Hello community,
here is the log from the commit of package lynis for openSUSE:Factory checked in at 2019-04-24 13:57:03
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/lynis (Old)
and /work/SRC/openSUSE:Factory/.lynis.new.5536 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "lynis"
Wed Apr 24 13:57:03 2019 rev:34 rq:697112 version:2.7.4
Changes:
--------
--- /work/SRC/openSUSE:Factory/lynis/lynis.changes 2019-03-10 09:34:45.456185117 +0100
+++ /work/SRC/openSUSE:Factory/.lynis.new.5536/lynis.changes 2019-04-24 13:57:04.792000049 +0200
@@ -1,0 +2,50 @@
+Tue Apr 23 07:24:21 UTC 2019 - Robert Frohl
+
+- Update to 2.7.4
+ Added
+ * FILE-6324 - Discover XFS mount points
+ * INSE-8000 - Installed inetd package
+ * INSE-8100 - Installed xinetd package
+ * INSE-8102 - Status of xinet daemon
+ * INSE-8104 - xinetd configuration file
+ * INSE-8106 - xinetd configuration for inactive daemon
+ * INSE-8200 - Usage of TCP wrappers
+ * INSE-8300 - Presence of rsh client
+ * INSE-8302 - Presence of rsh server
+ * Detect equery binary detection
+ * New 'generate' command
+
+ Changed
+ * AUTH-9278 - Test LDAP in all PAM components on Red Hat and other systems
+ * PKGS-7410 - Add support for DPKG-based systems to gather installed kernel packages
+ * PKGS-7420 - Detect toolkit to automatically download and apply upgrades
+ * PKGS-7328 - Added global Zypper option --non-interactive
+ * PKGS-7386 - Only show warning when vulnerable packages were discovered
+ * PKGS-7392 - Skip test for Zypper-based systems
+ * Minor changes to improve text output, test descriptions, and logging
+ * Changed CentOS identifiers in end-of-life database
+ * AIX enhancement for IsRunning function
+ * Extended PackageIsInstalled function
+ * Improve text output on AIX systems
+ * Corrected lsvg binary detection
+
+-------------------------------------------------------------------
+Thu Mar 21 12:11:32 UTC 2019 - Robert Frohl
+
+- update to 2.7.3
+ Added
+ * Detection for Lynis being scheduled (e.g. cronjob)
+
+ Changed
+ * HTTP-6624 - Improved logging for test
+ * KRNL-5820 - Changed color for default fs.suid_dumpable value
+ * LOGG-2154 - Adjusted test to search in configuration file correctly
+ * NETW-3015 - Added support for ip binary
+ * SQD-3610 - Description of test changed
+ * SQD-3613 - Corrected description in code
+ * SSH-7408 - Increased values for MaxAuthRetries
+ * Improvements to allow tailored tool tips in future
+ * Corrected detection of blkid binary
+ * Minor textual changes and cleanups
+
+-------------------------------------------------------------------
Old:
----
lynis-2.7.2.tar.gz
lynis-2.7.2.tar.gz.asc
New:
----
lynis-2.7.4.tar.gz
lynis-2.7.4.tar.gz.asc
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ lynis.spec ++++++
--- /var/tmp/diff_new_pack.b0qySC/_old 2019-04-24 13:57:05.535999583 +0200
+++ /var/tmp/diff_new_pack.b0qySC/_new 2019-04-24 13:57:05.539999581 +0200
@@ -23,12 +23,12 @@
%define _pluginsdir %{_datadir}/lynis/plugins
%define _dbdir %{_datadir}/lynis/db
Name: lynis
-Version: 2.7.2
+Version: 2.7.4
Release: 0
Summary: Security and System auditing tool
License: GPL-3.0-only
Group: System/Monitoring
-URL: https://cisofy.com/lynis/
+Url: https://cisofy.com/lynis/
Source0: https://cisofy.com/files/%{name}-%{version}.tar.gz
Source2: tests_binary_rpath
Source3: tests_file_permissionsDB
++++++ lynis-2.7.2.tar.gz -> lynis-2.7.4.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/CHANGELOG.md new/lynis/CHANGELOG.md
--- old/lynis/CHANGELOG.md 2019-03-07 01:00:00.000000000 +0100
+++ new/lynis/CHANGELOG.md 2019-04-21 02:00:00.000000000 +0200
@@ -1,5 +1,60 @@
# Lynis Changelog
+## Lynis 2.7.4 (2019-04-21)
+
+This is a bigger release than usual, including several new tests created by
+Capashenn (GitHub). It is a coincidence that it is released exactly one more
+after the previous version and on Easter. No easter eggs, only improvements!
+
+### Added
+- FILE-6324 - Discover XFS mount points
+- INSE-8000 - Installed inetd package
+- INSE-8100 - Installed xinetd package
+- INSE-8102 - Status of xinet daemon
+- INSE-8104 - xinetd configuration file
+- INSE-8106 - xinetd configuration for inactive daemon
+- INSE-8200 - Usage of TCP wrappers
+- INSE-8300 - Presence of rsh client
+- INSE-8302 - Presence of rsh server
+- Detect equery binary detection
+- New 'generate' command
+
+### Changed
+- AUTH-9278 - Test LDAP in all PAM components on Red Hat and other systems
+- PKGS-7410 - Add support for DPKG-based systems to gather installed kernel packages
+- PKGS-7420 - Detect toolkit to automatically download and apply upgrades
+- PKGS-7328 - Added global Zypper option --non-interactive
+- PKGS-7330 - Added global Zypper option --non-interactive
+- PKGS-7386 - Only show warning when vulnerable packages were discovered
+- PKGS-7392 - Skip test for Zypper-based systems
+- Minor changes to improve text output, test descriptions, and logging
+- Changed CentOS identifiers in end-of-life database
+- AIX enhancement for IsRunning function
+- Extended PackageIsInstalled function
+- Improve text output on AIX systems
+- Corrected lsvg binary detection
+
+---------------------------------------------------------------------------------
+
+## Lynis 2.7.3 (2019-03-21)
+
+### Added
+- Detection for Lynis being scheduled (e.g. cronjob)
+
+### Changed
+- HTTP-6624 - Improved logging for test
+- KRNL-5820 - Changed color for default fs.suid_dumpable value
+- LOGG-2154 - Adjusted test to search in configuration file correctly
+- NETW-3015 - Added support for ip binary
+- SQD-3610 - Description of test changed
+- SQD-3613 - Corrected description in code
+- SSH-7408 - Increased values for MaxAuthRetries
+- Improvements to allow tailored tool tips in future
+- Corrected detection of blkid binary
+- Minor textual changes and cleanups
+
+---------------------------------------------------------------------------------
+
## Lynis 2.7.2 (2019-03-07)
### Added
@@ -23,7 +78,6 @@
- PKGS-7388 - Improve detection for security archive
- RPi/Raspian path to PAM_FILE_LOCATIONS
-
---------------------------------------------------------------------------------
## Lynis 2.7.1 (2019-01-30)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/db/software-eol.db new/lynis/db/software-eol.db
--- old/lynis/db/software-eol.db 2019-03-07 01:00:00.000000000 +0100
+++ new/lynis/db/software-eol.db 2019-04-21 02:00:00.000000000 +0200
@@ -11,9 +11,9 @@
#
# CentOS
#
-os:CentOS 5:2017-03-31:1490911200:
-os:CentOS 6:2020-11-30:1606690800:
-os:CentOS 7:2024-06-30:1719698400:
+os:CentOS Linux release 5:2017-03-31:1490911200:
+os:CentOS Linux release 6:2020-11-30:1606690800:
+os:CentOS Linux release 7:2024-06-30:1719698400:
#
# FreeBSD - https://www.freebsd.org/security/unsupported.html
#
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/db/tests.db new/lynis/db/tests.db
--- old/lynis/db/tests.db 2019-03-07 01:00:00.000000000 +0100
+++ new/lynis/db/tests.db 2019-04-21 02:00:00.000000000 +0200
@@ -169,11 +169,17 @@
HTTP-6714:test:security:webservers::Check for missing error logs in nginx:
HTTP-6716:test:security:webservers::Check for debug mode on error log in nginx:
HTTP-6720:test:security:webservers::Check Nginx log files:
-INSE-8002:test:security:insecure_services::Check for enabled inet daemon:
-INSE-8004:test:security:insecure_services::Check for enabled inet daemon:
-INSE-8006:test:security:insecure_services::Check configuration of inetd when disabled:
+INSE-8000:test:security:insecure_services::Installed inetd package:
+INSE-8002:test:security:insecure_services::Status of inet daemon:
+INSE-8004:test:security:insecure_services::Presence of inetd configuration file:
+INSE-8006:test:security:insecure_services::Check configuration of inetd when it is disabled:
INSE-8016:test:security:insecure_services::Check for telnet via inetd:
INSE-8050:test:security:insecure_services:MacOS:Check for insecure services on macOS systems:
+INSE-8100:test:security:insecure_services::Installed xinetd package:
+INSE-8116:test:security:insecure_services::Insecure services enabled via xinetd:
+INSE-8200:test:security:insecure_services::Usage of TCP wrappers:
+INSE-8300:test:security:insecure_services::Presence of rsh client:
+INSE-8302:test:security:insecure_services::Presence of rsh server:
KRNL-5622:test:security:kernel:Linux:Determine Linux default run level:
KRNL-5677:test:security:kernel:Linux:Check CPU options and support:
KRNL-5695:test:security:kernel:Linux:Determine Linux kernel version and release number:
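Review bot: The test identifiers registered here do not line up with the 2.7.4 changelog on the same page: this hunk adds INSE-8116, which the changelog never mentions, while the changelog lists INSE-8102, INSE-8104 and INSE-8106 as new tests that are not added to tests.db. If tests.db is what the runner consults for descriptions and enablement (I cannot see that code here), a test implemented in tests_insecure_services but absent from the database would be described or skipped inconsistently, so one of the two lists should be corrected before release. The rewritten descriptions for INSE-8002/8004/8006 are not mentioned in the changelog either.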
@@ -319,6 +325,7 @@
PKGS-7394:test:security:ports_packages:Linux:Check for Ubuntu updates:
PKGS-7398:test:security:ports_packages::Check for package audit tool:
PKGS-7410:test:security:ports_packages::Count installed kernel packages:
+PKGS-7420:test:security:ports_packages::Detect toolkit to automatically download and apply upgrades:
PRNT-2302:test:security:printers_spools:FreeBSD:Check for printcap consistency:
PRNT-2304:test:security:printers_spools::Check cupsd status:
PRNT-2306:test:security:printers_spools::Check CUPSd configuration file:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/binaries new/lynis/include/binaries
--- old/lynis/include/binaries 2019-03-07 01:00:00.000000000 +0100
+++ new/lynis/include/binaries 2019-04-21 02:00:00.000000000 +0200
@@ -99,6 +99,7 @@
afick.pl) AFICKBINARY=${BINARY}; LogText " Found known binary: afick (file integrity checker) - ${BINARY}" ;;
aide) AIDEBINARY=${BINARY}; LogText " Found known binary: aide (file integrity checker) - ${BINARY}" ;;
apache2) HTTPDBINARY=${BINARY}; LogText " Found known binary: apache2 (web server) - ${BINARY}" ;;
+ apt) APTBINARY=${BINARY}; LogText " Found known binary: apt (package manager) - ${BINARY}" ;;
arch-audit) ARCH_AUDIT_BINARY="${BINARY}"; LogText " Found known binary: arch-audit (auditing utility to test for vulnerable packages) - ${BINARY}" ;;
auditd) AUDITDBINARY=${BINARY}; LogText " Found known binary: auditd (audit framework) - ${BINARY}" ;;
awk) AWKBINARY=${BINARY}; LogText " Found known binary: awk (string tool) - ${BINARY}" ;;
@@ -107,14 +108,14 @@
auditctl) AUDITCTLBINARY="${BINARY}"; LogText " Found known binary: auditctl (control utility for audit daemon) - ${BINARY}" ;;
autolog) AUTOLOGBINARY="${BINARY}"; IDLE_SESSION_KILLER_INSTALLED=1; LogText " Found known binary: autolog (idle session killer) - ${BINARY}" ;;
base64) BASE64BINARY="${BINARY}"; LogText " Found known binary: base64 (encoding tool) - ${BINARY}" ;;
- blkid) BLKDBINARY="${BINARY}"; LogText " Found known binary: blkid (information about block devices) - ${BINARY}" ;;
- bootctl) BOOTCTLBINARY="${BINARY}"; LogText " Found known binary: bootctl (systemd-boot manager utility) - ${BINARY}" ;;
+ blkid) BLKIDBINARY="${BINARY}"; LogText " Found known binary: blkid (information about block devices) - ${BINARY}" ;;
+ bootctl) BOOTCTLBINARY="${BINARY}"; LogText " Found known binary: bootctl (systemd-boot manager utility) - ${BINARY}" ;;
cat) CAT_BINARY="${BINARY}"; LogText " Found known binary: cat (generic file handling) - ${BINARY}" ;;
- cc) CCBINARY="${BINARY}"; COMPILER_INSTALLED=1; LogText " Found known binary: cc (compiler) - ${BINARY}" ;;
+ cc) CCBINARY="${BINARY}"; COMPILER_INSTALLED=1; LogText " Found known binary: cc (compiler) - ${BINARY}" ;;
chkconfig) CHKCONFIGBINARY=${BINARY}; LogText " Found known binary: chkconfig (administration tool) - ${BINARY}" ;;
clamconf) CLAMCONF_BINARY=${BINARY}; LogText " Found known binary: clamconf (information about ClamAV) - ${BINARY}" ;;
clamscan) CLAMSCANBINARY=${BINARY}; LogText " Found known binary: clamscan (AV scanner) - ${BINARY}" ;;
- clang) CLANGBINARY=${BINARY}; COMPILER_INSTALLED=1; LogText " Found known binary: clang (compiler) - ${BINARY}" ;;
+ clang) CLANGBINARY=${BINARY}; COMPILER_INSTALLED=1; LogText " Found known binary: clang (compiler) - ${BINARY}" ;;
cfagent) CFAGENTBINARY="${BINARY}"; FILE_INT_TOOL_FOUND=1; LogText " Found known binary: cfengine agent (configuration tool) - ${BINARY}" ;;
chkrootkit) CHKROOTKITBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: chkrootkit (malware scanner) - ${BINARY}" ;;
comm) COMMBINARY="${BINARY}"; LogText " Found known binary: comm (file compare) - ${BINARY}" ;;
@@ -131,7 +132,8 @@
domainname) DOMAINNAMEBINARY="${BINARY}"; LogText " Found known binary: domainname (NIS domain) - ${BINARY}" ;;
dpkg) DPKGBINARY="${BINARY}"; LogText " Found known binary: dpkg (package management) - ${BINARY}" ;;
egrep) EGREPBINARY=${BINARY}; LogText " Found known binary: egrep (text search) - ${BINARY}" ;;
- exim) EXIMBINARY="${BINARY}"; EXIMVERSION=$(${BINARY} -bV | grep 'Exim version' | awk '{ print $3 }' | xargs); LogText "Found ${BINARY} (version ${EXIMVERSION})" ;;
+ equery) EQUERYBINARY="${BINARY}"; LogText " Found known binary: query (package manager) - ${BINARY}" ;;
+ exim) EXIMBINARY="${BINARY}"; EXIMVERSION=$(${BINARY} -bV | grep 'Exim version' | awk '{ print $3 }' | xargs); LogText " Found known binary ${BINARY} (version ${EXIMVERSION})" ;;
fail2ban-server) FAIL2BANBINARY="${BINARY}"; LogText " Found known binary: fail2ban (IPS tool) - ${BINARY}" ;;
file) FILEBINARY="${BINARY}"; LogText " Found known binary: file (file type detection) - ${BINARY}" ;;
find) FINDBINARY="${BINARY}"; LogText " Found known binary: find (search tool) - ${BINARY}" ;;
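Review bot: The log message on the new `equery)` arm names the binary as `query`, which misleads anyone searching the log for the package-manager detection; it should read `LogText " Found known binary: equery (package manager) - ${BINARY}"`. The variable it sets, EQUERYBINARY, is initialised in the consts hunk on this page, so the rest of the arm is consistent with the others.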
@@ -164,7 +166,7 @@
lsattr) LSATTRBINARY="${BINARY}"; LogText " Found known binary: lsattr (file attributes) - ${BINARY}" ;;
lsmod) LSMODBINARY="${BINARY}"; LogText " Found known binary: lsmod (kernel modules) - ${BINARY}" ;;
lsof) LSOFBINARY="${BINARY}"; LogText " Found known binary: lsof (open files) - ${BINARY}" ;;
- lsvg) LVSGBINARY=${BINARY}; LogText " Found known binary: lsvg (volume manager) - ${BINARY}" ;;
+ lsvg) LSVGBINARY=${BINARY}; LogText " Found known binary: lsvg (volume manager) - ${BINARY}" ;;
lvdisplay) LVDISPLAYBINARY="${BINARY}"; LogText " Found known binary: lvdisplay (LVM tool) - ${BINARY}" ;;
lynx) LYNXBINARY="${BINARY}"; LYNXVERSION=$(${BINARY} -version | grep "^Lynx Version" | cut -d ' ' -f3); LogText "Found known binary: lynx (browser) - ${BINARY} (version ${LYNXVERSION})" ;;
maldet) LMDBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: maldet (Linux Malware Detect, malware scanner) - ${BINARY}" ;;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/consts new/lynis/include/consts
--- old/lynis/include/consts 2019-03-07 01:00:00.000000000 +0100
+++ new/lynis/include/consts 2019-04-21 02:00:00.000000000 +0200
@@ -46,6 +46,7 @@
#
# == Variable initializing ==
#
+ APTBINARY=""
ARCH_AUDIT_BINARY=""
AUDITORNAME=""
AUDITCTLBINARY=""
@@ -70,6 +71,7 @@
CHKCONFIGBINARY=""
CLAMCONF_BINARY=""
CLAMSCANBINARY=""
+ CLANGBINARY=""
COLORS=1
COMPLIANCE_ENABLE_CIS=0
COMPLIANCE_ENABLE_HIPAA=0
@@ -99,8 +101,11 @@
DNFBINARY=""
DOCKERBINARY=""
DOCKER_DAEMON_RUNNING=0
+ DPKGBINARY=""
ECHOCMD=""
ERROR_ON_WARNINGS=0
+ EQUERYBINARY=""
+ EXIMBINARY=""
FAIL2BANBINARY=""
FILEBINARY=""
FILEVALUE=""
@@ -139,6 +144,7 @@
LOGTEXT=1
LSMODBINARY=""
LSVGBINARY=""
+ LYNIS_CRONJOB=""
MACHINEID=""
MACHINE_ROLE=""
MALWARE_SCANNER_INSTALLED=0
@@ -247,8 +253,10 @@
SHOW_REPORT_SOLUTION=1
SHOW_TOOL_TIPS=1 # Show inline tool tips (default true)
SHOW_WARNINGS_ONLY=0
+ SKIP_GETHOSTID=0
SKIP_PLUGINS=0
SKIP_TESTS=""
+ SKIP_VM_DETECTION=0
SKIPREASON=""
SKIPPED_TESTS_ROOTONLY=""
SMTPCTLBINARY=""
@@ -269,6 +277,7 @@
TESTS_EXECUTED=""
TESTS_SKIPPED=""
TMPFILE=""
+ TOMOYOINITBINARY=""
TOOLTIP_SHOWED=0
TOTAL_SUGGESTIONS=0
TOTAL_WARNINGS=0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/functions new/lynis/include/functions
--- old/lynis/include/functions 2019-03-07 01:00:00.000000000 +0100
+++ new/lynis/include/functions 2019-04-21 02:00:00.000000000 +0200
@@ -805,15 +805,26 @@
# Name : GetHostID()
# Description : Create an unique id for the system
#
- # Returns : optional value
+ # Returns : 0 = fetched or created IDs, 1 = failed, 2 = skipped
# Usage : GetHostID
################################################################################
GetHostID() {
+ if [ ${SKIP_GETHOSTID} -eq 1 ]; then
+ return 2
+ fi
+
if [ ! -z "${HOSTID}" -a ! -z "${HOSTID2}" ]; then
Debug "Skipping creation of host identifiers, as they are already configured (via profile)"
- return 1
+ return 2
+ fi
+
+ if [ -f "${ROOTDIR}etc/lynis/hostids" ]; then
+ Debug "Used hostids file to fetch values"
+ HOSTID=$(grep "^hostid=" ${ROOTDIR}etc/lynis/hostids | awk -F= '{print $2}')
+ HOSTID2=$(grep "^hostid2=" ${ROOTDIR}etc/lynis/hostids | awk -F= '{print $2}')
+ return 0
fi
FIND=""
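Review bot: The new hostids-file branch returns 0 unconditionally after the two grep calls, so a file that exists but lacks a `hostid=` or `hostid2=` line leaves HOSTID or HOSTID2 empty while the function reports success, and the "No unique host identifier could be created" exception later in this function is never reached. The values are also accepted verbatim, without checking that they are the hex strings `lynis generate hostids` produces, even though HOSTID ends up in the report. Replace the unconditional return with `if [ -n "${HOSTID}" ] && [ -n "${HOSTID2}" ]; then return 0; fi` (logging the incomplete file) so an incomplete file falls through to the normal derivation, and quote the path in the grep calls. GetHostID continues past the end of this hunk.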
@@ -1110,8 +1121,9 @@
fi
# Show an exception if no HostID could be created, to ensure each system (and scan) has one
- if [ "${HOSTID}" = "" ]; then
+ if [ -z "${HOSTID}" ]; then
ReportException "GetHostID" "No unique host identifier could be created."
+ return 1
elif [ ! -z "${HOSTID2}" ]; then
return 0
fi
@@ -1284,7 +1296,8 @@
if [ -z "${search}" ]; then ExitFatal "Missing process to search for when using IsRunning function"; fi
RUNNING=0
- if [ ! -z "${PGREPBINARY}" ]; then
+ # AIX does not fully support pgrep options, so using ps instead
+ if [ ! -z "${PGREPBINARY}" -a ! "${OS}" = "AIX" ]; then
FIND=$(${PGREPBINARY} ${pgrep_options} "${search}" | ${TRBINARY} '\n' ' ')
else
if [ -z "${PSOPTIONS}" ]; then
@@ -1392,6 +1405,10 @@
ISVIRTUALMACHINE=2; VMTYPE="unknown"; VMFULLTYPE="Unknown"
SHORT=""
+ if [ ${SKIP_VM_DETECTION} -eq 1 ]; then
+ return 2
+ fi
+
# lxc environ detection
if [ -z "${SHORT}" ]; then
if [ -f /proc/1/environ ]; then
@@ -1699,7 +1716,7 @@
################################################################################
# Name : PackageIsInstalled()
- # Description : Add a separator to log file between sections, tests etc
+ # Description : Determines if a package is installed
# Returns : exit code
# Notes : this function is not used yet, but created in advance to allow
# the addition of support for all operating systems
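Review bot: The description is corrected, but the `Notes` lines that follow still say the function is not used yet, which this same release contradicts: INSE-8000 in tests_insecure_services now calls `PackageIsInstalled "inetd"` and branches on its exit code. Replace the note with something like `# Notes : callers rely on the exit code only (0 = installed); stdout is not used` so the header no longer suggests the function can be changed freely. The function body starts outside this hunk.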
@@ -1714,11 +1731,20 @@
Fatal "Incorrect usage of PackageIsInstalled function"
fi
- if [ ! -z "${RPMBINARY}" ]; then
- output=$(${RPMBINARY} --quiet -q ${package} 2> /dev/null)
+ if [ ! -z "${DNFBINARY}" ]; then
+ output=$(${DNFBINARY} --quiet --cacheonly --noplugins --assumeno info --installed ${package} > /dev/null 2>&1)
+ exit_code=$?
+ elif [ ! -z "${DPKGBINARY}" ]; then
+ output=$(${DPKGBINARY} -l ${package} 2> /dev/null | ${GREPBINARY} "^ii")
exit_code=$?
- elif ! -z "${DPKGBINARY}" ]; then
- output=$(${DPKGBINARY} -l ${package} 2> /dev/null)
+ elif [ ! -z "${EQUERYBINARY}" ]; then
+ output=$(${EQUERYBINARY} --quiet ${package} > /dev/null 2>&1)
+ exit_code=$? # 0=package installed, 3=package not installed
+ elif [ ! -z "${PKG_BINARY}" ]; then
+ output=$(${PKG_BINARY} -N info ${package} >/dev/null 2>&1)
+ exit_code=$? # 0=package installed, 70=invalid package
+ elif [ ! -z "${RPMBINARY}" ]; then
+ output=$(${RPMBINARY} --quiet -q ${package} > /dev/null 2>&1)
exit_code=$?
elif [ ! -z "${ZYPPERBINARY}" ]; then
output=$(${ZYPPERBINARY} --quiet --non-interactive search --installed -i ${PACKAGE} 2> /dev/null | grep "^i")
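Review bot: In the new DNF, equery, pkg and RPM branches the command's stdout is redirected to /dev/null inside the `$( )`, so `output` is always empty and only `exit_code` carries information; the assignment reads as if the output were examined. Either drop the capture, e.g. `${RPMBINARY} --quiet -q ${package} > /dev/null 2>&1; exit_code=$?`, or keep the output and test it as the DPKG and Zypper branches do. The Zypper branch on the context line searches for `${PACKAGE}` while every other branch uses `${package}`; unless PACKAGE is set elsewhere, the search runs with an empty name and `grep "^i"` then matches any installed package, which matters for this openSUSE build. PackageIsInstalled continues beyond this hunk.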
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/helper_generate new/lynis/include/helper_generate
--- old/lynis/include/helper_generate 1970-01-01 01:00:00.000000000 +0100
+++ new/lynis/include/helper_generate 2019-04-21 02:00:00.000000000 +0200
@@ -0,0 +1,89 @@
+#!/bin/sh
+
+#################################################################################
+#
+# Lynis
+# ------------------
+#
+# Copyright 2007-2013, Michael Boelen
+# Copyright 2007-2019, CISOfy
+#
+# Website : https://cisofy.com
+# Blog : http://linux-audit.com
+# GitHub : https://github.com/CISOfy/lynis
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+######################################################################
+#
+# Helper program to generate specific details such as host IDs
+#
+######################################################################
+#
+# How to use:
+# ------------
+# Run: lynis generate <option>
+#
+######################################################################
+
+SAVEFILE=0
+GENERATE_ARGS="hostids"
+
+if [ $# -gt 0 ]; then
+ case $1 in
+ "hostids")
+
+ if [ $# -gt 1 ]; then
+ shift
+ if [ $1 = "--save" ]; then
+ SAVEFILE=1
+ fi
+ fi
+
+ # Generate random host IDs
+ HOSTID=$(head -c20 < /dev/urandom | xxd -c 20 -p)
+ HOSTID2=$(head -c32 < /dev/urandom | xxd -c 32 -p)
+
+ ${ECHOCMD} "Generated host identifiers"
+ ${ECHOCMD} "- hostid: ${HOSTID}"
+ ${ECHOCMD} "- hostid2: ${HOSTID2}"
+
+ if [ ${SAVEFILE} -eq 1 ]; then
+ FILE="${ROOTDIR}etc/lynis/hostids"
+ if [ -f ${FILE} ]; then
+ ${ECHOCMD} "Error: hostids file already exists (${FILE})"
+ ${ECHOCMD} "Remove the file first and rerun command"
+ ExitFatal
+ else
+ OUTPUT=$(touch ${FILE} 2> /dev/null)
+ if [ $? -eq 0 ]; then
+ ${ECHOCMD} "Created hostids file (${FILE})"
+ echo "# generated using 'lynis generate hostids --save'" > ${FILE}
+ echo "hostid=${HOSTID}" >> ${FILE}
+ echo "hostid2=${HOSTID2}" >> ${FILE}
+ else
+ ExitFatal "Error: could not created hostids file (${FILE}). Issue with permissions?"
+ fi
+ fi
+ fi
+
+ ExitClean
+ ;;
+ *) ${ECHOCMD} "Unknown argument '${RED}$1${NORMAL}' for lynis generate" ;;
+ esac
+else
+ ${ECHOCMD} "\n ${WHITE}Provide an additional argument${NORMAL}\n\n"
+ for ITEM in ${GENERATE_ARGS}; do
+ ${ECHOCMD} " lynis generate ${BROWN}${ITEM}${NORMAL}"
+ done
+ ${ECHOCMD} "\n"
+ ${ECHOCMD} ""
+ ${ECHOCMD} "Extended help about the generate command can be provided with: $0 show commands generate"
+fi
+
+
+ExitClean
+
+# The End
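Review bot: The generated identifiers are written out without checking that they were actually produced: `xxd` is used with no availability check, so on a host without it HOSTID and HOSTID2 are empty and `--save` writes `hostid=` and `hostid2=` to `${ROOTDIR}etc/lynis/hostids`, which the new GetHostID branch then accepts as a valid configuration. Add a guard before the output, `if [ -z "${HOSTID}" ] || [ -z "${HOSTID2}" ]; then ExitFatal "Could not generate host identifiers (is xxd installed?)"; fi`. The file is created with whatever umask the caller has; since these values identify the host in reports, setting `umask 077` before the `touch` keeps them from being readable by every local user. Smaller points: `[ $1 = "--save" ]` and the `> ${FILE}` redirections should quote their expansions, and the failure message reads "could not created".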
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/helper_show new/lynis/include/helper_show
--- old/lynis/include/helper_show 2019-03-07 01:00:00.000000000 +0100
+++ new/lynis/include/helper_show 2019-04-21 02:00:00.000000000 +0200
@@ -94,6 +94,17 @@
"
+GENERATE_ARGS="( --save )"
+GENERATE_HELP="
+ Generate random value for hostid and hostid2
+ ${WHITE}lynis generate hostids${NORMAL}
+
+ Generate and save values
+ ${WHITE}lynis generate hostids --save${NORMAL}
+
+"
+
+
UPDATE_ARGS="check info"
UPDATE_HELP="
${CYAN}update info${NORMAL}
@@ -274,6 +285,7 @@
shift
case $1 in
"audit") ${ECHOCMD} "${AUDIT_HELP}" ;;
+ "generate") ${ECHOCMD} "${GENERATE_HELP}" ;;
"show") ${ECHOCMD} "${SHOW_HELP}" ;;
"update") ${ECHOCMD} "${UPDATE_HELP}" ;;
"upload-only") ${ECHOCMD} "${UPLOAD_ONLY_HELP}" ;;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/osdetection new/lynis/include/osdetection
--- old/lynis/include/osdetection 2019-03-07 01:00:00.000000000 +0100
+++ new/lynis/include/osdetection 2019-04-21 02:00:00.000000000 +0200
@@ -477,7 +477,7 @@
ECHONB=""
case ${OS} in
- "AIX") ECHOCMD="echo" ;;
+ "AIX") ECHOCMD="echo"; ECHONB="printf" ;;
"DragonFly"|"FreeBSD"|"NetBSD") ECHOCMD="echo -e"; ECHONB="echo -n" ;;
"macOS" | "Mac OS X") ECHOCMD="echo"; ECHONB="/bin/echo -n" ;;
"Solaris") ECHOCMD="echo" ; test -f /usr/ucb/echo && ECHONB="/usr/ucb/echo -n" ;;
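Review bot: Setting `ECHONB="printf"` for AIX makes the first argument of every call the printf format string; if ECHONB is invoked elsewhere as `${ECHONB} "${TEXT}"` (the call sites are not in this hunk), any `%` in the text is interpreted as a conversion, unlike the `echo -n` variants chosen for the other platforms. `ECHONB="printf %s"` keeps the argument literal, and `printf %b` would be the choice if echo's backslash handling is relied on.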
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/parameters new/lynis/include/parameters
--- old/lynis/include/parameters 2019-03-07 01:00:00.000000000 +0100
+++ new/lynis/include/parameters 2019-04-21 02:00:00.000000000 +0200
@@ -111,6 +111,24 @@
break
;;
+ # Generate data
+ generate)
+ CHECK_BINARIES=0
+ HELPER="generate"
+ LOGTEXT=0
+ QUIET=1
+ RUN_HELPERS=1
+ RUN_TESTS=0
+ RUN_UPDATE_CHECK=0
+ SKIP_GETHOSTID=1
+ SKIP_PLUGINS=1
+ SKIP_VM_DETECTION=1
+ SHOW_PROGRAM_DETAILS=0
+ SHOW_TOOL_TIPS=0
+ shift; HELPER_PARAMS="$@"
+ break
+ ;;
+
# Show Lynis details
show)
CHECK_BINARIES=0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/report new/lynis/include/report
--- old/lynis/include/report 2019-03-07 01:00:00.000000000 +0100
+++ new/lynis/include/report 2019-04-21 02:00:00.000000000 +0200
@@ -178,7 +178,11 @@
echo ""
echo " ${CYAN}Hardening index${NORMAL} : ${WHITE}${HPINDEX}${NORMAL} ${HPGRAPH}"
echo " ${CYAN}Tests performed${NORMAL} : ${WHITE}${CTESTS_PERFORMED}${NORMAL}"
- if [ ${SKIP_PLUGINS} -eq 0 ]; then echo " ${CYAN}Plugins enabled${NORMAL} : ${WHITE}${N_PLUGIN_ENABLED}${NORMAL}"; fi
+ if [ ${SKIP_PLUGINS} -eq 0 ]; then
+ echo " ${CYAN}Plugins enabled${NORMAL} : ${WHITE}${N_PLUGIN_ENABLED}${NORMAL}"
+ else
+ echo " ${CYAN}Plugins enabled${NORMAL} : ${WHITE}Skipped${NORMAL}"
+ fi
echo ""
echo " ${WHITE}Components${NORMAL}:"
if [ ${FIREWALL_ACTIVE} -eq 1 ]; then FIREWALL="${GREEN}V"; else FIREWALL="${RED}X"; fi
@@ -191,15 +195,15 @@
echo " - Malware scanner [${MALWARE}${NORMAL}]"
echo ""
- echo " ${SECTION}Lynis Modules${NORMAL}:"
+ echo " ${SECTION}Lynis modules${NORMAL}:"
if [ ${COMPLIANCE_TESTS_PERFORMED} -eq 1 ]; then
if [ ${COMPLIANCE_FINDINGS_FOUND} -eq 0 ]; then COMPLIANCE="${GREEN}V"; else COMPLIANCE="${RED}X"; fi
else
COMPLIANCE="${YELLOW}?"
fi
- echo " - Compliance Status [${COMPLIANCE}${NORMAL}]"
- echo " - Security Audit [${GREEN}V${NORMAL}]"
- echo " - Vulnerability Scan [${GREEN}V${NORMAL}]"
+ echo " - Compliance status [${COMPLIANCE}${NORMAL}]"
+ echo " - Security audit [${GREEN}V${NORMAL}]"
+ echo " - Vulnerability scan [${GREEN}V${NORMAL}]"
echo ""
echo " ${SECTION}Files${NORMAL}:"
echo " - Test and debug information : ${WHITE}${LOGFILE}${NORMAL}"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_authentication new/lynis/include/tests_authentication
--- old/lynis/include/tests_authentication 2019-03-07 01:00:00.000000000 +0100
+++ new/lynis/include/tests_authentication 2019-04-21 02:00:00.000000000 +0200
@@ -698,25 +698,32 @@
#
# Test : AUTH-9278
# Description : Search LDAP support in PAM files
- Register --test-no AUTH-9278 --weight L --network NO --category security --description "Checking LDAP pam status"
+ Register --test-no AUTH-9278 --weight L --network NO --category security --description "Determine LDAP support in PAM files"
if [ ${SKIPTEST} -eq 0 ]; then
- LogText "Test: checking presence /etc/pam.d/common-auth"
- if [ -f /etc/pam.d/common-auth ]; then
- LogText "Result: file /etc/pam.d/common-auth exists"
- LogText "Test: checking presence LDAP module"
- FIND=$(${GREPBINARY} "^auth.*ldap" /etc/pam.d/common-auth)
- if [ ! "${FIND}" = "" ]; then
- LogText "Result: LDAP module present"
- LogText "Output: ${FIND}"
- Display --indent 2 --text "- LDAP module in PAM" --result "${STATUS_FOUND}" --color GREEN
- LDAP_AUTH_ENABLED=1
- LDAP_PAM_ENABLED=1
+ AUTH_FILES="${ROOTDIR}etc/pam.d/common-auth ${ROOTDIR}etc/pam.d/system-auth"
+ for FILE in ${AUTH_FILES}; do
+ LogText "Test: checking presence ${FILE}"
+ if [ -f ${FILE} ]; then
+ LogText "Result: file ${FILE} exists"
+ LogText "Test: checking presence LDAP module"
+ FIND=$(${GREPBINARY} "^auth.*ldap" ${FILE})
+ if [ ! -z "${FIND}" ]; then
+ LogText "Result: LDAP module present"
+ LogText "Output: ${FIND}"
+ LDAP_AUTH_ENABLED=1
+ LDAP_PAM_ENABLED=1
+ else
+ LogText "Result: LDAP module not found"
+ fi
else
- LogText "Result: LDAP module not found"
- Display --indent 2 --text "- LDAP module in PAM" --result "${STATUS_NOT_FOUND}" --color WHITE
+ LogText "Result: file ${FILE} not found, skipping test"
fi
+ done
+
+ if [ ${LDAP_PAM_ENABLED} -eq 1 ]; then
+ Display --indent 2 --text "- LDAP module in PAM" --result "${STATUS_FOUND}" --color GREEN
else
- LogText "Result: file /etc/pam.d/common-auth not found, skipping test"
+ Display --indent 2 --text "- LDAP module in PAM" --result "${STATUS_NOT_FOUND}" --color WHITE
fi
fi
#
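Review bot: The new summary check `if [ ${LDAP_PAM_ENABLED} -eq 1 ]` runs after the loop even when neither PAM file exists, so it depends on LDAP_PAM_ENABLED having been initialised to 0 before this test; the old code only read the variable on the branch that had just set it. If consts does not initialise it (not visible here), `[ -eq 1 ]` is a malformed test under sh and the result falls to NOT_FOUND by accident. Quoting with a default, `if [ "${LDAP_PAM_ENABLED:-0}" -eq 1 ]; then`, makes the check correct either way.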
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_filesystems new/lynis/include/tests_filesystems
--- old/lynis/include/tests_filesystems 2019-03-07 01:00:00.000000000 +0100
+++ new/lynis/include/tests_filesystems 2019-04-21 02:00:00.000000000 +0200
@@ -158,7 +158,27 @@
done
else
LogText "Result: no EXT file systems found"
- Report "file_systems_ext[]=none"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : FILE-6324
+ # Description : Checking Linux XFS file systems
+ Register --test-no FILE-6324 --os Linux --weight L --network NO --category security --description "Checking XFS file systems"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ LogText "Test: Checking for Linux XFS file systems"
+ FIND=$(${MOUNTBINARY} -t xfs | ${AWKBINARY} '{ print $3","$5 }')
+ if [ ! -z "${FIND}" ]; then
+ LogText "Result: found one or more XFS file systems"
+ for I in ${FIND}; do
+ FILESYSTEM=$(echo ${I} | ${CUTBINARY} -d ',' -f1)
+ FILETYPE=$(echo ${I} | ${CUTBINARY} -d ',' -f2)
+ LogText "File system: ${FILESYSTEM} (type: ${FILETYPE})"
+ Report "file_systems_xfs[]=${FILESYSTEM}|${FILETYPE}|"
+ done
+ else
+ LogText "Result: no XFS file systems found"
fi
fi
#
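Review bot: The new FILE-6324 loop splits the mount output on whitespace (`for I in ${FIND}`), so a mount point containing a space produces two broken entries and a wrong `file_systems_xfs[]` report line; the EXT test above uses the same pattern, so this may be an accepted limitation, but the new test inherits it. Because the mount command is already restricted with `-t xfs`, the fifth awk field is always `xfs` and the `FILETYPE` extraction could be dropped. The hunk also removes the `file_systems_ext[]=none` report line from the EXT test, a change in report output that the changelog does not mention.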
@@ -540,13 +560,13 @@
# ---------------------------------------------------------
FILESYSTEMS_TO_CHECK="/boot:nodev,noexec,nosuid /dev/shm:nosuid,nodev,noexec /home:nodev,nosuid /tmp:nodev,noexec,nosuid /var:nosuid /var/log:nodev,noexec,nosuid /var/log/audit:nodev,noexec,nosuid /var/tmp:nodev,noexec,nosuid"
- Register --test-no FILE-6374 --os Linux --weight L --network NO --category security --description "Checking /boot mount options"
+ Register --test-no FILE-6374 --os Linux --weight L --network NO --category security --description "Checking partitions mount options"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -f /etc/fstab ]; then
for I in ${FILESYSTEMS_TO_CHECK}; do
FILESYSTEM=$(echo ${I} | ${CUTBINARY} -d: -f1)
EXPECTED_FLAGS=$(echo ${I} | ${CUTBINARY} -d: -f2 | ${SEDBINARY} 's/,/ /g')
- FS_FSTAB=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($2==fs) { print $3 } }' /etc/fstab)
+ FS_FSTAB=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($2==fs) { print $3 } }' ${ROOTDIR}etc/fstab)
if [ "${FS_FSTAB}" = "glusterfs" ]; then
EXPECTED_FLAGS=$(echo ${EXPECTED_FLAGS} | ${SEDBINARY} 's/\<\(nodev\|nosuid\)\> *//g')
if [ -z "${EXPECTED_FLAGS}" ]; then
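Review bot: The awk calls now read `${ROOTDIR}etc/fstab`, but the enclosing guard on the context line still tests the host's `/etc/fstab`, so with a non-default ROOTDIR the test either skips although the target fstab exists or runs awk against a file that is not there. Change the guard to `if [ -f ${ROOTDIR}etc/fstab ]; then`; the hunk at `@@ -554,7 +574,7 @@` makes the same path change and is covered by this one fix. The FILE-6374 block continues past the end of this hunk.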
@@ -554,7 +574,7 @@
fi
fi
if [ ! -z "${FS_FSTAB}" ]; then
- FOUND_FLAGS=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($2==fs) { print $4 } }' /etc/fstab | ${SEDBINARY} 's/,/ /g' | ${TRBINARY} '\n' ' ')
+ FOUND_FLAGS=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($2==fs) { print $4 } }' ${ROOTDIR}etc/fstab | ${SEDBINARY} 's/,/ /g' | ${TRBINARY} '\n' ' ')
LogText "File system: ${FILESYSTEM}"
LogText "Expected flags: ${EXPECTED_FLAGS}"
LogText "Found flags: ${FOUND_FLAGS}"
@@ -562,7 +582,7 @@
FULLY_HARDENED=1
for FLAG in ${EXPECTED_FLAGS}; do
FLAG_AVAILABLE=$(echo ${FOUND_FLAGS} | ${GREPBINARY} ${FLAG})
- if [ "${FLAG_AVAILABLE}" = "" ]; then
+ if [ -z "${FLAG_AVAILABLE}" ]; then
LogText "Result: Could not find mount option ${FLAG} on file system ${FILESYSTEM}"
FULLY_HARDENED=0
else
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_insecure_services new/lynis/include/tests_insecure_services
--- old/lynis/include/tests_insecure_services 2019-03-07 01:00:00.000000000 +0100
+++ new/lynis/include/tests_insecure_services 2019-04-21 02:00:00.000000000 +0200
@@ -18,7 +18,7 @@
#
#################################################################################
#
-# Unsecure services
+# Insecure services
#
#################################################################################
#
@@ -28,32 +28,55 @@
#
INETD_ACTIVE=0
INETD_CONFIG_FILE="${ROOTDIR}etc/inetd.conf"
+ INETD_PACKAGE_INSTALLED=0
+ XINETD_ACTIVE=0
+ XINETD_CONFIG_FILE="${ROOTDIR}etc/xinetd.conf"
+ XINETD_CONFIG_DIR="${ROOTDIR}etc/xinetd.d"
+#
+#################################################################################
+#
+ # Test : INSE-8000
+ # Description : Check for installed inetd package
+ Register --test-no INSE-8000 --weight L --network NO --category security --description "Installed inetd package"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ # Check for installed inetd daemon
+ LogText "Test: Checking if inetd is installed"
+ if PackageIsInstalled "inetd"; then
+ INETD_PACKAGE_INSTALLED=1
+ LogText "Result: inetd is installed"
+ Display --indent 2 --text "- Installed inetd package" --result "${STATUS_FOUND}" --color YELLOW
+ #ReportSuggestion ${TEST_NO} "If there are no inetd services required, it is recommended that the daemon be removed"
+ else
+ LogText "Result: inetd is NOT installed"
+ Display --indent 2 --text "- Installed inetd package" --result "${STATUS_NOT_FOUND}" --color GREEN
+ fi
+ fi
#
#################################################################################
#
# Test : INSE-8002
# Description : Check for inetd status
- Register --test-no INSE-8002 --weight L --network NO --category security --description "Check for enabled inet daemon"
+ if [ ${INETD_PACKAGE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no INSE-8002 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for enabled inet daemon"
if [ ${SKIPTEST} -eq 0 ]; then
# Check running processes
LogText "Test: Searching for active inet daemon"
- IsRunning inetd
- if [ ${RUNNING} -eq 1 ]; then
+ if IsRunning "inetd"; then
LogText "Result: inetd is running"
- Display --indent 2 --text "- Checking inetd status" --result "ACTIVE" --color GREEN
+ Display --indent 4 --text "- inetd status" --result "ACTIVE" --color GREEN
INETD_ACTIVE=1
else
LogText "Result: inetd is NOT running"
- Display --indent 2 --text "- Checking inetd status" --result "NOT ACTIVE" --color GREEN
+ Display --indent 4 --text "- inetd status" --result "NOT ACTIVE" --color GREEN
fi
fi
#
#################################################################################
#
# Test : INSE-8004
- # Description : Check for inetd configuration file
+ # Description : Check for inetd configuration file (inetd)
if [ ${INETD_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no INSE-8004 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for enabled inet daemon"
+ Register --test-no INSE-8004 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Presence of inetd configuration file"
if [ ${SKIPTEST} -eq 0 ]; then
# Check configuration file
LogText "Test: Searching for file ${INETD_CONFIG_FILE}"
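Review bot: Gating INSE-8002 on `INETD_PACKAGE_INSTALLED` (the new `if [ ${INETD_PACKAGE_INSTALLED} -eq 1 ]; then PREQS_MET=...` line) skips the running-daemon check whenever the package is not literally named `inetd`; on Debian-derived systems the daemon ships as `openbsd-inetd` or `inetutils-inetd`, and a locally built inetd has no package at all, so an active inetd would go unreported, INSE-8004 would be skipped with it, and INSE-8006 would wrongly treat the daemon as stopped. Either extend the INSE-8000 lookup the way the rsh tests do, e.g. `for PACKAGE in inetd openbsd-inetd inetutils-inetd; do`, or leave INSE-8002 unconditional as it was and use the package result only for the display. The INSE-8004 block at the end of this hunk continues outside it.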
@@ -73,15 +96,15 @@
if [ ${INETD_ACTIVE} -eq 0 -a -f ${INETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no INSE-8006 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check configuration of inetd when disabled"
if [ ${SKIPTEST} -eq 0 ]; then
- # Check if any service is enabled in /etc/inetd.conf (inetd is not active, see test 8002)
- LogText "Test: check if all services are disabled if inetd is disabled"
+ # Check if any service is enabled in /etc/inetd.conf (inetd is not active, see test INSE-8002)
+ LogText "Test: check if all services are disabled when inetd is disabled"
FIND=$(${GREPBINARY} -v "^#" ${INETD_CONFIG_FILE} | ${GREPBINARY} -v "^$")
if [ -z "${FIND}" ]; then
LogText "Result: no services found in ${INETD_CONFIG_FILE}"
- Display --indent 4 --text "- Checking inetd.conf services" --result "${STATUS_OK}" --color GREEN
+ Display --indent 4 --text "- Checking enabled inetd services" --result "${STATUS_OK}" --color GREEN
else
LogText "Result: found services in inetd, even though inetd is not running"
- Display --indent 4 --text "- Checking inetd.conf services" --result "${STATUS_SUGGESTION}" --color YELLOW
+ Display --indent 4 --text "- Checking enabled inetd services" --result "${STATUS_SUGGESTION}" --color YELLOW
ReportSuggestion ${TEST_NO} "Although inetd is not running, make sure no services are enabled in ${INETD_CONFIG_FILE}, or remove inetd service"
fi
fi
@@ -95,7 +118,7 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: checking telnet presence in inetd configuration"
FIND=$(${GREPBINARY} "^telnet" ${INETD_CONFIG_FILE})
- if [ "${FIND}" = "" ]; then
+ if [ -z "${FIND}" ]; then
LogText "Result: telnet not enabled in ${INETD_CONFIG_FILE}"
Display --indent 2 --text "- Checking inetd (telnet)" --result "${STATUS_NOT_FOUND}" --color GREEN
AddHP 3 3
@@ -107,6 +130,289 @@
fi
fi
#
+#################################################################################
+#
+ # Test : INSE-8100
+ # Description : Check for installed xinetd daemon
+ Register --test-no INSE-8100 --weight L --network NO --category security --description "Check for installed xinetd daemon"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ # Check for installed xinetd daemon
+ LogText "Test: Checking for installed xinetd daemon"
+ if PackageIsInstalled "xinetd"; then
+ LogText "Result: xinetd is installed"
+ Display --indent 2 --text "- Installed xinetd package" --result "${STATUS_FOUND}" --color YELLOW
+ ReportSuggestion ${TEST_NO} "If there are no xinetd services required, it is recommended that the daemon be removed"
+ else
+ LogText "Result: xinetd is NOT installed"
+ Display --indent 2 --text "- Installed xinetd package" --result "${STATUS_OK}" --color GREEN
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : INSE-8102
+ # Description : Check for xinetd status
+ Register --test-no INSE-8102 --weight L --network NO --category security --description "Check for active xinet daemon"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ # Check running processes
+ LogText "Test: Searching for active extended internet services daemon (xinetd)"
+ if IsRunning "xinetd"; then
+ LogText "Result: xinetd is running"
+ Display --indent 4 --text "- xinetd status" --result "ACTIVE" --color GREEN
+ XINETD_ACTIVE=1
+ else
+ LogText "Result: xinetd is NOT running"
+ Display --indent 4 --text "- xinetd status" --result "NOT ACTIVE" --color GREEN
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : INSE-8104
+ # Description : Check for xinetd configuration file
+ if [ ${XINETD_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no INSE-8104 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for enabled xinet daemon"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ # Check configuration file
+ LogText "Test: Searching for file ${XINETD_CONFIG_FILE}"
+ if [ -f "${XINETD_CONFIG_FILE}" ]; then
+ LogText "Result: ${XINETD_CONFIG_FILE} exists"
+ Display --indent 6 --text "- Configuration file (xinetd.conf)" --result "${STATUS_FOUND}" --color WHITE
+ else
+ LogText "Result: ${XINETD_CONFIG_FILE} does not exist"
+ Display --indent 6 --text "- Configuration file (xinetd.conf)" --result "${STATUS_NOT_FOUND}" --color WHITE
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : INSE-8106
+ # Description : Check for xinetd configuration file contents if xinetd is NOT active
+ if [ ${XINETD_ACTIVE} -eq 0 -a -f ${XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no INSE-8106 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check configuration of xinetd when disabled"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ # Check if any service is enabled in /etc/xinetd.d (xinetd is not active, see test INSE-8102)
+ LogText "Test: check if all services are disabled if xinetd is disabled"
+ FIND=$(${GREPBINARY} -r "disable\s*=\s*no" ${XINETD_CONFIG_DIR})
+ if [ -z "${FIND}" ]; then
+ LogText "Result: no services found in ${XINETD_CONFIG_DIR}"
+ Display --indent 6 --text "- Enabled xinetd.d services" --result "${STATUS_NOT_FOUND}" --color GREEN
+ else
+ LogText "Result: found services in ${XINETD_CONFIG_DIR}, even though xinetd is not running"
+ Display --indent 6 --text "- Enabled xinetd.d services" --result "${STATUS_FOUND}" --color YELLOW
+ ReportSuggestion ${TEST_NO} "Although xinetd is not running, make sure no services are enabled in ${XINETD_CONFIG_DIR}, or remove xinetd service"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : INSE-8116
+ # Description : Check for insecure services enabled via xinetd
+ if [ ${XINETD_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no INSE-8116 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Insecure services enabled via xinetd"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ XINETD_INSECURE_SERVICE_FOUND=0
+
+ ITEMS="chargen chargen-dgram chargen-stream daytime daytime-dgram daytime-stream discard discard-dgram discard-stream echo echo-dgram echo-stream time time-dgram time-stream ntalk rexec rlogin rsh talk telnet tftp"
+
+ for SERVICE in ${ITEMS}; do
+ LogText "Test: checking service ${SERVICE}"
+ if ! SkipAtomicTest "${TEST_NO}:${SERVICE}"; then
+ FILE="${XINETD_CONFIG_DIR}/${SERVICE}"
+ if [ -f "${FILE}" ]; then
+ LogText "Test: checking status in xinetd configuration file (${FILE})"
+ FIND=$(${GREPBINARY} "disable\s*=\s*no" ${FILE})
+ if [ ! -z "${FIND}" ]; then
+ LogText "Result: found insecure service enabled: ${SERVICE}"
+ XINETD_INSECURE_SERVICE_FOUND=1
+ ReportSuggestion "${TEST_NO}" "Disable or remove any insecure services in the xinetd configuration" "${SERVICE}" "text:See log file for more details"
+ Report "insecure_service[]=${SERVICE}"
+ fi
+ fi
+ else
+ LogText "Result: skipped, as this item is excluded using the profile"
+ fi
+ done
+
+ if [ ${XINETD_INSECURE_SERVICE_FOUND} -eq 0 ]; then
+ LogText "Result: no insecure services found in xinetd configuration"
+ Display --indent 6 --text "- Checking xinetd (insecure services)" --result "${STATUS_OK}" --color GREEN
+ AddHP 3 3
+ else
+ LogText "Result: one ore more insecure services discovered in xinetd configuration"
+ Display --indent 6 --text "- Checking xinetd (insecure services)" --result "${STATUS_WARNING}" --color RED
+ AddHP 0 3
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : INSE-8150
+ # Description : Check for rsync enabled via xinetd
+ #RSYNC_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/rsync"
+ #if [ ${XINETD_ACTIVE} -eq 1 -a -f ${RSYNC_XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ #Register --test-no INSE-8150 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for rsync via xinetd"
+ #if [ ${SKIPTEST} -eq 0 ]; then
+ # LogText "Test: checking rsync presence in xinetd configuration"
+ # FIND=$(${GREPBINARY} "disable\s*=\s*no" ${RSYNC_XINETD_CONFIG_FILE})
+ # if [ "${FIND}" = "" ]; then
+ # LogText "Result: rsync not enabled in ${RSYNC_XINETD_CONFIG_FILE}"
+ # Display --indent 6 --text "- Checking xinetd (rsync)" --result "${STATUS_DISABLED}" --color GREEN
+ # else
+ # LogText "Result: rsync enabled in ${RSYNC_XINETD_CONFIG_FILE}"
+ # Display --indent 6 --text "- Checking xinetd (rsync)" --result "${STATUS_ENABLED}" --color RED
+ # ReportSuggestion "${TEST_NO}" "Disable rsync in xinetd configuration"
+ # fi
+ #fi
+#
+#################################################################################
+#
+ # Test : INSE-8200
+ # Description : Check if tcp_wrappers is installed when inetd/xinetd is active
+ if [ ${INETD_ACTIVE} -eq 1 -o ${XINETD_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no INSE-8200 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check if tcp_wrappers is installed when inetd/xinetd is active"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ LogText "Test: Checking if tcp_wrappers is installed"
+ FOUND=0
+ PACKAGES="tcp_wrappers tcpd"
+ for PACKAGE in ${PACKAGES}; do
+ if PackageIsInstalled "${PACKAGE}"; then LogText "Package '${PACKAGE}' is installed"; FOUND=1; fi
+ done
+ if [ ${FOUND} -eq 1 ]; then
+ LogText "Result: tcp_wrappers is installed"
+ Display --indent 2 --text "- Checking tcp_wrappers installation" --result "${STATUS_OK}" --color GREEN
+ else
+ LogText "Result: tcp_wrappers is NOT installed"
+ Display --indent 2 --text "- Checking tcp_wrappers installation" --result "${STATUS_SUGGESTION}" --color YELLOW
+ #ReportSuggestion ${TEST_NO} "When network services are using the inetd/xinetd service, the tcp_wrappers package should be installed"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : INSE-8300
+ # Description : Check if rsh client is installed
+ Register --test-no INSE-8300 --weight L --network NO --category security --description "Check if rsh client is installed"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ LogText "Test: Checking if rsh client is installed"
+ FOUND=0
+ PACKAGES="rsh rsh-client rsh-redone-client"
+ for PACKAGE in ${PACKAGES}; do
+ if PackageIsInstalled "${PACKAGE}"; then LogText "Package '${PACKAGE}' is installed"; FOUND=1; fi
+ done
+ if [ ${FOUND} -eq 1 ]; then
+ LogText "Result: rsh client is installed"
+ Display --indent 2 --text "- Installed rsh client package" --result "${STATUS_SUGGESTION}" --color YELLOW
+ ReportSuggestion ${TEST_NO} "Remove rsh client when it is not in use or replace with the more secure SSH package"
+ else
+ LogText "Result: rsh client is NOT installed"
+ Display --indent 2 --text "- Installed rsh client package" --result "${STATUS_OK}" --color GREEN
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : INSE-8302
+ # Description : Check presence of rsh Trust Files
+ #Register --test-no INSE-8302 --weight L --network NO --category security --description "Check presence of rsh Trust Files"
+ #if [ ${SKIPTEST} -eq 0 ]; then
+ # # Check presence of Rsh Trust Files
+ # FOUND=0
+ # for LINE in $(${CAT_BINARY} /etc/passwd | ${EGREPBINARY} -v '^(root|halt|sync|shutdown)' | ${AWKBINARY} -F: '($7 !="/sbin/nologin" && $7 != "/bin/false") { print }'); do
+ # USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1)
+ # DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6)
+ # if [ -d ${DIR} ]; then
+ # for RHOSTS in ${DIR}/.rhosts; do
+ # if [ ! -h ${RHOSTS} -a -f ${RHOSTS} ]; then
+ # LogText "FOUND .rhosts file in home directory ${DIR} of ${USER}"
+ # FOUND=1
+ # fi
+ # done
+ # fi
+ # done
+ # if [ -f /etc/hosts.equiv ];then
+ # LogText "FOUND /etc/hosts.equiv"
+ # FOUND=1
+ # fi
+ # if [ ${FOUND} -eq 1 ]; then
+ # LogText "Result: found one or more Rsh Trust Files"
+ # Display --indent 4 --text "- Checking presence of Rsh Trust Files" --result "${STATUS_SUGGESTION}" --color YELLOW
+ # ReportSuggestion ${TEST_NO} "Remove every Rsh Trust Files as they can allow unauthenticated access to a system"
+ # else
+ # LogText "Result: no Rsh Trust Files found"
+ # Display --indent 4 --text "- Checking presence of Rsh Trust Files" --result "${STATUS_OK}" --color GREEN
+ # fi
+ #fi
+#
+#################################################################################
+#
+ # Test : INSE-8304
+ # Description : Check if rsh server is installed
+ Register --test-no INSE-8342 --weight L --network NO --category security --description "Check if rsh server is installed"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ # Check if rsh server is installed
+ LogText "Test: Checking if rsh server is installed"
+ FOUND=0
+ PACKAGES="rsh-server rsh-redone-server"
+ for PACKAGE in ${PACKAGES}; do
+ if PackageIsInstalled "${PACKAGE}"; then LogText "Package '${PACKAGE}' is installed"; FOUND=1; fi
+ done
+ if [ ${FOUND} -eq 1 ]; then
+ LogText "Result: rsh server is installed"
+ Display --indent 2 --text "- Installed rsh server package" --result "${STATUS_SUGGESTION}" --color YELLOW
+ ReportSuggestion ${TEST_NO} "Remove the rsh-server package and replace with a more secure alternative like SSH"
+ Report "insecure_service[]=rsh-server"
+ else
+ LogText "Result: rsh server is NOT installed"
+ Display --indent 2 --text "- Installed rsh server package" --result "${STATUS_OK}" --color GREEN
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : INSE-8310
+ # Description : Check if telnet client is installed
+ Register --test-no INSE-8310 --weight L --network NO --category security --description "Check if telnet client is installed"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ # Check if telnet client is installed
+ LogText "Test: Checking if telnet client is installed"
+ if PackageIsInstalled "${PACKAGE}"; then LogText "Package '${PACKAGE}' is installed"; FOUND=1; fi
+
+ if [ ${FOUND} -eq 1 ]; then
+ LogText "Result: telnet client is installed"
+ Display --indent 2 --text "- Installed telnet client package" --result "${STATUS_FOUND}" --color YELLOW
+ # Telnet client usage might be used for troubleshooting instead of system administration
+ #ReportSuggestion ${TEST_NO} "telnet client contain numerous security exposures and have been replaced with the more secure SSH package"
+ else
+ LogText "Result: telnet client is NOT installed"
+ Display --indent 2 --text "- Installed telnet client package" --result "${STATUS_OK}" --color GREEN
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : INSE-8312
+ # Description : Check if telnet server is installed
+ Register --test-no INSE-8322 --weight L --network NO --category security --description "Check if telnet server is installed"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ # Check if TFTP server is installed
+ LogText "Test: Checking if telnet server is installed"
+ FOUND=0
+ PACKAGES="telnetd telnet-server"
+ for PACKAGE in ${PACKAGES}; do
+ if PackageIsInstalled "${PACKAGE}"; then LogText "Package '${PACKAGE}' is installed"; FOUND=1; fi
+ done
+ if [ ${FOUND} -eq 1 ]; then
+ LogText "Result: telnet server is installed"
+ Display --indent 2 --text "- Installed telnet server package" --result "${STATUS_FOUND}" --color YELLOW
+ ReportSuggestion ${TEST_NO} "Removing the ${FOUND} package and replace with SSH when possible"
+ Report "insecure_service[]=telnet-server"
+ else
+ LogText "Result: telnet server is NOT installed"
+ Display --indent 2 --text "- Installed telnet server package" --result "${STATUS_NOT_FOUND}" --color GREEN
+ fi
+ fi
+#
#################################################################################
#
if [ ! -z "${LAUNCHCTL_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="No launchctl binary on this system"; fi
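Review bot: INSE-8310 (telnet client) never resets `FOUND` and defines no `PACKAGES` list, so its single `PackageIsInstalled "${PACKAGE}"` call reuses whatever `${PACKAGE}` and `${FOUND}` the preceding rsh-server loop left behind, and the telnet-client result is simply a copy of the rsh-server result; the block-local pattern used by INSE-8300 and the rsh-server test should be applied here (fence). The rsh-server and telnet-server tests are registered as `INSE-8342` and `INSE-8322` while their block headers say INSE-8304 and INSE-8312, so `${TEST_NO}` in their suggestions will not match the documented IDs; pick one set and use it in both places. The telnet-server suggestion interpolates the counter, `Removing the ${FOUND} package`, where the package name (or fixed text such as `the telnet server package`) was intended, and the "TFTP server" comment above it is a copy-paste leftover. Separately, the `disable\s*=\s*no` patterns in INSE-8106 and INSE-8116 rely on the GNU-specific `\s` class; `disable[[:space:]]*=[[:space:]]*no` behaves the same on the BSD greps Lynis also runs with.
```shell
    # Test : INSE-8310
    # Description : Check if telnet client is installed
    # … unchanged: Register / SKIPTEST check …
        LogText "Test: Checking if telnet client is installed"
        FOUND=0
        PACKAGES="telnet"
        for PACKAGE in ${PACKAGES}; do
            if PackageIsInstalled "${PACKAGE}"; then LogText "Package '${PACKAGE}' is installed"; FOUND=1; fi
        done
    # … unchanged: result display …
```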
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_kernel new/lynis/include/tests_kernel
--- old/lynis/include/tests_kernel 2019-03-07 01:00:00.000000000 +0100
+++ new/lynis/include/tests_kernel 2019-04-21 02:00:00.000000000 +0200
@@ -473,7 +473,7 @@
AddHP 0 1
else
LogText "Result: found default option, some programs can dump (not processes which need to change credentials)"
- Display --indent 4 --text "- Checking setuid core dumps configuration" --result DEFAULT --color YELLOW
+ Display --indent 4 --text "- Checking setuid core dumps configuration" --result DEFAULT --color WHITE
AddHP 1 1
fi
else
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_logging new/lynis/include/tests_logging
--- old/lynis/include/tests_logging 2019-03-07 01:00:00.000000000 +0100
+++ new/lynis/include/tests_logging 2019-04-21 02:00:00.000000000 +0200
@@ -363,7 +363,7 @@
# Search for configured destinations with an IP address or hostname, then determine which ones are used as a log destination
DESTINATIONS=$(${GREPBINARY} "^destination" ${SYSLOGD_CONF} | ${EGREPBINARY} "(udp|tcp)" | ${GREPBINARY} "port" | ${AWKBINARY} '{print $2}')
for DESTINATION in ${DESTINATIONS}; do
- FIND2=$(${GREPBINARY} "log" | ${GREPBINARY} "source" | ${EGREPBINARY} "destination\(${DESTINATION}\)")
+ FIND2=$(${GREPBINARY} "log" ${SYSLOGD_CONF} | ${GREPBINARY} "source" | ${EGREPBINARY} "destination\(${DESTINATION}\)")
if [ ! -z "${FIND2}" = "" ]; then
LogText "Result: found destination ${DESTINATION} configured for remote logging"
REMOTE_LOGGING_ENABLED=1
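Review bot: The condition right after the corrected grep, `if [ ! -z "${FIND2}" = "" ]`, mixes the unary `-z` with a binary `=`; in bash this is a test syntax error ("too many arguments") and other shells reject or misparse it likewise, so the test returns non-zero and `REMOTE_LOGGING_ENABLED=1` is still never reached for syslog-ng even now that FIND2 is populated from `${SYSLOGD_CONF}`. It should read `if [ ! -z "${FIND2}" ]; then` (or `-n`). The surrounding for-loop starts and ends outside the hunk.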
@@ -465,13 +465,11 @@
FIND=$(${LSOFBINARY} -n 2>&1 | ${GREPBINARY} "log$" | ${EGREPBINARY} -v "WARNING|Output information" | ${AWKBINARY} '{ if ($5=="REG") { print $9 } }' | ${SORTBINARY} -u | ${GREPBINARY} -v "^$")
for I in ${FIND}; do
LogText "Found logfile: ${I}"
- Report "open_logfile[]=${I}"
done
Display --indent 2 --text "- Checking open log files" --result "${STATUS_DONE}" --color GREEN
else
LogText "Result: lsof not installed, skipping test"
- Display --indent 2 --text "- Checking open log files" --result "${STATUS_SKIPPED}" --color YELLOW
- # Add suggestion
+ Display --indent 2 --text "- Checking open log files" --result "${STATUS_SKIPPED}" --color WHITE
fi
fi
#
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_networking new/lynis/include/tests_networking
--- old/lynis/include/tests_networking 2019-03-07 01:00:00.000000000 +0100
+++ new/lynis/include/tests_networking 2019-04-21 02:00:00.000000000 +0200
@@ -507,35 +507,54 @@
#
# Test : NETW-3015
# Description : Checking promiscuous interfaces (Linux)
- # Note : Need ifconfig binary at this moment (does not work on Arch Linux)
- if [ ! "${IFCONFIGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no NETW-3015 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking promiscuous interfaces (Linux)"
+ Register --test-no NETW-3015 --os Linux --weight L --network NO --category security --description "Checking promiscuous interfaces (Linux)"
if [ ${SKIPTEST} -eq 0 ]; then
- LogText "Test: Checking promiscuous interfaces (Linux)"
- NETWORK=$(${IFCONFIGBINARY} 2> /dev/null | ${GREPBINARY} Link | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f1)
- if [ ! "${NETWORK}" = "" ]; then
+ FOUNDPROMISC=99
+ NETWORK=""
+ USE_IP_INSTEAD_IFCONFIG=0
+
+ if [ ! -z "${IPBINARY}" ]; then
+ LogText "Test: Using ip binary to retrieve network interfaces"
+ NETWORK=$(${IPBINARY} -o link 2> /dev/null | ${GREPBINARY} "^[0-9]" | ${AWKBINARY} '{print $2 }' | ${TRBINARY} -d ':')
+ USE_IP_INSTEAD_IFCONFIG=1
+ elif [ ! -z "${IFCONFIGBINARY}" ]; then
+ LogText "Test: Using ifconfig binary to retrieve network interfaces"
+ NETWORK=$(${IFCONFIGBINARY} 2> /dev/null | ${GREPBINARY} Link | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f1)
+ fi
+
+ LogText "Test: Checking all interfaces to discover any with promiscuous mode enabled"
+ if [ ! -z "${NETWORK}" ]; then
+ FOUNDPROMISC=0
for I in ${NETWORK}; do
- FIND=$(${IFCONFIGBINARY} ${I} 2> /dev/null | ${GREPBINARY} PROMISC)
- if [ ! "${FIND}" = "" ]; then
+ if [ ${USE_IP_INSTEAD_IFCONFIG} -eq 1 ]; then
+ FIND=$(${IPBINARY} -o -d link show ${I} 2> /dev/null | ${GREPBINARY} 'promiscuity 1')
+ else
+ FIND=$(${IFCONFIGBINARY} ${I} 2> /dev/null | ${GREPBINARY} PROMISC)
+ fi
+ if [ ! -z "${FIND}" ]; then
LogText "Result: Promiscuous interface: ${I}"
ISWHITELISTED=$(${GREPBINARY} "^if_promisc:${I}:" ${PROFILE})
- if [ "${ISWHITELISTED}" = "" ]; then
+ if [ -z "${ISWHITELISTED}" ]; then
FOUNDPROMISC=1
- ReportWarning ${TEST_NO} "Found promiscuous interface (${I})"
+ ReportWarning ${TEST_NO} "Found promiscuous interface" "${I}" "text:Determine if this mode is required or whitelist interface in profile"
LogText "Note: some tools put an interface into promiscuous mode, to capture/log network traffic"
else
LogText "Result: Found promiscuous interface ${I} (*whitelisted via profile*)"
fi
fi
done
+ else
+ LogText "Result: no network interfaces discovered, so nothing tested"
fi
# Show result
if [ ${FOUNDPROMISC} -eq 0 ]; then
Display --indent 2 --text "- Checking promiscuous interfaces" --result "${STATUS_OK}" --color GREEN
LogText "Result: No promiscuous interfaces found"
- else
+ elif [ ${FOUNDPROMISC} -eq 1 ]; then
Display --indent 2 --text "- Checking promiscuous interfaces" --result "${STATUS_WARNING}" --color RED
+ else
+ Display --indent 2 --text "- Checking promiscuous interfaces" --result "${STATUS_UNKNOWN}" --color YELLOW
fi
fi
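Review bot: The new `ip` path matches only `promiscuity 1`, but `ip -d link` prints promiscuity as a count of promiscuous-mode holders, so an interface put into promiscuous mode by two programs at once (`promiscuity 2`) is reported as clean while the ifconfig path would have flagged it. Matching any non-zero count closes that gap: `FIND=$(${IPBINARY} -o -d link show ${I} 2> /dev/null | ${GREPBINARY} -E 'promiscuity [1-9]')`. A short comment above the FOUNDPROMISC=99 initialisation, such as `# 99 = no interfaces could be enumerated (result unknown)`, would explain the sentinel used by the new `else` branch at the bottom.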
#
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_ports_packages new/lynis/include/tests_ports_packages
--- old/lynis/include/tests_ports_packages 2019-03-07 01:00:00.000000000 +0100
+++ new/lynis/include/tests_ports_packages 2019-04-21 02:00:00.000000000 +0200
@@ -344,7 +344,7 @@
COUNT=0
PACKAGE_AUDIT_TOOL_FOUND=1
PACKAGE_AUDIT_TOOL="zypper"
- FIND=$(${ZYPPERBINARY} -n se -t package -i | ${AWKBINARY} '{ if ($1=="i") { print $3 } }')
+ FIND=$(${ZYPPERBINARY} --non-interactive -n se -t package -i | ${AWKBINARY} '{ if ($1=="i") { print $3 } }')
if [ ! -z "${FIND}" ]; then
for PKG in ${FIND}; do
COUNT=$((COUNT + 1))
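Review bot: `--non-interactive -n` passes the same zypper option twice, since `-n` is the short form of `--non-interactive`, whereas the two later hunks in this file replace `-n` rather than add to it. Dropping the short flag here, `FIND=$(${ZYPPERBINARY} --non-interactive se -t package -i | ${AWKBINARY} '{ if ($1=="i") { print $3 } }')`, keeps the three invocations consistent. The enclosing if-block starts outside the hunk.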
@@ -365,7 +365,7 @@
if [ ! -z "${ZYPPERBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7330 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying Zypper for vulnerable packages"
if [ ${SKIPTEST} -eq 0 ]; then
- FIND=$(${ZYPPERBINARY} -n pchk | ${GREPBINARY} "(0 security patches)")
+ FIND=$(${ZYPPERBINARY} --non-interactive pchk | ${GREPBINARY} "(0 security patches)")
if [ ! -z "${FIND}" ]; then
LogText "Result: No security updates found with Zypper"
Display --indent 2 --text "- Using Zypper to find vulnerable packages" --result "${STATUS_NONE}" --color GREEN
@@ -374,7 +374,7 @@
LogText "Result: Zypper found one or more installed packages which are vulnerable."
ReportWarning ${TEST_NO} "Found one or more vulnerable packages installed"
# Unfortunately zypper does not properly give back which package it is. Usually best guess is last word on the line
- FIND=$(${ZYPPERBINARY} -n lp | ${AWKBINARY} '{ if ($5=="security" || $7=="security") { print $NF }}' | ${SEDBINARY} 's/:$//' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u)
+ FIND=$(${ZYPPERBINARY} --non-interactive lp | ${AWKBINARY} '{ if ($5=="security" || $7=="security") { print $NF }}' | ${SEDBINARY} 's/:$//' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u)
LogText "List of vulnerable packages/version:"
for PKG in ${FIND}; do
VULNERABLE_PACKAGES_FOUND=1
@@ -930,7 +930,6 @@
AddHP 1 2
done
ReportWarning ${TEST_NO} "Found one or more vulnerable packages."
- ReportSuggestion ${TEST_NO} "Use 'yum --security update' to update your system"
fi
else
LogText "Result: yum-security package not found"
@@ -1055,7 +1054,8 @@
#
# Test : PKGS-7392
# Description : Check Debian/Ubuntu vulnerable packages
- if [ -x ${ROOTDIR}usr/bin/apt-get ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ # Note : Skip for zypper-based systems
+ if [ -x ${ROOTDIR}usr/bin/apt-get -a -z "${ZYPPERBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no PKGS-7392 --os Linux --preqs-met ${PREQS_MET} --root-only YES --weight L --network YES --category security --description "Check for Debian/Ubuntu security updates"
if [ ${SKIPTEST} -eq 0 ]; then
VULNERABLE_PACKAGES_FOUND=0
@@ -1247,8 +1247,20 @@
Register --test-no PKGS-7410 --weight L --network NO --category security --description "Count installed kernel packages"
if [ ${SKIPTEST} -eq 0 ]; then
KERNELS=0
- if [ ! -z "${RPMBINARY}" ]; then
- LogText "Test: Checking how many kernel packages are installed"
+ LogText "Test: Checking how many kernel packages are installed"
+
+ if [ ! -z "${DPKGBINARY}" ]; then
+ KERNELS=$(${DPKGBINARY} -l 2> /dev/null | ${GREPBINARY} "linux-image-[0-9]" | ${WCBINARY} -l)
+ if [ ${KERNELS} -eq 0 ]; then
+ LogText "Result: found no kernels from dpkg -l output, which is unexpected"
+ ReportException "KRNL-5840:2" "Could not find any kernel packages from DPKG output"
+ elif [ ${KERNELS} -gt 5 ]; then
+ LogText "Result: found more than 5 kernel packages on the system, which might indicate lack of regular cleanups"
+ ReportSuggestion "${TEST_NO}" "Remove any unneeded kernel packages" "${KERNELS} kernels" "text:validate dpkg -l output and perform cleanup with apt autoremove"
+ else
+ LogText "Result: found ${KERNELS} kernel packages on the system, which is fine"
+ fi
+ elif [ ! -z "${RPMBINARY}" ]; then
KERNELS=$(${RPMBINARY} -q kernel 2> /dev/null | ${WCBINARY} -l)
if [ ${KERNELS} -eq 0 ]; then
LogText "Result: found no kernels from rpm -q kernel output, which is unexpected"
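Review bot: The new dpkg branch counts every `dpkg -l` row matching `linux-image-[0-9]`, and that listing also includes packages in the removed-but-not-purged state (`rc`), so a host that removes old kernels without purging will keep being told it has too many kernels. Restricting the count to installed rows fixes it: `KERNELS=$(${DPKGBINARY} -l 2> /dev/null | ${GREPBINARY} "^ii" | ${GREPBINARY} "linux-image-[0-9]" | ${WCBINARY} -l)`. The exception is filed as `KRNL-5840:2` although this test registers as PKGS-7410; if that cross-reference is intentional a one-line comment saying so would prevent it being "fixed" later. The rpm branch continues outside the hunk.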
@@ -1256,16 +1268,78 @@
elif [ ${KERNELS} -gt 5 ]; then
LogText "Result: found more than 5 kernel packages on the system, which might indicate lack of regular cleanups"
ReportSuggestion "${TEST_NO}" "Remove any unneeded kernel packages with package-cleanup utility (--old-kernels)"
- AddHP 4 5
else
- LogText "Result: found ${KERNELS} on the system, which is fine"
- AddHP 1 1
+ LogText "Result: found ${KERNELS} kernel packages on the system, which is fine"
fi
fi
+
+ Report "installed_kernel_packages=${KERNELS}"
fi
#
#################################################################################
#
+ # Test : PKGS-7420
+ # Description : Detect toolkit to automatically download and apply upgrades
+ Register --test-no PKGS-7420 --weight L --network NO --category security --description "Detect toolkit to automatically download and apply upgrades"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ UNATTENDED_UPGRADES_TOOLKIT=0
+ UNATTENDED_UPGRADES_TOOL=""
+ UNATTENDED_UPGRADES_OPTION_AVAILABLE=0
+
+ case "${OS}" in
+ "Linux")
+ case "${LINUX_VERSION}" in
+ "CentOS" | "Debian" | "Fedora" | "RHEL" | "Ubuntu")
+
+ UNATTENDED_UPGRADES_OPTION_AVAILABLE=1
+ # Test available tools for Linux
+ if [ -f "${ROOTDIR}bin/auter" ]; then
+ UNATTENDED_UPGRADES_TOOL="auter"
+ UNATTENDED_UPGRADES_TOOLKIT=1
+ LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}"
+ Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}"
+ fi
+ if [ -f "${ROOTDIR}sbin/yum-cron" ]; then
+ UNATTENDED_UPGRADES_TOOL="yum-cron"
+ UNATTENDED_UPGRADES_TOOLKIT=1
+ LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}"
+ Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}"
+ fi
+ if [ -f "${ROOTDIR}usr/bin/dnf-automatic" ]; then
+ UNATTENDED_UPGRADES_TOOL="dnf-automatic"
+ UNATTENDED_UPGRADES_TOOLKIT=1
+ LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}"
+ Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}"
+ fi
+ if [ -f "${ROOTDIR}usr/bin/unattended-upgrade" ]; then
+ UNATTENDED_UPGRADES_TOOL="unattended-upgrade"
+ UNATTENDED_UPGRADES_TOOLKIT=1
+ LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}"
+ Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}"
+ fi
+ ;;
+ esac
+ ;;
+ esac
+
+ if [ ${UNATTENDED_UPGRADES_OPTION_AVAILABLE} -eq 1 ]; then
+ if [ ${UNATTENDED_UPGRADES_TOOLKIT} -eq 1 ]; then
+ AddHP 5 5
+ Display --indent 2 --text "- Toolkit for automatic upgrades (${UNATTENDED_UPGRADES_TOOL})" --result "${STATUS_FOUND}" --color GREEN
+ else
+ AddHP 1 5
+ Display --indent 2 --text "- Toolkit for automatic upgrades" --result "${STATUS_NOTFOUND}" --color YELLOW
+ LogText "Result: no toolkit for automatic updates discovered"
+ ReportSuggestion "${TEST_NO}" "Consider using a tool to automatically apply upgrades"
+ fi
+ fi
+
+ Report "unattended_upgrade_option_available=${UNATTENDED_UPGRADES_OPTION_AVAILABLE}"
+ fi
+#
+#################################################################################
+#
+
if [ ! -z "${INSTALLED_PACKAGES}" ]; then Report "installed_packages_array=${INSTALLED_PACKAGES}"; fi
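Review bot: The not-found branch of PKGS-7420 displays `${STATUS_NOTFOUND}`, while every other test in this change uses `${STATUS_NOT_FOUND}`; unless a variable with that exact spelling exists, the result column is empty precisely for the systems that lack an upgrade tool. The four identical detection blocks can also be collapsed into one loop over the candidate paths (fence), which keeps the per-tool logging and `Report` lines in a single place. As written, when more than one tool is present only the last one found appears in the Display text, so the loop below accumulates the names instead of overwriting them.
```shell
                    UNATTENDED_UPGRADES_OPTION_AVAILABLE=1
                    # Test available tools for Linux (paths are relative to ROOTDIR)
                    for TOOL_PATH in bin/auter sbin/yum-cron usr/bin/dnf-automatic usr/bin/unattended-upgrade; do
                        if [ -f "${ROOTDIR}${TOOL_PATH}" ]; then
                            TOOL="${TOOL_PATH##*/}"
                            UNATTENDED_UPGRADES_TOOL="${UNATTENDED_UPGRADES_TOOL:+${UNATTENDED_UPGRADES_TOOL} }${TOOL}"
                            UNATTENDED_UPGRADES_TOOLKIT=1
                            LogText "Result: found ${TOOL}"
                            Report "unattended_upgrade_tool[]=${TOOL}"
                        fi
                    done
# … unchanged: esac / result display / final Report …
```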
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_scheduling new/lynis/include/tests_scheduling
--- old/lynis/include/tests_scheduling 2019-03-07 01:00:00.000000000 +0100
+++ new/lynis/include/tests_scheduling 2019-04-21 02:00:00.000000000 +0200
@@ -61,6 +61,7 @@
CRONTAB_FILE="${ROOTDIR}etc/crontab"
if [ -f ${CRONTAB_FILE} ]; then
+ ${EGREPBINARY} -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:/etc/crontab"
if IsWorldWritable ${CRONTAB_FILE}; then LogText "Result: insecure file permissions for cronjob file ${CRONTAB_FILE}"; Report "insecure_fileperms_cronjob[]=${CRONTAB_FILE}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi
if ! IsOwnedByRoot ${CRONTAB_FILE}; then LogText "Result: incorrect owner found for cronjob file ${CRONTAB_FILE}"; Report "bad_fileowner_cronjob[]=${CRONTAB_FILE}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi
FindCronJob ${CRONTAB_FILE}
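Review bot: The value assigned on the new line hardcodes `file:/etc/crontab`, while the file actually searched is `${CRONTAB_FILE}`, which is built from `${ROOTDIR}etc/crontab` on the line above the hunk; when ROOTDIR is not `/`, the logged location will not be the file that was inspected. Using the variable keeps the two in step: `${EGREPBINARY} -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:${CRONTAB_FILE}"`. The enclosing `if` block continues past the end of the hunk.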
@@ -85,6 +86,8 @@
for FILE in ${FIND}; do
if IsWorldWritable ${FILE}; then LogText "Result: insecure file permissions for cronjob file ${J}"; Report "insecure_fileperms_cronjob[]=${J}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi
if ! IsOwnedByRoot ${FILE}; then LogText "Result: incorrect owner found for cronjob file ${J}"; Report "bad_fileowner_cronjob[]=${J}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi
+ FILENAME=$(echo ${FILE} | ${AWKBINARY} -F/ '{print $NF}')
+ if [ "${FILENAME}" = "lynis" ]; then ${EGREPBINARY} -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:${FILE}"; fi
FindCronJob ${FILE}
if HasData "${sCRONJOBS}"; then
for K in ${sCRONJOBS}; do
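Review bot: The added detection greps `${CRONTAB_FILE}` instead of the file it just identified, so when a cron file named `lynis` is found, the match is looked for in /etc/crontab rather than in `${FILE}`, and LYNIS_CRONJOB is then set to a path that was never searched; the same line appears again in the next hunk of this file. The intended line is presumably `if [ "${FILENAME}" = "lynis" ]; then ${EGREPBINARY} -q -s 'lynis audit system' ${FILE} && LYNIS_CRONJOB="file:${FILE}"; fi`. The basename can also be taken without a fork, `FILENAME=${FILE##*/}`, which is POSIX sh. Separately, the two context lines before the addition log and report `${J}` although the loop variable is `${FILE}`, so those messages carry a stale value; the loop's closing lines are outside the hunk.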
@@ -115,11 +118,13 @@
LogText "Result: no files found in ${I}"
else
LogText "Result: found one or more files in ${I}. Analyzing files.."
- for J in ${FIND}; do
- if IsWorldWritable ${J}; then LogText "Result: insecure file permissions for cronjob file ${J}"; Report "insecure_fileperms_cronjob[]=${J}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi
- if ! IsOwnedByRoot ${J}; then LogText "Result: incorrect owner found for cronjob file ${J}"; Report "bad_fileowner_cronjob[]=${J}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi
- LogText "Result: Found cronjob (${I}): ${J}"
- Report "cronjob[]=${J}"
+ for FILE in ${FIND}; do
+ if IsWorldWritable ${FILE}; then LogText "Result: insecure file permissions for cronjob file ${FILE}"; Report "insecure_fileperms_cronjob[]=${FILE}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi
+ if ! IsOwnedByRoot ${FILE}; then LogText "Result: incorrect owner found for cronjob file ${FILE}"; Report "bad_fileowner_cronjob[]=${FILE}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi
+ FILENAME=$(echo ${FILE} | ${AWKBINARY} -F/ '{print $NF}')
+ if [ "${FILENAME}" = "lynis" ]; then ${EGREPBINARY} -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:${FILE}"; fi
+ LogText "Result: Found cronjob (${I}): ${FILE}"
+ Report "cronjob[]=${FILE}"
done
LogText "Result: done with analyzing files in ${I}"
fi
@@ -137,21 +142,23 @@
FIND=$(${FINDBINARY} /var/spool/cron/crontabs -xdev -type f -print 2> /dev/null)
for I in ${FIND}; do
if FileIsReadable ${I}; then
+ ${EGREPBINARY} -q -s 'lynis audit system' ${I} && LYNIS_CRONJOB="file:${I}"
FindCronJob ${I}
- for J in ${sCRONJOBS}; do
- LogText "Found cronjob (/var/spool/cron/crontabs): ${I} (${J})"
+ for FILE in ${sCRONJOBS}; do
+ LogText "Found cronjob (/var/spool/cron/crontabs): ${I} (${FILE})"
Report "cronjob[]=${I}"
done
fi
done
else
- if [ -d /var/spool/cron ]; then
- FIND=$(find /var/spool/cron -type f -print)
+ if [ -d ${ROOTDIR}var/spool/cron ]; then
+ FIND=$(find ${ROOTDIR}var/spool/cron -type f -print)
for I in ${FIND}; do
if FileIsReadable ${I}; then
+ ${EGREPBINARY} -q -s 'lynis audit system' ${I} && LYNIS_CRONJOB="file:${I}"
FindCronJob ${I}
- for J in ${sCRONJOBS}; do
- LogText "Found cronjob (/var/spool/cron): ${I} (${J})"
+ for FILE in ${sCRONJOBS}; do
+ LogText "Found cronjob in ${ROOTDIR}var/spool/cron: ${I} (${FILE})"
LogText "cronjob[]=${I}"
done
fi
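Review bot: The rewritten `else` branch now prefixes `${ROOTDIR}` and calls bare `find`, while the `crontabs` branch a few lines above still hardcodes `/var/spool/cron/crontabs` and uses `${FINDBINARY}` with `2> /dev/null`; the two branches should be written the same way, e.g. `FIND=$(${FINDBINARY} ${ROOTDIR}var/spool/cron -type f -print 2> /dev/null)` and the sibling path `${ROOTDIR}var/spool/cron/crontabs`. The context line `LogText "cronjob[]=${I}"` in the new-side loop looks like it was meant to be `Report "cronjob[]=${I}"`, as in the other branch, but that predates this commit and is only an observation. The enclosing if/else starts before the hunk and its closing lines follow it.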
@@ -177,12 +184,12 @@
# Show warning when an issue shows up. Even if *both* the permissions and ownership are wrong, just show one (prevent overload of warnings).
if [ ${BAD_FILE_PERMISSIONS} -eq 1 ]; then
ReportWarning "${TEST_NO}" "Found one or more cronjob files with incorrect file permissions (see log for details)"
- Display --indent 2 --text "- Checking crontab/cronjob" --result "${STATUS_WARNING}" --color RED
+ Display --indent 2 --text "- Checking crontab and cronjobs files" --result "${STATUS_WARNING}" --color RED
elif [ ${BAD_FILE_OWNERSHIP} -eq 1 ]; then
ReportWarning "${TEST_NO}" "Found one or more cronjob files with incorrect ownership (see log for details)"
- Display --indent 2 --text "- Checking crontab/cronjob" --result "${STATUS_WARNING}" --color RED
+ Display --indent 2 --text "- Checking crontab and cronjob files" --result "${STATUS_WARNING}" --color RED
else
- Display --indent 2 --text "- Checking crontab/cronjob" --result "${STATUS_DONE}" --color GREEN
+ Display --indent 2 --text "- Checking crontab and cronjob files" --result "${STATUS_DONE}" --color GREEN
fi
fi
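Review bot: The first of the three rewritten Display texts reads "crontab and cronjobs files" while the other two read "crontab and cronjob files"; all three label the same test line and should match. `Display --indent 2 --text "- Checking crontab and cronjob files" --result "${STATUS_WARNING}" --color RED` on the first branch makes the output identical across the three outcomes.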
@@ -298,6 +305,12 @@
#################################################################################
#
+if [ -z "${LYNIS_CRONJOB}" ]; then
+ LogText "Result: no scheduled Lynis execution found (e.g. crontab, cronjob)"
+else
+ LogText "Result: found scheduled Lynis execution (${LYNIS_CRONJOB})"
+fi
+
WaitForKeyPress
#
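Review bot: LYNIS_CRONJOB is only assigned in the earlier hunks when a match is found, and this diff shows no initialisation of it; unless it is reset to an empty string before the scheduling tests run (not visible here), a value inherited from the caller's environment would be logged as a found scheduled execution. A `LYNIS_CRONJOB=""` next to the other variables initialised for this file, wherever that happens in tests_scheduling, would close that gap. The result is also written only to the log and not via `Report`, so if another component is meant to consume it, it has nothing to read.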
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_shells new/lynis/include/tests_shells
--- old/lynis/include/tests_shells 2019-03-07 01:00:00.000000000 +0100
+++ new/lynis/include/tests_shells 2019-04-21 02:00:00.000000000 +0200
@@ -31,9 +31,10 @@
# Files (interactive login shells): /etc/profile $HOME/.bash_profile
# $HOME/.bash_login $HOME/.profile
# Files (interactive non-login shells): $HOME/.bash_rc
-
+ #
# csh/tcsh
# Files: /etc/csh.cshrc /etc/csh.login
+ #
# zsh
# Files: /etc/zshenv /etc/zsh/zshenv $HOME/.zshenv /etc/zprofile
# /etc/zsh/zprofile $HOME/.zprofile /etc/zshrc /etc/zsh/zshrc
@@ -68,8 +69,8 @@
#################################################################################
#
# Test : SHLL-6211
- # Description : which shells are available according /etc/shells
- Register --test-no SHLL-6211 --weight L --network NO --category security --description "Checking available and valid shells"
+ # Description : Determine available shell according /etc/shells
+ Register --test-no SHLL-6211 --weight L --network NO --category security --description "Available and valid shells"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Searching for ${ROOTDIR}etc/shells"
if [ -f ${ROOTDIR}etc/shells ]; then
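Review bot: The rewritten description comment drops a word: "Determine available shell according /etc/shells" should read `# Description : Determine available shells according to /etc/shells`. The `Register` description on the next line is fine as changed.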
@@ -98,8 +99,8 @@
#################################################################################
#
# Test : SHLL-6220
- # Description : check for idle session killing tools or settings
- Register --test-no SHLL-6220 --weight L --network NO --category security --description "Checking available and valid shells"
+ # Description : Check for idle session killing tools or settings
+ Register --test-no SHLL-6220 --weight L --network NO --category security --description "Idle session killing tools or settings"
if [ ${SKIPTEST} -eq 0 ]; then
IDLE_TIMEOUT_METHOD=""
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_squid new/lynis/include/tests_squid
--- old/lynis/include/tests_squid 2019-03-07 01:00:00.000000000 +0100
+++ new/lynis/include/tests_squid 2019-04-21 02:00:00.000000000 +0200
@@ -111,7 +111,7 @@
# Test : SQD-3610
# Description : Check Squid configuration options
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no SQD-3610 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid version"
+ Register --test-no SQD-3610 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Gather Squid settings"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking all specific defined options in ${SQUID_DAEMON_CONFIG}"
FIND=$(${GREPBINARY} -v "^#" ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{gsub("\t"," ");print}' | ${SEDBINARY} 's/ /!space!/g')
@@ -126,7 +126,7 @@
#################################################################################
#
# Test : SQD-3613
- # Description : Check Squid configuration options
+ # Description : Check Squid configuration file permissions
if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no SQD-3613 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid file permissions"
if [ ${SKIPTEST} -eq 0 ]; then
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_ssh new/lynis/include/tests_ssh
--- old/lynis/include/tests_ssh 2019-03-07 01:00:00.000000000 +0100
+++ new/lynis/include/tests_ssh 2019-04-21 02:00:00.000000000 +0200
@@ -137,7 +137,7 @@
IgnoreRhosts:YES,,NO:=\
LoginGraceTime:120,240,480:<\
LogLevel:VERBOSE,INFO,:=\
- MaxAuthTries:2,4,6:<\
+ MaxAuthTries:3,6,999:<\
MaxSessions:2,4,8:<\
PermitRootLogin:(NO|PROHIBIT-PASSWORD|WITHOUT-PASSWORD),,YES:=\
PermitUserEnvironment:NO,,YES:=\
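Review bot: The new third value `999` for MaxAuthTries reads as a sentinel rather than a real threshold; with the `<` comparator it would, for whichever profile column the third field represents, accept practically any configured value, which silently turns that column into a no-op. The meaning of the three comma-separated fields is not stated anywhere in the hunk (it can only be inferred from lines such as `PermitRootLogin:(NO|...),,YES`), so if this is intentional a short comment on the line, `# 999: no upper bound enforced in the third column`, would save the next reader from guessing. The multi-line assignment this entry belongs to starts and ends outside the hunk.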
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_webservers new/lynis/include/tests_webservers
--- old/lynis/include/tests_webservers 2019-03-07 01:00:00.000000000 +0100
+++ new/lynis/include/tests_webservers 2019-04-21 02:00:00.000000000 +0200
@@ -113,9 +113,10 @@
Display --indent 6 --text "Info: Configuration file found (${APACHE_CONFIGFILE})"
LogText "Result: Configuration file found (${APACHE_CONFIGFILE})"
else
- LogText "Result: File or directory ${APACHE_CONFIGFILE} does not exist"
+ LogText "Result: File or directory ${APACHE_TESTFILE} does not exist"
Display --indent 6 --text "[Notice] possible directory/file parts found, but still unsure what the real configuration file is. Skipping some Apache related tests"
ReportException "${TEST_NO}:1" "Found some unknown directory or file references in Apache configuration"
+ LogText "Note: if only the Apache binary package has been installed, then the configuration might be missing. Is the Apache package really needed?"
fi
fi
fi
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tool_tips new/lynis/include/tool_tips
--- old/lynis/include/tool_tips 2019-03-07 01:00:00.000000000 +0100
+++ new/lynis/include/tool_tips 2019-04-21 02:00:00.000000000 +0200
@@ -26,16 +26,41 @@
# Only show tips when enabled
if [ ${SHOW_TOOL_TIPS} -eq 1 ]; then
+ LogText "Tool tips: enabled"
+ # * Regular security auditing
+ #
+ # If package is installed, then suggest users to schedule the audit daily
+ # How: confirm presence of directory /etc/lynis and check cronjobs
+
+
+ # * Check for duplicate items between default and custom profile
+ #
+ # This can be done by marking an item if it overwrites the default profile
+ # with the same value.
+ #
+ # Rationale: default profile should contain have sensible default and
+ # custom profile allows customization for the user or system.
+
+
+ # Suggest usage of plugins if none are enabled
+
+
# Bash completion support
- if [ ! "${ETC_PATHS}" = "" ]; then
- for I in ${ETC_PATHS}; do
- if [ -d ${I}/bash-completion.d ]; then
- if [ ! -f ${ETC_PATHS}/bash_completion.d/lynis ]; then
- Display "This system has a bash_completion directory. Copy extras/bash_completion.d/lynis to ${I} to get completion support for Lynis"
- fi
- fi
- done
- fi
+ #
+ # Detect if bash is used for active user
+ #if [ ! -z "${ETC_PATHS}" ]; then
+ # for I in ${ETC_PATHS}; do
+ # if [ -d ${I}/bash_completion.d ]; then
+ # if [ ! -f ${ETC_PATHS}/bash_completion.d/lynis ]; then
+ # Display "This system has a bash_completion directory. Copy extras/bash_completion.d/lynis to ${I} to get completion support for Lynis"
+ # fi
+ # fi
+ # done
+ #fi
+
+ else
+ LogText "Tool tips: enabled"
+
fi
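Review bot: The `else` branch logs "Tool tips: enabled", the same message as the `if` branch, although it is reached exactly when SHOW_TOOL_TIPS is not 1; it should be `LogText "Tool tips: disabled"`. The bash-completion block is now entirely commented out, so the file no longer emits any tip, and the commented copy preserves a pre-existing mismatch: the loop iterates `${I}` but the inner test reads `${ETC_PATHS}/bash_completion.d/lynis`, which only works when ETC_PATHS holds a single path. If the block is meant to come back it should test `if [ ! -f ${I}/bash_completion.d/lynis ]; then`; if not, deleting it is cleaner than carrying dead code, since the history keeps it.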
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/lynis new/lynis/lynis
--- old/lynis/lynis 2019-03-07 01:00:00.000000000 +0100
+++ new/lynis/lynis 2019-04-21 02:00:00.000000000 +0200
@@ -35,10 +35,10 @@
PROGRAM_AUTHOR_CONTACT="lynis-dev@cisofy.com"
# Version details
- PROGRAM_RELEASE_DATE="2019-03-07"
- PROGRAM_RELEASE_TIMESTAMP=1551949337
+ PROGRAM_RELEASE_DATE="2019-04-21"
+ PROGRAM_RELEASE_TIMESTAMP=1555856327
PROGRAM_RELEASE_TYPE="final" # dev or final
- PROGRAM_VERSION="2.7.2"
+ PROGRAM_VERSION="2.7.4"
# Source, documentation and license
PROGRAM_SOURCE="https://github.com/CISOfy/lynis"
@@ -76,7 +76,7 @@
tINCLUDE_TARGETS="/usr/local/include/lynis /usr/local/lynis/include /usr/share/lynis/include ./include" # Default paths to check (CWD as last option, in case we run from standalone)
for I in ${tINCLUDE_TARGETS}; do
if [ "${I}" = "./include" ]; then
- if [ -d ${WORKDIR}/include ]; then INCLUDEDIR="${WORKDIR}/include"; fi
+ if [ -d "${WORKDIR}/include" ]; then INCLUDEDIR="${WORKDIR}/include"; fi
elif [ -d ${I} -a -z "${INCLUDEDIR}" ]; then
INCLUDEDIR=${I}
fi
@@ -95,7 +95,7 @@
DBDIR=""; tDB_TARGETS="/usr/local/share/lynis/db /usr/local/lynis/db /usr/share/lynis/db ./db"
for I in ${tDB_TARGETS}; do
if [ "${I}" = "./db" ]; then
- if [ -d ${WORKDIR}/db ]; then DBDIR="${WORKDIR}/db"; fi
+ if [ -d "${WORKDIR}/db" ]; then DBDIR="${WORKDIR}/db"; fi
elif [ -d ${I} -a -z "${DBDIR}" ]; then
DBDIR="${I}"
fi
@@ -613,6 +613,9 @@
if [ ${EOL} -eq 1 ]; then
echo " End-of-life: ${WARNING}YES${NORMAL}"
ReportWarning "GEN-0010" "This version ${OS_VERSION} is marked end-of-life as of ${EOL_DATE}"
+ elif [ ${EOL} -eq 255 ]; then
+ # TODO - mark as item where community can provide help
+ LogText "Note: the end-of-life of '${OS_FULLNAME}' could not be checked. Entry missing in software-eol.db?"
fi
if [ ! -z "${OS_MODE}" ]; then echo " Operating system mode: ${OS_MODE}"; fi
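Review bot: The new branch compares EOL against the bare number 255 and the only hint at what that value means is the log text two lines below; a comment on the `elif` would make the contract explicit, e.g. `# EOL=255: no matching entry in software-eol.db, status unknown`. Note also that the `-eq 1` branch echoes an "End-of-life:" line to the user while the 255 branch only writes to the log, so an unchecked status is invisible on the console; if that is deliberate, the comment could say so. The enclosing block starts before the hunk.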
@@ -1035,7 +1038,7 @@
if [ -f ${INCLUDEDIR}/report ]; then SafePerms ${INCLUDEDIR}/report; . ${INCLUDEDIR}/report; fi
# Show tool tips
- if [ -f ${INCLUDEDIR}/hints_tips ]; then SafePerms ${INCLUDEDIR}/hints_tips; . ${INCLUDEDIR}/hints_tips; fi
+ if [ -f ${INCLUDEDIR}/tool_tips ]; then SafePerms ${INCLUDEDIR}/tool_tips; . ${INCLUDEDIR}/tool_tips; fi
LogText "================================================================================"
LogText "Tests performed: ${CTESTS_PERFORMED}"