tyler.durden
/
lynis
mirror of https://github.com/CISOfy/lynis.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' into macos-eol

This commit is contained in:
Michael Boelen 2020-10-20 13:16:12 +02:00 committed by GitHub
parent 48e794574a 4a99f3bdad
commit 5cb8c68d5c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 164 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
CHANGELOG.md
View File

@ -1,9 +1,25 @@
# Lynis Changelog
## Lynis 3.0.1 (not released yet)
## Lynis 3.0.2 (not released yet)
### Added
- Detection of ROSA Linux
- Detection of Zorin OS
### Changed
- KRNL-5830 - Improved reboot test by ignoring known bad values
- PKGS-7410 - Don't show exception if no kernels were found on the disk
- Set 'RHEL' as OS_NAME for Red Hat Enterprise Linux
- French translation improved
- Small code enhancements
---------------------------------------------------------------------------------
## Lynis 3.0.1 (2020-10-05)
### Added
- Detection of Alpine Linux
- Detection of CloudLinux
- Detection of Kali Linux
- Detection of Linux Mint
- Detection of macOS Big Sur (11.0)
@ -18,6 +34,7 @@
- AUTH-9229 - Added option for LOCKED accounts and bugfix for older bash versions
- BOOT-5122 - Presence check for grub.d added
- CRYP-7902 - Added support for certificates in DER format
- CRYP-7931 - Added data to report
- CRYP-7931 - Redirect errors (e.g. when swap is not encrypted)
- FILE-6430 - Don't grep nonexistant modprobe.d files
- FIRE-4535 - Set initial firewall state

31
db/languages/fr
View File

@ -1,38 +1,45 @@
ERROR_NO_LICENSE="Pas de clé de licence configurée"
ERROR_NO_UPLOAD_SERVER="Pas de serveur de transfert configuré"
GEN_CHECKING="Vérification"
GEN_CURRENT_VERSION="Version actuelle"
GEN_DEBUG_MODE="mode debug"
GEN_INITIALIZE_PROGRAM="Initialisation"
GEN_LATEST_VERSION="Dernière version"
GEN_PHASE="phase"
GEN_PLUGINS_ENABLED="Plugins activés"
GEN_VERBOSE_MODE="mode verbeux"
GEN_UPDATE_AVAILABLE="mise à jour disponible"
GEN_VERBOSE_MODE="mode verbeux"
GEN_WHAT_TO_DO="Que faire"
NOTE_EXCEPTIONS_FOUND="Exceptions trouvées"
NOTE_EXCEPTIONS_FOUND_DETAILED="Des événements ou informations exceptionnels ont été trouvés"
NOTE_PLUGINS_TAKE_TIME="Note: les plugins ont des tests plus poussés et peuvent prendre plusieurs minutes"
NOTE_PLUGINS_TAKE_TIME="Note : Les plugins ont des tests plus poussés et peuvent prendre plusieurs minutes"
NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Tests ignorés faute de privilèges"
SECTION_CUSTOM_TESTS="Tests Personnalisés"
SECTION_CUSTOM_TESTS="Tests personnalisés"
SECTION_DATA_UPLOAD="Téléchargement de données"
SECTION_INITIALIZING_PROGRAM="Initialisation du programme"
SECTION_MALWARE="Malware"
SECTION_MEMORY_AND_PROCESSES="Mémoire et Processus"
SECTION_MEMORY_AND_PROCESSES="Mémoire et processus"
SECTION_SYSTEM_TOOLS="Outils système"
STATUS_DISABLED="DÉSACTIVÉ"
STATUS_DONE="FAIT"
STATUS_ENABLED="ACTIVÉ"
STATUS_ERROR="ERREUR"
STATUS_FAILED="ÉCHOUÉ"
STATUS_FOUND="TROUVÉ"
STATUS_YES="OUI"
STATUS_NO="NON"
STATUS_OFF="OFF"
STATUS_OK="OK"
STATUS_ON="ON"
STATUS_NO="NON"
STATUS_NONE="AUCUN"
STATUS_NOT_CONFIGURED="NON CONFIGURÉ"
STATUS_NOT_FOUND="NON TROUVÉ"
STATUS_NOT_RUNNING="NON LANCÉ"
STATUS_RUNNING="EN COURS":
STATUS_RUNNING="EN COURS"
STATUS_SKIPPED="IGNORÉ"
STATUS_SUGGESTION="SUGGESTION"
STATUS_UNKNOWN="INCONNU"
STATUS_WARNING="ATTENTION"
STATUS_WEAK="FAIBLE"
STATUS_YES="OUI"
TEXT_YOU_CAN_HELP_LOGFILE="Vous pouvez aider en envoyant votre fichier journal"
TEXT_UPDATE_AVAILABLE="Mise à jour disponible"
STATUS_DISABLED="DÉSACTIVÉ"
STATUS_ENABLED="ACTIVÉ"
STATUS_ERROR="ERREUR"
ERROR_NO_LICENSE="Pas de clé de licence configurée"
ERROR_NO_UPLOAD_SERVER="Pas de serveur de transfert configuré"

10
db/software-eol.db
View File

@ -113,6 +113,16 @@ os:macOS Catalina \(10.15.4\):2020-05-26:1590444000:
os:macOS Catalina \(10.15.5\):2020-07-15:1594764000:
os:macOS Catalina \(10.15.6\)::-1:
#
# Mageia - https://www.mageia.org/en/support/
#
os:Mageia 1:2012-12-01:1354316400
os:Mageia 2:2013-11-22:1385074800
os:Mageia 3:2014-11-26:1416956400
os:Mageia 4:2015-09-19:1442613600
os:Mageia 5:2017-12-31:1514674800
os:Mageia 6:2019-09-30:1569794400
os:Mageia 7:2020-12-30:1609282800
#
# NetBSD - https://www.netbsd.org/support/security/release.html and
# https://www.netbsd.org/releases/formal.html
#

13
include/consts
View File

@ -58,6 +58,7 @@ ETC_PATHS="/etc /usr/local/etc"
APPLICATION_FIREWALL_ACTIVE=0
BINARY_SCAN_FINISHED=0
BLKIDBINARY=""
BOOTCTLBINARY=""
CAT_BINARY=""
CFAGENTBINARY=""
CHECK=0
@ -81,6 +82,7 @@ ETC_PATHS="/etc /usr/local/etc"
CONTROL_URL_PROTOCOL=""
CONTAINER_TYPE=""
CREATE_REPORT_FILE=1
CRYPTSETUPBINARY=""
CSUMBINARY=""
CURRENT_TS=0
CUSTOM_URL_APPEND=""
@ -99,12 +101,14 @@ ETC_PATHS="/etc /usr/local/etc"
DISCOVERED_BINARIES=""
DMIDECODEBINARY=""
DNFBINARY=""
DNSDOMAINNAMEBINARY=""
DOCKERBINARY=""
DOCKER_DAEMON_RUNNING=0
DPKGBINARY=""
ECHOCMD=""
ERROR_ON_WARNINGS=0
EQUERYBINARY=""
EVMCTLBINARY=""
EXIMBINARY=""
FAIL2BANBINARY=""
FILEBINARY=""
@ -130,6 +134,7 @@ ETC_PATHS="/etc /usr/local/etc"
HTTPDBINARY=""
IDS_IPS_TOOL_FOUND=0
IFCONFIGBINARY=""
INTEGRITYSETUPBINARY=""
IPBINARY=""
IPFBINARY=""
IPTABLESBINARY=""
@ -148,6 +153,7 @@ ETC_PATHS="/etc /usr/local/etc"
LOGDIR=""
LOGROTATEBINARY=""
LOGTEXT=1
LSBLKBINARY=""
LSMODBINARY=""
LSOFBINARY=""
LSOF_EXTRA_OPTIONS=""
@ -191,6 +197,7 @@ ETC_PATHS="/etc /usr/local/etc"
NGINX_RETURN_FOUND=0
NGINX_ROOT_FOUND=0
NGINX_WEAK_SSL_PROTOCOL_FOUND=0
NTPCTLBINARY=""
NTPD_ROLE=""
NTPQBINARY=""
OPENSSLBINARY=""
@ -204,6 +211,7 @@ ETC_PATHS="/etc /usr/local/etc"
OS_REDHAT_OR_CLONE=0
OSIRISBINARY=""
PACMANBINARY=""
PAM_PASSWORD_PWHISTORY_AMOUNT=""
PASSWORD_MAXIMUM_DAYS=-1
PASSWORD_MINIMUM_DAYS=-1
PAM_2F_AUTH_ENABLED=0
@ -238,6 +246,7 @@ ETC_PATHS="/etc /usr/local/etc"
REFRESH_REPOSITORIES=1
REMOTE_LOGGING_ENABLED=0
RESOLV_DOMAINNAME=""
RESOLVECTLBINARY=""
RKHUNTERBINARY=""
ROOTDIR="/"
ROOTSHBINARY=""
@ -276,6 +285,7 @@ ETC_PATHS="/etc /usr/local/etc"
SLOW_TEST_THRESHOLD=10
SMTPCTLBINARY=""
SNORTBINARY=""
SSBINARY=""
SSHKEYSCANBINARY=""
SSHKEYSCANFOUND=0
SSL_CERTIFICATE_INCLUDE_PACKAGES=0
@ -285,6 +295,7 @@ ETC_PATHS="/etc /usr/local/etc"
SWUPDBINARY=""
SYSLOGNGBINARY=""
SYSTEMCTLBINARY=""
SYSTEMDANALYZEBINARY=""
SYSTEM_IS_NOTEBOOK=255
TEMP_FILE=""
TEMP_FILES=""
@ -294,6 +305,7 @@ ETC_PATHS="/etc /usr/local/etc"
TEST_GROUP_TO_CHECK="all"
TESTS_EXECUTED=""
TESTS_SKIPPED=""
TIMEDATECTL=""
TMPFILE=""
TOMOYOINITBINARY=""
TOOLTIP_SHOWED=0
@ -319,6 +331,7 @@ ETC_PATHS="/etc /usr/local/etc"
USBGUARD_ROOT=""
VALUE=""
VERBOSE=0
VERITYSETUPBINARY=""
VGDISPLAYBINARY=""
VMTYPE=""
VULNERABLE_PACKAGES_FOUND=0

50
include/osdetection
View File

@ -173,6 +173,12 @@
OS_REDHAT_OR_CLONE=1
OS_VERSION="Rolling release"
;;
"cloudlinux")
LINUX_VERSION="CloudLinux"
OS_NAME="CloudLinux"
OS_REDHAT_OR_CLONE=1
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"coreos")
LINUX_VERSION="CoreOS"
OS_NAME="CoreOS Linux"
@ -190,6 +196,12 @@
OS_REDHAT_OR_CLONE=1
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"flatcar")
LINUX_VERSION="Flatcar"
LINUX_VERSION_LIKE="CoreOS"
OS_NAME="Flatcar Linux"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"gentoo")
LINUX_VERSION="Gentoo"
OS_NAME="Gentoo Linux"
@ -206,6 +218,12 @@
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"mageia")
LINUX_VERSION="Mageia"
OS_NAME="Mageia"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"manjaro")
LINUX_VERSION="Manjaro"
OS_FULLNAME="Manjaro Linux"
@ -249,24 +267,47 @@
;;
"rhel")
LINUX_VERSION="RHEL"
OS_NAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_NAME="RHEL"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_FULLNAME="${OS_NAME} ${OS_VERSION_FULL}"
OS_REDHAT_OR_CLONE=1
;;
"rosa")
LINUX_VERSION="ROSA Linux"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_NAME="ROSA Linux"
;;
"slackware")
LINUX_VERSION="Slackware"
OS_NAME="Slackware Linux"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"sles")
LINUX_VERSION="SLES"
OS_NAME="openSUSE"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"ubuntu")
LINUX_VERSION="Ubuntu"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_NAME="Ubuntu"
;;
"void")
LINUX_VERSION="Void Linux"
OS_VERSION="Rolling release"
OS_NAME="Void Linux"
;;
"zorin")
LINUX_VERSION="Zorin OS"
OS_NAME="Zorin OS"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
*)
ReportException "OS Detection" "Unknown OS found in /etc/os-release - Please create issue on GitHub project page: ${PROGRAM_SOURCE}"
;;
@ -378,13 +419,6 @@
LINUX_VERSION="Fedora"
fi
# Mageia (has also /etc/megaia-release)
FIND=$(grep "Mageia" /etc/redhat-release)
if [ ! "${FIND}" = "" ]; then
OS_FULLNAME=$(grep "^Mageia" /etc/redhat-release)
OS_VERSION=$(grep "^Mageia" /etc/redhat-release | awk '{ if ($2=="release") { print $3 } }')
LINUX_VERSION="Mageia"
fi
# Oracle Enterprise Linux
FIND=$(grep "Enterprise Linux Enterprise Linux Server" /etc/redhat-release)

26
include/tests_crypto
View File

@ -21,6 +21,10 @@
# Cryptography
#
#################################################################################
#
RNG_FOUND=0
#
#################################################################################
#
InsertSection "Cryptography"
#
@ -188,20 +192,28 @@
if [ ${SKIPTEST} -eq 0 ]; then
ENCRYPTED_SWAPS=0
UNENCRYPTED_SWAPS=0
SWAPS=$(${SWAPONBINARY} --show=NAME --noheadings)
# Redirect errors, as RHEL 5/6 and others don't have the --show option
SWAPS=$(${SWAPONBINARY} --show=NAME --noheadings 2> /dev/null)
if [ $? -eq 0 ]; then
for BLOCK_DEV in ${SWAPS}; do
if ${CRYPTSETUPBINARY} isLuks "${BLOCK_DEV}" 2> /dev/null; then
LogText "Result: Found LUKS encrypted swap device: ${BLOCK_DEV}"
ENCRYPTED_SWAPS=$((ENCRYPTED_SWAPS +1))
ENCRYPTED_SWAPS=$((ENCRYPTED_SWAPS + 1))
Report "encrypted_swap[]=${BLOCK_DEV},LUKS"
elif ${CRYPTSETUPBINARY} status "${BLOCK_DEV}" 2> /dev/null | ${GREPBINARY} --quiet "cipher:"; then
LogText "Result: Found non-LUKS encrypted swap device: ${BLOCK_DEV}"
ENCRYPTED_SWAPS=$((ENCRYPTED_SWAPS +1))
ENCRYPTED_SWAPS=$((ENCRYPTED_SWAPS + 1))
Report "encrypted_swap[]=${BLOCK_DEV},other"
else
LogText "Result: Found unencrypted swap device: ${BLOCK_DEV}"
UNENCRYPTED_SWAPS=$((UNENCRYPTED_SWAPS +1))
Report "non_encrypted_swap[]=${BLOCK_DEV}"
fi
done
Display --indent 2 --text "- Found ${ENCRYPTED_SWAPS} encrypted and ${UNENCRYPTED_SWAPS} unencrypted swap devices in use." --result OK --color WHITE
else
LogText "Result: skipping testing as swapon returned an error."
fi
fi
#
#################################################################################
@ -239,6 +251,7 @@
if IsRunning "rngd"; then
Display --indent 2 --text "- HW RNG & rngd" --result "${STATUS_YES}" --color GREEN
LogText "Result: rngd is running"
RNG_FOUND=1
else
Display --indent 2 --text "- HW RNG & rngd" --result "${STATUS_NO}" --color YELLOW
# TODO - enable suggestion when website has listing for this control
@ -270,14 +283,19 @@
done
if [ -z "${FOUND}" ]; then
Display --indent 2 --text "- SW prng" --result "${STATUS_NO}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Utilize software pseudo random number generators"
# ReportSuggestion "${TEST_NO}" "Utilize software pseudo random number generators"
else
RNG_FOUND=1
Display --indent 2 --text "- SW prng" --result "${STATUS_YES}" --color GREEN
LogText "Result: found ${FOUND} running"
fi
fi
#
#################################################################################
#
Report "rng_found=${RNG_FOUND}"
#
#################################################################################
#
WaitForKeyPress

12
include/tests_kernel
View File

@ -680,8 +680,19 @@
elif [ -f "${FOUND_VMLINUZ}" ]; then
VERSION_ON_DISK=$(echo ${FOUND_VMLINUZ} | ${SEDBINARY} 's#^/boot/##' | ${SEDBINARY} 's/^vmlinuz-//')
LogText "Result: version derived from file name is '${VERSION_ON_DISK}'"
fi
# Data check: perform reset if we found a version but looks incomplete
# Example: Arch Linux will return only 'linux' as its version after it discovered /boot/vmlinuz-linux
case ${VERSION_ON_DISK} in
"linux" | "linux-lts")
LogText "Result: reset of version (${VERSION_ON_DISK}) as it looks incomplete"
VERSION_ON_DISK=""
;;
esac
# If we did not find the version yet, see if we can extract it from the magic data that 'file' returns
if [ -z "${VERSION_ON_DISK}" ]; then
LogText "Test: checking kernel version on disk"
NEXTLINE=0
@ -697,6 +708,7 @@
done
fi
# Last check if we finally got a version or not
if [ -z "${VERSION_ON_DISK}" ]; then
LogText "Result: could not find the version on disk"
ReportException "${TEST_NO}:4" "Could not find the kernel version"

16
include/tests_ports_packages
View File

@ -1289,7 +1289,7 @@
KERNELS=$(${ZYPPERBINARY} --non-interactive -n se --type package --match-exact --installed-only "kernel-default" 2> /dev/null | ${GREPBINARY} "kernel-default" | ${WCBINARY} -l)
if [ ${KERNELS} -eq 0 ]; then
LogText "Result: found no kernels from zypper output, which is unexpected."
ReportException "KRNL-5840:3" "Could not find any kernel packages via package manager. Maybe using a different kernel package?"
ReportException "${TEST_NO}" "Could not find any kernel packages via package manager. Maybe using a different kernel package?"
elif [ ${KERNELS} -gt 3 ]; then
LogText "Result: found more than 5 kernel packages on the system, which might indicate lack of regular cleanups"
ReportSuggestion "${TEST_NO}" "Remove any unneeded kernel packages"
@ -1299,7 +1299,19 @@
fi
if [ ${KERNELS} -eq 0 -a ${TESTED} -eq 1 ]; then
ReportException "KRNL-5840:1" "Could not find any kernel packages via package manager"
# Only report exception if there are kernels actually there. For example, LXC use the kernel of host system
case "${OS}" in
"Linux")
if [ -d "${ROOTDIR}boot" ]; then
if [ -z "$(${FINDBINARY} /boot -maxdepth 1 -type f -name 'vmlinuz*' -print -quit)" ]; then
ReportException "${TEST_NO}" "Could not find any kernel packages via package manager"
fi
fi
;;
*)
ReportException "${TEST_NO}" "Could not find any kernel packages via package manager"
;;
esac
fi
Report "installed_kernel_packages=${KERNELS}"

6
lynis
View File

@ -43,10 +43,10 @@
PROGRAM_WEBSITE="https://cisofy.com/lynis/"
# Version details
PROGRAM_RELEASE_DATE="2020-06-26"
PROGRAM_RELEASE_TIMESTAMP=1593159916
PROGRAM_RELEASE_DATE="2020-10-05"
PROGRAM_RELEASE_TIMESTAMP=1601896929
PROGRAM_RELEASE_TYPE="pre-release" # pre-release or release
PROGRAM_VERSION="3.0.1"
PROGRAM_VERSION="3.0.2"
# Source, documentation and license
PROGRAM_SOURCE="https://github.com/CISOfy/lynis"