github.com/CISOfy/lynis.git - Unnamed repository; edit this file 'description' to name the repository.
authorMichael Boelen <michael.boelen@cisofy.com>2020-04-06 21:47:45 +0300
committerMichael Boelen <michael.boelen@cisofy.com>2020-04-06 21:47:45 +0300
commitc368846a08d12901e7de43b525d3e055c7f67508 (patch)
tree6702dee4e7ee2525bced39ea285d945b83ebf5ff
parent798f5322f6908c80fb356b5022ce99012938e42b (diff)
Added support to require a detected and known package manager
-rw-r--r--CHANGELOG.md1
-rw-r--r--include/consts3
-rw-r--r--include/functions27
-rw-r--r--include/tests_insecure_services22
-rwxr-xr-xlynis11
5 files changed, 50 insertions, 14 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3edd55cc..f21bd306 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -159,6 +159,7 @@ Using the relevant options, the scan will change base on the intended goal.
- Several code cleanups, simplification of commands, and code standardization
- Tests using lsof may ignore individual threads (if supported)
- Corrected end-of-life detection for CentOS 7 and CentOS 8
+- Tests can require detected package manager (--package-manager-required)
- Do not show tool tips when quiet option is used
- Improved screen output in several tests
- Extended output of 'lynis update info'
diff --git a/include/consts b/include/consts
index 3969aad5..c1f65ea2 100644
--- a/include/consts
+++ b/include/consts
@@ -125,6 +125,7 @@ unset LANG
GRSEC_FOUND=0
GRUBCONFFILE=""
GRUB2INSTALLBINARY=""
+ HAS_PACKAGE_MANAGER=0
HAS_SYSTEMD=0
HEADBINARY=""
HELPER=""
@@ -222,6 +223,7 @@ unset LANG
PGREPBINARY=""
PIDFILE=""
PKG_BINARY=""
+ PKGINFOBINARY=""
PKGADMINBINARY=""
PLUGINDIR=""
PLUGIN_PHASE=0
@@ -324,6 +326,7 @@ unset LANG
VULNERABLE_PACKAGES_FOUND=0
WCBINARY=""
XARGSBINARY=""
+ XBPSBINARY=""
YUMBINARY=""
ZYPPERBINARY=""
diff --git a/include/functions b/include/functions
index 492ade27..58ddabe9 100644
--- a/include/functions
+++ b/include/functions
@@ -2019,6 +2019,7 @@
PackageIsInstalled() {
exit_code=255
+ # First parameter is package name (or __dummy__ for initial test to see if package manager is available and works as expected)
if [ $# -eq 1 ]; then
package="$1"
else
@@ -2056,7 +2057,21 @@
output=$(${XBPSBINARY} ${package} 2> /dev/null | ${GREPBINARY} "^ii")
exit_code=$?
else
- ReportException "PackageIsInstalled:01"
+ if [ "${package}" != "__dummy__" ]; then
+ ReportException "PackageIsInstalled:01 (test=${TEST_NO:-unknown})"
+ fi
+ fi
+
+ # Give thumbs up if dummy package is used during initial test for package manager availability
+ if [ "${package}" = "__dummy__" ]; then
+ # There should be no positive match on this dummy package
+ if [ ${exit_code} -eq 0 ]; then
+ exit_code=1
+ elif [ ${exit_code} -eq 255 ]; then
+ exit_code=1
+ else
+ exit_code=0
+ fi
fi
return ${exit_code}
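Review bot: The `__dummy__` branch treats every exit status other than 0 and 255 as proof that a package manager is present and working, but in the xbps branch visible above, `exit_code` is the status of the trailing `${GREPBINARY}`, which is 1 whenever nothing matched, including when the query tool itself failed or printed nothing. A broken or locked package database would therefore still make the probe succeed, and the package checks gated on it would report "not installed" instead of being skipped. Consider recording in a separate flag that a manager branch was actually taken rather than inferring it from 255, and merging the two identical arms, e.g. `case ${exit_code} in 0|255) exit_code=1 ;; *) exit_code=0 ;; esac`. The other package-manager branches and the start of PackageIsInstalled lie outside this hunk, so whether they share the same pipeline pattern needs confirming.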
@@ -2499,8 +2514,8 @@
Register() {
# Do not insert a log break, if previous test was not logged
if [ ${SKIPLOGTEST} -eq 0 ]; then LogTextBreak; fi
- ROOT_ONLY=0; SKIPTEST=0; SKIPLOGTEST=0; SKIPREASON=""; TEST_NEED_OS=""; PREQS_MET=""
- TEST_CATEGORY=""; TEST_NEED_NETWORK=""; TEST_NEED_PLATFORM=""
+ ROOT_ONLY=0; SKIPTEST=0; SKIPLOGTEST=0; SKIPREASON=""; PREQS_MET=""
+ TEST_CATEGORY=""; TEST_NEED_NETWORK=""; TEST_NEED_OS=""; TEST_NEED_PKG_MGR=0; TEST_NEED_PLATFORM=""
TOTAL_TESTS=$((TOTAL_TESTS + 1))
while [ $# -ge 1 ]; do
case $1 in
@@ -2524,6 +2539,9 @@
shift
TEST_NEED_OS=$1
;;
+ --package-manager-required)
+ TEST_NEED_PKG_MGR=1
+ ;;
--preqs-met)
shift
PREQS_MET=$1
@@ -2636,6 +2654,9 @@
# Check for correct hardware platform
if [ ${SKIPTEST} -eq 0 -a -n "${TEST_NEED_PLATFORM}" -a ! "${HARDWARE}" = "${TEST_NEED_PLATFORM}" ]; then SKIPTEST=1; SKIPREASON="Incorrect hardware platform"; fi
+ # Check for required (and discovered) package manager
+ if [ ${SKIPTEST} -eq 0 -a ${TEST_NEED_PKG_MGR} -eq 1 -a ${HAS_PACKAGE_MANAGER} -eq 0 ]; then SKIPTEST=1; SKIPREASON="Requires a known package manager to test presence of a particular package"; fi
+
# Not all prerequisites met, like missing tool
if [ ${SKIPTEST} -eq 0 -a "${PREQS_MET}" = "NO" ]; then SKIPTEST=1; if [ -z "${SKIPREASON}" ]; then SKIPREASON="Prerequisites not met (ie missing tool, other type of Linux distribution)"; fi; fi
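Review bot: The new skip condition expands `${HAS_PACKAGE_MANAGER}` unquoted inside a `-a` chain, so if it is ever empty (for example if Register runs where include/consts was not sourced) `[` fails with a syntax error, the condition evaluates false, and the test runs without a package manager. Defaulting the value keeps the check fail-safe: `[ ${SKIPTEST} -eq 0 ] && [ ${TEST_NEED_PKG_MGR} -eq 1 ] && [ "${HAS_PACKAGE_MANAGER:-0}" -eq 0 ]`. The neighbouring checks use the same unquoted style, so this is a hardening suggestion rather than a regression. The rest of Register lies outside the hunk.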
diff --git a/include/tests_insecure_services b/include/tests_insecure_services
index 3bc8dfdf..5c8af1fc 100644
--- a/include/tests_insecure_services
+++ b/include/tests_insecure_services
@@ -37,7 +37,7 @@
#
# Test : INSE-8000
# Description : Check for installed inetd package
- Register --test-no INSE-8000 --weight L --network NO --category security --description "Installed inetd package"
+ Register --test-no INSE-8000 --package-manager-required --weight L --network NO --category security --description "Installed inetd package"
if [ ${SKIPTEST} -eq 0 ]; then
# Check for installed inetd daemon
LogText "Test: Checking if inetd is installed"
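Review bot: Gating all of INSE-8000 on `--package-manager-required` means a host with no recognised package manager now gets no result for this check, and the same holds for the other tests flagged in this file (INSE-8100, 8200, 8300, 8304, 8310, 8322, 8314, 8316, 8318, 8320). A skipped insecure-service test should not be read as a pass, so it is worth documenting at the test, e.g. `# Skipped when no known package manager is detected; no finding here does not mean inetd is absent`. The test bodies continue outside these hunks, so any detection in them that does not depend on PackageIsInstalled (configuration files, running processes) would presumably be skipped as well; confirm that is intended.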
@@ -134,7 +134,7 @@
#
# Test : INSE-8100
# Description : Check for installed xinetd daemon
- Register --test-no INSE-8100 --weight L --network NO --category security --description "Check for installed xinetd daemon"
+ Register --test-no INSE-8100 --package-manager-required --weight L --network NO --category security --description "Check for installed xinetd daemon"
if [ ${SKIPTEST} -eq 0 ]; then
# Check for installed xinetd daemon
LogText "Test: Checking for installed xinetd daemon"
@@ -250,7 +250,7 @@
# Test : INSE-8200
# Description : Check if tcp_wrappers is installed when inetd/xinetd is active
if [ ${INETD_ACTIVE} -eq 1 -o ${XINETD_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no INSE-8200 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check if tcp_wrappers is installed when inetd/xinetd is active"
+ Register --test-no INSE-8200 --package-manager-required --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check if tcp_wrappers is installed when inetd/xinetd is active"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking if tcp_wrappers is installed"
FOUND=0
@@ -272,7 +272,7 @@
#
# Test : INSE-8300
# Description : Check if rsh client is installed
- Register --test-no INSE-8300 --weight L --network NO --category security --description "Check if rsh client is installed"
+ Register --test-no INSE-8300 --package-manager-required --weight L --network NO --category security --description "Check if rsh client is installed"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking if rsh client is installed"
FOUND=0
@@ -328,7 +328,7 @@
#
# Test : INSE-8304
# Description : Check if rsh server is installed
- Register --test-no INSE-8304 --weight L --network NO --category security --description "Check if rsh server is installed"
+ Register --test-no INSE-8304 --package-manager-required --weight L --network NO --category security --description "Check if rsh server is installed"
if [ ${SKIPTEST} -eq 0 ]; then
# Check if rsh server is installed
LogText "Test: Checking if rsh server is installed"
@@ -352,7 +352,7 @@
#
# Test : INSE-8310
# Description : Check if telnet client is installed
- Register --test-no INSE-8310 --weight L --network NO --category security --description "Check if telnet client is installed"
+ Register --test-no INSE-8310 --package-manager-required --weight L --network NO --category security --description "Check if telnet client is installed"
if [ ${SKIPTEST} -eq 0 ]; then
# Check if telnet client is installed
LogText "Test: Checking if telnet client is installed"
@@ -373,7 +373,7 @@
#
# Test : INSE-8312
# Description : Check if telnet server is installed
- Register --test-no INSE-8322 --weight L --network NO --category security --description "Check if telnet server is installed"
+ Register --test-no INSE-8322 --package-manager-required --weight L --network NO --category security --description "Check if telnet server is installed"
if [ ${SKIPTEST} -eq 0 ]; then
# Check if TFTP server is installed
LogText "Test: Checking if telnet server is installed"
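Review bot: The header comment names this test INSE-8312 while the Register line touched here still registers it as `INSE-8322`, and the inner comment reads `# Check if TFTP server is installed` although the test is for the telnet server. The mismatch makes skip-test settings and report entries hard to map back to the source. Aligning the header (`# Test : INSE-8322`) or the `--test-no` value, and changing the inner comment to `# Check if telnet server is installed`, would remove the ambiguity. Which of the two IDs is canonical cannot be determined from this hunk.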
@@ -398,7 +398,7 @@
#
# Test : INSE-8314
# Description : Check if NIS client is installed
- Register --test-no INSE-8314 --weight L --network NO --category security --description "Check if NIS client is installed"
+ Register --test-no INSE-8314 --package-manager-required --weight L --network NO --category security --description "Check if NIS client is installed"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=""
LogText "Test: Checking if NIS client is installed"
@@ -422,7 +422,7 @@
#
# Test : INSE-8316
# Description : Check if NIS server is installed
- Register --test-no INSE-8316 --weight L --network NO --category security --description "Check if NIS server is installed"
+ Register --test-no INSE-8316 --package-manager-required --weight L --network NO --category security --description "Check if NIS server is installed"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=""
LogText "Test: Checking if NIS server is installed"
@@ -446,7 +446,7 @@
#
# Test : INSE-8318
# Description : Check if TFTP client is installed
- Register --test-no INSE-8318 --weight L --network NO --category security --description "Check if TFTP client is installed"
+ Register --test-no INSE-8318 --package-manager-required --weight L --network NO --category security --description "Check if TFTP client is installed"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking if TFTP client is installed"
FOUND=""
@@ -470,7 +470,7 @@
#
# Test : INSE-8320
# Description : Check if TFTP server is installed
- Register --test-no INSE-8320 --weight L --network NO --category security --description "Check if TFTP server is installed"
+ Register --test-no INSE-8320 --package-manager-required --weight L --network NO --category security --description "Check if TFTP server is installed"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking if TFTP server is installed"
FOUND=""
diff --git a/lynis b/lynis
index 881b8ade..d5dca003 100755
--- a/lynis
+++ b/lynis
@@ -524,6 +524,7 @@ ${NORMAL}
if [ "${OS}" = "Linux" -a "${HOSTNAME}" = "${FQDN}" ]; then
FQDN=$(hostname -f 2> /dev/null)
fi
+
#
#################################################################################
#
@@ -568,6 +569,7 @@ ${NORMAL}
fi
Report "test_category=${TEST_CATEGORY_TO_CHECK}"
Report "test_group=${TEST_GROUP_TO_CHECK}"
+
#
#################################################################################
#
@@ -630,6 +632,7 @@ ${NORMAL}
echo "Make sure to execute ${PROGRAM_NAME} from untarred directory or check your installation."
exit 1
fi
+
#
#################################################################################
#
@@ -817,6 +820,14 @@ ${NORMAL}
#
#################################################################################
#
+ # Test if we have a package manager available by testing for a dummy package (should not exist)
+ if PackageIsInstalled "__dummy__"; then
+ HAS_PACKAGE_MANAGER=1
+ LogText "Informational: package manager is used"
+ else
+ LogText "Informational: no known package manager for this system"
+ fi
+
# Use hardware detection capabilities
IsVirtualMachine
if IsContainer; then
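Review bot: The outcome of `PackageIsInstalled "__dummy__"` depends on the package-manager binary variables (such as `${XBPSBINARY}`) already being populated, and nothing in this hunk shows that binary discovery has run by this point in the script. If it has not, `HAS_PACKAGE_MANAGER` stays 0 and every test registered with `--package-manager-required` is skipped on all systems. A comment stating the dependency would guard against later reordering, e.g. `# Must run after binary discovery: PackageIsInstalled relies on the *BINARY variables`. The log text `package manager is used` also does not say which manager matched, which would help when reviewing why a package test ran or was skipped.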