Merge branch 'master' into add_opensuse_slowroll

Michael Boelen 2025-07-31 12:48:41 +00:00 committed by GitHub
commit fcd9b760cb
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
9 changed files with 302 additions and 103 deletions

@ -1,9 +1,26 @@
# Lynis Changelog # Lynis Changelog
## Lynis 3.1.5 (not released yet) ## Lynis 3.1.6 (not released yet)
### Added
- Add notice to screen output if end-of-life state is unclear
### Changed
- Releases are now considered to be old if they are 6 months or older
- Removed generic suggestion for outdated/old Lynis release, instead show to screen output
- Generic clarifications on variable usage for operating system and its version
- Updated end-of-life database
- ACCT-9634 - Define default auditd log file location
- MALW-3280 - Adjusted detection of Wazuh agent
---------------------------------------------------------------------------------
## Lynis 3.1.5 (2025-07-29)
### Added ### Added
- Support for OpenWrt - Support for OpenWrt
- Bitdefender detection on Linux
- Detection of openSUSE Tumbleweed-Slowroll
### Changed ### Changed
- Corrected detection of service manager SMF - Corrected detection of service manager SMF

@ -12,10 +12,11 @@
# #
# Notes: # Notes:
# For rolling releases or releases that do not (currently have an EOL date, leave field three empty and set field four to -1. # For rolling releases or releases that do not (currently have an EOL date, leave field three empty and set field four to -1.
# Full string for CentOS can be something like 'CentOS Linux 8 (Core)'. As this does not correctly match, shorter string is used for matching. # Full string for CentOS can be something like 'CentOS Linux 8 (Core)'. As this does not correctly match, shorter string can used for matching (partial match will count as well).
# #
# AIX - https://www.ibm.com/support/pages/aix-support-lifecycle-information # AIX - https://www.ibm.com/support/pages/aix-support-lifecycle-information
# #
os:AIX 7300-03:2027-12-31:1830207600:
os:AIX 7300-02:2026-11-30:1796032800: os:AIX 7300-02:2026-11-30:1796032800:
os:AIX 7300-01:2025-12-31:1767175200: os:AIX 7300-01:2025-12-31:1767175200:
os:AIX 7300-00:2024-12-31:1735639200: os:AIX 7300-00:2024-12-31:1735639200:
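Review bot: the reworded CentOS note in the header comment reads "shorter string can used for matching" and is missing "be"; the line above it still has an unclosed parenthesis in "(currently have an EOL date". Since this comment now documents that a partial match counts, it should also say that the first matching row in file order wins, which is what the lookup's head -n 1 does.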
@ -33,18 +34,20 @@ os:AIX 3:1997-12-31:883562400:
# #
# Alpine - https://alpinelinux.org/releases/ # Alpine - https://alpinelinux.org/releases/
# #
os:Alpine 3.19:2025-11-01:1761955200 os:Alpine 3.21:2026-11-01:1793487600:
os:Alpine 3.18:2025-05-09:1746748800 os:Alpine 3.20:2026-04-01:1774994400:
os:Alpine 3.17:2024-11-22:1732233600 os:Alpine 3.19:2025-11-01:1761955200:
os:Alpine 3.16:2024-05-23:1716422400 os:Alpine 3.18:2025-05-09:1746748800:
os:Alpine 3.15:2023-11-01:1698793200 os:Alpine 3.17:2024-11-22:1732233600:
os:Alpine 3.14:2023-05-01:1682899200 os:Alpine 3.16:2024-05-23:1716422400:
os:Alpine 3.13:2022-11-01:1667275200 os:Alpine 3.15:2023-11-01:1698793200:
os:Alpine 3.12:2022-05-01:1651377600 os:Alpine 3.14:2023-05-01:1682899200:
os:Alpine 3.11:2021-11-01:1635739200 os:Alpine 3.13:2022-11-01:1667275200:
os:Alpine 3.10:2021-05-01:1619841600 os:Alpine 3.12:2022-05-01:1651377600:
os:Alpine 3.9:2020-11-01:1604203200 os:Alpine 3.11:2021-11-01:1635739200:
os:Alpine 3.8:2020-05-01:1588305600 os:Alpine 3.10:2021-05-01:1619841600:
os:Alpine 3.9:2020-11-01:1604203200:
os:Alpine 3.8:2020-05-01:1588305600:
# #
# Amazon Linux # Amazon Linux
# #
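Review bot: the two new Alpine rows use a different epoch basis than the rows below them. 1761955200 (3.19) is 00:00 UTC on 2025-11-01, while 1793487600 (3.21) is 23:00 UTC on 2026-10-31 and 1774994400 (3.20) is 22:00 UTC on 2026-03-31, so they were generated at local midnight rather than UTC. The difference only matters for a few hours around the end date, but generating field four with a fixed UTC timezone would keep the file consistent.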
@ -84,6 +87,18 @@ os:Fedora release 27:2018-11-30:1543532400:
os:Fedora release 28:2019-05-28:1558994400: os:Fedora release 28:2019-05-28:1558994400:
os:Fedora release 29:2019-11-26:1574722800: os:Fedora release 29:2019-11-26:1574722800:
os:Fedora release 30:2020-05-26:1590444000: os:Fedora release 30:2020-05-26:1590444000:
os:Fedora release 31:2020-11-24:1606172400:
os:Fedora release 32:2021-05-25:1621893600:
os:Fedora release 33:2021-11-30:1638226800:
os:Fedora release 34:2022-06-07:1654552800:
os:Fedora release 35:2022-12-13:1670886000:
os:Fedora release 36:2023-05-16:1684188000:
os:Fedora release 37:2023-12-05:1701730800:
os:Fedora release 38:2024-05-21:1716242400:
os:Fedora release 39:2024-11-26:1732575600:
os:Fedora release 40:2025-05-28:1748383200:
os:Fedora release 41:2025-11-19:1763506800:
os:Fedora release 42:2026-05-13:1778623200:
# #
# FreeBSD - https://www.freebsd.org/security/unsupported.html # FreeBSD - https://www.freebsd.org/security/unsupported.html
# #
@ -97,12 +112,34 @@ os:FreeBSD 11.0:2017-11-30:1511996400:
os:FreeBSD 11.1:2018-09-30:1538258400: os:FreeBSD 11.1:2018-09-30:1538258400:
os:FreeBSD 11.2:2019-10-31:1572476400: os:FreeBSD 11.2:2019-10-31:1572476400:
os:FreeBSD 12.0:2020-02-29:1582930800: os:FreeBSD 12.0:2020-02-29:1582930800:
os:FreeBSD 12.1:2021-01-31:1612047600:
os:FreeBSD 12.2:2022-03-31:1648677600:
os:FreeBSD 12.3:2023-03-31:1680213600:
os:FreeBSD 12.4:2023-12-31:1703977200:
os:FreeBSD 13.0:2022-08-31:1661896800:
os:FreeBSD 13.1:2023-07-31:1690754400:
os:FreeBSD 13.2:2024-06-30:1719698400:
os:FreeBSD 13.3:2024-12-31:1735599600:
os:FreeBSD 13.4:2025-06-30:1751234400:
os:FreeBSD 14.0:2024-09-30:1727647200:
os:FreeBSD 14.1:2025-03-31:1743372000:
os:FreeBSD 14.2:2025-09-30:1759183200:
# #
# Linux Mint # Linux Mint
# #
os:Linux Mint 18:2021-04-01:1617228000: os:Linux Mint 18:2021-04-01:1617228000:
os:Linux Mint 19:2023-04-01:1680300000: os:Linux Mint 19:2023-04-01:1680300000:
os:Linux Mint 20:2025-04-01:1743458400: os:Linux Mint 20:2025-04-01:1743458400:
os:Linux Mint 20.1:2025-04-01:1743458400:
os:Linux Mint 20.2:2025-04-01:1743458400:
os:Linux Mint 20.3:2025-04-01:1743458400:
os:Linux Mint 21:2027-04-01:1806530400:
os:Linux Mint 21.0:2027-04-01:1806530400:
os:Linux Mint 21.1:2027-04-01:1806530400:
os:Linux Mint 21.2:2027-04-01:1806530400:
os:Linux Mint 21.3:2027-04-01:1806530400:
os:Linux Mint 22:2029-04-01:1869688800:
os:Linux Mint 22.1:2029-04-01:1869688800:
# #
# macOS - https://support.apple.com/en_US/downloads/macos and # macOS - https://support.apple.com/en_US/downloads/macos and
# https://apple.stackexchange.com/a/282788 and # https://apple.stackexchange.com/a/282788 and
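Review bot: with the lookup in the OS detection file matching on value ~ $2 and keeping only the first hit (head -n 1), the rows "Linux Mint 20.1" to "20.3", "21.0" to "21.3" and "22.1" look unreachable, because a full name containing "Linux Mint 21.3" already matches the earlier "Linux Mint 21" row. The dates are identical today so the result is the same, but either drop the point-release rows or list the more specific rows first, so that a later date change to one of them takes effect. Field two is also used as a regular expression there, so the dots in these names match any character.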
@ -164,7 +201,8 @@ os:Mageia 4:2015-09-19:1442613600
os:Mageia 5:2017-12-31:1514674800 os:Mageia 5:2017-12-31:1514674800
os:Mageia 6:2019-09-30:1569794400 os:Mageia 6:2019-09-30:1569794400
os:Mageia 7:2020-12-30:1609282800 os:Mageia 7:2020-12-30:1609282800
os:Mageia 8::-1 os:Mageia 8:2023-11-30:1701298800:
os:Mageia 9:2025-03-31:1743372000:
# #
# NetBSD - https://www.netbsd.org/support/security/release.html and # NetBSD - https://www.netbsd.org/support/security/release.html and
# https://www.netbsd.org/releases/formal.html # https://www.netbsd.org/releases/formal.html
@ -211,9 +249,17 @@ os:NetBSD 7.1:2020-03-14:1584162000:
os:NetBSD 7.1.1:2020-03-14:1584162000: os:NetBSD 7.1.1:2020-03-14:1584162000:
os:NetBSD 7.1.1:2020-03-14:1584162000: os:NetBSD 7.1.1:2020-03-14:1584162000:
os:NetBSD 7.2:2020-03-14:1584162000: os:NetBSD 7.2:2020-03-14:1584162000:
os:NetBSD 8.0::-1: os:NetBSD 8.0:2024-05-04:1714773600:
os:NetBSD 8.1::-1: os:NetBSD 8.1:2024-05-04:1714773600:
os:NetBSD 8.2:2024-05-04:1714773600:
os:NetBSD 8.3:2024-05-04:1714773600:
os:NetBSD 9.0::-1: os:NetBSD 9.0::-1:
os:NetBSD 9.1::-1:
os:NetBSD 9.2::-1:
os:NetBSD 9.3::-1:
os:NetBSD 9.4::-1:
os:NetBSD 10.0::-1:
os:NetBSD 10.1::-1:
# #
# OpenBSD - https://en.wikipedia.org/wiki/OpenBSD_version_history # OpenBSD - https://en.wikipedia.org/wiki/OpenBSD_version_history
# #
@ -231,7 +277,11 @@ os:OpenBSD 6.8:2021-10-14:1665698400:
os:OpenBSD 6.9:2022-04-21:1650492000: os:OpenBSD 6.9:2022-04-21:1650492000:
os:OpenBSD 7.0:2022-10-20:1666216800: os:OpenBSD 7.0:2022-10-20:1666216800:
os:OpenBSD 7.1:2023-05-01:1682892000: os:OpenBSD 7.1:2023-05-01:1682892000:
os:OpenBSD 7.2::-1 os:OpenBSD 7.2:2023-10-16:1697407200:
os:OpenBSD 7.3:2024-04-05:1712268000:
os:OpenBSD 7.4:2024-10-08:1728338400:
os:OpenBSD 7.5:2025-05-31:1748642400:
os:OpenBSD 7.6:2025-10-31:1761865200:
# #
# Red Hat Enterprise Linux - https://access.redhat.com/labs/plcc/ # Red Hat Enterprise Linux - https://access.redhat.com/labs/plcc/
# #
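Review bot: while this block is being extended, the context row "os:OpenBSD 6.8:2021-10-14:1665698400:" is inconsistent: 1665698400 is 2022-10-13 22:00 UTC, about a year later than the date in field three. The comparison uses the timestamp and the warning text uses the date, so one of the two should be corrected in the same change.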
@ -254,6 +304,10 @@ os:Slackware Linux 12.2:2013-12-09:1386540000:
os:Slackware Linux 13.0:2018-07-05:1530738000: os:Slackware Linux 13.0:2018-07-05:1530738000:
os:Slackware Linux 13.1:2018-07-05:1530738000: os:Slackware Linux 13.1:2018-07-05:1530738000:
os:Slackware Linux 13.37:2018-07-05:1530738000: os:Slackware Linux 13.37:2018-07-05:1530738000:
os:Slackware Linux 14.0:2024-01-01:1704063600:
os:Slackware Linux 14.1:2024-01-01:1704063600:
os:Slackware Linux 14.2:2024-01-01:1704063600:
os:Slackware Linux 15.0::-1:
# #
# SuSE - https://www.suse.com/lifecycle/ # SuSE - https://www.suse.com/lifecycle/
# #
@ -274,8 +328,18 @@ os:Ubuntu 17.10:2018-07-01:1530396000:
os:Ubuntu 18.04:2023-05-01:1682892000: os:Ubuntu 18.04:2023-05-01:1682892000:
os:Ubuntu 18.10:2019-07-18:1563400800: os:Ubuntu 18.10:2019-07-18:1563400800:
os:Ubuntu 19.04:2020-01-01:1577833200: os:Ubuntu 19.04:2020-01-01:1577833200:
os:Ubuntu 19.10:2020-07-17:1594936800:
os:Ubuntu 20.04:2025-04-01:1743458400: os:Ubuntu 20.04:2025-04-01:1743458400:
os:Ubuntu 20.10:2021-07-22:1626904800:
os:Ubuntu 21.04:2022-01-20:1642633200:
os:Ubuntu 21.10:2022-07-14:1657749600:
os:Ubuntu 22.04:2027-04-01:1806537600: os:Ubuntu 22.04:2027-04-01:1806537600:
os:Ubuntu 22.10:2023-07-20:1689804000:
os:Ubuntu 23.04:2024-01-25:1706137200:
os:Ubuntu 23.10:2024-07-11:1720648800:
os:Ubuntu 24.04:2029-06-01:1874959200:
os:Ubuntu 24.10:2025-07-01:1751320800:
os:Ubuntu 25.04:2026-01-01:1767222000:
# #
# OmniosCE - https://omniosce.org/releasenotes.html # OmniosCE - https://omniosce.org/releasenotes.html
# #
@ -283,9 +347,18 @@ os:OmniOS Community Edition v11 r151022:2020-05-11:1589148000:
os:OmniOS Community Edition v11 r151024:2018-11-04:1541286000: os:OmniOS Community Edition v11 r151024:2018-11-04:1541286000:
os:OmniOS Community Edition v11 r151026:2019-05-05:1557007200: os:OmniOS Community Edition v11 r151026:2019-05-05:1557007200:
os:OmniOS Community Edition v11 r151028:2019-11-04:1572822000: os:OmniOS Community Edition v11 r151028:2019-11-04:1572822000:
os:OmniOS Community Edition v11 r151030::-1: os:OmniOS Community Edition v11 r151030:2022-05-02:1651442400:
os:OmniOS Community Edition v11 r151032:2020-11-03:1604358000: os:OmniOS Community Edition v11 r151032:2020-11-03:1604358000:
os:OmniOS Community Edition v11 r151034::-1: os:OmniOS Community Edition v11 r151034:2021-05-03:1619992800:
os:OmniOS Community Edition v11 r151036:2021-11-01:1635721200:
os:OmniOS Community Edition v11 r151038:2024-05-04:1714773600:
os:OmniOS Community Edition v11 r151040:2022-11-06:1667689200:
os:OmniOS Community Edition v11 r151042:2023-05-01:1682892000:
os:OmniOS Community Edition v11 r151044:2023-11-05:1699138800:
os:OmniOS Community Edition v11 r151046::-1:
os:OmniOS Community Edition v11 r151048:2024-11-04:1730674800:
os:OmniOS Community Edition v11 r151050:2025-05-05:1746396000:
os:OmniOS Community Edition v11 r151052::-1:
# #
## Oracle Solaris - https://www.oracle.com/us/support/library/lifetime-support-hardware-301321.pdf (p. 34) ## Oracle Solaris - https://www.oracle.com/us/support/library/lifetime-support-hardware-301321.pdf (p. 34)
# The list below contains Premier Support End only # The list below contains Premier Support End only

@ -3070,8 +3070,11 @@
# Test against the string with a generic test set # Test against the string with a generic test set
if [ $# -eq 1 ]; then if [ $# -eq 1 ]; then
input="$1" input="$1"
# Only allow common set of characters: a-z, A-Z, 0-9, /._-:= # Use sed to strip all characters -except- those that are allowed
cleaned=$(echo "$input" | sed 's/[^a-zA-Z0-9\/\._:=-]//g') # - Common set of characters: a-z, A-Z, 0-9
# - Special characters: , /._-:=
# - Space for names (like auditor name)
cleaned=$(echo "$input" | sed 's/[^[:space:]a-zA-Z0-9\/\._:=-]//g')
# If two parameters are specified, then test input against specified class # If two parameters are specified, then test input against specified class
elif [ $# -eq 2 ]; then elif [ $# -eq 2 ]; then
input="$1" input="$1"
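Review bot: [:space:] in the new bracket expression admits tabs, carriage returns and the other whitespace characters, not only the space that the comment gives as the reason ("Space for names (like auditor name)"). If only a space is wanted, put a literal space in the set, or use [:blank:] at most, so that other whitespace keeps being stripped. The comment line "# - Special characters: , /._-:=" also lists a comma that the expression does not allow; one of the two should change.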

@ -20,6 +20,14 @@
# Operating System detection # Operating System detection
# #
################################################################################# #################################################################################
#
# Variables:
# OS is primary operating system name (e.g. Linux)
# OS_NAME is typically the name that people will refer it to (e.g. Debian)
# OS_VERSION is usually the major version (12) or major and minor version (12.9)
# OS_FULLNAME is the operating system name and version (often OS_NAME + OS_VERSION)
#
#################################################################################
# #
# Check operating system # Check operating system
case $(uname) in case $(uname) in
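Review bot: the new variable list leaves out OS_VERSION_FULL and LINUX_VERSION, both of which are assigned in the branches further down in this file (the Debian and Devuan cases). Since the changelog describes this block as clarifying variable usage, add a line for each, and reword "the name that people will refer it to" to "the name people refer to it by".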
@ -247,6 +255,7 @@
OS_NAME="Debian" OS_NAME="Debian"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_FULLNAME="${OS_NAME} ${OS_VERSION}"
;; ;;
"devuan") "devuan")
LINUX_VERSION="Devuan" LINUX_VERSION="Devuan"
@ -398,7 +407,8 @@
OS_NAME="openSUSE" OS_NAME="openSUSE"
;; ;;
"opensuse-slowroll") "opensuse-slowroll")
LINUX_VERSION="openSUSE Slowroll" LINUX_VERSION="openSUSE Tumbleweed-Slowroll"
# It's rolling release but has a snapshot version (the date of the snapshot)
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_NAME="openSUSE" OS_NAME="openSUSE"
;; ;;
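Review bot: the opensuse-slowroll branch sets LINUX_VERSION, OS_VERSION and OS_NAME but, in the lines shown, not OS_FULLNAME, which is the value the end-of-life lookup searches with. The Debian branch gained an explicit OS_FULLNAME="${OS_NAME} ${OS_VERSION}" in this same commit; doing the same here would make the lookup input predictable. Because VERSION_ID is a snapshot date for this distribution, any row added to software-eol.db for it has to match without depending on that date (a rolling-release row with empty date and -1), otherwise Slowroll systems land in the new "unknown" end-of-life state.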
@ -951,24 +961,40 @@
# Check if this OS is end-of-life # Check if this OS is end-of-life
EOL=255 EOL=255
EOL_DATE="" EOL_DATE=""
EOL_OS_MATCH=""
EOL_STATE=""
EOL_TIMESTAMP=0 EOL_TIMESTAMP=0
Debug "Info: determining if we can find end-of-life of this operating system"
if [ -n "${OS_VERSION}" ]; then if [ -n "${OS_VERSION}" ]; then
if [ -f "${DBDIR}/software-eol.db" ]; then if [ -f "${DBDIR}/software-eol.db" ]; then
FIND="${OS_FULLNAME}" FIND="${OS_FULLNAME}"
Debug "Info: using '${OS_FULLNAME}' to search for end-of-life (partial) match"
EOL_TIMESTAMP=$(awk -v value="${FIND}" -F: '{if ($1=="os" && value ~ $2){print $4}}' ${DBDIR}/software-eol.db | head -n 1) EOL_TIMESTAMP=$(awk -v value="${FIND}" -F: '{if ($1=="os" && value ~ $2){print $4}}' ${DBDIR}/software-eol.db | head -n 1)
if [ -n "${EOL_TIMESTAMP}" ]; then if [ -n "${EOL_TIMESTAMP}" ]; then
EOL_DATE=$(awk -v value="${FIND}" -F: '{if ($1=="os" && value ~ $2){print $3}}' ${DBDIR}/software-eol.db | head -n 1) EOL_DATE=$(awk -v value="${FIND}" -F: '{if ($1=="os" && value ~ $2){print $3}}' ${DBDIR}/software-eol.db | head -n 1)
if [ -n "${EOL_DATE}" ]; then if [ -n "${EOL_DATE}" ]; then
EOL_OS_MATCH=$(awk -v value="${FIND}" -F: '{if ($1=="os" && value ~ $2){print $2}}' ${DBDIR}/software-eol.db | head -n 1)
Debug "Found a matching line: ${EOL_OS_MATCH} (timestamp=${EOL_TIMESTAMP}, date=${EOL_DATE})"
if [ ${NOW} -gt ${EOL_TIMESTAMP} ]; then if [ ${NOW} -gt ${EOL_TIMESTAMP} ]; then
EOL=1 EOL=1
EOL_STATE="This operating system seems be end-of-life and may no longer receive updates or support!"
Debug "Outcome: OS is end-of-life!"
else
EOL=0
EOL_STATE="This operating system seems not to be end-of-life yet"
Debug "Outcome: OS is not end-of-life yet"
fi
else else
EOL=0 EOL=0
fi fi
else else
EOL=0 Debug "Could not find a related OS entry. Maybe it needs to be added to the database (${DBDIR}/software-eol.db)?"
fi
fi fi
else
Debug "No end-of-life database found (${DBDIR}/software-eol.db)"
fi fi
else
Debug "No OS version known, so skipped end-of-life check"
fi fi
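Review bot: in the branch where a row matches but field three is empty (rolling releases with timestamp -1), EOL is set to 0 without setting EOL_STATE or writing a Debug line, so that path is the only outcome with no state text and no debug output. Set EOL_STATE there as well, for example to a message that the release is rolling and has no end-of-life date. Two smaller points: the string "seems be end-of-life" is missing "to", and the three awk calls scan the file with the same condition and could be one pass that prints $2, $3 and $4, with ${DBDIR}/software-eol.db quoted.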

@ -208,39 +208,20 @@
echo "================================================================================" echo "================================================================================"
echo "" echo ""
echo " ${WHITE}Lynis security scan details${NORMAL}:" echo " ${WHITE}Lynis security scan details${NORMAL}:"
echo ""
echo " ${CYAN}Hardening index${NORMAL} : ${WHITE}${HPINDEX}${NORMAL} ${HPGRAPH}"
echo " ${CYAN}Tests performed${NORMAL} : ${WHITE}${CTESTS_PERFORMED}${NORMAL}"
if [ ${SKIP_PLUGINS} -eq 0 ]; then
echo " ${CYAN}Plugins enabled${NORMAL} : ${WHITE}${N_PLUGIN_ENABLED}${NORMAL}"
else
echo " ${CYAN}Plugins enabled${NORMAL} : ${WHITE}Skipped${NORMAL}"
fi
echo ""
echo " ${WHITE}Components${NORMAL}:"
if [ ${FIREWALL_ACTIVE} -eq 1 ]; then FIREWALL="${GREEN}V"; else FIREWALL="${RED}X"; fi
if [ ${MALWARE_SCANNER_INSTALLED} -eq 1 ]; then MALWARE="${GREEN}V"; else MALWARE="${RED}X"; fi
if [ ${IDS_IPS_TOOL_FOUND} -eq 1 ]; then IDSIPS="${GREEN}V"; else IDSIPS="${RED}X"; fi
echo " - Firewall [${FIREWALL}${NORMAL}]"
#echo " - Integrity monitoring [${IDSIPS}${NORMAL}]"
#echo " - Intrusion software [${IDSIPS}${NORMAL}]"
echo " - Malware scanner [${MALWARE}${NORMAL}]"
echo "" echo ""
echo " ${SECTION}Scan mode${NORMAL}:" echo " ${SECTION}Scan mode${NORMAL}:"
if [ ${DEVOPS_MODE} -eq 1 ]; then if [ ${DEVOPS_MODE} -eq 1 ]; then
echo " Normal [ ] Forensics [ ] Integration [V] Pentest [ ]" echo " Normal [ ] Forensics [ ] Integration [▆] Pentest [ ]"
elif [ ${FORENSICS_MODE} -eq 1 ]; then elif [ ${FORENSICS_MODE} -eq 1 ]; then
echo " Normal [ ] Forensics [V] Integration [ ] Pentest [ ]" echo " Normal [ ] Forensics [▆] Integration [ ] Pentest [ ]"
elif [ ${PENTESTINGMODE} -eq 1 ]; then elif [ ${PENTESTINGMODE} -eq 1 ]; then
if [ ${PRIVILEGED} -eq 0 ]; then if [ ${PRIVILEGED} -eq 0 ]; then
echo " Normal [ ] Forensics [ ] Integration [ ] Pentest [V] (running non-privileged)" echo " Normal [ ] Forensics [ ] Integration [ ] Pentest [▆] (running non-privileged)"
else else
echo " Normal [ ] Forensics [ ] Integration [ ] Pentest [V] (running privileged)" echo " Normal [ ] Forensics [ ] Integration [ ] Pentest [▆] (running privileged)"
fi fi
else else
echo " Normal [V] Forensics [ ] Integration [ ] Pentest [ ]" echo " Normal [▆] Forensics [ ] Integration [ ] Pentest [ ]"
fi fi
echo "" echo ""
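Review bot: the scan-mode markers change from "V" to the non-ASCII block "▆", while the component lines in the next hunk still print "[${GREEN}V${NORMAL}]". On a terminal or captured log that is not UTF-8 the block will not render, and the mixed markers make the summary inconsistent; either keep an ASCII marker here or switch both sets together.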
@ -253,6 +234,26 @@
echo " - Compliance status [${COMPLIANCE}${NORMAL}]" echo " - Compliance status [${COMPLIANCE}${NORMAL}]"
echo " - Security audit [${GREEN}V${NORMAL}]" echo " - Security audit [${GREEN}V${NORMAL}]"
echo " - Vulnerability scan [${GREEN}V${NORMAL}]" echo " - Vulnerability scan [${GREEN}V${NORMAL}]"
echo ""
echo " ${SECTION}Details${NORMAL}:"
echo " ${CYAN}Hardening index${NORMAL} : ${WHITE}${HPINDEX}${NORMAL} ${HPGRAPH}"
echo " ${CYAN}Tests performed${NORMAL} : ${WHITE}${CTESTS_PERFORMED}${NORMAL}"
if [ ${SKIP_PLUGINS} -eq 0 ]; then
echo " ${CYAN}Plugins enabled${NORMAL} : ${WHITE}${N_PLUGIN_ENABLED}${NORMAL}"
else
echo " ${CYAN}Plugins enabled${NORMAL} : ${WHITE}Skipped${NORMAL}"
fi
echo ""
echo " ${SECTION}Software components${NORMAL}:"
if [ ${FIREWALL_ACTIVE} -eq 1 ]; then FIREWALL="${GREEN}V"; else FIREWALL="${RED}X"; fi
if [ ${MALWARE_SCANNER_INSTALLED} -eq 1 ]; then MALWARE="${GREEN}V"; else MALWARE="${RED}X"; fi
if [ ${IDS_IPS_TOOL_FOUND} -eq 1 ]; then IDSIPS="${GREEN}V"; else IDSIPS="${RED}X"; fi
echo " - Firewall [${FIREWALL}${NORMAL}]"
#echo " - Integrity monitoring [${IDSIPS}${NORMAL}]"
echo " - Intrusion software [${IDSIPS}${NORMAL}]"
echo " - Malware scanner [${MALWARE}${NORMAL}]"
echo "" echo ""
echo " ${SECTION}Files${NORMAL}:" echo " ${SECTION}Files${NORMAL}:"
echo " - Test and debug information : ${WHITE}${LOGFILE}${NORMAL}" echo " - Test and debug information : ${WHITE}${LOGFILE}${NORMAL}"
@ -264,6 +265,12 @@
echo " ${GEN_CURRENT_VERSION} : ${WHITE}${PROGRAM_AC}${NORMAL} ${GEN_LATEST_VERSION} : ${WHITE}${PROGRAM_LV}${NORMAL}" echo " ${GEN_CURRENT_VERSION} : ${WHITE}${PROGRAM_AC}${NORMAL} ${GEN_LATEST_VERSION} : ${WHITE}${PROGRAM_LV}${NORMAL}"
echo "================================================================================" echo "================================================================================"
else else
if [ ${OLD_RELEASE} -eq 1 ]; then
echo ""
echo " ${NOTICE}Notice: ${WHITE}This version of ${PROGRAM_NAME} is older than 6 months and might be outdated. Check the project page if a newer version is available.${NORMAL}"
echo ""
echo "================================================================================"
fi
########################################################################################### ###########################################################################################
# #
# Software quality program # Software quality program
@ -272,6 +279,7 @@
########################################################################################### ###########################################################################################
if [ ! "${PROGRAM_LV}" = "0" -a ! "${REPORTFILE}" = "" -a ! "${REPORTFILE}" = "/dev/null" ]; then if [ ! "${PROGRAM_LV}" = "0" -a ! "${REPORTFILE}" = "" -a ! "${REPORTFILE}" = "/dev/null" ]; then
# Determine if the quality of the program can be increased by filtering out the exceptions # Determine if the quality of the program can be increased by filtering out the exceptions
FIND=$(${GREPBINARY} "^exception" ${REPORTFILE}) FIND=$(${GREPBINARY} "^exception" ${REPORTFILE})
if [ -n "${FIND}" ]; then if [ -n "${FIND}" ]; then
@ -286,13 +294,25 @@
echo "================================================================================" echo "================================================================================"
fi fi
fi fi
# If end-of-life check failed, ask to submit
if [ ! "${PROGRAM_LV}" = "0" -a ${EOL} -eq 255 ]; then
echo ""
echo " ${SECTION}Notice: ${WHITE}No OS entry was found in the end-of-life database${NORMAL}"
echo ""
echo " ${CYAN}${GEN_WHAT_TO_DO}:${NORMAL}"
echo " Please submit a pull request on GitHub to include your OS version and the end date of this OS version is being supported"
echo " URL: ${PROGRAM_SOURCE}"
echo ""
echo "================================================================================"
fi
fi fi
# Display what tests are skipped in non-privileged scan for awareness # Display what tests are skipped in non-privileged scan for awareness
if [ ${PENTESTINGMODE} -eq 1 -a ! "${SKIPPED_TESTS_ROOTONLY}" = "" ]; then if [ ${PENTESTINGMODE} -eq 1 -a ! "${SKIPPED_TESTS_ROOTONLY}" = "" ]; then
echo "" echo ""
echo " ${PURPLE}${NOTE_SKIPPED_TESTS_NON_PRIVILEGED}${NORMAL}" echo " ${PURPLE}${NOTE_SKIPPED_TESTS_NON_PRIVILEGED}:${NORMAL}"
echo ""
FIND=$(echo ${SKIPPED_TESTS_ROOTONLY} | sed 's/ /:space:/g') FIND=$(echo ${SKIPPED_TESTS_ROOTONLY} | sed 's/ /:space:/g')
# Split entries # Split entries
FIND=$(echo ${FIND} | sed 's/====/ /g') FIND=$(echo ${FIND} | sed 's/====/ /g')
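Review bot: the condition ${EOL} -eq 255 is also true when no OS version is known or when software-eol.db is absent, because EOL starts at 255 and the detection code only changes it after a row matches. In those cases the text "No OS entry was found in the end-of-life database" and the request for a pull request are misleading; use distinct values for "not checked" and "no matching row" so this notice is only shown for the latter. The sentence ending "and the end date of this OS version is being supported" needs rewording, and it is not clear from the hunk why the notice depends on PROGRAM_LV not being 0.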

@ -231,23 +231,25 @@
Register --test-no ACCT-9634 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for auditd log file" Register --test-no ACCT-9634 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for auditd log file"
if [ ${SKIPTEST} -eq 0 ]; then if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking auditd log file" LogText "Test: Checking auditd log file"
DEFAULT_LOCATION="/var/log/audit/audit.log"
FIND=$(${GREPBINARY} "^log_file" ${AUDITD_CONF_FILE} | ${AWKBINARY} '{ if ($1=="log_file" && $2=="=") { print $3 } }') FIND=$(${GREPBINARY} "^log_file" ${AUDITD_CONF_FILE} | ${AWKBINARY} '{ if ($1=="log_file" && $2=="=") { print $3 } }')
if [ -n "${FIND}" ]; then if [ -n "${FIND}" ]; then
LogText "Result: log file is defined" LogText "Result: log file is defined"
LogText "Defined value: ${FIND}" LogText "Defined value: ${FIND}"
else
LogText "Result: log file is not defined"
LogText "Assumed default location: ${DEFAULT_LOCATION}"
FIND="${DEFAULT_LOCATION}"
fi
if [ -f ${FIND} ]; then if [ -f ${FIND} ]; then
LogText "Result: log file ${FIND} exists on disk" LogText "Result: log file ${FIND} exists on disk"
Display --indent 4 --text "- Checking auditd log file" --result "${STATUS_FOUND}" --color GREEN Display --indent 4 --text "- Checking auditd log file" --result "${STATUS_FOUND}" --color GREEN
Report "logfile[]=${FIND}" Report "logfile[]=${FIND}"
else else
LogText "Result: can't find log file ${FIND} on disk" LogText "Result: can't find log file ${FIND} on disk"
Display --indent 4 --text "- Checking auditd log file" --result "${STATUS_SUGGESTION}" --color YELLOW Display --indent 4 --text "- Checking auditd log file" --result "${STATUS_SUGGESTION}" --color RED
ReportSuggestion "${TEST_NO}" "Check auditd log file location" ReportWarning "${TEST_NO}" "Check auditd log file location"
fi
else
LogText "Result: no log file found"
Display --indent 4 --text "- Checking auditd log file" --result "${STATUS_WARNING}" --color RED
ReportWarning "${TEST_NO}" "Auditd log file is defined but can not be found on disk"
fi fi
fi fi
# #
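Review bot: in the new branch for a log file that is not on disk, the screen result is ${STATUS_SUGGESTION} but the color is RED and the finding is recorded with ReportWarning, so the display and the report disagree; the removed branch used ${STATUS_WARNING} with RED. Use ${STATUS_WARNING} here. The test [ -f ${FIND} ] should quote ${FIND}, since the value is read from ${AUDITD_CONF_FILE} and a path containing spaces breaks the test. The warning text "Check auditd log file location" could also say whether the path was configured or the assumed default.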

@ -147,14 +147,14 @@
Report "malware_scanner[]=avira" Report "malware_scanner[]=avira"
fi fi
# Bitdefender (macOS) # Bitdefender (macOS & Linux)
LogText "Test: checking process epagd" LogText "Test: checking process Bitdefender daemon"
if IsRunning "bdagentd" || IsRunning "epagd"; then if IsRunning "bdagentd" || IsRunning "epagd" || IsRunning "bdsecd"; then
FOUND=1 FOUND=1
BITDEFENDER_DAEMON_RUNNING=1 BITDEFENDER_DAEMON_RUNNING=1
MALWARE_DAEMON_RUNNING=1 MALWARE_DAEMON_RUNNING=1
MALWARE_SCANNER_INSTALLED=1 MALWARE_SCANNER_INSTALLED=1
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Bitdefender agent" --result "${STATUS_FOUND}" --color GREEN; fi if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Bitdefender daemon" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: found Bitdefender security product" LogText "Result: found Bitdefender security product"
Report "malware_scanner[]=bitdefender" Report "malware_scanner[]=bitdefender"
fi fi
@ -321,7 +321,7 @@
# Wazuh agent # Wazuh agent
LogText "Test: checking process wazuh-agent to test for Wazuh agent" LogText "Test: checking process wazuh-agent to test for Wazuh agent"
if IsRunning "wazuh-agent"; then if IsRunning "wazuh-agentd"; then
if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Wazuh agent" --result "${STATUS_FOUND}" --color GREEN; fi if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Wazuh agent" --result "${STATUS_FOUND}" --color GREEN; fi
LogText "Result: found Wazuh component" LogText "Result: found Wazuh component"
FOUND=1 FOUND=1
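Review bot: the process name passed to IsRunning changed to "wazuh-agentd", but the LogText line above it still says "checking process wazuh-agent", so the log no longer names the process that is actually tested. Update the log text to match.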

lynis
@ -43,16 +43,16 @@
PROGRAM_WEBSITE="https://cisofy.com/lynis/" PROGRAM_WEBSITE="https://cisofy.com/lynis/"
# Version details # Version details
PROGRAM_RELEASE_DATE="2025-01-28" PROGRAM_RELEASE_DATE="2025-07-29"
PROGRAM_RELEASE_TIMESTAMP=1738061140 PROGRAM_RELEASE_TIMESTAMP=1753773496
PROGRAM_RELEASE_TYPE="pre-release" # pre-release or release PROGRAM_RELEASE_TYPE="pre-release" # pre-release or release
PROGRAM_VERSION="3.1.5" PROGRAM_VERSION="3.1.6"
# Source, documentation and license # Source, documentation and license
PROGRAM_SOURCE="https://github.com/CISOfy/lynis" PROGRAM_SOURCE="https://github.com/CISOfy/lynis"
PROGRAM_PACKAGE="https://packages.cisofy.com/" PROGRAM_PACKAGE="https://packages.cisofy.com/"
PROGRAM_DOCUMENTATION="https://cisofy.com/docs/" PROGRAM_DOCUMENTATION="https://cisofy.com/docs/"
PROGRAM_COPYRIGHT="2007-2024, ${PROGRAM_AUTHOR} - ${PROGRAM_WEBSITE}" PROGRAM_COPYRIGHT="2007-2025, ${PROGRAM_AUTHOR} - ${PROGRAM_WEBSITE}"
PROGRAM_LICENSE="${PROGRAM_NAME} comes with ABSOLUTELY NO WARRANTY. This is free software, and you are PROGRAM_LICENSE="${PROGRAM_NAME} comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
welcome to redistribute it under the terms of the GNU General Public License. welcome to redistribute it under the terms of the GNU General Public License.
See the LICENSE file for details about using this software." See the LICENSE file for details about using this software."
@ -676,12 +676,14 @@ ${NORMAL}
echo " Operating system name: ${OS_NAME}" echo " Operating system name: ${OS_NAME}"
echo " Operating system version: ${OS_VERSION}" echo " Operating system version: ${OS_VERSION}"
LogText "EOL check: ${EOL}" LogText "EOL check: ${EOL}"
if [ ${EOL} -eq 1 ]; then if [ ${EOL} -eq 0 ]; then
echo " End-of-life: ${WARNING}YES${NORMAL}" echo " End-of-life: ${STATUS_NO}"
elif [ ${EOL} -eq 1 ]; then
echo " End-of-life: ${WARNING}${STATUS_YES}${NORMAL}"
ReportWarning "GEN-0010" "This version ${OS_VERSION} is marked end-of-life as of ${EOL_DATE}" ReportWarning "GEN-0010" "This version ${OS_VERSION} is marked end-of-life as of ${EOL_DATE}"
elif [ ${EOL} -eq 255 ]; then elif [ ${EOL} -eq 255 ]; then
# TODO - mark as item where community can provide help echo " End-of-life: ${WARNING}${STATUS_UNKNOWN}${NORMAL}"
LogText "Note: the end-of-life of '${OS_FULLNAME}' could not be checked. Entry missing in software-eol.db?" LogText "Note: the end-of-life of '${OS_FULLNAME}' could not be checked. Entry is missing in db/software-eol.db?"
fi fi
if [ -n "${OS_MODE}" ]; then echo " Operating system mode: ${OS_MODE}"; fi if [ -n "${OS_MODE}" ]; then echo " Operating system mode: ${OS_MODE}"; fi
@ -789,45 +791,52 @@ ${NORMAL}
fi fi
OLD_RELEASE=0 OLD_RELEASE=0
TIME_DIFFERENCE_CHECK=10368000 # 4 months TIME_DIFFERENCE_CHECK=15552000 # approx 6 months
RELEASE_PLUS_TIMEDIFF=$((PROGRAM_RELEASE_TIMESTAMP + TIME_DIFFERENCE_CHECK)) RELEASE_PLUS_TIMEDIFF=$((PROGRAM_RELEASE_TIMESTAMP + TIME_DIFFERENCE_CHECK))
NOW=$(date "+%s") NOW=$(date "+%s")
if [ ${NOW} -gt ${RELEASE_PLUS_TIMEDIFF} ]; then if [ ${NOW} -gt ${RELEASE_PLUS_TIMEDIFF} ]; then
# Show if release is old, only if we didn't show it with normal update check
if [ ${UPDATE_AVAILABLE} -eq 0 ]; then
ReportSuggestion "LYNIS" "This release is more than 4 months old. Check the website or GitHub to see if there is an update available."
fi
OLD_RELEASE=1 OLD_RELEASE=1
fi fi
# Show on screen message if release is very outdated (unless --quiet/--silent is used) # Show on screen message if there is an update available or when the release is outdated
if [ ${UPDATE_AVAILABLE} -eq 1 -a ${QUIET} -eq 0 ]; then # Do not show any output when quiet mode is used (--quiet/--silent)
if [ ${QUIET} -eq 0 ]; then
if [ ${UPDATE_AVAILABLE} -eq 1 ]; then
echo "" echo ""
echo " ===============================================================================" echo " ==============================================================================="
echo " ${CYAN}${PROGRAM_NAME} ${TEXT_UPDATE_AVAILABLE}${NORMAL}" echo " ${CYAN}${PROGRAM_NAME} ${TEXT_UPDATE_AVAILABLE}${NORMAL}"
echo " ===============================================================================" echo " ==============================================================================="
echo "" echo ""
if [ ${OLD_RELEASE} -eq 1 ]; then
echo " ${YELLOW}Current version is more than 4 months old${NORMAL}"
echo ""
fi
if [ ${PROGRAM_LV} -gt 0 ]; then if [ ${PROGRAM_LV} -gt 0 ]; then
echo " Current version : ${YELLOW}${PROGRAM_AC}${NORMAL} Latest version : ${GREEN}${PROGRAM_LV}${NORMAL}" echo " Current version : ${YELLOW}${PROGRAM_AC}${NORMAL} Latest version : ${GREEN}${PROGRAM_LV}${NORMAL}"
echo "" echo ""
fi fi
echo " ${WHITE}Please update to the latest version.${NORMAL}" echo " ${WHITE}Please update to the latest version.${NORMAL}"
echo " New releases include additional features, bug fixes, tests, and baselines.${NORMAL}" echo " New releases include additional features, bug fixes, and tests.${NORMAL}"
elif [ ${OLD_RELEASE} -eq 1 ]; then
echo "" echo ""
echo " Download the latest version:" echo " ==============================================================================="
echo " ${CYAN}${PROGRAM_NAME} might be outdated${NORMAL}"
echo " ==============================================================================="
echo "" echo ""
echo " Packages (DEB/RPM) - https://packages.cisofy.com" echo " ${YELLOW}Current version is more than 6 months old${NORMAL}"
echo " This version might be ${WHITE}Please check if there is a more recent version available.${NORMAL}"
echo ""
echo " ${WHITE}Please check if there is a more recent version available.${NORMAL}"
fi
if [ ${OLD_RELEASE} -eq 1 -o ${UPDATE_AVAILABLE} -eq 1 ]; then
echo ""
echo " Download locations:"
echo ""
echo " Packages (DEB/RPM) - https://packages.cisofy.com/"
echo " Website (TAR) - https://cisofy.com/downloads/" echo " Website (TAR) - https://cisofy.com/downloads/"
echo " GitHub (source) - https://github.com/CISOfy/lynis" echo " GitHub - https://github.com/CISOfy/lynis"
echo "" echo ""
echo " ===============================================================================" echo " ==============================================================================="
echo "" echo ""
sleep 5 sleep 5
fi fi
fi
LogTextBreak LogTextBreak
# #
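Review bot: in the OLD_RELEASE branch, the line echo " This version might be ${WHITE}Please check if there is a more recent version available.${NORMAL}" is an unfinished sentence and repeats the message printed two lines later; remove it or complete it. With the ReportSuggestion call removed and all output now inside if [ ${QUIET} -eq 0 ], a quiet or scheduled run no longer records anywhere that the release is old; if that is intended, as the changelog indicates, a LogText entry would still leave a trace for whoever reads the log.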

publiccode.yml Normal file
@ -0,0 +1,49 @@
publiccodeYmlVersion: "0.4"
name: Lynis
url: https://github.com/CISOfy/lynis
releaseDate: 2025-01-28
platforms:
- linux
- mac
categories:
- cloud-management
- compliance-management
- fleet-management
- it-management
- it-security
developmentStatus: stable
softwareType: standalone/other
description:
en:
shortDescription: Security auditing tool for Linux, macOS, and UNIX-based systems
longDescription: Lynis is a security auditing tool for systems based on UNIX
like Linux, macOS, BSD, and others. It performs an in-depth security scan
and runs on the system itself. The primary goal is to test security
defenses and provide tips for further system hardening. It will also scan
for general system information, vulnerable software packages, and possible
configuration issues. Lynis was commonly used by system administrators and
auditors to assess the security defenses of their systems. Besides the
"blue team," nowadays penetration testers also have Lynis in their
toolkit.
documentation: https://cisofy.com/documentation/lynis/
features:
- command-line
- perform security audit
- extensive log
- security hardening advice
- Linux security hardening
legal:
license: AGPL-3.0-only
maintenance:
type: community
contacts:
- name: Michael Boelen
email: michael.boelen@cisofy.com
phone: ""
affiliation: ""
localisation:
localisationReady: true
availableLanguages:
- en
- es
- nl
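Review bot: releaseDate is 2025-01-28, which is the value this same commit replaces in the lynis script (PROGRAM_RELEASE_DATE is now 2025-07-29), so the new file is stale on arrival. The license field says AGPL-3.0-only while PROGRAM_LICENSE in the script refers to the GNU General Public License; confirm which identifier is correct. In longDescription, "Lynis was commonly used" should probably be "is commonly used", and the documentation URL https://cisofy.com/documentation/lynis/ differs from PROGRAM_DOCUMENTATION (https://cisofy.com/docs/).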