Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package lynis for openSUSE:Factory checked 
in at 2021-05-11 23:04:38
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/lynis (Old)
 and      /work/SRC/openSUSE:Factory/.lynis.new.2988 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "lynis"

Tue May 11 23:04:38 2021 rev:43 rq:892267 version:3.0.4

Changes:
--------
--- /work/SRC/openSUSE:Factory/lynis/lynis.changes      2021-01-08 
17:40:13.749019197 +0100
+++ /work/SRC/openSUSE:Factory/.lynis.new.2988/lynis.changes    2021-05-11 
23:04:48.992783482 +0200
@@ -1,0 +2,17 @@
+Tue May 11 12:43:28 UTC 2021 - Johannes Segitz <[email protected]>
+
+- Update to 3.0.4 
+  * Added
+    - ACCT-9670 - Detection of cmd tooling
+    - ACCT-9672 - Test cmd configuration file
+    - BOOT-5140 - Check for ELILO boot loader presence
+    - OS detection of AlmaLinux, Garuda Linux, Manjaro (ARM), and others
+  * Changed
+    - BOOT-5104 - Add service manager detection support for runit
+    - FILE-6430 - Report suggestion only when at least one kernel module is 
not in the blacklist
+    - FIRE-4540 - Corrected nftables empy ruleset test
+    - LOGG-2138 - Do not check for klogd when metalog is being used
+    - TIME-3185 - Improved support for Debian stretch
+    - Corrected issue when Lynis is not executed directly from lynis directory
+
+-------------------------------------------------------------------

Old:
----
  lynis-3.0.3.tar.gz
  lynis-3.0.3.tar.gz.asc

New:
----
  lynis-3.0.4.tar.gz
  lynis-3.0.4.tar.gz.asc

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ lynis.spec ++++++
--- /var/tmp/diff_new_pack.IBPTRx/_old  2021-05-11 23:04:49.616780907 +0200
+++ /var/tmp/diff_new_pack.IBPTRx/_new  2021-05-11 23:04:49.620780890 +0200
@@ -23,7 +23,7 @@
 %define _pluginsdir       %{_datadir}/lynis/plugins
 %define _dbdir            %{_datadir}/lynis/db
 Name:           lynis
-Version:        3.0.3
+Version:        3.0.4
 Release:        0
 Summary:        Security and System auditing tool
 License:        GPL-3.0-only

++++++ lynis-3.0.3.tar.gz -> lynis-3.0.4.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/CHANGELOG.md new/lynis/CHANGELOG.md
--- old/lynis/CHANGELOG.md      2021-01-07 01:00:00.000000000 +0100
+++ new/lynis/CHANGELOG.md      2021-05-11 02:00:00.000000000 +0200
@@ -1,14 +1,30 @@
 # Lynis Changelog
 
-## Lynis 3.0.3 (2021-01-07)
+## Lynis 3.0.4 (2021-05-11)
 
 ### Added
+- ACCT-9670 - Detection of cmd tooling
+- ACCT-9672 - Test cmd configuration file
+- BOOT-5140 - Check for ELILO boot loader presence
+- OS detection of AlmaLinux, Garuda Linux, Manjaro (ARM), and others
+
+### Changed
+- BOOT-5104 - Add service manager detection support for runit
+- FILE-6430 - Report suggestion only when at least one kernel module is not in 
the blacklist
+- FIRE-4540 - Corrected nftables empy ruleset test
+- LOGG-2138 - Do not check for klogd when metalog is being used
+- TIME-3185 - Improved support for Debian stretch
+- Corrected issue when Lynis is not executed directly from lynis directory
+
+---------------------------------------------------------------------------------
 
+## Lynis 3.0.3 (2021-01-07)
+
+### Added
 - HRDN-7231 - Check for registered non-native binary formats
 - OS detection of Parrot GNU/Linux
 
 ### Changed
-
 - DBS-1816  - Force test to check only password authentication
 - KRNL-5677 - Support for NetBSD
 - Bugfix: command 'configure settings' did not work as intended
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/db/languages/en new/lynis/db/languages/en
--- old/lynis/db/languages/en   2021-01-07 01:00:00.000000000 +0100
+++ new/lynis/db/languages/en   2021-05-11 02:00:00.000000000 +0200
@@ -72,10 +72,14 @@
 STATUS_DONE="DONE"
 STATUS_ENABLED="ENABLED"
 STATUS_ERROR="ERROR"
+STATUS_EXPOSED="EXPOSED"
 STATUS_FAILED="FAILED"
 STATUS_FILES_FOUND="FILES FOUND"
 STATUS_FOUND="FOUND"
+STATUS_HARDENED="HARDENED"
 STATUS_INSTALLED="INSTALLED"
+STATUS_LOCAL_ONLY="LOCAL ONLY"
+STATUS_MEDIUM="MEDIUM"
 STATUS_NO="NO"
 STATUS_NO_UPDATE="NO UPDATE"
 STATUS_NON_DEFAULT="NON DEFAULT"
@@ -88,11 +92,13 @@
 STATUS_OFF="OFF"
 STATUS_OK="OK"
 STATUS_ON="ON"
+STATUS_PARTIALLY_HARDENED="PARTIALLY HARDENED"
 STATUS_PROTECTED="PROTECTED"
 STATUS_RUNNING="RUNNING"
 STATUS_SKIPPED="SKIPPED"
 STATUS_SUGGESTION="SUGGESTION"
 STATUS_UNKNOWN="UNKNOWN"
+STATUS_UNSAFE="UNSAFE"
 STATUS_UPDATE_AVAILABLE="UPDATE AVAILABLE"
 STATUS_WARNING="WARNING"
 STATUS_WEAK="WEAK"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/db/languages/fr new/lynis/db/languages/fr
--- old/lynis/db/languages/fr   2021-01-07 01:00:00.000000000 +0100
+++ new/lynis/db/languages/fr   2021-05-11 02:00:00.000000000 +0200
@@ -72,10 +72,14 @@
 STATUS_DONE="FAIT"
 STATUS_ENABLED="ACTIV??"
 STATUS_ERROR="ERREUR"
+STATUS_EXPOSED="EXPOS??"
 STATUS_FAILED="??CHOU??"
 STATUS_FILES_FOUND="FICHIERS TROUV??S"
 STATUS_FOUND="TROUV??"
+STATUS_HARDENED="RENFORC??"
 STATUS_INSTALLED="INSTALL??"
+STATUS_LOCAL_ONLY="LOCAL SEULEMENT"
+STATUS_MEDIUM="MOYEN"
 STATUS_NO="NON"
 STATUS_NO_UPDATE="PAS DE MISE A JOUR"
 STATUS_NON_DEFAULT="PAS PAR D??FAUT"
@@ -88,11 +92,13 @@
 STATUS_OFF="OFF"
 STATUS_OK="OK"
 STATUS_ON="ON"
+STATUS_PARTIALLY_HARDENED="PARTIELLEMENT RENFORC??"
 STATUS_PROTECTED="PROT??G??"
 STATUS_RUNNING="EN COURS"
 STATUS_SKIPPED="IGNOR??"
 STATUS_SUGGESTION="SUGGESTION"
 STATUS_UNKNOWN="INCONNU"
+STATUS_UNSAFE="RISQU??"
 STATUS_UPDATE_AVAILABLE="MISE A JOUR DISPONIBLE"
 STATUS_WARNING="AVERTISSEMENT"
 STATUS_WEAK="FAIBLE"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/db/software-eol.db new/lynis/db/software-eol.db
--- old/lynis/db/software-eol.db        2021-01-07 01:00:00.000000000 +0100
+++ new/lynis/db/software-eol.db        2021-05-11 02:00:00.000000000 +0200
@@ -14,8 +14,9 @@
 # For rolling releases or releases that do not (currently have an EOL date, 
leave field three empty and set field four to -1.
 # Full string for CentOS can be something like 'CentOS Linux 8 (Core)'. As 
this does not correctly match, shorter string is used for matching.
 #
-# Alpine - https://wiki.alpinelinux.org/wiki/Alpine_Linux:Releases
+# Alpine - https://alpinelinux.org/releases/
 #
+os:Alpine 3.13:2022-11-01:1667275200
 os:Alpine 3.12:2022-05-01:1651377600
 os:Alpine 3.11:2021-11-01:1635739200
 os:Alpine 3.10:2021-05-01:1619841600
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/db/tests.db new/lynis/db/tests.db
--- old/lynis/db/tests.db       2021-01-07 01:00:00.000000000 +0100
+++ new/lynis/db/tests.db       2021-05-11 02:00:00.000000000 +0200
@@ -14,6 +14,8 @@
 ACCT-9656:test:security:accounting:Solaris:Check BSM auditing in module list:
 ACCT-9660:test:security:accounting:Solaris:Check location of audit events:
 ACCT-9662:test:security:accounting:Solaris:Check Solaris auditing stats:
+ACCT-9670:test:security:accounting:Linux:Check for cmd tooling:
+ACCT-9672:test:security:accounting:Linux:Check cmd configuration file:
 AUTH-9204:test:security:authentication::Check users with an UID of zero:
 AUTH-9208:test:security:authentication::Check non-unique accounts in passwd 
file:
 AUTH-9212:test:security:authentication::Test group file:
@@ -67,6 +69,7 @@
 BOOT-5124:test:security:boot_services:FreeBSD:Check for FreeBSD boot loader 
presence:
 BOOT-5126:test:security:boot_services:NetBSD:Check for NetBSD boot loader 
presence:
 BOOT-5139:test:security:boot_services::Check for LILO boot loader presence:
+BOOT-5140:test:security:boot_services::Check for ELILO boot loader presence:
 BOOT-5142:test:security:boot_services::Check SPARC Improved boot loader (SILO):
 BOOT-5155:test:security:boot_services::Check for YABOOT boot loader 
configuration file:
 BOOT-5159:test:security:boot_services:OpenBSD:Check for OpenBSD boot loader 
presence:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/binaries new/lynis/include/binaries
--- old/lynis/include/binaries  2021-01-07 01:00:00.000000000 +0100
+++ new/lynis/include/binaries  2021-05-11 02:00:00.000000000 +0200
@@ -152,6 +152,7 @@
                             clang)                  CLANGBINARY=${BINARY};     
        COMPILER_INSTALLED=1;  LogText "  Found known binary: clang (compiler) 
- ${BINARY}" ;;
                             cfagent)                CFAGENTBINARY="${BINARY}"; 
        FILE_INT_TOOL_FOUND=1;                 LogText "  Found known binary: 
cfengine agent (configuration tool) - ${BINARY}" ;;
                             chkrootkit)             
CHKROOTKITBINARY="${BINARY}";      MALWARE_SCANNER_INSTALLED=1;           
LogText "  Found known binary: chkrootkit (malware scanner) - ${BINARY}" ;;
+                            cmd_daemon)             CMDBINARY=${BINARY};       
        LogText "  Found known binary: cmd (audit framework) - ${BINARY}" ;;
                             comm)                   COMMBINARY="${BINARY}";    
        LogText "  Found known binary: comm (file compare) - ${BINARY}" ;;
                             cryptsetup)             
CRYPTSETUPBINARY="${BINARY}";      LogText "  Found known binary: cryptsetup 
(block device encryption) - ${BINARY}" ;;
                             csum)                   CSUMBINARY="${BINARY}";    
        LogText "  Found known binary: csum (hashing tool on AIX) - ${BINARY}" 
;;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/consts new/lynis/include/consts
--- old/lynis/include/consts    2021-01-07 01:00:00.000000000 +0100
+++ new/lynis/include/consts    2021-05-11 02:00:00.000000000 +0200
@@ -70,6 +70,7 @@
     CLAMCONF_BINARY=""
     CLAMSCANBINARY=""
     CLANGBINARY=""
+    CMDBINARY=""
     COLORS=1
     COMPLIANCE_ENABLE_CIS=0
     COMPLIANCE_ENABLE_HIPAA=0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/osdetection 
new/lynis/include/osdetection
--- old/lynis/include/osdetection       2021-01-07 01:00:00.000000000 +0100
+++ new/lynis/include/osdetection       2021-05-11 02:00:00.000000000 +0200
@@ -144,6 +144,13 @@
                 OS_ID=$(grep "^ID=" /etc/os-release | awk -F= '{print $2}' | 
tr -d '"')
                 if [ -n "${OS_ID}" ]; then
                     case ${OS_ID} in
+                        "almalinux")
+                            LINUX_VERSION="AlmaLinux"
+                            OS_NAME=$(grep "^PRETTY_NAME=" /etc/os-release | 
awk -F= '{print $2}' | tr -d '"')
+                            OS_REDHAT_OR_CLONE=1
+                            OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | 
awk -F= '{print $2}' | tr -d '"')
+                            OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release 
| awk -F= '{print $2}' | tr -d '"')                           
+                        ;;
                         "alpine")
                             LINUX_VERSION="Alpine Linux"
                             OS_NAME=$(grep "^PRETTY_NAME=" /etc/os-release | 
awk -F= '{print $2}' | tr -d '"')
@@ -190,6 +197,12 @@
                             OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | 
awk -F= '{print $2}' | tr -d '"')
                             OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release 
| awk -F= '{print $2}' | tr -d '"')
                         ;;
+                        "devuan")
+                            LINUX_VERSION="Devuan"
+                            OS_NAME="Devuan"
+                            OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | 
awk -F= '{print $2}' | tr -d '"')
+                            OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release 
| awk -F= '{print $2}' | tr -d '"')
+                        ;;
                         "elementary")
                             LINUX_VERSION="elementary OS"
                             OS_NAME="elementary OS"
@@ -214,6 +227,12 @@
                             OS_NAME="Flatcar Linux"
                             OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | 
awk -F= '{print $2}' | tr -d '"')
                         ;;
+                        "garuda")
+                            LINUX_VERSION="Garuda"
+                            OS_FULLNAME="Garuda Linux"
+                            OS_NAME="Garuda"
+                            OS_VERSION="Rolling release"
+                        ;;
                         "gentoo")
                             LINUX_VERSION="Gentoo"
                             OS_NAME="Gentoo Linux"
@@ -243,7 +262,7 @@
                             OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | 
awk -F= '{print $2}' | tr -d '"')
                             OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release 
| awk -F= '{print $2}' | tr -d '"')
                         ;;
-                        "manjaro")
+                        "manjaro" | "manjaro-arm")
                             LINUX_VERSION="Manjaro"
                             OS_FULLNAME="Manjaro Linux"
                             OS_NAME="Manjaro"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_accounting 
new/lynis/include/tests_accounting
--- old/lynis/include/tests_accounting  2021-01-07 01:00:00.000000000 +0100
+++ new/lynis/include/tests_accounting  2021-05-11 02:00:00.000000000 +0200
@@ -24,7 +24,10 @@
 #
     AUDITD_CONF_LOCS="${ROOTDIR}etc ${ROOTDIR}etc/audit"
     AUDITD_CONF_FILE=""
+    CMD_CONF_LOCS="${ROOTDIR}etc ${ROOTDIR}etc/cmd"
+    CMD_CONF_FILE=""
     LINUX_AUDITD_RUNNING=0
+    LINUX_CMD_RUNNING=0
     AUDIT_DAEMON_RUNNING=0
     SOLARIS_AUDITD_RUNNING=0
 #
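Review bot: `CMD_CONF_LOCS` includes `${ROOTDIR}etc` itself, so the ACCT-9672 loop added later in this file accepts `${ROOTDIR}etc/config.ini` as the cmd configuration file. That file name is generic and may belong to unrelated software, in which case the test reports OK for a file cmd never reads. If cmd reads its configuration only from its own directory (not visible on this page), restrict the list to `CMD_CONF_LOCS="${ROOTDIR}etc/cmd"`. The variable block this hunk extends starts and ends outside the hunk.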
@@ -413,6 +416,59 @@
         fi
     fi
 #
+#################################################################################
+#
+    # Test        : ACCT-9670
+    # Description : Check cmd status
+    if [ -n "${CMDBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+    Register --test-no ACCT-9670 --os Linux --preqs-met ${PREQS_MET} --weight 
L --network NO --category security --description "Check for cmd"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        LogText "Test: Check cmd status"
+        if IsRunning "cmd_daemon"; then
+            LogText "Result: cmd running"
+            Display --indent 2 --text "- Checking cmd" --result 
"${STATUS_ENABLED}" --color GREEN
+            LINUX_CMD_RUNNING=1
+            AUDIT_DAEMON_RUNNING=1
+            Report "audit_trail_tool[]=cmd"
+            Report "linux_cmd_running=1"
+            AddHP 4 4
+        else
+            LogText "Result: cmd not active"
+            Display --indent 2 --text "- Checking cmd" --result 
"${STATUS_NOT_FOUND}" --color WHITE
+            if [ ! "${VMTYPE}" = "openvz" ]; then
+                ReportSuggestion "${TEST_NO}" "Install cmd to collect audit 
information"
+            fi
+            AddHP 0 1
+            Report "linux_cmd_running=0"
+        fi
+    fi
+#
+#################################################################################
+#
+    # Test        : ACCT-9672
+    # Description : Check cmd configuration file
+    if [ -n "${CMDBINARY}" -a ${LINUX_CMD_RUNNING} -eq 1 ]; then 
PREQS_MET="YES"; else PREQS_MET="NO"; fi
+    Register --test-no ACCT-9672 --os Linux --preqs-met ${PREQS_MET} --weight 
L --network NO --category security --description "Check for cmd configuration 
file"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        LogText "Test: Checking cmd configuration file"
+        for DIR in ${CMD_CONF_LOCS}; do
+            if [ -f ${DIR}/config.ini ]; then
+                CMD_CONF_FILE="${DIR}/config.ini"
+                LogText "Result: Found ${DIR}/config.ini"
+            else
+                LogText "Result: ${DIR}/config.ini not found"
+            fi
+        done
+        # Check if we discovered the configuration file. It should be there is 
the binaries are available and process is running
+        if [ -n "${CMD_CONF_FILE}" ]; then
+            Display --indent 4 --text "- Checking cmd configuration file" 
--result "${STATUS_OK}" --color GREEN
+        else
+            LogText "Result: could not find cmd configuration file"
+            Display --indent 4 --text "- Checking cmd configuration file" 
--result "${STATUS_FOUND}" --color RED
+            ReportSuggestion "${TEST_NO}" "Determine the location of cmd 
configuration file"
+        fi
+    fi
+#
 
#################################################################################
 #
     Report "audit_daemon_running=${AUDIT_DAEMON_RUNNING}"
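Review bot: In ACCT-9672 the branch taken when no configuration file was found calls Display with `--result "${STATUS_FOUND}" --color RED`, so the screen shows FOUND for a missing file; it should use `--result "${STATUS_NOT_FOUND}" --color RED`, the constant ACCT-9670 already uses. In ACCT-9670 the suggestion "Install cmd to collect audit information" sits in a branch that, judging by the `CMDBINARY` prerequisite, is reached only when the binary is already present and the daemon is not running, so the advice should be to enable and start it (this depends on how Register handles `--preqs-met`, which is not shown). The ACCT-9672 prerequisite also uses the deprecated `-a` inside `[ ]`, which this same commit replaces with `] && [` in tests_logging. The configuration check is `[ -f ${DIR}/config.ini ]` with an unquoted path; `[ -f "${DIR}/config.ini" ]` is safer.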
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_authentication 
new/lynis/include/tests_authentication
--- old/lynis/include/tests_authentication      2021-01-07 01:00:00.000000000 
+0100
+++ new/lynis/include/tests_authentication      2021-05-11 02:00:00.000000000 
+0200
@@ -294,12 +294,12 @@
                 # disabled | shadowed | no password | locked account (can be 
literal *LOCK* or something like LOCKED)
                 ;;
             *:\$5\$*| *:\$6\$*)
-                # sha256crypt | sha512crypt: check number of rounds, should be 
>5000
+                # sha256crypt | sha512crypt: check number of rounds, should be 
>=5000
                 ROUNDS=$(echo "${METHOD}" | sed -n 
's/.*rounds=\([0-9]*\)\$.*/\1/gp')
                 if [ -z "${ROUNDS}" ]; then
-                    echo 'sha256crypt/sha512crypt(default<=5000rounds)'
-                elif [ "${ROUNDS}" -le 5000 ]; then
-                    echo 'sha256crypt/sha512crypt(<=5000rounds)'
+                    echo 'sha256crypt/sha512crypt(default=5000rounds)'
+                elif [ "${ROUNDS}" -lt 5000 ]; then
+                    echo 'sha256crypt/sha512crypt(<5000rounds)'
                 fi
                 ;;
             *:\$y\$* | *:\$gy\$* | *:\$2b\$* | *:\$7\$*)
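Review bot: The branch for a hash without a `rounds=` parameter still echoes a finding, `sha256crypt/sha512crypt(default=5000rounds)`, although the updated comment says `>=5000` is acceptable and an explicit `rounds=5000` now produces no output. If the echoed string is what the caller reports as a weak hashing method (the caller is outside this hunk), the same work factor is flagged in one spelling and passed in the other. Either drop the echo in the `-z "${ROUNDS}"` branch or keep the comparison at `-le 5000`, so that both cases agree. A one-line comment stating why 5000 is the threshold would make the intent reviewable.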
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_boot_services 
new/lynis/include/tests_boot_services
--- old/lynis/include/tests_boot_services       2021-01-07 01:00:00.000000000 
+0100
+++ new/lynis/include/tests_boot_services       2021-05-11 02:00:00.000000000 
+0200
@@ -63,6 +63,7 @@
     # Description : Determine service manager
     # Notes       :
     # initscripts     - Used by Arch before
+    # runit           - Used by Artix, Devuan, Dragora and Void
     # systemd         - Common option with more Linux distros implementing it
     # upstart         - Used by Debian/Ubuntu
     Register --test-no BOOT-5104 --weight L --network NO --category security 
--description "Determine service manager"
@@ -71,7 +72,7 @@
         case ${OS} in
             "Linux")
                 if [ -f /proc/1/cmdline ]; then
-                    OUTPUT=$(${AWKBINARY} '/(^\/|init)/ { print $1 }' 
/proc/1/cmdline | ${TRBINARY} '\0' ' ' | ${SEDBINARY} 's/ $//')
+                    OUTPUT=$(${AWKBINARY} '/(^\/|init|runit)/ { print $1 }' 
/proc/1/cmdline | ${TRBINARY} '\0' ' ' | ${SEDBINARY} 's/ $//')
                     LogText "Result: cmdline found = ${OUTPUT}"
                     FILENAME=$(echo "${OUTPUT}" | ${AWKBINARY} '{print $1}')
                     LogText "Result: file on disk = ${FILENAME}"
@@ -108,6 +109,9 @@
                                 upstart)
                                     SERVICE_MANAGER="upstart"
                                 ;;
+                                runit)
+                                    SERVICE_MANAGER="runit"
+                                ;;
                                 *)
                                     CONTAINS_SYSTEMD=$(echo ${SHORTNAME} | 
${GREPBINARY} "systemd")
                                     if [ -n "${CONTAINS_SYSTEMD}" ]; then
@@ -484,6 +488,25 @@
 #
 
#################################################################################
 #
+    # Test        : BOOT-5140
+    # Description : Check for ELILO boot loader
+    Register --test-no BOOT-5140 --os "Linux" --weight L --network NO 
--root-only YES --category security --description "Check for ELILO boot loader 
presence"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        BOOT_LOADER_SEARCHED=1
+        CONF_FILES="${ROOTDIR}etc/elilo.conf 
${ROOTDIR}boot/efi/EFI/${LINUX_VERSION}/elilo.conf"
+        for FILE in ${CONF_FILES}; do
+            FileExists ${FILE}
+            if [ ${FILE_FOUND} -eq 1 ]; then
+                Display --indent 2 --text "- Checking boot loader ELILO" 
--result "${STATUS_FOUND}" --color GREEN
+                LogText "Result: found ELILO boot loader"
+                BOOT_LOADER="ELILO"
+                BOOT_LOADER_FOUND=1
+            fi
+        done
+    fi
+#
+#################################################################################
+#
     # Test        : BOOT-5142
     # Description : Check for SILO boot loader
     Register --test-no BOOT-5142 --weight L --network NO --category security 
--description "Check SPARC Improved boot loader (SILO)"
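Review bot: In BOOT-5140 the second candidate path embeds `${LINUX_VERSION}`, and the list is then word-split by `for FILE in ${CONF_FILES}` and passed unquoted to `FileExists ${FILE}`. The osdetection changes on this page set values such as `LINUX_VERSION="Alpine Linux"` and `"elementary OS"`, so on those systems the path breaks into two bogus words and the EFI location is never checked. Iterating over quoted paths avoids this: `for FILE in "${ROOTDIR}etc/elilo.conf" "${ROOTDIR}boot/efi/EFI/${LINUX_VERSION}/elilo.conf"; do` with `FileExists "${FILE}"`. It is also worth confirming that the EFI vendor directory really matches the `LINUX_VERSION` display name. The loop has no `break` after a match, so the Display line is printed twice when both files exist.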
@@ -1068,23 +1091,28 @@
             if [ "${UNIT}" = "UNIT" ]; then
                 continue
             fi
+            STATUS="UNKNOWN"
             COLOR="BLACK"
             case ${PREDICATE} in
                 PERFECT | SAFE | OK)
+                    STATUS="${STATUS_PROTECTED}"
                     COLOR=GREEN
                 ;;
                 MEDIUM)
+                    STATUS="${STATUS_MEDIUM}"
                     COLOR=WHITE
                 ;;
                 EXPOSED)
+                    STATUS="${STATUS_EXPOSED}"
                     COLOR=YELLOW
                 ;;
                 UNSAFE | DANGEROUS)
+                    STATUS="${STATUS_UNSAFE}"
                     COLOR=RED
                 ;;
             esac
-            Display --indent 8 --text "- ${UNIT}:" --result "${PREDICATE}" 
--color "${COLOR}"
-            LogText "Result: ${UNIT}: ${EXPOSURE} ${PREDICATE}"
+            Display --indent 8 --text "- ${UNIT}:" --result "${STATUS}" 
--color "${COLOR}"
+            LogText "Result: ${UNIT}: ${EXPOSURE} ${STATUS}"
         done
         ReportSuggestion "${TEST_NO}" "Consider hardening system services" 
"Run '${SYSTEMDANALYZEBINARY} security SERVICE' for each service"
     fi
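Review bot: The fallback `STATUS="UNKNOWN"` is a hard-coded English string in a change whose purpose is to localise the result, and the language files on this page already define `STATUS_UNKNOWN`; use `STATUS="${STATUS_UNKNOWN}"`. The `LogText` line now writes the translated `${STATUS}` instead of `${PREDICATE}`, so the log becomes locale-dependent. It also loses the original systemd-analyze predicate, because PERFECT, SAFE and OK all collapse to one value and DANGEROUS becomes UNSAFE. Keeping the raw value in the log, `LogText "Result: ${UNIT}: ${EXPOSURE} ${PREDICATE}"`, and translating only the Display call would preserve the audit trail for anyone parsing the log. The enclosing loop starts outside the hunk.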
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_filesystems 
new/lynis/include/tests_filesystems
--- old/lynis/include/tests_filesystems 2021-01-07 01:00:00.000000000 +0100
+++ new/lynis/include/tests_filesystems 2021-05-11 02:00:00.000000000 +0200
@@ -606,11 +606,11 @@
                     done
                     if [ ${FULLY_HARDENED} -eq 1 ]; then
                         LogText "Result: marked ${FILESYSTEM} as fully 
hardened"
-                        Display --indent 2 --text "- Mount options of 
${FILESYSTEM}" --result HARDENED --color GREEN
+                        Display --indent 2 --text "- Mount options of 
${FILESYSTEM}" --result "${STATUS_HARDENED}" --color GREEN
                         AddHP 5 5
                     elif [ ${PARTIALLY_HARDENED} -eq 1 ]; then
                         LogText "Result: marked ${FILESYSTEM} as partially 
hardened"
-                        Display --indent 2 --text "- Mount options of 
${FILESYSTEM}" --result "PARTIALLY HARDENED" --color YELLOW
+                        Display --indent 2 --text "- Mount options of 
${FILESYSTEM}" --result "${STATUS_PARTIALLY_HARDENED}" --color YELLOW
                         AddHP 4 5
                     else
                         # if 
@@ -820,11 +820,11 @@
                         LogText "Result: module ${FS} is currently not loaded 
in the kernel."
                         AddHP 2 3
                         if IsDebug; then Display --indent 6 --text "- Module 
${FS} not loaded (lsmod)" --result OK --color GREEN; fi
-                        FOUND=1
-                        AVAILABLE_MODPROBE_FS="${AVAILABLE_MODPROBE_FS}${FS} "
                     else
                         LogText "Result: module ${FS} is loaded in the kernel"
                         Display --indent 4 --text "- Module $FS loaded in the 
kernel (lsmod)" --result "FOUND" --color WHITE
+                        FOUND=1
+                        AVAILABLE_MODPROBE_FS="${AVAILABLE_MODPROBE_FS}${FS} "
                     fi
                 else
                     AddHP 3 3
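Review bot: Moving `FOUND=1` and the `AVAILABLE_MODPROBE_FS` append into the "loaded" branch means a filesystem module that modprobe can still load, but which is not loaded right now, no longer contributes to the suggestion. If the outer condition (outside this hunk) only establishes that the module is available, such a module can still be loaded on demand, and hosts with it neither loaded nor blacklisted would now get no hardening hint. That seems narrower than the changelog wording "at least one kernel module is not in the blacklist". If the narrower behaviour is intended, add a comment saying so and rename the variable, since `AVAILABLE_MODPROBE_FS` now collects loaded modules rather than available ones.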
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_firewalls 
new/lynis/include/tests_firewalls
--- old/lynis/include/tests_firewalls   2021-01-07 01:00:00.000000000 +0100
+++ new/lynis/include/tests_firewalls   2021-05-11 02:00:00.000000000 +0200
@@ -506,7 +506,7 @@
     Register --test-no FIRE-4540 --os Linux --preqs-met ${PREQS_MET} --weight 
L --network NO --root-only YES --category security --description "Check for 
empty nftables configuration"
     if [ ${SKIPTEST} -eq 0 ]; then
         # Check for empty ruleset
-        NFT_RULES_LENGTH=$(${NFTBINARY} list ruleset --stateless 2> /dev/null 
| ${EGREPBINARY} -v "table|chain|;$|}$|^$" | ${WCBINARY} -l)
+        NFT_RULES_LENGTH=$(${NFTBINARY} --stateless list ruleset 2> /dev/null 
| ${EGREPBINARY} -v "table|chain|;$|}$|^$" | ${WCBINARY} -l)
         if [ ${NFT_RULES_LENGTH} -le 3 ]; then
             FIREWALL_EMPTY_RULESET=1
             LogText "Result: this firewall set has 3 rules or less and is 
considered to be empty"
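Review bot: The pipeline still discards nft's stderr with `2> /dev/null` and ignores its exit status, so any nft failure yields a count of 0 and the host is reported as having an empty ruleset. The misplaced `--stateless` this hunk corrects presumably failed in exactly that silent way. Capturing the output first and skipping the test on a non-zero status would separate "nft failed" from "no rules", for example `NFT_OUTPUT=$(${NFTBINARY} --stateless list ruleset 2> /dev/null) || NFT_FAILED=1` followed by the existing filter on `${NFT_OUTPUT}`; `NFT_OUTPUT` and `NFT_FAILED` are illustrative names. `${NFT_RULES_LENGTH}` should also be quoted in the `-le 3` test.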
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_logging 
new/lynis/include/tests_logging
--- old/lynis/include/tests_logging     2021-01-07 01:00:00.000000000 +0100
+++ new/lynis/include/tests_logging     2021-05-11 02:00:00.000000000 +0200
@@ -177,14 +177,14 @@
 #
     # Test        : LOGG-2138
     # Description : Check for kernel log daemon (klogd) presence on Linux 
systems
-    # Notes       : * When using rsyslog or systemd (systemd-journal), this 
process is not needed.
+    # Notes       : * When using metalog, rsyslog or systemd 
(systemd-journal), this process is not needed.
     #               * In combination with syslog-ng, klogd is still an 
addition to it, since it
     #                 captures kernel related events and send them to 
syslog-ng.
     #               * This test should be below all other logging daemons
     Register --test-no LOGG-2138 --os Linux --weight L --network NO --category 
security --description "Checking kernel logger daemon on Linux"
     if [ ${SKIPTEST} -eq 0 ]; then
         LogText "Test: Searching kernel logger daemon (klogd)"
-        if [ ${RSYSLOG_RUNNING} -eq 0 -a ${SYSTEMD_JOURNAL_RUNNING} -eq 0 ]; 
then
+        if [ ${RSYSLOG_RUNNING} -eq 0 ] && [ ${SYSTEMD_JOURNAL_RUNNING} -eq 0 
] && [ ${METALOG_RUNNING} -eq 0 ]; then
             # Search for klogd, but ignore other lines related to klogd (like 
dd with input/output file)
             #FIND=$(${PSBINARY} ax | ${GREPBINARY} "klogd" | ${GREPBINARY} -v 
"dd" | ${GREPBINARY} -v "grep")
             if IsRunning "klogd"; then
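Review bot: The new `[ ${METALOG_RUNNING} -eq 0 ]` test expands the variable unquoted, and nothing on this page shows where `METALOG_RUNNING` is initialised. If it is empty when LOGG-2138 runs, the test becomes `[ -eq 0 ]`, which prints an error and evaluates false, so the klogd check is silently skipped. Confirm the variable is set to 0 in the logging defaults before this test, or make the check robust with `[ "${METALOG_RUNNING:-0}" -eq 0 ]`. The test body continues outside the hunk.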
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_nameservices 
new/lynis/include/tests_nameservices
--- old/lynis/include/tests_nameservices        2021-01-07 01:00:00.000000000 
+0100
+++ new/lynis/include/tests_nameservices        2021-05-11 02:00:00.000000000 
+0200
@@ -578,7 +578,7 @@
         else
             LogText "Found duplicate line: ${OUTPUT}"
             LogText "Result: found duplicate line"
-            Display --indent 4 --text "- Duplicate entries in hosts file" 
--result "$STATUS_FOUND}" --color YELLOW
+            Display --indent 4 --text "- Duplicate entries in hosts file" 
--result "${STATUS_FOUND}" --color YELLOW
             ReportSuggestion "${TEST_NO}" "Remove duplicate lines in 
${ROOTDIR}etc/hosts"
         fi
     fi
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_time new/lynis/include/tests_time
--- old/lynis/include/tests_time        2021-01-07 01:00:00.000000000 +0100
+++ new/lynis/include/tests_time        2021-05-11 02:00:00.000000000 +0200
@@ -585,6 +585,10 @@
         if [ ! -e "${SYNCHRONIZED_FILE}" ]; then
             SYNCHRONIZED_FILE="/var/lib/private/systemd/timesync/clock"
         fi
+        # Fix for debian stretch
+        if [ ! -e "${SYNCHRONIZED_FILE}" ]; then
+            SYNCHRONIZED_FILE="/var/lib/systemd/clock"
+        fi
         if [ -e "${SYNCHRONIZED_FILE}" ]; then
            FIND=$(( $(date +%s) - $(${STATBINARY} -L --format %Y 
"${SYNCHRONIZED_FILE}") ))
            # Check if last sync was more than 2048 seconds (= the default of 
systemd) ago
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/lynis new/lynis/lynis
--- old/lynis/lynis     2021-01-07 01:00:00.000000000 +0100
+++ new/lynis/lynis     2021-05-11 02:00:00.000000000 +0200
@@ -43,10 +43,10 @@
     PROGRAM_WEBSITE="https://cisofy.com/lynis/";
 
     # Version details
-    PROGRAM_RELEASE_DATE="2021-01-07"
-    PROGRAM_RELEASE_TIMESTAMP=1610029111
+    PROGRAM_RELEASE_DATE="2021-05-11"
+    PROGRAM_RELEASE_TIMESTAMP=1620725174
     PROGRAM_RELEASE_TYPE="release" # pre-release or release
-    PROGRAM_VERSION="3.0.3"
+    PROGRAM_VERSION="3.0.4"
 
     # Source, documentation and license
     PROGRAM_SOURCE="https://github.com/CISOfy/lynis";
@@ -89,6 +89,7 @@
                 if [ -d "${WORKDIR}/include" ]; then 
INCLUDEDIR="${WORKDIR}/include"; fi
             elif [ -d ${I} -a -z "${INCLUDEDIR}" ]; then
                 INCLUDEDIR=${I}
+               break
             fi
         done
     fi
