diff options
-rw-r--r-- | CHANGELOG.md | 21 | ||||
-rw-r--r-- | README.md | 2 | ||||
-rw-r--r-- | db/software-eol.db | 2 | ||||
-rw-r--r-- | db/tests.db | 1 | ||||
-rw-r--r-- | include/binaries | 1 | ||||
-rw-r--r-- | include/consts | 1 | ||||
-rw-r--r-- | include/functions | 19 | ||||
-rw-r--r-- | include/osdetection | 2 | ||||
-rw-r--r-- | include/tests_authentication | 4 | ||||
-rw-r--r-- | include/tests_kernel | 120 | ||||
-rw-r--r-- | include/tests_malware | 18 | ||||
-rw-r--r-- | include/tests_ports_packages | 63 | ||||
-rw-r--r-- | include/tests_printers_spoolers | 23 | ||||
-rw-r--r-- | include/tests_ssh | 2 | ||||
-rw-r--r-- | include/tests_webservers | 2 | ||||
-rwxr-xr-x | lynis | 6 |
16 files changed, 209 insertions, 78 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index ac435bd5..87dcb228 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,16 +1,33 @@ # Lynis Changelog -## Lynis 3.0.7 (Not released yet) +## Lynis 3.0.8 (not released yet) + +### Added +- MALW-3274 - Detect McAfee VirusScan Command Line Scanner +- EOL for Alpine Linux 3.14 and 3.15 + +### Changed +- KRNL-5788 - Only run relevant tests and improved logging +- KRNL-5830 - Check for /var/run/needs_restarting (Slackware) +- KRNL-5830 - Add a presence check for /boot/vmlinuz + +--------------------------------------------------------------------------------- + +## Lynis 3.0.7 (2022-01-18) ### Added - MALW-3290 - Show status of malware components -- OS detection for RHEL 6 +- OS detection for RHEL 6 and Funtoo Linux +- Added service manager openrc ### Changed - DBS-1804 - Added alias for MariaDB - FINT-4316 - Support for newer Ubuntu versions - MALW-3280 - Added Trend Micro malware agent +- NETW-3200 - Allow unknown number of spaces in modprobe blacklists +- PKGS-7320 - Support for Garuda Linux and arch-audit - Several improvements for busybox shell +- Russian translation of Lynis extended --------------------------------------------------------------------------------- @@ -48,7 +48,7 @@ There are multiple options available to install Lynis. ### Software Package -For sytems running Linux, BSD, and macOS, there is typically a package available. This is the preferred method of obtaining Lynis, as it is quick to install and easy to update. The Lynis project itself also provides [packages](https://packages.cisofy.com/) in RPM or DEB format suitable for systems systems running: +For systems running Linux, BSD, and macOS, there is typically a package available. This is the preferred method of obtaining Lynis, as it is quick to install and easy to update. The Lynis project itself also provides [packages](https://packages.cisofy.com/) in RPM or DEB format suitable for systems systems running: `CentOS`, `Debian`, `Fedora`, `OEL`, `openSUSE`, `RHEL`, `Ubuntu`, and others. Some distributions may also have Lynis in their software repository: [![Repology](https://repology.org/badge/tiny-repos/lynis.svg)](https://repology.org/project/lynis/versions) diff --git a/db/software-eol.db b/db/software-eol.db index bebd4de8..f8242d35 100644 --- a/db/software-eol.db +++ b/db/software-eol.db @@ -16,6 +16,8 @@ # # Alpine - https://alpinelinux.org/releases/ # +os:Alpine 3.15:2023-11-01:1698793200 +os:Alpine 3.14:2023-05-01:1682899200 os:Alpine 3.13:2022-11-01:1667275200 os:Alpine 3.12:2022-05-01:1651377600 os:Alpine 3.11:2021-11-01:1635739200 diff --git a/db/tests.db b/db/tests.db index c9c4797f..522441f4 100644 --- a/db/tests.db +++ b/db/tests.db @@ -265,6 +265,7 @@ MAIL-8838:test:security:mail_messaging::Check dovecot process: MAIL-8860:test:security:mail_messaging::Check Qmail status: MAIL-8880:test:security:mail_messaging::Check Sendmail status: MAIL-8920:test:security:mail_messaging::Check OpenSMTPD status: +MALW-3274:test:security:malware::Check for McAfee VirusScan Command Line Scanner: MALW-3275:test:security:malware::Check for chkrootkit: MALW-3276:test:security:malware::Check for Rootkit Hunter: MALW-3278:test:security:malware::Check for LMD: diff --git a/include/binaries b/include/binaries index fb8147ce..7aabba42 100644 --- a/include/binaries +++ b/include/binaries @@ -134,6 +134,7 @@ aide) AIDEBINARY=${BINARY}; LogText " Found known binary: aide (file integrity checker) - ${BINARY}" ;; apache2) HTTPDBINARY=${BINARY}; LogText " Found known binary: apache2 (web server) - ${BINARY}" ;; apt) APTBINARY=${BINARY}; LogText " Found known binary: apt (package manager) - ${BINARY}" ;; + apk) APKBINARY=${BINARY}; LogText " Found known binary: apk (package manager) - ${BINARY}" ;; arch-audit) ARCH_AUDIT_BINARY="${BINARY}"; LogText " Found known binary: arch-audit (auditing utility to test for vulnerable packages) - ${BINARY}" ;; auditd) AUDITDBINARY=${BINARY}; LogText " Found known binary: auditd (audit framework) - ${BINARY}" ;; awk) AWKBINARY=${BINARY}; LogText " Found known binary: awk (string tool) - ${BINARY}" ;; diff --git a/include/consts b/include/consts index 1dc3f893..5d618429 100644 --- a/include/consts +++ b/include/consts @@ -43,6 +43,7 @@ ETC_PATHS="/etc /usr/local/etc" # == Variable initializing == # APTBINARY="" + APKBINARY="" ARCH_AUDIT_BINARY="" AUDITORNAME="" AUDITCTLBINARY="" diff --git a/include/functions b/include/functions index 6c4d76c7..5b211707 100644 --- a/include/functions +++ b/include/functions @@ -1306,6 +1306,11 @@ if [ $# -ne 2 ]; then Fatal "Incorrect usage of HasCorrectFilePermissions"; fi CHECKFILE="$1" CHECKPERMISSION_FULL="$2" + # Check for symlink + if [ -L ${CHECKFILE} ]; then + ShowSymlinkPath ${CHECKFILE} + if [ ! "${SYMLINK}" = "" ]; then CHECKFILE="${SYMLINK}"; fi + fi if [ ! -d ${CHECKFILE} -a ! -f ${CHECKFILE} ]; then return 2 else @@ -1320,9 +1325,8 @@ CHECK_PERMISSION=$(echo "${CHECK_PERMISSION}" | ${AWKBINARY} '{printf "%03d",$1}') # First try stat command - LogText "Test: checking if file ${CHECKFILE} has the permissions set to ${CHECK_PERMISSION} or more restrictive" + LogText "Test: checking if file ${CHECKFILE} has the permissions set to ${CHECK_PERMISSION} (${CHECKPERMISSION_FULL}) or more restrictive" if [ -n "${STATBINARY}" ]; then - case ${OS} in *BSD | "macOS") # BSD and macOS have no --format, only short notation @@ -1388,7 +1392,7 @@ fi done - LogText "Outcome: permissions of file ${CHECKFILE} are not matching expected value (${DATA} != ${CHECKPERMISSION_FULL})" + LogText "Outcome: permissions of file ${CHECKFILE} are not matching expected value (${DATA} != ${CHECK_PERMISSION})" # No match, return exit code 1 return 1 fi @@ -2002,7 +2006,11 @@ if [ $# -eq 0 ]; then ExitFatal "Missing parameter when calling IsWorldWritable function"; fi sFILE=$1 FileIsWorldWritable="" - + # Check for symlink + if [ -L ${sFILE} ]; then + ShowSymlinkPath ${sFILE} + if [ ! "${SYMLINK}" = "" ]; then sFILE="${SYMLINK}"; fi + fi # Only check if target is a file or directory if [ -f ${sFILE} -o -d ${sFILE} ]; then FINDVAL=$(ls -ld ${sFILE} | cut -c 9) @@ -2090,6 +2098,9 @@ elif [ -n "${XBPSBINARY}" ]; then output=$(${XBPSBINARY} ${package} 2> /dev/null | ${GREPBINARY} "^ii") exit_code=$? + elif [ -n "${APKBINARY}" ]; then + output=$(${APKBINARY} search ${package} 2> /dev/null | ${GREPBINARY} ${package}) + exit_code=$? else if [ "${package}" != "__dummy__" ]; then ReportException "PackageIsInstalled:01 (test=${TEST_NO:-unknown})" diff --git a/include/osdetection b/include/osdetection index c91c69ec..d9b8a41c 100644 --- a/include/osdetection +++ b/include/osdetection @@ -678,7 +678,7 @@ ReportException "OS Detection" "Unknown OS found in /etc/os-release - Please create issue on GitHub project page: ${PROGRAM_SOURCE}" ;; esac - elif [ "$(uname -o 2> /dev/null)" == "illumos" ]; then + elif [ "$(uname -o 2> /dev/null)" = "illumos" ]; then OPENSOLARIS=1 # Solaris has a free form text file with release information diff --git a/include/tests_authentication b/include/tests_authentication index 7d6546d6..46d1735b 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -25,7 +25,7 @@ LDAP_AUTH_ENABLED=0 LDAP_PAM_ENABLED=0 LDAP_CONF_LOCATIONS="${ROOTDIR}etc/ldap.conf ${ROOTDIR}etc/ldap/ldap.conf ${ROOTDIR}etc/openldap/ldap.conf ${ROOTDIR}usr/local/etc/ldap.conf ${ROOTDIR}usr/local/etc/openldap/ldap.conf" - PAM_FILE_LOCATIONS="${ROOTDIR}lib/arm-linux-gnueabihf/security ${ROOTDIR}lib/i386-linux-gnu/security ${ROOTDIR}lib/security ${ROOTDIR}lib/x86_64-linux-gnu/security ${ROOTDIR}lib64/security ${ROOTDIR}usr/lib /usr/lib/security" + PAM_FILE_LOCATIONS="${ROOTDIR}usr/lib/aarch64-linux-gnu/security ${ROOTDIR}lib/arm-linux-gnueabihf/security ${ROOTDIR}lib/i386-linux-gnu/security ${ROOTDIR}lib/security ${ROOTDIR}lib/x86_64-linux-gnu/security ${ROOTDIR}lib64/security ${ROOTDIR}usr/lib /usr/lib/security" SUDOERS_LOCATIONS="${ROOTDIR}etc/sudoers ${ROOTDIR}usr/local/etc/sudoers ${ROOTDIR}usr/pkg/etc/sudoers" SUDOERS_FILE="" # @@ -916,7 +916,7 @@ LogText "Result: found one or more accounts without password" for I in ${FIND2}; do LogText "Account without password: ${I}" - Report "account_without_password=${I}" + Report "account_without_password[]=${I}" done Display --indent 2 --text "- Accounts without password" --result "${STATUS_WARNING}" --color RED ReportWarning "${TEST_NO}" "Found accounts without password" diff --git a/include/tests_kernel b/include/tests_kernel index 610fd325..c1977985 100644 --- a/include/tests_kernel +++ b/include/tests_kernel @@ -368,14 +368,14 @@ # # Test : KRNL-5788 # Description : Checking availability new kernel - if [ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION}" = "Ubuntu" ] || - [ "${LINUX_VERSION_LIKE}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" = "Ubuntu" ]; then + if [ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION}" = "Ubuntu" ] || [ "${LINUX_VERSION_LIKE}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" = "Ubuntu" ]; then PREQS_MET="YES" else PREQS_MET="NO" fi Register --test-no KRNL-5788 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking availability new Linux kernel" if [ ${SKIPTEST} -eq 0 ]; then + FINDKERNEL="" HAS_VMLINUZ=0 LogText "Test: Searching apt-cache, to determine if a newer kernel is available" if [ -x ${ROOTDIR}usr/bin/apt-cache ]; then @@ -384,62 +384,69 @@ if [ -f ${ROOTDIR}vmlinuz -o -f ${ROOTDIR}boot/vmlinuz ]; then HAS_VMLINUZ=1 if [ -f ${ROOTDIR}vmlinuz ]; then - FINDVMLINUZ=${ROOTDIR}vmlinuz + FINDVMLINUZ="${ROOTDIR}vmlinuz" else - FINDVMLINUZ=${ROOTDIR}boot/vmlinuz + FINDVMLINUZ="${ROOTDIR}boot/vmlinuz" fi LogText "Result: found ${FINDVMLINUZ}" LogText "Test: checking readlink location of ${FINDVMLINUZ}" FINDKERNFILE=$(readlink -f ${FINDVMLINUZ}) LogText "Output: readlink reported file ${FINDKERNFILE}" - LogText "Test: checking package from dpkg -S" + LogText "Test: checking relevant package using output from dpkg -S" FINDKERNEL=$(dpkg -S ${FINDKERNFILE} 2> /dev/null | ${AWKBINARY} -F : '{print $1}') LogText "Output: dpkg -S reported package ${FINDKERNEL}" elif [ -e ${ROOTDIR}dev/grsec ]; then - FINDKERNEL=linux-image-$(uname -r) + FINDKERNEL="linux-image-$(uname -r)" LogText "Result: ${ROOTDIR}vmlinuz missing due to grsecurity; assuming ${FINDKERNEL}" elif [ -e ${ROOTDIR}etc/rpi-issue ]; then - FINDKERNEL=raspberrypi-kernel + FINDKERNEL="raspberrypi-kernel" LogText "Result: ${ROOTDIR}vmlinuz missing due to Raspbian" - elif `${EGREPBINARY} -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf`; then - FINDKERNEL=linux-image-$(uname -r) + elif $(${EGREPBINARY} -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf); then + FINDKERNEL="linux-image-$(uname -r)" LogText "Result: ${ROOTDIR}vmlinuz missing due to /etc/kernel-img.conf item do_symlinks = No" else - LogText "This system is missing ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz. Unable to check whether kernel is up-to-date." + LogText "This system is missing ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz. Unable to check whether kernel is up-to-date." ReportSuggestion "${TEST_NO}" "Determine why ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz is missing on this Debian/Ubuntu system." "/vmlinuz or /boot/vmlinuz" fi - LogText "Test: Using apt-cache policy to determine if there is an update available" - FINDINST=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ') - FINDCAND=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Candidate' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ') - LogText "Kernel installed: ${FINDINST}" - LogText "Kernel candidate: ${FINDCAND}" - if IsEmpty "${FINDINST}"; then - Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_UNKNOWN}" --color YELLOW - LogText "Result: Exception occurred, no output from apt-cache policy" - if [ ${HAS_VMLINUZ} -eq 1 ]; then - ReportException "${TEST_NO}:01" - ReportSuggestion "${TEST_NO}" "Check the output of apt-cache policy to determine why its output is empty" - fi - LogText "Result: apt-cache policy did not return an installed kernel version" + + if IsEmpty "${FINDKERNEL}"; then + LogText "Result: could not check kernel update status as kernel is unknown" else - if [ "${FINDINST}" = "${FINDCAND}" ]; then - if [ -e /dev/grsec ]; then - Display --indent 2 --text "- Checking for available kernel update" --result GRSEC --color GREEN - LogText "Result: Grsecurity is installed; unable to determine if there's a newer kernel available" - ReportManual "Manually check to confirm you're using a recent kernel and grsecurity patch" - else - Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_OK}" --color GREEN - LogText "Result: no kernel update available" + LogText "Result: found kernel '${FINDKERNEL}' which will be used for further testing" + LogText "Test: Using apt-cache policy to determine if there is an update available" + FINDINSTALLED=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ') + FINDCANDIDATE=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Candidate' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ') + LogText "Kernel installed: ${FINDINSTALLED}" + LogText "Kernel candidate: ${FINDCANDIDATE}" + if IsEmpty "${FINDINSTALLED}"; then + Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_UNKNOWN}" --color YELLOW + LogText "Result: Exception occurred, no output from apt-cache policy" + if [ ${HAS_VMLINUZ} -eq 1 ]; then + ReportException "${TEST_NO}:01" "Found vmlinuz (${FINDVMLINUZ}) but could not determine the installed kernel using apt-cache policy" + ReportSuggestion "${TEST_NO}" "Check the output of apt-cache policy to determine why its output is empty" fi + LogText "Result: apt-cache policy did not return an installed kernel version" else - Display --indent 2 --text "- Checking for available kernel update" --result "UPDATE AVAILABLE" --color YELLOW - LogText "Result: kernel update available according 'apt-cache policy'." - ReportSuggestion "${TEST_NO}" "Determine priority for available kernel update" + if [ "${FINDINSTALLED}" = "${FINDCANDIDATE}" ]; then + if [ -e /dev/grsec ]; then + Display --indent 2 --text "- Checking for available kernel update" --result GRSEC --color GREEN + LogText "Result: Grsecurity is installed; unable to determine if there's a newer kernel available" + ReportManual "Manually check to confirm you're using a recent kernel and grsecurity patch" + else + Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_OK}" --color GREEN + LogText "Result: no kernel update available" + fi + else + Display --indent 2 --text "- Checking for available kernel update" --result "UPDATE AVAILABLE" --color YELLOW + LogText "Result: kernel update available according 'apt-cache policy'." + ReportSuggestion "${TEST_NO}" "Determine priority for available kernel update" + fi fi fi else - LogText "Result: could NOT find /usr/bin/apt-cache, skipped other tests." + LogText "Result: could NOT find ${ROOTDIR}usr/bin/apt-cache, skipped other tests." fi + unset FINDCANDIDATE FINDINSTALLED FINDKERNEL HAS_VMLINUZ fi # ################################################################################# @@ -615,25 +622,29 @@ Register --test-no KRNL-5830 --os Linux --weight L --network NO --category security --description "Checking if system is running on the latest installed kernel" if [ ${SKIPTEST} -eq 0 ]; then REBOOT_NEEDED=2 - FILE="${ROOTDIR}var/run/reboot-required.pkgs" - LogText "Test: Checking presence ${FILE}" - if [ -f ${FILE} ]; then - LogText "Result: file ${FILE} exists" - FIND=$(${WCBINARY} -l < ${FILE}) - if [ "${FIND}" = "0" ]; then - LogText "Result: No reboot needed (file empty)" - REBOOT_NEEDED=0 + for FILE in "${ROOTDIR}var/run/reboot-required.pkgs" "${ROOTDIR}var/run/needs_restarting" + do + LogText "Test: Checking presence ${FILE}" + if [ -f ${FILE} ]; then + LogText "Result: file ${FILE} exists" + FIND=$(${WCBINARY} -l < ${FILE}) + if [ "${FIND}" = "0" ]; then + LogText "Result: No reboot needed (file empty)" + REBOOT_NEEDED=0 + break + else + PKGSCOUNT=$(${WCBINARY} -l < ${FILE}) + LogText "Result: reboot is needed, related to ${PKGSCOUNT} packages" + for I in ${FIND}; do + LogText "Package: ${I}" + done + REBOOT_NEEDED=1 + break + fi else - PKGSCOUNT=$(${WCBINARY} -l < ${FILE}) - LogText "Result: reboot is needed, related to ${PKGSCOUNT} packages" - for I in ${FIND}; do - LogText "Package: ${I}" - done - REBOOT_NEEDED=1 + LogText "Result: file ${FILE} not found" fi - else - LogText "Result: file ${FILE} not found" - fi + done # Check if /boot exists if [ -d "${ROOTDIR}boot" ]; then @@ -663,7 +674,10 @@ ReportException "${TEST_NO}:1" "Can't determine kernel version on disk, need debug data" fi elif [ -f ${ROOTDIR}boot/vmlinuz-linux ] || [ -f ${ROOTDIR}boot/vmlinuz-linux-lts ] || [ -f "$(${LSBINARY} -t ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${HEADBINARY} -1)" ]; then - if [ -f ${ROOTDIR}boot/vmlinuz-linux ]; then + if [ -f ${ROOTDIR}boot/vmlinuz ]; then + LogText "Result: found ${ROOTDIR}boot/vmlinuz" + FOUND_VMLINUZ=${ROOTDIR}boot/vmlinuz + elif [ -f ${ROOTDIR}boot/vmlinuz-linux ]; then LogText "Result: found ${ROOTDIR}boot/vmlinuz-linux" FOUND_VMLINUZ=${ROOTDIR}boot/vmlinuz-linux elif [ -f ${ROOTDIR}boot/vmlinuz-linux-lts ]; then diff --git a/include/tests_malware b/include/tests_malware index cb13ca96..40336fa5 100644 --- a/include/tests_malware +++ b/include/tests_malware @@ -46,6 +46,24 @@ # ################################################################################# # + # Test : MALW-3274 + # Description : Check for installed tool (McAfee VirusScan for Command Line) + Register --test-no MALW-3274 --weight L --network NO --category security --description "Check for McAfee VirusScan Command Line" + if [ ${SKIPTEST} -eq 0 ]; then + LogText "Test: checking presence McAfee VirusScan for Command Line" + if [ -x /usr/local/uvscan/uvscan ]; then + Display --indent 2 --text "- ${GEN_CHECKING} McAfee VirusScan for Command Line" --result "${STATUS_FOUND}" --color GREEN + LogText "Result: Found ${MCAFEECLBINARY}" + MALWARE_SCANNER_INSTALLED=1 + AddHP 2 2 + Report "malware_scanner[]=mcafeecl" + else + LogText "Result: McAfee VirusScan for Command Line not found" + fi + fi +# +################################################################################# +# # Test : MALW-3275 # Description : Check for installed tool (chkrootkit) Register --test-no MALW-3275 --weight L --network NO --category security --description "Check for chkrootkit" diff --git a/include/tests_ports_packages b/include/tests_ports_packages index e757bd0a..54d849e2 100644 --- a/include/tests_ports_packages +++ b/include/tests_ports_packages @@ -468,6 +468,34 @@ ################################################################################# # # Test : PKGS-7346 + # Description : Check Alpine Package Keeper (apk) + if [ -x ${ROOTDIR}/sbin/apk ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi + Register --test-no PKGS-7346 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Querying apk" + if [ ${SKIPTEST} -eq 0 ]; then + COUNT=0 + Display --indent 4 --text "- Searching apk package manager" --result "${STATUS_FOUND}" --color GREEN + LogText "Result: Found apk binary" + Report "package_manager[]=apk" + PACKAGE_MGR_PKG=1 + LogText "Test: Querying apk info -v to get package list" + Display --indent 6 --text "- Querying package manager" + LogText "Output:" + SPACKAGES=$(apk info -v | ${SEDBINARY} -r -e 's/([a-z,A-Z,0-9,_,-,.]{1,250})-([a-z,A-Z,0-9,.]+-r[a-z,A-Z,0-9]+)/\1,\2/' | sort) + for J in ${SPACKAGES}; do + COUNT=$((COUNT + 1)) + PACKAGE_NAME=$(echo ${J} | ${CUTBINARY} -d ',' -f1) + PACKAGE_VERSION=$(echo ${J} | ${CUTBINARY} -d ',' -f2) + LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})" + INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}" + done + Report "installed_packages=${COUNT}" + else + LogText "Result: apk "${STATUS_NOT_FOUND}", test skipped" + fi +# +################################################################################# +# + # Test : PKGS-7346 # Description : Check packages which are removed, but still own configuration files, cron jobs etc # Notes : Cleanup: for pkg in $(dpkg -l | ${GREPBINARY} "^rc" | ${CUTBINARY} -d' ' -f3); do aptitude purge ${pkg}; done if [ -x ${ROOTDIR}usr/bin/dpkg ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi @@ -1236,6 +1264,41 @@ # ################################################################################# # + # Test : PKGS-7395 + # Description : Check Alpine upgradeable packages + if [ "${LINUX_VERSION}" = "Alpine Linux" ] && [ -x "${ROOTDIR}sbin/apk" ]; then + PREQS_MET="YES" + else + PREQS_MET="NO" + fi + + Register --test-no PKGS-7395 --os Linux --preqs-met ${PREQS_MET} --weight L --network YES --category security --description "Check for Alpine updates" + if [ ${SKIPTEST} -eq 0 ]; then + if [ ${REFRESH_REPOSITORIES} -eq 1 ]; then + LogText "Action: updating package repository with apk" + ${ROOTDIR}sbin/apk update + LogText "Result: apk finished" + else + LogText "Result: using a possibly outdated repository, as updating is disabled via configuration" + fi + LogText "Test: Checking packages which can be upgraded via apk version -l '<'" + FIND=$(${ROOTDIR}sbin/apk version -l '<' | ${GREPBINARY} '<' | ${SEDBINARY} 's/\s\+<\s/</g') + if [ -z "${FIND}" ]; then + LogText "Result: no packages found which can be upgraded" + Display --indent 2 --text "- Checking upgradeable packages" --result "${STATUS_NONE}" --color GREEN + AddHP 3 3 + else + LogText "Result: found one or more packages which can be upgraded" + Display --indent 2 --text "- Checking upgradeable packages" --result "${STATUS_FOUND}" --color YELLOW + for ITEM in ${FIND}; do + ITEM=$(echo ${ITEM} | ${SEDBINARY} -r -e 's/([a-z,A-Z,0-9,_,-,.]{1,250})-([a-z,A-Z,0-9,.]+-r[a-z,A-Z,0-9]+)<([a-z,A-Z,0-9,-,.]+)/\1 from \2 to \3/') + LogText "${ITEM}" + done + fi + fi +# +################################################################################# +# # Test : PKGS-7398 # Description : Check package audit tool Register --test-no PKGS-7398 --weight L --network YES --category security --description "Check for package audit tool" diff --git a/include/tests_printers_spoolers b/include/tests_printers_spoolers index 18b88c0c..851b0edd 100644 --- a/include/tests_printers_spoolers +++ b/include/tests_printers_spoolers @@ -139,8 +139,18 @@ Register --test-no PRNT-2308 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check CUPSd network configuration" if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 - # Checking network addresses + PORT_FOUND=0 + LogText "Test: Checking CUPS daemon listening network addresses" + + # Search for Port statement + FIND=$(${EGREPBINARY} "^Port 631" ${CUPSD_CONFIG_FILE}) + if [ -n "${FIND}" ]; then + LogText "Result: found CUPS listening on port 631 (most likely all interfaces)" + PORT_FOUND=1 + fi + + # Checking network addresses FIND=$(${EGREPBINARY} "^(SSL)?Listen" ${CUPSD_CONFIG_FILE} | ${GREPBINARY} -v "/" | ${AWKBINARY} '{ print $2 }') COUNT=0 for ITEM in ${FIND}; do @@ -149,17 +159,10 @@ FOUND=1 done - # Search for Port statement - FIND=$(${EGREPBINARY} "^Port 631" ${CUPSD_CONFIG_FILE}) - if [ -n "${FIND}" ]; then - LogText "Result: found CUPS listening on port 631 (most likely all interfaces)" - FOUND=1 - fi - # Check if daemon might be running on localhost - if [ ${FOUND} -eq 0 ]; then + if [ ${FOUND} -eq 0 -a ${PORT_FOUND} -eq 0 ]; then LogText "Result: CUPS does not look to be listening on a network port" - elif [ ${COUNT} -eq 1 ]; then + elif [ ${COUNT} -eq 1 -a ${PORT_FOUND} -eq 0 ]; then if [ "${FIND}" = "localhost:631" -o "${FIND}" = "127.0.0.1:631" ]; then LogText "Result: CUPS daemon only running on localhost" AddHP 2 2 diff --git a/include/tests_ssh b/include/tests_ssh index 7f31c348..de3209ee 100644 --- a/include/tests_ssh +++ b/include/tests_ssh @@ -74,7 +74,7 @@ LogText "Result: ${I}/sshd_config exists" if [ ${FOUND} -eq 1 ]; then ReportException "${TEST_NO}:01" - LogText "Result: we already had found another sshd_config file. Using this new file then." + LogText "Result: we already found another sshd_config file. Using this new file instead of the previous one." fi FileIsReadable ${I}/sshd_config if [ ${CANREAD} -eq 1 ]; then diff --git a/include/tests_webservers b/include/tests_webservers index 6e0a3b3d..e0ca5737 100644 --- a/include/tests_webservers +++ b/include/tests_webservers @@ -288,7 +288,7 @@ Register --test-no HTTP-6643 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Determining existence of specific Apache modules" if [ ${SKIPTEST} -eq 0 ]; then # Check modules, module - if CheckItem "apache_module" "/mod_security2.so"; then + if CheckItem "apache_module" "/mod_security(2|3).so" ; then Display --indent 10 --text "ModSecurity: web application firewall" --result "${STATUS_FOUND}" --color GREEN AddHP 3 3 else @@ -43,10 +43,10 @@ PROGRAM_WEBSITE="https://cisofy.com/lynis/" # Version details - PROGRAM_RELEASE_DATE="2021-07-27" - PROGRAM_RELEASE_TIMESTAMP=1627375518 + PROGRAM_RELEASE_DATE="2022-01-31" + PROGRAM_RELEASE_TIMESTAMP=1643632222 PROGRAM_RELEASE_TYPE="pre-release" # pre-release or release - PROGRAM_VERSION="3.0.7" + PROGRAM_VERSION="3.0.8" # Source, documentation and license PROGRAM_SOURCE="https://github.com/CISOfy/lynis" |