Hello community,

here is the log from the commit of package lynis for openSUSE:Factory checked 
in at 2022-05-18 13:13:38
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/lynis (Old)
 and      /work/SRC/openSUSE:Factory/.lynis.new.1538 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "lynis"

Wed May 18 13:13:38 2022 rev:51 rq:977874 version:3.0.8

Changes:
--------
--- /work/SRC/openSUSE:Factory/lynis/lynis.changes      2022-02-04 
21:52:49.414975360 +0100
+++ /work/SRC/openSUSE:Factory/.lynis.new.1538/lynis.changes    2022-05-18 
13:13:51.718697386 +0200
@@ -1,0 +2,22 @@
+Tue May 17 14:00:34 UTC 2022 - Robert Frohl <rfr...@suse.com>
+
+- Update to 3.0.8:
+  * Added
+    - MALW-3274 - Detect McAfee VirusScan Command Line Scanner
+    - PKGS-7346 Check Alpine Package Keeper (apk)
+    - PKGS-7395 Check Alpine upgradeable packages
+    - EOL for Alpine Linux 3.14 and 3.15
+  * Changed
+    - AUTH-9408 - Check for pam_faillock as well (replacement for pam_tally2)
+    - FILE-7524 - Test enhanced to support symlinks
+    - HTTP-6643 - Support ModSecurity version 2 and 3
+    - KRNL-5788 - Only run relevant tests and improved logging
+    - KRNL-5820 - Additional path for security/limits.conf
+    - KRNL-5830 - Check for /var/run/needs_restarting (Slackware)
+    - KRNL-5830 - Add a presence check for /boot/vmlinuz
+    - PRNT-2308 - Bugfix that prevented test from storing values correctly
+    - Extended location of PAM files for AARCH64
+    - Some messages in log improved
+- accepted upstream, removed additional_paths_security-limits.patch
+
+-------------------------------------------------------------------

Old:
----
  additional_paths_security-limits.patch
  lynis-3.0.7.tar.gz
  lynis-3.0.7.tar.gz.asc

New:
----
  lynis-3.0.8.tar.gz
  lynis-3.0.8.tar.gz.asc

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ lynis.spec ++++++
--- /var/tmp/diff_new_pack.yfVNoT/_old  2022-05-18 13:13:52.394697957 +0200
+++ /var/tmp/diff_new_pack.yfVNoT/_new  2022-05-18 13:13:52.402697964 +0200
@@ -23,7 +23,7 @@
 %define _pluginsdir       %{_datadir}/lynis/plugins
 %define _dbdir            %{_datadir}/lynis/db
 Name:           lynis
-Version:        3.0.7
+Version:        3.0.8
 Release:        0
 Summary:        Security and System auditing tool
 License:        GPL-3.0-only
@@ -51,8 +51,6 @@
 Patch5:         %{name}_1.3.6_include-osdetection.diff
 # https://github.com/CISOfy/lynis/pull/1215
 Patch6:         additional_module_blacklist_locations.patch
-# https://github.com/CISOfy/lynis/issues/1264
-Patch7:         additional_paths_security-limits.patch
 BuildRequires:  gcc-c++
 BuildRequires:  libxml2-devel
 Requires:       bash
@@ -80,7 +78,6 @@
 %patch2
 %patch5
 %patch6 -p1
-%patch7 -p1
 
 %build
 

++++++ lynis-3.0.7.tar.gz -> lynis-3.0.8.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/CHANGELOG.md new/lynis/CHANGELOG.md
--- old/lynis/CHANGELOG.md      2022-01-18 01:00:00.000000000 +0100
+++ new/lynis/CHANGELOG.md      2022-05-17 02:00:00.000000000 +0200
@@ -1,5 +1,27 @@
 # Lynis Changelog
 
+## Lynis 3.0.8 (2022-05-17)
+
+### Added
+- MALW-3274 - Detect McAfee VirusScan Command Line Scanner
+- PKGS-7346 Check Alpine Package Keeper (apk)
+- PKGS-7395 Check Alpine upgradeable packages
+- EOL for Alpine Linux 3.14 and 3.15
+
+### Changed
+- AUTH-9408 - Check for pam_faillock as well (replacement for pam_tally2)
+- FILE-7524 - Test enhanced to support symlinks
+- HTTP-6643 - Support ModSecurity version 2 and 3
+- KRNL-5788 - Only run relevant tests and improved logging
+- KRNL-5820 - Additional path for security/limits.conf
+- KRNL-5830 - Check for /var/run/needs_restarting (Slackware)
+- KRNL-5830 - Add a presence check for /boot/vmlinuz
+- PRNT-2308 - Bugfix that prevented test from storing values correctly
+- Extended location of PAM files for AARCH64
+- Some messages in log improved
+
+---------------------------------------------------------------------------------
+
 ## Lynis 3.0.7 (2022-01-18)
 
 ### Added
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/db/software-eol.db new/lynis/db/software-eol.db
--- old/lynis/db/software-eol.db        2022-01-18 01:00:00.000000000 +0100
+++ new/lynis/db/software-eol.db        2022-05-17 02:00:00.000000000 +0200
@@ -16,6 +16,8 @@
 #
 # Alpine - https://alpinelinux.org/releases/
 #
+os:Alpine 3.15:2023-11-01:1698793200
+os:Alpine 3.14:2023-05-01:1682899200
 os:Alpine 3.13:2022-11-01:1667275200
 os:Alpine 3.12:2022-05-01:1651377600
 os:Alpine 3.11:2021-11-01:1635739200
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/db/tests.db new/lynis/db/tests.db
--- old/lynis/db/tests.db       2022-01-18 01:00:00.000000000 +0100
+++ new/lynis/db/tests.db       2022-05-17 02:00:00.000000000 +0200
@@ -265,6 +265,7 @@
 MAIL-8860:test:security:mail_messaging::Check Qmail status:
 MAIL-8880:test:security:mail_messaging::Check Sendmail status:
 MAIL-8920:test:security:mail_messaging::Check OpenSMTPD status:
+MALW-3274:test:security:malware::Check for McAfee VirusScan Command Line 
Scanner:
 MALW-3275:test:security:malware::Check for chkrootkit:
 MALW-3276:test:security:malware::Check for Rootkit Hunter:
 MALW-3278:test:security:malware::Check for LMD:
@@ -322,6 +323,7 @@
 PHP-2378:test:security:php::Check PHP allow_url_include option:
 PHP-2379:test:security:php::Check PHP suhosin extension status:
 PHP-2382:test:security:php::Check PHP listen option:
+PKGS-7200:test:security:ports_packages:Linux:Check Alpine Package Keeper (apk):
 PKGS-7301:test:security:ports_packages::Query NetBSD pkg:
 PKGS-7302:test:security:ports_packages::Query FreeBSD/NetBSD pkg_info:
 PKGS-7303:test:security:ports_packages::Query brew package manager:
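Review bot: The new apk row is registered as `PKGS-7200`, while both changelog entries in this commit name the test `PKGS-7346`. The test implementation is not among the visible hunks, so it is unclear which id its `Register` call uses; if it is PKGS-7346, anything that looks the test up by id in tests.db will not find this row. Suggest aligning the row with the changelog, `PKGS-7346:test:security:ports_packages:Linux:Check Alpine Package Keeper (apk):`, and placing it in numeric order.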
@@ -358,6 +360,7 @@
 PKGS-7392:test:security:ports_packages:Linux:Check for Debian/Ubuntu security 
updates:
 PKGS-7393:test:security:ports_packages::Check for Gentoo vulnerable packages:
 PKGS-7394:test:security:ports_packages:Linux:Check for Ubuntu updates:
+PKGS-7395:test:security:ports_packages:Linux:Check Alpine upgradeable packages:
 PKGS-7398:test:security:ports_packages::Check for package audit tool:
 PKGS-7410:test:security:ports_packages::Count installed kernel packages:
 PKGS-7420:test:security:ports_packages::Detect toolkit to automatically 
download and apply upgrades:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/binaries new/lynis/include/binaries
--- old/lynis/include/binaries  2022-01-18 01:00:00.000000000 +0100
+++ new/lynis/include/binaries  2022-05-17 02:00:00.000000000 +0200
@@ -134,6 +134,7 @@
                             aide)                   AIDEBINARY=${BINARY};      
        LogText "  Found known binary: aide (file integrity checker) - 
${BINARY}" ;;
                             apache2)                HTTPDBINARY=${BINARY};     
        LogText "  Found known binary: apache2 (web server) - ${BINARY}" ;;
                             apt)                    APTBINARY=${BINARY};       
        LogText "  Found known binary: apt (package manager) - ${BINARY}" ;;
+                            apk)                    APKBINARY=${BINARY};       
        LogText "  Found known binary: apk (package manager) - ${BINARY}" ;;
                             arch-audit)             
ARCH_AUDIT_BINARY="${BINARY}";     LogText "  Found known binary: arch-audit 
(auditing utility to test for vulnerable packages) - ${BINARY}" ;;
                             auditd)                 AUDITDBINARY=${BINARY};    
        LogText "  Found known binary: auditd (audit framework) - ${BINARY}" ;;
                             awk)                    AWKBINARY=${BINARY};       
        LogText "  Found known binary: awk (string tool) - ${BINARY}" ;;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/consts new/lynis/include/consts
--- old/lynis/include/consts    2022-01-18 01:00:00.000000000 +0100
+++ new/lynis/include/consts    2022-05-17 02:00:00.000000000 +0200
@@ -43,6 +43,7 @@
 # == Variable initializing ==
 #
     APTBINARY=""
+    APKBINARY=""
     ARCH_AUDIT_BINARY=""
     AUDITORNAME=""
     AUDITCTLBINARY=""
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/functions new/lynis/include/functions
--- old/lynis/include/functions 2022-01-18 01:00:00.000000000 +0100
+++ new/lynis/include/functions 2022-05-17 02:00:00.000000000 +0200
@@ -1306,6 +1306,11 @@
         if [ $# -ne 2 ]; then Fatal "Incorrect usage of 
HasCorrectFilePermissions"; fi
         CHECKFILE="$1"
         CHECKPERMISSION_FULL="$2"
+        # Check for symlink
+        if [ -L ${CHECKFILE} ]; then
+            ShowSymlinkPath ${CHECKFILE}
+            if [ ! "${SYMLINK}" = "" ]; then CHECKFILE="${SYMLINK}"; fi
+        fi
         if [ ! -d ${CHECKFILE} -a ! -f ${CHECKFILE} ]; then
             return 2
         else
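Review bot: The added symlink block expands `${CHECKFILE}` unquoted in `[ -L ${CHECKFILE} ]` and `ShowSymlinkPath ${CHECKFILE}`, and it reads `SYMLINK` without clearing it first. A path containing whitespace or glob characters is therefore split before the test runs. ShowSymlinkPath is not visible here; if it leaves `SYMLINK` untouched when resolution fails, a value from an earlier call would replace CHECKFILE and the permission verdict would describe a different file. Suggest `SYMLINK=""` before the call, `if [ -L "${CHECKFILE}" ]; then` and `ShowSymlinkPath "${CHECKFILE}"`. The same lines are added to IsWorldWritable in the `@@ -2002,7 +2006,11 @@` hunk with `${sFILE}`; both function bodies start and end outside their hunks.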
@@ -1320,9 +1325,8 @@
                 CHECK_PERMISSION=$(echo "${CHECK_PERMISSION}" | ${AWKBINARY} 
'{printf "%03d",$1}')
 
                 # First try stat command
-                LogText "Test: checking if file ${CHECKFILE} has the 
permissions set to ${CHECK_PERMISSION} or more restrictive"
+                LogText "Test: checking if file ${CHECKFILE} has the 
permissions set to ${CHECK_PERMISSION} (${CHECKPERMISSION_FULL}) or more 
restrictive"
                 if [ -n "${STATBINARY}" ]; then
-
                     case ${OS} in
                         *BSD | "macOS")
                             # BSD and macOS have no --format, only short 
notation
@@ -1388,7 +1392,7 @@
                 fi
             done
 
-            LogText "Outcome: permissions of file ${CHECKFILE} are not 
matching expected value (${DATA} != ${CHECKPERMISSION_FULL})"
+            LogText "Outcome: permissions of file ${CHECKFILE} are not 
matching expected value (${DATA} != ${CHECK_PERMISSION})"
             # No match, return exit code 1
             return 1
         fi
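Review bot: The mismatch message now prints `${CHECK_PERMISSION}`, which after the preceding `done` holds only the last candidate tried, in its zero-padded form. If `CHECKPERMISSION_FULL` can carry several acceptable values (the loop header is outside this hunk, so this is inferred), the log names just one of them as the expected value and a reader may conclude the others are not allowed. Printing both keeps the audit record accurate, matching the "Test:" message changed earlier in this commit: `(${DATA} != ${CHECK_PERMISSION}, accepted: ${CHECKPERMISSION_FULL})`.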
@@ -2002,7 +2006,11 @@
         if [ $# -eq 0 ]; then ExitFatal "Missing parameter when calling 
IsWorldWritable function"; fi
         sFILE=$1
         FileIsWorldWritable=""
-
+        # Check for symlink
+        if [ -L ${sFILE} ]; then
+            ShowSymlinkPath ${sFILE}
+            if [ ! "${SYMLINK}" = "" ]; then sFILE="${SYMLINK}"; fi
+        fi
         # Only check if target is a file or directory
         if [ -f ${sFILE} -o -d ${sFILE} ]; then
             FINDVAL=$(ls -ld ${sFILE} | cut -c 9)
@@ -2090,6 +2098,9 @@
         elif [ -n "${XBPSBINARY}" ]; then
             output=$(${XBPSBINARY} ${package} 2> /dev/null | ${GREPBINARY} 
"^ii")
             exit_code=$?
+        elif [ -n "${APKBINARY}" ]; then
+            output=$(${APKBINARY} search ${package} 2> /dev/null | 
${GREPBINARY} ${package})
+            exit_code=$?
         else
             if [ "${package}" != "__dummy__" ]; then
                 ReportException "PackageIsInstalled:01 
(test=${TEST_NO:-unknown})"
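Review bot: `apk search` queries the repository index of available packages rather than the installed set, so as far as I can tell this branch makes PackageIsInstalled succeed for a package that is merely installable. The unanchored, unquoted `${GREPBINARY} ${package}` also matches substrings of other package names. For an audit tool that turns "tool X is installed" into a passed control, that is a false positive. `apk info -e` should report installed status through its exit code: `output=$(${APKBINARY} info -e "${package}" 2> /dev/null)`, followed by the existing `exit_code=$?`. The rest of the function lies outside this hunk.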
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/osdetection 
new/lynis/include/osdetection
--- old/lynis/include/osdetection       2022-01-18 01:00:00.000000000 +0100
+++ new/lynis/include/osdetection       2022-05-17 02:00:00.000000000 +0200
@@ -678,7 +678,7 @@
                         ReportException "OS Detection" "Unknown OS found in 
/etc/os-release - Please create issue on GitHub project page: ${PROGRAM_SOURCE}"
                         ;;
                 esac
-            elif [ "$(uname -o 2> /dev/null)" == "illumos" ]; then
+            elif [ "$(uname -o 2> /dev/null)" = "illumos" ]; then
                 OPENSOLARIS=1
         
                 # Solaris has a free form text file with release information
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_authentication 
new/lynis/include/tests_authentication
--- old/lynis/include/tests_authentication      2022-01-18 01:00:00.000000000 
+0100
+++ new/lynis/include/tests_authentication      2022-05-17 02:00:00.000000000 
+0200
@@ -25,7 +25,7 @@
     LDAP_AUTH_ENABLED=0
     LDAP_PAM_ENABLED=0
     LDAP_CONF_LOCATIONS="${ROOTDIR}etc/ldap.conf ${ROOTDIR}etc/ldap/ldap.conf 
${ROOTDIR}etc/openldap/ldap.conf ${ROOTDIR}usr/local/etc/ldap.conf 
${ROOTDIR}usr/local/etc/openldap/ldap.conf"
-    PAM_FILE_LOCATIONS="${ROOTDIR}lib/arm-linux-gnueabihf/security 
${ROOTDIR}lib/i386-linux-gnu/security ${ROOTDIR}lib/security 
${ROOTDIR}lib/x86_64-linux-gnu/security ${ROOTDIR}lib64/security 
${ROOTDIR}usr/lib /usr/lib/security"
+    PAM_FILE_LOCATIONS="${ROOTDIR}usr/lib/aarch64-linux-gnu/security 
${ROOTDIR}lib/arm-linux-gnueabihf/security 
${ROOTDIR}lib/i386-linux-gnu/security ${ROOTDIR}lib/security 
${ROOTDIR}lib/x86_64-linux-gnu/security ${ROOTDIR}lib64/security 
${ROOTDIR}usr/lib /usr/lib/security"
     SUDOERS_LOCATIONS="${ROOTDIR}etc/sudoers ${ROOTDIR}usr/local/etc/sudoers 
${ROOTDIR}usr/pkg/etc/sudoers"
     SUDOERS_FILE=""
 #
@@ -607,7 +607,7 @@
                     Display --indent 4 --text "- Permissions for directory: 
${SUDOERS_D}" --result "${STATUS_WARNING}" --color RED
                     ;;
             esac
-            SUDO_CONFIG_FILES="${SUDO_CONFIG_FILES} $(${FINDBINARY} 
${SUDOERS_D} -type f -print)"
+            SUDO_CONFIG_FILES="${SUDO_CONFIG_FILES} $(${FINDBINARY} -L 
${SUDOERS_D} -type f -print)"
         fi
         for f in ${SUDO_CONFIG_FILES}; do
             LogText "Test: checking file (${f})"
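Review bot: `-L` makes find dereference every symlink it meets, not only links to regular files, so a symlinked directory under `${SUDOERS_D}` is descended into and the files below its target are appended to SUDO_CONFIG_FILES. The list is still consumed by the unquoted `for f in ${SUDO_CONFIG_FILES}`, and any filesystem-loop diagnostics reach the terminal because stderr is not redirected. Suggest adding `2> /dev/null` and a comment such as `# -L: test the targets of linked config files; linked directories are descended as well`. The same applies to the `-L` calls added for etc/pam.d in this file and for etc/grub.d, the rc directories and `${CHECKDIR}` in tests_boot_services.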
@@ -764,7 +764,7 @@
             LogText "Result: directory /etc/pam.d exists"
             Display --indent 2 --text "- PAM configuration files (pam.d)" 
--result "${STATUS_FOUND}" --color GREEN
             LogText "Test: searching PAM configuration files"
-            FIND=$(${FINDBINARY} ${ROOTDIR}etc/pam.d \! -name "*.pam-old" 
-type f -print | sort)
+            FIND=$(${FINDBINARY} -L ${ROOTDIR}etc/pam.d \! -name "*.pam-old" 
-type f -print | sort)
             for FILE in ${FIND}; do
                 LogText "Found file: ${FILE}"
             done
@@ -1533,31 +1533,49 @@
     # Description : Logging of failed login attempts
     Register --test-no AUTH-9408 --weight L --network NO --category security 
--description "Logging of failed login attempts"
     if [ ${SKIPTEST} -eq 0 ]; then
-        if [ -f "${ROOTDIR}etc/pam.conf" ]; then
+        if [ -f "${ROOTDIR}etc/pam.conf" -o -d "${ROOTDIR}etc/pam.d" ]; then
             FOUND_PAM_TALLY2=0
             FOUND_TALLYLOG=0
-            if [ -s "${ROOTDIR}var/log/tallylog" ]; then
+            FOUND_PAM_FAILLOCK=0
+            FOUND_FAILLOCKDIR=0
+            if [ -d "${ROOTDIR}var/run/faillock" ]; then
+                FOUND_FAILLOCKDIR=1
+                LogText "Result: found ${ROOTDIR}var/run/faillock directory"
+            elif [ -s "${ROOTDIR}var/log/tallylog" ]; then
                 FOUND_TALLYLOG=1
                 LogText "Result: found ${ROOTDIR}var/log/tallylog with a size 
bigger than zero"
             else
-                LogText "Result: did not find ${ROOTDIR}var/log/tallylog on 
disk or its file size is zero bytes"
+                LogText "Result: did not find ${ROOTDIR}var/run/faillock 
directory or ${ROOTDIR}var/log/tallylog file on disk or its file size is zero 
bytes"
             fi
-            # Determine if pam_tally2 is available
+            # Determine if pam_faillock is available
             for D in $(GetReportData --key "pam_module\\\[\\\]"); do
-                if ContainsString "pam_tally2" "${D}"; then
-                    LogText "Result: found pam_tally2 module on disk"
-                    FOUND_PAM_TALLY2=1
+                if ContainsString "pam_faillock" "${D}"; then
+                    LogText "Result: found pam_faillock module on disk"
+                    FOUND_PAM_FAILLOCK=1
                 fi
             done
-            if [ ${FOUND_PAM_TALLY2} -eq 1 -a ${FOUND_TALLYLOG} -eq 1 ]; then
+            if [ ${FOUND_PAM_FAILLOCK} -eq 0 ]; then
+                # Determine if pam_tally2 is available
+                for D in $(GetReportData --key "pam_module\\\[\\\]"); do
+                    if ContainsString "pam_tally2" "${D}"; then
+                        LogText "Result: found pam_tally2 module on disk"
+                        FOUND_PAM_TALLY2=1
+                    fi
+                done
+            fi
+            if [ ${FOUND_PAM_FAILLOCK} -eq 1 -a ${FOUND_FAILLOCKDIR} -eq 1 ]; 
then
+                LogText "Outcome: authentication failures are logged using 
pam_faillock"
+                AUTH_FAILED_LOGINS_LOGGED=1
+                Report "auth_failed_logins_tooling[]=pam_faillock"
+            elif [ ${FOUND_PAM_TALLY2} -eq 1 -a ${FOUND_TALLYLOG} -eq 1 ]; then
                 LogText "Outcome: authentication failures are logged using 
pam_tally2"
                 AUTH_FAILED_LOGINS_LOGGED=1
                 Report "auth_failed_logins_tooling[]=pam_tally2"
             else
-                LogText "Outcome: it looks like pam_tally2 is not configured 
to log failed login attempts"
+                LogText "Outcome: it looks like pam_faillock or pam_tally2 is 
not configured to log failed login attempts"
             fi
 
-            unset FOUND_PAM_TALLY2 FOUND_TALLYLOG
+            unset FOUND_PAM_TALLY2 FOUND_TALLYLOG FOUND_PAM_FAILLOCK 
FOUND_FAILLOCKDIR
         fi
         # Also check /etc/logins.defs, although its usage decreased over the 
years
         if [ -f ${ROOTDIR}etc/login.defs ]; then
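Review bot: The faillock-directory and tallylog probes are chained with `elif`, so once `${ROOTDIR}var/run/faillock` exists the tallylog check never runs and FOUND_TALLYLOG stays 0. On a host that still uses pam_tally2 but also has a faillock directory, the final branch then logs that failed logins are not tracked even though they are. Making the probes independent fixes this: close the first block with `fi`, start the second with `if [ -s "${ROOTDIR}var/log/tallylog" ]; then`, and log the "did not find" message only when both flags are 0. Separately, `var/run` is commonly a tmpfs, so a missing faillock directory shortly after boot may not mean pam_faillock is unconfigured; that deserves a comment next to the `-d` test.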
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_boot_services 
new/lynis/include/tests_boot_services
--- old/lynis/include/tests_boot_services       2022-01-18 01:00:00.000000000 
+0100
+++ new/lynis/include/tests_boot_services       2022-05-17 02:00:00.000000000 
+0200
@@ -347,7 +347,7 @@
         FOUND=0
 
         if [ -d "${ROOTDIR}etc/grub.d" ]; then
-            CONF_FILES=$(${FINDBINARY} "${ROOTDIR}etc/grub.d" -type f -name 
"[0-9][0-9]*" -print0 | ${TRBINARY} '\0' ' ' | ${TRBINARY} -d '[:cntrl:]')
+            CONF_FILES=$(${FINDBINARY} -L "${ROOTDIR}etc/grub.d" -type f -name 
"[0-9][0-9]*" -print0 | ${TRBINARY} '\0' ' ' | ${TRBINARY} -d '[:cntrl:]')
             CONF_FILES="${GRUBCONFFILE} ${ROOTDIR}boot/grub/custom.cfg 
${CONF_FILES}"
         else
             CONF_FILES="${GRUBCONFFILE} ${ROOTDIR}boot/grub/custom.cfg"
@@ -785,7 +785,7 @@
             if [ -d ${DIR} ]; then
                 LogText "Result: directory ${DIR} found"
                 LogText "Test: checking for available files in directory"
-                FIND=$(${FINDBINARY} ${DIR} -type f -print | ${SORTBINARY})
+                FIND=$(${FINDBINARY} -L ${DIR} -type f -print | ${SORTBINARY})
                 if [ -n "${FIND}" ]; then
                     LogText "Result: found files in directory, checking 
permissions now"
                     for FILE in ${FIND}; do
@@ -809,7 +809,7 @@
         for NO in 0 1 2 3 4 5 6; do
             LogText "Test: Checking ${ROOTDIR}etc/rc${NO}.d scripts for 
writable bit"
             if [ -d ${ROOTDIR}etc/rc${NO}.d ]; then
-                FIND=$(${FINDBINARY} ${ROOTDIR}etc/rc${NO}.d -type f -print | 
${SORTBINARY})
+                FIND=$(${FINDBINARY} -L ${ROOTDIR}etc/rc${NO}.d -type f -print 
| ${SORTBINARY})
                 for I in ${FIND}; do
                     if IsWorldWritable ${I}; then
                         FOUND=1
@@ -1017,7 +1017,7 @@
             LogText "Result: directory ${DIR} found"
             LogText "Test: checking for available files in directory"
             # OpenBSD uses symlinks to create another instance of daemons
-            FIND=$(${FINDBINARY} ${CHECKDIR} \( -type f -o -type l \) -print | 
${SORTBINARY})
+            FIND=$(${FINDBINARY} -L ${CHECKDIR} -type f -print | ${SORTBINARY})
             if [ -n "${FIND}" ]; then
                 LogText "Result: found files in directory, checking 
permissions now"
                 for FILE in ${FIND}; do
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_databases 
new/lynis/include/tests_databases
--- old/lynis/include/tests_databases   2022-01-18 01:00:00.000000000 +0100
+++ new/lynis/include/tests_databases   2022-05-17 02:00:00.000000000 +0200
@@ -204,7 +204,7 @@
     Register --test-no DBS-1828 --preqs-met ${PREQS_MET} --weight L --network 
NO --category security --description "Test PostgreSQL configuration"
     if [ ${SKIPTEST} -eq 0 ]; then
         FIND_PATHS="${ROOTDIR}etc/postgres ${ROOTDIR}var/lib/postgres/data 
${ROOTDIR}usr/local/pgsql/data"
-        CONFIG_FILES=$(${FINDBINARY} ${FIND_PATHS} -type f -name "*.conf" 
-print0 2> /dev/null | ${TRBINARY} -cd '[:print:]\0' | ${TRBINARY} -d '\n' | 
${TRBINARY} '\0' '\n' | xargs -i sh -c 'test -r "{}" && echo "{}"' | 
${SEDBINARY} "s/ /:space:/g")
+        CONFIG_FILES=$(${FINDBINARY} -L ${FIND_PATHS} -type f -name "*.conf" 
-print0 2> /dev/null | ${TRBINARY} -cd '[:print:]\0' | ${TRBINARY} -d '\n' | 
${TRBINARY} '\0' '\n' | xargs -i sh -c 'test -r "{}" && echo "{}"' | 
${SEDBINARY} "s/ /:space:/g")
         for CF in ${CONFIG_FILES}; do
             Report "postgresql_config_file[]=${CF}"
             LogText "Found configuration file (${CF})"
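Review bot: Each path that find returns is substituted into the script text of `sh -c 'test -r "{}" && echo "{}"'`, so quote characters or command substitutions in a file name are parsed by the shell instead of being treated as data. Adding `-L` widens the set of directories those names can come from. When the audit runs privileged this matters, so the name should be passed as an argument: `xargs -I{} sh -c 'test -r "$1" && echo "$1"' sh {}`. The `tr -cd '[:print:]\0'` filter in front does not help, since shell metacharacters are printable.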
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_kernel 
new/lynis/include/tests_kernel
--- old/lynis/include/tests_kernel      2022-01-18 01:00:00.000000000 +0100
+++ new/lynis/include/tests_kernel      2022-05-17 02:00:00.000000000 +0200
@@ -368,14 +368,14 @@
 #
     # Test        : KRNL-5788
     # Description : Checking availability new kernel
-    if [ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION}" = "Ubuntu" ] 
||
-           [ "${LINUX_VERSION_LIKE}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" 
= "Ubuntu" ]; then
+    if [ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION}" = "Ubuntu" ] 
|| [ "${LINUX_VERSION_LIKE}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" = 
"Ubuntu" ]; then
         PREQS_MET="YES"
     else
         PREQS_MET="NO"
     fi
     Register --test-no KRNL-5788 --os Linux --preqs-met ${PREQS_MET} --weight 
L --network NO --category security --description "Checking availability new 
Linux kernel"
     if [ ${SKIPTEST} -eq 0 ]; then
+        FINDKERNEL=""
         HAS_VMLINUZ=0
         LogText "Test: Searching apt-cache, to determine if a newer kernel is 
available"
         if [ -x ${ROOTDIR}usr/bin/apt-cache ]; then
@@ -384,62 +384,69 @@
             if [ -f ${ROOTDIR}vmlinuz -o -f ${ROOTDIR}boot/vmlinuz ]; then
                 HAS_VMLINUZ=1
                 if [ -f ${ROOTDIR}vmlinuz ]; then
-                    FINDVMLINUZ=${ROOTDIR}vmlinuz
+                    FINDVMLINUZ="${ROOTDIR}vmlinuz"
                 else
-                    FINDVMLINUZ=${ROOTDIR}boot/vmlinuz
+                    FINDVMLINUZ="${ROOTDIR}boot/vmlinuz"
                 fi
                 LogText "Result: found ${FINDVMLINUZ}"
                 LogText "Test: checking readlink location of ${FINDVMLINUZ}"
                 FINDKERNFILE=$(readlink -f ${FINDVMLINUZ})
                 LogText "Output: readlink reported file ${FINDKERNFILE}"
-                LogText "Test: checking package from dpkg -S"
+                LogText "Test: checking relevant package using output from 
dpkg -S"
                 FINDKERNEL=$(dpkg -S ${FINDKERNFILE} 2> /dev/null | 
${AWKBINARY} -F : '{print $1}')
                 LogText "Output: dpkg -S reported package ${FINDKERNEL}"
             elif [ -e ${ROOTDIR}dev/grsec ]; then
-                FINDKERNEL=linux-image-$(uname -r)
+                FINDKERNEL="linux-image-$(uname -r)"
                 LogText "Result: ${ROOTDIR}vmlinuz missing due to grsecurity; 
assuming ${FINDKERNEL}"
             elif [ -e ${ROOTDIR}etc/rpi-issue ]; then
-                FINDKERNEL=raspberrypi-kernel
+                FINDKERNEL="raspberrypi-kernel"
                 LogText "Result: ${ROOTDIR}vmlinuz missing due to Raspbian"
-            elif `${EGREPBINARY} -q 'do_symlinks.*=.*No' 
${ROOTDIR}etc/kernel-img.conf`; then
-                FINDKERNEL=linux-image-$(uname -r)
+            elif $(${EGREPBINARY} -q 'do_symlinks.*=.*No' 
${ROOTDIR}etc/kernel-img.conf); then
+                FINDKERNEL="linux-image-$(uname -r)"
                 LogText "Result: ${ROOTDIR}vmlinuz missing due to 
/etc/kernel-img.conf item do_symlinks = No"
             else
-                LogText "This system is missing ${ROOTDIR}vmlinuz or 
${ROOTDIR}boot/vmlinuz.  Unable to check whether kernel is up-to-date."
+                LogText "This system is missing ${ROOTDIR}vmlinuz or 
${ROOTDIR}boot/vmlinuz. Unable to check whether kernel is up-to-date."
                 ReportSuggestion "${TEST_NO}" "Determine why ${ROOTDIR}vmlinuz 
or ${ROOTDIR}boot/vmlinuz is missing on this Debian/Ubuntu system." "/vmlinuz 
or /boot/vmlinuz"
             fi
-            LogText "Test: Using apt-cache policy to determine if there is an 
update available"
-            FINDINST=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 
'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ')
-            FINDCAND=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 
'Candidate' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ')
-            LogText "Kernel installed: ${FINDINST}"
-            LogText "Kernel candidate: ${FINDCAND}"
-            if IsEmpty "${FINDINST}"; then
-                Display --indent 2 --text "- Checking for available kernel 
update" --result "${STATUS_UNKNOWN}" --color YELLOW
-                LogText "Result: Exception occurred, no output from apt-cache 
policy"
-                if [ ${HAS_VMLINUZ} -eq 1 ]; then
-                    ReportException "${TEST_NO}:01"
-                    ReportSuggestion "${TEST_NO}" "Check the output of 
apt-cache policy to determine why its output is empty"
-                fi
-                LogText "Result: apt-cache policy did not return an installed 
kernel version"
+
+            if IsEmpty "${FINDKERNEL}"; then
+                LogText "Result: could not check kernel update status as 
kernel is unknown"
             else
-                if [ "${FINDINST}" = "${FINDCAND}" ]; then
-                    if [ -e /dev/grsec ]; then
-                        Display --indent 2 --text "- Checking for available 
kernel update" --result GRSEC --color GREEN
-                        LogText "Result: Grsecurity is installed; unable to 
determine if there's a newer kernel available"
-                        ReportManual "Manually check to confirm you're using a 
recent kernel and grsecurity patch"
-                    else
-                        Display --indent 2 --text "- Checking for available 
kernel update" --result "${STATUS_OK}" --color GREEN
-                        LogText "Result: no kernel update available"
+                LogText "Result: found kernel '${FINDKERNEL}' which will be 
used for further testing"
+                LogText "Test: Using apt-cache policy to determine if there is 
an update available"
+                FINDINSTALLED=$(apt-cache policy ${FINDKERNEL} | 
${EGREPBINARY} 'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ')
+                FINDCANDIDATE=$(apt-cache policy ${FINDKERNEL} | 
${EGREPBINARY} 'Candidate' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ')
+                LogText "Kernel installed: ${FINDINSTALLED}"
+                LogText "Kernel candidate: ${FINDCANDIDATE}"
+                if IsEmpty "${FINDINSTALLED}"; then
+                    Display --indent 2 --text "- Checking for available kernel 
update" --result "${STATUS_UNKNOWN}" --color YELLOW
+                    LogText "Result: Exception occurred, no output from 
apt-cache policy"
+                    if [ ${HAS_VMLINUZ} -eq 1 ]; then
+                        ReportException "${TEST_NO}:01" "Found vmlinuz 
(${FINDVMLINUZ}) but could not determine the installed kernel using apt-cache 
policy"
+                        ReportSuggestion "${TEST_NO}" "Check the output of 
apt-cache policy to determine why its output is empty"
                     fi
+                    LogText "Result: apt-cache policy did not return an 
installed kernel version"
                 else
-                    Display --indent 2 --text "- Checking for available kernel 
update" --result "UPDATE AVAILABLE" --color YELLOW
-                    LogText "Result: kernel update available according 
'apt-cache policy'."
-                    ReportSuggestion "${TEST_NO}" "Determine priority for 
available kernel update"
+                    if [ "${FINDINSTALLED}" = "${FINDCANDIDATE}" ]; then
+                        if [ -e /dev/grsec ]; then
+                            Display --indent 2 --text "- Checking for 
available kernel update" --result GRSEC --color GREEN
+                            LogText "Result: Grsecurity is installed; unable 
to determine if there's a newer kernel available"
+                            ReportManual "Manually check to confirm you're 
using a recent kernel and grsecurity patch"
+                        else
+                            Display --indent 2 --text "- Checking for 
available kernel update" --result "${STATUS_OK}" --color GREEN
+                            LogText "Result: no kernel update available"
+                        fi
+                    else
+                        Display --indent 2 --text "- Checking for available 
kernel update" --result "UPDATE AVAILABLE" --color YELLOW
+                        LogText "Result: kernel update available according 
'apt-cache policy'."
+                        ReportSuggestion "${TEST_NO}" "Determine priority for 
available kernel update"
+                    fi
                 fi
             fi
         else
-            LogText "Result: could NOT find /usr/bin/apt-cache, skipped other 
tests."
+            LogText "Result: could NOT find ${ROOTDIR}usr/bin/apt-cache, 
skipped other tests."
         fi
+        unset FINDCANDIDATE FINDINSTALLED FINDKERNEL HAS_VMLINUZ
     fi
 #
 
#################################################################################
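Review bot: `elif $(${EGREPBINARY} -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf); then` still wraps the grep in a command substitution. It works only because `-q` prints nothing and the shell falls back to the substitution's exit status; any text grep did emit on stdout would be run as a command. Call grep directly and silence the missing-file case: `elif ${EGREPBINARY} -q 'do_symlinks.*=.*No' "${ROOTDIR}etc/kernel-img.conf" 2> /dev/null; then`. In the same hunk the inner `[ -e /dev/grsec ]` ignores `${ROOTDIR}` although the earlier branch tests `${ROOTDIR}dev/grsec`, and the final `unset` leaves FINDVMLINUZ and FINDKERNFILE set.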
@@ -463,9 +470,9 @@
             # check conf files in possibly existing coredump.conf.d folders 
             # using find instead of grep -r to stay POSIX compliant. On AIX 
and HPUX grep -r is not available.
             # while there could be multiple files overwriting each other, we 
are checking the number of occurrences
-            SYSD_CORED_SUB_PROCSIZEMAX_NR_DISABLED=$(${FINDBINARY} 
/etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ 
/usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 
's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^ProcessSizeMax=" | 
${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | 
${GREPBINARY} "^0 *$" | ${WCBINARY} -l)
-            SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED=$(${FINDBINARY} 
/etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ 
/usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 
's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^ProcessSizeMax=" | 
${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | 
${GREPBINARY} -v "^0 *$" | ${WCBINARY} -l)
-            SYSD_CORED_SUB_STORAGE_FOUND=$(${FINDBINARY} 
/etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ 
/usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 
's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^Storage=" | ${CUTBINARY} 
-d'=' -f2 | ${SEDBINARY} 's/ .*$//g')
+            SYSD_CORED_SUB_PROCSIZEMAX_NR_DISABLED=$(${FINDBINARY} -L 
/etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ 
/usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 
's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^ProcessSizeMax=" | 
${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | 
${GREPBINARY} "^0 *$" | ${WCBINARY} -l)
+            SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED=$(${FINDBINARY} -L 
/etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ 
/usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 
's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^ProcessSizeMax=" | 
${CUTBINARY} -d'=' -f2 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g' | 
${GREPBINARY} -v "^0 *$" | ${WCBINARY} -l)
+            SYSD_CORED_SUB_STORAGE_FOUND=$(${FINDBINARY} -L 
/etc/systemd/coredump.conf.d/ /run/systemd/coredump.conf.d/ 
/usr/lib/systemd/coredump.conf.d/ -type f -iname "*.conf" -exec ${SEDBINARY} 
's/^ *//g' {} \; 2> /dev/null | ${GREPBINARY} -i "^Storage=" | ${CUTBINARY} 
-d'=' -f2 | ${SEDBINARY} 's/ .*$//g')
             SYSD_CORED_SUB_STORAGE_NR_ENABLED=$(${ECHOCMD} 
"${SYSD_CORED_SUB_STORAGE_FOUND}" | ${SEDBINARY} 's/none//g' | ${WCBINARY} | 
${AWKBINARY} '{print $2}')
             SYSD_CORED_SUB_STORAGE_NR_DISABLED=$(${ECHOCMD} 
"${SYSD_CORED_SUB_STORAGE_FOUND}" | ${GREPBINARY} -o "none" | ${WCBINARY} | 
${AWKBINARY} '{print $2}')
             if ( [ ${SYSD_CORED_BASE_PROCSIZEMAX_NR_DISABLED} -ge 1 ] && [ 
${SYSD_CORED_BASE_STORAGE_NR_DISABLED} -ge 1 ] && [ 
${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -eq 0 ] && [ 
${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -eq 0 ] ) || \
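Review bot: The added `-L` on the three `${FINDBINARY}` calls makes find dereference every symlink below the coredump.conf.d directories, including symlinks to directories, and the comments above the assignments do not say so or why. A comment such as `# -L: drop-in files may be symlinks; follow them so -type f matches the link target` above the first assignment would record the intent. Because the walk has no depth limit, a directory symlink placed in one of these paths would be read in full by a scan that presumably runs with elevated privileges; if only direct drop-ins are meant, a depth limit is worth considering where the target platforms' find supports it. The same applies to the `-L` additions in the profile.d and limits.conf lines of the next hunk and in the tests_logging, tests_scheduling and tests_shells hunks.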
@@ -506,81 +513,84 @@
             LogText "Test: Checking if 'ulimit -c 0' exists in 
${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh"
             # use tail -1 in the following commands to get the last entry, 
which is the one that counts (in case of profile.d/ probably counts)
             ULIMIT_C_VALUE="$(${GREPBINARY} "ulimit -c " ${ROOTDIR}etc/profile 
2> /dev/null | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -v "^#" | ${TAILBINARY} 
-1 | ${CUTBINARY} -d' ' -f3 | ${SEDBINARY} 's/ .*$//g ; 
s/\([A-Z][a-z]*\)*$//g')"
-            ULIMIT_C_VALUE_SUB="$(${FINDBINARY} ${ROOTDIR}etc/profile.d -name 
"*.sh" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} "ulimit 
-c " | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -v "^#" | ${TAILBINARY} -1 | 
${CUTBINARY} -d' ' -f3 | ${SEDBINARY} 's/ .*$//g ; s/\([A-Z][a-z]*\)*$//g')"
+            ULIMIT_C_VALUE_SUB="$(${FINDBINARY} -L ${ROOTDIR}etc/profile.d 
-name "*.sh" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | ${GREPBINARY} 
"ulimit -c " | ${SEDBINARY} 's/^ *//g' | ${GREPBINARY} -v "^#" | ${TAILBINARY} 
-1 | ${CUTBINARY} -d' ' -f3 | ${SEDBINARY} 's/ .*$//g ; 
s/\([A-Z][a-z]*\)*$//g')"
             if ( [ -n "${ULIMIT_C_VALUE_SUB}" ] && [ "${ULIMIT_C_VALUE_SUB}" = 
"0" ] ) || ( [ -n "${ULIMIT_C_VALUE}" ] && [ -z "${ULIMIT_C_VALUE_SUB}" ] && [ 
"${ULIMIT_C_VALUE}" = "0" ] ); then
                 LogText "Result: core dumps are disabled by 'ulimit -c 0' in 
${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh"
                 Display --indent 4 --text "- configuration in etc/profile" 
--result "${STATUS_DISABLED}" --color GREEN
                 AddHP 1 1
             elif [ -z "${ULIMIT_C_VALUE_SUB}" ] && [ -z "${ULIMIT_C_VALUE}" ]; 
then
                 LogText "Result: core dumps are not disabled in 
${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh config files. Didn't find 
setting 'ulimit -c 0'"
-                Display --indent 4 --text "- configuration in etc/profile" 
--result "${STATUS_DEFAULT}" --color WHITE
+                Display --indent 4 --text "- configuration in 
${ROOTDIR}etc/profile" --result "${STATUS_DEFAULT}" --color WHITE
                 AddHP 0 1
             elif ( [ -n "${ULIMIT_C_VALUE_SUB}" ] && ( [ 
"${ULIMIT_C_VALUE_SUB}" = "unlimited" ] || [ "${ULIMIT_C_VALUE_SUB}" != "0" ] ) 
) || ( [ -n "${ULIMIT_C_VALUE}" ] && [ -z "${ULIMIT_C_VALUE_SUB}" ] && ( [ 
"${ULIMIT_C_VALUE}" = "unlimited" ] || [ "${ULIMIT_C_VALUE}" != "0" ] ) ); then
                 LogText "Result: core dumps are enabled in 
${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh config files. A value 
higher than 0 is configured for 'ulimit -c'"
-                Display --indent 4 --text "- configuration in etc/profile" 
--result "${STATUS_ENABLED}" --color RED
+                Display --indent 4 --text "- configuration in 
${ROOTDIR}etc/profile" --result "${STATUS_ENABLED}" --color RED
                 AddHP 0 1
             else
                 LogText "Result: ERROR - something went wrong. Unexpected 
result during check of ${ROOTDIR}etc/profile and ${ROOTDIR}etc/profile.d/*.sh 
config files. Please report on Github!"
-                Display --indent 4 --text "- configuration in etc/profile" 
--result "${STATUS_ERROR}" --color YELLOW
+                Display --indent 4 --text "- configuration in 
${ROOTDIR}etc/profile" --result "${STATUS_ERROR}" --color YELLOW
             fi
         fi
-        # Limits option
-        LogText "Test: Checking presence ${ROOTDIR}etc/security/limits.conf"
-        if [ -f "${ROOTDIR}etc/security/limits.conf" ]; then
-            LogText "Result: file ${ROOTDIR}etc/security/limits.conf exists"
-            LogText "Test: Checking if core dumps are disabled in 
${ROOTDIR}etc/security/limits.conf and ${LIMITS_DIRECTORY}/*"
-            # using find instead of grep -r to stay POSIX compliant. On AIX 
and HPUX grep -r is not available.
-            FIND1=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" 
"${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | 
${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="soft" && $3=="core" 
&& $4=="0") { print "soft core disabled" } else if ($1=="*" && $2=="soft" && 
$3=="core" && $4!="0") { print "soft core enabled" } }' | ${TAILBINARY} -1)
-            FIND2=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" 
"${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | 
${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="hard" && $3=="core" 
&& $4=="0") { print "hard core disabled" } else if ($1=="*" && $2=="hard" && 
$3=="core" && $4!="0") { print "hard core enabled" } }' | ${TAILBINARY} -1)
-            FIND3=$(${FINDBINARY} "${ROOTDIR}etc/security/limits.conf" 
"${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | 
${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="-" && $3=="core" && 
$4=="0") { print "core dumps disabled" } else if ($1=="*" && $2=="-" && 
$3=="core" && $4!="0") { print "core dumps enabled" } }' | ${TAILBINARY} -1)
+        
+        # Limits options
+        for DIR in "/" "/usr/"; do
+            LogText "Test: Checking presence ${DIR}etc/security/limits.conf"
+            if [ -f "${DIR}etc/security/limits.conf" ]; then
+                LogText "Result: file ${DIR}etc/security/limits.conf exists"
+                LogText "Test: Checking if core dumps are disabled in 
${DIR}etc/security/limits.conf and ${LIMITS_DIRECTORY}/*"
+                # using find instead of grep -r to stay POSIX compliant. On 
AIX and HPUX grep -r is not available.
+                FIND1=$(${FINDBINARY} -L "${DIR}etc/security/limits.conf" 
"${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | 
${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="soft" && $3=="core" 
&& $4=="0") { print "soft core disabled" } else if ($1=="*" && $2=="soft" && 
$3=="core" && $4!="0") { print "soft core enabled" } }' | ${TAILBINARY} -1)
+                FIND2=$(${FINDBINARY} -L "${DIR}etc/security/limits.conf" 
"${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | 
${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="hard" && $3=="core" 
&& $4=="0") { print "hard core disabled" } else if ($1=="*" && $2=="hard" && 
$3=="core" && $4!="0") { print "hard core enabled" } }' | ${TAILBINARY} -1)
+                FIND3=$(${FINDBINARY} -L "${DIR}etc/security/limits.conf" 
"${LIMITS_DIRECTORY}" -type f -exec ${CAT_BINARY} {} \; 2> /dev/null | 
${GREPBINARY} -v "^$" | ${AWKBINARY} '{ if ($1=="*" && $2=="-" && $3=="core" && 
$4=="0") { print "core dumps disabled" } else if ($1=="*" && $2=="-" && 
$3=="core" && $4!="0") { print "core dumps enabled" } }' | ${TAILBINARY} -1)
 
-            # When "* - core [value]" is used, then this sets both soft and 
core. In that case we set the values, as they the type 'hard' and 'soft' will 
not be present in the configuration file.
-            if [ "${FIND3}" = "core dumps disabled" ]; then
-                FIND1="soft core disabled"
-                FIND2="hard core disabled"
-            elif [ "${FIND3}" = "core dumps enabled" ]; then
-                FIND1="soft core enabled"
-                FIND2="hard core enabled"
-            fi
+                # When "* - core [value]" is used, then this sets both soft 
and core. In that case we set the values, as they the type 'hard' and 'soft' 
will not be present in the configuration file.
+                if [ "${FIND3}" = "core dumps disabled" ]; then
+                    FIND1="soft core disabled"
+                    FIND2="hard core disabled"
+                elif [ "${FIND3}" = "core dumps enabled" ]; then
+                    FIND1="soft core enabled"
+                    FIND2="hard core enabled"
+                fi
 
-            IS_SOFTCORE_DISABLED="$(if [ "${FIND1}" = "soft core disabled" ]; 
then ${ECHOCMD} DISABLED; elif [ "${FIND1}" = "soft core enabled" ]; then 
${ECHOCMD} ENABLED; else ${ECHOCMD} ${STATUS_DEFAULT}; fi)"
-            IS_HARDCORE_DISABLED="$(if [ "${FIND2}" = "hard core disabled" ]; 
then ${ECHOCMD} DISABLED; elif [ "${FIND2}" = "hard core enabled" ]; then 
${ECHOCMD} ENABLED; else ${ECHOCMD} ${STATUS_DEFAULT}; fi)"
+                IS_SOFTCORE_DISABLED="$(if [ "${FIND1}" = "soft core disabled" 
]; then ${ECHOCMD} DISABLED; elif [ "${FIND1}" = "soft core enabled" ]; then 
${ECHOCMD} ENABLED; else ${ECHOCMD} ${STATUS_DEFAULT}; fi)"
+                IS_HARDCORE_DISABLED="$(if [ "${FIND2}" = "hard core disabled" 
]; then ${ECHOCMD} DISABLED; elif [ "${FIND2}" = "hard core enabled" ]; then 
${ECHOCMD} ENABLED; else ${ECHOCMD} ${STATUS_DEFAULT}; fi)"
 
-            if [ "${FIND2}" = "hard core disabled" ]; then
-                LogText "Result: core dumps are hard disabled"
-                Display --indent 4 --text "- 'hard' configuration in 
security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "GREEN"
-                if [ "${FIND1}" = "soft core disabled" ]; then
-                    Display --indent 4 --text "- 'soft' configuration in 
security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "GREEN"
+                if [ "${FIND2}" = "hard core disabled" ]; then
+                    LogText "Result: core dumps are hard disabled"
+                    Display --indent 4 --text "- 'hard' configuration in 
${DIR}etc/security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color 
"GREEN"
+                    if [ "${FIND1}" = "soft core disabled" ]; then
+                        Display --indent 4 --text "- 'soft' configuration in 
${DIR}etc/security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color 
"GREEN"
+                    else
+                        Display --indent 4 --text "- 'soft' config in 
${DIR}etc/security/limits.conf (implicit)" --result "${STATUS_DISABLED}" 
--color "GREEN"
+                    fi
+                    AddHP 3 3
+                elif [ "${FIND1}" = "soft core enabled" ] && [ "${FIND2}" = 
"hard core enabled" ]; then
+                    LogText "Result: core dumps (soft and hard) are enabled"
+                    Display --indent 4 --text "- 'hard' configuration in 
${DIR}etc/security/limits.conf" --result "${STATUS_ENABLED}" --color "RED"
+                    Display --indent 4 --text "- 'soft' configuration in 
${DIR}etc/security/limits.conf" --result "${STATUS_ENABLED}" --color "RED"
+                    ReportSuggestion "${TEST_NO}" "If not required, consider 
explicit disabling of core dump in /etc/security/limits.conf file"
+                    AddHP 0 3
+                elif [ "${FIND1}" = "soft core disabled" ]; then
+                    LogText "Result: core dumps are disabled for 'soft' 
('hard'=${IS_HARDCORE_DISABLED})"
+                    Display --indent 4 --text "- 'hard' configuration in 
${DIR}etc/security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color 
"$(if [ "${IS_HARDCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ 
"${IS_HARDCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else 
${ECHOCMD} WHITE; fi)"
+                    Display --indent 4 --text "- 'soft' configuration in 
${DIR}etc/security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color 
"GREEN"
+                    AddHP 2 3
+                elif [ "${FIND1}" = "soft core enabled" ] || [ "${FIND2}" = 
"hard core enabled" ]; then
+                    LogText "Result: core dumps are partially enabled 
('hard'=${IS_HARDCORE_DISABLED}, 'soft'=${IS_SOFTCORE_DISABLED})"
+                    Display --indent 4 --text "- 'hard' configuration in 
${DIR}etc/security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color 
"$(if [ "${IS_HARDCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ 
"${IS_HARDCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else 
${ECHOCMD} WHITE; fi)"
+                    Display --indent 4 --text "- 'soft' configuration in 
${DIR}etc/security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color 
"$(if [ "${IS_SOFTCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ 
"${IS_SOFTCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else 
${ECHOCMD} WHITE; fi)"
+                    AddHP 0 3
                 else
-                    Display --indent 4 --text "- 'soft' config in 
security/limits.conf (implicit)" --result "${STATUS_DISABLED}" --color "GREEN"
+                    LogText "Result: core dumps are not explicitly disabled"
+                    Display --indent 4 --text "- 'hard' configuration in 
${DIR}etc/security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color 
"WHITE"
+                    Display --indent 4 --text "- 'soft' configuration in 
${DIR}etc/security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color 
"WHITE"
+                    ReportSuggestion "${TEST_NO}" "If not required, consider 
explicit disabling of core dump in ${DIR}etc/security/limits.conf file"
+                    AddHP 1 3
                 fi
-                AddHP 3 3
-            elif [ "${FIND1}" = "soft core enabled" ] && [ "${FIND2}" = "hard 
core enabled" ]; then
-                LogText "Result: core dumps (soft and hard) are enabled"
-                Display --indent 4 --text "- 'hard' configuration in 
security/limits.conf" --result "${STATUS_ENABLED}" --color "RED"
-                Display --indent 4 --text "- 'soft' configuration in 
security/limits.conf" --result "${STATUS_ENABLED}" --color "RED"
-                ReportSuggestion "${TEST_NO}" "If not required, consider 
explicit disabling of core dump in /etc/security/limits.conf file"
-                AddHP 0 3
-            elif [ "${FIND1}" = "soft core disabled" ]; then
-                LogText "Result: core dumps are disabled for 'soft' 
('hard'=${IS_HARDCORE_DISABLED})"
-                Display --indent 4 --text "- 'hard' configuration in 
security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "$(if [ 
"${IS_HARDCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ 
"${IS_HARDCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else 
${ECHOCMD} WHITE; fi)"
-                Display --indent 4 --text "- 'soft' configuration in 
security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "GREEN"
-                AddHP 2 3
-            elif [ "${FIND1}" = "soft core enabled" ] || [ "${FIND2}" = "hard 
core enabled" ]; then
-                LogText "Result: core dumps are partially enabled 
('hard'=${IS_HARDCORE_DISABLED}, 'soft'=${IS_SOFTCORE_DISABLED})"
-                Display --indent 4 --text "- 'hard' configuration in 
security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "$(if [ 
"${IS_HARDCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ 
"${IS_HARDCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else 
${ECHOCMD} WHITE; fi)"
-                Display --indent 4 --text "- 'soft' configuration in 
security/limits.conf" --result "${IS_SOFTCORE_DISABLED}" --color "$(if [ 
"${IS_SOFTCORE_DISABLED}" = "ENABLED" ]; then ${ECHOCMD} RED; elif [ 
"${IS_SOFTCORE_DISABLED}" = "DISABLED" ]; then ${ECHOCMD} GREEN; else 
${ECHOCMD} WHITE; fi)"
-                AddHP 0 3
             else
-                LogText "Result: core dumps are not explicitly disabled"
-                Display --indent 4 --text "- 'hard' configuration in 
security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "WHITE"
-                Display --indent 4 --text "- 'soft' configuration in 
security/limits.conf" --result "${IS_HARDCORE_DISABLED}" --color "WHITE"
-                ReportSuggestion "${TEST_NO}" "If not required, consider 
explicit disabling of core dump in ${ROOTDIR}etc/security/limits.conf file"
-                AddHP 1 3
+                LogText "Result: file ${DIR}etc/security/limits.conf does not 
exist, skipping test for this file"
             fi
-        else
-            LogText "Result: file ${ROOTDIR}etc/security/limits.conf does not 
exist, skipping test"
-        fi
+        done
 
         # Sysctl option
         LogText "Test: Checking sysctl value of fs.suid_dumpable"
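Review bot: The new loop `for DIR in "/" "/usr/"` drops the `${ROOTDIR}` prefix that the removed lines used, so this part of the test always reads the live root even when the rest of the file is pointed elsewhere through `${ROOTDIR}`; `for DIR in "${ROOTDIR}" "${ROOTDIR}usr/"; do` would keep the old behaviour, assuming `${ROOTDIR}` ends in a slash as its other uses suggest. Each pass also feeds `${LIMITS_DIRECTORY}` into FIND1 to FIND3 and calls AddHP, so when both limits.conf files exist the same drop-in settings are evaluated and scored twice. Two messages do not match the loop: the ReportSuggestion in the soft-and-hard-enabled branch still names `/etc/security/limits.conf`, and the 'soft' Display line in the final branch prints `${IS_HARDCORE_DISABLED}`, which looks like it should be `${IS_SOFTCORE_DISABLED}`. The enclosing test starts before this hunk.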
@@ -615,25 +625,29 @@
     Register --test-no KRNL-5830 --os Linux --weight L --network NO --category 
security --description "Checking if system is running on the latest installed 
kernel"
     if [ ${SKIPTEST} -eq 0 ]; then
         REBOOT_NEEDED=2
-        FILE="${ROOTDIR}var/run/reboot-required.pkgs"
-        LogText "Test: Checking presence ${FILE}"
-        if [ -f ${FILE} ]; then
-            LogText "Result: file ${FILE} exists"
-            FIND=$(${WCBINARY} -l < ${FILE})
-            if [ "${FIND}" = "0" ]; then
-                LogText "Result: No reboot needed (file empty)"
-                REBOOT_NEEDED=0
+        for FILE in "${ROOTDIR}var/run/reboot-required.pkgs" 
"${ROOTDIR}var/run/needs_restarting"
+        do
+            LogText "Test: Checking presence ${FILE}"
+            if [ -f ${FILE} ]; then
+                LogText "Result: file ${FILE} exists"
+                FIND=$(${WCBINARY} -l < ${FILE})
+                if [ "${FIND}" = "0" ]; then
+                    LogText "Result: No reboot needed (file empty)"
+                    REBOOT_NEEDED=0
+                    break
+                else
+                    PKGSCOUNT=$(${WCBINARY} -l < ${FILE})
+                    LogText "Result: reboot is needed, related to ${PKGSCOUNT} 
packages"
+                    for I in ${FIND}; do
+                        LogText "Package: ${I}"
+                    done
+                    REBOOT_NEEDED=1
+                    break
+                fi
             else
-                PKGSCOUNT=$(${WCBINARY} -l < ${FILE})
-                LogText "Result: reboot is needed, related to ${PKGSCOUNT} 
packages"
-                for I in ${FIND}; do
-                    LogText "Package: ${I}"
-                done
-                REBOOT_NEEDED=1
+                LogText "Result: file ${FILE} not found"
             fi
-        else
-            LogText "Result: file ${FILE} not found"
-        fi
+        done
 
         # Check if /boot exists
         if [ -d "${ROOTDIR}boot" ]; then
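Review bot: Inside the new loop `FIND` holds the output of `${WCBINARY} -l`, a line count, so `for I in ${FIND}` logs that number as a package name instead of the file's entries; `while read -r I; do LogText "Package: ${I}"; done < "${FILE}"` would log the actual lines. `PKGSCOUNT` repeats the same `wc -l` and could reuse `${FIND}`. `${FILE}` is unquoted in `[ -f ${FILE} ]` and in both redirections, which breaks if `${ROOTDIR}` contains whitespace. For `needs_restarting` the "related to N packages" wording may not fit, since that file's format is not shown here.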
@@ -663,7 +677,10 @@
                         ReportException "${TEST_NO}:1" "Can't determine kernel 
version on disk, need debug data"
                     fi
                 elif [ -f ${ROOTDIR}boot/vmlinuz-linux ] || [ -f 
${ROOTDIR}boot/vmlinuz-linux-lts ] || [ -f "$(${LSBINARY} -t 
${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${HEADBINARY} -1)" ]; then
-                    if [ -f ${ROOTDIR}boot/vmlinuz-linux ]; then
+                    if [ -f ${ROOTDIR}boot/vmlinuz ]; then
+                          LogText "Result: found ${ROOTDIR}boot/vmlinuz"
+                          FOUND_VMLINUZ=${ROOTDIR}boot/vmlinuz
+                    elif [ -f ${ROOTDIR}boot/vmlinuz-linux ]; then
                         LogText "Result: found ${ROOTDIR}boot/vmlinuz-linux"
                         FOUND_VMLINUZ=${ROOTDIR}boot/vmlinuz-linux
                     elif [ -f ${ROOTDIR}boot/vmlinuz-linux-lts ]; then
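Review bot: The added `${ROOTDIR}boot/vmlinuz` branch now takes precedence over `vmlinuz-linux` and `vmlinuz-linux-lts` with no comment explaining the ordering, so a leftover or symlinked `/boot/vmlinuz` would become the file that is version-checked. A comment such as `# boot/vmlinuz is checked first and wins over vmlinuz-linux and vmlinuz-linux-lts` would make that deliberate. The two lines in the new branch body are indented two columns deeper than the sibling branches, and the paths in the `[ -f ... ]` tests are unquoted. The if-chain continues past the end of this hunk.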
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_logging 
new/lynis/include/tests_logging
--- old/lynis/include/tests_logging     2022-01-18 01:00:00.000000000 +0100
+++ new/lynis/include/tests_logging     2022-05-17 02:00:00.000000000 +0200
@@ -387,7 +387,7 @@
             fi
             TARGET="${ROOTDIR}etc/rsyslog.d"
             if [ -d ${TARGET} ]; then
-                FILES=$(${FINDBINARY} ${TARGET} -type f -print0 | ${TRBINARY} 
-cd '[:print:]\0' | ${SEDBINARY} 's/[[:blank:]]/:space:/g' | ${TRBINARY} '\0' ' 
')
+                FILES=$(${FINDBINARY} -L ${TARGET} -type f -print0 | 
${TRBINARY} -cd '[:print:]\0' | ${SEDBINARY} 's/[[:blank:]]/:space:/g' | 
${TRBINARY} '\0' ' ')
                 for F in ${FILES}; do
                     F=$(echo ${F} | ${SEDBINARY} 's/:space:/ /g')
                     LogText "Test: analyzing file ${F} for remote target"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_malware 
new/lynis/include/tests_malware
--- old/lynis/include/tests_malware     2022-01-18 01:00:00.000000000 +0100
+++ new/lynis/include/tests_malware     2022-05-17 02:00:00.000000000 +0200
@@ -46,6 +46,24 @@
 #
 
#################################################################################
 #
+    # Test        : MALW-3274
+    # Description : Check for installed tool (McAfee VirusScan for Command 
Line)
+    Register --test-no MALW-3274 --weight L --network NO --category security 
--description "Check for McAfee VirusScan Command Line"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        LogText "Test: checking presence McAfee VirusScan for Command Line"
+        if [ -x /usr/local/uvscan/uvscan ]; then
+            Display --indent 2 --text "- ${GEN_CHECKING} McAfee VirusScan for 
Command Line" --result "${STATUS_FOUND}" --color GREEN
+            LogText "Result: Found ${MCAFEECLBINARY}"
+            MALWARE_SCANNER_INSTALLED=1
+            AddHP 2 2
+            Report "malware_scanner[]=mcafeecl"
+        else
+            LogText "Result: McAfee VirusScan for Command Line not found"
+        fi
+    fi
+#
+#################################################################################
+#
     # Test        : MALW-3275
     # Description : Check for installed tool (chkrootkit)
     Register --test-no MALW-3275 --weight L --network NO --category security 
--description "Check for chkrootkit"
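Review bot: The LogText line prints `${MCAFEECLBINARY}`, which is not assigned anywhere in the added block, so unless it is set elsewhere the log will read "Result: Found " with no path. The `-x` test also hard-codes `/usr/local/uvscan/uvscan` without the `${ROOTDIR}` prefix that other tests on this page use. Assigning `MCAFEECLBINARY="${ROOTDIR}usr/local/uvscan/uvscan"` first and testing `if [ -x "${MCAFEECLBINARY}" ]; then` would fix both. Presence of an executable at that path is the only evidence used, so the result says nothing about whether the scanner is the vendor's binary or is ever run.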
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_ports_packages 
new/lynis/include/tests_ports_packages
--- old/lynis/include/tests_ports_packages      2022-01-18 01:00:00.000000000 
+0100
+++ new/lynis/include/tests_ports_packages      2022-05-17 02:00:00.000000000 
+0200
@@ -35,6 +35,34 @@
 #
 
#################################################################################
 #
+    # Test        : PKGS-7200
+    # Description : Check Alpine Package Keeper (apk)
+    if [ -x ${ROOTDIR}/sbin/apk ]; then PREQS_MET="YES"; else PREQS_MET="NO"; 
fi
+    Register --test-no PKGS-7200 --preqs-met ${PREQS_MET} --weight L --network 
NO --category security --description "Querying apk"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        COUNT=0
+        Display --indent 4 --text "- Searching apk package manager" --result 
"${STATUS_FOUND}" --color GREEN
+        LogText "Result: Found apk binary"
+        Report "package_manager[]=apk"
+        PACKAGE_MGR_PKG=1
+        LogText "Test: Querying apk info -v to get package list"
+        Display --indent 6 --text "- Querying package manager"
+        LogText "Output:"
+        SPACKAGES=$(apk info -v | ${SEDBINARY} -r -e 
's/([a-z,A-Z,0-9,_,-,.]{1,250})-([a-z,A-Z,0-9,.]+-r[a-z,A-Z,0-9]+)/\1,\2/' | 
sort)
+        for J in ${SPACKAGES}; do
+            COUNT=$((COUNT + 1))
+            PACKAGE_NAME=$(echo ${J} | ${CUTBINARY} -d ',' -f1)
+            PACKAGE_VERSION=$(echo ${J} | ${CUTBINARY} -d ',' -f2)
+            LogText "Found package: ${PACKAGE_NAME} (version: 
${PACKAGE_VERSION})"
+            
INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
+        done
+        Report "installed_packages=${COUNT}"
+    else
+        LogText "Result: apk "${STATUS_NOT_FOUND}", test skipped"
+    fi
+#
+#################################################################################
+#
     # Test        : PKGS-7301
     # Description : Query FreeBSD pkg
     if [ -x ${ROOTDIR}usr/sbin/pkg ]; then PREQS_MET="YES"; else 
PREQS_MET="NO"; fi
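Review bot: The prerequisite tests `${ROOTDIR}/sbin/apk`, but the package list comes from a bare `apk info -v`, so whichever `apk` is first in PATH is executed rather than the binary that was checked; `SPACKAGES=$(${ROOTDIR}sbin/apk info -v | ...` would tie the two together. The prerequisite path has an extra slash compared with `${ROOTDIR}sbin/apk` in PKGS-7395 and `${ROOTDIR}usr/sbin/pkg` just below. `sort` is likewise called by bare name, unlike the `...BINARY` variables used for sed and cut. In the else branch the inner double quotes around `${STATUS_NOT_FOUND}` close and reopen the string, which leaves the variable unquoted; `LogText "Result: apk ${STATUS_NOT_FOUND}, test skipped"` is enough.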
@@ -1236,6 +1264,41 @@
 #
 
#################################################################################
 #
+    # Test        : PKGS-7395
+    # Description : Check Alpine upgradeable packages
+    if [ "${LINUX_VERSION}" = "Alpine Linux" ]  && [ -x "${ROOTDIR}sbin/apk" 
]; then
+        PREQS_MET="YES"
+    else
+        PREQS_MET="NO"
+    fi
+
+    Register --test-no PKGS-7395 --os Linux --preqs-met ${PREQS_MET} --weight 
L --network YES --category security --description "Check for Alpine updates"
+    if [ ${SKIPTEST} -eq 0 ]; then
+        if [ ${REFRESH_REPOSITORIES} -eq 1 ]; then
+            LogText "Action: updating package repository with apk"
+            ${ROOTDIR}sbin/apk update
+            LogText "Result: apk finished"
+        else
+            LogText "Result: using a possibly outdated repository, as updating 
is disabled via configuration"
+        fi
+        LogText "Test: Checking packages which can be upgraded via apk version 
-l '<'"
+        FIND=$(${ROOTDIR}sbin/apk version -l '<' | ${GREPBINARY} '<' | 
${SEDBINARY} 's/\s\+<\s/</g')
+        if [ -z "${FIND}" ]; then
+            LogText "Result: no packages found which can be upgraded"
+            Display --indent 2 --text "- Checking upgradeable packages" 
--result "${STATUS_NONE}" --color GREEN
+            AddHP 3 3
+        else
+            LogText "Result: found one or more packages which can be upgraded"
+            Display --indent 2 --text "- Checking upgradeable packages" 
--result "${STATUS_FOUND}" --color YELLOW
+            for ITEM in ${FIND}; do
+                ITEM=$(echo ${ITEM} | ${SEDBINARY}  -r -e 
's/([a-z,A-Z,0-9,_,-,.]{1,250})-([a-z,A-Z,0-9,.]+-r[a-z,A-Z,0-9]+)<([a-z,A-Z,0-9,-,.]+)/\1
 from \2 to \3/')
+                LogText "${ITEM}"
+            done
+        fi
+    fi
+#
+#################################################################################
+#
     # Test        : PKGS-7398
     # Description : Check package audit tool
     Register --test-no PKGS-7398 --weight L --network YES --category security 
--description "Check for package audit tool"
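Review bot: The branch that finds upgradeable packages only logs and displays; it has no `AddHP` call and no report entry, while the clean branch awards `AddHP 3 3`, so outstanding updates presumably do not lower the hardening score. If that is not intended, `AddHP 0 3` after the Display line would match how negative results are scored in other tests on this page. `${ROOTDIR}sbin/apk update` writes straight to the terminal and its exit status is ignored, so a failed refresh is still logged as "Result: apk finished". `for ITEM in ${FIND}` relies on word splitting of the sed output, which holds only as long as no line keeps a space after the `<` substitution.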
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_printers_spoolers 
new/lynis/include/tests_printers_spoolers
--- old/lynis/include/tests_printers_spoolers   2022-01-18 01:00:00.000000000 
+0100
+++ new/lynis/include/tests_printers_spoolers   2022-05-17 02:00:00.000000000 
+0200
@@ -139,8 +139,18 @@
     Register --test-no PRNT-2308 --preqs-met ${PREQS_MET} --weight L --network 
NO --category security --description "Check CUPSd network configuration"
     if [ ${SKIPTEST} -eq 0 ]; then
         FOUND=0
-        # Checking network addresses
+        PORT_FOUND=0
+
         LogText "Test: Checking CUPS daemon listening network addresses"
+
+        # Search for Port statement
+        FIND=$(${EGREPBINARY} "^Port 631" ${CUPSD_CONFIG_FILE})
+        if [ -n "${FIND}" ]; then
+            LogText "Result: found CUPS listening on port 631 (most likely all 
interfaces)"
+            PORT_FOUND=1
+        fi
+
+        # Checking network addresses
         FIND=$(${EGREPBINARY} "^(SSL)?Listen" ${CUPSD_CONFIG_FILE} | 
${GREPBINARY} -v "/" | ${AWKBINARY} '{ print $2 }')
         COUNT=0
         for ITEM in ${FIND}; do
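Review bot: `PORT_FOUND` depends on the fixed pattern `^Port 631`, so a `Port` line with another number, a tab or several spaces is not detected and the later localhost-only branch can still be reached. A broader match such as `${EGREPBINARY} "^Port[[:space:]]+[0-9]+" ${CUPSD_CONFIG_FILE}` would cover those cases, with the log message changed to print the matched line instead of a fixed port. `${CUPSD_CONFIG_FILE}` is unquoted in both grep calls. The test body continues in the next hunk.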
@@ -149,17 +159,10 @@
             FOUND=1
         done
 
-        # Search for Port statement
-        FIND=$(${EGREPBINARY} "^Port 631" ${CUPSD_CONFIG_FILE})
-        if [ -n "${FIND}" ]; then
-            LogText "Result: found CUPS listening on port 631 (most likely all 
interfaces)"
-            FOUND=1
-        fi
-
         # Check if daemon might be running on localhost
-        if [ ${FOUND} -eq 0 ]; then
+        if [ ${FOUND} -eq 0 -a ${PORT_FOUND} -eq 0 ]; then
             LogText "Result: CUPS does not look to be listening on a network 
port"
-        elif [ ${COUNT} -eq 1 ]; then
+        elif [ ${COUNT} -eq 1 -a ${PORT_FOUND} -eq 0 ]; then
             if [ "${FIND}" = "localhost:631" -o "${FIND}" = "127.0.0.1:631" ]; 
then
                 LogText "Result: CUPS daemon only running on localhost"
                 AddHP 2 2
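Review bot: The two changed conditions use `-a` inside a single `[ ]`, which POSIX marks obsolescent and which can parse ambiguously with unusual operands; `if [ ${FOUND} -eq 0 ] && [ ${PORT_FOUND} -eq 0 ]; then` and `elif [ ${COUNT} -eq 1 ] && [ ${PORT_FOUND} -eq 0 ]; then` are the equivalent forms already used in other tests on this page. The branch taken when `PORT_FOUND` is 1 lies outside the hunk, so whether that case produces a finding cannot be checked here.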
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_scheduling 
new/lynis/include/tests_scheduling
--- old/lynis/include/tests_scheduling  2022-01-18 01:00:00.000000000 +0100
+++ new/lynis/include/tests_scheduling  2022-05-17 02:00:00.000000000 +0200
@@ -77,7 +77,7 @@
                 if FileIsReadable ${DIR}; then
                     LogText "Result: found directory ${DIR}"
                     LogText "Test: searching files in ${DIR}"
-                    FIND=$(${FINDBINARY} ${DIR} -type f -print | ${GREPBINARY} 
-v ".placeholder")
+                    FIND=$(${FINDBINARY} -L ${DIR} -type f -print | 
${GREPBINARY} -v ".placeholder")
                     if IsEmpty "${FIND}"; then
                         LogText "Result: no files found in ${DIR}"
                     else
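Review bot: This find call has no `2> /dev/null`, while the otherwise identical call in the next hunk does, and with `-L` added any diagnostics find emits for symlink loops or unreadable link targets would reach the terminal here. Adding the redirection, `FIND=$(${FINDBINARY} -L ${DIR} -type f -print 2> /dev/null | ${GREPBINARY} -v ".placeholder")`, would make the two consistent. `${DIR}` is unquoted, and `-v ".placeholder"` treats the dot as a regex wildcard and matches anywhere in the path; `-F` would make it literal if the `${GREPBINARY}` in use supports it.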
@@ -112,7 +112,7 @@
                 LogText "Result: found directory ${I}"
                 if FileIsReadable ${I}; then
                     LogText "Test: searching files in ${I}"
-                    FIND=$(${FINDBINARY} ${I} -type f -print 2> /dev/null | 
${GREPBINARY} -v ".placeholder")
+                    FIND=$(${FINDBINARY} -L ${I} -type f -print 2> /dev/null | 
${GREPBINARY} -v ".placeholder")
                     if [ -z "${FIND}" ]; then
                         LogText "Result: no files found in ${I}"
                     else
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_shells 
new/lynis/include/tests_shells
--- old/lynis/include/tests_shells      2022-01-18 01:00:00.000000000 +0100
+++ new/lynis/include/tests_shells      2022-05-17 02:00:00.000000000 +0200
@@ -167,9 +167,9 @@
             FIND=$(${LSBINARY} ${ROOTDIR}etc/profile.d/*.sh 2> /dev/null)
             if [ -n "${FIND}" ]; then
                 # Determine if we can find a TMOUT value
-                FIND=$(${FINDBINARY} ${ROOTDIR}etc/profile.d -name "*.sh" 
-type f -exec cat {} \; 2> /dev/null | ${GREPBINARY} 'TMOUT=' | ${TRBINARY} -d 
' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | 
${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }')
+                FIND=$(${FINDBINARY} -L ${ROOTDIR}etc/profile.d -name "*.sh" 
-type f -exec cat {} \; 2> /dev/null | ${GREPBINARY} 'TMOUT=' | ${TRBINARY} -d 
' ' | ${TRBINARY} -d '\t' | ${GREPBINARY} -v "^#" | ${SEDBINARY} 's/export//' | 
${SEDBINARY} 's/#.*//' | ${AWKBINARY} -F= '{ print $2 }')
                 # Determine if the value is exported (with export, readonly, 
or typeset)
-                FIND2=$(${FINDBINARY} ${ROOTDIR}etc/profile.d -name "*.sh" 
-type f -exec cat {} \; 2> /dev/null | ${GREPBINARY} 
'\(export\|readonly\|typeset -r\)[ \t]*TMOUT' | ${GREPBINARY} -v "^#" | 
${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }')
+                FIND2=$(${FINDBINARY} -L ${ROOTDIR}etc/profile.d -name "*.sh" 
-type f -exec cat {} \; 2> /dev/null | ${GREPBINARY} 
'\(export\|readonly\|typeset -r\)[ \t]*TMOUT' | ${GREPBINARY} -v "^#" | 
${SEDBINARY} 's/#.*//' | ${AWKBINARY} '{ print $1 }')
                 if [ -n "${FIND}" ]; then
                     N=0; IDLE_TIMEOUT=1
                     for I in ${FIND}; do
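Review bot: The guard above uses `${LSBINARY} ${ROOTDIR}etc/profile.d/*.sh`, which looks only at the top level, but both `find -L` lines recurse and now also descend into symlinked directories. A `TMOUT=` in a nested file can therefore be counted even though, on typical setups, /etc/profile sources only the top-level `*.sh` files (worth confirming for the supported platforms). That can make the audit report an idle timeout that is not actually in effect. A comment stating the intent would help, e.g. `# -L: profile.d entries may be symlinks; note that find also recurses into subdirectories`, or the search could be limited to the same glob the guard uses. The enclosing block continues outside the hunk.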
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_squid 
new/lynis/include/tests_squid
--- old/lynis/include/tests_squid       2022-01-18 01:00:00.000000000 +0100
+++ new/lynis/include/tests_squid       2022-05-17 02:00:00.000000000 +0200
@@ -131,7 +131,7 @@
     Register --test-no SQD-3613 --preqs-met ${PREQS_MET} --weight L --network 
NO --category security --description "Check Squid file permissions"
     if [ ${SKIPTEST} -eq 0 ]; then
         LogText "Test: Checking file permissions of ${SQUID_DAEMON_CONFIG}"
-        FIND=$(find ${SQUID_DAEMON_CONFIG} -type f -a \( -perm -004 -o -perm 
-002 -o -perm -001 \))
+        FIND=$(find -L ${SQUID_DAEMON_CONFIG} -type f -a \( -perm -004 -o 
-perm -002 -o -perm -001 \))
         if [ -n "${FIND}" ]; then
             LogText "Result: file ${SQUID_DAEMON_CONFIG} is world readable, 
writable or executable and could leak information or passwords"
             Display --indent 4 --text "- Checking Squid configuration file 
permissions" --result "${STATUS_WARNING}" --color RED
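Review bot: This line calls bare `find` while the other tests in this update use the resolved `${FINDBINARY}`, and `${SQUID_DAEMON_CONFIG}` is unquoted. For a tool that usually runs as root, relying on PATH lookup is worth avoiding. If the variable were empty, GNU find would fall back to searching the current directory and could attribute unrelated files to the Squid configuration; whether that can happen depends on the prerequisites check, which is not visible here. Suggested: `FIND=$(${FINDBINARY} -L "${SQUID_DAEMON_CONFIG}" -type f -a \( -perm -004 -o -perm -002 -o -perm -001 \))`. The test body continues past the end of the hunk.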
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_ssh new/lynis/include/tests_ssh
--- old/lynis/include/tests_ssh 2022-01-18 01:00:00.000000000 +0100
+++ new/lynis/include/tests_ssh 2022-05-17 02:00:00.000000000 +0200
@@ -74,7 +74,7 @@
                 LogText "Result: ${I}/sshd_config exists"
                 if [ ${FOUND} -eq 1 ]; then
                     ReportException "${TEST_NO}:01"
-                    LogText "Result: we already had found another sshd_config 
file. Using this new file then."
+                    LogText "Result: we already found another sshd_config 
file. Using this new file instead of the previous one."
                 fi
                 FileIsReadable ${I}/sshd_config
                 if [ ${CANREAD} -eq 1 ]; then
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_webservers 
new/lynis/include/tests_webservers
--- old/lynis/include/tests_webservers  2022-01-18 01:00:00.000000000 +0100
+++ new/lynis/include/tests_webservers  2022-05-17 02:00:00.000000000 +0200
@@ -288,7 +288,7 @@
     Register --test-no HTTP-6643 --preqs-met ${PREQS_MET} --weight L --network 
NO --category security --description "Determining existence of specific Apache 
modules"
     if [ ${SKIPTEST} -eq 0 ]; then
         # Check modules, module
-        if CheckItem "apache_module" "/mod_security2.so"; then
+        if CheckItem "apache_module" "/mod_security(2|3).so" ; then
             Display --indent 10 --text "ModSecurity: web application firewall" 
--result "${STATUS_FOUND}" --color GREEN
             AddHP 3 3
         else
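Review bot: The new pattern `"/mod_security(2|3).so"` only works if `CheckItem` matches its second argument as an extended regular expression. The function is not visible here, and under basic regex matching the parentheses and bar would be literal, so ModSecurity would silently be reported as missing. A bracket expression behaves the same in basic and extended syntax and also pins the dot: `if CheckItem "apache_module" "/mod_security[23]\.so"; then`. The test body continues outside the hunk.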
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/lynis new/lynis/lynis
--- old/lynis/lynis     2022-01-18 01:00:00.000000000 +0100
+++ new/lynis/lynis     2022-05-17 02:00:00.000000000 +0200
@@ -43,10 +43,10 @@
     PROGRAM_WEBSITE="https://cisofy.com/lynis/";
 
     # Version details
-    PROGRAM_RELEASE_DATE="2022-01-18"
-    PROGRAM_RELEASE_TIMESTAMP=1642512096
+    PROGRAM_RELEASE_DATE="2022-05-17"
+    PROGRAM_RELEASE_TIMESTAMP=1652791205
     PROGRAM_RELEASE_TYPE="release" # pre-release or release
-    PROGRAM_VERSION="3.0.7"
+    PROGRAM_VERSION="3.0.8"
 
     # Source, documentation and license
     PROGRAM_SOURCE="https://github.com/CISOfy/lynis";
