Hello community,

here is the log from the commit of package lynis for openSUSE:Factory checked 
in at 2012-02-29 14:08:27
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/lynis (Old)
 and      /work/SRC/openSUSE:Factory/.lynis.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "lynis", Maintainer is ""

Changes:
--------
--- /work/SRC/openSUSE:Factory/lynis/lynis.changes      2011-09-23 
02:12:29.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.lynis.new/lynis.changes 2012-02-29 
14:08:29.000000000 +0100
@@ -1,0 +2,31 @@
+Mon Dec 26 16:24:35 UTC 2011 - [email protected]
+
+- fixed conflict in spec 
+
+-------------------------------------------------------------------
+Mon Dec 26 16:18:01 UTC 2011 - [email protected]
+
+- updated to version 1.3.0
+- from Changelog:
+- New:
+ - Profile option: ignore_home_dir
+ - TCP wrappers category added
+ - Tooling category added
+ - Initial extensions to support plugins in the future
+ - Test for unpurged Debian packages [PKGS-7346]
+ - Test for compiler permissions [HRDN-7222]
+- Changes:
+ - Converted all dates to ISO format and updated copyright lines
+ - Correct suggestion for file integrity tool [FINT-4350]
+ - Added hint when RPM list is empty on DPKG based systems [PKGS-7308]
+ - Changed logging for /etc/security/limits.conf file [KRNL-5820]
+ - Fixed incorrect warning for single user mode [AUTH-9308]
+ - Improved output for stratum 16 time servers [TIME-3116]
+ - Added suggestion and screen output for kernel hardening [KRNL-6000]
+ - Screen layout optimalizations and log file improvements
+ - Improved list/layout of scan options
+ - Improved binary check for compilers
+ - Added configuration option in scan profile (show_tool_tips, default
+   true) 
+
+-------------------------------------------------------------------

Old:
----
  lynis-1.2.9.tar.gz
  lynis-1.2.9_suse.diff
  lynis-1.2.9_suse_detection.diff

New:
----
  dbus-whitelist.db
  lynis-1.3.0.tar.bz2
  lynis_1.3.0_db-fileperms.diff
  lynis_1.3.0_include-test-databases.diff
  lynis_1.3.0_include_binaries.diff
  lynis_1.3.0_include_consts.diff
  lynis_1.3.0_lynis.diff
  prepare_for_suse.sh
  tests_binary_rpath
  tests_file_permissionsDB
  tests_file_permissions_ww
  tests_network_allowed_ports
  tests_system_dbus
  tests_system_proc
  tests_tmp_symlinks
  tests_users_wo_password

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ lynis.spec ++++++
--- /var/tmp/diff_new_pack.2egam3/_old  2012-02-29 14:08:31.000000000 +0100
+++ /var/tmp/diff_new_pack.2egam3/_new  2012-02-29 14:08:31.000000000 +0100
@@ -2,7 +2,7 @@
 # spec file for package lynis
 #
 # Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
-# Copyright (c) 2009-2010 Sascha Manns <[email protected]>
+# Copyright (c) 2009-2011 Sascha Manns <[email protected]>
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -23,17 +23,34 @@
 %define _bindir           /usr/bin
 
 Name:           lynis
-Version:        1.2.9  
+Version:        1.3.0  
 Release:        1
-License:        GPL-2.0+
+License:        GPL-3.0  
 Summary:        Security and System auditing tool  
 Url:            http://www.rootkit.nl/projects/lynis.html  
 Group:          System/Monitoring
-Source:         %{name}-%{version}.tar.gz  
+Source0:        %{name}-%{version}.tar.bz2
 Source1:        default.prf 
+Source2:        tests_binary_rpath
+Source3:        tests_file_permissionsDB
+Source4:        tests_file_permissions_ww
+Source5:        tests_network_allowed_ports
+Source6:        tests_system_dbus
+Source7:        tests_system_proc
+Source8:        tests_tmp_symlinks
+Source9:        tests_users_wo_password
+Source10:       prepare_for_suse.sh
+Source11:       dbus-whitelist.db
 # PATCH-OPENSUSE-FIX -- [email protected] - modifying for openSUSE  
-Patch0:         %{name}-%{version}_suse.diff  
-Patch1:         %{name}-%{version}_suse_detection.diff
+Patch0:         %{name}_%{version}_lynis.diff
+# PATCH-OPENSUSE-FIX -- [email protected] - modifying for openSUSE  
+Patch1:         %{name}_%{version}_db-fileperms.diff
+# PATCH-OPENSUSE-FIX -- [email protected] - modifying for openSUSE
+Patch2:         %{name}_%{version}_include_consts.diff
+# PATCH-OPENSUSE-FIX -- [email protected] - modifying for openSUSE
+Patch3:         %{name}_%{version}_include_binaries.diff
+# PATCH-OPENSUSE-FIX -- [email protected] - modifying for openSUSE
+Patch4:         %{name}_%{version}_include-test-databases.diff
 BuildRequires:  gcc-c++
 BuildRequires:  libxml2-devel
 PreReq:         %fillup_prereq  
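Review bot: `Source0` names a bare `%{name}-%{version}.tar.bz2` with no download location, and the same hunk changes the archive type from `.tar.gz`, so nothing in the spec ties the packaged tarball to an upstream release file. If upstream publishes only a `.tar.gz` (not visible on this page), the `.tar.bz2` is a repack whose checksum cannot be compared with the upstream one. I would keep the archive as released and give its full location, `Source0: <UPSTREAM_URL>/%{name}-%{version}.tar.gz`. `Patch0` to `Patch4` all carry the same `modifying for openSUSE` comment; one line per patch saying what it changes would make later review much easier.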
@@ -60,8 +77,11 @@
   
 %prep  
 %setup -q  
-%patch0 -p1  
-%patch1 -p1  
+%patch0
+%patch1
+%patch2
+%patch3
+%patch4
 
 %build  
 
@@ -74,22 +94,28 @@
 %__install -d %{buildroot}%{_bindir}  
 %__install -d %{buildroot}%{_datadir}/%{name}  
 %__install %{name} %{buildroot}%{_bindir}  
-%__install prepare_for_suse.sh %{buildroot}%{_datadir}/%{name}  
+%__install %{SOURCE10} %{buildroot}%{_datadir}/%{name}  
 # install man-page  
 %__install -d %{buildroot}%{_mandir}/man8  
 %__install -pm 644 %{name}.8 %{buildroot}%{_mandir}/man8  
 # install functions/includes  
 %__install -d %{buildroot}%{_includedir}  
 %__install include/* %{buildroot}%{_includedir}  
+%__install %{SOURCE2} %{buildroot}%{_includedir}
+%__install %{SOURCE3} %{buildroot}%{_includedir}
+%__install %{SOURCE4} %{buildroot}%{_includedir}
+%__install %{SOURCE5} %{buildroot}%{_includedir}
+%__install %{SOURCE6} %{buildroot}%{_includedir}
+%__install %{SOURCE7} %{buildroot}%{_includedir}
+%__install %{SOURCE8} %{buildroot}%{_includedir}
+%__install %{SOURCE9} %{buildroot}%{_includedir}
 # install plugins  
 %__install -d %{buildroot}%{_pluginsdir}  
 %__install -pm 644 plugins/* %{buildroot}%{_pluginsdir}  
 # install database files  
 %__install -d %{buildroot}%{_dbdir}  
 %__install -pm 644 db/* %{buildroot}%{_dbdir}  
-
-# Hack for non-executable-script
-%{__chmod} +x %{buildroot}%{_datadir}/%{name}/plugins/plugin_*
+%__install -pm 644 %{SOURCE11} %{buildroot}%{_dbdir}
 
 %clean  
 %__rm -rf %{buildroot}  
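Review bot: `%__install %{SOURCE10} %{buildroot}%{_datadir}/%{name}` ships prepare_for_suse.sh as an installed tool, but that script (listed further down this page) overwrites `db/fileperms.db` relative to the directory it is started from, while this hunk installs the database to `%{_dbdir}`. Started as root from any other directory it either fails or rewrites an unrelated `db/` tree, and the installed baseline stays unchanged. The script should take the database directory as an argument, or the spec should say next to this line that it has to be run from the directory holding `db/`. The `%{SOURCE2}` to `%{SOURCE9}` installs also rely on install's default mode while the neighbouring lines spell out `-pm 644`; stating the mode (`%__install -pm <MODE> ...`) makes the intent explicit.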

++++++ dbus-whitelist.db ++++++
avahi-dbus.conf
backup-manager.conf
bluetooth.conf
cnetworkmanager.conf
com.google.code.BackupManager.service
com.novell.Pkcs11Monitor.conf
ConsoleKit.conf
cups.conf
fi.epitest.hostap.WPASupplicant.service
galago-daemon.conf
gdm.conf
hal.conf
kerneloops.dbus
knetworkmanager.conf
NetworkManager.conf
newprinternotification.conf
nm-applet.conf
nm-avahi-autoipd.conf
nm-dhcp-client.conf
nm-dispatcher.conf
nm-novellvpn-service.conf
nm-openvpn-service.conf
nm-pptp-service.conf
nm-system-settings.conf
nm-vpnc-service.conf
org.bluez.service
org.freedesktop.ConsoleKit.service
org.freedesktop.ModemManager.conf
org.freedesktop.ModemManager.service
org.freedesktop.NetworkManagerSystemSettings.service
org.freedesktop.nm_dispatcher.service
org.freedesktop.PackageKit.conf
org.freedesktop.PackageKit.service
org.freedesktop.PolicyKit.conf
org.freedesktop.PolicyKit.service
org.gnome.ClockApplet.Mechanism.conf
org.gnome.ClockApplet.Mechanism.service
org.gnome.GConf.Defaults.conf
org.gnome.GConf.Defaults.service
org.opensuse.BackupManager.service
org.opensuse.CupsPkHelper.Mechanism.conf
org.opensuse.CupsPkHelper.Mechanism.service
org.opensuse.yast.SCR.conf
org.opensuse.yast.SCR.service
pommed.conf
powersave.conf
system.d
upsd.conf
wpa_supplicant.conf
xorg-server.conf
yum-updatesd.conf
++++++ default.prf ++++++
--- /var/tmp/diff_new_pack.2egam3/_old  2012-02-29 14:08:31.000000000 +0100
+++ /var/tmp/diff_new_pack.2egam3/_new  2012-02-29 14:08:31.000000000 +0100
@@ -50,6 +50,7 @@
 
#################################################################################
 plugin_enable=security_malware
 plugin_enable=security_rootkit
+plugin_enable=plugin_fileperms
 
 
 
#################################################################################
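Review bot: The added `plugin_enable=plugin_fileperms` carries a `plugin_` prefix that the two existing entries (`security_malware`, `security_rootkit`) do not have, and the file list of this commit adds no plugin file. If the loader prepends `plugin_` to the configured name, which the `plugins/plugin_*` glob in the old spec suggests but this page does not show, the entry points at a file that does not exist and the default profile enables a check that never runs. Please confirm the expected name; if the loader adds the prefix the line should read `plugin_enable=fileperms`, and the plugin itself has to be shipped.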

++++++ lynis-1.2.9.tar.gz -> lynis-1.3.0.tar.bz2 ++++++
++++ 2827 lines of diff (skipped)

++++++ lynis_1.3.0_db-fileperms.diff ++++++
Index: db/fileperms.db
===================================================================
--- db/fileperms.db.orig
+++ db/fileperms.db
@@ -1,19 +1,214 @@
-#version=2008053000
-#
-# Field definitions
-# ===============================
-#  1)  file | dir
-#  2)  file name
-#  3)  file permissions
-#  4)  file owner
-#  5)  file group owner
-#  6)  operating system, or systems
-#  7)  operating system special
-#  8)  
-#
-#==================================================
-file:/etc/group:644:root:root:Linux:
-file:/etc/gshadow:400:root:root:Linux:
-file:/etc/passwd:644:root:root:Linux:
-file:/etc/shadow:400:root:root:Linux:
-
+file:/var/lib/xemacs/lock/:1777:root:root:Linux:
+file:/var/run/uscreens/:1777:root:root:Linux:
+file:/etc/crontab:44:root:root:Linux:
+file:/etc/exports:644:root:root:Linux:
+file:/etc/fstab:644:root:root:Linux:
+file:/etc/ftpaccess:644:root:root:Linux:
+file:/etc/ftpusers:644:root:root:Linux:
+file:/etc/inetd.conf:644:root:root:Linux:
+file:/etc/inittab:644:root:root:Linux:
+file:/etc/mtab:644:root:root:Linux:
+file:/etc/rmtab:644:root:root:Linux:
+file:/var/lib/nfs/rmtab:644:root:root:Linux:
+file:/etc/syslog.conf:644:root:root:Linux:
+file:/bin/su:4755:root:root:Linux:
+file:/usr/bin/at:4755:root:trusted:Linux:
+file:/usr/bin/crontab:4755:root:trusted:Linux:
+file:/usr/bin/gpasswd:4755:root:shadow:Linux:
+file:/usr/bin/newgrp:4755:root:root:Linux:
+file:/usr/bin/passwd:4755:root:shadow:Linux:
+file:/usr/bin/chfn:4755:root:shadow:Linux:
+file:/usr/bin/chage:4755:root:shadow:Linux:
+file:/usr/bin/chsh:4755:root:shadow:Linux:
+file:/usr/bin/expiry:4755:root:shadow:Linux:
+file:/usr/bin/sudo:4755:root:root:Linux:
+file:/usr/sbin/su-wrapper:4755:root:root:Linux:
+file:/usr/bin/opiepasswd:4755:root:root:Linux:
+file:/usr/bin/opiesu:4755:root:root:Linux:
+file:/usr/bin/ncpmount:4750:root:trusted:Linux:
+file:/usr/bin/ncpumount:4750:root:trusted:Linux:
+file:/sbin/mount.nfs:4755:root:root:Linux:
+file:/bin/mount:4755:root:root:Linux:
+file:/bin/umount:4755:root:root:Linux:
+file:/bin/eject:4755:root:audio:Linux:
+file:/usr/bin/fusermount:4755:root:trusted:Linux:
+file:/usr/lib/majordomo/wrapper:4755:root:daemon:Linux:
+file:/usr/lib/pt_chown:4755:root:root:Linux:
+file:/usr/lib64/pt_chown:4755:root:root:Linux:
+file:/sbin/unix_chkpwd:4755:root:shadow:Linux:
+file:/sbin/unix2_chkpwd:4755:root:shadow:Linux:
+file:/usr/sbin/popauth:4755:pop:trusted:Linux:
+file:/usr/sbin/pam_auth:4755:root:shadow:Linux:
+file:/usr/lib/vte/gnome-pty-helper:2755:root:tty:Linux:
+file:/usr/src/packages/SOURCES/:1777:root:root:Linux:
+file:/usr/src/packages/BUILD/:1777:root:root:Linux:
+file:/usr/src/packages/BUILDROOT/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/alpha/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/alphaev56/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/alphaev67/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/alphaev6/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/arm4l/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/athlon/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/i386/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/i486/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/i586/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/i686/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/ia64/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/mips/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/ppc/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/ppc64/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/powerpc/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/powerpc64/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/s390/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/s390x/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/sparc/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/sparcv9/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/sparc64/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/x86_64/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/armv4l/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/armv5tel/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/armv5tevl/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/armv5tejl/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/armv5tejvl/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/armv6l/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/armv6vl/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/armv7l/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/hppa/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/hppa2.0/:1777:root:root:Linux:
+file:/usr/src/packages/RPMS/noarch/:1777:root:root:Linux:
+file:/usr/src/packages/SPECS/:1777:root:root:Linux:
+file:/usr/src/packages/SRPMS/:1777:root:root:Linux:
+file:/usr/bin/v4l-conf:4755:root:video:Linux:
+file:/usr/lib/ia32el/suid_ia32x_loader:4755:root:root:Linux:
+file:/usr/bin/ntping:4750:root:trusted:Linux:
+file:/usr/bin/vlock:2755:root:shadow:Linux:
+file:/usr/bin/Xorg:4711:root:root:Linux:
+file:/usr/bin/wall:2755:root:tty:Linux:
+file:/usr/bin/write:2755:root:tty:Linux:
+file:/usr/bin/makeweb:2755:root:www:Linux:
+file:/usr/bin/yaps:2755:root:uucp:Linux:
+file:/usr/bin/nwsfind:4750:root:trusted:Linux:
+file:/usr/bin/ncplogin:4750:root:trusted:Linux:
+file:/usr/bin/ncpmap:4750:root:trusted:Linux:
+file:/usr/lib/lpdfilter/bin/runlpr:4755:root:root:Linux:
+file:/sbin/pccardctl:4755:root:trusted:Linux:
+file:/usr/sbin/mgnokiidev:4755:root:uucp:Linux:
+file:/usr/lib/pcp/pmpost:4755:root:root:Linux:
+file:/usr/lib/mailman/cgi-bin/admin:2755:root:mailman:Linux:
+file:/usr/lib/mailman/cgi-bin/admindb:2755:root:mailman:Linux:
+file:/usr/lib/mailman/cgi-bin/edithtml:2755:root:mailman:Linux:
+file:/usr/lib/mailman/cgi-bin/listinfo:2755:root:mailman:Linux:
+file:/usr/lib/mailman/cgi-bin/options:2755:root:mailman:Linux:
+file:/usr/lib/mailman/cgi-bin/private:2755:root:mailman:Linux:
+file:/usr/lib/mailman/cgi-bin/roster:2755:root:mailman:Linux:
+file:/usr/lib/mailman/cgi-bin/subscribe:2755:root:mailman:Linux:
+file:/usr/lib/mailman/cgi-bin/confirm:2755:root:mailman:Linux:
+file:/usr/lib/mailman/cgi-bin/create:2755:root:mailman:Linux:
+file:/usr/lib/mailman/cgi-bin/editarch:2755:root:mailman:Linux:
+file:/usr/lib/mailman/cgi-bin/rmlist:2755:root:mailman:Linux:
+file:/usr/lib/mailman/mail/mailman:2755:root:mailman:Linux:
+file:/usr/lib/libgnomesu/gnomesu-pam-backend:4755:root:root:Linux:
+file:/usr/sbin/change-passwd:4755:root:root:Linux:
+file:/usr/bin/lppasswd:2755:lp:lp:Linux:
+file:/usr/bin/get_printing_ticket:4750:root:lp:Linux:
+file:/bin/ping:4755:root:root:Linux:
+file:/bin/ping6:4755:root:root:Linux:
+file:/usr/sbin/mtr:4750:root:dialout:Linux:
+file:/usr/bin/rcp:4755:root:root:Linux:
+file:/usr/bin/rlogin:4755:root:root:Linux:
+file:/usr/bin/rsh:4755:root:root:Linux:
+file:/usr/bin/cl_status:2555:root:haclient:Linux:
+file:/usr/sbin/exim:4755:root:root:Linux:
+file:/usr/sbin/pppoe-wrapper:4750:root:dialout:Linux:
+file:/sbin/isdnctrl:4750:root:dialout:Linux:
+file:/usr/bin/vboxbeep:4755:root:trusted:Linux:
+file:/usr/lib/mc/cons.saver:4755:root:root:Linux:
+file:/usr/bin/jfbterm:6755:root:tty:Linux:
+file:/opt/kde3/bin/artswrapper:4755:root:root:Linux:
+file:/opt/kde3/bin/kcheckpass:4755:root:shadow:Linux:
+file:/usr/lib/kde4/libexec/kcheckpass:4755:root:shadow:Linux:
+file:/usr/lib64/kde4/libexec/kcheckpass:4755:root:shadow:Linux:
+file:/opt/kde3/bin/kdesud:2755:root:nogroup:Linux:
+file:/usr/lib/kde4/libexec/kdesud:2755:root:nogroup:Linux:
+file:/usr/lib64/kde4/libexec/kdesud:2755:root:nogroup:Linux:
+file:/opt/kde3/bin/kpac_dhcp_helper:4755:root:root:Linux:
+file:/opt/kde3/bin/start_kdeinit:4755:root:root:Linux:
+file:/usr/lib/kde4/libexec/start_kdeinit:4755:root:root:Linux:
+file:/usr/lib64/kde4/libexec/start_kdeinit:4755:root:root:Linux:
+file:/usr/bin/fileshareset:4755:root:root:Linux:
+file:/usr/sbin/amcheck:4750:root:amanda:Linux:
+file:/usr/lib/amanda/calcsize:4750:root:amanda:Linux:
+file:/usr/lib/amanda/rundump:4750:root:amanda:Linux:
+file:/usr/lib/amanda/planner:4750:root:amanda:Linux:
+file:/usr/lib/amanda/runtar:4750:root:amanda:Linux:
+file:/usr/lib/amanda/dumper:4750:root:amanda:Linux:
+file:/usr/lib/amanda/killpgrp:4750:root:amanda:Linux:
+file:/usr/lib/gnats/gen-index:4555:gnats:root:Linux:
+file:/usr/lib/gnats/pr-edit:4555:gnats:root:Linux:
+file:/usr/lib/gnats/queue-pr:4555:gnats:root:Linux:
+file:/usr/lib/news/bin/rnews:4550:news:uucp:Linux:
+file:/usr/lib/news/bin/startinnfeed:4554:root:news:Linux:
+file:/usr/lib/news/bin/inndstart:4554:root:news:Linux:
+file:/usr/lib/news/bin/inews:2555:news:news:Linux:
+file:/usr/lib/mgettysendfax/faxq-helper:4755:fax:root:Linux:
+file:/var/spool/fax/outgoing/:0755:fax:root:Linux:
+file:/var/spool/fax/outgoing/locks:0755:fax:root:Linux:
+file:/var/spool/uucppublic/:1777:root:root:Linux:
+file:/usr/bin/uucp:6555:uucp:uucp:Linux:
+file:/usr/bin/uuname:6555:uucp:uucp:Linux:
+file:/usr/bin/uustat:6555:uucp:uucp:Linux:
+file:/usr/bin/uux:6555:uucp:uucp:Linux:
+file:/usr/lib/uucp/uucico:6555:uucp:uucp:Linux:
+file:/usr/lib/uucp/uuxqt:6555:uucp:uucp:Linux:
+file:/usr/games/atc:2755:games:games:Linux:
+file:/usr/games/battlestar:2755:games:games:Linux:
+file:/usr/games/canfield:2755:games:games:Linux:
+file:/usr/games/cribbage:2755:games:games:Linux:
+file:/usr/games/phantasia:2755:games:games:Linux:
+file:/usr/games/robots:2755:games:games:Linux:
+file:/usr/games/sail:2755:games:games:Linux:
+file:/usr/games/snake:2755:games:games:Linux:
+file:/usr/games/tetris-bsd:2755:games:games:Linux:
+file:/usr/games/Maelstrom:2755:games:games:Linux:
+file:/usr/games/pachi:2755:games:games:Linux:
+file:/usr/games/martian:2755:games:games:Linux:
+file:/usr/lib/nethack/nethack.tty:2755:games:games:Linux:
+file:/usr/games/chromium:2755:games:games:Linux:
+file:/usr/games/xscrab:2755:games:games:Linux:
+file:/usr/games/trackballs:2755:games:games:Linux:
+file:/usr/games/ltris:2755:games:games:Linux:
+file:/usr/games/xlogical:2755:games:games:Linux:
+file:/usr/games/lbreakout2:2755:games:games:Linux:
+file:/usr/bin/xgalaga:2755:games:games:Linux:
+file:/usr/games/rocksndiamonds:2755:games:games:Linux:
+file:/usr/bin/glines:2755:games:games:Linux:
+file:/usr/bin/gnibbles:2755:games:games:Linux:
+file:/usr/bin/gnobots2:2755:games:games:Linux:
+file:/usr/bin/gnometris:2755:games:games:Linux:
+file:/usr/bin/gnomine:2755:games:games:Linux:
+file:/usr/bin/gnotravex:2755:games:games:Linux:
+file:/usr/bin/gnotski:2755:games:games:Linux:
+file:/usr/bin/gtali:2755:games:games:Linux:
+file:/usr/bin/mahjongg:2755:games:games:Linux:
+file:/usr/bin/same-gnome:2755:games:games:Linux:
+file:/usr/sbin/zypp-refresh-wrapper:4755:root:root:Linux:
+file:/usr/lib/PolicyKit/polkit-set-default-helper:4755:polkituser:root:Linux:
+file:/usr/lib/PolicyKit/polkit-read-auth-helper:2755:root:polkituser:Linux:
+file:/usr/lib/PolicyKit/polkit-revoke-helper:2755:root:polkituser:Linux:
+file:/usr/lib/PolicyKit/polkit-explicit-grant-helper:2755:root:polkituser:Linux:
+file:/usr/lib/PolicyKit/polkit-grant-helper:2755:root:polkituser:Linux:
+file:/usr/lib/PolicyKit/polkit-grant-helper-pam:4750:root:polkituser:Linux:
+file:/usr/lib/polkit-1/polkit-agent-helper-1:4755:root:root:Linux:
+file:/usr/bin/pkexec:4755:root:root:Linux:
+file:/lib/dbus-1/dbus-daemon-launch-helper:4750:root:messagebus:Linux:
+file:/lib64/dbus-1/dbus-daemon-launch-helper:4750:root:messagebus:Linux:
+file:/usr/bin/newrole:4755:root:root:Linux:
+file:/usr/lib/virtualbox/VirtualBox:4750:root:vboxusers:Linux:
+file:/usr/lib/virtualbox/VirtualBox3:4750:root:vboxusers:Linux:
+file:/usr/lib/virtualbox/VBoxBFE:4750:root:vboxusers:Linux:
+file:/usr/lib/virtualbox/VBoxHeadless:4750:root:vboxusers:Linux:
+file:/usr/lib/virtualbox/VBoxSDL:4750:root:vboxusers:Linux:
+file:/usr/lib/virtualbox/VBoxNetAdpCtl:4750:root:vboxusers:Linux:
+file:/usr/bin/vmware-user-suid-wrapper:4755:root:root:Linux:
+file:/var/log/messages:0644:root.root:Linux:
\ No newline at end of file
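Review bot: The replacement list drops the four records for `/etc/group`, `/etc/gshadow`, `/etc/passwd` and `/etc/shadow`, so the account databases are no longer part of the permission baseline. Three kinds of new records can never equal what `stat --printf="%a:%U:%G"` prints in tests_file_permissionsDB: `file:/etc/crontab:44:root:root:Linux:` (mode `44` looks truncated, confirm the intended value), the modes written with a leading zero (`0755`, `0644`), and `file:/var/log/messages:0644:root.root:Linux:`, where `root.root` shifts the group and OS fields by one. Wherever those files exist they are reported as deviations on every run, which buries real findings. I would restore the removed records, write the last one as `file:/var/log/messages:644:root:root:Linux:`, and keep the `#version=` header and field description so the record format stays documented.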
++++++ lynis_1.3.0_include-test-databases.diff ++++++
Index: include/tests_databases
===================================================================
--- include/tests_databases.orig
+++ include/tests_databases
@@ -117,7 +117,7 @@
     #               reco: recovery (optional)
     Register --test-no DBS-1840 --weight L --network NO --description 
"Checking active Oracle processes"
     if [ ${SKIPTEST} -eq 0 ]; then
-       FIND=`${PSBINARY} ax | grep "ora_pmon|ora_smon|tnslsnr" | grep -v 
"grep"`
+       FIND=`${PSBINARY} ax | egrep "ora_pmon|ora_smon|tnslsnr" | grep -v 
"grep"`
        if [ "${FIND}" = "" ]; then
            Display --indent 2 --text "- Oracle processes status..." --result 
"NOT FOUND" --color WHITE
            logtext "Result: Oracle process(es) not active"
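Review bot: The new pipeline still depends on `grep -v "grep"` to remove its own entry, which also discards any Oracle process whose command line happens to contain the string `grep`. Patterns that cannot match their own command line make the second filter unnecessary: `${PSBINARY} ax | grep -E "[o]ra_pmon|[o]ra_smon|[t]nslsnr"`. `grep -E` is also the spelling current GNU grep expects, since `egrep` now prints an obsolescence warning. The body of test DBS-1840 continues outside the hunk.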
++++++ lynis_1.3.0_include_binaries.diff ++++++
Index: include/binaries
===================================================================
--- include/binaries.orig
+++ include/binaries
@@ -80,7 +80,7 @@
       J=${I}"/aa-status";      if [ -f ${J} ]; then APPARMORFOUND=1;    
AASTATUSBINARY=${J};   logtext "Found ${J}";   fi
       J=${I}"/afick.pl";       if [ -f ${J} ]; then AFICKFOUND=0;       
AFICKBINARY=${J};      logtext "Found ${J}";   fi
       J=${I}"/aide";           if [ -f ${J} ]; then AIDEFOUND=1;        
AIDEBINARY=${J};       logtext "Found ${J}";   fi
-      J=${I}"/apache2";        if [ -f ${J} ]; then HTTPDFOUND=1;       
HTTPDBINARY=${J};      logtext "Found ${J}";   fi
+      J=${I}"/httpd2-prefork";  if [ -f ${J} ]; then HTTPDFOUND=1;      
HTTPDBINARY=${J};      logtext "Found ${J}";   fi
       J=${I}"/auditd";         if [ -f ${J} ]; then AUDITDFOUND=1;      
AUDITDBINARY=${J};     logtext "Found ${J}";   fi    
       J=${I}"/awk";                    if [ -f ${J} ]; then AWKFOUND=0;        
 AWKBINARY=${J};        logtext "Found ${J}";   fi
       J=${I}"/chkconfig";      if [ -f ${J} ]; then CHKCONFIGFOUND=1;   
CHKCONFIGBINARY=${J};  logtext "Found ${J}";   fi
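Review bot: Replacing the `apache2` line with `httpd2-prefork` means `HTTPDFOUND` is set only for the prefork binary. A host whose Apache binary has another name, such as a different MPM build or the plain `apache2` this line used to match, leaves `HTTPDBINARY` empty, and presumably the web server tests are then skipped without any finding. I would keep the old line and add the new name as an extra line of the same shape, `J=${I}"/httpd2-prefork"; if [ -f ${J} ]; then HTTPDFOUND=1; HTTPDBINARY=${J}; logtext "Found ${J}"; fi`, plus one line per further Apache binary the distribution ships. The loop over `${I}` that encloses these lines starts and ends outside the hunk.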
++++++ lynis_1.3.0_include_consts.diff ++++++
Index: include/consts
===================================================================
--- include/consts.orig
+++ include/consts
@@ -68,6 +68,7 @@ BINPATHS="/bin /sbin /usr/bin /usr/sbin
     CHKROOTKITBINARY=""
     CHKCONFIGBINARY=""
     FILEVALUE=""
+    FILE_NUM_TOTAL=0
     FIND=""
     GRPCKBINARY=""
     IPTABLESBINARY=""
++++++ lynis_1.3.0_lynis.diff ++++++
Index: lynis
===================================================================
--- lynis.orig
+++ lynis
@@ -464,6 +464,14 @@ REPORT_version="${REPORT_version_major}.
 #
 
#################################################################################
 #
+
+#
+#################################################################################
+#
+       # init totl number of files
+       FILE_NUM_TOTAL=$(find / -xdev \( -type f -o -type d -o -type s -o -type 
b -type p -o -type c \) | wc -l | cut -d' ' -f1)
+
+
     # Test sections
     if [ "${TESTS_CATEGORY_TO_PERFORM}" = "" ]; then
        #YYY insert plugin support
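Review bot: In the added `find` expression, `-type b -type p` has no `-o` between the two tests, so find ANDs them and neither block devices nor FIFOs are ever counted. The same expression is repeated in tests_file_permissions_ww, where it decides which world-writable objects get reported. The list should read `-type s -o -type b -o -type p -o -type c`, and a `2>/dev/null` on the find keeps permission errors off the screen. The walk over `/` also runs on every start, before `TESTS_CATEGORY_TO_PERFORM` is evaluated, even when no selected test reads `FILE_NUM_TOTAL`; computing it inside the tests that need it would avoid that. The comment has a typo and should read `# init total number of files`.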
@@ -474,7 +482,9 @@ REPORT_version="${REPORT_version_major}.
                       webservers ssh snmp databases ldap php squid logging \
                       insecure_services banners scheduling accounting \
                       time crypto virtualization mac_frameworks file_integrity 
hardening_tools \
-                      malware file_permissions homedirs kernel_hardening 
hardening"
+                      malware file_permissions file_permissionsDB homedirs 
kernel_hardening hardening \
+                       system_dbus users_wo_password binary_rpath tmp_symlinks 
file_permissions_ww \
+                       system_proc network_allowed_ports"
       else
         INCLUDE_TESTS="${TESTS_CATEGORY_TO_PERFORM}"
     fi

++++++ prepare_for_suse.sh ++++++
#!/bin/bash

# Files and directories this script creates get no group/other access
# (umask 0077 clears those permission bits on creation).
umask 0077

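#######################################
# Rebuild db/fileperms.db from the permission profiles selected by
# PERMISSION_SECURITY in /etc/sysconfig/security.
# Globals:   TMPDIR (read)    - scratch directory prepared by the caller
#            PERMS  (written) - profile names taken from PERMISSION_SECURITY
# Outputs:   profile names on stdout, diagnostics on stderr
# Returns:   0 when the new database was installed, 1 otherwise
# Note:      db/ is resolved relative to the current directory, so the
#            caller decides which fileperms.db is replaced.
#######################################
function fileperms()
{
        local p profile
        local list="${TMPDIR}/fileperms.lst"

        # With an empty TMPDIR the list would be written to /fileperms.lst.
        if [ -z "${TMPDIR}" ] || [ ! -d "${TMPDIR}" ]; then
                echo "fileperms: TMPDIR is not a usable directory" >&2
                return 1
        fi

        PERMS=$(grep -E "^PERMISSION_SECURITY=" /etc/sysconfig/security | awk -F'=' '{print $2}' | sed 's/"//g')
        echo "$PERMS"
        # Word splitting is intended: the setting is a space-separated list.
        for p in $PERMS
        do
                echo "$p"
                profile="/etc/permissions.$p"
                if [ ! -r "$profile" ]; then
                        echo "fileperms: $profile is not readable, skipped" >&2
                        continue
                fi
                # profile line: <path> <owner:group> <mode>  ->  file:<path>:<mode>:<owner:group>:Linux:
                grep -E "^/\w.*" "$profile" | awk '{print "file:"$1":"$3":"$2":Linux:"}' >> "$list"
        done

        # An empty or missing list would replace the baseline with nothing, and
        # the permission audit would then report no deviations at all.
        if [ ! -s "$list" ]; then
                echo "fileperms: no entries generated, db/fileperms.db left untouched" >&2
                return 1
        fi

        # Keep the shipped database once; never overwrite it without a backup.
        if [ -f db/fileperms.db ] && ! [ -f db/fileperms.db.orig ]; then
                cp -v db/fileperms.db db/fileperms.db.orig || return 1
        fi

        cp "$list" db/fileperms.db
}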



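# Scratch directory for the generated list. mktemp -d picks an unpredictable
# name, so another local user cannot prepare the path in advance.
TMPDIR=$(mktemp -d /tmp/lynis.XXXXXX) || {
        echo "cannot create temporary directory" >&2
        exit 1
}
# Remove the scratch directory on every exit path instead of leaving one
# /tmp/lynis.* directory behind per run.
trap 'rm -rf -- "$TMPDIR"' EXIT

echo "prepare lynis config for your suse systems"
echo "1. lookup file permission level"
# Propagate a failed database rebuild to the caller.
fileperms || exit 1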
++++++ tests_binary_rpath ++++++
#!/bin/bash

#################################################################################
#
# Author: Thomas Biege <[email protected]>
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Verifies if a binary contains an insecure RPATH variable.
#
#################################################################################
#
# TODO:
#
################################################################################
#
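    InsertSection "Binary integrity"
    report "[Software]"
#
#################################################################################
#
    # Test        : BINARY-1000
    # Description : Verifies if a binary contains an insecure RPATH variable.
    #
    # Every regular file on the root file system with an execute bit is passed
    # to objdump. Each RPATH/RUNPATH value is split at ':' and every entry has
    # to start with one of the library directories accepted in the case
    # statement below; all other entries are reported, including empty and
    # relative ones.
    Register --test-no BINARY-1000 --weight L --network NO --description "Verifies if a binary contains an insecure RPATH variable."
    if [ ${SKIPTEST} -eq 0 ]; then
        Display --indent 2 --text "- Starting binary RPATH check..."
        logtext "Test: Checking binary integrity of RPATH"

        RPNOTOK=0
        FILENUM=0       # executables inspected
        HPMAX=0         # RPATH/RUNPATH values seen
        HPBAD=0         # values with at least one entry that is not accepted

        # The file list is stored NUL-separated so that names containing blanks
        # or newlines are inspected as they exist on disk. A word-split
        # $(find ...) would hand objdump fragments of such names and the
        # executable would never be checked.
        RPATH_LIST=$(mktemp /tmp/lynis.XXXXXX)
        if [ -n "$RPATH_LIST" ]; then
                find / -xdev -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \) -print0 2>/dev/null > "$RPATH_LIST"
                # fd 3 keeps stdin untouched for the commands inside the loop
                while IFS= read -r -d '' FILE <&3
                do
                        # the listing had ((FILENUM)), which evaluates the counter without changing it
                        FILENUM=$((FILENUM + 1))
                        for RPATH_VAL in $(objdump -p "$FILE" 2>/dev/null | grep -E -w '(RPATH|RUNPATH)' | awk '{ print $2 ":"}')
                        do
                                HPMAX=$((HPMAX + 1))
                                VALUE_BAD=0
                                while [ -n "$RPATH_VAL" ]
                                do
                                        RPATH_VAL_NXT=${RPATH_VAL%%:*}
                                        # awk appended ':' to the value, so cutting through the first
                                        # ':' always shortens it; the entry is not used as a pattern,
                                        # which could stall the loop on '\' or glob characters
                                        RPATH_VAL=${RPATH_VAL#*:}

                                        # $ORIGIN entries are skipped one by one, so the entries that
                                        # follow in the same value are still checked
                                        if [ "${RPATH_VAL_NXT:0:7}" = "\$ORIGIN" ]; then continue; fi

                                        # Only absolute entries are canonicalised. A relative entry
                                        # would be resolved against the scanner's working directory
                                        # and could pass by accident.
                                        case "$RPATH_VAL_NXT" in
                                                /*)
                                                        if [ -d "$RPATH_VAL_NXT" ]; then
                                                                RESOLVED=$(cd -- "${RPATH_VAL_NXT//#\/\//\/}" 2>/dev/null && pwd -P)
                                                                if [ -n "$RESOLVED" ]; then RPATH_VAL_NXT=$RESOLVED; fi
                                                        fi
                                                        ;;
                                        esac

                                        case ":$RPATH_VAL_NXT" in
                                                :/usr/lib*)
                                                        ;;
                                                :/lib*)
                                                        ;;
                                                :/opt/*/lib*)
                                                        ;;
                                                :/usr/X11R6/lib*)
                                                        ;;
                                                :/usr/local/lib*)
                                                        ;;
                                                *)
                                                        VALUE_BAD=1
                                                        RPNOTOK=1
                                                        Display --indent 4 --text "${FILE}" --text "RPATH \"$RPATH_VAL_NXT\" on $FILE is not allowed" --result WARNING --color RED
                                                        ;;
                                        esac
                                done
                                # count a value once, so HPBAD can never exceed HPMAX
                                if [ "$VALUE_BAD" -eq 1 ]; then HPBAD=$((HPBAD + 1)); fi
                        done
                done 3< "$RPATH_LIST"
                rm -f "$RPATH_LIST"

                if [ $RPNOTOK == 0 ]; then
                        Display --indent 4 --text "No bad RPATH usage found in $FILENUM executables" --result OK --color GREEN
                fi
                HP=$((HPMAX - HPBAD))
#       echo "AddHP $HP $HPMAX"
                AddHP $HP $HPMAX
        else
                # no list, no scan: do not award hardening points for a check that did not run
                logtext "Result: could not create temporary file, RPATH check skipped"
        fi

    fi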
#
#################################################################################
#

wait_for_keypress
++++++ tests_file_permissionsDB ++++++
#!/bin/sh

#################################################################################
#
# Author: Thomas Biege <[email protected]>
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
#  File permissions from db file
#
#################################################################################
#
# TODO:
# - owner can have ':' and '.' as delimiter, '.' will cause an error -> fix it!
# - octal perms starting with 0 are valid but will cause an error -> fix it!
#
################################################################################
#
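    InsertSection "File systems"
#
#################################################################################
#
    # Test        : FILE-7525
    # Description : Perform file permissions check
    #
    # Each record of the database has the form
    #     type:path:mode:owner:group:os:
    # and is compared with the "mode:owner:group" string stat prints for the
    # path. Paths that stat cannot read are skipped without a finding.
    Register --test-no FILE-7525 --weight L --network NO --description "Perform file permissions check from DB"
    if [ ${SKIPTEST} -eq 0 ]; then
        DB="${DBDIR}/fileperms.db"
        Display --indent 2 --text "- Starting file permissions check from DB..."
        logtext "Test: Checking file permissions from DB"
        logtext "Using database ${DB}."

        HPMAX=0
        HPBAD=0
        # Read whole lines; fd 3 keeps stdin free for the commands in the loop.
        # The second test keeps a last record that has no trailing newline.
        while IFS= read -r LINE <&3 || [ -n "$LINE" ]
        do
                # blank lines and '#' comments (version header, field description) are not records
                case "$LINE" in
                        ''|'#'*) continue ;;
                esac

                # the listing had ((HPMAX)), which evaluates the counter without changing it
                HPMAX=$((HPMAX + 1))
                FN=$(printf '%s\n' "$LINE" | cut -d: -f2)
                PM=$(printf '%s\n' "$LINE" | cut -d: -f3)
                UN=$(printf '%s\n' "$LINE" | cut -d: -f4)
                GN=$(printf '%s\n' "$LINE" | cut -d: -f5)
                OS=$(printf '%s\n' "$LINE" | cut -d: -f6)

                # "owner.group" in the owner field shifts the following fields by
                # one; split it so the record is still compared correctly.
                if [ -z "$OS" ]; then
                        case "$UN" in
                                ?*.?*)
                                        OS=$GN
                                        GN=${UN#*.}
                                        UN=${UN%%.*}
                                        ;;
                        esac
                fi
                if [ -z "$OS" ]; then
                        logtext "Warning: line format invalid: '$LINE'"
                fi

                # stat prints the mode without leading zeros ("0644" -> "644")
                while [ "${#PM}" -gt 1 ] && [ "${PM#0}" != "$PM" ]
                do
                        PM=${PM#0}
                done

                logtext "Checking $FN"

                STR="$PM:$UN:$GN"
                STAT=$(stat --printf="%a:%U:%G" -- "$FN" 2>/dev/null)
                if [ -z "$STAT" ]; then
                        #Display --indent 4 --text "${FN}" --result "NOT FOUND" --color WHITE
                        continue
                fi
                if [ "$STR" != "$STAT" ]; then
                        HPBAD=$((HPBAD + 1))
                        Display --indent 4 --text "${FN}" --result WARNING --color RED
                else
                        Display --indent 4 --text "${FN}" --result OK --color GREEN
                fi
        done 3< "$DB"

        HP=$((HPMAX - HPBAD))
#       echo "AddHP $HP $HPMAX"
        AddHP $HP $HPMAX
    fi
#
#################################################################################
#

wait_for_keypress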

#
#================================================================================
++++++ tests_file_permissions_ww ++++++
#!/bin/sh

#################################################################################
#
# Author: Thomas Biege <[email protected]>
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
#  File permissions world-writeable file
#
#################################################################################
#
# TODO:
#
################################################################################
#
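    InsertSection "File systems"
#
#################################################################################
#
    # Test        : FILE-7527
    # Description : Lookup world-writeable files
    #
    # Lists every file, directory, socket, device node and FIFO on the root
    # file system that has the write bit set for "other" and takes one
    # hardening point off per hit, starting from FILE_NUM_TOTAL.
    # NOTE(review): sticky directories such as /tmp match as well. Confirm
    # whether they are meant to be reported.
    Register --test-no FILE-7527 --weight L --network NO --description "Lookup world-writeable files."
    if [ ${SKIPTEST} -eq 0 ]; then
        Display --indent 2 --text "- Starting file permissions check for world-writeable files..."
        logtext "Test: Checking for world-writeable files"

        TMP=$(mktemp /tmp/lynis.XXXXXX)
        HPMAX=${FILE_NUM_TOTAL:-0}
        HP=$HPMAX
        if [ -n "$TMP" ]; then
                # "-type b -type p" in the listing lacked the "-o", so find ANDed the
                # two tests and neither block devices nor FIFOs were ever matched
                find / -xdev \( -type f -o -type d -o -type s -o -type b -o -type p -o -type c \) -a -perm -0002 -print 2>/dev/null > "$TMP"
                # read whole lines so that names containing blanks are reported as
                # one object; fd 3 keeps stdin free for Display
                while IFS= read -r i <&3
                do
                        HP=$((HP - 1))
                        Display --indent 4 --text "${i} is world-writeable" --result WARNING --color RED
                done 3< "$TMP"
#       echo  "AddHP $HP $HPMAX"
                AddHP $HP $HPMAX
                rm -f "$TMP"
        else
                # no list, no scan: do not award hardening points for a check that did not run
                logtext "Result: could not create temporary file, world-writeable check skipped"
        fi
    fi
#
#################################################################################
#

wait_for_keypress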

#
#================================================================================++++++
 tests_network_allowed_ports ++++++
#!/bin/bash

#################################################################################
#
# Author: Thomas Biege <[email protected]>
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Verifies open network ports.
#
#################################################################################
#
# TODO:
#
################################################################################
#
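    InsertSection "Networking"
#
#################################################################################
#
    # Test        : NETW-3085
    # Description : Verifies open network ports against a built-in allow list.
    #
    # NOTE(review): only netstat lines containing "listen" are inspected, so
    # sockets without a LISTEN state (presumably all UDP sockets) are not
    # covered - confirm. The allow list is hard-coded and listeners bound to
    # loopback are treated the same as listeners bound to every interface.
    Register --test-no NETW-3085 --weight L --network NO --description "Verifies open network ports."
    if [ "${SKIPTEST}" -eq 0 ]; then
        ALLOWED_PORTS=( 22 25 68 80 111 443 )

        # Space-separated copy of the allow list for screen and log output.
        STR=$(printf '%s ' "${ALLOWED_PORTS[@]}")
        STR=${STR% }
        Display --indent 2 --text "- Starting verifying open network ports ($STR)..."
        logtext "Test: Checking open network ports"
        logtext "Allowed ports: $STR"

        # Without netstat the port list would be empty and the test would pass
        # with full points; skip and log instead of failing open.
        if ! command -v netstat >/dev/null 2>&1; then
            logtext "Warning: netstat not found, open network ports check skipped"
        else
            # Local-address column of each listening socket, reduced to the part
            # after the last ':'. Only purely numeric tokens are kept, so leftovers
            # from UNIX socket lines never reach the comparison or get globbed.
            PORTS=( $(netstat -an | grep -i listen | awk '{ print $4 }' | sed 's/.*://;s/ACC//' | grep '^[0-9][0-9]*$' | sort -un) )

            NUM_NOTOK=0
            for P in "${PORTS[@]}"
            do
                PORTOK=0
                for A in "${ALLOWED_PORTS[@]}"
                do
                    if [ "$P" = "$A" ]; then
                        PORTOK=1
                        break
                    fi
                done
                if [ "$PORTOK" -eq 0 ]; then
                    NUM_NOTOK=$((NUM_NOTOK + 1))
                    Display --indent 4 --text "Open port ${P} not allowed" --result WARNING --color RED
                fi
            done

            # The maximum is the size of the allow list; taken from the array
            # itself so it is defined even when no listening port was found.
            HPMAX=${#ALLOWED_PORTS[@]}
            HP=$((HPMAX - NUM_NOTOK))
            if [ "$HP" -lt 0 ]; then HP=0; fi

            AddHP "$HP" "$HPMAX"
        fi
    fi
#
#################################################################################
#

wait_for_keypress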

#
#================================================================================++++++
 tests_system_dbus ++++++
#!/bin/bash

#################################################################################
#
# Author: Thomas Biege <[email protected]>
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Verifies dbus policy.
#
#################################################################################
#
# TODO:
#
################################################################################
#
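    InsertSection "System Tools"
    report "[Software]"
#
#################################################################################
#
    # Test        : SYSTEM-1000
    # Description : Verifies dbus policy.
    #
    # Every D-Bus system-service file and system.d policy file is compared by
    # base name with the entries of dbus-whitelist.db; files that are not listed
    # are reported together with the RPM package that owns them.
    # The registered description used to talk about RPATH, which belongs to a
    # different test.
    Register --test-no SYSTEM-1000 --weight L --network NO --description "Verifies dbus policy."
    if [ "${SKIPTEST}" -eq 0 ]; then
        Display --indent 2 --text "- Starting dbus policy check..."
        logtext "Test: Checking dbus policy"

        DB="${DBDIR}/dbus-whitelist.db"

        if ! [ -f "$DB" ]
        then
            if [ -f ./dbus-whitelist.db ]
            then
                # NOTE(review): this fallback trusts an allow list from the current
                # working directory; whoever can write there decides which services
                # get reported. It is logged so the report shows which file was used.
                DB="./dbus-whitelist.db"
                logtext "Notice: using dbus whitelist from the current directory: $DB"
            else
                DB=""
                logtext "Warning: dbus autostart/system services whitelist file is missing."
            fi
        fi

        # Without a whitelist the check is skipped and no points are awarded.
        if [ -n "$DB" ]
        then
            WHITELIST=$(cat "$DB")
            HPMAX=$(wc -l < "$DB")
            HPMAX=$((HPMAX + 0))    # normalise any padding in the wc output
            HPBAD=0

            # Let the shell expand the globs instead of parsing ls output.
            for i in /usr/share/dbus-*/system-services/*.service /etc/dbus-*/system.d/*.conf
            do
                # An unmatched pattern stays literal; skip it.
                [ -e "$i" ] || continue
                DF=${i##*/}

                # Whitelist entries are whitespace separated; compare each one
                # literally and as a whole, without pathname expansion.
                if ! printf '%s\n' "$WHITELIST" | tr -s '[:space:]' '\n' | grep -qxF -- "$DF"
                then
                    HPBAD=$((HPBAD + 1))
                    PKG=$(rpm -qf "$i")
                    Display --indent 4 --text "Warning: Package $PKG installs an unknown D-BUS autostart/system service: $DF" --result WARNING --color RED
                fi
            done

            HP=$((HPMAX - HPBAD))
            # More unknown services than whitelist lines must not go negative.
            if [ "$HP" -lt 0 ]; then HP=0; fi
#           echo "AddHP $HP $HPMAX"
            AddHP "$HP" "$HPMAX"
        fi
    fi
#
#################################################################################
#

wait_for_keypress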

#
#================================================================================++++++
 tests_system_proc ++++++
#!/bin/bash

#################################################################################
#
# Author: Thomas Biege <[email protected]>
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Checking for processes running as 'nobody'
#
#################################################################################
#
# TODO:
#
################################################################################
#
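    InsertSection "Memory and processes"
#
#################################################################################
#
    # Test        : PROC-3625
    # Description : Processes running as 'nobody'
    #
    # 'nobody' is a shared unprivileged account: unrelated services that all run
    # under it are not isolated from one another, so every such process is
    # reported for review and costs one hardening point.
    Register --test-no PROC-3625 --weight L --network NO --description "Processes running as 'nobody'."
    if [ "${SKIPTEST}" -eq 0 ]; then
        Display --indent 2 --text "- Starting look-up of 'nobody' processes..."
        logtext "Test: Checking for processes running as 'nobody'"

        # Only score the test when the process list could be captured.
        if TMP=$(mktemp /tmp/lynis.XXXXXX); then
            # Empty column titles ("=") suppress the ps header line, so the
            # header is not counted as a process in HPMAX.
            ps -e -o user= -o pid= -o comm= > "$TMP"
            HPMAX=$(wc -l < "$TMP")
            HPMAX=$((HPMAX + 0))    # normalise any padding in the wc output
            HP=$HPMAX

            # The last variable takes the rest of the line, so command names
            # containing blanks are reported in full.
            while read -r PUSER PID PNAME
            do
                # Exact match on the user column; a prefix match would also
                # flag accounts whose name merely starts with "nobody".
                [ "$PUSER" = "nobody" ] || continue
                HP=$((HP - 1))
                Display --indent 4 --text "${PNAME} [PID ${PID}] runs as user 'nobody'" --result WARNING --color RED
            done < "$TMP"

#           echo "AddHP $HP $HPMAX"
            AddHP "$HP" "$HPMAX"

            rm -f -- "$TMP"
        else
            logtext "Warning: could not create temporary file, 'nobody' process check skipped"
        fi
    fi
#
#################################################################################
#

wait_for_keypress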

#
#================================================================================++++++
 tests_tmp_symlinks ++++++
#!/bin/sh

#################################################################################
#
# Author: Thomas Biege <[email protected]>
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Looks up symlinks in /tmp 
#
#################################################################################
#
# TODO:
# - also verify other tmp locations like /var/tmp and ~/tmp
#
################################################################################
#
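    InsertSection "File systems"
#
#################################################################################
#
    # Test        : FILE-7526
    # Description : Looks up symlinks in /tmp
    #
    # Every local user can create entries in /tmp, so the names found here are
    # untrusted input: they are read one per line and never word-split or
    # glob-expanded. A symlink in /tmp is not a finding by itself; each hit
    # needs a look at its owner and target.
    # NOTE(review): a name containing a newline is shown as two entries.
    Register --test-no FILE-7526 --weight L --network NO --description "Looks up symlinks in /tmp"
    if [ "${SKIPTEST}" -eq 0 ]; then
        Display --indent 2 --text "- Starting look-up of symlinks in /tmp..."
        logtext "Test: Checking /tmp for symlinks"

        TMP_SYMLINK=$(find /tmp -type l -print 2>/dev/null)

        if [ -n "$TMP_SYMLINK" ]
        then
            # Here-document instead of a pipe keeps the loop in the current
            # shell; the terminator has to start in column 0.
            while IFS= read -r sym
            do
                Display --indent 4 --text "${sym}" --result WARNING --color RED
            done <<EOF
$TMP_SYMLINK
EOF
        fi
    fi
#
#################################################################################
#

wait_for_keypress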

#
#================================================================================++++++
 tests_users_wo_password ++++++
#!/bin/bash

#################################################################################
#
# Author: Thomas Biege <[email protected]>
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# Verifies dbus policy.
#
#################################################################################
#
# TODO:
#
################################################################################
#
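    InsertSection "Users, Groups and Authentication"
    report "[Software]"
#
#################################################################################
#
    # Test        : AUTH-1000
    # Description : Verifies if users without a password exist.
    #
    # An account counts as password-less when the second field of its
    # /etc/passwd or /etc/shadow entry is empty.
    # NOTE(review): /etc/shadow is normally readable by root only; without that
    # access only /etc/passwd contributes and the result is incomplete.
    Register --test-no AUTH-1000 --weight M --network NO --description "Verifies if users without a password exist."
    if [ "${SKIPTEST}" -eq 0 ]; then
        Display --indent 2 --text "- Starting password check for users..."
        logtext "Test: Checking existence of password"

        # Private variable name on purpose: TMPDIR is what mktemp and other
        # tools consult for their temp location, and reusing it here would
        # leave it pointing at a directory that is removed below.
        if PWTMP=$(mktemp -d /tmp/lynis.XXXXXX); then
            HPMAX=$(wc -l < /etc/passwd)
            HPMAX=$((HPMAX + 0))    # normalise any padding in the wc output

            awk -F: '$2 == "" && $1 != "" {print $1}' /etc/passwd >  "$PWTMP/userwopwd"
            awk -F: '$2 == "" && $1 != "" {print $1}' /etc/shadow >> "$PWTMP/userwopwd"
            # An account can be listed by both files; report it once.
            sort -u "$PWTMP/userwopwd" > "$PWTMP/userwopwd2"

            HPBAD=0
            while IFS= read -r i
            do
                HPBAD=$((HPBAD + 1))
                Display --indent 4 --text "${i} has no password set" --result WARNING --color RED
            done < "$PWTMP/userwopwd2"

            HP=$((HPMAX - HPBAD))
#           echo "AddHP $HP $HPMAX"
            AddHP "$HP" "$HPMAX"

            rm -rf -- "$PWTMP"
        else
            logtext "Warning: could not create temporary directory, password check skipped"
        fi
    fi
#
#################################################################################
#

wait_for_keypress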

#
#================================================================================--