-rw-r--r-- | db/languages/en | 6 | ||||
-rw-r--r-- | db/languages/fr | 6 | ||||
-rw-r--r-- | db/software-eol.db | 3 | ||||
-rw-r--r-- | include/binaries | 1 | ||||
-rw-r--r-- | include/consts | 1 | ||||
-rw-r--r-- | include/osdetection | 12 | ||||
-rw-r--r-- | include/tests_accounting | 56 | ||||
-rw-r--r-- | include/tests_authentication | 8 | ||||
-rw-r--r-- | include/tests_boot_services | 9 | ||||
-rw-r--r-- | include/tests_filesystems | 4 | ||||
-rw-r--r-- | include/tests_firewalls | 2 | ||||
-rw-r--r-- | include/tests_nameservices | 2 | ||||
-rw-r--r-- | include/tests_time | 4 |
13 files changed, 103 insertions, 11 deletions
diff --git a/db/languages/en b/db/languages/en
index 60be1f74..3fc11069 100644
--- a/db/languages/en
+++ b/db/languages/en
@@ -72,10 +72,14 @@ STATUS_DISABLED="DISABLED"
 STATUS_DONE="DONE"
 STATUS_ENABLED="ENABLED"
 STATUS_ERROR="ERROR"
+STATUS_EXPOSED="EXPOSED"
 STATUS_FAILED="FAILED"
 STATUS_FILES_FOUND="FILES FOUND"
 STATUS_FOUND="FOUND"
+STATUS_HARDENED="HARDENED"
 STATUS_INSTALLED="INSTALLED"
+STATUS_LOCAL_ONLY="LOCAL ONLY"
+STATUS_MEDIUM="MEDIUM"
 STATUS_NO="NO"
 STATUS_NO_UPDATE="NO UPDATE"
 STATUS_NON_DEFAULT="NON DEFAULT"
@@ -88,11 +92,13 @@ STATUS_NOT_RUNNING="NOT RUNNING"
 STATUS_OFF="OFF"
 STATUS_OK="OK"
 STATUS_ON="ON"
+STATUS_PARTIALLY_HARDENED="PARTIALLY HARDENED"
 STATUS_PROTECTED="PROTECTED"
 STATUS_RUNNING="RUNNING"
 STATUS_SKIPPED="SKIPPED"
 STATUS_SUGGESTION="SUGGESTION"
 STATUS_UNKNOWN="UNKNOWN"
+STATUS_UNSAFE="UNSAFE"
 STATUS_UPDATE_AVAILABLE="UPDATE AVAILABLE"
 STATUS_WARNING="WARNING"
 STATUS_WEAK="WEAK"
diff --git a/db/languages/fr b/db/languages/fr
index 21355c0c..d85d643d 100644
--- a/db/languages/fr
+++ b/db/languages/fr
@@ -72,10 +72,14 @@ STATUS_DISABLED="DÉSACTIVÉ"
 STATUS_DONE="FAIT"
 STATUS_ENABLED="ACTIVÉ"
 STATUS_ERROR="ERREUR"
+STATUS_EXPOSED="EXPOSÉ"
 STATUS_FAILED="ÉCHOUÉ"
 STATUS_FILES_FOUND="FICHIERS TROUVÉS"
 STATUS_FOUND="TROUVÉ"
+STATUS_HARDENED="RENFORCÉ"
 STATUS_INSTALLED="INSTALLÉ"
+STATUS_LOCAL_ONLY="LOCAL SEULEMENT"
+STATUS_MEDIUM="MOYEN"
 STATUS_NO="NON"
 STATUS_NO_UPDATE="PAS DE MISE A JOUR"
 STATUS_NON_DEFAULT="PAS PAR DÉFAUT"
@@ -88,11 +92,13 @@ STATUS_NOT_RUNNING="NON LANCÉ"
 STATUS_OFF="OFF"
 STATUS_OK="OK"
 STATUS_ON="ON"
+STATUS_PARTIALLY_HARDENED="PARTIELLEMENT RENFORCÉ"
 STATUS_PROTECTED="PROTÉGÉ"
 STATUS_RUNNING="EN COURS"
 STATUS_SKIPPED="IGNORÉ"
 STATUS_SUGGESTION="SUGGESTION"
 STATUS_UNKNOWN="INCONNU"
+STATUS_UNSAFE="RISQUÉ"
 STATUS_UPDATE_AVAILABLE="MISE A JOUR DISPONIBLE"
 STATUS_WARNING="AVERTISSEMENT"
 STATUS_WEAK="FAIBLE"
diff --git a/db/software-eol.db b/db/software-eol.db
index 0c89b74b..bebd4de8 100644
--- a/db/software-eol.db
+++ b/db/software-eol.db
@@ -14,8 +14,9 @@
 # For rolling releases or releases that do not (currently have an EOL date, leave field three empty and set field four to -1.
 # Full string for CentOS can be something like 'CentOS Linux 8 (Core)'. As this does not correctly match, shorter string is used for matching.
 #
-# Alpine - https://wiki.alpinelinux.org/wiki/Alpine_Linux:Releases
+# Alpine - https://alpinelinux.org/releases/
 #
+os:Alpine 3.13:2022-11-01:1667275200
 os:Alpine 3.12:2022-05-01:1651377600
 os:Alpine 3.11:2021-11-01:1635739200
 os:Alpine 3.10:2021-05-01:1619841600
diff --git a/include/binaries b/include/binaries
index 7d6d38c8..95182a2f 100644
--- a/include/binaries
+++ b/include/binaries
@@ -152,6 +152,7 @@
 clang) CLANGBINARY=${BINARY}; COMPILER_INSTALLED=1; LogText " Found known binary: clang (compiler) - ${BINARY}" ;;
 cfagent) CFAGENTBINARY="${BINARY}"; FILE_INT_TOOL_FOUND=1; LogText " Found known binary: cfengine agent (configuration tool) - ${BINARY}" ;;
 chkrootkit) CHKROOTKITBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: chkrootkit (malware scanner) - ${BINARY}" ;;
+ cmd_daemon) CMDBINARY=${BINARY}; LogText " Found known binary: cmd (audit framework) - ${BINARY}" ;;
 comm) COMMBINARY="${BINARY}"; LogText " Found known binary: comm (file compare) - ${BINARY}" ;;
 cryptsetup) CRYPTSETUPBINARY="${BINARY}"; LogText " Found known binary: cryptsetup (block device encryption) - ${BINARY}" ;;
 csum) CSUMBINARY="${BINARY}"; LogText " Found known binary: csum (hashing tool on AIX) - ${BINARY}" ;;
diff --git a/include/consts b/include/consts
index 513515cd..fedc7bd7 100644
--- a/include/consts
+++ b/include/consts
@@ -70,6 +70,7 @@ ETC_PATHS="/etc /usr/local/etc"
 CLAMCONF_BINARY=""
 CLAMSCANBINARY=""
 CLANGBINARY=""
+ CMDBINARY=""
 COLORS=1
 COMPLIANCE_ENABLE_CIS=0
 COMPLIANCE_ENABLE_HIPAA=0
diff --git a/include/osdetection b/include/osdetection
index 17bb28af..cf35d144 100644
--- a/include/osdetection
+++ b/include/osdetection
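Review bot: The new `cmd_daemon)` arm in include/binaries assigns `CMDBINARY=${BINARY}` without quotes, while the other arms in view (cfagent, chkrootkit, comm, cryptsetup, csum) all write `"${BINARY}"`; an unquoted path is subject to word splitting and glob expansion if a directory on the searched PATH contains whitespace or metacharacters. Use `cmd_daemon) CMDBINARY="${BINARY}"; LogText " Found known binary: cmd (audit framework) - ${BINARY}" ;;`. The enclosing case statement starts and ends outside the hunk.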
@@ -190,6 +190,12 @@
 OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
 OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
 ;;
+ "devuan")
+ LINUX_VERSION="Devuan"
+ OS_NAME="Devuan"
+ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ ;;
 "elementary")
 LINUX_VERSION="elementary OS"
 OS_NAME="elementary OS"
@@ -214,6 +220,12 @@
 OS_NAME="Flatcar Linux"
 OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
 ;;
+ "garuda")
+ LINUX_VERSION="Garuda"
+ OS_FULLNAME="Garuda Linux"
+ OS_NAME="Garuda"
+ OS_VERSION="Rolling release"
+ ;;
 "gentoo")
 LINUX_VERSION="Gentoo"
 OS_NAME="Gentoo Linux"
diff --git a/include/tests_accounting b/include/tests_accounting
index 666576fb..6954b63f 100644
--- a/include/tests_accounting
+++ b/include/tests_accounting
@@ -24,7 +24,10 @@
 #
 AUDITD_CONF_LOCS="${ROOTDIR}etc ${ROOTDIR}etc/audit"
 AUDITD_CONF_FILE=""
+ CMD_CONF_LOCS="${ROOTDIR}etc ${ROOTDIR}etc/cmd"
+ CMD_CONF_FILE=""
 LINUX_AUDITD_RUNNING=0
+ LINUX_CMD_RUNNING=0
 AUDIT_DAEMON_RUNNING=0
 SOLARIS_AUDITD_RUNNING=0
 #
@@ -415,6 +418,59 @@
 #
 #################################################################################
 #
+ # Test : ACCT-9670
+ # Description : Check cmd status
+ if [ -n "${CMDBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no ACCT-9670 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for cmd"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ LogText "Test: Check cmd status"
+ if IsRunning "cmd_daemon"; then
+ LogText "Result: cmd running"
+ Display --indent 2 --text "- Checking cmd" --result "${STATUS_ENABLED}" --color GREEN
+ LINUX_CMD_RUNNING=1
+ AUDIT_DAEMON_RUNNING=1
+ Report "audit_trail_tool[]=cmd"
+ Report "linux_cmd_running=1"
+ AddHP 4 4
+ else
+ LogText "Result: cmd not active"
+ Display --indent 2 --text "- Checking cmd" --result "${STATUS_NOT_FOUND}" --color WHITE
+ if [ ! "${VMTYPE}" = "openvz" ]; then
+ ReportSuggestion "${TEST_NO}" "Install cmd to collect audit information"
+ fi
+ AddHP 0 1
+ Report "linux_cmd_running=0"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : ACCT-9672
+ # Description : Check cmd configuration file
+ if [ -n "${CMDBINARY}" -a ${LINUX_CMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no ACCT-9672 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for cmd configuration file"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ LogText "Test: Checking cmd configuration file"
+ for DIR in ${CMD_CONF_LOCS}; do
+ if [ -f ${DIR}/config.ini ]; then
+ CMD_CONF_FILE="${DIR}/config.ini"
+ LogText "Result: Found ${DIR}/config.ini"
+ else
+ LogText "Result: ${DIR}/config.ini not found"
+ fi
+ done
+ # Check if we discovered the configuration file. It should be there is the binaries are available and process is running
+ if [ -n "${CMD_CONF_FILE}" ]; then
+ Display --indent 4 --text "- Checking cmd configuration file" --result "${STATUS_OK}" --color GREEN
+ else
+ LogText "Result: could not find cmd configuration file"
+ Display --indent 4 --text "- Checking cmd configuration file" --result "${STATUS_FOUND}" --color RED
+ ReportSuggestion "${TEST_NO}" "Determine the location of cmd configuration file"
+ fi
+ fi
+#
+#################################################################################
+#
 Report "audit_daemon_running=${AUDIT_DAEMON_RUNNING}"
 #
 #################################################################################
diff --git a/include/tests_authentication b/include/tests_authentication
index 3366bb9a..2712aa34 100644
--- a/include/tests_authentication
+++ b/include/tests_authentication
@@ -294,12 +294,12 @@
 # disabled | shadowed | no password | locked account (can be literal *LOCK* or something like LOCKED)
 ;;
 *:\$5\$*| *:\$6\$*)
- # sha256crypt | sha512crypt: check number of rounds, should be >5000
+ # sha256crypt | sha512crypt: check number of rounds, should be >=5000
 ROUNDS=$(echo "${METHOD}" | sed -n 's/.*rounds=\([0-9]*\)\$.*/\1/gp')
 if [ -z "${ROUNDS}" ]; then
- echo 'sha256crypt/sha512crypt(default<=5000rounds)'
- elif [ "${ROUNDS}" -le 5000 ]; then
- echo 'sha256crypt/sha512crypt(<=5000rounds)'
+ echo 'sha256crypt/sha512crypt(default=5000rounds)'
+ elif [ "${ROUNDS}" -lt 5000 ]; then
+ echo 'sha256crypt/sha512crypt(<5000rounds)'
 fi
 ;;
 *:\$y\$* | *:\$gy\$* | *:\$2b\$* | *:\$7\$*)
diff --git a/include/tests_boot_services b/include/tests_boot_services
index dce27ab4..c3431fbd 100644
--- a/include/tests_boot_services
+++ b/include/tests_boot_services
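Review bot: In ACCT-9672 the branch taken when no config.ini was found displays `${STATUS_FOUND}` in red, which contradicts the LogText just above it (`could not find cmd configuration file`) and the suggestion that follows; the line should be `Display --indent 4 --text "- Checking cmd configuration file" --result "${STATUS_NOT_FOUND}" --color RED`. In ACCT-9670 the prerequisite is a non-empty `${CMDBINARY}`, so when `IsRunning "cmd_daemon"` fails the binary is installed but the daemon is not running; the result label `${STATUS_NOT_FOUND}` and the suggestion text `Install cmd to collect audit information` do not match that situation, and `${STATUS_NOT_RUNNING}` (present in the language files touched by this commit) with a suggestion to enable or start cmd would describe it accurately. The comment before the final check also has a typo: `It should be there is the binaries` should read `It should be there if the binaries`.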
@@ -1068,23 +1068,28 @@
 if [ "${UNIT}" = "UNIT" ]; then
 continue
 fi
+ STATUS="UNKNOWN"
 COLOR="BLACK"
 case ${PREDICATE} in
 PERFECT | SAFE | OK)
+ STATUS="${STATUS_PROTECTED}"
 COLOR=GREEN
 ;;
 MEDIUM)
+ STATUS="${STATUS_MEDIUM}"
 COLOR=WHITE
 ;;
 EXPOSED)
+ STATUS="${STATUS_EXPOSED}"
 COLOR=YELLOW
 ;;
 UNSAFE | DANGEROUS)
+ STATUS="${STATUS_UNSAFE}"
 COLOR=RED
 ;;
 esac
- Display --indent 8 --text "- ${UNIT}:" --result "${PREDICATE}" --color "${COLOR}"
- LogText "Result: ${UNIT}: ${EXPOSURE} ${PREDICATE}"
+ Display --indent 8 --text "- ${UNIT}:" --result "${STATUS}" --color "${COLOR}"
+ LogText "Result: ${UNIT}: ${EXPOSURE} ${STATUS}"
 done
 ReportSuggestion "${TEST_NO}" "Consider hardening system services" "Run '${SYSTEMDANALYZEBINARY} security SERVICE' for each service"
 fi
diff --git a/include/tests_filesystems b/include/tests_filesystems
index 08f8d001..d3a6eaab 100644
--- a/include/tests_filesystems
+++ b/include/tests_filesystems
@@ -606,11 +606,11 @@
 done
 if [ ${FULLY_HARDENED} -eq 1 ]; then
 LogText "Result: marked ${FILESYSTEM} as fully hardened"
- Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result HARDENED --color GREEN
+ Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "${STATUS_HARDENED}" --color GREEN
 AddHP 5 5
 elif [ ${PARTIALLY_HARDENED} -eq 1 ]; then
 LogText "Result: marked ${FILESYSTEM} as partially hardened"
- Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "PARTIALLY HARDENED" --color YELLOW
+ Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "${STATUS_PARTIALLY_HARDENED}" --color YELLOW
 AddHP 4 5
 else
 # if
diff --git a/include/tests_firewalls b/include/tests_firewalls
index 06798ea7..44d6c441 100644
--- a/include/tests_firewalls
+++ b/include/tests_firewalls
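Review bot: The new `STATUS="UNKNOWN"` default in tests_boot_services is a hard-coded literal while every other assignment in the hunk uses a language-file variable, and `STATUS_UNKNOWN` already exists (it appears as context in the db/languages hunks of this commit); use `STATUS="${STATUS_UNKNOWN}"`. Switching the LogText line from `${PREDICATE}` to `${STATUS}` also changes what goes into the log: the raw systemd-analyze verdict is replaced by a translated label, and PERFECT, SAFE and OK all collapse into one value, so the original verdict can no longer be recovered when reading or grepping the log. Keeping `LogText "Result: ${UNIT}: ${EXPOSURE} ${PREDICATE}"` for the log while using `${STATUS}` only for Display preserves both. The enclosing loop begins outside the hunk.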
@@ -506,7 +506,7 @@
 Register --test-no FIRE-4540 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check for empty nftables configuration"
 if [ ${SKIPTEST} -eq 0 ]; then
 # Check for empty ruleset
- NFT_RULES_LENGTH=$(${NFTBINARY} list ruleset --stateless 2> /dev/null | ${EGREPBINARY} -v "table|chain|;$|}$|^$" | ${WCBINARY} -l)
+ NFT_RULES_LENGTH=$(${NFTBINARY} --stateless list ruleset 2> /dev/null | ${EGREPBINARY} -v "table|chain|;$|}$|^$" | ${WCBINARY} -l)
 if [ ${NFT_RULES_LENGTH} -le 3 ]; then
 FIREWALL_EMPTY_RULESET=1
 LogText "Result: this firewall set has 3 rules or less and is considered to be empty"
diff --git a/include/tests_nameservices b/include/tests_nameservices
index aadc0a91..8c483d08 100644
--- a/include/tests_nameservices
+++ b/include/tests_nameservices
@@ -578,7 +578,7 @@
 else
 LogText "Found duplicate line: ${OUTPUT}"
 LogText "Result: found duplicate line"
- Display --indent 4 --text "- Duplicate entries in hosts file" --result "$STATUS_FOUND}" --color YELLOW
+ Display --indent 4 --text "- Duplicate entries in hosts file" --result "${STATUS_FOUND}" --color YELLOW
 ReportSuggestion "${TEST_NO}" "Remove duplicate lines in ${ROOTDIR}etc/hosts"
 fi
 fi
diff --git a/include/tests_time b/include/tests_time
index 06a7cd45..df9a86b7 100644
--- a/include/tests_time
+++ b/include/tests_time
@@ -585,6 +585,10 @@
 if [ ! -e "${SYNCHRONIZED_FILE}" ]; then
 SYNCHRONIZED_FILE="/var/lib/private/systemd/timesync/clock"
 fi
+ # Fix for debian stretch
+ if [ ! -e "${SYNCHRONIZED_FILE}" ]; then
+ SYNCHRONIZED_FILE="/var/lib/systemd/clock"
+ fi
 if [ -e "${SYNCHRONIZED_FILE}" ]; then
 FIND=$(( $(date +%s) - $(${STATBINARY} -L --format %Y "${SYNCHRONIZED_FILE}") ))
 # Check if last sync was more than 2048 seconds (= the default of systemd) ago
|