-rw-r--r--db/languages/en6
-rw-r--r--db/languages/fr6
-rw-r--r--db/software-eol.db3
-rw-r--r--include/binaries1
-rw-r--r--include/consts1
-rw-r--r--include/osdetection12
-rw-r--r--include/tests_accounting56
-rw-r--r--include/tests_authentication8
-rw-r--r--include/tests_boot_services9
-rw-r--r--include/tests_filesystems4
-rw-r--r--include/tests_firewalls2
-rw-r--r--include/tests_nameservices2
-rw-r--r--include/tests_time4
13 files changed, 103 insertions, 11 deletions
diff --git a/db/languages/en b/db/languages/en
index 60be1f74..3fc11069 100644
--- a/db/languages/en
+++ b/db/languages/en
@@ -72,10 +72,14 @@ STATUS_DISABLED="DISABLED"
STATUS_DONE="DONE"
STATUS_ENABLED="ENABLED"
STATUS_ERROR="ERROR"
+STATUS_EXPOSED="EXPOSED"
STATUS_FAILED="FAILED"
STATUS_FILES_FOUND="FILES FOUND"
STATUS_FOUND="FOUND"
+STATUS_HARDENED="HARDENED"
STATUS_INSTALLED="INSTALLED"
+STATUS_LOCAL_ONLY="LOCAL ONLY"
+STATUS_MEDIUM="MEDIUM"
STATUS_NO="NO"
STATUS_NO_UPDATE="NO UPDATE"
STATUS_NON_DEFAULT="NON DEFAULT"
@@ -88,11 +92,13 @@ STATUS_NOT_RUNNING="NOT RUNNING"
STATUS_OFF="OFF"
STATUS_OK="OK"
STATUS_ON="ON"
+STATUS_PARTIALLY_HARDENED="PARTIALLY HARDENED"
STATUS_PROTECTED="PROTECTED"
STATUS_RUNNING="RUNNING"
STATUS_SKIPPED="SKIPPED"
STATUS_SUGGESTION="SUGGESTION"
STATUS_UNKNOWN="UNKNOWN"
+STATUS_UNSAFE="UNSAFE"
STATUS_UPDATE_AVAILABLE="UPDATE AVAILABLE"
STATUS_WARNING="WARNING"
STATUS_WEAK="WEAK"
diff --git a/db/languages/fr b/db/languages/fr
index 21355c0c..d85d643d 100644
--- a/db/languages/fr
+++ b/db/languages/fr
@@ -72,10 +72,14 @@ STATUS_DISABLED="DÉSACTIVÉ"
STATUS_DONE="FAIT"
STATUS_ENABLED="ACTIVÉ"
STATUS_ERROR="ERREUR"
+STATUS_EXPOSED="EXPOSÉ"
STATUS_FAILED="ÉCHOUÉ"
STATUS_FILES_FOUND="FICHIERS TROUVÉS"
STATUS_FOUND="TROUVÉ"
+STATUS_HARDENED="RENFORCÉ"
STATUS_INSTALLED="INSTALLÉ"
+STATUS_LOCAL_ONLY="LOCAL SEULEMENT"
+STATUS_MEDIUM="MOYEN"
STATUS_NO="NON"
STATUS_NO_UPDATE="PAS DE MISE A JOUR"
STATUS_NON_DEFAULT="PAS PAR DÉFAUT"
@@ -88,11 +92,13 @@ STATUS_NOT_RUNNING="NON LANCÉ"
STATUS_OFF="OFF"
STATUS_OK="OK"
STATUS_ON="ON"
+STATUS_PARTIALLY_HARDENED="PARTIELLEMENT RENFORCÉ"
STATUS_PROTECTED="PROTÉGÉ"
STATUS_RUNNING="EN COURS"
STATUS_SKIPPED="IGNORÉ"
STATUS_SUGGESTION="SUGGESTION"
STATUS_UNKNOWN="INCONNU"
+STATUS_UNSAFE="RISQUÉ"
STATUS_UPDATE_AVAILABLE="MISE A JOUR DISPONIBLE"
STATUS_WARNING="AVERTISSEMENT"
STATUS_WEAK="FAIBLE"
diff --git a/db/software-eol.db b/db/software-eol.db
index 0c89b74b..bebd4de8 100644
--- a/db/software-eol.db
+++ b/db/software-eol.db
@@ -14,8 +14,9 @@
# For rolling releases or releases that do not (currently have an EOL date, leave field three empty and set field four to -1.
# Full string for CentOS can be something like 'CentOS Linux 8 (Core)'. As this does not correctly match, shorter string is used for matching.
#
-# Alpine - https://wiki.alpinelinux.org/wiki/Alpine_Linux:Releases
+# Alpine - https://alpinelinux.org/releases/
#
+os:Alpine 3.13:2022-11-01:1667275200
os:Alpine 3.12:2022-05-01:1651377600
os:Alpine 3.11:2021-11-01:1635739200
os:Alpine 3.10:2021-05-01:1619841600
diff --git a/include/binaries b/include/binaries
index 7d6d38c8..95182a2f 100644
--- a/include/binaries
+++ b/include/binaries
@@ -152,6 +152,7 @@
clang) CLANGBINARY=${BINARY}; COMPILER_INSTALLED=1; LogText " Found known binary: clang (compiler) - ${BINARY}" ;;
cfagent) CFAGENTBINARY="${BINARY}"; FILE_INT_TOOL_FOUND=1; LogText " Found known binary: cfengine agent (configuration tool) - ${BINARY}" ;;
chkrootkit) CHKROOTKITBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: chkrootkit (malware scanner) - ${BINARY}" ;;
+ cmd_daemon) CMDBINARY=${BINARY}; LogText " Found known binary: cmd (audit framework) - ${BINARY}" ;;
comm) COMMBINARY="${BINARY}"; LogText " Found known binary: comm (file compare) - ${BINARY}" ;;
cryptsetup) CRYPTSETUPBINARY="${BINARY}"; LogText " Found known binary: cryptsetup (block device encryption) - ${BINARY}" ;;
csum) CSUMBINARY="${BINARY}"; LogText " Found known binary: csum (hashing tool on AIX) - ${BINARY}" ;;
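Review bot: The new `cmd_daemon` arm assigns `CMDBINARY=${BINARY}` without quotes, while the neighbouring `cfagent`, `chkrootkit` and `comm` arms quote the value; a binary path containing whitespace would be word-split on assignment. Use `cmd_daemon) CMDBINARY="${BINARY}"; LogText " Found known binary: cmd (audit framework) - ${BINARY}" ;;` to match the siblings. The enclosing `case` statement starts and ends outside this hunk.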
diff --git a/include/consts b/include/consts
index 513515cd..fedc7bd7 100644
--- a/include/consts
+++ b/include/consts
@@ -70,6 +70,7 @@ ETC_PATHS="/etc /usr/local/etc"
CLAMCONF_BINARY=""
CLAMSCANBINARY=""
CLANGBINARY=""
+ CMDBINARY=""
COLORS=1
COMPLIANCE_ENABLE_CIS=0
COMPLIANCE_ENABLE_HIPAA=0
diff --git a/include/osdetection b/include/osdetection
index 17bb28af..cf35d144 100644
--- a/include/osdetection
+++ b/include/osdetection
@@ -190,6 +190,12 @@
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
+ "devuan")
+ LINUX_VERSION="Devuan"
+ OS_NAME="Devuan"
+ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ ;;
"elementary")
LINUX_VERSION="elementary OS"
OS_NAME="elementary OS"
@@ -214,6 +220,12 @@
OS_NAME="Flatcar Linux"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
+ "garuda")
+ LINUX_VERSION="Garuda"
+ OS_FULLNAME="Garuda Linux"
+ OS_NAME="Garuda"
+ OS_VERSION="Rolling release"
+ ;;
"gentoo")
LINUX_VERSION="Gentoo"
OS_NAME="Gentoo Linux"
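Review bot: The `garuda` arm hard-codes `OS_VERSION="Rolling release"` instead of reading `VERSION_ID` from /etc/os-release as the `devuan` arm above does, so anything that keys on OS name plus version (the software-eol.db entries in this same commit look like such a lookup) receives free text rather than a version string. If Garuda's os-release genuinely carries no usable `VERSION_ID`, a one-line comment saying so, e.g. `# Garuda is rolling; os-release has no stable VERSION_ID to record`, would stop the next maintainer from "fixing" it. The arm also sets `OS_FULLNAME` while the `devuan` arm does not, so one of the two is presumably missing a field the rest of detection expects — which one I cannot tell from this hunk. The enclosing `case` starts and ends outside the hunk.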
diff --git a/include/tests_accounting b/include/tests_accounting
index 666576fb..6954b63f 100644
--- a/include/tests_accounting
+++ b/include/tests_accounting
@@ -24,7 +24,10 @@
#
AUDITD_CONF_LOCS="${ROOTDIR}etc ${ROOTDIR}etc/audit"
AUDITD_CONF_FILE=""
+ CMD_CONF_LOCS="${ROOTDIR}etc ${ROOTDIR}etc/cmd"
+ CMD_CONF_FILE=""
LINUX_AUDITD_RUNNING=0
+ LINUX_CMD_RUNNING=0
AUDIT_DAEMON_RUNNING=0
SOLARIS_AUDITD_RUNNING=0
#
@@ -415,6 +418,59 @@
#
#################################################################################
#
+ # Test : ACCT-9670
+ # Description : Check cmd status
+ if [ -n "${CMDBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no ACCT-9670 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for cmd"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ LogText "Test: Check cmd status"
+ if IsRunning "cmd_daemon"; then
+ LogText "Result: cmd running"
+ Display --indent 2 --text "- Checking cmd" --result "${STATUS_ENABLED}" --color GREEN
+ LINUX_CMD_RUNNING=1
+ AUDIT_DAEMON_RUNNING=1
+ Report "audit_trail_tool[]=cmd"
+ Report "linux_cmd_running=1"
+ AddHP 4 4
+ else
+ LogText "Result: cmd not active"
+ Display --indent 2 --text "- Checking cmd" --result "${STATUS_NOT_FOUND}" --color WHITE
+ if [ ! "${VMTYPE}" = "openvz" ]; then
+ ReportSuggestion "${TEST_NO}" "Install cmd to collect audit information"
+ fi
+ AddHP 0 1
+ Report "linux_cmd_running=0"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : ACCT-9672
+ # Description : Check cmd configuration file
+ if [ -n "${CMDBINARY}" -a ${LINUX_CMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no ACCT-9672 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for cmd configuration file"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ LogText "Test: Checking cmd configuration file"
+ for DIR in ${CMD_CONF_LOCS}; do
+ if [ -f ${DIR}/config.ini ]; then
+ CMD_CONF_FILE="${DIR}/config.ini"
+ LogText "Result: Found ${DIR}/config.ini"
+ else
+ LogText "Result: ${DIR}/config.ini not found"
+ fi
+ done
+ # Check if we discovered the configuration file. It should be there is the binaries are available and process is running
+ if [ -n "${CMD_CONF_FILE}" ]; then
+ Display --indent 4 --text "- Checking cmd configuration file" --result "${STATUS_OK}" --color GREEN
+ else
+ LogText "Result: could not find cmd configuration file"
+ Display --indent 4 --text "- Checking cmd configuration file" --result "${STATUS_FOUND}" --color RED
+ ReportSuggestion "${TEST_NO}" "Determine the location of cmd configuration file"
+ fi
+ fi
+#
+#################################################################################
+#
Report "audit_daemon_running=${AUDIT_DAEMON_RUNNING}"
#
#################################################################################
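Review bot: In ACCT-9672 the failure branch displays `${STATUS_FOUND}` in red when the configuration file was not found, contradicting the log line and suggestion right next to it. Change it to `Display --indent 4 --text "- Checking cmd configuration file" --result "${STATUS_NOT_FOUND}" --color RED`. In ACCT-9670 the else branch likewise reports `${STATUS_NOT_FOUND}`, yet the test only runs when `CMDBINARY` is set, so the daemon was found but is not running; `${STATUS_NOT_RUNNING}` describes that state and is already defined in the language files. Minor: the comment "It should be there is the binaries are available" should read "if the binaries", and `[ -f ${DIR}/config.ini ]` should quote the path since `${ROOTDIR}` is user-controlled. The surrounding file structure (the `Report "audit_daemon_running=…"` line and header blocks) continues outside this hunk.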
diff --git a/include/tests_authentication b/include/tests_authentication
index 3366bb9a..2712aa34 100644
--- a/include/tests_authentication
+++ b/include/tests_authentication
@@ -294,12 +294,12 @@
# disabled | shadowed | no password | locked account (can be literal *LOCK* or something like LOCKED)
;;
*:\$5\$*| *:\$6\$*)
- # sha256crypt | sha512crypt: check number of rounds, should be >5000
+ # sha256crypt | sha512crypt: check number of rounds, should be >=5000
ROUNDS=$(echo "${METHOD}" | sed -n 's/.*rounds=\([0-9]*\)\$.*/\1/gp')
if [ -z "${ROUNDS}" ]; then
- echo 'sha256crypt/sha512crypt(default<=5000rounds)'
- elif [ "${ROUNDS}" -le 5000 ]; then
- echo 'sha256crypt/sha512crypt(<=5000rounds)'
+ echo 'sha256crypt/sha512crypt(default=5000rounds)'
+ elif [ "${ROUNDS}" -lt 5000 ]; then
+ echo 'sha256crypt/sha512crypt(<5000rounds)'
fi
;;
*:\$y\$* | *:\$gy\$* | *:\$2b\$* | *:\$7\$*)
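Review bot: The updated comment says rounds should be >=5000 and the explicit check now flags only `-lt 5000`, yet the `-z "${ROUNDS}"` branch still echoes `default=5000rounds`, so a hash at the default (exactly 5000 rounds for sha256crypt/sha512crypt) is still reported while an explicit `rounds=5000` is not. Either drop the echo in the default branch to match the new threshold, or, if the intent is to nudge users above the default, state that in the comment, e.g. `# sha256crypt | sha512crypt: report hashes at the default 5000 rounds or below; more rounds recommended`. The surrounding `case` and the function it belongs to start and end outside this hunk, so I cannot see how the echoed string is consumed downstream.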
diff --git a/include/tests_boot_services b/include/tests_boot_services
index dce27ab4..c3431fbd 100644
--- a/include/tests_boot_services
+++ b/include/tests_boot_services
@@ -1068,23 +1068,28 @@
if [ "${UNIT}" = "UNIT" ]; then
continue
fi
+ STATUS="UNKNOWN"
COLOR="BLACK"
case ${PREDICATE} in
PERFECT | SAFE | OK)
+ STATUS="${STATUS_PROTECTED}"
COLOR=GREEN
;;
MEDIUM)
+ STATUS="${STATUS_MEDIUM}"
COLOR=WHITE
;;
EXPOSED)
+ STATUS="${STATUS_EXPOSED}"
COLOR=YELLOW
;;
UNSAFE | DANGEROUS)
+ STATUS="${STATUS_UNSAFE}"
COLOR=RED
;;
esac
- Display --indent 8 --text "- ${UNIT}:" --result "${PREDICATE}" --color "${COLOR}"
- LogText "Result: ${UNIT}: ${EXPOSURE} ${PREDICATE}"
+ Display --indent 8 --text "- ${UNIT}:" --result "${STATUS}" --color "${COLOR}"
+ LogText "Result: ${UNIT}: ${EXPOSURE} ${STATUS}"
done
ReportSuggestion "${TEST_NO}" "Consider hardening system services" "Run '${SYSTEMDANALYZEBINARY} security SERVICE' for each service"
fi
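Review bot: The default `STATUS="UNKNOWN"` on the first added line is a bare literal while every other arm uses the localized `STATUS_*` constants; use `STATUS="${STATUS_UNKNOWN}"` so an unmatched predicate renders in the selected language as well. Separately, the changed `LogText` line now records the translated `${STATUS}` instead of the raw `${PREDICATE}`, which makes the log file locale-dependent and harder to grep or parse; keep the display localized but log the original value, `LogText "Result: ${UNIT}: ${EXPOSURE} ${PREDICATE}"`. The enclosing loop and test block start outside this hunk.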
diff --git a/include/tests_filesystems b/include/tests_filesystems
index 08f8d001..d3a6eaab 100644
--- a/include/tests_filesystems
+++ b/include/tests_filesystems
@@ -606,11 +606,11 @@
done
if [ ${FULLY_HARDENED} -eq 1 ]; then
LogText "Result: marked ${FILESYSTEM} as fully hardened"
- Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result HARDENED --color GREEN
+ Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "${STATUS_HARDENED}" --color GREEN
AddHP 5 5
elif [ ${PARTIALLY_HARDENED} -eq 1 ]; then
LogText "Result: marked ${FILESYSTEM} as partially hardened"
- Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "PARTIALLY HARDENED" --color YELLOW
+ Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "${STATUS_PARTIALLY_HARDENED}" --color YELLOW
AddHP 4 5
else
# if
diff --git a/include/tests_firewalls b/include/tests_firewalls
index 06798ea7..44d6c441 100644
--- a/include/tests_firewalls
+++ b/include/tests_firewalls
@@ -506,7 +506,7 @@
Register --test-no FIRE-4540 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check for empty nftables configuration"
if [ ${SKIPTEST} -eq 0 ]; then
# Check for empty ruleset
- NFT_RULES_LENGTH=$(${NFTBINARY} list ruleset --stateless 2> /dev/null | ${EGREPBINARY} -v "table|chain|;$|}$|^$" | ${WCBINARY} -l)
+ NFT_RULES_LENGTH=$(${NFTBINARY} --stateless list ruleset 2> /dev/null | ${EGREPBINARY} -v "table|chain|;$|}$|^$" | ${WCBINARY} -l)
if [ ${NFT_RULES_LENGTH} -le 3 ]; then
FIREWALL_EMPTY_RULESET=1
LogText "Result: this firewall set has 3 rules or less and is considered to be empty"
diff --git a/include/tests_nameservices b/include/tests_nameservices
index aadc0a91..8c483d08 100644
--- a/include/tests_nameservices
+++ b/include/tests_nameservices
@@ -578,7 +578,7 @@
else
LogText "Found duplicate line: ${OUTPUT}"
LogText "Result: found duplicate line"
- Display --indent 4 --text "- Duplicate entries in hosts file" --result "$STATUS_FOUND}" --color YELLOW
+ Display --indent 4 --text "- Duplicate entries in hosts file" --result "${STATUS_FOUND}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Remove duplicate lines in ${ROOTDIR}etc/hosts"
fi
fi
diff --git a/include/tests_time b/include/tests_time
index 06a7cd45..df9a86b7 100644
--- a/include/tests_time
+++ b/include/tests_time
@@ -585,6 +585,10 @@
if [ ! -e "${SYNCHRONIZED_FILE}" ]; then
SYNCHRONIZED_FILE="/var/lib/private/systemd/timesync/clock"
fi
+ # Fix for debian stretch
+ if [ ! -e "${SYNCHRONIZED_FILE}" ]; then
+ SYNCHRONIZED_FILE="/var/lib/systemd/clock"
+ fi
if [ -e "${SYNCHRONIZED_FILE}" ]; then
FIND=$(( $(date +%s) - $(${STATBINARY} -L --format %Y "${SYNCHRONIZED_FILE}") ))
# Check if last sync was more than 2048 seconds (= the default of systemd) ago
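Review bot: The comment `# Fix for debian stretch` on the new fallback records when it was added but not why the path differs, so a maintainer later cannot judge whether it is safe to remove. Prefer something like `# Older systemd (e.g. Debian stretch) presumably kept the timesync stamp at /var/lib/systemd/clock rather than the timesync/ paths tried above`. The three sequential fallbacks could also become a single `for` loop over the candidate paths that stops at the first existing one, which would keep future additions from growing the if-chain. The enclosing test block starts before and ends after this hunk.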