[LOGG-2154] Check for remote syslogging, more in-depth testing

CHANGELOG

@@ -17,141 +17,152 @@
 
 ================================================================================
 
-    =  Lynis 2.1.x (2.2.0 release in development)  =
+=  Lynis 2.1.6 (development version for 2.2.x)  =
 
-    This is an major release, which includes both new features and enhancements to existing tests.
+*** THIS CHANGELOG IS IN PREPARATION FOR THE NEW 2.2.0 RELEASE ***
 
-    * Automation tools
+We are proud to present this new release of Lynis. It is a major upgrade, and the
-    ------------------
+result of many months of work. This version includes new features and tests, and
-    CFEngine detection has been further extended. Additional logging and reporting of automation tools.
+many small enhancements, to improve the tool. We encourage all to test and
+upgrade to this latest release.
 
-    * Authentication
+* Automation tools
-    ----------------
+------------------
-    Depending on the operating system, Lynis now tries to determine if failed logins are properly logged. This includes
+CFEngine detection has been further extended. Additional logging and reporting of automation tools.
-    checking for /etc/login.defs [AUTH-9408]. Merged password check on Solaris into AUTH-9228.
 
-    New plugin is introduced to analyze PAM settings. It including items like:
+* Authentication
-    - Two-factor authentication methods
+----------------
-    - Minimum password length, password strength and protection status against brute force cracking
+Depending on the operating system, Lynis now tries to determine if failed logins are properly logged. This includes
-    - Password history
+checking for /etc/login.defs [AUTH-9408]. Merged previous password check for Solaris into test AUTH-9228.
+New plugin is introduced to analyze PAM settings. It including items like:
 
-    Report option: auth_failed_logins_logged
+- Two-factor authentication methods
+- Minimum password length, password strength and protection status against brute force cracking
+- Password history
 
-    * Compliance
+Report option: auth_failed_logins_logged
-    ------------
-    Added new compliance_standards option to default.prf. This defines if compliance testing should be performed in future, and for which standards.
 
-    Right now these standards can be selected:
+* Compliance
-    - CIS benchmarks
+------------
-    - HIPAA
+This release prepares for upcoming extensions to assist with compliance testing. The profile has a new option, which can b
-    - ISO27001/ISO27002
+Added new compliance_standards option to default.prf. This defines if compliance testing should be performed in future, and for which standards.
-    - PCI DSS
 
-    * DNS and Name services
+Right now these standards can be selected:
-    -----------------------
+- CIS benchmarks
-    Support added for Unbound DNS caching tool [NAME-4034]
+- HIPAA
-    Configuration check for Unbound [NAME-4036]
+- ISO27001/ISO27002
-    Record if a name caching utility is being used like nscd or Unbound. Also logging to report as field name_cache_used
+- PCI DSS
 
-    * Firewalls
+* DNS and Name services
-    -----------
+-----------------------
-    Test for IPFW firewall on FreeBSD has been improved and status of pflogd will no longer be displayed on screen when pf is not available.
+Support added for Unbound DNS caching tool [NAME-4034]
-    New test FIRE-4532 now supports detection of the Mac OS X application firewall. Also the status of application firewalls is audited now.
+Configuration check for Unbound [NAME-4036]
+Record if a name caching utility is being used like nscd or Unbound. Also logging to report as field name_cache_used
 
-    * Hardware
+* Firewalls
-    ----------
+-----------
-    Detection of firewire is enhanced (both ohci and core detected).
+Test for IPFW firewall on FreeBSD has been improved and status of pflogd will no longer be displayed on screen when pf is not available.
+New test FIRE-4532 now supports detection of the Mac OS X application firewall. Also the status of application firewalls is audited now.
 
-    * Malware
+* Hardware
-    ---------
+----------
-    ESET and LMD (Linux Malware Detect) are recognized as a malware scanner. Discovered malware scanners are also logged to the report.
+Detection of firewire is enhanced (both ohci and core detected).
 
-    * Mount points
+* Malware
-    --------------
+---------
-    FILE-6374 is expanded to test for multiple common mount points and define best practice mount flags.
+ESET and LMD (Linux Malware Detect) are recognized as a malware scanner. Discovered malware scanners are also logged to the report.
 
-    * Networking
+* Mount points
-    ------------
+--------------
-    NETW-3004 now collects network interface names from most common operating systems.
+FILE-6374 is expanded to test for multiple common mount points and define best practice mount flags.
 
-    * Operating systems
+* Networking
-    -------------------
+------------
-    Improved support for Debian 8 systems. Detection for VMware release has been added.
+NETW-3004 now collects network interface names from most common operating systems.
-    Boot loader exception is not longer displayed when only a subset of tests is performed.
-    FreeBSD systems can now use service command to gather information about enabled services.
 
-    Support for boot loader detection on Mac OS X
+* Operating systems
+-------------------
+Improved support for Debian 8 systems. Detection for VMware release has been added.
+Boot loader exception is not longer displayed when only a subset of tests is performed.
+FreeBSD systems can now use service command to gather information about enabled services.
 
-    * Passwords
+Support for boot loader detection on Mac OS X
-    -----------
-    AUTH-9286 change has been extended to both capture minimum and password age.
 
-    * Software
+* Passwords
-    ----------
+-----------
-    Log when vulnerable software packages were found
+AUTH-9286 change has been extended to both capture minimum and password age.
 
-    * SSH
+* Software and Packages
-    -----
+-----------------------
-    Multiple configuration tests of SSH are now merged into SSH-7408. This enables easier testing later on and reduces repetition.
+Log when vulnerable software packages were found
 
-    Special thanks to: Kamil Boratyński
+* SSH
+-----
+Multiple configuration tests of SSH are now merged into SSH-7408. This enables easier testing later on and reduces repetition.
 
-    * UEFI and Secure Boot
+* UEFI and Secure Boot
-    ----------------------
+----------------------
-    Initial support to test UEFI settings, including Secure Boot option
+Initial support to test UEFI settings, including Secure Boot option
-    Options boot_uefi_booted and boot_uefi_booted_secure added to report file
+Options boot_uefi_booted and boot_uefi_booted_secure added to report file
 
-    * Virtual machines and Containers
+* Virtual machines and Containers
-    ---------------------------------
+---------------------------------
-    Detection of virtual machines has been extended in several ways. Now VMware tools (vmtoolsd) are detected and machine state is improved with tools
+Detection of virtual machines has been extended in several ways. Now VMware tools (vmtoolsd) are detected and machine state is improved with tools
-    like Puppet Facter, dmidecode, and lscpu. Properly detect Docker on CoreOS systems, where it before gave error as it found directory /usr/libexec/docker.
+like Puppet Facter, dmidecode, and lscpu. Properly detect Docker on CoreOS systems, where it before gave error as it found directory /usr/libexec/docker.
-    Check file permissions for Docker files, like socket file [CONT-8108]
+Check file permissions for Docker files, like socket file [CONT-8108]
 
-    * Individual tests
+* Individual tests
-    ------------------
+------------------
-    [AUTH-9204] Exclude NIS entries to avoid false positives
+[AUTH-9204] Exclude NIS entries to avoid false positives
-    [AUTH-9230] Removed test as it was merged into AUTH-9228
+[AUTH-9230] Removed test as it was merged into AUTH-9228
-    [AUTH-9328] Show correct message when no umask is found in /etc/profile. It also includes improved logging, and support for /etc/login.conf on systems like FreeBSD.
+[AUTH-9288] Test for expired passwords
-    [BOOT-5106] New test to test boot loader on Mac OS X
+[AUTH-9328] Show correct message when no umask is found in /etc/profile. It also includes improved logging, and support for /etc/login.conf on systems like FreeBSD.
-    [BOOT-5180] Only gets executed if runlevel 2 is found
+[BOOT-5106] New test to test boot loader on Mac OS X
-    [CONT-8108] New test to test for Docker file permissions
+[BOOT-5180] Only gets executed if runlevel 2 is found
-    [FILE-6410] Added /var/lib/locatedb as search path
+[CONT-8108] New test to test for Docker file permissions
-    [HOME-9310] Use POSIX compatible flags to avoid errors on BusyBox
+[FILE-6410] Added /var/lib/locatedb as search path
-    [PKGS-7308] Split package name and version for RPM based package manager
+[HOME-9310] Use POSIX compatible flags to avoid errors on BusyBox
-    [MALW-3278] New test to detect LMD (Linux Malware Detect)
+[PKGS-7308] Split package name and version for RPM based package manager
-    [SHLL-6230] Test for umask values in shell configuration files (e.g. rc files)
+[MALW-3278] New test to detect LMD (Linux Malware Detect)
-    [TIME-3104] Show only suggestion on FreeBSD systems if ntpdate is configured, yet ntpd isn't running
+[SHLL-6230] Test for umask values in shell configuration files (e.g. rc files)
+[TIME-3104] Show only suggestion on FreeBSD systems if ntpdate is configured, yet ntpd isn't running
+[TIME-3170] New test to check NTP configuration files and determine if any of them are world writable
 
-    * Functions
+* Functions
-    -----------
+-----------
-    [DigitsOnly]             New function to extract only numbers from a text string
+[DigitsOnly]             New function to extract only numbers from a text string
-    [DisplayManual]          New function to show text on screen without any markup
+[DisplayManual]          New function to show text on screen without any markup
-    [ExitCustom]             New function to allow program to exit with a different exit code, depending on outcome
+[ExitCustom]             New function to allow program to exit with a different exit code, depending on outcome
-    [GetHostID]              If no MAC address is found, use SSH keys for creation of a host identifier
+[GetHostID]              If no MAC address is found, use SSH keys for creation of a host identifier
-    [IsWordWritable]         Changed return codes for easier usage of the function
+[IsWordWritable]         Changed return codes for easier usage of the function
-    [LogText]                Replaces the older logtext function
+[LogText]                Replaces the older logtext function
-    [Report]                 Replaces the older report function
+[RandomString]           Creates a random string of characters
-    [ReportSuggestion]       Allows two additional parameters to store details (text and external reference to a solution)
+[Report]                 Replaces the older report function
-    [ReportWarning]          Like ReportSuggestion() has additional parameters
+[ReportSuggestion]       Allows two additional parameters to store details (text and external reference to a solution)
-    [ShowComplianceFinding]  Display compliance findings
+[ReportWarning]          Like ReportSuggestion() has additional parameters
-    [ShowSymlinkPath]        Ensure readlink is available
+[ShowComplianceFinding]  Display compliance findings
+[ShowSymlinkPath]        Ensure readlink is available
 
-    * General improvements
+* General improvements
-    ----------------------
+----------------------
-    - When using pentest mode, it will continue without any delays (=quick mode).
+- When using pentest mode, it will continue without any delays (=quick mode).
-    - Data uploads: provide help when self-signed certificates are used.
+- Data uploads: provide help when self-signed certificates are used.
-    - Improved output for tests which before showed results as a warning, while actually are just suggestions.
+- Improved output for tests which before showed results as a warning, while actually are just suggestions.
-    - Lynis now uses different exit codes, depending on errors or finding warnings. This helps with automation and any custom scripting you want to apply.
+- Lynis now uses different exit codes, depending on errors or finding warnings. This helps with automation and any custom scripting you want to apply.
-    - Preparations to allow compressing the Lynis report file and enhance uploads.
+- Preparations to allow compressing the Lynis report file and enhance uploads.
-    - Tool tips are displayed, to make Lynis even easier to use.
+- Tool tips are displayed, to make Lynis even easier to use.
-    - PID file has additional checks, including cleanups.
+- PID file has additional checks, including cleanups.
 
-    * Plugins
+* Special thanks
-    ---------
+----------------
-    [PAM]       New plugin available in all versions of Lynis
+We like to specifically thank Kamil Boratyński for his contributions to this release.
-    [PLGN-2804] Limit report output of EXT file systems to 1 item per line
 
-  --------------------------------------------------------------
+* Plugins
+---------
+[PAM]       New plugin available in all versions of Lynis
+[PLGN-2804] Limit report output of EXT file systems to 1 item per line
+
+--------------------------------------------------------------
 
     =  Lynis 2.1.1 (2015-07-22)  =
 

include/consts

@@ -130,6 +130,7 @@ unset LANG
     PRIVILEGED=0
     PROFILEVALUE=""
     PSBINARY="ps"
+    REMOTE_LOGGING_ENABLED=0
     RKHUNTERBINARY=""
     RPMBINARY=""
     RUN_HELPERS=0

include/tests_logging

@@ -346,13 +346,26 @@
             FIND=`egrep "@[a-zA-Z0-9]|destination\s.+(udp|tcp).+\sport" ${SYSLOGD_CONF} | grep -v "^#" | grep -v "[a-zA-Z0-9]@"`
             if [ ! "${FIND}" = "" ]; then
                 LogText "Result: remote logging enabled"
-                AddHP 5 5
+                REMOTE_LOGGING_ENABLED=1
-                Display --indent 2 --text "- Checking remote logging" --result ENABLED --color GREEN
+            else
-              else
+                # Search for configured destinations with an IP address or hostname, then determine which ones are used as a log destination
+                DESTINATIONS=`grep "^destination" ${SYSLOGD_CONF} | egrep "(udp|tcp)" | grep "port" | awk '{print $2}'`
+                for DESTINATION in ${DESTINATIONS}; do
+                    FIND2=`grep "log" | grep "source" | egrep "destination\(${DESTINATION}\)"`
+                    if [ ! "${FIND2}" = "" ]; then
+                        LogText "Result: found destination ${DESTINATION} configured for remote logging"
+                        REMOTE_LOGGING_ENABLED=1
+                    fi
+                done
+            fi
+            if [ ${REMOTE_LOGGING_ENABLED} -eq 0 ]; then
                 LogText "Result: no remote logging found"
                 ReportSuggestion ${TEST_NO} "Enable logging to an external logging host for archiving purposes and additional protection"
                 AddHP 1 3
                 Display --indent 2 --text "- Checking remote logging" --result "NOT ENABLED" --color YELLOW
+              else
+                AddHP 5 5
+                Display --indent 2 --text "- Checking remote logging" --result ENABLED --color GREEN
             fi
           else
             LogText "Result: test skipped, file ${SYSLOGD_CONF} not found"