tyler.durden
/
lynis
mirror of https://github.com/CISOfy/lynis.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Added support to require a detected and known package manager

This commit is contained in:
Michael Boelen 2020-04-06 20:47:45 +02:00
parent 798f5322f6
commit c368846a08
No known key found for this signature in database
GPG Key ID: 26141F77A09D7F04
5 changed files with 50 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG.md
View File

@ -159,6 +159,7 @@ Using the relevant options, the scan will change base on the intended goal.
- Several code cleanups, simplification of commands, and code standardization - Several code cleanups, simplification of commands, and code standardization
- Tests using lsof may ignore individual threads (if supported) - Tests using lsof may ignore individual threads (if supported)
- Corrected end-of-life detection for CentOS 7 and CentOS 8 - Corrected end-of-life detection for CentOS 7 and CentOS 8
- Tests can require detected package manager (--package-manager-required)
- Do not show tool tips when quiet option is used - Do not show tool tips when quiet option is used
- Improved screen output in several tests - Improved screen output in several tests
- Extended output of 'lynis update info' - Extended output of 'lynis update info'

3
include/consts
View File

@ -125,6 +125,7 @@ unset LANG
GRSEC_FOUND=0 GRSEC_FOUND=0
GRUBCONFFILE="" GRUBCONFFILE=""
GRUB2INSTALLBINARY="" GRUB2INSTALLBINARY=""
HAS_PACKAGE_MANAGER=0
HAS_SYSTEMD=0 HAS_SYSTEMD=0
HEADBINARY="" HEADBINARY=""
HELPER="" HELPER=""
@ -222,6 +223,7 @@ unset LANG
PGREPBINARY="" PGREPBINARY=""
PIDFILE="" PIDFILE=""
PKG_BINARY="" PKG_BINARY=""
PKGINFOBINARY=""
PKGADMINBINARY="" PKGADMINBINARY=""
PLUGINDIR="" PLUGINDIR=""
PLUGIN_PHASE=0 PLUGIN_PHASE=0
@ -324,6 +326,7 @@ unset LANG
VULNERABLE_PACKAGES_FOUND=0 VULNERABLE_PACKAGES_FOUND=0
WCBINARY="" WCBINARY=""
XARGSBINARY="" XARGSBINARY=""
XBPSBINARY=""
YUMBINARY="" YUMBINARY=""
ZYPPERBINARY="" ZYPPERBINARY=""

27
include/functions
View File

@ -2019,6 +2019,7 @@
PackageIsInstalled() { PackageIsInstalled() {
exit_code=255 exit_code=255
# First parameter is package name (or __dummy__ for initial test to see if package manager is available and works as expected)
if [ $# -eq 1 ]; then if [ $# -eq 1 ]; then
package="$1" package="$1"
else else
@ -2056,7 +2057,21 @@
output=$(${XBPSBINARY} ${package} 2> /dev/null | ${GREPBINARY} "^ii") output=$(${XBPSBINARY} ${package} 2> /dev/null | ${GREPBINARY} "^ii")
exit_code=$? exit_code=$?
else else
ReportException "PackageIsInstalled:01" if [ "${package}" != "__dummy__" ]; then
ReportException "PackageIsInstalled:01 (test=${TEST_NO:-unknown})"
fi
fi
# Give thumbs up if dummy package is used during initial test for package manager availability
if [ "${package}" = "__dummy__" ]; then
# There should be no positive match on this dummy package
if [ ${exit_code} -eq 0 ]; then
exit_code=1
elif [ ${exit_code} -eq 255 ]; then
exit_code=1
else
exit_code=0
fi
fi fi
return ${exit_code} return ${exit_code}
@ -2499,8 +2514,8 @@
Register() { Register() {
# Do not insert a log break, if previous test was not logged # Do not insert a log break, if previous test was not logged
if [ ${SKIPLOGTEST} -eq 0 ]; then LogTextBreak; fi if [ ${SKIPLOGTEST} -eq 0 ]; then LogTextBreak; fi
ROOT_ONLY=0; SKIPTEST=0; SKIPLOGTEST=0; SKIPREASON=""; TEST_NEED_OS=""; PREQS_MET="" ROOT_ONLY=0; SKIPTEST=0; SKIPLOGTEST=0; SKIPREASON=""; PREQS_MET=""
TEST_CATEGORY=""; TEST_NEED_NETWORK=""; TEST_NEED_PLATFORM="" TEST_CATEGORY=""; TEST_NEED_NETWORK=""; TEST_NEED_OS=""; TEST_NEED_PKG_MGR=0; TEST_NEED_PLATFORM=""
TOTAL_TESTS=$((TOTAL_TESTS + 1)) TOTAL_TESTS=$((TOTAL_TESTS + 1))
while [ $# -ge 1 ]; do while [ $# -ge 1 ]; do
case $1 in case $1 in
@ -2524,6 +2539,9 @@
shift shift
TEST_NEED_OS=$1 TEST_NEED_OS=$1
;; ;;
--package-manager-required)
TEST_NEED_PKG_MGR=1
;;
--preqs-met) --preqs-met)
shift shift
PREQS_MET=$1 PREQS_MET=$1
@ -2636,6 +2654,9 @@
# Check for correct hardware platform # Check for correct hardware platform
if [ ${SKIPTEST} -eq 0 -a -n "${TEST_NEED_PLATFORM}" -a ! "${HARDWARE}" = "${TEST_NEED_PLATFORM}" ]; then SKIPTEST=1; SKIPREASON="Incorrect hardware platform"; fi if [ ${SKIPTEST} -eq 0 -a -n "${TEST_NEED_PLATFORM}" -a ! "${HARDWARE}" = "${TEST_NEED_PLATFORM}" ]; then SKIPTEST=1; SKIPREASON="Incorrect hardware platform"; fi
# Check for required (and discovered) package manager
if [ ${SKIPTEST} -eq 0 -a ${TEST_NEED_PKG_MGR} -eq 1 -a ${HAS_PACKAGE_MANAGER} -eq 0 ]; then SKIPTEST=1; SKIPREASON="Requires a known package manager to test presence of a particular package"; fi
# Not all prerequisites met, like missing tool # Not all prerequisites met, like missing tool
if [ ${SKIPTEST} -eq 0 -a "${PREQS_MET}" = "NO" ]; then SKIPTEST=1; if [ -z "${SKIPREASON}" ]; then SKIPREASON="Prerequisites not met (ie missing tool, other type of Linux distribution)"; fi; fi if [ ${SKIPTEST} -eq 0 -a "${PREQS_MET}" = "NO" ]; then SKIPTEST=1; if [ -z "${SKIPREASON}" ]; then SKIPREASON="Prerequisites not met (ie missing tool, other type of Linux distribution)"; fi; fi

22
include/tests_insecure_services
View File

@ -37,7 +37,7 @@
# #
# Test : INSE-8000 # Test : INSE-8000
# Description : Check for installed inetd package # Description : Check for installed inetd package
Register --test-no INSE-8000 --weight L --network NO --category security --description "Installed inetd package" Register --test-no INSE-8000 --package-manager-required --weight L --network NO --category security --description "Installed inetd package"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Check for installed inetd daemon # Check for installed inetd daemon
LogText "Test: Checking if inetd is installed" LogText "Test: Checking if inetd is installed"
@ -134,7 +134,7 @@
# #
# Test : INSE-8100 # Test : INSE-8100
# Description : Check for installed xinetd daemon # Description : Check for installed xinetd daemon
Register --test-no INSE-8100 --weight L --network NO --category security --description "Check for installed xinetd daemon" Register --test-no INSE-8100 --package-manager-required --weight L --network NO --category security --description "Check for installed xinetd daemon"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Check for installed xinetd daemon # Check for installed xinetd daemon
LogText "Test: Checking for installed xinetd daemon" LogText "Test: Checking for installed xinetd daemon"
@ -250,7 +250,7 @@
# Test : INSE-8200 # Test : INSE-8200
# Description : Check if tcp_wrappers is installed when inetd/xinetd is active # Description : Check if tcp_wrappers is installed when inetd/xinetd is active
if [ ${INETD_ACTIVE} -eq 1 -o ${XINETD_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${INETD_ACTIVE} -eq 1 -o ${XINETD_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no INSE-8200 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check if tcp_wrappers is installed when inetd/xinetd is active" Register --test-no INSE-8200 --package-manager-required --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check if tcp_wrappers is installed when inetd/xinetd is active"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking if tcp_wrappers is installed" LogText "Test: Checking if tcp_wrappers is installed"
FOUND=0 FOUND=0
@ -272,7 +272,7 @@
# #
# Test : INSE-8300 # Test : INSE-8300
# Description : Check if rsh client is installed # Description : Check if rsh client is installed
Register --test-no INSE-8300 --weight L --network NO --category security --description "Check if rsh client is installed" Register --test-no INSE-8300 --package-manager-required --weight L --network NO --category security --description "Check if rsh client is installed"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking if rsh client is installed" LogText "Test: Checking if rsh client is installed"
FOUND=0 FOUND=0
@ -328,7 +328,7 @@
# #
# Test : INSE-8304 # Test : INSE-8304
# Description : Check if rsh server is installed # Description : Check if rsh server is installed
Register --test-no INSE-8304 --weight L --network NO --category security --description "Check if rsh server is installed" Register --test-no INSE-8304 --package-manager-required --weight L --network NO --category security --description "Check if rsh server is installed"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Check if rsh server is installed # Check if rsh server is installed
LogText "Test: Checking if rsh server is installed" LogText "Test: Checking if rsh server is installed"
@ -352,7 +352,7 @@
# #
# Test : INSE-8310 # Test : INSE-8310
# Description : Check if telnet client is installed # Description : Check if telnet client is installed
Register --test-no INSE-8310 --weight L --network NO --category security --description "Check if telnet client is installed" Register --test-no INSE-8310 --package-manager-required --weight L --network NO --category security --description "Check if telnet client is installed"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Check if telnet client is installed # Check if telnet client is installed
LogText "Test: Checking if telnet client is installed" LogText "Test: Checking if telnet client is installed"
@ -373,7 +373,7 @@
# #
# Test : INSE-8312 # Test : INSE-8312
# Description : Check if telnet server is installed # Description : Check if telnet server is installed
Register --test-no INSE-8322 --weight L --network NO --category security --description "Check if telnet server is installed" Register --test-no INSE-8322 --package-manager-required --weight L --network NO --category security --description "Check if telnet server is installed"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Check if TFTP server is installed # Check if TFTP server is installed
LogText "Test: Checking if telnet server is installed" LogText "Test: Checking if telnet server is installed"
@ -398,7 +398,7 @@
# #
# Test : INSE-8314 # Test : INSE-8314
# Description : Check if NIS client is installed # Description : Check if NIS client is installed
Register --test-no INSE-8314 --weight L --network NO --category security --description "Check if NIS client is installed" Register --test-no INSE-8314 --package-manager-required --weight L --network NO --category security --description "Check if NIS client is installed"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FOUND="" FOUND=""
LogText "Test: Checking if NIS client is installed" LogText "Test: Checking if NIS client is installed"
@ -422,7 +422,7 @@
# #
# Test : INSE-8316 # Test : INSE-8316
# Description : Check if NIS server is installed # Description : Check if NIS server is installed
Register --test-no INSE-8316 --weight L --network NO --category security --description "Check if NIS server is installed" Register --test-no INSE-8316 --package-manager-required --weight L --network NO --category security --description "Check if NIS server is installed"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
FOUND="" FOUND=""
LogText "Test: Checking if NIS server is installed" LogText "Test: Checking if NIS server is installed"
@ -446,7 +446,7 @@
# #
# Test : INSE-8318 # Test : INSE-8318
# Description : Check if TFTP client is installed # Description : Check if TFTP client is installed
Register --test-no INSE-8318 --weight L --network NO --category security --description "Check if TFTP client is installed" Register --test-no INSE-8318 --package-manager-required --weight L --network NO --category security --description "Check if TFTP client is installed"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking if TFTP client is installed" LogText "Test: Checking if TFTP client is installed"
FOUND="" FOUND=""
@ -470,7 +470,7 @@
# #
# Test : INSE-8320 # Test : INSE-8320
# Description : Check if TFTP server is installed # Description : Check if TFTP server is installed
Register --test-no INSE-8320 --weight L --network NO --category security --description "Check if TFTP server is installed" Register --test-no INSE-8320 --package-manager-required --weight L --network NO --category security --description "Check if TFTP server is installed"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking if TFTP server is installed" LogText "Test: Checking if TFTP server is installed"
FOUND="" FOUND=""

11
lynis
View File

@ -524,6 +524,7 @@ ${NORMAL}
if [ "${OS}" = "Linux" -a "${HOSTNAME}" = "${FQDN}" ]; then if [ "${OS}" = "Linux" -a "${HOSTNAME}" = "${FQDN}" ]; then
FQDN=$(hostname -f 2> /dev/null) FQDN=$(hostname -f 2> /dev/null)
fi fi
# #
################################################################################# #################################################################################
# #
@ -568,6 +569,7 @@ ${NORMAL}
fi fi
Report "test_category=${TEST_CATEGORY_TO_CHECK}" Report "test_category=${TEST_CATEGORY_TO_CHECK}"
Report "test_group=${TEST_GROUP_TO_CHECK}" Report "test_group=${TEST_GROUP_TO_CHECK}"
# #
################################################################################# #################################################################################
# #
@ -630,6 +632,7 @@ ${NORMAL}
echo "Make sure to execute ${PROGRAM_NAME} from untarred directory or check your installation." echo "Make sure to execute ${PROGRAM_NAME} from untarred directory or check your installation."
exit 1 exit 1
fi fi
# #
################################################################################# #################################################################################
# #
@ -817,6 +820,14 @@ ${NORMAL}
# #
################################################################################# #################################################################################
# #
# Test if we have a package manager available by testing for a dummy package (should not exist)
if PackageIsInstalled "__dummy__"; then
HAS_PACKAGE_MANAGER=1
LogText "Informational: package manager is used"
else
LogText "Informational: no known package manager for this system"
fi
# Use hardware detection capabilities # Use hardware detection capabilities
IsVirtualMachine IsVirtualMachine
if IsContainer; then if IsContainer; then