Real Ubuntu and Debian do not have LINUX_VERSION_LIKE set. They are
different enough to consider them as a different distribution.
Tests targetting any of distributions based of those two should check
both, LINUX_VERSION and LINUX_VERSION_LIKE.
Before parsing /etc/debian-release and /etc/lsb-release,
it is now checked if the variable LINUX_VERSION is already set.
This fixescisofy/lynis#1003, but has some side effects.
This will affects Ubuntu and Debian based distributions, like:
- Pop!_OS (Ubuntu based)
- Kali (Debian Based)
- Raspbian
- ...
Unfortunately this will likely skip/brake a few tests for those
distributions, as they are not considered to be Ubuntu or Debian
anymore. Linux Mint was already detected properly, but at least some
tests already had support for them (will other tests for Ubuntu are
skipped).
Those are tests I identified that will be skipped incorrectly now:
- BOOT-5180: Check for Linux boot services (Debian style)
It was already skipped on Linux Mint.
- KRNL-5622: Check default run level on Linux machines
This will only be skipped if systemd is not installed. It is
already skipped on Linux Mint in this case.
- KRNL-5788: Checking availability new kernel (sic!)
This was already skipped on Linux Mint.
- PKGS-7388: Check security repository (...)
It will now be skipped for all distributions that do use the
Debian / Ubuntu security repositories but are not detected as such
anymore (like Pop!_OS). It will now be correctly skipped on
Raspbian. This test was already aware of Linux Mint.
- PKGS-7390: Check Ubuntu database consitency
I am not sure why this test is Ubuntu only, thus it already
skipped on Debian and Mint.
- PKGS-7394: Check Ubuntu upgradeable packages
I am not sure why this is for Ubuntu only, too.
I think this should be feature tested instead, as
apt-show-versions can be installed on any Debian based
distribution as well..
- PKGS-7366: Checking if debsecan is installed (...)
While it may be correct to skip, debsecan remains usefull if
package versions, patches and vulnerability fixes are very close
on Debian itself.
It is the correct behaviour to not do this test on Ubuntu and
Ubuntu based distributions, as Canonical does not provide the
required databases.
- PKGS-7420: (Autoupdates)
Linux Mint was already skipped on this test.
I think this could be solved by introducing a variable like
LINUX_VERSION_PARENT. On Linux Mint it would be set to Ubuntu, on e.g.
Kali Linux the veriable has the value Debian. Tests can use this variable
to check if it is broadly applicable, and then check if the specific
distribution is excluded.
Replace setting an artificaly high date and converted date for
operating systems with no EOL (rolling) or the EOL is still to
be determined. This makes it easier for humans and saves making
a comparison (when using an artifically high converted time)
will always be false (EOL=0).
An example entry
os:AGreatOS 2.0:👎
The converted time (seconds since the epoch) could be specified as
zero but this typically means the OS is out of date (now), A value
of -1 is a convention indicating no EOL.
* Work around Solaris' /bin/sh not being POSIX.
If /usr/xpg4/bin/sh is present, we are (definitely?) on Solaris or
a derivative, and /bin/sh cannot be trusted to support POSIX, but
/usr/xpg4/bin/sh can be. Exec it right away.
* Work around Solaris 'which' command oddity.
Solaris' (at least) 'which' command outputs not-found errors to STDOUT
instead of STDERR.
This makes "did we get any output from which" checks insufficient;
piping to grep -v the "no foo in ..." message should work.
Note that this patch set includes all such uses of which that I could
find, including ones that should never be reached on Solaris (i.e. only
executed on some other OS) just for consistency.
* Improved alternate-sh exec to avoid looping.
* Solaris' /usr/ucb/echo supports -n.
* Check for the best hash type that openssl supports.
When using openssl to generate hashes, do not assume it supports
sha256; try that, then sha1, then give up and use md5.
* Solaris does not support sed -i; use a tempfile.
* Use the full path for modinfo.
When running as non-root, /usr/sbin/ might not be in PATH.
include/tests_accounting already calls modinfo by full path, but
include/tests_kernel did not.
* Solaris find does not support -maxdepth.
This mirrors the logic already in tests_homedirs.
* Use PSBINARY instead of ps.
* Work around Solaris' date not supporting +%s.
Printing nawk's srand value is a bizarre but apparently once popular
workaround for there being no normal userland command to print
UNIX epoch seconds. A perl one-liner is the other common approach,
but nawk may be more reliably present on Solaris than perl.
* Revert to using sha1 for HOSTID.
* Whitespace cleanup for openssl hash tests.
* Description fix: SafePerms works on files not dirs.
All uses of SafePerms are on files (and indeed, it would reject
directories which would have +x set).
* Lots of whitespace cleanups.
Enforce everywhere(?) the same indentations for if/fi blocks.
The standard for the Lynis codebase is 4 spaces. But sometimes
it's 1, sometimes 3, sometimes 8.
These patches standardize all(?) if blocks but _not_ else's (which
are usually indented 2, but sometimes zero); I was too lazy to
identify those (see below).
This diff is giant, but should not change code behavior at all;
diff -w shows no changes apart from whitespace.
FWIW I identified instances to check by using:
perl -ne 'if ($oldfile ne $ARGV) { $.=1; $oldfile=$ARGV; }; chomp; if ($spaces) { next unless /^( *)([^ ]+)/; $newspaces=length($1); $firsttok = $2; next unless defined($firsttok); $offset = ($firsttok eq "elif" ? 0 : 4); if ($newspaces != $spaces + $offset) { print "$ARGV:$ifline\n$ARGV:$.:$_\n\n" }; $ifline=""; $spaces=""; } if (/^( *)if (?!.*[; ]fi)/) { $ifline = "$.:$_"; $spaces = length($1); }' $(find . -type f -print0 | xargs -0 file | egrep shell | cut -d: -f1)
Which produced output like:
./extras/build-lynis.sh:217: if [ ${VERSION_IN_SPECFILE} = "" -o ! "${VERSION_IN_SPECFILE}" = "${LYNIS_VERSION}" ]; then
./extras/build-lynis.sh:218: echo "[X] Version in specfile is outdated"
./plugins/plugin_pam_phase1:69: if [ -d ${PAM_DIRECTORY} ]; then
./plugins/plugin_pam_phase1:70: LogText "Result: /etc/pam.d exists"
...There's probably formal shellscript-beautification tools that
I'm oblivious about.
* More whitespace standardization.
* Fix a syntax error.
This looks like an if [ foo -o bar ]; was converted to if .. elif,
but incompletely.
* Add whitespace before closing ].
Without it, the shell thinks the ] is part of the last string, and
emits warnings like:
.../lynis/include/tests_authentication: line 1028: [: missing `]'
* Default all macOS `OS` names as macOS. Added comments to specify `uname` outputs for better understanding.
* Refactored all `Mac` instances referring to macOS over to `macOS` formatting.
Tested on my own machine, unable to find any errors outside of normal parameters.
Simon Biewald
Steve Kolenich
Michael Boelen
Chris Lynch
Alexander Lackner
Aditya Shastri
Brian Ginsbach
Craig Comstock
Mark Garrett
Kristian Schuster
pyllyukko
柯豪
Wagner
Brian Ginsbach
Jeremy Daer
hlein
Justin P
mboelen
SiemKorteweg