mirror of
https://github.com/CISOfy/lynis.git
synced 2025-07-27 15:54:09 +02:00
[KRNL-5788] Only run relevant tests and improved logging
This commit is contained in:
Michael Boelen
parent
83296d6e8f
commit
b0ca58895b
@ -368,14 +368,14 @@
|
|||||||
#
|
#
|
||||||
# Test : KRNL-5788
|
# Test : KRNL-5788
|
||||||
# Description : Checking availability new kernel
|
# Description : Checking availability new kernel
|
||||||
if [ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION}" = "Ubuntu" ] ||
|
if [ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION}" = "Ubuntu" ] || [ "${LINUX_VERSION_LIKE}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" = "Ubuntu" ]; then
|
||||||
[ "${LINUX_VERSION_LIKE}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" = "Ubuntu" ]; then
|
|
||||||
PREQS_MET="YES"
|
PREQS_MET="YES"
|
||||||
else
|
else
|
||||||
PREQS_MET="NO"
|
PREQS_MET="NO"
|
||||||
fi
|
fi
|
||||||
Register --test-no KRNL-5788 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking availability new Linux kernel"
|
Register --test-no KRNL-5788 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking availability new Linux kernel"
|
||||||
if [ ${SKIPTEST} -eq 0 ]; then
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
|
FINDKERNEL=""
|
||||||
HAS_VMLINUZ=0
|
HAS_VMLINUZ=0
|
||||||
LogText "Test: Searching apt-cache, to determine if a newer kernel is available"
|
LogText "Test: Searching apt-cache, to determine if a newer kernel is available"
|
||||||
if [ -x ${ROOTDIR}usr/bin/apt-cache ]; then
|
if [ -x ${ROOTDIR}usr/bin/apt-cache ]; then
|
||||||
@ -384,62 +384,69 @@
|
|||||||
if [ -f ${ROOTDIR}vmlinuz -o -f ${ROOTDIR}boot/vmlinuz ]; then
|
if [ -f ${ROOTDIR}vmlinuz -o -f ${ROOTDIR}boot/vmlinuz ]; then
|
||||||
HAS_VMLINUZ=1
|
HAS_VMLINUZ=1
|
||||||
if [ -f ${ROOTDIR}vmlinuz ]; then
|
if [ -f ${ROOTDIR}vmlinuz ]; then
|
||||||
FINDVMLINUZ=${ROOTDIR}vmlinuz
|
FINDVMLINUZ="${ROOTDIR}vmlinuz"
|
||||||
else
|
else
|
||||||
FINDVMLINUZ=${ROOTDIR}boot/vmlinuz
|
FINDVMLINUZ="${ROOTDIR}boot/vmlinuz"
|
||||||
fi
|
fi
|
||||||
LogText "Result: found ${FINDVMLINUZ}"
|
LogText "Result: found ${FINDVMLINUZ}"
|
||||||
LogText "Test: checking readlink location of ${FINDVMLINUZ}"
|
LogText "Test: checking readlink location of ${FINDVMLINUZ}"
|
||||||
FINDKERNFILE=$(readlink -f ${FINDVMLINUZ})
|
FINDKERNFILE=$(readlink -f ${FINDVMLINUZ})
|
||||||
LogText "Output: readlink reported file ${FINDKERNFILE}"
|
LogText "Output: readlink reported file ${FINDKERNFILE}"
|
||||||
LogText "Test: checking package from dpkg -S"
|
LogText "Test: checking relevant package using output from dpkg -S"
|
||||||
FINDKERNEL=$(dpkg -S ${FINDKERNFILE} 2> /dev/null | ${AWKBINARY} -F : '{print $1}')
|
FINDKERNEL=$(dpkg -S ${FINDKERNFILE} 2> /dev/null | ${AWKBINARY} -F : '{print $1}')
|
||||||
LogText "Output: dpkg -S reported package ${FINDKERNEL}"
|
LogText "Output: dpkg -S reported package ${FINDKERNEL}"
|
||||||
elif [ -e ${ROOTDIR}dev/grsec ]; then
|
elif [ -e ${ROOTDIR}dev/grsec ]; then
|
||||||
FINDKERNEL=linux-image-$(uname -r)
|
FINDKERNEL="linux-image-$(uname -r)"
|
||||||
LogText "Result: ${ROOTDIR}vmlinuz missing due to grsecurity; assuming ${FINDKERNEL}"
|
LogText "Result: ${ROOTDIR}vmlinuz missing due to grsecurity; assuming ${FINDKERNEL}"
|
||||||
elif [ -e ${ROOTDIR}etc/rpi-issue ]; then
|
elif [ -e ${ROOTDIR}etc/rpi-issue ]; then
|
||||||
FINDKERNEL=raspberrypi-kernel
|
FINDKERNEL="raspberrypi-kernel"
|
||||||
LogText "Result: ${ROOTDIR}vmlinuz missing due to Raspbian"
|
LogText "Result: ${ROOTDIR}vmlinuz missing due to Raspbian"
|
||||||
elif `${EGREPBINARY} -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf`; then
|
elif $(${EGREPBINARY} -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf); then
|
||||||
FINDKERNEL=linux-image-$(uname -r)
|
FINDKERNEL="linux-image-$(uname -r)"
|
||||||
LogText "Result: ${ROOTDIR}vmlinuz missing due to /etc/kernel-img.conf item do_symlinks = No"
|
LogText "Result: ${ROOTDIR}vmlinuz missing due to /etc/kernel-img.conf item do_symlinks = No"
|
||||||
else
|
else
|
||||||
LogText "This system is missing ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz. Unable to check whether kernel is up-to-date."
|
LogText "This system is missing ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz. Unable to check whether kernel is up-to-date."
|
||||||
ReportSuggestion "${TEST_NO}" "Determine why ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz is missing on this Debian/Ubuntu system." "/vmlinuz or /boot/vmlinuz"
|
ReportSuggestion "${TEST_NO}" "Determine why ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz is missing on this Debian/Ubuntu system." "/vmlinuz or /boot/vmlinuz"
|
||||||
fi
|
fi
|
||||||
LogText "Test: Using apt-cache policy to determine if there is an update available"
|
|
||||||
FINDINST=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ')
|
if IsEmpty "${FINDKERNEL}"; then
|
||||||
FINDCAND=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Candidate' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ')
|
LogText "Result: could not check kernel update status as kernel is unknown"
|
||||||
LogText "Kernel installed: ${FINDINST}"
|
|
||||||
LogText "Kernel candidate: ${FINDCAND}"
|
|
||||||
if IsEmpty "${FINDINST}"; then
|
|
||||||
Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_UNKNOWN}" --color YELLOW
|
|
||||||
LogText "Result: Exception occurred, no output from apt-cache policy"
|
|
||||||
if [ ${HAS_VMLINUZ} -eq 1 ]; then
|
|
||||||
ReportException "${TEST_NO}:01"
|
|
||||||
ReportSuggestion "${TEST_NO}" "Check the output of apt-cache policy to determine why its output is empty"
|
|
||||||
fi
|
|
||||||
LogText "Result: apt-cache policy did not return an installed kernel version"
|
|
||||||
else
|
else
|
||||||
if [ "${FINDINST}" = "${FINDCAND}" ]; then
|
LogText "Result: found kernel '${FINDKERNEL}' which will be used for further testing"
|
||||||
if [ -e /dev/grsec ]; then
|
LogText "Test: Using apt-cache policy to determine if there is an update available"
|
||||||
Display --indent 2 --text "- Checking for available kernel update" --result GRSEC --color GREEN
|
FINDINSTALLED=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ')
|
||||||
LogText "Result: Grsecurity is installed; unable to determine if there's a newer kernel available"
|
FINDCANDIDATE=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Candidate' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ')
|
||||||
ReportManual "Manually check to confirm you're using a recent kernel and grsecurity patch"
|
LogText "Kernel installed: ${FINDINSTALLED}"
|
||||||
else
|
LogText "Kernel candidate: ${FINDCANDIDATE}"
|
||||||
Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_OK}" --color GREEN
|
if IsEmpty "${FINDINSTALLED}"; then
|
||||||
LogText "Result: no kernel update available"
|
Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_UNKNOWN}" --color YELLOW
|
||||||
|
LogText "Result: Exception occurred, no output from apt-cache policy"
|
||||||
|
if [ ${HAS_VMLINUZ} -eq 1 ]; then
|
||||||
|
ReportException "${TEST_NO}:01" "Found vmlinuz (${FINDVMLINUZ}) but could not determine the installed kernel using apt-cache policy"
|
||||||
|
ReportSuggestion "${TEST_NO}" "Check the output of apt-cache policy to determine why its output is empty"
|
||||||
fi
|
fi
|
||||||
|
LogText "Result: apt-cache policy did not return an installed kernel version"
|
||||||
else
|
else
|
||||||
Display --indent 2 --text "- Checking for available kernel update" --result "UPDATE AVAILABLE" --color YELLOW
|
if [ "${FINDINSTALLED}" = "${FINDCANDIDATE}" ]; then
|
||||||
LogText "Result: kernel update available according 'apt-cache policy'."
|
if [ -e /dev/grsec ]; then
|
||||||
ReportSuggestion "${TEST_NO}" "Determine priority for available kernel update"
|
Display --indent 2 --text "- Checking for available kernel update" --result GRSEC --color GREEN
|
||||||
|
LogText "Result: Grsecurity is installed; unable to determine if there's a newer kernel available"
|
||||||
|
ReportManual "Manually check to confirm you're using a recent kernel and grsecurity patch"
|
||||||
|
else
|
||||||
|
Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_OK}" --color GREEN
|
||||||
|
LogText "Result: no kernel update available"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
Display --indent 2 --text "- Checking for available kernel update" --result "UPDATE AVAILABLE" --color YELLOW
|
||||||
|
LogText "Result: kernel update available according 'apt-cache policy'."
|
||||||
|
ReportSuggestion "${TEST_NO}" "Determine priority for available kernel update"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
LogText "Result: could NOT find /usr/bin/apt-cache, skipped other tests."
|
LogText "Result: could NOT find ${ROOTDIR}usr/bin/apt-cache, skipped other tests."
|
||||||
fi
|
fi
|
||||||
|
unset FINDCANDIDATE FINDINSTALLED FINDKERNEL HAS_VMLINUZ
|
||||||
fi
|
fi
|
||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user