Hello community,

here is the log from the commit of package lynis for openSUSE:Factory checked 
in at 2018-06-28 15:12:53
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/lynis (Old)
 and      /work/SRC/openSUSE:Factory/.lynis.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "lynis"

Thu Jun 28 15:12:53 2018 rev:28 rq:619349 version:2.6.5

Changes:
--------
--- /work/SRC/openSUSE:Factory/lynis/lynis.changes      2018-01-28 
00:39:57.496029197 +0100
+++ /work/SRC/openSUSE:Factory/.lynis.new/lynis.changes 2018-06-28 
15:13:12.155616687 +0200
@@ -1,0 +2,24 @@
+Wed Jun 27 08:42:31 UTC 2018 - astie...@suse.com
+
+- update to 2.6.5:
+  * mail: Exim configuration test
+  * network: Use FQDN to test status of a nameserver instead of own IP address
+  * ssh: Improved test to allow configurations with a Match block
+- includes changes from 2.6.4:
+  * auth: Made 'sulogin' more generic for systemd rescue shell
+  * dns: Initial work on DNSSEC validation testing
+  * network: Added support for local resolver 127.0.0.53
+  * php: Suhosin test disbled
+  * ssh: Removed 'DELAYED' from OpenSSH Compression setting
+  * time: Improvements to detect step-tickers file and entries
+- includes changes from 2.6.3:
+  * crypt: Do prevalidation for certificates before testing them
+  * hardening: Enhanced compiler permission test
+  * name: Improved test to filter out empty lines
+  * packages: changes to detect yum-utils package and related tooling
+  * plugins: cron file permissions
+- includes changes from 2.6.2:
+  * Textual changes for several tests
+  * Update of tests database
+
+-------------------------------------------------------------------
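
Review bot: typo in the 2.6.4 entry, `* php: Suhosin test disbled` should read "disabled". The same misspelling appears in upstream's CHANGELOG.md line for [PHP-2379], so it was carried over when the entries were copied; the package changelog is the packager's own text and can be corrected here.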

Old:
----
  lynis-2.6.1.tar.gz
  lynis-2.6.1.tar.gz.asc

New:
----
  lynis-2.6.5.tar.gz
  lynis-2.6.5.tar.gz.asc

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ lynis.spec ++++++
--- /var/tmp/diff_new_pack.YJTuZS/_old  2018-06-28 15:13:13.771613726 +0200
+++ /var/tmp/diff_new_pack.YJTuZS/_new  2018-06-28 15:13:13.783613704 +0200
@@ -22,14 +22,13 @@
 %define _includedir       %{_datadir}/lynis/include
 %define _pluginsdir       %{_datadir}/lynis/plugins
 %define _dbdir            %{_datadir}/lynis/db
-%define _bindir           %{_prefix}/bin
 Name:           lynis
-Version:        2.6.1
+Version:        2.6.5
 Release:        0
 Summary:        Security and System auditing tool
-License:        GPL-3.0
+License:        GPL-3.0-only
 Group:          System/Monitoring
-Url:            https://cisofy.com/lynis/
+URL:            https://cisofy.com/lynis/
 Source0:        https://cisofy.com/files/%{name}-%{version}.tar.gz
 Source2:        tests_binary_rpath
 Source3:        tests_file_permissionsDB
@@ -60,7 +59,6 @@
 Requires:       wget
 # FIXME: use proper Requires(pre/post/preun/...)
 PreReq:         %fillup_prereq
-BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildArch:      noarch
 
 %description
@@ -121,7 +119,6 @@
 chmod +x %{buildroot}%{_pluginsdir}/custom_plugin.template
 
 %files
-%defattr(-,root,root)
 %{_bindir}/%{name}
 %config(noreplace) %{_sysconfdir}/%{name}/default.prf
 %{_dbdir}/*
@@ -133,8 +130,9 @@
 %dir %{_datadir}/%{name}/include
 %attr(640,root,root) %{_datadir}/%{name}/include/*
 %dir %{_datadir}/%{name}/plugins
-%doc CHANGELOG.md CONTRIBUTORS.md FAQ LICENSE README
-%{_mandir}/man8/%{name}.8.*
+%license LICENSE
+%doc CHANGELOG.md CONTRIBUTORS.md FAQ README
+%{_mandir}/man8/%{name}.8%{?ext_man}
 %{_datadir}/%{name}/prepare_for_suse.sh
 
 %changelog

++++++ lynis-2.6.1.tar.gz -> lynis-2.6.5.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/CHANGELOG.md new/lynis/CHANGELOG.md
--- old/lynis/CHANGELOG.md      2018-01-26 01:00:00.000000000 +0100
+++ new/lynis/CHANGELOG.md      2018-06-26 02:00:00.000000000 +0200
@@ -1,6 +1,65 @@
 Lynis Changelog
 ===============
 
+Lynis 2.6.5 (2018-06-26)
+
+Tests:
+------
+
+* [MAIL-8804] - Exim configuration test
+* [NETW-2704] - Use FQDN to test status of a nameserver instead of own IP 
address
+* [SSH-7402]  - Improved test to allow configurations with a Match block
+
+---------------------------------------------------------------------------------
+
+Lynis 2.6.4 (2018-05-02)
+
+Changes:
+--------
+* Several contributions merged, including grammar improvements
+* Initial support for Ubuntu 18.04 LTS
+* Small enhancements for usage
+
+Tests:
+------
+* [AUTH-9308] - Made 'sulogin' more generic for systemd rescue shell
+* [DNS-1600]  - Initial work on DNSSEC validation testing
+* [NETW-2704] - Added support for local resolver 127.0.0.53
+* [PHP-2379]  - Suhosin test disbled
+* [SSH-7408]  - Removed 'DELAYED' from OpenSSH Compression setting
+* [TIME-3160] - Improvements to detect step-tickers file and entries
+
+---------------------------------------------------------------------------------
+
+Lynis 2.6.3 (2018-03-07)
+
+Changes:
+--------
+* Change in routine for host identifiers
+
+Tests:
+------
+* [CRYP-7902] - Do prevalidation for certificates before testing them
+* [HRDN-7222] - Enhanced compiler permission test
+* [NAME-4402] - Improved test to filter out empty lines
+* [PKGS-7384] - Changes to detect yum-utils package and related tooling
+
+Plugins:
+--------
+* [PLGN-2680] - cron file permissions
+
+---------------------------------------------------------------------------------
+
+Lynis 2.6.2 (2018-02-13)
+
+Changes:
+--------
+* Bugfix for Arch Linux (binary detection)
+* Textual changes for several tests
+* Update of tests database
+
+---------------------------------------------------------------------------------
+
 Lynis 2.6.1 (2018-01-26)
 
 Changes:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/CONTRIBUTORS.md new/lynis/CONTRIBUTORS.md
--- old/lynis/CONTRIBUTORS.md   2018-01-26 01:00:00.000000000 +0100
+++ new/lynis/CONTRIBUTORS.md   2018-06-26 02:00:00.000000000 +0200
@@ -22,6 +22,7 @@
 * Arch Linux            - Levente Polyak
 * Debian / Ubuntu       - Francisco Manuel Garcia Claramonte
 * Fedora / EPEL         - Athmane Madjoudj
+* FreeBSD port          - Lars Engels
 * NetBSD                - Stephen Borrill
 * Slackware             - Eric Hameleers
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/FAQ new/lynis/FAQ
--- old/lynis/FAQ       2018-01-26 01:00:00.000000000 +0100
+++ new/lynis/FAQ       2018-06-26 02:00:00.000000000 +0200
@@ -27,7 +27,7 @@
 
   Q: I can't find any configuration file for Lynis, where is it?
   A: Lynis uses profiles. They are similar to a configuration file and 
determine
-     how a security scan should be performed. 
+     how a security scan should be performed.
 
   Q: My version is outdated, what can I do to upgrade?
      Check out the upgrade guide: 
https://cisofy.com/documentation/lynis/upgrading/
@@ -82,7 +82,7 @@
   Q: The program takes long to complete and also uses too much resources. Can 
it
      be tuned?
   A: The time it takes to complete depends on the amount of tests to run.
-     However the resources it take can be slighty lowered by increasing the
+     However the resources it take can be slightly lowered by increasing the
      pause_between_tests profile option. Keep in mind this increases the total
      length of the scan to complete.
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/db/languages/az new/lynis/db/languages/az
--- old/lynis/db/languages/az   1970-01-01 01:00:00.000000000 +0100
+++ new/lynis/db/languages/az   2018-06-26 02:00:00.000000000 +0200
@@ -0,0 +1,39 @@
+ERROR_NO_LICENSE="Lisenziya açarı konfiqurasiya edilmeyib"
+ERROR_NO_UPLOAD_SERVER="Yükləmə sunucusu konfiqurasiya edilmeyib"
+GEN_CHECKING="Yoxlanır"
+GEN_CURRENT_VERSION="Cari versiya"
+GEN_DEBUG_MODE="Səhv ayıklama rejimi"
+GEN_INITIALIZE_PROGRAM="Proqram koşuluyor"
+GEN_LATEST_VERSION="Son versiya"
+GEN_PHASE="faza"
+GEN_PLUGINS_ENABLED="Konfiqur edilen uzantılar"
+GEN_UPDATE_AVAILABLE="Yeniləmə mövcud"
+GEN_VERBOSE_MODE="Etraflı"
+GEN_WHAT_TO_DO="edilecekler"
+NOTE_EXCEPTIONS_FOUND="İstisnalar tapıldı"
+NOTE_EXCEPTIONS_FOUND_DETAILED="Bazı istisnai durumlar və məlumatlar tapıldı"
+NOTE_PLUGINS_TAKE_TIME="Qeyd: Uzantılar daha ətraflı testlər içermektedir və 
tamamlanmaları uzun davam edəbilər"
+NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Səlahiyyət lazımlı testlər"
+SECTION_CUSTOM_TESTS="Xususi testlər"
+SECTION_MALWARE="Pis proqram"
+SECTION_MEMORY_AND_PROCESSES="Yaddaş ve prosesler"
+STATUS_DISABLED="Təsirsiz"
+STATUS_DONE="Bitdi"
+STATUS_ENABLED="Təsirli"
+STATUS_ERROR="Səhv"
+STATUS_FOUND="Tapıldı"
+STATUS_YES="Bəli"
+STATUS_NO="Xeyr"
+STATUS_OFF="Bağlı"
+STATUS_OK="Əvət"
+STATUS_ON="Açıq"
+STATUS_NONE="Yox"
+STATUS_NOT_FOUND="Tapılmadı"
+STATUS_NOT_RUNNING="Çalışmayıb"
+STATUS_RUNNING="İşleyib"
+STATUS_SKIPPED="Atlandı"
+STATUS_SUGGESTION="Teklif"
+STATUS_UNKNOWN="Bilinmeyib"
+STATUS_WARNING="Xəbərdarlıq"
+TEXT_YOU_CAN_HELP_LOGFILE="qeydləri gönderib kömek eyleyin"
+TEXT_UPDATE_AVAILABLE="yeniləmə mövcud"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/db/tests.db new/lynis/db/tests.db
--- old/lynis/db/tests.db       2018-01-26 01:00:00.000000000 +0100
+++ new/lynis/db/tests.db       2018-06-26 02:00:00.000000000 +0200
@@ -45,6 +45,7 @@
 AUTH-9402:test:security:authentication::Query LDAP authentication support:
 AUTH-9406:test:security:authentication::Query LDAP servers in client 
configuration:
 AUTH-9408:test:security:authentication::Logging of failed login attempts via 
/etc/login.defs:
+AUTH-9489:test:security:authentication:DragonFly:Check login shells for 
passwordless accounts:
 BANN-7113:test:security:banners:FreeBSD:Check COPYRIGHT banner file:
 BANN-7124:test:security:banners::Check issue banner file:
 BANN-7126:test:security:banners::Check issue banner file contents:
@@ -69,13 +70,16 @@
 BOOT-5184:test:security:boot_services:Linux:Check permissions for boot 
files/scripts:
 BOOT-5202:test:security:boot_services::Check uptime of system:
 BOOT-5260:test:security:boot_services::Check single user mode for systemd:
+BOOT-5261:test:security:boot_services:DragonFly:Check for DragonFly boot 
loader presence:
 CONT-8004:test:security:containers:Solaris:Query running Solaris zones:
 CONT-8102:test:security:containers::Checking Docker status and information:
 CONT-8104:test:security:containers::Checking Docker info for any warnings:
 CONT-8106:test:security:containers::Gather basic stats from Docker:
 CONT-8107:test:performance:containers::Check number of unused Docker 
containers:
 CONT-8108:test:security:containers::Check file permissions for Docker files:
+CORE-1000:test:performance:system_integrity::Check all system binaries:
 CRYP-7902:test:security:crypto::Check expire date of SSL certificates:
+DNS-1600:test:security:dns::Validating that the DNSSEC signatures are checked:
 DBS-1804:test:security:databases::Checking active MySQL process:
 DBS-1816:test:security:databases::Checking MySQL root password:
 DBS-1818:test:security:databases::MongoDB status:
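
Review bot: the added `DNS-1600` line sits between `CRYP-7902` and `DBS-1804`, which is out of alphabetical order (DBS sorts before DNS). The other hunks in this file move the FINT, LOGG and PROC entries to restore sorting, so this entry belongs after the `DBS-` block rather than in front of it.
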
@@ -88,20 +92,6 @@
 DBS-1884:test:security:databases::Redis configuration (requirepass):
 DBS-1886:test:security:databases::Redis configuration (CONFIG command renamed):
 DBS-1888:test:security:databases::Redis configuration (bind on localhost):
-FINT-4310:test:security:file_integrity::AFICK availability:
-FINT-4314:test:security:file_integrity::AIDE availability:
-FINT-4315:test:security:file_integrity::Check AIDE configuration file:
-FINT-4318:test:security:file_integrity::Osiris availability:
-FINT-4322:test:security:file_integrity::Samhain availability:
-FINT-4326:test:security:file_integrity::Tripwire availability:
-FINT-4328:test:security:file_integrity::OSSEC syscheck daemon running:
-FINT-4330:test:security:file_integrity::mtree availability:
-FINT-4334:test:security:file_integrity::Check lfd daemon status:
-FINT-4336:test:security:file_integrity::Check lfd configuration status:
-FINT-4338:test:security:file_integrity::osqueryd syscheck daemon running:
-FINT-4402:test:security:file_integrity::Checksums (SHA256 or SHA512):
-FINT-4350:test:security:file_integrity::File integrity software installed:
-FILE-7524:test:security:file_permissions::Perform file permissions check:
 FILE-6310:test:security:filesystems::Checking /tmp, /home and /var directory:
 FILE-6311:test:security:filesystems::Checking LVM volume groups:
 FILE-6312:test:security:filesystems::Checking LVM volumes:
@@ -113,12 +103,28 @@
 FILE-6344:test:security:filesystems:Linux:Checking proc mount options:
 FILE-6354:test:security:filesystems::Searching for old files in /tmp:
 FILE-6362:test:security:filesystems::Checking /tmp sticky bit:
+FILE-6363:test:security:filesystems::Checking /var/tmp sticky bit:
 FILE-6368:test:security:filesystems:Linux:Checking ACL support on root file 
system:
 FILE-6372:test:security:filesystems:Linux:Checking / mount options:
 FILE-6374:test:security:filesystems:Linux:Checking /boot mount options:
 FILE-6376:test:security:filesystems:Linux:Determine if /var/tmp is bound to 
/tmp:
 FILE-6410:test:security:filesystems::Checking Locate database:
 FILE-6430:test:security:filesystems::Disable mounting of some filesystems:
+FILE-6439:test:security:filesystems:DragonFly:Checking HAMMER PFS mounts:
+FILE-7524:test:security:file_permissions::Perform file permissions check:
+FINT-4310:test:security:file_integrity::AFICK availability:
+FINT-4314:test:security:file_integrity::AIDE availability:
+FINT-4315:test:security:file_integrity::Check AIDE configuration file:
+FINT-4318:test:security:file_integrity::Osiris availability:
+FINT-4322:test:security:file_integrity::Samhain availability:
+FINT-4326:test:security:file_integrity::Tripwire availability:
+FINT-4328:test:security:file_integrity::OSSEC syscheck daemon running:
+FINT-4330:test:security:file_integrity::mtree availability:
+FINT-4334:test:security:file_integrity::Check lfd daemon status:
+FINT-4336:test:security:file_integrity::Check lfd configuration status:
+FINT-4338:test:security:file_integrity::osqueryd syscheck daemon running:
+FINT-4350:test:security:file_integrity::File integrity software installed:
+FINT-4402:test:security:file_integrity::Checksums (SHA256 or SHA512):
 FIRE-4502:test:security:firewalls:Linux:Check iptables kernel module:
 FIRE-4508:test:security:firewalls::Check used policies of iptables chains:
 FIRE-4512:test:security:firewalls::Check iptables for empty ruleset:
@@ -175,6 +181,7 @@
 KRNL-5788:test:security:kernel:Linux:Checking availability new Linux kernel:
 KRNL-5820:test:security:kernel:Linux:Checking core dumps configuration:
 KRNL-5830:test:security:kernel:Linux:Checking if system is running on the 
latest installed kernel:
+KRNL-5831:test:security:kernel:DragonFly:Checking DragonFly loaded kernel 
modules:
 KRNL-6000:test:security:kernel_hardening::Check sysctl key pairs in scan 
profile:
 LDAP-2219:test:security:ldap::Check running OpenLDAP instance:
 LDAP-2224:test:security:ldap::Check presence slapd.conf:
@@ -182,9 +189,6 @@
 LOGG-2132:test:security:logging::Check for running syslog-ng daemon:
 LOGG-2134:test:security:logging::Checking Syslog-NG configuration file 
consistency:
 LOGG-2136:test:security:logging::Check for running systemd journal daemon:
-LOGG-2210:test:security:logging::Check for running metalog daemon:
-LOGG-2230:test:security:logging::Check for running RSyslog daemon:
-LOGG-2240:test:security:logging::Check for running RFC 3195 compliant daemon:
 LOGG-2138:test:security:logging:Linux:Checking kernel logger daemon on Linux:
 LOGG-2142:test:security:logging:Linux:Checking minilog daemon:
 LOGG-2146:test:security:logging::Checking logrotate.conf and logrotate.d:
@@ -199,15 +203,19 @@
 LOGG-2180:test:security:logging::Checking open log files:
 LOGG-2190:test:security:logging::Checking for deleted files in use:
 LOGG-2192:test:security:logging::Checking for opened log files that are empty:
+LOGG-2210:test:security:logging::Check for running metalog daemon:
+LOGG-2230:test:security:logging::Check for running RSyslog daemon:
+LOGG-2240:test:security:logging::Check for running RFC 3195 compliant daemon:
 MACF-6204:test:security:mac_frameworks::Check AppArmor presence:
 MACF-6208:test:security:mac_frameworks::Check if AppArmor is enabled:
 MACF-6232:test:security:mac_frameworks::Check SELINUX presence:
 MACF-6234:test:security:mac_frameworks::Check SELINUX status:
 MACF-6290:test:security:mac_frameworks::Check for implemented MAC framework:
 MAIL-8802:test:security:mail_messaging::Check Exim status:
+MAIL-8804:test:security:mail_messaging::Exim configuration:
 MAIL-8814:test:security:mail_messaging::Check postfix process status:
 MAIL-8816:test:security:mail_messaging::Check Postfix configuration:
-MAIL-8816:test:security:mail_messaging::Postfix configuration errors:
+MAIL-8817:test:security:mail_messaging::Check Postfix configuration errors:
 MAIL-8818:test:security:mail_messaging::Postfix banner:
 MAIL-8820:test:security:mail_messaging::Postfix configuration:
 MAIL-8838:test:security:mail_messaging::Check dovecot process:
@@ -222,10 +230,6 @@
 MALW-3284:test:security:malware::Check for clamd:
 MALW-3286:test:security:malware::Check for freshclam:
 MALW-3288:test:security:malware::Check for ClamXav:
-PROC-3602:test:security:memory_processes:Linux:Checking /proc/meminfo for 
memory details:
-PROC-3604:test:security:memory_processes:Solaris:Query prtconf for memory 
details:
-PROC-3612:test:security:memory_processes::Check dead or zombie processes:
-PROC-3614:test:security:memory_processes::Check heavy IO waiting based 
processes:
 NAME-4016:test:security:nameservices::Check /etc/resolv.conf default domain:
 NAME-4018:test:security:nameservices::Check /etc/resolv.conf search domains:
 NAME-4020:test:security:nameservices::Check non default options:
@@ -317,6 +321,10 @@
 PRNT-2316:test:security:printers_spools:AIX:Checking /etc/qconfig file:
 PRNT-2418:test:security:printers_spools:AIX:Checking qdaemon printer spooler 
status:
 PRNT-2420:test:security:printers_spools:AIX:Checking old print jobs:
+PROC-3602:test:security:memory_processes:Linux:Checking /proc/meminfo for 
memory details:
+PROC-3604:test:security:memory_processes:Solaris:Query prtconf for memory 
details:
+PROC-3612:test:security:memory_processes::Check dead or zombie processes:
+PROC-3614:test:security:memory_processes::Check heavy IO waiting based 
processes:
 RBAC-6272:test:security:mac_frameworks::Check grsecurity presence:
 SCHD-7702:test:security:scheduling::Check status of cron daemon:
 SCHD-7704:test:security:scheduling::Check crontab/cronjobs:
@@ -327,7 +335,7 @@
 SHLL-6211:test:security:shells::Checking available and valid shells:
 SHLL-6220:test:security:shells::Checking available and valid shells:
 SHLL-6230:test:security:shells::Perform umask check for shell configurations:
-SHLL-6290:test:security:shells::Perform Shellshock vulnerability tests:
+SINT-7010:test:security:system_integrity::System Integrity Status:
 SNMP-3302:test:security:snmp::Check for running SNMP daemon:
 SNMP-3304:test:security:snmp::Check SNMP daemon file location:
 SNMP-3306:test:security:snmp::Check SNMP communities:
@@ -341,7 +349,7 @@
 SQD-3620:test:security:squid::Check Squid access control lists:
 SQD-3624:test:security:squid::Check Squid safe ports:
 SQD-3630:test:security:squid::Check Squid reply_body_max_size option:
-SQD-3680:test:security:squid::Check Squid version suppresion:
+SQD-3680:test:security:squid::Check Squid version suppression:
 SSH-7402:test:security:ssh::Check for running SSH daemon:
 SSH-7404:test:security:ssh::Check SSH daemon file location:
 SSH-7408:test:security:ssh::Check SSH specific defined options:
@@ -374,4 +382,5 @@
 TOOL-5120:test:security:tooling::Presence of Snort IDS:
 TOOL-5122:test:security:tooling::Snort IDS configuration file:
 TOOL-5190:test:security:tooling::Check presence of available IDS/IPS tooling:
+USB-3000:test:security:storage:Linux:Check for presence of USBGuard:
 # EOF
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/default.prf new/lynis/default.prf
--- old/lynis/default.prf       2018-01-26 01:00:00.000000000 +0100
+++ new/lynis/default.prf       2018-06-26 02:00:00.000000000 +0200
@@ -417,17 +417,24 @@
 # This is useful for ephemeral systems which are short-lived.
 #allow-auto-purge=yes
 
+# Sometimes it might be useful to override the host identifiers.
+# Use only hexadecimal values (0-9, a-f), with 40 and 64 characters in length.
+#
+#hostid=40-char-hash
+#hostid2=64-char-hash
+
 # Proxy settings
 # Protocol (http, https, socks5)
 #proxy-protocol=https
 
-# Address
-#proxy-server=1.2.3.4
+# Proxy server
+#proxy-server=10.0.1.250
 
-# Port
+# Define proxy port to use
 #proxy-port=3128
 
-# Define group names to link to this system (preferably single words)
+# Define the group names to link to this system (preferably single words). 
Default setting: append
+# To clear groups before assignment, add 'action:clear' as last groupname
 #system-groups=groupname1,groupname2,groupname3
 
 # Define which compliance standards are audited and reported on. Disable this 
if not required.
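
Review bot: the new `hostid`/`hostid2` comment says "with 40 and 64 characters in length" without tying each length to its key; state that `hostid` takes 40 hexadecimal characters and `hostid2` takes 64, as the placeholders underneath imply. The `system-groups` comment also introduces `action:clear`, but the example line does not show it, so a second commented example would make the syntax unambiguous.
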
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/extras/build-lynis.sh 
new/lynis/extras/build-lynis.sh
--- old/lynis/extras/build-lynis.sh     2018-01-26 01:00:00.000000000 +0100
+++ new/lynis/extras/build-lynis.sh     2018-06-26 02:00:00.000000000 +0200
@@ -14,7 +14,7 @@
 #
 # Options:
 
-    echo "[*] Activity [V] Succesful [X] Error [=] Result"
+    echo "[*] Activity [V] Successful [X] Error [=] Result"
     echo ""
 
     # Umask used when creating files/directories
@@ -227,7 +227,7 @@
 
         RPMFILE="${RPMWORKDIR}/RPMS/noarch/lynis-${LYNIS_VERSION}-1.noarch.rpm"
         if [ -f ${RPMFILE} ]; then
-            echo "[V] Building RPM succesful!"
+            echo "[V] Building RPM successful!"
           else
             echo "[X] Could not find RPM file, most likely failed"
             echo "    Expected: ${RPMFILE}"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/binaries new/lynis/include/binaries
--- old/lynis/include/binaries  2018-01-26 01:00:00.000000000 +0100
+++ new/lynis/include/binaries  2018-06-26 02:00:00.000000000 +0200
@@ -77,7 +77,8 @@
                 fi
 
                 # Add a space to make sure we discover a related directory if 
it was already scanned
-                FIND=$(echo ${BINARY_PATHS_FOUND} | grep ", ${SCANDIR}")
+                # The grep -v is to prevent a match /usr/bin in something like 
/usr/bin/core_perl
+                FIND=$(echo ${BINARY_PATHS_FOUND} | grep ", ${SCANDIR}" | grep 
-v ", ${SCANDIR}/")
                 if [ ! -z "${FIND}" ]; then
                     SKIPDIR=1; LogText "Result: Skipping this directory as it 
was already scanned"
                 fi
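
Review bot: the added `grep -v ", ${SCANDIR}/"` filters the whole echoed list, not a single entry. `echo ${BINARY_PATHS_FOUND}` produces one line, so once that line contains both `, /usr/bin` and `, /usr/bin/core_perl` the `grep -v` discards it, `FIND` is empty, and `/usr/bin` is no longer recognised as already scanned. Matching the entry together with its terminating delimiter (or end of string) avoids both the prefix false positive and this false negative. `${SCANDIR}` is also interpreted as a regular expression here, so a fixed-string match (`grep -F`) would be safer for paths containing dots.
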
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/data_upload 
new/lynis/include/data_upload
--- old/lynis/include/data_upload       2018-01-26 01:00:00.000000000 +0100
+++ new/lynis/include/data_upload       2018-06-26 02:00:00.000000000 +0200
@@ -238,7 +238,7 @@
                 # Quit
                 ExitClean
             else
-                Display --indent 2 --text "Data upload status" --result OK 
--color GREEN
+                Display --indent 2 --text "Data upload status 
(${UPLOAD_SERVER})" --result OK --color GREEN
             fi
         else
             echo "${RED}Error${NORMAL}: No hostid and/or hostid2 found. Can 
not upload report file."
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/functions new/lynis/include/functions
--- old/lynis/include/functions 2018-01-26 01:00:00.000000000 +0100
+++ new/lynis/include/functions 2018-06-26 02:00:00.000000000 +0200
@@ -68,6 +68,7 @@
 #    IsWorldWritable            Check if a file is world writable
 #    LogText                    Log text strings to logfile, prefixed with 
date/time
 #    LogTextBreak               Insert a separator in log file
+#    PackageIsInstalled         Test for installed package
 #    ParseNginx                 Parse nginx configuration lines
 #    ParseProfiles              Parse all available profiles
 #    ParseTestValues            Parse a set of values
@@ -804,11 +805,17 @@
     # Name        : GetHostID()
     # Description : Create an unique id for the system
     #
-    # Returns     : Nothing
+    # Returns     : optional value
     # Usage       : GetHostID
     
################################################################################
 
     GetHostID() {
+
+        if [ ! -z "${HOSTID}" -a ! -z "${HOSTID2}" ]; then
+            Debug "Skipping creation of host identifiers, as they are already 
configured (via profile)"
+            return 1
+        fi
+
         FIND=""
         # Avoid some hashes (empty, only zeros)
         BLACKLISTED_HASHES="6ef1338f520d075957424741d7ed35ab5966ae97 
adc83b19e793491b1c6ea0fd8b46cd9f32e592fc"
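
Review bot: the new early return at the top of `GetHostID()` accepts profile-supplied `HOSTID`/`HOSTID2` before the `BLACKLISTED_HASHES` check that follows, so a hash of empty input or of zeros set in a profile is used as is. Nothing in this hunk checks the length or hexadecimal format that default.prf documents either; validate the values before returning. The status is also `return 1` on what is a normal path, and the header now reads "Returns : optional value", which does not tell callers what 0 and 1 mean.
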
@@ -1104,6 +1111,8 @@
         # Show an exception if no HostID could be created, to ensure each 
system (and scan) has one
         if [ "${HOSTID}" = "" ]; then
             ReportException "GetHostID" "No unique host identifier could be 
created."
+        elif [ ! -z "${HOSTID2}" ]; then
+            return 0
         fi
     }
 
@@ -1688,6 +1697,40 @@
 
 
     
################################################################################
+    # Name        : PackageIsInstalled()
+    # Description : Add a separator to log file between sections, tests etc
+    # Returns     : exit code
+    # Notes       : this function is not used yet, but created in advance to 
allow
+    #               the addition of support for all operating systems
+    
################################################################################
+
+    PackageIsInstalled() {
+        exit_code=255
+
+        if [ $# -eq 1 ]; then
+            package="$1"
+        else
+            Fatal "Incorrect usage of PackageIsInstalled function"
+        fi
+
+        if [ ! -z "${RPMBINARY}" ]; then
+            output=$(${RPMBINARY} --quiet -q ${package} 2> /dev/null)
+            exit_code=$?
+        elif ! -z "${DPKGBINARY}" ]; then
+            output=$(${DPKGBINARY} -l ${package} 2> /dev/null)
+            exit_code=$?
+        elif [ ! -z "${ZYPPERBINARY}" ]; then
+            output=$(${ZYPPERBINARY} --quiet --non-interactive search 
--installed -i ${PACKAGE} 2> /dev/null | grep "^i")
+            if [ ! -z "${output}" ]; then exit_code=0; else exit_code=1; fi
+        else
+            ReportException "PackageIsInstalled:01"
+        fi
+
+        return ${exit_code}
+    }
+
+
+    
################################################################################
     # Name        : ParseProfiles()
     # Description : Check file permissions and parse data from profiles
     # Returns     : <nothing>
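
Review bot: the dpkg branch reads `elif ! -z "${DPKGBINARY}" ]; then` with the opening `[` missing, so the shell tries to run `-z` as a command instead of evaluating a test. In the zypper branch the search uses `${PACKAGE}`, while the argument was stored in lowercase `package`, a variable this function never sets in uppercase, so the query does not receive the requested name. The header's Description ("Add a separator to log file between sections, tests etc") is copied from LogTextBreak and should describe this function, and `${package}` should be quoted in the rpm and dpkg calls.
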
@@ -2164,7 +2207,7 @@
         if [ ${SKIPTEST} -eq 0 -a ! -z "${TEST_NEED_PLATFORM}" -a ! 
"${HARDWARE}" = "${TEST_NEED_PLATFORM}" ]; then SKIPTEST=1; 
SKIPREASON="Incorrect hardware platform"; fi
 
         # Not all prerequisites met, like missing tool
-        if [ ${SKIPTEST} -eq 0 -a "${PREQS_MET}" = "NO" ]; then SKIPTEST=1; if 
[ -z "${SKIPREASON}" ]; then SKIPREASON="Prerequisities not met (ie missing 
tool, other type of Linux distribution)"; fi; fi
+        if [ ${SKIPTEST} -eq 0 -a "${PREQS_MET}" = "NO" ]; then SKIPTEST=1; if 
[ -z "${SKIPREASON}" ]; then SKIPREASON="Prerequisites not met (ie missing 
tool, other type of Linux distribution)"; fi; fi
 
         # Skip if a test is root only and we are running a non-privileged test
         if [ ${SKIPTEST} -eq 0 -a ${ROOT_ONLY} -eq 1 -a ! ${MYID} = "0" ]; then
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/helper_show 
new/lynis/include/helper_show
--- old/lynis/include/helper_show       2018-01-26 01:00:00.000000000 +0100
+++ new/lynis/include/helper_show       2018-06-26 02:00:00.000000000 +0200
@@ -99,11 +99,6 @@
 
   Check version information
 
-
-  ${CYAN}update release${NORMAL}
-
-  Perform update of release
-
 "
 
 UPLOAD_ONLY_HELP="
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/parameters new/lynis/include/parameters
--- old/lynis/include/parameters        2018-01-26 01:00:00.000000000 +0100
+++ new/lynis/include/parameters        2018-06-26 02:00:00.000000000 +0200
@@ -279,22 +279,32 @@
 
             # Define a custom profile file
             --profile)
-                shift
-                SEARCH_PROFILES=$1
+                if [ $# -gt 1 ]; then
+                    shift
+                    SEARCH_PROFILES=$1
+                else
+                    echo "Specify the profile (lynis audit system --profile 
/home/michael/myprofile.prf)"
+                    exit 1
+                fi
             ;;
 
             # Define a custom plugin directory
             --plugindir | --plugin-dir | --plugins-dir)
-                shift
-                PLUGINDIR=$1
-                LASTCHAR=$(echo $1 | awk '{ print substr($0, length($0))}')
-                if [ "${LASTCHAR}" = "/" ]; then
-                    echo "${RED}Error:${WHITE} plugin directory path should 
not end with a slash${NORMAL}"
-                    ExitCustom 65
-                fi
-                if [ ! -d ${PLUGINDIR} ]; then
-                    echo "${RED}Error:${WHITE} invalid plugin directory 
${PLUGINDIR}${NORMAL}"
-                    ExitCustom 66
+                if [ $# -gt 1 ]; then
+                    shift
+                    PLUGINDIR=$1
+                    LASTCHAR=$(echo $1 | awk '{ print substr($0, length($0))}')
+                    if [ "${LASTCHAR}" = "/" ]; then
+                        echo "${RED}Error:${WHITE} plugin directory path 
should not end with a slash${NORMAL}"
+                        ExitCustom 65
+                    fi
+                    if [ ! -d ${PLUGINDIR} ]; then
+                        echo "${RED}Error:${WHITE} invalid plugin directory 
${PLUGINDIR}${NORMAL}"
+                        ExitCustom 66
+                    fi
+                else
+                    echo "Specify the plugin directory (lynis audit system 
--plugindir /home/michael/plugins)"
+                    exit 1
                 fi
             ;;
 
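
Review bot: both new `else` branches leave with a bare `exit 1` and an unstyled message, while the existing errors in the same `--plugindir` block use `ExitCustom 65` / `ExitCustom 66` with the `${RED}Error:${WHITE}` prefix. Use the same exit helper and message style so the missing-argument case is reported consistently with the other argument errors. `[ ! -d ${PLUGINDIR} ]` is still unquoted, so a directory path containing spaces breaks the check; quoting it fits this change since the line is being re-indented anyway.
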
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_accounting 
new/lynis/include/tests_accounting
--- old/lynis/include/tests_accounting  2018-01-26 01:00:00.000000000 +0100
+++ new/lynis/include/tests_accounting  2018-06-26 02:00:00.000000000 +0200
@@ -353,7 +353,7 @@
 #
 
#################################################################################
 #
-    # Test        : ACCT-9662
+    # Test        : ACCT-9660
     # Description : Check location for audit events
     if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else 
PREQS_MET="NO"; fi
     Register --test-no ACCT-9660 --os Solaris --preqs-met ${PREQS_MET} 
--weight L --network NO --category security --description "Check location of 
audit events"
@@ -386,7 +386,7 @@
 #
 
#################################################################################
 #
-    # Test        : ACCT-9672
+    # Test        : ACCT-9662
     # Description : check auditstat
     if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else 
PREQS_MET="NO"; fi
     Register --test-no ACCT-9662 --os Solaris --preqs-met ${PREQS_MET} 
--weight L --network NO --category security --description "Check Solaris 
auditing stats"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_authentication 
new/lynis/include/tests_authentication
--- old/lynis/include/tests_authentication      2018-01-26 01:00:00.000000000 
+0100
+++ new/lynis/include/tests_authentication      2018-06-26 02:00:00.000000000 
+0200
@@ -962,7 +962,7 @@
                     # Mark test as performed only when at least 1 target 
exists (e.g. Ubuntu 14.04 has limited systemd support)
                     TEST_PERFORMED=1
                     LogText "Result: found target ${I}"
-                    FIND=$(${EGREPBINARY} "^ExecStart=" ${FILE} | 
${GREPBINARY} "/sulogin")
+                    FIND=$(${EGREPBINARY} "^ExecStart=" ${FILE} | 
${GREPBINARY} "sulogin")
                     if [ "${FIND}" = "" ]; then
                         LogText "Result: did not find sulogin specified, 
possible risk of getting into single user mode without authentication"
                     else
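Review bot: Dropping the slash in `${GREPBINARY} "sulogin"` turns this into a bare substring match on the whole ExecStart line, so any path or argument that merely contains that text is accepted as proof that single user mode requires authentication. For a security check that errs toward a silent pass. Use a pattern that requires `sulogin` to be part of the executable path, and quote `${FILE}` while touching the line.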
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_boot_services 
new/lynis/include/tests_boot_services
--- old/lynis/include/tests_boot_services       2018-01-26 01:00:00.000000000 
+0100
+++ new/lynis/include/tests_boot_services       2018-06-26 02:00:00.000000000 
+0200
@@ -71,7 +71,7 @@
         case ${OS} in
             "Linux")
                 if [ -f /proc/1/cmdline ]; then
-                    FILENAME=$(${AWKBINARY} '/(^\/|init)/ { print $1 }' 
/proc/1/cmdline)
+                    FILENAME=$(${AWKBINARY} '/(^\/|init)/ { print $1 }' 
/proc/1/cmdline | tr -d '\0')
                     LogText "Result: cmdline found = ${FILENAME}"
                     ISFILE=$(echo ${FILENAME} | ${GREPBINARY} "^/")
                     if [ ! -z "${ISFILE}" ]; then
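Review bot: The added `tr -d '\0'` runs after awk, but /proc/1/cmdline separates its arguments with NUL bytes rather than whitespace, so `print $1` does not isolate the first argument, and on an awk that passes NULs through, deleting them afterwards glues the arguments together (a constructed case: `/sbin/init` followed by `splash` would be logged as `/sbin/initsplash`). Converting the separators before awk, `tr '\0' ' ' < /proc/1/cmdline | awk ...`, keeps `$1` equal to the binary path. The call also uses a bare `tr` where the rest of the file goes through `${...BINARY}` variables.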
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_crypto 
new/lynis/include/tests_crypto
--- old/lynis/include/tests_crypto      2018-01-26 01:00:00.000000000 +0100
+++ new/lynis/include/tests_crypto      2018-06-26 02:00:00.000000000 +0200
@@ -53,24 +53,31 @@
                         if [ ${CANREAD} -eq 1 ]; then
                             # Only check the files that are not installed by a 
package
                             if ! FileInstalledByPackage "${FILE}"; then
-                                LogText "Test: checking file and determining 
if it is certificate ${FILE}"
-                                FIND=$(${OPENSSLBINARY} x509 -noout -in 
"${FILE}" -enddate 2> /dev/null | ${GREPBINARY} "^notAfter")
+                                LogText "Test: test if file is a certificate"
+                                OUTPUT=$(${GREPBINARY} -q 'BEGIN CERT' 
"${FILE}")
                                 if [ $? -eq 0 ]; then
-                                    # Check certificate where 'end date' has 
been expired
-                                    FIND=$(${OPENSSLBINARY} x509 -noout 
-checkend 0 -in "${FILE}" -enddate 2> /dev/null)
-                                    EXIT_CODE=$?
-                                    CERT_CN=$(${OPENSSLBINARY} x509 -noout 
-subject -in "${FILE}" 2> /dev/null | ${SEDBINARY} -e 
's/^subject.*CN=\([a-zA-Z0-9\.\-\*]*\).*$/\1/')
-                                    CERT_NOTAFTER=$(${OPENSSLBINARY} x509 
-noout -enddate -in "${FILE}" 2> /dev/null | ${AWKBINARY} -F= '{if 
($1=="notAfter") { print $2 }}')
-                                    Report 
"certificate[]=${FILE}|${EXIT_CODE}|cn:${CERT_CN};notafter:${CERT_NOTAFTER};|"
-                                    if [ ${EXIT_CODE} -eq 0 ]; then 
-                                        LogText "Result: certificate ${FILE} 
seems to be correct and still valid"
+                                    LogText "Result: file is a certificate"
+                                    LogText "Test: checking certificate 
details"
+                                    FIND=$(${OPENSSLBINARY} x509 -noout -in 
"${FILE}" -enddate 2> /dev/null | ${GREPBINARY} "^notAfter")
+                                    if [ $? -eq 0 ]; then
+                                        # Check certificate where 'end date' 
has been expired
+                                        FIND=$(${OPENSSLBINARY} x509 -noout 
-checkend 0 -in "${FILE}" -enddate 2> /dev/null)
+                                        EXIT_CODE=$?
+                                        CERT_CN=$(${OPENSSLBINARY} x509 -noout 
-subject -in "${FILE}" 2> /dev/null | ${SEDBINARY} -e 
's/^subject.*CN=\([a-zA-Z0-9\.\-\*]*\).*$/\1/')
+                                        CERT_NOTAFTER=$(${OPENSSLBINARY} x509 
-noout -enddate -in "${FILE}" 2> /dev/null | ${AWKBINARY} -F= '{if 
($1=="notAfter") { print $2 }}')
+                                        Report 
"certificate[]=${FILE}|${EXIT_CODE}|cn:${CERT_CN};notafter:${CERT_NOTAFTER};|"
+                                        if [ ${EXIT_CODE} -eq 0 ]; then 
+                                            LogText "Result: certificate 
${FILE} seems to be correct and still valid"
+                                        else
+                                            FOUNDPROBLEM=1
+                                            COUNT_EXPIRED=$((COUNT_EXPIRED + 
1))
+                                            LogText "Result: certificate 
${FILE} has been expired"
+                                        fi
                                     else
-                                        FOUNDPROBLEM=1
-                                        COUNT_EXPIRED=$((COUNT_EXPIRED + 1))
-                                        LogText "Result: certificate ${FILE} 
has been expired"
+                                        LogText "Result: skipping tests for 
this file (${FILE}) as it is most likely not a certificate (a key file?)"
                                     fi
                                 else
-                                    LogText "Result: skipping tests for this 
file (${FILE}) as it is most likely not a certificate (a key file?)"
+                                    LogText "Result: skipping test for this 
file (${FILE}) as we could not find 'BEGIN CERT'"
                                 fi
                             fi
                         else
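Review bot: `OUTPUT=$(${GREPBINARY} -q 'BEGIN CERT' "${FILE}")` captures nothing, because `-q` suppresses all output, and `OUTPUT` is never read; only `$?` on the next line matters. Writing it as `if ${GREPBINARY} -q 'BEGIN CERT' "${FILE}"; then` removes the dead variable and the dependency on `$?` surviving the assignment. The pattern also matches a `BEGIN CERTIFICATE REQUEST` header, so a CSR passes prevalidation and is then logged as "most likely not a certificate (a key file?)"; matching the full `-----BEGIN CERTIFICATE-----` marker would keep the two log messages accurate.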
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_databases 
new/lynis/include/tests_databases
--- old/lynis/include/tests_databases   2018-01-26 01:00:00.000000000 +0100
+++ new/lynis/include/tests_databases   2018-06-26 02:00:00.000000000 +0200
@@ -75,12 +75,15 @@
     Register --test-no DBS-1816 --preqs-met ${PREQS_MET} --skip-reason 
"${SKIPREASON}" --weight L --network NO --category security --description 
"Checking MySQL root password"
     if [ ${SKIPTEST} -eq 0 ]; then
         LogText "Test: Trying to login to local MySQL server without password"
-        FIND=$(${MYSQLCLIENTBINARY} -u root --password= --silent --batch 
--execute="" 2> /dev/null; echo $?)
+
+        # "-u root --password=" avoids ~/.my.cnf authentication settings
+        # "plugin = 'mysql_native_password' AND authentication_string = ''" 
avoids false positives when secure plugins are used 
+        FIND=$(${MYSQLCLIENTBINARY} --no-defaults -u root --password= --silent 
--batch --execute="SELECT count(*) FROM mysql.user WHERE user = 'root' AND 
plugin = 'mysql_native_password' AND authentication_string = ''" mysql 
2>/dev/null; echo $?)
         if [ "${FIND}" = "0" ]; then
-            LogText "Result: Login succeeded, no MySQL root password set!"
-            ReportWarning ${TEST_NO} "No MySQL root password set"
-            Display --indent 4 --text "- Checking empty MySQL root password" 
--result "${STATUS_WARNING}" --color RED
-            AddHP 0 5
+           LogText "Result: Login succeeded, no MySQL root password set!"
+           ReportWarning ${TEST_NO} "No MySQL root password set"
+           Display --indent 4 --text "- Checking empty MySQL root password" 
--result "${STATUS_WARNING}" --color RED
+           AddHP 0 5
         else
             LogText "Result: Login did not succeed, so a MySQL root password 
is set"
             if IsVerbose; then Display --indent 4 --text "- Checking MySQL 
root password" --result "${STATUS_OK}" --color GREEN; fi
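Review bot: `FIND` now captures the query's stdout as well as the `echo $?`, because only stderr is redirected (`2>/dev/null`), so after a successful login it holds the query output followed by `0`, the comparison `[ "${FIND}" = "0" ]` no longer matches, and the empty-password warning cannot fire. Either send stdout to /dev/null too, or capture the count on its own and test it; note that the exit status alone is 0 for any successful login, whatever the `WHERE` clause returns, so the plugin filter described in the comment only has an effect if the count is actually evaluated. The re-indented body lines use 11 spaces where the surrounding code uses 12.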
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_dns new/lynis/include/tests_dns
--- old/lynis/include/tests_dns 1970-01-01 01:00:00.000000000 +0100
+++ new/lynis/include/tests_dns 2018-06-26 02:00:00.000000000 +0200
@@ -0,0 +1,73 @@
+#!/bin/sh
+
+#################################################################################
+#
+#   Lynis
+# ------------------
+#
+# Copyright 2007-2013, Michael Boelen
+# Copyright 2007-2018, CISOfy
+#
+# Website  : https://cisofy.com
+# Blog     : http://linux-audit.com
+# GitHub   : https://github.com/CISOfy/lynis
+#
+# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+#################################################################################
+#
+# DNS
+#
+#################################################################################
+#
+#    # TODO create records on test domain
+#    # TODO after update even IP match can be checked to detect hijacking
+#    SIGOKDNS="sigok.example.org"      # adress with good DNSSEC signature
+#    SIGFAILDNS="sigfail.example.org"  # adress with bad  DNSSEC signature
+#    TIMEOUT=";; connection timed out; no servers could be reached"
+#
+#################################################################################
+#
+#    InsertSection "DNS"
+#
+#################################################################################
+#
+#    # Test        : DNS-1600
+#    # Description : Validate DNSSEC signiture is checked
+#    Register --test-no DNS-1600 --weight L --network YES --category security 
--description "Validate DNSSEC igniture is checked"
+#    if [ "${SKIPTEST}" -eq 0 ]; then
+#        if [ ! -z "${DIGBINARY}" ]; then
+#
+#            GOOD=$("${DIGBINARY}" +short +time=1 $SIGOKDNS)
+#            BAD=$("${DIGBINARY}" +short +time=1 $SIGFAILDNS)
+#
+#            if [ "${GOOD}" = "${TIMEOUT}" -a "${BAD}" = "${TIMEOUT}" ]; then
+#                LogText "Result: received timeout, can't determine DNSSEC 
validation"
+#                Display --indent 4 --text "- Checking DNSSEC validation" 
--result "${STATUS_UNKOWN}" --color YELLOW
+#                #ReportException "${TEST_NO}" "Exception found, both query 
failed, due to connection timeout"
+#            elif [ -z "${GOOD}" -a ! -z "${BAD}" ]; then
+#                LogText "Result: good signature failed, yet bad signature was 
accepted"
+#                Display --indent 4 --text "- Checking DNSSEC validation" 
--result "${STATUS_UNKOWN}" --color YELLOW
+#                #ReportException "${TEST_NO}" "Exception found, OK failed, 
bad signature was accepted"
+#            elif [ ! -z "${GOOD}" -a ! -z "${BAD}" ]; then
+#                Display --indent 4 --text "- Checking DNSSEC validation" 
--result "${STATUS_SUGGESTION}" --color YELLOW
+#                LogText "Note: Using DNSSEC validation can protect from DNS 
hijacking"
+#                #ReportSuggestion "${TEST_NO}" "Altered DNS queries are 
accepted, configure DNSSEC valdating name servers"
+#                AddHP 2 2
+#            elif [ ! -z "${GOOD}" -a -z "${BAD}" ]; then
+#                Display --indent 4 --text "- Checking DNSSEC validation" 
--result "${STATUS_OK}" --color GREEN
+#                LogText "Result: altered DNS responses were ignored"
+#                AddHP 0 2
+#            fi
+#        else
+#            Display --indent 4 --text "- DNSSEC validation" --result 
"${STATUS_SKIPPED}" --color YELLOW
+#            LogText "Result: dig not installed, test can't be fully performed"
+#        fi
+#    else
+#        LogText "Result: Test was skipped"
+#    fi
+#
+#################################################################################
+#
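Review bot: In the DNS-1600 branches only the case where both queries return the `TIMEOUT` string is handled; if just one of them times out, its non-empty timeout text passes the `! -z` tests and is counted as a resolved answer, so a lone timeout on the bad-signature name lands in the "Altered DNS queries are accepted" branch. Compare each result against `${TIMEOUT}` before the emptiness tests. `${STATUS_UNKOWN}` is spelled without the second N and expands to empty unless a variable of exactly that name is defined, and the description strings carry typos ("signiture", "igniture", "valdating"). The whole file is commented out, so none of this runs yet; a short note at the top saying why would help the next reader.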
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_firewalls 
new/lynis/include/tests_firewalls
--- old/lynis/include/tests_firewalls   2018-01-26 01:00:00.000000000 +0100
+++ new/lynis/include/tests_firewalls   2018-06-26 02:00:00.000000000 +0200
@@ -115,7 +115,7 @@
         TABLES="filter"
         for TABLE in ${TABLES}; do
             LogText "Test: gathering information from table ${TABLE}"
-            FIND="$FIND""\n"$(${IPTABLESBINARY} -t ${TABLE} --numeric --list | 
${EGREPBINARY}  -z -o -w  '[A-Z]+' | ${AWKBINARY} -v t=${TABLE} 'NR%2 {printf 
"%s %s ",t, $0 ; next;}1')
+            FIND="$FIND""\n"$(${IPTABLESBINARY} -t ${TABLE} --numeric --list | 
${EGREPBINARY}  -z -o -w  '[A-Z]+' | tr -d '\0' | ${AWKBINARY} -v t=${TABLE} 
'NR%2 {printf "%s %s ",t, $0 ; next;}1')
         done
 
         echo "${FIND}" | while read line; do
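Review bot: With `-z`, GNU grep ends each `-o` match with a NUL instead of a newline, so the added `tr -d '\0'` removes the only separators between the matched words and awk's `NR%2` pairing has no per-token records left to work on. `tr '\0' '\n'` would strip the NULs and keep one token per line. The new stage also calls a bare `tr` while the neighbouring commands use `${...BINARY}` variables, and `${TABLE}` is unquoted in `-v t=${TABLE}`.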
@@ -522,7 +522,7 @@
 #
     # Test        : FIRE-4594
     # Description : Check for APF (Advanced Policy Firewall)
-    Register --test-no FIRE-4592 --weight L --network NO --category security 
--description "Check for APF presence"
+    Register --test-no FIRE-4594 --weight L --network NO --category security 
--description "Check for APF presence"
     if [ ! -z "${IPTABLESBINARY}" ]; then PREQS_MET="YES"; else 
PREQS_MET="NO"; fi
     if [ ${SKIPTEST} -eq 0 ]; then
         FILE="/etc/apf/conf.apf"
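Review bot: `PREQS_MET` is assigned on the line after `Register`, and the corrected `Register --test-no FIRE-4594` call does not pass `--preqs-met`, so the iptables prerequisite has no effect on whether the test runs. Since this line is being touched anyway, move the `PREQS_MET` assignment above it and add `--preqs-met ${PREQS_MET}`, as the other tests in this patch do.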
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_hardening 
new/lynis/include/tests_hardening
--- old/lynis/include/tests_hardening   2018-01-26 01:00:00.000000000 +0100
+++ new/lynis/include/tests_hardening   2018-06-26 02:00:00.000000000 +0200
@@ -53,42 +53,31 @@
         if [ ${COMPILER_INSTALLED} -eq 0 ]; then
             LogText "Result: no compilers found"
         else
-            # as
-            if [ ! -z "${ASBINARY}" ]; then
-                LogText "Test: Check file permissions for as (Assembler)"
-                if IsWorldExecutable ${ASBINARY}; then
-                    LogText "Binary: found ${ASBINARY} (world executable)"
-                    Report "compiler_world_executable[]=${ASBINARY}"
-                    AddHP 2 3
-                    HARDEN_COMPILERS_NEEDED=1
-                else
-                    AddHP 3 3
+            # TODO - c89 c99 cpp ld
+            TEST_BINARIES="${ASBINARY} ${GCCBINARY}"
+            for ITEM in ${TEST_BINARIES}; do
+                FILE="${ITEM}"
+                LogText "Test: Check file permissions for ${ITEM}"
+                ShowSymlinkPath ${ITEM}
+                if [ ! -z "${SYMLINK}" ]; then
+                    FILE="${SYMLINK}"
                 fi
-            fi
-            # gcc
-            if [ ! -z "${GCCBINARY}" ]; then
-                LogText "Test: Check file permissions for GCC compiler"
-                if IsWorldExecutable ${GCCBINARY}; then
-                    LogText "Binary: found ${GCCBINARY} (world executable)"
-                    Report "compiler_world_executable[]=${GCCBINARY}"
+
+                if IsWorldExecutable ${FILE}; then
+                    LogText "Binary: found ${FILE} (world executable)"
+                    Report "compiler_world_executable[]=${FILE}"
                     AddHP 2 3
                     HARDEN_COMPILERS_NEEDED=1
                 else
                     AddHP 3 3
                 fi
-            fi
+            done
+
             # Report suggestion is one or more compilers can be better hardened
             if [ ${HARDEN_COMPILERS_NEEDED} -eq 1 ]; then
                 LogText "Result: at least one compiler could be better 
hardened by restricting executable access to root or group only"
                 ReportSuggestion ${TEST_NO} "Harden compilers like restricting 
access to root user only"
             fi
-
-            # TODO check if compilers have a specific group (like compiler, or 
NOT root/wheel)
-            # Display --indent 4 --text "- Installed compiler(s)" --result 
"${STATUS_FOUND}" --color RED
-            # /usr/bin/*cc*
-            # /usr/bin/*++*
-            # /usr/bin/ld
-            # (and 700 or 750 permissions)
         fi
     fi
 #
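Review bot: `SYMLINK` is read right after `ShowSymlinkPath ${ITEM}` but is never cleared inside the new loop, so unless that function resets it on every call, a symlink resolved for the first binary carries over and the second iteration tests the wrong file. Setting `SYMLINK=""` at the top of the loop body makes the loop safe regardless of how the helper behaves. `${ITEM}` and `${FILE}` are also passed unquoted. The removed TODO block was the only place recording the intended 700/750 permission target; if that is still the goal, keep a one-line note next to the new `# TODO - c89 c99 cpp ld`.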
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_logging 
new/lynis/include/tests_logging
--- old/lynis/include/tests_logging     2018-01-26 01:00:00.000000000 +0100
+++ new/lynis/include/tests_logging     2018-06-26 02:00:00.000000000 +0200
@@ -305,7 +305,7 @@
 #
     # Test        : LOGG-2152
     # Description : Check for Solaris 'loghost' entry in /etc/inet/hosts, or
-    #               succesful resolving via DNS or any other name service.
+    #               successful resolving via DNS or any other name service.
     Register --test-no LOGG-2152 --weight L --os Solaris --network NO 
--category security --description "Checking loghost"
     if [ ${SKIPTEST} -eq 0 ]; then
         # Try local hosts file
@@ -322,7 +322,7 @@
             FIND=$(getent hosts loghost | ${GREPBINARY} loghost)
             if [ ! -z "${FIND}" ]; then
                 SOLARIS_LOGHOST_FOUND=1
-                LogText "Result: name resolving was succesful"
+                LogText "Result: name resolving was successful"
                 LogText "Output: ${FIND}"
             else
                 LogText "Result: name resolving didn't find results"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_mail_messaging 
new/lynis/include/tests_mail_messaging
--- old/lynis/include/tests_mail_messaging      2018-01-26 01:00:00.000000000 
+0100
+++ new/lynis/include/tests_mail_messaging      2018-06-26 02:00:00.000000000 
+0200
@@ -28,6 +28,7 @@
 #
     DOVECOT_RUNNING=0
     EXIM_RUNNING=0
+    EXIM_TYPE=""
     IMAP_DAEMON=""
     OPENSMTPD_RUNNING=0
     POP3_DAEMON=""
@@ -58,6 +59,114 @@
 #
 
#################################################################################
 #
+    # Test        : MAIL-8804
+    # Description : Exim configuration options
+    if [ ${EXIM_RUNNING} -eq 1 -a ! "${EXIMBINARY}" = "" ]; then 
PREQS_MET="YES"; else PREQS_MET="NO"; fi
+    Register --test-no MAIL-8803 --preqs-met ${PREQS_MET} --weight L --network 
NO --category security --description "Exim configuration options"
+    if [ ${SKIPTEST} -eq 0 -a ${EXIM_RUNNING} -eq 1 ]; then
+        LogText "Test: Exim configuration options"
+
+        EXIM_ROUTERS=$(exim -bP router_list)
+
+        unset FIND FIND2 FIND3 FIND4
+
+        # Local Only
+        FIND=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^nonlocal')
+        # Internet Host
+        FIND2=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} 
'^dnslookup_relay_to_domains')
+        # Smarthost or Satellite
+        FIND3=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^smarthost')
+
+        if [ ! -z "${FIND}" ]; then
+            EXIM_TYPE="LOCAL ONLY"
+        elif [ ! -z "${FIND2}" ]; then
+            EXIM_TYPE="INTERNET HOST"
+        elif [ ! -z "${FIND3}" ]; then
+            FIND4=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} 
'^hub_user_smarthost')
+            if [ ! -z "${FIND4}" ]; then
+                EXIM_TYPE="SATELLITE"
+            else
+                EXIM_TYPE="SMARTHOST"
+            fi
+        fi
+
+        if [ ! -z "${EXIM_TYPE}" ]; then
+            LogText "Result: Exim Type - ${EXIM_TYPE}"
+            Display --indent 4 --text "- Type" --result "${EXIM_TYPE}" --color 
GREEN
+        else
+            LogText "Result: Exim Type - Not Configured"
+            Display --indent 4 --text "- Type" --result "Not Configured" 
--color WHITE
+        fi
+
+        if [ "${EXIM_TYPE}" = "INTERNET HOST" -o "${EXIM_TYPE}" = "SMARTHOST" 
]; then
+            LogText "Test: Exim Public Interfaces"
+            EXIM_IP=$(exim -bP local_interfaces | cut -d '=' -f2 | sed -e 
's/\s*<\s*\;\?//' -e 's/\s*::0\s*\;\?//' -e 's/\s*127.0.0.1\s*\;\?//' -e 
's/^\s*//' -e 's/\s*$//')
+            if [ ! -z "${EXIM_IP}" ]; then
+                LogText "Result: ${EXIM_IP}"
+                Display --indent 4 --text "- Public Interface(s)" --result 
"${EXIM_IP}" --color GREEN
+            else
+                LogText "Result: None"
+                Display --indent 4 --text "- Public Interface(s)" --result 
"NONE" --color WHITE
+            fi
+
+            LogText "Test: Exim TLS State"
+            EXIM_TLS=$(exim -bP tls_advertise_hosts | cut -d '=' -f2 | sed -e 
's/^\s*//' -e 's/\s*$//')
+            if [ ! -z "${EXIM_TLS}" ]; then
+                LogText "Result: Enabled"
+                Display --indent 4 --text "- TLS" --result "ENABLED" --color 
GREEN
+            else
+                LogText "Result: Not enabled"
+                Display --indent 4 --text "- TLS" --result "NOT ENABLED" 
--color WHITE
+            fi
+        fi
+
+        if [ ! -z "${EXIM_TYPE}" -a "${EXIM_TYPE}" != "LOCAL ONLY" ]; then
+            LogText "Test: Exim Certificate and Private Key"
+
+            case "${EXIM_TYPE}" in
+                "INTERNET HOST" | "SMARTHOST" )
+                    EXIM_CERTIFICATE=$(exim -bP tls_certificate | cut -d '=' 
-f2 | sed -e 's/^\s*//' -e 's/\s*$//')
+                    EXIM_PRIVATEKEY=$(exim -bP tls_privatekey | cut -d '=' -f2 
| sed -e 's/^\s*//' -e 's/\s*$//')
+                    ;;
+                "SATELLITE" )
+                    EXIM_CERTIFICATE=$(exim -bP transport 
remote_smtp_smarthost | grep tls_certificate | cut -d '=' -f2 | sed -e 
's/^\s*//' -e 's/\s*$//')
+                    EXIM_PRIVATEKEY=$(exim -bP transport remote_smtp_smarthost 
| grep tls_privatekey | cut -d '=' -f2 | sed -e 's/^\s*//' -e 's/\s*$//')
+                    ;;
+            esac
+
+            if [ ! -z "${EXIM_CERTIFICATE}" ]; then
+                LogText "Result: ${EXIM_CERTIFICATE}"
+                if [ -f "${EXIM_CERTIFICATE}" ]; then
+                    Display --indent 4 --text "- Certificate" --result 
"${STATUS_FOUND}" --color GREEN
+                    LogText "Result: Certificate found."
+                else
+                    Display --indent 4 --text "- Certificate" --result 
"${STATUS_NOT_FOUND}" --color YELLOW
+                    LogText "Result: Certificate not found."
+                fi
+            else
+                LogText "Result: Certificate not set."
+                Display --indent 4 --text "- Certificate not set" --result 
"${STATUS_WARNING}" --color WHITE
+            fi
+
+            if [ ! -z "${EXIM_PRIVATEKEY}" ]; then
+                LogText "Result: ${EXIM_PRIVATEKEY}"
+                if [ -f "${EXIM_PRIVATEKEY}" ]; then
+                    LogText "Result: Private Key found."
+                    Display --indent 4 --text "- Private Key" --result 
"${STATUS_FOUND}" --color GREEN
+                else
+                    Display --indent 4 --text "- Private Key" --result 
"${STATUS_NOT_FOUND}" --color YELLOW
+                    LogText "Result: Private Key not found."
+                fi
+            else
+                LogText "Result: Private Key not set."
+                Display --indent 4 --text "- Private Key not set" --result 
"${STATUS_WARNING}" --color WHITE
+            fi
+        fi
+    fi
+
+#
+#################################################################################
+#
     # Test        : MAIL-8814
     # Description : Check Postfix process
     # Notes       : qmgr and pickup run under postfix uid, without full path 
to binary
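Review bot: The header comment names this test MAIL-8804 but the `Register` call uses `--test-no MAIL-8803`, the same comment/ID mismatch this update corrects in other files; make the two agree before it ships. The prerequisite checks `${EXIMBINARY}`, yet every query in the body runs a bare `exim` from PATH, so the binary that was detected is not necessarily the one being interrogated; use `"${EXIMBINARY}"` throughout. `EXIM_CERTIFICATE` and `EXIM_PRIVATEKEY` are not in the `unset` list and are left unassigned when no `case` arm matches, so initialise them alongside `FIND`..`FIND4`.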
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_nameservices 
new/lynis/include/tests_nameservices
--- old/lynis/include/tests_nameservices        2018-01-26 01:00:00.000000000 
+0100
+++ new/lynis/include/tests_nameservices        2018-06-26 02:00:00.000000000 
+0200
@@ -476,7 +476,7 @@
 #
 
#################################################################################
 #
-    # Test        : NAME-4302
+    # Test        : NAME-4304
     # Description : Check NIS ypbind daemon status
     Register --test-no NAME-4304 --weight L --network NO --category security 
--description "Check NIS ypbind status"
     if [ ${SKIPTEST} -eq 0 ]; then
@@ -573,19 +573,19 @@
     if [ ${SKIPTEST} -eq 0 ]; then
         LogText "Test: check duplicate line in ${ROOTDIR}etc/hosts"
         if [ -f ${ROOTDIR}etc/hosts ]; then
-            sFIND=$(${EGREPBINARY} -v '^(#|$)' ${ROOTDIR}etc/hosts | 
${AWKBINARY} '{ print $1, $2 }' | ${SORTBINARY} | ${UNIQBINARY} -d)
-            if [ "${sFIND}" = "" ]; then
+            OUTPUT=$(${AWKBINARY} '{ print $1, $2 }' ${ROOTDIR}etc/hosts | 
${EGREPBINARY} -v '^(#|$)' | ${EGREPBINARY} "[a-f0-9]" | ${SORTBINARY} | 
${UNIQBINARY} -d)
+            if [ -z "${OUTPUT}" ]; then
                 LogText "Result: OK, no duplicate lines found"
                 Display --indent 4 --text "- Checking ${ROOTDIR}etc/hosts 
(duplicates)" --result "${STATUS_OK}" --color GREEN
             else
-                LogText "Found duplicate line: ${sFIND}"
+                LogText "Found duplicate line: ${OUTPUT}"
                 LogText "Result: found duplicate line"
                 Display --indent 4 --text "- Checking ${ROOTDIR}etc/hosts 
(duplicates)" --result "${STATUS_SUGGESTION}" --color YELLOW
                 ReportSuggestion "${TEST_NO}" "Remove duplicate lines in 
${ROOTDIR}etc/hosts"
             fi
         else
-          LogText "Result: ${ROOTDIR}etc/hosts not found, test skipped"
-          Display --indent 4 --text "Searching duplicate line" --result 
"${STATUS_SKIPPED}" --color YELLOW
+            LogText "Result: ${ROOTDIR}etc/hosts not found, test skipped"
+            Display --indent 4 --text "Searching duplicate line" --result 
"${STATUS_SKIPPED}" --color YELLOW
         fi
     fi
 #
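Review bot: Running awk first turns every blank line into a lone space, which `'^(#|$)'` no longer matches, and the added `${EGREPBINARY} "[a-f0-9]"` stage exists only to drop those lines again; it is a loose filter that keeps anything containing a digit or one of the letters a-f. Skipping comment and blank lines inside the awk program itself, for example `'!/^[[:space:]]*(#|$)/ { print $1, $2 }'`, would remove both grep stages and make the intent readable. `${ROOTDIR}etc/hosts` is unquoted in the `-f` test and in the pipeline.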
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_networking 
new/lynis/include/tests_networking
--- old/lynis/include/tests_networking  2018-01-26 01:00:00.000000000 +0100
+++ new/lynis/include/tests_networking  2018-06-26 02:00:00.000000000 +0200
@@ -131,13 +131,13 @@
                     LogText "Found nameserver: ${I}"
                     Report "nameserver[]=${I}"
                     # Check if a local resolver is available (like DNSMasq)
-                    if [ "${I}" = "::1" -o "${I}" = "127.0.0.1" -o "${I}" = 
"127.0.1.1" -o "${I}" = "0.0.0.0" ]; then
+                    if [ "${I}" = "::1" -o "${I}" = "127.0.0.1" -o "${I}" = 
"127.0.0.53" -o "${I}" = "127.0.1.1" -o "${I}" = "0.0.0.0" ]; then
                         LOCAL_DNSRESOLVER_FOUND=1
                     fi
                     if [ ! -z "${DIGBINARY}" ]; then
                         # See if we can query something at the nameserver
                         # 0=good, other=bad
-                        DNSRESPONSE=$(${DIGBINARY} +noall +time=3 +retry=0 
@${I} ${I} > /dev/null ; echo $?)
+                        DNSRESPONSE=$(${DIGBINARY} +noall +time=3 +retry=0 
@${I} ${FQDN} > /dev/null ; echo $?)
                         if [ "${DNSRESPONSE}" = "0" ]; then
                             Display --indent 8 --text "Nameserver: ${I}" 
--result "${STATUS_OK}" --color GREEN
                             LogText "Nameserver ${I} seems to respond to 
queries from this host."
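Review bot: `${FQDN}` is used unquoted and unchecked in the new dig call; if it is empty at this point, dig runs with no query name and the test no longer checks what the changelog describes, while still reporting the nameserver as OK on exit status 0. Guard with a non-empty test and fall back to a fixed name, and quote both `${I}` and `${FQDN}`. The growing chain of `-o` comparisons for local resolvers could be a `case` with a `127.*` pattern, which would have covered 127.0.0.53 without a code change.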
@@ -163,7 +163,7 @@
 #
     # Test        : NETW-2705
     # Description : Basic nameserver configuration tests (connectivity)
-    if [ ${LOCAL_DNSRESOLVER_FOUND} -eq 0  ]; then PREQS_MET="YES"; else 
PREQS_MET="NO"; fi
+    if [ ${LOCAL_DNSRESOLVER_FOUND} -eq 0 ]; then PREQS_MET="YES"; else 
PREQS_MET="NO"; fi
     Register --test-no NETW-2705 --preqs-met ${PREQS_MET} --weight L --network 
YES --category security --description "Check availability two nameservers"
     if [ ${SKIPTEST} -eq 0 ]; then
         SKIP=0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_php new/lynis/include/tests_php
--- old/lynis/include/tests_php 2018-01-26 01:00:00.000000000 +0100
+++ new/lynis/include/tests_php 2018-06-26 02:00:00.000000000 +0200
@@ -42,6 +42,8 @@
                 ${ROOTDIR}etc/php5/apache2/php.ini \
                 ${ROOTDIR}etc/php5/fpm/php.ini \
                 ${ROOTDIR}private/etc/php.ini \
+                ${ROOTDIR}etc/php/7.2/cli/php.ini 
${ROOTDIR}etc/php/7.2/fpm/php.ini \
+                ${ROOTDIR}etc/php/7.1/cli/php.ini 
${ROOTDIR}etc/php/7.1/fpm/php.ini \
                 ${ROOTDIR}etc/php/7.0/cli/php.ini 
${ROOTDIR}etc/php/7.0/fpm/php.ini \
                 ${ROOTDIR}var/www/conf/php.ini \
                 ${ROOTDIR}usr/local/etc/php.ini 
${ROOTDIR}usr/local/lib/php.ini \
@@ -65,7 +67,11 @@
                 ${ROOTDIR}opt/alt/php55/etc/php.ini \
                 ${ROOTDIR}opt/alt/php56/etc/php.ini \
                 ${ROOTDIR}opt/alt/php70/etc/php.ini \
-                ${ROOTDIR}opt/alt/php71/etc/php.ini"
+                ${ROOTDIR}opt/alt/php71/etc/php.ini \
+                ${ROOTDIR}etc/opt/remi/php56/php.ini \
+                ${ROOTDIR}etc/opt/remi/php70/php.ini \
+                ${ROOTDIR}etc/opt/remi/php71/php.ini \
+                ${ROOTDIR}etc/opt/remi/php72/php.ini"
 
     PHPINIDIRS="${ROOTDIR}etc/php5/conf.d \
                 ${ROOTDIR}etc/php/7.0/cli/conf.d \
@@ -307,79 +313,80 @@
 #
 
#################################################################################
 #
+    # - test disabled for time being, as newer suhosin7 work is not stable 
enough -
     # Test        : PHP-2379
     # Description : Check PHP suhosin extension status
-    if [ ! -z "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else 
PREQS_MET="NO"; fi
-    Register --test-no PHP-2379 --preqs-met ${PREQS_MET} --weight L --network 
NO --category security --description "Check PHP suhosin extension status"
+    #if [ ! -z "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else 
PREQS_MET="NO"; fi
+    #Register --test-no PHP-2379 --preqs-met ${PREQS_MET} --weight L --network 
NO --category security --description "Check PHP suhosin extension status"
 
-    if [ ${SKIPTEST} -eq 0 ]; then
-        FOUND=0
-        SIMULATION=0
-        MAJOR_VERSION=$(echo ${PHPVERSION} | ${EGREPBINARY} "^7")
-        if [ "${OS}" = "OpenBSD" ]; then
-            FOUND=1                    # On OpenBSD, Suhosin is hard linked 
into PHP
-            SIMULATION=off
-        else
-            for I in ${PHPINI_ALLFILES}; do
-                LogText "Test: Checking for PHP suhosin extension status in 
file ${I}"
-                FIND=$(${GREPBINARY} -oP '^extension=.*?suhosin7?.so.*$' ${I})
-                if [ -z "${FIND}" ]; then
-                    LogText "Result: ${I}: suhosin is not enabled"
-                else
-                    LogText "Result: ${I}: suhosin is enabled"
-                    FOUND=1
-                fi
+    #if [ ${SKIPTEST} -eq 0 ]; then
+    #    FOUND=0
+    #    SIMULATION=0
+    #    MAJOR_VERSION=$(echo ${PHPVERSION} | ${EGREPBINARY} "^7")
+    #    if [ "${OS}" = "OpenBSD" ]; then
+    #        FOUND=1                    # On OpenBSD, Suhosin is hard linked 
into PHP
+    #        SIMULATION=off
+    #    else
+    #        for I in ${PHPINI_ALLFILES}; do
+    #            LogText "Test: Checking for PHP suhosin extension status in 
file ${I}"
+    #            FIND=$(${GREPBINARY} -oP '^extension=.*?suhosin7?.so.*$' ${I})
+    #            if [ -z "${FIND}" ]; then
+    #                LogText "Result: ${I}: suhosin is not enabled"
+    #            else
+    #                LogText "Result: ${I}: suhosin is enabled"
+    #                FOUND=1
+    #            fi
 
-                LogText "Test: Check Suhosin simulation mode status"
-                SIMULATION=$(${GREPBINARY} -oP '^suhosin.simulation.*$' ${I} | 
${CUTBINARY} -d= -f2 | ${GREPBINARY} -io 'off' | ${TRBINARY} '[:upper:]' 
'[:lower:]')
-                if [ "${SIMULATION}" = "off" ]; then
-                    LogText "Result: ${I}: suhosin simulation mode is not 
active"
-                else
-                    LogText "Result: ${I}: suhosin simulation mode is active"
-                fi
-            done
-        fi
+    #            LogText "Test: Check Suhosin simulation mode status"
+    #            SIMULATION=$(${GREPBINARY} -oP '^suhosin.simulation.*$' ${I} 
| ${CUTBINARY} -d= -f2 | ${GREPBINARY} -io 'off' | ${TRBINARY} '[:upper:]' 
'[:lower:]')
+    #            if [ "${SIMULATION}" = "off" ]; then
+    #                LogText "Result: ${I}: suhosin simulation mode is not 
active"
+    #            else
+    #                LogText "Result: ${I}: suhosin simulation mode is active"
+    #            fi
+    #        done
+    #    fi
 
-        # Check Suhosin for PHP 7
-        if [ ! -z "${MAJOR_VERSION}" -a ${FOUND} -eq 1 ]; then
-            LogText "Test: Check Suhosin for PHP 7 is not enabled"
-            LogText "Result: Suhosin for PHP 7 is in alpha stage and should 
not be used in production"
-            ReportSuggestion ${TEST_NO} "Disable Suhosin for PHP 7"
-            Display --indent 4 --text "- Checking PHP suhosin extension 
status" --result "${STATUS_WARNING}" --color RED
-            Display --indent 6 --text "- Suhosin is enabled for PHP 7" 
--result "${STATUS_WARNING}" --color RED
-            AddHP 0 1
-        elif [ ! -z "${MAJOR_VERSION}" -a ${FOUND} -eq 0 ]; then
-            LogText "Test: Check Suhosin for PHP 7 is not enabled"
-            LogText "Result: Suhosin for PHP 7 is not enabled"
-            Display --indent 4 --text "- Checking PHP suhosin extension 
status" --result "${STATUS_OK}" --color GREEN
-            Display --indent 6 --text "- Suhosin is not enabled for PHP 7" 
--result "${STATUS_OK}" --color GREEN
-            AddHP 1 1
-        else
-            if [ ${FOUND} -eq 0 ]; then
-                LogText "Result: Suhosin extension is not enabled"
-                Display --indent 4 --text "- Checking PHP suhosin extension 
status" --result "${STATUS_WARNING}" --color RED
-                ReportSuggestion ${TEST_NO} "Harden PHP by enabling suhosin 
extension"
-                LogText "suhosin extension is not enabled"
-                AddHP 0 1
-            else
-                LogText "Result: Suhosin extension is enabled"
-                Display --indent 4 --text "- Checking PHP suhosin extension 
status" --result "${STATUS_OK}" --color GREEN
-                AddHP 2 2
-            fi
+    #    # Check Suhosin for PHP 7
+    #    if [ ! -z "${MAJOR_VERSION}" -a ${FOUND} -eq 1 ]; then
+    #        LogText "Test: Check Suhosin for PHP 7 is not enabled"
+    #        LogText "Result: Suhosin for PHP 7 is in alpha stage and should 
not be used in production"
+    #        ReportSuggestion ${TEST_NO} "Disable Suhosin for PHP 7"
+    #        Display --indent 4 --text "- Checking PHP suhosin extension 
status" --result "${STATUS_WARNING}" --color RED
+    #        Display --indent 6 --text "- Suhosin is enabled for PHP 7" 
--result "${STATUS_WARNING}" --color RED
+    #        AddHP 0 1
+    #    elif [ ! -z "${MAJOR_VERSION}" -a ${FOUND} -eq 0 ]; then
+    #        LogText "Test: Check Suhosin for PHP 7 is not enabled"
+    #        LogText "Result: Suhosin for PHP 7 is not enabled"
+    #        Display --indent 4 --text "- Checking PHP suhosin extension 
status" --result "${STATUS_OK}" --color GREEN
+    #        Display --indent 6 --text "- Suhosin is not enabled for PHP 7" 
--result "${STATUS_OK}" --color GREEN
+    #        AddHP 1 1
+    #    else
+    #        if [ ${FOUND} -eq 0 ]; then
+    #            LogText "Result: Suhosin extension is not enabled"
+    #            Display --indent 4 --text "- Checking PHP suhosin extension 
status" --result "${STATUS_WARNING}" --color RED
+    #            ReportSuggestion ${TEST_NO} "Harden PHP by enabling suhosin 
extension"
+    #            LogText "suhosin extension is not enabled"
+    #            AddHP 0 1
+    #        else
+    #            LogText "Result: Suhosin extension is enabled"
+    #            Display --indent 4 --text "- Checking PHP suhosin extension 
status" --result "${STATUS_OK}" --color GREEN
+    #            AddHP 2 2
+    #        fi
 
-            if [ "${SIMULATION}" = "off" ]; then
-                LogText "Result: Suhosin simulation mode is not active"
-                Display --indent 6 --text "- Suhosin simulation mode status" 
--result "${STATUS_OK}" --color GREEN
-                AddHP 2 2
-            else
-                LogText "Result: Suhosin simulation mode is active"
-                Display --indent 6 --text "- Suhosin simulation mode status" 
--result "${STATUS_WARNING}" --color RED
-                ReportSuggestion ${TEST_NO} "Harden PHP by deactivating 
suhosin simulation mode"
-                LogText "suhosin simulation mode is active"
-                AddHP 0 1
-            fi
-        fi
-    fi
+    #        if [ "${SIMULATION}" = "off" ]; then
+    #            LogText "Result: Suhosin simulation mode is not active"
+    #            Display --indent 6 --text "- Suhosin simulation mode status" 
--result "${STATUS_OK}" --color GREEN
+    #            AddHP 2 2
+    #        else
+    #            LogText "Result: Suhosin simulation mode is active"
+    #            Display --indent 6 --text "- Suhosin simulation mode status" 
--result "${STATUS_WARNING}" --color RED
+    #            ReportSuggestion ${TEST_NO} "Harden PHP by deactivating 
suhosin simulation mode"
+    #            LogText "suhosin simulation mode is active"
+    #            AddHP 0 1
+    #        fi
+    #    fi
+    #fi
 #
 
#################################################################################
 #
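Review bot: test PHP-2379 is switched off by prefixing every line with '#', the Register call included, which leaves the whole test behind as dead code, and the visible part of the hunk gives no reason for it. Delete the block and rely on version control, or keep a short comment that says why the Suhosin check was disabled and under what condition it should come back.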
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_ports_packages 
new/lynis/include/tests_ports_packages
--- old/lynis/include/tests_ports_packages      2018-01-26 01:00:00.000000000 
+0100
+++ new/lynis/include/tests_ports_packages      2018-06-26 02:00:00.000000000 
+0200
@@ -826,11 +826,12 @@
     if [ ! -z "${YUMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; 
else PREQS_MET="NO"; fi
     Register --test-no PKGS-7384 --preqs-met ${PREQS_MET} --os Linux --weight 
L --network NO --category security --description "Check for YUM utils package"
     if [ ${SKIPTEST} -eq 0 ]; then
-        if [ -x ${ROOTDIR}usr/bin/package-cleanup ]; then
-            LogText "Result: found YUM utils package 
(${ROOTDIR}usr/bin/package-cleanup)"
+        # package-cleanup tool can be found in different locations
+        if [ -x ${ROOTDIR}bin/package-cleanup -o -x 
${ROOTDIR}usr/bin/package-cleanup ]; then
+            LogText "Result: found YUM utils package (package-cleanup)"
             # Check for duplicates
             LogText "Test: Checking for duplicate packages"
-            FIND=$(${ROOTDIR}usr/bin/package-cleanup -q --dupes > /dev/null; 
echo $?)
+            FIND=$(package-cleanup -q --dupes > /dev/null; echo $?)
             if [ "${FIND}" = "0" ]; then
                 LogText "Result: No duplicate packages found"
                 Display --indent 2 --text "- Checking package database 
duplicates" --result "${STATUS_OK}" --color GREEN
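Review bot: the new condition tests -x on ${ROOTDIR}bin/package-cleanup and ${ROOTDIR}usr/bin/package-cleanup, but the command substitution then runs a bare package-cleanup, so what executes is whatever PATH resolves first and not necessarily either file that was just checked. For an audit tool that usually runs as root, store the path that passed the -x test in a variable and invoke that variable; the same applies to the --problems call in the next hunk. The LogText message also no longer records which location was found, which makes the log less useful when the two paths differ.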
@@ -843,7 +844,7 @@
 
             # Check for package database problems
             LogText "Test: Checking for database problems"
-            FIND=$(${ROOTDIR}usr/bin/package-cleanup --problems > /dev/null; 
echo $?)
+            FIND=$(package-cleanup --problems > /dev/null; echo $?)
             if [ "${FIND}" = "0" ]; then
                 LogText "Result: No package database problems found"
                 Display --indent 2 --text "- Checking package database for 
problems" --result "${STATUS_OK}" --color GREEN
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_printers_spools 
new/lynis/include/tests_printers_spools
--- old/lynis/include/tests_printers_spools     2018-01-26 01:00:00.000000000 
+0100
+++ new/lynis/include/tests_printers_spools     2018-06-26 02:00:00.000000000 
+0200
@@ -202,7 +202,7 @@
 #
 
#################################################################################
 #
-    # Test        : PRNT-2416
+    # Test        : PRNT-2316
     # Description : Check /etc/qconfig file
     Register --test-no PRNT-2316 --os AIX --weight L --network NO --category 
security --description "Checking /etc/qconfig file"
     if [ ${SKIPTEST} -eq 0 ]; then
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_squid 
new/lynis/include/tests_squid
--- old/lynis/include/tests_squid       2018-01-26 01:00:00.000000000 +0100
+++ new/lynis/include/tests_squid       2018-06-26 02:00:00.000000000 +0200
@@ -302,7 +302,7 @@
     # Test        : SQD-3680
     # Description : Check httpd_suppress_version_string
     if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; 
then PREQS_MET="YES"; else PREQS_MET="NO"; fi
-    Register --test-no SQD-3680 --preqs-met ${PREQS_MET} --weight L --network 
NO --category security --description "Check Squid version suppresion"
+    Register --test-no SQD-3680 --preqs-met ${PREQS_MET} --weight L --network 
NO --category security --description "Check Squid version suppression"
     if [ ${SKIPTEST} -eq 0 ]; then
         FIND=$(${GREPBINARY} "^httpd_suppress_version_string " 
${SQUID_DAEMON_CONFIG} | ${GREPBINARY} " on")
         if [ -z "${FIND}" ]; then
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_ssh new/lynis/include/tests_ssh
--- old/lynis/include/tests_ssh 2018-01-26 01:00:00.000000000 +0100
+++ new/lynis/include/tests_ssh 2018-06-26 02:00:00.000000000 +0200
@@ -46,7 +46,8 @@
             # Store settings in a temporary file
             CreateTempFile
             SSH_DAEMON_OPTIONS_FILE="${TEMP_FILE}"
-            ${SSHDBINARY} -T 2> /dev/null > ${SSH_DAEMON_OPTIONS_FILE}
+            # Use a non-existing user, to ensure that systems that have a 
Match block configured, will be evaluated as well
+            ${SSHDBINARY} -T -C user=doesnotexist,host=none,addr=none 2> 
/dev/null > ${SSH_DAEMON_OPTIONS_FILE}
         else
             Display --indent 2 --text "- Checking running SSH daemon" --result 
"${STATUS_NOT_FOUND}" --color WHITE
         fi
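Review bot: with 2> /dev/null and no check of the sshd exit status, a failing "sshd -T -C ..." leaves ${SSH_DAEMON_OPTIONS_FILE} empty and the later option tests then run against nothing. Check the return code, or that the file is non-empty, and log a result when the dump fails. The added comment should also state that a user, host and address that match nothing produce the settings outside of Match blocks keyed on real users, hosts or addresses, so values overridden inside such blocks are not what gets audited.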
@@ -110,7 +111,7 @@
         SSHOPS="AllowTcpForwarding:NO,LOCAL,YES:=\
                 ClientAliveCountMax:2,4,16:<\
                 ClientAliveInterval:300,600,900:<\
-                Compression:(DELAYED|NO),,YES:=\
+                Compression:NO,,YES:=\
                 FingerprintHash:SHA256,MD5,:=\
                 GatewayPorts:NO,,YES:=\
                 IgnoreRhosts:YES,,NO:=\
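Review bot: with "Compression:NO,,YES:=" a reported value of DELAYED matches neither the first field nor the third, and the second field is empty. The hunk does not show how a value that matches no field is scored, so confirm that path and log it explicitly; otherwise a daemon that still reports DELAYED gets an undefined result for this option.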
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/include/tests_time new/lynis/include/tests_time
--- old/lynis/include/tests_time        2018-01-26 01:00:00.000000000 +0100
+++ new/lynis/include/tests_time        2018-06-26 02:00:00.000000000 +0200
@@ -360,10 +360,10 @@
         FIND=$(${NTPQBINARY} -p -n | ${EGREPBINARY} '^x')
         if [ -z "${FIND}" ]; then
             Display --indent 2 --text "- Checking falsetickers" --result 
"${STATUS_OK}" --color GREEN
-            LogText "Result: No falsetickers found (items preceeding with an 
'x')"
+            LogText "Result: No falsetickers found (items preceding with an 
'x')"
         else
             Display --indent 2 --text "- Checking falsetickers" --result 
"${STATUS_NONE}" --color YELLOW
-            LogText "Result: Found one or more falsetickers  (items preceeding 
with an 'x')"
+            LogText "Result: Found one or more falsetickers  (items preceding 
with an 'x')"
             for I in ${FIND}; do
                 I=$(echo ${I} | ${SEDBINARY} 's/x//g')
                 LogText "Falseticker found: ${I}"
@@ -422,44 +422,47 @@
     # Test        : TIME-3160
     # Description : Check empty NTP step-tickers
     # Notes       : Mostly applies to Red Hat and clones
-    if [ "${NTPD_RUNNING}" -eq 1 -a ! -z "${NTPQBINARY}" -a ! -z 
"${CHKCONFIGBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+    FILE="${ROOTDIR}etc/ntp/step-tickers"
+    if [ "${NTPD_RUNNING}" -eq 1 -a ! -z "${NTPQBINARY}" -a -f "${FILE}" ]; 
then PREQS_MET="YES"; else PREQS_MET="NO"; fi
     Register --test-no TIME-3160 --os Linux --preqs-met ${PREQS_MET} --weight 
L --network NO --category security --description "Check empty NTP step-tickers"
     if [ ${SKIPTEST} -eq 0 ]; then
         FOUND=0
-        FILE="/etc/ntp/step-tickers"
-        if [ -f ${FILE} ]; then
-            if [ ! -s "${FILE}" ]; then
+        OUTPUT=$(${AWKBINARY} '/^[a-z0-9]/ { print $1 }' ${FILE})
+        if [ -z "${OUTPUT}" ]; then
+            if [ ${OS_REDHAT_OR_CLONE} -eq 1 -a -f "${FILE}" ]; then
+                # On RedHat if step-ticker file exists but is empty, the 
ntpdate start script uses the servers listed in ntp.conf for the initial time 
synchronization
+                LogText "Result: ${FILE} exists and it is empty. On RedHat the 
initial time synchronization will be done with the servers listed in ntp.conf."
+                Display --indent 2 --text "- Checking NTP step-tickers file" 
--result "${STATUS_OK}" --color GREEN
+            else
                 LogText "Result: ${FILE} is empty. The step-tickers contain no 
configured NTP servers"
                 Display --indent 2 --text "- Checking NTP step-tickers file" 
--result "EMPTY FILE" --color YELLOW
                 ReportSuggestion ${TEST_NO} "Use step-tickers file for quicker 
time synchronization"
-            else
-                LogText "Result: /etc/ntp/step-tickers is not empty, which is 
fine"
-                Display --indent 2 --text "- Checking NTP step-tickers file" 
--result "${STATUS_OK}" --color GREEN
-                sFIND=$(${AWKBINARY} '/^server/ { print $2 }' /etc/ntp.conf | 
${GREPBINARY} -v '127.127.1.0')
-                for I in ${sFIND}; do
-                    FIND=$(${GREPBINARY} ^${I} ${FILE} | wc -l)
-                    if [ ${FIND} -gt 0 ]; then
-                        LogText "Result: $I exist in ${FILE}"
-                    else
-                        LogText "Result: ${I} does NOT exist in ${FILE}"
-                        FOUND=1
-                    fi
-                done
-                if [ ${FOUND} -eq 1 ]; then
-                    Display --indent 4 --text "- Checking step-tickers ntp 
servers entries" --result "SOME MISSING" --color YELLOW
-                    ReportSuggestion ${TEST_NO} "Some time servers missing in 
step-tickers file"
-                    AddHP 3 4
+            fi
+        else
+            LogText "Result: ${FILE} is not empty, which is fine"
+            Display --indent 2 --text "- Checking NTP step-tickers file" 
--result "${STATUS_OK}" --color GREEN
+            sFIND=$(${AWKBINARY} '/^[a-z0-9]/ { print $1 }' ${FILE} | 
${EGREPBINARY} -v "^127." | ${EGREPBINARY} -v "^::1")
+            for I in ${sFIND}; do
+                FIND=$(${GREPBINARY} ^${I} ${FILE} | wc -l)
+                if [ ${FIND} -gt 0 ]; then
+                    LogText "Result: $I exist in ${FILE}"
                 else
-                    Display --indent 4 --text "- Checking step-tickers ntp 
servers entries" --result "${STATUS_OK}" --color GREEN
-                    LogText "Result: all time servers are in step-tickers file"
-                    AddHP 4 4
+                    LogText "Result: ${I} does NOT exist in ${FILE}"
+                    FOUND=1
                 fi
+            done
+            if [ ${FOUND} -eq 1 ]; then
+                Display --indent 4 --text "- Checking step-tickers ntp servers 
entries" --result "SOME MISSING" --color YELLOW
+                ReportSuggestion ${TEST_NO} "Some time servers missing in 
step-tickers file"
+                AddHP 3 4
+            else
+                Display --indent 4 --text "- Checking step-tickers ntp servers 
entries" --result "${STATUS_OK}" --color GREEN
+                LogText "Result: all time servers are in step-tickers file"
+                AddHP 4 4
             fi
-            LogText "Information: step-tickers is used by ntpdate where as 
ntp.conf is the configuration file for the ntpd daemon. ntpdate is initially 
run to set the clock before ntpd to make sure time is within 1000 sec."
-            LogText "Risk: ntp will not run at boot if the time difference 
between the server and client by more then 1000 sec."
-        else
-            LogText "Result: test skipped because ${FILE} not found"
         fi
+        LogText "Information: step-tickers is used by ntpdate where as 
ntp.conf is the configuration file for the ntpd daemon. ntpdate is initially 
run to set the clock before ntpd to make sure time is within 1000 sec."
+        LogText "Risk: ntp will not run at boot if the time difference between 
the server and client by more then 1000 sec."
     fi
 #
 
#################################################################################
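Review bot: in the non-empty branch sFIND is now built from ${FILE} itself and each entry is then looked up with "grep ^${I} ${FILE}", so every entry is found, FOUND stays 0 and the "SOME MISSING" suggestion can never be raised. The removed code took the server list from /etc/ntp.conf; restore that source (with the ${ROOTDIR} prefix) if the comparison is still wanted, or drop the loop and the dead branch. Separately, the awk pattern /^[a-z0-9]/ skips entries that begin with an uppercase letter and makes the later "^::1" filter unreachable, the dot in "^127." is unescaped, and the inner -f "${FILE}" test repeats what the prerequisite already requires.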
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/lynis new/lynis/lynis
--- old/lynis/lynis     2018-01-26 01:00:00.000000000 +0100
+++ new/lynis/lynis     2018-06-26 02:00:00.000000000 +0200
@@ -35,10 +35,10 @@
     PROGRAM_AUTHOR_CONTACT="lynis-...@cisofy.com"
 
     # Version details
-    PROGRAM_RELEASE_DATE="2018-01-26"
-    PROGRAM_RELEASE_TIMESTAMP=1516968325
+    PROGRAM_RELEASE_DATE="2018-06-26"
+    PROGRAM_RELEASE_TIMESTAMP=1530018697
     PROGRAM_RELEASE_TYPE="final" # dev or final
-    PROGRAM_VERSION="2.6.1"
+    PROGRAM_VERSION="2.6.5"
 
     # Source, documentation and license
     PROGRAM_SOURCE="https://github.com/CISOfy/lynis";
@@ -130,7 +130,7 @@
     else
         MYID=$(id -u 2> /dev/null)
     fi
-    if [ -z "${MYID}" ]; then Display "Could not find user ID with id command. 
Want to help improving Lynis? Raise a ticket at ${PROGRAM_SOURCE}"; ExitFatal; 
fi
+    if [ -z "${MYID}" ]; then Display "Could not find user ID with id command. 
Want to help improve Lynis? Raise a ticket at ${PROGRAM_SOURCE}"; ExitFatal; fi
 #
 
#################################################################################
 #
@@ -333,9 +333,9 @@
 
 ${WARNING}Warning${NORMAL}: ${WHITE}PID file exists, probably another Lynis 
process is running.${NORMAL}
 ------------------------------------------------------------------------------
-If you are unsure another Lynis process is running currently, you are advised
-to stop current process and check the process list first. If you cancelled
-(by using CTRL+C) a previous instance, you can ignore this message.
+If you are unsure if another Lynis process is running currently, you are 
advised
+to stop the current process and check the process list first. If you cancelled
+a previous instance (by using CTRL+C), you can ignore this message.
 
 You are advised to check for temporary files after program completion.
 ------------------------------------------------------------------------------
@@ -348,7 +348,7 @@
             echo "Quitting, to prevent multiple cron jobs running at the same 
time"
             exit 1 # Manually exit, no cleanups to prevent deleting an active 
PID file
         else
-            wait_for_keypress
+            WaitForKeyPress
         fi
 
         # Deleting any stale PID files that might exist. Note: Display 
function does not work yet at this point
@@ -416,7 +416,7 @@
     ${GRAY}--version (-V)${NORMAL}                    : Display version number 
and quit
 
     ${WHITE}Enterprise options${NORMAL}
-    ${GRAY}--plugin-dir ${BROWN}\"<path>\"${NORMAL}             : Define path 
of available plugins
+    ${GRAY}--plugindir ${BROWN}<path>${NORMAL}                : Define path of 
available plugins
     ${GRAY}--upload${NORMAL}                          : Upload data to central 
node
 
     More options available. Run '$0 show options', or use the man page.
@@ -555,7 +555,7 @@
         Display --indent 2 --text "- Detecting language and localization" 
--result "${LANGUAGE}" --color WHITE
         if [ ! -f ${DBDIR}/languages/${LANGUAGE} ]; then
             Display --indent 4 --text "${YELLOW}Notice:${NORMAL} no language 
file found for '${LANGUAGE}' (tried: ${DBDIR}/languages/${LANGUAGE})"
-            if IsDeveloperVersion; then Display --indent 4 --text "See 
https://github.com/CISOfy/lynis-sdk/documentation/10-translations.md for more 
details to help translating Lynis"; fi
+            if IsDeveloperVersion; then Display --indent 4 --text "See 
https://github.com/CISOfy/lynis-sdk/documentation/10-translations.md for more 
details to help translate Lynis"; fi
             sleep 5
         else
             LogText "Importing language file (${DBDIR}/languages/${LANGUAGE})"
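Review bot: the message edited here points to https://github.com/CISOfy/lynis-sdk/documentation/10-translations.md, which is not the form GitHub uses for a file inside a repository (the path has no blob/<branch>/ segment), so the link shown to developers is unlikely to resolve. The line is being touched anyway, so correct the URL in the same change.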
@@ -925,7 +925,7 @@
             LogText "Info: perform tests from all categories"
 
             INCLUDE_TESTS="boot_services kernel memory_processes 
authentication shells \
-                           filesystems usb storage storage_nfs nameservices 
ports_packages networking printers_spools \
+                           filesystems usb storage storage_nfs nameservices 
dns ports_packages networking printers_spools \
                            mail_messaging firewalls webservers ssh snmp 
databases ldap php squid logging \
                            insecure_services banners scheduling accounting 
time crypto virtualization containers \
                            mac_frameworks file_integrity tooling malware 
file_permissions homedirs \
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lynis/plugins/custom_plugin.template 
new/lynis/plugins/custom_plugin.template
--- old/lynis/plugins/custom_plugin.template    2018-01-26 01:00:00.000000000 
+0100
+++ new/lynis/plugins/custom_plugin.template    2018-06-26 02:00:00.000000000 
+0200
@@ -80,6 +80,6 @@
 #
 
 # Wait for keypress (unless --quick is being used)
-wait_for_keypress
+WaitForKeyPress
 
 #EOF
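Review bot: replacing wait_for_keypress with WaitForKeyPress in the plugin template means custom plugins created from the old template still call the old name. Nothing in the visible diff adds a compatibility wrapper; if the old function is gone, keep a small alias that calls WaitForKeyPress, or record the rename in the changelog so plugin authors know to update.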


