Commit Graph

120 Commits

Author SHA1 Message Date
Michael Boelen 8e61275ff4
Move state recording to report section 2019-05-16 15:23:23 +02:00
Michael Boelen 96c1ea8b0e
[PKGS-7386] Removed suggestion as a warning is already displayed when vulnerable packages were discovered 2019-04-20 14:31:11 +02:00
Michael Boelen 017103e20c
[PKGS-7392] - Skip test for Zypper-based systems 2019-04-17 15:26:43 +02:00
Michael Boelen 121c861446
Non-interactive mode for zypper 2019-04-17 15:07:07 +02:00
Michael Boelen bf5219d9b9
[PKGS-7328/PKGS-7330] added non-interactive global option 2019-04-15 19:30:21 +02:00
Michael Boelen d0df518426
[PKGS-7420] corrected typo 2019-03-30 13:58:23 +01:00
Michael Boelen 3660043308
[PKGS-7420] limit test to specific OS, add dnf-automatic support, extend logging 2019-03-30 13:31:03 +01:00
Michael Boelen 3702ae67b5
[PKGS-7420] Detect toolkit to automatically download and apply upgrades 2019-03-29 12:53:13 +01:00
Michael Boelen 605c381eb6
[PKGS-7410] add support for DPKG-based systems to gather installed kernel packages 2019-03-29 12:22:20 +01:00
silentcreek 17f2e34660 [PKGS-7388] Fix false positive warning on missing security archive (#651)
Currently the check for the security archive in Debian/Ubuntu fails, if
the archive is not hosted on security.{debian,ubuntu}.org and the URL
does have trailing slash, such as this:
  deb http://deb.debian.org/debian-security/ stretch/updates main

Change the regular expression to allow for a trailing slash in the URL
when filtering the package sources lists.

Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
2019-03-07 10:03:11 +01:00
Michael Boelen 66066ae226
Changed year and preparing for new release 2019-01-31 14:47:35 +01:00
Jesus Christian Cruz Acono 414be240e8 Update tests_ports_packages (#586)
change " " <- space for [[:blank:]] (to clean all pausible spaces)
2018-10-05 10:23:19 +02:00
Michael Boelen b4e93d4fcc
[PKGS-7322] Updated solution text 2018-09-17 09:23:04 +02:00
Michael Boelen e210d7f3b6
[PKGS-7384] changes to detect yum-utils package and related tooling 2018-02-19 15:01:59 +01:00
Michael Boelen 66f8cb2441
Changed year 2018-01-11 09:50:26 +01:00
wschaft c453331265 fixing "Repository listed more than once" issue (#449) (#490) 2017-11-08 19:20:20 +01:00
Tom Reynolds 41174afda6 Do not limit debsums to Debian systems (#457)
Debsums is supported on Debian and other systems as per GitHub issue #446. 
Undo commit d1969001c6.
2017-09-04 15:30:25 +02:00
Brian Ginsbach 3512068a49 [PKGS-7380] Fix NetBSD packages vulnerabilities file name (#443)
* [PKGS-7380] Fix NetBSD packages vulnerabilities file name

* OS Detection: Add early Mac OS X releases
2017-08-19 10:53:25 +02:00
Michael Boelen d682673c63
Preparations for APT 2017-08-19 10:51:06 +02:00
Michael Boelen d1969001c6
[PKGS-7370] only use debsums test for Debian systems 2017-07-10 16:08:32 +02:00
Jose Luis Duran 9dc4efefd6 Fix pkg audit option (#403)
-F, --fetch
       Fetch the database before checking.

[ci skip]
2017-06-14 14:06:18 +02:00
Michael Boelen 4ecb9d4d05
[bulk change] cleaning up, code enhancements, initialization of variables, and new tests 2017-04-30 17:59:35 +02:00
Michael Boelen 70ea29483a
Code enhancements 2017-04-23 20:06:54 +02:00
Yaisel Hurtado 4368013b43 Fixed detection of security repositories (#370) 2017-03-17 17:59:21 +00:00
Michael Boelen 352ea8c21c Added missing pipe 2017-03-13 19:55:00 +01:00
Michael Boelen b67d9233eb Added more logging 2017-03-13 19:53:56 +01:00
Michael Boelen e4474320ee [PKGS-7387] check all repositories for usage of gpg signing 2017-03-13 19:47:06 +01:00
Michael Boelen de84454d3f Cleanup 2017-03-12 19:27:16 +01:00
Michael Boelen a70cfd0a70 Improve message 2017-03-09 12:32:32 +01:00
Michael Boelen 336dcb4811 [PKGS-7381] Enhanced FreeBSD pkg audit testing 2017-03-09 12:27:38 +01:00
hlein 62d9a18861 A bunch of Solaris compatibility tweaks (#367)
* Work around Solaris' /bin/sh not being POSIX.

If /usr/xpg4/bin/sh is present, we are (definitely?) on Solaris or
a derivative, and /bin/sh cannot be trusted to support POSIX, but
/usr/xpg4/bin/sh can be.  Exec it right away.

* Work around Solaris 'which' command oddity.

Solaris' (at least) 'which' command outputs not-found errors to STDOUT
instead of STDERR.

This makes "did we get any output from which" checks insufficient;
piping to grep -v the "no foo in ..." message should work.

Note that this patch set includes all such uses of which that I could
find, including ones that should never be reached on Solaris (i.e. only
executed on some other OS) just for consistency.

* Improved alternate-sh exec to avoid looping.

* Solaris' /usr/ucb/echo supports -n.

* Check for the best hash type that openssl supports.

When using openssl to generate hashes, do not assume it supports
sha256; try that, then sha1, then give up and use md5.

* Solaris does not support sed -i; use a tempfile.

* Use the full path for modinfo.

When running as non-root, /usr/sbin/ might not be in PATH.
include/tests_accounting already calls modinfo by full path, but
include/tests_kernel did not.

* Solaris find does not support -maxdepth.

This mirrors the logic already in tests_homedirs.

* Use PSBINARY instead of ps.

* Work around Solaris' date not supporting +%s.

Printing nawk's srand value is a bizarre but apparently once popular
workaround for there being no normal userland command to print
UNIX epoch seconds.  A perl one-liner is the other common approach,
but nawk may be more reliably present on Solaris than perl.

* Revert to using sha1 for HOSTID.

* Whitespace cleanup for openssl hash tests.
2017-03-08 16:24:24 +00:00
hlein e054e9757c Lots of cleanups (#366)
* Description fix: SafePerms works on files not dirs.

All uses of SafePerms are on files (and indeed, it would reject
directories which would have +x set).

* Lots of whitespace cleanups.

Enforce everywhere(?) the same indentations for if/fi blocks.
The standard for the Lynis codebase is 4 spaces.  But sometimes
it's 1, sometimes 3, sometimes 8.

These patches standardize all(?) if blocks but _not_ else's (which
are usually indented 2, but sometimes zero); I was too lazy to
identify those (see below).

This diff is giant, but should not change code behavior at all;
diff -w shows no changes apart from whitespace.

FWIW I identified instances to check by using:

  perl -ne 'if ($oldfile ne $ARGV) { $.=1; $oldfile=$ARGV; }; chomp; if ($spaces) { next unless /^( *)([^ ]+)/; $newspaces=length($1); $firsttok = $2; next unless defined($firsttok); $offset = ($firsttok eq "elif" ? 0 : 4); if ($newspaces != $spaces + $offset) { print "$ARGV:$ifline\n$ARGV:$.:$_\n\n" }; $ifline=""; $spaces="";  } if (/^( *)if (?!.*[; ]fi)/) { $ifline = "$.:$_"; $spaces = length($1); }' $(find . -type f -print0 | xargs -0 file | egrep shell | cut -d: -f1)

Which produced output like:

  ./extras/build-lynis.sh:217:            if [ ${VERSION_IN_SPECFILE} = "" -o ! "${VERSION_IN_SPECFILE}" = "${LYNIS_VERSION}" ]; then
  ./extras/build-lynis.sh:218:               echo "[X] Version in specfile is outdated"

  ./plugins/plugin_pam_phase1:69:        if [ -d ${PAM_DIRECTORY} ]; then
  ./plugins/plugin_pam_phase1:70:                LogText "Result: /etc/pam.d exists"

...There's probably formal shellscript-beautification tools that
I'm oblivious about.

* More whitespace standardization.

* Fix a syntax error.

This looks like an if [ foo -o bar ]; was converted to if .. elif,
but incompletely.

* Add whitespace before closing ].

Without it, the shell thinks the ] is part of the last string, and
emits warnings like:

  .../lynis/include/tests_authentication: line 1028: [: missing `]'
2017-03-07 19:23:08 +00:00
hlein b595cc0fb5 Various cleanups (#363)
* Typo fix.

* Style change: always use $(), never ``.

The Lynis code already mostly used $(), but backticks were sprinkled
around.  Converted all of them.

* Lots of minor spelling/typo fixes.

FWIW these were found with:

  find . -type f -print0 | xargs -0 cat | aspell list | sort -u | egrep '^[a-z]+$' | less

And then reviewing the list to pick out things that looked like
misspelled words as opposed to variables, etc., and then manual
inspection of context to determine the intention.
2017-03-06 07:41:21 +00:00
Michael Boelen 34ba1ba184 Changed date and preparing for release 2017-02-09 13:35:40 +01:00
Michael Boelen 22d27434c9 Enhance pkg support on FreeBSD 2016-10-15 16:38:33 +02:00
Michael Boelen f1c3c23cae Corrected error redirection 2016-10-15 16:22:18 +02:00
Michael Boelen 8777a5e616 Use rootdir and proper error redirection 2016-10-15 16:20:04 +02:00
Michael Boelen f0b9a64c47 [PKGS-7381] bugfix at detection of pkg tool 2016-10-15 16:16:26 +02:00
Michael Boelen d88f755f40 [PKGS-7381] check pkg audit and report when the vulnerability database is missing 2016-10-15 16:12:49 +02:00
Michael Boelen d0d76c44cb Improved logging 2016-10-15 15:38:06 +02:00
Michael Boelen 9caf3005b5 Style improvements and hardening points 2016-09-26 12:05:30 +02:00
Michael Boelen a3f57e6d01 Mark tests PKGS-7320 and PKGS-7322 as Linux-only 2016-09-24 16:17:11 +02:00
Michael Boelen 98d9096739 Mark arch-audit as a package audit tool 2016-09-24 15:36:45 +02:00
Michael Boelen 1418e0404b Extended message for arch-audit 2016-09-24 15:34:31 +02:00
Michael Boelen 263c0b558b Changes to show more details for warnings 2016-09-24 15:27:42 +02:00
Michael Boelen 1bc29ebb2e Added solution to arch-audit test 2016-09-24 15:20:24 +02:00
Michael Boelen 1063c8f3e8 Replace calls to binaries and changes in output within report 2016-09-24 15:07:20 +02:00
Michael Boelen 780e66ea81 Use OS full name to detect distribution 2016-09-24 14:58:30 +02:00
Michael Boelen db419495bf Added support for arch-audit tooling 2016-09-24 14:49:14 +02:00
Michael Boelen 9d91f7dac7 [PKGS-7381] Improved output of log and warning 2016-09-22 14:54:55 +02:00