tyler.durden/lynis
1
0
Fork 0
mirror of https://github.com/CISOfy/lynis.git synced 2025-07-29 00:34:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1004 from Varbin/1003-os-detection

Browse Source 
Test for LINUX_VERSION before setting it again
This commit is contained in:
Michael Boelen 2021-01-07 11:30:51 +01:00 committed by GitHub
commit c38c89ae4e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 94 additions and 58 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
include/consts
View File

@ -145,6 +145,7 @@ ETC_PATHS="/etc /usr/local/etc"
LICENSE_KEY="" LICENSE_KEY=""
LICENSE_SERVER="" LICENSE_SERVER=""
LINUX_VERSION="" LINUX_VERSION=""
LINUX_VERSION_LIKE=""
LINUXCONFIGFILE="" LINUXCONFIGFILE=""
LMDBINARY="" LMDBINARY=""
LMDFOUND=0 LMDFOUND=0

48
include/osdetection
View File

@ -226,11 +226,13 @@
;; ;;
"kali") "kali")
LINUX_VERSION="Kali" LINUX_VERSION="Kali"
LINUX_VERSION_LIKE="Debian"
OS_NAME="Kali Linux" OS_NAME="Kali Linux"
OS_VERSION="Rolling release" OS_VERSION="Rolling release"
;; ;;
"linuxmint") "linuxmint")
LINUX_VERSION="Linux Mint" LINUX_VERSION="Linux Mint"
LINUX_VERSION_LIKE="Ubuntu"
OS_NAME="Linux Mint" OS_NAME="Linux Mint"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
@ -278,18 +280,21 @@
;; ;;
"pop") "pop")
LINUX_VERSION="Pop!_OS" LINUX_VERSION="Pop!_OS"
LINUX_VERSION_LIKE="Ubuntu"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_NAME="Pop!_OS" OS_NAME="Pop!_OS"
;; ;;
"pureos") "pureos")
LINUX_VERSION="PureOS" LINUX_VERSION="PureOS"
LINUX_VERSION_LIKE="Debian"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_NAME="PureOS" OS_NAME="PureOS"
;; ;;
"raspbian") "raspbian")
LINUX_VERSION="Raspbian" LINUX_VERSION="Raspbian"
LINUX_VERSION_LIKE="Debian"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_NAME="Raspbian" OS_NAME="Raspbian"
@ -378,31 +383,32 @@
# CPUBuilders Linux # CPUBuilders Linux
if [ -e "/etc/cpub-release" ]; then OS_FULLNAME=$(cat /etc/cpub-release); fi if [ -e "/etc/cpub-release" ]; then OS_FULLNAME=$(cat /etc/cpub-release); fi
# Debian/Ubuntu (***) - Set first to Debian if [ -z "${LINUX_VERSION}" ] && [ -e "/etc/debian_version" ]; then
if [ -e "/etc/debian_version" ]; then # Debian/Ubuntu (***) - Set first to Debian
OS_VERSION=$(cat /etc/debian_version) OS_VERSION=$(cat /etc/debian_version)
OS_FULLNAME="Debian ${OS_VERSION}" OS_FULLNAME="Debian ${OS_VERSION}"
LINUX_VERSION="Debian" LINUX_VERSION="Debian"
fi
# /etc/lsb-release does not exist on Debian # /etc/lsb-release does not exist on Debian
if [ -e "/etc/debian_version" -a -e /etc/lsb-release ]; then if [ -e /etc/lsb-release ]; then
OS_VERSION=$(cat /etc/debian_version) OS_VERSION=$(cat /etc/debian_version)
FIND=$(grep "^DISTRIB_ID=" /etc/lsb-release | cut -d '=' -f2 | sed 's/"//g') FIND=$(grep "^DISTRIB_ID=" /etc/lsb-release | cut -d '=' -f2 | sed 's/"//g')
if [ "${FIND}" = "Ubuntu" ]; then if [ "${FIND}" = "Ubuntu" ]; then
OS_VERSION=$(grep "^DISTRIB_RELEASE=" /etc/lsb-release | cut -d '=' -f2) OS_VERSION=$(grep "^DISTRIB_RELEASE=" /etc/lsb-release | cut -d '=' -f2)
OS_FULLNAME="Ubuntu ${OS_VERSION}" OS_FULLNAME="Ubuntu ${OS_VERSION}"
LINUX_VERSION="Ubuntu" LINUX_VERSION="Ubuntu"
elif [ "${FIND}" = "elementary OS" ]; then elif [ "${FIND}" = "elementary OS" ]; then
LINUX_VERSION="elementary OS" LINUX_VERSION="elementary OS"
OS_VERSION=$(grep "^DISTRIB_RELEASE=" /etc/lsb-release | cut -d '=' -f2) LINUX_VERSION_LIKE="Ubuntu"
OS_FULLNAME=$(grep "^DISTRIB_DESCRIPTION=" /etc/lsb-release | cut -d '=' -f2 | sed 's/"//g') OS_VERSION=$(grep "^DISTRIB_RELEASE=" /etc/lsb-release | cut -d '=' -f2)
else OS_FULLNAME=$(grep "^DISTRIB_DESCRIPTION=" /etc/lsb-release | cut -d '=' -f2 | sed 's/"//g')
# Catch all, in case it's unclear what specific release this is. else
OS_FULLNAME="Debian ${OS_VERSION}" # Catch all, in case it's unclear what specific release this is.
LINUX_VERSION="Debian" OS_FULLNAME="Debian ${OS_VERSION}"
LINUX_VERSION="Debian"
fi
# Ubuntu test (optional) $(grep "[Uu]buntu" /proc/version)
fi fi
# Ubuntu test (optional) $(grep "[Uu]buntu" /proc/version)
fi fi
# Override for Linux Mint, as that is initially detected as Debian or Ubuntu # Override for Linux Mint, as that is initially detected as Debian or Ubuntu
@ -410,6 +416,8 @@
FIND=$(lsb_release --id | awk -F: '{ print $2 }' | awk '{ print $1 }') FIND=$(lsb_release --id | awk -F: '{ print $2 }' | awk '{ print $1 }')
if [ "${FIND}" = "LinuxMint" ]; then if [ "${FIND}" = "LinuxMint" ]; then
LINUX_VERSION="Linux Mint" LINUX_VERSION="Linux Mint"
# LMDE (Linux Mint Debian Edition) should be detected as Debian
LINUX_VERSION_LIKE="Ubuntu"
OS_VERSION=$(lsb_release --release | awk '{ print $2 }') OS_VERSION=$(lsb_release --release | awk '{ print $2 }')
OS_FULLNAME="Linux Mint ${OS_VERSION}" OS_FULLNAME="Linux Mint ${OS_VERSION}"
fi fi

8
include/tests_boot_services
View File

@ -712,7 +712,13 @@
# Test : BOOT-5180 # Test : BOOT-5180
# Description : Check for Linux boot services (Debian style) # Description : Check for Linux boot services (Debian style)
# Notes : Debian 8+ shows runlevel 5 # Notes : Debian 8+ shows runlevel 5
if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION}" = "Ubuntu" ] ||
[ "${LINUX_VERSION_LIKE}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" = "Ubuntu" ]; then
PREQS_MET="YES"
else
PREQS_MET="NO"
fi
Register --test-no BOOT-5180 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for Linux boot services (Debian style)" Register --test-no BOOT-5180 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for Linux boot services (Debian style)"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
# Runlevel check # Runlevel check

9
include/tests_kernel
View File

@ -81,7 +81,7 @@
fi fi
else else
LogText "Result: file ${ROOTDIR}etc/inittab not found" LogText "Result: file ${ROOTDIR}etc/inittab not found"
if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then if [ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION}" = "Ubuntu" ] || [ "${LINUX_VERSION_LIKE}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" = "Ubuntu" ]; then
LogText "Test: Checking run level with who -r, for Debian based systems" LogText "Test: Checking run level with who -r, for Debian based systems"
FIND=$(who -r | ${AWKBINARY} '{ if ($1=="run-level") { print $2 } }') FIND=$(who -r | ${AWKBINARY} '{ if ($1=="run-level") { print $2 } }')
if HasData "${FIND}"; then if HasData "${FIND}"; then
@ -368,7 +368,12 @@
# #
# Test : KRNL-5788 # Test : KRNL-5788
# Description : Checking availability new kernel # Description : Checking availability new kernel
if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION}" = "Ubuntu" ] ||
[ "${LINUX_VERSION_LIKE}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" = "Ubuntu" ]; then
PREQS_MET="YES"
else
PREQS_MET="NO"
fi
Register --test-no KRNL-5788 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking availability new Linux kernel" Register --test-no KRNL-5788 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking availability new Linux kernel"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
HAS_VMLINUZ=0 HAS_VMLINUZ=0

86
include/tests_ports_packages
View File

@ -600,8 +600,8 @@
# #
# Test : PKGS-7366 # Test : PKGS-7366
# Description : Checking if debsecan is installed and enabled on Debian systems # Description : Checking if debsecan is installed and enabled on Debian systems
if [ -n "${DEBSECANBINARY}" -a "${OS}" = "Linux" -a "${LINUX_VERSION}" = "Debian" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ -n "${DEBSECANBINARY}" ] && ( [ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" = "Debian" ] ); then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no "PKGS-7366" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for debsecan utility" Register --test-no "PKGS-7366" --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --category security --description "Checking for debsecan utility"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
if [ -n "${DEBSECANBINARY}" ]; then if [ -n "${DEBSECANBINARY}" ]; then
LogText "Result: debsecan utility is installed" LogText "Result: debsecan utility is installed"
@ -986,7 +986,9 @@
PREQS_MET="NO" PREQS_MET="NO"
if [ -f ${ROOTDIR}etc/apt/sources.list -a -d ${ROOTDIR}etc/apt/sources.list.d ]; then if [ -f ${ROOTDIR}etc/apt/sources.list -a -d ${ROOTDIR}etc/apt/sources.list.d ]; then
case "${LINUX_VERSION}" in case "${LINUX_VERSION}" in
"Debian" | "Linux Mint" | "Ubuntu") "Debian" | "Linux Mint" | "Ubuntu" | "Pop!_OS")
# Todo: PureOS (not rolling) has security repositories
# Todo: Debian sid does not have a security repository.
PREQS_MET="YES" PREQS_MET="YES"
;; ;;
*) *)
@ -1042,7 +1044,13 @@
# #
# Test : PKGS-7390 # Test : PKGS-7390
# Description : Check Ubuntu database consistency # Description : Check Ubuntu database consistency
if [ "${LINUX_VERSION}" = "Ubuntu" -a -x ${ROOTDIR}usr/bin/apt-get ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if ([ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION}" = "Ubuntu" ] ||
[ "${LINUX_VERSION_LIKE}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" = "Ubuntu" ]) && [ -x "${ROOTDIR}usr/bin/apt-get" ]; then
PREQS_MET="YES"
else
PREQS_MET="NO"
fi
Register --test-no PKGS-7390 --os Linux --preqs-met ${PREQS_MET} --root-only YES --weight L --network NO --category security --description "Check Ubuntu database consistency" Register --test-no PKGS-7390 --os Linux --preqs-met ${PREQS_MET} --root-only YES --weight L --network NO --category security --description "Check Ubuntu database consistency"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Package database consistency by running apt-get check" LogText "Test: Package database consistency by running apt-get check"
@ -1191,7 +1199,13 @@
# #
# Test : PKGS-7394 # Test : PKGS-7394
# Description : Check Ubuntu upgradeable packages # Description : Check Ubuntu upgradeable packages
if [ "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if ([ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION}" = "Ubuntu" ] ||
[ "${LINUX_VERSION_LIKE}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" = "Ubuntu" ]) && [ -x "${ROOTDIR}usr/bin/apt-get" ]; then
PREQS_MET="YES"
else
PREQS_MET="NO"
fi
Register --test-no PKGS-7394 --os Linux --preqs-met ${PREQS_MET} --weight L --network YES --category security --description "Check for Ubuntu updates" Register --test-no PKGS-7394 --os Linux --preqs-met ${PREQS_MET} --weight L --network YES --category security --description "Check for Ubuntu updates"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking ${ROOTDIR}usr/bin/apt-show-versions" LogText "Test: checking ${ROOTDIR}usr/bin/apt-show-versions"
@ -1329,37 +1343,39 @@
case "${OS}" in case "${OS}" in
"Linux") "Linux")
case "${LINUX_VERSION}" in for DIST in CentOS Debian Fedora RHEL Ubuntu; do
"CentOS" | "Debian" | "Fedora" | "RHEL" | "Ubuntu") if [ "${LINUX_VERSION}" = "${DIST}" ] || [ "${LINUX_VERSION_LIKE}" = "${DIST}" ]; then
UNATTENDED_UPGRADES_OPTION_AVAILABLE=1 UNATTENDED_UPGRADES_OPTION_AVAILABLE=1
# Test available tools for Linux fi
if [ -f "${ROOTDIR}bin/auter" ]; then done
UNATTENDED_UPGRADES_TOOL="auter"
UNATTENDED_UPGRADES_TOOLKIT=1 if [ $UNATTENDED_UPGRADES_OPTION_AVAILABLE -eq 1 ]; then
LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}" # Test available tools for Linux
Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}" if [ -f "${ROOTDIR}bin/auter" ]; then
fi UNATTENDED_UPGRADES_TOOL="auter"
if [ -f "${ROOTDIR}sbin/yum-cron" ]; then UNATTENDED_UPGRADES_TOOLKIT=1
UNATTENDED_UPGRADES_TOOL="yum-cron" LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}"
UNATTENDED_UPGRADES_TOOLKIT=1 Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}"
LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}" fi
Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}" if [ -f "${ROOTDIR}sbin/yum-cron" ]; then
fi UNATTENDED_UPGRADES_TOOL="yum-cron"
if [ -f "${ROOTDIR}usr/bin/dnf-automatic" ]; then UNATTENDED_UPGRADES_TOOLKIT=1
UNATTENDED_UPGRADES_TOOL="dnf-automatic" LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}"
UNATTENDED_UPGRADES_TOOLKIT=1 Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}"
LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}" fi
Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}" if [ -f "${ROOTDIR}usr/bin/dnf-automatic" ]; then
fi UNATTENDED_UPGRADES_TOOL="dnf-automatic"
if [ -f "${ROOTDIR}usr/bin/unattended-upgrade" ]; then UNATTENDED_UPGRADES_TOOLKIT=1
UNATTENDED_UPGRADES_TOOL="unattended-upgrade" LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}"
UNATTENDED_UPGRADES_TOOLKIT=1 Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}"
LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}" fi
Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}" if [ -f "${ROOTDIR}usr/bin/unattended-upgrade" ]; then
fi UNATTENDED_UPGRADES_TOOL="unattended-upgrade"
;; UNATTENDED_UPGRADES_TOOLKIT=1
esac LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}"
Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}"
fi
fi
;; ;;
esac esac