tyler.durden/lynis
1
0
Fork 0
mirror of https://github.com/CISOfy/lynis.git synced 2025-07-27 15:54:09 +02:00
Code Issues Packages Projects Releases Wiki Activity

Resolved merge conflict

Browse Source
This commit is contained in:
Michael Boelen 2020-10-02 11:05:04 +02:00
commit c6bd185fd7
No known key found for this signature in database
GPG Key ID: 26141F77A09D7F04
5 changed files with 94 additions and 61 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
CHANGELOG.md
View File

@ -3,6 +3,7 @@
## Lynis 3.0.1 (not released yet)
### Added
- Detection of Alpine Linux
- Detection of CloudLinux
- Detection of Kali Linux
- Detection of Linux Mint
@ -10,24 +11,30 @@
- Detection of Pop!_OS
- Detection of PHP 7.4
- Malware detection tool: Microsoft Defender ATP
- New flag: --slow-warning to allow tests more time before showing a warning
- Test TIME-3185 to check systemd-timesyncd synchronized time
- rsh host file permissions
### Changed
- AUTH-9229 - Added option for LOCKED accounts and bugfix for older bash versions
- BOOT-5122 - Presence check for grub.d added
- CRYP-7931 - Redirect errors
- CRYP-7902 - Added support for certificates in DER format
- CRYP-7931 - Added data to report
- CRYP-7931 - Redirect errors (e.g. when swap is not encrypted)
- FILE-6430 - Don't grep nonexistant modprobe.d files
- FIRE-4535 - Set initial firewall state
- INSE-8312 - Corrected text on screen
- KRNL-5728 - Handle zipped kernel configuration correctly
- KRNL-5830 - Improved version detection for non-symlinked kernel
- MALW-3280 - Extended detection of BitDefender
- TIME-3104 - Find more time synchronization commands
- TIME-3182 - Corrected detection of time peers
- Fix: hostid generation routine would sometimes show too short IDs
- Generic improvements for macOS
- Fix: language detection
- Generic improvements for macOS
- German translation updated
- End-of-life database updated
- Small code enhancements
- Several minor code enhancements
---------------------------------------------------------------------------------

1
db/tests.db
View File

@ -419,6 +419,7 @@ TIME-3170:test:security:time::Check configuration files:
TIME-3180:test:security:time::Report if ntpctl cannot communicate with OpenNTPD:
TIME-3181:test:security:time::Check status of OpenNTPD time synchronisation
TIME-3182:test:security:time::Check OpenNTPD has working peers
TIME-3185:test:security:time::Check systemd-timesyncd synchronized time
TOOL-5002:test:security:tooling::Checking for automation tools:
TOOL-5102:test:security:tooling::Check for presence of Fail2ban:
TOOL-5104:test:security:tooling::Enabled tests for Fail2ban:

7
default.prf
View File

@ -93,7 +93,7 @@ skip-plugins=no
#skip-upgrade-test=yes
# Locations where to search for SSL certificates (separate paths with a colon)
ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/usr/share/ca-certificates:/usr/share/gnupg:/var/www:/srv/www
ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/refind.d/keys:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/usr/share/ca-certificates:/usr/share/gnupg:/var/www:/srv/www
ssl-certificate-paths-to-ignore=/etc/letsencrypt/archive:
ssl-certificate-include-packages=no
@ -303,6 +303,11 @@ permfile=/etc/motd:rw-r--r--:root:root:WARN:
permfile=/etc/passwd:rw-r--r--:root:-:WARN:
permfile=/etc/passwd-:rw-r--r--:root:-:WARN:
permfile=/etc/ssh/sshd_config:rw-------:root:-:WARN:
permfile=/etc/hosts.equiv:rw-r--r--:root:root:WARN:
permfile=/etc/shosts.equiv:rw-r--r--:root:root:WARN:
permfile=/root/.rhosts:rw-------:root:root:WARN:
permfile=/root/.rlogin:rw-------:root:root:WARN:
permfile=/root/.shosts:rw-------:root:root:WARN:
# These permissions differ by OS
#permfile=/etc/gshadow:---------:root:-:WARN:

19
include/tests_crypto
View File

@ -54,7 +54,7 @@
LASTSUBDIR=""
LogText "Result: found directory ${DIR}"
# Search for certificate files
FILES=$(${FINDBINARY} ${DIR} -type f 2> /dev/null | ${EGREPBINARY} ".crt$|.pem$|^cert" | ${SORTBINARY} | ${SEDBINARY} 's/ /__space__/g')
FILES=$(${FINDBINARY} ${DIR} -type f 2> /dev/null | ${EGREPBINARY} ".cer$|.crt$|.der$|.pem$|^cert" | ${SORTBINARY} | ${SEDBINARY} 's/ /__space__/g')
for FILE in ${FILES}; do
FILE=$(echo ${FILE} | ${SEDBINARY} 's/__space__/ /g')
# See if we need to skip this path
@ -80,16 +80,23 @@
if [ ${CANREAD} -eq 1 ]; then
# Only check the files that are not installed by a package, unless enabled by profile
if [ ${SSL_CERTIFICATE_INCLUDE_PACKAGES} -eq 1 ] || ! FileInstalledByPackage "${FILE}"; then
echo ${FILE} | ${EGREPBINARY} --quiet ".cer$|.der$"
CER_DER=$?
OUTPUT=$(${GREPBINARY} -q 'BEGIN CERT' "${FILE}")
if [ $? -eq 0 ]; then
if [ $? -eq 0 -o ${CER_DER} -eq 0 ]; then
LogText "Result: file is a certificate file"
FIND=$(${OPENSSLBINARY} x509 -noout -in "${FILE}" -enddate 2> /dev/null | ${GREPBINARY} "^notAfter")
if [ ${CER_DER} -eq 0 ]; then
SSL_DER_OPT="-inform der"
else
SSL_DER_OPT=
fi
FIND=$(${OPENSSLBINARY} x509 -noout ${SSL_DER_OPT} -in "${FILE}" -enddate 2> /dev/null | ${GREPBINARY} "^notAfter")
if [ $? -eq 0 ]; then
# Check certificate where 'end date' has been expired
FIND=$(${OPENSSLBINARY} x509 -noout -checkend 0 -in "${FILE}" -enddate 2> /dev/null)
FIND=$(${OPENSSLBINARY} x509 -noout ${SSL_DER_OPT} -checkend 0 -in "${FILE}" -enddate 2> /dev/null)
EXIT_CODE=$?
CERT_CN=$(${OPENSSLBINARY} x509 -noout -subject -in "${FILE}" 2> /dev/null | ${SEDBINARY} -e 's/^subject.*CN=\([a-zA-Z0-9\.\-\*]*\).*$/\1/')
CERT_NOTAFTER=$(${OPENSSLBINARY} x509 -noout -enddate -in "${FILE}" 2> /dev/null | ${AWKBINARY} -F= '{if ($1=="notAfter") { print $2 }}')
CERT_CN=$(${OPENSSLBINARY} x509 -noout ${SSL_DER_OPT} -subject -in "${FILE}" 2> /dev/null | ${SEDBINARY} -e 's/^subject.*CN=\([a-zA-Z0-9\.\-\*]*\).*$/\1/')
CERT_NOTAFTER=$(${OPENSSLBINARY} x509 -noout ${SSL_DER_OPT} -enddate -in "${FILE}" 2> /dev/null | ${AWKBINARY} -F= '{if ($1=="notAfter") { print $2 }}')
Report "certificate[]=${FILE}|${EXIT_CODE}|cn:${CERT_CN};notafter:${CERT_NOTAFTER};|"
if [ ${EXIT_CODE} -eq 0 ]; then
LogText "Result: certificate ${FILE} seems to be correct and still valid"

115
include/tests_time
View File

@ -86,9 +86,8 @@
# Reason: openntpd syncs only if large time corrections are not required or -s is passed.
# This might be not intended by the administrator (-s is NOT the default!)
FIND=$(${PSBINARY} ax | ${GREPBINARY} "ntpd: ntp engine" | ${GREPBINARY} -v "grep")
${NTPCTLBINARY} -s status > /dev/null 2> /dev/null
# Status code 0 is when communication over the socket is successfull
if [ "$?" -eq 0 ]; then
if ${NTPCTLBINARY} -s status > /dev/null 2> /dev/null; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="openntpd"
LogText "result: found openntpd (method: ntpctl)"
OPENNTPD_COMMUNICATION=1
@ -101,7 +100,7 @@
LogText "result: running openntpd not found, but ntpctl is instaalled"
fi
if [ "${NTP_DAEMON}" == "openntpd" ]; then
if [ "${NTP_DAEMON}" = "openntpd" ]; then
Display --indent 2 --text "- NTP daemon found: OpenNTPD" --result "${STATUS_FOUND}" --color GREEN
fi
fi
@ -124,39 +123,30 @@
fi
# Check timedate daemon (systemd)
if [ -n "${TIMEDATECTL}" ]; then
FIND=$(${TIMEDATECTL} status | ${EGREPBINARY} "(NTP|System clock) synchronized: yes")
if [ -n "${FIND}" ]; then
# Check for systemd-timesyncd
if [ -f ${ROOTDIR}etc/systemd/timesyncd.conf ]; then
LogText "Result: found ${ROOTDIR}etc/systemd/timesyncd.conf"
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="systemd-timesyncd"
Display --indent 2 --text "- NTP daemon found: systemd (timesyncd)" --result "${STATUS_FOUND}" --color GREEN
SYSTEMD_NTP_ENABLED=1
else
LogText "Result: ${ROOTDIR}etc/systemd/timesyncd.conf does not exist"
fi
else
LogText "Result: time synchronization not performed according timedatectl command"
fi
else
LogText "Result: timedatectl command not available on this system"
FIND=$(${PSBINARY} ax | ${GREPBINARY} "systemd-timesyncd" | ${GREPBINARY} -v "grep")
if [ -n "${FIND}" ]; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="systemd-timesyncd"
Display --indent 2 --text "- NTP daemon found: systemd (timesyncd)" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found running systemd-timesyncd in process list"
fi
# Check crontab for OpenBSD/FreeBSD
# Check anacrontab for Linux
CRONTAB_FILES="/etc/anacrontab /etc/crontab"
# Regex for matching multiple time synchronisation binaries
# Partial sanity check for sntp and ntpdig, but this does not consider all corner cases
CRONTAB_REGEX='ntpdate|rdate|sntp.+-(s|j|--adj)|ntpdig.+-(S|s)'
for I in ${CRONTAB_FILES}; do
if [ -f ${I} ]; then
LogText "Test: checking for ntpdate or rdate in crontab file ${I}"
FIND=$(${EGREPBINARY} "ntpdate|rdate" ${I} | ${GREPBINARY} -v '^#')
LogText "Test: checking for ntpdate, rdate, sntp or ntpdig in crontab file ${I}"
FIND=$(${EGREPBINARY} "${CRONTAB_REGEX}" ${I} | ${GREPBINARY} -v '^#')
if [ -n "${FIND}" ]; then
FOUND=1; NTP_CONFIG_TYPE_SCHEDULED=1
Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: found ntpdate or rdate reference in crontab file ${I}"
LogText "Result: found ntpdate, rdate, sntp or ntpdig reference in crontab file ${I}"
else
#Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "${STATUS_NOT_FOUND}" --color WHITE
LogText "Result: no ntpdate or rdate reference found in crontab file ${I}"
LogText "Result: no ntpdate, rdate, sntp or ntpdig reference found in crontab file ${I}"
fi
else
LogText "Result: crontab file ${I} not found"
@ -169,31 +159,18 @@
# Check cron jobs
for I in ${CRON_DIRS}; do
if [ -d ${I} ]; then
if FileIsReadable ${I}; then
FIND=$(${FINDBINARY} ${I} -type f -a ! -name ".placeholder" -print 2> /dev/null | ${SEDBINARY} 's/ /__space__/g' | ${TRBINARY} '\n' '\0' | ${TRBINARY} -cd '[:print:]\0' | ${TRBINARY} '\0' ' ')
for J in "${I}"/*; do # iterate over folders in a safe way
# Check: regular file, readable and not called .placeholder
FIND=$(echo "${J}" | ${EGREPBINARY} '/.placeholder$')
if [ -f "${J}" ] && [ -r "${J}" ] && [ -z "${FIND}" ]; then
LogText "Test: checking for ntpdate, rdate, sntp or ntpdig in ${J}"
FIND=$("${EGREPBINARY}" "${CRONTAB_REGEX}" "${J}" | "${GREPBINARY}" -v "^#")
if [ -n "${FIND}" ]; then
for J in ${FIND}; do
# Place back spaces if needed
J=$(echo ${J} | ${SEDBINARY} 's/__space__/ /g')
LogText "Test: checking for ntpdate or rdate in ${J}"
if FileIsReadable ${J}; then
FIND2=$(${EGREPBINARY} "rdate|ntpdate" "${J}" | ${GREPBINARY} -v "^#")
if [ -n "${FIND2}" ]; then
LogText "Positive match found: ${FIND2}"
FOUND=1; FOUND_IN_CRON=1; NTP_CONFIG_TYPE_SCHEDULED=1
fi
else
LogText "Result: could not test in file '${J}' as it is not readable"
fi
done
else
LogText "Result: ${I} is empty, skipping search in directory"
FOUND=1; FOUND_IN_CRON=1; NTP_CONFIG_TYPE_SCHEDULED=1
LogText "Result: found ntpdate, rdate, sntp or ntpdig in ${J}"
fi
else
LogText "Result: could not search in directory due to permissions"
fi
fi
done
done
if [ ${FOUND_IN_CRON} -eq 1 ]; then
@ -532,7 +509,7 @@
#
# Test : TIME-3180
# Description : Report if ntpctl cannot communicate with OpenNTPD
if [ "${NTPD_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" == "openntpd" ]; then
if [ "${NTP_DAEMON_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" = "openntpd" ]; then
PREQS_MET="YES"
else
PREQS_MET="NO"
@ -548,7 +525,7 @@
#
# Test : TIME-3181
# Description : Check status of OpenNTPD time synchronisation
if [ "${NTPD_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" == "openntpd" ] && [ "${OPENNTPD_COMMUNICATION}" -eq 1 ]; then
if [ "${NTP_DAEMON_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" = "openntpd" ] && [ "${OPENNTPD_COMMUNICATION}" -eq 1 ]; then
PREQS_MET="YES"
else
PREQS_MET="NO"
@ -567,7 +544,7 @@
# Test : TIME-3182
# Description : Check OpenNTPD has working peers
if [ "${NTPD_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" == "openntpd" ] && [ "${OPENNTPD_COMMUNICATION}" -eq 1 ]; then
if [ "${NTP_DAEMON_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" = "openntpd" ] && [ "${OPENNTPD_COMMUNICATION}" -eq 1 ]; then
PREQS_MET="YES"
else
PREQS_MET="NO"
@ -576,11 +553,47 @@
Register --test-no TIME-3182 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check OpenNTPD has working peers"
if [ ${SKIPTEST} -eq 0 ]; then
# Format is "xx/yy peers valid, ..."
FIND=$(${NTPCTLBINARY} -s status | ${EGREPBINARY} -o "[0-9]{1,4}/" | ${EGREPBINARY} -o "[0-9]{1,4}" )
if [ -n "${FIND}" ] || [ "${FIND}" -eq 0 ]; then
FIND=$(${NTPCTLBINARY} -s status | ${EGREPBINARY} -o '[0-9]+/[0-9]+' | ${CUTBINARY} -d '/' -f 1)
if [ -z "${FIND}" ] || [ "${FIND}" -eq 0 ]; then
ReportWarning "${TEST_NO}" "OpenNTPD has no peers" "${NTPCTLBINARY} -s status"
fi
fi
#
#################################################################################
#
# Test : TIME-3185
# Description : Check systemd-timesyncd synchronized time
if [ "${NTP_DAEMON}" = "systemd-timesyncd" ]; then
PREQS_MET="YES"
else
PREQS_MET="NO"
fi
Register --test-no TIME-3185 --preqs-met "${PREQS_MET}" --weight L --network NO --category "security" --description "Check systemd-timesyncd synchronized time"
SYNCHRONIZED_FILE="/run/systemd/timesync/synchronized"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -e "${SYNCHRONIZED_FILE}" ]; then
FIND=$(( $(date +%s) - $(${STATBINARY} -L --format %Y "${SYNCHRONIZED_FILE}") ))
# Check if last sync was more than 2048 seconds (= the default of systemd) ago
if [ "${FIND}" -ge 2048 ]; then
COLOR=RED
ReportWarning "${TEST_NO}" "systemd-timesyncd did not synchronized the time recently."
else
COLOR=GREEN
fi
Display --indent 2 --text "- Last time synchronization" --result "${FIND}s" --color "${COLOR}"
LogText "Result: systemd-timesyncd synchronized time ${FIND} seconds ago."
else
Display --indent 2 --text "- Last time synchronization" --result "${STATUS_NOT_FOUND}" --color RED
ReportWarning "${TEST_NO}" "systemd-timesyncd never successfully synchronized time"
fi
fi
unset SYNCHRONIZED_FILE
#
#################################################################################
#