-rw-r--r-- | CHANGELOG.md | 1 | ||||
-rw-r--r-- | include/consts | 3 | ||||
-rw-r--r-- | include/functions | 27 | ||||
-rw-r--r-- | include/tests_insecure_services | 22 | ||||
-rwxr-xr-x | lynis | 11 |
5 files changed, 50 insertions, 14 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3edd55cc..f21bd306 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -159,6 +159,7 @@ Using the relevant options, the scan will change base on the intended goal.
 - Several code cleanups, simplification of commands, and code standardization
 - Tests using lsof may ignore individual threads (if supported)
 - Corrected end-of-life detection for CentOS 7 and CentOS 8
+- Tests can require detected package manager (--package-manager-required)
 - Do not show tool tips when quiet option is used
 - Improved screen output in several tests
 - Extended output of 'lynis update info'
diff --git a/include/consts b/include/consts
index 3969aad5..c1f65ea2 100644
--- a/include/consts
+++ b/include/consts
@@ -125,6 +125,7 @@ unset LANG
 GRSEC_FOUND=0
 GRUBCONFFILE=""
 GRUB2INSTALLBINARY=""
+ HAS_PACKAGE_MANAGER=0
 HAS_SYSTEMD=0
 HEADBINARY=""
 HELPER=""
@@ -222,6 +223,7 @@ unset LANG
 PGREPBINARY=""
 PIDFILE=""
 PKG_BINARY=""
+ PKGINFOBINARY=""
 PKGADMINBINARY=""
 PLUGINDIR=""
 PLUGIN_PHASE=0
@@ -324,6 +326,7 @@ unset LANG
 VULNERABLE_PACKAGES_FOUND=0
 WCBINARY=""
 XARGSBINARY=""
+ XBPSBINARY=""
 YUMBINARY=""
 ZYPPERBINARY=""
diff --git a/include/functions b/include/functions
index 492ade27..58ddabe9 100644
--- a/include/functions
+++ b/include/functions
@@ -2019,6 +2019,7 @@
 PackageIsInstalled() {
 exit_code=255
+ # First parameter is package name (or __dummy__ for initial test to see if package manager is available and works as expected)
 if [ $# -eq 1 ]; then
 package="$1"
 else
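Review bot: `PKGINFOBINARY=""` is inserted before `PKGADMINBINARY=""`, which breaks the alphabetical order the surrounding declarations in include/consts follow (PGREPBINARY, PIDFILE, PKG_BINARY, ...); the other two additions in this file, HAS_PACKAGE_MANAGER and XBPSBINARY, are placed in order. Move the new line to directly after `PKGADMINBINARY=""`. Nothing in this diff assigns PKGINFOBINARY or XBPSBINARY a value; presumably the binary-detection code elsewhere fills them, which is worth confirming because the xbps branch of PackageIsInstalled already executes `${XBPSBINARY} ${package}` and an empty variable there turns the query into running the package name as a command.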
@@ -2056,7 +2057,21 @@
 output=$(${XBPSBINARY} ${package} 2> /dev/null | ${GREPBINARY} "^ii")
 exit_code=$?
 else
- ReportException "PackageIsInstalled:01"
+ if [ "${package}" != "__dummy__" ]; then
+ ReportException "PackageIsInstalled:01 (test=${TEST_NO:-unknown})"
+ fi
+ fi
+
+ # Give thumbs up if dummy package is used during initial test for package manager availability
+ if [ "${package}" = "__dummy__" ]; then
+ # There should be no positive match on this dummy package
+ if [ ${exit_code} -eq 0 ]; then
+ exit_code=1
+ elif [ ${exit_code} -eq 255 ]; then
+ exit_code=1
+ else
+ exit_code=0
+ fi
 fi
 return ${exit_code}
@@ -2499,8 +2514,8 @@
 Register() {
 # Do not insert a log break, if previous test was not logged
 if [ ${SKIPLOGTEST} -eq 0 ]; then LogTextBreak; fi
- ROOT_ONLY=0; SKIPTEST=0; SKIPLOGTEST=0; SKIPREASON=""; TEST_NEED_OS=""; PREQS_MET=""
- TEST_CATEGORY=""; TEST_NEED_NETWORK=""; TEST_NEED_PLATFORM=""
+ ROOT_ONLY=0; SKIPTEST=0; SKIPLOGTEST=0; SKIPREASON=""; PREQS_MET=""
+ TEST_CATEGORY=""; TEST_NEED_NETWORK=""; TEST_NEED_OS=""; TEST_NEED_PKG_MGR=0; TEST_NEED_PLATFORM=""
 TOTAL_TESTS=$((TOTAL_TESTS + 1))
 while [ $# -ge 1 ]; do
 case $1 in
@@ -2524,6 +2539,9 @@
 shift
 TEST_NEED_OS=$1
 ;;
+ --package-manager-required)
+ TEST_NEED_PKG_MGR=1
+ ;;
 --preqs-met)
 shift
 PREQS_MET=$1
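Review bot: The `__dummy__` branch treats every exit status other than 0 and 255 as proof that the package manager works, but the backend queries are pipelines ending in grep (the visible xbps branch is `${XBPSBINARY} ${package} 2> /dev/null | ${GREPBINARY} "^ii"`), so exit_code is grep's status: 1 means no match, which is the expected outcome, while 2 means grep itself failed, and a package-manager binary that errors out also yields a non-zero status that this mapping accepts. HAS_PACKAGE_MANAGER=1 can therefore be set on a host whose package database is unreadable, after which every --package-manager-required test runs and reports its package as absent, which for the insecure-services checks is a silent false negative. If the other backend branches, which lie above this hunk, have the same grep-pipeline shape, only status 1 should count as success: `if [ ${exit_code} -eq 1 ]; then exit_code=0; else exit_code=1; fi`; otherwise at least exclude status 2. The function header of PackageIsInstalled is outside the hunk and should document the return contract this change introduces: 0 = package found (or, for `__dummy__`, package manager usable), 1 = not found / not usable, 255 = no known backend.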
@@ -2636,6 +2654,9 @@
 # Check for correct hardware platform
 if [ ${SKIPTEST} -eq 0 -a -n "${TEST_NEED_PLATFORM}" -a ! "${HARDWARE}" = "${TEST_NEED_PLATFORM}" ]; then SKIPTEST=1; SKIPREASON="Incorrect hardware platform"; fi
+ # Check for required (and discovered) package manager
+ if [ ${SKIPTEST} -eq 0 -a ${TEST_NEED_PKG_MGR} -eq 1 -a ${HAS_PACKAGE_MANAGER} -eq 0 ]; then SKIPTEST=1; SKIPREASON="Requires a known package manager to test presence of a particular package"; fi
+
 # Not all prerequisites met, like missing tool
 if [ ${SKIPTEST} -eq 0 -a "${PREQS_MET}" = "NO" ]; then SKIPTEST=1; if [ -z "${SKIPREASON}" ]; then SKIPREASON="Prerequisites not met (ie missing tool, other type of Linux distribution)"; fi; fi
diff --git a/include/tests_insecure_services b/include/tests_insecure_services
index 3bc8dfdf..5c8af1fc 100644
--- a/include/tests_insecure_services
+++ b/include/tests_insecure_services
@@ -37,7 +37,7 @@
 #
 # Test : INSE-8000
 # Description : Check for installed inetd package
- Register --test-no INSE-8000 --weight L --network NO --category security --description "Installed inetd package"
+ Register --test-no INSE-8000 --package-manager-required --weight L --network NO --category security --description "Installed inetd package"
 if [ ${SKIPTEST} -eq 0 ]; then
 # Check for installed inetd daemon
 LogText "Test: Checking if inetd is installed"
@@ -134,7 +134,7 @@
 #
 # Test : INSE-8100
 # Description : Check for installed xinetd daemon
- Register --test-no INSE-8100 --weight L --network NO --category security --description "Check for installed xinetd daemon"
+ Register --test-no INSE-8100 --package-manager-required --weight L --network NO --category security --description "Check for installed xinetd daemon"
 if [ ${SKIPTEST} -eq 0 ]; then
 # Check for installed xinetd daemon
 LogText "Test: Checking for installed xinetd daemon"
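Review bot: Adding --package-manager-required makes INSE-8000 and INSE-8100 (and the INSE-8200 through INSE-8320 registrations changed in the following hunks) skip entirely whenever no known package manager was detected, so a host running inetd or xinetd installed from source, or on a distribution without a supported backend, now produces no finding instead of a result; the test bodies below the Register lines are outside the hunk, so whether they also look for the daemon binary or service cannot be seen here. If they rely on PackageIsInstalled alone, the skip is correct but its reason should be surfaced in the report rather than only in the log; if they also have a binary or service check, consider keeping the test registered and making only the package lookup conditional on HAS_PACKAGE_MANAGER. In either case a comment above the first Register, such as `# Package lookups need a detected package manager (HAS_PACKAGE_MANAGER, set by the __dummy__ probe in lynis)`, would explain the new flag to the next reader.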
@@ -250,7 +250,7 @@
 # Test : INSE-8200
 # Description : Check if tcp_wrappers is installed when inetd/xinetd is active
 if [ ${INETD_ACTIVE} -eq 1 -o ${XINETD_ACTIVE} -eq 1 ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
- Register --test-no INSE-8200 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check if tcp_wrappers is installed when inetd/xinetd is active"
+ Register --test-no INSE-8200 --package-manager-required --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check if tcp_wrappers is installed when inetd/xinetd is active"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking if tcp_wrappers is installed"
 FOUND=0
@@ -272,7 +272,7 @@
 #
 # Test : INSE-8300
 # Description : Check if rsh client is installed
- Register --test-no INSE-8300 --weight L --network NO --category security --description "Check if rsh client is installed"
+ Register --test-no INSE-8300 --package-manager-required --weight L --network NO --category security --description "Check if rsh client is installed"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking if rsh client is installed"
 FOUND=0
@@ -328,7 +328,7 @@
 #
 # Test : INSE-8304
 # Description : Check if rsh server is installed
- Register --test-no INSE-8304 --weight L --network NO --category security --description "Check if rsh server is installed"
+ Register --test-no INSE-8304 --package-manager-required --weight L --network NO --category security --description "Check if rsh server is installed"
 if [ ${SKIPTEST} -eq 0 ]; then
 # Check if rsh server is installed
 LogText "Test: Checking if rsh server is installed"
@@ -352,7 +352,7 @@
 #
 # Test : INSE-8310
 # Description : Check if telnet client is installed
- Register --test-no INSE-8310 --weight L --network NO --category security --description "Check if telnet client is installed"
+ Register --test-no INSE-8310 --package-manager-required --weight L --network NO --category security --description "Check if telnet client is installed"
 if [ ${SKIPTEST} -eq 0 ]; then
 # Check if telnet client is installed
 LogText "Test: Checking if telnet client is installed"
@@ -373,7 +373,7 @@
 #
 # Test : INSE-8312
 # Description : Check if telnet server is installed
- Register --test-no INSE-8322 --weight L --network NO --category security --description "Check if telnet server is installed"
+ Register --test-no INSE-8322 --package-manager-required --weight L --network NO --category security --description "Check if telnet server is installed"
 if [ ${SKIPTEST} -eq 0 ]; then
 # Check if TFTP server is installed
 LogText "Test: Checking if telnet server is installed"
@@ -398,7 +398,7 @@
 #
 # Test : INSE-8314
 # Description : Check if NIS client is installed
- Register --test-no INSE-8314 --weight L --network NO --category security --description "Check if NIS client is installed"
+ Register --test-no INSE-8314 --package-manager-required --weight L --network NO --category security --description "Check if NIS client is installed"
 if [ ${SKIPTEST} -eq 0 ]; then
 FOUND=""
 LogText "Test: Checking if NIS client is installed"
@@ -422,7 +422,7 @@
 #
 # Test : INSE-8316
 # Description : Check if NIS server is installed
- Register --test-no INSE-8316 --weight L --network NO --category security --description "Check if NIS server is installed"
+ Register --test-no INSE-8316 --package-manager-required --weight L --network NO --category security --description "Check if NIS server is installed"
 if [ ${SKIPTEST} -eq 0 ]; then
 FOUND=""
 LogText "Test: Checking if NIS server is installed"
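Review bot: The rewritten Register line in the second hunk keeps `--test-no INSE-8322` under the header comment `# Test : INSE-8312`, so the id registered and reported for the telnet-server check does not match its documentation, and the following context line `# Check if TFTP server is installed` belongs to a different test and should read telnet server. Since this line is being touched anyway, reconcile the id and fix the comment; which of 8312 or 8322 is intended cannot be decided from the diff, and INSE-8320 is already taken by the TFTP-server test in a later hunk, so check the test database and documentation before renaming. Renaming a test id is a user-visible change (profiles and report consumers may reference it), so it may deserve its own commit and changelog entry.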
@@ -446,7 +446,7 @@
 #
 # Test : INSE-8318
 # Description : Check if TFTP client is installed
- Register --test-no INSE-8318 --weight L --network NO --category security --description "Check if TFTP client is installed"
+ Register --test-no INSE-8318 --package-manager-required --weight L --network NO --category security --description "Check if TFTP client is installed"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking if TFTP client is installed"
 FOUND=""
@@ -470,7 +470,7 @@
 #
 # Test : INSE-8320
 # Description : Check if TFTP server is installed
- Register --test-no INSE-8320 --weight L --network NO --category security --description "Check if TFTP server is installed"
+ Register --test-no INSE-8320 --package-manager-required --weight L --network NO --category security --description "Check if TFTP server is installed"
 if [ ${SKIPTEST} -eq 0 ]; then
 LogText "Test: Checking if TFTP server is installed"
 FOUND=""
@@ -524,6 +524,7 @@ ${NORMAL}
 if [ "${OS}" = "Linux" -a "${HOSTNAME}" = "${FQDN}" ]; then
 FQDN=$(hostname -f 2> /dev/null)
 fi
+
 #
 #################################################################################
 #
@@ -568,6 +569,7 @@ ${NORMAL}
 fi
 Report "test_category=${TEST_CATEGORY_TO_CHECK}"
 Report "test_group=${TEST_GROUP_TO_CHECK}"
+
 #
 #################################################################################
 #
@@ -630,6 +632,7 @@ ${NORMAL}
 echo "Make sure to execute ${PROGRAM_NAME} from untarred directory or check your installation."
 exit 1
 fi
+
 #
 #################################################################################
 #
@@ -817,6 +820,14 @@ ${NORMAL}
 #
 #################################################################################
 #
+ # Test if we have a package manager available by testing for a dummy package (should not exist)
+ if PackageIsInstalled "__dummy__"; then
+ HAS_PACKAGE_MANAGER=1
+ LogText "Informational: package manager is used"
+ else
+ LogText "Informational: no known package manager for this system"
+ fi
+
 # Use hardware detection capabilities
 IsVirtualMachine
 if IsContainer; then |
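Review bot: The probe's outcome is only written to the log, and the two messages do not say what was probed or what the consequence is; `LogText "Informational: package manager is used"` reads as if a package manager was used by some earlier step. Suggest `LogText "Informational: package manager probe (__dummy__) succeeded, package-based tests enabled"` and `LogText "Informational: no usable package manager found, tests registered with --package-manager-required will be skipped"`, so an operator reading a report with many skipped INSE tests can find the cause. PackageIsInstalled depends on the package-manager and grep binary variables (XBPSBINARY and GREPBINARY are visible in include/functions) already being detected; presumably binary detection runs earlier in this file, but that is not visible in the hunk and is worth confirming, since an undetected binary makes the probe fail and silently disables every package-based test.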