From 5b09da0d9878096d45f04b858c4f65e674369ab4 Mon Sep 17 00:00:00 2001 From: Katka Durechova Date: Sat, 27 Oct 2018 20:19:08 +0200 Subject: [PATCH 001/679] Store log and data file in home directory for non-privileged usage --- lynis | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/lynis b/lynis index f2926cce..5956290b 100755 --- a/lynis +++ b/lynis 
@@ -236,21 +236,21 @@ Make sure to execute ${PROGRAM_NAME} from untarred directory or check your insta # Disable logging if no alternative was provided if [ ${PRIVILEGED} -eq 0 ]; then if [ -z "${LOGFILE}" ]; then - # Try creating a log file in temporary directory - if [ ! -f /tmp/lynis.log ]; then - if [ -L /tmp/lynis.log ]; then echo "Log file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi - touch /tmp/lynis.log - if [ $? -eq 0 ]; then LOGFILE="/tmp/lynis.log"; else LOGFILE="/dev/null"; fi + # Try creating a log file in home directory + if [ ! -f "$HOME/lynis.log" ]; then + if [ -L "$HOME/lynis.log" ]; then echo "Log file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi + touch "$HOME/lynis.log" + if [ $? -eq 0 ]; then LOGFILE="$HOME/lynis.log"; else LOGFILE="/dev/null"; fi else - LOGFILE="/tmp/lynis.log" + LOGFILE="$HOME/lynis.log" fi else if [ -L "${LOGFILE}" ]; then echo "Log file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi fi if [ -z "${REPORTFILE}" ]; then - touch /tmp/lynis-report.dat - if [ -L /tmp/lynis-report.dat ]; then echo "Report file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi - if [ $? -eq 0 ]; then REPORTFILE="/tmp/lynis-report.dat"; else REPORTFILE="/dev/null"; fi + touch "$HOME/lynis-report.dat" + if [ -L "$HOME/lynis-report.dat" ]; then echo "Report file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi + if [ $? -eq 0 ]; then REPORTFILE="$HOME/lynis-report.dat"; else REPORTFILE="/dev/null"; fi else if [ -L "${REPORTFILE}" ]; then echo "Report file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi fi From 19921ab00142c94033f0473febfcf26919db56b9 Mon Sep 17 00:00:00 2001 
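Review bot: The new `"$HOME/lynis.log"` and `"$HOME/lynis-report.dat"` paths are used without checking that HOME is set, so under cron, `env -i` or a service account with an empty HOME they silently become `/lynis.log` and `/lynis-report.dat`; a guard such as `if [ -z "${HOME}" ]; then LOGFILE="/dev/null"; REPORTFILE="/dev/null"; fi` (or a fallback to `${TMPDIR:-/tmp}` with the existing symlink checks) at the top of the non-privileged branch would cover it. In the report-file branch the `if [ $? -eq 0 ]` after the `if [ -L ... ]` statement tests the status of that `if`, which is always 0 when the condition is false, not the status of `touch`, so a failed `touch` still leaves REPORTFILE pointing at an unwritable path; move the `-L` check ahead of `touch` and test it directly: `if touch "$HOME/lynis-report.dat"; then REPORTFILE="$HOME/lynis-report.dat"; else REPORTFILE="/dev/null"; fi`. The log-file `-L` check only runs when the path is not an existing regular file, so a symlink to an existing file passes through the `else` branch unchecked; that was already true of the /tmp version, but a home directory is also writable by anything running as the user, so the ordering still matters. The enclosing `if [ ${PRIVILEGED} -eq 0 ]` block closes outside the hunk.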
From: Michael Boelen Date: Thu, 28 Feb 2019 10:19:09 +0100 Subject: [PATCH 002/679] Style improvements, typo, variable usage --- include/tests_authentication | 56 ++++++++++++++++++------------------ 1 file changed, 28 insertions(+), 28 deletions(-) diff --git a/include/tests_authentication b/include/tests_authentication index c4f62b64..e0571a49 100644 --- a/include/tests_authentication +++ b/include/tests_authentication 
@@ -487,35 +487,35 @@ if [ ! -z "${SUDOERS_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no AUTH-9252 --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check ownership and permissions for sudo configuration files" if [ ${SKIPTEST} -eq 0 ]; then - SUDO_CONFIG_FILES="${SUDOERS_FILE}" - SUDOERS_D="${SUDOERS_FILE}.d" - if [ -d "${SUDOERS_D}" ]; then - LogText "Test: checking drop-in directory (${SUDOERS_D})" - FIND=$(${LSBINARY} -ld ${SUDOERS_D} | ${CUTBINARY} -c 2-10) - FIND1=$(${LSBINARY} -nd ${SUDOERS_D} | ${AWKBINARY} '{print $3$4}') - LogText "Result: Found directory permissions: ${FIND} and owner UID GID: ${FIND1}" - if [ "${FIND}" = "rwxrwx---" -o "${FIND}" = "rwxr-x---" -o "${FIND}" = "rwx------" ] && [ "${FIND1}" = "00" ]; then - LogText "Result: directory ${SUDOERS_D} permissions/ownership OK" - Display --indent 4 --text "- Permissions for directory: ${SUDOERS_D}" --result "${STATUS_OK}" --color GREEN - else - LogText "Result: directory has possibly unsafe permissions/ownership" - Display --indent 4 --text "- Permissions for directory: ${SUDOERS_D}" --result "${STATUS_WARNING}" --color RED - fi - SUDO_CONFIG_FILES="${SUDO_CONFIG_FILES} $(${FINDBINARY} ${SUDOERS_D} -type f -print)" - fi - for f in ${SUDO_CONFIG_FILES}; do - LogText "Test: checking file (${f})" - FIND=$(${LSBINARY} -l ${f} | ${CUTBINARY} -c 2-10) - FIND1=$(${LSBINARY} -n ${f} | ${AWKBINARY} '{print $3$4}') - LogText "Result: Found file permissions: ${FIND} and owner UID GID: ${FIND1}" - if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" = "r--r-----" ] && [ "${FIND1}" = "00" ]; then - LogText "Result: file ${f} permissions/ownerhsip OK" - Display --indent 4 --text "- Permissions for: ${f}" --result "${STATUS_OK}" --color GREEN - else - LogText "Result: file has possibly unsafe permissions/ownership" - Display --indent 4 --text "- Permissions for: ${f}" --result "${STATUS_WARNING}" --color RED + 
SUDO_CONFIG_FILES="${SUDOERS_FILE}" + SUDOERS_D="${SUDOERS_FILE}.d" + if [ -d "${SUDOERS_D}" ]; then + LogText "Test: checking drop-in directory (${SUDOERS_D})" + FIND=$(${LSBINARY} -ld ${SUDOERS_D} | ${CUTBINARY} -c 2-10) + FIND2=$(${LSBINARY} -nd ${SUDOERS_D} | ${AWKBINARY} '{print $3$4}') + LogText "Result: Found directory permissions: ${FIND} and owner UID GID: ${FIND2}" + if [ "${FIND}" = "rwxrwx---" -o "${FIND}" = "rwxr-x---" -o "${FIND}" = "rwx------" ] && [ "${FIND2}" = "00" ]; then + LogText "Result: directory ${SUDOERS_D} permissions/ownership OK" + Display --indent 4 --text "- Permissions for directory: ${SUDOERS_D}" --result "${STATUS_OK}" --color GREEN + else + LogText "Result: directory has possibly unsafe permissions/ownership" + Display --indent 4 --text "- Permissions for directory: ${SUDOERS_D}" --result "${STATUS_WARNING}" --color RED + fi + SUDO_CONFIG_FILES="${SUDO_CONFIG_FILES} $(${FINDBINARY} ${SUDOERS_D} -type f -print)" fi - done + for f in ${SUDO_CONFIG_FILES}; do + LogText "Test: checking file (${f})" + FIND=$(${LSBINARY} -l ${f} | ${CUTBINARY} -c 2-10) + FIND2=$(${LSBINARY} -n ${f} | ${AWKBINARY} '{print $3$4}') + LogText "Result: Found file permissions: ${FIND} and owner UID GID: ${FIND2}" + if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" = "r--r-----" ] && [ "${FIND2}" = "00" ]; then + LogText "Result: file ${f} permissions/ownership OK" + Display --indent 4 --text "- Permissions for: ${f}" --result "${STATUS_OK}" --color GREEN + else + LogText "Result: file has possibly unsafe permissions/ownership" + Display --indent 4 --text "- Permissions for: ${f}" --result "${STATUS_WARNING}" --color RED + fi + done fi # ################################################################################# From ab9a53169b369d66898380c013e9d2f771578123 Mon Sep 17 00:00:00 2001 
From: Michael Boelen Date: Thu, 28 Feb 2019 10:20:26 +0100 Subject: [PATCH 003/679] Updated log --- CHANGELOG.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a0da6223..8cdae27c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,8 +5,13 @@ ### Added - Support for end-of-life detection of the operating system ---------------------------------------------------------------------------------- +### Changed +- RPi/Raspian path to PAM_FILE_LOCATIONS +- AUTH-9252 - Adds support for files in sudoers.d +- AUTH-9252 - Test extended to check file and directory ownership +- NETW-2704Ignore inline comments in /etc/resolv.conf +--------------------------------------------------------------------------------- ## Lynis 2.7.1 (2019-01-30) From e0b93ed0cc5ed00d7fb76a55c9f0dd1b31a3ac2e Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 4 Mar 2019 12:08:47 +0100 Subject: [PATCH 004/679] Replace awk statement with grep to simplify search --- include/osdetection | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/include/osdetection b/include/osdetection index 959d3a9e..83ba2312 100644 --- a/include/osdetection +++ b/include/osdetection @@ -515,7 +515,8 @@ if [ ! -z "${OS_VERSION}" ]; then if [ -f "${DBDIR}/software-eol.db" ]; then FIND="${OS_FULLNAME}" - EOL_DATE=$(awk -v value="${FIND}" -F: '{if ($1=="os" && $2 ~ value){print $3}}' ${DBDIR}/software-eol.db | head -n 1) + # Does not work on FreeBSD: EOL_DATE=$(awk -v value="${FIND}" -F: '{if ($1=="os" && $2 ~ value){print $3}}' ${DBDIR}/software-eol.db | head -n 1) + EOL_DATE=$(grep "os:${FIND}" ${DBDIR}/software-eol.db | awk -F: '{print $3}' | head -n 1) if [ ! -z "${EOL_DATE}" ]; then NOW=$(date "+%s") FIND=$(date "+%s" --date=${EOL_DATE}) From 9d8b12e0f8683d5a0c93dd0aac845241e464119e Mon Sep 17 00:00:00 2001 
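Review bot: `grep "os:${FIND}"` interpolates OS_FULLNAME unescaped into a basic-regex pattern and matches as a substring, so the `.` in version numbers matches any character and a prefix such as `FreeBSD 10.1` also matches a `FreeBSD 10.10` entry, with `head -n 1` then picking whichever comes first in the db. A fixed-string match that includes the field delimiter avoids both problems: `grep -F -- "os:${FIND}:" "${DBDIR}/software-eol.db"`. The surrounding `if [ ! -z "${OS_VERSION}" ]` block continues outside the hunk.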
From: Michael Boelen Date: Mon, 4 Mar 2019 12:13:47 +0100 Subject: [PATCH 005/679] Initial lookup with awk corrected --- include/osdetection | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/osdetection b/include/osdetection index 83ba2312..ef105eba 100644 --- a/include/osdetection +++ b/include/osdetection @@ -515,8 +515,8 @@ if [ ! -z "${OS_VERSION}" ]; then if [ -f "${DBDIR}/software-eol.db" ]; then FIND="${OS_FULLNAME}" - # Does not work on FreeBSD: EOL_DATE=$(awk -v value="${FIND}" -F: '{if ($1=="os" && $2 ~ value){print $3}}' ${DBDIR}/software-eol.db | head -n 1) - EOL_DATE=$(grep "os:${FIND}" ${DBDIR}/software-eol.db | awk -F: '{print $3}' | head -n 1) + EOL_DATE=$(awk -v value="${FIND}" -F: '{if ($1=="os" && value ~ $2){print $3}}' ${DBDIR}/software-eol.db | head -n 1) + #EOL_DATE=$(grep "os:${FIND}" ${DBDIR}/software-eol.db | awk -F: '{print $3}' | head -n 1) if [ ! -z "${EOL_DATE}" ]; then NOW=$(date "+%s") FIND=$(date "+%s" --date=${EOL_DATE}) From f7a291a62f2e4747eb7624f06a0c34581cfb9f3f Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 4 Mar 2019 12:33:03 +0100 Subject: [PATCH 006/679] Use datestamps instead of date, due to compatibility with other platforms --- db/software-eol.db | 48 +++++++++++++++++++++++++++------------------ include/osdetection | 8 +++----- 2 files changed, 32 insertions(+), 24 deletions(-) diff --git a/db/software-eol.db b/db/software-eol.db index 9bf96c12..56b3cb76 100644 --- a/db/software-eol.db +++ b/db/software-eol.db 
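Review bot: `value ~ $2` uses the db's name field as an unanchored regex against OS_FULLNAME, so a `.` in a version matches any character and an entry such as `FreeBSD 10.1` also matches a `FreeBSD 10.10` system; combined with `head -n 1`, db ordering decides which date is returned. Anchoring the pattern keeps the "name is contained in OS_FULLNAME" intent without the prefix collisions: `if ($1=="os" && value ~ ("^" $2 "([^0-9]|$)")){print $3}`, or `value == $2` if OS_FULLNAME is known to carry no suffix (not visible from here — confirm its format). The enclosing block continues outside the hunk.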
@@ -1,22 +1,32 @@ +# # End-of-life for operating systems and software +# +# This file has 4 fields: +# 1) category +# 2) name +# 3) date (human-readable) +# 4) converted date (seconds since epoch) +# +# Date can be converted on Linux using: date "+%s" --date=2020-01-01 +# # FreeBSD - https://www.freebsd.org/releases/ -os:FreeBSD 9.3:2014-07-01: -os:FreeBSD 10.0:2014-01-01: -os:FreeBSD 10.1:2014-11-01: -os:FreeBSD 10.2:2015-08-01: -os:FreeBSD 10.3:2016-04-01: -os:FreeBSD 10.4:2017-10-01: -os:FreeBSD 11.0:2016-10-01: -os:FreeBSD 11.1:2017-07-01: +os:FreeBSD 9.3:2014-07-01:1404165600: +os:FreeBSD 10.0:2014-01-01:1388530800: +os:FreeBSD 10.1:2014-11-01:0: +os:FreeBSD 10.2:2015-08-01:0: +os:FreeBSD 10.3:2016-04-01:0: +os:FreeBSD 10.4:2017-10-01:0: +os:FreeBSD 11.0:2016-10-01:0: +os:FreeBSD 11.1:2017-07-01:0: # Ubuntu - https://wiki.ubuntu.com/Kernel/LTSEnablementStack -os:Ubuntu 14.04:2019-05-01: -os:Ubuntu 14.10:2015-07-01: -os:Ubuntu 15.04:2016-01-01: -os:Ubuntu 15.10:2016-07-01: -os:Ubuntu 16.04:2021-05-01: -os:Ubuntu 16.10:2017-07-01: -os:Ubuntu 17.04:2018-01-01: -os:Ubuntu 17.10:2018-07-01: -os:Ubuntu 18.04:2023-05-01: -os:Ubuntu 18.10:2019-07-01: -os:Ubuntu 19.04:2020-01-01: \ No newline at end of file +os:Ubuntu 14.04:2019-05-01:0: +os:Ubuntu 14.10:2015-07-01:0: +os:Ubuntu 15.04:2016-01-01:0: +os:Ubuntu 15.10:2016-07-01:0: +os:Ubuntu 16.04:2021-05-01:0: +os:Ubuntu 16.10:2017-07-01:0: +os:Ubuntu 17.04:2018-01-01:0: +os:Ubuntu 17.10:2018-07-01:0: +os:Ubuntu 18.04:2023-05-01:1682892000: +os:Ubuntu 18.10:2019-07-01:1561932000: +os:Ubuntu 19.04:2020-01-01:1577833200: \ No newline at end of file diff --git a/include/osdetection b/include/osdetection index ef105eba..069167bb 100644 --- a/include/osdetection +++ b/include/osdetection 
@@ -515,13 +515,11 @@ if [ ! -z "${OS_VERSION}" ]; then if [ -f "${DBDIR}/software-eol.db" ]; then FIND="${OS_FULLNAME}" - EOL_DATE=$(awk -v value="${FIND}" -F: '{if ($1=="os" && value ~ $2){print $3}}' ${DBDIR}/software-eol.db | head -n 1) - #EOL_DATE=$(grep "os:${FIND}" ${DBDIR}/software-eol.db | awk -F: '{print $3}' | head -n 1) + EOL_DATE=$(awk -v value="${FIND}" -F: '{if ($1=="os" && value ~ $2){print $4}}' ${DBDIR}/software-eol.db | head -n 1) if [ ! -z "${EOL_DATE}" ]; then NOW=$(date "+%s") - FIND=$(date "+%s" --date=${EOL_DATE}) - if [ ! -z "${FIND}" ]; then - if [ ${NOW} -gt ${FIND} ]; then + if [ ! -z "${NOW}" ]; then + if [ ${NOW} -gt ${EOL_DATE} ]; then EOL=1 else EOL=0 From ff6446a5bceb0229bc4a6d81586a935103327f93 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 4 Mar 2019 12:33:25 +0100 Subject: [PATCH 007/679] Added 'show eol' command --- include/helper_show | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/include/helper_show b/include/helper_show index cb154c68..6e0738e6 100644 --- a/include/helper_show +++ b/include/helper_show 
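Review bot: `if [ ${NOW} -gt ${EOL_DATE} ]` compares against the db's fourth field literally, but the db rewritten in this same commit fills most entries with the placeholder `0` (for example `os:Ubuntu 16.04:2021-05-01:0:`), so any matched OS whose date has not been converted yet evaluates `NOW -gt 0` and is reported as end-of-life. Guard the placeholder before comparing, e.g. `if [ -n "${EOL_DATE}" ] && [ "${EOL_DATE}" -gt 0 ]; then`, and leave EOL at its "not tested" value otherwise; the `[ ! -z "${NOW}" ]` check that replaced the old `FIND` check adds nothing, since `date "+%s"` is the value being compared. The enclosing `if [ -f "${DBDIR}/software-eol.db" ]` block continues outside the hunk.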
@@ -32,13 +32,14 @@ COMMANDS="audit configure show update upload-only" HELPERS="audit configure show update" OPTIONS="--auditor\n--cronjob (--cron)\n--debug\n--developer\n--help (-h)\n--license-key\n--log-file\n--manpage (--man)\n--no-colors\n--no-log\n--pentest\n--profile\n--plugin-dir\n--quick (-Q)\n--quiet (-q)\n--report-file\n--reverse-colors\n--skip-plugins\n--tests\n--tests-from-category\n--tests-from-group\n--upload\n--verbose\n--version (-V)\n--wait\n--warnings-only" -SHOW_ARGS="categories changelog commands dbdir details environment groups help hostids includedir language license logfile man options os pidfile plugindir profiles release releasedate report settings tests version workdir" +SHOW_ARGS="categories changelog commands dbdir details environment eol groups help hostids includedir language license logfile man options os pidfile plugindir profiles release releasedate report settings tests version workdir" SHOW_HELP="lynis show ${BROWN}categories${NORMAL} (display test categories) lynis show ${BROWN}changelog${NORMAL} ${GRAY}[version]${NORMAL} (release details) lynis show ${BROWN}commands${NORMAL} (all available commands) lynis show ${BROWN}dbdir${NORMAL} (database directory) lynis show ${BROWN}details${NORMAL} (display test details from log file) lynis show ${BROWN}environment${NORMAL} (hardware, virtual machine, or container type) +lynis show ${BROWN}eol${NORMAL} (OS end-of-life status) lynis show ${BROWN}groups${NORMAL} (test groups) lynis show ${BROWN}help${NORMAL} (detailed information about arguments) lynis show ${BROWN}hostids${NORMAL} (unique IDs for this system) @@ -242,6 +243,17 @@ if [ $# -gt 0 ]; then ${ECHOCMD} "virtual-machine=0" fi ;; + "eol") + if [ ${EOL} -eq 0 ]; then + ${ECHOCMD} "OS end-of-life: No" + elif [ ${EOL} -eq 1 ]; then + ${ECHOCMD} "OS end-of-life: Yes" + elif [ ${EOL} -eq 255 ]; then + ${ECHOCMD} "OS end-of-life: Not tested" + else + ${ECHOCMD} "OS end-of-life: Unknown" + fi + ;; "groups") ViewGroups ;; 
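Review bot: `if [ ${EOL} -eq 0 ]` raises a shell error (`integer expression expected`) if EOL is unset or empty when `lynis show eol` runs, and this hunk does not show where EOL is initialized — the 255 "Not tested" branch suggests a default exists, but it should be confirmed. Quoting and defaulting the variable makes the helper safe regardless: `case "${EOL:-255}" in 0) ...; 1) ...; 255) ...; *) ...; esac`, or `if [ "${EOL:-255}" -eq 0 ]` in the existing chain. The surrounding `case` over show arguments continues outside the hunk.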
From 1214c2436346163796086330b4522371bb9af2b0 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 4 Mar 2019 12:33:50 +0100 Subject: [PATCH 008/679] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8cdae27c..da4e6fd9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,7 @@ ### Added - Support for end-of-life detection of the operating system +- New 'lynis show eol' command ### Changed - RPi/Raspian path to PAM_FILE_LOCATIONS From 19f38bc1eff7dee22fef8854c944d61d6c0dd90c Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 4 Mar 2019 13:40:40 +0100 Subject: [PATCH 009/679] Updated entries --- db/software-eol.db | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/db/software-eol.db b/db/software-eol.db index 56b3cb76..d50471df 100644 --- a/db/software-eol.db +++ b/db/software-eol.db @@ -19,14 +19,14 @@ os:FreeBSD 10.4:2017-10-01:0: os:FreeBSD 11.0:2016-10-01:0: os:FreeBSD 11.1:2017-07-01:0: # Ubuntu - https://wiki.ubuntu.com/Kernel/LTSEnablementStack -os:Ubuntu 14.04:2019-05-01:0: +os:Ubuntu 14.04:2019-05-01:1556661600: os:Ubuntu 14.10:2015-07-01:0: os:Ubuntu 15.04:2016-01-01:0: os:Ubuntu 15.10:2016-07-01:0: -os:Ubuntu 16.04:2021-05-01:0: +os:Ubuntu 16.04:2021-05-01:1619820000: os:Ubuntu 16.10:2017-07-01:0: -os:Ubuntu 17.04:2018-01-01:0: -os:Ubuntu 17.10:2018-07-01:0: +os:Ubuntu 17.04:2018-01-01:1514761200: +os:Ubuntu 17.10:2018-07-01:1530396000: os:Ubuntu 18.04:2023-05-01:1682892000: os:Ubuntu 18.10:2019-07-01:1561932000: os:Ubuntu 19.04:2020-01-01:1577833200: \ No newline at end of file From 06bf77cb3052c7417b6fe44e70428b36da68c031 Mon Sep 17 00:00:00 2001 
From: chr0mag Date: Tue, 5 Mar 2019 09:57:58 -0800 Subject: [PATCH 010/679] [FIRE-4540] Modify test to better measure rules (#636) This test was previously measuring the number of bytes (wc -c) in the exported JSON which is likely not what was intended and will lead to false positives anytime the number of bytes exceeds 16. The export feature is poorly documented and requires the jansson package on the target system to export as JSON - which may not always be the case. Lastly, 16 is an arbitrary and uncessarily high number. A simple workstation firewall can have only 3 rules and be effective. This commit makes use of 'nft list ruleset' instead of the export command, strips out blank lines as well as table & chain headers before measuring the number of lines in the output. Any result with more than 3 rules is now considered non-empty. This is more consistent with the equivalent iptables test case. --- include/tests_firewalls | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/include/tests_firewalls b/include/tests_firewalls index d794b3f4..85f2b150 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls 
@@ -506,13 +506,13 @@ # Test : FIRE-4540 # Description : Check nftables configuration if HasData "${NFTBINARY}"; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no FIRE-4540 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for empty nftables configuration" + Register --test-no FIRE-4540 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check for empty nftables configuration" if [ ${SKIPTEST} -eq 0 ]; then # Check for empty ruleset - NFT_RULES_LENGTH=$(${NFTBINARY} export json 2> /dev/null | wc -c) - if [ ${NFT_RULES_LENGTH} -le 16 ]; then + NFT_RULES_LENGTH=$(${NFTBINARY} list ruleset --stateless 2> /dev/null | ${EGREPBINARY} -v "table|chain|;$|}$|^$" | ${WCBINARY} -l) + if [ ${NFT_RULES_LENGTH} -le 3 ]; then FIREWALL_EMPTY_RULESET=1 - LogText "Result: this firewall set has 16 rules or less and is considered to be empty" + LogText "Result: this firewall set has 3 rules or less and is considered to be empty" else LogText "Result: found ${NFT_RULES_LENGTH} rules in nftables configuration" fi From 0dafe4a02b494e0c94c3d1b89e9e9791e2fde63d Mon Sep 17 00:00:00 2001 From: jirib <46245+jirib@users.noreply.github.com> Date: Tue, 5 Mar 2019 19:03:44 +0100 Subject: [PATCH 011/679] better OpenBSD support (#641) --- db/tests.db | 4 ++ include/binaries | 3 + include/tests_authentication | 44 +++++++++++++ include/tests_boot_services | 116 ++++++++++++++++++++++++++++++++++- include/tests_hardening | 2 +- include/tests_php | 6 ++ 6 files changed, 173 insertions(+), 2 deletions(-) diff --git a/db/tests.db b/db/tests.db index cfc6b287..fae4a41b 100644 --- a/db/tests.db +++ b/db/tests.db 
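Review bot: The `${EGREPBINARY} -v "table|chain|;$|}$|^$"` filter is unanchored, so any rule line containing the substring `table` or `chain` anywhere (a `jump`/`goto` to a chain named `input_chain`, a set or comment mentioning a table) is dropped from the count, and a populated ruleset can be under-counted and flagged as empty; anchoring the header patterns, `-v "^table |^[[:space:]]*chain |;$|}$|^$"`, restricts the filter to the headers it is meant to strip (the whitespace class assumes nft indents chain headers — confirm against `nft list ruleset` output). The `2> /dev/null` also hides a failing `nft` (e.g. a kernel without nf_tables support), which then counts as 0 lines and is reported as an empty firewall rather than "could not read ruleset"; checking `nft`'s exit status before counting would separate the two cases. The threshold `3` is a magic number; a short comment such as `# 3 or fewer rule lines is treated as empty, mirroring the iptables test` would save the next reader a trip to the commit message.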
@@ -45,6 +45,8 @@ AUTH-9340:test:security:authentication:Solaris:Solaris account locking: AUTH-9402:test:security:authentication::Query LDAP authentication support: AUTH-9406:test:security:authentication::Query LDAP servers in client configuration: AUTH-9408:test:security:authentication::Logging of failed login attempts via /etc/login.defs: +AUTH-9409:test:security:authentication:OpenBSD:Check for doas file: +AUTH-9410:test:security:authentication:OpenBSD:Check for doas file permissions: AUTH-9489:test:security:authentication:DragonFly:Check login shells for passwordless accounts: BANN-7113:test:security:banners:FreeBSD:Check COPYRIGHT banner file: BANN-7124:test:security:banners::Check issue banner file: @@ -71,6 +73,8 @@ BOOT-5184:test:security:boot_services:Linux:Check permissions for boot files/scr BOOT-5202:test:security:boot_services::Check uptime of system: BOOT-5260:test:security:boot_services::Check single user mode for systemd: BOOT-5261:test:security:boot_services:DragonFly:Check for DragonFly boot loader presence: +BOOT-5262:test:security:boot_services:OpenBSD:Check for OpenBSD boot daemons: +BOOT-5263:test:security:boot_services:OpenBSD:Check permissions for boot files/scripts: CONT-8004:test:security:containers:Solaris:Query running Solaris zones: CONT-8102:test:security:containers::Checking Docker status and information: CONT-8104:test:security:containers::Checking Docker info for any warnings: diff --git a/include/binaries b/include/binaries index 1042aa63..c993899a 100644 --- a/include/binaries +++ b/include/binaries 
@@ -109,9 +109,11 @@ base64) BASE64BINARY="${BINARY}"; LogText " Found known binary: base64 (encoding tool) - ${BINARY}" ;; blkid) BLKDBINARY="${BINARY}"; LogText " Found known binary: blkid (information about block devices) - ${BINARY}" ;; cat) CAT_BINARY="${BINARY}"; LogText " Found known binary: cat (generic file handling) - ${BINARY}" ;; + cc) CCBINARY="${BINARY}"; COMPILER_INSTALLED=1; LogText " Found known binary: cc (compiler) - ${BINARY}" ;; chkconfig) CHKCONFIGBINARY=${BINARY}; LogText " Found known binary: chkconfig (administration tool) - ${BINARY}" ;; clamconf) CLAMCONF_BINARY=${BINARY}; LogText " Found known binary: clamconf (information about ClamAV) - ${BINARY}" ;; clamscan) CLAMSCANBINARY=${BINARY}; LogText " Found known binary: clamscan (AV scanner) - ${BINARY}" ;; + clang) CLANGBINARY=${BINARY}; COMPILER_INSTALLED=1; LogText " Found known binary: clang (compiler) - ${BINARY}" ;; cfagent) CFAGENTBINARY="${BINARY}"; FILE_INT_TOOL_FOUND=1; LogText " Found known binary: cfengine agent (configuration tool) - ${BINARY}" ;; chkrootkit) CHKROOTKITBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: chkrootkit (malware scanner) - ${BINARY}" ;; comm) COMMBINARY="${BINARY}"; LogText " Found known binary: comm (file compare) - ${BINARY}" ;; 
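Review bot: The new `clang)` entry assigns `CLANGBINARY=${BINARY}` unquoted while the adjacent new `cc)` entry and most neighbours use `"${BINARY}"`; for consistency write `clang) CLANGBINARY="${BINARY}"; COMPILER_INSTALLED=1; ...`. On many systems `cc` is a link to gcc or clang, so CCBINARY and GCCBINARY/CLANGBINARY will often name the same file and the permission check in tests_hardening will inspect it twice; harmless, but worth a comment so the duplication is not mistaken for a bug. The enclosing `case` continues outside the hunk.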
@@ -194,6 +196,7 @@ python) PYTHONBINARY="${BINARY}"; PYTHONVERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${FILENAME} (programming language interpreter) - ${BINARY} (version ${PYTHONVERSION})" ;; python2) PYTHON2BINARY="${BINARY}"; PYTHON2VERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${FILENAME} (programming language interpreter) - ${BINARY} (version ${PYTHON2VERSION})" ;; python3) PYTHON3BINARY="${BINARY}"; PYTHON3VERSION=$(${BINARY} --version 2>&1 | sed 's/^Python //'); LogText "Found known binary: ${FILENAME} (programming language interpreter) - ${BINARY} (version ${PYTHON3VERSION})" ;; + rcctl) RCCTLBINARY="${BINARY}"; LogText " Found known binary: rcctl (services and daemons configuration and control) - ${BINARY}" ;; readlink) READLINKBINARY="${BINARY}"; LogText " Found known binary: readlink (follows symlinks) - ${BINARY}" ;; rkhunter) RKHUNTERBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: rkhunter (malware scanner) - ${BINARY}" ;; rootsh) ROOTSHBINARY="${BINARY}"; LogText " Found known binary: rootsh (wrapper for shells) - ${BINARY}" ;; diff --git a/include/tests_authentication b/include/tests_authentication index e0571a49..fe8ece41 100644 --- a/include/tests_authentication +++ b/include/tests_authentication 
@@ -1389,6 +1389,50 @@ fi # ################################################################################# +# + # Test : AUTH-9409 + # Description : Check for doas file + DOAS_FILE="" + Register --test-no AUTH-9409 --os OpenBSD --weight L --network NO --category security --description "Checking /etc/doas.conf file" + if [ ${SKIPTEST} -eq 0 ]; then + FOUND=0 + LogText "Test: checking presence /etc/doas.conf" + if [ -f /etc/doas.conf ]; then + DOAS_FILE=/etc/doas.conf + FOUND=1 + LogText "Result: file /etc/doas.conf found" + else + LogText "Result: file /etc/doas.conf not found" + fi + if [ ${FOUND} -eq 1 ]; then + LogText "Result: /etc/doas.conf file found" + Display --indent 2 --text "- doas file" --result "${STATUS_FOUND}" --color GREEN + else + LogText "Result: doas file NOT found" + Display --indent 2 --text "- doas file" --result "${STATUS_NOT_FOUND}" --color YELLOW + fi + fi +# +################################################################################# +# + # Test : AUTH-9410 + # Description : Check for doas file permissions + if [ ! 
-z "${DOAS_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no AUTH-9410 --os OpenBSD --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check /etc/doas.conf file permissions" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: checking /etc/doas.conf permissions" + FIND=$(ls -l ${DOAS_FILE} | ${CUTBINARY} -c 2-10) + LogText "Result: Found /etc/doas.conf file permissions: ${FIND}" + if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" = "r--r-----" ]; then + LogText "Result: file /etc/doas.conf has correct permissions" + Display --indent 4 --text "- Check doas file permissions" --result "${STATUS_OK}" --color GREEN + else + LogText "Result: file has possibly unsafe file permissions" + Display --indent 4 --text "- Check doas file permissions" --result "${STATUS_WARNING}" --color RED + fi + fi +# +################################################################################# # Report "auth_failed_logins_logged=${AUTH_FAILED_LOGINS_LOGGED}" diff --git a/include/tests_boot_services b/include/tests_boot_services index 325407b3..84680efc 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services @@ -125,7 +125,7 @@ if [ -f /usr/bin/init-openrc ]; then SERVICE_MANAGER="openrc"; fi fi ;; - "DragonFly" | "NetBSD" | "FreeBSD") + "DragonFly" | "NetBSD" | "FreeBSD" | "OpenBSD") if [ -x /sbin/init -a -d ${ROOTDIR}etc/rc.d -a -f ${ROOTDIR}etc/rc ]; then SERVICE_MANAGER="bsdrc" fi 
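Review bot: AUTH-9410 checks only the mode bits of /etc/doas.conf and never its owner, so a file owned by an unprivileged user with mode 0600 is reported as "correct permissions" even though that user can rewrite the doas policy; the sibling AUTH-9252 test in this same file already checks `${LSBINARY} -n ... | ${AWKBINARY} '{print $3$4}'` against `00` and the same ownership check belongs here. The test also calls a bare `ls` instead of `${LSBINARY}`, and AUTH-9409 hardcodes `/etc/doas.conf` where the other tests added in this commit use `${ROOTDIR}etc/...`. The `Report` context line after the hunk belongs to code outside it.
```shell
# … unchanged: Register / SKIPTEST check …
LogText "Test: checking ${DOAS_FILE} permissions and ownership"
FIND=$(${LSBINARY} -l ${DOAS_FILE} | ${CUTBINARY} -c 2-10)
FIND2=$(${LSBINARY} -n ${DOAS_FILE} | ${AWKBINARY} '{print $3$4}')
LogText "Result: Found ${DOAS_FILE} file permissions: ${FIND} and owner UID GID: ${FIND2}"
# owner and group must both be root (UID 0, GID 0), as in AUTH-9252
if [ "${FIND}" = "rw-------" -o "${FIND}" = "rw-rw----" -o "${FIND}" = "r--r-----" ] && [ "${FIND2}" = "00" ]; then
# … unchanged: OK / WARNING display branches …
```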
@@ -823,6 +823,120 @@ fi # ################################################################################# +# + # Test : BOOT-5262 + # Description : Check for OpenBSD boot daemons + Register --test-no BOOT-5262 --os OpenBSD --weight L --network NO --category security --description "Check for OpenBSD boot daemons" + if [ ${SKIPTEST} -eq 0 ]; then + if HasData "${RCCTLBINARY}"; then + LogText "Result: rcctl binary found, trying that to discover information" + # OpenBSD (Ask rcctl(8) for running daemons) + LogText "Searching for running daemons (rcctl)" + FIND=$(${RCCTLBINARY} ls started) + COUNT=0 + Report "running_service_tool=rcctl" + for ITEM in ${FIND}; do + LogText "Found running daemon: ${ITEM}" + Report "running_service[]=${ITEM}" + COUNT=$((COUNT + 1 )) + done + LogText "Note: Run rcctl ls all | egrep '^(pf|check_quotas|library_aslr)$' to see all daemons" + Display --indent 2 --text "- Check running daemons (rcctl)" --result "${STATUS_DONE}" --color GREEN + Display --indent 8 --text "Result: found ${COUNT} running daemons" + LogText "Result: Found ${COUNT} running daemons" + + # OpenBSD (Ask rcctl(8) for enabled daemons) + LogText "Searching for enabled daemons (rcctl)" + FIND=$(${RCCTLBINARY} ls on | ${EGREPBINARY} -v '^(pf|check_quotas|library_aslr)$') + COUNT=0 + Report "boot_service_tool=rcctl" + for ITEM in ${FIND}; do + LogText "Found enabled daemon at boot: ${ITEM}" + Report "boot_service[]=${ITEM}" + COUNT=$((COUNT + 1 )) + done + LogText "Note: Run rcctl ls all | egrep '^(pf|check_quotas|library_aslr)$' to see all daemons" + Display --indent 2 --text "- Check enabled daemons at boot (rcctl)" --result "${STATUS_DONE}" --color GREEN + Display --indent 8 --text "Result: found ${COUNT} enabled daemons at boot" + LogText "Result: Found ${COUNT} enabled daemons at boot" + fi + fi +# +################################################################################# +# + # Test : BOOT-5263 + # Description : Check OpenBSD world writable startup scripts + 
Register --test-no BOOT-5263 --os OpenBSD --weight L --network NO --category security --description "Check permissions for boot files/scripts" + if [ ${SKIPTEST} -eq 0 ]; then + FOUND=0 + CHECKDIR="${ROOTDIR}etc/rc.d" + LogText "Result: checking ${ROOTDIR}etc/rc.d scripts for writable bit" + LogText "Test: checking if directory ${DIR} exists" + if [ -d ${CHECKDIR} ]; then + LogText "Result: directory ${DIR} found" + LogText "Test: checking for available files in directory" + # OpenBSD uses symlinks to create another instance of daemons + FIND=$(${FINDBINARY} ${CHECKDIR} \( -type f -o -type l \) -print | ${SORTBINARY}) + if [ ! -z "${FIND}" ]; then + LogText "Result: found files in directory, checking permissions now" + for FILE in ${FIND}; do + LogText "Test: checking permissions of file ${FILE}" + ShowSymlinkPath "${FILE}" + if [ ${FOUNDPATH} -eq 1 ]; then + CHECKFILE="${SYMLINK}" + LogText "Result: found the path behind this symlink (${CHECKFILE} --> ${FILE})" + else + CHECKFILE="${FILE}" + fi + if IsWorldWritable ${CHECKFILE}; then + FOUND=1 + LogText "Result: warning, file ${CHECKFILE} is world writable" + else + LogText "Result: good, file ${CHECKFILE} not world writable" + fi + done + else + LogText "Result: found no files in directory." + fi + else + LogText "Result: directory ${CHECKDIR} not found. Skipping.." 
+ fi + + # Other files + CHECKFILES="${ROOTDIR}etc/rc ${ROOT}etc/rc.conf ${ROOT}etc/rc.conf.local ${ROOTDIR}etc/rc.local" + for I in ${CHECKFILES}; do + if [ -f ${I} ]; then + ShowSymlinkPath "${I}" + if [ ${FOUNDPATH} -eq 1 ]; then + CHECKFILE="${SYMLINK}" + LogText "Result: found the path behind this symlink (${CHECKFILE} --> ${I})" + else + CHECKFILE="${I}" + fi + LogText "Test: Checking ${CHECKFILE} file for writable bit" + if IsWorldWritable ${CHECKFILE}; then + FOUND=1 + ReportWarning ${TEST_NO} "Found writable startup script ${CHECKFILE}" + LogText "Result: warning, file ${CHECKFILE} is world writable" + else + LogText "Result: good, file ${CHECKFILE} not world writable" + fi + fi + done + + # Check results + if [ ${FOUND} -eq 1 ]; then + Display --indent 2 --text "- Check startup files (permissions)" --result "${STATUS_WARNING}" --color RED + ReportWarning ${TEST_NO} "Found world writable startup scripts" "-" "-" + LogText "Result: found one or more scripts which are possibly writable by other users" + AddHP 0 3 + else + Display --indent 2 --text "- Check startup files (permissions)" --result "${STATUS_OK}" --color GREEN + AddHP 3 3 + fi + fi +# +################################################################################# # Report "boot_loader=${BOOT_LOADER}" diff --git a/include/tests_hardening b/include/tests_hardening index 8945f9a3..0719cf8e 100644 --- a/include/tests_hardening +++ b/include/tests_hardening @@ -54,7 +54,7 @@ LogText "Result: no compilers found" else # TODO - c89 c99 cpp ld - TEST_BINARIES="${ASBINARY} ${GCCBINARY}" + TEST_BINARIES="${ASBINARY} ${CCBINARY} ${CLANGBINARY} ${GCCBINARY}" for ITEM in ${TEST_BINARIES}; do FILE="${ITEM}" LogText "Test: Check file permissions for ${ITEM}" diff --git a/include/tests_php b/include/tests_php index 795ce253..363321cf 100644 --- a/include/tests_php +++ b/include/tests_php 
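Review bot: In BOOT-5263, `CHECKFILES="${ROOTDIR}etc/rc ${ROOT}etc/rc.conf ${ROOT}etc/rc.conf.local ${ROOTDIR}etc/rc.local"` uses `${ROOT}` for two entries where the rest of the test uses `${ROOTDIR}`; if ROOT is unset those become the relative paths `etc/rc.conf` and `etc/rc.conf.local`, the `-f` test fails from any cwd other than `/`, and both files are silently skipped — change them to `${ROOTDIR}etc/rc.conf ${ROOTDIR}etc/rc.conf.local`. The log lines `LogText "Test: checking if directory ${DIR} exists"` and `LogText "Result: directory ${DIR} found"` reference `${DIR}` instead of `${CHECKDIR}`, so they log an empty name. In BOOT-5262 the `egrep -v '^(pf|check_quotas|library_aslr)$'` exclusion is applied to `rcctl ls on` but not to `rcctl ls started`, and the "Note: Run rcctl ls all | egrep '^(pf|...)$'" hint prints only the excluded names rather than all daemons, which reads as the opposite of what it says. The rc.d loop records `FOUND=1` for a world-writable file but, unlike the second loop, never calls `ReportWarning` for the individual file; if that asymmetry is intended, a one-line comment would make it clear.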
@@ -72,6 +72,9 @@ ${ROOTDIR}etc/opt/remi/php70/php.ini \ ${ROOTDIR}etc/opt/remi/php71/php.ini \ ${ROOTDIR}etc/opt/remi/php72/php.ini" + # HEADS-UP: OpenBSD, last two releases are supported, and snapshots of -current + PHPINILOCS="${PHPINILOCS} \ + ${ROOTDIR}etc/php-5.6.ini ${ROOTDIR}etc/php-7.0.ini ${ROOTDIR}etc/php-7.1.ini ${ROOTDIR}etc/php-7.2.ini" PHPINIDIRS="${ROOTDIR}etc/php5/conf.d \ ${ROOTDIR}etc/php/7.0/cli/conf.d \ @@ -92,6 +95,9 @@ ${ROOTDIR}opt/alt/php56/etc/php.d.all \ ${ROOTDIR}opt/alt/php70/etc/php.d.all \ ${ROOTDIR}opt/alt/php71/etc/php.d.all" + # HEADS-UP: OpenBSD, last two releases are supported, and snapshots of -current + PHPINIDIRS="${PHPINIDIRS} \ + ${ROOTDIR}etc/php-5.6 ${ROOTDIR}etc/php-7.0 ${ROOTDIR}etc/php-7.1 ${ROOTDIR}etc/php-7.2" # ################################################################################# # From 9b5ef7c80f683bf3cc3c4adfa0fd021df3c03335 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 5 Mar 2019 19:30:53 +0100 Subject: [PATCH 012/679] Updated log --- CHANGELOG.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index da4e6fd9..bd58385c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,14 +3,20 @@ ## Lynis 2.7.2 (not released yet) ### Added +- AUTH-9409 - Support for doas (OpenBSD) +- AUTH-9410 - Test file permissions of doas configuration +- BOOT-5262 - Check OpenBSD boot daemons +- BOOT-5263 - Test permissions for boot files and scripts - Support for end-of-life detection of the operating system - New 'lynis show eol' command ### Changed -- RPi/Raspian path to PAM_FILE_LOCATIONS - AUTH-9252 - Adds support for files in sudoers.d - AUTH-9252 - Test extended to check file and directory ownership +- FIRE-4540 - Modify test to better measure rules - NETW-2704Ignore inline comments in /etc/resolv.conf +- RPi/Raspian path to PAM_FILE_LOCATIONS + --------------------------------------------------------------------------------- 
From 32fc4a01b0fc9ebfdf23b7d08bee85dc4f57c1bf Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 5 Mar 2019 19:31:11 +0100 Subject: [PATCH 013/679] Corrected FreeBSD, added CentOS and OpenBSD --- db/software-eol.db | 34 ++++++++++++++++++++++++---------- 1 file changed, 24 insertions(+), 10 deletions(-) diff --git a/db/software-eol.db b/db/software-eol.db index d50471df..39edb2da 100644 --- a/db/software-eol.db +++ b/db/software-eol.db @@ -9,22 +9,36 @@ # # Date can be converted on Linux using: date "+%s" --date=2020-01-01 # -# FreeBSD - https://www.freebsd.org/releases/ -os:FreeBSD 9.3:2014-07-01:1404165600: -os:FreeBSD 10.0:2014-01-01:1388530800: -os:FreeBSD 10.1:2014-11-01:0: -os:FreeBSD 10.2:2015-08-01:0: -os:FreeBSD 10.3:2016-04-01:0: -os:FreeBSD 10.4:2017-10-01:0: -os:FreeBSD 11.0:2016-10-01:0: -os:FreeBSD 11.1:2017-07-01:0: +# CentOS +# +os:CentOS 5:2017-03-31:1490911200: +os:CentOS 6:2020-11-30:1606690800: +os:CentOS 7:2024-06-30:1719698400: +# +# FreeBSD - https://www.freebsd.org/security/unsupported.html +# +os:FreeBSD 9.3:2014-12-31:0: +os:FreeBSD 10.0:2015-02-28:0: +os:FreeBSD 10.1:2016-12-31:0: +os:FreeBSD 10.2:2016-12-31:0: +os:FreeBSD 10.3:2018-04-30:0: +os:FreeBSD 10.4:2018-10-31:0: +os:FreeBSD 11.0:2017-11-30:0: +os:FreeBSD 11.1:2018-09-30:0: +# +# OpenBSD - https://en.wikipedia.org/wiki/OpenBSD_version_history +# +os:OpenBSD 5.8:2016-09-01:0: +os:OpenBSD 5.9:2017-04-11:0: +# # Ubuntu - https://wiki.ubuntu.com/Kernel/LTSEnablementStack +# os:Ubuntu 14.04:2019-05-01:1556661600: os:Ubuntu 14.10:2015-07-01:0: os:Ubuntu 15.04:2016-01-01:0: os:Ubuntu 15.10:2016-07-01:0: os:Ubuntu 16.04:2021-05-01:1619820000: -os:Ubuntu 16.10:2017-07-01:0: +os:Ubuntu 16.10:2017-07-01:1498860000: os:Ubuntu 17.04:2018-01-01:1514761200: os:Ubuntu 17.10:2018-07-01:1530396000: os:Ubuntu 18.04:2023-05-01:1682892000: From 8888b01dcd5cb93fa3d4d15d79a568d57841ffbc Mon Sep 17 00:00:00 2001 
From: Michael Boelen Date: Tue, 5 Mar 2019 19:31:36 +0100 Subject: [PATCH 014/679] Store date and timestamp for EOL
---
 include/osdetection | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/include/osdetection b/include/osdetection
index 069167bb..5ab80293 100644
--- a/include/osdetection
+++ b/include/osdetection
@@ -512,14 +512,16 @@
 # Check if this OS is end-of-life
 EOL=255
 EOL_DATE=""
+ EOL_TIMESTAMP=0
 if [ ! -z "${OS_VERSION}" ]; then
 if [ -f "${DBDIR}/software-eol.db" ]; then
 FIND="${OS_FULLNAME}"
- EOL_DATE=$(awk -v value="${FIND}" -F: '{if ($1=="os" && value ~ $2){print $4}}' ${DBDIR}/software-eol.db | head -n 1)
- if [ ! -z "${EOL_DATE}" ]; then
+ EOL_TIMESTAMP=$(awk -v value="${FIND}" -F: '{if ($1=="os" && value ~ $2){print $4}}' ${DBDIR}/software-eol.db | head -n 1)
+ if [ ! -z "${EOL_TIMESTAMP}" ]; then
+ EOL_DATE=$(awk -v value="${FIND}" -F: '{if ($1=="os" && value ~ $2){print $3}}' ${DBDIR}/software-eol.db | head -n 1)
 NOW=$(date "+%s")
 if [ ! -z "${NOW}" ]; then
- if [ ${NOW} -gt ${EOL_DATE} ]; then
+ if [ ${NOW} -gt ${EOL_TIMESTAMP} ]; then
 EOL=1
 else
 EOL=0
From 89bf6074988b70cac8e3a63b0110b9540700d863 Mon Sep 17 00:00:00 2001 From: Jerry Park Date: Thu, 7 Mar 2019 18:01:02 +0900 Subject: [PATCH 015/679] Added Korean translation (#652) * Korean translation for ko-KR Translation in Korean * changed ko-KR to ko
---
 db/languages/ko | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 db/languages/ko
diff --git a/db/languages/ko b/db/languages/ko new file mode 100644
index 00000000..df13cf7f
--- /dev/null
+++ b/db/languages/ko
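Review bot: `EOL_TIMESTAMP` is only checked for being non-empty before the `-gt` comparison, yet the software-eol.db rows in the preceding patch of this series use `0` in the timestamp column for entries whose epoch has not been filled in (most FreeBSD rows and both OpenBSD rows), and `${NOW} -gt 0` is always true, so every such release is reported end-of-life whatever its date. Treat the placeholder as "unknown" rather than "expired": `if [ ! -z "${EOL_TIMESTAMP}" ] && [ "${EOL_TIMESTAMP}" -gt 0 ]; then`, leaving `EOL=255` for those rows. The two `awk` passes also match `value ~ $2` as an unanchored regular expression, so a short row such as `CentOS 7` matches any fuller name containing it and `head -n 1` takes the first row in file order; a comment stating that rows are unanchored regexes matched in file order would help whoever orders the db. The enclosing `if` blocks continue outside the hunk.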
@@ -0,0 +1,40 @@ +ERROR_NO_LICENSE="라이선스 키가 없습니다" +ERROR_NO_UPLOAD_SERVER="업로드 서버가 설정되지 않았습니다" +GEN_CHECKING="확인중입니다" +GEN_CURRENT_VERSION="현재 버전" +GEN_DEBUG_MODE="디버그 모드" +GEN_INITIALIZE_PROGRAM="프로그램을 초기화합니다" +GEN_LATEST_VERSION="최신 버전" +GEN_PHASE="phase" +GEN_PLUGINS_ENABLED="플러그인이 활성화되었습니다" +GEN_UPDATE_AVAILABLE="업데이트 가능" +GEN_VERBOSE_MODE="상세 모드" +GEN_WHAT_TO_DO="할 일" +NOTE_EXCEPTIONS_FOUND="예외 발견" +NOTE_EXCEPTIONS_FOUND_DETAILED="몇 가지 예외 이벤트나 정보가 발견되었습니다" +NOTE_PLUGINS_TAKE_TIME="참고: 플러그인은 광범위한 테스트를 거치며 완료될 때까지 몇 분의 시간이 소요됩니다" +NOTE_SKIPPED_TESTS_NON_PRIVILEGED="비특권 모드로 인해 테스트를 생략했습니다" +SECTION_CUSTOM_TESTS="사용자정의 테스트" +SECTION_MALWARE="악성코드" +SECTION_MEMORY_AND_PROCESSES="메모리와 프로세스" +STATUS_DISABLED="비활성화됨" +STATUS_DONE="완료" +STATUS_ENABLED="활성화됨" +STATUS_ERROR="에러" +STATUS_FOUND="발견" +STATUS_YES="예" +STATUS_NO="아니오" +STATUS_OFF="끔" +STATUS_OK="OK" +STATUS_ON="켬" +STATUS_NONE="없음" +STATUS_NOT_FOUND="발견되지않음" +STATUS_NOT_RUNNING="동작하지않음" +STATUS_RUNNING="동작중" +STATUS_SKIPPED="생략" +STATUS_SUGGESTION="추천" +STATUS_UNKNOWN="알수없음" +STATUS_WARNING="경고" +STATUS_WEAK="취약" +TEXT_YOU_CAN_HELP_LOGFILE="로그 파일을 제공하면 도움을 받을 수 있습니다" +TEXT_UPDATE_AVAILABLE="업데이트 가능" From 17f2e34660b9be19ad671feb783bf957703fa038 Mon Sep 17 00:00:00 2001 From: silentcreek Date: Thu, 7 Mar 2019 10:03:11 +0100 Subject: [PATCH 016/679] [PKGS-7388] Fix false positive warning on missing security archive (#651) Currently the check for the security archive in Debian/Ubuntu fails, if the archive is not hosted on security.{debian,ubuntu}.org and the URL does have trailing slash, such as this: deb http://deb.debian.org/debian-security/ stretch/updates main Change the regular expression to allow for a trailing slash in the URL when filtering the package sources lists. Signed-off-by: Timo Sigurdsson --- include/tests_ports_packages | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/tests_ports_packages b/include/tests_ports_packages index 9a22e8a4..1426a068 100644 
--- a/include/tests_ports_packages +++ b/include/tests_ports_packages @@ -993,7 +993,7 @@ if [ ${OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY} -eq 0 ]; then if [ -f ${ROOTDIR}etc/apt/sources.list ]; then LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list file" - FIND=$(${EGREPBINARY} "security.debian.org|security.ubuntu.com|security " ${ROOTDIR}etc/apt/sources.list | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g') + FIND=$(${EGREPBINARY} "security.debian.org|security.ubuntu.com|security/? " ${ROOTDIR}etc/apt/sources.list | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g') if [ ! -z "${FIND}" ]; then FOUND=1 Display --indent 2 --text "- Checking security repository in sources.list file" --result "${STATUS_OK}" --color GREEN @@ -1006,7 +1006,7 @@ fi if [ -d /etc/apt/sources.list.d ]; then LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list.d directory" - FIND=$(${EGREPBINARY} -r "security.debian.org|security.ubuntu.com|security " /etc/apt/sources.list.d | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g') + FIND=$(${EGREPBINARY} -r "security.debian.org|security.ubuntu.com|security/? " /etc/apt/sources.list.d | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g') if [ ! -z "${FIND}" ]; then FOUND=1 Display --indent 2 --text "- Checking security repository in sources.list.d directory" --result "${STATUS_OK}" --color GREEN From fb567465c9159e9217907776e3132392ad8baeb5 Mon Sep 17 00:00:00 2001 From: silentcreek Date: Thu, 7 Mar 2019 10:05:12 +0100 Subject: [PATCH 017/679] [KRNL-5788] Fix false positive warning on missing /vmlinuz (#650) Not all architectures use a /vmlinuz symlink in Debian. For instance, armhf systems may only provide a symlink in /boot/vmlinuz. Fall back to testing /boot/vmlinuz if /vmlinuz is not found. 
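Review bot: The loosened `security/? ` alternative in both hunks still matches any uncommented line whose text contains `security` followed by an optional slash and a space — a comment-free description or a non-Debian mirror line could qualify — while the `-v '#'` stage discards genuine entries that carry a trailing comment, so the test proves the presence of a word rather than of an active security archive. Anchoring on the entry shape narrows this and makes the comment filter unnecessary: `FIND=$(${EGREPBINARY} "^[[:space:]]*deb.*(security\.debian\.org|security\.ubuntu\.com|security/? )" ${ROOTDIR}etc/apt/sources.list | ${SEDBINARY} 's/ /!space!/g')`. The changed line in the second hunk also keeps the hard-coded `/etc/apt/sources.list.d` where the first uses `${ROOTDIR}etc/apt/sources.list`, and `-r` over that directory reads leftover `*.list.save` or editor backup files as well; restricting the search to `*.list` files would stop a stale file satisfying the check.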
Signed-off-by: Timo Sigurdsson --- include/tests_kernel | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/include/tests_kernel b/include/tests_kernel index 88a3c2fc..62c78800 100644 --- a/include/tests_kernel +++ b/include/tests_kernel @@ -374,10 +374,17 @@ LogText "Test: Searching apt-cache, to determine if a newer kernel is available" if [ -x ${ROOTDIR}usr/bin/apt-cache ]; then LogText "Result: found ${ROOTDIR}usr/bin/apt-cache" - LogText "Test: checking readlink location of ${ROOTDIR}vmlinuz" - if [ -f ${ROOTDIR}vmlinuz ]; then + LogText "Test: checking presence of ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz" + if [ -f ${ROOTDIR}vmlinuz -o -f ${ROOTDIR}boot/vmlinuz ]; then HAS_VMLINUZ=1 - FINDKERNFILE=$(readlink -f ${ROOTDIR}vmlinuz) + if [ -f ${ROOTDIR}vmlinuz ]; then + FINDVMLINUZ=${ROOTDIR}vmlinuz + else + FINDVMLINUZ=${ROOTDIR}boot/vmlinuz + fi + LogText "Result: found ${FINDVMLINUZ}" + LogText "Test: checking readlink location of ${FINDVMLINUZ}" + FINDKERNFILE=$(readlink -f ${FINDVMLINUZ}) LogText "Output: readlink reported file ${FINDKERNFILE}" LogText "Test: checking package from dpkg -S" FINDKERNEL=$(dpkg -S ${FINDKERNFILE} 2> /dev/null | ${AWKBINARY} -F : '{print $1}') 
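Review bot: The new outer condition `[ -f ${ROOTDIR}vmlinuz -o -f ${ROOTDIR}boot/vmlinuz ]` uses `-o` inside `[ ]`, which POSIX marks obsolescent and which is ambiguous when an operand looks like an option, and the same two tests are immediately repeated to choose `FINDVMLINUZ`; `if [ -f ${ROOTDIR}vmlinuz ] || [ -f ${ROOTDIR}boot/vmlinuz ]; then` is the portable form. `FINDVMLINUZ` is a new variable that I do not see initialised in `include/consts` anywhere in the visible patches, so a one-line comment above the inner `if`, `# FINDVMLINUZ: the kernel symlink this test resolves; /vmlinuz takes precedence over /boot/vmlinuz`, would document both its purpose and the precedence. The enclosing `if` begins and ends outside the hunk.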
@@ -386,8 +393,8 @@ FINDKERNEL=linux-image-$(uname -r) LogText "Result: ${ROOTDIR}vmlinuz missing due to grsecurity; assuming ${FINDKERNEL}" else - LogText "This system is missing ${ROOTDIR}vmlinuz. Unable to check whether kernel is up-to-date." - ReportSuggestion ${TEST_NO} "Determine why ${ROOTDIR}vmlinuz is missing on this Debian/Ubuntu system." "/vmlinuz" + LogText "This system is missing ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz. Unable to check whether kernel is up-to-date." + ReportSuggestion ${TEST_NO} "Determine why ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz is missing on this Debian/Ubuntu system." "/vmlinuz or /boot/vmlinuz" fi LogText "Test: Using apt-cache policy to determine if there is an update available" FINDINST=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ') From 341612418f004be954b08689b3b640305045c8b1 Mon Sep 17 00:00:00 2001 From: chr0mag Date: Thu, 7 Mar 2019 01:07:52 -0800 Subject: [PATCH 018/679] BOOT-5117 adds systemd-boot bootloader detection (#634) Adds a test to detect systemd-boot. The 'bootctl' binary is also added as this is the utility used to inspect the systemd-boot configuration. This test is only executed if systemd is installed, the bootctl utility exists and the system is booted in UEFI mode. --- include/binaries | 1 + include/tests_boot_services | 17 +++++++++++++++++ 2 files changed, 18 insertions(+) diff --git a/include/binaries b/include/binaries index c993899a..c2f7a598 100644 --- a/include/binaries +++ b/include/binaries 
@@ -108,6 +108,7 @@ autolog) AUTOLOGBINARY="${BINARY}"; IDLE_SESSION_KILLER_INSTALLED=1; LogText " Found known binary: autolog (idle session killer) - ${BINARY}" ;; base64) BASE64BINARY="${BINARY}"; LogText " Found known binary: base64 (encoding tool) - ${BINARY}" ;; blkid) BLKDBINARY="${BINARY}"; LogText " Found known binary: blkid (information about block devices) - ${BINARY}" ;; + bootctl) BOOTCTLBINARY="${BINARY}"; LogText " Found known binary: bootctl (systemd-boot manager utility) - ${BINARY}" ;; cat) CAT_BINARY="${BINARY}"; LogText " Found known binary: cat (generic file handling) - ${BINARY}" ;; cc) CCBINARY="${BINARY}"; COMPILER_INSTALLED=1; LogText " Found known binary: cc (compiler) - ${BINARY}" ;; chkconfig) CHKCONFIGBINARY=${BINARY}; LogText " Found known binary: chkconfig (administration tool) - ${BINARY}" ;; diff --git a/include/tests_boot_services b/include/tests_boot_services index 84680efc..2de8d748 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services 
@@ -239,6 +239,23 @@
 fi
 #
 #################################################################################
+#
+ # Test : BOOT-5117
+ # Description : Check for systemd-boot boot loader
+ if [ ! "${BOOTCTLBINARY}" = "" -a ${HAS_SYSTEMD} -eq 1 -a ${UEFI_BOOTED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no BOOT-5117 --preqs-met ${PREQS_MET} --os "Linux" --weight L --network NO --category security --description "Check for systemd-boot bootloader presence"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ BOOT_LOADER_SEARCHED=1
+ CURRENT_BOOT_LOADER=$(${BOOTCTLBINARY} status --no-pager 2>/dev/null | ${AWKBINARY} '/Current Boot Loader/{ getline; print $2 }')
+ if [ "${CURRENT_BOOT_LOADER}" = "systemd-boot" ]; then
+ Display --indent 2 --text "- Checking systemd-boot presence" --result "${STATUS_FOUND}" --color GREEN
+ LogText "Result: found systemd-boot"
+ BOOT_LOADER="systemd-boot"
+ BOOT_LOADER_FOUND=1
+ fi
+ fi
+#
+#################################################################################
 #
 # Test : BOOT-5121
 # Description : Check for GRUB boot loader
From e33ca1ec58ff64376c8bed968b92f2f30dfee153 Mon Sep 17 00:00:00 2001 From: chr0mag Date: Thu, 7 Mar 2019 01:10:21 -0800 Subject: [PATCH 019/679] [BOOT 5177] Simplify service filter & support multiple periods in names (#633) * Handle service names with multiple periods The current awk filter produces truncated output if the service name contains multiple periods. eg. dbus-org.freedesktop.resolve1.service and dbus-org.freedesktop.network1.service both appear as 'dbus-org' in the resulting service list. This change addresses this by filtering on '.service' instead. * Simplify systemd service filtering Added systemctl switches to filter the output based on enabled or running services. This removes the need for one of the awk statements.
---
 include/tests_boot_services | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
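Review bot: The `CURRENT_BOOT_LOADER=` line silences every `bootctl` error with `2>/dev/null` and then depends on `awk` finding a `Current Boot Loader` heading followed by a line whose second field is the product name, so when `bootctl status` fails (for example in a non-privileged run where it cannot inspect the ESP) or prints a different layout, the variable is empty and the test reports nothing while still setting `BOOT_LOADER_SEARCHED=1`. Make the gap visible: `if [ -z "${CURRENT_BOOT_LOADER}" ]; then LogText "Result: bootctl status gave no boot loader information (permissions or unexpected output format)"; fi`, and put a comment above the pipeline describing the two-line output shape it expects so a future format change is traceable. The prerequisite line also uses `-a` inside `[ ]`, which POSIX marks obsolescent; `[ -n "${BOOTCTLBINARY}" ] && [ ${HAS_SYSTEMD} -eq 1 ] && [ ${UEFI_BOOTED} -eq 1 ]` is the portable equivalent.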
diff --git a/include/tests_boot_services b/include/tests_boot_services index 2de8d748..77d3cb47 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services @@ -564,7 +564,7 @@ LogText "Result: systemctl binary found, trying that to discover information" # Running services LogText "Searching for running services (systemctl services only)" - FIND=$(${SYSTEMCTLBINARY} --full --type=service | ${AWKBINARY} '{ if ($4=="running") { print $1 } }' | ${AWKBINARY} -F. '{ print $1 }') + FIND=$(${SYSTEMCTLBINARY} --no-legend --full --type=service --state=running | ${AWKBINARY} -F.service '{ print $1 }') COUNT=0 Report "running_service_tool=systemctl" for ITEM in ${FIND}; do @@ -579,7 +579,7 @@ # Services at boot LogText "Searching for enabled services (systemctl services only)" - FIND=$(${SYSTEMCTLBINARY} list-unit-files --type=service | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="enabled") { print $1 } }' | ${AWKBINARY} -F. '{ print $1 }') + FIND=$(${SYSTEMCTLBINARY} list-unit-files --no-legend --type=service --state=enabled | ${SORTBINARY} -u | ${AWKBINARY} -F.service '{ print $1 }') COUNT=0 Report "boot_service_tool=systemctl" for ITEM in ${FIND}; do From ec4d89b978a4888747f67b0dd6e91b7db1bbbc2a Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Thu, 7 Mar 2019 10:15:16 +0100 Subject: [PATCH 020/679] [BOOT-5122] don't use WARNING, but show NONE if no protection is implemented --- include/tests_boot_services | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_boot_services b/include/tests_boot_services index 77d3cb47..5495938c 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services 
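Review bot: `-F.service` is a regular-expression field separator in awk, so the `.` matches any character and the split happens at the first `<any>service` in the unit name: a unit named `webservice.service` (constructed example) is truncated to `we`, and one named `xservice.service` becomes an empty string, which is the same class of truncation this commit set out to fix. Strip the suffix instead of splitting on it, `${AWKBINARY} '{ sub(/\.service$/, "", $1); print $1 }'`, on the changed line of both hunks in this file. The new `--no-legend` and `--state=` switches may also make older systemctl builds exit with a usage error, which here becomes an empty `FIND` and a silent "no services" result; a `LogText` when `FIND` is empty would make that distinguishable from a machine with no services. Both `for ITEM` loops continue outside the hunks.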
@@ -332,7 +332,7 @@ LogText "Result: GRUB has password protection." AddHP 4 4 else - Display --indent 4 --text "- Checking for password protection" --result "${STATUS_WARNING}" --color RED + Display --indent 4 --text "- Checking for password protection" --result "${STATUS_NONE}" --color RED LogText "Result: Didn't find hashed password line in GRUB boot file!" ReportSuggestion ${TEST_NO} "Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password)" AddHP 0 2 From c83f87853fbd69e5dcb0f9e687035af73380e2fb Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Thu, 7 Mar 2019 11:01:33 +0100 Subject: [PATCH 021/679] Add new tests --- db/tests.db | 1 + 1 file changed, 1 insertion(+) diff --git a/db/tests.db b/db/tests.db index fae4a41b..641ea927 100644 --- a/db/tests.db +++ b/db/tests.db @@ -58,6 +58,7 @@ BOOT-5104:test:security:boot_services::Determine service manager: BOOT-5106:test:security:boot_services:MacOS:Check EFI boot file on macOS: BOOT-5108:test:security:boot_services:Linux:Test Syslinux boot loader: BOOT-5116:test:security:boot_services::Check if system is booted in UEFI mode: +BOOT-5117:test:security:boot_services:Linux:Check for systemd-boot boot loader: BOOT-5121:test:security:boot_services::Check for GRUB boot loader presence: BOOT-5122:test:security:boot_services::Check for GRUB boot password: BOOT-5124:test:security:boot_services:FreeBSD:Check for FreeBSD boot loader presence: From 015447321964162bb9d6f257006c69ef40c532ea Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Thu, 7 Mar 2019 11:55:21 +0100 Subject: [PATCH 022/679] Release 2.7.2 --- CHANGELOG.md | 10 ++++++++-- lynis | 6 +++--- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bd58385c..c7027158 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,20 +1,26 @@ # Lynis Changelog -## Lynis 2.7.2 (not released yet) +## Lynis 2.7.2 (2019-03-07) ### Added - AUTH-9409 - Support for doas (OpenBSD) - AUTH-9410 - Test file permissions of doas configuration +- BOOT-5117 - Support for systemd-boot boot loader added +- BOOT-5177 - Simplify service filter and allow multiple dots in service names - BOOT-5262 - Check OpenBSD boot daemons - BOOT-5263 - Test permissions for boot files and scripts - Support for end-of-life detection of the operating system - New 'lynis show eol' command +- Korean translation ### Changed - AUTH-9252 - Adds support for files in sudoers.d - AUTH-9252 - Test extended to check file and directory ownership +- BOOT-5122 - Use NONE instead of WARNING if no password is set - FIRE-4540 - Modify test to better measure rules -- NETW-2704Ignore inline comments in /etc/resolv.conf +- KRNL-5788 - Resolve false positive warning on missing /vmlinuz +- NETW-2704 - Ignore inline comments in /etc/resolv.conf +- PKGS-7388 - Improve detection for security archive - RPi/Raspian path to PAM_FILE_LOCATIONS diff --git a/lynis b/lynis index e2ff0fdf..773caa24 100755 --- a/lynis +++ b/lynis @@ -35,9 +35,9 @@ PROGRAM_AUTHOR_CONTACT="lynis-dev@cisofy.com" # Version details - PROGRAM_RELEASE_DATE="2019-02-26" - PROGRAM_RELEASE_TIMESTAMP=1548942179 - PROGRAM_RELEASE_TYPE="dev" # dev or final + PROGRAM_RELEASE_DATE="2019-03-07" + PROGRAM_RELEASE_TIMESTAMP=1551949337 + PROGRAM_RELEASE_TYPE="final" # dev or final PROGRAM_VERSION="2.7.2" # Source, documentation and license From a4b179e4ef36f80749b49a818d9162643ac4eff0 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Thu, 7 Mar 2019 12:11:33 +0100 Subject: [PATCH 023/679] Switch to development for 2.7.3 --- CHANGELOG.md | 9 ++++++++- lynis | 4 ++-- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c7027158..651936be 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,13 @@ # Lynis Changelog +## Lynis 2.7.3 (not released yet) + +### Added + +### Changed + +--------------------------------------------------------------------------------- + ## Lynis 2.7.2 (2019-03-07) ### Added @@ -23,7 +31,6 @@ - PKGS-7388 - Improve detection for security archive - RPi/Raspian path to PAM_FILE_LOCATIONS - --------------------------------------------------------------------------------- ## Lynis 2.7.1 (2019-01-30) diff --git a/lynis b/lynis index 773caa24..c941b705 100755 --- a/lynis +++ b/lynis @@ -37,8 +37,8 @@ # Version details PROGRAM_RELEASE_DATE="2019-03-07" PROGRAM_RELEASE_TIMESTAMP=1551949337 - PROGRAM_RELEASE_TYPE="final" # dev or final - PROGRAM_VERSION="2.7.2" + PROGRAM_RELEASE_TYPE="dev" # dev or final + PROGRAM_VERSION="2.7.3" # Source, documentation and license PROGRAM_SOURCE="https://github.com/CISOfy/lynis" From 95c11f827044dc8cdb9977a8be356516682b1fc9 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 11 Mar 2019 14:06:17 +0100 Subject: [PATCH 024/679] [KRNL-5820] Changed color for default value - fixes GitHub #655 --- include/tests_kernel | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_kernel b/include/tests_kernel index 62c78800..f89177ce 100644 --- a/include/tests_kernel +++ b/include/tests_kernel @@ -473,7 +473,7 @@ AddHP 0 1 else LogText "Result: found default option, some programs can dump (not processes which need to change credentials)" - Display --indent 4 --text "- Checking setuid core dumps configuration" --result DEFAULT --color YELLOW + Display --indent 4 --text "- Checking setuid core dumps configuration" --result DEFAULT --color WHITE AddHP 1 1 fi else From f828a06bec0e42480982feabf2c9b5087382db51 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Thu, 14 Mar 2019 10:45:08 +0100 Subject: [PATCH 025/679] Corrected file location for tips --- lynis | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lynis b/lynis index c941b705..cc874a0c 100755 --- a/lynis 
+++ b/lynis @@ -1035,7 +1035,7 @@ ${NORMAL} if [ -f ${INCLUDEDIR}/report ]; then SafePerms ${INCLUDEDIR}/report; . ${INCLUDEDIR}/report; fi # Show tool tips - if [ -f ${INCLUDEDIR}/hints_tips ]; then SafePerms ${INCLUDEDIR}/hints_tips; . ${INCLUDEDIR}/hints_tips; fi + if [ -f ${INCLUDEDIR}/tool_tips ]; then SafePerms ${INCLUDEDIR}/tool_tips; . ${INCLUDEDIR}/tool_tips; fi LogText "================================================================================" LogText "Tests performed: ${CTESTS_PERFORMED}" From 3cf64ff5a6940f706eb3c6f62f09b0c0fba0f8aa Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Thu, 14 Mar 2019 12:30:37 +0100 Subject: [PATCH 026/679] Preparations for user tips to improve usage of tool --- include/tool_tips | 38 +++++++++++++++++++++++++++++--------- 1 file changed, 29 insertions(+), 9 deletions(-) diff --git a/include/tool_tips b/include/tool_tips index 304e9e28..343a943c 100644 --- a/include/tool_tips +++ b/include/tool_tips 
@@ -26,16 +26,36 @@ # Only show tips when enabled if [ ${SHOW_TOOL_TIPS} -eq 1 ]; then + # * Regular security auditing + # + # If package is installed, then suggest users to schedule the audit daily + # How: confirm presence of directory /etc/lynis and check cronjobs + + + # * Check for duplicate items between default and custom profile + # + # This can be done by marking an item if it overwrites the default profile + # with the same value. + # + # Rationale: default profile should contain have sensible default and + # custom profile allows customization for the user or system. + + + # Suggest usage of plugins if none are enabled + + # Bash completion support - if [ ! "${ETC_PATHS}" = "" ]; then - for I in ${ETC_PATHS}; do - if [ -d ${I}/bash-completion.d ]; then - if [ ! -f ${ETC_PATHS}/bash_completion.d/lynis ]; then - Display "This system has a bash_completion directory. Copy extras/bash_completion.d/lynis to ${I} to get completion support for Lynis" - fi - fi - done - fi + # + # Detect if bash is used for active user + #if [ ! -z "${ETC_PATHS}" ]; then + # for I in ${ETC_PATHS}; do + # if [ -d ${I}/bash_completion.d ]; then + # if [ ! -f ${ETC_PATHS}/bash_completion.d/lynis ]; then + # Display "This system has a bash_completion directory. Copy extras/bash_completion.d/lynis to ${I} to get completion support for Lynis" + # fi + # fi + # done + #fi fi From 3e7b319ec7f028e51df05642686a7e6ab5a28efa Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Thu, 14 Mar 2019 12:31:39 +0100 Subject: [PATCH 027/679] Readability changes and show when plugin execution is skipped --- include/report | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/include/report b/include/report index 3439747b..b200f6be 100644 --- a/include/report +++ b/include/report 
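Review bot: The bash-completion tip is parked as commented-out code rather than removed, and the parked block carries a defect that will resurface the moment it is re-enabled: the inner test reads `${ETC_PATHS}/bash_completion.d/lynis` while the loop iterates `${I}`, so with more than one entry in `ETC_PATHS` the path is never valid. Either drop the block (history keeps it) or correct the line before parking it, `# if [ ! -f ${I}/bash_completion.d/lynis ]; then`. The new design notes interleaved with code would also read better as a short `TODO(owner):` list at the top of the `if`, each item one line, so the file does not accumulate prose between tests. The enclosing `if` ends outside the hunk.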
@@ -178,7 +178,11 @@ echo "" echo " ${CYAN}Hardening index${NORMAL} : ${WHITE}${HPINDEX}${NORMAL} ${HPGRAPH}" echo " ${CYAN}Tests performed${NORMAL} : ${WHITE}${CTESTS_PERFORMED}${NORMAL}" - if [ ${SKIP_PLUGINS} -eq 0 ]; then echo " ${CYAN}Plugins enabled${NORMAL} : ${WHITE}${N_PLUGIN_ENABLED}${NORMAL}"; fi + if [ ${SKIP_PLUGINS} -eq 0 ]; then + echo " ${CYAN}Plugins enabled${NORMAL} : ${WHITE}${N_PLUGIN_ENABLED}${NORMAL}" + else + echo " ${CYAN}Plugins enabled${NORMAL} : ${WHITE}Skipped${NORMAL}" + fi echo "" echo " ${WHITE}Components${NORMAL}:" if [ ${FIREWALL_ACTIVE} -eq 1 ]; then FIREWALL="${GREEN}V"; else FIREWALL="${RED}X"; fi @@ -191,15 +195,15 @@ echo " - Malware scanner [${MALWARE}${NORMAL}]" echo "" - echo " ${SECTION}Lynis Modules${NORMAL}:" + echo " ${SECTION}Lynis modules${NORMAL}:" if [ ${COMPLIANCE_TESTS_PERFORMED} -eq 1 ]; then if [ ${COMPLIANCE_FINDINGS_FOUND} -eq 0 ]; then COMPLIANCE="${GREEN}V"; else COMPLIANCE="${RED}X"; fi else COMPLIANCE="${YELLOW}?" fi - echo " - Compliance Status [${COMPLIANCE}${NORMAL}]" - echo " - Security Audit [${GREEN}V${NORMAL}]" - echo " - Vulnerability Scan [${GREEN}V${NORMAL}]" + echo " - Compliance status [${COMPLIANCE}${NORMAL}]" + echo " - Security audit [${GREEN}V${NORMAL}]" + echo " - Vulnerability scan [${GREEN}V${NORMAL}]" echo "" echo " ${SECTION}Files${NORMAL}:" echo " - Test and debug information : ${WHITE}${LOGFILE}${NORMAL}" From 48195ce2212d2bec8369c837d8feb31ec04b673f Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Thu, 14 Mar 2019 12:32:19 +0100 Subject: [PATCH 028/679] Initial work to detect Lynis in cronjobs --- include/consts | 1 + include/tests_scheduling | 41 ++++++++++++++++++++++++++-------------- 2 files changed, 28 insertions(+), 14 deletions(-) diff --git a/include/consts b/include/consts index 5e801e06..671ed1ca 100644 --- a/include/consts +++ b/include/consts 
@@ -139,6 +139,7 @@ unset LANG LOGTEXT=1 LSMODBINARY="" LSVGBINARY="" + LYNIS_CRONJOB="" MACHINEID="" MACHINE_ROLE="" MALWARE_SCANNER_INSTALLED=0 diff --git a/include/tests_scheduling b/include/tests_scheduling index 4d188eb6..f0f54b5b 100644 --- a/include/tests_scheduling +++ b/include/tests_scheduling @@ -61,6 +61,7 @@ CRONTAB_FILE="${ROOTDIR}etc/crontab" if [ -f ${CRONTAB_FILE} ]; then + ${EGREPBINARY} -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:/etc/crontab" if IsWorldWritable ${CRONTAB_FILE}; then LogText "Result: insecure file permissions for cronjob file ${CRONTAB_FILE}"; Report "insecure_fileperms_cronjob[]=${CRONTAB_FILE}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi if ! IsOwnedByRoot ${CRONTAB_FILE}; then LogText "Result: incorrect owner found for cronjob file ${CRONTAB_FILE}"; Report "bad_fileowner_cronjob[]=${CRONTAB_FILE}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi FindCronJob ${CRONTAB_FILE} @@ -85,6 +86,8 @@ for FILE in ${FIND}; do if IsWorldWritable ${FILE}; then LogText "Result: insecure file permissions for cronjob file ${J}"; Report "insecure_fileperms_cronjob[]=${J}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi if ! IsOwnedByRoot ${FILE}; then LogText "Result: incorrect owner found for cronjob file ${J}"; Report "bad_fileowner_cronjob[]=${J}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi + FILENAME=$(echo ${FILE} | ${AWKBINARY} -F/ '{print $NF}') + if [ "${FILENAME}" = "lynis" ]; then ${EGREPBINARY} -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:${FILE}"; fi FindCronJob ${FILE} if HasData "${sCRONJOBS}"; then for K in ${sCRONJOBS}; do 
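Review bot: On the added `if [ "${FILENAME}" = "lynis" ]` line the pattern is searched in `${CRONTAB_FILE}` (assigned as `${ROOTDIR}etc/crontab` above the first hunk) instead of the `${FILE}` just found, so `LYNIS_CRONJOB` becomes `file:${FILE}` only when `/etc/crontab` happens to contain the string and a cron.d file that really schedules Lynis is never inspected; the identical line appears again in the following hunk at `@@ -115`. It should read `if [ "${FILENAME}" = "lynis" ]; then ${EGREPBINARY} -q -s 'lynis audit system' ${FILE} && LYNIS_CRONJOB="file:${FILE}"; fi`, and a comment is warranted that only files named exactly `lynis` are examined, since any other name silently misses the schedule. The first hunk's `LYNIS_CRONJOB="file:/etc/crontab"` hard-codes the path while the grep target uses `${ROOTDIR}`; `file:${CRONTAB_FILE}` keeps the two in step. Note also that the fixed string matches commented-out entries, so a disabled job is reported as scheduled; skipping lines whose first non-blank character is `#` would tighten it. All three hunks sit inside loops that continue outside them.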
@@ -115,11 +118,13 @@ LogText "Result: no files found in ${I}" else LogText "Result: found one or more files in ${I}. Analyzing files.." - for J in ${FIND}; do - if IsWorldWritable ${J}; then LogText "Result: insecure file permissions for cronjob file ${J}"; Report "insecure_fileperms_cronjob[]=${J}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi - if ! IsOwnedByRoot ${J}; then LogText "Result: incorrect owner found for cronjob file ${J}"; Report "bad_fileowner_cronjob[]=${J}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi - LogText "Result: Found cronjob (${I}): ${J}" - Report "cronjob[]=${J}" + for FILE in ${FIND}; do + if IsWorldWritable ${FILE}; then LogText "Result: insecure file permissions for cronjob file ${FILE}"; Report "insecure_fileperms_cronjob[]=${FILE}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi + if ! IsOwnedByRoot ${FILE}; then LogText "Result: incorrect owner found for cronjob file ${FILE}"; Report "bad_fileowner_cronjob[]=${FILE}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi + FILENAME=$(echo ${FILE} | ${AWKBINARY} -F/ '{print $NF}') + if [ "${FILENAME}" = "lynis" ]; then ${EGREPBINARY} -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:${FILE}"; fi + LogText "Result: Found cronjob (${I}): ${FILE}" + Report "cronjob[]=${FILE}" done LogText "Result: done with analyzing files in ${I}" fi 
@@ -137,21 +142,23 @@ FIND=$(${FINDBINARY} /var/spool/cron/crontabs -xdev -type f -print 2> /dev/null) for I in ${FIND}; do if FileIsReadable ${I}; then + ${EGREPBINARY} -q -s 'lynis audit system' ${I} && LYNIS_CRONJOB="file:${I}" FindCronJob ${I} - for J in ${sCRONJOBS}; do - LogText "Found cronjob (/var/spool/cron/crontabs): ${I} (${J})" + for FILE in ${sCRONJOBS}; do + LogText "Found cronjob (/var/spool/cron/crontabs): ${I} (${FILE})" Report "cronjob[]=${I}" done fi done else - if [ -d /var/spool/cron ]; then - FIND=$(find /var/spool/cron -type f -print) + if [ -d ${ROOTDIR}var/spool/cron ]; then + FIND=$(find ${ROOTDIR}var/spool/cron -type f -print) for I in ${FIND}; do if FileIsReadable ${I}; then + ${EGREPBINARY} -q -s 'lynis audit system' ${I} && LYNIS_CRONJOB="file:${I}" FindCronJob ${I} - for J in ${sCRONJOBS}; do - LogText "Found cronjob (/var/spool/cron): ${I} (${J})" + for FILE in ${sCRONJOBS}; do + LogText "Found cronjob in ${ROOTDIR}var/spool/cron: ${I} (${FILE})" LogText "cronjob[]=${I}" done fi 
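Review bot: The changed `FIND=$(find ${ROOTDIR}var/spool/cron -type f -print)` line adds `${ROOTDIR}` but still calls bare `find` without the `2> /dev/null` that the `/var/spool/cron/crontabs` branch a few lines above applies to `${FINDBINARY}`, so the two branches resolve different binaries and behave differently when the directory is unreadable; `FIND=$(${FINDBINARY} ${ROOTDIR}var/spool/cron -type f -print 2> /dev/null)` aligns them, and the sibling branch's hard-coded `/var/spool/cron/crontabs` is now the odd one out. The renamed loop variable `FILE` holds a cron job entry from `sCRONJOBS`, not a file, so a name such as `JOB` would make the `LogText` lines less misleading. The neighbouring context line `LogText "cronjob[]=${I}"` looks as though it was meant to be `Report "cronjob[]=${I}"`, as the crontabs branch does, but I cannot confirm that from the hunk alone. The enclosing `if`/`else` continues outside the hunk.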
@@ -177,12 +184,12 @@ # Show warning when an issue shows up. Even if *both* the permissions and ownership are wrong, just show one (prevent overload of warnings). if [ ${BAD_FILE_PERMISSIONS} -eq 1 ]; then ReportWarning "${TEST_NO}" "Found one or more cronjob files with incorrect file permissions (see log for details)" - Display --indent 2 --text "- Checking crontab/cronjob" --result "${STATUS_WARNING}" --color RED + Display --indent 2 --text "- Checking crontab and cronjobs files" --result "${STATUS_WARNING}" --color RED elif [ ${BAD_FILE_OWNERSHIP} -eq 1 ]; then ReportWarning "${TEST_NO}" "Found one or more cronjob files with incorrect ownership (see log for details)" - Display --indent 2 --text "- Checking crontab/cronjob" --result "${STATUS_WARNING}" --color RED + Display --indent 2 --text "- Checking crontab and cronjob files" --result "${STATUS_WARNING}" --color RED else - Display --indent 2 --text "- Checking crontab/cronjob" --result "${STATUS_DONE}" --color GREEN + Display --indent 2 --text "- Checking crontab and cronjob files" --result "${STATUS_DONE}" --color GREEN fi fi @@ -298,6 +305,12 @@ ################################################################################# # +if [ -z "${LYNIS_CRONJOB}" ]; then + LogText "Result: no scheduled Lynis execution found (e.g. crontab, cronjob)" +else + LogText "Result: found scheduled Lynis execution (${LYNIS_CRONJOB})" +fi + WaitForKeyPress # From 820666f448c10ac992e67ea5e140aa24e5b702ba Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Thu, 14 Mar 2019 12:33:35 +0100 Subject: [PATCH 029/679] Updated log --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 651936be..c06b30f9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -3,8 +3,12 @@ ## Lynis 2.7.3 (not released yet) ### Added +- Detection for Lynis being scheduled (e.g. cronjob) ### Changed +- KRNL-5820 - Changed color for default fs.suid_dumpable value +- Improvements to allow tailored tool tips +- Minor textual changes --------------------------------------------------------------------------------- From 0e8a12e2080b9044fcf7826250f4deadeccbc2bd Mon Sep 17 00:00:00 2001 From: Warren Date: Thu, 14 Mar 2019 08:34:17 -0300 Subject: [PATCH 030/679] Quote WORKDIR directory existence in lynis (#653) Quote both "${WORKDIR}/include" and "${WORKDIR}/db" directory existence check in if-statements to avoid "Fatal error: can't find directory" in case of a space-character in the ${WORKDIR} path. --- lynis | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lynis b/lynis index cc874a0c..cf0bfa98 100755 --- a/lynis +++ b/lynis @@ -76,7 +76,7 @@ tINCLUDE_TARGETS="/usr/local/include/lynis /usr/local/lynis/include /usr/share/lynis/include ./include" # Default paths to check (CWD as last option, in case we run from standalone) for I in ${tINCLUDE_TARGETS}; do if [ "${I}" = "./include" ]; then - if [ -d ${WORKDIR}/include ]; then INCLUDEDIR="${WORKDIR}/include"; fi + if [ -d "${WORKDIR}/include" ]; then INCLUDEDIR="${WORKDIR}/include"; fi elif [ -d ${I} -a -z "${INCLUDEDIR}" ]; then INCLUDEDIR=${I} fi @@ -95,7 +95,7 @@ Make sure to execute ${PROGRAM_NAME} from untarred directory or check your insta DBDIR=""; tDB_TARGETS="/usr/local/share/lynis/db /usr/local/lynis/db /usr/share/lynis/db ./db" for I in ${tDB_TARGETS}; do if [ "${I}" = "./db" ]; then - if [ -d ${WORKDIR}/db ]; then DBDIR="${WORKDIR}/db"; fi + if [ -d "${WORKDIR}/db" ]; then DBDIR="${WORKDIR}/db"; fi elif [ -d ${I} -a -z "${DBDIR}" ]; then DBDIR="${I}" fi From 703a856e82ed0678d33ca089cc1566dd6979b127 Mon Sep 17 00:00:00 2001 
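Review bot: Quoting fixes the space-in-path case, but both loops still let the working directory override a system install: the `"${I}" = "./include"` arm assigns INCLUDEDIR whenever `${WORKDIR}/include` exists, without the `-z "${INCLUDEDIR}"` guard that the elif arm applies, and because `./include` is the last entry of tINCLUDE_TARGETS it wins over an /usr/share/lynis/include found earlier, even though the comment calls CWD the "last option". For a root-run audit that means an include (or db) directory in the directory lynis is started from is sourced in preference to the installed one; if that is not intended, guard it the same way as the other arm: `if [ -d "${WORKDIR}/include" -a -z "${INCLUDEDIR}" ]; then INCLUDEDIR="${WORKDIR}/include"; fi`, and likewise for `${WORKDIR}/db` in the second hunk. The elif arm also still leaves `${I}` unquoted, which is harmless for these fixed paths but inconsistent with the fix.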
From: Michael Boelen Date: Thu, 14 Mar 2019 13:15:07 +0100 Subject: [PATCH 031/679] Corrected blkid detection --- include/binaries | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/include/binaries b/include/binaries index c2f7a598..18b54b2a 100644 --- a/include/binaries +++ b/include/binaries 
@@ -107,14 +107,14 @@ auditctl) AUDITCTLBINARY="${BINARY}"; LogText " Found known binary: auditctl (control utility for audit daemon) - ${BINARY}" ;; autolog) AUTOLOGBINARY="${BINARY}"; IDLE_SESSION_KILLER_INSTALLED=1; LogText " Found known binary: autolog (idle session killer) - ${BINARY}" ;; base64) BASE64BINARY="${BINARY}"; LogText " Found known binary: base64 (encoding tool) - ${BINARY}" ;; - blkid) BLKDBINARY="${BINARY}"; LogText " Found known binary: blkid (information about block devices) - ${BINARY}" ;; - bootctl) BOOTCTLBINARY="${BINARY}"; LogText " Found known binary: bootctl (systemd-boot manager utility) - ${BINARY}" ;; + blkid) BLKIDBINARY="${BINARY}"; LogText " Found known binary: blkid (information about block devices) - ${BINARY}" ;; + bootctl) BOOTCTLBINARY="${BINARY}"; LogText " Found known binary: bootctl (systemd-boot manager utility) - ${BINARY}" ;; cat) CAT_BINARY="${BINARY}"; LogText " Found known binary: cat (generic file handling) - ${BINARY}" ;; - cc) CCBINARY="${BINARY}"; COMPILER_INSTALLED=1; LogText " Found known binary: cc (compiler) - ${BINARY}" ;; + cc) CCBINARY="${BINARY}"; COMPILER_INSTALLED=1; LogText " Found known binary: cc (compiler) - ${BINARY}" ;; chkconfig) CHKCONFIGBINARY=${BINARY}; LogText " Found known binary: chkconfig (administration tool) - ${BINARY}" ;; clamconf) CLAMCONF_BINARY=${BINARY}; LogText " Found known binary: clamconf (information about ClamAV) - ${BINARY}" ;; clamscan) CLAMSCANBINARY=${BINARY}; LogText " Found known binary: clamscan (AV scanner) - ${BINARY}" ;; - clang) CLANGBINARY=${BINARY}; COMPILER_INSTALLED=1; LogText " Found known binary: clang (compiler) - ${BINARY}" ;; + clang) CLANGBINARY=${BINARY}; COMPILER_INSTALLED=1; LogText " Found known binary: clang (compiler) - ${BINARY}" ;; cfagent) CFAGENTBINARY="${BINARY}"; FILE_INT_TOOL_FOUND=1; LogText " Found known binary: cfengine agent (configuration tool) - ${BINARY}" ;; chkrootkit) CHKROOTKITBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText 
" Found known binary: chkrootkit (malware scanner) - ${BINARY}" ;; comm) COMMBINARY="${BINARY}"; LogText " Found known binary: comm (file compare) - ${BINARY}" ;; From dac92d27bb6dcec4f11b922786e4bbc60f0fb19e Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Thu, 14 Mar 2019 13:15:32 +0100 Subject: [PATCH 032/679] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index c06b30f9..8be56fd0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,7 @@ ### Changed - KRNL-5820 - Changed color for default fs.suid_dumpable value - Improvements to allow tailored tool tips +- Corrected detection of blkid binary - Minor textual changes --------------------------------------------------------------------------------- From 89782f1e9835b319b67cd0231d574e3081dd32cf Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Thu, 14 Mar 2019 14:15:59 +0100 Subject: [PATCH 033/679] Add logging status of tool tips --- include/tool_tips | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/include/tool_tips b/include/tool_tips index 343a943c..bf529ca2 100644 --- a/include/tool_tips +++ b/include/tool_tips @@ -26,6 +26,7 @@ # Only show tips when enabled if [ ${SHOW_TOOL_TIPS} -eq 1 ]; then + LogText "Tool tips: enabled" # * Regular security auditing # # If package is installed, then suggest users to schedule the audit daily @@ -56,6 +57,10 @@ # fi # done #fi + + else + LogText "Tool tips: enabled" + fi From 4a47bde240f271deb46341e66dc7a38fe8b1f4f6 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 15 Mar 2019 13:52:55 +0100 Subject: [PATCH 034/679] Adjusted descriptions --- include/tests_squid | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/tests_squid b/include/tests_squid index 3e1dbe2e..c9eb1b71 100644 --- a/include/tests_squid +++ b/include/tests_squid 
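Review bot: The new `else` arm logs `Tool tips: enabled`, the same text as the `if` arm, so the log can never tell the two states apart; it should read `LogText "Tool tips: disabled"`. The `if [ ${SHOW_TOOL_TIPS} -eq 1 ]` that the arm completes opens in the first hunk and its body (a large commented-out block) lies between the two hunks, so a one-line comment above the `else` explaining that the block is kept as a template for future tips would help the next reader.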
@@ -111,7 +111,7 @@ # Test : SQD-3610 # Description : Check Squid configuration options if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no SQD-3610 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid version" + Register --test-no SQD-3610 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Gather Squid settings" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking all specific defined options in ${SQUID_DAEMON_CONFIG}" FIND=$(${GREPBINARY} -v "^#" ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{gsub("\t"," ");print}' | ${SEDBINARY} 's/ /!space!/g') @@ -126,7 +126,7 @@ ################################################################################# # # Test : SQD-3613 - # Description : Check Squid configuration options + # Description : Check Squid configuration file permissions if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no SQD-3613 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid file permissions" if [ ${SKIPTEST} -eq 0 ]; then From b6b1f109012cc5aba7fc3f8c7ee190b903d5fbea Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 15 Mar 2019 13:53:06 +0100 Subject: [PATCH 035/679] Updated log --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8be56fd0..4ef53afb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,8 @@ ### Changed - KRNL-5820 - Changed color for default fs.suid_dumpable value +- SQD-3610 - Description of test changed +- SQD-3613 - Corrected description in code - Improvements to allow tailored tool tips - Corrected detection of blkid binary - Minor textual changes From 048815abc0106c61854e2d89dee82a162388972a Mon Sep 17 00:00:00 2001 
From: Michael Boelen Date: Fri, 15 Mar 2019 14:00:47 +0100 Subject: [PATCH 036/679] [SSH-7408] Increased values for MaxAuthRetries as sometimes SSH key-based authentication may need it --- include/tests_ssh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_ssh b/include/tests_ssh index 29b8aa52..fe303778 100644 --- a/include/tests_ssh +++ b/include/tests_ssh @@ -137,7 +137,7 @@ IgnoreRhosts:YES,,NO:=\ LoginGraceTime:120,240,480:<\ LogLevel:VERBOSE,INFO,:=\ - MaxAuthTries:2,4,6:<\ + MaxAuthTries:3,6,999:<\ MaxSessions:2,4,8:<\ PermitRootLogin:(NO|PROHIBIT-PASSWORD|WITHOUT-PASSWORD),,YES:=\ PermitUserEnvironment:NO,,YES:=\ From a350dfec1b2ccdda7ecfac6125b8eb559c7bffe3 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 15 Mar 2019 14:01:48 +0100 Subject: [PATCH 037/679] Updated log --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4ef53afb..d56b7ce2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,7 +9,8 @@ - KRNL-5820 - Changed color for default fs.suid_dumpable value - SQD-3610 - Description of test changed - SQD-3613 - Corrected description in code -- Improvements to allow tailored tool tips +- SSH-7408 - Increased values for MaxAuthRetries +- Improvements to allow tailored tool tips in future - Corrected detection of blkid binary - Minor textual changes From 306d9eaab6ee20d741fcff33be9f06e4c6d8ff63 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 15 Mar 2019 14:24:42 +0100 Subject: [PATCH 038/679] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d56b7ce2..29cab4c1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
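Review bot: With `MaxAuthTries:3,6,999:<` the third tier, which presumably is the value at which the option is reported as weak, is now 999, so any realistic setting (OpenSSH's default of 6, or 20, or 100) no longer reaches it; unless the comparison logic (outside this hunk) treats values above the middle tier specially, the commit effectively removes the finding rather than loosening it. If the goal is to tolerate clients that offer many keys, keep an actual ceiling, e.g. `MaxAuthTries:3,6,10:<\`. Note also that the commit message and changelog call the option MaxAuthRetries while the code and sshd use MaxAuthTries. The option table continues outside the hunk.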
@@ -7,6 +7,7 @@ ### Changed - KRNL-5820 - Changed color for default fs.suid_dumpable value +- LOGG-2154 - Adjusted test to search in configuration file correctly - SQD-3610 - Description of test changed - SQD-3613 - Corrected description in code - SSH-7408 - Increased values for MaxAuthRetries From 303050dda3ffa97c0139db07dfa41f94f2f217f8 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 15 Mar 2019 14:25:00 +0100 Subject: [PATCH 039/679] [LOGG-2154] Adjusted test to search in configuration file correctly --- include/tests_logging | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_logging b/include/tests_logging index efb9e9d2..27e6baef 100644 --- a/include/tests_logging +++ b/include/tests_logging @@ -363,7 +363,7 @@ # Search for configured destinations with an IP address or hostname, then determine which ones are used as a log destination DESTINATIONS=$(${GREPBINARY} "^destination" ${SYSLOGD_CONF} | ${EGREPBINARY} "(udp|tcp)" | ${GREPBINARY} "port" | ${AWKBINARY} '{print $2}') for DESTINATION in ${DESTINATIONS}; do - FIND2=$(${GREPBINARY} "log" | ${GREPBINARY} "source" | ${EGREPBINARY} "destination\(${DESTINATION}\)") + FIND2=$(${GREPBINARY} "log" ${SYSLOGD_CONF} | ${GREPBINARY} "source" | ${EGREPBINARY} "destination\(${DESTINATION}\)") if [ ! -z "${FIND2}" = "" ]; then LogText "Result: found destination ${DESTINATION} configured for remote logging" REMOTE_LOGGING_ENABLED=1 From 888df98af46549c7b93f907477e0316faad9c7bd Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 19 Mar 2019 13:06:31 +0100 Subject: [PATCH 040/679] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 29cab4c1..9a1cdfd9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
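Review bot: The line directly after the fix still reads `if [ ! -z "${FIND2}" = "" ]; then`, which mixes the unary `-z` with a binary `=` and is not a valid test expression (bash reports "too many arguments"), so the branch never runs and REMOTE_LOGGING_ENABLED is never set even now that grep reads the right file; it should be `if [ ! -z "${FIND2}" ]; then`. Separately, `${DESTINATION}` is interpolated unescaped into the egrep pattern `destination\(${DESTINATION}\)`, so a destination name containing regex metacharacters matches more loosely than intended; a fixed-string match such as `${GREPBINARY} -F "destination(${DESTINATION})"` is exact. The for loop and the test it belongs to start before the hunk.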
@@ -6,6 +6,7 @@ - Detection for Lynis being scheduled (e.g. cronjob) ### Changed +- HTTP-6624 - Improved logging for test - KRNL-5820 - Changed color for default fs.suid_dumpable value - LOGG-2154 - Adjusted test to search in configuration file correctly - SQD-3610 - Description of test changed From 928023ec6aead100a517d8c342c1e9b9f649a5fc Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 19 Mar 2019 13:07:12 +0100 Subject: [PATCH 041/679] [HTTP-6624] improved logging for test --- include/tests_webservers | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/include/tests_webservers b/include/tests_webservers index 459e1633..5d0907b9 100644 --- a/include/tests_webservers +++ b/include/tests_webservers @@ -113,9 +113,10 @@ Display --indent 6 --text "Info: Configuration file found (${APACHE_CONFIGFILE})" LogText "Result: Configuration file found (${APACHE_CONFIGFILE})" else - LogText "Result: File or directory ${APACHE_CONFIGFILE} does not exist" + LogText "Result: File or directory ${APACHE_TESTFILE} does not exist" Display --indent 6 --text "[Notice] possible directory/file parts found, but still unsure what the real configuration file is. Skipping some Apache related tests" ReportException "${TEST_NO}:1" "Found some unknown directory or file references in Apache configuration" + LogText "Note: if only the Apache binary package has been installed, then the configuration might be missing. Is the Apache package really needed?" fi fi fi From 943e09db01bf524c99396e64c5e053f53ec1f732 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Thu, 21 Mar 2019 09:07:05 +0100 Subject: [PATCH 042/679] [LOGG-2180] minor cleanup --- include/tests_logging | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/include/tests_logging b/include/tests_logging index 27e6baef..c7995b47 100644 --- a/include/tests_logging +++ b/include/tests_logging 
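Review bot: The corrected log line now names `${APACHE_TESTFILE}`, which is not assigned anywhere in the hunk; if it is the per-candidate variable of the enclosing loop (which starts before the hunk) this is the right fix, otherwise the message loses the path it is meant to report, so please confirm. The added `Note:` is really advice to the operator rather than a result, and buried in the log it will rarely be seen; `ReportSuggestion "${TEST_NO}" "Apache configuration not found; verify whether the Apache package is needed"` would surface it in the report while keeping the LogText.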
@@ -465,13 +465,11 @@ FIND=$(${LSOFBINARY} -n 2>&1 | ${GREPBINARY} "log$" | ${EGREPBINARY} -v "WARNING|Output information" | ${AWKBINARY} '{ if ($5=="REG") { print $9 } }' | ${SORTBINARY} -u | ${GREPBINARY} -v "^$") for I in ${FIND}; do LogText "Found logfile: ${I}" - Report "open_logfile[]=${I}" done Display --indent 2 --text "- Checking open log files" --result "${STATUS_DONE}" --color GREEN else LogText "Result: lsof not installed, skipping test" - Display --indent 2 --text "- Checking open log files" --result "${STATUS_SKIPPED}" --color YELLOW - # Add suggestion + Display --indent 2 --text "- Checking open log files" --result "${STATUS_SKIPPED}" --color WHITE fi fi # From ea8c032ea91223bd2c8eac7b0087808747b0e316 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Thu, 21 Mar 2019 09:34:26 +0100 Subject: [PATCH 043/679] [NETW-3015] added support for ip binary --- include/tests_networking | 41 +++++++++++++++++++++++++++++----------- 1 file changed, 30 insertions(+), 11 deletions(-) diff --git a/include/tests_networking b/include/tests_networking index e2503b60..3986220b 100644 --- a/include/tests_networking +++ b/include/tests_networking 
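Review bot: Dropping `Report "open_logfile[]=${I}"` removes a field from lynis-report.dat that downstream consumers may key on, which is more than a "minor cleanup"; either keep the Report line or record the removal in the changelog. Independently, the lsof pipeline merges stderr with `2>&1` and then filters it back out with `${EGREPBINARY} -v "WARNING|Output information"`; `${LSOFBINARY} -n -w 2> /dev/null` suppresses the warnings at the source (lsof's -w disables them), and `print $9` plus `for I in ${FIND}` still truncate any log path containing a space. The test's Register line and enclosing if start before the hunk.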
@@ -507,35 +507,54 @@ # # Test : NETW-3015 # Description : Checking promiscuous interfaces (Linux) - # Note : Need ifconfig binary at this moment (does not work on Arch Linux) - if [ ! "${IFCONFIGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no NETW-3015 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking promiscuous interfaces (Linux)" + Register --test-no NETW-3015 --os Linux --weight L --network NO --category security --description "Checking promiscuous interfaces (Linux)" if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: Checking promiscuous interfaces (Linux)" - NETWORK=$(${IFCONFIGBINARY} 2> /dev/null | ${GREPBINARY} Link | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f1) - if [ ! "${NETWORK}" = "" ]; then + FOUNDPROMISC=99 + NETWORK="" + USE_IP_INSTEAD_IFCONFIG=0 + + if [ ! -z "${IPBINARY}" ]; then + LogText "Test: Using ip binary to retrieve network interfaces" + NETWORK=$(${IPBINARY} -o link 2> /dev/null | ${GREPBINARY} "^[0-9]" | ${AWKBINARY} '{print $2 }' | ${TRBINARY} -d ':') + USE_IP_INSTEAD_IFCONFIG=1 + elif [ ! -z "${IFCONFIGBINARY}" ]; then + LogText "Test: Using ifconfig binary to retrieve network interfaces" + NETWORK=$(${IFCONFIGBINARY} 2> /dev/null | ${GREPBINARY} Link | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f1) + fi + + LogText "Test: Checking all interfaces to discover any with promiscuous mode enabled" + if [ ! -z "${NETWORK}" ]; then + FOUNDPROMISC=0 for I in ${NETWORK}; do - FIND=$(${IFCONFIGBINARY} ${I} 2> /dev/null | ${GREPBINARY} PROMISC) - if [ ! "${FIND}" = "" ]; then + if [ ${USE_IP_INSTEAD_IFCONFIG} -eq 1 ]; then + FIND=$(${IPBINARY} -o -d link show ${I} 2> /dev/null | ${GREPBINARY} 'promiscuity 1') + else + FIND=$(${IFCONFIGBINARY} ${I} 2> /dev/null | ${GREPBINARY} PROMISC) + fi + if [ ! 
-z "${FIND}" ]; then LogText "Result: Promiscuous interface: ${I}" ISWHITELISTED=$(${GREPBINARY} "^if_promisc:${I}:" ${PROFILE}) - if [ "${ISWHITELISTED}" = "" ]; then + if [ -z "${ISWHITELISTED}" ]; then FOUNDPROMISC=1 - ReportWarning ${TEST_NO} "Found promiscuous interface (${I})" + ReportWarning ${TEST_NO} "Found promiscuous interface" "${I}" "text:Determine if this mode is required or whitelist interface in profile" LogText "Note: some tools put an interface into promiscuous mode, to capture/log network traffic" else LogText "Result: Found promiscuous interface ${I} (*whitelisted via profile*)" fi fi done + else + LogText "Result: no network interfaces discovered, so nothing tested" fi # Show result if [ ${FOUNDPROMISC} -eq 0 ]; then Display --indent 2 --text "- Checking promiscuous interfaces" --result "${STATUS_OK}" --color GREEN LogText "Result: No promiscuous interfaces found" - else + elif [ ${FOUNDPROMISC} -eq 1 ]; then Display --indent 2 --text "- Checking promiscuous interfaces" --result "${STATUS_WARNING}" --color RED + else + Display --indent 2 --text "- Checking promiscuous interfaces" --result "${STATUS_UNKNOWN}" --color YELLOW fi fi # From 09e2de2ea5620026f9be8f13b491437e8e50074e Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Thu, 21 Mar 2019 09:35:30 +0100 Subject: [PATCH 044/679] Release 2.7.3 --- CHANGELOG.md | 5 +++-- lynis | 6 +++--- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9a1cdfd9..a3522551 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,6 @@ # Lynis Changelog -## Lynis 2.7.3 (not released yet) +## Lynis 2.7.3 (2019-03-21) ### Added - Detection for Lynis being scheduled (e.g. cronjob) 
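Review bot: The ip branch matches `promiscuity 1` literally, but `ip -d link` prints a counter, so an interface put into promiscuous mode by two listeners (`promiscuity 2`) is reported as clean; match any non-zero value instead, `FIND=$(${IPBINARY} -o -d link show ${I} 2> /dev/null | ${GREPBINARY} 'promiscuity [1-9]')`. The interface list from `ip -o link` also keeps the `@peer` suffix of veth/VLAN names (`eth0@if5`), so `ip -o -d link show ${I}` fails for those and they are silently skipped; strip it after the `tr -d ':'`, e.g. `| ${SEDBINARY} 's/@.*//'`. The name is further interpolated unescaped into the profile grep `^if_promisc:${I}:`; harmless for kernel-generated names, but worth noting in a comment. The test closes inside the hunk and its Register call is at the top of it.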
@@ -9,12 +9,13 @@ - HTTP-6624 - Improved logging for test - KRNL-5820 - Changed color for default fs.suid_dumpable value - LOGG-2154 - Adjusted test to search in configuration file correctly +- NETW-3015 - Added support for ip binary - SQD-3610 - Description of test changed - SQD-3613 - Corrected description in code - SSH-7408 - Increased values for MaxAuthRetries - Improvements to allow tailored tool tips in future - Corrected detection of blkid binary -- Minor textual changes +- Minor textual changes and cleanups --------------------------------------------------------------------------------- diff --git a/lynis b/lynis index cf0bfa98..15d509ea 100755 --- a/lynis +++ b/lynis @@ -35,9 +35,9 @@ PROGRAM_AUTHOR_CONTACT="lynis-dev@cisofy.com" # Version details - PROGRAM_RELEASE_DATE="2019-03-07" - PROGRAM_RELEASE_TIMESTAMP=1551949337 - PROGRAM_RELEASE_TYPE="dev" # dev or final + PROGRAM_RELEASE_DATE="2019-03-21" + PROGRAM_RELEASE_TIMESTAMP=1553157295 + PROGRAM_RELEASE_TYPE="final" # dev or final PROGRAM_VERSION="2.7.3" # Source, documentation and license From 52dd096e0f6aa9804d2c0305cd5dcb5ee4b2d352 Mon Sep 17 00:00:00 2001 From: Capashenn Date: Tue, 19 Mar 2019 10:45:10 +0100 Subject: [PATCH 045/679] fix issue #621 --- include/tests_ssh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/include/tests_ssh b/include/tests_ssh index fe303778..e811e069 100644 --- a/include/tests_ssh +++ b/include/tests_ssh 
@@ -98,12 +98,12 @@ if [ ${SSH_DAEMON_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no SSH-7406 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Determine OpenSSH version" if [ ${SKIPTEST} -eq 0 ]; then - OPENSSHD_VERSION=$(sshd -t -d 2>&1 | ${GREPBINARY} 'sshd version' | ${AWKBINARY} '{if($4~OpenSSH_){print $4}}' | ${AWKBINARY} -F_ '{print $2}' | ${TRBINARY} -d ',') + OPENSSHD_VERSION=$(${SSHDBINARY} -t -d 2>&1 | ${GREPBINARY} 'sshd version' | ${AWKBINARY} '{if($4~OpenSSH_){print $4}}' | ${AWKBINARY} -F_ '{print $2}' | ${TRBINARY} -d ',' | ${TRBINARY} -d '\r') LogText "Result: discovered OpenSSH version is ${OPENSSHD_VERSION}" if [ ! -z ${OPENSSHD_VERSION} ]; then - OPENSSHD_VERSION_MAJOR=$(echo ${OPENSSHD_VERSION} | ${AWKBINARY} -F. '{print $1}') + OPENSSHD_VERSION_MAJOR=$(echo ${OPENSSHD_VERSION%%p*} | ${AWKBINARY} -F. '{print $1}') LogText "Result: OpenSSH major version: ${OPENSSHD_VERSION_MAJOR}" - OPENSSHD_VERSION_MINOR=$(echo ${OPENSSHD_VERSION} | ${AWKBINARY} -F. '{print $2}') + OPENSSHD_VERSION_MINOR=$(echo ${OPENSSHD_VERSION%%p*} | ${AWKBINARY} -F. '{print $2}') LogText "Result: OpenSSH minor version: ${OPENSSHD_VERSION_MINOR}" fi fi @@ -113,7 +113,7 @@ # Test : SSH-7408 # Description : Check SSH specific defined options # Notes : Instead of parsing the configuration file, we query the SSH daemon itself - if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! -z "${SSH_DAEMON_OPTIONS_FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! -z "${SSH_DAEMON_OPTIONS_FILE}" -a ${OPENSSHD_VERSION_MAJOR} -ge 5 -a ${OPENSSHD_VERSION_MINOR} -ge 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no SSH-7408 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check SSH specific defined options" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking specific defined options in ${SSH_DAEMON_OPTIONS_FILE}" 
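Review bot: The new prerequisite `${OPENSSHD_VERSION_MAJOR} -ge 5 -a ${OPENSSHD_VERSION_MINOR} -ge 1` does not express "OpenSSH 5.1 or later": versions 6.0, 7.0 and 8.0 fail the `-ge 1` minor test and skip SSH-7408 entirely, and when SSH-7406 found no version both variables are unset, so `[ -ge 5 ... ]` is a test syntax error that silently yields PREQS_MET=NO. Compare the major first and only consult the minor when the major is exactly 5, with a guard for empty values, as below. SSH-7406 also still leaves `${OPENSSHD_VERSION}` unquoted in its `-z` check. The body of SSH-7408 continues outside the hunk.
```shell
    # OpenSSH 5.1 or later is required for the daemon-query approach of this test;
    # an unknown version (SSH-7406 found nothing) does not meet the prerequisite
    SSHD_VERSION_OK=0
    if [ ! -z "${OPENSSHD_VERSION_MAJOR}" -a ! -z "${OPENSSHD_VERSION_MINOR}" ]; then
        if [ "${OPENSSHD_VERSION_MAJOR}" -gt 5 ]; then
            SSHD_VERSION_OK=1
        elif [ "${OPENSSHD_VERSION_MAJOR}" -eq 5 -a "${OPENSSHD_VERSION_MINOR}" -ge 1 ]; then
            SSHD_VERSION_OK=1
        fi
    fi
    if [ ${SSH_DAEMON_RUNNING} -eq 1 -a ! -z "${SSH_DAEMON_OPTIONS_FILE}" -a ${SSHD_VERSION_OK} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    # … unchanged: Register call and test body …
```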
From 5dbe4f20fcbe0591396d996d748454ab5278770d Mon Sep 17 00:00:00 2001 From: Capashenn Date: Thu, 21 Mar 2019 18:24:06 +0100 Subject: [PATCH 046/679] Add some default permfile/permdir --- default.prf | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/default.prf b/default.prf index ef474b1f..d7c35e66 100644 --- a/default.prf +++ b/default.prf @@ -332,7 +332,28 @@ openldap:slapd.conf:owner:ldap-root: #permfile:/etc/inetd.conf:rw-------:root:-:WARN: #permfile:/etc/fstab:rw-r--r--:root:-:WARN: permfile:/etc/lilo.conf:rw-------:root:-:WARN: - +permfile:/boot/grub2/grub.cfg:rw-------:root:root:WARN: +permfile:/boot/grub/grub.cfg:rw-------:root:root:WARN: +permfile:/boot/grub2/user.cfg:rw-------:root:root:WARN: +permfile:/etc/motd:rw-r--r--:root:root:WARN: +permfile:/etc/issue:rw-r--r--:root:root:WARN: +permfile:/etc/issue.net:rw-r--r--:root:root:WARN: +permfile:/etc/hosts.allow:rw-r--r--:root:root:WARN: +permfile:/etc/hosts.deny:rw-r--r--:root:root:WARN: +permfile:/etc/crontab:rw-------:root:-:WARN: +permfile:/etc/cron.allow:rw-------:root:-:WARN: +permfile:/etc/cron.deny:rw-------:root:-:WARN: +permfile:/etc/at.allow:rw-------:root:-:WARN: +permfile:/etc/at.deny:rw-------:root:-:WARN: +permfile:/etc/ssh/sshd_config:rw-------:root:-:WARN: +permfile:/etc/passwd:rw-r--r--:root:-:WARN: +permfile:/etc/shadow:---------:root:-:WARN: +permfile:/etc/group:rw-r--r--:root:-:WARN: +permfile:/etc/gshadow:---------:root:-:WARN: +permfile:/etc/passwd-:rw-r--r--:root:-:WARN: +permfile:/etc/shadow-:---------:root:-:WARN: +permfile:/etc/group-:rw-r--r--:root:-:WARN: +permfile:/etc/gshadow-:---------:root:-:WARN: ################################################################################# # 
@@ -343,6 +364,11 @@ permfile:/etc/lilo.conf:rw-------:root:-:WARN: ################################################################################# permdir:/root/.ssh:rwx------:root:-:WARN: +permdir:/etc/cron.hourly:rwx------:root:root:WARN: +permdir:/etc/cron.daily:rwx------:root:root:WARN: +permdir:/etc/cron.weekly:rwx------:root:root:WARN: +permdir:/etc/cron.monthly:rwx------:root:root:WARN: +permdir:/etc/cron.d:rwx------:root:root:WARN: # Scan for a program/binary in BINPATHs #scanbinary:Rootkit Hunter:rkhunter: From c8af37c069313a3bad1d47e7bd33391e3a83e538 Mon Sep 17 00:00:00 2001 From: Capashenn Date: Mon, 25 Mar 2019 13:44:25 +0100 Subject: [PATCH 047/679] fix issues #666 #667 --- include/tests_homedirs | 59 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) diff --git a/include/tests_homedirs b/include/tests_homedirs index 045a2753..6beadaa5 100644 --- a/include/tests_homedirs +++ b/include/tests_homedirs 
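Review bot: `/etc/cron.d`, `/etc/cron.hourly` and the other new cron directories are installed as `rwxr-xr-x` on Debian/Ubuntu and on most RPM-based systems, so `rwx------` will warn on nearly every host; 700 is a defensible hardening target (it is what benchmark guidance recommends), but a comment above the entries saying so would save users a confused bug report. The owner column also differs from the existing `/root/.ssh` line (`root:-`); use the same form unless the group must be root.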
@@ -50,6 +50,65 @@ fi # ################################################################################# +# + # Test : HOME-9304 + # Description : Check if users' home directories permissions are 750 or more restrictive + Register --test-no HOME-9304 --weight L --network NO --category security --description "Check if users' home directories permissions are 750 or more restrictive" + if [ ${SKIPTEST} -eq 0 ]; then + # Check if users' home directories permissions are 750 or more restrictive + FOUND=0 + for LINE in $(${CAT_BINARY} /etc/passwd | ${EGREPBINARY} -v '^(root|halt|sync|shutdown)' | ${AWKBINARY} -F: '($7 !="/sbin/nologin" && $7 != "/bin/false") { print }'); do + USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1) + DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6) + if [ -d ${DIR} ]; then + WRITE_GROUP_PERM=$(ls -ld ${DIR} | ${CUTBINARY} -f1 -d" " | ${CUTBINARY} -c6) + OTHER_PERMS=$(ls -ld ${DIR} | ${CUTBINARY} -f1 -d" " | ${CUTBINARY} -c8-10) + if [ ! ${WRITE_GROUP_PERM} = "-" -o ! ${OTHER_PERMS} = "---" ]; then + LogText "Result: permissions of home directory ${DIR} of user ${USER} are not strict enough. Should be 750 or more restrictive. Change with: chmod 750 ${DIR}" + FOUND=1 + fi + fi + done + # Result + if [ ${FOUND} -eq 1 ]; then + Display --indent 2 --text "- Checking users' home directories permissions" --result "${STATUS_WARNING}" --color RED + ReportWarning ${TEST_NO} "Permissions of some users' home directories are not strict enough. Should be 750 or more restrictive." 
+ else + Display --indent 2 --text "- Checking users' home directories permissions" --result "${STATUS_OK}" --color GREEN + LogText "Result: Ok, All users' home directories permissions are 750 or more restrictive" + fi + fi +# +################################################################################# +# + # Test : HOME-9306 + # Description : Check if users own their home directories + Register --test-no HOME-9306 --weight L --network NO --category security --description "Check if users own their home directories" + if [ ${SKIPTEST} -eq 0 ]; then + # Check if users own their home directories + FOUND=0 + for LINE in $(${CAT_BINARY} /etc/passwd | ${EGREPBINARY} -v '^(root|halt|sync|shutdown)' | ${AWKBINARY} -F: '($7 !="/sbin/nologin" && $7 != "/bin/false") { print }'); do + USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1) + DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6) + if [ -d ${DIR} ]; then + OWNER=$(ls -ld ${DIR} | awk -F" " '{ print $3 }') + if [ ! ${OWNER} = ${USER} ]; then + LogText "Result: The home directory ${DIR} of user ${USER} is owned by ${OWNER}. Change with: chown ${OWNER} ${DIR}" + FOUND=1 + fi + fi + done + # Result + if [ ${FOUND} -eq 1 ]; then + Display --indent 2 --text "- Checking users' home directories ownership" --result "${STATUS_WARNING}" --color RED + ReportWarning ${TEST_NO} "Owner of some users' home directories are not correctly set" + else + Display --indent 2 --text "- Checking users' home directories ownership" --result "${STATUS_OK}" --color GREEN + LogText "Result: Ok, All users own their home directories" + fi + fi +# +################################################################################# # # Test : HOME-9310 # Description : Check for suspicious shell history files From 06cdf6c50f7bac61afc6dc383716262e7c7d9838 Mon Sep 17 00:00:00 2001 
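Review bot: HOME-9306's remediation hint is inverted: `Change with: chown ${OWNER} ${DIR}` re-applies the current (wrong) owner, it should read `chown ${USER} ${DIR}`. Both new tests also iterate `for LINE in $(${CAT_BINARY} /etc/passwd ...)`, which word-splits on the spaces common in GECOS fields and then runs `cut -d: -f6` on the fragments, and the shell filter only excludes `/sbin/nologin` and `/bin/false`, so on Debian/Ubuntu every `/usr/sbin/nologin` service account is checked and its directory (e.g. under /var/spool) is flagged as a user home; have awk emit only what is needed, `${AWKBINARY} -F: '($7 !~ /nologin$/ && $7 != "/bin/false") { print $1":"$6 }'`, and split with `USER=${LINE%%:*}; DIR=${LINE#*:}`. The ownership check parses `ls -ld` with a bare `awk` instead of `${AWKBINARY}`, and `${DIR}` is unquoted throughout. The hunk ends before the unchanged HOME-9310 test.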
From: Capashenn Date: Mon, 25 Mar 2019 14:46:27 +0100 Subject: [PATCH 048/679] fix issue #659 --- include/tests_kernel | 68 ++++++++++++++++++++++++-------------------- 1 file changed, 37 insertions(+), 31 deletions(-) diff --git a/include/tests_kernel b/include/tests_kernel index f89177ce..66a80214 100644 --- a/include/tests_kernel +++ b/include/tests_kernel @@ -31,6 +31,7 @@ CPU_NX=0 LINUXCONFIGFILE="" LINUXCONFIGFILE_ZIPPED=0 + LIMITS_DIRECTORY="${ROOTDIR}etc/security/limits.d" # ################################################################################# # 
@@ -436,51 +437,56 @@ # Description : Checking core dumps configuration (Linux) Register --test-no KRNL-5820 --os Linux --weight L --network NO --category security --description "Checking core dumps configuration" if [ ${SKIPTEST} -eq 0 ]; then + # Limits option LogText "Test: Checking presence /etc/security/limits.conf" if [ -f /etc/security/limits.conf ]; then LogText "Result: file /etc/security/limits.conf exists" - LogText "Test: Checking if core dumps are disabled in /etc/security/limits.conf" - FIND1=$(${GREPBINARY} -v "^#" /etc/security/limits.conf | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="1") { print "soft core enabled" } }') - FIND2=$(${GREPBINARY} -v "^#" /etc/security/limits.conf | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="1") { print "hard core enabled" } }') - if [ "${FIND1}" = "soft core enabled" -o "${FIND2}" = "hard core enabled" ]; then - LogText "Result: core dumps (soft or hard) are enabled" - Display --indent 2 --text "- Checking core dumps configuration" --result "${STATUS_ENABLED}" --color YELLOW - ReportSuggestion "${TEST_NO}" "Check if core dumps need to be enabled on this system" - AddHP 1 2 - else + LogText "Test: Checking if core dumps are disabled in /etc/security/limits.conf and /etc/security/limits.d/*" + FIND1=$(${GREPBINARY} -r -v "^#" /etc/security/limits.conf ${LIMITS_DIRECTORY} | ${AWKBINARY} -F ":" '{print $2}' | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="0") { print "soft core disabled" } else if ($1=="*" && $2=="soft" && $3=="core" && $4!="0") { print "soft core enabled" } }') + FIND2=$(${GREPBINARY} -r -v "^#" /etc/security/limits.conf ${LIMITS_DIRECTORY} | ${AWKBINARY} -F ":" '{print $2}' | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="0") { print "hard core disabled" } else if ($1=="*" && $2=="hard" && $3=="core" && $4!="0") { print "hard core 
enabled" } }') + if [ "${FIND2}" = "hard core disabled" ]; then LogText "Result: core dumps (soft and hard) are both disabled" Display --indent 2 --text "- Checking core dumps configuration" --result "${STATUS_DISABLED}" --color GREEN CORE_DUMPS_DISABLED=1 AddHP 3 3 - fi - - # Sysctl option - LogText "Test: Checking sysctl value of fs.suid_dumpable" - FIND=$(${SYSCTLBINARY} fs.suid_dumpable 2> /dev/null | ${AWKBINARY} '{ if ($1=="fs.suid_dumpable") { print $3 } }') - if [ -z "${FIND}" ]; then - LogText "Result: sysctl key fs.suid_dumpable not found" + elif [ "${FIND1}" = "soft core enabled" -o "${FIND2}" = "hard core enabled" ]; then + LogText "Result: core dumps (soft or hard) are enabled" + Display --indent 2 --text "- Checking core dumps configuration" --result "${STATUS_ENABLED}" --color YELLOW + ReportSuggestion "${TEST_NO}" "Check if core dumps need to be enabled on this system" + AddHP 1 3 else - LogText "Result: value ${FIND} found" - fi - if [ "${FIND}" = "2" ]; then - LogText "Result: programs can dump core dump, but only readable by root (value 2, for debugging with file protection)" - Display --indent 4 --text "- Checking setuid core dumps configuration" --result PROTECTED --color GREEN - AddHP 1 1 - elif [ "${FIND}" = "1" ]; then - LogText "Result: all programs can perform core dumps (value 1, for debugging)" - Display --indent 2 --text "- Checking setuid core dumps configuration" --result DEBUG --color YELLOW - ReportSuggestion "${TEST_NO}" "Determine if all binaries need to be able to core dump" - AddHP 0 1 - else - LogText "Result: found default option, some programs can dump (not processes which need to change credentials)" - Display --indent 4 --text "- Checking setuid core dumps configuration" --result DEFAULT --color WHITE - AddHP 1 1 + LogText "Result: core dumps are not explicitly disabled" + Display --indent 2 --text "- Checking core dumps configuration" --result "${STATUS_NOT_FOUND}" --color WHITE + ReportSuggestion "${TEST_NO}" "If not 
required, consider explicit disabling of core dump in /etc/security/limits.conf file" + AddHP 2 3 fi else LogText "Result: file /etc/security/limits.conf does not exist, skipping test" fi # TODO: Check ulimit settings in /etc/profile and /etc/profile.d + # Sysctl option + LogText "Test: Checking sysctl value of fs.suid_dumpable" + FIND=$(${SYSCTLBINARY} fs.suid_dumpable 2> /dev/null | ${AWKBINARY} '{ if ($1=="fs.suid_dumpable") { print $3 } }') + if [ -z "${FIND}" ]; then + LogText "Result: sysctl key fs.suid_dumpable not found" + else + LogText "Result: value ${FIND} found" + fi + if [ "${FIND}" = "2" ]; then + LogText "Result: programs can dump core dump, but only readable by root (value 2, for debugging with file protection)" + Display --indent 4 --text "- Checking setuid core dumps configuration" --result PROTECTED --color GREEN + AddHP 1 1 + elif [ "${FIND}" = "1" ]; then + LogText "Result: all programs can perform core dumps (value 1, for debugging)" + Display --indent 2 --text "- Checking setuid core dumps configuration" --result DEBUG --color YELLOW + ReportSuggestion "${TEST_NO}" "Determine if all binaries need to be able to core dump" + AddHP 0 1 + else + LogText "Result: found default option, some programs can dump (not processes which need to change credentials)" + Display --indent 4 --text "- Checking setuid core dumps configuration" --result DEFAULT --color WHITE + AddHP 1 1 + fi fi # ################################################################################# From 3ba94b9700ca6cc549ce48d133311c874754448c Mon Sep 17 00:00:00 2001 From: Capashenn Date: Mon, 25 Mar 2019 18:36:07 +0100 Subject: [PATCH 049/679] fix issue #610 STRG-1842 --- include/tests_usb | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/include/tests_usb b/include/tests_usb index dcb8ad77..6c874364 100644 --- a/include/tests_usb +++ b/include/tests_usb 
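Review bot: The new comparisons `"${FIND2}" = "hard core disabled"` and `= "hard core enabled"` only hold when exactly one matching line exists; as soon as `* hard core 0` appears both in limits.conf and in a limits.d drop-in (the very case the commit sets out to cover) FIND2 holds two lines, every test fails, and the result becomes "not explicitly disabled". Deduplicate both pipelines with `| ${SORTBINARY} -u`, and decide the conflicting case (an enabled and a disabled line) explicitly rather than falling through; if limits.conf(5) lets later matching entries override earlier ones, the last line rather than the first should decide, so please check before choosing. The grep also runs without `2> /dev/null`, so a missing `${LIMITS_DIRECTORY}` prints an error into the audit output, and limits.conf is still addressed as `/etc/security/limits.conf` while LIMITS_DIRECTORY is `${ROOTDIR}`-relative. The test's Register line is at the top of the hunk and its if closes within it.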
@@ -105,6 +105,10 @@ LogText "Test: ${device} is authorized currently" Report "usb_authorized_device[]=${device}" fi + else + LogText "Test: ${device} is authorized by default" + Report "usb_authorized_default_device[]=${device}" + FOUND=1 fi done From 605c381eb6063435b5da13ca2f8b3a91fe9b0aa9 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 29 Mar 2019 12:22:20 +0100 Subject: [PATCH 050/679] [PKGS-7410] add support for DPKG-based systems to gather installed kernel packages --- include/tests_ports_packages | 22 +++++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/include/tests_ports_packages b/include/tests_ports_packages index 1426a068..ff28678f 100644 --- a/include/tests_ports_packages +++ b/include/tests_ports_packages 
@@ -1247,8 +1247,20 @@ Register --test-no PKGS-7410 --weight L --network NO --category security --description "Count installed kernel packages" if [ ${SKIPTEST} -eq 0 ]; then KERNELS=0 - if [ ! -z "${RPMBINARY}" ]; then - LogText "Test: Checking how many kernel packages are installed" + LogText "Test: Checking how many kernel packages are installed" + + if [ ! -z "${DPKGBINARY}" ]; then + KERNELS=$(${DPKGBINARY} -l 2> /dev/null | ${GREPBINARY} "linux-image-[0-9]" | ${WCBINARY} -l) + if [ ${KERNELS} -eq 0 ]; then + LogText "Result: found no kernels from dpkg -l output, which is unexpected" + ReportException "KRNL-5840:2" "Could not find any kernel packages from DPKG output" + elif [ ${KERNELS} -gt 5 ]; then + LogText "Result: found more than 5 kernel packages on the system, which might indicate lack of regular cleanups" + ReportSuggestion "${TEST_NO}" "Remove any unneeded kernel packages" "${KERNELS} kernels" "text:validate dpkg -l output and perform cleanup with apt autoremove" + else + LogText "Result: found ${KERNELS} kernel packages on the system, which is fine" + fi + elif [ ! -z "${RPMBINARY}" ]; then KERNELS=$(${RPMBINARY} -q kernel 2> /dev/null | ${WCBINARY} -l) if [ ${KERNELS} -eq 0 ]; then LogText "Result: found no kernels from rpm -q kernel output, which is unexpected" @@ -1256,12 +1268,12 @@ elif [ ${KERNELS} -gt 5 ]; then LogText "Result: found more than 5 kernel packages on the system, which might indicate lack of regular cleanups" ReportSuggestion "${TEST_NO}" "Remove any unneeded kernel packages with package-cleanup utility (--old-kernels)" - AddHP 4 5 else - LogText "Result: found ${KERNELS} on the system, which is fine" - AddHP 1 1 + LogText "Result: found ${KERNELS} kernel packages on the system, which is fine" fi fi + + Report "installed_kernel_packages=${KERNELS}" fi # ################################################################################# From de2ef2c3e718ac22a11a98808b1a1795c559b487 Mon Sep 17 00:00:00 2001 
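Review bot: `${DPKGBINARY} -l | ${GREPBINARY} "linux-image-[0-9]"` counts every dpkg database row whose name matches, including packages in the `rc` state (removed, configuration files left behind), so a host that does remove old kernels can still be counted above 5 and told to clean up. Anchoring on the installed status column, `${GREPBINARY} "^ii.*linux-image-[0-9]"`, limits the count to packages that are actually installed. The exception in the zero branch is filed as `KRNL-5840:2` although this test is PKGS-7410; if that id is not intentional, `ReportException "${TEST_NO}:1" "Could not find any kernel packages from DPKG output"` keeps the report attributable to the test that raised it (the RPM branch's exception id is not visible here for comparison). The enclosing `if [ ${SKIPTEST} -eq 0 ]` block continues in the second hunk of this file.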
From: Michael Boelen Date: Fri, 29 Mar 2019 12:23:45 +0100 Subject: [PATCH 051/679] Add apt and dpkg binaries --- include/binaries | 1 + include/consts | 2 ++ 2 files changed, 3 insertions(+) diff --git a/include/binaries b/include/binaries index 18b54b2a..ec9a634f 100644 --- a/include/binaries +++ b/include/binaries @@ -99,6 +99,7 @@ afick.pl) AFICKBINARY=${BINARY}; LogText " Found known binary: afick (file integrity checker) - ${BINARY}" ;; aide) AIDEBINARY=${BINARY}; LogText " Found known binary: aide (file integrity checker) - ${BINARY}" ;; apache2) HTTPDBINARY=${BINARY}; LogText " Found known binary: apache2 (web server) - ${BINARY}" ;; + apt) APTBINARY=${BINARY}; LogText " Found known binary: apt (package manager) - ${BINARY}" ;; arch-audit) ARCH_AUDIT_BINARY="${BINARY}"; LogText " Found known binary: arch-audit (auditing utility to test for vulnerable packages) - ${BINARY}" ;; auditd) AUDITDBINARY=${BINARY}; LogText " Found known binary: auditd (audit framework) - ${BINARY}" ;; awk) AWKBINARY=${BINARY}; LogText " Found known binary: awk (string tool) - ${BINARY}" ;; diff --git a/include/consts b/include/consts index 671ed1ca..1abe26f9 100644 --- a/include/consts +++ b/include/consts @@ -46,6 +46,7 @@ unset LANG # # == Variable initializing == # + APTBINARY="" ARCH_AUDIT_BINARY="" AUDITORNAME="" AUDITCTLBINARY="" @@ -99,6 +100,7 @@ unset LANG DNFBINARY="" DOCKERBINARY="" DOCKER_DAEMON_RUNNING=0 + DPKGBINARY="" ECHOCMD="" ERROR_ON_WARNINGS=0 FAIL2BANBINARY="" From 20da48bdfeaaf5405e695ae10bff80c45d9c1de4 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 29 Mar 2019 12:24:01 +0100 Subject: [PATCH 052/679] Switch to development version --- CHANGELOG.md | 7 +++++++ lynis | 6 +++--- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a3522551..2a41b2eb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
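Review bot: Only an `apt)` arm is added to include/binaries, while include/consts initialises both `APTBINARY` and `DPKGBINARY`; unless a `dpkg)` arm already exists elsewhere in that case statement, `DPKGBINARY` stays empty and the dpkg branch of PKGS-7410 added in the previous commit never executes. A matching arm would be `dpkg) DPKGBINARY=${BINARY}; LogText " Found known binary: dpkg (package manager) - ${BINARY}" ;;`. The case statement itself starts and ends outside the hunk.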
@@ -1,5 +1,12 @@ # Lynis Changelog +## Lynis 2.7.4 (not released yet) + +### Changed +- PKGS-7410 - add support for DPKG-based systems to gather installed kernel packages + +--------------------------------------------------------------------------------- + ## Lynis 2.7.3 (2019-03-21) ### Added diff --git a/lynis b/lynis index 15d509ea..e6263074 100755 --- a/lynis +++ b/lynis @@ -35,10 +35,10 @@ PROGRAM_AUTHOR_CONTACT="lynis-dev@cisofy.com" # Version details - PROGRAM_RELEASE_DATE="2019-03-21" + PROGRAM_RELEASE_DATE="2019-03-29" PROGRAM_RELEASE_TIMESTAMP=1553157295 - PROGRAM_RELEASE_TYPE="final" # dev or final - PROGRAM_VERSION="2.7.3" + PROGRAM_RELEASE_TYPE="dev" # dev or final + PROGRAM_VERSION="2.7.4" # Source, documentation and license PROGRAM_SOURCE="https://github.com/CISOfy/lynis" From f9bcf26f25e2bd07c05e840362530abfda438a79 Mon Sep 17 00:00:00 2001 From: Capashenn <37273010+Capashenn@users.noreply.github.com> Date: Fri, 29 Mar 2019 12:26:12 +0100 Subject: [PATCH 053/679] fix issue #612 (#677) LDAP support for Red Hat and others (fix issue #612) --- include/tests_authentication | 34 ++++++++++++++++++++-------------- 1 file changed, 20 insertions(+), 14 deletions(-) diff --git a/include/tests_authentication b/include/tests_authentication index fe8ece41..9fe8af43 100644 --- a/include/tests_authentication +++ b/include/tests_authentication 
@@ -700,23 +700,29 @@ # Description : Search LDAP support in PAM files Register --test-no AUTH-9278 --weight L --network NO --category security --description "Checking LDAP pam status" if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: checking presence /etc/pam.d/common-auth" - if [ -f /etc/pam.d/common-auth ]; then - LogText "Result: file /etc/pam.d/common-auth exists" - LogText "Test: checking presence LDAP module" - FIND=$(${GREPBINARY} "^auth.*ldap" /etc/pam.d/common-auth) - if [ ! "${FIND}" = "" ]; then - LogText "Result: LDAP module present" - LogText "Output: ${FIND}" - Display --indent 2 --text "- LDAP module in PAM" --result "${STATUS_FOUND}" --color GREEN - LDAP_AUTH_ENABLED=1 - LDAP_PAM_ENABLED=1 + AUTH_FILES="/etc/pam.d/common-auth /etc/pam.d/system-auth" + for FILE in ${AUTH_FILES}; do + LogText "Test: checking presence ${FILE}" + if [ -f ${FILE} ]; then + LogText "Result: file ${FILE} exists" + LogText "Test: checking presence LDAP module" + FIND=$(${GREPBINARY} "^auth.*ldap" ${FILE}) + if [ ! "${FIND}" = "" ]; then + LogText "Result: LDAP module present" + LogText "Output: ${FIND}" + LDAP_AUTH_ENABLED=1 + LDAP_PAM_ENABLED=1 + else + LogText "Result: LDAP module not found" + fi else - LogText "Result: LDAP module not found" - Display --indent 2 --text "- LDAP module in PAM" --result "${STATUS_NOT_FOUND}" --color WHITE + LogText "Result: file ${FILE} not found, skipping test" fi + done + if [ ${LDAP_PAM_ENABLED} -eq 1 ]; then + Display --indent 2 --text "- LDAP module in PAM" --result "${STATUS_FOUND}" --color GREEN else - LogText "Result: file /etc/pam.d/common-auth not found, skipping test" + Display --indent 2 --text "- LDAP module in PAM" --result "${STATUS_NOT_FOUND}" --color WHITE fi fi # From 8a9edeb40b018dec05f9dc0418971e50f55026db Mon Sep 17 00:00:00 2001 
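Review bot: The Display after the loop evaluates `[ ${LDAP_PAM_ENABLED} -eq 1 ]`, but nothing in the hunk initialises `LDAP_PAM_ENABLED` before the loop; if it is not preset to 0 elsewhere (include/consts, presumably), `[` receives `-eq 1` with no left operand on every host where neither file enables LDAP and the test errors instead of displaying NOT FOUND. Adding `LDAP_PAM_ENABLED=0` at the top of the `if [ ${SKIPTEST} -eq 0 ]` block, or comparing `"${LDAP_PAM_ENABLED}" = "1"`, removes that dependency. `[ -f ${FILE} ]` and the grep argument `${FILE}` are unquoted while `"${FIND}"` on the next line is quoted; `"${FILE}"` is the consistent and safer form. The same two points apply to the follow-up hunk of this test in the next commit (`@@ -698,27 +698,28 @@`).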
From: Michael Boelen Date: Fri, 29 Mar 2019 12:30:12 +0100 Subject: [PATCH 054/679] [AUTH-9278] style change, description, allow different root directory --- include/tests_authentication | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/include/tests_authentication b/include/tests_authentication index 9fe8af43..2ede2b7d 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -698,27 +698,28 @@ # # Test : AUTH-9278 # Description : Search LDAP support in PAM files - Register --test-no AUTH-9278 --weight L --network NO --category security --description "Checking LDAP pam status" + Register --test-no AUTH-9278 --weight L --network NO --category security --description "Determine LDAP support in PAM files" if [ ${SKIPTEST} -eq 0 ]; then - AUTH_FILES="/etc/pam.d/common-auth /etc/pam.d/system-auth" + AUTH_FILES="${ROOTDIR}etc/pam.d/common-auth ${ROOTDIR}etc/pam.d/system-auth" for FILE in ${AUTH_FILES}; do LogText "Test: checking presence ${FILE}" if [ -f ${FILE} ]; then LogText "Result: file ${FILE} exists" LogText "Test: checking presence LDAP module" FIND=$(${GREPBINARY} "^auth.*ldap" ${FILE}) - if [ ! "${FIND}" = "" ]; then + if [ ! -z "${FIND}" ]; then LogText "Result: LDAP module present" LogText "Output: ${FIND}" LDAP_AUTH_ENABLED=1 LDAP_PAM_ENABLED=1 - else + else LogText "Result: LDAP module not found" fi else LogText "Result: file ${FILE} not found, skipping test" fi done + if [ ${LDAP_PAM_ENABLED} -eq 1 ]; then Display --indent 2 --text "- LDAP module in PAM" --result "${STATUS_FOUND}" --color GREEN else From c36917ae83ca1cbab8b2ba88fa680361190286df Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 29 Mar 2019 12:32:08 +0100 Subject: [PATCH 055/679] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2a41b2eb..caf75ed3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -3,6 +3,7 @@ ## Lynis 2.7.4 (not released yet) ### Changed +- AUTH-9278 - Test LDAP in all PAM components on Red Hat and other systems - PKGS-7410 - add support for DPKG-based systems to gather installed kernel packages --------------------------------------------------------------------------------- From 3702ae67b5ddb71df60701fabe691cf114db8670 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 29 Mar 2019 12:53:13 +0100 Subject: [PATCH 056/679] [PKGS-7420] Detect toolkit to automatically download and apply upgrades --- include/tests_ports_packages | 40 ++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/include/tests_ports_packages b/include/tests_ports_packages index ff28678f..05f150a6 100644 --- a/include/tests_ports_packages +++ b/include/tests_ports_packages 
@@ -1278,6 +1278,46 @@ # ################################################################################# # + # Test : PKGS-7420 + # Description : Detect toolkit to automatically download and apply upgrades + Register --test-no PKGS-7420 --weight L --network NO --category security --description "Detect toolkit to automatically download and apply upgrades" + if [ ${SKIPTEST} -eq 0 ]; then + UNATTENDED_UPGRADES_TOOLKIT=0 + UNATTENDED_UPGRADES_TOOL="" + if [ -f "${ROOTDIR}bin/auter" ]; then + UNATTENDED_UPGRADES_TOOL="auter" + UNATTENDED_UPGRADES_TOOLKIT=1 + LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}" + Report "unattended_upgrade_tool[]=auter" + fi + if [ -f "${ROOTDIR}sbin/yum-cron" ]; then + UNATTENDED_UPGRADES_TOOL="yum-cron" + UNATTENDED_UPGRADES_TOOLKIT=1 + LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}" + Report "unattended_upgrade_tool[]=yum-cron" + fi + if [ -f "${ROOTDIR}usr/bin/unattended-upgrade" ]; then + UNATTENDED_UPGRADES_TOOL="unattended-upgrade" + UNATTENDED_UPGRADES_TOOLKIT=1 + LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}" + Report "unattended_upgrade_tool[]=unattended-upgrade" + fi + if [ ${UNATTENDED_UPGRADES_TOOLKIT} -eq 1 ]; then + AddHP 5 5 + Display --indent 2 --text "- Toolkit for automatic upgrades (${UNATTENDED_UPGRADES_TOOL})" --result "${STATUS_FOUND}" --color GREEN + else + # TODO - Add logic to only display this when it is applicable as not all operating systems might support such tooling + AddHP 1 5 + Display --indent 2 --text "- Toolkit for automatic upgrades" --result "${STATUS_NOTFOUND}" --color YELLOW + LogText "Result: no toolkit for automatic updates discovered" + # TODO - add suggestion + fi + + fi +# +################################################################################# +# + if [ ! -z "${INSTALLED_PACKAGES}" ]; then Report "installed_packages_array=${INSTALLED_PACKAGES}"; fi From abaed3e6c1fabb172d187c943cf75634719e69ac Mon Sep 17 00:00:00 2001 
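Review bot: The not-found branch displays `${STATUS_NOTFOUND}`, while the other tests in this series use `${STATUS_NOT_FOUND}` (AUTH-9278 and the core-dumps test above); unless both names are defined in include/consts the result column is printed empty. Changing the line to `Display --indent 2 --text "- Toolkit for automatic upgrades" --result "${STATUS_NOT_FOUND}" --color YELLOW` aligns it with the rest of the code; the same spelling is carried into the rewrite of this test in commit 059 (`@@ -1284,35 +1284,57 @@`). The `if [ ${SKIPTEST} -eq 0 ]` block is complete within the hunk.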
From: Michael Boelen Date: Fri, 29 Mar 2019 12:53:52 +0100 Subject: [PATCH 057/679] Updated log --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index caf75ed3..8eedb146 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,8 @@ ### Changed - AUTH-9278 - Test LDAP in all PAM components on Red Hat and other systems -- PKGS-7410 - add support for DPKG-based systems to gather installed kernel packages +- PKGS-7410 - Add support for DPKG-based systems to gather installed kernel packages +- PKGS-7420 - Detect toolkit to automatically download and apply upgrades --------------------------------------------------------------------------------- From 295a2699d3fa18c06d4191725254b2b0a94ba463 Mon Sep 17 00:00:00 2001 From: Capashenn Date: Fri, 29 Mar 2019 16:34:01 +0100 Subject: [PATCH 058/679] bugfix HOME-9304 HOME-9306 --- include/tests_homedirs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/include/tests_homedirs b/include/tests_homedirs index 6beadaa5..1c850105 100644 --- a/include/tests_homedirs +++ b/include/tests_homedirs @@ -57,7 +57,7 @@ if [ ${SKIPTEST} -eq 0 ]; then # Check if users' home directories permissions are 750 or more restrictive FOUND=0 - for LINE in $(${CAT_BINARY} /etc/passwd | ${EGREPBINARY} -v '^(root|halt|sync|shutdown)' | ${AWKBINARY} -F: '($7 !="/sbin/nologin" && $7 != "/bin/false") { print }'); do + for LINE in "$(${CAT_BINARY} /etc/passwd | ${EGREPBINARY} -v '^(root|halt|sync|shutdown)' | ${AWKBINARY} -F: '($7 !="/sbin/nologin" && $7 != "/bin/false") { print }')"; do USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1) DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6) if [ -d ${DIR} ]; then 
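Review bot: Quoting the command substitution in `for LINE in "$(...)"` makes the loop body run exactly once with the entire filtered passwd output in `LINE`, so `USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1)` and the `-f6` extraction only ever see the first account and every other user's home directory goes unchecked. The problem this was meant to fix (word-splitting on spaces in the GECOS field) is better solved by reading /etc/passwd line by line and splitting on `:` directly; because `FOUND=1` is set inside the loop, the loop must be fed by a redirect rather than a pipe, otherwise the assignment is lost in a subshell, so the loop should close with `done < /etc/passwd`. The `case` on `USER` below is an exact-name match where the original `egrep -v '^(root|halt|sync|shutdown)'` was a prefix match; confirm which was intended. The identical change in the HOME-9306 hunk at `@@ -87,13 +87,13 @@` needs the same treatment, and the loop's `done` is outside both hunks.
```shell
FOUND=0
# Split on ':' only, so spaces in the GECOS field cannot break the loop;
# the redirect (not a pipe) keeps FOUND=1 visible after the loop.
while IFS=: read -r USER PASSWD_FIELD USER_ID GROUP_ID GECOS DIR LOGIN_SHELL; do
    case "${USER}" in root|halt|sync|shutdown) continue ;; esac
    case "${LOGIN_SHELL}" in /sbin/nologin|/bin/false) continue ;; esac
    if [ -d "${DIR}" ]; then
        # … unchanged: permission check on ${DIR} …
```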
@@ -87,13 +87,13 @@ if [ ${SKIPTEST} -eq 0 ]; then # Check if users own their home directories FOUND=0 - for LINE in $(${CAT_BINARY} /etc/passwd | ${EGREPBINARY} -v '^(root|halt|sync|shutdown)' | ${AWKBINARY} -F: '($7 !="/sbin/nologin" && $7 != "/bin/false") { print }'); do + for LINE in "$(${CAT_BINARY} /etc/passwd | ${EGREPBINARY} -v '^(root|halt|sync|shutdown)' | ${AWKBINARY} -F: '($7 !="/sbin/nologin" && $7 != "/bin/false") { print }')"; do USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1) DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6) if [ -d ${DIR} ]; then OWNER=$(ls -ld ${DIR} | awk -F" " '{ print $3 }') if [ ! ${OWNER} = ${USER} ]; then - LogText "Result: The home directory ${DIR} of user ${USER} is owned by ${OWNER}. Change with: chown ${OWNER} ${DIR}" + LogText "Result: The home directory ${DIR} of user ${USER} is owned by ${OWNER}. Change with: chown ${USER} ${DIR}" FOUND=1 fi fi From 3660043308d5ad56c0e767f64deea41107ca5330 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sat, 30 Mar 2019 13:31:03 +0100 Subject: [PATCH 059/679] [PKGS-7420] limit test to specific OS, add dnf-automatic support, extend logging --- include/tests_ports_packages | 76 +++++++++++++++++++++++------------- 1 file changed, 49 insertions(+), 27 deletions(-) diff --git a/include/tests_ports_packages b/include/tests_ports_packages index 05f150a6..9798a9b7 100644 --- a/include/tests_ports_packages +++ b/include/tests_ports_packages 
@@ -1284,35 +1284,57 @@ if [ ${SKIPTEST} -eq 0 ]; then UNATTENDED_UPGRADES_TOOLKIT=0 UNATTENDED_UPGRADES_TOOL="" - if [ -f "${ROOTDIR}bin/auter" ]; then - UNATTENDED_UPGRADES_TOOL="auter" - UNATTENDED_UPGRADES_TOOLKIT=1 - LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}" - Report "unattended_upgrade_tool[]=auter" - fi - if [ -f "${ROOTDIR}sbin/yum-cron" ]; then - UNATTENDED_UPGRADES_TOOL="yum-cron" - UNATTENDED_UPGRADES_TOOLKIT=1 - LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}" - Report "unattended_upgrade_tool[]=yum-cron" - fi - if [ -f "${ROOTDIR}usr/bin/unattended-upgrade" ]; then - UNATTENDED_UPGRADES_TOOL="unattended-upgrade" - UNATTENDED_UPGRADES_TOOLKIT=1 - LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}" - Report "unattended_upgrade_tool[]=unattended-upgrade" - fi - if [ ${UNATTENDED_UPGRADES_TOOLKIT} -eq 1 ]; then - AddHP 5 5 - Display --indent 2 --text "- Toolkit for automatic upgrades (${UNATTENDED_UPGRADES_TOOL})" --result "${STATUS_FOUND}" --color GREEN - else - # TODO - Add logic to only display this when it is applicable as not all operating systems might support such tooling - AddHP 1 5 - Display --indent 2 --text "- Toolkit for automatic upgrades" --result "${STATUS_NOTFOUND}" --color YELLOW - LogText "Result: no toolkit for automatic updates discovered" - # TODO - add suggestion + UNATTENDED_UPGRADES_OPTION_AVAILABLE=0 + + case "${OS}" in + "Linux") + case "${LINUX_VERSION}" in + "CentOS" | "Debian" | "Fedora" | "RHEL" | "Ubuntu") + + UNATTENDED_UPGRADES_OPTION_AVAILABLE=1 + # Test available tools for Linux + if [ -f "${ROOTDIR}bin/auter" ]; then + UNATTENDED_UPGRADES_TOOL="auter" + UNATTENDED_UPGRADES_TOOLKIT=1 + LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}" + Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}" + fi + if [ -f "${ROOTDIR}sbin/yum-cron" ]; then + UNATTENDED_UPGRADES_TOOL="yum-cron" + UNATTENDED_UPGRADES_TOOLKIT=1 + LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}" + Report 
"unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}" + fi + if [ -f "${ROOTDIR}usr/bin/dnf-automatic" ]; then + UNATTENDED_UPGRADES_TOOL="dnf-automatic" + UNATTENDED_UPGRADES_TOOLKIT=1 + LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}" + Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}" + fi + if [ -f "${ROOTDIR}usr/bin/unattended-upgrade" ]; then + UNATTENDED_UPGRADES_TOOL="unattended-upgrade" + UNATTENDED_UPGRADES_TOOLKIT=1 + LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}" + Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}" + fi + ;; + esac + ;; + esac + + if [ ${UNATTENDED_UPGRADES_OPTION_AVAILABLE} -eq 1 ]; then + if [ ${UNATTENDED_UPGRADES_TOOLKIT} -eq 1 ]; then + AddHP 5 5 + Display --indent 2 --text "- Toolkit for automatic upgrades (${UNATTENDED_UPGRADES_TOOL})" --result "${STATUS_FOUND}" --color GREEN + else + AddHP 1 5 + Display --indent 2 --text "- Toolkit for automatic upgrades" --result "${STATUS_NOTFOUND}" --color YELLOW + LogText "Result: no toolkit for automatic updates discovered" + ReportSuggestion "${TEST_NO}" "Consider using a tool to automatically apply upgrades" + fi fi + Report "unattended_upgrade_option_avaiable=${UNATTENDED_UPGRADES_OPTION_AVAILABLE}" fi # ################################################################################# From d0df518426dd3ddb6f36bce86140e15c8e65ee81 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sat, 30 Mar 2019 13:58:23 +0100 Subject: [PATCH 060/679] [PKGS-7420] corrected typo --- include/tests_ports_packages | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_ports_packages b/include/tests_ports_packages index 9798a9b7..09243391 100644 --- a/include/tests_ports_packages +++ b/include/tests_ports_packages 
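Review bot: A tool is scored as present (`AddHP 5 5`, green FOUND) solely because its binary exists on disk; an installed but unconfigured unattended-upgrade, or a yum-cron/dnf-automatic whose service or timer is not enabled, receives the same score as a tool that is actually applying updates. Recording that limitation stops the next reader from treating the score as proof of patching, e.g. `# NOTE: presence of the binary only; whether the tool is enabled (service, timer or config) is not verified` above the first `if [ -f "${ROOTDIR}bin/auter" ]`. `UNATTENDED_UPGRADES_TOOL` is overwritten by each match, so the Display line names only the last tool found although every one is written to the report; accumulating the names would show them all. The Register line for this test is above the hunk.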
@@ -1334,7 +1334,7 @@ fi fi - Report "unattended_upgrade_option_avaiable=${UNATTENDED_UPGRADES_OPTION_AVAILABLE}" + Report "unattended_upgrade_option_available=${UNATTENDED_UPGRADES_OPTION_AVAILABLE}" fi # ################################################################################# From 7b7086566da4b677470c13d65261719582a6bca5 Mon Sep 17 00:00:00 2001 From: Capashenn <37273010+Capashenn@users.noreply.github.com> Date: Tue, 2 Apr 2019 07:46:04 +0200 Subject: [PATCH 061/679] Add test FILE-6324 check XFS file systems (#699) --- include/tests_filesystems | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/include/tests_filesystems b/include/tests_filesystems index a52bb66b..e1be0a1f 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems @@ -163,6 +163,28 @@ fi # ################################################################################# +# + # Test : FILE-6324 + # Description : Checking Linux XFS file systems + Register --test-no FILE-6324 --os Linux --weight L --network NO --category security --description "Checking XFS file systems" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: Checking for Linux XFS file systems" + FIND=$(${MOUNTBINARY} -t xfs | ${AWKBINARY} '{ print $3","$5 }') + if [ ! -z "${FIND}" ]; then + LogText "Result: found one or more XFS file systems" + for I in ${FIND}; do + FILESYSTEM=$(echo ${I} | ${CUTBINARY} -d ',' -f1) + FILETYPE=$(echo ${I} | ${CUTBINARY} -d ',' -f2) + LogText "File system: ${FILESYSTEM} (type: ${FILETYPE})" + Report "file_systems_xfs[]=${FILESYSTEM}|${FILETYPE}|" + done + else + LogText "Result: no XFS file systems found" + Report "file_systems_xfs[]=none" + fi + fi +# +################################################################################# # # Test : FILE-6329 # Description : Query all FFS/UFS mounts from /etc/fstab From 2c83037cbad67885e85289cbffca8875330fc16c Mon Sep 17 00:00:00 2001 
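Review bot: `${MOUNTBINARY} -t xfs` runs without a stderr redirect and without checking that MOUNTBINARY was detected, unlike the `sysctl` call earlier in this series which uses `2> /dev/null`; if the variable is empty the shell prints a command-not-found error to the terminal and the test then logs "no XFS file systems found" as if it had looked. Guarding the test with `if [ -z "${MOUNTBINARY}" ]; then LogText "Result: mount binary not found, skipping test"; else ...; fi` (or a `--preqs-met` on the Register line) and adding `2> /dev/null` to the call make the outcome explicit. `${FILETYPE}` is always `xfs` because `-t xfs` already filters by type, so the second `cut` per entry exists only for symmetry with the EXT test. The FILE-6324 block is complete within the hunk.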
From: Michael Boelen Date: Tue, 2 Apr 2019 07:58:10 +0200 Subject: [PATCH 062/679] Minor cleanup --- include/tests_filesystems | 2 -- 1 file changed, 2 deletions(-) diff --git a/include/tests_filesystems b/include/tests_filesystems index e1be0a1f..43b9e7ec 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems @@ -158,7 +158,6 @@ done else LogText "Result: no EXT file systems found" - Report "file_systems_ext[]=none" fi fi # @@ -180,7 +179,6 @@ done else LogText "Result: no XFS file systems found" - Report "file_systems_xfs[]=none" fi fi # From f2e6b23c9f0ce432cd55e48f52e60c9e06263097 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 2 Apr 2019 11:14:49 +0200 Subject: [PATCH 063/679] Added PKGS-7420 --- db/tests.db | 1 + 1 file changed, 1 insertion(+) diff --git a/db/tests.db b/db/tests.db index 641ea927..24023cd2 100644 --- a/db/tests.db +++ b/db/tests.db @@ -319,6 +319,7 @@ PKGS-7393:test:security:ports_packages::Check for Gentoo vulnerable packages: PKGS-7394:test:security:ports_packages:Linux:Check for Ubuntu updates: PKGS-7398:test:security:ports_packages::Check for package audit tool: PKGS-7410:test:security:ports_packages::Count installed kernel packages: +PKGS-7420:test:security:ports_packages::Detect toolkit to automatically download and apply upgrades: PRNT-2302:test:security:printers_spools:FreeBSD:Check for printcap consistency: PRNT-2304:test:security:printers_spools::Check cupsd status: PRNT-2306:test:security:printers_spools::Check CUPSd configuration file: From 349f011489f56237f42912847de35cfbb7bd114b Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 2 Apr 2019 11:14:56 +0200 Subject: [PATCH 064/679] Updated log --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8eedb146..88fbf8d8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,6 +2,9 @@ ## Lynis 2.7.4 (not released yet) +### Added +- FILE-6324 - Discover XFS mount points + ### Changed - AUTH-9278 - Test LDAP in all PAM components on Red Hat and other systems - PKGS-7410 - Add support for DPKG-based systems to gather installed kernel packages From e0ca517aaa88e6954a1b3cda79f2cb5b70a12c7b Mon Sep 17 00:00:00 2001 From: Capashenn <37273010+Capashenn@users.noreply.github.com> Date: Tue, 2 Apr 2019 11:15:31 +0200 Subject: [PATCH 065/679] Add tests INSE-8310 INSE-8312 (telnet) (#693) * Add test INSE-8000 * Add xinetd support in insecure_services * fix issue #662 * Check for talk via xinetd * Check for chargen via xinetd * Check for daytime via xinetd * Check discard via xinetd * Check echo via xinatd * Check time via xinetd * Check tftp via xinetd * Check rsync via xinetd * Add test INSE-8200 * Add test INSE-8300 INSE-8302 INSE-8304 (rsh) * Add tests INSE-8310 INSE-8312 (telnet) --- include/tests_insecure_services | 629 +++++++++++++++++++++++++++++++- 1 file changed, 628 insertions(+), 1 deletion(-) diff --git a/include/tests_insecure_services b/include/tests_insecure_services index 277791d9..9490fa32 100644 --- a/include/tests_insecure_services +++ b/include/tests_insecure_services @@ -18,7 +18,7 @@ # ################################################################################# # -# Unsecure services +# Insecure services # ################################################################################# # 
@@ -28,6 +28,28 @@ # INETD_ACTIVE=0 INETD_CONFIG_FILE="${ROOTDIR}etc/inetd.conf" + XINETD_ACTIVE=0 + XINETD_CONFIG_FILE="${ROOTDIR}etc/xinetd.conf" + XINETD_CONFIG_DIR="${ROOTDIR}etc/xinetd.d" +# +################################################################################# +# + # Test : INSE-8000 + # Description : Check for installed inetd daemon + Register --test-no INSE-8000 --weight L --network NO --category security --description "Check for installed inetd daemon" + if [ ${SKIPTEST} -eq 0 ]; then + # Check for installed inetd daemon + LogText "Test: Checking if inetd is installed" + PackageIsInstalled inetd + if [ $? -eq 0 ]; then + LogText "Result: inetd is installed" + Display --indent 2 --text "- Checking inetd installation" --result "${STATUS_SUGGESTION}" --color YELLOW + ReportSuggestion ${TEST_NO} "If there are no inetd services required, it is recommended that the daemon be removed" + else + LogText "Result: inetd is NOT installed" + Display --indent 2 --text "- Checking inetd installation" --result "${STATUS_OK}" --color GREEN + fi + fi # ################################################################################# # 
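Review bot: `PackageIsInstalled inetd` looks for a package literally named inetd; on distributions where the daemon ships under another package name (Debian's `openbsd-inetd` or `inetutils-inetd`, for example) the test displays OK while an inetd is installed. If the helper does not map those names itself, checking the known names in turn, or deferring to the running-process and config-file checks of the following tests, avoids the false OK. `ReportSuggestion ${TEST_NO}` is unquoted here while the other tests in the series write `"${TEST_NO}"`; `ReportSuggestion "${TEST_NO}" "If there are no inetd services required, it is recommended that the daemon be removed"` matches them. The INSE-8000 block is complete within the hunk.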
@@ -108,6 +130,611 @@ fi # ################################################################################# +# + # Test : INSE-8100 + # Description : Check for installed xinetd daemon + Register --test-no INSE-8100 --weight L --network NO --category security --description "Check for installed xinetd daemon" + if [ ${SKIPTEST} -eq 0 ]; then + # Check for installed xinetd daemon + LogText "Test: Checking for installed xinetd daemon" + PackageIsInstalled xinetd + if [ $? -eq 0 ]; then + LogText "Result: xinetd is installed" + Display --indent 2 --text "- Checking xinetd installation" --result "${STATUS_SUGGESTION}" --color YELLOW + ReportSuggestion ${TEST_NO} "If there are no xinetd services required, it is recommended that the daemon be removed" + else + LogText "Result: xinetd is NOT installed" + Display --indent 2 --text "- Checking xinetd installation" --result "${STATUS_OK}" --color GREEN + fi + fi +# +################################################################################# +# + # Test : INSE-8102 + # Description : Check for xinetd status + Register --test-no INSE-8102 --weight L --network NO --category security --description "Check for enabled xinet daemon" + if [ ${SKIPTEST} -eq 0 ]; then + # Check running processes + LogText "Test: Searching for active xinet daemon" + IsRunning xinetd + if [ ${RUNNING} -eq 1 ]; then + LogText "Result: xinetd is running" + Display --indent 4 --text "- Checking xinetd status" --result "ACTIVE" --color GREEN + XINETD_ACTIVE=1 + else + LogText "Result: xinetd is NOT running" + Display --indent 4 --text "- Checking xinetd status" --result "NOT ACTIVE" --color GREEN + fi + fi +# +################################################################################# +# + # Test : INSE-8104 + # Description : Check for xinetd configuration file + if [ ${XINETD_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8104 --preqs-met ${PREQS_MET} --weight L --network NO --category security 
--description "Check for enabled xinet daemon" + if [ ${SKIPTEST} -eq 0 ]; then + # Check configuration file + LogText "Test: Searching for file ${XINETD_CONFIG_FILE}" + if [ -f ${XINETD_CONFIG_FILE} ]; then + LogText "Result: ${XINETD_CONFIG_FILE} exists" + Display --indent 6 --text "- Checking xinetd.conf" --result "${STATUS_FOUND}" --color WHITE + else + LogText "Result: ${XINETD_CONFIG_FILE} does not exist" + Display --indent 6 --text "- Checking xinetd.conf" --result "${STATUS_NOT_FOUND}" --color WHITE + fi + fi +# +################################################################################# +# + # Test : INSE-8106 + # Description : Check for xinetd configuration file contents if xinetd is NOT active + if [ ${XINETD_ACTIVE} -eq 0 -a -f ${XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8106 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check configuration of xinetd when disabled" + if [ ${SKIPTEST} -eq 0 ]; then + # Check if any service is enabled in /etc/xinetd.d (xinetd is not active, see test 8102) + LogText "Test: check if all services are disabled if xinetd is disabled" + FIND=$(${GREPBINARY} -r "disable\s*=\s*no" ${XINETD_CONFIG_DIR}) + if [ -z "${FIND}" ]; then + LogText "Result: no services found in ${XINETD_CONFIG_DIR}" + Display --indent 6 --text "- Checking xinetd.d services" --result "${STATUS_OK}" --color GREEN + else + LogText "Result: found services in ${XINETD_CONFIG_DIR}, even though xinetd is not running" + Display --indent 6 --text "- Checking xinetd.d services" --result "${STATUS_SUGGESTION}" --color YELLOW + ReportSuggestion ${TEST_NO} "Although xinetd is not running, make sure no services are enabled in ${XINETD_CONFIG_DIR}, or remove xinetd service" + fi + fi +# +################################################################################# +# + # Test : INSE-8116 + # Description : Check for telnet enabled via xinetd + 
TELNET_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/telnet" + if [ ${XINETD_ACTIVE} -eq 1 -a -f ${TELNET_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8116 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for telnet via xinetd" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: checking telnet presence in xinetd configuration" + FIND=$(${GREPBINARY} "disable\s*=\s*no" ${TELNET_XINETD_CONFIG_FILE}) + if [ "${FIND}" = "" ]; then + LogText "Result: telnet not enabled in ${TELNET_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (telnet)" --result "${STATUS_DISABLED}" --color GREEN + AddHP 3 3 + else + LogText "Result: telnet enabled in ${TELNET_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (telnet)" --result "${STATUS_ENABLED}" --color RED + ReportSuggestion "${TEST_NO}" "Disable telnet in xinetd configuration and use SSH instead" + AddHP 1 3 + fi + fi +# +################################################################################# +# + # Test : INSE-8118 + # Description : Check for rsh enabled via xinetd + RSH_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/rsh" + if [ ${XINETD_ACTIVE} -eq 1 -a -f ${RSH_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8118 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for rsh via xinetd" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: checking rsh presence in xinetd configuration" + FIND=$(${GREPBINARY} "disable\s*=\s*no" ${RSH_XINETD_CONFIG_FILE}) + if [ "${FIND}" = "" ]; then + LogText "Result: rsh not enabled in ${RSH_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (rsh)" --result "${STATUS_DISABLED}" --color GREEN + AddHP 3 3 + else + LogText "Result: rsh enabled in ${RSH_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (rsh)" --result "${STATUS_ENABLED}" --color RED + 
ReportSuggestion "${TEST_NO}" "Disable rsh in xinetd configuration and use SSH instead" + AddHP 1 3 + fi + fi +# +################################################################################# +# + # Test : INSE-8120 + # Description : Check for rlogin enabled via xinetd + RLOGIN_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/rlogin" + if [ ${XINETD_ACTIVE} -eq 1 -a -f ${RLOGIN_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8120 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for rlogin via xinetd" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: checking rlogin presence in xinetd configuration" + FIND=$(${GREPBINARY} "disable\s*=\s*no" ${RLOGIN_XINETD_CONFIG_FILE}) + if [ "${FIND}" = "" ]; then + LogText "Result: rlogin not enabled in ${RLOGIN_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (rlogin)" --result "${STATUS_DISABLED}" --color GREEN + AddHP 3 3 + else + LogText "Result: rlogin enabled in ${RLOGIN_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (rlogin)" --result "${STATUS_ENABLED}" --color RED + ReportSuggestion "${TEST_NO}" "Disable rlogin in xinetd configuration and use SSH instead" + AddHP 1 3 + fi + fi +# +################################################################################# +# + # Test : INSE-8122 + # Description : Check for rexec enabled via xinetd + REXEC_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/rexec" + if [ ${XINETD_ACTIVE} -eq 1 -a -f ${REXEC_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8122 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for rexec via xinetd" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: checking rexec presence in xinetd configuration" + FIND=$(${GREPBINARY} "disable\s*=\s*no" ${REXEC_XINETD_CONFIG_FILE}) + if [ "${FIND}" = "" ]; then + LogText "Result: rexec not enabled in 
${REXEC_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (rexec)" --result "${STATUS_DISABLED}" --color GREEN + AddHP 3 3 + else + LogText "Result: rexec enabled in ${REXEC_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (rexec)" --result "${STATUS_ENABLED}" --color RED + ReportSuggestion "${TEST_NO}" "Disable rexec in xinetd configuration and use SSH instead" + AddHP 1 3 + fi + fi +# +################################################################################# +# + # Test : INSE-8124 + # Description : Check for talk enabled via xinetd + TALK_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/talk" + if [ ${XINETD_ACTIVE} -eq 1 -a -f ${TALK_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8124 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for talk via xinetd" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: checking talk presence in xinetd configuration" + FIND=$(${GREPBINARY} "disable\s*=\s*no" ${TALK_XINETD_CONFIG_FILE}) + if [ "${FIND}" = "" ]; then + LogText "Result: talk not enabled in ${TALK_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (talk)" --result "${STATUS_DISABLED}" --color GREEN + else + LogText "Result: talk enabled in ${TALK_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (talk)" --result "${STATUS_ENABLED}" --color RED + ReportSuggestion "${TEST_NO}" "Disable talk in xinetd configuration" + fi + fi +# +################################################################################# +# + # Test : INSE-8126 + # Description : Check for ntalk enabled via xinetd + NTALK_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/ntalk" + if [ ${XINETD_ACTIVE} -eq 1 -a -f ${NTALK_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8126 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for ntalk via xinetd" + if [ ${SKIPTEST} 
-eq 0 ]; then + LogText "Test: checking ntalk presence in xinetd configuration" + FIND=$(${GREPBINARY} "disable\s*=\s*no" ${NTALK_XINETD_CONFIG_FILE}) + if [ "${FIND}" = "" ]; then + LogText "Result: ntalk not enabled in ${NTALK_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (ntalk)" --result "${STATUS_DISABLED}" --color GREEN + else + LogText "Result: ntalk enabled in ${NTALK_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (ntalk)" --result "${STATUS_ENABLED}" --color RED + ReportSuggestion "${TEST_NO}" "Disable ntalk in xinetd configuration" + fi + fi +# +################################################################################# +# + # Test : INSE-8128 + # Description : Check for chargen-dgram enabled via xinetd + CHARGEN_DGRAM_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/chargen-dgram" + if [ ${XINETD_ACTIVE} -eq 1 -a -f ${CHARGEN_DGRAM_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8128 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for chargen-dgram via xinetd" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: checking chargen-dgram presence in xinetd configuration" + FIND=$(${GREPBINARY} "disable\s*=\s*no" ${CHARGEN_DGRAM_XINETD_CONFIG_FILE}) + if [ "${FIND}" = "" ]; then + LogText "Result: chargen-dgram not enabled in ${CHARGEN_DGRAM_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (chargen-dgram)" --result "${STATUS_DISABLED}" --color GREEN + else + LogText "Result: chargen-dgram enabled in ${CHARGEN_DGRAM_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (chargen-dgram)" --result "${STATUS_ENABLED}" --color RED + ReportSuggestion "${TEST_NO}" "Disable chargen-dgram in xinetd configuration" + fi + fi +# +################################################################################# +# + # Test : INSE-8130 + # Description : Check for chargen-stream enabled via xinetd + 
CHARGEN_STREAM_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/chargen-stream" + if [ ${XINETD_ACTIVE} -eq 1 -a -f ${CHARGEN-STREAM_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8130 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for chargen-stream via xinetd" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: checking chargen-stream presence in xinetd configuration" + FIND=$(${GREPBINARY} "disable\s*=\s*no" ${CHARGEN_STREAM_XINETD_CONFIG_FILE}) + if [ "${FIND}" = "" ]; then + LogText "Result: chargen-stream not enabled in ${CHARGEN_STREAM_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (chargen-stream)" --result "${STATUS_DISABLED}" --color GREEN + else + LogText "Result: chargen-stream enabled in ${CHARGEN_STREAM_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (chargen-stream)" --result "${STATUS_ENABLED}" --color RED + ReportSuggestion "${TEST_NO}" "Disable chargen-stream in xinetd configuration" + fi + fi +# +################################################################################# +# + # Test : INSE-8132 + # Description : Check for daytime-dgram enabled via xinetd + DAYTIME_DGRAM_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/daytime-dgram" + if [ ${XINETD_ACTIVE} -eq 1 -a -f ${DAYTIME_DGRAM_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8132 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for daytime-dgram via xinetd" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: checking daytime-dgram presence in xinetd configuration" + FIND=$(${GREPBINARY} "disable\s*=\s*no" ${DAYTIME_DGRAM_XINETD_CONFIG_FILE}) + if [ "${FIND}" = "" ]; then + LogText "Result: daytime-dgram not enabled in ${DAYTIME_DGRAM_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (daytime-dgram)" --result "${STATUS_DISABLED}" --color GREEN + else + LogText "Result: 
daytime-dgram enabled in ${DAYTIME_DGRAM_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (daytime-dgram)" --result "${STATUS_ENABLED}" --color RED + ReportSuggestion "${TEST_NO}" "Disable daytime-dgram in xinetd configuration" + fi + fi +# +################################################################################# +# + # Test : INSE-8134 + # Description : Check for daytime-stream enabled via xinetd + DAYTIME_STREAM_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/daytime-stream" + if [ ${XINETD_ACTIVE} -eq 1 -a -f ${DAYTIME_STREAM_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8134 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for daytime-stream via xinetd" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: checking daytime-stream presence in xinetd configuration" + FIND=$(${GREPBINARY} "disable\s*=\s*no" ${DAYTIME_STREAM_XINETD_CONFIG_FILE}) + if [ "${FIND}" = "" ]; then + LogText "Result: daytime-stream not enabled in ${DAYTIME_STREAM_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (daytime-stream)" --result "${STATUS_DISABLED}" --color GREEN + else + LogText "Result: daytime-stream enabled in ${DAYTIME_STREAM_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (daytime-stream)" --result "${STATUS_ENABLED}" --color RED + ReportSuggestion "${TEST_NO}" "Disable daytime-stream in xinetd configuration" + fi + fi +# +################################################################################# +# + # Test : INSE-8136 + # Description : Check for discard-dgram enabled via xinetd + DISCARD_DGRAM_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/discard-dgram" + if [ ${XINETD_ACTIVE} -eq 1 -a -f ${DISCARD_DGRAM_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8136 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for discard-dgram via xinetd" + if [ 
${SKIPTEST} -eq 0 ]; then + LogText "Test: checking discard-dgram presence in xinetd configuration" + FIND=$(${GREPBINARY} "disable\s*=\s*no" ${DISCARD_DGRAM_XINETD_CONFIG_FILE}) + if [ "${FIND}" = "" ]; then + LogText "Result: discard-dgram not enabled in ${DISCARD_DGRAM_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (discard-dgram)" --result "${STATUS_DISABLED}" --color GREEN + else + LogText "Result: discard-dgram enabled in ${DISCARD_DGRAM_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (discard-dgram)" --result "${STATUS_ENABLED}" --color RED + ReportSuggestion "${TEST_NO}" "Disable discard-dgram in xinetd configuration" + fi + fi +# +################################################################################# +# + # Test : INSE-8138 + # Description : Check for discard-stream enabled via xinetd + DISCARD_STREAM_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/discard-stream" + if [ ${XINETD_ACTIVE} -eq 1 -a -f ${DISCARD_STREAM_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8138 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for discard-stream via xinetd" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: checking discard-stream presence in xinetd configuration" + FIND=$(${GREPBINARY} "disable\s*=\s*no" ${DISCARD_STREAM_XINETD_CONFIG_FILE}) + if [ "${FIND}" = "" ]; then + LogText "Result: discard-stream not enabled in ${DISCARD_STREAM_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (discard-stream)" --result "${STATUS_DISABLED}" --color GREEN + else + LogText "Result: discard-stream enabled in ${DISCARD_STREAM_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (discard-stream)" --result "${STATUS_ENABLED}" --color RED + ReportSuggestion "${TEST_NO}" "Disable discard-stream in xinetd configuration" + fi + fi +# +################################################################################# +# + # 
Test : INSE-8140 + # Description : Check for echo-dgram enabled via xinetd + ECHO_DGRAM_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/echo-dgram" + if [ ${XINETD_ACTIVE} -eq 1 -a -f ${ECHO_DGRAM_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8140 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for echo-dgram via xinetd" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: checking echo-dgram presence in xinetd configuration" + FIND=$(${GREPBINARY} "disable\s*=\s*no" ${ECHO_DGRAM_XINETD_CONFIG_FILE}) + if [ "${FIND}" = "" ]; then + LogText "Result: echo-dgram not enabled in ${ECHO_DGRAM_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (echo-dgram)" --result "${STATUS_DISABLED}" --color GREEN + else + LogText "Result: echo-dgram enabled in ${ECHO_DGRAM_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (echo-dgram)" --result "${STATUS_ENABLED}" --color RED + ReportSuggestion "${TEST_NO}" "Disable echo-dgram in xinetd configuration" + fi + fi +# +################################################################################# +# + # Test : INSE-8142 + # Description : Check for echo-stream enabled via xinetd + ECHO_STREAM_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/echo-stream" + if [ ${XINETD_ACTIVE} -eq 1 -a -f ${ECHO_STREAM_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8142 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for echo-stream via xinetd" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: checking echo-stream presence in xinetd configuration" + FIND=$(${GREPBINARY} "disable\s*=\s*no" ${ECHO_STREAM_XINETD_CONFIG_FILE}) + if [ "${FIND}" = "" ]; then + LogText "Result: echo-stream not enabled in ${ECHO_STREAM_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (echo-stream)" --result "${STATUS_DISABLED}" --color GREEN + else + LogText 
"Result: echo-stream enabled in ${ECHO_STREAM_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (echo-stream)" --result "${STATUS_ENABLED}" --color RED + ReportSuggestion "${TEST_NO}" "Disable echo-stream in xinetd configuration" + fi + fi +# +################################################################################# +# + # Test : INSE-8144 + # Description : Check for time-dgram enabled via xinetd + TIME_DGRAM_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/time-dgram" + if [ ${XINETD_ACTIVE} -eq 1 -a -f ${TIME_DGRAM_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8144 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for time-dgram via xinetd" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: checking time-dgram presence in xinetd configuration" + FIND=$(${GREPBINARY} "disable\s*=\s*no" ${TIME_DGRAM_XINETD_CONFIG_FILE}) + if [ "${FIND}" = "" ]; then + LogText "Result: time-dgram not enabled in ${TIME_DGRAM_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (time-dgram)" --result "${STATUS_DISABLED}" --color GREEN + else + LogText "Result: time-dgram enabled in ${TIME_DGRAM_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (time-dgram)" --result "${STATUS_ENABLED}" --color RED + ReportSuggestion "${TEST_NO}" "Disable time-dgram in xinetd configuration" + fi + fi +# +################################################################################# +# + # Test : INSE-8146 + # Description : Check for time-stream enabled via xinetd + TIME_STREAM_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/time-stream" + if [ ${XINETD_ACTIVE} -eq 1 -a -f ${TIME_STREAM_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8146 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for time-stream via xinetd" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: checking time-stream 
presence in xinetd configuration" + FIND=$(${GREPBINARY} "disable\s*=\s*no" ${TIME_STREAM_XINETD_CONFIG_FILE}) + if [ "${FIND}" = "" ]; then + LogText "Result: time-stream not enabled in ${TIME_STREAM_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (time-stream)" --result "${STATUS_DISABLED}" --color GREEN + else + LogText "Result: time-stream enabled in ${TIME_STREAM_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (time-stream)" --result "${STATUS_ENABLED}" --color RED + ReportSuggestion "${TEST_NO}" "Disable time-stream in xinetd configuration" + fi + fi +# +################################################################################# +# + # Test : INSE-8148 + # Description : Check for tftp enabled via xinetd + TFTP_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/tftp" + if [ ${XINETD_ACTIVE} -eq 1 -a -f ${TFTP_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8148 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for tftp via xinetd" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: checking tftp presence in xinetd configuration" + FIND=$(${GREPBINARY} "disable\s*=\s*no" ${TFTP_XINETD_CONFIG_FILE}) + if [ "${FIND}" = "" ]; then + LogText "Result: tftp not enabled in ${TFTP_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (tftp)" --result "${STATUS_DISABLED}" --color GREEN + AddHP 3 3 + else + LogText "Result: tftp enabled in ${TFTP_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (tftp)" --result "${STATUS_ENABLED}" --color RED + ReportSuggestion "${TEST_NO}" "Disable tftp in xinetd configuration" + AddHP 1 3 + fi + fi +# +################################################################################# +# + # Test : INSE-8150 + # Description : Check for rsync enabled via xinetd + RSYNC_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/rsync" + if [ ${XINETD_ACTIVE} -eq 1 -a -f ${RSYNC_XINETD_CONFIG_FILE} ]; then 
PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8150 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for rsync via xinetd" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: checking rsync presence in xinetd configuration" + FIND=$(${GREPBINARY} "disable\s*=\s*no" ${RSYNC_XINETD_CONFIG_FILE}) + if [ "${FIND}" = "" ]; then + LogText "Result: rsync not enabled in ${RSYNC_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (rsync)" --result "${STATUS_DISABLED}" --color GREEN + else + LogText "Result: rsync enabled in ${RSYNC_XINETD_CONFIG_FILE}" + Display --indent 6 --text "- Checking xinetd (rsync)" --result "${STATUS_ENABLED}" --color RED + ReportSuggestion "${TEST_NO}" "Disable rsync in xinetd configuration" + fi + fi +# +################################################################################# +# + # Test : INSE-8200 + # Description : Check if tcp_wrappers is installed when inetd/xinetd is active + if [ ${INETD_ACTIVE} -eq 1 -o ${XINETD_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8200 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check if tcp_wrappers is installed when inetd/xinetd is active" + if [ ${SKIPTEST} -eq 0 ]; then + # Check if tcp_wrappers is installed when inetd/xinetd is active + LogText "Test: Checking if tcp_wrappers is installed" + FOUND="" + PACKAGES="tcp_wrappers tcpd" + for PACKAGE in ${PACKAGES}; do + PackageIsInstalled ${PACKAGE} + if [ $? 
-eq 0 ];then + FOUND=${PACKAGE} + fi + done + if [ ${FOUND} ]; then + LogText "Result: tcp_wrappers is installed" + Display --indent 2 --text "- Checking tcp_wrappers installation" --result "${STATUS_OK}" --color GREEN + else + LogText "Result: tcp_wrappers is NOT installed" + Display --indent 2 --text "- Checking tcp_wrappers installation" --result "${STATUS_SUGGESTION}" --color YELLOW + ReportSuggestion ${TEST_NO} "When network services are using the inetd/xinetd service, the tcp_wrappers package should be installed" + fi + fi +# +################################################################################# +# + # Test : INSE-8300 + # Description : Check if rsh client is installed + Register --test-no INSE-8300 --weight L --network NO --category security --description "Check if rsh client is installed" + if [ ${SKIPTEST} -eq 0 ]; then + # Check if rsh is installed + LogText "Test: Checking if rsh client is installed" + FOUND="" + PACKAGES="rsh rsh-client rsh-redone-client" + for PACKAGE in ${PACKAGES}; do + PackageIsInstalled ${PACKAGE} + if [ $? 
-eq 0 ];then + FOUND=${PACKAGE} + fi + done + if [ ${FOUND} ]; then + LogText "Result: rsh client is installed" + Display --indent 2 --text "- Checking rsh client installation" --result "${STATUS_SUGGESTION}" --color YELLOW + ReportSuggestion ${TEST_NO} "Rsh client contain numerous security exposures and have been replaced with the more secure SSH package" + else + LogText "Result: rsh client is NOT installed" + Display --indent 2 --text "- Checking rsh client installation" --result "${STATUS_OK}" --color GREEN + fi + fi +# +################################################################################# +# + # Test : INSE-8302 + # Description : Check presence of Rsh Trust Files + Register --test-no INSE-8302 --weight L --network NO --category security --description "Check presence of Rsh Trust Files" + if [ ${SKIPTEST} -eq 0 ]; then + # Check presence of Rsh Trust Files + FOUND=0 + for LINE in $(${CAT_BINARY} /etc/passwd | ${EGREPBINARY} -v '^(root|halt|sync|shutdown)' | ${AWKBINARY} -F: '($7 !="/sbin/nologin" && $7 != "/bin/false") { print }'); do + USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1) + DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6) + if [ -d ${DIR} ]; then + for RHOSTS in ${DIR}/.rhosts; do + if [ ! 
-h ${RHOSTS} -a -f ${RHOSTS} ]; then + LogText "FOUND .rhosts file in home directory ${DIR} of ${USER}" + FOUND=1 + fi + done + fi + done + if [ -f /etc/hosts.equiv ];then + LogText "FOUND /etc/hosts.equiv" + FOUND=1 + fi + if [ ${FOUND} -eq 1 ]; then + LogText "Result: found one or more Rsh Trust Files" + Display --indent 4 --text "- Checking presence of Rsh Trust Files" --result "${STATUS_SUGGESTION}" --color YELLOW + ReportSuggestion ${TEST_NO} "Remove every Rsh Trust Files as they can allow unauthenticated access to a system" + else + LogText "Result: no Rsh Trust Files found" + Display --indent 4 --text "- Checking presence of Rsh Trust Files" --result "${STATUS_OK}" --color GREEN + fi + fi +# +################################################################################# +# + # Test : INSE-8304 + # Description : Check if rsh server is installed + Register --test-no INSE-8342 --weight L --network NO --category security --description "Check if rsh server is installed" + if [ ${SKIPTEST} -eq 0 ]; then + # Check if rsh server is installed + LogText "Test: Checking if rsh server is installed" + FOUND="" + PACKAGES="rsh-server rsh-redone-server" + for PACKAGE in ${PACKAGES}; do + PackageIsInstalled ${PACKAGE} + if [ $? 
-eq 0 ];then + FOUND=${PACKAGE} + fi + done + if [ ${FOUND} ]; then + LogText "Result: rsh server is installed" + Display --indent 2 --text "- Checking rsh server installation" --result "${STATUS_SUGGESTION}" --color YELLOW + ReportSuggestion ${TEST_NO} "Removing the rsh-server package decreases the risk of the accidental (or intentional) activation of rsh services" + + else + LogText "Result: rsh server is NOT installed" + Display --indent 2 --text "- Checking rsh server installation" --result "${STATUS_OK}" --color GREEN + fi + fi +# +################################################################################# +# + # Test : INSE-8310 + # Description : Check if telnet client is installed + Register --test-no INSE-8310 --weight L --network NO --category security --description "Check if telnet client is installed" + if [ ${SKIPTEST} -eq 0 ]; then + # Check if telnet client is installed + LogText "Test: Checking if telnet client is installed" + PackageIsInstalled telnet + if [ $? -eq 0 ]; then + LogText "Result: telnet client is installed" + Display --indent 2 --text "- Checking telnet client installation" --result "${STATUS_SUGGESTION}" --color YELLOW + ReportSuggestion ${TEST_NO} "telnet client contain numerous security exposures and have been replaced with the more secure SSH package" + else + LogText "Result: telnet client is NOT installed" + Display --indent 2 --text "- Checking telnet client installation" --result "${STATUS_OK}" --color GREEN + fi + fi +# +################################################################################# +# + # Test : INSE-8312 + # Description : Check if telnet server is installed + Register --test-no INSE-8322 --weight L --network NO --category security --description "Check if telnet server is installed" + if [ ${SKIPTEST} -eq 0 ]; then + # Check if TFTP server is installed + LogText "Test: Checking if telnet server is installed" + FOUND="" + PACKAGES="telnetd telnet-server" + for PACKAGE in ${PACKAGES}; do + 
PackageIsInstalled ${PACKAGE}
+ if [ $? -eq 0 ];then
+ FOUND=${PACKAGE}
+ fi
+ done
+ if [ ${FOUND} ]; then
+ LogText "Result: telnet server is installed"
+ Display --indent 2 --text "- Checking telnet server installation" --result "${STATUS_SUGGESTION}" --color YELLOW
+ ReportSuggestion ${TEST_NO} "Removing the ${FOUND} package decreases the risk of the accidental (or intentional) activation of telnet services"
+ else
+ LogText "Result: telnet server is NOT installed"
+ Display --indent 2 --text "- Checking telnet server installation" --result "${STATUS_OK}" --color GREEN
+ fi
+ fi
+#
+#################################################################################
 #
 if [ ! -z "${LAUNCHCTL_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="No launchctl binary on this system"; fi
 Register --test-no INSE-8050 --os "macOS" --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight M --network NO --category security --description "Check for insecure services on macOS"
From 247eb7d9a6bc50fa06ac33d3a118d79f7b24cc2c Mon Sep 17 00:00:00 2001
From: Michael Boelen
Date: Wed, 3 Apr 2019 12:46:03 +0200
Subject: [PATCH 066/679] Corrected if-statement
---
 include/functions | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/functions b/include/functions
index 95083600..e8965986 100644
--- a/include/functions
+++ b/include/functions
@@ -1717,7 +1717,7 @@ if [ ! -z "${RPMBINARY}" ]; then
 output=$(${RPMBINARY} --quiet -q ${package} 2> /dev/null)
 exit_code=$?
- elif ! -z "${DPKGBINARY}" ]; then
+ elif [ ! -z "${DPKGBINARY}" ]; then
 output=$(${DPKGBINARY} -l ${package} 2> /dev/null)
 exit_code=$?
 elif [ ! -z "${ZYPPERBINARY}" ]; then
From 28fd5948f7cc4d7d4f9119a60389da084a45e109 Mon Sep 17 00:00:00 2001
From: Michael Boelen
Date: Thu, 4 Apr 2019 14:41:56 +0200
Subject: [PATCH 067/679] Updated log
---
 CHANGELOG.md | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 88fbf8d8..664b52cf 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,14 @@
 ### Added
 - FILE-6324 - Discover XFS mount points
+- INSE-8000 - Installed inetd package
+- INSE-8100 - Installed xinetd package
+- INSE-8102 - Status of xinet daemon
+- INSE-8104 - xinetd configuration file
+- INSE-8106 - xinetd configuration for inactive daemon
+- INSE-8200 - Usage of TCP wrappers
+- INSE-8300 - Presence of rsh client
+- INSE-8302 - Presence of rsh server
 ### Changed
 - AUTH-9278 - Test LDAP in all PAM components on Red Hat and other systems
From 7ebfd3015c4daa41607f6aaf9e435ff74332ad29 Mon Sep 17 00:00:00 2001
From: Michael Boelen
Date: Thu, 4 Apr 2019 14:42:06 +0200
Subject: [PATCH 068/679] Added new tests
---
 db/tests.db | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/db/tests.db b/db/tests.db
index 24023cd2..215c3595 100644
--- a/db/tests.db
+++ b/db/tests.db
@@ -169,11 +169,17 @@ HTTP-6712:test:security:webservers::Check nginx access logging:
 HTTP-6714:test:security:webservers::Check for missing error logs in nginx:
 HTTP-6716:test:security:webservers::Check for debug mode on error log in nginx:
 HTTP-6720:test:security:webservers::Check Nginx log files:
-INSE-8002:test:security:insecure_services::Check for enabled inet daemon:
-INSE-8004:test:security:insecure_services::Check for enabled inet daemon:
-INSE-8006:test:security:insecure_services::Check configuration of inetd when disabled:
+INSE-8000:test:security:insecure_services::Installed inetd package:
+INSE-8002:test:security:insecure_services::Status of inet daemon:
+INSE-8004:test:security:insecure_services::Presence of inetd configuration file:
+INSE-8006:test:security:insecure_services::Check configuration of inetd when it is disabled:
 INSE-8016:test:security:insecure_services::Check for telnet via inetd:
 INSE-8050:test:security:insecure_services:MacOS:Check for insecure services on macOS systems:
+INSE-8100:test:security:insecure_services::Installed xinetd package:
+INSE-8116:test:security:insecure_services::Insecure services enabled via xinetd:
+INSE-8200:test:security:insecure_services::Usage of TCP wrappers:
+INSE-8300:test:security:insecure_services::Presence of rsh client:
+INSE-8302:test:security:insecure_services::Presence of rsh server:
 KRNL-5622:test:security:kernel:Linux:Determine Linux default run level:
 KRNL-5677:test:security:kernel:Linux:Check CPU options and support:
 KRNL-5695:test:security:kernel:Linux:Determine Linux kernel version and release number:
From 99362242784c9efd25b84b38a347f10933af1e1a Mon Sep 17 00:00:00 2001
From: Michael Boelen
Date: Thu, 4 Apr 2019 14:42:39 +0200
Subject: [PATCH 069/679] Merge of several tests, cleanup, minor code enhancements and restructure
---
 include/tests_insecure_services | 589 ++++++++------------------------
 1 file changed, 134 insertions(+), 455 deletions(-)
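Review bot: The new `INSE-8302:test:security:insecure_services::Presence of rsh server:` entry does not match the test code visible earlier on this page, where INSE-8302 is registered as the Rsh trust-files check and the rsh-server check is a separate INSE-8304 block (itself calling `Register --test-no INSE-8342`). If the restructuring commit that follows renumbers those tests this is fine, but as committed here the database description and the registered test number disagree, so a report line for INSE-8302 would carry the wrong description. The same applies to the single `INSE-8116` entry, which presumably stands for the merged per-service xinetd checks; a short comment in the commit message or changelog naming the old numbers it replaces would help anyone reconciling report output across versions.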
diff --git a/include/tests_insecure_services b/include/tests_insecure_services
index 9490fa32..afed850e 100644
--- a/include/tests_insecure_services
+++ b/include/tests_insecure_services
@@ -28,6 +28,7 @@
 #
 INETD_ACTIVE=0
 INETD_CONFIG_FILE="${ROOTDIR}etc/inetd.conf"
+ INETD_PACKAGE_INSTALLED=0
 XINETD_ACTIVE=0
 XINETD_CONFIG_FILE="${ROOTDIR}etc/xinetd.conf"
 XINETD_CONFIG_DIR="${ROOTDIR}etc/xinetd.d"
@@ -35,19 +36,19 @@
 #################################################################################
 #
 # Test : INSE-8000
- # Description : Check for installed inetd daemon
- Register --test-no INSE-8000 --weight L --network NO --category security --description "Check for installed inetd daemon"
+ # Description : Check for installed inetd package
+ Register --test-no INSE-8000 --weight L --network NO --category security --description "Installed inetd package"
 if [ ${SKIPTEST} -eq 0 ]; then
 # Check for installed inetd daemon
 LogText "Test: Checking if inetd is installed"
- PackageIsInstalled inetd
- if [ $? -eq 0 ]; then
+ if PackageIsInstalled "inetd"; then
+ INETD_PACKAGE_INSTALLED=1
 LogText "Result: inetd is installed"
- Display --indent 2 --text "- Checking inetd installation" --result "${STATUS_SUGGESTION}" --color YELLOW
- ReportSuggestion ${TEST_NO} "If there are no inetd services required, it is recommended that the daemon be removed"
+ Display --indent 2 --text "- Installation of inetd package" --result "${STATUS_FOUND}" --color YELLOW
+ #ReportSuggestion ${TEST_NO} "If there are no inetd services required, it is recommended that the daemon be removed"
 else
 LogText "Result: inetd is NOT installed"
- Display --indent 2 --text "- Checking inetd installation" --result "${STATUS_OK}" --color GREEN
+ Display --indent 2 --text "- Installation of inetd package" --result "${STATUS_NOT_FOUND}" --color GREEN
 fi
 fi
 #
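Review bot: The `#ReportSuggestion ${TEST_NO} "If there are no inetd services required, ..."` line added to the installed branch of INSE-8000 is commented-out code with no explanation, which leaves the next reader unsure whether the suggestion was dropped on purpose or temporarily. Either delete it or replace it with a why-comment such as `# No suggestion for the package alone; INSE-8002/INSE-8006 report on the running daemon and its configuration`, which is what the surrounding hunks appear to rely on. The `# Check for installed inetd daemon` comment inside the `if` still says "daemon" although the test was just retitled to "package"; aligning it avoids the same confusion.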
@@ -55,27 +56,27 @@
 #
 # Test : INSE-8002
 # Description : Check for inetd status
- Register --test-no INSE-8002 --weight L --network NO --category security --description "Check for enabled inet daemon"
+ if [ ${INETD_PACKAGE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no INSE-8002 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for enabled inet daemon"
 if [ ${SKIPTEST} -eq 0 ]; then
 # Check running processes
 LogText "Test: Searching for active inet daemon"
- IsRunning inetd
- if [ ${RUNNING} -eq 1 ]; then
+ if IsRunning "inetd"; then
 LogText "Result: inetd is running"
- Display --indent 2 --text "- Checking inetd status" --result "ACTIVE" --color GREEN
+ Display --indent 4 --text "- inetd status" --result "ACTIVE" --color GREEN
 INETD_ACTIVE=1
 else
 LogText "Result: inetd is NOT running"
- Display --indent 2 --text "- Checking inetd status" --result "NOT ACTIVE" --color GREEN
+ Display --indent 4 --text "- inetd status" --result "NOT ACTIVE" --color GREEN
 fi
 fi
 #
 #################################################################################
 #
 # Test : INSE-8004
- # Description : Check for inetd configuration file
+ # Description : Check for inetd configuration file (inetd)
 if [ ${INETD_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no INSE-8004 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for enabled inet daemon"
+ Register --test-no INSE-8004 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Presence of inetd configuration file"
 if [ ${SKIPTEST} -eq 0 ]; then
 # Check configuration file
 LogText "Test: Searching for file ${INETD_CONFIG_FILE}"
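Review bot: The new prerequisite `if [ ${INETD_PACKAGE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; ...` on INSE-8002 makes the running-daemon check depend on `PackageIsInstalled "inetd"` having matched that literal package name, and when it did not, `INETD_ACTIVE` stays 0 so INSE-8004 and the telnet-via-inetd check later in the file are skipped as well. An inetd provided under a different package name or installed outside the package manager would then run unreported, which is a detection gap the previous unconditional `IsRunning` did not have. Consider keeping the process probe unconditional and using the package flag only for the display, or at least noting the intended dependency in the `# Description` comment so the skip is visibly deliberate.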
@@ -95,15 +96,15 @@
 if [ ${INETD_ACTIVE} -eq 0 -a -f ${INETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
 Register --test-no INSE-8006 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check configuration of inetd when disabled"
 if [ ${SKIPTEST} -eq 0 ]; then
- # Check if any service is enabled in /etc/inetd.conf (inetd is not active, see test 8002)
- LogText "Test: check if all services are disabled if inetd is disabled"
+ # Check if any service is enabled in /etc/inetd.conf (inetd is not active, see test INSE-8002)
+ LogText "Test: check if all services are disabled when inetd is disabled"
 FIND=$(${GREPBINARY} -v "^#" ${INETD_CONFIG_FILE} | ${GREPBINARY} -v "^$")
 if [ -z "${FIND}" ]; then
 LogText "Result: no services found in ${INETD_CONFIG_FILE}"
- Display --indent 4 --text "- Checking inetd.conf services" --result "${STATUS_OK}" --color GREEN
+ Display --indent 4 --text "- Checking enabled inetd services" --result "${STATUS_OK}" --color GREEN
 else
 LogText "Result: found services in inetd, even though inetd is not running"
- Display --indent 4 --text "- Checking inetd.conf services" --result "${STATUS_SUGGESTION}" --color YELLOW
+ Display --indent 4 --text "- Checking enabled inetd services" --result "${STATUS_SUGGESTION}" --color YELLOW
 ReportSuggestion ${TEST_NO} "Although inetd is not running, make sure no services are enabled in ${INETD_CONFIG_FILE}, or remove inetd service"
 fi
 fi
@@ -117,7 +118,7 @@
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: checking telnet presence in inetd configuration"
 FIND=$(${GREPBINARY} "^telnet" ${INETD_CONFIG_FILE})
- if [ "${FIND}" = "" ]; then
+ if [ -z "${FIND}" ]; then
 LogText "Result: telnet not enabled in ${INETD_CONFIG_FILE}"
 Display --indent 2 --text "- Checking inetd (telnet)" --result "${STATUS_NOT_FOUND}" --color GREEN
 AddHP 3 3
@@ -140,11 +141,11 @@
 PackageIsInstalled xinetd
 if [ $? -eq 0 ]; then
 LogText "Result: xinetd is installed"
- Display --indent 2 --text "- Checking xinetd installation" --result "${STATUS_SUGGESTION}" --color YELLOW
+ Display --indent 2 --text "- Installation of xinetd package" --result "${STATUS_FOUND}" --color YELLOW
 ReportSuggestion ${TEST_NO} "If there are no xinetd services required, it is recommended that the daemon be removed"
 else
 LogText "Result: xinetd is NOT installed"
- Display --indent 2 --text "- Checking xinetd installation" --result "${STATUS_OK}" --color GREEN
+ Display --indent 2 --text "- Installation of xinetd package" --result "${STATUS_OK}" --color GREEN
 fi
 fi
 #
@@ -152,18 +153,17 @@
 #
 # Test : INSE-8102
 # Description : Check for xinetd status
- Register --test-no INSE-8102 --weight L --network NO --category security --description "Check for enabled xinet daemon"
+ Register --test-no INSE-8102 --weight L --network NO --category security --description "Check for active xinet daemon"
 if [ ${SKIPTEST} -eq 0 ]; then
 # Check running processes
- LogText "Test: Searching for active xinet daemon"
- IsRunning xinetd
- if [ ${RUNNING} -eq 1 ]; then
+ LogText "Test: Searching for active extended internet services daemon (xinetd)"
+ if IsRunning "xinetd"; then
 LogText "Result: xinetd is running"
- Display --indent 4 --text "- Checking xinetd status" --result "ACTIVE" --color GREEN
+ Display --indent 4 --text "- xinetd status" --result "ACTIVE" --color GREEN
 XINETD_ACTIVE=1
 else
 LogText "Result: xinetd is NOT running"
- Display --indent 4 --text "- Checking xinetd status" --result "NOT ACTIVE" --color GREEN
+ Display --indent 4 --text "- xinetd status" --result "NOT ACTIVE" --color GREEN
 fi
 fi
 #
@@ -176,12 +176,12 @@
 if [ ${SKIPTEST} -eq 0 ]; then
 # Check configuration file
 LogText "Test: Searching for file ${XINETD_CONFIG_FILE}"
- if [ -f ${XINETD_CONFIG_FILE} ]; then
+ if [ -f "${XINETD_CONFIG_FILE}" ]; then
 LogText "Result: ${XINETD_CONFIG_FILE} exists"
- Display --indent 6 --text "- Checking xinetd.conf" --result "${STATUS_FOUND}" --color WHITE
+ Display --indent 6 --text "- Configuration file (xinetd.conf)" --result "${STATUS_FOUND}" --color WHITE
 else
 LogText "Result: ${XINETD_CONFIG_FILE} does not exist"
- Display --indent 6 --text "- Checking xinetd.conf" --result "${STATUS_NOT_FOUND}" --color WHITE
+ Display --indent 6 --text "- Configuration file (xinetd.conf)" --result "${STATUS_NOT_FOUND}" --color WHITE
 fi
 fi
 #
@@ -192,15 +192,15 @@
 if [ ${XINETD_ACTIVE} -eq 0 -a -f ${XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
 Register --test-no INSE-8106 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check configuration of xinetd when disabled"
 if [ ${SKIPTEST} -eq 0 ]; then
- # Check if any service is enabled in /etc/xinetd.d (xinetd is not active, see test 8102)
+ # Check if any service is enabled in /etc/xinetd.d (xinetd is not active, see test INSE-8102)
 LogText "Test: check if all services are disabled if xinetd is disabled"
 FIND=$(${GREPBINARY} -r "disable\s*=\s*no" ${XINETD_CONFIG_DIR})
 if [ -z "${FIND}" ]; then
 LogText "Result: no services found in ${XINETD_CONFIG_DIR}"
- Display --indent 6 --text "- Checking xinetd.d services" --result "${STATUS_OK}" --color GREEN
+ Display --indent 6 --text "- Enabled xinetd.d services" --result "${STATUS_NOT_FOUND}" --color GREEN
 else
 LogText "Result: found services in ${XINETD_CONFIG_DIR}, even though xinetd is not running"
- Display --indent 6 --text "- Checking xinetd.d services" --result "${STATUS_SUGGESTION}" --color YELLOW
+ Display --indent 6 --text "- Enabled xinetd.d services" --result "${STATUS_FOUND}" --color YELLOW
 ReportSuggestion ${TEST_NO} "Although xinetd is not running, make sure no services are enabled in ${XINETD_CONFIG_DIR}, or remove xinetd service"
 fi
 fi
@@ -208,350 +208,41 @@ ################################################################################# # # Test : INSE-8116 - # Description : Check for telnet enabled via xinetd - TELNET_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/telnet" - if [ ${XINETD_ACTIVE} -eq 1 -a -f ${TELNET_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no INSE-8116 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for telnet via xinetd" + # Description : Check for insecure services enabled via xinetd + if [ ${XINETD_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8116 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Insecure services enabled via xinetd" if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: checking telnet presence in xinetd configuration" - FIND=$(${GREPBINARY} "disable\s*=\s*no" ${TELNET_XINETD_CONFIG_FILE}) - if [ "${FIND}" = "" ]; then - LogText "Result: telnet not enabled in ${TELNET_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (telnet)" --result "${STATUS_DISABLED}" --color GREEN + XINETD_INSECURE_SERVICE_FOUND=0 + + ITEMS="chargen chargen-dgram chargen-stream daytime daytime-dgram daytime-stream discard discard-dgram discard-stream echo echo-dgram echo-stream time time-dgram time-stream ntalk rexec rlogin rsh talk telnet tftp" + + for SERVICE in ${ITEMS}; do + LogText "Test: checking service ${SERVICE}" + if ! SkipAtomicTest "${TEST_NO}:${SERVICE}"; then + FILE="${XINETD_CONFIG_DIR}/${SERVICE}" + if [ -f "${FILE}" ]; then + LogText "Test: checking status in xinetd configuration file (${FILE})" + FIND=$(${GREPBINARY} "disable\s*=\s*no" ${FILE}) + if [ ! 
-z "${FIND}" ]; then + LogText "Result: found insecure service enabled: ${SERVICE}" + XINETD_INSECURE_SERVICE_FOUND=1 + ReportSuggestion "${TEST_NO}" "Disable or remove any insecure services in the xinetd configuration" "${SERVICE}" "text:See log file for more details" + Report "insecure_service[]=${SERVICE}" + fi + fi + else + LogText "Result: skipped, as this item is excluded using the profile" + fi + done + + if [ ${XINETD_INSECURE_SERVICE_FOUND} -eq 0 ]; then + LogText "Result: no insecure services found in xinetd configuration" + Display --indent 6 --text "- Checking xinetd (insecure services)" --result "${STATUS_OK}" --color GREEN AddHP 3 3 else - LogText "Result: telnet enabled in ${TELNET_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (telnet)" --result "${STATUS_ENABLED}" --color RED - ReportSuggestion "${TEST_NO}" "Disable telnet in xinetd configuration and use SSH instead" - AddHP 1 3 - fi - fi -# -################################################################################# -# - # Test : INSE-8118 - # Description : Check for rsh enabled via xinetd - RSH_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/rsh" - if [ ${XINETD_ACTIVE} -eq 1 -a -f ${RSH_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no INSE-8118 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for rsh via xinetd" - if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: checking rsh presence in xinetd configuration" - FIND=$(${GREPBINARY} "disable\s*=\s*no" ${RSH_XINETD_CONFIG_FILE}) - if [ "${FIND}" = "" ]; then - LogText "Result: rsh not enabled in ${RSH_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (rsh)" --result "${STATUS_DISABLED}" --color GREEN - AddHP 3 3 - else - LogText "Result: rsh enabled in ${RSH_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (rsh)" --result "${STATUS_ENABLED}" --color RED - ReportSuggestion "${TEST_NO}" "Disable rsh in xinetd 
configuration and use SSH instead" - AddHP 1 3 - fi - fi -# -################################################################################# -# - # Test : INSE-8120 - # Description : Check for rlogin enabled via xinetd - RLOGIN_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/rlogin" - if [ ${XINETD_ACTIVE} -eq 1 -a -f ${RLOGIN_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no INSE-8120 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for rlogin via xinetd" - if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: checking rlogin presence in xinetd configuration" - FIND=$(${GREPBINARY} "disable\s*=\s*no" ${RLOGIN_XINETD_CONFIG_FILE}) - if [ "${FIND}" = "" ]; then - LogText "Result: rlogin not enabled in ${RLOGIN_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (rlogin)" --result "${STATUS_DISABLED}" --color GREEN - AddHP 3 3 - else - LogText "Result: rlogin enabled in ${RLOGIN_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (rlogin)" --result "${STATUS_ENABLED}" --color RED - ReportSuggestion "${TEST_NO}" "Disable rlogin in xinetd configuration and use SSH instead" - AddHP 1 3 - fi - fi -# -################################################################################# -# - # Test : INSE-8122 - # Description : Check for rexec enabled via xinetd - REXEC_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/rexec" - if [ ${XINETD_ACTIVE} -eq 1 -a -f ${REXEC_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no INSE-8122 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for rexec via xinetd" - if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: checking rexec presence in xinetd configuration" - FIND=$(${GREPBINARY} "disable\s*=\s*no" ${REXEC_XINETD_CONFIG_FILE}) - if [ "${FIND}" = "" ]; then - LogText "Result: rexec not enabled in ${REXEC_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking 
xinetd (rexec)" --result "${STATUS_DISABLED}" --color GREEN - AddHP 3 3 - else - LogText "Result: rexec enabled in ${REXEC_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (rexec)" --result "${STATUS_ENABLED}" --color RED - ReportSuggestion "${TEST_NO}" "Disable rexec in xinetd configuration and use SSH instead" - AddHP 1 3 - fi - fi -# -################################################################################# -# - # Test : INSE-8124 - # Description : Check for talk enabled via xinetd - TALK_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/talk" - if [ ${XINETD_ACTIVE} -eq 1 -a -f ${TALK_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no INSE-8124 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for talk via xinetd" - if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: checking talk presence in xinetd configuration" - FIND=$(${GREPBINARY} "disable\s*=\s*no" ${TALK_XINETD_CONFIG_FILE}) - if [ "${FIND}" = "" ]; then - LogText "Result: talk not enabled in ${TALK_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (talk)" --result "${STATUS_DISABLED}" --color GREEN - else - LogText "Result: talk enabled in ${TALK_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (talk)" --result "${STATUS_ENABLED}" --color RED - ReportSuggestion "${TEST_NO}" "Disable talk in xinetd configuration" - fi - fi -# -################################################################################# -# - # Test : INSE-8126 - # Description : Check for ntalk enabled via xinetd - NTALK_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/ntalk" - if [ ${XINETD_ACTIVE} -eq 1 -a -f ${NTALK_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no INSE-8126 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for ntalk via xinetd" - if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: checking ntalk presence in xinetd 
configuration" - FIND=$(${GREPBINARY} "disable\s*=\s*no" ${NTALK_XINETD_CONFIG_FILE}) - if [ "${FIND}" = "" ]; then - LogText "Result: ntalk not enabled in ${NTALK_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (ntalk)" --result "${STATUS_DISABLED}" --color GREEN - else - LogText "Result: ntalk enabled in ${NTALK_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (ntalk)" --result "${STATUS_ENABLED}" --color RED - ReportSuggestion "${TEST_NO}" "Disable ntalk in xinetd configuration" - fi - fi -# -################################################################################# -# - # Test : INSE-8128 - # Description : Check for chargen-dgram enabled via xinetd - CHARGEN_DGRAM_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/chargen-dgram" - if [ ${XINETD_ACTIVE} -eq 1 -a -f ${CHARGEN_DGRAM_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no INSE-8128 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for chargen-dgram via xinetd" - if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: checking chargen-dgram presence in xinetd configuration" - FIND=$(${GREPBINARY} "disable\s*=\s*no" ${CHARGEN_DGRAM_XINETD_CONFIG_FILE}) - if [ "${FIND}" = "" ]; then - LogText "Result: chargen-dgram not enabled in ${CHARGEN_DGRAM_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (chargen-dgram)" --result "${STATUS_DISABLED}" --color GREEN - else - LogText "Result: chargen-dgram enabled in ${CHARGEN_DGRAM_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (chargen-dgram)" --result "${STATUS_ENABLED}" --color RED - ReportSuggestion "${TEST_NO}" "Disable chargen-dgram in xinetd configuration" - fi - fi -# -################################################################################# -# - # Test : INSE-8130 - # Description : Check for chargen-stream enabled via xinetd - CHARGEN_STREAM_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/chargen-stream" - if [ 
${XINETD_ACTIVE} -eq 1 -a -f ${CHARGEN-STREAM_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no INSE-8130 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for chargen-stream via xinetd" - if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: checking chargen-stream presence in xinetd configuration" - FIND=$(${GREPBINARY} "disable\s*=\s*no" ${CHARGEN_STREAM_XINETD_CONFIG_FILE}) - if [ "${FIND}" = "" ]; then - LogText "Result: chargen-stream not enabled in ${CHARGEN_STREAM_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (chargen-stream)" --result "${STATUS_DISABLED}" --color GREEN - else - LogText "Result: chargen-stream enabled in ${CHARGEN_STREAM_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (chargen-stream)" --result "${STATUS_ENABLED}" --color RED - ReportSuggestion "${TEST_NO}" "Disable chargen-stream in xinetd configuration" - fi - fi -# -################################################################################# -# - # Test : INSE-8132 - # Description : Check for daytime-dgram enabled via xinetd - DAYTIME_DGRAM_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/daytime-dgram" - if [ ${XINETD_ACTIVE} -eq 1 -a -f ${DAYTIME_DGRAM_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no INSE-8132 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for daytime-dgram via xinetd" - if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: checking daytime-dgram presence in xinetd configuration" - FIND=$(${GREPBINARY} "disable\s*=\s*no" ${DAYTIME_DGRAM_XINETD_CONFIG_FILE}) - if [ "${FIND}" = "" ]; then - LogText "Result: daytime-dgram not enabled in ${DAYTIME_DGRAM_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (daytime-dgram)" --result "${STATUS_DISABLED}" --color GREEN - else - LogText "Result: daytime-dgram enabled in ${DAYTIME_DGRAM_XINETD_CONFIG_FILE}" - Display --indent 
6 --text "- Checking xinetd (daytime-dgram)" --result "${STATUS_ENABLED}" --color RED - ReportSuggestion "${TEST_NO}" "Disable daytime-dgram in xinetd configuration" - fi - fi -# -################################################################################# -# - # Test : INSE-8134 - # Description : Check for daytime-stream enabled via xinetd - DAYTIME_STREAM_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/daytime-stream" - if [ ${XINETD_ACTIVE} -eq 1 -a -f ${DAYTIME_STREAM_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no INSE-8134 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for daytime-stream via xinetd" - if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: checking daytime-stream presence in xinetd configuration" - FIND=$(${GREPBINARY} "disable\s*=\s*no" ${DAYTIME_STREAM_XINETD_CONFIG_FILE}) - if [ "${FIND}" = "" ]; then - LogText "Result: daytime-stream not enabled in ${DAYTIME_STREAM_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (daytime-stream)" --result "${STATUS_DISABLED}" --color GREEN - else - LogText "Result: daytime-stream enabled in ${DAYTIME_STREAM_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (daytime-stream)" --result "${STATUS_ENABLED}" --color RED - ReportSuggestion "${TEST_NO}" "Disable daytime-stream in xinetd configuration" - fi - fi -# -################################################################################# -# - # Test : INSE-8136 - # Description : Check for discard-dgram enabled via xinetd - DISCARD_DGRAM_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/discard-dgram" - if [ ${XINETD_ACTIVE} -eq 1 -a -f ${DISCARD_DGRAM_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no INSE-8136 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for discard-dgram via xinetd" - if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: checking discard-dgram presence in 
xinetd configuration" - FIND=$(${GREPBINARY} "disable\s*=\s*no" ${DISCARD_DGRAM_XINETD_CONFIG_FILE}) - if [ "${FIND}" = "" ]; then - LogText "Result: discard-dgram not enabled in ${DISCARD_DGRAM_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (discard-dgram)" --result "${STATUS_DISABLED}" --color GREEN - else - LogText "Result: discard-dgram enabled in ${DISCARD_DGRAM_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (discard-dgram)" --result "${STATUS_ENABLED}" --color RED - ReportSuggestion "${TEST_NO}" "Disable discard-dgram in xinetd configuration" - fi - fi -# -################################################################################# -# - # Test : INSE-8138 - # Description : Check for discard-stream enabled via xinetd - DISCARD_STREAM_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/discard-stream" - if [ ${XINETD_ACTIVE} -eq 1 -a -f ${DISCARD_STREAM_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no INSE-8138 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for discard-stream via xinetd" - if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: checking discard-stream presence in xinetd configuration" - FIND=$(${GREPBINARY} "disable\s*=\s*no" ${DISCARD_STREAM_XINETD_CONFIG_FILE}) - if [ "${FIND}" = "" ]; then - LogText "Result: discard-stream not enabled in ${DISCARD_STREAM_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (discard-stream)" --result "${STATUS_DISABLED}" --color GREEN - else - LogText "Result: discard-stream enabled in ${DISCARD_STREAM_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (discard-stream)" --result "${STATUS_ENABLED}" --color RED - ReportSuggestion "${TEST_NO}" "Disable discard-stream in xinetd configuration" - fi - fi -# -################################################################################# -# - # Test : INSE-8140 - # Description : Check for echo-dgram enabled via xinetd - 
ECHO_DGRAM_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/echo-dgram" - if [ ${XINETD_ACTIVE} -eq 1 -a -f ${ECHO_DGRAM_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no INSE-8140 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for echo-dgram via xinetd" - if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: checking echo-dgram presence in xinetd configuration" - FIND=$(${GREPBINARY} "disable\s*=\s*no" ${ECHO_DGRAM_XINETD_CONFIG_FILE}) - if [ "${FIND}" = "" ]; then - LogText "Result: echo-dgram not enabled in ${ECHO_DGRAM_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (echo-dgram)" --result "${STATUS_DISABLED}" --color GREEN - else - LogText "Result: echo-dgram enabled in ${ECHO_DGRAM_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (echo-dgram)" --result "${STATUS_ENABLED}" --color RED - ReportSuggestion "${TEST_NO}" "Disable echo-dgram in xinetd configuration" - fi - fi -# -################################################################################# -# - # Test : INSE-8142 - # Description : Check for echo-stream enabled via xinetd - ECHO_STREAM_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/echo-stream" - if [ ${XINETD_ACTIVE} -eq 1 -a -f ${ECHO_STREAM_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no INSE-8142 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for echo-stream via xinetd" - if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: checking echo-stream presence in xinetd configuration" - FIND=$(${GREPBINARY} "disable\s*=\s*no" ${ECHO_STREAM_XINETD_CONFIG_FILE}) - if [ "${FIND}" = "" ]; then - LogText "Result: echo-stream not enabled in ${ECHO_STREAM_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (echo-stream)" --result "${STATUS_DISABLED}" --color GREEN - else - LogText "Result: echo-stream enabled in ${ECHO_STREAM_XINETD_CONFIG_FILE}" - Display 
--indent 6 --text "- Checking xinetd (echo-stream)" --result "${STATUS_ENABLED}" --color RED - ReportSuggestion "${TEST_NO}" "Disable echo-stream in xinetd configuration" - fi - fi -# -################################################################################# -# - # Test : INSE-8144 - # Description : Check for time-dgram enabled via xinetd - TIME_DGRAM_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/time-dgram" - if [ ${XINETD_ACTIVE} -eq 1 -a -f ${TIME_DGRAM_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no INSE-8144 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for time-dgram via xinetd" - if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: checking time-dgram presence in xinetd configuration" - FIND=$(${GREPBINARY} "disable\s*=\s*no" ${TIME_DGRAM_XINETD_CONFIG_FILE}) - if [ "${FIND}" = "" ]; then - LogText "Result: time-dgram not enabled in ${TIME_DGRAM_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (time-dgram)" --result "${STATUS_DISABLED}" --color GREEN - else - LogText "Result: time-dgram enabled in ${TIME_DGRAM_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (time-dgram)" --result "${STATUS_ENABLED}" --color RED - ReportSuggestion "${TEST_NO}" "Disable time-dgram in xinetd configuration" - fi - fi -# -################################################################################# -# - # Test : INSE-8146 - # Description : Check for time-stream enabled via xinetd - TIME_STREAM_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/time-stream" - if [ ${XINETD_ACTIVE} -eq 1 -a -f ${TIME_STREAM_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no INSE-8146 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for time-stream via xinetd" - if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: checking time-stream presence in xinetd configuration" - FIND=$(${GREPBINARY} "disable\s*=\s*no" 
${TIME_STREAM_XINETD_CONFIG_FILE}) - if [ "${FIND}" = "" ]; then - LogText "Result: time-stream not enabled in ${TIME_STREAM_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (time-stream)" --result "${STATUS_DISABLED}" --color GREEN - else - LogText "Result: time-stream enabled in ${TIME_STREAM_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (time-stream)" --result "${STATUS_ENABLED}" --color RED - ReportSuggestion "${TEST_NO}" "Disable time-stream in xinetd configuration" - fi - fi -# -################################################################################# -# - # Test : INSE-8148 - # Description : Check for tftp enabled via xinetd - TFTP_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/tftp" - if [ ${XINETD_ACTIVE} -eq 1 -a -f ${TFTP_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no INSE-8148 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for tftp via xinetd" - if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: checking tftp presence in xinetd configuration" - FIND=$(${GREPBINARY} "disable\s*=\s*no" ${TFTP_XINETD_CONFIG_FILE}) - if [ "${FIND}" = "" ]; then - LogText "Result: tftp not enabled in ${TFTP_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (tftp)" --result "${STATUS_DISABLED}" --color GREEN - AddHP 3 3 - else - LogText "Result: tftp enabled in ${TFTP_XINETD_CONFIG_FILE}" - Display --indent 6 --text "- Checking xinetd (tftp)" --result "${STATUS_ENABLED}" --color RED - ReportSuggestion "${TEST_NO}" "Disable tftp in xinetd configuration" - AddHP 1 3 + LogText "Result: one ore more insecure services discovered in xinetd configuration" + Display --indent 6 --text "- Checking xinetd (insecure services)" --result "${STATUS_WARNING}" --color RED + AddHP 0 3 fi fi # 
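Review bot: The consolidated INSE-8116 loop decides "enabled" only from `FIND=$(${GREPBINARY} "disable\s*=\s*no" ${FILE})`, and that line has two gaps: `\s` is a GNU grep extension that BSD and busybox grep do not treat as whitespace, and, if I recall xinetd semantics correctly, a service stanza that carries no `disable` attribute at all is active, so such a file is reported as clean. `[[:space:]]*` is the portable spelling, and "no `disable[[:space:]]*=[[:space:]]*yes` line present" is the safer signal; the context line of INSE-8106 in the earlier hunk uses the same `\s` pattern. `${FILE}` should also be quoted, matching the `-f "${FILE}"` test directly above it, and the loop keys on file name only, whereas xinetd reads the service name from the stanza, so arbitrarily named files under the directory are missed (worth a comment if that limitation is accepted). Finally the new failure-branch LogText reads `one ore more`; it should be `one or more`.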
@@ -559,21 +250,21 @@
 #
 # Test : INSE-8150
 # Description : Check for rsync enabled via xinetd
- RSYNC_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/rsync"
- if [ ${XINETD_ACTIVE} -eq 1 -a -f ${RSYNC_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no INSE-8150 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for rsync via xinetd"
- if [ ${SKIPTEST} -eq 0 ]; then
- LogText "Test: checking rsync presence in xinetd configuration"
- FIND=$(${GREPBINARY} "disable\s*=\s*no" ${RSYNC_XINETD_CONFIG_FILE})
- if [ "${FIND}" = "" ]; then
- LogText "Result: rsync not enabled in ${RSYNC_XINETD_CONFIG_FILE}"
- Display --indent 6 --text "- Checking xinetd (rsync)" --result "${STATUS_DISABLED}" --color GREEN
- else
- LogText "Result: rsync enabled in ${RSYNC_XINETD_CONFIG_FILE}"
- Display --indent 6 --text "- Checking xinetd (rsync)" --result "${STATUS_ENABLED}" --color RED
- ReportSuggestion "${TEST_NO}" "Disable rsync in xinetd configuration"
- fi
- fi
+ #RSYNC_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/rsync"
+ #if [ ${XINETD_ACTIVE} -eq 1 -a -f ${RSYNC_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ #Register --test-no INSE-8150 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for rsync via xinetd"
+ #if [ ${SKIPTEST} -eq 0 ]; then
+ # LogText "Test: checking rsync presence in xinetd configuration"
+ # FIND=$(${GREPBINARY} "disable\s*=\s*no" ${RSYNC_XINETD_CONFIG_FILE})
+ # if [ "${FIND}" = "" ]; then
+ # LogText "Result: rsync not enabled in ${RSYNC_XINETD_CONFIG_FILE}"
+ # Display --indent 6 --text "- Checking xinetd (rsync)" --result "${STATUS_DISABLED}" --color GREEN
+ # else
+ # LogText "Result: rsync enabled in ${RSYNC_XINETD_CONFIG_FILE}"
+ # Display --indent 6 --text "- Checking xinetd (rsync)" --result "${STATUS_ENABLED}" --color RED
+ # ReportSuggestion "${TEST_NO}" "Disable rsync in xinetd configuration"
+ # fi
+ #fi
 #
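Review bot: INSE-8150 is commented out rather than deleted, and `rsync` is not in the `ITEMS` list of the consolidated INSE-8116 check above, so rsync-via-xinetd coverage disappears with this commit while fifteen lines of dead code stay behind. If dropping it is intended, delete the block and mention it in the commit message; otherwise add `rsync` to `ITEMS` and delete the block anyway. Presumably the INSE-8150 entry also lives in the test database outside this diff and would need the same decision.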
 #################################################################################
 #
@@ -582,23 +273,19 @@
 if [ ${INETD_ACTIVE} -eq 1 -o ${XINETD_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
 Register --test-no INSE-8200 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check if tcp_wrappers is installed when inetd/xinetd is active"
 if [ ${SKIPTEST} -eq 0 ]; then
- # Check if tcp_wrappers is installed when inetd/xinetd is active
 LogText "Test: Checking if tcp_wrappers is installed"
- FOUND=""
+ FOUND=0
 PACKAGES="tcp_wrappers tcpd"
 for PACKAGE in ${PACKAGES}; do
- PackageIsInstalled ${PACKAGE}
- if [ $? -eq 0 ];then
- FOUND=${PACKAGE}
- fi
+ if PackageIsInstalled ${PACKAGE}; then FOUND=1; fi
 done
- if [ ${FOUND} ]; then
+ if [ ${FOUND} -eq 1 ]; then
 LogText "Result: tcp_wrappers is installed"
 Display --indent 2 --text "- Checking tcp_wrappers installation" --result "${STATUS_OK}" --color GREEN
 else
 LogText "Result: tcp_wrappers is NOT installed"
 Display --indent 2 --text "- Checking tcp_wrappers installation" --result "${STATUS_SUGGESTION}" --color YELLOW
- ReportSuggestion ${TEST_NO} "When network services are using the inetd/xinetd service, the tcp_wrappers package should be installed"
+ #ReportSuggestion ${TEST_NO} "When network services are using the inetd/xinetd service, the tcp_wrappers package should be installed"
 fi
 fi
 #
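Review bot: `if PackageIsInstalled ${PACKAGE}; then FOUND=1; fi` in INSE-8200 leaves `${PACKAGE}` unquoted, while the identical new line in the INSE-8300, INSE-8304 and INSE-8402 hunks quotes it; `if PackageIsInstalled "${PACKAGE}"; then FOUND=1; fi` keeps the four consistent. In the else branch the Display still shows `${STATUS_SUGGESTION}` in YELLOW, but the ReportSuggestion under it is now commented out, so the screen announces a suggestion the report never contains; either restore the suggestion or switch the result to `${STATUS_NOT_FOUND}` and delete the commented line rather than keep it as dead code.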
@@ -608,20 +295,16 @@
 # Description : Check if rsh client is installed
 Register --test-no INSE-8300 --weight L --network NO --category security --description "Check if rsh client is installed"
 if [ ${SKIPTEST} -eq 0 ]; then
- # Check if rsh is installed
 LogText "Test: Checking if rsh client is installed"
- FOUND=""
+ FOUND=0
 PACKAGES="rsh rsh-client rsh-redone-client"
 for PACKAGE in ${PACKAGES}; do
- PackageIsInstalled ${PACKAGE}
- if [ $? -eq 0 ];then
- FOUND=${PACKAGE}
- fi
+ if PackageIsInstalled "${PACKAGE}"; then FOUND=1; fi
 done
- if [ ${FOUND} ]; then
+ if [ ${FOUND} -eq 1 ]; then
 LogText "Result: rsh client is installed"
 Display --indent 2 --text "- Checking rsh client installation" --result "${STATUS_SUGGESTION}" --color YELLOW
- ReportSuggestion ${TEST_NO} "Rsh client contain numerous security exposures and have been replaced with the more secure SSH package"
+ ReportSuggestion ${TEST_NO} "Remove rsh client when it is not in use or replace with the more secure SSH package"
 else
 LogText "Result: rsh client is NOT installed"
 Display --indent 2 --text "- Checking rsh client installation" --result "${STATUS_OK}" --color GREEN
@@ -631,36 +314,36 @@ ################################################################################# # # Test : INSE-8302 - # Description : Check presence of Rsh Trust Files - Register --test-no INSE-8302 --weight L --network NO --category security --description "Check presence of Rsh Trust Files" - if [ ${SKIPTEST} -eq 0 ]; then - # Check presence of Rsh Trust Files - FOUND=0 - for LINE in $(${CAT_BINARY} /etc/passwd | ${EGREPBINARY} -v '^(root|halt|sync|shutdown)' | ${AWKBINARY} -F: '($7 !="/sbin/nologin" && $7 != "/bin/false") { print }'); do - USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1) - DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6) - if [ -d ${DIR} ]; then - for RHOSTS in ${DIR}/.rhosts; do - if [ ! -h ${RHOSTS} -a -f ${RHOSTS} ]; then - LogText "FOUND .rhosts file in home directory ${DIR} of ${USER}" - FOUND=1 - fi - done - fi - done - if [ -f /etc/hosts.equiv ];then - LogText "FOUND /etc/hosts.equiv" - FOUND=1 - fi - if [ ${FOUND} -eq 1 ]; then - LogText "Result: found one or more Rsh Trust Files" - Display --indent 4 --text "- Checking presence of Rsh Trust Files" --result "${STATUS_SUGGESTION}" --color YELLOW - ReportSuggestion ${TEST_NO} "Remove every Rsh Trust Files as they can allow unauthenticated access to a system" - else - LogText "Result: no Rsh Trust Files found" - Display --indent 4 --text "- Checking presence of Rsh Trust Files" --result "${STATUS_OK}" --color GREEN - fi - fi + # Description : Check presence of rsh Trust Files + #Register --test-no INSE-8302 --weight L --network NO --category security --description "Check presence of rsh Trust Files" + #if [ ${SKIPTEST} -eq 0 ]; then + # # Check presence of Rsh Trust Files + # FOUND=0 + # for LINE in $(${CAT_BINARY} /etc/passwd | ${EGREPBINARY} -v '^(root|halt|sync|shutdown)' | ${AWKBINARY} -F: '($7 !="/sbin/nologin" && $7 != "/bin/false") { print }'); do + # USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1) + # DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6) + # if [ -d ${DIR} ]; then + # for RHOSTS in 
${DIR}/.rhosts; do + # if [ ! -h ${RHOSTS} -a -f ${RHOSTS} ]; then + # LogText "FOUND .rhosts file in home directory ${DIR} of ${USER}" + # FOUND=1 + # fi + # done + # fi + # done + # if [ -f /etc/hosts.equiv ];then + # LogText "FOUND /etc/hosts.equiv" + # FOUND=1 + # fi + # if [ ${FOUND} -eq 1 ]; then + # LogText "Result: found one or more Rsh Trust Files" + # Display --indent 4 --text "- Checking presence of Rsh Trust Files" --result "${STATUS_SUGGESTION}" --color YELLOW + # ReportSuggestion ${TEST_NO} "Remove every Rsh Trust Files as they can allow unauthenticated access to a system" + # else + # LogText "Result: no Rsh Trust Files found" + # Display --indent 4 --text "- Checking presence of Rsh Trust Files" --result "${STATUS_OK}" --color GREEN + # fi + #fi # ################################################################################# # @@ -670,19 +353,16 @@ if [ ${SKIPTEST} -eq 0 ]; then # Check if rsh server is installed LogText "Test: Checking if rsh server is installed" - FOUND="" + FOUND=0 PACKAGES="rsh-server rsh-redone-server" for PACKAGE in ${PACKAGES}; do - PackageIsInstalled ${PACKAGE} - if [ $? -eq 0 ];then - FOUND=${PACKAGE} - fi + if PackageIsInstalled "${PACKAGE}"; then FOUND=1; fi done - if [ ${FOUND} ]; then + if [ ${FOUND} -eq 1 ]; then LogText "Result: rsh server is installed" Display --indent 2 --text "- Checking rsh server installation" --result "${STATUS_SUGGESTION}" --color YELLOW - ReportSuggestion ${TEST_NO} "Removing the rsh-server package decreases the risk of the accidental (or intentional) activation of rsh services" - + ReportSuggestion ${TEST_NO} "Remove the rsh-server package and replace with a more secure alternative like SSH" + Report "insecure_service[]=rsh-server" else LogText "Result: rsh server is NOT installed" Display --indent 2 --text "- Checking rsh server installation" --result "${STATUS_OK}" --color GREEN 
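Review bot: The entire INSE-8302 rsh trust-file check (`~/.rhosts` and `/etc/hosts.equiv`) is commented out rather than fixed or removed, so a finding that documents unauthenticated login paths vanishes from the report with no explanation in the commit message. If the motive is the unsafe `for LINE in $(${CAT_BINARY} /etc/passwd | …)` loop, which word-splits on whitespace in the gecos field and breaks on spaces in home paths, the fix is a `while IFS=: read -r USER _ _ _ _ DIR SHELL; do … done < /etc/passwd` loop with the shell filter applied inside it, not a comment prefix. Otherwise delete the block; thirty commented lines are dead code that will drift from the surrounding helpers.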
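Review bot: In INSE-8304 `Report "insecure_service[]=rsh-server"` is emitted for any match, but `PACKAGES` also lists `rsh-redone-server`, and because `FOUND` is now a 0/1 flag the matched package name is no longer available to report. Keeping the name beside the flag, `if PackageIsInstalled "${PACKAGE}"; then FOUND=1; FOUND_PACKAGE="${PACKAGE}"; fi` followed by `Report "insecure_service[]=${FOUND_PACKAGE}"`, makes the report entry accurate; the INSE-8402 hunk further down has the same hard-coded entry. The body of this test ends outside the hunk.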
@@ -697,11 +377,12 @@ if [ ${SKIPTEST} -eq 0 ]; then # Check if telnet client is installed LogText "Test: Checking if telnet client is installed" - PackageIsInstalled telnet - if [ $? -eq 0 ]; then + if PackageIsInstalled "${PACKAGE}"; then FOUND=1; fi + if [ ${FOUND} -eq 1 ]; then LogText "Result: telnet client is installed" - Display --indent 2 --text "- Checking telnet client installation" --result "${STATUS_SUGGESTION}" --color YELLOW - ReportSuggestion ${TEST_NO} "telnet client contain numerous security exposures and have been replaced with the more secure SSH package" + Display --indent 2 --text "- Checking telnet client installation" --result "${STATUS_FOUND}" --color YELLOW + # Telnet client usage might be used for troubleshooting instead of system administration + #ReportSuggestion ${TEST_NO} "telnet client contain numerous security exposures and have been replaced with the more secure SSH package" else LogText "Result: telnet client is NOT installed" Display --indent 2 --text "- Checking telnet client installation" --result "${STATUS_OK}" --color GREEN 
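Review bot: The telnet client check now runs `PackageIsInstalled "${PACKAGE}"`, but this test never assigns `PACKAGE` and never resets `FOUND`, so it inherits whatever the preceding rsh-server loop left behind (`PACKAGE` is its last loop value and `FOUND` stays 1 if an rsh server was found) and no longer looks for the telnet package at all. The two lines should read `FOUND=0` and `if PackageIsInstalled "telnet"; then FOUND=1; fi`. The later `[PATCH 081/679]` hunk in this series rewrites the same line and carries the `"${PACKAGE}"` lookup forward, so it needs the same correction. The enclosing test block starts before this hunk.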
@@ -716,18 +397,16 @@ if [ ${SKIPTEST} -eq 0 ]; then # Check if TFTP server is installed LogText "Test: Checking if telnet server is installed" - FOUND="" + FOUND=0 PACKAGES="telnetd telnet-server" for PACKAGE in ${PACKAGES}; do - PackageIsInstalled ${PACKAGE} - if [ $? -eq 0 ];then - FOUND=${PACKAGE} - fi + if PackageIsInstalled "${PACKAGE}"; then FOUND=1; fi done - if [ ${FOUND} ]; then + if [ ${FOUND} -eq 1 ]; then LogText "Result: telnet server is installed" - Display --indent 2 --text "- Checking telnet server installation" --result "${STATUS_SUGGESTION}" --color YELLOW - ReportSuggestion ${TEST_NO} "Removing the ${FOUND} package decreases the risk of the accidental (or intentional) activation of telnet services" + Display --indent 2 --text "- Checking telnet server installation" --result "${STATUS_FOUND}" --color YELLOW + ReportSuggestion ${TEST_NO} "Removing the ${FOUND} package and replace with SSH when possible" + Report "insecure_service[]=telnet-server" else LogText "Result: telnet server is NOT installed" Display --indent 2 --text "- Checking telnet server installation" --result "${STATUS_OK}" --color GREEN From 72ba872a2fc2de1900f7a3f088b1b136a2751e32 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Thu, 4 Apr 2019 19:04:42 +0200 Subject: [PATCH 070/679] Improve text output for AIX systems --- include/osdetection | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/osdetection b/include/osdetection index 5ab80293..a6c18bb5 100644 --- a/include/osdetection +++ b/include/osdetection @@ -477,7 +477,7 @@ ECHONB="" case ${OS} in - "AIX") ECHOCMD="echo" ;; + "AIX") ECHOCMD="echo"; ECHONB="printf" ;; "DragonFly"|"FreeBSD"|"NetBSD") ECHOCMD="echo -e"; ECHONB="echo -n" ;; "macOS" | "Mac OS X") ECHOCMD="echo"; ECHONB="/bin/echo -n" ;; "Solaris") ECHOCMD="echo" ; test -f /usr/ucb/echo && ECHONB="/usr/ucb/echo -n" ;; From ef0b5b7641e4af2664e578386cba425c79517f04 Mon Sep 17 00:00:00 2001 
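Review bot: `ReportSuggestion ${TEST_NO} "Removing the ${FOUND} package and replace with SSH when possible"` interpolates `FOUND`, which this same hunk turns from a package name into the integer flag `1`, so the user is told to remove "the 1 package". Either hard-code the name as the new `Report "insecure_service[]=telnet-server"` line does, or set `FOUND_PACKAGE="${PACKAGE}"` inside the loop and use that in the message. The identical message survives as context in the `[PATCH 073/679]` hunk of this file further down. The `# Check if TFTP server is installed` comment above the LogText is also stale for a telnet check.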
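Review bot: Setting `ECHONB="printf"` makes the first argument of every `${ECHONB} …` call a printf format string, unlike the `echo -n` variants in the neighbouring arms, so a `%` or backslash sequence in displayed text would be interpreted rather than printed; whether any call site passes such text cannot be seen from this hunk. If one does, the callers need `printf '%s'` semantics on AIX rather than a bare `printf`. A comment on the arm, such as `# printf: first argument is a format string, not plain text`, would at least make the difference from the other arms visible to the next reader.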
From: Michael Boelen Date: Thu, 4 Apr 2019 19:05:02 +0200 Subject: [PATCH 071/679] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 664b52cf..a6a5e11d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,7 @@ - AUTH-9278 - Test LDAP in all PAM components on Red Hat and other systems - PKGS-7410 - Add support for DPKG-based systems to gather installed kernel packages - PKGS-7420 - Detect toolkit to automatically download and apply upgrades +- Improve text output for AIX systems --------------------------------------------------------------------------------- From 2750e9b7b8014a01b5e218d89856a37793529ec1 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sun, 7 Apr 2019 15:50:46 +0200 Subject: [PATCH 072/679] Detect equery binary --- include/binaries | 3 ++- include/consts | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/include/binaries b/include/binaries index ec9a634f..2ba93cfa 100644 --- a/include/binaries +++ b/include/binaries 
@@ -132,7 +132,8 @@ domainname) DOMAINNAMEBINARY="${BINARY}"; LogText " Found known binary: domainname (NIS domain) - ${BINARY}" ;; dpkg) DPKGBINARY="${BINARY}"; LogText " Found known binary: dpkg (package management) - ${BINARY}" ;; egrep) EGREPBINARY=${BINARY}; LogText " Found known binary: egrep (text search) - ${BINARY}" ;; - exim) EXIMBINARY="${BINARY}"; EXIMVERSION=$(${BINARY} -bV | grep 'Exim version' | awk '{ print $3 }' | xargs); LogText "Found ${BINARY} (version ${EXIMVERSION})" ;; + equery) EQUERYBINARY="${BINARY}"; LogText " Found known binary: query (package manager) - ${BINARY}" ;; + exim) EXIMBINARY="${BINARY}"; EXIMVERSION=$(${BINARY} -bV | grep 'Exim version' | awk '{ print $3 }' | xargs); LogText " Found known binary ${BINARY} (version ${EXIMVERSION})" ;; fail2ban-server) FAIL2BANBINARY="${BINARY}"; LogText " Found known binary: fail2ban (IPS tool) - ${BINARY}" ;; file) FILEBINARY="${BINARY}"; LogText " Found known binary: file (file type detection) - ${BINARY}" ;; find) FINDBINARY="${BINARY}"; LogText " Found known binary: find (search tool) - ${BINARY}" ;; diff --git a/include/consts b/include/consts index 1abe26f9..fa923c99 100644 --- a/include/consts +++ b/include/consts @@ -103,6 +103,7 @@ unset LANG DPKGBINARY="" ECHOCMD="" ERROR_ON_WARNINGS=0 + EQUERYBINARY="" FAIL2BANBINARY="" FILEBINARY="" FILEVALUE="" From f8b390617b14fefa045c24c3810488e3740fadcf Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sun, 7 Apr 2019 15:51:25 +0200 Subject: [PATCH 073/679] Changed screen output --- include/tests_insecure_services | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/include/tests_insecure_services b/include/tests_insecure_services index afed850e..2b673072 100644 --- a/include/tests_insecure_services +++ b/include/tests_insecure_services 
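Review bot: The new `equery)` arm logs `Found known binary: query (package manager)`, which drops the leading `e` of the binary's name and defeats anyone grepping the log for `equery`; `LogText " Found known binary: equery (package manager) - ${BINARY}"` keeps the format of the surrounding arms. The rewritten `exim)` log line, `Found known binary ${BINARY} (version …)`, also loses the colon-and-name layout every other arm uses.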
@@ -44,11 +44,11 @@ if PackageIsInstalled "inetd"; then INETD_PACKAGE_INSTALLED=1 LogText "Result: inetd is installed" - Display --indent 2 --text "- Installation of inetd package" --result "${STATUS_FOUND}" --color YELLOW + Display --indent 2 --text "- Installed inetd package" --result "${STATUS_FOUND}" --color YELLOW #ReportSuggestion ${TEST_NO} "If there are no inetd services required, it is recommended that the daemon be removed" else LogText "Result: inetd is NOT installed" - Display --indent 2 --text "- Installation of inetd package" --result "${STATUS_NOT_FOUND}" --color GREEN + Display --indent 2 --text "- Installed inetd package" --result "${STATUS_NOT_FOUND}" --color GREEN fi fi # @@ -141,11 +141,11 @@ PackageIsInstalled xinetd if [ $? -eq 0 ]; then LogText "Result: xinetd is installed" - Display --indent 2 --text "- Installation of xinetd package" --result "${STATUS_FOUND}" --color YELLOW + Display --indent 2 --text "- Installed xinetd package" --result "${STATUS_FOUND}" --color YELLOW ReportSuggestion ${TEST_NO} "If there are no xinetd services required, it is recommended that the daemon be removed" else LogText "Result: xinetd is NOT installed" - Display --indent 2 --text "- Installation of xinetd package" --result "${STATUS_OK}" --color GREEN + Display --indent 2 --text "- Installed xinetd package" --result "${STATUS_OK}" --color GREEN fi fi # 
@@ -303,11 +303,11 @@ done if [ ${FOUND} -eq 1 ]; then LogText "Result: rsh client is installed" - Display --indent 2 --text "- Checking rsh client installation" --result "${STATUS_SUGGESTION}" --color YELLOW + Display --indent 2 --text "- Installed rsh client package" --result "${STATUS_SUGGESTION}" --color YELLOW ReportSuggestion ${TEST_NO} "Remove rsh client when it is not in use or replace with the more secure SSH package" else LogText "Result: rsh client is NOT installed" - Display --indent 2 --text "- Checking rsh client installation" --result "${STATUS_OK}" --color GREEN + Display --indent 2 --text "- Installed rsh client package" --result "${STATUS_OK}" --color GREEN fi fi # @@ -360,12 +360,12 @@ done if [ ${FOUND} -eq 1 ]; then LogText "Result: rsh server is installed" - Display --indent 2 --text "- Checking rsh server installation" --result "${STATUS_SUGGESTION}" --color YELLOW + Display --indent 2 --text "- Installed rsh server package" --result "${STATUS_SUGGESTION}" --color YELLOW ReportSuggestion ${TEST_NO} "Remove the rsh-server package and replace with a more secure alternative like SSH" Report "insecure_service[]=rsh-server" else LogText "Result: rsh server is NOT installed" - Display --indent 2 --text "- Checking rsh server installation" --result "${STATUS_OK}" --color GREEN + Display --indent 2 --text "- Installed rsh server package" --result "${STATUS_OK}" --color GREEN fi fi # 
@@ -380,12 +380,12 @@ if PackageIsInstalled "${PACKAGE}"; then FOUND=1; fi if [ ${FOUND} -eq 1 ]; then LogText "Result: telnet client is installed" - Display --indent 2 --text "- Checking telnet client installation" --result "${STATUS_FOUND}" --color YELLOW + Display --indent 2 --text "- Installed telnet client package" --result "${STATUS_FOUND}" --color YELLOW # Telnet client usage might be used for troubleshooting instead of system administration #ReportSuggestion ${TEST_NO} "telnet client contain numerous security exposures and have been replaced with the more secure SSH package" else LogText "Result: telnet client is NOT installed" - Display --indent 2 --text "- Checking telnet client installation" --result "${STATUS_OK}" --color GREEN + Display --indent 2 --text "- Installed telnet client package" --result "${STATUS_OK}" --color GREEN fi fi # @@ -404,12 +404,12 @@ done if [ ${FOUND} -eq 1 ]; then LogText "Result: telnet server is installed" - Display --indent 2 --text "- Checking telnet server installation" --result "${STATUS_FOUND}" --color YELLOW + Display --indent 2 --text "- Installed telnet server package" --result "${STATUS_FOUND}" --color YELLOW ReportSuggestion ${TEST_NO} "Removing the ${FOUND} package and replace with SSH when possible" Report "insecure_service[]=telnet-server" else LogText "Result: telnet server is NOT installed" - Display --indent 2 --text "- Checking telnet server installation" --result "${STATUS_OK}" --color GREEN + Display --indent 2 --text "- Installed telnet server package" --result "${STATUS_NOT_FOUND}" --color GREEN fi fi # From 1e134bc1b36cbdadf3d42a8c0b3a0016318550c8 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sun, 7 Apr 2019 15:52:52 +0200 Subject: [PATCH 074/679] Extended function with more package managers --- include/functions | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/include/functions b/include/functions index e8965986..c1df0fbf 100644 --- a/include/functions 
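Review bot: The telnet server else-branch now reports `${STATUS_NOT_FOUND}`, while the parallel rsh client, rsh server and telnet client branches changed in this same commit keep `${STATUS_OK}`, so four sibling tests render the same outcome differently. The inetd hunk at the top of this commit already uses `STATUS_NOT_FOUND` and the xinetd one uses `STATUS_OK`, so the file is split both ways; pick one and apply it to every "not installed" arm. The `ReportSuggestion ${TEST_NO} "Removing the ${FOUND} package …"` context line still interpolates the integer flag `FOUND` into user-facing text.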
+++ b/include/functions @@ -1714,11 +1714,20 @@ Fatal "Incorrect usage of PackageIsInstalled function" fi - if [ ! -z "${RPMBINARY}" ]; then - output=$(${RPMBINARY} --quiet -q ${package} 2> /dev/null) + if [ ! -z "${DNFBINARY}" ]; then + output=$(${DNFBINARY} --quiet --cacheonly --noplugins --assumeno info --installed ${package} > /dev/null 2>&1) exit_code=$? elif [ ! -z "${DPKGBINARY}" ]; then - output=$(${DPKGBINARY} -l ${package} 2> /dev/null) + output=$(${DPKGBINARY} -l ${package} > /dev/null 2>&1) + exit_code=$? + elif [ ! -z "${EQUERYBINARY}" ]; then + output=$(${EQUERYBINARY} --quiet ${package} > /dev/null 2>&1) + exit_code=$? # 0=package installed, 3=package not installed + elif [ ! -z "${PKG_BINARY}" ]; then + output=$(${PKG_BINARY} -N info ${package} >& /dev/null) + exit_code=$? # 0=package installed, 70=invalid package + elif [ ! -z "${RPMBINARY}" ]; then + output=$(${RPMBINARY} --quiet -q ${package} > /dev/null 2>&1) exit_code=$? elif [ ! -z "${ZYPPERBINARY}" ]; then output=$(${ZYPPERBINARY} --quiet --non-interactive search --installed -i ${PACKAGE} 2> /dev/null | grep "^i") From 1a1d736fa7baee2983ae7b8452c64fb342313c32 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sun, 7 Apr 2019 15:53:04 +0200 Subject: [PATCH 075/679] Updated log --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index a6a5e11d..0d0187d7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
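Review bot: The `ZYPPERBINARY` branch kept as context at the bottom of the hunk passes `${PACKAGE}` where every other branch passes `${package}`, so on SUSE the function queries the caller's loop variable instead of its own argument and gives a wrong answer whenever a caller uses a different name; it should read `search --installed -i ${package}`. In the new DNF, dpkg, equery, pkg and rpm branches `output=$(… > /dev/null 2>&1)` always assigns an empty string, so either drop the `output=` capture or stop discarding stdout. `${package}` is unquoted in every branch; since the callers now pass `"${PACKAGE}"` quoted, `"${package}"` here would stop a name containing spaces or glob characters from expanding into extra arguments. The `equery --quiet ${package}` call appears to lack an equery module such as `list`; confirm it really returns 0/3 as the trailing comment claims. The function's signature and argument check are outside the hunk.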
@@ -12,12 +12,14 @@ - INSE-8200 - Usage of TCP wrappers - INSE-8300 - Presence of rsh client - INSE-8302 - Presence of rsh server +- Detect equery binary detection ### Changed - AUTH-9278 - Test LDAP in all PAM components on Red Hat and other systems - PKGS-7410 - Add support for DPKG-based systems to gather installed kernel packages - PKGS-7420 - Detect toolkit to automatically download and apply upgrades - Improve text output for AIX systems +- Extended PackageIsInstalled function --------------------------------------------------------------------------------- From 08ecd911801dd90215ab885e690dec3686cf1d36 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sun, 7 Apr 2019 19:03:21 +0200 Subject: [PATCH 076/679] Use ps instead of pgrep on AIX --- include/functions | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/include/functions b/include/functions index c1df0fbf..e3a09c0c 100644 --- a/include/functions +++ b/include/functions @@ -1284,7 +1284,8 @@ if [ -z "${search}" ]; then ExitFatal "Missing process to search for when using IsRunning function"; fi RUNNING=0 - if [ ! -z "${PGREPBINARY}" ]; then + # AIX does not fully support pgrep options, so using ps instead + if [ ! -z "${PGREPBINARY}" -a ! "${OS}" = "AIX" ]; then FIND=$(${PGREPBINARY} ${pgrep_options} "${search}" | ${TRBINARY} '\n' ' ') else if [ -z "${PSOPTIONS}" ]; then From 3516ce9de10528f08f949b09daa179e949b0596c Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Sun, 7 Apr 2019 19:03:28 +0200 Subject: [PATCH 077/679] Updated log --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0d0187d7..c7c09fc0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
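Review bot: The new condition `[ ! -z "${PGREPBINARY}" -a ! "${OS}" = "AIX" ]` relies on the deprecated `-a` operator and on `!` applied to a binary comparison, a five-argument `test` form whose result POSIX leaves unspecified; `[ -n "${PGREPBINARY}" ] && [ "${OS}" != "AIX" ]` says the same thing unambiguously. The added comment says AIX does not fully support pgrep options; naming which of `${pgrep_options}` is the problem would let someone re-enable pgrep there once that is fixed. The `IsRunning()` body starts before this hunk.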
@@ -18,8 +18,9 @@ - AUTH-9278 - Test LDAP in all PAM components on Red Hat and other systems - PKGS-7410 - Add support for DPKG-based systems to gather installed kernel packages - PKGS-7420 - Detect toolkit to automatically download and apply upgrades -- Improve text output for AIX systems +- AIX enhancement for IsRunning function - Extended PackageIsInstalled function +- Improve text output on AIX systems --------------------------------------------------------------------------------- From 71a0c79053119fedfcb68d47c7b4483b16a8ec1c Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 8 Apr 2019 07:53:04 +0200 Subject: [PATCH 078/679] Corrected stdout/stderr redirection for FreeBSD pkg tool --- include/functions | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/functions b/include/functions index e3a09c0c..26d8c378 100644 --- a/include/functions +++ b/include/functions @@ -1700,7 +1700,7 @@ ################################################################################ # Name : PackageIsInstalled() - # Description : Add a separator to log file between sections, tests etc + # Description : Determines if a package is installed # Returns : exit code # Notes : this function is not used yet, but created in advance to allow # the addition of support for all operating systems @@ -1725,7 +1725,7 @@ output=$(${EQUERYBINARY} --quiet ${package} > /dev/null 2>&1) exit_code=$? # 0=package installed, 3=package not installed elif [ ! -z "${PKG_BINARY}" ]; then - output=$(${PKG_BINARY} -N info ${package} >& /dev/null) + output=$(${PKG_BINARY} -N info ${package} >/dev/null 2>&1) exit_code=$? # 0=package installed, 70=invalid package elif [ ! -z "${RPMBINARY}" ]; then output=$(${RPMBINARY} --quiet -q ${package} > /dev/null 2>&1) From 137dc6f0ccb1abe91c6102362209c274e6897ec7 Mon Sep 17 00:00:00 2001 
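Review bot: The `# Notes : this function is not used yet, but created in advance …` line kept as context directly under the corrected description is now stale: `include/tests_insecure_services` in this same series calls `PackageIsInstalled` for the inetd, rsh and telnet packages. Replace it with a note that states the contract callers rely on, e.g. `# Notes : returns 0 only when the package is installed; callers use it directly as an if-condition`.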
From: Capashenn <37273010+Capashenn@users.noreply.github.com> Date: Mon, 8 Apr 2019 10:36:17 +0200 Subject: [PATCH 079/679] fix FILE-6374 (#672) --- include/tests_filesystems | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/tests_filesystems b/include/tests_filesystems index 43b9e7ec..8bf47685 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems @@ -560,7 +560,7 @@ # --------------------------------------------------------- FILESYSTEMS_TO_CHECK="/boot:nodev,noexec,nosuid /dev/shm:nosuid,nodev,noexec /home:nodev,nosuid /tmp:nodev,noexec,nosuid /var:nosuid /var/log:nodev,noexec,nosuid /var/log/audit:nodev,noexec,nosuid /var/tmp:nodev,noexec,nosuid" - Register --test-no FILE-6374 --os Linux --weight L --network NO --category security --description "Checking /boot mount options" + Register --test-no FILE-6374 --os Linux --weight L --network NO --category security --description "Checking partitions mount options" if [ ${SKIPTEST} -eq 0 ]; then if [ -f /etc/fstab ]; then for I in ${FILESYSTEMS_TO_CHECK}; do @@ -574,7 +574,7 @@ fi fi if [ ! -z "${FS_FSTAB}" ]; then - FOUND_FLAGS=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($2==fs) { print $4 } }' /etc/fstab | ${SEDBINARY} 's/,/ /g' | ${TRBINARY} '\n' ' ') + FOUND_FLAGS=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($2==fs) { print $4 } }' /etc/fstab | ${SEDBINARY} 's/,/ /g' | ${TRBINARY} -d '\n') LogText "File system: ${FILESYSTEM}" LogText "Expected flags: ${EXPECTED_FLAGS}" LogText "Found flags: ${FOUND_FLAGS}" From 256bc1da0fec522dc6cce84bba499416c367f6d8 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 8 Apr 2019 11:07:41 +0200 Subject: [PATCH 080/679] Undoed submitted pull request as it breaks testing at least on Ubuntu system --- include/tests_filesystems | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/include/tests_filesystems b/include/tests_filesystems index 8bf47685..7dc61933 100644 --- a/include/tests_filesystems 
+++ b/include/tests_filesystems @@ -566,7 +566,7 @@ for I in ${FILESYSTEMS_TO_CHECK}; do FILESYSTEM=$(echo ${I} | ${CUTBINARY} -d: -f1) EXPECTED_FLAGS=$(echo ${I} | ${CUTBINARY} -d: -f2 | ${SEDBINARY} 's/,/ /g') - FS_FSTAB=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($2==fs) { print $3 } }' /etc/fstab) + FS_FSTAB=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($2==fs) { print $3 } }' ${ROOTDIR}etc/fstab) if [ "${FS_FSTAB}" = "glusterfs" ]; then EXPECTED_FLAGS=$(echo ${EXPECTED_FLAGS} | ${SEDBINARY} 's/\<\(nodev\|nosuid\)\> *//g') if [ -z "${EXPECTED_FLAGS}" ]; then @@ -574,7 +574,7 @@ fi fi if [ ! -z "${FS_FSTAB}" ]; then - FOUND_FLAGS=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($2==fs) { print $4 } }' /etc/fstab | ${SEDBINARY} 's/,/ /g' | ${TRBINARY} -d '\n') + FOUND_FLAGS=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($2==fs) { print $4 } }' ${ROOTDIR}etc/fstab | ${SEDBINARY} 's/,/ /g' | ${TRBINARY} '\n' ' ') LogText "File system: ${FILESYSTEM}" LogText "Expected flags: ${EXPECTED_FLAGS}" LogText "Found flags: ${FOUND_FLAGS}" @@ -582,7 +582,7 @@ FULLY_HARDENED=1 for FLAG in ${EXPECTED_FLAGS}; do FLAG_AVAILABLE=$(echo ${FOUND_FLAGS} | ${GREPBINARY} ${FLAG}) - if [ "${FLAG_AVAILABLE}" = "" ]; then + if [ -z "${FLAG_AVAILABLE}" ]; then LogText "Result: Could not find mount option ${FLAG} on file system ${FILESYSTEM}" FULLY_HARDENED=0 else From fd8b1e790d3eb7e3d98b89fc66edd392862f8430 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Mon, 8 Apr 2019 15:09:18 +0200 Subject: [PATCH 081/679] Improved PackageIsInstalled function and its usage --- include/functions | 2 +- include/tests_insecure_services | 14 +++++++------- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/include/functions b/include/functions index 26d8c378..b15bda88 100644 --- a/include/functions +++ b/include/functions 
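Review bot: `FLAG_AVAILABLE=$(echo ${FOUND_FLAGS} | ${GREPBINARY} ${FLAG})`, the line above the rewritten `-z` test, is an unanchored regex/substring match, so an expected option counts as present whenever its text occurs inside another mount option; `${GREPBINARY} -w "${FLAG}"` makes the comparison whole-word. The `@@ -566` hunk of this commit switches the awk input to `${ROOTDIR}etc/fstab`, while the `if [ -f /etc/fstab ]` guard visible in the preceding commit's hunk still tests the host path, so with a non-default `ROOTDIR` the guard and the read disagree. The surrounding `for I in ${FILESYSTEMS_TO_CHECK}` loop starts before the hunk.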
@@ -1719,7 +1719,7 @@ output=$(${DNFBINARY} --quiet --cacheonly --noplugins --assumeno info --installed ${package} > /dev/null 2>&1) exit_code=$? elif [ ! -z "${DPKGBINARY}" ]; then - output=$(${DPKGBINARY} -l ${package} > /dev/null 2>&1) + output=$(${DPKGBINARY} -l ${package} 2> /dev/null | ${GREPBINARY} "^ii") exit_code=$? elif [ ! -z "${EQUERYBINARY}" ]; then output=$(${EQUERYBINARY} --quiet ${package} > /dev/null 2>&1) diff --git a/include/tests_insecure_services b/include/tests_insecure_services index 2b673072..841189d8 100644 --- a/include/tests_insecure_services +++ b/include/tests_insecure_services @@ -138,8 +138,7 @@ if [ ${SKIPTEST} -eq 0 ]; then # Check for installed xinetd daemon LogText "Test: Checking for installed xinetd daemon" - PackageIsInstalled xinetd - if [ $? -eq 0 ]; then + if PackageIsInstalled "xinetd"; then LogText "Result: xinetd is installed" Display --indent 2 --text "- Installed xinetd package" --result "${STATUS_FOUND}" --color YELLOW ReportSuggestion ${TEST_NO} "If there are no xinetd services required, it is recommended that the daemon be removed" @@ -277,7 +276,7 @@ FOUND=0 PACKAGES="tcp_wrappers tcpd" for PACKAGE in ${PACKAGES}; do - if PackageIsInstalled ${PACKAGE}; then FOUND=1; fi + if PackageIsInstalled "${PACKAGE}"; then LogText "Package '${PACKAGE}' is installed"; FOUND=1; fi done if [ ${FOUND} -eq 1 ]; then LogText "Result: tcp_wrappers is installed" @@ -299,7 +298,7 @@ FOUND=0 PACKAGES="rsh rsh-client rsh-redone-client" for PACKAGE in ${PACKAGES}; do - if PackageIsInstalled "${PACKAGE}"; then FOUND=1; fi + if PackageIsInstalled "${PACKAGE}"; then LogText "Package '${PACKAGE}' is installed"; FOUND=1; fi done if [ ${FOUND} -eq 1 ]; then LogText "Result: rsh client is installed" 
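Review bot: `${DPKGBINARY} -l ${package} 2> /dev/null | ${GREPBINARY} "^ii"` fixes the removed-but-not-purged case, but it relies on the first two characters of a human-readable listing, and `^ii` matches any row, so a `${package}` argument containing a dpkg glob reports success for whatever installed package happens to match. `${DPKGBINARY} -s ${package} 2> /dev/null | ${GREPBINARY} -q "^Status: install ok installed"` asks the status database directly and keeps `exit_code=$?` meaningful as the grep status. The `output=` capture on the same line still collects text that nothing reads.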
@@ -356,7 +355,7 @@ FOUND=0 PACKAGES="rsh-server rsh-redone-server" for PACKAGE in ${PACKAGES}; do - if PackageIsInstalled "${PACKAGE}"; then FOUND=1; fi + if PackageIsInstalled "${PACKAGE}"; then LogText "Package '${PACKAGE}' is installed"; FOUND=1; fi done if [ ${FOUND} -eq 1 ]; then LogText "Result: rsh server is installed" @@ -377,7 +376,8 @@ if [ ${SKIPTEST} -eq 0 ]; then # Check if telnet client is installed LogText "Test: Checking if telnet client is installed" - if PackageIsInstalled "${PACKAGE}"; then FOUND=1; fi + if PackageIsInstalled "${PACKAGE}"; then LogText "Package '${PACKAGE}' is installed"; FOUND=1; fi + if [ ${FOUND} -eq 1 ]; then LogText "Result: telnet client is installed" Display --indent 2 --text "- Installed telnet client package" --result "${STATUS_FOUND}" --color YELLOW @@ -400,7 +400,7 @@ FOUND=0 PACKAGES="telnetd telnet-server" for PACKAGE in ${PACKAGES}; do - if PackageIsInstalled "${PACKAGE}"; then FOUND=1; fi + if PackageIsInstalled "${PACKAGE}"; then LogText "Package '${PACKAGE}' is installed"; FOUND=1; fi done if [ ${FOUND} -eq 1 ]; then LogText "Result: telnet server is installed" From fe09e4ebaa8f52cd6b7c01bc2088001cce4a7afe Mon Sep 17 00:00:00 2001 From: Capashenn <37273010+Capashenn@users.noreply.github.com> Date: Tue, 9 Apr 2019 06:49:34 +0200 Subject: [PATCH 082/679] fix SHLL-6220 description (#673) --- include/tests_shells | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_shells b/include/tests_shells index 8f9763b4..80735064 100644 --- a/include/tests_shells +++ b/include/tests_shells 
@@ -99,7 +99,7 @@ # # Test : SHLL-6220 # Description : check for idle session killing tools or settings - Register --test-no SHLL-6220 --weight L --network NO --category security --description "Checking available and valid shells" + Register --test-no SHLL-6220 --weight L --network NO --category security --description "check for idle session killing tools or settings" if [ ${SKIPTEST} -eq 0 ]; then IDLE_TIMEOUT_METHOD="" From 15c942ac24adbac67f13f97d554a6e97986507c2 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 9 Apr 2019 06:51:47 +0200 Subject: [PATCH 083/679] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index c7c09fc0..fa67946f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,7 @@ - AUTH-9278 - Test LDAP in all PAM components on Red Hat and other systems - PKGS-7410 - Add support for DPKG-based systems to gather installed kernel packages - PKGS-7420 - Detect toolkit to automatically download and apply upgrades +- Minor changes to improve text output and test descriptions - AIX enhancement for IsRunning function - Extended PackageIsInstalled function - Improve text output on AIX systems From d90c43d06cbf10b90da61593beac6bb85d7be083 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 9 Apr 2019 06:52:00 +0200 Subject: [PATCH 084/679] Updated descriptions --- include/tests_shells | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/include/tests_shells b/include/tests_shells index 80735064..3a094ad8 100644 --- a/include/tests_shells +++ b/include/tests_shells @@ -31,9 +31,10 @@ # Files (interactive login shells): /etc/profile $HOME/.bash_profile # $HOME/.bash_login $HOME/.profile # Files (interactive non-login shells): $HOME/.bash_rc - + # # csh/tcsh # Files: /etc/csh.cshrc /etc/csh.login + # # zsh # Files: /etc/zshenv /etc/zsh/zshenv $HOME/.zshenv /etc/zprofile # /etc/zsh/zprofile $HOME/.zprofile /etc/zshrc /etc/zsh/zshrc 
@@ -68,8 +69,8 @@ ################################################################################# # # Test : SHLL-6211 - # Description : which shells are available according /etc/shells - Register --test-no SHLL-6211 --weight L --network NO --category security --description "Checking available and valid shells" + # Description : Determine available shell according /etc/shells + Register --test-no SHLL-6211 --weight L --network NO --category security --description "Available and valid shells" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Searching for ${ROOTDIR}etc/shells" if [ -f ${ROOTDIR}etc/shells ]; then @@ -98,8 +99,8 @@ ################################################################################# # # Test : SHLL-6220 - # Description : check for idle session killing tools or settings - Register --test-no SHLL-6220 --weight L --network NO --category security --description "check for idle session killing tools or settings" + # Description : Check for idle session killing tools or settings + Register --test-no SHLL-6220 --weight L --network NO --category security --description "Idle session killing tools or settings" if [ ${SKIPTEST} -eq 0 ]; then IDLE_TIMEOUT_METHOD="" From e195e7c8e0be65491745a4a89b559d60c5106ed7 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 9 Apr 2019 08:26:16 +0200 Subject: [PATCH 085/679] Corrected lsvg binary detection --- include/binaries | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/binaries b/include/binaries index 2ba93cfa..7bf0d233 100644 --- a/include/binaries +++ b/include/binaries 
@@ -166,7 +166,7 @@ lsattr) LSATTRBINARY="${BINARY}"; LogText " Found known binary: lsattr (file attributes) - ${BINARY}" ;; lsmod) LSMODBINARY="${BINARY}"; LogText " Found known binary: lsmod (kernel modules) - ${BINARY}" ;; lsof) LSOFBINARY="${BINARY}"; LogText " Found known binary: lsof (open files) - ${BINARY}" ;; - lsvg) LVSGBINARY=${BINARY}; LogText " Found known binary: lsvg (volume manager) - ${BINARY}" ;; + lsvg) LSVGBINARY=${BINARY}; LogText " Found known binary: lsvg (volume manager) - ${BINARY}" ;; lvdisplay) LVDISPLAYBINARY="${BINARY}"; LogText " Found known binary: lvdisplay (LVM tool) - ${BINARY}" ;; lynx) LYNXBINARY="${BINARY}"; LYNXVERSION=$(${BINARY} -version | grep "^Lynx Version" | cut -d ' ' -f3); LogText "Found known binary: lynx (browser) - ${BINARY} (version ${LYNXVERSION})" ;; maldet) LMDBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: maldet (Linux Malware Detect, malware scanner) - ${BINARY}" ;; From 6bc2aefbd4ef905e48c86f416b95eb919da3511e Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 9 Apr 2019 08:26:24 +0200 Subject: [PATCH 086/679] Updated log --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index fa67946f..8d73513c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -22,6 +22,7 @@ - AIX enhancement for IsRunning function - Extended PackageIsInstalled function - Improve text output on AIX systems +- Corrected lsvg binary detection --------------------------------------------------------------------------------- From 2d0c68493154e8dfee061f7a101a3a689a29097f Mon Sep 17 00:00:00 2001 
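Review bot: `lsvg) LSVGBINARY=${BINARY};` fixes the misspelled variable but keeps the one unquoted assignment in this run of `case` arms; `LSVGBINARY="${BINARY}"` matches its neighbours `lsof` and `lvdisplay`. Whether `include/consts` initialises `LSVGBINARY` rather than the old `LVSGBINARY` cannot be seen here; any `-z "${LSVGBINARY}"` test elsewhere needs the matching default after this rename.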
From: Michael Boelen Date: Sat, 13 Apr 2019 13:26:56 +0200 Subject: [PATCH 087/679] Added new 'generate' command --- include/consts | 2 + include/functions | 22 ++++++++-- include/helper_generate | 89 +++++++++++++++++++++++++++++++++++++++++ include/helper_show | 12 ++++++ include/parameters | 18 +++++++++ 5 files changed, 140 insertions(+), 3 deletions(-) create mode 100644 include/helper_generate diff --git a/include/consts b/include/consts index fa923c99..24a32167 100644 --- a/include/consts +++ b/include/consts @@ -251,8 +251,10 @@ unset LANG SHOW_REPORT_SOLUTION=1 SHOW_TOOL_TIPS=1 # Show inline tool tips (default true) SHOW_WARNINGS_ONLY=0 + SKIP_GETHOSTID=0 SKIP_PLUGINS=0 SKIP_TESTS="" + SKIP_VM_DETECTION=0 SKIPREASON="" SKIPPED_TESTS_ROOTONLY="" SMTPCTLBINARY="" diff --git a/include/functions b/include/functions index b15bda88..35cb6b00 100644 --- a/include/functions +++ b/include/functions @@ -805,15 +805,26 @@ # Name : GetHostID() # Description : Create an unique id for the system # - # Returns : optional value + # Returns : 0 = fetched or created IDs, 1 = failed, 2 = skipped # Usage : GetHostID ################################################################################ GetHostID() { + if [ ${SKIP_GETHOSTID} -eq 1 ]; then + return 2 + fi + if [ ! -z "${HOSTID}" -a ! -z "${HOSTID2}" ]; then Debug "Skipping creation of host identifiers, as they are already configured (via profile)" - return 1 + return 2 + fi + + if [ -f "${ROOTDIR}etc/lynis/hostids" ]; then + Debug "Used hostids file to fetch values" + HOSTID=$(grep "^hostid=" ${ROOTDIR}etc/lynis/hostids | awk -F= '{print $2}') + HOSTID2=$(grep "^hostid2=" ${ROOTDIR}etc/lynis/hostids | awk -F= '{print $2}') + return 0 fi FIND="" 
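Review bot: The new hostids branch reads `HOSTID` and `HOSTID2` from `${ROOTDIR}etc/lynis/hostids` with bare `grep`/`awk` instead of the `${GREPBINARY}`/`${AWKBINARY}` wrappers used elsewhere in this file, and it returns 0 with whatever string follows `hostid=` without any format check. Since these identifiers are otherwise generated by the function itself and end up in reports, validate the file values before accepting them, e.g. `case "${HOSTID}" in ""|*[!0-9a-f]*) HOSTID="" ;; esac` for each (assuming the generated identifiers are lowercase hex — confirm against the generation code below), and fall through to generation when the file content is unusable. `awk -F= '{print $2}'` also truncates a value containing a second `=`; `sed 's/^hostid=//'` keeps the whole remainder. The `Returns` header now promises 2 for "skipped" where the code previously returned 1; callers that branch on that value are outside this hunk and need the same update.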
@@ -1110,8 +1121,9 @@ fi # Show an exception if no HostID could be created, to ensure each system (and scan) has one - if [ "${HOSTID}" = "" ]; then + if [ -z "${HOSTID}" ]; then ReportException "GetHostID" "No unique host identifier could be created." + return 1 elif [ ! -z "${HOSTID2}" ]; then return 0 fi @@ -1393,6 +1405,10 @@ ISVIRTUALMACHINE=2; VMTYPE="unknown"; VMFULLTYPE="Unknown" SHORT="" + if [ ${SKIP_VM_DETECTION} -eq 1 ]; then + return 2 + fi + # lxc environ detection if [ -z "${SHORT}" ]; then if [ -f /proc/1/environ ]; then diff --git a/include/helper_generate b/include/helper_generate new file mode 100644 index 00000000..bdcfb44d --- /dev/null +++ b/include/helper_generate @@ -0,0 +1,89 @@ +#!/bin/sh + +################################################################################# +# +# Lynis +# ------------------ +# +# Copyright 2007-2013, Michael Boelen +# Copyright 2007-2019, CISOfy +# +# Website : https://cisofy.com +# Blog : http://linux-audit.com +# GitHub : https://github.com/CISOfy/lynis +# +# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are +# welcome to redistribute it under the terms of the GNU General Public License. +# See LICENSE file for usage of this software. +# +###################################################################### +# +# Helper program to generate specific details such as host IDs +# +###################################################################### +# +# How to use: +# ------------ +# Run: lynis generate