63 files changed, 340 insertions, 158 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index 15ffd07d..24a77d17 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,13 +1,25 @@ # Lynis Changelog -## Lynis 3.0.3 (not released yet) +## Lynis 3.0.4 (not released yet) + +### Changed +- BOOT-5104 - Add service manager detection support for runit +- FILE-6430 - Report suggestion only when at least one kernel module is not in the blacklist +- Corrected issue when Lynis is not executed directly from lynis directory + +--------------------------------------------------------------------------------- + +## Lynis 3.0.3 (2021-01-07) ### Added +- HRDN-7231 - Check for registered non-native binary formats - OS detection of Parrot GNU/Linux ### Changed - +- DBS-1816 - Force test to check only password authentication +- KRNL-5677 - Support for NetBSD +- Bugfix: command 'configure settings' did not work as intended --------------------------------------------------------------------------------- @@ -98,4 +98,4 @@ ================================================================================ - Lynis - Copyright 2007-2020, Michael Boelen, CISOfy - https://cisofy.com + Lynis - Copyright 2007-2021, Michael Boelen, CISOfy - https://cisofy.com @@ -48,4 +48,4 @@ ================================================================================ - Lynis - Copyright 2007-2020, Michael Boelen, CISOfy - https://cisofy.com + Lynis - Copyright 2007-2021, Michael Boelen, CISOfy - https://cisofy.com diff --git a/db/languages/en b/db/languages/en index 409b92d5..3fc11069 100644 --- a/db/languages/en +++ b/db/languages/en @@ -64,6 +64,7 @@ SECTION_USERS_GROUPS_AND_AUTHENTICATION="Users, Groups and Authentication" SECTION_VIRTUALIZATION="Virtualization" SECTION_WEBSERVER="Software: webserver" STATUS_ACTIVE="ACTIVE" +STATUS_CHECK_NEEDED="CHECK NEEDED" STATUS_DEBUG="DEBUG" STATUS_DEFAULT="DEFAULT" STATUS_DIFFERENT="DIFFERENT" 
@@ -71,12 +72,17 @@ STATUS_DISABLED="DISABLED" STATUS_DONE="DONE" STATUS_ENABLED="ENABLED" STATUS_ERROR="ERROR" +STATUS_EXPOSED="EXPOSED" STATUS_FAILED="FAILED" STATUS_FILES_FOUND="FILES FOUND" STATUS_FOUND="FOUND" +STATUS_HARDENED="HARDENED" STATUS_INSTALLED="INSTALLED" +STATUS_LOCAL_ONLY="LOCAL ONLY" +STATUS_MEDIUM="MEDIUM" STATUS_NO="NO" STATUS_NO_UPDATE="NO UPDATE" +STATUS_NON_DEFAULT="NON DEFAULT" STATUS_NONE="NONE" STATUS_NOT_CONFIGURED="NOT CONFIGURED" STATUS_NOT_DISABLED="NOT DISABLED" @@ -86,11 +92,13 @@ STATUS_NOT_RUNNING="NOT RUNNING" STATUS_OFF="OFF" STATUS_OK="OK" STATUS_ON="ON" +STATUS_PARTIALLY_HARDENED="PARTIALLY HARDENED" STATUS_PROTECTED="PROTECTED" STATUS_RUNNING="RUNNING" STATUS_SKIPPED="SKIPPED" STATUS_SUGGESTION="SUGGESTION" STATUS_UNKNOWN="UNKNOWN" +STATUS_UNSAFE="UNSAFE" STATUS_UPDATE_AVAILABLE="UPDATE AVAILABLE" STATUS_WARNING="WARNING" STATUS_WEAK="WEAK" diff --git a/db/languages/fr b/db/languages/fr index 8b99e548..d85d643d 100644 --- a/db/languages/fr +++ b/db/languages/fr @@ -39,7 +39,7 @@ SECTION_KERNEL="Noyau" SECTION_KERNEL_HARDENING="Kernel Hardening" SECTION_LDAP_SERVICES="Services LDAP" SECTION_LOGGING_AND_FILES="Journalisation et fichiers" -SECTION_MALWARE="Logiciel : Malveillant" +SECTION_MALWARE="Logiciel : Malveillants" SECTION_MEMORY_AND_PROCESSES="Mémoire et processus" SECTION_NAME_SERVICES="Services de noms" SECTION_NETWORKING="Mise en réseau" @@ -64,6 +64,7 @@ SECTION_USERS_GROUPS_AND_AUTHENTICATION="Utilisateurs, groupes et authentificati SECTION_VIRTUALIZATION="Virtualisation" SECTION_WEBSERVER="Logiciel : Serveur web" STATUS_ACTIVE="ACTIF" +STATUS_CHECK_NEEDED="VÉRIFICATION NÉCESSAIRE" STATUS_DEBUG="DÉBUG" STATUS_DEFAULT="PAR DÉFAUT" STATUS_DIFFERENT="DIFFÉRENT" 
@@ -71,12 +72,17 @@ STATUS_DISABLED="DÉSACTIVÉ" STATUS_DONE="FAIT" STATUS_ENABLED="ACTIVÉ" STATUS_ERROR="ERREUR" +STATUS_EXPOSED="EXPOSÉ" STATUS_FAILED="ÉCHOUÉ" STATUS_FILES_FOUND="FICHIERS TROUVÉS" STATUS_FOUND="TROUVÉ" +STATUS_HARDENED="RENFORCÉ" STATUS_INSTALLED="INSTALLÉ" +STATUS_LOCAL_ONLY="LOCAL SEULEMENT" +STATUS_MEDIUM="MOYEN" STATUS_NO="NON" STATUS_NO_UPDATE="PAS DE MISE A JOUR" +STATUS_NON_DEFAULT="PAS PAR DÉFAUT" STATUS_NONE="AUCUN" STATUS_NOT_CONFIGURED="NON CONFIGURÉ" STATUS_NOT_DISABLED="NON DESACTIVÉ" @@ -86,11 +92,13 @@ STATUS_NOT_RUNNING="NON LANCÉ" STATUS_OFF="OFF" STATUS_OK="OK" STATUS_ON="ON" +STATUS_PARTIALLY_HARDENED="PARTIELLEMENT RENFORCÉ" STATUS_PROTECTED="PROTÉGÉ" STATUS_RUNNING="EN COURS" STATUS_SKIPPED="IGNORÉ" STATUS_SUGGESTION="SUGGESTION" STATUS_UNKNOWN="INCONNU" +STATUS_UNSAFE="RISQUÉ" STATUS_UPDATE_AVAILABLE="MISE A JOUR DISPONIBLE" STATUS_WARNING="AVERTISSEMENT" STATUS_WEAK="FAIBLE" diff --git a/db/software-eol.db b/db/software-eol.db index 0c89b74b..bebd4de8 100644 --- a/db/software-eol.db +++ b/db/software-eol.db @@ -14,8 +14,9 @@ # For rolling releases or releases that do not (currently have an EOL date, leave field three empty and set field four to -1. # Full string for CentOS can be something like 'CentOS Linux 8 (Core)'. As this does not correctly match, shorter string is used for matching. # -# Alpine - https://wiki.alpinelinux.org/wiki/Alpine_Linux:Releases +# Alpine - https://alpinelinux.org/releases/ # +os:Alpine 3.13:2022-11-01:1667275200 os:Alpine 3.12:2022-05-01:1651377600 os:Alpine 3.11:2021-11-01:1635739200 os:Alpine 3.10:2021-05-01:1619841600 diff --git a/db/tests.db b/db/tests.db index 9ab2a9ca..c70feecc 100644 --- a/db/tests.db +++ b/db/tests.db 
@@ -14,6 +14,8 @@ ACCT-9654:test:security:accounting:Solaris:Check BSM auditing in /etc/system: ACCT-9656:test:security:accounting:Solaris:Check BSM auditing in module list: ACCT-9660:test:security:accounting:Solaris:Check location of audit events: ACCT-9662:test:security:accounting:Solaris:Check Solaris auditing stats: +ACCT-9670:test:security:accounting:Linux:Check for cmd tooling: +ACCT-9672:test:security:accounting:Linux:Check cmd configuration file: AUTH-9204:test:security:authentication::Check users with an UID of zero: AUTH-9208:test:security:authentication::Check non-unique accounts in passwd file: AUTH-9212:test:security:authentication::Test group file: @@ -172,6 +174,7 @@ HOME-9350:test:security:homedirs::Collecting information from home directories: HRDN-7220:test:security:hardening::Check if one or more compilers are installed: HRDN-7222:test:security:hardening::Check compiler permissions: HRDN-7230:test:security:hardening::Check for malware scanner: +HRDN-7231:test:security:hardening:Linux:Check for registered non-native binary formats: HTTP-6622:test:security:webservers::Checking Apache presence: HTTP-6624:test:security:webservers::Testing main Apache configuration file: HTTP-6626:test:security:webservers::Testing other Apache configuration file: diff --git a/include/binaries b/include/binaries index 95d56c3d..95182a2f 100644 --- a/include/binaries +++ b/include/binaries @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2020, CISOfy +# Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com 
@@ -152,6 +152,7 @@ clang) CLANGBINARY=${BINARY}; COMPILER_INSTALLED=1; LogText " Found known binary: clang (compiler) - ${BINARY}" ;; cfagent) CFAGENTBINARY="${BINARY}"; FILE_INT_TOOL_FOUND=1; LogText " Found known binary: cfengine agent (configuration tool) - ${BINARY}" ;; chkrootkit) CHKROOTKITBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: chkrootkit (malware scanner) - ${BINARY}" ;; + cmd_daemon) CMDBINARY=${BINARY}; LogText " Found known binary: cmd (audit framework) - ${BINARY}" ;; comm) COMMBINARY="${BINARY}"; LogText " Found known binary: comm (file compare) - ${BINARY}" ;; cryptsetup) CRYPTSETUPBINARY="${BINARY}"; LogText " Found known binary: cryptsetup (block device encryption) - ${BINARY}" ;; csum) CSUMBINARY="${BINARY}"; LogText " Found known binary: csum (hashing tool on AIX) - ${BINARY}" ;; diff --git a/include/consts b/include/consts index bb1d63ff..fedc7bd7 100644 --- a/include/consts +++ b/include/consts @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2020, CISOfy +# Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com @@ -60,6 +60,7 @@ ETC_PATHS="/etc /usr/local/etc" BLKIDBINARY="" BOOTCTLBINARY="" CAT_BINARY="" + CCBINARY="" CFAGENTBINARY="" CHECK=0 CHECK_BINARIES=1 @@ -69,6 +70,7 @@ ETC_PATHS="/etc /usr/local/etc" CLAMCONF_BINARY="" CLAMSCANBINARY="" CLANGBINARY="" + CMDBINARY="" COLORS=1 COMPLIANCE_ENABLE_CIS=0 COMPLIANCE_ENABLE_HIPAA=0 @@ -117,6 +119,7 @@ ETC_PATHS="/etc /usr/local/etc" FIREWALL_ACTIVE=0 FOUNDPATH=0 FORENSICS_MODE=0 + GCCBINARY="" GETENT_BINARY="" GRADMBINARY="" GREPBINARY="grep" @@ -145,6 +148,7 @@ ETC_PATHS="/etc /usr/local/etc" LICENSE_KEY="" LICENSE_SERVER="" LINUX_VERSION="" + LINUX_VERSION_LIKE="" LINUXCONFIGFILE="" LMDBINARY="" LMDFOUND=0 diff --git a/include/data_upload b/include/data_upload index eae2b5cc..c85a4140 100644 --- a/include/data_upload +++ b/include/data_upload 
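Review bot: The new `cmd_daemon)` arm assigns `CMDBINARY=${BINARY}` unquoted, while its neighbours in the same case (`CFAGENTBINARY="${BINARY}"`, `CHKROOTKITBINARY="${BINARY}"`, `COMMBINARY="${BINARY}"`) quote the expansion; a plain assignment does not word-split, so this is style only, but the file's convention is the quoted form: `cmd_daemon) CMDBINARY="${BINARY}"; LogText "    Found known binary: cmd (audit framework) - ${BINARY}" ;;`. The same hunk family adds `CMDBINARY=""` to include/consts, so the variable is declared; the enclosing case statement starts and ends outside this hunk.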
@@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2020, CISOfy +# Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/functions b/include/functions index 2bb82eae..62ffdfc5 100644 --- a/include/functions +++ b/include/functions @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2020, CISOfy +# Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com @@ -3693,4 +3693,4 @@ #================================================================================ # Lynis is part of Lynis Enterprise and released under GPLv3 license -# Copyright 2007-2020 - Michael Boelen, CISOfy - https://cisofy.com +# Copyright 2007-2021 - Michael Boelen, CISOfy - https://cisofy.com diff --git a/include/helper_audit_dockerfile b/include/helper_audit_dockerfile index a71326ee..3ebbb7b2 100644 --- a/include/helper_audit_dockerfile +++ b/include/helper_audit_dockerfile @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2020, CISOfy +# Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/helper_configure b/include/helper_configure index 85c6dadf..315b92f3 100644 --- a/include/helper_configure +++ b/include/helper_configure @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2020, CISOfy +# Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/helper_generate b/include/helper_generate index f3a8d909..bbfbb8dc 100644 --- a/include/helper_generate +++ b/include/helper_generate @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2020, CISOfy +# Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com 
diff --git a/include/helper_show b/include/helper_show index e251aad0..70a066be 100644 --- a/include/helper_show +++ b/include/helper_show @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2020, CISOfy +# Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/helper_system_remote_scan b/include/helper_system_remote_scan index 8f9df294..5c54814a 100644 --- a/include/helper_system_remote_scan +++ b/include/helper_system_remote_scan @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2020, CISOfy +# Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/helper_update b/include/helper_update index cc5f672c..0453ffbd 100644 --- a/include/helper_update +++ b/include/helper_update @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2020, CISOfy +# Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/osdetection b/include/osdetection index 3c5932ce..459bc72e 100644 --- a/include/osdetection +++ b/include/osdetection @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2020, CISOfy +# Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com 
@@ -144,6 +144,13 @@ OS_ID=$(grep "^ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') if [ -n "${OS_ID}" ]; then case ${OS_ID} in + "almalinux") + LINUX_VERSION="AlmaLinux" + OS_NAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + OS_REDHAT_OR_CLONE=1 + OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + ;; "alpine") LINUX_VERSION="Alpine Linux" OS_NAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') @@ -190,6 +197,12 @@ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') ;; + "devuan") + LINUX_VERSION="Devuan" + OS_NAME="Devuan" + OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + ;; "elementary") LINUX_VERSION="elementary OS" OS_NAME="elementary OS" @@ -214,6 +227,12 @@ OS_NAME="Flatcar Linux" OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') ;; + "garuda") + LINUX_VERSION="Garuda" + OS_FULLNAME="Garuda Linux" + OS_NAME="Garuda" + OS_VERSION="Rolling release" + ;; "gentoo") LINUX_VERSION="Gentoo" OS_NAME="Gentoo Linux" @@ -226,11 +245,13 @@ ;; "kali") LINUX_VERSION="Kali" + LINUX_VERSION_LIKE="Debian" OS_NAME="Kali Linux" OS_VERSION="Rolling release" ;; "linuxmint") LINUX_VERSION="Linux Mint" + LINUX_VERSION_LIKE="Ubuntu" OS_NAME="Linux Mint" OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') 
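Review bot: The new `"devuan")` arm sets `LINUX_VERSION="Devuan"` but no `LINUX_VERSION_LIKE`, whereas the kali, linuxmint, pop, pureos and raspbian arms touched by this commit all record their Debian or Ubuntu base. Because the rewritten /etc/debian_version block later in this file now runs only while `LINUX_VERSION` is still empty, a Devuan host is no longer classified as Debian at all, and tests that key on `LINUX_VERSION`/`LINUX_VERSION_LIKE` being "Debian" (BOOT-5180 in include/tests_boot_services, also in this commit) will be skipped there. Add `LINUX_VERSION_LIKE="Debian"` to the devuan arm. The almalinux arm covers the equivalent question on the Red Hat side via `OS_REDHAT_OR_CLONE=1`, so only Devuan (and, if an Arch-family consumer exists, garuda) is left without a base marker.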
@@ -241,7 +262,7 @@ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') ;; - "manjaro") + "manjaro" | "manjaro-arm") LINUX_VERSION="Manjaro" OS_FULLNAME="Manjaro Linux" OS_NAME="Manjaro" @@ -278,18 +299,21 @@ ;; "pop") LINUX_VERSION="Pop!_OS" + LINUX_VERSION_LIKE="Ubuntu" OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_NAME="Pop!_OS" ;; "pureos") LINUX_VERSION="PureOS" + LINUX_VERSION_LIKE="Debian" OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_NAME="PureOS" ;; "raspbian") LINUX_VERSION="Raspbian" + LINUX_VERSION_LIKE="Debian" OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_NAME="Raspbian" 
@@ -378,31 +402,32 @@ # CPUBuilders Linux if [ -e "/etc/cpub-release" ]; then OS_FULLNAME=$(cat /etc/cpub-release); fi - # Debian/Ubuntu (***) - Set first to Debian - if [ -e "/etc/debian_version" ]; then + if [ -z "${LINUX_VERSION}" ] && [ -e "/etc/debian_version" ]; then + # Debian/Ubuntu (***) - Set first to Debian OS_VERSION=$(cat /etc/debian_version) OS_FULLNAME="Debian ${OS_VERSION}" LINUX_VERSION="Debian" - fi - # /etc/lsb-release does not exist on Debian - if [ -e "/etc/debian_version" -a -e /etc/lsb-release ]; then - OS_VERSION=$(cat /etc/debian_version) - FIND=$(grep "^DISTRIB_ID=" /etc/lsb-release | cut -d '=' -f2 | sed 's/"//g') - if [ "${FIND}" = "Ubuntu" ]; then - OS_VERSION=$(grep "^DISTRIB_RELEASE=" /etc/lsb-release | cut -d '=' -f2) - OS_FULLNAME="Ubuntu ${OS_VERSION}" - LINUX_VERSION="Ubuntu" - elif [ "${FIND}" = "elementary OS" ]; then - LINUX_VERSION="elementary OS" - OS_VERSION=$(grep "^DISTRIB_RELEASE=" /etc/lsb-release | cut -d '=' -f2) - OS_FULLNAME=$(grep "^DISTRIB_DESCRIPTION=" /etc/lsb-release | cut -d '=' -f2 | sed 's/"//g') - else - # Catch all, in case it's unclear what specific release this is. - OS_FULLNAME="Debian ${OS_VERSION}" - LINUX_VERSION="Debian" + # /etc/lsb-release does not exist on Debian + if [ -e /etc/lsb-release ]; then + OS_VERSION=$(cat /etc/debian_version) + FIND=$(grep "^DISTRIB_ID=" /etc/lsb-release | cut -d '=' -f2 | sed 's/"//g') + if [ "${FIND}" = "Ubuntu" ]; then + OS_VERSION=$(grep "^DISTRIB_RELEASE=" /etc/lsb-release | cut -d '=' -f2) + OS_FULLNAME="Ubuntu ${OS_VERSION}" + LINUX_VERSION="Ubuntu" + elif [ "${FIND}" = "elementary OS" ]; then + LINUX_VERSION="elementary OS" + LINUX_VERSION_LIKE="Ubuntu" + OS_VERSION=$(grep "^DISTRIB_RELEASE=" /etc/lsb-release | cut -d '=' -f2) + OS_FULLNAME=$(grep "^DISTRIB_DESCRIPTION=" /etc/lsb-release | cut -d '=' -f2 | sed 's/"//g') + else + # Catch all, in case it's unclear what specific release this is. 
+ OS_FULLNAME="Debian ${OS_VERSION}" + LINUX_VERSION="Debian" + fi + # Ubuntu test (optional) $(grep "[Uu]buntu" /proc/version) fi - # Ubuntu test (optional) $(grep "[Uu]buntu" /proc/version) fi # Override for Linux Mint, as that is initially detected as Debian or Ubuntu @@ -410,6 +435,8 @@ FIND=$(lsb_release --id | awk -F: '{ print $2 }' | awk '{ print $1 }') if [ "${FIND}" = "LinuxMint" ]; then LINUX_VERSION="Linux Mint" + # LMDE (Linux Mint Debian Edition) should be detected as Debian + LINUX_VERSION_LIKE="Ubuntu" OS_VERSION=$(lsb_release --release | awk '{ print $2 }') OS_FULLNAME="Linux Mint ${OS_VERSION}" fi diff --git a/include/parameters b/include/parameters index 242899e6..90181927 100644 --- a/include/parameters +++ b/include/parameters @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2020, CISOfy +# Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/profiles b/include/profiles index e7a25670..6bf7758a 100644 --- a/include/profiles +++ b/include/profiles @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2020, CISOfy +# Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/report b/include/report index 3d0c7fdf..ec5f3f66 100644 --- a/include/report +++ b/include/report @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2020, CISOfy +# Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/tests_accounting b/include/tests_accounting index dd1ef2a8..6954b63f 100644 --- a/include/tests_accounting +++ b/include/tests_accounting @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2020, CISOfy +# Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com 
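Review bot: Inside the new `if [ -e /etc/lsb-release ]` branch, `OS_VERSION=$(cat /etc/debian_version)` repeats the assignment made three lines earlier in the same guarded block and can be dropped, and the commented-out `# Ubuntu test (optional) $(grep "[Uu]buntu" /proc/version)` line is dead text carried over from the old version. The added guard `-z "${LINUX_VERSION}"` turns this whole block into a fallback that runs only when /etc/os-release produced no match, which deserves a one-line comment at the top, e.g. `# Fallback for hosts whose os-release ID was not matched above`, so a reader does not expect the Ubuntu branch to fire on a host that os-release already identified. The enclosing detection block continues outside the hunk.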
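Review bot: The added comment says LMDE "should be detected as Debian", but the line it annotates sets `LINUX_VERSION_LIKE="Ubuntu"` unconditionally for every `LinuxMint` answer from lsb_release, LMDE included, so either the comment or the assignment is wrong. If editions are meant to be distinguished, the lsb_release description (or /etc/os-release) would have to be consulted before choosing the value; if not, reword the comment to match the code, e.g. `# Linux Mint, including LMDE, is treated as Ubuntu-like here`. The lsb_release block this sits in starts outside the hunk.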
@@ -24,7 +24,10 @@ # AUDITD_CONF_LOCS="${ROOTDIR}etc ${ROOTDIR}etc/audit" AUDITD_CONF_FILE="" + CMD_CONF_LOCS="${ROOTDIR}etc ${ROOTDIR}etc/cmd" + CMD_CONF_FILE="" LINUX_AUDITD_RUNNING=0 + LINUX_CMD_RUNNING=0 AUDIT_DAEMON_RUNNING=0 SOLARIS_AUDITD_RUNNING=0 # 
@@ -415,6 +418,59 @@ # ################################################################################# # + # Test : ACCT-9670 + # Description : Check cmd status + if [ -n "${CMDBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no ACCT-9670 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for cmd" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: Check cmd status" + if IsRunning "cmd_daemon"; then + LogText "Result: cmd running" + Display --indent 2 --text "- Checking cmd" --result "${STATUS_ENABLED}" --color GREEN + LINUX_CMD_RUNNING=1 + AUDIT_DAEMON_RUNNING=1 + Report "audit_trail_tool[]=cmd" + Report "linux_cmd_running=1" + AddHP 4 4 + else + LogText "Result: cmd not active" + Display --indent 2 --text "- Checking cmd" --result "${STATUS_NOT_FOUND}" --color WHITE + if [ ! "${VMTYPE}" = "openvz" ]; then + ReportSuggestion "${TEST_NO}" "Install cmd to collect audit information" + fi + AddHP 0 1 + Report "linux_cmd_running=0" + fi + fi +# +################################################################################# +# + # Test : ACCT-9672 + # Description : Check cmd configuration file + if [ -n "${CMDBINARY}" -a ${LINUX_CMD_RUNNING} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no ACCT-9672 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for cmd configuration file" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: Checking cmd configuration file" + for DIR in ${CMD_CONF_LOCS}; do + if [ -f ${DIR}/config.ini ]; then + CMD_CONF_FILE="${DIR}/config.ini" + LogText "Result: Found ${DIR}/config.ini" + else + LogText "Result: ${DIR}/config.ini not found" + fi + done + # Check if we discovered the configuration file. 
It should be there is the binaries are available and process is running + if [ -n "${CMD_CONF_FILE}" ]; then + Display --indent 4 --text "- Checking cmd configuration file" --result "${STATUS_OK}" --color GREEN + else + LogText "Result: could not find cmd configuration file" + Display --indent 4 --text "- Checking cmd configuration file" --result "${STATUS_FOUND}" --color RED + ReportSuggestion "${TEST_NO}" "Determine the location of cmd configuration file" + fi + fi +# +################################################################################# +# Report "audit_daemon_running=${AUDIT_DAEMON_RUNNING}" # ################################################################################# @@ -424,4 +480,4 @@ WaitForKeyPress # #================================================================================ -# Lynis - Copyright 2007-2020, Michael Boelen / CISOfy - https://cisofy.com +# Lynis - Copyright 2007-2021, Michael Boelen / CISOfy - https://cisofy.com diff --git a/include/tests_authentication b/include/tests_authentication index 88b95063..2712aa34 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2020, CISOfy +# Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com 
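Review bot: In ACCT-9672 the branch that logs "could not find cmd configuration file" displays `--result "${STATUS_FOUND}"` in red; it should be `--result "${STATUS_NOT_FOUND}"`, the value ACCT-9670 uses on its own negative branch just above. The prerequisite line `[ -n "${CMDBINARY}" -a ${LINUX_CMD_RUNNING} -eq 1 ]` uses the deprecated `-a`; write it as `[ -n "${CMDBINARY}" ] && [ ${LINUX_CMD_RUNNING} -eq 1 ]`, the form BOOT-5180 adopts elsewhere in this commit, and quote the path in `[ -f "${DIR}/config.ini" ]`. The comment "It should be there is the binaries are available and process is running" reads "if" for "is". ACCT-9670 also logs "cmd not active" while displaying STATUS_NOT_FOUND; pick one wording so log and screen agree. Both tests are complete within the hunk.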
@@ -294,12 +294,12 @@ # disabled | shadowed | no password | locked account (can be literal *LOCK* or something like LOCKED) ;; *:\$5\$*| *:\$6\$*) - # sha256crypt | sha512crypt: check number of rounds, should be >5000 + # sha256crypt | sha512crypt: check number of rounds, should be >=5000 ROUNDS=$(echo "${METHOD}" | sed -n 's/.*rounds=\([0-9]*\)\$.*/\1/gp') if [ -z "${ROUNDS}" ]; then - echo 'sha256crypt/sha512crypt(default<=5000rounds)' - elif [ "${ROUNDS}" -le 5000 ]; then - echo 'sha256crypt/sha512crypt(<=5000rounds)' + echo 'sha256crypt/sha512crypt(default=5000rounds)' + elif [ "${ROUNDS}" -lt 5000 ]; then + echo 'sha256crypt/sha512crypt(<5000rounds)' fi ;; *:\$y\$* | *:\$gy\$* | *:\$2b\$* | *:\$7\$*) diff --git a/include/tests_banners b/include/tests_banners index f7e4d7e9..cd148f30 100644 --- a/include/tests_banners +++ b/include/tests_banners @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2020, CISOfy +# Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/tests_boot_services b/include/tests_boot_services index c3a36307..42efc80d 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2020, CISOfy +# Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com @@ -63,6 +63,7 @@ # Description : Determine service manager # Notes : # initscripts - Used by Arch before + # runit - Used by Artix, Devuan, Dragora and Void # systemd - Common option with more Linux distros implementing it # upstart - Used by Debian/Ubuntu Register --test-no BOOT-5104 --weight L --network NO --category security --description "Determine service manager" 
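Review bot: After this change an explicit `rounds=5000` falls through the `elif` and produces no output, while the implicit default, which is the same 5000 rounds, still echoes `sha256crypt/sha512crypt(default=5000rounds)`, so two hashes of identical strength are classified differently. If this case's output is what the caller reports as a weak scheme (the enclosing function starts outside the hunk, so I cannot confirm), the two branches should agree: either keep `-le 5000` for the explicit value or stop echoing for the default. A short comment stating which side of 5000 is considered acceptable, e.g. `# 5000 is the libc default; only fewer rounds is reported`, would document the intended threshold.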
@@ -71,7 +72,7 @@ case ${OS} in "Linux") if [ -f /proc/1/cmdline ]; then - OUTPUT=$(${AWKBINARY} '/(^\/|init)/ { print $1 }' /proc/1/cmdline | ${TRBINARY} '\0' ' ' | ${SEDBINARY} 's/ $//') + OUTPUT=$(${AWKBINARY} '/(^\/|init|runit)/ { print $1 }' /proc/1/cmdline | ${TRBINARY} '\0' ' ' | ${SEDBINARY} 's/ $//') LogText "Result: cmdline found = ${OUTPUT}" FILENAME=$(echo "${OUTPUT}" | ${AWKBINARY} '{print $1}') LogText "Result: file on disk = ${FILENAME}" @@ -108,6 +109,9 @@ upstart) SERVICE_MANAGER="upstart" ;; + runit) + SERVICE_MANAGER="runit" + ;; *) CONTAINS_SYSTEMD=$(echo ${SHORTNAME} | ${GREPBINARY} "systemd") if [ -n "${CONTAINS_SYSTEMD}" ]; then @@ -731,7 +735,13 @@ # Test : BOOT-5180 # Description : Check for Linux boot services (Debian style) # Notes : Debian 8+ shows runlevel 5 - if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION}" = "Ubuntu" ] || + [ "${LINUX_VERSION_LIKE}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" = "Ubuntu" ]; then + PREQS_MET="YES" + else + PREQS_MET="NO" + fi + Register --test-no BOOT-5180 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check for Linux boot services (Debian style)" if [ ${SKIPTEST} -eq 0 ]; then # Runlevel check 
@@ -1081,23 +1091,28 @@
 if [ "${UNIT}" = "UNIT" ]; then
 continue
 fi
+ STATUS="UNKNOWN"
 COLOR="BLACK"
 case ${PREDICATE} in
 PERFECT | SAFE | OK)
+ STATUS="${STATUS_PROTECTED}"
 COLOR=GREEN
 ;;
 MEDIUM)
+ STATUS="${STATUS_MEDIUM}"
 COLOR=WHITE
 ;;
 EXPOSED)
+ STATUS="${STATUS_EXPOSED}"
 COLOR=YELLOW
 ;;
 UNSAFE | DANGEROUS)
+ STATUS="${STATUS_UNSAFE}"
 COLOR=RED
 ;;
 esac
- Display --indent 8 --text "- ${UNIT}:" --result "${PREDICATE}" --color "${COLOR}"
- LogText "Result: ${UNIT}: ${EXPOSURE} ${PREDICATE}"
+ Display --indent 8 --text "- ${UNIT}:" --result "${STATUS}" --color "${COLOR}"
+ LogText "Result: ${UNIT}: ${EXPOSURE} ${STATUS}"
 done
 ReportSuggestion "${TEST_NO}" "Consider hardening system services" "Run '${SYSTEMDANALYZEBINARY} security SERVICE' for each service"
 fi
diff --git a/include/tests_containers b/include/tests_containers
index 78c12c50..af10997d 100644
--- a/include/tests_containers
+++ b/include/tests_containers
@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2020, CISOfy
+# Copyright 2007-2021, CISOfy
 #
 # Website : https://cisofy.com
 # Blog : http://linux-audit.com
@@ -226,4 +226,4 @@
 WaitForKeyPress
 #
 #================================================================================
-# Lynis - Copyright 2007-2020, CISOfy - https://cisofy.com
+# Lynis - Copyright 2007-2021, CISOfy - https://cisofy.com
diff --git a/include/tests_crypto b/include/tests_crypto
index af63d21a..d41a55ce 100644
--- a/include/tests_crypto
+++ b/include/tests_crypto
@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2020, CISOfy
+# Copyright 2007-2021, CISOfy
 #
 # Website : https://cisofy.com
 # Blog : http://linux-audit.com
diff --git a/include/tests_databases b/include/tests_databases
index 9c8e1de0..5e71ee80 100644
--- a/include/tests_databases
+++ b/include/tests_databases
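Review bot: `STATUS="UNKNOWN"` is a bare literal while every other arm of the case takes its value from the language file, which already defines STATUS_UNKNOWN (visible as context in the db/languages/en hunk); use `STATUS="${STATUS_UNKNOWN}"` so an unrecognised predicate is also localised. Switching LogText to `${STATUS}` also loses information in the log: UNSAFE and DANGEROUS both collapse to STATUS_UNSAFE, and the log line becomes language-dependent, so keep the raw value there, `LogText "Result: ${UNIT}: ${EXPOSURE} ${PREDICATE}"`, and leave the translated STATUS to the Display call. The loop this sits in starts outside the hunk.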
@@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2020, CISOfy +# Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com @@ -86,7 +86,7 @@ # "-u root --password=" avoids ~/.my.cnf authentication settings # "plugin = 'mysql_native_password' AND authentication_string = ''" avoids false positives when secure plugins are used - FIND=$(${MYSQLCLIENTBINARY} --no-defaults -u root --password= --silent --batch --execute="SELECT count(*) FROM mysql.user WHERE user = 'root' AND plugin = 'mysql_native_password' AND authentication_string = ''" mysql > /dev/null 2>&1; echo $?) + FIND=$(${MYSQLCLIENTBINARY} --default-auth=mysql_native_password --no-defaults -u root --password= --silent --batch --execute="SELECT count(*) FROM mysql.user WHERE user = 'root' AND plugin = 'mysql_native_password' AND authentication_string = ''" mysql > /dev/null 2>&1; echo $?) if [ "${FIND}" = "0" ]; then LogText "Result: Login succeeded, no MySQL root password set!" ReportWarning "${TEST_NO}" "No MySQL root password set" diff --git a/include/tests_dns b/include/tests_dns index 085168d4..5ef5a382 100644 --- a/include/tests_dns +++ b/include/tests_dns @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2020, CISOfy +# Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/tests_file_integrity b/include/tests_file_integrity index c06b1703..68d02c5f 100644 --- a/include/tests_file_integrity +++ b/include/tests_file_integrity @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2020, CISOfy +# Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com 
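Review bot: The check still reduces the client run to its exit status with stderr discarded, so after adding `--default-auth=mysql_native_password` any client build that rejects the option, or that fails to connect for an unrelated reason, exits non-zero and is reported as "root password set", a silent false negative for a root-without-password test; whether older clients accept this option I cannot confirm from here. Capture the exit code and log it before the comparison, e.g. `LogText "Result: mysql client exit code ${FIND}"`, and consider treating only an authentication error as a pass rather than every non-zero status. The enclosing test block starts and ends outside the hunk.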
@@ -441,4 +441,4 @@ WaitForKeyPress # #================================================================================ -# Lynis - Copyright 2007-2020 Michael Boelen, CISOfy - https://cisofy.com +# Lynis - Copyright 2007-2021 Michael Boelen, CISOfy - https://cisofy.com diff --git a/include/tests_file_permissions b/include/tests_file_permissions index 50ccdeee..32598f45 100644 --- a/include/tests_file_permissions +++ b/include/tests_file_permissions @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2020, CISOfy +# Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com @@ -72,4 +72,4 @@ WaitForKeyPress # #================================================================================ -# Lynis - Copyright 2007-2020, CISOfy - https://cisofy.com +# Lynis - Copyright 2007-2021, CISOfy - https://cisofy.com diff --git a/include/tests_filesystems b/include/tests_filesystems index 0de387f7..d3a6eaab 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2020, CISOfy +# Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com @@ -327,7 +327,7 @@ Display --indent 2 --text "- Testing swap partitions" --result "${STATUS_OK}" --color GREEN LogText "Result: all swap partitions have correct options (sw or swap)" else - Display --indent 2 --text "- Testing swap partitions" --result "CHECK NEEDED" --color YELLOW + Display --indent 2 --text "- Testing swap partitions" --result "${STATUS_CHECK_NEEDED}" --color YELLOW LogText "Result: possible incorrect mount options used for mounting swap partition (${FIND})" #ReportWarning "${TEST_NO}" "Possible incorrect mount options used for swap partition (${FIND})" ReportSuggestion "${TEST_NO}" "Check your /etc/fstab file for swap partition mount options" 
@@ -535,7 +535,7 @@ if [ "${FIND}" = "defaults" ]; then Display --indent 2 --text "- Mount options of /" --result "${STATUS_OK}" --color GREEN else - Display --indent 2 --text "- Mount options of /" --result "NON DEFAULT" --color YELLOW + Display --indent 2 --text "- Mount options of /" --result "${STATUS_NON_DEFAULT}" --color YELLOW fi else LogText "Result: no mount point / or expected options found" @@ -606,21 +606,21 @@ done if [ ${FULLY_HARDENED} -eq 1 ]; then LogText "Result: marked ${FILESYSTEM} as fully hardened" - Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result HARDENED --color GREEN + Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "${STATUS_HARDENED}" --color GREEN AddHP 5 5 elif [ ${PARTIALLY_HARDENED} -eq 1 ]; then LogText "Result: marked ${FILESYSTEM} as partially hardened" - Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "PARTIALLY HARDENED" --color YELLOW + Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "${STATUS_PARTIALLY_HARDENED}" --color YELLOW AddHP 4 5 else # if if ContainsString "defaults" "${FOUND_FLAGS}"; then LogText "Result: marked ${FILESYSTEM} options as default (not hardened)" - Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result DEFAULT --color YELLOW + Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "${STATUS_DEFAULT}" --color YELLOW AddHP 3 5 else LogText "Result: marked ${FILESYSTEM} options as non-default (unclear about hardening)" - Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "NON DEFAULT" --color YELLOW + Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "${STATUS_NON_DEFAULT}" --color YELLOW AddHP 4 5 fi fi 
@@ -653,7 +653,7 @@
 Display --indent 2 --text "- /var/tmp is bound to /tmp" --result "${STATUS_OK}" --color GREEN
 LogText "Result : /var/tmp is bind to /tmp"
 else
- Display --indent 2 --text "- /var/tmp is not bound to /tmp" --result "NON DEFAULT" --color YELLOW
+ Display --indent 2 --text "- /var/tmp is not bound to /tmp" --result "${STATUS_NON_DEFAULT}" --color YELLOW
 LogText "Result: /var/tmp is not bind to /tmp"
 fi
 else
@@ -820,11 +820,11 @@
 LogText "Result: module ${FS} is currently not loaded in the kernel."
 AddHP 2 3
 if IsDebug; then Display --indent 6 --text "- Module ${FS} not loaded (lsmod)" --result OK --color GREEN; fi
- FOUND=1
- AVAILABLE_MODPROBE_FS="${AVAILABLE_MODPROBE_FS}${FS} "
 else
 LogText "Result: module ${FS} is loaded in the kernel"
 Display --indent 4 --text "- Module $FS loaded in the kernel (lsmod)" --result "FOUND" --color WHITE
+ FOUND=1
+ AVAILABLE_MODPROBE_FS="${AVAILABLE_MODPROBE_FS}${FS} "
 fi
 else
 AddHP 3 3
diff --git a/include/tests_firewalls b/include/tests_firewalls
index 685f2452..44d6c441 100644
--- a/include/tests_firewalls
+++ b/include/tests_firewalls
@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2020, CISOfy
+# Copyright 2007-2021, CISOfy
 #
 # Website : https://cisofy.com
 # Blog : http://linux-audit.com
@@ -506,7 +506,7 @@
 Register --test-no FIRE-4540 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --root-only YES --category security --description "Check for empty nftables configuration"
 if [ ${SKIPTEST} -eq 0 ]; then
 # Check for empty ruleset
- NFT_RULES_LENGTH=$(${NFTBINARY} list ruleset --stateless 2> /dev/null | ${EGREPBINARY} -v "table|chain|;$|}$|^$" | ${WCBINARY} -l)
+ NFT_RULES_LENGTH=$(${NFTBINARY} --stateless list ruleset 2> /dev/null | ${EGREPBINARY} -v "table|chain|;$|}$|^$" | ${WCBINARY} -l)
 if [ ${NFT_RULES_LENGTH} -le 3 ]; then
 FIREWALL_EMPTY_RULESET=1
 LogText "Result: this firewall set has 3 rules or less and is considered to be empty"
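Review bot: The `Display` line that now precedes the moved `FOUND=1` still passes the literal `--result "FOUND"`, and the debug line above it `--result OK`, while this same commit converts the other result strings in this file to the language variables; use `--result "${STATUS_FOUND}"` and `--result "${STATUS_OK}"` so the branch the commit touches is translated like its neighbours. The same line also mixes `$FS` with the `${FS}` braces used everywhere else in the hunk. Moving the two assignments into the loaded branch presumes `FOUND` and `AVAILABLE_MODPROBE_FS` are reset before the loop; that initialisation is outside the hunk and worth confirming, since the enclosing loop and test body start and end outside it.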
diff --git a/include/tests_hardening b/include/tests_hardening
index 4feff7c6..130a4ddc 100644
--- a/include/tests_hardening
+++ b/include/tests_hardening
@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2020, CISOfy
+# Copyright 2007-2021, CISOfy
 #
 # Website : https://cisofy.com
 # Blog : http://linux-audit.com
@@ -107,6 +107,27 @@
 #
 #################################################################################
 #
+ # Test : HRDN-7231
+ # Description : Check for registered non-native binary formats
+ Register --test-no HRDN-7231 --os Linux --weight L --network NO --category security --description "Check for registered non-native binary formats"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ LogText "Test: Check for registered non-native binary formats"
+ NFORMATS=0
+ if [ -d /proc/sys/fs/binfmt_misc ]; then
+ NFORMATS=$(${FINDBINARY} /proc/sys/fs/binfmt_misc -type f -not -name register -not -name status | ${WCBINARY} --lines)
+ fi
+ if [ ${NFORMATS} -eq 0 ]; then
+ LogText "Result: no non-native binary formats found"
+ Display --indent 4 --text "- Non-native binary formats" --result "${STATUS_NOT_FOUND}" --color GREEN
+ else
+ FORMATS=$(${FINDBINARY} /proc/sys/fs/binfmt_misc -type f -not -name register -not -name status -printf '%f ')
+ LogText "Result: found ${NFORMATS} non-native binary formats registered: ${FORMATS}"
+ Display --indent 4 --text "- Non-native binary formats" --result "${STATUS_FOUND}" --color RED
+ fi
+ fi
+#
+#################################################################################
+#
 # LogText "--------------------------------------------------------------------"
 # LogText "| System part | Preferred value | Actual value | Points |"
 # LogText "| [!] Compiler installed | 0 | [${COMPILER_INSTALLED}] | x |"
diff --git a/include/tests_homedirs b/include/tests_homedirs
index c896bf86..3e5f1b78 100644
--- a/include/tests_homedirs
+++ b/include/tests_homedirs
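Review bot: The count on the new `NFORMATS=` line uses `${WCBINARY} --lines`, a GNU-only long option that a busybox `wc` rejects, which would leave `NFORMATS` empty and break the following `[ ${NFORMATS} -eq 0 ]`; the short form `${WCBINARY} -l` is what the FIRE-4540 hunk in this same diff already uses, and `-printf '%f '` on the `FORMATS=` line is likewise GNU-specific, so the test may misreport on minimal Linux images despite the `--os Linux` restriction. The directory is walked twice with the same predicates; collecting `FORMATS` once and counting its words keeps the number and the list consistent. A registered format is shown in RED but neither passed to `Report` nor scored with `AddHP`, so it never reaches the report file or the hardening index; a `Report "binfmt_misc_format[]=..."` per entry would let downstream tooling see what was found.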
@@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2020, CISOfy +# Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/tests_insecure_services b/include/tests_insecure_services index 2ba308b3..f01966f2 100644 --- a/include/tests_insecure_services +++ b/include/tests_insecure_services @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2020, CISOfy +# Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/tests_kernel b/include/tests_kernel index 75f7bffc..19ed4dae 100644 --- a/include/tests_kernel +++ b/include/tests_kernel @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2020, CISOfy +# Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com @@ -81,7 +81,7 @@ fi else LogText "Result: file ${ROOTDIR}etc/inittab not found" - if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then + if [ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION}" = "Ubuntu" ] || [ "${LINUX_VERSION_LIKE}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" = "Ubuntu" ]; then LogText "Test: Checking run level with who -r, for Debian based systems" FIND=$(who -r | ${AWKBINARY} '{ if ($1=="run-level") { print $2 } }') if HasData "${FIND}"; then 
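Review bot: The widened condition tests `${LINUX_VERSION_LIKE}` for exact equality with `Debian` and `Ubuntu`; if that variable is derived from os-release `ID_LIKE`, which may hold a space-separated list of several parents, an exact string match silently misses such systems, so it is worth confirming how the variable is populated and, if it can be a list, matching with a `case` pattern such as `*Debian*|*Ubuntu*)` instead. The same equality construct is repeated in the KRNL-5788 prerequisite, PKGS-7366, PKGS-7390, PKGS-7394 and the unattended-upgrades distribution loop later in this diff. The enclosing test body continues outside the hunk.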
@@ -368,7 +368,12 @@ # # Test : KRNL-5788 # Description : Checking availability new kernel - if [ "${LINUX_VERSION}" = "Debian" -o "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if [ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION}" = "Ubuntu" ] || + [ "${LINUX_VERSION_LIKE}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" = "Ubuntu" ]; then + PREQS_MET="YES" + else + PREQS_MET="NO" + fi Register --test-no KRNL-5788 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking availability new Linux kernel" if [ ${SKIPTEST} -eq 0 ]; then HAS_VMLINUZ=0 @@ -914,4 +919,4 @@ WaitForKeyPress # #================================================================================ -# Lynis - Copyright 2007-2020, CISOfy - https://cisofy.com +# Lynis - Copyright 2007-2021, CISOfy - https://cisofy.com diff --git a/include/tests_kernel_hardening b/include/tests_kernel_hardening index c0887078..630c38d5 100644 --- a/include/tests_kernel_hardening +++ b/include/tests_kernel_hardening @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2020, CISOfy +# Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/tests_ldap b/include/tests_ldap index 7558d491..18cdc09c 100644 --- a/include/tests_ldap +++ b/include/tests_ldap @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2020, CISOfy +# Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/tests_logging b/include/tests_logging index acbbcf5b..7b3c203b 100644 --- a/include/tests_logging +++ b/include/tests_logging @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2020, CISOfy +# Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com 
@@ -177,14 +177,14 @@
 #
 # Test : LOGG-2138
 # Description : Check for kernel log daemon (klogd) presence on Linux systems
- # Notes : * When using rsyslog or systemd (systemd-journal), this process is not needed.
+ # Notes : * When using metalog, rsyslog or systemd (systemd-journal), this process is not needed.
 # * In combination with syslog-ng, klogd is still an addition to it, since it
 # captures kernel related events and send them to syslog-ng.
 # * This test should be below all other logging daemons
 Register --test-no LOGG-2138 --os Linux --weight L --network NO --category security --description "Checking kernel logger daemon on Linux"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Searching kernel logger daemon (klogd)"
- if [ ${RSYSLOG_RUNNING} -eq 0 -a ${SYSTEMD_JOURNAL_RUNNING} -eq 0 ]; then
+ if [ ${RSYSLOG_RUNNING} -eq 0 ] && [ ${SYSTEMD_JOURNAL_RUNNING} -eq 0 ] && [ ${METALOG_RUNNING} -eq 0 ]; then
 # Search for klogd, but ignore other lines related to klogd (like dd with input/output file)
 #FIND=$(${PSBINARY} ax | ${GREPBINARY} "klogd" | ${GREPBINARY} -v "dd" | ${GREPBINARY} -v "grep")
 if IsRunning "klogd"; then
@@ -427,7 +427,7 @@
 FIND=$(${EGREPBINARY} "@[a-zA-Z0-9]|destination\s.+(udp|tcp).+\sport" ${SYSLOGD_CONF} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "[a-zA-Z0-9]@")
 if [ -n "${FIND}" ]; then
 FIND2=$(echo "${FIND}" | ${GREPBINARY} -v "@loghost")
- if [ SOLARIS_LOGHOST_LOCALHOST -eq 1 ] && [ -z "${FIND2}" ]; then
+ if [ ${SOLARIS_LOGHOST_LOCALHOST} -eq 1 ] && [ -z "${FIND2}" ]; then
 LogText "Result: remote logging enabled to loghost, but loghost is localhost"
 else
 LogText "Result: remote logging enabled"
diff --git a/include/tests_mac_frameworks b/include/tests_mac_frameworks
index 5c55e8f5..cda343ad 100644
--- a/include/tests_mac_frameworks
+++ b/include/tests_mac_frameworks
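Review bot: The new `[ ${METALOG_RUNNING} -eq 0 ]` operand is unquoted and undefaulted, so if the metalog detection test is skipped or the variable is not initialised in the defaults (not visible here), `test` sees `-eq 0` without a left operand, prints an error and returns false, and the klogd check is silently skipped even when neither rsyslog nor journald runs. Writing it as `[ "${METALOG_RUNNING:-0}" -eq 0 ]`, or confirming the variable is set to 0 alongside `RSYSLOG_RUNNING` and `SYSTEMD_JOURNAL_RUNNING`, closes that gap; the second hunk's `${SOLARIS_LOGHOST_LOCALHOST}` fix removes a bareword of the same kind and would benefit from the same default. The enclosing test body continues outside the hunk.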
@@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2020, CISOfy +# Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/tests_mail_messaging b/include/tests_mail_messaging index cbbde8a0..a8e9ec3b 100644 --- a/include/tests_mail_messaging +++ b/include/tests_mail_messaging @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2020, CISOfy +# Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/tests_malware b/include/tests_malware index 3c2cd72d..4f68b9aa 100644 --- a/include/tests_malware +++ b/include/tests_malware @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2020, CISOfy +# Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/tests_memory_processes b/include/tests_memory_processes index 2454f320..542400a2 100644 --- a/include/tests_memory_processes +++ b/include/tests_memory_processes @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2020, CISOfy +# Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/tests_nameservices b/include/tests_nameservices index 46f4f1fb..8c483d08 100644 --- a/include/tests_nameservices +++ b/include/tests_nameservices @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2020, CISOfy +# Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com 
@@ -578,7 +578,7 @@ else LogText "Found duplicate line: ${OUTPUT}" LogText "Result: found duplicate line" - Display --indent 4 --text "- Duplicate entries in hosts file" --result "$STATUS_FOUND}" --color YELLOW + Display --indent 4 --text "- Duplicate entries in hosts file" --result "${STATUS_FOUND}" --color YELLOW ReportSuggestion "${TEST_NO}" "Remove duplicate lines in ${ROOTDIR}etc/hosts" fi fi diff --git a/include/tests_networking b/include/tests_networking index 7a04305f..6a33451c 100644 --- a/include/tests_networking +++ b/include/tests_networking @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2020, CISOfy +# Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/tests_php b/include/tests_php index 32211f1a..23738198 100644 --- a/include/tests_php +++ b/include/tests_php @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2020, CISOfy +# Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/tests_ports_packages b/include/tests_ports_packages index 2e827813..61ccf945 100644 --- a/include/tests_ports_packages +++ b/include/tests_ports_packages @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2020, CISOfy +# Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com 
@@ -600,8 +600,8 @@ # # Test : PKGS-7366 # Description : Checking if debsecan is installed and enabled on Debian systems - if [ -n "${DEBSECANBINARY}" -a "${OS}" = "Linux" -a "${LINUX_VERSION}" = "Debian" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi - Register --test-no "PKGS-7366" --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking for debsecan utility" + if [ -n "${DEBSECANBINARY}" ] && ( [ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" = "Debian" ] ); then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no "PKGS-7366" --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --category security --description "Checking for debsecan utility" if [ ${SKIPTEST} -eq 0 ]; then if [ -n "${DEBSECANBINARY}" ]; then LogText "Result: debsecan utility is installed" @@ -986,7 +986,9 @@ PREQS_MET="NO" if [ -f ${ROOTDIR}etc/apt/sources.list -a -d ${ROOTDIR}etc/apt/sources.list.d ]; then case "${LINUX_VERSION}" in - "Debian" | "Linux Mint" | "Ubuntu") + "Debian" | "Linux Mint" | "Ubuntu" | "Pop!_OS") + # Todo: PureOS (not rolling) has security repositories + # Todo: Debian sid does not have a security repository. PREQS_MET="YES" ;; *) @@ -1042,7 +1044,13 @@ # # Test : PKGS-7390 # Description : Check Ubuntu database consistency - if [ "${LINUX_VERSION}" = "Ubuntu" -a -x ${ROOTDIR}usr/bin/apt-get ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if ([ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION}" = "Ubuntu" ] || + [ "${LINUX_VERSION_LIKE}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" = "Ubuntu" ]) && [ -x "${ROOTDIR}usr/bin/apt-get" ]; then + PREQS_MET="YES" + else + PREQS_MET="NO" + fi + Register --test-no PKGS-7390 --os Linux --preqs-met ${PREQS_MET} --root-only YES --weight L --network NO --category security --description "Check Ubuntu database consistency" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: Package database consistency by running apt-get check" 
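Review bot: The PKGS-7390 prerequisite now admits Debian and Debian-like systems, but the `Register` line still reads `--description "Check Ubuntu database consistency"` and the `# Description` comment above it says the same, so reports and logs will label a Debian result as an Ubuntu check; `--description "Check Debian/Ubuntu package database consistency"` (and the comment to match) keeps them truthful, and the PKGS-7394 hunk that follows has the identical mismatch with `"Check for Ubuntu updates"`. On the PKGS-7366 line, `( [ ... ] || [ ... ] )` forks a subshell purely for grouping; `{ [ ... ] || [ ... ]; }` does the same without the fork and reads as intentional grouping rather than a stray subshell. The enclosing test bodies continue outside the hunks.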
@@ -1191,7 +1199,13 @@ # # Test : PKGS-7394 # Description : Check Ubuntu upgradeable packages - if [ "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + if ([ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION}" = "Ubuntu" ] || + [ "${LINUX_VERSION_LIKE}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" = "Ubuntu" ]) && [ -x "${ROOTDIR}usr/bin/apt-get" ]; then + PREQS_MET="YES" + else + PREQS_MET="NO" + fi + Register --test-no PKGS-7394 --os Linux --preqs-met ${PREQS_MET} --weight L --network YES --category security --description "Check for Ubuntu updates" if [ ${SKIPTEST} -eq 0 ]; then LogText "Test: checking ${ROOTDIR}usr/bin/apt-show-versions" 
@@ -1329,37 +1343,39 @@ case "${OS}" in "Linux") - case "${LINUX_VERSION}" in - "CentOS" | "Debian" | "Fedora" | "RHEL" | "Ubuntu") - + for DIST in CentOS Debian Fedora RHEL Ubuntu; do + if [ "${LINUX_VERSION}" = "${DIST}" ] || [ "${LINUX_VERSION_LIKE}" = "${DIST}" ]; then UNATTENDED_UPGRADES_OPTION_AVAILABLE=1 - # Test available tools for Linux - if [ -f "${ROOTDIR}bin/auter" ]; then - UNATTENDED_UPGRADES_TOOL="auter" - UNATTENDED_UPGRADES_TOOLKIT=1 - LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}" - Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}" - fi - if [ -f "${ROOTDIR}sbin/yum-cron" ]; then - UNATTENDED_UPGRADES_TOOL="yum-cron" - UNATTENDED_UPGRADES_TOOLKIT=1 - LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}" - Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}" - fi - if [ -f "${ROOTDIR}usr/bin/dnf-automatic" ]; then - UNATTENDED_UPGRADES_TOOL="dnf-automatic" - UNATTENDED_UPGRADES_TOOLKIT=1 - LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}" - Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}" - fi - if [ -f "${ROOTDIR}usr/bin/unattended-upgrade" ]; then - UNATTENDED_UPGRADES_TOOL="unattended-upgrade" - UNATTENDED_UPGRADES_TOOLKIT=1 - LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}" - Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}" - fi - ;; - esac + fi + done + + if [ ${UNATTENDED_UPGRADES_OPTION_AVAILABLE} -eq 1 ]; then + # Test available tools for Linux + if [ -f "${ROOTDIR}bin/auter" ]; then + UNATTENDED_UPGRADES_TOOL="auter" + UNATTENDED_UPGRADES_TOOLKIT=1 + LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}" + Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}" + fi + if [ -f "${ROOTDIR}sbin/yum-cron" ]; then + UNATTENDED_UPGRADES_TOOL="yum-cron" + UNATTENDED_UPGRADES_TOOLKIT=1 + LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}" + Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}" + fi + if [ -f "${ROOTDIR}usr/bin/dnf-automatic" ]; then + 
UNATTENDED_UPGRADES_TOOL="dnf-automatic" + UNATTENDED_UPGRADES_TOOLKIT=1 + LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}" + Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}" + fi + if [ -f "${ROOTDIR}usr/bin/unattended-upgrade" ]; then + UNATTENDED_UPGRADES_TOOL="unattended-upgrade" + UNATTENDED_UPGRADES_TOOLKIT=1 + LogText "Result: found ${UNATTENDED_UPGRADES_TOOL}" + Report "unattended_upgrade_tool[]=${UNATTENDED_UPGRADES_TOOL}" + fi + fi ;; esac diff --git a/include/tests_printers_spoolers b/include/tests_printers_spoolers index 61304f87..18b88c0c 100644 --- a/include/tests_printers_spoolers +++ b/include/tests_printers_spoolers @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2020, CISOfy +# Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/tests_scheduling b/include/tests_scheduling index b461ba95..196a2e77 100644 --- a/include/tests_scheduling +++ b/include/tests_scheduling @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2020, CISOfy +# Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/tests_shells b/include/tests_shells index 89be9979..9598cfbc 100644 --- a/include/tests_shells +++ b/include/tests_shells @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2020, CISOfy +# Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com @@ -282,4 +282,4 @@ WaitForKeyPress # #================================================================================ -# Lynis - Copyright 2007-2020, CISOfy - http://cisofy.com +# Lynis - Copyright 2007-2021, CISOfy - http://cisofy.com diff --git a/include/tests_snmp b/include/tests_snmp index 0bf785f0..93755e80 100644 --- a/include/tests_snmp +++ b/include/tests_snmp 
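Review bot: The new `if [ ${UNATTENDED_UPGRADES_OPTION_AVAILABLE} -eq 1 ]; then` reads a variable that the old code only ever assigned inside the matching `case` arm; unless it is initialised to 0 above this hunk (not visible here), on any distribution outside the `for DIST in` list the test becomes `[ -eq 1 ]`, which errors and evaluates false, so the tool scan is skipped by accident rather than by design. Either set `UNATTENDED_UPGRADES_OPTION_AVAILABLE=0` before the `case "${OS}"` or write the test as `[ "${UNATTENDED_UPGRADES_OPTION_AVAILABLE:-0}" -eq 1 ]`. The `for` loop also keeps iterating after a match; a `break` after the assignment is cheap and makes the intent explicit. The hunk begins on the previous line of the diff and the surrounding test body continues outside it.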
@@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2020, CISOfy +# Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com @@ -104,4 +104,4 @@ WaitForKeyPress # #================================================================================ -# Lynis - Copyright 2007-2020 Michael Boelen, CISOfy - https://cisofy.com +# Lynis - Copyright 2007-2021 Michael Boelen, CISOfy - https://cisofy.com diff --git a/include/tests_squid b/include/tests_squid index d62310a3..c6b5174a 100644 --- a/include/tests_squid +++ b/include/tests_squid @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2020, CISOfy +# Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com @@ -325,4 +325,4 @@ WaitForKeyPress # #================================================================================ -# Lynis - Copyright 2007-2020 Michael Boelen, CISOfy - https://cisofy.com +# Lynis - Copyright 2007-2021 Michael Boelen, CISOfy - https://cisofy.com diff --git a/include/tests_ssh b/include/tests_ssh index 43c678b9..7f31c348 100644 --- a/include/tests_ssh +++ b/include/tests_ssh @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2020, CISOfy +# Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/tests_storage b/include/tests_storage index 6ee1a78a..ac60502c 100644 --- a/include/tests_storage +++ b/include/tests_storage @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2020, CISOfy +# Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com 
@@ -77,4 +77,4 @@ WaitForKeyPress # #================================================================================ -# Lynis - Copyright 2007-2020, CISOfy, Michael Boelen - https://cisofy.com +# Lynis - Copyright 2007-2021, CISOfy, Michael Boelen - https://cisofy.com diff --git a/include/tests_storage_nfs b/include/tests_storage_nfs index 6aaafc79..fb236560 100644 --- a/include/tests_storage_nfs +++ b/include/tests_storage_nfs @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2020, CISOfy +# Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com diff --git a/include/tests_system_integrity b/include/tests_system_integrity index 825f3d70..befe09a0 100644 --- a/include/tests_system_integrity +++ b/include/tests_system_integrity @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2020, CISOfy +# Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com @@ -51,4 +51,4 @@ WaitForKeyPress # #================================================================================ -# Lynis - Copyright 2007-2020 Michael Boelen, CISOfy - https://cisofy.com +# Lynis - Copyright 2007-2021 Michael Boelen, CISOfy - https://cisofy.com diff --git a/include/tests_time b/include/tests_time index 0d1d65cb..df9a86b7 100644 --- a/include/tests_time +++ b/include/tests_time @@ -6,7 +6,7 @@ # ------------------ # # Copyright 2007-2013, Michael Boelen -# Copyright 2007-2020, CISOfy +# Copyright 2007-2021, CISOfy # # Website : https://cisofy.com # Blog : http://linux-audit.com 
@@ -585,6 +585,10 @@
 if [ ! -e "${SYNCHRONIZED_FILE}" ]; then
 SYNCHRONIZED_FILE="/var/lib/private/systemd/timesync/clock"
 fi
+ # Fix for debian stretch
+ if [ ! -e "${SYNCHRONIZED_FILE}" ]; then
+ SYNCHRONIZED_FILE="/var/lib/systemd/clock"
+ fi
 if [ -e "${SYNCHRONIZED_FILE}" ]; then
 FIND=$(( $(date +%s) - $(${STATBINARY} -L --format %Y "${SYNCHRONIZED_FILE}") ))
 # Check if last sync was more than 2048 seconds (= the default of systemd) ago
diff --git a/include/tests_tooling b/include/tests_tooling
index 15475c61..083f5045 100644
--- a/include/tests_tooling
+++ b/include/tests_tooling
@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2020, CISOfy
+# Copyright 2007-2021, CISOfy
 #
 # Website : https://cisofy.com
 # Blog : http://linux-audit.com
diff --git a/include/tests_virtualization b/include/tests_virtualization
index e4df170e..bf985e7c 100644
--- a/include/tests_virtualization
+++ b/include/tests_virtualization
@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2020, CISOfy
+# Copyright 2007-2021, CISOfy
 #
 # Website : https://cisofy.com
 # Blog : http://linux-audit.com
diff --git a/include/tests_webservers b/include/tests_webservers
index 45588492..6e0a3b3d 100644
--- a/include/tests_webservers
+++ b/include/tests_webservers
@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2020, CISOfy
+# Copyright 2007-2021, CISOfy
 #
 # Website : https://cisofy.com
 # Blog : http://linux-audit.com
diff --git a/include/tool_tips b/include/tool_tips
index 6ff7534e..e380a5d5 100644
--- a/include/tool_tips
+++ b/include/tool_tips
@@ -6,7 +6,7 @@
 # ------------------
 #
 # Copyright 2007-2013, Michael Boelen
-# Copyright 2007-2020, CISOfy
+# Copyright 2007-2021, CISOfy
 #
 # Website : https://cisofy.com
 # Blog : http://linux-audit.com
@@ -43,16 +43,16 @@ PROGRAM_WEBSITE="https://cisofy.com/lynis/" # Version details - PROGRAM_RELEASE_DATE="2020-12-26" - PROGRAM_RELEASE_TIMESTAMP=1608801742 - PROGRAM_RELEASE_TYPE="pre-release" # pre-release or release + PROGRAM_RELEASE_DATE="2021-01-07" + PROGRAM_RELEASE_TIMESTAMP=1610029111 + PROGRAM_RELEASE_TYPE="release" # pre-release or release PROGRAM_VERSION="3.0.3" # Source, documentation and license PROGRAM_SOURCE="https://github.com/CISOfy/lynis" PROGRAM_PACKAGE="https://packages.cisofy.com/" PROGRAM_DOCUMENTATION="https://cisofy.com/docs/" - PROGRAM_COPYRIGHT="2007-2020, ${PROGRAM_AUTHOR} - ${PROGRAM_WEBSITE}" + PROGRAM_COPYRIGHT="2007-2021, ${PROGRAM_AUTHOR} - ${PROGRAM_WEBSITE}" PROGRAM_LICENSE="${PROGRAM_NAME} comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under the terms of the GNU General Public License. See the LICENSE file for details about using this software." @@ -89,6 +89,7 @@ if [ -d "${WORKDIR}/include" ]; then INCLUDEDIR="${WORKDIR}/include"; fi elif [ -d ${I} -a -z "${INCLUDEDIR}" ]; then INCLUDEDIR=${I} + break fi done fi @@ -1149,4 +1150,4 @@ ${NORMAL} # #================================================================================ -# Lynis - Copyright 2007-2020, Michael Boelen, CISOfy - https://cisofy.com +# Lynis - Copyright 2007-2021, Michael Boelen, CISOfy - https://cisofy.com |