Merge branch 'master' into fix_nginx_parser

Michael Boelen 2020-10-22 08:43:44 +02:00 committed by GitHub
commit 7930644b6c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
47 changed files with 366 additions and 97 deletions


@ -1,9 +1,30 @@
# Lynis Changelog # Lynis Changelog
## Lynis 3.0.1 (not released yet) ## Lynis 3.0.2 (not released yet)
### Added
- Detection of Flatcar, Mageia, ROSA Linux, SLES (extended), Void Linux, Zorin OS
- macOS and Mageia EOL dates
### Changed
- KRNL-5830 - Improved reboot test by ignoring known bad values
- KRNL-5830 - Ignore rescue kernel such as on CentOS systems
- PKGS-7410 - Don't show exception if no kernels were found on the disk
- TIME-3185 - Supports now checking files at multiple locations (systemd)
- ParseNginx function: Support include on absolute paths
- ParseNginx function: Ignore empty included wildcards
- Set 'RHEL' as OS_NAME for Red Hat Enterprise Linux
- Test if pgrep exists before using it
- French translation improved
- Small code enhancements
---------------------------------------------------------------------------------
## Lynis 3.0.1 (2020-10-05)
### Added ### Added
- Detection of Alpine Linux - Detection of Alpine Linux
- Detection of CloudLinux
- Detection of Kali Linux - Detection of Kali Linux
- Detection of Linux Mint - Detection of Linux Mint
- Detection of macOS Big Sur (11.0) - Detection of macOS Big Sur (11.0)
@ -18,6 +39,7 @@
- AUTH-9229 - Added option for LOCKED accounts and bugfix for older bash versions - AUTH-9229 - Added option for LOCKED accounts and bugfix for older bash versions
- BOOT-5122 - Presence check for grub.d added - BOOT-5122 - Presence check for grub.d added
- CRYP-7902 - Added support for certificates in DER format - CRYP-7902 - Added support for certificates in DER format
- CRYP-7931 - Added data to report
- CRYP-7931 - Redirect errors (e.g. when swap is not encrypted) - CRYP-7931 - Redirect errors (e.g. when swap is not encrypted)
- FILE-6430 - Don't grep nonexistant modprobe.d files - FILE-6430 - Don't grep nonexistant modprobe.d files
- FIRE-4535 - Set initial firewall state - FIRE-4535 - Set initial firewall state


@ -14,12 +14,55 @@ NOTE_EXCEPTIONS_FOUND="Exceptions found"
NOTE_EXCEPTIONS_FOUND_DETAILED="Some exceptional events or information was found" NOTE_EXCEPTIONS_FOUND_DETAILED="Some exceptional events or information was found"
NOTE_PLUGINS_TAKE_TIME="Note: plugins have more extensive tests and may take several minutes to complete" NOTE_PLUGINS_TAKE_TIME="Note: plugins have more extensive tests and may take several minutes to complete"
NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Skipped tests due to non-privileged mode" NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Skipped tests due to non-privileged mode"
SECTION_ACCOUNTING="Accounting"
SECTION_BANNERS_AND_IDENTIFICATION="Banners and identification"
SECTION_BASICS="Basics"
SECTION_BOOT_AND_SERVICES="Boot and services"
SECTION_CONTAINERS="Containers"
SECTION_CRYPTOGRAPHY="Cryptography"
SECTION_CUSTOM_TESTS="Custom tests" SECTION_CUSTOM_TESTS="Custom tests"
SECTION_DATA_UPLOAD="Data upload" SECTION_DATA_UPLOAD="Data upload"
SECTION_DATABASES="Databases"
SECTION_DOWNLOADS="Downloads"
SECTION_EMAIL_AND_MESSAGING="Software: e-mail and messaging"
SECTION_FILE_INTEGRITY="Software: file integrity"
SECTION_FILE_PERMISSIONS="File Permissions"
SECTION_FILE_SYSTEMS="File systems"
SECTION_FIREWALLS="Software: firewalls"
SECTION_GENERAL="General"
SECTION_HARDENING="Hardening"
SECTION_HOME_DIRECTORIES="Home directories"
SECTION_IMAGE="Image"
SECTION_INITIALIZING_PROGRAM="Initializing program" SECTION_INITIALIZING_PROGRAM="Initializing program"
SECTION_MALWARE="Malware" SECTION_INSECURE_SERVICES="Insecure services"
SECTION_KERNEL="Kernel"
SECTION_KERNEL_HARDENING="Kernel Hardening"
SECTION_LDAP_SERVICES="LDAP Services"
SECTION_LOGGING_AND_FILES="Logging and files"
SECTION_MALWARE="Software: Malware"
SECTION_MEMORY_AND_PROCESSES="Memory and Processes" SECTION_MEMORY_AND_PROCESSES="Memory and Processes"
SECTION_NAME_SERVICES="Name services"
SECTION_NETWORKING="Networking"
SECTION_PERMISSIONS="Permissions"
SECTION_PORTS_AND_PACKAGES="Ports and packages"
SECTION_PRINTERS_AND_SPOOLS="Printers and Spools"
SECTION_PROGRAM_DETAILS="Program Details"
SECTION_SCHEDULED_TASKS="Scheduled tasks"
SECTION_SECURITY_FRAMEWORKS="Security frameworks"
SECTION_SHELLS="Shells"
SECTION_SNMP_SUPPORT="SNMP Support"
SECTION_SOFTWARE="Software"
SECTION_SQUID_SUPPORT="Squid Support"
SECTION_SSH_SUPPORT="SSH Support"
SECTION_STORAGE="Storage"
SECTION_SYSTEM_INTEGRITY="Software: System integrity"
SECTION_SYSTEM_TOOLING="Software: System tooling"
SECTION_SYSTEM_TOOLS="System tools" SECTION_SYSTEM_TOOLS="System tools"
SECTION_TIME_AND_SYNCHRONIZATION="Time and Synchronization"
SECTION_USB_DEVICES="USB Devices"
SECTION_USERS_GROUPS_AND_AUTHENTICATION="Users, Groups and Authentication"
SECTION_VIRTUALIZATION="Virtualization"
SECTION_WEBSERVER="Software: webserver"
STATUS_DISABLED="DISABLED" STATUS_DISABLED="DISABLED"
STATUS_DONE="DONE" STATUS_DONE="DONE"
STATUS_ENABLED="ENABLED" STATUS_ENABLED="ENABLED"


@ -1,38 +1,88 @@
ERROR_NO_LICENSE="Pas de clé de licence configurée"
ERROR_NO_UPLOAD_SERVER="Pas de serveur de transfert configuré"
GEN_CHECKING="Vérification" GEN_CHECKING="Vérification"
GEN_CURRENT_VERSION="Version actuelle" GEN_CURRENT_VERSION="Version actuelle"
GEN_DEBUG_MODE="mode debug" GEN_DEBUG_MODE="mode débug"
GEN_INITIALIZE_PROGRAM="Initialisation" GEN_INITIALIZE_PROGRAM="Initialisation"
GEN_LATEST_VERSION="Dernière version"
GEN_PHASE="phase" GEN_PHASE="phase"
GEN_PLUGINS_ENABLED="Plugins activés" GEN_PLUGINS_ENABLED="Plugins activés"
GEN_VERBOSE_MODE="mode verbeux"
GEN_UPDATE_AVAILABLE="mise à jour disponible" GEN_UPDATE_AVAILABLE="mise à jour disponible"
GEN_VERBOSE_MODE="mode verbeux"
GEN_WHAT_TO_DO="Que faire" GEN_WHAT_TO_DO="Que faire"
NOTE_EXCEPTIONS_FOUND="Exceptions trouvées" NOTE_EXCEPTIONS_FOUND="Exceptions trouvées"
NOTE_EXCEPTIONS_FOUND_DETAILED="Des événements ou informations exceptionnels ont été trouvés" NOTE_EXCEPTIONS_FOUND_DETAILED="Des événements ou informations exceptionnels ont été trouvés"
NOTE_PLUGINS_TAKE_TIME="Note: les plugins ont des tests plus poussés et peuvent prendre plusieurs minutes" NOTE_PLUGINS_TAKE_TIME="Note : Les plugins ont des tests plus poussés qui peuvent prendre plusieurs minutes"
NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Tests ignorés faute de privilèges" NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Tests ignorés faute de privilèges"
SECTION_CUSTOM_TESTS="Tests Personnalisés" SECTION_ACCOUNTING="Comptes"
SECTION_MALWARE="Malware" SECTION_BANNERS_AND_IDENTIFICATION="Bannières et identification"
SECTION_MEMORY_AND_PROCESSES="Mémoire et Processus" SECTION_BASICS="Basics"
SECTION_BOOT_AND_SERVICES="Démarrage et services"
SECTION_CONTAINERS="Conteneurs"
SECTION_CRYPTOGRAPHY="Cryptographie"
SECTION_CUSTOM_TESTS="Tests personnalisés"
SECTION_DATA_UPLOAD="Téléchargement de données"
SECTION_DATABASES="Bases de données"
SECTION_DOWNLOADS="Téléchargements"
SECTION_EMAIL_AND_MESSAGING="Logiciel : Email et messagerie"
SECTION_FILE_INTEGRITY="Logiciel : Intégrité de fichier"
SECTION_FILE_PERMISSIONS="Permissions de fichier"
SECTION_FILE_SYSTEMS="Systèmes de fichier"
SECTION_FIREWALLS="Logiciel : Pare-feux"
SECTION_GENERAL="Général"
SECTION_HARDENING="Hardening"
SECTION_HOME_DIRECTORIES="Home directories"
SECTION_IMAGE="Image"
SECTION_INITIALIZING_PROGRAM="Initialisation du programme"
SECTION_INSECURE_SERVICES="Services non sécurisés"
SECTION_KERNEL="Noyau"
SECTION_KERNEL_HARDENING="Kernel Hardening"
SECTION_LDAP_SERVICES="Services LDAP"
SECTION_LOGGING_AND_FILES="Journalisation et fichiers"
SECTION_MALWARE="Logiciel : Malware"
SECTION_MEMORY_AND_PROCESSES="Mémoire et processus"
SECTION_NAME_SERVICES="Services de noms"
SECTION_NETWORKING="Mise en réseau"
SECTION_PERMISSIONS="Permissions"
SECTION_PORTS_AND_PACKAGES="Ports et packages"
SECTION_PRINTERS_AND_SPOOLS="Imprimantes et serveurs d'impression"
SECTION_PROGRAM_DETAILS="Détails du programme"
SECTION_SCHEDULED_TASKS="Tâches planifiées"
SECTION_SECURITY_FRAMEWORKS="Security frameworks"
SECTION_SHELLS="Shells"
SECTION_SNMP_SUPPORT="Prise en charge SNMP"
SECTION_SOFTWARE="Logiciel"
SECTION_SQUID_SUPPORT="Prise en charge Squid"
SECTION_SSH_SUPPORT="Prise en charge SSH"
SECTION_STORAGE="Stockage"
SECTION_SYSTEM_INTEGRITY="Logiciel : Intégrité du système"
SECTION_SYSTEM_TOOLING="Logiciel : System tooling"
SECTION_SYSTEM_TOOLS="Outils système"
SECTION_TIME_AND_SYNCHRONIZATION="Heure et synchronisation"
SECTION_USB_DEVICES="Périphériques USB"
SECTION_USERS_GROUPS_AND_AUTHENTICATION="Utilisateurs, groupes et authentification"
SECTION_VIRTUALIZATION="Virtualisation"
SECTION_WEBSERVER="Logiciel : Serveur web"
STATUS_DISABLED="DÉSACTIVÉ"
STATUS_DONE="FAIT" STATUS_DONE="FAIT"
STATUS_ENABLED="ACTIVÉ"
STATUS_ERROR="ERREUR"
STATUS_FAILED="ÉCHOUÉ"
STATUS_FOUND="TROUVÉ" STATUS_FOUND="TROUVÉ"
STATUS_YES="OUI"
STATUS_NO="NON" STATUS_NO="NON"
STATUS_NONE="AUCUN"
STATUS_NOT_CONFIGURED="NON CONFIGURÉ"
STATUS_NOT_FOUND="NON TROUVÉ"
STATUS_NOT_RUNNING="NON LANCÉ"
STATUS_OFF="OFF" STATUS_OFF="OFF"
STATUS_OK="OK" STATUS_OK="OK"
STATUS_ON="ON" STATUS_ON="ON"
STATUS_NONE="AUCUN" STATUS_RUNNING="EN COURS"
STATUS_NOT_FOUND="NON TROUVÉ"
STATUS_NOT_RUNNING="NON LANCÉ"
STATUS_RUNNING="EN COURS":
STATUS_SKIPPED="IGNORÉ" STATUS_SKIPPED="IGNORÉ"
STATUS_SUGGESTION="SUGGESTION" STATUS_SUGGESTION="SUGGESTION"
STATUS_UNKNOWN="INCONNU" STATUS_UNKNOWN="INCONNU"
STATUS_WARNING="ATTENTION" STATUS_WARNING="AVERTISSEMENT"
TEXT_YOU_CAN_HELP_LOGFILE="Vous pouvez aider en envoyant votre fichier journal" STATUS_WEAK="FAIBLE"
STATUS_YES="OUI"
TEXT_UPDATE_AVAILABLE="Mise à jour disponible" TEXT_UPDATE_AVAILABLE="Mise à jour disponible"
STATUS_DISABLED="DÉSACTIVÉ" TEXT_YOU_CAN_HELP_LOGFILE="Vous pouvez aider en envoyant votre fichier journal"
STATUS_ENABLED="ACTIVÉ"
STATUS_ERROR="ERREUR"
ERROR_NO_LICENSE="Pas de clé de licence configurée"
ERROR_NO_UPLOAD_SERVER="Pas de serveur de transfert configuré"


@ -68,6 +68,62 @@ os:Linux Mint 18:2021-04-01:1617228000:
os:Linux Mint 19:2023-04-01:1680300000: os:Linux Mint 19:2023-04-01:1680300000:
os:Linux Mint 20:2025-04-01:1743458400: os:Linux Mint 20:2025-04-01:1743458400:
# #
# macOS - https://support.apple.com/en_US/downloads/macos and
# https://apple.stackexchange.com/a/282788 and
# https://en.wikipedia.org/wiki/Category:MacOS_versions
#
os:Mac OS X 10.0 \(Cheetah\):2002-09-18:1032300000:
os:Mac OS X 10.1 \(Puma\):2003-11-10:1068418800:
os:Mac OS X 10.2 \(Jaguar\):2005-05-16:1116194400:
os:Mac OS X 10.3 \(Panther\):2007-11-15:1195081200:
os:Mac OS X 10.4 \(Tiger\):2009-09-10:1252533600:
os:Mac OS X 10.5 \(Leopard\):2011-06-23:1308780000:
os:Mac OS X 10.6 \(Snow Leopard\):2013-12-16:1387148400:
os:Mac OS X 10.7 \(Lion\):2014-11-17:1416178800:
os:Mac OS X 10.8 \(Mountain Lion\):2015-10-21:1445378400:
os:Mac OS X 10.9 \(Mavericks\):2016-10-24:1477260000:
os:Mac OS X 10.10 \(Yosemite\):2017-10-31:1509404400:
os:Mac OS X 10.11 \(El Capitan\):2018-10-30:1540854000:
os:macOS Sierra \(10.12\):2016-10-24:1477260000:
os:macOS Sierra \(10.12.1\):2016-12-13:1481583600:
os:macOS Sierra \(10.12.2\):2017-01-23:1485126000:
os:macOS Sierra \(10.12.3\):2017-03-27:1490565600:
os:macOS Sierra \(10.12.4\):2017-05-15:1494799200:
os:macOS Sierra \(10.12.5\):2017-07-19:1500415200:
os:macOS Sierra \(10.12.6\):2019-10-29:1572303600:
os:macOS High Sierra \(10.13\):2017-10-31:1509404400:
os:macOS High Sierra \(10.13.1\):2017-12-06:1512514800:
os:macOS High Sierra \(10.13.2\):2018-01-23:1516662000:
os:macOS High Sierra \(10.13.3\):2018-03-29:1522274400:
os:macOS High Sierra \(10.13.4\):2018-06-01:1527804000:
os:macOS High Sierra \(10.13.5\):2018-07-09:1531087200:
os:macOS High Sierra \(10.13.6\)::-1:
os:macOS Mojave \(10.14\):2018-10-30:1540854000:
os:macOS Mojave \(10.14.1\):2018-12-05:1543964400:
os:macOS Mojave \(10.14.2\):2019-01-22:1548111600:
os:macOS Mojave \(10.14.3\):2019-03-25:1553468400:
os:macOS Mojave \(10.14.4\):2019-05-13:1557698400:
os:macOS Mojave \(10.14.5\):2019-07-22:1563746400:
os:macOS Mojave \(10.14.6\)::-1:
os:macOS Catalina \(10.15\):2019-10-29:1572303600:
os:macOS Catalina \(10.15.1\):2019-12-10:1575932400:
os:macOS Catalina \(10.15.2\):2020-01-28:1580166000:
os:macOS Catalina \(10.15.3\):2020-03-24:1585004400:
os:macOS Catalina \(10.15.4\):2020-05-26:1590444000:
os:macOS Catalina \(10.15.5\):2020-07-15:1594764000:
os:macOS Catalina \(10.15.6\):2020-09-24:1600898400:
os:macOS Catalina \(10.15.7\)::-1:
#
# Mageia - https://www.mageia.org/en/support/
#
os:Mageia 1:2012-12-01:1354316400
os:Mageia 2:2013-11-22:1385074800
os:Mageia 3:2014-11-26:1416956400
os:Mageia 4:2015-09-19:1442613600
os:Mageia 5:2017-12-31:1514674800
os:Mageia 6:2019-09-30:1569794400
os:Mageia 7:2020-12-30:1609282800
#
# NetBSD - https://www.netbsd.org/support/security/release.html and # NetBSD - https://www.netbsd.org/support/security/release.html and
# https://www.netbsd.org/releases/formal.html # https://www.netbsd.org/releases/formal.html
# #
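Review bot: The seven Mageia records at the end of this hunk omit the trailing `:` that every other `os:` record shown here carries (compare `os:Linux Mint 20:2025-04-01:1743458400:`), so they should be normalised, e.g. `os:Mageia 7:2020-12-30:1609282800:`. The code that reads this file is not visible on this page; if it anchors on the closing delimiter or reads the epoch as a delimited field, these rows would not match and an end-of-life Mageia host would go unreported. The macOS rows keyed by point release (`10.12.1` through `10.15.7`) likewise only work if the detected OS name has exactly this form, which should be confirmed against the macOS detection code.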


@ -30,7 +30,7 @@
################################################################################# #################################################################################
# #
if [ ${CHECK_BINARIES} -eq 1 ]; then if [ ${CHECK_BINARIES} -eq 1 ]; then
InsertSection "System Tools" InsertSection "${SECTION_SYSTEM_TOOLS}"
Display --indent 2 --text "- Scanning available tools..." Display --indent 2 --text "- Scanning available tools..."
LogText "Start scanning for available audit binaries and tools..." LogText "Start scanning for available audit binaries and tools..."
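Review bot: `InsertSection "${SECTION_SYSTEM_TOOLS}"` now depends on a language file having defined the variable, and nothing in this hunk provides a fallback when it is unset or empty. The same substitution is made in the Dockerfile audit helper (`SECTION_IMAGE`, `SECTION_BASICS`, `SECTION_SOFTWARE`, `SECTION_DOWNLOADS`, `SECTION_PERMISSIONS`) and in each test file further down. Only the English and French language files are visible on this page, so confirm that the English defaults are always loaded before a localized file; otherwise a language without the new keys would print empty section headers, or abort if strict mode is active. The enclosing `if` block continues outside the hunk.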


@ -58,6 +58,7 @@ ETC_PATHS="/etc /usr/local/etc"
APPLICATION_FIREWALL_ACTIVE=0 APPLICATION_FIREWALL_ACTIVE=0
BINARY_SCAN_FINISHED=0 BINARY_SCAN_FINISHED=0
BLKIDBINARY="" BLKIDBINARY=""
BOOTCTLBINARY=""
CAT_BINARY="" CAT_BINARY=""
CFAGENTBINARY="" CFAGENTBINARY=""
CHECK=0 CHECK=0
@ -81,6 +82,7 @@ ETC_PATHS="/etc /usr/local/etc"
CONTROL_URL_PROTOCOL="" CONTROL_URL_PROTOCOL=""
CONTAINER_TYPE="" CONTAINER_TYPE=""
CREATE_REPORT_FILE=1 CREATE_REPORT_FILE=1
CRYPTSETUPBINARY=""
CSUMBINARY="" CSUMBINARY=""
CURRENT_TS=0 CURRENT_TS=0
CUSTOM_URL_APPEND="" CUSTOM_URL_APPEND=""
@ -99,12 +101,14 @@ ETC_PATHS="/etc /usr/local/etc"
DISCOVERED_BINARIES="" DISCOVERED_BINARIES=""
DMIDECODEBINARY="" DMIDECODEBINARY=""
DNFBINARY="" DNFBINARY=""
DNSDOMAINNAMEBINARY=""
DOCKERBINARY="" DOCKERBINARY=""
DOCKER_DAEMON_RUNNING=0 DOCKER_DAEMON_RUNNING=0
DPKGBINARY="" DPKGBINARY=""
ECHOCMD="" ECHOCMD=""
ERROR_ON_WARNINGS=0 ERROR_ON_WARNINGS=0
EQUERYBINARY="" EQUERYBINARY=""
EVMCTLBINARY=""
EXIMBINARY="" EXIMBINARY=""
FAIL2BANBINARY="" FAIL2BANBINARY=""
FILEBINARY="" FILEBINARY=""
@ -130,6 +134,7 @@ ETC_PATHS="/etc /usr/local/etc"
HTTPDBINARY="" HTTPDBINARY=""
IDS_IPS_TOOL_FOUND=0 IDS_IPS_TOOL_FOUND=0
IFCONFIGBINARY="" IFCONFIGBINARY=""
INTEGRITYSETUPBINARY=""
IPBINARY="" IPBINARY=""
IPFBINARY="" IPFBINARY=""
IPTABLESBINARY="" IPTABLESBINARY=""
@ -148,6 +153,7 @@ ETC_PATHS="/etc /usr/local/etc"
LOGDIR="" LOGDIR=""
LOGROTATEBINARY="" LOGROTATEBINARY=""
LOGTEXT=1 LOGTEXT=1
LSBLKBINARY=""
LSMODBINARY="" LSMODBINARY=""
LSOFBINARY="" LSOFBINARY=""
LSOF_EXTRA_OPTIONS="" LSOF_EXTRA_OPTIONS=""
@ -191,6 +197,7 @@ ETC_PATHS="/etc /usr/local/etc"
NGINX_RETURN_FOUND=0 NGINX_RETURN_FOUND=0
NGINX_ROOT_FOUND=0 NGINX_ROOT_FOUND=0
NGINX_WEAK_SSL_PROTOCOL_FOUND=0 NGINX_WEAK_SSL_PROTOCOL_FOUND=0
NTPCTLBINARY=""
NTPD_ROLE="" NTPD_ROLE=""
NTPQBINARY="" NTPQBINARY=""
OPENSSLBINARY="" OPENSSLBINARY=""
@ -204,6 +211,7 @@ ETC_PATHS="/etc /usr/local/etc"
OS_REDHAT_OR_CLONE=0 OS_REDHAT_OR_CLONE=0
OSIRISBINARY="" OSIRISBINARY=""
PACMANBINARY="" PACMANBINARY=""
PAM_PASSWORD_PWHISTORY_AMOUNT=""
PASSWORD_MAXIMUM_DAYS=-1 PASSWORD_MAXIMUM_DAYS=-1
PASSWORD_MINIMUM_DAYS=-1 PASSWORD_MINIMUM_DAYS=-1
PAM_2F_AUTH_ENABLED=0 PAM_2F_AUTH_ENABLED=0
@ -238,6 +246,7 @@ ETC_PATHS="/etc /usr/local/etc"
REFRESH_REPOSITORIES=1 REFRESH_REPOSITORIES=1
REMOTE_LOGGING_ENABLED=0 REMOTE_LOGGING_ENABLED=0
RESOLV_DOMAINNAME="" RESOLV_DOMAINNAME=""
RESOLVECTLBINARY=""
RKHUNTERBINARY="" RKHUNTERBINARY=""
ROOTDIR="/" ROOTDIR="/"
ROOTSHBINARY="" ROOTSHBINARY=""
@ -276,6 +285,7 @@ ETC_PATHS="/etc /usr/local/etc"
SLOW_TEST_THRESHOLD=10 SLOW_TEST_THRESHOLD=10
SMTPCTLBINARY="" SMTPCTLBINARY=""
SNORTBINARY="" SNORTBINARY=""
SSBINARY=""
SSHKEYSCANBINARY="" SSHKEYSCANBINARY=""
SSHKEYSCANFOUND=0 SSHKEYSCANFOUND=0
SSL_CERTIFICATE_INCLUDE_PACKAGES=0 SSL_CERTIFICATE_INCLUDE_PACKAGES=0
@ -285,6 +295,7 @@ ETC_PATHS="/etc /usr/local/etc"
SWUPDBINARY="" SWUPDBINARY=""
SYSLOGNGBINARY="" SYSLOGNGBINARY=""
SYSTEMCTLBINARY="" SYSTEMCTLBINARY=""
SYSTEMDANALYZEBINARY=""
SYSTEM_IS_NOTEBOOK=255 SYSTEM_IS_NOTEBOOK=255
TEMP_FILE="" TEMP_FILE=""
TEMP_FILES="" TEMP_FILES=""
@ -294,6 +305,7 @@ ETC_PATHS="/etc /usr/local/etc"
TEST_GROUP_TO_CHECK="all" TEST_GROUP_TO_CHECK="all"
TESTS_EXECUTED="" TESTS_EXECUTED=""
TESTS_SKIPPED="" TESTS_SKIPPED=""
TIMEDATECTL=""
TMPFILE="" TMPFILE=""
TOMOYOINITBINARY="" TOMOYOINITBINARY=""
TOOLTIP_SHOWED=0 TOOLTIP_SHOWED=0
@ -319,6 +331,7 @@ ETC_PATHS="/etc /usr/local/etc"
USBGUARD_ROOT="" USBGUARD_ROOT=""
VALUE="" VALUE=""
VERBOSE=0 VERBOSE=0
VERITYSETUPBINARY=""
VGDISPLAYBINARY="" VGDISPLAYBINARY=""
VMTYPE="" VMTYPE=""
VULNERABLE_PACKAGES_FOUND=0 VULNERABLE_PACKAGES_FOUND=0
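Review bot: `TIMEDATECTL=""` in the `@ -294,6 +305,7 @` hunk is the only newly initialised tool variable without the `BINARY` suffix that the other additions use (`NTPCTLBINARY`, `RESOLVECTLBINARY`, `SYSTEMDANALYZEBINARY`, `VERITYSETUPBINARY`). These initialisations only help if each name matches what the binary scan assigns, and that code is not visible here. Either rename it to follow the convention or confirm the scanner really sets `TIMEDATECTL`, so that a later `[ -n "${...}" ]` test does not read a different, uninitialised name.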


@ -1547,8 +1547,7 @@
if [ -z "${search}" ]; then ExitFatal "Missing process to search for when using IsRunning function"; fi if [ -z "${search}" ]; then ExitFatal "Missing process to search for when using IsRunning function"; fi
RUNNING=0 RUNNING=0
# AIX does not fully support pgrep options, so using ps instead if [ -x "${PGREPBINARY}" ] && [ "${OS}" != "AIX" ]; then
if [ "${OS}" != "AIX" ]; then
# When --user is used, perform a search using the -u option # When --user is used, perform a search using the -u option
# Initialize users for strict mode # Initialize users for strict mode
if [ -n "${users:-}" ]; then if [ -n "${users:-}" ]; then
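Review bot: The new condition `[ -x "${PGREPBINARY}" ] && [ "${OS}" != "AIX" ]` drops the comment that explained why AIX is excluded, and the reason for the added `-x` test is not recorded either. I would keep a line such as `# Use pgrep only when it was found; AIX does not fully support pgrep options, so ps is used there`. The lines below read `${users:-}` for strict mode, so `"${PGREPBINARY:-}"` would be the consistent form unless the variable is guaranteed to be initialised before this function runs. The body of IsRunning continues outside the hunk, so the fallback branch taken when pgrep is missing could not be checked.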


@ -44,7 +44,7 @@ fi
################################################################################################## ##################################################################################################
# #
InsertSection "Image" InsertSection "${SECTION_IMAGE}"
PKGMGR="" PKGMGR=""
FIND=$(grep "^FROM" ${AUDIT_FILE} | sed 's/ /:space:/g') FIND=$(grep "^FROM" ${AUDIT_FILE} | sed 's/ /:space:/g')
@ -93,7 +93,7 @@ fi
# #
################################################################################################## ##################################################################################################
# #
InsertSection "Basics" InsertSection "${SECTION_BASICS}"
MAINTAINER=$(grep -E -i "*MAINTAINER" ${AUDIT_FILE} | sed 's/=/ /g' | cut -d'"' -f 2) MAINTAINER=$(grep -E -i "*MAINTAINER" ${AUDIT_FILE} | sed 's/=/ /g' | cut -d'"' -f 2)
if [ -z "${MAINTAINER}" ]; then if [ -z "${MAINTAINER}" ]; then
@ -127,7 +127,7 @@ fi
# #
################################################################################################## ##################################################################################################
# #
InsertSection "Software" InsertSection "${SECTION_SOFTWARE}"
case $PKGMGR in case $PKGMGR in
"apt") "apt")
@ -166,7 +166,7 @@ fi
# #
################################################################################################## ##################################################################################################
# #
InsertSection "Downloads" InsertSection "${SECTION_DOWNLOADS}"
FILE_DOWNLOAD=0 FILE_DOWNLOAD=0
@ -217,7 +217,7 @@ fi
# #
################################################################################################## ##################################################################################################
# #
InsertSection "Permissions" InsertSection "${SECTION_PERMISSIONS}"
FIND=$(grep -i "chmod 777" ${AUDIT_FILE}) FIND=$(grep -i "chmod 777" ${AUDIT_FILE})
if HasData "${FIND}"; then if HasData "${FIND}"; then


@ -173,6 +173,12 @@
OS_REDHAT_OR_CLONE=1 OS_REDHAT_OR_CLONE=1
OS_VERSION="Rolling release" OS_VERSION="Rolling release"
;; ;;
"cloudlinux")
LINUX_VERSION="CloudLinux"
OS_NAME="CloudLinux"
OS_REDHAT_OR_CLONE=1
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"coreos") "coreos")
LINUX_VERSION="CoreOS" LINUX_VERSION="CoreOS"
OS_NAME="CoreOS Linux" OS_NAME="CoreOS Linux"
@ -190,6 +196,12 @@
OS_REDHAT_OR_CLONE=1 OS_REDHAT_OR_CLONE=1
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;; ;;
"flatcar")
LINUX_VERSION="Flatcar"
LINUX_VERSION_LIKE="CoreOS"
OS_NAME="Flatcar Linux"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"gentoo") "gentoo")
LINUX_VERSION="Gentoo" LINUX_VERSION="Gentoo"
OS_NAME="Gentoo Linux" OS_NAME="Gentoo Linux"
@ -206,6 +218,12 @@
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;; ;;
"mageia")
LINUX_VERSION="Mageia"
OS_NAME="Mageia"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"manjaro") "manjaro")
LINUX_VERSION="Manjaro" LINUX_VERSION="Manjaro"
OS_FULLNAME="Manjaro Linux" OS_FULLNAME="Manjaro Linux"
@ -249,24 +267,47 @@
;; ;;
"rhel") "rhel")
LINUX_VERSION="RHEL" LINUX_VERSION="RHEL"
OS_NAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_NAME="RHEL"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_FULLNAME="${OS_NAME} ${OS_VERSION_FULL}" OS_FULLNAME="${OS_NAME} ${OS_VERSION_FULL}"
OS_REDHAT_OR_CLONE=1 OS_REDHAT_OR_CLONE=1
;; ;;
"rosa")
LINUX_VERSION="ROSA Linux"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_NAME="ROSA Linux"
;;
"slackware") "slackware")
LINUX_VERSION="Slackware" LINUX_VERSION="Slackware"
OS_NAME="Slackware Linux" OS_NAME="Slackware Linux"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;; ;;
"sles")
LINUX_VERSION="SLES"
OS_NAME="openSUSE"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"ubuntu") "ubuntu")
LINUX_VERSION="Ubuntu" LINUX_VERSION="Ubuntu"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_NAME="Ubuntu" OS_NAME="Ubuntu"
;; ;;
"void")
LINUX_VERSION="Void Linux"
OS_VERSION="Rolling release"
OS_NAME="Void Linux"
;;
"zorin")
LINUX_VERSION="Zorin OS"
OS_NAME="Zorin OS"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
*) *)
ReportException "OS Detection" "Unknown OS found in /etc/os-release - Please create issue on GitHub project page: ${PROGRAM_SOURCE}" ReportException "OS Detection" "Unknown OS found in /etc/os-release - Please create issue on GitHub project page: ${PROGRAM_SOURCE}"
;; ;;
@ -378,13 +419,6 @@
LINUX_VERSION="Fedora" LINUX_VERSION="Fedora"
fi fi
# Mageia (has also /etc/megaia-release)
FIND=$(grep "Mageia" /etc/redhat-release)
if [ ! "${FIND}" = "" ]; then
OS_FULLNAME=$(grep "^Mageia" /etc/redhat-release)
OS_VERSION=$(grep "^Mageia" /etc/redhat-release | awk '{ if ($2=="release") { print $3 } }')
LINUX_VERSION="Mageia"
fi
# Oracle Enterprise Linux # Oracle Enterprise Linux
FIND=$(grep "Enterprise Linux Enterprise Linux Server" /etc/redhat-release) FIND=$(grep "Enterprise Linux Enterprise Linux Server" /etc/redhat-release)
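Review bot: The new `"sles")` branch sets `OS_NAME="openSUSE"`, which looks copied from the openSUSE case. A SUSE Linux Enterprise Server host would then be reported under another product's name, and any lookup keyed on `OS_NAME` would use the wrong key. If that is intentional it needs a comment; otherwise a distinct value such as `OS_NAME="SLES"` seems to be what is meant. The same branch fills `OS_VERSION_FULL` from `PRETTY_NAME`, while the sibling branches read `VERSION=`. The new `"mageia")` branch sets no `OS_FULLNAME`, which the removed `/etc/redhat-release` block did provide; whether a later default fills it in is outside these hunks.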


@ -18,7 +18,7 @@
# #
################################################################################# #################################################################################
# #
InsertSection "Accounting" InsertSection "${SECTION_ACCOUNTING}"
# #
################################################################################# #################################################################################
# #


@ -31,7 +31,7 @@
# #
################################################################################# #################################################################################
# #
InsertSection "Users, Groups and Authentication" InsertSection "${SECTION_USERS_GROUPS_AND_AUTHENTICATION}"
# Test : AUTH-9204 # Test : AUTH-9204
# Description : Check users with UID zero (0) # Description : Check users with UID zero (0)


@ -22,7 +22,7 @@
# #
################################################################################# #################################################################################
# #
InsertSection "Banners and identification" InsertSection "${SECTION_BANNERS_AND_IDENTIFICATION}"
# #
################################################################################# #################################################################################
# #


@ -22,7 +22,7 @@
# #
################################################################################# #################################################################################
# #
InsertSection "Boot and services" InsertSection "${SECTION_BOOT_AND_SERVICES}"
# #
################################################################################# #################################################################################
# #


@ -22,7 +22,7 @@
# #
################################################################################# #################################################################################
# #
InsertSection "Containers" InsertSection "${SECTION_CONTAINERS}"
# #
################################################################################# #################################################################################
# #


@ -22,7 +22,11 @@
# #
################################################################################# #################################################################################
# #
InsertSection "Cryptography" RNG_FOUND=0
#
#################################################################################
#
InsertSection "${SECTION_CRYPTOGRAPHY}"
# #
################################################################################# #################################################################################
# #
@ -188,20 +192,28 @@
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
ENCRYPTED_SWAPS=0 ENCRYPTED_SWAPS=0
UNENCRYPTED_SWAPS=0 UNENCRYPTED_SWAPS=0
SWAPS=$(${SWAPONBINARY} --show=NAME --noheadings) # Redirect errors, as RHEL 5/6 and others don't have the --show option
for BLOCK_DEV in ${SWAPS}; do SWAPS=$(${SWAPONBINARY} --show=NAME --noheadings 2> /dev/null)
if ${CRYPTSETUPBINARY} isLuks "${BLOCK_DEV}" 2> /dev/null; then if [ $? -eq 0 ]; then
LogText "Result: Found LUKS encrypted swap device: ${BLOCK_DEV}" for BLOCK_DEV in ${SWAPS}; do
ENCRYPTED_SWAPS=$((ENCRYPTED_SWAPS +1)) if ${CRYPTSETUPBINARY} isLuks "${BLOCK_DEV}" 2> /dev/null; then
elif ${CRYPTSETUPBINARY} status "${BLOCK_DEV}" 2> /dev/null | ${GREPBINARY} --quiet "cipher:"; then LogText "Result: Found LUKS encrypted swap device: ${BLOCK_DEV}"
LogText "Result: Found non-LUKS encrypted swap device: ${BLOCK_DEV}" ENCRYPTED_SWAPS=$((ENCRYPTED_SWAPS + 1))
ENCRYPTED_SWAPS=$((ENCRYPTED_SWAPS +1)) Report "encrypted_swap[]=${BLOCK_DEV},LUKS"
else elif ${CRYPTSETUPBINARY} status "${BLOCK_DEV}" 2> /dev/null | ${GREPBINARY} --quiet "cipher:"; then
LogText "Result: Found unencrypted swap device: ${BLOCK_DEV}" LogText "Result: Found non-LUKS encrypted swap device: ${BLOCK_DEV}"
UNENCRYPTED_SWAPS=$((UNENCRYPTED_SWAPS +1)) ENCRYPTED_SWAPS=$((ENCRYPTED_SWAPS + 1))
fi Report "encrypted_swap[]=${BLOCK_DEV},other"
done else
Display --indent 2 --text "- Found ${ENCRYPTED_SWAPS} encrypted and ${UNENCRYPTED_SWAPS} unencrypted swap devices in use." --result OK --color WHITE LogText "Result: Found unencrypted swap device: ${BLOCK_DEV}"
UNENCRYPTED_SWAPS=$((UNENCRYPTED_SWAPS +1))
Report "non_encrypted_swap[]=${BLOCK_DEV}"
fi
done
Display --indent 2 --text "- Found ${ENCRYPTED_SWAPS} encrypted and ${UNENCRYPTED_SWAPS} unencrypted swap devices in use." --result OK --color WHITE
else
LogText "Result: skipping testing as swapon returned an error."
fi
fi fi
# #
################################################################################# #################################################################################
@ -239,6 +251,7 @@
if IsRunning "rngd"; then if IsRunning "rngd"; then
Display --indent 2 --text "- HW RNG & rngd" --result "${STATUS_YES}" --color GREEN Display --indent 2 --text "- HW RNG & rngd" --result "${STATUS_YES}" --color GREEN
LogText "Result: rngd is running" LogText "Result: rngd is running"
RNG_FOUND=1
else else
Display --indent 2 --text "- HW RNG & rngd" --result "${STATUS_NO}" --color YELLOW Display --indent 2 --text "- HW RNG & rngd" --result "${STATUS_NO}" --color YELLOW
# TODO - enable suggestion when website has listing for this control # TODO - enable suggestion when website has listing for this control
@ -270,14 +283,19 @@
done done
if [ -z "${FOUND}" ]; then if [ -z "${FOUND}" ]; then
Display --indent 2 --text "- SW prng" --result "${STATUS_NO}" --color YELLOW Display --indent 2 --text "- SW prng" --result "${STATUS_NO}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Utilize software pseudo random number generators" # ReportSuggestion "${TEST_NO}" "Utilize software pseudo random number generators"
else else
RNG_FOUND=1
Display --indent 2 --text "- SW prng" --result "${STATUS_YES}" --color GREEN Display --indent 2 --text "- SW prng" --result "${STATUS_YES}" --color GREEN
LogText "Result: found ${FOUND} running" LogText "Result: found ${FOUND} running"
fi fi
fi fi
# #
################################################################################# #################################################################################
#
Report "rng_found=${RNG_FOUND}"
#
#################################################################################
# #
WaitForKeyPress WaitForKeyPress
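Review bot: When `swapon --show=NAME` fails, the new `else` branch only writes `LogText "Result: skipping testing as swapon returned an error."`, so neither the screen nor the report records that swap encryption was not checked, and such a host looks the same as one without swap. A visible result such as `Display --indent 2 --text "- Checking swap encryption" --result "${STATUS_UNKNOWN}" --color YELLOW` would make the gap explicit. Discarding stderr also hides failures other than the unsupported `--show` option. The success path still prints `--result OK` when `UNENCRYPTED_SWAPS` is non-zero. The `ReportSuggestion` for a missing software PRNG is commented out rather than removed, with no comment giving the reason.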


@ -39,7 +39,7 @@
# #
################################################################################# #################################################################################
# #
InsertSection "Databases" InsertSection "${SECTION_DATABASES}"
# Test : DBS-1804 # Test : DBS-1804
# Description : Check if MySQL is being used # Description : Check if MySQL is being used

View File

@ -25,7 +25,7 @@
# #
################################################################################# #################################################################################
# #
InsertSection "Software: file integrity" InsertSection "${SECTION_FILE_INTEGRITY}"
Display --indent 2 --text "- Checking file integrity tools" Display --indent 2 --text "- Checking file integrity tools"
# #
################################################################################# #################################################################################


@ -22,7 +22,7 @@
# #
################################################################################# #################################################################################
# #
InsertSection "File Permissions" InsertSection "${SECTION_FILE_PERMISSIONS}"
# #
################################################################################# #################################################################################
# #


@ -28,7 +28,7 @@
# #
################################################################################# #################################################################################
# #
InsertSection "File systems" InsertSection "${SECTION_FILE_SYSTEMS}"
# #
################################################################################# #################################################################################
# #


@ -22,7 +22,7 @@
# #
################################################################################# #################################################################################
# #
InsertSection "Software: firewalls" InsertSection "${SECTION_FIREWALLS}"
# #
################################################################################# #################################################################################
# #


@ -18,7 +18,7 @@
# #
################################################################################# #################################################################################
# #
InsertSection "Hardening" InsertSection "${SECTION_HARDENING}"
# COMPILER_INSTALLED is initialized before # COMPILER_INSTALLED is initialized before
HARDEN_COMPILERS_NEEDED=0 HARDEN_COMPILERS_NEEDED=0


@ -22,7 +22,7 @@
# #
################################################################################# #################################################################################
# #
InsertSection "Home directories" InsertSection "${SECTION_HOME_DIRECTORIES}"
# #
################################################################################# #################################################################################
# #


@ -22,7 +22,7 @@
# #
################################################################################# #################################################################################
# #
InsertSection "Insecure services" InsertSection "${SECTION_INSECURE_SERVICES}"
# #
################################################################################# #################################################################################
# #


@ -22,7 +22,7 @@
# #
################################################################################# #################################################################################
# #
InsertSection "Kernel" InsertSection "${SECTION_KERNEL}"
# #
################################################################################# #################################################################################
# #
@ -665,8 +665,9 @@
LogText "Result: found ${ROOTDIR}boot/vmlinuz-linux-lts" LogText "Result: found ${ROOTDIR}boot/vmlinuz-linux-lts"
FOUND_VMLINUZ=${ROOTDIR}boot/vmlinuz-linux-lts FOUND_VMLINUZ=${ROOTDIR}boot/vmlinuz-linux-lts
else else
# Match on /boot/vm5.3.7 or /boot/vmlinuz-5.3.7-1-default # Match on items like /boot/vm5.3.7 or /boot/vmlinuz-5.3.7-1-default. Get newest file (ls -t and pipe into head)
FOUND_VMLINUZ=$(${LSBINARY} -t ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${HEADBINARY} -1) # Note: ignore a rescue kernel (e.g. CentOS)
FOUND_VMLINUZ=$(${LSBINARY} -t ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${GREPBINARY} -v '\-rescue\-' | ${HEADBINARY} -1)
LogText "Result: found ${FOUND_VMLINUZ}" LogText "Result: found ${FOUND_VMLINUZ}"
fi fi
@ -680,8 +681,19 @@
elif [ -f "${FOUND_VMLINUZ}" ]; then elif [ -f "${FOUND_VMLINUZ}" ]; then
VERSION_ON_DISK=$(echo ${FOUND_VMLINUZ} | ${SEDBINARY} 's#^/boot/##' | ${SEDBINARY} 's/^vmlinuz-//') VERSION_ON_DISK=$(echo ${FOUND_VMLINUZ} | ${SEDBINARY} 's#^/boot/##' | ${SEDBINARY} 's/^vmlinuz-//')
LogText "Result: version derived from file name is '${VERSION_ON_DISK}'" LogText "Result: version derived from file name is '${VERSION_ON_DISK}'"
fi fi
# Data check: perform reset if we found a version but looks incomplete
# Example: Arch Linux will return only 'linux' as its version after it discovered /boot/vmlinuz-linux
case ${VERSION_ON_DISK} in
"linux" | "linux-lts")
LogText "Result: reset of version (${VERSION_ON_DISK}) as it looks incomplete"
VERSION_ON_DISK=""
;;
esac
# If we did not find the version yet, see if we can extract it from the magic data that 'file' returns
if [ -z "${VERSION_ON_DISK}" ]; then if [ -z "${VERSION_ON_DISK}" ]; then
LogText "Test: checking kernel version on disk" LogText "Test: checking kernel version on disk"
NEXTLINE=0 NEXTLINE=0
@ -697,6 +709,7 @@
done done
fi fi
# Last check if we finally got a version or not
if [ -z "${VERSION_ON_DISK}" ]; then if [ -z "${VERSION_ON_DISK}" ]; then
LogText "Result: could not find the version on disk" LogText "Result: could not find the version on disk"
ReportException "${TEST_NO}:4" "Could not find the kernel version" ReportException "${TEST_NO}:4" "Could not find the kernel version"
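Review bot: The rescue filter on the new `FOUND_VMLINUZ` line is written as `'\-rescue\-'`; a backslash before `-` is undefined in a basic regular expression, and newer GNU grep releases print a stray-backslash warning for it, which the `2> /dev/null` on the `ls` side of the pipe does not catch. `${GREPBINARY} -v -e '-rescue-'` expresses the same filter without the escapes. The filter is also matched against the whole path rather than the file name, so a `${ROOTDIR}` that itself contains `-rescue-` would hide every kernel; a short comment such as `# filter matches the full path, not only the file name` would make that visible. The surrounding if/else starts outside the hunk.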


@ -22,7 +22,7 @@
# #
################################################################################# #################################################################################
# #
InsertSection "Kernel Hardening" InsertSection "${SECTION_KERNEL_HARDENING}"
# #
################################################################################# #################################################################################
# #


@ -22,7 +22,7 @@
# #
################################################################################# #################################################################################
# #
InsertSection "LDAP Services" InsertSection "${SECTION_LDAP_SERVICES}"
# #
################################################################################# #################################################################################
# #


@ -36,7 +36,7 @@
# #
################################################################################# #################################################################################
# #
InsertSection "Logging and files" InsertSection "${SECTION_LOGGING_AND_FILES}"
# Test : LOGG-2130 # Test : LOGG-2130
# Description : Check for a running syslog daemon # Description : Check for a running syslog daemon


@ -24,7 +24,7 @@
SELINUXFOUND=0 SELINUXFOUND=0
TOMOYOFOUND=0 TOMOYOFOUND=0
InsertSection "Security frameworks" InsertSection "${SECTION_SECURITY_FRAMEWORKS}"
# #
################################################################################# #################################################################################
# #


@ -22,7 +22,7 @@
# #
################################################################################# #################################################################################
# #
InsertSection "Software: e-mail and messaging" InsertSection "${SECTION_EMAIL_AND_MESSAGING}"
# #
################################################################################# #################################################################################
# #


@ -22,7 +22,7 @@
# #
################################################################################# #################################################################################
# #
InsertSection "Software: ${SECTION_MALWARE}" InsertSection "${SECTION_MALWARE}"
# #
################################################################################# #################################################################################
# #


@ -22,7 +22,7 @@
# #
################################################################################# #################################################################################
# #
InsertSection "Name services" InsertSection "${SECTION_NAME_SERVICES}"
# #
################################################################################# #################################################################################
# #


@ -31,7 +31,7 @@
# #
################################################################################# #################################################################################
# #
InsertSection "Networking" InsertSection "${SECTION_NETWORKING}"
# #
################################################################################# #################################################################################
# #


@ -22,7 +22,7 @@
# #
################################################################################# #################################################################################
# #
InsertSection "Ports and packages" InsertSection "${SECTION_PORTS_AND_PACKAGES}"
PACKAGE_MGR_PKG=0 PACKAGE_MGR_PKG=0
PACKAGE_AUDIT_TOOL="" PACKAGE_AUDIT_TOOL=""
PACKAGE_AUDIT_TOOL_FOUND=0 PACKAGE_AUDIT_TOOL_FOUND=0
@ -1289,7 +1289,7 @@
KERNELS=$(${ZYPPERBINARY} --non-interactive -n se --type package --match-exact --installed-only "kernel-default" 2> /dev/null | ${GREPBINARY} "kernel-default" | ${WCBINARY} -l) KERNELS=$(${ZYPPERBINARY} --non-interactive -n se --type package --match-exact --installed-only "kernel-default" 2> /dev/null | ${GREPBINARY} "kernel-default" | ${WCBINARY} -l)
if [ ${KERNELS} -eq 0 ]; then if [ ${KERNELS} -eq 0 ]; then
LogText "Result: found no kernels from zypper output, which is unexpected." LogText "Result: found no kernels from zypper output, which is unexpected."
ReportException "KRNL-5840:3" "Could not find any kernel packages via package manager. Maybe using a different kernel package?" ReportException "${TEST_NO}" "Could not find any kernel packages via package manager. Maybe using a different kernel package?"
elif [ ${KERNELS} -gt 3 ]; then elif [ ${KERNELS} -gt 3 ]; then
LogText "Result: found more than 5 kernel packages on the system, which might indicate lack of regular cleanups" LogText "Result: found more than 5 kernel packages on the system, which might indicate lack of regular cleanups"
ReportSuggestion "${TEST_NO}" "Remove any unneeded kernel packages" ReportSuggestion "${TEST_NO}" "Remove any unneeded kernel packages"
@ -1299,7 +1299,19 @@
fi fi
if [ ${KERNELS} -eq 0 -a ${TESTED} -eq 1 ]; then if [ ${KERNELS} -eq 0 -a ${TESTED} -eq 1 ]; then
ReportException "KRNL-5840:1" "Could not find any kernel packages via package manager" # Only report exception if there are kernels actually there. For example, LXC use the kernel of host system
case "${OS}" in
"Linux")
if [ -d "${ROOTDIR}boot" ]; then
if [ -z "$(${FINDBINARY} /boot -maxdepth 1 -type f -name 'vmlinuz*' -print -quit)" ]; then
ReportException "${TEST_NO}" "Could not find any kernel packages via package manager"
fi
fi
;;
*)
ReportException "${TEST_NO}" "Could not find any kernel packages via package manager"
;;
esac
fi fi
Report "installed_kernel_packages=${KERNELS}" Report "installed_kernel_packages=${KERNELS}"
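Review bot: The new Linux branch tests `[ -z "$(${FINDBINARY} /boot ...)" ]`, so the exception is raised when no `vmlinuz*` file is found, which is the opposite of the comment above it ("Only report exception if there are kernels actually there") and of the container case it is meant to silence. The test should be `-n`, and the search should use the same `${ROOTDIR}boot` that the `-d` check one line earlier uses: `if [ -n "$(${FINDBINARY} "${ROOTDIR}boot" -maxdepth 1 -type f -name 'vmlinuz*' -print -quit)" ]; then`. Both ReportException calls in this section also lose their `:1` / `:3` suffix, so the two exceptions can no longer be told apart in the report; `"${TEST_NO}:1"` and `"${TEST_NO}:3"` would keep that distinction. The enclosing test block starts and ends outside the hunks.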


@ -34,7 +34,7 @@
# #
################################################################################# #################################################################################
# #
InsertSection "Printers and Spools" InsertSection "${SECTION_PRINTERS_AND_SPOOLS}"
# #
################################################################################# #################################################################################
# #


@ -22,7 +22,7 @@
# #
################################################################################# #################################################################################
# #
InsertSection "Scheduled tasks" InsertSection "${SECTION_SCHEDULED_TASKS}"
# #
################################################################################# #################################################################################
# #


@ -23,7 +23,7 @@
################################################################################# #################################################################################
# #
IDLE_TIMEOUT=0 IDLE_TIMEOUT=0
InsertSection "Shells" InsertSection "${SECTION_SHELLS}"
# #
################################################################################# #################################################################################
# #


@ -28,7 +28,7 @@
# #
################################################################################# #################################################################################
# #
InsertSection "SNMP Support" InsertSection "${SECTION_SNMP_SUPPORT}"
# Test : SNMP-3302 # Test : SNMP-3302
# Description : Check for a running SNMP daemon # Description : Check for a running SNMP daemon


@ -29,7 +29,7 @@
# #
################################################################################# #################################################################################
# #
InsertSection "Squid Support" InsertSection "${SECTION_SQUID_SUPPORT}"
# #
################################################################################# #################################################################################
# #


@ -34,7 +34,7 @@
# #
################################################################################# #################################################################################
# #
InsertSection "SSH Support" InsertSection "${SECTION_SSH_SUPPORT}"
# #
################################################################################# #################################################################################
# #


@ -18,7 +18,7 @@
# #
################################################################################# #################################################################################
# #
InsertSection "Storage" InsertSection "${SECTION_STORAGE}"
# #
################################################################################# #################################################################################
# #


@ -25,7 +25,7 @@
# #
################################################################################# #################################################################################
# #
InsertSection "Software: system integrity" InsertSection "${SECTION_SYSTEM_INTEGRITY}"
Display --indent 2 --text "- Checking file integrity tools" Display --indent 2 --text "- Checking file integrity tools"
# #
################################################################################# #################################################################################


@ -22,7 +22,7 @@
# #
################################################################################# #################################################################################
# #
InsertSection "Time and Synchronization" InsertSection "${SECTION_TIME_AND_SYNCHRONIZATION}"
# #
################################################################################# #################################################################################
# #
@ -575,7 +575,16 @@
Register --test-no TIME-3185 --preqs-met "${PREQS_MET}" --weight L --network NO --category "security" --description "Check systemd-timesyncd synchronized time" Register --test-no TIME-3185 --preqs-met "${PREQS_MET}" --weight L --network NO --category "security" --description "Check systemd-timesyncd synchronized time"
SYNCHRONIZED_FILE="/run/systemd/timesync/synchronized" SYNCHRONIZED_FILE="/run/systemd/timesync/synchronized"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# On earlier systemd versions (237), '/run/systemd/timesync/synchronized' does not exist, so use '/var/lib/systemd/timesync/clock'
if [ ! -e "${SYNCHRONIZED_FILE}" ]; then
SYNCHRONIZED_FILE="/var/lib/systemd/timesync/clock"
fi
# DynamicUser=yes moves the clock file to '/var/lib/private/systemd/timesync/clock'
if [ ! -e "${SYNCHRONIZED_FILE}" ]; then
SYNCHRONIZED_FILE="/var/lib/private/systemd/timesync/clock"
fi
if [ -e "${SYNCHRONIZED_FILE}" ]; then if [ -e "${SYNCHRONIZED_FILE}" ]; then
FIND=$(( $(date +%s) - $(${STATBINARY} -L --format %Y "${SYNCHRONIZED_FILE}") )) FIND=$(( $(date +%s) - $(${STATBINARY} -L --format %Y "${SYNCHRONIZED_FILE}") ))
# Check if last sync was more than 2048 seconds (= the default of systemd) ago # Check if last sync was more than 2048 seconds (= the default of systemd) ago
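Review bot: The two added fallbacks cannot tell "older systemd that has no synchronized file" apart from "current systemd that has never synchronized", because both show up as a missing `/run/systemd/timesync/synchronized`. In the second case the test silently switches to the `clock` file, whose mtime is, as far as the systemd documentation describes it, not only updated on a successful NTP sync, so a fresh mtime there is weaker evidence and the audit may report time as synchronized when it is not. At minimum the chosen file should be logged before the age check, e.g. `LogText "Test: using ${SYNCHRONIZED_FILE} to determine last time synchronization"`, and the comment should state that the clock file is a weaker indicator. The `/var/lib/private/...` path is normally readable by root only, so an unprivileged run will probably still end in the not-found branch. The rest of the test body continues outside the hunk.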


@ -37,7 +37,7 @@
# #
################################################################################# #################################################################################
# #
InsertSection "Software: System tooling" InsertSection "${SECTION_SYSTEM_TOOLING}"
# #
################################################################################# #################################################################################
# #


@ -19,7 +19,7 @@
# #
################################################################################# #################################################################################
# #
InsertSection "USB Devices" InsertSection "${SECTION_USB_DEVICES}"
# #
################################################################################# #################################################################################
# #


@ -22,7 +22,7 @@
# #
################################################################################# #################################################################################
# #
InsertSection "Virtualization" InsertSection "${SECTION_VIRTUALIZATION}"
# #
################################################################################# #################################################################################
# #


@ -22,7 +22,7 @@
# #
################################################################################# #################################################################################
# #
InsertSection "Software: webserver" InsertSection "${SECTION_WEBSERVER}"
# #
################################################################################# #################################################################################
# #

10
lynis

@ -43,10 +43,10 @@
PROGRAM_WEBSITE="https://cisofy.com/lynis/" PROGRAM_WEBSITE="https://cisofy.com/lynis/"
# Version details # Version details
PROGRAM_RELEASE_DATE="2020-06-26" PROGRAM_RELEASE_DATE="2020-10-05"
PROGRAM_RELEASE_TIMESTAMP=1593159916 PROGRAM_RELEASE_TIMESTAMP=1601896929
PROGRAM_RELEASE_TYPE="pre-release" # pre-release or release PROGRAM_RELEASE_TYPE="pre-release" # pre-release or release
PROGRAM_VERSION="3.0.1" PROGRAM_VERSION="3.0.2"
# Source, documentation and license # Source, documentation and license
PROGRAM_SOURCE="https://github.com/CISOfy/lynis" PROGRAM_SOURCE="https://github.com/CISOfy/lynis"
@ -862,7 +862,7 @@ ${NORMAL}
################################################################################# #################################################################################
# #
if IsVerbose; then if IsVerbose; then
InsertSection "Program Details" InsertSection "${SECTION_PROGRAM_DETAILS}"
Display --indent 2 --text "- ${GEN_VERBOSE_MODE}" --result "YES" --color GREEN Display --indent 2 --text "- ${GEN_VERBOSE_MODE}" --result "YES" --color GREEN
if IsDebug; then if IsDebug; then
Display --indent 2 --text "- ${GEN_DEBUG_MODE}" --result "YES" --color GREEN Display --indent 2 --text "- ${GEN_DEBUG_MODE}" --result "YES" --color GREEN
@ -1017,7 +1017,7 @@ ${NORMAL}
LogText "Exception: skipping test category ${INCLUDE_TEST}, file ${INCLUDE_FILE} has bad permissions (should be 640, 600 or 400)" LogText "Exception: skipping test category ${INCLUDE_TEST}, file ${INCLUDE_FILE} has bad permissions (should be 640, 600 or 400)"
ReportWarning "NONE" "Invalid permissions on tests file tests_${INCLUDE_TEST}" ReportWarning "NONE" "Invalid permissions on tests file tests_${INCLUDE_TEST}"
# Insert a section and warn user also on screen # Insert a section and warn user also on screen
InsertSection "General" InsertSection "${SECTION_GENERAL}"
Display --indent 2 --text "- Running test category ${INCLUDE_TEST}... " --result "SKIPPED" --color RED Display --indent 2 --text "- Running test category ${INCLUDE_TEST}... " --result "SKIPPED" --color RED
fi fi
else else