From d96628d9b1d116e3fa7d909e0d2b323653d5d6d7 Mon Sep 17 00:00:00 2001 From: Sander Date: Fri, 14 May 2021 11:56:48 +0000 Subject: [PATCH 01/57] Adding HTTP-6660 test --- include/tests_webservers | 39 ++++++++++++++++++++++++++++++++++++++- 1 file changed, 38 insertions(+), 1 deletion(-) diff --git a/include/tests_webservers b/include/tests_webservers index 6e0a3b3d..d3634ece 100644 --- a/include/tests_webservers +++ b/include/tests_webservers @@ -48,6 +48,8 @@ TMPFILE="${TEMP_FILE}" CreateTempFile || ExitFatal TMPFILE2="${TEMP_FILE}" + CreateTempFile || ExitFatal + TMPFILE3="${TEMP_FILE}" # ################################################################################# # 
@@ -300,8 +302,42 @@ # ################################################################################# # - # Test : HTTP-6660 TODO + # Test : HTTP-6660 # Description : Search for "TraceEnable off" in configuration files + if [ ${APACHE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no HTTP-6660 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking Apache security setting: TraceEnable" + if [ ${SKIPTEST} -eq 0 ]; then + for DIR in ${sTEST_APACHE_TARGETS}; do + if [ -d ${DIR} ]; then + find ${DIR} -name "*.conf" -print >> ${TMPFILE3} + fi + done + + # Check all Apache conf-files for TraceEnable + if [ -f ${TMPFILE3} ]; then + Display --indent 2 --text '- Checking TraceEnable setting in:' + for APACHE_CONFFILE in $(cat ${TMPFILE3}); do + TRACEENABLE=$( ${GREPBINARY} -i -E '^TraceEnable' ${APACHE_CONFFILE} | ${AWKBINARY} '{print $2}' ) + if [ ! ${TRACEENABLE} ]; then + LogText "Result: no TraceEnable setting found in ${APACHE_CONFFILE}" + Display --indent 4 --text " ${APACHE_CONFFILE}" --result "${STATUS_NOT_FOUND}" --color WHITE + else + TRACEENABLED_SETTING=$( echo ${TRACEENABLE} | tr 'A-Z' 'a-z' ) + if [ x${TRACEENABLED_SETTING} == x'off' ]; then + LogText "Result: found TraceEnable setting set to 'off' in ${APACHE_CONFFILE}" + Report "Apache setting: 'TraceEnable Off' in ${APACHE_CONFFILE}" + Display --indent 4 --text " ${APACHE_CONFFILE}" --result "${STATUS_FOUND}" --color GREEN + else + LogText "Result: found TraceEnable setting set to '"${TRACEENABLE}"' in ${APACHE_CONFFILE}" + Report "Apache setting: 'TraceEnable "${TRACEENABLE}"' in ${APACHE_CONFFILE}" + Display --indent 4 --text " ${APACHE_CONFFILE}" --result "${STATUS_SUGGESTION}" --color YELLOW + ReportSuggestion "${TEST_NO}" "Consider setting 'TraceEnable Off' in ${APACHE_CONFFILE}" "Set TraceEnable to 'On' or 'extended' for testing and diagnostic purposes only." 
+ fi + fi + done + rm -f ${TMPFILE3} + fi + fi # ################################################################################# # @@ -608,6 +644,7 @@ # Remove temp file (double check) if [ -n "${TMPFILE}" ]; then if [ -f ${TMPFILE} ]; then rm -f ${TMPFILE}; fi; fi if [ -n "${TMPFILE2}" ]; then if [ -f ${TMPFILE2} ]; then rm -f ${TMPFILE2}; fi; fi + if [ -n "${TMPFILE3}" ]; then if [ -f ${TMPFILE3} ]; then rm -f ${TMPFILE3}; fi; fi WaitForKeyPress From 0298f519406fab873246ad751f19fd91e1aa7baf Mon Sep 17 00:00:00 2001 From: Sander Date: Sat, 15 May 2021 19:22:17 +0000 Subject: [PATCH 02/57] Added FILE-6398 test --- include/tests_filesystems | 42 +++++++++++++++++++++++++++++++++++---- 1 file changed, 38 insertions(+), 4 deletions(-) diff --git a/include/tests_filesystems b/include/tests_filesystems index d3a6eaab..d2836480 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems 
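Review bot: The directive lookup `${GREPBINARY} -i -E '^TraceEnable'` only matches at column 0, so an indented `TraceEnable Off` inside a VirtualHost block is reported as "not found", and when a file (or the list of files) yields more than one match, `${TRACEENABLE}` holds several words and both `[ ! ${TRACEENABLE} ]` and `[ x${TRACEENABLED_SETTING} == x'off' ]` become malformed tests (`==` is also not POSIX `test`). Use `'^[[:space:]]*TraceEnable'`, `if [ -z "${TRACEENABLE}" ]; then` and `if [ "x${TRACEENABLED_SETTING}" = "xoff" ]; then`, and decide how to treat mixed values when several matches occur. Apache's documented default when the directive is absent is `TraceEnable on`, so the "not found" branch is the insecure state and should carry the same ReportSuggestion rather than a neutral white result. `for APACHE_CONFFILE in $(cat ${TMPFILE3})` also splits paths on whitespace; a `while read -r APACHE_CONFFILE; do ... done < ${TMPFILE3}` loop avoids that.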
@@ -721,11 +721,45 @@ # ################################################################################# # - # Test : FILE-6398 TODO + # Test : FILE-6398 # Description : Check if JBD (Journal Block Device) driver is loaded - - # Want to contribute to Lynis? Create this test - + Register --test-no FILE-6398 --os Linux --weight L --network NO --category security --description "Checking if JBD (Journal Block Device) driver is loaded" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: Checking if JBD (Journal Block Device) driver is loaded" + NOTINUSE=0 + # Cannot check if driver is loaded/present if kernel is monolithic + if [ ${MONOLITHIC_KERNEL} -eq 0 ]; then + JBD=$(${LSMODBINARY} | ${GREPBINARY} ^jbd) + if [ -n "${JBD}" ]; then + LogText "Result: JBD driver is loaded" + INUSE=$(echo ${JBD} | ${AWKBINARY} '{if ($3 -ne 0) {print $4}}') + if [ -n "${INUSE}" ]; then + LogText "Result: JBD driver is in use by drivers: ${INUSE}" + Report "JBD driver is in use by drivers: ${INUSE}" + Display --indent 2 --text "- JBD driver loaded and in use" --result "${STATUS_OK}" --color GREEN + else + NOTINUSE=1 + LogText "Result: JBD driver loaded, but not in use" + Report "JBD driver is loaded, but not in use." + Display --indent 2 --text "- JBD driver loaded, but not in use" --result "${STATUS_SUGGESTION}" --color YELLOW + fi + else + NOTINUSE=2 + LogText "Result: JBD driver not loaded" + Report "JBD driver not loaded." + Display --indent 2 --text "- JBD driver is not loaded" --result "${STATUS_CHECK_NEEDED}" --color YELLOW + fi + if [ ${NOTINUSE} -eq 1 ]; then + ReportSuggestion "${TEST_NO}" "The JBD (Journal Block Device) driver is loaded but not in use." "You are currently not using any filesystems with journaling, i.e. you have greater risk of data corruption in case of system crash." + elif [ ${NOTINUSE} -eq 2 ]; then + ReportSuggestion "${TEST_NO}" "The JBD (Journal Block Device) driver is not loaded." "Since boot-time, you have not been using any filesystems with journaling. 
Alternatively, reason could be driver is blacklisted." + fi + else + LogText "Kernel is monolithic - cannot check if JBD driver is part of compiled kernel." + Report "Kernel is monolithic - cannot check if JBD driver is part of compiled kernel." + Display --indent 2 --text "- JBD driver: unable to check" --result "${STATUS_UNKNOWN}" --color RED + fi + fi # ################################################################################# # From 2e6415a3b3987f3b7c5e383fa5c0f7771f5af85d Mon Sep 17 00:00:00 2001 From: pyllyukko Date: Sun, 23 Jan 2022 10:36:55 +0200 Subject: [PATCH 03/57] perf_event_paranoid -> 2|3 The value of 3 was introduced in c76a4ca and the source was this[1]. The documentation in the source notes that the value of 3 requires a patch for the Linux kernel. Vanilla kernel has the "maximum" value of 2[2]. [1] https://docs.clip-os.org/clipos/kernel.html#sysctl-security-tuning [2] https://www.kernel.org/doc/html/v5.7/admin-guide/sysctl/kernel.html#perf-event-paranoid --- default.prf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/default.prf b/default.prf index aadc4495..79c0a48c 100644 --- a/default.prf +++ b/default.prf 
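Review bot: The suggestion text asserts that no journaling filesystem is in use, but the code only consults `lsmod`; on a kernel where ext4 and jbd2 are built in rather than modular (the case on several distribution kernels, to be confirmed per target) nothing is listed and a healthy system is flagged. Check what is actually mounted before concluding the journal layer is absent, e.g. `if ${GREPBINARY} -qE ' (ext3|ext4|ocfs2) ' ${ROOTDIR}proc/mounts; then`, and treat `/sys/module/jbd2` presence as evidence of a built-in driver. The awk filter `'{if ($3 -ne 0) {print $4}}'` is not valid awk (`-ne` parses as a subtraction involving an empty variable) and only works by accident; write `$3 != 0`. `${GREPBINARY} ^jbd` also matches both `jbd` and `jbd2`, after which `echo ${JBD}` flattens two lsmod rows into one record, so anchor on `^jbd2[[:space:]]` or handle each line. Whether the absence of journaling is a security finding at all, rather than a reliability one, deserves a comment next to the `--category security` registration.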
@@ -197,7 +197,7 @@ config-data=sysctl;kernel.exec-shield;1;1;No description;sysctl -a;url:https;//k
 config-data=sysctl;kernel.kptr_restrict;2;1;Restrict access to kernel symbols;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
 config-data=sysctl;kernel.maps_protect;1;1;Restrict access to /proc/[pid]/maps;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
 config-data=sysctl;kernel.modules_disabled;1;1;Restrict module loading once this sysctl value is loaded;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
-config-data=sysctl;kernel.perf_event_paranoid;3;1;Restrict unprivileged access to the perf_event_open() system call.;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.perf_event_paranoid;2|3;1;Restrict unprivileged access to the perf_event_open() system call.;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
 config-data=sysctl;kernel.randomize_va_space;2;1;Randomize of memory address locations (ASLR);sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
 config-data=sysctl;kernel.suid_dumpable;0;1;Restrict core dumps;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
 config-data=sysctl;kernel.sysrq;0;1;Disable magic SysRQ;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
From 34d99f72f6f55053ba445847568d88eeeee1ff59 Mon Sep 17 00:00:00 2001
From: Skia
Date: Thu, 17 Mar 2022 23:28:34 +0100
Subject: [PATCH 04/57] osdetection: add PostmarketOS
---
 include/osdetection | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/include/osdetection b/include/osdetection
index d9b8a41c..29c3e69e 100644
--- a/include/osdetection
+++ b/include/osdetection
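Review bot: This commit and PATCH 16/57 in the same series both rewrite the `kernel.perf_event_paranoid` line starting from the same base blob `aadc4495` (to `2|3` here and `3|4` there), so the series does not apply cleanly and whichever resolution wins silently decides whether the vanilla-kernel maximum of 2 is accepted. Reconcile them into one line, `config-data=sysctl;kernel.perf_event_paranoid;2|3|4;1;Restrict unprivileged access to the perf_event_open() system call.;...`, assuming the profile parser treats `|` as alternation as this commit presumes. If the format supports a minimum instead of an enumerated list, a "2 or higher" expression would age better, since the stricter values only exist on patched kernels and more may appear.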
@@ -337,6 +337,13 @@
                 OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
                 OS_NAME="Pop!_OS"
             ;;
+            "postmarketos")
+                LINUX_VERSION="PostmarketOS"
+                LINUX_VERSION_LIKE="Alpine"
+                OS_NAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+                OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+            ;;
             "pureos")
                 LINUX_VERSION="PureOS"
                 LINUX_VERSION_LIKE="Debian"
From f315c0b3257a301fe17b3a8904190df36d853940 Mon Sep 17 00:00:00 2001
From: mab974 <12948653+mab974@users.noreply.github.com>
Date: Wed, 13 Apr 2022 13:42:21 +0400
Subject: [PATCH 05/57] osdetection: add Koozali #1274
---
 include/osdetection | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/include/osdetection b/include/osdetection
index d9b8a41c..ecd34865 100644
--- a/include/osdetection
+++ b/include/osdetection
@@ -271,6 +271,12 @@
                 OS_NAME="Kali Linux"
                 OS_VERSION="Rolling release"
             ;;
+            "koozali")
+                LINUX_VERSION="Koozali"
+                OS_NAME="Koozali SME Server"
+                OS_REDHAT_OR_CLONE=1
+                OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+            ;;
             "linuxmint")
                 LINUX_VERSION="Linux Mint"
                 LINUX_VERSION_LIKE="Ubuntu"
From 225338a92359773e7bfa8e2c21ab2aa9bd7b5990 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
Date: Wed, 18 May 2022 18:02:34 +0200
Subject: [PATCH 06/57] use systemctl get-default instead of following links
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Thomas Sjögren
---
 include/tests_kernel | 40 ++++++++++++++--------------------------
 1 file changed, 14 insertions(+), 26 deletions(-)
diff --git a/include/tests_kernel b/include/tests_kernel
index ad914bfb..61f8ae73 100644
--- a/include/tests_kernel
+++ b/include/tests_kernel
@@ -41,28 +41,17 @@
     if [ ${SKIPTEST} -eq 0 ]; then
         # Checking if we can find the systemd default target
         LogText "Test: Checking for systemd default.target"
-        if [ -L ${ROOTDIR}etc/systemd/system/default.target ]; then
-            LogText "Result: symlink found"
-            if HasData "${READLINKBINARY}"; then
-                FIND=$(${READLINKBINARY} ${ROOTDIR}etc/systemd/system/default.target)
-                if ! HasData "${FIND}"; then
-                    LogText "Exception: can't find the target of the symlink of /etc/systemd/system/default.target"
-                    ReportException "${TEST_NO}:01"
-                else
-                    FIND2=$(${ECHOCMD} ${FIND} | ${EGREPBINARY} "runlevel5|graphical")
-                    if HasData "${FIND2}"; then
-                        LogText "Result: Found match on runlevel5/graphical"
-                        Display --indent 2 --text "- Checking default runlevel" --result "runlevel 5" --color GREEN
-                        Report "linux_default_runlevel=5"
-                    else
-                        LogText "Result: No match found on runlevel, defaulting to runlevel 3"
-                        Display --indent 2 --text "- Checking default runlevel" --result "runlevel 3" --color GREEN
-                        Report "linux_default_runlevel=3"
-                    fi
-                fi
+        if [ $(${SYSTEMCTLBINARY} get-default) ]; then
+            FIND=$(${SYSTEMCTLBINARY} get-default)
+            FIND2=$(${ECHOCMD} ${FIND} | ${EGREPBINARY} "runlevel5|graphical")
+            if HasData "${FIND2}"; then
+                LogText "Result: Found match on runlevel5/graphical"
+                Display --indent 2 --text "- Checking default runlevel" --result "runlevel 5" --color GREEN
+                Report "linux_default_runlevel=5"
             else
-                LogText "Result: No readlink binary, can't determine where symlink is pointing to"
-                Display --indent 2 --text "- Checking default run level" --result "${STATUS_UNKNOWN}" --color YELLOW
+                LogText "Result: No match found on runlevel, defaulting to runlevel 3"
+                Display --indent 2 --text "- Checking default runlevel" --result "runlevel 3" --color GREEN
+                Report "linux_default_runlevel=3"
             fi
         else
             LogText "Result: no systemd found, so trying inittab"
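Review bot: `if [ $(${SYSTEMCTLBINARY} get-default) ]` is evaluated with an empty `${SYSTEMCTLBINARY}` on non-systemd hosts, which executes the bare word `get-default`, prints a "command not found" error to the auditor and then drops into the `else` branch that logs "no systemd found" for the wrong reason; the removed code was protected by the `-L default.target` test and this replacement has no equivalent guard. Guard on the binary and read the output once: `if [ -n "${SYSTEMCTLBINARY}" ] && FIND=$(${SYSTEMCTLBINARY} get-default 2>/dev/null) && HasData "${FIND}"; then`. Note that `systemctl get-default` queries the running instance, so the `${ROOTDIR}` awareness of the old symlink check is lost for offline audits of a mounted image; if that mode matters, keep the symlink path as a fallback when `ROOTDIR` is not `/`. The enclosing `if [ ${SKIPTEST} -eq 0 ]` block continues past the hunk.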
@@ -467,7 +456,7 @@ SYSD_CORED_BASE_STORAGE_FOUND=$(${GREPBINARY} -v "^ *#" ${ROOTDIR}etc/systemd/coredump.conf 2> /dev/null | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -i "^Storage=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g') SYSD_CORED_BASE_STORAGE_NR_ENABLED=$(${ECHOCMD} "${SYSD_CORED_BASE_STORAGE_FOUND}" | ${SEDBINARY} 's/none//g' | ${WCBINARY} | ${AWKBINARY} '{print $2}') SYSD_CORED_BASE_STORAGE_NR_DISABLED=$(${ECHOCMD} "${SYSD_CORED_BASE_STORAGE_FOUND}" | ${GREPBINARY} -o "none" | ${WCBINARY} | ${AWKBINARY} '{print $2}') - # check conf files in possibly existing coredump.conf.d folders + # check conf files in possibly existing coredump.conf.d folders # using find instead of grep -r to stay POSIX compliant. On AIX and HPUX grep -r is not available. # while there could be multiple files overwriting each other, we are checking the number of occurrences SYSD_CORED_SUB_PROCSIZEMAX_NR_DISABLED=$(${FINDBINARY} -L /etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ /usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^ProcessSizeMax=" | ${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | ${GREPBINARY} "^0 *$" | ${WCBINARY} -l) @@ -531,7 +520,7 @@ Display --indent 4 --text "- configuration in ${ROOTDIR}etc/profile" --result "${STATUS_ERROR}" --color YELLOW fi fi - + # Limits options for DIR in "/" "/usr/"; do LogText "Test: Checking presence ${DIR}etc/security/limits.conf" @@ -840,7 +829,7 @@ else LogText "Result: Skipping this test, as extracting the seconds of package date failed" fi - + if [ -n "${UNAME_OUTPUT}" ]; then LogText "Result: Got an output from 'uname -v'" LogText "Check: Trying to extract kernel build date from 'uname -v' output" @@ -911,8 +900,7 @@ else LogText "Result: Did not get output from 'uname -v'. Skipping test." fi - - + else LogText "Result: /var/cache/apt/archives/ does not exist" fi 
From b3436629ce061489c4f999bdcfcd0fd52af7a061 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
Date: Mon, 20 Jun 2022 09:54:29 +0200
Subject: [PATCH 07/57] add check for ESET oaeventd
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Thomas Sjögren
---
 include/tests_malware | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/tests_malware b/include/tests_malware
index 40336fa5..4fa901d9 100644
--- a/include/tests_malware
+++ b/include/tests_malware
@@ -186,8 +186,8 @@
         fi
 
         # ESET security products
-        LogText "Test: checking process esets_daemon"
-        if IsRunning "esets_daemon"; then
+        LogText "Test: checking process esets_daemon or oaeventd (ESET)"
+        if IsRunning "esets_daemon" || IsRunning "oaeventd"; then
             FOUND=1
             ESET_DAEMON_RUNNING=1
             MALWARE_DAEMON_RUNNING=1
From e4cd5eaede8309cf1af9c6e902e64bf61407b0a6 Mon Sep 17 00:00:00 2001
From: Zafer Balkan
Date: Wed, 20 Jul 2022 21:41:55 +0300
Subject: [PATCH 08/57] Added Wazuh Agent as a malware scanner/antivirus
Solves https://github.com/CISOfy/lynis/issues/1304
Wazuh is a fork of OSSEC and is being actively maintained. Wazuh agent has capabilities to detect and prevent malware acting as an EDR. Therefore, it seems feasible to add wazuh-agent to the accepted antivirus products.
https://documentation.wazuh.com/current/user-manual/capabilities/anomalies-detection/index.html
https://documentation.wazuh.com/current/pci-dss/rootkit-detection.html
---
 include/tests_malware | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/include/tests_malware b/include/tests_malware
index 40336fa5..3ddc9277 100644
--- a/include/tests_malware
+++ b/include/tests_malware
@@ -308,6 +308,17 @@ Report "malware_scanner[]=trend-micro-av" fi + # Wazuh agent + LogText "Test: checking process wazuh-agent to test for Wazuh agent" + if IsRunning "wazuh-agent"; then + if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Wazuh agent" --result "${STATUS_FOUND}" --color GREEN; fi + LogText "Result: found Wazuh component" + FOUND=1 + MALWARE_DAEMON_RUNNING=1 + MALWARE_SCANNER_INSTALLED=1 + Report "malware_scanner[]=wazuh" + fi + if [ ${FOUND} -eq 0 ]; then LogText "Result: no commercial anti-virus tools found" AddHP 0 3 From 32a39eaaf884444baa7b5ec76a87b8e2990906ae Mon Sep 17 00:00:00 2001 From: Zafer Balkan Date: Wed, 20 Jul 2022 21:50:26 +0300 Subject: [PATCH 09/57] Added Wazuh agent as a rootkit scanner Wazuh is a fork of OSSEC and is being actively maintained. Wazuh agent has capabilities to detect and prevent rootkits. Therefore, it seems feasible to add wazuh-agent to the accepted rootkit detection products. https://documentation.wazuh.com/current/pci-dss/rootkit-detection.html --- include/tests_malware | 3 +++ 1 file changed, 3 insertions(+) diff --git a/include/tests_malware b/include/tests_malware index 3ddc9277..237b7cc1 100644 --- a/include/tests_malware +++ b/include/tests_malware @@ -43,6 +43,7 @@ SYMANTEC_SCANNER_RUNNING=0 SYNOLOGY_DAEMON_RUNNING=0 TRENDMICRO_DSA_DAEMON_RUNNING=0 + WAZUH_DAEMON_RUNNING=0 # ################################################################################# # @@ -314,8 +315,10 @@ if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Wazuh agent" --result "${STATUS_FOUND}" --color GREEN; fi LogText "Result: found Wazuh component" FOUND=1 + WAZUH_DAEMON_RUNNING=1 MALWARE_DAEMON_RUNNING=1 MALWARE_SCANNER_INSTALLED=1 + ROOTKIT_SCANNER_FOUND=1 Report "malware_scanner[]=wazuh" fi From 3140a245da2c709e379c34ca6f3495428f0c7e5e Mon Sep 17 00:00:00 2001 
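Review bot: `IsRunning "wazuh-agent"` assumes a process literally carries that name, but the Wazuh agent's daemons are named `wazuh-agentd`, `wazuh-syscheckd`, `wazuh-modulesd` and so on (`wazuh-agent` is the package and service-unit name), so whether this check ever fires depends on `IsRunning` doing a substring match, which is not visible in this hunk. Prefer the explicit daemon name, `if IsRunning "wazuh-agentd"; then`, so the detection does not hinge on that implementation detail. A running agent also says nothing about whether its syscheck and rootcheck modules are enabled in `/var/ossec/etc/ossec.conf`, so setting `MALWARE_SCANNER_INSTALLED=1` on process presence alone is a generous assumption that deserves a comment, e.g. `# Presence of the agent is taken as evidence of FIM/rootcheck; module configuration is not verified`.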
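Review bot: `ROOTKIT_SCANNER_FOUND=1` is set purely because the agent process exists, yet Wazuh's rootcheck module can be switched off in ossec.conf (the rootcheck `disabled` element set to `yes`), in which case no rootkit detection is running and Lynis would still report one. Gate the flag on the configuration, roughly `if ! ${GREPBINARY} -A2 'rootcheck' /var/ossec/etc/ossec.conf | ${GREPBINARY} -q 'disabled.*yes'; then ROOTKIT_SCANNER_FOUND=1; fi`, or at least note the assumption in a comment beside the assignment. `WAZUH_DAEMON_RUNNING` is introduced here but no consumer of it is visible in this series; if nothing reads it, it is dead state.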
From: Zafer Balkan Date: Fri, 5 Aug 2022 15:45:35 +0300 Subject: [PATCH 10/57] Added wazuh-agent as a remote syslog capability --- include/tests_logging | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/include/tests_logging b/include/tests_logging index b6acdbe5..ed87ff17 100644 --- a/include/tests_logging +++ b/include/tests_logging @@ -28,6 +28,7 @@ METALOG_RUNNING=0 RFC3195D_RUNNING=0 RSYSLOG_RUNNING=0 + WAZUH_AGENT_RUNNING=0 SOLARIS_LOGHOST="" SOLARIS_LOGHOST_FOUND=0 SOLARIS_LOGHOST_LOCALHOST=0 @@ -220,6 +221,23 @@ fi # ################################################################################# +# + # Test : LOGG-2144 + # Description : Check for wazuh-agent presence on Linux systems + Register --test-no LOGG-2144 --os Linux --weight L --network NO --category security --description "Checking wazuh-agent" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Result: Searching for wazuh-agent instances in the process list" + if IsRunning "wazuh-agent"; then + LogText "Result: Found wazuh-agent in process list" + Display --indent 4 --text "- Checking wazuh-agent status" --result "${STATUS_FOUND}" --color GREEN + WAZUH_AGENT_RUNNING=1 + else + LogText "Result: wazuh-agent NOT found in process list" + Display --indent 4 --text "- Checking wazuh-agent daemon status" --result "${STATUS_NOT_FOUND}" --color WHITE + fi + fi +# +################################################################################# # # Test : LOGG-2146 # Description : Check for logrotate (/etc/logrotate.conf and logrotate.d) @@ -446,6 +464,21 @@ fi fi + # Test wazuh-agent configuration for syslog configuration + if [ ${WAZUH_AGENT_RUNNING} ]; then + WAZUH_AGENT_CONF="/var/ossec/etc/ossec.conf" + fi + + if [ -f ${WAZUH_AGENT_CONF} ]; then + LogText "Test: Checking Wazuh agent configuration for remote syslog forwarding" + FIND=$(${EGREPBINARY} '/var/log/syslog' ${WAZUH_AGENT_CONF}) + if [ "${FIND}" ]; then + DESTINATION=$(${EGREPBINARY} -o '
([A-Za-z0-9\.\-\_]*)
' ${WAZUH_AGENT_CONF} | sed 's/
//' | sed 's/<\/address>//') + LogText "Result: found destination ${DESTINATION} configured for remote logging with wazuh" + REMOTE_LOGGING_ENABLED=1 + fi + fi + # Show result if [ ${REMOTE_LOGGING_ENABLED} -eq 0 ]; then Report "remote_syslog_configured=0" From 8e9a95d88797a4349263a797bcd0aa243f0bdbec Mon Sep 17 00:00:00 2001 From: Alan Gonzalez <2751993+alangonzalez@users.noreply.github.com> Date: Fri, 28 Oct 2022 14:08:26 -0400 Subject: [PATCH 11/57] Update profiles --- include/profiles | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/profiles b/include/profiles index 6bf7758a..325ec887 100644 --- a/include/profiles +++ b/include/profiles @@ -56,7 +56,7 @@ fi # Security check for unexpected and possibly harmful escape characters (hyphen should be listed as first or last character) - DATA=$(grep -Ev '^$|^ |^#|^config:' "${PROFILE}" | tr -d '[:alnum:]/\[\]\(\)_\|,\.:;= \n\r-') + DATA=$(grep -Ev '^$|^ |^#|^config:' "${PROFILE}" | tr -d '[a-zA-Z0-9]/\[\]\(\)_\|,\.:;= \n\r-') if ! IsEmpty "${DATA}"; then DisplayWarning "Your profile '${PROFILE}' contains unexpected characters. See the log file for more information." LogText "Found unexpected or possibly harmful characters in profile '${PROFILE}'. See which characters matched in the output below and compare them with your profile." @@ -68,7 +68,7 @@ fi # Now parse the profile and filter out unwanted characters - DATA=$(grep -E "^config:|^[a-z-].*=" ${PROFILE} | tr -dc '[:alnum:]/\[\]\(\)_\|,\.:;= \n\r-' | sed 's/ /!space!/g') + DATA=$(grep -E "^config:|^[a-z-].*=" ${PROFILE} | tr -dc '[a-zA-Z0-9]/\[\]\(\)_\|,\.:;= \n\r-' | sed 's/ /!space!/g') for CONFIGOPTION in ${DATA}; do if ContainsString "^config:" "${CONFIGOPTION}"; then # Old style configuration From 4edbce250b31fcdd5cfeb309326fa2a171801c1d Mon Sep 17 00:00:00 2001 
From: Alan Gonzalez <2751993+alangonzalez@users.noreply.github.com> Date: Fri, 28 Oct 2022 14:45:05 -0400 Subject: [PATCH 12/57] Update profiles --- include/profiles | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/include/profiles b/include/profiles index 325ec887..6d7c0aa7 100644 --- a/include/profiles +++ b/include/profiles @@ -352,7 +352,7 @@ # Which tests to skip (skip-test=ABCD-1234 or skip-test=ABCD-1234:subtest) skip-test) - STRING=$(echo ${VALUE} | tr '[:lower:]' '[:upper:]') + STRING=$(echo ${VALUE} | awk '{print toupper($0)}') SKIP_TESTS="${SKIP_TESTS} ${STRING}" ;; @@ -371,7 +371,7 @@ ssl-certificate-paths-to-ignore) # Retrieve paths to ignore when searching for certificates. Strip special characters, replace possible spaces - SSL_CERTIFICATE_PATHS_TO_IGNORE=$(echo ${VALUE} | tr -d '[:cntrl:]' | sed 's/ /__space__/g' | tr ':' ' ') + SSL_CERTIFICATE_PATHS_TO_IGNORE=$(echo ${VALUE} | tr -d '[\001-\037]' | sed 's/ /__space__/g' | tr ':' ' ') Debug "SSL paths to ignore: ${SSL_CERTIFICATE_PATHS_TO_IGNORE}" AddSetting "ssl-certificate-paths-to-ignore" "${SSL_CERTIFICATE_PATHS_TO_IGNORE}" "Paths that should be ignored for SSL certificates" ;; @@ -479,7 +479,7 @@ # Deprecated: skip tests test_skip_always) - STRING=$(echo ${VALUE} | tr '[:lower:]' '[:upper:]') + STRING=$(echo ${VALUE} | awk '{print toupper($0)}') SKIP_TESTS="${SKIP_TESTS} ${STRING}" LogText "[deprecated option] Tests to be skipped: ${VALUE}" DisplayToolTip "Replace deprecated option 'test_skip_always' and replace with 'skip-test' (add to custom.prf)" From 051052cc153bd78adfb1b41cb0949dcae08ca82e Mon Sep 17 00:00:00 2001 From: pyllyukko Date: Thu, 17 Nov 2022 18:47:44 +0200 Subject: [PATCH 13/57] Added Slackware support for PackageIsInstalled() function --- include/functions | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/include/functions b/include/functions index 38cc46b3..f27211d0 100644 --- a/include/functions +++ b/include/functions 
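Review bot: `tr -d '[\001-\037]'` is not equivalent to `tr -d '[:cntrl:]'`: it no longer strips DEL (0177), and in GNU `tr` the brackets are literal characters, so `[` and `]` are now also deleted from `ssl-certificate-paths-to-ignore` values. If avoiding the POSIX class is the goal, spell the range without brackets and include DEL: `SSL_CERTIFICATE_PATHS_TO_IGNORE=$(echo ${VALUE} | tr -d '\001-\037\177' | sed 's/ /__space__/g' | tr ':' ' ')`. The `tr '[:lower:]' '[:upper:]'` to `awk '{print toupper($0)}'` swaps in the other two hunks preserve behaviour for ASCII test identifiers, but none of the three hunks states why the POSIX classes are being avoided; a one-line comment at the first replacement would keep the next maintainer from reverting it.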
@@ -2086,6 +2086,10 @@
     elif [ -n "${PKGINFOBINARY}" ]; then
         output=$(${PKGINFOBINARY} -q -e ${package} >/dev/null 2>&1)
         exit_code=$? # 0=package installed, 1=package not installed
+    # Slackware also has RPM for some reason and that's why this test precedes the RPMBINARY test
+    elif [ "${OS_NAME}" = "Slackware Linux" -a -d "${ROOTDIR}/var/lib/pkgtools/packages" ]; then
+        output=$( ls ${ROOTDIR}/var/lib/pkgtools/packages/ 2> /dev/null | ${GREPBINARY} "^${package}-[^-]\+-[^-]\+-[^-]\+$" )
+        exit_code=$?
     elif [ -n "${RPMBINARY}" ]; then
         output=$(${RPMBINARY} --quiet -q ${package} > /dev/null 2>&1)
         exit_code=$?
From 31c22f2daa59963823e3821b281f178d342f4afb Mon Sep 17 00:00:00 2001
From: pyllyukko
Date: Thu, 5 Jan 2023 14:43:29 +0200
Subject: [PATCH 14/57] Added "prosecute" & "report" to LEGAL_BANNER_STRINGS
https://xkcd.com/838/
---
 include/tests_banners | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/tests_banners b/include/tests_banners
index cd148f30..0694e9de 100644
--- a/include/tests_banners
+++ b/include/tests_banners
@@ -27,7 +27,7 @@
 #################################################################################
 #
     BANNER_FILES="${ROOTDIR}etc/issue ${ROOTDIR}etc/issue.net ${ROOTDIR}etc/motd"
-    LEGAL_BANNER_STRINGS="audit access authori condition connect consent continu criminal enforce evidence forbidden intrusion law legal legislat log monitor owner penal policy policies privacy private prohibited record restricted secure subject system terms warning"
+    LEGAL_BANNER_STRINGS="audit access authori condition connect consent continu criminal enforce evidence forbidden intrusion law legal legislat log monitor owner penal policy policies privacy private prohibited prosecute record report restricted secure subject system terms warning"
 #
 #################################################################################
 #
From 349975103fae73567cec495d0c9bddcba9b2fc9d Mon Sep 17 00:00:00 2001
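Review bot: `${package}` is interpolated unescaped into the grep pattern, so a name containing `.` (or other regex metacharacters) is matched as a pattern rather than a literal, and this is also the only branch of the helper that parses `ls` output. Strip the version/arch/build suffix first and compare the name as a fixed string: `output=$( ls ${ROOTDIR}/var/lib/pkgtools/packages/ 2> /dev/null | ${SEDBINARY} 's/-[^-]*-[^-]*-[^-]*$//' | ${GREPBINARY} -Fx -- "${package}" )`. The `[^-]\+` repetition is a GNU extension to basic regular expressions, which is acceptable on Slackware but worth a comment since this function is shared across platforms. The enclosing `PackageIsInstalled` function starts and ends outside the hunk.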
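Review bot: The existing entries in `LEGAL_BANNER_STRINGS` are stems (`authori`, `legislat`, `continu`) so that inflections match, but `prosecute` will not match "prosecuted" or "prosecution", which is the wording most banners use; use `prosecut`. `report` is a very common word (a stock `/etc/issue` or motd telling users where to "report bugs" would match), so if the matching is the plain substring search the stems imply it will make non-legal banners look compliant; consider dropping it, or accept the false-positive rate explicitly in a comment above the list.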
From: Johannes Segitz
Date: Thu, 23 Feb 2023 13:17:25 +0100
Subject: [PATCH 15/57] tests_mac_frameworks: check for existance of semanage binary.
It's not installed everywhere, causing this error message:
/usr/share/lynis/include/tests_mac_frameworks: line 161: permissive: command not found
/usr/share/lynis/include/tests_mac_frameworks: line 162: permissive: command not found
---
 include/tests_mac_frameworks | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/include/tests_mac_frameworks b/include/tests_mac_frameworks
index cda343ad..ca454529 100644
--- a/include/tests_mac_frameworks
+++ b/include/tests_mac_frameworks
@@ -158,10 +158,14 @@
                 Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_WARNING}" --color RED
             fi
             Display --indent 8 --text "Current SELinux mode: ${FIND}"
-            PERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${TRBINARY} '\n' ' ')
-            NPERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${WCBINARY} -l)
-            Display --indent 8 --text "Found ${NPERMISSIVE} permissive SELinux object types"
-            LogText "Permissive SELinux object types: ${PERMISSIVE}"
+            if [ -x "$SEMANAGEBINARY" ]; then
+                PERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${TRBINARY} '\n' ' ')
+                NPERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${WCBINARY} -l)
+                Display --indent 8 --text "Found ${NPERMISSIVE} permissive SELinux object types"
+                LogText "Permissive SELinux object types: ${PERMISSIVE}"
+            else
+                LogText "Result: semanage binary NOT found, can't analyse permissive domains"
+            fi
             UNCONFINED=$(${PSBINARY} -eo label,pid,command | ${GREPBINARY} '[u]nconfined_t' | ${TRBINARY} '\n' ' ')
             INITRC=$(${PSBINARY} -eo label,pid,command | ${GREPBINARY} '[i]nitrc_t' | ${TRBINARY} '\n' ' ')
             NUNCONFINED=$(${PSBINARY} -eo label | ${GREPBINARY} '[u]nconfined_t' | ${WCBINARY} -l)
From fe0b40c98d08f35481bb6b1ab64276958355a379 Mon Sep 17 00:00:00 2001
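Review bot: The new `else` branch only logs, so when `semanage` is absent the permissive-domain count simply disappears from the on-screen report, whereas comparable "tool not available" paths in this series surface a `${STATUS_UNKNOWN}` result to the auditor. Add `Display --indent 8 --text "Permissive SELinux object types" --result "${STATUS_UNKNOWN}" --color YELLOW` next to the `LogText`, so a missing data point is visible rather than silent. Permissive domains are exactly the SELinux weakening an audit wants to see, so the log line could also hint at which package provides `semanage` (it differs per distribution) to make the gap actionable.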
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
Date: Fri, 10 Mar 2023 10:46:04 +0100
Subject: [PATCH 16/57] support perf_event_paranoid=4
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Thomas Sjögren
---
 default.prf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/default.prf b/default.prf
index aadc4495..6cffcc1e 100644
--- a/default.prf
+++ b/default.prf
@@ -197,7 +197,7 @@ config-data=sysctl;kernel.exec-shield;1;1;No description;sysctl -a;url:https;//k
 config-data=sysctl;kernel.kptr_restrict;2;1;Restrict access to kernel symbols;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
 config-data=sysctl;kernel.maps_protect;1;1;Restrict access to /proc/[pid]/maps;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
 config-data=sysctl;kernel.modules_disabled;1;1;Restrict module loading once this sysctl value is loaded;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
-config-data=sysctl;kernel.perf_event_paranoid;3;1;Restrict unprivileged access to the perf_event_open() system call.;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.perf_event_paranoid;3|4;1;Restrict unprivileged access to the perf_event_open() system call.;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
 config-data=sysctl;kernel.randomize_va_space;2;1;Randomize of memory address locations (ASLR);sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
 config-data=sysctl;kernel.suid_dumpable;0;1;Restrict core dumps;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
 config-data=sysctl;kernel.sysrq;0;1;Disable magic SysRQ;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
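Review bot: Accepting `3|4` still excludes 2, which is the strictest value the upstream kernel documentation defines for `kernel.perf_event_paranoid` (3 and above exist only in distribution- or hardening-patched kernels), so a host running an unpatched mainline kernel can never satisfy this check however it is configured. Keep 2 in the accepted set: `config-data=sysctl;kernel.perf_event_paranoid;2|3|4;1;Restrict unprivileged access to the perf_event_open() system call.;...`. Doing so also resolves the overlap with PATCH 03/57, which edits the same line of the same base blob `aadc4495` to `2|3` and would otherwise conflict with this commit.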
From fd64aa24d64b1281c4d72bc63db80538988caffc Mon Sep 17 00:00:00 2001 From: xnoguer Date: Tue, 18 Apr 2023 16:46:19 -0400 Subject: [PATCH 17/57] Adding test MALW-3291 in order to solve issue 1322 (related to issue 994) --- db/tests.db | 1 + include/consts | 1 + include/tests_malware | 18 ++++++++++++++++++ 3 files changed, 20 insertions(+) diff --git a/db/tests.db b/db/tests.db index e4dc8fbd..206b6008 100644 --- a/db/tests.db +++ b/db/tests.db @@ -275,6 +275,7 @@ MALW-3284:test:security:malware::Check for clamd: MALW-3286:test:security:malware::Check for freshclam: MALW-3288:test:security:malware::Check for ClamXav: MALW-3290:test:security:malware::Presence of malware scanner: +MALW-3291:test:security:malware::Check for Microsoft Defender Antivirus: NAME-4016:test:security:nameservices::Check /etc/resolv.conf default domain: NAME-4018:test:security:nameservices::Check /etc/resolv.conf search domains: NAME-4020:test:security:nameservices::Check non default options: diff --git a/include/consts b/include/consts index 5d618429..714f4a92 100644 --- a/include/consts +++ b/include/consts @@ -169,6 +169,7 @@ ETC_PATHS="/etc /usr/local/etc" MACHINEID="" MACHINE_ROLE="" MALWARE_SCANNER_INSTALLED=0 + MDATPBINARY="" MIN_PASSWORD_LENGTH=-1 MONGODB_RUNNING=0 MOUNTBINARY="" diff --git a/include/tests_malware b/include/tests_malware index 40336fa5..04f7ea76 100644 --- a/include/tests_malware +++ b/include/tests_malware 
@@ -354,6 +354,24 @@ fi # ################################################################################# +# + # Test : MALW-3291 + # Description : Check if Microsoft Defender Antivirus is installed + Register --test-no MALW-3291 --weight L --network NO --category security --description "Check for mdatp" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: checking presence mdatp" + if [ ! "${MDATPBINARY}" = "" ]; then + Display --indent 2 --text "- Checking Microsoft Defender Antivirus" --result "${STATUS_FOUND}" --color GREEN + LogText "Result: Found ${MDATPBINARY}" + MALWARE_SCANNER_INSTALLED=1 + AddHP 2 2 + Report "malware_scanner[]=mdatp" + else + LogText "Result: mdatp couldn't be found" + fi + fi +# +################################################################################# # # Test : MALW-3286 # Description : Check running freshclam if clamd process is running From 7d494da5c49e9ac48bedf8043bd002aa213f879b Mon Sep 17 00:00:00 2001 From: xnoguer Date: Tue, 25 Apr 2023 10:06:02 -0400 Subject: [PATCH 18/57] Checking for errors, not only warning in docker info output --- include/tests_containers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_containers b/include/tests_containers index af10997d..c8d23b2a 100644 --- a/include/tests_containers +++ b/include/tests_containers @@ -107,7 +107,7 @@ LogText "Result: disabling further Docker tests as docker version gave exit code other than zero (0)" RUN_DOCKER_TESTS=0 fi - FIND=$(${DOCKERBINARY} info 2>&1 | ${GREPBINARY} "^WARNING:" | ${CUTBINARY} -d " " -f 2- | ${SEDBINARY} 's/ /:space:/g') + FIND=$(${DOCKERBINARY} info 2>&1 | ${GREPBINARY} -E "^WARNING:|^ERROR:" | ${CUTBINARY} -d " " -f 2- | ${SEDBINARY} 's/ /:space:/g') if [ ! "${FIND}" = "" ]; then LogText "Result: found warning(s) in output" for I in ${FIND}; do From 68da1d2b923d39bba4d56ad4b1f10c17e52b9dca Mon Sep 17 00:00:00 2001 
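Review bot: After widening the grep to `^WARNING:|^ERROR:`, the line right below it, `LogText "Result: found warning(s) in output"`, and the `for I in ${FIND}` loop that follows still describe every hit as a warning, so an ERROR line from `docker info` (which may mean the daemon could not be queried at all) is reported with the same severity as a cosmetic warning. Consider `LogText "Result: found warning(s) or error(s) in output"` and, if the loop adds suggestions per item, distinguishing the two prefixes there. The rest of that loop lies outside the hunk.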
From: xnoguer Date: Wed, 26 Apr 2023 17:38:42 -0400 Subject: [PATCH 19/57] Fixing test on kernel major and minor version --- include/tests_filesystems | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/include/tests_filesystems b/include/tests_filesystems index ab6191aa..fe0877a3 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems @@ -346,7 +346,13 @@ LINUX_KERNEL_MAJOR=$(echo $OS_KERNELVERSION | ${AWKBINARY} -F. '{print $1}') LINUX_KERNEL_MINOR=$(echo $OS_KERNELVERSION | ${AWKBINARY} -F. '{print $2}') if [ -n "${LINUX_KERNEL_MAJOR}" -a -n "${LINUX_KERNEL_MINOR}" ]; then - if [ ${LINUX_KERNEL_MAJOR} -ge 3 -a ${LINUX_KERNEL_MINOR} -ge 3 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ${LINUX_KERNEL_MAJOR} -ge 3 -a ${LINUX_KERNEL_MINOR} -ge 3 ]; then + PREQS_MET="YES"; + elif [ ${LINUX_KERNEL_MAJOR} -ge 4 ]; then + PREQS_MET="YES"; + else + PREQS_MET="NO"; + fi else PREQS_MET="NO"; fi From e1cb35f28fdc4d9340087f581c5408cc629679d6 Mon Sep 17 00:00:00 2001 From: xnoguer Date: Thu, 27 Apr 2023 17:31:32 -0400 Subject: [PATCH 20/57] Adding package libpam-passwdqc as suggestion --- include/tests_authentication | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_authentication b/include/tests_authentication index 0552d646..4f3e8287 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -717,7 +717,7 @@ if [ ${FOUND} -eq 0 ]; then Display --indent 2 --text "- PAM password strength tools" --result "${STATUS_SUGGESTION}" --color YELLOW LogText "Result: no PAM modules for password strength testing found" - ReportSuggestion "${TEST_NO}" "Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc" + ReportSuggestion "${TEST_NO}" "Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc or libpam-passwdqc" AddHP 0 3 else Display --indent 2 --text "- PAM password strength tools" --result "${STATUS_OK}" --color GREEN 
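Review bot: The new `if`/`elif` pair encodes "kernel 3.3 or newer" in a roundabout way, and the first branch keeps the deprecated `-a` inside `[`: a 4.1 kernel fails the first test (minor 1 < 3) and only passes through the `elif`, which reads as an accident rather than intent. A single condition states it directly: `if [ "${LINUX_KERNEL_MAJOR}" -gt 3 ] || { [ "${LINUX_KERNEL_MAJOR}" -eq 3 ] && [ "${LINUX_KERNEL_MINOR}" -ge 3 ]; }; then`. The trailing `;` after `PREQS_MET="YES";` is harmless but not used elsewhere in the file. The test body this gates is outside the hunk.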
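Review bot: The amended suggestion mixes PAM module names with a Debian package name: `libpam-passwdqc` is the package that ships `pam_passwdqc`, so listing both reads as three distinct options. If the aim is to help Debian-based users find the package, `"Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc (package libpam-passwdqc on Debian-based systems)"` keeps the distinction clear.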
From 8ac8629bfe3dcf1168b99baf5c3a3f99d1298eac Mon Sep 17 00:00:00 2001 From: Ian Chesal Date: Wed, 10 May 2023 17:02:33 -0400 Subject: [PATCH 21/57] feat(editorconfig): Add a .editorconfig file to the project Modern editors read this file and use it to enforce formatting consistency in files for a project. See: https://editorconfig.org/ Settings were made accoring to what is written in the CONTRIBUTING.md file. --- .editorconfig | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 .editorconfig diff --git a/.editorconfig b/.editorconfig new file mode 100644 index 00000000..d630ab92 --- /dev/null +++ b/.editorconfig @@ -0,0 +1,7 @@ +# See: https://editorconfig.org/ + +root = true + +[*] +indent_style = space +indent_size = 4 From 1aba2b14090d2ccaeffe3bdb9d0a187f1bb96b79 Mon Sep 17 00:00:00 2001 From: Ian Chesal Date: Wed, 10 May 2023 17:04:57 -0400 Subject: [PATCH 22/57] feat(cos): Add detection for Google's Container-Optimized OS --- include/osdetection | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/include/osdetection b/include/osdetection index 989b1b38..eeeb120d 100644 --- a/include/osdetection +++ b/include/osdetection @@ -208,6 +208,11 @@ OS_NAME="CoreOS Linux" OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') ;; + "cos") + LINUX_VERSION="Container-Optimized OS" + OS_NAME="Container-Optimized OS from Google" + OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + ;; "debian") LINUX_VERSION="Debian" OS_NAME="Debian" From ae129b24beb9e9fc3cde7f45e33fea41a694efd5 Mon Sep 17 00:00:00 2001 From: Xavier Noguer Date: Thu, 18 May 2023 22:02:30 +0000 Subject: [PATCH 23/57] Adding missing test number for suggestion --- include/tests_nameservices | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_nameservices b/include/tests_nameservices index 8c483d08..5431b0ff 100644 --- a/include/tests_nameservices +++ b/include/tests_nameservices 
@@ -485,7 +485,7 @@ LogText "Result: ypldap is running" Display --indent 2 --text "- Checking ypldap status" --result "${STATUS_FOUND}" --color GREEN else - ReportSuggestion "Disable the usage of NIS/NIS+ and use an alternative like LDAP or Kerberos instead" + ReportSuggestion "${TEST_NO}" "Disable the usage of NIS/NIS+ and use an alternative like LDAP or Kerberos instead" fi else LogText "Result: ypbind is not active" From d26a98ca1921a99508267d333107e8121a970c99 Mon Sep 17 00:00:00 2001 From: Xavier Noguer Date: Fri, 2 Jun 2023 09:16:28 +0000 Subject: [PATCH 24/57] Checking debsums default file to make sure cron jobs are enabled --- include/tests_ports_packages | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/include/tests_ports_packages b/include/tests_ports_packages index 9ca1948d..1028d8fb 100644 --- a/include/tests_ports_packages +++ b/include/tests_ports_packages 
@@ -671,9 +671,20 @@ # Check in /etc/cron.hourly, daily, weekly, monthly etc COUNT=$(find /etc/cron* -name debsums | wc -l) if [ ${COUNT} -gt 0 ]; then - LogText "Result: Cron job is configured for debsums utility." - Display --indent 6 --text "- Cron job for debsums" --result "${STATUS_FOUND}" --color GREEN - AddHP 3 3 + CRON_CHECK="" + if [ -f ${ROOTDIR}etc/default/debsums ]; then + CRON_CHECK=$(${GREPBINARY} CRON_CHECK /etc/default/debsums|${AWKBINARY} -F "=" '{print $2}') + fi + if [ "${CRON_CHECK}" = "daily" ] || [ "${CRON_CHECK}" = "weekly" ] || [ "${CRON_CHECK}" = "monthly" ]; then + LogText "Result: Cron job is configured for debsums utility." + Display --indent 6 --text "- Cron job for debsums" --result "${STATUS_FOUND}" --color GREEN + AddHP 3 3 + else + LogText "Result: Cron job is not configured for debsums utility." + Display --indent 6 --text "- Cron job for debsums" --result "${STATUS_NOT_FOUND}" --color YELLOW + AddHP 1 3 + ReportSuggestion "${TEST_NO}" "Check debsums configuration and enable checking regularly via a cron job (CRON_CHECK in default file)." + fi else LogText "Result: Cron job is not configured for debsums utility." Display --indent 6 --text "- Cron job for debsums" --result "${STATUS_NOT_FOUND}" --color YELLOW From bc36b3ec63bfebcc45ebf9a4dd2f550726de8c1e Mon Sep 17 00:00:00 2001 From: Xavier Noguer Date: Tue, 19 Sep 2023 16:12:52 +0000 Subject: [PATCH 25/57] Avoiding warning because of hyphen. Due to changes in grep 3.8 --- include/tests_kernel | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/tests_kernel b/include/tests_kernel index bba8080f..201d803e 100644 --- a/include/tests_kernel +++ b/include/tests_kernel 
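Review bot: The new CRON_CHECK lookup tests for `${ROOTDIR}etc/default/debsums` but then greps `/etc/default/debsums` without `${ROOTDIR}`, so the two paths diverge whenever Lynis is pointed at a mounted root; the `grep CRON_CHECK` pattern is also unanchored and would pick up a commented-out `#CRON_CHECK=...` line or any other mention, producing a multi-line value that never equals daily/weekly/monthly. Suggest `CRON_CHECK=$(${GREPBINARY} "^CRON_CHECK=" ${ROOTDIR}etc/default/debsums | ${AWKBINARY} -F "=" '{print $2}')`. The `find /etc/cron* -name debsums` count in the context line has the same ROOTDIR omission, but that predates this change.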
@@ -692,7 +692,7 @@ else # Match on items like /boot/vm5.3.7 or /boot/vmlinuz-5.3.7-1-default. Sort based on versions (-v) and then find the last item # Note: ignore a rescue kernel (e.g. CentOS) - FOUND_VMLINUZ=$(${LSBINARY} -v ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${GREPBINARY} -v '\-rescue\-' | ${TAILBINARY} -1) + FOUND_VMLINUZ=$(${LSBINARY} -v ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${GREPBINARY} -v '\-rescue-' | ${TAILBINARY} -1) LogText "Result: found ${FOUND_VMLINUZ}" fi From 04a73a9c19bfe5e707cb1f8aeb0ba8f6dbf9a6f7 Mon Sep 17 00:00:00 2001 From: Xavier Noguer Date: Tue, 19 Sep 2023 16:46:20 +0000 Subject: [PATCH 26/57] Reverting change from another PR --- include/tests_php | 65 +++-------------------------------------------- 1 file changed, 4 insertions(+), 61 deletions(-) diff --git a/include/tests_php b/include/tests_php index beb1eca3..b5f53d9a 100644 --- a/include/tests_php +++ b/include/tests_php @@ -37,9 +37,6 @@ ${ROOTDIR}etc/php7.2/php.ini \ ${ROOTDIR}etc/php7.3/php.ini \ ${ROOTDIR}etc/php7.4/php.ini \ - ${ROOTDIR}etc/php8.0/php.ini \ - ${ROOTDIR}etc/php8.1/php.ini \ - ${ROOTDIR}etc/php8.2/php.ini \ ${ROOTDIR}etc/php/cgi-php5/php.ini \ ${ROOTDIR}etc/php/cli-php5/php.ini \ ${ROOTDIR}etc/php/apache2-php5/php.ini \ @@ -50,9 +47,6 @@ ${ROOTDIR}etc/php/apache2-php7.2/php.ini \ ${ROOTDIR}etc/php/apache2-php7.3/php.ini \ ${ROOTDIR}etc/php/apache2-php7.4/php.ini \ - ${ROOTDIR}etc/php/apache2-php8.0/php.ini \ - ${ROOTDIR}etc/php/apache2-php8.1/php.ini \ - ${ROOTDIR}etc/php/apache2-php8.2/php.ini \ ${ROOTDIR}etc/php/cgi-php5.5/php.ini \ ${ROOTDIR}etc/php/cgi-php5.6/php.ini \ ${ROOTDIR}etc/php/cgi-php7.0/php.ini \ 
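Review bot: Only the trailing `\-` was dropped; the pattern handed to `${GREPBINARY} -v` still begins with `\-`, and grep 3.8's "stray \ before -" warning most likely applies to that escape as well, so the warning this commit sets out to silence is probably still printed. The leading backslash seems to exist only so the pattern does not start with `-` and get parsed as an option; `${GREPBINARY} -v -e '-rescue-'` achieves that with no escape at all. The tests_php hunks that follow are a plain revert and need no comment.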
@@ -60,9 +54,6 @@ ${ROOTDIR}etc/php/cgi-php7.2/php.ini \ ${ROOTDIR}etc/php/cgi-php7.3/php.ini \ ${ROOTDIR}etc/php/cgi-php7.4/php.ini \ - ${ROOTDIR}etc/php/cgi-php8.0/php.ini \ - ${ROOTDIR}etc/php/cgi-php8.1/php.ini \ - ${ROOTDIR}etc/php/cgi-php8.2/php.ini \ ${ROOTDIR}etc/php/cli-php5.5/php.ini \ ${ROOTDIR}etc/php/cli-php5.6/php.ini \ ${ROOTDIR}etc/php/cli-php7.0/php.ini \ @@ -70,9 +61,6 @@ ${ROOTDIR}etc/php/cli-php7.2/php.ini \ ${ROOTDIR}etc/php/cli-php7.3/php.ini \ ${ROOTDIR}etc/php/cli-php7.4/php.ini \ - ${ROOTDIR}etc/php/cli-php8.0/php.ini \ - ${ROOTDIR}etc/php/cli-php8.1/php.ini \ - ${ROOTDIR}etc/php/cli-php8.2/php.ini \ ${ROOTDIR}etc/php/embed-php5.5/php.ini \ ${ROOTDIR}etc/php/embed-php5.6/php.ini \ ${ROOTDIR}etc/php/embed-php7.0/php.ini \ @@ -80,12 +68,6 @@ ${ROOTDIR}etc/php/embed-php7.2/php.ini \ ${ROOTDIR}etc/php/embed-php7.3/php.ini \ ${ROOTDIR}etc/php/embed-php7.4/php.ini \ - ${ROOTDIR}etc/php/embed-php8.0/php.ini \ - ${ROOTDIR}etc/php/embed-php8.1/php.ini \ - ${ROOTDIR}etc/php/embed-php8.2/php.ini \ - ${ROOTDIR}etc/php/fpm-php8.2/php.ini \ - ${ROOTDIR}etc/php/fpm-php8.1/php.ini \ - ${ROOTDIR}etc/php/fpm-php8.0/php.ini \ ${ROOTDIR}etc/php/fpm-php7.4/php.ini \ ${ROOTDIR}etc/php/fpm-php7.3/php.ini \ ${ROOTDIR}etc/php/fpm-php7.2/php.ini \ @@ -106,9 +88,6 @@ ${ROOTDIR}etc/php/7.2/apache2/php.ini \ ${ROOTDIR}etc/php/7.3/apache2/php.ini \ ${ROOTDIR}etc/php/7.4/apache2/php.ini \ - ${ROOTDIR}etc/php/8.0/apache2/php.ini \ - ${ROOTDIR}etc/php/8.1/apache2/php.ini \ - ${ROOTDIR}etc/php/8.2/apache2/php.ini \ ${ROOTDIR}etc/php/7.0/cli/php.ini \ ${ROOTDIR}etc/php/7.0/fpm/php.ini \ ${ROOTDIR}etc/php/7.1/cli/php.ini \ 
@@ -119,12 +98,6 @@ ${ROOTDIR}etc/php/7.3/fpm/php.ini \ ${ROOTDIR}etc/php/7.4/cli/php.ini \ ${ROOTDIR}etc/php/7.4/fpm/php.ini \ - ${ROOTDIR}etc/php/8.0/cli/php.ini \ - ${ROOTDIR}etc/php/8.0/fpm/php.ini \ - ${ROOTDIR}etc/php/8.1/cli/php.ini \ - ${ROOTDIR}etc/php/8.1/fpm/php.ini \ - ${ROOTDIR}etc/php/8.2/cli/php.ini \ - ${ROOTDIR}etc/php/8.2/fpm/php.ini \ ${ROOTDIR}var/www/conf/php.ini \ ${ROOTDIR}usr/local/etc/php.ini \ ${ROOTDIR}usr/local/lib/php.ini \ @@ -136,9 +109,6 @@ ${ROOTDIR}usr/local/php72/lib/php.ini \ ${ROOTDIR}usr/local/php73/lib/php.ini \ ${ROOTDIR}usr/local/php74/lib/php.ini \ - ${ROOTDIR}usr/local/php80/lib/php.ini \ - ${ROOTDIR}usr/local/php81/lib/php.ini \ - ${ROOTDIR}usr/local/php82/lib/php.ini \ ${ROOTDIR}usr/local/zend/etc/php.ini \ ${ROOTDIR}usr/pkg/etc/php.ini \ ${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.ini \ @@ -164,18 +134,12 @@ ${ROOTDIR}opt/alt/php72/etc/php.ini \ ${ROOTDIR}opt/alt/php73/etc/php.ini \ ${ROOTDIR}opt/alt/php74/etc/php.ini \ - ${ROOTDIR}opt/alt/php80/etc/php.ini \ - ${ROOTDIR}opt/alt/php81/etc/php.ini \ - ${ROOTDIR}opt/alt/php82/etc/php.ini \ ${ROOTDIR}etc/opt/remi/php56/php.ini \ ${ROOTDIR}etc/opt/remi/php70/php.ini \ ${ROOTDIR}etc/opt/remi/php71/php.ini \ ${ROOTDIR}etc/opt/remi/php72/php.ini \ ${ROOTDIR}etc/opt/remi/php73/php.ini \ - ${ROOTDIR}etc/opt/remi/php74/php.ini \ - ${ROOTDIR}etc/opt/remi/php80/php.ini \ - ${ROOTDIR}etc/opt/remi/php81/php.ini \ - ${ROOTDIR}etc/opt/remi/php82/php.ini" + ${ROOTDIR}etc/opt/remi/php74/php.ini" # HEADS-UP: OpenBSD, last two releases are supported, and snapshots of -current PHPINILOCS="${PHPINILOCS} \ ${ROOTDIR}etc/php-5.6.ini \ @@ -183,10 +147,7 @@ ${ROOTDIR}etc/php-7.1.ini \ ${ROOTDIR}etc/php-7.2.ini \ ${ROOTDIR}etc/php-7.3.ini \ - ${ROOTDIR}etc/php-7.4.ini \ - ${ROOTDIR}etc/php-8.0.ini \ - ${ROOTDIR}etc/php-8.1.ini \ - ${ROOTDIR}etc/php-8.2.ini" + ${ROOTDIR}etc/php-7.4.ini" PHPINIDIRS="${ROOTDIR}etc/php5/conf.d \ ${ROOTDIR}etc/php/7.0/cli/conf.d \ 
@@ -194,17 +155,11 @@ ${ROOTDIR}etc/php/7.2/cli/conf.d \ ${ROOTDIR}etc/php/7.3/cli/conf.d \ ${ROOTDIR}etc/php/7.4/cli/conf.d \ - ${ROOTDIR}etc/php/8.0/cli/conf.d \ - ${ROOTDIR}etc/php/8.1/cli/conf.d \ - ${ROOTDIR}etc/php/8.2/cli/conf.d \ ${ROOTDIR}etc/php/7.0/fpm/conf.d \ ${ROOTDIR}etc/php/7.1/fpm/conf.d \ ${ROOTDIR}etc/php/7.2/fpm/conf.d \ ${ROOTDIR}etc/php/7.3/fpm/conf.d \ ${ROOTDIR}etc/php/7.4/fpm/conf.d \ - ${ROOTDIR}etc/php/8.0/fpm/conf.d \ - ${ROOTDIR}etc/php/8.1/fpm/conf.d \ - ${ROOTDIR}etc/php/8.2/fpm/conf.d \ ${ROOTDIR}etc/php.d \ ${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.d \ ${ROOTDIR}opt/cpanel/ea-php55/root/etc/php.d \ @@ -214,9 +169,6 @@ ${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.d \ ${ROOTDIR}opt/cpanel/ea-php73/root/etc/php.d \ ${ROOTDIR}opt/cpanel/ea-php74/root/etc/php.d \ - ${ROOTDIR}opt/cpanel/ea-php80/root/etc/php.d \ - ${ROOTDIR}opt/cpanel/ea-php81/root/etc/php.d \ - ${ROOTDIR}opt/cpanel/ea-php82/root/etc/php.d \ ${ROOTDIR}opt/alt/php44/etc/php.d.all \ ${ROOTDIR}opt/alt/php51/etc/php.d.all \ ${ROOTDIR}opt/alt/php52/etc/php.d.all \ @@ -229,18 +181,12 @@ ${ROOTDIR}opt/alt/php72/etc/php.d.all \ ${ROOTDIR}opt/alt/php73/etc/php.d.all \ ${ROOTDIR}opt/alt/php74/etc/php.d.all \ - ${ROOTDIR}opt/alt/php80/etc/php.d.all \ - ${ROOTDIR}opt/alt/php81/etc/php.d.all \ - ${ROOTDIR}opt/alt/php82/etc/php.d.all \ ${ROOTDIR}usr/local/lib/php.conf.d \ ${ROOTDIR}usr/local/php70/lib/php.conf.d \ ${ROOTDIR}usr/local/php71/lib/php.conf.d \ ${ROOTDIR}usr/local/php72/lib/php.conf.d \ ${ROOTDIR}usr/local/php73/lib/php.conf.d \ - ${ROOTDIR}usr/local/php74/lib/php.conf.d \ - ${ROOTDIR}usr/local/php80/lib/php.conf.d \ - ${ROOTDIR}usr/local/php81/lib/php.conf.d \ - ${ROOTDIR}usr/local/php82/lib/php.conf.d" + ${ROOTDIR}usr/local/php74/lib/php.conf.d" # HEADS-UP: OpenBSD, last two releases are supported, and snapshots of -current PHPINIDIRS="${PHPINIDIRS} \ ${ROOTDIR}etc/php-5.6 \ 
@@ -248,10 +194,7 @@ ${ROOTDIR}etc/php-7.1 \ ${ROOTDIR}etc/php-7.2 \ ${ROOTDIR}etc/php-7.3 \ - ${ROOTDIR}etc/php-7.4 \ - ${ROOTDIR}etc/php-8.0 \ - ${ROOTDIR}etc/php-8.1 \ - ${ROOTDIR}etc/php-8.2" + ${ROOTDIR}etc/php-7.4" # ################################################################################# # From a5dbda51b9b44d9f2131271d8dfae0784fbf17c9 Mon Sep 17 00:00:00 2001 From: Xavier Noguer Date: Tue, 19 Sep 2023 16:47:23 +0000 Subject: [PATCH 27/57] Reverting change from another PR --- include/tests_php | 3 --- 1 file changed, 3 deletions(-) diff --git a/include/tests_php b/include/tests_php index b5f53d9a..04502f68 100644 --- a/include/tests_php +++ b/include/tests_php @@ -119,9 +119,6 @@ ${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.ini \ ${ROOTDIR}opt/cpanel/ea-php73/root/etc/php.ini \ ${ROOTDIR}opt/cpanel/ea-php74/root/etc/php.ini \ - ${ROOTDIR}opt/cpanel/ea-php80/root/etc/php.ini \ - ${ROOTDIR}opt/cpanel/ea-php81/root/etc/php.ini \ - ${ROOTDIR}opt/cpanel/ea-php82/root/etc/php.ini \ ${ROOTDIR}opt/alt/php44/etc/php.ini \ ${ROOTDIR}opt/alt/php51/etc/php.ini \ ${ROOTDIR}opt/alt/php52/etc/php.ini \ From 90ece5444507578dceb25ff34236bea259134a62 Mon Sep 17 00:00:00 2001 From: Hugo Rodrigues Date: Wed, 13 Dec 2023 12:40:05 +0000 Subject: [PATCH 28/57] Fixed Alpine Linux installed package detection --- include/functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/functions b/include/functions index 9c52044b..71a938c4 100644 --- a/include/functions +++ b/include/functions @@ -2099,7 +2099,7 @@ output=$(${XBPSBINARY} ${package} 2> /dev/null | ${GREPBINARY} "^ii") exit_code=$? elif [ -n "${APKBINARY}" ]; then - output=$(${APKBINARY} search ${package} 2> /dev/null | ${GREPBINARY} ${package}) + output=$(${APKBINARY} list --installed ${package} 2> /dev/null | ${GREPBINARY} ${package}) exit_code=$? else if [ "${package}" != "__dummy__" ]; then From 126b8053aa08b739f5d41a0ace498fd82e7e79b1 Mon Sep 17 00:00:00 2001 
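Review bot: The switch to `apk list --installed ${package}` fixes the installed-versus-available confusion, but the trailing `| ${GREPBINARY} ${package}` is still an unanchored substring match, so a query for `curl` would also be satisfied by a `libcurl` line and the caller would conclude the package is present. If `apk list --installed` already restricts its output to the named package, as its argument suggests, the grep can go; otherwise anchor it on the `name-version` form apk appears to print first, `${GREPBINARY} "^${package}-"`. The enclosing function starts and ends outside the hunk.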
From: Florian Sonnenschein Date: Mon, 11 Mar 2024 12:14:31 +0100 Subject: [PATCH 29/57] PKGS-7303: Added version numbers to brew packages. This allows lynis enterprise to render the software packages in the webinterface. --- include/tests_ports_packages | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/include/tests_ports_packages b/include/tests_ports_packages index 81babdc3..5fded96e 100644 --- a/include/tests_ports_packages +++ b/include/tests_ports_packages @@ -127,11 +127,15 @@ LogText "Test: Querying brew to get package list" Display --indent 4 --text "- Querying brew for installed packages" LogText "Output:"; LogText "-----" - GPACKAGES=$(brew list) - for J in ${GPACKAGES}; do - LogText "Found package ${J}" - INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J}" - done + GPACKAGES=$(brew list --versions) + while IFS= read -r PKG; do + PACKAGE_NAME=$(echo ${PKG} | ${CUTBINARY} -d ' ' -f1) + PACKAGE_VERSION=$(echo ${PKG} | ${CUTBINARY} -d ' ' -f2) + LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})" + INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}" + done << EOF +$GPACKAGES +EOF else LogText "Result: brew can NOT be found on this system" fi From 0b7e8c3bfe82ae650c0b625f32ae42e592b6e7cd Mon Sep 17 00:00:00 2001 From: Florian Sonnenschein Date: Mon, 11 Mar 2024 10:25:46 +0100 Subject: [PATCH 30/57] Added CRYP-7932 to determine if the system has enabled macOS FileVault. --- include/tests_crypto | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/include/tests_crypto b/include/tests_crypto index a643b6c0..b7279163 100644 --- a/include/tests_crypto +++ b/include/tests_crypto 
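Review bot: When `brew list --versions` prints nothing, the here-doc still feeds one empty line to the loop, so a blank package is logged and `|,` is appended to INSTALLED_PACKAGES; add `[ -z "${PKG}" ] && continue` as the first statement of the loop. `${CUTBINARY} -d ' ' -f2` also keeps only the first version if brew lists several installed versions of one formula on the same line, which may or may not be what the consumer expects. `echo ${PKG}` should be quoted so the line reaches cut unchanged.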
@@ -217,6 +217,27 @@ fi # ################################################################################# +# + # Test : CRYP-7932 + # Description : Determine if system has enabled macOS FileVault encryption + Register --test-no CRYP-7932 --os macOS --weight L --network NO --category crypto --description "Determine if system has enabled macOS FileVault encryption" + if [ ${SKIPTEST} -eq 0 ]; then + filevault_status=$(fdesetup status) + + case "$filevault_status" in + *"FileVault is On."*) + LogText "Result: FileVault is enabled." + Display --indent 2 --text "- FileVault is enabled." --result "${STATUS_OK}" --color GREEN + Report "encryption[]=filevault" + ;; + *) + LogText "Result: FileVault is not enabled." + Display --indent 2 --text "- FileVault is not enabled." --result "${STATUS_WARNING}" --color RED + ;; + esac + fi +# +################################################################################# # # Test : CRYP-8002 # Description : Gather available kernel entropy From e23898b52bafd1b772ba93e69f2e8637d7266520 Mon Sep 17 00:00:00 2001 From: Florian Sonnenschein Date: Mon, 11 Mar 2024 12:21:51 +0100 Subject: [PATCH 31/57] Added PKGS-7305 Query macOS Apps in /Applications and Apple CoreServices and add them to the Report --- include/tests_ports_packages | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/include/tests_ports_packages b/include/tests_ports_packages index 81babdc3..d5625446 100644 --- a/include/tests_ports_packages +++ b/include/tests_ports_packages 
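Review bot: The `*)` arm reports FileVault as not enabled with STATUS_WARNING but records nothing for the report or the hardening index: no `ReportSuggestion` and no `AddHP`, unlike sibling tests on this page such as the debsums check, which pairs a yellow result with `AddHP`/`ReportSuggestion`. Suggested additions in that arm are `AddHP 0 3` and `ReportSuggestion "${TEST_NO}" "Enable FileVault full-disk encryption"`, with `AddHP 3 3` next to the `Report "encryption[]=filevault"` line. `fdesetup status` is also invoked bare and its exit status is not checked, so a failed invocation or a changed status string falls silently into the not-enabled branch; if `fdesetup isactive` is available on the supported macOS versions its exit status would be a sturdier signal than matching `"FileVault is On."`.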
@@ -158,6 +158,29 @@ LogText "Result: emerge can NOT be found on this system" fi # +################################################################################# +# + # Test : PKGS-7305 + # Description : Query macOS Apps in /Applications and CoreServices + Register --test-no PKGS-7305 --os macOS --weight L --network NO --category security --description "Query macOS Apps in /Applications and CoreServices" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: Querying Apps in /Applications" + Display --indent 4 --text "- Querying macOS Apps in /Applications" + LogText "Output:"; LogText "-----" + for APP in /Applications/*.app; do + PACKAGE_NAME=$(basename "$APP" .app) + PACKAGE_VERSION=$(defaults read "$APP/Contents/Info" CFBundleShortVersionString 2>/dev/null || echo "N/A") + LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})" + INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}" + done + Display --indent 4 --text "- Querying Apple CoreServices" + for CS in /Library/Apple/System/Library/CoreServices/*.app; do + PACKAGE_NAME=$(basename "$CS" .app) + PACKAGE_VERSION=$(defaults read "$CS/Contents/Info" CFBundleShortVersionString 2>/dev/null || echo "N/A") + LogText "Found CoreServices: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})" + INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}" + done + fi # ################################################################################# # From f36e39063a1410c24d1a2f85284600004154bd44 Mon Sep 17 00:00:00 2001 From: Ikko Eltociear Ashimine Date: Fri, 22 Mar 2024 14:42:14 +0900 Subject: [PATCH 32/57] Update osdetection minor fix --- include/osdetection | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/osdetection b/include/osdetection index ef4bd587..22648dde 100644 --- a/include/osdetection +++ b/include/osdetection 
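Review bot: `for APP in /Applications/*.app` has no no-match guard, so on a system where the glob matches nothing the literal pattern is processed, `defaults read` fails and a package named `*` with version N/A is appended; the CoreServices loop has the same gap. Add `[ -e "${APP}" ] || continue` (and the equivalent for `${CS}`) as the first statement of each loop. Bundle names may also contain `,` or `|`, the very characters INSTALLED_PACKAGES uses as field separators, which would corrupt the entry for whatever consumes that list.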
@@ -445,7 +445,7 @@ OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') ;; *) - ReportException "OS Detection" "Unknown OS found in /etc/os-release - Please create an issue on GitHub and share the the contents (cat /etc/os-release): ${PROGRAM_SOURCE}" + ReportException "OS Detection" "Unknown OS found in /etc/os-release - Please create an issue on GitHub and share the contents (cat /etc/os-release): ${PROGRAM_SOURCE}" ;; esac fi From 58d084ef71333cb4302a560426a538507e40b74e Mon Sep 17 00:00:00 2001 From: TCH Date: Tue, 26 Mar 2024 20:50:50 +0100 Subject: [PATCH 33/57] Update osdetection --- include/osdetection | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/include/osdetection b/include/osdetection index ef4bd587..e5789c88 100644 --- a/include/osdetection +++ b/include/osdetection @@ -332,6 +332,12 @@ OS_REDHAT_OR_CLONE=1 OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') ;; + "nobara") + LINUX_VERSION="Nobara" + OS_NAME="Nobara Linux" + OS_REDHAT_OR_CLONE=1 + OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + ;; "nodistro") LINUX_VERSION="openembedded" OS_NAME="OpenEmbedded" From afd0eaddf07e9950eedbded537a96dda6cfe44d1 Mon Sep 17 00:00:00 2001 From: Tobias Svenblad <59305921+tsvenbla@users.noreply.github.com> Date: Thu, 28 Mar 2024 22:01:14 +0200 Subject: [PATCH 34/57] Added regex for NETW-3200 in tests_networking Changed the check /bin/true to /bin/(true|false) to be more inclusive and get rid of false positives. --- include/tests_networking | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/tests_networking b/include/tests_networking index 116f3760..44a65708 100644 --- a/include/tests_networking +++ b/include/tests_networking 
@@ -750,7 +750,7 @@ UNCOMMON_PROTOCOL_DISABLED=0 # First check modprobe.conf if [ -f ${ROOTDIR}etc/modprobe.conf ]; then - DATA=$(${GREPBINARY} "^install \+${P} \+/bin/true$" ${ROOTDIR}etc/modprobe.conf) + DATA=$(${GREPBINARY} "^install \+${P} \+/bin/(true|false)$" ${ROOTDIR}etc/modprobe.conf) if [ -n "${DATA}" ]; then LogText "Result: found ${P} module disabled via modprobe.conf" UNCOMMON_PROTOCOL_DISABLED=1 @@ -759,7 +759,7 @@ # Then additional modprobe configuration files if [ -d ${ROOTDIR}etc/modprobe.d ]; then # Return file names (-l) and suppress errors (-s) - DATA=$(${GREPBINARY} -l -s "^install \+${P} \+/bin/true$" ${ROOTDIR}etc/modprobe.d/*) + DATA=$(${GREPBINARY} -l -s "^install \+${P} \+/bin/(true|false)$" ${ROOTDIR}etc/modprobe.d/*) if [ -n "${DATA}" ]; then UNCOMMON_PROTOCOL_DISABLED=1 for F in ${DATA}; do From 48cb2c7cb89e09ad4c56607bd39ce52eafba639f Mon Sep 17 00:00:00 2001 From: Constacalm <163557834+Constacalm@users.noreply.github.com> Date: Mon, 1 Apr 2024 14:48:23 +0300 Subject: [PATCH 35/57] Update osdetection (ALT Linux) Consider to update osdetection script to detect ALT Linux distro in issue #1465 (https://github.com/CISOfy/lynis/issues/1465) --- include/osdetection | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/include/osdetection b/include/osdetection index ef4bd587..3aab00ab 100644 --- a/include/osdetection +++ b/include/osdetection @@ -160,6 +160,11 @@ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') ;; + "altlinux") + LINUX_VERSION="ALT Linux" + OS_NAME="altlinux" + OS_VERSION=$(grep "^ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + ;; "amzn") LINUX_VERSION="Amazon Linux" OS_NAME="Amazon Linux" From 75818a636cd07461974e2eb3d9838d3d722c87b1 Mon Sep 17 00:00:00 2001 
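Review bot: `/bin/(true|false)` is an extended-regex alternation, but both grep invocations run in basic-regex mode (no `-E`), where GNU grep treats `(`, `|` and `)` as literal characters, so the pattern now matches neither `install dccp /bin/true` nor the `/bin/false` form and every protocol will be reported as not disabled; the second hunk (`-l -s` over modprobe.d) has the same problem. Either escape for BRE, `"^install \+${P} \+/bin/\(true\|false\)$"`, or switch to `-E "^install +${P} +/bin/(true|false)$"` (under `-E` the existing `\+` would become a literal plus). Checking this against a sample modprobe.d file before merging would have caught it; the loop that sets `${P}` is outside the hunk.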
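Review bot: The new `"altlinux"` case fills OS_VERSION from the `ID=` line of /etc/os-release, which yields the string `altlinux` rather than a version; every neighbouring case reads `VERSION_ID=`. Unless ALT Linux omits VERSION_ID (the linked issue would settle that), this looks like a copy error: `OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')`. OS_NAME is also set to the lowercase id `altlinux` while the other entries put the human-readable name there and the id-like value in LINUX_VERSION.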
From: vk6xebec <59078659+vk6xebec@users.noreply.github.com> Date: Sun, 7 Apr 2024 11:02:14 +0800 Subject: [PATCH 36/57] McAfee antivirus has been deprecated As of 1 Oct 2023, McAfee antivirus for Linux has been deprecated https://www.mcafee.com/support/?locale=no-NO&articleId=TS103384&page=shell&shell=article-view --- include/tests_malware | 29 ++++++++++++----------------- 1 file changed, 12 insertions(+), 17 deletions(-) diff --git a/include/tests_malware b/include/tests_malware index 87a721bc..a4a51315 100644 --- a/include/tests_malware +++ b/include/tests_malware 
@@ -46,23 +46,18 @@ TRENDMICRO_DSA_DAEMON_RUNNING=0 # ################################################################################# -# - # Test : MALW-3274 - # Description : Check for installed tool (McAfee VirusScan for Command Line) - Register --test-no MALW-3274 --weight L --network NO --category security --description "Check for McAfee VirusScan Command Line" - if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: checking presence McAfee VirusScan for Command Line" - if [ -x /usr/local/uvscan/uvscan ]; then - Display --indent 2 --text "- ${GEN_CHECKING} McAfee VirusScan for Command Line" --result "${STATUS_FOUND}" --color GREEN - LogText "Result: Found ${MCAFEECLBINARY}" - MALWARE_SCANNER_INSTALLED=1 - AddHP 2 2 - Report "malware_scanner[]=mcafeecl" - else - LogText "Result: McAfee VirusScan for Command Line not found" - fi - fi -# +# Test : MALW-3274 +# Description : Check for installed tool (McAfee VirusScan for Command Line) +Register --test-no MALW-3274 --weight L --network NO --category security --description "Check for McAfee VirusScan Command Line" +if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: checking presence McAfee VirusScan for Command Line" + if [ -x /usr/local/uvscan/uvscan ]; then + Display --indent 2 --text "- ${GEN_CHECKING} McAfee VirusScan for Command Line" --result "${STATUS_FOUND}" --color RED + LogText "Result: Found ${MCAFEECLBINARY}" + MALWARE_SCANNER_INSTALLED=0 + AddHP 0 2 + LogText "Result: McAfee Antivirus for Linux has been deprecated as of 1 Oct 2023 and will not receive updates. Please use another antivirus instead." +fi ################################################################################# # # Test : MALW-3275 From c9f89cd5f41bfbcb8f6d3cf720c4aa2da3e3feb2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?O=C4=9Fuz=20Ersen?= Date: Wed, 10 Apr 2024 13:20:24 +0300 Subject: [PATCH 37/57] Update tr --- db/languages/tr | 172 ++++++++++++++++++++++++------------------------ 1 file changed, 86 insertions(+), 86 deletions(-) 
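Review bot: The rewritten block opens two `if` statements (`if [ ${SKIPTEST} -eq 0 ]` and `if [ -x /usr/local/uvscan/uvscan ]`) but closes only one with `fi`, so include/tests_malware will no longer parse and every test in that file is lost. A minimal repair adds a second `fi` after the existing one, and the deprecation finding should reach the report rather than only the log: `ReportSuggestion "${TEST_NO}" "McAfee VirusScan for Linux is deprecated since 1 Oct 2023; replace it with a maintained malware scanner"` before the inner `fi`. The block was also de-indented to column 0 while the rest of the file indents test bodies (compare the MALW-3291 hunk earlier on this page), and `${MCAFEECLBINARY}` is logged although the check tests a hard-coded path. `MALWARE_SCANNER_INSTALLED=0` inside the found branch would also reset a value set by an earlier test should this block ever stop being the first one in the file.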
diff --git a/db/languages/tr b/db/languages/tr
index 585cfed5..3df59a53 100644
--- a/db/languages/tr
+++ b/db/languages/tr
@@ -1,108 +1,108 @@ -ERROR_NO_LICENSE="Lisans anahtarı yapılandırılmamış" -ERROR_NO_UPLOAD_SERVER="Yükleme sunucusu yapılandırılmamış" -GEN_CHECKING="Kontrol ediyor" -GEN_CURRENT_VERSION="Mevcut Sürüm" +ERROR_NO_LICENSE="Lisans anahtarı yapılandırılmadı" +ERROR_NO_UPLOAD_SERVER="Yükleme sunucusu yapılandırılmadı" +GEN_CHECKING=" Denetleniyor" +GEN_CURRENT_VERSION="Geçerli sürüm" GEN_DEBUG_MODE="Hata ayıklama modu" GEN_INITIALIZE_PROGRAM="Program başlatılıyor" -GEN_LATEST_VERSION="Son sürüm" -GEN_PHASE="faz" -GEN_PLUGINS_ENABLED="Yapılandırılmış eklentiler" -GEN_UPDATE_AVAILABLE="güncelleme mevcut" -GEN_VERBOSE_MODE="Detay modu" +GEN_LATEST_VERSION="En son sürüm" +GEN_PHASE="evre" +GEN_PLUGINS_ENABLED="Etkinleştirilen eklentiler" +GEN_UPDATE_AVAILABLE="güncelleme var" +GEN_VERBOSE_MODE="Ayrıntılı mod" GEN_WHAT_TO_DO="Yapılması gerekenler" -NOTE_EXCEPTIONS_FOUND_DETAILED="Bazı istisnai durumlar ve bilgiler bulundu" NOTE_EXCEPTIONS_FOUND="İstisnalar bulundu" -NOTE_PLUGINS_TAKE_TIME="Not: eklentiler daha detaylı testler içermektedir ve tamamlanmaları uzun sürebilir" +NOTE_EXCEPTIONS_FOUND_DETAILED="Bazı istisnai olaylar veya bilgiler bulundu" +NOTE_PLUGINS_TAKE_TIME="Not: eklentiler daha kapsamlı testlere sahiptir ve tamamlanması birkaç dakika sürebilir" NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Yetkisiz çalışma nedeniyle atlanan testler" -#SECTION_ACCOUNTING="Accounting" -#SECTION_BANNERS_AND_IDENTIFICATION="Banners and identification" -#SECTION_BASICS="Basics" -#SECTION_BOOT_AND_SERVICES="Boot and services" -#SECTION_CONTAINERS="Containers" -#SECTION_CRYPTOGRAPHY="Cryptography" +SECTION_ACCOUNTING="Hesaplama" +SECTION_BANNERS_AND_IDENTIFICATION="Afişler ve tanımlama" +SECTION_BASICS="Temel Bilgiler" +SECTION_BOOT_AND_SERVICES="Önyükleme ve hizmetler" +SECTION_CONTAINERS="Konteynerler" +SECTION_CRYPTOGRAPHY="Kriptografi" SECTION_CUSTOM_TESTS="Özel testler" -#SECTION_DATABASES="Databases" -#SECTION_DATA_UPLOAD="Data upload" -#SECTION_DOWNLOADS="Downloads" 
-#SECTION_EMAIL_AND_MESSAGING="Software: e-mail and messaging" -#SECTION_FILE_INTEGRITY="Software: file integrity" -#SECTION_FILE_PERMISSIONS="File Permissions" -#SECTION_FILE_SYSTEMS="File systems" -#SECTION_FIREWALLS="Software: firewalls" -#SECTION_GENERAL="General" -#SECTION_HARDENING="Hardening" -#SECTION_HOME_DIRECTORIES="Home directories" -#SECTION_IMAGE="Image" -#SECTION_INITIALIZING_PROGRAM="Initializing program" -#SECTION_INSECURE_SERVICES="Insecure services" -#SECTION_KERNEL_HARDENING="Kernel Hardening" -#SECTION_KERNEL="Kernel" -#SECTION_LDAP_SERVICES="LDAP Services" -#SECTION_LOGGING_AND_FILES="Logging and files" -SECTION_MALWARE="Kötücül yazılım" -SECTION_MEMORY_AND_PROCESSES="Bellek ve Prosesler" -#SECTION_NAME_SERVICES="Name services" -#SECTION_NETWORKING="Networking" -#SECTION_PERMISSIONS="Permissions" -#SECTION_PORTS_AND_PACKAGES="Ports and packages" -#SECTION_PRINTERS_AND_SPOOLS="Printers and Spools" -#SECTION_PROGRAM_DETAILS="Program Details" -#SECTION_SCHEDULED_TASKS="Scheduled tasks" -#SECTION_SECURITY_FRAMEWORKS="Security frameworks" -#SECTION_SHELLS="Shells" -#SECTION_SNMP_SUPPORT="SNMP Support" -#SECTION_SOFTWARE="Software" -#SECTION_SQUID_SUPPORT="Squid Support" -#SECTION_SSH_SUPPORT="SSH Support" -#SECTION_STORAGE="Storage" -#SECTION_SYSTEM_INTEGRITY="Software: System integrity" -#SECTION_SYSTEM_TOOLING="Software: System tooling" -#SECTION_SYSTEM_TOOLS="System tools" -#SECTION_TIME_AND_SYNCHRONIZATION="Time and Synchronization" -#SECTION_USB_DEVICES="USB Devices" -#SECTION_USERS_GROUPS_AND_AUTHENTICATION="Users, Groups and Authentication" -#SECTION_VIRTUALIZATION="Virtualization" -#SECTION_WEBSERVER="Software: webserver" -#STATUS_ACTIVE="ACTIVE" -#STATUS_CHECK_NEEDED="CHECK NEEDED" -#STATUS_DEBUG="DEBUG" -#STATUS_DEFAULT="DEFAULT" -#STATUS_DIFFERENT="DIFFERENT" -STATUS_DISABLED="ETKİSİZLEŞTİRİLMİŞ" +SECTION_DATA_UPLOAD="Veri yükleme" +SECTION_DATABASES="Veri tabanları" +SECTION_DOWNLOADS="İndirilenler" 
+SECTION_EMAIL_AND_MESSAGING="Yazılım: e-posta ve mesajlaşma" +SECTION_FILE_INTEGRITY="Yazılım: dosya bütünlüğü" +SECTION_FILE_PERMISSIONS="Dosya izinleri" +SECTION_FILE_SYSTEMS="Dosya sistemleri" +SECTION_FIREWALLS="Yazılım: güvenlik duvarları" +SECTION_GENERAL="Genel" +SECTION_HARDENING="Sıkılaştırma" +SECTION_HOME_DIRECTORIES="Ev dizinleri" +SECTION_IMAGE="Kalıp" +SECTION_INITIALIZING_PROGRAM="Program başlatılıyor" +SECTION_INSECURE_SERVICES="Güvensiz hizmetler" +SECTION_KERNEL="Çekirdek" +SECTION_KERNEL_HARDENING="Çekirdek Sıkılaştırma" +SECTION_LDAP_SERVICES="LDAP Hizmetleri" +SECTION_LOGGING_AND_FILES="Günlük kaydı ve dosyalar" +SECTION_MALWARE="Yazılım: Kötü Amaçlı Yazılım" +SECTION_MEMORY_AND_PROCESSES="Bellek ve Süreçler" +SECTION_NAME_SERVICES="Ad hizmetleri" +SECTION_NETWORKING="Ağ İletişimi" +SECTION_PERMISSIONS="İzinler" +SECTION_PORTS_AND_PACKAGES="Bağlantı noktaları ve paketler" +SECTION_PRINTERS_AND_SPOOLS="Yazıcılar ve Biriktiriciler" +SECTION_PROGRAM_DETAILS="Program Ayrıntıları" +SECTION_SCHEDULED_TASKS="Zamanlanan görevler" +SECTION_SECURITY_FRAMEWORKS="Güvenlik çerçeveleri" +SECTION_SHELLS="Kabuklar" +SECTION_SNMP_SUPPORT="SNMP Desteği" +SECTION_SOFTWARE="Yazılım" +SECTION_SQUID_SUPPORT="Squid Desteği" +SECTION_SSH_SUPPORT="SSH Desteği" +SECTION_STORAGE="Depolama" +SECTION_SYSTEM_INTEGRITY="Yazılım: Sistem bütünlüğü" +SECTION_SYSTEM_TOOLING="Yazılım: Sistem araçları" +SECTION_SYSTEM_TOOLS="Sistem araçları" +SECTION_TIME_AND_SYNCHRONIZATION="Zaman ve Eşzamanlama" +SECTION_USB_DEVICES="USB Aygıtları" +SECTION_USERS_GROUPS_AND_AUTHENTICATION="Kullanıcılar, Gruplar ve Kimlik Doğrulama" +SECTION_VIRTUALIZATION="Sanallaştırma" +SECTION_WEBSERVER="Yazılım: web sunucusu" +STATUS_ACTIVE=" ETKİN" +STATUS_CHECK_NEEDED=" DENETİM GEREKLI" +STATUS_DEBUG="HATA AYIKLAMA" +STATUS_DEFAULT="ÖNTANIMLI" +STATUS_DIFFERENT="FARKLI" +STATUS_DISABLED="DEVRE DIŞI BIRAKILDI" STATUS_DONE="TAMAMLANDI" -STATUS_ENABLED="ETKİNLEŞTİRİLMİŞ" +STATUS_ENABLED="ETKİNLEŞTİRİLDİ" 
STATUS_ERROR="HATA" -#STATUS_EXPOSED="EXPOSED" -#STATUS_FAILED="FAILED" -#STATUS_FILES_FOUND="FILES FOUND" +STATUS_EXPOSED="AÇIKTA BIRAKILDI" +STATUS_FAILED="BAŞARISIZ" +STATUS_FILES_FOUND="DOSYALAR BULUNDU" STATUS_FOUND="BULUNDU" -#STATUS_HARDENED="HARDENED" -#STATUS_INSTALLED="INSTALLED" -#STATUS_LOCAL_ONLY="LOCAL ONLY" -#STATUS_MEDIUM="MEDIUM" +STATUS_HARDENED="SIKILAŞTIRILDI" +STATUS_INSTALLED="KURULU" +STATUS_LOCAL_ONLY="YALNIZCA YEREL" +STATUS_MEDIUM="ORTA" STATUS_NO="HAYIR" -#STATUS_NON_DEFAULT="NON DEFAULT" +STATUS_NO_UPDATE="GÜNCELLEME YOK" +STATUS_NON_DEFAULT="ÖNTANIMLI OLMAYAN" STATUS_NONE="YOK" -STATUS_NOT_ACTIVE="NOT ACTIVE" -#STATUS_NOT_CONFIGURED="NOT CONFIGURED" -#STATUS_NOT_DISABLED="NOT DISABLED" -#STATUS_NOT_ENABLED="NOT ENABLED" +STATUS_NOT_ACTIVE="ETKİN DEĞİL" +STATUS_NOT_CONFIGURED="YAPILANDIRILMADI" +STATUS_NOT_DISABLED="DEVRE DIŞI BIRAKILMADI" +STATUS_NOT_ENABLED="ETKİNLEŞTİRİLMEDİ" STATUS_NOT_FOUND="BULUNAMADI" STATUS_NOT_RUNNING="ÇALIŞMIYOR" -#STATUS_NO_UPDATE="NO UPDATE" STATUS_OFF="KAPALI" STATUS_OK="TAMAM" STATUS_ON="AÇIK" -#STATUS_PARTIALLY_HARDENED="PARTIALLY HARDENED" -#STATUS_PROTECTED="PROTECTED" +STATUS_PARTIALLY_HARDENED="KISMEN SIKILAŞTIRILDI" +STATUS_PROTECTED="KORUMALI" STATUS_RUNNING="ÇALIŞIYOR" STATUS_SKIPPED="ATLANDI" STATUS_SUGGESTION="ÖNERİ" STATUS_UNKNOWN="BİLİNMİYOR" -#STATUS_UNSAFE="UNSAFE" -#STATUS_UPDATE_AVAILABLE="UPDATE AVAILABLE" +STATUS_UNSAFE="GÜVENLİ DEĞİL" +STATUS_UPDATE_AVAILABLE="GÜNCELLEME VAR" STATUS_WARNING="UYARI" -#STATUS_WEAK="WEAK" +STATUS_WEAK="ZAYIF" STATUS_YES="EVET" -TEXT_UPDATE_AVAILABLE="güncelleme mevcut" -TEXT_YOU_CAN_HELP_LOGFILE="Log dosyanızı göndererek yardımcı olabilirsiniz" +TEXT_UPDATE_AVAILABLE="güncelleme var" +TEXT_YOU_CAN_HELP_LOGFILE="Günlük dosyanızı göndererek yardımcı olabilirsiniz" From 8d7c30fd9a0d07632287135aec2f255271099bb7 Mon Sep 17 00:00:00 2001 
From: katleese Date: Mon, 29 Apr 2024 10:21:59 +0200 Subject: [PATCH 38/57] changed AllowUsers to AllowGroups in test SSH-7440
---
 include/tests_ssh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/tests_ssh b/include/tests_ssh
index 6ab6f193..43bf7145 100644
--- a/include/tests_ssh
+++ b/include/tests_ssh
@@ -312,7 +312,7 @@
 # AllowGroups
 FIND=$(${GREPBINARY} -E -i "^AllowGroups" ${SSH_DAEMON_OPTIONS_FILE} | ${AWKBINARY} '{ print $2 }')
 if [ -n "${FIND}" ]; then
- LogText "Result: AllowUsers set ${FIND}"
+ LogText "Result: AllowGroups set ${FIND}"
 Display --indent 4 --text "- OpenSSH option: AllowGroups" --result "${STATUS_FOUND}" --color GREEN
 FOUND=1
 else
From aec1f594324d073cd0582c2da5f6ccbb160d1415 Mon Sep 17 00:00:00 2001 From: gonzalo Date: Sat, 4 May 2024 07:52:47 +0200 Subject: [PATCH 39/57] Update binaries Fix a showing error for grep --help on OpenBSD. Discovered by me, fixed by @mboelen
---
 include/binaries | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/binaries b/include/binaries
index b495013c..a2b4895a 100644
--- a/include/binaries
+++ b/include/binaries
@@ -338,7 +338,7 @@
 # If grep is capable of extended regexp, use that instead of egrep to avoid annoying warning
 if [ "${GREPBINARY:-}" ] ; then
- ${GREPBINARY} --help | ${GREPBINARY} -e "extended-regexp" > /dev/null
+ ${GREPBINAR​Y} --help 2> /dev/null | ${GREPBINARY} -e "extended-regexp" > /dev/null
 if [ $? -eq 0 ] ; then
 EGREPBINARY="${GREPBINARY} -E"
 fi
From 740baf29af6d2204c2c9d0fd40c29deb7a9e54f3 Mon Sep 17 00:00:00 2001 From: "Andre @ ARK-ICT" Date: Thu, 9 May 2024 20:45:45 +0200 Subject: [PATCH 40/57] postgresDB fixes for almalinux, rockylinux and freebsd. Tested on almalinux8/9, rockylinux9 and freebsd13
---
 include/tests_databases | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/include/tests_databases b/include/tests_databases
index 10bbc36a..82e3fa10 100644
--- a/include/tests_databases
+++ b/include/tests_databases
@@ -186,8 +186,10 @@
 # Test : DBS-1826
 # Description : Check if PostgreSQL is being used
 Register --test-no DBS-1826 --weight L --network NO --category security --description "Checking active PostgreSQL processes"
+ for PROCES in postgres postmaster
+ do
 if [ ${SKIPTEST} -eq 0 ]; then
- if IsRunning "postgres"; then
+ if IsRunning "${PROCES}"; then
 Display --indent 2 --text "- PostgreSQL processes status" --result "${STATUS_FOUND}" --color GREEN
 LogText "Result: PostgreSQL is active"
 POSTGRESQL_RUNNING=1
@@ -195,9 +197,10 @@
 Report "postgresql_running=${POSTGRESQL_RUNNING}"
 else
 if [ ${DEBUG} -eq 1 ]; then Display --indent 2 --text "- PostgreSQL processes status" --result "${STATUS_NOT_FOUND}" --color WHITE --debug; fi
- LogText "Result: PostgreSQL process not active"
+ LogText "Result: PostgreSQL process ${PROCES} not active"
 fi
 fi
+ done
 #
 #################################################################################
 #
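Review bot: The new `for PROCES in postgres postmaster ... done` loop has no `break`, so after a `postgres` process is found the `postmaster` iteration still runs and either repeats the `Display`/`Report` lines or writes `Result: PostgreSQL process postmaster not active` (plus the debug Display) right after a positive detection. Add `break` directly after `Report "postgresql_running=${POSTGRESQL_RUNNING}"` so the test stops at the first match; the `Register` call is correctly left outside the loop. A single not-found message could then be emitted once after `done` with `if [ ${POSTGRESQL_RUNNING} -eq 0 ]` instead of once per process name.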
@@ -211,14 +214,15 @@
 # Arch /var/lib/postgres/data/postgresql.conf
 # CentOS/Fedora /var/lib/pgsql/data/postgresql.conf
 # Ubuntu /etc/postgresql/x.y/main/postgresql.conf
+ # FreeBSD /var/db/postgres/data[0-9][0-9]/postgresql.conf
 if [ "${POSTGRESQL_RUNNING}" -eq 1 ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="PostgreSQL not installed or not running"; fi
 Register --test-no DBS-1828 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Test PostgreSQL configuration"
 if [ ${SKIPTEST} -eq 0 ]; then
 FIND_PATHS=$(${LSBINARY} -d ${ROOTDIR}usr/local/pgsql/data* 2> /dev/null)
- FIND_PATHS="${FIND_PATHS} ${ROOTDIR}etc/postgres ${ROOTDIR}etc/postgresql ${ROOTDIR}var/lib/postgres/data ${ROOTDIR}usr/local/pgsql/data"
- CONFIG_FILES=$(${FINDBINARY} -L ${FIND_PATHS} -type f -name "*.conf" -print0 2> /dev/null | ${TRBINARY} -cd '[:print:]\0' | ${TRBINARY} -d '\n' | ${TRBINARY} '\0' '\n' | xargs -i sh -c 'test -r "{}" && echo "{}"' | ${SEDBINARY} "s/ /:space:/g")
+ FIND_PATHS="${FIND_PATHS} ${ROOTDIR}etc/postgres ${ROOTDIR}etc/postgresql ${ROOTDIR}var/lib/postgres/data ${ROOTDIR}usr/local/pgsql/data ${ROOTDIR}var/lib/pgsql/data ${ROOTDIR}var/db/postgres/data[0-9][0-9]"
+ CONFIG_FILES=$(${FINDBINARY} -L ${FIND_PATHS} -type f -name "*.conf" -print0 2> /dev/null | ${TRBINARY} -cd '[:print:]\0' | ${TRBINARY} -d '\n' | ${TRBINARY} '\0' '\n' | xargs -I'{}' sh -c 'test -r "{}" && echo "{}"' | ${SEDBINARY} "s/ /:space:/g")
 for CF in ${CONFIG_FILES}; do
 Report "postgresql_config_file[]=${CF}"
 LogText "Found configuration file (${CF})"
From 353b1e0bbf5987e60ac62e8d01adae844b0f36da Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 10 May 2024 12:58:41 +0200 Subject: [PATCH 41/57] Update CHANGELOG.md
---
 CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f6dfd05b..74ed8b0f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
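Review bot: `xargs -I'{}' sh -c 'test -r "{}" && echo "{}"'` splices each discovered file name into a shell command string, so a name containing `"`, `$(`, a backtick or `;` under any of the scanned directories is executed by `sh`; the preceding `${TRBINARY} -cd '[:print:]\0'` only strips non-printable bytes and does not prevent that. Because `find -L` follows symlinks and data directories such as `${ROOTDIR}var/lib/pgsql/data` are normally writable by the unprivileged `postgres` account, this is a way to run code as the user Lynis runs as, typically root. Pass the names as arguments instead, e.g. `... -print0 2> /dev/null | ${TRBINARY} -cd '[:print:]\0' | xargs -0 sh -c 'for f; do test -r "$f" && printf "%s\n" "$f"; done' sh | ${SEDBINARY} "s/ /:space:/g"`; `xargs -0` exists on both GNU and BSD, and the two `tr` newline steps then become unnecessary. The unquoted `data[0-9][0-9]` entry in `FIND_PATHS` reaches `find` as a literal when nothing matches, which is harmless only because stderr is discarded and deserves a comment.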
@@ -7,7 +7,8 @@ - Detection of Open Source Media Center (OSMC) ### Changed -- Correction of software EOL database and inclusion of AIX entries +- Correction of software EOL database and inclusion of AIX entries +- DBS-1826 - PostgreSQL detection improved for AlmaLinux, Rocky Linux, and FreeBSD --------------------------------------------------------------------------------- From 0ff7965a80d0fa300cf518385a90d69655381af5 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Fri, 10 May 2024 14:49:47 +0200 Subject: [PATCH 42/57] Update lynis Update the copyright line (year), it was very outdated --- lynis | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lynis b/lynis index 9ae06b67..ee6cc596 100755 --- a/lynis +++ b/lynis @@ -52,7 +52,7 @@ PROGRAM_SOURCE="https://github.com/CISOfy/lynis" PROGRAM_PACKAGE="https://packages.cisofy.com/" PROGRAM_DOCUMENTATION="https://cisofy.com/docs/" - PROGRAM_COPYRIGHT="2007-2021, ${PROGRAM_AUTHOR} - ${PROGRAM_WEBSITE}" + PROGRAM_COPYRIGHT="2007-2024, ${PROGRAM_AUTHOR} - ${PROGRAM_WEBSITE}" PROGRAM_LICENSE="${PROGRAM_NAME} comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under the terms of the GNU General Public License. See the LICENSE file for details about using this software." From b8064bc5def38b4e098f4f09c94489949a42fab3 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 14 May 2024 06:50:26 +0000 Subject: [PATCH 43/57] Don't reset status of malware scanner, as there might be two available. Small change to format --- include/tests_malware | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/include/tests_malware b/include/tests_malware index 7d6f7baf..0857ef43 100644 --- a/include/tests_malware +++ b/include/tests_malware 
@@ -46,18 +46,19 @@
 TRENDMICRO_DSA_DAEMON_RUNNING=0
 #
 #################################################################################
-# Test : MALW-3274
-# Description : Check for installed tool (McAfee VirusScan for Command Line)
-Register --test-no MALW-3274 --weight L --network NO --category security --description "Check for McAfee VirusScan Command Line"
-if [ ${SKIPTEST} -eq 0 ]; then
- LogText "Test: checking presence McAfee VirusScan for Command Line"
- if [ -x /usr/local/uvscan/uvscan ]; then
- Display --indent 2 --text "- ${GEN_CHECKING} McAfee VirusScan for Command Line" --result "${STATUS_FOUND}" --color RED
- LogText "Result: Found ${MCAFEECLBINARY}"
- MALWARE_SCANNER_INSTALLED=0
- AddHP 0 2
- LogText "Result: McAfee Antivirus for Linux has been deprecated as of 1 Oct 2023 and will not receive updates. Please use another antivirus instead."
-fi
+#
+ # Test : MALW-3274
+ # Description : Check for installed tool (McAfee VirusScan for Command Line)
+ Register --test-no MALW-3274 --weight L --network NO --category security --description "Check for McAfee VirusScan Command Line"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ LogText "Test: checking presence McAfee VirusScan for Command Line"
+ if [ -x /usr/local/uvscan/uvscan ]; then
+ Display --indent 2 --text "- ${GEN_CHECKING} McAfee VirusScan for Command Line (deprecated)" --result "${STATUS_FOUND}" --color RED
+ LogText "Result: Found ${MCAFEECLBINARY}"
+ AddHP 0 2
+ LogText "Result: McAfee Antivirus for Linux has been deprecated as of 1 Oct 2023 and will not receive updates. Please use another antivirus instead."
+ fi
+ fi
 #################################################################################
 #
 # Test : MALW-3275
From eeec52b1604ef850c7d8b63dab0a72bb197a3000 Mon Sep 17 00:00:00 2001
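Review bot: `LogText "Result: Found ${MCAFEECLBINARY}"` still refers to a variable that nothing in this hunk assigns — detection keys off the literal `/usr/local/uvscan/uvscan` — so unless it is set elsewhere the log line reads `Result: Found ` with no path; either set `MCAFEECLBINARY="/usr/local/uvscan/uvscan"` before the check or log the literal path. The deprecation notice is only written with `LogText`, so it never reaches the report or the on-screen suggestions; a `ReportSuggestion "${TEST_NO}" "McAfee VirusScan for Linux is deprecated and no longer receives updates" "Replace it with a maintained malware scanner"` next to `AddHP 0 2` would surface it, assuming ReportSuggestion takes test number, text and solution as it does elsewhere in Lynis.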
From: Michael Boelen Date: Tue, 14 May 2024 11:40:50 +0200 Subject: [PATCH 44/57] Update tests_mac_frameworks Changed check from is executable to is not empty
---
 include/tests_mac_frameworks | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/tests_mac_frameworks b/include/tests_mac_frameworks
index ca454529..207a98f5 100644
--- a/include/tests_mac_frameworks
+++ b/include/tests_mac_frameworks
@@ -158,7 +158,7 @@
 Display --indent 6 --text "- Checking current mode and config file" --result "${STATUS_WARNING}" --color RED
 fi
 Display --indent 8 --text "Current SELinux mode: ${FIND}"
- if [ -x "$SEMANAGEBINARY" ]; then
+ if [ -n "${SEMANAGEBINARY}" ]; then
 PERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${TRBINARY} '\n' ' ')
 NPERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${WCBINARY} -l)
 Display --indent 8 --text "Found ${NPERMISSIVE} permissive SELinux object types"
From ba4cd63bdac6a3c613d27ef887c6950954d8ac65 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 14 May 2024 12:23:36 +0000 Subject: [PATCH 45/57] Added KDE Neon
---
 include/osdetection | 7 +++++++ 1 file changed, 7 insertions(+)
diff --git a/include/osdetection b/include/osdetection
index ea8ccedf..33790905 100644
--- a/include/osdetection
+++ b/include/osdetection
@@ -325,6 +325,13 @@
 OS_NAME="Manjaro"
 OS_VERSION="Rolling release"
 ;;
+ "neon")
+ LINUX_VERSION="KDE Neon"
+ LINUX_VERSION_LIKE="Ubuntu"
+ OS_NAME="KDE Neon"
+ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ ;;
 "nethserver")
 LINUX_VERSION="NethServer"
 OS_NAME="NethServer"
From 79632bfbe5512d24e8a6c732471c7bfe78029f68 Mon Sep 17 00:00:00 2001
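Review bot: The guard now only tests that `SEMANAGEBINARY` is non-empty, which is fine if the binary discovery is its only writer, but the two `${SEMANAGEBINARY} permissive --list --noheading` invocations that follow run the same command twice and ignore its exit status, so a failing `semanage` yields an empty `PERMISSIVE` and a misleading `Found 0 permissive SELinux object types`. Capture the output once, e.g. `PERMISSIVE_RAW=$(${SEMANAGEBINARY} permissive --list --noheading 2> /dev/null)`, derive `PERMISSIVE` and `NPERMISSIVE` from that variable, and log when the command returns non-zero. The enclosing test body starts and ends outside this hunk.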
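Review bot: The new `"neon")` case calls bare `grep`, `awk` and `tr` and reads `/etc/os-release` directly, while the other hunks in this series go through the discovered `${GREPBINARY}`, `${AWKBINARY}` and `${TRBINARY}` and prefix paths with `${ROOTDIR}`; the neighbouring Manjaro and NethServer cases visible here do not show which convention this file follows, so treat this as a consistency question. Using the discovered binaries keeps the result independent of an inherited PATH: `OS_VERSION=$(${GREPBINARY} "^VERSION_ID=" ${ROOTDIR}etc/os-release | ${AWKBINARY} -F= '{print $2}' | ${TRBINARY} -d '"')`, and the same for `OS_VERSION_FULL`.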
From: Florian Sonnenschein Date: Tue, 14 May 2024 16:02:51 +0200 Subject: [PATCH 46/57] - Deleted "filevault_status" variable - Now checks if "fdesetup" exists - Add some hardening points (AddHP): 3 of 3 when enabled, 0 of 3, when not. --- include/tests_crypto | 32 +++++++++++++++++++------------- 1 file changed, 19 insertions(+), 13 deletions(-) diff --git a/include/tests_crypto b/include/tests_crypto index b7279163..7b77b707 100644 --- a/include/tests_crypto +++ b/include/tests_crypto 
@@ -222,19 +222,25 @@
 # Description : Determine if system has enabled macOS FileVault encryption
 Register --test-no CRYP-7932 --os macOS --weight L --network NO --category crypto --description "Determine if system has enabled macOS FileVault encryption"
 if [ ${SKIPTEST} -eq 0 ]; then
- filevault_status=$(fdesetup status)
-
- case "$filevault_status" in
- *"FileVault is On."*)
- LogText "Result: FileVault is enabled."
- Display --indent 2 --text "- FileVault is enabled." --result "${STATUS_OK}" --color GREEN
- Report "encryption[]=filevault"
- ;;
- *)
- LogText "Result: FileVault is not enabled."
- Display --indent 2 --text "- FileVault is not enabled." --result "${STATUS_WARNING}" --color RED
- ;;
- esac
+ if command -v fdesetup &> /dev/null; then
+ case $(fdesetup status) in
+ *"FileVault is On."*)
+ LogText "Result: FileVault is enabled."
+ Display --indent 2 --text "- FileVault is enabled." --result "${STATUS_OK}" --color GREEN
+ Report "encryption[]=filevault"
+ AddHP 3 3
+ ;;
+ *)
+ LogText "Result: FileVault is not enabled."
+ Display --indent 2 --text "- FileVault is not enabled." --result "${STATUS_WARNING}" --color RED
+ AddHP 0 3
+ ;;
+ esac
+ else
+ LogText "Result: fdesetup command not found. Unable to determine FileVault status."
+ Display --indent 2 --text "- Unable to determine FileVault status (fdesetup command not found)." --result "${STATUS_WARNING}" --color YELLOW
+ AddHP 0 3
+ fi
 fi
 #
 #################################################################################
From 4f5ede1e42cf73aa6bbe8e2b45b9b95d4b702106 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Tue, 14 May 2024 19:32:54 +0200 Subject: [PATCH 47/57] Update CHANGELOG.md
---
 CHANGELOG.md | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 74ed8b0f..ae2dffc9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
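Review bot: `if command -v fdesetup &> /dev/null; then` uses the bash-only `&>` redirection; under a POSIX `/bin/sh` such as dash it parses as `command -v fdesetup &` followed by a bare `> /dev/null`, so the condition is always true and the resolved path is printed to the terminal (macOS ships bash as `/bin/sh`, which may mask this, but the shell is user-selectable there). Use `if command -v fdesetup > /dev/null 2>&1; then`, which is portable. `fdesetup` is also invoked by name rather than through a discovered binary variable as the rest of this series does, which makes the outcome depend on the inherited PATH — hedged, since I cannot see how PATH is sanitised before the tests run. The unquoted `case $(fdesetup status) in` is fine, as `case` does not word-split its subject.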
@@ -3,12 +3,41 @@ ## Lynis 3.1.2 (not released yet) ### Added +- Detection of ALT Linux - Detection of Athena OS +- Detection of Container-Optimized OS from Google +- Detection of Koozali SME Server +- Detection of Nobara Linux - Detection of Open Source Media Center (OSMC) +- Detection of PostmarketOS +- CRYP-7932 - macOS FileVault encryption test +- FILE-6398 - Check if JBD (Journal Block Device) driver is loaded +- FINT-4344 - Wazuh system running state +- PKGS-7305 - Query macOS Apps in /Applications and CoreServices +- File added: .editorconfig, which is used by editors to standardize formatting ### Changed - Correction of software EOL database and inclusion of AIX entries - DBS-1826 - PostgreSQL detection improved for AlmaLinux, Rocky Linux, and FreeBSD +- KRNL-5622 - Use systemctl get-default instead of following link #1296 +- FILE-6344 - Test kernel version (major/minor) +- PKGS-7303 - Added version numbers to brew packages. +- Support sysctl value perf_event_paranoid -> 2|3 #1260 +- Update of Turkish translation +- Grammar and spell improvements +- Improved package detection on Alpine Linux +- Slackware support to check installed packges (functionPackageIsInstalled()) +- Added words prosecute/report to LEGAL_BANNER_STRINGS +- Busybox support: Replace newer tr command syntax with older ascii specific operations +- Added Wazuh as a malware scanner/antivirus and rootkit detection tool +- AUTH-9262 - Corrected message with advised PAM libary (libpam-passwdqc) +- CONT-8104 - Checking for errors, not only warning in docker info output +- LOGG-2144 - Check for wazuh-agent presence on Linux systems +- MACF-6234 - Test if semanage binary is available +- MALW-3200 - ESET Endpoint Antivirus added +- MALW-3280 - McAfee Antivirus for Linux deprecated +- MALW-3291 - Check if Microsoft Defender Antivirus is installe +- NETW-3200 - Added regex to allow both /bin/true as /bin/false --------------------------------------------------------------------------------- 
From 9fcd3bdeb356f5989ad5b0062e53216d0a214f63 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 15 May 2024 13:42:53 +0200 Subject: [PATCH 48/57] Update CHANGELOG.md --- CHANGELOG.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ae2dffc9..f53f6618 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,11 +18,7 @@ ### Changed - Correction of software EOL database and inclusion of AIX entries -- DBS-1826 - PostgreSQL detection improved for AlmaLinux, Rocky Linux, and FreeBSD -- KRNL-5622 - Use systemctl get-default instead of following link #1296 -- FILE-6344 - Test kernel version (major/minor) -- PKGS-7303 - Added version numbers to brew packages. -- Support sysctl value perf_event_paranoid -> 2|3 #1260 +- Support sysctl value perf_event_paranoid -> 2|3 - Update of Turkish translation - Grammar and spell improvements - Improved package detection on Alpine Linux @@ -32,12 +28,17 @@ - Added Wazuh as a malware scanner/antivirus and rootkit detection tool - AUTH-9262 - Corrected message with advised PAM libary (libpam-passwdqc) - CONT-8104 - Checking for errors, not only warning in docker info output +- DBS-1826 - PostgreSQL detection improved for AlmaLinux, Rocky Linux, and FreeBSD +- FILE-6344 - Test kernel version (major/minor) +- KRNL-5622 - Use systemctl get-default instead of following link - LOGG-2144 - Check for wazuh-agent presence on Linux systems - MACF-6234 - Test if semanage binary is available - MALW-3200 - ESET Endpoint Antivirus added - MALW-3280 - McAfee Antivirus for Linux deprecated - MALW-3291 - Check if Microsoft Defender Antivirus is installe - NETW-3200 - Added regex to allow both /bin/true as /bin/false +- PKGS-7303 - Added version numbers to brew packages +- PKGS-7370 - Cron job check for debsums improved --------------------------------------------------------------------------------- From 1a26005b506d2c5dbf0ce2b403dd3b612b2cb374 Mon Sep 17 00:00:00 2001 
From: Michael Boelen Date: Wed, 15 May 2024 14:12:54 +0200 Subject: [PATCH 49/57] Update consts Setting variables
---
 include/consts | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/include/consts b/include/consts
index 714f4a92..faf41987 100644
--- a/include/consts
+++ b/include/consts
@@ -299,7 +299,9 @@ ETC_PATHS="/etc /usr/local/etc"
 SSL_CERTIFICATE_INCLUDE_PACKAGES=0
 SSL_CERTIFICATE_PATHS=""
 SSL_CERTIFICATE_PATHS_TO_IGNORE=""
+ STATUS_NOT_ACTIVE=""
 STUNNELBINARY=""
+ SURICATABINARY=""
 SWUPDBINARY=""
 SYSLOGNGBINARY=""
 SYSTEMCTLBINARY=""
From 24679bee9a4a42142f9922f986577c97d746e258 Mon Sep 17 00:00:00 2001 From: Michael Boelen Date: Wed, 15 May 2024 12:23:23 +0000 Subject: [PATCH 50/57] Do not unset SKIPREASON, as it is cleared at the beginning of the function
---
 include/functions | 1 - 1 file changed, 1 deletion(-)
diff --git a/include/functions b/include/functions
index 11ea3df4..66cdceb1 100644
--- a/include/functions
+++ b/include/functions
@@ -2762,7 +2762,6 @@
 if [ ${SKIPLOGTEST} -eq 0 ]; then LogText "Reason to skip: ${SKIPREASON}"; fi
 TESTS_SKIPPED="${TEST_NO}|${TESTS_SKIPPED}"
 fi
- unset SKIPREASON
 # Save timestamp for next time the Register function is called
 PREVIOUS_TEST="${TEST_NO}"
From ac526be452c6e09d179680e3aa5e587ac47d5619 Mon Sep 17 00:00:00 2001 From: pyllyukko Date: Wed, 14 Feb 2024 21:12:55 +0200 Subject: [PATCH 51/57] Added initial version of a Kerberos plugin
---
 default.prf | 1 + include/binaries | 1 + plugins/plugin_krb5_phase1 | 121 +++++++++++++++++++++++++++++++++++++ 3 files changed, 123 insertions(+) create mode 100644 plugins/plugin_krb5_phase1
diff --git a/default.prf b/default.prf
index ec043417..0e90fa04 100644
--- a/default.prf
+++ b/default.prf
@@ -144,6 +144,7 @@ plugin=software
 plugin=system-integrity
 plugin=systemd
 plugin=users
+plugin=krb5
 # Disable a particular plugin (will overrule an enabled plugin)
 #disable-plugin=authentication
diff --git a/include/binaries b/include/binaries
index a2b4895a..b65d5159 100644
--- a/include/binaries
+++ b/include/binaries
@@ -196,6 +196,7 @@
 iptables-save) IPTABLESSAVEBINARY="${BINARY}"; LogText " Found known binary: iptables-save (firewall) - ${BINARY}" ;;
 istat) ISTATBINARY="${BINARY}"; LogText " Found known binary: istat (file information) - ${BINARY}" ;;
 journalctl) JOURNALCTLBINARY="${BINARY}"; LogText " Found known binary: journalctl (systemd journal) - ${BINARY}" ;;
+ kadmin.local) KADMINLOCALBINARY="${BINARY}"; LogText " Found known binary: kadmin.local (krb5) - ${BINARY}" ;;
 kldstat) KLDSTATBINARY="${BINARY}"; LogText " Found known binary: kldstat (kernel modules) - ${BINARY}" ;;
 kstat) KSTATBINARY="${BINARY}"; LogText " Found known binary: kstat (kernel statistics) - ${BINARY}" ;;
 launchctl) LAUNCHCTL_BINARY="${BINARY}"; SERVICE_MANAGER="launchd"; LogText " Found known binary: launchctl (launchd client) - ${BINARY}" ;;
diff --git a/plugins/plugin_krb5_phase1 b/plugins/plugin_krb5_phase1
new file mode 100644
index 00000000..5a480dcb
--- /dev/null
+++ b/plugins/plugin_krb5_phase1
@@ -0,0 +1,121 @@
+#!/bin/sh
+
+#########################################################################
+#
+# * DO NOT REMOVE *
+#-----------------------------------------------------
+# PLUGIN_AUTHOR="pyllyukko"
+# PLUGIN_CATEGORY=security
+# PLUGIN_DATE=2024-02-14
+# PLUGIN_DESC=Kerberos
+# PLUGIN_NAME=krb5
+# PLUGIN_REQUIRED_TESTS=
+# PLUGIN_VERSION=0.1
+#-----------------------------------------------------
+#
+#########################################################################
+#
+
+ # Test for the prerequisites first
+ if [ -n "${KADMINLOCALBINARY}" ]
+ then
+ PREQS_MET="YES"
+ # Make sure krb5 debugging doesn't mess up the output
+ unset KRB5_TRACE
+ PRINCS="$(${KADMINLOCALBINARY} listprincs | ${TRBINARY:-tr} '\n' ' ')"
+ if [ -z "${PRINCS}" ]
+ then
+ PREQS_MET="NO"
+ fi
+ else
+ PREQS_MET="NO"
+ fi
+
+ # Test : KRB5-0001
+ # Description : Check that Kerberos principals have passwords that expire
+ Register --test-no KRB5-0001 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check that Kerberos principals have passwords that expire" --progress
+ if [ ${SKIPTEST} -eq 0 ]; then
+ for I in ${PRINCS}
+ do
+ FIND="$(${KADMINLOCALBINARY} getprinc "${I}" | ${GREPBINARY} '^Password expiration date:')"
+ if [ "${FIND}" = "Password expiration date: [never]" ]
+ then
+ LogText "Result: Kerberos principal ${I} has a password/key that never expires"
+ fi
+ done
+ fi
+#
+#################################################################################
+#
+
+ # Test : KRB5-0002
+ # Description : Check last password change for Kerberos principals
+ Register --test-no KRB5-0002 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check last password change for Kerberos principals" --progress
+ if [ ${SKIPTEST} -eq 0 ]; then
+ for I in ${PRINCS}
+ do
+ FIND="$(${KADMINLOCALBINARY} getprinc "${I}" | ${SEDBINARY} -n '/^Last password change:\s\+/s/^Last password change:\s\+//p')"
+ if [ "${FIND}" = "[never]" ]
+ then
+ LogText "Result: Kerberos
principal ${I} has a password/key that has never been changed"
+ else
+ J="$(date -d "${FIND}" +%s)"
+ if [ ${J} -lt $((NOW - 60 * 60 * 24 * 365)) ]
+ then
+ LogText "Result: Kerberos principal ${I} has had a password/key change over a year ago"
+ fi
+ fi
+ done
+ fi
+
+#
+#################################################################################
+#
+
+ # Test : KRB5-0003
+ # Description : Check that Kerberos principals have a policy associated to them
+ Register --test-no KRB5-0003 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check that Kerberos principals have a policy associated to them" --progress
+ if [ ${SKIPTEST} -eq 0 ]; then
+ for I in ${PRINCS}
+ do
+ FIND="$(${KADMINLOCALBINARY} getprinc "${I}" | ${GREPBINARY} '^Policy:')"
+ if [ "${FIND}" = "Policy: [none]" ]
+ then
+ LogText "Result: Kerberos principal ${I} does not have a policy associated to it"
+ fi
+ done
+ fi
+
+#
+#################################################################################
+#
+
+ # Test : KRB5-0004
+ # Description : Check various attributes for Kerberos principals
+ Register --test-no KRB5-0004 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check various attributes for Kerberos principals" --progress
+ if [ ${SKIPTEST} -eq 0 ]; then
+ for I in ${PRINCS}
+ do
+ J="$(${KADMINLOCALBINARY} getprinc "${I}" | ${SEDBINARY} -n 's/^Attributes:\s\+\(.\+\)$/\1/p')"
+ if ContainsString "^K/M@" "${I}" || \
+ ContainsString "^kadmin/admin@" "${I}" || \
+ ContainsString "^kadmin/changepw@" "${I}" || \
+ ContainsString "^krbtgt/" "${I}"
+ then
+ if ! ContainsString "\bLOCKDOWN_KEYS\b" "${J}"
+ then
+ LogText "Result: Sensitive Kerberos principal ${I} does not have the lockdown_keys attribute"
+ fi
+ fi
+ done
+ fi
+
+#
+#################################################################################
+#
+
+unset PRINCS
+unset I
+unset J
+
+#EOF
From 4d5b41cb4e92365c27b4e738ba70f8d9f4cf9f8a Mon Sep 17 00:00:00 2001
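Review bot: Every finding in KRB5-0001 to KRB5-0004 is written with `LogText` only — there is no `Display`, `Report` or `ReportSuggestion` — so a principal with a never-expiring key, no policy or missing `lockdown_keys` is recorded in the log file but never reaches the report or the suggestions list; at minimum add `ReportSuggestion "${TEST_NO}" "..."` beside each result line. In KRB5-0002, `J="$(date -d "${FIND}" +%s)"` is GNU-specific (BSD and macOS `date -d` means something else) and `NOW` is not defined in this file, so when the conversion fails `J` is empty and `[ ${J} -lt ... ]` aborts with a unary-operator error; guard it with `J="$(date -d "${FIND}" +%s 2> /dev/null)"` and `if [ -n "${J}" ] && [ "${J}" -lt $((NOW - 31536000)) ]`. The plugin also runs `kadmin.local getprinc` once per principal in each of the four tests, which will be slow on a realm of any size; fetching the `getprinc` output once per principal and deriving all four checks from it would avoid that. Clearing `KRB5_TRACE` before parsing the output is a good touch.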
From: pyllyukko Date: Thu, 22 Feb 2024 11:59:02 +0200 Subject: [PATCH 52/57] plugin_krb5_phase1: Added few more tests * Check that admin principals have disallow_tgt_based attribute * Check that regular user principals have requires_pre_auth and disallow_svr attributes * Check for weak crypto * Use kdb5_util for this --- include/binaries | 1 + plugins/plugin_krb5_phase1 | 33 +++++++++++++++++++++++++++++++-- 2 files changed, 32 insertions(+), 2 deletions(-) diff --git a/include/binaries b/include/binaries index b65d5159..46359b3c 100644 --- a/include/binaries +++ b/include/binaries @@ -197,6 +197,7 @@ istat) ISTATBINARY="${BINARY}"; LogText " Found known binary: istat (file information) - ${BINARY}" ;; journalctl) JOURNALCTLBINARY="${BINARY}"; LogText " Found known binary: journalctl (systemd journal) - ${BINARY}" ;; kadmin.local) KADMINLOCALBINARY="${BINARY}"; LogText " Found known binary: kadmin.local (krb5) - ${BINARY}" ;; + kdb5_util) KDB5UTILBINARY="${BINARY}"; LogText " Found known binary: kdb5_util (krb5) - ${BINARY}" ;; kldstat) KLDSTATBINARY="${BINARY}"; LogText " Found known binary: kldstat (kernel modules) - ${BINARY}" ;; kstat) KSTATBINARY="${BINARY}"; LogText " Found known binary: kstat (kernel statistics) - ${BINARY}" ;; launchctl) LAUNCHCTL_BINARY="${BINARY}"; SERVICE_MANAGER="launchd"; LogText " Found known binary: launchctl (launchd client) - ${BINARY}" ;; diff --git a/plugins/plugin_krb5_phase1 b/plugins/plugin_krb5_phase1 index 5a480dcb..625a3bc9 100644 --- a/plugins/plugin_krb5_phase1 +++ b/plugins/plugin_krb5_phase1 
@@ -10,14 +10,14 @@
 # PLUGIN_DESC=Kerberos
 # PLUGIN_NAME=krb5
 # PLUGIN_REQUIRED_TESTS=
-# PLUGIN_VERSION=0.1
+# PLUGIN_VERSION=0.2
 #-----------------------------------------------------
 #
 #########################################################################
 #
 # Test for the prerequisites first
- if [ -n "${KADMINLOCALBINARY}" ]
+ if [ -n "${KADMINLOCALBINARY}" ] && [ -n "${KDB5UTILBINARY}" ]
 then
 PREQS_MET="YES"
 # Make sure krb5 debugging doesn't mess up the output
@@ -106,10 +106,39 @@
 then
 LogText "Result: Sensitive Kerberos principal ${I} does not have the lockdown_keys attribute"
 fi
+ elif ContainsString "/admin@" "${I}"
+ then
+ if ! ContainsString "\bDISALLOW_TGT_BASED\b" "${J}"
+ then
+ LogText "Result: Kerberos admin principal ${I} does not have the disallow_tgt_based attribute"
+ fi
+ elif ContainsString "^[^/$]+@" "${I}"
+ then
+ if ! ContainsString "\bREQUIRES_PRE_AUTH\b.+\bDISALLOW_SVR\b" "${J}"
+ then
+ LogText "Result: Regular Kerberos user principal ${I} does not have the requires_pre_auth and/or the disallow_svr attribute"
+ fi
 fi
 done
 fi
+#
+#################################################################################
+#
+
+ # Test : KRB5-0005
+ # Description : Check for weak crypto
+ Register --test-no KRB5-0005 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for weak crypto" --progress
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FIND=$(${KDB5UTILBINARY} tabdump keyinfo | ${AWKBINARY} '$4 ~ /(des|arcfour|cbc|sha1)/{print$1,$4}')
+ while read I J
+ do
+ LogText "Result: Kerberos principal ${I} has a key with weak cryptographic algorithm ${J}"
+ done << EOF
+${FIND}
+EOF
+ fi
+
 #
 #################################################################################
 #
From 5182ce31fb5e3dc6a73952a43f13447670ebd2b0 Mon Sep 17 00:00:00 2001
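Review bot: The enctype filter `'$4 ~ /(des|arcfour|cbc|sha1)/'` in the KRB5-0005 hunk also matches aes128-cts-hmac-sha1-96 and aes256-cts-hmac-sha1-96, which MIT Kerberos does not classify as weak, so realms using those default enctypes will likely be reported as having weak keys; anchoring on the weak families, e.g. `'$4 ~ /^(des|arcfour)/'` (des also covers des3-cbc-sha1, arcfour covers RC4), avoids that, assuming the fourth tabdump keyinfo column is the enctype as the hunk treats it. The same pattern and its `(des|arcfour|cbc|sha1)` wording are carried into the KRB-1050 hunk and its ReportSuggestion in PATCH 53, so both places need the change. In the KRB5-0004 branch, `\bREQUIRES_PRE_AUTH\b.+\bDISALLOW_SVR\b` additionally requires the two attributes in that order; if ContainsString performs a single regex match, a principal that carries both in the opposite order is reported as missing them, whereas two separate ContainsString calls would be order-independent. The enclosing `for I in ${PRINCS}` loop of KRB5-0004 starts outside this hunk.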
From: pyllyukko
Date: Wed, 15 May 2024 21:51:44 +0300
Subject: [PATCH 53/57] Changed the Kerberos plugin into a category
According to @mboelen's recommendations: https://github.com/CISOfy/lynis/pull/1456#issuecomment-2110761098
---
 db/languages/en | 1 +
 .../tests_kerberos | 92 +++++++++++++------
 lynis | 2 +-
 3 files changed, 67 insertions(+), 28 deletions(-)
 rename plugins/plugin_krb5_phase1 => include/tests_kerberos (53%)
diff --git a/db/languages/en b/db/languages/en
index 52ace1f7..689cc57e 100644
--- a/db/languages/en
+++ b/db/languages/en
@@ -63,6 +63,7 @@ SECTION_USB_DEVICES="USB Devices"
 SECTION_USERS_GROUPS_AND_AUTHENTICATION="Users, Groups and Authentication"
 SECTION_VIRTUALIZATION="Virtualization"
 SECTION_WEBSERVER="Software: webserver"
+SECTION_KERBEROS="Kerberos"
 STATUS_ACTIVE="ACTIVE"
 STATUS_CHECK_NEEDED="CHECK NEEDED"
 STATUS_DEBUG="DEBUG"
diff --git a/plugins/plugin_krb5_phase1 b/include/tests_kerberos
similarity index 53%
rename from plugins/plugin_krb5_phase1
rename to include/tests_kerberos
index 625a3bc9..494a01b1 100644
--- a/plugins/plugin_krb5_phase1
+++ b/include/tests_kerberos
@@ -1,22 +1,14 @@
 #!/bin/sh
-#########################################################################
-#
-# * DO NOT REMOVE *
-#-----------------------------------------------------
-# PLUGIN_AUTHOR="pyllyukko"
-# PLUGIN_CATEGORY=security
-# PLUGIN_DATE=2024-02-14
-# PLUGIN_DESC=Kerberos
-# PLUGIN_NAME=krb5
-# PLUGIN_REQUIRED_TESTS=
-# PLUGIN_VERSION=0.2
-#-----------------------------------------------------
+InsertSection "${SECTION_KERBEROS}"
+
 #
 #########################################################################
 #
- # Test for the prerequisites first
+ # Test : KRB-1000
+ # Description : Check that Kerberos principals have passwords that expire
+ Register --test-no KRB-1000 --weight L --network NO --description "Check for Kerberos KDC tools"
 if [ -n "${KADMINLOCALBINARY}" ] && [ -n "${KDB5UTILBINARY}" ]
 then
 PREQS_MET="YES"
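Review bot: The header comment of the new KRB-1000 test, `# Description : Check that Kerberos principals have passwords that expire`, is copied from KRB-1010 and does not match the registered description "Check for Kerberos KDC tools"; it should read `# Description : Check for Kerberos KDC tools`. KRB-1000 is also the only test registered without `--preqs-met`, which looks intentional since it is the one that computes PREQS_MET for the tests that follow, but a one-line comment stating that would spare the next reader the guess. The prerequisite `if` that starts at the end of this hunk continues outside it.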
@@ -30,10 +22,16 @@
 else
 PREQS_MET="NO"
 fi
+ if [ "${PREQS_MET}" = "YES" ]; then
+ Display --indent 2 --text "- Check for Kerberos KDC and principals" --result "${STATUS_FOUND}" --color GREEN
+ else
+ Display --indent 2 --text "- Check for Kerberos KDC and principals" --result "${STATUS_NOT_FOUND}" --color WHITE
+ fi
- # Test : KRB5-0001
+ # Test : KRB-1010
 # Description : Check that Kerberos principals have passwords that expire
- Register --test-no KRB5-0001 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check that Kerberos principals have passwords that expire" --progress
+ Register --test-no KRB-1010 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check that Kerberos principals have passwords that expire"
+ FOUND=0
 if [ ${SKIPTEST} -eq 0 ]; then
 for I in ${PRINCS}
 do
@@ -41,59 +39,84 @@
 if [ "${FIND}" = "Password expiration date: [never]" ]
 then
 LogText "Result: Kerberos principal ${I} has a password/key that never expires"
+ FOUND=1
 fi
 done
 fi
+ if [ ${FOUND} -eq 1 ]; then
+ Display --indent 4 --text "- Principals without expiring password" --result "${STATUS_WARNING}" --color RED
+ ReportSuggestion "${TEST_NO}" "Make sure all your Kerberos principals have expiring passwords"
+ else
+ Display --indent 4 --text "- Principals without expiring password" --result "${STATUS_OK}" --color GREEN
+ fi
 #
 #################################################################################
 #
- # Test : KRB5-0002
+ # Test : KRB-1020
 # Description : Check last password change for Kerberos principals
- Register --test-no KRB5-0002 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check last password change for Kerberos principals" --progress
+ Register --test-no KRB-1020 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check last password change for Kerberos principals"
 if [ ${SKIPTEST} -eq 0 ]; then
+ FOUND=0
 for I in ${PRINCS}
 do
 FIND="$(${KADMINLOCALBINARY} getprinc "${I}" | ${SEDBINARY} -n '/^Last password change:\s\+/s/^Last password change:\s\+//p')"
 if [ "${FIND}" = "[never]" ]
 then
 LogText "Result: Kerberos principal ${I} has a password/key that has never been changed"
+ FOUND=1
 else
 J="$(date -d "${FIND}" +%s)"
 if [ ${J} -lt $((NOW - 60 * 60 * 24 * 365)) ]
 then
 LogText "Result: Kerberos principal ${I} has had a password/key change over a year ago"
+ FOUND=1
 fi
 fi
 done
+ if [ ${FOUND} -eq 1 ]; then
+ Display --indent 4 --text "- Principals with late password change" --result "${STATUS_WARNING}" --color RED
+ ReportSuggestion "${TEST_NO}" "Enforce frequent password/key change for your Kerberos principals"
+ else
+ Display --indent 4 --text "- Principals with late password change" --result "${STATUS_OK}" --color GREEN
+ fi
 fi
 #
 #################################################################################
 #
- # Test : KRB5-0003
+ # Test : KRB-1030
 # Description : Check that Kerberos principals have a policy associated to them
- Register --test-no KRB5-0003 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check that Kerberos principals have a policy associated to them" --progress
+ Register --test-no KRB5-1030 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check that Kerberos principals have a policy associated to them"
 if [ ${SKIPTEST} -eq 0 ]; then
+ FOUND=0
 for I in ${PRINCS}
 do
 FIND="$(${KADMINLOCALBINARY} getprinc "${I}" | ${GREPBINARY} '^Policy:')"
 if [ "${FIND}" = "Policy: [none]" ]
 then
 LogText "Result: Kerberos principal ${I} does not have a policy associated to it"
+ FOUND=1
 fi
 done
+ if [ ${FOUND} -eq 1 ]; then
+ Display --indent 4 --text "- Principals without associated policy" --result "${STATUS_WARNING}" --color RED
+ ReportSuggestion "${TEST_NO}" "Make sure all your Kerberos principals have a policy associated to them"
+ else
+ Display --indent 4 --text "- Principals without associated policy" --result "${STATUS_OK}" --color GREEN
+ fi
 fi
 #
 #################################################################################
 #
- # Test : KRB5-0004
+ # Test : KRB-1040
 # Description : Check various attributes for Kerberos principals
- Register --test-no KRB5-0004 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check various attributes for Kerberos principals" --progress
+ Register --test-no KRB5-1040 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check various attributes for Kerberos principals"
 if [ ${SKIPTEST} -eq 0 ]; then
+ FOUND=0
 for I in ${PRINCS}
 do
 J="$(${KADMINLOCALBINARY} getprinc "${I}" | ${SEDBINARY} -n 's/^Attributes:\s\+\(.\+\)$/\1/p')"
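Review bot: `Register --test-no KRB5-1030` and `Register --test-no KRB5-1040` do not match their own header comments (KRB-1030, KRB-1040) or the KRB-10x0 numbering used by every other test in this file; because ReportSuggestion is called with `${TEST_NO}`, the suggestions from these two tests will be filed under a different id family than the rest of the Kerberos category. They should be `Register --test-no KRB-1030 --preqs-met ${PREQS_MET} ...` and `Register --test-no KRB-1040 --preqs-met ${PREQS_MET} ...`. The KRB-1040 loop body continues past the end of this hunk.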
@@ -105,38 +128,53 @@
 if ! ContainsString "\bLOCKDOWN_KEYS\b" "${J}"
 then
 LogText "Result: Sensitive Kerberos principal ${I} does not have the lockdown_keys attribute"
+ FOUND=1
 fi
 elif ContainsString "/admin@" "${I}"
 then
 if ! ContainsString "\bDISALLOW_TGT_BASED\b" "${J}"
 then
 LogText "Result: Kerberos admin principal ${I} does not have the disallow_tgt_based attribute"
+ FOUND=1
 fi
 elif ContainsString "^[^/$]+@" "${I}"
 then
 if ! ContainsString "\bREQUIRES_PRE_AUTH\b.+\bDISALLOW_SVR\b" "${J}"
 then
 LogText "Result: Regular Kerberos user principal ${I} does not have the requires_pre_auth and/or the disallow_svr attribute"
+ FOUND=1
 fi
 fi
 done
+ if [ ${FOUND} -eq 1 ]; then
+ Display --indent 4 --text "- Checking principals for various attributes" --result "${STATUS_WARNING}" --color RED
+ ReportSuggestion "${TEST_NO}" "Harden your Kerberos principals with appropriate attributes"
+ else
+ Display --indent 4 --text "- Checking principals for various attributes" --result "${STATUS_OK}" --color GREEN
+ fi
 fi
 #
 #################################################################################
 #
- # Test : KRB5-0005
+ # Test : KRB-1050
 # Description : Check for weak crypto
- Register --test-no KRB5-0005 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for weak crypto" --progress
+ Register --test-no KRB-1050 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for weak crypto"
 if [ ${SKIPTEST} -eq 0 ]; then
 FIND=$(${KDB5UTILBINARY} tabdump keyinfo | ${AWKBINARY} '$4 ~ /(des|arcfour|cbc|sha1)/{print$1,$4}')
- while read I J
- do
- LogText "Result: Kerberos principal ${I} has a key with weak cryptographic algorithm ${J}"
- done << EOF
+ if [ -n "${FIND}" ]; then
+ while read I J
+ do
+ LogText "Result: Kerberos principal ${I} has a key with weak cryptographic algorithm ${J}"
+ done << EOF
 ${FIND}
 EOF
+ Display --indent 4 --text "- Principals with weak crypto" --result "${STATUS_WARNING}" --color RED
+ ReportSuggestion "${TEST_NO}" "Remove weak (des|arcfour|cbc|sha1) cryptographic keys from principals"
+ else
+ Display --indent 4 --text "- Principals with weak crypto" --result "${STATUS_OK}" --color GREEN
+ fi
 fi
 #
diff --git a/lynis b/lynis
index ee6cc596..95135e92 100755
--- a/lynis
+++ b/lynis
@@ -1018,7 +1018,7 @@ ${NORMAL}
 if [ "${TEST_GROUP_TO_CHECK}" = "all" ]; then
 LogText "Info: perform tests from all categories"
- INCLUDE_TESTS="boot_services kernel memory_processes authentication shells \
+ INCLUDE_TESTS="boot_services kernel memory_processes authentication kerberos shells \
 filesystems usb storage storage_nfs nameservices dns ports_packages networking printers_spoolers \
 mail_messaging firewalls webservers ssh snmp databases ldap php squid logging \
 insecure_services banners scheduling accounting time crypto virtualization containers \
From 05b15f4209e6995fcea26aba8fc4638989944196 Mon Sep 17 00:00:00 2001
From: Michael Boelen
Date: Wed, 15 May 2024 20:15:09 +0000
Subject: [PATCH 54/57] Update language files for recent changes
---
 db/languages/az | 1 +
 db/languages/cn | 1 +
 db/languages/da | 1 +
 db/languages/de | 1 +
 db/languages/es | 1 +
 db/languages/fi | 1 +
 db/languages/fr | 1 +
 db/languages/gr | 1 +
 db/languages/he | 1 +
 db/languages/hu | 1 +
 db/languages/id | 2 ++
 db/languages/it | 1 +
 db/languages/ja | 1 +
 db/languages/ko | 1 +
 db/languages/nb-NO | 1 +
 db/languages/nl | 1 +
 db/languages/pl | 1 +
 db/languages/pt | 1 +
 db/languages/ru | 1 +
 db/languages/se | 1 +
 db/languages/sk | 1 +
 db/languages/tr | 1 +
 22 files changed, 23 insertions(+)
diff --git a/db/languages/az b/db/languages/az
index 24a0ca70..d5fce57b 100644
--- a/db/languages/az
+++ b/db/languages/az
@@ -106,3 +106,4 @@ STATUS_WARNING="Xəbərdarlıq"
 STATUS_YES="Bəli"
 TEXT_UPDATE_AVAILABLE="yeniləmə mövcud"
 TEXT_YOU_CAN_HELP_LOGFILE="qeydləri gönderib kömek eyleyin"
+#SECTION_KERBEROS="Kerberos"
diff --git a/db/languages/cn b/db/languages/cn
index 11826db3..2ca49dde 100644
--- a/db/languages/cn
+++ b/db/languages/cn
@@ -107,3 +107,4 @@ STATUS_WARNING="警告"
 STATUS_YES="是"
 TEXT_UPDATE_AVAILABLE="有可以更新的版本"
 TEXT_YOU_CAN_HELP_LOGFILE="你可以通过记录日志来帮忙"
+#SECTION_KERBEROS="Kerberos"
diff --git a/db/languages/da b/db/languages/da
index 1bd77089..b5c86332 100644
--- a/db/languages/da
+++ b/db/languages/da
@@ -106,3 +106,4 @@ STATUS_WEAK="SVAG"
 STATUS_YES="JA"
 TEXT_UPDATE_AVAILABLE="opdatering tilgængelig"
 TEXT_YOU_CAN_HELP_LOGFILE="Du kan hjælpe ved at bidrage med din logfil"
+#SECTION_KERBEROS="Kerberos"
diff --git a/db/languages/de b/db/languages/de
index 942693a3..7932153a 100644
--- a/db/languages/de
+++ b/db/languages/de
@@ -106,3 +106,4 @@ STATUS_WEAK="SCHWACH"
 STATUS_YES="JA"
 TEXT_UPDATE_AVAILABLE="Aktualisierung verfügbar"
 TEXT_YOU_CAN_HELP_LOGFILE="Sie können durch Übermittlung Ihrer Logdatei helfen"
+#SECTION_KERBEROS="Kerberos"
diff --git a/db/languages/es b/db/languages/es
index 1ad53db5..cbaf7a4e 100644
--- a/db/languages/es
+++ b/db/languages/es
@@ -107,3 +107,4 @@ STATUS_WEAK="DÉBIL"
 STATUS_YES="SÍ"
 TEXT_UPDATE_AVAILABLE="Actualización disponible"
 TEXT_YOU_CAN_HELP_LOGFILE="Puedes ayudar compartiendo tu archivo de registro"
+#SECTION_KERBEROS="Kerberos"
diff --git a/db/languages/fi b/db/languages/fi
index e8dc3564..4b4e73c9 100644
--- a/db/languages/fi
+++ b/db/languages/fi
@@ -106,3 +106,4 @@ STATUS_WARNING="VAROITUS"
 STATUS_YES="KYLLÄ"
 TEXT_UPDATE_AVAILABLE="päivitys saatavilla"
 TEXT_YOU_CAN_HELP_LOGFILE="Voit auttaa toimittamalla lokitiedoston"
+#SECTION_KERBEROS="Kerberos"
diff --git a/db/languages/fr b/db/languages/fr
index d0be5c99..353b55e7 100644
--- a/db/languages/fr
+++ b/db/languages/fr
@@ -106,3 +106,4 @@ STATUS_WEAK="FAIBLE"
 STATUS_YES="OUI"
 TEXT_UPDATE_AVAILABLE="Mise à jour disponible"
 TEXT_YOU_CAN_HELP_LOGFILE="Vous pouvez aider en envoyant votre fichier journal"
+#SECTION_KERBEROS="Kerberos"
diff --git a/db/languages/gr b/db/languages/gr
index 15c3e509..2a45d7be 100644
--- a/db/languages/gr
+++ b/db/languages/gr
@@ -106,3 +106,4 @@ STATUS_WARNING="ΠΡΟΣΟΧΗ"
 STATUS_YES="ΝΑΙ"
 TEXT_UPDATE_AVAILABLE="διαθέσιμη ενημέρωση"
 TEXT_YOU_CAN_HELP_LOGFILE="Μπορείτε να βοηθήσετε παρέχοντας το αρχείο καταγραφής"
+#SECTION_KERBEROS="Kerberos"
diff --git a/db/languages/he b/db/languages/he
index 9755bcf7..ceeb17d8 100644
--- a/db/languages/he
+++ b/db/languages/he
@@ -106,3 +106,4 @@ STATUS_WARNING="אזהרה"
 STATUS_YES="כן"
 TEXT_UPDATE_AVAILABLE="עדכון זמין"
 TEXT_YOU_CAN_HELP_LOGFILE="ניתן לעזור על ידי שליחת קובץ הלוג"
+#SECTION_KERBEROS="Kerberos"
diff --git a/db/languages/hu b/db/languages/hu
index 90ae29e1..402b5272 100644
--- a/db/languages/hu
+++ b/db/languages/hu
@@ -106,3 +106,4 @@ STATUS_WARNING="FIGYELMEZTETÉS"
 STATUS_YES="IGEN"
 TEXT_UPDATE_AVAILABLE="frissítés elérhető"
 TEXT_YOU_CAN_HELP_LOGFILE="You can help by providing your log file"
+#SECTION_KERBEROS="Kerberos"
diff --git a/db/languages/id b/db/languages/id
index 4a7b26f4..b9b7b42c 100644
--- a/db/languages/id
+++ b/db/languages/id
@@ -105,3 +105,5 @@ STATUS_WEAK="WEAK"
 STATUS_YES="YES"
 TEXT_UPDATE_AVAILABLE="update tersedia"
 TEXT_YOU_CAN_HELP_LOGFILE="Anda dapat membantu dengan memberikan file log Anda"
+#SECTION_KERBEROS="Kerberos"
+#STATUS_NOT_ACTIVE="NOT ACTIVE"
diff --git a/db/languages/it b/db/languages/it
index 26ff3076..0e4c0f19 100644
--- a/db/languages/it
+++ b/db/languages/it
@@ -106,3 +106,4 @@ STATUS_WEAK="DEBOLE"
 STATUS_YES="SI"
 TEXT_UPDATE_AVAILABLE="aggiornamento disponibile"
 TEXT_YOU_CAN_HELP_LOGFILE="Puoi aiutare fornendoci il tuo file di log"
+#SECTION_KERBEROS="Kerberos"
diff --git a/db/languages/ja b/db/languages/ja
index 846b1eb1..4bdcf67d 100644
--- a/db/languages/ja
+++ b/db/languages/ja
@@ -106,3 +106,4 @@ STATUS_WARNING="警告"
 STATUS_YES="はい"
 TEXT_UPDATE_AVAILABLE="アップデートが利用可能"
 TEXT_YOU_CAN_HELP_LOGFILE="You can help by providing your log file"
+#SECTION_KERBEROS="Kerberos"
diff --git a/db/languages/ko b/db/languages/ko
index 72d31d79..1c7cbca4 100644
--- a/db/languages/ko
+++ b/db/languages/ko
@@ -106,3 +106,4 @@ STATUS_WEAK="취약"
 STATUS_YES="예"
 TEXT_UPDATE_AVAILABLE="업데이트 가능"
 TEXT_YOU_CAN_HELP_LOGFILE="로그 파일을 제공하면 도움을 받을 수 있습니다"
+#SECTION_KERBEROS="Kerberos"
diff --git a/db/languages/nb-NO b/db/languages/nb-NO
index ea3e8832..4bba067b 100644
--- a/db/languages/nb-NO
+++ b/db/languages/nb-NO
@@ -106,3 +106,4 @@ STATUS_WARNING="ADVARSEL"
 STATUS_YES="JA"
 TEXT_UPDATE_AVAILABLE="oppdatering tilgjengelig"
 TEXT_YOU_CAN_HELP_LOGFILE="Du kan bidra ved å laste opp din loggfil"
+#SECTION_KERBEROS="Kerberos"
diff --git a/db/languages/nl b/db/languages/nl
index cdb92423..9600ba89 100644
--- a/db/languages/nl
+++ b/db/languages/nl
@@ -106,3 +106,4 @@ STATUS_WEAK="ZWAK"
 STATUS_YES="JA"
 TEXT_UPDATE_AVAILABLE="update beschikbaar"
 TEXT_YOU_CAN_HELP_LOGFILE="Help mee door je logbestand te delen"
+#SECTION_KERBEROS="Kerberos"
diff --git a/db/languages/pl b/db/languages/pl
index 887d0a7d..ad7d45f4 100644
--- a/db/languages/pl
+++ b/db/languages/pl
@@ -106,3 +106,4 @@ STATUS_NOT_ACTIVE="NOT ACTIVE"
 #STATUS_YES="YES"
 #TEXT_UPDATE_AVAILABLE="update available"
 #TEXT_YOU_CAN_HELP_LOGFILE="You can help by providing your log file"
+#SECTION_KERBEROS="Kerberos"
diff --git a/db/languages/pt b/db/languages/pt
index 483fabd6..8592e700 100644
--- a/db/languages/pt
+++ b/db/languages/pt
@@ -106,3 +106,4 @@ STATUS_WARNING="ATENÇÃO"
 STATUS_YES="SIM"
 TEXT_UPDATE_AVAILABLE="Atualização disponível"
 TEXT_YOU_CAN_HELP_LOGFILE="Você pode ajudar fornecendo seu arquivo de log"
+#SECTION_KERBEROS="Kerberos"
diff --git a/db/languages/ru b/db/languages/ru
index 55a4717b..92402178 100644
--- a/db/languages/ru
+++ b/db/languages/ru
@@ -106,3 +106,4 @@ STATUS_WEAK="СЛАБЫЙ"
 STATUS_YES="ДА"
 TEXT_UPDATE_AVAILABLE="доступно обновление"
 TEXT_YOU_CAN_HELP_LOGFILE="Вы можете помочь, предоставив ваш лог-файл"
+#SECTION_KERBEROS="Kerberos"
diff --git a/db/languages/se b/db/languages/se
index e5a90859..73418df1 100644
--- a/db/languages/se
+++ b/db/languages/se
@@ -106,3 +106,4 @@ STATUS_WARNING="VARNING"
 STATUS_YES="JA"
 TEXT_UPDATE_AVAILABLE="uppdatering tillgänglig"
 TEXT_YOU_CAN_HELP_LOGFILE="Du kan hjälpa till genom att bidra med din loggfil"
+#SECTION_KERBEROS="Kerberos"
diff --git a/db/languages/sk b/db/languages/sk
index 45a18943..be3d28bf 100644
--- a/db/languages/sk
+++ b/db/languages/sk
@@ -106,3 +106,4 @@ STATUS_WARNING="VAROVANIE"
 STATUS_YES="ÁNO"
 TEXT_UPDATE_AVAILABLE="aktualizácia k dispozícii"
 TEXT_YOU_CAN_HELP_LOGFILE="Môžete pomôcť poskytnutím log súboru"
+#SECTION_KERBEROS="Kerberos"
diff --git a/db/languages/tr b/db/languages/tr
index 3df59a53..707b6bc3 100644
--- a/db/languages/tr
+++ b/db/languages/tr
@@ -106,3 +106,4 @@ STATUS_WEAK="ZAYIF"
 STATUS_YES="EVET"
 TEXT_UPDATE_AVAILABLE="güncelleme var"
 TEXT_YOU_CAN_HELP_LOGFILE="Günlük dosyanızı göndererek yardımcı olabilirsiniz"
+#SECTION_KERBEROS="Kerberos"
From 7ad42d689f6089e6c93667b5a793476a2e9ca90d Mon Sep 17 00:00:00 2001
From: Michael Boelen
Date: Wed, 15 May 2024 20:29:28 +0000
Subject: [PATCH 55/57] Fix for line that gave error
---
 include/tests_malware | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/tests_malware b/include/tests_malware
index b01b3855..70c1ff59 100644
--- a/include/tests_malware
+++ b/include/tests_malware
@@ -185,7 +185,7 @@
 # ESET security products
 LogText "Test: checking process esets_daemon or oaeventd (ESET)"
- if IsRunning "esets_daemon" || IsRunning "oaeventd"; then
+ if IsRunning "esets_daemon" || IsRunning "oaeventd"; then
 FOUND=1
 ESET_DAEMON_RUNNING=1
 MALWARE_DAEMON_RUNNING=1
From d60c197e14d357c9100ae22efe8d73429f000e4e Mon Sep 17 00:00:00 2001
From: pyllyukko
Date: Wed, 15 May 2024 23:31:17 +0300
Subject: [PATCH 56/57] KRB-1010: Silence output when SKIPTEST != 0
Fixes https://github.com/CISOfy/lynis/pull/1456#issuecomment-2113390171
---
 include/tests_kerberos | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/include/tests_kerberos b/include/tests_kerberos
index 494a01b1..9ef86267 100644
--- a/include/tests_kerberos
+++ b/include/tests_kerberos
@@ -31,8 +31,8 @@ InsertSection "${SECTION_KERBEROS}"
 # Test : KRB-1010
 # Description : Check that Kerberos principals have passwords that expire
 Register --test-no KRB-1010 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check that Kerberos principals have passwords that expire"
- FOUND=0
 if [ ${SKIPTEST} -eq 0 ]; then
+ FOUND=0
 for I in ${PRINCS}
 do
 FIND="$(${KADMINLOCALBINARY} getprinc "${I}" | ${GREPBINARY} '^Password expiration date:')"
@@ -42,12 +42,12 @@ InsertSection "${SECTION_KERBEROS}"
 FOUND=1
 fi
 done
- fi
- if [ ${FOUND} -eq 1 ]; then
- Display --indent 4 --text "- Principals without expiring password" --result "${STATUS_WARNING}" --color RED
- ReportSuggestion "${TEST_NO}" "Make sure all your Kerberos principals have expiring passwords"
- else
- Display --indent 4 --text "- Principals without expiring password" --result "${STATUS_OK}" --color GREEN
+ if [ ${FOUND} -eq 1 ]; then
+ Display --indent 4 --text "- Principals without expiring password" --result "${STATUS_WARNING}" --color RED
+ ReportSuggestion "${TEST_NO}" "Make sure all your Kerberos principals have expiring passwords"
+ else
+ Display --indent 4 --text "- Principals without expiring password" --result "${STATUS_OK}" --color GREEN
+ fi
 fi
 #
 #################################################################################
From c3996cd1bbbbbfca5a533d4a141ca9c1929a1944 Mon Sep 17 00:00:00 2001
From: pyllyukko
Date: Wed, 15 May 2024 23:22:28 +0300
Subject: [PATCH 57/57] Rephrasing
---
 include/functions | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/functions b/include/functions
index 66cdceb1..df27db8b 100644
--- a/include/functions
+++ b/include/functions
@@ -3174,7 +3174,7 @@
 if [ ${PENTESTINGMODE} -eq 0 -a ${IS_PARAMETERS} -eq 0 ]; then
 if [ ! "${GROUP}" = "root" -a ! "${GROUP}" = "wheel" -a ! "${GROUPID}" = "0" ]; then
- echo "Fatal error: group owner of directory $1 should be owned by root user, wheel or similar (found: ${GROUP})."
+ echo "Fatal error: group owner of directory $1 should be owned by root group, wheel or similar (found: ${GROUP})."
 ExitFatal
 fi
 fi