Merge branch 'master' into master

This commit is contained in:
Michael Boelen 2024-05-16 08:48:23 +02:00 committed by GitHub
commit e75a7b9547
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
50 changed files with 692 additions and 260 deletions

7
.editorconfig Normal file
View File

@ -0,0 +1,7 @@
# See: https://editorconfig.org/
root = true
[*]
indent_style = space
indent_size = 4

View File

@ -3,11 +3,42 @@
## Lynis 3.1.2 (not released yet)
### Added
- Detection of ALT Linux
- Detection of Athena OS
- Detection of Container-Optimized OS from Google
- Detection of Koozali SME Server
- Detection of Nobara Linux
- Detection of Open Source Media Center (OSMC)
- Detection of PostmarketOS
- CRYP-7932 - macOS FileVault encryption test
- FILE-6398 - Check if JBD (Journal Block Device) driver is loaded
- FINT-4344 - Wazuh system running state
- PKGS-7305 - Query macOS Apps in /Applications and CoreServices
- File added: .editorconfig, which is used by editors to standardize formatting
### Changed
- Correction of software EOL database and inclusion of AIX entries
- Correction of software EOL database and inclusion of AIX entries
- Support sysctl value perf_event_paranoid -> 2|3
- Update of Turkish translation
- Grammar and spell improvements
- Improved package detection on Alpine Linux
- Slackware support to check installed packges (functionPackageIsInstalled())
- Added words prosecute/report to LEGAL_BANNER_STRINGS
- Busybox support: Replace newer tr command syntax with older ascii specific operations
- Added Wazuh as a malware scanner/antivirus and rootkit detection tool
- AUTH-9262 - Corrected message with advised PAM libary (libpam-passwdqc)
- CONT-8104 - Checking for errors, not only warning in docker info output
- DBS-1826 - PostgreSQL detection improved for AlmaLinux, Rocky Linux, and FreeBSD
- FILE-6344 - Test kernel version (major/minor)
- KRNL-5622 - Use systemctl get-default instead of following link
- LOGG-2144 - Check for wazuh-agent presence on Linux systems
- MACF-6234 - Test if semanage binary is available
- MALW-3200 - ESET Endpoint Antivirus added
- MALW-3280 - McAfee Antivirus for Linux deprecated
- MALW-3291 - Check if Microsoft Defender Antivirus is installe
- NETW-3200 - Added regex to allow both /bin/true as /bin/false
- PKGS-7303 - Added version numbers to brew packages
- PKGS-7370 - Cron job check for debsums improved
---------------------------------------------------------------------------------

View File

@ -106,3 +106,4 @@ STATUS_WARNING="Xəbərdarlıq"
STATUS_YES="Bəli"
TEXT_UPDATE_AVAILABLE="yeniləmə mövcud"
TEXT_YOU_CAN_HELP_LOGFILE="qeydləri gönderib kömek eyleyin"
#SECTION_KERBEROS="Kerberos"

View File

@ -107,3 +107,4 @@ STATUS_WARNING="警告"
STATUS_YES="是"
TEXT_UPDATE_AVAILABLE="有可以更新的版本"
TEXT_YOU_CAN_HELP_LOGFILE="你可以通过记录日志来帮忙"
#SECTION_KERBEROS="Kerberos"

View File

@ -106,3 +106,4 @@ STATUS_WEAK="SVAG"
STATUS_YES="JA"
TEXT_UPDATE_AVAILABLE="opdatering tilgængelig"
TEXT_YOU_CAN_HELP_LOGFILE="Du kan hjælpe ved at bidrage med din logfil"
#SECTION_KERBEROS="Kerberos"

View File

@ -106,3 +106,4 @@ STATUS_WEAK="SCHWACH"
STATUS_YES="JA"
TEXT_UPDATE_AVAILABLE="Aktualisierung verfügbar"
TEXT_YOU_CAN_HELP_LOGFILE="Sie können durch Übermittlung Ihrer Logdatei helfen"
#SECTION_KERBEROS="Kerberos"

View File

@ -63,6 +63,7 @@ SECTION_USB_DEVICES="USB Devices"
SECTION_USERS_GROUPS_AND_AUTHENTICATION="Users, Groups and Authentication"
SECTION_VIRTUALIZATION="Virtualization"
SECTION_WEBSERVER="Software: webserver"
SECTION_KERBEROS="Kerberos"
STATUS_ACTIVE="ACTIVE"
STATUS_CHECK_NEEDED="CHECK NEEDED"
STATUS_DEBUG="DEBUG"

View File

@ -107,3 +107,4 @@ STATUS_WEAK="DÉBIL"
STATUS_YES="SÍ"
TEXT_UPDATE_AVAILABLE="Actualización disponible"
TEXT_YOU_CAN_HELP_LOGFILE="Puedes ayudar compartiendo tu archivo de registro"
#SECTION_KERBEROS="Kerberos"

View File

@ -106,3 +106,4 @@ STATUS_WARNING="VAROITUS"
STATUS_YES="KYLLÄ"
TEXT_UPDATE_AVAILABLE="päivitys saatavilla"
TEXT_YOU_CAN_HELP_LOGFILE="Voit auttaa toimittamalla lokitiedoston"
#SECTION_KERBEROS="Kerberos"

View File

@ -106,3 +106,4 @@ STATUS_WEAK="FAIBLE"
STATUS_YES="OUI"
TEXT_UPDATE_AVAILABLE="Mise à jour disponible"
TEXT_YOU_CAN_HELP_LOGFILE="Vous pouvez aider en envoyant votre fichier journal"
#SECTION_KERBEROS="Kerberos"

View File

@ -106,3 +106,4 @@ STATUS_WARNING="ΠΡΟΣΟΧΗ"
STATUS_YES="ΝΑΙ"
TEXT_UPDATE_AVAILABLE="διαθέσιμη ενημέρωση"
TEXT_YOU_CAN_HELP_LOGFILE="Μπορείτε να βοηθήσετε παρέχοντας το αρχείο καταγραφής"
#SECTION_KERBEROS="Kerberos"

View File

@ -106,3 +106,4 @@ STATUS_WARNING="אזהרה"
STATUS_YES="כן"
TEXT_UPDATE_AVAILABLE="עדכון זמין"
TEXT_YOU_CAN_HELP_LOGFILE="ניתן לעזור על ידי שליחת קובץ הלוג"
#SECTION_KERBEROS="Kerberos"

View File

@ -106,3 +106,4 @@ STATUS_WARNING="FIGYELMEZTETÉS"
STATUS_YES="IGEN"
TEXT_UPDATE_AVAILABLE="frissítés elérhető"
TEXT_YOU_CAN_HELP_LOGFILE="You can help by providing your log file"
#SECTION_KERBEROS="Kerberos"

View File

@ -105,3 +105,5 @@ STATUS_WEAK="WEAK"
STATUS_YES="YES"
TEXT_UPDATE_AVAILABLE="update tersedia"
TEXT_YOU_CAN_HELP_LOGFILE="Anda dapat membantu dengan memberikan file log Anda"
#SECTION_KERBEROS="Kerberos"
#STATUS_NOT_ACTIVE="NOT ACTIVE"

View File

@ -106,3 +106,4 @@ STATUS_WEAK="DEBOLE"
STATUS_YES="SI"
TEXT_UPDATE_AVAILABLE="aggiornamento disponibile"
TEXT_YOU_CAN_HELP_LOGFILE="Puoi aiutare fornendoci il tuo file di log"
#SECTION_KERBEROS="Kerberos"

View File

@ -106,3 +106,4 @@ STATUS_WARNING="警告"
STATUS_YES="はい"
TEXT_UPDATE_AVAILABLE="アップデートが利用可能"
TEXT_YOU_CAN_HELP_LOGFILE="You can help by providing your log file"
#SECTION_KERBEROS="Kerberos"

View File

@ -106,3 +106,4 @@ STATUS_WEAK="취약"
STATUS_YES="예"
TEXT_UPDATE_AVAILABLE="업데이트 가능"
TEXT_YOU_CAN_HELP_LOGFILE="로그 파일을 제공하면 도움을 받을 수 있습니다"
#SECTION_KERBEROS="Kerberos"

View File

@ -106,3 +106,4 @@ STATUS_WARNING="ADVARSEL"
STATUS_YES="JA"
TEXT_UPDATE_AVAILABLE="oppdatering tilgjengelig"
TEXT_YOU_CAN_HELP_LOGFILE="Du kan bidra ved å laste opp din loggfil"
#SECTION_KERBEROS="Kerberos"

View File

@ -106,3 +106,4 @@ STATUS_WEAK="ZWAK"
STATUS_YES="JA"
TEXT_UPDATE_AVAILABLE="update beschikbaar"
TEXT_YOU_CAN_HELP_LOGFILE="Help mee door je logbestand te delen"
#SECTION_KERBEROS="Kerberos"

View File

@ -106,3 +106,4 @@ STATUS_NOT_ACTIVE="NOT ACTIVE"
#STATUS_YES="YES"
#TEXT_UPDATE_AVAILABLE="update available"
#TEXT_YOU_CAN_HELP_LOGFILE="You can help by providing your log file"
#SECTION_KERBEROS="Kerberos"

View File

@ -106,3 +106,4 @@ STATUS_WARNING="ATENÇÃO"
STATUS_YES="SIM"
TEXT_UPDATE_AVAILABLE="Atualização disponível"
TEXT_YOU_CAN_HELP_LOGFILE="Você pode ajudar fornecendo seu arquivo de log"
#SECTION_KERBEROS="Kerberos"

View File

@ -106,3 +106,4 @@ STATUS_WEAK="СЛАБЫЙ"
STATUS_YES="ДА"
TEXT_UPDATE_AVAILABLE="доступно обновление"
TEXT_YOU_CAN_HELP_LOGFILE="Вы можете помочь, предоставив ваш лог-файл"
#SECTION_KERBEROS="Kerberos"

View File

@ -106,3 +106,4 @@ STATUS_WARNING="VARNING"
STATUS_YES="JA"
TEXT_UPDATE_AVAILABLE="uppdatering tillgänglig"
TEXT_YOU_CAN_HELP_LOGFILE="Du kan hjälpa till genom att bidra med din loggfil"
#SECTION_KERBEROS="Kerberos"

View File

@ -106,3 +106,4 @@ STATUS_WARNING="VAROVANIE"
STATUS_YES="ÁNO"
TEXT_UPDATE_AVAILABLE="aktualizácia k dispozícii"
TEXT_YOU_CAN_HELP_LOGFILE="Môžete pomôcť poskytnutím log súboru"
#SECTION_KERBEROS="Kerberos"

View File

@ -1,108 +1,109 @@
ERROR_NO_LICENSE="Lisans anahtarı yapılandırılmamış"
ERROR_NO_UPLOAD_SERVER="Yükleme sunucusu yapılandırılmamış"
GEN_CHECKING="Kontrol ediyor"
GEN_CURRENT_VERSION="Mevcut Sürüm"
ERROR_NO_LICENSE="Lisans anahtarı yapılandırılmadı"
ERROR_NO_UPLOAD_SERVER="Yükleme sunucusu yapılandırılmadı"
GEN_CHECKING=" Denetleniyor"
GEN_CURRENT_VERSION="Geçerli sürüm"
GEN_DEBUG_MODE="Hata ayıklama modu"
GEN_INITIALIZE_PROGRAM="Program başlatılıyor"
GEN_LATEST_VERSION="Son sürüm"
GEN_PHASE="faz"
GEN_PLUGINS_ENABLED="Yapılandırılmış eklentiler"
GEN_UPDATE_AVAILABLE="güncelleme mevcut"
GEN_VERBOSE_MODE="Detay modu"
GEN_LATEST_VERSION="En son sürüm"
GEN_PHASE="evre"
GEN_PLUGINS_ENABLED="Etkinleştirilen eklentiler"
GEN_UPDATE_AVAILABLE="güncelleme var"
GEN_VERBOSE_MODE="Ayrıntılı mod"
GEN_WHAT_TO_DO="Yapılması gerekenler"
NOTE_EXCEPTIONS_FOUND_DETAILED="Bazı istisnai durumlar ve bilgiler bulundu"
NOTE_EXCEPTIONS_FOUND="İstisnalar bulundu"
NOTE_PLUGINS_TAKE_TIME="Not: eklentiler daha detaylı testler içermektedir ve tamamlanmaları uzun sürebilir"
NOTE_EXCEPTIONS_FOUND_DETAILED="Bazı istisnai olaylar veya bilgiler bulundu"
NOTE_PLUGINS_TAKE_TIME="Not: eklentiler daha kapsamlı testlere sahiptir ve tamamlanması birkaç dakika sürebilir"
NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Yetkisiz çalışma nedeniyle atlanan testler"
#SECTION_ACCOUNTING="Accounting"
#SECTION_BANNERS_AND_IDENTIFICATION="Banners and identification"
#SECTION_BASICS="Basics"
#SECTION_BOOT_AND_SERVICES="Boot and services"
#SECTION_CONTAINERS="Containers"
#SECTION_CRYPTOGRAPHY="Cryptography"
SECTION_ACCOUNTING="Hesaplama"
SECTION_BANNERS_AND_IDENTIFICATION="Afişler ve tanımlama"
SECTION_BASICS="Temel Bilgiler"
SECTION_BOOT_AND_SERVICES="Önyükleme ve hizmetler"
SECTION_CONTAINERS="Konteynerler"
SECTION_CRYPTOGRAPHY="Kriptografi"
SECTION_CUSTOM_TESTS="Özel testler"
#SECTION_DATABASES="Databases"
#SECTION_DATA_UPLOAD="Data upload"
#SECTION_DOWNLOADS="Downloads"
#SECTION_EMAIL_AND_MESSAGING="Software: e-mail and messaging"
#SECTION_FILE_INTEGRITY="Software: file integrity"
#SECTION_FILE_PERMISSIONS="File Permissions"
#SECTION_FILE_SYSTEMS="File systems"
#SECTION_FIREWALLS="Software: firewalls"
#SECTION_GENERAL="General"
#SECTION_HARDENING="Hardening"
#SECTION_HOME_DIRECTORIES="Home directories"
#SECTION_IMAGE="Image"
#SECTION_INITIALIZING_PROGRAM="Initializing program"
#SECTION_INSECURE_SERVICES="Insecure services"
#SECTION_KERNEL_HARDENING="Kernel Hardening"
#SECTION_KERNEL="Kernel"
#SECTION_LDAP_SERVICES="LDAP Services"
#SECTION_LOGGING_AND_FILES="Logging and files"
SECTION_MALWARE="Kötücül yazılım"
SECTION_MEMORY_AND_PROCESSES="Bellek ve Prosesler"
#SECTION_NAME_SERVICES="Name services"
#SECTION_NETWORKING="Networking"
#SECTION_PERMISSIONS="Permissions"
#SECTION_PORTS_AND_PACKAGES="Ports and packages"
#SECTION_PRINTERS_AND_SPOOLS="Printers and Spools"
#SECTION_PROGRAM_DETAILS="Program Details"
#SECTION_SCHEDULED_TASKS="Scheduled tasks"
#SECTION_SECURITY_FRAMEWORKS="Security frameworks"
#SECTION_SHELLS="Shells"
#SECTION_SNMP_SUPPORT="SNMP Support"
#SECTION_SOFTWARE="Software"
#SECTION_SQUID_SUPPORT="Squid Support"
#SECTION_SSH_SUPPORT="SSH Support"
#SECTION_STORAGE="Storage"
#SECTION_SYSTEM_INTEGRITY="Software: System integrity"
#SECTION_SYSTEM_TOOLING="Software: System tooling"
#SECTION_SYSTEM_TOOLS="System tools"
#SECTION_TIME_AND_SYNCHRONIZATION="Time and Synchronization"
#SECTION_USB_DEVICES="USB Devices"
#SECTION_USERS_GROUPS_AND_AUTHENTICATION="Users, Groups and Authentication"
#SECTION_VIRTUALIZATION="Virtualization"
#SECTION_WEBSERVER="Software: webserver"
#STATUS_ACTIVE="ACTIVE"
#STATUS_CHECK_NEEDED="CHECK NEEDED"
#STATUS_DEBUG="DEBUG"
#STATUS_DEFAULT="DEFAULT"
#STATUS_DIFFERENT="DIFFERENT"
STATUS_DISABLED="ETKİSİZLEŞTİRİLMİŞ"
SECTION_DATA_UPLOAD="Veri yükleme"
SECTION_DATABASES="Veri tabanları"
SECTION_DOWNLOADS="İndirilenler"
SECTION_EMAIL_AND_MESSAGING="Yazılım: e-posta ve mesajlaşma"
SECTION_FILE_INTEGRITY="Yazılım: dosya bütünlüğü"
SECTION_FILE_PERMISSIONS="Dosya izinleri"
SECTION_FILE_SYSTEMS="Dosya sistemleri"
SECTION_FIREWALLS="Yazılım: güvenlik duvarları"
SECTION_GENERAL="Genel"
SECTION_HARDENING="Sıkılaştırma"
SECTION_HOME_DIRECTORIES="Ev dizinleri"
SECTION_IMAGE="Kalıp"
SECTION_INITIALIZING_PROGRAM="Program başlatılıyor"
SECTION_INSECURE_SERVICES="Güvensiz hizmetler"
SECTION_KERNEL="Çekirdek"
SECTION_KERNEL_HARDENING="Çekirdek Sıkılaştırma"
SECTION_LDAP_SERVICES="LDAP Hizmetleri"
SECTION_LOGGING_AND_FILES="Günlük kaydı ve dosyalar"
SECTION_MALWARE="Yazılım: Kötü Amaçlı Yazılım"
SECTION_MEMORY_AND_PROCESSES="Bellek ve Süreçler"
SECTION_NAME_SERVICES="Ad hizmetleri"
SECTION_NETWORKING="Ağ İletişimi"
SECTION_PERMISSIONS="İzinler"
SECTION_PORTS_AND_PACKAGES="Bağlantı noktaları ve paketler"
SECTION_PRINTERS_AND_SPOOLS="Yazıcılar ve Biriktiriciler"
SECTION_PROGRAM_DETAILS="Program Ayrıntıları"
SECTION_SCHEDULED_TASKS="Zamanlanan görevler"
SECTION_SECURITY_FRAMEWORKS="Güvenlik çerçeveleri"
SECTION_SHELLS="Kabuklar"
SECTION_SNMP_SUPPORT="SNMP Desteği"
SECTION_SOFTWARE="Yazılım"
SECTION_SQUID_SUPPORT="Squid Desteği"
SECTION_SSH_SUPPORT="SSH Desteği"
SECTION_STORAGE="Depolama"
SECTION_SYSTEM_INTEGRITY="Yazılım: Sistem bütünlüğü"
SECTION_SYSTEM_TOOLING="Yazılım: Sistem araçları"
SECTION_SYSTEM_TOOLS="Sistem araçları"
SECTION_TIME_AND_SYNCHRONIZATION="Zaman ve Eşzamanlama"
SECTION_USB_DEVICES="USB Aygıtları"
SECTION_USERS_GROUPS_AND_AUTHENTICATION="Kullanıcılar, Gruplar ve Kimlik Doğrulama"
SECTION_VIRTUALIZATION="Sanallaştırma"
SECTION_WEBSERVER="Yazılım: web sunucusu"
STATUS_ACTIVE=" ETKİN"
STATUS_CHECK_NEEDED=" DENETİM GEREKLI"
STATUS_DEBUG="HATA AYIKLAMA"
STATUS_DEFAULT="ÖNTANIMLI"
STATUS_DIFFERENT="FARKLI"
STATUS_DISABLED="DEVRE DIŞI BIRAKILDI"
STATUS_DONE="TAMAMLANDI"
STATUS_ENABLED="ETKİNLEŞTİRİLMİŞ"
STATUS_ENABLED="ETKİNLEŞTİRİL"
STATUS_ERROR="HATA"
#STATUS_EXPOSED="EXPOSED"
#STATUS_FAILED="FAILED"
#STATUS_FILES_FOUND="FILES FOUND"
STATUS_EXPOSED="AÇIKTA BIRAKILDI"
STATUS_FAILED="BAŞARISIZ"
STATUS_FILES_FOUND="DOSYALAR BULUNDU"
STATUS_FOUND="BULUNDU"
#STATUS_HARDENED="HARDENED"
#STATUS_INSTALLED="INSTALLED"
#STATUS_LOCAL_ONLY="LOCAL ONLY"
#STATUS_MEDIUM="MEDIUM"
STATUS_HARDENED="SIKILAŞTIRILDI"
STATUS_INSTALLED="KURULU"
STATUS_LOCAL_ONLY="YALNIZCA YEREL"
STATUS_MEDIUM="ORTA"
STATUS_NO="HAYIR"
#STATUS_NON_DEFAULT="NON DEFAULT"
STATUS_NO_UPDATE="GÜNCELLEME YOK"
STATUS_NON_DEFAULT="ÖNTANIMLI OLMAYAN"
STATUS_NONE="YOK"
STATUS_NOT_ACTIVE="NOT ACTIVE"
#STATUS_NOT_CONFIGURED="NOT CONFIGURED"
#STATUS_NOT_DISABLED="NOT DISABLED"
#STATUS_NOT_ENABLED="NOT ENABLED"
STATUS_NOT_ACTIVE="ETKİN DEĞİL"
STATUS_NOT_CONFIGURED="YAPILANDIRILMADI"
STATUS_NOT_DISABLED="DEVRE DIŞI BIRAKILMADI"
STATUS_NOT_ENABLED="ETKİNLEŞTİRİLMEDİ"
STATUS_NOT_FOUND="BULUNAMADI"
STATUS_NOT_RUNNING="ÇALIŞMIYOR"
#STATUS_NO_UPDATE="NO UPDATE"
STATUS_OFF="KAPALI"
STATUS_OK="TAMAM"
STATUS_ON="AÇIK"
#STATUS_PARTIALLY_HARDENED="PARTIALLY HARDENED"
#STATUS_PROTECTED="PROTECTED"
STATUS_PARTIALLY_HARDENED="KISMEN SIKILAŞTIRILDI"
STATUS_PROTECTED="KORUMALI"
STATUS_RUNNING="ÇALIŞIYOR"
STATUS_SKIPPED="ATLANDI"
STATUS_SUGGESTION="ÖNERİ"
STATUS_UNKNOWN="BİLİNMİYOR"
#STATUS_UNSAFE="UNSAFE"
#STATUS_UPDATE_AVAILABLE="UPDATE AVAILABLE"
STATUS_UNSAFE="GÜVENLİ DEĞİL"
STATUS_UPDATE_AVAILABLE="GÜNCELLEME VAR"
STATUS_WARNING="UYARI"
#STATUS_WEAK="WEAK"
STATUS_WEAK="ZAYIF"
STATUS_YES="EVET"
TEXT_UPDATE_AVAILABLE="güncelleme mevcut"
TEXT_YOU_CAN_HELP_LOGFILE="Log dosyanızı göndererek yardımcı olabilirsiniz"
TEXT_UPDATE_AVAILABLE="güncelleme var"
TEXT_YOU_CAN_HELP_LOGFILE="Günlük dosyanızı göndererek yardımcı olabilirsiniz"
#SECTION_KERBEROS="Kerberos"

View File

@ -276,6 +276,7 @@ MALW-3284:test:security:malware::Check for clamd:
MALW-3286:test:security:malware::Check for freshclam:
MALW-3288:test:security:malware::Check for ClamXav:
MALW-3290:test:security:malware::Presence of malware scanner:
MALW-3291:test:security:malware::Check for Microsoft Defender Antivirus:
NAME-4016:test:security:nameservices::Check /etc/resolv.conf default domain:
NAME-4018:test:security:nameservices::Check /etc/resolv.conf search domains:
NAME-4020:test:security:nameservices::Check non default options:

View File

@ -144,6 +144,7 @@ plugin=software
plugin=system-integrity
plugin=systemd
plugin=users
plugin=krb5
# Disable a particular plugin (will overrule an enabled plugin)
#disable-plugin=authentication
@ -197,7 +198,7 @@ config-data=sysctl;kernel.exec-shield;1;1;No description;sysctl -a;url:https;//k
config-data=sysctl;kernel.kptr_restrict;2;1;Restrict access to kernel symbols;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.maps_protect;1;1;Restrict access to /proc/[pid]/maps;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.modules_disabled;1;1;Restrict module loading once this sysctl value is loaded;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.perf_event_paranoid;3;1;Restrict unprivileged access to the perf_event_open() system call.;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.perf_event_paranoid;2|3|4;1;Restrict unprivileged access to the perf_event_open() system call.;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.randomize_va_space;2;1;Randomize of memory address locations (ASLR);sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.suid_dumpable;0;1;Restrict core dumps;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
config-data=sysctl;kernel.sysrq;0;1;Disable magic SysRQ;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;

View File

@ -196,6 +196,8 @@
iptables-save) IPTABLESSAVEBINARY="${BINARY}"; LogText " Found known binary: iptables-save (firewall) - ${BINARY}" ;;
istat) ISTATBINARY="${BINARY}"; LogText " Found known binary: istat (file information) - ${BINARY}" ;;
journalctl) JOURNALCTLBINARY="${BINARY}"; LogText " Found known binary: journalctl (systemd journal) - ${BINARY}" ;;
kadmin.local) KADMINLOCALBINARY="${BINARY}"; LogText " Found known binary: kadmin.local (krb5) - ${BINARY}" ;;
kdb5_util) KDB5UTILBINARY="${BINARY}"; LogText " Found known binary: kdb5_util (krb5) - ${BINARY}" ;;
kldstat) KLDSTATBINARY="${BINARY}"; LogText " Found known binary: kldstat (kernel modules) - ${BINARY}" ;;
kstat) KSTATBINARY="${BINARY}"; LogText " Found known binary: kstat (kernel statistics) - ${BINARY}" ;;
launchctl) LAUNCHCTL_BINARY="${BINARY}"; SERVICE_MANAGER="launchd"; LogText " Found known binary: launchctl (launchd client) - ${BINARY}" ;;
@ -338,7 +340,7 @@
# If grep is capable of extended regexp, use that instead of egrep to avoid annoying warning
if [ "${GREPBINARY:-}" ] ; then
${GREPBINARY} --help | ${GREPBINARY} -e "extended-regexp" > /dev/null
${GREPBINARY} --help 2> /dev/null | ${GREPBINARY} -e "extended-regexp" > /dev/null
if [ $? -eq 0 ] ; then
EGREPBINARY="${GREPBINARY} -E"
fi

View File

@ -169,6 +169,7 @@ ETC_PATHS="/etc /usr/local/etc"
MACHINEID=""
MACHINE_ROLE=""
MALWARE_SCANNER_INSTALLED=0
MDATPBINARY=""
MIN_PASSWORD_LENGTH=-1
MONGODB_RUNNING=0
MOUNTBINARY=""
@ -298,7 +299,9 @@ ETC_PATHS="/etc /usr/local/etc"
SSL_CERTIFICATE_INCLUDE_PACKAGES=0
SSL_CERTIFICATE_PATHS=""
SSL_CERTIFICATE_PATHS_TO_IGNORE=""
STATUS_NOT_ACTIVE=""
STUNNELBINARY=""
SURICATABINARY=""
SWUPDBINARY=""
SYSLOGNGBINARY=""
SYSTEMCTLBINARY=""

View File

@ -2086,6 +2086,10 @@
elif [ -n "${PKGINFOBINARY}" ]; then
output=$(${PKGINFOBINARY} -q -e ${package} >/dev/null 2>&1)
exit_code=$? # 0=package installed, 1=package not installed
# Slackware also has RPM for some reason and that's why this test precedes the RPMBINARY test
elif [ "${OS_NAME}" = "Slackware Linux" -a -d "${ROOTDIR}/var/lib/pkgtools/packages" ]; then
output=$( ls ${ROOTDIR}/var/lib/pkgtools/packages/ 2> /dev/null | ${GREPBINARY} "^${package}-[^-]\+-[^-]\+-[^-]\+$" )
exit_code=$?
elif [ -n "${RPMBINARY}" ]; then
output=$(${RPMBINARY} --quiet -q ${package} > /dev/null 2>&1)
exit_code=$?
@ -2099,7 +2103,7 @@
output=$(${XBPSBINARY} ${package} 2> /dev/null | ${GREPBINARY} "^ii")
exit_code=$?
elif [ -n "${APKBINARY}" ]; then
output=$(${APKBINARY} search ${package} 2> /dev/null | ${GREPBINARY} ${package})
output=$(${APKBINARY} list --installed ${package} 2> /dev/null | ${GREPBINARY} ${package})
exit_code=$?
else
if [ "${package}" != "__dummy__" ]; then
@ -2758,7 +2762,6 @@
if [ ${SKIPLOGTEST} -eq 0 ]; then LogText "Reason to skip: ${SKIPREASON}"; fi
TESTS_SKIPPED="${TEST_NO}|${TESTS_SKIPPED}"
fi
unset SKIPREASON
# Save timestamp for next time the Register function is called
PREVIOUS_TEST="${TEST_NO}"
@ -3171,7 +3174,7 @@
if [ ${PENTESTINGMODE} -eq 0 -a ${IS_PARAMETERS} -eq 0 ]; then
if [ ! "${GROUP}" = "root" -a ! "${GROUP}" = "wheel" -a ! "${GROUPID}" = "0" ]; then
echo "Fatal error: group owner of directory $1 should be owned by root user, wheel or similar (found: ${GROUP})."
echo "Fatal error: group owner of directory $1 should be owned by root group, wheel or similar (found: ${GROUP})."
ExitFatal
fi
fi

View File

@ -160,6 +160,11 @@
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"altlinux")
LINUX_VERSION="ALT Linux"
OS_NAME="altlinux"
OS_VERSION=$(grep "^ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"amzn")
LINUX_VERSION="Amazon Linux"
OS_NAME="Amazon Linux"
@ -221,6 +226,11 @@
OS_NAME="CoreOS Linux"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"cos")
LINUX_VERSION="Container-Optimized OS"
OS_NAME="Container-Optimized OS from Google"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"debian")
LINUX_VERSION="Debian"
OS_NAME="Debian"
@ -290,6 +300,12 @@
OS_NAME="Kali Linux"
OS_VERSION="Rolling release"
;;
"koozali")
LINUX_VERSION="Koozali"
OS_NAME="Koozali SME Server"
OS_REDHAT_OR_CLONE=1
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"linuxmint")
LINUX_VERSION="Linux Mint"
LINUX_VERSION_LIKE="Ubuntu"
@ -314,6 +330,13 @@
OS_NAME="Manjaro"
OS_VERSION="Rolling release"
;;
"neon")
LINUX_VERSION="KDE Neon"
LINUX_VERSION_LIKE="Ubuntu"
OS_NAME="KDE Neon"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"nethserver")
LINUX_VERSION="NethServer"
OS_NAME="NethServer"
@ -332,6 +355,12 @@
OS_REDHAT_OR_CLONE=1
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"nobara")
LINUX_VERSION="Nobara"
OS_NAME="Nobara Linux"
OS_REDHAT_OR_CLONE=1
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"nodistro")
LINUX_VERSION="openembedded"
OS_NAME="OpenEmbedded"
@ -381,6 +410,13 @@
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_NAME="Pop!_OS"
;;
"postmarketos")
LINUX_VERSION="PostmarketOS"
LINUX_VERSION_LIKE="Alpine"
OS_NAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
"pureos")
LINUX_VERSION="PureOS"
LINUX_VERSION_LIKE="Debian"
@ -445,7 +481,7 @@
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
*)
ReportException "OS Detection" "Unknown OS found in /etc/os-release - Please create an issue on GitHub and share the the contents (cat /etc/os-release): ${PROGRAM_SOURCE}"
ReportException "OS Detection" "Unknown OS found in /etc/os-release - Please create an issue on GitHub and share the contents (cat /etc/os-release): ${PROGRAM_SOURCE}"
;;
esac
fi

View File

@ -56,7 +56,7 @@
fi
# Security check for unexpected and possibly harmful escape characters (hyphen should be listed as first or last character)
DATA=$(grep -Ev '^$|^ |^#|^config:' "${PROFILE}" | tr -d '[:alnum:]/\[\]\(\)_\|,\.:;= \n\r-')
DATA=$(grep -Ev '^$|^ |^#|^config:' "${PROFILE}" | tr -d '[a-zA-Z0-9]/\[\]\(\)_\|,\.:;= \n\r-')
if ! IsEmpty "${DATA}"; then
DisplayWarning "Your profile '${PROFILE}' contains unexpected characters. See the log file for more information."
LogText "Found unexpected or possibly harmful characters in profile '${PROFILE}'. See which characters matched in the output below and compare them with your profile."
@ -68,7 +68,7 @@
fi
# Now parse the profile and filter out unwanted characters
DATA=$(grep -E "^config:|^[a-z-].*=" ${PROFILE} | tr -dc '[:alnum:]/\[\]\(\)_\|,\.:;= \n\r-' | sed 's/ /!space!/g')
DATA=$(grep -E "^config:|^[a-z-].*=" ${PROFILE} | tr -dc '[a-zA-Z0-9]/\[\]\(\)_\|,\.:;= \n\r-' | sed 's/ /!space!/g')
for CONFIGOPTION in ${DATA}; do
if ContainsString "^config:" "${CONFIGOPTION}"; then
# Old style configuration
@ -352,7 +352,7 @@
# Which tests to skip (skip-test=ABCD-1234 or skip-test=ABCD-1234:subtest)
skip-test)
STRING=$(echo ${VALUE} | tr '[:lower:]' '[:upper:]')
STRING=$(echo ${VALUE} | awk '{print toupper($0)}')
SKIP_TESTS="${SKIP_TESTS} ${STRING}"
;;
@ -371,7 +371,7 @@
ssl-certificate-paths-to-ignore)
# Retrieve paths to ignore when searching for certificates. Strip special characters, replace possible spaces
SSL_CERTIFICATE_PATHS_TO_IGNORE=$(echo ${VALUE} | tr -d '[:cntrl:]' | sed 's/ /__space__/g' | tr ':' ' ')
SSL_CERTIFICATE_PATHS_TO_IGNORE=$(echo ${VALUE} | tr -d '[\001-\037]' | sed 's/ /__space__/g' | tr ':' ' ')
Debug "SSL paths to ignore: ${SSL_CERTIFICATE_PATHS_TO_IGNORE}"
AddSetting "ssl-certificate-paths-to-ignore" "${SSL_CERTIFICATE_PATHS_TO_IGNORE}" "Paths that should be ignored for SSL certificates"
;;
@ -479,7 +479,7 @@
# Deprecated: skip tests
test_skip_always)
STRING=$(echo ${VALUE} | tr '[:lower:]' '[:upper:]')
STRING=$(echo ${VALUE} | awk '{print toupper($0)}')
SKIP_TESTS="${SKIP_TESTS} ${STRING}"
LogText "[deprecated option] Tests to be skipped: ${VALUE}"
DisplayToolTip "Replace deprecated option 'test_skip_always' and replace with 'skip-test' (add to custom.prf)"

View File

@ -717,7 +717,7 @@
if [ ${FOUND} -eq 0 ]; then
Display --indent 2 --text "- PAM password strength tools" --result "${STATUS_SUGGESTION}" --color YELLOW
LogText "Result: no PAM modules for password strength testing found"
ReportSuggestion "${TEST_NO}" "Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc"
ReportSuggestion "${TEST_NO}" "Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc or libpam-passwdqc"
AddHP 0 3
else
Display --indent 2 --text "- PAM password strength tools" --result "${STATUS_OK}" --color GREEN

View File

@ -27,7 +27,7 @@
#################################################################################
#
BANNER_FILES="${ROOTDIR}etc/issue ${ROOTDIR}etc/issue.net ${ROOTDIR}etc/motd"
LEGAL_BANNER_STRINGS="audit access authori condition connect consent continu criminal enforce evidence forbidden intrusion law legal legislat log monitor owner penal policy policies privacy private prohibited record restricted secure subject system terms warning"
LEGAL_BANNER_STRINGS="audit access authori condition connect consent continu criminal enforce evidence forbidden intrusion law legal legislat log monitor owner penal policy policies privacy private prohibited prosecute record report restricted secure subject system terms warning"
#
#################################################################################
#

View File

@ -107,7 +107,7 @@
LogText "Result: disabling further Docker tests as docker version gave exit code other than zero (0)"
RUN_DOCKER_TESTS=0
fi
FIND=$(${DOCKERBINARY} info 2>&1 | ${GREPBINARY} "^WARNING:" | ${CUTBINARY} -d " " -f 2- | ${SEDBINARY} 's/ /:space:/g')
FIND=$(${DOCKERBINARY} info 2>&1 | ${GREPBINARY} -E "^WARNING:|^ERROR:" | ${CUTBINARY} -d " " -f 2- | ${SEDBINARY} 's/ /:space:/g')
if [ ! "${FIND}" = "" ]; then
LogText "Result: found warning(s) in output"
for I in ${FIND}; do

View File

@ -217,6 +217,33 @@
fi
#
#################################################################################
#
# Test : CRYP-7932
# Description : Determine if system has enabled macOS FileVault encryption
Register --test-no CRYP-7932 --os macOS --weight L --network NO --category crypto --description "Determine if system has enabled macOS FileVault encryption"
if [ ${SKIPTEST} -eq 0 ]; then
if command -v fdesetup &> /dev/null; then
case $(fdesetup status) in
*"FileVault is On."*)
LogText "Result: FileVault is enabled."
Display --indent 2 --text "- FileVault is enabled." --result "${STATUS_OK}" --color GREEN
Report "encryption[]=filevault"
AddHP 3 3
;;
*)
LogText "Result: FileVault is not enabled."
Display --indent 2 --text "- FileVault is not enabled." --result "${STATUS_WARNING}" --color RED
AddHP 0 3
;;
esac
else
LogText "Result: fdesetup command not found. Unable to determine FileVault status."
Display --indent 2 --text "- Unable to determine FileVault status (fdesetup command not found)." --result "${STATUS_WARNING}" --color YELLOW
AddHP 0 3
fi
fi
#
#################################################################################
#
# Test : CRYP-8002
# Description : Gather available kernel entropy

View File

@ -186,8 +186,10 @@
# Test : DBS-1826
# Description : Check if PostgreSQL is being used
Register --test-no DBS-1826 --weight L --network NO --category security --description "Checking active PostgreSQL processes"
for PROCES in postgres postmaster
do
if [ ${SKIPTEST} -eq 0 ]; then
if IsRunning "postgres"; then
if IsRunning "${PROCES}"; then
Display --indent 2 --text "- PostgreSQL processes status" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: PostgreSQL is active"
POSTGRESQL_RUNNING=1
@ -195,9 +197,10 @@
Report "postgresql_running=${POSTGRESQL_RUNNING}"
else
if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- PostgreSQL processes status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
LogText "Result: PostgreSQL process not active"
LogText "Result: PostgreSQL process ${PROCES} not active"
fi
fi
done
#
#################################################################################
#
@ -211,14 +214,15 @@
# Arch /var/lib/postgres/data/postgresql.conf
# CentOS/Fedora /var/lib/pgsql/data/postgresql.conf
# Ubuntu /etc/postgresql/x.y/main/postgresql.conf
# FreeBSD /var/db/postgres/data[0-9][0-9]/postgresql.conf
if [ "${POSTGRESQL_RUNNING}" -eq 1 ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="PostgreSQL not installed or not running"; fi
Register --test-no DBS-1828 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Test PostgreSQL configuration"
if [ ${SKIPTEST} -eq 0 ]; then
FIND_PATHS=$(${LSBINARY} -d ${ROOTDIR}usr/local/pgsql/data* 2> /dev/null)
FIND_PATHS="${FIND_PATHS} ${ROOTDIR}etc/postgres ${ROOTDIR}etc/postgresql ${ROOTDIR}var/lib/postgres/data ${ROOTDIR}usr/local/pgsql/data"
CONFIG_FILES=$(${FINDBINARY} -L ${FIND_PATHS} -type f -name "*.conf" -print0 2> /dev/null | ${TRBINARY} -cd '[:print:]\0' | ${TRBINARY} -d '\n' | ${TRBINARY} '\0' '\n' | xargs -i sh -c 'test -r "{}" && echo "{}"' | ${SEDBINARY} "s/ /:space:/g")
FIND_PATHS="${FIND_PATHS} ${ROOTDIR}etc/postgres ${ROOTDIR}etc/postgresql ${ROOTDIR}var/lib/postgres/data ${ROOTDIR}usr/local/pgsql/data ${ROOTDIR}var/lib/pgsql/data ${ROOTDIR}var/db/postgres/data[0-9][0-9]"
CONFIG_FILES=$(${FINDBINARY} -L ${FIND_PATHS} -type f -name "*.conf" -print0 2> /dev/null | ${TRBINARY} -cd '[:print:]\0' | ${TRBINARY} -d '\n' | ${TRBINARY} '\0' '\n' | xargs -I'{}' sh -c 'test -r "{}" && echo "{}"' | ${SEDBINARY} "s/ /:space:/g")
for CF in ${CONFIG_FILES}; do
Report "postgresql_config_file[]=${CF}"
LogText "Found configuration file (${CF})"

View File

@ -346,7 +346,13 @@
LINUX_KERNEL_MAJOR=$(echo $OS_KERNELVERSION | ${AWKBINARY} -F. '{print $1}')
LINUX_KERNEL_MINOR=$(echo $OS_KERNELVERSION | ${AWKBINARY} -F. '{print $2}')
if [ -n "${LINUX_KERNEL_MAJOR}" -a -n "${LINUX_KERNEL_MINOR}" ]; then
if [ ${LINUX_KERNEL_MAJOR} -ge 3 -a ${LINUX_KERNEL_MINOR} -ge 3 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
if [ ${LINUX_KERNEL_MAJOR} -ge 3 -a ${LINUX_KERNEL_MINOR} -ge 3 ]; then
PREQS_MET="YES";
elif [ ${LINUX_KERNEL_MAJOR} -ge 4 ]; then
PREQS_MET="YES";
else
PREQS_MET="NO";
fi
else
PREQS_MET="NO";
fi
@ -726,11 +732,45 @@
#
#################################################################################
#
# Test : FILE-6398 TODO
# Test : FILE-6398
# Description : Check if JBD (Journal Block Device) driver is loaded
# Want to contribute to Lynis? Create this test
Register --test-no FILE-6398 --os Linux --weight L --network NO --category security --description "Checking if JBD (Journal Block Device) driver is loaded"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking if JBD (Journal Block Device) driver is loaded"
NOTINUSE=0
# Cannot check if driver is loaded/present if kernel is monolithic
if [ ${MONOLITHIC_KERNEL} -eq 0 ]; then
JBD=$(${LSMODBINARY} | ${GREPBINARY} ^jbd)
if [ -n "${JBD}" ]; then
LogText "Result: JBD driver is loaded"
INUSE=$(echo ${JBD} | ${AWKBINARY} '{if ($3 -ne 0) {print $4}}')
if [ -n "${INUSE}" ]; then
LogText "Result: JBD driver is in use by drivers: ${INUSE}"
Report "JBD driver is in use by drivers: ${INUSE}"
Display --indent 2 --text "- JBD driver loaded and in use" --result "${STATUS_OK}" --color GREEN
else
NOTINUSE=1
LogText "Result: JBD driver loaded, but not in use"
Report "JBD driver is loaded, but not in use."
Display --indent 2 --text "- JBD driver loaded, but not in use" --result "${STATUS_SUGGESTION}" --color YELLOW
fi
else
NOTINUSE=2
LogText "Result: JBD driver not loaded"
Report "JBD driver not loaded."
Display --indent 2 --text "- JBD driver is not loaded" --result "${STATUS_CHECK_NEEDED}" --color YELLOW
fi
if [ ${NOTINUSE} -eq 1 ]; then
ReportSuggestion "${TEST_NO}" "The JBD (Journal Block Device) driver is loaded but not in use." "You are currently not using any filesystems with journaling, i.e. you have greater risk of data corruption in case of system crash."
elif [ ${NOTINUSE} -eq 2 ]; then
ReportSuggestion "${TEST_NO}" "The JBD (Journal Block Device) driver is not loaded." "Since boot-time, you have not been using any filesystems with journaling. Alternatively, reason could be driver is blacklisted."
fi
else
LogText "Kernel is monolithic - cannot check if JBD driver is part of compiled kernel."
Report "Kernel is monolithic - cannot check if JBD driver is part of compiled kernel."
Display --indent 2 --text "- JBD driver: unable to check" --result "${STATUS_UNKNOWN}" --color RED
fi
fi
#
#################################################################################
#

188
include/tests_kerberos Normal file
View File

@ -0,0 +1,188 @@
#!/bin/sh
InsertSection "${SECTION_KERBEROS}"
#
#########################################################################
#
# Test : KRB-1000
# Description : Check that Kerberos principals have passwords that expire
Register --test-no KRB-1000 --weight L --network NO --description "Check for Kerberos KDC tools"
if [ -n "${KADMINLOCALBINARY}" ] && [ -n "${KDB5UTILBINARY}" ]
then
PREQS_MET="YES"
# Make sure krb5 debugging doesn't mess up the output
unset KRB5_TRACE
PRINCS="$(${KADMINLOCALBINARY} listprincs | ${TRBINARY:-tr} '\n' ' ')"
if [ -z "${PRINCS}" ]
then
PREQS_MET="NO"
fi
else
PREQS_MET="NO"
fi
if [ "${PREQS_MET}" = "YES" ]; then
Display --indent 2 --text "- Check for Kerberos KDC and principals" --result "${STATUS_FOUND}" --color GREEN
else
Display --indent 2 --text "- Check for Kerberos KDC and principals" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
# Test : KRB-1010
# Description : Check that Kerberos principals have passwords that expire
Register --test-no KRB-1010 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check that Kerberos principals have passwords that expire"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
for I in ${PRINCS}
do
FIND="$(${KADMINLOCALBINARY} getprinc "${I}" | ${GREPBINARY} '^Password expiration date:')"
if [ "${FIND}" = "Password expiration date: [never]" ]
then
LogText "Result: Kerberos principal ${I} has a password/key that never expires"
FOUND=1
fi
done
if [ ${FOUND} -eq 1 ]; then
Display --indent 4 --text "- Principals without expiring password" --result "${STATUS_WARNING}" --color RED
ReportSuggestion "${TEST_NO}" "Make sure all your Kerberos principals have expiring passwords"
else
Display --indent 4 --text "- Principals without expiring password" --result "${STATUS_OK}" --color GREEN
fi
fi
#
#################################################################################
#
# Test : KRB-1020
# Description : Check last password change for Kerberos principals
Register --test-no KRB-1020 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check last password change for Kerberos principals"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
for I in ${PRINCS}
do
FIND="$(${KADMINLOCALBINARY} getprinc "${I}" | ${SEDBINARY} -n '/^Last password change:\s\+/s/^Last password change:\s\+//p')"
if [ "${FIND}" = "[never]" ]
then
LogText "Result: Kerberos principal ${I} has a password/key that has never been changed"
FOUND=1
else
J="$(date -d "${FIND}" +%s)"
if [ ${J} -lt $((NOW - 60 * 60 * 24 * 365)) ]
then
LogText "Result: Kerberos principal ${I} has had a password/key change over a year ago"
FOUND=1
fi
fi
done
if [ ${FOUND} -eq 1 ]; then
Display --indent 4 --text "- Principals with late password change" --result "${STATUS_WARNING}" --color RED
ReportSuggestion "${TEST_NO}" "Enforce frequent password/key change for your Kerberos principals"
else
Display --indent 4 --text "- Principals with late password change" --result "${STATUS_OK}" --color GREEN
fi
fi
#
#################################################################################
#
# Test : KRB-1030
# Description : Check that Kerberos principals have a policy associated to them
Register --test-no KRB5-1030 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check that Kerberos principals have a policy associated to them"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
for I in ${PRINCS}
do
FIND="$(${KADMINLOCALBINARY} getprinc "${I}" | ${GREPBINARY} '^Policy:')"
if [ "${FIND}" = "Policy: [none]" ]
then
LogText "Result: Kerberos principal ${I} does not have a policy associated to it"
FOUND=1
fi
done
if [ ${FOUND} -eq 1 ]; then
Display --indent 4 --text "- Principals without associated policy" --result "${STATUS_WARNING}" --color RED
ReportSuggestion "${TEST_NO}" "Make sure all your Kerberos principals have a policy associated to them"
else
Display --indent 4 --text "- Principals without associated policy" --result "${STATUS_OK}" --color GREEN
fi
fi
#
#################################################################################
#
# Test : KRB-1040
# Description : Check various attributes for Kerberos principals
Register --test-no KRB5-1040 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check various attributes for Kerberos principals"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
for I in ${PRINCS}
do
J="$(${KADMINLOCALBINARY} getprinc "${I}" | ${SEDBINARY} -n 's/^Attributes:\s\+\(.\+\)$/\1/p')"
if ContainsString "^K/M@" "${I}" || \
ContainsString "^kadmin/admin@" "${I}" || \
ContainsString "^kadmin/changepw@" "${I}" || \
ContainsString "^krbtgt/" "${I}"
then
if ! ContainsString "\bLOCKDOWN_KEYS\b" "${J}"
then
LogText "Result: Sensitive Kerberos principal ${I} does not have the lockdown_keys attribute"
FOUND=1
fi
elif ContainsString "/admin@" "${I}"
then
if ! ContainsString "\bDISALLOW_TGT_BASED\b" "${J}"
then
LogText "Result: Kerberos admin principal ${I} does not have the disallow_tgt_based attribute"
FOUND=1
fi
elif ContainsString "^[^/$]+@" "${I}"
then
if ! ContainsString "\bREQUIRES_PRE_AUTH\b.+\bDISALLOW_SVR\b" "${J}"
then
LogText "Result: Regular Kerberos user principal ${I} does not have the requires_pre_auth and/or the disallow_svr attribute"
FOUND=1
fi
fi
done
if [ ${FOUND} -eq 1 ]; then
Display --indent 4 --text "- Checking principals for various attributes" --result "${STATUS_WARNING}" --color RED
ReportSuggestion "${TEST_NO}" "Harden your Kerberos principals with appropriate attributes"
else
Display --indent 4 --text "- Checking principals for various attributes" --result "${STATUS_OK}" --color GREEN
fi
fi
#
#################################################################################
#
# Test : KRB-1050
# Description : Check for weak crypto
Register --test-no KRB-1050 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for weak crypto"
if [ ${SKIPTEST} -eq 0 ]; then
FIND=$(${KDB5UTILBINARY} tabdump keyinfo | ${AWKBINARY} '$4 ~ /(des|arcfour|cbc|sha1)/{print$1,$4}')
if [ -n "${FIND}" ]; then
while read I J
do
LogText "Result: Kerberos principal ${I} has a key with weak cryptographic algorithm ${J}"
done << EOF
${FIND}
EOF
Display --indent 4 --text "- Principals with weak crypto" --result "${STATUS_WARNING}" --color RED
ReportSuggestion "${TEST_NO}" "Remove weak (des|arcfour|cbc|sha1) cryptographic keys from principals"
else
Display --indent 4 --text "- Principals with weak crypto" --result "${STATUS_OK}" --color GREEN
fi
fi
#
#################################################################################
#
unset PRINCS
unset I
unset J
#EOF

View File

@ -41,28 +41,17 @@
if [ ${SKIPTEST} -eq 0 ]; then
# Checking if we can find the systemd default target
LogText "Test: Checking for systemd default.target"
if [ -L ${ROOTDIR}etc/systemd/system/default.target ]; then
LogText "Result: symlink found"
if HasData "${READLINKBINARY}"; then
FIND=$(${READLINKBINARY} ${ROOTDIR}etc/systemd/system/default.target)
if ! HasData "${FIND}"; then
LogText "Exception: can't find the target of the symlink of /etc/systemd/system/default.target"
ReportException "${TEST_NO}:01"
else
FIND2=$(${ECHOCMD} ${FIND} | ${GREPBINARY} -E "runlevel5|graphical")
if HasData "${FIND2}"; then
LogText "Result: Found match on runlevel5/graphical"
Display --indent 2 --text "- Checking default runlevel" --result "runlevel 5" --color GREEN
Report "linux_default_runlevel=5"
else
LogText "Result: No match found on runlevel, defaulting to runlevel 3"
Display --indent 2 --text "- Checking default runlevel" --result "runlevel 3" --color GREEN
Report "linux_default_runlevel=3"
fi
fi
if [ $(${SYSTEMCTLBINARY} get-default) ]; then
FIND=$(${SYSTEMCTLBINARY} get-default)
FIND2=$(${ECHOCMD} ${FIND} | ${EGREPBINARY} "runlevel5|graphical")
if HasData "${FIND2}"; then
LogText "Result: Found match on runlevel5/graphical"
Display --indent 2 --text "- Checking default runlevel" --result "runlevel 5" --color GREEN
Report "linux_default_runlevel=5"
else
LogText "Result: No readlink binary, can't determine where symlink is pointing to"
Display --indent 2 --text "- Checking default run level" --result "${STATUS_UNKNOWN}" --color YELLOW
LogText "Result: No match found on runlevel, defaulting to runlevel 3"
Display --indent 2 --text "- Checking default runlevel" --result "runlevel 3" --color GREEN
Report "linux_default_runlevel=3"
fi
else
LogText "Result: no systemd found, so trying inittab"
@ -467,7 +456,7 @@
SYSD_CORED_BASE_STORAGE_FOUND=$(${GREPBINARY} -v "^ *#" ${ROOTDIR}etc/systemd/coredump.conf 2> /dev/null | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -i "^Storage=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g')
SYSD_CORED_BASE_STORAGE_NR_ENABLED=$(${ECHOCMD} "${SYSD_CORED_BASE_STORAGE_FOUND}" | ${SEDBINARY} 's/none//g' | ${WCBINARY} | ${AWKBINARY} '{print $2}')
SYSD_CORED_BASE_STORAGE_NR_DISABLED=$(${ECHOCMD} "${SYSD_CORED_BASE_STORAGE_FOUND}" | ${GREPBINARY} -o "none" | ${WCBINARY} | ${AWKBINARY} '{print $2}')
# check conf files in possibly existing coredump.conf.d folders
# check conf files in possibly existing coredump.conf.d folders
# using find instead of grep -r to stay POSIX compliant. On AIX and HPUX grep -r is not available.
# while there could be multiple files overwriting each other, we are checking the number of occurrences
SYSD_CORED_SUB_PROCSIZEMAX_NR_DISABLED=$(${FINDBINARY} -L /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} "^0 *$" | ${WCBINARY} -l)
@ -531,7 +520,7 @@
Display --indent 4 --text "- configuration in ${ROOTDIR}etc/profile" --result "${STATUS_ERROR}" --color YELLOW
fi
fi
# Limits options
for DIR in "/" "/usr/"; do
LogText "Test: Checking presence ${DIR}etc/security/limits.conf"
@ -692,7 +681,7 @@
else
# Match on items like /boot/vm5.3.7 or /boot/vmlinuz-5.3.7-1-default. Sort based on versions (-v) and then find the last item
# Note: ignore a rescue kernel (e.g. CentOS)
FOUND_VMLINUZ=$(${LSBINARY} -v ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${GREPBINARY} -v '\-rescue\-' | ${TAILBINARY} -1)
FOUND_VMLINUZ=$(${LSBINARY} -v ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${GREPBINARY} -v '\-rescue-' | ${TAILBINARY} -1)
LogText "Result: found ${FOUND_VMLINUZ}"
fi
@ -840,7 +829,7 @@
else
LogText "Result: Skipping this test, as extracting the seconds of package date failed"
fi
if [ -n "${UNAME_OUTPUT}" ]; then
LogText "Result: Got an output from 'uname -v'"
LogText "Check: Trying to extract kernel build date from 'uname -v' output"
@ -911,8 +900,7 @@
else
LogText "Result: Did not get output from 'uname -v'. Skipping test."
fi
else
LogText "Result: /var/cache/apt/archives/ does not exist"
fi

View File

@ -28,6 +28,7 @@
METALOG_RUNNING=0
RFC3195D_RUNNING=0
RSYSLOG_RUNNING=0
WAZUH_AGENT_RUNNING=0
SOLARIS_LOGHOST=""
SOLARIS_LOGHOST_FOUND=0
SOLARIS_LOGHOST_LOCALHOST=0
@ -220,6 +221,23 @@
fi
#
#################################################################################
#
# Test : LOGG-2144
# Description : Check for wazuh-agent presence on Linux systems
Register --test-no LOGG-2144 --os Linux --weight L --network NO --category security --description "Checking wazuh-agent"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Result: Searching for wazuh-agent instances in the process list"
if IsRunning "wazuh-agent"; then
LogText "Result: Found wazuh-agent in process list"
Display --indent 4 --text "- Checking wazuh-agent status" --result "${STATUS_FOUND}" --color GREEN
WAZUH_AGENT_RUNNING=1
else
LogText "Result: wazuh-agent NOT found in process list"
Display --indent 4 --text "- Checking wazuh-agent daemon status" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
#################################################################################
#
# Test : LOGG-2146
# Description : Check for logrotate (/etc/logrotate.conf and logrotate.d)
@ -446,6 +464,21 @@
fi
fi
# Test wazuh-agent configuration for syslog configuration
if [ ${WAZUH_AGENT_RUNNING} ]; then
WAZUH_AGENT_CONF="/var/ossec/etc/ossec.conf"
fi
if [ -f ${WAZUH_AGENT_CONF} ]; then
LogText "Test: Checking Wazuh agent configuration for remote syslog forwarding"
FIND=$(${EGREPBINARY} '<location>/var/log/syslog</location>' ${WAZUH_AGENT_CONF})
if [ "${FIND}" ]; then
DESTINATION=$(${EGREPBINARY} -o '<address>([A-Za-z0-9\.\-\_]*)</address>' ${WAZUH_AGENT_CONF} | sed 's/<address>//' | sed 's/<\/address>//')
LogText "Result: found destination ${DESTINATION} configured for remote logging with wazuh"
REMOTE_LOGGING_ENABLED=1
fi
fi
# Show result
if [ ${REMOTE_LOGGING_ENABLED} -eq 0 ]; then
Report "remote_syslog_configured=0"

View File

@ -158,10 +158,14 @@
Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_WARNING}" --color RED
fi
Display --indent 8 --text "Current SELinux mode: ${FIND}"
PERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${TRBINARY} '\n' ' ')
NPERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${WCBINARY} -l)
Display --indent 8 --text "Found ${NPERMISSIVE} permissive SELinux object types"
LogText "Permissive SELinux object types: ${PERMISSIVE}"
if [ -n "${SEMANAGEBINARY}" ]; then
PERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${TRBINARY} '\n' ' ')
NPERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${WCBINARY} -l)
Display --indent 8 --text "Found ${NPERMISSIVE} permissive SELinux object types"
LogText "Permissive SELinux object types: ${PERMISSIVE}"
else
LogText "Result: semanage binary NOT found, can't analyse permissive domains"
fi
UNCONFINED=$(${PSBINARY} -eo label,pid,command | ${GREPBINARY} '[u]nconfined_t' | ${TRBINARY} '\n' ' ')
INITRC=$(${PSBINARY} -eo label,pid,command | ${GREPBINARY} '[i]nitrc_t' | ${TRBINARY} '\n' ' ')
NUNCONFINED=$(${PSBINARY} -eo label | ${GREPBINARY} '[u]nconfined_t' | ${WCBINARY} -l)

View File

@ -44,6 +44,7 @@
SYMANTEC_SCANNER_RUNNING=0
SYNOLOGY_DAEMON_RUNNING=0
TRENDMICRO_DSA_DAEMON_RUNNING=0
WAZUH_DAEMON_RUNNING=0
#
#################################################################################
#
@ -53,16 +54,12 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking presence McAfee VirusScan for Command Line"
if [ -x /usr/local/uvscan/uvscan ]; then
Display --indent 2 --text "- ${GEN_CHECKING} McAfee VirusScan for Command Line" --result "${STATUS_FOUND}" --color GREEN
Display --indent 2 --text "- ${GEN_CHECKING} McAfee VirusScan for Command Line (deprecated)" --result "${STATUS_FOUND}" --color RED
LogText "Result: Found ${MCAFEECLBINARY}"
MALWARE_SCANNER_INSTALLED=1
AddHP 2 2
Report "malware_scanner[]=mcafeecl"
else
LogText "Result: McAfee VirusScan for Command Line not found"
fi
AddHP 0 2
LogText "Result: McAfee Antivirus for Linux has been deprecated as of 1 Oct 2023 and will not receive updates. Please use another antivirus instead."
fi
fi
#
#################################################################################
#
# Test : MALW-3275
@ -187,8 +184,8 @@
fi
# ESET security products
LogText "Test: checking process esets_daemon"
if IsRunning "esets_daemon"; then
LogText "Test: checking process esets_daemon or oaeventd (ESET)"
if IsRunning "esets_daemon" || IsRunning "oaeventd"; then
FOUND=1
ESET_DAEMON_RUNNING=1
MALWARE_DAEMON_RUNNING=1
@ -323,6 +320,19 @@
Report "malware_scanner[]=trend-micro-av"
fi
# Wazuh agent
LogText "Test: checking process wazuh-agent to test for Wazuh agent"
if IsRunning "wazuh-agent"; then
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Wazuh agent" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: found Wazuh component"
FOUND=1
WAZUH_DAEMON_RUNNING=1
MALWARE_DAEMON_RUNNING=1
MALWARE_SCANNER_INSTALLED=1
ROOTKIT_SCANNER_FOUND=1
Report "malware_scanner[]=wazuh"
fi
if [ ${FOUND} -eq 0 ]; then
LogText "Result: no commercial anti-virus tools found"
AddHP 0 3
@ -369,6 +379,24 @@
fi
#
#################################################################################
#
# Test : MALW-3291
# Description : Check if Microsoft Defender Antivirus is installed
Register --test-no MALW-3291 --weight L --network NO --category security --description "Check for mdatp"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking presence mdatp"
if [ ! "${MDATPBINARY}" = "" ]; then
Display --indent 2 --text "- Checking Microsoft Defender Antivirus" --result "${STATUS_FOUND}" --color GREEN
LogText "Result: Found ${MDATPBINARY}"
MALWARE_SCANNER_INSTALLED=1
AddHP 2 2
Report "malware_scanner[]=mdatp"
else
LogText "Result: mdatp couldn't be found"
fi
fi
#
#################################################################################
#
# Test : MALW-3286
# Description : Check running freshclam if clamd process is running

View File

@ -485,7 +485,7 @@
LogText "Result: ypldap is running"
Display --indent 2 --text "- Checking ypldap status" --result "${STATUS_FOUND}" --color GREEN
else
ReportSuggestion "Disable the usage of NIS/NIS+ and use an alternative like LDAP or Kerberos instead"
ReportSuggestion "${TEST_NO}" "Disable the usage of NIS/NIS+ and use an alternative like LDAP or Kerberos instead"
fi
else
LogText "Result: ypbind is not active"

View File

@ -750,7 +750,7 @@
UNCOMMON_PROTOCOL_DISABLED=0
# First check modprobe.conf
if [ -f ${ROOTDIR}etc/modprobe.conf ]; then
DATA=$(${GREPBINARY} "^install \+${P} \+/bin/true$" ${ROOTDIR}etc/modprobe.conf)
DATA=$(${GREPBINARY} "^install \+${P} \+/bin/(true|false)$" ${ROOTDIR}etc/modprobe.conf)
if [ -n "${DATA}" ]; then
LogText "Result: found ${P} module disabled via modprobe.conf"
UNCOMMON_PROTOCOL_DISABLED=1
@ -759,7 +759,7 @@
# Then additional modprobe configuration files
if [ -d ${ROOTDIR}etc/modprobe.d ]; then
# Return file names (-l) and suppress errors (-s)
DATA=$(${GREPBINARY} -l -s "^install \+${P} \+/bin/true$" ${ROOTDIR}etc/modprobe.d/*)
DATA=$(${GREPBINARY} -l -s "^install \+${P} \+/bin/(true|false)$" ${ROOTDIR}etc/modprobe.d/*)
if [ -n "${DATA}" ]; then
UNCOMMON_PROTOCOL_DISABLED=1
for F in ${DATA}; do

View File

@ -30,8 +30,6 @@
# Possible locations of php.ini
PHPINILOCS="${ROOTDIR}etc/php.ini ${ROOTDIR}etc/php.ini.default \
${ROOTDIR}etc/php/php.ini \
${ROOTDIR}etc/php5.5/php.ini \
${ROOTDIR}etc/php5.6/php.ini \
${ROOTDIR}etc/php7.0/php.ini \
${ROOTDIR}etc/php7.1/php.ini \
${ROOTDIR}etc/php7.2/php.ini \
@ -42,11 +40,6 @@
${ROOTDIR}etc/php8.2/php.ini \
${ROOTDIR}etc/php8.3/php.ini \
${ROOTDIR}etc/php8.4/php.ini \
${ROOTDIR}etc/php/cgi-php5/php.ini \
${ROOTDIR}etc/php/cli-php5/php.ini \
${ROOTDIR}etc/php/apache2-php5/php.ini \
${ROOTDIR}etc/php/apache2-php5.5/php.ini \
${ROOTDIR}etc/php/apache2-php5.6/php.ini \
${ROOTDIR}etc/php/apache2-php7.0/php.ini \
${ROOTDIR}etc/php/apache2-php7.1/php.ini \
${ROOTDIR}etc/php/apache2-php7.2/php.ini \
@ -57,16 +50,11 @@
${ROOTDIR}etc/php/apache2-php8.2/php.ini \
${ROOTDIR}etc/php/apache2-php8.3/php.ini \
${ROOTDIR}etc/php/apache2-php8.4/php.ini \
${ROOTDIR}etc/php/cgi-php5.5/php.ini \
${ROOTDIR}etc/php/cgi-php5.6/php.ini \
${ROOTDIR}etc/php/cgi-php7.0/php.ini \
${ROOTDIR}etc/php/cgi-php7.1/php.ini \
${ROOTDIR}etc/php/cgi-php7.2/php.ini \
${ROOTDIR}etc/php/cgi-php7.3/php.ini \
${ROOTDIR}etc/php/cgi-php7.4/php.ini \
${ROOTDIR}etc/php/cgi-php8.0/php.ini \
${ROOTDIR}etc/php/cgi-php8.1/php.ini \
${ROOTDIR}etc/php/cgi-php8.2/php.ini \
${ROOTDIR}etc/php/cli-php5.5/php.ini \
${ROOTDIR}etc/php/cli-php5.6/php.ini \
${ROOTDIR}etc/php/cli-php7.0/php.ini \
@ -79,8 +67,6 @@
${ROOTDIR}etc/php/cli-php8.2/php.ini \
${ROOTDIR}etc/php/cli-php8.3/php.ini \
${ROOTDIR}etc/php/cli-php8.4/php.ini \
${ROOTDIR}etc/php/embed-php5.5/php.ini \
${ROOTDIR}etc/php/embed-php5.6/php.ini \
${ROOTDIR}etc/php/embed-php7.0/php.ini \
${ROOTDIR}etc/php/embed-php7.1/php.ini \
${ROOTDIR}etc/php/embed-php7.2/php.ini \
@ -91,24 +77,14 @@
${ROOTDIR}etc/php/embed-php8.2/php.ini \
${ROOTDIR}etc/php/embed-php8.3/php.ini \
${ROOTDIR}etc/php/embed-php8.4/php.ini \
${ROOTDIR}etc/php/fpm-php8.2/php.ini \
${ROOTDIR}etc/php/fpm-php8.1/php.ini \
${ROOTDIR}etc/php/fpm-php8.0/php.ini \
${ROOTDIR}etc/php/fpm-php7.4/php.ini \
${ROOTDIR}etc/php/fpm-php7.3/php.ini \
${ROOTDIR}etc/php/fpm-php7.2/php.ini \
${ROOTDIR}etc/php/fpm-php7.1/php.ini \
${ROOTDIR}etc/php/fpm-php7.0/php.ini \
${ROOTDIR}etc/php/fpm-php5.5/php.ini \
${ROOTDIR}etc/php/fpm-php5.6/php.ini \
${ROOTDIR}etc/php5/cgi/php.ini \
${ROOTDIR}etc/php5/cli/php.ini \
${ROOTDIR}etc/php5/cli-php5.4/php.ini \
${ROOTDIR}etc/php5/cli-php5.5/php.ini \
${ROOTDIR}etc/php5/cli-php5.6/php.ini \
${ROOTDIR}etc/php5/apache2/php.ini \
${ROOTDIR}etc/php5/fpm/php.ini \
${ROOTDIR}private/etc/php.ini \
${ROOTDIR}etc/php/fpm-php7.1/php.ini \
${ROOTDIR}etc/php/fpm-php7.2/php.ini \
${ROOTDIR}etc/php/fpm-php7.3/php.ini \
${ROOTDIR}etc/php/fpm-php7.4/php.ini \
${ROOTDIR}etc/php/fpm-php8.0/php.ini \
${ROOTDIR}etc/php/fpm-php8.1/php.ini \
${ROOTDIR}etc/php/fpm-php8.2/php.ini \
${ROOTDIR}etc/php/7.0/apache2/php.ini \
${ROOTDIR}etc/php/7.1/apache2/php.ini \
${ROOTDIR}etc/php/7.2/apache2/php.ini \
@ -139,12 +115,30 @@
${ROOTDIR}etc/php/8.3/fpm/php.ini \
${ROOTDIR}etc/php/8.4/cli/php.ini \
${ROOTDIR}etc/php/8.4/fpm/php.ini \
${ROOTDIR}opt/alt/php70/etc/php.ini \
${ROOTDIR}opt/alt/php71/etc/php.ini \
${ROOTDIR}opt/alt/php72/etc/php.ini \
${ROOTDIR}opt/alt/php73/etc/php.ini \
${ROOTDIR}opt/alt/php74/etc/php.ini \
${ROOTDIR}opt/alt/php80/etc/php.ini \
${ROOTDIR}opt/alt/php81/etc/php.ini \
${ROOTDIR}opt/alt/php82/etc/php.ini \
${ROOTDIR}opt/alt/php83/etc/php.ini \
${ROOTDIR}opt/alt/php84/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php73/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php74/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php80/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php81/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php82/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php83/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php84/root/etc/php.ini \
${ROOTDIR}private/etc/php.ini \
${ROOTDIR}var/www/conf/php.ini \
${ROOTDIR}usr/local/etc/php.ini \
${ROOTDIR}usr/local/lib/php.ini \
${ROOTDIR}usr/local/etc/php5/cgi/php.ini \
${ROOTDIR}usr/local/php54/lib/php.ini \
${ROOTDIR}usr/local/php56/lib/php.ini \
${ROOTDIR}usr/local/php70/lib/php.ini \
${ROOTDIR}usr/local/php71/lib/php.ini \
${ROOTDIR}usr/local/php72/lib/php.ini \
@ -157,36 +151,6 @@
${ROOTDIR}usr/local/php84/lib/php.ini \
${ROOTDIR}usr/local/zend/etc/php.ini \
${ROOTDIR}usr/pkg/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php55/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php56/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php73/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php74/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php80/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php81/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php82/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php83/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php84/root/etc/php.ini \
${ROOTDIR}opt/alt/php44/etc/php.ini \
${ROOTDIR}opt/alt/php51/etc/php.ini \
${ROOTDIR}opt/alt/php52/etc/php.ini \
${ROOTDIR}opt/alt/php53/etc/php.ini \
${ROOTDIR}opt/alt/php54/etc/php.ini \
${ROOTDIR}opt/alt/php55/etc/php.ini \
${ROOTDIR}opt/alt/php56/etc/php.ini \
${ROOTDIR}opt/alt/php70/etc/php.ini \
${ROOTDIR}opt/alt/php71/etc/php.ini \
${ROOTDIR}opt/alt/php72/etc/php.ini \
${ROOTDIR}opt/alt/php73/etc/php.ini \
${ROOTDIR}opt/alt/php74/etc/php.ini \
${ROOTDIR}opt/alt/php80/etc/php.ini \
${ROOTDIR}opt/alt/php81/etc/php.ini \
${ROOTDIR}opt/alt/php82/etc/php.ini \
${ROOTDIR}opt/alt/php83/etc/php.ini \
${ROOTDIR}opt/alt/php84/etc/php.ini \
${ROOTDIR}etc/opt/remi/php56/php.ini \
${ROOTDIR}etc/opt/remi/php70/php.ini \
${ROOTDIR}etc/opt/remi/php71/php.ini \
@ -198,28 +162,12 @@
${ROOTDIR}etc/opt/remi/php82/php.ini\
${ROOTDIR}etc/opt/remi/php83/php.ini \
${ROOTDIR}etc/opt/remi/php84/php.ini"
# HEADS-UP: OpenBSD, last two releases are supported, and snapshots of -current
PHPINILOCS="${PHPINILOCS} \
${ROOTDIR}etc/php-5.6.ini \
${ROOTDIR}etc/php-7.0.ini \
${ROOTDIR}etc/php-7.1.ini \
${ROOTDIR}etc/php-7.2.ini \
${ROOTDIR}etc/php-7.3.ini \
${ROOTDIR}etc/php-7.4.ini \
${ROOTDIR}etc/php-8.0.ini \
${ROOTDIR}etc/php-8.1.ini \
${ROOTDIR}etc/php-8.2.ini\
${ROOTDIR}etc/php-8.3.ini\
${ROOTDIR}etc/php-8.4.ini"
PHPINIDIRS="${ROOTDIR}etc/php5/conf.d \
${ROOTDIR}etc/php/7.0/cli/conf.d \
PHPINIDIRS="${ROOTDIR}etc/php/7.0/cli/conf.d \
${ROOTDIR}etc/php/7.1/cli/conf.d \
${ROOTDIR}etc/php/7.2/cli/conf.d \
${ROOTDIR}etc/php/7.3/cli/conf.d \
${ROOTDIR}etc/php/7.4/cli/conf.d \
${ROOTDIR}etc/php/8.0/cli/conf.d \
${ROOTDIR}etc/php/8.1/cli/conf.d \
${ROOTDIR}etc/php/8.2/cli/conf.d \
${ROOTDIR}etc/php/7.0/fpm/conf.d \
${ROOTDIR}etc/php/7.1/fpm/conf.d \
${ROOTDIR}etc/php/7.2/fpm/conf.d \
@ -231,9 +179,6 @@
${ROOTDIR}etc/php/8.3/fpm/conf.d \
${ROOTDIR}etc/php/8.4/fpm/conf.d \
${ROOTDIR}etc/php.d \
${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.d \
${ROOTDIR}opt/cpanel/ea-php55/root/etc/php.d \
${ROOTDIR}opt/cpanel/ea-php56/root/etc/php.d \
${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.d \
${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.d \
${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.d \
@ -244,13 +189,6 @@
${ROOTDIR}opt/cpanel/ea-php82/root/etc/php.d \
${ROOTDIR}opt/cpanel/ea-php83/root/etc/php.d \
${ROOTDIR}opt/cpanel/ea-php84/root/etc/php.d \
${ROOTDIR}opt/alt/php44/etc/php.d.all \
${ROOTDIR}opt/alt/php51/etc/php.d.all \
${ROOTDIR}opt/alt/php52/etc/php.d.all \
${ROOTDIR}opt/alt/php53/etc/php.d.all \
${ROOTDIR}opt/alt/php54/etc/php.d.all \
${ROOTDIR}opt/alt/php55/etc/php.d.all \
${ROOTDIR}opt/alt/php56/etc/php.d.all \
${ROOTDIR}opt/alt/php70/etc/php.d.all \
${ROOTDIR}opt/alt/php71/etc/php.d.all \
${ROOTDIR}opt/alt/php72/etc/php.d.all \
@ -272,9 +210,8 @@
${ROOTDIR}usr/local/php82/lib/php.conf.d \
${ROOTDIR}usr/local/php83/lib/php.conf.d \
${ROOTDIR}usr/local/php84/lib/php.conf.d"
# HEADS-UP: OpenBSD, last two releases are supported, and snapshots of -current
PHPINIDIRS="${PHPINIDIRS} \
${ROOTDIR}etc/php-5.6 \
${ROOTDIR}etc/php-7.0 \
${ROOTDIR}etc/php-7.1 \
${ROOTDIR}etc/php-7.2 \

View File

@ -127,11 +127,15 @@
LogText "Test: Querying brew to get package list"
Display --indent 4 --text "- Querying brew for installed packages"
LogText "Output:"; LogText "-----"
GPACKAGES=$(brew list)
for J in ${GPACKAGES}; do
LogText "Found package ${J}"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J}"
done
GPACKAGES=$(brew list --versions)
while IFS= read -r PKG; do
PACKAGE_NAME=$(echo ${PKG} | ${CUTBINARY} -d ' ' -f1)
PACKAGE_VERSION=$(echo ${PKG} | ${CUTBINARY} -d ' ' -f2)
LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
done << EOF
$GPACKAGES
EOF
else
LogText "Result: brew can NOT be found on this system"
fi
@ -158,6 +162,29 @@
LogText "Result: emerge can NOT be found on this system"
fi
#
#################################################################################
#
# Test : PKGS-7305
# Description : Query macOS Apps in /Applications and CoreServices
Register --test-no PKGS-7305 --os macOS --weight L --network NO --category security --description "Query macOS Apps in /Applications and CoreServices"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Querying Apps in /Applications"
Display --indent 4 --text "- Querying macOS Apps in /Applications"
LogText "Output:"; LogText "-----"
for APP in /Applications/*.app; do
PACKAGE_NAME=$(basename "$APP" .app)
PACKAGE_VERSION=$(defaults read "$APP/Contents/Info" CFBundleShortVersionString 2>/dev/null || echo "N/A")
LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
done
Display --indent 4 --text "- Querying Apple CoreServices"
for CS in /Library/Apple/System/Library/CoreServices/*.app; do
PACKAGE_NAME=$(basename "$CS" .app)
PACKAGE_VERSION=$(defaults read "$CS/Contents/Info" CFBundleShortVersionString 2>/dev/null || echo "N/A")
LogText "Found CoreServices: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
done
fi
#
#################################################################################
#
@ -672,9 +699,20 @@
# Check in /etc/cron.hourly, daily, weekly, monthly etc
COUNT=$(find /etc/cron* -name debsums | wc -l)
if [ ${COUNT} -gt 0 ]; then
LogText "Result: Cron job is configured for debsums utility."
Display --indent 6 --text "- Cron job for debsums" --result "${STATUS_FOUND}" --color GREEN
AddHP 3 3
CRON_CHECK=""
if [ -f ${ROOTDIR}etc/default/debsums ]; then
CRON_CHECK=$(${GREPBINARY} CRON_CHECK /etc/default/debsums|${AWKBINARY} -F "=" '{print $2}')
fi
if [ "${CRON_CHECK}" = "daily" ] || [ "${CRON_CHECK}" = "weekly" ] || [ "${CRON_CHECK}" = "monthly" ]; then
LogText "Result: Cron job is configured for debsums utility."
Display --indent 6 --text "- Cron job for debsums" --result "${STATUS_FOUND}" --color GREEN
AddHP 3 3
else
LogText "Result: Cron job is not configured for debsums utility."
Display --indent 6 --text "- Cron job for debsums" --result "${STATUS_NOT_FOUND}" --color YELLOW
AddHP 1 3
ReportSuggestion "${TEST_NO}" "Check debsums configuration and enable checking regularly via a cron job (CRON_CHECK in default file)."
fi
else
LogText "Result: Cron job is not configured for debsums utility."
Display --indent 6 --text "- Cron job for debsums" --result "${STATUS_NOT_FOUND}" --color YELLOW

View File

@ -312,7 +312,7 @@
# AllowGroups
FIND=$(${GREPBINARY} -E -i "^AllowGroups" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }')
if [ -n "${FIND}" ]; then
LogText "Result: AllowUsers set ${FIND}"
LogText "Result: AllowGroups set ${FIND}"
Display --indent 4 --text "- OpenSSH option: AllowGroups" --result "${STATUS_FOUND}" --color GREEN
FOUND=1
else

View File

@ -48,6 +48,8 @@
TMPFILE="${TEMP_FILE}"
CreateTempFile || ExitFatal
TMPFILE2="${TEMP_FILE}"
CreateTempFile || ExitFatal
TMPFILE3="${TEMP_FILE}"
#
#################################################################################
#
@ -300,8 +302,42 @@
#
#################################################################################
#
# Test : HTTP-6660 TODO
# Test : HTTP-6660
# Description : Search for "TraceEnable off" in configuration files
if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no HTTP-6660 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking Apache security setting: TraceEnable"
if [ ${SKIPTEST} -eq 0 ]; then
for DIR in ${sTEST_APACHE_TARGETS}; do
if [ -d ${DIR} ]; then
find ${DIR} -name "*.conf" -print >> ${TMPFILE3}
fi
done
# Check all Apache conf-files for TraceEnable
if [ -f ${TMPFILE3} ]; then
Display --indent 2 --text '- Checking TraceEnable setting in:'
for APACHE_CONFFILE in $(cat ${TMPFILE3}); do
TRACEENABLE=$( ${GREPBINARY} -i -E '^TraceEnable' ${APACHE_CONFFILE} | ${AWKBINARY} '{print $2}' )
if [ ! ${TRACEENABLE} ]; then
LogText "Result: no TraceEnable setting found in ${APACHE_CONFFILE}"
Display --indent 4 --text " ${APACHE_CONFFILE}" --result "${STATUS_NOT_FOUND}" --color WHITE
else
TRACEENABLED_SETTING=$( echo ${TRACEENABLE} | tr 'A-Z' 'a-z' )
if [ x${TRACEENABLED_SETTING} == x'off' ]; then
LogText "Result: found TraceEnable setting set to 'off' in ${APACHE_CONFFILE}"
Report "Apache setting: 'TraceEnable Off' in ${APACHE_CONFFILE}"
Display --indent 4 --text " ${APACHE_CONFFILE}" --result "${STATUS_FOUND}" --color GREEN
else
LogText "Result: found TraceEnable setting set to '"${TRACEENABLE}"' in ${APACHE_CONFFILE}"
Report "Apache setting: 'TraceEnable "${TRACEENABLE}"' in ${APACHE_CONFFILE}"
Display --indent 4 --text " ${APACHE_CONFFILE}" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Consider setting 'TraceEnable Off' in ${APACHE_CONFFILE}" "Set TraceEnable to 'On' or 'extended' for testing and diagnostic purposes only."
fi
fi
done
rm -f ${TMPFILE3}
fi
fi
#
#################################################################################
#
@ -608,6 +644,7 @@
# Remove temp file (double check)
if [ -n "${TMPFILE}" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi
if [ -n "${TMPFILE2}" ]; then if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi; fi
if [ -n "${TMPFILE3}" ]; then if [ -f ${TMPFILE3} ]; then rm -f ${TMPFILE3}; fi; fi
WaitForKeyPress

4
lynis
View File

@ -52,7 +52,7 @@
PROGRAM_SOURCE="https://github.com/CISOfy/lynis"
PROGRAM_PACKAGE="https://packages.cisofy.com/"
PROGRAM_DOCUMENTATION="https://cisofy.com/docs/"
PROGRAM_COPYRIGHT="2007-2021, ${PROGRAM_AUTHOR} - ${PROGRAM_WEBSITE}"
PROGRAM_COPYRIGHT="2007-2024, ${PROGRAM_AUTHOR} - ${PROGRAM_WEBSITE}"
PROGRAM_LICENSE="${PROGRAM_NAME} comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
welcome to redistribute it under the terms of the GNU General Public License.
See the LICENSE file for details about using this software."
@ -1018,7 +1018,7 @@ ${NORMAL}
if [ "${TEST_GROUP_TO_CHECK}" = "all" ]; then
LogText "Info: perform tests from all categories"
INCLUDE_TESTS="boot_services kernel memory_processes authentication shells \
INCLUDE_TESTS="boot_services kernel memory_processes authentication kerberos shells \
filesystems usb storage storage_nfs nameservices dns ports_packages networking printers_spoolers \
mail_messaging firewalls webservers ssh snmp databases ldap php squid logging \
insecure_services banners scheduling accounting time crypto virtualization containers \