Hello community, here is the log from the commit of package lynis for openSUSE:Factory checked in at 2019-06-25 22:22:06 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/lynis (Old) and /work/SRC/openSUSE:Factory/.lynis.new.4615 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "lynis" Tue Jun 25 22:22:06 2019 rev:36 rq:711811 version:2.7.5 Changes: -------- --- /work/SRC/openSUSE:Factory/lynis/lynis.changes 2019-06-06 18:16:56.988692573 +0200 +++ /work/SRC/openSUSE:Factory/.lynis.new.4615/lynis.changes 2019-06-25 22:22:07.765126485 +0200 @@ -1,0 +2,20 @@ +Tue Jun 25 07:32:29 UTC 2019 - Robert Frohl <[email protected]> + +- Update to 2.7.5 + Added: + * Danish translation + * Slackware end-of-life information + * Detect BSD-style (rc.d) init in Linux systems + * Detection of Bro and Suricata (IDS) + + Changed: + * Corrected end-of-life entries for CentOS 5 and 6 + * Change name to check in /etc/passwd file for QNAP devices + * AIX enhancement to use correct find statement + * Filter on correct field for AIX + * Set ss command as preferred option for Linux and changed output format + * List of PHP ini file locations has been extended + * Removed several pieces of the code as part of cleanup and code health + * Extended help + +------------------------------------------------------------------- Old: ---- lynis-2.7.4.tar.gz lynis-2.7.4.tar.gz.asc New: ---- lynis-2.7.5.tar.gz lynis-2.7.5.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ lynis.spec ++++++ --- /var/tmp/diff_new_pack.H2V1iV/_old 2019-06-25 22:22:10.077129656 +0200 +++ /var/tmp/diff_new_pack.H2V1iV/_new 2019-06-25 22:22:10.109129700 +0200 @@ -23,7 +23,7 @@ %define _pluginsdir %{_datadir}/lynis/plugins %define _dbdir %{_datadir}/lynis/db Name: lynis -Version: 2.7.4 +Version: 2.7.5 Release: 0 Summary: Security and System auditing tool License: GPL-3.0-only ++++++ lynis-2.7.4.tar.gz -> lynis-2.7.5.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/CHANGELOG.md new/lynis/CHANGELOG.md --- old/lynis/CHANGELOG.md 2019-04-21 02:00:00.000000000 +0200 +++ new/lynis/CHANGELOG.md 2019-06-24 02:00:00.000000000 +0200 
@@ -1,9 +1,30 @@ # Lynis Changelog +## Lynis 2.7.5 (2019-06-24) + +### Added +- Danish translation +- Slackware end-of-life information +- Detect BSD-style (rc.d) init in Linux systems +- Detection of Bro and Suricata (IDS) + +### Changed +- Corrected end-of-life entries for CentOS 5 and 6 +- AUTH-9204 - change name to check in /etc/passwd file for QNAP devices +- AUTH-9268 - AIX enhancement to use correct find statement +- FILE-6310 - Filter on correct field for AIX +- NETW-3012 - set ss command as preferred option for Linux and changed output format +- List of PHP ini file locations has been extended +- Removed several pieces of the code as part of cleanup and code health +- Extended help + +--------------------------------------------------------------------------------- + + ## Lynis 2.7.4 (2019-04-21) This is a bigger release than usual, including several new tests created by -Capashenn (GitHub). It is a coincidence that it is released exactly one more +Capashenn (GitHub). It is a coincidence that it is released exactly one month after the previous version and on Easter. No easter eggs, only improvements! ### Added diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/db/languages/da new/lynis/db/languages/da --- old/lynis/db/languages/da 1970-01-01 01:00:00.000000000 +0100 +++ new/lynis/db/languages/da 2019-06-24 02:00:00.000000000 +0200 
@@ -0,0 +1,41 @@ +ERROR_NO_LICENSE="Ingen licensnøgle konfigureret" +ERROR_NO_UPLOAD_SERVER="Ingen upload server konfigureret" +GEN_CHECKING="Tjekker" +GEN_CURRENT_VERSION="Nuværende version" +GEN_DEBUG_MODE="Fejlfindingstilstand" +GEN_INITIALIZE_PROGRAM="Initialiserer program" +GEN_LATEST_VERSION="Seneste version" +GEN_PHASE="Fase" +GEN_PLUGINS_ENABLED="Plugins aktiverede" +GEN_UPDATE_AVAILABLE="opdatering tilgængelig" +GEN_VERBOSE_MODE="Detaljeret tilstand" +GEN_WHAT_TO_DO="At gøre" +NOTE_EXCEPTIONS_FOUND="Undtagelser fundet" +NOTE_EXCEPTIONS_FOUND_DETAILED="Nogle usædvanlige hændelser eller information var fundet" +NOTE_PLUGINS_TAKE_TIME="Bemærk: plugins har mere omfattende tests og kan tage flere minutter at fuldføre" +NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Sprang over tests på grund af ikke-privilegeret tilstand" +SECTION_CUSTOM_TESTS="Brugerdefinerede Tests" +SECTION_MALWARE="Malware" +SECTION_MEMORY_AND_PROCESSES="Hukommelse og Processer" +STATUS_DISABLED="DEAKTIVERET" +STATUS_DONE="FÆRDIG" +STATUS_ENABLED="AKTIVERET" +STATUS_NOT_ENABLED="IKKE AKTIVERET" +STATUS_ERROR="FEJL" +STATUS_FOUND="FUNDET" +STATUS_YES="JA" +STATUS_NO="NEJ" +STATUS_OFF="FRA" +STATUS_OK="OK" +STATUS_ON="TIL" +STATUS_NONE="INGEN" +STATUS_NOT_FOUND="IKKE FUNDET" +STATUS_NOT_RUNNING="KØRER IKKE" +STATUS_RUNNING="KØRER" +STATUS_SKIPPED="SPRUNGET OVER" +STATUS_SUGGESTION="FORSLAG" +STATUS_UNKNOWN="UKENDT" +STATUS_WARNING="ADVARSEL" +STATUS_WEAK="SVAG" +TEXT_YOU_CAN_HELP_LOGFILE="Du kan hjælpe ved at bidrage med din logfil" +TEXT_UPDATE_AVAILABLE="opdatering tilgængelig" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/db/software-eol.db new/lynis/db/software-eol.db --- old/lynis/db/software-eol.db 2019-04-21 02:00:00.000000000 +0200 +++ new/lynis/db/software-eol.db 2019-06-24 02:00:00.000000000 +0200 
@@ -11,8 +11,8 @@
 #
 # CentOS
 #
-os:CentOS Linux release 5:2017-03-31:1490911200:
-os:CentOS Linux release 6:2020-11-30:1606690800:
+os:CentOS release 5:2017-03-31:1490911200:
+os:CentOS release 6:2020-11-30:1606690800:
 os:CentOS Linux release 7:2024-06-30:1719698400:
 #
 # FreeBSD - https://www.freebsd.org/security/unsupported.html
@@ -43,4 +43,20 @@
 os:Ubuntu 17.10:2018-07-01:1530396000:
 os:Ubuntu 18.04:2023-05-01:1682892000:
 os:Ubuntu 18.10:2019-07-01:1561932000:
-os:Ubuntu 19.04:2020-01-01:1577833200:
\ No newline at end of file
+os:Ubuntu 19.04:2020-01-01:1577833200:
+#
+# Slackware - https://en.wikipedia.org/wiki/Slackware#Releases
+#
+os:Slackware Linux 8.1:2012-08-01:1343768400:
+os:Slackware Linux 9.0:2012-08-01:1343768400:
+os:Slackware Linux 9.1:2012-08-01:1343768400:
+os:Slackware Linux 10.0:2012-08-01:1343768400:
+os:Slackware Linux 10.1:2012-08-01:1343768400:
+os:Slackware Linux 10.2:2012-08-01:1343768400:
+os:Slackware Linux 11.0:2012-08-01:1343768400:
+os:Slackware Linux 12.0:2012-08-01:1343768400:
+os:Slackware Linux 12.1:2013-12-09:1386540000:
+os:Slackware Linux 12.2:2013-12-09:1386540000:
+os:Slackware Linux 13.0:2018-07-05:1530738000:
+os:Slackware Linux 13.1:2018-07-05:1530738000:
+os:Slackware Linux 13.37:2018-07-05:1530738000:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/binaries new/lynis/include/binaries
--- old/lynis/include/binaries 2019-04-21 02:00:00.000000000 +0200
+++ new/lynis/include/binaries 2019-06-24 02:00:00.000000000 +0200
@@ -110,6 +110,7 @@
 base64) BASE64BINARY="${BINARY}"; LogText " Found known binary: base64 (encoding tool) - ${BINARY}" ;;
 blkid) BLKIDBINARY="${BINARY}"; LogText " Found known binary: blkid (information about block devices) - ${BINARY}" ;;
 bootctl) BOOTCTLBINARY="${BINARY}"; LogText " Found known binary: bootctl (systemd-boot manager utility) - ${BINARY}" ;;
+ bro) BROBINARY="${BINARY}"; LogText " Found known binary: bro (IDS) - ${BINARY}" ;;
 cat) CAT_BINARY="${BINARY}"; LogText " Found known binary: cat (generic file handling) - ${BINARY}" ;;
 cc) CCBINARY="${BINARY}"; COMPILER_INSTALLED=1; LogText " Found known binary: cc (compiler) - ${BINARY}" ;;
 chkconfig) CHKCONFIGBINARY=${BINARY}; LogText " Found known binary: chkconfig (administration tool) - ${BINARY}" ;;
@@ -227,6 +228,7 @@
 sha1|sha1sum|shasum) SHA1SUMBINARY="${BINARY}"; LogText " Found known binary: sha1/sha1sum/shasum (crypto hashing) - ${BINARY}" ;;
 sha256|sha256sum) SHA256SUMBINARY="${BINARY}"; LogText " Found known binary: sha256/sha256sum (crypto hashing) - ${BINARY}" ;;
 ssh-keyscan) SSHKEYSCANBINARY="${BINARY}"; LogText " Found known binary: ssh-keyscan (scanner for SSH keys) - ${BINARY}" ;;
+ suricata) SURICATABINARY="${BINARY}"; LogText " Found known binary: suricata (IDS) - ${BINARY}" ;;
 sysctl) SYSCTLBINARY="${BINARY}"; LogText " Found known binary: sysctl (kernel parameters) - ${BINARY}" ;;
 syslog-ng) SYSLOGNGBINARY="${BINARY}"; SYSLOGNGVERSION=$(${BINARY} -V 2>&1 | grep "^syslog-ng" | awk '{ print $2 }'); LogText "Found ${BINARY} (version ${SYSLOGNGVERSION})" ;;
 systemctl) SYSTEMCTLBINARY="${BINARY}"; LogText " Found known binary: systemctl (client to systemd) - ${BINARY}" ;;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/functions new/lynis/include/functions
--- old/lynis/include/functions 2019-04-21 02:00:00.000000000 +0200
+++ new/lynis/include/functions 2019-06-24 02:00:00.000000000 +0200
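Review bot: The new `bro)` arm will not match current installations of the same IDS, which ships its binary under the name `zeek` since the project's rename; if the goal is to detect that IDS at all, the arm should follow the `sha1|sha1sum|shasum)` pattern used further down in this file, `bro|zeek) BROBINARY="${BINARY}"; LogText " Found known binary: bro/zeek (IDS) - ${BINARY}" ;;`. Both added arms only record a path and do not run the binary, unlike the `syslog-ng` arm below that executes `${BINARY} -V`; a short comment such as `# detection only: version and ruleset checks are left to the tests that consume BROBINARY/SURICATABINARY` would make that deliberate choice visible. The enclosing `case` starts and ends outside the hunk.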
@@ -2009,7 +2009,7 @@ for ITEM in ${VALUE}; do LogText "Result: found protocol ${ITEM}" case ${ITEM} in - "sslv2" | "sslv3") + "sslv2" | "sslv3" | "tlsv1") NGINX_WEAK_SSL_PROTOCOL_FOUND=1 ;; esac diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/helper_audit_dockerfile new/lynis/include/helper_audit_dockerfile --- old/lynis/include/helper_audit_dockerfile 2019-04-21 02:00:00.000000000 +0200 +++ new/lynis/include/helper_audit_dockerfile 2019-06-24 02:00:00.000000000 +0200 @@ -19,25 +19,14 @@ ################################################################################# if [ $# -eq 0 ]; then - Display --indent 2 --text "${RED}Error: ${WHITE}Provide URL or file${NORMAL}" + Display --indent 2 --text "${RED}Error: ${WHITE}Provide a file${NORMAL}" Display --text " "; Display --text " " ExitFatal else FILE=$(echo $1 | egrep "^http|https") if HasData "${FILE}"; then - CreateTempFile - TMP_FILE="${TEMP_FILE}" - Display --indent 2 --text "Downloading URL ${FILE} with wget" - wget -o ${TMP_FILE} ${FILE} - if [ $? -gt 0 ]; then - AUDIT_FILE="${TMP_FILE}" - else - if [ -f ${TMP_FILE} ]; then - rm -f ${TMP_FILE} - fi - Display --indent 2 --text "${RED}Error: ${WHITE}can not download file${NORMAL}" - ExitFatal - fi + echo "Provide a file (not a URL)" + ExitFatal else if [ -f $1 ]; then AUDIT_FILE="$1" 
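Review bot: The extended weak-protocol list still accepts `tlsv1.1`, because the `case` arm matches the whole token and the new `"tlsv1"` alternative does not cover it; TLS 1.0 and 1.1 are both deprecated (RFC 8996), so the arm should read `"sslv2" | "sslv3" | "tlsv1" | "tlsv1.1")`. A comment above the arm, `# SSLv2/SSLv3 and TLS 1.0/1.1 are deprecated (RFC 8996); any of these sets NGINX_WEAK_SSL_PROTOCOL_FOUND`, would record why the list exists and when to extend it. The enclosing function starts and ends outside the hunk.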
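Review bot: The new refusal branch is driven by the retained line `FILE=$(echo $1 | egrep "^http|https")`, whose ERE alternation binds as `^http` OR `https`-anywhere, so a plain path that merely contains `https` (for example `/srv/https-proxy/Dockerfile`) is now rejected with "Provide a file (not a URL)" instead of being audited. Anchoring both forms, `FILE=$(echo "$1" | egrep "^https?://")`, rejects only real URLs. The new branch also prints with bare `echo` while the sibling error path above uses `Display --indent 2 --text "${RED}Error: ..."`; using `Display` there keeps the helper's output consistent. The enclosing `if`/`else` continues past the end of the hunk.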
@@ -70,13 +59,12 @@ IS_ALPINE=$(echo ${IMAGE} | grep -i alpine) IS_LATEST=$(echo ${TAG} | grep -i latest) - if [ ! "${IS_DEBIAN}" = "" ]; then IMAGE="debian"; fi - if [ ! "${IS_FEDORA}" = "" ]; then IMAGE="fedora"; fi - if [ ! "${IS_UBUNTU}" = "" ]; then IMAGE="ubuntu"; fi - if [ ! "${IS_ALPINE}" = "" ]; then IMAGE="alpine"; fi - - if [ ! "${IS_LATEST}" = "" ]; then - ReportWarning "dockerfile" "latest TAG used. Specifying the version is better." + if [ ! -z "${IS_DEBIAN}" ]; then IMAGE="debian"; fi + if [ ! -z "${IS_FEDORA}" ]; then IMAGE="fedora"; fi + if [ ! -z "${IS_UBUNTU}" ]; then IMAGE="ubuntu"; fi + if [ ! -z "${IS_ALPINE}" ]; then IMAGE="alpine"; fi + if [ ! -z "${IS_LATEST}" ]; then + ReportWarning "dockerfile" "latest TAG used. Specifying a targeted OS image and version is better for reproducible results." fi case ${IMAGE} in @@ -110,14 +98,14 @@ #FIND=$(egrep "^MAINTAINER" ${AUDIT_FILE} | sed 's/ /:space:/g') FIND=$(egrep -i "*MAINTAINER" ${AUDIT_FILE} | sed 's/=/ /g' | cut -d'"' -f 2) - if [ "${FIND}" = "" ]; then + if [ -z "${FIND}" ]; then ReportWarning "dockerfile" "No maintainer found. Unclear who created this file." else #MAINTAINER=$(echo ${FIND} | sed 's/:space:/ /g' | awk '{ if($1=="MAINTAINER") { print }}') MAINTAINER=$(echo ${FIND}) Display --indent 2 --text "Maintainer" --result "${MAINTAINER}" fi - + FIND=$(grep "^ENTRYPOINT" ${AUDIT_FILE} | cut -d' ' -f2 ) if [ "${FIND}" = "" ]; then ReportWarning "dockerfile" "No ENTRYPOINT defined in Dockerfile." @@ -127,7 +115,7 @@ fi FIND=$(grep "^CMD" ${AUDIT_FILE} | cut -d' ' -f2 ) - if [ "${FIND}" = "" ]; then + if [ -z "${FIND}" ]; then ReportWarning "dockerfile" "No CMD defines in Dockerfile." else CMD=$(echo ${FIND}) 
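Review bot: The `latest` warning fires only when the tag text contains `latest`, so a `FROM` line with no tag at all, which Docker resolves to `:latest`, presumably passes silently (the `TAG` assignment is above the hunk, so this is inferred from the visible `IS_LATEST=$(echo ${TAG} | grep -i latest)` line). Extending the guard to `if [ -z "${TAG}" -o -n "${IS_LATEST}" ]; then` covers both cases, and `-n` reads better than `! -z` in the four `IMAGE` guards above it as well. A comment such as `# an untagged FROM is implicitly :latest` would explain the extra term.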
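Review bot: The conversion to `-z` stops short inside this hunk: the `ENTRYPOINT` check sitting between the converted MAINTAINER and CMD checks still reads `if [ "${FIND}" = "" ]; then`, so three parallel checks now use two idioms; `if [ -z "${FIND}" ]; then` there completes the change. On the retained `egrep -i "*MAINTAINER"` line the leading `*` is not a meaningful ERE prefix and the unanchored, case-insensitive match also hits commented-out lines, so the warning about a missing maintainer can be suppressed by a `# maintainer` comment; `egrep "^MAINTAINER"` (plus `LABEL maintainer=` if that form is meant to count) would be more precise, though that line is not changed by this commit.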
@@ -135,7 +123,7 @@ fi FIND=$(grep "^USER" ${AUDIT_FILE} | cut -d' ' -f2 ) - if [ "${FIND}" = "" ]; then + if [ -z "${FIND}" ]; then ReportWarning "dockerfile" "No user declared in Dockerfile. Container will execute command as root" else USER=$(echo ${FIND}) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/helper_show new/lynis/include/helper_show --- old/lynis/include/helper_show 2019-04-21 02:00:00.000000000 +0200 +++ new/lynis/include/helper_show 2019-06-24 02:00:00.000000000 +0200 @@ -28,7 +28,7 @@ # ###################################################################### -COMMANDS="audit configure show update upload-only" +COMMANDS="audit configure generate show update upload-only" HELPERS="audit configure show update" OPTIONS="--auditor\n--cronjob (--cron)\n--debug\n--developer\n--help (-h)\n--license-key\n--log-file\n--manpage (--man)\n--no-colors\n--no-log\n--pentest\n--profile\n--plugin-dir\n--quick (-Q)\n--quiet (-q)\n--report-file\n--reverse-colors\n--skip-plugins\n--tests\n--tests-from-category\n--tests-from-group\n--upload\n--verbose\n--version (-V)\n--wait\n--warnings-only" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/parameters new/lynis/include/parameters --- old/lynis/include/parameters 2019-04-21 02:00:00.000000000 +0200 +++ new/lynis/include/parameters 2019-06-24 02:00:00.000000000 +0200 
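Review bot: The `USER` check only verifies that some `USER` instruction exists, so `USER root` or `USER 0` passes as a declared user while the container still runs as root, which is exactly the condition the warning text describes. After the `-z` guard an `elif [ "${FIND}" = "root" -o "${FIND}" = "0" ]; then ReportWarning "dockerfile" "USER is root; container will execute command as root"` closes that gap. Since several `USER` lines may appear and only the last one is in effect at runtime, the value should come from the last match, `FIND=$(grep "^USER" ${AUDIT_FILE} | tail -n 1 | cut -d' ' -f2)`; the current grep returns all of them joined.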
@@ -36,12 +36,13 @@
 if [ $# -gt 1 ]; then
 case $2 in
 "dockerfile")
- if [ "$3" = "" ]; then
+ if [ $# = 2 ]; then
 echo "${RED}Error: ${WHITE}Missing file name or URL${NORMAL}"
- echo "Example: $0 audit dockerfile /root/Dockerfile"
+ echo "Example: $0 audit dockerfile /path/to/Dockerfile"
 ExitFatal
 else
 shift; shift
+ CHECK_BINARIES=1
 HELPER_PARAMS="$1"
 HELPER="audit_dockerfile"
 break
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/report new/lynis/include/report
--- old/lynis/include/report 2019-04-21 02:00:00.000000000 +0200
+++ new/lynis/include/report 2019-06-24 02:00:00.000000000 +0200
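Review bot: The retained `echo "${RED}Error: ${WHITE}Missing file name or URL${NORMAL}"` line still advertises URL input, while the helper this branch dispatches to (`helper_audit_dockerfile`, changed in the same release) now rejects URLs outright, so the two messages contradict each other; `Missing file name` keeps them consistent. The new `if [ $# = 2 ]; then` compares the argument count as a string, whereas the surrounding `if [ $# -gt 1 ]` uses the numeric form; `if [ $# -eq 2 ]; then` matches. The enclosing `case` continues outside the hunk.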
@@ -22,55 +22,79 @@ # ################################################################################# # + + # Add data fields to report file + Report "dhcp_client_running=${DHCP_CLIENT_RUNNING}" + Report "arpwatch_running=${ARPWATCH_RUNNING}" + + # Report firewall installed for now, if we found one active. Next step would be determining binaries first and apply additional checks. + Report "firewall_active=${FIREWALL_ACTIVE}" + Report "firewall_empty_ruleset=${FIREWALL_EMPTY_RULESET}" + Report "firewall_installed=${FIREWALL_ACTIVE}" + + if [ ! -z "${INSTALLED_PACKAGES}" ]; then Report "installed_packages_array=${INSTALLED_PACKAGES}"; fi + + Report "package_audit_tool=${PACKAGE_AUDIT_TOOL}" + Report "package_audit_tool_found=${PACKAGE_AUDIT_TOOL_FOUND}" + Report "vulnerable_packages_found=${VULNERABLE_PACKAGES_FOUND}" + + # Hardening Index - # Define approximately how strong a machine has been hardened - # If no hardening has been found, set value to 1 - if [ ${HPPOINTS} -eq 0 ]; then HPPOINTS=1; HPTOTAL=100; fi - HPINDEX=$((HPPOINTS * 100 / HPTOTAL)) - HPAOBLOCKS=$((HPPOINTS * 20 / HPTOTAL)) - # Set color related to rating - if [ ${HPINDEX} -lt 50 ]; then - HPCOLOR="${RED}" - HIDESCRIPTION="System has not or a low amount been hardened" - elif [ ${HPINDEX} -gt 49 -a ${HPINDEX} -lt 80 ]; then - HPCOLOR="${YELLOW}" - HIDESCRIPTION="System has been hardened, but could use additional hardening" - elif [ ${HPINDEX} -gt 79 -a ${HPINDEX} -lt 90 ]; then - HPCOLOR="${GREEN}" - HIDESCRIPTION="System seem to be decent hardened" - elif [ ${HPINDEX} -gt 89 ]; then - HPCOLOR="${GREEN}" - HIDESCRIPTION="System seem to be well hardened" - fi - - case ${HPAOBLOCKS} in - 0) HPBLOCKS="#"; HPEMPTY=" " ;; - 1) HPBLOCKS="#"; HPEMPTY=" " ;; - 2) HPBLOCKS="##"; HPEMPTY=" " ;; - 3) HPBLOCKS="###"; HPEMPTY=" " ;; - 4) HPBLOCKS="####"; HPEMPTY=" " ;; - 5) HPBLOCKS="#####"; HPEMPTY=" " ;; - 6) HPBLOCKS="######"; HPEMPTY=" " ;; - 7) HPBLOCKS="#######"; HPEMPTY=" " ;; - 8) HPBLOCKS="########"; 
HPEMPTY=" " ;; - 9) HPBLOCKS="#########"; HPEMPTY=" " ;; - 10) HPBLOCKS="##########"; HPEMPTY=" " ;; - 11) HPBLOCKS="###########"; HPEMPTY=" " ;; - 12) HPBLOCKS="############"; HPEMPTY=" " ;; - 13) HPBLOCKS="#############"; HPEMPTY=" " ;; - 14) HPBLOCKS="##############"; HPEMPTY=" " ;; - 15) HPBLOCKS="###############"; HPEMPTY=" " ;; - 16) HPBLOCKS="################"; HPEMPTY=" " ;; - 17) HPBLOCKS="#################"; HPEMPTY=" " ;; - 18) HPBLOCKS="##################"; HPEMPTY=" " ;; - 19) HPBLOCKS="###################"; HPEMPTY=" " ;; - 20) HPBLOCKS="####################"; HPEMPTY="" ;; - esac - - HPGRAPH="[${HPCOLOR}${HPBLOCKS}${NORMAL}${HPEMPTY}]" - LogText "Hardening index : [${HPINDEX}] [${HPBLOCKS}${HPEMPTY}]" - LogText "Hardening strength: ${HIDESCRIPTION}" + # Goal: + # Provide a visual way to show how much the system is hardened + # + # Important: + # The index gives a simplified version of the measures taken on the system. + # It should be used to get a first impression about the state of the system or to compare similar systems. + # Getting the maximum score (100 or full bar) does not indicate that the system is fully secured. 
+ + # If no hardening has been found, set value to 1 + if [ ${HPPOINTS} -eq 0 ]; then HPPOINTS=1; HPTOTAL=100; fi + HPINDEX=$((HPPOINTS * 100 / HPTOTAL)) + HPAOBLOCKS=$((HPPOINTS * 20 / HPTOTAL)) + # Set color related to rating + if [ ${HPINDEX} -lt 50 ]; then + HPCOLOR="${RED}" + HIDESCRIPTION="System has not or a low amount been hardened" + elif [ ${HPINDEX} -gt 49 -a ${HPINDEX} -lt 80 ]; then + HPCOLOR="${YELLOW}" + HIDESCRIPTION="System has been hardened, but could use additional hardening" + elif [ ${HPINDEX} -gt 79 -a ${HPINDEX} -lt 90 ]; then + HPCOLOR="${GREEN}" + HIDESCRIPTION="System seem to be decent hardened" + elif [ ${HPINDEX} -gt 89 ]; then + HPCOLOR="${GREEN}" + HIDESCRIPTION="System seem to be well hardened" + fi + + case ${HPAOBLOCKS} in + 0) HPBLOCKS="#"; HPEMPTY=" " ;; + 1) HPBLOCKS="#"; HPEMPTY=" " ;; + 2) HPBLOCKS="##"; HPEMPTY=" " ;; + 3) HPBLOCKS="###"; HPEMPTY=" " ;; + 4) HPBLOCKS="####"; HPEMPTY=" " ;; + 5) HPBLOCKS="#####"; HPEMPTY=" " ;; + 6) HPBLOCKS="######"; HPEMPTY=" " ;; + 7) HPBLOCKS="#######"; HPEMPTY=" " ;; + 8) HPBLOCKS="########"; HPEMPTY=" " ;; + 9) HPBLOCKS="#########"; HPEMPTY=" " ;; + 10) HPBLOCKS="##########"; HPEMPTY=" " ;; + 11) HPBLOCKS="###########"; HPEMPTY=" " ;; + 12) HPBLOCKS="############"; HPEMPTY=" " ;; + 13) HPBLOCKS="#############"; HPEMPTY=" " ;; + 14) HPBLOCKS="##############"; HPEMPTY=" " ;; + 15) HPBLOCKS="###############"; HPEMPTY=" " ;; + 16) HPBLOCKS="################"; HPEMPTY=" " ;; + 17) HPBLOCKS="#################"; HPEMPTY=" " ;; + 18) HPBLOCKS="##################"; HPEMPTY=" " ;; + 19) HPBLOCKS="###################"; HPEMPTY=" " ;; + 20) HPBLOCKS="####################"; HPEMPTY="" ;; + esac + + HPGRAPH="[${HPCOLOR}${HPBLOCKS}${NORMAL}${HPEMPTY}]" + LogText "Hardening index : [${HPINDEX}] [${HPBLOCKS}${HPEMPTY}]" + LogText "Hardening strength: ${HIDESCRIPTION}" # Only show overview if not running in quiet mode diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' 
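Review bot: The relocated zero guard `if [ ${HPPOINTS} -eq 0 ]; then HPPOINTS=1; HPTOTAL=100; fi` protects only the points, so `HPINDEX=$((HPPOINTS * 100 / HPTOTAL))` still divides by zero if `HPTOTAL` is 0 while points are non-zero, and the unquoted `${HPPOINTS}` makes `[` fail with a syntax error if the variable is unset because no scoring test ran (whether either state is reachable depends on initialisation outside this file). `if [ "${HPPOINTS:-0}" -eq 0 -o "${HPTOTAL:-0}" -eq 0 ]; then HPPOINTS=1; HPTOTAL=100; fi` closes both. The new `Report "firewall_installed=${FIREWALL_ACTIVE}"` line writes the active flag under the installed key; the comment above calls it provisional, so a `# TODO: derive firewall_installed from binary detection, not FIREWALL_ACTIVE` would stop report consumers treating the two keys as independent signals.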
old/lynis/include/tests_authentication new/lynis/include/tests_authentication --- old/lynis/include/tests_authentication 2019-04-21 02:00:00.000000000 +0200 +++ new/lynis/include/tests_authentication 2019-06-24 02:00:00.000000000 +0200 @@ -40,7 +40,12 @@ if [ ${SKIPTEST} -eq 0 ]; then # Search accounts with UID 0 LogText "Test: Searching accounts with UID 0" - FIND=$(${GREPBINARY} ':0:' ${ROOTDIR}etc/passwd | ${EGREPBINARY} -v '^#|^root:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0') + # Check if device is a QNAP, as the root user is called admin, and not root + if [ ${QNAP_DEVICE} -eq 1 ]; then + FIND=$(${GREPBINARY} ':0:' ${ROOTDIR}etc/passwd | ${EGREPBINARY} -v '^#|^admin:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0') + else + FIND=$(${GREPBINARY} ':0:' ${ROOTDIR}etc/passwd | ${EGREPBINARY} -v '^#|^root:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0') + fi if [ ! -z "${FIND}" ]; then Display --indent 2 --text "- Administrator accounts" --result "${STATUS_WARNING}" --color RED LogText "Result: Found more than one administrator accounts" @@ -669,8 +674,8 @@ if [ -d ${DIR} -a ! -L ${DIR} ]; then LogText "Result: directory ${DIR} exists" # Search in the specified directory - if [ "${OS}" = "Solaris" ]; then - # Solaris does not support -maxdepth + if [ "${OS}" = "AIX" -o "${OS}" = "Solaris" ]; then + # AIX/Solaris does not support -maxdepth FIND=$(find ${DIR} -type f -name "pam_*.so" -print | sort) else FIND=$(find ${DIR} -maxdepth 1 -type f -name "pam_*.so" -print | sort) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_boot_services new/lynis/include/tests_boot_services --- old/lynis/include/tests_boot_services 2019-04-21 02:00:00.000000000 +0200 +++ new/lynis/include/tests_boot_services 2019-06-24 02:00:00.000000000 +0200 
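Review bot: The two branches added for AUTH-9204 duplicate a five-stage pipeline that differs only in the excluded account name, which invites the copies to drift; selecting the name first keeps a single pipeline: `ADMIN_ACCOUNT="root"; if [ "${QNAP_DEVICE:-0}" -eq 1 ]; then ADMIN_ACCOUNT="admin"; fi` followed by `FIND=$(${GREPBINARY} ':0:' ${ROOTDIR}etc/passwd | ${EGREPBINARY} -v "^#|^${ADMIN_ACCOUNT}:|^(\+:\*)?:0:0:::" | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0')`. The `:-0` default also keeps `[` from failing with "unary operator expected" if `QNAP_DEVICE` is unset, which the new unquoted `if [ ${QNAP_DEVICE} -eq 1 ]` would do (where it is initialised is outside this hunk). The enclosing test body continues outside the hunk.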
@@ -96,7 +96,11 @@ ;; "init" | "initsplash") - SERVICE_MANAGER="SysV Init" + if [ -d ${ROOTDIR}etc/rc.d ]; then + SERVICE_MANAGER="bsdrc.d" + else + SERVICE_MANAGER="SysV Init" + fi ;; systemd) SERVICE_MANAGER="systemd" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_filesystems new/lynis/include/tests_filesystems --- old/lynis/include/tests_filesystems 2019-04-21 02:00:00.000000000 +0200 +++ new/lynis/include/tests_filesystems 2019-06-24 02:00:00.000000000 +0200 @@ -48,7 +48,11 @@ Display --indent 4 --text "- Checking ${I} mount point" --result SYMLINK --color WHITE elif [ -d ${I} ]; then LogText "Result: directory ${I} exists" - FIND=$(${MOUNTBINARY} | ${AWKBINARY} -v MP=${I} '{ if ($3==MP) { print $3 }}') + case "${OS}" in + "AIX") FIND=$(${MOUNTBINARY} | ${AWKBINARY} -v MP=${I} '{ if ($2==MP) { print $2 }}') ;; + *) FIND=$(${MOUNTBINARY} | ${AWKBINARY} -v MP=${I} '{ if ($3==MP) { print $3 }}') ;; + esac + if IsEmpty "${FIND}"; then LogText "Result: ${I} not found in mount list. Directory most likely stored on / file system" Display --indent 4 --text "- Checking ${I} mount point" --result "${STATUS_SUGGESTION}" --color YELLOW diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_firewalls new/lynis/include/tests_firewalls --- old/lynis/include/tests_firewalls 2019-04-21 02:00:00.000000000 +0200 +++ new/lynis/include/tests_firewalls 2019-06-24 02:00:00.000000000 +0200 
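Review bot: The new `if [ -d ${ROOTDIR}etc/rc.d ]` test classifies any Linux host with an `/etc/rc.d` directory as BSD-style, but on Red Hat-family SysV systems `/etc/rc.d` is an ordinary directory holding `init.d/` and the `rc*.d` runlevel directories, so those hosts would now report `bsdrc.d` instead of `SysV Init`, and anything keyed on `SERVICE_MANAGER` later would take the wrong branch. Requiring the BSD layout and excluding the SysV one is safer: `if [ -d ${ROOTDIR}etc/rc.d -a ! -d ${ROOTDIR}etc/rc.d/init.d ]; then`. A comment such as `# BSD-style rc.d (e.g. Slackware); SysV distributions may also nest init.d under /etc/rc.d` would record the distinction. The enclosing `case` starts and ends outside the hunk.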
@@ -596,11 +596,6 @@ ################################################################################# # -# Report firewall installed for now, if we found one active. Next step would be determining binaries first and apply additional checks. -Report "firewall_active=${FIREWALL_ACTIVE}" -Report "firewall_empty_ruleset=${FIREWALL_EMPTY_RULESET}" -Report "firewall_installed=${FIREWALL_ACTIVE}" - WaitForKeyPress # diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_networking new/lynis/include/tests_networking --- old/lynis/include/tests_networking 2019-04-21 02:00:00.000000000 +0200 +++ new/lynis/include/tests_networking 2019-06-24 02:00:00.000000000 +0200 @@ -370,6 +370,7 @@ # Description : Check listening ports Register --test-no NETW-3012 --weight L --network NO --category security --description "Check listening ports" if [ ${SKIPTEST} -eq 0 ]; then + DATA="" FIND=""; FIND2="" COUNT=0 case ${OS} in 
@@ -381,24 +382,19 @@ FIND="" fi FIND2="" - ;; + ;; Linux) - if [ ! -z "${NETSTATBINARY}" ]; then + if [ -n "${SSBINARY}" ]; then + DATA=$(${SSBINARY} --query=udp,tcp -plnt | awk '{ if ($1!="Netid") { print "raw,ss,v1|"$1"|"$5"|"$7"|" }}' | sed 's/pid=[0-9]\{1,\},fd=[0-9]\{1,\}//g' | sed 's/users://' | sed 's/,)//g' | tr -d '()"') + elif [ -n "${NETSTATBINARY}" ]; then # UDP FIND=$(${NETSTATBINARY} -nlp 2> /dev/null | ${GREPBINARY} "^udp" | ${AWKBINARY} '{ print $4"|"$1"|"$6"|" }' | ${SEDBINARY} 's:|[0-9]*/:|:') # TCP FIND2=$(${NETSTATBINARY} -nlp 2> /dev/null | ${GREPBINARY} "^tcp" | ${AWKBINARY} '{ if($6=="LISTEN") { print $4"|"$1"|"$7"|" }}' | ${SEDBINARY} 's:|[0-9]*/:|:') else - if [ ! "${SSBINARY}" = "" ]; then - # UDP - FIND=$(${SSBINARY} -u -a -n 2> /dev/null | ${AWKBINARY} '{ print $4 }' | ${GREPBINARY} -v Local) - # TCP - FIND2=$(${SSBINARY} -t -a -n 2> /dev/null | ${AWKBINARY} '{ print $4 }' | ${GREPBINARY} -v Local) - else - ReportException "${TEST_NO}:1" "netstat and ss binary missing to gather listening ports" - fi + ReportException "${TEST_NO}:1" "netstat and ss binary missing to gather listening ports" fi - ;; + ;; macOS) if [ ! "${LSOFBINARY}" = "" ]; then @@ -409,9 +405,7 @@ fi # Not needed as we have a combined test FIND2="" - ;; - - + ;; NetBSD) if [ ! "${SOCKSTATBINARY}" = "" ]; then FIND=$(${SOCKSTATBINARY} 2> /dev/null | ${AWKBINARY} '{ if ($7 ~ /\*.\*/) print $5"|"$6"|"$2"|" }' | ${SORTBINARY} -u) @@ -419,7 +413,7 @@ FIND="" fi FIND2="" - ;; + ;; OpenBSD) if [ ! "${NETSTATBINARY}" = "" ]; then # UDP 
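Review bot: The new `ss` pipeline calls `awk`, `sed` and `tr` by bare name while the `netstat` branch directly below uses `${AWKBINARY}` and `${SEDBINARY}`, so this branch bypasses the binary discovery the rest of the test relies on, and it also drops the `2> /dev/null` the netstat branch keeps; `${SSBINARY} --query=udp,tcp -plnt 2> /dev/null | ${AWKBINARY} ... | ${SEDBINARY} ...` (and `${TRBINARY}` if such a variable exists elsewhere in the file) keeps it consistent. Because `ss` is now preferred, Linux hosts that have it no longer fill `FIND`/`FIND2`, so the `network_listen_port[]` entries the later loop derives from them are not emitted and only the raw `network_listen[]` records are; consumers of the report file should be warned, for example with `# NOTE: with ss available, Linux emits network_listen[] records instead of network_listen_port[]` above the branch. The `case` continues into the next hunk.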
@@ -429,13 +423,20 @@ else ReportException "${TEST_NO}:3" "netstat missing to gather listening ports" fi - ;; + ;; *) # Got this exception? Provide your details and output of netstat or any other tool to determine this information. ReportException "${TEST_NO}:2" "Unclear what method to use, to determine listening port information" - ;; + ;; esac + if HasData "${DATA}"; then + for ITEM in ${DATA}; do + COUNT=$((COUNT + 1)) + Report "network_listen[]=${ITEM}" + done + fi + # Retrieve information from sockstat, when available LogText "Test: Retrieving sockstat information to find listening ports" if HasData "${FIND}"; then @@ -453,11 +454,10 @@ Report "network_listen_port[]=${ITEM}" done fi - if [ "${FIND}" = "" -a "${FIND2}" = "" ]; then + if [ -z "${DATA}" -a -z "${FIND}" ]; then Display --indent 2 --text "- Getting listening ports (TCP/UDP)" --result "${STATUS_SKIPPED}" --color YELLOW else Display --indent 2 --text "- Getting listening ports (TCP/UDP)" --result "${STATUS_DONE}" --color GREEN - Display --indent 6 --text "* Found ${COUNT} ports" fi fi # @@ -634,9 +634,6 @@ ################################################################################# # -Report "dhcp_client_running=${DHCP_CLIENT_RUNNING}" -Report "arpwatch_running=${ARPWATCH_RUNNING}" - WaitForKeyPress # diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_php new/lynis/include/tests_php --- old/lynis/include/tests_php 2019-04-21 02:00:00.000000000 +0200 +++ new/lynis/include/tests_php 2019-06-24 02:00:00.000000000 +0200 
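Review bot: The rewritten skip test `if [ -z "${DATA}" -a -z "${FIND}" ]; then` dropped `FIND2` from the condition, yet the Linux `netstat` branch above still puts TCP listeners in `FIND2` separately from the UDP ones in `FIND`; a host whose only listeners are TCP therefore shows the step as SKIPPED although ports were found and reported. Restoring the third term, `if [ -z "${DATA}" -a -z "${FIND}" -a -z "${FIND2}" ]; then`, keeps the intent of the removed line. The new `DATA` loop increments `COUNT`, but the `* Found ${COUNT} ports` display was removed in the same hunk, so `COUNT` is now written and, within the visible lines, never read. The test body starts outside the hunk.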
@@ -42,6 +42,9 @@ ${ROOTDIR}etc/php5/apache2/php.ini \ ${ROOTDIR}etc/php5/fpm/php.ini \ ${ROOTDIR}private/etc/php.ini \ + ${ROOTDIR}etc/php/7.2/apache2/php.ini \ + ${ROOTDIR}etc/php/7.1/apache2/php.ini \ + ${ROOTDIR}etc/php/7.0/apache2/php.ini \ ${ROOTDIR}etc/php/7.2/cli/php.ini ${ROOTDIR}etc/php/7.2/fpm/php.ini \ ${ROOTDIR}etc/php/7.1/cli/php.ini ${ROOTDIR}etc/php/7.1/fpm/php.ini \ ${ROOTDIR}etc/php/7.0/cli/php.ini ${ROOTDIR}etc/php/7.0/fpm/php.ini \ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/include/tests_ports_packages new/lynis/include/tests_ports_packages --- old/lynis/include/tests_ports_packages 2019-04-21 02:00:00.000000000 +0200 +++ new/lynis/include/tests_ports_packages 2019-06-24 02:00:00.000000000 +0200 @@ -1340,13 +1340,6 @@ ################################################################################# # - -if [ ! -z "${INSTALLED_PACKAGES}" ]; then Report "installed_packages_array=${INSTALLED_PACKAGES}"; fi - -Report "package_audit_tool=${PACKAGE_AUDIT_TOOL}" -Report "package_audit_tool_found=${PACKAGE_AUDIT_TOOL_FOUND}" -Report "vulnerable_packages_found=${VULNERABLE_PACKAGES_FOUND}" - WaitForKeyPress # diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lynis/lynis new/lynis/lynis --- old/lynis/lynis 2019-04-21 02:00:00.000000000 +0200 +++ new/lynis/lynis 2019-06-24 02:00:00.000000000 +0200 @@ -35,10 +35,10 @@ PROGRAM_AUTHOR_CONTACT="[email protected]" # Version details - PROGRAM_RELEASE_DATE="2019-04-21" - PROGRAM_RELEASE_TIMESTAMP=1555856327 + PROGRAM_RELEASE_DATE="2019-06-24" + PROGRAM_RELEASE_TIMESTAMP=1561383761 PROGRAM_RELEASE_TYPE="final" # dev or final - PROGRAM_VERSION="2.7.4" + PROGRAM_VERSION="2.7.5" # Source, documentation and license PROGRAM_SOURCE="https://github.com/CISOfy/lynis"
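Review bot: The three added `apache2/php.ini` paths extend a hard-coded list that already stops at PHP 7.2 for the `cli` and `fpm` variants, so the 7.3 series (current when this release shipped) and every later minor version stay unchecked for all three SAPIs until the list is edited again. If the list is consumed by an unquoted `for` (the loop head is above the hunk, so this is inferred), a glob such as `${ROOTDIR}etc/php/*/apache2/php.ini ${ROOTDIR}etc/php/*/cli/php.ini ${ROOTDIR}etc/php/*/fpm/php.ini \` covers whatever is installed; otherwise a `# NOTE: extend when a new PHP minor version ships under /etc/php/<ver>/` comment at least flags the maintenance burden.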
