#!/bin/sh ################################################################################# # # Lynis # ------------------ # # Copyright 2007-2013, Michael Boelen # Copyright 2007-2017, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com # GitHub : https://github.com/CISOfy/lynis # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are # welcome to redistribute it under the terms of the GNU General Public License. # See LICENSE file for usage of this software. # ################################################################################# # # Kernel # ################################################################################# # InsertSection "Kernel" # ################################################################################# # CORE_DUMPS_DISABLED=0 CPU_PAE=0 CPU_NX=0 LINUXCONFIGFILE="" LINUXCONFIGFILE_ZIPPED=0 # ################################################################################# # # Test : KRNL-5622 # Description : Check default run level on Linux machines Register --test-no KRNL-5622 --os Linux --weight L --network NO --category security --description "Determine Linux default run level" if [ ${SKIPTEST} -eq 0 ]; then # Checking if we can find the systemd default target LogText "Test: Checking for systemd default.target" if [ -L /etc/systemd/system/default.target ]; then LogText "Result: symlink found" if [ ! "${READLINKBINARY}" = "" ]; then FIND=$(${READLINKBINARY} /etc/systemd/system/default.target) if [ "${FIND}" = "" ]; then LogText "Exception: can't find the target of the symlink of /etc/systemd/system/default.target" ReportException "${TEST_NO}:01" else FIND2=$(echo ${FIND} | ${EGREPBINARY} "runlevel5|graphical") if [ ! "${FIND2}" = "" ]; then LogText "Result: Found match on runlevel5/graphical" Display --indent 2 --text "- Checking default runlevel" --result "runlevel 5" --color GREEN Report "linux_default_runlevel=5" else LogText "Result: No match found on runlevel, defaulting to runlevel 3" Display --indent 2 --text "- Checking default runlevel" --result "runlevel 3" --color GREEN Report "linux_default_runlevel=3" fi fi else LogText "Result: No readlink binary, can't determine where symlink is pointing to" Display --indent 2 --text "- Checking default run level" --result "${STATUS_UNKNOWN}" --color YELLOW fi else LogText "Result: no systemd found, so trying inittab" LogText "Test: Checking /etc/inittab" if [ -f /etc/inittab ]; then LogText "Result: file /etc/inittab found" LogText "Test: Checking default Linux run level" FIND=$(${AWKBINARY} -F: '/^id/ { print $2; }' /etc/inittab | head -n 1) if [ "${FIND}" = "" ]; then Display --indent 2 --text "- Checking default runlevel" --result "${STATUS_UNKNOWN}" --color YELLOW LogText "Result: Can't determine default run level from /etc/inittab" else Display --indent 2 --text "- Checking default run level" --result "${FIND}" --color GREEN LogText "Found default run level '${FIND}'" Report "linux_default_runlevel=${FIND}" fi else LogText "Result: file /etc/inittab not found" if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then LogText "Test: Checking run level with who -r, for Debian based systems" FIND=$(who -r | ${AWKBINARY} '{ if ($1=="run-level") { print $2 } }') if [ ! "${FIND}" = "" ]; then LogText "Result: Found default run level '${FIND}'" Report "linux_default_runlevel=${FIND}" Display --indent 2 --text "- Checking default run level" --result "RUNLEVEL ${FIND}" --color GREEN else LogText "Result: Can't determine default run level from who -r" Display --indent 2 --text "- Checking default run level" --result "${STATUS_UNKNOWN}" --color YELLOW fi fi fi fi fi # ################################################################################# # # Test : KRNL-5677 # Description : Check CPU options and support (PAE, No eXecute, eXecute Disable) # More info : pae and nx bit are both visible on AMD and Intel CPU's if supported Register --test-no KRNL-5677 --os Linux --weight L --network NO --category security --description "Check CPU options and support" if [ ${SKIPTEST} -eq 0 ]; then Display --indent 2 --text "- Checking CPU support (NX/PAE)" LogText "Test: Checking /proc/cpuinfo" if [ -f /proc/cpuinfo ]; then LogText "Result: found /proc/cpuinfo" LogText "Test: Checking CPU options (XD/NX/PAE)" FIND_PAE_NX=$(${GREPBINARY} " pae " /proc/cpuinfo | ${GREPBINARY} " nx ") FIND_PAE=$(${GREPBINARY} " pae " /proc/cpuinfo) FIND_NX=$(${GREPBINARY} " nx " /proc/cpuinfo) FOUND=0 if [ ! "${FIND_PAE_NX}" = "" ]; then LogText "PAE: Yes" LogText "NX: Yes" CPU_PAE=1 CPU_NX=1 LogText "Result: PAE or No eXecute option(s) both found" Report "cpu_pae=1" Report "cpu_nx=1" FOUND=1 else if [ ! "${FIND_PAE}" = "" -a "${FIND_NX}" = "" ]; then Report "cpu_pae=1" LogText "Result: found PAE" CPU_PAE=1 FOUND=1 else if [ ! "${FIND_NX}" = "" -a "${FIND_PAE}" = "" ]; then Report "cpu_nx=1" LogText "Result: found No eXecute" CPU_NX=1 FOUND=1 else LogText "Result: found no CPU options enabled (PAE or NX bit)" fi fi fi if [ ${FOUND} -eq 1 ]; then Display --indent 4 --text "CPU support: PAE and/or NoeXecute supported" --result "${STATUS_FOUND}" --color GREEN else Display --indent 4 --text "CPU support: No PAE or NoeXecute supported" --result "${STATUS_NONE}" --color YELLOW ReportSuggestion ${TEST_NO} "Use a PAE enabled kernel when possible to gain native No eXecute/eXecute Disable support" fi else Display --indent 4 --text "CPU support: no /proc/cpuinfo" --result "${STATUS_SKIPPED}" --color YELLOW LogText "Result: /proc/cpuinfo not found" fi fi # ################################################################################# # # Test : KRNL-5680 # Description : Check if installed kernel has PAE support # Dependency : KRNL-5677 # More info : RedHat/CentOS/Fedora uses the package name 'kernel-PAE' # ################################################################################# # # Test : KRNL-5695 # Description : Determining Linux kernel version and release number Register --test-no KRNL-5695 --os Linux --weight L --network NO --category security --description "Determine Linux kernel version and release number" if [ ${SKIPTEST} -eq 0 ]; then # Kernel number (and suffix) LINUX_KERNEL_RELEASE=$(uname -r) Report "linux_kernel_release=${LINUX_KERNEL_RELEASE}" LogText "Result: found kernel release ${LINUX_KERNEL_RELEASE}" # Type and build date LINUX_KERNEL_VERSION=$(uname -v) Report "linux_kernel_version=${LINUX_KERNEL_VERSION}" LogText "Result: found kernel version ${LINUX_KERNEL_VERSION}" Display --indent 2 --text "- Checking kernel version and release" --result "${STATUS_DONE}" --color GREEN fi # ################################################################################# # # Test : KRNL-5723 # Description : Check if Linux is build as a monolithic kernel or not Register --test-no KRNL-5723 --os Linux --weight L --network NO --category security --description "Determining if Linux kernel is monolithic" if [ ${SKIPTEST} -eq 0 ]; then if [ ! "${LSMODBINARY}" = "" -a -f /proc/modules ]; then LogText "Test: checking if kernel is monolithic or modular" # Checking if any modules are loaded FIND=$(${LSMODBINARY} | ${GREPBINARY} -v "^Module" | wc -l | ${TRBINARY} -s ' ' | ${TRBINARY} -d ' ') Display --indent 2 --text "- Checking kernel type" --result "${STATUS_DONE}" --color GREEN if [ "${FIND}" = "0" ]; then LogText "Result: Found monolithic kernel" Report "linux_kernel_type=monolithic" MONOLITHIC_KERNEL=1 else LogText "Result: Found modular kernel" Report "linux_kernel_type=modular" MONOLITHIC_KERNEL=0 fi else LogText "Test skipped, lsmod binary not found or /proc/modules can not be opened" fi fi # ################################################################################# # # Test : KRNL-5726 # Description : Checking Linux loaded kernel modules Register --test-no KRNL-5726 --os Linux --weight L --network NO --category security --description "Checking Linux loaded kernel modules" if [ ${SKIPTEST} -eq 0 ]; then if [ ! "${LSMODBINARY}" = "" -a -f /proc/modules ]; then FIND=$(${LSMODBINARY} | ${AWKBINARY} '{ if ($1!="Module") print $1 }' | sort) Display --indent 2 --text "- Checking loaded kernel modules" --result "${STATUS_DONE}" --color GREEN if [ ! "${FIND}" = "" ]; then LogText "Loaded modules according lsmod:" N=0 for I in ${FIND}; do LogText "Loaded module: ${I}" Report "loaded_kernel_module[]=${I}" N=$((N + 1)) done Display --indent 6 --text "Found ${N} active modules" else LogText "Result: no loaded modules found" LogText "Notice: No loaded kernel modules could indicate a broken/malformed lsmod, or a (custom) monolithic kernel" fi else LogText "Test skipped, lsmod binary not found or /proc/modules can not be opened" fi fi # ################################################################################# # # Test : KRNL-5728 # Description : Checking for available Linux kernel configuration file in /boot Register --test-no KRNL-5728 --os Linux --weight L --network NO --category security --description "Checking Linux kernel config" if [ ${SKIPTEST} -eq 0 ]; then CHECKFILE="/boot/config-$(uname -r)" if [ -f ${CHECKFILE} ]; then LINUXCONFIGFILE="${CHECKFILE}" LogText "Result: found config (${LINUXCONFIGFILE})" Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_FOUND}" --color GREEN elif [ -f /proc/config.gz ]; then LINUXCONFIGFILE="${CHECKFILE}" LINUXCONFIGFILE_ZIPPED=1 LogText "Result: found config: /proc/config.gz (compressed)" Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_FOUND}" --color GREEN else LogText "Result: no Linux kernel configuration file found in /boot" Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_NOT_FOUND}" --color WHITE fi if [ ! "${LINUXCONFIGFILE}" = "" ]; then Report "linux_config_file=${LINUXCONFIGFILE}" fi fi # ################################################################################# # # Test : KRNL-5730 # Description : Checking default I/O kernel scheduler # Notes : This test could be extended with testing some of the specific devices like disks # cat /sys/block/sda/queue/scheduler PREQS_MET="NO" if [ ! "${LINUXCONFIGFILE}" = "" ]; then if [ -f ${LINUXCONFIGFILE} ]; then PREQS_MET="YES"; fi fi Register --test-no KRNL-5730 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking disk I/O kernel scheduler" if [ ${SKIPTEST} -eq 0 ]; then if [ ${LINUXCONFIGFILE_ZIPPED} -eq 1 ]; then GREPTOOL="${ZGREPBINARY}"; else GREPTOOL="${GREPBINARY}"; fi if [ ! "${GREPTOOL}" = "" ]; then LogText "Test: Checking the default I/O kernel scheduler" LINUX_KERNEL_IOSCHED=$(${GREPTOOL} "CONFIG_DEFAULT_IOSCHED" ${LINUXCONFIGFILE} | ${AWKBINARY} -F= '{ print $2 }' | ${SEDBINARY} s/\"//g) if [ ! "${LINUX_KERNEL_IOSCHED}" = "" ]; then LogText "Result: found IO scheduler '${LINUX_KERNEL_IOSCHED}'" Display --indent 2 --text "- Checking default I/O kernel scheduler" --result "${STATUS_FOUND}" --color GREEN Report "linux_kernel_io_scheduler[]=${LINUX_KERNEL_IOSCHED}" else LogText "Result: no default i/o kernel scheduler found" Display --indent 2 --text "- Checking default I/O kernel scheduler" --result "${STATUS_NOT_FOUND}" --color WHITE fi else ReportException "${TEST_NO}" "No valid ${GREPBINARY} tool found to search kernel settings" fi fi # ################################################################################# # # Test : KRNL-5745 # Description : Checking FreeBSD loaded kernel modules Register --test-no KRNL-5745 --os FreeBSD --weight L --network NO --category security --description "Checking FreeBSD loaded kernel modules" if [ ${SKIPTEST} -eq 0 ]; then Display --indent 2 --text "- Checking active kernel modules" LogText "Test: Active kernel modules (KLDs)" LogText "Description: View all active kernel modules (including kernel)" LogText "Test: Checking modules" if [ -f /sbin/kldstat ]; then FIND=$(kldstat | ${GREPBINARY} -v 'Name' | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f6) if [ $? -eq 0 ]; then LogText "Loaded modules according kldstat:" N=0 for I in ${FIND}; do LogText "Loaded module: ${I}" Report "loaded_kernel_module[]=${I}" N=$((N + 1)) done Display --indent 4 --text "Found ${N} kernel modules" --result "${STATUS_DONE}" --color GREEN else Display --indent 4 --text "Test failed" --result "${STATUS_WARNING}" --color RED LogText "Result: Problem with executing kldstat" fi else echo "[ ${WHITE}SKIPPED${NORMAL} ]" LogText "Result: no results, can't find /sbin/kldstat" fi fi # ################################################################################# # # Test : KRNL-5831 # Description : Checking DragonFly loaded kernel modules Register --test-no KRNL-5831 --os DragonFly --weight L --network NO --category security --description "Checking DragonFly loaded kernel modules" if [ ${SKIPTEST} -eq 0 ]; then Display --indent 2 --text "- Checking active kernel modules" LogText "Test: Active kernel modules (KLDs)" LogText "Description: View all active kernel modules (including kernel)" LogText "Test: Checking modules" if [ -f /sbin/kldstat ]; then FIND=$(kldstat | ${GREPBINARY} -v 'Name' | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f6) if [ $? -eq 0 ]; then LogText "Loaded modules according kldstat:" N=0 for I in ${FIND}; do LogText "Loaded module: ${I}" Report "loaded_kernel_module[]=${I}" N=$((N + 1)) done Display --indent 4 --text "Found ${N} kernel modules" --result "${STATUS_DONE}" --color GREEN else Display --indent 4 --text "Test failed" --result "${STATUS_WARNING}" --color RED LogText "Result: Problem with executing kldstat" fi else echo "[ ${WHITE}SKIPPED${NORMAL} ]" LogText "Result: no results, can't find /sbin/kldstat" fi fi # ################################################################################# # # Test : KRNL-5770 # Description : Checking Solaris load modules Register --test-no KRNL-5770 --os Solaris --weight L --network NO --category security --description "Checking active kernel modules" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: searching loaded kernel modules" FIND=$(/usr/sbin/modinfo -c -w | ${GREPBINARY} -v "UNLOADED" | ${GREPBINARY} LOADED | ${AWKBINARY} '{ print $3 }' | sort) if [ ! "${FIND}" = "" ]; then for I in ${FIND}; do LogText "Found module: ${I}" Report "loaded_kernel_module[]=${I}" done Display --indent 2 --text "- Checking Solaris active kernel modules" --result "${STATUS_DONE}" --color GREEN else LogText "Result: no output" Display --indent 2 --text "- Checking Solaris active kernel modules" --result "${STATUS_UNKNOWN}" --color YELLOW fi fi # ################################################################################# # # Test : KRNL-5788 # Description : Checking availability new kernel if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no KRNL-5788 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking availability new Linux kernel" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Searching apt-cache, to determine if a newer kernel is available" if [ -x /usr/bin/apt-cache ]; then LogText "Result: found /usr/bin/apt-cache" LogText "Test: checking readlink location of /vmlinuz" if [ -f /vmlinuz ]; then FINDKERNFILE=$(readlink -f /vmlinuz) LogText "Output: readlink reported file ${FINDKERNFILE}" LogText "Test: checking package from dpkg -S" FINDKERNEL=$(dpkg -S ${FINDKERNFILE} 2> /dev/null | ${AWKBINARY} -F : '{print $1}') LogText "Output: dpkg -S reported package ${FINDKERNEL}" elif [ -e /dev/grsec ]; then FINDKERNEL=linux-image-$(uname -r) LogText "/vmlinuz missing due to grsecurity; assuming ${FINDKERNEL}" else LogText "This system is missing /vmlinuz. Unable to check whether kernel is up-to-date." ReportSuggestion ${TEST_NO} "Determine why /vmlinuz is missing on this Debian/Ubuntu system." "/vmlinuz" fi LogText "Test: Using apt-cache policy to determine if there is an update available" FINDINST=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ') FINDCAND=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Candidate' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ') LogText "Kernel installed: ${FINDINST}" LogText "Kernel candidate: ${FINDCAND}" if [ -z "${FINDINST}" ]; then Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_UNKNOWN}" --color YELLOW LogText "Result: Exception occurred, no output from apt-cache policy" ReportException "${TEST_NO}:01" LogText "Exception: apt-cache policy did not return an installed kernel version" ReportSuggestion ${TEST_NO} "Check the output of apt-cache policy manually to determine why output is empty" else if [ "${FINDINST}" = "${FINDCAND}" ]; then if [ -e /dev/grsec ]; then Display --indent 2 --text "- Checking for available kernel update" --result GRSEC --color GREEN LogText "Result: Grsecurity is installed; unable to determine if there's a newer kernel available" ReportManual "Manually check to confirm you're using a recent kernel and grsecurity patch" else Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_OK}" --color GREEN LogText "Result: no kernel update available" fi else Display --indent 2 --text "- Checking for available kernel update" --result "UPDATE AVAILABLE" --color YELLOW LogText "Result: kernel update available according 'apt-cache policy'." ReportSuggestion ${TEST_NO} "Determine priority for available kernel update" fi fi else LogText "Result: could NOT find /usr/bin/apt-cache, skipped other tests." fi fi # ################################################################################# # # Test : KRNL-5820 # Description : Checking core dumps configuration (Linux) Register --test-no KRNL-5820 --os Linux --weight L --network NO --category security --description "Checking core dumps configuration" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking presence /etc/security/limits.conf" if [ -f /etc/security/limits.conf ]; then LogText "Result: file /etc/security/limits.conf exists" LogText "Test: Checking if core dumps are disabled in /etc/security/limits.conf" FIND1=$(${GREPBINARY} -v "^#" /etc/security/limits.conf | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="soft" && $3=="core" && $4=="1") { print "soft core enabled" } }') FIND2=$(${GREPBINARY} -v "^#" /etc/security/limits.conf | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="hard" && $3=="core" && $4=="1") { print "hard core enabled" } }') if [ "${FIND1}" = "soft core enabled" -o "${FIND2}" = "hard core enabled" ]; then LogText "Result: core dumps (soft or hard) are enabled" Display --indent 2 --text "- Checking core dumps configuration" --result "${STATUS_ENABLED}" --color YELLOW ReportSuggestion "${TEST_NO}" "Check if core dumps need to be enabled on this system" AddHP 1 2 else LogText "Result: core dumps (soft and hard) are both disabled" Display --indent 2 --text "- Checking core dumps configuration" --result "${STATUS_DISABLED}" --color GREEN CORE_DUMPS_DISABLED=1 AddHP 3 3 fi # Sysctl option LogText "Test: Checking sysctl value of fs.suid_dumpable" FIND=$(${SYSCTLBINARY} fs.suid_dumpable 2> /dev/null | ${AWKBINARY} '{ if ($1=="fs.suid_dumpable") { print $3 } }') if [ -z "${FIND}" ]; then LogText "Result: sysctl key fs.suid_dumpable not found" else LogText "Result: value ${FIND} found" fi if [ "${FIND}" = "2" ]; then LogText "Result: programs can dump core dump, but only readable by root (value 2, for debugging with file protection)" Display --indent 4 --text "- Checking setuid core dumps configuration" --result PROTECTED --color GREEN AddHP 1 1 elif [ "${FIND}" = "1" ]; then LogText "Result: all programs can perform core dumps (value 1, for debugging)" Display --indent 2 --text "- Checking setuid core dumps configuration" --result DEBUG --color YELLOW ReportSuggestion "${TEST_NO}" "Determine if all binaries need to be able to core dump" AddHP 0 1 else LogText "Result: found default option, some programs can dump (not processes which need to change credentials)" Display --indent 4 --text "- Checking setuid core dumps configuration" --result DEFAULT --color YELLOW AddHP 1 1 fi else LogText "Result: file /etc/security/limits.conf does not exist, skipping test" fi # TODO: Check ulimit settings in /etc/profile and /etc/profile.d fi # ################################################################################# # # Test : KRNL-5826 # Description : Checking core dumps configuration (Solaris) #Register --test-no KRNL-5826 --os Linux --weight L --network NO --category security --description "Checking core dumps configuration" #if [ ${SKIPTEST} -eq 0 ]; then # ################################################################################# # # Test : KRNL-5830 # Description : Check if system needs a reboot (Linux only) Register --test-no KRNL-5830 --os Linux --weight L --network NO --category security --description "Checking if system is running on the latest installed kernel" if [ ${SKIPTEST} -eq 0 ]; then REBOOT_NEEDED=2 FILE="${ROOTDIR}var/run/reboot-required.pkgs" LogText "Test: Checking presence ${FILE}" if [ -f ${FILE} ]; then LogText "Result: file ${FILE} exists" FIND=$(${WCBINARY} -l < ${FILE}) if [ "${FIND}" = "0" ]; then LogText "Result: No reboot needed (file empty)" REBOOT_NEEDED=0 else PKGSCOUNT=$(${WCBINARY} -l < ${FILE}) LogText "Result: reboot is needed, related to ${PKGSCOUNT} packages" for I in ${FIND}; do LogText "Package: ${I}" done REBOOT_NEEDED=1 fi else LogText "Result: file ${FILE} not found" fi # Check if /boot exists if [ -d ${ROOTDIR}boot ]; then LogText "Result: /boot exists, performing more tests from here" FIND=$(${LSBINARY} ${ROOTDIR}boot/* 2> /dev/null) if [ ! -z "${FIND}" ]; then if [ -f ${ROOTDIR}boot/vmlinuz -a ! -L ${ROOTDIR}boot/vmlinuz ]; then LogText "Result: found /boot/vmlinuz (not symlinked)" NEXTLINE=0 FINDVERSION="" for I in $(file ${ROOTDIR}boot/vmlinuz-linux); do if [ ${NEXTLINE} -eq 1 ]; then FINDVERSION="${I}" else # Searching for the Linux kernel after the keyword 'version' if [ "${I}" = "version" ]; then NEXTLINE=1; fi fi done if [ ! -z "${FINDVERSION}" ]; then CURRENT_KERNEL=$(uname -r) if [ ! "${CURRENT_KERNEL}" = "${FINDVERSION}" ]; then LogText "Result: reboot needed, as current kernel is different than the one loaded" REBOOT_NEEDED=1 fi else ReportException "${TEST_NO}:1" "Can't determine kernel version on disk, need debug data" fi elif [ -f ${ROOTDIR}boot/vmlinuz-linux ]; then LogText "Result: /found /boot/vmlinuz-linux (usually Arch Linux or similar)" LogText "Test: checking kernel version on disk" VERSION_ON_DISK=$(${FILEBINARY} -b ${ROOTDIR}boot/vmlinuz-linux | ${AWKBINARY} '{ if ($1=="Linux" && $7=="version") { print $8 }}') if [ ! -z "${VERSION_ON_DISK}" ]; then LogText "Result: found version ${VERSION_ON_DISK}" ACTIVE_KERNEL=$(uname -r) LogText "Result: active kernel version ${ACTIVE_KERNEL}" if [ "${VERSION_ON_DISK}" = "${ACTIVE_KERNEL}" ]; then REBOOT_NEEDED=0 LogText "Result: no reboot needed, active kernel is the same version as the one on disk" else REBOOT_NEEDED=1 LogText "Result: reboot needed, as there is a difference between active kernel and the one on disk" fi else LogText "Result: could not find the version on disk" ReportException "${TEST_NO}:4" "Could not find the kernel version from /boot/vmlinux-linux" fi else if [ -L ${ROOTDIR}boot/vmlinuz ]; then LogText "Result: found symlink of ${ROOTDIR}boot/vmlinuz, skipping file" else LogText "Result: ${ROOTDIR}boot/vmlinuz not on disk, trying to find ${ROOTDIR}boot/vmlinuz*" fi # Extra current kernel version and replace dashes to allow numeric ${SORTBINARY} later on MYKERNEL=$(${UNAMEBINARY} -r | ${SEDBINARY} 's/\.[a-z].*.//g' | ${SEDBINARY} 's/-[a-z].*.//g' | ${SEDBINARY} 's/-/./g') LogText "Result: using ${MYKERNEL} as my kernel version (stripped)" FIND=$(ls ${ROOTDIR}boot/vmlinuz* 2> /dev/null) if [ ! -z "${FIND}" ]; then for ITEM in ${FIND}; do LogText "Result: found ${ITEM}" done # Display kernels, extract version numbers and ${SORTBINARY} them numeric per column (up to 6 numbers) # Ignore rescue images. Remove generic. and huge. for Slackware machines LogText "Action: checking relevant kernels" KERNELS=$(${LSBINARY} /boot/vmlinuz* | ${GREPBINARY} -v rescue | ${SEDBINARY} 's/vmlinuz-//' | ${SEDBINARY} 's/generic.//' | ${SEDBINARY} 's/huge.//' | ${SEDBINARY} 's/\.[a-z].*.//g' | ${SEDBINARY} 's/-[a-z].*.//g' | ${SEDBINARY} 's./boot/..' | ${SEDBINARY} 's/-/./g' | ${SORTBINARY} -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.) KERNELS_ONE_LINE=$(echo ${KERNELS} | ${TRBINARY} '\n' ' ') LogText "Output: ${KERNELS_ONE_LINE}" elif [ ! "$(ls ${ROOTDIR}boot/kernel* 2> /dev/null)" = "" ]; then LogText "Output: Found a kernel file in ${ROOTDIR}boot" # Display kernels, extract version numbers and ${SORTBINARY} them numeric per column (up to 6 numbers) # Examples: # /boot/kernel-genkernel-x86_64-3.14.14-gentoo KERNELS=$(${LSBINARY} ${ROOTDIR}boot/kernel* | ${AWKBINARY} -F- '{ if ($2=="genkernel") { print $4 }}' | ${GREPBINARY} "^[0-9]" | ${SORTBINARY} -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 -k6,6 -t \.) if [ ! -z "${KERNELS}" ]; then LogText "Output: ${KERNELS}"; fi else ReportException "${TEST_NO}:2" "Can not find any vmlinuz or kernel files in /boot, which is unexpected" fi if [ ! -z "${KERNELS}" ]; then FOUND_KERNEL=0 for I in ${KERNELS}; do # Check if we already found a kernel and it is not equal to what we run (e.g. double versions may exist) if [ ${FOUND_KERNEL} -eq 1 -a ! "${MYKERNEL}" = "${I}" ]; then LogText "Result: found a kernel (${I}) later than running one (${MYKERNEL})" REBOOT_NEEDED=1 fi if [ "${MYKERNEL}" = "${I}" ]; then FOUND_KERNEL=1 LogText "Result: Found ${I} (= our kernel)" else LogText "Result: Found ${I}" fi done # Check if we at least found the kernel on disk if [ ${FOUND_KERNEL} -eq 0 ]; then ReportException "${TEST_NO}:3" "Could not find our running kernel on disk, which is unexpected" else # If we are not sure yet reboot it needed, but we found running kernel as last one on disk, we run latest kernel if [ ${REBOOT_NEEDED} -eq 2 ]; then LogText "Result: we found our kernel on disk as last entry, so seems to be up-to-date" REBOOT_NEEDED=0 fi fi fi fi # No files in /boot else LogText "Result: Skipping this test, as there are no files in /boot" fi else LogText "Result: /boot does not exist" fi # Display discovered status if [ ${REBOOT_NEEDED} -eq 0 ]; then Display --indent 2 --text "- Check if reboot is needed" --result "${STATUS_NO}" --color GREEN AddHP 5 5 elif [ ${REBOOT_NEEDED} -eq 1 ]; then Display --indent 2 --text "- Check if reboot is needed" --result "${STATUS_YES}" --color RED ReportWarning ${TEST_NO} "Reboot of system is most likely needed" "" "text:reboot" AddHP 0 5 else Display --indent 2 --text "- Check if reboot is needed" --result "${STATUS_UNKNOWN}" --color YELLOW fi fi # ################################################################################# # WaitForKeyPress # #================================================================================ # Lynis - Copyright 2007-2017, CISOfy - https://cisofy.com