github.com/CISOfy/lynis.git
-rw-r--r--  CHANGELOG.md | 37
-rw-r--r--  CONTRIBUTING.md | 11
-rw-r--r--  HAPPY_USERS.md | 5
-rw-r--r--  README.md | 7
-rw-r--r--  db/languages/de | 35
l---------  db/languages/de-AT | 1
-rw-r--r--  db/languages/en | 8
-rw-r--r--  db/languages/nl | 47
-rw-r--r--  db/software-eol.db | 158
-rw-r--r--  db/tests.db | 1
-rw-r--r--  default.prf | 7
-rw-r--r--  extras/bash_completion.d/lynis | 2
-rw-r--r--  include/binaries | 1
-rw-r--r--  include/consts | 5
-rw-r--r--  include/data_upload | 15
-rw-r--r--  include/functions | 9
-rw-r--r--  include/helper_generate | 6
-rw-r--r--  include/osdetection | 52
-rw-r--r--  include/parameters | 17
-rw-r--r--  include/profiles | 2
-rw-r--r--  include/tests_authentication | 82
-rw-r--r--  include/tests_boot_services | 8
-rw-r--r--  include/tests_crypto | 2
-rw-r--r--  include/tests_filesystems | 22
-rw-r--r--  include/tests_firewalls | 2
-rw-r--r--  include/tests_insecure_services | 2
-rw-r--r--  include/tests_kernel | 10
-rw-r--r--  include/tests_malware | 44
-rw-r--r--  include/tests_networking | 2
-rw-r--r--  include/tests_php | 64
-rw-r--r--  include/tests_time | 115
-rwxr-xr-x  lynis | 34
32 files changed, 528 insertions, 285 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6c3974a2..e2be50de 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,11 +1,45 @@
# Lynis Changelog
-## Lynis 3.0.0 (not released yet)
+## Lynis 3.0.1 (not released yet)
+
+### Added
+- Detection of Kali Linux
+- Detection of Linux Mint
+- Detection of macOS Big Sur (11.0)
+- Detection of Pop!_OS
+- Detection of PHP 7.4
+- Malware detection tool: Microsoft Defender ATP
+
+### Changed
+- AUTH-9229 - Added option for LOCKED accounts and bugfix for older bash versions
+- BOOT-5122 - Presence check for grub.d added
+- CRYP-7931 - Redirect errors (e.g. when swap is not encrypted)
+- FILE-6430 - Don't grep nonexistant modprobe.d files
+- FIRE-4535 - Set initial firewall state
+- INSE-8312 - Corrected text on screen
+- KRNL-5728 - Handle zipped kernel configuration correctly
+- KRNL-5830 - Improved version detection for non-symlinked kernel
+- MALW-3280 - Extended detection of BitDefender
+- Fix: hostid generation routine would sometimes show too short IDs
+- Generic improvements for macOS
+- Fix: language detection
+- German translation updated
+- End-of-life database updated
+- Small code enhancements
+
+---------------------------------------------------------------------------------
+
+## Lynis 3.0.0 (2020-06-18)
This is a major release of Lynis and includes several big changes.
Some of these changes may break your current usage of the tool, so test before
deployment!
+### Security issues
+This release resolves two security issues
+* CVE-2020-13882 - Discovered by Sander Bos, code submission by Katarina Durechova
+* CVE-2019-13033 - Discovered by Sander Bos
+
### Breaking change: Non-interactive by default
Lynis now runs non-interactive by default, to be more in line with the Unix
philosophy. So the previously used '--quick' option is now default, and the tool
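Review bot: the new "Security issues" subsection under 3.0.0 names CVE-2020-13882 and CVE-2019-13033 but says nothing about what each issue is, which versions are affected, or what an operator should do; add a one-line description and the affected version range per CVE so a reader can judge exposure from the changelog alone. Also "nonexistant" in the FILE-6430 entry should read "nonexistent".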
@@ -104,6 +138,7 @@ Using the relevant options, the scan will change base on the intended goal.
- CRYP-7902 - check also certificates in DER format
- CRYP-8002 - gather kernel entropy on Linux systems
- FILE-6310 - support for HP-UX
+- FILE-6330 - corrected description
- FILE-6374 - changed log and allow root location to be changed
- FILE-6374 - corrected condition to find 'defaults' flag in /etc/fstab
- FILE-6430 - minor code improvements and show suggestion with more details
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index f31b9eb3..66a7b19b 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,3 +1,4 @@
+
# Contributions
## Helping out
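Review bot: the blank line inserted above "# Contributions" adds nothing, and Markdown linters commonly flag a file that does not start with its top-level heading; drop it. The same leading blank line is added to README.md in this commit.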
@@ -6,13 +7,13 @@
Run the tool in debug mode (use lynis audit system --profile developer.prf) and see if it shows any error.
### Report bugs
-Create an GitHub issue on the issue tracker
+Create a GitHub issue on the issue tracker.
### Suggest changes (pull request)
When you find something that can be improved, fork the project and create a pull request.
### Translations
-See the db/languages directory
+See the db/languages directory.
## Developer Guidelines
@@ -30,13 +31,13 @@ Identation should be 4 spaces (no tab character).
### Comments
Comments: use # sign followed by a space. When needed, create a comment block.
-Blank lines: allowed, one line maximum
+Blank lines: allowed, one line maximum.
### Functions
All functions use CamelCase to clearly show a difference between shell built-in commands, or external commands.
### Variables
-Variables should be capitalized, with underscore as word separator (e.g. PROCESS_EXISTS=1)
+Variables should be capitalized, with underscore as word separator (e.g. PROCESS_EXISTS=1).
## Pull Requests
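Review bot: since this hunk only adds punctuation, fix the typo in its context line "Identation should be 4 spaces (no tab character)." to "Indentation" in the same pass.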
@@ -56,7 +57,7 @@ to this repository, you agree that you:
4. Allow the project the [Unlimited Rights](#Unlimited-Rights) to your contribution
-If you have questions regarding development, send us an e-mail at [lynis-dev](mailto:lynis-dev@cisofy.com)
+If you have questions regarding development, send us an e-mail at [lynis-dev](mailto:lynis-dev@cisofy.com).
## Unlimited Rights
diff --git a/HAPPY_USERS.md b/HAPPY_USERS.md
index 049a9689..53677c52 100644
--- a/HAPPY_USERS.md
+++ b/HAPPY_USERS.md
@@ -2,7 +2,7 @@
## Community
-Since 2007 the Lynis project helped many system administrators and security
+Since 2007, the Lynis project helped many system administrators and security
professionals to scan their systems and perform system hardening. Happy users
and contributors are the foundation of a healthy project.
@@ -33,3 +33,6 @@ installed on all my systems to uncover unexpected configuration issues. The
valuable feedback and contributions give me the energy to continue to work on
its development, even after 12+ years!
+* Catalyst.net IT - January 2020
+Lynis gave us great insight in to the security state of our systems, as well as where we can improve.
+
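Review bot: the new entry leaves an extra empty line at the end of the file (it previously ended at "even after 12+ years!"); drop the trailing blank line. The quoted text also reads "insight in to", which should be "insight into" if the contributor agrees to the wording change.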
diff --git a/README.md b/README.md
index ccc5a4d3..67706f14 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,5 @@
+
[![Linux Security Expert badge](https://badges.linuxsecurity.expert/tools/ranking/lynis.svg)](https://linuxsecurity.expert/tools/lynis/)
[![Build Status](https://travis-ci.org/CISOfy/lynis.svg?branch=master)](https://travis-ci.org/CISOfy/lynis)
[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/96/badge)](https://bestpractices.coreinfrastructure.org/projects/96)
@@ -14,7 +15,7 @@ Do you like this software? **Star the project** and become a [stargazer](https:/
> Lynis - Security auditing and hardening tool, for UNIX-based systems.
-Lynis is a security auditing for system based on UNIX like Linux, macOS, BSD, and others. It performs an **in-depth security scan** and runs on the system itself. The primary goal is to test security defenses and **provide tips for further system hardening**. It will also scan for general system information, vulnerable software packages, and possible configuration issues. Lynis was commonly used by system administrators and auditors to assess the security defenses of their systems. Besides the "blue team", nowadays penetration testers also have Lynis in their toolkit.
+Lynis is a security auditing tool for systems based on UNIX like Linux, macOS, BSD, and others. It performs an **in-depth security scan** and runs on the system itself. The primary goal is to test security defenses and **provide tips for further system hardening**. It will also scan for general system information, vulnerable software packages, and possible configuration issues. Lynis was commonly used by system administrators and auditors to assess the security defenses of their systems. Besides the "blue team," nowadays penetration testers also have Lynis in their toolkit.
We believe software should be **simple**, **updated on a regular basis**, and **open**. You should be able to trust, understand, and have the option to change the software. Many agree with us, as the software is being used by thousands every day to protect their systems.
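Review bot: "Lynis was commonly used by system administrators and auditors" reads as if that usage has ended, while the next sentence says penetration testers "nowadays" also use it; since the sentence is being rewritten anyway, "is commonly used" keeps the tense consistent.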
@@ -57,7 +58,7 @@ If you want to run the software as `root`, we suggest changing the ownership of
### Software Package
-For Linux, BSD, macOS, there is typically a package available. The Lynis project also provides packages in RPM or DEB format. The [CISOfy software repository](https://packages.cisofy.com) can be used to install Lynis on systems running:
+For Linux, BSD, and macOS, there is typically a package available. The Lynis project also provides packages in RPM or DEB format. The [CISOfy software repository](https://packages.cisofy.com) can be used to install Lynis on systems running:
`CentOS`, `Debian`, `Fedora`, `OEL`, `openSUSE`, `RHEL`, `Ubuntu`, and others.
Some distributions may also have Lynis in their software repository: [![Repology](https://repology.org/badge/tiny-repos/lynis.svg)](https://repology.org/project/lynis/versions)
@@ -103,7 +104,7 @@ Lynis is collecting some awards and we are proud of that.
> We love contributors.
-Do you have something to share? Or help out with translating Lynis into your own language? Create an issue or pull request on GitHub, or send us an e-mail: lynis-dev@cisofy.com.
+Do you have something to share? Want to help out with translating Lynis into your own language? Create an issue or pull request on GitHub, or send us an e-mail: lynis-dev@cisofy.com.
More details can be found in the [Contributors Guide](https://github.com/CISOfy/lynis/blob/master/CONTRIBUTING.md).
diff --git a/db/languages/de b/db/languages/de
index 34b909e2..ef6711c8 100644
--- a/db/languages/de
+++ b/db/languages/de
@@ -1,38 +1,45 @@
-GEN_PHASE="Phase"
+ERROR_NO_LICENSE="Kein Lizenzschlüssel eingerichtet"
+ERROR_NO_UPLOAD_SERVER="Kein Upload-Server eingerichtet"
GEN_CHECKING="Überprüfung"
GEN_CURRENT_VERSION="Aktuelle Version"
GEN_DEBUG_MODE="Debug-Modus"
-GEN_INITIALIZE_PROGRAM="Initiiere Programm"
+GEN_INITIALIZE_PROGRAM="Initialisiere Programm"
+GEN_LATEST_VERSION="Aktuellste Version"
+GEN_PHASE="Phase"
GEN_PLUGINS_ENABLED="Plugins aktiviert"
-GEN_VERBOSE_MODE="Ausführlicher Modus"
GEN_UPDATE_AVAILABLE="Aktualisierung verfügbar"
+GEN_VERBOSE_MODE="Ausführlicher Modus"
GEN_WHAT_TO_DO="Was zu tun ist"
NOTE_EXCEPTIONS_FOUND="Abweichungen gefunden"
NOTE_EXCEPTIONS_FOUND_DETAILED="Einige außergewöhnliche Ereignisse oder Informationen wurden gefunden"
NOTE_PLUGINS_TAKE_TIME="Beachte: Plugins beinhalten eingehendere Tests und können mehrere Minuten benötigen, bis sie abgeschlossen sind"
+NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Übersprungene Tests aufgrund nicht privilegiertem Modus"
SECTION_CUSTOM_TESTS="Benutzerdefinierte Tests"
+SECTION_DATA_UPLOAD="Daten hochladen"
+SECTION_INITIALIZING_PROGRAM="Initialisiere Programm"
SECTION_MALWARE="Malware"
SECTION_MEMORY_AND_PROCESSES="Speicher und Prozesse"
+SECTION_SYSTEM_TOOLS="Systemwerkzeuge"
+STATUS_DISABLED="DEAKTIVIERT"
STATUS_DONE="FERTIG"
+STATUS_ENABLED="AKTIVIERT"
+STATUS_ERROR="FEHLER"
+STATUS_FAILED="FEHLERHAFT"
STATUS_FOUND="GEFUNDEN"
-STATUS_YES="JA"
STATUS_NO="NEIN"
-STATUS_OFF="AUS"
-STATUS_OK="OK"
-STATUS_ON="AN"
STATUS_NONE="NICHTS"
+STATUS_NOT_CONFIGURED="NICHT KONFIGURIERT"
STATUS_NOT_FOUND="NICHT GEFUNDEN"
STATUS_NOT_RUNNING="LÄUFT NICHT"
+STATUS_OFF="AUS"
+STATUS_OK="OK"
+STATUS_ON="AN"
STATUS_RUNNING="LÄUFT"
STATUS_SKIPPED="ÜBERSPRUNGEN"
STATUS_SUGGESTION="VORSCHLAG"
STATUS_UNKNOWN="UNBEKANNT"
STATUS_WARNING="WARNUNG"
-TEXT_YOU_CAN_HELP_LOGFILE="Sie können durch Übermittlung Ihrer Logdatei helfen"
+STATUS_WEAK="SCHWACH"
+STATUS_YES="JA"
TEXT_UPDATE_AVAILABLE="Aktualisierung verfügbar"
-NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Übersprungene Tests aufgrund nicht privilegiertem Modus"
-STATUS_DISABLED="DEAKTIVIERT"
-STATUS_ENABLED="AKTIVIERT"
-STATUS_ERROR="FEHLER"
-ERROR_NO_LICENSE="Kein Lizenzschlüssel eingerichtet"
-ERROR_NO_UPLOAD_SERVER="Kein Upload-Server eingerichtet"
+TEXT_YOU_CAN_HELP_LOGFILE="Sie können durch Übermittlung Ihrer Logdatei helfen"
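Review bot: STATUS_FAILED="FEHLERHAFT" means "faulty" rather than "failed"; for a test outcome "FEHLGESCHLAGEN" is the usual translation and keeps it distinct from STATUS_ERROR="FEHLER". In NOTE_SKIPPED_TESTS_NON_PRIVILEGED, "aufgrund" takes the genitive, so "aufgrund des nicht privilegierten Modus". The alphabetical reordering otherwise matches the en file.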
diff --git a/db/languages/de-AT b/db/languages/de-AT
new file mode 120000
index 00000000..c42e816f
--- /dev/null
+++ b/db/languages/de-AT
@@ -0,0 +1 @@
+de \ No newline at end of file
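Review bot: a symlink de-AT -> de works for this one variant, but every further regional code (de-CH, en-GB, nl-BE) then needs its own symlink, and symlinks do not survive every packaging path or a checkout on a filesystem without symlink support. Falling back from a "xx-YY" language code to "xx" in the language loader (the CHANGELOG lists a language-detection fix in this same release) would cover all variants without per-variant files.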
diff --git a/db/languages/en b/db/languages/en
index 716a584c..7b697896 100644
--- a/db/languages/en
+++ b/db/languages/en
@@ -26,14 +26,14 @@ STATUS_ENABLED="ENABLED"
STATUS_ERROR="ERROR"
STATUS_FAILED="FAILED"
STATUS_FOUND="FOUND"
-STATUS_OFF="OFF"
-STATUS_OK="OK"
-STATUS_ON="ON"
STATUS_NO="NO"
STATUS_NONE="NONE"
STATUS_NOT_CONFIGURED="NOT CONFIGURED"
STATUS_NOT_FOUND="NOT FOUND"
STATUS_NOT_RUNNING="NOT RUNNING"
+STATUS_OFF="OFF"
+STATUS_OK="OK"
+STATUS_ON="ON"
STATUS_RUNNING="RUNNING"
STATUS_SKIPPED="SKIPPED"
STATUS_SUGGESTION="SUGGESTION"
@@ -41,5 +41,5 @@ STATUS_UNKNOWN="UNKNOWN"
STATUS_WARNING="WARNING"
STATUS_WEAK="WEAK"
STATUS_YES="YES"
-TEXT_YOU_CAN_HELP_LOGFILE="You can help by providing your log file"
TEXT_UPDATE_AVAILABLE="update available"
+TEXT_YOU_CAN_HELP_LOGFILE="You can help by providing your log file"
diff --git a/db/languages/nl b/db/languages/nl
index 21700617..31a694ee 100644
--- a/db/languages/nl
+++ b/db/languages/nl
@@ -1,38 +1,45 @@
+ERROR_NO_LICENSE="Geen licentiecode geconfigureerd"
+ERROR_NO_UPLOAD_SERVER="Geen upload server geconfigureerd"
GEN_CHECKING="Zoeken naar"
+GEN_CURRENT_VERSION="Huidige versie"
+GEN_DEBUG_MODE="Debug modus"
+GEN_INITIALIZE_PROGRAM="Programma initialiseren"
+GEN_LATEST_VERSION="Laatste versie"
GEN_PHASE="fase"
-GEN_INITIALIZE_PROGRAM="Initialiseren van programma"
-NOTE_PLUGINS_TAKE_TIME="Plugins hebben uitgebreidere testen en kunnen derhalve enkele minuten duren"
-NOTE_EXCEPTIONS_FOUND="Uitzonderingen gevonden"
-SECTION_CUSTOM_TESTS="Eigen Testen"
+GEN_PLUGINS_ENABLED="Plugins geactiveerd"
+GEN_VERBOSE_MODE="Verbose modus"
+GEN_UPDATE_AVAILABLE="Update beschikbaar"
+GEN_WHAT_TO_DO="Wat te doen"
+NOTE_EXCEPTIONS_FOUND="Bijzonderheden gevonden"
+NOTE_EXCEPTIONS_FOUND_DETAILED="Enkele bijzondere gebeurtenissen of informatie gevonden"
+NOTE_PLUGINS_TAKE_TIME="Let op: plugins hebben uitgebreidere testen en kunnen daardoor enkele minuten duren"
+NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Overgeslagen testen vanwege beperkte rechten"
+SECTION_CUSTOM_TESTS="Eigen testen"
+SECTION_DATA_UPLOAD="Data upload"
+SECTION_INITIALIZING_PROGRAM="Programma initialiseren"
SECTION_MALWARE="Kwaadaardige software (malware)"
SECTION_MEMORY_AND_PROCESSES="Geheugen en Processen"
-STATUS_DONE="KLAAR"
+SECTION_SYSTEM_TOOLS="Systeem gereedschap"
STATUS_DISABLED="UITGESCHAKELD"
+STATUS_DONE="KLAAR"
STATUS_ENABLED="INGESCHAKELD"
+STATUS_ERROR="FOUT"
+STATUS_FAILED="MISLUKT"
STATUS_FOUND="GEVONDEN"
+STATUS_OFF="UIT"
+STATUS_OK="OK"
+STATUS_ON="AAN"
STATUS_NO="NEE"
STATUS_NONE="GEEN"
+STATUS_NOT_CONFIGURED="NIET GECONFIGUREERD"
STATUS_NOT_FOUND="NIET GEVONDEN"
STATUS_NOT_RUNNING="NIET ACTIEF"
-STATUS_OK="OK"
-STATUS_ON="AAN"
-STATUS_OFF="UIT"
-STATUS_YES="JA"
STATUS_RUNNING="ACTIEF"
STATUS_SKIPPED="OVERGESLAGEN"
STATUS_SUGGESTION="SUGGESTIE"
STATUS_UNKNOWN="ONBEKEND"
STATUS_WARNING="WAARSCHUWING"
-GEN_CURRENT_VERSION="Huidige versie"
-GEN_DEBUG_MODE="Debug mode"
-GEN_PLUGINS_ENABLED="Plugins geactiveerd"
-GEN_VERBOSE_MODE="Verbose mode"
-GEN_UPDATE_AVAILABLE="update beschikbaar"
-GEN_WHAT_TO_DO="Wat te doen"
-NOTE_EXCEPTIONS_FOUND_DETAILED="Enkele uitzonderingen gevonden"
-NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Overgeslagen testen vanwege beperkte rechten"
+STATUS_WEAK="ZWAK"
+STATUS_YES="JA"
TEXT_YOU_CAN_HELP_LOGFILE="Help mee door je logbestand te delen"
TEXT_UPDATE_AVAILABLE="update beschikbaar"
-STATUS_ERROR="FOUT"
-ERROR_NO_LICENSE="geen licentiecode configureerd"
-ERROR_NO_UPLOAD_SERVER="geen server configureerd voor uploads"
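Review bot: the ordering does not match what this commit establishes in en and de: STATUS_OFF, STATUS_OK and STATUS_ON are placed before STATUS_NO instead of after STATUS_NOT_RUNNING, and TEXT_UPDATE_AVAILABLE still follows TEXT_YOU_CAN_HELP_LOGFILE although en moves it in front. Dutch compounds are written as one word, so "Systeemgereedschap" and "Debugmodus" rather than "Systeem gereedschap" and "Debug modus".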
diff --git a/db/software-eol.db b/db/software-eol.db
index b3285487..2412a203 100644
--- a/db/software-eol.db
+++ b/db/software-eol.db
@@ -8,6 +8,7 @@
# 4) converted date (seconds since epoch) or -1
#
# Date can be converted on Linux using: date "+%s" --date=2020-01-01
+# Seconds since epoch can be verified using: date -d @1467324000 +'%Y-%m-%d'
#
# Notes:
# For rolling releases or releases that do not (currently have an EOL date, leave field three empty and set field four to -1.
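Review bot: the added verification command uses GNU date syntax (date -d @SECONDS); on FreeBSD, OpenBSD and macOS, which this database also covers, the equivalent is "date -r 1467324000 +%Y-%m-%d". Worth listing both, since the conversion line above already assumes GNU date as well.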
@@ -15,8 +16,9 @@
#
# Amazon Linux
#
-os:Amazon Linux:2020-06-30:1593468000:
+# Note: shortest entry is listed at end due to regular expression matching being used
os:Amazon Linux 2:2023-06-26:1687730400:
+os:Amazon Linux:2020-06-30:1593468000:
#
# Arch Linux
#
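Review bot: moving "Amazon Linux" below "Amazon Linux 2" fixes the prefix collision but leaves the lookup depending on line order, which the next person adding an "Amazon Linux 2023" entry will trip over despite the comment. Anchoring the match on the full name field (match up to the following ":" rather than a leading substring) makes the order irrelevant and removes the need for the note.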
@@ -38,55 +40,72 @@ os:Debian 8:2020-06-30:1593468000:
os:Debian 9:2022-01-01:1640991600:
os:Debian 10:2022-01-01:1640991600:
#
+# Fedora - https://fedoraproject.org/wiki/End_of_life
+#
+os:Fedora release 25:2017-12-12:1513033200:
+os:Fedora release 26:2018-05-29:1527544800:
+os:Fedora release 27:2018-11-30:1543532400:
+os:Fedora release 28:2019-05-28:1558994400:
+os:Fedora release 29:2019-11-26:1574722800:
+os:Fedora release 30:2020-05-26:1590444000:
+#
# FreeBSD - https://www.freebsd.org/security/unsupported.html
#
-os:FreeBSD 9.3:2014-12-31:0:
-os:FreeBSD 10.0:2015-02-28:0:
-os:FreeBSD 10.1:2016-12-31:0:
-os:FreeBSD 10.2:2016-12-31:0:
-os:FreeBSD 10.3:2018-04-30:0:
-os:FreeBSD 10.4:2018-10-31:0:
-os:FreeBSD 11.0:2017-11-30:0:
-os:FreeBSD 11.1:2018-09-30:0:
+os:FreeBSD 9.3:2014-12-31:1419980400:
+os:FreeBSD 10.0:2015-02-28:1425078000:
+os:FreeBSD 10.1:2016-12-31:1483138800:
+os:FreeBSD 10.2:2016-12-31:1483138800:
+os:FreeBSD 10.3:2018-04-30:1525039200:
+os:FreeBSD 10.4:2018-10-31:1540940400:
+os:FreeBSD 11.0:2017-11-30:1511996400:
+os:FreeBSD 11.1:2018-09-30:1538258400:
+os:FreeBSD 11.2:2019-10-31:1572476400:
+os:FreeBSD 12.0:2020-02-29:1582930800:
+#
+# Linux Mint
+#
+os:Linux Mint 18:2021-04-01:1617228000:
+os:Linux Mint 19:2023-04-01:1680300000:
+os:Linux Mint 20:2025-04-01:1743458400:
#
# NetBSD - https://www.netbsd.org/support/security/release.html and
# https://www.netbsd.org/releases/formal.html
#
-os:NetBSD 2.0:2008-01-19:0:
-os:NetBSD 2.0.1:2008-01-19:0:
-os:NetBSD 2.0.2:2008-01-19:0:
-os:NetBSD 2.0.3:2008-01-19:0:
-os:NetBSD 2.1:2008-01-19:0:
-os:NetBSD 3.0:2009-09-29:0:
-os:NetBSD 3.0.1:2009-09-29:0:
-os:NetBSD 3.0.2:2009-09-29:0:
-os:NetBSD 3.1:2009-09-29:0:
-os:NetBSD 4.0:2012-11-17:0:
-os:NetBSD 4.0.1:2012-11-17:0:
-os:NetBSD 5.0:2015-11-17:0:
-os:NetBSD 5.0.1:2015-10-17:0:
-os:NetBSD 5.0.2:2015-10-17:0:
-os:NetBSD 5.1:2015-10-17:0:
-os:NetBSD 5.1.1:2015-10-17:0:
-os:NetBSD 5.1.2:2015-10-17:0:
-os:NetBSD 5.1.3:2015-10-17:0:
-os:NetBSD 5.1.4:2015-10-17:0:
-os:NetBSD 5.1.5:2015-10-17:0:
-os:NetBSD 5.2.1:2015-10-17:0:
-os:NetBSD 5.2.2:2015-10-17:0:
-os:NetBSD 5.2.3:2015-10-17:0:
-os:NetBSD 6.0:2017-09-17:0:
-os:NetBSD 6.0.1:2017-09-17:0:
-os:NetBSD 6.0.2:2017-09-17:0:
-os:NetBSD 6.0.3:2017-09-17:0:
-os:NetBSD 6.0.4:2017-09-17:0:
-os:NetBSD 6.0.5:2017-09-17:0:
-os:NetBSD 6.1:2017-09-17:0:
-os:NetBSD 6.1.1:2017-09-17:0:
-os:NetBSD 6.1.2:2017-09-17:0:
-os:NetBSD 6.1.3:2017-09-17:0:
-os:NetBSD 6.1.4:2017-09-17:0:
-os:NetBSD 6.1.5:2017-09-17:0:
+os:NetBSD 2.0:2008-01-19:1200697200:
+os:NetBSD 2.0.1:2008-01-19:1200697200:
+os:NetBSD 2.0.2:2008-01-19:1200697200:
+os:NetBSD 2.0.3:2008-01-19:1200697200:
+os:NetBSD 2.1:2008-01-19:1200697200:
+os:NetBSD 3.0:2009-09-29:1254175200:
+os:NetBSD 3.0.1:2009-09-29:1254175200:
+os:NetBSD 3.0.2:2009-09-29:1254175200:
+os:NetBSD 3.1:2009-09-29:1254175200:
+os:NetBSD 4.0:2012-11-17:1353106800:
+os:NetBSD 4.0.1:2012-11-17:1353106800:
+os:NetBSD 5.0:2015-11-17:1447714800:
+os:NetBSD 5.0.1:2015-10-17:1445032800:
+os:NetBSD 5.0.2:2015-10-17:1445032800:
+os:NetBSD 5.1:2015-10-17:1445032800:
+os:NetBSD 5.1.1:2015-10-17:1445032800:
+os:NetBSD 5.1.2:2015-10-17:1445032800:
+os:NetBSD 5.1.3:2015-10-17:1445032800:
+os:NetBSD 5.1.4:2015-10-17:1445032800:
+os:NetBSD 5.1.5:2015-10-17:1445032800:
+os:NetBSD 5.2.1:2015-10-17:1445032800:
+os:NetBSD 5.2.2:2015-10-17:1445032800:
+os:NetBSD 5.2.3:2015-10-17:1445032800:
+os:NetBSD 6.0:2017-09-17:1505599200:
+os:NetBSD 6.0.1:2017-09-17:1505599200:
+os:NetBSD 6.0.2:2017-09-17:1505599200:
+os:NetBSD 6.0.3:2017-09-17:1505599200:
+os:NetBSD 6.0.4:2017-09-17:1505599200:
+os:NetBSD 6.0.5:2017-09-17:1505599200:
+os:NetBSD 6.1:2017-09-17:1505599200:
+os:NetBSD 6.1.1:2017-09-17:1505599200:
+os:NetBSD 6.1.2:2017-09-17:1505599200:
+os:NetBSD 6.1.3:2017-09-17:1505599200:
+os:NetBSD 6.1.4:2017-09-17:1505599200:
+os:NetBSD 6.1.5:2017-09-17:1505599200:
os:NetBSD 7.0:2020-03-14:1584162000:
os:NetBSD 7.0.1:2020-03-14:1584162000:
os:NetBSD 7.0.2:2020-03-14:1584162000:
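Review bot: the epoch values are computed in two different timezones: the NetBSD, FreeBSD, Fedora and Linux Mint entries are local midnight in CET/CEST (1200697200 is 2008-01-18 23:00 UTC), whereas the OpenBSD entries in the next hunk are UTC midnight (1505001600 is exactly 2017-09-10 00:00 UTC). A comparison against "now" is then off by an hour or two depending on the entry, so pick one convention (UTC, via "TZ=UTC date ...") and document it in the header. NetBSD 5.0 is dated 2015-11-17 while every other 5.x entry says 2015-10-17; one of the two is a typo carried over from the old 0-timestamp lines. Fedora 31 and 32 were the supported releases at the 3.0.0 date given in the CHANGELOG yet have no entry, so a current Fedora is indistinguishable from an unknown one.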
@@ -100,22 +119,22 @@ os:NetBSD 9.0::-1:
#
# OpenBSD - https://en.wikipedia.org/wiki/OpenBSD_version_history
#
-os:OpenBSD 5.8:2016-09-01:0:
-os:OpenBSD 5.9:2017-04-11:0:
+os:OpenBSD 5.8:2016-09-01:1472680800:
+os:OpenBSD 5.9:2017-04-11:1491861600:
+os:OpenBSD 6.0:2017-09-10:1505001600:
+os:OpenBSD 6.1:2018-04-15:1523750400:
+os:OpenBSD 6.2:2018-10-18:1539820800:
+os:OpenBSD 6.3:2019-05-03:1556841600:
+os:OpenBSD 6.4:2019-10-17:1571270400:
+os:OpenBSD 6.5:2020-05-19:1589846400:
+os:OpenBSD 6.6:2020-10-01:1601510400:
+os:OpenBSD 6.7:2021-05-01:1619827200:
#
-# Ubuntu - https://wiki.ubuntu.com/Kernel/LTSEnablementStack
+# Red Hat Enterprise Linux - https://access.redhat.com/labs/plcc/
#
-os:Ubuntu 14.04:2019-05-01:1556661600:
-os:Ubuntu 14.10:2015-07-01:0:
-os:Ubuntu 15.04:2016-01-01:0:
-os:Ubuntu 15.10:2016-07-01:0:
-os:Ubuntu 16.04:2021-05-01:1619820000:
-os:Ubuntu 16.10:2017-07-01:1498860000:
-os:Ubuntu 17.04:2018-01-01:1514761200:
-os:Ubuntu 17.10:2018-07-01:1530396000:
-os:Ubuntu 18.04:2023-05-01:1682892000:
-os:Ubuntu 18.10:2019-07-18:1563400800:
-os:Ubuntu 19.04:2020-01-01:1577833200:
+os:Red Hat Enterprise Linux Server release 6:2020-11-30:1606690800:
+os:Red Hat Enterprise Linux 7:2024-06-30:1719698400:
+os:Red Hat Enterprise Linux 8:2029-05-07:1872799200:
#
# Slackware - https://en.wikipedia.org/wiki/Slackware#Releases
#
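Review bot: the three Red Hat entries use three name forms ("Red Hat Enterprise Linux Server release 6", "Red Hat Enterprise Linux 7", "Red Hat Enterprise Linux 8"); with the prefix matching this file relies on, each has to match exactly what include/osdetection produces for that release, and RHEL 7 identifies itself as "Red Hat Enterprise Linux Server" while RHEL 8 dropped "Server", so please confirm the 7 entry against a real /etc/redhat-release or os-release string. OpenBSD 6.7 (2021-05-01) is a projected date rather than a published one; either mark it as an estimate in a comment or use the header's empty-field/-1 convention until it is announced.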
@@ -132,3 +151,26 @@ os:Slackware Linux 12.2:2013-12-09:1386540000:
os:Slackware Linux 13.0:2018-07-05:1530738000:
os:Slackware Linux 13.1:2018-07-05:1530738000:
os:Slackware Linux 13.37:2018-07-05:1530738000:
+#
+# SuSE - https://www.suse.com/lifecycle/
+#
+os:SUSE Linux Enterprise Server 12:2024-10-31:1730329200:
+os:SUSE Linux Enterprise Server 15:2028-07-31:1848607200:
+#
+# Ubuntu - https://wiki.ubuntu.com/Kernel/LTSEnablementStack and
+# https://wiki.ubuntu.com/Releases
+#
+os:Ubuntu 14.04:2019-05-01:1556661600:
+os:Ubuntu 14.10:2015-07-01:1435701600:
+os:Ubuntu 15.04:2016-01-01:1451602800:
+os:Ubuntu 15.10:2016-07-01:1467324000:
+os:Ubuntu 16.04:2021-05-01:1619820000:
+os:Ubuntu 16.10:2017-07-01:1498860000:
+os:Ubuntu 17.04:2018-01-01:1514761200:
+os:Ubuntu 17.10:2018-07-01:1530396000:
+os:Ubuntu 18.04:2023-05-01:1682892000:
+os:Ubuntu 18.10:2019-07-18:1563400800:
+os:Ubuntu 19.04:2020-01-01:1577833200:
+os:Ubuntu 20.04:2025-04-01:1743458400:
+#
+# EOF
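Review bot: Ubuntu 19.10 is missing even though 19.04, which had already reached end of life by the 3.0.0 date in the CHANGELOG, is listed; without an entry a still-supported 19.10 host looks identical to an unknown release. The section header says "SuSE" while the entries and the vendor write "SUSE". The trailing "# EOF" marker is new to this file; if it is meant as a parse sentinel, say so in the header, otherwise it is noise.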
diff --git a/db/tests.db b/db/tests.db
index 32347102..26fc8f87 100644
--- a/db/tests.db
+++ b/db/tests.db
@@ -419,6 +419,7 @@ TIME-3170:test:security:time::Check configuration files:
TIME-3180:test:security:time::Report if ntpctl cannot communicate with OpenNTPD:
TIME-3181:test:security:time::Check status of OpenNTPD time synchronisation
TIME-3182:test:security:time::Check OpenNTPD has working peers
+TIME-3185:test:security:time::Check systemd-timesyncd synchronized time
TOOL-5002:test:security:tooling::Checking for automation tools:
TOOL-5102:test:security:tooling::Check for presence of Fail2ban:
TOOL-5104:test:security:tooling::Enabled tests for Fail2ban:
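Review bot: TIME-3185 is added without the trailing ":" that TIME-3170 and the TOOL-5xxx lines carry (TIME-3181 and TIME-3182 lack it too); if the file is split on ":" into a fixed number of fields, the new line has one field fewer than its neighbours. Either add the colon to match the majority or fix the three TIME lines together.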
diff --git a/default.prf b/default.prf
index fff29512..efd8665e 100644
--- a/default.prf
+++ b/default.prf
@@ -152,7 +152,7 @@ plugin=users
#
# Kernel options
# ---------------
-# configdate=, followed by:
+# config-data=, followed by:
#
# - Type = Set to 'sysctl'
# - Setting = value of sysctl key (e.g. kernel.sysrq)
@@ -303,6 +303,11 @@ permfile=/etc/motd:rw-r--r--:root:root:WARN:
permfile=/etc/passwd:rw-r--r--:root:-:WARN:
permfile=/etc/passwd-:rw-r--r--:root:-:WARN:
permfile=/etc/ssh/sshd_config:rw-------:root:-:WARN:
+permfile=/etc/hosts.equiv:rw-r--r--:root:root:WARN:
+permfile=/etc/shosts.equiv:rw-r--r--:root:root:WARN:
+permfile=/root/.rhosts:rw-------:root:root:WARN:
+permfile=/root/.rlogin:rw-------:root:root:WARN:
+permfile=/root/.shosts:rw-------:root:root:WARN:
# These permissions differ by OS
#permfile=/etc/gshadow:---------:root:-:WARN:
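Review bot: the five new permfile entries are appended after /etc/ssh/sshd_config, breaking the path order of the list above, and they use an explicit "root" group where the neighbouring entries use "-". More importantly, /etc/hosts.equiv, /etc/shosts.equiv and /root/.rhosts, .rlogin and .shosts define rsh/rlogin and SSH host-based trust; their presence at all is the finding, and a permfile line only fires on a permission mismatch, so a mode-600 .rhosts that grants passwordless access passes silently. Keep the permission check, but pair it with a presence check in the relevant test and a suggestion to remove the file.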
diff --git a/extras/bash_completion.d/lynis b/extras/bash_completion.d/lynis
index 8732ede3..7eee7375 100644
--- a/extras/bash_completion.d/lynis
+++ b/extras/bash_completion.d/lynis
@@ -179,7 +179,7 @@ _lynis()
*)
COMPREPLY=( $( compgen -W ' \
--auditor --cronjob --debug --quick --quiet --logfile --no-colors --no-log --pentest --reverse-colors \
- --tests --tests-from-category --tests-from-group --upload --verbose' -- "$cur" ) )
+ --tests --tests-from-category --tests-from-group --upload --verbose --slow-warning' -- "$cur" ) )
;;
esac
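Review bot: --slow-warning is appended after --verbose while the rest of the word list is alphabetical; place it between --reverse-colors and --tests. If the option sets the new SLOW_TEST_THRESHOLD value from include/consts, make sure the help text states that it expects a number of seconds, since the completion cannot convey that.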
diff --git a/include/binaries b/include/binaries
index 6bbea4af..ae2c2824 100644
--- a/include/binaries
+++ b/include/binaries
@@ -219,6 +219,7 @@
maldet) LMDBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: maldet (Linux Malware Detect, malware scanner) - ${BINARY}" ;;
md5) MD5BINARY="${BINARY}"; LogText " Found known binary: md5 (hash tool) - ${BINARY}" ;;
md5sum) MD5BINARY="${BINARY}"; LogText " Found known binary: md5sum (hash tool) - ${BINARY}" ;;
+ mdatp) MDATPBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: mdatp (Microsoft Defender ATP, malware scanner) - ${BINARY}" ;;
modprobe) MODPROBEBINARY="${BINARY}"; LogText " Found known binary: modprobe (kernel modules) - ${BINARY}" ;;
mount) MOUNTBINARY="${BINARY}"; LogText " Found known binary: mount (disk utility) - ${BINARY}" ;;
mtree) MTREEBINARY="${BINARY}"; LogText " Found known binary: mtree (mapping directory tree) - ${BINARY}" ;;
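Review bot: the mdatp entry sets MALWARE_SCANNER_INSTALLED=1 purely from the binary existing, as maldet above does; with Microsoft Defender ATP the binary remains when the agent is onboarded but disabled, so unless include/tests_malware queries the agent state (mdatp health reports whether real-time protection is enabled) a host with an inactive Defender counts as protected.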
diff --git a/include/consts b/include/consts
index 7968ef1f..053147a4 100644
--- a/include/consts
+++ b/include/consts
@@ -33,10 +33,6 @@ BIN_PATHS="/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin \
ETC_PATHS="/etc /usr/local/etc"
-# Do not use specific language, fall back to default
-# Some tools with translated strings are very hard to parse
-unset LANG
-
#
#################################################################################
#
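Review bot: dropping "unset LANG" reintroduces exactly the problem the removed comment describes: every test that parses tool output (ls, ps, systemctl, mount, date) now runs in the user's locale, and any test that greps for an English string will misparse on a localised system. If the unset was removed because language detection needs $LANG (the CHANGELOG lists "Fix: language detection"), capture it into a Lynis variable before the unset, or keep LANG and export LC_ALL=C for the duration of the tests so the UI language and the parsed tool output are decoupled.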
@@ -277,6 +273,7 @@ unset LANG
SKIP_VM_DETECTION=0
SKIPREASON=""
SKIPPED_TESTS_ROOTONLY=""
+ SLOW_TEST_THRESHOLD=10
SMTPCTLBINARY=""
SNORTBINARY=""
SSHKEYSCANBINARY=""
diff --git a/include/data_upload b/include/data_upload
index 6718d6d3..eae2b5cc 100644
--- a/include/data_upload
+++ b/include/data_upload
@@ -77,6 +77,10 @@
ExitFatal
else
Output "License key = ${LICENSE_KEY}"
+ # Create a temporary file to use during upload (prevent license key being displayed in process table)
+ CreateTempFile || ExitFatal
+ LICENSE_KEY_FILE="${TEMP_FILE}"
+ echo "${LICENSE_KEY}" | ${TRBINARY} -cd '[a-f0-9-]' > ${LICENSE_KEY_FILE}
fi
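Review bot: in tr, square brackets are ordinary characters rather than a class, so "tr -cd '[a-f0-9-]'" keeps "[" and "]" in the output; write it as "tr -cd 'a-f0-9-'". The filter also silently rewrites a malformed key instead of rejecting it, so an operator gets a license-server error rather than a clear message. Since the key now lands on disk, CreateTempFile must create the file mode 0600 before anything is written, the file has to be removed after the upload (including on the error paths), and "Output "License key = ${LICENSE_KEY}"" three lines up still prints the secret to the terminal and the log, which undoes the point of hiding it from the process table. ${LICENSE_KEY_FILE} is unquoted in the redirect and ${TRBINARY} is used without checking that it was found.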
@@ -129,8 +133,9 @@
# License check
- LogText "Command used: ${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "collector_version=${PROGRAM_VERSION}" ${LICENSE_SERVER_URL} 2> /dev/null"
- UPLOAD=$(${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "collector_version=${PROGRAM_VERSION}" ${LICENSE_SERVER_URL} 2> /dev/null)
+ LogText "Command used: ${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "licensekey@${LICENSE_KEY_FILE}" --data-urlencode "collector_version=${PROGRAM_VERSION}" ${LICENSE_SERVER_URL} 2> /dev/null"
+ UPLOAD=$(${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "licensekey@${LICENSE_KEY_FILE}" --data-urlencode "collector_version=${PROGRAM_VERSION}" ${LICENSE_SERVER_URL} 2> /dev/null)
+
EXITCODE=$?
LogText "Exit code: ${EXITCODE}"
if [ ${EXITCODE} -gt 0 ]; then
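Review bot: the rewritten LogText line uses unescaped inner double quotes ("--data-urlencode "licensekey@${LICENSE_KEY_FILE}""), so the shell ends the string there and LogText receives the rest as separate arguments; the next hunk escapes the same message as \"licensekey@${LICENSE_KEY_FILE}\". Use the same escaping here, otherwise the logged command is truncated.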
@@ -225,10 +230,10 @@
Output "${WHITE}Found hostid: ${HOSTID}${NORMAL}"
# Try to connect
Output "Uploading data.."
- LogText "Command used: ${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode \"data@${REPORTFILE}\" --data-urlencode \"licensekey=${LICENSE_KEY}\" --data-urlencode \"hostid=${HOSTID}\" ${UPLOAD_URL}"
- LogText "Tip: try running ${CURLBINARY}${CURL_OPTIONS} --data-urlencode \"data@${REPORTFILE}\" --data-urlencode \"licensekey=${LICENSE_KEY}\" --data-urlencode \"hostid=${HOSTID}\" ${UPLOAD_URL}"
+ LogText "Command used: ${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode \"data@${REPORTFILE}\" --data-urlencode \"licensekey@${LICENSE_KEY_FILE}\" --data-urlencode \"hostid=${HOSTID}\" ${UPLOAD_URL}"
+ LogText "Tip: try running ${CURLBINARY}${CURL_OPTIONS} --data-urlencode \"data@${REPORTFILE}\" --data-urlencode \"licensekey@${LICENSE_KEY_FILE}\" --data-urlencode \"hostid=${HOSTID}\" ${UPLOAD_URL}"
LogText "Tip: to just retry an upload, use: lynis upload-only"
- UPLOAD=$(${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "data@${REPORTFILE}" --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "hostid=${HOSTID}" --data-urlencode "hostid2=${HOSTID2}" ${UPLOAD_URL} 2> /dev/null)
+ UPLOAD=$(${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "data@${REPORTFILE}" --data-urlencode "licensekey@${LICENSE_KEY_FILE}" --data-urlencode "hostid=${HOSTID}" --data-urlencode "hostid2=${HOSTID2}" ${UPLOAD_URL} 2> /dev/null)
EXITCODE=$?
LogText "Exit code: ${EXITCODE}"
if [ ${EXITCODE} -gt 0 ]; then
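Review bot: the "Tip: try running" line now tells the user to pass licensekey@${LICENSE_KEY_FILE}, a temporary file that no longer exists by the time they read the log; point them at "lynis upload-only" (the next tip already does) or at the profile setting instead. The logged command also still omits hostid2, which the real curl call below sends, so the log does not reproduce what was executed.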
diff --git a/include/functions b/include/functions
index 58ddabe9..e0f75a64 100644
--- a/include/functions
+++ b/include/functions
@@ -1286,11 +1286,12 @@
CHECK_PERMISSION=$(echo "${CHECK_PERMISSION}" | ${AWKBINARY} '{printf "%03d",$1}')
# First try stat command
- LogText "Test: checking if file ${CHECKFILE} is ${CHECK_PERMISSION}"
+ LogText "Test: checking if file ${CHECKFILE} has the permissions set to ${CHECK_PERMISSION} or more restrictive"
if [ -n "${STATBINARY}" ]; then
case ${OS} in
- *BSD)
+ *BSD | "macOS")
+ # BSD and macOS have no --format, only short notation
DATA=$(${STATBINARY} -f "%OLp" ${CHECKFILE})
;;
*)
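Review bot: on BSD and macOS "%OLp" prints only the rwx bits; the setuid, setgid and sticky bits are in the %Mp field. If the default branch below reads the full mode (GNU stat's %a includes the special bits), the two platforms compare different things for a file such as /usr/bin/passwd; either mask the special bits on both paths or use "%OMp%OLp" on BSD/macOS so they agree.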
@@ -1344,7 +1345,7 @@
DATA=$(echo "${DATA}" | ${AWKBINARY} '{printf "%03d",$1}')
if [ -n "${DATA}" ]; then
- if [ "${DATA}" = "${CHECK_PERMISSION}" ]; then
+ if [ "${DATA}" -le "${CHECK_PERMISSION}" ]; then
LogText "Outcome: correct permissions (${DATA})"
return 0
fi
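Review bot: "[ "${DATA}" -le "${CHECK_PERMISSION}" ]" compares two octal strings as decimal integers, which is not the "or more restrictive" relation the new log message promises. Permissions are three independent bit fields: with an expected 600 an actual 444 is numerically smaller yet grants group and world read, and with an expected 640 an actual 604 passes although it is world-readable. Numeric less-or-equal never rejects a genuinely stricter mode, but it accepts looser ones, so the check now reports "correct permissions" for files it should flag. The right test is that the actual mode has no bit outside the expected one, which POSIX sh arithmetic can do since a leading zero makes the operand octal: "if [ $(( 0${DATA} & ~0${CHECK_PERMISSION} )) -eq 0 ]; then".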
@@ -2585,7 +2586,7 @@
CURRENT_TS=$(GetTimestamp)
if [ ${PREVIOUS_TS} -gt 0 ]; then
SLOW_TEST=0
- TIME_THRESHOLD=10 # seconds
+ TIME_THRESHOLD=$SLOW_TEST_THRESHOLD # seconds
# Calculate timing and determine if we use seconds or nanoseconds (more precise)
TIME_DIFF=$((CURRENT_TS - PREVIOUS_TS))
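Review bot: "$SLOW_TEST_THRESHOLD" is the only unbraced expansion in this function; the file writes "${VAR}" everywhere else, so use "${SLOW_TEST_THRESHOLD}". If the new --slow-warning option or a profile can set it, validate that it is a positive integer before the arithmetic below, otherwise a typo produces a shell error inside the timing code instead of a clear message.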
diff --git a/include/helper_generate b/include/helper_generate
index 67b58b66..f3a8d909 100644
--- a/include/helper_generate
+++ b/include/helper_generate
@@ -51,8 +51,10 @@ if [ $# -gt 0 ]; then
;;
*)
# xxd does not exist on FreeBSD
- HOSTID=$(head -c20 < /dev/urandom | hexdump -ve '"%.2x"')
- HOSTID2=$(head -c32 < /dev/urandom | hexdump -ve '"%.2x"')
+ # Note: hexdump may omit leading or trailing zeroes.
+ # Take 100 characters as input, turn to hex, then take first 40/64.
+ HOSTID=$(head -c100 < /dev/urandom | hexdump -ve '"%.2x"' | head -c40)
+ HOSTID2=$(head -c100 < /dev/urandom | hexdump -ve '"%.2x"' | head -c64)
;;
esac
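Review bot: the comment misdiagnoses the cause. hexdump formats %x conversions as 4-byte units when no byte count is given, and "%.2x" only guarantees two digits per unit, so each unit loses its leading zeros; that is why 20 bytes produced fewer than 40 characters. Reading 100 bytes and cutting to 40/64 hides the symptom, but the output is no longer a uniform encoding of the random bytes (a unit starting with 0x00 contributes fewer characters than one starting with 0xFF), and in the worst case 25 units yield only 50 characters, short of the 64 HOSTID2 needs. Use an explicit byte count, "hexdump -ve '1/1 "%02x"'", which emits exactly two characters per byte; then head -c20 and head -c32 are sufficient and the trimming can go.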
diff --git a/include/osdetection b/include/osdetection
index 08fd931e..c2726d31 100644
--- a/include/osdetection
+++ b/include/osdetection
@@ -62,6 +62,7 @@
10.13 | 10.13.[0-9]*) OS_FULLNAME="macOS High Sierra (${OS_VERSION})" ;;
10.14 | 10.14.[0-9]*) OS_FULLNAME="macOS Mojave (${OS_VERSION})" ;;
10.15 | 10.15.[0-9]*) OS_FULLNAME="macOS Catalina (${OS_VERSION})" ;;
+ 11.0 | 11.0[0-9]*) OS_FULLNAME="macOS Big Sur (${OS_VERSION})" ;;
*) echo "Unknown macOS version. Do you know what version it is? Create an issue at ${PROGRAM_SOURCE}" ;;
esac
else
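Review bot: the second alternative "11.0[0-9]*" matches "11.00" and "11.05" but not "11.0.1", unlike the "10.15.[0-9]*" pattern on the line above, so the first Big Sur point release falls through to "Unknown macOS version". Big Sur also continues as 11.1, 11.2 and so on, so "11 | 11.[0-9]*" covers the whole major version.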
@@ -143,6 +144,12 @@
OS_ID=$(grep "^ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
if [ -n "${OS_ID}" ]; then
case ${OS_ID} in
+ "alpine")
+ LINUX_VERSION="Alpine Linux"
+ OS_NAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ ;;
"amzn")
LINUX_VERSION="Amazon Linux"
OS_NAME="Amazon Linux"
@@ -183,11 +190,21 @@
OS_REDHAT_OR_CLONE=1
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
- "pureos")
- LINUX_VERSION="PureOS"
+ "gentoo")
+ LINUX_VERSION="Gentoo"
+ OS_NAME="Gentoo Linux"
+ OS_VERSION="Rolling release"
+ ;;
+ "kali")
+ LINUX_VERSION="Kali"
+ OS_NAME="Kali Linux"
+ OS_VERSION="Rolling release"
+ ;;
+ "linuxmint")
+ LINUX_VERSION="Linux Mint"
+ OS_NAME="Linux Mint"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
- OS_NAME="PureOS"
;;
"manjaro")
LINUX_VERSION="Manjaro"
@@ -195,6 +212,12 @@
OS_NAME="Manjaro"
OS_VERSION="Rolling release"
;;
+ "ol")
+ LINUX_VERSION="Oracle Linux"
+ OS_NAME="Oracle Linux"
+ OS_REDHAT_OR_CLONE=1
+ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ ;;
"opensuse-tumbleweed")
LINUX_VERSION="openSUSE Tumbleweed"
# It's rolling release but has a snapshot version (the date of the snapshot)
@@ -206,11 +229,17 @@
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_NAME="openSUSE"
;;
- "ubuntu")
- LINUX_VERSION="Ubuntu"
+ "pop")
+ LINUX_VERSION="Pop!_OS"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
- OS_NAME="Ubuntu"
+ OS_NAME="Pop!_OS"
+ ;;
+ "pureos")
+ LINUX_VERSION="PureOS"
+ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ OS_NAME="PureOS"
;;
"raspbian")
LINUX_VERSION="Raspbian"
@@ -232,13 +261,22 @@
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
+ "ubuntu")
+ LINUX_VERSION="Ubuntu"
+ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ OS_NAME="Ubuntu"
+ ;;
*)
- ReportException "OS Detection" "Unknown OS found in /etc/os-release"
+ ReportException "OS Detection" "Unknown OS found in /etc/os-release - Please create issue on GitHub project page: ${PROGRAM_SOURCE}"
;;
esac
fi
fi
+ # Alpine
+ if [ -e "/etc/alpine-release" ]; then LINUX_VERSION="Alpine Linux"; OS_VERSION=$(cat /etc/alpine-release); fi
+
# Amazon
if [ -z "${LINUX_VERSION}" -a -e "/etc/system-release" ]; then
FIND=$(grep "^Amazon" /etc/system-release)
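Review bot: the new Alpine fallback `if [ -e "/etc/alpine-release" ]; then LINUX_VERSION="Alpine Linux"; OS_VERSION=$(cat /etc/alpine-release); fi` runs unconditionally, unlike the Amazon block directly below, which is guarded by `-z "${LINUX_VERSION}"`; on a system already identified through the new `"alpine")` case it overwrites the OS_VERSION just parsed from VERSION_ID. Add the same `-z "${LINUX_VERSION}"` guard so the os-release values win when present.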
diff --git a/include/parameters b/include/parameters
index 8668b683..242899e6 100644
--- a/include/parameters
+++ b/include/parameters
@@ -423,6 +423,23 @@
QUIET=1
;;
+ # Warning when test is slow
+ --slow-warning)
+ if [ $# -gt 1 ]; then
+ shift
+
+ if [ "$1" -gt 0 ] 2>/dev/null; then
+ SLOW_TEST_THRESHOLD="$1"
+ else
+ echo "Argument has to be number."
+ exit 1
+ fi
+ else
+ echo "Specify threshold as number of seconds above which should Lynis warn about long test."
+ exit 1
+ fi
+ ;;
+
--tests-category | --tests-categories | --view-categories | --list-categories | --show-categories)
echo "Error: Deprecated option ($1)"
exit 1
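Review bot: the two error messages in the `--slow-warning` branch need a grammar pass: `echo "Argument has to be number."` should read "Argument has to be a number.", and `echo "Specify threshold as number of seconds above which should Lynis warn about long test."` reads better as "Specify the threshold as a number of seconds; tests taking longer than this trigger a warning." The `[ "$1" -gt 0 ] 2>/dev/null` validation is sound, though the redirection spacing differs from the `2> /dev/null` form used elsewhere in this patch.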
diff --git a/include/profiles b/include/profiles
index da2124f7..2b0885ce 100644
--- a/include/profiles
+++ b/include/profiles
@@ -50,6 +50,7 @@
Display --text " "
Display --text "=================================================================================================="
Display --text " "
+ LogText "Insight: Profile '${PROFILE}' contians one or more old-style configuration entries"
ReportWarning "GEN-0020" "Your profile contains one or more old-style configuration entries"
sleep 10
fi
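Review bot: typo in the new LogText line: `contians` should be `contains`, matching the ReportWarning text directly below it.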
@@ -556,7 +557,6 @@
Display --indent 2 --text "- Checking profiles..." --result "DONE" --color GREEN
-LogTextBreak
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
diff --git a/include/tests_authentication b/include/tests_authentication
index bf8cabe8..3dbe08f7 100644
--- a/include/tests_authentication
+++ b/include/tests_authentication
@@ -286,50 +286,56 @@
# Description : Check password hashing methods vs. recommendations in crypt(5)
# Notes : Applicable to all Unix-like OS
# Requires read access to /etc/shadow (if it exists)
+
+ ParsePasswordEntry() {
+ METHOD=$1
+ case ${METHOD} in
+ 1:\* | 1:x | 0: | *:!* | *LOCK*)
+ # disabled | shadowed | no password | locked account (can be literal *LOCK* or something like LOCKED)
+ ;;
+ *:\$5\$*| *:\$6\$*)
+ # sha256crypt | sha512crypt: check number of rounds, should be >5000
+ ROUNDS=$(echo "${METHOD}" | sed -n 's/.*rounds=\([0-9]*\)\$.*/\1/gp')
+ if [ -z "${ROUNDS}" ]; then
+ echo 'sha256crypt/sha512crypt(default<=5000rounds)'
+ elif [ "${ROUNDS}" -le 5000 ]; then
+ echo 'sha256crypt/sha512crypt(<=5000rounds)'
+ fi
+ ;;
+ *:\$y\$* | *:\$gy\$* | *:\$2b\$* | *:\$7\$*)
+ # yescrypt | gost-yescrypt | bcrypt | scrypt
+ ;;
+ *:_*)
+ echo bsdicrypt
+ ;;
+ *:\$1\$*)
+ echo md5crypt
+ ;;
+ *:\$3\$*)
+ echo NT
+ ;;
+ *:\$md5*)
+ echo SunMD5
+ ;;
+ *:\$sha1*)
+ echo sha1crypt
+ ;;
+ 13:* | 178:*)
+ echo bigcrypt/descrypt
+ ;;
+ *)
+ echo "Unknown password hashing method ${METHOD}. Please report to lynis-dev@cisofy.com"
+ ;;
+ esac
+ }
+
Register --test-no AUTH-9229 --root-only YES --weight L --network NO --category security --description "Check password hashing methods"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking password hashing methods"
SHADOW="";
if [ -e ${ROOTDIR}etc/shadow ]; then SHADOW="${ROOTDIR}etc/shadow"; fi
FIND=$(${CAT_BINARY} ${ROOTDIR}etc/passwd ${SHADOW} | ${AWKBINARY} -F : '{print length($2) ":" $2 }' | while read METHOD; do
- case ${METHOD} in
- 1:\* | 1:x | 0: | *:!*)
- # disabled | shadowed | no password | locked account
- ;;
- *:\$5\$*| *:\$6\$*)
- # sha256crypt | sha512crypt: check number of rounds, should be >5000
- ROUNDS=$(echo "${METHOD}" | sed -n 's/.*rounds=\([0-9]*\)\$.*/\1/gp')
- if [ -z "${ROUNDS}" ]; then
- echo 'sha256crypt/sha512crypt(default<=5000rounds)'
- elif [ "${ROUNDS}" -le 5000 ]; then
- echo 'sha256crypt/sha512crypt(<=5000rounds)'
- fi
- ;;
- *:\$y\$* | *:\$gy\$* | *:\$2b\$* | *:\$7\$*)
- # yescrypt | gost-yescrypt | bcrypt | scrypt
- ;;
- *:_*)
- echo bsdicrypt
- ;;
- *:\$1\$*)
- echo md5crypt
- ;;
- *:\$3\$*)
- echo NT
- ;;
- *:\$md5*)
- echo SunMD5
- ;;
- *:\$sha1*)
- echo sha1crypt
- ;;
- 13:* | 178:*)
- echo bigcrypt/descrypt
- ;;
- *)
- echo "Unknown password hashing method ${METHOD}. Please report to lynis-dev@cisofy.com"
- ;;
- esac
+ ParsePasswordEntry ${METHOD}
done | ${SORTBINARY} -u | ${TRBINARY} '\n' ' ')
if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Password hashing methods" --result "${STATUS_OK}" --color GREEN
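Review bot: `ParsePasswordEntry ${METHOD}` passes the `length:hash` pair unquoted, so an entry containing glob characters (`1:*` for a disabled account, or any hash field containing `*`) goes through pathname expansion before the case statement sees it; write `ParsePasswordEntry "${METHOD}"` and `METHOD="$1"`. Also note that the new `*LOCK*` alternative matches that substring anywhere in the field, not only the `*LOCKED*`-style markers the comment describes; if that breadth is intended, say so in the comment.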
diff --git a/include/tests_boot_services b/include/tests_boot_services
index 8ad83d7c..fe5707e4 100644
--- a/include/tests_boot_services
+++ b/include/tests_boot_services
@@ -332,8 +332,12 @@
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
- CONF_FILES=$(${FINDBINARY} /etc/grub.d -type f -name "[0-9][0-9]*" -print0 | ${TRBINARY} '\0' ' ' | ${TRBINARY} -d '[:cntrl:]')
- CONF_FILES="${GRUBCONFFILE} ${ROOTDIR}boot/grub/custom.cfg ${CONF_FILES}"
+ if [ "${ROOTDIR}etc/grub.d" ]; then
+ CONF_FILES=$(${FINDBINARY} "${ROOTDIR}etc/grub.d" -type f -name "[0-9][0-9]*" -print0 | ${TRBINARY} '\0' ' ' | ${TRBINARY} -d '[:cntrl:]')
+ CONF_FILES="${GRUBCONFFILE} ${ROOTDIR}boot/grub/custom.cfg ${CONF_FILES}"
+ else
+ CONF_FILES="${GRUBCONFFILE} ${ROOTDIR}boot/grub/custom.cfg"
+ fi
for FILE in ${CONF_FILES}; do
if [ -f "${FILE}" ]; then
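Review bot: `if [ "${ROOTDIR}etc/grub.d" ]; then` tests whether the string is non-empty, which is always true, so the `else` branch can never run and the intended presence check is not performed; `find` still errors on a missing directory. Use `if [ -d "${ROOTDIR}etc/grub.d" ]; then`.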
diff --git a/include/tests_crypto b/include/tests_crypto
index f1aa1bdf..437c9b54 100644
--- a/include/tests_crypto
+++ b/include/tests_crypto
@@ -193,7 +193,7 @@
if ${CRYPTSETUPBINARY} isLuks "${BLOCK_DEV}" 2> /dev/null; then
LogText "Result: Found LUKS encrypted swap device: ${BLOCK_DEV}"
ENCRYPTED_SWAPS=$((ENCRYPTED_SWAPS +1))
- elif ${CRYPTSETUPBINARY} status "${BLOCK_DEV}" | ${GREPBINARY} --quiet "cipher:"; then
+ elif ${CRYPTSETUPBINARY} status "${BLOCK_DEV}" 2> /dev/null | ${GREPBINARY} --quiet "cipher:"; then
LogText "Result: Found non-LUKS encrypted swap device: ${BLOCK_DEV}"
ENCRYPTED_SWAPS=$((ENCRYPTED_SWAPS +1))
else
diff --git a/include/tests_filesystems b/include/tests_filesystems
index aabdc2be..bfe451ab 100644
--- a/include/tests_filesystems
+++ b/include/tests_filesystems
@@ -212,10 +212,11 @@
#################################################################################
#
# Test : FILE-6330
- # Description : Query all ZFS mounts from /etc/fstab
+ # Description : Query ZFS mounts
+ # Note : mount -p does not work under Linux
Register --test-no FILE-6330 --os FreeBSD --weight L --network NO --category security --description "Checking ZFS file systems"
if [ ${SKIPTEST} -eq 0 ]; then
- LogText "Test: Query /etc/fstab for available ZFS mount points"
+ LogText "Test: Discover for available ZFS mount points"
FIND=$(${MOUNTBINARY} -p | ${AWKBINARY} '{ if ($3 == "zfs") { print $1":"$2":"$3":"$4":" }}')
if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Querying ZFS mount points (mount -p)" --result "${STATUS_NONE}" --color WHITE
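Review bot: the new log line `LogText "Test: Discover for available ZFS mount points"` is ungrammatical; suggest "Test: Discover available ZFS mount points (mount -p)". Since the added note explains that `mount -p` does not work under Linux, it could also mention that this is why the test is registered with `--os FreeBSD`.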
@@ -236,7 +237,7 @@
# Description : Query all HAMMER PFS mounts from /etc/fstab
Register --test-no FILE-6439 --os DragonFly --weight L --network NO --category security --description "Checking HAMMER PFS mounts"
if [ ${SKIPTEST} -eq 0 ]; then
- LogText "Test: Query /etc/fstab for available HAMMER PFS mount points"
+ LogText "Test: Query /etc/fstab for available HAMMER PFS mount points"
FIND=$(${MOUNTBINARY} -p | ${AWKBINARY} '{ if ($3 == "null") { print $1":"$2":"$3":"$4":" }}')
if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Querying HAMMER PFS mount points (mount -p)" --result "${STATUS_NONE}" --color WHITE
@@ -829,12 +830,15 @@
AddHP 3 3
if IsDebug; then Display --indent 6 --text "- Module ${FS} not present in the kernel" --result OK --color GREEN; fi
fi
- FIND1=$(${EGREPBINARY} "blacklist ${FS}" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
- FIND2=$(${EGREPBINARY} "install ${FS} /bin/true" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
- if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then
- Display --indent 4 --text "- Module $FS is blacklisted" --result "OK" --color GREEN
- LogText "Result: module ${FS} is blacklisted"
- fi
+ FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null)
+ if [ -n "${FIND}" ]; then
+ FIND1=$(${EGREPBINARY} "blacklist ${FS}" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
+ FIND2=$(${EGREPBINARY} "install ${FS} /bin/true" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
+ if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then
+ Display --indent 4 --text "- Module $FS is blacklisted" --result "OK" --color GREEN
+ LogText "Result: module ${FS} is blacklisted"
+ fi
+ fi
done
if [ ${FOUND} -eq 1 ]; then
Display --indent 4 --text "- Discovered kernel modules: ${AVAILABLE_MODPROBE_FS}"
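Review bot: the new guard `FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null)` is evaluated inside the per-filesystem loop, so the directory is listed once for every `${FS}` although its contents do not change between iterations; compute it once above the `for` and reuse the result. The guard also passes when the glob matches only subdirectories, in which case the two egrep calls still print errors, so consider adding `2> /dev/null` to them as well.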
diff --git a/include/tests_firewalls b/include/tests_firewalls
index 20f87e1e..d3ff1e3d 100644
--- a/include/tests_firewalls
+++ b/include/tests_firewalls
@@ -407,6 +407,8 @@
Register --test-no FIRE-4534 --weight L --os "macOS" --network NO --category security --description "Check for presence of outbound firewalls on macOS"
if [ ${SKIPTEST} -eq 0 ]; then
+ FOUND=0
+
# Little Snitch Daemon (macOS)
LogText "Test: checking process Little Snitch Daemon"
if IsRunning --full "Little Snitch Daemon"; then
diff --git a/include/tests_insecure_services b/include/tests_insecure_services
index 5c8af1fc..d6d87245 100644
--- a/include/tests_insecure_services
+++ b/include/tests_insecure_services
@@ -385,7 +385,7 @@
if [ ${FOUND} -eq 1 ]; then
LogText "Result: telnet server is installed"
Display --indent 2 --text "- Installed telnet server package" --result "${STATUS_FOUND}" --color YELLOW
- ReportSuggestion "${TEST_NO}" "Removing the ${FOUND} package and replace with SSH when possible"
+ ReportSuggestion "${TEST_NO}" "Removing the telnet server package and replace with SSH when possible"
Report "insecure_service[]=telnet-server"
else
LogText "Result: telnet server is NOT installed"
diff --git a/include/tests_kernel b/include/tests_kernel
index 72e5082b..011d02c6 100644
--- a/include/tests_kernel
+++ b/include/tests_kernel
@@ -235,12 +235,13 @@
Register --test-no KRNL-5728 --os Linux --weight L --network NO --category security --description "Checking Linux kernel config"
if [ ${SKIPTEST} -eq 0 ]; then
CHECKFILE="${ROOTDIR}boot/config-$(uname -r)"
+ CHECKFILE_ZIPPED="${ROOTDIR}proc/config.gz"
if [ -f ${CHECKFILE} ]; then
LINUXCONFIGFILE="${CHECKFILE}"
LogText "Result: found config (${LINUXCONFIGFILE})"
Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_FOUND}" --color GREEN
- elif [ -f ${ROOTDIR}proc/config.gz ]; then
- LINUXCONFIGFILE="${CHECKFILE}"
+ elif [ -f ${CHECKFILE_ZIPPED} ]; then
+ LINUXCONFIGFILE="${CHECKFILE_ZIPPED}"
LINUXCONFIGFILE_ZIPPED=1
LogText "Result: found config: ${ROOTDIR}proc/config.gz (compressed)"
Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_FOUND}" --color GREEN
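Review bot: the LogText after `LINUXCONFIGFILE_ZIPPED=1` still hardcodes `${ROOTDIR}proc/config.gz`; now that the path lives in CHECKFILE_ZIPPED, log `${LINUXCONFIGFILE}` so the message cannot drift from the file actually used. Both `-f` tests also leave their paths unquoted (`[ -f ${CHECKFILE} ]`, `[ -f ${CHECKFILE_ZIPPED} ]`); quoting them is cheap insurance against a ROOTDIR containing spaces.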
@@ -674,7 +675,10 @@
LogText "Result: found a symlink, retrieving destination"
FOUND_VMLINUZ=$(readlink "${FOUND_VMLINUZ}")
LogText "Result: destination file is ${FOUND_VMLINUZ}"
- VERSION_ON_DISK=$(echo ${FOUND_VMLINUZ} | ${SEDBINARY} 's/^vmlinuz-//')
+ VERSION_ON_DISK=$(echo ${FOUND_VMLINUZ} | ${SEDBINARY} 's#^/boot/##' | ${SEDBINARY} 's/^vmlinuz-//')
+ LogText "Result: version derived from file name is '${VERSION_ON_DISK}'"
+ elif [ -f "${FOUND_VMLINUZ}" ]; then
+ VERSION_ON_DISK=$(echo ${FOUND_VMLINUZ} | ${SEDBINARY} 's#^/boot/##' | ${SEDBINARY} 's/^vmlinuz-//')
LogText "Result: version derived from file name is '${VERSION_ON_DISK}'"
fi
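Review bot: the `VERSION_ON_DISK=$(echo ${FOUND_VMLINUZ} | ${SEDBINARY} 's#^/boot/##' | ${SEDBINARY} 's/^vmlinuz-//')` assignment and its LogText are duplicated in both branches; move them below the `if/elif/fi` so the symlink branch only resolves the target. Note also that `readlink` without `-f` returns the raw link target, which is frequently relative (e.g. `boot/vmlinuz-...`), and `s#^/boot/##` strips only a leading `/boot/`; `s#^/*boot/##` handles both forms. Quote `"${FOUND_VMLINUZ}"` in the echo while there.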
diff --git a/include/tests_malware b/include/tests_malware
index a5ed3e06..5e3c6fca 100644
--- a/include/tests_malware
+++ b/include/tests_malware
@@ -102,28 +102,6 @@
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
- # ESET security products
- LogText "Test: checking process esets_daemon"
- if IsRunning "esets_daemon"; then
- FOUND=1
- ESET_DAEMON_RUNNING=1
- MALWARE_SCANNER_INSTALLED=1
- if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} ESET daemon" --result "${STATUS_FOUND}" --color GREEN; fi
- LogText "Result: found ESET security product"
- Report "malware_scanner[]=eset"
- fi
-
- # Bitdefender (macOS)
- LogText "Test: checking process epagd"
- if IsRunning "epagd"; then
- FOUND=1
- BITDEFENDER_DAEMON_RUNNING=1
- MALWARE_SCANNER_INSTALLED=1
- if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Bitdefender agent" --result "${STATUS_FOUND}" --color GREEN; fi
- LogText "Result: found Bitdefender security product"
- Report "malware_scanner[]=bitdefender"
- fi
-
# Avast (macOS)
LogText "Test: checking process com.avast.daemon"
if IsRunning "com.avast.daemon"; then
@@ -146,6 +124,17 @@
Report "malware_scanner[]=avira"
fi
+ # Bitdefender (macOS)
+ LogText "Test: checking process epagd"
+ if IsRunning "bdagentd" || IsRunning "epagd"; then
+ FOUND=1
+ BITDEFENDER_DAEMON_RUNNING=1
+ MALWARE_SCANNER_INSTALLED=1
+ if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Bitdefender agent" --result "${STATUS_FOUND}" --color GREEN; fi
+ LogText "Result: found Bitdefender security product"
+ Report "malware_scanner[]=bitdefender"
+ fi
+
# CrowdStrike falcon-sensor
LogText "Test: checking process falcon-sensor (CrowdStrike)"
if IsRunning "falcon-sensor"; then
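Review bot: the Bitdefender block now tests `IsRunning "bdagentd" || IsRunning "epagd"`, but the log line above it still reads `LogText "Test: checking process epagd"`; update it to name both processes so the log explains what was actually checked.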
@@ -168,6 +157,17 @@
Report "malware_scanner[]=cylance-protect"
fi
+ # ESET security products
+ LogText "Test: checking process esets_daemon"
+ if IsRunning "esets_daemon"; then
+ FOUND=1
+ ESET_DAEMON_RUNNING=1
+ MALWARE_SCANNER_INSTALLED=1
+ if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} ESET daemon" --result "${STATUS_FOUND}" --color GREEN; fi
+ LogText "Result: found ESET security product"
+ Report "malware_scanner[]=eset"
+ fi
+
# Kaspersky products
LogText "Test: checking process wdserver or klnagent (Kaspersky)"
# wdserver is too generic to match on, so we want to ensure that it is related to Kaspersky first
diff --git a/include/tests_networking b/include/tests_networking
index 83a7aae0..420f26ea 100644
--- a/include/tests_networking
+++ b/include/tests_networking
@@ -70,7 +70,7 @@
LogText "Result: hostnamed is defined and not longer than 63 characters"
fi
# Test valid characters (normally a dot should not be in the name, but we can't be 100% sure we have short name)
- FIND=$(echo "${HOSTNAME}" | ${TRBINARY} -d '[a-z0-9\.\-]')
+ FIND=$(echo "${HOSTNAME}" | ${TRBINARY} -d '[a-zA-Z0-9\.\-]')
if [ -z "${FIND}" ]; then
LogText "Result: good, no unexpected characters discovered in hostname"
if IsVerbose; then Display --indent 2 --text "- Hostname (allowed characters)" --result "${STATUS_OK}" --color GREEN; fi
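Review bot: adding `A-Z` to the allowed set is correct, but the set string `'[a-zA-Z0-9\.\-]'` is handed to `tr`, not to a regex engine: `tr` ranges do not need brackets, so `[` and `]` become literal members of the deletion set and are never reported as unexpected hostname characters; the `\.` escape is also unnecessary because `.` is not special to `tr`. Suggest `${TRBINARY} -d 'a-zA-Z0-9.-'`.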
diff --git a/include/tests_php b/include/tests_php
index 0f498fff..32211f1a 100644
--- a/include/tests_php
+++ b/include/tests_php
@@ -36,6 +36,7 @@
${ROOTDIR}etc/php7.1/php.ini \
${ROOTDIR}etc/php7.2/php.ini \
${ROOTDIR}etc/php7.3/php.ini \
+ ${ROOTDIR}etc/php7.4/php.ini \
${ROOTDIR}etc/php/cgi-php5/php.ini \
${ROOTDIR}etc/php/cli-php5/php.ini \
${ROOTDIR}etc/php/apache2-php5/php.ini \
@@ -45,24 +46,29 @@
${ROOTDIR}etc/php/apache2-php7.1/php.ini \
${ROOTDIR}etc/php/apache2-php7.2/php.ini \
${ROOTDIR}etc/php/apache2-php7.3/php.ini \
+ ${ROOTDIR}etc/php/apache2-php7.4/php.ini \
${ROOTDIR}etc/php/cgi-php5.5/php.ini \
${ROOTDIR}etc/php/cgi-php5.6/php.ini \
${ROOTDIR}etc/php/cgi-php7.0/php.ini \
${ROOTDIR}etc/php/cgi-php7.1/php.ini \
${ROOTDIR}etc/php/cgi-php7.2/php.ini \
${ROOTDIR}etc/php/cgi-php7.3/php.ini \
+ ${ROOTDIR}etc/php/cgi-php7.4/php.ini \
${ROOTDIR}etc/php/cli-php5.5/php.ini \
${ROOTDIR}etc/php/cli-php5.6/php.ini \
${ROOTDIR}etc/php/cli-php7.0/php.ini \
${ROOTDIR}etc/php/cli-php7.1/php.ini \
${ROOTDIR}etc/php/cli-php7.2/php.ini \
${ROOTDIR}etc/php/cli-php7.3/php.ini \
+ ${ROOTDIR}etc/php/cli-php7.4/php.ini \
${ROOTDIR}etc/php/embed-php5.5/php.ini \
${ROOTDIR}etc/php/embed-php5.6/php.ini \
${ROOTDIR}etc/php/embed-php7.0/php.ini \
${ROOTDIR}etc/php/embed-php7.1/php.ini \
${ROOTDIR}etc/php/embed-php7.2/php.ini \
${ROOTDIR}etc/php/embed-php7.3/php.ini \
+ ${ROOTDIR}etc/php/embed-php7.4/php.ini \
+ ${ROOTDIR}etc/php/fpm-php7.4/php.ini \
${ROOTDIR}etc/php/fpm-php7.3/php.ini \
${ROOTDIR}etc/php/fpm-php7.2/php.ini \
${ROOTDIR}etc/php/fpm-php7.1/php.ini \
@@ -71,7 +77,9 @@
${ROOTDIR}etc/php/fpm-php5.6/php.ini \
${ROOTDIR}etc/php5/cgi/php.ini \
${ROOTDIR}etc/php5/cli/php.ini \
- ${ROOTDIR}etc/php5/cli-php5.4/php.ini ${ROOTDIR}etc/php5/cli-php5.5/php.ini ${ROOTDIR}etc/php5/cli-php5.6/php.ini \
+ ${ROOTDIR}etc/php5/cli-php5.4/php.ini \
+ ${ROOTDIR}etc/php5/cli-php5.5/php.ini \
+ ${ROOTDIR}etc/php5/cli-php5.6/php.ini \
${ROOTDIR}etc/php5/apache2/php.ini \
${ROOTDIR}etc/php5/fpm/php.ini \
${ROOTDIR}private/etc/php.ini \
@@ -79,12 +87,20 @@
${ROOTDIR}etc/php/7.1/apache2/php.ini \
${ROOTDIR}etc/php/7.2/apache2/php.ini \
${ROOTDIR}etc/php/7.3/apache2/php.ini \
- ${ROOTDIR}etc/php/7.0/cli/php.ini ${ROOTDIR}etc/php/7.0/fpm/php.ini \
- ${ROOTDIR}etc/php/7.1/cli/php.ini ${ROOTDIR}etc/php/7.1/fpm/php.ini \
- ${ROOTDIR}etc/php/7.2/cli/php.ini ${ROOTDIR}etc/php/7.2/fpm/php.ini \
- ${ROOTDIR}etc/php/7.3/cli/php.ini ${ROOTDIR}etc/php/7.3/fpm/php.ini \
+ ${ROOTDIR}etc/php/7.4/apache2/php.ini \
+ ${ROOTDIR}etc/php/7.0/cli/php.ini \
+ ${ROOTDIR}etc/php/7.0/fpm/php.ini \
+ ${ROOTDIR}etc/php/7.1/cli/php.ini \
+ ${ROOTDIR}etc/php/7.1/fpm/php.ini \
+ ${ROOTDIR}etc/php/7.2/cli/php.ini \
+ ${ROOTDIR}etc/php/7.2/fpm/php.ini \
+ ${ROOTDIR}etc/php/7.3/cli/php.ini \
+ ${ROOTDIR}etc/php/7.3/fpm/php.ini \
+ ${ROOTDIR}etc/php/7.4/cli/php.ini \
+ ${ROOTDIR}etc/php/7.4/fpm/php.ini \
${ROOTDIR}var/www/conf/php.ini \
- ${ROOTDIR}usr/local/etc/php.ini ${ROOTDIR}usr/local/lib/php.ini \
+ ${ROOTDIR}usr/local/etc/php.ini \
+ ${ROOTDIR}usr/local/lib/php.ini \
${ROOTDIR}usr/local/etc/php5/cgi/php.ini \
${ROOTDIR}usr/local/php54/lib/php.ini \
${ROOTDIR}usr/local/php56/lib/php.ini \
@@ -92,6 +108,7 @@
${ROOTDIR}usr/local/php71/lib/php.ini \
${ROOTDIR}usr/local/php72/lib/php.ini \
${ROOTDIR}usr/local/php73/lib/php.ini \
+ ${ROOTDIR}usr/local/php74/lib/php.ini \
${ROOTDIR}usr/local/zend/etc/php.ini \
${ROOTDIR}usr/pkg/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.ini \
@@ -101,6 +118,7 @@
${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php73/root/etc/php.ini \
+ ${ROOTDIR}opt/cpanel/ea-php74/root/etc/php.ini \
${ROOTDIR}opt/alt/php44/etc/php.ini \
${ROOTDIR}opt/alt/php51/etc/php.ini \
${ROOTDIR}opt/alt/php52/etc/php.ini \
@@ -112,27 +130,42 @@
${ROOTDIR}opt/alt/php71/etc/php.ini \
${ROOTDIR}opt/alt/php72/etc/php.ini \
${ROOTDIR}opt/alt/php73/etc/php.ini \
+ ${ROOTDIR}opt/alt/php74/etc/php.ini \
${ROOTDIR}etc/opt/remi/php56/php.ini \
${ROOTDIR}etc/opt/remi/php70/php.ini \
${ROOTDIR}etc/opt/remi/php71/php.ini \
${ROOTDIR}etc/opt/remi/php72/php.ini \
- ${ROOTDIR}etc/opt/remi/php73/php.ini"
+ ${ROOTDIR}etc/opt/remi/php73/php.ini \
+ ${ROOTDIR}etc/opt/remi/php74/php.ini"
# HEADS-UP: OpenBSD, last two releases are supported, and snapshots of -current
PHPINILOCS="${PHPINILOCS} \
- ${ROOTDIR}etc/php-5.6.ini ${ROOTDIR}etc/php-7.0.ini ${ROOTDIR}etc/php-7.1.ini ${ROOTDIR}etc/php-7.2.ini ${ROOTDIR}etc/php-7.3.ini"
+ ${ROOTDIR}etc/php-5.6.ini \
+ ${ROOTDIR}etc/php-7.0.ini \
+ ${ROOTDIR}etc/php-7.1.ini \
+ ${ROOTDIR}etc/php-7.2.ini \
+ ${ROOTDIR}etc/php-7.3.ini \
+ ${ROOTDIR}etc/php-7.4.ini"
PHPINIDIRS="${ROOTDIR}etc/php5/conf.d \
${ROOTDIR}etc/php/7.0/cli/conf.d \
${ROOTDIR}etc/php/7.1/cli/conf.d \
${ROOTDIR}etc/php/7.2/cli/conf.d \
${ROOTDIR}etc/php/7.3/cli/conf.d \
+ ${ROOTDIR}etc/php/7.4/cli/conf.d \
${ROOTDIR}etc/php/7.0/fpm/conf.d \
${ROOTDIR}etc/php/7.1/fpm/conf.d \
${ROOTDIR}etc/php/7.2/fpm/conf.d \
${ROOTDIR}etc/php/7.3/fpm/conf.d \
+ ${ROOTDIR}etc/php/7.4/fpm/conf.d \
${ROOTDIR}etc/php.d \
- ${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php55/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php56/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.d \
- ${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php73/root/etc/php.d \
+ ${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.d \
+ ${ROOTDIR}opt/cpanel/ea-php55/root/etc/php.d \
+ ${ROOTDIR}opt/cpanel/ea-php56/root/etc/php.d \
+ ${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.d \
+ ${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.d \
+ ${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.d \
+ ${ROOTDIR}opt/cpanel/ea-php73/root/etc/php.d \
+ ${ROOTDIR}opt/cpanel/ea-php74/root/etc/php.d \
${ROOTDIR}opt/alt/php44/etc/php.d.all \
${ROOTDIR}opt/alt/php51/etc/php.d.all \
${ROOTDIR}opt/alt/php52/etc/php.d.all \
@@ -144,14 +177,21 @@
${ROOTDIR}opt/alt/php71/etc/php.d.all \
${ROOTDIR}opt/alt/php72/etc/php.d.all \
${ROOTDIR}opt/alt/php73/etc/php.d.all \
+ ${ROOTDIR}opt/alt/php74/etc/php.d.all \
${ROOTDIR}usr/local/lib/php.conf.d \
${ROOTDIR}usr/local/php70/lib/php.conf.d \
${ROOTDIR}usr/local/php71/lib/php.conf.d \
${ROOTDIR}usr/local/php72/lib/php.conf.d \
- ${ROOTDIR}usr/local/php73/lib/php.conf.d"
+ ${ROOTDIR}usr/local/php73/lib/php.conf.d \
+ ${ROOTDIR}usr/local/php74/lib/php.conf.d"
# HEADS-UP: OpenBSD, last two releases are supported, and snapshots of -current
PHPINIDIRS="${PHPINIDIRS} \
- ${ROOTDIR}etc/php-5.6 ${ROOTDIR}etc/php-7.0 ${ROOTDIR}etc/php-7.1 ${ROOTDIR}etc/php-7.2 ${ROOTDIR}etc/php-7.3"
+ ${ROOTDIR}etc/php-5.6 \
+ ${ROOTDIR}etc/php-7.0 \
+ ${ROOTDIR}etc/php-7.1 \
+ ${ROOTDIR}etc/php-7.2 \
+ ${ROOTDIR}etc/php-7.3 \
+ ${ROOTDIR}etc/php-7.4"
#
#################################################################################
#
diff --git a/include/tests_time b/include/tests_time
index 7c15d0a3..eda41a6f 100644
--- a/include/tests_time
+++ b/include/tests_time
@@ -86,9 +86,8 @@
# Reason: openntpd syncs only if large time corrections are not required or -s is passed.
# This might be not intended by the administrator (-s is NOT the default!)
FIND=$(${PSBINARY} ax | ${GREPBINARY} "ntpd: ntp engine" | ${GREPBINARY} -v "grep")
- ${NTPCTLBINARY} -s status > /dev/null 2> /dev/null
# Status code 0 is when communication over the socket is successfull
- if [ "$?" -eq 0 ]; then
+ if ${NTPCTLBINARY} -s status > /dev/null 2> /dev/null; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="openntpd"
LogText "result: found openntpd (method: ntpctl)"
OPENNTPD_COMMUNICATION=1
@@ -101,7 +100,7 @@
LogText "result: running openntpd not found, but ntpctl is instaalled"
fi
- if [ "${NTP_DAEMON}" == "openntpd" ]; then
+ if [ "${NTP_DAEMON}" = "openntpd" ]; then
Display --indent 2 --text "- NTP daemon found: OpenNTPD" --result "${STATUS_FOUND}" --color GREEN
fi
fi
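Review bot: the `==` to `=` change is the right POSIX fix; while touching this block, the unchanged LogText two lines above has a typo (`instaalled`) that could be corrected in the same commit.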
@@ -124,39 +123,30 @@
fi
# Check timedate daemon (systemd)
- if [ -n "${TIMEDATECTL}" ]; then
- FIND=$(${TIMEDATECTL} status | ${EGREPBINARY} "(NTP|System clock) synchronized: yes")
- if [ -n "${FIND}" ]; then
- # Check for systemd-timesyncd
- if [ -f ${ROOTDIR}etc/systemd/timesyncd.conf ]; then
- LogText "Result: found ${ROOTDIR}etc/systemd/timesyncd.conf"
- FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="systemd-timesyncd"
- Display --indent 2 --text "- NTP daemon found: systemd (timesyncd)" --result "${STATUS_FOUND}" --color GREEN
- SYSTEMD_NTP_ENABLED=1
- else
- LogText "Result: ${ROOTDIR}etc/systemd/timesyncd.conf does not exist"
- fi
- else
- LogText "Result: time synchronization not performed according timedatectl command"
- fi
- else
- LogText "Result: timedatectl command not available on this system"
+ FIND=$(${PSBINARY} ax | ${GREPBINARY} "systemd-timesyncd" | ${GREPBINARY} -v "grep")
+ if [ -n "${FIND}" ]; then
+ FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="systemd-timesyncd"
+ Display --indent 2 --text "- NTP daemon found: systemd (timesyncd)" --result "${STATUS_FOUND}" --color GREEN
+ LogText "Result: Found running systemd-timesyncd in process list"
fi
# Check crontab for OpenBSD/FreeBSD
# Check anacrontab for Linux
CRONTAB_FILES="/etc/anacrontab /etc/crontab"
+ # Regex for matching multiple time synchronisation binaries
+ # Partial sanity check for sntp and ntpdig, but this does not consider all corner cases
+ CRONTAB_REGEX='ntpdate|rdate|sntp.+-(s|j|--adj)|ntpdig.+-(S|s)'
for I in ${CRONTAB_FILES}; do
if [ -f ${I} ]; then
- LogText "Test: checking for ntpdate or rdate in crontab file ${I}"
- FIND=$(${EGREPBINARY} "ntpdate|rdate" ${I} | ${GREPBINARY} -v '^#')
+ LogText "Test: checking for ntpdate, rdate, sntp or ntpdig in crontab file ${I}"
+ FIND=$(${EGREPBINARY} "${CRONTAB_REGEX}" ${I} | ${GREPBINARY} -v '^#')
if [ -n "${FIND}" ]; then
FOUND=1; NTP_CONFIG_TYPE_SCHEDULED=1
Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "${STATUS_FOUND}" --color GREEN
- LogText "Result: found ntpdate or rdate reference in crontab file ${I}"
+ LogText "Result: found ntpdate, rdate, sntp or ntpdig reference in crontab file ${I}"
else
#Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "${STATUS_NOT_FOUND}" --color WHITE
- LogText "Result: no ntpdate or rdate reference found in crontab file ${I}"
+ LogText "Result: no ntpdate, rdate, sntp or ntpdig reference found in crontab file ${I}"
fi
else
LogText "Result: crontab file ${I} not found"
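Review bot: in `CRONTAB_REGEX='ntpdate|rdate|sntp.+-(s|j|--adj)|ntpdig.+-(S|s)'` the literal `-` before the group combines with the `--adj` alternative to require three dashes (`---adj`), so `sntp --adj` in a crontab is never matched; write the group as `-(s|j|-adj)`. Separately, the new systemd-timesyncd detection uses `${PSBINARY} ax | ${GREPBINARY} "systemd-timesyncd" | ${GREPBINARY} -v "grep"` while other tests in this patch use the `IsRunning` helper for the same purpose; `IsRunning "systemd-timesyncd"` keeps process matching consistent and drops the `grep -v grep` idiom.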
@@ -169,31 +159,18 @@
# Check cron jobs
for I in ${CRON_DIRS}; do
- if [ -d ${I} ]; then
- if FileIsReadable ${I}; then
- FIND=$(${FINDBINARY} ${I} -type f -a ! -name ".placeholder" -print 2> /dev/null | ${SEDBINARY} 's/ /__space__/g' | ${TRBINARY} '\n' '\0' | ${TRBINARY} -cd '[:print:]\0' | ${TRBINARY} '\0' ' ')
+ for J in "${I}"/*; do # iterate over folders in a safe way
+ # Check: regular file, readable and not called .placeholder
+ FIND=$(echo "${J}" | ${EGREPBINARY} '/.placeholder$')
+ if [ -f "${J}" ] && [ -r "${J}" ] && [ -z "${FIND}" ]; then
+ LogText "Test: checking for ntpdate, rdate, sntp or ntpdig in ${J}"
+ FIND=$("${EGREPBINARY}" "${CRONTAB_REGEX}" "${J}" | "${GREPBINARY}" -v "^#")
if [ -n "${FIND}" ]; then
- for J in ${FIND}; do
- # Place back spaces if needed
- J=$(echo ${J} | ${SEDBINARY} 's/__space__/ /g')
- LogText "Test: checking for ntpdate or rdate in ${J}"
- if FileIsReadable ${J}; then
- FIND2=$(${EGREPBINARY} "rdate|ntpdate" "${J}" | ${GREPBINARY} -v "^#")
- if [ -n "${FIND2}" ]; then
- LogText "Positive match found: ${FIND2}"
- FOUND=1; FOUND_IN_CRON=1; NTP_CONFIG_TYPE_SCHEDULED=1
- fi
- else
- LogText "Result: could not test in file '${J}' as it is not readable"
- fi
- done
- else
- LogText "Result: ${I} is empty, skipping search in directory"
+ FOUND=1; FOUND_IN_CRON=1; NTP_CONFIG_TYPE_SCHEDULED=1
+ LogText "Result: found ntpdate, rdate, sntp or ntpdig in ${J}"
fi
- else
- LogText "Result: could not search in directory due to permissions"
fi
- fi
+ done
done
if [ ${FOUND_IN_CRON} -eq 1 ]; then
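Review bot: the rewritten loop loses the diagnostics the old code emitted: with the `-d ${I}` and `FileIsReadable` checks gone, an unreadable or empty cron directory produces no log line at all (`for J in "${I}"/*` yields the literal pattern, which simply fails `-f`). Keep a `LogText` for the skipped cases, and replace `FIND=$(echo "${J}" | ${EGREPBINARY} '/.placeholder$')` with a shell pattern such as `case "${J}" in */.placeholder) continue ;; esac`, which avoids a subprocess per file and the unescaped `.` in the regex.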
@@ -532,7 +509,7 @@
#
# Test : TIME-3180
# Description : Report if ntpctl cannot communicate with OpenNTPD
- if [ "${NTPD_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" == "openntpd" ]; then
+ if [ "${NTP_DAEMON_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" = "openntpd" ]; then
PREQS_MET="YES"
else
PREQS_MET="NO"
@@ -548,7 +525,7 @@
#
# Test : TIME-3181
# Description : Check status of OpenNTPD time synchronisation
- if [ "${NTPD_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" == "openntpd" ] && [ "${OPENNTPD_COMMUNICATION}" -eq 1 ]; then
+ if [ "${NTP_DAEMON_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" = "openntpd" ] && [ "${OPENNTPD_COMMUNICATION}" -eq 1 ]; then
PREQS_MET="YES"
else
PREQS_MET="NO"
@@ -567,7 +544,7 @@
# Test : TIME-3182
# Description : Check OpenNTPD has working peers
- if [ "${NTPD_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" == "openntpd" ] && [ "${OPENNTPD_COMMUNICATION}" -eq 1 ]; then
+ if [ "${NTP_DAEMON_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" = "openntpd" ] && [ "${OPENNTPD_COMMUNICATION}" -eq 1 ]; then
PREQS_MET="YES"
else
PREQS_MET="NO"
@@ -576,11 +553,47 @@
Register --test-no TIME-3182 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check OpenNTPD has working peers"
if [ ${SKIPTEST} -eq 0 ]; then
# Format is "xx/yy peers valid, ..."
- FIND=$(${NTPCTLBINARY} -s status | ${EGREPBINARY} -o "[0-9]{1,4}/" | ${EGREPBINARY} -o "[0-9]{1,4}" )
- if [ -n "${FIND}" ] || [ "${FIND}" -eq 0 ]; then
+ FIND=$(${NTPCTLBINARY} -s status | ${EGREPBINARY} -o '[0-9]+/[0-9]+' | ${CUTBINARY} -d '/' -f 1)
+ if [ -z "${FIND}" ] || [ "${FIND}" -eq 0 ]; then
ReportWarning "${TEST_NO}" "OpenNTPD has no peers" "${NTPCTLBINARY} -s status"
fi
fi
+
+#
+#################################################################################
+#
+
+ # Test : TIME-3185
+ # Description : Check systemd-timesyncd synchronized time
+
+ if [ "${NTP_DAEMON}" = "systemd-timesyncd" ]; then
+ PREQS_MET="YES"
+ else
+ PREQS_MET="NO"
+ fi
+
+
+ Register --test-no TIME-3185 --preqs-met "${PREQS_MET}" --weight L --network NO --category "security" --description "Check systemd-timesyncd synchronized time"
+ SYNCHRONIZED_FILE="/run/systemd/timesync/synchronized"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ if [ -e "${SYNCHRONIZED_FILE}" ]; then
+ FIND=$(( $(date +%s) - $(${STATBINARY} -L --format %Y "${SYNCHRONIZED_FILE}") ))
+ # Check if last sync was more than 2048 seconds (= the default of systemd) ago
+ if [ "${FIND}" -ge 2048 ]; then
+ COLOR=RED
+ ReportWarning "${TEST_NO}" "systemd-timesyncd did not synchronized the time recently."
+ else
+ COLOR=GREEN
+ fi
+ Display --indent 2 --text "- Last time synchronization" --result "${FIND}s" --color "${COLOR}"
+ LogText "Result: systemd-timesyncd synchronized time ${FIND} seconds ago."
+ else
+ Display --indent 2 --text "- Last time synchronization" --result "${STATUS_NOT_FOUND}" --color RED
+ ReportWarning "${TEST_NO}" "systemd-timesyncd never successfully synchronized time"
+ fi
+ fi
+ unset SYNCHRONIZED_FILE
+
#
#################################################################################
#
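Review bot: TIME-3185's precondition only checks NTP_DAEMON, not that STATBINARY is set, yet `$(( $(date +%s) - $(${STATBINARY} -L --format %Y "${SYNCHRONIZED_FILE}") ))` becomes an arithmetic expression with an empty right operand when it is unset and aborts with a syntax error; add `-n "${STATBINARY}"` to the PREQS_MET condition, as the OpenNTPD test above does for NTPCTLBINARY. Two smaller points in the same hunk: the warning text "did not synchronized the time recently" should read "did not synchronize"; and `--category "security"` is quoted while the neighbouring Register calls use bare `security`. The TIME-3182 change itself is right: the old `[ -n "${FIND}" ] || [ "${FIND}" -eq 0 ]` warned whenever FIND was non-empty, i.e. exactly when peers were present, and `-z` inverts that correctly.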
diff --git a/lynis b/lynis
index d5dca003..09f6f727 100755
--- a/lynis
+++ b/lynis
@@ -43,10 +43,10 @@
PROGRAM_WEBSITE="https://cisofy.com/lynis/"
# Version details
- PROGRAM_RELEASE_DATE="2020-03-20"
- PROGRAM_RELEASE_TIMESTAMP=1584711965
+ PROGRAM_RELEASE_DATE="2020-06-26"
+ PROGRAM_RELEASE_TIMESTAMP=1593159916
PROGRAM_RELEASE_TYPE="pre-release" # pre-release or release
- PROGRAM_VERSION="3.0.0"
+ PROGRAM_VERSION="3.0.1"
# Source, documentation and license
PROGRAM_SOURCE="https://github.com/CISOfy/lynis"
@@ -216,7 +216,7 @@
# Extract the short notation of the language (first two characters).
if [ -x "$(command -v locale 2> /dev/null)" ]; then
- LANGUAGE=$(locale | egrep "^LANG=" | cut -d= -f2 | cut -d_ -f1 | egrep "^[a-z]{2}$")
+ LANGUAGE=$(locale | egrep "^LANG=" | cut -d= -f2 | cut -d_ -f1 | tr -d '"' | egrep "^[a-z]{2}$")
# Try locale command if shell variable had no value
if [ -z "${DISPLAY_LANG}" ]; then
DISPLAY_LANG=$(locale | egrep "^LANG=" | cut -d= -f2)
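Review bot: `tr -d '"'` is applied to LANGUAGE, but the DISPLAY_LANG fallback two lines below still takes the raw `cut -d= -f2` output, so on systems where `locale` prints `LANG="en_US.UTF-8"` DISPLAY_LANG keeps the quotes while LANGUAGE does not; apply the same `tr -d '"'` there so both values are parsed the same way.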
@@ -241,6 +241,11 @@
echo "Could not find languages directory (file: ${DBDIR}/languages/en)"
exit 1
fi
+
+ # Now that we have determined the language, we unset it from shell
+ # Some tools with translated strings are very hard to parse
+ unset LANG
+
#
#################################################################################
#
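Review bot: `unset LANG` alone does not guarantee untranslated tool output: LC_ALL and LC_MESSAGES take precedence over LANG, so an environment that sets either of them still produces localized strings for the commands parsed later. Exporting `LC_ALL=C` at this point (after DISPLAY_LANG has been captured, as the comment intends) achieves what the comment describes; the comment should also state that it must stay below the language detection above, since moving it earlier would break that detection.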
@@ -267,21 +272,21 @@
# Disable logging if no alternative was provided
if [ ${PRIVILEGED} -eq 0 ]; then
if [ -z "${LOGFILE}" ]; then
- # Try creating a log file in temporary directory
- if [ ! -f /tmp/lynis.log ]; then
- if [ -L /tmp/lynis.log ]; then echo "Log file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi
- touch /tmp/lynis.log
- if [ $? -eq 0 ]; then LOGFILE="/tmp/lynis.log"; else LOGFILE="/dev/null"; fi
+ # Try creating a log file in home directory
+ if [ ! -f "$HOME/lynis.log" ]; then
+ if [ -L "$HOME/lynis.log" ]; then echo "Log file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi
+ touch "$HOME/lynis.log"
+ if [ $? -eq 0 ]; then LOGFILE="$HOME/lynis.log"; else LOGFILE="/dev/null"; fi
else
- LOGFILE="/tmp/lynis.log"
+ LOGFILE="$HOME/lynis.log"
fi
else
if [ -L "${LOGFILE}" ]; then echo "Log file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi
fi
if [ -z "${REPORTFILE}" ]; then
- touch /tmp/lynis-report.dat
- if [ -L /tmp/lynis-report.dat ]; then echo "Report file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi
- if [ $? -eq 0 ]; then REPORTFILE="/tmp/lynis-report.dat"; else REPORTFILE="/dev/null"; fi
+ touch "$HOME/lynis-report.dat"
+ if [ -L "$HOME/lynis-report.dat" ]; then echo "Report file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi
+ if [ $? -eq 0 ]; then REPORTFILE="$HOME/lynis-report.dat"; else REPORTFILE="/dev/null"; fi
else
if [ -L "${REPORTFILE}" ]; then echo "Report file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi
fi
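Review bot: in the report-file branch the `$?` in `if [ $? -eq 0 ]; then REPORTFILE="$HOME/lynis-report.dat"; ...` no longer reflects `touch`: it follows the `if [ -L ... ]; then ...; fi` block, whose exit status is 0 when the condition is false, so the `/dev/null` fallback can never trigger and a failed `touch` leaves REPORTFILE pointing at an unwritable path. Mirror the log-file branch: test `-L` first, then `touch`, then check its status on the very next line. Two further points, both pre-existing but worth fixing while the paths are being changed: running `touch` before the `-L` check follows an existing symlink and creates or modifies its target before the check rejects it; and `$HOME` can be unset or empty (cron jobs, some sudo configurations), which turns the path into `/lynis.log`, so a `-z "$HOME"` guard with a fallback to `/dev/null` is warranted.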
@@ -448,6 +453,7 @@ ${YELLOW}Note: ${WHITE}Cancelling the program can leave temporary files behind${
${GRAY}--verbose${NORMAL} : Show more details on screen
${GRAY}--version (-V)${NORMAL} : Display version number and quit
${GRAY}--wait${NORMAL} : Wait between a set of tests
+ ${GRAY}--slow-warning ${BROWN}<seconds>${NORMAL} : Threshold for slow test warning in seconds (default 10)
${WHITE}Enterprise options${NORMAL}
${GRAY}--plugindir ${BROWN}<path>${NORMAL} : Define path of available plugins
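Review bot: `--slow-warning` is inserted after `--wait`, which breaks the alphabetical ordering of the options list; it belongs before `--verbose`. The "(default 10)" in the help text should also be checked against the place where the threshold is actually initialised, since a mismatch between help text and real default is easy to miss later.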
@@ -773,7 +779,7 @@ ${NORMAL}
if [ ${NOW} -gt ${RELEASE_PLUS_TIMEDIFF} ]; then
# Show if release is old, only if we didn't show it with normal update check
if [ ${UPDATE_AVAILABLE} -eq 0 ]; then
- ReportSuggestion "LYNIS" "This release is more than 4 months old. Consider upgrading"
+ ReportSuggestion "LYNIS" "This release is more than 4 months old. Check the website or GitHub to see if there is an update available."
fi
OLD_RELEASE=1
fi