 233/282] Update tests_firewalls --- include/tests_firewalls | 224 +++++++++++++++++++++------------------- 1 file changed, 118 insertions(+), 106 deletions(-) diff --git a/include/tests_firewalls b/include/tests_firewalls index 1d41e0e6..d8d9ce0b 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls 
@@ -112,127 +112,139 @@ tables="filter nat mangle raw security" for t in ${tables} do - ${IPTABLESBINARY} -t "${t}" -S -v -w 1 2>/dev/zero | while read -r line - do - set -- ${line} - while [ $# -gt 0 ] + ${IPTABLESBINARY} -t "${t}" -S -v -w 1 2>/dev/zero | + { + while read -r line do - if [ "${1}" = "!" ] - then - not="${1}" - if [ "${2}" = "-d" ] + set -- ${line} + while [ $# -gt 0 ] + do + if [ "${1}" = "!" ] then - d="${not} ${3}" - shift 3 - elif [ "${2}" = "-s" ] + not="${1}" + if [ "${2}" = "-d" ] + then + d="${not} ${3}" + shift 3 + elif [ "${2}" = "-s" ] + then + s="${not} ${3}" + shift 3 + elif [ "${2}" = "-i" ] + then + p="${not} ${3}" + shift 3 + elif [ "${2}" = "-o" ] + then + o="${not} ${3}" + shift 3 + elif [ "${2}" = "-f" ] + then + p="${not} ${3}" + shift 3 + fi + shift + elif [ "${1}" = "-P" ] then - s="${not} ${3}" + c="${2}" + j="${3}" shift 3 - elif [ "${2}" = "-i" ] + elif [ "${1}" = "-A" ] || [ "${1}" = "-N" ] then - p="${not} ${3}" - shift 3 - elif [ "${2}" = "-o" ] + c="${2}" + shift 2 + elif [ "${1}" = "-j" ] then - o="${not} ${3}" - shift 3 - elif [ "${2}" = "-f" ] + j="${2}" + shift + elif [ "${1}" = "-p" ] then - p="${not} ${3}" + p="${2}" + shift + elif [ "${1}" = "-d" ] + then + d="${2}" + shift + elif [ "${1}" = "-s" ] + then + s="${2}" + shift + elif [ "${1}" = "-m" ] + then + m="${2}" + shift + elif [ "${1}" = "-g" ] + then + g="${2}" + shift + elif [ "${1}" = "-i" ] + then + i="${2}" + shift + elif [ "${1}" = "-o" ] + then + o="${2}" + shift + elif [ "${1}" = "-f" ] + then + f="${2}" + shift + elif [ "${1}" = "-c" ] + then + pc="${2}" + bc="${3}" shift 3 + else + shift fi - shift - elif [ "${1}" = "-P" ] + done + # logics + if [ "${t}" = "filter" ] || [ "${t}" = "security" ] then - c="${2}" - j="${3}" - shift 3 - elif [ "${1}" = "-A" ] || [ "${1}" = "-N" ] - then - c="${2}" - shift 2 - elif [ "${1}" = "-j" ] - then - j="${2}" - shift - elif [ "${1}" = "-p" ] - then - p="${2}" - shift - elif [ "${1}" = "-d" ] - then - d="${2}" - 
shift - elif [ "${1}" = "-s" ] - then - s="${2}" - shift - elif [ "${1}" = "-m" ] - then - m="${2}" - shift - elif [ "${1}" = "-g" ] - then - g="${2}" - shift - elif [ "${1}" = "-i" ] - then - i="${2}" - shift - elif [ "${1}" = "-o" ] - then - o="${2}" - shift - elif [ "${1}" = "-f" ] - then - f="${2}" - shift - elif [ "${1}" = "-c" ] - then - pc="${2}" - bc="${3}" - shift 3 - else - shift + if [ "${c}" = "INPUT" ] + then + if [ "${j}" = "ACCEPT" ] + then + errqueue="${errqueue}\n${t} ${c} ${j} YELLOW" + AddHP 1 3 + elif [ "${j}" = "DROP" ] + then + errqueue="${errqueue}\n${t} ${c} ${j} GREEN" + AddHP 3 3 + fi + elif [ "${c}" = "FORWARD" ] + then + : + elif [ "${c}" = "OUTPUT" ] + then + : + fi + if [ "${c}" = "INPUT" ] || [ "${c}" = "FORWARD" ] || [ "${c}" = "OUTPUT" ] + then + if [ "${j}" = "NFQUEUE" ] + then + errqueue="${errqueue}\n${t} ${c} ${j} RED" + AddHP 0 3 + fi + fi fi done - # logics - if [ "${t}" = "filter" ] || [ "${t}" = "security" ] - then - if [ "${c}" = "INPUT" ] - then - if [ "${j}" = "ACCEPT" ] + # resume + echo ${errqueue} | ${SORTBINARY} -u | while read -r eq + do + set -- ${eq} + while [ $# -gt 0 ] + do + Display --indent 6 --text "Checking chain ${2} (table: ${1}, target: ${3})" --result "${3}" --color "${4}" + if [ "${3}" = "NFQUEUE" ] then - LogText "Result: Found ${j} for ${c} (table: ${t})" - Display --indent 6 --text "- Checking chain ${c} (table: ${t}, chain ${c})" --result "${j}" --color YELLOW - AddHP 1 3 - elif [ "${j}" = "DROP" ] - then - LogText "Result: Found ${j} for ${c} (table: ${t})" - Display --indent 6 --text "- Checking chain ${c} (table: ${t}, chain ${c})" --result "${j}" --color GREEN - AddHP 3 3 + ReportSuggestion "${TEST_NO}" "Consider avoid ${3} target if possible (iptables chain ${2}, table: ${1})" fi - elif [ "${c}" = "FORWARD" ] - then - : - elif [ "${c}" = "OUTPUT" ] - then - : - fi - if [ "${c}" = "INPUT" ] || [ "${c}" = "FORWARD" ] || [ "${c}" = "OUTPUT" ] - then - if [ "${j}" = "NFQUEUE" ] - then - LogText 
"Result: Found ${j} for ${c} (table: ${t})" - Display --indent 6 --text "- Checking chain ${c} (table: ${t}, chain ${c})" --result "${j}" --color RED - ReportSuggestion "${TEST_NO}" "Consider avoid ${j} target if possible (iptables chain ${c}, table: ${t})" - AddHP 0 3 - fi - fi - fi - done + shift 4 + done + done + } done - # resume fi # ################################################################################# From b5d86daabb340587dea0483891acb6f171c3f4f1 Mon Sep 17 00:00:00 2001 From: nser77 <104022475+nser77@users.noreply.github.com> Date: Thu, 10 Oct 2024 13:06:57 +0200 Subject: [PATCH 234/282] Update tests_firewalls --- include/tests_firewalls | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/tests_firewalls b/include/tests_firewalls index d8d9ce0b..ab810596 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls @@ -114,7 +114,7 @@ do ${IPTABLESBINARY} -t "${t}" -S -v -w 1 2>/dev/zero | { - while read -r line + while IFS="\n" read -r line do set -- ${line} while [ $# -gt 0 ] @@ -230,7 +230,7 @@ fi done # resume - echo ${errqueue} | ${SORTBINARY} -u | while read -r eq + echo ${errqueue} | ${SORTBINARY} -u | while IFS="\n" read -r eq do set -- ${eq} while [ $# -gt 0 ] From 8918445e2c910527760295c2e5ebb05b8653b768 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Thu, 10 Oct 2024 13:03:11 +0000 Subject: [PATCH 235/282] [BOOT-5264] Change output and link to clarify options --- include/tests_boot_services | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/include/tests_boot_services b/include/tests_boot_services index 967b98a6..8a11014f 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services 
@@ -1090,6 +1090,8 @@ if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Run systemd-analyze security" Display --indent 2 --text "- Running 'systemd-analyze security'" + Display --indent 6 --text "Unit name (exposure value) and predicate" + Display --indent 6 --text "--------------------------------" ${SYSTEMDANALYZEBINARY} security | while read UNIT EXPOSURE PREDICATE HAPPY; do if [ "${UNIT}" = "UNIT" ]; then continue @@ -1111,13 +1113,13 @@ ;; UNSAFE | DANGEROUS) STATUS="${STATUS_UNSAFE}" - COLOR=RED + COLOR=YELLOW ;; esac - Display --indent 8 --text "- ${UNIT}:" --result "${STATUS}" --color "${COLOR}" - LogText "Result: ${UNIT}: ${EXPOSURE} ${STATUS}" + Display --indent 4 --text "- ${UNIT} (value=${EXPOSURE})" --result "${STATUS}" --color "${COLOR}" + LogText "Result: ${UNIT} has exposure value ${EXPOSURE} with predicate '${STATUS}'" done - ReportSuggestion "${TEST_NO}" "Consider hardening system services" "Run '${SYSTEMDANALYZEBINARY} security SERVICE' for each service" + ReportSuggestion "${TEST_NO}" "Consider hardening system services" "Run '${SYSTEMDANALYZEBINARY} security SERVICE' for each service" "Learn about systemd features to secure services: https://linux-audit.com/systemd/systemd-features-to-secure-units-and-services/" fi # ################################################################################# From 86aa1b3bcc75721c3639be082dcc9c6f0c749a7e Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Thu, 10 Oct 2024 13:04:01 +0000 Subject: [PATCH 236/282] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index ca3f9067..f91c58df 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
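Review bot: The two new header lines are printed at `--indent 6` while the per-unit rows that follow were moved to `--indent 4`, so the column header sits to the right of the data it labels; both should share `--indent 4`, and the dashed rule is shorter than the header text above it. `ReportSuggestion` is now called with a fourth argument carrying the URL — if the function only reads three (not visible here) the link is silently ignored, and commit 238 adds `db/control-links.db` with an entry for this very control, which may make the inline URL redundant. Downgrading UNSAFE/DANGEROUS from `RED` to `YELLOW` changes how an exposure finding is presented; a one-line comment such as `# YELLOW: exposure is informational here, hardening is suggested below` would tell future readers why. The `while read UNIT EXPOSURE PREDICATE HAPPY` in context lacks `-r`, a pre-existing nit; the `if [ ${SKIPTEST} -eq 0 ]` block opens before the hunk.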
@@ -6,6 +6,7 @@ - Detection of Buildroot, Fedora Linux Asahi Remix, Garden Linux, Peppermint OS ### Changed +- BOOT-5264 - Changed output of systemd-analyze test and added link - FILE-6398 - Only perform test if we know if Linux kernel is monolithic/modular - FIRE-4508 - Several changes to expand the test, make it more generic, resolve minor issues - KRNL-5622 - Test if systemctl binary is set From 0891d2693e61bd41228517951565d4b05245b2aa Mon Sep 17 00:00:00 2001 From: nser77 <104022475+nser77@users.noreply.github.com> Date: Fri, 11 Oct 2024 11:04:56 +0200 Subject: [PATCH 237/282] Update tests_firewalls --- include/tests_firewalls | 80 ++++------------------------------------- 1 file changed, 7 insertions(+), 73 deletions(-) diff --git a/include/tests_firewalls b/include/tests_firewalls index ab810596..25f3dff3 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls @@ -112,39 +112,14 @@ tables="filter nat mangle raw security" for t in ${tables} do - ${IPTABLESBINARY} -t "${t}" -S -v -w 1 2>/dev/zero | + ${IPTABLESBINARY} -t "${t}" -S -w 1 2>/dev/zero | { while IFS="\n" read -r line do set -- ${line} while [ $# -gt 0 ] do - if [ "${1}" = "!" ] - then - not="${1}" - if [ "${2}" = "-d" ] - then - d="${not} ${3}" - shift 3 - elif [ "${2}" = "-s" ] - then - s="${not} ${3}" - shift 3 - elif [ "${2}" = "-i" ] - then - p="${not} ${3}" - shift 3 - elif [ "${2}" = "-o" ] - then - o="${not} ${3}" - shift 3 - elif [ "${2}" = "-f" ] - then - p="${not} ${3}" - shift 3 - fi - shift - elif [ "${1}" = "-P" ] + if [ "${1}" = "-P" ] then c="${2}" j="${3}" 
@@ -157,43 +132,6 @@ then j="${2}" shift - elif [ "${1}" = "-p" ] - then - p="${2}" - shift - elif [ "${1}" = "-d" ] - then - d="${2}" - shift - elif [ "${1}" = "-s" ] - then - s="${2}" - shift - elif [ "${1}" = "-m" ] - then - m="${2}" - shift - elif [ "${1}" = "-g" ] - then - g="${2}" - shift - elif [ "${1}" = "-i" ] - then - i="${2}" - shift - elif [ "${1}" = "-o" ] - then - o="${2}" - shift - elif [ "${1}" = "-f" ] - then - f="${2}" - shift - elif [ "${1}" = "-c" ] - then - pc="${2}" - bc="${3}" - shift 3 else shift fi @@ -212,12 +150,6 @@ errqueue="${errqueue}\n${t} ${c} ${j} GREEN" AddHP 3 3 fi - elif [ "${c}" = "FORWARD" ] - then - : - elif [ "${c}" = "OUTPUT" ] - then - : fi if [ "${c}" = "INPUT" ] || [ "${c}" = "FORWARD" ] || [ "${c}" = "OUTPUT" ] then @@ -230,12 +162,14 @@ fi done # resume - echo ${errqueue} | ${SORTBINARY} -u | while IFS="\n" read -r eq + if [ ! "${SORTBINARY}" = "" ]; then eq="$( echo "${errqueue}" | ${SORTBINARY} -u )"; else eq="${errqueue}"; fi + echo "${eq}" | while IFS="\n" read -r eql do - set -- ${eq} + set -- ${eql} while [ $# -gt 0 ] do - Display --indent 6 --text "Checking chain ${2} (table: ${1}, target: ${3})" --result "${3}" --color "${4}" + LogText "Result: Found ${3} for ${2} (table: ${1})" + Display --indent 6 --text "- Checking chain ${2} (table: ${1}, target: ${3})" --result "${3}" --color "${4}" if [ "${3}" = "NFQUEUE" ] then ReportSuggestion "${TEST_NO}" "Consider avoid ${3} target if possible (iptables chain ${2}, table: ${1})" From e5462afb159c3c9542d58248653634521fedd9c6 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 11 Oct 2024 11:14:31 +0000 Subject: [PATCH 238/282] Added support for blog posts and articles to support suggestions --- db/control-links.db | 4 ++++ include/report | 12 +++++++++--- 2 files changed, 13 insertions(+), 3 deletions(-) create mode 100644 db/control-links.db diff --git a/db/control-links.db b/db/control-links.db new file mode 100644 index 00000000..c2606e93 --- /dev/null 
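Review bot: The new `eq="$( echo "${errqueue}" | ${SORTBINARY} -u )"` depends on `echo` converting the literal `\n` separators that `errqueue` is built with into newlines, which only happens in shells whose `echo` interprets escapes (dash does, bash's builtin does not by default). Under bash the queue stays a single line containing tokens like `\nfilter`, so `sort -u` has nothing to sort and the later `set -- ${eql}` splits on corrupted fields. Building the queue with a real newline, e.g. via `printf '%s\n'` or a quoted literal newline, makes the behaviour independent of the `echo` implementation. The loop that consumes `eql` continues past the end of this hunk.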
+++ b/db/control-links.db @@ -0,0 +1,4 @@ +# Links for controls pointing to informational pages. Note: only links managed by the project are allowed (cisofy.com / linux-audit.com) +# Format: Control;Text;Link; +BOOT-5264;blog;Systemd features to secure service files;https://linux-audit.com/systemd/systemd-features-to-secure-units-and-services/; +# EOF diff --git a/include/report b/include/report index ec5f3f66..55791039 100644 --- a/include/report +++ b/include/report @@ -161,7 +161,8 @@ for SUGGESTION in ${SUGGESTIONS}; do SOLUTION="" SHOWSUGGESTION=$(echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^.* Suggestion: //' | sed 's/\[details:\(.*\)\] \[solution:\(.*\)\]//' | sed 's/test://') - ADDLINK=$(echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^.* Suggestion: \(.*\)\[test://' | sed 's/\]\(.*\)]//' | ${AWKBINARY} -F: '{print $1}') + RELATED_CONTROL=$(echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^.* Suggestion: \(.*\)\[test://' | sed 's/\]\(.*\)]//' | ${AWKBINARY} -F: '{print $1}') + ADDLINK="${RELATED_CONTROL}" DETAILS=$(echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^.* Suggestion: \(.*\)\[details://' | sed 's/\]\(.*\)]//') SUGGESTION_PIECES=$(echo ${SUGGESTION} | sed 's/\[/ [/g') for PIECE in ${SUGGESTION_PIECES}; do 
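Review bot: The `# Format: Control;Text;Link;` header does not describe the record that follows it, `BOOT-5264;blog;Systemd features to secure service files;https://...;`, which has four fields (control, type, text, link), and the report code in this same commit selects rows by the second field being `blog`. The header should read `# Format: Control;Type;Text;Link;` so that anyone adding an entry knows the type column exists and which value the report matches on.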
@@ -174,10 +175,15 @@ echo " ${YELLOW}*${NORMAL} ${SHOWSUGGESTION}" if [ ! "${DETAILS}" = "-" -a -n "${DETAILS}" ]; then echo " - Details : ${CYAN}${DETAILS}${NORMAL}"; fi if [ ${SHOW_REPORT_SOLUTION} -eq 1 -a ! "${SOLUTION}" = "-" ]; then echo " - Solution : ${SOLUTION}"; fi + # Show relevant articles if the database is available + if [ -f ${DBDIR}/control-links.db ]; then + echo " - Related resources:" + $AWKBINARY -F \; -v control=${RELATED_CONTROL} '{if($1==control && $2=="blog"){print " * Article - "$3": "$4}}' "${DBDIR}/control-links.db" + fi if [ -z "${IS_CUSTOM}" ]; then - echo " ${GRAY}${CONTROL_URL_PROTOCOL}://${CONTROL_URL_PREPEND}${ADDLINK}${CONTROL_URL_APPEND}${NORMAL}" + echo " * Website - ${GRAY}${CONTROL_URL_PROTOCOL}://${CONTROL_URL_PREPEND}${ADDLINK}${CONTROL_URL_APPEND}${NORMAL}" else - echo " ${GRAY}${CUSTOM_URL_PROTOCOL}://${CUSTOM_URL_PREPEND}${ADDLINK}${CUSTOM_URL_APPEND}${NORMAL}" + echo " * Details - ${GRAY}${CUSTOM_URL_PROTOCOL}://${CUSTOM_URL_PREPEND}${ADDLINK}${CUSTOM_URL_APPEND}${NORMAL}" fi echo "" done From e84af49ada22d58c10206ae8f4fc3781755e724b Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 11 Oct 2024 11:15:08 +0000 Subject: [PATCH 239/282] Remove text suggestion as it is replaced with more generic method --- include/tests_boot_services | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_boot_services b/include/tests_boot_services index 8a11014f..a9a926a0 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services 
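Review bot: The heading `echo " - Related resources:"` is printed only when `${DBDIR}/control-links.db` exists, yet the `* Website -` and `* Details -` lines that follow are now formatted as bullets under that heading and print unconditionally, so on a system without the database the bullets appear with no heading above them. Moving the heading in front of the `if [ -f ... ]` block keeps the output shape the same in both cases. Separately, `-v control=${RELATED_CONTROL}` and the `-f` test use unquoted expansions; `-v control="${RELATED_CONTROL}"` and `[ -f "${DBDIR}/control-links.db" ]` avoid word splitting should either value ever contain whitespace.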
@@ -1119,7 +1119,7 @@ Display --indent 4 --text "- ${UNIT} (value=${EXPOSURE})" --result "${STATUS}" --color "${COLOR}" LogText "Result: ${UNIT} has exposure value ${EXPOSURE} with predicate '${STATUS}'" done - ReportSuggestion "${TEST_NO}" "Consider hardening system services" "Run '${SYSTEMDANALYZEBINARY} security SERVICE' for each service" "Learn about systemd features to secure services: https://linux-audit.com/systemd/systemd-features-to-secure-units-and-services/" + ReportSuggestion "${TEST_NO}" "Consider hardening system services" "Run '${SYSTEMDANALYZEBINARY} security SERVICE' for each service" fi # ################################################################################# From f3ffbb0b486661d4da840d3c791c8bc9e6c073e0 Mon Sep 17 00:00:00 2001 From: nser77 <104022475+nser77@users.noreply.github.com> Date: Fri, 11 Oct 2024 15:24:20 +0200 Subject: [PATCH 240/282] Update tests_firewalls --- include/tests_firewalls | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/include/tests_firewalls b/include/tests_firewalls index 25f3dff3..f55f74e3 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls 
@@ -165,17 +165,19 @@ if [ ! "${SORTBINARY}" = "" ]; then eq="$( echo "${errqueue}" | ${SORTBINARY} -u )"; else eq="${errqueue}"; fi echo "${eq}" | while IFS="\n" read -r eql do - set -- ${eql} - while [ $# -gt 0 ] - do - LogText "Result: Found ${3} for ${2} (table: ${1})" - Display --indent 6 --text "- Checking chain ${2} (table: ${1}, target: ${3})" --result "${3}" --color "${4}" - if [ "${3}" = "NFQUEUE" ] - then - ReportSuggestion "${TEST_NO}" "Consider avoid ${3} target if possible (iptables chain ${2}, table: ${1})" - fi - shift 4 - done + if [ ! "$eql" = "" ] + then + set -- ${eql} + while [ $# -gt 0 ] + do + Display --indent 6 --text "- Checking chain ${2} (table: ${1}, target: ${3})" --result "${3}" --color "${4}" + if [ "${3}" = "NFQUEUE" ] + then + ReportSuggestion "${TEST_NO}" "Consider avoid ${3} target if possible (iptables chain ${2}, table: ${1})" + fi + shift 4 + done + fi done } done From ae5813fecc2fa742528dd29057cb9a3d8a241098 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sun, 13 Oct 2024 12:43:53 +0000 Subject: [PATCH 241/282] Update links and improve readability of articles --- db/control-links.db | 30 ++++++++++++++++++++++++++++++ include/report | 16 ++++++++++++---- 2 files changed, 42 insertions(+), 4 deletions(-) diff --git a/db/control-links.db b/db/control-links.db index c2606e93..78752119 100644 --- a/db/control-links.db +++ b/db/control-links.db 
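Review bot: Besides adding the empty-line guard, this hunk drops `LogText "Result: Found ${3} for ${2} (table: ${1})"` without a replacement, so each chain result is still shown via `Display` but is no longer written to the log file. If the removal was not intended, restore that line directly before the `Display` call inside the new `if [ ! "$eql" = "" ]` block. `[ -n "$eql" ]` would also be the more direct spelling of that guard.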
@@ -1,4 +1,34 @@ # Links for controls pointing to informational pages. Note: only links managed by the project are allowed (cisofy.com / linux-audit.com) # Format: Control;Text;Link; +ACCT-9628;blog;Linux audit framework 101: basic rules for configuration;https://linux-audit.com/linux-audit-framework-101-basic-rules-for-configuration/; +ACCT-9628;blog;Monitoring Linux file access, changes and data modifications;https://linux-audit.com/monitoring-linux-file-access-changes-and-modifications/; +AUTH-9228;blog;File integrity of password files;https://linux-audit.com/file-integrity-of-password-files/; +AUTH-9262;blog;Configure minimum password length for Linux systems;https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/; +AUTH-9286;blog;Configure minimum password length for Linux systems;https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/; +BANN-7126;blog;The real purpose of login banners;https://linux-audit.com/the-real-purpose-of-login-banners-on-linux/; +BANN-7130;blog;The real purpose of login banners;https://linux-audit.com/the-real-purpose-of-login-banners-on-linux/; BOOT-5264;blog;Systemd features to secure service files;https://linux-audit.com/systemd/systemd-features-to-secure-units-and-services/; +FINT-4350;blog;Monitoring Linux file access, changes and data modifications;https://linux-audit.com/monitoring-linux-file-access-changes-and-modifications/; +FINT-4350;blog;Monitor for file changes on Linux;https://linux-audit.com/monitor-for-file-system-changes-on-linux/; +HTTP-6704;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/; +HTTP-6706;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/; +HTTP-6708;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/; +HTTP-6710;blog;Nginx security hardening 
guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/; +HTTP-6712;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/; +HTTP-6714;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/; +HTTP-6716;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/; +HTTP-6720;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/; +INSE-8116;blgo;Find and Disable Insecure Services on Linux;https://linux-audit.com/find-disable-insecure-services-linux/; +MAIL-8816;blog;Postfix Hardening Guide for Security and Privacy;https://linux-audit.com/postfix-hardening-guide-for-security-and-privacy/; +MAIL-8817;blog;Postfix Hardening Guide for Security and Privacy;https://linux-audit.com/postfix-hardening-guide-for-security-and-privacy/; +MAIL-8818;blog;Postfix Hardening Guide for Security and Privacy;https://linux-audit.com/postfix-hardening-guide-for-security-and-privacy/; +MAIL-8820;blog;Postfix Hardening Guide for Security and Privacy;https://linux-audit.com/postfix-hardening-guide-for-security-and-privacy/; +NAME-4402;blog;Keeping your /etc/hosts file healthy;https://linux-audit.com/is-your-etc-hosts-file-healthy/; +NAME-4404;blog;Keeping your /etc/hosts file healthy;https://linux-audit.com/is-your-etc-hosts-file-healthy/; +NETW-2600;blog;Linux Security Guide for Hardening IPv6;https://linux-audit.com/linux-security-guide-for-hardening-ipv6/; +SSH-7402;blog;OpenSSH security and hardening;https://linux-audit.com/audit-and-harden-your-ssh-configuration/; +SSH-7404;blog;OpenSSH security and hardening;https://linux-audit.com/audit-and-harden-your-ssh-configuration/; +SSH-7406;blog;OpenSSH security and hardening;https://linux-audit.com/audit-and-harden-your-ssh-configuration/; +SSH-7408;blog;OpenSSH security and 
hardening;https://linux-audit.com/audit-and-harden-your-ssh-configuration/; +SSH-7440;blog;OpenSSH security and hardening;https://linux-audit.com/audit-and-harden-your-ssh-configuration/; # EOF diff --git a/include/report b/include/report index 55791039..9aa7f3c9 100644 --- a/include/report +++ b/include/report @@ -177,13 +177,21 @@ if [ ${SHOW_REPORT_SOLUTION} -eq 1 -a ! "${SOLUTION}" = "-" ]; then echo " - Solution : ${SOLUTION}"; fi # Show relevant articles if the database is available if [ -f ${DBDIR}/control-links.db ]; then - echo " - Related resources:" - $AWKBINARY -F \; -v control=${RELATED_CONTROL} '{if($1==control && $2=="blog"){print " * Article - "$3": "$4}}' "${DBDIR}/control-links.db" + echo " - Related resources" + ARTICLES=$($AWKBINARY -F \; -v control=${RELATED_CONTROL} '{if($1==control && $2=="blog"){print $2";"$3";"$4";"}}' "${DBDIR}/control-links.db" | sed 's/ /!space!/g') + if [ -n "${ARTICLES}" ]; then + for ITEM in ${ARTICLES}; do + ITEM=$(echo ${ITEM} | sed 's/!space!/ /g') + ARTICLE=$(echo ${ITEM} | awk -F\; '{print $2}') + ARTICLE_LINK=$(echo ${ITEM} | awk -F\; '{print $3}') + echo " * Article: ${CYAN}${ARTICLE}${NORMAL}: ${ARTICLE_LINK}" + done + fi fi if [ -z "${IS_CUSTOM}" ]; then - echo " * Website - ${GRAY}${CONTROL_URL_PROTOCOL}://${CONTROL_URL_PREPEND}${ADDLINK}${CONTROL_URL_APPEND}${NORMAL}" + echo " * Website: ${GRAY}${CONTROL_URL_PROTOCOL}://${CONTROL_URL_PREPEND}${ADDLINK}${CONTROL_URL_APPEND}${NORMAL}" else - echo " * Details - ${GRAY}${CUSTOM_URL_PROTOCOL}://${CUSTOM_URL_PREPEND}${ADDLINK}${CUSTOM_URL_APPEND}${NORMAL}" + echo " * Details: ${GRAY}${CUSTOM_URL_PROTOCOL}://${CUSTOM_URL_PREPEND}${ADDLINK}${CUSTOM_URL_APPEND}${NORMAL}" fi echo "" done From 6cdf0ad1390f03494642da29ff1ec7bee9083ec5 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 14 Oct 2024 09:45:01 +0200 Subject: [PATCH 242/282] Update CHANGELOG.md --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
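Review bot: The new record `INSE-8116;blgo;Find and Disable Insecure Services on Linux;...` misspells the type column as `blgo`, and because the report code only selects rows whose second field equals `blog`, this entry is silently never shown. Change it to `INSE-8116;blog;...`. A small check that every second field is one of the known types would catch this class of typo in future additions.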
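Review bot: The new loop extracts fields with bare `awk` (`ARTICLE=$(echo ${ITEM} | awk -F\; '{print $2}')` and the `ARTICLE_LINK` line below it), whereas the `ARTICLES=` line two lines above and the rest of this file go through `${AWKBINARY}`; on a system where `awk` is not on PATH but the binary was located during discovery, the article title and link come out empty. Use `${AWKBINARY}` in both extractions, and quote `echo "${ITEM}"` so a title containing glob characters is not expanded. A single awk invocation printing both fields would also avoid two extra processes per article.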
diff --git a/CHANGELOG.md b/CHANGELOG.md index f91c58df..568cfdef 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,13 +4,14 @@ ### Added - Detection of Buildroot, Fedora Linux Asahi Remix, Garden Linux, Peppermint OS +- Support for blog posts and articles to enhance suggestions ### Changed - BOOT-5264 - Changed output of systemd-analyze test and added link - FILE-6398 - Only perform test if we know if Linux kernel is monolithic/modular - FIRE-4508 - Several changes to expand the test, make it more generic, resolve minor issues - KRNL-5622 - Test if systemctl binary is set -- Update of translations: Russian +- Update of translations: Italian, Russian --------------------------------------------------------------------------------- From d61ac72d49282daa1136aebddab13ff2ce62e681 Mon Sep 17 00:00:00 2001 From: nser77 <104022475+nser77@users.noreply.github.com> Date: Mon, 14 Oct 2024 11:13:39 +0200 Subject: [PATCH 243/282] Update tests_firewalls --- include/tests_firewalls | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/tests_firewalls b/include/tests_firewalls index f55f74e3..be8bb083 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls @@ -114,7 +114,7 @@ do ${IPTABLESBINARY} -t "${t}" -S -w 1 2>/dev/zero | { - while IFS="\n" read -r line + while IFS="$(printf '\n')" read -r line do set -- ${line} while [ $# -gt 0 ] @@ -163,7 +163,7 @@ done # resume if [ ! "${SORTBINARY}" = "" ]; then eq="$( echo "${errqueue}" | ${SORTBINARY} -u )"; else eq="${errqueue}"; fi - echo "${eq}" | while IFS="\n" read -r eql + echo "${eq}" | while IFS="$(printf '\n')" read -r eql do if [ ! "$eql" = "" ] then From 06b220e503d23375a142376dee95fefa0ce270b7 Mon Sep 17 00:00:00 2001 From: nser77 <104022475+nser77@users.noreply.github.com> Date: Mon, 14 Oct 2024 12:10:58 +0200 Subject: [PATCH 244/282] Update tests_firewalls --- include/tests_firewalls | 49 +++++++++++++++++++++++------------------ 1 file changed, 27 insertions(+), 22 deletions(-) 
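Review bot: `IFS="$(printf '\n')"` does not set IFS to a newline: command substitution strips trailing newlines, so IFS becomes the empty string. The loop still behaves because an empty IFS disables field splitting and `read -r` into a single variable keeps the whole line, but the expression claims something it does not do; `IFS= read -r line` states the intent directly. The same construct is introduced in the second hunk of this commit (`@@ -163,7 +163,7 @@`).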
diff --git a/include/tests_firewalls b/include/tests_firewalls
index be8bb083..831c19b2 100644
--- a/include/tests_firewalls
+++ b/include/tests_firewalls
@@ -109,65 +109,70 @@ Register --test-no FIRE-4508 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check used policies of iptables chains" if [ ${SKIPTEST} -eq 0 ]; then Display --indent 4 --text "- Checking iptables policies of chains" --result "${STATUS_FOUND}" --color GREEN - tables="filter nat mangle raw security" - for t in ${tables} + IPTABLES_TABLES="filter nat mangle raw security" + for IPTABLES_TABLE in ${IPTABLES_TABLES} do - ${IPTABLESBINARY} -t "${t}" -S -w 1 2>/dev/zero | + ${IPTABLESBINARY} -t "${IPTABLES_TABLE}" --list-rules --wait 1 2>/dev/zero | { - while IFS="$(printf '\n')" read -r line + while IFS="$(printf '\n')" read -r IPTABLES_OUTPUT_LINE do - set -- ${line} + set -- ${IPTABLES_OUTPUT_LINE} while [ $# -gt 0 ] do if [ "${1}" = "-P" ] then - c="${2}" - j="${3}" + IPTABLES_CHAIN="${2}" + IPTABLES_TARGET="${3}" shift 3 elif [ "${1}" = "-A" ] || [ "${1}" = "-N" ] then - c="${2}" + IPTABLES_CHAIN="${2}" shift 2 elif [ "${1}" = "-j" ] then - j="${2}" + IPTABLES_TARGET="${2}" shift else shift fi done # logics - if [ "${t}" = "filter" ] || [ "${t}" = "security" ] + if [ "${IPTABLES_TABLE}" = "filter" ] || [ "${IPTABLES_TABLE}" = "security" ] then - if [ "${c}" = "INPUT" ] + if [ "${IPTABLES_CHAIN}" = "INPUT" ] then - if [ "${j}" = "ACCEPT" ] + if [ "${IPTABLES_TARGET}" = "ACCEPT" ] then - errqueue="${errqueue}\n${t} ${c} ${j} YELLOW" + IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}\n${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} YELLOW" AddHP 1 3 - elif [ "${j}" = "DROP" ] + elif [ "${IPTABLES_TARGET}" = "DROP" ] then - errqueue="${errqueue}\n${t} ${c} ${j} GREEN" + IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}\n${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} GREEN" AddHP 3 3 fi fi - if [ "${c}" = "INPUT" ] || [ "${c}" = "FORWARD" ] || [ "${c}" = "OUTPUT" ] + if [ "${IPTABLES_CHAIN}" = "INPUT" ] || [ "${IPTABLES_CHAIN}" = "FORWARD" ] || [ "${IPTABLES_CHAIN}" = "OUTPUT" ] 
then - if [ "${j}" = "NFQUEUE" ] + if [ "${IPTABLES_TARGET}" = "NFQUEUE" ] then - errqueue="${errqueue}\n${t} ${c} ${j} RED" + IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}\n${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} RED" AddHP 0 3 fi fi fi done # resume - if [ ! "${SORTBINARY}" = "" ]; then eq="$( echo "${errqueue}" | ${SORTBINARY} -u )"; else eq="${errqueue}"; fi - echo "${eq}" | while IFS="$(printf '\n')" read -r eql + if [ ! "${SORTBINARY}" = "" ] + then + IPTABLES_OUTPUT="$( echo "${IPTABLES_OUTPUT_QUEUE}" | ${SORTBINARY} -u )" + else + IPTABLES_OUTPUT="${IPTABLES_OUTPUT_QUEUE}" + fi + echo "${IPTABLES_OUTPUT}" | while IFS="$(printf '\n')" read -r IPTABLES_OUTPUT_LINE do - if [ ! "$eql" = "" ] + if [ ! "$IPTABLES_OUTPUT_LINE" = "" ] then - set -- ${eql} + set -- ${IPTABLES_OUTPUT_LINE} while [ $# -gt 0 ] do Display --indent 6 --text "- Checking chain ${2} (table: ${1}, target: ${3})" --result "${3}" --color "${4}" From 976e2e00e5c79ce2c6316b082970186a7c5c1576 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 14 Oct 2024 12:37:28 +0000 Subject: [PATCH 245/282] Adding new links --- db/control-links.db | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/db/control-links.db b/db/control-links.db index 78752119..dcb5b3b6 100644 --- a/db/control-links.db +++ b/db/control-links.db 
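Review bot: The block under `# logics` evaluates every parsed line the same way, so an `-A INPUT ... -j ACCEPT` rule is scored exactly like the chain policy `-P INPUT ACCEPT`, although the test is registered as a check of chain policies; a host whose INPUT policy is DROP but which accepts SSH would still queue `filter INPUT ACCEPT YELLOW` and call `AddHP 1 3` once per such rule. Recording whether the current line was a policy line (`IPTABLES_IS_POLICY=0` before `set --`, `IPTABLES_IS_POLICY=1` inside the `-P` branch) and evaluating only when it is set limits the scoring to policies. Separately, `set -- ${IPTABLES_OUTPUT_LINE}` is subject to pathname expansion, so a rule comment containing `*` or `?` would be replaced by matching file names; `set -f` before the split and `set +f` afterwards prevents that. The pipeline's closing brace is outside this hunk.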
@@ -10,6 +10,8 @@ BANN-7130;blog;The real purpose of login banners;https://linux-audit.com/the-rea BOOT-5264;blog;Systemd features to secure service files;https://linux-audit.com/systemd/systemd-features-to-secure-units-and-services/; FINT-4350;blog;Monitoring Linux file access, changes and data modifications;https://linux-audit.com/monitoring-linux-file-access-changes-and-modifications/; FINT-4350;blog;Monitor for file changes on Linux;https://linux-audit.com/monitor-for-file-system-changes-on-linux/; +HRDN-7230;blog;Antivirus for Linux: is it really needed?;https://linux-audit.com/malware/antivirus-for-linux-really-needed/; +HRDN-7230;blog;Monitoring Linux Systems for Rootkits;https://linux-audit.com/monitoring-linux-systems-for-rootkits/; HTTP-6704;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/; HTTP-6706;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/; HTTP-6708;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/; 
@@ -18,7 +20,9 @@ HTTP-6712;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx- HTTP-6714;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/; HTTP-6716;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/; HTTP-6720;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/; -INSE-8116;blgo;Find and Disable Insecure Services on Linux;https://linux-audit.com/find-disable-insecure-services-linux/; +INSE-8116;blog;Find and Disable Insecure Services on Linux;https://linux-audit.com/find-disable-insecure-services-linux/; +KRNL-6000;blog;Linux hardening with sysctl settings;https://linux-audit.com/linux-hardening-with-sysctl/; +KRNL-6000;blog;Overview of sysctl options and values;https://linux-audit.com/kernel/sysctl/; MAIL-8816;blog;Postfix Hardening Guide for Security and Privacy;https://linux-audit.com/postfix-hardening-guide-for-security-and-privacy/; MAIL-8817;blog;Postfix Hardening Guide for Security and Privacy;https://linux-audit.com/postfix-hardening-guide-for-security-and-privacy/; MAIL-8818;blog;Postfix Hardening Guide for Security and Privacy;https://linux-audit.com/postfix-hardening-guide-for-security-and-privacy/; From ade45301a81e2b1e39198d0c90283131274c2a10 Mon Sep 17 00:00:00 2001 From: nser77 <104022475+nser77@users.noreply.github.com> Date: Mon, 14 Oct 2024 15:58:14 +0200 Subject: [PATCH 246/282] Update tests_firewalls --- include/tests_firewalls | 40 +++++++++++++++++++++++----------------- 1 file changed, 23 insertions(+), 17 deletions(-) diff --git a/include/tests_firewalls b/include/tests_firewalls index 831c19b2..223fe63d 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls 
@@ -114,9 +114,9 @@ do ${IPTABLESBINARY} -t "${IPTABLES_TABLE}" --list-rules --wait 1 2>/dev/zero | { - while IFS="$(printf '\n')" read -r IPTABLES_OUTPUT_LINE + while IFS="$(printf '\n')" read -r IPTABLES_LINES do - set -- ${IPTABLES_OUTPUT_LINE} + set -- ${IPTABLES_LINES} while [ $# -gt 0 ] do if [ "${1}" = "-P" ] 
@@ -137,26 +137,29 @@ fi done # logics - if [ "${IPTABLES_TABLE}" = "filter" ] || [ "${IPTABLES_TABLE}" = "security" ] + if [ ! "${IPTABLES_TABLE}" = "" ] && [ ! "${IPTABLES_CHAIN}" = "" ] && [ ! "${IPTABLES_TARGET}" = "" ] then - if [ "${IPTABLES_CHAIN}" = "INPUT" ] + if [ "${IPTABLES_TABLE}" = "filter" ] || [ "${IPTABLES_TABLE}" = "security" ] then - if [ "${IPTABLES_TARGET}" = "ACCEPT" ] + if [ "${IPTABLES_CHAIN}" = "INPUT" ] then - IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}\n${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} YELLOW" - AddHP 1 3 - elif [ "${IPTABLES_TARGET}" = "DROP" ] - then - IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}\n${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} GREEN" - AddHP 3 3 + if [ "${IPTABLES_TARGET}" = "ACCEPT" ] + then + IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}\n${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} YELLOW" + AddHP 1 3 + elif [ "${IPTABLES_TARGET}" = "DROP" ] + then + IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}\n${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} GREEN" + AddHP 3 3 + fi fi - fi - if [ "${IPTABLES_CHAIN}" = "INPUT" ] || [ "${IPTABLES_CHAIN}" = "FORWARD" ] || [ "${IPTABLES_CHAIN}" = "OUTPUT" ] - then - if [ "${IPTABLES_TARGET}" = "NFQUEUE" ] + if [ "${IPTABLES_CHAIN}" = "INPUT" ] || [ "${IPTABLES_CHAIN}" = "FORWARD" ] || [ "${IPTABLES_CHAIN}" = "OUTPUT" ] then - IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}\n${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} RED" - AddHP 0 3 + if [ "${IPTABLES_TARGET}" = "NFQUEUE" ] + then + IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}\n${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} RED" + AddHP 0 3 + fi fi fi fi @@ -185,8 +188,11 @@ fi done } + unset IPTABLES_TABLE done + unset IPTABLES_TABLES fi + unset PREQS_MET # ################################################################################# # From 7bdcd56f631cdcf9f1d0bd52d8b9e88ec08b9043 Mon Sep 17 00:00:00 2001 
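Review bot: `unset PREQS_MET` at the end of the test removes a variable that, judging from `Register ... --preqs-met ${PREQS_MET}` in the earlier hunks of this file, tests are expected to set before registering; if any later test reuses the previous value rather than assigning its own, `--preqs-met` would now receive an empty argument. I would drop that `unset`, or limit the cleanup to the test-local `IPTABLES_*` names. `unset IPTABLES_TABLE` inside the loop is also redundant, since the `for` reassigns it on every iteration. The enclosing `if [ ${SKIPTEST} -eq 0 ]` block begins before this hunk.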
From: nser77 <104022475+nser77@users.noreply.github.com> Date: Mon, 14 Oct 2024 16:05:33 +0200 Subject: [PATCH 247/282] Update tests_firewalls --- include/tests_firewalls | 33 +++++++++++++++------------------ 1 file changed, 15 insertions(+), 18 deletions(-) diff --git a/include/tests_firewalls b/include/tests_firewalls index 223fe63d..fb8a731c 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls 
@@ -137,29 +137,26 @@ fi done # logics - if [ ! "${IPTABLES_TABLE}" = "" ] && [ ! "${IPTABLES_CHAIN}" = "" ] && [ ! "${IPTABLES_TARGET}" = "" ] + if [ "${IPTABLES_TABLE}" = "filter" ] || [ "${IPTABLES_TABLE}" = "security" ] then - if [ "${IPTABLES_TABLE}" = "filter" ] || [ "${IPTABLES_TABLE}" = "security" ] + if [ "${IPTABLES_CHAIN}" = "INPUT" ] then - if [ "${IPTABLES_CHAIN}" = "INPUT" ] + if [ "${IPTABLES_TARGET}" = "ACCEPT" ] then - if [ "${IPTABLES_TARGET}" = "ACCEPT" ] - then - IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}\n${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} YELLOW" - AddHP 1 3 - elif [ "${IPTABLES_TARGET}" = "DROP" ] - then - IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}\n${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} GREEN" - AddHP 3 3 - fi + IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}\n${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} YELLOW" + AddHP 1 3 + elif [ "${IPTABLES_TARGET}" = "DROP" ] + then + IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}\n${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} GREEN" + AddHP 3 3 fi - if [ "${IPTABLES_CHAIN}" = "INPUT" ] || [ "${IPTABLES_CHAIN}" = "FORWARD" ] || [ "${IPTABLES_CHAIN}" = "OUTPUT" ] + fi + if [ "${IPTABLES_CHAIN}" = "INPUT" ] || [ "${IPTABLES_CHAIN}" = "FORWARD" ] || [ "${IPTABLES_CHAIN}" = "OUTPUT" ] + then + if [ "${IPTABLES_TARGET}" = "NFQUEUE" ] then - if [ "${IPTABLES_TARGET}" = "NFQUEUE" ] - then - IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}\n${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} RED" - AddHP 0 3 - fi + IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}\n${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} RED" + AddHP 0 3 fi fi fi From c53969d1fccdf8d88abb8f8176f94fc1b8a13825 Mon Sep 17 00:00:00 2001 From: nser77 <104022475+nser77@users.noreply.github.com> Date: Tue, 15 Oct 2024 09:29:50 +0200 Subject: [PATCH 248/282] Update tests_firewalls --- include/tests_firewalls | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) 
diff --git a/include/tests_firewalls b/include/tests_firewalls index fb8a731c..b4605cdd 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls @@ -114,6 +114,7 @@ do ${IPTABLESBINARY} -t "${IPTABLES_TABLE}" --list-rules --wait 1 2>/dev/zero | { + IPTABLES_OUTPUT_QUEUE="" while IFS="$(printf '\n')" read -r IPTABLES_LINES do set -- ${IPTABLES_LINES} @@ -143,11 +144,11 @@ then if [ "${IPTABLES_TARGET}" = "ACCEPT" ] then - IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}\n${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} YELLOW" + IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE} ${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} YELLOW" AddHP 1 3 elif [ "${IPTABLES_TARGET}" = "DROP" ] then - IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}\n${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} GREEN" + IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE} ${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} GREEN" AddHP 3 3 fi fi @@ -155,7 +156,7 @@ then if [ "${IPTABLES_TARGET}" = "NFQUEUE" ] then - IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}\n${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} RED" + IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE} ${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} RED" AddHP 0 3 fi fi From 690f82e5e43d66219bc35b546b4e85ae8ef81628 Mon Sep 17 00:00:00 2001 From: nser77 <104022475+nser77@users.noreply.github.com> Date: Tue, 15 Oct 2024 09:56:30 +0200 Subject: [PATCH 249/282] Update tests_firewalls --- include/tests_firewalls | 1 + 1 file changed, 1 insertion(+) diff --git a/include/tests_firewalls b/include/tests_firewalls index b4605cdd..2995e3f5 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls @@ -176,6 +176,7 @@ set -- ${IPTABLES_OUTPUT_LINE} while [ $# -gt 0 ] do + LogText "Result: Found ${3} for ${2} (table: ${1})" Display --indent 6 --text "- Checking chain ${2} (table: ${1}, target: ${3})" --result "${3}" --color "${4}" if [ "${3}" = "NFQUEUE" ] then 
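Review bot: Replacing the `\n` separator with a space in `IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE} ${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} YELLOW"` turns the whole queue into a single line, so the `${SORTBINARY} -u` step further down receives one record and neither sorts nor de-duplicates, and every matching rule is displayed. The same change is made in the third hunk of this commit (`@@ -155,7 +156,7 @@`). A portable way to keep one record per line is a real newline in the string, e.g. define `NL=$(printf '\n.')` and `NL=${NL%.}` once and append with `"${IPTABLES_OUTPUT_QUEUE}${NL}${IPTABLES_TABLE} ..."`, which does not depend on how `echo` treats escapes. The sort step itself lies outside these hunks.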
From b1e1f619751344b467bea92b4f2ad26b44664287 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 15 Oct 2024 13:15:24 +0000 Subject: [PATCH 250/282] [FIRE-4508] bring code and output in line with rest --- include/tests_firewalls | 48 ++++++++++++++++------------------------- 1 file changed, 18 insertions(+), 30 deletions(-) diff --git a/include/tests_firewalls b/include/tests_firewalls index 2995e3f5..29823564 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls @@ -118,19 +118,15 @@ while IFS="$(printf '\n')" read -r IPTABLES_LINES do set -- ${IPTABLES_LINES} - while [ $# -gt 0 ] - do - if [ "${1}" = "-P" ] - then + while [ $# -gt 0 ]; do + if [ "${1}" = "-P" ]; then IPTABLES_CHAIN="${2}" IPTABLES_TARGET="${3}" shift 3 - elif [ "${1}" = "-A" ] || [ "${1}" = "-N" ] - then + elif [ "${1}" = "-A" ] || [ "${1}" = "-N" ]; then IPTABLES_CHAIN="${2}" shift 2 - elif [ "${1}" = "-j" ] - then + elif [ "${1}" = "-j" ]; then IPTABLES_TARGET="${2}" shift else 
@@ -138,46 +134,38 @@ fi done # logics - if [ "${IPTABLES_TABLE}" = "filter" ] || [ "${IPTABLES_TABLE}" = "security" ] - then - if [ "${IPTABLES_CHAIN}" = "INPUT" ] - then - if [ "${IPTABLES_TARGET}" = "ACCEPT" ] - then + if [ "${IPTABLES_TABLE}" = "filter" ] || [ "${IPTABLES_TABLE}" = "security" ]; then + if [ "${IPTABLES_CHAIN}" = "INPUT" ]; then + if [ "${IPTABLES_TARGET}" = "ACCEPT" ]; then IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE} ${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} YELLOW" AddHP 1 3 - elif [ "${IPTABLES_TARGET}" = "DROP" ] - then + elif [ "${IPTABLES_TARGET}" = "DROP" ]; then IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE} ${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} GREEN" AddHP 3 3 fi fi - if [ "${IPTABLES_CHAIN}" = "INPUT" ] || [ "${IPTABLES_CHAIN}" = "FORWARD" ] || [ "${IPTABLES_CHAIN}" = "OUTPUT" ] - then - if [ "${IPTABLES_TARGET}" = "NFQUEUE" ] - then + if [ "${IPTABLES_CHAIN}" = "INPUT" ] || [ "${IPTABLES_CHAIN}" = "FORWARD" ] || [ "${IPTABLES_CHAIN}" = "OUTPUT" ]; then + if [ "${IPTABLES_TARGET}" = "NFQUEUE" ]; then IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE} ${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} RED" AddHP 0 3 fi fi fi done - # resume - if [ ! "${SORTBINARY}" = "" ] - then - IPTABLES_OUTPUT="$( echo "${IPTABLES_OUTPUT_QUEUE}" | ${SORTBINARY} -u )" + # Sort output if sort tool is available + if [ -n "${SORTBINARY}" ]; then + LogText "Info: sorting output" + IPTABLES_OUTPUT="$(echo "${IPTABLES_OUTPUT_QUEUE}" | ${SORTBINARY} -u )" else IPTABLES_OUTPUT="${IPTABLES_OUTPUT_QUEUE}" fi echo "${IPTABLES_OUTPUT}" | while IFS="$(printf '\n')" read -r IPTABLES_OUTPUT_LINE do - if [ ! 
"$IPTABLES_OUTPUT_LINE" = "" ] - then + if [ -n "$IPTABLES_OUTPUT_LINE" ]; then set -- ${IPTABLES_OUTPUT_LINE} - while [ $# -gt 0 ] - do - LogText "Result: Found ${3} for ${2} (table: ${1})" - Display --indent 6 --text "- Checking chain ${2} (table: ${1}, target: ${3})" --result "${3}" --color "${4}" + while [ $# -gt 0 ]; do + LogText "Result: Found target '${3}' for chain '${2}' (table: ${1})" + Display --indent 6 --text "- Chain ${2} (table: ${1}, target: ${3})" --result "${3}" --color "${4}" if [ "${3}" = "NFQUEUE" ] then ReportSuggestion "${TEST_NO}" "Consider avoid ${3} target if possible (iptables chain ${2}, table: ${1})" From f6275f6397686a9e803fab58d870205ace42fc85 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 15 Oct 2024 17:26:19 +0000 Subject: [PATCH 251/282] [FILE-6398] test disabled --- CHANGELOG.md | 2 +- include/tests_filesystems | 85 ++++++++++++++++++++------------------- 2 files changed, 44 insertions(+), 43 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 568cfdef..9ba6d8c4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,7 +8,7 @@ ### Changed - BOOT-5264 - Changed output of systemd-analyze test and added link -- FILE-6398 - Only perform test if we know if Linux kernel is monolithic/modular +- FILE-6398 - Test temporarily disabled as on modern kernels JDB support is built-in - FIRE-4508 - Several changes to expand the test, make it more generic, resolve minor issues - KRNL-5622 - Test if systemctl binary is set - Update of translations: Italian, Russian diff --git a/include/tests_filesystems b/include/tests_filesystems index c0b67241..153c0427 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems 
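Review bot: `LogText "Info: sorting output"` announces a sort, but `IPTABLES_OUTPUT_QUEUE` is assembled with space separators (visible in this hunk's context lines), so `echo "${IPTABLES_OUTPUT_QUEUE}" | ${SORTBINARY} -u` receives a single line and the sort and `-u` de-duplication have no effect; the log message is misleading as written. Either separate records with a real newline so the sort does something, or remove the message. Also, the `if [ "${3}" = "NFQUEUE" ]` / `then` pair in the result loop keeps the two-line form while everything else in the hunk was moved to `]; then`, which runs counter to the commit's stated purpose. The result loop's closing `done` is outside this hunk.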
@@ -734,48 +734,49 @@ # # Test : FILE-6398 # Description : Check if JBD (Journal Block Device) driver is loaded - Register --test-no FILE-6398 --os Linux --weight L --network NO --category security --description "Checking if JBD (Journal Block Device) driver is loaded" - if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: Checking if JBD (Journal Block Device) driver is loaded" - NOTINUSE=0 - # Only perform testing if we know that KRNL-5723 performed tests - if [ ${MONOLITHIC_KERNEL_TESTED} -eq 1 ]; then - # Cannot check if driver is loaded/present if kernel is monolithic - if [ ${MONOLITHIC_KERNEL} -eq 0 ]; then - JBD=$(${LSMODBINARY} | ${GREPBINARY} ^jbd) - if [ -n "${JBD}" ]; then - LogText "Result: JBD driver is loaded" - INUSE=$(echo ${JBD} | ${AWKBINARY} '{if ($3 -ne 0) {print $4}}') - if [ -n "${INUSE}" ]; then - LogText "Result: JBD driver is in use by drivers: ${INUSE}" - Report "JBD driver is in use by drivers: ${INUSE}" - Display --indent 2 --text "- JBD driver loaded and in use" --result "${STATUS_OK}" --color GREEN - else - NOTINUSE=1 - LogText "Result: JBD driver loaded, but not in use" - Report "JBD driver is loaded, but not in use." - Display --indent 2 --text "- JBD driver loaded, but not in use" --result "${STATUS_SUGGESTION}" --color YELLOW - fi - else - NOTINUSE=2 - LogText "Result: JBD driver not loaded" - Report "JBD driver not loaded." - Display --indent 2 --text "- JBD driver is not loaded" --result "${STATUS_CHECK_NEEDED}" --color YELLOW - fi - if [ ${NOTINUSE} -eq 1 ]; then - ReportSuggestion "${TEST_NO}" "The JBD (Journal Block Device) driver is loaded but not in use." "You are currently not using any filesystems with journaling, i.e. you have greater risk of data corruption in case of system crash." - elif [ ${NOTINUSE} -eq 2 ]; then - ReportSuggestion "${TEST_NO}" "The JBD (Journal Block Device) driver is not loaded." "Since boot-time, you have not been using any filesystems with journaling. 
Alternatively, reason could be driver is blacklisted." - fi - else - Display --indent 2 --text "- JBD driver: unable to check" --result "${STATUS_UNKNOWN}" --color YELLOW - LogText "Kernel is monolithic - cannot check if JBD driver is part of compiled kernel." - fi - else - Display --indent 2 --text "- JBD driver: test skipped" --result "${STATUS_UNKNOWN}" --color YELLOW - LogText "Test skipped as the kernel type (monolithic/modular) is unknown" - fi - fi + # Notes : Test is temporarily disabled, as JBD might be in a kernel (built-in) - https://github.com/CISOfy/lynis/issues/1508 +# Register --test-no FILE-6398 --os Linux --weight L --network NO --category security --description "Checking if JBD (Journal Block Device) driver is loaded" +# if [ ${SKIPTEST} -eq 0 ]; then +# LogText "Test: Checking if JBD (Journal Block Device) driver is loaded" +# NOTINUSE=0 +# # Only perform testing if we know that KRNL-5723 performed tests +# if [ ${MONOLITHIC_KERNEL_TESTED} -eq 1 ]; then +# # Cannot check if driver is loaded/present if kernel is monolithic +# if [ ${MONOLITHIC_KERNEL} -eq 0 ]; then +# JBD=$(${LSMODBINARY} | ${GREPBINARY} ^jbd) +# if [ -n "${JBD}" ]; then +# LogText "Result: JBD driver is loaded" +# INUSE=$(echo ${JBD} | ${AWKBINARY} '{if ($3 -ne 0) {print $4}}') +# if [ -n "${INUSE}" ]; then +# LogText "Result: JBD driver is in use by drivers: ${INUSE}" +# Report "JBD driver is in use by drivers: ${INUSE}" +# Display --indent 2 --text "- JBD driver loaded and in use" --result "${STATUS_OK}" --color GREEN +# else +# NOTINUSE=1 +# LogText "Result: JBD driver loaded, but not in use" +# Report "JBD driver is loaded, but not in use." +# Display --indent 2 --text "- JBD driver loaded, but not in use" --result "${STATUS_SUGGESTION}" --color YELLOW +# fi +# else +# NOTINUSE=2 +# LogText "Result: JBD driver not loaded" +# Report "JBD driver not loaded." 
+# Display --indent 2 --text "- JBD driver is not loaded" --result "${STATUS_CHECK_NEEDED}" --color YELLOW +# fi +# if [ ${NOTINUSE} -eq 1 ]; then +# ReportSuggestion "${TEST_NO}" "The JBD (Journal Block Device) driver is loaded but not in use." "You are currently not using any filesystems with journaling, i.e. you have greater risk of data corruption in case of system crash." +# elif [ ${NOTINUSE} -eq 2 ]; then +# ReportSuggestion "${TEST_NO}" "The JBD (Journal Block Device) driver is not loaded." "Since boot-time, you have not been using any filesystems with journaling. Alternatively, reason could be driver is blacklisted." +# fi +# else +# Display --indent 2 --text "- JBD driver: unable to check" --result "${STATUS_UNKNOWN}" --color YELLOW +# LogText "Kernel is monolithic - cannot check if JBD driver is part of compiled kernel." +# fi +# else +# Display --indent 2 --text "- JBD driver: test skipped" --result "${STATUS_UNKNOWN}" --color YELLOW +# LogText "Test skipped as the kernel type (monolithic/modular) is unknown" +# fi +# fi # ################################################################################# # From 86dd94c7bcfd1011ab482578dfd1afd6d8d61091 Mon Sep 17 00:00:00 2001 From: nser77 <104022475+nser77@users.noreply.github.com> Date: Wed, 16 Oct 2024 11:34:20 +0200 Subject: [PATCH 252/282] Update tests_firewalls --- include/tests_firewalls | 54 ++++++++++++++++++++--------------------- 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/include/tests_firewalls b/include/tests_firewalls index 29823564..c01b80ed 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls 
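Review bot: Commenting out the whole FILE-6398 body leaves about forty lines of dead code in the file, and it preserves the broken awk expression `'{if ($3 -ne 0) {print $4}}'` (`-ne` is shell `test` syntax; awk needs `$3 != 0`), which will resurface unchanged when the block is uncommented. A cleaner way to park the test is to keep it registered but skipped, e.g. `Register --test-no FILE-6398 --preqs-met NO --os Linux --weight L --network NO --category security --description "Checking if JBD (Journal Block Device) driver is loaded (disabled, see issue 1508)"`, so the test ID still shows up as skipped in reports instead of silently disappearing. When the test is revived, the built-in case the issue describes presumably needs a check beyond `lsmod`, such as whether `jbd2` is listed in `/lib/modules/$(uname -r)/modules.builtin`, before concluding the driver is absent.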
@@ -137,43 +137,43 @@ if [ "${IPTABLES_TABLE}" = "filter" ] || [ "${IPTABLES_TABLE}" = "security" ]; then if [ "${IPTABLES_CHAIN}" = "INPUT" ]; then if [ "${IPTABLES_TARGET}" = "ACCEPT" ]; then - IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE} ${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} YELLOW" - AddHP 1 3 + IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}\n${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} YELLOW 1 3" elif [ "${IPTABLES_TARGET}" = "DROP" ]; then - IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE} ${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} GREEN" - AddHP 3 3 + IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}\n${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} GREEN 3 3" fi fi if [ "${IPTABLES_CHAIN}" = "INPUT" ] || [ "${IPTABLES_CHAIN}" = "FORWARD" ] || [ "${IPTABLES_CHAIN}" = "OUTPUT" ]; then if [ "${IPTABLES_TARGET}" = "NFQUEUE" ]; then - IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE} ${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} RED" - AddHP 0 3 + IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}\n${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} RED 0 3" fi fi fi done - # Sort output if sort tool is available - if [ -n "${SORTBINARY}" ]; then - LogText "Info: sorting output" - IPTABLES_OUTPUT="$(echo "${IPTABLES_OUTPUT_QUEUE}" | ${SORTBINARY} -u )" - else - IPTABLES_OUTPUT="${IPTABLES_OUTPUT_QUEUE}" - fi - echo "${IPTABLES_OUTPUT}" | while IFS="$(printf '\n')" read -r IPTABLES_OUTPUT_LINE - do - if [ -n "$IPTABLES_OUTPUT_LINE" ]; then - set -- ${IPTABLES_OUTPUT_LINE} - while [ $# -gt 0 ]; do - LogText "Result: Found target '${3}' for chain '${2}' (table: ${1})" - Display --indent 6 --text "- Chain ${2} (table: ${1}, target: ${3})" --result "${3}" --color "${4}" - if [ "${3}" = "NFQUEUE" ] - then - ReportSuggestion "${TEST_NO}" "Consider avoid ${3} target if possible (iptables chain ${2}, table: ${1})" - fi - shift 4 - done + if [ -n "${IPTABLES_OUTPUT_QUEUE}" ]; then + # Sort output if sort tool is 
available + if [ -n "${SORTBINARY}" ]; then + LogText "Info: sorting output" + IPTABLES_OUTPUT="$(printf '%b' "${IPTABLES_OUTPUT_QUEUE}" | ${SORTBINARY} -u )" + else + IPTABLES_OUTPUT="$(printf '%b' "${IPTABLES_OUTPUT_QUEUE}")" fi - done + printf '%b\n' "${IPTABLES_OUTPUT}" | while IFS="$(printf '\n')" read -r IPTABLES_OUTPUT_LINE + do + if [ -n "$IPTABLES_OUTPUT_LINE" ]; then + set -- ${IPTABLES_OUTPUT_LINE} + while [ $# -gt 0 ]; do + LogText "Result: Found target '${3}' for chain '${2}' (table: ${1})" + Display --indent 6 --text "- Chain ${2} (table: ${1}, target: ${3})" --result "${3}" --color "${4}" + if [ "${3}" = "NFQUEUE" ] + then + ReportSuggestion "${TEST_NO}" "Consider avoid ${3} target if possible (iptables chain ${2}, table: ${1})" + fi + AddHP "${5}" "${6}" + shift 6 + done + fi + done + fi } unset IPTABLES_TABLE done From 630769377a14946b4725ba83d7858dd2085c7b45 Mon Sep 17 00:00:00 2001 From: nser77 <104022475+nser77@users.noreply.github.com> Date: Wed, 23 Oct 2024 21:31:13 +0200 Subject: [PATCH 253/282] Update tests_boot_services --- include/tests_boot_services | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_boot_services b/include/tests_boot_services index a9a926a0..ed54b319 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services @@ -147,7 +147,7 @@ fi ;; "Solaris") - if [ -n "${ROOTDIR}usr/bin/svcs" ]; then + if [ -d "${ROOTDIR}usr/bin/svcs" ]; then SERVICE_MANAGER="SMF (svcs)" elif [ -d "${ROOTDIR}etc/init.d" ]; then SERVICE_MANAGER="SysV Init" From 4e6f91f75b9dbb67228e0169ea488cdcd873e1fc Mon Sep 17 00:00:00 2001 From: Eduardo Vasconcelos <107057997+EduardoVasconceloss@users.noreply.github.com> Date: Tue, 29 Oct 2024 23:22:38 -0300 Subject: [PATCH 254/282] Update pt: Hardening --- db/languages/pt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/db/languages/pt b/db/languages/pt index 3035e242..e10356ae 100644 --- a/db/languages/pt +++ b/db/languages/pt 
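Review bot: Moving `AddHP "${5}" "${6}"` into the `printf … | while read` loop means it now runs in the pipeline's subshell, so if AddHP updates shell variables (as its name and its former placement in the plain `for` loop suggest) those updates are discarded when the loop ends, and the hardening score no longer reflects the firewall rules. The per-rule scoring worked before only because AddHP was called outside the pipe. Feed the loop from a here-document instead so the body runs in the current shell; this also lets `IFS=` replace the `IFS="$(printf '\n')"` idiom, which actually yields an empty IFS. The `for` loop over tables and the `{ … }` group that this code sits in start outside the hunk.
```shell
# … unchanged: build IPTABLES_OUTPUT (sorted when SORTBINARY is available) …
while IFS= read -r IPTABLES_OUTPUT_LINE; do
    if [ -n "$IPTABLES_OUTPUT_LINE" ]; then
        set -- ${IPTABLES_OUTPUT_LINE}
        # … unchanged: LogText, Display, NFQUEUE suggestion, AddHP "${5}" "${6}", shift 6 …
    fi
done <<EOF
$(printf '%b\n' "${IPTABLES_OUTPUT}")
EOF
```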
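Review bot: `if [ -d "${ROOTDIR}usr/bin/svcs" ]` can never be true on a real Solaris host, because `svcs` is an executable, not a directory; the old `-n` test was always true, and the new `-d` test is always false, so SMF detection now silently falls through to the SysV branch. The check should be `if [ -x "${ROOTDIR}usr/bin/svcs" ]; then` (or `-f` if a non-executable copy should also count). The surrounding `case` on the OS name starts and ends outside the hunk.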
@@ -39,7 +39,7 @@ SECTION_HOME_DIRECTORIES="Diretórios iniciais" SECTION_IMAGE="Imagem" SECTION_INITIALIZING_PROGRAM="Inicializando programa" SECTION_INSECURE_SERVICES="Serviços inseguros" -#SECTION_KERNEL_HARDENING="Kernel Hardening" +SECTION_KERNEL_HARDENING="Hardening do Kernel" SECTION_KERNEL="Kernel" SECTION_LDAP_SERVICES="Serviços LDAP" SECTION_LOGGING_AND_FILES="Registro e arquivos" @@ -97,7 +97,7 @@ STATUS_NO_UPDATE="SEM ATUALIZAÇÃO" STATUS_OFF="DESLIGADO" STATUS_OK="OK" STATUS_ON="LIGADO" -#STATUS_PARTIALLY_HARDENED="PARTIALLY HARDENED" +STATUS_PARTIALLY_HARDENED="HARDENED PARCIAL" STATUS_PROTECTED="PROTEGIDO" STATUS_RUNNING="EM EXECUÇÃO" STATUS_SKIPPED="IGNORADO" From 9270ab0a3810ef557b66887e0e980122b84f0a24 Mon Sep 17 00:00:00 2001 From: Luca Fontana Date: Mon, 4 Nov 2024 19:04:37 +0200 Subject: [PATCH 255/282] More support for busybox devices - Replaced "head -1" with "head -n 1" - Fixed Stat format error in busybox - Fixed find -printf error in busybox - SafeInput accept only alphanumeric values, underscore and hyphens --- extras/build-lynis.sh | 4 ++-- include/functions | 41 ++++++++++++++++++++--------------- include/osdetection | 5 ++++- plugins/plugin_systemd_phase1 | 10 ++++----- 4 files changed, 35 insertions(+), 25 deletions(-) diff --git a/extras/build-lynis.sh b/extras/build-lynis.sh index 974f2937..d79e524b 100755 --- a/extras/build-lynis.sh +++ b/extras/build-lynis.sh @@ -238,7 +238,7 @@ echo "[*] Starting with DEB building process" - DEBCHANGELOGFULLVERSION=$(head -1 ../debian/changelog | awk '{ print $2 }' | sed 's/(//' | sed 's/)//') + DEBCHANGELOGFULLVERSION=$(head -n 1 ../debian/changelog | awk '{ print $2 }' | sed 's/(//' | sed 's/)//') DEBCHANGELOGVERSION=$(echo ${DEBCHANGELOGFULLVERSION} | awk -F- '{ print $1 }') DEBCHANGELOGVERSIONREV=$(echo ${DEBCHANGELOGFULLVERSION} | awk -F- '{ print $2 }') if [ "${LYNIS_VERSION}" = "${DEBCHANGELOGVERSION}" ]; then 
@@ -251,7 +251,7 @@ # BZRSTATUS=$(${BZRBINARY} status . 2>&1 > /dev/null; echo $?) # if [ "${BZRSTATUS}" = "0" ]; then # echo "[V] bzr has proper directory tree" -# DEBCHANGELOGFULLVERSION=$(head -1 debian/changelog | awk '{ print $2 }' | sed 's/(//' | sed 's/)//') +# DEBCHANGELOGFULLVERSION=$(head -n 1 debian/changelog | awk '{ print $2 }' | sed 's/(//' | sed 's/)//') # DEBCHANGELOGVERSION=$(echo ${DEBCHANGELOGFULLVERSION} | awk -F- '{ print $1 }') # DEBCHANGELOGVERSIONREV=$(echo ${DEBCHANGELOGFULLVERSION} | awk -F- '{ print $2 }') # echo "[=] Version in Debian changelog: ${DEBCHANGELOGVERSION} (revision: ${DEBCHANGELOGVERSIONREV})" diff --git a/include/functions b/include/functions index df27db8b..1c0bbdc7 100644 --- a/include/functions +++ b/include/functions @@ -968,7 +968,7 @@ ;; "DragonFly" | "FreeBSD") - FIND=$(${IFCONFIGBINARY} | grep ether | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]') + FIND=$(${IFCONFIGBINARY} | grep ether | head -n 1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]') if HasData "${FIND}"; then HOSTID=$(echo ${FIND} | sha1) else @@ -996,7 +996,7 @@ for INTERFACE in ${NET_INTERFACES}; do if grep -q -s 'up' "/sys/class/net/${INTERFACE}/operstate"; then LogText "Interface '${INTERFACE}' is up, fetching MAC address" - FIND=$(head -1 "/sys/class/net/${INTERFACE}/address" | tr '[:upper:]' '[:lower:]') + FIND=$(head -n 1 "/sys/class/net/${INTERFACE}/address" | tr '[:upper:]' '[:lower:]') if HasData "${FIND}"; then HOSTID_GEN="linux-sys-interface-up" break 
@@ -1010,7 +1010,7 @@ LogText "Info: trying output from 'ip' to generate HostID" # Determine if we have the common available eth0 interface. If so, give that priority. # Note: apply sorting in case there would be multiple MAC addresses linked to increase predictable end result - FIND=$(${IPBINARY} addr show eth0 2> /dev/null | grep -E "link/ether " | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]' | sort | head -1) + FIND=$(${IPBINARY} addr show eth0 2> /dev/null | grep -E "link/ether " | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]' | sort | head -n 1) if HasData "${FIND}"; then HOSTID_GEN="linux-ip-interface-eth0" else @@ -1020,7 +1020,7 @@ # 3) Convert everything to lowercase # 4) Sort the entries, so that the output is more predictable between runs when the same interfaces are available # 5) Select first entry - FIND=$(${IPBINARY} -family link addr show up 2> /dev/null | awk '{if($1=="link/ether" && $2 !~ "^02:42:"){print $2}}' | tr '[:upper:]' '[:lower:]' | sort | head -1) + FIND=$(${IPBINARY} -family link addr show up 2> /dev/null | awk '{if($1=="link/ether" && $2 !~ "^02:42:"){print $2}}' | tr '[:upper:]' '[:lower:]' | sort | head -n 1) if HasData "${FIND}"; then HOSTID_GEN="linux-ip-interface-up-other" else @@ -1049,7 +1049,7 @@ HOSTID_GEN="linux-ifconfig-interface-eth0-ether" fi else - FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep "ether " | awk '{ print $2 }' | head -1 | tr '[:upper:]' '[:lower:]') + FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep "ether " | awk '{ print $2 }' | head -n 1 | tr '[:upper:]' '[:lower:]') if IsEmpty "${FIND}"; then ReportException "GetHostID" "No eth0 found (and no ether was found with ifconfig)" else @@ -1058,7 +1058,7 @@ fi fi else - FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep HWaddr | head -1 | awk '{ print $5 }' | tr '[:upper:]' '[:lower:]') + FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep HWaddr | head -n 1 | awk '{ print $5 }' | tr '[:upper:]' '[:lower:]') HOSTID_GEN="linux-ifconfig-interface-first-hwaddr" fi else 
@@ -1077,7 +1077,7 @@ ;; "macOS") - FIND=$(${IFCONFIGBINARY} en0 | grep ether | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]') + FIND=$(${IFCONFIGBINARY} en0 | grep ether | head -n 1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]') if [ ! "${FIND}" = "" ]; then HOSTID=$(echo ${FIND} | shasum | awk '{ print $1 }') else @@ -1099,7 +1099,7 @@ ;; "NetBSD") - FIND=$(${IFCONFIGBINARY} -a | grep "address:" | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]') + FIND=$(${IFCONFIGBINARY} -a | grep "address:" | head -n 1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]') if HasData "${FIND}"; then HOSTID=$(echo ${FIND} | sha1) else @@ -1108,7 +1108,7 @@ ;; "OpenBSD") - FIND=$(${IFCONFIGBINARY} | grep "lladdr " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]') + FIND=$(${IFCONFIGBINARY} | grep "lladdr " | head -n 1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]') if HasData "${FIND}"; then HOSTID=$(echo ${FIND} | sha1) else @@ -1164,7 +1164,7 @@ # Optional: DBUS creates ID as well with dbus-uuidgen and is stored in /var/lib/dbus-machine-id (might be symlinked to /etc/machine-id) sMACHINEIDFILE="/etc/machine-id" if [ -f ${sMACHINEIDFILE} ]; then - FIND=$(head -1 ${sMACHINEIDFILE} | grep "^[a-f0-9]") + FIND=$(head -n 1 ${sMACHINEIDFILE} | grep "^[a-f0-9]") if [ "${FIND}" = "" ]; then MACHINEID="${FIND}" fi @@ -1336,6 +1336,8 @@ # busybox does not support format if [ ${SHELL_IS_BUSYBOX} -eq 0 ]; then DATA=$(${STATBINARY} --format=%a ${CHECKFILE}) + else + DATA=$(${STATBINARY} -c %a ${CHECKFILE}) fi ;; esac 
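Review bot: In the `/etc/machine-id` hunk the line after the changed `head -n 1` reads `if [ "${FIND}" = "" ]; then MACHINEID="${FIND}"`, which only assigns MACHINEID when FIND is empty, so a successfully read machine ID is never stored; the condition looks inverted and should be `if [ -n "${FIND}" ]; then MACHINEID="${FIND}"; fi`. The `grep "^[a-f0-9]"` filter means FIND is either a hex-looking line or empty, which makes the current branch a no-op in both cases. This is a pre-existing defect next to the touched line; the enclosing function starts outside the hunk.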
@@ -1349,12 +1351,16 @@ ;; *) # Only use find when OS is NOT AIX and binaries are NOT busybox + if [ -d "${CHECKFILE}" ]; then + MAXDEPTH="-maxdepth 0" + else + MAXDEPTH="" + fi + if [ ${SHELL_IS_BUSYBOX} -eq 0 ]; then - if [ -d ${CHECKFILE} ]; then - DATA=$(${FINDBINARY} ${CHECKFILE} -maxdepth 0 -printf "%m") - else - DATA=$(${FINDBINARY} ${CHECKFILE} -printf "%m") - fi + DATA=$(${FINDBINARY} "${CHECKFILE}" ${MAXDEPTH} -printf "%m") + else + DATA=$(${FINDBINARY} "${CHECKFILE}" ${MAXDEPTH} -exec stat -c %a {} \;) fi ;; esac @@ -1872,7 +1878,7 @@ # FreeBSD: hw.hv_vendor (remains empty for VirtualBox) # NetBSD: machdep.dmi.system-product # OpenBSD: hw.product - FIND=$(sysctl -a 2> /dev/null | grep -E "(hw.product|machdep.dmi.system-product)" | head -1 | sed 's/ = /=/' | awk -F= '{ print $2 }') + FIND=$(sysctl -a 2> /dev/null | grep -E "(hw.product|machdep.dmi.system-product)" | head -n 1 | sed 's/ = /=/' | awk -F= '{ print $2 }') if [ ! "${FIND}" = "" ]; then SHORT="${FIND}" fi @@ -3049,7 +3055,8 @@ # By default remove only control characters if [ $# -eq 1 ]; then input="$1" - cleaned=$(echo ${input} | tr -d '[:cntrl:]') + # cleaned=$(echo ${input} | tr -d '[:cntrl:]') + cleaned=$(echo "$input" | sed 's/[^a-zA-Z0-9_-]//g') # If know what to test against, then see if input matches the specified class elif [ $# -eq 2 ]; then input="$1" diff --git a/include/osdetection b/include/osdetection index fda72333..8ae1c1d5 100644 --- a/include/osdetection +++ b/include/osdetection @@ -836,7 +836,7 @@ if tail -1 < /etc/release | xargs | grep "^Solaris " > /dev/null; then OS_FULLNAME=$(tail -1 < /etc/release | xargs) else - OS_FULLNAME=$(head -1 < /etc/release | xargs) + OS_FULLNAME=$(head -n 1 < /etc/release | xargs) fi OS_VERSION=$(echo "$OS_FULLNAME" | cut -d ' ' -f 2,3) else # Old behaviour 
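Review bot: The new busybox branch calls a bare `stat` in `-exec stat -c %a {} \;`, while the hunk a few lines earlier uses `${STATBINARY} -c %a` for the same purpose; use `DATA=$(${FINDBINARY} "${CHECKFILE}" ${MAXDEPTH} -exec ${STATBINARY} -c %a {} \;)` so the resolved binary is used consistently and a PATH-supplied `stat` is not picked up. Note also that `${MAXDEPTH}` must stay unquoted here, since it carries two words (`-maxdepth 0`) or nothing; a short comment saying so would stop someone "fixing" the quoting later. The `case` statement this branch belongs to starts outside the hunk.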
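Review bot: The new `cleaned=$(echo "$input" | sed …)` passes the untrusted value to `echo`, which treats inputs such as `-n` or `-e` as options and drops or rewrites them, so the comparison with the original fails for the wrong reason; use `cleaned=$(printf '%s\n' "$input" | sed 's/[^a-zA-Z0-9_-]//g')` so the filter alone decides. The old `tr` call is left behind as a commented-out line and can simply be deleted. The rest of SafeInput (the two-argument branch and the final comparison) lies outside the hunk.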
@@ -929,6 +929,9 @@ ShowSymlinkPath /bin/ps if [ "${SYMLINK}" = "/bin/busybox" ]; then SHELL_IS_BUSYBOX=1 + LogText "Result: The device is using Busybox." + else + LogText "Result: The device is NOT using Busybox." fi fi fi diff --git a/plugins/plugin_systemd_phase1 b/plugins/plugin_systemd_phase1 index 4e183f88..01c8db9a 100644 --- a/plugins/plugin_systemd_phase1 +++ b/plugins/plugin_systemd_phase1 @@ -47,13 +47,13 @@ if [ -n "${SYSTEMCTLBINARY}" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PLGN-3802 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query systemd version and options" --progress if [ ${SKIPTEST} -eq 0 ]; then - FIND=$(${SYSTEMCTLBINARY} --version 2> /dev/null | ${AWKBINARY} '{ if ($1=="systemd") { print $2 } }' | grep "^[1-9][0-9][0-9]$" | head -1) + FIND=$(${SYSTEMCTLBINARY} --version 2> /dev/null | ${AWKBINARY} '{ if ($1=="systemd") { print $2 } }' | grep "^[1-9][0-9][0-9]$" | head -n 1) if [ -n "${FIND}" ]; then SYSTEMD_VERSION=${FIND} Report "systemd_version=${FIND}" LogText "Result: found systemd version ${FIND}" fi - FIND=$(${SYSTEMCTLBINARY} --version 2> /dev/null | grep "^[-+]" | sed 's/[[:space:]]/,/g' | head -1) + FIND=$(${SYSTEMCTLBINARY} --version 2> /dev/null | grep "^[-+]" | sed 's/[[:space:]]/,/g' | head -n 1) if [ -n "${FIND}" ]; then Report "systemd_builtin_components=${FIND}" LogText "Result: found builtin components list" @@ -101,7 +101,7 @@ if [ -f ${ROOTDIR}etc/machine-id -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PLGN-3808 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather systemd machine ID" --progress if [ ${SKIPTEST} -eq 0 ]; then - FIND=$(cat ${ROOTDIR}etc/machine-id | head -1) + FIND=$(cat ${ROOTDIR}etc/machine-id | head -n 1) if [ -n "${FIND}" ]; then SYSTEMD_MACHINEID="${FIND}" LogText "Result: found machine ID: ${SYSTEMD_MACHINEID}" 
@@ -134,7 +134,7 @@ FIND=$(${JOURNALCTLBINARY} --list-boots | wc -l) LogText "Output: number of boots listed in journal is ${FIND}" if [ -n "${FIND}" ]; then Report "journal_bootlogs=${FIND}"; fi - FIND=$(${JOURNALCTLBINARY} --list-boots | head -1 | awk '{ print $4 }') + FIND=$(${JOURNALCTLBINARY} --list-boots | head -n 1 | awk '{ print $4 }') LogText "Output: oldest boot date in journal is ${FIND}" if [ -n "${FIND}" ]; then Report "journal_oldest_bootdate=${FIND}"; fi fi @@ -204,7 +204,7 @@ if [ -n "${SYSTEMCTLBINARY}" -a ${SYSTEMD_RUNNING} -eq 1 -a ${SYSTEMD_VERSION} -ge 215 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PLGN-3830 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query systemd status" --progress if [ ${SKIPTEST} -eq 0 ]; then - FIND=$(${SYSTEMCTLBINARY} is-system-running 2> /dev/null | head -1) + FIND=$(${SYSTEMCTLBINARY} is-system-running 2> /dev/null | head -n 1) if [ -n "${FIND}" ]; then Report "systemd_status=${FIND}" LogText "Result: found systemd status = ${FIND}" From d76bfdbc1c47c3ffe4faa8cdaae70cc56fad0ad9 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 4 Nov 2024 19:27:00 +0100 Subject: [PATCH 256/282] Update CHANGELOG.md --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9ba6d8c4..56e8f9c0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,6 +11,7 @@ - FILE-6398 - Test temporarily disabled as on modern kernels JDB support is built-in - FIRE-4508 - Several changes to expand the test, make it more generic, resolve minor issues - KRNL-5622 - Test if systemctl binary is set +- Several improvements for busybox - Update of translations: Italian, Russian --------------------------------------------------------------------------------- From 1ab0a790b3e57e99275056e2512a7ff88b50f24e Mon Sep 17 00:00:00 2001 
From: Octaviodmol Date: Mon, 18 Nov 2024 13:43:54 -0600 Subject: [PATCH 257/282] Update es --- db/languages/es | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/db/languages/es b/db/languages/es index cbaf7a4e..a0f233fd 100644 --- a/db/languages/es +++ b/db/languages/es @@ -74,7 +74,7 @@ STATUS_DONE="HECHO" STATUS_ENABLED="HABILITADO" STATUS_ERROR="ERROR" STATUS_EXPOSED="EXPUESTO" -STATUS_FAILED="FALLADO" +STATUS_FAILED="HA FALLADO" STATUS_FILES_FOUND="ARCHIVOS ENCONTRADOS" STATUS_FOUND="ENCONTRADO" STATUS_HARDENED="BASTIONADO" @@ -85,7 +85,7 @@ STATUS_NO_UPDATE="SIN ACTUALIZACIÓN" STATUS_NO="NO" STATUS_NON_DEFAULT="NO POR DEFECTO" STATUS_NONE="NINGUNO" -STATUS_NOT_ACTIVE="NOT ACTIVE" +STATUS_NOT_ACTIVE="SIN ACTIVAR" STATUS_NOT_CONFIGURED="NO CONFIGURADO" STATUS_NOT_DISABLED="NO DESHABILITADO" STATUS_NOT_ENABLED="NO HABILITADO" From 562b1f1baee41c600c55c182fc19f777041c2e01 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 26 Nov 2024 10:23:40 +0100 Subject: [PATCH 258/282] Update CHANGELOG.md --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 56e8f9c0..df3a7ca5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,7 +12,7 @@ - FIRE-4508 - Several changes to expand the test, make it more generic, resolve minor issues - KRNL-5622 - Test if systemctl binary is set - Several improvements for busybox -- Update of translations: Italian, Russian +- Update of translations: Italian, Russian, Spanish --------------------------------------------------------------------------------- From 2a540ddf759e1ea677b433710336f57c88a97711 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 3 Dec 2024 12:34:21 +0000 Subject: [PATCH 259/282] Allow more characters as part of 'lynis configure settings' command --- include/functions | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/include/functions b/include/functions index 1c0bbdc7..db7f5359 100644 --- a/include/functions 
+++ b/include/functions @@ -3052,11 +3052,11 @@ SafeInput() { exitcode=1 - # By default remove only control characters + # By default remove only special or undefined characters if [ $# -eq 1 ]; then input="$1" - # cleaned=$(echo ${input} | tr -d '[:cntrl:]') - cleaned=$(echo "$input" | sed 's/[^a-zA-Z0-9_-]//g') + # Allow only a common set of characters in first parameter + cleaned=$(echo "$input" | sed 's/[^a-zA-Z0-9\._:=-]//g') # If know what to test against, then see if input matches the specified class elif [ $# -eq 2 ]; then input="$1" @@ -3065,7 +3065,7 @@ else ExitFatal "No argument or too many arguments provided to SafeInput()" fi - + # Test if the cleaned string is the same as the original input if [ "${cleaned}" = "${input}" ]; then exitcode=0 fi From 7cfe45ef477ebe9d8345fa955b25104cc77d6040 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 16 Dec 2024 09:16:29 +0000 Subject: [PATCH 260/282] Updating links and adding new ones --- db/control-links.db | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/db/control-links.db b/db/control-links.db index dcb5b3b6..502474c7 100644 --- a/db/control-links.db +++ b/db/control-links.db 
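Review bot: The widened character class `[^a-zA-Z0-9\._:=-]` admits a literal backslash, not just a dot, because a backslash has no escaping role inside a POSIX bracket expression and is treated as a member of the set; `.` is already literal there, so the intended set is `sed 's/[^a-zA-Z0-9._:=-]//g'`. Since SafeInput guards values coming from the `lynis configure settings` command line, accepting `\` silently reopens an escape character for whatever consumes the validated string later. The same line should also use `printf '%s\n' "$input"` rather than `echo "$input"`, which mangles inputs that look like echo options. The two-argument branch and the final comparison of SafeInput continue below the hunk.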
@@ -1,15 +1,21 @@ # Links for controls pointing to informational pages. Note: only links managed by the project are allowed (cisofy.com / linux-audit.com) -# Format: Control;Text;Link; -ACCT-9628;blog;Linux audit framework 101: basic rules for configuration;https://linux-audit.com/linux-audit-framework-101-basic-rules-for-configuration/; +# Format: +# Control;Text;Link; +ACCT-9628;blog;Linux audit framework 101: basic rules for configuration;https://linux-audit.com/linux-audit-framework/linux-audit-framework-101-basic-rules-for-configuration/; ACCT-9628;blog;Monitoring Linux file access, changes and data modifications;https://linux-audit.com/monitoring-linux-file-access-changes-and-modifications/; -AUTH-9228;blog;File integrity of password files;https://linux-audit.com/file-integrity-of-password-files/; +AUTH-9228;blog;File integrity of password files;https://linux-audit.com/authentication/file-integrity-of-password-files/; +AUTH-9229;blog;Linux password security: hashing rounds;https://linux-audit.com/authentication/configure-the-minimum-password-length-on-linux-systems/; +AUTH-9230;blog;Linux password security: hashing rounds;https://linux-audit.com/authentication/configure-the-minimum-password-length-on-linux-systems/; AUTH-9262;blog;Configure minimum password length for Linux systems;https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/; AUTH-9286;blog;Configure minimum password length for Linux systems;https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/; +AUTH-9328;blog;Set default file permissions on Linux with umask;https://linux-audit.com/filesystems/file-permissions/set-default-file-permissions-with-umask/; BANN-7126;blog;The real purpose of login banners;https://linux-audit.com/the-real-purpose-of-login-banners-on-linux/; BANN-7130;blog;The real purpose of login banners;https://linux-audit.com/the-real-purpose-of-login-banners-on-linux/; BOOT-5264;blog;Systemd features to secure service 
files;https://linux-audit.com/systemd/systemd-features-to-secure-units-and-services/; FINT-4350;blog;Monitoring Linux file access, changes and data modifications;https://linux-audit.com/monitoring-linux-file-access-changes-and-modifications/; FINT-4350;blog;Monitor for file changes on Linux;https://linux-audit.com/monitor-for-file-system-changes-on-linux/; +HRDN-7220;blog;Why remove compilers from your system?;https://linux-audit.com/software/why-remove-compilers-from-your-system/; +HRDN-7222;blog;Why remove compilers from your system?;https://linux-audit.com/software/why-remove-compilers-from-your-system/; HRDN-7230;blog;Antivirus for Linux: is it really needed?;https://linux-audit.com/malware/antivirus-for-linux-really-needed/; HRDN-7230;blog;Monitoring Linux Systems for Rootkits;https://linux-audit.com/monitoring-linux-systems-for-rootkits/; HTTP-6704;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/; 
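Review bot: The two new entries `AUTH-9229;blog;Linux password security: hashing rounds;…` and `AUTH-9230;blog;Linux password security: hashing rounds;…` pair a "hashing rounds" title with the minimum-password-length article URL already used by AUTH-9262 and AUTH-9286, so either the text or the link is wrong for these controls. Since the file is what users are sent to for remediation guidance, the title and target should agree; if no hashing-rounds article exists yet, the two lines are better left out than pointed at the wrong page. The updated `# Format:` comment now spans two lines, which is fine as long as the parser skips every `#` line, not only the first.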
@@ -21,18 +27,20 @@ HTTP-6714;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx- HTTP-6716;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/; HTTP-6720;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/; INSE-8116;blog;Find and Disable Insecure Services on Linux;https://linux-audit.com/find-disable-insecure-services-linux/; +KRNL-5820;blog;Understand and configure core dumps on Linux;https://linux-audit.com/software/understand-and-configure-core-dumps-work-on-linux/; KRNL-6000;blog;Linux hardening with sysctl settings;https://linux-audit.com/linux-hardening-with-sysctl/; KRNL-6000;blog;Overview of sysctl options and values;https://linux-audit.com/kernel/sysctl/; +MACF-6208;blog;AppArmor;https://linux-audit.com/security-frameworks/apparmor/; MAIL-8816;blog;Postfix Hardening Guide for Security and Privacy;https://linux-audit.com/postfix-hardening-guide-for-security-and-privacy/; MAIL-8817;blog;Postfix Hardening Guide for Security and Privacy;https://linux-audit.com/postfix-hardening-guide-for-security-and-privacy/; MAIL-8818;blog;Postfix Hardening Guide for Security and Privacy;https://linux-audit.com/postfix-hardening-guide-for-security-and-privacy/; MAIL-8820;blog;Postfix Hardening Guide for Security and Privacy;https://linux-audit.com/postfix-hardening-guide-for-security-and-privacy/; NAME-4402;blog;Keeping your /etc/hosts file healthy;https://linux-audit.com/is-your-etc-hosts-file-healthy/; NAME-4404;blog;Keeping your /etc/hosts file healthy;https://linux-audit.com/is-your-etc-hosts-file-healthy/; -NETW-2600;blog;Linux Security Guide for Hardening IPv6;https://linux-audit.com/linux-security-guide-for-hardening-ipv6/; -SSH-7402;blog;OpenSSH security and hardening;https://linux-audit.com/audit-and-harden-your-ssh-configuration/; -SSH-7404;blog;OpenSSH security and 
hardening;https://linux-audit.com/audit-and-harden-your-ssh-configuration/; -SSH-7406;blog;OpenSSH security and hardening;https://linux-audit.com/audit-and-harden-your-ssh-configuration/; -SSH-7408;blog;OpenSSH security and hardening;https://linux-audit.com/audit-and-harden-your-ssh-configuration/; -SSH-7440;blog;OpenSSH security and hardening;https://linux-audit.com/audit-and-harden-your-ssh-configuration/; +NETW-2600;blog;Linux Security Guide for Hardening IPv6;https://linux-audit.com/networking/linux-security-guide-for-hardening-ipv6/; +SSH-7402;blog;OpenSSH security and hardening;https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/; +SSH-7404;blog;OpenSSH security and hardening;https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/; +SSH-7406;blog;OpenSSH security and hardening;https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/; +SSH-7408;blog;OpenSSH security and hardening;https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/; +SSH-7440;blog;OpenSSH security and hardening;https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/; # EOF From 0666994d7ddd14e6de6d9e63a64fff898453db0b Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 16 Dec 2024 09:22:08 +0000 Subject: [PATCH 261/282] Release 3.1.3 --- CHANGELOG.md | 5 ++++- lynis | 6 +++--- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index df3a7ca5..a36dfb2f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,9 @@ # Lynis Changelog -## Lynis 3.1.3 (not released yet) +## Lynis 3.1.3 (2024-12-16) + +This release introduces additional documentation in the form of blog articles +to support the (missing) control information on the website. ### Added - Detection of Buildroot, Fedora Linux Asahi Remix, Garden Linux, Peppermint OS diff --git a/lynis b/lynis index 918f317e..6614bb15 100755 --- a/lynis +++ b/lynis 
@@ -43,9 +43,9 @@ PROGRAM_WEBSITE="https://cisofy.com/lynis/"
 # Version details
- PROGRAM_RELEASE_DATE="2024-09-26"
- PROGRAM_RELEASE_TIMESTAMP=1727352969
- PROGRAM_RELEASE_TYPE="pre-release" # pre-release or release
+ PROGRAM_RELEASE_DATE="2024-12-16"
+ PROGRAM_RELEASE_TIMESTAMP=1734340704
+ PROGRAM_RELEASE_TYPE="release" # pre-release or release
 PROGRAM_VERSION="3.1.3"
 # Source, documentation and license
From acfb10aa2bfdb7a8d6d7b336f381d756dcea2bed Mon Sep 17 00:00:00 2001
From: al-lac
Date: Mon, 16 Dec 2024 11:33:38 +0100
Subject: [PATCH 262/282] Add macOS Sequoia and update EOL
---
 db/software-eol.db | 11 ++++++++---
 include/osdetection | 1 +
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/db/software-eol.db b/db/software-eol.db
index 342db780..6ca03fdd 100644
--- a/db/software-eol.db
+++ b/db/software-eol.db
@@ -133,14 +133,14 @@ os:macOS High Sierra \(10.13.2\):2018-01-23:1516662000:
 os:macOS High Sierra \(10.13.3\):2018-03-29:1522274400:
 os:macOS High Sierra \(10.13.4\):2018-06-01:1527804000:
 os:macOS High Sierra \(10.13.5\):2018-07-09:1531087200:
-os:macOS High Sierra \(10.13.6\)::-1:
+os:macOS High Sierra \(10.13.6\)::2020-12-01:1606780800:
 os:macOS Mojave \(10.14\):2018-10-30:1540854000:
 os:macOS Mojave \(10.14.1\):2018-12-05:1543964400:
 os:macOS Mojave \(10.14.2\):2019-01-22:1548111600:
 os:macOS Mojave \(10.14.3\):2019-03-25:1553468400:
 os:macOS Mojave \(10.14.4\):2019-05-13:1557698400:
 os:macOS Mojave \(10.14.5\):2019-07-22:1563746400:
-os:macOS Mojave \(10.14.6\)::-1:
+os:macOS Mojave \(10.14.6\)::2021-10-25:1635120000:
 os:macOS Catalina \(10.15\):2019-10-29:1572303600:
 os:macOS Catalina \(10.15.1\):2019-12-10:1575932400:
 os:macOS Catalina \(10.15.2\):2020-01-28:1580166000:
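Review bot: The rewritten macOS lines carry an extra empty field: `os:macOS High Sierra \(10.13.6\)::2020-12-01:1606780800:` and `os:macOS Mojave \(10.14.6\)::2021-10-25:1635120000:` here, and `os:macOS Catalina \(10.15.7\)::2022-09-12:1662940800:` in the `@@ -148,7 +148,12 @@` hunk, keep `::` between the name and the date, while every neighbouring entry and the new Big Sur and Monterey lines use a single colon, e.g. `os:macOS Mojave \(10.14\):2018-10-30:1540854000:`. The `::` was meaningful in the removed `::-1:` form, where it stood for an empty date; kept next to a real date it shifts the date into the position the other entries use for the epoch value, so if the consumer reads the third field as the date and the fourth as the timestamp, as the surrounding layout suggests, these three releases would not be evaluated correctly. Drop the extra colon, e.g. `os:macOS High Sierra \(10.13.6\):2020-12-01:1606780800:`, on all three lines.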
@@ -148,7 +148,12 @@ os:macOS Catalina \(10.15.3\):2020-03-24:1585004400:
 os:macOS Catalina \(10.15.4\):2020-05-26:1590444000:
 os:macOS Catalina \(10.15.5\):2020-07-15:1594764000:
 os:macOS Catalina \(10.15.6\):2020-09-24:1600898400:
-os:macOS Catalina \(10.15.7\)::-1:
+os:macOS Catalina \(10.15.7\)::2022-09-12:1662940800:
+os:macOS Big Sur \(11.7.10\):2023-09-26:1695686400:
+os:macOS Monterey \(12.7.6\):2024-09-16:1726444800:
+os:macOS Ventura \(13.7.2\)::-1:
+os:macOS Sonoma \(14.7.2\)::-1:
+os:macOS Sequoia \(15.2\)::-1:
 #
 # Mageia - https://www.mageia.org/en/support/
 #
diff --git a/include/osdetection b/include/osdetection
index 8ae1c1d5..d6517911 100644
--- a/include/osdetection
+++ b/include/osdetection
@@ -66,6 +66,7 @@
 12 | 12.[0-9]*) OS_FULLNAME="macOS Monterey (${OS_VERSION})" ;;
 13 | 13.[0-9]*) OS_FULLNAME="macOS Ventura (${OS_VERSION})" ;;
 14 | 14.[0-9]*) OS_FULLNAME="macOS Sonoma (${OS_VERSION})" ;;
+ 15 | 15.[0-9]*) OS_FULLNAME="macOS Sequoia (${OS_VERSION})" ;;
 *) echo "Unknown macOS version. Do you know what version it is? Create an issue at ${PROGRAM_SOURCE}" ;;
 esac
 else
From 54b813f4c09c0ce80dee6788a2f19ffaec5b1668 Mon Sep 17 00:00:00 2001
From: Michael Boelen
Date: Mon, 16 Dec 2024 10:39:57 +0000
Subject: [PATCH 263/282] Switch to pre-release
---
 CHANGELOG.md | 7 +++++++
 lynis | 4 ++--
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a36dfb2f..dff6788c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,12 @@
 # Lynis Changelog
+## Lynis 3.1.4 (not released yet)
+
+### Changed
+- Update of translations: Portuguese
+
+---------------------------------------------------------------------------------
+
 ## Lynis 3.1.3 (2024-12-16)
 This release introduces additional documentation in the form of blog articles
diff --git a/lynis b/lynis
index 6614bb15..6b57f4c0 100755
--- a/lynis
+++ b/lynis
@@ -45,8 +45,8 @@
 # Version details
 PROGRAM_RELEASE_DATE="2024-12-16"
 PROGRAM_RELEASE_TIMESTAMP=1734340704
- PROGRAM_RELEASE_TYPE="release" # pre-release or release
- PROGRAM_VERSION="3.1.3"
+ PROGRAM_RELEASE_TYPE="pre-release" # pre-release or release
+ PROGRAM_VERSION="3.1.4"
 # Source, documentation and license
 PROGRAM_SOURCE="https://github.com/CISOfy/lynis"
From 7570da4ab33eb01fe1c225c31c64c13e66a342d3 Mon Sep 17 00:00:00 2001
From: Michael Boelen
Date: Mon, 16 Dec 2024 10:56:43 +0000
Subject: [PATCH 264/282] Update log
---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index dff6788c..53306d2b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,8 @@
 ### Changed
 - Update of translations: Portuguese
+- Add macOS Sequoia
+- Update of EOL database
 ---------------------------------------------------------------------------------
From d8844925e34d478965bd8d8eaed5f9eaea1db992 Mon Sep 17 00:00:00 2001
From: pyllyukko
Date: Wed, 18 Dec 2024 17:09:23 +0200
Subject: [PATCH 265/282] Fix #1562 kadmin.local binary might exist, even though Kerberos is not configured and /etc/krb5.conf does not exist.
---
 include/tests_kerberos | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/tests_kerberos b/include/tests_kerberos
index 9ef86267..98fccfa6 100644
--- a/include/tests_kerberos
+++ b/include/tests_kerberos
@@ -14,7 +14,7 @@ InsertSection "${SECTION_KERBEROS}"
 PREQS_MET="YES"
 # Make sure krb5 debugging doesn't mess up the output
 unset KRB5_TRACE
- PRINCS="$(${KADMINLOCALBINARY} listprincs | ${TRBINARY:-tr} '\n' ' ')"
+ PRINCS="$(${KADMINLOCALBINARY} listprincs 2>/dev/null | ${TRBINARY:-tr} '\n' ' ')"
 if [ -z "${PRINCS}" ]
 then
 PREQS_MET="NO"
From f2ac59a1303f397e263404d10f1315977372b58e Mon Sep 17 00:00:00 2001
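Review bot: `2>/dev/null` on the new `PRINCS=` line discards every diagnostic from `${KADMINLOCALBINARY} listprincs`, not only the missing `/etc/krb5.conf` case named in the commit message, so a permission problem, a broken KDC database, or an empty `KADMINLOCALBINARY` (the expansion is unquoted and unguarded here) all end up as `PREQS_MET="NO"` with no trace in the log. The exit status cannot be consulted instead, because the substitution reports the status of `tr`, not of kadmin.local, unless pipefail is enabled somewhere I cannot see. Keeping the redirect is reasonable, but record why the tests are skipped: add `LogText "Result: kadmin.local listprincs returned no principals, skipping Kerberos tests"` next to `PREQS_MET="NO"`, or check `[ -f /etc/krb5.conf ]` before invoking the binary so the skip happens for the documented reason. The `if` block that sets `PREQS_MET="NO"` continues past the end of the hunk.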
From: Michael Boelen
Date: Wed, 18 Dec 2024 17:53:09 +0000
Subject: [PATCH 266/282] Allow forward slash in SafeInput check
---
 include/functions | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/include/functions b/include/functions
index db7f5359..7f193aa5 100644
--- a/include/functions
+++ b/include/functions
@@ -3052,12 +3052,12 @@ SafeInput() {
 exitcode=1
- # By default remove only special or undefined characters
+ # Test against the string with a generic test set
 if [ $# -eq 1 ]; then
 input="$1"
- # Allow only a common set of characters in first parameter
- cleaned=$(echo "$input" | sed 's/[^a-zA-Z0-9\._:=-]//g')
- # If know what to test against, then see if input matches the specified class
+ # Only allow common set of characters: a-z, A-Z, 0-9, /._-:=
+ cleaned=$(echo "$input" | sed 's/[^a-zA-Z0-9\/\._:=-]//g')
+ # If two parameters are specified, then test input against specified class
 elif [ $# -eq 2 ]; then
 input="$1"
 testchars="$2"
From 5febfd7e06b45f4c654d0808ac6e29d76a90eef8 Mon Sep 17 00:00:00 2001
From: Michael Boelen
Date: Sat, 4 Jan 2025 15:41:27 +0100
Subject: [PATCH 267/282] Update CHANGELOG.md
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 53306d2b..761fb18f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,7 @@
 - Update of translations: Portuguese
 - Add macOS Sequoia
 - Update of EOL database
+- Bugfix for slashes in parameters
 ---------------------------------------------------------------------------------
From 6d8a9aa3a3b647959474bbe83b4a51fbfd28f81c Mon Sep 17 00:00:00 2001
From: Michael Boelen
Date: Sat, 4 Jan 2025 15:41:49 +0100
Subject: [PATCH 268/282] Update CHANGELOG.md
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 761fb18f..45bad88f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
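Review bot: With `/` added to the one-argument character class on the `cleaned=` line, `.`, `/` and `-` are now all accepted together, so a value such as `../` or `-/` passes `SafeInput` unchanged; any caller that relies on the one-argument form to validate a path-like value must reject traversal components and leading dashes itself, and the `# Only allow common set of characters` comment should say so, e.g. `# Note: '/' and '.' are both allowed, so '..' components are not rejected here`. Separately, the value is fed through `echo "$input"`, which treats an input beginning with `-n` or `-e` as an option (and interprets backslashes in some shells), which is exactly the untrusted-input shape a sanitizer exists to handle; `cleaned=$(printf '%s' "$input" | sed 's/[^a-zA-Z0-9\/\._:=-]//g')` avoids that, though whether it changes the final verdict depends on the comparison that follows below the hunk. `SafeInput` begins and ends outside this hunk.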
@@ -6,7 +6,7 @@
 - Update of translations: Portuguese
 - Add macOS Sequoia
 - Update of EOL database
-- Bugfix for slashes in parameters
+- Bugfix for using slashes in parameters (SafeInput function)
 ---------------------------------------------------------------------------------
From 2fe242f46467da2e9c474d3bf662e75c989fb60f Mon Sep 17 00:00:00 2001
From: "C.J. Collier"
Date: Fri, 17 Jan 2025 14:55:57 -0800
Subject: [PATCH 269/282] Update CONTRIBUTORS.md reverted to maiden name
---
 CONTRIBUTORS.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CONTRIBUTORS.md b/CONTRIBUTORS.md
index 29328d7e..07229362 100644
--- a/CONTRIBUTORS.md
+++ b/CONTRIBUTORS.md
@@ -36,7 +36,7 @@ These people made a significant impact to the development of Lynis:
 * Alexander Lobodzinski, Germany
 * Bodine Wilson
 * Brian Ginsbach
-* C.J. Adams-Collier, US
+* C.J. Collier, US
 * Charlie Heselton, US
 * Dave Vehrs
 * David Marzal Cánovas, Spain
From 59648cc1901efd425b6319c3a699701e12a19c34 Mon Sep 17 00:00:00 2001
From: Samuel Henrique
Date: Mon, 20 Jan 2025 12:19:59 +0000
Subject: [PATCH 270/282] Update Amazon Linux 2 EOL As per https://aws.amazon.com/amazon-linux-2/faqs/: > Amazon Linux 2 end of support date (End of Life, or EOL) will be on 2026-06-30.
---
 db/software-eol.db | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/db/software-eol.db b/db/software-eol.db
index 6ca03fdd..e7f3c166 100644
--- a/db/software-eol.db
+++ b/db/software-eol.db
@@ -50,7 +50,7 @@ os:Alpine 3.8:2020-05-01:1588305600
 #
 # Note: shortest entry is listed at end due to regular expression matching being used
 os:Amazon Linux 2023:2028-03-15:1836691200:
-os:Amazon Linux 2:2025-06-30:1751241600:
+os:Amazon Linux 2:2026-06-30:1782863999:
 os:Amazon Linux:2023-12-31:1703980800:
 #
 # Arch Linux
From cbc880f4a8799a47e8bd98a0d373f2d086fef0d8 Mon Sep 17 00:00:00 2001
From: Samuel Henrique
Date: Mon, 20 Jan 2025 17:53:31 +0000
Subject: [PATCH 271/282] Update Amazon Linux 2023 EOL As per https://docs.aws.amazon.com/linux/al2023/ug/release-cadence.html: > The maintenance phase ends June 30, 2029.
---
 db/software-eol.db | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/db/software-eol.db b/db/software-eol.db
index e7f3c166..8796b245 100644
--- a/db/software-eol.db
+++ b/db/software-eol.db
@@ -49,7 +49,7 @@ os:Alpine 3.8:2020-05-01:1588305600
 # Amazon Linux
 #
 # Note: shortest entry is listed at end due to regular expression matching being used
-os:Amazon Linux 2023:2028-03-15:1836691200:
+os:Amazon Linux 2023:2029-06-30:1877558399000:
 os:Amazon Linux 2:2026-06-30:1782863999:
 os:Amazon Linux:2023-12-31:1703980800:
 #
From 95530fdc0eb409de14c40f83a324ca92699cf227 Mon Sep 17 00:00:00 2001
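Review bot: The new timestamp `1877558399000` on the `os:Amazon Linux 2023` line has thirteen digits, while every other entry in this file uses a ten-digit epoch-seconds value (the Amazon Linux 2 line directly below it carries `1782863999` for 2026-06-30), so it looks like a millisecond value was pasted; if the file is compared against an epoch-seconds clock, as the surrounding values suggest, this release would never be flagged as end-of-life. The seconds value is consistent with its neighbour: 1782863999 plus the 1096 days from 2026-06-30 to 2029-06-30 is 1877558399, i.e. the pasted number without its trailing `000`. Change the line to `os:Amazon Linux 2023:2029-06-30:1877558399:`.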
From: Michael Boelen
Date: Tue, 28 Jan 2025 10:15:09 +0000
Subject: [PATCH 272/282] Simplified copyright line and meta information as including (and updating) the year does not hold much value
---
 FAQ | 2 --
 INSTALL | 2 --
 README | 1 -
 include/binaries | 11 ++++-------
 include/consts | 14 ++++----------
 include/data_upload | 11 ++++-------
 include/functions | 12 ++++--------
 include/helper_audit_dockerfile | 10 ++++------
 include/helper_configure | 9 ++++-----
 include/helper_generate | 9 ++++-----
 include/helper_show | 9 ++++-----
 include/helper_system_remote_scan | 9 ++++-----
 include/helper_update | 9 ++++-----
 include/osdetection | 7 +++----
 include/parameters | 7 +++----
 include/profiles | 7 +++----
 include/report | 11 ++++-------
 include/tests_accounting | 11 ++++-------
 include/tests_authentication | 5 ++---
 include/tests_banners | 5 ++---
 include/tests_boot_services | 5 ++---
 include/tests_containers | 11 ++++-------
 include/tests_crypto | 5 ++---
 include/tests_databases | 5 ++---
 include/tests_dns | 5 ++---
 include/tests_file_integrity | 13 ++++++-------
 include/tests_file_permissions | 9 +++------
 include/tests_filesystems | 7 +++----
 include/tests_firewalls | 5 ++---
 include/tests_hardening | 5 ++---
 include/tests_homedirs | 5 ++---
 include/tests_insecure_services | 5 ++---
 include/tests_kernel | 9 +++------
 include/tests_kernel_hardening | 5 ++---
 include/tests_ldap | 5 ++---
 include/tests_logging | 5 ++---
 include/tests_mac_frameworks | 5 ++---
 include/tests_mail_messaging | 5 ++---
 include/tests_malware | 5 ++---
 include/tests_memory_processes | 5 ++---
 include/tests_nameservices | 5 ++---
 include/tests_networking | 5 ++---
 include/tests_php | 5 ++---
 include/tests_ports_packages | 5 ++---
 include/tests_printers_spoolers | 5 ++---
 include/tests_scheduling | 7 +++----
 include/tests_shells | 14 +++++++-------
 include/tests_snmp | 11 ++++-------
 include/tests_squid | 9 +++------
 include/tests_ssh | 5 ++---
 include/tests_storage | 9 +++------
 include/tests_storage_nfs | 5 ++---
 include/tests_system_integrity | 15 +++++++--------
 include/tests_time | 5 ++---
 include/tests_tooling | 5 ++---
 include/tests_usb | 2 +-
 include/tests_virtualization | 5 ++---
 include/tests_webservers | 5 ++---
 include/tool_tips | 3 +--
 lynis | 6 +++---
 60 files changed, 164 insertions(+), 252 deletions(-)
diff --git a/FAQ b/FAQ
index 6e7b31b9..6a23024b 100644
--- a/FAQ
+++ b/FAQ
@@ -97,6 +97,4 @@ A: Whitelist the interface in the profile file (if_promisc).
- ================================================================================
- Lynis - Copyright 2007-2021, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/INSTALL b/INSTALL
index b08ba2ce..d4f80ebf 100644
--- a/INSTALL
+++ b/INSTALL
@@ -46,6 +46,4 @@ often asked questions.
- ================================================================================
- Lynis - Copyright 2007-2021, Michael Boelen, CISOfy - https://cisofy.com
diff --git a/README b/README
index 0eb9bf2d..fc25b1c5 100644
--- a/README
+++ b/README
@@ -142,4 +142,3 @@
 ================================================================================
- Lynis - Copyright 2007-2016, Michael Boelen and CISOfy - https://cisofy.com
diff --git a/include/binaries b/include/binaries
index 46359b3c..b4d68bbd 100644
--- a/include/binaries
+++ b/include/binaries
@@ -5,11 +5,10 @@
 # Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2021, CISOfy
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
 #
-# Website : https://cisofy.com
-# Blog : http://linux-audit.com
+# Website : https://cisofy.com/
+# Blog : https://linux-audit.com/
 # GitHub : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -375,6 +374,4 @@ fi
-#
-#================================================================================
-# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
+# EOF
diff --git a/include/consts b/include/consts
index dd9f033c..698743e4 100644
--- a/include/consts
+++ b/include/consts
@@ -5,11 +5,10 @@
 # Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2021, CISOfy
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
 #
-# Website : https://cisofy.com
-# Blog : http://linux-audit.com
+# Website : https://cisofy.com/
+# Blog : https://linux-audit.com/
 # GitHub : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -419,9 +418,4 @@ ETC_PATHS="/etc /usr/local/etc"
 OK="${GREEN}"
 BAD="${RED}"
-#
-#################################################################################
-#
-
-#================================================================================
-# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
+# EOF
diff --git a/include/data_upload b/include/data_upload
index c85a4140..9ed59cf4 100644
--- a/include/data_upload
+++ b/include/data_upload
@@ -5,11 +5,10 @@
 # Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2021, CISOfy
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
 #
-# Website : https://cisofy.com
-# Blog : http://linux-audit.com
+# Website : https://cisofy.com/
+# Blog : https://linux-audit.com/
 # GitHub : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -272,6 +271,4 @@ ExitFatal
 fi
-#
-#================================================================================
-# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
+# EOF
diff --git a/include/functions b/include/functions
index 7f193aa5..403ac626 100644
--- a/include/functions
+++ b/include/functions
@@ -5,11 +5,10 @@
 # Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2021, CISOfy
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
 #
-# Website : https://cisofy.com
-# Blog : http://linux-audit.com
+# Website : https://cisofy.com/
+# Blog : https://linux-audit.com/
 # GitHub : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -3748,7 +3747,4 @@
 if IsDeveloperMode; then Debug "Warning: old ShowResult() function is used. Please replace any reference with WaitForKeyPress."; fi
 }
-
-#================================================================================
-# Lynis is part of Lynis Enterprise and released under GPLv3 license
-# Copyright 2007-2021 - Michael Boelen, CISOfy - https://cisofy.com
+# EOF
diff --git a/include/helper_audit_dockerfile b/include/helper_audit_dockerfile
index 3ebbb7b2..fb4f1673 100644
--- a/include/helper_audit_dockerfile
+++ b/include/helper_audit_dockerfile
@@ -5,11 +5,10 @@
 # Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2021, CISOfy
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
 #
-# Website : https://cisofy.com
-# Blog : http://linux-audit.com
+# Website : https://cisofy.com/
+# Blog : https://linux-audit.com/
 # GitHub : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -233,5 +232,4 @@ fi
 rm -f ${TMP_FILE}
 fi
-
-# The End
+# EOF
diff --git a/include/helper_configure b/include/helper_configure
index 315b92f3..b3424bbe 100644
--- a/include/helper_configure
+++ b/include/helper_configure
@@ -5,11 +5,10 @@
 # Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2021, CISOfy
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
 #
-# Website : https://cisofy.com
-# Blog : http://linux-audit.com
+# Website : https://cisofy.com/
+# Blog : https://linux-audit.com/
 # GitHub : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -104,4 +103,4 @@ ExitClean
-# The End
+# EOF
diff --git a/include/helper_generate b/include/helper_generate
index bbfbb8dc..c22013e2 100644
--- a/include/helper_generate
+++ b/include/helper_generate
@@ -5,11 +5,10 @@
 # Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2021, CISOfy
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
 #
-# Website : https://cisofy.com
-# Blog : http://linux-audit.com
+# Website : https://cisofy.com/
+# Blog : https://linux-audit.com/
 # GitHub : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -189,4 +188,4 @@ fi
 ExitClean
-# The End
+# EOF
diff --git a/include/helper_show b/include/helper_show
index 70a066be..d1256b82 100644
--- a/include/helper_show
+++ b/include/helper_show
@@ -5,11 +5,10 @@
 # Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2021, CISOfy
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
 #
-# Website : https://cisofy.com
-# Blog : http://linux-audit.com
+# Website : https://cisofy.com/
+# Blog : https://linux-audit.com/
 # GitHub : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -480,4 +479,4 @@ ExitClean
 # - categories
 # - workdir
-# The End
+# EOF
diff --git a/include/helper_system_remote_scan b/include/helper_system_remote_scan
index 5c54814a..bafb7bbd 100644
--- a/include/helper_system_remote_scan
+++ b/include/helper_system_remote_scan
@@ -5,11 +5,10 @@
 # Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2021, CISOfy
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
 #
-# Website : https://cisofy.com
-# Blog : http://linux-audit.com
+# Website : https://cisofy.com/
+# Blog : https://linux-audit.com/
 # GitHub : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -82,4 +81,4 @@
 # No more Lynis output
 QUIET=1
-# The End
+# EOF
diff --git a/include/helper_update b/include/helper_update
index 0453ffbd..4badd858 100644
--- a/include/helper_update
+++ b/include/helper_update
@@ -5,11 +5,10 @@
 # Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2021, CISOfy
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
 #
-# Website : https://cisofy.com
-# Blog : http://linux-audit.com
+# Website : https://cisofy.com/
+# Blog : https://linux-audit.com/
 # GitHub : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -111,4 +110,4 @@ ExitClean
 QUIET=1
-# The End
+# EOF
diff --git a/include/osdetection b/include/osdetection
index d6517911..7a2e4bf1 100644
--- a/include/osdetection
+++ b/include/osdetection
@@ -5,11 +5,10 @@
 # Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2021, CISOfy
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
 #
-# Website : https://cisofy.com
-# Blog : http://linux-audit.com
+# Website : https://cisofy.com/
+# Blog : https://linux-audit.com/
 # GitHub : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
diff --git a/include/parameters b/include/parameters
index 90181927..db4ab6b4 100644
--- a/include/parameters
+++ b/include/parameters
@@ -5,11 +5,10 @@
 # Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2021, CISOfy
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
 #
-# Website : https://cisofy.com
-# Blog : http://linux-audit.com
+# Website : https://cisofy.com/
+# Blog : https://linux-audit.com/
 # GitHub : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
diff --git a/include/profiles b/include/profiles
index 6d7c0aa7..da868ab0 100644
--- a/include/profiles
+++ b/include/profiles
@@ -5,11 +5,10 @@
 # Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2021, CISOfy
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
 #
-# Website : https://cisofy.com
-# Blog : http://linux-audit.com
+# Website : https://cisofy.com/
+# Blog : https://linux-audit.com/
 # GitHub : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
diff --git a/include/report b/include/report
index 9aa7f3c9..363fdd7e 100644
--- a/include/report
+++ b/include/report
@@ -5,11 +5,10 @@
 # Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2021, CISOfy
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
 #
-# Website : https://cisofy.com
-# Blog : http://linux-audit.com
+# Website : https://cisofy.com/
+# Blog : https://linux-audit.com/
 # GitHub : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -326,6 +325,4 @@ echo "================================================================================"
 fi
-#
-#================================================================================
-# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
+# EOF
diff --git a/include/tests_accounting b/include/tests_accounting
index 6d89a796..6c44e260 100644
--- a/include/tests_accounting
+++ b/include/tests_accounting
@@ -5,11 +5,10 @@
 # Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2021, CISOfy
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
 #
-# Website : https://cisofy.com
-# Blog : http://linux-audit.com
+# Website : https://cisofy.com/
+# Blog : https://linux-audit.com/
 # GitHub : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -478,6 +477,4 @@ WaitForKeyPress
-#
-#================================================================================
-# Lynis - Copyright 2007-2021, Michael Boelen / CISOfy - https://cisofy.com
+# EOF
diff --git a/include/tests_authentication b/include/tests_authentication
index f936619f..97c4397e 100644
--- a/include/tests_authentication
+++ b/include/tests_authentication
@@ -5,11 +5,10 @@
 # Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2021, CISOfy
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
 #
 # Website : https://cisofy.com
-# Blog : http://linux-audit.com
+# Blog : https://linux-audit.com/
 # GitHub : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
diff --git a/include/tests_banners b/include/tests_banners
index 0694e9de..0bf78567 100644
--- a/include/tests_banners
+++ b/include/tests_banners
@@ -5,11 +5,10 @@
 # Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2021, CISOfy
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
 #
 # Website : https://cisofy.com
-# Blog : http://linux-audit.com
+# Blog : https://linux-audit.com/
 # GitHub : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
diff --git a/include/tests_boot_services b/include/tests_boot_services
index a9a926a0..ec2eaf66 100644
--- a/include/tests_boot_services
+++ b/include/tests_boot_services
@@ -5,11 +5,10 @@
 # Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2021, CISOfy
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
 #
 # Website : https://cisofy.com
-# Blog : http://linux-audit.com
+# Blog : https://linux-audit.com/
 # GitHub : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
diff --git a/include/tests_containers b/include/tests_containers
index 96fed9e8..5241b448 100644
--- a/include/tests_containers
+++ b/include/tests_containers
@@ -5,11 +5,10 @@
 # Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2021, CISOfy
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
 #
-# Website : https://cisofy.com
-# Blog : http://linux-audit.com
+# Website : https://cisofy.com/
+# Blog : https://linux-audit.com/
 # GitHub : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -224,6 +223,4 @@ WaitForKeyPress
-#
-#================================================================================
-# Lynis - Copyright 2007-2021, CISOfy - https://cisofy.com
+# EOF
diff --git a/include/tests_crypto b/include/tests_crypto
index 7b77b707..8f6e1de1 100644
--- a/include/tests_crypto
+++ b/include/tests_crypto
@@ -5,11 +5,10 @@
 # Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2021, CISOfy
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
 #
 # Website : https://cisofy.com
-# Blog : http://linux-audit.com
+# Blog : https://linux-audit.com/
 # GitHub : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
diff --git a/include/tests_databases b/include/tests_databases
index 82e3fa10..11265b6e 100644
--- a/include/tests_databases
+++ b/include/tests_databases
@@ -5,11 +5,10 @@
 # Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2021, CISOfy
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
 #
 # Website : https://cisofy.com
-# Blog : http://linux-audit.com
+# Blog : https://linux-audit.com/
 # GitHub : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
diff --git a/include/tests_dns b/include/tests_dns
index 5ef5a382..35276dbd 100644
--- a/include/tests_dns
+++ b/include/tests_dns
@@ -5,11 +5,10 @@
 # Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2021, CISOfy
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
 #
 # Website : https://cisofy.com
-# Blog : http://linux-audit.com
+# Blog : https://linux-audit.com/
 # GitHub : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
diff --git a/include/tests_file_integrity b/include/tests_file_integrity
index 4fffca65..838f986c 100644
--- a/include/tests_file_integrity
+++ b/include/tests_file_integrity
@@ -5,11 +5,10 @@
 # Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2021, CISOfy
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
 #
 # Website : https://cisofy.com
-# Blog : http://linux-audit.com
+# Blog : https://linux-audit.com/
 # GitHub : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -457,7 +456,7 @@
 #
 #################################################################################
 #
- WaitForKeyPress
-#
-#================================================================================
-# Lynis - Copyright 2007-2021 Michael Boelen, CISOfy - https://cisofy.com
+
+WaitForKeyPress
+
+# EOF
diff --git a/include/tests_file_permissions b/include/tests_file_permissions
index 924dad12..e49a22d1 100644
--- a/include/tests_file_permissions
+++ b/include/tests_file_permissions
@@ -5,11 +5,10 @@
 # Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2021, CISOfy
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
 #
 # Website : https://cisofy.com
-# Blog : http://linux-audit.com
+# Blog : https://linux-audit.com/
 # GitHub : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -70,6 +69,4 @@ WaitForKeyPress
-#
-#================================================================================
-# Lynis - Copyright 2007-2021, CISOfy - https://cisofy.com
+# EOF
diff --git a/include/tests_filesystems b/include/tests_filesystems
index 153c0427..4b8780b9 100644
--- a/include/tests_filesystems
+++ b/include/tests_filesystems
@@ -5,11 +5,10 @@
 # Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2021, CISOfy
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
 #
-# Website : https://cisofy.com
-# Blog : http://linux-audit.com
+# Website : https://cisofy.com/
+# Blog : https://linux-audit.com/
 # GitHub : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
diff --git a/include/tests_firewalls b/include/tests_firewalls
index c01b80ed..0ed89195 100644
--- a/include/tests_firewalls
+++ b/include/tests_firewalls
@@ -5,11 +5,10 @@
 # Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2021, CISOfy
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
 #
 # Website : https://cisofy.com
-# Blog : http://linux-audit.com
+# Blog : https://linux-audit.com/
 # GitHub : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
diff --git a/include/tests_hardening b/include/tests_hardening
index 8ca04d6d..56c299b9 100644
--- a/include/tests_hardening
+++ b/include/tests_hardening
@@ -5,11 +5,10 @@
 # Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2021, CISOfy
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
 #
 # Website : https://cisofy.com
-# Blog : http://linux-audit.com
+# Blog : https://linux-audit.com/
 # GitHub : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
diff --git a/include/tests_homedirs b/include/tests_homedirs
index 77de47f4..c634cb44 100644
--- a/include/tests_homedirs
+++ b/include/tests_homedirs
@@ -5,11 +5,10 @@
 # Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2021, CISOfy
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
 #
 # Website : https://cisofy.com
-# Blog : http://linux-audit.com
+# Blog : https://linux-audit.com/
 # GitHub : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
diff --git a/include/tests_insecure_services b/include/tests_insecure_services
index 564db774..ed28829c 100644
--- a/include/tests_insecure_services
+++ b/include/tests_insecure_services
@@ -5,11 +5,10 @@
 # Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2021, CISOfy
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
 #
 # Website : https://cisofy.com
-# Blog : http://linux-audit.com
+# Blog : https://linux-audit.com/
 # GitHub : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
diff --git a/include/tests_kernel b/include/tests_kernel
index 9f3313b7..7fac8b59 100644
--- a/include/tests_kernel
+++ b/include/tests_kernel
@@ -5,11 +5,10 @@ # Lynis # ------------------ # -# Copyright 2007-2013, Michael Boelen -# Copyright 2007-2021, CISOfy +# Copyright (c) Michael Boelen, CISOfy, and many contributors. # # Website : https://cisofy.com -# Blog : http://linux-audit.com +# Blog : https://linux-audit.com/ # GitHub : https://github.com/CISOfy/lynis # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are @@ -924,6 +923,4 @@ WaitForKeyPress -# -#================================================================================ -# Lynis - Copyright 2007-2021, CISOfy - https://cisofy.com +# EOF diff --git a/include/tests_kernel_hardening b/include/tests_kernel_hardening index 630c38d5..009d73c8 100644 --- a/include/tests_kernel_hardening +++ b/include/tests_kernel_hardening @@ -5,11 +5,10 @@ # Lynis # ------------------ # -# Copyright 2007-2013, Michael Boelen -# Copyright 2007-2021, CISOfy +# Copyright (c) Michael Boelen, CISOfy, and many contributors. # # Website : https://cisofy.com -# Blog : http://linux-audit.com +# Blog : https://linux-audit.com/ # GitHub : https://github.com/CISOfy/lynis # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are diff --git a/include/tests_ldap b/include/tests_ldap index 18cdc09c..cd0371e8 100644 --- a/include/tests_ldap +++ b/include/tests_ldap @@ -5,11 +5,10 @@ # Lynis # ------------------ # -# Copyright 2007-2013, Michael Boelen -# Copyright 2007-2021, CISOfy +# Copyright (c) Michael Boelen, CISOfy, and many contributors. # # Website : https://cisofy.com -# Blog : http://linux-audit.com +# Blog : https://linux-audit.com/ # GitHub : https://github.com/CISOfy/lynis # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are diff --git a/include/tests_logging b/include/tests_logging index d560da64..89bb5a17 100644 --- a/include/tests_logging +++ b/include/tests_logging 
@@ -5,11 +5,10 @@ # Lynis # ------------------ # -# Copyright 2007-2013, Michael Boelen -# Copyright 2007-2021, CISOfy +# Copyright (c) Michael Boelen, CISOfy, and many contributors. # # Website : https://cisofy.com -# Blog : http://linux-audit.com +# Blog : https://linux-audit.com/ # GitHub : https://github.com/CISOfy/lynis # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are diff --git a/include/tests_mac_frameworks b/include/tests_mac_frameworks index 207a98f5..18ef8c24 100644 --- a/include/tests_mac_frameworks +++ b/include/tests_mac_frameworks @@ -5,11 +5,10 @@ # Lynis # ------------------ # -# Copyright 2007-2013, Michael Boelen -# Copyright 2007-2021, CISOfy +# Copyright (c) Michael Boelen, CISOfy, and many contributors. # # Website : https://cisofy.com -# Blog : http://linux-audit.com +# Blog : https://linux-audit.com/ # GitHub : https://github.com/CISOfy/lynis # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are diff --git a/include/tests_mail_messaging b/include/tests_mail_messaging index 8d4ae929..744804ee 100644 --- a/include/tests_mail_messaging +++ b/include/tests_mail_messaging @@ -5,11 +5,10 @@ # Lynis # ------------------ # -# Copyright 2007-2013, Michael Boelen -# Copyright 2007-2021, CISOfy +# Copyright (c) Michael Boelen, CISOfy, and many contributors. # # Website : https://cisofy.com -# Blog : http://linux-audit.com +# Blog : https://linux-audit.com/ # GitHub : https://github.com/CISOfy/lynis # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are diff --git a/include/tests_malware b/include/tests_malware index 70c1ff59..3156790b 100644 --- a/include/tests_malware +++ b/include/tests_malware 
@@ -5,11 +5,10 @@ # Lynis # ------------------ # -# Copyright 2007-2013, Michael Boelen -# Copyright 2007-2021, CISOfy +# Copyright (c) Michael Boelen, CISOfy, and many contributors. # # Website : https://cisofy.com -# Blog : http://linux-audit.com +# Blog : https://linux-audit.com/ # GitHub : https://github.com/CISOfy/lynis # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are diff --git a/include/tests_memory_processes b/include/tests_memory_processes index 542400a2..6822df65 100644 --- a/include/tests_memory_processes +++ b/include/tests_memory_processes @@ -5,11 +5,10 @@ # Lynis # ------------------ # -# Copyright 2007-2013, Michael Boelen -# Copyright 2007-2021, CISOfy +# Copyright (c) Michael Boelen, CISOfy, and many contributors. # # Website : https://cisofy.com -# Blog : http://linux-audit.com +# Blog : https://linux-audit.com/ # GitHub : https://github.com/CISOfy/lynis # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are diff --git a/include/tests_nameservices b/include/tests_nameservices index e6cc0489..26ac2bb9 100644 --- a/include/tests_nameservices +++ b/include/tests_nameservices @@ -5,11 +5,10 @@ # Lynis # ------------------ # -# Copyright 2007-2013, Michael Boelen -# Copyright 2007-2021, CISOfy +# Copyright (c) Michael Boelen, CISOfy, and many contributors. # # Website : https://cisofy.com -# Blog : http://linux-audit.com +# Blog : https://linux-audit.com/ # GitHub : https://github.com/CISOfy/lynis # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are diff --git a/include/tests_networking b/include/tests_networking index 764204cf..fcf40802 100644 --- a/include/tests_networking +++ b/include/tests_networking 
@@ -5,11 +5,10 @@ # Lynis # ------------------ # -# Copyright 2007-2013, Michael Boelen -# Copyright 2007-2021, CISOfy +# Copyright (c) Michael Boelen, CISOfy, and many contributors. # # Website : https://cisofy.com -# Blog : http://linux-audit.com +# Blog : https://linux-audit.com/ # GitHub : https://github.com/CISOfy/lynis # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are diff --git a/include/tests_php b/include/tests_php index e2dabf35..99ae8087 100644 --- a/include/tests_php +++ b/include/tests_php @@ -5,11 +5,10 @@ # Lynis # ------------------ # -# Copyright 2007-2013, Michael Boelen -# Copyright 2007-2021, CISOfy +# Copyright (c) Michael Boelen, CISOfy, and many contributors. # # Website : https://cisofy.com -# Blog : http://linux-audit.com +# Blog : https://linux-audit.com/ # GitHub : https://github.com/CISOfy/lynis # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are diff --git a/include/tests_ports_packages b/include/tests_ports_packages index 35de8cd5..3711ac89 100644 --- a/include/tests_ports_packages +++ b/include/tests_ports_packages @@ -5,11 +5,10 @@ # Lynis # ------------------ # -# Copyright 2007-2013, Michael Boelen -# Copyright 2007-2021, CISOfy +# Copyright (c) Michael Boelen, CISOfy, and many contributors. # # Website : https://cisofy.com -# Blog : http://linux-audit.com +# Blog : https://linux-audit.com/ # GitHub : https://github.com/CISOfy/lynis # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are diff --git a/include/tests_printers_spoolers b/include/tests_printers_spoolers index d9318c3b..406c5232 100644 --- a/include/tests_printers_spoolers +++ b/include/tests_printers_spoolers 
@@ -5,11 +5,10 @@ # Lynis # ------------------ # -# Copyright 2007-2013, Michael Boelen -# Copyright 2007-2021, CISOfy +# Copyright (c) Michael Boelen, CISOfy, and many contributors. # # Website : https://cisofy.com -# Blog : http://linux-audit.com +# Blog : https://linux-audit.com/ # GitHub : https://github.com/CISOfy/lynis # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are diff --git a/include/tests_scheduling b/include/tests_scheduling index 10fa0766..a4712ed9 100644 --- a/include/tests_scheduling +++ b/include/tests_scheduling @@ -5,11 +5,10 @@ # Lynis # ------------------ # -# Copyright 2007-2013, Michael Boelen -# Copyright 2007-2021, CISOfy +# Copyright (c) Michael Boelen, CISOfy, and many contributors. # -# Website : https://cisofy.com -# Blog : http://linux-audit.com +# Website : https://cisofy.com/ +# Blog : https://linux-audit.com/ # GitHub : https://github.com/CISOfy/lynis # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are diff --git a/include/tests_shells b/include/tests_shells index b046b608..a76fe084 100644 --- a/include/tests_shells +++ b/include/tests_shells @@ -5,11 +5,10 @@ # Lynis # ------------------ # -# Copyright 2007-2013, Michael Boelen -# Copyright 2007-2021, CISOfy +# Copyright (c) Michael Boelen, CISOfy, and many contributors. # -# Website : https://cisofy.com -# Blog : http://linux-audit.com +# Website : https://cisofy.com/ +# Blog : https://linux-audit.com/ # GitHub : https://github.com/CISOfy/lynis # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are @@ -277,9 +276,10 @@ Report "session_timeout_enabled=${IDLE_TIMEOUT}" +# +################################################################################# +# WaitForKeyPress -# -#================================================================================ -# Lynis - Copyright 2007-2021, CISOfy - http://cisofy.com +# EOF 
diff --git a/include/tests_snmp b/include/tests_snmp index 93755e80..face66fe 100644 --- a/include/tests_snmp +++ b/include/tests_snmp @@ -5,11 +5,10 @@ # Lynis # ------------------ # -# Copyright 2007-2013, Michael Boelen -# Copyright 2007-2021, CISOfy +# Copyright (c) Michael Boelen, CISOfy, and many contributors. # -# Website : https://cisofy.com -# Blog : http://linux-audit.com +# Website : https://cisofy.com/ +# Blog : https://linux-audit.com/ # GitHub : https://github.com/CISOfy/lynis # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are @@ -102,6 +101,4 @@ WaitForKeyPress -# -#================================================================================ -# Lynis - Copyright 2007-2021 Michael Boelen, CISOfy - https://cisofy.com +# EOF diff --git a/include/tests_squid b/include/tests_squid index 1eb43955..d693b3f6 100644 --- a/include/tests_squid +++ b/include/tests_squid @@ -5,11 +5,10 @@ # Lynis # ------------------ # -# Copyright 2007-2013, Michael Boelen -# Copyright 2007-2021, CISOfy +# Copyright (c) Michael Boelen, CISOfy, and many contributors. # # Website : https://cisofy.com -# Blog : http://linux-audit.com +# Blog : https://linux-audit.com/ # GitHub : https://github.com/CISOfy/lynis # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are @@ -323,6 +322,4 @@ WaitForKeyPress -# -#================================================================================ -# Lynis - Copyright 2007-2021 Michael Boelen, CISOfy - https://cisofy.com +# EOF diff --git a/include/tests_ssh b/include/tests_ssh index c0650d54..3b786d88 100644 --- a/include/tests_ssh +++ b/include/tests_ssh 
@@ -5,11 +5,10 @@ # Lynis # ------------------ # -# Copyright 2007-2013, Michael Boelen -# Copyright 2007-2021, CISOfy +# Copyright (c) Michael Boelen, CISOfy, and many contributors. # # Website : https://cisofy.com -# Blog : http://linux-audit.com +# Blog : https://linux-audit.com/ # GitHub : https://github.com/CISOfy/lynis # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are diff --git a/include/tests_storage b/include/tests_storage index 29785e6c..173b7890 100644 --- a/include/tests_storage +++ b/include/tests_storage @@ -5,11 +5,10 @@ # Lynis # ------------------ # -# Copyright 2007-2013, Michael Boelen -# Copyright 2007-2021, CISOfy +# Copyright (c) Michael Boelen, CISOfy, and many contributors. # # Website : https://cisofy.com -# Blog : http://linux-audit.com +# Blog : https://linux-audit.com/ # GitHub : https://github.com/CISOfy/lynis # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are @@ -75,6 +74,4 @@ WaitForKeyPress -# -#================================================================================ -# Lynis - Copyright 2007-2021, CISOfy, Michael Boelen - https://cisofy.com +# EOF diff --git a/include/tests_storage_nfs b/include/tests_storage_nfs index fb236560..9e0b0773 100644 --- a/include/tests_storage_nfs +++ b/include/tests_storage_nfs @@ -5,11 +5,10 @@ # Lynis # ------------------ # -# Copyright 2007-2013, Michael Boelen -# Copyright 2007-2021, CISOfy +# Copyright (c) Michael Boelen, CISOfy, and many contributors. # # Website : https://cisofy.com -# Blog : http://linux-audit.com +# Blog : https://linux-audit.com/ # GitHub : https://github.com/CISOfy/lynis # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are diff --git a/include/tests_system_integrity b/include/tests_system_integrity index 9c5b1e51..605764c9 100644 --- a/include/tests_system_integrity +++ b/include/tests_system_integrity 
@@ -5,11 +5,10 @@ # Lynis # ------------------ # -# Copyright 2007-2013, Michael Boelen -# Copyright 2007-2021, CISOfy +# Copyright (c) Michael Boelen, CISOfy, and many contributors. # -# Website : https://cisofy.com -# Blog : http://linux-audit.com +# Website : https://cisofy.com/ +# Blog : https://linux-audit.com/ # GitHub : https://github.com/CISOfy/lynis # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are @@ -50,7 +49,7 @@ # ################################################################################# # - WaitForKeyPress -# -#================================================================================ -# Lynis - Copyright 2007-2021 Michael Boelen, CISOfy - https://cisofy.com + +WaitForKeyPress + +# EOF diff --git a/include/tests_time b/include/tests_time index b68bc102..0d66a691 100644 --- a/include/tests_time +++ b/include/tests_time @@ -5,11 +5,10 @@ # Lynis # ------------------ # -# Copyright 2007-2013, Michael Boelen -# Copyright 2007-2021, CISOfy +# Copyright (c) Michael Boelen, CISOfy, and many contributors. # # Website : https://cisofy.com -# Blog : http://linux-audit.com +# Blog : https://linux-audit.com/ # GitHub : https://github.com/CISOfy/lynis # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are diff --git a/include/tests_tooling b/include/tests_tooling index 606e566f..2fc54668 100644 --- a/include/tests_tooling +++ b/include/tests_tooling @@ -5,11 +5,10 @@ # Lynis # ------------------ # -# Copyright 2007-2013, Michael Boelen -# Copyright 2007-2021, CISOfy +# Copyright (c) Michael Boelen, CISOfy, and many contributors. # # Website : https://cisofy.com -# Blog : http://linux-audit.com +# Blog : https://linux-audit.com/ # GitHub : https://github.com/CISOfy/lynis # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are diff --git a/include/tests_usb b/include/tests_usb index 81c184df..68b8687f 100644 --- a/include/tests_usb +++ b/include/tests_usb 
@@ -6,7 +6,7 @@ # ------------------ # # Website : https://cisofy.com -# Blog : http://linux-audit.com +# Blog : https://linux-audit.com/ # GitHub : https://github.com/CISOfy/lynis # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are diff --git a/include/tests_virtualization b/include/tests_virtualization index bf985e7c..7f1b2f2e 100644 --- a/include/tests_virtualization +++ b/include/tests_virtualization @@ -5,11 +5,10 @@ # Lynis # ------------------ # -# Copyright 2007-2013, Michael Boelen -# Copyright 2007-2021, CISOfy +# Copyright (c) Michael Boelen, CISOfy, and many contributors. # # Website : https://cisofy.com -# Blog : http://linux-audit.com +# Blog : https://linux-audit.com/ # GitHub : https://github.com/CISOfy/lynis # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are diff --git a/include/tests_webservers b/include/tests_webservers index c0cfc5df..859f804c 100644 --- a/include/tests_webservers +++ b/include/tests_webservers @@ -5,11 +5,10 @@ # Lynis # ------------------ # -# Copyright 2007-2013, Michael Boelen -# Copyright 2007-2021, CISOfy +# Copyright (c) Michael Boelen, CISOfy, and many contributors. # # Website : https://cisofy.com -# Blog : http://linux-audit.com +# Blog : https://linux-audit.com/ # GitHub : https://github.com/CISOfy/lynis # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are diff --git a/include/tool_tips b/include/tool_tips index e380a5d5..86c356c6 100644 --- a/include/tool_tips +++ b/include/tool_tips @@ -5,8 +5,7 @@ # Lynis # ------------------ # -# Copyright 2007-2013, Michael Boelen -# Copyright 2007-2021, CISOfy +# Copyright (c) Michael Boelen, CISOfy, and many contributors. # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/lynis b/lynis index 6b57f4c0..2f605c27 100755 --- a/lynis +++ b/lynis 
@@ -5,10 +5,10 @@
 # Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
-# 2013-now, CISOfy
+# Copyright Michael Boelen, CISOfy
 #
-# Web site: https://cisofy.com
+# Web site : https://cisofy.com/
+# Blog : https://linux-audit.com/
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
 # welcome to redistribute it under the terms of the GNU General Public License.
From 5fc4be05af2afb631bd00d52de4976221fc109f2 Mon Sep 17 00:00:00 2001
From: Michael Boelen
Date: Tue, 28 Jan 2025 11:19:32 +0100
Subject: [PATCH 273/282] Update software-eol.db

Corrected timestamp

---
 db/software-eol.db | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/db/software-eol.db b/db/software-eol.db
index 8796b245..09932338 100644
--- a/db/software-eol.db
+++ b/db/software-eol.db
@@ -49,7 +49,7 @@ os:Alpine 3.8:2020-05-01:1588305600
 # Amazon Linux
 #
 # Note: shortest entry is listed at end due to regular expression matching being used
-os:Amazon Linux 2023:2029-06-30:1877558399000:
+os:Amazon Linux 2023:2029-06-30:1877464800:
 os:Amazon Linux 2:2026-06-30:1782863999:
 os:Amazon Linux:2023-12-31:1703980800:
 #
From f16707fbf7ea9d9ebd978202b6e1d9c64899ba79 Mon Sep 17 00:00:00 2001
From: Michael Boelen
Date: Tue, 28 Jan 2025 11:26:23 +0100
Subject: [PATCH 274/282] Update CHANGELOG.md

---
 CHANGELOG.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 45bad88f..db66855e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
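Review bot: The corrected timestamp `1877464800` is 2029-06-29 22:00:00 UTC, so it falls before the `2029-06-30` date written in the same entry; the neighbouring `os:Amazon Linux 2:2026-06-30:1782863999:` line ends on 23:59:59 UTC of its date, and the old value `1877558399000` was that same end-of-day convention with three stray digits. Keeping the convention gives `os:Amazon Linux 2023:2029-06-30:1877558399:`. Whatever compares these values against the current time is outside the hunk; a timestamp that precedes its own date moves the end-of-life instant ahead of what the human-readable field promises.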
@@ -1,12 +1,15 @@ # Lynis Changelog -## Lynis 3.1.4 (not released yet) +## Lynis 3.1.4 (2025-01-28) ### Changed - Update of translations: Portuguese - Add macOS Sequoia - Update of EOL database - Bugfix for using slashes in parameters (SafeInput function) +- Simplified copyright line and meta data in files +- Support for powerpc64le in authentication section +- Don't show error "kadmin.local: unable to get default realm" --------------------------------------------------------------------------------- From 8dc6df5493d24a4af655e807743b518e09c43f57 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 28 Jan 2025 10:41:07 +0000 Subject: [PATCH 275/282] Remove separator at the end to allow indexing, some bots otherwise include the ; --- db/control-links.db | 84 ++++++++++++++++++++++----------------------- 1 file changed, 42 insertions(+), 42 deletions(-) diff --git a/db/control-links.db b/db/control-links.db index 502474c7..99058afc 100644 --- a/db/control-links.db +++ b/db/control-links.db 
@@ -1,46 +1,46 @@ # Links for controls pointing to informational pages. Note: only links managed by the project are allowed (cisofy.com / linux-audit.com) # Format: # Control;Text;Link; -ACCT-9628;blog;Linux audit framework 101: basic rules for configuration;https://linux-audit.com/linux-audit-framework/linux-audit-framework-101-basic-rules-for-configuration/; -ACCT-9628;blog;Monitoring Linux file access, changes and data modifications;https://linux-audit.com/monitoring-linux-file-access-changes-and-modifications/; -AUTH-9228;blog;File integrity of password files;https://linux-audit.com/authentication/file-integrity-of-password-files/; -AUTH-9229;blog;Linux password security: hashing rounds;https://linux-audit.com/authentication/configure-the-minimum-password-length-on-linux-systems/; -AUTH-9230;blog;Linux password security: hashing rounds;https://linux-audit.com/authentication/configure-the-minimum-password-length-on-linux-systems/; -AUTH-9262;blog;Configure minimum password length for Linux systems;https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/; -AUTH-9286;blog;Configure minimum password length for Linux systems;https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/; -AUTH-9328;blog;Set default file permissions on Linux with umask;https://linux-audit.com/filesystems/file-permissions/set-default-file-permissions-with-umask/; -BANN-7126;blog;The real purpose of login banners;https://linux-audit.com/the-real-purpose-of-login-banners-on-linux/; -BANN-7130;blog;The real purpose of login banners;https://linux-audit.com/the-real-purpose-of-login-banners-on-linux/; -BOOT-5264;blog;Systemd features to secure service files;https://linux-audit.com/systemd/systemd-features-to-secure-units-and-services/; -FINT-4350;blog;Monitoring Linux file access, changes and data modifications;https://linux-audit.com/monitoring-linux-file-access-changes-and-modifications/; -FINT-4350;blog;Monitor for file changes on 
Linux;https://linux-audit.com/monitor-for-file-system-changes-on-linux/; -HRDN-7220;blog;Why remove compilers from your system?;https://linux-audit.com/software/why-remove-compilers-from-your-system/; -HRDN-7222;blog;Why remove compilers from your system?;https://linux-audit.com/software/why-remove-compilers-from-your-system/; -HRDN-7230;blog;Antivirus for Linux: is it really needed?;https://linux-audit.com/malware/antivirus-for-linux-really-needed/; -HRDN-7230;blog;Monitoring Linux Systems for Rootkits;https://linux-audit.com/monitoring-linux-systems-for-rootkits/; -HTTP-6704;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/; -HTTP-6706;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/; -HTTP-6708;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/; -HTTP-6710;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/; -HTTP-6712;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/; -HTTP-6714;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/; -HTTP-6716;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/; -HTTP-6720;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/; -INSE-8116;blog;Find and Disable Insecure Services on Linux;https://linux-audit.com/find-disable-insecure-services-linux/; -KRNL-5820;blog;Understand and configure core dumps on Linux;https://linux-audit.com/software/understand-and-configure-core-dumps-work-on-linux/; -KRNL-6000;blog;Linux hardening with sysctl settings;https://linux-audit.com/linux-hardening-with-sysctl/; -KRNL-6000;blog;Overview of sysctl options and 
values;https://linux-audit.com/kernel/sysctl/; -MACF-6208;blog;AppArmor;https://linux-audit.com/security-frameworks/apparmor/; -MAIL-8816;blog;Postfix Hardening Guide for Security and Privacy;https://linux-audit.com/postfix-hardening-guide-for-security-and-privacy/; -MAIL-8817;blog;Postfix Hardening Guide for Security and Privacy;https://linux-audit.com/postfix-hardening-guide-for-security-and-privacy/; -MAIL-8818;blog;Postfix Hardening Guide for Security and Privacy;https://linux-audit.com/postfix-hardening-guide-for-security-and-privacy/; -MAIL-8820;blog;Postfix Hardening Guide for Security and Privacy;https://linux-audit.com/postfix-hardening-guide-for-security-and-privacy/; -NAME-4402;blog;Keeping your /etc/hosts file healthy;https://linux-audit.com/is-your-etc-hosts-file-healthy/; -NAME-4404;blog;Keeping your /etc/hosts file healthy;https://linux-audit.com/is-your-etc-hosts-file-healthy/; -NETW-2600;blog;Linux Security Guide for Hardening IPv6;https://linux-audit.com/networking/linux-security-guide-for-hardening-ipv6/; -SSH-7402;blog;OpenSSH security and hardening;https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/; -SSH-7404;blog;OpenSSH security and hardening;https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/; -SSH-7406;blog;OpenSSH security and hardening;https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/; -SSH-7408;blog;OpenSSH security and hardening;https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/; -SSH-7440;blog;OpenSSH security and hardening;https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/; +ACCT-9628;blog;Linux audit framework 101: basic rules for configuration;https://linux-audit.com/linux-audit-framework/linux-audit-framework-101-basic-rules-for-configuration/ +ACCT-9628;blog;Monitoring Linux file access, changes and data modifications;https://linux-audit.com/monitoring-linux-file-access-changes-and-modifications/ +AUTH-9228;blog;File integrity of password 
files;https://linux-audit.com/authentication/file-integrity-of-password-files/ +AUTH-9229;blog;Linux password security: hashing rounds;https://linux-audit.com/authentication/configure-the-minimum-password-length-on-linux-systems/ +AUTH-9230;blog;Linux password security: hashing rounds;https://linux-audit.com/authentication/configure-the-minimum-password-length-on-linux-systems/ +AUTH-9262;blog;Configure minimum password length for Linux systems;https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ +AUTH-9286;blog;Configure minimum password length for Linux systems;https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/ +AUTH-9328;blog;Set default file permissions on Linux with umask;https://linux-audit.com/filesystems/file-permissions/set-default-file-permissions-with-umask/ +BANN-7126;blog;The real purpose of login banners;https://linux-audit.com/the-real-purpose-of-login-banners-on-linux/ +BANN-7130;blog;The real purpose of login banners;https://linux-audit.com/the-real-purpose-of-login-banners-on-linux/ +BOOT-5264;blog;Systemd features to secure service files;https://linux-audit.com/systemd/systemd-features-to-secure-units-and-services/ +FINT-4350;blog;Monitoring Linux file access, changes and data modifications;https://linux-audit.com/monitoring-linux-file-access-changes-and-modifications/ +FINT-4350;blog;Monitor for file changes on Linux;https://linux-audit.com/monitor-for-file-system-changes-on-linux/ +HRDN-7220;blog;Why remove compilers from your system?;https://linux-audit.com/software/why-remove-compilers-from-your-system/ +HRDN-7222;blog;Why remove compilers from your system?;https://linux-audit.com/software/why-remove-compilers-from-your-system/ +HRDN-7230;blog;Antivirus for Linux: is it really needed?;https://linux-audit.com/malware/antivirus-for-linux-really-needed/ +HRDN-7230;blog;Monitoring Linux Systems for Rootkits;https://linux-audit.com/monitoring-linux-systems-for-rootkits/ +HTTP-6704;blog;Nginx 
security hardening guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/ +HTTP-6706;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/ +HTTP-6708;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/ +HTTP-6710;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/ +HTTP-6712;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/ +HTTP-6714;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/ +HTTP-6716;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/ +HTTP-6720;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/ +INSE-8116;blog;Find and Disable Insecure Services on Linux;https://linux-audit.com/find-disable-insecure-services-linux/ +KRNL-5820;blog;Understand and configure core dumps on Linux;https://linux-audit.com/software/understand-and-configure-core-dumps-work-on-linux/ +KRNL-6000;blog;Linux hardening with sysctl settings;https://linux-audit.com/linux-hardening-with-sysctl/ +KRNL-6000;blog;Overview of sysctl options and values;https://linux-audit.com/kernel/sysctl/ +MACF-6208;blog;AppArmor;https://linux-audit.com/security-frameworks/apparmor/ +MAIL-8816;blog;Postfix Hardening Guide for Security and Privacy;https://linux-audit.com/postfix-hardening-guide-for-security-and-privacy/ +MAIL-8817;blog;Postfix Hardening Guide for Security and Privacy;https://linux-audit.com/postfix-hardening-guide-for-security-and-privacy/ +MAIL-8818;blog;Postfix Hardening Guide for Security and Privacy;https://linux-audit.com/postfix-hardening-guide-for-security-and-privacy/ +MAIL-8820;blog;Postfix Hardening Guide for Security and 
Privacy;https://linux-audit.com/postfix-hardening-guide-for-security-and-privacy/ +NAME-4402;blog;Keeping your /etc/hosts file healthy;https://linux-audit.com/is-your-etc-hosts-file-healthy/ +NAME-4404;blog;Keeping your /etc/hosts file healthy;https://linux-audit.com/is-your-etc-hosts-file-healthy/ +NETW-2600;blog;Linux Security Guide for Hardening IPv6;https://linux-audit.com/networking/linux-security-guide-for-hardening-ipv6/ +SSH-7402;blog;OpenSSH security and hardening;https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/ +SSH-7404;blog;OpenSSH security and hardening;https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/ +SSH-7406;blog;OpenSSH security and hardening;https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/ +SSH-7408;blog;OpenSSH security and hardening;https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/ +SSH-7440;blog;OpenSSH security and hardening;https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/ # EOF From 85f2c14c2c9615785145bae4323e2234d530f05f Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 28 Jan 2025 11:59:56 +0000 Subject: [PATCH 276/282] Release 3.1.4 --- lynis | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lynis b/lynis index 2f605c27..dce987bb 100755 --- a/lynis +++ b/lynis @@ -43,9 +43,9 @@ PROGRAM_WEBSITE="https://cisofy.com/lynis/" # Version details - PROGRAM_RELEASE_DATE="2024-12-16" - PROGRAM_RELEASE_TIMESTAMP=1734340704 - PROGRAM_RELEASE_TYPE="pre-release" # pre-release or release + PROGRAM_RELEASE_DATE="2025-01-28" + PROGRAM_RELEASE_TIMESTAMP=1738061140 + PROGRAM_RELEASE_TYPE="release" # pre-release or release PROGRAM_VERSION="3.1.4" # Source, documentation and license From aba1d530d3996b95b585394af5a195ce0374ece9 Mon Sep 17 00:00:00 2001 
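Review bot: The format comment `# Control;Text;Link;` at the top of the hunk still ends with the separator this commit removes, and it names three fields while every entry carries four (control, type such as `blog`, text, link), so the header no longer describes the data below it. Suggest `# Control;Type;Text;Link`. The code that reads this file is outside the hunk; if it splits on `;` and relies on a trailing empty field, it needs the matching change.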
From: Michael Boelen
Date: Wed, 29 Jan 2025 14:22:59 +0100
Subject: [PATCH 277/282] Update tests_boot_services

As it is not a directory, we need to test if it is a file with executable bit set.

---
 include/tests_boot_services | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/tests_boot_services b/include/tests_boot_services
index ed54b319..8b5b4b4c 100644
--- a/include/tests_boot_services
+++ b/include/tests_boot_services
@@ -147,7 +147,7 @@
 fi
 ;;
 "Solaris")
-if [ -d "${ROOTDIR}usr/bin/svcs" ]; then
+if [ -x "${ROOTDIR}usr/bin/svcs" ]; then
 SERVICE_MANAGER="SMF (svcs)"
 elif [ -d "${ROOTDIR}etc/init.d" ]; then
 SERVICE_MANAGER="SysV Init"
From a33e0435be4797dfd58b04c37cb339aa901d35ee Mon Sep 17 00:00:00 2001
From: Michael Boelen
Date: Wed, 29 Jan 2025 14:25:55 +0100
Subject: [PATCH 278/282] Update CHANGELOG.md

---
 CHANGELOG.md | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index db66855e..97a2b197 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,12 @@
 # Lynis Changelog
 
+## Lynis 3.1.5 (not released yet)
+
+### Changed
+- Corrected detection of service manager SMF
+
+---------------------------------------------------------------------------------
+
 ## Lynis 3.1.4 (2025-01-28)
 
 ### Changed
From 4f7a333a355bba4c491f28592e33f9337a6f5f9d Mon Sep 17 00:00:00 2001
From: Michael Boelen
Date: Wed, 29 Jan 2025 14:26:45 +0100
Subject: [PATCH 279/282] Update lynis

Switching to development version

---
 lynis | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lynis b/lynis
index dce987bb..e2de13e1 100755
--- a/lynis
+++ b/lynis
@@ -45,8 +45,8 @@
 # Version details
 PROGRAM_RELEASE_DATE="2025-01-28"
 PROGRAM_RELEASE_TIMESTAMP=1738061140
-PROGRAM_RELEASE_TYPE="release" # pre-release or release
-PROGRAM_VERSION="3.1.4"
+PROGRAM_RELEASE_TYPE="pre-release" # pre-release or release
+PROGRAM_VERSION="3.1.5"
 
 # Source, documentation and license
 PROGRAM_SOURCE="https://github.com/CISOfy/lynis"
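Review bot: `-x` is also true for a directory whose search bit is set, so the new Solaris test still does not express the "regular file with executable bit set" condition the commit message describes. `if [ -f "${ROOTDIR}usr/bin/svcs" ] && [ -x "${ROOTDIR}usr/bin/svcs" ]; then` pins both properties; the `-d` test on the `init.d` line below it is correct as written. The enclosing `case` statement starts and ends outside the hunk.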
From 580c7a3e2ccd10250934a749a58ab1e3c6ec7e24 Mon Sep 17 00:00:00 2001 From: macie Date: Sun, 9 Feb 2025 08:19:13 +0100 Subject: [PATCH 280/282] fix: HostID generation on OpenWrt To reduce the size of the system, OpenWrt contains only one hashing command - `sha256sum`. SHA-256 hash truncation to SHA1 length is allowed by NIST, see: . --- include/functions | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/include/functions b/include/functions index 403ac626..1bba43e1 100644 --- a/include/functions +++ b/include/functions @@ -940,7 +940,7 @@ done fi - if [ ! "${SHA1SUMBINARY}" = "" -o ! "${OPENSSLBINARY}" = "" -o ! "${CSUMBINARY}" = "" ]; then + if [ ! "${SHA1SUMBINARY}" = "" -o ! "${SHA256SUMBINARY}" = "" -o ! "${OPENSSLBINARY}" = "" -o ! "${CSUMBINARY}" = "" ]; then LogText "Info: found hashing tool, start generation of HostID" case "${OS}" in @@ -1068,7 +1068,12 @@ # Check if we found a MAC address to generate the HostID if HasData "${FIND}"; then LogText "Info: using hardware address '${FIND}' to create HostID" + if [ -n "${SHA1SUMBINARY}" ]; then HOSTID=$(echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }') + elif [ -n "${SHA256SUMBINARY}" ]; then + # Truncate hash to match SHA1 length + HOSTID=$(echo ${FIND} | ${SHA256SUMBINARY} | awk '{ print $1 }' | head -c 40) + fi LogText "Result: Found HostID: ${HOSTID}" else ReportException "GetHostID" "HostID could not be generated" @@ -1155,7 +1160,7 @@ fi else - ReportException "GetHostID" "Can't create HOSTID as there is no SHA1 hash tool available (sha1, sha1sum, openssl)" + ReportException "GetHostID" "Can't create HOSTID as there is no hash tool available (sha1, sha1sum, openssl, truncated sha256sum)" fi # Search machine ID From 89383ee19635ecd9d151aaf43e6e17051068c4de Mon Sep 17 00:00:00 2001 
From: macie
Date: Sun, 9 Feb 2025 08:37:45 +0100
Subject: [PATCH 281/282] fix: HostID2 generation on OpenWrt

OpenWrt uses `dropbear` as a lightweight SSH server. I assume, that all devices with OpenWrt have MAC address (they are routers), so to minimize impact on other OSes, I didn't touch SSH-based HostID generation.

---
 include/functions | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/include/functions b/include/functions
index 1bba43e1..c0296dca 100644
--- a/include/functions
+++ b/include/functions
@@ -1069,7 +1069,7 @@
 if HasData "${FIND}"; then
 LogText "Info: using hardware address '${FIND}' to create HostID"
 if [ -n "${SHA1SUMBINARY}" ]; then
-HOSTID=$(echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }')
+HOSTID=$(echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }')
 elif [ -n "${SHA256SUMBINARY}" ]; then
 # Truncate hash to match SHA1 length
 HOSTID=$(echo ${FIND} | ${SHA256SUMBINARY} | awk '{ print $1 }' | head -c 40)
@@ -1203,10 +1203,9 @@
 LogText "Info: start generation of HostID (version 2)"
 FOUND=0
 DATA_SSH=""
-# Use public keys
-SSH_KEY_FILES="ssh_host_ed25519_key.pub ssh_host_ecdsa_key.pub ssh_host_dsa_key.pub ssh_host_rsa_key.pub"
 if [ -d /etc/ssh ]; then
-for I in ${SSH_KEY_FILES}; do
+SSH_PUBKEY_FILES="ssh_host_ed25519_key.pub ssh_host_ecdsa_key.pub ssh_host_dsa_key.pub ssh_host_rsa_key.pub"
+for I in ${SSH_PUBKEY_FILES}; do
 if [ ${FOUND} -eq 0 ]; then
 if [ -f /etc/ssh/${I} ]; then
 LogText "Result: found file ${I} in /etc/ssh, using that as candidate to create hostid2"
@@ -1215,8 +1214,20 @@
 fi
 fi
 done
+elif [ -d /etc/dropbear ]; then
+SSH_KEY_FILES="dropbear_ed25519_host_key dropbear_rsa_host_key"
+for I in ${SSH_KEY_FILES}; do
+if [ ${FOUND} -eq 0 ]; then
+if [ -f "/etc/dropbear/${I}" ]; then
+LogText "Result: found file ${I} in /etc/dropbear, using that as candidate to create hostid2"
+# Dropbear stores both keys in one binary file
+DATA_SSH=$(dropbearkey -y -f "/etc/dropbear/${I}" | grep '^ssh')
+FOUND=1
+fi
+fi
+done
 else
-LogText "Result: no /etc/ssh directory found, skipping"
+LogText "Result: no /etc/ssh nor /etc/dropbear directory found, skipping"
 fi
 
 STRING_TO_HASH=""
From 722a1d7e8b4b72b0948fdaa30ae43692aa4b71ad Mon Sep 17 00:00:00 2001
From: Michael Boelen
Date: Mon, 10 Feb 2025 15:05:06 +0100
Subject: [PATCH 282/282] Update CHANGELOG.md

---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 97a2b197..d9314f7b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,8 +2,12 @@
 
 ## Lynis 3.1.5 (not released yet)
 
+### Added
+- Support for OpenWrt
+
 ### Changed
 - Corrected detection of service manager SMF
+- Extended GetHostID function to allow HostID and HostID2 creation on OpenWrt
 
 ---------------------------------------------------------------------------------
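Review bot: `dropbearkey` and `grep` are invoked by bare name in the new dropbear branch, while the sibling code goes through discovered tool variables such as `${SHA1SUMBINARY}` (hunk at line 1069) and `${GREPBINARY}`; if `dropbearkey` is missing or not on PATH the substitution yields an empty `DATA_SSH`, yet `FOUND=1` is still set, so an unusable candidate is accepted silently. Setting the flag only when data came back, `DATA_SSH=$(dropbearkey -y -f "/etc/dropbear/${I}" | ${GREPBINARY} '^ssh')` followed by `if HasData "${DATA_SSH}"; then FOUND=1; fi`, lets the loop try the next key file instead. The comment above that line should also say what is being read: `# private host key file; -y prints only the public key portion, which is all that is hashed`, since the `/etc/ssh` branch hashes `.pub` files and a reader needs to know the inputs stay comparable. The `if [ -d /etc/ssh ]` block this extends starts outside the hunk.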