Package: lynis
Version: 1.3.2-1
Severity: normal
Tags: patch
Dear Maintainer,

I've run into a pair of small problems with the way Lynis is testing for
configured NTP clients.

The first problem I encountered was on my laptop. Because this machine is
running intermittently, I have my NTP client configured in /etc/anacrontab
and not in /etc/crontab. The second file was being checked by Lynis but not
the first, and so was missed on my system.

The second problem I encountered was on a few servers I manage. On them, I
have my NTP client set to run from /etc/cron.daily but Lynis only checks
/etc/cron.d and /var/spool/crontab. I was able to add a small loop that then
checks /etc/cron.d, /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly,
/etc/cron.monthly and /var/spool/crontab. This should allow a user to
configure his NTP client to run based on what is appropriate to compensate
for the time drift of his system.

I have included a patch that includes fixes for both problems for your
consideration. Is this the type of change Lynis should make on Debian?

Thank you,
Dave Vehrs
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 3.10-1-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
lynis depends on no packages.
Versions of packages lynis recommends:
ii menu 2.1.46
Versions of packages lynis suggests:
ii dnsutils 1:9.9.3.dfsg.P2-4
-- no debconf information
*** tests_time.patch
--- tests_time.orig 2013-10-19 08:46:21.000000000 -0600
+++ tests_time 2013-10-19 09:07:42.000000000 -0600
@@ -50,55 +50,72 @@
Display --indent 2 --text "- Checking running NTP
daemon..." --result "NOT FOUND" --color WHITE
fi
- # Check crontab for OpenBSD/FreeBSD
- if [ -f /etc/crontab ]; then
- FIND=`cat /etc/crontab | egrep "ntpdate|rdate" | grep -v '^#'`
- if [ ! "${FIND}" = "" ]; then
- FOUND=1;
- Display --indent 2 --text "- Checking NTP client in
crontab file..." --result FOUND --color GREEN
- else
- Display --indent 2 --text "- Checking NTP client in
crontab file..." --result "NOT FOUND" --color WHITE
- fi
- fi
-
- # Don't run check in cron job directory on Solaris
- # /etc/cron.d/FIFO is a special file and test get stuck at this file
- if [ ! "${OS}" = "Solaris" ]; then
- # Check cron jobs
- if [ -d /etc/cron.d ]; then
- FIND=`ls /etc/cron.d`
- if [ ! "${FIND}" = "" ]; then
- FIND2=`egrep "rdate|ntpdate" /etc/cron.d/*`
- if [ ! "${FIND2}" = "" ]; then
- FOUND=1;
- Display --indent 2 --text "- Checking NTP client
in cron.d files..." --result FOUND --color GREEN
- logtext "Result: found ntpdate or rdate in
/etc/cron.d directory"
- logtext "Output: ${FIND2}"
- else
- Display --indent 2 --text "- Checking NTP client
in cron.d files..." --result "NOT FOUND" --color WHITE
- fi
- else
- logtext "Result: /etc/cron.d is empty, skipping
search in cron.d directory"
- fi
- fi
+ # If not already found, check files.
+ if [ ${FOUND} -eq 0 ]; then
+ # Check if ntpdate or rdate are scheduled for execution in
various crontab files for OpenBSD/FreeBSD/Linux
+ logtext "Test: Searching for scheduled ntpdate or rdate
execution in a few files..."
+ for FILE in \
+ /etc/crontab \
+ /etc/anacrontab; do
+ # Check if file exists
+ if [ -f ${FILE} ]; then
+ # Check if rdate or ntpdate are configured to run in FILE
+ FIND=`cat ${FILE} | egrep "ntpdate|rdate" | grep -v '^#'`
+ if [ ! "${FIND}" = "" ]; then
+ FOUND=1
+ Display --indent 2 --text "- Checking for NTP
client in ${FILE} file..." --result FOUND --color GREEN
+ logtext "Result: found ntpdate or rdate in ${FILE}
file"
+ logtext "Output: ${FIND}"
+ else
+ Display --indent 2 --text "- Checking for NTP
client in ${FILE} file..." --result "NOT FOUND" --color WHITE
+ fi
+ else
+ logtext "Result: ${FILE} does not exist, skipping search."
+ fi
+ done
+ fi
- if [ -d /var/spool/crontabs ]; then
- FIND=`ls /var/spool/crontabs`
- if [ ! "${FIND}" = "" ]; then
- FIND2=`egrep "rdate|ntpdate" /var/spool/crontabs/*`
- if [ ! "${FIND2}" = "" ]; then
- FOUND=1;
- Display --indent 2 --text "- Checking NTP client
in crontabs files..." --result FOUND --color GREEN
- logtext "Result: found ntpdate or rdate in
/var/spool/crontabs directory"
- logtext "Output: ${FIND2}"
- else
- Display --indent 2 --text "- Checking NTP client
in crontabs files..." --result "NOT FOUND" --color WHITE
- fi
- else
- logtext "Result: /var/spool/crontabs is empty,
skipping search in /vars/spool/crontabs directory"
- fi
- fi
- fi
+ # If not already found, check directories.
+ if [ ${FOUND} -eq 0 ]; then
+ # Looking for ntpdate or rdate in scripts stored in a few
directories for
+ # cron scheduled execution.
+ logtext "Test: Searching for scheduled job for ntpdate or rdate
in a few directories..."
+ for DIRECTORY in \
+ /etc/cron.d \
+ /etc/cron.hourly \
+ /etc/cron.daily \
+ /etc/cron.weekly \
+ /etc/cron.monthly \
+ /var/spool/crontabs; do
+ # Check if DIRECTORY exists
+ if [ -d ${DIRECTORY} ]; then
+ # Check if DIRECTORY has any files in it
+ FIND=`ls ${DIRECTORY}`
+ if [ ! "${FIND}" = "" ]; then
+ # Check if rdate or ntpdate are called from any
file in DIRECTORY
+ # For Solaris, exclude the file /etc/cron.d/FIFO
because it is a
+ # special file and may cause the test to hang.
+ if [ "${OS}" = "Solaris" ]; then
+ FIND2=`egrep "rdate|ntpdate" --exclude="FIFO"
${DIRECTORY}/* | grep -v '^#'`
+ else
+ FIND2=`egrep "rdate|ntpdate" ${DIRECTORY}/* |
grep -v '^#'`
+ fi
+ if [ ! "${FIND2}" = "" ]; then
+ FOUND=1;
+ Display --indent 2 --text "- Checking for NTP
client in ${DIRECTORY} directory..." --result "FOUND" --color GREEN
+ logtext "Result: found ntpdate or rdate in
${DIRECTORY} directory"
+ logtext "Output: ${FIND2}"
+ else
+ Display --indent 2 --text "- Checking for NTP
client in ${DIRECTORY} directory..." --result "NOT FOUND" --color WHITE
+ fi
+ else
+ logtext "Result: ${DIRECTORY} is empty, skipping
search."
+ fi
+ else
+ logtext "Result: ${DIRECTORY} does not exist, skipping
search."
+ fi
+ done
+ fi
if [ ${FOUND} -eq 0 -a ${OS} = "FreeBSD" ]; then
logtext "Test: Checking if ntpdate is enabled at startup in
FreeBSD"
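Review bot: In the directory loop, the pipeline egrep "rdate|ntpdate" ${DIRECTORY}/* | grep -v '^#' does not drop commented-out entries when the directory holds more than one file, because egrep then prefixes each match with the file name and no output line begins with '#'. A disabled "#ntpdate ..." line in /etc/cron.daily would still set FOUND=1. Suggest removing comment lines before matching, one file at a time as the /etc/crontab and /etc/anacrontab loop does, or matching on the text after the "file:" prefix. Separately, the removed code skipped the directory scan on Solaris altogether, while the replacement relies on --exclude="FIFO", which is a GNU grep option; please confirm the Solaris egrep accepts it before dropping that guard, since the comment in the hunk says the FIFO file can hang the test. ${FILE} and ${DIRECTORY} should also be quoted in the [ -f ... ], [ -d ... ], cat and ls calls.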
@@ -122,7 +139,7 @@
ReportWarning ${TEST_NO} "M" "No running NTP daemon or
available client found"
AddHP 0 2
else
- Display --indent 2 --text "- Checking for a running NTP
daemon or client..." --result OK --color GREEN
+ Display --indent 2 --text "- Found NTP time syncing daemon
or client..." --result OK --color GREEN
logtext "Result: Found a time syncing daemon/client."
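Review bot: The new Display label "- Found NTP time syncing daemon or client..." states the outcome in the text as well as in --result OK, and departs from the "- Checking ..." wording used by every other Display call in this patch; the logtext line directly below already records "Found a time syncing daemon/client." Suggest keeping a "- Checking for ..." label and letting --result carry the outcome, or saying in the report why the wording needs to change, since the message does not mention this hunk.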