Merge branch 'master' into master

Michael Boelen 2025-02-10 15:09:35 +01:00 committed by GitHub
commit 5c5f540b43
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
95 changed files with 2303 additions and 1114 deletions

.editorconfig Normal file

@ -0,0 +1,7 @@
# See: https://editorconfig.org/
root = true
[*]
indent_style = space
indent_size = 4
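Review bot: the single `[*]` section applies `indent_style = space` and `indent_size = 4` to every file type in the tree; if the repository contains Makefiles or other tab-sensitive files, add a narrower glob or a dedicated section for them so editors do not convert their tabs. Consider also adding `insert_final_newline = true` and `end_of_line = lf`, since the other hunks in this commit show files that end without a trailing newline.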

.gitignore vendored

@ -1,4 +1,5 @@
.bzr
.bzrignore
.DS_Store
custom.prf
*.swp


@ -1,5 +1,160 @@
# Lynis Changelog
## Lynis 3.1.5 (not released yet)
### Added
- Support for OpenWrt
### Changed
- Corrected detection of service manager SMF
- Extended GetHostID function to allow HostID and HostID2 creation on OpenWrt
---------------------------------------------------------------------------------
## Lynis 3.1.4 (2025-01-28)
### Changed
- Update of translations: Portuguese
- Add macOS Sequoia
- Update of EOL database
- Bugfix for using slashes in parameters (SafeInput function)
- Simplified copyright line and meta data in files
- Support for powerpc64le in authentication section
- Don't show error "kadmin.local: unable to get default realm"
---------------------------------------------------------------------------------
## Lynis 3.1.3 (2024-12-16)
This release introduces additional documentation in the form of blog articles
to support the (missing) control information on the website.
### Added
- Detection of Buildroot, Fedora Linux Asahi Remix, Garden Linux, Peppermint OS
- Support for blog posts and articles to enhance suggestions
### Changed
- BOOT-5264 - Changed output of systemd-analyze test and added link
- FILE-6398 - Test temporarily disabled as on modern kernels JDB support is built-in
- FIRE-4508 - Several changes to expand the test, make it more generic, resolve minor issues
- KRNL-5622 - Test if systemctl binary is set
- Several improvements for busybox
- Update of translations: Italian, Russian, Spanish
---------------------------------------------------------------------------------
## Lynis 3.1.2 (2024-09-26)
### Added
- Detection of ALT Linux
- Detection of Athena OS
- Detection of Container-Optimized OS from Google
- Detection of Koozali SME Server
- Detection of Nobara Linux
- Detection of Open Source Media Center (OSMC)
- Detection of PostmarketOS
- CRYP-7932 - macOS FileVault encryption test
- FILE-6398 - Check if JBD (Journal Block Device) driver is loaded
- FINT-4344 - Wazuh system running state
- PKGS-7305 - Query macOS Apps in /Applications and CoreServices
- File added: .editorconfig, which is used by editors to standardize formatting
### Changed
- Correction of software EOL database and inclusion of AIX entries
- Support sysctl value perf_event_paranoid -> 2|3
- Update of translations: German, Portuguese, Turkish
- Grammar and spell improvements
- Improved package detection on Alpine Linux
- Slackware support to check installed packges (functionPackageIsInstalled())
- Added words prosecute/report to LEGAL_BANNER_STRINGS
- Busybox support: Replace newer tr command syntax with older ascii specific operations
- Added Wazuh as a malware scanner/antivirus and rootkit detection tool
- Updated PHP versions and removed PHP 5 (deprecated)
- AUTH-9262 - Corrected message with advised PAM libary (libpam-passwdqc)
- CONT-8104 - Checking for errors, not only warning in docker info output
- DBS-1826 - PostgreSQL detection improved for AlmaLinux, Rocky Linux, and FreeBSD
- FILE-6344 - Test kernel version (major/minor)
- INSE-8000 - Added inetd package and service name used in ubuntu 24.04
- KRNL-5622 - Use systemctl get-default instead of following link
- KRNL-5820 - Accept ulimit with -H parameter also
- LOGG-2144 - Check for wazuh-agent presence on Linux systems
- MACF-6234 - Test if semanage binary is available
- MALW-3200 - ESET Endpoint Antivirus added
- MALW-3280 - McAfee Antivirus for Linux deprecated
- MALW-3291 - Check if Microsoft Defender Antivirus is installe
- NETW-3200 - Added regex to allow both /bin/true as /bin/false
- PKGS-7303 - Added version numbers to brew packages
- PKGS-7370 - Cron job check for debsums improved
- PKGS-7392 - Improved filtering of apt-check output (Ubuntu 24.04 may give an error)
- PKGS-7410 - Added kernel name for Hardkernel odroid XU4
---------------------------------------------------------------------------------
## Lynis 3.1.1 (2024-03-17)
### Added
- Detection of ArcoLinux
### Changed
- DBS-1882 - Redis configuration file path added for FreeBSD (/usr/local/etc/redis.conf)
- DBS-1882 - Check /snap directory location for Redis configuration file
---------------------------------------------------------------------------------
## Lynis 3.1.0 (2024-03-11)
### Added
- Translation: Indonesian
### Changed
- MALW-3280 - Correction to detect com.avast.daemon
- OS detection added for Guix System, macOS Ventura (13.x)/Sonoma (14.x), NXP LSDK, OpenEmbedded "nodistro", and The Yocto Projects distro "Poky"
- Updated Amazon Linux EOL dates and addition of Amazon Linux 2023
- STATUS_NOT_ACTIVE variable added to translation files
- End-of-life dates updated
- Fixing missing or erroneous test number comments
- Detection of SentinelOne corrected
- Wazuh for file integrity and tooling
- Updated parsing output of arch-audit
- Added support for SentinelOne detection
- Replacing deprecated option -i for xargs
- Path detection for PostgreSQL improved
---------------------------------------------------------------------------------
## Lynis 3.0.9 (2023-08-03)
### Changed
- DBS-1820 - Added newer style format for Mongo authorization setting
- FILE-6410 - Locations added for plocate
- SSH-7408 - Only test Compression if sshd version < 7.4
- Improved fetching timestamp
- Minor changes such as typos
---------------------------------------------------------------------------------
## Lynis 3.0.8 (2022-05-17)
### Added
- MALW-3274 - Detect McAfee VirusScan Command Line Scanner
- PKGS-7346 Check Alpine Package Keeper (apk)
- PKGS-7395 Check Alpine upgradeable packages
- EOL for Alpine Linux 3.14 and 3.15
### Changed
- AUTH-9408 - Check for pam_faillock as well (replacement for pam_tally2)
- FILE-7524 - Test enhanced to support symlinks
- HTTP-6643 - Support ModSecurity version 2 and 3
- KRNL-5788 - Only run relevant tests and improved logging
- KRNL-5820 - Additional path for security/limits.conf
- KRNL-5830 - Check for /var/run/needs_restarting (Slackware)
- KRNL-5830 - Add a presence check for /boot/vmlinuz
- PRNT-2308 - Bugfix that prevented test from storing values correctly
- Extended location of PAM files for AARCH64
- Some messages in log improved
---------------------------------------------------------------------------------
## Lynis 3.0.7 (2022-01-18)
### Added
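Review bot: several typos in the new changelog entries should be fixed before merge: "packges" in the Slackware line of 3.1.2, "libary" in the AUTH-9262 line, "installe" in the MALW-3291 line, and "allow both /bin/true as /bin/false" in NETW-3200, which reads better as "both /bin/true and /bin/false". In the 3.0.8 Added list, "PKGS-7346 Check Alpine Package Keeper (apk)" and "PKGS-7395 Check Alpine upgradeable packages" lack the " - " separator that every other test-ID entry uses. The 3.1.4 entry "Add macOS Sequoia" sits under Changed rather than Added, unlike the OS-detection entries in the other releases.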


@ -36,7 +36,7 @@ These people made a significant impact to the development of Lynis:
* Alexander Lobodzinski, Germany
* Bodine Wilson
* Brian Ginsbach
* C.J. Adams-Collier, US
* C.J. Collier, US
* Charlie Heselton, US
* Dave Vehrs
* David Marzal Cánovas, Spain

FAQ

@ -97,6 +97,4 @@
A: Whitelist the interface in the profile file (if_promisc).
================================================================================
Lynis - Copyright 2007-2021, Michael Boelen, CISOfy - https://cisofy.com


@ -46,6 +46,4 @@
often asked questions.
================================================================================
Lynis - Copyright 2007-2021, Michael Boelen, CISOfy - https://cisofy.com

README

@ -142,4 +142,3 @@
================================================================================
Lynis - Copyright 2007-2016, Michael Boelen and CISOfy - https://cisofy.com


@ -48,7 +48,7 @@ There are multiple options available to install Lynis.
### Software Package
For sytems running Linux, BSD, and macOS, there is typically a package available. This is the preferred method of obtaining Lynis, as it is quick to install and easy to update. The Lynis project itself also provides [packages](https://packages.cisofy.com/) in RPM or DEB format suitable for systems systems running:
For systems running Linux, BSD, and macOS, there is typically a package available. This is the preferred method of obtaining Lynis, as it is quick to install and easy to update. The Lynis project itself also provides [packages](https://packages.cisofy.com/) in RPM or DEB format suitable for systems systems running:
`CentOS`, `Debian`, `Fedora`, `OEL`, `openSUSE`, `RHEL`, `Ubuntu`, and others.
Some distributions may also have Lynis in their software repository: [![Repology](https://repology.org/badge/tiny-repos/lynis.svg)](https://repology.org/project/lynis/versions)
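Review bot: the replacement line fixes "sytems" but keeps the duplicated word in "suitable for systems systems running:"; drop one "systems" in the same edit so the sentence does not need a second pass.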
@ -100,7 +100,7 @@ Lynis is collecting some awards along the way and we are proud of that.
* 2015
* [![ToolsWatch Best Tools (second place)](https://www.toolswatch.org/badges/toptools/2015.svg)](https://www.toolswatch.org/2016/02/2015-top-security-tools-as-voted-by-toolswatch-org-readers/)
* [Best of Open Source Software Awards 2015](http://www.idgenterprise.com/news/press-release/infoworld-announces-the-2015-best-of-open-source-software-awards/).
* [Best of Open Source Software Awards 2015](http://www.idgenterprise.com/news/press-release/infoworld-announces-the-2015-best-of-open-source-software-awards/) ([mirror](https://web.archive.org/web/20210313082124/https://www.idg.com/news/infoworld-announces-the-2015-best-of-open-source-software-awards/)).
* 2014
* [![ToolsWatch Best Tools (third place)](https://www.toolswatch.org/badges/toptools/2014.svg)](https://www.toolswatch.org/2015/01/2014-top-security-tools-as-voted-by-toolswatch-org-readers/)

db/control-links.db Normal file

@ -0,0 +1,46 @@
# Links for controls pointing to informational pages. Note: only links managed by the project are allowed (cisofy.com / linux-audit.com)
# Format:
# Control;Text;Link;
ACCT-9628;blog;Linux audit framework 101: basic rules for configuration;https://linux-audit.com/linux-audit-framework/linux-audit-framework-101-basic-rules-for-configuration/
ACCT-9628;blog;Monitoring Linux file access, changes and data modifications;https://linux-audit.com/monitoring-linux-file-access-changes-and-modifications/
AUTH-9228;blog;File integrity of password files;https://linux-audit.com/authentication/file-integrity-of-password-files/
AUTH-9229;blog;Linux password security: hashing rounds;https://linux-audit.com/authentication/configure-the-minimum-password-length-on-linux-systems/
AUTH-9230;blog;Linux password security: hashing rounds;https://linux-audit.com/authentication/configure-the-minimum-password-length-on-linux-systems/
AUTH-9262;blog;Configure minimum password length for Linux systems;https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
AUTH-9286;blog;Configure minimum password length for Linux systems;https://linux-audit.com/configure-the-minimum-password-length-on-linux-systems/
AUTH-9328;blog;Set default file permissions on Linux with umask;https://linux-audit.com/filesystems/file-permissions/set-default-file-permissions-with-umask/
BANN-7126;blog;The real purpose of login banners;https://linux-audit.com/the-real-purpose-of-login-banners-on-linux/
BANN-7130;blog;The real purpose of login banners;https://linux-audit.com/the-real-purpose-of-login-banners-on-linux/
BOOT-5264;blog;Systemd features to secure service files;https://linux-audit.com/systemd/systemd-features-to-secure-units-and-services/
FINT-4350;blog;Monitoring Linux file access, changes and data modifications;https://linux-audit.com/monitoring-linux-file-access-changes-and-modifications/
FINT-4350;blog;Monitor for file changes on Linux;https://linux-audit.com/monitor-for-file-system-changes-on-linux/
HRDN-7220;blog;Why remove compilers from your system?;https://linux-audit.com/software/why-remove-compilers-from-your-system/
HRDN-7222;blog;Why remove compilers from your system?;https://linux-audit.com/software/why-remove-compilers-from-your-system/
HRDN-7230;blog;Antivirus for Linux: is it really needed?;https://linux-audit.com/malware/antivirus-for-linux-really-needed/
HRDN-7230;blog;Monitoring Linux Systems for Rootkits;https://linux-audit.com/monitoring-linux-systems-for-rootkits/
HTTP-6704;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/
HTTP-6706;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/
HTTP-6708;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/
HTTP-6710;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/
HTTP-6712;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/
HTTP-6714;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/
HTTP-6716;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/
HTTP-6720;blog;Nginx security hardening guide;https://linux-audit.com/web/nginx-security-configuration-hardening-guide/
INSE-8116;blog;Find and Disable Insecure Services on Linux;https://linux-audit.com/find-disable-insecure-services-linux/
KRNL-5820;blog;Understand and configure core dumps on Linux;https://linux-audit.com/software/understand-and-configure-core-dumps-work-on-linux/
KRNL-6000;blog;Linux hardening with sysctl settings;https://linux-audit.com/linux-hardening-with-sysctl/
KRNL-6000;blog;Overview of sysctl options and values;https://linux-audit.com/kernel/sysctl/
MACF-6208;blog;AppArmor;https://linux-audit.com/security-frameworks/apparmor/
MAIL-8816;blog;Postfix Hardening Guide for Security and Privacy;https://linux-audit.com/postfix-hardening-guide-for-security-and-privacy/
MAIL-8817;blog;Postfix Hardening Guide for Security and Privacy;https://linux-audit.com/postfix-hardening-guide-for-security-and-privacy/
MAIL-8818;blog;Postfix Hardening Guide for Security and Privacy;https://linux-audit.com/postfix-hardening-guide-for-security-and-privacy/
MAIL-8820;blog;Postfix Hardening Guide for Security and Privacy;https://linux-audit.com/postfix-hardening-guide-for-security-and-privacy/
NAME-4402;blog;Keeping your /etc/hosts file healthy;https://linux-audit.com/is-your-etc-hosts-file-healthy/
NAME-4404;blog;Keeping your /etc/hosts file healthy;https://linux-audit.com/is-your-etc-hosts-file-healthy/
NETW-2600;blog;Linux Security Guide for Hardening IPv6;https://linux-audit.com/networking/linux-security-guide-for-hardening-ipv6/
SSH-7402;blog;OpenSSH security and hardening;https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
SSH-7404;blog;OpenSSH security and hardening;https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
SSH-7406;blog;OpenSSH security and hardening;https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
SSH-7408;blog;OpenSSH security and hardening;https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
SSH-7440;blog;OpenSSH security and hardening;https://linux-audit.com/ssh/audit-and-harden-your-ssh-configuration/
# EOF
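Review bot: the format comment ("# Control;Text;Link;") does not match the records, which carry four fields (Control;blog;Text;Link); either document the second field (the link type) or remove it, so that whatever parses this file reads the right columns. The AUTH-9229 and AUTH-9230 rows are titled "Linux password security: hashing rounds" but link to the minimum-password-length article (the same target as AUTH-9262 and AUTH-9286, under a different path), so either the title or the URL is wrong. FINT-4350, HRDN-7230 and KRNL-6000 each appear twice; if several links per control are intended, the format comment should say so, because a naive "first match wins" lookup would silently drop the second entry.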


@ -82,6 +82,7 @@ STATUS_FOUND="Tapıldı"
#STATUS_MEDIUM="MEDIUM"
#STATUS_NON_DEFAULT="NON DEFAULT"
STATUS_NONE="Yox"
STATUS_NOT_ACTIVE="NOT ACTIVE"
#STATUS_NOT_CONFIGURED="NOT CONFIGURED"
#STATUS_NOT_DISABLED="NOT DISABLED"
#STATUS_NOT_ENABLED="NOT ENABLED"
@ -105,3 +106,4 @@ STATUS_WARNING="Xəbərdarlıq"
STATUS_YES="Bəli"
TEXT_UPDATE_AVAILABLE="yeniləmə mövcud"
TEXT_YOU_CAN_HELP_LOGFILE="qeydləri gönderib kömek eyleyin"
#SECTION_KERBEROS="Kerberos"
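Review bot: STATUS_NOT_ACTIVE is added uncommented with the English value "NOT ACTIVE", while this file's convention for untranslated keys is to keep them commented out (see #STATUS_NOT_CONFIGURED next to it and the #SECTION_KERBEROS line added at the end of the same file); either supply the Azerbaijani translation or comment the line out like its neighbours. The same pattern recurs in most of the other translation-file hunks in this commit that add STATUS_NOT_ACTIVE="NOT ACTIVE"; the Spanish ("SIN ACTIVAR") and Italian ("NON ATTIVO") files, which translate it, are the model to follow.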


@ -83,6 +83,7 @@ STATUS_FOUND="找到"
#STATUS_MEDIUM="MEDIUM"
#STATUS_NON_DEFAULT="NON DEFAULT"
STATUS_NONE="没有"
STATUS_NOT_ACTIVE="NOT ACTIVE"
#STATUS_NOT_CONFIGURED="NOT CONFIGURED"
#STATUS_NOT_DISABLED="NOT DISABLED"
#STATUS_NOT_ENABLED="NOT ENABLED"
@ -106,3 +107,4 @@ STATUS_WARNING="警告"
STATUS_YES="是"
TEXT_UPDATE_AVAILABLE="有可以更新的版本"
TEXT_YOU_CAN_HELP_LOGFILE="你可以通过记录日志来帮忙"
#SECTION_KERBEROS="Kerberos"


@ -83,6 +83,7 @@ STATUS_FOUND="FUNDET"
#STATUS_NON_DEFAULT="NON DEFAULT"
STATUS_NONE="INGEN"
STATUS_NO="NEJ"
STATUS_NOT_ACTIVE="NOT ACTIVE"
#STATUS_NOT_CONFIGURED="NOT CONFIGURED"
#STATUS_NOT_DISABLED="NOT DISABLED"
STATUS_NOT_ENABLED="IKKE AKTIVERET"
@ -105,3 +106,4 @@ STATUS_WEAK="SVAG"
STATUS_YES="JA"
TEXT_UPDATE_AVAILABLE="opdatering tilgængelig"
TEXT_YOU_CAN_HELP_LOGFILE="Du kan hjælpe ved at bidrage med din logfil"
#SECTION_KERBEROS="Kerberos"


@ -84,6 +84,7 @@ STATUS_NO="NEIN"
STATUS_NO_UPDATE="KEINE AKTUALISIERUNG"
STATUS_NON_DEFAULT="NICHT STANDARD"
STATUS_NONE="NICHTS"
STATUS_NOT_ACTIVE="NOT ACTIVE"
STATUS_NOT_CONFIGURED="NICHT KONFIGURIERT"
STATUS_NOT_DISABLED="NICHT DEAKTIVIERT"
STATUS_NOT_ENABLED="NICHT AKTIVIERT"
@ -105,3 +106,4 @@ STATUS_WEAK="SCHWACH"
STATUS_YES="JA"
TEXT_UPDATE_AVAILABLE="Aktualisierung verfügbar"
TEXT_YOU_CAN_HELP_LOGFILE="Sie können durch Übermittlung Ihrer Logdatei helfen"
SECTION_KERBEROS="Kerberos"
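Review bot: SECTION_KERBEROS="Kerberos" is appended after TEXT_YOU_CAN_HELP_LOGFILE, outside the file's alphabetical SECTION_ block, and STATUS_NOT_ACTIVE keeps the English "NOT ACTIVE" in an otherwise fully translated file (compare "NICHT KONFIGURIERT" on the next line); "NICHT AKTIV" would match the neighbouring entries.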


@ -63,6 +63,7 @@ SECTION_USB_DEVICES="USB Devices"
SECTION_USERS_GROUPS_AND_AUTHENTICATION="Users, Groups and Authentication"
SECTION_VIRTUALIZATION="Virtualization"
SECTION_WEBSERVER="Software: webserver"
SECTION_KERBEROS="Kerberos"
STATUS_ACTIVE="ACTIVE"
STATUS_CHECK_NEEDED="CHECK NEEDED"
STATUS_DEBUG="DEBUG"
@ -84,6 +85,7 @@ STATUS_NO="NO"
STATUS_NO_UPDATE="NO UPDATE"
STATUS_NON_DEFAULT="NON DEFAULT"
STATUS_NONE="NONE"
STATUS_NOT_ACTIVE="NOT ACTIVE"
STATUS_NOT_CONFIGURED="NOT CONFIGURED"
STATUS_NOT_DISABLED="NOT DISABLED"
STATUS_NOT_ENABLED="NOT ENABLED"
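Review bot: SECTION_KERBEROS="Kerberos" is inserted after SECTION_WEBSERVER, which breaks the alphabetical ordering the file otherwise keeps (it belongs between SECTION_INSECURE_SERVICES and SECTION_KERNEL); the other language files in this commit append it at the very end, after the TEXT_ keys, so the new key lands in a different position in every file and diffs between translations become harder to compare.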


@ -74,7 +74,7 @@ STATUS_DONE="HECHO"
STATUS_ENABLED="HABILITADO"
STATUS_ERROR="ERROR"
STATUS_EXPOSED="EXPUESTO"
STATUS_FAILED="FALLADO"
STATUS_FAILED="HA FALLADO"
STATUS_FILES_FOUND="ARCHIVOS ENCONTRADOS"
STATUS_FOUND="ENCONTRADO"
STATUS_HARDENED="BASTIONADO"
@ -85,6 +85,7 @@ STATUS_NO_UPDATE="SIN ACTUALIZACIÓN"
STATUS_NO="NO"
STATUS_NON_DEFAULT="NO POR DEFECTO"
STATUS_NONE="NINGUNO"
STATUS_NOT_ACTIVE="SIN ACTIVAR"
STATUS_NOT_CONFIGURED="NO CONFIGURADO"
STATUS_NOT_DISABLED="NO DESHABILITADO"
STATUS_NOT_ENABLED="NO HABILITADO"
@ -106,3 +107,4 @@ STATUS_WEAK="DÉBIL"
STATUS_YES="SÍ"
TEXT_UPDATE_AVAILABLE="Actualización disponible"
TEXT_YOU_CAN_HELP_LOGFILE="Puedes ayudar compartiendo tu archivo de registro"
#SECTION_KERBEROS="Kerberos"


@ -83,6 +83,7 @@ STATUS_FOUND="LÖYTYNYT"
STATUS_NO="EI"
#STATUS_NON_DEFAULT="NON DEFAULT"
STATUS_NONE="EI MITÄÄN"
STATUS_NOT_ACTIVE="NOT ACTIVE"
#STATUS_NOT_CONFIGURED="NOT CONFIGURED"
#STATUS_NOT_DISABLED="NOT DISABLED"
#STATUS_NOT_ENABLED="NOT ENABLED"
@ -105,3 +106,4 @@ STATUS_WARNING="VAROITUS"
STATUS_YES="KYLLÄ"
TEXT_UPDATE_AVAILABLE="päivitys saatavilla"
TEXT_YOU_CAN_HELP_LOGFILE="Voit auttaa toimittamalla lokitiedoston"
#SECTION_KERBEROS="Kerberos"


@ -84,6 +84,7 @@ STATUS_NO="NON"
STATUS_NO_UPDATE="PAS DE MISE A JOUR"
STATUS_NON_DEFAULT="PAS PAR DÉFAUT"
STATUS_NONE="AUCUN"
STATUS_NOT_ACTIVE="NOT ACTIVE"
STATUS_NOT_CONFIGURED="NON CONFIGURÉ"
STATUS_NOT_DISABLED="NON DESACTIVÉ"
STATUS_NOT_ENABLED="NON ACTIVÉ"
@ -105,3 +106,4 @@ STATUS_WEAK="FAIBLE"
STATUS_YES="OUI"
TEXT_UPDATE_AVAILABLE="Mise à jour disponible"
TEXT_YOU_CAN_HELP_LOGFILE="Vous pouvez aider en envoyant votre fichier journal"
SECTION_KERBEROS="Kerberos"
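Review bot: STATUS_NOT_ACTIVE="NOT ACTIVE" is left in English in a file where the surrounding keys are translated ("NON CONFIGURÉ", "NON ACTIVÉ"); "NON ACTIF" would be consistent with them. SECTION_KERBEROS is also appended after the TEXT_ keys rather than in the SECTION_ block.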


@ -82,6 +82,7 @@ STATUS_FOUND="ΒΡΕΘΗΚΕ"
#STATUS_MEDIUM="MEDIUM"
#STATUS_NON_DEFAULT="NON DEFAULT"
STATUS_NONE="ΚΑΝΕΝΑ"
STATUS_NOT_ACTIVE="NOT ACTIVE"
#STATUS_NOT_CONFIGURED="NOT CONFIGURED"
#STATUS_NOT_DISABLED="NOT DISABLED"
#STATUS_NOT_ENABLED="NOT ENABLED"
@ -105,3 +106,4 @@ STATUS_WARNING="ΠΡΟΣΟΧΗ"
STATUS_YES="ΝΑΙ"
TEXT_UPDATE_AVAILABLE="διαθέσιμη ενημέρωση"
TEXT_YOU_CAN_HELP_LOGFILE="Μπορείτε να βοηθήσετε παρέχοντας το αρχείο καταγραφής"
#SECTION_KERBEROS="Kerberos"


@ -82,6 +82,7 @@ STATUS_FOUND="נמצא"
#STATUS_MEDIUM="MEDIUM"
#STATUS_NON_DEFAULT="NON DEFAULT"
STATUS_NONE="אין כלל"
STATUS_NOT_ACTIVE="NOT ACTIVE"
#STATUS_NOT_CONFIGURED="NOT CONFIGURED"
#STATUS_NOT_DISABLED="NOT DISABLED"
#STATUS_NOT_ENABLED="NOT ENABLED"
@ -105,3 +106,4 @@ STATUS_WARNING="אזהרה"
STATUS_YES="כן"
TEXT_UPDATE_AVAILABLE="עדכון זמין"
TEXT_YOU_CAN_HELP_LOGFILE="ניתן לעזור על ידי שליחת קובץ הלוג"
#SECTION_KERBEROS="Kerberos"


@ -83,6 +83,7 @@ STATUS_FOUND="FOUND"
#STATUS_NON_DEFAULT="NON DEFAULT"
STATUS_NO="NEM"
STATUS_NONE="NONE"
STATUS_NOT_ACTIVE="NOT ACTIVE"
#STATUS_NOT_CONFIGURED="NOT CONFIGURED"
#STATUS_NOT_DISABLED="NOT DISABLED"
#STATUS_NOT_ENABLED="NOT ENABLED"
@ -105,3 +106,4 @@ STATUS_WARNING="FIGYELMEZTETÉS"
STATUS_YES="IGEN"
TEXT_UPDATE_AVAILABLE="frissítés elérhető"
TEXT_YOU_CAN_HELP_LOGFILE="You can help by providing your log file"
#SECTION_KERBEROS="Kerberos"

db/languages/id Normal file

@ -0,0 +1,109 @@
ERROR_NO_LICENSE="Tidak ada kunci lisensi yang dikonfigurasi"
ERROR_NO_UPLOAD_SERVER="Tidak ada server unggahan yang dikonfigurasi"
GEN_CHECKING="Memeriksa"
GEN_CURRENT_VERSION="Versi sekarang"
GEN_DEBUG_MODE="Debug mode"
GEN_INITIALIZE_PROGRAM="Inisialisasi program"
GEN_LATEST_VERSION="Versi terbaru"
GEN_PHASE="fase"
GEN_PLUGINS_ENABLED="Plugin diaktifkan"
GEN_UPDATE_AVAILABLE="update tersedia"
GEN_VERBOSE_MODE="Verbose mode"
GEN_WHAT_TO_DO="Apa yang harus dilakukan"
NOTE_EXCEPTIONS_FOUND="Pengecualian ditemukan"
NOTE_EXCEPTIONS_FOUND_DETAILED="Beberapa peristiwa atau informasi luar biasa ditemukan"
NOTE_PLUGINS_TAKE_TIME="Note: plugin memiliki pengujian yang lebih ekstensif dan mungkin memerlukan waktu beberapa menit untuk menyelesaikannya"
NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Tes yang dilewati karena mode non-istimewa"
#SECTION_ACCOUNTING="Accounting"
#SECTION_BANNERS_AND_IDENTIFICATION="Banners and identification"
#SECTION_BASICS="Basics"
#SECTION_BOOT_AND_SERVICES="Boot and services"
#SECTION_CONTAINERS="Containers"
#SECTION_CRYPTOGRAPHY="Cryptography"
SECTION_CUSTOM_TESTS="Tes kustom"
#SECTION_DATABASES="Databases"
#SECTION_DATA_UPLOAD="Data upload"
#SECTION_DOWNLOADS="Downloads"
#SECTION_EMAIL_AND_MESSAGING="Software: e-mail and messaging"
#SECTION_FILE_INTEGRITY="Software: file integrity"
#SECTION_FILE_PERMISSIONS="File Permissions"
#SECTION_FILE_SYSTEMS="File systems"
#SECTION_FIREWALLS="Software: firewalls"
#SECTION_GENERAL="General"
#SECTION_HARDENING="Hardening"
#SECTION_HOME_DIRECTORIES="Home directories"
#SECTION_IMAGE="Image"
#SECTION_INITIALIZING_PROGRAM="Initializing program"
#SECTION_INSECURE_SERVICES="Insecure services"
#SECTION_KERNEL_HARDENING="Kernel Hardening"
#SECTION_KERNEL="Kernel"
#SECTION_LDAP_SERVICES="LDAP Services"
#SECTION_LOGGING_AND_FILES="Logging and files"
SECTION_MALWARE="Software: Malware"
SECTION_MEMORY_AND_PROCESSES="Memory and Processes"
SECTION_NAME_SERVICES="Name services"
SECTION_NETWORKING="Networking"
SECTION_PERMISSIONS="Permissions"
SECTION_PORTS_AND_PACKAGES="Ports and packages"
SECTION_PRINTERS_AND_SPOOLS="Printers and Spools"
SECTION_PROGRAM_DETAILS="Program Details"
SECTION_SCHEDULED_TASKS="Scheduled tasks"
SECTION_SECURITY_FRAMEWORKS="Security frameworks"
SECTION_SHELLS="Shells"
SECTION_SNMP_SUPPORT="SNMP Support"
SECTION_SOFTWARE="Software"
SECTION_SQUID_SUPPORT="Squid Support"
SECTION_SSH_SUPPORT="SSH Support"
SECTION_STORAGE="Storage"
SECTION_SYSTEM_INTEGRITY="Software: System integrity"
SECTION_SYSTEM_TOOLING="Software: System tooling"
SECTION_SYSTEM_TOOLS="System tools"
SECTION_TIME_AND_SYNCHRONIZATION="Time and Synchronization"
SECTION_USB_DEVICES="USB Devices"
SECTION_USERS_GROUPS_AND_AUTHENTICATION="Users, Groups and Authentication"
SECTION_VIRTUALIZATION="Virtualization"
SECTION_WEBSERVER="Software: webserver"
STATUS_ACTIVE="ACTIVE"
STATUS_CHECK_NEEDED="CHECK NEEDED"
STATUS_DEBUG="DEBUG"
STATUS_DEFAULT="DEFAULT"
STATUS_DIFFERENT="DIFFERENT"
STATUS_DISABLED="DISABLED"
STATUS_DONE="DONE"
STATUS_ENABLED="ENABLED"
STATUS_ERROR="ERROR"
STATUS_EXPOSED="EXPOSED"
STATUS_FAILED="FAILED"
STATUS_FILES_FOUND="FILES FOUND"
STATUS_FOUND="FOUND"
STATUS_HARDENED="HARDENED"
STATUS_INSTALLED="INSTALLED"
STATUS_LOCAL_ONLY="LOCAL ONLY"
STATUS_MEDIUM="MEDIUM"
STATUS_NO="NO"
STATUS_NO_UPDATE="NO UPDATE"
STATUS_NON_DEFAULT="NON DEFAULT"
STATUS_NONE="NONE"
STATUS_NOT_CONFIGURED="NOT CONFIGURED"
STATUS_NOT_DISABLED="NOT DISABLED"
STATUS_NOT_ENABLED="NOT ENABLED"
STATUS_NOT_FOUND="NOT FOUND"
STATUS_NOT_RUNNING="NOT RUNNING"
STATUS_OFF="OFF"
STATUS_OK="OK"
STATUS_ON="ON"
STATUS_PARTIALLY_HARDENED="PARTIALLY HARDENED"
STATUS_PROTECTED="PROTECTED"
STATUS_RUNNING="RUNNING"
STATUS_SKIPPED="SKIPPED"
STATUS_SUGGESTION="SUGGESTION"
STATUS_UNKNOWN="UNKNOWN"
STATUS_UNSAFE="UNSAFE"
STATUS_UPDATE_AVAILABLE="UPDATE TERSEDIA"
STATUS_WARNING="WARNING"
STATUS_WEAK="WEAK"
STATUS_YES="YES"
TEXT_UPDATE_AVAILABLE="update tersedia"
TEXT_YOU_CAN_HELP_LOGFILE="Anda dapat membantu dengan memberikan file log Anda"
#SECTION_KERBEROS="Kerberos"
#STATUS_NOT_ACTIVE="NOT ACTIVE"
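Review bot: the new file mixes two conventions: untranslated SECTION_* keys up to SECTION_LOGGING_AND_FILES are commented out, but the keys from SECTION_MALWARE onward and the whole STATUS_* block (STATUS_ACTIVE="ACTIVE" through STATUS_YES="YES", with STATUS_UPDATE_AVAILABLE the only translated one) are left uncommented with English values, so it is not clear which strings were actually reviewed. GEN_DEBUG_MODE and GEN_VERBOSE_MODE are also still English. The two commented keys appended after TEXT_YOU_CAN_HELP_LOGFILE (#SECTION_KERBEROS, #STATUS_NOT_ACTIVE) sit outside the alphabetical order used for the rest of the file.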


@ -14,94 +14,96 @@ NOTE_EXCEPTIONS_FOUND_DETAILED="Sono stati rilevati alcuni eventi o informazioni
NOTE_EXCEPTIONS_FOUND="Trovate Eccezioni"
NOTE_PLUGINS_TAKE_TIME="Nota: i plugin sono sottoposti a test più estesi e possono richiedere alcuni minuti per il completamento"
NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Test saltati a causa della modalità di esecuzione non privilegiata"
#SECTION_ACCOUNTING="Accounting"
#SECTION_BANNERS_AND_IDENTIFICATION="Banners and identification"
#SECTION_BASICS="Basics"
#SECTION_BOOT_AND_SERVICES="Boot and services"
#SECTION_CONTAINERS="Containers"
#SECTION_CRYPTOGRAPHY="Cryptography"
SECTION_ACCOUNTING="Accounting"
SECTION_BANNERS_AND_IDENTIFICATION="Banners e identificazione"
SECTION_BASICS="Basi"
SECTION_BOOT_AND_SERVICES="Avvio e servizi"
SECTION_CONTAINERS="Container"
SECTION_CRYPTOGRAPHY="Crittografia"
SECTION_CUSTOM_TESTS="Test su misura (Custom)"
#SECTION_DATABASES="Databases"
#SECTION_DATA_UPLOAD="Data upload"
SECTION_DATABASES="Database"
SECTION_DATA_UPLOAD="Caricamenti dati"
SECTION_DOWNLOADS="Scaricamenti"
#SECTION_EMAIL_AND_MESSAGING="Software: e-mail and messaging"
#SECTION_FILE_INTEGRITY="Software: file integrity"
#SECTION_FILE_PERMISSIONS="File Permissions"
#SECTION_FILE_SYSTEMS="File systems"
#SECTION_FIREWALLS="Software: firewalls"
SECTION_EMAIL_AND_MESSAGING="Software: e-mail e messaggistica"
SECTION_FILE_INTEGRITY="Software: integrità file"
SECTION_FILE_PERMISSIONS="Permessi file"
SECTION_FILE_SYSTEMS="File system"
SECTION_FIREWALLS="Software: firewall"
SECTION_GENERAL="Generale"
#SECTION_HARDENING="Hardening"
#SECTION_HOME_DIRECTORIES="Home directories"
#SECTION_IMAGE="Image"
SECTION_HARDENING="Hardening"
SECTION_HOME_DIRECTORIES="Cartelle home"
SECTION_IMAGE="Immagine"
SECTION_INITIALIZING_PROGRAM="Inizializzando il programma"
SECTION_INSECURE_SERVICES="Service insicuri"
#SECTION_KERNEL_HARDENING="Kernel Hardening"
#SECTION_KERNEL="Kernel"
#SECTION_LDAP_SERVICES="LDAP Services"
#SECTION_LOGGING_AND_FILES="Logging and files"
SECTION_KERNEL_HARDENING="Hardening del kernel"
SECTION_KERNEL="Kernel"
SECTION_LDAP_SERVICES="Servizi LDAP"
SECTION_LOGGING_AND_FILES="Logging e file"
SECTION_MALWARE="Malware"
SECTION_MEMORY_AND_PROCESSES="Memoria e Processi"
#SECTION_NAME_SERVICES="Name services"
#SECTION_NETWORKING="Networking"
#SECTION_PERMISSIONS="Permissions"
#SECTION_PORTS_AND_PACKAGES="Ports and packages"
#SECTION_PRINTERS_AND_SPOOLS="Printers and Spools"
#SECTION_PROGRAM_DETAILS="Program Details"
#SECTION_SCHEDULED_TASKS="Scheduled tasks"
#SECTION_SECURITY_FRAMEWORKS="Security frameworks"
#SECTION_SHELLS="Shells"
#SECTION_SNMP_SUPPORT="SNMP Support"
#SECTION_SOFTWARE="Software"
#SECTION_SQUID_SUPPORT="Squid Support"
#SECTION_SSH_SUPPORT="SSH Support"
SECTION_NAME_SERVICES="Name services"
SECTION_NETWORKING="Rete"
SECTION_PERMISSIONS="Permessi"
SECTION_PORTS_AND_PACKAGES="Ports e pacchetti"
SECTION_PRINTERS_AND_SPOOLS="Stampanti e code di stampa"
SECTION_PROGRAM_DETAILS="Dettagli programma"
SECTION_SCHEDULED_TASKS="Azioni programmate"
SECTION_SECURITY_FRAMEWORKS="Framework di sicurezza"
SECTION_SHELLS="Shells"
SECTION_SNMP_SUPPORT="Supporto per SNMP"
SECTION_SOFTWARE="Software"
SECTION_SQUID_SUPPORT="Supporto per Squid"
SECTION_SSH_SUPPORT="Supporto per SSH"
SECTION_STORAGE="Spazio di archiviazione"
#SECTION_SYSTEM_INTEGRITY="Software: System integrity"
SECTION_SYSTEM_INTEGRITY="Software: integrità del sistema"
#SECTION_SYSTEM_TOOLING="Software: System tooling"
#SECTION_SYSTEM_TOOLS="System tools"
SECTION_SYSTEM_TOOLS="Strumenti di sistema"
SECTION_TIME_AND_SYNCHRONIZATION="Tempo and Sincronizzazione"
#SECTION_USB_DEVICES="USB Devices"
#SECTION_USERS_GROUPS_AND_AUTHENTICATION="Users, Groups and Authentication"
#SECTION_VIRTUALIZATION="Virtualization"
#SECTION_WEBSERVER="Software: webserver"
#STATUS_ACTIVE="ACTIVE"
#STATUS_CHECK_NEEDED="CHECK NEEDED"
#STATUS_DEBUG="DEBUG"
#STATUS_DEFAULT="DEFAULT"
#STATUS_DIFFERENT="DIFFERENT"
SECTION_USB_DEVICES="Periferiche USB"
SECTION_USERS_GROUPS_AND_AUTHENTICATION="Utenti, Gruppi e Authenticazione"
SECTION_VIRTUALIZATION="Virtualizzazione"
SECTION_WEBSERVER="Software: webserver"
STATUS_ACTIVE="ATTIVO"
STATUS_CHECK_NEEDED="CONTROLLO RICHIESTO"
STATUS_DEBUG="DEBUG"
STATUS_DEFAULT="DEFAULT"
STATUS_DIFFERENT="DIFFERENTE"
STATUS_DISABLED="DISABILITATO"
STATUS_DONE="FATTO"
STATUS_ENABLED="ABILITATO"
STATUS_ERROR="ERRORE"
#STATUS_EXPOSED="EXPOSED"
STATUS_EXPOSED="ESPOSTO"
STATUS_FAILED="FALLITO"
#STATUS_FILES_FOUND="FILES FOUND"
STATUS_FILES_FOUND="FILE TROVATI"
STATUS_FOUND="TROVATO"
#STATUS_HARDENED="HARDENED"
#STATUS_INSTALLED="INSTALLED"
#STATUS_LOCAL_ONLY="LOCAL ONLY"
#STATUS_MEDIUM="MEDIUM"
#STATUS_NON_DEFAULT="NON DEFAULT"
STATUS_HARDENED="HARDENED"
STATUS_INSTALLED="INSTALLATO"
STATUS_LOCAL_ONLY="SOLO LOCALE"
STATUS_MEDIUM="MEDIO"
STATUS_NON_DEFAULT="NON DEFAULT"
STATUS_NONE="NESSUNO"
STATUS_NO="NO"
STATUS_NOT_ACTIVE="NON ATTIVO"
STATUS_NOT_CONFIGURED="NON CONFIGURATO"
#STATUS_NOT_DISABLED="NOT DISABLED"
#STATUS_NOT_ENABLED="NOT ENABLED"
STATUS_NOT_DISABLED="NON DISABILITATO"
STATUS_NOT_ENABLED="NON ABILITATO"
STATUS_NOT_FOUND="NON TROVATO"
STATUS_NOT_RUNNING="NON IN ESECUZIONE"
#STATUS_NO_UPDATE="NO UPDATE"
STATUS_NO_UPDATE="NESSUN AGGIORNAMENTO"
STATUS_OFF="OFF"
STATUS_OK="OK"
STATUS_ON="ON"
#STATUS_PARTIALLY_HARDENED="PARTIALLY HARDENED"
#STATUS_PROTECTED="PROTECTED"
STATUS_PARTIALLY_HARDENED="PARZIALMENTE HARDENED"
STATUS_PROTECTED="PROTETTO"
STATUS_RUNNING="IN ESECUZIONE"
STATUS_SKIPPED="SALTATO"
STATUS_SUGGESTION="SUGGERIMENTO"
STATUS_UNKNOWN="SCONOSCIUTO"
#STATUS_UNSAFE="UNSAFE"
#STATUS_UPDATE_AVAILABLE="UPDATE AVAILABLE"
STATUS_UNSAFE="NON SICURO"
STATUS_UPDATE_AVAILABLE="AGGIORNAMENTO DISPONIBILE"
STATUS_WARNING="ATTENZIONE"
STATUS_WEAK="DEBOLE"
STATUS_YES="SI"
TEXT_UPDATE_AVAILABLE="aggiornamento disponibile"
TEXT_YOU_CAN_HELP_LOGFILE="Puoi aiutare fornendoci il tuo file di log"
SECTION_KERBEROS="Kerberos"
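Review bot: several newly uncommented keys are still English or contain errors: SECTION_NAME_SERVICES="Name services", SECTION_SHELLS="Shells" and STATUS_HARDENED="HARDENED" are uncommented without being translated; SECTION_USERS_GROUPS_AND_AUTHENTICATION has "Authenticazione" (Italian: "Autenticazione"); SECTION_TIME_AND_SYNCHRONIZATION mixes languages in "Tempo and Sincronizzazione" ("and" should be "e"); SECTION_INSECURE_SERVICES="Service insicuri" should be "Servizi insicuri"; and STATUS_YES="SI" is missing its accent ("SÌ"). SECTION_SYSTEM_TOOLING stays commented while SECTION_SYSTEM_TOOLS is translated, which looks unintentional.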


@ -83,6 +83,7 @@ STATUS_FOUND="見つかりました"
STATUS_NO="いいえ"
#STATUS_NON_DEFAULT="NON DEFAULT"
STATUS_NONE="なし"
STATUS_NOT_ACTIVE="NOT ACTIVE"
#STATUS_NOT_CONFIGURED="NOT CONFIGURED"
#STATUS_NOT_DISABLED="NOT DISABLED"
#STATUS_NOT_ENABLED="NOT ENABLED"
@ -105,3 +106,4 @@ STATUS_WARNING="警告"
STATUS_YES="はい"
TEXT_UPDATE_AVAILABLE="アップデートが利用可能"
TEXT_YOU_CAN_HELP_LOGFILE="You can help by providing your log file"
#SECTION_KERBEROS="Kerberos"


@ -83,6 +83,7 @@ STATUS_FOUND="발견"
STATUS_NO="아니오"
#STATUS_NON_DEFAULT="NON DEFAULT"
STATUS_NONE="없음"
STATUS_NOT_ACTIVE="NOT ACTIVE"
#STATUS_NOT_CONFIGURED="NOT CONFIGURED"
#STATUS_NOT_DISABLED="NOT DISABLED"
#STATUS_NOT_ENABLED="NOT ENABLED"
@ -105,3 +106,4 @@ STATUS_WEAK="취약"
STATUS_YES="예"
TEXT_UPDATE_AVAILABLE="업데이트 가능"
TEXT_YOU_CAN_HELP_LOGFILE="로그 파일을 제공하면 도움을 받을 수 있습니다"
#SECTION_KERBEROS="Kerberos"


@ -83,6 +83,7 @@ STATUS_FOUND="FUNNET"
#STATUS_NON_DEFAULT="NON DEFAULT"
STATUS_NO="NEI"
STATUS_NONE="INGEN"
STATUS_NOT_ACTIVE="NOT ACTIVE"
#STATUS_NOT_CONFIGURED="NOT CONFIGURED"
#STATUS_NOT_DISABLED="NOT DISABLED"
#STATUS_NOT_ENABLED="NOT ENABLED"
@ -105,3 +106,4 @@ STATUS_WARNING="ADVARSEL"
STATUS_YES="JA"
TEXT_UPDATE_AVAILABLE="oppdatering tilgjengelig"
TEXT_YOU_CAN_HELP_LOGFILE="Du kan bidra ved å laste opp din loggfil"
#SECTION_KERBEROS="Kerberos"

View File

@ -83,6 +83,7 @@ STATUS_FOUND="GEVONDEN"
#STATUS_NON_DEFAULT="NON DEFAULT"
STATUS_NO="NEE"
STATUS_NONE="GEEN"
STATUS_NOT_ACTIVE="NOT ACTIVE"
STATUS_NOT_CONFIGURED="NIET GECONFIGUREERD"
#STATUS_NOT_DISABLED="NOT DISABLED"
#STATUS_NOT_ENABLED="NOT ENABLED"
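Review bot: `STATUS_NOT_ACTIVE="NOT ACTIVE"` lands between a translated key (`STATUS_NOT_CONFIGURED="NIET GECONFIGUREERD"`) and commented untranslated ones, yet is neither: it is active and English. Translate it or comment it out so the file stays consistent.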
@ -105,3 +106,4 @@ STATUS_WEAK="ZWAK"
STATUS_YES="JA"
TEXT_UPDATE_AVAILABLE="update beschikbaar"
TEXT_YOU_CAN_HELP_LOGFILE="Help mee door je logbestand te delen"
#SECTION_KERBEROS="Kerberos"

View File

@ -83,6 +83,7 @@
#STATUS_NON_DEFAULT="NON DEFAULT"
#STATUS_NONE="NONE"
#STATUS_NO="NO"
STATUS_NOT_ACTIVE="NOT ACTIVE"
#STATUS_NOT_CONFIGURED="NOT CONFIGURED"
#STATUS_NOT_DISABLED="NOT DISABLED"
#STATUS_NOT_ENABLED="NOT ENABLED"
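Review bot: in this file every key is commented out, so the new `STATUS_NOT_ACTIVE="NOT ACTIVE"` is the only active assignment and will be sourced as a real override; it should be `#STATUS_NOT_ACTIVE="NOT ACTIVE"` to match the rest of the file.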
@ -105,3 +106,4 @@
#STATUS_YES="YES"
#TEXT_UPDATE_AVAILABLE="update available"
#TEXT_YOU_CAN_HELP_LOGFILE="You can help by providing your log file"
#SECTION_KERBEROS="Kerberos"

View File

@ -1,3 +1,7 @@
# Usado o Google Tradutor para traduzir: https://translate.google.com.br/
ERROR_NO_LICENSE="Nenhuma chave de licença configurada"
ERROR_NO_UPLOAD_SERVER="Nenhum servidor de upload configurado"
GEN_CHECKING="Verificando"
@ -14,94 +18,96 @@ NOTE_EXCEPTIONS_FOUND_DETAILED="Alguns eventos ou informações excepcionais for
NOTE_EXCEPTIONS_FOUND="Exceptions encontradas"
NOTE_PLUGINS_TAKE_TIME="Nota: plugins requerem testes mais extensivos e podem levar vários minutos para completar"
NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Testes ignorados devido ao modo sem privilégios"
#SECTION_ACCOUNTING="Accounting"
#SECTION_BANNERS_AND_IDENTIFICATION="Banners and identification"
#SECTION_BASICS="Basics"
#SECTION_BOOT_AND_SERVICES="Boot and services"
#SECTION_CONTAINERS="Containers"
#SECTION_CRYPTOGRAPHY="Cryptography"
SECTION_ACCOUNTING="Contabilidade"
SECTION_BANNERS_AND_IDENTIFICATION="Banners e identificação"
SECTION_BASICS="Base"
SECTION_BOOT_AND_SERVICES="Inicialização e serviços"
SECTION_CONTAINERS="Containers"
SECTION_CRYPTOGRAPHY="Criptografia"
SECTION_CUSTOM_TESTS="Testes personalizados"
#SECTION_DATABASES="Databases"
#SECTION_DATA_UPLOAD="Data upload"
#SECTION_DOWNLOADS="Downloads"
#SECTION_EMAIL_AND_MESSAGING="Software: e-mail and messaging"
#SECTION_FILE_INTEGRITY="Software: file integrity"
#SECTION_FILE_PERMISSIONS="File Permissions"
#SECTION_FILE_SYSTEMS="File systems"
#SECTION_FIREWALLS="Software: firewalls"
#SECTION_GENERAL="General"
SECTION_DATABASES="Bancos de dados"
SECTION_DATA_UPLOAD="Carregamento de dados"
SECTION_DOWNLOADS="Transferências"
SECTION_EMAIL_AND_MESSAGING="Programas: e-mail e mensagens"
SECTION_FILE_INTEGRITY="Programas: integridade do arquivo"
SECTION_FILE_PERMISSIONS="Permissões de arquivo"
SECTION_FILE_SYSTEMS="Sistemas de arquivos"
SECTION_FIREWALLS="Programas: firewalls"
SECTION_GENERAL="Em geral"
#SECTION_HARDENING="Hardening"
#SECTION_HOME_DIRECTORIES="Home directories"
#SECTION_IMAGE="Image"
#SECTION_INITIALIZING_PROGRAM="Initializing program"
#SECTION_INSECURE_SERVICES="Insecure services"
#SECTION_KERNEL_HARDENING="Kernel Hardening"
#SECTION_KERNEL="Kernel"
#SECTION_LDAP_SERVICES="LDAP Services"
#SECTION_LOGGING_AND_FILES="Logging and files"
SECTION_HOME_DIRECTORIES="Diretórios iniciais"
SECTION_IMAGE="Imagem"
SECTION_INITIALIZING_PROGRAM="Inicializando programa"
SECTION_INSECURE_SERVICES="Serviços inseguros"
SECTION_KERNEL_HARDENING="Hardening do Kernel"
SECTION_KERNEL="Kernel"
SECTION_LDAP_SERVICES="Serviços LDAP"
SECTION_LOGGING_AND_FILES="Registro e arquivos"
SECTION_MALWARE="Malware"
SECTION_MEMORY_AND_PROCESSES="Memória e Processos"
#SECTION_NAME_SERVICES="Name services"
#SECTION_NETWORKING="Networking"
#SECTION_PERMISSIONS="Permissions"
#SECTION_PORTS_AND_PACKAGES="Ports and packages"
#SECTION_PRINTERS_AND_SPOOLS="Printers and Spools"
#SECTION_PROGRAM_DETAILS="Program Details"
#SECTION_SCHEDULED_TASKS="Scheduled tasks"
#SECTION_SECURITY_FRAMEWORKS="Security frameworks"
SECTION_NAME_SERVICES="Serviços de nomes"
SECTION_NETWORKING="Rede"
SECTION_PERMISSIONS="Permissões"
SECTION_PORTS_AND_PACKAGES="Portas e pacotes"
SECTION_PRINTERS_AND_SPOOLS="Impressoras"
SECTION_PROGRAM_DETAILS="Detalhes do programa"
SECTION_SCHEDULED_TASKS="Atividades agendadas"
SECTION_SECURITY_FRAMEWORKS="Estruturas de segurança"
#SECTION_SHELLS="Shells"
#SECTION_SNMP_SUPPORT="SNMP Support"
#SECTION_SOFTWARE="Software"
#SECTION_SQUID_SUPPORT="Squid Support"
#SECTION_SSH_SUPPORT="SSH Support"
#SECTION_STORAGE="Storage"
#SECTION_SYSTEM_INTEGRITY="Software: System integrity"
#SECTION_SYSTEM_TOOLING="Software: System tooling"
#SECTION_SYSTEM_TOOLS="System tools"
#SECTION_TIME_AND_SYNCHRONIZATION="Time and Synchronization"
#SECTION_USB_DEVICES="USB Devices"
#SECTION_USERS_GROUPS_AND_AUTHENTICATION="Users, Groups and Authentication"
#SECTION_VIRTUALIZATION="Virtualization"
#SECTION_WEBSERVER="Software: webserver"
#STATUS_ACTIVE="ACTIVE"
#STATUS_CHECK_NEEDED="CHECK NEEDED"
SECTION_SNMP_SUPPORT="Suporte SNMP"
SECTION_SOFTWARE="Programas"
SECTION_SQUID_SUPPORT="Suporte Squid"
SECTION_SSH_SUPPORT="Suporte SSH"
SECTION_STORAGE="Armazenamento"
SECTION_SYSTEM_INTEGRITY="Programas: Integridade do sistema"
SECTION_SYSTEM_TOOLING="Programas: Ferramentas de sistema"
SECTION_SYSTEM_TOOLS="Ferramentas do sistema"
SECTION_TIME_AND_SYNCHRONIZATION="Tempo e sincronização"
SECTION_USB_DEVICES="Dispositivos USB"
SECTION_USERS_GROUPS_AND_AUTHENTICATION="Usuários, grupos e autenticação"
SECTION_VIRTUALIZATION="Virtualização"
SECTION_WEBSERVER="Programas: Servidor Web"
STATUS_ACTIVE="ATIVO"
STATUS_CHECK_NEEDED="VERIFICAÇÃO NECESSÁRIA"
#STATUS_DEBUG="DEBUG"
#STATUS_DEFAULT="DEFAULT"
#STATUS_DIFFERENT="DIFFERENT"
STATUS_DEFAULT="PADRÃO"
STATUS_DIFFERENT="DIFERENTE"
STATUS_DISABLED="DESABILITADO"
STATUS_DONE="FEITO"
STATUS_ENABLED="HABILITADO"
STATUS_ERROR="ERRO"
#STATUS_EXPOSED="EXPOSED"
#STATUS_FAILED="FAILED"
#STATUS_FILES_FOUND="FILES FOUND"
STATUS_EXPOSED="EXPOSTO"
STATUS_FAILED="FALHAR"
STATUS_FILES_FOUND="ARQUIVOS ENCONTRADOS"
STATUS_FOUND="ENCONTRADO"
#STATUS_HARDENED="HARDENED"
#STATUS_INSTALLED="INSTALLED"
#STATUS_LOCAL_ONLY="LOCAL ONLY"
#STATUS_MEDIUM="MEDIUM"
STATUS_INSTALLED="INSTALADO"
STATUS_LOCAL_ONLY="SOMENTE LOCAL"
STATUS_MEDIUM="MÉDIO"
STATUS_NO="NÃO"
#STATUS_NON_DEFAULT="NON DEFAULT"
STATUS_NON_DEFAULT="FORA DO PADRÃO"
STATUS_NONE="NENHUM"
#STATUS_NOT_CONFIGURED="NOT CONFIGURED"
#STATUS_NOT_DISABLED="NOT DISABLED"
#STATUS_NOT_ENABLED="NOT ENABLED"
STATUS_NOT_ACTIVE="NOT ACTIVE"
STATUS_NOT_CONFIGURED="NÃO CONFIGURADO"
STATUS_NOT_DISABLED="NÃO DESATIVADO"
STATUS_NOT_ENABLED="NÃO HABILITADO"
STATUS_NOT_FOUND="NÃO ENCONTRADO"
STATUS_NOT_RUNNING="PARADO"
#STATUS_NO_UPDATE="NO UPDATE"
STATUS_OFF="OFF"
STATUS_NO_UPDATE="SEM ATUALIZAÇÃO"
STATUS_OFF="DESLIGADO"
STATUS_OK="OK"
STATUS_ON="ON"
#STATUS_PARTIALLY_HARDENED="PARTIALLY HARDENED"
#STATUS_PROTECTED="PROTECTED"
STATUS_ON="LIGADO"
STATUS_PARTIALLY_HARDENED="HARDENED PARCIAL"
STATUS_PROTECTED="PROTEGIDO"
STATUS_RUNNING="EM EXECUÇÃO"
STATUS_SKIPPED="IGNORADO"
STATUS_SUGGESTION="SUGESTÃO"
STATUS_UNKNOWN="DESCONHECIDO"
#STATUS_UNSAFE="UNSAFE"
#STATUS_UPDATE_AVAILABLE="UPDATE AVAILABLE"
STATUS_UNSAFE="INSEGURO"
STATUS_UPDATE_AVAILABLE="ATUALIZAÇÃO DISPONÍVEL"
STATUS_WARNING="ATENÇÃO"
#STATUS_WEAK="WEAK"
STATUS_WEAK="FRACO"
STATUS_YES="SIM"
TEXT_UPDATE_AVAILABLE="Atualização disponível"
TEXT_YOU_CAN_HELP_LOGFILE="Você pode ajudar fornecendo seu arquivo de log"
SECTION_KERBEROS="Kerberos"
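Review bot: `STATUS_NOT_ACTIVE="NOT ACTIVE"` is the one English value left in an otherwise fully translated block; it needs a translation in the same style as `STATUS_NOT_CONFIGURED="NÃO CONFIGURADO"`. Two more translation points in this hunk: `STATUS_FAILED="FALHAR"` is the infinitive, a status label would be the past form (compare `STATUS_DONE="FEITO"`), and `STATUS_HARDENED` stays commented out while `STATUS_PARTIALLY_HARDENED="HARDENED PARCIAL"` is translated, so the two related statuses will render in different languages. As in the other files, `SECTION_KERBEROS="Kerberos"` belongs with the SECTION_ entries rather than after the TEXT_ lines.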

View File

@ -1,75 +1,75 @@
ERROR_NO_LICENSE="Лицензионный ключ не настроен"
ERROR_NO_UPLOAD_SERVER="Загрузочный сервер не настроен"
GEN_CHECKING="Проверка"
GEN_CURRENT_VERSION="Текущая версия"
GEN_DEBUG_MODE="Режим отладки"
GEN_INITIALIZE_PROGRAM="Инициализация программы"
GEN_LATEST_VERSION="Последняя версия"
GEN_PHASE="Стадия"
GEN_PLUGINS_ENABLED="Плагины включены"
GEN_UPDATE_AVAILABLE="доступно обновление"
GEN_VERBOSE_MODE="Подробный режим"
GEN_WHAT_TO_DO="Что сделать"
NOTE_EXCEPTIONS_FOUND_DETAILED="Были найдены некоторые исключительные события или информация"
NOTE_EXCEPTIONS_FOUND="Найдены исключения"
NOTE_PLUGINS_TAKE_TIME="Примечание: плагины имеют более обширные тесты и могут занять несколько минут до завершения"
NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Тесты пропущены из-за использования непривилегированного режима"
SECTION_ACCOUNTING="Учёт"
SECTION_BANNERS_AND_IDENTIFICATION="Баннеры и идентификаторы"
SECTION_BASICS="Основное"
SECTION_BOOT_AND_SERVICES="Загрузка и сервисы"
SECTION_CONTAINERS="Контейнеры"
SECTION_CRYPTOGRAPHY="Криптография"
SECTION_CUSTOM_TESTS="Пользовательские тесты"
SECTION_DATABASES="Базы данных"
SECTION_DATA_UPLOAD="Отправка данных"
SECTION_DOWNLOADS="Загрузки"
SECTION_EMAIL_AND_MESSAGING="Программное обеспечение: e-mail и отправка сообщений"
ERROR_NO_LICENSE="ОШИБКА: ЛИЦЕНЗИОННЫЙ КЛЮЧ НЕ НАСТРОЕН"
ERROR_NO_UPLOAD_SERVER="ОШИБКА: ЗАГРУЗОЧНЫЙ СЕРВЕР НЕ НАСТРОЕН"
GEN_CHECKING="ПРОВЕРКА"
GEN_CURRENT_VERSION="ТЕКУЩАЯ ВЕРСИЯ"
GEN_DEBUG_MODE="РЕЖИМ ОТЛАДКИ"
GEN_INITIALIZE_PROGRAM="ИНИЦИАЛИЗАЦИЯ ПРОГРАММЫ"
GEN_LATEST_VERSION="ПОСЛЕДНЯЯ ВЕРСИЯ"
GEN_PHASE="СТАДИЯ"
GEN_PLUGINS_ENABLED="ПЛАГИНЫ ВКЛЮЧЕНЫ"
GEN_UPDATE_AVAILABLE="ДОСТУПНО ОБНОВЛЕНИЕ"
GEN_VERBOSE_MODE="ПОДРОБНЫЙ РЕЖИМ"
GEN_WHAT_TO_DO="ЧТО СДЕЛАТЬ?"
NOTE_EXCEPTIONS_FOUND_DETAILED="БЫЛИ ОБНАРУЖЕНЫ УНИКАЛЬНЫЕ СОБЫТИЯ ИЛИ СВЕДЕНИЯ"
NOTE_EXCEPTIONS_FOUND="НАЙДЕННЫ ИСКЛЮЧЕНИЯ"
NOTE_PLUGINS_TAKE_TIME="ПРИМЕЧАНИЕ: ПЛАГИНЫ ИМЕЮТ БОЛЕЕ ОБШИРНЫЕ ТЕСТЫ И МОГУТ ЗАНЯТЬ НЕСКОЛЬКО МИНУТ ДО ЗАВЕРШЕНИЯ"
NOTE_SKIPPED_TESTS_NON_PRIVILEGED="ТЕСТЫ ПРОПУЩЕНЫ ИЗ-ЗА ИСПОЛЬЗОВАНИЯ НЕПРЕВЕЛИГИРОВАННОГО РЕЖИМА"
SECTION_ACCOUNTING="УЧЁТ"
SECTION_BANNERS_AND_IDENTIFICATION="БАННЕРЫ И ИДЕНТИФИКАТОРЫ"
SECTION_BASICS="ОСНОВНОЕ"
SECTION_BOOT_AND_SERVICES="ЗАГРУЗКА И СЕРВИСЫ"
SECTION_CONTAINERS="КОНТЕЙНЕРЫ"
SECTION_CRYPTOGRAPHY="КРИПТОГРАФИЯ"
SECTION_CUSTOM_TESTS="ПОЛЬЗОВАТЕЛЬСКИЕ ТЕСТЫ"
SECTION_DATABASES="БАЗЫ ДАННЫХ"
SECTION_DATA_UPLOAD="ОТПРАВКА ДАННЫХ"
SECTION_DOWNLOADS="ЗАГРУЗКИ"
SECTION_EMAIL_AND_MESSAGING="ПРОГРАММНОЕ ОБЕСПЕЧЕНИЕ: E-MAIL И ОТПРАВКА СООБЩЕНИЙ"
SECTION_FILE_INTEGRITY="Программное обеспечение: целостность файлов"
SECTION_FILE_PERMISSIONS="Права доступа к файлам"
SECTION_FILE_SYSTEMS="Файловые системы"
SECTION_FIREWALLS="Программное обеспечение: firewall"
SECTION_GENERAL="Общее"
SECTION_HARDENING="Усиление"
SECTION_HOME_DIRECTORIES="Домашние директории"
SECTION_IMAGE="Образы"
SECTION_INITIALIZING_PROGRAM="Инициализация программы"
SECTION_INSECURE_SERVICES="Небезопасные сервисы"
SECTION_KERNEL_HARDENING="УСиления ядра"
SECTION_KERNEL="Ядро"
SECTION_LDAP_SERVICES="Сервисы LDAP"
SECTION_LOGGING_AND_FILES="Логирование и файлы"
SECTION_MALWARE="Вредоносное ПО"
SECTION_MEMORY_AND_PROCESSES="Память и процессы"
SECTION_NAME_SERVICES="Серверы имён"
SECTION_NETWORKING="Сети"
SECTION_PERMISSIONS="Права доступа"
SECTION_PORTS_AND_PACKAGES="Пакеты"
SECTION_PRINTERS_AND_SPOOLS="Принтеры и спулеры"
SECTION_PROGRAM_DETAILS="Подробности о программе"
SECTION_SCHEDULED_TASKS="Запланированные задачи"
SECTION_SECURITY_FRAMEWORKS="Фреймворки"
SECTION_SHELLS="Командные оболочки"
SECTION_SNMP_SUPPORT="Поддержка SNMP"
SECTION_SOFTWARE="Программное обеспечение"
SECTION_SQUID_SUPPORT="Поддержка Squid"
SECTION_SSH_SUPPORT="Поддержка SSH"
SECTION_STORAGE="Хранилище"
SECTION_SYSTEM_INTEGRITY="Программное обеспечение: целостность системы"
SECTION_SYSTEM_TOOLING="рограммное обеспечение: системные инструменты"
SECTION_SYSTEM_TOOLS="Системные утилиты"
SECTION_TIME_AND_SYNCHRONIZATION="Время и его синхронизация"
SECTION_USB_DEVICES="USB Устройства"
SECTION_USERS_GROUPS_AND_AUTHENTICATION="Пользователи, группы и Аутентификация"
SECTION_VIRTUALIZATION="Виртуализация"
SECTION_WEBSERVER="Программное обеспечение: веб-серверы"
SECTION_FILE_PERMISSIONS="ПРАВА ДОСТУПА К ФАЙЛАМ"
SECTION_FILE_SYSTEMS="ФАЙЛОВЫЕ СИСТЕМЫ"
SECTION_FIREWALLS="ПРОГРАММНОЕ ОБЕСПЕЧЕНИЕ: FIREWALL"
SECTION_GENERAL="ОБЩЕЕ"
SECTION_HARDENING="УСИЛЕНИЕ"
SECTION_HOME_DIRECTORIES="ДОМАШНИЕ ДИРЕКТОРИИ"
SECTION_IMAGE="ОБРАЗЫ"
SECTION_INITIALIZING_PROGRAM="ИНИЦИАЛИЗАЦИЯ ПРОГРАММЫ"
SECTION_INSECURE_SERVICES="НЕБЕЗОПАСНЫЕ СЕРВИСЫ"
SECTION_KERNEL_HARDENING="УСИЛЕНИЕ ЯДРА"
SECTION_KERNEL="ЯДРО"
SECTION_LDAP_SERVICES="СЕРВИСЫ LDAP"
SECTION_LOGGING_AND_FILES="ЛОГИРОВАНИЕ И ФАЙЛЫ"
SECTION_MALWARE="ВРЕДОНОСНОЕ ПО"
SECTION_MEMORY_AND_PROCESSES="ПАМЯТЬ И ПРОЦЕССОРЫ"
SECTION_NAME_SERVICES="СЕРВЕРЫ ИМЁН"
SECTION_NETWORKING="СЕТИ"
SECTION_PERMISSIONS="ПРАВА ДОСТУПА"
SECTION_PORTS_AND_PACKAGES="ПАКЕТЫ"
SECTION_PRINTERS_AND_SPOOLS="ПРИНТЕРЫ И СПУЛЕРЫ"
SECTION_PROGRAM_DETAILS="ПОДРОБНОСТИ О ПРОГРАММЕ"
SECTION_SCHEDULED_TASKS="ЗАПЛАНИРОВАННЫЕ ЗАДАЧИ"
SECTION_SECURITY_FRAMEWORKS="ФРЕЙМВОРКИ"
SECTION_SHELLS="КОМАНДНЫЕ ОБОЛОЧКИ"
SECTION_SNMP_SUPPORT="ПОДДЕРЖКА SNMP"
SECTION_SOFTWARE="ПРОГРАММНОЕ ОБЕСПЕЧЕНИЕ"
SECTION_SQUID_SUPPORT="ПОДДЕРЖКА Squid"
SECTION_SSH_SUPPORT="ПОДДЕРЖКА SSH"
SECTION_STORAGE="ХРАНИЛИЩЕ"
SECTION_SYSTEM_INTEGRITY="ПРОГРАММНОЕ ОБЕСПЕЧЕНИЕ: ЦЕЛОСТНОСТЬ СИСТЕМЫ"
SECTION_SYSTEM_TOOLING="ПРОГРАММНОЕ ОБЕСПЕЧЕНИЕ: СИСТЕМНЫЕ ИНСТУРМЕНТЫ"
SECTION_SYSTEM_TOOLS="СИСТЕМНЫЕ УТИЛИТЫ"
SECTION_TIME_AND_SYNCHRONIZATION="ВРЕМЯ И ЕГО СИНХРОНИЗАЦИЯ"
SECTION_USB_DEVICES="USB УСТРОЙСТВА"
SECTION_USERS_GROUPS_AND_AUTHENTICATION="ПОЛЬЗОВАТЕЛИ, ГРУППЫ И АУТЕНТИФИКАЦИЯ"
SECTION_VIRTUALIZATION="ВИРТУАЛИЗАЦИЯ"
SECTION_WEBSERVER="ПРОГРАММНОЕ ОБЕСПЕЧЕНИЕ: WEB-СЕРВЕРЫ"
STATUS_ACTIVE="АКТИВЕН"
STATUS_CHECK_NEEDED="ТРЕБУЕТСЯ ПРОВЕРКА"
STATUS_DEBUG="ОТЛАДКА"
STATUS_DEFAULT="ПО УМОЛЧАНИЮ"
STATUS_DIFFERENT="ОТЛИЧАЕТСЯ"
STATUS_DISABLED="ОТКЛЮЧЕНО"
STATUS_DONE="Завершено"
STATUS_DONE="ЗАВЕРШЕНО"
STATUS_ENABLED="ВКЛЮЧЕНО"
STATUS_ERROR="ОШИБКА"
STATUS_EXPOSED="УЯЗВИМО"
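Review bot: `SECTION_MEMORY_AND_PROCESSES="ПАМЯТЬ И ПРОЦЕССОРЫ"` changes the meaning of the removed line (`Память и процессы`, processes) to processors; it should be `ПАМЯТЬ И ПРОЦЕССЫ`. Three new misspellings were introduced while uppercasing: `НАЙДЕННЫ` (for НАЙДЕНЫ), `НЕПРЕВЕЛИГИРОВАННОГО` (for НЕПРИВИЛЕГИРОВАННОГО, which the removed line had right) and `ИНСТУРМЕНТЫ` (for ИНСТРУМЕНТЫ). The removed block also contains `SECTION_FILE_INTEGRITY="Программное обеспечение: целостность файлов"`, but no SECTION_FILE_INTEGRITY line appears among the added lines, so that title would silently fall back to English. Finally, uppercasing the GEN_, NOTE_ and SECTION_ strings departs from every other language file, where only STATUS_ values are capitals; if the intent is to match how Lynis prints section titles, say so in the commit message, otherwise keep the sentence case of the removed lines.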
@ -81,7 +81,8 @@ STATUS_INSTALLED="УСТАНОВЛЕНО"
STATUS_LOCAL_ONLY="ТОЛЬКО ЛОКАЛЬНО"
STATUS_MEDIUM="СРЕДНИЙ"
STATUS_NON_DEFAULT="НЕ ПО УМОЛЧАНИЮ"
STATUS_NONE="Отсутствует"
STATUS_NONE="ОТСУТСТВУЕТ"
STATUS_NOT_ACTIVE="НЕ АКТИВЕН"
STATUS_NOT_CONFIGURED="НЕ СКОНФИГУРИРОВАНО"
STATUS_NOT_DISABLED="НЕ ОТКЛЮЧЕНО"
STATUS_NOT_ENABLED="НЕ ВКЛЮЧЕНО"
@ -89,9 +90,9 @@ STATUS_NOT_FOUND="НЕ НАЙДЕНО"
STATUS_NOT_RUNNING="НЕ ЗАПУЩЕНО"
STATUS_NO_UPDATE="ОБНОВЛЕНИЙ НЕТ"
STATUS_NO="НЕТ"
STATUS_OFF="Выключено"
STATUS_OFF="ВЫКЛЮЧЕНО"
STATUS_OK="ОК"
STATUS_ON="Включено"
STATUS_ON="ВКЛЮЧЕНО"
STATUS_PARTIALLY_HARDENED="ЧАСТИЧНО УСИЛЕНО"
STATUS_PROTECTED="ЗАЩИЩЕНО"
STATUS_RUNNING="ЗАПУЩЕНО"
@ -103,5 +104,6 @@ STATUS_UPDATE_AVAILABLE="ДОСТУПНЫ ОБНОВЛЕНИЯ"
STATUS_WARNING="ПРЕДУПРЕЖДЕНИЕ"
STATUS_WEAK="СЛАБЫЙ"
STATUS_YES="ДА"
TEXT_UPDATE_AVAILABLE="доступно обновление"
TEXT_YOU_CAN_HELP_LOGFILE="Вы можете помочь, предоставив ваш лог-файл"
TEXT_UPDATE_AVAILABLE="ДОСТУПНО ОБНОВЛЕНИЕ"
TEXT_YOU_CAN_HELP_LOGFILE="ПОЖАЛУЙСТА, ПОМОГИТЕ НАМ, ОТПРАВИВ ВАШ LOG-ФАЙЛ"
SECTION_KERBEROS="KERBEROS"
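Review bot: `TEXT_UPDATE_AVAILABLE="ДОСТУПНО ОБНОВЛЕНИЕ"` is now all capitals, whereas the same key is lowercase in the other translations in this patch (`aggiornamento disponibile`, `güncelleme var`), which suggests it is printed inline rather than as a status. `SECTION_KERBEROS="KERBEROS"` likewise uppercases a proper noun that every other file keeps as `Kerberos`.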

View File

@ -83,6 +83,7 @@ STATUS_FOUND="HITTAD"
#STATUS_NON_DEFAULT="NON DEFAULT"
STATUS_NONE="INGEN"
STATUS_NO="NEJ"
STATUS_NOT_ACTIVE="NOT ACTIVE"
#STATUS_NOT_CONFIGURED="NOT CONFIGURED"
#STATUS_NOT_DISABLED="NOT DISABLED"
#STATUS_NOT_ENABLED="NOT ENABLED"
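Review bot: `STATUS_NOT_ACTIVE="NOT ACTIVE"` is an active English value in a file that comments out untranslated keys; translate it or comment it out.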
@ -105,3 +106,4 @@ STATUS_WARNING="VARNING"
STATUS_YES="JA"
TEXT_UPDATE_AVAILABLE="uppdatering tillgänglig"
TEXT_YOU_CAN_HELP_LOGFILE="Du kan hjälpa till genom att bidra med din loggfil"
#SECTION_KERBEROS="Kerberos"

View File

@ -83,6 +83,7 @@ STATUS_FOUND="NÁJDENÉ"
#STATUS_NON_DEFAULT="NON DEFAULT"
STATUS_NONE="ŽIADNE"
STATUS_NO="NIE"
STATUS_NOT_ACTIVE="NOT ACTIVE"
#STATUS_NOT_CONFIGURED="NOT CONFIGURED"
#STATUS_NOT_DISABLED="NOT DISABLED"
#STATUS_NOT_ENABLED="NOT ENABLED"
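Review bot: as above, `STATUS_NOT_ACTIVE="NOT ACTIVE"` should follow the `#STATUS_NOT_*` convention of this file until a translation is available.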
@ -105,3 +106,4 @@ STATUS_WARNING="VAROVANIE"
STATUS_YES="ÁNO"
TEXT_UPDATE_AVAILABLE="aktualizácia k dispozícii"
TEXT_YOU_CAN_HELP_LOGFILE="Môžete pomôcť poskytnutím log súboru"
#SECTION_KERBEROS="Kerberos"

View File

@ -1,107 +1,109 @@
ERROR_NO_LICENSE="Lisans anahtarı yapılandırılmamış"
ERROR_NO_UPLOAD_SERVER="Yükleme sunucusu yapılandırılmamış"
GEN_CHECKING="Kontrol ediyor"
GEN_CURRENT_VERSION="Mevcut Sürüm"
ERROR_NO_LICENSE="Lisans anahtarı yapılandırılmadı"
ERROR_NO_UPLOAD_SERVER="Yükleme sunucusu yapılandırılmadı"
GEN_CHECKING=" Denetleniyor"
GEN_CURRENT_VERSION="Geçerli sürüm"
GEN_DEBUG_MODE="Hata ayıklama modu"
GEN_INITIALIZE_PROGRAM="Program başlatılıyor"
GEN_LATEST_VERSION="Son sürüm"
GEN_PHASE="faz"
GEN_PLUGINS_ENABLED="Yapılandırılmış eklentiler"
GEN_UPDATE_AVAILABLE="güncelleme mevcut"
GEN_VERBOSE_MODE="Detay modu"
GEN_LATEST_VERSION="En son sürüm"
GEN_PHASE="evre"
GEN_PLUGINS_ENABLED="Etkinleştirilen eklentiler"
GEN_UPDATE_AVAILABLE="güncelleme var"
GEN_VERBOSE_MODE="Ayrıntılı mod"
GEN_WHAT_TO_DO="Yapılması gerekenler"
NOTE_EXCEPTIONS_FOUND_DETAILED="Bazı istisnai durumlar ve bilgiler bulundu"
NOTE_EXCEPTIONS_FOUND="İstisnalar bulundu"
NOTE_PLUGINS_TAKE_TIME="Not: eklentiler daha detaylı testler içermektedir ve tamamlanmaları uzun sürebilir"
NOTE_EXCEPTIONS_FOUND_DETAILED="Bazı istisnai olaylar veya bilgiler bulundu"
NOTE_PLUGINS_TAKE_TIME="Not: eklentiler daha kapsamlı testlere sahiptir ve tamamlanması birkaç dakika sürebilir"
NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Yetkisiz çalışma nedeniyle atlanan testler"
#SECTION_ACCOUNTING="Accounting"
#SECTION_BANNERS_AND_IDENTIFICATION="Banners and identification"
#SECTION_BASICS="Basics"
#SECTION_BOOT_AND_SERVICES="Boot and services"
#SECTION_CONTAINERS="Containers"
#SECTION_CRYPTOGRAPHY="Cryptography"
SECTION_ACCOUNTING="Hesaplama"
SECTION_BANNERS_AND_IDENTIFICATION="Afişler ve tanımlama"
SECTION_BASICS="Temel Bilgiler"
SECTION_BOOT_AND_SERVICES="Önyükleme ve hizmetler"
SECTION_CONTAINERS="Konteynerler"
SECTION_CRYPTOGRAPHY="Kriptografi"
SECTION_CUSTOM_TESTS="Özel testler"
#SECTION_DATABASES="Databases"
#SECTION_DATA_UPLOAD="Data upload"
#SECTION_DOWNLOADS="Downloads"
#SECTION_EMAIL_AND_MESSAGING="Software: e-mail and messaging"
#SECTION_FILE_INTEGRITY="Software: file integrity"
#SECTION_FILE_PERMISSIONS="File Permissions"
#SECTION_FILE_SYSTEMS="File systems"
#SECTION_FIREWALLS="Software: firewalls"
#SECTION_GENERAL="General"
#SECTION_HARDENING="Hardening"
#SECTION_HOME_DIRECTORIES="Home directories"
#SECTION_IMAGE="Image"
#SECTION_INITIALIZING_PROGRAM="Initializing program"
#SECTION_INSECURE_SERVICES="Insecure services"
#SECTION_KERNEL_HARDENING="Kernel Hardening"
#SECTION_KERNEL="Kernel"
#SECTION_LDAP_SERVICES="LDAP Services"
#SECTION_LOGGING_AND_FILES="Logging and files"
SECTION_MALWARE="Kötücül yazılım"
SECTION_MEMORY_AND_PROCESSES="Bellek ve Prosesler"
#SECTION_NAME_SERVICES="Name services"
#SECTION_NETWORKING="Networking"
#SECTION_PERMISSIONS="Permissions"
#SECTION_PORTS_AND_PACKAGES="Ports and packages"
#SECTION_PRINTERS_AND_SPOOLS="Printers and Spools"
#SECTION_PROGRAM_DETAILS="Program Details"
#SECTION_SCHEDULED_TASKS="Scheduled tasks"
#SECTION_SECURITY_FRAMEWORKS="Security frameworks"
#SECTION_SHELLS="Shells"
#SECTION_SNMP_SUPPORT="SNMP Support"
#SECTION_SOFTWARE="Software"
#SECTION_SQUID_SUPPORT="Squid Support"
#SECTION_SSH_SUPPORT="SSH Support"
#SECTION_STORAGE="Storage"
#SECTION_SYSTEM_INTEGRITY="Software: System integrity"
#SECTION_SYSTEM_TOOLING="Software: System tooling"
#SECTION_SYSTEM_TOOLS="System tools"
#SECTION_TIME_AND_SYNCHRONIZATION="Time and Synchronization"
#SECTION_USB_DEVICES="USB Devices"
#SECTION_USERS_GROUPS_AND_AUTHENTICATION="Users, Groups and Authentication"
#SECTION_VIRTUALIZATION="Virtualization"
#SECTION_WEBSERVER="Software: webserver"
#STATUS_ACTIVE="ACTIVE"
#STATUS_CHECK_NEEDED="CHECK NEEDED"
#STATUS_DEBUG="DEBUG"
#STATUS_DEFAULT="DEFAULT"
#STATUS_DIFFERENT="DIFFERENT"
STATUS_DISABLED="ETKİSİZLEŞTİRİLMİŞ"
SECTION_DATA_UPLOAD="Veri yükleme"
SECTION_DATABASES="Veri tabanları"
SECTION_DOWNLOADS="İndirilenler"
SECTION_EMAIL_AND_MESSAGING="Yazılım: e-posta ve mesajlaşma"
SECTION_FILE_INTEGRITY="Yazılım: dosya bütünlüğü"
SECTION_FILE_PERMISSIONS="Dosya izinleri"
SECTION_FILE_SYSTEMS="Dosya sistemleri"
SECTION_FIREWALLS="Yazılım: güvenlik duvarları"
SECTION_GENERAL="Genel"
SECTION_HARDENING="Sıkılaştırma"
SECTION_HOME_DIRECTORIES="Ev dizinleri"
SECTION_IMAGE="Kalıp"
SECTION_INITIALIZING_PROGRAM="Program başlatılıyor"
SECTION_INSECURE_SERVICES="Güvensiz hizmetler"
SECTION_KERNEL="Çekirdek"
SECTION_KERNEL_HARDENING="Çekirdek Sıkılaştırma"
SECTION_LDAP_SERVICES="LDAP Hizmetleri"
SECTION_LOGGING_AND_FILES="Günlük kaydı ve dosyalar"
SECTION_MALWARE="Yazılım: Kötü Amaçlı Yazılım"
SECTION_MEMORY_AND_PROCESSES="Bellek ve Süreçler"
SECTION_NAME_SERVICES="Ad hizmetleri"
SECTION_NETWORKING="Ağ İletişimi"
SECTION_PERMISSIONS="İzinler"
SECTION_PORTS_AND_PACKAGES="Bağlantı noktaları ve paketler"
SECTION_PRINTERS_AND_SPOOLS="Yazıcılar ve Biriktiriciler"
SECTION_PROGRAM_DETAILS="Program Ayrıntıları"
SECTION_SCHEDULED_TASKS="Zamanlanan görevler"
SECTION_SECURITY_FRAMEWORKS="Güvenlik çerçeveleri"
SECTION_SHELLS="Kabuklar"
SECTION_SNMP_SUPPORT="SNMP Desteği"
SECTION_SOFTWARE="Yazılım"
SECTION_SQUID_SUPPORT="Squid Desteği"
SECTION_SSH_SUPPORT="SSH Desteği"
SECTION_STORAGE="Depolama"
SECTION_SYSTEM_INTEGRITY="Yazılım: Sistem bütünlüğü"
SECTION_SYSTEM_TOOLING="Yazılım: Sistem araçları"
SECTION_SYSTEM_TOOLS="Sistem araçları"
SECTION_TIME_AND_SYNCHRONIZATION="Zaman ve Eşzamanlama"
SECTION_USB_DEVICES="USB Aygıtları"
SECTION_USERS_GROUPS_AND_AUTHENTICATION="Kullanıcılar, Gruplar ve Kimlik Doğrulama"
SECTION_VIRTUALIZATION="Sanallaştırma"
SECTION_WEBSERVER="Yazılım: web sunucusu"
STATUS_ACTIVE=" ETKİN"
STATUS_CHECK_NEEDED=" DENETİM GEREKLI"
STATUS_DEBUG="HATA AYIKLAMA"
STATUS_DEFAULT="ÖNTANIMLI"
STATUS_DIFFERENT="FARKLI"
STATUS_DISABLED="DEVRE DIŞI BIRAKILDI"
STATUS_DONE="TAMAMLANDI"
STATUS_ENABLED="ETKİNLEŞTİRİLMİŞ"
STATUS_ENABLED="ETKİNLEŞTİRİL"
STATUS_ERROR="HATA"
#STATUS_EXPOSED="EXPOSED"
#STATUS_FAILED="FAILED"
#STATUS_FILES_FOUND="FILES FOUND"
STATUS_EXPOSED="AÇIKTA BIRAKILDI"
STATUS_FAILED="BAŞARISIZ"
STATUS_FILES_FOUND="DOSYALAR BULUNDU"
STATUS_FOUND="BULUNDU"
#STATUS_HARDENED="HARDENED"
#STATUS_INSTALLED="INSTALLED"
#STATUS_LOCAL_ONLY="LOCAL ONLY"
#STATUS_MEDIUM="MEDIUM"
STATUS_HARDENED="SIKILAŞTIRILDI"
STATUS_INSTALLED="KURULU"
STATUS_LOCAL_ONLY="YALNIZCA YEREL"
STATUS_MEDIUM="ORTA"
STATUS_NO="HAYIR"
#STATUS_NON_DEFAULT="NON DEFAULT"
STATUS_NO_UPDATE="GÜNCELLEME YOK"
STATUS_NON_DEFAULT="ÖNTANIMLI OLMAYAN"
STATUS_NONE="YOK"
#STATUS_NOT_CONFIGURED="NOT CONFIGURED"
#STATUS_NOT_DISABLED="NOT DISABLED"
#STATUS_NOT_ENABLED="NOT ENABLED"
STATUS_NOT_ACTIVE="ETKİN DEĞİL"
STATUS_NOT_CONFIGURED="YAPILANDIRILMADI"
STATUS_NOT_DISABLED="DEVRE DIŞI BIRAKILMADI"
STATUS_NOT_ENABLED="ETKİNLEŞTİRİLMEDİ"
STATUS_NOT_FOUND="BULUNAMADI"
STATUS_NOT_RUNNING="ÇALIŞMIYOR"
#STATUS_NO_UPDATE="NO UPDATE"
STATUS_OFF="KAPALI"
STATUS_OK="TAMAM"
STATUS_ON="AÇIK"
#STATUS_PARTIALLY_HARDENED="PARTIALLY HARDENED"
#STATUS_PROTECTED="PROTECTED"
STATUS_PARTIALLY_HARDENED="KISMEN SIKILAŞTIRILDI"
STATUS_PROTECTED="KORUMALI"
STATUS_RUNNING="ÇALIŞIYOR"
STATUS_SKIPPED="ATLANDI"
STATUS_SUGGESTION="ÖNERİ"
STATUS_UNKNOWN="BİLİNMİYOR"
#STATUS_UNSAFE="UNSAFE"
#STATUS_UPDATE_AVAILABLE="UPDATE AVAILABLE"
STATUS_UNSAFE="GÜVENLİ DEĞİL"
STATUS_UPDATE_AVAILABLE="GÜNCELLEME VAR"
STATUS_WARNING="UYARI"
#STATUS_WEAK="WEAK"
STATUS_WEAK="ZAYIF"
STATUS_YES="EVET"
TEXT_UPDATE_AVAILABLE="güncelleme mevcut"
TEXT_YOU_CAN_HELP_LOGFILE="Log dosyanızı göndererek yardımcı olabilirsiniz"
TEXT_UPDATE_AVAILABLE="güncelleme var"
TEXT_YOU_CAN_HELP_LOGFILE="Günlük dosyanızı göndererek yardımcı olabilirsiniz"
#SECTION_KERBEROS="Kerberos"
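Review bot: `STATUS_ENABLED="ETKİNLEŞTİRİL"` looks truncated: the removed line had `ETKİNLEŞTİRİLMİŞ`, and the form matching the new `STATUS_DISABLED="DEVRE DIŞI BIRAKILDI"` would be `ETKİNLEŞTİRİLDİ`. Three values carry a leading space inside the quotes (`GEN_CHECKING=" Denetleniyor"`, `STATUS_ACTIVE=" ETKİN"`, `STATUS_CHECK_NEEDED=" DENETİM GEREKLI"`) that will be printed as part of the string; strip it, and note `GEREKLI` should be `GEREKLİ` with the dotted İ. `SECTION_MALWARE="Yazılım: Kötü Amaçlı Yazılım"` adds a "Software:" prefix that the English key (`Malware`) does not have. The SECTION_DATA_UPLOAD / SECTION_DATABASES pair is also swapped relative to the sorted order used elsewhere.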

View File

@ -14,8 +14,31 @@
# For rolling releases or releases that do not (currently have an EOL date, leave field three empty and set field four to -1.
# Full string for CentOS can be something like 'CentOS Linux 8 (Core)'. As this does not correctly match, shorter string is used for matching.
#
# AIX - https://www.ibm.com/support/pages/aix-support-lifecycle-information
#
os:AIX 7300-02:2026-11-30:1796032800:
os:AIX 7300-01:2025-12-31:1767175200:
os:AIX 7300-00:2024-12-31:1735639200:
os:AIX 7200-05::-1:
os:AIX 7200-04:2022-11-30:1669802400:
os:AIX 7200-03:2021-09-30:1632996000:
os:AIX 7200-02:2020-10-31:1604138400:
os:AIX 7200-01:2019-11-30:1575108000:
os:AIX 7200-00:2018-12-30:1546164000:
os:AIX 7100:2023-04-30:1682848800:
os:AIX 6:2017-04-30:1493546400:
os:AIX 5:2012-04-30:1335780000:
os:AIX 4:2003-12-31:1072864800:
os:AIX 3:1997-12-31:883562400:
#
# Alpine - https://alpinelinux.org/releases/
#
os:Alpine 3.19:2025-11-01:1761955200
os:Alpine 3.18:2025-05-09:1746748800
os:Alpine 3.17:2024-11-22:1732233600
os:Alpine 3.16:2024-05-23:1716422400
os:Alpine 3.15:2023-11-01:1698793200
os:Alpine 3.14:2023-05-01:1682899200
os:Alpine 3.13:2022-11-01:1667275200
os:Alpine 3.12:2022-05-01:1651377600
os:Alpine 3.11:2021-11-01:1635739200
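Review bot: the Alpine block stops at 3.19, so Alpine 3.20 and 3.21 (both released in 2024) will not match any entry and the EOL check will report nothing for them; since this patch already refreshes the list with 2025 dates, those two rows should be added now. The AIX block is fine, though `os:AIX 7200-05::-1:` marks an old TL as rolling while every other dated AIX row has an end date; confirm that is intentional.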
@ -26,8 +49,9 @@ os:Alpine 3.8:2020-05-01:1588305600
# Amazon Linux
#
# Note: shortest entry is listed at end due to regular expression matching being used
os:Amazon Linux 2:2023-06-26:1687730400:
os:Amazon Linux:2020-06-30:1593468000:
os:Amazon Linux 2023:2029-06-30:1877464800:
os:Amazon Linux 2:2026-06-30:1782863999:
os:Amazon Linux:2023-12-31:1703980800:
#
# Arch Linux
#
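Review bot: `os:Amazon Linux 2:2026-06-30:1782863999:` uses 23:59:59 UTC as the epoch while every other row in the file uses midnight; harmless for the comparison, but worth normalising so the column stays predictable. The ordering still honours the "shortest entry last" note above, since `Amazon Linux 2023` now precedes `Amazon Linux 2`.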
@ -38,16 +62,19 @@ os:Arch Linux::-1:
os:CentOS release 5:2017-03-31:1490911200:
os:CentOS release 6:2020-11-30:1606690800:
os:CentOS Linux 7:2024-06-30:1719698400:
os:CentOS Linux 8:2029-05-31:1874872800:
os:CentOS Linux 8:2021-12-31:1640905200:
#
# Debian - https://wiki.debian.org/DebianReleases#Production_Releases
# https://wiki.debian.org/LTS
#
os:Debian 5.0:2012-02-06:1328482800:
os:Debian 6.0:2016-02-29:1456700400:
os:Debian 7:2018-05-31:1527717600:
os:Debian 8:2020-06-30:1593468000:
os:Debian 9:2022-01-01:1640991600:
os:Debian 10:2022-01-01:1640991600:
os:Debian 9:2022-06-30:1656547200:
os:Debian 10:2022-09-10:1665266400:
os:Debian 11:2024-07-01:1719784800:
os:Debian 12:2028-06-30:1845936000:
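Review bot: the epoch in `os:Debian 10:2022-09-10:1665266400:` does not match its date: 1665266400 is 2022-10-08 22:00 UTC, whereas 2022-09-10 at midnight UTC is 1662768000, so if the fourth field is what the comparison uses, Debian 10 is reported supported four weeks too long. The rows also mix policies: 2022-06-30 for Debian 9 and 2028-06-30 for Debian 12 are end-of-LTS dates, while 2022-09-10 for Debian 10 is the end of regular security support (its LTS ran to 2024-06-30); the header cites both the release page and the LTS page, so pick one and apply it to all four rows.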
#
# Fedora - https://fedoraproject.org/wiki/End_of_life
#
@ -106,14 +133,14 @@ os:macOS High Sierra \(10.13.2\):2018-01-23:1516662000:
os:macOS High Sierra \(10.13.3\):2018-03-29:1522274400:
os:macOS High Sierra \(10.13.4\):2018-06-01:1527804000:
os:macOS High Sierra \(10.13.5\):2018-07-09:1531087200:
os:macOS High Sierra \(10.13.6\)::-1:
os:macOS High Sierra \(10.13.6\)::2020-12-01:1606780800:
os:macOS Mojave \(10.14\):2018-10-30:1540854000:
os:macOS Mojave \(10.14.1\):2018-12-05:1543964400:
os:macOS Mojave \(10.14.2\):2019-01-22:1548111600:
os:macOS Mojave \(10.14.3\):2019-03-25:1553468400:
os:macOS Mojave \(10.14.4\):2019-05-13:1557698400:
os:macOS Mojave \(10.14.5\):2019-07-22:1563746400:
os:macOS Mojave \(10.14.6\)::-1:
os:macOS Mojave \(10.14.6\)::2021-10-25:1635120000:
os:macOS Catalina \(10.15\):2019-10-29:1572303600:
os:macOS Catalina \(10.15.1\):2019-12-10:1575932400:
os:macOS Catalina \(10.15.2\):2020-01-28:1580166000:
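Review bot: `os:macOS High Sierra \(10.13.6\)::2020-12-01:1606780800:` keeps the double colon from the old `::-1:` form, so the fields are shifted: the third field is empty and the fourth holds the date instead of the epoch. Drop one colon so it reads `os:macOS High Sierra \(10.13.6\):2020-12-01:1606780800:`, in line with the 10.13.5 row above it; the Mojave 10.14.6 row in this hunk has the same defect.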
@ -121,7 +148,12 @@ os:macOS Catalina \(10.15.3\):2020-03-24:1585004400:
os:macOS Catalina \(10.15.4\):2020-05-26:1590444000:
os:macOS Catalina \(10.15.5\):2020-07-15:1594764000:
os:macOS Catalina \(10.15.6\):2020-09-24:1600898400:
os:macOS Catalina \(10.15.7\)::-1:
os:macOS Catalina \(10.15.7\)::2022-09-12:1662940800:
os:macOS Big Sur \(11.7.10\):2023-09-26:1695686400:
os:macOS Monterey \(12.7.6\):2024-09-16:1726444800:
os:macOS Ventura \(13.7.2\)::-1:
os:macOS Sonoma \(14.7.2\)::-1:
os:macOS Sequoia \(15.2\)::-1:
#
# Mageia - https://www.mageia.org/en/support/
#
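Review bot: `os:macOS Catalina \(10.15.7\)::2022-09-12:1662940800:` has the same field shift as the High Sierra and Mojave rows (double colon before the date); one colon needs to go. For the new rows, the pattern includes the exact point release (`\(11.7.10\)`, `\(12.7.6\)`), so a host still on 11.7.9 or any earlier Big Sur build matches nothing and gets no EOL warning at all; a looser pattern for the major version, or additional rows, would cover those hosts.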
@ -132,6 +164,7 @@ os:Mageia 4:2015-09-19:1442613600
os:Mageia 5:2017-12-31:1514674800
os:Mageia 6:2019-09-30:1569794400
os:Mageia 7:2020-12-30:1609282800
os:Mageia 8::-1
#
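Review bot: `os:Mageia 8::-1` marks Mageia 8 as having no end of life, but it has already been retired (late 2023), and Mageia 9 is absent from the block; both rows need a date, and Mageia 8 should not be flagged as rolling.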
# NetBSD - https://www.netbsd.org/support/security/release.html and
# https://www.netbsd.org/releases/formal.html
@ -194,6 +227,11 @@ os:OpenBSD 6.4:2019-10-17:1571270400:
os:OpenBSD 6.5:2020-05-19:1589846400:
os:OpenBSD 6.6:2020-10-01:1601510400:
os:OpenBSD 6.7:2021-05-01:1619827200:
os:OpenBSD 6.8:2021-10-14:1665698400:
os:OpenBSD 6.9:2022-04-21:1650492000:
os:OpenBSD 7.0:2022-10-20:1666216800:
os:OpenBSD 7.1:2023-05-01:1682892000:
os:OpenBSD 7.2::-1
#
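Review bot: the epoch in `os:OpenBSD 6.8:2021-10-14:1665698400:` is a year off: 1665698400 is 2022-10-13 22:00 UTC, while the stated date (correct, 6.8 was retired with the 7.0 release) corresponds to 1634162400. `os:OpenBSD 7.2::-1` is also out of step: it lacks the trailing colon that the other OpenBSD rows carry, and 7.2 is no longer supported (OpenBSD supports only the two most recent releases, so 7.2 was retired when 7.4 shipped in October 2023); 7.3 onwards are missing as well.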
# Red Hat Enterprise Linux - https://access.redhat.com/labs/plcc/
#
@ -237,6 +275,7 @@ os:Ubuntu 18.04:2023-05-01:1682892000:
os:Ubuntu 18.10:2019-07-18:1563400800:
os:Ubuntu 19.04:2020-01-01:1577833200:
os:Ubuntu 20.04:2025-04-01:1743458400:
os:Ubuntu 22.04:2027-04-01:1806537600:
#
# OmniosCE - https://omniosce.org/releasenotes.html
#
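Review bot: only `os:Ubuntu 22.04` is added after 20.04, so the interim releases in between and 24.04 LTS remain unmatched; with 22.04 present it is worth adding 24.04 in the same change so that current LTS hosts get an entry.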

View File

@ -136,7 +136,7 @@ FILE-7524:test:security:file_permissions::Perform file permissions check:
FINT-4310:test:security:file_integrity::AFICK availability:
FINT-4314:test:security:file_integrity::AIDE availability:
FINT-4315:test:security:file_integrity::Check AIDE configuration file:
FINT-4316:test:security:file_integirty::Presence of AIDE database and size check:
FINT-4316:test:security:file_integrity::Presence of AIDE database and size check:
FINT-4318:test:security:file_integrity::Osiris availability:
FINT-4322:test:security:file_integrity::Samhain availability:
FINT-4326:test:security:file_integrity::Tripwire availability:
@ -148,6 +148,7 @@ FINT-4338:test:security:file_integrity::osqueryd syscheck daemon running:
FINT-4339:test:security:file_integrity:Linux:Check IMA/EVM Status
FINT-4340:test:security:file_integrity:Linux:Check dm-integrity status
FINT-4341:test:security:file_integrity:Linux:Check dm-verity status
FINT-4344:test:security:file_integrity::Wazuh syscheck daemon running:
FINT-4350:test:security:file_integrity::File integrity software installed:
FINT-4402:test:security:file_integrity::Checksums (SHA256 or SHA512):
FIRE-4502:test:security:firewalls:Linux:Check iptables kernel module:
@ -204,7 +205,7 @@ INSE-8200:test:security:insecure_services::Usage of TCP wrappers:
INSE-8300:test:security:insecure_services::Presence of rsh client:
INSE-8302:test:security:insecure_services::Presence of rsh server:
INSE-8310:test:security:insecure_services::Presence of telnet client:
INSE-8312:test:security:insecure_services::Presence of telnet server:
INSE-8322:test:security:insecure_services::Presence of telnet server:
INSE-8314:test:security:insecure_services::Presence of NIS client:
INSE-8316:test:security:insecure_services::Presence of NIS server:
INSE-8318:test:security:insecure_services::Presence of TFTP client:
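Review bot: renumbering `INSE-8312` to `INSE-8322` changes a stable identifier that users reference in profiles (skip-test entries), in reports and in the online control documentation; if the old ID collided with another test, say so in the commit message, otherwise keep 8312. As written the new row also sits out of numeric order (8322 before 8314 and 8316).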
@ -265,6 +266,7 @@ MAIL-8838:test:security:mail_messaging::Check dovecot process:
MAIL-8860:test:security:mail_messaging::Check Qmail status:
MAIL-8880:test:security:mail_messaging::Check Sendmail status:
MAIL-8920:test:security:mail_messaging::Check OpenSMTPD status:
MALW-3274:test:security:malware::Check for McAfee VirusScan Command Line Scanner:
MALW-3275:test:security:malware::Check for chkrootkit:
MALW-3276:test:security:malware::Check for Rootkit Hunter:
MALW-3278:test:security:malware::Check for LMD:
@ -274,6 +276,7 @@ MALW-3284:test:security:malware::Check for clamd:
MALW-3286:test:security:malware::Check for freshclam:
MALW-3288:test:security:malware::Check for ClamXav:
MALW-3290:test:security:malware::Presence of malware scanner:
MALW-3291:test:security:malware::Check for Microsoft Defender Antivirus:
NAME-4016:test:security:nameservices::Check /etc/resolv.conf default domain:
NAME-4018:test:security:nameservices::Check /etc/resolv.conf search domains:
NAME-4020:test:security:nameservices::Check non default options:
@ -322,6 +325,7 @@ PHP-2376:test:security:php::Check PHP allow_url_fopen option:
PHP-2378:test:security:php::Check PHP allow_url_include option:
PHP-2379:test:security:php::Check PHP suhosin extension status:
PHP-2382:test:security:php::Check PHP listen option:
PKGS-7200:test:security:ports_packages:Linux:Check Alpine Package Keeper (apk):
PKGS-7301:test:security:ports_packages::Query NetBSD pkg:
PKGS-7302:test:security:ports_packages::Query FreeBSD/NetBSD pkg_info:
PKGS-7303:test:security:ports_packages::Query brew package manager:
@ -358,6 +362,7 @@ PKGS-7390:test:security:ports_packages:Linux:Check Ubuntu database consistency:
PKGS-7392:test:security:ports_packages:Linux:Check for Debian/Ubuntu security updates:
PKGS-7393:test:security:ports_packages::Check for Gentoo vulnerable packages:
PKGS-7394:test:security:ports_packages:Linux:Check for Ubuntu updates:
PKGS-7395:test:security:ports_packages:Linux:Check Alpine upgradeable packages:
PKGS-7398:test:security:ports_packages::Check for package audit tool:
PKGS-7410:test:security:ports_packages::Count installed kernel packages:
PKGS-7420:test:security:ports_packages::Detect toolkit to automatically download and apply upgrades:
@ -434,8 +439,9 @@ TOOL-5102:test:security:tooling::Check for presence of Fail2ban:
TOOL-5104:test:security:tooling::Enabled tests for Fail2ban:
TOOL-5120:test:security:tooling::Presence of Snort IDS:
TOOL-5122:test:security:tooling::Snort IDS configuration file:
TOOL-5128:test:security:tooling::Check for active Wazuh daemon:
TOOL-5130:test:security:tooling::Check for active Suricata daemon:
TOOL-5160:test:security:tooling::Check for active OSSEC daemon:
TOOL-5126:test:security:tooling::Check for active OSSEC daemon:
TOOL-5190:test:security:tooling::Check presence of available IDS/IPS tooling:
USB-1000:test:security:storage:Linux:Check if USB storage is disabled:
USB-2000:test:security:storage:Linux:Check USB authorizations:
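Review bot: Renumbering the OSSEC test from TOOL-5160 to TOOL-5126 (the last two changed lines of this hunk) silently breaks every custom profile that carries `skip-test=TOOL-5160` and every report consumer keyed on the old ID; if the renumber is intended, mention it in the changelog and consider keeping TOOL-5160 as a deprecated alias for one release. The new TOOL-5126 line is also placed after TOOL-5128 and TOOL-5130, so the tooling block is no longer sorted by test ID.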


@ -144,6 +144,7 @@ plugin=software
plugin=system-integrity
plugin=systemd
plugin=users
plugin=krb5
# Disable a particular plugin (will overrule an enabled plugin)
#disable-plugin=authentication
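Review bot: `plugin=krb5` is appended after `plugin=users`, which breaks the alphabetical order of the enabled-plugin list; move it to its sorted position above `plugin=software`. Since an enabled plugin is loaded unconditionally, the krb5 plugin itself should handle hosts without kadmin.local/kdb5_util quietly (the changelog notes an "unable to get default realm" error that came from exactly this situation).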
@ -197,7 +198,7 @@ config-data=sysctl;kernel.exec-shield;1;1;No description;sysctl -a;url:https;//k
config-data=sysctl;kernel.kptr_restrict;2;1;Restrict access to kernel symbols;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.maps_protect;1;1;Restrict access to /proc/[pid]/maps;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.modules_disabled;1;1;Restrict module loading once this sysctl value is loaded;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.perf_event_paranoid;3;1;Restrict unprivileged access to the perf_event_open() system call.;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.perf_event_paranoid;2|3|4;1;Restrict unprivileged access to the perf_event_open() system call.;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.randomize_va_space;2;1;Randomize of memory address locations (ASLR);sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.suid_dumpable;0;1;Restrict core dumps;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.sysrq;0;1;Disable magic SysRQ;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
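Review bot: Accepting `2|3|4` for kernel.perf_event_paranoid removes the false finding on mainline kernels, where 2 is the highest value the kernel implements, but it also reports a host set to 2 as hardened although 2 only blocks kernel profiling; unprivileged users can still call perf_event_open() on their own processes, and only 3 or higher (the Debian/Ubuntu/Android patch) blocks the syscall for them entirely. Either keep 3 as the expected value where the kernel supports it, or reword the description, which still claims unprivileged access to perf_event_open() is restricted. Minor: the description ends with a period unlike the neighbouring entries.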


@ -238,7 +238,7 @@
echo "[*] Starting with DEB building process"
DEBCHANGELOGFULLVERSION=$(head -1 ../debian/changelog | awk '{ print $2 }' | sed 's/(//' | sed 's/)//')
DEBCHANGELOGFULLVERSION=$(head -n 1 ../debian/changelog | awk '{ print $2 }' | sed 's/(//' | sed 's/)//')
DEBCHANGELOGVERSION=$(echo ${DEBCHANGELOGFULLVERSION} | awk -F- '{ print $1 }')
DEBCHANGELOGVERSIONREV=$(echo ${DEBCHANGELOGFULLVERSION} | awk -F- '{ print $2 }')
if [ "${LYNIS_VERSION}" = "${DEBCHANGELOGVERSION}" ]; then
@ -251,7 +251,7 @@
# BZRSTATUS=$(${BZRBINARY} status . 2>&1 > /dev/null; echo $?)
# if [ "${BZRSTATUS}" = "0" ]; then
# echo "[V] bzr has proper directory tree"
# DEBCHANGELOGFULLVERSION=$(head -1 debian/changelog | awk '{ print $2 }' | sed 's/(//' | sed 's/)//')
# DEBCHANGELOGFULLVERSION=$(head -n 1 debian/changelog | awk '{ print $2 }' | sed 's/(//' | sed 's/)//')
# DEBCHANGELOGVERSION=$(echo ${DEBCHANGELOGFULLVERSION} | awk -F- '{ print $1 }')
# DEBCHANGELOGVERSIONREV=$(echo ${DEBCHANGELOGFULLVERSION} | awk -F- '{ print $2 }')
# echo "[=] Version in Debian changelog: ${DEBCHANGELOGVERSION} (revision: ${DEBCHANGELOGVERSIONREV})"
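Review bot: This hunk only updates a commented-out bzr block; the live code a few lines above already does the same parsing with `head -n 1`, so rather than keeping dead code in sync, drop the commented block altogether.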


@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Website : https://cisofy.com/
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -134,6 +133,7 @@
aide) AIDEBINARY=${BINARY}; LogText " Found known binary: aide (file integrity checker) - ${BINARY}" ;;
apache2) HTTPDBINARY=${BINARY}; LogText " Found known binary: apache2 (web server) - ${BINARY}" ;;
apt) APTBINARY=${BINARY}; LogText " Found known binary: apt (package manager) - ${BINARY}" ;;
apk) APKBINARY=${BINARY}; LogText " Found known binary: apk (package manager) - ${BINARY}" ;;
arch-audit) ARCH_AUDIT_BINARY="${BINARY}"; LogText " Found known binary: arch-audit (auditing utility to test for vulnerable packages) - ${BINARY}" ;;
auditd) AUDITDBINARY=${BINARY}; LogText " Found known binary: auditd (audit framework) - ${BINARY}" ;;
awk) AWKBINARY=${BINARY}; LogText " Found known binary: awk (string tool) - ${BINARY}" ;;
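Review bot: `apk)` is inserted below `apt)`, so the case list is no longer alphabetical; move it above `apt)`. The matching `APKBINARY=""` initialisation in the constants hunk has the same ordering issue.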
@ -168,7 +168,6 @@
domainname) DOMAINNAMEBINARY="${BINARY}"; LogText " Found known binary: domainname (NIS domain) - ${BINARY}" ;;
dpkg) DPKGBINARY="${BINARY}"; LogText " Found known binary: dpkg (package management) - ${BINARY}" ;;
xbps-query) XBPSBINARY="${BINARY}"; LogText " Found known binary: xbps (package management) - ${BINARY}" ;;
egrep) EGREPBINARY=${BINARY}; LogText " Found known binary: egrep (text search) - ${BINARY}" ;;
equery) EQUERYBINARY="${BINARY}"; LogText " Found known binary: query (package manager) - ${BINARY}" ;;
evmctl) EVMCTLBINARY=${BINARY}; LogText " Found known binary: evmctl (IMA/EVM tool) - ${BINARY}" ;;
exim) EXIMBINARY="${BINARY}"; EXIMVERSION=$(${BINARY} -bV | grep 'Exim version' | awk '{ print $3 }' | xargs); LogText " Found known binary ${BINARY} (version ${EXIMVERSION})" ;;
@ -196,6 +195,8 @@
iptables-save) IPTABLESSAVEBINARY="${BINARY}"; LogText " Found known binary: iptables-save (firewall) - ${BINARY}" ;;
istat) ISTATBINARY="${BINARY}"; LogText " Found known binary: istat (file information) - ${BINARY}" ;;
journalctl) JOURNALCTLBINARY="${BINARY}"; LogText " Found known binary: journalctl (systemd journal) - ${BINARY}" ;;
kadmin.local) KADMINLOCALBINARY="${BINARY}"; LogText " Found known binary: kadmin.local (krb5) - ${BINARY}" ;;
kdb5_util) KDB5UTILBINARY="${BINARY}"; LogText " Found known binary: kdb5_util (krb5) - ${BINARY}" ;;
kldstat) KLDSTATBINARY="${BINARY}"; LogText " Found known binary: kldstat (kernel modules) - ${BINARY}" ;;
kstat) KSTATBINARY="${BINARY}"; LogText " Found known binary: kstat (kernel statistics) - ${BINARY}" ;;
launchctl) LAUNCHCTL_BINARY="${BINARY}"; SERVICE_MANAGER="launchd"; LogText " Found known binary: launchctl (launchd client) - ${BINARY}" ;;
@ -336,11 +337,19 @@
Report "binaries_sgid_count=${SGID_BINARIES}"
Report "binary_paths=${BINARY_PATHS_FOUND}"
# If grep is capable of extended regexp, use that instead of egrep to avoid annoying warning
if [ "${GREPBINARY:-}" ] ; then
${GREPBINARY} --help 2> /dev/null | ${GREPBINARY} -e "extended-regexp" > /dev/null
if [ $? -eq 0 ] ; then
EGREPBINARY="${GREPBINARY} -E"
fi
fi
# Test if the basic system tools are defined. These will be used during the audit.
[ "${AWKBINARY:-}" ] || ExitFatal "awk binary not found"
[ "${CAT_BINARY:-}" ] || ExitFatal "cat binary not found"
[ "${CUTBINARY:-}" ] || ExitFatal "cut binary not found"
[ "${EGREPBINARY:-}" ] || ExitFatal "egrep binary not found"
[ "${FINDBINARY:-}" ] || ExitFatal "find binary not found"
[ "${GREPBINARY:-}" ] || ExitFatal "grep binary not found"
[ "${HEADBINARY:-}" ] || ExitFatal "head binary not found"
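Review bot: With the `egrep)` case removed from the binary scan (hunk `@ -168,7 +168,6`), the `--help` probe in this hunk is the only thing that sets EGREPBINARY, and the probe is not portable: busybox and the BSD greps print their usage to stderr (discarded here by `2> /dev/null`) and describe `-E` without the literal string `extended-regexp`, so on those systems EGREPBINARY stays empty and the `ExitFatal "egrep binary not found"` check a few lines down aborts the audit even though `grep -E` works. Probe the capability rather than the help text, e.g. `echo ab | ${GREPBINARY} -E 'a|x' > /dev/null 2>&1 && EGREPBINARY="${GREPBINARY} -E"` (POSIX requires `-E`, so this should succeed everywhere), and fall back to a detected egrep binary before failing.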
@ -365,6 +374,4 @@
fi
#
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
# EOF


@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Website : https://cisofy.com/
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -43,6 +42,7 @@ ETC_PATHS="/etc /usr/local/etc"
# == Variable initializing ==
#
APTBINARY=""
APKBINARY=""
ARCH_AUDIT_BINARY=""
AUDITORNAME=""
AUDITCTLBINARY=""
@ -168,8 +168,10 @@ ETC_PATHS="/etc /usr/local/etc"
MACHINEID=""
MACHINE_ROLE=""
MALWARE_SCANNER_INSTALLED=0
MDATPBINARY=""
MIN_PASSWORD_LENGTH=-1
MONGODB_RUNNING=0
MONOLITHIC_KERNEL_TESTED=0
MOUNTBINARY=""
MTREEBINARY=""
MYSQLCLIENTBINARY=""
@ -297,7 +299,9 @@ ETC_PATHS="/etc /usr/local/etc"
SSL_CERTIFICATE_INCLUDE_PACKAGES=0
SSL_CERTIFICATE_PATHS=""
SSL_CERTIFICATE_PATHS_TO_IGNORE=""
STATUS_NOT_ACTIVE=""
STUNNELBINARY=""
SURICATABINARY=""
SWUPDBINARY=""
SYSLOGNGBINARY=""
SYSTEMCTLBINARY=""
@ -414,9 +418,4 @@ ETC_PATHS="/etc /usr/local/etc"
OK="${GREEN}"
BAD="${RED}"
#
#################################################################################
#
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
# EOF


@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Website : https://cisofy.com/
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -272,6 +271,4 @@
ExitFatal
fi
#
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
# EOF


@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Website : https://cisofy.com/
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -941,7 +940,7 @@
done
fi
if [ ! "${SHA1SUMBINARY}" = "" -o ! "${OPENSSLBINARY}" = "" -o ! "${CSUMBINARY}" = "" ]; then
if [ ! "${SHA1SUMBINARY}" = "" -o ! "${SHA256SUMBINARY}" = "" -o ! "${OPENSSLBINARY}" = "" -o ! "${CSUMBINARY}" = "" ]; then
LogText "Info: found hashing tool, start generation of HostID"
case "${OS}" in
@ -968,7 +967,7 @@
;;
"DragonFly" | "FreeBSD")
FIND=$(${IFCONFIGBINARY} | grep ether | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
FIND=$(${IFCONFIGBINARY} | grep ether | head -n 1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
if HasData "${FIND}"; then
HOSTID=$(echo ${FIND} | sha1)
else
@ -996,7 +995,7 @@
for INTERFACE in ${NET_INTERFACES}; do
if grep -q -s 'up' "/sys/class/net/${INTERFACE}/operstate"; then
LogText "Interface '${INTERFACE}' is up, fetching MAC address"
FIND=$(head -1 "/sys/class/net/${INTERFACE}/address" | tr '[:upper:]' '[:lower:]')
FIND=$(head -n 1 "/sys/class/net/${INTERFACE}/address" | tr '[:upper:]' '[:lower:]')
if HasData "${FIND}"; then
HOSTID_GEN="linux-sys-interface-up"
break
@ -1010,7 +1009,7 @@
LogText "Info: trying output from 'ip' to generate HostID"
# Determine if we have the common available eth0 interface. If so, give that priority.
# Note: apply sorting in case there would be multiple MAC addresses linked to increase predictable end result
FIND=$(${IPBINARY} addr show eth0 2> /dev/null | grep -E "link/ether " | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]' | sort | head -1)
FIND=$(${IPBINARY} addr show eth0 2> /dev/null | grep -E "link/ether " | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]' | sort | head -n 1)
if HasData "${FIND}"; then
HOSTID_GEN="linux-ip-interface-eth0"
else
@ -1020,7 +1019,7 @@
# 3) Convert everything to lowercase
# 4) Sort the entries, so that the output is more predictable between runs when the same interfaces are available
# 5) Select first entry
FIND=$(${IPBINARY} -family link addr show up 2> /dev/null | awk '{if($1=="link/ether" && $2 !~ "^02:42:"){print $2}}' | tr '[:upper:]' '[:lower:]' | sort | head -1)
FIND=$(${IPBINARY} -family link addr show up 2> /dev/null | awk '{if($1=="link/ether" && $2 !~ "^02:42:"){print $2}}' | tr '[:upper:]' '[:lower:]' | sort | head -n 1)
if HasData "${FIND}"; then
HOSTID_GEN="linux-ip-interface-up-other"
else
@ -1049,7 +1048,7 @@
HOSTID_GEN="linux-ifconfig-interface-eth0-ether"
fi
else
FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep "ether " | awk '{ print $2 }' | head -1 | tr '[:upper:]' '[:lower:]')
FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep "ether " | awk '{ print $2 }' | head -n 1 | tr '[:upper:]' '[:lower:]')
if IsEmpty "${FIND}"; then
ReportException "GetHostID" "No eth0 found (and no ether was found with ifconfig)"
else
@ -1058,7 +1057,7 @@
fi
fi
else
FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep HWaddr | head -1 | awk '{ print $5 }' | tr '[:upper:]' '[:lower:]')
FIND=$(${IFCONFIGBINARY} 2> /dev/null | grep HWaddr | head -n 1 | awk '{ print $5 }' | tr '[:upper:]' '[:lower:]')
HOSTID_GEN="linux-ifconfig-interface-first-hwaddr"
fi
else
@ -1069,7 +1068,12 @@
# Check if we found a MAC address to generate the HostID
if HasData "${FIND}"; then
LogText "Info: using hardware address '${FIND}' to create HostID"
HOSTID=$(echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }')
if [ -n "${SHA1SUMBINARY}" ]; then
HOSTID=$(echo ${FIND} | ${SHA1SUMBINARY} | awk '{ print $1 }')
elif [ -n "${SHA256SUMBINARY}" ]; then
# Truncate hash to match SHA1 length
HOSTID=$(echo ${FIND} | ${SHA256SUMBINARY} | awk '{ print $1 }' | head -c 40)
fi
LogText "Result: Found HostID: ${HOSTID}"
else
ReportException "GetHostID" "HostID could not be generated"
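Review bot: The new if/elif has no branch for the openssl and csum cases that the widened guard in hunk `@ -941,7 +940,7` lets through, so on a Linux host with openssl but neither sha1sum nor sha256sum HOSTID stays empty and the code logs `Result: Found HostID:` with nothing after it instead of reporting an exception; add an `elif [ -n "${OPENSSLBINARY}" ]` branch (`${OPENSSLBINARY} sha1 | awk '{ print $NF }'`) or an `else` that calls ReportException. Separately, a truncated SHA-256 of the MAC is a different value from its SHA-1, so the same machine gets a different HostID depending on which hash tool happens to be installed (a busybox image that later gains coreutils, for instance); since HostID identifies the host across reports, record the algorithm used alongside HOSTID_GEN or prefer one algorithm consistently. The comment "Truncate hash to match SHA1 length" should also make clear that the result is not a SHA-1.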
@ -1077,7 +1081,7 @@
;;
"macOS")
FIND=$(${IFCONFIGBINARY} en0 | grep ether | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
FIND=$(${IFCONFIGBINARY} en0 | grep ether | head -n 1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
if [ ! "${FIND}" = "" ]; then
HOSTID=$(echo ${FIND} | shasum | awk '{ print $1 }')
else
@ -1099,7 +1103,7 @@
;;
"NetBSD")
FIND=$(${IFCONFIGBINARY} -a | grep "address:" | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
FIND=$(${IFCONFIGBINARY} -a | grep "address:" | head -n 1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
if HasData "${FIND}"; then
HOSTID=$(echo ${FIND} | sha1)
else
@ -1108,7 +1112,7 @@
;;
"OpenBSD")
FIND=$(${IFCONFIGBINARY} | grep "lladdr " | head -1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
FIND=$(${IFCONFIGBINARY} | grep "lladdr " | head -n 1 | awk '{ print $2 }' | tr '[:upper:]' '[:lower:]')
if HasData "${FIND}"; then
HOSTID=$(echo ${FIND} | sha1)
else
@ -1156,7 +1160,7 @@
fi
else
ReportException "GetHostID" "Can't create HOSTID as there is no SHA1 hash tool available (sha1, sha1sum, openssl)"
ReportException "GetHostID" "Can't create HOSTID as there is no hash tool available (sha1, sha1sum, openssl, truncated sha256sum)"
fi
# Search machine ID
@ -1164,7 +1168,7 @@
# Optional: DBUS creates ID as well with dbus-uuidgen and is stored in /var/lib/dbus-machine-id (might be symlinked to /etc/machine-id)
sMACHINEIDFILE="/etc/machine-id"
if [ -f ${sMACHINEIDFILE} ]; then
FIND=$(head -1 ${sMACHINEIDFILE} | grep "^[a-f0-9]")
FIND=$(head -n 1 ${sMACHINEIDFILE} | grep "^[a-f0-9]")
if [ "${FIND}" = "" ]; then
MACHINEID="${FIND}"
fi
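Review bot: The condition in the trailing context of this hunk is inverted: `if [ "${FIND}" = "" ]; then MACHINEID="${FIND}"` assigns MACHINEID only when nothing was read, so it always ends up empty. It should be `if [ ! "${FIND}" = "" ]` (or `if HasData "${FIND}"`, as the rest of the function does). Since the line is being touched anyway, quote `${sMACHINEIDFILE}` as well.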
@ -1199,10 +1203,9 @@
LogText "Info: start generation of HostID (version 2)"
FOUND=0
DATA_SSH=""
# Use public keys
SSH_KEY_FILES="ssh_host_ed25519_key.pub ssh_host_ecdsa_key.pub ssh_host_dsa_key.pub ssh_host_rsa_key.pub"
if [ -d /etc/ssh ]; then
for I in ${SSH_KEY_FILES}; do
SSH_PUBKEY_FILES="ssh_host_ed25519_key.pub ssh_host_ecdsa_key.pub ssh_host_dsa_key.pub ssh_host_rsa_key.pub"
for I in ${SSH_PUBKEY_FILES}; do
if [ ${FOUND} -eq 0 ]; then
if [ -f /etc/ssh/${I} ]; then
LogText "Result: found file ${I} in /etc/ssh, using that as candidate to create hostid2"
@ -1211,8 +1214,20 @@
fi
fi
done
elif [ -d /etc/dropbear ]; then
SSH_KEY_FILES="dropbear_ed25519_host_key dropbear_rsa_host_key"
for I in ${SSH_KEY_FILES}; do
if [ ${FOUND} -eq 0 ]; then
if [ -f "/etc/dropbear/${I}" ]; then
LogText "Result: found file ${I} in /etc/dropbear, using that as candidate to create hostid2"
# Dropbear stores both keys in one binary file
DATA_SSH=$(dropbearkey -y -f "/etc/dropbear/${I}" | grep '^ssh')
FOUND=1
fi
fi
done
else
LogText "Result: no /etc/ssh directory found, skipping"
LogText "Result: no /etc/ssh nor /etc/dropbear directory found, skipping"
fi
STRING_TO_HASH=""
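Review bot: Two problems in the dropbear branch. First, `dropbearkey` is invoked bare, its exit status is ignored and FOUND is set to 1 regardless, so when the key file exists but dropbearkey is missing (or the file is unreadable because Lynis runs unprivileged) DATA_SSH is empty yet the loop stops and hostid2 is derived from nothing; test `[ -n "${DATA_SSH}" ]` before setting FOUND=1 and use a detected binary variable like the other tools. Second, because the branch is an `elif` on `[ -d /etc/dropbear ]`, a host with an empty /etc/ssh directory next to dropbear never reaches it; drive the fallback off FOUND rather than directory existence. The comment "Dropbear stores both keys in one binary file" is misleading: each file holds one private key, from which `-y` prints the public part.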
@ -1306,11 +1321,16 @@
if [ $# -ne 2 ]; then Fatal "Incorrect usage of HasCorrectFilePermissions"; fi
CHECKFILE="$1"
CHECKPERMISSION_FULL="$2"
# Check for symlink
if [ -L ${CHECKFILE} ]; then
ShowSymlinkPath ${CHECKFILE}
if [ ! "${SYMLINK}" = "" ]; then CHECKFILE="${SYMLINK}"; fi
fi
if [ ! -d ${CHECKFILE} -a ! -f ${CHECKFILE} ]; then
return 2
else
for CHECK_PERMISSION in ${CHECKPERMISSION_FULL}; do
DATA=$(echo ${CHECK_PERMISSION} | ${EGREPBINARY} "[rwx]")
DATA=$(echo ${CHECK_PERMISSION} | ${GREPBINARY} -E "[rwx]")
if [ $? -eq 0 ]; then
# add a dummy character as first character so it looks like output is a normal file
CHECK_PERMISSION=$(echo "-${CHECK_PERMISSION}" | ${AWKBINARY} '{k=0;for(i=0;i<=8;i++)k+=((substr($1,i+2,1)~/[rwx]/)*2^(8-i));if(k)printf("%0o",k)}')
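Review bot: The symlink resolution added at the top of this hunk leaves `${CHECKFILE}` and the value returned in `${SYMLINK}` unquoted (`[ -L ${CHECKFILE} ]`, `ShowSymlinkPath ${CHECKFILE}`, and the existing `[ ! -d ${CHECKFILE} -a ! -f ${CHECKFILE} ]`), so a target path containing whitespace or a glob character yields a test error or checks the wrong file; quote them. Following the link is the right thing for a permission check of the real object, but it changes what the "Test:" and "Outcome:" log lines below refer to, so log both the link and its target. The same block is copied verbatim into IsWorldWritable later in this file; a small helper would keep the two in sync.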
@ -1320,9 +1340,8 @@
CHECK_PERMISSION=$(echo "${CHECK_PERMISSION}" | ${AWKBINARY} '{printf "%03d",$1}')
# First try stat command
LogText "Test: checking if file ${CHECKFILE} has the permissions set to ${CHECK_PERMISSION} or more restrictive"
LogText "Test: checking if file ${CHECKFILE} has the permissions set to ${CHECK_PERMISSION} (${CHECKPERMISSION_FULL}) or more restrictive"
if [ -n "${STATBINARY}" ]; then
case ${OS} in
*BSD | "macOS")
# BSD and macOS have no --format, only short notation
@ -1332,6 +1351,8 @@
# busybox does not support format
if [ ${SHELL_IS_BUSYBOX} -eq 0 ]; then
DATA=$(${STATBINARY} --format=%a ${CHECKFILE})
else
DATA=$(${STATBINARY} -c %a ${CHECKFILE})
fi
;;
esac
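Review bot: GNU stat accepts `-c %a` as a synonym for `--format=%a`, so the busybox special case is unnecessary: replace both branches with `DATA=$(${STATBINARY} -c %a "${CHECKFILE}")` and drop the SHELL_IS_BUSYBOX test here.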
@ -1345,12 +1366,16 @@
;;
*)
# Only use find when OS is NOT AIX and binaries are NOT busybox
if [ -d "${CHECKFILE}" ]; then
MAXDEPTH="-maxdepth 0"
else
MAXDEPTH=""
fi
if [ ${SHELL_IS_BUSYBOX} -eq 0 ]; then
if [ -d ${CHECKFILE} ]; then
DATA=$(${FINDBINARY} ${CHECKFILE} -maxdepth 0 -printf "%m")
else
DATA=$(${FINDBINARY} ${CHECKFILE} -printf "%m")
fi
DATA=$(${FINDBINARY} "${CHECKFILE}" ${MAXDEPTH} -printf "%m")
else
DATA=$(${FINDBINARY} "${CHECKFILE}" ${MAXDEPTH} -exec stat -c %a {} \;)
fi
;;
esac
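Review bot: The new busybox branch runs `-exec stat -c %a {} \;` with a bare `stat`, but per the comment above it this is the find-based fallback for when `${STATBINARY}` could not be used, so on a minimal busybox image without a `stat` symlink the exec fails and DATA is empty; call `${STATBINARY}` and skip this branch when it is unset, or fall back to parsing `ls -ld`. The comment "Only use find when OS is NOT AIX and binaries are NOT busybox" is now stale, since both branches use find. Also quote `${CHECKFILE}` consistently (the `-d` test above still has it unquoted).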
@ -1388,7 +1413,7 @@
fi
done
LogText "Outcome: permissions of file ${CHECKFILE} are not matching expected value (${DATA} != ${CHECKPERMISSION_FULL})"
LogText "Outcome: permissions of file ${CHECKFILE} are not matching expected value (${DATA} != ${CHECK_PERMISSION})"
# No match, return exit code 1
return 1
fi
@ -1604,7 +1629,7 @@
# This search is not foolproof
LogText "Performing simple ps scan (busybox)"
PSOPTIONS=" -o args="
FIND=$(${PSBINARY:-ps} ${PSOPTIONS} | ${EGREPBINARY:-egrep} "( |/)${search}" | ${GREPBINARY:-grep} -v "grep")
FIND=$(${PSBINARY:-ps} ${PSOPTIONS} | ${GREPBINARY:-grep} -E "( |/)${search}" | ${GREPBINARY:-grep} -v "grep")
else
if [ -n "${users}" ]; then
for u in ${users}; do
@ -1868,7 +1893,7 @@
# FreeBSD: hw.hv_vendor (remains empty for VirtualBox)
# NetBSD: machdep.dmi.system-product
# OpenBSD: hw.product
FIND=$(sysctl -a 2> /dev/null | grep -E "(hw.product|machdep.dmi.system-product)" | head -1 | sed 's/ = /=/' | awk -F= '{ print $2 }')
FIND=$(sysctl -a 2> /dev/null | grep -E "(hw.product|machdep.dmi.system-product)" | head -n 1 | sed 's/ = /=/' | awk -F= '{ print $2 }')
if [ ! "${FIND}" = "" ]; then
SHORT="${FIND}"
fi
@ -2002,7 +2027,11 @@
if [ $# -eq 0 ]; then ExitFatal "Missing parameter when calling IsWorldWritable function"; fi
sFILE=$1
FileIsWorldWritable=""
# Check for symlink
if [ -L ${sFILE} ]; then
ShowSymlinkPath ${sFILE}
if [ ! "${SYMLINK}" = "" ]; then sFILE="${SYMLINK}"; fi
fi
# Only check if target is a file or directory
if [ -f ${sFILE} -o -d ${sFILE} ]; then
FINDVAL=$(ls -ld ${sFILE} | cut -c 9)
@ -2078,6 +2107,10 @@
elif [ -n "${PKGINFOBINARY}" ]; then
output=$(${PKGINFOBINARY} -q -e ${package} >/dev/null 2>&1)
exit_code=$? # 0=package installed, 1=package not installed
# Slackware also has RPM for some reason and that's why this test precedes the RPMBINARY test
elif [ "${OS_NAME}" = "Slackware Linux" -a -d "${ROOTDIR}/var/lib/pkgtools/packages" ]; then
output=$( ls ${ROOTDIR}/var/lib/pkgtools/packages/ 2> /dev/null | ${GREPBINARY} "^${package}-[^-]\+-[^-]\+-[^-]\+$" )
exit_code=$?
elif [ -n "${RPMBINARY}" ]; then
output=$(${RPMBINARY} --quiet -q ${package} > /dev/null 2>&1)
exit_code=$?
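Review bot: `${package}` is spliced unescaped into the grep pattern in the Slackware branch, so a name containing regex metacharacters matches more than intended (a `.` matches any character), and `\+` already relies on a GNU BRE extension; escape the name (e.g. `sed 's/[.[\*^$]/\\&/g'`) or match the listing with a shell `case` pattern instead. Capturing the `ls` output into `output` is unnecessary when only the exit code is used; `grep -q` suffices.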
@ -2090,6 +2123,9 @@
elif [ -n "${XBPSBINARY}" ]; then
output=$(${XBPSBINARY} ${package} 2> /dev/null | ${GREPBINARY} "^ii")
exit_code=$?
elif [ -n "${APKBINARY}" ]; then
output=$(${APKBINARY} list --installed ${package} 2> /dev/null | ${GREPBINARY} ${package})
exit_code=$?
else
if [ "${package}" != "__dummy__" ]; then
ReportException "PackageIsInstalled:01 (test=${TEST_NO:-unknown})"
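Review bot: apk has a direct query for this: `${APKBINARY} info -e ${package} > /dev/null 2>&1` exits 0 when the package is installed and non-zero otherwise. Prefer it over `apk list --installed` piped into an unanchored `grep ${package}`, which also matches any listing line that merely contains the name.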
@ -2551,14 +2587,18 @@
GetTimestamp() {
ts=0
case "${OS}" in
"Linux")
# Detect if the implementation of date supports nanoseconds,
if [ "${OS}" = "Linux" ]; then
current_nanoseconds=$(date "+%N")
# Verify if the result of the command is a number
if [ -n "$current_nanoseconds" ] && [ "$current_nanoseconds" -eq "$current_nanoseconds" ] 2>/dev/null; then
ts=$(date "+%s%N")
;;
*)
else
ts=$(date "+%s")
;;
esac
fi
else
ts=$(date "+%s")
fi
echo $ts
}
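Review bot: `date` is forked twice on Linux. Computing `ts=$(date "+%s%N")` once and validating it with the same `-eq` numeric test (an unsupported `%N` leaves a literal `N` or `%N` in the output, so the check fails and the code can fall back to `date "+%s"`) gives the same result with one call, drops the OS special case, and picks up nanoseconds on any date implementation that supports them.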
@ -2743,7 +2783,6 @@
if [ ${SKIPLOGTEST} -eq 0 ]; then LogText "Reason to skip: ${SKIPREASON}"; fi
TESTS_SKIPPED="${TEST_NO}|${TESTS_SKIPPED}"
fi
unset SKIPREASON
# Save timestamp for next time the Register function is called
PREVIOUS_TEST="${TEST_NO}"
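Review bot: Dropping `unset SKIPREASON` means the reason logged for a skipped test (`LogText "Reason to skip: ${SKIPREASON}"` just above) can carry over from an earlier Register call when the current one does not set it; unless SKIPREASON is now reset unconditionally at the start of Register, keep the unset or initialise the variable at entry.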
@ -3028,11 +3067,12 @@
SafeInput() {
exitcode=1
# By default remove only control characters
# Test against the string with a generic test set
if [ $# -eq 1 ]; then
input="$1"
cleaned=$(echo ${input} | tr -d '[:cntrl:]')
# If know what to test against, then see if input matches the specified class
# Only allow common set of characters: a-z, A-Z, 0-9, /._-:=
cleaned=$(echo "$input" | sed 's/[^a-zA-Z0-9\/\._:=-]//g')
# If two parameters are specified, then test input against specified class
elif [ $# -eq 2 ]; then
input="$1"
testchars="$2"
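Review bot: Inside a bracket expression a backslash is an ordinary character for POSIX sed (the `\/` before the delimiter is stripped by the s-command parser, but `\.` is not), so `[^a-zA-Z0-9\/\._:=-]` also admits `\`, and a backslash in the input survives cleaning and passes the equality check; write the class as `[^a-zA-Z0-9/._:=-]`. `echo "$input"` is likewise unsafe for inputs beginning with `-n`/`-e` or containing backslash sequences, where the shell's echo alters the output and the comparison fails for the wrong reason; use `printf '%s\n' "$input"`. Finally, this whitelist is much stricter than the old control-character strip (spaces are now rejected), so every caller of the one-argument form needs checking, for example auditor names or paths with spaces.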
@ -3040,7 +3080,7 @@
else
ExitFatal "No argument or too many arguments provided to SafeInput()"
fi
# Test if the cleaned string is the same as the original input
if [ "${cleaned}" = "${input}" ]; then
exitcode=0
fi
@ -3156,7 +3196,7 @@
if [ ${PENTESTINGMODE} -eq 0 -a ${IS_PARAMETERS} -eq 0 ]; then
if [ ! "${GROUP}" = "root" -a ! "${GROUP}" = "wheel" -a ! "${GROUPID}" = "0" ]; then
echo "Fatal error: group owner of directory $1 should be owned by root user, wheel or similar (found: ${GROUP})."
echo "Fatal error: group owner of directory $1 should be owned by root group, wheel or similar (found: ${GROUP})."
ExitFatal
fi
fi
@ -3723,7 +3763,4 @@
if IsDeveloperMode; then Debug "Warning: old ShowResult() function is used. Please replace any reference with WaitForKeyPress."; fi
}
#================================================================================
# Lynis is part of Lynis Enterprise and released under GPLv3 license
# Copyright 2007-2021 - Michael Boelen, CISOfy - https://cisofy.com
# EOF


@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Website : https://cisofy.com/
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -233,5 +232,4 @@ fi
rm -f ${TMP_FILE}
fi
# The End
# EOF


@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Website : https://cisofy.com/
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -104,4 +103,4 @@
ExitClean
# The End
# EOF


@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Website : https://cisofy.com/
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -189,4 +188,4 @@ fi
ExitClean
# The End
# EOF


@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Website : https://cisofy.com/
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -480,4 +479,4 @@ ExitClean
# - categories
# - workdir
# The End
# EOF


@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Website : https://cisofy.com/
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -82,4 +81,4 @@
# No more Lynis output
QUIET=1
# The End
# EOF


@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Website : https://cisofy.com/
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -111,4 +110,4 @@ ExitClean
QUIET=1
# The End
# EOF


@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Website : https://cisofy.com/
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -64,6 +63,9 @@
10.15 | 10.15.[0-9]*) OS_FULLNAME="macOS Catalina (${OS_VERSION})" ;;
11 | 11.[0-9]*) OS_FULLNAME="macOS Big Sur (${OS_VERSION})" ;;
12 | 12.[0-9]*) OS_FULLNAME="macOS Monterey (${OS_VERSION})" ;;
13 | 13.[0-9]*) OS_FULLNAME="macOS Ventura (${OS_VERSION})" ;;
14 | 14.[0-9]*) OS_FULLNAME="macOS Sonoma (${OS_VERSION})" ;;
15 | 15.[0-9]*) OS_FULLNAME="macOS Sequoia (${OS_VERSION})" ;;
*) echo "Unknown macOS version. Do you know what version it is? Create an issue at ${PROGRAM_SOURCE}" ;;
esac
else
@ -158,6 +160,11 @@
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"altlinux")
LINUX_VERSION="ALT Linux"
OS_NAME="altlinux"
OS_VERSION=$(grep "^ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"amzn")
LINUX_VERSION="Amazon Linux"
OS_NAME="Amazon Linux"
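Review bot: In the `altlinux` entry OS_VERSION is read from `^ID=`, which is the distribution identifier (`altlinux`) rather than a version; use `^VERSION_ID=` like the surrounding entries and set OS_VERSION_FULL from `^VERSION=` for consistency.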
@ -169,16 +176,38 @@
OS_FULLNAME="Arch Linux"
OS_VERSION="Rolling release"
;;
"archarm")
LINUX_VERSION="Arch Linux ARM"
OS_FULLNAME="Arch Linux ARM"
OS_VERSION="Rolling release"
;;
"arch32")
LINUX_VERSION="Arch Linux 32"
OS_FULLNAME="Arch Linux 32"
OS_VERSION="Rolling release"
;;
"arcolinux")
LINUX_VERSION="ArcoLinux"
OS_FULLNAME="ArcoLinux"
OS_VERSION="Rolling release"
;;
"artix")
LINUX_VERSION="Artix Linux"
OS_FULLNAME="Artix Linux"
OS_VERSION="Rolling release"
;;
"athena")
LINUX_VERSION="Athena OS"
OS_NAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"buildroot")
LINUX_VERSION="Buildroot"
OS_NAME="Buildroot"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"bunsenlabs")
LINUX_VERSION="BunsenLabs"
OS_NAME="BunsenLabs"
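Review bot: The three Arch derivatives added here (archarm, arch32, arcolinux, artix) do not declare their base with `LINUX_VERSION_LIKE="Arch"`, while other derivatives in this file do (linuxmint sets Ubuntu, gardenlinux sets Debian), so any Arch-specific handling keyed on that variable will miss them; add it. They also set only OS_FULLNAME and OS_VERSION, mirroring the existing `arch` entry, so check that OS_NAME gets a value on these systems.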
@ -208,6 +237,11 @@
OS_NAME="CoreOS Linux"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"cos")
LINUX_VERSION="Container-Optimized OS"
OS_NAME="Container-Optimized OS from Google"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"debian")
LINUX_VERSION="Debian"
OS_NAME="Debian"
@ -238,6 +272,12 @@
OS_REDHAT_OR_CLONE=1
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"fedora-asahi-remix")
LINUX_VERSION="Fedora"
OS_NAME="Fedora Linux Asahi Remix"
OS_REDHAT_OR_CLONE=1
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"flatcar")
LINUX_VERSION="Flatcar"
LINUX_VERSION_LIKE="CoreOS"
@ -249,6 +289,13 @@
OS_FULLNAME="Funtoo Linux"
OS_VERSION="Rolling release"
;;
"gardenlinux")
LINUX_VERSION="Garden Linux"
LINUX_VERSION_LIKE="Debian"
OS_NAME=$(grep "^NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION=$(grep "^GARDENLINUX_VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^GARDENLINUX_VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"garuda")
LINUX_VERSION="Garuda"
OS_FULLNAME="Garuda Linux"
@ -260,6 +307,12 @@
OS_NAME="Gentoo Linux"
OS_VERSION="Rolling release"
;;
"guix")
LINUX_VERSION="Guix"
OS_FULLNAME="Guix System"
OS_NAME="Guix"
OS_VERSION="Rolling release"
;;
"ipfire")
LINUX_VERSION="IPFire"
OS_NAME="IPFire"
@ -271,6 +324,12 @@
OS_NAME="Kali Linux"
OS_VERSION="Rolling release"
;;
"koozali")
LINUX_VERSION="Koozali"
OS_NAME="Koozali SME Server"
OS_REDHAT_OR_CLONE=1
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"linuxmint")
LINUX_VERSION="Linux Mint"
LINUX_VERSION_LIKE="Ubuntu"
@ -278,6 +337,11 @@
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"lsdk")
LINUX_VERSION="NXP LSDK"
OS_NAME="NXP LSDK"
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"mageia")
LINUX_VERSION="Mageia"
OS_NAME="Mageia"
@ -290,6 +354,13 @@
OS_NAME="Manjaro"
OS_VERSION="Rolling release"
;;
"neon")
LINUX_VERSION="KDE Neon"
LINUX_VERSION_LIKE="Ubuntu"
OS_NAME="KDE Neon"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"nethserver")
LINUX_VERSION="NethServer"
OS_NAME="NethServer"
@ -308,6 +379,18 @@
OS_REDHAT_OR_CLONE=1
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"nobara")
LINUX_VERSION="Nobara"
OS_NAME="Nobara Linux"
OS_REDHAT_OR_CLONE=1
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"nodistro")
LINUX_VERSION="openembedded"
OS_NAME="OpenEmbedded"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"opensuse-tumbleweed")
LINUX_VERSION="openSUSE Tumbleweed"
# It's rolling release but has a snapshot version (the date of the snapshot)
@ -324,12 +407,33 @@
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_NAME="openSUSE"
;;
"osmc")
LINUX_VERSION="OSMC"
LINUX_VERSION_LIKE="Debian"
OS_NAME="Open Source Media Center"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"parrot")
LINUX_VERSION="Parrot"
OS_NAME="Parrot GNU/Linux"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"peppermint")
LINUX_VERSION="Peppermint OS"
LINUX_VERSION_LIKE="Debian"
OS_NAME="Peppermint OS"
OS_VERSION=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION_CODENAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"poky")
LINUX_VERSION="Poky"
OS_NAME="openembedded"
LINUX_VERSION_LIKE="openembedded"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"pop")
LINUX_VERSION="Pop!_OS"
LINUX_VERSION_LIKE="Ubuntu"
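Review bot: the `peppermint` entry assigns `OS_VERSION` from `PRETTY_NAME` and `OS_VERSION_FULL` from `VERSION_CODENAME`, which looks inverted compared with every other entry (`OS_VERSION` is the short value from `VERSION_ID`, `OS_VERSION_FULL` the descriptive one). A `PRETTY_NAME` value contains spaces and the distro name, so anything that compares or reports `OS_VERSION` as a version string will misbehave for Peppermint OS; suggest `OS_VERSION` from `VERSION_ID` (or `VERSION_CODENAME` if Peppermint ships no `VERSION_ID`) and `OS_VERSION_FULL` from `PRETTY_NAME`, as the `parrot` and `poky` entries in this same hunk do.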
@ -337,6 +441,13 @@
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_NAME="Pop!_OS"
;;
"postmarketos")
LINUX_VERSION="PostmarketOS"
LINUX_VERSION_LIKE="Alpine"
OS_NAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"pureos")
LINUX_VERSION="PureOS"
LINUX_VERSION_LIKE="Debian"
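Review bot: the `postmarketos` entry is the only one in this case statement whose `OS_NAME` is read from `PRETTY_NAME` at runtime rather than set to a fixed string; `PRETTY_NAME` typically carries the version and spaces as well, so any later string match on `OS_NAME` (and the report field it feeds) will differ from system to system. Set `OS_NAME="postmarketOS"` as a literal and keep the dynamic values in `OS_VERSION` / `OS_VERSION_FULL`.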
@ -401,7 +512,7 @@
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
*)
ReportException "OS Detection" "Unknown OS found in /etc/os-release - Please create an issue on GitHub and share the the contents (cat /etc/os-release): ${PROGRAM_SOURCE}"
ReportException "OS Detection" "Unknown OS found in /etc/os-release - Please create an issue on GitHub and share the contents (cat /etc/os-release): ${PROGRAM_SOURCE}"
;;
esac
fi
@ -678,7 +789,7 @@
ReportException "OS Detection" "Unknown OS found in /etc/os-release - Please create issue on GitHub project page: ${PROGRAM_SOURCE}"
;;
esac
elif [ "$(uname -o 2> /dev/null)" == "illumos" ]; then
elif [ "$(uname -o 2> /dev/null)" = "illumos" ]; then
OPENSOLARIS=1
# Solaris has a free form text file with release information
@ -725,7 +836,7 @@
if tail -1 < /etc/release | xargs | grep "^Solaris " > /dev/null; then
OS_FULLNAME=$(tail -1 < /etc/release | xargs)
else
OS_FULLNAME=$(head -1 < /etc/release | xargs)
OS_FULLNAME=$(head -n 1 < /etc/release | xargs)
fi
OS_VERSION=$(echo "$OS_FULLNAME" | cut -d ' ' -f 2,3)
else # Old behaviour
@ -777,10 +888,26 @@
ECHONB=""
case ${OS} in
"AIX") ECHOCMD="echo"; ECHONB="printf" ;;
"DragonFly"|"FreeBSD"|"NetBSD") ECHOCMD="echo -e"; ECHONB="echo -n" ;;
"macOS" | "Mac OS X") ECHOCMD="echo"; ECHONB="/bin/echo -n" ;;
"Solaris") ECHOCMD="echo" ; test -f /usr/ucb/echo && ECHONB="/usr/ucb/echo -n" ;;
"AIX")
ECHOCMD="echo";
ECHONB="printf"
;;
"DragonFly"|"FreeBSD"|"NetBSD")
ECHOCMD="echo -e"
ECHONB="echo -n"
NOW=$(date "+%s")
;;
"macOS" | "Mac OS X")
ECHOCMD="echo"
ECHONB="/bin/echo -n"
NOW=$(date "+%s")
;;
"Solaris")
ECHOCMD="echo"
test -f /usr/ucb/echo && ECHONB="/usr/ucb/echo -n"
NOW=$(nawk 'BEGIN{print srand()}')
;;
"Linux")
# Check if dash is used (Debian/Ubuntu)
DEFAULT_SHELL=$(ls -l /bin/sh | awk -F'>' '{print $2}')
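Review bot: the Solaris branch computes `NOW=$(nawk 'BEGIN{print srand()}')`, but `srand()` returns the previous seed, so a single call prints the interpreter's initial seed instead of the current time; the idiom is `nawk 'BEGIN{srand(); print srand()}'` (the first call seeds from the clock, the second returns that value). The AIX branch in the same hunk sets no `NOW` at all, and the EOL hunk later in this file drops the `-n "${NOW}"` guard, so on AIX the comparison becomes `[ -gt ${EOL_TIMESTAMP} ]`. Either add a `NOW` assignment to the AIX case or assign the default once before the `case` and let the Solaris branch override it.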
@ -788,8 +915,12 @@
" dash") ECHOCMD="/bin/echo -e" ;;
*) ECHOCMD="echo -e" ;;
esac
NOW=$(date "+%s")
;;
*)
ECHOCMD="echo -e"
NOW=$(date "+%s")
;;
*) ECHOCMD="echo -e" ;;
esac
# Check if we have full featured commands, or are using BusyBox as a shell
@ -798,6 +929,9 @@
ShowSymlinkPath /bin/ps
if [ "${SYMLINK}" = "/bin/busybox" ]; then
SHELL_IS_BUSYBOX=1
LogText "Result: The device is using Busybox."
else
LogText "Result: The device is NOT using Busybox."
fi
fi
fi
@ -820,13 +954,10 @@
if [ -n "${EOL_TIMESTAMP}" ]; then
EOL_DATE=$(awk -v value="${FIND}" -F: '{if ($1=="os" && value ~ $2){print $3}}' ${DBDIR}/software-eol.db | head -n 1)
if [ -n "${EOL_DATE}" ]; then
NOW=$(date "+%s")
if [ -n "${NOW}" ]; then
if [ ${NOW} -gt ${EOL_TIMESTAMP} ]; then
EOL=1
else
EOL=0
fi
if [ ${NOW} -gt ${EOL_TIMESTAMP} ]; then
EOL=1
else
EOL=0
fi
else
EOL=0
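Review bot: removing the `if [ -n "${NOW}" ]` guard turns an empty `NOW` into a shell error at the `-gt` test instead of a silent `EOL=0`; `NOW` is now assigned per OS in the echo/`case` block earlier in this file, and the AIX branch there does not set it. Keep the guard (or log "could not determine current time" and default `EOL=0`) so a missing value degrades gracefully rather than aborting the EOL check.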

View File

@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Website : https://cisofy.com/
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are

View File

@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Website : https://cisofy.com/
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -56,7 +55,7 @@
fi
# Security check for unexpected and possibly harmful escape characters (hyphen should be listed as first or last character)
DATA=$(grep -Ev '^$|^ |^#|^config:' "${PROFILE}" | tr -d '[:alnum:]/\[\]\(\)_\|,\.:;= \n\r-')
DATA=$(grep -Ev '^$|^ |^#|^config:' "${PROFILE}" | tr -d '[a-zA-Z0-9]/\[\]\(\)_\|,\.:;= \n\r-')
if ! IsEmpty "${DATA}"; then
DisplayWarning "Your profile '${PROFILE}' contains unexpected characters. See the log file for more information."
LogText "Found unexpected or possibly harmful characters in profile '${PROFILE}'. See which characters matched in the output below and compare them with your profile."
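Review bot: replacing `[:alnum:]` with `[a-zA-Z0-9]` changes what this escape-character check accepts in a locale-dependent way: under a UTF-8 locale `[:alnum:]` also covered non-ASCII letters, so a profile containing, say, an accented character in a path comment-free line will now trigger the "unexpected characters" warning, and on some `tr` implementations the `a-z` range itself collates differently outside the C locale. If the intent is a fixed ASCII set (or BusyBox compatibility), run `tr` with `LC_ALL=C` and say so in the comment. Note also that `tr` has no bracket syntax for ranges, so the `[` and `]` here are literal characters; harmless in this case only because both are already part of the set.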
@ -68,7 +67,7 @@
fi
# Now parse the profile and filter out unwanted characters
DATA=$(grep -E "^config:|^[a-z-].*=" ${PROFILE} | tr -dc '[:alnum:]/\[\]\(\)_\|,\.:;= \n\r-' | sed 's/ /!space!/g')
DATA=$(grep -E "^config:|^[a-z-].*=" ${PROFILE} | tr -dc '[a-zA-Z0-9]/\[\]\(\)_\|,\.:;= \n\r-' | sed 's/ /!space!/g')
for CONFIGOPTION in ${DATA}; do
if ContainsString "^config:" "${CONFIGOPTION}"; then
# Old style configuration
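Review bot: this is the second copy of the allowed-character set (`-dc '[a-zA-Z0-9]/\[\]\(\)_\|,\.:;= \n\r-'`); it must stay byte-for-byte identical to the set used in the warning check above, otherwise a value can pass the check and still be silently altered here (or vice versa). Define the set once in a variable and use it in both places, and apply the same `LC_ALL=C` consideration as for the check above.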
@ -352,7 +351,7 @@
# Which tests to skip (skip-test=ABCD-1234 or skip-test=ABCD-1234:subtest)
skip-test)
STRING=$(echo ${VALUE} | tr '[:lower:]' '[:upper:]')
STRING=$(echo ${VALUE} | awk '{print toupper($0)}')
SKIP_TESTS="${SKIP_TESTS} ${STRING}"
;;
@ -371,7 +370,7 @@
ssl-certificate-paths-to-ignore)
# Retrieve paths to ignore when searching for certificates. Strip special characters, replace possible spaces
SSL_CERTIFICATE_PATHS_TO_IGNORE=$(echo ${VALUE} | tr -d '[:cntrl:]' | sed 's/ /__space__/g' | tr ':' ' ')
SSL_CERTIFICATE_PATHS_TO_IGNORE=$(echo ${VALUE} | tr -d '[\001-\037]' | sed 's/ /__space__/g' | tr ':' ' ')
Debug "SSL paths to ignore: ${SSL_CERTIFICATE_PATHS_TO_IGNORE}"
AddSetting "ssl-certificate-paths-to-ignore" "${SSL_CERTIFICATE_PATHS_TO_IGNORE}" "Paths that should be ignored for SSL certificates"
;;
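Review bot: `tr -d '[\001-\037]'` is not equivalent to `tr -d '[:cntrl:]'`: `tr` treats `[` and `]` here as literal characters, so any ignore path containing brackets is mangled, and DEL (`\177`), which `[:cntrl:]` removed, is now passed through. Use `tr -d '\001-\037\177'` without the brackets.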
@ -479,7 +478,7 @@
# Deprecated: skip tests
test_skip_always)
STRING=$(echo ${VALUE} | tr '[:lower:]' '[:upper:]')
STRING=$(echo ${VALUE} | awk '{print toupper($0)}')
SKIP_TESTS="${SKIP_TESTS} ${STRING}"
LogText "[deprecated option] Tests to be skipped: ${VALUE}"
DisplayToolTip "Replace deprecated option 'test_skip_always' and replace with 'skip-test' (add to custom.prf)"

View File

@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Website : https://cisofy.com/
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -161,7 +160,8 @@
for SUGGESTION in ${SUGGESTIONS}; do
SOLUTION=""
SHOWSUGGESTION=$(echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^.* Suggestion: //' | sed 's/\[details:\(.*\)\] \[solution:\(.*\)\]//' | sed 's/test://')
ADDLINK=$(echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^.* Suggestion: \(.*\)\[test://' | sed 's/\]\(.*\)]//' | ${AWKBINARY} -F: '{print $1}')
RELATED_CONTROL=$(echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^.* Suggestion: \(.*\)\[test://' | sed 's/\]\(.*\)]//' | ${AWKBINARY} -F: '{print $1}')
ADDLINK="${RELATED_CONTROL}"
DETAILS=$(echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^.* Suggestion: \(.*\)\[details://' | sed 's/\]\(.*\)]//')
SUGGESTION_PIECES=$(echo ${SUGGESTION} | sed 's/\[/ [/g')
for PIECE in ${SUGGESTION_PIECES}; do
@ -174,10 +174,23 @@
echo " ${YELLOW}*${NORMAL} ${SHOWSUGGESTION}"
if [ ! "${DETAILS}" = "-" -a -n "${DETAILS}" ]; then echo " - Details : ${CYAN}${DETAILS}${NORMAL}"; fi
if [ ${SHOW_REPORT_SOLUTION} -eq 1 -a ! "${SOLUTION}" = "-" ]; then echo " - Solution : ${SOLUTION}"; fi
# Show relevant articles if the database is available
if [ -f ${DBDIR}/control-links.db ]; then
echo " - Related resources"
ARTICLES=$($AWKBINARY -F \; -v control=${RELATED_CONTROL} '{if($1==control && $2=="blog"){print $2";"$3";"$4";"}}' "${DBDIR}/control-links.db" | sed 's/ /!space!/g')
if [ -n "${ARTICLES}" ]; then
for ITEM in ${ARTICLES}; do
ITEM=$(echo ${ITEM} | sed 's/!space!/ /g')
ARTICLE=$(echo ${ITEM} | awk -F\; '{print $2}')
ARTICLE_LINK=$(echo ${ITEM} | awk -F\; '{print $3}')
echo " * Article: ${CYAN}${ARTICLE}${NORMAL}: ${ARTICLE_LINK}"
done
fi
fi
if [ -z "${IS_CUSTOM}" ]; then
echo " ${GRAY}${CONTROL_URL_PROTOCOL}://${CONTROL_URL_PREPEND}${ADDLINK}${CONTROL_URL_APPEND}${NORMAL}"
echo " * Website: ${GRAY}${CONTROL_URL_PROTOCOL}://${CONTROL_URL_PREPEND}${ADDLINK}${CONTROL_URL_APPEND}${NORMAL}"
else
echo " ${GRAY}${CUSTOM_URL_PROTOCOL}://${CUSTOM_URL_PREPEND}${ADDLINK}${CUSTOM_URL_APPEND}${NORMAL}"
echo " * Details: ${GRAY}${CUSTOM_URL_PROTOCOL}://${CUSTOM_URL_PREPEND}${ADDLINK}${CUSTOM_URL_APPEND}${NORMAL}"
fi
echo ""
done
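Review bot: `-v control=${RELATED_CONTROL}` is unquoted; `RELATED_CONTROL` comes out of a `sed`/`awk` chain on the suggestion text, so an empty or unexpected value turns into a malformed `-v` argument rather than a no-match. Quote it (`-v control="${RELATED_CONTROL}"`). The awk filter also only selects rows with `$2=="blog"`, so any other resource type present in `control-links.db` is silently dropped; if the database is meant to carry only blog entries for now, a comment saying so would help the next reader.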
@ -312,6 +325,4 @@
echo "================================================================================"
fi
#
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
# EOF

View File

@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Website : https://cisofy.com/
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -478,6 +477,4 @@
WaitForKeyPress
#
#================================================================================
# Lynis - Copyright 2007-2021, Michael Boelen / CISOfy - https://cisofy.com
# EOF

View File

@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -25,7 +24,7 @@
LDAP_AUTH_ENABLED=0
LDAP_PAM_ENABLED=0
LDAP_CONF_LOCATIONS="${ROOTDIR}etc/ldap.conf ${ROOTDIR}etc/ldap/ldap.conf ${ROOTDIR}etc/openldap/ldap.conf ${ROOTDIR}usr/local/etc/ldap.conf ${ROOTDIR}usr/local/etc/openldap/ldap.conf"
PAM_FILE_LOCATIONS="${ROOTDIR}lib/arm-linux-gnueabihf/security ${ROOTDIR}lib/i386-linux-gnu/security ${ROOTDIR}lib/security ${ROOTDIR}lib/x86_64-linux-gnu/security ${ROOTDIR}lib64/security ${ROOTDIR}usr/lib /usr/lib/security"
PAM_FILE_LOCATIONS="${ROOTDIR}usr/lib/aarch64-linux-gnu/security ${ROOTDIR}lib/arm-linux-gnueabihf/security ${ROOTDIR}lib/i386-linux-gnu/security ${ROOTDIR}lib/security ${ROOTDIR}lib/x86_64-linux-gnu/security ${ROOTDIR}lib/powerpc64le-linux-gnu/security ${ROOTDIR}lib64/security ${ROOTDIR}usr/lib /usr/lib/security"
SUDOERS_LOCATIONS="${ROOTDIR}etc/sudoers ${ROOTDIR}usr/local/etc/sudoers ${ROOTDIR}usr/pkg/etc/sudoers"
SUDOERS_FILE=""
#
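Review bot: the new aarch64 entry uses `${ROOTDIR}usr/lib/aarch64-linux-gnu/security` while the other multiarch entries (arm, i386, x86_64 and the new powerpc64le) use `${ROOTDIR}lib/<triplet>/security`; on a merged-/usr system both resolve, on a non-merged one only one of them exists, so either add both forms for every triplet or pick one consistently. The trailing `/usr/lib/security` entry also still lacks the `${ROOTDIR}` prefix, so it is never relative to the audited root.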
@ -42,9 +41,9 @@
LogText "Test: Searching accounts with UID 0"
# Check if device is a QNAP, as the root user is called admin, and not root
if [ ${QNAP_DEVICE} -eq 1 ]; then
FIND=$(${GREPBINARY} ':0:' ${ROOTDIR}etc/passwd | ${EGREPBINARY} -v '^#|^admin:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0')
FIND=$(${GREPBINARY} ':0:' ${ROOTDIR}etc/passwd | ${GREPBINARY} -E -v '^#|^admin:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0')
else
FIND=$(${GREPBINARY} ':0:' ${ROOTDIR}etc/passwd | ${EGREPBINARY} -v '^#|^root:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0')
FIND=$(${GREPBINARY} ':0:' ${ROOTDIR}etc/passwd | ${GREPBINARY} -E -v '^#|^root:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0')
fi
if [ -n "${FIND}" ]; then
Display --indent 2 --text "- Administrator accounts" --result "${STATUS_WARNING}" --color RED
@ -163,7 +162,7 @@
LogText "Test: Checking login shells"
if [ -f ${ROOTDIR}etc/master.passwd ]; then
# Check for all shells, except: (/usr)/sbin/nologin /nonexistent
FIND=$(${GREPBINARY} "[a-z]:\*:" ${ROOTDIR}etc/master.passwd | ${EGREPBINARY} -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | ${SEDBINARY} 's/ /!space!/g')
FIND=$(${GREPBINARY} "[a-z]:\*:" ${ROOTDIR}etc/master.passwd | ${GREPBINARY} -E -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | ${SEDBINARY} 's/ /!space!/g')
if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Login shells" --result "${STATUS_OK}" --color GREEN
else
@ -499,13 +498,13 @@
Register --test-no AUTH-9240 --weight L --network NO --category security --description "Query NIS+ authentication support"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /etc/nsswitch.conf ]; then
FIND=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${EGREPBINARY} "compat|nisplus")
FIND=$(${GREPBINARY} -E "^passwd" /etc/nsswitch.conf | ${GREPBINARY} -E "compat|nisplus")
if [ -z "${FIND}" ]; then
LogText "Result: NIS+ authentication not enabled"
Display --indent 2 --text "- NIS+ authentication support" --result "${STATUS_NOT_ENABLED}" --color WHITE
else
FIND2=$(${EGREPBINARY} "^passwd_compat" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus")
FIND3=$(${EGREPBINARY} "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus")
FIND2=$(${GREPBINARY} -E "^passwd_compat" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus")
FIND3=$(${GREPBINARY} -E "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus")
if [ -n "${FIND2}" -o -n "${FIND3}" ]; then
LogText "Result: NIS+ authentication enabled"
Display --indent 2 --text "- NIS+ authentication support" --result "${STATUS_ENABLED}" --color GREEN
@ -526,13 +525,13 @@
Register --test-no AUTH-9242 --weight L --network NO --category security --description "Query NIS authentication support"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /etc/nsswitch.conf ]; then
FIND=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${EGREPBINARY} "compat|nis" | ${GREPBINARY} -v "nisplus")
FIND=$(${GREPBINARY} -E "^passwd" /etc/nsswitch.conf | ${GREPBINARY} -E "compat|nis" | ${GREPBINARY} -v "nisplus")
if [ -z "${FIND}" ]; then
LogText "Result: NIS authentication not enabled"
Display --indent 2 --text "- NIS authentication support" --result "${STATUS_NOT_ENABLED}" --color WHITE
else
FIND2=$(${EGREPBINARY} "^passwd_compat" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus")
FIND3=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus")
FIND2=$(${GREPBINARY} -E "^passwd_compat" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus")
FIND3=$(${GREPBINARY} -E "^passwd" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus")
if [ -n "${FIND2}" -o -n "${FIND3}" ]; then
LogText "Result: NIS authentication enabled"
Display --indent 2 --text "- NIS authentication support" --result "${STATUS_ENABLED}" --color GREEN
@ -607,7 +606,7 @@
Display --indent 4 --text "- Permissions for directory: ${SUDOERS_D}" --result "${STATUS_WARNING}" --color RED
;;
esac
SUDO_CONFIG_FILES="${SUDO_CONFIG_FILES} $(${FINDBINARY} ${SUDOERS_D} -type f -print)"
SUDO_CONFIG_FILES="${SUDO_CONFIG_FILES} $(${FINDBINARY} -L ${SUDOERS_D} -type f -print)"
fi
for f in ${SUDO_CONFIG_FILES}; do
LogText "Test: checking file (${f})"
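Review bot: `${FINDBINARY} -L ${SUDOERS_D} -type f -print` now follows symlinks, which means a symlink to a directory inside sudoers.d gets recursed into and every file below it is treated as a sudo config file; sudo itself only reads entries directly in the include directory (and skips names containing a dot or ending in `~`). Limit the search to the top level (`-maxdepth 1` where available, or a `-prune` on subdirectories) so the permission checks cover what sudo actually parses.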
@ -717,7 +716,7 @@
if [ ${FOUND} -eq 0 ]; then
Display --indent 2 --text "- PAM password strength tools" --result "${STATUS_SUGGESTION}" --color YELLOW
LogText "Result: no PAM modules for password strength testing found"
ReportSuggestion "${TEST_NO}" "Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc"
ReportSuggestion "${TEST_NO}" "Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc or libpam-passwdqc"
AddHP 0 3
else
Display --indent 2 --text "- PAM password strength tools" --result "${STATUS_OK}" --color GREEN
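Review bot: "pam_cracklib or pam_passwdqc or libpam-passwdqc" lists the same module twice, since libpam-passwdqc is just the Debian package that ships pam_passwdqc. Phrase it as the module names with the package hint in parentheses, e.g. "like pam_cracklib or pam_passwdqc (Debian: libpam-passwdqc)".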
@ -737,7 +736,7 @@
LogText "Result: file ${ROOTDIR}etc/pam.conf exists"
Display --indent 2 --text "- PAM configuration files (pam.conf)" --result "${STATUS_FOUND}" --color GREEN
LogText "Test: searching PAM configuration files"
FIND=$(${EGREPBINARY} -v "^#" ${ROOTDIR}etc/pam.conf | ${EGREPBINARY} -v "^$" | ${SEDBINARY} 's/[[:space:]]/ /g' | ${SEDBINARY} 's/ / /g' | ${SEDBINARY} 's/ /:space:/g')
FIND=$(${GREPBINARY} -E -v "^#" ${ROOTDIR}etc/pam.conf | ${GREPBINARY} -E -v "^$" | ${SEDBINARY} 's/[[:space:]]/ /g' | ${SEDBINARY} 's/ / /g' | ${SEDBINARY} 's/ /:space:/g')
if [ -z "${FIND}" ]; then
LogText "Result: File has no configuration options defined (empty, or only filled with comments and empty lines)"
else
@ -764,7 +763,7 @@
LogText "Result: directory /etc/pam.d exists"
Display --indent 2 --text "- PAM configuration files (pam.d)" --result "${STATUS_FOUND}" --color GREEN
LogText "Test: searching PAM configuration files"
FIND=$(${FINDBINARY} ${ROOTDIR}etc/pam.d \! -name "*.pam-old" -type f -print | sort)
FIND=$(${FINDBINARY} -L ${ROOTDIR}etc/pam.d \! -name "*.pam-old" -type f -print | sort)
for FILE in ${FIND}; do
LogText "Found file: ${FILE}"
done
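Review bot: with `-L`, a symlink in `${ROOTDIR}etc/pam.d` that points to a directory is now descended into, so unrelated files can show up as PAM configuration files in the log; files reached through symlinks to regular files are the intended case and still match `-type f`. Restrict the search depth (or add `! -type d` on the link) so only the pam.d directory itself is enumerated.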
@ -1017,7 +1016,7 @@
LogText "Data: Days since epoch is ${DAYS_SINCE_EPOCH}"
LogText "Test: collecting accounts which have an expired password (last day changed + maximum change time)"
# Skip fields with a !, *, or x, or !* (field $3 is last changed, $5 is maximum changed)
FIND=$(${EGREPBINARY} -v ":[\!\*x]([\*\!])?:" /etc/shadow | ${AWKBINARY} -v today=${DAYS_SINCE_EPOCH} -F: '{ if (($5!="") && (today>$3+$5)) { print $1 }}')
FIND=$(${GREPBINARY} -E -v ":[\!\*x]([\*\!])?:" /etc/shadow | ${AWKBINARY} -v today=${DAYS_SINCE_EPOCH} -F: '{ if (($5!="") && (today>$3+$5)) { print $1 }}')
if [ -n "${FIND}" ]; then
for ACCOUNT in ${FIND}; do
LogText "Result: password of user ${ACCOUNT} has been expired"
@ -1109,8 +1108,8 @@
TEST_PERFORMED=1
LogText "Result: file ${ROOTDIR}etc/inittab exists"
LogText "Test: checking presence sulogin for single user mode"
FIND=$(${EGREPBINARY} "^[a-zA-Z0-9~]+:S:(respawn|wait):/sbin/sulogin" /etc/inittab)
FIND2=$(${EGREPBINARY} "^su:S:(respawn|wait):/sbin/sulogin" /etc/inittab)
FIND=$(${GREPBINARY} -E "^[a-zA-Z0-9~]+:S:(respawn|wait):/sbin/sulogin" /etc/inittab)
FIND2=$(${GREPBINARY} -E "^su:S:(respawn|wait):/sbin/sulogin" /etc/inittab)
if [ -n "${FIND}" -o -n "${FIND2}" ]; then
FOUND=1
LogText "Result: found sulogin, so single user is protected"
@ -1147,7 +1146,7 @@
# Mark test as performed only when at least 1 target exists (e.g. Ubuntu 14.04 has limited systemd support)
TEST_PERFORMED=1
LogText "Result: found target ${I}"
FIND=$(${EGREPBINARY} "^ExecStart=" ${FILE} | ${GREPBINARY} "sulogin")
FIND=$(${GREPBINARY} -E "^ExecStart=" ${FILE} | ${GREPBINARY} "sulogin")
if [ "${FIND}" = "" ]; then
LogText "Result: did not find sulogin specified, possible risk of getting into single user mode without authentication"
else
@ -1270,8 +1269,6 @@
LogText "Result: found no umask. Please check if this is correct"
Display --indent 4 --text "- umask (/etc/profile)" --result "${STATUS_NOT_FOUND}" --color YELLOW
fi
else
LogText "Result: file /etc/profile does not exist"
fi
# /etc/passwd
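Review bot: dropping the `else` branch removes the only log line that recorded that `/etc/profile` was absent, so the audit log no longer shows whether the umask check was skipped or simply found nothing. Keep a `LogText` in the else branch (or note in the commit message why it is no longer wanted).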
@ -1486,7 +1483,7 @@
Register --test-no AUTH-9402 --weight L --network NO --category security --description "Query LDAP authentication support"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f ${ROOTDIR}etc/nsswitch.conf ]; then
FIND=$(${EGREPBINARY} "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "ldap")
FIND=$(${GREPBINARY} -E "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "ldap")
if [ "${FIND}" = "" ]; then
LogText "Result: LDAP authentication not enabled"
Display --indent 2 --text "- LDAP authentication support" --result "${STATUS_NOT_ENABLED}" --color WHITE
@ -1514,7 +1511,7 @@
LogText "Result: file ${FILE} exists, LDAP being used"
LDAP_CLIENT_CONFIG_FILE="${FILE}"
LogText "Test: checking LDAP servers in file ${FILE}"
FIND=$(${EGREPBINARY} "^host " ${FILE} | ${AWKBINARY} '{ print $2 }')
FIND=$(${GREPBINARY} -E "^host " ${FILE} | ${AWKBINARY} '{ print $2 }')
for SERVER in ${FIND}; do
Display --indent 6 --text "LDAP server: ${SERVER}"
LogText "Result: found LDAP server ${SERVER}"
@ -1533,31 +1530,49 @@
# Description : Logging of failed login attempts
Register --test-no AUTH-9408 --weight L --network NO --category security --description "Logging of failed login attempts"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f "${ROOTDIR}etc/pam.conf" ]; then
if [ -f "${ROOTDIR}etc/pam.conf" -o -d "${ROOTDIR}etc/pam.d" ]; then
FOUND_PAM_TALLY2=0
FOUND_TALLYLOG=0
if [ -s "${ROOTDIR}var/log/tallylog" ]; then
FOUND_PAM_FAILLOCK=0
FOUND_FAILLOCKDIR=0
if [ -d "${ROOTDIR}var/run/faillock" ]; then
FOUND_FAILLOCKDIR=1
LogText "Result: found ${ROOTDIR}var/run/faillock directory"
elif [ -s "${ROOTDIR}var/log/tallylog" ]; then
FOUND_TALLYLOG=1
LogText "Result: found ${ROOTDIR}var/log/tallylog with a size bigger than zero"
else
LogText "Result: did not find ${ROOTDIR}var/log/tallylog on disk or its file size is zero bytes"
LogText "Result: did not find ${ROOTDIR}var/run/faillock directory or ${ROOTDIR}var/log/tallylog file on disk or its file size is zero bytes"
fi
# Determine if pam_tally2 is available
# Determine if pam_faillock is available
for D in $(GetReportData --key "pam_module\\\[\\\]"); do
if ContainsString "pam_tally2" "${D}"; then
LogText "Result: found pam_tally2 module on disk"
FOUND_PAM_TALLY2=1
if ContainsString "pam_faillock" "${D}"; then
LogText "Result: found pam_faillock module on disk"
FOUND_PAM_FAILLOCK=1
fi
done
if [ ${FOUND_PAM_TALLY2} -eq 1 -a ${FOUND_TALLYLOG} -eq 1 ]; then
if [ ${FOUND_PAM_FAILLOCK} -eq 0 ]; then
# Determine if pam_tally2 is available
for D in $(GetReportData --key "pam_module\\\[\\\]"); do
if ContainsString "pam_tally2" "${D}"; then
LogText "Result: found pam_tally2 module on disk"
FOUND_PAM_TALLY2=1
fi
done
fi
if [ ${FOUND_PAM_FAILLOCK} -eq 1 -a ${FOUND_FAILLOCKDIR} -eq 1 ]; then
LogText "Outcome: authentication failures are logged using pam_faillock"
AUTH_FAILED_LOGINS_LOGGED=1
Report "auth_failed_logins_tooling[]=pam_faillock"
elif [ ${FOUND_PAM_TALLY2} -eq 1 -a ${FOUND_TALLYLOG} -eq 1 ]; then
LogText "Outcome: authentication failures are logged using pam_tally2"
AUTH_FAILED_LOGINS_LOGGED=1
Report "auth_failed_logins_tooling[]=pam_tally2"
else
LogText "Outcome: it looks like pam_tally2 is not configured to log failed login attempts"
LogText "Outcome: it looks like pam_faillock or pam_tally2 is not configured to log failed login attempts"
fi
unset FOUND_PAM_TALLY2 FOUND_TALLYLOG
unset FOUND_PAM_TALLY2 FOUND_TALLYLOG FOUND_PAM_FAILLOCK FOUND_FAILLOCKDIR
fi
# Also check /etc/logins.defs, although its usage decreased over the years
if [ -f ${ROOTDIR}etc/login.defs ]; then
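Review bot: the `if -d faillock ... elif -s tallylog` chain means that once `${ROOTDIR}var/run/faillock` exists, `tallylog` is never examined; a host that still uses pam_tally2 but has an (empty) faillock directory created by tmpfiles then fails both `-a` conditions below and is reported as not logging failures. Test the two locations independently. Also, pam_faillock's directory is configurable (`dir=` in faillock.conf or on the PAM line), so a configured non-default path is missed here; at minimum mention that in the log message, which now also reads awkwardly ("did not find ... directory or ... file on disk or its file size is zero bytes").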

View File

@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -27,7 +26,7 @@
#################################################################################
#
BANNER_FILES="${ROOTDIR}etc/issue ${ROOTDIR}etc/issue.net ${ROOTDIR}etc/motd"
LEGAL_BANNER_STRINGS="audit access authori condition connect consent continu criminal enforce evidence forbidden intrusion law legal legislat log monitor owner penal policy policies privacy private prohibited record restricted secure subject system terms warning"
LEGAL_BANNER_STRINGS="audit access authori condition connect consent continu criminal enforce evidence forbidden intrusion law legal legislat log monitor owner penal policy policies privacy private prohibited prosecute record report restricted secure subject system terms warning"
#
#################################################################################
#
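Review bot: the new keyword `prosecute` will not match "prosecution" or "prosecuting", whereas the existing list deliberately uses stems (`authori`, `continu`, `legislat`) to cover such variants; use `prosecut`. `report` is also a very generic word that appears in many non-legal MOTD texts, so it weakens the banner heuristic; consider dropping it or tightening it.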

View File

@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -147,7 +146,7 @@
fi
;;
"Solaris")
if [ -n "${ROOTDIR}usr/bin/svcs" ]; then
if [ -x "${ROOTDIR}usr/bin/svcs" ]; then
SERVICE_MANAGER="SMF (svcs)"
elif [ -d "${ROOTDIR}etc/init.d" ]; then
SERVICE_MANAGER="SysV Init"
@ -347,7 +346,7 @@
FOUND=0
if [ -d "${ROOTDIR}etc/grub.d" ]; then
CONF_FILES=$(${FINDBINARY} "${ROOTDIR}etc/grub.d" -type f -name "[0-9][0-9]*" -print0 | ${TRBINARY} '\0' ' ' | ${TRBINARY} -d '[:cntrl:]')
CONF_FILES=$(${FINDBINARY} -L "${ROOTDIR}etc/grub.d" -type f -name "[0-9][0-9]*" -print0 | ${TRBINARY} '\0' ' ' | ${TRBINARY} -d '[:cntrl:]')
CONF_FILES="${GRUBCONFFILE} ${ROOTDIR}boot/grub/custom.cfg ${CONF_FILES}"
else
CONF_FILES="${GRUBCONFFILE} ${ROOTDIR}boot/grub/custom.cfg"
@ -460,7 +459,7 @@
BOOT_LOADER_FOUND=1
Display --indent 2 --text "- Checking presence LILO" --result "${STATUS_OK}" --color GREEN
LogText "Checking password option LILO"
FIND=$(${EGREPBINARY} 'password[[:space:]]?=' ${LILOCONFFILE} | ${GREPBINARY} -v "^#")
FIND=$(${GREPBINARY} -E 'password[[:space:]]?=' ${LILOCONFFILE} | ${GREPBINARY} -v "^#")
if [ -z "${FIND}" ]; then
if [ "${MACHINE_ROLE}" = "server" -o "${MACHINE_ROLE}" = "workstation" ]; then
Display --indent 4 --text "- Password option presence " --result "${STATUS_WARNING}" --color RED
@ -605,7 +604,7 @@
else
# FreeBSD (Read /etc/rc.conf file for enabled services)
LogText "Searching for services at startup (rc.conf)"
FIND=$(${EGREPBINARY} -v -i '^#|none' ${ROOTDIR}etc/rc.conf | ${EGREPBINARY} -i '_enable.*(yes|on|1)' | ${SORTBINARY} | ${AWKBINARY} -F= '{ print $1 }' | ${SEDBINARY} 's/_enable//')
FIND=$(${GREPBINARY} -E -v -i '^#|none' ${ROOTDIR}etc/rc.conf | ${GREPBINARY} -E -i '_enable.*(yes|on|1)' | ${SORTBINARY} | ${AWKBINARY} -F= '{ print $1 }' | ${SEDBINARY} 's/_enable//')
fi
COUNT=0
for ITEM in ${FIND}; do
@ -715,7 +714,7 @@
if [ -n "${CHKCONFIGBINARY}" ]; then
LogText "Result: chkconfig binary found, trying that to discover information"
LogText "Searching for services at startup (chkconfig, runlevel 3 and 5)"
FIND=$(${CHKCONFIGBINARY} --list | ${EGREPBINARY} '3:on|5:on' | ${AWKBINARY} '{ print $1 }')
FIND=$(${CHKCONFIGBINARY} --list | ${GREPBINARY} -E '3:on|5:on' | ${AWKBINARY} '{ print $1 }')
COUNT=0
Report "boot_service_tool=chkconfig"
for ITEM in ${FIND}; do
@ -785,7 +784,7 @@
if [ -d ${DIR} ]; then
LogText "Result: directory ${DIR} found"
LogText "Test: checking for available files in directory"
FIND=$(${FINDBINARY} ${DIR} -type f -print | ${SORTBINARY})
FIND=$(${FINDBINARY} -L ${DIR} -type f -print | ${SORTBINARY})
if [ -n "${FIND}" ]; then
LogText "Result: found files in directory, checking permissions now"
for FILE in ${FIND}; do
@ -809,7 +808,7 @@
for NO in 0 1 2 3 4 5 6; do
LogText "Test: Checking ${ROOTDIR}etc/rc${NO}.d scripts for writable bit"
if [ -d ${ROOTDIR}etc/rc${NO}.d ]; then
FIND=$(${FINDBINARY} ${ROOTDIR}etc/rc${NO}.d -type f -print | ${SORTBINARY})
FIND=$(${FINDBINARY} -L ${ROOTDIR}etc/rc${NO}.d -type f -print | ${SORTBINARY})
for I in ${FIND}; do
if IsWorldWritable ${I}; then
FOUND=1
@ -947,7 +946,7 @@
if [ -f ${ROOTDIR}usr/lib/systemd/system/rescue.service ]; then
LogText "Result: file /usr/lib/systemd/system/rescue.service"
LogText "Test: checking presence sulogin for single user mode"
FIND=$(${EGREPBINARY} "^ExecStart=.*sulogin" ${ROOTDIR}usr/lib/systemd/system/rescue.service)
FIND=$(${GREPBINARY} -E "^ExecStart=.*sulogin" ${ROOTDIR}usr/lib/systemd/system/rescue.service)
if [ -n "${FIND}" ]; then
FOUND=1
LogText "Result: found sulogin, so single user is protected"
@ -981,14 +980,14 @@
Report "running_service[]=${ITEM}"
COUNT=$((COUNT + 1 ))
done
LogText "Note: Run rcctl ls all | egrep '^(pf|check_quotas|library_aslr)$' to see all daemons"
LogText "Note: Run rcctl ls all | grep -E '^(pf|check_quotas|library_aslr)$' to see all daemons"
Display --indent 2 --text "- Check running daemons (rcctl)" --result "${STATUS_DONE}" --color GREEN
Display --indent 8 --text "Result: found ${COUNT} running daemons"
LogText "Result: Found ${COUNT} running daemons"
# OpenBSD (Ask rcctl(8) for enabled daemons)
LogText "Searching for enabled daemons (rcctl)"
FIND=$(${RCCTLBINARY} ls on | ${EGREPBINARY} -v '^(pf|check_quotas|library_aslr)$')
FIND=$(${RCCTLBINARY} ls on | ${GREPBINARY} -E -v '^(pf|check_quotas|library_aslr)$')
COUNT=0
Report "boot_service_tool=rcctl"
for ITEM in ${FIND}; do
@ -996,7 +995,7 @@
Report "boot_service[]=${ITEM}"
COUNT=$((COUNT + 1 ))
done
LogText "Note: Run rcctl ls all | egrep '^(pf|check_quotas|library_aslr)$' to see all daemons"
LogText "Note: Run rcctl ls all | grep -E '^(pf|check_quotas|library_aslr)$' to see all daemons"
Display --indent 2 --text "- Check enabled daemons at boot (rcctl)" --result "${STATUS_DONE}" --color GREEN
Display --indent 8 --text "Result: found ${COUNT} enabled daemons at boot"
LogText "Result: Found ${COUNT} enabled daemons at boot"
@ -1017,7 +1016,7 @@
LogText "Result: directory ${DIR} found"
LogText "Test: checking for available files in directory"
# OpenBSD uses symlinks to create another instance of daemons
FIND=$(${FINDBINARY} ${CHECKDIR} \( -type f -o -type l \) -print | ${SORTBINARY})
FIND=$(${FINDBINARY} -L ${CHECKDIR} -type f -print | ${SORTBINARY})
if [ -n "${FIND}" ]; then
LogText "Result: found files in directory, checking permissions now"
for FILE in ${FIND}; do
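Review bot: switching from `\( -type f -o -type l \)` to `-L ... -type f` silently drops dangling symlinks from the result (they were listed before and are arguably worth a log line in an rc.d directory) and now descends into symlinks that point at directories; the permission check does move to the link target, which is the script actually executed, so that part is an improvement. The preceding log line still reports `${DIR}` while the search runs on `${CHECKDIR}`; align the two.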
@ -1090,6 +1089,8 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Run systemd-analyze security"
Display --indent 2 --text "- Running 'systemd-analyze security'"
Display --indent 6 --text "Unit name (exposure value) and predicate"
Display --indent 6 --text "--------------------------------"
${SYSTEMDANALYZEBINARY} security | while read UNIT EXPOSURE PREDICATE HAPPY; do
if [ "${UNIT}" = "UNIT" ]; then
continue
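Review bot: the underline printed at indent 6 is shorter than the header text above it ("Unit name (exposure value) and predicate" is 40 characters, the dashes 32); either match the length or drop the underline, as no other Display header in this file uses one.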
@ -1111,11 +1112,11 @@
;;
UNSAFE | DANGEROUS)
STATUS="${STATUS_UNSAFE}"
COLOR=RED
COLOR=YELLOW
;;
esac
Display --indent 8 --text "- ${UNIT}:" --result "${STATUS}" --color "${COLOR}"
LogText "Result: ${UNIT}: ${EXPOSURE} ${STATUS}"
Display --indent 4 --text "- ${UNIT} (value=${EXPOSURE})" --result "${STATUS}" --color "${COLOR}"
LogText "Result: ${UNIT} has exposure value ${EXPOSURE} with predicate '${STATUS}'"
done
ReportSuggestion "${TEST_NO}" "Consider hardening system services" "Run '${SYSTEMDANALYZEBINARY} security SERVICE' for each service"
fi
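Review bot: `ReportSuggestion "${TEST_NO}" "Consider hardening system services"` is emitted unconditionally after the loop, so the suggestion appears even when every unit came back safe; count the units that hit the UNSAFE/DANGEROUS (or EXPOSED) branches and only suggest when that count is non-zero. Separately, changing the colour for `UNSAFE | DANGEROUS` from RED to YELLOW removes the visual distinction for the highest exposure levels on systemd's scale; if the intent is to tone down the output, keep RED for DANGEROUS at least, and note the reasoning in the changelog entry for BOOT-5264.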

View File

@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Website : https://cisofy.com/
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -107,7 +106,7 @@
LogText "Result: disabling further Docker tests as docker version gave exit code other than zero (0)"
RUN_DOCKER_TESTS=0
fi
FIND=$(${DOCKERBINARY} info 2>&1 | ${GREPBINARY} "^WARNING:" | ${CUTBINARY} -d " " -f 2- | ${SEDBINARY} 's/ /:space:/g')
FIND=$(${DOCKERBINARY} info 2>&1 | ${GREPBINARY} -E "^WARNING:|^ERROR:" | ${CUTBINARY} -d " " -f 2- | ${SEDBINARY} 's/ /:space:/g')
if [ ! "${FIND}" = "" ]; then
LogText "Result: found warning(s) in output"
for I in ${FIND}; do
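Review bot: with `^ERROR:` added to the grep pattern, the `LogText "Result: found warning(s) in output"` line and the loop that follows now present daemon errors (for example `docker info` failing to reach the daemon) as warnings. Either log and report ERROR lines under their own label, or treat an ERROR line like the non-zero exit code handled just above (`RUN_DOCKER_TESTS=0`), because the container and image tests further down will otherwise run against empty output.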
@ -137,7 +136,7 @@
# Check total of containers
LogText "Test: checking total amount of Docker containers"
DOCKER_CONTAINERS_TOTAL=$(${DOCKERBINARY} info 2> /dev/null | ${EGREPBINARY} "^[ \t]?Containers: " | ${AWKBINARY} '{ print $2 }')
DOCKER_CONTAINERS_TOTAL=$(${DOCKERBINARY} info 2> /dev/null | ${GREPBINARY} -E "^[ \t]?Containers: " | ${AWKBINARY} '{ print $2 }')
if [ -z "${DOCKER_CONTAINERS_TOTAL}" ]; then
DOCKER_CONTAINERS_TOTAL=0
fi
@ -224,6 +223,4 @@
WaitForKeyPress
#
#================================================================================
# Lynis - Copyright 2007-2021, CISOfy - https://cisofy.com
# EOF

View File

@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -54,7 +53,7 @@
LASTSUBDIR=""
LogText "Result: found directory ${DIR}"
# Search for certificate files
FILES=$(${FINDBINARY} ${DIR} -type f 2> /dev/null | ${EGREPBINARY} ".cer$|.crt$|.der$|.pem$|^cert" | ${SORTBINARY} | ${SEDBINARY} 's/ /__space__/g')
FILES=$(${FINDBINARY} ${DIR} -type f 2> /dev/null | ${GREPBINARY} -E ".cer$|.crt$|.der$|.pem$|^cert" | ${SORTBINARY} | ${SEDBINARY} 's/ /__space__/g')
for FILE in ${FILES}; do
FILE=$(echo ${FILE} | ${SEDBINARY} 's/__space__/ /g')
# See if we need to skip this path
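Review bot: the pattern `".cer$|.crt$|.der$|.pem$|^cert"` carried over into the new `${GREPBINARY} -E` call has unescaped dots, so any file whose name merely ends in `xcer`, `acrt`, `under` or `dpem` is picked up and parsed as a certificate. Since the line is being rewritten anyway, escape them: `'\.cer$|\.crt$|\.der$|\.pem$|^cert'`. The same unescaped pattern (`".cer$|.der$"`) appears in the next hunk and should get the same fix.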
@ -80,7 +79,7 @@
if [ ${CANREAD} -eq 1 ]; then
# Only check the files that are not installed by a package, unless enabled by profile
if [ ${SSL_CERTIFICATE_INCLUDE_PACKAGES} -eq 1 ] || ! FileInstalledByPackage "${FILE}"; then
echo ${FILE} | ${EGREPBINARY} -q ".cer$|.der$"
echo ${FILE} | ${GREPBINARY} -E -q ".cer$|.der$"
CER_DER=$?
OUTPUT=$(${GREPBINARY} -q 'BEGIN CERT' "${FILE}")
if [ $? -eq 0 -o ${CER_DER} -eq 0 ]; then
@ -217,6 +216,33 @@
fi
#
#################################################################################
#
# Test : CRYP-7932
# Description : Determine if system has enabled macOS FileVault encryption
Register --test-no CRYP-7932 --os macOS --weight L --network NO --category crypto --description "Determine if system has enabled macOS FileVault encryption"
if [ ${SKIPTEST} -eq 0 ]; then
if command -v fdesetup &> /dev/null; then
case $(fdesetup status) in
*"FileVault is On."*)
LogText "Result: FileVault is enabled."
Display --indent 2 --text "- FileVault is enabled." --result "${STATUS_OK}" --color GREEN
Report "encryption[]=filevault"
AddHP 3 3
;;
*)
LogText "Result: FileVault is not enabled."
Display --indent 2 --text "- FileVault is not enabled." --result "${STATUS_WARNING}" --color RED
AddHP 0 3
;;
esac
else
LogText "Result: fdesetup command not found. Unable to determine FileVault status."
Display --indent 2 --text "- Unable to determine FileVault status (fdesetup command not found)." --result "${STATUS_WARNING}" --color YELLOW
AddHP 0 3
fi
fi
#
#################################################################################
#
# Test : CRYP-8002
# Description : Gather available kernel entropy
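Review bot: `command -v fdesetup &> /dev/null` in the new CRYP-7932 test uses the bash-only `&>` redirection. Lynis runs under `/bin/sh`, and a POSIX shell parses that line as `command -v fdesetup &` followed by an empty command with `> /dev/null`, which always succeeds, so the `if` branch is taken even when fdesetup is absent and `fdesetup status` then fails into the `*)` branch with a red warning. Use `command -v fdesetup > /dev/null 2>&1` as the rest of the code base does. Two smaller points: the "fdesetup command not found" branch applies `AddHP 0 3`, penalising the hardening index for a detection failure rather than a finding, so consider not scoring the undetermined case; and `fdesetup status` also prints intermediate states (enablement deferred to next restart, encryption in progress), which the `*)` branch reports as "not enabled", so logging the raw status line would make the report easier to interpret.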

View File

@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -45,7 +44,7 @@
# Description : Check if MySQL is being used
Register --test-no DBS-1804 --weight L --network NO --category security --description "Checking active MySQL process"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${PSBINARY} ax | ${EGREPBINARY} "mariadb|mysqld|mysqld_safe" | ${GREPBINARY} -v "grep")
FIND=$(${PSBINARY} ax | ${GREPBINARY} -E "mariadb|mysqld|mysqld_safe" | ${GREPBINARY} -v "grep")
if [ -z "${FIND}" ]; then
if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- MySQL process status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
LogText "Result: MySQL process not active"
@ -127,12 +126,25 @@
for FILE in ${MONGO_CONF_FILES}; do
if [ -f ${FILE} ]; then
LogText "Result: found MongoDB configuration file (${FILE})"
LogText "Test: determine authorization setting in new style YAML format"
AUTH_IN_CONFIG=$(${GREPBINARY} "authorization: enabled" ${FILE} | ${GREPBINARY} -E -v "(^#|#auth)")
if HasData "${AUTH_IN_CONFIG}"; then
LogText "Result: GOOD, found authorization option enabled in configuration file (YAML format)"
MONGODB_AUTHORIZATION_ENABLED=1
else
# YAML with quotes
if [ ${MONGODB_AUTHORIZATION_ENABLED} -eq 0 ]; then
LogText "Test: determine authorization setting in new style YAML format"
AUTH_IN_CONFIG=$(${GREPBINARY} "authorization: \"enabled\"" ${FILE} | ${GREPBINARY} -E -v "(^#|#auth)")
if HasData "${AUTH_IN_CONFIG}"; then
LogText "Result: GOOD, found authorization option enabled in configuration file (YAML format with quotes)"
MONGODB_AUTHORIZATION_ENABLED=1
fi
fi
# YAML without quotes
if [ ${MONGODB_AUTHORIZATION_ENABLED} -eq 0 ]; then
AUTH_IN_CONFIG=$(${GREPBINARY} "authorization: enabled" ${FILE} | ${GREPBINARY} -E -v "(^#|#auth)")
if HasData "${AUTH_IN_CONFIG}"; then
LogText "Result: GOOD, found authorization option enabled in configuration file (YAML format without quotes)"
MONGODB_AUTHORIZATION_ENABLED=1
fi
fi
# Old style
if [ ${MONGODB_AUTHORIZATION_ENABLED} -eq 0 ]; then
LogText "Result: did NOT find authorization option enabled in configuration file (with YAML format)"
LogText "Test: now searching for old style configuration (auth = true) in configuration file"
AUTH_IN_CONFIG=$(${GREPBINARY} "auth = true" ${FILE} | ${GREPBINARY} -v "noauth" | ${GREPBINARY} -E -v "(^#|#auth)")
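Review bot: the two new YAML branches still miss the single-quoted form `authorization: 'enabled'` and any extra whitespace after the colon, and the `LogText "Test: determine authorization setting in new style YAML format"` line now only fires inside the quoted branch, so the unquoted check leaves no trace in the log. One pattern covers all three spellings and keeps one log line: `AUTH_IN_CONFIG=$(${GREPBINARY} -E "^[[:space:]]*authorization:[[:space:]]*[\"']?enabled[\"']?" ${FILE} | ${GREPBINARY} -v "^[[:space:]]*#")`. Note also that `${GREPBINARY} -E -v "(^#|#auth)"` in both branches discards only lines where the `#` is at column 0 or immediately precedes `auth`; an indented comment such as `  # authorization: enabled` (common in YAML) still counts as enabled.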
@ -173,8 +185,10 @@
# Test : DBS-1826
# Description : Check if PostgreSQL is being used
Register --test-no DBS-1826 --weight L --network NO --category security --description "Checking active PostgreSQL processes"
for PROCES in postgres postmaster
do
if [ ${SKIPTEST} -eq 0 ]; then
if IsRunning "postgres"; then
if IsRunning "${PROCES}"; then
Display --indent 2 --text "- PostgreSQL processes status" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: PostgreSQL is active"
POSTGRESQL_RUNNING=1
@ -182,9 +196,10 @@
Report "postgresql_running=${POSTGRESQL_RUNNING}"
else
if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- PostgreSQL processes status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
LogText "Result: PostgreSQL process not active"
LogText "Result: PostgreSQL process ${PROCES} not active"
fi
fi
done
#
#################################################################################
#
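Review bot: wrapping the whole DBS-1826 body in `for PROCES in postgres postmaster` means that on a host where both process names are present the `Display`, `LogText "Result: PostgreSQL is active"` and `Report "postgresql_running=${POSTGRESQL_RUNNING}"` lines run twice, and on a host running only `postmaster` the debug "not found" line is still emitted for `postgres` before the hit. Detect first and report once: `for PROCES in postgres postmaster; do if IsRunning "${PROCES}"; then POSTGRESQL_RUNNING=1; break; fi; done` and then branch on `${POSTGRESQL_RUNNING}` for the Display/Report/LogText. `PROCES` should also be spelled `PROCESS`.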
@ -198,13 +213,15 @@
# Arch /var/lib/postgres/data/postgresql.conf
# CentOS/Fedora /var/lib/pgsql/data/postgresql.conf
# Ubuntu /etc/postgresql/x.y/main/postgresql.conf
# FreeBSD /var/db/postgres/data[0-9][0-9]/postgresql.conf
if [ "${POSTGRESQL_RUNNING}" -eq 1 ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="PostgreSQL not installed or not running"; fi
Register --test-no DBS-1828 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Test PostgreSQL configuration"
if [ ${SKIPTEST} -eq 0 ]; then
FIND_PATHS="${ROOTDIR}etc/postgres ${ROOTDIR}var/lib/postgres/data ${ROOTDIR}usr/local/pgsql/data"
CONFIG_FILES=$(${FINDBINARY} ${FIND_PATHS} -type f -name "*.conf" -print0 2> /dev/null | ${TRBINARY} -cd '[:print:]\0' | ${TRBINARY} -d '\n' | ${TRBINARY} '\0' '\n' | xargs -i sh -c 'test -r "{}" && echo "{}"' | ${SEDBINARY} "s/ /:space:/g")
FIND_PATHS=$(${LSBINARY} -d ${ROOTDIR}usr/local/pgsql/data* 2> /dev/null)
FIND_PATHS="${FIND_PATHS} ${ROOTDIR}etc/postgres ${ROOTDIR}etc/postgresql ${ROOTDIR}var/lib/postgres/data ${ROOTDIR}usr/local/pgsql/data ${ROOTDIR}var/lib/pgsql/data ${ROOTDIR}var/db/postgres/data[0-9][0-9]"
CONFIG_FILES=$(${FINDBINARY} -L ${FIND_PATHS} -type f -name "*.conf" -print0 2> /dev/null | ${TRBINARY} -cd '[:print:]\0' | ${TRBINARY} -d '\n' | ${TRBINARY} '\0' '\n' | xargs -I'{}' sh -c 'test -r "{}" && echo "{}"' | ${SEDBINARY} "s/ /:space:/g")
for CF in ${CONFIG_FILES}; do
Report "postgresql_config_file[]=${CF}"
LogText "Found configuration file (${CF})"
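Review bot: the rewritten `CONFIG_FILES=` line keeps `xargs -I'{}' sh -c 'test -r "{}" && echo "{}"'`, which splices each discovered file name into a shell command string. A file name containing a quote or `$(...)` under one of these data directories, which belong to the database user while Lynis runs as root, is then interpreted by `sh -c` instead of being tested. Pass the name as a positional argument: `xargs -I'{}' sh -c 'test -r "$1" && echo "$1"' sh '{}'`. Minor: `${ROOTDIR}usr/local/pgsql/data` is listed twice (once via the `${LSBINARY} -d ...data*` glob, once literally), and `-L` now makes `find` follow symlinked data directories, so a symlink into one of the other listed paths yields duplicate `postgresql_config_file[]` entries; a `| ${SORTBINARY} -u` before the `sed` would dedupe them.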
@ -231,7 +248,7 @@
# reco: recovery (optional)
Register --test-no DBS-1840 --weight L --network NO --category security --description "Checking active Oracle processes"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${PSBINARY} ax | ${EGREPBINARY} "ora_pmon|ora_smon|tnslsnr" | ${GREPBINARY} -v "grep")
FIND=$(${PSBINARY} ax | ${GREPBINARY} -E "ora_pmon|ora_smon|tnslsnr" | ${GREPBINARY} -v "grep")
if [ -z "${FIND}" ]; then
if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- Oracle processes status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
LogText "Result: Oracle process(es) not active"
@ -298,10 +315,16 @@
if [ ${REDIS_RUNNING} -eq 1 ]; then PREQS_METS="YES"; else PREQS_MET="NO"; SKIPREASON="Redis not running"; fi
Register --test-no DBS-1882 --weight L --network NO --preqs-met "${PREQS_MET}" --skip-reason "${SKIPREASON}" --category security --description "Redis configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
PATHS="${ROOTDIR}etc/redis ${ROOTDIR}usr/local/etc/redis ${ROOTDIR}usr/local/redis/etc"
PATHS="${ROOTDIR}etc/redis ${ROOTDIR}usr/local/etc ${ROOTDIR}usr/local/etc/redis ${ROOTDIR}usr/local/redis/etc"
if [ ${QNAP_DEVICE} -eq 1 ]; then
PATHS="${PATHS} ${ROOTDIR}share/CACHEDEV1_DATA/.qpkg/QKVM/usr/etc/redis.conf"
fi
if [ -d "${ROOTDIR}snap" ]; then
for SNAP_PATH in $(${FINDBINARY} ${ROOTDIR}snap -name 'redis.conf' -type f | ${SEDBINARY} 's/redis.conf$//g'); do
PATHS="${PATHS} ${SNAP_PATH}"
done
fi
ALLFILES=$(${LSBINARY} ${ROOTDIR}etc/redis.conf 2> /dev/null)
FOUND=0
for DIR in ${PATHS}; do
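Review bot: the context line `if [ ${REDIS_RUNNING} -eq 1 ]; then PREQS_METS="YES"; else PREQS_MET="NO"; ...` has a typo (`PREQS_METS`), so when Redis is running PREQS_MET keeps whatever value the previous test left behind and DBS-1882 may be skipped or registered on stale state; since this hunk touches the test, fix it to `PREQS_MET="YES"`. In the new snap loop, `${SEDBINARY} 's/redis.conf$//g'` leaves a trailing slash on every path and the dot is unescaped; `${SEDBINARY} 's,/redis\.conf$,,'` gives a clean directory name. The `${FINDBINARY} ${ROOTDIR}snap -name 'redis.conf' -type f` call also lacks the `2> /dev/null` the other find calls use, so unreadable snap mounts print errors to the terminal.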

View File

@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are

View File

@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -104,7 +103,7 @@
if [ -n "${AIDEBINARY}" -a -n "${AIDECONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FINT-4316 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Presence of AIDE database and size check"
if [ ${SKIPTEST} -eq 0 ]; then
AIDE_DB=$(${EGREPBINARY} '(^database|^database_in)=' ${AIDECONFIG} | ${SEDBINARY} "s/.*://")
AIDE_DB=$(${GREPBINARY} -E '(^database|^database_in)=' ${AIDECONFIG} | ${SEDBINARY} "s/.*://")
if case ${AIDE_DB} in @@*) ;; *) false;; esac; then
I=$(${GREPBINARY} "@@define.*DBDIR" ${AIDECONFIG} | ${AWKBINARY} '{print $3}')
AIDE_DB=$(echo ${AIDE_DB} | ${SEDBINARY} "s#.*}#${I}#")
@ -330,7 +329,7 @@
ROOTDEVICE=$(${MOUNTBINARY} | ${AWKBINARY} '/ on \/ type / { print $1 }')
for DEVICE in /dev/mapper/*; do
if [ -e "${DEVICE}" ]; then
FIND=$(${INTEGRITYSETUPBINARY} status "${DEVICE}" | ${EGREPBINARY} 'type:.*INTEGRITY')
FIND=$(${INTEGRITYSETUPBINARY} status "${DEVICE}" | ${GREPBINARY} -E 'type:.*INTEGRITY')
if [ ! -z "${FIND}" ]; then
FOUND=1
LogText "Result: found dm-integrity device ${DEVICE}"
@ -370,7 +369,7 @@
ROOTDEVICE=$(${MOUNTBINARY} | ${AWKBINARY} '/ on \/ type / { print $1 }')
for DEVICE in /dev/mapper/*; do
if [ -e "${DEVICE}" ]; then
FIND=$(${VERITYSETUPBINARY} status "${DEVICE}" | ${EGREPBINARY} 'type:.*VERITY')
FIND=$(${VERITYSETUPBINARY} status "${DEVICE}" | ${GREPBINARY} -E 'type:.*VERITY')
if [ ! -z "${FIND}" ]; then
FOUND=1
LogText "Result: found dm-verity device ${DEVICE}"
@ -398,13 +397,32 @@
fi
#
#################################################################################
#
# Test : FINT-4344
# Description : Check if Wazuh system integrity tool is running
Register --test-no FINT-4344 --weight L --network NO --category security --description "Wazuh syscheck daemon running"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking if Wazuh syscheck daemon is running"
if IsRunning "wazuh-syscheckd"; then
LogText "Result: syscheck (Wazuh) active"
Report "file_integrity_tool[]=wazuh"
FILE_INT_TOOL="wazuh-syscheck"
FILE_INT_TOOL_FOUND=1
Display --indent 4 --text "- Wazuh (syscheck)" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: syscheck (Wazuh) is not active"
if IsVerbose; then Display --indent 4 --text "- Wazuh" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
fi
fi
#
#################################################################################
#
# Test : FINT-4402 (was FINT-4316)
# Description : Check if AIDE is configured to use SHA256 or SHA512 checksums
if [ ! "${AIDEBINARY}" = "" -a -n "${AIDECONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FINT-4402 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "AIDE configuration: Checksums (SHA256 or SHA512)"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${GREPBINARY} -v "^#" ${AIDECONFIG} | ${EGREPBINARY} "= .*(sha256|sha512)")
FIND=$(${GREPBINARY} -v "^#" ${AIDECONFIG} | ${GREPBINARY} -E "= .*(sha256|sha512)")
if [ -z "${FIND}" ]; then
LogText "Result: No SHA256 or SHA512 found for creating checksums"
Display --indent 6 --text "- AIDE config (Checksum)" --result Suggestion --color YELLOW
@ -438,7 +456,7 @@
#
#################################################################################
#
WaitForKeyPress
#
#================================================================================
# Lynis - Copyright 2007-2021 Michael Boelen, CISOfy - https://cisofy.com
WaitForKeyPress
# EOF

View File

@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -35,7 +34,7 @@
FOUND=0
for PROFILE in ${PROFILES}; do
LogText "Using profile ${PROFILE} for baseline."
FILES=$(${EGREPBINARY} '^permfile=|^permdir=' ${PROFILE} | ${CUTBINARY} -d= -f2 | ${CUTBINARY} -d: -f1)
FILES=$(${GREPBINARY} -E '^permfile=|^permdir=' ${PROFILE} | ${CUTBINARY} -d= -f2 | ${CUTBINARY} -d: -f1)
for F in ${FILES}; do
LogText "Test: checking file/directory ${F}"
if [ -f "${F}" ]; then
@ -70,6 +69,4 @@
WaitForKeyPress
#
#================================================================================
# Lynis - Copyright 2007-2021, CISOfy - https://cisofy.com
# EOF

View File

@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Website : https://cisofy.com/
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -346,7 +345,13 @@
LINUX_KERNEL_MAJOR=$(echo $OS_KERNELVERSION | ${AWKBINARY} -F. '{print $1}')
LINUX_KERNEL_MINOR=$(echo $OS_KERNELVERSION | ${AWKBINARY} -F. '{print $2}')
if [ -n "${LINUX_KERNEL_MAJOR}" -a -n "${LINUX_KERNEL_MINOR}" ]; then
if [ ${LINUX_KERNEL_MAJOR} -ge 3 -a ${LINUX_KERNEL_MINOR} -ge 3 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${LINUX_KERNEL_MAJOR} -ge 3 -a ${LINUX_KERNEL_MINOR} -ge 3 ]; then
PREQS_MET="YES";
elif [ ${LINUX_KERNEL_MAJOR} -ge 4 ]; then
PREQS_MET="YES";
else
PREQS_MET="NO";
fi
else
PREQS_MET="NO";
fi
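Review bot: the added `elif [ ${LINUX_KERNEL_MAJOR} -ge 4 ]` branch fixes kernels such as 4.1 or 5.0 (which the old `-ge 3 -a -ge 3` test rejected), but the resulting chain is hard to read: the first condition's `-ge 3` on the major version only matters for major 3 once the elif exists. State the intent directly and drop the stray semicolons after the assignments: `if [ ${LINUX_KERNEL_MAJOR} -gt 3 ] || [ ${LINUX_KERNEL_MAJOR} -eq 3 -a ${LINUX_KERNEL_MINOR} -ge 3 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi`.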
@ -356,7 +361,7 @@
# Proc should be mounted with 'hidepid=2' or 'hidepid=1' at least
# https://www.kernel.org/doc/html/latest/filesystems/proc.html#chapter-4-configuring-procfs
LogText "Test: check proc mount with incorrect mount options"
FIND=$(${MOUNTBINARY} | ${EGREPBINARY} "${ROOTDIR}proc " | ${EGREPBINARY} -o "hidepid=([0-9]|[a-z][a-z]*)")
FIND=$(${MOUNTBINARY} | ${GREPBINARY} -E "${ROOTDIR}proc " | ${GREPBINARY} -E -o "hidepid=([0-9]|[a-z][a-z]*)")
if [ "${FIND}" = "hidepid=4" -o "${FIND}" = "hidepid=ptraceable" ]; then # https://lwn.net/Articles/817137/
Display --indent 2 --text "- Testing /proc mount (hidepid)" --result "${STATUS_OK}" --color GREEN
LogText "Result: proc mount mounted with ${FIND}"
@ -504,7 +509,7 @@
fi
LogText "Test: Checking acl option on xfs root file system"
FIND=$(${MOUNTBINARY} | ${AWKBINARY} '{ if ($3=="/" && $5~/xfs/) { print $6 } }' | ${EGREPBINARY} 'no_acl|no_user_xattr')
FIND=$(${MOUNTBINARY} | ${AWKBINARY} '{ if ($3=="/" && $5~/xfs/) { print $6 } }' | ${GREPBINARY} -E 'no_acl|no_user_xattr')
if [ -z "${FIND}" ]; then
FOUND=1
# some other tests to do ?
@ -638,7 +643,7 @@
NDEVMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v nodev | ${WCBINARY} -l)
NEXECMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v noexec | ${WCBINARY} -l)
NSUIDMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v nosuid | ${WCBINARY} -l)
NWRITEANDEXECMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v noexec | ${EGREPBINARY} -v '^\(ro[,)]' | ${WCBINARY} -l)
NWRITEANDEXECMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v noexec | ${GREPBINARY} -E -v '^\(ro[,)]' | ${WCBINARY} -l)
LogText "Result: Total without nodev:${NDEVMOUNTS} noexec:${NEXECMOUNTS} nosuid:${NSUIDMOUNTS} ro or noexec (W^X): ${NWRITEANDEXECMOUNTS}, of total ${NMOUNTS}"
Display --indent 2 --text "- Total without nodev:${NDEVMOUNTS} noexec:${NEXECMOUNTS} nosuid:${NSUIDMOUNTS} ro or noexec (W^X): ${NWRITEANDEXECMOUNTS} of total ${NMOUNTS}"
fi
@ -726,11 +731,51 @@
#
#################################################################################
#
# Test : FILE-6398 TODO
# Test : FILE-6398
# Description : Check if JBD (Journal Block Device) driver is loaded
# Want to contribute to Lynis? Create this test
# Notes : Test is temporarily disabled, as JBD might be in a kernel (built-in) - https://github.com/CISOfy/lynis/issues/1508
# Register --test-no FILE-6398 --os Linux --weight L --network NO --category security --description "Checking if JBD (Journal Block Device) driver is loaded"
# if [ ${SKIPTEST} -eq 0 ]; then
# LogText "Test: Checking if JBD (Journal Block Device) driver is loaded"
# NOTINUSE=0
# # Only perform testing if we know that KRNL-5723 performed tests
# if [ ${MONOLITHIC_KERNEL_TESTED} -eq 1 ]; then
# # Cannot check if driver is loaded/present if kernel is monolithic
# if [ ${MONOLITHIC_KERNEL} -eq 0 ]; then
# JBD=$(${LSMODBINARY} | ${GREPBINARY} ^jbd)
# if [ -n "${JBD}" ]; then
# LogText "Result: JBD driver is loaded"
# INUSE=$(echo ${JBD} | ${AWKBINARY} '{if ($3 -ne 0) {print $4}}')
# if [ -n "${INUSE}" ]; then
# LogText "Result: JBD driver is in use by drivers: ${INUSE}"
# Report "JBD driver is in use by drivers: ${INUSE}"
# Display --indent 2 --text "- JBD driver loaded and in use" --result "${STATUS_OK}" --color GREEN
# else
# NOTINUSE=1
# LogText "Result: JBD driver loaded, but not in use"
# Report "JBD driver is loaded, but not in use."
# Display --indent 2 --text "- JBD driver loaded, but not in use" --result "${STATUS_SUGGESTION}" --color YELLOW
# fi
# else
# NOTINUSE=2
# LogText "Result: JBD driver not loaded"
# Report "JBD driver not loaded."
# Display --indent 2 --text "- JBD driver is not loaded" --result "${STATUS_CHECK_NEEDED}" --color YELLOW
# fi
# if [ ${NOTINUSE} -eq 1 ]; then
# ReportSuggestion "${TEST_NO}" "The JBD (Journal Block Device) driver is loaded but not in use." "You are currently not using any filesystems with journaling, i.e. you have greater risk of data corruption in case of system crash."
# elif [ ${NOTINUSE} -eq 2 ]; then
# ReportSuggestion "${TEST_NO}" "The JBD (Journal Block Device) driver is not loaded." "Since boot-time, you have not been using any filesystems with journaling. Alternatively, reason could be driver is blacklisted."
# fi
# else
# Display --indent 2 --text "- JBD driver: unable to check" --result "${STATUS_UNKNOWN}" --color YELLOW
# LogText "Kernel is monolithic - cannot check if JBD driver is part of compiled kernel."
# fi
# else
# Display --indent 2 --text "- JBD driver: test skipped" --result "${STATUS_UNKNOWN}" --color YELLOW
# LogText "Test skipped as the kernel type (monolithic/modular) is unknown"
# fi
# fi
#
#################################################################################
#
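Review bot: disabling FILE-6398 by commenting out the entire body leaves some forty lines of dead code that will drift from the helpers it calls; either remove the body and keep the header with the issue link, or keep the `Register` line with `--preqs-met NO` and a skip reason so the report records why the test no longer runs. If it is revived, two things in the commented code need attention: `${AWKBINARY} '{if ($3 -ne 0) {print $4}}'` is a shell comparison pasted into awk (awk uses `!=`), so INUSE was never computed correctly; and the monolithic-kernel caveat from the Notes line can be sidestepped without lsmod, because an ext3/ext4 entry in `/proc/filesystems` implies jbd2 is present whether built-in or loaded.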
@ -744,7 +789,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking locate database"
FOUND=0
LOCATE_DBS="${ROOTDIR}var/lib/mlocate/mlocate.db ${ROOTDIR}var/lib/locate/locatedb ${ROOTDIR}var/lib/locatedb ${ROOTDIR}var/lib/slocate/slocate.db ${ROOTDIR}var/cache/locate/locatedb ${ROOTDIR}var/db/locate.database"
LOCATE_DBS="${ROOTDIR}var/cache/locate/locatedb ${ROOTDIR}var/db/locate.database ${ROOTDIR}var/lib/locate/locatedb ${ROOTDIR}var/lib/locatedb ${ROOTDIR}var/lib/mlocate/mlocate.db ${ROOTDIR}var/lib/plocate/plocate.db ${ROOTDIR}var/lib/slocate/slocate.db"
for FILE in ${LOCATE_DBS}; do
if [ -f ${FILE} ]; then
LogText "Result: locate database found (${FILE})"
@ -814,13 +859,13 @@
AVAILABLE_MODPROBE_FS=""
for FS in ${LIST_FS_NOT_SUPPORTED}; do
# Check if filesystem is present in modprobe output
FIND=$(${MODPROBEBINARY} -v -n ${FS} 2>/dev/null | ${EGREPBINARY} "/${FS}.ko" | ${TAILBINARY} -1)
FIND=$(${MODPROBEBINARY} -v -n ${FS} 2>/dev/null | ${GREPBINARY} -E "/${FS}.ko" | ${TAILBINARY} -1)
if [ -n "${FIND}" ]; then
LogText "Result: found ${FS} support in the kernel (output = ${FIND})"
Debug "Module ${FS} present in the kernel"
LogText "Test: Checking if ${FS} is active"
# Check if FS is present in lsmod output
FIND=$(${LSMODBINARY} | ${EGREPBINARY} "^${FS}")
FIND=$(${LSMODBINARY} | ${GREPBINARY} -E "^${FS}")
if IsEmpty "${FIND}"; then
LogText "Result: module ${FS} is currently not loaded in the kernel."
AddHP 2 3
@ -835,15 +880,19 @@
AddHP 3 3
if IsDebug; then Display --indent 6 --text "- Module ${FS} not present in the kernel" --result OK --color GREEN; fi
fi
for SUBDIR in "${ROOTDIR}etc" "/usr/lib"; do
FIND=$(${LSBINARY} ${SUBDIR}/modprobe.d/* 2> /dev/null)
if [ -n "${FIND}" ]; then
FIND1=$(${EGREPBINARY} "^blacklist ${FS}$" ${SUBDIR}/modprobe.d/* | ${GREPBINARY} -v "#")
FIND2=$(${EGREPBINARY} "^install ${FS} /bin/true$" ${SUBDIR}/modprobe.d/* | ${GREPBINARY} -v "#")
if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then
Display --indent 4 --text "- Module $FS is blacklisted" --result "OK" --color GREEN
LogText "Result: module ${FS} is blacklisted"
break
for SUBDIR in "${ROOTDIR}etc" "${ROOTDIR}usr/lib"; do
if [ -d "${SUBDIR}/modprobe.d" ]; then
LogText "Result: directory ${SUBDIR}/modprobe.d exists"
FIND=$(${LSBINARY} "${SUBDIR}/modprobe.d/*" 2> /dev/null)
if [ -n "${FIND}" ]; then
FIND1=$(${GREPBINARY} -E "^blacklist[[:space:]]+${FS}$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
FIND2=$(${GREPBINARY} -E "^install[[:space:]]+${FS}[[:space:]]+/bin/(true|false)$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then
Display --indent 4 --text "- Module $FS is blacklisted" --result "OK" --color GREEN
LogText "Result: module ${FS} is blacklisted"
break
fi
fi
fi
done
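Review bot: two defects in the rewritten blacklist loop make it dead code. `FIND=$(${LSBINARY} "${SUBDIR}/modprobe.d/*" 2> /dev/null)` quotes the glob, so `ls` looks for a file literally named `*` and FIND is empty unless such a file exists; the old line left the glob unquoted. And the two grep lines search `${ROOTDIR}etc/modprobe.d/*` instead of `${SUBDIR}/modprobe.d/*`, so the `${ROOTDIR}usr/lib` iteration never looks at its own directory. Drop the quotes around the glob and use `${SUBDIR}/modprobe.d/*` in both `FIND1` and `FIND2`. Also, `${GREPBINARY} -v "#"` discards any matching line that contains a `#` anywhere, including a valid `blacklist cramfs # CIS` with a trailing comment; `-v "^[[:space:]]*#"` is the usual intent. The widened `install ... /bin/(true|false)` pattern is a good change; on merged-/usr distributions `/usr/bin/true` is also common, so `(/usr)?/bin/(true|false)` covers both.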

View File

@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -109,43 +108,77 @@
Register --test-no FIRE-4508 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check used policies of iptables chains"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 4 --text "- Checking iptables policies of chains" --result "${STATUS_FOUND}" --color GREEN
TABLES="filter"
for TABLE in ${TABLES}; do
LogText "Test: gathering information from table ${TABLE}"
FIND="$FIND""\n"$(${IPTABLESBINARY} -t ${TABLE} --numeric --list | ${EGREPBINARY} -z -o -w '[A-Z]+' | tr -d '\0' | ${AWKBINARY} -v t=${TABLE} 'NR%2 {printf "%s %s ",t, $0 ; next;}1')
done
echo "${FIND}" | while read -r line; do
table=$(echo ${line} | ${AWKBINARY} '{ print $1 }')
chainname=$(echo ${line} | ${AWKBINARY} '{ print $2 }')
policy=$(echo ${line} | ${AWKBINARY} '{ print $3 }')
LogText "Result: iptables ${table} -- ${chainname} policy is ${policy}."
LogText "Result: ${policy}"
if [ "${TABLE}" = "filter" ]; then
if [ "${chainname}" = "INPUT" ]; then
case ${policy} in
"ACCEPT")
LogText "Result: Found ACCEPT for ${chainname} (table: ${table})"
Display --indent 6 --text "- Checking chain ${chainname} (table: ${table}, policy ${policy})" --result "ACCEPT" --color YELLOW
#ReportSuggestion "${TEST_NO}" "Consider settings default chain policy to DROP (iptables chain ${chainname}, table: ${table})"
AddHP 1 3
;;
"DROP")
LogText "Result: Found DROP for ${chainname} (table: ${table})"
Display --indent 6 --text "- Checking chain ${chainname} (table: ${table}, policy ${policy})" --result "DROP" --color GREEN
AddHP 3 3
;;
*)
Display --indent 6 --text "- Checking chain ${chainname} (table: ${table}, policy ${policy})" --result "other" --color YELLOW
LogText "Result: Unknown policy: ${policy}"
#ReportSuggestion "${TEST_NO}" "Check iptables ${chainname} (table: ${table}) chain policy"
;;
esac
IPTABLES_TABLES="filter nat mangle raw security"
for IPTABLES_TABLE in ${IPTABLES_TABLES}
do
${IPTABLESBINARY} -t "${IPTABLES_TABLE}" --list-rules --wait 1 2>/dev/zero |
{
IPTABLES_OUTPUT_QUEUE=""
while IFS="$(printf '\n')" read -r IPTABLES_LINES
do
set -- ${IPTABLES_LINES}
while [ $# -gt 0 ]; do
if [ "${1}" = "-P" ]; then
IPTABLES_CHAIN="${2}"
IPTABLES_TARGET="${3}"
shift 3
elif [ "${1}" = "-A" ] || [ "${1}" = "-N" ]; then
IPTABLES_CHAIN="${2}"
shift 2
elif [ "${1}" = "-j" ]; then
IPTABLES_TARGET="${2}"
shift
else
shift
fi
done
# logics
if [ "${IPTABLES_TABLE}" = "filter" ] || [ "${IPTABLES_TABLE}" = "security" ]; then
if [ "${IPTABLES_CHAIN}" = "INPUT" ]; then
if [ "${IPTABLES_TARGET}" = "ACCEPT" ]; then
IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}\n${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} YELLOW 1 3"
elif [ "${IPTABLES_TARGET}" = "DROP" ]; then
IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}\n${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} GREEN 3 3"
fi
fi
if [ "${IPTABLES_CHAIN}" = "INPUT" ] || [ "${IPTABLES_CHAIN}" = "FORWARD" ] || [ "${IPTABLES_CHAIN}" = "OUTPUT" ]; then
if [ "${IPTABLES_TARGET}" = "NFQUEUE" ]; then
IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE}\n${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} RED 0 3"
fi
fi
fi
done
if [ -n "${IPTABLES_OUTPUT_QUEUE}" ]; then
# Sort output if sort tool is available
if [ -n "${SORTBINARY}" ]; then
LogText "Info: sorting output"
IPTABLES_OUTPUT="$(printf '%b' "${IPTABLES_OUTPUT_QUEUE}" | ${SORTBINARY} -u )"
else
IPTABLES_OUTPUT="$(printf '%b' "${IPTABLES_OUTPUT_QUEUE}")"
fi
printf '%b\n' "${IPTABLES_OUTPUT}" | while IFS="$(printf '\n')" read -r IPTABLES_OUTPUT_LINE
do
if [ -n "$IPTABLES_OUTPUT_LINE" ]; then
set -- ${IPTABLES_OUTPUT_LINE}
while [ $# -gt 0 ]; do
LogText "Result: Found target '${3}' for chain '${2}' (table: ${1})"
Display --indent 6 --text "- Chain ${2} (table: ${1}, target: ${3})" --result "${3}" --color "${4}"
if [ "${3}" = "NFQUEUE" ]
then
ReportSuggestion "${TEST_NO}" "Consider avoid ${3} target if possible (iptables chain ${2}, table: ${1})"
fi
AddHP "${5}" "${6}"
shift 6
done
fi
done
fi
fi
}
unset IPTABLES_TABLE
done
unset IPTABLES_TABLES
fi
unset PREQS_MET
#
#################################################################################
#
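Review bot: the new parser conflates rule targets with chain policies, so a well-configured firewall is penalised. For a `-A INPUT ... -j ACCEPT` rule the `-A` branch sets `IPTABLES_CHAIN=INPUT` and the `-j` branch sets `IPTABLES_TARGET=ACCEPT`; the block under `# logics` then queues `filter INPUT ACCEPT YELLOW 1 3` exactly as it would for `-P INPUT ACCEPT`. With a DROP policy plus any accept rule the output shows both lines and `AddHP 1 3` is applied alongside `AddHP 3 3`. Set a flag only in the `-P` branch and apply the ACCEPT/DROP scoring only when that flag is set, leaving the NFQUEUE check for rule lines. Related: `IPTABLES_CHAIN` and `IPTABLES_TARGET` are never reset, so a `-N chain` line inherits the previous line's target; clear both at the top of the `while ... read -r IPTABLES_LINES` body. Smaller points: `2>/dev/zero` should be `2> /dev/null`; `IFS="$(printf '\n')"` assigns an empty IFS because command substitution strips trailing newlines (it happens to work for `read -r`, but `IFS=` says what is meant); the inner `while [ $# -gt 0 ]; do ... shift 6; done` over a line that always has six fields is a plain sequence of commands; and the suggestion text "Consider avoid ${3} target" should read "Consider avoiding the ${3} target".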
@ -154,7 +187,7 @@
if [ -n "${IPTABLESBINARY}" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no FIRE-4512 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for empty ruleset"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${IPTABLESBINARY} --list --numeric 2> /dev/null | ${EGREPBINARY} -v "^(Chain|target|$)" | ${WCBINARY} -l | ${TRBINARY} -d ' ')
FIND=$(${IPTABLESBINARY} --list --numeric 2> /dev/null | ${GREPBINARY} -E -v "^(Chain|target|$)" | ${WCBINARY} -l | ${TRBINARY} -d ' ')
if [ -n "${FIND}" ]; then
FIREWALL_ACTIVE=1
if [ ${FIND} -le 5 ]; then
@ -506,7 +539,7 @@
Register --test-no FIRE-4540 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check for empty nftables configuration"
if [ ${SKIPTEST} -eq 0 ]; then
# Check for empty ruleset
NFT_RULES_LENGTH=$(${NFTBINARY} --stateless list ruleset 2> /dev/null | ${EGREPBINARY} -v "table|chain|;$|}$|^$" | ${WCBINARY} -l)
NFT_RULES_LENGTH=$(${NFTBINARY} --stateless list ruleset 2> /dev/null | ${GREPBINARY} -E -v "table|chain|;$|}$|^$" | ${WCBINARY} -l)
if [ ${NFT_RULES_LENGTH} -le 3 ]; then
FIREWALL_EMPTY_RULESET=1
LogText "Result: this firewall set has 3 rules or less and is considered to be empty"

View File

@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -99,7 +98,7 @@
else
Display --indent 4 --text "- Installed malware scanner" --result "${STATUS_NOT_FOUND}" --color RED
fi
ReportSuggestion "${TEST_NO}" "Harden the system by installing at least one malware scanner, to perform periodic file system scans" "-" "Install a tool like rkhunter, chkrootkit, OSSEC"
ReportSuggestion "${TEST_NO}" "Harden the system by installing at least one malware scanner, to perform periodic file system scans" "-" "Install a tool like rkhunter, chkrootkit, OSSEC, Wazuh"
AddHP 1 3
LogText "Result: no malware scanner found"
fi

View File

@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -57,7 +56,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
# Check if users' home directories permissions are 750 or more restrictive
FOUND=0
USERDATA=$(${EGREPBINARY} -v '^(daemon|git|halt|root|shutdown|sync)' ${ROOTDIR}etc/passwd | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }')
USERDATA=$(${GREPBINARY} -E -v '^(daemon|git|halt|root|shutdown|sync)' ${ROOTDIR}etc/passwd | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }')
while read -r LINE; do
USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1)
DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6)
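Review bot: the exclusion pattern `'^(daemon|git|halt|root|shutdown|sync)'` in the `USERDATA=` line has no trailing `:` anchor, so any account whose name merely begins with one of these words (for example `gitlab` or `syncthing`) is also excluded and its home directory permissions are never checked. Anchor the first passwd field: `'^(daemon|git|halt|root|shutdown|sync):'`. Unrelated to the egrep migration, but worth fixing while the line is being touched.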
@ -93,7 +92,7 @@ EOF
if [ ${SKIPTEST} -eq 0 ]; then
# Check if users own their home directories
FOUND=0
USERDATA=$(${EGREPBINARY} -v '^(daemon|git|halt|root|shutdown|sync)' ${ROOTDIR}etc/passwd | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }')
USERDATA=$(${GREPBINARY} -E -v '^(daemon|git|halt|root|shutdown|sync)' ${ROOTDIR}etc/passwd | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }')
while read -r LINE; do
USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1)
DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6)
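Review bot: this `USERDATA=` pipeline is byte-for-byte the one in the previous hunk, so the exclusion list now has to be maintained in two places and will drift. Compute it once (a small helper or a variable set at the top of the section) and reuse it in both the permissions and the ownership test.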

@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -41,7 +40,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
# Check for installed inetd daemon
LogText "Test: Checking if inetd is installed"
if PackageIsInstalled "inetd"; then
if PackageIsInstalled "inetd" || PackageIsInstalled "inetutils-inetd"; then
INETD_PACKAGE_INSTALLED=1
LogText "Result: inetd is installed"
Display --indent 2 --text "- Installed inetd package" --result "${STATUS_FOUND}" --color YELLOW
@ -61,7 +60,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
# Check running processes
LogText "Test: Searching for active inet daemon"
if IsRunning "inetd"; then
if IsRunning "inetd" || IsRunning "inetutils-inetd"; then
LogText "Result: inetd is running"
Display --indent 4 --text "- inetd status" --result "${STATUS_ACTIVE}" --color GREEN
INETD_ACTIVE=1
@ -298,7 +297,7 @@
#if [ ${SKIPTEST} -eq 0 ]; then
# # Check presence of Rsh Trust Files
# FOUND=0
# for LINE in $(${CAT_BINARY} /etc/passwd | ${EGREPBINARY} -v '^(root|halt|sync|shutdown)' | ${AWKBINARY} -F: '($7 !="/sbin/nologin" && $7 != "/bin/false") { print }'); do
# for LINE in $(${CAT_BINARY} /etc/passwd | ${GREPBINARY} -E -v '^(root|halt|sync|shutdown)' | ${AWKBINARY} -F: '($7 !="/sbin/nologin" && $7 != "/bin/false") { print }'); do
# USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1)
# DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6)
# if [ -d ${DIR} ]; then
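Review bot: these lines sit inside a commented-out block (`#if`, `# for LINE in ...`), so migrating dead code from `${EGREPBINARY}` to `${GREPBINARY} -E` keeps it in sync but also keeps it alive. Either drop the disabled Rsh trust-file test or re-enable it; if re-enabled, note it still reads `/etc/passwd` without `${ROOTDIR}` and iterates with a word-splitting `for LINE in $(...)`, where the live tests above use `while read -r LINE`.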
@ -371,7 +370,7 @@
#
#################################################################################
#
# Test : INSE-8312
# Test : INSE-8322
# Description : Check if telnet server is installed
Register --test-no INSE-8322 --package-manager-required --weight L --network NO --category security --description "Check if telnet server is installed"
if [ ${SKIPTEST} -eq 0 ]; then
@ -492,6 +491,8 @@
#
#################################################################################
#
# Test : INSE-8050
# Description : Check for insecure services on macOS
if [ -n "${LAUNCHCTL_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="No launchctl binary on this system"; fi
Register --test-no INSE-8050 --os "macOS" --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight M --network NO --category security --description "Check for insecure services on macOS"
if [ ${SKIPTEST} -eq 0 ]; then

188
include/tests_kerberos Normal file
@ -0,0 +1,188 @@
#!/bin/sh
InsertSection "${SECTION_KERBEROS}"
#
#########################################################################
#
# Test : KRB-1000
# Description : Check that Kerberos principals have passwords that expire
Register --test-no KRB-1000 --weight L --network NO --description "Check for Kerberos KDC tools"
if [ -n "${KADMINLOCALBINARY}" ] && [ -n "${KDB5UTILBINARY}" ]
then
PREQS_MET="YES"
# Make sure krb5 debugging doesn't mess up the output
unset KRB5_TRACE
PRINCS="$(${KADMINLOCALBINARY} listprincs 2>/dev/null | ${TRBINARY:-tr} '\n' ' ')"
if [ -z "${PRINCS}" ]
then
PREQS_MET="NO"
fi
else
PREQS_MET="NO"
fi
if [ "${PREQS_MET}" = "YES" ]; then
Display --indent 2 --text "- Check for Kerberos KDC and principals" --result "${STATUS_FOUND}" --color GREEN
else
Display --indent 2 --text "- Check for Kerberos KDC and principals" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
# Test : KRB-1010
# Description : Check that Kerberos principals have passwords that expire
Register --test-no KRB-1010 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check that Kerberos principals have passwords that expire"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
for I in ${PRINCS}
do
FIND="$(${KADMINLOCALBINARY} getprinc "${I}" | ${GREPBINARY} '^Password expiration date:')"
if [ "${FIND}" = "Password expiration date: [never]" ]
then
LogText "Result: Kerberos principal ${I} has a password/key that never expires"
FOUND=1
fi
done
if [ ${FOUND} -eq 1 ]; then
Display --indent 4 --text "- Principals without expiring password" --result "${STATUS_WARNING}" --color RED
ReportSuggestion "${TEST_NO}" "Make sure all your Kerberos principals have expiring passwords"
else
Display --indent 4 --text "- Principals without expiring password" --result "${STATUS_OK}" --color GREEN
fi
fi
#
#################################################################################
#
# Test : KRB-1020
# Description : Check last password change for Kerberos principals
Register --test-no KRB-1020 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check last password change for Kerberos principals"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
for I in ${PRINCS}
do
FIND="$(${KADMINLOCALBINARY} getprinc "${I}" | ${SEDBINARY} -n '/^Last password change:\s\+/s/^Last password change:\s\+//p')"
if [ "${FIND}" = "[never]" ]
then
LogText "Result: Kerberos principal ${I} has a password/key that has never been changed"
FOUND=1
else
J="$(date -d "${FIND}" +%s)"
if [ ${J} -lt $((NOW - 60 * 60 * 24 * 365)) ]
then
LogText "Result: Kerberos principal ${I} has had a password/key change over a year ago"
FOUND=1
fi
fi
done
if [ ${FOUND} -eq 1 ]; then
Display --indent 4 --text "- Principals with late password change" --result "${STATUS_WARNING}" --color RED
ReportSuggestion "${TEST_NO}" "Enforce frequent password/key change for your Kerberos principals"
else
Display --indent 4 --text "- Principals with late password change" --result "${STATUS_OK}" --color GREEN
fi
fi
#
#################################################################################
#
# Test : KRB-1030
# Description : Check that Kerberos principals have a policy associated to them
Register --test-no KRB5-1030 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check that Kerberos principals have a policy associated to them"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
for I in ${PRINCS}
do
FIND="$(${KADMINLOCALBINARY} getprinc "${I}" | ${GREPBINARY} '^Policy:')"
if [ "${FIND}" = "Policy: [none]" ]
then
LogText "Result: Kerberos principal ${I} does not have a policy associated to it"
FOUND=1
fi
done
if [ ${FOUND} -eq 1 ]; then
Display --indent 4 --text "- Principals without associated policy" --result "${STATUS_WARNING}" --color RED
ReportSuggestion "${TEST_NO}" "Make sure all your Kerberos principals have a policy associated to them"
else
Display --indent 4 --text "- Principals without associated policy" --result "${STATUS_OK}" --color GREEN
fi
fi
#
#################################################################################
#
# Test : KRB-1040
# Description : Check various attributes for Kerberos principals
Register --test-no KRB5-1040 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check various attributes for Kerberos principals"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
for I in ${PRINCS}
do
J="$(${KADMINLOCALBINARY} getprinc "${I}" | ${SEDBINARY} -n 's/^Attributes:\s\+\(.\+\)$/\1/p')"
if ContainsString "^K/M@" "${I}" || \
ContainsString "^kadmin/admin@" "${I}" || \
ContainsString "^kadmin/changepw@" "${I}" || \
ContainsString "^krbtgt/" "${I}"
then
if ! ContainsString "\bLOCKDOWN_KEYS\b" "${J}"
then
LogText "Result: Sensitive Kerberos principal ${I} does not have the lockdown_keys attribute"
FOUND=1
fi
elif ContainsString "/admin@" "${I}"
then
if ! ContainsString "\bDISALLOW_TGT_BASED\b" "${J}"
then
LogText "Result: Kerberos admin principal ${I} does not have the disallow_tgt_based attribute"
FOUND=1
fi
elif ContainsString "^[^/$]+@" "${I}"
then
if ! ContainsString "\bREQUIRES_PRE_AUTH\b.+\bDISALLOW_SVR\b" "${J}"
then
LogText "Result: Regular Kerberos user principal ${I} does not have the requires_pre_auth and/or the disallow_svr attribute"
FOUND=1
fi
fi
done
if [ ${FOUND} -eq 1 ]; then
Display --indent 4 --text "- Checking principals for various attributes" --result "${STATUS_WARNING}" --color RED
ReportSuggestion "${TEST_NO}" "Harden your Kerberos principals with appropriate attributes"
else
Display --indent 4 --text "- Checking principals for various attributes" --result "${STATUS_OK}" --color GREEN
fi
fi
#
#################################################################################
#
# Test : KRB-1050
# Description : Check for weak crypto
Register --test-no KRB-1050 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for weak crypto"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${KDB5UTILBINARY} tabdump keyinfo | ${AWKBINARY} '$4 ~ /(des|arcfour|cbc|sha1)/{print$1,$4}')
if [ -n "${FIND}" ]; then
while read I J
do
LogText "Result: Kerberos principal ${I} has a key with weak cryptographic algorithm ${J}"
done << EOF
${FIND}
EOF
Display --indent 4 --text "- Principals with weak crypto" --result "${STATUS_WARNING}" --color RED
ReportSuggestion "${TEST_NO}" "Remove weak (des|arcfour|cbc|sha1) cryptographic keys from principals"
else
Display --indent 4 --text "- Principals with weak crypto" --result "${STATUS_OK}" --color GREEN
fi
fi
#
#################################################################################
#
unset PRINCS
unset I
unset J
#EOF
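Review bot: test identifiers and descriptions in this new file are inconsistent: the KRB-1000 comment reads "Check that Kerberos principals have passwords that expire" while it is registered as "Check for Kerberos KDC tools", and the comments for KRB-1030 and KRB-1040 do not match the registered IDs `KRB5-1030` and `KRB5-1040`. Use one prefix (the other tests use `KRB-`) and fix the KRB-1000 comment. Portability: `date -d "${FIND}" +%s` in KRB-1020 and the `\s\+` sed syntax in KRB-1020 and KRB-1040 are GNU-only, which this commit elsewhere explicitly avoids ("to stay POSIX compliant"); on BSD/macOS `date -d` fails, `J` is empty and `[ ${J} -lt ... ]` aborts with a syntax error, so guard `J` before comparing. Smaller points: `${TRBINARY:-tr}` is the only binary given a fallback, `NOW` is used but not set in this file (confirm the main script exports it), none of the `Register` calls carry `--category security` as the other tests in this commit do, and the file lacks the standard Lynis header block. For KRB-1050, the pattern `(des|arcfour|cbc|sha1)` also matches `aes256-cts-hmac-sha1-96`, which is still a common default enctype; state in the suggestion that this is intended or narrow the match to the des and arcfour families.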

@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -41,28 +40,17 @@
if [ ${SKIPTEST} -eq 0 ]; then
# Checking if we can find the systemd default target
LogText "Test: Checking for systemd default.target"
if [ -L ${ROOTDIR}etc/systemd/system/default.target ]; then
LogText "Result: symlink found"
if HasData "${READLINKBINARY}"; then
FIND=$(${READLINKBINARY} ${ROOTDIR}etc/systemd/system/default.target)
if ! HasData "${FIND}"; then
LogText "Exception: can't find the target of the symlink of /etc/systemd/system/default.target"
ReportException "${TEST_NO}:01"
else
FIND2=$(${ECHOCMD} ${FIND} | ${EGREPBINARY} "runlevel5|graphical")
if HasData "${FIND2}"; then
LogText "Result: Found match on runlevel5/graphical"
Display --indent 2 --text "- Checking default runlevel" --result "runlevel 5" --color GREEN
Report "linux_default_runlevel=5"
else
LogText "Result: No match found on runlevel, defaulting to runlevel 3"
Display --indent 2 --text "- Checking default runlevel" --result "runlevel 3" --color GREEN
Report "linux_default_runlevel=3"
fi
fi
if [ $( [ ! -z ${SYSTEMCTLBINARY} ] && ${SYSTEMCTLBINARY} get-default) ]; then
FIND=$(${SYSTEMCTLBINARY} get-default)
FIND2=$(${ECHOCMD} ${FIND} | ${EGREPBINARY} "runlevel5|graphical")
if HasData "${FIND2}"; then
LogText "Result: Found match on runlevel5/graphical"
Display --indent 2 --text "- Checking default runlevel" --result "runlevel 5" --color GREEN
Report "linux_default_runlevel=5"
else
LogText "Result: No readlink binary, can't determine where symlink is pointing to"
Display --indent 2 --text "- Checking default run level" --result "${STATUS_UNKNOWN}" --color YELLOW
LogText "Result: No match found on runlevel, defaulting to runlevel 3"
Display --indent 2 --text "- Checking default runlevel" --result "runlevel 3" --color GREEN
Report "linux_default_runlevel=3"
fi
else
LogText "Result: no systemd found, so trying inittab"
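Review bot: `if [ $( [ ! -z ${SYSTEMCTLBINARY} ] && ${SYSTEMCTLBINARY} get-default) ]; then` is fragile: it runs `systemctl get-default` twice (once in the condition, again for `FIND`), uses the word-split output of the substitution as a `[` operand, and when `SYSTEMCTLBINARY` is empty `[ ! -z ]` only evaluates to false because of `test`'s two-argument rule. Write it as `if [ -n "${SYSTEMCTLBINARY}" ]; then FIND=$(${SYSTEMCTLBINARY} get-default 2> /dev/null)` and branch on `HasData "${FIND}"`. The following line still uses `${EGREPBINARY}` while the rest of this commit migrates to `${GREPBINARY} -E`, and the unchanged `else` message "no systemd found, so trying inittab" is now also reached when systemctl exists but `get-default` fails.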
@ -187,6 +175,7 @@
# Checking if any modules are loaded
FIND=$(${LSMODBINARY} | ${GREPBINARY} -v "^Module" | wc -l | ${TRBINARY} -s ' ' | ${TRBINARY} -d ' ')
Display --indent 2 --text "- Checking kernel type" --result "${STATUS_DONE}" --color GREEN
MONOLITHIC_KERNEL_TESTED=1
if [ "${FIND}" = "0" ]; then
LogText "Result: Found monolithic kernel"
Report "linux_kernel_type=monolithic"
@ -368,14 +357,14 @@
#
# Test : KRNL-5788
# Description : Checking availability new kernel
if [ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION}" = "Ubuntu" ] ||
[ "${LINUX_VERSION_LIKE}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" = "Ubuntu" ]; then
if [ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION}" = "Ubuntu" ] || [ "${LINUX_VERSION_LIKE}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" = "Ubuntu" ]; then
PREQS_MET="YES"
else
PREQS_MET="NO"
fi
Register --test-no KRNL-5788 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking availability new Linux kernel"
if [ ${SKIPTEST} -eq 0 ]; then
FINDKERNEL=""
HAS_VMLINUZ=0
LogText "Test: Searching apt-cache, to determine if a newer kernel is available"
if [ -x ${ROOTDIR}usr/bin/apt-cache ]; then
@ -384,62 +373,69 @@
if [ -f ${ROOTDIR}vmlinuz -o -f ${ROOTDIR}boot/vmlinuz ]; then
HAS_VMLINUZ=1
if [ -f ${ROOTDIR}vmlinuz ]; then
FINDVMLINUZ=${ROOTDIR}vmlinuz
FINDVMLINUZ="${ROOTDIR}vmlinuz"
else
FINDVMLINUZ=${ROOTDIR}boot/vmlinuz
FINDVMLINUZ="${ROOTDIR}boot/vmlinuz"
fi
LogText "Result: found ${FINDVMLINUZ}"
LogText "Test: checking readlink location of ${FINDVMLINUZ}"
FINDKERNFILE=$(readlink -f ${FINDVMLINUZ})
LogText "Output: readlink reported file ${FINDKERNFILE}"
LogText "Test: checking package from dpkg -S"
LogText "Test: checking relevant package using output from dpkg -S"
FINDKERNEL=$(dpkg -S ${FINDKERNFILE} 2> /dev/null | ${AWKBINARY} -F : '{print $1}')
LogText "Output: dpkg -S reported package ${FINDKERNEL}"
elif [ -e ${ROOTDIR}dev/grsec ]; then
FINDKERNEL=linux-image-$(uname -r)
FINDKERNEL="linux-image-$(uname -r)"
LogText "Result: ${ROOTDIR}vmlinuz missing due to grsecurity; assuming ${FINDKERNEL}"
elif [ -e ${ROOTDIR}etc/rpi-issue ]; then
FINDKERNEL=raspberrypi-kernel
FINDKERNEL="raspberrypi-kernel"
LogText "Result: ${ROOTDIR}vmlinuz missing due to Raspbian"
elif `${EGREPBINARY} -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf`; then
FINDKERNEL=linux-image-$(uname -r)
elif $(${GREPBINARY} -E -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf); then
FINDKERNEL="linux-image-$(uname -r)"
LogText "Result: ${ROOTDIR}vmlinuz missing due to /etc/kernel-img.conf item do_symlinks = No"
else
LogText "This system is missing ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz. Unable to check whether kernel is up-to-date."
LogText "This system is missing ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz. Unable to check whether kernel is up-to-date."
ReportSuggestion "${TEST_NO}" "Determine why ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz is missing on this Debian/Ubuntu system." "/vmlinuz or /boot/vmlinuz"
fi
LogText "Test: Using apt-cache policy to determine if there is an update available"
FINDINST=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ')
FINDCAND=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Candidate' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ')
LogText "Kernel installed: ${FINDINST}"
LogText "Kernel candidate: ${FINDCAND}"
if IsEmpty "${FINDINST}"; then
Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_UNKNOWN}" --color YELLOW
LogText "Result: Exception occurred, no output from apt-cache policy"
if [ ${HAS_VMLINUZ} -eq 1 ]; then
ReportException "${TEST_NO}:01"
ReportSuggestion "${TEST_NO}" "Check the output of apt-cache policy to determine why its output is empty"
fi
LogText "Result: apt-cache policy did not return an installed kernel version"
if IsEmpty "${FINDKERNEL}"; then
LogText "Result: could not check kernel update status as kernel is unknown"
else
if [ "${FINDINST}" = "${FINDCAND}" ]; then
if [ -e /dev/grsec ]; then
Display --indent 2 --text "- Checking for available kernel update" --result GRSEC --color GREEN
LogText "Result: Grsecurity is installed; unable to determine if there's a newer kernel available"
ReportManual "Manually check to confirm you're using a recent kernel and grsecurity patch"
else
Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_OK}" --color GREEN
LogText "Result: no kernel update available"
LogText "Result: found kernel '${FINDKERNEL}' which will be used for further testing"
LogText "Test: Using apt-cache policy to determine if there is an update available"
FINDINSTALLED=$(apt-cache policy ${FINDKERNEL} | ${GREPBINARY} -E 'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ')
FINDCANDIDATE=$(apt-cache policy ${FINDKERNEL} | ${GREPBINARY} -E 'Candidate' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ')
LogText "Kernel installed: ${FINDINSTALLED}"
LogText "Kernel candidate: ${FINDCANDIDATE}"
if IsEmpty "${FINDINSTALLED}"; then
Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_UNKNOWN}" --color YELLOW
LogText "Result: Exception occurred, no output from apt-cache policy"
if [ ${HAS_VMLINUZ} -eq 1 ]; then
ReportException "${TEST_NO}:01" "Found vmlinuz (${FINDVMLINUZ}) but could not determine the installed kernel using apt-cache policy"
ReportSuggestion "${TEST_NO}" "Check the output of apt-cache policy to determine why its output is empty"
fi
LogText "Result: apt-cache policy did not return an installed kernel version"
else
Display --indent 2 --text "- Checking for available kernel update" --result "UPDATE AVAILABLE" --color YELLOW
LogText "Result: kernel update available according 'apt-cache policy'."
ReportSuggestion "${TEST_NO}" "Determine priority for available kernel update"
if [ "${FINDINSTALLED}" = "${FINDCANDIDATE}" ]; then
if [ -e /dev/grsec ]; then
Display --indent 2 --text "- Checking for available kernel update" --result GRSEC --color GREEN
LogText "Result: Grsecurity is installed; unable to determine if there's a newer kernel available"
ReportManual "Manually check to confirm you're using a recent kernel and grsecurity patch"
else
Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_OK}" --color GREEN
LogText "Result: no kernel update available"
fi
else
Display --indent 2 --text "- Checking for available kernel update" --result "UPDATE AVAILABLE" --color YELLOW
LogText "Result: kernel update available according 'apt-cache policy'."
ReportSuggestion "${TEST_NO}" "Determine priority for available kernel update"
fi
fi
fi
else
LogText "Result: could NOT find /usr/bin/apt-cache, skipped other tests."
LogText "Result: could NOT find ${ROOTDIR}usr/bin/apt-cache, skipped other tests."
fi
unset FINDCANDIDATE FINDINSTALLED FINDKERNEL HAS_VMLINUZ
fi
#
#################################################################################
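Review bot: `elif $(${GREPBINARY} -E -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf); then` keeps the quirk of the backtick version it replaces: grep's (empty) output is executed as the command, and the branch only works because an empty simple command takes the exit status of its substitution. Call grep directly and silence the error it prints when kernel-img.conf is absent: `elif ${GREPBINARY} -E -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf 2> /dev/null; then`. Two smaller points: `unset FINDCANDIDATE FINDINSTALLED FINDKERNEL HAS_VMLINUZ` misses `FINDVMLINUZ` and `FINDKERNFILE`, and `ReportException "${TEST_NO}:01" "Found vmlinuz ..."` now passes a message as a second argument where the removed call passed only the ID; confirm ReportException accepts it.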
@ -463,9 +459,9 @@
# check conf files in possibly existing coredump.conf.d folders
# using find instead of grep -r to stay POSIX compliant. On AIX and HPUX grep -r is not available.
# while there could be multiple files overwriting each other, we are checking the number of occurrences
SYSD_CORED_SUB_PROCSIZEMAX_NR_DISABLED=$(${FINDBINARY} /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} "^0 *$" | ${WCBINARY} -l)
SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED=$(${FINDBINARY} /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} -v "^0 *$" | ${WCBINARY} -l)
SYSD_CORED_SUB_STORAGE_FOUND=$(${FINDBINARY} /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^Storage=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g')
SYSD_CORED_SUB_PROCSIZEMAX_NR_DISABLED=$(${FINDBINARY} -L /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} "^0 *$" | ${WCBINARY} -l)
SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED=$(${FINDBINARY} -L /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} -v "^0 *$" | ${WCBINARY} -l)
SYSD_CORED_SUB_STORAGE_FOUND=$(${FINDBINARY} -L /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^Storage=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g')
SYSD_CORED_SUB_STORAGE_NR_ENABLED=$(${ECHOCMD} "${SYSD_CORED_SUB_STORAGE_FOUND}" | ${SEDBINARY} 's/none//g' | ${WCBINARY} | ${AWKBINARY} '{print $2}')
SYSD_CORED_SUB_STORAGE_NR_DISABLED=$(${ECHOCMD} "${SYSD_CORED_SUB_STORAGE_FOUND}" | ${GREPBINARY} -o "none" | ${WCBINARY} | ${AWKBINARY} '{print $2}')
if ( [ ${SYSD_CORED_BASE_PROCSIZEMAX_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_BASE_STORAGE_NR_DISABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -eq 0 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -eq 0 ] ) || \
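Review bot: adding `-L` to the three `${FINDBINARY}` calls is the right fix for symlinked drop-in directories, but the identical `find ... -exec ${SEDBINARY} 's/^ *//g'` pass over the three coredump.conf.d directories is now executed three times with only the trailing grep differing. Capture the stripped contents once into a variable and run the `ProcessSizeMax=` and `Storage=` filters over that; with `-L` this also avoids walking a symlinked tree three times.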
@ -505,82 +501,85 @@
if [ -f "${ROOTDIR}etc/profile" ]; then
LogText "Test: Checking if 'ulimit -c 0' exists in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh"
# use tail -1 in the following commands to get the last entry, which is the one that counts (in case of profile.d/ probably counts)
ULIMIT_C_VALUE="$(${GREPBINARY} "ulimit -c " ${ROOTDIR}etc/profile 2> /dev/null | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -v "^#" | ${TAILBINARY} -1 | ${CUTBINARY} -d' ' -f3 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g')"
ULIMIT_C_VALUE_SUB="$(${FINDBINARY} ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} "ulimit -c " | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -v "^#" | ${TAILBINARY} -1 | ${CUTBINARY} -d' ' -f3 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g')"
ULIMIT_C_VALUE="$(${GREPBINARY} "ulimit -H\?c " ${ROOTDIR}etc/profile 2> /dev/null | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -v "^#" | ${TAILBINARY} -1 | ${CUTBINARY} -d' ' -f3 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g')"
ULIMIT_C_VALUE_SUB="$(${FINDBINARY} -L ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} "ulimit -H\?c " | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -v "^#" | ${TAILBINARY} -1 | ${CUTBINARY} -d' ' -f3 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g')"
if ( [ -n "${ULIMIT_C_VALUE_SUB}" ] && [ "${ULIMIT_C_VALUE_SUB}" = "0" ] ) || ( [ -n "${ULIMIT_C_VALUE}" ] && [ -z "${ULIMIT_C_VALUE_SUB}" ] && [ "${ULIMIT_C_VALUE}" = "0" ] ); then
LogText "Result: core dumps are disabled by 'ulimit -c 0' in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh"
Display --indent 4 --text "- configuration in etc/profile" --result "${STATUS_DISABLED}" --color GREEN
AddHP 1 1
elif [ -z "${ULIMIT_C_VALUE_SUB}" ] && [ -z "${ULIMIT_C_VALUE}" ]; then
LogText "Result: core dumps are not disabled in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh config files. Didn't find setting 'ulimit -c 0'"
Display --indent 4 --text "- configuration in etc/profile" --result "${STATUS_DEFAULT}" --color WHITE
Display --indent 4 --text "- configuration in ${ROOTDIR}etc/profile" --result "${STATUS_DEFAULT}" --color WHITE
AddHP 0 1
elif ( [ -n "${ULIMIT_C_VALUE_SUB}" ] && ( [ "${ULIMIT_C_VALUE_SUB}" = "unlimited" ] || [ "${ULIMIT_C_VALUE_SUB}" != "0" ] ) ) || ( [ -n "${ULIMIT_C_VALUE}" ] && [ -z "${ULIMIT_C_VALUE_SUB}" ] && ( [ "${ULIMIT_C_VALUE}" = "unlimited" ] || [ "${ULIMIT_C_VALUE}" != "0" ] ) ); then
LogText "Result: core dumps are enabled in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh config files. A value higher than 0 is configured for 'ulimit -c'"
Display --indent 4 --text "- configuration in etc/profile" --result "${STATUS_ENABLED}" --color RED
Display --indent 4 --text "- configuration in ${ROOTDIR}etc/profile" --result "${STATUS_ENABLED}" --color RED
AddHP 0 1
else
LogText "Result: ERROR - something went wrong. Unexpected result during check of ${ROOTDIR}etc/profile and ${ROOTDIR}etc/profile.d/*.sh config files. Please report on Github!"
Display --indent 4 --text "- configuration in etc/profile" --result "${STATUS_ERROR}" --color YELLOW
Display --indent 4 --text "- configuration in ${ROOTDIR}etc/profile" --result "${STATUS_ERROR}" --color YELLOW
fi
fi
# Limits option
LogText "Test: Checking presence ${ROOTDIR}etc/security/limits.conf"
if [ -f "${ROOTDIR}etc/security/limits.conf" ]; then
LogText "Result: file ${ROOTDIR}etc/security/limits.conf exists"
LogText "Test: Checking if core dumps are disabled in ${ROOTDIR}etc/security/limits.conf and ${LIMITS_DIRECTORY}/*"
# using find instead of grep -r to stay POSIX compliant. On AIX and HPUX grep -r is not available.
FIND1=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="0") { print "soft core disabled" } else if ($1=="*" && $2=="soft" && $3=="core" && $4!="0") { print "soft core enabled" } }' | ${TAILBINARY} -1)
FIND2=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="0") { print "hard core disabled" } else if ($1=="*" && $2=="hard" && $3=="core" && $4!="0") { print "hard core enabled" } }' | ${TAILBINARY} -1)
FIND3=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="-" && $3=="core" && $4=="0") { print "core dumps disabled" } else if ($1=="*" && $2=="-" && $3=="core" && $4!="0") { print "core dumps enabled" } }' | ${TAILBINARY} -1)
# When "* - core [value]" is used, then this sets both soft and core. In that case we set the values, as they the type 'hard' and 'soft' will not be present in the configuration file.
if [ "${FIND3}" = "core dumps disabled" ]; then
FIND1="soft core disabled"
FIND2="hard core disabled"
elif [ "${FIND3}" = "core dumps enabled" ]; then
FIND1="soft core enabled"
FIND2="hard core enabled"
fi
# Limits options
for DIR in "/" "/usr/"; do
LogText "Test: Checking presence ${DIR}etc/security/limits.conf"
if [ -f "${DIR}etc/security/limits.conf" ]; then
LogText "Result: file ${DIR}etc/security/limits.conf exists"
LogText "Test: Checking if core dumps are disabled in ${DIR}etc/security/limits.conf and ${LIMITS_DIRECTORY}/*"
# using find instead of grep -r to stay POSIX compliant. On AIX and HPUX grep -r is not available.
FIND1=$(${FINDBINARY} -L "${DIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="0") { print "soft core disabled" } else if ($1=="*" && $2=="soft" && $3=="core" && $4!="0") { print "soft core enabled" } }' | ${TAILBINARY} -1)
FIND2=$(${FINDBINARY} -L "${DIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="0") { print "hard core disabled" } else if ($1=="*" && $2=="hard" && $3=="core" && $4!="0") { print "hard core enabled" } }' | ${TAILBINARY} -1)
FIND3=$(${FINDBINARY} -L "${DIR}etc/security/limits.conf" "${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="-" && $3=="core" && $4=="0") { print "core dumps disabled" } else if ($1=="*" && $2=="-" && $3=="core" && $4!="0") { print "core dumps enabled" } }' | ${TAILBINARY} -1)
IS_SOFTCORE_DISABLED="$(if [ "${FIND1}" = "soft core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND1}" = "soft core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} ${STATUS_DEFAULT}; fi)"
IS_HARDCORE_DISABLED="$(if [ "${FIND2}" = "hard core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND2}" = "hard core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} ${STATUS_DEFAULT}; fi)"
if [ "${FIND2}" = "hard core disabled" ]; then
LogText "Result: core dumps are hard disabled"
Display --indent 4 --text "- 'hard' configuration in security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "GREEN"
if [ "${FIND1}" = "soft core disabled" ]; then
Display --indent 4 --text "- 'soft' configuration in security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "GREEN"
else
Display --indent 4 --text "- 'soft' config in security/limits.conf (implicit)" --result "${STATUS_DISABLED}" --color "GREEN"
# When "* - core [value]" is used, then this sets both soft and core. In that case we set the values, as they the type 'hard' and 'soft' will not be present in the configuration file.
if [ "${FIND3}" = "core dumps disabled" ]; then
FIND1="soft core disabled"
FIND2="hard core disabled"
elif [ "${FIND3}" = "core dumps enabled" ]; then
FIND1="soft core enabled"
FIND2="hard core enabled"
fi
IS_SOFTCORE_DISABLED="$(if [ "${FIND1}" = "soft core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND1}" = "soft core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} ${STATUS_DEFAULT}; fi)"
IS_HARDCORE_DISABLED="$(if [ "${FIND2}" = "hard core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND2}" = "hard core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} ${STATUS_DEFAULT}; fi)"
if [ "${FIND2}" = "hard core disabled" ]; then
LogText "Result: core dumps are hard disabled"
Display --indent 4 --text "- 'hard' configuration in ${DIR}etc/security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "GREEN"
if [ "${FIND1}" = "soft core disabled" ]; then
Display --indent 4 --text "- 'soft' configuration in ${DIR}etc/security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "GREEN"
else
Display --indent 4 --text "- 'soft' config in ${DIR}etc/security/limits.conf (implicit)" --result "${STATUS_DISABLED}" --color "GREEN"
fi
AddHP 3 3
elif [ "${FIND1}" = "soft core enabled" ] && [ "${FIND2}" = "hard core enabled" ]; then
LogText "Result: core dumps (soft and hard) are enabled"
Display --indent 4 --text "- 'hard' configuration in ${DIR}etc/security/limits.conf" --result "${STATUS_ENABLED}" --color "RED"
Display --indent 4 --text "- 'soft' configuration in ${DIR}etc/security/limits.conf" --result "${STATUS_ENABLED}" --color "RED"
ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in /etc/security/limits.conf file"
AddHP 0 3
elif [ "${FIND1}" = "soft core disabled" ]; then
LogText "Result: core dumps are disabled for 'soft' ('hard'=${IS_HARDCORE_DISABLED})"
Display --indent 4 --text "- 'hard' configuration in ${DIR}etc/security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "$(if [ "${IS_HARDCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_HARDCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)"
Display --indent 4 --text "- 'soft' configuration in ${DIR}etc/security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "GREEN"
AddHP 2 3
elif [ "${FIND1}" = "soft core enabled" ] || [ "${FIND2}" = "hard core enabled" ]; then
LogText "Result: core dumps are partially enabled ('hard'=${IS_HARDCORE_DISABLED}, 'soft'=${IS_SOFTCORE_DISABLED})"
Display --indent 4 --text "- 'hard' configuration in ${DIR}etc/security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "$(if [ "${IS_HARDCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_HARDCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)"
Display --indent 4 --text "- 'soft' configuration in ${DIR}etc/security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "$(if [ "${IS_SOFTCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_SOFTCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)"
AddHP 0 3
else
LogText "Result: core dumps are not explicitly disabled"
Display --indent 4 --text "- 'hard' configuration in ${DIR}etc/security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "WHITE"
Display --indent 4 --text "- 'soft' configuration in ${DIR}etc/security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "WHITE"
ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in ${DIR}etc/security/limits.conf file"
AddHP 1 3
fi
AddHP 3 3
elif [ "${FIND1}" = "soft core enabled" ] && [ "${FIND2}" = "hard core enabled" ]; then
LogText "Result: core dumps (soft and hard) are enabled"
Display --indent 4 --text "- 'hard' configuration in security/limits.conf" --result "${STATUS_ENABLED}" --color "RED"
Display --indent 4 --text "- 'soft' configuration in security/limits.conf" --result "${STATUS_ENABLED}" --color "RED"
ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in /etc/security/limits.conf file"
AddHP 0 3
elif [ "${FIND1}" = "soft core disabled" ]; then
LogText "Result: core dumps are disabled for 'soft' ('hard'=${IS_HARDCORE_DISABLED})"
Display --indent 4 --text "- 'hard' configuration in security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "$(if [ "${IS_HARDCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_HARDCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)"
Display --indent 4 --text "- 'soft' configuration in security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "GREEN"
AddHP 2 3
elif [ "${FIND1}" = "soft core enabled" ] || [ "${FIND2}" = "hard core enabled" ]; then
LogText "Result: core dumps are partially enabled ('hard'=${IS_HARDCORE_DISABLED}, 'soft'=${IS_SOFTCORE_DISABLED})"
Display --indent 4 --text "- 'hard' configuration in security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "$(if [ "${IS_HARDCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_HARDCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)"
Display --indent 4 --text "- 'soft' configuration in security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "$(if [ "${IS_SOFTCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ "${IS_SOFTCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else ${ECHOCMD} WHITE; fi)"
AddHP 0 3
else
LogText "Result: core dumps are not explicitly disabled"
Display --indent 4 --text "- 'hard' configuration in security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "WHITE"
Display --indent 4 --text "- 'soft' configuration in security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "WHITE"
ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in ${ROOTDIR}etc/security/limits.conf file"
AddHP 1 3
LogText "Result: file ${DIR}etc/security/limits.conf does not exist, skipping test for this file"
fi
else
LogText "Result: file ${ROOTDIR}etc/security/limits.conf does not exist, skipping test"
fi
done
# Sysctl option
LogText "Test: Checking sysctl value of fs.suid_dumpable"
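Review bot: the 'soft' Display in the final else branch shows the hard value under the soft label (`--result "${IS_HARDCORE_DISABLED}"` on the `'soft' configuration` line); it should be `--result "${IS_SOFTCORE_DISABLED}"`, and the same copy-paste slip is present in the block this replaces, so it survives the move into the `${DIR}` loop. The ReportSuggestion in the soft-and-hard-enabled branch also hard-codes `/etc/security/limits.conf` while the suggestion in the else branch uses `${DIR}etc/security/limits.conf`; use `${DIR}` in both so the suggestion names the file that was actually inspected.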
@ -615,25 +614,29 @@
Register --test-no KRNL-5830 --os Linux --weight L --network NO --category security --description "Checking if system is running on the latest installed kernel"
if [ ${SKIPTEST} -eq 0 ]; then
REBOOT_NEEDED=2
FILE="${ROOTDIR}var/run/reboot-required.pkgs"
LogText "Test: Checking presence ${FILE}"
if [ -f ${FILE} ]; then
LogText "Result: file ${FILE} exists"
FIND=$(${WCBINARY} -l < ${FILE})
if [ "${FIND}" = "0" ]; then
LogText "Result: No reboot needed (file empty)"
REBOOT_NEEDED=0
for FILE in "${ROOTDIR}var/run/reboot-required.pkgs" "${ROOTDIR}var/run/needs_restarting"
do
LogText "Test: Checking presence ${FILE}"
if [ -f ${FILE} ]; then
LogText "Result: file ${FILE} exists"
FIND=$(${WCBINARY} -l < ${FILE})
if [ "${FIND}" = "0" ]; then
LogText "Result: No reboot needed (file empty)"
REBOOT_NEEDED=0
break
else
PKGSCOUNT=$(${WCBINARY} -l < ${FILE})
LogText "Result: reboot is needed, related to ${PKGSCOUNT} packages"
for I in ${FIND}; do
LogText "Package: ${I}"
done
REBOOT_NEEDED=1
break
fi
else
PKGSCOUNT=$(${WCBINARY} -l < ${FILE})
LogText "Result: reboot is needed, related to ${PKGSCOUNT} packages"
for I in ${FIND}; do
LogText "Package: ${I}"
done
REBOOT_NEEDED=1
LogText "Result: file ${FILE} not found"
fi
else
LogText "Result: file ${FILE} not found"
fi
done
# Check if /boot exists
if [ -d "${ROOTDIR}boot" ]; then
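Review bot: the `break` right after `REBOOT_NEEDED=0` ends the loop at the first file that exists and is empty, so an empty `reboot-required.pkgs` hides a populated `needs_restarting` (and vice versa); either break only when a reboot is detected, or evaluate both files before deciding. In the same loop, `for I in ${FIND}; do LogText "Package: ${I}"` iterates over the output of `wc -l`, so it logs the line count as if it were a package name; read the file's lines for that loop and keep the count in `PKGSCOUNT` only.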
@ -663,7 +666,10 @@
ReportException "${TEST_NO}:1" "Can't determine kernel version on disk, need debug data"
fi
elif [ -f ${ROOTDIR}boot/vmlinuz-linux ] || [ -f ${ROOTDIR}boot/vmlinuz-linux-lts ] || [ -f "$(${LSBINARY} -t ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${HEADBINARY} -1)" ]; then
if [ -f ${ROOTDIR}boot/vmlinuz-linux ]; then
if [ -f ${ROOTDIR}boot/vmlinuz ]; then
LogText "Result: found ${ROOTDIR}boot/vmlinuz"
FOUND_VMLINUZ=${ROOTDIR}boot/vmlinuz
elif [ -f ${ROOTDIR}boot/vmlinuz-linux ]; then
LogText "Result: found ${ROOTDIR}boot/vmlinuz-linux"
FOUND_VMLINUZ=${ROOTDIR}boot/vmlinuz-linux
elif [ -f ${ROOTDIR}boot/vmlinuz-linux-lts ]; then
@ -675,7 +681,7 @@
else
# Match on items like /boot/vm5.3.7 or /boot/vmlinuz-5.3.7-1-default. Sort based on versions (-v) and then find the last item
# Note: ignore a rescue kernel (e.g. CentOS)
FOUND_VMLINUZ=$(${LSBINARY} -v ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${GREPBINARY} -v '\-rescue\-' | ${TAILBINARY} -1)
FOUND_VMLINUZ=$(${LSBINARY} -v ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${GREPBINARY} -v '\-rescue-' | ${TAILBINARY} -1)
LogText "Result: found ${FOUND_VMLINUZ}"
fi
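Review bot: the pattern `'\-rescue-'` still uses `\-` outside a bracket expression, which has no defined meaning in POSIX basic regular expressions and is only tolerated by GNU grep; the escape is there only because a pattern starting with `-` would be taken as an option, so write `${GREPBINARY} -v -e '-rescue-'` (or `-F -e '-rescue-'`, since no regex is needed) and drop the backslash entirely.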
@ -809,7 +815,7 @@
LogText "Check: try to find raspberrypi-kernel file in ${APT_ARCHIVE_DIRECTORY} and extract package date from file name"
FOUND_KERNEL_DATE=$(${FINDBINARY} ${APT_ARCHIVE_DIRECTORY} -name "raspberrypi-kernel*" -printf "%T@ %Tc %p\n" 2> /dev/null \
| ${SORTBINARY} -nr | ${HEADBINARY} -1 | ${GREPBINARY} -o "raspberrypi-kernel.*deb" | ${EGREPBINARY} -o "\.[0-9]+" | ${SEDBINARY} 's/\.//g')
| ${SORTBINARY} -nr | ${HEADBINARY} -1 | ${GREPBINARY} -o "raspberrypi-kernel.*deb" | ${GREPBINARY} -E -o "\.[0-9]+" | ${SEDBINARY} 's/\.//g')
if [ -n "${FOUND_KERNEL_DATE}" ]; then
FOUND_KERNEL_IN_SECONDS=$(date -d "${FOUND_KERNEL_DATE}" "+%s" 2> /dev/null)
@ -834,21 +840,21 @@
next="month"
fi
elif [ "$next" = "month" ]; then
if [ $(${ECHOCMD} "${part}" | ${EGREPBINARY} -c "[A-Z][a-z]") -ge 1 ]; then
if [ $(${ECHOCMD} "${part}" | ${GREPBINARY} -E -c "[A-Z][a-z]") -ge 1 ]; then
UNAME_DATE_MONTH="${part}"
next="day"
fi
elif [ "${next}" = "day" ]; then
if [ $(${ECHOCMD} ${part} | ${EGREPBINARY} -c "[0-9][0-9]") -ge 1 ]; then
if [ $(${ECHOCMD} ${part} | ${GREPBINARY} -E -c "[0-9][0-9]") -ge 1 ]; then
UNAME_DATE_DAY="${part}"
next="time"
fi
elif [ "${next}" = "time" ]; then
if [ $(${ECHOCMD} ${part} | ${EGREPBINARY} -c ":[0-9][0-9]:") -ge 1 ]; then
if [ $(${ECHOCMD} ${part} | ${GREPBINARY} -E -c ":[0-9][0-9]:") -ge 1 ]; then
next="year"
fi
elif [ "${next}" = "year" ]; then
if [ $(${ECHOCMD} ${part} | ${EGREPBINARY} -c "[0-9][0-9]") -ge 1 ]; then
if [ $(${ECHOCMD} ${part} | ${GREPBINARY} -E -c "[0-9][0-9]") -ge 1 ]; then
UNAME_DATE_YEAR="${part}"
break
fi
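Review bot: `${part}` is quoted in the month branch (`${ECHOCMD} "${part}"`) but unquoted in the day, time and year branches; quote it in all four, since a glob character or whitespace in a `uname -v` token would otherwise be expanded or split before it reaches grep.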
@ -895,7 +901,6 @@
LogText "Result: Did not get output from 'uname -v'. Skipping test."
fi
else
LogText "Result: /var/cache/apt/archives/ does not exist"
fi
@ -918,6 +923,4 @@
WaitForKeyPress
#
#================================================================================
# Lynis - Copyright 2007-2021, CISOfy - https://cisofy.com
# EOF

View File

@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are

View File

@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are

View File

@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -28,6 +27,7 @@
METALOG_RUNNING=0
RFC3195D_RUNNING=0
RSYSLOG_RUNNING=0
WAZUH_AGENT_RUNNING=0
SOLARIS_LOGHOST=""
SOLARIS_LOGHOST_FOUND=0
SOLARIS_LOGHOST_LOCALHOST=0
@ -45,7 +45,7 @@
Register --test-no LOGG-2130 --weight L --network NO --category security --description "Check for running syslog daemon"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching for a logging daemon"
FIND=$(${PSBINARY} ax | ${EGREPBINARY} "syslogd|syslog-ng|metalog|systemd-journal" | ${GREPBINARY} -v "grep")
FIND=$(${PSBINARY} ax | ${GREPBINARY} -E "syslogd|syslog-ng|metalog|systemd-journal" | ${GREPBINARY} -v "grep")
if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Checking for a running log daemon" --result "${STATUS_WARNING}" --color RED
LogText "Result: Could not find a syslog daemon like syslog, syslog-ng, rsyslog, metalog, systemd-journal"
@ -220,6 +220,23 @@
fi
#
#################################################################################
#
# Test : LOGG-2144
# Description : Check for wazuh-agent presence on Linux systems
Register --test-no LOGG-2144 --os Linux --weight L --network NO --category security --description "Checking wazuh-agent"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Result: Searching for wazuh-agent instances in the process list"
if IsRunning "wazuh-agent"; then
LogText "Result: Found wazuh-agent in process list"
Display --indent 4 --text "- Checking wazuh-agent status" --result "${STATUS_FOUND}" --color GREEN
WAZUH_AGENT_RUNNING=1
else
LogText "Result: wazuh-agent NOT found in process list"
Display --indent 4 --text "- Checking wazuh-agent daemon status" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
#################################################################################
#
# Test : LOGG-2146
# Description : Check for logrotate (/etc/logrotate.conf and logrotate.d)
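Review bot: the two Display texts differ ("Checking wazuh-agent status" versus "Checking wazuh-agent daemon status"), so the report line changes with the outcome; use one text in both branches. The opening `LogText "Result: Searching for wazuh-agent instances..."` describes the start of the test and should be prefixed "Test:" like the other tests in this file, and `--indent 4` is one level deeper than the `--indent 2` used by the comparable LOGG-2130 daemon check above.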
@ -261,7 +278,7 @@
Register --test-no LOGG-2148 --weight L --preqs-met ${PREQS_MET} --network NO --category security --description "Checking logrotated files"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking which files are rotated with logrotate and if they exist"
FIND=$(${LOGROTATEBINARY} -d -v ${ROOTDIR}etc/logrotate.conf 2>&1 | ${EGREPBINARY} "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2!="log") { print "File:"$2":does_not_exist" } else { print "File:"$3":exists" } }')
FIND=$(${LOGROTATEBINARY} -d -v ${ROOTDIR}etc/logrotate.conf 2>&1 | ${GREPBINARY} -E "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2!="log") { print "File:"$2":does_not_exist" } else { print "File:"$3":exists" } }')
if [ -z "${FIND}" ]; then
LogText "Result: nothing found"
else
@ -280,7 +297,7 @@
Register --test-no LOGG-2150 --weight L --preqs-met ${PREQS_MET} --network NO --category security --description "Checking directories in logrotate configuration"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking which directories can be found in logrotate configuration"
FIND=$(${LOGROTATEBINARY} -d -v ${ROOTDIR}etc/logrotate.conf 2>&1 | ${EGREPBINARY} "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="log") { print $3 } }' | ${SEDBINARY} 's@/[^/]*$@@g' | ${SORTBINARY} -u)
FIND=$(${LOGROTATEBINARY} -d -v ${ROOTDIR}etc/logrotate.conf 2>&1 | ${GREPBINARY} -E "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="log") { print $3 } }' | ${SEDBINARY} 's@/[^/]*$@@g' | ${SORTBINARY} -u)
if IsEmpty "${FIND}"; then
LogText "Result: nothing found"
else
@ -345,7 +362,7 @@
if [ ${SOLARIS_LOGHOST_FOUND} -eq 1 ] && [ -n "${SOLARIS_LOGHOST}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no LOGG-2153 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking loghost is localhost"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(echo "${SOLARIS_LOGHOST}" | ${AWKBINARY} '{ print $1 }' | ${EGREPBINARY} "::1|127.0.0.1|127.1")
FIND=$(echo "${SOLARIS_LOGHOST}" | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} -E "::1|127.0.0.1|127.1")
if [ -n "${FIND}" ]; then
SOLARIS_LOGHOST_LOCALHOST=1
LogText "Result: loghost entry is localhost (default)"
@ -371,7 +388,7 @@
TARGET="${ROOTDIR}etc/rsyslog.conf"
if [ -f ${TARGET} ]; then
LogText "Test: analyzing file ${TARGET} for remote target"
DATA=$(${EGREPBINARY} "@@?([a-zA-Z0-9\-])+(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?" ${TARGET} | ${GREPBINARY} -v "#" | ${TRBINARY} -cd "[:print:]\n" | ${SEDBINARY} 's/[[:blank:]]\{1,\}/:space:/g')
DATA=$(${GREPBINARY} -E "@@?([a-zA-Z0-9\-])+(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?" ${TARGET} | ${GREPBINARY} -v "#" | ${TRBINARY} -cd "[:print:]\n" | ${SEDBINARY} 's/[[:blank:]]\{1,\}/:space:/g')
if [ -z "${DATA}" ]; then
LogText "Result: no remote target found"
else
@ -387,11 +404,11 @@
fi
TARGET="${ROOTDIR}etc/rsyslog.d"
if [ -d ${TARGET} ]; then
FILES=$(${FINDBINARY} ${TARGET} -type f -print0 | ${TRBINARY} -cd '[:print:]\0' | ${SEDBINARY} 's/[[:blank:]]/:space:/g' | ${TRBINARY} '\0' ' ')
FILES=$(${FINDBINARY} -L ${TARGET} -type f -print0 | ${TRBINARY} -cd '[:print:]\0' | ${SEDBINARY} 's/[[:blank:]]/:space:/g' | ${TRBINARY} '\0' ' ')
for F in ${FILES}; do
F=$(echo ${F} | ${SEDBINARY} 's/:space:/ /g')
LogText "Test: analyzing file ${F} for remote target"
DATA=$(${EGREPBINARY} "@@?([a-zA-Z0-9\-])+(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?" ${F} | ${GREPBINARY} -v "#" | ${TRBINARY} -cd "[:print:]\n" | ${SEDBINARY} 's/[[:blank:]]\{1,\}/:space:/g')
DATA=$(${GREPBINARY} -E "@@?([a-zA-Z0-9\-])+(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?" ${F} | ${GREPBINARY} -v "#" | ${TRBINARY} -cd "[:print:]\n" | ${SEDBINARY} 's/[[:blank:]]\{1,\}/:space:/g')
if [ -n "${DATA}" ]; then
LogText "Result: found remote target"
REMOTE_LOGGING_ENABLED=1
@ -403,7 +420,7 @@
done
else
# Check new style configuration (omrelp/omfwd). This can be all on one line or even split over multiple lines.
DATA=$(${EGREPBINARY} "target=\"([a-zA-Z0-9\-])" ${F})
DATA=$(${GREPBINARY} -E "target=\"([a-zA-Z0-9\-])" ${F})
if [ -n "${DATA}" ]; then
LogText "Result: most likely remote log host is used, as keyword 'target' is used"
REMOTE_LOGGING_ENABLED=1
@ -424,7 +441,7 @@
if [ -f ${SYSLOGD_CONF} ]; then
LogText "Test: check if logs are also logged to a remote logging host"
FIND=$(${EGREPBINARY} "@[a-zA-Z0-9]|destination\s.+(udp|tcp).+\sport" ${SYSLOGD_CONF} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "[a-zA-Z0-9]@")
FIND=$(${GREPBINARY} -E "@[a-zA-Z0-9]|destination\s.+(udp|tcp).+\sport" ${SYSLOGD_CONF} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "[a-zA-Z0-9]@")
if [ -n "${FIND}" ]; then
FIND2=$(echo "${FIND}" | ${GREPBINARY} -v "@loghost")
if [ ${SOLARIS_LOGHOST_LOCALHOST} -eq 1 ] && [ -z "${FIND2}" ]; then
@ -435,9 +452,9 @@
fi
else
# Search for configured destinations with an IP address or hostname, then determine which ones are used as a log destination
DESTINATIONS=$(${GREPBINARY} "^destination" ${SYSLOGD_CONF} | ${EGREPBINARY} "(udp|tcp)" | ${GREPBINARY} "port" | ${AWKBINARY} '{print $2}')
DESTINATIONS=$(${GREPBINARY} "^destination" ${SYSLOGD_CONF} | ${GREPBINARY} -E "(udp|tcp)" | ${GREPBINARY} "port" | ${AWKBINARY} '{print $2}')
for DESTINATION in ${DESTINATIONS}; do
FIND2=$(${GREPBINARY} "log" ${SYSLOGD_CONF} | ${GREPBINARY} "source" | ${EGREPBINARY} "destination\(${DESTINATION}\)")
FIND2=$(${GREPBINARY} "log" ${SYSLOGD_CONF} | ${GREPBINARY} "source" | ${GREPBINARY} -E "destination\(${DESTINATION}\)")
if [ -n "${FIND2}" ]; then
LogText "Result: found destination ${DESTINATION} configured for remote logging"
REMOTE_LOGGING_ENABLED=1
@ -446,6 +463,21 @@
fi
fi
# Test wazuh-agent configuration for syslog configuration
if [ ${WAZUH_AGENT_RUNNING} ]; then
WAZUH_AGENT_CONF="/var/ossec/etc/ossec.conf"
fi
if [ -f ${WAZUH_AGENT_CONF} ]; then
LogText "Test: Checking Wazuh agent configuration for remote syslog forwarding"
FIND=$(${EGREPBINARY} '<location>/var/log/syslog</location>' ${WAZUH_AGENT_CONF})
if [ "${FIND}" ]; then
DESTINATION=$(${EGREPBINARY} -o '<address>([A-Za-z0-9\.\-\_]*)</address>' ${WAZUH_AGENT_CONF} | sed 's/<address>//' | sed 's/<\/address>//')
LogText "Result: found destination ${DESTINATION} configured for remote logging with wazuh"
REMOTE_LOGGING_ENABLED=1
fi
fi
# Show result
if [ ${REMOTE_LOGGING_ENABLED} -eq 0 ]; then
Report "remote_syslog_configured=0"
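Review bot: `if [ ${WAZUH_AGENT_RUNNING} ]` tests for a non-empty string, and `0` is non-empty, so the condition is always true; use `[ ${WAZUH_AGENT_RUNNING} -eq 1 ]`. Once that is fixed, `WAZUH_AGENT_CONF` stays unset when the agent is not running and the unquoted `[ -f ${WAZUH_AGENT_CONF} ]` collapses to `[ -f ]`, which is also true, so quote the variable. The block further hard-codes `/var/ossec/etc/ossec.conf` without `${ROOTDIR}`, keeps `${EGREPBINARY}` and a bare `sed` while the rest of this commit moves to `${GREPBINARY} -E` and `${SEDBINARY}`, and treats the manager `<address>` as a syslog destination merely because `/var/log/syslog` appears as a `<location>`; `grep -o` can also return several addresses, which then all land in one log line.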
@ -539,7 +571,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking open log files with lsof"
if [ -n "${LSOFBINARY}" ]; then
FIND=$(${LSOFBINARY}${LSOF_EXTRA_OPTIONS} -n 2>&1 | ${GREPBINARY} "log$" | ${EGREPBINARY} -v "WARNING|Output information" | ${AWKBINARY} '{ if ($5=="REG") { print $9 } }' | ${SORTBINARY} -u | ${GREPBINARY} -v "^$")
FIND=$(${LSOFBINARY}${LSOF_EXTRA_OPTIONS} -n 2>&1 | ${GREPBINARY} "log$" | ${GREPBINARY} -E -v "WARNING|Output information" | ${AWKBINARY} '{ if ($5=="REG") { print $9 } }' | ${SORTBINARY} -u | ${GREPBINARY} -v "^$")
for I in ${FIND}; do
LogText "Found logfile: ${I}"
done
@ -572,7 +604,7 @@
LSOF_GREP="${LSOF_GREP}|anacron|awk|run-parts"
fi
FIND=$(${LSOFBINARY}${LSOF_EXTRA_OPTIONS} -n +L 1 2>&1 | ${EGREPBINARY} -vw "${LSOF_GREP}" | ${EGREPBINARY} -v '/dev/zero|/\[aio\]' | ${AWKBINARY} '{ if ($5=="REG") { printf "%s(%s)\n", $10, $1 } }' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u)
FIND=$(${LSOFBINARY}${LSOF_EXTRA_OPTIONS} -n +L 1 2>&1 | ${GREPBINARY} -E -vw "${LSOF_GREP}" | ${GREPBINARY} -E -v '/dev/zero|/\[aio\]' | ${AWKBINARY} '{ if ($5=="REG") { printf "%s(%s)\n", $10, $1 } }' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u)
if [ -n "${FIND}" ]; then
LogText "Result: found one or more files which are deleted, but still in use"
for I in ${FIND}; do

View File

@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -158,10 +157,14 @@
Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_WARNING}" --color RED
fi
Display --indent 8 --text "Current SELinux mode: ${FIND}"
PERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${TRBINARY} '\n' ' ')
NPERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${WCBINARY} -l)
Display --indent 8 --text "Found ${NPERMISSIVE} permissive SELinux object types"
LogText "Permissive SELinux object types: ${PERMISSIVE}"
if [ -n "${SEMANAGEBINARY}" ]; then
PERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${TRBINARY} '\n' ' ')
NPERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${WCBINARY} -l)
Display --indent 8 --text "Found ${NPERMISSIVE} permissive SELinux object types"
LogText "Permissive SELinux object types: ${PERMISSIVE}"
else
LogText "Result: semanage binary NOT found, can't analyse permissive domains"
fi
UNCONFINED=$(${PSBINARY} -eo label,pid,command | ${GREPBINARY} '[u]nconfined_t' | ${TRBINARY} '\n' ' ')
INITRC=$(${PSBINARY} -eo label,pid,command | ${GREPBINARY} '[i]nitrc_t' | ${TRBINARY} '\n' ' ')
NUNCONFINED=$(${PSBINARY} -eo label | ${GREPBINARY} '[u]nconfined_t' | ${WCBINARY} -l)

View File

@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -70,18 +69,18 @@
unset FIND FIND2 FIND3 FIND4
# Local Only
FIND=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^nonlocal')
FIND=$(echo "${EXIM_ROUTERS}" | ${GREPBINARY} -E '^nonlocal')
# Internet Host
FIND2=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^dnslookup_relay_to_domains')
FIND2=$(echo "${EXIM_ROUTERS}" | ${GREPBINARY} -E '^dnslookup_relay_to_domains')
# Smarthost or Satellite
FIND3=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^smarthost')
FIND3=$(echo "${EXIM_ROUTERS}" | ${GREPBINARY} -E '^smarthost')
if [ -n "${FIND}" ]; then
EXIM_TYPE="LOCAL ONLY"
elif [ -n "${FIND2}" ]; then
EXIM_TYPE="INTERNET HOST"
elif [ -n "${FIND3}" ]; then
FIND4=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^hub_user_smarthost')
FIND4=$(echo "${EXIM_ROUTERS}" | ${GREPBINARY} -E '^hub_user_smarthost')
if [ -n "${FIND4}" ]; then
EXIM_TYPE="SATELLITE"
else
@ -415,7 +414,7 @@
Register --test-no MAIL-8920 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check OpenSMTPD status"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check smtpd status"
FIND=$(${PSBINARY} ax | ${EGREPBINARY} "(/smtpd|smtpd: \[priv\]|smtpd: smtp)" | ${GREPBINARY} -v "grep")
FIND=$(${PSBINARY} ax | ${GREPBINARY} -E "(/smtpd|smtpd: \[priv\]|smtpd: smtp)" | ${GREPBINARY} -v "grep")
if [ ! "${FIND}" = "" ]; then
LogText "Result: found running smtpd process"
Display --indent 2 --text "- OpenSMTPD status" --result "${STATUS_RUNNING}" --color GREEN

View File

@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -39,12 +38,28 @@
MALWARE_SCANNER_INSTALLED=0
MALWARE_DAEMON_RUNNING=0
ROOTKIT_SCANNER_FOUND=0
SENTINELONE_SCANNER_RUNNING=0
SOPHOS_SCANNER_RUNNING=0
SYMANTEC_SCANNER_RUNNING=0
SYNOLOGY_DAEMON_RUNNING=0
TRENDMICRO_DSA_DAEMON_RUNNING=0
WAZUH_DAEMON_RUNNING=0
#
#################################################################################
#
# Test : MALW-3274
# Description : Check for installed tool (McAfee VirusScan for Command Line)
Register --test-no MALW-3274 --weight L --network NO --category security --description "Check for McAfee VirusScan Command Line"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking presence McAfee VirusScan for Command Line"
if [ -x /usr/local/uvscan/uvscan ]; then
Display --indent 2 --text "- ${GEN_CHECKING} McAfee VirusScan for Command Line (deprecated)" --result "${STATUS_FOUND}" --color RED
LogText "Result: Found ${MCAFEECLBINARY}"
AddHP 0 2
LogText "Result: McAfee Antivirus for Linux has been deprecated as of 1 Oct 2023 and will not receive updates. Please use another antivirus instead."
fi
fi
#################################################################################
#
# Test : MALW-3275
# Description : Check for installed tool (chkrootkit)
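Review bot: the test checks the hard-coded path `/usr/local/uvscan/uvscan` but logs `${MCAFEECLBINARY}`, which is neither set nor checked in this hunk, so the log line can be empty; use the same value in both places (test `-n "${MCAFEECLBINARY}"` or log the path). The deprecation notice is only written with LogText and never reaches the report; a `ReportSuggestion "${TEST_NO}" ...` would surface it to the user. The closing `fi` is followed directly by the `####` separator, whereas the rest of the file puts a `#` line before it.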
@ -110,7 +125,7 @@
# Avast (macOS)
LogText "Test: checking process com.avast.daemon"
if IsRunning "com.avast.daemon"; then
if IsRunning --full "com.avast.daemon"; then
FOUND=1
AVAST_DAEMON_RUNNING=1
MALWARE_DAEMON_RUNNING=1
@ -168,8 +183,8 @@
fi
# ESET security products
LogText "Test: checking process esets_daemon"
if IsRunning "esets_daemon"; then
LogText "Test: checking process esets_daemon or oaeventd (ESET)"
if IsRunning "esets_daemon" || IsRunning "oaeventd"; then
FOUND=1
ESET_DAEMON_RUNNING=1
MALWARE_DAEMON_RUNNING=1
@ -213,6 +228,20 @@
Report "malware_scanner[]=mcafee"
fi
# SentinelOne
LogText "Text: checking process sentineld (SentinelOne)"
if IsRunning "sentineld"; then SENTINELONE_SCANNER_RUNNING=1; fi # macOS
if IsRunning "s1-agent"; then SENTINELONE_SCANNER_RUNNING=1; fi # Linux
if IsRunning "SentinelAgent"; then SENTINELONE_SCANNER_RUNNING=1; fi # Windows
if [ ${SENTINELONE_SCANNER_RUNNING} -eq 1 ]; then
FOUND=1
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} SentinelOne" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: Found SentinelOne"
MALWARE_DAEMON_RUNNING=1
MALWARE_SCANNER_INSTALLED=1
Report "malware_scanner[]=sentinelone"
fi
# Sophos savscand/SophosScanD
LogText "Test: checking process savscand"
if IsRunning "savscand"; then
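Review bot: the log line reads "Text: checking process sentineld" (typo for "Test:") and names only one of the three process names that are actually checked; make it "Test: checking process sentineld, s1-agent or SentinelAgent (SentinelOne)". The `SentinelAgent` check is commented as Windows, a platform this script does not run on, so either drop it or document why it is kept.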
@ -290,6 +319,19 @@
Report "malware_scanner[]=trend-micro-av"
fi
# Wazuh agent
LogText "Test: checking process wazuh-agent to test for Wazuh agent"
if IsRunning "wazuh-agent"; then
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Wazuh agent" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: found Wazuh component"
FOUND=1
WAZUH_DAEMON_RUNNING=1
MALWARE_DAEMON_RUNNING=1
MALWARE_SCANNER_INSTALLED=1
ROOTKIT_SCANNER_FOUND=1
Report "malware_scanner[]=wazuh"
fi
if [ ${FOUND} -eq 0 ]; then
LogText "Result: no commercial anti-virus tools found"
AddHP 0 3
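Review bot: setting `ROOTKIT_SCANNER_FOUND=1` and `MALWARE_SCANNER_INSTALLED=1` on the mere presence of a `wazuh-agent` process overstates what has been verified: the agent's rootcheck and integrity modules, and any AV integration, depend on configuration that this block does not inspect. Report it as found (as the `Report "malware_scanner[]=wazuh"` line does) without counting it as a rootkit scanner, or check the configuration first. The same process is also detected by the new LOGG-2144 test in this commit; one place should set a flag and the other reuse it rather than running `IsRunning "wazuh-agent"` twice.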
@ -336,6 +378,24 @@
fi
#
#################################################################################
#
# Test : MALW-3291
# Description : Check if Microsoft Defender Antivirus is installed
Register --test-no MALW-3291 --weight L --network NO --category security --description "Check for mdatp"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking presence mdatp"
if [ ! "${MDATPBINARY}" = "" ]; then
Display --indent 2 --text "- Checking Microsoft Defender Antivirus" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found ${MDATPBINARY}"
MALWARE_SCANNER_INSTALLED=1
AddHP 2 2
Report "malware_scanner[]=mdatp"
else
LogText "Result: mdatp couldn't be found"
fi
fi
#
#################################################################################
#
# Test : MALW-3286
# Description : Check running freshclam if clamd process is running
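Review bot: MALW-3291 is inserted ahead of MALW-3286, so the test numbers in this file no longer ascend; move it after 3286 or renumber. `[ ! "${MDATPBINARY}" = "" ]` is clearer as `[ -n "${MDATPBINARY}" ]`, and the test depends on `MDATPBINARY` being populated by the binary detection, which is not part of this hunk; confirm that it is set elsewhere in the commit, otherwise the test can never report a match.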

View File

@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are

View File

@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -339,7 +338,7 @@
Register --test-no NAME-4210 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check DNS banner"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Trying to determine version from banner"
FIND=$(${DIGBINARY} @localhost version.bind chaos txt | ${GREPBINARY} "^version.bind" | ${GREPBINARY} TXT | ${EGREPBINARY} "[0-9].[0-9].[0-9]*")
FIND=$(${DIGBINARY} @localhost version.bind chaos txt | ${GREPBINARY} "^version.bind" | ${GREPBINARY} TXT | ${GREPBINARY} -E "[0-9].[0-9].[0-9]*")
if [ "${FIND}" = "" ]; then
LogText "Result: no useful information in banner found"
Display --indent 4 --text "- Checking BIND version in banner" --result "${STATUS_OK}" --color GREEN
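Review bot: the pattern `"[0-9].[0-9].[0-9]*"` keeps the unescaped dots from the egrep version, so each `.` matches any character and the expression matches almost any string containing two digits separated by one character; since the line is being touched for the `-E` switch anyway, escape them (`"[0-9]+\.[0-9]+"` is enough to recognise a version number in the banner).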
@ -485,7 +484,7 @@
LogText "Result: ypldap is running"
Display --indent 2 --text "- Checking ypldap status" --result "${STATUS_FOUND}" --color GREEN
else
ReportSuggestion "Disable the usage of NIS/NIS+ and use an alternative like LDAP or Kerberos instead"
ReportSuggestion "${TEST_NO}" "Disable the usage of NIS/NIS+ and use an alternative like LDAP or Kerberos instead"
fi
else
LogText "Result: ypbind is not active"
@ -571,7 +570,7 @@
Register --test-no NAME-4402 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check duplicate line in /etc/hosts"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: check duplicate line in ${ROOTDIR}etc/hosts"
OUTPUT=$(${AWKBINARY} '{ print $1, $2 }' ${ROOTDIR}etc/hosts | ${EGREPBINARY} -v '^(#|$)' | ${EGREPBINARY} "[a-f0-9]" | ${SORTBINARY} | ${UNIQBINARY} -d)
OUTPUT=$(${AWKBINARY} '{ print $1, $2 }' ${ROOTDIR}etc/hosts | ${GREPBINARY} -E -v '^(#|$)' | ${GREPBINARY} -E "[a-f0-9]" | ${SORTBINARY} | ${UNIQBINARY} -d)
if [ -z "${OUTPUT}" ]; then
LogText "Result: OK, no duplicate lines found"
Display --indent 4 --text "- Duplicate entries in hosts file" --result "${STATUS_NONE}" --color GREEN
@ -592,7 +591,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Check /etc/hosts contains an entry for this server name"
if [ -n "${HOSTNAME}" ]; then
DATA=$(${EGREPBINARY} -v '^(#|$|^::1\s|localhost)' ${ROOTDIR}etc/hosts | ${GREPBINARY} -i ${HOSTNAME})
DATA=$(${GREPBINARY} -E -v '^(#|$|^::1\s|localhost)' ${ROOTDIR}etc/hosts | ${GREPBINARY} -i ${HOSTNAME})
if [ -n "${DATA}" ]; then
LogText "Result: Found entry for ${HOSTNAME} in ${ROOTDIR}etc/hosts"
Display --indent 4 --text "- Presence of configured hostname in /etc/hosts" --result "${STATUS_FOUND}" --color GREEN
@ -615,7 +614,7 @@
Register --test-no NAME-4406 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check server hostname mapping"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Check server hostname not locally mapped in ${ROOTDIR}etc/hosts"
DATA=$(${EGREPBINARY} -v '^(#|$)' ${ROOTDIR}etc/hosts | ${EGREPBINARY} '^(localhost|::1)\s' | ${GREPBINARY} -w ${HOSTNAME})
DATA=$(${GREPBINARY} -E -v '^(#|$)' ${ROOTDIR}etc/hosts | ${GREPBINARY} -E '^(localhost|::1)\s' | ${GREPBINARY} -w ${HOSTNAME})
if [ -n "${DATA}" ]; then
LogText "Result: Found this server hostname mapped to a local address"
LogText "Output: ${DATA}"

View File

@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -280,7 +279,7 @@
Register --test-no NETW-3001 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Find default gateway (route)"
if [ $SKIPTEST -eq 0 ]; then
LogText "Test: Searching default gateway(s)"
FIND=$(${NETSTATBINARY} -rn | ${EGREPBINARY} "^0.0.0.0|default" | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f2)
FIND=$(${NETSTATBINARY} -rn | ${GREPBINARY} -E "^0.0.0.0|default" | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f2)
if [ -n "${FIND}" ]; then
for I in ${FIND}; do
LogText "Result: Found default gateway ${I}"
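Review bot: the dots in `"^0.0.0.0|default"` are unescaped regex metacharacters; `"^0\.0\.0\.0|default"` matches only the literal default-route entry. Low impact given the anchoring and predictable netstat output, but cheap to fix while the call is being rewritten.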
@ -750,7 +749,7 @@
UNCOMMON_PROTOCOL_DISABLED=0
# First check modprobe.conf
if [ -f ${ROOTDIR}etc/modprobe.conf ]; then
DATA=$(${GREPBINARY} "^install \+${P} \+/bin/true$" ${ROOTDIR}etc/modprobe.conf)
DATA=$(${GREPBINARY} -E "^install[[:space:]]+${P}[[:space:]]+/bin/(true|false)$" ${ROOTDIR}etc/modprobe.conf)
if [ -n "${DATA}" ]; then
LogText "Result: found ${P} module disabled via modprobe.conf"
UNCOMMON_PROTOCOL_DISABLED=1
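Review bot: the widened pattern `^install[[:space:]]+${P}[[:space:]]+/bin/(true|false)$` still misses common disabling forms such as `install ${P} /usr/bin/true`, a trailing comment, or trailing whitespace before end of line, so a module that is correctly disabled can be reported as not disabled. Consider `[[:space:]]+(/usr)?/bin/(true|false)[[:space:]]*(#.*)?$`, and keep in mind that `${P}` is interpolated into the regex unescaped.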
@ -759,7 +758,7 @@
# Then additional modprobe configuration files
if [ -d ${ROOTDIR}etc/modprobe.d ]; then
# Return file names (-l) and suppress errors (-s)
DATA=$(${GREPBINARY} -l -s "^install \+${P} \+/bin/true$" ${ROOTDIR}etc/modprobe.d/*)
DATA=$(${GREPBINARY} -l -s -E "^install[[:space:]]+${P}[[:space:]]+/bin/(true|false)$" ${ROOTDIR}etc/modprobe.d/*)
if [ -n "${DATA}" ]; then
UNCOMMON_PROTOCOL_DISABLED=1
for F in ${DATA}; do
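Review bot: the regex here duplicates the one used for modprobe.conf a few lines earlier; keeping it in a single variable prevents the two checks from drifting apart the next time the pattern is adjusted. Also `for F in ${DATA}` word-splits the `-l` output, so a file name in modprobe.d containing whitespace becomes several non-existent paths; a `while read -r F` loop over the output is safer.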

View File

@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -30,25 +29,26 @@
# Possible locations of php.ini
PHPINILOCS="${ROOTDIR}etc/php.ini ${ROOTDIR}etc/php.ini.default \
${ROOTDIR}etc/php/php.ini \
${ROOTDIR}etc/php5.5/php.ini \
${ROOTDIR}etc/php5.6/php.ini \
${ROOTDIR}etc/php7.0/php.ini \
${ROOTDIR}etc/php7.1/php.ini \
${ROOTDIR}etc/php7.2/php.ini \
${ROOTDIR}etc/php7.3/php.ini \
${ROOTDIR}etc/php7.4/php.ini \
${ROOTDIR}etc/php/cgi-php5/php.ini \
${ROOTDIR}etc/php/cli-php5/php.ini \
${ROOTDIR}etc/php/apache2-php5/php.ini \
${ROOTDIR}etc/php/apache2-php5.5/php.ini \
${ROOTDIR}etc/php/apache2-php5.6/php.ini \
${ROOTDIR}etc/php8.0/php.ini \
${ROOTDIR}etc/php8.1/php.ini \
${ROOTDIR}etc/php8.2/php.ini \
${ROOTDIR}etc/php8.3/php.ini \
${ROOTDIR}etc/php8.4/php.ini \
${ROOTDIR}etc/php/apache2-php7.0/php.ini \
${ROOTDIR}etc/php/apache2-php7.1/php.ini \
${ROOTDIR}etc/php/apache2-php7.2/php.ini \
${ROOTDIR}etc/php/apache2-php7.3/php.ini \
${ROOTDIR}etc/php/apache2-php7.4/php.ini \
${ROOTDIR}etc/php/cgi-php5.5/php.ini \
${ROOTDIR}etc/php/cgi-php5.6/php.ini \
${ROOTDIR}etc/php/apache2-php8.0/php.ini \
${ROOTDIR}etc/php/apache2-php8.1/php.ini \
${ROOTDIR}etc/php/apache2-php8.2/php.ini \
${ROOTDIR}etc/php/apache2-php8.3/php.ini \
${ROOTDIR}etc/php/apache2-php8.4/php.ini \
${ROOTDIR}etc/php/cgi-php7.0/php.ini \
${ROOTDIR}etc/php/cgi-php7.1/php.ini \
${ROOTDIR}etc/php/cgi-php7.2/php.ini \
@ -61,33 +61,39 @@
${ROOTDIR}etc/php/cli-php7.2/php.ini \
${ROOTDIR}etc/php/cli-php7.3/php.ini \
${ROOTDIR}etc/php/cli-php7.4/php.ini \
${ROOTDIR}etc/php/embed-php5.5/php.ini \
${ROOTDIR}etc/php/embed-php5.6/php.ini \
${ROOTDIR}etc/php/cli-php8.0/php.ini \
${ROOTDIR}etc/php/cli-php8.1/php.ini \
${ROOTDIR}etc/php/cli-php8.2/php.ini \
${ROOTDIR}etc/php/cli-php8.3/php.ini \
${ROOTDIR}etc/php/cli-php8.4/php.ini \
${ROOTDIR}etc/php/embed-php7.0/php.ini \
${ROOTDIR}etc/php/embed-php7.1/php.ini \
${ROOTDIR}etc/php/embed-php7.2/php.ini \
${ROOTDIR}etc/php/embed-php7.3/php.ini \
${ROOTDIR}etc/php/embed-php7.4/php.ini \
${ROOTDIR}etc/php/fpm-php7.4/php.ini \
${ROOTDIR}etc/php/fpm-php7.3/php.ini \
${ROOTDIR}etc/php/fpm-php7.2/php.ini \
${ROOTDIR}etc/php/fpm-php7.1/php.ini \
${ROOTDIR}etc/php/embed-php8.0/php.ini \
${ROOTDIR}etc/php/embed-php8.1/php.ini \
${ROOTDIR}etc/php/embed-php8.2/php.ini \
${ROOTDIR}etc/php/embed-php8.3/php.ini \
${ROOTDIR}etc/php/embed-php8.4/php.ini \
${ROOTDIR}etc/php/fpm-php7.0/php.ini \
${ROOTDIR}etc/php/fpm-php5.5/php.ini \
${ROOTDIR}etc/php/fpm-php5.6/php.ini \
${ROOTDIR}etc/php5/cgi/php.ini \
${ROOTDIR}etc/php5/cli/php.ini \
${ROOTDIR}etc/php5/cli-php5.4/php.ini \
${ROOTDIR}etc/php5/cli-php5.5/php.ini \
${ROOTDIR}etc/php5/cli-php5.6/php.ini \
${ROOTDIR}etc/php5/apache2/php.ini \
${ROOTDIR}etc/php5/fpm/php.ini \
${ROOTDIR}private/etc/php.ini \
${ROOTDIR}etc/php/fpm-php7.1/php.ini \
${ROOTDIR}etc/php/fpm-php7.2/php.ini \
${ROOTDIR}etc/php/fpm-php7.3/php.ini \
${ROOTDIR}etc/php/fpm-php7.4/php.ini \
${ROOTDIR}etc/php/fpm-php8.0/php.ini \
${ROOTDIR}etc/php/fpm-php8.1/php.ini \
${ROOTDIR}etc/php/fpm-php8.2/php.ini \
${ROOTDIR}etc/php/7.0/apache2/php.ini \
${ROOTDIR}etc/php/7.1/apache2/php.ini \
${ROOTDIR}etc/php/7.2/apache2/php.ini \
${ROOTDIR}etc/php/7.3/apache2/php.ini \
${ROOTDIR}etc/php/7.4/apache2/php.ini \
${ROOTDIR}etc/php/8.0/apache2/php.ini \
${ROOTDIR}etc/php/8.1/apache2/php.ini \
${ROOTDIR}etc/php/8.2/apache2/php.ini \
${ROOTDIR}etc/php/8.3/apache2/php.ini \
${ROOTDIR}etc/php/8.4/apache2/php.ini \
${ROOTDIR}etc/php/7.0/cli/php.ini \
${ROOTDIR}etc/php/7.0/fpm/php.ini \
${ROOTDIR}etc/php/7.1/cli/php.ini \
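Review bot: the `fpm-php` series stops at `${ROOTDIR}etc/php/fpm-php8.2/php.ini` while `cli-php`, `embed-php` and `apache2-php` all go up to 8.4; add `fpm-php8.3` and `fpm-php8.4` so FPM installs on those versions are detected like the other SAPIs.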
@ -98,56 +104,65 @@
${ROOTDIR}etc/php/7.3/fpm/php.ini \
${ROOTDIR}etc/php/7.4/cli/php.ini \
${ROOTDIR}etc/php/7.4/fpm/php.ini \
${ROOTDIR}var/www/conf/php.ini \
${ROOTDIR}usr/local/etc/php.ini \
${ROOTDIR}usr/local/lib/php.ini \
${ROOTDIR}usr/local/etc/php5/cgi/php.ini \
${ROOTDIR}usr/local/php54/lib/php.ini \
${ROOTDIR}usr/local/php56/lib/php.ini \
${ROOTDIR}usr/local/php70/lib/php.ini \
${ROOTDIR}usr/local/php71/lib/php.ini \
${ROOTDIR}usr/local/php72/lib/php.ini \
${ROOTDIR}usr/local/php73/lib/php.ini \
${ROOTDIR}usr/local/php74/lib/php.ini \
${ROOTDIR}usr/local/zend/etc/php.ini \
${ROOTDIR}usr/pkg/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php55/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php56/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php73/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php74/root/etc/php.ini \
${ROOTDIR}opt/alt/php44/etc/php.ini \
${ROOTDIR}opt/alt/php51/etc/php.ini \
${ROOTDIR}opt/alt/php52/etc/php.ini \
${ROOTDIR}opt/alt/php53/etc/php.ini \
${ROOTDIR}opt/alt/php54/etc/php.ini \
${ROOTDIR}opt/alt/php55/etc/php.ini \
${ROOTDIR}opt/alt/php56/etc/php.ini \
${ROOTDIR}etc/php/8.0/cli/php.ini \
${ROOTDIR}etc/php/8.0/fpm/php.ini \
${ROOTDIR}etc/php/8.1/cli/php.ini \
${ROOTDIR}etc/php/8.1/fpm/php.ini \
${ROOTDIR}etc/php/8.2/cli/php.ini \
${ROOTDIR}etc/php/8.2/fpm/php.ini \
${ROOTDIR}etc/php/8.3/cli/php.ini \
${ROOTDIR}etc/php/8.3/fpm/php.ini \
${ROOTDIR}etc/php/8.4/cli/php.ini \
${ROOTDIR}etc/php/8.4/fpm/php.ini \
${ROOTDIR}opt/alt/php70/etc/php.ini \
${ROOTDIR}opt/alt/php71/etc/php.ini \
${ROOTDIR}opt/alt/php72/etc/php.ini \
${ROOTDIR}opt/alt/php73/etc/php.ini \
${ROOTDIR}opt/alt/php74/etc/php.ini \
${ROOTDIR}opt/alt/php80/etc/php.ini \
${ROOTDIR}opt/alt/php81/etc/php.ini \
${ROOTDIR}opt/alt/php82/etc/php.ini \
${ROOTDIR}opt/alt/php83/etc/php.ini \
${ROOTDIR}opt/alt/php84/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php73/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php74/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php80/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php81/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php82/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php83/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php84/root/etc/php.ini \
${ROOTDIR}private/etc/php.ini \
${ROOTDIR}var/www/conf/php.ini \
${ROOTDIR}usr/local/etc/php.ini \
${ROOTDIR}usr/local/lib/php.ini \
${ROOTDIR}usr/local/php70/lib/php.ini \
${ROOTDIR}usr/local/php71/lib/php.ini \
${ROOTDIR}usr/local/php72/lib/php.ini \
${ROOTDIR}usr/local/php73/lib/php.ini \
${ROOTDIR}usr/local/php74/lib/php.ini \
${ROOTDIR}usr/local/php80/lib/php.ini \
${ROOTDIR}usr/local/php81/lib/php.ini \
${ROOTDIR}usr/local/php82/lib/php.ini \
${ROOTDIR}usr/local/php83/lib/php.ini \
${ROOTDIR}usr/local/php84/lib/php.ini \
${ROOTDIR}usr/local/zend/etc/php.ini \
${ROOTDIR}usr/pkg/etc/php.ini \
${ROOTDIR}etc/opt/remi/php56/php.ini \
${ROOTDIR}etc/opt/remi/php70/php.ini \
${ROOTDIR}etc/opt/remi/php71/php.ini \
${ROOTDIR}etc/opt/remi/php72/php.ini \
${ROOTDIR}etc/opt/remi/php73/php.ini \
${ROOTDIR}etc/opt/remi/php74/php.ini"
# HEADS-UP: OpenBSD, last two releases are supported, and snapshots of -current
PHPINILOCS="${PHPINILOCS} \
${ROOTDIR}etc/php-5.6.ini \
${ROOTDIR}etc/php-7.0.ini \
${ROOTDIR}etc/php-7.1.ini \
${ROOTDIR}etc/php-7.2.ini \
${ROOTDIR}etc/php-7.3.ini \
${ROOTDIR}etc/php-7.4.ini"
${ROOTDIR}etc/opt/remi/php74/php.ini \
${ROOTDIR}etc/opt/remi/php80/php.ini \
${ROOTDIR}etc/opt/remi/php81/php.ini \
${ROOTDIR}etc/opt/remi/php82/php.ini\
${ROOTDIR}etc/opt/remi/php83/php.ini \
${ROOTDIR}etc/opt/remi/php84/php.ini"
PHPINIDIRS="${ROOTDIR}etc/php5/conf.d \
${ROOTDIR}etc/php/7.0/cli/conf.d \
PHPINIDIRS="${ROOTDIR}etc/php/7.0/cli/conf.d \
${ROOTDIR}etc/php/7.1/cli/conf.d \
${ROOTDIR}etc/php/7.2/cli/conf.d \
${ROOTDIR}etc/php/7.3/cli/conf.d \
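Review bot: `${ROOTDIR}etc/opt/remi/php82/php.ini\` is missing the space before the backslash that every other entry has. It only works because the following line is indented; if that indentation is ever stripped, the php82 and php83 entries fuse into one bogus path, so add the space. In the same hunk the OpenBSD block (`# HEADS-UP: OpenBSD ...` with the `${ROOTDIR}etc/php-N.M.ini` entries) appears to be dropped from `PHPINILOCS` while the matching `${ROOTDIR}etc/php-N.M` directories are kept and extended in `PHPINIDIRS` below; if that removal is intended, OpenBSD php.ini detection needs another path, otherwise the block should stay and be extended to 8.x as well.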
@ -157,41 +172,55 @@
${ROOTDIR}etc/php/7.2/fpm/conf.d \
${ROOTDIR}etc/php/7.3/fpm/conf.d \
${ROOTDIR}etc/php/7.4/fpm/conf.d \
${ROOTDIR}etc/php/8.0/fpm/conf.d \
${ROOTDIR}etc/php/8.1/fpm/conf.d \
${ROOTDIR}etc/php/8.2/fpm/conf.d \
${ROOTDIR}etc/php/8.3/fpm/conf.d \
${ROOTDIR}etc/php/8.4/fpm/conf.d \
${ROOTDIR}etc/php.d \
${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.d \
${ROOTDIR}opt/cpanel/ea-php55/root/etc/php.d \
${ROOTDIR}opt/cpanel/ea-php56/root/etc/php.d \
${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.d \
${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.d \
${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.d \
${ROOTDIR}opt/cpanel/ea-php73/root/etc/php.d \
${ROOTDIR}opt/cpanel/ea-php74/root/etc/php.d \
${ROOTDIR}opt/alt/php44/etc/php.d.all \
${ROOTDIR}opt/alt/php51/etc/php.d.all \
${ROOTDIR}opt/alt/php52/etc/php.d.all \
${ROOTDIR}opt/alt/php53/etc/php.d.all \
${ROOTDIR}opt/alt/php54/etc/php.d.all \
${ROOTDIR}opt/alt/php55/etc/php.d.all \
${ROOTDIR}opt/alt/php56/etc/php.d.all \
${ROOTDIR}opt/cpanel/ea-php80/root/etc/php.d \
${ROOTDIR}opt/cpanel/ea-php81/root/etc/php.d \
${ROOTDIR}opt/cpanel/ea-php82/root/etc/php.d \
${ROOTDIR}opt/cpanel/ea-php83/root/etc/php.d \
${ROOTDIR}opt/cpanel/ea-php84/root/etc/php.d \
${ROOTDIR}opt/alt/php70/etc/php.d.all \
${ROOTDIR}opt/alt/php71/etc/php.d.all \
${ROOTDIR}opt/alt/php72/etc/php.d.all \
${ROOTDIR}opt/alt/php73/etc/php.d.all \
${ROOTDIR}opt/alt/php74/etc/php.d.all \
${ROOTDIR}opt/alt/php80/etc/php.d.all \
${ROOTDIR}opt/alt/php81/etc/php.d.all \
${ROOTDIR}opt/alt/php82/etc/php.d.all \
${ROOTDIR}opt/alt/php83/etc/php.d.all \
${ROOTDIR}opt/alt/php84/etc/php.d.all \
${ROOTDIR}usr/local/lib/php.conf.d \
${ROOTDIR}usr/local/php70/lib/php.conf.d \
${ROOTDIR}usr/local/php71/lib/php.conf.d \
${ROOTDIR}usr/local/php72/lib/php.conf.d \
${ROOTDIR}usr/local/php73/lib/php.conf.d \
${ROOTDIR}usr/local/php74/lib/php.conf.d"
# HEADS-UP: OpenBSD, last two releases are supported, and snapshots of -current
${ROOTDIR}usr/local/php74/lib/php.conf.d \
${ROOTDIR}usr/local/php80/lib/php.conf.d \
${ROOTDIR}usr/local/php81/lib/php.conf.d \
${ROOTDIR}usr/local/php82/lib/php.conf.d \
${ROOTDIR}usr/local/php83/lib/php.conf.d \
${ROOTDIR}usr/local/php84/lib/php.conf.d"
PHPINIDIRS="${PHPINIDIRS} \
${ROOTDIR}etc/php-5.6 \
${ROOTDIR}etc/php-7.0 \
${ROOTDIR}etc/php-7.1 \
${ROOTDIR}etc/php-7.2 \
${ROOTDIR}etc/php-7.3 \
${ROOTDIR}etc/php-7.4"
${ROOTDIR}etc/php-7.4 \
${ROOTDIR}etc/php-8.0 \
${ROOTDIR}etc/php-8.1 \
${ROOTDIR}etc/php-8.2 \
${ROOTDIR}etc/php-8.3 \
${ROOTDIR}etc/php-8.4"
#
#################################################################################
#
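Review bot: the `# HEADS-UP: OpenBSD, last two releases are supported, and snapshots of -current` comment is removed here while the `${ROOTDIR}etc/php-7.x` and `${ROOTDIR}etc/php-8.x` directory entries it explained are kept and extended; keep the comment, as it is the only documentation of why that naming exists in the list.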
@ -285,9 +314,9 @@
# Test : PHP-2368
# Description : Check php register_globals option
# Notes : Don't test for it if PHP version is 5.4.0 or later (it has been removed)
if [ -n "${PHPINIFILE}" -a -n "${PHPVERSION}" -a -n "${EGREPBINARY}" ]; then
if [ -n "${PHPINIFILE}" -a -n "${PHPVERSION}" -a -n "${GREPBINARY}" ]; then
if [ -f "${PHPINIFILE}" ]; then
FIND=$(echo ${PHPVERSION} | ${EGREPBINARY} "^(4.|5.[0-3])")
FIND=$(echo ${PHPVERSION} | ${GREPBINARY} -E "^(4.|5.[0-3])")
if [ -z "${FIND}" ]; then
PREQS_MET="NO"; Debug "Found most likely PHP version 5.4.0 or higher (${PHPVERSION}) which does not use register_globals"
else
@ -305,7 +334,7 @@
Register --test-no PHP-2368 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP register_globals option"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking PHP register_globals option"
FIND=$(${EGREPBINARY} -i 'register_globals.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
FIND=$(${GREPBINARY} -E -i 'register_globals.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
if [ -n "${FIND}" ]; then
Display --indent 4 --text "- Checking register_globals option" --result "${STATUS_WARNING}" --color RED
ReportWarning "${TEST_NO}" "PHP option register_globals option is turned on, which can be a risk for variable value overwriting"
@ -338,7 +367,7 @@
;;
esac
LogText "Test: Checking file ${FILE}"
FIND=$(${EGREPBINARY} -i 'expose_php.*(on|yes|1)' ${FILE} | ${GREPBINARY} -v '^;')
FIND=$(${GREPBINARY} -E -i 'expose_php.*(on|yes|1)' ${FILE} | ${GREPBINARY} -v '^;')
if HasData "${FIND}"; then
LogText "Result: found a a possible match on expose_php setting"
LogText "Data: ${FIND}"
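Review bot: typo in the context line `LogText "Result: found a a possible match on expose_php setting"`; drop the duplicated "a" while this block is being touched.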
@ -367,7 +396,7 @@
Register --test-no PHP-2374 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP enable_dl option"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking PHP enable_dl option"
FIND=$(${EGREPBINARY} -i 'enable_dl.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
FIND=$(${GREPBINARY} -E -i 'enable_dl.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
if [ -n "${FIND}" ]; then
Display --indent 4 --text "- Checking enable_dl option" --result "${STATUS_ON}" --color YELLOW
Report "Result: enable_dl option is turned on, which can be used to enable more modules dynamically and circumventing security controls"
@ -389,7 +418,7 @@
Register --test-no PHP-2376 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP allow_url_fopen option"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking PHP allow_url_fopen option"
FIND=$(${EGREPBINARY} -i 'allow_url_fopen.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
FIND=$(${GREPBINARY} -E -i 'allow_url_fopen.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
if [ -z "${FIND}" ]; then
Display --indent 4 --text "- Checking allow_url_fopen option" --result "${STATUS_ON}" --color YELLOW
LogText "Result: allow_url_fopen option is turned on, which can be used for downloads via PHP and is a security risk"
@ -412,7 +441,7 @@
Register --test-no PHP-2378 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP allow_url_include option"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking PHP allow_url_include option"
FIND=$(${EGREPBINARY} -i 'allow_url_include.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
FIND=$(${GREPBINARY} -E -i 'allow_url_include.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;')
if [ -z "${FIND}" ]; then
Display --indent 4 --text "- Checking allow_url_include option" --result "${STATUS_ON}" --color YELLOW
Report "Result: allow_url_include option is turned on, which can be used for downloads via PHP and is a risk"
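Review bot: the test logic in PHP-2376 and PHP-2378 treats an absent directive as "on" (`if [ -z "${FIND}" ]` after grepping for `(off|no|0)`). That is right for `allow_url_fopen`, whose built-in default is On, but `allow_url_include` defaults to Off, so a php.ini that does not mention it at all is reported as a risk it does not have. Check for an explicit `allow_url_include.*(on|yes|1)` line instead, as PHP-2368 and PHP-2374 do.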
@ -436,7 +465,7 @@
#if [ ${SKIPTEST} -eq 0 ]; then
# FOUND=0
# SIMULATION=0
# MAJOR_VERSION=$(echo ${PHPVERSION} | ${EGREPBINARY} "^7")
# MAJOR_VERSION=$(echo ${PHPVERSION} | ${GREPBINARY} -E "^7")
# if [ "${OS}" = "OpenBSD" ]; then
# FOUND=1 # On OpenBSD, Suhosin is hard linked into PHP
# SIMULATION=off
@ -519,7 +548,7 @@
;;
esac
LogText "Test: Checking file ${FILE}"
FIND=$(${EGREPBINARY} -i "^listen = [0-9]{1,5}$" ${FILE})
FIND=$(${GREPBINARY} -E -i "^listen = [0-9]{1,5}$" ${FILE})
if HasData "${FIND}"; then
LogText "Result: found listen on just a port number"
LogText "Data: ${FIND}"

View File

@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -34,6 +33,34 @@
Display --indent 2 --text "- Searching package managers"
#
#################################################################################
#
# Test : PKGS-7200
# Description : Check Alpine Package Keeper (apk)
if [ -x ${ROOTDIR}/sbin/apk ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7200 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying apk"
if [ ${SKIPTEST} -eq 0 ]; then
COUNT=0
Display --indent 4 --text "- Searching apk package manager" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found apk binary"
Report "package_manager[]=apk"
PACKAGE_MGR_PKG=1
LogText "Test: Querying apk info -v to get package list"
Display --indent 6 --text "- Querying package manager"
LogText "Output:"
SPACKAGES=$(apk info -v | ${SEDBINARY} -r -e 's/([a-z,A-Z,0-9,_,-,.]{1,250})-([a-z,A-Z,0-9,.]+-r[a-z,A-Z,0-9]+)/\1,\2/' | sort)
for J in ${SPACKAGES}; do
COUNT=$((COUNT + 1))
PACKAGE_NAME=$(echo ${J} | ${CUTBINARY} -d ',' -f1)
PACKAGE_VERSION=$(echo ${J} | ${CUTBINARY} -d ',' -f2)
LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
done
Report "installed_packages=${COUNT}"
else
LogText "Result: apk "${STATUS_NOT_FOUND}", test skipped"
fi
#
#################################################################################
#
# Test : PKGS-7301
# Description : Query FreeBSD pkg
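Review bot: the precondition `[ -x ${ROOTDIR}/sbin/apk ]` has a double slash (`${ROOTDIR}` already ends in `/` everywhere else in the tree, and PKGS-7395 below uses `${ROOTDIR}sbin/apk`); use the same spelling in both tests. The query then calls bare `apk info -v` and pipes to bare `sort` rather than the resolved `${ROOTDIR}sbin/apk` and `${SORTBINARY}`, unlike the other package managers. Finally, the bracket expressions in the sed pattern `[a-z,A-Z,0-9,_,-,.]` include literal commas (`,` is not a separator inside `[]`), which is harmless only because package names never contain commas; `[A-Za-z0-9_.-]` says what is meant.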
@ -99,11 +126,15 @@
LogText "Test: Querying brew to get package list"
Display --indent 4 --text "- Querying brew for installed packages"
LogText "Output:"; LogText "-----"
GPACKAGES=$(brew list)
for J in ${GPACKAGES}; do
LogText "Found package ${J}"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J}"
done
GPACKAGES=$(brew list --versions)
while IFS= read -r PKG; do
PACKAGE_NAME=$(echo ${PKG} | ${CUTBINARY} -d ' ' -f1)
PACKAGE_VERSION=$(echo ${PKG} | ${CUTBINARY} -d ' ' -f2)
LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
done << EOF
$GPACKAGES
EOF
else
LogText "Result: brew can NOT be found on this system"
fi
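Review bot: when `brew list --versions` prints nothing, the `done << EOF` heredoc still feeds one empty line to `read -r PKG`, so the loop runs once and appends a bare `|,` entry to `INSTALLED_PACKAGES`; add `[ -n "${PKG}" ] || continue` at the top of the loop. Note also that `brew list --versions` can print several versions on one line (`name 1.0 1.1`), so `${CUTBINARY} -d ' ' -f2` records only the first.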
@ -130,6 +161,29 @@
LogText "Result: emerge can NOT be found on this system"
fi
#
#################################################################################
#
# Test : PKGS-7305
# Description : Query macOS Apps in /Applications and CoreServices
Register --test-no PKGS-7305 --os macOS --weight L --network NO --category security --description "Query macOS Apps in /Applications and CoreServices"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Querying Apps in /Applications"
Display --indent 4 --text "- Querying macOS Apps in /Applications"
LogText "Output:"; LogText "-----"
for APP in /Applications/*.app; do
PACKAGE_NAME=$(basename "$APP" .app)
PACKAGE_VERSION=$(defaults read "$APP/Contents/Info" CFBundleShortVersionString 2>/dev/null || echo "N/A")
LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
done
Display --indent 4 --text "- Querying Apple CoreServices"
for CS in /Library/Apple/System/Library/CoreServices/*.app; do
PACKAGE_NAME=$(basename "$CS" .app)
PACKAGE_VERSION=$(defaults read "$CS/Contents/Info" CFBundleShortVersionString 2>/dev/null || echo "N/A")
LogText "Found CoreServices: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
done
fi
#
#################################################################################
#
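Review bot: `for APP in /Applications/*.app` and the CoreServices loop have no guard for an unmatched glob, in which case the literal `*.app` path is processed, `defaults read` fails silently and a package named `*` with version `N/A` is recorded; add `[ -d "${APP}" ] || continue`. The paths are also hard-coded without `${ROOTDIR}`, unlike the rest of the file, and the test records no `installed_packages` count the way PKGS-7200 does.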
@ -319,12 +373,13 @@
Register --test-no PKGS-7322 --os "Linux" --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Discover vulnerable packages with arch-audit"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking arch-audit output for vulnerable packages"
FIND=$(${ARCH_AUDIT_BINARY} | ${SEDBINARY} 's/\.\..*$//' | ${SEDBINARY} 's/, //g' | ${SEDBINARY} 's/\(\["\|"\]\)//g' | ${SEDBINARY} 's/""/,/g' | ${AWKBINARY} '{ if($1=="Package") { print $2"|"$6"|"}}' | ${AWKBINARY} -F'|' 'NF>1{a[$1] = a[$1]","$2}END{for(i in a){print i""a[i]"|"}}' | ${SEDBINARY} 's/,/|cve=/' | ${SORTBINARY})
FIND=$(${ARCH_AUDIT_BINARY} | ${SEDBINARY} 's/ High risk!//' | ${SEDBINARY} 's/ Medium risk!//' | ${SEDBINARY} 's/ Low risk!//' | ${SEDBINARY} 's/\.\..*$//' | ${SEDBINARY} 's/, /,/g' | ${SEDBINARY} 's/\(\["\|"\]\)//g' | ${SEDBINARY} 's/""/,/g' | ${AWKBINARY} '{if ($0 ~ /is affected by CVE\-/) {print $1"|"$5"|"} else {ORS=""; print $1"|"; for (i=5; i<=NF; i++)print $i; print "\n"; ORS="\n"}}'| ${AWKBINARY} -F'|' 'NF>1{a[$1] = a[$1]","$2}END{for(i in a){print i""a[i]"|"}}' | ${SEDBINARY} 's/,CVE-/|cve=CVE-/' | ${SORTBINARY})
if [ -z "${FIND}" ]; then
LogText "Result: no vulnerable packages found with arch-audit"
AddHP 10 10
else
LogText "Result: found one or more vulnerable packages"
VULNERABLE_PACKAGES_FOUND=1
for ITEM in ${FIND}; do
LogText "Found line: ${ITEM}"
Report "vulnerable_package[]=${ITEM}"
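Review bot: an empty `${FIND}` is scored as "no vulnerable packages" (`AddHP 10 10`), but the pipeline also yields nothing when `${ARCH_AUDIT_BINARY}` fails (no database, no network) or its output format changes, so a failed scan silently passes; check the command's exit status before treating silence as clean. The three `s/ High risk!//` style substitutions can be one `s/ \(High\|Medium\|Low\) risk!//`, and the `\-` in the awk regex `/is affected by CVE\-/` is an unnecessary escape that newer gawk releases warn about; a plain `-` suffices. A comment with one sample input line and the expected `name|version|cve=...` output would make this pipeline maintainable.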
@ -643,9 +698,20 @@
# Check in /etc/cron.hourly, daily, weekly, monthly etc
COUNT=$(find /etc/cron* -name debsums | wc -l)
if [ ${COUNT} -gt 0 ]; then
LogText "Result: Cron job is configured for debsums utility."
Display --indent 6 --text "- Cron job for debsums" --result "${STATUS_FOUND}" --color GREEN
AddHP 3 3
CRON_CHECK=""
if [ -f ${ROOTDIR}etc/default/debsums ]; then
CRON_CHECK=$(${GREPBINARY} CRON_CHECK /etc/default/debsums|${AWKBINARY} -F "=" '{print $2}')
fi
if [ "${CRON_CHECK}" = "daily" ] || [ "${CRON_CHECK}" = "weekly" ] || [ "${CRON_CHECK}" = "monthly" ]; then
LogText "Result: Cron job is configured for debsums utility."
Display --indent 6 --text "- Cron job for debsums" --result "${STATUS_FOUND}" --color GREEN
AddHP 3 3
else
LogText "Result: Cron job is not configured for debsums utility."
Display --indent 6 --text "- Cron job for debsums" --result "${STATUS_NOT_FOUND}" --color YELLOW
AddHP 1 3
ReportSuggestion "${TEST_NO}" "Check debsums configuration and enable checking regularly via a cron job (CRON_CHECK in default file)."
fi
else
LogText "Result: Cron job is not configured for debsums utility."
Display --indent 6 --text "- Cron job for debsums" --result "${STATUS_NOT_FOUND}" --color YELLOW
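Review bot: `${GREPBINARY} CRON_CHECK /etc/default/debsums` is unanchored and hard-codes the path, while the surrounding `-f ${ROOTDIR}etc/default/debsums` test honours `${ROOTDIR}`; use `${GREPBINARY} '^CRON_CHECK=' ${ROOTDIR}etc/default/debsums` so a commented example line cannot win, and strip surrounding quotes from the value before comparing it, otherwise `CRON_CHECK="daily"` is reported as not configured. The "not configured" branch is now duplicated in the inner `else` and the outer one; a single flag set in both paths would avoid the copy.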
@ -808,7 +874,7 @@
Register --test-no PKGS-7383 --preqs-met ${PREQS_MET} --os Linux --weight M --network NO --category security --description "Check for YUM package update management"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: YUM package update management"
FIND=$(${YUMBINARY} repolist 2>/dev/null | ${GREPBINARY} repolist | ${SEDBINARY} 's/[[:blank:]]//g' | ${SEDBINARY} 's/[,.]//g' | ${AWKBINARY} -F ":" '{print $2}' | ${EGREPBINARY} "^[0-9]+$")
FIND=$(${YUMBINARY} repolist 2>/dev/null | ${GREPBINARY} repolist | ${SEDBINARY} 's/[[:blank:]]//g' | ${SEDBINARY} 's/[,.]//g' | ${AWKBINARY} -F ":" '{print $2}' | ${GREPBINARY} -E "^[0-9]+$")
if [ -z "${FIND}" -o "${FIND}" = "0" ]; then
LogText "Result: YUM package update management failed"
Display --indent 2 --text "- YUM package management consistency" --result "${STATUS_WARNING}" --color RED
@ -1002,7 +1068,7 @@
if [ ${OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY} -eq 0 ]; then
if [ -f ${ROOTDIR}etc/apt/sources.list ]; then
LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list file"
FIND=$(${EGREPBINARY} "security.debian.org|security.ubuntu.com|security/? " ${ROOTDIR}etc/apt/sources.list | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g')
FIND=$(${GREPBINARY} -E "security.debian.org|security.ubuntu.com|security/? " ${ROOTDIR}etc/apt/sources.list | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g')
if [ -n "${FIND}" ]; then
FOUND=1
Display --indent 2 --text "- Checking security repository in sources.list file" --result "${STATUS_OK}" --color GREEN
@ -1015,7 +1081,7 @@
fi
if [ -d /etc/apt/sources.list.d ]; then
LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list.d directory"
FIND=$(${EGREPBINARY} -r "security.debian.org|security.ubuntu.com|security/? " /etc/apt/sources.list.d | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g')
FIND=$(${GREPBINARY} -E -r "security.debian.org|security.ubuntu.com|security/? " /etc/apt/sources.list.d | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g')
if [ -n "${FIND}" ]; then
FOUND=1
Display --indent 2 --text "- Checking security repository in sources.list.d directory" --result "${STATUS_OK}" --color GREEN
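Review bot: the directory is hard-coded as `/etc/apt/sources.list.d` in both the `-d` test and the `${GREPBINARY} -E -r` call, while the `sources.list` check just above uses `${ROOTDIR}etc/apt/sources.list`; prefix it with `${ROOTDIR}` for consistency. Also the dots in `security.debian.org|security.ubuntu.com` are unescaped, so they match any character.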
@ -1094,7 +1160,9 @@
LogText "Result: found ${ROOTDIR}usr/lib/update-notifier/apt-check"
LogText "Test: checking if any of the updates contain security updates"
# apt-check binary is a script and translated. Do not search for normal text strings, but use numbered output only
FIND=$(${ROOTDIR}usr/lib/update-notifier/apt-check 2>&1 | ${AWKBINARY} -F\; '{ print $2 }')
# We search for the lines that start with a number, as on Ubuntu 24.04 an error can happen:
# Warning: W:Unable to read /var/lib/ubuntu-advantage/apt-esm/etc/apt/apt.conf.d/ - DirectoryExists (2: No such file or directory)
FIND=$(${ROOTDIR}usr/lib/update-notifier/apt-check 2>&1 | ${GREPBINARY} '^[0-9]' | ${AWKBINARY} -F\; '{ print $2 }')
# Check if we get the proper line back and amount of security patches available
if [ -z "${FIND}" ]; then
LogText "Result: did not find security updates line"
@ -1235,6 +1303,41 @@
#
#################################################################################
#
# Test : PKGS-7395
# Description : Check Alpine upgradeable packages
if [ "${LINUX_VERSION}" = "Alpine Linux" ] && [ -x "${ROOTDIR}sbin/apk" ]; then
PREQS_MET="YES"
else
PREQS_MET="NO"
fi
Register --test-no PKGS-7395 --os Linux --preqs-met ${PREQS_MET} --weight L --network YES --category security --description "Check for Alpine updates"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ${REFRESH_REPOSITORIES} -eq 1 ]; then
LogText "Action: updating package repository with apk"
${ROOTDIR}sbin/apk update
LogText "Result: apk finished"
else
LogText "Result: using a possibly outdated repository, as updating is disabled via configuration"
fi
LogText "Test: Checking packages which can be upgraded via apk version -l '<'"
FIND=$(${ROOTDIR}sbin/apk version -l '<' | ${GREPBINARY} '<' | ${SEDBINARY} 's/\s\+<\s/</g')
if [ -z "${FIND}" ]; then
LogText "Result: no packages found which can be upgraded"
Display --indent 2 --text "- Checking upgradeable packages" --result "${STATUS_NONE}" --color GREEN
AddHP 3 3
else
LogText "Result: found one or more packages which can be upgraded"
Display --indent 2 --text "- Checking upgradeable packages" --result "${STATUS_FOUND}" --color YELLOW
for ITEM in ${FIND}; do
ITEM=$(echo ${ITEM} | ${SEDBINARY} -r -e 's/([a-z,A-Z,0-9,_,-,.]{1,250})-([a-z,A-Z,0-9,.]+-r[a-z,A-Z,0-9]+)<([a-z,A-Z,0-9,-,.]+)/\1 from \2 to \3/')
LogText "${ITEM}"
done
fi
fi
#
#################################################################################
#
# Test : PKGS-7398
# Description : Check package audit tool
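Review bot: `${ROOTDIR}sbin/apk update` writes its progress to the terminal instead of the log; redirect it (`>> ${LOGFILE} 2>&1` or to `/dev/null`) like the other repository refreshes. The sed expression `'s/\s\+<\s/</g'` relies on the GNU `\s` and `\+` extensions; `'s/[[:space:]]*<[[:space:]]*/</g'` is portable and equivalent here. The precondition spells the binary `${ROOTDIR}sbin/apk` while PKGS-7200 uses `${ROOTDIR}/sbin/apk`; pick one. Restricting to `LINUX_VERSION = "Alpine Linux"` also excludes other apk-based distributions for which PKGS-7200 still enumerates packages.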
@ -1274,8 +1377,8 @@
if [ "${DPKGBINARY}" ]; then
TESTED=1
KERNEL_PKG_NAMES="linux-image-[0-9]|raspberrypi-kernel|pve-kernel-[0-9]"
KERNELS=$(${DPKGBINARY} -l 2> /dev/null | ${EGREPBINARY} "${KERNEL_PKG_NAMES}" | ${WCBINARY} -l)
KERNEL_PKG_NAMES="linux-image-[0-9]|raspberrypi-kernel|pve-kernel-[0-9]|linux-odroid-5422"
KERNELS=$(${DPKGBINARY} -l 2> /dev/null | ${GREPBINARY} -E "${KERNEL_PKG_NAMES}" | ${WCBINARY} -l)
if [ ${KERNELS} -eq 0 ]; then
LogText "Result: found no kernels from dpkg -l output, which is unexpected"
elif [ ${KERNELS} -gt 5 ]; then

View File

@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -139,9 +138,19 @@
Register --test-no PRNT-2308 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check CUPSd network configuration"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
# Checking network addresses
PORT_FOUND=0
LogText "Test: Checking CUPS daemon listening network addresses"
FIND=$(${EGREPBINARY} "^(SSL)?Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} -v "/" | ${AWKBINARY} '{ print $2 }')
# Search for Port statement
FIND=$(${GREPBINARY} -E "^Port 631" ${CUPSD_CONFIG_FILE})
if [ -n "${FIND}" ]; then
LogText "Result: found CUPS listening on port 631 (most likely all interfaces)"
PORT_FOUND=1
fi
# Checking network addresses
FIND=$(${GREPBINARY} -E "^(SSL)?Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} -v "/" | ${AWKBINARY} '{ print $2 }')
COUNT=0
for ITEM in ${FIND}; do
LogText "Result: found network address: ${ITEM}"
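Review bot: `^Port 631` is a prefix match, so it also matches `Port 6310`, and it misses a `Port` directive written with a tab or extra spaces. If the intent is "a Port directive is present, meaning CUPS binds all interfaces", use `^Port[[:space:]]+[0-9]+` and include the port in the log message; if only 631 matters, anchor it: `^Port[[:space:]]+631[[:space:]]*$`.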
@ -149,17 +158,10 @@
FOUND=1
done
# Search for Port statement
FIND=$(${EGREPBINARY} "^Port 631" ${CUPSD_CONFIG_FILE})
if [ -n "${FIND}" ]; then
LogText "Result: found CUPS listening on port 631 (most likely all interfaces)"
FOUND=1
fi
# Check if daemon might be running on localhost
if [ ${FOUND} -eq 0 ]; then
if [ ${FOUND} -eq 0 -a ${PORT_FOUND} -eq 0 ]; then
LogText "Result: CUPS does not look to be listening on a network port"
elif [ ${COUNT} -eq 1 ]; then
elif [ ${COUNT} -eq 1 -a ${PORT_FOUND} -eq 0 ]; then
if [ "${FIND}" = "localhost:631" -o "${FIND}" = "127.0.0.1:631" ]; then
LogText "Result: CUPS daemon only running on localhost"
AddHP 2 2
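Review bot: with `PORT_FOUND=1` both new conditions are false, so a configuration with a `Port` directive always falls through to the `else` branch below, even when the only `Listen` line is `localhost:631`. That is the correct outcome (a `Port` directive binds all interfaces), but the reason is only visible here, so the `else` branch should log that `Port` was the trigger. Style: `[ a -eq 0 -a b -eq 0 ]` uses the obsolescent `-a`; the file already writes `[ ... ] || [ ... ]` a few hundred lines down, and `[ ${FOUND} -eq 0 ] && [ ${PORT_FOUND} -eq 0 ]` is the matching form.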
@ -219,7 +221,7 @@
QDAEMON_CONFIG_FILE="${ROOTDIR}etc/qconfig"
FileIsReadable ${QDAEMON_CONFIG_FILE}
if [ ${CANREAD} -eq 1 ]; then
FIND=$(${GREPBINARY} -v "^\*" ${QDAEMON_CONFIG_FILE} | ${EGREPBINARY} "backend|device")
FIND=$(${GREPBINARY} -v "^\*" ${QDAEMON_CONFIG_FILE} | ${GREPBINARY} -E "backend|device")
if [ -n "${FIND}" ]; then
LogText "Result: printers are defined in ${QDAEMON_CONFIG_FILE}"
Display --indent 2 --text "- Checking /etc/qconfig file" --result "${STATUS_FOUND}" --color GREEN

View File

@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Website : https://cisofy.com/
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -35,7 +34,7 @@
# Description : Check cron daemon
Register --test-no SCHD-7702 --weight L --network NO --category security --description "Check status of cron daemon"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${PSBINARY} aux | ${EGREPBINARY} "( cron$|/cron(d)? )")
FIND=$(${PSBINARY} aux | ${GREPBINARY} -E "( cron$|/cron(d)? )")
if IsEmpty "${FIND}"; then
LogText "Result: no cron daemon found"
else
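Review bot: the pattern `"( cron$|/cron(d)? )"` requires a trailing space after `/cron` or `/crond`, so a daemon started with no arguments as `/usr/sbin/crond` (or `/usr/sbin/cron`) at end of line is not detected and the test reports "no cron daemon found". `"( cron(d)?$|/cron(d)?( |$))"` covers both the bare and the argument-bearing forms.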
@ -55,12 +54,12 @@
BAD_FILE_PERMISSIONS=0
BAD_FILE_OWNERSHIP=0
FindCronJob() {
sCRONJOBS=$(${EGREPBINARY} '^([0-9*])' $1 | ${TRBINARY} '\t' ' ' | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | ${SORTBINARY})
sCRONJOBS=$(${GREPBINARY} -E '^([0-9*])' $1 | ${TRBINARY} '\t' ' ' | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | ${SORTBINARY})
}
CRONTAB_FILE="${ROOTDIR}etc/crontab"
if [ -f ${CRONTAB_FILE} ]; then
${EGREPBINARY} -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:/etc/crontab"
${GREPBINARY} -E -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:/etc/crontab"
if IsWorldWritable ${CRONTAB_FILE}; then LogText "Result: insecure file permissions for cronjob file ${CRONTAB_FILE}"; Report "insecure_fileperms_cronjob[]=${CRONTAB_FILE}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi
if ! IsOwnedByRoot ${CRONTAB_FILE}; then LogText "Result: incorrect owner found for cronjob file ${CRONTAB_FILE}"; Report "bad_fileowner_cronjob[]=${CRONTAB_FILE}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi
FindCronJob ${CRONTAB_FILE}
@ -77,7 +76,7 @@
if FileIsReadable ${DIR}; then
LogText "Result: found directory ${DIR}"
LogText "Test: searching files in ${DIR}"
FIND=$(${FINDBINARY} ${DIR} -type f -print | ${GREPBINARY} -v ".placeholder")
FIND=$(${FINDBINARY} -L ${DIR} -type f -print | ${GREPBINARY} -v ".placeholder")
if IsEmpty "${FIND}"; then
LogText "Result: no files found in ${DIR}"
else
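Review bot: with `find -L` at L5814, `-type f` now also matches symlinks whose target is a regular file, and if the IsWorldWritable/IsOwnedByRoot checks that follow stat the path rather than the link, they evaluate the target's mode and owner instead of the link's. A symlink in a cron directory owned by an unprivileged user that points at a root-owned, non-writable file then passes both checks even though the link owner can repoint it at any script. Consider listing link entries separately (for example `-type l`) and checking the owner of the link itself before following it.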
@ -86,7 +85,7 @@
if IsWorldWritable ${FILE}; then LogText "Result: insecure file permissions for cronjob file ${J}"; Report "insecure_fileperms_cronjob[]=${J}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi
if ! IsOwnedByRoot ${FILE}; then LogText "Result: incorrect owner found for cronjob file ${J}"; Report "bad_fileowner_cronjob[]=${J}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi
FILENAME=$(echo ${FILE} | ${AWKBINARY} -F/ '{print $NF}')
if [ "${FILENAME}" = "lynis" ]; then ${EGREPBINARY} -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:${FILE}"; fi
if [ "${FILENAME}" = "lynis" ]; then ${GREPBINARY} -E -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:${FILE}"; fi
FindCronJob ${FILE}
if HasData "${sCRONJOBS}"; then
for K in ${sCRONJOBS}; do
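Review bot: the messages at L5819-L5820 report `${J}` while the file being checked is `${FILE}`, so the log line and the `insecure_fileperms_cronjob[]` / `bad_fileowner_cronjob[]` entries name the wrong (or an unset) variable; the equivalent loop at L5837-L5838 correctly uses `${FILE}`. Separately, L5823 (and L5841 in the next loop) grep `${CRONTAB_FILE}` for 'lynis audit system' when a file named `lynis` is found, yet record `LYNIS_CRONJOB="file:${FILE}"`; the grep target should be `${FILE}`, otherwise the Lynis cron job in a cron directory is only detected when the same line also happens to exist in /etc/crontab.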
@ -112,7 +111,7 @@
LogText "Result: found directory ${I}"
if FileIsReadable ${I}; then
LogText "Test: searching files in ${I}"
FIND=$(${FINDBINARY} ${I} -type f -print 2> /dev/null | ${GREPBINARY} -v ".placeholder")
FIND=$(${FINDBINARY} -L ${I} -type f -print 2> /dev/null | ${GREPBINARY} -v ".placeholder")
if [ -z "${FIND}" ]; then
LogText "Result: no files found in ${I}"
else
@ -121,7 +120,7 @@
if IsWorldWritable ${FILE}; then LogText "Result: insecure file permissions for cronjob file ${FILE}"; Report "insecure_fileperms_cronjob[]=${FILE}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi
if ! IsOwnedByRoot ${FILE}; then LogText "Result: incorrect owner found for cronjob file ${FILE}"; Report "bad_fileowner_cronjob[]=${FILE}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi
FILENAME=$(echo ${FILE} | ${AWKBINARY} -F/ '{print $NF}')
if [ "${FILENAME}" = "lynis" ]; then ${EGREPBINARY} -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:${FILE}"; fi
if [ "${FILENAME}" = "lynis" ]; then ${GREPBINARY} -E -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:${FILE}"; fi
LogText "Result: Found cronjob (${I}): ${FILE}"
Report "cronjob[]=${FILE}"
done
@ -141,7 +140,7 @@
FIND=$(${FINDBINARY} /var/spool/cron/crontabs -xdev -type f -print 2> /dev/null)
for I in ${FIND}; do
if FileIsReadable ${I}; then
${EGREPBINARY} -q -s 'lynis audit system' ${I} && LYNIS_CRONJOB="file:${I}"
${GREPBINARY} -E -q -s 'lynis audit system' ${I} && LYNIS_CRONJOB="file:${I}"
FindCronJob ${I}
for FILE in ${sCRONJOBS}; do
LogText "Found cronjob (/var/spool/cron/crontabs): ${I} (${FILE})"
@ -154,7 +153,7 @@
FIND=$(find ${ROOTDIR}var/spool/cron -type f -print)
for I in ${FIND}; do
if FileIsReadable ${I}; then
${EGREPBINARY} -q -s 'lynis audit system' ${I} && LYNIS_CRONJOB="file:${I}"
${GREPBINARY} -E -q -s 'lynis audit system' ${I} && LYNIS_CRONJOB="file:${I}"
FindCronJob ${I}
for FILE in ${sCRONJOBS}; do
LogText "Found cronjob in ${ROOTDIR}var/spool/cron: ${I} (${FILE})"
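Review bot: L5855 calls plain `find` without `2> /dev/null`, while the otherwise identical loop at L5846 uses `${FINDBINARY}` and suppresses errors; L5846 in turn hard-codes `/var/spool/cron/crontabs` without `${ROOTDIR}`, which L5855 does include. Align both loops so the spool scan behaves the same with a custom root directory and with unreadable subdirectories.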
@ -169,7 +168,7 @@
if [ "${OS}" = "Linux" ]; then
if [ -f /etc/anacrontab ]; then
LogText "Test: checking anacrontab"
sANACRONJOBS=$(${EGREPBINARY} '^([0-9@])' /etc/anacrontab | ${TRBINARY} '\t' ' ' | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | ${SORTBINARY})
sANACRONJOBS=$(${GREPBINARY} -E '^([0-9@])' /etc/anacrontab | ${TRBINARY} '\t' ' ' | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | ${SORTBINARY})
if [ -n "${sANACRONJOBS}" ]; then
Report "scheduler[]=anacron"
for I in ${sANACRONJOBS}; do
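Review bot: L5865-L5867 reference `/etc/anacrontab` directly rather than `${ROOTDIR}etc/anacrontab`, unlike the crontab path built at L5802; a `--rootdir` audit therefore never sees the target system's anacron jobs.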

View File

@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Website : https://cisofy.com/
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -52,7 +51,7 @@
Register --test-no SHLL-6202 --os FreeBSD --weight L --network NO --category security --description "Check console TTYs"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking console TTYs"
FIND=$(${EGREPBINARY} '^console' ${ROOTDIR}etc/ttys | ${GREPBINARY} -v 'insecure')
FIND=$(${GREPBINARY} -E '^console' ${ROOTDIR}etc/ttys | ${GREPBINARY} -v 'insecure')
if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Checking console TTYs" --result "${STATUS_OK}" --color GREEN
LogText "Result: console is secured against single user mode without password."
@ -167,9 +166,9 @@
FIND=$(${LSBINARY} ${ROOTDIR}etc/profile.d/*.sh 2> /dev/null)
if [ -n "${FIND}" ]; then
# Determine if we can find a TMOUT value
FIND=$(${FINDBINARY} ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec cat {} \; 2> /dev/null | ${GREPBINARY} 'TMOUT=' | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }')
FIND=$(${FINDBINARY} -L ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec cat {} \; 2> /dev/null | ${GREPBINARY} 'TMOUT=' | ${TRBINARY} -d ' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }')
# Determine if the value is exported (with export, readonly, or typeset)
FIND2=$(${FINDBINARY} ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec cat {} \; 2> /dev/null | ${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }')
FIND2=$(${FINDBINARY} -L ${ROOTDIR}etc/profile.d -name "*.sh" -type f -exec cat {} \; 2> /dev/null | ${GREPBINARY} '\(export\|readonly\|typeset -r\)[ \t]*TMOUT' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }')
if [ -n "${FIND}" ]; then
N=0; IDLE_TIMEOUT=1
for I in ${FIND}; do
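Review bot: L5907 still uses `\(export\|readonly\|typeset -r\)`, which is a GNU extension to basic regular expressions and does not match on BSD or busybox grep; since this commit moves the other patterns to `grep -E`, convert this one as well, e.g. `${GREPBINARY} -E '(export|readonly|typeset -r)[[:space:]]*TMOUT'`. The `[ \t]` class should become `[[:space:]]` at the same time, as `\t` is not a tab inside a bracket expression in POSIX grep.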
@ -277,9 +276,10 @@
Report "session_timeout_enabled=${IDLE_TIMEOUT}"
#
#################################################################################
#
WaitForKeyPress
#
#================================================================================
# Lynis - Copyright 2007-2021, CISOfy - http://cisofy.com
# EOF

View File

@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Website : https://cisofy.com/
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -102,6 +101,4 @@
WaitForKeyPress
#
#================================================================================
# Lynis - Copyright 2007-2021 Michael Boelen, CISOfy - https://cisofy.com
# EOF

View File

@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
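Review bot: this header (L5956) keeps `Website : https://cisofy.com` without the trailing slash that the same commit adds at L5781 and L5885 in other files; the same applies to L5997, L6075, L6120, L6174 and L6267. Make the Website line consistent across all headers while touching them.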
@ -42,7 +41,7 @@
LogText "Test: Searching for a Squid daemon"
FOUND=0
# Check running processes
FIND=$(${PSBINARY} ax | ${EGREPBINARY} "(squid|squid3) " | ${GREPBINARY} -v "grep")
FIND=$(${PSBINARY} ax | ${GREPBINARY} -E "(squid|squid3) " | ${GREPBINARY} -v "grep")
if [ -n "${FIND}" ]; then
SQUID_DAEMON_RUNNING=1
LogText "Result: Squid daemon is running"
@ -131,7 +130,7 @@
Register --test-no SQD-3613 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid file permissions"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking file permissions of ${SQUID_DAEMON_CONFIG}"
FIND=$(find ${SQUID_DAEMON_CONFIG} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \))
FIND=$(find -L ${SQUID_DAEMON_CONFIG} -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \))
if [ -n "${FIND}" ]; then
LogText "Result: file ${SQUID_DAEMON_CONFIG} is world readable, writable or executable and could leak information or passwords"
Display --indent 4 --text "- Checking Squid configuration file permissions" --result "${STATUS_WARNING}" --color RED
@ -323,6 +322,4 @@
WaitForKeyPress
#
#================================================================================
# Lynis - Copyright 2007-2021 Michael Boelen, CISOfy - https://cisofy.com
# EOF

View File

@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -22,7 +21,7 @@
#
#################################################################################
#
SSH_DAEMON_CONFIG_LOCS="/etc /etc/ssh /usr/local/etc/ssh /opt/csw/etc/ssh"
SSH_DAEMON_CONFIG_LOCS="/etc /etc/ssh /usr/local/etc/ssh /opt/csw/etc/ssh /usr/etc/ssh"
SSH_DAEMON_CONFIG=""
SSH_DAEMON_PORT=""
SSH_DAEMON_RUNNING=0
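Review bot: appending `/usr/etc/ssh` at L6008 interacts with the selection logic at L6014-L6017, where a later match replaces an earlier one. On distributions that ship the vendor default in /usr/etc/ssh/sshd_config and let administrators override it from /etc/ssh/sshd_config, the audit would then inspect the vendor file rather than the effective one. Either place the new directory before `/etc/ssh` in the list, or prefer the first readable file instead of the last.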
@ -74,7 +73,7 @@
LogText "Result: ${I}/sshd_config exists"
if [ ${FOUND} -eq 1 ]; then
ReportException "${TEST_NO}:01"
LogText "Result: we already had found another sshd_config file. Using this new file then."
LogText "Result: we already found another sshd_config file. Using this new file instead of the previous one."
fi
FileIsReadable ${I}/sshd_config
if [ ${CANREAD} -eq 1 ]; then
@ -135,7 +134,6 @@
SSHOPS="AllowTcpForwarding:NO,LOCAL,YES:=\
ClientAliveCountMax:2,4,16:<\
ClientAliveInterval:300,600,900:<\
Compression:NO,,YES:=\
FingerprintHash:SHA256,MD5,:=\
GatewayPorts:NO,,YES:=\
IgnoreRhosts:YES,,NO:=\
@ -158,12 +156,12 @@
# OpenSSH had some options removed over time. Based on the version we add some additional options to check
if [ ${OPENSSHD_VERSION_MAJOR} -lt 7 ]; then
LogText "Result: added additional options for OpenSSH 6.x and lower"
SSHOPS="${SSHOPS} UsePrivilegeSeparation:SANDBOX,YES,NO:= Protocol:2,,1:="
SSHOPS="${SSHOPS} Compression:(DELAYED|NO),,YES:= UsePrivilegeSeparation:SANDBOX,YES,NO:= Protocol:2,,1:="
elif [ ${OPENSSHD_VERSION_MAJOR} -eq 7 ]; then
# Protocol 1 support removed (OpenSSH 7.4 and later)
if [ ${OPENSSHD_VERSION_MINOR} -lt 4 ]; then
LogText "Result: added additional options for OpenSSH < 7.4"
SSHOPS="${SSHOPS} Protocol:2,,1:="
SSHOPS="${SSHOPS} Compression:(DELAYED|NO),,YES:= Protocol:2,,1:="
fi
# UsePrivilegedSeparation removed (OpenSSH 7.5 and later)
if [ ${OPENSSHD_VERSION_MINOR} -lt 5 ]; then
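Review bot: L6034 and L6040 re-add the Compression check for OpenSSH < 7.4 without documenting why it was dropped from the common list at L6025; add a comment next to the existing 'Protocol 1 support removed' one, since from 7.4 onward pre-authentication compression no longer exists and `Compression yes` behaves as the former `delayed`. Also confirm that the option comparison handles the parenthesised alternation `(DELAYED|NO)` in the expected-value field, as every other SSHOPS entry uses plain literals.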
@ -300,7 +298,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
# AllowUsers
FIND=$(${EGREPBINARY} -i "^AllowUsers" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }')
FIND=$(${GREPBINARY} -E -i "^AllowUsers" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }')
if [ -n "${FIND}" ]; then
LogText "Result: AllowUsers set, with value ${FIND}"
Display --indent 4 --text "- OpenSSH option: AllowUsers" --result "${STATUS_FOUND}" --color GREEN
@ -311,9 +309,9 @@
fi
# AllowGroups
FIND=$(${EGREPBINARY} -i "^AllowGroups" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }')
FIND=$(${GREPBINARY} -E -i "^AllowGroups" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }')
if [ -n "${FIND}" ]; then
LogText "Result: AllowUsers set ${FIND}"
LogText "Result: AllowGroups set ${FIND}"
Display --indent 4 --text "- OpenSSH option: AllowGroups" --result "${STATUS_FOUND}" --color GREEN
FOUND=1
else

View File

@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -38,8 +37,8 @@
if [ -d "${ROOTDIR}etc/modprobe.d" ]; then
FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null)
if [ -n "${FIND}" ]; then
FIND1=$(${EGREPBINARY} "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
FIND2=$(${EGREPBINARY} "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
FIND1=$(${GREPBINARY} -E "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
FIND2=$(${GREPBINARY} -E "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then
FOUND=1
LogText "Result: found firewire ohci driver in disabled state"
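Review bot: `${GREPBINARY} -v "#"` at L6087-L6088 (and again at L6098-L6099) discards any matching line that contains a `#` anywhere, so a valid `blacklist firewire-core # disabled by policy` entry is treated as absent and the test reports the driver as enabled. Filter only comment lines, e.g. `${GREPBINARY} -v '^[[:space:]]*#'`.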
@ -49,8 +48,8 @@
fi
fi
if [ -f "${ROOTDIR}etc/modprobe.conf" ]; then
FIND1=$(${EGREPBINARY} -r "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" "${ROOTDIR}etc/modprobe.conf" | ${GREPBINARY} -v "#")
FIND2=$(${EGREPBINARY} -r "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" "${ROOTDIR}etc/modprobe.conf" | ${GREPBINARY} -v "#")
FIND1=$(${GREPBINARY} -E -r "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" "${ROOTDIR}etc/modprobe.conf" | ${GREPBINARY} -v "#")
FIND2=$(${GREPBINARY} -E -r "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" "${ROOTDIR}etc/modprobe.conf" | ${GREPBINARY} -v "#")
if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then
FOUND=1
LogText "Result: found firewire ohci driver in disabled state"
@ -75,6 +74,4 @@
WaitForKeyPress
#
#================================================================================
# Lynis - Copyright 2007-2021, CISOfy, Michael Boelen - https://cisofy.com
# EOF

View File

@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are

View File

@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Website : https://cisofy.com/
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -30,6 +29,8 @@
#
#################################################################################
#
# Test : SINT-7010
# Description : System Integrity Status
if [ -x ${ROOTDIR}/usr/bin/csrutil ]; then PREQS_MET="YES"; else PREQS_MET="NO"; SKIPREASON="No CSrutil binary found"; fi
Register --test-no SINT-7010 --os MacOS --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight H --network NO --category security --description "System Integrity Status"
if [ ${SKIPTEST} -eq 0 ]; then
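Review bot: L6150 builds the path as `${ROOTDIR}/usr/bin/csrutil`, while every other test writes `${ROOTDIR}etc/...` with no leading slash; with a `--rootdir` value ending in `/` this yields a double slash. Also fix the capitalisation in the skip reason ('No csrutil binary found').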
@ -48,7 +49,7 @@
#
#################################################################################
#
WaitForKeyPress
#
#================================================================================
# Lynis - Copyright 2007-2021 Michael Boelen, CISOfy - https://cisofy.com
WaitForKeyPress
# EOF

View File

@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -139,7 +138,7 @@
for I in ${CRONTAB_FILES}; do
if [ -f ${I} ]; then
LogText "Test: checking for ntpdate, rdate, sntp or ntpdig in crontab file ${I}"
FIND=$(${EGREPBINARY} "${CRONTAB_REGEX}" ${I} | ${GREPBINARY} -v '^#')
FIND=$(${GREPBINARY} -E "${CRONTAB_REGEX}" ${I} | ${GREPBINARY} -v '^#')
if [ -n "${FIND}" ]; then
FOUND=1; NTP_CONFIG_TYPE_SCHEDULED=1
Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "${STATUS_FOUND}" --color GREEN
@ -161,10 +160,10 @@
for I in ${CRON_DIRS}; do
for J in "${I}"/*; do # iterate over folders in a safe way
# Check: regular file, readable and not called .placeholder
FIND=$(echo "${J}" | ${EGREPBINARY} '/.placeholder$')
FIND=$(echo "${J}" | ${GREPBINARY} -E '/.placeholder$')
if [ -f "${J}" ] && [ -r "${J}" ] && [ -z "${FIND}" ]; then
LogText "Test: checking for ntpdate, rdate, sntp or ntpdig in ${J}"
FIND=$("${EGREPBINARY}" "${CRONTAB_REGEX}" "${J}" | "${GREPBINARY}" -v "^#")
FIND=$("${GREPBINARY}" -E "${CRONTAB_REGEX}" "${J}" | "${GREPBINARY}" -v "^#")
if [ -n "${FIND}" ]; then
FOUND=1; FOUND_IN_CRON=1; NTP_CONFIG_TYPE_SCHEDULED=1
LogText "Result: found ntpdate, rdate, sntp or ntpdig in ${J}"
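Review bot: `'/.placeholder$'` at L6194 leaves the dot unescaped, so the exclusion also matches names such as `/xplaceholder`; use `'/\.placeholder$'`.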
@ -232,7 +231,7 @@
Register --test-no TIME-3106 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check systemd NTP time synchronization status"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Check the status of time synchronization via timedatectl"
FIND=$(${TIMEDATECTL} status | ${EGREPBINARY} "(NTP|System clock) synchronized: yes")
FIND=$(${TIMEDATECTL} status | ${GREPBINARY} -E "(NTP|System clock) synchronized: yes")
if [ -z "${FIND}" ]; then
LogText "Result: time not synchronized via NTP"
ReportSuggestion "${TEST_NO}" "Check timedatectl output. Synchronization via NTP is enabled, but status reflects it is not synchronized"
@ -273,7 +272,7 @@
else
for ITEM in ${FIND}; do
LogText "Found stratum 16 peer: ${ITEM}"
FIND2=$(${EGREPBINARY} "^ntp-ignore-stratum-16-peer=${ITEM}" ${PROFILE})
FIND2=$(${GREPBINARY} -E "^ntp-ignore-stratum-16-peer=${ITEM}" ${PROFILE})
if IsEmpty "${FIND2}"; then
COUNT=$((COUNT + 1))
Report "ntp_stratum_16_peer[]=${ITEM}"
@ -303,7 +302,7 @@
Register --test-no TIME-3120 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check unreliable NTP peers"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking unreliable ntp peers"
FIND=$(${NTPQBINARY} -p -n | ${EGREPBINARY} "^(-|#)" | ${AWKBINARY} '{ print $1 }' | ${SEDBINARY} 's/^-//g')
FIND=$(${NTPQBINARY} -p -n | ${GREPBINARY} -E "^(-|#)" | ${AWKBINARY} '{ print $1 }' | ${SEDBINARY} 's/^-//g')
if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Checking unreliable ntp peers" --result "${STATUS_NONE}" --color GREEN
LogText "Result: No unreliable peers found"
@ -371,7 +370,7 @@
Register --test-no TIME-3132 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check NTP falsetickers"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking preferred time source"
FIND=$(${NTPQBINARY} -p -n | ${EGREPBINARY} '^x')
FIND=$(${NTPQBINARY} -p -n | ${GREPBINARY} -E '^x')
if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Checking falsetickers" --result "${STATUS_OK}" --color GREEN
LogText "Result: No falsetickers found (items preceding with an 'x')"
@ -455,7 +454,7 @@
else
LogText "Result: ${FILE} is not empty, which is fine"
Display --indent 2 --text "- Checking NTP step-tickers file" --result "${STATUS_OK}" --color GREEN
sFIND=$(${AWKBINARY} '/^[a-z0-9]/ { print $1 }' ${FILE} | ${EGREPBINARY} -v "^127." | ${EGREPBINARY} -v "^::1")
sFIND=$(${AWKBINARY} '/^[a-z0-9]/ { print $1 }' ${FILE} | ${GREPBINARY} -E -v "^127." | ${GREPBINARY} -E -v "^::1")
for I in ${sFIND}; do
FIND=$(${GREPBINARY} ^${I} ${FILE} | wc -l)
if [ ${FIND} -gt 0 ]; then
@ -553,7 +552,7 @@
Register --test-no TIME-3182 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check OpenNTPD has working peers"
if [ ${SKIPTEST} -eq 0 ]; then
# Format is "xx/yy peers valid, ..."
FIND=$(${NTPCTLBINARY} -s status | ${EGREPBINARY} -o '[0-9]+/[0-9]+' | ${CUTBINARY} -d '/' -f 1)
FIND=$(${NTPCTLBINARY} -s status | ${GREPBINARY} -E -o '[0-9]+/[0-9]+' | ${CUTBINARY} -d '/' -f 1)
if [ -z "${FIND}" ] || [ "${FIND}" -eq 0 ]; then
ReportWarning "${TEST_NO}" "OpenNTPD has no peers" "${NTPCTLBINARY} -s status"
fi

View File

@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -259,8 +258,8 @@
# # Check email alert configuration
# LogText "Test: checking for email actions within ${FAIL2BAN_CONFIG}"
#
# FIND=$(${EGREPBINARY} "^action = \%\(action_m.*\)s" ${FAIL2BAN_CONFIG})
# FIND2=$(${EGREPBINARY} "^action = \%\(action_\)s" ${FAIL2BAN_CONFIG})
# FIND=$(${GREPBINARY} -E "^action = \%\(action_m.*\)s" ${FAIL2BAN_CONFIG})
# FIND2=$(${GREPBINARY} -E "^action = \%\(action_\)s" ${FAIL2BAN_CONFIG})
#
# if [ -n "${FIND}" ]; then
# FAIL2BAN_EMAIL=1
@ -400,7 +399,7 @@
#
#################################################################################
#
# Test : TOOL-5160
# Test : TOOL-5126
# Description : Check for OSSEC
Register --test-no TOOL-5126 --weight L --network NO --category security --description "Check for active OSSEC daemon"
if [ ${SKIPTEST} -eq 0 ]; then
@ -428,6 +427,35 @@
fi
#
#################################################################################
#
# Test : TOOL-5128
# Description : Check for Wazuh daemon
Register --test-no TOOL-5128 --weight L --network NO --category security --description "Check for active Wazuh daemon"
if [ ${SKIPTEST} -eq 0 ]; then
# Server side
if IsRunning "wazuh-analysisd"; then
IDS_IPS_TOOL_FOUND=1
Report "ids_ips_tooling[]=wazuh"
Report "ids_ips_tooling[]=wazuh-analysisd"
LogText "Result: Wazuh analysis daemon is active"
Display --indent 2 --text "- Checking presence of Wazuh (analysis)" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: Wazuh analysis daemon not active"
fi
# Client side
if IsRunning "wazuh-agentd"; then
IDS_IPS_TOOL_FOUND=1
Report "ids_ips_tooling[]=wazuh"
Report "ids_ips_tooling[]=wazuh-agentd"
LogText "Result: Wazuh agent daemon is active"
Display --indent 2 --text "- Checking presence of Wazuh (agent)" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: Wazuh agent daemon not active"
fi
fi
#
#################################################################################
#
# Test : TOOL-5190
# Description : Check for an IDS/IPS tool
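Review bot: if both `wazuh-analysisd` and `wazuh-agentd` are running on the same host, `Report "ids_ips_tooling[]=wazuh"` is emitted twice (L6305 and L6315); report it once after either match and keep only the daemon-specific entries inside the branches. Unlike the neighbouring tests there is also no Display line when neither daemon is found (L6310, L6320 only log), so the operator gets no on-screen result for this test; consider a NOT FOUND result for the negative case.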

View File

@ -6,7 +6,7 @@
# ------------------
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -54,8 +54,8 @@
if [ -d /etc/modprobe.d ]; then
FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null)
if [ -n "${FIND}" ]; then
FIND=$(${EGREPBINARY} -r "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
FIND2=$(${EGREPBINARY} -r "^blacklist usb[-_]storage" ${ROOTDIR}etc/modprobe.d/*)
FIND=$(${GREPBINARY} -E -r "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
FIND2=$(${GREPBINARY} -E -r "^blacklist usb[-_]storage" ${ROOTDIR}etc/modprobe.d/*)
if [ -n "${FIND}" -o -n "${FIND2}" ]; then
FOUND=1
LogText "Result: found usb-storage driver in disabled state (blacklisted)"
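Review bot: `[ -n "${FIND}" -o -n "${FIND2}" ]` at L6348 relies on the `-o` binary operator, which POSIX marks obsolescent; the firewire equivalent at L6089 already uses `[ ... ] || [ ... ]`, so use the same form here. The `${GREPBINARY} -v "#"` at L6346 also drops otherwise valid lines that carry a trailing comment.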
@ -65,7 +65,7 @@
fi
fi
if [ -f ${ROOTDIR}etc/modprobe.conf ]; then
FIND=$(${EGREPBINARY} "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.conf | ${GREPBINARY} "usb-storage" | ${GREPBINARY} -v "#")
FIND=$(${GREPBINARY} -E "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.conf | ${GREPBINARY} "usb-storage" | ${GREPBINARY} -v "#")
if [ -n "${FIND}" ]; then
FOUND=1
LogText "Result: found usb-storage driver in disabled state"
@ -316,11 +316,11 @@
Display --indent 4 --text "- RuleFile" --result "${STATUS_FOUND}" --color GREEN
AddHP 1 1
USBGUARD_RULES_ALLOW=$(${EGREPBINARY} -c "^allow" ${USBGUARD_RULES})
USBGUARD_RULES_ALLOW=$(${GREPBINARY} -E -c "^allow" ${USBGUARD_RULES})
Display --indent 6 --text "- Controllers & Devices allow" --result "${USBGUARD_RULES_ALLOW}" --color WHITE
USBGUARD_RULES_BLOCK=$(${EGREPBINARY} -c "^block" ${USBGUARD_RULES})
USBGUARD_RULES_BLOCK=$(${GREPBINARY} -E -c "^block" ${USBGUARD_RULES})
Display --indent 6 --text "- Controllers & Devices block" --result "${USBGUARD_RULES_BLOCK}" --color WHITE
USBGUARD_RULES_REJECT=$(${EGREPBINARY} -c "^reject" ${USBGUARD_RULES})
USBGUARD_RULES_REJECT=$(${GREPBINARY} -E -c "^reject" ${USBGUARD_RULES})
Display --indent 6 --text "- Controllers & Devices reject" --result "${USBGUARD_RULES_REJECT}" --color WHITE
else
LogText "Result: RuleFile not found (\"man usbguard\" for instructions to install initial policies)"

View File

@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are

View File

@ -5,11 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# Blog : https://linux-audit.com/
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
@ -48,6 +47,8 @@
TMPFILE="${TEMP_FILE}"
CreateTempFile || ExitFatal
TMPFILE2="${TEMP_FILE}"
CreateTempFile || ExitFatal
TMPFILE3="${TEMP_FILE}"
#
#################################################################################
#
@ -63,7 +64,7 @@
Display --indent 2 --text "- Checking Apache" --result "${STATUS_NOT_FOUND}" --color WHITE
else
LogText "Test: Scanning for Apache binary"
IS_APACHE=$(${HTTPDBINARY} -v 2> /dev/null | ${EGREPBINARY} '[aA]pache')
IS_APACHE=$(${HTTPDBINARY} -v 2> /dev/null | ${GREPBINARY} -E '[aA]pache')
if IsEmpty "${IS_APACHE}"; then
LogText "Result: ${HTTPDBINARY} is not Apache"
Display --indent 2 --text "- Checking Apache (binary ${HTTPDBINARY})" --result "NO MATCH" --color WHITE
@ -203,7 +204,7 @@
#if [ ${SKIPTEST} -eq 0 ]; then
# # Testing Debian style
# LogText "Test: searching loaded/enabled Apache modules"
# apachectl -t -D DUMP_MODULES 2>&1 | ${EGREPBINARY} -v "(Loaded Modules|Syntax OK)" | ${SEDBINARY} 's/(\(shared\|static\))//' | ${SEDBINARY} 's/ //'
# apachectl -t -D DUMP_MODULES 2>&1 | ${GREPBINARY} -E -v "(Loaded Modules|Syntax OK)" | ${SEDBINARY} 's/(\(shared\|static\))//' | ${SEDBINARY} 's/ //'
# for I in ${APACHE_MODULES_ENABLED_LOCS}; do
# LogText "Test: checking ${I}"
# if [ -d ${I} ]; then
@ -288,7 +289,7 @@
Register --test-no HTTP-6643 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Determining existence of specific Apache modules"
if [ ${SKIPTEST} -eq 0 ]; then
# Check modules, module
if CheckItem "apache_module" "/mod_security2.so"; then
if CheckItem "apache_module" "/mod_security(2|3).so" ; then
Display --indent 10 --text "ModSecurity: web application firewall" --result "${STATUS_FOUND}" --color GREEN
AddHP 3 3
else
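Review bot: the second argument at L6440 is now a regular expression (`/mod_security(2|3).so`) whereas the previous value was a literal; confirm that CheckItem matches with ERE semantics, otherwise `(2|3)` is compared literally and neither module is ever found. If it does use a regex, escape the dot (`\.so`).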
@ -300,8 +301,42 @@
#
#################################################################################
#
# Test : HTTP-6660 TODO
# Test : HTTP-6660
# Description : Search for "TraceEnable off" in configuration files
if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6660 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking Apache security setting: TraceEnable"
if [ ${SKIPTEST} -eq 0 ]; then
for DIR in ${sTEST_APACHE_TARGETS}; do
if [ -d ${DIR} ]; then
find ${DIR} -name "*.conf" -print >> ${TMPFILE3}
fi
done
# Check all Apache conf-files for TraceEnable
if [ -f ${TMPFILE3} ]; then
Display --indent 2 --text '- Checking TraceEnable setting in:'
for APACHE_CONFFILE in $(cat ${TMPFILE3}); do
TRACEENABLE=$( ${GREPBINARY} -i -E '^TraceEnable' ${APACHE_CONFFILE} | ${AWKBINARY} '{print $2}' )
if [ ! ${TRACEENABLE} ]; then
LogText "Result: no TraceEnable setting found in ${APACHE_CONFFILE}"
Display --indent 4 --text " ${APACHE_CONFFILE}" --result "${STATUS_NOT_FOUND}" --color WHITE
else
TRACEENABLED_SETTING=$( echo ${TRACEENABLE} | tr 'A-Z' 'a-z' )
if [ "x${TRACEENABLED_SETTING}" = 'xoff' ]; then
LogText "Result: found TraceEnable setting set to 'off' in ${APACHE_CONFFILE}"
Report "Apache setting: 'TraceEnable Off' in ${APACHE_CONFFILE}"
Display --indent 4 --text " ${APACHE_CONFFILE}" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: found TraceEnable setting set to '"${TRACEENABLE}"' in ${APACHE_CONFFILE}"
Report "Apache setting: 'TraceEnable "${TRACEENABLE}"' in ${APACHE_CONFFILE}"
Display --indent 4 --text " ${APACHE_CONFFILE}" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Consider setting 'TraceEnable Off' in ${APACHE_CONFFILE}" "Set TraceEnable to 'On' or 'extended' for testing and diagnostic purposes only."
fi
fi
done
rm -f ${TMPFILE3}
fi
fi
#
#################################################################################
#
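Review bot: a configuration with no TraceEnable directive is reported as NOT FOUND without a suggestion (L6464-L6466), but Apache's default for TraceEnable is `on`, so the absence of the directive is exactly the case that leaves TRACE enabled; raise the suggestion once when none of the scanned files sets it to off, rather than per file. Further points in this hunk: `[ -f ${TMPFILE3} ]` at L6460 is always true because CreateTempFile created the file, so test with `-s` for collected paths; `if [ ! ${TRACEENABLE} ]` at L6464 should be `[ -z "${TRACEENABLE}" ]`; `Report "Apache setting: ..."` at L6471 and L6475 writes free text into the report, which elsewhere is strictly `key=value` (compare `nginx_config_option[]=` at L6494), so use something like `apache_traceenable[]=${APACHE_CONFFILE}:${TRACEENABLED_SETTING}`; `^TraceEnable` misses indented directives; and `find`, `tr` and `rm` should use `${FINDBINARY}` (with `2> /dev/null`), `${TRBINARY}` and the existing temp-file cleanup at L6499, like the rest of the file.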
@ -381,7 +416,7 @@
done
# Sort all discovered configuration lines and store unique ones. Also strip out the mime types configured in nginx
SORTFILE=$(${SORTBINARY} -u ${TMPFILE} | ${SEDBINARY} 's/ /:space:/g' | ${EGREPBINARY} -v "(application|audio|image|text|video)/" | ${EGREPBINARY} -v "({|})")
SORTFILE=$(${SORTBINARY} -u ${TMPFILE} | ${SEDBINARY} 's/ /:space:/g' | ${GREPBINARY} -E -v "(application|audio|image|text|video)/" | ${GREPBINARY} -E -v "({|})")
for I in ${SORTFILE}; do
I=$(echo ${I} | ${SEDBINARY} 's/:space:/ /g')
Report "nginx_config_option[]=${I}";
@ -608,6 +643,7 @@
# Remove temp file (double check)
if [ -n "${TMPFILE}" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi
if [ -n "${TMPFILE2}" ]; then if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi; fi
if [ -n "${TMPFILE3}" ]; then if [ -f ${TMPFILE3} ]; then rm -f ${TMPFILE3}; fi; fi
WaitForKeyPress

View File

@ -5,8 +5,7 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2021, CISOfy
# Copyright (c) Michael Boelen, CISOfy, and many contributors.
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
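Review bot: this file keeps `# Blog : http://linux-audit.com` unchanged while every other header in the commit moves it to `https://linux-audit.com/`; update it for consistency.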

33
lynis
View File

@ -5,10 +5,10 @@
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# 2013-now, CISOfy
# Copyright Michael Boelen, CISOfy
#
# Web site: https://cisofy.com
# Web site : https://cisofy.com/
# Blog : https://linux-audit.com/
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
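Review bot: the copyright line at L6525 reads `Copyright Michael Boelen, CISOfy`, whereas all include and test files in this commit were changed to `Copyright (c) Michael Boelen, CISOfy, and many contributors.`; use the same wording here.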
@ -43,16 +43,16 @@
PROGRAM_WEBSITE="https://cisofy.com/lynis/"
# Version details
PROGRAM_RELEASE_DATE="2022-01-18"
PROGRAM_RELEASE_TIMESTAMP=1642512096
PROGRAM_RELEASE_TYPE="release" # pre-release or release
PROGRAM_VERSION="3.0.7"
PROGRAM_RELEASE_DATE="2025-01-28"
PROGRAM_RELEASE_TIMESTAMP=1738061140
PROGRAM_RELEASE_TYPE="pre-release" # pre-release or release
PROGRAM_VERSION="3.1.5"
# Source, documentation and license
PROGRAM_SOURCE="https://github.com/CISOfy/lynis"
PROGRAM_PACKAGE="https://packages.cisofy.com/"
PROGRAM_DOCUMENTATION="https://cisofy.com/docs/"
PROGRAM_COPYRIGHT="2007-2021, ${PROGRAM_AUTHOR} - ${PROGRAM_WEBSITE}"
PROGRAM_COPYRIGHT="2007-2024, ${PROGRAM_AUTHOR} - ${PROGRAM_WEBSITE}"
PROGRAM_LICENSE="${PROGRAM_NAME} comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
welcome to redistribute it under the terms of the GNU General Public License.
See the LICENSE file for details about using this software."
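Review bot: PROGRAM_COPYRIGHT is only advanced to "2007-2024" while PROGRAM_RELEASE_DATE in the same hunk becomes 2025-01-28; extend the range to 2025, or derive the end year from the release date so the two cannot drift apart again. Also, PROGRAM_RELEASE_TIMESTAMP (1738061140) feeds the "old release" check later in this file, so remember to refresh it together with PROGRAM_RELEASE_DATE when 3.1.5 moves from pre-release to release.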
@ -217,10 +217,10 @@
# Extract the short notation of the language (first two characters).
if [ -x "$(command -v locale 2> /dev/null)" ]; then
LANGUAGE=$(locale | egrep "^LANG=" | cut -d= -f2 | cut -d_ -f1 | tr -d '"' | egrep "^[a-z]{2}$")
LANGUAGE=$(locale | grep -E "^LANG=" | cut -d= -f2 | cut -d_ -f1 | tr -d '"' | grep -E "^[a-z]{2}$")
# Try locale command if shell variable had no value
if [ -z "${DISPLAY_LANG}" ]; then
DISPLAY_LANG=$(locale | egrep "^LANG=" | cut -d= -f2)
DISPLAY_LANG=$(locale | grep -E "^LANG=" | cut -d= -f2)
fi
else
LANGUAGE="en"
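Review bot: LANGUAGE and DISPLAY_LANG are both taken from the `LANG=` line of the `locale` output; when LC_ALL or LC_MESSAGES is set, that value overrides LANG for message language, so the detected language can disagree with what the user actually sees. Consider checking LC_ALL, then LC_MESSAGES, then LANG. The egrep to `grep -E` replacement itself is correct, since egrep is deprecated.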
@ -514,7 +514,7 @@ ${NORMAL}
. ${INCLUDEDIR}/osdetection
Display --indent 2 --text "- Detecting OS... " --result "${STATUS_DONE}" --color GREEN
# Check hostname
# Check hostname and get timestamp
case ${OS} in
HP-UX)
HOSTNAME=$(hostname) ;;
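Review bot: the comment changes to "Check hostname and get timestamp", but nothing in this hunk sets a timestamp; the NOW assignment removed from the update-check block further down in this file is presumably relocated here. Either include the relocated lines in this hunk or keep the comment limited to what the visible code does, so the comment and the code do not drift apart.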
@ -531,7 +531,6 @@ ${NORMAL}
if [ "${OS}" = "Linux" -a "${HOSTNAME}" = "${FQDN}" ]; then
FQDN=$(hostname -f 2> /dev/null)
fi
#
#################################################################################
#
@ -789,16 +788,10 @@ ${NORMAL}
fi
fi
# Test for older releases, without testing via update mechanism
if [ "${OS}" = "Solaris" ]; then
NOW=$(nawk 'BEGIN{print srand()}')
else
NOW=$(date "+%s")
fi
OLD_RELEASE=0
TIME_DIFFERENCE_CHECK=10368000 # 4 months
RELEASE_PLUS_TIMEDIFF=$((PROGRAM_RELEASE_TIMESTAMP + TIME_DIFFERENCE_CHECK))
NOW=$(date "+%s")
if [ ${NOW} -gt ${RELEASE_PLUS_TIMEDIFF} ]; then
# Show if release is old, only if we didn't show it with normal update check
if [ ${UPDATE_AVAILABLE} -eq 0 ]; then
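Review bot: this removal drops the Solaris fallback (`NOW=$(nawk 'BEGIN{print srand()}')`) together with the `date "+%s"` assignment, while the comparison `if [ ${NOW} -gt ${RELEASE_PLUS_TIMEDIFF} ]` remains. Wherever NOW is now computed, keep the Solaris branch, since /usr/bin/date on older Solaris releases has no `%s` format, and quote the comparison with a default, `[ "${NOW:-0}" -gt "${RELEASE_PLUS_TIMEDIFF}" ]`, so an empty NOW produces a skipped check rather than a shell error.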
@ -1025,7 +1018,7 @@ ${NORMAL}
if [ "${TEST_GROUP_TO_CHECK}" = "all" ]; then
LogText "Info: perform tests from all categories"
INCLUDE_TESTS="boot_services kernel memory_processes authentication shells \
INCLUDE_TESTS="boot_services kernel memory_processes authentication kerberos shells \
filesystems usb storage storage_nfs nameservices dns ports_packages networking printers_spoolers \
mail_messaging firewalls webservers ssh snmp databases ldap php squid logging \
insecure_services banners scheduling accounting time crypto virtualization containers \
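Review bot: "kerberos" is inserted into the INCLUDE_TESTS list for the "all" branch only; confirm that the corresponding tests_kerberos include is also reachable when a single group is requested via TEST_GROUP_TO_CHECK, and that the new group name appears in the help text and documentation that list the selectable groups.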


@ -47,13 +47,13 @@
if [ -n "${SYSTEMCTLBINARY}" -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3802 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query systemd version and options" --progress
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${SYSTEMCTLBINARY} --version 2> /dev/null | ${AWKBINARY} '{ if ($1=="systemd") { print $2 } }' | grep "^[1-9][0-9][0-9]$" | head -1)
FIND=$(${SYSTEMCTLBINARY} --version 2> /dev/null | ${AWKBINARY} '{ if ($1=="systemd") { print $2 } }' | grep "^[1-9][0-9][0-9]$" | head -n 1)
if [ -n "${FIND}" ]; then
SYSTEMD_VERSION=${FIND}
Report "systemd_version=${FIND}"
LogText "Result: found systemd version ${FIND}"
fi
FIND=$(${SYSTEMCTLBINARY} --version 2> /dev/null | grep "^[-+]" | sed 's/[[:space:]]/,/g' | head -1)
FIND=$(${SYSTEMCTLBINARY} --version 2> /dev/null | grep "^[-+]" | sed 's/[[:space:]]/,/g' | head -n 1)
if [ -n "${FIND}" ]; then
Report "systemd_builtin_components=${FIND}"
LogText "Result: found builtin components list"
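Review bot: `head -n 1` is the correct POSIX spelling, but both changed lines still call `grep`, `sed` and `head` directly while `${SYSTEMCTLBINARY}` and `${AWKBINARY}` are used for the other tools; use the corresponding binary variables for consistency. The filter `grep "^[1-9][0-9][0-9]$"` also accepts only three-digit version numbers, so SYSTEMD_VERSION silently stays unset for any other output; `grep -E "^[0-9]+$"` is safer.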
@ -101,7 +101,7 @@
if [ -f ${ROOTDIR}etc/machine-id -a ${SYSTEMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3808 --preqs-met ${PREQS_MET} --weight L --network NO --description "Gather systemd machine ID" --progress
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(cat ${ROOTDIR}etc/machine-id | head -1)
FIND=$(cat ${ROOTDIR}etc/machine-id | head -n 1)
if [ -n "${FIND}" ]; then
SYSTEMD_MACHINEID="${FIND}"
LogText "Result: found machine ID: ${SYSTEMD_MACHINEID}"
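Review bot: `cat ${ROOTDIR}etc/machine-id | head -n 1` is a useless use of cat with an unquoted path; write `head -n 1 "${ROOTDIR}etc/machine-id"` instead.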
@ -134,7 +134,7 @@
FIND=$(${JOURNALCTLBINARY} --list-boots | wc -l)
LogText "Output: number of boots listed in journal is ${FIND}"
if [ -n "${FIND}" ]; then Report "journal_bootlogs=${FIND}"; fi
FIND=$(${JOURNALCTLBINARY} --list-boots | head -1 | awk '{ print $4 }')
FIND=$(${JOURNALCTLBINARY} --list-boots | head -n 1 | awk '{ print $4 }')
LogText "Output: oldest boot date in journal is ${FIND}"
if [ -n "${FIND}" ]; then Report "journal_oldest_bootdate=${FIND}"; fi
fi
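Review bot: both the boot count (`--list-boots | wc -l`) and the oldest boot date (`--list-boots | head -n 1 | awk '{ print $4 }'`) assume every output line is a boot entry; on systemd versions that print a column header for `--list-boots`, the first line is the header, so the count is off by one and the "oldest boot date" is a header field. Filter for lines that start with an index, e.g. `grep -E '^ *-?[0-9]+ '`, before counting and before taking the first line.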
@ -204,7 +204,7 @@
if [ -n "${SYSTEMCTLBINARY}" -a ${SYSTEMD_RUNNING} -eq 1 -a ${SYSTEMD_VERSION} -ge 215 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PLGN-3830 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query systemd status" --progress
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${SYSTEMCTLBINARY} is-system-running 2> /dev/null | head -1)
FIND=$(${SYSTEMCTLBINARY} is-system-running 2> /dev/null | head -n 1)
if [ -n "${FIND}" ]; then
Report "systemd_status=${FIND}"
LogText "Result: found systemd status = ${FIND}"
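Review bot: the prerequisite check `${SYSTEMD_VERSION} -ge 215` on the first line of this hunk breaks when SYSTEMD_VERSION is empty (which happens when the version grep in PLGN-3802 found no match): `[ -ge 215 ]` is a test error rather than a NO. Quote it with a default, `"${SYSTEMD_VERSION:-0}" -ge 215`, so the test is skipped cleanly. The `head -n 1` change itself is fine.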