Style improvements and hardening points

Michael Boelen 2016-09-26 12:05:30 +02:00
parent 343eb5304f
commit 9caf3005b5
1 changed files with 125 additions and 127 deletions


@ -31,16 +31,15 @@
################################################################################# #################################################################################
# #
Display --indent 2 --text "- Searching package managers" Display --indent 2 --text "- Searching package managers"
# #
################################################################################# #################################################################################
# #
# Test : PKGS-7301 # Test : PKGS-7301
# Description : Query FreeBSD pkg # Description : Query FreeBSD pkg
if [ -x /usr/sbin/pkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -x ${ROOTDIR}usr/sbin/pkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7301 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query NetBSD pkg" Register --test-no PKGS-7301 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Query NetBSD pkg"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FIND=`pkg -N 2>&1; echo $?` FIND=$(pkg -N 2>&1; echo $?)
if [ "${FIND}" = "0" ]; then if [ "${FIND}" = "0" ]; then
Display --indent 4 --text "- Searching packages with pkg" --result "${STATUS_FOUND}" --color GREEN Display --indent 4 --text "- Searching packages with pkg" --result "${STATUS_FOUND}" --color GREEN
Report "package_manager[]=pkg" Report "package_manager[]=pkg"
@ -49,12 +48,12 @@
LogText "Test: Querying pkg to get package list" LogText "Test: Querying pkg to get package list"
Display --indent 6 --text "- Querying pkg for installed packages" Display --indent 6 --text "- Querying pkg for installed packages"
LogText "Output:"; LogText "-----" LogText "Output:"; LogText "-----"
SPACKAGES=`/usr/sbin/pkg query %n,%v` SPACKAGES=$(${ROOTDIR}usr/sbin/pkg query %n,%v)
for J in ${SPACKAGES}; do for ITEM in ${SPACKAGES}; do
sPKG_NAME=`echo ${J} | ${CUTBINARY} -d ',' -f1` sPKG_NAME=$(echo ${ITEM} | ${CUTBINARY} -d ',' -f1)
sPKG_VERSION=`echo ${J} | ${CUTBINARY} -d ',' -f2` sPKG_VERSION=$(echo ${ITEM} | ${CUTBINARY} -d ',' -f2)
LogText "Installed package: ${sPKG_NAME} (version: ${sPKG_VERSION})" LogText "Installed package: ${sPKG_NAME} (version: ${sPKG_VERSION})"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J}" INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${ITEM}"
done done
fi fi
fi fi
@ -73,17 +72,16 @@
LogText "Test: Querying pkg_info to get package list" LogText "Test: Querying pkg_info to get package list"
Display --indent 6 --text "- Querying pkg_info for installed packages" Display --indent 6 --text "- Querying pkg_info for installed packages"
LogText "Output:"; LogText "-----" LogText "Output:"; LogText "-----"
SPACKAGES=`/usr/sbin/pkg_info 2>&1 | ${SORTBINARY} | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f1 | ${SEDBINARY} -e 's/^\(.*\)-\([0-9].*\)$/\1,\2/g'` SPACKAGES=$(${ROOTDIR}usr/sbin/pkg_info 2>&1 | ${SORTBINARY} | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f1 | ${SEDBINARY} -e 's/^\(.*\)-\([0-9].*\)$/\1,\2/g')
for J in ${SPACKAGES}; do for ITEM in ${SPACKAGES}; do
N=$((N + 1)) N=$((N + 1))
sPKG_NAME=`echo ${J} | ${CUTBINARY} -d ',' -f1` sPKG_NAME=$(echo ${ITEM} | ${CUTBINARY} -d ',' -f1)
sPKG_VERSION=`echo ${J} | ${CUTBINARY} -d ',' -f2` sPKG_VERSION=$(echo ${ITEM} | ${CUTBINARY} -d ',' -f2)
LogText "Installed package: ${sPKG_NAME} (version: ${sPKG_VERSION})" LogText "Installed package: ${sPKG_NAME} (version: ${sPKG_VERSION})"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J}" INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${ITEM}"
done done
Report "installed_packages=${N}" Report "installed_packages=${N}"
fi fi
# #
################################################################################# #################################################################################
# #
@ -112,7 +110,7 @@
# #
# Test : PKGS-7304 # Test : PKGS-7304
# Description : Gentoo packages # Description : Gentoo packages
if [ -x /usr/bin/emerge -a -x /usr/bin/equery ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -x ${ROOTDIR}usr/bin/emerge -a -x ${ROOTDIR}usr/bin/equery ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7304 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying Gentoo packages" Register --test-no PKGS-7304 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying Gentoo packages"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 4 --text "- Searching emerge" --result "${STATUS_FOUND}" --color GREEN Display --indent 4 --text "- Searching emerge" --result "${STATUS_FOUND}" --color GREEN
@ -121,7 +119,7 @@
LogText "Test: Querying portage to get package list" LogText "Test: Querying portage to get package list"
Display --indent 4 --text "- Querying portage for installed packages" Display --indent 4 --text "- Querying portage for installed packages"
LogText "Output:"; LogText "-----" LogText "Output:"; LogText "-----"
GPACKAGES=`equery l '*' | ${SEDBINARY} -e 's/[.*]//g'` GPACKAGES=$(equery l '*' | ${SEDBINARY} -e 's/[.*]//g')
for J in ${GPACKAGES}; do for J in ${GPACKAGES}; do
LogText "Found package ${J}" LogText "Found package ${J}"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J},0," INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J},0,"
@ -135,7 +133,7 @@
# #
# Test : PKGS-7306 # Test : PKGS-7306
# Description : Solaris packages # Description : Solaris packages
if [ -x /usr/bin/pkginfo ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -x ${ROOTDIR}usr/bin/pkginfo ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7306 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying Solaris packages" Register --test-no PKGS-7306 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying Solaris packages"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 4 --text "- Searching pkginfo" --result "${STATUS_FOUND}" --color GREEN Display --indent 4 --text "- Searching pkginfo" --result "${STATUS_FOUND}" --color GREEN
@ -145,7 +143,7 @@
Display --indent 4 --text "- Querying pkginfo for installed packages" Display --indent 4 --text "- Querying pkginfo for installed packages"
LogText "Output:"; LogText "-----" LogText "Output:"; LogText "-----"
# Strip SUNW from strings # Strip SUNW from strings
SPACKAGES=`/usr/bin/pkginfo -i | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f2 | ${SEDBINARY} "s#^SUNW##"` SPACKAGES=$(${ROOTDIR}usr/bin/pkginfo -i | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f2 | ${SEDBINARY} "s#^SUNW##")
for J in ${SPACKAGES}; do for J in ${SPACKAGES}; do
LogText "Found package ${J}" LogText "Found package ${J}"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J},0," INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J},0,"
@ -176,8 +174,8 @@
else else
for J in ${SPACKAGES}; do for J in ${SPACKAGES}; do
N=$((N + 1)) N=$((N + 1))
PACKAGE_NAME=`echo ${J} | ${AWKBINARY} -F, '{print $1}'` PACKAGE_NAME=$(echo ${J} | ${AWKBINARY} -F, '{print $1}')
PACKAGE_VERSION=`echo ${J} | ${AWKBINARY} -F, '{print $2}'` PACKAGE_VERSION=$(echo ${J} | ${AWKBINARY} -F, '{print $2}')
LogText "Found package: ${J}" LogText "Found package: ${J}"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}," INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION},"
done done
@ -225,8 +223,8 @@
Register --test-no PKGS-7312 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking available updates for pacman based system" Register --test-no PKGS-7312 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking available updates for pacman based system"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0 FOUND=0
FIND=`which checkupdates` FIND=$(which checkupdates 2> /dev/null)
if [ ! "${FIND}" = "" ]; then if [ ! -z "${FIND}" ]; then
FIND=`checkupdates` FIND=`checkupdates`
for I in ${FIND}; do for I in ${FIND}; do
LogText "Result: update available for ${I}" LogText "Result: update available for ${I}"
@ -508,7 +506,7 @@
FIND=`${DNFBINARY} 2>&1 | ${GREPBINARY} "^repoquery"` FIND=`${DNFBINARY} 2>&1 | ${GREPBINARY} "^repoquery"`
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Action: checking integrity of package database" LogText "Action: checking integrity of package database"
FIND=`${DNFBINARY} -q repoquery --duplicated` FIND=$(${DNFBINARY} -q repoquery --duplicated)
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
LogText "Result: found unexpected result on repoquery --duplicated" LogText "Result: found unexpected result on repoquery --duplicated"
ReportSuggestion "${TEST_NO}" "Check output of: dnf repoquery --duplicated" ReportSuggestion "${TEST_NO}" "Check output of: dnf repoquery --duplicated"
@ -536,7 +534,7 @@
AddHP 3 3 AddHP 3 3
PACKAGE_AUDIT_TOOL_FOUND=1 PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="debsecan" PACKAGE_AUDIT_TOOL="debsecan"
FIND=`find /etc/cron* -name debsecan` FIND=$(${FINDBINARY} ${ROOTDIR}etc/cron* -name debsecan)
if [ ! ${FIND} = "" ]; then if [ ! ${FIND} = "" ]; then
LogText "Result: cron job is configured for debsecan" LogText "Result: cron job is configured for debsecan"
Display --indent 6 --text "- debsecan cron job" --result "${STATUS_FOUND}" --color GREEN Display --indent 6 --text "- debsecan cron job" --result "${STATUS_FOUND}" --color GREEN
@ -624,7 +622,7 @@
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Result: pkg audit results are clean" LogText "Result: pkg audit results are clean"
Display --indent 2 --text "- Checking pkg_admin audit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN Display --indent 2 --text "- Checking pkg_admin audit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN
AddHP 2 2 AddHP 10 10
else else
Display --indent 2 --text "- Checking pkg_admin audit to obtain vulnerable packages" --result "${STATUS_WARNING}" --color RED Display --indent 2 --text "- Checking pkg_admin audit to obtain vulnerable packages" --result "${STATUS_WARNING}" --color RED
LogText "Result: pkg_admin audit found one or more installed packages which are vulnerable." LogText "Result: pkg_admin audit found one or more installed packages which are vulnerable."
@ -641,7 +639,6 @@
else else
ReportSuggestion "${TEST_NO}" "Fetch the package database with pkg_admin fetch-pkg-vulnerabilities" ReportSuggestion "${TEST_NO}" "Fetch the package database with pkg_admin fetch-pkg-vulnerabilities"
AddHP 0 2 AddHP 0 2
fi fi
else else
Display --indent 2 --text "- pkg_admin audit not installed" --result "${STATUS_NOT_FOUND}" --color WHITE Display --indent 2 --text "- pkg_admin audit not installed" --result "${STATUS_NOT_FOUND}" --color WHITE
@ -664,6 +661,7 @@
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
LogText "Result: pkg audit results are clean" LogText "Result: pkg audit results are clean"
Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN
AddHP 10 10
else else
if [ ! -z "${FIND}" ]; then if [ ! -z "${FIND}" ]; then
VULNERABLE_PACKAGES_FOUND=1 VULNERABLE_PACKAGES_FOUND=1
@ -694,6 +692,7 @@
if [ "${FIND}" = "" ]; then if [ "${FIND}" = "" ]; then
LogText "Result: Portaudit results are clean" LogText "Result: Portaudit results are clean"
Display --indent 2 --text "- Checking portaudit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN Display --indent 2 --text "- Checking portaudit to obtain vulnerable packages" --result "${STATUS_NONE}" --color GREEN
AddHP 10 10
else else
Display --indent 2 --text "- Checking portaudit to obtain vulnerabilities" --result "${STATUS_WARNING}" --color RED Display --indent 2 --text "- Checking portaudit to obtain vulnerabilities" --result "${STATUS_WARNING}" --color RED
LogText "Result: Portaudit found one or more installed packages which are vulnerable." LogText "Result: Portaudit found one or more installed packages which are vulnerable."
@ -963,9 +962,9 @@
LogText "Result: found /usr/lib/update-notifier/apt-check" LogText "Result: found /usr/lib/update-notifier/apt-check"
LogText "Test: checking if any of the updates contain security updates" LogText "Test: checking if any of the updates contain security updates"
# apt-check binary is a script and translated. Do not search for normal text strings, but use numbered output only # apt-check binary is a script and translated. Do not search for normal text strings, but use numbered output only
FIND=`/usr/lib/update-notifier/apt-check 2>&1 | ${AWKBINARY} -F\; '{ print $2 }'` FIND=$(/usr/lib/update-notifier/apt-check 2>&1 | ${AWKBINARY} -F\; '{ print $2 }')
# Check if we get the proper line back and amount of security patches available # Check if we get the proper line back and amount of security patches available
if [ "${FIND}" = "" ]; then if [ -z "${FIND}" ]; then
LogText "Result: did not find security updates line" LogText "Result: did not find security updates line"
ReportSuggestion ${TEST_NO} "Check if system is up-to-date, security updates test (apt-check) gives an unexpected result" ReportSuggestion ${TEST_NO} "Check if system is up-to-date, security updates test (apt-check) gives an unexpected result"
ReportException "${TEST_NO}:1" "Apt-check did not provide any result" ReportException "${TEST_NO}:1" "Apt-check did not provide any result"
@ -986,7 +985,7 @@
# Trying also with apt-get directly (does not always work, as updates are distributed on both -security and -updates) # Trying also with apt-get directly (does not always work, as updates are distributed on both -security and -updates)
# Show packages which would be upgraded and match 'security' in repository name # Show packages which would be upgraded and match 'security' in repository name
FIND=`/usr/bin/apt-get --dry-run --show-upgraded upgrade 2> /dev/null | ${GREPBINARY} '-security' | ${GREPBINARY} "^Inst" | ${CUTBINARY} -d ' ' -f2 | ${SORTBINARY} -u` FIND=$(/usr/bin/apt-get --dry-run --show-upgraded upgrade 2> /dev/null | ${GREPBINARY} '-security' | ${GREPBINARY} "^Inst" | ${CUTBINARY} -d ' ' -f2 | ${SORTBINARY} -u)
if [ ! "${FIND}" = "" ]; then if [ ! "${FIND}" = "" ]; then
VULNERABLE_PACKAGES_FOUND=1 VULNERABLE_PACKAGES_FOUND=1
SCAN_PERFORMED=1 SCAN_PERFORMED=1
@ -1040,8 +1039,8 @@
LogText "Result: found /usr/bin/glsa-check" LogText "Result: found /usr/bin/glsa-check"
LogText "Test: checking if there are any vulnerable packages" LogText "Test: checking if there are any vulnerable packages"
# glsa-check reports the GLSA date/ID string, not the vulnerable package. # glsa-check reports the GLSA date/ID string, not the vulnerable package.
FIND=`/usr/bin/glsa-check -t all 2>&1 | ${GREPBINARY} -v "This system is affected by the following GLSAs:" | ${GREPBINARY} -v "This system is not affected by any of the listed GLSAs" | wc -l` FIND=$(/usr/bin/glsa-check -t all 2>&1 | ${GREPBINARY} -v "This system is affected by the following GLSAs:" | ${GREPBINARY} -v "This system is not affected by any of the listed GLSAs" | ${WCBINARY} -l)
if [ "${FIND}" = "" ]; then if [ -z "${FIND}" ]; then
LogText "Result: unexpected result: wc should report 0 if no vulnerable packages are found." LogText "Result: unexpected result: wc should report 0 if no vulnerable packages are found."
LogText "Notes: Check if system is up-to-date, security updates check (glsa-check) gives and unexpected result" LogText "Notes: Check if system is up-to-date, security updates check (glsa-check) gives and unexpected result"
ReportException "${TEST_NO}:1" "glsa-check did not provide any result, which is unexpected" ReportException "${TEST_NO}:1" "glsa-check did not provide any result, which is unexpected"
@ -1075,8 +1074,8 @@
if [ -x /usr/bin/apt-show-versions ]; then if [ -x /usr/bin/apt-show-versions ]; then
LogText "Result: found /usr/bin/apt-show-versions" LogText "Result: found /usr/bin/apt-show-versions"
LogText "Test: Checking packages which can be upgraded via apt-show-versions" LogText "Test: Checking packages which can be upgraded via apt-show-versions"
FIND=`/usr/bin/apt-show-versions -u | ${SEDBINARY} 's/ /!space!/g'` FIND=$(/usr/bin/apt-show-versions -u | ${SEDBINARY} 's/ /!space!/g')
if [ "${FIND}" = "" ]; then if [ -z "${FIND}" ]; then
LogText "Result: no packages found which can be upgraded" LogText "Result: no packages found which can be upgraded"
Display --indent 2 --text "- Checking upgradeable packages" --result "${STATUS_NONE}" --color GREEN Display --indent 2 --text "- Checking upgradeable packages" --result "${STATUS_NONE}" --color GREEN
AddHP 3 3 AddHP 3 3
@ -1084,9 +1083,9 @@
LogText "Result: found one or more packages which can be upgraded" LogText "Result: found one or more packages which can be upgraded"
Display --indent 2 --text "- Checking upgradeable packages" --result "${STATUS_FOUND}" --color YELLOW Display --indent 2 --text "- Checking upgradeable packages" --result "${STATUS_FOUND}" --color YELLOW
# output: program/repository upgradeable from version X to Y # output: program/repository upgradeable from version X to Y
for I in ${FIND}; do for ITEM in ${FIND}; do
I=`echo ${I} | ${SEDBINARY} 's/!space!/ /g'` ITEM=$(echo ${ITEM} | ${SEDBINARY} 's/!space!/ /g')
LogText "${I}" LogText "${ITEM}"
done done
fi fi
else else
@ -1132,9 +1131,9 @@
Register --test-no PKGS-7410 --weight L --network NO --category security --description "Count installed kernel packages" Register --test-no PKGS-7410 --weight L --network NO --category security --description "Count installed kernel packages"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
KERNELS=0 KERNELS=0
if [ ! "${RPMBINARY}" = "" ]; then if [ ! -z "${RPMBINARY}" ]; then
LogText "Test: Checking how many kernel packages are installed" LogText "Test: Checking how many kernel packages are installed"
KERNELS=`rpm -q kernel 2> /dev/null | wc -l` KERNELS=$(${RPMBINARY} -q kernel 2> /dev/null | ${WCBINARY} -l)
if [ ${KERNELS} -eq 0 ]; then if [ ${KERNELS} -eq 0 ]; then
LogText "Result: found no kernels from rpm -q kernel output, which is unexpected" LogText "Result: found no kernels from rpm -q kernel output, which is unexpected"
ReportException "KRNL-5840:1" "Could not find any kernel packages from RPM output" ReportException "KRNL-5840:1" "Could not find any kernel packages from RPM output"
@ -1162,7 +1161,6 @@ Report "vulnerable_packages_found=${VULNERABLE_PACKAGES_FOUND}"
WaitForKeyPress WaitForKeyPress
# #
#================================================================================ #================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com # Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
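Review bot: In PKGS-7301 the prerequisite now tests `${ROOTDIR}usr/sbin/pkg`, but the following `FIND=$(pkg -N 2>&1; echo $?)` still runs a bare `pkg`, so the binary executed is whatever PATH resolves rather than the one that was checked; for an audit script that normally runs as root, that gap is worth closing. I would call the verified path, `FIND=$(${ROOTDIR}usr/sbin/pkg -N 2>&1; echo $?)`, as the `pkg query` line a few lines below already does, and treat `equery l '*'` in PKGS-7304 and `checkupdates` in PKGS-7312 the same way, since both are also resolved through PATH. Separately, the untouched `if [ ! ${FIND} = "" ]` after the debsecan `find` leaves `${FIND}` unquoted, so the test errors out when more than one cron file matches; `if [ ! -z "${FIND}" ]` would match the form this commit uses elsewhere. The test blocks start and end outside the visible hunks, so these points rest only on the lines shown.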