diff options
author | Michael Boelen <michael.boelen@cisofy.com> | 2020-10-02 12:05:04 +0300 |
---|---|---|
committer | Michael Boelen <michael.boelen@cisofy.com> | 2020-10-02 12:05:04 +0300 |
commit | c6bd185fd7321c6ae84263dbed6a320dc70f1225 (patch) | |
tree | df9b48ce1eb6b5677efb578f77ba8d9bc4281864 | |
parent | 11be8b03ae5c2e79625e6c6af1ca3c773f478132 (diff) | |
parent | 7df0b8618b5cce39961b245a3c582af4294276d7 (diff) |
Resolved merge conflict
-rw-r--r-- | CHANGELOG.md | 13 | ||||
-rw-r--r-- | db/tests.db | 1 | ||||
-rw-r--r-- | default.prf | 7 | ||||
-rw-r--r-- | include/tests_crypto | 19 | ||||
-rw-r--r-- | include/tests_time | 115 |
5 files changed, 94 insertions, 61 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index 5a28590a..57a314b6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ ## Lynis 3.0.1 (not released yet) ### Added +- Detection of Alpine Linux - Detection of CloudLinux - Detection of Kali Linux - Detection of Linux Mint @@ -10,24 +11,30 @@ - Detection of Pop!_OS - Detection of PHP 7.4 - Malware detection tool: Microsoft Defender ATP +- New flag: --slow-warning to allow tests more time before showing a warning +- Test TIME-3185 to check systemd-timesyncd synchronized time +- rsh host file permissions ### Changed - AUTH-9229 - Added option for LOCKED accounts and bugfix for older bash versions - BOOT-5122 - Presence check for grub.d added -- CRYP-7931 - Redirect errors +- CRYP-7902 - Added support for certificates in DER format - CRYP-7931 - Added data to report +- CRYP-7931 - Redirect errors (e.g. when swap is not encrypted) - FILE-6430 - Don't grep nonexistant modprobe.d files - FIRE-4535 - Set initial firewall state - INSE-8312 - Corrected text on screen - KRNL-5728 - Handle zipped kernel configuration correctly - KRNL-5830 - Improved version detection for non-symlinked kernel - MALW-3280 - Extended detection of BitDefender +- TIME-3104 - Find more time synchronization commands +- TIME-3182 - Corrected detection of time peers - Fix: hostid generation routine would sometimes show too short IDs -- Generic improvements for macOS - Fix: language detection +- Generic improvements for macOS - German translation updated - End-of-life database updated -- Small code enhancements +- Several minor code enhancements --------------------------------------------------------------------------------- diff --git a/db/tests.db b/db/tests.db index 32347102..26fc8f87 100644 --- a/db/tests.db +++ b/db/tests.db @@ -419,6 +419,7 @@ TIME-3170:test:security:time::Check configuration files: TIME-3180:test:security:time::Report if ntpctl cannot communicate with OpenNTPD: TIME-3181:test:security:time::Check status of OpenNTPD time synchronisation TIME-3182:test:security:time::Check OpenNTPD has working peers +TIME-3185:test:security:time::Check systemd-timesyncd synchronized time TOOL-5002:test:security:tooling::Checking for automation tools: TOOL-5102:test:security:tooling::Check for presence of Fail2ban: TOOL-5104:test:security:tooling::Enabled tests for Fail2ban: diff --git a/default.prf b/default.prf index ce01db60..efd8665e 100644 --- a/default.prf +++ b/default.prf @@ -93,7 +93,7 @@ skip-plugins=no #skip-upgrade-test=yes # Locations where to search for SSL certificates (separate paths with a colon) -ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/usr/share/ca-certificates:/usr/share/gnupg:/var/www:/srv/www +ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/refind.d/keys:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/usr/share/ca-certificates:/usr/share/gnupg:/var/www:/srv/www ssl-certificate-paths-to-ignore=/etc/letsencrypt/archive: ssl-certificate-include-packages=no @@ -303,6 +303,11 @@ permfile=/etc/motd:rw-r--r--:root:root:WARN: permfile=/etc/passwd:rw-r--r--:root:-:WARN: permfile=/etc/passwd-:rw-r--r--:root:-:WARN: permfile=/etc/ssh/sshd_config:rw-------:root:-:WARN: +permfile=/etc/hosts.equiv:rw-r--r--:root:root:WARN: +permfile=/etc/shosts.equiv:rw-r--r--:root:root:WARN: +permfile=/root/.rhosts:rw-------:root:root:WARN: +permfile=/root/.rlogin:rw-------:root:root:WARN: +permfile=/root/.shosts:rw-------:root:root:WARN: # These permissions differ by OS #permfile=/etc/gshadow:---------:root:-:WARN: diff --git a/include/tests_crypto b/include/tests_crypto index 976ba7b1..d4a90cc2 100644 --- a/include/tests_crypto +++ b/include/tests_crypto @@ -54,7 +54,7 @@ LASTSUBDIR="" LogText "Result: found directory ${DIR}" # Search for certificate files - FILES=$(${FINDBINARY} ${DIR} -type f 2> /dev/null | ${EGREPBINARY} ".crt$|.pem$|^cert" | ${SORTBINARY} | ${SEDBINARY} 's/ /__space__/g') + FILES=$(${FINDBINARY} ${DIR} -type f 2> /dev/null | ${EGREPBINARY} ".cer$|.crt$|.der$|.pem$|^cert" | ${SORTBINARY} | ${SEDBINARY} 's/ /__space__/g') for FILE in ${FILES}; do FILE=$(echo ${FILE} | ${SEDBINARY} 's/__space__/ /g') # See if we need to skip this path @@ -80,16 +80,23 @@ if [ ${CANREAD} -eq 1 ]; then # Only check the files that are not installed by a package, unless enabled by profile if [ ${SSL_CERTIFICATE_INCLUDE_PACKAGES} -eq 1 ] || ! FileInstalledByPackage "${FILE}"; then + echo ${FILE} | ${EGREPBINARY} --quiet ".cer$|.der$" + CER_DER=$? OUTPUT=$(${GREPBINARY} -q 'BEGIN CERT' "${FILE}") - if [ $? -eq 0 ]; then + if [ $? -eq 0 -o ${CER_DER} -eq 0 ]; then LogText "Result: file is a certificate file" - FIND=$(${OPENSSLBINARY} x509 -noout -in "${FILE}" -enddate 2> /dev/null | ${GREPBINARY} "^notAfter") + if [ ${CER_DER} -eq 0 ]; then + SSL_DER_OPT="-inform der" + else + SSL_DER_OPT= + fi + FIND=$(${OPENSSLBINARY} x509 -noout ${SSL_DER_OPT} -in "${FILE}" -enddate 2> /dev/null | ${GREPBINARY} "^notAfter") if [ $? -eq 0 ]; then # Check certificate where 'end date' has been expired - FIND=$(${OPENSSLBINARY} x509 -noout -checkend 0 -in "${FILE}" -enddate 2> /dev/null) + FIND=$(${OPENSSLBINARY} x509 -noout ${SSL_DER_OPT} -checkend 0 -in "${FILE}" -enddate 2> /dev/null) EXIT_CODE=$? - CERT_CN=$(${OPENSSLBINARY} x509 -noout -subject -in "${FILE}" 2> /dev/null | ${SEDBINARY} -e 's/^subject.*CN=\([a-zA-Z0-9\.\-\*]*\).*$/\1/') - CERT_NOTAFTER=$(${OPENSSLBINARY} x509 -noout -enddate -in "${FILE}" 2> /dev/null | ${AWKBINARY} -F= '{if ($1=="notAfter") { print $2 }}') + CERT_CN=$(${OPENSSLBINARY} x509 -noout ${SSL_DER_OPT} -subject -in "${FILE}" 2> /dev/null | ${SEDBINARY} -e 's/^subject.*CN=\([a-zA-Z0-9\.\-\*]*\).*$/\1/') + CERT_NOTAFTER=$(${OPENSSLBINARY} x509 -noout ${SSL_DER_OPT} -enddate -in "${FILE}" 2> /dev/null | ${AWKBINARY} -F= '{if ($1=="notAfter") { print $2 }}') Report "certificate[]=${FILE}|${EXIT_CODE}|cn:${CERT_CN};notafter:${CERT_NOTAFTER};|" if [ ${EXIT_CODE} -eq 0 ]; then LogText "Result: certificate ${FILE} seems to be correct and still valid" diff --git a/include/tests_time b/include/tests_time index 7c15d0a3..eda41a6f 100644 --- a/include/tests_time +++ b/include/tests_time @@ -86,9 +86,8 @@ # Reason: openntpd syncs only if large time corrections are not required or -s is passed. # This might be not intended by the administrator (-s is NOT the default!) FIND=$(${PSBINARY} ax | ${GREPBINARY} "ntpd: ntp engine" | ${GREPBINARY} -v "grep") - ${NTPCTLBINARY} -s status > /dev/null 2> /dev/null # Status code 0 is when communication over the socket is successfull - if [ "$?" -eq 0 ]; then + if ${NTPCTLBINARY} -s status > /dev/null 2> /dev/null; then FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="openntpd" LogText "result: found openntpd (method: ntpctl)" OPENNTPD_COMMUNICATION=1 @@ -101,7 +100,7 @@ LogText "result: running openntpd not found, but ntpctl is instaalled" fi - if [ "${NTP_DAEMON}" == "openntpd" ]; then + if [ "${NTP_DAEMON}" = "openntpd" ]; then Display --indent 2 --text "- NTP daemon found: OpenNTPD" --result "${STATUS_FOUND}" --color GREEN fi fi @@ -124,39 +123,30 @@ fi # Check timedate daemon (systemd) - if [ -n "${TIMEDATECTL}" ]; then - FIND=$(${TIMEDATECTL} status | ${EGREPBINARY} "(NTP|System clock) synchronized: yes") - if [ -n "${FIND}" ]; then - # Check for systemd-timesyncd - if [ -f ${ROOTDIR}etc/systemd/timesyncd.conf ]; then - LogText "Result: found ${ROOTDIR}etc/systemd/timesyncd.conf" - FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="systemd-timesyncd" - Display --indent 2 --text "- NTP daemon found: systemd (timesyncd)" --result "${STATUS_FOUND}" --color GREEN - SYSTEMD_NTP_ENABLED=1 - else - LogText "Result: ${ROOTDIR}etc/systemd/timesyncd.conf does not exist" - fi - else - LogText "Result: time synchronization not performed according timedatectl command" - fi - else - LogText "Result: timedatectl command not available on this system" + FIND=$(${PSBINARY} ax | ${GREPBINARY} "systemd-timesyncd" | ${GREPBINARY} -v "grep") + if [ -n "${FIND}" ]; then + FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="systemd-timesyncd" + Display --indent 2 --text "- NTP daemon found: systemd (timesyncd)" --result "${STATUS_FOUND}" --color GREEN + LogText "Result: Found running systemd-timesyncd in process list" fi # Check crontab for OpenBSD/FreeBSD # Check anacrontab for Linux CRONTAB_FILES="/etc/anacrontab /etc/crontab" + # Regex for matching multiple time synchronisation binaries + # Partial sanity check for sntp and ntpdig, but this does not consider all corner cases + CRONTAB_REGEX='ntpdate|rdate|sntp.+-(s|j|--adj)|ntpdig.+-(S|s)' for I in ${CRONTAB_FILES}; do if [ -f ${I} ]; then - LogText "Test: checking for ntpdate or rdate in crontab file ${I}" - FIND=$(${EGREPBINARY} "ntpdate|rdate" ${I} | ${GREPBINARY} -v '^#') + LogText "Test: checking for ntpdate, rdate, sntp or ntpdig in crontab file ${I}" + FIND=$(${EGREPBINARY} "${CRONTAB_REGEX}" ${I} | ${GREPBINARY} -v '^#') if [ -n "${FIND}" ]; then FOUND=1; NTP_CONFIG_TYPE_SCHEDULED=1 Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "${STATUS_FOUND}" --color GREEN - LogText "Result: found ntpdate or rdate reference in crontab file ${I}" + LogText "Result: found ntpdate, rdate, sntp or ntpdig reference in crontab file ${I}" else #Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "${STATUS_NOT_FOUND}" --color WHITE - LogText "Result: no ntpdate or rdate reference found in crontab file ${I}" + LogText "Result: no ntpdate, rdate, sntp or ntpdig reference found in crontab file ${I}" fi else LogText "Result: crontab file ${I} not found" @@ -169,31 +159,18 @@ # Check cron jobs for I in ${CRON_DIRS}; do - if [ -d ${I} ]; then - if FileIsReadable ${I}; then - FIND=$(${FINDBINARY} ${I} -type f -a ! -name ".placeholder" -print 2> /dev/null | ${SEDBINARY} 's/ /__space__/g' | ${TRBINARY} '\n' '\0' | ${TRBINARY} -cd '[:print:]\0' | ${TRBINARY} '\0' ' ') + for J in "${I}"/*; do # iterate over folders in a safe way + # Check: regular file, readable and not called .placeholder + FIND=$(echo "${J}" | ${EGREPBINARY} '/.placeholder$') + if [ -f "${J}" ] && [ -r "${J}" ] && [ -z "${FIND}" ]; then + LogText "Test: checking for ntpdate, rdate, sntp or ntpdig in ${J}" + FIND=$("${EGREPBINARY}" "${CRONTAB_REGEX}" "${J}" | "${GREPBINARY}" -v "^#") if [ -n "${FIND}" ]; then - for J in ${FIND}; do - # Place back spaces if needed - J=$(echo ${J} | ${SEDBINARY} 's/__space__/ /g') - LogText "Test: checking for ntpdate or rdate in ${J}" - if FileIsReadable ${J}; then - FIND2=$(${EGREPBINARY} "rdate|ntpdate" "${J}" | ${GREPBINARY} -v "^#") - if [ -n "${FIND2}" ]; then - LogText "Positive match found: ${FIND2}" - FOUND=1; FOUND_IN_CRON=1; NTP_CONFIG_TYPE_SCHEDULED=1 - fi - else - LogText "Result: could not test in file '${J}' as it is not readable" - fi - done - else - LogText "Result: ${I} is empty, skipping search in directory" + FOUND=1; FOUND_IN_CRON=1; NTP_CONFIG_TYPE_SCHEDULED=1 + LogText "Result: found ntpdate, rdate, sntp or ntpdig in ${J}" fi - else - LogText "Result: could not search in directory due to permissions" fi - fi + done done if [ ${FOUND_IN_CRON} -eq 1 ]; then @@ -532,7 +509,7 @@ # # Test : TIME-3180 # Description : Report if ntpctl cannot communicate with OpenNTPD - if [ "${NTPD_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" == "openntpd" ]; then + if [ "${NTP_DAEMON_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" = "openntpd" ]; then PREQS_MET="YES" else PREQS_MET="NO" @@ -548,7 +525,7 @@ # # Test : TIME-3181 # Description : Check status of OpenNTPD time synchronisation - if [ "${NTPD_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" == "openntpd" ] && [ "${OPENNTPD_COMMUNICATION}" -eq 1 ]; then + if [ "${NTP_DAEMON_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" = "openntpd" ] && [ "${OPENNTPD_COMMUNICATION}" -eq 1 ]; then PREQS_MET="YES" else PREQS_MET="NO" @@ -567,7 +544,7 @@ # Test : TIME-3182 # Description : Check OpenNTPD has working peers - if [ "${NTPD_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" == "openntpd" ] && [ "${OPENNTPD_COMMUNICATION}" -eq 1 ]; then + if [ "${NTP_DAEMON_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" = "openntpd" ] && [ "${OPENNTPD_COMMUNICATION}" -eq 1 ]; then PREQS_MET="YES" else PREQS_MET="NO" @@ -576,11 +553,47 @@ Register --test-no TIME-3182 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check OpenNTPD has working peers" if [ ${SKIPTEST} -eq 0 ]; then # Format is "xx/yy peers valid, ..." - FIND=$(${NTPCTLBINARY} -s status | ${EGREPBINARY} -o "[0-9]{1,4}/" | ${EGREPBINARY} -o "[0-9]{1,4}" ) - if [ -n "${FIND}" ] || [ "${FIND}" -eq 0 ]; then + FIND=$(${NTPCTLBINARY} -s status | ${EGREPBINARY} -o '[0-9]+/[0-9]+' | ${CUTBINARY} -d '/' -f 1) + if [ -z "${FIND}" ] || [ "${FIND}" -eq 0 ]; then ReportWarning "${TEST_NO}" "OpenNTPD has no peers" "${NTPCTLBINARY} -s status" fi fi + +# +################################################################################# +# + + # Test : TIME-3185 + # Description : Check systemd-timesyncd synchronized time + + if [ "${NTP_DAEMON}" = "systemd-timesyncd" ]; then + PREQS_MET="YES" + else + PREQS_MET="NO" + fi + + + Register --test-no TIME-3185 --preqs-met "${PREQS_MET}" --weight L --network NO --category "security" --description "Check systemd-timesyncd synchronized time" + SYNCHRONIZED_FILE="/run/systemd/timesync/synchronized" + if [ ${SKIPTEST} -eq 0 ]; then + if [ -e "${SYNCHRONIZED_FILE}" ]; then + FIND=$(( $(date +%s) - $(${STATBINARY} -L --format %Y "${SYNCHRONIZED_FILE}") )) + # Check if last sync was more than 2048 seconds (= the default of systemd) ago + if [ "${FIND}" -ge 2048 ]; then + COLOR=RED + ReportWarning "${TEST_NO}" "systemd-timesyncd did not synchronized the time recently." + else + COLOR=GREEN + fi + Display --indent 2 --text "- Last time synchronization" --result "${FIND}s" --color "${COLOR}" + LogText "Result: systemd-timesyncd synchronized time ${FIND} seconds ago." + else + Display --indent 2 --text "- Last time synchronization" --result "${STATUS_NOT_FOUND}" --color RED + ReportWarning "${TEST_NO}" "systemd-timesyncd never successfully synchronized time" + fi + fi + unset SYNCHRONIZED_FILE + # ################################################################################# # |