FixesCISOfy/lynis#1075.
Before this commit, the interfaces "e1000g1" and "net0" were allowed.
The name "e1000g0" is appended to the list.
After finding an interface, the loop is interrupted now. As previously
"net0" was always used, even if another interface was available, the list
is reordered to "net0 e1000g1 e1000g0" to not break previous generations.
A typo is also fixed ("No interface found op Solaris ..." -> "No
interface found on").
Signed-off-by: Simon Biewald <simon@fam-biewald.de>
New variable OPENSOLARIS to distringuish between Oracle Solaris and
OpenSolaris derivates. The edge case of OpenSolaris itself is not yet
solved, but OpenSolaris itself should be very rare these days.
Currently detected and distinguished Solaris variants are:
- Oracle Solaris >= 11 (exluding Solaris Express and OpenSolaris)
- Solaris < 11 (as "Sun Solaris")
- OmniosCE (but not old Omnios)
- OpenIndiana
- Shillix
- SmartOS
- Tribblix
- "Unknown Illumos" for unknown distributions based on Illumos
Lynis will fall back to "Sun Solaris" with "SunOS 5.X" for unknown
distributions.
The "new" service manager was included with Solaris 10 and not 11. It is
named "service management facility" (see smf(5) man page).
There is no IPS service manager, the name is only used for the package
manager of OpenSolaris and Solaris 11.
Signed-off-by: Simon Biewald <simon@fam-biewald.de>
The first od is removed, the second time is moved to right before echoing
the characters. On certain OpenSolaris distributions, `od` always outputs
spaces, even if the input is empty. The spaces would have been converted
to !space!, thus Lynis detected invalid characters / old style configuration.
Resolvescisofy/lynis#1065.
Signed-off-by: Simon Biewald <simon@fam-biewald.de>
The Solaris IPS service manager (svcs) is now detected, and services
managed with it are enumerated.
Test BOOT-5184 now runs on Solaris, too, as SysV init scripts are
supported as well, even with IPS. SysV Init has been the traditional
init system on Solaris.
On Solaris, the name loghost can be used to point to remote log servers.
By default loghost is configured to 127.0.0.1, logging to the local
machine.
Thus a new test - LOGG-2153 - is created to test if loghost is not
localhost and LOGG-2154 is modified to ignore @loghost lines if loghost
is localhost.
Commit 94e0a4e added a test for the Suricata binary, but the result appears to
be used nowhere. Add a proper test for an active Suricata daemon in the
IDS/IPS tooling section.
Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
Real Ubuntu and Debian do not have LINUX_VERSION_LIKE set. They are
different enough to consider them as a different distribution.
Tests targetting any of distributions based of those two should check
both, LINUX_VERSION and LINUX_VERSION_LIKE.
Improve handling of kenrel files
/boot/vmlinuz-linux-lts
/boot/vmlinuz-linux
/boot/vmlinuz-lts
by updateing RegEx and adding elif
this corrects issue where version is identified
as 'linux' or 'lts' causing false report that a
reboot is needed
Before parsing /etc/debian-release and /etc/lsb-release,
it is now checked if the variable LINUX_VERSION is already set.
This fixescisofy/lynis#1003, but has some side effects.
This will affects Ubuntu and Debian based distributions, like:
- Pop!_OS (Ubuntu based)
- Kali (Debian Based)
- Raspbian
- ...
Unfortunately this will likely skip/brake a few tests for those
distributions, as they are not considered to be Ubuntu or Debian
anymore. Linux Mint was already detected properly, but at least some
tests already had support for them (will other tests for Ubuntu are
skipped).
Those are tests I identified that will be skipped incorrectly now:
- BOOT-5180: Check for Linux boot services (Debian style)
It was already skipped on Linux Mint.
- KRNL-5622: Check default run level on Linux machines
This will only be skipped if systemd is not installed. It is
already skipped on Linux Mint in this case.
- KRNL-5788: Checking availability new kernel (sic!)
This was already skipped on Linux Mint.
- PKGS-7388: Check security repository (...)
It will now be skipped for all distributions that do use the
Debian / Ubuntu security repositories but are not detected as such
anymore (like Pop!_OS). It will now be correctly skipped on
Raspbian. This test was already aware of Linux Mint.
- PKGS-7390: Check Ubuntu database consitency
I am not sure why this test is Ubuntu only, thus it already
skipped on Debian and Mint.
- PKGS-7394: Check Ubuntu upgradeable packages
I am not sure why this is for Ubuntu only, too.
I think this should be feature tested instead, as
apt-show-versions can be installed on any Debian based
distribution as well..
- PKGS-7366: Checking if debsecan is installed (...)
While it may be correct to skip, debsecan remains usefull if
package versions, patches and vulnerability fixes are very close
on Debian itself.
It is the correct behaviour to not do this test on Ubuntu and
Ubuntu based distributions, as Canonical does not provide the
required databases.
- PKGS-7420: (Autoupdates)
Linux Mint was already skipped on this test.
I think this could be solved by introducing a variable like
LINUX_VERSION_PARENT. On Linux Mint it would be set to Ubuntu, on e.g.
Kali Linux the veriable has the value Debian. Tests can use this variable
to check if it is broadly applicable, and then check if the specific
distribution is excluded.
Thomas Sjögren
Michael Boelen
ElviaSchoultz
Simon Biewald
Josh Soref
Stéphane
Fabien Lehoussel
Timo Sigurdsson
Sergey Zhemoitel
danielorihuelarodriguez@gmail.com
Jimver
Steve Kolenich