diff --git a/CHANGELOG.md b/CHANGELOG.md index 8e63943e..807bbc51 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,33 @@ # Lynis Changelog +## Lynis 3.1.0 (not released yet) + +### Changed +- MALW-3280 - Correction to detect com.avast.daemon +- OS detection added for Guix System, macOS Ventura (13.x)/Sonoma (14.x), NXP LSDK, OpenEmbedded "nodistro", and The Yocto Projects distro "Poky" +- Updated Amazon Linux EOL dates and addition of Amazon Linux 2023 +- STATUS_NOT_ACTIVE variable added to translation files +- End-of-life dates updated +- Fixing missing or erroneous test number comments +- Wazuh for file integrity and tooling +- Updated parsing output of arch-audit +- Added support for SentinelOne detection +- Replacing deprecated option -i for xargs +- Path detection for PostgreSQL improved + +--------------------------------------------------------------------------------- + +## Lynis 3.0.9 (2023-08-03) + +### Changed +- DBS-1820 - Added newer style format for Mongo authorization setting +- FILE-6410 - Locations added for plocate +- SSH-7408 - Only test Compression if sshd version < 7.4 +- Improved fetching timestamp +- Minor changes such as typos + +--------------------------------------------------------------------------------- + ## Lynis 3.0.8 (2022-05-17) ### Added diff --git a/db/languages/az b/db/languages/az index ffdf4254..24a0ca70 100644 --- a/db/languages/az +++ b/db/languages/az @@ -82,6 +82,7 @@ STATUS_FOUND="Tapıldı" #STATUS_MEDIUM="MEDIUM" #STATUS_NON_DEFAULT="NON DEFAULT" STATUS_NONE="Yox" +STATUS_NOT_ACTIVE="NOT ACTIVE" #STATUS_NOT_CONFIGURED="NOT CONFIGURED" #STATUS_NOT_DISABLED="NOT DISABLED" #STATUS_NOT_ENABLED="NOT ENABLED" diff --git a/db/languages/cn b/db/languages/cn index 76f181ca..11826db3 100644 --- a/db/languages/cn +++ b/db/languages/cn @@ -83,6 +83,7 @@ STATUS_FOUND="找到" #STATUS_MEDIUM="MEDIUM" #STATUS_NON_DEFAULT="NON DEFAULT" STATUS_NONE="没有" +STATUS_NOT_ACTIVE="NOT ACTIVE" #STATUS_NOT_CONFIGURED="NOT CONFIGURED" #STATUS_NOT_DISABLED="NOT DISABLED" #STATUS_NOT_ENABLED="NOT ENABLED" diff --git a/db/languages/da b/db/languages/da index 21cac946..1bd77089 100644 --- a/db/languages/da +++ b/db/languages/da @@ -83,6 +83,7 @@ STATUS_FOUND="FUNDET" #STATUS_NON_DEFAULT="NON DEFAULT" STATUS_NONE="INGEN" STATUS_NO="NEJ" +STATUS_NOT_ACTIVE="NOT ACTIVE" #STATUS_NOT_CONFIGURED="NOT CONFIGURED" #STATUS_NOT_DISABLED="NOT DISABLED" STATUS_NOT_ENABLED="IKKE AKTIVERET" diff --git a/db/languages/de b/db/languages/de index fad25db9..942693a3 100644 --- a/db/languages/de +++ b/db/languages/de @@ -84,6 +84,7 @@ STATUS_NO="NEIN" STATUS_NO_UPDATE="KEINE AKTUALISIERUNG" STATUS_NON_DEFAULT="NICHT STANDARD" STATUS_NONE="NICHTS" +STATUS_NOT_ACTIVE="NOT ACTIVE" STATUS_NOT_CONFIGURED="NICHT KONFIGURIERT" STATUS_NOT_DISABLED="NICHT DEAKTIVIERT" STATUS_NOT_ENABLED="NICHT AKTIVIERT" diff --git a/db/languages/en b/db/languages/en index 3fc11069..52ace1f7 100644 --- a/db/languages/en +++ b/db/languages/en @@ -84,6 +84,7 @@ STATUS_NO="NO" STATUS_NO_UPDATE="NO UPDATE" STATUS_NON_DEFAULT="NON DEFAULT" STATUS_NONE="NONE" +STATUS_NOT_ACTIVE="NOT ACTIVE" STATUS_NOT_CONFIGURED="NOT CONFIGURED" STATUS_NOT_DISABLED="NOT DISABLED" STATUS_NOT_ENABLED="NOT ENABLED" diff --git a/db/languages/es b/db/languages/es index fceb261f..1ad53db5 100644 --- a/db/languages/es +++ b/db/languages/es @@ -85,6 +85,7 @@ STATUS_NO_UPDATE="SIN ACTUALIZACIÓN" STATUS_NO="NO" STATUS_NON_DEFAULT="NO POR DEFECTO" STATUS_NONE="NINGUNO" +STATUS_NOT_ACTIVE="NOT ACTIVE" STATUS_NOT_CONFIGURED="NO CONFIGURADO" STATUS_NOT_DISABLED="NO DESHABILITADO" STATUS_NOT_ENABLED="NO HABILITADO" diff --git a/db/languages/fi b/db/languages/fi index 85e6593a..e8dc3564 100644 --- a/db/languages/fi +++ b/db/languages/fi @@ -83,6 +83,7 @@ STATUS_FOUND="LÖYTYNYT" STATUS_NO="EI" #STATUS_NON_DEFAULT="NON DEFAULT" STATUS_NONE="EI MITÄÄN" +STATUS_NOT_ACTIVE="NOT ACTIVE" #STATUS_NOT_CONFIGURED="NOT CONFIGURED" #STATUS_NOT_DISABLED="NOT DISABLED" #STATUS_NOT_ENABLED="NOT ENABLED" diff --git a/db/languages/fr b/db/languages/fr index d85d643d..d0be5c99 100644 --- a/db/languages/fr +++ b/db/languages/fr @@ -84,6 +84,7 @@ STATUS_NO="NON" STATUS_NO_UPDATE="PAS DE MISE A JOUR" STATUS_NON_DEFAULT="PAS PAR DÉFAUT" STATUS_NONE="AUCUN" +STATUS_NOT_ACTIVE="NOT ACTIVE" STATUS_NOT_CONFIGURED="NON CONFIGURÉ" STATUS_NOT_DISABLED="NON DESACTIVÉ" STATUS_NOT_ENABLED="NON ACTIVÉ" diff --git a/db/languages/gr b/db/languages/gr index 8d285f96..15c3e509 100644 --- a/db/languages/gr +++ b/db/languages/gr @@ -82,6 +82,7 @@ STATUS_FOUND="ΒΡΕΘΗΚΕ" #STATUS_MEDIUM="MEDIUM" #STATUS_NON_DEFAULT="NON DEFAULT" STATUS_NONE="ΚΑΝΕΝΑ" +STATUS_NOT_ACTIVE="NOT ACTIVE" #STATUS_NOT_CONFIGURED="NOT CONFIGURED" #STATUS_NOT_DISABLED="NOT DISABLED" #STATUS_NOT_ENABLED="NOT ENABLED" diff --git a/db/languages/he b/db/languages/he index 83859123..9755bcf7 100644 --- a/db/languages/he +++ b/db/languages/he @@ -82,6 +82,7 @@ STATUS_FOUND="נמצא" #STATUS_MEDIUM="MEDIUM" #STATUS_NON_DEFAULT="NON DEFAULT" STATUS_NONE="אין כלל" +STATUS_NOT_ACTIVE="NOT ACTIVE" #STATUS_NOT_CONFIGURED="NOT CONFIGURED" #STATUS_NOT_DISABLED="NOT DISABLED" #STATUS_NOT_ENABLED="NOT ENABLED" diff --git a/db/languages/hu b/db/languages/hu index 1d055bd8..90ae29e1 100644 --- a/db/languages/hu +++ b/db/languages/hu @@ -83,6 +83,7 @@ STATUS_FOUND="FOUND" #STATUS_NON_DEFAULT="NON DEFAULT" STATUS_NO="NEM" STATUS_NONE="NONE" +STATUS_NOT_ACTIVE="NOT ACTIVE" #STATUS_NOT_CONFIGURED="NOT CONFIGURED" #STATUS_NOT_DISABLED="NOT DISABLED" #STATUS_NOT_ENABLED="NOT ENABLED" diff --git a/db/languages/it b/db/languages/it index 3f3a8853..26ff3076 100644 --- a/db/languages/it +++ b/db/languages/it @@ -83,6 +83,7 @@ STATUS_FOUND="TROVATO" #STATUS_NON_DEFAULT="NON DEFAULT" STATUS_NONE="NESSUNO" STATUS_NO="NO" +STATUS_NOT_ACTIVE="NOT ACTIVE" STATUS_NOT_CONFIGURED="NON CONFIGURATO" #STATUS_NOT_DISABLED="NOT DISABLED" #STATUS_NOT_ENABLED="NOT ENABLED" diff --git a/db/languages/ja b/db/languages/ja index 3e3de50c..846b1eb1 100644 --- a/db/languages/ja +++ b/db/languages/ja @@ -83,6 +83,7 @@ STATUS_FOUND="見つかりました" STATUS_NO="いいえ" #STATUS_NON_DEFAULT="NON DEFAULT" STATUS_NONE="なし" +STATUS_NOT_ACTIVE="NOT ACTIVE" #STATUS_NOT_CONFIGURED="NOT CONFIGURED" #STATUS_NOT_DISABLED="NOT DISABLED" #STATUS_NOT_ENABLED="NOT ENABLED" diff --git a/db/languages/ko b/db/languages/ko index dba75b76..72d31d79 100644 --- a/db/languages/ko +++ b/db/languages/ko @@ -83,6 +83,7 @@ STATUS_FOUND="발견" STATUS_NO="아니오" #STATUS_NON_DEFAULT="NON DEFAULT" STATUS_NONE="없음" +STATUS_NOT_ACTIVE="NOT ACTIVE" #STATUS_NOT_CONFIGURED="NOT CONFIGURED" #STATUS_NOT_DISABLED="NOT DISABLED" #STATUS_NOT_ENABLED="NOT ENABLED" diff --git a/db/languages/nb-NO b/db/languages/nb-NO index 84ddf269..ea3e8832 100644 --- a/db/languages/nb-NO +++ b/db/languages/nb-NO @@ -83,6 +83,7 @@ STATUS_FOUND="FUNNET" #STATUS_NON_DEFAULT="NON DEFAULT" STATUS_NO="NEI" STATUS_NONE="INGEN" +STATUS_NOT_ACTIVE="NOT ACTIVE" #STATUS_NOT_CONFIGURED="NOT CONFIGURED" #STATUS_NOT_DISABLED="NOT DISABLED" #STATUS_NOT_ENABLED="NOT ENABLED" diff --git a/db/languages/nl b/db/languages/nl index 4c22b9fe..cdb92423 100644 --- a/db/languages/nl +++ b/db/languages/nl @@ -83,6 +83,7 @@ STATUS_FOUND="GEVONDEN" #STATUS_NON_DEFAULT="NON DEFAULT" STATUS_NO="NEE" STATUS_NONE="GEEN" +STATUS_NOT_ACTIVE="NOT ACTIVE" STATUS_NOT_CONFIGURED="NIET GECONFIGUREERD" #STATUS_NOT_DISABLED="NOT DISABLED" #STATUS_NOT_ENABLED="NOT ENABLED" diff --git a/db/languages/pl b/db/languages/pl index 200bac79..887d0a7d 100644 --- a/db/languages/pl +++ b/db/languages/pl @@ -83,6 +83,7 @@ #STATUS_NON_DEFAULT="NON DEFAULT" #STATUS_NONE="NONE" #STATUS_NO="NO" +STATUS_NOT_ACTIVE="NOT ACTIVE" #STATUS_NOT_CONFIGURED="NOT CONFIGURED" #STATUS_NOT_DISABLED="NOT DISABLED" #STATUS_NOT_ENABLED="NOT ENABLED" diff --git a/db/languages/pt b/db/languages/pt index 740fab6a..483fabd6 100644 --- a/db/languages/pt +++ b/db/languages/pt @@ -83,6 +83,7 @@ STATUS_FOUND="ENCONTRADO" STATUS_NO="NÃO" #STATUS_NON_DEFAULT="NON DEFAULT" STATUS_NONE="NENHUM" +STATUS_NOT_ACTIVE="NOT ACTIVE" #STATUS_NOT_CONFIGURED="NOT CONFIGURED" #STATUS_NOT_DISABLED="NOT DISABLED" #STATUS_NOT_ENABLED="NOT ENABLED" diff --git a/db/languages/ru b/db/languages/ru index c24603b6..55a4717b 100644 --- a/db/languages/ru +++ b/db/languages/ru @@ -82,6 +82,7 @@ STATUS_LOCAL_ONLY="ТОЛЬКО ЛОКАЛЬНО" STATUS_MEDIUM="СРЕДНИЙ" STATUS_NON_DEFAULT="НЕ ПО УМОЛЧАНИЮ" STATUS_NONE="Отсутствует" +STATUS_NOT_ACTIVE="NOT ACTIVE" STATUS_NOT_CONFIGURED="НЕ СКОНФИГУРИРОВАНО" STATUS_NOT_DISABLED="НЕ ОТКЛЮЧЕНО" STATUS_NOT_ENABLED="НЕ ВКЛЮЧЕНО" diff --git a/db/languages/se b/db/languages/se index d77717b4..e5a90859 100644 --- a/db/languages/se +++ b/db/languages/se @@ -83,6 +83,7 @@ STATUS_FOUND="HITTAD" #STATUS_NON_DEFAULT="NON DEFAULT" STATUS_NONE="INGEN" STATUS_NO="NEJ" +STATUS_NOT_ACTIVE="NOT ACTIVE" #STATUS_NOT_CONFIGURED="NOT CONFIGURED" #STATUS_NOT_DISABLED="NOT DISABLED" #STATUS_NOT_ENABLED="NOT ENABLED" diff --git a/db/languages/sk b/db/languages/sk index 7f021ade..45a18943 100644 --- a/db/languages/sk +++ b/db/languages/sk @@ -83,6 +83,7 @@ STATUS_FOUND="NÁJDENÉ" #STATUS_NON_DEFAULT="NON DEFAULT" STATUS_NONE="ŽIADNE" STATUS_NO="NIE" +STATUS_NOT_ACTIVE="NOT ACTIVE" #STATUS_NOT_CONFIGURED="NOT CONFIGURED" #STATUS_NOT_DISABLED="NOT DISABLED" #STATUS_NOT_ENABLED="NOT ENABLED" diff --git a/db/languages/tr b/db/languages/tr index 62dcb514..585cfed5 100644 --- a/db/languages/tr +++ b/db/languages/tr @@ -83,6 +83,7 @@ STATUS_FOUND="BULUNDU" STATUS_NO="HAYIR" #STATUS_NON_DEFAULT="NON DEFAULT" STATUS_NONE="YOK" +STATUS_NOT_ACTIVE="NOT ACTIVE" #STATUS_NOT_CONFIGURED="NOT CONFIGURED" #STATUS_NOT_DISABLED="NOT DISABLED" #STATUS_NOT_ENABLED="NOT ENABLED" diff --git a/db/software-eol.db b/db/software-eol.db index f8242d35..880b3279 100644 --- a/db/software-eol.db +++ b/db/software-eol.db @@ -28,8 +28,9 @@ os:Alpine 3.8:2020-05-01:1588305600 # Amazon Linux # # Note: shortest entry is listed at end due to regular expression matching being used -os:Amazon Linux 2:2023-06-26:1687730400: -os:Amazon Linux:2020-06-30:1593468000: +os:Amazon Linux 2023:2028-03-15:1836691200: +os:Amazon Linux 2:2025-06-30:1751241600: +os:Amazon Linux:2023-12-31:1703980800: # # Arch Linux # @@ -40,16 +41,19 @@ os:Arch Linux::-1: os:CentOS release 5:2017-03-31:1490911200: os:CentOS release 6:2020-11-30:1606690800: os:CentOS Linux 7:2024-06-30:1719698400: -os:CentOS Linux 8:2029-05-31:1874872800: +os:CentOS Linux 8:2021-12-31:1640905200: # # Debian - https://wiki.debian.org/DebianReleases#Production_Releases +# https://wiki.debian.org/LTS # os:Debian 5.0:2012-02-06:1328482800: os:Debian 6.0:2016-02-29:1456700400: os:Debian 7:2018-05-31:1527717600: os:Debian 8:2020-06-30:1593468000: -os:Debian 9:2022-01-01:1640991600: -os:Debian 10:2022-01-01:1640991600: +os:Debian 9:2022-06-30:1656547200: +os:Debian 10:2022-09-10:1665266400: +os:Debian 11:2024-07-01:1719784800: +os:Debian 12:2028-06-30:1845936000: # # Fedora - https://fedoraproject.org/wiki/End_of_life # @@ -134,6 +138,7 @@ os:Mageia 4:2015-09-19:1442613600 os:Mageia 5:2017-12-31:1514674800 os:Mageia 6:2019-09-30:1569794400 os:Mageia 7:2020-12-30:1609282800 +os:Mageia 8::-1 # # NetBSD - https://www.netbsd.org/support/security/release.html and # https://www.netbsd.org/releases/formal.html @@ -196,6 +201,11 @@ os:OpenBSD 6.4:2019-10-17:1571270400: os:OpenBSD 6.5:2020-05-19:1589846400: os:OpenBSD 6.6:2020-10-01:1601510400: os:OpenBSD 6.7:2021-05-01:1619827200: +os:OpenBSD 6.8:2021-10-14:1665698400: +os:OpenBSD 6.9:2022-04-21:1650492000: +os:OpenBSD 7.0:2022-10-20:1666216800: +os:OpenBSD 7.1:2023-05-01:1682892000: +os:OpenBSD 7.2::-1 # # Red Hat Enterprise Linux - https://access.redhat.com/labs/plcc/ # @@ -239,6 +249,7 @@ os:Ubuntu 18.04:2023-05-01:1682892000: os:Ubuntu 18.10:2019-07-18:1563400800: os:Ubuntu 19.04:2020-01-01:1577833200: os:Ubuntu 20.04:2025-04-01:1743458400: +os:Ubuntu 22.04:2027-04-01:1806537600: # # OmniosCE - https://omniosce.org/releasenotes.html # diff --git a/db/tests.db b/db/tests.db index fe16ef9c..5b005e1b 100644 --- a/db/tests.db +++ b/db/tests.db @@ -136,7 +136,7 @@ FILE-7524:test:security:file_permissions::Perform file permissions check: FINT-4310:test:security:file_integrity::AFICK availability: FINT-4314:test:security:file_integrity::AIDE availability: FINT-4315:test:security:file_integrity::Check AIDE configuration file: -FINT-4316:test:security:file_integirty::Presence of AIDE database and size check: +FINT-4316:test:security:file_integrity::Presence of AIDE database and size check: FINT-4318:test:security:file_integrity::Osiris availability: FINT-4322:test:security:file_integrity::Samhain availability: FINT-4326:test:security:file_integrity::Tripwire availability: @@ -148,6 +148,7 @@ FINT-4338:test:security:file_integrity::osqueryd syscheck daemon running: FINT-4339:test:security:file_integrity:Linux:Check IMA/EVM Status FINT-4340:test:security:file_integrity:Linux:Check dm-integrity status FINT-4341:test:security:file_integrity:Linux:Check dm-verity status +FINT-4344:test:security:file_integrity::Wazuh syscheck daemon running: FINT-4350:test:security:file_integrity::File integrity software installed: FINT-4402:test:security:file_integrity::Checksums (SHA256 or SHA512): FIRE-4502:test:security:firewalls:Linux:Check iptables kernel module: @@ -204,7 +205,7 @@ INSE-8200:test:security:insecure_services::Usage of TCP wrappers: INSE-8300:test:security:insecure_services::Presence of rsh client: INSE-8302:test:security:insecure_services::Presence of rsh server: INSE-8310:test:security:insecure_services::Presence of telnet client: -INSE-8312:test:security:insecure_services::Presence of telnet server: +INSE-8322:test:security:insecure_services::Presence of telnet server: INSE-8314:test:security:insecure_services::Presence of NIS client: INSE-8316:test:security:insecure_services::Presence of NIS server: INSE-8318:test:security:insecure_services::Presence of TFTP client: @@ -437,8 +438,9 @@ TOOL-5102:test:security:tooling::Check for presence of Fail2ban: TOOL-5104:test:security:tooling::Enabled tests for Fail2ban: TOOL-5120:test:security:tooling::Presence of Snort IDS: TOOL-5122:test:security:tooling::Snort IDS configuration file: +TOOL-5128:test:security:tooling::Check for active Wazuh daemon: TOOL-5130:test:security:tooling::Check for active Suricata daemon: -TOOL-5160:test:security:tooling::Check for active OSSEC daemon: +TOOL-5126:test:security:tooling::Check for active OSSEC daemon: TOOL-5190:test:security:tooling::Check presence of available IDS/IPS tooling: USB-1000:test:security:storage:Linux:Check if USB storage is disabled: USB-2000:test:security:storage:Linux:Check USB authorizations: diff --git a/include/binaries b/include/binaries index 7aabba42..b495013c 100644 --- a/include/binaries +++ b/include/binaries @@ -169,7 +169,6 @@ domainname) DOMAINNAMEBINARY="${BINARY}"; LogText " Found known binary: domainname (NIS domain) - ${BINARY}" ;; dpkg) DPKGBINARY="${BINARY}"; LogText " Found known binary: dpkg (package management) - ${BINARY}" ;; xbps-query) XBPSBINARY="${BINARY}"; LogText " Found known binary: xbps (package management) - ${BINARY}" ;; - egrep) EGREPBINARY=${BINARY}; LogText " Found known binary: egrep (text search) - ${BINARY}" ;; equery) EQUERYBINARY="${BINARY}"; LogText " Found known binary: query (package manager) - ${BINARY}" ;; evmctl) EVMCTLBINARY=${BINARY}; LogText " Found known binary: evmctl (IMA/EVM tool) - ${BINARY}" ;; exim) EXIMBINARY="${BINARY}"; EXIMVERSION=$(${BINARY} -bV | grep 'Exim version' | awk '{ print $3 }' | xargs); LogText " Found known binary ${BINARY} (version ${EXIMVERSION})" ;; @@ -337,11 +336,19 @@ Report "binaries_sgid_count=${SGID_BINARIES}" Report "binary_paths=${BINARY_PATHS_FOUND}" + # If grep is capable of extended regexp, use that instead of egrep to avoid annoying warning + if [ "${GREPBINARY:-}" ] ; then + ${GREPBINARY} --help | ${GREPBINARY} -e "extended-regexp" > /dev/null + if [ $? -eq 0 ] ; then + EGREPBINARY="${GREPBINARY} -E" + fi + fi + + # Test if the basic system tools are defined. These will be used during the audit. [ "${AWKBINARY:-}" ] || ExitFatal "awk binary not found" [ "${CAT_BINARY:-}" ] || ExitFatal "cat binary not found" [ "${CUTBINARY:-}" ] || ExitFatal "cut binary not found" - [ "${EGREPBINARY:-}" ] || ExitFatal "egrep binary not found" [ "${FINDBINARY:-}" ] || ExitFatal "find binary not found" [ "${GREPBINARY:-}" ] || ExitFatal "grep binary not found" [ "${HEADBINARY:-}" ] || ExitFatal "head binary not found" diff --git a/include/functions b/include/functions index 5b211707..9c52044b 100644 --- a/include/functions +++ b/include/functions @@ -1315,7 +1315,7 @@ return 2 else for CHECK_PERMISSION in ${CHECKPERMISSION_FULL}; do - DATA=$(echo ${CHECK_PERMISSION} | ${EGREPBINARY} "[rwx]") + DATA=$(echo ${CHECK_PERMISSION} | ${GREPBINARY} -E "[rwx]") if [ $? -eq 0 ]; then # add a dummy character as first character so it looks like output is a normal file CHECK_PERMISSION=$(echo "-${CHECK_PERMISSION}" | ${AWKBINARY} '{k=0;for(i=0;i<=8;i++)k+=((substr($1,i+2,1)~/[rwx]/)*2^(8-i));if(k)printf("%0o",k)}') @@ -1608,7 +1608,7 @@ # This search is not foolproof LogText "Performing simple ps scan (busybox)" PSOPTIONS=" -o args=" - FIND=$(${PSBINARY:-ps} ${PSOPTIONS} | ${EGREPBINARY:-egrep} "( |/)${search}" | ${GREPBINARY:-grep} -v "grep") + FIND=$(${PSBINARY:-ps} ${PSOPTIONS} | ${GREPBINARY:-grep} -E "( |/)${search}" | ${GREPBINARY:-grep} -v "grep") else if [ -n "${users}" ]; then for u in ${users}; do @@ -2562,14 +2562,18 @@ GetTimestamp() { ts=0 - case "${OS}" in - "Linux") + # Detect if the implementation of date supports nanoseconds, + if [ "${OS}" = "Linux" ]; then + current_nanoseconds=$(date "+%N") + # Verify if the result of the command is a number + if [ -n "$current_nanoseconds" ] && [ "$current_nanoseconds" -eq "$current_nanoseconds" ] 2>/dev/null; then ts=$(date "+%s%N") - ;; - *) + else ts=$(date "+%s") - ;; - esac + fi + else + ts=$(date "+%s") + fi echo $ts } diff --git a/include/osdetection b/include/osdetection index d9b8a41c..b09bd2f0 100644 --- a/include/osdetection +++ b/include/osdetection @@ -64,6 +64,8 @@ 10.15 | 10.15.[0-9]*) OS_FULLNAME="macOS Catalina (${OS_VERSION})" ;; 11 | 11.[0-9]*) OS_FULLNAME="macOS Big Sur (${OS_VERSION})" ;; 12 | 12.[0-9]*) OS_FULLNAME="macOS Monterey (${OS_VERSION})" ;; + 13 | 13.[0-9]*) OS_FULLNAME="macOS Ventura (${OS_VERSION})" ;; + 14 | 14.[0-9]*) OS_FULLNAME="macOS Sonoma (${OS_VERSION})" ;; *) echo "Unknown macOS version. Do you know what version it is? Create an issue at ${PROGRAM_SOURCE}" ;; esac else @@ -260,6 +262,12 @@ OS_NAME="Gentoo Linux" OS_VERSION="Rolling release" ;; + "guix") + LINUX_VERSION="Guix" + OS_FULLNAME="Guix System" + OS_NAME="Guix" + OS_VERSION="Rolling release" + ;; "ipfire") LINUX_VERSION="IPFire" OS_NAME="IPFire" @@ -278,6 +286,11 @@ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') ;; + "lsdk") + LINUX_VERSION="NXP LSDK" + OS_NAME="NXP LSDK" + OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + ;; "mageia") LINUX_VERSION="Mageia" OS_NAME="Mageia" @@ -308,6 +321,12 @@ OS_REDHAT_OR_CLONE=1 OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') ;; + "nodistro") + LINUX_VERSION="openembedded" + OS_NAME="OpenEmbedded" + OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + ;; "opensuse-tumbleweed") LINUX_VERSION="openSUSE Tumbleweed" # It's rolling release but has a snapshot version (the date of the snapshot) @@ -330,6 +349,14 @@ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION_FULL=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') ;; + "poky") + LINUX_VERSION="Poky" + OS_NAME="openembedded" + LINUX_VERSION_LIKE="openembedded" + OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + OS_VERSION_FULL=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + + ;; "pop") LINUX_VERSION="Pop!_OS" LINUX_VERSION_LIKE="Ubuntu" @@ -777,10 +804,26 @@ ECHONB="" case ${OS} in - "AIX") ECHOCMD="echo"; ECHONB="printf" ;; - "DragonFly"|"FreeBSD"|"NetBSD") ECHOCMD="echo -e"; ECHONB="echo -n" ;; - "macOS" | "Mac OS X") ECHOCMD="echo"; ECHONB="/bin/echo -n" ;; - "Solaris") ECHOCMD="echo" ; test -f /usr/ucb/echo && ECHONB="/usr/ucb/echo -n" ;; + "AIX") + ECHOCMD="echo"; + ECHONB="printf" + ;; + "DragonFly"|"FreeBSD"|"NetBSD") + ECHOCMD="echo -e" + ECHONB="echo -n" + NOW=$(date "+%s") + ;; + "macOS" | "Mac OS X") + ECHOCMD="echo" + ECHONB="/bin/echo -n" + NOW=$(date "+%s") + ;; + + "Solaris") + ECHOCMD="echo" + test -f /usr/ucb/echo && ECHONB="/usr/ucb/echo -n" + NOW=$(nawk 'BEGIN{print srand()}') + ;; "Linux") # Check if dash is used (Debian/Ubuntu) DEFAULT_SHELL=$(ls -l /bin/sh | awk -F'>' '{print $2}') @@ -788,10 +831,14 @@ " dash") ECHOCMD="/bin/echo -e" ;; *) ECHOCMD="echo -e" ;; esac + NOW=$(date "+%s") + ;; + *) + ECHOCMD="echo -e" + NOW=$(date "+%s") ;; - *) ECHOCMD="echo -e" ;; esac - + # Check if we have full featured commands, or are using BusyBox as a shell if [ -x /bin/busybox ]; then if [ -L /bin/ps ]; then @@ -820,13 +867,10 @@ if [ -n "${EOL_TIMESTAMP}" ]; then EOL_DATE=$(awk -v value="${FIND}" -F: '{if ($1=="os" && value ~ $2){print $3}}' ${DBDIR}/software-eol.db | head -n 1) if [ -n "${EOL_DATE}" ]; then - NOW=$(date "+%s") - if [ -n "${NOW}" ]; then - if [ ${NOW} -gt ${EOL_TIMESTAMP} ]; then - EOL=1 - else - EOL=0 - fi + if [ ${NOW} -gt ${EOL_TIMESTAMP} ]; then + EOL=1 + else + EOL=0 fi else EOL=0 diff --git a/include/tests_authentication b/include/tests_authentication index 0552d646..3ec54d64 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -42,9 +42,9 @@ LogText "Test: Searching accounts with UID 0" # Check if device is a QNAP, as the root user is called admin, and not root if [ ${QNAP_DEVICE} -eq 1 ]; then - FIND=$(${GREPBINARY} ':0:' ${ROOTDIR}etc/passwd | ${EGREPBINARY} -v '^#|^admin:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0') + FIND=$(${GREPBINARY} ':0:' ${ROOTDIR}etc/passwd | ${GREPBINARY} -E -v '^#|^admin:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0') else - FIND=$(${GREPBINARY} ':0:' ${ROOTDIR}etc/passwd | ${EGREPBINARY} -v '^#|^root:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0') + FIND=$(${GREPBINARY} ':0:' ${ROOTDIR}etc/passwd | ${GREPBINARY} -E -v '^#|^root:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0') fi if [ -n "${FIND}" ]; then Display --indent 2 --text "- Administrator accounts" --result "${STATUS_WARNING}" --color RED @@ -163,7 +163,7 @@ LogText "Test: Checking login shells" if [ -f ${ROOTDIR}etc/master.passwd ]; then # Check for all shells, except: (/usr)/sbin/nologin /nonexistent - FIND=$(${GREPBINARY} "[a-z]:\*:" ${ROOTDIR}etc/master.passwd | ${EGREPBINARY} -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | ${SEDBINARY} 's/ /!space!/g') + FIND=$(${GREPBINARY} "[a-z]:\*:" ${ROOTDIR}etc/master.passwd | ${GREPBINARY} -E -v '^#|/sbin/nologin|/usr/sbin/nologin|/nonexistent' | ${SEDBINARY} 's/ /!space!/g') if [ -z "${FIND}" ]; then Display --indent 2 --text "- Login shells" --result "${STATUS_OK}" --color GREEN else @@ -499,13 +499,13 @@ Register --test-no AUTH-9240 --weight L --network NO --category security --description "Query NIS+ authentication support" if [ ${SKIPTEST} -eq 0 ]; then if [ -f /etc/nsswitch.conf ]; then - FIND=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${EGREPBINARY} "compat|nisplus") + FIND=$(${GREPBINARY} -E "^passwd" /etc/nsswitch.conf | ${GREPBINARY} -E "compat|nisplus") if [ -z "${FIND}" ]; then LogText "Result: NIS+ authentication not enabled" Display --indent 2 --text "- NIS+ authentication support" --result "${STATUS_NOT_ENABLED}" --color WHITE else - FIND2=$(${EGREPBINARY} "^passwd_compat" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus") - FIND3=$(${EGREPBINARY} "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus") + FIND2=$(${GREPBINARY} -E "^passwd_compat" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus") + FIND3=$(${GREPBINARY} -E "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus") if [ -n "${FIND2}" -o -n "${FIND3}" ]; then LogText "Result: NIS+ authentication enabled" Display --indent 2 --text "- NIS+ authentication support" --result "${STATUS_ENABLED}" --color GREEN @@ -526,13 +526,13 @@ Register --test-no AUTH-9242 --weight L --network NO --category security --description "Query NIS authentication support" if [ ${SKIPTEST} -eq 0 ]; then if [ -f /etc/nsswitch.conf ]; then - FIND=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${EGREPBINARY} "compat|nis" | ${GREPBINARY} -v "nisplus") + FIND=$(${GREPBINARY} -E "^passwd" /etc/nsswitch.conf | ${GREPBINARY} -E "compat|nis" | ${GREPBINARY} -v "nisplus") if [ -z "${FIND}" ]; then LogText "Result: NIS authentication not enabled" Display --indent 2 --text "- NIS authentication support" --result "${STATUS_NOT_ENABLED}" --color WHITE else - FIND2=$(${EGREPBINARY} "^passwd_compat" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus") - FIND3=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus") + FIND2=$(${GREPBINARY} -E "^passwd_compat" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus") + FIND3=$(${GREPBINARY} -E "^passwd" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus") if [ -n "${FIND2}" -o -n "${FIND3}" ]; then LogText "Result: NIS authentication enabled" Display --indent 2 --text "- NIS authentication support" --result "${STATUS_ENABLED}" --color GREEN @@ -737,7 +737,7 @@ LogText "Result: file ${ROOTDIR}etc/pam.conf exists" Display --indent 2 --text "- PAM configuration files (pam.conf)" --result "${STATUS_FOUND}" --color GREEN LogText "Test: searching PAM configuration files" - FIND=$(${EGREPBINARY} -v "^#" ${ROOTDIR}etc/pam.conf | ${EGREPBINARY} -v "^$" | ${SEDBINARY} 's/[[:space:]]/ /g' | ${SEDBINARY} 's/ / /g' | ${SEDBINARY} 's/ /:space:/g') + FIND=$(${GREPBINARY} -E -v "^#" ${ROOTDIR}etc/pam.conf | ${GREPBINARY} -E -v "^$" | ${SEDBINARY} 's/[[:space:]]/ /g' | ${SEDBINARY} 's/ / /g' | ${SEDBINARY} 's/ /:space:/g') if [ -z "${FIND}" ]; then LogText "Result: File has no configuration options defined (empty, or only filled with comments and empty lines)" else @@ -1017,7 +1017,7 @@ LogText "Data: Days since epoch is ${DAYS_SINCE_EPOCH}" LogText "Test: collecting accounts which have an expired password (last day changed + maximum change time)" # Skip fields with a !, *, or x, or !* (field $3 is last changed, $5 is maximum changed) - FIND=$(${EGREPBINARY} -v ":[\!\*x]([\*\!])?:" /etc/shadow | ${AWKBINARY} -v today=${DAYS_SINCE_EPOCH} -F: '{ if (($5!="") && (today>$3+$5)) { print $1 }}') + FIND=$(${GREPBINARY} -E -v ":[\!\*x]([\*\!])?:" /etc/shadow | ${AWKBINARY} -v today=${DAYS_SINCE_EPOCH} -F: '{ if (($5!="") && (today>$3+$5)) { print $1 }}') if [ -n "${FIND}" ]; then for ACCOUNT in ${FIND}; do LogText "Result: password of user ${ACCOUNT} has been expired" @@ -1109,8 +1109,8 @@ TEST_PERFORMED=1 LogText "Result: file ${ROOTDIR}etc/inittab exists" LogText "Test: checking presence sulogin for single user mode" - FIND=$(${EGREPBINARY} "^[a-zA-Z0-9~]+:S:(respawn|wait):/sbin/sulogin" /etc/inittab) - FIND2=$(${EGREPBINARY} "^su:S:(respawn|wait):/sbin/sulogin" /etc/inittab) + FIND=$(${GREPBINARY} -E "^[a-zA-Z0-9~]+:S:(respawn|wait):/sbin/sulogin" /etc/inittab) + FIND2=$(${GREPBINARY} -E "^su:S:(respawn|wait):/sbin/sulogin" /etc/inittab) if [ -n "${FIND}" -o -n "${FIND2}" ]; then FOUND=1 LogText "Result: found sulogin, so single user is protected" @@ -1147,7 +1147,7 @@ # Mark test as performed only when at least 1 target exists (e.g. Ubuntu 14.04 has limited systemd support) TEST_PERFORMED=1 LogText "Result: found target ${I}" - FIND=$(${EGREPBINARY} "^ExecStart=" ${FILE} | ${GREPBINARY} "sulogin") + FIND=$(${GREPBINARY} -E "^ExecStart=" ${FILE} | ${GREPBINARY} "sulogin") if [ "${FIND}" = "" ]; then LogText "Result: did not find sulogin specified, possible risk of getting into single user mode without authentication" else @@ -1486,7 +1486,7 @@ Register --test-no AUTH-9402 --weight L --network NO --category security --description "Query LDAP authentication support" if [ ${SKIPTEST} -eq 0 ]; then if [ -f ${ROOTDIR}etc/nsswitch.conf ]; then - FIND=$(${EGREPBINARY} "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "ldap") + FIND=$(${GREPBINARY} -E "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "ldap") if [ "${FIND}" = "" ]; then LogText "Result: LDAP authentication not enabled" Display --indent 2 --text "- LDAP authentication support" --result "${STATUS_NOT_ENABLED}" --color WHITE @@ -1514,7 +1514,7 @@ LogText "Result: file ${FILE} exists, LDAP being used" LDAP_CLIENT_CONFIG_FILE="${FILE}" LogText "Test: checking LDAP servers in file ${FILE}" - FIND=$(${EGREPBINARY} "^host " ${FILE} | ${AWKBINARY} '{ print $2 }') + FIND=$(${GREPBINARY} -E "^host " ${FILE} | ${AWKBINARY} '{ print $2 }') for SERVER in ${FIND}; do Display --indent 6 --text "LDAP server: ${SERVER}" LogText "Result: found LDAP server ${SERVER}" diff --git a/include/tests_boot_services b/include/tests_boot_services index 5901cd70..967b98a6 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services @@ -460,7 +460,7 @@ BOOT_LOADER_FOUND=1 Display --indent 2 --text "- Checking presence LILO" --result "${STATUS_OK}" --color GREEN LogText "Checking password option LILO" - FIND=$(${EGREPBINARY} 'password[[:space:]]?=' ${LILOCONFFILE} | ${GREPBINARY} -v "^#") + FIND=$(${GREPBINARY} -E 'password[[:space:]]?=' ${LILOCONFFILE} | ${GREPBINARY} -v "^#") if [ -z "${FIND}" ]; then if [ "${MACHINE_ROLE}" = "server" -o "${MACHINE_ROLE}" = "workstation" ]; then Display --indent 4 --text "- Password option presence " --result "${STATUS_WARNING}" --color RED @@ -605,7 +605,7 @@ else # FreeBSD (Read /etc/rc.conf file for enabled services) LogText "Searching for services at startup (rc.conf)" - FIND=$(${EGREPBINARY} -v -i '^#|none' ${ROOTDIR}etc/rc.conf | ${EGREPBINARY} -i '_enable.*(yes|on|1)' | ${SORTBINARY} | ${AWKBINARY} -F= '{ print $1 }' | ${SEDBINARY} 's/_enable//') + FIND=$(${GREPBINARY} -E -v -i '^#|none' ${ROOTDIR}etc/rc.conf | ${GREPBINARY} -E -i '_enable.*(yes|on|1)' | ${SORTBINARY} | ${AWKBINARY} -F= '{ print $1 }' | ${SEDBINARY} 's/_enable//') fi COUNT=0 for ITEM in ${FIND}; do @@ -715,7 +715,7 @@ if [ -n "${CHKCONFIGBINARY}" ]; then LogText "Result: chkconfig binary found, trying that to discover information" LogText "Searching for services at startup (chkconfig, runlevel 3 and 5)" - FIND=$(${CHKCONFIGBINARY} --list | ${EGREPBINARY} '3:on|5:on' | ${AWKBINARY} '{ print $1 }') + FIND=$(${CHKCONFIGBINARY} --list | ${GREPBINARY} -E '3:on|5:on' | ${AWKBINARY} '{ print $1 }') COUNT=0 Report "boot_service_tool=chkconfig" for ITEM in ${FIND}; do @@ -947,7 +947,7 @@ if [ -f ${ROOTDIR}usr/lib/systemd/system/rescue.service ]; then LogText "Result: file /usr/lib/systemd/system/rescue.service" LogText "Test: checking presence sulogin for single user mode" - FIND=$(${EGREPBINARY} "^ExecStart=.*sulogin" ${ROOTDIR}usr/lib/systemd/system/rescue.service) + FIND=$(${GREPBINARY} -E "^ExecStart=.*sulogin" ${ROOTDIR}usr/lib/systemd/system/rescue.service) if [ -n "${FIND}" ]; then FOUND=1 LogText "Result: found sulogin, so single user is protected" @@ -981,14 +981,14 @@ Report "running_service[]=${ITEM}" COUNT=$((COUNT + 1 )) done - LogText "Note: Run rcctl ls all | egrep '^(pf|check_quotas|library_aslr)$' to see all daemons" + LogText "Note: Run rcctl ls all | grep -E '^(pf|check_quotas|library_aslr)$' to see all daemons" Display --indent 2 --text "- Check running daemons (rcctl)" --result "${STATUS_DONE}" --color GREEN Display --indent 8 --text "Result: found ${COUNT} running daemons" LogText "Result: Found ${COUNT} running daemons" # OpenBSD (Ask rcctl(8) for enabled daemons) LogText "Searching for enabled daemons (rcctl)" - FIND=$(${RCCTLBINARY} ls on | ${EGREPBINARY} -v '^(pf|check_quotas|library_aslr)$') + FIND=$(${RCCTLBINARY} ls on | ${GREPBINARY} -E -v '^(pf|check_quotas|library_aslr)$') COUNT=0 Report "boot_service_tool=rcctl" for ITEM in ${FIND}; do @@ -996,7 +996,7 @@ Report "boot_service[]=${ITEM}" COUNT=$((COUNT + 1 )) done - LogText "Note: Run rcctl ls all | egrep '^(pf|check_quotas|library_aslr)$' to see all daemons" + LogText "Note: Run rcctl ls all | grep -E '^(pf|check_quotas|library_aslr)$' to see all daemons" Display --indent 2 --text "- Check enabled daemons at boot (rcctl)" --result "${STATUS_DONE}" --color GREEN Display --indent 8 --text "Result: found ${COUNT} enabled daemons at boot" LogText "Result: Found ${COUNT} enabled daemons at boot" diff --git a/include/tests_containers b/include/tests_containers index af10997d..a02ea268 100644 --- a/include/tests_containers +++ b/include/tests_containers @@ -137,7 +137,7 @@ # Check total of containers LogText "Test: checking total amount of Docker containers" - DOCKER_CONTAINERS_TOTAL=$(${DOCKERBINARY} info 2> /dev/null | ${EGREPBINARY} "^[ \t]?Containers: " | ${AWKBINARY} '{ print $2 }') + DOCKER_CONTAINERS_TOTAL=$(${DOCKERBINARY} info 2> /dev/null | ${GREPBINARY} -E "^[ \t]?Containers: " | ${AWKBINARY} '{ print $2 }') if [ -z "${DOCKER_CONTAINERS_TOTAL}" ]; then DOCKER_CONTAINERS_TOTAL=0 fi diff --git a/include/tests_crypto b/include/tests_crypto index 89ad1e62..a643b6c0 100644 --- a/include/tests_crypto +++ b/include/tests_crypto @@ -54,7 +54,7 @@ LASTSUBDIR="" LogText "Result: found directory ${DIR}" # Search for certificate files - FILES=$(${FINDBINARY} ${DIR} -type f 2> /dev/null | ${EGREPBINARY} ".cer$|.crt$|.der$|.pem$|^cert" | ${SORTBINARY} | ${SEDBINARY} 's/ /__space__/g') + FILES=$(${FINDBINARY} ${DIR} -type f 2> /dev/null | ${GREPBINARY} -E ".cer$|.crt$|.der$|.pem$|^cert" | ${SORTBINARY} | ${SEDBINARY} 's/ /__space__/g') for FILE in ${FILES}; do FILE=$(echo ${FILE} | ${SEDBINARY} 's/__space__/ /g') # See if we need to skip this path @@ -80,7 +80,7 @@ if [ ${CANREAD} -eq 1 ]; then # Only check the files that are not installed by a package, unless enabled by profile if [ ${SSL_CERTIFICATE_INCLUDE_PACKAGES} -eq 1 ] || ! FileInstalledByPackage "${FILE}"; then - echo ${FILE} | ${EGREPBINARY} -q ".cer$|.der$" + echo ${FILE} | ${GREPBINARY} -E -q ".cer$|.der$" CER_DER=$? OUTPUT=$(${GREPBINARY} -q 'BEGIN CERT' "${FILE}") if [ $? -eq 0 -o ${CER_DER} -eq 0 ]; then diff --git a/include/tests_databases b/include/tests_databases index f5bc22ae..3f2e00f5 100644 --- a/include/tests_databases +++ b/include/tests_databases @@ -45,7 +45,7 @@ # Description : Check if MySQL is being used Register --test-no DBS-1804 --weight L --network NO --category security --description "Checking active MySQL process" if [ ${SKIPTEST} -eq 0 ]; then - FIND=$(${PSBINARY} ax | ${EGREPBINARY} "mariadb|mysqld|mysqld_safe" | ${GREPBINARY} -v "grep") + FIND=$(${PSBINARY} ax | ${GREPBINARY} -E "mariadb|mysqld|mysqld_safe" | ${GREPBINARY} -v "grep") if [ -z "${FIND}" ]; then if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- MySQL process status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi LogText "Result: MySQL process not active" @@ -127,12 +127,25 @@ for FILE in ${MONGO_CONF_FILES}; do if [ -f ${FILE} ]; then LogText "Result: found MongoDB configuration file (${FILE})" - LogText "Test: determine authorization setting in new style YAML format" - AUTH_IN_CONFIG=$(${GREPBINARY} "authorization: enabled" ${FILE} | ${GREPBINARY} -E -v "(^#|#auth)") - if HasData "${AUTH_IN_CONFIG}"; then - LogText "Result: GOOD, found authorization option enabled in configuration file (YAML format)" - MONGODB_AUTHORIZATION_ENABLED=1 - else + # YAML with quotes + if [ ${MONGODB_AUTHORIZATION_ENABLED} -eq 0 ]; then + LogText "Test: determine authorization setting in new style YAML format" + AUTH_IN_CONFIG=$(${GREPBINARY} "authorization: \"enabled\"" ${FILE} | ${GREPBINARY} -E -v "(^#|#auth)") + if HasData "${AUTH_IN_CONFIG}"; then + LogText "Result: GOOD, found authorization option enabled in configuration file (YAML format with quotes)" + MONGODB_AUTHORIZATION_ENABLED=1 + fi + fi + # YAML without quotes + if [ ${MONGODB_AUTHORIZATION_ENABLED} -eq 0 ]; then + AUTH_IN_CONFIG=$(${GREPBINARY} "authorization: enabled" ${FILE} | ${GREPBINARY} -E -v "(^#|#auth)") + if HasData "${AUTH_IN_CONFIG}"; then + LogText "Result: GOOD, found authorization option enabled in configuration file (YAML format without quotes)" + MONGODB_AUTHORIZATION_ENABLED=1 + fi + fi + # Old style + if [ ${MONGODB_AUTHORIZATION_ENABLED} -eq 0 ]; then LogText "Result: did NOT find authorization option enabled in configuration file (with YAML format)" LogText "Test: now searching for old style configuration (auth = true) in configuration file" AUTH_IN_CONFIG=$(${GREPBINARY} "auth = true" ${FILE} | ${GREPBINARY} -v "noauth" | ${GREPBINARY} -E -v "(^#|#auth)") @@ -203,7 +216,8 @@ Register --test-no DBS-1828 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Test PostgreSQL configuration" if [ ${SKIPTEST} -eq 0 ]; then - FIND_PATHS="${ROOTDIR}etc/postgres ${ROOTDIR}var/lib/postgres/data ${ROOTDIR}usr/local/pgsql/data" + FIND_PATHS=$(${LSBINARY} -d ${ROOTDIR}usr/local/pgsql/data* 2> /dev/null) + FIND_PATHS="${FIND_PATHS} ${ROOTDIR}etc/postgres ${ROOTDIR}etc/postgresql ${ROOTDIR}var/lib/postgres/data ${ROOTDIR}usr/local/pgsql/data" CONFIG_FILES=$(${FINDBINARY} -L ${FIND_PATHS} -type f -name "*.conf" -print0 2> /dev/null | ${TRBINARY} -cd '[:print:]\0' | ${TRBINARY} -d '\n' | ${TRBINARY} '\0' '\n' | xargs -i sh -c 'test -r "{}" && echo "{}"' | ${SEDBINARY} "s/ /:space:/g") for CF in ${CONFIG_FILES}; do Report "postgresql_config_file[]=${CF}" @@ -231,7 +245,7 @@ # reco: recovery (optional) Register --test-no DBS-1840 --weight L --network NO --category security --description "Checking active Oracle processes" if [ ${SKIPTEST} -eq 0 ]; then - FIND=$(${PSBINARY} ax | ${EGREPBINARY} "ora_pmon|ora_smon|tnslsnr" | ${GREPBINARY} -v "grep") + FIND=$(${PSBINARY} ax | ${GREPBINARY} -E "ora_pmon|ora_smon|tnslsnr" | ${GREPBINARY} -v "grep") if [ -z "${FIND}" ]; then if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- Oracle processes status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi LogText "Result: Oracle process(es) not active" diff --git a/include/tests_file_integrity b/include/tests_file_integrity index 8a38b97e..4fffca65 100644 --- a/include/tests_file_integrity +++ b/include/tests_file_integrity @@ -104,7 +104,7 @@ if [ -n "${AIDEBINARY}" -a -n "${AIDECONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no FINT-4316 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Presence of AIDE database and size check" if [ ${SKIPTEST} -eq 0 ]; then - AIDE_DB=$(${EGREPBINARY} '(^database|^database_in)=' ${AIDECONFIG} | ${SEDBINARY} "s/.*://") + AIDE_DB=$(${GREPBINARY} -E '(^database|^database_in)=' ${AIDECONFIG} | ${SEDBINARY} "s/.*://") if case ${AIDE_DB} in @@*) ;; *) false;; esac; then I=$(${GREPBINARY} "@@define.*DBDIR" ${AIDECONFIG} | ${AWKBINARY} '{print $3}') AIDE_DB=$(echo ${AIDE_DB} | ${SEDBINARY} "s#.*}#${I}#") @@ -330,7 +330,7 @@ ROOTDEVICE=$(${MOUNTBINARY} | ${AWKBINARY} '/ on \/ type / { print $1 }') for DEVICE in /dev/mapper/*; do if [ -e "${DEVICE}" ]; then - FIND=$(${INTEGRITYSETUPBINARY} status "${DEVICE}" | ${EGREPBINARY} 'type:.*INTEGRITY') + FIND=$(${INTEGRITYSETUPBINARY} status "${DEVICE}" | ${GREPBINARY} -E 'type:.*INTEGRITY') if [ ! -z "${FIND}" ]; then FOUND=1 LogText "Result: found dm-integrity device ${DEVICE}" @@ -370,7 +370,7 @@ ROOTDEVICE=$(${MOUNTBINARY} | ${AWKBINARY} '/ on \/ type / { print $1 }') for DEVICE in /dev/mapper/*; do if [ -e "${DEVICE}" ]; then - FIND=$(${VERITYSETUPBINARY} status "${DEVICE}" | ${EGREPBINARY} 'type:.*VERITY') + FIND=$(${VERITYSETUPBINARY} status "${DEVICE}" | ${GREPBINARY} -E 'type:.*VERITY') if [ ! -z "${FIND}" ]; then FOUND=1 LogText "Result: found dm-verity device ${DEVICE}" @@ -398,13 +398,32 @@ fi # ################################################################################# +# + # Test : FINT-4344 + # Description : Check if Wazuh system integrity tool is running + Register --test-no FINT-4344 --weight L --network NO --category security --description "Wazuh syscheck daemon running" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: Checking if Wazuh syscheck daemon is running" + if IsRunning "wazuh-syscheckd"; then + LogText "Result: syscheck (Wazuh) active" + Report "file_integrity_tool[]=wazuh" + FILE_INT_TOOL="wazuh-syscheck" + FILE_INT_TOOL_FOUND=1 + Display --indent 4 --text "- Wazuh (syscheck)" --result "${STATUS_FOUND}" --color GREEN + else + LogText "Result: syscheck (Wazuh) is not active" + if IsVerbose; then Display --indent 4 --text "- Wazuh" --result "${STATUS_NOT_FOUND}" --color WHITE; fi + fi + fi +# +################################################################################# # # Test : FINT-4402 (was FINT-4316) # Description : Check if AIDE is configured to use SHA256 or SHA512 checksums if [ ! "${AIDEBINARY}" = "" -a -n "${AIDECONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no FINT-4402 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "AIDE configuration: Checksums (SHA256 or SHA512)" if [ ${SKIPTEST} -eq 0 ]; then - FIND=$(${GREPBINARY} -v "^#" ${AIDECONFIG} | ${EGREPBINARY} "= .*(sha256|sha512)") + FIND=$(${GREPBINARY} -v "^#" ${AIDECONFIG} | ${GREPBINARY} -E "= .*(sha256|sha512)") if [ -z "${FIND}" ]; then LogText "Result: No SHA256 or SHA512 found for creating checksums" Display --indent 6 --text "- AIDE config (Checksum)" --result Suggestion --color YELLOW diff --git a/include/tests_file_permissions b/include/tests_file_permissions index 32598f45..924dad12 100644 --- a/include/tests_file_permissions +++ b/include/tests_file_permissions @@ -35,7 +35,7 @@ FOUND=0 for PROFILE in ${PROFILES}; do LogText "Using profile ${PROFILE} for baseline." - FILES=$(${EGREPBINARY} '^permfile=|^permdir=' ${PROFILE} | ${CUTBINARY} -d= -f2 | ${CUTBINARY} -d: -f1) + FILES=$(${GREPBINARY} -E '^permfile=|^permdir=' ${PROFILE} | ${CUTBINARY} -d= -f2 | ${CUTBINARY} -d: -f1) for F in ${FILES}; do LogText "Test: checking file/directory ${F}" if [ -f "${F}" ]; then diff --git a/include/tests_filesystems b/include/tests_filesystems index 480ba40a..93af33ed 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems @@ -356,7 +356,7 @@ # Proc should be mounted with 'hidepid=2' or 'hidepid=1' at least # https://www.kernel.org/doc/html/latest/filesystems/proc.html#chapter-4-configuring-procfs LogText "Test: check proc mount with incorrect mount options" - FIND=$(${MOUNTBINARY} | ${EGREPBINARY} "${ROOTDIR}proc " | ${EGREPBINARY} -o "hidepid=([0-9]|[a-z][a-z]*)") + FIND=$(${MOUNTBINARY} | ${GREPBINARY} -E "${ROOTDIR}proc " | ${GREPBINARY} -E -o "hidepid=([0-9]|[a-z][a-z]*)") if [ "${FIND}" = "hidepid=4" -o "${FIND}" = "hidepid=ptraceable" ]; then # https://lwn.net/Articles/817137/ Display --indent 2 --text "- Testing /proc mount (hidepid)" --result "${STATUS_OK}" --color GREEN LogText "Result: proc mount mounted with ${FIND}" @@ -504,7 +504,7 @@ fi LogText "Test: Checking acl option on xfs root file system" - FIND=$(${MOUNTBINARY} | ${AWKBINARY} '{ if ($3=="/" && $5~/xfs/) { print $6 } }' | ${EGREPBINARY} 'no_acl|no_user_xattr') + FIND=$(${MOUNTBINARY} | ${AWKBINARY} '{ if ($3=="/" && $5~/xfs/) { print $6 } }' | ${GREPBINARY} -E 'no_acl|no_user_xattr') if [ -z "${FIND}" ]; then FOUND=1 # some other tests to do ? @@ -638,7 +638,7 @@ NDEVMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v nodev | ${WCBINARY} -l) NEXECMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v noexec | ${WCBINARY} -l) NSUIDMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v nosuid | ${WCBINARY} -l) - NWRITEANDEXECMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v noexec | ${EGREPBINARY} -v '^\(ro[,)]' | ${WCBINARY} -l) + NWRITEANDEXECMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v noexec | ${GREPBINARY} -E -v '^\(ro[,)]' | ${WCBINARY} -l) LogText "Result: Total without nodev:${NDEVMOUNTS} noexec:${NEXECMOUNTS} nosuid:${NSUIDMOUNTS} ro or noexec (W^X): ${NWRITEANDEXECMOUNTS}, of total ${NMOUNTS}" Display --indent 2 --text "- Total without nodev:${NDEVMOUNTS} noexec:${NEXECMOUNTS} nosuid:${NSUIDMOUNTS} ro or noexec (W^X): ${NWRITEANDEXECMOUNTS} of total ${NMOUNTS}" fi @@ -744,7 +744,7 @@ if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking locate database" FOUND=0 - LOCATE_DBS="${ROOTDIR}var/lib/mlocate/mlocate.db ${ROOTDIR}var/lib/locate/locatedb ${ROOTDIR}var/lib/locatedb ${ROOTDIR}var/lib/slocate/slocate.db ${ROOTDIR}var/cache/locate/locatedb ${ROOTDIR}var/db/locate.database" + LOCATE_DBS="${ROOTDIR}var/cache/locate/locatedb ${ROOTDIR}var/db/locate.database ${ROOTDIR}var/lib/locate/locatedb ${ROOTDIR}var/lib/locatedb ${ROOTDIR}var/lib/mlocate/mlocate.db ${ROOTDIR}var/lib/plocate/plocate.db ${ROOTDIR}var/lib/slocate/slocate.db" for FILE in ${LOCATE_DBS}; do if [ -f ${FILE} ]; then LogText "Result: locate database found (${FILE})" @@ -814,13 +814,13 @@ AVAILABLE_MODPROBE_FS="" for FS in ${LIST_FS_NOT_SUPPORTED}; do # Check if filesystem is present in modprobe output - FIND=$(${MODPROBEBINARY} -v -n ${FS} 2>/dev/null | ${EGREPBINARY} "/${FS}.ko" | ${TAILBINARY} -1) + FIND=$(${MODPROBEBINARY} -v -n ${FS} 2>/dev/null | ${GREPBINARY} -E "/${FS}.ko" | ${TAILBINARY} -1) if [ -n "${FIND}" ]; then LogText "Result: found ${FS} support in the kernel (output = ${FIND})" Debug "Module ${FS} present in the kernel" LogText "Test: Checking if ${FS} is active" # Check if FS is present in lsmod output - FIND=$(${LSMODBINARY} | ${EGREPBINARY} "^${FS}") + FIND=$(${LSMODBINARY} | ${GREPBINARY} -E "^${FS}") if IsEmpty "${FIND}"; then LogText "Result: module ${FS} is currently not loaded in the kernel." AddHP 2 3 @@ -837,8 +837,8 @@ fi FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null) if [ -n "${FIND}" ]; then - FIND1=$(${EGREPBINARY} "^blacklist \+${FS}$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") - FIND2=$(${EGREPBINARY} "^install \+${FS} \+/bin/true$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") + FIND1=$(${GREPBINARY} -E "^blacklist \+${FS}$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") + FIND2=$(${GREPBINARY} -E "^install \+${FS} \+/bin/true$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then Display --indent 4 --text "- Module $FS is blacklisted" --result "OK" --color GREEN LogText "Result: module ${FS} is blacklisted" diff --git a/include/tests_firewalls b/include/tests_firewalls index 44d6c441..6852b536 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls @@ -112,7 +112,7 @@ TABLES="filter" for TABLE in ${TABLES}; do LogText "Test: gathering information from table ${TABLE}" - FIND="$FIND""\n"$(${IPTABLESBINARY} -t ${TABLE} --numeric --list | ${EGREPBINARY} -z -o -w '[A-Z]+' | tr -d '\0' | ${AWKBINARY} -v t=${TABLE} 'NR%2 {printf "%s %s ",t, $0 ; next;}1') + FIND="$FIND""\n"$(${IPTABLESBINARY} -t ${TABLE} --numeric --list | ${GREPBINARY} -E -z -o -w '[A-Z]+' | tr -d '\0' | ${AWKBINARY} -v t=${TABLE} 'NR%2 {printf "%s %s ",t, $0 ; next;}1') done echo "${FIND}" | while read -r line; do @@ -154,7 +154,7 @@ if [ -n "${IPTABLESBINARY}" -a ${IPTABLES_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no FIRE-4512 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check iptables for empty ruleset" if [ ${SKIPTEST} -eq 0 ]; then - FIND=$(${IPTABLESBINARY} --list --numeric 2> /dev/null | ${EGREPBINARY} -v "^(Chain|target|$)" | ${WCBINARY} -l | ${TRBINARY} -d ' ') + FIND=$(${IPTABLESBINARY} --list --numeric 2> /dev/null | ${GREPBINARY} -E -v "^(Chain|target|$)" | ${WCBINARY} -l | ${TRBINARY} -d ' ') if [ -n "${FIND}" ]; then FIREWALL_ACTIVE=1 if [ ${FIND} -le 5 ]; then @@ -506,7 +506,7 @@ Register --test-no FIRE-4540 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check for empty nftables configuration" if [ ${SKIPTEST} -eq 0 ]; then # Check for empty ruleset - NFT_RULES_LENGTH=$(${NFTBINARY} --stateless list ruleset 2> /dev/null | ${EGREPBINARY} -v "table|chain|;$|}$|^$" | ${WCBINARY} -l) + NFT_RULES_LENGTH=$(${NFTBINARY} --stateless list ruleset 2> /dev/null | ${GREPBINARY} -E -v "table|chain|;$|}$|^$" | ${WCBINARY} -l) if [ ${NFT_RULES_LENGTH} -le 3 ]; then FIREWALL_EMPTY_RULESET=1 LogText "Result: this firewall set has 3 rules or less and is considered to be empty" diff --git a/include/tests_hardening b/include/tests_hardening index c414edb6..8ca04d6d 100644 --- a/include/tests_hardening +++ b/include/tests_hardening @@ -99,7 +99,7 @@ else Display --indent 4 --text "- Installed malware scanner" --result "${STATUS_NOT_FOUND}" --color RED fi - ReportSuggestion "${TEST_NO}" "Harden the system by installing at least one malware scanner, to perform periodic file system scans" "-" "Install a tool like rkhunter, chkrootkit, OSSEC" + ReportSuggestion "${TEST_NO}" "Harden the system by installing at least one malware scanner, to perform periodic file system scans" "-" "Install a tool like rkhunter, chkrootkit, OSSEC, Wazuh" AddHP 1 3 LogText "Result: no malware scanner found" fi diff --git a/include/tests_homedirs b/include/tests_homedirs index 3e5f1b78..77de47f4 100644 --- a/include/tests_homedirs +++ b/include/tests_homedirs @@ -57,7 +57,7 @@ if [ ${SKIPTEST} -eq 0 ]; then # Check if users' home directories permissions are 750 or more restrictive FOUND=0 - USERDATA=$(${EGREPBINARY} -v '^(daemon|git|halt|root|shutdown|sync)' ${ROOTDIR}etc/passwd | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }') + USERDATA=$(${GREPBINARY} -E -v '^(daemon|git|halt|root|shutdown|sync)' ${ROOTDIR}etc/passwd | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }') while read -r LINE; do USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1) DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6) @@ -93,7 +93,7 @@ EOF if [ ${SKIPTEST} -eq 0 ]; then # Check if users own their home directories FOUND=0 - USERDATA=$(${EGREPBINARY} -v '^(daemon|git|halt|root|shutdown|sync)' ${ROOTDIR}etc/passwd | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }') + USERDATA=$(${GREPBINARY} -E -v '^(daemon|git|halt|root|shutdown|sync)' ${ROOTDIR}etc/passwd | ${AWKBINARY} -F: '($7 !~ "/(false|nologin)$") { print }') while read -r LINE; do USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1) DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6) diff --git a/include/tests_insecure_services b/include/tests_insecure_services index f01966f2..0a1dd955 100644 --- a/include/tests_insecure_services +++ b/include/tests_insecure_services @@ -298,7 +298,7 @@ #if [ ${SKIPTEST} -eq 0 ]; then # # Check presence of Rsh Trust Files # FOUND=0 - # for LINE in $(${CAT_BINARY} /etc/passwd | ${EGREPBINARY} -v '^(root|halt|sync|shutdown)' | ${AWKBINARY} -F: '($7 !="/sbin/nologin" && $7 != "/bin/false") { print }'); do + # for LINE in $(${CAT_BINARY} /etc/passwd | ${GREPBINARY} -E -v '^(root|halt|sync|shutdown)' | ${AWKBINARY} -F: '($7 !="/sbin/nologin" && $7 != "/bin/false") { print }'); do # USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1) # DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6) # if [ -d ${DIR} ]; then @@ -371,7 +371,7 @@ # ################################################################################# # - # Test : INSE-8312 + # Test : INSE-8322 # Description : Check if telnet server is installed Register --test-no INSE-8322 --package-manager-required --weight L --network NO --category security --description "Check if telnet server is installed" if [ ${SKIPTEST} -eq 0 ]; then @@ -492,6 +492,8 @@ # ################################################################################# # + # Test : INSE-8050 + # Description : Check for insecure services on macOS if [ -n "${LAUNCHCTL_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="No launchctl binary on this system"; fi Register --test-no INSE-8050 --os "macOS" --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight M --network NO --category security --description "Check for insecure services on macOS" if [ ${SKIPTEST} -eq 0 ]; then diff --git a/include/tests_kernel b/include/tests_kernel index 61f8ae73..49c609ed 100644 --- a/include/tests_kernel +++ b/include/tests_kernel @@ -390,7 +390,7 @@ elif [ -e ${ROOTDIR}etc/rpi-issue ]; then FINDKERNEL="raspberrypi-kernel" LogText "Result: ${ROOTDIR}vmlinuz missing due to Raspbian" - elif $(${EGREPBINARY} -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf); then + elif $(${GREPBINARY} -E -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf); then FINDKERNEL="linux-image-$(uname -r)" LogText "Result: ${ROOTDIR}vmlinuz missing due to /etc/kernel-img.conf item do_symlinks = No" else @@ -403,8 +403,8 @@ else LogText "Result: found kernel '${FINDKERNEL}' which will be used for further testing" LogText "Test: Using apt-cache policy to determine if there is an update available" - FINDINSTALLED=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ') - FINDCANDIDATE=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Candidate' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ') + FINDINSTALLED=$(apt-cache policy ${FINDKERNEL} | ${GREPBINARY} -E 'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ') + FINDCANDIDATE=$(apt-cache policy ${FINDKERNEL} | ${GREPBINARY} -E 'Candidate' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ') LogText "Kernel installed: ${FINDINSTALLED}" LogText "Kernel candidate: ${FINDCANDIDATE}" if IsEmpty "${FINDINSTALLED}"; then @@ -815,7 +815,7 @@ LogText "Check: try to find raspberrypi-kernel file in ${APT_ARCHIVE_DIRECTORY} and extract package date from file name" FOUND_KERNEL_DATE=$(${FINDBINARY} ${APT_ARCHIVE_DIRECTORY} -name "raspberrypi-kernel*" -printf "%T@ %Tc %p\n" 2> /dev/null \ - | ${SORTBINARY} -nr | ${HEADBINARY} -1 | ${GREPBINARY} -o "raspberrypi-kernel.*deb" | ${EGREPBINARY} -o "\.[0-9]+" | ${SEDBINARY} 's/\.//g') + | ${SORTBINARY} -nr | ${HEADBINARY} -1 | ${GREPBINARY} -o "raspberrypi-kernel.*deb" | ${GREPBINARY} -E -o "\.[0-9]+" | ${SEDBINARY} 's/\.//g') if [ -n "${FOUND_KERNEL_DATE}" ]; then FOUND_KERNEL_IN_SECONDS=$(date -d "${FOUND_KERNEL_DATE}" "+%s" 2> /dev/null) @@ -840,21 +840,21 @@ next="month" fi elif [ "$next" = "month" ]; then - if [ $(${ECHOCMD} "${part}" | ${EGREPBINARY} -c "[A-Z][a-z]") -ge 1 ]; then + if [ $(${ECHOCMD} "${part}" | ${GREPBINARY} -E -c "[A-Z][a-z]") -ge 1 ]; then UNAME_DATE_MONTH="${part}" next="day" fi elif [ "${next}" = "day" ]; then - if [ $(${ECHOCMD} ${part} | ${EGREPBINARY} -c "[0-9][0-9]") -ge 1 ]; then + if [ $(${ECHOCMD} ${part} | ${GREPBINARY} -E -c "[0-9][0-9]") -ge 1 ]; then UNAME_DATE_DAY="${part}" next="time" fi elif [ "${next}" = "time" ]; then - if [ $(${ECHOCMD} ${part} | ${EGREPBINARY} -c ":[0-9][0-9]:") -ge 1 ]; then + if [ $(${ECHOCMD} ${part} | ${GREPBINARY} -E -c ":[0-9][0-9]:") -ge 1 ]; then next="year" fi elif [ "${next}" = "year" ]; then - if [ $(${ECHOCMD} ${part} | ${EGREPBINARY} -c "[0-9][0-9]") -ge 1 ]; then + if [ $(${ECHOCMD} ${part} | ${GREPBINARY} -E -c "[0-9][0-9]") -ge 1 ]; then UNAME_DATE_YEAR="${part}" break fi diff --git a/include/tests_logging b/include/tests_logging index b6acdbe5..04bee67d 100644 --- a/include/tests_logging +++ b/include/tests_logging @@ -45,7 +45,7 @@ Register --test-no LOGG-2130 --weight L --network NO --category security --description "Check for running syslog daemon" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Searching for a logging daemon" - FIND=$(${PSBINARY} ax | ${EGREPBINARY} "syslogd|syslog-ng|metalog|systemd-journal" | ${GREPBINARY} -v "grep") + FIND=$(${PSBINARY} ax | ${GREPBINARY} -E "syslogd|syslog-ng|metalog|systemd-journal" | ${GREPBINARY} -v "grep") if [ -z "${FIND}" ]; then Display --indent 2 --text "- Checking for a running log daemon" --result "${STATUS_WARNING}" --color RED LogText "Result: Could not find a syslog daemon like syslog, syslog-ng, rsyslog, metalog, systemd-journal" @@ -261,7 +261,7 @@ Register --test-no LOGG-2148 --weight L --preqs-met ${PREQS_MET} --network NO --category security --description "Checking logrotated files" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking which files are rotated with logrotate and if they exist" - FIND=$(${LOGROTATEBINARY} -d -v ${ROOTDIR}etc/logrotate.conf 2>&1 | ${EGREPBINARY} "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2!="log") { print "File:"$2":does_not_exist" } else { print "File:"$3":exists" } }') + FIND=$(${LOGROTATEBINARY} -d -v ${ROOTDIR}etc/logrotate.conf 2>&1 | ${GREPBINARY} -E "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2!="log") { print "File:"$2":does_not_exist" } else { print "File:"$3":exists" } }') if [ -z "${FIND}" ]; then LogText "Result: nothing found" else @@ -280,7 +280,7 @@ Register --test-no LOGG-2150 --weight L --preqs-met ${PREQS_MET} --network NO --category security --description "Checking directories in logrotate configuration" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking which directories can be found in logrotate configuration" - FIND=$(${LOGROTATEBINARY} -d -v ${ROOTDIR}etc/logrotate.conf 2>&1 | ${EGREPBINARY} "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="log") { print $3 } }' | ${SEDBINARY} 's@/[^/]*$@@g' | ${SORTBINARY} -u) + FIND=$(${LOGROTATEBINARY} -d -v ${ROOTDIR}etc/logrotate.conf 2>&1 | ${GREPBINARY} -E "considering log|skipping" | ${GREPBINARY} -v '*' | ${SORTBINARY} -u | ${AWKBINARY} '{ if ($2=="log") { print $3 } }' | ${SEDBINARY} 's@/[^/]*$@@g' | ${SORTBINARY} -u) if IsEmpty "${FIND}"; then LogText "Result: nothing found" else @@ -345,7 +345,7 @@ if [ ${SOLARIS_LOGHOST_FOUND} -eq 1 ] && [ -n "${SOLARIS_LOGHOST}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no LOGG-2153 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking loghost is localhost" if [ ${SKIPTEST} -eq 0 ]; then - FIND=$(echo "${SOLARIS_LOGHOST}" | ${AWKBINARY} '{ print $1 }' | ${EGREPBINARY} "::1|127.0.0.1|127.1") + FIND=$(echo "${SOLARIS_LOGHOST}" | ${AWKBINARY} '{ print $1 }' | ${GREPBINARY} -E "::1|127.0.0.1|127.1") if [ -n "${FIND}" ]; then SOLARIS_LOGHOST_LOCALHOST=1 LogText "Result: loghost entry is localhost (default)" @@ -371,7 +371,7 @@ TARGET="${ROOTDIR}etc/rsyslog.conf" if [ -f ${TARGET} ]; then LogText "Test: analyzing file ${TARGET} for remote target" - DATA=$(${EGREPBINARY} "@@?([a-zA-Z0-9\-])+(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?" ${TARGET} | ${GREPBINARY} -v "#" | ${TRBINARY} -cd "[:print:]\n" | ${SEDBINARY} 's/[[:blank:]]\{1,\}/:space:/g') + DATA=$(${GREPBINARY} -E "@@?([a-zA-Z0-9\-])+(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?" ${TARGET} | ${GREPBINARY} -v "#" | ${TRBINARY} -cd "[:print:]\n" | ${SEDBINARY} 's/[[:blank:]]\{1,\}/:space:/g') if [ -z "${DATA}" ]; then LogText "Result: no remote target found" else @@ -391,7 +391,7 @@ for F in ${FILES}; do F=$(echo ${F} | ${SEDBINARY} 's/:space:/ /g') LogText "Test: analyzing file ${F} for remote target" - DATA=$(${EGREPBINARY} "@@?([a-zA-Z0-9\-])+(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?" ${F} | ${GREPBINARY} -v "#" | ${TRBINARY} -cd "[:print:]\n" | ${SEDBINARY} 's/[[:blank:]]\{1,\}/:space:/g') + DATA=$(${GREPBINARY} -E "@@?([a-zA-Z0-9\-])+(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?(\.)?(([a-zA-Z0-9-])+)?" ${F} | ${GREPBINARY} -v "#" | ${TRBINARY} -cd "[:print:]\n" | ${SEDBINARY} 's/[[:blank:]]\{1,\}/:space:/g') if [ -n "${DATA}" ]; then LogText "Result: found remote target" REMOTE_LOGGING_ENABLED=1 @@ -403,7 +403,7 @@ done else # Check new style configuration (omrelp/omfwd). This can be all on one line or even split over multiple lines. - DATA=$(${EGREPBINARY} "target=\"([a-zA-Z0-9\-])" ${F}) + DATA=$(${GREPBINARY} -E "target=\"([a-zA-Z0-9\-])" ${F}) if [ -n "${DATA}" ]; then LogText "Result: most likely remote log host is used, as keyword 'target' is used" REMOTE_LOGGING_ENABLED=1 @@ -424,7 +424,7 @@ if [ -f ${SYSLOGD_CONF} ]; then LogText "Test: check if logs are also logged to a remote logging host" - FIND=$(${EGREPBINARY} "@[a-zA-Z0-9]|destination\s.+(udp|tcp).+\sport" ${SYSLOGD_CONF} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "[a-zA-Z0-9]@") + FIND=$(${GREPBINARY} -E "@[a-zA-Z0-9]|destination\s.+(udp|tcp).+\sport" ${SYSLOGD_CONF} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "[a-zA-Z0-9]@") if [ -n "${FIND}" ]; then FIND2=$(echo "${FIND}" | ${GREPBINARY} -v "@loghost") if [ ${SOLARIS_LOGHOST_LOCALHOST} -eq 1 ] && [ -z "${FIND2}" ]; then @@ -435,9 +435,9 @@ fi else # Search for configured destinations with an IP address or hostname, then determine which ones are used as a log destination - DESTINATIONS=$(${GREPBINARY} "^destination" ${SYSLOGD_CONF} | ${EGREPBINARY} "(udp|tcp)" | ${GREPBINARY} "port" | ${AWKBINARY} '{print $2}') + DESTINATIONS=$(${GREPBINARY} "^destination" ${SYSLOGD_CONF} | ${GREPBINARY} -E "(udp|tcp)" | ${GREPBINARY} "port" | ${AWKBINARY} '{print $2}') for DESTINATION in ${DESTINATIONS}; do - FIND2=$(${GREPBINARY} "log" ${SYSLOGD_CONF} | ${GREPBINARY} "source" | ${EGREPBINARY} "destination\(${DESTINATION}\)") + FIND2=$(${GREPBINARY} "log" ${SYSLOGD_CONF} | ${GREPBINARY} "source" | ${GREPBINARY} -E "destination\(${DESTINATION}\)") if [ -n "${FIND2}" ]; then LogText "Result: found destination ${DESTINATION} configured for remote logging" REMOTE_LOGGING_ENABLED=1 @@ -539,7 +539,7 @@ if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: checking open log files with lsof" if [ -n "${LSOFBINARY}" ]; then - FIND=$(${LSOFBINARY}${LSOF_EXTRA_OPTIONS} -n 2>&1 | ${GREPBINARY} "log$" | ${EGREPBINARY} -v "WARNING|Output information" | ${AWKBINARY} '{ if ($5=="REG") { print $9 } }' | ${SORTBINARY} -u | ${GREPBINARY} -v "^$") + FIND=$(${LSOFBINARY}${LSOF_EXTRA_OPTIONS} -n 2>&1 | ${GREPBINARY} "log$" | ${GREPBINARY} -E -v "WARNING|Output information" | ${AWKBINARY} '{ if ($5=="REG") { print $9 } }' | ${SORTBINARY} -u | ${GREPBINARY} -v "^$") for I in ${FIND}; do LogText "Found logfile: ${I}" done @@ -572,7 +572,7 @@ LSOF_GREP="${LSOF_GREP}|anacron|awk|run-parts" fi - FIND=$(${LSOFBINARY}${LSOF_EXTRA_OPTIONS} -n +L 1 2>&1 | ${EGREPBINARY} -vw "${LSOF_GREP}" | ${EGREPBINARY} -v '/dev/zero|/\[aio\]' | ${AWKBINARY} '{ if ($5=="REG") { printf "%s(%s)\n", $10, $1 } }' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u) + FIND=$(${LSOFBINARY}${LSOF_EXTRA_OPTIONS} -n +L 1 2>&1 | ${GREPBINARY} -E -vw "${LSOF_GREP}" | ${GREPBINARY} -E -v '/dev/zero|/\[aio\]' | ${AWKBINARY} '{ if ($5=="REG") { printf "%s(%s)\n", $10, $1 } }' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u) if [ -n "${FIND}" ]; then LogText "Result: found one or more files which are deleted, but still in use" for I in ${FIND}; do diff --git a/include/tests_mail_messaging b/include/tests_mail_messaging index a8e9ec3b..8d4ae929 100644 --- a/include/tests_mail_messaging +++ b/include/tests_mail_messaging @@ -70,18 +70,18 @@ unset FIND FIND2 FIND3 FIND4 # Local Only - FIND=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^nonlocal') + FIND=$(echo "${EXIM_ROUTERS}" | ${GREPBINARY} -E '^nonlocal') # Internet Host - FIND2=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^dnslookup_relay_to_domains') + FIND2=$(echo "${EXIM_ROUTERS}" | ${GREPBINARY} -E '^dnslookup_relay_to_domains') # Smarthost or Satellite - FIND3=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^smarthost') + FIND3=$(echo "${EXIM_ROUTERS}" | ${GREPBINARY} -E '^smarthost') if [ -n "${FIND}" ]; then EXIM_TYPE="LOCAL ONLY" elif [ -n "${FIND2}" ]; then EXIM_TYPE="INTERNET HOST" elif [ -n "${FIND3}" ]; then - FIND4=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^hub_user_smarthost') + FIND4=$(echo "${EXIM_ROUTERS}" | ${GREPBINARY} -E '^hub_user_smarthost') if [ -n "${FIND4}" ]; then EXIM_TYPE="SATELLITE" else @@ -415,7 +415,7 @@ Register --test-no MAIL-8920 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check OpenSMTPD status" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: check smtpd status" - FIND=$(${PSBINARY} ax | ${EGREPBINARY} "(/smtpd|smtpd: \[priv\]|smtpd: smtp)" | ${GREPBINARY} -v "grep") + FIND=$(${PSBINARY} ax | ${GREPBINARY} -E "(/smtpd|smtpd: \[priv\]|smtpd: smtp)" | ${GREPBINARY} -v "grep") if [ ! "${FIND}" = "" ]; then LogText "Result: found running smtpd process" Display --indent 2 --text "- OpenSMTPD status" --result "${STATUS_RUNNING}" --color GREEN diff --git a/include/tests_malware b/include/tests_malware index 40336fa5..87a721bc 100644 --- a/include/tests_malware +++ b/include/tests_malware @@ -39,6 +39,7 @@ MALWARE_SCANNER_INSTALLED=0 MALWARE_DAEMON_RUNNING=0 ROOTKIT_SCANNER_FOUND=0 + SENTINELONE_SCANNER_RUNNING=0 SOPHOS_SCANNER_RUNNING=0 SYMANTEC_SCANNER_RUNNING=0 SYNOLOGY_DAEMON_RUNNING=0 @@ -128,7 +129,7 @@ # Avast (macOS) LogText "Test: checking process com.avast.daemon" - if IsRunning "com.avast.daemon"; then + if IsRunning --full "com.avast.daemon"; then FOUND=1 AVAST_DAEMON_RUNNING=1 MALWARE_DAEMON_RUNNING=1 @@ -231,6 +232,20 @@ Report "malware_scanner[]=mcafee" fi + # SentinelOne + LogText "Text: checking process sentineld (SentinelOne)" + if IsRunning "sentineld"; then SENTINELONE_SCANNER_RUNNING=1; fi # macOS + if IsRunning "s1-agent"; then SENTINELONE_SCANNER_RUNNING=1; fi # Linux + if IsRunning "SentinelAgent"; then SENTINELONE_SCANNER_RUNNING=1; fi # Windows + if [ ${SENTINELONE_SCANNER_RUNNING} -eq 1 ]; then + FOUND=1 + if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} SentinelOne" --result "${STATUS_FOUND}" --color GREEN; fi + LogText "Result: Found SentinelOne" + MALWARE_DAEMON_RUNNING=1 + MALWARE_SCANNER_INSTALLED=1 + Report "malware_scanner[]=sentinelone" + fi + # Sophos savscand/SophosScanD LogText "Test: checking process savscand" if IsRunning "savscand"; then diff --git a/include/tests_nameservices b/include/tests_nameservices index 8c483d08..c35b4171 100644 --- a/include/tests_nameservices +++ b/include/tests_nameservices @@ -339,7 +339,7 @@ Register --test-no NAME-4210 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check DNS banner" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Trying to determine version from banner" - FIND=$(${DIGBINARY} @localhost version.bind chaos txt | ${GREPBINARY} "^version.bind" | ${GREPBINARY} TXT | ${EGREPBINARY} "[0-9].[0-9].[0-9]*") + FIND=$(${DIGBINARY} @localhost version.bind chaos txt | ${GREPBINARY} "^version.bind" | ${GREPBINARY} TXT | ${GREPBINARY} -E "[0-9].[0-9].[0-9]*") if [ "${FIND}" = "" ]; then LogText "Result: no useful information in banner found" Display --indent 4 --text "- Checking BIND version in banner" --result "${STATUS_OK}" --color GREEN @@ -571,7 +571,7 @@ Register --test-no NAME-4402 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check duplicate line in /etc/hosts" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: check duplicate line in ${ROOTDIR}etc/hosts" - OUTPUT=$(${AWKBINARY} '{ print $1, $2 }' ${ROOTDIR}etc/hosts | ${EGREPBINARY} -v '^(#|$)' | ${EGREPBINARY} "[a-f0-9]" | ${SORTBINARY} | ${UNIQBINARY} -d) + OUTPUT=$(${AWKBINARY} '{ print $1, $2 }' ${ROOTDIR}etc/hosts | ${GREPBINARY} -E -v '^(#|$)' | ${GREPBINARY} -E "[a-f0-9]" | ${SORTBINARY} | ${UNIQBINARY} -d) if [ -z "${OUTPUT}" ]; then LogText "Result: OK, no duplicate lines found" Display --indent 4 --text "- Duplicate entries in hosts file" --result "${STATUS_NONE}" --color GREEN @@ -592,7 +592,7 @@ if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Check /etc/hosts contains an entry for this server name" if [ -n "${HOSTNAME}" ]; then - DATA=$(${EGREPBINARY} -v '^(#|$|^::1\s|localhost)' ${ROOTDIR}etc/hosts | ${GREPBINARY} -i ${HOSTNAME}) + DATA=$(${GREPBINARY} -E -v '^(#|$|^::1\s|localhost)' ${ROOTDIR}etc/hosts | ${GREPBINARY} -i ${HOSTNAME}) if [ -n "${DATA}" ]; then LogText "Result: Found entry for ${HOSTNAME} in ${ROOTDIR}etc/hosts" Display --indent 4 --text "- Presence of configured hostname in /etc/hosts" --result "${STATUS_FOUND}" --color GREEN @@ -615,7 +615,7 @@ Register --test-no NAME-4406 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check server hostname mapping" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Check server hostname not locally mapped in ${ROOTDIR}etc/hosts" - DATA=$(${EGREPBINARY} -v '^(#|$)' ${ROOTDIR}etc/hosts | ${EGREPBINARY} '^(localhost|::1)\s' | ${GREPBINARY} -w ${HOSTNAME}) + DATA=$(${GREPBINARY} -E -v '^(#|$)' ${ROOTDIR}etc/hosts | ${GREPBINARY} -E '^(localhost|::1)\s' | ${GREPBINARY} -w ${HOSTNAME}) if [ -n "${DATA}" ]; then LogText "Result: Found this server hostname mapped to a local address" LogText "Output: ${DATA}" diff --git a/include/tests_networking b/include/tests_networking index 7faf7125..116f3760 100644 --- a/include/tests_networking +++ b/include/tests_networking @@ -280,7 +280,7 @@ Register --test-no NETW-3001 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Find default gateway (route)" if [ $SKIPTEST -eq 0 ]; then LogText "Test: Searching default gateway(s)" - FIND=$(${NETSTATBINARY} -rn | ${EGREPBINARY} "^0.0.0.0|default" | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f2) + FIND=$(${NETSTATBINARY} -rn | ${GREPBINARY} -E "^0.0.0.0|default" | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f2) if [ -n "${FIND}" ]; then for I in ${FIND}; do LogText "Result: Found default gateway ${I}" diff --git a/include/tests_php b/include/tests_php index 23738198..04502f68 100644 --- a/include/tests_php +++ b/include/tests_php @@ -285,9 +285,9 @@ # Test : PHP-2368 # Description : Check php register_globals option # Notes : Don't test for it if PHP version is 5.4.0 or later (it has been removed) - if [ -n "${PHPINIFILE}" -a -n "${PHPVERSION}" -a -n "${EGREPBINARY}" ]; then + if [ -n "${PHPINIFILE}" -a -n "${PHPVERSION}" -a -n "${GREPBINARY}" ]; then if [ -f "${PHPINIFILE}" ]; then - FIND=$(echo ${PHPVERSION} | ${EGREPBINARY} "^(4.|5.[0-3])") + FIND=$(echo ${PHPVERSION} | ${GREPBINARY} -E "^(4.|5.[0-3])") if [ -z "${FIND}" ]; then PREQS_MET="NO"; Debug "Found most likely PHP version 5.4.0 or higher (${PHPVERSION}) which does not use register_globals" else @@ -305,7 +305,7 @@ Register --test-no PHP-2368 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP register_globals option" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking PHP register_globals option" - FIND=$(${EGREPBINARY} -i 'register_globals.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;') + FIND=$(${GREPBINARY} -E -i 'register_globals.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;') if [ -n "${FIND}" ]; then Display --indent 4 --text "- Checking register_globals option" --result "${STATUS_WARNING}" --color RED ReportWarning "${TEST_NO}" "PHP option register_globals option is turned on, which can be a risk for variable value overwriting" @@ -338,7 +338,7 @@ ;; esac LogText "Test: Checking file ${FILE}" - FIND=$(${EGREPBINARY} -i 'expose_php.*(on|yes|1)' ${FILE} | ${GREPBINARY} -v '^;') + FIND=$(${GREPBINARY} -E -i 'expose_php.*(on|yes|1)' ${FILE} | ${GREPBINARY} -v '^;') if HasData "${FIND}"; then LogText "Result: found a a possible match on expose_php setting" LogText "Data: ${FIND}" @@ -367,7 +367,7 @@ Register --test-no PHP-2374 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP enable_dl option" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking PHP enable_dl option" - FIND=$(${EGREPBINARY} -i 'enable_dl.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;') + FIND=$(${GREPBINARY} -E -i 'enable_dl.*(on|yes|1)' ${PHPINIFILE} | ${GREPBINARY} -v '^;') if [ -n "${FIND}" ]; then Display --indent 4 --text "- Checking enable_dl option" --result "${STATUS_ON}" --color YELLOW Report "Result: enable_dl option is turned on, which can be used to enable more modules dynamically and circumventing security controls" @@ -389,7 +389,7 @@ Register --test-no PHP-2376 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP allow_url_fopen option" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking PHP allow_url_fopen option" - FIND=$(${EGREPBINARY} -i 'allow_url_fopen.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;') + FIND=$(${GREPBINARY} -E -i 'allow_url_fopen.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;') if [ -z "${FIND}" ]; then Display --indent 4 --text "- Checking allow_url_fopen option" --result "${STATUS_ON}" --color YELLOW LogText "Result: allow_url_fopen option is turned on, which can be used for downloads via PHP and is a security risk" @@ -412,7 +412,7 @@ Register --test-no PHP-2378 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP allow_url_include option" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking PHP allow_url_include option" - FIND=$(${EGREPBINARY} -i 'allow_url_include.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;') + FIND=$(${GREPBINARY} -E -i 'allow_url_include.*(off|no|0)' ${PHPINIFILE} | ${GREPBINARY} -v '^;') if [ -z "${FIND}" ]; then Display --indent 4 --text "- Checking allow_url_include option" --result "${STATUS_ON}" --color YELLOW Report "Result: allow_url_include option is turned on, which can be used for downloads via PHP and is a risk" @@ -436,7 +436,7 @@ #if [ ${SKIPTEST} -eq 0 ]; then # FOUND=0 # SIMULATION=0 - # MAJOR_VERSION=$(echo ${PHPVERSION} | ${EGREPBINARY} "^7") + # MAJOR_VERSION=$(echo ${PHPVERSION} | ${GREPBINARY} -E "^7") # if [ "${OS}" = "OpenBSD" ]; then # FOUND=1 # On OpenBSD, Suhosin is hard linked into PHP # SIMULATION=off @@ -519,7 +519,7 @@ ;; esac LogText "Test: Checking file ${FILE}" - FIND=$(${EGREPBINARY} -i "^listen = [0-9]{1,5}$" ${FILE}) + FIND=$(${GREPBINARY} -E -i "^listen = [0-9]{1,5}$" ${FILE}) if HasData "${FIND}"; then LogText "Result: found listen on just a port number" LogText "Data: ${FIND}" diff --git a/include/tests_ports_packages b/include/tests_ports_packages index 9ca1948d..81babdc3 100644 --- a/include/tests_ports_packages +++ b/include/tests_ports_packages @@ -347,12 +347,13 @@ Register --test-no PKGS-7322 --os "Linux" --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Discover vulnerable packages with arch-audit" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: checking arch-audit output for vulnerable packages" - FIND=$(${ARCH_AUDIT_BINARY} | ${SEDBINARY} 's/\.\..*$//' | ${SEDBINARY} 's/, //g' | ${SEDBINARY} 's/\(\["\|"\]\)//g' | ${SEDBINARY} 's/""/,/g' | ${AWKBINARY} '{ if($1=="Package") { print $2"|"$6"|"}}' | ${AWKBINARY} -F'|' 'NF>1{a[$1] = a[$1]","$2}END{for(i in a){print i""a[i]"|"}}' | ${SEDBINARY} 's/,/|cve=/' | ${SORTBINARY}) + FIND=$(${ARCH_AUDIT_BINARY} | ${SEDBINARY} 's/ High risk!//' | ${SEDBINARY} 's/ Medium risk!//' | ${SEDBINARY} 's/ Low risk!//' | ${SEDBINARY} 's/\.\..*$//' | ${SEDBINARY} 's/, /,/g' | ${SEDBINARY} 's/\(\["\|"\]\)//g' | ${SEDBINARY} 's/""/,/g' | ${AWKBINARY} '{if ($0 ~ /is affected by CVE\-/) {print $1"|"$5"|"} else {ORS=""; print $1"|"; for (i=5; i<=NF; i++)print $i; print "\n"; ORS="\n"}}'| ${AWKBINARY} -F'|' 'NF>1{a[$1] = a[$1]","$2}END{for(i in a){print i""a[i]"|"}}' | ${SEDBINARY} 's/,CVE-/|cve=CVE-/' | ${SORTBINARY}) if [ -z "${FIND}" ]; then LogText "Result: no vulnerable packages found with arch-audit" AddHP 10 10 else LogText "Result: found one or more vulnerable packages" + VULNERABLE_PACKAGES_FOUND=1 for ITEM in ${FIND}; do LogText "Found line: ${ITEM}" Report "vulnerable_package[]=${ITEM}" @@ -836,7 +837,7 @@ Register --test-no PKGS-7383 --preqs-met ${PREQS_MET} --os Linux --weight M --network NO --category security --description "Check for YUM package update management" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: YUM package update management" - FIND=$(${YUMBINARY} repolist 2>/dev/null | ${GREPBINARY} repolist | ${SEDBINARY} 's/[[:blank:]]//g' | ${SEDBINARY} 's/[,.]//g' | ${AWKBINARY} -F ":" '{print $2}' | ${EGREPBINARY} "^[0-9]+$") + FIND=$(${YUMBINARY} repolist 2>/dev/null | ${GREPBINARY} repolist | ${SEDBINARY} 's/[[:blank:]]//g' | ${SEDBINARY} 's/[,.]//g' | ${AWKBINARY} -F ":" '{print $2}' | ${GREPBINARY} -E "^[0-9]+$") if [ -z "${FIND}" -o "${FIND}" = "0" ]; then LogText "Result: YUM package update management failed" Display --indent 2 --text "- YUM package management consistency" --result "${STATUS_WARNING}" --color RED @@ -1030,7 +1031,7 @@ if [ ${OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY} -eq 0 ]; then if [ -f ${ROOTDIR}etc/apt/sources.list ]; then LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list file" - FIND=$(${EGREPBINARY} "security.debian.org|security.ubuntu.com|security/? " ${ROOTDIR}etc/apt/sources.list | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g') + FIND=$(${GREPBINARY} -E "security.debian.org|security.ubuntu.com|security/? " ${ROOTDIR}etc/apt/sources.list | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g') if [ -n "${FIND}" ]; then FOUND=1 Display --indent 2 --text "- Checking security repository in sources.list file" --result "${STATUS_OK}" --color GREEN @@ -1043,7 +1044,7 @@ fi if [ -d /etc/apt/sources.list.d ]; then LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list.d directory" - FIND=$(${EGREPBINARY} -r "security.debian.org|security.ubuntu.com|security/? " /etc/apt/sources.list.d | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g') + FIND=$(${GREPBINARY} -E -r "security.debian.org|security.ubuntu.com|security/? " /etc/apt/sources.list.d | ${GREPBINARY} -v '#' | ${SEDBINARY} 's/ /!space!/g') if [ -n "${FIND}" ]; then FOUND=1 Display --indent 2 --text "- Checking security repository in sources.list.d directory" --result "${STATUS_OK}" --color GREEN @@ -1338,7 +1339,7 @@ if [ "${DPKGBINARY}" ]; then TESTED=1 KERNEL_PKG_NAMES="linux-image-[0-9]|raspberrypi-kernel|pve-kernel-[0-9]" - KERNELS=$(${DPKGBINARY} -l 2> /dev/null | ${EGREPBINARY} "${KERNEL_PKG_NAMES}" | ${WCBINARY} -l) + KERNELS=$(${DPKGBINARY} -l 2> /dev/null | ${GREPBINARY} -E "${KERNEL_PKG_NAMES}" | ${WCBINARY} -l) if [ ${KERNELS} -eq 0 ]; then LogText "Result: found no kernels from dpkg -l output, which is unexpected" elif [ ${KERNELS} -gt 5 ]; then diff --git a/include/tests_printers_spoolers b/include/tests_printers_spoolers index 851b0edd..d9318c3b 100644 --- a/include/tests_printers_spoolers +++ b/include/tests_printers_spoolers @@ -144,14 +144,14 @@ LogText "Test: Checking CUPS daemon listening network addresses" # Search for Port statement - FIND=$(${EGREPBINARY} "^Port 631" ${CUPSD_CONFIG_FILE}) + FIND=$(${GREPBINARY} -E "^Port 631" ${CUPSD_CONFIG_FILE}) if [ -n "${FIND}" ]; then LogText "Result: found CUPS listening on port 631 (most likely all interfaces)" PORT_FOUND=1 fi # Checking network addresses - FIND=$(${EGREPBINARY} "^(SSL)?Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} -v "/" | ${AWKBINARY} '{ print $2 }') + FIND=$(${GREPBINARY} -E "^(SSL)?Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} -v "/" | ${AWKBINARY} '{ print $2 }') COUNT=0 for ITEM in ${FIND}; do LogText "Result: found network address: ${ITEM}" @@ -222,7 +222,7 @@ QDAEMON_CONFIG_FILE="${ROOTDIR}etc/qconfig" FileIsReadable ${QDAEMON_CONFIG_FILE} if [ ${CANREAD} -eq 1 ]; then - FIND=$(${GREPBINARY} -v "^\*" ${QDAEMON_CONFIG_FILE} | ${EGREPBINARY} "backend|device") + FIND=$(${GREPBINARY} -v "^\*" ${QDAEMON_CONFIG_FILE} | ${GREPBINARY} -E "backend|device") if [ -n "${FIND}" ]; then LogText "Result: printers are defined in ${QDAEMON_CONFIG_FILE}" Display --indent 2 --text "- Checking /etc/qconfig file" --result "${STATUS_FOUND}" --color GREEN diff --git a/include/tests_scheduling b/include/tests_scheduling index 3aa004c6..10fa0766 100644 --- a/include/tests_scheduling +++ b/include/tests_scheduling @@ -35,7 +35,7 @@ # Description : Check cron daemon Register --test-no SCHD-7702 --weight L --network NO --category security --description "Check status of cron daemon" if [ ${SKIPTEST} -eq 0 ]; then - FIND=$(${PSBINARY} aux | ${EGREPBINARY} "( cron$|/cron(d)? )") + FIND=$(${PSBINARY} aux | ${GREPBINARY} -E "( cron$|/cron(d)? )") if IsEmpty "${FIND}"; then LogText "Result: no cron daemon found" else @@ -55,12 +55,12 @@ BAD_FILE_PERMISSIONS=0 BAD_FILE_OWNERSHIP=0 FindCronJob() { - sCRONJOBS=$(${EGREPBINARY} '^([0-9*])' $1 | ${TRBINARY} '\t' ' ' | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | ${SORTBINARY}) + sCRONJOBS=$(${GREPBINARY} -E '^([0-9*])' $1 | ${TRBINARY} '\t' ' ' | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | ${SORTBINARY}) } CRONTAB_FILE="${ROOTDIR}etc/crontab" if [ -f ${CRONTAB_FILE} ]; then - ${EGREPBINARY} -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:/etc/crontab" + ${GREPBINARY} -E -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:/etc/crontab" if IsWorldWritable ${CRONTAB_FILE}; then LogText "Result: insecure file permissions for cronjob file ${CRONTAB_FILE}"; Report "insecure_fileperms_cronjob[]=${CRONTAB_FILE}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi if ! IsOwnedByRoot ${CRONTAB_FILE}; then LogText "Result: incorrect owner found for cronjob file ${CRONTAB_FILE}"; Report "bad_fileowner_cronjob[]=${CRONTAB_FILE}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi FindCronJob ${CRONTAB_FILE} @@ -86,7 +86,7 @@ if IsWorldWritable ${FILE}; then LogText "Result: insecure file permissions for cronjob file ${J}"; Report "insecure_fileperms_cronjob[]=${J}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi if ! IsOwnedByRoot ${FILE}; then LogText "Result: incorrect owner found for cronjob file ${J}"; Report "bad_fileowner_cronjob[]=${J}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi FILENAME=$(echo ${FILE} | ${AWKBINARY} -F/ '{print $NF}') - if [ "${FILENAME}" = "lynis" ]; then ${EGREPBINARY} -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:${FILE}"; fi + if [ "${FILENAME}" = "lynis" ]; then ${GREPBINARY} -E -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:${FILE}"; fi FindCronJob ${FILE} if HasData "${sCRONJOBS}"; then for K in ${sCRONJOBS}; do @@ -121,7 +121,7 @@ if IsWorldWritable ${FILE}; then LogText "Result: insecure file permissions for cronjob file ${FILE}"; Report "insecure_fileperms_cronjob[]=${FILE}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi if ! IsOwnedByRoot ${FILE}; then LogText "Result: incorrect owner found for cronjob file ${FILE}"; Report "bad_fileowner_cronjob[]=${FILE}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi FILENAME=$(echo ${FILE} | ${AWKBINARY} -F/ '{print $NF}') - if [ "${FILENAME}" = "lynis" ]; then ${EGREPBINARY} -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:${FILE}"; fi + if [ "${FILENAME}" = "lynis" ]; then ${GREPBINARY} -E -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:${FILE}"; fi LogText "Result: Found cronjob (${I}): ${FILE}" Report "cronjob[]=${FILE}" done @@ -141,7 +141,7 @@ FIND=$(${FINDBINARY} /var/spool/cron/crontabs -xdev -type f -print 2> /dev/null) for I in ${FIND}; do if FileIsReadable ${I}; then - ${EGREPBINARY} -q -s 'lynis audit system' ${I} && LYNIS_CRONJOB="file:${I}" + ${GREPBINARY} -E -q -s 'lynis audit system' ${I} && LYNIS_CRONJOB="file:${I}" FindCronJob ${I} for FILE in ${sCRONJOBS}; do LogText "Found cronjob (/var/spool/cron/crontabs): ${I} (${FILE})" @@ -154,7 +154,7 @@ FIND=$(find ${ROOTDIR}var/spool/cron -type f -print) for I in ${FIND}; do if FileIsReadable ${I}; then - ${EGREPBINARY} -q -s 'lynis audit system' ${I} && LYNIS_CRONJOB="file:${I}" + ${GREPBINARY} -E -q -s 'lynis audit system' ${I} && LYNIS_CRONJOB="file:${I}" FindCronJob ${I} for FILE in ${sCRONJOBS}; do LogText "Found cronjob in ${ROOTDIR}var/spool/cron: ${I} (${FILE})" @@ -169,7 +169,7 @@ if [ "${OS}" = "Linux" ]; then if [ -f /etc/anacrontab ]; then LogText "Test: checking anacrontab" - sANACRONJOBS=$(${EGREPBINARY} '^([0-9@])' /etc/anacrontab | ${TRBINARY} '\t' ' ' | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | ${SORTBINARY}) + sANACRONJOBS=$(${GREPBINARY} -E '^([0-9@])' /etc/anacrontab | ${TRBINARY} '\t' ' ' | ${TRBINARY} -s ' ' | ${TRBINARY} ' ' ',' | ${SORTBINARY}) if [ -n "${sANACRONJOBS}" ]; then Report "scheduler[]=anacron" for I in ${sANACRONJOBS}; do diff --git a/include/tests_shells b/include/tests_shells index 8ecbde2c..b046b608 100644 --- a/include/tests_shells +++ b/include/tests_shells @@ -52,7 +52,7 @@ Register --test-no SHLL-6202 --os FreeBSD --weight L --network NO --category security --description "Check console TTYs" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking console TTYs" - FIND=$(${EGREPBINARY} '^console' ${ROOTDIR}etc/ttys | ${GREPBINARY} -v 'insecure') + FIND=$(${GREPBINARY} -E '^console' ${ROOTDIR}etc/ttys | ${GREPBINARY} -v 'insecure') if [ -z "${FIND}" ]; then Display --indent 2 --text "- Checking console TTYs" --result "${STATUS_OK}" --color GREEN LogText "Result: console is secured against single user mode without password." diff --git a/include/tests_squid b/include/tests_squid index c486108c..1eb43955 100644 --- a/include/tests_squid +++ b/include/tests_squid @@ -42,7 +42,7 @@ LogText "Test: Searching for a Squid daemon" FOUND=0 # Check running processes - FIND=$(${PSBINARY} ax | ${EGREPBINARY} "(squid|squid3) " | ${GREPBINARY} -v "grep") + FIND=$(${PSBINARY} ax | ${GREPBINARY} -E "(squid|squid3) " | ${GREPBINARY} -v "grep") if [ -n "${FIND}" ]; then SQUID_DAEMON_RUNNING=1 LogText "Result: Squid daemon is running" diff --git a/include/tests_ssh b/include/tests_ssh index de3209ee..6ab6f193 100644 --- a/include/tests_ssh +++ b/include/tests_ssh @@ -135,7 +135,6 @@ SSHOPS="AllowTcpForwarding:NO,LOCAL,YES:=\ ClientAliveCountMax:2,4,16:<\ ClientAliveInterval:300,600,900:<\ - Compression:NO,,YES:=\ FingerprintHash:SHA256,MD5,:=\ GatewayPorts:NO,,YES:=\ IgnoreRhosts:YES,,NO:=\ @@ -158,12 +157,12 @@ # OpenSSH had some options removed over time. Based on the version we add some additional options to check if [ ${OPENSSHD_VERSION_MAJOR} -lt 7 ]; then LogText "Result: added additional options for OpenSSH 6.x and lower" - SSHOPS="${SSHOPS} UsePrivilegeSeparation:SANDBOX,YES,NO:= Protocol:2,,1:=" + SSHOPS="${SSHOPS} Compression:(DELAYED|NO),,YES:= UsePrivilegeSeparation:SANDBOX,YES,NO:= Protocol:2,,1:=" elif [ ${OPENSSHD_VERSION_MAJOR} -eq 7 ]; then # Protocol 1 support removed (OpenSSH 7.4 and later) if [ ${OPENSSHD_VERSION_MINOR} -lt 4 ]; then LogText "Result: added additional options for OpenSSH < 7.4" - SSHOPS="${SSHOPS} Protocol:2,,1:=" + SSHOPS="${SSHOPS} Compression:(DELAYED|NO),,YES:= Protocol:2,,1:=" fi # UsePrivilegedSeparation removed (OpenSSH 7.5 and later) if [ ${OPENSSHD_VERSION_MINOR} -lt 5 ]; then @@ -300,7 +299,7 @@ if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 # AllowUsers - FIND=$(${EGREPBINARY} -i "^AllowUsers" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }') + FIND=$(${GREPBINARY} -E -i "^AllowUsers" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }') if [ -n "${FIND}" ]; then LogText "Result: AllowUsers set, with value ${FIND}" Display --indent 4 --text "- OpenSSH option: AllowUsers" --result "${STATUS_FOUND}" --color GREEN @@ -311,7 +310,7 @@ fi # AllowGroups - FIND=$(${EGREPBINARY} -i "^AllowGroups" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }') + FIND=$(${GREPBINARY} -E -i "^AllowGroups" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }') if [ -n "${FIND}" ]; then LogText "Result: AllowUsers set ${FIND}" Display --indent 4 --text "- OpenSSH option: AllowGroups" --result "${STATUS_FOUND}" --color GREEN diff --git a/include/tests_storage b/include/tests_storage index ac60502c..29785e6c 100644 --- a/include/tests_storage +++ b/include/tests_storage @@ -38,8 +38,8 @@ if [ -d "${ROOTDIR}etc/modprobe.d" ]; then FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null) if [ -n "${FIND}" ]; then - FIND1=$(${EGREPBINARY} "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") - FIND2=$(${EGREPBINARY} "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") + FIND1=$(${GREPBINARY} -E "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") + FIND2=$(${GREPBINARY} -E "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then FOUND=1 LogText "Result: found firewire ohci driver in disabled state" @@ -49,8 +49,8 @@ fi fi if [ -f "${ROOTDIR}etc/modprobe.conf" ]; then - FIND1=$(${EGREPBINARY} -r "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" "${ROOTDIR}etc/modprobe.conf" | ${GREPBINARY} -v "#") - FIND2=$(${EGREPBINARY} -r "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" "${ROOTDIR}etc/modprobe.conf" | ${GREPBINARY} -v "#") + FIND1=$(${GREPBINARY} -E -r "blacklist (ohci1394|firewire[-_]ohci|firewire-core)" "${ROOTDIR}etc/modprobe.conf" | ${GREPBINARY} -v "#") + FIND2=$(${GREPBINARY} -E -r "install (ohci1394|firewire[-_]ohci|firewire-core) /bin/(false|true)" "${ROOTDIR}etc/modprobe.conf" | ${GREPBINARY} -v "#") if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then FOUND=1 LogText "Result: found firewire ohci driver in disabled state" diff --git a/include/tests_system_integrity b/include/tests_system_integrity index befe09a0..9c5b1e51 100644 --- a/include/tests_system_integrity +++ b/include/tests_system_integrity @@ -30,6 +30,8 @@ # ################################################################################# # + # Test : SINT-7010 + # Description : System Integrity Status if [ -x ${ROOTDIR}/usr/bin/csrutil ]; then PREQS_MET="YES"; else PREQS_MET="NO"; SKIPREASON="No CSrutil binary found"; fi Register --test-no SINT-7010 --os MacOS --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight H --network NO --category security --description "System Integrity Status" if [ ${SKIPTEST} -eq 0 ]; then diff --git a/include/tests_time b/include/tests_time index df9a86b7..b68bc102 100644 --- a/include/tests_time +++ b/include/tests_time @@ -139,7 +139,7 @@ for I in ${CRONTAB_FILES}; do if [ -f ${I} ]; then LogText "Test: checking for ntpdate, rdate, sntp or ntpdig in crontab file ${I}" - FIND=$(${EGREPBINARY} "${CRONTAB_REGEX}" ${I} | ${GREPBINARY} -v '^#') + FIND=$(${GREPBINARY} -E "${CRONTAB_REGEX}" ${I} | ${GREPBINARY} -v '^#') if [ -n "${FIND}" ]; then FOUND=1; NTP_CONFIG_TYPE_SCHEDULED=1 Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "${STATUS_FOUND}" --color GREEN @@ -161,10 +161,10 @@ for I in ${CRON_DIRS}; do for J in "${I}"/*; do # iterate over folders in a safe way # Check: regular file, readable and not called .placeholder - FIND=$(echo "${J}" | ${EGREPBINARY} '/.placeholder$') + FIND=$(echo "${J}" | ${GREPBINARY} -E '/.placeholder$') if [ -f "${J}" ] && [ -r "${J}" ] && [ -z "${FIND}" ]; then LogText "Test: checking for ntpdate, rdate, sntp or ntpdig in ${J}" - FIND=$("${EGREPBINARY}" "${CRONTAB_REGEX}" "${J}" | "${GREPBINARY}" -v "^#") + FIND=$("${GREPBINARY}" -E "${CRONTAB_REGEX}" "${J}" | "${GREPBINARY}" -v "^#") if [ -n "${FIND}" ]; then FOUND=1; FOUND_IN_CRON=1; NTP_CONFIG_TYPE_SCHEDULED=1 LogText "Result: found ntpdate, rdate, sntp or ntpdig in ${J}" @@ -232,7 +232,7 @@ Register --test-no TIME-3106 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check systemd NTP time synchronization status" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Check the status of time synchronization via timedatectl" - FIND=$(${TIMEDATECTL} status | ${EGREPBINARY} "(NTP|System clock) synchronized: yes") + FIND=$(${TIMEDATECTL} status | ${GREPBINARY} -E "(NTP|System clock) synchronized: yes") if [ -z "${FIND}" ]; then LogText "Result: time not synchronized via NTP" ReportSuggestion "${TEST_NO}" "Check timedatectl output. Synchronization via NTP is enabled, but status reflects it is not synchronized" @@ -273,7 +273,7 @@ else for ITEM in ${FIND}; do LogText "Found stratum 16 peer: ${ITEM}" - FIND2=$(${EGREPBINARY} "^ntp-ignore-stratum-16-peer=${ITEM}" ${PROFILE}) + FIND2=$(${GREPBINARY} -E "^ntp-ignore-stratum-16-peer=${ITEM}" ${PROFILE}) if IsEmpty "${FIND2}"; then COUNT=$((COUNT + 1)) Report "ntp_stratum_16_peer[]=${ITEM}" @@ -303,7 +303,7 @@ Register --test-no TIME-3120 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check unreliable NTP peers" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking unreliable ntp peers" - FIND=$(${NTPQBINARY} -p -n | ${EGREPBINARY} "^(-|#)" | ${AWKBINARY} '{ print $1 }' | ${SEDBINARY} 's/^-//g') + FIND=$(${NTPQBINARY} -p -n | ${GREPBINARY} -E "^(-|#)" | ${AWKBINARY} '{ print $1 }' | ${SEDBINARY} 's/^-//g') if [ -z "${FIND}" ]; then Display --indent 2 --text "- Checking unreliable ntp peers" --result "${STATUS_NONE}" --color GREEN LogText "Result: No unreliable peers found" @@ -371,7 +371,7 @@ Register --test-no TIME-3132 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check NTP falsetickers" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking preferred time source" - FIND=$(${NTPQBINARY} -p -n | ${EGREPBINARY} '^x') + FIND=$(${NTPQBINARY} -p -n | ${GREPBINARY} -E '^x') if [ -z "${FIND}" ]; then Display --indent 2 --text "- Checking falsetickers" --result "${STATUS_OK}" --color GREEN LogText "Result: No falsetickers found (items preceding with an 'x')" @@ -455,7 +455,7 @@ else LogText "Result: ${FILE} is not empty, which is fine" Display --indent 2 --text "- Checking NTP step-tickers file" --result "${STATUS_OK}" --color GREEN - sFIND=$(${AWKBINARY} '/^[a-z0-9]/ { print $1 }' ${FILE} | ${EGREPBINARY} -v "^127." | ${EGREPBINARY} -v "^::1") + sFIND=$(${AWKBINARY} '/^[a-z0-9]/ { print $1 }' ${FILE} | ${GREPBINARY} -E -v "^127." | ${GREPBINARY} -E -v "^::1") for I in ${sFIND}; do FIND=$(${GREPBINARY} ^${I} ${FILE} | wc -l) if [ ${FIND} -gt 0 ]; then @@ -553,7 +553,7 @@ Register --test-no TIME-3182 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check OpenNTPD has working peers" if [ ${SKIPTEST} -eq 0 ]; then # Format is "xx/yy peers valid, ..." - FIND=$(${NTPCTLBINARY} -s status | ${EGREPBINARY} -o '[0-9]+/[0-9]+' | ${CUTBINARY} -d '/' -f 1) + FIND=$(${NTPCTLBINARY} -s status | ${GREPBINARY} -E -o '[0-9]+/[0-9]+' | ${CUTBINARY} -d '/' -f 1) if [ -z "${FIND}" ] || [ "${FIND}" -eq 0 ]; then ReportWarning "${TEST_NO}" "OpenNTPD has no peers" "${NTPCTLBINARY} -s status" fi diff --git a/include/tests_tooling b/include/tests_tooling index 083f5045..606e566f 100644 --- a/include/tests_tooling +++ b/include/tests_tooling @@ -259,8 +259,8 @@ # # Check email alert configuration # LogText "Test: checking for email actions within ${FAIL2BAN_CONFIG}" # - # FIND=$(${EGREPBINARY} "^action = \%\(action_m.*\)s" ${FAIL2BAN_CONFIG}) - # FIND2=$(${EGREPBINARY} "^action = \%\(action_\)s" ${FAIL2BAN_CONFIG}) + # FIND=$(${GREPBINARY} -E "^action = \%\(action_m.*\)s" ${FAIL2BAN_CONFIG}) + # FIND2=$(${GREPBINARY} -E "^action = \%\(action_\)s" ${FAIL2BAN_CONFIG}) # # if [ -n "${FIND}" ]; then # FAIL2BAN_EMAIL=1 @@ -400,7 +400,7 @@ # ################################################################################# # - # Test : TOOL-5160 + # Test : TOOL-5126 # Description : Check for OSSEC Register --test-no TOOL-5126 --weight L --network NO --category security --description "Check for active OSSEC daemon" if [ ${SKIPTEST} -eq 0 ]; then @@ -428,6 +428,35 @@ fi # ################################################################################# +# + # Test : TOOL-5128 + # Description : Check for Wazuh daemon + Register --test-no TOOL-5128 --weight L --network NO --category security --description "Check for active Wazuh daemon" + if [ ${SKIPTEST} -eq 0 ]; then + # Server side + if IsRunning "wazuh-analysisd"; then + IDS_IPS_TOOL_FOUND=1 + Report "ids_ips_tooling[]=wazuh" + Report "ids_ips_tooling[]=wazuh-analysisd" + LogText "Result: Wazuh analysis daemon is active" + Display --indent 2 --text "- Checking presence of Wazuh (analysis)" --result "${STATUS_FOUND}" --color GREEN + else + LogText "Result: Wazuh analysis daemon not active" + fi + + # Client side + if IsRunning "wazuh-agentd"; then + IDS_IPS_TOOL_FOUND=1 + Report "ids_ips_tooling[]=wazuh" + Report "ids_ips_tooling[]=wazuh-agentd" + LogText "Result: Wazuh agent daemon is active" + Display --indent 2 --text "- Checking presence of Wazuh (agent)" --result "${STATUS_FOUND}" --color GREEN + else + LogText "Result: Wazuh agent daemon not active" + fi + fi +# +################################################################################# # # Test : TOOL-5190 # Description : Check for an IDS/IPS tool diff --git a/include/tests_usb b/include/tests_usb index d99d5a66..81c184df 100644 --- a/include/tests_usb +++ b/include/tests_usb @@ -54,8 +54,8 @@ if [ -d /etc/modprobe.d ]; then FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null) if [ -n "${FIND}" ]; then - FIND=$(${EGREPBINARY} -r "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") - FIND2=$(${EGREPBINARY} -r "^blacklist usb[-_]storage" ${ROOTDIR}etc/modprobe.d/*) + FIND=$(${GREPBINARY} -E -r "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") + FIND2=$(${GREPBINARY} -E -r "^blacklist usb[-_]storage" ${ROOTDIR}etc/modprobe.d/*) if [ -n "${FIND}" -o -n "${FIND2}" ]; then FOUND=1 LogText "Result: found usb-storage driver in disabled state (blacklisted)" @@ -65,7 +65,7 @@ fi fi if [ -f ${ROOTDIR}etc/modprobe.conf ]; then - FIND=$(${EGREPBINARY} "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.conf | ${GREPBINARY} "usb-storage" | ${GREPBINARY} -v "#") + FIND=$(${GREPBINARY} -E "install usb[-_]storage /bin/(false|true)" ${ROOTDIR}etc/modprobe.conf | ${GREPBINARY} "usb-storage" | ${GREPBINARY} -v "#") if [ -n "${FIND}" ]; then FOUND=1 LogText "Result: found usb-storage driver in disabled state" @@ -316,11 +316,11 @@ Display --indent 4 --text "- RuleFile" --result "${STATUS_FOUND}" --color GREEN AddHP 1 1 - USBGUARD_RULES_ALLOW=$(${EGREPBINARY} -c "^allow" ${USBGUARD_RULES}) + USBGUARD_RULES_ALLOW=$(${GREPBINARY} -E -c "^allow" ${USBGUARD_RULES}) Display --indent 6 --text "- Controllers & Devices allow" --result "${USBGUARD_RULES_ALLOW}" --color WHITE - USBGUARD_RULES_BLOCK=$(${EGREPBINARY} -c "^block" ${USBGUARD_RULES}) + USBGUARD_RULES_BLOCK=$(${GREPBINARY} -E -c "^block" ${USBGUARD_RULES}) Display --indent 6 --text "- Controllers & Devices block" --result "${USBGUARD_RULES_BLOCK}" --color WHITE - USBGUARD_RULES_REJECT=$(${EGREPBINARY} -c "^reject" ${USBGUARD_RULES}) + USBGUARD_RULES_REJECT=$(${GREPBINARY} -E -c "^reject" ${USBGUARD_RULES}) Display --indent 6 --text "- Controllers & Devices reject" --result "${USBGUARD_RULES_REJECT}" --color WHITE else LogText "Result: RuleFile not found (\"man usbguard\" for instructions to install initial policies)" diff --git a/include/tests_webservers b/include/tests_webservers index e0ca5737..1dbde636 100644 --- a/include/tests_webservers +++ b/include/tests_webservers @@ -63,7 +63,7 @@ Display --indent 2 --text "- Checking Apache" --result "${STATUS_NOT_FOUND}" --color WHITE else LogText "Test: Scanning for Apache binary" - IS_APACHE=$(${HTTPDBINARY} -v 2> /dev/null | ${EGREPBINARY} '[aA]pache') + IS_APACHE=$(${HTTPDBINARY} -v 2> /dev/null | ${GREPBINARY} -E '[aA]pache') if IsEmpty "${IS_APACHE}"; then LogText "Result: ${HTTPDBINARY} is not Apache" Display --indent 2 --text "- Checking Apache (binary ${HTTPDBINARY})" --result "NO MATCH" --color WHITE @@ -203,7 +203,7 @@ #if [ ${SKIPTEST} -eq 0 ]; then # # Testing Debian style # LogText "Test: searching loaded/enabled Apache modules" - # apachectl -t -D DUMP_MODULES 2>&1 | ${EGREPBINARY} -v "(Loaded Modules|Syntax OK)" | ${SEDBINARY} 's/(\(shared\|static\))//' | ${SEDBINARY} 's/ //' + # apachectl -t -D DUMP_MODULES 2>&1 | ${GREPBINARY} -E -v "(Loaded Modules|Syntax OK)" | ${SEDBINARY} 's/(\(shared\|static\))//' | ${SEDBINARY} 's/ //' # for I in ${APACHE_MODULES_ENABLED_LOCS}; do # LogText "Test: checking ${I}" # if [ -d ${I} ]; then @@ -381,7 +381,7 @@ done # Sort all discovered configuration lines and store unique ones. Also strip out the mime types configured in nginx - SORTFILE=$(${SORTBINARY} -u ${TMPFILE} | ${SEDBINARY} 's/ /:space:/g' | ${EGREPBINARY} -v "(application|audio|image|text|video)/" | ${EGREPBINARY} -v "({|})") + SORTFILE=$(${SORTBINARY} -u ${TMPFILE} | ${SEDBINARY} 's/ /:space:/g' | ${GREPBINARY} -E -v "(application|audio|image|text|video)/" | ${GREPBINARY} -E -v "({|})") for I in ${SORTFILE}; do I=$(echo ${I} | ${SEDBINARY} 's/:space:/ /g') Report "nginx_config_option[]=${I}"; diff --git a/lynis b/lynis index cf7d6bc6..ab769b24 100755 --- a/lynis +++ b/lynis @@ -43,10 +43,10 @@ PROGRAM_WEBSITE="https://cisofy.com/lynis/" # Version details - PROGRAM_RELEASE_DATE="2022-05-17" - PROGRAM_RELEASE_TIMESTAMP=1652791205 + PROGRAM_RELEASE_DATE="2023-08-03" + PROGRAM_RELEASE_TIMESTAMP=1691062820 PROGRAM_RELEASE_TYPE="release" # pre-release or release - PROGRAM_VERSION="3.0.8" + PROGRAM_VERSION="3.0.9" # Source, documentation and license PROGRAM_SOURCE="https://github.com/CISOfy/lynis" @@ -217,10 +217,10 @@ # Extract the short notation of the language (first two characters). if [ -x "$(command -v locale 2> /dev/null)" ]; then - LANGUAGE=$(locale | egrep "^LANG=" | cut -d= -f2 | cut -d_ -f1 | tr -d '"' | egrep "^[a-z]{2}$") + LANGUAGE=$(locale | grep -E "^LANG=" | cut -d= -f2 | cut -d_ -f1 | tr -d '"' | grep -E "^[a-z]{2}$") # Try locale command if shell variable had no value if [ -z "${DISPLAY_LANG}" ]; then - DISPLAY_LANG=$(locale | egrep "^LANG=" | cut -d= -f2) + DISPLAY_LANG=$(locale | grep -E "^LANG=" | cut -d= -f2) fi else LANGUAGE="en" @@ -514,7 +514,7 @@ ${NORMAL} . ${INCLUDEDIR}/osdetection Display --indent 2 --text "- Detecting OS... " --result "${STATUS_DONE}" --color GREEN - # Check hostname + # Check hostname and get timestamp case ${OS} in HP-UX) HOSTNAME=$(hostname) ;; @@ -531,7 +531,6 @@ ${NORMAL} if [ "${OS}" = "Linux" -a "${HOSTNAME}" = "${FQDN}" ]; then FQDN=$(hostname -f 2> /dev/null) fi - # ################################################################################# # @@ -789,16 +788,10 @@ ${NORMAL} fi fi - # Test for older releases, without testing via update mechanism - if [ "${OS}" = "Solaris" ]; then - NOW=$(nawk 'BEGIN{print srand()}') - else - NOW=$(date "+%s") - fi - OLD_RELEASE=0 TIME_DIFFERENCE_CHECK=10368000 # 4 months RELEASE_PLUS_TIMEDIFF=$((PROGRAM_RELEASE_TIMESTAMP + TIME_DIFFERENCE_CHECK)) + NOW=$(date "+%s") if [ ${NOW} -gt ${RELEASE_PLUS_TIMEDIFF} ]; then # Show if release is old, only if we didn't show it with normal update check if [ ${UPDATE_AVAILABLE} -eq 0 ]; then