Hello community, here is the log from the commit of package lynis for openSUSE:Factory checked in at 2019-04-24 13:57:03 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/lynis (Old) and /work/SRC/openSUSE:Factory/.lynis.new.5536 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "lynis" Wed Apr 24 13:57:03 2019 rev:34 rq:697112 version:2.7.4 Changes: -------- --- /work/SRC/openSUSE:Factory/lynis/lynis.changes 2019-03-10 09:34:45.456185117 +0100 +++ /work/SRC/openSUSE:Factory/.lynis.new.5536/lynis.changes 2019-04-24 13:57:04.792000049 +0200 
@@ -1,0 +2,50 @@ +Tue Apr 23 07:24:21 UTC 2019 - Robert Frohl <[email protected]> + +- Update to 2.7.4 + Added + * FILE-6324 - Discover XFS mount points + * INSE-8000 - Installed inetd package + * INSE-8100 - Installed xinetd package + * INSE-8102 - Status of xinet daemon + * INSE-8104 - xinetd configuration file + * INSE-8106 - xinetd configuration for inactive daemon + * INSE-8200 - Usage of TCP wrappers + * INSE-8300 - Presence of rsh client + * INSE-8302 - Presence of rsh server + * Detect equery binary detection + * New 'generate' command + + Changed + * AUTH-9278 - Test LDAP in all PAM components on Red Hat and other systems + * PKGS-7410 - Add support for DPKG-based systems to gather installed kernel packages + * PKGS-7420 - Detect toolkit to automatically download and apply upgrades + * PKGS-7328 - Added global Zypper option --non-interactive + * PKGS-7386 - Only show warning when vulnerable packages were discovered + * PKGS-7392 - Skip test for Zypper-based systems + * Minor changes to improve text output, test descriptions, and logging + * Changed CentOS identifiers in end-of-life database + * AIX enhancement for IsRunning function + * Extended PackageIsInstalled function + * Improve text output on AIX systems + * Corrected lsvg binary detection + +------------------------------------------------------------------- +Thu Mar 21 12:11:32 UTC 2019 - Robert Frohl <[email protected]> + +- update to 2.7.3 + Added + * Detection for Lynis being scheduled (e.g. 
cronjob) + + Changed + * HTTP-6624 - Improved logging for test + * KRNL-5820 - Changed color for default fs.suid_dumpable value + * LOGG-2154 - Adjusted test to search in configuration file correctly + * NETW-3015 - Added support for ip binary + * SQD-3610 - Description of test changed + * SQD-3613 - Corrected description in code + * SSH-7408 - Increased values for MaxAuthRetries + * Improvements to allow tailored tool tips in future + * Corrected detection of blkid binary + * Minor textual changes and cleanups + +------------------------------------------------------------------- Old: ---- lynis-2.7.2.tar.gz lynis-2.7.2.tar.gz.asc New: ---- lynis-2.7.4.tar.gz lynis-2.7.4.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ lynis.spec ++++++ --- /var/tmp/diff_new_pack.b0qySC/_old 2019-04-24 13:57:05.535999583 +0200 +++ /var/tmp/diff_new_pack.b0qySC/_new 2019-04-24 13:57:05.539999581 +0200 @@ -23,12 +23,12 @@ %define _pluginsdir %{_datadir}/lynis/plugins %define _dbdir %{_datadir}/lynis/db Name: lynis -Version: 2.7.2 +Version: 2.7.4 Release: 0 Summary: Security and System auditing tool License: GPL-3.0-only Group: System/Monitoring -URL: https://cisofy.com/lynis/ +Url: https://cisofy.com/lynis/ Source0: https://cisofy.com/files/%{name}-%{version}.tar.gz Source2: tests_binary_rpath Source3: tests_file_permissionsDB ++++++ lynis-2.7.2.tar.gz -> lynis-2.7.4.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/CHANGELOG.md new/lynis/CHANGELOG.md --- old/lynis/CHANGELOG.md 2019-03-07 01:00:00.000000000 +0100 +++ new/lynis/CHANGELOG.md 2019-04-21 02:00:00.000000000 +0200 
@@ -1,5 +1,60 @@ # Lynis Changelog +## Lynis 2.7.4 (2019-04-21) + +This is a bigger release than usual, including several new tests created by +Capashenn (GitHub). It is a coincidence that it is released exactly one more +after the previous version and on Easter. No easter eggs, only improvements! + +### Added +- FILE-6324 - Discover XFS mount points +- INSE-8000 - Installed inetd package +- INSE-8100 - Installed xinetd package +- INSE-8102 - Status of xinet daemon +- INSE-8104 - xinetd configuration file +- INSE-8106 - xinetd configuration for inactive daemon +- INSE-8200 - Usage of TCP wrappers +- INSE-8300 - Presence of rsh client +- INSE-8302 - Presence of rsh server +- Detect equery binary detection +- New 'generate' command + +### Changed +- AUTH-9278 - Test LDAP in all PAM components on Red Hat and other systems +- PKGS-7410 - Add support for DPKG-based systems to gather installed kernel packages +- PKGS-7420 - Detect toolkit to automatically download and apply upgrades +- PKGS-7328 - Added global Zypper option --non-interactive +- PKGS-7330 - Added global Zypper option --non-interactive +- PKGS-7386 - Only show warning when vulnerable packages were discovered +- PKGS-7392 - Skip test for Zypper-based systems +- Minor changes to improve text output, test descriptions, and logging +- Changed CentOS identifiers in end-of-life database +- AIX enhancement for IsRunning function +- Extended PackageIsInstalled function +- Improve text output on AIX systems +- Corrected lsvg binary detection + +--------------------------------------------------------------------------------- + +## Lynis 2.7.3 (2019-03-21) + +### Added +- Detection for Lynis being scheduled (e.g. 
cronjob) + +### Changed +- HTTP-6624 - Improved logging for test +- KRNL-5820 - Changed color for default fs.suid_dumpable value +- LOGG-2154 - Adjusted test to search in configuration file correctly +- NETW-3015 - Added support for ip binary +- SQD-3610 - Description of test changed +- SQD-3613 - Corrected description in code +- SSH-7408 - Increased values for MaxAuthRetries +- Improvements to allow tailored tool tips in future +- Corrected detection of blkid binary +- Minor textual changes and cleanups + +--------------------------------------------------------------------------------- + ## Lynis 2.7.2 (2019-03-07) ### Added @@ -23,7 +78,6 @@ - PKGS-7388 - Improve detection for security archive - RPi/Raspian path to PAM_FILE_LOCATIONS - --------------------------------------------------------------------------------- ## Lynis 2.7.1 (2019-01-30) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/db/software-eol.db new/lynis/db/software-eol.db --- old/lynis/db/software-eol.db 2019-03-07 01:00:00.000000000 +0100 +++ new/lynis/db/software-eol.db 2019-04-21 02:00:00.000000000 +0200 @@ -11,9 +11,9 @@ # # CentOS # -os:CentOS 5:2017-03-31:1490911200: -os:CentOS 6:2020-11-30:1606690800: -os:CentOS 7:2024-06-30:1719698400: +os:CentOS Linux release 5:2017-03-31:1490911200: +os:CentOS Linux release 6:2020-11-30:1606690800: +os:CentOS Linux release 7:2024-06-30:1719698400: # # FreeBSD - https://www.freebsd.org/security/unsupported.html # diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/db/tests.db new/lynis/db/tests.db --- old/lynis/db/tests.db 2019-03-07 01:00:00.000000000 +0100 +++ new/lynis/db/tests.db 2019-04-21 02:00:00.000000000 +0200 
@@ -169,11 +169,17 @@ HTTP-6714:test:security:webservers::Check for missing error logs in nginx: HTTP-6716:test:security:webservers::Check for debug mode on error log in nginx: HTTP-6720:test:security:webservers::Check Nginx log files: -INSE-8002:test:security:insecure_services::Check for enabled inet daemon: -INSE-8004:test:security:insecure_services::Check for enabled inet daemon: -INSE-8006:test:security:insecure_services::Check configuration of inetd when disabled: +INSE-8000:test:security:insecure_services::Installed inetd package: +INSE-8002:test:security:insecure_services::Status of inet daemon: +INSE-8004:test:security:insecure_services::Presence of inetd configuration file: +INSE-8006:test:security:insecure_services::Check configuration of inetd when it is disabled: INSE-8016:test:security:insecure_services::Check for telnet via inetd: INSE-8050:test:security:insecure_services:MacOS:Check for insecure services on macOS systems: +INSE-8100:test:security:insecure_services::Installed xinetd package: +INSE-8116:test:security:insecure_services::Insecure services enabled via xinetd: +INSE-8200:test:security:insecure_services::Usage of TCP wrappers: +INSE-8300:test:security:insecure_services::Presence of rsh client: +INSE-8302:test:security:insecure_services::Presence of rsh server: KRNL-5622:test:security:kernel:Linux:Determine Linux default run level: KRNL-5677:test:security:kernel:Linux:Check CPU options and support: KRNL-5695:test:security:kernel:Linux:Determine Linux kernel version and release number: 
@@ -319,6 +325,7 @@ PKGS-7394:test:security:ports_packages:Linux:Check for Ubuntu updates: PKGS-7398:test:security:ports_packages::Check for package audit tool: PKGS-7410:test:security:ports_packages::Count installed kernel packages: +PKGS-7420:test:security:ports_packages::Detect toolkit to automatically download and apply upgrades: PRNT-2302:test:security:printers_spools:FreeBSD:Check for printcap consistency: PRNT-2304:test:security:printers_spools::Check cupsd status: PRNT-2306:test:security:printers_spools::Check CUPSd configuration file: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/binaries new/lynis/include/binaries --- old/lynis/include/binaries 2019-03-07 01:00:00.000000000 +0100 +++ new/lynis/include/binaries 2019-04-21 02:00:00.000000000 +0200 @@ -99,6 +99,7 @@ afick.pl) AFICKBINARY=${BINARY}; LogText " Found known binary: afick (file integrity checker) - ${BINARY}" ;; aide) AIDEBINARY=${BINARY}; LogText " Found known binary: aide (file integrity checker) - ${BINARY}" ;; apache2) HTTPDBINARY=${BINARY}; LogText " Found known binary: apache2 (web server) - ${BINARY}" ;; + apt) APTBINARY=${BINARY}; LogText " Found known binary: apt (package manager) - ${BINARY}" ;; arch-audit) ARCH_AUDIT_BINARY="${BINARY}"; LogText " Found known binary: arch-audit (auditing utility to test for vulnerable packages) - ${BINARY}" ;; auditd) AUDITDBINARY=${BINARY}; LogText " Found known binary: auditd (audit framework) - ${BINARY}" ;; awk) AWKBINARY=${BINARY}; LogText " Found known binary: awk (string tool) - ${BINARY}" ;; 
@@ -107,14 +108,14 @@ auditctl) AUDITCTLBINARY="${BINARY}"; LogText " Found known binary: auditctl (control utility for audit daemon) - ${BINARY}" ;; autolog) AUTOLOGBINARY="${BINARY}"; IDLE_SESSION_KILLER_INSTALLED=1; LogText " Found known binary: autolog (idle session killer) - ${BINARY}" ;; base64) BASE64BINARY="${BINARY}"; LogText " Found known binary: base64 (encoding tool) - ${BINARY}" ;; - blkid) BLKDBINARY="${BINARY}"; LogText " Found known binary: blkid (information about block devices) - ${BINARY}" ;; - bootctl) BOOTCTLBINARY="${BINARY}"; LogText " Found known binary: bootctl (systemd-boot manager utility) - ${BINARY}" ;; + blkid) BLKIDBINARY="${BINARY}"; LogText " Found known binary: blkid (information about block devices) - ${BINARY}" ;; + bootctl) BOOTCTLBINARY="${BINARY}"; LogText " Found known binary: bootctl (systemd-boot manager utility) - ${BINARY}" ;; cat) CAT_BINARY="${BINARY}"; LogText " Found known binary: cat (generic file handling) - ${BINARY}" ;; - cc) CCBINARY="${BINARY}"; COMPILER_INSTALLED=1; LogText " Found known binary: cc (compiler) - ${BINARY}" ;; + cc) CCBINARY="${BINARY}"; COMPILER_INSTALLED=1; LogText " Found known binary: cc (compiler) - ${BINARY}" ;; chkconfig) CHKCONFIGBINARY=${BINARY}; LogText " Found known binary: chkconfig (administration tool) - ${BINARY}" ;; clamconf) CLAMCONF_BINARY=${BINARY}; LogText " Found known binary: clamconf (information about ClamAV) - ${BINARY}" ;; clamscan) CLAMSCANBINARY=${BINARY}; LogText " Found known binary: clamscan (AV scanner) - ${BINARY}" ;; - clang) CLANGBINARY=${BINARY}; COMPILER_INSTALLED=1; LogText " Found known binary: clang (compiler) - ${BINARY}" ;; + clang) CLANGBINARY=${BINARY}; COMPILER_INSTALLED=1; LogText " Found known binary: clang (compiler) - ${BINARY}" ;; cfagent) CFAGENTBINARY="${BINARY}"; FILE_INT_TOOL_FOUND=1; LogText " Found known binary: cfengine agent (configuration tool) - ${BINARY}" ;; chkrootkit) CHKROOTKITBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText 
" Found known binary: chkrootkit (malware scanner) - ${BINARY}" ;; comm) COMMBINARY="${BINARY}"; LogText " Found known binary: comm (file compare) - ${BINARY}" ;; @@ -131,7 +132,8 @@ domainname) DOMAINNAMEBINARY="${BINARY}"; LogText " Found known binary: domainname (NIS domain) - ${BINARY}" ;; dpkg) DPKGBINARY="${BINARY}"; LogText " Found known binary: dpkg (package management) - ${BINARY}" ;; egrep) EGREPBINARY=${BINARY}; LogText " Found known binary: egrep (text search) - ${BINARY}" ;; - exim) EXIMBINARY="${BINARY}"; EXIMVERSION=$(${BINARY} -bV | grep 'Exim version' | awk '{ print $3 }' | xargs); LogText "Found ${BINARY} (version ${EXIMVERSION})" ;; + equery) EQUERYBINARY="${BINARY}"; LogText " Found known binary: query (package manager) - ${BINARY}" ;; + exim) EXIMBINARY="${BINARY}"; EXIMVERSION=$(${BINARY} -bV | grep 'Exim version' | awk '{ print $3 }' | xargs); LogText " Found known binary ${BINARY} (version ${EXIMVERSION})" ;; fail2ban-server) FAIL2BANBINARY="${BINARY}"; LogText " Found known binary: fail2ban (IPS tool) - ${BINARY}" ;; file) FILEBINARY="${BINARY}"; LogText " Found known binary: file (file type detection) - ${BINARY}" ;; find) FINDBINARY="${BINARY}"; LogText " Found known binary: find (search tool) - ${BINARY}" ;; 
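Review bot: The log line added for the new `equery)` case names the wrong tool: `LogText " Found known binary: query (package manager) - ${BINARY}"` should say `equery`, and since equery is the gentoolkit query front-end rather than a package manager itself, `equery (Gentoo package query tool)` describes it more accurately for anyone searching the log. The rewritten exim line in the same hunk also drops the colon every other entry uses (`" Found known binary ${BINARY} (version ${EXIMVERSION})"`); `" Found known binary: exim (MTA) - ${BINARY} (version ${EXIMVERSION})"` would keep the log format uniform.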
@@ -164,7 +166,7 @@ lsattr) LSATTRBINARY="${BINARY}"; LogText " Found known binary: lsattr (file attributes) - ${BINARY}" ;; lsmod) LSMODBINARY="${BINARY}"; LogText " Found known binary: lsmod (kernel modules) - ${BINARY}" ;; lsof) LSOFBINARY="${BINARY}"; LogText " Found known binary: lsof (open files) - ${BINARY}" ;; - lsvg) LVSGBINARY=${BINARY}; LogText " Found known binary: lsvg (volume manager) - ${BINARY}" ;; + lsvg) LSVGBINARY=${BINARY}; LogText " Found known binary: lsvg (volume manager) - ${BINARY}" ;; lvdisplay) LVDISPLAYBINARY="${BINARY}"; LogText " Found known binary: lvdisplay (LVM tool) - ${BINARY}" ;; lynx) LYNXBINARY="${BINARY}"; LYNXVERSION=$(${BINARY} -version | grep "^Lynx Version" | cut -d ' ' -f3); LogText "Found known binary: lynx (browser) - ${BINARY} (version ${LYNXVERSION})" ;; maldet) LMDBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: maldet (Linux Malware Detect, malware scanner) - ${BINARY}" ;; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/consts new/lynis/include/consts --- old/lynis/include/consts 2019-03-07 01:00:00.000000000 +0100 +++ new/lynis/include/consts 2019-04-21 02:00:00.000000000 +0200 @@ -46,6 +46,7 @@ # # == Variable initializing == # + APTBINARY="" ARCH_AUDIT_BINARY="" AUDITORNAME="" AUDITCTLBINARY="" @@ -70,6 +71,7 @@ CHKCONFIGBINARY="" CLAMCONF_BINARY="" CLAMSCANBINARY="" + CLANGBINARY="" COLORS=1 COMPLIANCE_ENABLE_CIS=0 COMPLIANCE_ENABLE_HIPAA=0 @@ -99,8 +101,11 @@ DNFBINARY="" DOCKERBINARY="" DOCKER_DAEMON_RUNNING=0 + DPKGBINARY="" ECHOCMD="" ERROR_ON_WARNINGS=0 + EQUERYBINARY="" + EXIMBINARY="" FAIL2BANBINARY="" FILEBINARY="" FILEVALUE="" @@ -139,6 +144,7 @@ LOGTEXT=1 LSMODBINARY="" LSVGBINARY="" + LYNIS_CRONJOB="" MACHINEID="" MACHINE_ROLE="" MALWARE_SCANNER_INSTALLED=0 
@@ -247,8 +253,10 @@ SHOW_REPORT_SOLUTION=1 SHOW_TOOL_TIPS=1 # Show inline tool tips (default true) SHOW_WARNINGS_ONLY=0 + SKIP_GETHOSTID=0 SKIP_PLUGINS=0 SKIP_TESTS="" + SKIP_VM_DETECTION=0 SKIPREASON="" SKIPPED_TESTS_ROOTONLY="" SMTPCTLBINARY="" @@ -269,6 +277,7 @@ TESTS_EXECUTED="" TESTS_SKIPPED="" TMPFILE="" + TOMOYOINITBINARY="" TOOLTIP_SHOWED=0 TOTAL_SUGGESTIONS=0 TOTAL_WARNINGS=0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/functions new/lynis/include/functions --- old/lynis/include/functions 2019-03-07 01:00:00.000000000 +0100 +++ new/lynis/include/functions 2019-04-21 02:00:00.000000000 +0200 @@ -805,15 +805,26 @@ # Name : GetHostID() # Description : Create an unique id for the system # - # Returns : optional value + # Returns : 0 = fetched or created IDs, 1 = failed, 2 = skipped # Usage : GetHostID ################################################################################ GetHostID() { + if [ ${SKIP_GETHOSTID} -eq 1 ]; then + return 2 + fi + if [ ! -z "${HOSTID}" -a ! -z "${HOSTID2}" ]; then Debug "Skipping creation of host identifiers, as they are already configured (via profile)" - return 1 + return 2 + fi + + if [ -f "${ROOTDIR}etc/lynis/hostids" ]; then + Debug "Used hostids file to fetch values" + HOSTID=$(grep "^hostid=" ${ROOTDIR}etc/lynis/hostids | awk -F= '{print $2}') + HOSTID2=$(grep "^hostid2=" ${ROOTDIR}etc/lynis/hostids | awk -F= '{print $2}') + return 0 fi FIND="" @@ -1110,8 +1121,9 @@ fi # Show an exception if no HostID could be created, to ensure each system (and scan) has one - if [ "${HOSTID}" = "" ]; then + if [ -z "${HOSTID}" ]; then ReportException "GetHostID" "No unique host identifier could be created." + return 1 elif [ ! -z "${HOSTID2}" ]; then return 0 fi 
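Review bot: The new hostids branch in GetHostID returns 0 as soon as `${ROOTDIR}etc/lynis/hostids` exists, without checking that either grep produced a value, so an empty or malformed file leaves HOSTID/HOSTID2 empty while the function reports success and the `ReportException "GetHostID"` path the second hunk adds is never reached. A guard after the two assignments closes that: `if [ -z "${HOSTID}" ] || [ -z "${HOSTID2}" ]; then LogText "Result: hostids file present but does not contain both identifiers"; return 1; fi` (or fall through to the generation code below, whichever precedence is intended). The two lookups also call bare `grep` and `awk` where the rest of this diff uses `${GREPBINARY}`/`${AWKBINARY}`, and the file path is unquoted. Whether the values should additionally be validated as the hex strings `lynis generate hostids` produces I cannot tell from here, since the consumers of HOSTID are outside the hunk; the function body continues past the end of the hunk.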
@@ -1284,7 +1296,8 @@ if [ -z "${search}" ]; then ExitFatal "Missing process to search for when using IsRunning function"; fi RUNNING=0 - if [ ! -z "${PGREPBINARY}" ]; then + # AIX does not fully support pgrep options, so using ps instead + if [ ! -z "${PGREPBINARY}" -a ! "${OS}" = "AIX" ]; then FIND=$(${PGREPBINARY} ${pgrep_options} "${search}" | ${TRBINARY} '\n' ' ') else if [ -z "${PSOPTIONS}" ]; then @@ -1392,6 +1405,10 @@ ISVIRTUALMACHINE=2; VMTYPE="unknown"; VMFULLTYPE="Unknown" SHORT="" + if [ ${SKIP_VM_DETECTION} -eq 1 ]; then + return 2 + fi + # lxc environ detection if [ -z "${SHORT}" ]; then if [ -f /proc/1/environ ]; then @@ -1699,7 +1716,7 @@ ################################################################################ # Name : PackageIsInstalled() - # Description : Add a separator to log file between sections, tests etc + # Description : Determines if a package is installed # Returns : exit code # Notes : this function is not used yet, but created in advance to allow # the addition of support for all operating systems 
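Review bot: The new IsRunning condition `[ ! -z "${PGREPBINARY}" -a ! "${OS}" = "AIX" ]` relies on `-a` inside `[ ]`, which POSIX marks obsolescent and which becomes ambiguous when an operand begins with `!` or `-`; `if [ ! -z "${PGREPBINARY}" ] && [ ! "${OS}" = "AIX" ]; then` is the portable form for a `#!/bin/sh` file and reads the same. The surrounding function starts and ends outside the hunk.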
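Review bot: The PackageIsInstalled header still carries `# Notes : this function is not used yet, but created in advance to allow` as an unchanged context line, but this same commit makes INSE-8000 call `PackageIsInstalled "inetd"`, so the note is now wrong and the one line the commit does fix (the description) leaves it stale. Replace the note with the actual contract callers now depend on, something like `# Notes : returns 0 when the package is installed, non-zero when it is not or no supported package manager was found` — hedged, since the exit-code handling at the end of the function is outside this hunk.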
@@ -1714,11 +1731,20 @@ Fatal "Incorrect usage of PackageIsInstalled function" fi - if [ ! -z "${RPMBINARY}" ]; then - output=$(${RPMBINARY} --quiet -q ${package} 2> /dev/null) + if [ ! -z "${DNFBINARY}" ]; then + output=$(${DNFBINARY} --quiet --cacheonly --noplugins --assumeno info --installed ${package} > /dev/null 2>&1) + exit_code=$? + elif [ ! -z "${DPKGBINARY}" ]; then + output=$(${DPKGBINARY} -l ${package} 2> /dev/null | ${GREPBINARY} "^ii") exit_code=$? - elif ! -z "${DPKGBINARY}" ]; then - output=$(${DPKGBINARY} -l ${package} 2> /dev/null) + elif [ ! -z "${EQUERYBINARY}" ]; then + output=$(${EQUERYBINARY} --quiet ${package} > /dev/null 2>&1) + exit_code=$? # 0=package installed, 3=package not installed + elif [ ! -z "${PKG_BINARY}" ]; then + output=$(${PKG_BINARY} -N info ${package} >/dev/null 2>&1) + exit_code=$? # 0=package installed, 70=invalid package + elif [ ! -z "${RPMBINARY}" ]; then + output=$(${RPMBINARY} --quiet -q ${package} > /dev/null 2>&1) exit_code=$? elif [ ! -z "${ZYPPERBINARY}" ]; then output=$(${ZYPPERBINARY} --quiet --non-interactive search --installed -i ${PACKAGE} 2> /dev/null | grep "^i") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/helper_generate new/lynis/include/helper_generate --- old/lynis/include/helper_generate 1970-01-01 01:00:00.000000000 +0100 +++ new/lynis/include/helper_generate 2019-04-21 02:00:00.000000000 +0200 
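Review bot: The Zypper branch left as context at the end of the hunk searches for `${PACKAGE}` while every branch above it uses `${package}`, so on Zypper-based systems the lookup runs with a different (presumably unset) name and the installed check is meaningless; it should read `search --installed -i ${package}`. The function body and the final exit_code handling continue past the end of the hunk, so I cannot confirm whether `${PACKAGE}` is set anywhere else. Two smaller points: `${package}` is unquoted in every branch (harmless for the literal names callers pass, but `"${package}"` costs nothing), and in the DNF/equery/pkg/rpm branches `output=` captures nothing because stdout is redirected, so only `exit_code` carries information there.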
@@ -0,0 +1,89 @@ +#!/bin/sh + +################################################################################# +# +# Lynis +# ------------------ +# +# Copyright 2007-2013, Michael Boelen +# Copyright 2007-2019, CISOfy +# +# Website : https://cisofy.com +# Blog : http://linux-audit.com +# GitHub : https://github.com/CISOfy/lynis +# +# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are +# welcome to redistribute it under the terms of the GNU General Public License. +# See LICENSE file for usage of this software. +# +###################################################################### +# +# Helper program to generate specific details such as host IDs +# +###################################################################### +# +# How to use: +# ------------ +# Run: lynis generate <option> +# +###################################################################### + +SAVEFILE=0 +GENERATE_ARGS="hostids" + +if [ $# -gt 0 ]; then + case $1 in + "hostids") + + if [ $# -gt 1 ]; then + shift + if [ $1 = "--save" ]; then + SAVEFILE=1 + fi + fi + + # Generate random host IDs + HOSTID=$(head -c20 < /dev/urandom | xxd -c 20 -p) + HOSTID2=$(head -c32 < /dev/urandom | xxd -c 32 -p) + + ${ECHOCMD} "Generated host identifiers" + ${ECHOCMD} "- hostid: ${HOSTID}" + ${ECHOCMD} "- hostid2: ${HOSTID2}" + + if [ ${SAVEFILE} -eq 1 ]; then + FILE="${ROOTDIR}etc/lynis/hostids" + if [ -f ${FILE} ]; then + ${ECHOCMD} "Error: hostids file already exists (${FILE})" + ${ECHOCMD} "Remove the file first and rerun command" + ExitFatal + else + OUTPUT=$(touch ${FILE} 2> /dev/null) + if [ $? -eq 0 ]; then + ${ECHOCMD} "Created hostids file (${FILE})" + echo "# generated using 'lynis generate hostids --save'" > ${FILE} + echo "hostid=${HOSTID}" >> ${FILE} + echo "hostid2=${HOSTID2}" >> ${FILE} + else + ExitFatal "Error: could not created hostids file (${FILE}). Issue with permissions?" 
+ fi + fi + fi + + ExitClean + ;; + *) ${ECHOCMD} "Unknown argument '${RED}$1${NORMAL}' for lynis generate" ;; + esac +else + ${ECHOCMD} "\n ${WHITE}Provide an additional argument${NORMAL}\n\n" + for ITEM in ${GENERATE_ARGS}; do + ${ECHOCMD} " lynis generate ${BROWN}${ITEM}${NORMAL}" + done + ${ECHOCMD} "\n" + ${ECHOCMD} "" + ${ECHOCMD} "Extended help about the generate command can be provided with: $0 show commands generate" +fi + + +ExitClean + +# The End diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/helper_show new/lynis/include/helper_show --- old/lynis/include/helper_show 2019-03-07 01:00:00.000000000 +0100 +++ new/lynis/include/helper_show 2019-04-21 02:00:00.000000000 +0200 @@ -94,6 +94,17 @@ " +GENERATE_ARGS="( --save )" +GENERATE_HELP=" + Generate random value for hostid and hostid2 + ${WHITE}lynis generate hostids${NORMAL} + + Generate and save values + ${WHITE}lynis generate hostids --save${NORMAL} + +" + + UPDATE_ARGS="check info" UPDATE_HELP=" ${CYAN}update info${NORMAL} @@ -274,6 +285,7 @@ shift case $1 in "audit") ${ECHOCMD} "${AUDIT_HELP}" ;; + "generate") ${ECHOCMD} "${GENERATE_HELP}" ;; "show") ${ECHOCMD} "${SHOW_HELP}" ;; "update") ${ECHOCMD} "${UPDATE_HELP}" ;; "upload-only") ${ECHOCMD} "${UPLOAD_ONLY_HELP}" ;; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/osdetection new/lynis/include/osdetection --- old/lynis/include/osdetection 2019-03-07 01:00:00.000000000 +0100 +++ new/lynis/include/osdetection 2019-04-21 02:00:00.000000000 +0200 
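Review bot: `lynis generate hostids --save` writes the identifiers without checking that they were actually produced: `xxd` is not part of coreutils and is absent on many minimal systems, in which case `HOSTID=$(head -c20 < /dev/urandom | xxd -c 20 -p)` and the HOSTID2 line yield empty strings and the `--save` branch writes a hostids file with `hostid=` and `hostid2=` empty, which GetHostID later reads back as a success. A guard before the echo block closes that: `if [ -z "${HOSTID}" ] || [ -z "${HOSTID2}" ]; then ExitFatal "Error: could not generate host identifiers (is xxd installed?)"; fi`. Since the file holds the identity that distinguishes this host in reports, consider creating it with a restrictive mode (`umask 077` before the `touch`) instead of inheriting the process umask — I cannot see here how the values are consumed upstream. Two smaller points: `if [ $1 = "--save" ]` should quote `"$1"` (an empty argument makes the test a syntax error), and the last ExitFatal message has a typo, `could not create hostids file`.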
@@ -477,7 +477,7 @@ ECHONB="" case ${OS} in - "AIX") ECHOCMD="echo" ;; + "AIX") ECHOCMD="echo"; ECHONB="printf" ;; "DragonFly"|"FreeBSD"|"NetBSD") ECHOCMD="echo -e"; ECHONB="echo -n" ;; "macOS" | "Mac OS X") ECHOCMD="echo"; ECHONB="/bin/echo -n" ;; "Solaris") ECHOCMD="echo" ; test -f /usr/ucb/echo && ECHONB="/usr/ucb/echo -n" ;; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/parameters new/lynis/include/parameters --- old/lynis/include/parameters 2019-03-07 01:00:00.000000000 +0100 +++ new/lynis/include/parameters 2019-04-21 02:00:00.000000000 +0200 @@ -111,6 +111,24 @@ break ;; + # Generate data + generate) + CHECK_BINARIES=0 + HELPER="generate" + LOGTEXT=0 + QUIET=1 + RUN_HELPERS=1 + RUN_TESTS=0 + RUN_UPDATE_CHECK=0 + SKIP_GETHOSTID=1 + SKIP_PLUGINS=1 + SKIP_VM_DETECTION=1 + SHOW_PROGRAM_DETAILS=0 + SHOW_TOOL_TIPS=0 + shift; HELPER_PARAMS="$@" + break + ;; + # Show Lynis details show) CHECK_BINARIES=0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/report new/lynis/include/report --- old/lynis/include/report 2019-03-07 01:00:00.000000000 +0100 +++ new/lynis/include/report 2019-04-21 02:00:00.000000000 +0200 @@ -178,7 +178,11 @@ echo "" echo " ${CYAN}Hardening index${NORMAL} : ${WHITE}${HPINDEX}${NORMAL} ${HPGRAPH}" echo " ${CYAN}Tests performed${NORMAL} : ${WHITE}${CTESTS_PERFORMED}${NORMAL}" - if [ ${SKIP_PLUGINS} -eq 0 ]; then echo " ${CYAN}Plugins enabled${NORMAL} : ${WHITE}${N_PLUGIN_ENABLED}${NORMAL}"; fi + if [ ${SKIP_PLUGINS} -eq 0 ]; then + echo " ${CYAN}Plugins enabled${NORMAL} : ${WHITE}${N_PLUGIN_ENABLED}${NORMAL}" + else + echo " ${CYAN}Plugins enabled${NORMAL} : ${WHITE}Skipped${NORMAL}" + fi echo "" echo " ${WHITE}Components${NORMAL}:" if [ ${FIREWALL_ACTIVE} -eq 1 ]; then FIREWALL="${GREEN}V"; else FIREWALL="${RED}X"; fi 
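Review bot: `ECHONB="printf"` for AIX makes the first argument of every `${ECHONB} "..."` call a printf format string, unlike the `echo -n` variants used for the other platforms: any `%` in the text (a file name or configuration value pulled into a message) is interpreted as a conversion, and a trailing lone `%` produces an error. `"AIX") ECHOCMD="echo"; ECHONB="printf %s" ;;` keeps the no-newline behaviour while printing the argument literally. Whether any caller relies on backslash escapes being interpreted by ECHONB I cannot tell from this hunk.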
@@ -191,15 +195,15 @@ echo " - Malware scanner [${MALWARE}${NORMAL}]" echo "" - echo " ${SECTION}Lynis Modules${NORMAL}:" + echo " ${SECTION}Lynis modules${NORMAL}:" if [ ${COMPLIANCE_TESTS_PERFORMED} -eq 1 ]; then if [ ${COMPLIANCE_FINDINGS_FOUND} -eq 0 ]; then COMPLIANCE="${GREEN}V"; else COMPLIANCE="${RED}X"; fi else COMPLIANCE="${YELLOW}?" fi - echo " - Compliance Status [${COMPLIANCE}${NORMAL}]" - echo " - Security Audit [${GREEN}V${NORMAL}]" - echo " - Vulnerability Scan [${GREEN}V${NORMAL}]" + echo " - Compliance status [${COMPLIANCE}${NORMAL}]" + echo " - Security audit [${GREEN}V${NORMAL}]" + echo " - Vulnerability scan [${GREEN}V${NORMAL}]" echo "" echo " ${SECTION}Files${NORMAL}:" echo " - Test and debug information : ${WHITE}${LOGFILE}${NORMAL}" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_authentication new/lynis/include/tests_authentication --- old/lynis/include/tests_authentication 2019-03-07 01:00:00.000000000 +0100 +++ new/lynis/include/tests_authentication 2019-04-21 02:00:00.000000000 +0200 
@@ -698,25 +698,32 @@ # # Test : AUTH-9278 # Description : Search LDAP support in PAM files - Register --test-no AUTH-9278 --weight L --network NO --category security --description "Checking LDAP pam status" + Register --test-no AUTH-9278 --weight L --network NO --category security --description "Determine LDAP support in PAM files" if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: checking presence /etc/pam.d/common-auth" - if [ -f /etc/pam.d/common-auth ]; then - LogText "Result: file /etc/pam.d/common-auth exists" - LogText "Test: checking presence LDAP module" - FIND=$(${GREPBINARY} "^auth.*ldap" /etc/pam.d/common-auth) - if [ ! "${FIND}" = "" ]; then - LogText "Result: LDAP module present" - LogText "Output: ${FIND}" - Display --indent 2 --text "- LDAP module in PAM" --result "${STATUS_FOUND}" --color GREEN - LDAP_AUTH_ENABLED=1 - LDAP_PAM_ENABLED=1 + AUTH_FILES="${ROOTDIR}etc/pam.d/common-auth ${ROOTDIR}etc/pam.d/system-auth" + for FILE in ${AUTH_FILES}; do + LogText "Test: checking presence ${FILE}" + if [ -f ${FILE} ]; then + LogText "Result: file ${FILE} exists" + LogText "Test: checking presence LDAP module" + FIND=$(${GREPBINARY} "^auth.*ldap" ${FILE}) + if [ ! 
-z "${FIND}" ]; then + LogText "Result: LDAP module present" + LogText "Output: ${FIND}" + LDAP_AUTH_ENABLED=1 + LDAP_PAM_ENABLED=1 + else + LogText "Result: LDAP module not found" + fi else - LogText "Result: LDAP module not found" - Display --indent 2 --text "- LDAP module in PAM" --result "${STATUS_NOT_FOUND}" --color WHITE + LogText "Result: file ${FILE} not found, skipping test" fi + done + + if [ ${LDAP_PAM_ENABLED} -eq 1 ]; then + Display --indent 2 --text "- LDAP module in PAM" --result "${STATUS_FOUND}" --color GREEN else - LogText "Result: file /etc/pam.d/common-auth not found, skipping test" + Display --indent 2 --text "- LDAP module in PAM" --result "${STATUS_NOT_FOUND}" --color WHITE fi fi # diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_filesystems new/lynis/include/tests_filesystems --- old/lynis/include/tests_filesystems 2019-03-07 01:00:00.000000000 +0100 +++ new/lynis/include/tests_filesystems 2019-04-21 02:00:00.000000000 +0200 @@ -158,7 +158,27 @@ done else LogText "Result: no EXT file systems found" - Report "file_systems_ext[]=none" + fi + fi +# +################################################################################# +# + # Test : FILE-6324 + # Description : Checking Linux XFS file systems + Register --test-no FILE-6324 --os Linux --weight L --network NO --category security --description "Checking XFS file systems" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: Checking for Linux XFS file systems" + FIND=$(${MOUNTBINARY} -t xfs | ${AWKBINARY} '{ print $3","$5 }') + if [ ! -z "${FIND}" ]; then + LogText "Result: found one or more XFS file systems" + for I in ${FIND}; do + FILESYSTEM=$(echo ${I} | ${CUTBINARY} -d ',' -f1) + FILETYPE=$(echo ${I} | ${CUTBINARY} -d ',' -f2) + LogText "File system: ${FILESYSTEM} (type: ${FILETYPE})" + Report "file_systems_xfs[]=${FILESYSTEM}|${FILETYPE}|" + done + else + LogText "Result: no XFS file systems found" fi fi # 
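Review bot: The Display after the new loop tests `[ ${LDAP_PAM_ENABLED} -eq 1 ]` unquoted, which only works if LDAP_PAM_ENABLED is initialised to a number before AUTH-9278 runs; I cannot confirm that from this diff (the consts hunks above do not show it), and if it starts out empty the test fails with "unary operator expected" and the NOT_FOUND branch is taken on every system. `if [ "${LDAP_PAM_ENABLED}" = "1" ]; then` is robust either way. The file check should likewise be quoted, `if [ -f "${FILE}" ]; then`, now that the paths are built from `${ROOTDIR}`.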
@@ -540,13 +560,13 @@ # --------------------------------------------------------- FILESYSTEMS_TO_CHECK="/boot:nodev,noexec,nosuid /dev/shm:nosuid,nodev,noexec /home:nodev,nosuid /tmp:nodev,noexec,nosuid /var:nosuid /var/log:nodev,noexec,nosuid /var/log/audit:nodev,noexec,nosuid /var/tmp:nodev,noexec,nosuid" - Register --test-no FILE-6374 --os Linux --weight L --network NO --category security --description "Checking /boot mount options" + Register --test-no FILE-6374 --os Linux --weight L --network NO --category security --description "Checking partitions mount options" if [ ${SKIPTEST} -eq 0 ]; then if [ -f /etc/fstab ]; then for I in ${FILESYSTEMS_TO_CHECK}; do FILESYSTEM=$(echo ${I} | ${CUTBINARY} -d: -f1) EXPECTED_FLAGS=$(echo ${I} | ${CUTBINARY} -d: -f2 | ${SEDBINARY} 's/,/ /g') - FS_FSTAB=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($2==fs) { print $3 } }' /etc/fstab) + FS_FSTAB=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($2==fs) { print $3 } }' ${ROOTDIR}etc/fstab) if [ "${FS_FSTAB}" = "glusterfs" ]; then EXPECTED_FLAGS=$(echo ${EXPECTED_FLAGS} | ${SEDBINARY} 's/\<\(nodev\|nosuid\)\> *//g') if [ -z "${EXPECTED_FLAGS}" ]; then @@ -554,7 +574,7 @@ fi fi if [ ! -z "${FS_FSTAB}" ]; then - FOUND_FLAGS=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($2==fs) { print $4 } }' /etc/fstab | ${SEDBINARY} 's/,/ /g' | ${TRBINARY} '\n' ' ') + FOUND_FLAGS=$(${AWKBINARY} -v fs=${FILESYSTEM} '{ if ($2==fs) { print $4 } }' ${ROOTDIR}etc/fstab | ${SEDBINARY} 's/,/ /g' | ${TRBINARY} '\n' ' ') LogText "File system: ${FILESYSTEM}" LogText "Expected flags: ${EXPECTED_FLAGS}" LogText "Found flags: ${FOUND_FLAGS}" 
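Review bot: The two awk calls now read `${ROOTDIR}etc/fstab`, but the guard on the unchanged line above them, `if [ -f /etc/fstab ]; then`, still checks the host's /etc/fstab, so with a non-default ROOTDIR the test either skips although the target fstab exists or runs awk against a missing file; `if [ -f ${ROOTDIR}etc/fstab ]; then` keeps the two consistent. The second hunk (@@ -554) makes the same path change and is covered by the same fix. The enclosing FILE-6374 block continues past the end of the hunk.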
@@ -562,7 +582,7 @@ FULLY_HARDENED=1 for FLAG in ${EXPECTED_FLAGS}; do FLAG_AVAILABLE=$(echo ${FOUND_FLAGS} | ${GREPBINARY} ${FLAG}) - if [ "${FLAG_AVAILABLE}" = "" ]; then + if [ -z "${FLAG_AVAILABLE}" ]; then LogText "Result: Could not find mount option ${FLAG} on file system ${FILESYSTEM}" FULLY_HARDENED=0 else diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_insecure_services new/lynis/include/tests_insecure_services --- old/lynis/include/tests_insecure_services 2019-03-07 01:00:00.000000000 +0100 +++ new/lynis/include/tests_insecure_services 2019-04-21 02:00:00.000000000 +0200 @@ -18,7 +18,7 @@ # ################################################################################# # -# Unsecure services +# Insecure services # ################################################################################# # 
@@ -28,32 +28,55 @@ # INETD_ACTIVE=0 INETD_CONFIG_FILE="${ROOTDIR}etc/inetd.conf" + INETD_PACKAGE_INSTALLED=0 + XINETD_ACTIVE=0 + XINETD_CONFIG_FILE="${ROOTDIR}etc/xinetd.conf" + XINETD_CONFIG_DIR="${ROOTDIR}etc/xinetd.d" +# +################################################################################# +# + # Test : INSE-8000 + # Description : Check for installed inetd package + Register --test-no INSE-8000 --weight L --network NO --category security --description "Installed inetd package" + if [ ${SKIPTEST} -eq 0 ]; then + # Check for installed inetd daemon + LogText "Test: Checking if inetd is installed" + if PackageIsInstalled "inetd"; then + INETD_PACKAGE_INSTALLED=1 + LogText "Result: inetd is installed" + Display --indent 2 --text "- Installed inetd package" --result "${STATUS_FOUND}" --color YELLOW + #ReportSuggestion ${TEST_NO} "If there are no inetd services required, it is recommended that the daemon be removed" + else + LogText "Result: inetd is NOT installed" + Display --indent 2 --text "- Installed inetd package" --result "${STATUS_NOT_FOUND}" --color GREEN + fi + fi # ################################################################################# # # Test : INSE-8002 # Description : Check for inetd status - Register --test-no INSE-8002 --weight L --network NO --category security --description "Check for enabled inet daemon" + if [ ${INETD_PACKAGE_INSTALLED} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8002 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for enabled inet daemon" if [ ${SKIPTEST} -eq 0 ]; then # Check running processes LogText "Test: Searching for active inet daemon" - IsRunning inetd - if [ ${RUNNING} -eq 1 ]; then + if IsRunning "inetd"; then LogText "Result: inetd is running" - Display --indent 2 --text "- Checking inetd status" --result "ACTIVE" --color GREEN + Display --indent 4 --text "- inetd status" --result "ACTIVE" --color GREEN INETD_ACTIVE=1 
else LogText "Result: inetd is NOT running" - Display --indent 2 --text "- Checking inetd status" --result "NOT ACTIVE" --color GREEN + Display --indent 4 --text "- inetd status" --result "NOT ACTIVE" --color GREEN fi fi # ################################################################################# # # Test : INSE-8004 - # Description : Check for inetd configuration file + # Description : Check for inetd configuration file (inetd) if [ ${INETD_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no INSE-8004 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for enabled inet daemon" + Register --test-no INSE-8004 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Presence of inetd configuration file" if [ ${SKIPTEST} -eq 0 ]; then # Check configuration file LogText "Test: Searching for file ${INETD_CONFIG_FILE}" 
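Review bot: Gating INSE-8002 on `INETD_PACKAGE_INSTALLED` means a running inetd is no longer examined unless `PackageIsInstalled` reports a package named exactly `inetd`; where the daemon ships under another package name or was not installed from a package, the test is skipped, `INETD_ACTIVE` stays 0 and INSE-8004/8006 are skipped with it, whereas the removed lines checked `IsRunning` unconditionally. Consider looping over a `PACKAGES="..."` list of candidate names the way INSE-8200 and INSE-8300 in this file do, or keeping the process check independent of the package check. Minor inconsistency: INSE-8000 displays `${STATUS_NOT_FOUND}` for the absent-package case while INSE-8100 displays `${STATUS_OK}` for the same situation.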
@@ -73,15 +96,15 @@ if [ ${INETD_ACTIVE} -eq 0 -a -f ${INETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no INSE-8006 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check configuration of inetd when disabled" if [ ${SKIPTEST} -eq 0 ]; then - # Check if any service is enabled in /etc/inetd.conf (inetd is not active, see test 8002) - LogText "Test: check if all services are disabled if inetd is disabled" + # Check if any service is enabled in /etc/inetd.conf (inetd is not active, see test INSE-8002) + LogText "Test: check if all services are disabled when inetd is disabled" FIND=$(${GREPBINARY} -v "^#" ${INETD_CONFIG_FILE} | ${GREPBINARY} -v "^$") if [ -z "${FIND}" ]; then LogText "Result: no services found in ${INETD_CONFIG_FILE}" - Display --indent 4 --text "- Checking inetd.conf services" --result "${STATUS_OK}" --color GREEN + Display --indent 4 --text "- Checking enabled inetd services" --result "${STATUS_OK}" --color GREEN else LogText "Result: found services in inetd, even though inetd is not running" - Display --indent 4 --text "- Checking inetd.conf services" --result "${STATUS_SUGGESTION}" --color YELLOW + Display --indent 4 --text "- Checking enabled inetd services" --result "${STATUS_SUGGESTION}" --color YELLOW ReportSuggestion ${TEST_NO} "Although inetd is not running, make sure no services are enabled in ${INETD_CONFIG_FILE}, or remove inetd service" fi fi @@ -95,7 +118,7 @@ if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: checking telnet presence in inetd configuration" FIND=$(${GREPBINARY} "^telnet" ${INETD_CONFIG_FILE}) - if [ "${FIND}" = "" ]; then + if [ -z "${FIND}" ]; then LogText "Result: telnet not enabled in ${INETD_CONFIG_FILE}" Display --indent 2 --text "- Checking inetd (telnet)" --result "${STATUS_NOT_FOUND}" --color GREEN AddHP 3 3 
@@ -107,6 +130,289 @@ fi fi # +################################################################################# +# + # Test : INSE-8100 + # Description : Check for installed xinetd daemon + Register --test-no INSE-8100 --weight L --network NO --category security --description "Check for installed xinetd daemon" + if [ ${SKIPTEST} -eq 0 ]; then + # Check for installed xinetd daemon + LogText "Test: Checking for installed xinetd daemon" + if PackageIsInstalled "xinetd"; then + LogText "Result: xinetd is installed" + Display --indent 2 --text "- Installed xinetd package" --result "${STATUS_FOUND}" --color YELLOW + ReportSuggestion ${TEST_NO} "If there are no xinetd services required, it is recommended that the daemon be removed" + else + LogText "Result: xinetd is NOT installed" + Display --indent 2 --text "- Installed xinetd package" --result "${STATUS_OK}" --color GREEN + fi + fi +# +################################################################################# +# + # Test : INSE-8102 + # Description : Check for xinetd status + Register --test-no INSE-8102 --weight L --network NO --category security --description "Check for active xinet daemon" + if [ ${SKIPTEST} -eq 0 ]; then + # Check running processes + LogText "Test: Searching for active extended internet services daemon (xinetd)" + if IsRunning "xinetd"; then + LogText "Result: xinetd is running" + Display --indent 4 --text "- xinetd status" --result "ACTIVE" --color GREEN + XINETD_ACTIVE=1 + else + LogText "Result: xinetd is NOT running" + Display --indent 4 --text "- xinetd status" --result "NOT ACTIVE" --color GREEN + fi + fi +# +################################################################################# +# + # Test : INSE-8104 + # Description : Check for xinetd configuration file + if [ ${XINETD_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8104 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for enabled xinet 
daemon" + if [ ${SKIPTEST} -eq 0 ]; then + # Check configuration file + LogText "Test: Searching for file ${XINETD_CONFIG_FILE}" + if [ -f "${XINETD_CONFIG_FILE}" ]; then + LogText "Result: ${XINETD_CONFIG_FILE} exists" + Display --indent 6 --text "- Configuration file (xinetd.conf)" --result "${STATUS_FOUND}" --color WHITE + else + LogText "Result: ${XINETD_CONFIG_FILE} does not exist" + Display --indent 6 --text "- Configuration file (xinetd.conf)" --result "${STATUS_NOT_FOUND}" --color WHITE + fi + fi +# +################################################################################# +# + # Test : INSE-8106 + # Description : Check for xinetd configuration file contents if xinetd is NOT active + if [ ${XINETD_ACTIVE} -eq 0 -a -f ${XINETD_CONFIG_FILE} ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8106 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check configuration of xinetd when disabled" + if [ ${SKIPTEST} -eq 0 ]; then + # Check if any service is enabled in /etc/xinetd.d (xinetd is not active, see test INSE-8102) + LogText "Test: check if all services are disabled if xinetd is disabled" + FIND=$(${GREPBINARY} -r "disable\s*=\s*no" ${XINETD_CONFIG_DIR}) + if [ -z "${FIND}" ]; then + LogText "Result: no services found in ${XINETD_CONFIG_DIR}" + Display --indent 6 --text "- Enabled xinetd.d services" --result "${STATUS_NOT_FOUND}" --color GREEN + else + LogText "Result: found services in ${XINETD_CONFIG_DIR}, even though xinetd is not running" + Display --indent 6 --text "- Enabled xinetd.d services" --result "${STATUS_FOUND}" --color YELLOW + ReportSuggestion ${TEST_NO} "Although xinetd is not running, make sure no services are enabled in ${XINETD_CONFIG_DIR}, or remove xinetd service" + fi + fi +# +################################################################################# +# + # Test : INSE-8116 + # Description : Check for insecure services enabled via xinetd + if [ ${XINETD_ACTIVE} -eq 
1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8116 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Insecure services enabled via xinetd" + if [ ${SKIPTEST} -eq 0 ]; then + XINETD_INSECURE_SERVICE_FOUND=0 + + ITEMS="chargen chargen-dgram chargen-stream daytime daytime-dgram daytime-stream discard discard-dgram discard-stream echo echo-dgram echo-stream time time-dgram time-stream ntalk rexec rlogin rsh talk telnet tftp" + + for SERVICE in ${ITEMS}; do + LogText "Test: checking service ${SERVICE}" + if ! SkipAtomicTest "${TEST_NO}:${SERVICE}"; then + FILE="${XINETD_CONFIG_DIR}/${SERVICE}" + if [ -f "${FILE}" ]; then + LogText "Test: checking status in xinetd configuration file (${FILE})" + FIND=$(${GREPBINARY} "disable\s*=\s*no" ${FILE}) + if [ ! -z "${FIND}" ]; then + LogText "Result: found insecure service enabled: ${SERVICE}" + XINETD_INSECURE_SERVICE_FOUND=1 + ReportSuggestion "${TEST_NO}" "Disable or remove any insecure services in the xinetd configuration" "${SERVICE}" "text:See log file for more details" + Report "insecure_service[]=${SERVICE}" + fi + fi + else + LogText "Result: skipped, as this item is excluded using the profile" + fi + done + + if [ ${XINETD_INSECURE_SERVICE_FOUND} -eq 0 ]; then + LogText "Result: no insecure services found in xinetd configuration" + Display --indent 6 --text "- Checking xinetd (insecure services)" --result "${STATUS_OK}" --color GREEN + AddHP 3 3 + else + LogText "Result: one ore more insecure services discovered in xinetd configuration" + Display --indent 6 --text "- Checking xinetd (insecure services)" --result "${STATUS_WARNING}" --color RED + AddHP 0 3 + fi + fi +# +################################################################################# +# + # Test : INSE-8150 + # Description : Check for rsync enabled via xinetd + #RSYNC_XINETD_CONFIG_FILE="${XINETD_CONFIG_DIR}/rsync" + #if [ ${XINETD_ACTIVE} -eq 1 -a -f ${RSYNC_XINETD_CONFIG_FILE} ]; then 
PREQS_MET="YES"; else PREQS_MET="NO"; fi + #Register --test-no INSE-8150 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for rsync via xinetd" + #if [ ${SKIPTEST} -eq 0 ]; then + # LogText "Test: checking rsync presence in xinetd configuration" + # FIND=$(${GREPBINARY} "disable\s*=\s*no" ${RSYNC_XINETD_CONFIG_FILE}) + # if [ "${FIND}" = "" ]; then + # LogText "Result: rsync not enabled in ${RSYNC_XINETD_CONFIG_FILE}" + # Display --indent 6 --text "- Checking xinetd (rsync)" --result "${STATUS_DISABLED}" --color GREEN + # else + # LogText "Result: rsync enabled in ${RSYNC_XINETD_CONFIG_FILE}" + # Display --indent 6 --text "- Checking xinetd (rsync)" --result "${STATUS_ENABLED}" --color RED + # ReportSuggestion "${TEST_NO}" "Disable rsync in xinetd configuration" + # fi + #fi +# +################################################################################# +# + # Test : INSE-8200 + # Description : Check if tcp_wrappers is installed when inetd/xinetd is active + if [ ${INETD_ACTIVE} -eq 1 -o ${XINETD_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no INSE-8200 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check if tcp_wrappers is installed when inetd/xinetd is active" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: Checking if tcp_wrappers is installed" + FOUND=0 + PACKAGES="tcp_wrappers tcpd" + for PACKAGE in ${PACKAGES}; do + if PackageIsInstalled "${PACKAGE}"; then LogText "Package '${PACKAGE}' is installed"; FOUND=1; fi + done + if [ ${FOUND} -eq 1 ]; then + LogText "Result: tcp_wrappers is installed" + Display --indent 2 --text "- Checking tcp_wrappers installation" --result "${STATUS_OK}" --color GREEN + else + LogText "Result: tcp_wrappers is NOT installed" + Display --indent 2 --text "- Checking tcp_wrappers installation" --result "${STATUS_SUGGESTION}" --color YELLOW + #ReportSuggestion ${TEST_NO} "When network services are using the 
inetd/xinetd service, the tcp_wrappers package should be installed" + fi + fi +# +################################################################################# +# + # Test : INSE-8300 + # Description : Check if rsh client is installed + Register --test-no INSE-8300 --weight L --network NO --category security --description "Check if rsh client is installed" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: Checking if rsh client is installed" + FOUND=0 + PACKAGES="rsh rsh-client rsh-redone-client" + for PACKAGE in ${PACKAGES}; do + if PackageIsInstalled "${PACKAGE}"; then LogText "Package '${PACKAGE}' is installed"; FOUND=1; fi + done + if [ ${FOUND} -eq 1 ]; then + LogText "Result: rsh client is installed" + Display --indent 2 --text "- Installed rsh client package" --result "${STATUS_SUGGESTION}" --color YELLOW + ReportSuggestion ${TEST_NO} "Remove rsh client when it is not in use or replace with the more secure SSH package" + else + LogText "Result: rsh client is NOT installed" + Display --indent 2 --text "- Installed rsh client package" --result "${STATUS_OK}" --color GREEN + fi + fi +# +################################################################################# +# + # Test : INSE-8302 + # Description : Check presence of rsh Trust Files + #Register --test-no INSE-8302 --weight L --network NO --category security --description "Check presence of rsh Trust Files" + #if [ ${SKIPTEST} -eq 0 ]; then + # # Check presence of Rsh Trust Files + # FOUND=0 + # for LINE in $(${CAT_BINARY} /etc/passwd | ${EGREPBINARY} -v '^(root|halt|sync|shutdown)' | ${AWKBINARY} -F: '($7 !="/sbin/nologin" && $7 != "/bin/false") { print }'); do + # USER=$(echo ${LINE} | ${CUTBINARY} -d: -f1) + # DIR=$(echo ${LINE} | ${CUTBINARY} -d: -f6) + # if [ -d ${DIR} ]; then + # for RHOSTS in ${DIR}/.rhosts; do + # if [ ! 
-h ${RHOSTS} -a -f ${RHOSTS} ]; then + # LogText "FOUND .rhosts file in home directory ${DIR} of ${USER}" + # FOUND=1 + # fi + # done + # fi + # done + # if [ -f /etc/hosts.equiv ];then + # LogText "FOUND /etc/hosts.equiv" + # FOUND=1 + # fi + # if [ ${FOUND} -eq 1 ]; then + # LogText "Result: found one or more Rsh Trust Files" + # Display --indent 4 --text "- Checking presence of Rsh Trust Files" --result "${STATUS_SUGGESTION}" --color YELLOW + # ReportSuggestion ${TEST_NO} "Remove every Rsh Trust Files as they can allow unauthenticated access to a system" + # else + # LogText "Result: no Rsh Trust Files found" + # Display --indent 4 --text "- Checking presence of Rsh Trust Files" --result "${STATUS_OK}" --color GREEN + # fi + #fi +# +################################################################################# +# + # Test : INSE-8304 + # Description : Check if rsh server is installed + Register --test-no INSE-8342 --weight L --network NO --category security --description "Check if rsh server is installed" + if [ ${SKIPTEST} -eq 0 ]; then + # Check if rsh server is installed + LogText "Test: Checking if rsh server is installed" + FOUND=0 + PACKAGES="rsh-server rsh-redone-server" + for PACKAGE in ${PACKAGES}; do + if PackageIsInstalled "${PACKAGE}"; then LogText "Package '${PACKAGE}' is installed"; FOUND=1; fi + done + if [ ${FOUND} -eq 1 ]; then + LogText "Result: rsh server is installed" + Display --indent 2 --text "- Installed rsh server package" --result "${STATUS_SUGGESTION}" --color YELLOW + ReportSuggestion ${TEST_NO} "Remove the rsh-server package and replace with a more secure alternative like SSH" + Report "insecure_service[]=rsh-server" + else + LogText "Result: rsh server is NOT installed" + Display --indent 2 --text "- Installed rsh server package" --result "${STATUS_OK}" --color GREEN + fi + fi +# +################################################################################# +# + # Test : INSE-8310 + # Description : Check if telnet client is 
installed + Register --test-no INSE-8310 --weight L --network NO --category security --description "Check if telnet client is installed" + if [ ${SKIPTEST} -eq 0 ]; then + # Check if telnet client is installed + LogText "Test: Checking if telnet client is installed" + if PackageIsInstalled "${PACKAGE}"; then LogText "Package '${PACKAGE}' is installed"; FOUND=1; fi + + if [ ${FOUND} -eq 1 ]; then + LogText "Result: telnet client is installed" + Display --indent 2 --text "- Installed telnet client package" --result "${STATUS_FOUND}" --color YELLOW + # Telnet client usage might be used for troubleshooting instead of system administration + #ReportSuggestion ${TEST_NO} "telnet client contain numerous security exposures and have been replaced with the more secure SSH package" + else + LogText "Result: telnet client is NOT installed" + Display --indent 2 --text "- Installed telnet client package" --result "${STATUS_OK}" --color GREEN + fi + fi +# +################################################################################# +# + # Test : INSE-8312 + # Description : Check if telnet server is installed + Register --test-no INSE-8322 --weight L --network NO --category security --description "Check if telnet server is installed" + if [ ${SKIPTEST} -eq 0 ]; then + # Check if TFTP server is installed + LogText "Test: Checking if telnet server is installed" + FOUND=0 + PACKAGES="telnetd telnet-server" + for PACKAGE in ${PACKAGES}; do + if PackageIsInstalled "${PACKAGE}"; then LogText "Package '${PACKAGE}' is installed"; FOUND=1; fi + done + if [ ${FOUND} -eq 1 ]; then + LogText "Result: telnet server is installed" + Display --indent 2 --text "- Installed telnet server package" --result "${STATUS_FOUND}" --color YELLOW + ReportSuggestion ${TEST_NO} "Removing the ${FOUND} package and replace with SSH when possible" + Report "insecure_service[]=telnet-server" + else + LogText "Result: telnet server is NOT installed" + Display --indent 2 --text "- Installed telnet server 
package" --result "${STATUS_NOT_FOUND}" --color GREEN + fi + fi +# ################################################################################# # if [ ! -z "${LAUNCHCTL_BINARY}" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="No launchctl binary on this system"; fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_kernel new/lynis/include/tests_kernel --- old/lynis/include/tests_kernel 2019-03-07 01:00:00.000000000 +0100 +++ new/lynis/include/tests_kernel 2019-04-21 02:00:00.000000000 +0200 @@ -473,7 +473,7 @@ AddHP 0 1 else LogText "Result: found default option, some programs can dump (not processes which need to change credentials)" - Display --indent 4 --text "- Checking setuid core dumps configuration" --result DEFAULT --color YELLOW + Display --indent 4 --text "- Checking setuid core dumps configuration" --result DEFAULT --color WHITE AddHP 1 1 fi else diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_logging new/lynis/include/tests_logging --- old/lynis/include/tests_logging 2019-03-07 01:00:00.000000000 +0100 +++ new/lynis/include/tests_logging 2019-04-21 02:00:00.000000000 +0200 @@ -363,7 +363,7 @@ # Search for configured destinations with an IP address or hostname, then determine which ones are used as a log destination DESTINATIONS=$(${GREPBINARY} "^destination" ${SYSLOGD_CONF} | ${EGREPBINARY} "(udp|tcp)" | ${GREPBINARY} "port" | ${AWKBINARY} '{print $2}') for DESTINATION in ${DESTINATIONS}; do - FIND2=$(${GREPBINARY} "log" | ${GREPBINARY} "source" | ${EGREPBINARY} "destination\(${DESTINATION}\)") + FIND2=$(${GREPBINARY} "log" ${SYSLOGD_CONF} | ${GREPBINARY} "source" | ${EGREPBINARY} "destination\(${DESTINATION}\)") if [ ! -z "${FIND2}" = "" ]; then LogText "Result: found destination ${DESTINATION} configured for remote logging" REMOTE_LOGGING_ENABLED=1 
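Review bot: INSE-8310 (telnet client) never resets `FOUND` and never defines `PACKAGE`, so its single `PackageIsInstalled "${PACKAGE}"` call queries whatever the previous loop left in `PACKAGE` and the test reports the rsh-server outcome of the block above it rather than anything about the telnet client; it should initialise `FOUND=0` and loop over its own package list as the neighbouring tests do (rewrite below). Two test numbers disagree with their headers: the block documented as INSE-8304 registers `INSE-8342` and the one documented as INSE-8312 registers `INSE-8322`, and the latter's suggestion interpolates `${FOUND}` (the value 1) where a package name was meant — `${PACKAGE}` or the literal `telnet-server` is what should reach the user. Minor: INSE-8104's description still reads `Check for enabled xinet daemon` for a configuration-file check, the INSE-8312 body comment says `TFTP server`, and INSE-8116 logs `one ore more`.
```shell
      # Test : INSE-8310
      # … unchanged: Register and "Test:" LogText lines …
      FOUND=0
      PACKAGES="telnet"   # client package name(s) to confirm per distribution
      for PACKAGE in ${PACKAGES}; do
        if PackageIsInstalled "${PACKAGE}"; then LogText "Package '${PACKAGE}' is installed"; FOUND=1; fi
      done
      # … unchanged: result display and suggestion …
```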
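Review bot: Adding `${SYSLOGD_CONF}` to the first grep gives `FIND2` a real value, but the condition on the next line, `if [ ! -z "${FIND2}" = "" ]; then`, is a five-argument `test` that the shell does not accept (bash reports `too many arguments` and returns status 2), so the branch that sets `REMOTE_LOGGING_ENABLED=1` is never taken and the fix has no visible effect. Change it to `if [ ! -z "${FIND2}" ]; then`. The enclosing test body continues outside the hunk.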
@@ -465,13 +465,11 @@ FIND=$(${LSOFBINARY} -n 2>&1 | ${GREPBINARY} "log$" | ${EGREPBINARY} -v "WARNING|Output information" | ${AWKBINARY} '{ if ($5=="REG") { print $9 } }' | ${SORTBINARY} -u | ${GREPBINARY} -v "^$") for I in ${FIND}; do LogText "Found logfile: ${I}" - Report "open_logfile[]=${I}" done Display --indent 2 --text "- Checking open log files" --result "${STATUS_DONE}" --color GREEN else LogText "Result: lsof not installed, skipping test" - Display --indent 2 --text "- Checking open log files" --result "${STATUS_SKIPPED}" --color YELLOW - # Add suggestion + Display --indent 2 --text "- Checking open log files" --result "${STATUS_SKIPPED}" --color WHITE fi fi # diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_networking new/lynis/include/tests_networking --- old/lynis/include/tests_networking 2019-03-07 01:00:00.000000000 +0100 +++ new/lynis/include/tests_networking 2019-04-21 02:00:00.000000000 +0200 
@@ -507,35 +507,54 @@ # # Test : NETW-3015 # Description : Checking promiscuous interfaces (Linux) - # Note : Need ifconfig binary at this moment (does not work on Arch Linux) - if [ ! "${IFCONFIGBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no NETW-3015 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking promiscuous interfaces (Linux)" + Register --test-no NETW-3015 --os Linux --weight L --network NO --category security --description "Checking promiscuous interfaces (Linux)" if [ ${SKIPTEST} -eq 0 ]; then - LogText "Test: Checking promiscuous interfaces (Linux)" - NETWORK=$(${IFCONFIGBINARY} 2> /dev/null | ${GREPBINARY} Link | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f1) - if [ ! "${NETWORK}" = "" ]; then + FOUNDPROMISC=99 + NETWORK="" + USE_IP_INSTEAD_IFCONFIG=0 + + if [ ! -z "${IPBINARY}" ]; then + LogText "Test: Using ip binary to retrieve network interfaces" + NETWORK=$(${IPBINARY} -o link 2> /dev/null | ${GREPBINARY} "^[0-9]" | ${AWKBINARY} '{print $2 }' | ${TRBINARY} -d ':') + USE_IP_INSTEAD_IFCONFIG=1 + elif [ ! -z "${IFCONFIGBINARY}" ]; then + LogText "Test: Using ifconfig binary to retrieve network interfaces" + NETWORK=$(${IFCONFIGBINARY} 2> /dev/null | ${GREPBINARY} Link | ${TRBINARY} -s ' ' | ${CUTBINARY} -d ' ' -f1) + fi + + LogText "Test: Checking all interfaces to discover any with promiscuous mode enabled" + if [ ! -z "${NETWORK}" ]; then + FOUNDPROMISC=0 for I in ${NETWORK}; do - FIND=$(${IFCONFIGBINARY} ${I} 2> /dev/null | ${GREPBINARY} PROMISC) - if [ ! "${FIND}" = "" ]; then + if [ ${USE_IP_INSTEAD_IFCONFIG} -eq 1 ]; then + FIND=$(${IPBINARY} -o -d link show ${I} 2> /dev/null | ${GREPBINARY} 'promiscuity 1') + else + FIND=$(${IFCONFIGBINARY} ${I} 2> /dev/null | ${GREPBINARY} PROMISC) + fi + if [ ! 
-z "${FIND}" ]; then LogText "Result: Promiscuous interface: ${I}" ISWHITELISTED=$(${GREPBINARY} "^if_promisc:${I}:" ${PROFILE}) - if [ "${ISWHITELISTED}" = "" ]; then + if [ -z "${ISWHITELISTED}" ]; then FOUNDPROMISC=1 - ReportWarning ${TEST_NO} "Found promiscuous interface (${I})" + ReportWarning ${TEST_NO} "Found promiscuous interface" "${I}" "text:Determine if this mode is required or whitelist interface in profile" LogText "Note: some tools put an interface into promiscuous mode, to capture/log network traffic" else LogText "Result: Found promiscuous interface ${I} (*whitelisted via profile*)" fi fi done + else + LogText "Result: no network interfaces discovered, so nothing tested" fi # Show result if [ ${FOUNDPROMISC} -eq 0 ]; then Display --indent 2 --text "- Checking promiscuous interfaces" --result "${STATUS_OK}" --color GREEN LogText "Result: No promiscuous interfaces found" - else + elif [ ${FOUNDPROMISC} -eq 1 ]; then Display --indent 2 --text "- Checking promiscuous interfaces" --result "${STATUS_WARNING}" --color RED + else + Display --indent 2 --text "- Checking promiscuous interfaces" --result "${STATUS_UNKNOWN}" --color YELLOW fi fi # diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_ports_packages new/lynis/include/tests_ports_packages --- old/lynis/include/tests_ports_packages 2019-03-07 01:00:00.000000000 +0100 +++ new/lynis/include/tests_ports_packages 2019-04-21 02:00:00.000000000 +0200 @@ -344,7 +344,7 @@ COUNT=0 PACKAGE_AUDIT_TOOL_FOUND=1 PACKAGE_AUDIT_TOOL="zypper" - FIND=$(${ZYPPERBINARY} -n se -t package -i | ${AWKBINARY} '{ if ($1=="i") { print $3 } }') + FIND=$(${ZYPPERBINARY} --non-interactive -n se -t package -i | ${AWKBINARY} '{ if ($1=="i") { print $3 } }') if [ ! -z "${FIND}" ]; then for PKG in ${FIND}; do COUNT=$((COUNT + 1)) 
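Review bot: The interface list built from `ip -o link` keeps the `@parent` suffix that ip prints for VLAN and similar virtual interfaces (constructed example: `eth0.100@eth0`), and `ip -o -d link show` does not accept that spelling, with the error hidden by `2> /dev/null`, so such interfaces silently come out as not promiscuous; strip the suffix when building `NETWORK`, e.g. append `| ${SEDBINARY} 's/@.*//'` after the `${TRBINARY} -d ':'`. The match `'promiscuity 1'` only recognises a count of exactly one, while `ip -d` prints the number of promiscuous users, so two simultaneous captures (`promiscuity 2`) would also be missed — `'promiscuity [1-9]'` covers that. Both points are inferred from iproute2 behaviour rather than from lines visible here; worth confirming on a host with a VLAN interface.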
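Review bot: `-n` is zypper's short form of `--non-interactive`, so the new line passes the same option twice; the sibling hunks for PKGS-7330 and the `lp` query drop `-n` when adding the long form, and this one should too: `FIND=$(${ZYPPERBINARY} --non-interactive se -t package -i | ${AWKBINARY} '{ if ($1=="i") { print $3 } }')`.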
@@ -365,7 +365,7 @@ if [ ! -z "${ZYPPERBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PKGS-7330 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying Zypper for vulnerable packages" if [ ${SKIPTEST} -eq 0 ]; then - FIND=$(${ZYPPERBINARY} -n pchk | ${GREPBINARY} "(0 security patches)") + FIND=$(${ZYPPERBINARY} --non-interactive pchk | ${GREPBINARY} "(0 security patches)") if [ ! -z "${FIND}" ]; then LogText "Result: No security updates found with Zypper" Display --indent 2 --text "- Using Zypper to find vulnerable packages" --result "${STATUS_NONE}" --color GREEN @@ -374,7 +374,7 @@ LogText "Result: Zypper found one or more installed packages which are vulnerable." ReportWarning ${TEST_NO} "Found one or more vulnerable packages installed" # Unfortunately zypper does not properly give back which package it is. Usually best guess is last word on the line - FIND=$(${ZYPPERBINARY} -n lp | ${AWKBINARY} '{ if ($5=="security" || $7=="security") { print $NF }}' | ${SEDBINARY} 's/:$//' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u) + FIND=$(${ZYPPERBINARY} --non-interactive lp | ${AWKBINARY} '{ if ($5=="security" || $7=="security") { print $NF }}' | ${SEDBINARY} 's/:$//' | ${GREPBINARY} -v "^$" | ${SORTBINARY} -u) LogText "List of vulnerable packages/version:" for PKG in ${FIND}; do VULNERABLE_PACKAGES_FOUND=1 @@ -930,7 +930,6 @@ AddHP 1 2 done ReportWarning ${TEST_NO} "Found one or more vulnerable packages." - ReportSuggestion ${TEST_NO} "Use 'yum --security update' to update your system" fi else LogText "Result: yum-security package not found" 
@@ -1055,7 +1054,8 @@ # # Test : PKGS-7392 # Description : Check Debian/Ubuntu vulnerable packages - if [ -x ${ROOTDIR}usr/bin/apt-get ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + # Note : Skip for zypper-based systems + if [ -x ${ROOTDIR}usr/bin/apt-get -a -z "${ZYPPERBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PKGS-7392 --os Linux --preqs-met ${PREQS_MET} --root-only YES --weight L --network YES --category security --description "Check for Debian/Ubuntu security updates" if [ ${SKIPTEST} -eq 0 ]; then VULNERABLE_PACKAGES_FOUND=0 @@ -1247,8 +1247,20 @@ Register --test-no PKGS-7410 --weight L --network NO --category security --description "Count installed kernel packages" if [ ${SKIPTEST} -eq 0 ]; then KERNELS=0 - if [ ! -z "${RPMBINARY}" ]; then - LogText "Test: Checking how many kernel packages are installed" + LogText "Test: Checking how many kernel packages are installed" + + if [ ! -z "${DPKGBINARY}" ]; then + KERNELS=$(${DPKGBINARY} -l 2> /dev/null | ${GREPBINARY} "linux-image-[0-9]" | ${WCBINARY} -l) + if [ ${KERNELS} -eq 0 ]; then + LogText "Result: found no kernels from dpkg -l output, which is unexpected" + ReportException "KRNL-5840:2" "Could not find any kernel packages from DPKG output" + elif [ ${KERNELS} -gt 5 ]; then + LogText "Result: found more than 5 kernel packages on the system, which might indicate lack of regular cleanups" + ReportSuggestion "${TEST_NO}" "Remove any unneeded kernel packages" "${KERNELS} kernels" "text:validate dpkg -l output and perform cleanup with apt autoremove" + else + LogText "Result: found ${KERNELS} kernel packages on the system, which is fine" + fi + elif [ ! -z "${RPMBINARY}" ]; then KERNELS=$(${RPMBINARY} -q kernel 2> /dev/null | ${WCBINARY} -l) if [ ${KERNELS} -eq 0 ]; then LogText "Result: found no kernels from rpm -q kernel output, which is unexpected" 
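Review bot: The dpkg branch of PKGS-7410 counts every `dpkg -l` line matching `linux-image-[0-9]`, which includes packages in state `rc` (removed, configuration left behind), so an already-removed kernel is still counted and can trigger the cleanup suggestion; filter on the installed state first, `${DPKGBINARY} -l 2> /dev/null | ${GREPBINARY} "^ii" | ${GREPBINARY} "linux-image-[0-9]" | ${WCBINARY} -l`. The exception on the zero-kernel path is filed as `KRNL-5840:2` although this test registers as PKGS-7410; if that id is intentional it deserves a comment, otherwise `"${TEST_NO}:2"` keeps it traceable. The enclosing test body continues into the next hunk.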
@@ -1256,16 +1268,78 @@ elif [ ${KERNELS} -gt 5 ]; then LogText "Result: found more than 5 kernel packages on the system, which might indicate lack of regular cleanups" ReportSuggestion "${TEST_NO}" "Remove any unneeded kernel packages with package-cleanup utility (--old-kernels)" - AddHP 4 5 else - LogText "Result: found ${KERNELS} on the system, which is fine" - AddHP 1 1 + LogText "Result: found ${KERNELS} kernel packages on the system, which is fine" fi fi + + Report "installed_kernel_packages=${KERNELS}" fi # ################################################################################# # + # Test : PKGS-7420 + # Description : Detect toolkit to automatically download and apply upgrades + Register --test-no PKGS-7420 --weight L --network NO --category security --description "Detect toolkit to automatically download and apply upgrades" + if [ ${SKIPTEST} -eq 0 ]; then + UNATTENDED_UPGRADES_TOOLKIT=0 + UNATTENDED_UPGRADES_TOOL="" + UNATTENDED_UPGRADES_OPTION_AVAILABLE=0 + + case "${OS}" in + "Linux") + case "${LINUX_VERSION}" in + "CentOS" | "Debian" | "Fedora" | "RHEL" | "Ubuntu") + + UNATTENDED_UPGRADES_OPTION_AVAILABLE=1 + # Test available tools for Linux + if [ -f "${ROOTDIR}bin/auter" ]; then + UNATTENDED_UPGRADES_TOOL="auter" + UNATTENDED_UPGRADES_TOOLKIT=1 + LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}" + Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}" + fi + if [ -f "${ROOTDIR}sbin/yum-cron" ]; then + UNATTENDED_UPGRADES_TOOL="yum-cron" + UNATTENDED_UPGRADES_TOOLKIT=1 + LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}" + Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}" + fi + if [ -f "${ROOTDIR}usr/bin/dnf-automatic" ]; then + UNATTENDED_UPGRADES_TOOL="dnf-automatic" + UNATTENDED_UPGRADES_TOOLKIT=1 + LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}" + Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}" + fi + if [ -f "${ROOTDIR}usr/bin/unattended-upgrade" ]; then + 
UNATTENDED_UPGRADES_TOOL="unattended-upgrade" + UNATTENDED_UPGRADES_TOOLKIT=1 + LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}" + Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}" + fi + ;; + esac + ;; + esac + + if [ ${UNATTENDED_UPGRADES_OPTION_AVAILABLE} -eq 1 ]; then + if [ ${UNATTENDED_UPGRADES_TOOLKIT} -eq 1 ]; then + AddHP 5 5 + Display --indent 2 --text "- Toolkit for automatic upgrades (${UNATTENDED_UPGRADES_TOOL})" --result "${STATUS_FOUND}" --color GREEN + else + AddHP 1 5 + Display --indent 2 --text "- Toolkit for automatic upgrades" --result "${STATUS_NOTFOUND}" --color YELLOW + LogText "Result: no toolkit for automatic updates discovered" + ReportSuggestion "${TEST_NO}" "Consider using a tool to automatically apply upgrades" + fi + fi + + Report "unattended_upgrade_option_available=${UNATTENDED_UPGRADES_OPTION_AVAILABLE}" + fi +# +################################################################################# +# + if [ ! -z "${INSTALLED_PACKAGES}" ]; then Report "installed_packages_array=${INSTALLED_PACKAGES}"; fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_scheduling new/lynis/include/tests_scheduling --- old/lynis/include/tests_scheduling 2019-03-07 01:00:00.000000000 +0100 +++ new/lynis/include/tests_scheduling 2019-04-21 02:00:00.000000000 +0200 @@ -61,6 +61,7 @@ CRONTAB_FILE="${ROOTDIR}etc/crontab" if [ -f ${CRONTAB_FILE} ]; then + ${EGREPBINARY} -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:/etc/crontab" if IsWorldWritable ${CRONTAB_FILE}; then LogText "Result: insecure file permissions for cronjob file ${CRONTAB_FILE}"; Report "insecure_fileperms_cronjob[]=${CRONTAB_FILE}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi if ! IsOwnedByRoot ${CRONTAB_FILE}; then LogText "Result: incorrect owner found for cronjob file ${CRONTAB_FILE}"; Report "bad_fileowner_cronjob[]=${CRONTAB_FILE}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi FindCronJob ${CRONTAB_FILE} 
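Review bot: The not-found branch of PKGS-7420 expands `${STATUS_NOTFOUND}`, while every other test on this page uses `${STATUS_NOT_FOUND}` (INSE-8000, INSE-8104, the telnet-server test); unless a separate `STATUS_NOTFOUND` is defined elsewhere, the result column prints empty, so it should read `--result "${STATUS_NOT_FOUND}"`. When more than one tool is present, `UNATTENDED_UPGRADES_TOOL` is overwritten in sequence, so the Display line names only the last one found even though each is reported. Detection is by file presence only; a header comment such as `# Note : only presence of the tool is detected, not whether it is enabled or scheduled` would tell the reader what the 5/5 score actually asserts.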
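Review bot: The pattern `'lynis audit system'` is matched anywhere in the crontab, so a commented-out entry is reported as a scheduled run; anchoring on non-comment lines, `${EGREPBINARY} -q -s '^[^#]*lynis audit system' ${CRONTAB_FILE}`, avoids that. The recorded value hardcodes `file:/etc/crontab` while the file examined is `${CRONTAB_FILE}` (which carries `${ROOTDIR}`); `LYNIS_CRONJOB="file:${CRONTAB_FILE}"` keeps the two in step. The same grep pattern recurs in the later hunks of this file, so whichever form is chosen should be applied to all of them.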
@@ -85,6 +86,8 @@ for FILE in ${FIND}; do if IsWorldWritable ${FILE}; then LogText "Result: insecure file permissions for cronjob file ${J}"; Report "insecure_fileperms_cronjob[]=${J}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi if ! IsOwnedByRoot ${FILE}; then LogText "Result: incorrect owner found for cronjob file ${J}"; Report "bad_fileowner_cronjob[]=${J}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi + FILENAME=$(echo ${FILE} | ${AWKBINARY} -F/ '{print $NF}') + if [ "${FILENAME}" = "lynis" ]; then ${EGREPBINARY} -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:${FILE}"; fi FindCronJob ${FILE} if HasData "${sCRONJOBS}"; then for K in ${sCRONJOBS}; do @@ -115,11 +118,13 @@ LogText "Result: no files found in ${I}" else LogText "Result: found one or more files in ${I}. Analyzing files.." - for J in ${FIND}; do - if IsWorldWritable ${J}; then LogText "Result: insecure file permissions for cronjob file ${J}"; Report "insecure_fileperms_cronjob[]=${J}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi - if ! IsOwnedByRoot ${J}; then LogText "Result: incorrect owner found for cronjob file ${J}"; Report "bad_fileowner_cronjob[]=${J}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi - LogText "Result: Found cronjob (${I}): ${J}" - Report "cronjob[]=${J}" + for FILE in ${FIND}; do + if IsWorldWritable ${FILE}; then LogText "Result: insecure file permissions for cronjob file ${FILE}"; Report "insecure_fileperms_cronjob[]=${FILE}"; BAD_FILE_PERMISSIONS=1; AddHP 0 5; fi + if ! IsOwnedByRoot ${FILE}; then LogText "Result: incorrect owner found for cronjob file ${FILE}"; Report "bad_fileowner_cronjob[]=${FILE}"; BAD_FILE_OWNERSHIP=1; AddHP 0 5; fi + FILENAME=$(echo ${FILE} | ${AWKBINARY} -F/ '{print $NF}') + if [ "${FILENAME}" = "lynis" ]; then ${EGREPBINARY} -q -s 'lynis audit system' ${CRONTAB_FILE} && LYNIS_CRONJOB="file:${FILE}"; fi + LogText "Result: Found cronjob (${I}): ${FILE}" + Report "cronjob[]=${FILE}" done LogText "Result: done with analyzing files in ${I}" fi 
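Review bot: Both added `if [ "${FILENAME}" = "lynis" ]` lines, here and in the `@@ -115` hunk below, grep `${CRONTAB_FILE}` instead of the file that was just found, so a cron.d or cron.daily file named `lynis` is only recorded as scheduled when `/etc/crontab` happens to contain the string, and `LYNIS_CRONJOB` is then set to a path that was never inspected; the intended line is `${EGREPBINARY} -q -s 'lynis audit system' ${FILE} && LYNIS_CRONJOB="file:${FILE}"`. The `echo ${FILE} | ${AWKBINARY} -F/ '{print $NF}'` pipeline can be the POSIX parameter expansion `FILENAME=${FILE##*/}`, avoiding two forks per file. The name filter also means a file called e.g. `lynis-audit` is never examined; grepping every file, as the `@@ -137` hunk does for spool files, would be simpler and more robust. The enclosing loop starts outside the hunk.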
@@ -137,21 +142,23 @@ FIND=$(${FINDBINARY} /var/spool/cron/crontabs -xdev -type f -print 2> /dev/null) for I in ${FIND}; do if FileIsReadable ${I}; then + ${EGREPBINARY} -q -s 'lynis audit system' ${I} && LYNIS_CRONJOB="file:${I}" FindCronJob ${I} - for J in ${sCRONJOBS}; do - LogText "Found cronjob (/var/spool/cron/crontabs): ${I} (${J})" + for FILE in ${sCRONJOBS}; do + LogText "Found cronjob (/var/spool/cron/crontabs): ${I} (${FILE})" Report "cronjob[]=${I}" done fi done else - if [ -d /var/spool/cron ]; then - FIND=$(find /var/spool/cron -type f -print) + if [ -d ${ROOTDIR}var/spool/cron ]; then + FIND=$(find ${ROOTDIR}var/spool/cron -type f -print) for I in ${FIND}; do if FileIsReadable ${I}; then + ${EGREPBINARY} -q -s 'lynis audit system' ${I} && LYNIS_CRONJOB="file:${I}" FindCronJob ${I} - for J in ${sCRONJOBS}; do - LogText "Found cronjob (/var/spool/cron): ${I} (${J})" + for FILE in ${sCRONJOBS}; do + LogText "Found cronjob in ${ROOTDIR}var/spool/cron: ${I} (${FILE})" LogText "cronjob[]=${I}" done fi 
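Review bot: The new `FIND=$(find ${ROOTDIR}var/spool/cron -type f -print)` calls a bare `find` while the sibling branch above uses `${FINDBINARY} ... -xdev -type f -print 2> /dev/null`; for consistency and to keep error output out of `FIND`, use `FIND=$(${FINDBINARY} ${ROOTDIR}var/spool/cron -xdev -type f -print 2> /dev/null)`. After this change only this branch honours ROOTDIR, since the crontabs branch still searches the literal `/var/spool/cron/crontabs`. The context line `LogText "cronjob[]=${I}"` in the same branch looks like it was meant to be `Report "cronjob[]=${I}"`, as in the crontabs branch; that is pre-existing but worth fixing while the loop is being touched.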
@@ -177,12 +184,12 @@ # Show warning when an issue shows up. Even if *both* the permissions and ownership are wrong, just show one (prevent overload of warnings). if [ ${BAD_FILE_PERMISSIONS} -eq 1 ]; then ReportWarning "${TEST_NO}" "Found one or more cronjob files with incorrect file permissions (see log for details)" - Display --indent 2 --text "- Checking crontab/cronjob" --result "${STATUS_WARNING}" --color RED + Display --indent 2 --text "- Checking crontab and cronjobs files" --result "${STATUS_WARNING}" --color RED elif [ ${BAD_FILE_OWNERSHIP} -eq 1 ]; then ReportWarning "${TEST_NO}" "Found one or more cronjob files with incorrect ownership (see log for details)" - Display --indent 2 --text "- Checking crontab/cronjob" --result "${STATUS_WARNING}" --color RED + Display --indent 2 --text "- Checking crontab and cronjob files" --result "${STATUS_WARNING}" --color RED else - Display --indent 2 --text "- Checking crontab/cronjob" --result "${STATUS_DONE}" --color GREEN + Display --indent 2 --text "- Checking crontab and cronjob files" --result "${STATUS_DONE}" --color GREEN fi fi @@ -298,6 +305,12 @@ ################################################################################# # +if [ -z "${LYNIS_CRONJOB}" ]; then + LogText "Result: no scheduled Lynis execution found (e.g. crontab, cronjob)" +else + LogText "Result: found scheduled Lynis execution (${LYNIS_CRONJOB})" +fi + WaitForKeyPress # diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_shells new/lynis/include/tests_shells --- old/lynis/include/tests_shells 2019-03-07 01:00:00.000000000 +0100 +++ new/lynis/include/tests_shells 2019-04-21 02:00:00.000000000 +0200 
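Review bot: The three rewritten Display strings are clearly meant to be identical, but the first reads `"- Checking crontab and cronjobs files"` while the other two read `"- Checking crontab and cronjob files"`. Change the first to `Display --indent 2 --text "- Checking crontab and cronjob files" --result "${STATUS_WARNING}" --color RED` so the screen line does not change wording depending on which warning fired.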
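Review bot: The scheduled-run result is written only with `LogText`, so the report data file and anything consuming it cannot tell whether Lynis is scheduled; a `Report` call alongside the log line (e.g. one carrying the `${LYNIS_CRONJOB}` value) would make the finding usable outside the log. The `if [ -z "${LYNIS_CRONJOB}" ]` test also relies on the variable being initialised before the cron loops run, which is not visible in this diff; an explicit `LYNIS_CRONJOB=""` at the top of the file would make that obvious.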
@@ -31,9 +31,10 @@ # Files (interactive login shells): /etc/profile $HOME/.bash_profile # $HOME/.bash_login $HOME/.profile # Files (interactive non-login shells): $HOME/.bash_rc - + # # csh/tcsh # Files: /etc/csh.cshrc /etc/csh.login + # # zsh # Files: /etc/zshenv /etc/zsh/zshenv $HOME/.zshenv /etc/zprofile # /etc/zsh/zprofile $HOME/.zprofile /etc/zshrc /etc/zsh/zshrc @@ -68,8 +69,8 @@ ################################################################################# # # Test : SHLL-6211 - # Description : which shells are available according /etc/shells - Register --test-no SHLL-6211 --weight L --network NO --category security --description "Checking available and valid shells" + # Description : Determine available shell according /etc/shells + Register --test-no SHLL-6211 --weight L --network NO --category security --description "Available and valid shells" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Searching for ${ROOTDIR}etc/shells" if [ -f ${ROOTDIR}etc/shells ]; then @@ -98,8 +99,8 @@ ################################################################################# # # Test : SHLL-6220 - # Description : check for idle session killing tools or settings - Register --test-no SHLL-6220 --weight L --network NO --category security --description "Checking available and valid shells" + # Description : Check for idle session killing tools or settings + Register --test-no SHLL-6220 --weight L --network NO --category security --description "Idle session killing tools or settings" if [ ${SKIPTEST} -eq 0 ]; then IDLE_TIMEOUT_METHOD="" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_squid new/lynis/include/tests_squid --- old/lynis/include/tests_squid 2019-03-07 01:00:00.000000000 +0100 +++ new/lynis/include/tests_squid 2019-04-21 02:00:00.000000000 +0200 
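Review bot: The rewritten comment in the `@@ -68` hunk, `# Description : Determine available shell according /etc/shells`, drops a word and a plural; `# Description : Determine available shells according to /etc/shells` reads correctly and matches the new Register text. The same hunk tests `${ROOTDIR}etc/shells`, so the comment could name the ROOTDIR form as well.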
@@ -111,7 +111,7 @@ # Test : SQD-3610 # Description : Check Squid configuration options if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no SQD-3610 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid version" + Register --test-no SQD-3610 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Gather Squid settings" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Checking all specific defined options in ${SQUID_DAEMON_CONFIG}" FIND=$(${GREPBINARY} -v "^#" ${SQUID_DAEMON_CONFIG} | ${GREPBINARY} -v "^$" | ${AWKBINARY} '{gsub("\t"," ");print}' | ${SEDBINARY} 's/ /!space!/g') @@ -126,7 +126,7 @@ ################################################################################# # # Test : SQD-3613 - # Description : Check Squid configuration options + # Description : Check Squid configuration file permissions if [ ${SQUID_DAEMON_RUNNING} -eq 1 -a ! -z "${SQUID_DAEMON_CONFIG}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no SQD-3613 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Squid file permissions" if [ ${SKIPTEST} -eq 0 ]; then diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_ssh new/lynis/include/tests_ssh --- old/lynis/include/tests_ssh 2019-03-07 01:00:00.000000000 +0100 +++ new/lynis/include/tests_ssh 2019-04-21 02:00:00.000000000 +0200 
@@ -137,7 +137,7 @@ IgnoreRhosts:YES,,NO:=\ LoginGraceTime:120,240,480:<\ LogLevel:VERBOSE,INFO,:=\ - MaxAuthTries:2,4,6:<\ + MaxAuthTries:3,6,999:<\ MaxSessions:2,4,8:<\ PermitRootLogin:(NO|PROHIBIT-PASSWORD|WITHOUT-PASSWORD),,YES:=\ PermitUserEnvironment:NO,,YES:=\ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_webservers new/lynis/include/tests_webservers --- old/lynis/include/tests_webservers 2019-03-07 01:00:00.000000000 +0100 +++ new/lynis/include/tests_webservers 2019-04-21 02:00:00.000000000 +0200 @@ -113,9 +113,10 @@ Display --indent 6 --text "Info: Configuration file found (${APACHE_CONFIGFILE})" LogText "Result: Configuration file found (${APACHE_CONFIGFILE})" else - LogText "Result: File or directory ${APACHE_CONFIGFILE} does not exist" + LogText "Result: File or directory ${APACHE_TESTFILE} does not exist" Display --indent 6 --text "[Notice] possible directory/file parts found, but still unsure what the real configuration file is. Skipping some Apache related tests" ReportException "${TEST_NO}:1" "Found some unknown directory or file references in Apache configuration" + LogText "Note: if only the Apache binary package has been installed, then the configuration might be missing. Is the Apache package really needed?" fi fi fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tool_tips new/lynis/include/tool_tips --- old/lynis/include/tool_tips 2019-03-07 01:00:00.000000000 +0100 +++ new/lynis/include/tool_tips 2019-04-21 02:00:00.000000000 +0200 
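Review bot: Raising the third tier of `MaxAuthTries` from 6 to 999 means that, if the trailing `<` is evaluated as "configured value must be below the tier value" as it presumably is for `LoginGraceTime` and `MaxSessions`, almost any `MaxAuthTries` setting now clears the lowest tier and a generous value such as 50 is no longer flagged; the OpenSSH default is 6. A short comment on the line explaining why 999 was chosen would help the next reader, because the value reads as a sentinel rather than a hardening threshold. The option table continues outside the hunk.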
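Review bot: The `@@ -113` hunk in tests_webservers now logs `${APACHE_TESTFILE}`, a variable set outside this hunk, so it is worth confirming it holds the path that was actually tested in this branch; the `Display` line in the same branch does not name the path at all, so the log line is the only place the user can see it. The new `LogText "Note: ..."` hint about a binary-only Apache package is log-only; if it is meant for the operator, the preceding `Display` line is where it would be seen. The enclosing if/else block starts and ends outside the hunk.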
@@ -26,16 +26,41 @@ # Only show tips when enabled if [ ${SHOW_TOOL_TIPS} -eq 1 ]; then + LogText "Tool tips: enabled" + # * Regular security auditing + # + # If package is installed, then suggest users to schedule the audit daily + # How: confirm presence of directory /etc/lynis and check cronjobs + + + # * Check for duplicate items between default and custom profile + # + # This can be done by marking an item if it overwrites the default profile + # with the same value. + # + # Rationale: default profile should contain have sensible default and + # custom profile allows customization for the user or system. + + + # Suggest usage of plugins if none are enabled + + # Bash completion support - if [ ! "${ETC_PATHS}" = "" ]; then - for I in ${ETC_PATHS}; do - if [ -d ${I}/bash-completion.d ]; then - if [ ! -f ${ETC_PATHS}/bash_completion.d/lynis ]; then - Display "This system has a bash_completion directory. Copy extras/bash_completion.d/lynis to ${I} to get completion support for Lynis" - fi - fi - done - fi + # + # Detect if bash is used for active user + #if [ ! -z "${ETC_PATHS}" ]; then + # for I in ${ETC_PATHS}; do + # if [ -d ${I}/bash_completion.d ]; then + # if [ ! -f ${ETC_PATHS}/bash_completion.d/lynis ]; then + # Display "This system has a bash_completion directory. Copy extras/bash_completion.d/lynis to ${I} to get completion support for Lynis" + # fi + # fi + # done + #fi + + else + LogText "Tool tips: enabled" + fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/lynis new/lynis/lynis --- old/lynis/lynis 2019-03-07 01:00:00.000000000 +0100 +++ new/lynis/lynis 2019-04-21 02:00:00.000000000 +0200 
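Review bot: The new `else` branch logs `LogText "Tool tips: enabled"` when `SHOW_TOOL_TIPS` is not 1, so the log reads "enabled" in both cases; it should be `LogText "Tool tips: disabled"`. In the now-commented bash completion block the inner test still uses `${ETC_PATHS}/bash_completion.d/lynis` (the whole path list) instead of the loop variable, `${I}/bash_completion.d/lynis`, so if the code is revived the existence check can never be true; better to fix it while it is being touched. The remaining added lines are design notes with no code, which leaves the tool tips block doing nothing beyond the log line.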
@@ -35,10 +35,10 @@ PROGRAM_AUTHOR_CONTACT="[email protected]" # Version details - PROGRAM_RELEASE_DATE="2019-03-07" - PROGRAM_RELEASE_TIMESTAMP=1551949337 + PROGRAM_RELEASE_DATE="2019-04-21" + PROGRAM_RELEASE_TIMESTAMP=1555856327 PROGRAM_RELEASE_TYPE="final" # dev or final - PROGRAM_VERSION="2.7.2" + PROGRAM_VERSION="2.7.4" # Source, documentation and license PROGRAM_SOURCE="https://github.com/CISOfy/lynis" @@ -76,7 +76,7 @@ tINCLUDE_TARGETS="/usr/local/include/lynis /usr/local/lynis/include /usr/share/lynis/include ./include" # Default paths to check (CWD as last option, in case we run from standalone) for I in ${tINCLUDE_TARGETS}; do if [ "${I}" = "./include" ]; then - if [ -d ${WORKDIR}/include ]; then INCLUDEDIR="${WORKDIR}/include"; fi + if [ -d "${WORKDIR}/include" ]; then INCLUDEDIR="${WORKDIR}/include"; fi elif [ -d ${I} -a -z "${INCLUDEDIR}" ]; then INCLUDEDIR=${I} fi @@ -95,7 +95,7 @@ DBDIR=""; tDB_TARGETS="/usr/local/share/lynis/db /usr/local/lynis/db /usr/share/lynis/db ./db" for I in ${tDB_TARGETS}; do if [ "${I}" = "./db" ]; then - if [ -d ${WORKDIR}/db ]; then DBDIR="${WORKDIR}/db"; fi + if [ -d "${WORKDIR}/db" ]; then DBDIR="${WORKDIR}/db"; fi elif [ -d ${I} -a -z "${DBDIR}" ]; then DBDIR="${I}" fi @@ -613,6 +613,9 @@ if [ ${EOL} -eq 1 ]; then echo " End-of-life: ${WARNING}YES${NORMAL}" ReportWarning "GEN-0010" "This version ${OS_VERSION} is marked end-of-life as of ${EOL_DATE}" + elif [ ${EOL} -eq 255 ]; then + # TODO - mark as item where community can provide help + LogText "Note: the end-of-life of '${OS_FULLNAME}' could not be checked. Entry missing in software-eol.db?" fi if [ ! -z "${OS_MODE}" ]; then echo " Operating system mode: ${OS_MODE}"; fi 
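Review bot: The new `elif [ ${EOL} -eq 255 ]` branch in the `@@ -613` hunk only writes to the log, so a missing `software-eol.db` entry is invisible in the report and on screen, unlike the `EOL -eq 1` branch that also calls `ReportWarning`; presumably 255 is the "not found" status of the EOL lookup (set outside this hunk), and a `ReportException` or at least a `Display` line would surface it to the people who can add the entry, which is what the `# TODO` asks for. The `# TODO - mark as item where community can provide help` comment would be more actionable with the intended mechanism named, e.g. `# TODO: report via ReportException so missing EOL entries reach the community`. The `@@ -76` and `@@ -95` hunks quote `"${WORKDIR}/include"` and `"${WORKDIR}/db"` but leave the sibling `[ -d ${I} -a -z "${INCLUDEDIR}" ]` tests unquoted and on the deprecated `-a`; those are pre-existing.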
@@ -1035,7 +1038,7 @@ if [ -f ${INCLUDEDIR}/report ]; then SafePerms ${INCLUDEDIR}/report; . ${INCLUDEDIR}/report; fi # Show tool tips - if [ -f ${INCLUDEDIR}/hints_tips ]; then SafePerms ${INCLUDEDIR}/hints_tips; . ${INCLUDEDIR}/hints_tips; fi + if [ -f ${INCLUDEDIR}/tool_tips ]; then SafePerms ${INCLUDEDIR}/tool_tips; . ${INCLUDEDIR}/tool_tips; fi LogText "================================================================================" LogText "Tests performed: ${CTESTS_PERFORMED}"
