Hello community, here is the log from the commit of package lynis for openSUSE:Factory checked in at 2018-06-28 15:12:53 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/lynis (Old) and /work/SRC/openSUSE:Factory/.lynis.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "lynis" Thu Jun 28 15:12:53 2018 rev:28 rq:619349 version:2.6.5 Changes: -------- --- /work/SRC/openSUSE:Factory/lynis/lynis.changes 2018-01-28 00:39:57.496029197 +0100 +++ /work/SRC/openSUSE:Factory/.lynis.new/lynis.changes 2018-06-28 15:13:12.155616687 +0200 @@ -1,0 +2,24 @@ +Wed Jun 27 08:42:31 UTC 2018 - astie...@suse.com + +- update to 2.6.5: + * mail: Exim configuration test + * network: Use FQDN to test status of a nameserver instead of own IP address + * ssh: Improved test to allow configurations with a Match block +- includes changes from 2.6.4: + * auth: Made 'sulogin' more generic for systemd rescue shell + * dns: Initial work on DNSSEC validation testing + * network: Added support for local resolver 127.0.0.53 + * php: Suhosin test disbled + * ssh: Removed 'DELAYED' from OpenSSH Compression setting + * time: Improvements to detect step-tickers file and entries +- includes changes from 2.6.3: + * crypt: Do prevalidation for certificates before testing them + * hardening: Enhanced compiler permission test + * name: Improved test to filter out empty lines + * packages: changes to detect yum-utils package and related tooling + * plugins: cron file permissions +- includes changes from 2.6.2: + * Textual changes for several tests + * Update of tests database + +------------------------------------------------------------------- Old: ---- lynis-2.6.1.tar.gz lynis-2.6.1.tar.gz.asc New: ---- lynis-2.6.5.tar.gz lynis-2.6.5.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ lynis.spec ++++++ --- /var/tmp/diff_new_pack.YJTuZS/_old 2018-06-28 15:13:13.771613726 +0200 +++ /var/tmp/diff_new_pack.YJTuZS/_new 2018-06-28 15:13:13.783613704 +0200 
@@ -22,14 +22,13 @@ %define _includedir %{_datadir}/lynis/include %define _pluginsdir %{_datadir}/lynis/plugins %define _dbdir %{_datadir}/lynis/db -%define _bindir %{_prefix}/bin Name: lynis -Version: 2.6.1 +Version: 2.6.5 Release: 0 Summary: Security and System auditing tool -License: GPL-3.0 +License: GPL-3.0-only Group: System/Monitoring -Url: https://cisofy.com/lynis/ +URL: https://cisofy.com/lynis/ Source0: https://cisofy.com/files/%{name}-%{version}.tar.gz Source2: tests_binary_rpath Source3: tests_file_permissionsDB @@ -60,7 +59,6 @@ Requires: wget # FIXME: use proper Requires(pre/post/preun/...) PreReq: %fillup_prereq -BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArch: noarch %description @@ -121,7 +119,6 @@ chmod +x %{buildroot}%{_pluginsdir}/custom_plugin.template %files -%defattr(-,root,root) %{_bindir}/%{name} %config(noreplace) %{_sysconfdir}/%{name}/default.prf %{_dbdir}/* @@ -133,8 +130,9 @@ %dir %{_datadir}/%{name}/include %attr(640,root,root) %{_datadir}/%{name}/include/* %dir %{_datadir}/%{name}/plugins -%doc CHANGELOG.md CONTRIBUTORS.md FAQ LICENSE README -%{_mandir}/man8/%{name}.8.* +%license LICENSE +%doc CHANGELOG.md CONTRIBUTORS.md FAQ README +%{_mandir}/man8/%{name}.8%{?ext_man} %{_datadir}/%{name}/prepare_for_suse.sh %changelog ++++++ lynis-2.6.1.tar.gz -> lynis-2.6.5.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/CHANGELOG.md new/lynis/CHANGELOG.md --- old/lynis/CHANGELOG.md 2018-01-26 01:00:00.000000000 +0100 +++ new/lynis/CHANGELOG.md 2018-06-26 02:00:00.000000000 +0200 
@@ -1,6 +1,65 @@ Lynis Changelog =============== +Lynis 2.6.5 (2018-06-26) + +Tests: +------ + +* [MAIL-8804] - Exim configuration test +* [NETW-2704] - Use FQDN to test status of a nameserver instead of own IP address +* [SSH-7402] - Improved test to allow configurations with a Match block + +--------------------------------------------------------------------------------- + +Lynis 2.6.4 (2018-05-02) + +Changes: +-------- +* Several contributions merged, including grammar improvements +* Initial support for Ubuntu 18.04 LTS +* Small enhancements for usage + +Tests: +------ +* [AUTH-9308] - Made 'sulogin' more generic for systemd rescue shell +* [DNS-1600] - Initial work on DNSSEC validation testing +* [NETW-2704] - Added support for local resolver 127.0.0.53 +* [PHP-2379] - Suhosin test disbled +* [SSH-7408] - Removed 'DELAYED' from OpenSSH Compression setting +* [TIME-3160] - Improvements to detect step-tickers file and entries + +--------------------------------------------------------------------------------- + +Lynis 2.6.3 (2018-03-07) + +Changes: +-------- +* Change in routine for host identifiers + +Tests: +------ +* [CRYP-7902] - Do prevalidation for certificates before testing them +* [HRDN-7222] - Enhanced compiler permission test +* [NAME-4402] - Improved test to filter out empty lines +* [PKGS-7384] - Changes to detect yum-utils package and related tooling + +Plugins: +-------- +* [PLGN-2680] - cron file permissions + +--------------------------------------------------------------------------------- + +Lynis 2.6.2 (2018-02-13) + +Changes: +-------- +* Bugfix for Arch Linux (binary detection) +* Textual changes for several tests +* Update of tests database + +--------------------------------------------------------------------------------- + Lynis 2.6.1 (2018-01-26) Changes: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/CONTRIBUTORS.md new/lynis/CONTRIBUTORS.md --- old/lynis/CONTRIBUTORS.md 2018-01-26 
01:00:00.000000000 +0100 +++ new/lynis/CONTRIBUTORS.md 2018-06-26 02:00:00.000000000 +0200 @@ -22,6 +22,7 @@ * Arch Linux - Levente Polyak * Debian / Ubuntu - Francisco Manuel Garcia Claramonte * Fedora / EPEL - Athmane Madjoudj +* FreeBSD port - Lars Engels * NetBSD - Stephen Borrill * Slackware - Eric Hameleers diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/FAQ new/lynis/FAQ --- old/lynis/FAQ 2018-01-26 01:00:00.000000000 +0100 +++ new/lynis/FAQ 2018-06-26 02:00:00.000000000 +0200 @@ -27,7 +27,7 @@ Q: I can't find any configuration file for Lynis, where is it? A: Lynis uses profiles. They are similar to a configuration file and determine - how a security scan should be performed. + how a security scan should be performed. Q: My version is outdated, what can I do to upgrade? Check out the upgrade guide: https://cisofy.com/documentation/lynis/upgrading/ @@ -82,7 +82,7 @@ Q: The program takes long to complete and also uses too much resources. Can it be tuned? A: The time it takes to complete depends on the amount of tests to run. - However the resources it take can be slighty lowered by increasing the + However the resources it take can be slightly lowered by increasing the pause_between_tests profile option. Keep in mind this increases the total length of the scan to complete. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/db/languages/az new/lynis/db/languages/az --- old/lynis/db/languages/az 1970-01-01 01:00:00.000000000 +0100 +++ new/lynis/db/languages/az 2018-06-26 02:00:00.000000000 +0200 
@@ -0,0 +1,39 @@ +ERROR_NO_LICENSE="Lisenziya açarı konfiqurasiya edilmeyib" +ERROR_NO_UPLOAD_SERVER="Yükləmə sunucusu konfiqurasiya edilmeyib" +GEN_CHECKING="Yoxlanır" +GEN_CURRENT_VERSION="Cari versiya" +GEN_DEBUG_MODE="Səhv ayıklama rejimi" +GEN_INITIALIZE_PROGRAM="Proqram koşuluyor" +GEN_LATEST_VERSION="Son versiya" +GEN_PHASE="faza" +GEN_PLUGINS_ENABLED="Konfiqur edilen uzantılar" +GEN_UPDATE_AVAILABLE="Yeniləmə mövcud" +GEN_VERBOSE_MODE="Etraflı" +GEN_WHAT_TO_DO="edilecekler" +NOTE_EXCEPTIONS_FOUND="İstisnalar tapıldı" +NOTE_EXCEPTIONS_FOUND_DETAILED="Bazı istisnai durumlar və məlumatlar tapıldı" +NOTE_PLUGINS_TAKE_TIME="Qeyd: Uzantılar daha ətraflı testlər içermektedir və tamamlanmaları uzun davam edəbilər" +NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Səlahiyyət lazımlı testlər" +SECTION_CUSTOM_TESTS="Xususi testlər" +SECTION_MALWARE="Pis proqram" +SECTION_MEMORY_AND_PROCESSES="Yaddaş ve prosesler" +STATUS_DISABLED="Təsirsiz" +STATUS_DONE="Bitdi" +STATUS_ENABLED="Təsirli" +STATUS_ERROR="Səhv" +STATUS_FOUND="Tapıldı" +STATUS_YES="Bəli" +STATUS_NO="Xeyr" +STATUS_OFF="Bağlı" +STATUS_OK="Əvət" +STATUS_ON="Açıq" +STATUS_NONE="Yox" +STATUS_NOT_FOUND="Tapılmadı" +STATUS_NOT_RUNNING="Çalışmayıb" +STATUS_RUNNING="İşleyib" +STATUS_SKIPPED="Atlandı" +STATUS_SUGGESTION="Teklif" +STATUS_UNKNOWN="Bilinmeyib" +STATUS_WARNING="Xəbərdarlıq" +TEXT_YOU_CAN_HELP_LOGFILE="qeydləri gönderib kömek eyleyin" +TEXT_UPDATE_AVAILABLE="yeniləmə mövcud" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/db/tests.db new/lynis/db/tests.db --- old/lynis/db/tests.db 2018-01-26 01:00:00.000000000 +0100 +++ new/lynis/db/tests.db 2018-06-26 02:00:00.000000000 +0200 
@@ -45,6 +45,7 @@ AUTH-9402:test:security:authentication::Query LDAP authentication support: AUTH-9406:test:security:authentication::Query LDAP servers in client configuration: AUTH-9408:test:security:authentication::Logging of failed login attempts via /etc/login.defs: +AUTH-9489:test:security:authentication:DragonFly:Check login shells for passwordless accounts: BANN-7113:test:security:banners:FreeBSD:Check COPYRIGHT banner file: BANN-7124:test:security:banners::Check issue banner file: BANN-7126:test:security:banners::Check issue banner file contents: @@ -69,13 +70,16 @@ BOOT-5184:test:security:boot_services:Linux:Check permissions for boot files/scripts: BOOT-5202:test:security:boot_services::Check uptime of system: BOOT-5260:test:security:boot_services::Check single user mode for systemd: +BOOT-5261:test:security:boot_services:DragonFly:Check for DragonFly boot loader presence: CONT-8004:test:security:containers:Solaris:Query running Solaris zones: CONT-8102:test:security:containers::Checking Docker status and information: CONT-8104:test:security:containers::Checking Docker info for any warnings: CONT-8106:test:security:containers::Gather basic stats from Docker: CONT-8107:test:performance:containers::Check number of unused Docker containers: CONT-8108:test:security:containers::Check file permissions for Docker files: +CORE-1000:test:performance:system_integrity::Check all system binaries: CRYP-7902:test:security:crypto::Check expire date of SSL certificates: +DNS-1600:test:security:dns::Validating that the DNSSEC signatures are checked: DBS-1804:test:security:databases::Checking active MySQL process: DBS-1816:test:security:databases::Checking MySQL root password: DBS-1818:test:security:databases::MongoDB status: 
@@ -88,20 +92,6 @@ DBS-1884:test:security:databases::Redis configuration (requirepass): DBS-1886:test:security:databases::Redis configuration (CONFIG command renamed): DBS-1888:test:security:databases::Redis configuration (bind on localhost): -FINT-4310:test:security:file_integrity::AFICK availability: -FINT-4314:test:security:file_integrity::AIDE availability: -FINT-4315:test:security:file_integrity::Check AIDE configuration file: -FINT-4318:test:security:file_integrity::Osiris availability: -FINT-4322:test:security:file_integrity::Samhain availability: -FINT-4326:test:security:file_integrity::Tripwire availability: -FINT-4328:test:security:file_integrity::OSSEC syscheck daemon running: -FINT-4330:test:security:file_integrity::mtree availability: -FINT-4334:test:security:file_integrity::Check lfd daemon status: -FINT-4336:test:security:file_integrity::Check lfd configuration status: -FINT-4338:test:security:file_integrity::osqueryd syscheck daemon running: -FINT-4402:test:security:file_integrity::Checksums (SHA256 or SHA512): -FINT-4350:test:security:file_integrity::File integrity software installed: -FILE-7524:test:security:file_permissions::Perform file permissions check: FILE-6310:test:security:filesystems::Checking /tmp, /home and /var directory: FILE-6311:test:security:filesystems::Checking LVM volume groups: FILE-6312:test:security:filesystems::Checking LVM volumes: 
@@ -113,12 +103,28 @@ FILE-6344:test:security:filesystems:Linux:Checking proc mount options: FILE-6354:test:security:filesystems::Searching for old files in /tmp: FILE-6362:test:security:filesystems::Checking /tmp sticky bit: +FILE-6363:test:security:filesystems::Checking /var/tmp sticky bit: FILE-6368:test:security:filesystems:Linux:Checking ACL support on root file system: FILE-6372:test:security:filesystems:Linux:Checking / mount options: FILE-6374:test:security:filesystems:Linux:Checking /boot mount options: FILE-6376:test:security:filesystems:Linux:Determine if /var/tmp is bound to /tmp: FILE-6410:test:security:filesystems::Checking Locate database: FILE-6430:test:security:filesystems::Disable mounting of some filesystems: +FILE-6439:test:security:filesystems:DragonFly:Checking HAMMER PFS mounts: +FILE-7524:test:security:file_permissions::Perform file permissions check: +FINT-4310:test:security:file_integrity::AFICK availability: +FINT-4314:test:security:file_integrity::AIDE availability: +FINT-4315:test:security:file_integrity::Check AIDE configuration file: +FINT-4318:test:security:file_integrity::Osiris availability: +FINT-4322:test:security:file_integrity::Samhain availability: +FINT-4326:test:security:file_integrity::Tripwire availability: +FINT-4328:test:security:file_integrity::OSSEC syscheck daemon running: +FINT-4330:test:security:file_integrity::mtree availability: +FINT-4334:test:security:file_integrity::Check lfd daemon status: +FINT-4336:test:security:file_integrity::Check lfd configuration status: +FINT-4338:test:security:file_integrity::osqueryd syscheck daemon running: +FINT-4350:test:security:file_integrity::File integrity software installed: +FINT-4402:test:security:file_integrity::Checksums (SHA256 or SHA512): FIRE-4502:test:security:firewalls:Linux:Check iptables kernel module: FIRE-4508:test:security:firewalls::Check used policies of iptables chains: FIRE-4512:test:security:firewalls::Check iptables for empty ruleset: 
@@ -175,6 +181,7 @@ KRNL-5788:test:security:kernel:Linux:Checking availability new Linux kernel: KRNL-5820:test:security:kernel:Linux:Checking core dumps configuration: KRNL-5830:test:security:kernel:Linux:Checking if system is running on the latest installed kernel: +KRNL-5831:test:security:kernel:DragonFly:Checking DragonFly loaded kernel modules: KRNL-6000:test:security:kernel_hardening::Check sysctl key pairs in scan profile: LDAP-2219:test:security:ldap::Check running OpenLDAP instance: LDAP-2224:test:security:ldap::Check presence slapd.conf: @@ -182,9 +189,6 @@ LOGG-2132:test:security:logging::Check for running syslog-ng daemon: LOGG-2134:test:security:logging::Checking Syslog-NG configuration file consistency: LOGG-2136:test:security:logging::Check for running systemd journal daemon: -LOGG-2210:test:security:logging::Check for running metalog daemon: -LOGG-2230:test:security:logging::Check for running RSyslog daemon: -LOGG-2240:test:security:logging::Check for running RFC 3195 compliant daemon: LOGG-2138:test:security:logging:Linux:Checking kernel logger daemon on Linux: LOGG-2142:test:security:logging:Linux:Checking minilog daemon: LOGG-2146:test:security:logging::Checking logrotate.conf and logrotate.d: 
@@ -199,15 +203,19 @@ LOGG-2180:test:security:logging::Checking open log files: LOGG-2190:test:security:logging::Checking for deleted files in use: LOGG-2192:test:security:logging::Checking for opened log files that are empty: +LOGG-2210:test:security:logging::Check for running metalog daemon: +LOGG-2230:test:security:logging::Check for running RSyslog daemon: +LOGG-2240:test:security:logging::Check for running RFC 3195 compliant daemon: MACF-6204:test:security:mac_frameworks::Check AppArmor presence: MACF-6208:test:security:mac_frameworks::Check if AppArmor is enabled: MACF-6232:test:security:mac_frameworks::Check SELINUX presence: MACF-6234:test:security:mac_frameworks::Check SELINUX status: MACF-6290:test:security:mac_frameworks::Check for implemented MAC framework: MAIL-8802:test:security:mail_messaging::Check Exim status: +MAIL-8804:test:security:mail_messaging::Exim configuration: MAIL-8814:test:security:mail_messaging::Check postfix process status: MAIL-8816:test:security:mail_messaging::Check Postfix configuration: -MAIL-8816:test:security:mail_messaging::Postfix configuration errors: +MAIL-8817:test:security:mail_messaging::Check Postfix configuration errors: MAIL-8818:test:security:mail_messaging::Postfix banner: MAIL-8820:test:security:mail_messaging::Postfix configuration: MAIL-8838:test:security:mail_messaging::Check dovecot process: 
@@ -222,10 +230,6 @@ MALW-3284:test:security:malware::Check for clamd: MALW-3286:test:security:malware::Check for freshclam: MALW-3288:test:security:malware::Check for ClamXav: -PROC-3602:test:security:memory_processes:Linux:Checking /proc/meminfo for memory details: -PROC-3604:test:security:memory_processes:Solaris:Query prtconf for memory details: -PROC-3612:test:security:memory_processes::Check dead or zombie processes: -PROC-3614:test:security:memory_processes::Check heavy IO waiting based processes: NAME-4016:test:security:nameservices::Check /etc/resolv.conf default domain: NAME-4018:test:security:nameservices::Check /etc/resolv.conf search domains: NAME-4020:test:security:nameservices::Check non default options: @@ -317,6 +321,10 @@ PRNT-2316:test:security:printers_spools:AIX:Checking /etc/qconfig file: PRNT-2418:test:security:printers_spools:AIX:Checking qdaemon printer spooler status: PRNT-2420:test:security:printers_spools:AIX:Checking old print jobs: +PROC-3602:test:security:memory_processes:Linux:Checking /proc/meminfo for memory details: +PROC-3604:test:security:memory_processes:Solaris:Query prtconf for memory details: +PROC-3612:test:security:memory_processes::Check dead or zombie processes: +PROC-3614:test:security:memory_processes::Check heavy IO waiting based processes: RBAC-6272:test:security:mac_frameworks::Check grsecurity presence: SCHD-7702:test:security:scheduling::Check status of cron daemon: SCHD-7704:test:security:scheduling::Check crontab/cronjobs: 
@@ -327,7 +335,7 @@ SHLL-6211:test:security:shells::Checking available and valid shells: SHLL-6220:test:security:shells::Checking available and valid shells: SHLL-6230:test:security:shells::Perform umask check for shell configurations: -SHLL-6290:test:security:shells::Perform Shellshock vulnerability tests: +SINT-7010:test:security:system_integrity::System Integrity Status: SNMP-3302:test:security:snmp::Check for running SNMP daemon: SNMP-3304:test:security:snmp::Check SNMP daemon file location: SNMP-3306:test:security:snmp::Check SNMP communities: @@ -341,7 +349,7 @@ SQD-3620:test:security:squid::Check Squid access control lists: SQD-3624:test:security:squid::Check Squid safe ports: SQD-3630:test:security:squid::Check Squid reply_body_max_size option: -SQD-3680:test:security:squid::Check Squid version suppresion: +SQD-3680:test:security:squid::Check Squid version suppression: SSH-7402:test:security:ssh::Check for running SSH daemon: SSH-7404:test:security:ssh::Check SSH daemon file location: SSH-7408:test:security:ssh::Check SSH specific defined options: @@ -374,4 +382,5 @@ TOOL-5120:test:security:tooling::Presence of Snort IDS: TOOL-5122:test:security:tooling::Snort IDS configuration file: TOOL-5190:test:security:tooling::Check presence of available IDS/IPS tooling: +USB-3000:test:security:storage:Linux:Check for presence of USBGuard: # EOF diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/default.prf new/lynis/default.prf --- old/lynis/default.prf 2018-01-26 01:00:00.000000000 +0100 +++ new/lynis/default.prf 2018-06-26 02:00:00.000000000 +0200 
@@ -417,17 +417,24 @@ # This is useful for ephemeral systems which are short-lived. #allow-auto-purge=yes +# Sometimes it might be useful to override the host identifiers. +# Use only hexadecimal values (0-9, a-f), with 40 and 64 characters in length. +# +#hostid=40-char-hash +#hostid2=64-char-hash + # Proxy settings # Protocol (http, https, socks5) #proxy-protocol=https -# Address -#proxy-server=1.2.3.4 +# Proxy server +#proxy-server=10.0.1.250 -# Port +# Define proxy port to use #proxy-port=3128 -# Define group names to link to this system (preferably single words) +# Define the group names to link to this system (preferably single words). Default setting: append +# To clear groups before assignment, add 'action:clear' as last groupname #system-groups=groupname1,groupname2,groupname3 # Define which compliance standards are audited and reported on. Disable this if not required. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/extras/build-lynis.sh new/lynis/extras/build-lynis.sh --- old/lynis/extras/build-lynis.sh 2018-01-26 01:00:00.000000000 +0100 +++ new/lynis/extras/build-lynis.sh 2018-06-26 02:00:00.000000000 +0200 @@ -14,7 +14,7 @@ # # Options: - echo "[*] Activity [V] Succesful [X] Error [=] Result" + echo "[*] Activity [V] Successful [X] Error [=] Result" echo "" # Umask used when creating files/directories @@ -227,7 +227,7 @@ RPMFILE="${RPMWORKDIR}/RPMS/noarch/lynis-${LYNIS_VERSION}-1.noarch.rpm" if [ -f ${RPMFILE} ]; then - echo "[V] Building RPM succesful!" + echo "[V] Building RPM successful!" else echo "[X] Could not find RPM file, most likely failed" echo " Expected: ${RPMFILE}" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/binaries new/lynis/include/binaries --- old/lynis/include/binaries 2018-01-26 01:00:00.000000000 +0100 +++ new/lynis/include/binaries 2018-06-26 02:00:00.000000000 +0200 
@@ -77,7 +77,8 @@ fi # Add a space to make sure we discover a related directory if it was already scanned - FIND=$(echo ${BINARY_PATHS_FOUND} | grep ", ${SCANDIR}") + # The grep -v is to prevent a match /usr/bin in something like /usr/bin/core_perl + FIND=$(echo ${BINARY_PATHS_FOUND} | grep ", ${SCANDIR}" | grep -v ", ${SCANDIR}/") if [ ! -z "${FIND}" ]; then SKIPDIR=1; LogText "Result: Skipping this directory as it was already scanned" fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/data_upload new/lynis/include/data_upload --- old/lynis/include/data_upload 2018-01-26 01:00:00.000000000 +0100 +++ new/lynis/include/data_upload 2018-06-26 02:00:00.000000000 +0200 @@ -238,7 +238,7 @@ # Quit ExitClean else - Display --indent 2 --text "Data upload status" --result OK --color GREEN + Display --indent 2 --text "Data upload status (${UPLOAD_SERVER})" --result OK --color GREEN fi else echo "${RED}Error${NORMAL}: No hostid and/or hostid2 found. Can not upload report file." diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/functions new/lynis/include/functions --- old/lynis/include/functions 2018-01-26 01:00:00.000000000 +0100 +++ new/lynis/include/functions 2018-06-26 02:00:00.000000000 +0200 @@ -68,6 +68,7 @@ # IsWorldWritable Check if a file is world writable # LogText Log text strings to logfile, prefixed with date/time # LogTextBreak Insert a separator in log file +# PackageIsInstalled Test for installed package # ParseNginx Parse nginx configuration lines # ParseProfiles Parse all available profiles # ParseTestValues Parse a set of values 
@@ -804,11 +805,17 @@ # Name : GetHostID() # Description : Create an unique id for the system # - # Returns : Nothing + # Returns : optional value # Usage : GetHostID ################################################################################ GetHostID() { + + if [ ! -z "${HOSTID}" -a ! -z "${HOSTID2}" ]; then + Debug "Skipping creation of host identifiers, as they are already configured (via profile)" + return 1 + fi + FIND="" # Avoid some hashes (empty, only zeros) BLACKLISTED_HASHES="6ef1338f520d075957424741d7ed35ab5966ae97 adc83b19e793491b1c6ea0fd8b46cd9f32e592fc" @@ -1104,6 +1111,8 @@ # Show an exception if no HostID could be created, to ensure each system (and scan) has one if [ "${HOSTID}" = "" ]; then ReportException "GetHostID" "No unique host identifier could be created." + elif [ ! -z "${HOSTID2}" ]; then + return 0 fi } 
@@ -1688,6 +1697,40 @@ ################################################################################ + # Name : PackageIsInstalled() + # Description : Add a separator to log file between sections, tests etc + # Returns : exit code + # Notes : this function is not used yet, but created in advance to allow + # the addition of support for all operating systems + ################################################################################ + + PackageIsInstalled() { + exit_code=255 + + if [ $# -eq 1 ]; then + package="$1" + else + Fatal "Incorrect usage of PackageIsInstalled function" + fi + + if [ ! -z "${RPMBINARY}" ]; then + output=$(${RPMBINARY} --quiet -q ${package} 2> /dev/null) + exit_code=$? + elif ! -z "${DPKGBINARY}" ]; then + output=$(${DPKGBINARY} -l ${package} 2> /dev/null) + exit_code=$? + elif [ ! -z "${ZYPPERBINARY}" ]; then + output=$(${ZYPPERBINARY} --quiet --non-interactive search --installed -i ${PACKAGE} 2> /dev/null | grep "^i") + if [ ! -z "${output}" ]; then exit_code=0; else exit_code=1; fi + else + ReportException "PackageIsInstalled:01" + fi + + return ${exit_code} + } + + + ################################################################################ # Name : ParseProfiles() # Description : Check file permissions and parse data from profiles # Returns : <nothing> 
@@ -2164,7 +2207,7 @@ if [ ${SKIPTEST} -eq 0 -a ! -z "${TEST_NEED_PLATFORM}" -a ! "${HARDWARE}" = "${TEST_NEED_PLATFORM}" ]; then SKIPTEST=1; SKIPREASON="Incorrect hardware platform"; fi # Not all prerequisites met, like missing tool - if [ ${SKIPTEST} -eq 0 -a "${PREQS_MET}" = "NO" ]; then SKIPTEST=1; if [ -z "${SKIPREASON}" ]; then SKIPREASON="Prerequisities not met (ie missing tool, other type of Linux distribution)"; fi; fi + if [ ${SKIPTEST} -eq 0 -a "${PREQS_MET}" = "NO" ]; then SKIPTEST=1; if [ -z "${SKIPREASON}" ]; then SKIPREASON="Prerequisites not met (ie missing tool, other type of Linux distribution)"; fi; fi # Skip if a test is root only and we are running a non-privileged test if [ ${SKIPTEST} -eq 0 -a ${ROOT_ONLY} -eq 1 -a ! ${MYID} = "0" ]; then diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/helper_show new/lynis/include/helper_show --- old/lynis/include/helper_show 2018-01-26 01:00:00.000000000 +0100 +++ new/lynis/include/helper_show 2018-06-26 02:00:00.000000000 +0200 @@ -99,11 +99,6 @@ Check version information - - ${CYAN}update release${NORMAL} - - Perform update of release - " UPLOAD_ONLY_HELP=" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/parameters new/lynis/include/parameters --- old/lynis/include/parameters 2018-01-26 01:00:00.000000000 +0100 +++ new/lynis/include/parameters 2018-06-26 02:00:00.000000000 +0200 
@@ -279,22 +279,32 @@ # Define a custom profile file --profile) - shift - SEARCH_PROFILES=$1 + if [ $# -gt 1 ]; then + shift + SEARCH_PROFILES=$1 + else + echo "Specify the profile (lynis audit system --profile /home/michael/myprofile.prf)" + exit 1 + fi ;; # Define a custom plugin directory --plugindir | --plugin-dir | --plugins-dir) - shift - PLUGINDIR=$1 - LASTCHAR=$(echo $1 | awk '{ print substr($0, length($0))}') - if [ "${LASTCHAR}" = "/" ]; then - echo "${RED}Error:${WHITE} plugin directory path should not end with a slash${NORMAL}" - ExitCustom 65 - fi - if [ ! -d ${PLUGINDIR} ]; then - echo "${RED}Error:${WHITE} invalid plugin directory ${PLUGINDIR}${NORMAL}" - ExitCustom 66 + if [ $# -gt 1 ]; then + shift + PLUGINDIR=$1 + LASTCHAR=$(echo $1 | awk '{ print substr($0, length($0))}') + if [ "${LASTCHAR}" = "/" ]; then + echo "${RED}Error:${WHITE} plugin directory path should not end with a slash${NORMAL}" + ExitCustom 65 + fi + if [ ! -d ${PLUGINDIR} ]; then + echo "${RED}Error:${WHITE} invalid plugin directory ${PLUGINDIR}${NORMAL}" + ExitCustom 66 + fi + else + echo "Specify the plugin directory (lynis audit system --plugindir /home/michael/plugins)" + exit 1 fi ;; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_accounting new/lynis/include/tests_accounting --- old/lynis/include/tests_accounting 2018-01-26 01:00:00.000000000 +0100 +++ new/lynis/include/tests_accounting 2018-06-26 02:00:00.000000000 +0200 @@ -353,7 +353,7 @@ # ################################################################################# # - # Test : ACCT-9662 + # Test : ACCT-9660 # Description : Check location for audit events if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no ACCT-9660 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check location of audit events" 
@@ -386,7 +386,7 @@ # ################################################################################# # - # Test : ACCT-9672 + # Test : ACCT-9662 # Description : check auditstat if [ ${SOLARIS_AUDITD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no ACCT-9662 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Solaris auditing stats" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_authentication new/lynis/include/tests_authentication --- old/lynis/include/tests_authentication 2018-01-26 01:00:00.000000000 +0100 +++ new/lynis/include/tests_authentication 2018-06-26 02:00:00.000000000 +0200 @@ -962,7 +962,7 @@ # Mark test as performed only when at least 1 target exists (e.g. Ubuntu 14.04 has limited systemd support) TEST_PERFORMED=1 LogText "Result: found target ${I}" - FIND=$(${EGREPBINARY} "^ExecStart=" ${FILE} | ${GREPBINARY} "/sulogin") + FIND=$(${EGREPBINARY} "^ExecStart=" ${FILE} | ${GREPBINARY} "sulogin") if [ "${FIND}" = "" ]; then LogText "Result: did not find sulogin specified, possible risk of getting into single user mode without authentication" else diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_boot_services new/lynis/include/tests_boot_services --- old/lynis/include/tests_boot_services 2018-01-26 01:00:00.000000000 +0100 +++ new/lynis/include/tests_boot_services 2018-06-26 02:00:00.000000000 +0200 
@@ -71,7 +71,7 @@ case ${OS} in "Linux") if [ -f /proc/1/cmdline ]; then - FILENAME=$(${AWKBINARY} '/(^\/|init)/ { print $1 }' /proc/1/cmdline) + FILENAME=$(${AWKBINARY} '/(^\/|init)/ { print $1 }' /proc/1/cmdline | tr -d '\0') LogText "Result: cmdline found = ${FILENAME}" ISFILE=$(echo ${FILENAME} | ${GREPBINARY} "^/") if [ ! -z "${ISFILE}" ]; then diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_crypto new/lynis/include/tests_crypto --- old/lynis/include/tests_crypto 2018-01-26 01:00:00.000000000 +0100 +++ new/lynis/include/tests_crypto 2018-06-26 02:00:00.000000000 +0200 
@@ -53,24 +53,31 @@ if [ ${CANREAD} -eq 1 ]; then # Only check the files that are not installed by a package if ! FileInstalledByPackage "${FILE}"; then - LogText "Test: checking file and determining if it is certificate ${FILE}" - FIND=$(${OPENSSLBINARY} x509 -noout -in "${FILE}" -enddate 2> /dev/null | ${GREPBINARY} "^notAfter") + LogText "Test: test if file is a certificate" + OUTPUT=$(${GREPBINARY} -q 'BEGIN CERT' "${FILE}") if [ $? -eq 0 ]; then - # Check certificate where 'end date' has been expired - FIND=$(${OPENSSLBINARY} x509 -noout -checkend 0 -in "${FILE}" -enddate 2> /dev/null) - EXIT_CODE=$? - CERT_CN=$(${OPENSSLBINARY} x509 -noout -subject -in "${FILE}" 2> /dev/null | ${SEDBINARY} -e 's/^subject.*CN=\([a-zA-Z0-9\.\-\*]*\).*$/\1/') - CERT_NOTAFTER=$(${OPENSSLBINARY} x509 -noout -enddate -in "${FILE}" 2> /dev/null | ${AWKBINARY} -F= '{if ($1=="notAfter") { print $2 }}') - Report "certificate[]=${FILE}|${EXIT_CODE}|cn:${CERT_CN};notafter:${CERT_NOTAFTER};|" - if [ ${EXIT_CODE} -eq 0 ]; then - LogText "Result: certificate ${FILE} seems to be correct and still valid" + LogText "Result: file is a certificate" + LogText "Test: checking certificate details" + FIND=$(${OPENSSLBINARY} x509 -noout -in "${FILE}" -enddate 2> /dev/null | ${GREPBINARY} "^notAfter") + if [ $? -eq 0 ]; then + # Check certificate where 'end date' has been expired + FIND=$(${OPENSSLBINARY} x509 -noout -checkend 0 -in "${FILE}" -enddate 2> /dev/null) + EXIT_CODE=$? 
+ CERT_CN=$(${OPENSSLBINARY} x509 -noout -subject -in "${FILE}" 2> /dev/null | ${SEDBINARY} -e 's/^subject.*CN=\([a-zA-Z0-9\.\-\*]*\).*$/\1/') + CERT_NOTAFTER=$(${OPENSSLBINARY} x509 -noout -enddate -in "${FILE}" 2> /dev/null | ${AWKBINARY} -F= '{if ($1=="notAfter") { print $2 }}') + Report "certificate[]=${FILE}|${EXIT_CODE}|cn:${CERT_CN};notafter:${CERT_NOTAFTER};|" + if [ ${EXIT_CODE} -eq 0 ]; then + LogText "Result: certificate ${FILE} seems to be correct and still valid" + else + FOUNDPROBLEM=1 + COUNT_EXPIRED=$((COUNT_EXPIRED + 1)) + LogText "Result: certificate ${FILE} has been expired" + fi else - FOUNDPROBLEM=1 - COUNT_EXPIRED=$((COUNT_EXPIRED + 1)) - LogText "Result: certificate ${FILE} has been expired" + LogText "Result: skipping tests for this file (${FILE}) as it is most likely not a certificate (a key file?)" fi else - LogText "Result: skipping tests for this file (${FILE}) as it is most likely not a certificate (a key file?)" + LogText "Result: skipping test for this file (${FILE}) as we could not find 'BEGIN CERT'" fi fi else diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_databases new/lynis/include/tests_databases --- old/lynis/include/tests_databases 2018-01-26 01:00:00.000000000 +0100 +++ new/lynis/include/tests_databases 2018-06-26 02:00:00.000000000 +0200 
@@ -75,12 +75,15 @@ Register --test-no DBS-1816 --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Checking MySQL root password" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Trying to login to local MySQL server without password" - FIND=$(${MYSQLCLIENTBINARY} -u root --password= --silent --batch --execute="" 2> /dev/null; echo $?) + + # "-u root --password=" avoids ~/.my.cnf authentication settings + # "plugin = 'mysql_native_password' AND authentication_string = ''" avoids false positives when secure plugins are used + FIND=$(${MYSQLCLIENTBINARY} --no-defaults -u root --password= --silent --batch --execute="SELECT count(*) FROM mysql.user WHERE user = 'root' AND plugin = 'mysql_native_password' AND authentication_string = ''" mysql 2>/dev/null; echo $?) if [ "${FIND}" = "0" ]; then - LogText "Result: Login succeeded, no MySQL root password set!" - ReportWarning ${TEST_NO} "No MySQL root password set" - Display --indent 4 --text "- Checking empty MySQL root password" --result "${STATUS_WARNING}" --color RED - AddHP 0 5 + LogText "Result: Login succeeded, no MySQL root password set!" + ReportWarning ${TEST_NO} "No MySQL root password set" + Display --indent 4 --text "- Checking empty MySQL root password" --result "${STATUS_WARNING}" --color RED + AddHP 0 5 else LogText "Result: Login did not succeed, so a MySQL root password is set" if IsVerbose; then Display --indent 4 --text "- Checking MySQL root password" --result "${STATUS_OK}" --color GREEN; fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_dns new/lynis/include/tests_dns --- old/lynis/include/tests_dns 1970-01-01 01:00:00.000000000 +0100 +++ new/lynis/include/tests_dns 2018-06-26 02:00:00.000000000 +0200 
@@ -0,0 +1,73 @@ +#!/bin/sh + +################################################################################# +# +# Lynis +# ------------------ +# +# Copyright 2007-2013, Michael Boelen +# Copyright 2007-2018, CISOfy +# +# Website : https://cisofy.com +# Blog : http://linux-audit.com +# GitHub : https://github.com/CISOfy/lynis +# +# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are +# welcome to redistribute it under the terms of the GNU General Public License. +# See LICENSE file for usage of this software. +# +################################################################################# +# +# DNS +# +################################################################################# +# +# # TODO create records on test domain +# # TODO after update even IP match can be checked to detect hijacking +# SIGOKDNS="sigok.example.org" # adress with good DNSSEC signature +# SIGFAILDNS="sigfail.example.org" # adress with bad DNSSEC signature +# TIMEOUT=";; connection timed out; no servers could be reached" +# +################################################################################# +# +# InsertSection "DNS" +# +################################################################################# +# +# # Test : DNS-1600 +# # Description : Validate DNSSEC signiture is checked +# Register --test-no DNS-1600 --weight L --network YES --category security --description "Validate DNSSEC igniture is checked" +# if [ "${SKIPTEST}" -eq 0 ]; then +# if [ ! 
-z "${DIGBINARY}" ]; then +# +# GOOD=$("${DIGBINARY}" +short +time=1 $SIGOKDNS) +# BAD=$("${DIGBINARY}" +short +time=1 $SIGFAILDNS) +# +# if [ "${GOOD}" = "${TIMEOUT}" -a "${BAD}" = "${TIMEOUT}" ]; then +# LogText "Result: received timeout, can't determine DNSSEC validation" +# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKOWN}" --color YELLOW +# #ReportException "${TEST_NO}" "Exception found, both query failed, due to connection timeout" +# elif [ -z "${GOOD}" -a ! -z "${BAD}" ]; then +# LogText "Result: good signature failed, yet bad signature was accepted" +# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKOWN}" --color YELLOW +# #ReportException "${TEST_NO}" "Exception found, OK failed, bad signature was accepted" +# elif [ ! -z "${GOOD}" -a ! -z "${BAD}" ]; then +# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_SUGGESTION}" --color YELLOW +# LogText "Note: Using DNSSEC validation can protect from DNS hijacking" +# #ReportSuggestion "${TEST_NO}" "Altered DNS queries are accepted, configure DNSSEC valdating name servers" +# AddHP 2 2 +# elif [ ! -z "${GOOD}" -a -z "${BAD}" ]; then +# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_OK}" --color GREEN +# LogText "Result: altered DNS responses were ignored" +# AddHP 0 2 +# fi +# else +# Display --indent 4 --text "- DNSSEC validation" --result "${STATUS_SKIPPED}" --color YELLOW +# LogText "Result: dig not installed, test can't be fully performed" +# fi +# else +# LogText "Result: Test was skipped" +# fi +# +################################################################################# +# diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_firewalls new/lynis/include/tests_firewalls --- old/lynis/include/tests_firewalls 2018-01-26 01:00:00.000000000 +0100 +++ new/lynis/include/tests_firewalls 2018-06-26 02:00:00.000000000 +0200 
@@ -115,7 +115,7 @@ TABLES="filter" for TABLE in ${TABLES}; do LogText "Test: gathering information from table ${TABLE}" - FIND="$FIND""\n"$(${IPTABLESBINARY} -t ${TABLE} --numeric --list | ${EGREPBINARY} -z -o -w '[A-Z]+' | ${AWKBINARY} -v t=${TABLE} 'NR%2 {printf "%s %s ",t, $0 ; next;}1') + FIND="$FIND""\n"$(${IPTABLESBINARY} -t ${TABLE} --numeric --list | ${EGREPBINARY} -z -o -w '[A-Z]+' | tr -d '\0' | ${AWKBINARY} -v t=${TABLE} 'NR%2 {printf "%s %s ",t, $0 ; next;}1') done echo "${FIND}" | while read line; do @@ -522,7 +522,7 @@ # # Test : FIRE-4594 # Description : Check for APF (Advanced Policy Firewall) - Register --test-no FIRE-4592 --weight L --network NO --category security --description "Check for APF presence" + Register --test-no FIRE-4594 --weight L --network NO --category security --description "Check for APF presence" if [ ! -z "${IPTABLESBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi if [ ${SKIPTEST} -eq 0 ]; then FILE="/etc/apf/conf.apf" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_hardening new/lynis/include/tests_hardening --- old/lynis/include/tests_hardening 2018-01-26 01:00:00.000000000 +0100 +++ new/lynis/include/tests_hardening 2018-06-26 02:00:00.000000000 +0200 
@@ -53,42 +53,31 @@ if [ ${COMPILER_INSTALLED} -eq 0 ]; then LogText "Result: no compilers found" else - # as - if [ ! -z "${ASBINARY}" ]; then - LogText "Test: Check file permissions for as (Assembler)" - if IsWorldExecutable ${ASBINARY}; then - LogText "Binary: found ${ASBINARY} (world executable)" - Report "compiler_world_executable[]=${ASBINARY}" - AddHP 2 3 - HARDEN_COMPILERS_NEEDED=1 - else - AddHP 3 3 + # TODO - c89 c99 cpp ld + TEST_BINARIES="${ASBINARY} ${GCCBINARY}" + for ITEM in ${TEST_BINARIES}; do + FILE="${ITEM}" + LogText "Test: Check file permissions for ${ITEM}" + ShowSymlinkPath ${ITEM} + if [ ! -z "${SYMLINK}" ]; then + FILE="${SYMLINK}" fi - fi - # gcc - if [ ! -z "${GCCBINARY}" ]; then - LogText "Test: Check file permissions for GCC compiler" - if IsWorldExecutable ${GCCBINARY}; then - LogText "Binary: found ${GCCBINARY} (world executable)" - Report "compiler_world_executable[]=${GCCBINARY}" + + if IsWorldExecutable ${FILE}; then + LogText "Binary: found ${FILE} (world executable)" + Report "compiler_world_executable[]=${FILE}" AddHP 2 3 HARDEN_COMPILERS_NEEDED=1 else AddHP 3 3 fi - fi + done + # Report suggestion is one or more compilers can be better hardened if [ ${HARDEN_COMPILERS_NEEDED} -eq 1 ]; then LogText "Result: at least one compiler could be better hardened by restricting executable access to root or group only" ReportSuggestion ${TEST_NO} "Harden compilers like restricting access to root user only" fi - - # TODO check if compilers have a specific group (like compiler, or NOT root/wheel) - # Display --indent 4 --text "- Installed compiler(s)" --result "${STATUS_FOUND}" --color RED - # /usr/bin/*cc* - # /usr/bin/*++* - # /usr/bin/ld - # (and 700 or 750 permissions) fi fi # diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_logging new/lynis/include/tests_logging --- old/lynis/include/tests_logging 2018-01-26 01:00:00.000000000 +0100 +++ new/lynis/include/tests_logging 
2018-06-26 02:00:00.000000000 +0200 @@ -305,7 +305,7 @@ # # Test : LOGG-2152 # Description : Check for Solaris 'loghost' entry in /etc/inet/hosts, or - # succesful resolving via DNS or any other name service. + # successful resolving via DNS or any other name service. Register --test-no LOGG-2152 --weight L --os Solaris --network NO --category security --description "Checking loghost" if [ ${SKIPTEST} -eq 0 ]; then # Try local hosts file @@ -322,7 +322,7 @@ FIND=$(getent hosts loghost | ${GREPBINARY} loghost) if [ ! -z "${FIND}" ]; then SOLARIS_LOGHOST_FOUND=1 - LogText "Result: name resolving was succesful" + LogText "Result: name resolving was successful" LogText "Output: ${FIND}" else LogText "Result: name resolving didn't find results" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_mail_messaging new/lynis/include/tests_mail_messaging --- old/lynis/include/tests_mail_messaging 2018-01-26 01:00:00.000000000 +0100 +++ new/lynis/include/tests_mail_messaging 2018-06-26 02:00:00.000000000 +0200 @@ -28,6 +28,7 @@ # DOVECOT_RUNNING=0 EXIM_RUNNING=0 + EXIM_TYPE="" IMAP_DAEMON="" OPENSMTPD_RUNNING=0 POP3_DAEMON="" 
@@ -58,6 +59,114 @@ # ################################################################################# # + # Test : MAIL-8804 + # Description : Exim configuration options + if [ ${EXIM_RUNNING} -eq 1 -a ! "${EXIMBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no MAIL-8803 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Exim configuration options" + if [ ${SKIPTEST} -eq 0 -a ${EXIM_RUNNING} -eq 1 ]; then + LogText "Test: Exim configuration options" + + EXIM_ROUTERS=$(exim -bP router_list) + + unset FIND FIND2 FIND3 FIND4 + + # Local Only + FIND=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^nonlocal') + # Internet Host + FIND2=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^dnslookup_relay_to_domains') + # Smarthost or Satellite + FIND3=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^smarthost') + + if [ ! -z "${FIND}" ]; then + EXIM_TYPE="LOCAL ONLY" + elif [ ! -z "${FIND2}" ]; then + EXIM_TYPE="INTERNET HOST" + elif [ ! -z "${FIND3}" ]; then + FIND4=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^hub_user_smarthost') + if [ ! -z "${FIND4}" ]; then + EXIM_TYPE="SATELLITE" + else + EXIM_TYPE="SMARTHOST" + fi + fi + + if [ ! -z "${EXIM_TYPE}" ]; then + LogText "Result: Exim Type - ${EXIM_TYPE}" + Display --indent 4 --text "- Type" --result "${EXIM_TYPE}" --color GREEN + else + LogText "Result: Exim Type - Not Configured" + Display --indent 4 --text "- Type" --result "Not Configured" --color WHITE + fi + + if [ "${EXIM_TYPE}" = "INTERNET HOST" -o "${EXIM_TYPE}" = "SMARTHOST" ]; then + LogText "Test: Exim Public Interfaces" + EXIM_IP=$(exim -bP local_interfaces | cut -d '=' -f2 | sed -e 's/\s*<\s*\;\?//' -e 's/\s*::0\s*\;\?//' -e 's/\s*127.0.0.1\s*\;\?//' -e 's/^\s*//' -e 's/\s*$//') + if [ ! 
-z "${EXIM_IP}" ]; then + LogText "Result: ${EXIM_IP}" + Display --indent 4 --text "- Public Interface(s)" --result "${EXIM_IP}" --color GREEN + else + LogText "Result: None" + Display --indent 4 --text "- Public Interface(s)" --result "NONE" --color WHITE + fi + + LogText "Test: Exim TLS State" + EXIM_TLS=$(exim -bP tls_advertise_hosts | cut -d '=' -f2 | sed -e 's/^\s*//' -e 's/\s*$//') + if [ ! -z "${EXIM_TLS}" ]; then + LogText "Result: Enabled" + Display --indent 4 --text "- TLS" --result "ENABLED" --color GREEN + else + LogText "Result: Not enabled" + Display --indent 4 --text "- TLS" --result "NOT ENABLED" --color WHITE + fi + fi + + if [ ! -z "${EXIM_TYPE}" -a "${EXIM_TYPE}" != "LOCAL ONLY" ]; then + LogText "Test: Exim Certificate and Private Key" + + case "${EXIM_TYPE}" in + "INTERNET HOST" | "SMARTHOST" ) + EXIM_CERTIFICATE=$(exim -bP tls_certificate | cut -d '=' -f2 | sed -e 's/^\s*//' -e 's/\s*$//') + EXIM_PRIVATEKEY=$(exim -bP tls_privatekey | cut -d '=' -f2 | sed -e 's/^\s*//' -e 's/\s*$//') + ;; + "SATELLITE" ) + EXIM_CERTIFICATE=$(exim -bP transport remote_smtp_smarthost | grep tls_certificate | cut -d '=' -f2 | sed -e 's/^\s*//' -e 's/\s*$//') + EXIM_PRIVATEKEY=$(exim -bP transport remote_smtp_smarthost | grep tls_privatekey | cut -d '=' -f2 | sed -e 's/^\s*//' -e 's/\s*$//') + ;; + esac + + if [ ! -z "${EXIM_CERTIFICATE}" ]; then + LogText "Result: ${EXIM_CERTIFICATE}" + if [ -f "${EXIM_CERTIFICATE}" ]; then + Display --indent 4 --text "- Certificate" --result "${STATUS_FOUND}" --color GREEN + LogText "Result: Certificate found." + else + Display --indent 4 --text "- Certificate" --result "${STATUS_NOT_FOUND}" --color YELLOW + LogText "Result: Certificate not found." + fi + else + LogText "Result: Certificate not set." + Display --indent 4 --text "- Certificate not set" --result "${STATUS_WARNING}" --color WHITE + fi + + if [ ! 
-z "${EXIM_PRIVATEKEY}" ]; then + LogText "Result: ${EXIM_PRIVATEKEY}" + if [ -f "${EXIM_PRIVATEKEY}" ]; then + LogText "Result: Private Key found." + Display --indent 4 --text "- Private Key" --result "${STATUS_FOUND}" --color GREEN + else + Display --indent 4 --text "- Private Key" --result "${STATUS_NOT_FOUND}" --color YELLOW + LogText "Result: Private Key not found." + fi + else + LogText "Result: Private Key not set." + Display --indent 4 --text "- Private Key not set" --result "${STATUS_WARNING}" --color WHITE + fi + fi + fi + +# +################################################################################# +# # Test : MAIL-8814 # Description : Check Postfix process # Notes : qmgr and pickup run under postfix uid, without full path to binary diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_nameservices new/lynis/include/tests_nameservices --- old/lynis/include/tests_nameservices 2018-01-26 01:00:00.000000000 +0100 +++ new/lynis/include/tests_nameservices 2018-06-26 02:00:00.000000000 +0200 @@ -476,7 +476,7 @@ # ################################################################################# # - # Test : NAME-4302 + # Test : NAME-4304 # Description : Check NIS ypbind daemon status Register --test-no NAME-4304 --weight L --network NO --category security --description "Check NIS ypbind status" if [ ${SKIPTEST} -eq 0 ]; then 
@@ -573,19 +573,19 @@ if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: check duplicate line in ${ROOTDIR}etc/hosts" if [ -f ${ROOTDIR}etc/hosts ]; then - sFIND=$(${EGREPBINARY} -v '^(#|$)' ${ROOTDIR}etc/hosts | ${AWKBINARY} '{ print $1, $2 }' | ${SORTBINARY} | ${UNIQBINARY} -d) - if [ "${sFIND}" = "" ]; then + OUTPUT=$(${AWKBINARY} '{ print $1, $2 }' ${ROOTDIR}etc/hosts | ${EGREPBINARY} -v '^(#|$)' | ${EGREPBINARY} "[a-f0-9]" | ${SORTBINARY} | ${UNIQBINARY} -d) + if [ -z "${OUTPUT}" ]; then LogText "Result: OK, no duplicate lines found" Display --indent 4 --text "- Checking ${ROOTDIR}etc/hosts (duplicates)" --result "${STATUS_OK}" --color GREEN else - LogText "Found duplicate line: ${sFIND}" + LogText "Found duplicate line: ${OUTPUT}" LogText "Result: found duplicate line" Display --indent 4 --text "- Checking ${ROOTDIR}etc/hosts (duplicates)" --result "${STATUS_SUGGESTION}" --color YELLOW ReportSuggestion "${TEST_NO}" "Remove duplicate lines in ${ROOTDIR}etc/hosts" fi else - LogText "Result: ${ROOTDIR}etc/hosts not found, test skipped" - Display --indent 4 --text "Searching duplicate line" --result "${STATUS_SKIPPED}" --color YELLOW + LogText "Result: ${ROOTDIR}etc/hosts not found, test skipped" + Display --indent 4 --text "Searching duplicate line" --result "${STATUS_SKIPPED}" --color YELLOW fi fi # diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_networking new/lynis/include/tests_networking --- old/lynis/include/tests_networking 2018-01-26 01:00:00.000000000 +0100 +++ new/lynis/include/tests_networking 2018-06-26 02:00:00.000000000 +0200 
@@ -131,13 +131,13 @@ LogText "Found nameserver: ${I}" Report "nameserver[]=${I}" # Check if a local resolver is available (like DNSMasq) - if [ "${I}" = "::1" -o "${I}" = "127.0.0.1" -o "${I}" = "127.0.1.1" -o "${I}" = "0.0.0.0" ]; then + if [ "${I}" = "::1" -o "${I}" = "127.0.0.1" -o "${I}" = "127.0.0.53" -o "${I}" = "127.0.1.1" -o "${I}" = "0.0.0.0" ]; then LOCAL_DNSRESOLVER_FOUND=1 fi if [ ! -z "${DIGBINARY}" ]; then # See if we can query something at the nameserver # 0=good, other=bad - DNSRESPONSE=$(${DIGBINARY} +noall +time=3 +retry=0 @${I} ${I} > /dev/null ; echo $?) + DNSRESPONSE=$(${DIGBINARY} +noall +time=3 +retry=0 @${I} ${FQDN} > /dev/null ; echo $?) if [ "${DNSRESPONSE}" = "0" ]; then Display --indent 8 --text "Nameserver: ${I}" --result "${STATUS_OK}" --color GREEN LogText "Nameserver ${I} seems to respond to queries from this host." @@ -163,7 +163,7 @@ # # Test : NETW-2705 # Description : Basic nameserver configuration tests (connectivity) - if [ ${LOCAL_DNSRESOLVER_FOUND} -eq 0 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ ${LOCAL_DNSRESOLVER_FOUND} -eq 0 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no NETW-2705 --preqs-met ${PREQS_MET} --weight L --network YES --category security --description "Check availability two nameservers" if [ ${SKIPTEST} -eq 0 ]; then SKIP=0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_php new/lynis/include/tests_php --- old/lynis/include/tests_php 2018-01-26 01:00:00.000000000 +0100 +++ new/lynis/include/tests_php 2018-06-26 02:00:00.000000000 +0200 
@@ -42,6 +42,8 @@ ${ROOTDIR}etc/php5/apache2/php.ini \ ${ROOTDIR}etc/php5/fpm/php.ini \ ${ROOTDIR}private/etc/php.ini \ + ${ROOTDIR}etc/php/7.2/cli/php.ini ${ROOTDIR}etc/php/7.2/fpm/php.ini \ + ${ROOTDIR}etc/php/7.1/cli/php.ini ${ROOTDIR}etc/php/7.1/fpm/php.ini \ ${ROOTDIR}etc/php/7.0/cli/php.ini ${ROOTDIR}etc/php/7.0/fpm/php.ini \ ${ROOTDIR}var/www/conf/php.ini \ ${ROOTDIR}usr/local/etc/php.ini ${ROOTDIR}usr/local/lib/php.ini \ @@ -65,7 +67,11 @@ ${ROOTDIR}opt/alt/php55/etc/php.ini \ ${ROOTDIR}opt/alt/php56/etc/php.ini \ ${ROOTDIR}opt/alt/php70/etc/php.ini \ - ${ROOTDIR}opt/alt/php71/etc/php.ini" + ${ROOTDIR}opt/alt/php71/etc/php.ini \ + ${ROOTDIR}etc/opt/remi/php56/php.ini \ + ${ROOTDIR}etc/opt/remi/php70/php.ini \ + ${ROOTDIR}etc/opt/remi/php71/php.ini \ + ${ROOTDIR}etc/opt/remi/php72/php.ini" PHPINIDIRS="${ROOTDIR}etc/php5/conf.d \ ${ROOTDIR}etc/php/7.0/cli/conf.d \ 
@@ -307,79 +313,80 @@ # ################################################################################# # + # - test disabled for time being, as newer suhosin7 work is not stable enough - # Test : PHP-2379 # Description : Check PHP suhosin extension status - if [ ! -z "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no PHP-2379 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP suhosin extension status" + #if [ ! -z "${PHPINI_ALLFILES}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + #Register --test-no PHP-2379 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check PHP suhosin extension status" - if [ ${SKIPTEST} -eq 0 ]; then - FOUND=0 - SIMULATION=0 - MAJOR_VERSION=$(echo ${PHPVERSION} | ${EGREPBINARY} "^7") - if [ "${OS}" = "OpenBSD" ]; then - FOUND=1 # On OpenBSD, Suhosin is hard linked into PHP - SIMULATION=off - else - for I in ${PHPINI_ALLFILES}; do - LogText "Test: Checking for PHP suhosin extension status in file ${I}" - FIND=$(${GREPBINARY} -oP '^extension=.*?suhosin7?.so.*$' ${I}) - if [ -z "${FIND}" ]; then - LogText "Result: ${I}: suhosin is not enabled" - else - LogText "Result: ${I}: suhosin is enabled" - FOUND=1 - fi + #if [ ${SKIPTEST} -eq 0 ]; then + # FOUND=0 + # SIMULATION=0 + # MAJOR_VERSION=$(echo ${PHPVERSION} | ${EGREPBINARY} "^7") + # if [ "${OS}" = "OpenBSD" ]; then + # FOUND=1 # On OpenBSD, Suhosin is hard linked into PHP + # SIMULATION=off + # else + # for I in ${PHPINI_ALLFILES}; do + # LogText "Test: Checking for PHP suhosin extension status in file ${I}" + # FIND=$(${GREPBINARY} -oP '^extension=.*?suhosin7?.so.*$' ${I}) + # if [ -z "${FIND}" ]; then + # LogText "Result: ${I}: suhosin is not enabled" + # else + # LogText "Result: ${I}: suhosin is enabled" + # FOUND=1 + # fi - LogText "Test: Check Suhosin simulation mode status" - SIMULATION=$(${GREPBINARY} -oP '^suhosin.simulation.*$' ${I} | ${CUTBINARY} -d= -f2 | 
${GREPBINARY} -io 'off' | ${TRBINARY} '[:upper:]' '[:lower:]') - if [ "${SIMULATION}" = "off" ]; then - LogText "Result: ${I}: suhosin simulation mode is not active" - else - LogText "Result: ${I}: suhosin simulation mode is active" - fi - done - fi + # LogText "Test: Check Suhosin simulation mode status" + # SIMULATION=$(${GREPBINARY} -oP '^suhosin.simulation.*$' ${I} | ${CUTBINARY} -d= -f2 | ${GREPBINARY} -io 'off' | ${TRBINARY} '[:upper:]' '[:lower:]') + # if [ "${SIMULATION}" = "off" ]; then + # LogText "Result: ${I}: suhosin simulation mode is not active" + # else + # LogText "Result: ${I}: suhosin simulation mode is active" + # fi + # done + # fi - # Check Suhosin for PHP 7 - if [ ! -z "${MAJOR_VERSION}" -a ${FOUND} -eq 1 ]; then - LogText "Test: Check Suhosin for PHP 7 is not enabled" - LogText "Result: Suhosin for PHP 7 is in alpha stage and should not be used in production" - ReportSuggestion ${TEST_NO} "Disable Suhosin for PHP 7" - Display --indent 4 --text "- Checking PHP suhosin extension status" --result "${STATUS_WARNING}" --color RED - Display --indent 6 --text "- Suhosin is enabled for PHP 7" --result "${STATUS_WARNING}" --color RED - AddHP 0 1 - elif [ ! 
-z "${MAJOR_VERSION}" -a ${FOUND} -eq 0 ]; then - LogText "Test: Check Suhosin for PHP 7 is not enabled" - LogText "Result: Suhosin for PHP 7 is not enabled" - Display --indent 4 --text "- Checking PHP suhosin extension status" --result "${STATUS_OK}" --color GREEN - Display --indent 6 --text "- Suhosin is not enabled for PHP 7" --result "${STATUS_OK}" --color GREEN - AddHP 1 1 - else - if [ ${FOUND} -eq 0 ]; then - LogText "Result: Suhosin extension is not enabled" - Display --indent 4 --text "- Checking PHP suhosin extension status" --result "${STATUS_WARNING}" --color RED - ReportSuggestion ${TEST_NO} "Harden PHP by enabling suhosin extension" - LogText "suhosin extension is not enabled" - AddHP 0 1 - else - LogText "Result: Suhosin extension is enabled" - Display --indent 4 --text "- Checking PHP suhosin extension status" --result "${STATUS_OK}" --color GREEN - AddHP 2 2 - fi + # # Check Suhosin for PHP 7 + # if [ ! -z "${MAJOR_VERSION}" -a ${FOUND} -eq 1 ]; then + # LogText "Test: Check Suhosin for PHP 7 is not enabled" + # LogText "Result: Suhosin for PHP 7 is in alpha stage and should not be used in production" + # ReportSuggestion ${TEST_NO} "Disable Suhosin for PHP 7" + # Display --indent 4 --text "- Checking PHP suhosin extension status" --result "${STATUS_WARNING}" --color RED + # Display --indent 6 --text "- Suhosin is enabled for PHP 7" --result "${STATUS_WARNING}" --color RED + # AddHP 0 1 + # elif [ ! 
-z "${MAJOR_VERSION}" -a ${FOUND} -eq 0 ]; then + # LogText "Test: Check Suhosin for PHP 7 is not enabled" + # LogText "Result: Suhosin for PHP 7 is not enabled" + # Display --indent 4 --text "- Checking PHP suhosin extension status" --result "${STATUS_OK}" --color GREEN + # Display --indent 6 --text "- Suhosin is not enabled for PHP 7" --result "${STATUS_OK}" --color GREEN + # AddHP 1 1 + # else + # if [ ${FOUND} -eq 0 ]; then + # LogText "Result: Suhosin extension is not enabled" + # Display --indent 4 --text "- Checking PHP suhosin extension status" --result "${STATUS_WARNING}" --color RED + # ReportSuggestion ${TEST_NO} "Harden PHP by enabling suhosin extension" + # LogText "suhosin extension is not enabled" + # AddHP 0 1 + # else + # LogText "Result: Suhosin extension is enabled" + # Display --indent 4 --text "- Checking PHP suhosin extension status" --result "${STATUS_OK}" --color GREEN + # AddHP 2 2 + # fi - if [ "${SIMULATION}" = "off" ]; then - LogText "Result: Suhosin simulation mode is not active" - Display --indent 6 --text "- Suhosin simulation mode status" --result "${STATUS_OK}" --color GREEN - AddHP 2 2 - else - LogText "Result: Suhosin simulation mode is active" - Display --indent 6 --text "- Suhosin simulation mode status" --result "${STATUS_WARNING}" --color RED - ReportSuggestion ${TEST_NO} "Harden PHP by deactivating suhosin simulation mode" - LogText "suhosin simulation mode is active" - AddHP 0 1 - fi - fi - fi + # if [ "${SIMULATION}" = "off" ]; then + # LogText "Result: Suhosin simulation mode is not active" + # Display --indent 6 --text "- Suhosin simulation mode status" --result "${STATUS_OK}" --color GREEN + # AddHP 2 2 + # else + # LogText "Result: Suhosin simulation mode is active" + # Display --indent 6 --text "- Suhosin simulation mode status" --result "${STATUS_WARNING}" --color RED + # ReportSuggestion ${TEST_NO} "Harden PHP by deactivating suhosin simulation mode" + # LogText "suhosin simulation mode is active" + # AddHP 0 1 + # 
fi + # fi + #fi # ################################################################################# # diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_ports_packages new/lynis/include/tests_ports_packages --- old/lynis/include/tests_ports_packages 2018-01-26 01:00:00.000000000 +0100 +++ new/lynis/include/tests_ports_packages 2018-06-26 02:00:00.000000000 +0200 @@ -826,11 +826,12 @@ if [ ! -z "${YUMBINARY}" -a -z "${DNFBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PKGS-7384 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --category security --description "Check for YUM utils package" if [ ${SKIPTEST} -eq 0 ]; then - if [ -x ${ROOTDIR}usr/bin/package-cleanup ]; then - LogText "Result: found YUM utils package (${ROOTDIR}usr/bin/package-cleanup)" + # package-cleanup tool can be found in different locations + if [ -x ${ROOTDIR}bin/package-cleanup -o -x ${ROOTDIR}usr/bin/package-cleanup ]; then + LogText "Result: found YUM utils package (package-cleanup)" # Check for duplicates LogText "Test: Checking for duplicate packages" - FIND=$(${ROOTDIR}usr/bin/package-cleanup -q --dupes > /dev/null; echo $?) + FIND=$(package-cleanup -q --dupes > /dev/null; echo $?) if [ "${FIND}" = "0" ]; then LogText "Result: No duplicate packages found" Display --indent 2 --text "- Checking package database duplicates" --result "${STATUS_OK}" --color GREEN 
@@ -843,7 +844,7 @@ # Check for package database problems LogText "Test: Checking for database problems" - FIND=$(${ROOTDIR}usr/bin/package-cleanup --problems > /dev/null; echo $?) + FIND=$(package-cleanup --problems > /dev/null; echo $?) if [ "${FIND}" = "0" ]; then LogText "Result: No package database problems found" Display --indent 2 --text "- Checking package database for problems" --result "${STATUS_OK}" --color GREEN diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_printers_spools new/lynis/include/tests_printers_spools --- old/lynis/include/tests_printers_spools 2018-01-26 01:00:00.000000000 +0100 +++ new/lynis/include/tests_printers_spools 2018-06-26 02:00:00.000000000 +0200 @@ -202,7 +202,7 @@ # ################################################################################# # - # Test : PRNT-2416 + # Test : PRNT-2316 # Description : Check /etc/qconfig file Register --test-no PRNT-2316 --os AIX --weight L --network NO --category security --description "Checking /etc/qconfig file" if [ ${SKIPTEST} -eq 0 ]; then diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_squid new/lynis/include/tests_squid --- old/lynis/include/tests_squid 2018-01-26 01:00:00.000000000 +0100 +++ new/lynis/include/tests_squid 2018-06-26 02:00:00.000000000 +0200 
@@ -302,7 +302,7 @@ # Test : SQD-3680 # Description : Check httpd_suppress_version_string if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no SQD-3680 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid version suppresion" + Register --test-no SQD-3680 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid version suppression" if [ ${SKIPTEST} -eq 0 ]; then FIND=$(${GREPBINARY} "^httpd_suppress_version_string " ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} " on") if [ -z "${FIND}" ]; then diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_ssh new/lynis/include/tests_ssh --- old/lynis/include/tests_ssh 2018-01-26 01:00:00.000000000 +0100 +++ new/lynis/include/tests_ssh 2018-06-26 02:00:00.000000000 +0200 @@ -46,7 +46,8 @@ # Store settings in a temporary file CreateTempFile SSH_DAEMON_OPTIONS_FILE="${TEMP_FILE}" - ${SSHDBINARY} -T 2> /dev/null > ${SSH_DAEMON_OPTIONS_FILE} + # Use a non-existing user, to ensure that systems that have a Match block configured, will be evaluated as well + ${SSHDBINARY} -T -C user=doesnotexist,host=none,addr=none 2> /dev/null > ${SSH_DAEMON_OPTIONS_FILE} else Display --indent 2 --text "- Checking running SSH daemon" --result "${STATUS_NOT_FOUND}" --color WHITE fi @@ -110,7 +111,7 @@ SSHOPS="AllowTcpForwarding:NO,LOCAL,YES:=\ ClientAliveCountMax:2,4,16:<\ ClientAliveInterval:300,600,900:<\ - Compression:(DELAYED|NO),,YES:=\ + Compression:NO,,YES:=\ FingerprintHash:SHA256,MD5,:=\ GatewayPorts:NO,,YES:=\ IgnoreRhosts:YES,,NO:=\ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_time new/lynis/include/tests_time --- old/lynis/include/tests_time 2018-01-26 01:00:00.000000000 +0100 +++ new/lynis/include/tests_time 2018-06-26 02:00:00.000000000 +0200 
@@ -360,10 +360,10 @@ FIND=$(${NTPQBINARY} -p -n | ${EGREPBINARY} '^x') if [ -z "${FIND}" ]; then Display --indent 2 --text "- Checking falsetickers" --result "${STATUS_OK}" --color GREEN - LogText "Result: No falsetickers found (items preceeding with an 'x')" + LogText "Result: No falsetickers found (items preceding with an 'x')" else Display --indent 2 --text "- Checking falsetickers" --result "${STATUS_NONE}" --color YELLOW - LogText "Result: Found one or more falsetickers (items preceeding with an 'x')" + LogText "Result: Found one or more falsetickers (items preceding with an 'x')" for I in ${FIND}; do I=$(echo ${I} | ${SEDBINARY} 's/x//g') LogText "Falseticker found: ${I}" 
@@ -422,44 +422,47 @@ # Test : TIME-3160 # Description : Check empty NTP step-tickers # Notes : Mostly applies to Red Hat and clones - if [ "${NTPD_RUNNING}" -eq 1 -a ! -z "${NTPQBINARY}" -a ! -z "${CHKCONFIGBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + FILE="${ROOTDIR}etc/ntp/step-tickers" + if [ "${NTPD_RUNNING}" -eq 1 -a ! -z "${NTPQBINARY}" -a -f "${FILE}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no TIME-3160 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check empty NTP step-tickers" if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 - FILE="/etc/ntp/step-tickers" - if [ -f ${FILE} ]; then - if [ ! -s "${FILE}" ]; then + OUTPUT=$(${AWKBINARY} '/^[a-z0-9]/ { print $1 }' ${FILE}) + if [ -z "${OUTPUT}" ]; then + if [ ${OS_REDHAT_OR_CLONE} -eq 1 -a -f "${FILE}" ]; then + # On RedHat if step-ticker file exists but is empty, the ntpdate start script uses the servers listed in ntp.conf for the initial time synchronization + LogText "Result: ${FILE} exists and it is empty. On RedHat the initial time synchronization will be done with the servers listed in ntp.conf." + Display --indent 2 --text "- Checking NTP step-tickers file" --result "${STATUS_OK}" --color GREEN + else LogText "Result: ${FILE} is empty. 
The step-tickers contain no configured NTP servers" Display --indent 2 --text "- Checking NTP step-tickers file" --result "EMPTY FILE" --color YELLOW ReportSuggestion ${TEST_NO} "Use step-tickers file for quicker time synchronization" - else - LogText "Result: /etc/ntp/step-tickers is not empty, which is fine" - Display --indent 2 --text "- Checking NTP step-tickers file" --result "${STATUS_OK}" --color GREEN - sFIND=$(${AWKBINARY} '/^server/ { print $2 }' /etc/ntp.conf | ${GREPBINARY} -v '127.127.1.0') - for I in ${sFIND}; do - FIND=$(${GREPBINARY} ^${I} ${FILE} | wc -l) - if [ ${FIND} -gt 0 ]; then - LogText "Result: $I exist in ${FILE}" - else - LogText "Result: ${I} does NOT exist in ${FILE}" - FOUND=1 - fi - done - if [ ${FOUND} -eq 1 ]; then - Display --indent 4 --text "- Checking step-tickers ntp servers entries" --result "SOME MISSING" --color YELLOW - ReportSuggestion ${TEST_NO} "Some time servers missing in step-tickers file" - AddHP 3 4 + fi + else + LogText "Result: ${FILE} is not empty, which is fine" + Display --indent 2 --text "- Checking NTP step-tickers file" --result "${STATUS_OK}" --color GREEN + sFIND=$(${AWKBINARY} '/^[a-z0-9]/ { print $1 }' ${FILE} | ${EGREPBINARY} -v "^127." 
| ${EGREPBINARY} -v "^::1") + for I in ${sFIND}; do + FIND=$(${GREPBINARY} ^${I} ${FILE} | wc -l) + if [ ${FIND} -gt 0 ]; then + LogText "Result: $I exist in ${FILE}" else - Display --indent 4 --text "- Checking step-tickers ntp servers entries" --result "${STATUS_OK}" --color GREEN - LogText "Result: all time servers are in step-tickers file" - AddHP 4 4 + LogText "Result: ${I} does NOT exist in ${FILE}" + FOUND=1 fi + done + if [ ${FOUND} -eq 1 ]; then + Display --indent 4 --text "- Checking step-tickers ntp servers entries" --result "SOME MISSING" --color YELLOW + ReportSuggestion ${TEST_NO} "Some time servers missing in step-tickers file" + AddHP 3 4 + else + Display --indent 4 --text "- Checking step-tickers ntp servers entries" --result "${STATUS_OK}" --color GREEN + LogText "Result: all time servers are in step-tickers file" + AddHP 4 4 fi - LogText "Information: step-tickers is used by ntpdate where as ntp.conf is the configuration file for the ntpd daemon. ntpdate is initially run to set the clock before ntpd to make sure time is within 1000 sec." - LogText "Risk: ntp will not run at boot if the time difference between the server and client by more then 1000 sec." - else - LogText "Result: test skipped because ${FILE} not found" fi + LogText "Information: step-tickers is used by ntpdate where as ntp.conf is the configuration file for the ntpd daemon. ntpdate is initially run to set the clock before ntpd to make sure time is within 1000 sec." + LogText "Risk: ntp will not run at boot if the time difference between the server and client by more then 1000 sec." fi # ################################################################################# diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/lynis new/lynis/lynis --- old/lynis/lynis 2018-01-26 01:00:00.000000000 +0100 +++ new/lynis/lynis 2018-06-26 02:00:00.000000000 +0200 
@@ -35,10 +35,10 @@ PROGRAM_AUTHOR_CONTACT="lynis-...@cisofy.com" # Version details - PROGRAM_RELEASE_DATE="2018-01-26" - PROGRAM_RELEASE_TIMESTAMP=1516968325 + PROGRAM_RELEASE_DATE="2018-06-26" + PROGRAM_RELEASE_TIMESTAMP=1530018697 PROGRAM_RELEASE_TYPE="final" # dev or final - PROGRAM_VERSION="2.6.1" + PROGRAM_VERSION="2.6.5" # Source, documentation and license PROGRAM_SOURCE="https://github.com/CISOfy/lynis" @@ -130,7 +130,7 @@ else MYID=$(id -u 2> /dev/null) fi - if [ -z "${MYID}" ]; then Display "Could not find user ID with id command. Want to help improving Lynis? Raise a ticket at ${PROGRAM_SOURCE}"; ExitFatal; fi + if [ -z "${MYID}" ]; then Display "Could not find user ID with id command. Want to help improve Lynis? Raise a ticket at ${PROGRAM_SOURCE}"; ExitFatal; fi # ################################################################################# # @@ -333,9 +333,9 @@ ${WARNING}Warning${NORMAL}: ${WHITE}PID file exists, probably another Lynis process is running.${NORMAL} ------------------------------------------------------------------------------ -If you are unsure another Lynis process is running currently, you are advised -to stop current process and check the process list first. If you cancelled -(by using CTRL+C) a previous instance, you can ignore this message. +If you are unsure if another Lynis process is running currently, you are advised +to stop the current process and check the process list first. If you cancelled +a previous instance (by using CTRL+C), you can ignore this message. You are advised to check for temporary files after program completion. ------------------------------------------------------------------------------ @@ -348,7 +348,7 @@ echo "Quitting, to prevent multiple cron jobs running at the same time" exit 1 # Manually exit, no cleanups to prevent deleting an active PID file else - wait_for_keypress + WaitForKeyPress fi # Deleting any stale PID files that might exist. Note: Display function does not work yet at this point 
@@ -416,7 +416,7 @@ ${GRAY}--version (-V)${NORMAL} : Display version number and quit ${WHITE}Enterprise options${NORMAL} - ${GRAY}--plugin-dir ${BROWN}\"<path>\"${NORMAL} : Define path of available plugins + ${GRAY}--plugindir ${BROWN}<path>${NORMAL} : Define path of available plugins ${GRAY}--upload${NORMAL} : Upload data to central node More options available. Run '$0 show options', or use the man page. @@ -555,7 +555,7 @@ Display --indent 2 --text "- Detecting language and localization" --result "${LANGUAGE}" --color WHITE if [ ! -f ${DBDIR}/languages/${LANGUAGE} ]; then Display --indent 4 --text "${YELLOW}Notice:${NORMAL} no language file found for '${LANGUAGE}' (tried: ${DBDIR}/languages/${LANGUAGE})" - if IsDeveloperVersion; then Display --indent 4 --text "See https://github.com/CISOfy/lynis-sdk/documentation/10-translations.md for more details to help translating Lynis"; fi + if IsDeveloperVersion; then Display --indent 4 --text "See https://github.com/CISOfy/lynis-sdk/documentation/10-translations.md for more details to help translate Lynis"; fi sleep 5 else LogText "Importing language file (${DBDIR}/languages/${LANGUAGE})" 
@@ -925,7 +925,7 @@ LogText "Info: perform tests from all categories" INCLUDE_TESTS="boot_services kernel memory_processes authentication shells \ - filesystems usb storage storage_nfs nameservices ports_packages networking printers_spools \ + filesystems usb storage storage_nfs nameservices dns ports_packages networking printers_spools \ mail_messaging firewalls webservers ssh snmp databases ldap php squid logging \ insecure_services banners scheduling accounting time crypto virtualization containers \ mac_frameworks file_integrity tooling malware file_permissions homedirs \ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/plugins/custom_plugin.template new/lynis/plugins/custom_plugin.template --- old/lynis/plugins/custom_plugin.template 2018-01-26 01:00:00.000000000 +0100 +++ new/lynis/plugins/custom_plugin.template 2018-06-26 02:00:00.000000000 +0200 @@ -80,6 +80,6 @@ # # Wait for keypress (unless --quick is being used) -wait_for_keypress +WaitForKeyPress #EOF
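Review bot: in the tests_ssh hunk at @@ -46, the new `${SSHDBINARY} -T -C user=doesnotexist,host=none,addr=none` line still discards stderr and never checks the exit status, so on an sshd build that does not accept the -C connection spec the options file is silently left empty and every SSH setting test that reads it runs against no data. Suggest checking the exit status (or `-s "${SSH_DAEMON_OPTIONS_FILE}"`) and logging a notice when extended test mode fails instead of reporting settings as absent. The added comment also has a stray comma ("configured, will be evaluated"); "systems that have a Match block configured are evaluated as well" reads correctly.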
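Review bot: in the tests_ssh hunk at @@ -111, dropping DELAYED from `Compression:NO,,YES:=` means an sshd whose -T output still reports `compression delayed` matches neither the expected value nor the bad value, and the medium slot between the two commas is now empty. Check how the SSHOPS comparison treats a reported value that appears in none of the three slots, and consider keeping DELAYED as the medium value (`Compression:NO,DELAYED,YES:=`) so those versions score consistently rather than falling through.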
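Review bot: in the tests_time hunk at @@ -360, the corrected log text "items preceding with an 'x'" is still ungrammatical; the test greps `^x` in the ntpq -p output, i.e. entries that start with an x, so "items preceded by an 'x'" or "entries prefixed with an 'x'" would state what is actually matched.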
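Review bot: in the tests_time hunk at @@ -422, the "SOME MISSING" branch can no longer trigger: `sFIND` is now extracted from `${FILE}` itself (`${AWKBINARY} '/^[a-z0-9]/ { print $1 }' ${FILE}`) and each entry is then grepped back in that same `${FILE}`, so `FIND` is always greater than 0, `FOUND` never becomes 1, and the AddHP 3 4 path is dead code. The removed code compared the `server` lines of ntp.conf against step-tickers; if that comparison is still intended, read sFIND from `${ROOTDIR}etc/ntp.conf` (keeping the 127. and ::1 filtering), otherwise drop the loop and the "Some time servers missing" suggestion. Two smaller points: `${OS_REDHAT_OR_CLONE}` is used unquoted in `[ ${OS_REDHAT_OR_CLONE} -eq 1 -a -f "${FILE}" ]`, so an unset variable makes `[` fail with a syntax error (quote it as NTPD_RUNNING is, and the `-f "${FILE}"` there is redundant since PREQS_MET already requires the file to exist); and the moved LogText lines read "where as" and "more then", which should be "whereas" and "more than". The `^[a-z0-9]` pattern also skips server names that start with an uppercase letter.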
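Review bot: in the lynis hunk at @@ -416, the help text changes the advertised option from `--plugin-dir "<path>"` to `--plugindir <path>`, but the argument parser is not part of this diff; confirm that the parser accepts `--plugindir` (ideally both spellings, so existing scripts and cron invocations using `--plugin-dir` keep working), otherwise the help now documents an option that is rejected.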
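Review bot: in the lynis hunk at @@ -925, `dns` is added to INCLUDE_TESTS but no matching include file (the other entries correspond to files such as include/tests_ssh and include/tests_time) appears in the part of the diff shown here; confirm the dns include is shipped in the tarball, since a full run will otherwise try to source a category file that does not exist.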
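Review bot: in the custom_plugin.template hunk at @@ -80 (and the matching call change in lynis at @@ -348), renaming wait_for_keypress to WaitForKeyPress breaks any third-party custom plugin generated from the old template that still calls wait_for_keypress, because the function is resolved at run time and the old name no longer exists. Suggest keeping `wait_for_keypress() { WaitForKeyPress; }` as a deprecated alias for one release cycle, with a LogText deprecation notice, so existing plugins keep running while they are migrated.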