Merge branch 'master' into master

.editorconfig

@@ -0,0 +1,7 @@
+# See: https://editorconfig.org/
+
+root = true
+
+[*]
+indent_style = space
+indent_size = 4

.gitignore

@@ -1,4 +1,5 @@
 .bzr
 .bzrignore
+.DS_Store
 custom.prf
 *.swp

CHANGELOG.md

@@ -1,5 +1,160 @@
 # Lynis Changelog
 
+## Lynis 3.1.5 (not released yet)
+
+### Added
+- Support for OpenWrt
+
+### Changed
+- Corrected detection of service manager SMF
+- Extended GetHostID function to allow HostID and HostID2 creation on OpenWrt
+
+---------------------------------------------------------------------------------
+
+## Lynis 3.1.4 (2025-01-28)
+
+### Changed
+- Update of translations: Portuguese
+- Add macOS Sequoia
+- Update of EOL database
+- Bugfix for using slashes in parameters (SafeInput function)
+- Simplified copyright line and meta data in files
+- Support for powerpc64le in authentication section
+- Don't show error "kadmin.local: unable to get default realm"
+
+---------------------------------------------------------------------------------
+
+## Lynis 3.1.3 (2024-12-16)
+
+This release introduces additional documentation in the form of blog articles
+to support the (missing) control information on the website. 
+
+### Added
+- Detection of Buildroot, Fedora Linux Asahi Remix, Garden Linux, Peppermint OS
+- Support for blog posts and articles to enhance suggestions
+
+### Changed
+- BOOT-5264 - Changed output of systemd-analyze test and added link
+- FILE-6398 - Test temporarily disabled as on modern kernels JDB support is built-in
+- FIRE-4508 - Several changes to expand the test, make it more generic, resolve minor issues
+- KRNL-5622 - Test if systemctl binary is set
+- Several improvements for busybox
+- Update of translations: Italian, Russian, Spanish
+
+---------------------------------------------------------------------------------
+
+## Lynis 3.1.2 (2024-09-26)
+
+### Added
+- Detection of ALT Linux
+- Detection of Athena OS
+- Detection of Container-Optimized OS from Google
+- Detection of Koozali SME Server
+- Detection of Nobara Linux
+- Detection of Open Source Media Center (OSMC)
+- Detection of PostmarketOS
+- CRYP-7932 - macOS FileVault encryption test
+- FILE-6398 - Check if JBD (Journal Block Device) driver is loaded
+- FINT-4344 - Wazuh system running state
+- PKGS-7305 - Query macOS Apps in /Applications and CoreServices
+- File added: .editorconfig, which is used by editors to standardize formatting
+
+### Changed
+- Correction of software EOL database and inclusion of AIX entries
+- Support sysctl value perf_event_paranoid -> 2|3
+- Update of translations: German, Portuguese, Turkish
+- Grammar and spell improvements
+- Improved package detection on Alpine Linux
+- Slackware support to check installed packges (functionPackageIsInstalled())
+- Added words prosecute/report to LEGAL_BANNER_STRINGS
+- Busybox support: Replace newer tr command syntax with older ascii specific operations
+- Added Wazuh as a malware scanner/antivirus and rootkit detection tool
+- Updated PHP versions and removed PHP 5 (deprecated)
+- AUTH-9262 - Corrected message with advised PAM libary (libpam-passwdqc)
+- CONT-8104 - Checking for errors, not only warning in docker info output
+- DBS-1826 - PostgreSQL detection improved for AlmaLinux, Rocky Linux, and FreeBSD
+- FILE-6344 - Test kernel version (major/minor)
+- INSE-8000 - Added inetd package and service name used in ubuntu 24.04
+- KRNL-5622 - Use systemctl get-default instead of following link
+- KRNL-5820 - Accept ulimit with -H parameter also
+- LOGG-2144 - Check for wazuh-agent presence on Linux systems
+- MACF-6234 - Test if semanage binary is available
+- MALW-3200 - ESET Endpoint Antivirus added
+- MALW-3280 - McAfee Antivirus for Linux deprecated
+- MALW-3291 - Check if Microsoft Defender Antivirus is installe
+- NETW-3200 - Added regex to allow both /bin/true as /bin/false
+- PKGS-7303 - Added version numbers to brew packages
+- PKGS-7370 - Cron job check for debsums improved
+- PKGS-7392 - Improved filtering of apt-check output (Ubuntu 24.04 may give an error)
+- PKGS-7410 - Added kernel name for Hardkernel odroid XU4
+
+---------------------------------------------------------------------------------
+
+## Lynis 3.1.1 (2024-03-17)
+
+### Added
+- Detection of ArcoLinux
+
+### Changed
+- DBS-1882 - Redis configuration file path added for FreeBSD (/usr/local/etc/redis.conf)
+- DBS-1882 - Check /snap directory location for Redis configuration file
+
+---------------------------------------------------------------------------------
+
+## Lynis 3.1.0 (2024-03-11)
+
+### Added
+- Translation: Indonesian
+
+### Changed
+- MALW-3280 - Correction to detect com.avast.daemon
+- OS detection added for Guix System, macOS Ventura (13.x)/Sonoma (14.x), NXP LSDK, OpenEmbedded "nodistro", and The Yocto Projects distro "Poky"
+- Updated Amazon Linux EOL dates and addition of Amazon Linux 2023
+- STATUS_NOT_ACTIVE variable added to translation files
+- End-of-life dates updated
+- Fixing missing or erroneous test number comments
+- Detection of SentinelOne corrected
+- Wazuh for file integrity and tooling
+- Updated parsing output of arch-audit
+- Added support for SentinelOne detection
+- Replacing deprecated option -i for xargs
+- Path detection for PostgreSQL improved
+
+---------------------------------------------------------------------------------
+
+## Lynis 3.0.9 (2023-08-03)
+
+### Changed
+- DBS-1820 - Added newer style format for Mongo authorization setting
+- FILE-6410 - Locations added for plocate
+- SSH-7408 - Only test Compression if sshd version < 7.4
+- Improved fetching timestamp
+- Minor changes such as typos
+
+---------------------------------------------------------------------------------
+
+## Lynis 3.0.8 (2022-05-17)
+
+### Added
+- MALW-3274 - Detect McAfee VirusScan Command Line Scanner
+- PKGS-7346 Check Alpine Package Keeper (apk)
+- PKGS-7395 Check Alpine upgradeable packages
+- EOL for Alpine Linux 3.14 and 3.15
+
+### Changed
+- AUTH-9408 - Check for pam_faillock as well (replacement for pam_tally2)
+- FILE-7524 - Test enhanced to support symlinks
+- HTTP-6643 - Support ModSecurity version 2 and 3
+- KRNL-5788 - Only run relevant tests and improved logging
+- KRNL-5820 - Additional path for security/limits.conf
+- KRNL-5830 - Check for /var/run/needs_restarting (Slackware)
+- KRNL-5830 - Add a presence check for /boot/vmlinuz
+- PRNT-2308 - Bugfix that prevented test from storing values correctly
+- Extended location of PAM files for AARCH64
+- Some messages in log improved
+
+---------------------------------------------------------------------------------
+
 ## Lynis 3.0.7 (2022-01-18)
 
 ### Added

CONTRIBUTORS.md

@@ -36,7 +36,7 @@ These people made a significant impact to the development of Lynis:
 * Alexander Lobodzinski, Germany
 * Bodine Wilson
 * Brian Ginsbach
-* C.J. Adams-Collier, US
+* C.J. Collier, US
 * Charlie Heselton, US
 * Dave Vehrs
 * David Marzal Cánovas, Spain

FAQ

@@ -97,6 +97,4 @@
   A: Whitelist the interface in the profile file (if_promisc).
 
 
-
 ================================================================================
- Lynis - Copyright 2007-2021, Michael Boelen, CISOfy - https://cisofy.com

INSTALL

@@ -46,6 +46,4 @@
   often asked questions.
 
 
-
 ================================================================================
- Lynis - Copyright 2007-2021, Michael Boelen, CISOfy - https://cisofy.com

README

@@ -142,4 +142,3 @@
 
 
 ================================================================================
- Lynis - Copyright 2007-2016, Michael Boelen and CISOfy - https://cisofy.com

README.md

@@ -48,7 +48,7 @@ There are multiple options available to install Lynis.
 
 ### Software Package
 
-For sytems running Linux, BSD, and macOS, there is typically a package available. This is the preferred method of obtaining Lynis, as it is quick to install and easy to update. The Lynis project itself also provides [packages](https://packages.cisofy.com/) in RPM or DEB format suitable for systems systems running:
+For systems running Linux, BSD, and macOS, there is typically a package available. This is the preferred method of obtaining Lynis, as it is quick to install and easy to update. The Lynis project itself also provides [packages](https://packages.cisofy.com/) in RPM or DEB format suitable for systems systems running:
 `CentOS`, `Debian`, `Fedora`, `OEL`, `openSUSE`, `RHEL`, `Ubuntu`, and others.
 
 Some distributions may also have Lynis in their software repository: [![Repology](https://repology.org/badge/tiny-repos/lynis.svg)](https://repology.org/project/lynis/versions)
@@ -100,7 +100,7 @@ Lynis is collecting some awards along the way and we are proud of that.
 
 * 2015
   * [![ToolsWatch Best Tools (second place)](https://www.toolswatch.org/badges/toptools/2015.svg)](https://www.toolswatch.org/2016/02/2015-top-security-tools-as-voted-by-toolswatch-org-readers/)
-  * [Best of Open Source Software Awards 2015](http://www.idgenterprise.com/news/press-release/infoworld-announces-the-2015-best-of-open-source-software-awards/).
+  * [Best of Open Source Software Awards 2015](http://www.idgenterprise.com/news/press-release/infoworld-announces-the-2015-best-of-open-source-software-awards/) ([mirror](https://web.archive.org/web/20210313082124/https://www.idg.com/news/infoworld-announces-the-2015-best-of-open-source-software-awards/)).
 
 * 2014
   * [![ToolsWatch Best Tools (third place)](https://www.toolswatch.org/badges/toptools/2014.svg)](https://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/)

db/control-links.db

@@ -0,0 +1,46 @@
+# Links for controls pointing to informational pages. Note: only links managed by the project are allowed (cisofy.com / linux-audit.com)
+# Format:
+# Control;Text;Link;
+ACCT-9628;blog;Linux audit framework 101: basic rules for configuration;https://linux-audit.com/linux-audit-framework/linux-audit-framework-101-basic-rules-for-configuration/
+ACCT-9628;blog;Monitoring Linux file access, changes and data modifications;https://linux-audit.com/monitoring-linux-file-access-changes-and-modifications/
+AUTH-9228;blog;File integrity of password files;https://linux-audit.com/authentication/file-integrity-of-password-files/
+AUTH-9229;blog;Linux password security: hashing rounds;https://linux-audit.com/authentication/configure-the-minimum-password-length-on-linux-systems/
+AUTH-9230;blog;Linux password security: hashing rounds;https://linux-audit.com/authentication/configure-the-minimum-password-length-on-linux-systems/
+AUTH-9262;blog;Configure minimum password length for Linux systems;https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
+AUTH-9286;blog;Configure minimum password length for Linux systems;https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
+AUTH-9328;blog;Set default file permissions on Linux with umask;https://linux-audit.com/filesystems/file-permissions/set-default-file-permissions-with-umask/
+BANN-7126;blog;The real purpose of login banners;https://linux-audit.com/the-real-purpose-of-login-banners-on-linux/
+BANN-7130;blog;The real purpose of login banners;https://linux-audit.com/the-real-purpose-of-login-banners-on-linux/
+BOOT-5264;blog;Systemd features to secure service files;https://linux-audit.com/systemd/systemd-features-to-secure-units-and-services/
+FINT-4350;blog;Monitoring Linux file access, changes and data modifications;https://linux-audit.com/monitoring-linux-file-access-changes-and-modifications/
+FINT-4350;blog;Monitor for file changes on Linux;https://linux-audit.com/monitor-for-file-system-changes-on-linux/
+HRDN-7220;blog;Why remove compilers from your system?;https://linux-audit.com/software/why-remove-compilers-from-your-system/
+HRDN-7222;blog;Why remove compilers from your system?;https://linux-audit.com/software/why-remove-compilers-from-your-system/
+HRDN-7230;blog;Antivirus for Linux: is it really needed?;https://linux-audit.com/malware/antivirus-for-linux-really-needed/
+HRDN-7230;blog;Monitoring Linux Systems for Rootkits;https://linux-audit.com/monitoring-linux-systems-for-rootkits/
+HTTP-6704;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/
+HTTP-6706;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/
+HTTP-6708;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/
+HTTP-6710;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/
+HTTP-6712;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/
+HTTP-6714;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/
+HTTP-6716;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/
+HTTP-6720;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/
+INSE-8116;blog;Find and Disable Insecure Services on Linux;https://linux-audit.com/find-disable-insecure-services-linux/
+KRNL-5820;blog;Understand and configure core dumps on Linux;https://linux-audit.com/software/understand-and-configure-core-dumps-work-on-linux/
+KRNL-6000;blog;Linux hardening with sysctl settings;https://linux-audit.com/linux-hardening-with-sysctl/
+KRNL-6000;blog;Overview of sysctl options and values;https://linux-audit.com/kernel/sysctl/
+MACF-6208;blog;AppArmor;https://linux-audit.com/security-frameworks/apparmor/
+MAIL-8816;blog;Postfix Hardening Guide for Security and Privacy;https://linux-audit.com/postfix-hardening-guide-for-security-and-privacy/
+MAIL-8817;blog;Postfix Hardening Guide for Security and Privacy;https://linux-audit.com/postfix-hardening-guide-for-security-and-privacy/
+MAIL-8818;blog;Postfix Hardening Guide for Security and Privacy;https://linux-audit.com/postfix-hardening-guide-for-security-and-privacy/
+MAIL-8820;blog;Postfix Hardening Guide for Security and Privacy;https://linux-audit.com/postfix-hardening-guide-for-security-and-privacy/
+NAME-4402;blog;Keeping your /etc/hosts file healthy;https://linux-audit.com/is-your-etc-hosts-file-healthy/
+NAME-4404;blog;Keeping your /etc/hosts file healthy;https://linux-audit.com/is-your-etc-hosts-file-healthy/
+NETW-2600;blog;Linux Security Guide for Hardening IPv6;https://linux-audit.com/networking/linux-security-guide-for-hardening-ipv6/
+SSH-7402;blog;OpenSSH security and hardening;https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+SSH-7404;blog;OpenSSH security and hardening;https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+SSH-7406;blog;OpenSSH security and hardening;https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+SSH-7408;blog;OpenSSH security and hardening;https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+SSH-7440;blog;OpenSSH security and hardening;https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
+# EOF

db/languages/az

@@ -82,6 +82,7 @@ STATUS_FOUND="Tapıldı"
 #STATUS_MEDIUM="MEDIUM"
 #STATUS_NON_DEFAULT="NON DEFAULT"
 STATUS_NONE="Yox"
+STATUS_NOT_ACTIVE="NOT ACTIVE"
 #STATUS_NOT_CONFIGURED="NOT CONFIGURED"
 #STATUS_NOT_DISABLED="NOT DISABLED"
 #STATUS_NOT_ENABLED="NOT ENABLED"
@@ -105,3 +106,4 @@ STATUS_WARNING="Xəbərdarlıq"
 STATUS_YES="Bəli"
 TEXT_UPDATE_AVAILABLE="yeniləmə mövcud"
 TEXT_YOU_CAN_HELP_LOGFILE="qeydləri gönderib kömek eyleyin"
+#SECTION_KERBEROS="Kerberos"

db/languages/cn

@@ -83,6 +83,7 @@ STATUS_FOUND="找到"
 #STATUS_MEDIUM="MEDIUM"
 #STATUS_NON_DEFAULT="NON DEFAULT"
 STATUS_NONE="没有"
+STATUS_NOT_ACTIVE="NOT ACTIVE"
 #STATUS_NOT_CONFIGURED="NOT CONFIGURED"
 #STATUS_NOT_DISABLED="NOT DISABLED"
 #STATUS_NOT_ENABLED="NOT ENABLED"
@@ -106,3 +107,4 @@ STATUS_WARNING="警告"
 STATUS_YES="是"
 TEXT_UPDATE_AVAILABLE="有可以更新的版本"
 TEXT_YOU_CAN_HELP_LOGFILE="你可以通过记录日志来帮忙"
+#SECTION_KERBEROS="Kerberos"

db/languages/da

@@ -83,6 +83,7 @@ STATUS_FOUND="FUNDET"
 #STATUS_NON_DEFAULT="NON DEFAULT"
 STATUS_NONE="INGEN"
 STATUS_NO="NEJ"
+STATUS_NOT_ACTIVE="NOT ACTIVE"
 #STATUS_NOT_CONFIGURED="NOT CONFIGURED"
 #STATUS_NOT_DISABLED="NOT DISABLED"
 STATUS_NOT_ENABLED="IKKE AKTIVERET"
@@ -105,3 +106,4 @@ STATUS_WEAK="SVAG"
 STATUS_YES="JA"
 TEXT_UPDATE_AVAILABLE="opdatering tilgængelig"
 TEXT_YOU_CAN_HELP_LOGFILE="Du kan hjælpe ved at bidrage med din logfil"
+#SECTION_KERBEROS="Kerberos"

db/languages/de

@@ -84,6 +84,7 @@ STATUS_NO="NEIN"
 STATUS_NO_UPDATE="KEINE AKTUALISIERUNG"
 STATUS_NON_DEFAULT="NICHT STANDARD"
 STATUS_NONE="NICHTS"
+STATUS_NOT_ACTIVE="NOT ACTIVE"
 STATUS_NOT_CONFIGURED="NICHT KONFIGURIERT"
 STATUS_NOT_DISABLED="NICHT DEAKTIVIERT"
 STATUS_NOT_ENABLED="NICHT AKTIVIERT"
@@ -105,3 +106,4 @@ STATUS_WEAK="SCHWACH"
 STATUS_YES="JA"
 TEXT_UPDATE_AVAILABLE="Aktualisierung verfügbar"
 TEXT_YOU_CAN_HELP_LOGFILE="Sie können durch Übermittlung Ihrer Logdatei helfen"
+SECTION_KERBEROS="Kerberos"

db/languages/en

@@ -63,6 +63,7 @@ SECTION_USB_DEVICES="USB Devices"
 SECTION_USERS_GROUPS_AND_AUTHENTICATION="Users, Groups and Authentication"
 SECTION_VIRTUALIZATION="Virtualization"
 SECTION_WEBSERVER="Software: webserver"
+SECTION_KERBEROS="Kerberos"
 STATUS_ACTIVE="ACTIVE"
 STATUS_CHECK_NEEDED="CHECK NEEDED"
 STATUS_DEBUG="DEBUG"
@@ -84,6 +85,7 @@ STATUS_NO="NO"
 STATUS_NO_UPDATE="NO UPDATE"
 STATUS_NON_DEFAULT="NON DEFAULT"
 STATUS_NONE="NONE"
+STATUS_NOT_ACTIVE="NOT ACTIVE"
 STATUS_NOT_CONFIGURED="NOT CONFIGURED"
 STATUS_NOT_DISABLED="NOT DISABLED"
 STATUS_NOT_ENABLED="NOT ENABLED"

db/languages/es

@@ -74,7 +74,7 @@ STATUS_DONE="HECHO"
 STATUS_ENABLED="HABILITADO"
 STATUS_ERROR="ERROR"
 STATUS_EXPOSED="EXPUESTO"
-STATUS_FAILED="FALLADO"
+STATUS_FAILED="HA FALLADO"
 STATUS_FILES_FOUND="ARCHIVOS ENCONTRADOS"
 STATUS_FOUND="ENCONTRADO"
 STATUS_HARDENED="BASTIONADO"
@@ -85,6 +85,7 @@ STATUS_NO_UPDATE="SIN ACTUALIZACIÓN"
 STATUS_NO="NO"
 STATUS_NON_DEFAULT="NO POR DEFECTO"
 STATUS_NONE="NINGUNO"
+STATUS_NOT_ACTIVE="SIN ACTIVAR"
 STATUS_NOT_CONFIGURED="NO CONFIGURADO"
 STATUS_NOT_DISABLED="NO DESHABILITADO"
 STATUS_NOT_ENABLED="NO HABILITADO"
@@ -106,3 +107,4 @@ STATUS_WEAK="DÉBIL"
 STATUS_YES="SÍ"
 TEXT_UPDATE_AVAILABLE="Actualización disponible"
 TEXT_YOU_CAN_HELP_LOGFILE="Puedes ayudar compartiendo tu archivo de registro"
+#SECTION_KERBEROS="Kerberos"

db/languages/fi

@@ -83,6 +83,7 @@ STATUS_FOUND="LÖYTYNYT"
 STATUS_NO="EI"
 #STATUS_NON_DEFAULT="NON DEFAULT"
 STATUS_NONE="EI MITÄÄN"
+STATUS_NOT_ACTIVE="NOT ACTIVE"
 #STATUS_NOT_CONFIGURED="NOT CONFIGURED"
 #STATUS_NOT_DISABLED="NOT DISABLED"
 #STATUS_NOT_ENABLED="NOT ENABLED"
@@ -105,3 +106,4 @@ STATUS_WARNING="VAROITUS"
 STATUS_YES="KYLLÄ"
 TEXT_UPDATE_AVAILABLE="päivitys saatavilla"
 TEXT_YOU_CAN_HELP_LOGFILE="Voit auttaa toimittamalla lokitiedoston"
+#SECTION_KERBEROS="Kerberos"

db/languages/fr

@@ -84,6 +84,7 @@ STATUS_NO="NON"
 STATUS_NO_UPDATE="PAS DE MISE A JOUR"
 STATUS_NON_DEFAULT="PAS PAR DÉFAUT"
 STATUS_NONE="AUCUN"
+STATUS_NOT_ACTIVE="NOT ACTIVE"
 STATUS_NOT_CONFIGURED="NON CONFIGURÉ"
 STATUS_NOT_DISABLED="NON DESACTIVÉ"
 STATUS_NOT_ENABLED="NON ACTIVÉ"
@@ -105,3 +106,4 @@ STATUS_WEAK="FAIBLE"
 STATUS_YES="OUI"
 TEXT_UPDATE_AVAILABLE="Mise à jour disponible"
 TEXT_YOU_CAN_HELP_LOGFILE="Vous pouvez aider en envoyant votre fichier journal"
+SECTION_KERBEROS="Kerberos"

db/languages/gr

@@ -82,6 +82,7 @@ STATUS_FOUND="ΒΡΕΘΗΚΕ"
 #STATUS_MEDIUM="MEDIUM"
 #STATUS_NON_DEFAULT="NON DEFAULT"
 STATUS_NONE="ΚΑΝΕΝΑ"
+STATUS_NOT_ACTIVE="NOT ACTIVE"
 #STATUS_NOT_CONFIGURED="NOT CONFIGURED"
 #STATUS_NOT_DISABLED="NOT DISABLED"
 #STATUS_NOT_ENABLED="NOT ENABLED"
@@ -105,3 +106,4 @@ STATUS_WARNING="ΠΡΟΣΟΧΗ"
 STATUS_YES="ΝΑΙ"
 TEXT_UPDATE_AVAILABLE="διαθέσιμη ενημέρωση"
 TEXT_YOU_CAN_HELP_LOGFILE="Μπορείτε να βοηθήσετε παρέχοντας το αρχείο καταγραφής"
+#SECTION_KERBEROS="Kerberos"

db/languages/he

@@ -82,6 +82,7 @@ STATUS_FOUND="נמצא"
 #STATUS_MEDIUM="MEDIUM"
 #STATUS_NON_DEFAULT="NON DEFAULT"
 STATUS_NONE="אין כלל"
+STATUS_NOT_ACTIVE="NOT ACTIVE"
 #STATUS_NOT_CONFIGURED="NOT CONFIGURED"
 #STATUS_NOT_DISABLED="NOT DISABLED"
 #STATUS_NOT_ENABLED="NOT ENABLED"
@@ -105,3 +106,4 @@ STATUS_WARNING="אזהרה"
 STATUS_YES="כן"
 TEXT_UPDATE_AVAILABLE="עדכון זמין"
 TEXT_YOU_CAN_HELP_LOGFILE="ניתן לעזור על ידי שליחת קובץ הלוג"
+#SECTION_KERBEROS="Kerberos"

db/languages/hu

@@ -83,6 +83,7 @@ STATUS_FOUND="FOUND"
 #STATUS_NON_DEFAULT="NON DEFAULT"
 STATUS_NO="NEM"
 STATUS_NONE="NONE"
+STATUS_NOT_ACTIVE="NOT ACTIVE"
 #STATUS_NOT_CONFIGURED="NOT CONFIGURED"
 #STATUS_NOT_DISABLED="NOT DISABLED"
 #STATUS_NOT_ENABLED="NOT ENABLED"
@@ -105,3 +106,4 @@ STATUS_WARNING="FIGYELMEZTETÉS"
 STATUS_YES="IGEN"
 TEXT_UPDATE_AVAILABLE="frissítés elérhető"
 TEXT_YOU_CAN_HELP_LOGFILE="You can help by providing your log file"
+#SECTION_KERBEROS="Kerberos"

db/languages/id

@@ -0,0 +1,109 @@
+ERROR_NO_LICENSE="Tidak ada kunci lisensi yang dikonfigurasi"
+ERROR_NO_UPLOAD_SERVER="Tidak ada server unggahan yang dikonfigurasi"
+GEN_CHECKING="Memeriksa"
+GEN_CURRENT_VERSION="Versi sekarang"
+GEN_DEBUG_MODE="Debug mode"
+GEN_INITIALIZE_PROGRAM="Inisialisasi program"
+GEN_LATEST_VERSION="Versi terbaru"
+GEN_PHASE="fase"
+GEN_PLUGINS_ENABLED="Plugin diaktifkan"
+GEN_UPDATE_AVAILABLE="update tersedia"
+GEN_VERBOSE_MODE="Verbose mode"
+GEN_WHAT_TO_DO="Apa yang harus dilakukan"
+NOTE_EXCEPTIONS_FOUND="Pengecualian ditemukan"
+NOTE_EXCEPTIONS_FOUND_DETAILED="Beberapa peristiwa atau informasi luar biasa ditemukan"
+NOTE_PLUGINS_TAKE_TIME="Note: plugin memiliki pengujian yang lebih ekstensif dan mungkin memerlukan waktu beberapa menit untuk menyelesaikannya"
+NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Tes yang dilewati karena mode non-istimewa"
+#SECTION_ACCOUNTING="Accounting"
+#SECTION_BANNERS_AND_IDENTIFICATION="Banners and identification"
+#SECTION_BASICS="Basics"
+#SECTION_BOOT_AND_SERVICES="Boot and services"
+#SECTION_CONTAINERS="Containers"
+#SECTION_CRYPTOGRAPHY="Cryptography"
+SECTION_CUSTOM_TESTS="Tes kustom"
+#SECTION_DATABASES="Databases"
+#SECTION_DATA_UPLOAD="Data upload"
+#SECTION_DOWNLOADS="Downloads"
+#SECTION_EMAIL_AND_MESSAGING="Software: e-mail and messaging"
+#SECTION_FILE_INTEGRITY="Software: file integrity"
+#SECTION_FILE_PERMISSIONS="File Permissions"
+#SECTION_FILE_SYSTEMS="File systems"
+#SECTION_FIREWALLS="Software: firewalls"
+#SECTION_GENERAL="General"
+#SECTION_HARDENING="Hardening"
+#SECTION_HOME_DIRECTORIES="Home directories"
+#SECTION_IMAGE="Image"
+#SECTION_INITIALIZING_PROGRAM="Initializing program"
+#SECTION_INSECURE_SERVICES="Insecure services"
+#SECTION_KERNEL_HARDENING="Kernel Hardening"
+#SECTION_KERNEL="Kernel"
+#SECTION_LDAP_SERVICES="LDAP Services"
+#SECTION_LOGGING_AND_FILES="Logging and files"
+SECTION_MALWARE="Software: Malware"
+SECTION_MEMORY_AND_PROCESSES="Memory and Processes"
+SECTION_NAME_SERVICES="Name services"
+SECTION_NETWORKING="Networking"
+SECTION_PERMISSIONS="Permissions"
+SECTION_PORTS_AND_PACKAGES="Ports and packages"
+SECTION_PRINTERS_AND_SPOOLS="Printers and Spools"
+SECTION_PROGRAM_DETAILS="Program Details"
+SECTION_SCHEDULED_TASKS="Scheduled tasks"
+SECTION_SECURITY_FRAMEWORKS="Security frameworks"
+SECTION_SHELLS="Shells"
+SECTION_SNMP_SUPPORT="SNMP Support"
+SECTION_SOFTWARE="Software"
+SECTION_SQUID_SUPPORT="Squid Support"
+SECTION_SSH_SUPPORT="SSH Support"
+SECTION_STORAGE="Storage"
+SECTION_SYSTEM_INTEGRITY="Software: System integrity"
+SECTION_SYSTEM_TOOLING="Software: System tooling"
+SECTION_SYSTEM_TOOLS="System tools"
+SECTION_TIME_AND_SYNCHRONIZATION="Time and Synchronization"
+SECTION_USB_DEVICES="USB Devices"
+SECTION_USERS_GROUPS_AND_AUTHENTICATION="Users, Groups and Authentication"
+SECTION_VIRTUALIZATION="Virtualization"
+SECTION_WEBSERVER="Software: webserver"
+STATUS_ACTIVE="ACTIVE"
+STATUS_CHECK_NEEDED="CHECK NEEDED"
+STATUS_DEBUG="DEBUG"
+STATUS_DEFAULT="DEFAULT"
+STATUS_DIFFERENT="DIFFERENT"
+STATUS_DISABLED="DISABLED"
+STATUS_DONE="DONE"
+STATUS_ENABLED="ENABLED"
+STATUS_ERROR="ERROR"
+STATUS_EXPOSED="EXPOSED"
+STATUS_FAILED="FAILED"
+STATUS_FILES_FOUND="FILES FOUND"
+STATUS_FOUND="FOUND"
+STATUS_HARDENED="HARDENED"
+STATUS_INSTALLED="INSTALLED"
+STATUS_LOCAL_ONLY="LOCAL ONLY"
+STATUS_MEDIUM="MEDIUM"
+STATUS_NO="NO"
+STATUS_NO_UPDATE="NO UPDATE"
+STATUS_NON_DEFAULT="NON DEFAULT"
+STATUS_NONE="NONE"
+STATUS_NOT_CONFIGURED="NOT CONFIGURED"
+STATUS_NOT_DISABLED="NOT DISABLED"
+STATUS_NOT_ENABLED="NOT ENABLED"
+STATUS_NOT_FOUND="NOT FOUND"
+STATUS_NOT_RUNNING="NOT RUNNING"
+STATUS_OFF="OFF"
+STATUS_OK="OK"
+STATUS_ON="ON"
+STATUS_PARTIALLY_HARDENED="PARTIALLY HARDENED"
+STATUS_PROTECTED="PROTECTED"
+STATUS_RUNNING="RUNNING"
+STATUS_SKIPPED="SKIPPED"
+STATUS_SUGGESTION="SUGGESTION"
+STATUS_UNKNOWN="UNKNOWN"
+STATUS_UNSAFE="UNSAFE"
+STATUS_UPDATE_AVAILABLE="UPDATE TERSEDIA"
+STATUS_WARNING="WARNING"
+STATUS_WEAK="WEAK"
+STATUS_YES="YES"
+TEXT_UPDATE_AVAILABLE="update tersedia"
+TEXT_YOU_CAN_HELP_LOGFILE="Anda dapat membantu dengan memberikan file log Anda"
+#SECTION_KERBEROS="Kerberos"
+#STATUS_NOT_ACTIVE="NOT ACTIVE"

db/languages/it

@@ -14,94 +14,96 @@ NOTE_EXCEPTIONS_FOUND_DETAILED="Sono stati rilevati alcuni eventi o informazioni
 NOTE_EXCEPTIONS_FOUND="Trovate Eccezioni"
 NOTE_PLUGINS_TAKE_TIME="Nota: i plugin sono sottoposti a test più estesi e possono richiedere alcuni minuti per il completamento"
 NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Test saltati a causa della modalità di esecuzione non privilegiata"
-#SECTION_ACCOUNTING="Accounting"
+SECTION_ACCOUNTING="Accounting"
-#SECTION_BANNERS_AND_IDENTIFICATION="Banners and identification"
+SECTION_BANNERS_AND_IDENTIFICATION="Banners e identificazione"
-#SECTION_BASICS="Basics"
+SECTION_BASICS="Basi"
-#SECTION_BOOT_AND_SERVICES="Boot and services"
+SECTION_BOOT_AND_SERVICES="Avvio e servizi"
-#SECTION_CONTAINERS="Containers"
+SECTION_CONTAINERS="Container"
-#SECTION_CRYPTOGRAPHY="Cryptography"
+SECTION_CRYPTOGRAPHY="Crittografia"
 SECTION_CUSTOM_TESTS="Test su misura (Custom)"
-#SECTION_DATABASES="Databases"
+SECTION_DATABASES="Database"
-#SECTION_DATA_UPLOAD="Data upload"
+SECTION_DATA_UPLOAD="Caricamenti dati"
 SECTION_DOWNLOADS="Scaricamenti"
-#SECTION_EMAIL_AND_MESSAGING="Software: e-mail and messaging"
+SECTION_EMAIL_AND_MESSAGING="Software: e-mail e messaggistica"
-#SECTION_FILE_INTEGRITY="Software: file integrity"
+SECTION_FILE_INTEGRITY="Software: integrità file"
-#SECTION_FILE_PERMISSIONS="File Permissions"
+SECTION_FILE_PERMISSIONS="Permessi file"
-#SECTION_FILE_SYSTEMS="File systems"
+SECTION_FILE_SYSTEMS="File system"
-#SECTION_FIREWALLS="Software: firewalls"
+SECTION_FIREWALLS="Software: firewall"
 SECTION_GENERAL="Generale"
-#SECTION_HARDENING="Hardening"
+SECTION_HARDENING="Hardening"
-#SECTION_HOME_DIRECTORIES="Home directories"
+SECTION_HOME_DIRECTORIES="Cartelle home"
-#SECTION_IMAGE="Image"
+SECTION_IMAGE="Immagine"
 SECTION_INITIALIZING_PROGRAM="Inizializzando il programma"
 SECTION_INSECURE_SERVICES="Service insicuri"
-#SECTION_KERNEL_HARDENING="Kernel Hardening"
+SECTION_KERNEL_HARDENING="Hardening del kernel"
-#SECTION_KERNEL="Kernel"
+SECTION_KERNEL="Kernel"
-#SECTION_LDAP_SERVICES="LDAP Services"
+SECTION_LDAP_SERVICES="Servizi LDAP"
-#SECTION_LOGGING_AND_FILES="Logging and files"
+SECTION_LOGGING_AND_FILES="Logging e file"
 SECTION_MALWARE="Malware"
 SECTION_MEMORY_AND_PROCESSES="Memoria e Processi"
-#SECTION_NAME_SERVICES="Name services"
+SECTION_NAME_SERVICES="Name services"
-#SECTION_NETWORKING="Networking"
+SECTION_NETWORKING="Rete"
-#SECTION_PERMISSIONS="Permissions"
+SECTION_PERMISSIONS="Permessi"
-#SECTION_PORTS_AND_PACKAGES="Ports and packages"
+SECTION_PORTS_AND_PACKAGES="Ports e pacchetti"
-#SECTION_PRINTERS_AND_SPOOLS="Printers and Spools"
+SECTION_PRINTERS_AND_SPOOLS="Stampanti e code di stampa"
-#SECTION_PROGRAM_DETAILS="Program Details"
+SECTION_PROGRAM_DETAILS="Dettagli programma"
-#SECTION_SCHEDULED_TASKS="Scheduled tasks"
+SECTION_SCHEDULED_TASKS="Azioni programmate"
-#SECTION_SECURITY_FRAMEWORKS="Security frameworks"
+SECTION_SECURITY_FRAMEWORKS="Framework di sicurezza"
-#SECTION_SHELLS="Shells"
+SECTION_SHELLS="Shells"
-#SECTION_SNMP_SUPPORT="SNMP Support"
+SECTION_SNMP_SUPPORT="Supporto per SNMP"
-#SECTION_SOFTWARE="Software"
+SECTION_SOFTWARE="Software"
-#SECTION_SQUID_SUPPORT="Squid Support"
+SECTION_SQUID_SUPPORT="Supporto per Squid"
-#SECTION_SSH_SUPPORT="SSH Support"
+SECTION_SSH_SUPPORT="Supporto per SSH"
 SECTION_STORAGE="Spazio di archiviazione"
-#SECTION_SYSTEM_INTEGRITY="Software: System integrity"
+SECTION_SYSTEM_INTEGRITY="Software: integrità del sistema"
 #SECTION_SYSTEM_TOOLING="Software: System tooling"
-#SECTION_SYSTEM_TOOLS="System tools"
+SECTION_SYSTEM_TOOLS="Strumenti di sistema"
 SECTION_TIME_AND_SYNCHRONIZATION="Tempo and Sincronizzazione"
-#SECTION_USB_DEVICES="USB Devices"
+SECTION_USB_DEVICES="Periferiche USB"
-#SECTION_USERS_GROUPS_AND_AUTHENTICATION="Users, Groups and Authentication"
+SECTION_USERS_GROUPS_AND_AUTHENTICATION="Utenti, Gruppi e Authenticazione"
-#SECTION_VIRTUALIZATION="Virtualization"
+SECTION_VIRTUALIZATION="Virtualizzazione"
-#SECTION_WEBSERVER="Software: webserver"
+SECTION_WEBSERVER="Software: webserver"
-#STATUS_ACTIVE="ACTIVE"
+STATUS_ACTIVE="ATTIVO"
-#STATUS_CHECK_NEEDED="CHECK NEEDED"
+STATUS_CHECK_NEEDED="CONTROLLO RICHIESTO"
-#STATUS_DEBUG="DEBUG"
+STATUS_DEBUG="DEBUG"
-#STATUS_DEFAULT="DEFAULT"
+STATUS_DEFAULT="DEFAULT"
-#STATUS_DIFFERENT="DIFFERENT"
+STATUS_DIFFERENT="DIFFERENTE"
 STATUS_DISABLED="DISABILITATO"
 STATUS_DONE="FATTO"
 STATUS_ENABLED="ABILITATO"
 STATUS_ERROR="ERRORE"
-#STATUS_EXPOSED="EXPOSED"
+STATUS_EXPOSED="ESPOSTO"
 STATUS_FAILED="FALLITO"
-#STATUS_FILES_FOUND="FILES FOUND"
+STATUS_FILES_FOUND="FILE TROVATI"
 STATUS_FOUND="TROVATO"
-#STATUS_HARDENED="HARDENED"
+STATUS_HARDENED="HARDENED"
-#STATUS_INSTALLED="INSTALLED"
+STATUS_INSTALLED="INSTALLATO"
-#STATUS_LOCAL_ONLY="LOCAL ONLY"
+STATUS_LOCAL_ONLY="SOLO LOCALE"
-#STATUS_MEDIUM="MEDIUM"
+STATUS_MEDIUM="MEDIO"
-#STATUS_NON_DEFAULT="NON DEFAULT"
+STATUS_NON_DEFAULT="NON DEFAULT"
 STATUS_NONE="NESSUNO"
 STATUS_NO="NO"
+STATUS_NOT_ACTIVE="NON ATTIVO"
 STATUS_NOT_CONFIGURED="NON CONFIGURATO"
-#STATUS_NOT_DISABLED="NOT DISABLED"
+STATUS_NOT_DISABLED="NON DISABILITATO"
-#STATUS_NOT_ENABLED="NOT ENABLED"
+STATUS_NOT_ENABLED="NON ABILITATO"
 STATUS_NOT_FOUND="NON TROVATO"
 STATUS_NOT_RUNNING="NON IN ESECUZIONE"
-#STATUS_NO_UPDATE="NO UPDATE"
+STATUS_NO_UPDATE="NESSUN AGGIORNAMENTO"
 STATUS_OFF="OFF"
 STATUS_OK="OK"
 STATUS_ON="ON"
-#STATUS_PARTIALLY_HARDENED="PARTIALLY HARDENED"
+STATUS_PARTIALLY_HARDENED="PARZIALMENTE HARDENED"
-#STATUS_PROTECTED="PROTECTED"
+STATUS_PROTECTED="PROTETTO"
 STATUS_RUNNING="IN ESECUZIONE"
 STATUS_SKIPPED="SALTATO"
 STATUS_SUGGESTION="SUGGERIMENTO"
 STATUS_UNKNOWN="SCONOSCIUTO"
-#STATUS_UNSAFE="UNSAFE"
+STATUS_UNSAFE="NON SICURO"
-#STATUS_UPDATE_AVAILABLE="UPDATE AVAILABLE"
+STATUS_UPDATE_AVAILABLE="AGGIORNAMENTO DISPONIBILE"
 STATUS_WARNING="ATTENZIONE"
 STATUS_WEAK="DEBOLE"
 STATUS_YES="SI"
 TEXT_UPDATE_AVAILABLE="aggiornamento disponibile"
 TEXT_YOU_CAN_HELP_LOGFILE="Puoi aiutare fornendoci il tuo file di log"
+SECTION_KERBEROS="Kerberos"

db/languages/ja

@@ -83,6 +83,7 @@ STATUS_FOUND="見つかりました"
 STATUS_NO="いいえ"
 #STATUS_NON_DEFAULT="NON DEFAULT"
 STATUS_NONE="なし"
+STATUS_NOT_ACTIVE="NOT ACTIVE"
 #STATUS_NOT_CONFIGURED="NOT CONFIGURED"
 #STATUS_NOT_DISABLED="NOT DISABLED"
 #STATUS_NOT_ENABLED="NOT ENABLED"
@@ -105,3 +106,4 @@ STATUS_WARNING="警告"
 STATUS_YES="はい"
 TEXT_UPDATE_AVAILABLE="アップデートが利用可能"
 TEXT_YOU_CAN_HELP_LOGFILE="You can help by providing your log file"
+#SECTION_KERBEROS="Kerberos"

db/languages/ko

@@ -83,6 +83,7 @@ STATUS_FOUND="발견"
 STATUS_NO="아니오"
 #STATUS_NON_DEFAULT="NON DEFAULT"
 STATUS_NONE="없음"
+STATUS_NOT_ACTIVE="NOT ACTIVE"
 #STATUS_NOT_CONFIGURED="NOT CONFIGURED"
 #STATUS_NOT_DISABLED="NOT DISABLED"
 #STATUS_NOT_ENABLED="NOT ENABLED"
@@ -105,3 +106,4 @@ STATUS_WEAK="취약"
 STATUS_YES="예"
 TEXT_UPDATE_AVAILABLE="업데이트 가능"
 TEXT_YOU_CAN_HELP_LOGFILE="로그 파일을 제공하면 도움을 받을 수 있습니다"
+#SECTION_KERBEROS="Kerberos"

db/languages/nb-NO

@@ -83,6 +83,7 @@ STATUS_FOUND="FUNNET"
 #STATUS_NON_DEFAULT="NON DEFAULT"
 STATUS_NO="NEI"
 STATUS_NONE="INGEN"
+STATUS_NOT_ACTIVE="NOT ACTIVE"
 #STATUS_NOT_CONFIGURED="NOT CONFIGURED"
 #STATUS_NOT_DISABLED="NOT DISABLED"
 #STATUS_NOT_ENABLED="NOT ENABLED"
@@ -105,3 +106,4 @@ STATUS_WARNING="ADVARSEL"
 STATUS_YES="JA"
 TEXT_UPDATE_AVAILABLE="oppdatering tilgjengelig"
 TEXT_YOU_CAN_HELP_LOGFILE="Du kan bidra ved å laste opp din loggfil"
+#SECTION_KERBEROS="Kerberos"

db/languages/nl

@@ -83,6 +83,7 @@ STATUS_FOUND="GEVONDEN"
 #STATUS_NON_DEFAULT="NON DEFAULT"
 STATUS_NO="NEE"
 STATUS_NONE="GEEN"
+STATUS_NOT_ACTIVE="NOT ACTIVE"
 STATUS_NOT_CONFIGURED="NIET GECONFIGUREERD"
 #STATUS_NOT_DISABLED="NOT DISABLED"
 #STATUS_NOT_ENABLED="NOT ENABLED"
@@ -105,3 +106,4 @@ STATUS_WEAK="ZWAK"
 STATUS_YES="JA"
 TEXT_UPDATE_AVAILABLE="update beschikbaar"
 TEXT_YOU_CAN_HELP_LOGFILE="Help mee door je logbestand te delen"
+#SECTION_KERBEROS="Kerberos"

db/languages/pl

@@ -83,6 +83,7 @@
 #STATUS_NON_DEFAULT="NON DEFAULT"
 #STATUS_NONE="NONE"
 #STATUS_NO="NO"
+STATUS_NOT_ACTIVE="NOT ACTIVE"
 #STATUS_NOT_CONFIGURED="NOT CONFIGURED"
 #STATUS_NOT_DISABLED="NOT DISABLED"
 #STATUS_NOT_ENABLED="NOT ENABLED"
@@ -105,3 +106,4 @@
 #STATUS_YES="YES"
 #TEXT_UPDATE_AVAILABLE="update available"
 #TEXT_YOU_CAN_HELP_LOGFILE="You can help by providing your log file"
+#SECTION_KERBEROS="Kerberos"

db/languages/pt

@@ -1,3 +1,7 @@
+
+# Usado o Google Tradutor para traduzir:  https://translate.google.com.br/
+
+
 ERROR_NO_LICENSE="Nenhuma chave de licença configurada"
 ERROR_NO_UPLOAD_SERVER="Nenhum servidor de upload configurado"
 GEN_CHECKING="Verificando"
@@ -14,94 +18,96 @@ NOTE_EXCEPTIONS_FOUND_DETAILED="Alguns eventos ou informações excepcionais for
 NOTE_EXCEPTIONS_FOUND="Exceptions encontradas"
 NOTE_PLUGINS_TAKE_TIME="Nota: plugins requerem testes mais extensivos e podem levar vários minutos para completar"
 NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Testes ignorados devido ao modo sem privilégios"
-#SECTION_ACCOUNTING="Accounting"
+SECTION_ACCOUNTING="Contabilidade"
-#SECTION_BANNERS_AND_IDENTIFICATION="Banners and identification"
+SECTION_BANNERS_AND_IDENTIFICATION="Banners e identificação"
-#SECTION_BASICS="Basics"
+SECTION_BASICS="Base"
-#SECTION_BOOT_AND_SERVICES="Boot and services"
+SECTION_BOOT_AND_SERVICES="Inicialização e serviços"
-#SECTION_CONTAINERS="Containers"
+SECTION_CONTAINERS="Containers"
-#SECTION_CRYPTOGRAPHY="Cryptography"
+SECTION_CRYPTOGRAPHY="Criptografia"
 SECTION_CUSTOM_TESTS="Testes personalizados"
-#SECTION_DATABASES="Databases"
+SECTION_DATABASES="Bancos de dados"
-#SECTION_DATA_UPLOAD="Data upload"
+SECTION_DATA_UPLOAD="Carregamento de dados"
-#SECTION_DOWNLOADS="Downloads"
+SECTION_DOWNLOADS="Transferências"
-#SECTION_EMAIL_AND_MESSAGING="Software: e-mail and messaging"
+SECTION_EMAIL_AND_MESSAGING="Programas: e-mail e mensagens"
-#SECTION_FILE_INTEGRITY="Software: file integrity"
+SECTION_FILE_INTEGRITY="Programas: integridade do arquivo"
-#SECTION_FILE_PERMISSIONS="File Permissions"
+SECTION_FILE_PERMISSIONS="Permissões de arquivo"
-#SECTION_FILE_SYSTEMS="File systems"
+SECTION_FILE_SYSTEMS="Sistemas de arquivos"
-#SECTION_FIREWALLS="Software: firewalls"
+SECTION_FIREWALLS="Programas: firewalls"
-#SECTION_GENERAL="General"
+SECTION_GENERAL="Em geral"
 #SECTION_HARDENING="Hardening"
-#SECTION_HOME_DIRECTORIES="Home directories"
+SECTION_HOME_DIRECTORIES="Diretórios iniciais"
-#SECTION_IMAGE="Image"
+SECTION_IMAGE="Imagem"
-#SECTION_INITIALIZING_PROGRAM="Initializing program"
+SECTION_INITIALIZING_PROGRAM="Inicializando programa"
-#SECTION_INSECURE_SERVICES="Insecure services"
+SECTION_INSECURE_SERVICES="Serviços inseguros"
-#SECTION_KERNEL_HARDENING="Kernel Hardening"
+SECTION_KERNEL_HARDENING="Hardening do Kernel"
-#SECTION_KERNEL="Kernel"
+SECTION_KERNEL="Kernel"
-#SECTION_LDAP_SERVICES="LDAP Services"
+SECTION_LDAP_SERVICES="Serviços LDAP"
-#SECTION_LOGGING_AND_FILES="Logging and files"
+SECTION_LOGGING_AND_FILES="Registro e arquivos"
 SECTION_MALWARE="Malware"
 SECTION_MEMORY_AND_PROCESSES="Memória e Processos"
-#SECTION_NAME_SERVICES="Name services"
+SECTION_NAME_SERVICES="Serviços de nomes"
-#SECTION_NETWORKING="Networking"
+SECTION_NETWORKING="Rede"
-#SECTION_PERMISSIONS="Permissions"
+SECTION_PERMISSIONS="Permissões"
-#SECTION_PORTS_AND_PACKAGES="Ports and packages"
+SECTION_PORTS_AND_PACKAGES="Portas e pacotes"
-#SECTION_PRINTERS_AND_SPOOLS="Printers and Spools"
+SECTION_PRINTERS_AND_SPOOLS="Impressoras"
-#SECTION_PROGRAM_DETAILS="Program Details"
+SECTION_PROGRAM_DETAILS="Detalhes do programa"
-#SECTION_SCHEDULED_TASKS="Scheduled tasks"
+SECTION_SCHEDULED_TASKS="Atividades agendadas"
-#SECTION_SECURITY_FRAMEWORKS="Security frameworks"
+SECTION_SECURITY_FRAMEWORKS="Estruturas de segurança"
 #SECTION_SHELLS="Shells"
-#SECTION_SNMP_SUPPORT="SNMP Support"
+SECTION_SNMP_SUPPORT="Suporte SNMP"
-#SECTION_SOFTWARE="Software"
+SECTION_SOFTWARE="Programas"
-#SECTION_SQUID_SUPPORT="Squid Support"
+SECTION_SQUID_SUPPORT="Suporte Squid"
-#SECTION_SSH_SUPPORT="SSH Support"
+SECTION_SSH_SUPPORT="Suporte SSH"
-#SECTION_STORAGE="Storage"
+SECTION_STORAGE="Armazenamento"
-#SECTION_SYSTEM_INTEGRITY="Software: System integrity"
+SECTION_SYSTEM_INTEGRITY="Programas: Integridade do sistema"
-#SECTION_SYSTEM_TOOLING="Software: System tooling"
+SECTION_SYSTEM_TOOLING="Programas: Ferramentas de sistema"
-#SECTION_SYSTEM_TOOLS="System tools"
+SECTION_SYSTEM_TOOLS="Ferramentas do sistema"
-#SECTION_TIME_AND_SYNCHRONIZATION="Time and Synchronization"
+SECTION_TIME_AND_SYNCHRONIZATION="Tempo e sincronização"
-#SECTION_USB_DEVICES="USB Devices"
+SECTION_USB_DEVICES="Dispositivos USB"
-#SECTION_USERS_GROUPS_AND_AUTHENTICATION="Users, Groups and Authentication"
+SECTION_USERS_GROUPS_AND_AUTHENTICATION="Usuários, grupos e autenticação"
-#SECTION_VIRTUALIZATION="Virtualization"
+SECTION_VIRTUALIZATION="Virtualização"
-#SECTION_WEBSERVER="Software: webserver"
+SECTION_WEBSERVER="Programas: Servidor Web"
-#STATUS_ACTIVE="ACTIVE"
+STATUS_ACTIVE="ATIVO"
-#STATUS_CHECK_NEEDED="CHECK NEEDED"
+STATUS_CHECK_NEEDED="VERIFICAÇÃO NECESSÁRIA"
 #STATUS_DEBUG="DEBUG"
-#STATUS_DEFAULT="DEFAULT"
+STATUS_DEFAULT="PADRÃO"
-#STATUS_DIFFERENT="DIFFERENT"
+STATUS_DIFFERENT="DIFERENTE"
 STATUS_DISABLED="DESABILITADO"
 STATUS_DONE="FEITO"
 STATUS_ENABLED="HABILITADO"
 STATUS_ERROR="ERRO"
-#STATUS_EXPOSED="EXPOSED"
+STATUS_EXPOSED="EXPOSTO"
-#STATUS_FAILED="FAILED"
+STATUS_FAILED="FALHAR"
-#STATUS_FILES_FOUND="FILES FOUND"
+STATUS_FILES_FOUND="ARQUIVOS ENCONTRADOS"
 STATUS_FOUND="ENCONTRADO"
 #STATUS_HARDENED="HARDENED"
-#STATUS_INSTALLED="INSTALLED"
+STATUS_INSTALLED="INSTALADO"
-#STATUS_LOCAL_ONLY="LOCAL ONLY"
+STATUS_LOCAL_ONLY="SOMENTE LOCAL"
-#STATUS_MEDIUM="MEDIUM"
+STATUS_MEDIUM="MÉDIO"
 STATUS_NO="NÃO"
-#STATUS_NON_DEFAULT="NON DEFAULT"
+STATUS_NON_DEFAULT="FORA DO PADRÃO"
 STATUS_NONE="NENHUM"
-#STATUS_NOT_CONFIGURED="NOT CONFIGURED"
+STATUS_NOT_ACTIVE="NOT ACTIVE"
-#STATUS_NOT_DISABLED="NOT DISABLED"
+STATUS_NOT_CONFIGURED="NÃO CONFIGURADO"
-#STATUS_NOT_ENABLED="NOT ENABLED"
+STATUS_NOT_DISABLED="NÃO DESATIVADO"
+STATUS_NOT_ENABLED="NÃO HABILITADO"
 STATUS_NOT_FOUND="NÃO ENCONTRADO"
 STATUS_NOT_RUNNING="PARADO"
-#STATUS_NO_UPDATE="NO UPDATE"
+STATUS_NO_UPDATE="SEM ATUALIZAÇÃO"
-STATUS_OFF="OFF"
+STATUS_OFF="DESLIGADO"
 STATUS_OK="OK"
-STATUS_ON="ON"
+STATUS_ON="LIGADO"
-#STATUS_PARTIALLY_HARDENED="PARTIALLY HARDENED"
+STATUS_PARTIALLY_HARDENED="HARDENED PARCIAL"
-#STATUS_PROTECTED="PROTECTED"
+STATUS_PROTECTED="PROTEGIDO"
 STATUS_RUNNING="EM EXECUÇÃO"
 STATUS_SKIPPED="IGNORADO"
 STATUS_SUGGESTION="SUGESTÃO"
 STATUS_UNKNOWN="DESCONHECIDO"
-#STATUS_UNSAFE="UNSAFE"
+STATUS_UNSAFE="INSEGURO"
-#STATUS_UPDATE_AVAILABLE="UPDATE AVAILABLE"
+STATUS_UPDATE_AVAILABLE="ATUALIZAÇÃO DISPONÍVEL"
 STATUS_WARNING="ATENÇÃO"
-#STATUS_WEAK="WEAK"
+STATUS_WEAK="FRACO"
 STATUS_YES="SIM"
 TEXT_UPDATE_AVAILABLE="Atualização disponível"
 TEXT_YOU_CAN_HELP_LOGFILE="Você pode ajudar fornecendo seu arquivo de log"
+SECTION_KERBEROS="Kerberos"

db/languages/ru

@@ -1,75 +1,75 @@
-ERROR_NO_LICENSE="Лицензионный ключ не настроен"
+ERROR_NO_LICENSE="ОШИБКА: ЛИЦЕНЗИОННЫЙ КЛЮЧ НЕ НАСТРОЕН"
-ERROR_NO_UPLOAD_SERVER="Загрузочный сервер не настроен"
+ERROR_NO_UPLOAD_SERVER="ОШИБКА: ЗАГРУЗОЧНЫЙ СЕРВЕР НЕ НАСТРОЕН"
-GEN_CHECKING="Проверка"
+GEN_CHECKING="ПРОВЕРКА"
-GEN_CURRENT_VERSION="Текущая версия"
+GEN_CURRENT_VERSION="ТЕКУЩАЯ ВЕРСИЯ"
-GEN_DEBUG_MODE="Режим отладки"
+GEN_DEBUG_MODE="РЕЖИМ ОТЛАДКИ"
-GEN_INITIALIZE_PROGRAM="Инициализация программы"
+GEN_INITIALIZE_PROGRAM="ИНИЦИАЛИЗАЦИЯ ПРОГРАММЫ"
-GEN_LATEST_VERSION="Последняя версия"
+GEN_LATEST_VERSION="ПОСЛЕДНЯЯ ВЕРСИЯ"
-GEN_PHASE="Стадия"
+GEN_PHASE="СТАДИЯ"
-GEN_PLUGINS_ENABLED="Плагины включены"
+GEN_PLUGINS_ENABLED="ПЛАГИНЫ ВКЛЮЧЕНЫ"
-GEN_UPDATE_AVAILABLE="доступно обновление"
+GEN_UPDATE_AVAILABLE="ДОСТУПНО ОБНОВЛЕНИЕ"
-GEN_VERBOSE_MODE="Подробный режим"
+GEN_VERBOSE_MODE="ПОДРОБНЫЙ РЕЖИМ"
-GEN_WHAT_TO_DO="Что сделать"
+GEN_WHAT_TO_DO="ЧТО СДЕЛАТЬ?"
-NOTE_EXCEPTIONS_FOUND_DETAILED="Были найдены некоторые исключительные события или информация"
+NOTE_EXCEPTIONS_FOUND_DETAILED="БЫЛИ ОБНАРУЖЕНЫ УНИКАЛЬНЫЕ СОБЫТИЯ ИЛИ СВЕДЕНИЯ"
-NOTE_EXCEPTIONS_FOUND="Найдены исключения"
+NOTE_EXCEPTIONS_FOUND="НАЙДЕННЫ ИСКЛЮЧЕНИЯ"
-NOTE_PLUGINS_TAKE_TIME="Примечание: плагины имеют более обширные тесты и могут занять несколько минут до завершения"
+NOTE_PLUGINS_TAKE_TIME="ПРИМЕЧАНИЕ: ПЛАГИНЫ ИМЕЮТ БОЛЕЕ ОБШИРНЫЕ ТЕСТЫ И МОГУТ ЗАНЯТЬ НЕСКОЛЬКО МИНУТ ДО ЗАВЕРШЕНИЯ"
-NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Тесты пропущены из-за использования непривилегированного режима"
+NOTE_SKIPPED_TESTS_NON_PRIVILEGED="ТЕСТЫ ПРОПУЩЕНЫ ИЗ-ЗА ИСПОЛЬЗОВАНИЯ НЕПРЕВЕЛИГИРОВАННОГО РЕЖИМА"
-SECTION_ACCOUNTING="Учёт"
+SECTION_ACCOUNTING="УЧЁТ"
-SECTION_BANNERS_AND_IDENTIFICATION="Баннеры и идентификаторы"
+SECTION_BANNERS_AND_IDENTIFICATION="БАННЕРЫ И ИДЕНТИФИКАТОРЫ"
-SECTION_BASICS="Основное"
+SECTION_BASICS="ОСНОВНОЕ"
-SECTION_BOOT_AND_SERVICES="Загрузка и сервисы"
+SECTION_BOOT_AND_SERVICES="ЗАГРУЗКА И СЕРВИСЫ"
-SECTION_CONTAINERS="Контейнеры"
+SECTION_CONTAINERS="КОНТЕЙНЕРЫ"
-SECTION_CRYPTOGRAPHY="Криптография"
+SECTION_CRYPTOGRAPHY="КРИПТОГРАФИЯ"
-SECTION_CUSTOM_TESTS="Пользовательские тесты"
+SECTION_CUSTOM_TESTS="ПОЛЬЗОВАТЕЛЬСКИЕ ТЕСТЫ"
-SECTION_DATABASES="Базы данных"
+SECTION_DATABASES="БАЗЫ ДАННЫХ"
-SECTION_DATA_UPLOAD="Отправка данных"
+SECTION_DATA_UPLOAD="ОТПРАВКА ДАННЫХ"
-SECTION_DOWNLOADS="Загрузки"
+SECTION_DOWNLOADS="ЗАГРУЗКИ"
-SECTION_EMAIL_AND_MESSAGING="Программное обеспечение: e-mail и отправка сообщений"
+SECTION_EMAIL_AND_MESSAGING="ПРОГРАММНОЕ ОБЕСПЕЧЕНИЕ: E-MAIL И ОТПРАВКА СООБЩЕНИЙ"
 SECTION_FILE_INTEGRITY="Программное обеспечение: целостность файлов"
-SECTION_FILE_PERMISSIONS="Права доступа к файлам"
+SECTION_FILE_PERMISSIONS="ПРАВА ДОСТУПА К ФАЙЛАМ"
-SECTION_FILE_SYSTEMS="Файловые системы"
+SECTION_FILE_SYSTEMS="ФАЙЛОВЫЕ СИСТЕМЫ"
-SECTION_FIREWALLS="Программное обеспечение: firewall"
+SECTION_FIREWALLS="ПРОГРАММНОЕ ОБЕСПЕЧЕНИЕ: FIREWALL"
-SECTION_GENERAL="Общее"
+SECTION_GENERAL="ОБЩЕЕ"
-SECTION_HARDENING="Усиление"
+SECTION_HARDENING="УСИЛЕНИЕ"
-SECTION_HOME_DIRECTORIES="Домашние директории"
+SECTION_HOME_DIRECTORIES="ДОМАШНИЕ ДИРЕКТОРИИ"
-SECTION_IMAGE="Образы"
+SECTION_IMAGE="ОБРАЗЫ"
-SECTION_INITIALIZING_PROGRAM="Инициализация программы"
+SECTION_INITIALIZING_PROGRAM="ИНИЦИАЛИЗАЦИЯ ПРОГРАММЫ"
-SECTION_INSECURE_SERVICES="Небезопасные сервисы"
+SECTION_INSECURE_SERVICES="НЕБЕЗОПАСНЫЕ СЕРВИСЫ"
-SECTION_KERNEL_HARDENING="УСиления ядра"
+SECTION_KERNEL_HARDENING="УСИЛЕНИЕ ЯДРА"
-SECTION_KERNEL="Ядро"
+SECTION_KERNEL="ЯДРО"
-SECTION_LDAP_SERVICES="Сервисы LDAP"
+SECTION_LDAP_SERVICES="СЕРВИСЫ LDAP"
-SECTION_LOGGING_AND_FILES="Логирование и файлы"
+SECTION_LOGGING_AND_FILES="ЛОГИРОВАНИЕ И ФАЙЛЫ"
-SECTION_MALWARE="Вредоносное ПО"
+SECTION_MALWARE="ВРЕДОНОСНОЕ ПО"
-SECTION_MEMORY_AND_PROCESSES="Память и процессы"
+SECTION_MEMORY_AND_PROCESSES="ПАМЯТЬ И ПРОЦЕССОРЫ"
-SECTION_NAME_SERVICES="Серверы имён"
+SECTION_NAME_SERVICES="СЕРВЕРЫ ИМЁН"
-SECTION_NETWORKING="Сети"
+SECTION_NETWORKING="СЕТИ"
-SECTION_PERMISSIONS="Права доступа"
+SECTION_PERMISSIONS="ПРАВА ДОСТУПА"
-SECTION_PORTS_AND_PACKAGES="Пакеты"
+SECTION_PORTS_AND_PACKAGES="ПАКЕТЫ"
-SECTION_PRINTERS_AND_SPOOLS="Принтеры и спулеры"
+SECTION_PRINTERS_AND_SPOOLS="ПРИНТЕРЫ И СПУЛЕРЫ"
-SECTION_PROGRAM_DETAILS="Подробности о программе"
+SECTION_PROGRAM_DETAILS="ПОДРОБНОСТИ О ПРОГРАММЕ"
-SECTION_SCHEDULED_TASKS="Запланированные задачи"
+SECTION_SCHEDULED_TASKS="ЗАПЛАНИРОВАННЫЕ ЗАДАЧИ"
-SECTION_SECURITY_FRAMEWORKS="Фреймворки"
+SECTION_SECURITY_FRAMEWORKS="ФРЕЙМВОРКИ"
-SECTION_SHELLS="Командные оболочки"
+SECTION_SHELLS="КОМАНДНЫЕ ОБОЛОЧКИ"
-SECTION_SNMP_SUPPORT="Поддержка SNMP"
+SECTION_SNMP_SUPPORT="ПОДДЕРЖКА SNMP"
-SECTION_SOFTWARE="Программное обеспечение"
+SECTION_SOFTWARE="ПРОГРАММНОЕ ОБЕСПЕЧЕНИЕ"
-SECTION_SQUID_SUPPORT="Поддержка Squid"
+SECTION_SQUID_SUPPORT="ПОДДЕРЖКА Squid"
-SECTION_SSH_SUPPORT="Поддержка SSH"
+SECTION_SSH_SUPPORT="ПОДДЕРЖКА SSH"
-SECTION_STORAGE="Хранилище"
+SECTION_STORAGE="ХРАНИЛИЩЕ"
-SECTION_SYSTEM_INTEGRITY="Программное обеспечение: целостность системы"
+SECTION_SYSTEM_INTEGRITY="ПРОГРАММНОЕ ОБЕСПЕЧЕНИЕ: ЦЕЛОСТНОСТЬ СИСТЕМЫ"
-SECTION_SYSTEM_TOOLING="SПрограммное обеспечение: системные инструменты"
+SECTION_SYSTEM_TOOLING="ПРОГРАММНОЕ ОБЕСПЕЧЕНИЕ: СИСТЕМНЫЕ ИНСТУРМЕНТЫ"
-SECTION_SYSTEM_TOOLS="Системные утилиты"
+SECTION_SYSTEM_TOOLS="СИСТЕМНЫЕ УТИЛИТЫ"
-SECTION_TIME_AND_SYNCHRONIZATION="Время и его синхронизация"
+SECTION_TIME_AND_SYNCHRONIZATION="ВРЕМЯ И ЕГО СИНХРОНИЗАЦИЯ"
-SECTION_USB_DEVICES="USB Устройства"
+SECTION_USB_DEVICES="USB УСТРОЙСТВА"
-SECTION_USERS_GROUPS_AND_AUTHENTICATION="Пользователи, группы и Аутентификация"
+SECTION_USERS_GROUPS_AND_AUTHENTICATION="ПОЛЬЗОВАТЕЛИ, ГРУППЫ И АУТЕНТИФИКАЦИЯ"
-SECTION_VIRTUALIZATION="Виртуализация"
+SECTION_VIRTUALIZATION="ВИРТУАЛИЗАЦИЯ"
-SECTION_WEBSERVER="Программное обеспечение: веб-серверы"
+SECTION_WEBSERVER="ПРОГРАММНОЕ ОБЕСПЕЧЕНИЕ: WEB-СЕРВЕРЫ"
 STATUS_ACTIVE="АКТИВЕН"
 STATUS_CHECK_NEEDED="ТРЕБУЕТСЯ ПРОВЕРКА"
 STATUS_DEBUG="ОТЛАДКА"
 STATUS_DEFAULT="ПО УМОЛЧАНИЮ"
 STATUS_DIFFERENT="ОТЛИЧАЕТСЯ"
 STATUS_DISABLED="ОТКЛЮЧЕНО"
-STATUS_DONE="Завершено"
+STATUS_DONE="ЗАВЕРШЕНО"
 STATUS_ENABLED="ВКЛЮЧЕНО"
 STATUS_ERROR="ОШИБКА"
 STATUS_EXPOSED="УЯЗВИМО"
@@ -81,7 +81,8 @@ STATUS_INSTALLED="УСТАНОВЛЕНО"
 STATUS_LOCAL_ONLY="ТОЛЬКО ЛОКАЛЬНО"
 STATUS_MEDIUM="СРЕДНИЙ"
 STATUS_NON_DEFAULT="НЕ ПО УМОЛЧАНИЮ"
-STATUS_NONE="Отсутствует"
+STATUS_NONE="ОТСУТСТВУЕТ"
+STATUS_NOT_ACTIVE="НЕ АКТИВЕН"
 STATUS_NOT_CONFIGURED="НЕ СКОНФИГУРИРОВАНО"
 STATUS_NOT_DISABLED="НЕ ОТКЛЮЧЕНО"
 STATUS_NOT_ENABLED="НЕ ВКЛЮЧЕНО"
@@ -89,9 +90,9 @@ STATUS_NOT_FOUND="НЕ НАЙДЕНО"
 STATUS_NOT_RUNNING="НЕ ЗАПУЩЕНО"
 STATUS_NO_UPDATE="ОБНОВЛЕНИЙ НЕТ"
 STATUS_NO="НЕТ"
-STATUS_OFF="Выключено"
+STATUS_OFF="ВЫКЛЮЧЕНО"
 STATUS_OK="ОК"
-STATUS_ON="Включено"
+STATUS_ON="ВКЛЮЧЕНО"
 STATUS_PARTIALLY_HARDENED="ЧАСТИЧНО УСИЛЕНО"
 STATUS_PROTECTED="ЗАЩИЩЕНО"
 STATUS_RUNNING="ЗАПУЩЕНО"
@@ -103,5 +104,6 @@ STATUS_UPDATE_AVAILABLE="ДОСТУПНЫ ОБНОВЛЕНИЯ"
 STATUS_WARNING="ПРЕДУПРЕЖДЕНИЕ"
 STATUS_WEAK="СЛАБЫЙ"
 STATUS_YES="ДА"
-TEXT_UPDATE_AVAILABLE="доступно обновление"
+TEXT_UPDATE_AVAILABLE="ДОСТУПНО ОБНОВЛЕНИЕ"
-TEXT_YOU_CAN_HELP_LOGFILE="Вы можете помочь, предоставив ваш лог-файл"
+TEXT_YOU_CAN_HELP_LOGFILE="ПОЖАЛУЙСТА, ПОМОГИТЕ НАМ, ОТПРАВИВ ВАШ LOG-ФАЙЛ"
+SECTION_KERBEROS="KERBEROS"

db/languages/se

@@ -83,6 +83,7 @@ STATUS_FOUND="HITTAD"
 #STATUS_NON_DEFAULT="NON DEFAULT"
 STATUS_NONE="INGEN"
 STATUS_NO="NEJ"
+STATUS_NOT_ACTIVE="NOT ACTIVE"
 #STATUS_NOT_CONFIGURED="NOT CONFIGURED"
 #STATUS_NOT_DISABLED="NOT DISABLED"
 #STATUS_NOT_ENABLED="NOT ENABLED"
@@ -105,3 +106,4 @@ STATUS_WARNING="VARNING"
 STATUS_YES="JA"
 TEXT_UPDATE_AVAILABLE="uppdatering tillgänglig"
 TEXT_YOU_CAN_HELP_LOGFILE="Du kan hjälpa till genom att bidra med din loggfil"
+#SECTION_KERBEROS="Kerberos"

db/languages/sk

@@ -83,6 +83,7 @@ STATUS_FOUND="NÁJDENÉ"
 #STATUS_NON_DEFAULT="NON DEFAULT"
 STATUS_NONE="ŽIADNE"
 STATUS_NO="NIE"
+STATUS_NOT_ACTIVE="NOT ACTIVE"
 #STATUS_NOT_CONFIGURED="NOT CONFIGURED"
 #STATUS_NOT_DISABLED="NOT DISABLED"
 #STATUS_NOT_ENABLED="NOT ENABLED"
@@ -105,3 +106,4 @@ STATUS_WARNING="VAROVANIE"
 STATUS_YES="ÁNO"
 TEXT_UPDATE_AVAILABLE="aktualizácia k dispozícii"
 TEXT_YOU_CAN_HELP_LOGFILE="Môžete pomôcť poskytnutím log súboru"
+#SECTION_KERBEROS="Kerberos"

db/languages/tr

@@ -1,107 +1,109 @@
-ERROR_NO_LICENSE="Lisans anahtarı yapılandırılmamış"
+ERROR_NO_LICENSE="Lisans anahtarı yapılandırılmadı"
-ERROR_NO_UPLOAD_SERVER="Yükleme sunucusu yapılandırılmamış"
+ERROR_NO_UPLOAD_SERVER="Yükleme sunucusu yapılandırılmadı"
-GEN_CHECKING="Kontrol ediyor"
+GEN_CHECKING=" Denetleniyor"
-GEN_CURRENT_VERSION="Mevcut Sürüm"
+GEN_CURRENT_VERSION="Geçerli sürüm"
 GEN_DEBUG_MODE="Hata ayıklama modu"
 GEN_INITIALIZE_PROGRAM="Program başlatılıyor"
-GEN_LATEST_VERSION="Son sürüm"
+GEN_LATEST_VERSION="En son sürüm"
-GEN_PHASE="faz"
+GEN_PHASE="evre"
-GEN_PLUGINS_ENABLED="Yapılandırılmış eklentiler"
+GEN_PLUGINS_ENABLED="Etkinleştirilen eklentiler"
-GEN_UPDATE_AVAILABLE="güncelleme mevcut"
+GEN_UPDATE_AVAILABLE="güncelleme var"
-GEN_VERBOSE_MODE="Detay modu"
+GEN_VERBOSE_MODE="Ayrıntılı mod"
 GEN_WHAT_TO_DO="Yapılması gerekenler"
-NOTE_EXCEPTIONS_FOUND_DETAILED="Bazı istisnai durumlar ve bilgiler bulundu"
 NOTE_EXCEPTIONS_FOUND="İstisnalar bulundu"
-NOTE_PLUGINS_TAKE_TIME="Not: eklentiler daha detaylı testler içermektedir ve tamamlanmaları uzun sürebilir"
+NOTE_EXCEPTIONS_FOUND_DETAILED="Bazı istisnai olaylar veya bilgiler bulundu"
+NOTE_PLUGINS_TAKE_TIME="Not: eklentiler daha kapsamlı testlere sahiptir ve tamamlanması birkaç dakika sürebilir"
 NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Yetkisiz çalışma nedeniyle atlanan testler"
-#SECTION_ACCOUNTING="Accounting"
+SECTION_ACCOUNTING="Hesaplama"
-#SECTION_BANNERS_AND_IDENTIFICATION="Banners and identification"
+SECTION_BANNERS_AND_IDENTIFICATION="Afişler ve tanımlama"
-#SECTION_BASICS="Basics"
+SECTION_BASICS="Temel Bilgiler"
-#SECTION_BOOT_AND_SERVICES="Boot and services"
+SECTION_BOOT_AND_SERVICES="Önyükleme ve hizmetler"
-#SECTION_CONTAINERS="Containers"
+SECTION_CONTAINERS="Konteynerler"
-#SECTION_CRYPTOGRAPHY="Cryptography"
+SECTION_CRYPTOGRAPHY="Kriptografi"
 SECTION_CUSTOM_TESTS="Özel testler"
-#SECTION_DATABASES="Databases"
+SECTION_DATA_UPLOAD="Veri yükleme"
-#SECTION_DATA_UPLOAD="Data upload"
+SECTION_DATABASES="Veri tabanları"
-#SECTION_DOWNLOADS="Downloads"
+SECTION_DOWNLOADS="İndirilenler"
-#SECTION_EMAIL_AND_MESSAGING="Software: e-mail and messaging"
+SECTION_EMAIL_AND_MESSAGING="Yazılım: e-posta ve mesajlaşma"
-#SECTION_FILE_INTEGRITY="Software: file integrity"
+SECTION_FILE_INTEGRITY="Yazılım: dosya bütünlüğü"
-#SECTION_FILE_PERMISSIONS="File Permissions"
+SECTION_FILE_PERMISSIONS="Dosya izinleri"
-#SECTION_FILE_SYSTEMS="File systems"
+SECTION_FILE_SYSTEMS="Dosya sistemleri"
-#SECTION_FIREWALLS="Software: firewalls"
+SECTION_FIREWALLS="Yazılım: güvenlik duvarları"
-#SECTION_GENERAL="General"
+SECTION_GENERAL="Genel"
-#SECTION_HARDENING="Hardening"
+SECTION_HARDENING="Sıkılaştırma"
-#SECTION_HOME_DIRECTORIES="Home directories"
+SECTION_HOME_DIRECTORIES="Ev dizinleri"
-#SECTION_IMAGE="Image"
+SECTION_IMAGE="Kalıp"
-#SECTION_INITIALIZING_PROGRAM="Initializing program"
+SECTION_INITIALIZING_PROGRAM="Program başlatılıyor"
-#SECTION_INSECURE_SERVICES="Insecure services"
+SECTION_INSECURE_SERVICES="Güvensiz hizmetler"
-#SECTION_KERNEL_HARDENING="Kernel Hardening"
+SECTION_KERNEL="Çekirdek"
-#SECTION_KERNEL="Kernel"
+SECTION_KERNEL_HARDENING="Çekirdek Sıkılaştırma"
-#SECTION_LDAP_SERVICES="LDAP Services"
+SECTION_LDAP_SERVICES="LDAP Hizmetleri"
-#SECTION_LOGGING_AND_FILES="Logging and files"
+SECTION_LOGGING_AND_FILES="Günlük kaydı ve dosyalar"
-SECTION_MALWARE="Kötücül yazılım"
+SECTION_MALWARE="Yazılım: Kötü Amaçlı Yazılım"
-SECTION_MEMORY_AND_PROCESSES="Bellek ve Prosesler"
+SECTION_MEMORY_AND_PROCESSES="Bellek ve Süreçler"
-#SECTION_NAME_SERVICES="Name services"
+SECTION_NAME_SERVICES="Ad hizmetleri"
-#SECTION_NETWORKING="Networking"
+SECTION_NETWORKING="Ağ İletişimi"
-#SECTION_PERMISSIONS="Permissions"
+SECTION_PERMISSIONS="İzinler"
-#SECTION_PORTS_AND_PACKAGES="Ports and packages"
+SECTION_PORTS_AND_PACKAGES="Bağlantı noktaları ve paketler"
-#SECTION_PRINTERS_AND_SPOOLS="Printers and Spools"
+SECTION_PRINTERS_AND_SPOOLS="Yazıcılar ve Biriktiriciler"
-#SECTION_PROGRAM_DETAILS="Program Details"
+SECTION_PROGRAM_DETAILS="Program Ayrıntıları"
-#SECTION_SCHEDULED_TASKS="Scheduled tasks"
+SECTION_SCHEDULED_TASKS="Zamanlanan görevler"
-#SECTION_SECURITY_FRAMEWORKS="Security frameworks"
+SECTION_SECURITY_FRAMEWORKS="Güvenlik çerçeveleri"
-#SECTION_SHELLS="Shells"
+SECTION_SHELLS="Kabuklar"
-#SECTION_SNMP_SUPPORT="SNMP Support"
+SECTION_SNMP_SUPPORT="SNMP Desteği"
-#SECTION_SOFTWARE="Software"
+SECTION_SOFTWARE="Yazılım"
-#SECTION_SQUID_SUPPORT="Squid Support"
+SECTION_SQUID_SUPPORT="Squid Desteği"
-#SECTION_SSH_SUPPORT="SSH Support"
+SECTION_SSH_SUPPORT="SSH Desteği"
-#SECTION_STORAGE="Storage"
+SECTION_STORAGE="Depolama"
-#SECTION_SYSTEM_INTEGRITY="Software: System integrity"
+SECTION_SYSTEM_INTEGRITY="Yazılım: Sistem bütünlüğü"
-#SECTION_SYSTEM_TOOLING="Software: System tooling"
+SECTION_SYSTEM_TOOLING="Yazılım: Sistem araçları"
-#SECTION_SYSTEM_TOOLS="System tools"
+SECTION_SYSTEM_TOOLS="Sistem araçları"
-#SECTION_TIME_AND_SYNCHRONIZATION="Time and Synchronization"
+SECTION_TIME_AND_SYNCHRONIZATION="Zaman ve Eşzamanlama"
-#SECTION_USB_DEVICES="USB Devices"
+SECTION_USB_DEVICES="USB Aygıtları"
-#SECTION_USERS_GROUPS_AND_AUTHENTICATION="Users, Groups and Authentication"
+SECTION_USERS_GROUPS_AND_AUTHENTICATION="Kullanıcılar, Gruplar ve Kimlik Doğrulama"
-#SECTION_VIRTUALIZATION="Virtualization"
+SECTION_VIRTUALIZATION="Sanallaştırma"
-#SECTION_WEBSERVER="Software: webserver"
+SECTION_WEBSERVER="Yazılım: web sunucusu"
-#STATUS_ACTIVE="ACTIVE"
+STATUS_ACTIVE=" ETKİN"
-#STATUS_CHECK_NEEDED="CHECK NEEDED"
+STATUS_CHECK_NEEDED=" DENETİM GEREKLI"
-#STATUS_DEBUG="DEBUG"
+STATUS_DEBUG="HATA AYIKLAMA"
-#STATUS_DEFAULT="DEFAULT"
+STATUS_DEFAULT="ÖNTANIMLI"
-#STATUS_DIFFERENT="DIFFERENT"
+STATUS_DIFFERENT="FARKLI"
-STATUS_DISABLED="ETKİSİZLEŞTİRİLMİŞ"
+STATUS_DISABLED="DEVRE DIŞI BIRAKILDI"
 STATUS_DONE="TAMAMLANDI"
-STATUS_ENABLED="ETKİNLEŞTİRİLMİŞ"
+STATUS_ENABLED="ETKİNLEŞTİRİLDİ"
 STATUS_ERROR="HATA"
-#STATUS_EXPOSED="EXPOSED"
+STATUS_EXPOSED="AÇIKTA BIRAKILDI"
-#STATUS_FAILED="FAILED"
+STATUS_FAILED="BAŞARISIZ"
-#STATUS_FILES_FOUND="FILES FOUND"
+STATUS_FILES_FOUND="DOSYALAR BULUNDU"
 STATUS_FOUND="BULUNDU"
-#STATUS_HARDENED="HARDENED"
+STATUS_HARDENED="SIKILAŞTIRILDI"
-#STATUS_INSTALLED="INSTALLED"
+STATUS_INSTALLED="KURULU"
-#STATUS_LOCAL_ONLY="LOCAL ONLY"
+STATUS_LOCAL_ONLY="YALNIZCA YEREL"
-#STATUS_MEDIUM="MEDIUM"
+STATUS_MEDIUM="ORTA"
 STATUS_NO="HAYIR"
-#STATUS_NON_DEFAULT="NON DEFAULT"
+STATUS_NO_UPDATE="GÜNCELLEME YOK"
+STATUS_NON_DEFAULT="ÖNTANIMLI OLMAYAN"
 STATUS_NONE="YOK"
-#STATUS_NOT_CONFIGURED="NOT CONFIGURED"
+STATUS_NOT_ACTIVE="ETKİN DEĞİL"
-#STATUS_NOT_DISABLED="NOT DISABLED"
+STATUS_NOT_CONFIGURED="YAPILANDIRILMADI"
-#STATUS_NOT_ENABLED="NOT ENABLED"
+STATUS_NOT_DISABLED="DEVRE DIŞI BIRAKILMADI"
+STATUS_NOT_ENABLED="ETKİNLEŞTİRİLMEDİ"
 STATUS_NOT_FOUND="BULUNAMADI"
 STATUS_NOT_RUNNING="ÇALIŞMIYOR"
-#STATUS_NO_UPDATE="NO UPDATE"
 STATUS_OFF="KAPALI"
 STATUS_OK="TAMAM"
 STATUS_ON="AÇIK"
-#STATUS_PARTIALLY_HARDENED="PARTIALLY HARDENED"
+STATUS_PARTIALLY_HARDENED="KISMEN SIKILAŞTIRILDI"
-#STATUS_PROTECTED="PROTECTED"
+STATUS_PROTECTED="KORUMALI"
 STATUS_RUNNING="ÇALIŞIYOR"
 STATUS_SKIPPED="ATLANDI"
 STATUS_SUGGESTION="ÖNERİ"
 STATUS_UNKNOWN="BİLİNMİYOR"
-#STATUS_UNSAFE="UNSAFE"
+STATUS_UNSAFE="GÜVENLİ DEĞİL"
-#STATUS_UPDATE_AVAILABLE="UPDATE AVAILABLE"
+STATUS_UPDATE_AVAILABLE="GÜNCELLEME VAR"
 STATUS_WARNING="UYARI"
-#STATUS_WEAK="WEAK"
+STATUS_WEAK="ZAYIF"
 STATUS_YES="EVET"
-TEXT_UPDATE_AVAILABLE="güncelleme mevcut"
+TEXT_UPDATE_AVAILABLE="güncelleme var"
-TEXT_YOU_CAN_HELP_LOGFILE="Log dosyanızı göndererek yardımcı olabilirsiniz"
+TEXT_YOU_CAN_HELP_LOGFILE="Günlük dosyanızı göndererek yardımcı olabilirsiniz"
+#SECTION_KERBEROS="Kerberos"

db/software-eol.db

@@ -14,8 +14,31 @@
 # For rolling releases or releases that do not (currently have an EOL date, leave field three empty and set field four to -1.
 # Full string for CentOS can be something like 'CentOS Linux 8 (Core)'. As this does not correctly match, shorter string is used for matching.
 #
+# AIX - https://www.ibm.com/support/pages/aix-support-lifecycle-information 
+#
+os:AIX 7300-02:2026-11-30:1796032800:
+os:AIX 7300-01:2025-12-31:1767175200:
+os:AIX 7300-00:2024-12-31:1735639200:
+os:AIX 7200-05::-1:
+os:AIX 7200-04:2022-11-30:1669802400:
+os:AIX 7200-03:2021-09-30:1632996000:
+os:AIX 7200-02:2020-10-31:1604138400:
+os:AIX 7200-01:2019-11-30:1575108000:
+os:AIX 7200-00:2018-12-30:1546164000:
+os:AIX 7100:2023-04-30:1682848800:
+os:AIX 6:2017-04-30:1493546400:
+os:AIX 5:2012-04-30:1335780000:
+os:AIX 4:2003-12-31:1072864800:
+os:AIX 3:1997-12-31:883562400:
+#
 # Alpine - https://alpinelinux.org/releases/
 #
+os:Alpine 3.19:2025-11-01:1761955200
+os:Alpine 3.18:2025-05-09:1746748800
+os:Alpine 3.17:2024-11-22:1732233600
+os:Alpine 3.16:2024-05-23:1716422400
+os:Alpine 3.15:2023-11-01:1698793200
+os:Alpine 3.14:2023-05-01:1682899200
 os:Alpine 3.13:2022-11-01:1667275200
 os:Alpine 3.12:2022-05-01:1651377600
 os:Alpine 3.11:2021-11-01:1635739200
@@ -26,8 +49,9 @@ os:Alpine 3.8:2020-05-01:1588305600
 # Amazon Linux
 #
 # Note: shortest entry is listed at end due to regular expression matching being used
-os:Amazon Linux 2:2023-06-26:1687730400:
+os:Amazon Linux 2023:2029-06-30:1877464800:
-os:Amazon Linux:2020-06-30:1593468000:
+os:Amazon Linux 2:2026-06-30:1782863999:
+os:Amazon Linux:2023-12-31:1703980800:
 #
 # Arch Linux
 #
@@ -38,16 +62,19 @@ os:Arch Linux::-1:
 os:CentOS release 5:2017-03-31:1490911200:
 os:CentOS release 6:2020-11-30:1606690800:
 os:CentOS Linux 7:2024-06-30:1719698400:
-os:CentOS Linux 8:2029-05-31:1874872800:
+os:CentOS Linux 8:2021-12-31:1640905200:
 #
 # Debian - https://wiki.debian.org/DebianReleases#Production_Releases
+# https://wiki.debian.org/LTS
 #
 os:Debian 5.0:2012-02-06:1328482800:
 os:Debian 6.0:2016-02-29:1456700400:
 os:Debian 7:2018-05-31:1527717600:
 os:Debian 8:2020-06-30:1593468000:
-os:Debian 9:2022-01-01:1640991600:
+os:Debian 9:2022-06-30:1656547200:
-os:Debian 10:2022-01-01:1640991600:
+os:Debian 10:2022-09-10:1665266400:
+os:Debian 11:2024-07-01:1719784800:
+os:Debian 12:2028-06-30:1845936000:
 #
 # Fedora - https://fedoraproject.org/wiki/End_of_life
 #
@@ -106,14 +133,14 @@ os:macOS High Sierra \(10.13.2\):2018-01-23:1516662000:
 os:macOS High Sierra \(10.13.3\):2018-03-29:1522274400:
 os:macOS High Sierra \(10.13.4\):2018-06-01:1527804000:
 os:macOS High Sierra \(10.13.5\):2018-07-09:1531087200:
-os:macOS High Sierra \(10.13.6\)::-1:
+os:macOS High Sierra \(10.13.6\)::2020-12-01:1606780800:
 os:macOS Mojave \(10.14\):2018-10-30:1540854000:
 os:macOS Mojave \(10.14.1\):2018-12-05:1543964400:
 os:macOS Mojave \(10.14.2\):2019-01-22:1548111600:
 os:macOS Mojave \(10.14.3\):2019-03-25:1553468400:
 os:macOS Mojave \(10.14.4\):2019-05-13:1557698400:
 os:macOS Mojave \(10.14.5\):2019-07-22:1563746400:
-os:macOS Mojave \(10.14.6\)::-1:
+os:macOS Mojave \(10.14.6\)::2021-10-25:1635120000:
 os:macOS Catalina \(10.15\):2019-10-29:1572303600:
 os:macOS Catalina \(10.15.1\):2019-12-10:1575932400:
 os:macOS Catalina \(10.15.2\):2020-01-28:1580166000:
@@ -121,7 +148,12 @@ os:macOS Catalina \(10.15.3\):2020-03-24:1585004400:
 os:macOS Catalina \(10.15.4\):2020-05-26:1590444000:
 os:macOS Catalina \(10.15.5\):2020-07-15:1594764000:
 os:macOS Catalina \(10.15.6\):2020-09-24:1600898400:
-os:macOS Catalina \(10.15.7\)::-1:
+os:macOS Catalina \(10.15.7\)::2022-09-12:1662940800:
+os:macOS Big Sur \(11.7.10\):2023-09-26:1695686400:
+os:macOS Monterey \(12.7.6\):2024-09-16:1726444800:
+os:macOS Ventura \(13.7.2\)::-1:
+os:macOS Sonoma \(14.7.2\)::-1:
+os:macOS Sequoia \(15.2\)::-1:
 #
 # Mageia - https://www.mageia.org/en/support/
 #
@@ -132,6 +164,7 @@ os:Mageia 4:2015-09-19:1442613600
 os:Mageia 5:2017-12-31:1514674800
 os:Mageia 6:2019-09-30:1569794400
 os:Mageia 7:2020-12-30:1609282800
+os:Mageia 8::-1
 #
 # NetBSD - https://www.netbsd.org/support/security/release.html and
 #          https://www.netbsd.org/releases/formal.html
@@ -194,6 +227,11 @@ os:OpenBSD 6.4:2019-10-17:1571270400:
 os:OpenBSD 6.5:2020-05-19:1589846400:
 os:OpenBSD 6.6:2020-10-01:1601510400:
 os:OpenBSD 6.7:2021-05-01:1619827200:
+os:OpenBSD 6.8:2021-10-14:1665698400:
+os:OpenBSD 6.9:2022-04-21:1650492000:
+os:OpenBSD 7.0:2022-10-20:1666216800:
+os:OpenBSD 7.1:2023-05-01:1682892000:
+os:OpenBSD 7.2::-1
 #
 # Red Hat Enterprise Linux - https://access.redhat.com/labs/plcc/
 #
@@ -237,6 +275,7 @@ os:Ubuntu 18.04:2023-05-01:1682892000:
 os:Ubuntu 18.10:2019-07-18:1563400800:
 os:Ubuntu 19.04:2020-01-01:1577833200:
 os:Ubuntu 20.04:2025-04-01:1743458400:
+os:Ubuntu 22.04:2027-04-01:1806537600:
 #
 # OmniosCE - https://omniosce.org/releasenotes.html
 #

db/tests.db

@@ -136,7 +136,7 @@ FILE-7524:test:security:file_permissions::Perform file permissions check:
 FINT-4310:test:security:file_integrity::AFICK availability:
 FINT-4314:test:security:file_integrity::AIDE availability:
 FINT-4315:test:security:file_integrity::Check AIDE configuration file:
-FINT-4316:test:security:file_integirty::Presence of AIDE database and size check:
+FINT-4316:test:security:file_integrity::Presence of AIDE database and size check:
 FINT-4318:test:security:file_integrity::Osiris availability:
 FINT-4322:test:security:file_integrity::Samhain availability:
 FINT-4326:test:security:file_integrity::Tripwire availability:
@@ -148,6 +148,7 @@ FINT-4338:test:security:file_integrity::osqueryd syscheck daemon running:
 FINT-4339:test:security:file_integrity:Linux:Check IMA/EVM Status
 FINT-4340:test:security:file_integrity:Linux:Check dm-integrity status
 FINT-4341:test:security:file_integrity:Linux:Check dm-verity status
+FINT-4344:test:security:file_integrity::Wazuh syscheck daemon running:
 FINT-4350:test:security:file_integrity::File integrity software installed:
 FINT-4402:test:security:file_integrity::Checksums (SHA256 or SHA512):
 FIRE-4502:test:security:firewalls:Linux:Check iptables kernel module:
@@ -204,7 +205,7 @@ INSE-8200:test:security:insecure_services::Usage of TCP wrappers:
 INSE-8300:test:security:insecure_services::Presence of rsh client:
 INSE-8302:test:security:insecure_services::Presence of rsh server:
 INSE-8310:test:security:insecure_services::Presence of telnet client:
-INSE-8312:test:security:insecure_services::Presence of telnet server:
+INSE-8322:test:security:insecure_services::Presence of telnet server:
 INSE-8314:test:security:insecure_services::Presence of NIS client:
 INSE-8316:test:security:insecure_services::Presence of NIS server:
 INSE-8318:test:security:insecure_services::Presence of TFTP client:
@@ -265,6 +266,7 @@ MAIL-8838:test:security:mail_messaging::Check dovecot process:
 MAIL-8860:test:security:mail_messaging::Check Qmail status:
 MAIL-8880:test:security:mail_messaging::Check Sendmail status:
 MAIL-8920:test:security:mail_messaging::Check OpenSMTPD status:
+MALW-3274:test:security:malware::Check for McAfee VirusScan Command Line Scanner:
 MALW-3275:test:security:malware::Check for chkrootkit:
 MALW-3276:test:security:malware::Check for Rootkit Hunter:
 MALW-3278:test:security:malware::Check for LMD:
@@ -274,6 +276,7 @@ MALW-3284:test:security:malware::Check for clamd:
 MALW-3286:test:security:malware::Check for freshclam:
 MALW-3288:test:security:malware::Check for ClamXav:
 MALW-3290:test:security:malware::Presence of malware scanner:
+MALW-3291:test:security:malware::Check for Microsoft Defender Antivirus:
 NAME-4016:test:security:nameservices::Check /etc/resolv.conf default domain:
 NAME-4018:test:security:nameservices::Check /etc/resolv.conf search domains:
 NAME-4020:test:security:nameservices::Check non default options:
@@ -322,6 +325,7 @@ PHP-2376:test:security:php::Check PHP allow_url_fopen option:
 PHP-2378:test:security:php::Check PHP allow_url_include option:
 PHP-2379:test:security:php::Check PHP suhosin extension status:
 PHP-2382:test:security:php::Check PHP listen option:
+PKGS-7200:test:security:ports_packages:Linux:Check Alpine Package Keeper (apk):
 PKGS-7301:test:security:ports_packages::Query NetBSD pkg:
 PKGS-7302:test:security:ports_packages::Query FreeBSD/NetBSD pkg_info:
 PKGS-7303:test:security:ports_packages::Query brew package manager:
@@ -358,6 +362,7 @@ PKGS-7390:test:security:ports_packages:Linux:Check Ubuntu database consistency:
 PKGS-7392:test:security:ports_packages:Linux:Check for Debian/Ubuntu security updates:
 PKGS-7393:test:security:ports_packages::Check for Gentoo vulnerable packages:
 PKGS-7394:test:security:ports_packages:Linux:Check for Ubuntu updates:
+PKGS-7395:test:security:ports_packages:Linux:Check Alpine upgradeable packages:
 PKGS-7398:test:security:ports_packages::Check for package audit tool:
 PKGS-7410:test:security:ports_packages::Count installed kernel packages:
 PKGS-7420:test:security:ports_packages::Detect toolkit to automatically download and apply upgrades:
@@ -434,8 +439,9 @@ TOOL-5102:test:security:tooling::Check for presence of Fail2ban:
 TOOL-5104:test:security:tooling::Enabled tests for Fail2ban:
 TOOL-5120:test:security:tooling::Presence of Snort IDS:
 TOOL-5122:test:security:tooling::Snort IDS configuration file:
+TOOL-5128:test:security:tooling::Check for active Wazuh daemon:
 TOOL-5130:test:security:tooling::Check for active Suricata daemon:
-TOOL-5160:test:security:tooling::Check for active OSSEC daemon:
+TOOL-5126:test:security:tooling::Check for active OSSEC daemon:
 TOOL-5190:test:security:tooling::Check presence of available IDS/IPS tooling:
 USB-1000:test:security:storage:Linux:Check if USB storage is disabled:
 USB-2000:test:security:storage:Linux:Check USB authorizations:

default.prf

@@ -144,6 +144,7 @@ plugin=software
 plugin=system-integrity
 plugin=systemd
 plugin=users
+plugin=krb5
 
 # Disable a particular plugin (will overrule an enabled plugin)
 #disable-plugin=authentication
@@ -197,7 +198,7 @@ config-data=sysctl;kernel.exec-shield;1;1;No description;sysctl -a;url:https;//k
 config-data=sysctl;kernel.kptr_restrict;2;1;Restrict access to kernel symbols;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
 config-data=sysctl;kernel.maps_protect;1;1;Restrict access to /proc/[pid]/maps;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
 config-data=sysctl;kernel.modules_disabled;1;1;Restrict module loading once this sysctl value is loaded;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
-config-data=sysctl;kernel.perf_event_paranoid;3;1;Restrict unprivileged access to the perf_event_open() system call.;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.perf_event_paranoid;2|3|4;1;Restrict unprivileged access to the perf_event_open() system call.;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
 config-data=sysctl;kernel.randomize_va_space;2;1;Randomize of memory address locations (ASLR);sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
 config-data=sysctl;kernel.suid_dumpable;0;1;Restrict core dumps;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
 config-data=sysctl;kernel.sysrq;0;1;Disable magic SysRQ;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;

extras/build-lynis.sh

@@ -238,7 +238,7 @@
 
     echo "[*] Starting with DEB building process"
 
-        DEBCHANGELOGFULLVERSION=$(head -1 ../debian/changelog | awk '{ print $2 }' | sed 's/(//' | sed 's/)//')
+        DEBCHANGELOGFULLVERSION=$(head -n 1 ../debian/changelog | awk '{ print $2 }' | sed 's/(//' | sed 's/)//')
         DEBCHANGELOGVERSION=$(echo ${DEBCHANGELOGFULLVERSION} | awk -F- '{ print $1 }')
         DEBCHANGELOGVERSIONREV=$(echo ${DEBCHANGELOGFULLVERSION} | awk -F- '{ print $2 }')
         if [ "${LYNIS_VERSION}" = "${DEBCHANGELOGVERSION}" ]; then
@@ -251,7 +251,7 @@
 #    BZRSTATUS=$(${BZRBINARY} status . 2>&1 > /dev/null; echo $?)
 #    if [ "${BZRSTATUS}" = "0" ]; then
 #        echo "[V] bzr has proper directory tree"
-#        DEBCHANGELOGFULLVERSION=$(head -1 debian/changelog | awk '{ print $2 }' | sed 's/(//' | sed 's/)//')
+#        DEBCHANGELOGFULLVERSION=$(head -n 1 debian/changelog | awk '{ print $2 }' | sed 's/(//' | sed 's/)//')
 #        DEBCHANGELOGVERSION=$(echo ${DEBCHANGELOGFULLVERSION} | awk -F- '{ print $1 }')
 #        DEBCHANGELOGVERSIONREV=$(echo ${DEBCHANGELOGFULLVERSION} | awk -F- '{ print $2 }')
 #        echo "[=] Version in Debian changelog: ${DEBCHANGELOGVERSION} (revision: ${DEBCHANGELOGVERSIONREV})"

include/binaries

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
-# Website  : https://cisofy.com
+# Website  : https://cisofy.com/
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -134,6 +133,7 @@
                             aide)                   AIDEBINARY=${BINARY};              LogText "  Found known binary: aide (file integrity checker) - ${BINARY}" ;;
                             apache2)                HTTPDBINARY=${BINARY};             LogText "  Found known binary: apache2 (web server) - ${BINARY}" ;;
                             apt)                    APTBINARY=${BINARY};               LogText "  Found known binary: apt (package manager) - ${BINARY}" ;;
+                            apk)                    APKBINARY=${BINARY};               LogText "  Found known binary: apk (package manager) - ${BINARY}" ;;
                             arch-audit)             ARCH_AUDIT_BINARY="${BINARY}";     LogText "  Found known binary: arch-audit (auditing utility to test for vulnerable packages) - ${BINARY}" ;;
                             auditd)                 AUDITDBINARY=${BINARY};            LogText "  Found known binary: auditd (audit framework) - ${BINARY}" ;;
                             awk)                    AWKBINARY=${BINARY};               LogText "  Found known binary: awk (string tool) - ${BINARY}" ;;
@@ -168,7 +168,6 @@
                             domainname)             DOMAINNAMEBINARY="${BINARY}";      LogText "  Found known binary: domainname (NIS domain) - ${BINARY}" ;;
                             dpkg)                   DPKGBINARY="${BINARY}";            LogText "  Found known binary: dpkg (package management) - ${BINARY}" ;;
                             xbps-query)             XBPSBINARY="${BINARY}";            LogText "  Found known binary: xbps (package management) - ${BINARY}" ;;
-                            egrep)                  EGREPBINARY=${BINARY};             LogText "  Found known binary: egrep (text search) - ${BINARY}" ;;
                             equery)                 EQUERYBINARY="${BINARY}";          LogText "  Found known binary: query (package manager) - ${BINARY}" ;;
                             evmctl)                 EVMCTLBINARY=${BINARY};            LogText "  Found known binary: evmctl (IMA/EVM tool) - ${BINARY}" ;;
                             exim)                   EXIMBINARY="${BINARY}";            EXIMVERSION=$(${BINARY} -bV | grep 'Exim version' | awk '{ print $3 }' | xargs); LogText "  Found known binary ${BINARY} (version ${EXIMVERSION})" ;;
@@ -196,6 +195,8 @@
                             iptables-save)          IPTABLESSAVEBINARY="${BINARY}";    LogText "  Found known binary: iptables-save (firewall) - ${BINARY}" ;;
                             istat)                  ISTATBINARY="${BINARY}";           LogText "  Found known binary: istat (file information) - ${BINARY}" ;;
                             journalctl)             JOURNALCTLBINARY="${BINARY}";      LogText "  Found known binary: journalctl (systemd journal) - ${BINARY}" ;;
+                            kadmin.local)           KADMINLOCALBINARY="${BINARY}";     LogText "  Found known binary: kadmin.local (krb5) - ${BINARY}" ;;
+                            kdb5_util)              KDB5UTILBINARY="${BINARY}";        LogText "  Found known binary: kdb5_util (krb5) - ${BINARY}" ;;
                             kldstat)                KLDSTATBINARY="${BINARY}";         LogText "  Found known binary: kldstat (kernel modules) - ${BINARY}" ;;
                             kstat)                  KSTATBINARY="${BINARY}";           LogText "  Found known binary: kstat (kernel statistics) - ${BINARY}" ;;
                             launchctl)              LAUNCHCTL_BINARY="${BINARY}";      SERVICE_MANAGER="launchd"; LogText "  Found known binary: launchctl (launchd client) - ${BINARY}" ;;
@@ -336,11 +337,19 @@
         Report "binaries_sgid_count=${SGID_BINARIES}"
         Report "binary_paths=${BINARY_PATHS_FOUND}"
 
+	# If grep is capable of extended regexp, use that instead of egrep to avoid annoying warning
+	if [ "${GREPBINARY:-}" ] ; then
+		${GREPBINARY} --help 2> /dev/null | ${GREPBINARY} -e "extended-regexp" > /dev/null
+		if [ $? -eq 0 ] ; then
+			EGREPBINARY="${GREPBINARY} -E"
+		fi
+	fi
+	
+
         # Test if the basic system tools are defined. These will be used during the audit.
         [ "${AWKBINARY:-}" ] || ExitFatal "awk binary not found"
         [ "${CAT_BINARY:-}" ] || ExitFatal "cat binary not found"
         [ "${CUTBINARY:-}" ] || ExitFatal "cut binary not found"
-        [ "${EGREPBINARY:-}" ] || ExitFatal "egrep binary not found"
         [ "${FINDBINARY:-}" ] || ExitFatal "find binary not found"
         [ "${GREPBINARY:-}" ] || ExitFatal "grep binary not found"
         [ "${HEADBINARY:-}" ] || ExitFatal "head binary not found"
@@ -365,6 +374,4 @@
     fi
 
 
-#
+# EOF
-#================================================================================
-# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com

include/consts

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
-# Website  : https://cisofy.com
+# Website  : https://cisofy.com/
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -43,6 +42,7 @@ ETC_PATHS="/etc /usr/local/etc"
 # == Variable initializing ==
 #
     APTBINARY=""
+    APKBINARY=""
     ARCH_AUDIT_BINARY=""
     AUDITORNAME=""
     AUDITCTLBINARY=""
@@ -168,8 +168,10 @@ ETC_PATHS="/etc /usr/local/etc"
     MACHINEID=""
     MACHINE_ROLE=""
     MALWARE_SCANNER_INSTALLED=0
+    MDATPBINARY=""
     MIN_PASSWORD_LENGTH=-1
     MONGODB_RUNNING=0
+    MONOLITHIC_KERNEL_TESTED=0
     MOUNTBINARY=""
     MTREEBINARY=""
     MYSQLCLIENTBINARY=""
@@ -297,7 +299,9 @@ ETC_PATHS="/etc /usr/local/etc"
     SSL_CERTIFICATE_INCLUDE_PACKAGES=0
     SSL_CERTIFICATE_PATHS=""
     SSL_CERTIFICATE_PATHS_TO_IGNORE=""
+    STATUS_NOT_ACTIVE=""
     STUNNELBINARY=""
+    SURICATABINARY=""
     SWUPDBINARY=""
     SYSLOGNGBINARY=""
     SYSTEMCTLBINARY=""
@@ -414,9 +418,4 @@ ETC_PATHS="/etc /usr/local/etc"
     OK="${GREEN}"
     BAD="${RED}"
 
-#
+# EOF 
-#################################################################################
-#
-
-#================================================================================
-# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com

include/data_upload

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
-# Website  : https://cisofy.com
+# Website  : https://cisofy.com/
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -272,6 +271,4 @@
          ExitFatal
     fi
 
-#
+# EOF
-#================================================================================
-# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com

include/functions

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
-# Website  : https://cisofy.com
+# Website  : https://cisofy.com/
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -941,7 +940,7 @@
             done
         fi
 
-        if [ ! "${SHA1SUMBINARY}" = "" -o ! "${OPENSSLBINARY}" = "" -o ! "${CSUMBINARY}" = "" ]; then
+        if [ ! "${SHA1SUMBINARY}" = "" -o ! "${SHA256SUMBINARY}" = "" -o ! "${OPENSSLBINARY}" = "" -o ! "${CSUMBINARY}" = "" ]; then
             LogText "Info: found hashing tool, start generation of HostID"
             case "${OS}" in
 
@@ -968,7 +967,7 @@
                 ;;
 
                 "DragonFly" | "FreeBSD")
-                    FIND=$(${IFCONFIGBINARY} | grep ether | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
+                    FIND=$(${IFCONFIGBINARY} | grep ether | head -n 1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
                     if HasData "${FIND}"; then
                         HOSTID=$(echo ${FIND} | sha1)
                     else
@@ -996,7 +995,7 @@
                         for INTERFACE in ${NET_INTERFACES}; do
                             if grep -q -s 'up' "/sys/class/net/${INTERFACE}/operstate"; then
                                 LogText "Interface '${INTERFACE}' is up, fetching MAC address"
-                                FIND=$(head -1 "/sys/class/net/${INTERFACE}/address" | tr '[:upper:]' '[:lower:]')
+                                FIND=$(head -n 1 "/sys/class/net/${INTERFACE}/address" | tr '[:upper:]' '[:lower:]')
                                 if HasData "${FIND}"; then
                                     HOSTID_GEN="linux-sys-interface-up"
                                     break
@@ -1010,7 +1009,7 @@
                         LogText "Info: trying output from 'ip' to generate HostID"
                         # Determine if we have the common available eth0 interface. If so, give that priority.
                         # Note: apply sorting in case there would be multiple MAC addresses linked to increase predictable end result
-                        FIND=$(${IPBINARY} addr show eth0 2> /dev/null | grep -E "link/ether " | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]' | sort | head -1)
+                        FIND=$(${IPBINARY} addr show eth0 2> /dev/null | grep -E "link/ether " | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]' | sort | head -n 1)
                         if HasData "${FIND}"; then
                             HOSTID_GEN="linux-ip-interface-eth0"
                         else
@@ -1020,7 +1019,7 @@
                             # 3) Convert everything to lowercase
                             # 4) Sort the entries, so that the output is more predictable between runs when the same interfaces are available
                             # 5) Select first entry
-                            FIND=$(${IPBINARY} -family link addr show up 2> /dev/null | awk '{if($1=="link/ether" && $2 !~ "^02:42:"){print $2}}' | tr '[:upper:]' '[:lower:]' | sort | head -1)
+                            FIND=$(${IPBINARY} -family link addr show up 2> /dev/null | awk '{if($1=="link/ether" && $2 !~ "^02:42:"){print $2}}' | tr '[:upper:]' '[:lower:]' | sort | head -n 1)
                             if HasData "${FIND}"; then
                                 HOSTID_GEN="linux-ip-interface-up-other"
                             else
@@ -1049,7 +1048,7 @@
                                         HOSTID_GEN="linux-ifconfig-interface-eth0-ether"
                                     fi
                                 else
-                                    FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep "ether " | awk '{ print $2 }' | head -1 | tr '[:upper:]' '[:lower:]')
+                                    FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep "ether " | awk '{ print $2 }' | head -n 1 | tr '[:upper:]' '[:lower:]')
                                     if IsEmpty "${FIND}"; then
                                         ReportException "GetHostID" "No eth0 found (and no ether was found with ifconfig)"
                                     else
@@ -1058,7 +1057,7 @@
                                     fi
                                 fi
                             else
-                                FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep HWaddr | head -1 | awk '{ print $5 }' | tr '[:upper:]' '[:lower:]')
+                                FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep HWaddr | head -n 1 | awk '{ print $5 }' | tr '[:upper:]' '[:lower:]')
                                 HOSTID_GEN="linux-ifconfig-interface-first-hwaddr"
                             fi
                         else
@@ -1069,7 +1068,12 @@
                     # Check if we found a MAC address to generate the HostID
                     if HasData "${FIND}"; then
                         LogText "Info: using hardware address '${FIND}' to create HostID"
-                        HOSTID=$(echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }')
+                        if [ -n "${SHA1SUMBINARY}" ]; then
+                            HOSTID=$(echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }')
+                        elif [ -n "${SHA256SUMBINARY}" ]; then
+                            # Truncate hash to match SHA1 length
+                            HOSTID=$(echo ${FIND} | ${SHA256SUMBINARY} | awk '{ print $1 }' | head -c 40)
+                        fi
                         LogText "Result: Found HostID: ${HOSTID}"
                     else
                         ReportException "GetHostID" "HostID could not be generated"
@@ -1077,7 +1081,7 @@
                 ;;
 
                 "macOS")
-                    FIND=$(${IFCONFIGBINARY} en0 | grep ether | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
+                    FIND=$(${IFCONFIGBINARY} en0 | grep ether | head -n 1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
                     if [ ! "${FIND}" = "" ]; then
                         HOSTID=$(echo ${FIND} | shasum | awk '{ print $1 }')
                     else
@@ -1099,7 +1103,7 @@
                 ;;
 
                 "NetBSD")
-                    FIND=$(${IFCONFIGBINARY} -a | grep "address:" | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
+                    FIND=$(${IFCONFIGBINARY} -a | grep "address:" | head -n 1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
                     if HasData "${FIND}"; then
                         HOSTID=$(echo ${FIND} | sha1)
                     else
@@ -1108,7 +1112,7 @@
                 ;;
 
                 "OpenBSD")
-                    FIND=$(${IFCONFIGBINARY} | grep "lladdr " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
+                    FIND=$(${IFCONFIGBINARY} | grep "lladdr " | head -n 1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
                     if HasData "${FIND}"; then
                         HOSTID=$(echo ${FIND} | sha1)
                     else
@@ -1156,7 +1160,7 @@
             fi
 
         else
-            ReportException "GetHostID" "Can't create HOSTID as there is no SHA1 hash tool available (sha1, sha1sum, openssl)"
+            ReportException "GetHostID" "Can't create HOSTID as there is no hash tool available (sha1, sha1sum, openssl, truncated sha256sum)"
         fi
 
         # Search machine ID
@@ -1164,7 +1168,7 @@
         # Optional: DBUS creates ID as well with dbus-uuidgen and is stored in /var/lib/dbus-machine-id (might be symlinked to /etc/machine-id)
         sMACHINEIDFILE="/etc/machine-id"
         if [ -f ${sMACHINEIDFILE} ]; then
-            FIND=$(head -1 ${sMACHINEIDFILE} | grep "^[a-f0-9]")
+            FIND=$(head -n 1 ${sMACHINEIDFILE} | grep "^[a-f0-9]")
             if [ "${FIND}" = "" ]; then
                 MACHINEID="${FIND}"
             fi
@@ -1199,10 +1203,9 @@
             LogText "Info: start generation of HostID (version 2)"
             FOUND=0
             DATA_SSH=""
-            # Use public keys
-            SSH_KEY_FILES="ssh_host_ed25519_key.pub ssh_host_ecdsa_key.pub ssh_host_dsa_key.pub ssh_host_rsa_key.pub"
             if [ -d /etc/ssh ]; then
-                for I in ${SSH_KEY_FILES}; do
+                SSH_PUBKEY_FILES="ssh_host_ed25519_key.pub ssh_host_ecdsa_key.pub ssh_host_dsa_key.pub ssh_host_rsa_key.pub"
+                for I in ${SSH_PUBKEY_FILES}; do
                     if [ ${FOUND} -eq 0 ]; then
                         if [ -f /etc/ssh/${I} ]; then
                             LogText "Result: found file ${I} in /etc/ssh, using that as candidate to create hostid2"
@@ -1211,8 +1214,20 @@
                         fi
                     fi
                 done
+            elif [ -d /etc/dropbear ]; then
+                SSH_KEY_FILES="dropbear_ed25519_host_key dropbear_rsa_host_key"
+                for I in ${SSH_KEY_FILES}; do
+                    if [ ${FOUND} -eq 0 ]; then
+                        if [ -f "/etc/dropbear/${I}" ]; then
+                            LogText "Result: found file ${I} in /etc/dropbear, using that as candidate to create hostid2"
+                            # Dropbear stores both keys in one binary file
+                            DATA_SSH=$(dropbearkey -y -f "/etc/dropbear/${I}" | grep '^ssh')
+                            FOUND=1
+                        fi
+                    fi
+                done
             else
-                LogText "Result: no /etc/ssh directory found, skipping"
+                LogText "Result: no /etc/ssh nor /etc/dropbear directory found, skipping"
             fi
 
             STRING_TO_HASH=""
@@ -1306,11 +1321,16 @@
         if [ $# -ne 2 ]; then Fatal "Incorrect usage of HasCorrectFilePermissions"; fi
         CHECKFILE="$1"
         CHECKPERMISSION_FULL="$2"
+        # Check for symlink
+        if [ -L ${CHECKFILE} ]; then
+            ShowSymlinkPath ${CHECKFILE}
+            if [ ! "${SYMLINK}" = "" ]; then CHECKFILE="${SYMLINK}"; fi
+        fi
         if [ ! -d ${CHECKFILE} -a ! -f ${CHECKFILE} ]; then
             return 2
         else
             for CHECK_PERMISSION in ${CHECKPERMISSION_FULL}; do
-                DATA=$(echo ${CHECK_PERMISSION} | ${EGREPBINARY} "[rwx]")
+                DATA=$(echo ${CHECK_PERMISSION} | ${GREPBINARY} -E "[rwx]")
                 if [ $? -eq 0 ]; then
                     # add a dummy character as first character so it looks like output is a normal file
                     CHECK_PERMISSION=$(echo "-${CHECK_PERMISSION}" | ${AWKBINARY} '{k=0;for(i=0;i<=8;i++)k+=((substr($1,i+2,1)~/[rwx]/)*2^(8-i));if(k)printf("%0o",k)}')
@@ -1320,9 +1340,8 @@
                 CHECK_PERMISSION=$(echo "${CHECK_PERMISSION}" | ${AWKBINARY} '{printf "%03d",$1}')
 
                 # First try stat command
-                LogText "Test: checking if file ${CHECKFILE} has the permissions set to ${CHECK_PERMISSION} or more restrictive"
+                LogText "Test: checking if file ${CHECKFILE} has the permissions set to ${CHECK_PERMISSION} (${CHECKPERMISSION_FULL}) or more restrictive"
                 if [ -n "${STATBINARY}" ]; then
-
                     case ${OS} in
                         *BSD | "macOS")
                             # BSD and macOS have no --format, only short notation
@@ -1332,6 +1351,8 @@
                             # busybox does not support format
                             if [ ${SHELL_IS_BUSYBOX} -eq 0 ]; then
                                 DATA=$(${STATBINARY} --format=%a ${CHECKFILE})
+                            else
+                                DATA=$(${STATBINARY} -c %a ${CHECKFILE})
                             fi
                         ;;
                     esac
@@ -1345,12 +1366,16 @@
                         ;;
                         *)
                             # Only use find when OS is NOT AIX and binaries are NOT busybox
+                            if [ -d "${CHECKFILE}" ]; then
+                                MAXDEPTH="-maxdepth 0"
+                            else
+                                MAXDEPTH=""
+                            fi
+
                             if [ ${SHELL_IS_BUSYBOX} -eq 0 ]; then
-                                if [ -d ${CHECKFILE} ]; then
+                                DATA=$(${FINDBINARY} "${CHECKFILE}" ${MAXDEPTH} -printf "%m")
-                                    DATA=$(${FINDBINARY} ${CHECKFILE} -maxdepth 0 -printf "%m")
+                            else
-                                else
+                                DATA=$(${FINDBINARY} "${CHECKFILE}" ${MAXDEPTH} -exec stat -c %a {} \;)
-                                    DATA=$(${FINDBINARY} ${CHECKFILE} -printf "%m")
-                                fi
                             fi
                         ;;
                     esac
@@ -1388,7 +1413,7 @@
                 fi
             done
 
-            LogText "Outcome: permissions of file ${CHECKFILE} are not matching expected value (${DATA} != ${CHECKPERMISSION_FULL})"
+            LogText "Outcome: permissions of file ${CHECKFILE} are not matching expected value (${DATA} != ${CHECK_PERMISSION})"
             # No match, return exit code 1
             return 1
         fi
@@ -1604,7 +1629,7 @@
                 # This search is not foolproof
                 LogText "Performing simple ps scan (busybox)"
                 PSOPTIONS=" -o args="
-                FIND=$(${PSBINARY:-ps} ${PSOPTIONS} | ${EGREPBINARY:-egrep} "( |/)${search}" | ${GREPBINARY:-grep} -v "grep")
+                FIND=$(${PSBINARY:-ps} ${PSOPTIONS} | ${GREPBINARY:-grep} -E "( |/)${search}" | ${GREPBINARY:-grep} -v "grep")
             else
                 if [ -n "${users}" ]; then
                     for u in ${users}; do
@@ -1868,7 +1893,7 @@
             # FreeBSD: hw.hv_vendor (remains empty for VirtualBox)
             # NetBSD: machdep.dmi.system-product
             # OpenBSD: hw.product
-            FIND=$(sysctl -a 2> /dev/null | grep -E "(hw.product|machdep.dmi.system-product)" | head -1 | sed 's/ = /=/' | awk -F= '{ print $2 }')
+            FIND=$(sysctl -a 2> /dev/null | grep -E "(hw.product|machdep.dmi.system-product)" | head -n 1 | sed 's/ = /=/' | awk -F= '{ print $2 }')
             if [ ! "${FIND}" = "" ]; then
                 SHORT="${FIND}"
             fi
@@ -2002,7 +2027,11 @@
         if [ $# -eq 0 ]; then ExitFatal "Missing parameter when calling IsWorldWritable function"; fi
         sFILE=$1
         FileIsWorldWritable=""
-
+        # Check for symlink
+        if [ -L ${sFILE} ]; then
+            ShowSymlinkPath ${sFILE}
+            if [ ! "${SYMLINK}" = "" ]; then sFILE="${SYMLINK}"; fi
+        fi
         # Only check if target is a file or directory
         if [ -f ${sFILE} -o -d ${sFILE} ]; then
             FINDVAL=$(ls -ld ${sFILE} | cut -c 9)
@@ -2078,6 +2107,10 @@
         elif [ -n "${PKGINFOBINARY}" ]; then
             output=$(${PKGINFOBINARY} -q -e ${package} >/dev/null 2>&1)
             exit_code=$?  # 0=package installed, 1=package not installed
+        # Slackware also has RPM for some reason and that's why this test precedes the RPMBINARY test
+        elif [ "${OS_NAME}" = "Slackware Linux" -a -d "${ROOTDIR}/var/lib/pkgtools/packages" ]; then
+            output=$( ls ${ROOTDIR}/var/lib/pkgtools/packages/ 2> /dev/null | ${GREPBINARY} "^${package}-[^-]\+-[^-]\+-[^-]\+$" )
+            exit_code=$?
         elif [ -n "${RPMBINARY}" ]; then
             output=$(${RPMBINARY} --quiet -q ${package} > /dev/null 2>&1)
             exit_code=$?
@@ -2090,6 +2123,9 @@
         elif [ -n "${XBPSBINARY}" ]; then
             output=$(${XBPSBINARY} ${package} 2> /dev/null | ${GREPBINARY} "^ii")
             exit_code=$?
+        elif [ -n "${APKBINARY}" ]; then
+            output=$(${APKBINARY} list --installed ${package} 2> /dev/null | ${GREPBINARY} ${package})
+            exit_code=$?
         else
             if [ "${package}" != "__dummy__" ]; then
                 ReportException "PackageIsInstalled:01 (test=${TEST_NO:-unknown})"
@@ -2551,14 +2587,18 @@
 
     GetTimestamp() {
         ts=0
-        case "${OS}" in
+        # Detect if the implementation of date supports nanoseconds,
-            "Linux")
+        if [ "${OS}" = "Linux" ]; then
+            current_nanoseconds=$(date "+%N")
+            # Verify if the result of the command is a number
+            if [ -n "$current_nanoseconds" ] && [ "$current_nanoseconds" -eq "$current_nanoseconds" ] 2>/dev/null; then
                 ts=$(date "+%s%N")
-            ;;
+            else
-            *)
                 ts=$(date "+%s")
-            ;;
+            fi
-        esac
+        else
+            ts=$(date "+%s")
+        fi
         echo $ts
     }
 
@@ -2743,7 +2783,6 @@
             if [ ${SKIPLOGTEST} -eq 0 ]; then LogText "Reason to skip: ${SKIPREASON}"; fi
             TESTS_SKIPPED="${TEST_NO}|${TESTS_SKIPPED}"
         fi
-        unset SKIPREASON
 
         # Save timestamp for next time the Register function is called
         PREVIOUS_TEST="${TEST_NO}"
@@ -3028,11 +3067,12 @@
 
     SafeInput() {
         exitcode=1
-        # By default remove only control characters
+        # Test against the string with a generic test set
         if [ $# -eq 1 ]; then
             input="$1"
-            cleaned=$(echo ${input} | tr -d '[:cntrl:]')
+            # Only allow common set of characters: a-z, A-Z, 0-9, /._-:=
-        # If know what to test against, then see if input matches the specified class
+            cleaned=$(echo "$input" | sed 's/[^a-zA-Z0-9\/\._:=-]//g')
+        # If two parameters are specified, then test input against specified class
         elif [ $# -eq 2 ]; then
             input="$1"
             testchars="$2"
@@ -3040,7 +3080,7 @@
         else
             ExitFatal "No argument or too many arguments provided to SafeInput()"
         fi
-
+        # Test if the cleaned string is the same as the original input
         if [ "${cleaned}" = "${input}" ]; then
             exitcode=0
         fi
@@ -3156,7 +3196,7 @@
 
                     if [ ${PENTESTINGMODE} -eq 0 -a ${IS_PARAMETERS} -eq 0 ]; then
                         if [ ! "${GROUP}" = "root" -a ! "${GROUP}" = "wheel" -a ! "${GROUPID}" = "0" ]; then
-                            echo "Fatal error: group owner of directory $1 should be owned by root user, wheel or similar (found: ${GROUP})."
+                            echo "Fatal error: group owner of directory $1 should be owned by root group, wheel or similar (found: ${GROUP})."
                             ExitFatal
                         fi
                     fi
@@ -3723,7 +3763,4 @@
         if IsDeveloperMode; then Debug "Warning: old ShowResult() function is used. Please replace any reference with WaitForKeyPress."; fi
     }
 
-
+# EOF
-#================================================================================
-# Lynis is part of Lynis Enterprise and released under GPLv3 license
-# Copyright 2007-2021 - Michael Boelen, CISOfy - https://cisofy.com

include/helper_audit_dockerfile

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
-# Website  : https://cisofy.com
+# Website  : https://cisofy.com/
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -233,5 +232,4 @@ fi
         rm -f ${TMP_FILE}
     fi
 
-
+# EOF
-# The End

include/helper_configure

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
-# Website  : https://cisofy.com
+# Website  : https://cisofy.com/
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -104,4 +103,4 @@
 
     ExitClean
 
-# The End
+# EOF

include/helper_generate

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
-# Website  : https://cisofy.com
+# Website  : https://cisofy.com/
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -189,4 +188,4 @@ fi
 
 ExitClean
 
-# The End
+# EOF

include/helper_show

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
-# Website  : https://cisofy.com
+# Website  : https://cisofy.com/
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -480,4 +479,4 @@ ExitClean
 # - categories
 # - workdir
 
-# The End
+# EOF

include/helper_system_remote_scan

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
-# Website  : https://cisofy.com
+# Website  : https://cisofy.com/
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -82,4 +81,4 @@
     # No more Lynis output
     QUIET=1
 
-# The End
+# EOF

include/helper_update

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
-# Website  : https://cisofy.com
+# Website  : https://cisofy.com/
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -111,4 +110,4 @@ ExitClean
 
 QUIET=1
 
-# The End
+# EOF

include/osdetection

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
-# Website  : https://cisofy.com
+# Website  : https://cisofy.com/
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -64,6 +63,9 @@
                     10.15 | 10.15.[0-9]*) OS_FULLNAME="macOS Catalina (${OS_VERSION})" ;;
                     11 | 11.[0-9]*) OS_FULLNAME="macOS Big Sur (${OS_VERSION})" ;;
                     12 | 12.[0-9]*) OS_FULLNAME="macOS Monterey (${OS_VERSION})" ;;
+                    13 | 13.[0-9]*) OS_FULLNAME="macOS Ventura (${OS_VERSION})" ;;
+                    14 | 14.[0-9]*) OS_FULLNAME="macOS Sonoma (${OS_VERSION})" ;;
+                    15 | 15.[0-9]*) OS_FULLNAME="macOS Sequoia (${OS_VERSION})" ;;
                     *) echo "Unknown macOS version. Do you know what version it is? Create an issue at ${PROGRAM_SOURCE}" ;;
                 esac
             else
@@ -158,6 +160,11 @@
                             OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
                             OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
                         ;;
+                        "altlinux")
+                            LINUX_VERSION="ALT Linux"
+                            OS_NAME="altlinux"
+                            OS_VERSION=$(grep "^ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                        ;;
                         "amzn")
                             LINUX_VERSION="Amazon Linux"
                             OS_NAME="Amazon Linux"
@@ -169,16 +176,38 @@
                             OS_FULLNAME="Arch Linux"
                             OS_VERSION="Rolling release"
                         ;;
+                        "archarm")
+                            LINUX_VERSION="Arch Linux ARM"
+                            OS_FULLNAME="Arch Linux ARM"
+                            OS_VERSION="Rolling release"
+                        ;;
                         "arch32")
                             LINUX_VERSION="Arch Linux 32"
                             OS_FULLNAME="Arch Linux 32"
                             OS_VERSION="Rolling release"
                         ;;
+                        "arcolinux")
+                            LINUX_VERSION="ArcoLinux"
+                            OS_FULLNAME="ArcoLinux"
+                            OS_VERSION="Rolling release"
+                        ;;
                         "artix")
                             LINUX_VERSION="Artix Linux"
                             OS_FULLNAME="Artix Linux"
                             OS_VERSION="Rolling release"
                         ;;
+                        "athena")
+                            LINUX_VERSION="Athena OS"
+                            OS_NAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                            OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                            OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                        ;;
+                        "buildroot")
+                            LINUX_VERSION="Buildroot"
+                            OS_NAME="Buildroot"
+                            OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                            OS_VERSION_FULL=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                        ;;
                         "bunsenlabs")
                             LINUX_VERSION="BunsenLabs"
                             OS_NAME="BunsenLabs"
@@ -208,6 +237,11 @@
                             OS_NAME="CoreOS Linux"
                             OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
                         ;;
+                        "cos")
+                            LINUX_VERSION="Container-Optimized OS"
+                            OS_NAME="Container-Optimized OS from Google"
+                            OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                        ;;
                         "debian")
                             LINUX_VERSION="Debian"
                             OS_NAME="Debian"
@@ -238,6 +272,12 @@
                             OS_REDHAT_OR_CLONE=1
                             OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
                         ;;
+                        "fedora-asahi-remix")
+                            LINUX_VERSION="Fedora"
+                            OS_NAME="Fedora Linux Asahi Remix"
+                            OS_REDHAT_OR_CLONE=1
+                            OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                        ;;
                         "flatcar")
                             LINUX_VERSION="Flatcar"
                             LINUX_VERSION_LIKE="CoreOS"
@@ -249,6 +289,13 @@
                             OS_FULLNAME="Funtoo Linux"
                             OS_VERSION="Rolling release"
                         ;;
+                        "gardenlinux")
+                            LINUX_VERSION="Garden Linux"
+                            LINUX_VERSION_LIKE="Debian"
+                            OS_NAME=$(grep "^NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                            OS_VERSION=$(grep "^GARDENLINUX_VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                            OS_VERSION_FULL=$(grep "^GARDENLINUX_VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                        ;;
                         "garuda")
                             LINUX_VERSION="Garuda"
                             OS_FULLNAME="Garuda Linux"
@@ -260,6 +307,12 @@
                             OS_NAME="Gentoo Linux"
                             OS_VERSION="Rolling release"
                         ;;
+                        "guix")
+                            LINUX_VERSION="Guix"
+                            OS_FULLNAME="Guix System"
+                            OS_NAME="Guix"
+                            OS_VERSION="Rolling release"
+                        ;;
                         "ipfire")
                             LINUX_VERSION="IPFire"
                             OS_NAME="IPFire"
@@ -271,6 +324,12 @@
                             OS_NAME="Kali Linux"
                             OS_VERSION="Rolling release"
                         ;;
+                        "koozali")
+                            LINUX_VERSION="Koozali"
+                            OS_NAME="Koozali SME Server"
+                            OS_REDHAT_OR_CLONE=1
+                            OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                        ;;
                         "linuxmint")
                             LINUX_VERSION="Linux Mint"
                             LINUX_VERSION_LIKE="Ubuntu"
@@ -278,6 +337,11 @@
                             OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
                             OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
                         ;;
+                        "lsdk")
+                            LINUX_VERSION="NXP LSDK"
+                            OS_NAME="NXP LSDK"
+                            OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                        ;;
                         "mageia")
                             LINUX_VERSION="Mageia"
                             OS_NAME="Mageia"
@@ -290,6 +354,13 @@
                             OS_NAME="Manjaro"
                             OS_VERSION="Rolling release"
                         ;;
+                        "neon")
+                            LINUX_VERSION="KDE Neon"
+                            LINUX_VERSION_LIKE="Ubuntu"
+                            OS_NAME="KDE Neon"
+                            OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                            OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                        ;;
                         "nethserver")
                             LINUX_VERSION="NethServer"
                             OS_NAME="NethServer"
@@ -308,6 +379,18 @@
                             OS_REDHAT_OR_CLONE=1
                             OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
                         ;;
+                        "nobara")
+                            LINUX_VERSION="Nobara"
+                            OS_NAME="Nobara Linux"
+                            OS_REDHAT_OR_CLONE=1
+                            OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                        ;;
+                        "nodistro")
+                            LINUX_VERSION="openembedded"
+                            OS_NAME="OpenEmbedded"
+                            OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                            OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                        ;;
                         "opensuse-tumbleweed")
                             LINUX_VERSION="openSUSE Tumbleweed"
                             # It's rolling release but has a snapshot version (the date of the snapshot)
@@ -324,12 +407,33 @@
                             OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
                             OS_NAME="openSUSE"
                         ;;
+                        "osmc")
+                            LINUX_VERSION="OSMC"
+                            LINUX_VERSION_LIKE="Debian"
+                            OS_NAME="Open Source Media Center"
+                            OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                        ;;
                         "parrot")
                             LINUX_VERSION="Parrot"
                             OS_NAME="Parrot GNU/Linux"
                             OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
                             OS_VERSION_FULL=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
                         ;;
+                        "peppermint")
+                            LINUX_VERSION="Peppermint OS"
+                            LINUX_VERSION_LIKE="Debian"
+                            OS_NAME="Peppermint OS"
+                            OS_VERSION=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                            OS_VERSION_FULL=$(grep "^VERSION_CODENAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                        ;;
+                        "poky")
+                            LINUX_VERSION="Poky"
+                            OS_NAME="openembedded"
+                            LINUX_VERSION_LIKE="openembedded"
+                            OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                            OS_VERSION_FULL=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+
+                        ;;
                         "pop")
                             LINUX_VERSION="Pop!_OS"
                             LINUX_VERSION_LIKE="Ubuntu"
@@ -337,6 +441,13 @@
                             OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
                             OS_NAME="Pop!_OS"
                         ;;
+                        "postmarketos")
+                            LINUX_VERSION="PostmarketOS"
+                            LINUX_VERSION_LIKE="Alpine"
+                            OS_NAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                            OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                            OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                        ;;
                         "pureos")
                             LINUX_VERSION="PureOS"
                             LINUX_VERSION_LIKE="Debian"
@@ -401,7 +512,7 @@
                             OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
                         ;;
                         *)
-                            ReportException "OS Detection" "Unknown OS found in /etc/os-release - Please create an issue on GitHub and share the the contents (cat /etc/os-release): ${PROGRAM_SOURCE}"
+                            ReportException "OS Detection" "Unknown OS found in /etc/os-release - Please create an issue on GitHub and share the contents (cat /etc/os-release): ${PROGRAM_SOURCE}"
                         ;;
                     esac
                 fi
@@ -678,7 +789,7 @@
                         ReportException "OS Detection" "Unknown OS found in /etc/os-release - Please create issue on GitHub project page: ${PROGRAM_SOURCE}"
                         ;;
                 esac
-            elif [ "$(uname -o 2> /dev/null)" == "illumos" ]; then
+            elif [ "$(uname -o 2> /dev/null)" = "illumos" ]; then
                 OPENSOLARIS=1
         
                 # Solaris has a free form text file with release information
@@ -725,7 +836,7 @@
                 if tail -1 < /etc/release | xargs | grep "^Solaris " > /dev/null; then
                     OS_FULLNAME=$(tail -1 < /etc/release | xargs)
                 else
-                    OS_FULLNAME=$(head -1 < /etc/release | xargs)
+                    OS_FULLNAME=$(head -n 1 < /etc/release | xargs)
                 fi
                 OS_VERSION=$(echo "$OS_FULLNAME" | cut -d ' ' -f 2,3)
             else  # Old behaviour
@@ -777,10 +888,26 @@
     ECHONB=""
 
     case ${OS} in
-        "AIX")                           ECHOCMD="echo"; ECHONB="printf" ;;
+        "AIX")
-        "DragonFly"|"FreeBSD"|"NetBSD")  ECHOCMD="echo -e"; ECHONB="echo -n" ;;
+            ECHOCMD="echo";
-        "macOS" | "Mac OS X")                         ECHOCMD="echo"; ECHONB="/bin/echo -n" ;;
+            ECHONB="printf"
-        "Solaris")                       ECHOCMD="echo" ; test -f /usr/ucb/echo && ECHONB="/usr/ucb/echo -n" ;;
+        ;;
+        "DragonFly"|"FreeBSD"|"NetBSD")
+            ECHOCMD="echo -e"
+            ECHONB="echo -n"
+            NOW=$(date "+%s")
+        ;;
+        "macOS" | "Mac OS X")
+            ECHOCMD="echo"
+            ECHONB="/bin/echo -n"
+            NOW=$(date "+%s")
+        ;;
+
+        "Solaris")         
+            ECHOCMD="echo"
+            test -f /usr/ucb/echo && ECHONB="/usr/ucb/echo -n"
+            NOW=$(nawk 'BEGIN{print srand()}')
+        ;;
         "Linux")
             # Check if dash is used (Debian/Ubuntu)
             DEFAULT_SHELL=$(ls -l /bin/sh | awk -F'>' '{print $2}')
@@ -788,16 +915,23 @@
                 " dash")                 ECHOCMD="/bin/echo -e" ;;
                 *)                       ECHOCMD="echo -e" ;;
             esac
+            NOW=$(date "+%s")
+        ;;
+        *)
+            ECHOCMD="echo -e"
+            NOW=$(date "+%s")
         ;;
-        *)                               ECHOCMD="echo -e" ;;
     esac
-
+    
     # Check if we have full featured commands, or are using BusyBox as a shell
     if [ -x /bin/busybox ]; then
         if [ -L /bin/ps ]; then
             ShowSymlinkPath /bin/ps
             if [ "${SYMLINK}" = "/bin/busybox" ]; then
                 SHELL_IS_BUSYBOX=1
+                LogText "Result: The device is using Busybox."
+            else
+                LogText "Result: The device is NOT using Busybox."
             fi
         fi
     fi
@@ -820,13 +954,10 @@
             if [ -n "${EOL_TIMESTAMP}" ]; then
                 EOL_DATE=$(awk -v value="${FIND}" -F: '{if ($1=="os" && value ~ $2){print $3}}' ${DBDIR}/software-eol.db | head -n 1)
                 if [ -n "${EOL_DATE}" ]; then
-                    NOW=$(date "+%s")
+                    if [ ${NOW} -gt ${EOL_TIMESTAMP} ]; then
-                    if [ -n "${NOW}" ]; then
+                        EOL=1
-                        if [ ${NOW} -gt ${EOL_TIMESTAMP} ]; then
+                    else
-                            EOL=1
+                        EOL=0
-                        else
-                            EOL=0
-                        fi
                     fi
                 else
                     EOL=0

include/parameters

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
-# Website  : https://cisofy.com
+# Website  : https://cisofy.com/
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are

include/profiles

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
-# Website  : https://cisofy.com
+# Website  : https://cisofy.com/
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -56,7 +55,7 @@
         fi
 
         # Security check for unexpected and possibly harmful escape characters (hyphen should be listed as first or last character)
-        DATA=$(grep -Ev '^$|^ |^#|^config:' "${PROFILE}" | tr -d '[:alnum:]/\[\]\(\)_\|,\.:;= \n\r-')
+        DATA=$(grep -Ev '^$|^ |^#|^config:' "${PROFILE}" | tr -d '[a-zA-Z0-9]/\[\]\(\)_\|,\.:;= \n\r-')
         if ! IsEmpty "${DATA}"; then
             DisplayWarning "Your profile '${PROFILE}' contains unexpected characters. See the log file for more information."
             LogText "Found unexpected or possibly harmful characters in profile '${PROFILE}'. See which characters matched in the output below and compare them with your profile."
@@ -68,7 +67,7 @@
         fi
 
         # Now parse the profile and filter out unwanted characters
-        DATA=$(grep -E "^config:|^[a-z-].*=" ${PROFILE} | tr -dc '[:alnum:]/\[\]\(\)_\|,\.:;= \n\r-' | sed 's/ /!space!/g')
+        DATA=$(grep -E "^config:|^[a-z-].*=" ${PROFILE} | tr -dc '[a-zA-Z0-9]/\[\]\(\)_\|,\.:;= \n\r-' | sed 's/ /!space!/g')
         for CONFIGOPTION in ${DATA}; do
             if ContainsString "^config:" "${CONFIGOPTION}"; then
                 # Old style configuration
@@ -352,7 +351,7 @@
 
                 # Which tests to skip (skip-test=ABCD-1234 or skip-test=ABCD-1234:subtest)
                 skip-test)
-                    STRING=$(echo ${VALUE} | tr '[:lower:]' '[:upper:]')
+                    STRING=$(echo ${VALUE} | awk '{print toupper($0)}')
                     SKIP_TESTS="${SKIP_TESTS} ${STRING}"
                 ;;
 
@@ -371,7 +370,7 @@
 
                 ssl-certificate-paths-to-ignore)
                     # Retrieve paths to ignore when searching for certificates. Strip special characters, replace possible spaces
-                    SSL_CERTIFICATE_PATHS_TO_IGNORE=$(echo ${VALUE} | tr -d '[:cntrl:]' | sed 's/ /__space__/g' | tr ':' ' ')
+                    SSL_CERTIFICATE_PATHS_TO_IGNORE=$(echo ${VALUE} | tr -d '[\001-\037]' | sed 's/ /__space__/g' | tr ':' ' ')
                     Debug "SSL paths to ignore: ${SSL_CERTIFICATE_PATHS_TO_IGNORE}"
                     AddSetting "ssl-certificate-paths-to-ignore" "${SSL_CERTIFICATE_PATHS_TO_IGNORE}" "Paths that should be ignored for SSL certificates"
                 ;;
@@ -479,7 +478,7 @@
 
                 # Deprecated: skip tests
                 test_skip_always)
-                    STRING=$(echo ${VALUE} | tr '[:lower:]' '[:upper:]')
+                    STRING=$(echo ${VALUE} | awk '{print toupper($0)}')
                     SKIP_TESTS="${SKIP_TESTS} ${STRING}"
                     LogText "[deprecated option] Tests to be skipped: ${VALUE}"
                     DisplayToolTip "Replace deprecated option 'test_skip_always' and replace with 'skip-test' (add to custom.prf)"

include/report

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
-# Website  : https://cisofy.com
+# Website  : https://cisofy.com/
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -161,7 +160,8 @@
                 for SUGGESTION in ${SUGGESTIONS}; do
                     SOLUTION=""
                     SHOWSUGGESTION=$(echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^.* Suggestion: //' | sed 's/\[details:\(.*\)\] \[solution:\(.*\)\]//' | sed 's/test://')
-                    ADDLINK=$(echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^.* Suggestion: \(.*\)\[test://' | sed 's/\]\(.*\)]//' | ${AWKBINARY} -F: '{print $1}')
+                    RELATED_CONTROL=$(echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^.* Suggestion: \(.*\)\[test://' | sed 's/\]\(.*\)]//' | ${AWKBINARY} -F: '{print $1}')
+                    ADDLINK="${RELATED_CONTROL}"
                     DETAILS=$(echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^.* Suggestion: \(.*\)\[details://' | sed 's/\]\(.*\)]//')
                     SUGGESTION_PIECES=$(echo ${SUGGESTION} | sed 's/\[/ [/g')
                     for PIECE in ${SUGGESTION_PIECES}; do
@@ -174,10 +174,23 @@
                     echo "  ${YELLOW}*${NORMAL} ${SHOWSUGGESTION}"
                     if [ ! "${DETAILS}" = "-" -a -n "${DETAILS}" ]; then echo "    - Details  : ${CYAN}${DETAILS}${NORMAL}"; fi
                     if [ ${SHOW_REPORT_SOLUTION} -eq 1 -a ! "${SOLUTION}" = "-" ]; then echo "    - Solution : ${SOLUTION}"; fi
+                    # Show relevant articles if the database is available
+                    if [ -f ${DBDIR}/control-links.db ]; then
+                        echo "    - Related resources"
+                        ARTICLES=$($AWKBINARY -F \; -v control=${RELATED_CONTROL} '{if($1==control && $2=="blog"){print $2";"$3";"$4";"}}' "${DBDIR}/control-links.db" | sed 's/ /!space!/g')
+                        if [ -n "${ARTICLES}" ]; then
+                            for ITEM in ${ARTICLES}; do
+                                ITEM=$(echo ${ITEM} | sed 's/!space!/ /g')
+                                ARTICLE=$(echo ${ITEM} | awk -F\; '{print $2}')
+                                ARTICLE_LINK=$(echo ${ITEM} | awk -F\; '{print $3}')
+                                echo "      * Article: ${CYAN}${ARTICLE}${NORMAL}: ${ARTICLE_LINK}"
+                            done
+                        fi
+                    fi
                     if [ -z "${IS_CUSTOM}" ]; then
-                        echo "      ${GRAY}${CONTROL_URL_PROTOCOL}://${CONTROL_URL_PREPEND}${ADDLINK}${CONTROL_URL_APPEND}${NORMAL}"
+                        echo "      * Website: ${GRAY}${CONTROL_URL_PROTOCOL}://${CONTROL_URL_PREPEND}${ADDLINK}${CONTROL_URL_APPEND}${NORMAL}"
                     else
-                        echo "      ${GRAY}${CUSTOM_URL_PROTOCOL}://${CUSTOM_URL_PREPEND}${ADDLINK}${CUSTOM_URL_APPEND}${NORMAL}"
+                        echo "      * Details: ${GRAY}${CUSTOM_URL_PROTOCOL}://${CUSTOM_URL_PREPEND}${ADDLINK}${CUSTOM_URL_APPEND}${NORMAL}"
                     fi
                     echo ""
                 done
@@ -312,6 +325,4 @@
         echo "================================================================================"
     fi
 
-#
+# EOF
-#================================================================================
-# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com

include/tests_accounting

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
-# Website  : https://cisofy.com
+# Website  : https://cisofy.com/
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -478,6 +477,4 @@
 
 WaitForKeyPress
 
-#
+# EOF
-#================================================================================
-# Lynis - Copyright 2007-2021, Michael Boelen / CISOfy - https://cisofy.com

include/tests_authentication

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
 # Website  : https://cisofy.com
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -25,7 +24,7 @@
     LDAP_AUTH_ENABLED=0
     LDAP_PAM_ENABLED=0
     LDAP_CONF_LOCATIONS="${ROOTDIR}etc/ldap.conf ${ROOTDIR}etc/ldap/ldap.conf ${ROOTDIR}etc/openldap/ldap.conf ${ROOTDIR}usr/local/etc/ldap.conf ${ROOTDIR}usr/local/etc/openldap/ldap.conf"
-    PAM_FILE_LOCATIONS="${ROOTDIR}lib/arm-linux-gnueabihf/security ${ROOTDIR}lib/i386-linux-gnu/security ${ROOTDIR}lib/security ${ROOTDIR}lib/x86_64-linux-gnu/security ${ROOTDIR}lib64/security ${ROOTDIR}usr/lib /usr/lib/security"
+    PAM_FILE_LOCATIONS="${ROOTDIR}usr/lib/aarch64-linux-gnu/security ${ROOTDIR}lib/arm-linux-gnueabihf/security ${ROOTDIR}lib/i386-linux-gnu/security ${ROOTDIR}lib/security ${ROOTDIR}lib/x86_64-linux-gnu/security ${ROOTDIR}lib/powerpc64le-linux-gnu/security ${ROOTDIR}lib64/security ${ROOTDIR}usr/lib /usr/lib/security"
     SUDOERS_LOCATIONS="${ROOTDIR}etc/sudoers ${ROOTDIR}usr/local/etc/sudoers ${ROOTDIR}usr/pkg/etc/sudoers"
     SUDOERS_FILE=""
 #
@@ -42,9 +41,9 @@
         LogText "Test: Searching accounts with UID 0"
         # Check if device is a QNAP, as the root user is called admin, and not root
         if [ ${QNAP_DEVICE} -eq 1 ]; then
-            FIND=$(${GREPBINARY} ':0:' ${ROOTDIR}etc/passwd | ${EGREPBINARY} -v '^#|^admin:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0')
+            FIND=$(${GREPBINARY} ':0:' ${ROOTDIR}etc/passwd | ${GREPBINARY} -E -v '^#|^admin:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0')
         else
-            FIND=$(${GREPBINARY} ':0:' ${ROOTDIR}etc/passwd | ${EGREPBINARY} -v '^#|^root:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0')
+            FIND=$(${GREPBINARY} ':0:' ${ROOTDIR}etc/passwd | ${GREPBINARY} -E -v '^#|^root:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0')
         fi
         if [ -n "${FIND}" ]; then
             Display --indent 2 --text "- Administrator accounts" --result "${STATUS_WARNING}" --color RED
@@ -163,7 +162,7 @@
         LogText "Test: Checking login shells"
         if [ -f ${ROOTDIR}etc/master.passwd ]; then
             # Check for all shells, except: (/usr)/sbin/nologin /nonexistent
-            FIND=$(${GREPBINARY} "[a-z]:\*:" ${ROOTDIR}etc/master.passwd | ${EGREPBINARY} -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | ${SEDBINARY} 's/ /!space!/g')
+            FIND=$(${GREPBINARY} "[a-z]:\*:" ${ROOTDIR}etc/master.passwd | ${GREPBINARY} -E -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | ${SEDBINARY} 's/ /!space!/g')
             if [ -z "${FIND}" ]; then
                 Display --indent 2 --text "- Login shells" --result "${STATUS_OK}" --color GREEN
             else
@@ -499,13 +498,13 @@
     Register --test-no AUTH-9240 --weight L --network NO --category security --description "Query NIS+ authentication support"
     if [ ${SKIPTEST} -eq 0 ]; then
         if [ -f /etc/nsswitch.conf ]; then
-            FIND=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${EGREPBINARY} "compat|nisplus")
+            FIND=$(${GREPBINARY} -E "^passwd" /etc/nsswitch.conf | ${GREPBINARY} -E "compat|nisplus")
             if [ -z "${FIND}" ]; then
                 LogText "Result: NIS+ authentication not enabled"
                 Display --indent 2 --text "- NIS+ authentication support" --result "${STATUS_NOT_ENABLED}" --color WHITE
             else
-                FIND2=$(${EGREPBINARY} "^passwd_compat" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus")
+                FIND2=$(${GREPBINARY} -E "^passwd_compat" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus")
-                FIND3=$(${EGREPBINARY} "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus")
+                FIND3=$(${GREPBINARY} -E "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus")
                 if [ -n "${FIND2}" -o -n "${FIND3}" ]; then
                     LogText "Result: NIS+ authentication enabled"
                     Display --indent 2 --text "- NIS+ authentication support" --result "${STATUS_ENABLED}" --color GREEN
@@ -526,13 +525,13 @@
     Register --test-no AUTH-9242 --weight L --network NO --category security --description "Query NIS authentication support"
     if [ ${SKIPTEST} -eq 0 ]; then
         if [ -f /etc/nsswitch.conf ]; then
-            FIND=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${EGREPBINARY} "compat|nis" | ${GREPBINARY} -v "nisplus")
+            FIND=$(${GREPBINARY} -E "^passwd" /etc/nsswitch.conf | ${GREPBINARY} -E "compat|nis" | ${GREPBINARY} -v "nisplus")
             if [ -z "${FIND}" ]; then
                 LogText "Result: NIS authentication not enabled"
                 Display --indent 2 --text "- NIS authentication support" --result "${STATUS_NOT_ENABLED}" --color WHITE
             else
-                FIND2=$(${EGREPBINARY} "^passwd_compat" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus")
+                FIND2=$(${GREPBINARY} -E "^passwd_compat" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus")
-                FIND3=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus")
+                FIND3=$(${GREPBINARY} -E "^passwd" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus")
                 if [ -n "${FIND2}" -o -n "${FIND3}" ]; then
                     LogText "Result: NIS authentication enabled"
                     Display --indent 2 --text "- NIS authentication support" --result "${STATUS_ENABLED}" --color GREEN
@@ -607,7 +606,7 @@
                     Display --indent 4 --text "- Permissions for directory: ${SUDOERS_D}" --result "${STATUS_WARNING}" --color RED
                     ;;
             esac
-            SUDO_CONFIG_FILES="${SUDO_CONFIG_FILES} $(${FINDBINARY} ${SUDOERS_D} -type f -print)"
+            SUDO_CONFIG_FILES="${SUDO_CONFIG_FILES} $(${FINDBINARY} -L ${SUDOERS_D} -type f -print)"
         fi
         for f in ${SUDO_CONFIG_FILES}; do
             LogText "Test: checking file (${f})"
@@ -717,7 +716,7 @@
         if [ ${FOUND} -eq 0 ]; then
             Display --indent 2 --text "- PAM password strength tools" --result "${STATUS_SUGGESTION}" --color YELLOW
             LogText "Result: no PAM modules for password strength testing found"
-            ReportSuggestion "${TEST_NO}" "Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc"
+            ReportSuggestion "${TEST_NO}" "Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc or libpam-passwdqc"
             AddHP 0 3
         else
             Display --indent 2 --text "- PAM password strength tools" --result "${STATUS_OK}" --color GREEN
@@ -737,7 +736,7 @@
             LogText "Result: file ${ROOTDIR}etc/pam.conf exists"
             Display --indent 2 --text "- PAM configuration files (pam.conf)" --result "${STATUS_FOUND}" --color GREEN
             LogText "Test: searching PAM configuration files"
-            FIND=$(${EGREPBINARY} -v "^#" ${ROOTDIR}etc/pam.conf | ${EGREPBINARY} -v "^$" | ${SEDBINARY} 's/[[:space:]]/ /g' | ${SEDBINARY} 's/  / /g' | ${SEDBINARY} 's/ /:space:/g')
+            FIND=$(${GREPBINARY} -E -v "^#" ${ROOTDIR}etc/pam.conf | ${GREPBINARY} -E -v "^$" | ${SEDBINARY} 's/[[:space:]]/ /g' | ${SEDBINARY} 's/  / /g' | ${SEDBINARY} 's/ /:space:/g')
             if [ -z "${FIND}" ]; then
                 LogText "Result: File has no configuration options defined (empty, or only filled with comments and empty lines)"
             else
@@ -764,7 +763,7 @@
             LogText "Result: directory /etc/pam.d exists"
             Display --indent 2 --text "- PAM configuration files (pam.d)" --result "${STATUS_FOUND}" --color GREEN
             LogText "Test: searching PAM configuration files"
-            FIND=$(${FINDBINARY} ${ROOTDIR}etc/pam.d \! -name "*.pam-old" -type f -print | sort)
+            FIND=$(${FINDBINARY} -L ${ROOTDIR}etc/pam.d \! -name "*.pam-old" -type f -print | sort)
             for FILE in ${FIND}; do
                 LogText "Found file: ${FILE}"
             done
@@ -1017,7 +1016,7 @@
             LogText "Data: Days since epoch is ${DAYS_SINCE_EPOCH}"
             LogText "Test: collecting accounts which have an expired password (last day changed + maximum change time)"
             # Skip fields with a !, *, or x, or !* (field $3 is last changed, $5 is maximum changed)
-            FIND=$(${EGREPBINARY} -v ":[\!\*x]([\*\!])?:" /etc/shadow | ${AWKBINARY} -v today=${DAYS_SINCE_EPOCH} -F: '{ if (($5!="") && (today>$3+$5)) { print $1 }}')
+            FIND=$(${GREPBINARY} -E -v ":[\!\*x]([\*\!])?:" /etc/shadow | ${AWKBINARY} -v today=${DAYS_SINCE_EPOCH} -F: '{ if (($5!="") && (today>$3+$5)) { print $1 }}')
             if [ -n "${FIND}" ]; then
                 for ACCOUNT in ${FIND}; do
                     LogText "Result: password of user ${ACCOUNT} has been expired"
@@ -1109,8 +1108,8 @@
                 TEST_PERFORMED=1
                 LogText "Result: file ${ROOTDIR}etc/inittab exists"
                 LogText "Test: checking presence sulogin for single user mode"
-                FIND=$(${EGREPBINARY} "^[a-zA-Z0-9~]+:S:(respawn|wait):/sbin/sulogin" /etc/inittab)
+                FIND=$(${GREPBINARY} -E "^[a-zA-Z0-9~]+:S:(respawn|wait):/sbin/sulogin" /etc/inittab)
-                FIND2=$(${EGREPBINARY} "^su:S:(respawn|wait):/sbin/sulogin" /etc/inittab)
+                FIND2=$(${GREPBINARY} -E "^su:S:(respawn|wait):/sbin/sulogin" /etc/inittab)
                 if [ -n "${FIND}" -o -n "${FIND2}" ]; then
                     FOUND=1
                     LogText "Result: found sulogin, so single user is protected"
@@ -1147,7 +1146,7 @@
                     # Mark test as performed only when at least 1 target exists (e.g. Ubuntu 14.04 has limited systemd support)
                     TEST_PERFORMED=1
                     LogText "Result: found target ${I}"
-                    FIND=$(${EGREPBINARY} "^ExecStart=" ${FILE} | ${GREPBINARY} "sulogin")
+                    FIND=$(${GREPBINARY} -E "^ExecStart=" ${FILE} | ${GREPBINARY} "sulogin")
                     if [ "${FIND}" = "" ]; then
                         LogText "Result: did not find sulogin specified, possible risk of getting into single user mode without authentication"
                     else
@@ -1270,8 +1269,6 @@
                 LogText "Result: found no umask. Please check if this is correct"
                 Display --indent 4 --text "- umask (/etc/profile)" --result "${STATUS_NOT_FOUND}" --color YELLOW
             fi
-          else
-            LogText "Result: file /etc/profile does not exist"
         fi
 
         # /etc/passwd
@@ -1486,7 +1483,7 @@
     Register --test-no AUTH-9402 --weight L --network NO --category security --description "Query LDAP authentication support"
     if [ ${SKIPTEST} -eq 0 ]; then
         if [ -f ${ROOTDIR}etc/nsswitch.conf ]; then
-            FIND=$(${EGREPBINARY} "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "ldap")
+            FIND=$(${GREPBINARY} -E "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "ldap")
             if [ "${FIND}" = "" ]; then
                 LogText "Result: LDAP authentication not enabled"
                 Display --indent 2 --text "- LDAP authentication support" --result "${STATUS_NOT_ENABLED}" --color WHITE
@@ -1514,7 +1511,7 @@
                 LogText "Result: file ${FILE} exists, LDAP being used"
                 LDAP_CLIENT_CONFIG_FILE="${FILE}"
                 LogText "Test: checking LDAP servers in file ${FILE}"
-                FIND=$(${EGREPBINARY} "^host " ${FILE} | ${AWKBINARY} '{ print $2 }')
+                FIND=$(${GREPBINARY} -E "^host " ${FILE} | ${AWKBINARY} '{ print $2 }')
                 for SERVER in ${FIND}; do
                     Display --indent 6 --text "LDAP server: ${SERVER}"
                     LogText "Result: found LDAP server ${SERVER}"
@@ -1533,31 +1530,49 @@
     # Description : Logging of failed login attempts
     Register --test-no AUTH-9408 --weight L --network NO --category security --description "Logging of failed login attempts"
     if [ ${SKIPTEST} -eq 0 ]; then
-        if [ -f "${ROOTDIR}etc/pam.conf" ]; then
+        if [ -f "${ROOTDIR}etc/pam.conf" -o -d "${ROOTDIR}etc/pam.d" ]; then
             FOUND_PAM_TALLY2=0
             FOUND_TALLYLOG=0
-            if [ -s "${ROOTDIR}var/log/tallylog" ]; then
+            FOUND_PAM_FAILLOCK=0
+            FOUND_FAILLOCKDIR=0
+            if [ -d "${ROOTDIR}var/run/faillock" ]; then
+                FOUND_FAILLOCKDIR=1
+                LogText "Result: found ${ROOTDIR}var/run/faillock directory"
+            elif [ -s "${ROOTDIR}var/log/tallylog" ]; then
                 FOUND_TALLYLOG=1
                 LogText "Result: found ${ROOTDIR}var/log/tallylog with a size bigger than zero"
             else
-                LogText "Result: did not find ${ROOTDIR}var/log/tallylog on disk or its file size is zero bytes"
+                LogText "Result: did not find ${ROOTDIR}var/run/faillock directory or ${ROOTDIR}var/log/tallylog file on disk or its file size is zero bytes"
             fi
-            # Determine if pam_tally2 is available
+            # Determine if pam_faillock is available
             for D in $(GetReportData --key "pam_module\\\[\\\]"); do
-                if ContainsString "pam_tally2" "${D}"; then
+                if ContainsString "pam_faillock" "${D}"; then
-                    LogText "Result: found pam_tally2 module on disk"
+                    LogText "Result: found pam_faillock module on disk"
-                    FOUND_PAM_TALLY2=1
+                    FOUND_PAM_FAILLOCK=1
                 fi
             done
-            if [ ${FOUND_PAM_TALLY2} -eq 1 -a ${FOUND_TALLYLOG} -eq 1 ]; then
+            if [ ${FOUND_PAM_FAILLOCK} -eq 0 ]; then
+                # Determine if pam_tally2 is available
+                for D in $(GetReportData --key "pam_module\\\[\\\]"); do
+                    if ContainsString "pam_tally2" "${D}"; then
+                        LogText "Result: found pam_tally2 module on disk"
+                        FOUND_PAM_TALLY2=1
+                    fi
+                done
+            fi
+            if [ ${FOUND_PAM_FAILLOCK} -eq 1 -a ${FOUND_FAILLOCKDIR} -eq 1 ]; then
+                LogText "Outcome: authentication failures are logged using pam_faillock"
+                AUTH_FAILED_LOGINS_LOGGED=1
+                Report "auth_failed_logins_tooling[]=pam_faillock"
+            elif [ ${FOUND_PAM_TALLY2} -eq 1 -a ${FOUND_TALLYLOG} -eq 1 ]; then
                 LogText "Outcome: authentication failures are logged using pam_tally2"
                 AUTH_FAILED_LOGINS_LOGGED=1
                 Report "auth_failed_logins_tooling[]=pam_tally2"
             else
-                LogText "Outcome: it looks like pam_tally2 is not configured to log failed login attempts"
+                LogText "Outcome: it looks like pam_faillock or pam_tally2 is not configured to log failed login attempts"
             fi
 
-            unset FOUND_PAM_TALLY2 FOUND_TALLYLOG
+            unset FOUND_PAM_TALLY2 FOUND_TALLYLOG FOUND_PAM_FAILLOCK FOUND_FAILLOCKDIR
         fi
         # Also check /etc/logins.defs, although its usage decreased over the years
         if [ -f ${ROOTDIR}etc/login.defs ]; then

include/tests_banners

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
 # Website  : https://cisofy.com
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -27,7 +26,7 @@
 #################################################################################
 #
     BANNER_FILES="${ROOTDIR}etc/issue ${ROOTDIR}etc/issue.net ${ROOTDIR}etc/motd"
-    LEGAL_BANNER_STRINGS="audit access authori condition connect consent continu criminal enforce evidence forbidden intrusion law legal legislat log monitor owner penal policy policies privacy private prohibited record restricted secure subject system terms warning"
+    LEGAL_BANNER_STRINGS="audit access authori condition connect consent continu criminal enforce evidence forbidden intrusion law legal legislat log monitor owner penal policy policies privacy private prohibited prosecute record report restricted secure subject system terms warning"
 #
 #################################################################################
 #

include/tests_boot_services

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
 # Website  : https://cisofy.com
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -147,7 +146,7 @@
                 fi
             ;;
             "Solaris")
-                if [ -n "${ROOTDIR}usr/bin/svcs" ]; then
+                if [ -x "${ROOTDIR}usr/bin/svcs" ]; then
                     SERVICE_MANAGER="SMF (svcs)"
                 elif [ -d "${ROOTDIR}etc/init.d" ]; then
                     SERVICE_MANAGER="SysV Init"
@@ -347,7 +346,7 @@
         FOUND=0
 
         if [ -d "${ROOTDIR}etc/grub.d" ]; then
-            CONF_FILES=$(${FINDBINARY} "${ROOTDIR}etc/grub.d" -type f -name "[0-9][0-9]*" -print0 | ${TRBINARY} '\0' ' ' | ${TRBINARY} -d '[:cntrl:]')
+            CONF_FILES=$(${FINDBINARY} -L "${ROOTDIR}etc/grub.d" -type f -name "[0-9][0-9]*" -print0 | ${TRBINARY} '\0' ' ' | ${TRBINARY} -d '[:cntrl:]')
             CONF_FILES="${GRUBCONFFILE} ${ROOTDIR}boot/grub/custom.cfg ${CONF_FILES}"
         else
             CONF_FILES="${GRUBCONFFILE} ${ROOTDIR}boot/grub/custom.cfg"
@@ -460,7 +459,7 @@
                 BOOT_LOADER_FOUND=1
                 Display --indent 2 --text "- Checking presence LILO" --result "${STATUS_OK}" --color GREEN
                 LogText "Checking password option LILO"
-                FIND=$(${EGREPBINARY} 'password[[:space:]]?=' ${LILOCONFFILE} | ${GREPBINARY} -v "^#")
+                FIND=$(${GREPBINARY} -E 'password[[:space:]]?=' ${LILOCONFFILE} | ${GREPBINARY} -v "^#")
                 if [ -z "${FIND}" ]; then
                     if [ "${MACHINE_ROLE}" = "server" -o "${MACHINE_ROLE}" = "workstation" ]; then
                         Display --indent 4 --text "- Password option presence " --result "${STATUS_WARNING}" --color RED
@@ -605,7 +604,7 @@
         else
             # FreeBSD (Read /etc/rc.conf file for enabled services)
             LogText "Searching for services at startup (rc.conf)"
-            FIND=$(${EGREPBINARY} -v -i '^#|none' ${ROOTDIR}etc/rc.conf | ${EGREPBINARY} -i '_enable.*(yes|on|1)' | ${SORTBINARY} | ${AWKBINARY} -F= '{ print $1 }' | ${SEDBINARY} 's/_enable//')
+            FIND=$(${GREPBINARY} -E -v -i '^#|none' ${ROOTDIR}etc/rc.conf | ${GREPBINARY} -E -i '_enable.*(yes|on|1)' | ${SORTBINARY} | ${AWKBINARY} -F= '{ print $1 }' | ${SEDBINARY} 's/_enable//')
         fi
         COUNT=0
         for ITEM in ${FIND}; do
@@ -715,7 +714,7 @@
             if [ -n "${CHKCONFIGBINARY}" ]; then
                 LogText "Result: chkconfig binary found, trying that to discover information"
                 LogText "Searching for services at startup (chkconfig, runlevel 3 and 5)"
-                FIND=$(${CHKCONFIGBINARY} --list | ${EGREPBINARY} '3:on|5:on' | ${AWKBINARY} '{ print $1 }')
+                FIND=$(${CHKCONFIGBINARY} --list | ${GREPBINARY} -E '3:on|5:on' | ${AWKBINARY} '{ print $1 }')
                 COUNT=0
                 Report "boot_service_tool=chkconfig"
                 for ITEM in ${FIND}; do
@@ -785,7 +784,7 @@
             if [ -d ${DIR} ]; then
                 LogText "Result: directory ${DIR} found"
                 LogText "Test: checking for available files in directory"
-                FIND=$(${FINDBINARY} ${DIR} -type f -print | ${SORTBINARY})
+                FIND=$(${FINDBINARY} -L ${DIR} -type f -print | ${SORTBINARY})
                 if [ -n "${FIND}" ]; then
                     LogText "Result: found files in directory, checking permissions now"
                     for FILE in ${FIND}; do
@@ -809,7 +808,7 @@
         for NO in 0 1 2 3 4 5 6; do
             LogText "Test: Checking ${ROOTDIR}etc/rc${NO}.d scripts for writable bit"
             if [ -d ${ROOTDIR}etc/rc${NO}.d ]; then
-                FIND=$(${FINDBINARY} ${ROOTDIR}etc/rc${NO}.d -type f -print | ${SORTBINARY})
+                FIND=$(${FINDBINARY} -L ${ROOTDIR}etc/rc${NO}.d -type f -print | ${SORTBINARY})
                 for I in ${FIND}; do
                     if IsWorldWritable ${I}; then
                         FOUND=1
@@ -947,7 +946,7 @@
         if [ -f ${ROOTDIR}usr/lib/systemd/system/rescue.service ]; then
             LogText "Result: file /usr/lib/systemd/system/rescue.service"
             LogText "Test: checking presence sulogin for single user mode"
-            FIND=$(${EGREPBINARY} "^ExecStart=.*sulogin" ${ROOTDIR}usr/lib/systemd/system/rescue.service)
+            FIND=$(${GREPBINARY} -E "^ExecStart=.*sulogin" ${ROOTDIR}usr/lib/systemd/system/rescue.service)
             if [ -n "${FIND}" ]; then
                 FOUND=1
                 LogText "Result: found sulogin, so single user is protected"
@@ -981,14 +980,14 @@
                 Report "running_service[]=${ITEM}"
                 COUNT=$((COUNT + 1 ))
             done
-            LogText "Note: Run rcctl ls all | egrep  '^(pf|check_quotas|library_aslr)$' to see all daemons"
+            LogText "Note: Run rcctl ls all | grep -E '^(pf|check_quotas|library_aslr)$' to see all daemons"
             Display --indent 2 --text "- Check running daemons (rcctl)" --result "${STATUS_DONE}" --color GREEN
             Display --indent 8 --text "Result: found ${COUNT} running daemons"
             LogText "Result: Found ${COUNT} running daemons"
 
             # OpenBSD (Ask rcctl(8) for enabled daemons)
             LogText "Searching for enabled daemons (rcctl)"
-            FIND=$(${RCCTLBINARY} ls on | ${EGREPBINARY} -v '^(pf|check_quotas|library_aslr)$')
+            FIND=$(${RCCTLBINARY} ls on | ${GREPBINARY} -E -v '^(pf|check_quotas|library_aslr)$')
             COUNT=0
             Report "boot_service_tool=rcctl"
             for ITEM in ${FIND}; do
@@ -996,7 +995,7 @@
                 Report "boot_service[]=${ITEM}"
                 COUNT=$((COUNT + 1 ))
             done
-            LogText "Note: Run rcctl ls all | egrep  '^(pf|check_quotas|library_aslr)$' to see all daemons"
+            LogText "Note: Run rcctl ls all | grep -E  '^(pf|check_quotas|library_aslr)$' to see all daemons"
             Display --indent 2 --text "- Check enabled daemons at boot (rcctl)" --result "${STATUS_DONE}" --color GREEN
             Display --indent 8 --text "Result: found ${COUNT} enabled daemons at boot"
             LogText "Result: Found ${COUNT} enabled daemons at boot"
@@ -1017,7 +1016,7 @@
             LogText "Result: directory ${DIR} found"
             LogText "Test: checking for available files in directory"
             # OpenBSD uses symlinks to create another instance of daemons
-            FIND=$(${FINDBINARY} ${CHECKDIR} \( -type f -o -type l \) -print | ${SORTBINARY})
+            FIND=$(${FINDBINARY} -L ${CHECKDIR} -type f -print | ${SORTBINARY})
             if [ -n "${FIND}" ]; then
                 LogText "Result: found files in directory, checking permissions now"
                 for FILE in ${FIND}; do
@@ -1090,6 +1089,8 @@
     if [ ${SKIPTEST} -eq 0 ]; then
         LogText "Test: Run systemd-analyze security"
         Display --indent 2 --text "- Running 'systemd-analyze security'"
+        Display --indent 6 --text "Unit name (exposure value) and predicate"
+        Display --indent 6 --text "--------------------------------"
         ${SYSTEMDANALYZEBINARY} security | while read UNIT EXPOSURE PREDICATE HAPPY; do
             if [ "${UNIT}" = "UNIT" ]; then
                 continue
@@ -1111,11 +1112,11 @@
                 ;;
                 UNSAFE | DANGEROUS)
                     STATUS="${STATUS_UNSAFE}"
-                    COLOR=RED
+                    COLOR=YELLOW
                 ;;
             esac
-            Display --indent 8 --text "- ${UNIT}:" --result "${STATUS}" --color "${COLOR}"
+            Display --indent 4 --text "- ${UNIT} (value=${EXPOSURE})" --result "${STATUS}" --color "${COLOR}"
-            LogText "Result: ${UNIT}: ${EXPOSURE} ${STATUS}"
+            LogText "Result: ${UNIT} has exposure value ${EXPOSURE} with predicate '${STATUS}'"
         done
         ReportSuggestion "${TEST_NO}" "Consider hardening system services" "Run '${SYSTEMDANALYZEBINARY} security SERVICE' for each service"
     fi

include/tests_containers

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
-# Website  : https://cisofy.com
+# Website  : https://cisofy.com/
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -107,7 +106,7 @@
             LogText "Result: disabling further Docker tests as docker version gave exit code other than zero (0)"
             RUN_DOCKER_TESTS=0
         fi
-        FIND=$(${DOCKERBINARY} info 2>&1 | ${GREPBINARY} "^WARNING:" | ${CUTBINARY} -d " " -f 2- | ${SEDBINARY} 's/ /:space:/g')
+        FIND=$(${DOCKERBINARY} info 2>&1 | ${GREPBINARY} -E "^WARNING:|^ERROR:" | ${CUTBINARY} -d " " -f 2- | ${SEDBINARY} 's/ /:space:/g')
         if [ ! "${FIND}" = "" ]; then
             LogText "Result: found warning(s) in output"
             for I in ${FIND}; do
@@ -137,7 +136,7 @@
 
         # Check total of containers
         LogText "Test: checking total amount of Docker containers"
-        DOCKER_CONTAINERS_TOTAL=$(${DOCKERBINARY} info 2> /dev/null | ${EGREPBINARY} "^[ \t]?Containers: " | ${AWKBINARY} '{ print $2 }')
+        DOCKER_CONTAINERS_TOTAL=$(${DOCKERBINARY} info 2> /dev/null | ${GREPBINARY} -E "^[ \t]?Containers: " | ${AWKBINARY} '{ print $2 }')
         if [ -z "${DOCKER_CONTAINERS_TOTAL}" ]; then
             DOCKER_CONTAINERS_TOTAL=0
         fi
@@ -224,6 +223,4 @@
 
 WaitForKeyPress
 
-#
+# EOF
-#================================================================================
-# Lynis - Copyright 2007-2021, CISOfy - https://cisofy.com

include/tests_crypto

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
 # Website  : https://cisofy.com
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -54,7 +53,7 @@
                     LASTSUBDIR=""
                     LogText "Result: found directory ${DIR}"
                     # Search for certificate files
-                    FILES=$(${FINDBINARY} ${DIR} -type f 2> /dev/null | ${EGREPBINARY} ".cer$|.crt$|.der$|.pem$|^cert" | ${SORTBINARY} | ${SEDBINARY} 's/ /__space__/g')
+                    FILES=$(${FINDBINARY} ${DIR} -type f 2> /dev/null | ${GREPBINARY} -E ".cer$|.crt$|.der$|.pem$|^cert" | ${SORTBINARY} | ${SEDBINARY} 's/ /__space__/g')
                     for FILE in ${FILES}; do
                         FILE=$(echo ${FILE} | ${SEDBINARY} 's/__space__/ /g')
                         # See if we need to skip this path
@@ -80,7 +79,7 @@
                             if [ ${CANREAD} -eq 1 ]; then
                                 # Only check the files that are not installed by a package, unless enabled by profile
                                 if [ ${SSL_CERTIFICATE_INCLUDE_PACKAGES} -eq 1 ] || ! FileInstalledByPackage "${FILE}"; then
-                                    echo ${FILE} | ${EGREPBINARY} -q ".cer$|.der$"
+                                    echo ${FILE} | ${GREPBINARY} -E -q ".cer$|.der$"
                                     CER_DER=$?
                                     OUTPUT=$(${GREPBINARY} -q 'BEGIN CERT' "${FILE}")
                                     if [ $? -eq 0 -o ${CER_DER} -eq 0 ]; then
@@ -217,6 +216,33 @@
     fi
 #
 #################################################################################
+#
+    # Test        : CRYP-7932
+    # Description : Determine if system has enabled macOS FileVault encryption
+    Register --test-no CRYP-7932 --os macOS --weight L --network NO --category crypto --description "Determine if system has enabled macOS FileVault encryption"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        if command -v fdesetup &> /dev/null; then
+            case $(fdesetup status) in
+                *"FileVault is On."*)
+                    LogText "Result: FileVault is enabled."
+                    Display --indent 2 --text "- FileVault is enabled." --result "${STATUS_OK}" --color GREEN
+                    Report "encryption[]=filevault"
+                    AddHP 3 3
+                    ;;
+                *)
+                    LogText "Result: FileVault is not enabled."
+                    Display --indent 2 --text "- FileVault is not enabled." --result "${STATUS_WARNING}" --color RED
+                    AddHP 0 3
+                    ;;
+            esac
+        else
+            LogText "Result: fdesetup command not found. Unable to determine FileVault status."
+            Display --indent 2 --text "- Unable to determine FileVault status (fdesetup command not found)." --result "${STATUS_WARNING}" --color YELLOW
+            AddHP 0 3
+        fi
+    fi
+#
+#################################################################################
 #
     # Test        : CRYP-8002
     # Description : Gather available kernel entropy

include/tests_databases

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
 # Website  : https://cisofy.com
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -45,7 +44,7 @@
     # Description : Check if MySQL is being used
     Register --test-no DBS-1804 --weight L --network NO --category security --description "Checking active MySQL process"
     if [ ${SKIPTEST} -eq 0 ]; then
-        FIND=$(${PSBINARY} ax | ${EGREPBINARY} "mariadb|mysqld|mysqld_safe" | ${GREPBINARY} -v "grep")
+        FIND=$(${PSBINARY} ax | ${GREPBINARY} -E "mariadb|mysqld|mysqld_safe" | ${GREPBINARY} -v "grep")
         if [ -z "${FIND}" ]; then
             if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- MySQL process status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
             LogText "Result: MySQL process not active"
@@ -85,7 +84,7 @@
         LogText "Test: Trying to login to local MySQL server without password"
 
         # "-u root --password=" avoids ~/.my.cnf authentication settings
-        # "plugin = 'mysql_native_password' AND authentication_string = ''" avoids false positives when secure plugins are used 
+        # "plugin = 'mysql_native_password' AND authentication_string = ''" avoids false positives when secure plugins are used
         FIND=$(${MYSQLCLIENTBINARY} --default-auth=mysql_native_password  --no-defaults -u root --password= --silent --batch --execute="SELECT count(*) FROM mysql.user WHERE user = 'root' AND plugin = 'mysql_native_password' AND authentication_string = ''" mysql > /dev/null 2>&1; echo $?)
         if [ "${FIND}" = "0" ]; then
            LogText "Result: Login succeeded, no MySQL root password set!"
@@ -127,12 +126,25 @@
             for FILE in ${MONGO_CONF_FILES}; do
                 if [ -f ${FILE} ]; then
                     LogText "Result: found MongoDB configuration file (${FILE})"
-                    LogText "Test: determine authorization setting in new style YAML format"
+                    # YAML with quotes
-                    AUTH_IN_CONFIG=$(${GREPBINARY} "authorization: enabled" ${FILE} | ${GREPBINARY} -E -v "(^#|#auth)")
+                    if [ ${MONGODB_AUTHORIZATION_ENABLED} -eq 0 ]; then
-                    if HasData "${AUTH_IN_CONFIG}"; then
+                        LogText "Test: determine authorization setting in new style YAML format"
-                        LogText "Result: GOOD, found authorization option enabled in configuration file (YAML format)"
+                        AUTH_IN_CONFIG=$(${GREPBINARY} "authorization: \"enabled\"" ${FILE} | ${GREPBINARY} -E -v "(^#|#auth)")
-                        MONGODB_AUTHORIZATION_ENABLED=1
+                        if HasData "${AUTH_IN_CONFIG}"; then
-                    else
+                            LogText "Result: GOOD, found authorization option enabled in configuration file (YAML format with quotes)"
+                            MONGODB_AUTHORIZATION_ENABLED=1
+                        fi
+                    fi
+                    # YAML without quotes
+                    if [ ${MONGODB_AUTHORIZATION_ENABLED} -eq 0 ]; then
+                        AUTH_IN_CONFIG=$(${GREPBINARY} "authorization: enabled" ${FILE} | ${GREPBINARY} -E -v "(^#|#auth)")
+                        if HasData "${AUTH_IN_CONFIG}"; then
+                            LogText "Result: GOOD, found authorization option enabled in configuration file (YAML format without quotes)"
+                            MONGODB_AUTHORIZATION_ENABLED=1
+                        fi
+                    fi
+                    # Old style
+                    if [ ${MONGODB_AUTHORIZATION_ENABLED} -eq 0 ]; then
                         LogText "Result: did NOT find authorization option enabled in configuration file (with YAML format)"
                         LogText "Test: now searching for old style configuration (auth = true) in configuration file"
                         AUTH_IN_CONFIG=$(${GREPBINARY} "auth = true" ${FILE} | ${GREPBINARY} -v "noauth" | ${GREPBINARY} -E -v "(^#|#auth)")
@@ -173,8 +185,10 @@
     # Test        : DBS-1826
     # Description : Check if PostgreSQL is being used
     Register --test-no DBS-1826 --weight L --network NO --category security --description "Checking active PostgreSQL processes"
+    for PROCES in postgres postmaster
+    do
     if [ ${SKIPTEST} -eq 0 ]; then
-        if IsRunning "postgres"; then
+        if IsRunning "${PROCES}"; then
             Display --indent 2 --text "- PostgreSQL processes status" --result "${STATUS_FOUND}" --color GREEN
             LogText "Result: PostgreSQL is active"
             POSTGRESQL_RUNNING=1
@@ -182,9 +196,10 @@
             Report "postgresql_running=${POSTGRESQL_RUNNING}"
         else
             if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- PostgreSQL processes status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
-            LogText "Result: PostgreSQL process not active"
+            LogText "Result: PostgreSQL process ${PROCES} not active"
         fi
     fi
+    done
 #
 #################################################################################
 #
@@ -198,13 +213,15 @@
     # Arch            /var/lib/postgres/data/postgresql.conf
     # CentOS/Fedora   /var/lib/pgsql/data/postgresql.conf
     # Ubuntu          /etc/postgresql/x.y/main/postgresql.conf
+    # FreeBSD         /var/db/postgres/data[0-9][0-9]/postgresql.conf
 
     if [ "${POSTGRESQL_RUNNING}" -eq 1 ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="PostgreSQL not installed or not running"; fi
 
     Register --test-no DBS-1828 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Test PostgreSQL configuration"
     if [ ${SKIPTEST} -eq 0 ]; then
-        FIND_PATHS="${ROOTDIR}etc/postgres ${ROOTDIR}var/lib/postgres/data ${ROOTDIR}usr/local/pgsql/data"
+        FIND_PATHS=$(${LSBINARY} -d ${ROOTDIR}usr/local/pgsql/data* 2> /dev/null)
-        CONFIG_FILES=$(${FINDBINARY} ${FIND_PATHS} -type f -name "*.conf" -print0 2> /dev/null | ${TRBINARY} -cd '[:print:]\0' | ${TRBINARY} -d '\n' | ${TRBINARY} '\0' '\n' | xargs -i sh -c 'test -r "{}" && echo "{}"' | ${SEDBINARY} "s/ /:space:/g")
+        FIND_PATHS="${FIND_PATHS} ${ROOTDIR}etc/postgres ${ROOTDIR}etc/postgresql ${ROOTDIR}var/lib/postgres/data ${ROOTDIR}usr/local/pgsql/data ${ROOTDIR}var/lib/pgsql/data ${ROOTDIR}var/db/postgres/data[0-9][0-9]"
+        CONFIG_FILES=$(${FINDBINARY} -L ${FIND_PATHS} -type f -name "*.conf" -print0 2> /dev/null | ${TRBINARY} -cd '[:print:]\0' | ${TRBINARY} -d '\n' | ${TRBINARY} '\0' '\n' | xargs -I'{}' sh -c 'test -r "{}" && echo "{}"' | ${SEDBINARY} "s/ /:space:/g")
         for CF in ${CONFIG_FILES}; do
             Report "postgresql_config_file[]=${CF}"
             LogText "Found configuration file (${CF})"
@@ -213,7 +230,7 @@
                 ReportWarning "${TEST_NO}" "PostgreSQL configuration file ${CF} is world readable and might leak sensitive details" "${CF}" "Use chmod 600 to change file permissions"
             else
                 LogText "Result: great, configuration file ${CF} is not world readable"
-            fi            
+            fi
         done
     fi
 #
@@ -231,7 +248,7 @@
     #               reco: recovery (optional)
     Register --test-no DBS-1840 --weight L --network NO --category security --description "Checking active Oracle processes"
     if [ ${SKIPTEST} -eq 0 ]; then
-        FIND=$(${PSBINARY} ax | ${EGREPBINARY} "ora_pmon|ora_smon|tnslsnr" | ${GREPBINARY} -v "grep")
+        FIND=$(${PSBINARY} ax | ${GREPBINARY} -E "ora_pmon|ora_smon|tnslsnr" | ${GREPBINARY} -v "grep")
         if [ -z "${FIND}" ]; then
             if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- Oracle processes status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
             LogText "Result: Oracle process(es) not active"
@@ -298,10 +315,16 @@
     if [ ${REDIS_RUNNING} -eq 1 ]; then PREQS_METS="YES"; else PREQS_MET="NO"; SKIPREASON="Redis not running"; fi
     Register --test-no DBS-1882 --weight L --network NO --preqs-met "${PREQS_MET}" --skip-reason "${SKIPREASON}" --category security --description "Redis configuration file"
     if [ ${SKIPTEST} -eq 0 ]; then
-        PATHS="${ROOTDIR}etc/redis ${ROOTDIR}usr/local/etc/redis ${ROOTDIR}usr/local/redis/etc"
+        PATHS="${ROOTDIR}etc/redis ${ROOTDIR}usr/local/etc ${ROOTDIR}usr/local/etc/redis ${ROOTDIR}usr/local/redis/etc"
         if [ ${QNAP_DEVICE} -eq 1 ]; then
             PATHS="${PATHS} ${ROOTDIR}share/CACHEDEV1_DATA/.qpkg/QKVM/usr/etc/redis.conf"
         fi
+        if [ -d "${ROOTDIR}snap" ]; then
+          for SNAP_PATH in $(${FINDBINARY} ${ROOTDIR}snap -name 'redis.conf' -type f | ${SEDBINARY} 's/redis.conf$//g'); do
+            PATHS="${PATHS} ${SNAP_PATH}"
+          done
+        fi
+
         ALLFILES=$(${LSBINARY} ${ROOTDIR}etc/redis.conf 2> /dev/null)
         FOUND=0
         for DIR in ${PATHS}; do

include/tests_dns

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
 # Website  : https://cisofy.com
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are

include/tests_file_integrity

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
 # Website  : https://cisofy.com
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -104,7 +103,7 @@
     if [ -n "${AIDEBINARY}" -a -n "${AIDECONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
     Register --test-no FINT-4316 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Presence of AIDE database and size check"
     if [ ${SKIPTEST} -eq 0 ]; then
-        AIDE_DB=$(${EGREPBINARY} '(^database|^database_in)=' ${AIDECONFIG} | ${SEDBINARY} "s/.*://")
+        AIDE_DB=$(${GREPBINARY} -E '(^database|^database_in)=' ${AIDECONFIG} | ${SEDBINARY} "s/.*://")
         if case ${AIDE_DB} in @@*) ;; *) false;; esac; then
             I=$(${GREPBINARY} "@@define.*DBDIR" ${AIDECONFIG} | ${AWKBINARY} '{print $3}')
             AIDE_DB=$(echo ${AIDE_DB} | ${SEDBINARY} "s#.*}#${I}#")
@@ -330,7 +329,7 @@
 	ROOTDEVICE=$(${MOUNTBINARY} | ${AWKBINARY} '/ on \/ type / { print $1 }')
 	for DEVICE in /dev/mapper/*; do
 	    if [ -e "${DEVICE}" ]; then
-		FIND=$(${INTEGRITYSETUPBINARY} status "${DEVICE}" | ${EGREPBINARY} 'type:.*INTEGRITY')
+		FIND=$(${INTEGRITYSETUPBINARY} status "${DEVICE}" | ${GREPBINARY} -E 'type:.*INTEGRITY')
 		if [ ! -z "${FIND}" ]; then
 		    FOUND=1
 		    LogText "Result: found dm-integrity device ${DEVICE}"
@@ -370,7 +369,7 @@
 	ROOTDEVICE=$(${MOUNTBINARY} | ${AWKBINARY} '/ on \/ type / { print $1 }')
 	for DEVICE in /dev/mapper/*; do
 	    if [ -e "${DEVICE}" ]; then
-		FIND=$(${VERITYSETUPBINARY} status "${DEVICE}" | ${EGREPBINARY} 'type:.*VERITY')
+		FIND=$(${VERITYSETUPBINARY} status "${DEVICE}" | ${GREPBINARY} -E 'type:.*VERITY')
 		if [ ! -z "${FIND}" ]; then
 		    FOUND=1
 		    LogText "Result: found dm-verity device ${DEVICE}"
@@ -398,13 +397,32 @@
     fi
 #
 #################################################################################
+#
+    # Test        : FINT-4344
+    # Description : Check if Wazuh system integrity tool is running
+    Register --test-no FINT-4344 --weight L --network NO --category security --description "Wazuh syscheck daemon running"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        LogText "Test: Checking if Wazuh syscheck daemon is running"
+        if IsRunning "wazuh-syscheckd"; then
+            LogText "Result: syscheck (Wazuh) active"
+            Report "file_integrity_tool[]=wazuh"
+            FILE_INT_TOOL="wazuh-syscheck"
+            FILE_INT_TOOL_FOUND=1
+            Display --indent 4 --text "- Wazuh (syscheck)" --result "${STATUS_FOUND}" --color GREEN
+        else
+            LogText "Result: syscheck (Wazuh) is not active"
+            if IsVerbose; then Display --indent 4 --text "- Wazuh" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
+        fi
+    fi
+#
+#################################################################################
 #
     # Test        : FINT-4402 (was FINT-4316)
     # Description : Check if AIDE is configured to use SHA256 or SHA512 checksums
     if [ ! "${AIDEBINARY}" = "" -a -n "${AIDECONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
     Register --test-no FINT-4402 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "AIDE configuration: Checksums (SHA256 or SHA512)"
     if [ ${SKIPTEST} -eq 0 ]; then
-        FIND=$(${GREPBINARY} -v "^#" ${AIDECONFIG} | ${EGREPBINARY} "= .*(sha256|sha512)")
+        FIND=$(${GREPBINARY} -v "^#" ${AIDECONFIG} | ${GREPBINARY} -E "= .*(sha256|sha512)")
         if [ -z "${FIND}" ]; then
             LogText "Result: No SHA256 or SHA512 found for creating checksums"
             Display --indent 6 --text "- AIDE config (Checksum)" --result Suggestion --color YELLOW
@@ -438,7 +456,7 @@
 #
 #################################################################################
 #
-    WaitForKeyPress
+
-#
+WaitForKeyPress
-#================================================================================
+
-# Lynis - Copyright 2007-2021 Michael Boelen, CISOfy - https://cisofy.com
+# EOF

include/tests_file_permissions

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
 # Website  : https://cisofy.com
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -35,7 +34,7 @@
         FOUND=0
         for PROFILE in ${PROFILES}; do
             LogText "Using profile ${PROFILE} for baseline."
-            FILES=$(${EGREPBINARY} '^permfile=|^permdir=' ${PROFILE} | ${CUTBINARY} -d= -f2 | ${CUTBINARY} -d: -f1)
+            FILES=$(${GREPBINARY} -E '^permfile=|^permdir=' ${PROFILE} | ${CUTBINARY} -d= -f2 | ${CUTBINARY} -d: -f1)
             for F in ${FILES}; do
                 LogText "Test: checking file/directory ${F}"
                 if [ -f "${F}" ]; then
@@ -70,6 +69,4 @@
 
 WaitForKeyPress
 
-#
+# EOF
-#================================================================================
-# Lynis - Copyright 2007-2021, CISOfy - https://cisofy.com

include/tests_filesystems

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
-# Website  : https://cisofy.com
+# Website  : https://cisofy.com/
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -346,7 +345,13 @@
         LINUX_KERNEL_MAJOR=$(echo $OS_KERNELVERSION | ${AWKBINARY} -F. '{print $1}')
         LINUX_KERNEL_MINOR=$(echo $OS_KERNELVERSION | ${AWKBINARY} -F. '{print $2}')
         if [ -n "${LINUX_KERNEL_MAJOR}" -a -n "${LINUX_KERNEL_MINOR}" ]; then
-            if [ ${LINUX_KERNEL_MAJOR} -ge 3 -a ${LINUX_KERNEL_MINOR} -ge 3 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+            if [ ${LINUX_KERNEL_MAJOR} -ge 3 -a ${LINUX_KERNEL_MINOR} -ge 3 ]; then
+                PREQS_MET="YES";
+            elif [ ${LINUX_KERNEL_MAJOR} -ge 4 ]; then
+                PREQS_MET="YES";
+            else
+                PREQS_MET="NO";
+            fi
         else
             PREQS_MET="NO";
         fi
@@ -356,7 +361,7 @@
         # Proc should be mounted with 'hidepid=2' or 'hidepid=1' at least
         # https://www.kernel.org/doc/html/latest/filesystems/proc.html#chapter-4-configuring-procfs
         LogText "Test: check proc mount with incorrect mount options"
-        FIND=$(${MOUNTBINARY} | ${EGREPBINARY} "${ROOTDIR}proc " | ${EGREPBINARY} -o "hidepid=([0-9]|[a-z][a-z]*)")
+        FIND=$(${MOUNTBINARY} | ${GREPBINARY} -E "${ROOTDIR}proc " | ${GREPBINARY} -E -o "hidepid=([0-9]|[a-z][a-z]*)")
         if [ "${FIND}" = "hidepid=4" -o "${FIND}" = "hidepid=ptraceable" ]; then  # https://lwn.net/Articles/817137/
             Display --indent 2 --text "- Testing /proc mount (hidepid)" --result "${STATUS_OK}" --color GREEN
             LogText "Result: proc mount mounted with ${FIND}"
@@ -504,7 +509,7 @@
         fi
 
         LogText "Test: Checking acl option on xfs root file system"
-        FIND=$(${MOUNTBINARY} | ${AWKBINARY} '{ if ($3=="/" && $5~/xfs/) { print $6 } }' | ${EGREPBINARY} 'no_acl|no_user_xattr')
+        FIND=$(${MOUNTBINARY} | ${AWKBINARY} '{ if ($3=="/" && $5~/xfs/) { print $6 } }' | ${GREPBINARY} -E 'no_acl|no_user_xattr')
         if [ -z "${FIND}" ]; then
             FOUND=1
             # some other tests to do ?
@@ -638,7 +643,7 @@
         NDEVMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v nodev | ${WCBINARY} -l)
         NEXECMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v noexec | ${WCBINARY} -l)
         NSUIDMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v nosuid | ${WCBINARY} -l)
-        NWRITEANDEXECMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v noexec | ${EGREPBINARY} -v '^\(ro[,)]' | ${WCBINARY} -l)
+        NWRITEANDEXECMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v noexec | ${GREPBINARY} -E -v '^\(ro[,)]' | ${WCBINARY} -l)
         LogText "Result: Total without nodev:${NDEVMOUNTS} noexec:${NEXECMOUNTS} nosuid:${NSUIDMOUNTS} ro or noexec (W^X): ${NWRITEANDEXECMOUNTS}, of total ${NMOUNTS}"
         Display --indent 2 --text "- Total without nodev:${NDEVMOUNTS} noexec:${NEXECMOUNTS} nosuid:${NSUIDMOUNTS} ro or noexec (W^X): ${NWRITEANDEXECMOUNTS} of total ${NMOUNTS}"
     fi
@@ -726,11 +731,51 @@
 #
 #################################################################################
 #
-    # Test        : FILE-6398 TODO
+    # Test        : FILE-6398
     # Description : Check if JBD (Journal Block Device) driver is loaded
-
+    # Notes       : Test is temporarily disabled, as JBD might be in a kernel (built-in) - https://github.com/CISOfy/lynis/issues/1508
-    # Want to contribute to Lynis? Create this test
+#    Register --test-no FILE-6398 --os Linux --weight L --network NO --category security --description "Checking if JBD (Journal Block Device) driver is loaded"
-
+#    if [ ${SKIPTEST} -eq 0 ]; then
+#        LogText "Test: Checking if JBD (Journal Block Device) driver is loaded"
+#        NOTINUSE=0
+#        # Only perform testing if we know that KRNL-5723 performed tests
+#        if [ ${MONOLITHIC_KERNEL_TESTED} -eq 1 ]; then
+#            # Cannot check if driver is loaded/present if kernel is monolithic
+#            if [ ${MONOLITHIC_KERNEL} -eq 0 ]; then
+#                JBD=$(${LSMODBINARY} | ${GREPBINARY} ^jbd)
+#                if [ -n "${JBD}" ]; then
+#                    LogText "Result: JBD driver is loaded"
+#                    INUSE=$(echo ${JBD} | ${AWKBINARY} '{if ($3 -ne 0) {print $4}}')
+#                    if [ -n "${INUSE}" ]; then
+#                        LogText "Result: JBD driver is in use by drivers: ${INUSE}"
+#                        Report "JBD driver is in use by drivers: ${INUSE}"
+#                        Display --indent 2 --text "- JBD driver loaded and in use" --result "${STATUS_OK}" --color GREEN
+#                    else
+#                        NOTINUSE=1
+#                        LogText "Result: JBD driver loaded, but not in use"
+#                        Report "JBD driver is loaded, but not in use."
+#                        Display --indent 2 --text "- JBD driver loaded, but not in use" --result "${STATUS_SUGGESTION}" --color YELLOW
+#                    fi
+#                else
+#                    NOTINUSE=2
+#                    LogText "Result: JBD driver not loaded"
+#                    Report "JBD driver not loaded."
+#                    Display --indent 2 --text "- JBD driver is not loaded" --result "${STATUS_CHECK_NEEDED}" --color YELLOW
+#                fi
+#                if [ ${NOTINUSE} -eq 1 ]; then
+#                    ReportSuggestion "${TEST_NO}" "The JBD (Journal Block Device) driver is loaded but not in use." "You are currently not using any filesystems with journaling, i.e. you have greater risk of data corruption in case of system crash."
+#                elif [ ${NOTINUSE} -eq 2 ]; then
+#                    ReportSuggestion "${TEST_NO}" "The JBD (Journal Block Device) driver is not loaded." "Since boot-time, you have not been using any filesystems with journaling. Alternatively, reason could be driver is blacklisted."
+#                fi
+#            else
+#                Display --indent 2 --text "- JBD driver: unable to check" --result "${STATUS_UNKNOWN}" --color YELLOW
+#                LogText "Kernel is monolithic - cannot check if JBD driver is part of compiled kernel."
+#            fi
+#        else
+#            Display --indent 2 --text "- JBD driver: test skipped" --result "${STATUS_UNKNOWN}" --color YELLOW
+#            LogText "Test skipped as the kernel type (monolithic/modular) is unknown"
+#        fi
+#    fi
 #
 #################################################################################
 #
@@ -744,7 +789,7 @@
     if [ ${SKIPTEST} -eq 0 ]; then
         LogText "Test: Checking locate database"
         FOUND=0
-        LOCATE_DBS="${ROOTDIR}var/lib/mlocate/mlocate.db ${ROOTDIR}var/lib/locate/locatedb ${ROOTDIR}var/lib/locatedb ${ROOTDIR}var/lib/slocate/slocate.db ${ROOTDIR}var/cache/locate/locatedb ${ROOTDIR}var/db/locate.database"
+        LOCATE_DBS="${ROOTDIR}var/cache/locate/locatedb ${ROOTDIR}var/db/locate.database ${ROOTDIR}var/lib/locate/locatedb ${ROOTDIR}var/lib/locatedb ${ROOTDIR}var/lib/mlocate/mlocate.db ${ROOTDIR}var/lib/plocate/plocate.db ${ROOTDIR}var/lib/slocate/slocate.db"
         for FILE in ${LOCATE_DBS}; do
             if [ -f ${FILE} ]; then
                 LogText "Result: locate database found (${FILE})"
@@ -814,13 +859,13 @@
             AVAILABLE_MODPROBE_FS=""
             for FS in ${LIST_FS_NOT_SUPPORTED}; do
                 # Check if filesystem is present in modprobe output
-                FIND=$(${MODPROBEBINARY} -v -n ${FS} 2>/dev/null | ${EGREPBINARY} "/${FS}.ko" | ${TAILBINARY} -1)
+                FIND=$(${MODPROBEBINARY} -v -n ${FS} 2>/dev/null | ${GREPBINARY} -E "/${FS}.ko" | ${TAILBINARY} -1)
                 if [ -n "${FIND}" ]; then
                     LogText "Result: found ${FS} support in the kernel (output = ${FIND})"
                     Debug "Module ${FS} present in the kernel"
                     LogText "Test: Checking if ${FS} is active"
                     # Check if FS is present in lsmod output
-                    FIND=$(${LSMODBINARY} | ${EGREPBINARY} "^${FS}")
+                    FIND=$(${LSMODBINARY} | ${GREPBINARY} -E "^${FS}")
                     if IsEmpty "${FIND}"; then
                         LogText "Result: module ${FS} is currently not loaded in the kernel."
                         AddHP 2 3
@@ -835,15 +880,19 @@
                     AddHP 3 3
                     if IsDebug; then Display --indent 6 --text "- Module ${FS} not present in the kernel" --result OK --color GREEN; fi
                 fi
-                for SUBDIR in "${ROOTDIR}etc" "/usr/lib"; do
+                
-                    FIND=$(${LSBINARY} ${SUBDIR}/modprobe.d/* 2> /dev/null)
+                for SUBDIR in "${ROOTDIR}etc" "${ROOTDIR}usr/lib"; do
-                    if [ -n "${FIND}" ]; then
+                    if [ -d "${SUBDIR}/modprobe.d" ]; then
-                        FIND1=$(${EGREPBINARY} "^blacklist ${FS}$" ${SUBDIR}/modprobe.d/* | ${GREPBINARY} -v "#")
+                        LogText "Result: directory ${SUBDIR}/modprobe.d exists"
-                        FIND2=$(${EGREPBINARY} "^install ${FS} /bin/true$" ${SUBDIR}/modprobe.d/* | ${GREPBINARY} -v "#")
+                        FIND=$(${LSBINARY} "${SUBDIR}/modprobe.d/*" 2> /dev/null)
-                        if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then
+                        if [ -n "${FIND}" ]; then
-                            Display --indent 4 --text "- Module $FS is blacklisted" --result "OK" --color GREEN
+                            FIND1=$(${GREPBINARY} -E "^blacklist[[:space:]]+${FS}$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
-                            LogText "Result: module ${FS} is blacklisted"
+                            FIND2=$(${GREPBINARY} -E "^install[[:space:]]+${FS}[[:space:]]+/bin/(true|false)$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
-                            break
+                            if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then
+                                Display --indent 4 --text "- Module $FS is blacklisted" --result "OK" --color GREEN
+                                LogText "Result: module ${FS} is blacklisted"
+                                break
+                            fi
                         fi
                     fi
                 done

include/tests_firewalls

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
 # Website  : https://cisofy.com
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -109,43 +108,77 @@
     Register --test-no FIRE-4508 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check used policies of iptables chains"
     if [ ${SKIPTEST} -eq 0 ]; then
         Display --indent 4 --text "- Checking iptables policies of chains" --result "${STATUS_FOUND}" --color GREEN
-        TABLES="filter"
+        IPTABLES_TABLES="filter nat mangle raw security"
-        for TABLE in ${TABLES}; do
+        for IPTABLES_TABLE in ${IPTABLES_TABLES}
-            LogText "Test: gathering information from table ${TABLE}"
+        do
-            FIND="$FIND""\n"$(${IPTABLESBINARY} -t ${TABLE} --numeric --list | ${EGREPBINARY}  -z -o -w  '[A-Z]+' | tr -d '\0' | ${AWKBINARY} -v t=${TABLE} 'NR%2 {printf "%s %s ",t, $0 ; next;}1')
+            ${IPTABLESBINARY} -t "${IPTABLES_TABLE}" --list-rules --wait 1 2>/dev/zero |
-        done
+            {
-
+                IPTABLES_OUTPUT_QUEUE=""
-        echo "${FIND}" | while read -r line; do
+                while IFS="$(printf '\n')" read -r IPTABLES_LINES
-            table=$(echo ${line} | ${AWKBINARY} '{ print $1 }')
+                do
-            chainname=$(echo ${line} | ${AWKBINARY} '{ print $2 }')
+                    set -- ${IPTABLES_LINES}
-            policy=$(echo ${line} | ${AWKBINARY} '{ print $3 }')
+                    while [ $# -gt 0 ]; do
-            LogText "Result: iptables  ${table}  -- ${chainname} policy is ${policy}."
+                        if [ "${1}" = "-P" ]; then
-            LogText "Result: ${policy}"
+                            IPTABLES_CHAIN="${2}"
-
+                            IPTABLES_TARGET="${3}"
-            if [ "${TABLE}" = "filter" ]; then
+                            shift 3
-                if [ "${chainname}" = "INPUT" ]; then
+                        elif [ "${1}" = "-A" ] || [ "${1}" = "-N" ]; then
-                    case ${policy} in
+                            IPTABLES_CHAIN="${2}"
-                        "ACCEPT")
+                            shift 2
-                             LogText "Result: Found ACCEPT for ${chainname} (table: ${table})"
+                        elif [ "${1}" = "-j" ]; then
-                             Display --indent 6 --text "- Checking chain ${chainname} (table: ${table}, policy ${policy})" --result "ACCEPT" --color YELLOW
+                            IPTABLES_TARGET="${2}"
-                             #ReportSuggestion "${TEST_NO}" "Consider settings default chain policy to DROP (iptables chain ${chainname}, table: ${table})"
+                            shift
-                             AddHP 1 3
+                        else
-                             ;;
+                            shift
-                         "DROP")
+                        fi
-                             LogText "Result: Found DROP for ${chainname} (table: ${table})"
+                    done
-                             Display --indent 6 --text "- Checking chain ${chainname} (table: ${table}, policy ${policy})" --result "DROP" --color GREEN
+                    # logics
-                             AddHP 3 3
+                    if [ "${IPTABLES_TABLE}" = "filter" ] || [ "${IPTABLES_TABLE}" = "security" ]; then
-                             ;;
+                        if [ "${IPTABLES_CHAIN}" = "INPUT" ]; then
-                         *)
+                            if [ "${IPTABLES_TARGET}" = "ACCEPT" ]; then
-                             Display --indent 6 --text "- Checking chain ${chainname} (table: ${table}, policy ${policy})" --result "other" --color YELLOW
+                                IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}\n${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} YELLOW 1 3"
-                             LogText "Result: Unknown policy: ${policy}"
+                            elif [ "${IPTABLES_TARGET}" = "DROP" ]; then
-                             #ReportSuggestion "${TEST_NO}" "Check iptables ${chainname} (table: ${table}) chain policy"
+                                IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}\n${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} GREEN 3 3"
-                             ;;
+                            fi
-                    esac
+                        fi
+                        if [ "${IPTABLES_CHAIN}" = "INPUT" ] || [ "${IPTABLES_CHAIN}" = "FORWARD" ] || [ "${IPTABLES_CHAIN}" = "OUTPUT" ]; then
+                            if [ "${IPTABLES_TARGET}" = "NFQUEUE" ]; then
+                                IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}\n${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} RED 0 3"
+                            fi
+                        fi
+                    fi
+                done
+                if [ -n "${IPTABLES_OUTPUT_QUEUE}" ]; then
+                    # Sort output if sort tool is available
+                    if [ -n "${SORTBINARY}" ]; then
+                        LogText "Info: sorting output"
+                        IPTABLES_OUTPUT="$(printf '%b' "${IPTABLES_OUTPUT_QUEUE}" | ${SORTBINARY} -u )"
+                    else
+                        IPTABLES_OUTPUT="$(printf '%b' "${IPTABLES_OUTPUT_QUEUE}")"
+                    fi
+                    printf '%b\n' "${IPTABLES_OUTPUT}" | while IFS="$(printf '\n')" read -r IPTABLES_OUTPUT_LINE
+                    do
+                        if [ -n "$IPTABLES_OUTPUT_LINE" ]; then
+                            set -- ${IPTABLES_OUTPUT_LINE}
+                            while [ $# -gt 0 ]; do
+                                LogText "Result: Found target '${3}' for chain '${2}' (table: ${1})"
+                                Display --indent 6 --text "- Chain ${2} (table: ${1}, target: ${3})" --result "${3}" --color "${4}"
+                                if [ "${3}" = "NFQUEUE" ]
+                                then
+                                    ReportSuggestion "${TEST_NO}" "Consider avoid ${3} target if possible (iptables chain ${2}, table: ${1})"
+                                fi
+                                AddHP "${5}" "${6}"
+                                shift 6
+                            done
+                        fi
+                    done
                 fi
-            fi
+            }
+            unset IPTABLES_TABLE
         done
+        unset IPTABLES_TABLES
     fi
+    unset PREQS_MET
 #
 #################################################################################
 #
@@ -154,7 +187,7 @@
     if [ -n "${IPTABLESBINARY}" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
     Register --test-no FIRE-4512 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for empty ruleset"
     if [ ${SKIPTEST} -eq 0 ]; then
-        FIND=$(${IPTABLESBINARY} --list --numeric 2> /dev/null | ${EGREPBINARY} -v "^(Chain|target|$)" | ${WCBINARY} -l | ${TRBINARY} -d ' ')
+        FIND=$(${IPTABLESBINARY} --list --numeric 2> /dev/null | ${GREPBINARY} -E -v "^(Chain|target|$)" | ${WCBINARY} -l | ${TRBINARY} -d ' ')
         if [ -n "${FIND}" ]; then
             FIREWALL_ACTIVE=1
             if [ ${FIND} -le 5 ]; then
@@ -506,7 +539,7 @@
     Register --test-no FIRE-4540 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check for empty nftables configuration"
     if [ ${SKIPTEST} -eq 0 ]; then
         # Check for empty ruleset
-        NFT_RULES_LENGTH=$(${NFTBINARY} --stateless list ruleset 2> /dev/null | ${EGREPBINARY} -v "table|chain|;$|}$|^$" | ${WCBINARY} -l)
+        NFT_RULES_LENGTH=$(${NFTBINARY} --stateless list ruleset 2> /dev/null | ${GREPBINARY} -E -v "table|chain|;$|}$|^$" | ${WCBINARY} -l)
         if [ ${NFT_RULES_LENGTH} -le 3 ]; then
             FIREWALL_EMPTY_RULESET=1
             LogText "Result: this firewall set has 3 rules or less and is considered to be empty"

include/tests_hardening

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
 # Website  : https://cisofy.com
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -99,7 +98,7 @@
             else
                 Display --indent 4 --text "- Installed malware scanner" --result "${STATUS_NOT_FOUND}" --color RED
             fi
-            ReportSuggestion "${TEST_NO}" "Harden the system by installing at least one malware scanner, to perform periodic file system scans" "-" "Install a tool like rkhunter, chkrootkit, OSSEC"
+            ReportSuggestion "${TEST_NO}" "Harden the system by installing at least one malware scanner, to perform periodic file system scans" "-" "Install a tool like rkhunter, chkrootkit, OSSEC, Wazuh"
             AddHP 1 3
             LogText "Result: no malware scanner found"
         fi

include/tests_homedirs

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
 # Website  : https://cisofy.com
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -57,7 +56,7 @@
     if [ ${SKIPTEST} -eq 0 ]; then
         # Check if users' home directories permissions are 750 or more restrictive
         FOUND=0
-        USERDATA=$(${EGREPBINARY} -v '^(daemon|git|halt|root|shutdown|sync)' ${ROOTDIR}etc/passwd | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }')
+        USERDATA=$(${GREPBINARY} -E -v '^(daemon|git|halt|root|shutdown|sync)' ${ROOTDIR}etc/passwd | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }')
         while read -r LINE; do
             USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1)
             DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6)
@@ -93,7 +92,7 @@ EOF
     if [ ${SKIPTEST} -eq 0 ]; then
         # Check if users own their home directories
         FOUND=0
-        USERDATA=$(${EGREPBINARY} -v '^(daemon|git|halt|root|shutdown|sync)' ${ROOTDIR}etc/passwd | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }')
+        USERDATA=$(${GREPBINARY} -E -v '^(daemon|git|halt|root|shutdown|sync)' ${ROOTDIR}etc/passwd | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }')
         while read -r LINE; do
             USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1)
             DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6)

include/tests_insecure_services

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
 # Website  : https://cisofy.com
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -41,7 +40,7 @@
     if [ ${SKIPTEST} -eq 0 ]; then
         # Check for installed inetd daemon
         LogText "Test: Checking if inetd is installed"
-        if PackageIsInstalled "inetd"; then
+        if PackageIsInstalled "inetd" || PackageIsInstalled "inetutils-inetd"; then
             INETD_PACKAGE_INSTALLED=1
             LogText "Result: inetd is installed"
             Display --indent 2 --text "- Installed inetd package" --result "${STATUS_FOUND}" --color YELLOW
@@ -61,7 +60,7 @@
     if [ ${SKIPTEST} -eq 0 ]; then
         # Check running processes
         LogText "Test: Searching for active inet daemon"
-        if IsRunning "inetd"; then
+        if IsRunning "inetd" || IsRunning "inetutils-inetd"; then
             LogText "Result: inetd is running"
             Display --indent 4 --text "- inetd status" --result "${STATUS_ACTIVE}" --color GREEN
             INETD_ACTIVE=1
@@ -298,7 +297,7 @@
     #if [ ${SKIPTEST} -eq 0 ]; then
     #    # Check presence of Rsh Trust Files
     #    FOUND=0
-    #    for LINE in $(${CAT_BINARY} /etc/passwd | ${EGREPBINARY} -v '^(root|halt|sync|shutdown)' | ${AWKBINARY} -F: '($7 !="/sbin/nologin" && $7 != "/bin/false") { print }'); do
+    #    for LINE in $(${CAT_BINARY} /etc/passwd | ${GREPBINARY} -E -v '^(root|halt|sync|shutdown)' | ${AWKBINARY} -F: '($7 !="/sbin/nologin" && $7 != "/bin/false") { print }'); do
     #        USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1)
     #        DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6)
     #            if [ -d ${DIR} ]; then
@@ -371,7 +370,7 @@
 #
 #################################################################################
 #
-    # Test        : INSE-8312
+    # Test        : INSE-8322
     # Description : Check if telnet server is installed
     Register --test-no INSE-8322 --package-manager-required --weight L --network NO --category security --description "Check if telnet server is installed"
     if [ ${SKIPTEST} -eq 0 ]; then
@@ -492,6 +491,8 @@
 #
 #################################################################################
 #
+    # Test        : INSE-8050
+    # Description : Check for insecure services on macOS
     if [ -n "${LAUNCHCTL_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="No launchctl binary on this system"; fi
     Register --test-no INSE-8050 --os "macOS" --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight M --network NO --category security --description "Check for insecure services on macOS"
     if [ ${SKIPTEST} -eq 0 ]; then

include/tests_kerberos

@@ -0,0 +1,188 @@
+#!/bin/sh
+
+InsertSection "${SECTION_KERBEROS}"
+
+#
+#########################################################################
+#
+
+    # Test        : KRB-1000
+    # Description : Check that Kerberos principals have passwords that expire
+    Register --test-no KRB-1000 --weight L --network NO --description "Check for Kerberos KDC tools"
+    if [ -n "${KADMINLOCALBINARY}" ] && [ -n "${KDB5UTILBINARY}" ]
+    then
+        PREQS_MET="YES"
+        # Make sure krb5 debugging doesn't mess up the output
+        unset KRB5_TRACE
+        PRINCS="$(${KADMINLOCALBINARY} listprincs 2>/dev/null | ${TRBINARY:-tr} '\n' ' ')"
+        if [ -z "${PRINCS}" ]
+        then
+            PREQS_MET="NO"
+        fi
+    else
+        PREQS_MET="NO"
+    fi
+    if [ "${PREQS_MET}" = "YES" ]; then
+        Display --indent 2 --text "- Check for Kerberos KDC and principals" --result "${STATUS_FOUND}" --color GREEN
+    else
+        Display --indent 2 --text "- Check for Kerberos KDC and principals" --result "${STATUS_NOT_FOUND}" --color WHITE
+    fi
+
+    # Test        : KRB-1010
+    # Description : Check that Kerberos principals have passwords that expire
+    Register --test-no KRB-1010 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check that Kerberos principals have passwords that expire"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        FOUND=0
+        for I in ${PRINCS}
+        do
+            FIND="$(${KADMINLOCALBINARY} getprinc "${I}" | ${GREPBINARY} '^Password expiration date:')"
+            if [ "${FIND}" = "Password expiration date: [never]" ]
+            then
+                LogText "Result: Kerberos principal ${I} has a password/key that never expires"
+                FOUND=1
+            fi
+        done
+        if [ ${FOUND} -eq 1 ]; then
+            Display --indent 4 --text "- Principals without expiring password" --result "${STATUS_WARNING}" --color RED
+            ReportSuggestion "${TEST_NO}" "Make sure all your Kerberos principals have expiring passwords"
+        else
+            Display --indent 4 --text "- Principals without expiring password" --result "${STATUS_OK}" --color GREEN
+        fi
+    fi
+#
+#################################################################################
+#
+
+    # Test        : KRB-1020
+    # Description : Check last password change for Kerberos principals
+    Register --test-no KRB-1020 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check last password change for Kerberos principals"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        FOUND=0
+        for I in ${PRINCS}
+        do
+            FIND="$(${KADMINLOCALBINARY} getprinc "${I}" | ${SEDBINARY} -n '/^Last password change:\s\+/s/^Last password change:\s\+//p')"
+            if [ "${FIND}" = "[never]" ]
+            then
+                LogText "Result: Kerberos principal ${I} has a password/key that has never been changed"
+                FOUND=1
+            else
+                J="$(date -d "${FIND}" +%s)"
+                if [ ${J} -lt $((NOW - 60 * 60 * 24 * 365)) ]
+                then
+                    LogText "Result: Kerberos principal ${I} has had a password/key change over a year ago"
+                    FOUND=1
+                fi
+            fi
+        done
+        if [ ${FOUND} -eq 1 ]; then
+            Display --indent 4 --text "- Principals with late password change" --result "${STATUS_WARNING}" --color RED
+            ReportSuggestion "${TEST_NO}" "Enforce frequent password/key change for your Kerberos principals"
+        else
+            Display --indent 4 --text "- Principals with late password change" --result "${STATUS_OK}" --color GREEN
+        fi
+    fi
+
+#
+#################################################################################
+#
+
+    # Test        : KRB-1030
+    # Description : Check that Kerberos principals have a policy associated to them
+    Register --test-no KRB5-1030 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check that Kerberos principals have a policy associated to them"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        FOUND=0
+        for I in ${PRINCS}
+        do
+            FIND="$(${KADMINLOCALBINARY} getprinc "${I}" | ${GREPBINARY} '^Policy:')"
+            if [ "${FIND}" = "Policy: [none]" ]
+            then
+                LogText "Result: Kerberos principal ${I} does not have a policy associated to it"
+                FOUND=1
+            fi
+        done
+        if [ ${FOUND} -eq 1 ]; then
+            Display --indent 4 --text "- Principals without associated policy" --result "${STATUS_WARNING}" --color RED
+            ReportSuggestion "${TEST_NO}" "Make sure all your Kerberos principals have a policy associated to them"
+        else
+            Display --indent 4 --text "- Principals without associated policy" --result "${STATUS_OK}" --color GREEN
+        fi
+    fi
+
+#
+#################################################################################
+#
+
+    # Test        : KRB-1040
+    # Description : Check various attributes for Kerberos principals
+    Register --test-no KRB5-1040 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check various attributes for Kerberos principals"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        FOUND=0
+        for I in ${PRINCS}
+        do
+            J="$(${KADMINLOCALBINARY} getprinc "${I}" | ${SEDBINARY} -n 's/^Attributes:\s\+\(.\+\)$/\1/p')"
+            if ContainsString "^K/M@" "${I}" || \
+                ContainsString "^kadmin/admin@" "${I}" || \
+                ContainsString "^kadmin/changepw@" "${I}" || \
+                ContainsString "^krbtgt/" "${I}"
+            then
+                if ! ContainsString "\bLOCKDOWN_KEYS\b" "${J}"
+                then
+                    LogText "Result: Sensitive Kerberos principal ${I} does not have the lockdown_keys attribute"
+                    FOUND=1
+                fi
+            elif ContainsString "/admin@" "${I}"
+            then
+                if ! ContainsString "\bDISALLOW_TGT_BASED\b" "${J}"
+                then
+                    LogText "Result: Kerberos admin principal ${I} does not have the disallow_tgt_based attribute"
+                    FOUND=1
+                fi
+            elif ContainsString "^[^/$]+@" "${I}"
+            then
+                if ! ContainsString "\bREQUIRES_PRE_AUTH\b.+\bDISALLOW_SVR\b" "${J}"
+                then
+                    LogText "Result: Regular Kerberos user principal ${I} does not have the requires_pre_auth and/or the disallow_svr attribute"
+                    FOUND=1
+                fi
+            fi
+        done
+        if [ ${FOUND} -eq 1 ]; then
+            Display --indent 4 --text "- Checking principals for various attributes" --result "${STATUS_WARNING}" --color RED
+            ReportSuggestion "${TEST_NO}" "Harden your Kerberos principals with appropriate attributes"
+        else
+            Display --indent 4 --text "- Checking principals for various attributes" --result "${STATUS_OK}" --color GREEN
+        fi
+    fi
+
+#
+#################################################################################
+#
+
+    # Test        : KRB-1050
+    # Description : Check for weak crypto
+    Register --test-no KRB-1050 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for weak crypto"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        FIND=$(${KDB5UTILBINARY} tabdump keyinfo | ${AWKBINARY} '$4 ~ /(des|arcfour|cbc|sha1)/{print$1,$4}')
+        if [ -n "${FIND}" ]; then
+            while read I J
+            do
+                LogText "Result: Kerberos principal ${I} has a key with weak cryptographic algorithm ${J}"
+            done << EOF
+${FIND}
+EOF
+            Display --indent 4 --text "- Principals with weak crypto" --result "${STATUS_WARNING}" --color RED
+            ReportSuggestion "${TEST_NO}" "Remove weak (des|arcfour|cbc|sha1) cryptographic keys from principals"
+        else
+            Display --indent 4 --text "- Principals with weak crypto" --result "${STATUS_OK}" --color GREEN
+        fi
+    fi
+
+#
+#################################################################################
+#
+
+unset PRINCS
+unset I
+unset J
+
+#EOF

include/tests_kernel

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
 # Website  : https://cisofy.com
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -41,28 +40,17 @@
     if [ ${SKIPTEST} -eq 0 ]; then
         # Checking if we can find the systemd default target
         LogText "Test: Checking for systemd default.target"
-        if [ -L ${ROOTDIR}etc/systemd/system/default.target ]; then
+        if [ $( [ ! -z ${SYSTEMCTLBINARY} ] && ${SYSTEMCTLBINARY} get-default) ]; then
-            LogText "Result: symlink found"
+            FIND=$(${SYSTEMCTLBINARY} get-default)
-            if HasData "${READLINKBINARY}"; then
+            FIND2=$(${ECHOCMD} ${FIND} | ${EGREPBINARY} "runlevel5|graphical")
-                FIND=$(${READLINKBINARY} ${ROOTDIR}etc/systemd/system/default.target)
+            if HasData "${FIND2}"; then
-                if ! HasData "${FIND}"; then
+                LogText "Result: Found match on runlevel5/graphical"
-                    LogText "Exception: can't find the target of the symlink of /etc/systemd/system/default.target"
+                Display --indent 2 --text "- Checking default runlevel" --result "runlevel 5" --color GREEN
-                    ReportException "${TEST_NO}:01"
+                Report "linux_default_runlevel=5"
-                else
-                    FIND2=$(${ECHOCMD} ${FIND} | ${EGREPBINARY} "runlevel5|graphical")
-                    if HasData "${FIND2}"; then
-                        LogText "Result: Found match on runlevel5/graphical"
-                        Display --indent 2 --text "- Checking default runlevel" --result "runlevel 5" --color GREEN
-                        Report "linux_default_runlevel=5"
-                    else
-                        LogText "Result: No match found on runlevel, defaulting to runlevel 3"
-                        Display --indent 2 --text "- Checking default runlevel" --result "runlevel 3" --color GREEN
-                        Report "linux_default_runlevel=3"
-                    fi
-                fi
             else
-                LogText "Result: No readlink binary, can't determine where symlink is pointing to"
+                LogText "Result: No match found on runlevel, defaulting to runlevel 3"
-                Display --indent 2 --text "- Checking default run level" --result "${STATUS_UNKNOWN}" --color YELLOW
+                Display --indent 2 --text "- Checking default runlevel" --result "runlevel 3" --color GREEN
+                Report "linux_default_runlevel=3"
             fi
         else
             LogText "Result: no systemd found, so trying inittab"
@@ -187,6 +175,7 @@
             # Checking if any modules are loaded
             FIND=$(${LSMODBINARY} | ${GREPBINARY} -v "^Module" | wc -l | ${TRBINARY} -s ' ' | ${TRBINARY} -d ' ')
             Display --indent 2 --text "- Checking kernel type" --result "${STATUS_DONE}" --color GREEN
+            MONOLITHIC_KERNEL_TESTED=1
             if [ "${FIND}" = "0" ]; then
                 LogText "Result: Found monolithic kernel"
                 Report "linux_kernel_type=monolithic"
@@ -368,14 +357,14 @@
 #
     # Test        : KRNL-5788
     # Description : Checking availability new kernel
-    if [ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION}" = "Ubuntu" ] ||
+    if [ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION}" = "Ubuntu" ] || [ "${LINUX_VERSION_LIKE}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" = "Ubuntu" ]; then
-           [ "${LINUX_VERSION_LIKE}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" = "Ubuntu" ]; then
         PREQS_MET="YES"
     else
         PREQS_MET="NO"
     fi
     Register --test-no KRNL-5788 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking availability new Linux kernel"
     if [ ${SKIPTEST} -eq 0 ]; then
+        FINDKERNEL=""
         HAS_VMLINUZ=0
         LogText "Test: Searching apt-cache, to determine if a newer kernel is available"
         if [ -x ${ROOTDIR}usr/bin/apt-cache ]; then
@@ -384,62 +373,69 @@
             if [ -f ${ROOTDIR}vmlinuz -o -f ${ROOTDIR}boot/vmlinuz ]; then
                 HAS_VMLINUZ=1
                 if [ -f ${ROOTDIR}vmlinuz ]; then
-                    FINDVMLINUZ=${ROOTDIR}vmlinuz
+                    FINDVMLINUZ="${ROOTDIR}vmlinuz"
                 else
-                    FINDVMLINUZ=${ROOTDIR}boot/vmlinuz
+                    FINDVMLINUZ="${ROOTDIR}boot/vmlinuz"
                 fi
                 LogText "Result: found ${FINDVMLINUZ}"
                 LogText "Test: checking readlink location of ${FINDVMLINUZ}"
                 FINDKERNFILE=$(readlink -f ${FINDVMLINUZ})
                 LogText "Output: readlink reported file ${FINDKERNFILE}"
-                LogText "Test: checking package from dpkg -S"
+                LogText "Test: checking relevant package using output from dpkg -S"
                 FINDKERNEL=$(dpkg -S ${FINDKERNFILE} 2> /dev/null | ${AWKBINARY} -F : '{print $1}')
                 LogText "Output: dpkg -S reported package ${FINDKERNEL}"
             elif [ -e ${ROOTDIR}dev/grsec ]; then
-                FINDKERNEL=linux-image-$(uname -r)
+                FINDKERNEL="linux-image-$(uname -r)"
                 LogText "Result: ${ROOTDIR}vmlinuz missing due to grsecurity; assuming ${FINDKERNEL}"
             elif [ -e ${ROOTDIR}etc/rpi-issue ]; then
-                FINDKERNEL=raspberrypi-kernel
+                FINDKERNEL="raspberrypi-kernel"
                 LogText "Result: ${ROOTDIR}vmlinuz missing due to Raspbian"
-            elif `${EGREPBINARY} -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf`; then
+            elif $(${GREPBINARY} -E -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf); then
-                FINDKERNEL=linux-image-$(uname -r)
+                FINDKERNEL="linux-image-$(uname -r)"
                 LogText "Result: ${ROOTDIR}vmlinuz missing due to /etc/kernel-img.conf item do_symlinks = No"
             else
-                LogText "This system is missing ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz.  Unable to check whether kernel is up-to-date."
+                LogText "This system is missing ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz. Unable to check whether kernel is up-to-date."
                 ReportSuggestion "${TEST_NO}" "Determine why ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz is missing on this Debian/Ubuntu system." "/vmlinuz or /boot/vmlinuz"
             fi
-            LogText "Test: Using apt-cache policy to determine if there is an update available"
+
-            FINDINST=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ')
+            if IsEmpty "${FINDKERNEL}"; then
-            FINDCAND=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Candidate' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ')
+                LogText "Result: could not check kernel update status as kernel is unknown"
-            LogText "Kernel installed: ${FINDINST}"
-            LogText "Kernel candidate: ${FINDCAND}"
-            if IsEmpty "${FINDINST}"; then
-                Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_UNKNOWN}" --color YELLOW
-                LogText "Result: Exception occurred, no output from apt-cache policy"
-                if [ ${HAS_VMLINUZ} -eq 1 ]; then
-                    ReportException "${TEST_NO}:01"
-                    ReportSuggestion "${TEST_NO}" "Check the output of apt-cache policy to determine why its output is empty"
-                fi
-                LogText "Result: apt-cache policy did not return an installed kernel version"
             else
-                if [ "${FINDINST}" = "${FINDCAND}" ]; then
+                LogText "Result: found kernel '${FINDKERNEL}' which will be used for further testing"
-                    if [ -e /dev/grsec ]; then
+                LogText "Test: Using apt-cache policy to determine if there is an update available"
-                        Display --indent 2 --text "- Checking for available kernel update" --result GRSEC --color GREEN
+                FINDINSTALLED=$(apt-cache policy ${FINDKERNEL} | ${GREPBINARY} -E 'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ')
-                        LogText "Result: Grsecurity is installed; unable to determine if there's a newer kernel available"
+                FINDCANDIDATE=$(apt-cache policy ${FINDKERNEL} | ${GREPBINARY} -E 'Candidate' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ')
-                        ReportManual "Manually check to confirm you're using a recent kernel and grsecurity patch"
+                LogText "Kernel installed: ${FINDINSTALLED}"
-                    else
+                LogText "Kernel candidate: ${FINDCANDIDATE}"
-                        Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_OK}" --color GREEN
+                if IsEmpty "${FINDINSTALLED}"; then
-                        LogText "Result: no kernel update available"
+                    Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_UNKNOWN}" --color YELLOW
+                    LogText "Result: Exception occurred, no output from apt-cache policy"
+                    if [ ${HAS_VMLINUZ} -eq 1 ]; then
+                        ReportException "${TEST_NO}:01" "Found vmlinuz (${FINDVMLINUZ}) but could not determine the installed kernel using apt-cache policy"
+                        ReportSuggestion "${TEST_NO}" "Check the output of apt-cache policy to determine why its output is empty"
                     fi
+                    LogText "Result: apt-cache policy did not return an installed kernel version"
                 else
-                    Display --indent 2 --text "- Checking for available kernel update" --result "UPDATE AVAILABLE" --color YELLOW
+                    if [ "${FINDINSTALLED}" = "${FINDCANDIDATE}" ]; then
-                    LogText "Result: kernel update available according 'apt-cache policy'."
+                        if [ -e /dev/grsec ]; then
-                    ReportSuggestion "${TEST_NO}" "Determine priority for available kernel update"
+                            Display --indent 2 --text "- Checking for available kernel update" --result GRSEC --color GREEN
+                            LogText "Result: Grsecurity is installed; unable to determine if there's a newer kernel available"
+                            ReportManual "Manually check to confirm you're using a recent kernel and grsecurity patch"
+                        else
+                            Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_OK}" --color GREEN
+                            LogText "Result: no kernel update available"
+                        fi
+                    else
+                        Display --indent 2 --text "- Checking for available kernel update" --result "UPDATE AVAILABLE" --color YELLOW
+                        LogText "Result: kernel update available according 'apt-cache policy'."
+                        ReportSuggestion "${TEST_NO}" "Determine priority for available kernel update"
+                    fi
                 fi
             fi
         else
-            LogText "Result: could NOT find /usr/bin/apt-cache, skipped other tests."
+            LogText "Result: could NOT find ${ROOTDIR}usr/bin/apt-cache, skipped other tests."
         fi
+        unset FINDCANDIDATE FINDINSTALLED FINDKERNEL HAS_VMLINUZ
     fi
 #
 #################################################################################
@@ -460,12 +456,12 @@
             SYSD_CORED_BASE_STORAGE_FOUND=$(${GREPBINARY} -v "^ *#" ${ROOTDIR}etc/systemd/coredump.conf 2> /dev/null | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -i "^Storage=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g')
             SYSD_CORED_BASE_STORAGE_NR_ENABLED=$(${ECHOCMD} "${SYSD_CORED_BASE_STORAGE_FOUND}" | ${SEDBINARY} 's/none//g' | ${WCBINARY} | ${AWKBINARY} '{print $2}')
             SYSD_CORED_BASE_STORAGE_NR_DISABLED=$(${ECHOCMD} "${SYSD_CORED_BASE_STORAGE_FOUND}" | ${GREPBINARY} -o "none" | ${WCBINARY} | ${AWKBINARY} '{print $2}')
-            # check conf files in possibly existing coredump.conf.d folders 
+            # check conf files in possibly existing coredump.conf.d folders
             # using find instead of grep -r to stay POSIX compliant. On AIX and HPUX grep -r is not available.
             # while there could be multiple files overwriting each other, we are checking the number of occurrences
-            SYSD_CORED_SUB_PROCSIZEMAX_NR_DISABLED=$(${FINDBINARY} /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} "^0 *$" | ${WCBINARY} -l)
+            SYSD_CORED_SUB_PROCSIZEMAX_NR_DISABLED=$(${FINDBINARY} -L /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} "^0 *$" | ${WCBINARY} -l)
-            SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED=$(${FINDBINARY} /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} -v "^0 *$" | ${WCBINARY} -l)
+            SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED=$(${FINDBINARY} -L /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} -v "^0 *$" | ${WCBINARY} -l)
-            SYSD_CORED_SUB_STORAGE_FOUND=$(${FINDBINARY} /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^Storage=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g')
+            SYSD_CORED_SUB_STORAGE_FOUND=$(${FINDBINARY} -L /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^Storage=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g')
             SYSD_CORED_SUB_STORAGE_NR_ENABLED=$(${ECHOCMD} "${SYSD_CORED_SUB_STORAGE_FOUND}" | ${SEDBINARY} 's/none//g' | ${WCBINARY} | ${AWKBINARY} '{print $2}')
             SYSD_CORED_SUB_STORAGE_NR_DISABLED=$(${ECHOCMD} "${SYSD_CORED_SUB_STORAGE_FOUND}" | ${GREPBINARY} -o "none" | ${WCBINARY} | ${AWKBINARY} '{print $2}')
             if ( [ ${SYSD_CORED_BASE_PROCSIZEMAX_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_BASE_STORAGE_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -eq 0 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -eq 0 ] ) || \
@@ -505,82 +501,85 @@
         if [ -f "${ROOTDIR}etc/profile" ]; then
             LogText "Test: Checking if 'ulimit -c 0' exists in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh"
             # use tail -1 in the following commands to get the last entry, which is the one that counts (in case of profile.d/ probably counts)
-            ULIMIT_C_VALUE="$(${GREPBINARY} "ulimit -c " ${ROOTDIR}etc/profile 2> /dev/null | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -v "^#" | ${TAILBINARY} -1 | ${CUTBINARY} -d' ' -f3 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g')"
+            ULIMIT_C_VALUE="$(${GREPBINARY} "ulimit -H\?c " ${ROOTDIR}etc/profile 2> /dev/null | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -v "^#" | ${TAILBINARY} -1 | ${CUTBINARY} -d' ' -f3 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g')"
-            ULIMIT_C_VALUE_SUB="$(${FINDBINARY} ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} "ulimit -c " | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -v "^#" | ${TAILBINARY} -1 | ${CUTBINARY} -d' ' -f3 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g')"
+            ULIMIT_C_VALUE_SUB="$(${FINDBINARY} -L ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} "ulimit -H\?c " | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -v "^#" | ${TAILBINARY} -1 | ${CUTBINARY} -d' ' -f3 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g')"
             if ( [ -n "${ULIMIT_C_VALUE_SUB}" ] && [ "${ULIMIT_C_VALUE_SUB}" = "0" ] ) || ( [ -n "${ULIMIT_C_VALUE}" ] && [ -z "${ULIMIT_C_VALUE_SUB}" ] && [ "${ULIMIT_C_VALUE}" = "0" ] ); then
                 LogText "Result: core dumps are disabled by 'ulimit -c 0' in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh"
                 Display --indent 4 --text "- configuration in etc/profile" --result "${STATUS_DISABLED}" --color GREEN
                 AddHP 1 1
             elif [ -z "${ULIMIT_C_VALUE_SUB}" ] && [ -z "${ULIMIT_C_VALUE}" ]; then
                 LogText "Result: core dumps are not disabled in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh config files. Didn't find setting 'ulimit -c 0'"
-                Display --indent 4 --text "- configuration in etc/profile" --result "${STATUS_DEFAULT}" --color WHITE
+                Display --indent 4 --text "- configuration in ${ROOTDIR}etc/profile" --result "${STATUS_DEFAULT}" --color WHITE
                 AddHP 0 1
             elif ( [ -n "${ULIMIT_C_VALUE_SUB}" ] && ( [ "${ULIMIT_C_VALUE_SUB}" = "unlimited" ] || [ "${ULIMIT_C_VALUE_SUB}" != "0" ] ) ) || ( [ -n "${ULIMIT_C_VALUE}" ] && [ -z "${ULIMIT_C_VALUE_SUB}" ] && ( [ "${ULIMIT_C_VALUE}" = "unlimited" ] || [ "${ULIMIT_C_VALUE}" != "0" ] ) ); then
                 LogText "Result: core dumps are enabled in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh config files. A value higher than 0 is configured for 'ulimit -c'"
-                Display --indent 4 --text "- configuration in etc/profile" --result "${STATUS_ENABLED}" --color RED
+                Display --indent 4 --text "- configuration in ${ROOTDIR}etc/profile" --result "${STATUS_ENABLED}" --color RED
                 AddHP 0 1
             else
                 LogText "Result: ERROR - something went wrong. Unexpected result during check of ${ROOTDIR}etc/profile and ${ROOTDIR}etc/profile.d/*.sh config files. Please report on Github!"
-                Display --indent 4 --text "- configuration in etc/profile" --result "${STATUS_ERROR}" --color YELLOW
+                Display --indent 4 --text "- configuration in ${ROOTDIR}etc/profile" --result "${STATUS_ERROR}" --color YELLOW
             fi
         fi
-        # Limits option
-        LogText "Test: Checking presence ${ROOTDIR}etc/security/limits.conf"
-        if [ -f "${ROOTDIR}etc/security/limits.conf" ]; then
-            LogText "Result: file ${ROOTDIR}etc/security/limits.conf exists"
-            LogText "Test: Checking if core dumps are disabled in ${ROOTDIR}etc/security/limits.conf and ${LIMITS_DIRECTORY}/*"
-            # using find instead of grep -r to stay POSIX compliant. On AIX and HPUX grep -r is not available.
-            FIND1=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="0") { print "soft core disabled" } else if ($1=="*" && $2=="soft" && $3=="core" && $4!="0") { print "soft core enabled" } }' | ${TAILBINARY} -1)
-            FIND2=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="0") { print "hard core disabled" } else if ($1=="*" && $2=="hard" && $3=="core" && $4!="0") { print "hard core enabled" } }' | ${TAILBINARY} -1)
-            FIND3=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="-" && $3=="core" && $4=="0") { print "core dumps disabled" } else if ($1=="*" && $2=="-" && $3=="core" && $4!="0") { print "core dumps enabled" } }' | ${TAILBINARY} -1)
 
-            # When "* - core [value]" is used, then this sets both soft and core. In that case we set the values, as they the type 'hard' and 'soft' will not be present in the configuration file.
+        # Limits options
-            if [ "${FIND3}" = "core dumps disabled" ]; then
+        for DIR in "/" "/usr/"; do
-                FIND1="soft core disabled"
+            LogText "Test: Checking presence ${DIR}etc/security/limits.conf"
-                FIND2="hard core disabled"
+            if [ -f "${DIR}etc/security/limits.conf" ]; then
-            elif [ "${FIND3}" = "core dumps enabled" ]; then
+                LogText "Result: file ${DIR}etc/security/limits.conf exists"
-                FIND1="soft core enabled"
+                LogText "Test: Checking if core dumps are disabled in ${DIR}etc/security/limits.conf and ${LIMITS_DIRECTORY}/*"
-                FIND2="hard core enabled"
+                # using find instead of grep -r to stay POSIX compliant. On AIX and HPUX grep -r is not available.
-            fi
+                FIND1=$(${FINDBINARY} -L "${DIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="0") { print "soft core disabled" } else if ($1=="*" && $2=="soft" && $3=="core" && $4!="0") { print "soft core enabled" } }' | ${TAILBINARY} -1)
+                FIND2=$(${FINDBINARY} -L "${DIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="0") { print "hard core disabled" } else if ($1=="*" && $2=="hard" && $3=="core" && $4!="0") { print "hard core enabled" } }' | ${TAILBINARY} -1)
+                FIND3=$(${FINDBINARY} -L "${DIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="-" && $3=="core" && $4=="0") { print "core dumps disabled" } else if ($1=="*" && $2=="-" && $3=="core" && $4!="0") { print "core dumps enabled" } }' | ${TAILBINARY} -1)
 
-            IS_SOFTCORE_DISABLED="$(if [ "${FIND1}" = "soft core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND1}" = "soft core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} ${STATUS_DEFAULT}; fi)"
+                # When "* - core [value]" is used, then this sets both soft and core. In that case we set the values, as they the type 'hard' and 'soft' will not be present in the configuration file.
-            IS_HARDCORE_DISABLED="$(if [ "${FIND2}" = "hard core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND2}" = "hard core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} ${STATUS_DEFAULT}; fi)"
+                if [ "${FIND3}" = "core dumps disabled" ]; then
-
+                    FIND1="soft core disabled"
-            if [ "${FIND2}" = "hard core disabled" ]; then
+                    FIND2="hard core disabled"
-                LogText "Result: core dumps are hard disabled"
+                elif [ "${FIND3}" = "core dumps enabled" ]; then
-                Display --indent 4 --text "- 'hard' configuration in security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "GREEN"
+                    FIND1="soft core enabled"
-                if [ "${FIND1}" = "soft core disabled" ]; then
+                    FIND2="hard core enabled"
-                    Display --indent 4 --text "- 'soft' configuration in security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "GREEN"
+                fi
-                else
+
-                    Display --indent 4 --text "- 'soft' config in security/limits.conf (implicit)" --result "${STATUS_DISABLED}" --color "GREEN"
+                IS_SOFTCORE_DISABLED="$(if [ "${FIND1}" = "soft core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND1}" = "soft core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} ${STATUS_DEFAULT}; fi)"
+                IS_HARDCORE_DISABLED="$(if [ "${FIND2}" = "hard core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND2}" = "hard core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} ${STATUS_DEFAULT}; fi)"
+
+                if [ "${FIND2}" = "hard core disabled" ]; then
+                    LogText "Result: core dumps are hard disabled"
+                    Display --indent 4 --text "- 'hard' configuration in ${DIR}etc/security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "GREEN"
+                    if [ "${FIND1}" = "soft core disabled" ]; then
+                        Display --indent 4 --text "- 'soft' configuration in ${DIR}etc/security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "GREEN"
+                    else
+                        Display --indent 4 --text "- 'soft' config in ${DIR}etc/security/limits.conf (implicit)" --result "${STATUS_DISABLED}" --color "GREEN"
+                    fi
+                    AddHP 3 3
+                elif [ "${FIND1}" = "soft core enabled" ] && [ "${FIND2}" = "hard core enabled" ]; then
+                    LogText "Result: core dumps (soft and hard) are enabled"
+                    Display --indent 4 --text "- 'hard' configuration in ${DIR}etc/security/limits.conf" --result "${STATUS_ENABLED}" --color "RED"
+                    Display --indent 4 --text "- 'soft' configuration in ${DIR}etc/security/limits.conf" --result "${STATUS_ENABLED}" --color "RED"
+                    ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in /etc/security/limits.conf file"
+                    AddHP 0 3
+                elif [ "${FIND1}" = "soft core disabled" ]; then
+                    LogText "Result: core dumps are disabled for 'soft' ('hard'=${IS_HARDCORE_DISABLED})"
+                    Display --indent 4 --text "- 'hard' configuration in ${DIR}etc/security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "$(if [ "${IS_HARDCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_HARDCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)"
+                    Display --indent 4 --text "- 'soft' configuration in ${DIR}etc/security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "GREEN"
+                    AddHP 2 3
+                elif [ "${FIND1}" = "soft core enabled" ] || [ "${FIND2}" = "hard core enabled" ]; then
+                    LogText "Result: core dumps are partially enabled ('hard'=${IS_HARDCORE_DISABLED}, 'soft'=${IS_SOFTCORE_DISABLED})"
+                    Display --indent 4 --text "- 'hard' configuration in ${DIR}etc/security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "$(if [ "${IS_HARDCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_HARDCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)"
+                    Display --indent 4 --text "- 'soft' configuration in ${DIR}etc/security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "$(if [ "${IS_SOFTCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_SOFTCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)"
+                    AddHP 0 3
+                else
+                    LogText "Result: core dumps are not explicitly disabled"
+                    Display --indent 4 --text "- 'hard' configuration in ${DIR}etc/security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "WHITE"
+                    Display --indent 4 --text "- 'soft' configuration in ${DIR}etc/security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "WHITE"
+                    ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in ${DIR}etc/security/limits.conf file"
+                    AddHP 1 3
                 fi
-                AddHP 3 3
-            elif [ "${FIND1}" = "soft core enabled" ] && [ "${FIND2}" = "hard core enabled" ]; then
-                LogText "Result: core dumps (soft and hard) are enabled"
-                Display --indent 4 --text "- 'hard' configuration in security/limits.conf" --result "${STATUS_ENABLED}" --color "RED"
-                Display --indent 4 --text "- 'soft' configuration in security/limits.conf" --result "${STATUS_ENABLED}" --color "RED"
-                ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in /etc/security/limits.conf file"
-                AddHP 0 3
-            elif [ "${FIND1}" = "soft core disabled" ]; then
-                LogText "Result: core dumps are disabled for 'soft' ('hard'=${IS_HARDCORE_DISABLED})"
-                Display --indent 4 --text "- 'hard' configuration in security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "$(if [ "${IS_HARDCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_HARDCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)"
-                Display --indent 4 --text "- 'soft' configuration in security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "GREEN"
-                AddHP 2 3
-            elif [ "${FIND1}" = "soft core enabled" ] || [ "${FIND2}" = "hard core enabled" ]; then
-                LogText "Result: core dumps are partially enabled ('hard'=${IS_HARDCORE_DISABLED}, 'soft'=${IS_SOFTCORE_DISABLED})"
-                Display --indent 4 --text "- 'hard' configuration in security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "$(if [ "${IS_HARDCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_HARDCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)"
-                Display --indent 4 --text "- 'soft' configuration in security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "$(if [ "${IS_SOFTCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_SOFTCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)"
-                AddHP 0 3
             else
-                LogText "Result: core dumps are not explicitly disabled"
+                LogText "Result: file ${DIR}etc/security/limits.conf does not exist, skipping test for this file"
-                Display --indent 4 --text "- 'hard' configuration in security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "WHITE"
-                Display --indent 4 --text "- 'soft' configuration in security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "WHITE"
-                ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in ${ROOTDIR}etc/security/limits.conf file"
-                AddHP 1 3
             fi
-        else
+        done
-            LogText "Result: file ${ROOTDIR}etc/security/limits.conf does not exist, skipping test"
-        fi
 
         # Sysctl option
         LogText "Test: Checking sysctl value of fs.suid_dumpable"
@@ -615,25 +614,29 @@
     Register --test-no KRNL-5830 --os Linux --weight L --network NO --category security --description "Checking if system is running on the latest installed kernel"
     if [ ${SKIPTEST} -eq 0 ]; then
         REBOOT_NEEDED=2
-        FILE="${ROOTDIR}var/run/reboot-required.pkgs"
+        for FILE in "${ROOTDIR}var/run/reboot-required.pkgs" "${ROOTDIR}var/run/needs_restarting"
-        LogText "Test: Checking presence ${FILE}"
+        do
-        if [ -f ${FILE} ]; then
+            LogText "Test: Checking presence ${FILE}"
-            LogText "Result: file ${FILE} exists"
+            if [ -f ${FILE} ]; then
-            FIND=$(${WCBINARY} -l < ${FILE})
+                LogText "Result: file ${FILE} exists"
-            if [ "${FIND}" = "0" ]; then
+                FIND=$(${WCBINARY} -l < ${FILE})
-                LogText "Result: No reboot needed (file empty)"
+                if [ "${FIND}" = "0" ]; then
-                REBOOT_NEEDED=0
+                    LogText "Result: No reboot needed (file empty)"
+                    REBOOT_NEEDED=0
+                    break
+                else
+                    PKGSCOUNT=$(${WCBINARY} -l < ${FILE})
+                    LogText "Result: reboot is needed, related to ${PKGSCOUNT} packages"
+                    for I in ${FIND}; do
+                        LogText "Package: ${I}"
+                    done
+                    REBOOT_NEEDED=1
+                    break
+                fi
             else
-                PKGSCOUNT=$(${WCBINARY} -l < ${FILE})
+                LogText "Result: file ${FILE} not found"
-                LogText "Result: reboot is needed, related to ${PKGSCOUNT} packages"
-                for I in ${FIND}; do
-                    LogText "Package: ${I}"
-                done
-                REBOOT_NEEDED=1
             fi
-        else
+        done
-            LogText "Result: file ${FILE} not found"
-        fi
 
         # Check if /boot exists
         if [ -d "${ROOTDIR}boot" ]; then
@@ -663,7 +666,10 @@
                         ReportException "${TEST_NO}:1" "Can't determine kernel version on disk, need debug data"
                     fi
                 elif [ -f ${ROOTDIR}boot/vmlinuz-linux ] || [ -f ${ROOTDIR}boot/vmlinuz-linux-lts ] || [ -f "$(${LSBINARY} -t ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${HEADBINARY} -1)" ]; then
-                    if [ -f ${ROOTDIR}boot/vmlinuz-linux ]; then
+                    if [ -f ${ROOTDIR}boot/vmlinuz ]; then
+                          LogText "Result: found ${ROOTDIR}boot/vmlinuz"
+                          FOUND_VMLINUZ=${ROOTDIR}boot/vmlinuz
+                    elif [ -f ${ROOTDIR}boot/vmlinuz-linux ]; then
                         LogText "Result: found ${ROOTDIR}boot/vmlinuz-linux"
                         FOUND_VMLINUZ=${ROOTDIR}boot/vmlinuz-linux
                     elif [ -f ${ROOTDIR}boot/vmlinuz-linux-lts ]; then
@@ -675,7 +681,7 @@
                     else
                         # Match on items like /boot/vm5.3.7 or /boot/vmlinuz-5.3.7-1-default. Sort based on versions (-v) and then find the last item
                         # Note: ignore a rescue kernel (e.g. CentOS)
-                        FOUND_VMLINUZ=$(${LSBINARY} -v ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${GREPBINARY} -v '\-rescue\-' | ${TAILBINARY} -1)
+                        FOUND_VMLINUZ=$(${LSBINARY} -v ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${GREPBINARY} -v '\-rescue-' | ${TAILBINARY} -1)
                         LogText "Result: found ${FOUND_VMLINUZ}"
                     fi
 
@@ -809,7 +815,7 @@
             LogText "Check: try to find raspberrypi-kernel file in ${APT_ARCHIVE_DIRECTORY} and extract package date from file name"
 
             FOUND_KERNEL_DATE=$(${FINDBINARY} ${APT_ARCHIVE_DIRECTORY} -name "raspberrypi-kernel*" -printf "%T@ %Tc %p\n" 2> /dev/null \
-            | ${SORTBINARY} -nr | ${HEADBINARY} -1 | ${GREPBINARY} -o "raspberrypi-kernel.*deb" | ${EGREPBINARY} -o "\.[0-9]+" | ${SEDBINARY} 's/\.//g')
+            | ${SORTBINARY} -nr | ${HEADBINARY} -1 | ${GREPBINARY} -o "raspberrypi-kernel.*deb" | ${GREPBINARY} -E -o "\.[0-9]+" | ${SEDBINARY} 's/\.//g')
 
             if [ -n "${FOUND_KERNEL_DATE}" ]; then
                 FOUND_KERNEL_IN_SECONDS=$(date -d "${FOUND_KERNEL_DATE}" "+%s" 2> /dev/null)
@@ -823,7 +829,7 @@
             else
                 LogText "Result: Skipping this test, as extracting the seconds of package date failed"
             fi
-            
+
             if [ -n "${UNAME_OUTPUT}" ]; then
                 LogText "Result: Got an output from 'uname -v'"
                 LogText "Check: Trying to extract kernel build date from 'uname -v' output"
@@ -834,21 +840,21 @@
                             next="month"
                         fi
                     elif [ "$next" = "month" ]; then
-                        if [ $(${ECHOCMD} "${part}" | ${EGREPBINARY} -c "[A-Z][a-z]") -ge 1 ]; then
+                        if [ $(${ECHOCMD} "${part}" | ${GREPBINARY} -E -c "[A-Z][a-z]") -ge 1 ]; then
                             UNAME_DATE_MONTH="${part}"
                             next="day"
                         fi
                     elif [ "${next}" = "day" ]; then
-                        if [ $(${ECHOCMD} ${part} | ${EGREPBINARY} -c "[0-9][0-9]") -ge 1 ]; then
+                        if [ $(${ECHOCMD} ${part} | ${GREPBINARY} -E -c "[0-9][0-9]") -ge 1 ]; then
                             UNAME_DATE_DAY="${part}"
                             next="time"
                         fi
                     elif [ "${next}" = "time" ]; then
-                        if [ $(${ECHOCMD} ${part} | ${EGREPBINARY} -c ":[0-9][0-9]:") -ge 1 ]; then
+                        if [ $(${ECHOCMD} ${part} | ${GREPBINARY} -E -c ":[0-9][0-9]:") -ge 1 ]; then
                             next="year"
                         fi
                     elif [ "${next}" = "year" ]; then
-                        if [ $(${ECHOCMD} ${part} | ${EGREPBINARY} -c "[0-9][0-9]") -ge 1 ]; then
+                        if [ $(${ECHOCMD} ${part} | ${GREPBINARY} -E -c "[0-9][0-9]") -ge 1 ]; then
                             UNAME_DATE_YEAR="${part}"
                             break
                         fi
@@ -894,8 +900,7 @@
             else
                 LogText "Result: Did not get output from 'uname -v'. Skipping test."
             fi
-                
+
-            
         else
             LogText "Result: /var/cache/apt/archives/ does not exist"
         fi
@@ -918,6 +923,4 @@
 
 WaitForKeyPress
 
-#
+# EOF
-#================================================================================
-# Lynis - Copyright 2007-2021, CISOfy - https://cisofy.com

include/tests_kernel_hardening

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
 # Website  : https://cisofy.com
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are

include/tests_ldap

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
 # Website  : https://cisofy.com
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are

include/tests_logging

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
 # Website  : https://cisofy.com
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -28,6 +27,7 @@
     METALOG_RUNNING=0
     RFC3195D_RUNNING=0
     RSYSLOG_RUNNING=0
+    WAZUH_AGENT_RUNNING=0
     SOLARIS_LOGHOST=""
     SOLARIS_LOGHOST_FOUND=0
     SOLARIS_LOGHOST_LOCALHOST=0
@@ -45,7 +45,7 @@
     Register --test-no LOGG-2130 --weight L --network NO --category security --description "Check for running syslog daemon"
     if [ ${SKIPTEST} -eq 0 ]; then
         LogText "Test: Searching for a logging daemon"
-        FIND=$(${PSBINARY} ax | ${EGREPBINARY} "syslogd|syslog-ng|metalog|systemd-journal" | ${GREPBINARY} -v "grep")
+        FIND=$(${PSBINARY} ax | ${GREPBINARY} -E "syslogd|syslog-ng|metalog|systemd-journal" | ${GREPBINARY} -v "grep")
         if [ -z "${FIND}" ]; then
             Display --indent 2 --text "- Checking for a running log daemon" --result "${STATUS_WARNING}" --color RED
             LogText "Result: Could not find a syslog daemon like syslog, syslog-ng, rsyslog, metalog, systemd-journal"
@@ -220,6 +220,23 @@
     fi
 #
 #################################################################################
+#
+    # Test        : LOGG-2144
+    # Description : Check for wazuh-agent presence on Linux systems
+    Register --test-no LOGG-2144 --os Linux --weight L --network NO --category security --description "Checking wazuh-agent"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        LogText "Result: Searching for wazuh-agent instances in the process list"
+        if IsRunning "wazuh-agent"; then
+            LogText "Result: Found wazuh-agent in process list"
+            Display --indent 4 --text "- Checking wazuh-agent status" --result "${STATUS_FOUND}" --color GREEN
+            WAZUH_AGENT_RUNNING=1
+        else
+            LogText "Result: wazuh-agent NOT found in process list"
+            Display --indent 4 --text "- Checking wazuh-agent daemon status" --result "${STATUS_NOT_FOUND}" --color WHITE
+        fi
+    fi
+#
+#################################################################################
 #
     # Test        : LOGG-2146
     # Description : Check for logrotate (/etc/logrotate.conf and logrotate.d)
@@ -261,7 +278,7 @@
     Register --test-no LOGG-2148 --weight L --preqs-met ${PREQS_MET} --network NO --category security --description "Checking logrotated files"
     if [ ${SKIPTEST} -eq 0 ]; then
         LogText "Test: Checking which files are rotated with logrotate and if they exist"
-        FIND=$(${LOGROTATEBINARY} -d -v ${ROOTDIR}etc/logrotate.conf 2>&1 | ${EGREPBINARY} "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2!="log") { print "File:"$2":does_not_exist" } else { print "File:"$3":exists" } }')
+        FIND=$(${LOGROTATEBINARY} -d -v ${ROOTDIR}etc/logrotate.conf 2>&1 | ${GREPBINARY} -E "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2!="log") { print "File:"$2":does_not_exist" } else { print "File:"$3":exists" } }')
         if [ -z "${FIND}" ]; then
             LogText "Result: nothing found"
         else
@@ -280,7 +297,7 @@
     Register --test-no LOGG-2150 --weight L --preqs-met ${PREQS_MET} --network NO --category security --description "Checking directories in logrotate configuration"
     if [ ${SKIPTEST} -eq 0 ]; then
         LogText "Test: Checking which directories can be found in logrotate configuration"
-        FIND=$(${LOGROTATEBINARY} -d -v ${ROOTDIR}etc/logrotate.conf 2>&1 | ${EGREPBINARY} "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="log") { print $3 } }' | ${SEDBINARY} 's@/[^/]*$@@g' | ${SORTBINARY} -u)
+        FIND=$(${LOGROTATEBINARY} -d -v ${ROOTDIR}etc/logrotate.conf 2>&1 | ${GREPBINARY} -E "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="log") { print $3 } }' | ${SEDBINARY} 's@/[^/]*$@@g' | ${SORTBINARY} -u)
         if IsEmpty "${FIND}"; then
             LogText "Result: nothing found"
         else
@@ -345,7 +362,7 @@
     if [ ${SOLARIS_LOGHOST_FOUND} -eq 1 ] && [ -n "${SOLARIS_LOGHOST}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
     Register --test-no LOGG-2153 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking loghost is localhost"
     if [ ${SKIPTEST} -eq 0 ]; then
-        FIND=$(echo "${SOLARIS_LOGHOST}" | ${AWKBINARY} '{ print $1 }' | ${EGREPBINARY} "::1|127.0.0.1|127.1")
+        FIND=$(echo "${SOLARIS_LOGHOST}" | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} -E "::1|127.0.0.1|127.1")
         if [ -n "${FIND}" ]; then
             SOLARIS_LOGHOST_LOCALHOST=1
             LogText "Result: loghost entry is localhost (default)"
@@ -371,7 +388,7 @@
             TARGET="${ROOTDIR}etc/rsyslog.conf"
             if [ -f ${TARGET} ]; then
                 LogText "Test: analyzing file ${TARGET} for remote target"
-                DATA=$(${EGREPBINARY} "@@?([a-zA-Z0-9\-])+(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?" ${TARGET} | ${GREPBINARY} -v "#" | ${TRBINARY} -cd "[:print:]\n" | ${SEDBINARY} 's/[[:blank:]]\{1,\}/:space:/g')
+                DATA=$(${GREPBINARY} -E "@@?([a-zA-Z0-9\-])+(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?" ${TARGET} | ${GREPBINARY} -v "#" | ${TRBINARY} -cd "[:print:]\n" | ${SEDBINARY} 's/[[:blank:]]\{1,\}/:space:/g')
                 if [ -z "${DATA}" ]; then
                     LogText "Result: no remote target found"
                 else
@@ -387,11 +404,11 @@
             fi
             TARGET="${ROOTDIR}etc/rsyslog.d"
             if [ -d ${TARGET} ]; then
-                FILES=$(${FINDBINARY} ${TARGET} -type f -print0 | ${TRBINARY} -cd '[:print:]\0' | ${SEDBINARY} 's/[[:blank:]]/:space:/g' | ${TRBINARY} '\0' ' ')
+                FILES=$(${FINDBINARY} -L ${TARGET} -type f -print0 | ${TRBINARY} -cd '[:print:]\0' | ${SEDBINARY} 's/[[:blank:]]/:space:/g' | ${TRBINARY} '\0' ' ')
                 for F in ${FILES}; do
                     F=$(echo ${F} | ${SEDBINARY} 's/:space:/ /g')
                     LogText "Test: analyzing file ${F} for remote target"
-                    DATA=$(${EGREPBINARY} "@@?([a-zA-Z0-9\-])+(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?" ${F} | ${GREPBINARY} -v "#" | ${TRBINARY} -cd "[:print:]\n" | ${SEDBINARY} 's/[[:blank:]]\{1,\}/:space:/g')
+                    DATA=$(${GREPBINARY} -E "@@?([a-zA-Z0-9\-])+(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?" ${F} | ${GREPBINARY} -v "#" | ${TRBINARY} -cd "[:print:]\n" | ${SEDBINARY} 's/[[:blank:]]\{1,\}/:space:/g')
                     if [ -n "${DATA}" ]; then
                         LogText "Result: found remote target"
                         REMOTE_LOGGING_ENABLED=1
@@ -403,7 +420,7 @@
                         done
                     else
                         # Check new style configuration (omrelp/omfwd). This can be all on one line or even split over multiple lines.
-                        DATA=$(${EGREPBINARY} "target=\"([a-zA-Z0-9\-])" ${F})
+                        DATA=$(${GREPBINARY} -E "target=\"([a-zA-Z0-9\-])" ${F})
                         if [ -n "${DATA}" ]; then
                             LogText "Result: most likely remote log host is used, as keyword 'target' is used"
                             REMOTE_LOGGING_ENABLED=1
@@ -424,7 +441,7 @@
 
         if [ -f ${SYSLOGD_CONF} ]; then
             LogText "Test: check if logs are also logged to a remote logging host"
-            FIND=$(${EGREPBINARY} "@[a-zA-Z0-9]|destination\s.+(udp|tcp).+\sport" ${SYSLOGD_CONF} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "[a-zA-Z0-9]@")
+            FIND=$(${GREPBINARY} -E "@[a-zA-Z0-9]|destination\s.+(udp|tcp).+\sport" ${SYSLOGD_CONF} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "[a-zA-Z0-9]@")
             if [ -n "${FIND}" ]; then
                 FIND2=$(echo "${FIND}" | ${GREPBINARY} -v "@loghost")
                 if [ ${SOLARIS_LOGHOST_LOCALHOST} -eq 1 ] && [ -z "${FIND2}" ]; then
@@ -435,9 +452,9 @@
                 fi
             else
                 # Search for configured destinations with an IP address or hostname, then determine which ones are used as a log destination
-                DESTINATIONS=$(${GREPBINARY} "^destination" ${SYSLOGD_CONF} | ${EGREPBINARY} "(udp|tcp)" | ${GREPBINARY} "port" | ${AWKBINARY} '{print $2}')
+                DESTINATIONS=$(${GREPBINARY} "^destination" ${SYSLOGD_CONF} | ${GREPBINARY} -E "(udp|tcp)" | ${GREPBINARY} "port" | ${AWKBINARY} '{print $2}')
                 for DESTINATION in ${DESTINATIONS}; do
-                    FIND2=$(${GREPBINARY} "log" ${SYSLOGD_CONF} | ${GREPBINARY} "source" | ${EGREPBINARY} "destination\(${DESTINATION}\)")
+                    FIND2=$(${GREPBINARY} "log" ${SYSLOGD_CONF} | ${GREPBINARY} "source" | ${GREPBINARY} -E "destination\(${DESTINATION}\)")
                     if [ -n "${FIND2}" ]; then
                         LogText "Result: found destination ${DESTINATION} configured for remote logging"
                         REMOTE_LOGGING_ENABLED=1
@@ -446,6 +463,21 @@
             fi
         fi
 
+        # Test wazuh-agent configuration for syslog configuration
+        if [ ${WAZUH_AGENT_RUNNING} ]; then
+            WAZUH_AGENT_CONF="/var/ossec/etc/ossec.conf"
+        fi
+
+        if [ -f ${WAZUH_AGENT_CONF} ]; then
+            LogText "Test: Checking Wazuh agent configuration for remote syslog forwarding"
+            FIND=$(${EGREPBINARY} '<location>/var/log/syslog</location>' ${WAZUH_AGENT_CONF})
+            if [ "${FIND}" ]; then
+                DESTINATION=$(${EGREPBINARY} -o '<address>([A-Za-z0-9\.\-\_]*)</address>' ${WAZUH_AGENT_CONF} | sed 's/<address>//' | sed 's/<\/address>//')
+                LogText "Result: found destination ${DESTINATION} configured for remote logging with wazuh"
+                REMOTE_LOGGING_ENABLED=1
+            fi
+        fi
+
         # Show result
         if [ ${REMOTE_LOGGING_ENABLED} -eq 0 ]; then
             Report "remote_syslog_configured=0"
@@ -539,7 +571,7 @@
     if [ ${SKIPTEST} -eq 0 ]; then
         LogText "Test: checking open log files with lsof"
         if [ -n "${LSOFBINARY}" ]; then
-            FIND=$(${LSOFBINARY}${LSOF_EXTRA_OPTIONS} -n 2>&1 | ${GREPBINARY} "log$" | ${EGREPBINARY} -v "WARNING|Output information" | ${AWKBINARY} '{ if ($5=="REG") { print $9 } }' | ${SORTBINARY} -u | ${GREPBINARY} -v "^$")
+            FIND=$(${LSOFBINARY}${LSOF_EXTRA_OPTIONS} -n 2>&1 | ${GREPBINARY} "log$" | ${GREPBINARY} -E -v "WARNING|Output information" | ${AWKBINARY} '{ if ($5=="REG") { print $9 } }' | ${SORTBINARY} -u | ${GREPBINARY} -v "^$")
             for I in ${FIND}; do
                 LogText "Found logfile: ${I}"
             done
@@ -572,7 +604,7 @@
             LSOF_GREP="${LSOF_GREP}|anacron|awk|run-parts"
         fi
 
-        FIND=$(${LSOFBINARY}${LSOF_EXTRA_OPTIONS} -n +L 1 2>&1 | ${EGREPBINARY} -vw "${LSOF_GREP}" | ${EGREPBINARY} -v '/dev/zero|/\[aio\]' | ${AWKBINARY} '{ if ($5=="REG") { printf "%s(%s)\n", $10, $1 } }' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u)
+        FIND=$(${LSOFBINARY}${LSOF_EXTRA_OPTIONS} -n +L 1 2>&1 | ${GREPBINARY} -E -vw "${LSOF_GREP}" | ${GREPBINARY} -E -v '/dev/zero|/\[aio\]' | ${AWKBINARY} '{ if ($5=="REG") { printf "%s(%s)\n", $10, $1 } }' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u)
         if [ -n "${FIND}" ]; then
             LogText "Result: found one or more files which are deleted, but still in use"
             for I in ${FIND}; do

include/tests_mac_frameworks

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
 # Website  : https://cisofy.com
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -158,10 +157,14 @@
                 Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_WARNING}" --color RED
             fi
             Display --indent 8 --text "Current SELinux mode: ${FIND}"
-            PERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${TRBINARY} '\n' ' ')
+            if [ -n "${SEMANAGEBINARY}" ]; then
-            NPERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${WCBINARY} -l)
+                PERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${TRBINARY} '\n' ' ')
-            Display --indent 8 --text "Found ${NPERMISSIVE} permissive SELinux object types"
+                NPERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${WCBINARY} -l)
-            LogText "Permissive SELinux object types: ${PERMISSIVE}"
+                Display --indent 8 --text "Found ${NPERMISSIVE} permissive SELinux object types"
+                LogText "Permissive SELinux object types: ${PERMISSIVE}"
+            else
+                LogText "Result: semanage binary NOT found, can't analyse permissive domains"
+            fi
             UNCONFINED=$(${PSBINARY} -eo label,pid,command | ${GREPBINARY} '[u]nconfined_t' | ${TRBINARY} '\n' ' ')
             INITRC=$(${PSBINARY} -eo label,pid,command | ${GREPBINARY} '[i]nitrc_t' | ${TRBINARY} '\n' ' ')
             NUNCONFINED=$(${PSBINARY} -eo label | ${GREPBINARY} '[u]nconfined_t' | ${WCBINARY} -l)

include/tests_mail_messaging

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
 # Website  : https://cisofy.com
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -70,18 +69,18 @@
         unset FIND FIND2 FIND3 FIND4
 
         # Local Only
-        FIND=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^nonlocal')
+        FIND=$(echo "${EXIM_ROUTERS}" | ${GREPBINARY} -E '^nonlocal')
         # Internet Host
-        FIND2=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^dnslookup_relay_to_domains')
+        FIND2=$(echo "${EXIM_ROUTERS}" | ${GREPBINARY} -E '^dnslookup_relay_to_domains')
         # Smarthost or Satellite
-        FIND3=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^smarthost')
+        FIND3=$(echo "${EXIM_ROUTERS}" | ${GREPBINARY} -E '^smarthost')
 
         if [ -n "${FIND}" ]; then
             EXIM_TYPE="LOCAL ONLY"
         elif [ -n "${FIND2}" ]; then
             EXIM_TYPE="INTERNET HOST"
         elif [ -n "${FIND3}" ]; then
-            FIND4=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^hub_user_smarthost')
+            FIND4=$(echo "${EXIM_ROUTERS}" | ${GREPBINARY} -E '^hub_user_smarthost')
             if [ -n "${FIND4}" ]; then
                 EXIM_TYPE="SATELLITE"
             else
@@ -415,7 +414,7 @@
     Register --test-no MAIL-8920 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check OpenSMTPD status"
     if [ ${SKIPTEST} -eq 0  ]; then
         LogText "Test: check smtpd status"
-        FIND=$(${PSBINARY} ax | ${EGREPBINARY} "(/smtpd|smtpd: \[priv\]|smtpd: smtp)" | ${GREPBINARY} -v "grep")
+        FIND=$(${PSBINARY} ax | ${GREPBINARY} -E "(/smtpd|smtpd: \[priv\]|smtpd: smtp)" | ${GREPBINARY} -v "grep")
         if [ ! "${FIND}" = "" ]; then
             LogText "Result: found running smtpd process"
             Display --indent 2 --text "- OpenSMTPD status" --result "${STATUS_RUNNING}" --color GREEN

include/tests_malware

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
 # Website  : https://cisofy.com
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -39,12 +38,28 @@
     MALWARE_SCANNER_INSTALLED=0
     MALWARE_DAEMON_RUNNING=0
     ROOTKIT_SCANNER_FOUND=0
+    SENTINELONE_SCANNER_RUNNING=0
     SOPHOS_SCANNER_RUNNING=0
     SYMANTEC_SCANNER_RUNNING=0
     SYNOLOGY_DAEMON_RUNNING=0
     TRENDMICRO_DSA_DAEMON_RUNNING=0
+    WAZUH_DAEMON_RUNNING=0
 #
 #################################################################################
+#
+    # Test        : MALW-3274
+    # Description : Check for installed tool (McAfee VirusScan for Command Line)
+    Register --test-no MALW-3274 --weight L --network NO --category security --description "Check for McAfee VirusScan Command Line"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        LogText "Test: checking presence McAfee VirusScan for Command Line"
+        if [ -x /usr/local/uvscan/uvscan ]; then
+            Display --indent 2 --text "- ${GEN_CHECKING} McAfee VirusScan for Command Line (deprecated)" --result "${STATUS_FOUND}" --color RED
+            LogText "Result: Found ${MCAFEECLBINARY}"
+            AddHP 0 2
+            LogText "Result: McAfee Antivirus for Linux has been deprecated as of 1 Oct 2023 and will not receive updates. Please use another antivirus instead."
+       fi
+    fi
+#################################################################################
 #
     # Test        : MALW-3275
     # Description : Check for installed tool (chkrootkit)
@@ -110,7 +125,7 @@
 
         # Avast (macOS)
         LogText "Test: checking process com.avast.daemon"
-        if IsRunning "com.avast.daemon"; then
+        if IsRunning --full "com.avast.daemon"; then
             FOUND=1
             AVAST_DAEMON_RUNNING=1
             MALWARE_DAEMON_RUNNING=1
@@ -168,8 +183,8 @@
         fi
 
         # ESET security products
-        LogText "Test: checking process esets_daemon"
+        LogText "Test: checking process esets_daemon or oaeventd (ESET)"
-        if IsRunning "esets_daemon"; then
+        if IsRunning "esets_daemon" || IsRunning "oaeventd"; then
             FOUND=1
             ESET_DAEMON_RUNNING=1
             MALWARE_DAEMON_RUNNING=1
@@ -213,6 +228,20 @@
             Report "malware_scanner[]=mcafee"
         fi
 
+       # SentinelOne
+       LogText "Text: checking process sentineld (SentinelOne)"
+       if IsRunning "sentineld"; then SENTINELONE_SCANNER_RUNNING=1; fi # macOS
+       if IsRunning "s1-agent"; then SENTINELONE_SCANNER_RUNNING=1; fi # Linux
+       if IsRunning "SentinelAgent"; then SENTINELONE_SCANNER_RUNNING=1; fi # Windows
+       if [ ${SENTINELONE_SCANNER_RUNNING} -eq 1 ]; then
+            FOUND=1
+            if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} SentinelOne" --result "${STATUS_FOUND}" --color GREEN; fi
+            LogText "Result: Found SentinelOne"
+            MALWARE_DAEMON_RUNNING=1
+            MALWARE_SCANNER_INSTALLED=1
+            Report "malware_scanner[]=sentinelone"
+        fi
+
         # Sophos savscand/SophosScanD
         LogText "Test: checking process savscand"
         if IsRunning "savscand"; then
@@ -290,6 +319,19 @@
             Report "malware_scanner[]=trend-micro-av"
         fi
 
+        # Wazuh agent
+        LogText "Test: checking process wazuh-agent to test for Wazuh agent"
+        if IsRunning "wazuh-agent"; then
+            if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Wazuh agent" --result "${STATUS_FOUND}" --color GREEN; fi
+            LogText "Result: found Wazuh component"
+            FOUND=1
+            WAZUH_DAEMON_RUNNING=1
+            MALWARE_DAEMON_RUNNING=1
+            MALWARE_SCANNER_INSTALLED=1
+            ROOTKIT_SCANNER_FOUND=1
+            Report "malware_scanner[]=wazuh"
+        fi
+
         if [ ${FOUND} -eq 0 ]; then
             LogText "Result: no commercial anti-virus tools found"
             AddHP 0 3
@@ -336,6 +378,24 @@
     fi
 #
 #################################################################################
+#
+    # Test        : MALW-3291
+    # Description : Check if Microsoft Defender Antivirus is installed
+    Register --test-no MALW-3291 --weight L --network NO --category security --description "Check for mdatp"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        LogText "Test: checking presence mdatp"
+        if [ ! "${MDATPBINARY}" = "" ]; then
+            Display --indent 2 --text "- Checking Microsoft Defender Antivirus" --result "${STATUS_FOUND}" --color GREEN
+            LogText "Result: Found ${MDATPBINARY}"
+            MALWARE_SCANNER_INSTALLED=1
+            AddHP 2 2
+            Report "malware_scanner[]=mdatp"
+        else
+            LogText "Result: mdatp couldn't be found"
+        fi
+    fi
+#
+#################################################################################
 #
     # Test        : MALW-3286
     # Description : Check running freshclam if clamd process is running

include/tests_memory_processes

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
 # Website  : https://cisofy.com
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are

include/tests_nameservices

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
 # Website  : https://cisofy.com
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -339,7 +338,7 @@
     Register --test-no NAME-4210 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check DNS banner"
     if [ ${SKIPTEST} -eq 0 ]; then
         LogText "Test: Trying to determine version from banner"
-        FIND=$(${DIGBINARY} @localhost version.bind chaos txt | ${GREPBINARY} "^version.bind" | ${GREPBINARY} TXT | ${EGREPBINARY} "[0-9].[0-9].[0-9]*")
+        FIND=$(${DIGBINARY} @localhost version.bind chaos txt | ${GREPBINARY} "^version.bind" | ${GREPBINARY} TXT | ${GREPBINARY} -E "[0-9].[0-9].[0-9]*")
         if [ "${FIND}" = "" ]; then
             LogText "Result: no useful information in banner found"
             Display --indent 4 --text "- Checking BIND version in banner" --result "${STATUS_OK}" --color GREEN
@@ -485,7 +484,7 @@
                 LogText "Result: ypldap is running"
                 Display --indent 2 --text "- Checking ypldap status" --result "${STATUS_FOUND}" --color GREEN
             else
-                ReportSuggestion "Disable the usage of NIS/NIS+ and use an alternative like LDAP or Kerberos instead"
+                ReportSuggestion "${TEST_NO}" "Disable the usage of NIS/NIS+ and use an alternative like LDAP or Kerberos instead"
             fi
         else
             LogText "Result: ypbind is not active"
@@ -571,7 +570,7 @@
     Register --test-no NAME-4402 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check duplicate line in /etc/hosts"
     if [ ${SKIPTEST} -eq 0 ]; then
         LogText "Test: check duplicate line in ${ROOTDIR}etc/hosts"
-        OUTPUT=$(${AWKBINARY} '{ print $1, $2 }' ${ROOTDIR}etc/hosts | ${EGREPBINARY} -v '^(#|$)' | ${EGREPBINARY} "[a-f0-9]" | ${SORTBINARY} | ${UNIQBINARY} -d)
+        OUTPUT=$(${AWKBINARY} '{ print $1, $2 }' ${ROOTDIR}etc/hosts | ${GREPBINARY} -E -v '^(#|$)' | ${GREPBINARY} -E "[a-f0-9]" | ${SORTBINARY} | ${UNIQBINARY} -d)
         if [ -z "${OUTPUT}" ]; then
             LogText "Result: OK, no duplicate lines found"
             Display --indent 4 --text "- Duplicate entries in hosts file" --result "${STATUS_NONE}" --color GREEN
@@ -592,7 +591,7 @@
     if [ ${SKIPTEST} -eq 0 ]; then
         LogText "Test: Check /etc/hosts contains an entry for this server name"
         if [ -n "${HOSTNAME}" ]; then
-            DATA=$(${EGREPBINARY} -v '^(#|$|^::1\s|localhost)' ${ROOTDIR}etc/hosts | ${GREPBINARY} -i ${HOSTNAME})
+            DATA=$(${GREPBINARY} -E -v '^(#|$|^::1\s|localhost)' ${ROOTDIR}etc/hosts | ${GREPBINARY} -i ${HOSTNAME})
             if [ -n "${DATA}" ]; then
                 LogText "Result: Found entry for ${HOSTNAME} in ${ROOTDIR}etc/hosts"
                 Display --indent 4 --text "- Presence of configured hostname in /etc/hosts" --result "${STATUS_FOUND}" --color GREEN
@@ -615,7 +614,7 @@
     Register --test-no NAME-4406 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check server hostname mapping"
     if [ ${SKIPTEST} -eq 0 ]; then
         LogText "Test: Check server hostname not locally mapped in ${ROOTDIR}etc/hosts"
-        DATA=$(${EGREPBINARY} -v '^(#|$)' ${ROOTDIR}etc/hosts | ${EGREPBINARY} '^(localhost|::1)\s' | ${GREPBINARY} -w ${HOSTNAME})
+        DATA=$(${GREPBINARY} -E -v '^(#|$)' ${ROOTDIR}etc/hosts | ${GREPBINARY} -E '^(localhost|::1)\s' | ${GREPBINARY} -w ${HOSTNAME})
         if [ -n "${DATA}" ]; then
             LogText "Result: Found this server hostname mapped to a local address"
             LogText "Output: ${DATA}"

include/tests_networking

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
 # Website  : https://cisofy.com
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -280,7 +279,7 @@
     Register --test-no NETW-3001 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Find default gateway (route)"
     if [ $SKIPTEST -eq 0 ]; then
         LogText "Test: Searching default gateway(s)"
-        FIND=$(${NETSTATBINARY} -rn | ${EGREPBINARY} "^0.0.0.0|default" | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f2)
+        FIND=$(${NETSTATBINARY} -rn | ${GREPBINARY} -E "^0.0.0.0|default" | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f2)
         if [ -n "${FIND}" ]; then
             for I in ${FIND}; do
                 LogText "Result: Found default gateway ${I}"
@@ -750,7 +749,7 @@
                         UNCOMMON_PROTOCOL_DISABLED=0
                         # First check modprobe.conf
                         if [ -f ${ROOTDIR}etc/modprobe.conf ]; then
-                            DATA=$(${GREPBINARY} "^install \+${P} \+/bin/true$" ${ROOTDIR}etc/modprobe.conf)
+                            DATA=$(${GREPBINARY} -E "^install[[:space:]]+${P}[[:space:]]+/bin/(true|false)$" ${ROOTDIR}etc/modprobe.conf)
                             if [ -n "${DATA}" ]; then
                                 LogText "Result: found ${P} module disabled via modprobe.conf"
                                 UNCOMMON_PROTOCOL_DISABLED=1
@@ -759,7 +758,7 @@
                         # Then additional modprobe configuration files
                         if [ -d ${ROOTDIR}etc/modprobe.d ]; then
                             # Return file names (-l) and suppress errors (-s)
-                            DATA=$(${GREPBINARY} -l -s "^install \+${P} \+/bin/true$" ${ROOTDIR}etc/modprobe.d/*)
+                            DATA=$(${GREPBINARY} -l -s -E "^install[[:space:]]+${P}[[:space:]]+/bin/(true|false)$" ${ROOTDIR}etc/modprobe.d/*)
                             if [ -n "${DATA}" ]; then
                                 UNCOMMON_PROTOCOL_DISABLED=1
                                 for F in ${DATA}; do

include/tests_php

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
 # Website  : https://cisofy.com
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -30,25 +29,26 @@
     # Possible locations of php.ini
     PHPINILOCS="${ROOTDIR}etc/php.ini ${ROOTDIR}etc/php.ini.default \
                 ${ROOTDIR}etc/php/php.ini \
-                ${ROOTDIR}etc/php5.5/php.ini \
-                ${ROOTDIR}etc/php5.6/php.ini \
                 ${ROOTDIR}etc/php7.0/php.ini \
                 ${ROOTDIR}etc/php7.1/php.ini \
                 ${ROOTDIR}etc/php7.2/php.ini \
                 ${ROOTDIR}etc/php7.3/php.ini \
                 ${ROOTDIR}etc/php7.4/php.ini \
-                ${ROOTDIR}etc/php/cgi-php5/php.ini \
+                ${ROOTDIR}etc/php8.0/php.ini \
-                ${ROOTDIR}etc/php/cli-php5/php.ini \
+                ${ROOTDIR}etc/php8.1/php.ini \
-                ${ROOTDIR}etc/php/apache2-php5/php.ini \
+                ${ROOTDIR}etc/php8.2/php.ini \
-                ${ROOTDIR}etc/php/apache2-php5.5/php.ini \
+                ${ROOTDIR}etc/php8.3/php.ini \
-                ${ROOTDIR}etc/php/apache2-php5.6/php.ini \
+                ${ROOTDIR}etc/php8.4/php.ini \
                 ${ROOTDIR}etc/php/apache2-php7.0/php.ini \
                 ${ROOTDIR}etc/php/apache2-php7.1/php.ini \
                 ${ROOTDIR}etc/php/apache2-php7.2/php.ini \
                 ${ROOTDIR}etc/php/apache2-php7.3/php.ini \
                 ${ROOTDIR}etc/php/apache2-php7.4/php.ini \
-                ${ROOTDIR}etc/php/cgi-php5.5/php.ini \
+                ${ROOTDIR}etc/php/apache2-php8.0/php.ini \
-                ${ROOTDIR}etc/php/cgi-php5.6/php.ini \
+                ${ROOTDIR}etc/php/apache2-php8.1/php.ini \
+                ${ROOTDIR}etc/php/apache2-php8.2/php.ini \
+                ${ROOTDIR}etc/php/apache2-php8.3/php.ini \
+                ${ROOTDIR}etc/php/apache2-php8.4/php.ini \
                 ${ROOTDIR}etc/php/cgi-php7.0/php.ini \
                 ${ROOTDIR}etc/php/cgi-php7.1/php.ini \
                 ${ROOTDIR}etc/php/cgi-php7.2/php.ini \
@@ -61,33 +61,39 @@
                 ${ROOTDIR}etc/php/cli-php7.2/php.ini \
                 ${ROOTDIR}etc/php/cli-php7.3/php.ini \
                 ${ROOTDIR}etc/php/cli-php7.4/php.ini \
-                ${ROOTDIR}etc/php/embed-php5.5/php.ini \
+                ${ROOTDIR}etc/php/cli-php8.0/php.ini \
-                ${ROOTDIR}etc/php/embed-php5.6/php.ini \
+                ${ROOTDIR}etc/php/cli-php8.1/php.ini \
+                ${ROOTDIR}etc/php/cli-php8.2/php.ini \
+                ${ROOTDIR}etc/php/cli-php8.3/php.ini \
+                ${ROOTDIR}etc/php/cli-php8.4/php.ini \
                 ${ROOTDIR}etc/php/embed-php7.0/php.ini \
                 ${ROOTDIR}etc/php/embed-php7.1/php.ini \
                 ${ROOTDIR}etc/php/embed-php7.2/php.ini \
                 ${ROOTDIR}etc/php/embed-php7.3/php.ini \
                 ${ROOTDIR}etc/php/embed-php7.4/php.ini \
-                ${ROOTDIR}etc/php/fpm-php7.4/php.ini \
+                ${ROOTDIR}etc/php/embed-php8.0/php.ini \
-                ${ROOTDIR}etc/php/fpm-php7.3/php.ini \
+                ${ROOTDIR}etc/php/embed-php8.1/php.ini \
-                ${ROOTDIR}etc/php/fpm-php7.2/php.ini \
+                ${ROOTDIR}etc/php/embed-php8.2/php.ini \
-                ${ROOTDIR}etc/php/fpm-php7.1/php.ini \
+                ${ROOTDIR}etc/php/embed-php8.3/php.ini \
+                ${ROOTDIR}etc/php/embed-php8.4/php.ini \
                 ${ROOTDIR}etc/php/fpm-php7.0/php.ini \
-                ${ROOTDIR}etc/php/fpm-php5.5/php.ini \
+                ${ROOTDIR}etc/php/fpm-php7.1/php.ini \
-                ${ROOTDIR}etc/php/fpm-php5.6/php.ini \
+                ${ROOTDIR}etc/php/fpm-php7.2/php.ini \
-                ${ROOTDIR}etc/php5/cgi/php.ini \
+                ${ROOTDIR}etc/php/fpm-php7.3/php.ini \
-                ${ROOTDIR}etc/php5/cli/php.ini \
+                ${ROOTDIR}etc/php/fpm-php7.4/php.ini \
-                ${ROOTDIR}etc/php5/cli-php5.4/php.ini \
+                ${ROOTDIR}etc/php/fpm-php8.0/php.ini \
-                ${ROOTDIR}etc/php5/cli-php5.5/php.ini \
+                ${ROOTDIR}etc/php/fpm-php8.1/php.ini \
-                ${ROOTDIR}etc/php5/cli-php5.6/php.ini \
+                ${ROOTDIR}etc/php/fpm-php8.2/php.ini \
-                ${ROOTDIR}etc/php5/apache2/php.ini \
-                ${ROOTDIR}etc/php5/fpm/php.ini \
-                ${ROOTDIR}private/etc/php.ini \
                 ${ROOTDIR}etc/php/7.0/apache2/php.ini \
                 ${ROOTDIR}etc/php/7.1/apache2/php.ini \
                 ${ROOTDIR}etc/php/7.2/apache2/php.ini \
                 ${ROOTDIR}etc/php/7.3/apache2/php.ini \
                 ${ROOTDIR}etc/php/7.4/apache2/php.ini \
+                ${ROOTDIR}etc/php/8.0/apache2/php.ini \
+                ${ROOTDIR}etc/php/8.1/apache2/php.ini \
+                ${ROOTDIR}etc/php/8.2/apache2/php.ini \
+                ${ROOTDIR}etc/php/8.3/apache2/php.ini \
+                ${ROOTDIR}etc/php/8.4/apache2/php.ini \
                 ${ROOTDIR}etc/php/7.0/cli/php.ini \
                 ${ROOTDIR}etc/php/7.0/fpm/php.ini \
                 ${ROOTDIR}etc/php/7.1/cli/php.ini \
@@ -98,56 +104,65 @@
                 ${ROOTDIR}etc/php/7.3/fpm/php.ini \
                 ${ROOTDIR}etc/php/7.4/cli/php.ini \
                 ${ROOTDIR}etc/php/7.4/fpm/php.ini \
-                ${ROOTDIR}var/www/conf/php.ini \
+                ${ROOTDIR}etc/php/8.0/cli/php.ini \
-                ${ROOTDIR}usr/local/etc/php.ini \
+                ${ROOTDIR}etc/php/8.0/fpm/php.ini \
-                ${ROOTDIR}usr/local/lib/php.ini \
+                ${ROOTDIR}etc/php/8.1/cli/php.ini \
-                ${ROOTDIR}usr/local/etc/php5/cgi/php.ini \
+                ${ROOTDIR}etc/php/8.1/fpm/php.ini \
-                ${ROOTDIR}usr/local/php54/lib/php.ini \
+                ${ROOTDIR}etc/php/8.2/cli/php.ini \
-                ${ROOTDIR}usr/local/php56/lib/php.ini \
+                ${ROOTDIR}etc/php/8.2/fpm/php.ini \
-                ${ROOTDIR}usr/local/php70/lib/php.ini \
+                ${ROOTDIR}etc/php/8.3/cli/php.ini \
-                ${ROOTDIR}usr/local/php71/lib/php.ini \
+                ${ROOTDIR}etc/php/8.3/fpm/php.ini \
-                ${ROOTDIR}usr/local/php72/lib/php.ini \
+                ${ROOTDIR}etc/php/8.4/cli/php.ini \
-                ${ROOTDIR}usr/local/php73/lib/php.ini \
+                ${ROOTDIR}etc/php/8.4/fpm/php.ini \
-                ${ROOTDIR}usr/local/php74/lib/php.ini \
-                ${ROOTDIR}usr/local/zend/etc/php.ini \
-                ${ROOTDIR}usr/pkg/etc/php.ini \
-                ${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.ini \
-                ${ROOTDIR}opt/cpanel/ea-php55/root/etc/php.ini \
-                ${ROOTDIR}opt/cpanel/ea-php56/root/etc/php.ini \
-                ${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.ini \
-                ${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.ini \
-                ${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.ini \
-                ${ROOTDIR}opt/cpanel/ea-php73/root/etc/php.ini \
-                ${ROOTDIR}opt/cpanel/ea-php74/root/etc/php.ini \
-                ${ROOTDIR}opt/alt/php44/etc/php.ini \
-                ${ROOTDIR}opt/alt/php51/etc/php.ini \
-                ${ROOTDIR}opt/alt/php52/etc/php.ini \
-                ${ROOTDIR}opt/alt/php53/etc/php.ini \
-                ${ROOTDIR}opt/alt/php54/etc/php.ini \
-                ${ROOTDIR}opt/alt/php55/etc/php.ini \
-                ${ROOTDIR}opt/alt/php56/etc/php.ini \
                 ${ROOTDIR}opt/alt/php70/etc/php.ini \
                 ${ROOTDIR}opt/alt/php71/etc/php.ini \
                 ${ROOTDIR}opt/alt/php72/etc/php.ini \
                 ${ROOTDIR}opt/alt/php73/etc/php.ini \
                 ${ROOTDIR}opt/alt/php74/etc/php.ini \
+                ${ROOTDIR}opt/alt/php80/etc/php.ini \
+                ${ROOTDIR}opt/alt/php81/etc/php.ini \
+                ${ROOTDIR}opt/alt/php82/etc/php.ini \
+                ${ROOTDIR}opt/alt/php83/etc/php.ini \
+                ${ROOTDIR}opt/alt/php84/etc/php.ini \
+                ${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.ini \
+                ${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.ini \
+                ${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.ini \
+                ${ROOTDIR}opt/cpanel/ea-php73/root/etc/php.ini \
+                ${ROOTDIR}opt/cpanel/ea-php74/root/etc/php.ini \
+                ${ROOTDIR}opt/cpanel/ea-php80/root/etc/php.ini \
+                ${ROOTDIR}opt/cpanel/ea-php81/root/etc/php.ini \
+                ${ROOTDIR}opt/cpanel/ea-php82/root/etc/php.ini \
+                ${ROOTDIR}opt/cpanel/ea-php83/root/etc/php.ini \
+                ${ROOTDIR}opt/cpanel/ea-php84/root/etc/php.ini \
+                ${ROOTDIR}private/etc/php.ini \
+                ${ROOTDIR}var/www/conf/php.ini \
+                ${ROOTDIR}usr/local/etc/php.ini \
+                ${ROOTDIR}usr/local/lib/php.ini \
+                ${ROOTDIR}usr/local/php70/lib/php.ini \
+                ${ROOTDIR}usr/local/php71/lib/php.ini \
+                ${ROOTDIR}usr/local/php72/lib/php.ini \
+                ${ROOTDIR}usr/local/php73/lib/php.ini \
+                ${ROOTDIR}usr/local/php74/lib/php.ini \
+                ${ROOTDIR}usr/local/php80/lib/php.ini \
+                ${ROOTDIR}usr/local/php81/lib/php.ini \
+                ${ROOTDIR}usr/local/php82/lib/php.ini \
+                ${ROOTDIR}usr/local/php83/lib/php.ini \
+                ${ROOTDIR}usr/local/php84/lib/php.ini \
+                ${ROOTDIR}usr/local/zend/etc/php.ini \
+                ${ROOTDIR}usr/pkg/etc/php.ini \
                 ${ROOTDIR}etc/opt/remi/php56/php.ini \
                 ${ROOTDIR}etc/opt/remi/php70/php.ini \
                 ${ROOTDIR}etc/opt/remi/php71/php.ini \
                 ${ROOTDIR}etc/opt/remi/php72/php.ini \
                 ${ROOTDIR}etc/opt/remi/php73/php.ini \
-                ${ROOTDIR}etc/opt/remi/php74/php.ini"
+                ${ROOTDIR}etc/opt/remi/php74/php.ini \
-    # HEADS-UP: OpenBSD, last two releases are supported, and snapshots of -current
+                ${ROOTDIR}etc/opt/remi/php80/php.ini \
-    PHPINILOCS="${PHPINILOCS} \
+                ${ROOTDIR}etc/opt/remi/php81/php.ini \
-                ${ROOTDIR}etc/php-5.6.ini \
+                ${ROOTDIR}etc/opt/remi/php82/php.ini\
-                ${ROOTDIR}etc/php-7.0.ini \
+                ${ROOTDIR}etc/opt/remi/php83/php.ini \
-                ${ROOTDIR}etc/php-7.1.ini \
+                ${ROOTDIR}etc/opt/remi/php84/php.ini"
-                ${ROOTDIR}etc/php-7.2.ini \
-                ${ROOTDIR}etc/php-7.3.ini \
-                ${ROOTDIR}etc/php-7.4.ini"
 
-    PHPINIDIRS="${ROOTDIR}etc/php5/conf.d \
+    PHPINIDIRS="${ROOTDIR}etc/php/7.0/cli/conf.d \
-                ${ROOTDIR}etc/php/7.0/cli/conf.d \
                 ${ROOTDIR}etc/php/7.1/cli/conf.d \
                 ${ROOTDIR}etc/php/7.2/cli/conf.d \
                 ${ROOTDIR}etc/php/7.3/cli/conf.d \
@@ -157,41 +172,55 @@
                 ${ROOTDIR}etc/php/7.2/fpm/conf.d \
                 ${ROOTDIR}etc/php/7.3/fpm/conf.d \
                 ${ROOTDIR}etc/php/7.4/fpm/conf.d \
+                ${ROOTDIR}etc/php/8.0/fpm/conf.d \
+                ${ROOTDIR}etc/php/8.1/fpm/conf.d \
+                ${ROOTDIR}etc/php/8.2/fpm/conf.d \
+                ${ROOTDIR}etc/php/8.3/fpm/conf.d \
+                ${ROOTDIR}etc/php/8.4/fpm/conf.d \
                 ${ROOTDIR}etc/php.d \
-                ${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.d \
-                ${ROOTDIR}opt/cpanel/ea-php55/root/etc/php.d \
-                ${ROOTDIR}opt/cpanel/ea-php56/root/etc/php.d \
                 ${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.d \
                 ${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.d \
                 ${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.d \
                 ${ROOTDIR}opt/cpanel/ea-php73/root/etc/php.d \
                 ${ROOTDIR}opt/cpanel/ea-php74/root/etc/php.d \
-                ${ROOTDIR}opt/alt/php44/etc/php.d.all \
+                ${ROOTDIR}opt/cpanel/ea-php80/root/etc/php.d \
-                ${ROOTDIR}opt/alt/php51/etc/php.d.all \
+                ${ROOTDIR}opt/cpanel/ea-php81/root/etc/php.d \
-                ${ROOTDIR}opt/alt/php52/etc/php.d.all \
+                ${ROOTDIR}opt/cpanel/ea-php82/root/etc/php.d \
-                ${ROOTDIR}opt/alt/php53/etc/php.d.all \
+                ${ROOTDIR}opt/cpanel/ea-php83/root/etc/php.d \
-                ${ROOTDIR}opt/alt/php54/etc/php.d.all \
+                ${ROOTDIR}opt/cpanel/ea-php84/root/etc/php.d \
-                ${ROOTDIR}opt/alt/php55/etc/php.d.all \
-                ${ROOTDIR}opt/alt/php56/etc/php.d.all \
                 ${ROOTDIR}opt/alt/php70/etc/php.d.all \
                 ${ROOTDIR}opt/alt/php71/etc/php.d.all \
                 ${ROOTDIR}opt/alt/php72/etc/php.d.all \
                 ${ROOTDIR}opt/alt/php73/etc/php.d.all \
                 ${ROOTDIR}opt/alt/php74/etc/php.d.all \
+                ${ROOTDIR}opt/alt/php80/etc/php.d.all \
+                ${ROOTDIR}opt/alt/php81/etc/php.d.all \
+                ${ROOTDIR}opt/alt/php82/etc/php.d.all \
+                ${ROOTDIR}opt/alt/php83/etc/php.d.all \
+                ${ROOTDIR}opt/alt/php84/etc/php.d.all \
                 ${ROOTDIR}usr/local/lib/php.conf.d \
                 ${ROOTDIR}usr/local/php70/lib/php.conf.d \
                 ${ROOTDIR}usr/local/php71/lib/php.conf.d \
                 ${ROOTDIR}usr/local/php72/lib/php.conf.d \
                 ${ROOTDIR}usr/local/php73/lib/php.conf.d \
-                ${ROOTDIR}usr/local/php74/lib/php.conf.d"
+                ${ROOTDIR}usr/local/php74/lib/php.conf.d \
-    # HEADS-UP: OpenBSD, last two releases are supported, and snapshots of -current
+                ${ROOTDIR}usr/local/php80/lib/php.conf.d \
+                ${ROOTDIR}usr/local/php81/lib/php.conf.d \
+                ${ROOTDIR}usr/local/php82/lib/php.conf.d \
+                ${ROOTDIR}usr/local/php83/lib/php.conf.d \
+                ${ROOTDIR}usr/local/php84/lib/php.conf.d"
+                
     PHPINIDIRS="${PHPINIDIRS} \
-                ${ROOTDIR}etc/php-5.6 \
                 ${ROOTDIR}etc/php-7.0 \
                 ${ROOTDIR}etc/php-7.1 \
                 ${ROOTDIR}etc/php-7.2 \
                 ${ROOTDIR}etc/php-7.3 \
-                ${ROOTDIR}etc/php-7.4"
+                ${ROOTDIR}etc/php-7.4 \
+                ${ROOTDIR}etc/php-8.0 \
+                ${ROOTDIR}etc/php-8.1 \
+                ${ROOTDIR}etc/php-8.2 \
+                ${ROOTDIR}etc/php-8.3 \
+                ${ROOTDIR}etc/php-8.4"
 #
 #################################################################################
 #
@@ -285,9 +314,9 @@
     # Test        : PHP-2368
     # Description : Check php register_globals option
     # Notes       : Don't test for it if PHP version is 5.4.0 or later (it has been removed)
-    if [ -n "${PHPINIFILE}" -a -n "${PHPVERSION}" -a -n "${EGREPBINARY}" ]; then
+    if [ -n "${PHPINIFILE}" -a -n "${PHPVERSION}" -a -n "${GREPBINARY}" ]; then
         if [ -f "${PHPINIFILE}" ]; then
-            FIND=$(echo ${PHPVERSION} | ${EGREPBINARY} "^(4.|5.[0-3])")
+            FIND=$(echo ${PHPVERSION} | ${GREPBINARY} -E "^(4.|5.[0-3])")
             if [ -z "${FIND}" ]; then
                 PREQS_MET="NO"; Debug "Found most likely PHP version 5.4.0 or higher (${PHPVERSION}) which does not use register_globals"
             else
@@ -305,7 +334,7 @@
     Register --test-no PHP-2368 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP register_globals option"
     if [ ${SKIPTEST} -eq 0 ]; then
         LogText "Test: Checking PHP register_globals option"
-        FIND=$(${EGREPBINARY} -i 'register_globals.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
+        FIND=$(${GREPBINARY} -E -i 'register_globals.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
         if [ -n "${FIND}" ]; then
             Display --indent 4 --text "- Checking register_globals option" --result "${STATUS_WARNING}" --color RED
             ReportWarning "${TEST_NO}" "PHP option register_globals option is turned on, which can be a risk for variable value overwriting"
@@ -338,7 +367,7 @@
                     ;;
             esac
             LogText "Test: Checking file ${FILE}"
-            FIND=$(${EGREPBINARY} -i 'expose_php.*(on|yes|1)' ${FILE} | ${GREPBINARY} -v '^;')
+            FIND=$(${GREPBINARY} -E -i 'expose_php.*(on|yes|1)' ${FILE} | ${GREPBINARY} -v '^;')
             if HasData "${FIND}"; then
                 LogText "Result: found a a possible match on expose_php setting"
                 LogText "Data: ${FIND}"
@@ -367,7 +396,7 @@
     Register --test-no PHP-2374 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP enable_dl option"
     if [ ${SKIPTEST} -eq 0 ]; then
         LogText "Test: Checking PHP enable_dl option"
-        FIND=$(${EGREPBINARY} -i 'enable_dl.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
+        FIND=$(${GREPBINARY} -E -i 'enable_dl.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
         if [ -n "${FIND}" ]; then
             Display --indent 4 --text "- Checking enable_dl option" --result "${STATUS_ON}" --color YELLOW
             Report "Result: enable_dl option is turned on, which can be used to enable more modules dynamically and circumventing security controls"
@@ -389,7 +418,7 @@
     Register --test-no PHP-2376 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP allow_url_fopen option"
     if [ ${SKIPTEST} -eq 0 ]; then
         LogText "Test: Checking PHP allow_url_fopen option"
-        FIND=$(${EGREPBINARY} -i 'allow_url_fopen.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
+        FIND=$(${GREPBINARY} -E -i 'allow_url_fopen.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
         if [ -z "${FIND}" ]; then
             Display --indent 4 --text "- Checking allow_url_fopen option" --result "${STATUS_ON}" --color YELLOW
             LogText "Result: allow_url_fopen option is turned on, which can be used for downloads via PHP and is a security risk"
@@ -412,7 +441,7 @@
     Register --test-no PHP-2378 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP allow_url_include option"
     if [ ${SKIPTEST} -eq 0 ]; then
         LogText "Test: Checking PHP allow_url_include option"
-        FIND=$(${EGREPBINARY} -i 'allow_url_include.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
+        FIND=$(${GREPBINARY} -E -i 'allow_url_include.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
         if [ -z "${FIND}" ]; then
             Display --indent 4 --text "- Checking allow_url_include option" --result "${STATUS_ON}" --color YELLOW
             Report "Result: allow_url_include option is turned on, which can be used for downloads via PHP and is a risk"
@@ -436,7 +465,7 @@
     #if [ ${SKIPTEST} -eq 0 ]; then
     #    FOUND=0
     #    SIMULATION=0
-    #    MAJOR_VERSION=$(echo ${PHPVERSION} | ${EGREPBINARY} "^7")
+    #    MAJOR_VERSION=$(echo ${PHPVERSION} | ${GREPBINARY} -E "^7")
     #    if [ "${OS}" = "OpenBSD" ]; then
     #        FOUND=1                    # On OpenBSD, Suhosin is hard linked into PHP
     #        SIMULATION=off
@@ -519,7 +548,7 @@
                     ;;
             esac
             LogText "Test: Checking file ${FILE}"
-            FIND=$(${EGREPBINARY} -i "^listen = [0-9]{1,5}$" ${FILE})
+            FIND=$(${GREPBINARY} -E -i "^listen = [0-9]{1,5}$" ${FILE})
             if HasData "${FIND}"; then
                 LogText "Result: found listen on just a port number"
                 LogText "Data: ${FIND}"

include/tests_ports_packages

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
 # Website  : https://cisofy.com
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -34,6 +33,34 @@
     Display --indent 2 --text "- Searching package managers"
 #
 #################################################################################
+#
+    # Test        : PKGS-7200
+    # Description : Check Alpine Package Keeper (apk)
+    if [ -x ${ROOTDIR}/sbin/apk ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+    Register --test-no PKGS-7200 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying apk"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        COUNT=0
+        Display --indent 4 --text "- Searching apk package manager" --result "${STATUS_FOUND}" --color GREEN
+        LogText "Result: Found apk binary"
+        Report "package_manager[]=apk"
+        PACKAGE_MGR_PKG=1
+        LogText "Test: Querying apk info -v to get package list"
+        Display --indent 6 --text "- Querying package manager"
+        LogText "Output:"
+        SPACKAGES=$(apk info -v | ${SEDBINARY} -r -e 's/([a-z,A-Z,0-9,_,-,.]{1,250})-([a-z,A-Z,0-9,.]+-r[a-z,A-Z,0-9]+)/\1,\2/' | sort)
+        for J in ${SPACKAGES}; do
+            COUNT=$((COUNT + 1))
+            PACKAGE_NAME=$(echo ${J} | ${CUTBINARY} -d ',' -f1)
+            PACKAGE_VERSION=$(echo ${J} | ${CUTBINARY} -d ',' -f2)
+            LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
+            INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
+        done
+        Report "installed_packages=${COUNT}"
+    else
+        LogText "Result: apk "${STATUS_NOT_FOUND}", test skipped"
+    fi
+#
+#################################################################################
 #
     # Test        : PKGS-7301
     # Description : Query FreeBSD pkg
@@ -99,11 +126,15 @@
         LogText "Test: Querying brew to get package list"
         Display --indent 4 --text "- Querying brew for installed packages"
         LogText "Output:"; LogText "-----"
-        GPACKAGES=$(brew list)
+        GPACKAGES=$(brew list --versions)
-        for J in ${GPACKAGES}; do
+        while IFS= read -r PKG; do
-            LogText "Found package ${J}"
+            PACKAGE_NAME=$(echo ${PKG} | ${CUTBINARY} -d ' ' -f1)
-            INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J}"
+            PACKAGE_VERSION=$(echo ${PKG} | ${CUTBINARY} -d ' ' -f2)
-        done
+            LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
+            INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
+        done << EOF
+$GPACKAGES
+EOF
     else
         LogText "Result: brew can NOT be found on this system"
     fi
@@ -130,6 +161,29 @@
         LogText "Result: emerge can NOT be found on this system"
     fi
 #
+#################################################################################
+#
+    # Test        : PKGS-7305
+    # Description : Query macOS Apps in /Applications and CoreServices
+    Register --test-no PKGS-7305 --os macOS --weight L --network NO --category security --description "Query macOS Apps in /Applications and CoreServices"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        LogText "Test: Querying Apps in /Applications"
+        Display --indent 4 --text "- Querying macOS Apps in /Applications"
+        LogText "Output:"; LogText "-----"
+        for APP in /Applications/*.app; do
+            PACKAGE_NAME=$(basename "$APP" .app)
+            PACKAGE_VERSION=$(defaults read "$APP/Contents/Info" CFBundleShortVersionString 2>/dev/null || echo "N/A")
+            LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
+            INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
+        done
+        Display --indent 4 --text "- Querying Apple CoreServices"
+        for CS in /Library/Apple/System/Library/CoreServices/*.app; do
+            PACKAGE_NAME=$(basename "$CS" .app)
+            PACKAGE_VERSION=$(defaults read "$CS/Contents/Info" CFBundleShortVersionString 2>/dev/null || echo "N/A")
+            LogText "Found CoreServices: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
+            INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
+        done   
+    fi
 #
 #################################################################################
 #
@@ -319,12 +373,13 @@
     Register --test-no PKGS-7322 --os "Linux" --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Discover vulnerable packages with arch-audit"
     if [ ${SKIPTEST} -eq 0 ]; then
         LogText "Test: checking arch-audit output for vulnerable packages"
-        FIND=$(${ARCH_AUDIT_BINARY} | ${SEDBINARY} 's/\.\..*$//' | ${SEDBINARY} 's/, //g' | ${SEDBINARY} 's/\(\["\|"\]\)//g' | ${SEDBINARY} 's/""/,/g' | ${AWKBINARY} '{ if($1=="Package") { print $2"|"$6"|"}}' | ${AWKBINARY} -F'|' 'NF>1{a[$1] = a[$1]","$2}END{for(i in a){print i""a[i]"|"}}' | ${SEDBINARY} 's/,/|cve=/' | ${SORTBINARY})
+        FIND=$(${ARCH_AUDIT_BINARY} | ${SEDBINARY} 's/ High risk!//' | ${SEDBINARY} 's/ Medium risk!//' | ${SEDBINARY} 's/ Low risk!//' | ${SEDBINARY} 's/\.\..*$//' | ${SEDBINARY} 's/, /,/g' | ${SEDBINARY} 's/\(\["\|"\]\)//g' | ${SEDBINARY} 's/""/,/g' | ${AWKBINARY} '{if ($0 ~ /is affected by CVE\-/) {print $1"|"$5"|"} else {ORS=""; print $1"|"; for (i=5; i<=NF; i++)print $i; print "\n"; ORS="\n"}}'| ${AWKBINARY} -F'|' 'NF>1{a[$1] = a[$1]","$2}END{for(i in a){print i""a[i]"|"}}' | ${SEDBINARY} 's/,CVE-/|cve=CVE-/' | ${SORTBINARY})
         if [ -z "${FIND}" ]; then
             LogText "Result: no vulnerable packages found with arch-audit"
             AddHP 10 10
         else
             LogText "Result: found one or more vulnerable packages"
+            VULNERABLE_PACKAGES_FOUND=1
             for ITEM in ${FIND}; do
                 LogText "Found line: ${ITEM}"
                 Report "vulnerable_package[]=${ITEM}"
@@ -643,9 +698,20 @@
             # Check in /etc/cron.hourly, daily, weekly, monthly etc
             COUNT=$(find /etc/cron* -name debsums | wc -l)
             if [ ${COUNT} -gt 0 ]; then
-                LogText "Result: Cron job is configured for debsums utility."
+                CRON_CHECK=""
-                Display --indent 6 --text "- Cron job for debsums" --result "${STATUS_FOUND}" --color GREEN
+                if [ -f ${ROOTDIR}etc/default/debsums ]; then
-                AddHP 3 3
+                    CRON_CHECK=$(${GREPBINARY} CRON_CHECK /etc/default/debsums|${AWKBINARY} -F "=" '{print $2}')
+                fi
+                if [ "${CRON_CHECK}" = "daily" ] || [ "${CRON_CHECK}" = "weekly" ] || [ "${CRON_CHECK}" = "monthly" ]; then
+                    LogText "Result: Cron job is configured for debsums utility."
+                    Display --indent 6 --text "- Cron job for debsums" --result "${STATUS_FOUND}" --color GREEN
+                    AddHP 3 3
+                else
+                    LogText "Result: Cron job is not configured for debsums utility."
+                    Display --indent 6 --text "- Cron job for debsums" --result "${STATUS_NOT_FOUND}" --color YELLOW
+                    AddHP 1 3
+                    ReportSuggestion "${TEST_NO}" "Check debsums configuration and enable checking regularly via a cron job (CRON_CHECK in default file)."
+                fi
             else
                 LogText "Result: Cron job is not configured for debsums utility."
                 Display --indent 6 --text "- Cron job for debsums" --result "${STATUS_NOT_FOUND}" --color YELLOW
@@ -808,7 +874,7 @@
     Register --test-no PKGS-7383 --preqs-met ${PREQS_MET} --os Linux --weight M --network NO --category security --description "Check for YUM package update management"
     if [ ${SKIPTEST} -eq 0 ]; then
         LogText "Test: YUM package update management"
-        FIND=$(${YUMBINARY} repolist 2>/dev/null | ${GREPBINARY} repolist | ${SEDBINARY} 's/[[:blank:]]//g' | ${SEDBINARY} 's/[,.]//g' | ${AWKBINARY} -F ":" '{print $2}' | ${EGREPBINARY} "^[0-9]+$")
+        FIND=$(${YUMBINARY} repolist 2>/dev/null | ${GREPBINARY} repolist | ${SEDBINARY} 's/[[:blank:]]//g' | ${SEDBINARY} 's/[,.]//g' | ${AWKBINARY} -F ":" '{print $2}' | ${GREPBINARY} -E "^[0-9]+$")
         if [ -z "${FIND}" -o "${FIND}" = "0" ]; then
             LogText "Result: YUM package update management failed"
             Display --indent 2 --text "- YUM package management consistency" --result "${STATUS_WARNING}" --color RED
@@ -1002,7 +1068,7 @@
         if [ ${OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY} -eq 0 ]; then
             if [ -f ${ROOTDIR}etc/apt/sources.list ]; then
                 LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list file"
-                FIND=$(${EGREPBINARY} "security.debian.org|security.ubuntu.com|security/? " ${ROOTDIR}etc/apt/sources.list | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g')
+                FIND=$(${GREPBINARY} -E "security.debian.org|security.ubuntu.com|security/? " ${ROOTDIR}etc/apt/sources.list | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g')
                 if [ -n "${FIND}" ]; then
                     FOUND=1
                     Display --indent 2 --text "- Checking security repository in sources.list file" --result "${STATUS_OK}" --color GREEN
@@ -1015,7 +1081,7 @@
             fi
             if [ -d /etc/apt/sources.list.d ]; then
                 LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list.d directory"
-                FIND=$(${EGREPBINARY} -r "security.debian.org|security.ubuntu.com|security/? " /etc/apt/sources.list.d | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g')
+                FIND=$(${GREPBINARY} -E -r "security.debian.org|security.ubuntu.com|security/? " /etc/apt/sources.list.d | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g')
                 if [ -n "${FIND}" ]; then
                     FOUND=1
                     Display --indent 2 --text "- Checking security repository in sources.list.d directory" --result "${STATUS_OK}" --color GREEN
@@ -1094,7 +1160,9 @@
             LogText "Result: found ${ROOTDIR}usr/lib/update-notifier/apt-check"
             LogText "Test: checking if any of the updates contain security updates"
             # apt-check binary is a script and translated. Do not search for normal text strings, but use numbered output only
-            FIND=$(${ROOTDIR}usr/lib/update-notifier/apt-check 2>&1 | ${AWKBINARY} -F\; '{ print $2 }')
+            # We search for the lines that start with a number, as on Ubuntu 24.04 an error can happen:
+            # Warning: W:Unable to read /var/lib/ubuntu-advantage/apt-esm/etc/apt/apt.conf.d/ - DirectoryExists (2: No such file or directory)
+            FIND=$(${ROOTDIR}usr/lib/update-notifier/apt-check 2>&1 | ${GREPBINARY} '^[0-9]' | ${AWKBINARY} -F\; '{ print $2 }')
             # Check if we get the proper line back and amount of security patches available
             if [ -z "${FIND}" ]; then
                 LogText "Result: did not find security updates line"
@@ -1235,6 +1303,41 @@
 
 #
 #################################################################################
+#
+    # Test        : PKGS-7395
+    # Description : Check Alpine upgradeable packages
+    if [ "${LINUX_VERSION}" = "Alpine Linux" ]  && [ -x "${ROOTDIR}sbin/apk" ]; then
+        PREQS_MET="YES"
+    else
+        PREQS_MET="NO"
+    fi
+
+    Register --test-no PKGS-7395 --os Linux --preqs-met ${PREQS_MET} --weight L --network YES --category security --description "Check for Alpine updates"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        if [ ${REFRESH_REPOSITORIES} -eq 1 ]; then
+            LogText "Action: updating package repository with apk"
+            ${ROOTDIR}sbin/apk update
+            LogText "Result: apk finished"
+        else
+            LogText "Result: using a possibly outdated repository, as updating is disabled via configuration"
+        fi
+        LogText "Test: Checking packages which can be upgraded via apk version -l '<'"
+        FIND=$(${ROOTDIR}sbin/apk version -l '<' | ${GREPBINARY} '<' | ${SEDBINARY} 's/\s\+<\s/</g')
+        if [ -z "${FIND}" ]; then
+            LogText "Result: no packages found which can be upgraded"
+            Display --indent 2 --text "- Checking upgradeable packages" --result "${STATUS_NONE}" --color GREEN
+            AddHP 3 3
+        else
+            LogText "Result: found one or more packages which can be upgraded"
+            Display --indent 2 --text "- Checking upgradeable packages" --result "${STATUS_FOUND}" --color YELLOW
+            for ITEM in ${FIND}; do
+                ITEM=$(echo ${ITEM} | ${SEDBINARY}  -r -e 's/([a-z,A-Z,0-9,_,-,.]{1,250})-([a-z,A-Z,0-9,.]+-r[a-z,A-Z,0-9]+)<([a-z,A-Z,0-9,-,.]+)/\1 from \2 to \3/')
+                LogText "${ITEM}"
+            done
+        fi
+    fi
+#
+#################################################################################
 #
     # Test        : PKGS-7398
     # Description : Check package audit tool
@@ -1274,8 +1377,8 @@
 
         if [ "${DPKGBINARY}" ]; then
             TESTED=1
-            KERNEL_PKG_NAMES="linux-image-[0-9]|raspberrypi-kernel|pve-kernel-[0-9]"
+            KERNEL_PKG_NAMES="linux-image-[0-9]|raspberrypi-kernel|pve-kernel-[0-9]|linux-odroid-5422"
-            KERNELS=$(${DPKGBINARY} -l 2> /dev/null | ${EGREPBINARY} "${KERNEL_PKG_NAMES}" | ${WCBINARY} -l)
+            KERNELS=$(${DPKGBINARY} -l 2> /dev/null | ${GREPBINARY} -E "${KERNEL_PKG_NAMES}" | ${WCBINARY} -l)
             if [ ${KERNELS} -eq 0 ]; then
                 LogText "Result: found no kernels from dpkg -l output, which is unexpected"
             elif [ ${KERNELS} -gt 5 ]; then

include/tests_printers_spoolers

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
 # Website  : https://cisofy.com
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -139,9 +138,19 @@
     Register --test-no PRNT-2308 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check CUPSd network configuration"
     if [ ${SKIPTEST} -eq 0 ]; then
         FOUND=0
-        # Checking network addresses
+        PORT_FOUND=0
+
         LogText "Test: Checking CUPS daemon listening network addresses"
-        FIND=$(${EGREPBINARY} "^(SSL)?Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} -v "/" | ${AWKBINARY} '{ print $2 }')
+
+        # Search for Port statement
+        FIND=$(${GREPBINARY} -E "^Port 631" ${CUPSD_CONFIG_FILE})
+        if [ -n "${FIND}" ]; then
+            LogText "Result: found CUPS listening on port 631 (most likely all interfaces)"
+            PORT_FOUND=1
+        fi
+
+        # Checking network addresses
+        FIND=$(${GREPBINARY} -E "^(SSL)?Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} -v "/" | ${AWKBINARY} '{ print $2 }')
         COUNT=0
         for ITEM in ${FIND}; do
             LogText "Result: found network address: ${ITEM}"
@@ -149,17 +158,10 @@
             FOUND=1
         done
 
-        # Search for Port statement
-        FIND=$(${EGREPBINARY} "^Port 631" ${CUPSD_CONFIG_FILE})
-        if [ -n "${FIND}" ]; then
-            LogText "Result: found CUPS listening on port 631 (most likely all interfaces)"
-            FOUND=1
-        fi
-
         # Check if daemon might be running on localhost
-        if [ ${FOUND} -eq 0 ]; then
+        if [ ${FOUND} -eq 0 -a ${PORT_FOUND} -eq 0 ]; then
             LogText "Result: CUPS does not look to be listening on a network port"
-        elif [ ${COUNT} -eq 1 ]; then
+        elif [ ${COUNT} -eq 1 -a ${PORT_FOUND} -eq 0 ]; then
             if [ "${FIND}" = "localhost:631" -o "${FIND}" = "127.0.0.1:631" ]; then
                 LogText "Result: CUPS daemon only running on localhost"
                 AddHP 2 2
@@ -219,7 +221,7 @@
         QDAEMON_CONFIG_FILE="${ROOTDIR}etc/qconfig"
         FileIsReadable ${QDAEMON_CONFIG_FILE}
         if [ ${CANREAD} -eq 1 ]; then
-            FIND=$(${GREPBINARY} -v "^\*" ${QDAEMON_CONFIG_FILE} | ${EGREPBINARY} "backend|device")
+            FIND=$(${GREPBINARY} -v "^\*" ${QDAEMON_CONFIG_FILE} | ${GREPBINARY} -E "backend|device")
             if [ -n "${FIND}" ]; then
                 LogText "Result: printers are defined in ${QDAEMON_CONFIG_FILE}"
                 Display --indent 2 --text "- Checking /etc/qconfig file" --result "${STATUS_FOUND}" --color GREEN

include/tests_scheduling

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
-# Website  : https://cisofy.com
+# Website  : https://cisofy.com/
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -35,7 +34,7 @@
     # Description : Check cron daemon
     Register --test-no SCHD-7702 --weight L --network NO --category security --description "Check status of cron daemon"
     if [ ${SKIPTEST} -eq 0 ]; then
-        FIND=$(${PSBINARY} aux | ${EGREPBINARY} "( cron$|/cron(d)? )")
+        FIND=$(${PSBINARY} aux | ${GREPBINARY} -E "( cron$|/cron(d)? )")
         if IsEmpty "${FIND}"; then
             LogText "Result: no cron daemon found"
         else
@@ -55,12 +54,12 @@
         BAD_FILE_PERMISSIONS=0
         BAD_FILE_OWNERSHIP=0
         FindCronJob() {
-            sCRONJOBS=$(${EGREPBINARY} '^([0-9*])' $1 | ${TRBINARY} '\t' ' ' | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | ${SORTBINARY})
+            sCRONJOBS=$(${GREPBINARY} -E '^([0-9*])' $1 | ${TRBINARY} '\t' ' ' | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | ${SORTBINARY})
         }
 
         CRONTAB_FILE="${ROOTDIR}etc/crontab"
         if [ -f ${CRONTAB_FILE} ]; then
-            ${EGREPBINARY} -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:/etc/crontab"
+            ${GREPBINARY} -E -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:/etc/crontab"
             if IsWorldWritable ${CRONTAB_FILE}; then LogText "Result: insecure file permissions for cronjob file ${CRONTAB_FILE}"; Report "insecure_fileperms_cronjob[]=${CRONTAB_FILE}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi
             if ! IsOwnedByRoot ${CRONTAB_FILE}; then LogText "Result: incorrect owner found for cronjob file ${CRONTAB_FILE}"; Report "bad_fileowner_cronjob[]=${CRONTAB_FILE}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi
             FindCronJob ${CRONTAB_FILE}
@@ -77,7 +76,7 @@
                 if FileIsReadable ${DIR}; then
                     LogText "Result: found directory ${DIR}"
                     LogText "Test: searching files in ${DIR}"
-                    FIND=$(${FINDBINARY} ${DIR} -type f -print | ${GREPBINARY} -v ".placeholder")
+                    FIND=$(${FINDBINARY} -L ${DIR} -type f -print | ${GREPBINARY} -v ".placeholder")
                     if IsEmpty "${FIND}"; then
                         LogText "Result: no files found in ${DIR}"
                     else
@@ -86,7 +85,7 @@
                             if IsWorldWritable ${FILE}; then LogText "Result: insecure file permissions for cronjob file ${J}"; Report "insecure_fileperms_cronjob[]=${J}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi
                             if ! IsOwnedByRoot ${FILE}; then LogText "Result: incorrect owner found for cronjob file ${J}"; Report "bad_fileowner_cronjob[]=${J}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi
                             FILENAME=$(echo ${FILE} | ${AWKBINARY} -F/ '{print $NF}')
-                            if [ "${FILENAME}" = "lynis" ]; then ${EGREPBINARY} -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:${FILE}"; fi
+                            if [ "${FILENAME}" = "lynis" ]; then ${GREPBINARY} -E -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:${FILE}"; fi
                             FindCronJob ${FILE}
                             if HasData "${sCRONJOBS}"; then
                                 for K in ${sCRONJOBS}; do
@@ -112,7 +111,7 @@
                 LogText "Result: found directory ${I}"
                 if FileIsReadable ${I}; then
                     LogText "Test: searching files in ${I}"
-                    FIND=$(${FINDBINARY} ${I} -type f -print 2> /dev/null | ${GREPBINARY} -v ".placeholder")
+                    FIND=$(${FINDBINARY} -L ${I} -type f -print 2> /dev/null | ${GREPBINARY} -v ".placeholder")
                     if [ -z "${FIND}" ]; then
                         LogText "Result: no files found in ${I}"
                     else
@@ -121,7 +120,7 @@
                             if IsWorldWritable ${FILE}; then LogText "Result: insecure file permissions for cronjob file ${FILE}"; Report "insecure_fileperms_cronjob[]=${FILE}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi
                             if ! IsOwnedByRoot ${FILE}; then LogText "Result: incorrect owner found for cronjob file ${FILE}"; Report "bad_fileowner_cronjob[]=${FILE}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi
                             FILENAME=$(echo ${FILE} | ${AWKBINARY} -F/ '{print $NF}')
-                            if [ "${FILENAME}" = "lynis" ]; then ${EGREPBINARY} -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:${FILE}"; fi
+                            if [ "${FILENAME}" = "lynis" ]; then ${GREPBINARY} -E -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:${FILE}"; fi
                             LogText "Result: Found cronjob (${I}): ${FILE}"
                             Report "cronjob[]=${FILE}"
                         done
@@ -141,7 +140,7 @@
             FIND=$(${FINDBINARY} /var/spool/cron/crontabs -xdev -type f -print 2> /dev/null)
             for I in ${FIND}; do
                 if FileIsReadable ${I}; then
-                    ${EGREPBINARY} -q -s 'lynis audit system' ${I} && LYNIS_CRONJOB="file:${I}"
+                    ${GREPBINARY} -E -q -s 'lynis audit system' ${I} && LYNIS_CRONJOB="file:${I}"
                     FindCronJob ${I}
                     for FILE in ${sCRONJOBS}; do
                         LogText "Found cronjob (/var/spool/cron/crontabs): ${I} (${FILE})"
@@ -154,7 +153,7 @@
                 FIND=$(find ${ROOTDIR}var/spool/cron -type f -print)
                 for I in ${FIND}; do
                     if FileIsReadable ${I}; then
-                        ${EGREPBINARY} -q -s 'lynis audit system' ${I} && LYNIS_CRONJOB="file:${I}"
+                        ${GREPBINARY} -E -q -s 'lynis audit system' ${I} && LYNIS_CRONJOB="file:${I}"
                         FindCronJob ${I}
                         for FILE in ${sCRONJOBS}; do
                             LogText "Found cronjob in ${ROOTDIR}var/spool/cron: ${I} (${FILE})"
@@ -169,7 +168,7 @@
         if [ "${OS}" = "Linux" ]; then
             if [ -f /etc/anacrontab ]; then
                 LogText "Test: checking anacrontab"
-                sANACRONJOBS=$(${EGREPBINARY} '^([0-9@])' /etc/anacrontab | ${TRBINARY} '\t' ' ' | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | ${SORTBINARY})
+                sANACRONJOBS=$(${GREPBINARY} -E '^([0-9@])' /etc/anacrontab | ${TRBINARY} '\t' ' ' | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | ${SORTBINARY})
                 if [ -n "${sANACRONJOBS}" ]; then
                     Report "scheduler[]=anacron"
                     for I in ${sANACRONJOBS}; do

include/tests_shells

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
-# Website  : https://cisofy.com
+# Website  : https://cisofy.com/
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -52,7 +51,7 @@
     Register --test-no SHLL-6202 --os FreeBSD --weight L --network NO --category security --description "Check console TTYs"
     if [ ${SKIPTEST} -eq 0 ]; then
         LogText "Test: Checking console TTYs"
-        FIND=$(${EGREPBINARY} '^console' ${ROOTDIR}etc/ttys | ${GREPBINARY} -v 'insecure')
+        FIND=$(${GREPBINARY} -E '^console' ${ROOTDIR}etc/ttys | ${GREPBINARY} -v 'insecure')
         if [ -z "${FIND}" ]; then
             Display --indent 2 --text "- Checking console TTYs" --result "${STATUS_OK}" --color GREEN
             LogText "Result: console is secured against single user mode without password."
@@ -167,9 +166,9 @@
             FIND=$(${LSBINARY} ${ROOTDIR}etc/profile.d/*.sh 2> /dev/null)
             if [ -n "${FIND}" ]; then
                 # Determine if we can find a TMOUT value
-                FIND=$(${FINDBINARY} ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec cat {} \; 2> /dev/null | ${GREPBINARY} 'TMOUT=' | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }')
+                FIND=$(${FINDBINARY} -L ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec cat {} \; 2> /dev/null | ${GREPBINARY} 'TMOUT=' | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }')
                 # Determine if the value is exported (with export, readonly, or typeset)
-                FIND2=$(${FINDBINARY} ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec cat {} \; 2> /dev/null | ${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }')
+                FIND2=$(${FINDBINARY} -L ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec cat {} \; 2> /dev/null | ${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }')
                 if [ -n "${FIND}" ]; then
                     N=0; IDLE_TIMEOUT=1
                     for I in ${FIND}; do
@@ -277,9 +276,10 @@
 
 Report "session_timeout_enabled=${IDLE_TIMEOUT}"
 
+#
+#################################################################################
+#
 
 WaitForKeyPress
 
-#
+# EOF
-#================================================================================
-# Lynis - Copyright 2007-2021, CISOfy - http://cisofy.com

include/tests_snmp

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
-# Website  : https://cisofy.com
+# Website  : https://cisofy.com/
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -102,6 +101,4 @@
 
 WaitForKeyPress
 
-#
+# EOF
-#================================================================================
-# Lynis - Copyright 2007-2021 Michael Boelen, CISOfy - https://cisofy.com

include/tests_squid

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
 # Website  : https://cisofy.com
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -42,7 +41,7 @@
         LogText "Test: Searching for a Squid daemon"
         FOUND=0
         # Check running processes
-        FIND=$(${PSBINARY} ax | ${EGREPBINARY} "(squid|squid3) " | ${GREPBINARY} -v "grep")
+        FIND=$(${PSBINARY} ax | ${GREPBINARY} -E "(squid|squid3) " | ${GREPBINARY} -v "grep")
         if [ -n "${FIND}" ]; then
             SQUID_DAEMON_RUNNING=1
             LogText "Result: Squid daemon is running"
@@ -131,7 +130,7 @@
     Register --test-no SQD-3613 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid file permissions"
     if [ ${SKIPTEST} -eq 0 ]; then
         LogText "Test: Checking file permissions of ${SQUID_DAEMON_CONFIG}"
-        FIND=$(find ${SQUID_DAEMON_CONFIG} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \))
+        FIND=$(find -L ${SQUID_DAEMON_CONFIG} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \))
         if [ -n "${FIND}" ]; then
             LogText "Result: file ${SQUID_DAEMON_CONFIG} is world readable, writable or executable and could leak information or passwords"
             Display --indent 4 --text "- Checking Squid configuration file permissions" --result "${STATUS_WARNING}" --color RED
@@ -323,6 +322,4 @@
 
 WaitForKeyPress
 
-#
+# EOF
-#================================================================================
-# Lynis - Copyright 2007-2021 Michael Boelen, CISOfy - https://cisofy.com

include/tests_ssh

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
 # Website  : https://cisofy.com
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -22,7 +21,7 @@
 #
 #################################################################################
 #
-    SSH_DAEMON_CONFIG_LOCS="/etc /etc/ssh /usr/local/etc/ssh /opt/csw/etc/ssh"
+    SSH_DAEMON_CONFIG_LOCS="/etc /etc/ssh /usr/local/etc/ssh /opt/csw/etc/ssh /usr/etc/ssh"
     SSH_DAEMON_CONFIG=""
     SSH_DAEMON_PORT=""
     SSH_DAEMON_RUNNING=0
@@ -74,7 +73,7 @@
                 LogText "Result: ${I}/sshd_config exists"
                 if [ ${FOUND} -eq 1 ]; then
                     ReportException "${TEST_NO}:01"
-                    LogText "Result: we already had found another sshd_config file. Using this new file then."
+                    LogText "Result: we already found another sshd_config file. Using this new file instead of the previous one."
                 fi
                 FileIsReadable ${I}/sshd_config
                 if [ ${CANREAD} -eq 1 ]; then
@@ -135,7 +134,6 @@
         SSHOPS="AllowTcpForwarding:NO,LOCAL,YES:=\
                 ClientAliveCountMax:2,4,16:<\
                 ClientAliveInterval:300,600,900:<\
-                Compression:NO,,YES:=\
                 FingerprintHash:SHA256,MD5,:=\
                 GatewayPorts:NO,,YES:=\
                 IgnoreRhosts:YES,,NO:=\
@@ -158,12 +156,12 @@
         # OpenSSH had some options removed over time. Based on the version we add some additional options to check
         if [ ${OPENSSHD_VERSION_MAJOR} -lt 7 ]; then
             LogText "Result: added additional options for OpenSSH 6.x and lower"
-            SSHOPS="${SSHOPS} UsePrivilegeSeparation:SANDBOX,YES,NO:=  Protocol:2,,1:="
+            SSHOPS="${SSHOPS} Compression:(DELAYED|NO),,YES:= UsePrivilegeSeparation:SANDBOX,YES,NO:=  Protocol:2,,1:="
         elif [ ${OPENSSHD_VERSION_MAJOR} -eq 7 ]; then
             # Protocol 1 support removed (OpenSSH 7.4 and later)
             if [ ${OPENSSHD_VERSION_MINOR} -lt 4 ]; then
                 LogText "Result: added additional options for OpenSSH < 7.4"
-                SSHOPS="${SSHOPS} Protocol:2,,1:="
+                SSHOPS="${SSHOPS} Compression:(DELAYED|NO),,YES:= Protocol:2,,1:="
             fi
             # UsePrivilegedSeparation removed (OpenSSH 7.5 and later)
             if [ ${OPENSSHD_VERSION_MINOR} -lt 5 ]; then
@@ -300,7 +298,7 @@
     if [ ${SKIPTEST} -eq 0 ]; then
         FOUND=0
         # AllowUsers
-        FIND=$(${EGREPBINARY} -i "^AllowUsers" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }')
+        FIND=$(${GREPBINARY} -E -i "^AllowUsers" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }')
         if [ -n "${FIND}" ]; then
             LogText "Result: AllowUsers set, with value ${FIND}"
             Display --indent 4 --text "- OpenSSH option: AllowUsers" --result "${STATUS_FOUND}" --color GREEN
@@ -311,9 +309,9 @@
         fi
 
         # AllowGroups
-        FIND=$(${EGREPBINARY} -i "^AllowGroups" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }')
+        FIND=$(${GREPBINARY} -E -i "^AllowGroups" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }')
         if [ -n "${FIND}" ]; then
-            LogText "Result: AllowUsers set ${FIND}"
+            LogText "Result: AllowGroups set ${FIND}"
             Display --indent 4 --text "- OpenSSH option: AllowGroups" --result "${STATUS_FOUND}" --color GREEN
             FOUND=1
         else

include/tests_storage

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
 # Website  : https://cisofy.com
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -38,8 +37,8 @@
         if [ -d "${ROOTDIR}etc/modprobe.d" ]; then
             FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null)
             if [ -n "${FIND}" ]; then
-                FIND1=$(${EGREPBINARY} "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
+                FIND1=$(${GREPBINARY} -E "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
-                FIND2=$(${EGREPBINARY} "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
+                FIND2=$(${GREPBINARY} -E "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
                 if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then
                     FOUND=1
                     LogText "Result: found firewire ohci driver in disabled state"
@@ -49,8 +48,8 @@
             fi
         fi
         if [ -f "${ROOTDIR}etc/modprobe.conf" ]; then
-            FIND1=$(${EGREPBINARY} -r "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" "${ROOTDIR}etc/modprobe.conf" | ${GREPBINARY} -v "#")
+            FIND1=$(${GREPBINARY} -E -r "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" "${ROOTDIR}etc/modprobe.conf" | ${GREPBINARY} -v "#")
-            FIND2=$(${EGREPBINARY} -r "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" "${ROOTDIR}etc/modprobe.conf" | ${GREPBINARY} -v "#")
+            FIND2=$(${GREPBINARY} -E -r "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" "${ROOTDIR}etc/modprobe.conf" | ${GREPBINARY} -v "#")
             if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then
                 FOUND=1
                 LogText "Result: found firewire ohci driver in disabled state"
@@ -75,6 +74,4 @@
 
 WaitForKeyPress
 
-#
+# EOF
-#================================================================================
-# Lynis - Copyright 2007-2021, CISOfy, Michael Boelen - https://cisofy.com

include/tests_storage_nfs

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
 # Website  : https://cisofy.com
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are

include/tests_system_integrity

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
-# Website  : https://cisofy.com
+# Website  : https://cisofy.com/
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -30,6 +29,8 @@
 #
 #################################################################################
 #
+    # Test        : SINT-7010
+    # Description : System Integrity Status
     if [ -x ${ROOTDIR}/usr/bin/csrutil ]; then PREQS_MET="YES"; else PREQS_MET="NO"; SKIPREASON="No CSrutil binary found"; fi
     Register --test-no SINT-7010 --os MacOS --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight H --network NO --category security --description "System Integrity Status"
     if [ ${SKIPTEST} -eq 0 ]; then
@@ -48,7 +49,7 @@
 #
 #################################################################################
 #
-    WaitForKeyPress
+
-#
+WaitForKeyPress
-#================================================================================
+
-# Lynis - Copyright 2007-2021 Michael Boelen, CISOfy - https://cisofy.com
+# EOF

include/tests_time

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
 # Website  : https://cisofy.com
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -139,7 +138,7 @@
         for I in ${CRONTAB_FILES}; do
             if [ -f ${I} ]; then
                 LogText "Test: checking for ntpdate, rdate, sntp or ntpdig in crontab file ${I}"
-                FIND=$(${EGREPBINARY} "${CRONTAB_REGEX}" ${I} | ${GREPBINARY} -v '^#')
+                FIND=$(${GREPBINARY} -E "${CRONTAB_REGEX}" ${I} | ${GREPBINARY} -v '^#')
                 if [ -n "${FIND}" ]; then
                     FOUND=1; NTP_CONFIG_TYPE_SCHEDULED=1
                     Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "${STATUS_FOUND}" --color GREEN
@@ -161,10 +160,10 @@
         for I in ${CRON_DIRS}; do
             for J in "${I}"/*; do  # iterate over folders in a safe way
                 # Check: regular file, readable and not called .placeholder
-                FIND=$(echo "${J}" | ${EGREPBINARY} '/.placeholder$')
+                FIND=$(echo "${J}" | ${GREPBINARY} -E '/.placeholder$')
                 if [ -f "${J}" ] && [ -r "${J}" ] && [ -z "${FIND}" ]; then
                     LogText "Test: checking for ntpdate, rdate, sntp or ntpdig in ${J}"
-                    FIND=$("${EGREPBINARY}" "${CRONTAB_REGEX}" "${J}" | "${GREPBINARY}" -v "^#")
+                    FIND=$("${GREPBINARY}" -E "${CRONTAB_REGEX}" "${J}" | "${GREPBINARY}" -v "^#")
                     if [ -n "${FIND}" ]; then
                         FOUND=1; FOUND_IN_CRON=1; NTP_CONFIG_TYPE_SCHEDULED=1
                         LogText "Result: found ntpdate, rdate, sntp or ntpdig in ${J}"
@@ -232,7 +231,7 @@
     Register --test-no TIME-3106 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check systemd NTP time synchronization status"
     if [ ${SKIPTEST} -eq 0 ]; then
         LogText "Test: Check the status of time synchronization via timedatectl"
-        FIND=$(${TIMEDATECTL} status | ${EGREPBINARY} "(NTP|System clock) synchronized: yes")
+        FIND=$(${TIMEDATECTL} status | ${GREPBINARY} -E "(NTP|System clock) synchronized: yes")
         if [ -z "${FIND}" ]; then
             LogText "Result: time not synchronized via NTP"
             ReportSuggestion "${TEST_NO}" "Check timedatectl output. Synchronization via NTP is enabled, but status reflects it is not synchronized"
@@ -273,7 +272,7 @@
         else
             for ITEM in ${FIND}; do
                 LogText "Found stratum 16 peer: ${ITEM}"
-                FIND2=$(${EGREPBINARY} "^ntp-ignore-stratum-16-peer=${ITEM}" ${PROFILE})
+                FIND2=$(${GREPBINARY} -E "^ntp-ignore-stratum-16-peer=${ITEM}" ${PROFILE})
                 if IsEmpty "${FIND2}"; then
                     COUNT=$((COUNT + 1))
                     Report "ntp_stratum_16_peer[]=${ITEM}"
@@ -303,7 +302,7 @@
     Register --test-no TIME-3120 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check unreliable NTP peers"
     if [ ${SKIPTEST} -eq 0 ]; then
         LogText "Test: Checking unreliable ntp peers"
-        FIND=$(${NTPQBINARY} -p -n | ${EGREPBINARY} "^(-|#)" | ${AWKBINARY} '{ print $1 }' | ${SEDBINARY} 's/^-//g')
+        FIND=$(${NTPQBINARY} -p -n | ${GREPBINARY} -E "^(-|#)" | ${AWKBINARY} '{ print $1 }' | ${SEDBINARY} 's/^-//g')
         if [ -z "${FIND}" ]; then
             Display --indent 2 --text "- Checking unreliable ntp peers" --result "${STATUS_NONE}" --color GREEN
             LogText "Result: No unreliable peers found"
@@ -371,7 +370,7 @@
     Register --test-no TIME-3132 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check NTP falsetickers"
     if [ ${SKIPTEST} -eq 0 ]; then
         LogText "Test: Checking preferred time source"
-        FIND=$(${NTPQBINARY} -p -n | ${EGREPBINARY} '^x')
+        FIND=$(${NTPQBINARY} -p -n | ${GREPBINARY} -E '^x')
         if [ -z "${FIND}" ]; then
             Display --indent 2 --text "- Checking falsetickers" --result "${STATUS_OK}" --color GREEN
             LogText "Result: No falsetickers found (items preceding with an 'x')"
@@ -455,7 +454,7 @@
         else
             LogText "Result: ${FILE} is not empty, which is fine"
             Display --indent 2 --text "- Checking NTP step-tickers file" --result "${STATUS_OK}" --color GREEN
-            sFIND=$(${AWKBINARY} '/^[a-z0-9]/ { print $1 }' ${FILE} | ${EGREPBINARY} -v "^127." | ${EGREPBINARY} -v "^::1")
+            sFIND=$(${AWKBINARY} '/^[a-z0-9]/ { print $1 }' ${FILE} | ${GREPBINARY} -E -v "^127." | ${GREPBINARY} -E -v "^::1")
             for I in ${sFIND}; do
                 FIND=$(${GREPBINARY} ^${I} ${FILE} | wc -l)
                 if [ ${FIND} -gt 0 ]; then
@@ -553,7 +552,7 @@
     Register --test-no TIME-3182 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check OpenNTPD has working peers"
     if [ ${SKIPTEST} -eq 0 ]; then
         # Format is "xx/yy peers valid, ..."
-        FIND=$(${NTPCTLBINARY} -s status | ${EGREPBINARY} -o '[0-9]+/[0-9]+' | ${CUTBINARY} -d '/' -f 1)
+        FIND=$(${NTPCTLBINARY} -s status | ${GREPBINARY} -E -o '[0-9]+/[0-9]+' | ${CUTBINARY} -d '/' -f 1)
         if [ -z "${FIND}" ] || [ "${FIND}" -eq 0 ]; then
             ReportWarning "${TEST_NO}" "OpenNTPD has no peers" "${NTPCTLBINARY} -s status"
         fi

include/tests_tooling

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
 # Website  : https://cisofy.com
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -259,8 +258,8 @@
     #            # Check email alert configuration
     #            LogText "Test: checking for email actions within ${FAIL2BAN_CONFIG}"
     #
-    #            FIND=$(${EGREPBINARY} "^action = \%\(action_m.*\)s" ${FAIL2BAN_CONFIG})
+    #            FIND=$(${GREPBINARY} -E "^action = \%\(action_m.*\)s" ${FAIL2BAN_CONFIG})
-    #            FIND2=$(${EGREPBINARY} "^action = \%\(action_\)s" ${FAIL2BAN_CONFIG})
+    #            FIND2=$(${GREPBINARY} -E "^action = \%\(action_\)s" ${FAIL2BAN_CONFIG})
     #
     #            if [ -n "${FIND}" ]; then
     #                FAIL2BAN_EMAIL=1
@@ -400,7 +399,7 @@
 #
 #################################################################################
 #
-    # Test        : TOOL-5160
+    # Test        : TOOL-5126
     # Description : Check for OSSEC
     Register --test-no TOOL-5126 --weight L --network NO --category security --description "Check for active OSSEC daemon"
     if [ ${SKIPTEST} -eq 0 ]; then
@@ -428,6 +427,35 @@
     fi
 #
 #################################################################################
+#
+    # Test        : TOOL-5128
+    # Description : Check for Wazuh daemon
+    Register --test-no TOOL-5128 --weight L --network NO --category security --description "Check for active Wazuh daemon"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        # Server side
+        if IsRunning "wazuh-analysisd"; then
+            IDS_IPS_TOOL_FOUND=1
+            Report "ids_ips_tooling[]=wazuh"
+            Report "ids_ips_tooling[]=wazuh-analysisd"
+            LogText "Result: Wazuh analysis daemon is active"
+            Display --indent 2 --text "- Checking presence of Wazuh (analysis)" --result "${STATUS_FOUND}" --color GREEN
+        else
+            LogText "Result: Wazuh analysis daemon not active"
+        fi
+
+        # Client side
+        if IsRunning "wazuh-agentd"; then
+            IDS_IPS_TOOL_FOUND=1
+            Report "ids_ips_tooling[]=wazuh"
+            Report "ids_ips_tooling[]=wazuh-agentd"
+            LogText "Result: Wazuh agent daemon is active"
+            Display --indent 2 --text "- Checking presence of Wazuh (agent)" --result "${STATUS_FOUND}" --color GREEN
+        else
+            LogText "Result: Wazuh agent daemon not active"
+        fi
+    fi
+#
+#################################################################################
 #
     # Test        : TOOL-5190
     # Description : Check for an IDS/IPS tool

include/tests_usb

@@ -6,7 +6,7 @@
 # ------------------
 #
 # Website  : https://cisofy.com
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -54,8 +54,8 @@
         if [ -d /etc/modprobe.d ]; then
             FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null)
             if [ -n "${FIND}" ]; then
-                FIND=$(${EGREPBINARY} -r "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
+                FIND=$(${GREPBINARY} -E -r "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
-                FIND2=$(${EGREPBINARY} -r "^blacklist usb[-_]storage" ${ROOTDIR}etc/modprobe.d/*)
+                FIND2=$(${GREPBINARY} -E -r "^blacklist usb[-_]storage" ${ROOTDIR}etc/modprobe.d/*)
                 if [ -n "${FIND}" -o -n "${FIND2}" ]; then
                     FOUND=1
                     LogText "Result: found usb-storage driver in disabled state (blacklisted)"
@@ -65,7 +65,7 @@
             fi
         fi
         if [ -f ${ROOTDIR}etc/modprobe.conf ]; then
-            FIND=$(${EGREPBINARY} "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.conf | ${GREPBINARY} "usb-storage" | ${GREPBINARY} -v "#")
+            FIND=$(${GREPBINARY} -E "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.conf | ${GREPBINARY} "usb-storage" | ${GREPBINARY} -v "#")
             if [ -n "${FIND}" ]; then
                 FOUND=1
                 LogText "Result: found usb-storage driver in disabled state"
@@ -316,11 +316,11 @@
                     Display --indent 4 --text "- RuleFile" --result "${STATUS_FOUND}" --color GREEN
                     AddHP 1 1
 
-                    USBGUARD_RULES_ALLOW=$(${EGREPBINARY} -c "^allow" ${USBGUARD_RULES})
+                    USBGUARD_RULES_ALLOW=$(${GREPBINARY} -E -c "^allow" ${USBGUARD_RULES})
                     Display --indent 6 --text "- Controllers & Devices allow" --result "${USBGUARD_RULES_ALLOW}" --color WHITE
-                    USBGUARD_RULES_BLOCK=$(${EGREPBINARY} -c "^block" ${USBGUARD_RULES})
+                    USBGUARD_RULES_BLOCK=$(${GREPBINARY} -E -c "^block" ${USBGUARD_RULES})
                     Display --indent 6 --text "- Controllers & Devices block" --result "${USBGUARD_RULES_BLOCK}" --color WHITE
-                    USBGUARD_RULES_REJECT=$(${EGREPBINARY} -c "^reject" ${USBGUARD_RULES})
+                    USBGUARD_RULES_REJECT=$(${GREPBINARY} -E -c "^reject" ${USBGUARD_RULES})
                     Display --indent 6 --text "- Controllers & Devices reject" --result "${USBGUARD_RULES_REJECT}" --color WHITE
                 else
                     LogText "Result: RuleFile not found (\"man usbguard\" for instructions to install initial policies)"

include/tests_virtualization

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
 # Website  : https://cisofy.com
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are

include/tests_webservers

@@ -5,11 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
 # Website  : https://cisofy.com
-# Blog     : http://linux-audit.com
+# Blog     : https://linux-audit.com/
 # GitHub   : https://github.com/CISOfy/lynis
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@@ -48,6 +47,8 @@
     TMPFILE="${TEMP_FILE}"
     CreateTempFile || ExitFatal
     TMPFILE2="${TEMP_FILE}"
+    CreateTempFile || ExitFatal
+    TMPFILE3="${TEMP_FILE}"
 #
 #################################################################################
 #
@@ -63,7 +64,7 @@
             Display --indent 2 --text "- Checking Apache" --result "${STATUS_NOT_FOUND}" --color WHITE
         else
             LogText "Test: Scanning for Apache binary"
-            IS_APACHE=$(${HTTPDBINARY} -v 2> /dev/null | ${EGREPBINARY} '[aA]pache')
+            IS_APACHE=$(${HTTPDBINARY} -v 2> /dev/null | ${GREPBINARY} -E '[aA]pache')
             if IsEmpty "${IS_APACHE}"; then
                 LogText "Result: ${HTTPDBINARY} is not Apache"
                 Display --indent 2 --text "- Checking Apache (binary ${HTTPDBINARY})" --result "NO MATCH" --color WHITE
@@ -203,7 +204,7 @@
     #if [ ${SKIPTEST} -eq 0 ]; then
     #    # Testing Debian style
     #    LogText "Test: searching loaded/enabled Apache modules"
-    #    apachectl -t -D DUMP_MODULES 2>&1 | ${EGREPBINARY} -v "(Loaded Modules|Syntax OK)" | ${SEDBINARY} 's/(\(shared\|static\))//' | ${SEDBINARY} 's/ //'
+    #    apachectl -t -D DUMP_MODULES 2>&1 | ${GREPBINARY} -E -v "(Loaded Modules|Syntax OK)" | ${SEDBINARY} 's/(\(shared\|static\))//' | ${SEDBINARY} 's/ //'
     #    for I in ${APACHE_MODULES_ENABLED_LOCS}; do
     #        LogText "Test: checking ${I}"
     #        if [ -d ${I} ]; then
@@ -288,7 +289,7 @@
     Register --test-no HTTP-6643 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Determining existence of specific Apache modules"
     if [ ${SKIPTEST} -eq 0 ]; then
         # Check modules, module
-        if CheckItem "apache_module" "/mod_security2.so"; then
+        if CheckItem "apache_module" "/mod_security(2|3).so" ; then
             Display --indent 10 --text "ModSecurity: web application firewall" --result "${STATUS_FOUND}" --color GREEN
             AddHP 3 3
         else
@@ -300,8 +301,42 @@
 #
 #################################################################################
 #
-    # Test        : HTTP-6660 TODO
+    # Test        : HTTP-6660
     # Description : Search for "TraceEnable off" in configuration files
+    if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+    Register --test-no HTTP-6660 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking Apache security setting: TraceEnable"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        for DIR in ${sTEST_APACHE_TARGETS}; do
+            if [ -d ${DIR} ]; then
+                find ${DIR} -name "*.conf" -print >> ${TMPFILE3}
+            fi
+        done
+
+        # Check all Apache conf-files for TraceEnable
+        if [ -f ${TMPFILE3} ]; then
+            Display --indent 2 --text '- Checking TraceEnable setting in:'
+            for APACHE_CONFFILE in $(cat ${TMPFILE3}); do
+                TRACEENABLE=$( ${GREPBINARY} -i -E '^TraceEnable' ${APACHE_CONFFILE} | ${AWKBINARY} '{print $2}' )
+                if [ ! ${TRACEENABLE} ]; then
+                    LogText "Result: no TraceEnable setting found in ${APACHE_CONFFILE}"
+                    Display --indent 4 --text "  ${APACHE_CONFFILE}" --result "${STATUS_NOT_FOUND}" --color WHITE
+                else
+                    TRACEENABLED_SETTING=$( echo ${TRACEENABLE} | tr 'A-Z' 'a-z' )
+                    if [ "x${TRACEENABLED_SETTING}" = 'xoff' ]; then
+                        LogText "Result: found TraceEnable setting set to 'off' in ${APACHE_CONFFILE}"
+                        Report "Apache setting: 'TraceEnable Off' in ${APACHE_CONFFILE}"
+                        Display --indent 4 --text "  ${APACHE_CONFFILE}" --result "${STATUS_FOUND}" --color GREEN
+                    else
+                        LogText "Result: found TraceEnable setting set to '"${TRACEENABLE}"' in ${APACHE_CONFFILE}"
+                        Report "Apache setting: 'TraceEnable "${TRACEENABLE}"' in ${APACHE_CONFFILE}"
+                        Display --indent 4 --text "  ${APACHE_CONFFILE}" --result "${STATUS_SUGGESTION}" --color YELLOW
+                        ReportSuggestion "${TEST_NO}" "Consider setting 'TraceEnable Off' in ${APACHE_CONFFILE}" "Set TraceEnable to 'On' or 'extended' for testing and diagnostic purposes only."
+                    fi
+                fi
+            done
+            rm -f ${TMPFILE3}
+        fi
+    fi
 #
 #################################################################################
 #
@@ -381,7 +416,7 @@
         done
 
         # Sort all discovered configuration lines and store unique ones. Also strip out the mime types configured in nginx
-        SORTFILE=$(${SORTBINARY} -u ${TMPFILE} | ${SEDBINARY} 's/ /:space:/g' | ${EGREPBINARY} -v "(application|audio|image|text|video)/" | ${EGREPBINARY} -v "({|})")
+        SORTFILE=$(${SORTBINARY} -u ${TMPFILE} | ${SEDBINARY} 's/ /:space:/g' | ${GREPBINARY} -E -v "(application|audio|image|text|video)/" | ${GREPBINARY} -E -v "({|})")
         for I in ${SORTFILE}; do
             I=$(echo ${I} | ${SEDBINARY} 's/:space:/ /g')
             Report "nginx_config_option[]=${I}";
@@ -608,6 +643,7 @@
     # Remove temp file (double check)
     if [ -n "${TMPFILE}" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi
     if [ -n "${TMPFILE2}" ]; then if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi; fi
+    if [ -n "${TMPFILE3}" ]; then if [ -f ${TMPFILE3} ]; then rm -f ${TMPFILE3}; fi; fi
 
     WaitForKeyPress
 

include/tool_tips

@@ -5,8 +5,7 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright (c) Michael Boelen, CISOfy, and many contributors.
-# Copyright 2007-2021, CISOfy
 #
 # Website  : https://cisofy.com
 # Blog     : http://linux-audit.com

lynis

@@ -5,10 +5,10 @@
 #   Lynis
 # ------------------
 #
-# Copyright 2007-2013, Michael Boelen
+# Copyright Michael Boelen, CISOfy
-#           2013-now, CISOfy
 #
-# Web site: https://cisofy.com
+# Web site : https://cisofy.com/
+# Blog     : https://linux-audit.com/ 
 #
 # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
 # welcome to redistribute it under the terms of the GNU General Public License.
@@ -43,16 +43,16 @@
     PROGRAM_WEBSITE="https://cisofy.com/lynis/"
 
     # Version details
-    PROGRAM_RELEASE_DATE="2022-01-18"
+    PROGRAM_RELEASE_DATE="2025-01-28"
-    PROGRAM_RELEASE_TIMESTAMP=1642512096
+    PROGRAM_RELEASE_TIMESTAMP=1738061140
-    PROGRAM_RELEASE_TYPE="release" # pre-release or release
+    PROGRAM_RELEASE_TYPE="pre-release" # pre-release or release
-    PROGRAM_VERSION="3.0.7"
+    PROGRAM_VERSION="3.1.5"
 
     # Source, documentation and license
     PROGRAM_SOURCE="https://github.com/CISOfy/lynis"
     PROGRAM_PACKAGE="https://packages.cisofy.com/"
     PROGRAM_DOCUMENTATION="https://cisofy.com/docs/"
-    PROGRAM_COPYRIGHT="2007-2021, ${PROGRAM_AUTHOR} - ${PROGRAM_WEBSITE}"
+    PROGRAM_COPYRIGHT="2007-2024, ${PROGRAM_AUTHOR} - ${PROGRAM_WEBSITE}"
     PROGRAM_LICENSE="${PROGRAM_NAME} comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
   welcome to redistribute it under the terms of the GNU General Public License.
   See the LICENSE file for details about using this software."
@@ -217,10 +217,10 @@
 
     # Extract the short notation of the language (first two characters).
     if [ -x "$(command -v locale 2> /dev/null)" ]; then
-        LANGUAGE=$(locale | egrep "^LANG=" | cut -d= -f2 | cut -d_ -f1 | tr -d '"' | egrep "^[a-z]{2}$")
+        LANGUAGE=$(locale | grep -E "^LANG=" | cut -d= -f2 | cut -d_ -f1 | tr -d '"' | grep -E "^[a-z]{2}$")
         # Try locale command if shell variable had no value
         if [ -z "${DISPLAY_LANG}" ]; then
-            DISPLAY_LANG=$(locale | egrep "^LANG=" | cut -d= -f2)
+            DISPLAY_LANG=$(locale | grep -E "^LANG=" | cut -d= -f2)
         fi
     else
         LANGUAGE="en"
@@ -514,7 +514,7 @@ ${NORMAL}
     . ${INCLUDEDIR}/osdetection
     Display --indent 2 --text "- Detecting OS... " --result "${STATUS_DONE}" --color GREEN
 
-    # Check hostname
+    # Check hostname and get timestamp
     case ${OS} in
         HP-UX)
                     HOSTNAME=$(hostname) ;;
@@ -531,7 +531,6 @@ ${NORMAL}
     if [ "${OS}" = "Linux" -a "${HOSTNAME}" = "${FQDN}" ]; then
         FQDN=$(hostname -f 2> /dev/null)
     fi
-
 #
 #################################################################################
 #
@@ -789,16 +788,10 @@ ${NORMAL}
         fi
     fi
 
-    # Test for older releases, without testing via update mechanism
-    if [ "${OS}" = "Solaris" ]; then
-        NOW=$(nawk 'BEGIN{print srand()}')
-    else
-        NOW=$(date "+%s")
-    fi
-
     OLD_RELEASE=0
     TIME_DIFFERENCE_CHECK=10368000 # 4 months
     RELEASE_PLUS_TIMEDIFF=$((PROGRAM_RELEASE_TIMESTAMP + TIME_DIFFERENCE_CHECK))
+    NOW=$(date "+%s")
     if [ ${NOW} -gt ${RELEASE_PLUS_TIMEDIFF} ]; then
         # Show if release is old, only if we didn't show it with normal update check
         if [ ${UPDATE_AVAILABLE} -eq 0 ]; then
@@ -1025,7 +1018,7 @@ ${NORMAL}
         if [ "${TEST_GROUP_TO_CHECK}" = "all" ]; then
             LogText "Info: perform tests from all categories"
 
-            INCLUDE_TESTS="boot_services kernel memory_processes authentication shells \
+            INCLUDE_TESTS="boot_services kernel memory_processes authentication kerberos shells \
                            filesystems usb storage storage_nfs nameservices dns ports_packages networking printers_spoolers \
                            mail_messaging firewalls webservers ssh snmp databases ldap php squid logging \
                            insecure_services banners scheduling accounting time crypto virtualization containers \

plugins/plugin_systemd_phase1

@@ -47,13 +47,13 @@
     if [ -n "${SYSTEMCTLBINARY}" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
     Register --test-no PLGN-3802 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query systemd version and options" --progress
     if [ ${SKIPTEST} -eq 0 ]; then
-        FIND=$(${SYSTEMCTLBINARY} --version 2> /dev/null | ${AWKBINARY} '{ if ($1=="systemd") { print $2 } }' | grep "^[1-9][0-9][0-9]$" | head -1)
+        FIND=$(${SYSTEMCTLBINARY} --version 2> /dev/null | ${AWKBINARY} '{ if ($1=="systemd") { print $2 } }' | grep "^[1-9][0-9][0-9]$" | head -n 1)
         if [ -n "${FIND}" ]; then
             SYSTEMD_VERSION=${FIND}
             Report "systemd_version=${FIND}"
             LogText "Result: found systemd version ${FIND}"
         fi
-        FIND=$(${SYSTEMCTLBINARY} --version 2> /dev/null | grep "^[-+]" | sed 's/[[:space:]]/,/g' | head -1)
+        FIND=$(${SYSTEMCTLBINARY} --version 2> /dev/null | grep "^[-+]" | sed 's/[[:space:]]/,/g' | head -n 1)
         if [ -n "${FIND}" ]; then
             Report "systemd_builtin_components=${FIND}"
             LogText "Result: found builtin components list"
@@ -101,7 +101,7 @@
     if [ -f ${ROOTDIR}etc/machine-id -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
     Register --test-no PLGN-3808 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather systemd machine ID" --progress
     if [ ${SKIPTEST} -eq 0 ]; then
-        FIND=$(cat ${ROOTDIR}etc/machine-id | head -1)
+        FIND=$(cat ${ROOTDIR}etc/machine-id | head -n 1)
         if [ -n "${FIND}" ]; then
             SYSTEMD_MACHINEID="${FIND}"
             LogText "Result: found machine ID: ${SYSTEMD_MACHINEID}"
@@ -134,7 +134,7 @@
         FIND=$(${JOURNALCTLBINARY} --list-boots | wc -l)
         LogText "Output: number of boots listed in journal is ${FIND}"
         if [ -n "${FIND}" ]; then Report "journal_bootlogs=${FIND}"; fi
-        FIND=$(${JOURNALCTLBINARY} --list-boots | head -1 | awk '{ print $4 }')
+        FIND=$(${JOURNALCTLBINARY} --list-boots | head -n 1 | awk '{ print $4 }')
         LogText "Output: oldest boot date in journal is ${FIND}"
         if [ -n "${FIND}" ]; then Report "journal_oldest_bootdate=${FIND}"; fi
     fi
@@ -204,7 +204,7 @@
     if [ -n "${SYSTEMCTLBINARY}" -a ${SYSTEMD_RUNNING} -eq 1 -a ${SYSTEMD_VERSION} -ge 215 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
     Register --test-no PLGN-3830 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query systemd status" --progress
     if [ ${SKIPTEST} -eq 0 ]; then
-        FIND=$(${SYSTEMCTLBINARY} is-system-running 2> /dev/null | head -1)
+        FIND=$(${SYSTEMCTLBINARY} is-system-running 2> /dev/null | head -n 1)
         if [ -n "${FIND}" ]; then
             Report "systemd_status=${FIND}"
             LogText "Result: found systemd status = ${FIND}"