diff options
| -rw-r--r-- | CHANGELOG.md | 14 | ||||
| -rw-r--r-- | db/languages/da | 41 | ||||
| -rw-r--r-- | db/software-eol.db | 22 | ||||
| -rw-r--r-- | include/helper_show | 2 | ||||
| -rw-r--r-- | include/report | 114 | ||||
| -rw-r--r-- | include/tests_authentication | 11 | ||||
| -rw-r--r-- | include/tests_boot_services | 6 | ||||
| -rw-r--r-- | include/tests_filesystems | 6 | ||||
| -rw-r--r-- | include/tests_firewalls | 5 | ||||
| -rw-r--r-- | include/tests_networking | 41 | ||||
| -rw-r--r-- | include/tests_ports_packages | 7 | ||||
| -rwxr-xr-x | lynis | 8 |
12 files changed, 185 insertions, 92 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index e9bfd2ac..a6604115 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,19 @@ # Lynis Changelog +## Lynis 2.7.5 (not released yet) + +### Added +- Danish translation + +### Changed +- Corrected end-of-life entries for CentOS 5 and 6 +- AUTH-9268 - AIX enhancement to use correct find statement +- FILE-6310 - Filter on correct field for AIX +- Extended help + +--------------------------------------------------------------------------------- + + ## Lynis 2.7.4 (2019-04-21) This is a bigger release than usual, including several new tests created by diff --git a/db/languages/da b/db/languages/da new file mode 100644 index 00000000..d26c1220 --- /dev/null +++ b/db/languages/da @@ -0,0 +1,41 @@ +ERROR_NO_LICENSE="Ingen licensnøgle konfigureret" +ERROR_NO_UPLOAD_SERVER="Ingen upload server konfigureret" +GEN_CHECKING="Tjekker" +GEN_CURRENT_VERSION="Nuværende version" +GEN_DEBUG_MODE="Fejlfindingstilstand" +GEN_INITIALIZE_PROGRAM="Initialiserer program" +GEN_LATEST_VERSION="Seneste version" +GEN_PHASE="Fase" +GEN_PLUGINS_ENABLED="Plugins aktiverede" +GEN_UPDATE_AVAILABLE="opdatering tilgængelig" +GEN_VERBOSE_MODE="Detaljeret tilstand" +GEN_WHAT_TO_DO="At gøre" +NOTE_EXCEPTIONS_FOUND="Undtagelser fundet" +NOTE_EXCEPTIONS_FOUND_DETAILED="Nogle usædvanlige hændelser eller information var fundet" +NOTE_PLUGINS_TAKE_TIME="Bemærk: plugins har mere omfattende tests og kan tage flere minutter at fuldføre" +NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Sprang over tests på grund af ikke-privilegeret tilstand" +SECTION_CUSTOM_TESTS="Brugerdefinerede Tests" +SECTION_MALWARE="Malware" +SECTION_MEMORY_AND_PROCESSES="Hukommelse og Processer" +STATUS_DISABLED="DEAKTIVERET" +STATUS_DONE="FÆRDIG" +STATUS_ENABLED="AKTIVERET" +STATUS_NOT_ENABLED="IKKE AKTIVERET" +STATUS_ERROR="FEJL" +STATUS_FOUND="FUNDET" +STATUS_YES="JA" +STATUS_NO="NEJ" +STATUS_OFF="FRA" +STATUS_OK="OK" +STATUS_ON="TIL" +STATUS_NONE="INGEN" +STATUS_NOT_FOUND="IKKE FUNDET" +STATUS_NOT_RUNNING="KØRER IKKE" +STATUS_RUNNING="KØRER" +STATUS_SKIPPED="SPRUNGET OVER" +STATUS_SUGGESTION="FORSLAG" +STATUS_UNKNOWN="UKENDT" +STATUS_WARNING="ADVARSEL" +STATUS_WEAK="SVAG" +TEXT_YOU_CAN_HELP_LOGFILE="Du kan hjælpe ved at bidrage med din logfil" +TEXT_UPDATE_AVAILABLE="opdatering tilgængelig" diff --git a/db/software-eol.db b/db/software-eol.db index df2ae36a..084a5815 100644 --- a/db/software-eol.db +++ b/db/software-eol.db @@ -11,8 +11,8 @@ # # CentOS # -os:CentOS Linux release 5:2017-03-31:1490911200: -os:CentOS Linux release 6:2020-11-30:1606690800: +os:CentOS release 5:2017-03-31:1490911200: +os:CentOS release 6:2020-11-30:1606690800: os:CentOS Linux release 7:2024-06-30:1719698400: # # FreeBSD - https://www.freebsd.org/security/unsupported.html @@ -43,4 +43,20 @@ os:Ubuntu 17.04:2018-01-01:1514761200: os:Ubuntu 17.10:2018-07-01:1530396000: os:Ubuntu 18.04:2023-05-01:1682892000: os:Ubuntu 18.10:2019-07-01:1561932000: -os:Ubuntu 19.04:2020-01-01:1577833200:
\ No newline at end of file +os:Ubuntu 19.04:2020-01-01:1577833200: +# +# Slackware - https://en.wikipedia.org/wiki/Slackware#Releases +# +os:Slackware Linux 8.1:2012-08-01:1343768400: +os:Slackware Linux 9.0:2012-08-01:1343768400: +os:Slackware Linux 9.1:2012-08-01:1343768400: +os:Slackware Linux 10.0:2012-08-01:1343768400: +os:Slackware Linux 10.1:2012-08-01:1343768400: +os:Slackware Linux 10.2:2012-08-01:1343768400: +os:Slackware Linux 11.0:2012-08-01:1343768400: +os:Slackware Linux 12.0:2012-08-01:1343768400: +os:Slackware Linux 12.1:2013-12-09:1386540000: +os:Slackware Linux 12.2:2013-12-09:1386540000: +os:Slackware Linux 13.0:2018-07-05:1530738000: +os:Slackware Linux 13.1:2018-07-05:1530738000: +os:Slackware Linux 13.37:2018-07-05:1530738000: diff --git a/include/helper_show b/include/helper_show index a696b0e7..874b3e1b 100644 --- a/include/helper_show +++ b/include/helper_show @@ -28,7 +28,7 @@ # ###################################################################### -COMMANDS="audit configure show update upload-only" +COMMANDS="audit configure generate show update upload-only" HELPERS="audit configure show update" OPTIONS="--auditor\n--cronjob (--cron)\n--debug\n--developer\n--help (-h)\n--license-key\n--log-file\n--manpage (--man)\n--no-colors\n--no-log\n--pentest\n--profile\n--plugin-dir\n--quick (-Q)\n--quiet (-q)\n--report-file\n--reverse-colors\n--skip-plugins\n--tests\n--tests-from-category\n--tests-from-group\n--upload\n--verbose\n--version (-V)\n--wait\n--warnings-only" diff --git a/include/report b/include/report index b200f6be..2df666e4 100644 --- a/include/report +++ b/include/report @@ -22,55 +22,79 @@ # ################################################################################# # + + # Add data fields to report file + Report "dhcp_client_running=${DHCP_CLIENT_RUNNING}" + Report "arpwatch_running=${ARPWATCH_RUNNING}" + + # Report firewall installed for now, if we found one active. Next step would be determining binaries first and apply additional checks. + Report "firewall_active=${FIREWALL_ACTIVE}" + Report "firewall_empty_ruleset=${FIREWALL_EMPTY_RULESET}" + Report "firewall_installed=${FIREWALL_ACTIVE}" + + if [ ! -z "${INSTALLED_PACKAGES}" ]; then Report "installed_packages_array=${INSTALLED_PACKAGES}"; fi + + Report "package_audit_tool=${PACKAGE_AUDIT_TOOL}" + Report "package_audit_tool_found=${PACKAGE_AUDIT_TOOL_FOUND}" + Report "vulnerable_packages_found=${VULNERABLE_PACKAGES_FOUND}" + + # Hardening Index - # Define approximately how strong a machine has been hardened - # If no hardening has been found, set value to 1 - if [ ${HPPOINTS} -eq 0 ]; then HPPOINTS=1; HPTOTAL=100; fi - HPINDEX=$((HPPOINTS * 100 / HPTOTAL)) - HPAOBLOCKS=$((HPPOINTS * 20 / HPTOTAL)) - # Set color related to rating - if [ ${HPINDEX} -lt 50 ]; then - HPCOLOR="${RED}" - HIDESCRIPTION="System has not or a low amount been hardened" - elif [ ${HPINDEX} -gt 49 -a ${HPINDEX} -lt 80 ]; then - HPCOLOR="${YELLOW}" - HIDESCRIPTION="System has been hardened, but could use additional hardening" - elif [ ${HPINDEX} -gt 79 -a ${HPINDEX} -lt 90 ]; then - HPCOLOR="${GREEN}" - HIDESCRIPTION="System seem to be decent hardened" - elif [ ${HPINDEX} -gt 89 ]; then - HPCOLOR="${GREEN}" - HIDESCRIPTION="System seem to be well hardened" - fi + # Goal: + # Provide a visual way to show how much the system is hardened + # + # Important: + # The index gives a simplified version of the measures taken on the system. + # It should be used to get a first impression about the state of the system or to compare similar systems. + # Getting the maximum score (100 or full bar) does not indicate that the system is fully secured. + + # If no hardening has been found, set value to 1 + if [ ${HPPOINTS} -eq 0 ]; then HPPOINTS=1; HPTOTAL=100; fi + HPINDEX=$((HPPOINTS * 100 / HPTOTAL)) + HPAOBLOCKS=$((HPPOINTS * 20 / HPTOTAL)) + # Set color related to rating + if [ ${HPINDEX} -lt 50 ]; then + HPCOLOR="${RED}" + HIDESCRIPTION="System has not or a low amount been hardened" + elif [ ${HPINDEX} -gt 49 -a ${HPINDEX} -lt 80 ]; then + HPCOLOR="${YELLOW}" + HIDESCRIPTION="System has been hardened, but could use additional hardening" + elif [ ${HPINDEX} -gt 79 -a ${HPINDEX} -lt 90 ]; then + HPCOLOR="${GREEN}" + HIDESCRIPTION="System seem to be decent hardened" + elif [ ${HPINDEX} -gt 89 ]; then + HPCOLOR="${GREEN}" + HIDESCRIPTION="System seem to be well hardened" + fi - case ${HPAOBLOCKS} in - 0) HPBLOCKS="#"; HPEMPTY=" " ;; - 1) HPBLOCKS="#"; HPEMPTY=" " ;; - 2) HPBLOCKS="##"; HPEMPTY=" " ;; - 3) HPBLOCKS="###"; HPEMPTY=" " ;; - 4) HPBLOCKS="####"; HPEMPTY=" " ;; - 5) HPBLOCKS="#####"; HPEMPTY=" " ;; - 6) HPBLOCKS="######"; HPEMPTY=" " ;; - 7) HPBLOCKS="#######"; HPEMPTY=" " ;; - 8) HPBLOCKS="########"; HPEMPTY=" " ;; - 9) HPBLOCKS="#########"; HPEMPTY=" " ;; - 10) HPBLOCKS="##########"; HPEMPTY=" " ;; - 11) HPBLOCKS="###########"; HPEMPTY=" " ;; - 12) HPBLOCKS="############"; HPEMPTY=" " ;; - 13) HPBLOCKS="#############"; HPEMPTY=" " ;; - 14) HPBLOCKS="##############"; HPEMPTY=" " ;; - 15) HPBLOCKS="###############"; HPEMPTY=" " ;; - 16) HPBLOCKS="################"; HPEMPTY=" " ;; - 17) HPBLOCKS="#################"; HPEMPTY=" " ;; - 18) HPBLOCKS="##################"; HPEMPTY=" " ;; - 19) HPBLOCKS="###################"; HPEMPTY=" " ;; - 20) HPBLOCKS="####################"; HPEMPTY="" ;; - esac + case ${HPAOBLOCKS} in + 0) HPBLOCKS="#"; HPEMPTY=" " ;; + 1) HPBLOCKS="#"; HPEMPTY=" " ;; + 2) HPBLOCKS="##"; HPEMPTY=" " ;; + 3) HPBLOCKS="###"; HPEMPTY=" " ;; + 4) HPBLOCKS="####"; HPEMPTY=" " ;; + 5) HPBLOCKS="#####"; HPEMPTY=" " ;; + 6) HPBLOCKS="######"; HPEMPTY=" " ;; + 7) HPBLOCKS="#######"; HPEMPTY=" " ;; + 8) HPBLOCKS="########"; HPEMPTY=" " ;; + 9) HPBLOCKS="#########"; HPEMPTY=" " ;; + 10) HPBLOCKS="##########"; HPEMPTY=" " ;; + 11) HPBLOCKS="###########"; HPEMPTY=" " ;; + 12) HPBLOCKS="############"; HPEMPTY=" " ;; + 13) HPBLOCKS="#############"; HPEMPTY=" " ;; + 14) HPBLOCKS="##############"; HPEMPTY=" " ;; + 15) HPBLOCKS="###############"; HPEMPTY=" " ;; + 16) HPBLOCKS="################"; HPEMPTY=" " ;; + 17) HPBLOCKS="#################"; HPEMPTY=" " ;; + 18) HPBLOCKS="##################"; HPEMPTY=" " ;; + 19) HPBLOCKS="###################"; HPEMPTY=" " ;; + 20) HPBLOCKS="####################"; HPEMPTY="" ;; + esac - HPGRAPH="[${HPCOLOR}${HPBLOCKS}${NORMAL}${HPEMPTY}]" - LogText "Hardening index : [${HPINDEX}] [${HPBLOCKS}${HPEMPTY}]" - LogText "Hardening strength: ${HIDESCRIPTION}" + HPGRAPH="[${HPCOLOR}${HPBLOCKS}${NORMAL}${HPEMPTY}]" + LogText "Hardening index : [${HPINDEX}] [${HPBLOCKS}${HPEMPTY}]" + LogText "Hardening strength: ${HIDESCRIPTION}" # Only show overview if not running in quiet mode diff --git a/include/tests_authentication b/include/tests_authentication index 2ede2b7d..6c867da6 100644 --- a/include/tests_authentication +++ b/include/tests_authentication @@ -40,7 +40,12 @@ if [ ${SKIPTEST} -eq 0 ]; then # Search accounts with UID 0 LogText "Test: Searching accounts with UID 0" - FIND=$(${GREPBINARY} ':0:' ${ROOTDIR}etc/passwd | ${EGREPBINARY} -v '^#|^root:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0') + # Check if device is a QNAP, as the root user is called admin, and not root + if [ ${QNAP_DEVICE} -eq 1 ]; then + FIND=$(${GREPBINARY} ':0:' ${ROOTDIR}etc/passwd | ${EGREPBINARY} -v '^#|^admin:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0') + else + FIND=$(${GREPBINARY} ':0:' ${ROOTDIR}etc/passwd | ${EGREPBINARY} -v '^#|^root:|^(\+:\*)?:0:0:::' | ${CUTBINARY} -d ":" -f1,3 | ${GREPBINARY} ':0') + fi if [ ! -z "${FIND}" ]; then Display --indent 2 --text "- Administrator accounts" --result "${STATUS_WARNING}" --color RED LogText "Result: Found more than one administrator accounts" @@ -669,8 +674,8 @@ if [ -d ${DIR} -a ! -L ${DIR} ]; then LogText "Result: directory ${DIR} exists" # Search in the specified directory - if [ "${OS}" = "Solaris" ]; then - # Solaris does not support -maxdepth + if [ "${OS}" = "AIX" -o "${OS}" = "Solaris" ]; then + # AIX/Solaris does not support -maxdepth FIND=$(find ${DIR} -type f -name "pam_*.so" -print | sort) else FIND=$(find ${DIR} -maxdepth 1 -type f -name "pam_*.so" -print | sort) diff --git a/include/tests_boot_services b/include/tests_boot_services index 5495938c..42b8dab1 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services @@ -96,7 +96,11 @@ ;; "init" | "initsplash") - SERVICE_MANAGER="SysV Init" + if [ -d ${ROOTDIR}etc/rc.d ]; then + SERVICE_MANAGER="bsdrc.d" + else + SERVICE_MANAGER="SysV Init" + fi ;; systemd) SERVICE_MANAGER="systemd" diff --git a/include/tests_filesystems b/include/tests_filesystems index 7dc61933..4e52ea5e 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems @@ -48,7 +48,11 @@ Display --indent 4 --text "- Checking ${I} mount point" --result SYMLINK --color WHITE elif [ -d ${I} ]; then LogText "Result: directory ${I} exists" - FIND=$(${MOUNTBINARY} | ${AWKBINARY} -v MP=${I} '{ if ($3==MP) { print $3 }}') + case "${OS}" in + "AIX") FIND=$(${MOUNTBINARY} | ${AWKBINARY} -v MP=${I} '{ if ($2==MP) { print $2 }}') ;; + *) FIND=$(${MOUNTBINARY} | ${AWKBINARY} -v MP=${I} '{ if ($3==MP) { print $3 }}') ;; + esac + if IsEmpty "${FIND}"; then LogText "Result: ${I} not found in mount list. Directory most likely stored on / file system" Display --indent 4 --text "- Checking ${I} mount point" --result "${STATUS_SUGGESTION}" --color YELLOW diff --git a/include/tests_firewalls b/include/tests_firewalls index 85f2b150..735059fe 100644 --- a/include/tests_firewalls +++ b/include/tests_firewalls @@ -596,11 +596,6 @@ ################################################################################# # -# Report firewall installed for now, if we found one active. Next step would be determining binaries first and apply additional checks. -Report "firewall_active=${FIREWALL_ACTIVE}" -Report "firewall_empty_ruleset=${FIREWALL_EMPTY_RULESET}" -Report "firewall_installed=${FIREWALL_ACTIVE}" - WaitForKeyPress # diff --git a/include/tests_networking b/include/tests_networking index 3986220b..b43970ce 100644 --- a/include/tests_networking +++ b/include/tests_networking @@ -370,6 +370,7 @@ # Description : Check listening ports Register --test-no NETW-3012 --weight L --network NO --category security --description "Check listening ports" if [ ${SKIPTEST} -eq 0 ]; then + DATA="" FIND=""; FIND2="" COUNT=0 case ${OS} in @@ -381,24 +382,19 @@ FIND="" fi FIND2="" - ;; + ;; Linux) - if [ ! -z "${NETSTATBINARY}" ]; then + if [ -n "${SSBINARY}" ]; then + DATA=$(${SSBINARY} --query=udp,tcp -plnt | awk '{ if ($1!="Netid") { print "raw,ss,v1|"$1"|"$5"|"$7"|" }}' | sed 's/pid=[0-9]\{1,\},fd=[0-9]\{1,\}//g' | sed 's/users://' | sed 's/,)//g' | tr -d '()"') + elif [ -n "${NETSTATBINARY}" ]; then # UDP FIND=$(${NETSTATBINARY} -nlp 2> /dev/null | ${GREPBINARY} "^udp" | ${AWKBINARY} '{ print $4"|"$1"|"$6"|" }' | ${SEDBINARY} 's:|[0-9]*/:|:') # TCP FIND2=$(${NETSTATBINARY} -nlp 2> /dev/null | ${GREPBINARY} "^tcp" | ${AWKBINARY} '{ if($6=="LISTEN") { print $4"|"$1"|"$7"|" }}' | ${SEDBINARY} 's:|[0-9]*/:|:') else - if [ ! "${SSBINARY}" = "" ]; then - # UDP - FIND=$(${SSBINARY} -u -a -n 2> /dev/null | ${AWKBINARY} '{ print $4 }' | ${GREPBINARY} -v Local) - # TCP - FIND2=$(${SSBINARY} -t -a -n 2> /dev/null | ${AWKBINARY} '{ print $4 }' | ${GREPBINARY} -v Local) - else - ReportException "${TEST_NO}:1" "netstat and ss binary missing to gather listening ports" - fi + ReportException "${TEST_NO}:1" "netstat and ss binary missing to gather listening ports" fi - ;; + ;; macOS) if [ ! "${LSOFBINARY}" = "" ]; then @@ -409,9 +405,7 @@ fi # Not needed as we have a combined test FIND2="" - ;; - - + ;; NetBSD) if [ ! "${SOCKSTATBINARY}" = "" ]; then FIND=$(${SOCKSTATBINARY} 2> /dev/null | ${AWKBINARY} '{ if ($7 ~ /\*.\*/) print $5"|"$6"|"$2"|" }' | ${SORTBINARY} -u) @@ -419,7 +413,7 @@ FIND="" fi FIND2="" - ;; + ;; OpenBSD) if [ ! "${NETSTATBINARY}" = "" ]; then # UDP @@ -429,13 +423,20 @@ else ReportException "${TEST_NO}:3" "netstat missing to gather listening ports" fi - ;; + ;; *) # Got this exception? Provide your details and output of netstat or any other tool to determine this information. ReportException "${TEST_NO}:2" "Unclear what method to use, to determine listening port information" - ;; + ;; esac + if HasData "${DATA}"; then + for ITEM in ${DATA}; do + COUNT=$((COUNT + 1)) + Report "network_listen[]=${ITEM}" + done + fi + # Retrieve information from sockstat, when available LogText "Test: Retrieving sockstat information to find listening ports" if HasData "${FIND}"; then @@ -453,11 +454,10 @@ Report "network_listen_port[]=${ITEM}" done fi - if [ "${FIND}" = "" -a "${FIND2}" = "" ]; then + if [ -z "${DATA}" -a -z "${FIND}" ]; then Display --indent 2 --text "- Getting listening ports (TCP/UDP)" --result "${STATUS_SKIPPED}" --color YELLOW else Display --indent 2 --text "- Getting listening ports (TCP/UDP)" --result "${STATUS_DONE}" --color GREEN - Display --indent 6 --text "* Found ${COUNT} ports" fi fi # @@ -634,9 +634,6 @@ ################################################################################# # -Report "dhcp_client_running=${DHCP_CLIENT_RUNNING}" -Report "arpwatch_running=${ARPWATCH_RUNNING}" - WaitForKeyPress # diff --git a/include/tests_ports_packages b/include/tests_ports_packages index 4bc75faa..2d8b997e 100644 --- a/include/tests_ports_packages +++ b/include/tests_ports_packages @@ -1340,13 +1340,6 @@ ################################################################################# # - -if [ ! -z "${INSTALLED_PACKAGES}" ]; then Report "installed_packages_array=${INSTALLED_PACKAGES}"; fi - -Report "package_audit_tool=${PACKAGE_AUDIT_TOOL}" -Report "package_audit_tool_found=${PACKAGE_AUDIT_TOOL_FOUND}" -Report "vulnerable_packages_found=${VULNERABLE_PACKAGES_FOUND}" - WaitForKeyPress # @@ -35,10 +35,10 @@ PROGRAM_AUTHOR_CONTACT="lynis-dev@cisofy.com" # Version details - PROGRAM_RELEASE_DATE="2019-04-21" - PROGRAM_RELEASE_TIMESTAMP=1555856327 - PROGRAM_RELEASE_TYPE="final" # dev or final - PROGRAM_VERSION="2.7.4" + PROGRAM_RELEASE_DATE="2019-06-17" + PROGRAM_RELEASE_TIMESTAMP=1560766656 + PROGRAM_RELEASE_TYPE="dev" # dev or final + PROGRAM_VERSION="2.7.5" # Source, documentation and license PROGRAM_SOURCE="https://github.com/CISOfy/lynis" |