Hello community,
here is the log from the commit of package lynis for openSUSE:Factory checked in at 2012-02-29 14:08:27
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/lynis (Old)
and /work/SRC/openSUSE:Factory/.lynis.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "lynis", Maintainer is ""
Changes:
--------
--- /work/SRC/openSUSE:Factory/lynis/lynis.changes 2011-09-23 02:12:29.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.lynis.new/lynis.changes 2012-02-29 14:08:29.000000000 +0100
@@ -1,0 +2,31 @@
+Mon Dec 26 16:24:35 UTC 2011 - Sascha.Manns@open-slx.de
+
+- fixed conflict in spec
+
+-------------------------------------------------------------------
+Mon Dec 26 16:18:01 UTC 2011 - Sascha.Manns@open-slx.de
+
+- updated to version 1.3.0
+- from Changelog:
+- New:
+ - Profile option: ignore_home_dir
+ - TCP wrappers category added
+ - Tooling category added
+ - Initial extensions to support plugins in the future
+ - Test for unpurged Debian packages [PKGS-7346]
+ - Test for compiler permissions [HRDN-7222]
+- Changes:
+ - Converted all dates to ISO format and updated copyright lines
+ - Correct suggestion for file integrity tool [FINT-4350]
+ - Added hint when RPM list is empty on DPKG based systems [PKGS-7308]
+ - Changed logging for /etc/security/limits.conf file [KRNL-5820]
+ - Fixed incorrect warning for single user mode [AUTH-9308]
+ - Improved output for stratum 16 time servers [TIME-3116]
+ - Added suggestion and screen output for kernel hardening [KRNL-6000]
+ - Screen layout optimalizations and log file improvements
+ - Improved list/layout of scan options
+ - Improved binary check for compilers
+ - Added configuration option in scan profile (show_tool_tips, default
+ true)
+
+-------------------------------------------------------------------
Old:
----
lynis-1.2.9.tar.gz
lynis-1.2.9_suse.diff
lynis-1.2.9_suse_detection.diff
New:
----
dbus-whitelist.db
lynis-1.3.0.tar.bz2
lynis_1.3.0_db-fileperms.diff
lynis_1.3.0_include-test-databases.diff
lynis_1.3.0_include_binaries.diff
lynis_1.3.0_include_consts.diff
lynis_1.3.0_lynis.diff
prepare_for_suse.sh
tests_binary_rpath
tests_file_permissionsDB
tests_file_permissions_ww
tests_network_allowed_ports
tests_system_dbus
tests_system_proc
tests_tmp_symlinks
tests_users_wo_password
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ lynis.spec ++++++
--- /var/tmp/diff_new_pack.2egam3/_old 2012-02-29 14:08:31.000000000 +0100
+++ /var/tmp/diff_new_pack.2egam3/_new 2012-02-29 14:08:31.000000000 +0100
@@ -2,7 +2,7 @@
# spec file for package lynis
#
# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
-# Copyright (c) 2009-2010 Sascha Manns
+# Copyright (c) 2009-2011 Sascha Manns
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -23,17 +23,34 @@
%define _bindir /usr/bin
Name: lynis
-Version: 1.2.9
+Version: 1.3.0
Release: 1
-License: GPL-2.0+
+License: GPL-3.0
Summary: Security and System auditing tool
Url: http://www.rootkit.nl/projects/lynis.html
Group: System/Monitoring
-Source: %{name}-%{version}.tar.gz
+Source0: %{name}-%{version}.tar.bz2
Source1: default.prf
+Source2: tests_binary_rpath
+Source3: tests_file_permissionsDB
+Source4: tests_file_permissions_ww
+Source5: tests_network_allowed_ports
+Source6: tests_system_dbus
+Source7: tests_system_proc
+Source8: tests_tmp_symlinks
+Source9: tests_users_wo_password
+Source10: prepare_for_suse.sh
+Source11: dbus-whitelist.db
# PATCH-OPENSUSE-FIX -- thomas@novell.com - modifying for openSUSE
-Patch0: %{name}-%{version}_suse.diff
-Patch1: %{name}-%{version}_suse_detection.diff
+Patch0: %{name}_%{version}_lynis.diff
+# PATCH-OPENSUSE-FIX -- thomas@novell.com - modifying for openSUSE
+Patch1: %{name}_%{version}_db-fileperms.diff
+# PATCH-OPENSUSE-FIX -- thomas@novell.com - modifying for openSUSE
+Patch2: %{name}_%{version}_include_consts.diff
+# PATCH-OPENSUSE-FIX -- thomas@novell.com - modifying for openSUSE
+Patch3: %{name}_%{version}_include_binaries.diff
+# PATCH-OPENSUSE-FIX -- thomas@novell.com - modifying for openSUSE
+Patch4: %{name}_%{version}_include-test-databases.diff
BuildRequires: gcc-c++
BuildRequires: libxml2-devel
PreReq: %fillup_prereq
@@ -60,8 +77,11 @@
%prep
%setup -q
-%patch0 -p1
-%patch1 -p1
+%patch0
+%patch1
+%patch2
+%patch3
+%patch4
%build
@@ -74,22 +94,28 @@
%__install -d %{buildroot}%{_bindir}
%__install -d %{buildroot}%{_datadir}/%{name}
%__install %{name} %{buildroot}%{_bindir}
-%__install prepare_for_suse.sh %{buildroot}%{_datadir}/%{name}
+%__install %{SOURCE10} %{buildroot}%{_datadir}/%{name}
# install man-page
%__install -d %{buildroot}%{_mandir}/man8
%__install -pm 644 %{name}.8 %{buildroot}%{_mandir}/man8
# install functions/includes
%__install -d %{buildroot}%{_includedir}
%__install include/* %{buildroot}%{_includedir}
+%__install %{SOURCE2} %{buildroot}%{_includedir}
+%__install %{SOURCE3} %{buildroot}%{_includedir}
+%__install %{SOURCE4} %{buildroot}%{_includedir}
+%__install %{SOURCE5} %{buildroot}%{_includedir}
+%__install %{SOURCE6} %{buildroot}%{_includedir}
+%__install %{SOURCE7} %{buildroot}%{_includedir}
+%__install %{SOURCE8} %{buildroot}%{_includedir}
+%__install %{SOURCE9} %{buildroot}%{_includedir}
# install plugins
%__install -d %{buildroot}%{_pluginsdir}
%__install -pm 644 plugins/* %{buildroot}%{_pluginsdir}
# install database files
%__install -d %{buildroot}%{_dbdir}
%__install -pm 644 db/* %{buildroot}%{_dbdir}
-
-# Hack for non-executable-script
-%{__chmod} +x %{buildroot}%{_datadir}/%{name}/plugins/plugin_*
+%__install -pm 644 %{SOURCE11} %{buildroot}%{_dbdir}
%clean
%__rm -rf %{buildroot}
++++++ dbus-whitelist.db ++++++
avahi-dbus.conf
backup-manager.conf
bluetooth.conf
cnetworkmanager.conf
com.google.code.BackupManager.service
com.novell.Pkcs11Monitor.conf
ConsoleKit.conf
cups.conf
fi.epitest.hostap.WPASupplicant.service
galago-daemon.conf
gdm.conf
hal.conf
kerneloops.dbus
knetworkmanager.conf
NetworkManager.conf
newprinternotification.conf
nm-applet.conf
nm-avahi-autoipd.conf
nm-dhcp-client.conf
nm-dispatcher.conf
nm-novellvpn-service.conf
nm-openvpn-service.conf
nm-pptp-service.conf
nm-system-settings.conf
nm-vpnc-service.conf
org.bluez.service
org.freedesktop.ConsoleKit.service
org.freedesktop.ModemManager.conf
org.freedesktop.ModemManager.service
org.freedesktop.NetworkManagerSystemSettings.service
org.freedesktop.nm_dispatcher.service
org.freedesktop.PackageKit.conf
org.freedesktop.PackageKit.service
org.freedesktop.PolicyKit.conf
org.freedesktop.PolicyKit.service
org.gnome.ClockApplet.Mechanism.conf
org.gnome.ClockApplet.Mechanism.service
org.gnome.GConf.Defaults.conf
org.gnome.GConf.Defaults.service
org.opensuse.BackupManager.service
org.opensuse.CupsPkHelper.Mechanism.conf
org.opensuse.CupsPkHelper.Mechanism.service
org.opensuse.yast.SCR.conf
org.opensuse.yast.SCR.service
pommed.conf
powersave.conf
system.d
upsd.conf
wpa_supplicant.conf
xorg-server.conf
yum-updatesd.conf++++++ default.prf ++++++
--- /var/tmp/diff_new_pack.2egam3/_old 2012-02-29 14:08:31.000000000 +0100
+++ /var/tmp/diff_new_pack.2egam3/_new 2012-02-29 14:08:31.000000000 +0100
@@ -50,6 +50,7 @@
#################################################################################
plugin_enable=security_malware
plugin_enable=security_rootkit
+plugin_enable=plugin_fileperms
#################################################################################
++++++ lynis-1.2.9.tar.gz -> lynis-1.3.0.tar.bz2 ++++++
++++ 2827 lines of diff (skipped)
++++++ lynis_1.3.0_db-fileperms.diff ++++++
Index: db/fileperms.db
===================================================================
--- db/fileperms.db.orig
+++ db/fileperms.db
@@ -1,19 +1,214 @@
-#version=2008053000
-#
-# Field definitions
-# ===============================
-# 1) file | dir
-# 2) file name
-# 3) file permissions
-# 4) file owner
-# 5) file group owner
-# 6) operating system, or systems
-# 7) operating system special
-# 8)
-#
-#==================================================
-file:/etc/group:644:root:root:Linux:
-file:/etc/gshadow:400:root:root:Linux:
-file:/etc/passwd:644:root:root:Linux:
-file:/etc/shadow:400:root:root:Linux:
-
+file:/var/lib/xemacs/lock/:1777:root:root:Linux:
+file:/var/run/uscreens/:1777:root:root:Linux:
+file:/etc/crontab:44:root:root:Linux:
+file:/etc/exports:644:root:root:Linux:
+file:/etc/fstab:644:root:root:Linux:
+file:/etc/ftpaccess:644:root:root:Linux:
+file:/etc/ftpusers:644:root:root:Linux:
+file:/etc/inetd.conf:644:root:root:Linux:
+file:/etc/inittab:644:root:root:Linux:
+file:/etc/mtab:644:root:root:Linux:
+file:/etc/rmtab:644:root:root:Linux:
+file:/var/lib/nfs/rmtab:644:root:root:Linux:
+file:/etc/syslog.conf:644:root:root:Linux:
+file:/bin/su:4755:root:root:Linux:
+file:/usr/bin/at:4755:root:trusted:Linux:
+file:/usr/bin/crontab:4755:root:trusted:Linux:
+file:/usr/bin/gpasswd:4755:root:shadow:Linux:
+file:/usr/bin/newgrp:4755:root:root:Linux:
+file:/usr/bin/passwd:4755:root:shadow:Linux:
+file:/usr/bin/chfn:4755:root:shadow:Linux:
+file:/usr/bin/chage:4755:root:shadow:Linux:
+file:/usr/bin/chsh:4755:root:shadow:Linux:
+file:/usr/bin/expiry:4755:root:shadow:Linux:
+file:/usr/bin/sudo:4755:root:root:Linux:
+file:/usr/sbin/su-wrapper:4755:root:root:Linux:
+file:/usr/bin/opiepasswd:4755:root:root:Linux:
+file:/usr/bin/opiesu:4755:root:root:Linux:
+file:/usr/bin/ncpmount:4750:root:trusted:Linux:
+file:/usr/bin/ncpumount:4750:root:trusted:Linux:
+file:/sbin/mount.nfs:4755:root:root:Linux:
+file:/bin/mount:4755:root:root:Linux:
+file:/bin/umount:4755:root:root:Linux:
+file:/bin/eject:4755:root:audio:Linux:
+file:/usr/bin/fusermount:4755:root:trusted:Linux:
+file:/usr/lib/majordomo/wrapper:4755:root:daemon:Linux:
+file:/usr/lib/pt_chown:4755:root:root:Linux:
+file:/usr/lib64/pt_chown:4755:root:root:Linux:
+file:/sbin/unix_chkpwd:4755:root:shadow:Linux:
+file:/sbin/unix2_chkpwd:4755:root:shadow:Linux:
+file:/usr/sbin/popauth:4755:pop:trusted:Linux:
+file:/usr/sbin/pam_auth:4755:root:shadow:Linux:
+file:/usr/lib/vte/gnome-pty-helper:2755:root:tty:Linux:
+file:/usr/src/packages/SOURCES/:1777:root:root:Linux:
+file:/usr/src/packages/BUILD/:1777:root:root:Linux:
+file:/usr/src/packages/BUILDROOT/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/alpha/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/alphaev56/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/alphaev67/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/alphaev6/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/arm4l/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/athlon/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/i386/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/i486/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/i586/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/i686/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/ia64/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/mips/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/ppc/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/ppc64/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/powerpc/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/powerpc64/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/s390/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/s390x/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/sparc/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/sparcv9/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/sparc64/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/x86_64/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/armv4l/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/armv5tel/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/armv5tevl/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/armv5tejl/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/armv5tejvl/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/armv6l/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/armv6vl/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/armv7l/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/hppa/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/hppa2.0/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/noarch/:1777:root:root:Linux:
+file:/usr/src/packages/SPECS/:1777:root:root:Linux:
+file:/usr/src/packages/SRPMS/:1777:root:root:Linux:
+file:/usr/bin/v4l-conf:4755:root:video:Linux:
+file:/usr/lib/ia32el/suid_ia32x_loader:4755:root:root:Linux:
+file:/usr/bin/ntping:4750:root:trusted:Linux:
+file:/usr/bin/vlock:2755:root:shadow:Linux:
+file:/usr/bin/Xorg:4711:root:root:Linux:
+file:/usr/bin/wall:2755:root:tty:Linux:
+file:/usr/bin/write:2755:root:tty:Linux:
+file:/usr/bin/makeweb:2755:root:www:Linux:
+file:/usr/bin/yaps:2755:root:uucp:Linux:
+file:/usr/bin/nwsfind:4750:root:trusted:Linux:
+file:/usr/bin/ncplogin:4750:root:trusted:Linux:
+file:/usr/bin/ncpmap:4750:root:trusted:Linux:
+file:/usr/lib/lpdfilter/bin/runlpr:4755:root:root:Linux:
+file:/sbin/pccardctl:4755:root:trusted:Linux:
+file:/usr/sbin/mgnokiidev:4755:root:uucp:Linux:
+file:/usr/lib/pcp/pmpost:4755:root:root:Linux:
+file:/usr/lib/mailman/cgi-bin/admin:2755:root:mailman:Linux:
+file:/usr/lib/mailman/cgi-bin/admindb:2755:root:mailman:Linux:
+file:/usr/lib/mailman/cgi-bin/edithtml:2755:root:mailman:Linux:
+file:/usr/lib/mailman/cgi-bin/listinfo:2755:root:mailman:Linux:
+file:/usr/lib/mailman/cgi-bin/options:2755:root:mailman:Linux:
+file:/usr/lib/mailman/cgi-bin/private:2755:root:mailman:Linux:
+file:/usr/lib/mailman/cgi-bin/roster:2755:root:mailman:Linux:
+file:/usr/lib/mailman/cgi-bin/subscribe:2755:root:mailman:Linux:
+file:/usr/lib/mailman/cgi-bin/confirm:2755:root:mailman:Linux:
+file:/usr/lib/mailman/cgi-bin/create:2755:root:mailman:Linux:
+file:/usr/lib/mailman/cgi-bin/editarch:2755:root:mailman:Linux:
+file:/usr/lib/mailman/cgi-bin/rmlist:2755:root:mailman:Linux:
+file:/usr/lib/mailman/mail/mailman:2755:root:mailman:Linux:
+file:/usr/lib/libgnomesu/gnomesu-pam-backend:4755:root:root:Linux:
+file:/usr/sbin/change-passwd:4755:root:root:Linux:
+file:/usr/bin/lppasswd:2755:lp:lp:Linux:
+file:/usr/bin/get_printing_ticket:4750:root:lp:Linux:
+file:/bin/ping:4755:root:root:Linux:
+file:/bin/ping6:4755:root:root:Linux:
+file:/usr/sbin/mtr:4750:root:dialout:Linux:
+file:/usr/bin/rcp:4755:root:root:Linux:
+file:/usr/bin/rlogin:4755:root:root:Linux:
+file:/usr/bin/rsh:4755:root:root:Linux:
+file:/usr/bin/cl_status:2555:root:haclient:Linux:
+file:/usr/sbin/exim:4755:root:root:Linux:
+file:/usr/sbin/pppoe-wrapper:4750:root:dialout:Linux:
+file:/sbin/isdnctrl:4750:root:dialout:Linux:
+file:/usr/bin/vboxbeep:4755:root:trusted:Linux:
+file:/usr/lib/mc/cons.saver:4755:root:root:Linux:
+file:/usr/bin/jfbterm:6755:root:tty:Linux:
+file:/opt/kde3/bin/artswrapper:4755:root:root:Linux:
+file:/opt/kde3/bin/kcheckpass:4755:root:shadow:Linux:
+file:/usr/lib/kde4/libexec/kcheckpass:4755:root:shadow:Linux:
+file:/usr/lib64/kde4/libexec/kcheckpass:4755:root:shadow:Linux:
+file:/opt/kde3/bin/kdesud:2755:root:nogroup:Linux:
+file:/usr/lib/kde4/libexec/kdesud:2755:root:nogroup:Linux:
+file:/usr/lib64/kde4/libexec/kdesud:2755:root:nogroup:Linux:
+file:/opt/kde3/bin/kpac_dhcp_helper:4755:root:root:Linux:
+file:/opt/kde3/bin/start_kdeinit:4755:root:root:Linux:
+file:/usr/lib/kde4/libexec/start_kdeinit:4755:root:root:Linux:
+file:/usr/lib64/kde4/libexec/start_kdeinit:4755:root:root:Linux:
+file:/usr/bin/fileshareset:4755:root:root:Linux:
+file:/usr/sbin/amcheck:4750:root:amanda:Linux:
+file:/usr/lib/amanda/calcsize:4750:root:amanda:Linux:
+file:/usr/lib/amanda/rundump:4750:root:amanda:Linux:
+file:/usr/lib/amanda/planner:4750:root:amanda:Linux:
+file:/usr/lib/amanda/runtar:4750:root:amanda:Linux:
+file:/usr/lib/amanda/dumper:4750:root:amanda:Linux:
+file:/usr/lib/amanda/killpgrp:4750:root:amanda:Linux:
+file:/usr/lib/gnats/gen-index:4555:gnats:root:Linux:
+file:/usr/lib/gnats/pr-edit:4555:gnats:root:Linux:
+file:/usr/lib/gnats/queue-pr:4555:gnats:root:Linux:
+file:/usr/lib/news/bin/rnews:4550:news:uucp:Linux:
+file:/usr/lib/news/bin/startinnfeed:4554:root:news:Linux:
+file:/usr/lib/news/bin/inndstart:4554:root:news:Linux:
+file:/usr/lib/news/bin/inews:2555:news:news:Linux:
+file:/usr/lib/mgettysendfax/faxq-helper:4755:fax:root:Linux:
+file:/var/spool/fax/outgoing/:0755:fax:root:Linux:
+file:/var/spool/fax/outgoing/locks:0755:fax:root:Linux:
+file:/var/spool/uucppublic/:1777:root:root:Linux:
+file:/usr/bin/uucp:6555:uucp:uucp:Linux:
+file:/usr/bin/uuname:6555:uucp:uucp:Linux:
+file:/usr/bin/uustat:6555:uucp:uucp:Linux:
+file:/usr/bin/uux:6555:uucp:uucp:Linux:
+file:/usr/lib/uucp/uucico:6555:uucp:uucp:Linux:
+file:/usr/lib/uucp/uuxqt:6555:uucp:uucp:Linux:
+file:/usr/games/atc:2755:games:games:Linux:
+file:/usr/games/battlestar:2755:games:games:Linux:
+file:/usr/games/canfield:2755:games:games:Linux:
+file:/usr/games/cribbage:2755:games:games:Linux:
+file:/usr/games/phantasia:2755:games:games:Linux:
+file:/usr/games/robots:2755:games:games:Linux:
+file:/usr/games/sail:2755:games:games:Linux:
+file:/usr/games/snake:2755:games:games:Linux:
+file:/usr/games/tetris-bsd:2755:games:games:Linux:
+file:/usr/games/Maelstrom:2755:games:games:Linux:
+file:/usr/games/pachi:2755:games:games:Linux:
+file:/usr/games/martian:2755:games:games:Linux:
+file:/usr/lib/nethack/nethack.tty:2755:games:games:Linux:
+file:/usr/games/chromium:2755:games:games:Linux:
+file:/usr/games/xscrab:2755:games:games:Linux:
+file:/usr/games/trackballs:2755:games:games:Linux:
+file:/usr/games/ltris:2755:games:games:Linux:
+file:/usr/games/xlogical:2755:games:games:Linux:
+file:/usr/games/lbreakout2:2755:games:games:Linux:
+file:/usr/bin/xgalaga:2755:games:games:Linux:
+file:/usr/games/rocksndiamonds:2755:games:games:Linux:
+file:/usr/bin/glines:2755:games:games:Linux:
+file:/usr/bin/gnibbles:2755:games:games:Linux:
+file:/usr/bin/gnobots2:2755:games:games:Linux:
+file:/usr/bin/gnometris:2755:games:games:Linux:
+file:/usr/bin/gnomine:2755:games:games:Linux:
+file:/usr/bin/gnotravex:2755:games:games:Linux:
+file:/usr/bin/gnotski:2755:games:games:Linux:
+file:/usr/bin/gtali:2755:games:games:Linux:
+file:/usr/bin/mahjongg:2755:games:games:Linux:
+file:/usr/bin/same-gnome:2755:games:games:Linux:
+file:/usr/sbin/zypp-refresh-wrapper:4755:root:root:Linux:
+file:/usr/lib/PolicyKit/polkit-set-default-helper:4755:polkituser:root:Linux:
+file:/usr/lib/PolicyKit/polkit-read-auth-helper:2755:root:polkituser:Linux:
+file:/usr/lib/PolicyKit/polkit-revoke-helper:2755:root:polkituser:Linux:
+file:/usr/lib/PolicyKit/polkit-explicit-grant-helper:2755:root:polkituser:Linux:
+file:/usr/lib/PolicyKit/polkit-grant-helper:2755:root:polkituser:Linux:
+file:/usr/lib/PolicyKit/polkit-grant-helper-pam:4750:root:polkituser:Linux:
+file:/usr/lib/polkit-1/polkit-agent-helper-1:4755:root:root:Linux:
+file:/usr/bin/pkexec:4755:root:root:Linux:
+file:/lib/dbus-1/dbus-daemon-launch-helper:4750:root:messagebus:Linux:
+file:/lib64/dbus-1/dbus-daemon-launch-helper:4750:root:messagebus:Linux:
+file:/usr/bin/newrole:4755:root:root:Linux:
+file:/usr/lib/virtualbox/VirtualBox:4750:root:vboxusers:Linux:
+file:/usr/lib/virtualbox/VirtualBox3:4750:root:vboxusers:Linux:
+file:/usr/lib/virtualbox/VBoxBFE:4750:root:vboxusers:Linux:
+file:/usr/lib/virtualbox/VBoxHeadless:4750:root:vboxusers:Linux:
+file:/usr/lib/virtualbox/VBoxSDL:4750:root:vboxusers:Linux:
+file:/usr/lib/virtualbox/VBoxNetAdpCtl:4750:root:vboxusers:Linux:
+file:/usr/bin/vmware-user-suid-wrapper:4755:root:root:Linux:
+file:/var/log/messages:0644:root.root:Linux:
\ No newline at end of file
++++++ lynis_1.3.0_include-test-databases.diff ++++++
Index: include/tests_databases
===================================================================
--- include/tests_databases.orig
+++ include/tests_databases
@@ -117,7 +117,7 @@
# reco: recovery (optional)
Register --test-no DBS-1840 --weight L --network NO --description "Checking active Oracle processes"
if [ ${SKIPTEST} -eq 0 ]; then
- FIND=`${PSBINARY} ax | grep "ora_pmon|ora_smon|tnslsnr" | grep -v "grep"`
+ FIND=`${PSBINARY} ax | egrep "ora_pmon|ora_smon|tnslsnr" | grep -v "grep"`
if [ "${FIND}" = "" ]; then
Display --indent 2 --text "- Oracle processes status..." --result "NOT FOUND" --color WHITE
logtext "Result: Oracle process(es) not active"
++++++ lynis_1.3.0_include_binaries.diff ++++++
Index: include/binaries
===================================================================
--- include/binaries.orig
+++ include/binaries
@@ -80,7 +80,7 @@
J=${I}"/aa-status"; if [ -f ${J} ]; then APPARMORFOUND=1; AASTATUSBINARY=${J}; logtext "Found ${J}"; fi
J=${I}"/afick.pl"; if [ -f ${J} ]; then AFICKFOUND=0; AFICKBINARY=${J}; logtext "Found ${J}"; fi
J=${I}"/aide"; if [ -f ${J} ]; then AIDEFOUND=1; AIDEBINARY=${J}; logtext "Found ${J}"; fi
- J=${I}"/apache2"; if [ -f ${J} ]; then HTTPDFOUND=1; HTTPDBINARY=${J}; logtext "Found ${J}"; fi
+ J=${I}"/httpd2-prefork"; if [ -f ${J} ]; then HTTPDFOUND=1; HTTPDBINARY=${J}; logtext "Found ${J}"; fi
J=${I}"/auditd"; if [ -f ${J} ]; then AUDITDFOUND=1; AUDITDBINARY=${J}; logtext "Found ${J}"; fi
J=${I}"/awk"; if [ -f ${J} ]; then AWKFOUND=0; AWKBINARY=${J}; logtext "Found ${J}"; fi
J=${I}"/chkconfig"; if [ -f ${J} ]; then CHKCONFIGFOUND=1; CHKCONFIGBINARY=${J}; logtext "Found ${J}"; fi
++++++ lynis_1.3.0_include_consts.diff ++++++
Index: include/consts
===================================================================
--- include/consts.orig
+++ include/consts
@@ -68,6 +68,7 @@ BINPATHS="/bin /sbin /usr/bin /usr/sbin
CHKROOTKITBINARY=""
CHKCONFIGBINARY=""
FILEVALUE=""
+ FILE_NUM_TOTAL=0
FIND=""
GRPCKBINARY=""
IPTABLESBINARY=""
++++++ lynis_1.3.0_lynis.diff ++++++
Index: lynis
===================================================================
--- lynis.orig
+++ lynis
@@ -464,6 +464,14 @@ REPORT_version="${REPORT_version_major}.
#
#################################################################################
#
+
+#
+#################################################################################
+#
+ # init totl number of files
+ FILE_NUM_TOTAL=$(find / -xdev \( -type f -o -type d -o -type s -o -type b -type p -o -type c \) | wc -l | cut -d' ' -f1)
+
+
# Test sections
if [ "${TESTS_CATEGORY_TO_PERFORM}" = "" ]; then
#YYY insert plugin support
@@ -474,7 +482,9 @@ REPORT_version="${REPORT_version_major}.
webservers ssh snmp databases ldap php squid logging \
insecure_services banners scheduling accounting \
time crypto virtualization mac_frameworks file_integrity hardening_tools \
- malware file_permissions homedirs kernel_hardening hardening"
+ malware file_permissions file_permissionsDB homedirs kernel_hardening hardening \
+ system_dbus users_wo_password binary_rpath tmp_symlinks file_permissions_ww \
+ system_proc network_allowed_ports"
else
INCLUDE_TESTS="${TESTS_CATEGORY_TO_PERFORM}"
fi
++++++ prepare_for_suse.sh ++++++
#!/bin/bash
umask 0077
function fileperms()
{
PERMS=$(grep -E "^PERMISSION_SECURITY="
/etc/sysconfig/security | awk -F'=' '{print $2}' | sed s/\"//g)
echo $PERMS
for p in $PERMS
do
echo $p
cat "/etc/permissions."$p | grep -E "^/\w.*" | awk -F'
' '{print "file:"$1":"$3":"$2":Linux:"}' >> $TMPDIR/fileperms.lst
done
if ! [ -f db/fileperms.db.orig ]; then
cp -v db/fileperms.db db/fileperms.db.orig
fi
cp $TMPDIR/fileperms.lst db/fileperms.db
}
TMPDIR=$(mktemp -d /tmp/lynis.XXXXXX)
echo "prepare lynis config for your suse systems"
echo "1. lookup file permission level"
fileperms
#rm -rf $TMPDIR
++++++ tests_binary_rpath ++++++
#!/bin/bash
#################################################################################
#
# Author: Thomas Biege
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Verifies if a binary contains an insecure RPATH variable.
#
#################################################################################
#
# TODO:
#
################################################################################
#
InsertSection "Binary integrity"
report "[Software]"
#
#################################################################################
#
# Test : BINARY-1000
# Description : Verifies if a binary contains an insecure RPATH variable.
Register --test-no BINARY-1000 --weight L --network NO --description "Verifies if a binary contains an insecure RPATH variable."
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Starting binary RPATH check..."
logtext "Test: Checking binary integrity of RPATH"
RPNOTOK=0
FILENUM=0
HPMAX=0
HPBAD=0
for FILE in $(find / -xdev -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \) 2>/dev/null)
do
((FILENUM))
for RPATH_VAL in $(objdump -p "$FILE" 2>/dev/null | egrep -w '(RPATH|RUNPATH)' | awk '{ print $2 ":"}')
do
((HPMAX))
if [ "${RPATH_VAL:0:7}" = "\$ORIGIN" ]; then continue; fi
while [ -n "$RPATH_VAL" ]
do
RPATH_VAL_NXT=${RPATH_VAL%%:*}
RPATH_VAL=${RPATH_VAL##$RPATH_VAL_NXT:}
test -d "$RPATH_VAL_NXT" && RPATH_VAL_NXT=$(cd ${RPATH_VAL_NXT//#\/\//\/}; pwd -P)
case ":$RPATH_VAL_NXT" in
:/usr/lib*)
;;
:/lib*)
;;
:/opt/*/lib*)
;;
:/usr/X11R6/lib*)
;;
:/usr/local/lib*)
;;
*)
((HPBAD))
RPNOTOK=1;
Display --indent 4 --text "${FILE}" --text "RPATH \"$RPATH_VAL_NXT\" on $FILE is not allowed" --result WARNING --color RED
esac
done
done
done
if [ $RPNOTOK == 0 ]; then
Display --indent 4 --text "No bad RPATH usage found in $FILENUM executables" --result OK --color GREEN
fi
HP=$(expr $HPMAX - $HPBAD)
# echo "AddHP $HP $HPMAX"
AddHP $HP $HPMAX
fi
#
#################################################################################
#
wait_for_keypress++++++ tests_file_permissionsDB ++++++
#!/bin/sh
#################################################################################
#
# Author: Thomas Biege
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# File permissions from db file
#
#################################################################################
#
# TODO:
# - owner can have ':' and '.' as delimiter, '.' will cause an error -> fix it!
# - octal perms starting with 0 are valid but will cause an error -> fix it!
#
################################################################################
#
InsertSection "File systems"
#
#################################################################################
#
# Test : FILE-7525
# Description : Perform file permissions check
Register --test-no FILE-7525 --weight L --network NO --description "Perform file permissions check from DB"
if [ ${SKIPTEST} -eq 0 ]; then
DB="${DBDIR}/fileperms.db"
Display --indent 2 --text "- Starting file permissions check from DB..."
logtext "Test: Checking file permissions from DB"
logtext "Using database ${DB}."
HPMAX=0
HPBAD=0
for LINE in $(cat $DB)
do
((HPMAX))
FN=$(echo $LINE | cut -d: -f2)
PM=$(echo $LINE | cut -d: -f3)
UN=$(echo $LINE | cut -d: -f4)
GN=$(echo $LINE | cut -d: -f5)
OS=$(echo $LINE | cut -d: -f6)
if [ -z $OS ]; then
logtext "Warning: line format invalid: '$LINE'"
fi
logtext "Checking $FN"
STR="$PM:$UN:$GN"
STAT=$(stat --printf="%a:%U:%G" $FN 2>/dev/null)
if [ -z $STAT ]; then
#Display --indent 4 --text "${FN}" --result "NOT FOUND" --color WHITE
continue;
fi
if ! [ "$STR" == "$STAT" ]; then
((HPBAD))
Display --indent 4 --text "${FN}" --result WARNING --color RED
else
Display --indent 4 --text "${FN}" --result OK --color GREEN
fi
done
HP=$(expr $HPMAX - $HPBAD)
# echo "AddHP $HP $HPMAX"
AddHP $HP $HPMAX
fi
#
#################################################################################
#
wait_for_keypress
#
#================================================================================++++++ tests_file_permissions_ww ++++++
#!/bin/sh
#################################################################################
#
# Author: Thomas Biege
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# File permissions world-writeable file
#
#################################################################################
#
# TODO:
#
################################################################################
#
InsertSection "File systems"
#
#################################################################################
#
# Test : FILE-7527
# Description : Perform file permissions check
Register --test-no FILE-7527 --weight L --network NO --description "Lookup world-writeable files."
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Starting file permissions check for world-writeable files..."
logtext "Test: Checking for world-writeable files"
TMP=$(mktemp /tmp/lynis.XXXXXX)
HPMAX=$FILE_NUM_TOTAL
HP=$HPMAX
find / -xdev \( -type f -o -type d -o -type s -o -type b -type p -o -type c \) -a -perm -0002 -print 2>/dev/null > $TMP
for i in $(cat $TMP)
do
((HP--))
Display --indent 4 --text "${i} is world-writeable" --result WARNING --color RED
done
# echo "AddHP $HP $HPMAX"
AddHP $HP $HPMAX
rm -f $TMP
fi
#
#################################################################################
#
wait_for_keypress
#
#================================================================================++++++ tests_network_allowed_ports ++++++
#!/bin/bash
#################################################################################
#
# Author: Thomas Biege
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Verifies open network ports.
#
#################################################################################
#
# TODO:
#
################################################################################
#
InsertSection "Networking"
#
#################################################################################
#
# Test : NETW-3085
# Description : Verifies dbus policy.
Register --test-no NETW-3085 --weight L --network NO --description "Verifies open network ports."
if [ ${SKIPTEST} -eq 0 ]; then
ALLOWED_PORTS=( 22 25 68 80 111 443 )
TMP=$(mktemp /tmp/lynis.XXXXXX)
STR="${ALLOWED_PORTS[@]:0}"
Display --indent 2 --text "- Starting verifying open network ports ($STR)..."
logtext "Test: Checking open network ports"
logtext "Allowed ports: $STR"
netstat -an | grep -i listen > $TMP
PORTS=($(cat $TMP | awk '{ print $4 }' | sed 's/.*://;s/ACC//' | sort -un))
IDX_P=0
LEN_P=${#PORTS[@]}
NUM_NOTOK=0
while [ $IDX_P -lt $LEN_P ]
do
IDX_A=0
LEN_A=${#ALLOWED_PORTS[@]}
PORTOK=0
while [ $IDX_A -lt $LEN_A ]
do
# echo "${PORTS[$IDX_P]} vs. ${ALLOWED_PORTS[$IDX_A]}"
if [ ${PORTS[$IDX_P]} == ${ALLOWED_PORTS[$IDX_A]} ]
then
PORTOK=1
break
fi
((IDX_A))
done
if [ $PORTOK -eq 0 ]
then
((NUM_NOTOK))
P=${PORTS[$IDX_P]}
Display --indent 4 --text "Open port ${P} not allowed" --result WARNING --color RED
fi
((IDX_P))
done
HPMAX=$LEN_A
HP=$(expr $LEN_A - $NUM_NOTOK)
if [ $HP -lt 0 ]; then HP=0; fi
AddHP $HP $HPMAX
rm -f $TMP
fi
#
#################################################################################
#
wait_for_keypress
#
#================================================================================++++++ tests_system_dbus ++++++
#!/bin/bash
#################################################################################
#
# Author: Thomas Biege
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Verifies dbus policy.
#
#################################################################################
#
# TODO:
#
################################################################################
#
InsertSection "System Tools"
report "[Software]"
#
#################################################################################
#
# Test : SYSTEM-1000
# Description : Verifies dbus policy.
Register --test-no SYSTEM-1000 --weight L --network NO --description "Verifies if a binary contains an insecure RPATH variable."
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Starting dbus policy check..."
logtext "Test: Checking dbus policy"
DB="${DBDIR}/dbus-whitelist.db"
if ! [ -f $DB ]
then
if [ -f ./dbus-whitelist.db ]
then
DB="./dbus-whitelist.db"
else
logtext "Warning: dbus autostart/system services whitelist file is missing."
return
fi
fi
WHITELIST=$(cat $DB)
HPMAX=$(wc -l $DB | cut -d' ' -f1)
HPBAD=0
E=$(ls -1 /usr/share/dbus-*/system-services/*.service /etc/dbus-*/system.d/*.conf 2>/dev/null)
if ! [ -z "$E" ]
then
for i in $E
do
DF=$(basename $i)
FOUND=0
for j in $WHITELIST
do
if [ "$DF" == "$j" ]; then FOUND=1; fi
done
if [ $FOUND -eq 0 ]
then
((HPBAD))
PKG=$(rpm -qf "$i")
Display --indent 4 --text "Warning: Package $PKG installs an unknown D-BUS autostart/system service: $DF" --result WARNING --color RED
fi
done
fi
HP=$(expr $HPMAX - $HPBAD)
# echo "AddHP $HP $HPMAX"
AddHP $HP $HPMAX
fi
#
#################################################################################
#
wait_for_keypress
#
#================================================================================++++++ tests_system_proc ++++++
#!/bin/bash
#################################################################################
#
# Author: Thomas Biege
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Checking for processes running as 'nobody'
#
#################################################################################
#
# TODO:
#
################################################################################
#
InsertSection "Memory and processes"
#
#################################################################################
#
# Test : PROC-3625
# Description : Processes running as 'nobody'
Register --test-no PROC-3625 --weight L --network NO --description "Processes running as 'nobody'."
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Starting look-up of 'nobody' processes..."
logtext "Test: Checking for processes running as 'nobody'"
TMP=$(mktemp /tmp/lynis.XXXXXX)
TMP2=$(mktemp /tmp/lynis.XXXXXX)
ps -eo uname,pid,comm | tr -s " " | sed "s/ /:/g" > $TMP
HPMAX=$(wc -l $TMP | cut -d' ' -f1)
grep '^nobody' $TMP > $TMP2
HP=$HPMAX
for i in $(cat $TMP2)
do
((HP--))
PID=$(echo $i | cut -d: -f2)
PNAME=$(echo $i | cut -d: -f3)
Display --indent 4 --text "${PNAME} [PID ${PID}] runs as user 'nobody'" --result WARNING --color RED
done
# echo "AddHP $HP $HPMAX"
AddHP $HP $HPMAX
rm -f $TMP $TMP2
fi
#
#################################################################################
#
wait_for_keypress
#
#================================================================================++++++ tests_tmp_symlinks ++++++
#!/bin/sh
#################################################################################
#
# Author: Thomas Biege
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Looks up symlinks in /tmp
#
#################################################################################
#
# TODO:
# - also verify other tmp localtions like /var/tmp and ~/tmp
#
################################################################################
#
InsertSection "File systems"
#
#################################################################################
#
# Test : FILE-7526
# Description : Looks up symlinks in /tmp
Register --test-no FILE-7526 --weight L --network NO --description "Looks up symlinks in /tmp"
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Starting look-up of symlinks in /tmp..."
logtext "Test: Checking /tmp for symlinks"
TMP_SYMLINK=$(find /tmp -type l -print 2>/dev/null)
if [ "$TMP_SYMLINK" ]
then
for sym in $TMP_SYMLINK
do
Display --indent 4 --text "${sym}" --result WARNING --color RED
done
fi
fi
#
#################################################################################
#
wait_for_keypress
#
#================================================================================++++++ tests_users_wo_password ++++++
#!/bin/bash
#################################################################################
#
# Author: Thomas Biege
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Verifies dbus policy.
#
#################################################################################
#
# TODO:
#
################################################################################
#
InsertSection "Users, Groups and Authentication"
report "[Software]"
#
#################################################################################
#
# Test : AUTH-1000
# Description : Verifies dbus policy.
Register --test-no AUTH-1000 --weight M --network NO --description "Verifies if users without a password exist."
if [ ${SKIPTEST} -eq 0 ]; then
Display --indent 2 --text "- Starting password check for users..."
logtext "Test: Checking existence of password"
TMPDIR=$(mktemp -d /tmp/lynis.XXXXXX)
HPMAX=$(wc -l /etc/passwd | cut -d' ' -f1)
awk -F: '$2 == "" && $1 != "" {print $1}' /etc/passwd > $TMPDIR/userwopwd
awk -F: '$2 == "" && $1 != "" {print $1}' /etc/shadow >> $TMPDIR/userwopwd
sort -u $TMPDIR/userwopwd > $TMPDIR/userwopwd2
HPBAD=0
for i in $(cat $TMPDIR/userwopwd2)
do
((HPBAD))
Display --indent 4 --text "${i} has no password set" --result WARNING --color RED
done
HP=$(expr $HPMAX - $HPBAD)
# echo "AddHP $HP $HPMAX"
AddHP $HP $HPMAX
rm -rf $TMPDIR
fi
#
#################################################################################
#
wait_for_keypress
#
#================================================================================--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org