-rw-r--r--CHANGELOG.md117
-rw-r--r--CONTRIBUTING.md4
-rw-r--r--HAPPY_USERS.md3
-rw-r--r--db/languages/de85
l---------db/languages/de-AT1
-rw-r--r--db/languages/en64
-rw-r--r--db/languages/fr97
-rw-r--r--db/languages/it34
-rw-r--r--db/software-eol.db238
-rw-r--r--db/tests.db9
-rw-r--r--default.prf9
-rw-r--r--extras/bash_completion.d/lynis4
-rw-r--r--include/binaries9
-rw-r--r--include/consts18
-rw-r--r--include/data_upload15
-rw-r--r--include/functions40
-rw-r--r--include/helper_audit_dockerfile10
-rw-r--r--include/helper_configure2
-rw-r--r--include/helper_generate6
-rw-r--r--include/osdetection204
-rw-r--r--include/parameters17
-rw-r--r--include/profiles9
-rw-r--r--include/report8
-rw-r--r--include/tests_accounting15
-rw-r--r--include/tests_authentication143
-rw-r--r--include/tests_banners2
-rw-r--r--include/tests_boot_services68
-rw-r--r--include/tests_containers2
-rw-r--r--include/tests_crypto71
-rw-r--r--include/tests_databases4
-rw-r--r--include/tests_dns4
-rw-r--r--include/tests_file_integrity2
-rw-r--r--include/tests_file_permissions2
-rw-r--r--include/tests_filesystems34
-rw-r--r--include/tests_firewalls8
-rw-r--r--include/tests_hardening2
-rw-r--r--include/tests_homedirs2
-rw-r--r--include/tests_insecure_services12
-rw-r--r--include/tests_kernel52
-rw-r--r--include/tests_kernel_hardening6
-rw-r--r--include/tests_ldap2
-rw-r--r--include/tests_logging39
-rw-r--r--include/tests_mac_frameworks12
-rw-r--r--include/tests_mail_messaging2
-rw-r--r--include/tests_malware58
-rw-r--r--include/tests_nameservices2
-rw-r--r--include/tests_networking17
-rw-r--r--include/tests_php64
-rw-r--r--include/tests_ports_packages20
-rw-r--r--include/tests_printers_spoolers2
-rw-r--r--include/tests_scheduling2
-rw-r--r--include/tests_shells2
-rw-r--r--include/tests_snmp2
-rw-r--r--include/tests_squid2
-rw-r--r--include/tests_ssh2
-rw-r--r--include/tests_storage4
-rw-r--r--include/tests_system_integrity2
-rw-r--r--include/tests_time132
-rw-r--r--include/tests_tooling29
-rw-r--r--include/tests_usb4
-rw-r--r--include/tests_virtualization2
-rw-r--r--include/tests_webservers2
-rwxr-xr-xlynis70
63 files changed, 1418 insertions, 487 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d252ffd4..951fb945 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,11 +1,87 @@
# Lynis Changelog
-## Lynis 3.0.0 (not released yet)
+## Lynis 3.0.2 (not released yet)
+
+### Added
+- AUTH-9284 - Scan for locked user accounts in /etc/passwd
+- TOOL-5130 - Check for active Suricata daemon
+- OS detection of Flatcar, IPFire, Mageia, NixOS, ROSA Linux, SLES (extended), Void Linux, Zorin OS
+- OS detection of OpenIndiana (Hipster and Legacy), Shillix, SmartOS, Tribblix, and others
+- EOL dates for Alpine, macOS, Mageia, OmniosCE, and Solaris 11
+- Support for Solaris svcs (service manager)
+- Enumeration of Solaris services
+- LOGG-2153 - Loghost configuration
+
+### Changed
+- ACCT-9626 - Detect sysstat systemd unit
+- BOOT-5184 - extended test with support for Solaris
+- KRNL-5830 - Improved reboot test by ignoring known bad values
+- KRNL-5830 - Ignore rescue kernel such as on CentOS systems
+- KRNL-5830 - Detection of Alpine Linux kernel
+- NETW-2400 - Compatibility change for hostname check
+- NETW-3012 - Support for Solaris
+- PKGS-7410 - Don't show exception if no kernels were found on the disk
+- TIME-3185 - Supports now checking files at multiple locations (systemd)
+- ParseNginx function: Support include on absolute paths
+- ParseNginx function: Ignore empty included wildcards
+- Set 'RHEL' as OS_NAME for Red Hat Enterprise Linux
+- HostID: Use first e1000 interface and break after match
+- Translations extended and updated
+- Test if pgrep exists before using it
+- Better support for busybox shell
+- Small code enhancements
+
+---------------------------------------------------------------------------------
+
+## Lynis 3.0.1 (2020-10-05)
+
+### Added
+- Detection of Alpine Linux
+- Detection of CloudLinux
+- Detection of Kali Linux
+- Detection of Linux Mint
+- Detection of macOS Big Sur (11.0)
+- Detection of Pop!_OS
+- Detection of PHP 7.4
+- Malware detection tool: Microsoft Defender ATP
+- New flag: --slow-warning to allow tests more time before showing a warning
+- Test TIME-3185 to check systemd-timesyncd synchronized time
+- rsh host file permissions
+
+### Changed
+- AUTH-9229 - Added option for LOCKED accounts and bugfix for older bash versions
+- BOOT-5122 - Presence check for grub.d added
+- CRYP-7902 - Added support for certificates in DER format
+- CRYP-7931 - Added data to report
+- CRYP-7931 - Redirect errors (e.g. when swap is not encrypted)
+- FILE-6430 - Don't grep nonexistent modprobe.d files
+- FIRE-4535 - Set initial firewall state
+- INSE-8312 - Corrected text on screen
+- KRNL-5728 - Handle zipped kernel configuration correctly
+- KRNL-5830 - Improved version detection for non-symlinked kernel
+- MALW-3280 - Extended detection of BitDefender
+- TIME-3104 - Find more time synchronization commands
+- TIME-3182 - Corrected detection of time peers
+- Fix: hostid generation routine would sometimes show too short IDs
+- Fix: language detection
+- Generic improvements for macOS
+- German translation updated
+- End-of-life database updated
+- Several minor code enhancements
+
+---------------------------------------------------------------------------------
+
+## Lynis 3.0.0 (2020-06-18)
This is a major release of Lynis and includes several big changes.
Some of these changes may break your current usage of the tool, so test before
deployment!
+### Security issues
+This release resolves two security issues
+* CVE-2020-13882 - Discovered by Sander Bos, code submission by Katarina Durechova
+* CVE-2019-13033 - Discovered by Sander Bos
+
### Breaking change: Non-interactive by default
Lynis now runs non-interactive by default, to be more in line with the Unix
philosophy. So the previously used '--quick' option is now default, and the tool
@@ -96,13 +172,14 @@ Using the relevant options, the scan will change base on the intended goal.
- AUTH-9268 - Perform test also on DragonFly, FreeBSD, and NetBSD
- AUTH-9282 - fix: temporary variable was overwritten
- AUTH-9408 - added support for pam_tally2 to log failed logins
-- AUTH-9489 - test removedd as it is merged with AUTH-9218
+- AUTH-9489 - test removed as it is merged with AUTH-9218
- BANN-7126 - additional words for login banner are accepted
- BOOT-5122 - check for defined password in all GRUB configuration files
- CONT-8106 - support newer 'docker info' output
- CRYP-7902 - optionally check also certificates provided by packages
- CRYP-8002 - gather kernel entropy on Linux systems
- FILE-6310 - support for HP-UX
+- FILE-6330 - corrected description
- FILE-6374 - changed log and allow root location to be changed
- FILE-6374 - corrected condition to find 'defaults' flag in /etc/fstab
- FILE-6430 - minor code improvements and show suggestion with more details
@@ -382,7 +459,7 @@ Tests:
* [AUTH-9308] - Made 'sulogin' more generic for systemd rescue shell
* [DNS-1600] - Initial work on DNSSEC validation testing
* [NETW-2704] - Added support for local resolver 127.0.0.53
-* [PHP-2379] - Suhosin test disbled
+* [PHP-2379] - Suhosin test disabled
* [SSH-7408] - Removed 'DELAYED' from OpenSSH Compression setting
* [TIME-3160] - Improvements to detect step-tickers file and entries
@@ -629,7 +706,7 @@ Changes:
* Renamed some variables to better indicate their purpose (counting, data type)
* Removal of unused code and comments
* Deleted unused tests from database file
-* Correct levels of identation
+* Correct levels of indentation
* Support for older mac OS X versions (Lion and Mountain Lion)
* Initialized variables for more binaries
* Additional sysctls are tested
@@ -1290,7 +1367,7 @@ Functions
* AddSetting - New function to store settings (lynis show settings)
* ContainsString - New function to search for a string in another one
* Display - Added --debug, showing details on screen in debug mode
- - Reset identation for lines which are too long
+ - Reset indentation for lines which are too long
* DisplayToolTip - New function to display tooltips
* IsDebug - Check for usage of --debug
* IsDeveloperMode - Status for development and debugging (--developer)
@@ -1363,7 +1440,7 @@ release.
------------
The biggest change in this release is the optimization of several functions. It
allows for better detection, and dealing with the quirks, of every single
-operating system. Some functions were fortified to handle unexcepted results
+operating system. Some functions were fortified to handle unexpected results
better, like missing a particular binary, or not returning the hostname.
This release also enables tests to be shorter, by adding new functions. Some
@@ -1641,7 +1718,7 @@ Added tests for CSF's lfd utility for integrity monitoring on directories and
files. Related tests are FINT-4334 and FINT-4336.
Added support for Chrony time daemon and timesync daemon. Additionally NTP
-sychronization status is checked when it is enabled.
+synchronization status is checked when it is enabled.
Improved single user mode protection on the rescue.service file.
@@ -2223,7 +2300,7 @@ Lynis 1.4.2 (2014-02-19)
Changes:
- Ignore interfaces aliases for HostID
- Extended umask tests with pam_umask entries [AUTH-9328]
- - Check for supressed version on Squid [SQD-3680]
+ - Check for suppressed version on Squid [SQD-3680]
---------------------------------------------------------------------------------
@@ -2236,7 +2313,7 @@ Lynis 1.4.1 (2014-02-15)
- Added 64 bits locations for Apache modules
- Add start of new category to logfile
- Extended sysstat test with /etc/cron.d/sysstat [ACCT-9626]
- - Extended cron job tests with entries start with asterix (*) [SCHD-7704]
+ - Extended cron job tests with entries start with asterisk (*) [SCHD-7704]
- Additional check for multiple umask entries (like RHEL 6.x) [AUTH-9328]
- Adjusted PHP test for register_globals (explicit test) [PHP-2368]
- Small adjustments for upcoming plugin support
@@ -2363,7 +2440,7 @@ Lynis 1.3.6 (2013-12-03)
- Adjusted PHP check to find ini files [PHP-2211]
- Skip Apache test for NetBSD [HTTP-6622]
- Skip test http version check for NetBSD [HTTP-6624]
- - Additional check to supress sort error [HTTP-6626]
+ - Additional check to suppress sort error [HTTP-6626]
- Improved the way binaries are checked (less disk reads)
- Adjusted ReportWarning() function to skip impact rating
- Improved report on screen by leaving out date/time and type
@@ -2399,7 +2476,7 @@ Lynis 1.3.5 (2013-11-19)
- Added suggestion about BIND version [NAME-4210]
- Merged test NTP daemon test TIME-3108 into TIME-3104
- Improved support for Arch Linux (output, detection)
- - Extended common list of directories with SSL certifcates in profile
+ - Extended common list of directories with SSL certificates in profile
- New function GetHostID() to determine an unique identifier of the machine
- Added a tests_custom file template
- Perform file permissions test on tests_custom file
@@ -2442,7 +2519,7 @@ Lynis 1.3.3 (2013-10-24)
Lynis 1.3.2 (2013-10-09)
New:
- - Test for PowerDNS authoritive servers (master/slave status) [NAME-4238]
+ - Test for PowerDNS authoritative servers (master/slave status) [NAME-4238]
Changes:
- CUPS test extended with hardening rules [PRNT-2308]
@@ -2489,7 +2566,7 @@ Lynis 1.3.0 (2011-12-25)
- Fixed incorrect warning for single user mode [AUTH-9308]
- Improved output for stratum 16 time servers [TIME-3116]
- Added suggestion and screen output for kernel hardening [KRNL-6000]
- - Screen layout optimalizations and log file improvements
+ - Screen layout optimizations and log file improvements
- Improved list/layout of scan options
- Improved binary check for compilers
- Added configuration option in scan profile (show_tool_tips, default true)
@@ -3052,7 +3129,7 @@ Lynis 1.1.5 (2008-06-10)
- Improved FreeBSD pkg_info output, logging output and report data [PKG-7302]
- Changed shell history file test, searching files with maxdepth 1 [HOME-9310]
- Extended iptables test, to check Linux kernel configuration file [FIRE-4511]
- - Added report warning to promicuous test [NETW-3014]
+ - Added report warning to promiscuous test [NETW-3014]
- Fixed yellow color when being used at text display
- Several logging improvements and cleanups
@@ -3121,11 +3198,11 @@ Lynis 1.1.2 (2008-05-11)
- Improved LILO test and removed double message
- Fixed incorrect message when using --help parameter
- Improved portaudit test (FreeBSD) to show unique packages only
- - Updated man page, FAQ, extended documention with plugin information
+ - Updated man page, FAQ, extended documentation with plugin information
- Added several php.ini file locations (MacOS X, OpenBSD, OpenSuSE)
** Special release notes [package/ports]: **
- - Added several default paths to check for usuable an INCLUDE directory. This
+ - Added several default paths to check for usable INCLUDE directory. This
should make packaging Lynis easier for downstream package providers.
- When no profile is set, Lynis will check first /etc/lynis/default.prf,
before setting default.prf (in current work directory) as profile to use.
@@ -3184,7 +3261,7 @@ Lynis 1.0.9 (2008-03-24)
- Added available shells from /etc/shells to report file
- Updated man page
- Fixed option in main help window for --man option
- - Code improvement, splitting up sections to seperated files
+ - Code improvement, splitting up sections to separated files
---------------------------------------------------------------------------------
@@ -3200,7 +3277,7 @@ Lynis 1.0.8 (2008-02-10)
- Changed old temporary files check
- Changed test to include ubuntu security repository
- Moved UID check to avoid PID creation as non root user
- - Moved most functions to seperated files and several code cleanups
+ - Moved most functions to separated files and several code cleanups
- Improved logging output
- Extended FreeBSD (Copyright file) test
- Changed indentation for many tests
@@ -3244,7 +3321,7 @@ Lynis 1.0.7 (2008-01-28)
- Updated year number in program and support files
- Added new function Display, to use indentation within lines
- Added function RemovePIDFile before some exit routines, to clean up PID file
- - Extracted profile support, parameter support to seperated files
+ - Extracted profile support, parameter support to separated files
- Created file tests_ports_packages for Ports and Packages
- Deleted lynis.spec file, since it was not working and will be rewritten later
@@ -3397,7 +3474,7 @@ Lynis 1.0.0 (2007-11-08)
- Test: query nameservers and test connectivity
- Test: check promiscuous interfaces (FreeBSD)
- Test: check sticky bit on /tmp directory
- - Test: check debian.org security brance in /etc/apt/sources.list
+ - Test: check debian.org security branch in /etc/apt/sources.list
- Test: check kernel update on Debian
- Test: query default Linux run level
- Test: query chkconfig to see which services start at boot
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 66a7b19b..5d9d4b00 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -27,7 +27,7 @@ To ensure all pull requests can be easily checked and merged, here are some tips
## Code Guidelines
### General
-Identation should be 4 spaces (no tab character).
+Indentation should be 4 spaces (no tab character).
### Comments
Comments: use # sign followed by a space. When needed, create a comment block.
@@ -68,6 +68,6 @@ software or computer software documentation in whole or in part, in any manner
and for any purpose whatsoever, and to have or authorize others to do so.
If you want to be named in as a contributor in the CONTRIBUTOR file, then include
-this notition in your pull request. Preferred format: Full Name, and your e-mail
+this notation in your pull request. Preferred format: Full Name, and your e-mail
address).
diff --git a/HAPPY_USERS.md b/HAPPY_USERS.md
index 57c363a9..53677c52 100644
--- a/HAPPY_USERS.md
+++ b/HAPPY_USERS.md
@@ -33,3 +33,6 @@ installed on all my systems to uncover unexpected configuration issues. The
valuable feedback and contributions give me the energy to continue to work on
its development, even after 12+ years!
+* Catalyst.net IT - January 2020
+Lynis gave us great insight in to the security state of our systems, as well as where we can improve.
+
diff --git a/db/languages/de b/db/languages/de
index 34b909e2..5d3f5be1 100644
--- a/db/languages/de
+++ b/db/languages/de
@@ -1,38 +1,91 @@
-GEN_PHASE="Phase"
+ERROR_NO_LICENSE="Kein Lizenzschlüssel eingerichtet"
+ERROR_NO_UPLOAD_SERVER="Kein Upload-Server eingerichtet"
GEN_CHECKING="Überprüfung"
GEN_CURRENT_VERSION="Aktuelle Version"
GEN_DEBUG_MODE="Debug-Modus"
-GEN_INITIALIZE_PROGRAM="Initiiere Programm"
+GEN_INITIALIZE_PROGRAM="Initialisiere Programm"
+GEN_LATEST_VERSION="Aktuellste Version"
+GEN_PHASE="Phase"
GEN_PLUGINS_ENABLED="Plugins aktiviert"
-GEN_VERBOSE_MODE="Ausführlicher Modus"
GEN_UPDATE_AVAILABLE="Aktualisierung verfügbar"
+GEN_VERBOSE_MODE="Ausführlicher Modus"
GEN_WHAT_TO_DO="Was zu tun ist"
NOTE_EXCEPTIONS_FOUND="Abweichungen gefunden"
NOTE_EXCEPTIONS_FOUND_DETAILED="Einige außergewöhnliche Ereignisse oder Informationen wurden gefunden"
NOTE_PLUGINS_TAKE_TIME="Beachte: Plugins beinhalten eingehendere Tests und können mehrere Minuten benötigen, bis sie abgeschlossen sind"
+NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Übersprungene Tests aufgrund nicht privilegiertem Modus"
+SECTION_ACCOUNTING="Accounting"
+SECTION_BANNERS_AND_IDENTIFICATION="Banner und Identifizierung"
+SECTION_BASICS="Grundlegendes"
+SECTION_BOOT_AND_SERVICES="Systemstart und Dienste"
+SECTION_CONTAINERS="Container"
+SECTION_CRYPTOGRAPHY="Kryptographie"
SECTION_CUSTOM_TESTS="Benutzerdefinierte Tests"
-SECTION_MALWARE="Malware"
-SECTION_MEMORY_AND_PROCESSES="Speicher und Prozesse"
+SECTION_DATA_UPLOAD="Daten hochladen"
+SECTION_DATABASES="Datenbanken"
+SECTION_DOWNLOADS="Downloads"
+SECTION_EMAIL_AND_MESSAGING="Software: E-Mail und Messaging"
+SECTION_FILE_INTEGRITY="Software: Dateintegrität"
+SECTION_FILE_PERMISSIONS="Dateiberechtigungen"
+SECTION_FILE_SYSTEMS="Dateisysteme"
+SECTION_FIREWALLS="Software: Firewalls"
+SECTION_GENERAL="Allgemein"
+SECTION_HARDENING="Härtung"
+SECTION_HOME_DIRECTORIES="Heimatverzeichnisse"
+SECTION_IMAGE="Image"
+SECTION_INITIALIZING_PROGRAM="Initialisiere Programm"
+SECTION_INSECURE_SERVICES="Unsichere Dienste"
+SECTION_KERNEL="Kernel"
+SECTION_KERNEL_HARDENING="Kernelhärtung"
+SECTION_LDAP_SERVICES="LDAP Dienste"
+SECTION_LOGGING_AND_FILES="Logs und Logdateien"
+SECTION_MALWARE="Software: Malware"
+SECTION_MEMORY_AND_PROCESSES="Software: Speicher und Prozesse"
+SECTION_NAME_SERVICES="Namensauflösung"
+SECTION_NETWORKING="Netzwerk"
+SECTION_PERMISSIONS="Berechtigungen"
+SECTION_PORTS_AND_PACKAGES="Ports und Pakete"
+SECTION_PRINTERS_AND_SPOOLS="Drucker und Warteschlange"
+SECTION_PROGRAM_DETAILS="Programmdetails"
+SECTION_SCHEDULED_TASKS="Geplante Aufgaben"
+SECTION_SECURITY_FRAMEWORKS="Sicherheitsframeworks"
+SECTION_SHELLS="Shells"
+SECTION_SNMP_SUPPORT="SNMP Unterstützung"
+SECTION_SOFTWARE="Software"
+SECTION_SQUID_SUPPORT="Squid"
+SECTION_SSH_SUPPORT="SSH"
+SECTION_STORAGE="Speicher"
+SECTION_SYSTEM_INTEGRITY="Software: Systemintegrität"
+SECTION_SYSTEM_TOOLING="Software: Systemwerkzeuge"
+SECTION_SYSTEM_TOOLS="Systemwerkzeuge"
+SECTION_TIME_AND_SYNCHRONIZATION="Zeit und Zeitsynchronisierung"
+SECTION_USB_DEVICES="USB Geräte"
+SECTION_USERS_GROUPS_AND_AUTHENTICATION="Benutzer, Gruppen und Authentifizierung"
+SECTION_VIRTUALIZATION="Virtualisierung"
+SECTION_WEBSERVER="Software: Webserver"
+STATUS_ACTIVE="AKTIV"
+STATUS_DISABLED="DEAKTIVIERT"
STATUS_DONE="FERTIG"
+STATUS_ENABLED="AKTIVIERT"
+STATUS_ERROR="FEHLER"
+STATUS_FAILED="FEHLERHAFT"
STATUS_FOUND="GEFUNDEN"
-STATUS_YES="JA"
+STATUS_INSTALLED="INSTALLIERT"
STATUS_NO="NEIN"
-STATUS_OFF="AUS"
-STATUS_OK="OK"
-STATUS_ON="AN"
STATUS_NONE="NICHTS"
+STATUS_NOT_CONFIGURED="NICHT KONFIGURIERT"
+STATUS_NOT_ENABLED="NICHT AKTIVIERT"
STATUS_NOT_FOUND="NICHT GEFUNDEN"
STATUS_NOT_RUNNING="LÄUFT NICHT"
+STATUS_OFF="AUS"
+STATUS_OK="OK"
+STATUS_ON="AN"
STATUS_RUNNING="LÄUFT"
STATUS_SKIPPED="ÜBERSPRUNGEN"
STATUS_SUGGESTION="VORSCHLAG"
STATUS_UNKNOWN="UNBEKANNT"
STATUS_WARNING="WARNUNG"
-TEXT_YOU_CAN_HELP_LOGFILE="Sie können durch Übermittlung Ihrer Logdatei helfen"
+STATUS_WEAK="SCHWACH"
+STATUS_YES="JA"
TEXT_UPDATE_AVAILABLE="Aktualisierung verfügbar"
-NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Übersprungene Tests aufgrund nicht privilegiertem Modus"
-STATUS_DISABLED="DEAKTIVIERT"
-STATUS_ENABLED="AKTIVIERT"
-STATUS_ERROR="FEHLER"
-ERROR_NO_LICENSE="Kein Lizenzschlüssel eingerichtet"
-ERROR_NO_UPLOAD_SERVER="Kein Upload-Server eingerichtet"
+TEXT_YOU_CAN_HELP_LOGFILE="Sie können durch Übermittlung Ihrer Logdatei helfen"
diff --git a/db/languages/de-AT b/db/languages/de-AT
new file mode 120000
index 00000000..c42e816f
--- /dev/null
+++ b/db/languages/de-AT
@@ -0,0 +1 @@
+de \ No newline at end of file
diff --git a/db/languages/en b/db/languages/en
index 716a584c..409b92d5 100644
--- a/db/languages/en
+++ b/db/languages/en
@@ -14,32 +14,86 @@ NOTE_EXCEPTIONS_FOUND="Exceptions found"
NOTE_EXCEPTIONS_FOUND_DETAILED="Some exceptional events or information was found"
NOTE_PLUGINS_TAKE_TIME="Note: plugins have more extensive tests and may take several minutes to complete"
NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Skipped tests due to non-privileged mode"
+SECTION_ACCOUNTING="Accounting"
+SECTION_BANNERS_AND_IDENTIFICATION="Banners and identification"
+SECTION_BASICS="Basics"
+SECTION_BOOT_AND_SERVICES="Boot and services"
+SECTION_CONTAINERS="Containers"
+SECTION_CRYPTOGRAPHY="Cryptography"
SECTION_CUSTOM_TESTS="Custom tests"
SECTION_DATA_UPLOAD="Data upload"
+SECTION_DATABASES="Databases"
+SECTION_DOWNLOADS="Downloads"
+SECTION_EMAIL_AND_MESSAGING="Software: e-mail and messaging"
+SECTION_FILE_INTEGRITY="Software: file integrity"
+SECTION_FILE_PERMISSIONS="File Permissions"
+SECTION_FILE_SYSTEMS="File systems"
+SECTION_FIREWALLS="Software: firewalls"
+SECTION_GENERAL="General"
+SECTION_HARDENING="Hardening"
+SECTION_HOME_DIRECTORIES="Home directories"
+SECTION_IMAGE="Image"
SECTION_INITIALIZING_PROGRAM="Initializing program"
-SECTION_MALWARE="Malware"
+SECTION_INSECURE_SERVICES="Insecure services"
+SECTION_KERNEL="Kernel"
+SECTION_KERNEL_HARDENING="Kernel Hardening"
+SECTION_LDAP_SERVICES="LDAP Services"
+SECTION_LOGGING_AND_FILES="Logging and files"
+SECTION_MALWARE="Software: Malware"
SECTION_MEMORY_AND_PROCESSES="Memory and Processes"
+SECTION_NAME_SERVICES="Name services"
+SECTION_NETWORKING="Networking"
+SECTION_PERMISSIONS="Permissions"
+SECTION_PORTS_AND_PACKAGES="Ports and packages"
+SECTION_PRINTERS_AND_SPOOLS="Printers and Spools"
+SECTION_PROGRAM_DETAILS="Program Details"
+SECTION_SCHEDULED_TASKS="Scheduled tasks"
+SECTION_SECURITY_FRAMEWORKS="Security frameworks"
+SECTION_SHELLS="Shells"
+SECTION_SNMP_SUPPORT="SNMP Support"
+SECTION_SOFTWARE="Software"
+SECTION_SQUID_SUPPORT="Squid Support"
+SECTION_SSH_SUPPORT="SSH Support"
+SECTION_STORAGE="Storage"
+SECTION_SYSTEM_INTEGRITY="Software: System integrity"
+SECTION_SYSTEM_TOOLING="Software: System tooling"
SECTION_SYSTEM_TOOLS="System tools"
+SECTION_TIME_AND_SYNCHRONIZATION="Time and Synchronization"
+SECTION_USB_DEVICES="USB Devices"
+SECTION_USERS_GROUPS_AND_AUTHENTICATION="Users, Groups and Authentication"
+SECTION_VIRTUALIZATION="Virtualization"
+SECTION_WEBSERVER="Software: webserver"
+STATUS_ACTIVE="ACTIVE"
+STATUS_DEBUG="DEBUG"
+STATUS_DEFAULT="DEFAULT"
+STATUS_DIFFERENT="DIFFERENT"
STATUS_DISABLED="DISABLED"
STATUS_DONE="DONE"
STATUS_ENABLED="ENABLED"
STATUS_ERROR="ERROR"
STATUS_FAILED="FAILED"
+STATUS_FILES_FOUND="FILES FOUND"
STATUS_FOUND="FOUND"
-STATUS_OFF="OFF"
-STATUS_OK="OK"
-STATUS_ON="ON"
+STATUS_INSTALLED="INSTALLED"
STATUS_NO="NO"
+STATUS_NO_UPDATE="NO UPDATE"
STATUS_NONE="NONE"
STATUS_NOT_CONFIGURED="NOT CONFIGURED"
+STATUS_NOT_DISABLED="NOT DISABLED"
+STATUS_NOT_ENABLED="NOT ENABLED"
STATUS_NOT_FOUND="NOT FOUND"
STATUS_NOT_RUNNING="NOT RUNNING"
+STATUS_OFF="OFF"
+STATUS_OK="OK"
+STATUS_ON="ON"
+STATUS_PROTECTED="PROTECTED"
STATUS_RUNNING="RUNNING"
STATUS_SKIPPED="SKIPPED"
STATUS_SUGGESTION="SUGGESTION"
STATUS_UNKNOWN="UNKNOWN"
+STATUS_UPDATE_AVAILABLE="UPDATE AVAILABLE"
STATUS_WARNING="WARNING"
STATUS_WEAK="WEAK"
STATUS_YES="YES"
-TEXT_YOU_CAN_HELP_LOGFILE="You can help by providing your log file"
TEXT_UPDATE_AVAILABLE="update available"
+TEXT_YOU_CAN_HELP_LOGFILE="You can help by providing your log file"
diff --git a/db/languages/fr b/db/languages/fr
index 51b4da41..8b99e548 100644
--- a/db/languages/fr
+++ b/db/languages/fr
@@ -1,38 +1,99 @@
+ERROR_NO_LICENSE="Pas de clé de licence configurée"
+ERROR_NO_UPLOAD_SERVER="Pas de serveur de transfert configuré"
GEN_CHECKING="Vérification"
GEN_CURRENT_VERSION="Version actuelle"
-GEN_DEBUG_MODE="mode debug"
+GEN_DEBUG_MODE="mode débug"
GEN_INITIALIZE_PROGRAM="Initialisation"
+GEN_LATEST_VERSION="Dernière version"
GEN_PHASE="phase"
GEN_PLUGINS_ENABLED="Plugins activés"
-GEN_VERBOSE_MODE="mode verbeux"
GEN_UPDATE_AVAILABLE="mise à jour disponible"
+GEN_VERBOSE_MODE="mode verbeux"
GEN_WHAT_TO_DO="Que faire"
NOTE_EXCEPTIONS_FOUND="Exceptions trouvées"
NOTE_EXCEPTIONS_FOUND_DETAILED="Des événements ou informations exceptionnels ont été trouvés"
-NOTE_PLUGINS_TAKE_TIME="Note: les plugins ont des tests plus poussés et peuvent prendre plusieurs minutes"
+NOTE_PLUGINS_TAKE_TIME="Note : Les plugins ont des tests plus poussés qui peuvent prendre plusieurs minutes"
NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Tests ignorés faute de privilèges"
-SECTION_CUSTOM_TESTS="Tests Personnalisés"
-SECTION_MALWARE="Malware"
-SECTION_MEMORY_AND_PROCESSES="Mémoire et Processus"
+SECTION_ACCOUNTING="Comptes"
+SECTION_BANNERS_AND_IDENTIFICATION="Bannières et identification"
+SECTION_BASICS="Basics"
+SECTION_BOOT_AND_SERVICES="Démarrage et services"
+SECTION_CONTAINERS="Conteneurs"
+SECTION_CRYPTOGRAPHY="Cryptographie"
+SECTION_CUSTOM_TESTS="Tests personnalisés"
+SECTION_DATA_UPLOAD="Téléchargement de données"
+SECTION_DATABASES="Bases de données"
+SECTION_DOWNLOADS="Téléchargements"
+SECTION_EMAIL_AND_MESSAGING="Logiciel : Email et messagerie"
+SECTION_FILE_INTEGRITY="Logiciel : Intégrité de fichier"
+SECTION_FILE_PERMISSIONS="Permissions de fichier"
+SECTION_FILE_SYSTEMS="Systèmes de fichier"
+SECTION_FIREWALLS="Logiciel : Pare-feu"
+SECTION_GENERAL="Général"
+SECTION_HARDENING="Hardening"
+SECTION_HOME_DIRECTORIES="Dossiers personnels"
+SECTION_IMAGE="Image"
+SECTION_INITIALIZING_PROGRAM="Initialisation du programme"
+SECTION_INSECURE_SERVICES="Services non sécurisés"
+SECTION_KERNEL="Noyau"
+SECTION_KERNEL_HARDENING="Kernel Hardening"
+SECTION_LDAP_SERVICES="Services LDAP"
+SECTION_LOGGING_AND_FILES="Journalisation et fichiers"
+SECTION_MALWARE="Logiciel : Malveillant"
+SECTION_MEMORY_AND_PROCESSES="Mémoire et processus"
+SECTION_NAME_SERVICES="Services de noms"
+SECTION_NETWORKING="Mise en réseau"
+SECTION_PERMISSIONS="Permissions"
+SECTION_PORTS_AND_PACKAGES="Ports et packages"
+SECTION_PRINTERS_AND_SPOOLS="Imprimantes et serveurs d'impression"
+SECTION_PROGRAM_DETAILS="Détails du programme"
+SECTION_SCHEDULED_TASKS="Tâches planifiées"
+SECTION_SECURITY_FRAMEWORKS="Frameworks de sécurité"
+SECTION_SHELLS="Shells"
+SECTION_SNMP_SUPPORT="Prise en charge SNMP"
+SECTION_SOFTWARE="Logiciel"
+SECTION_SQUID_SUPPORT="Prise en charge Squid"
+SECTION_SSH_SUPPORT="Prise en charge SSH"
+SECTION_STORAGE="Stockage"
+SECTION_SYSTEM_INTEGRITY="Logiciel : Intégrité du système"
+SECTION_SYSTEM_TOOLING="Logiciel : System tooling"
+SECTION_SYSTEM_TOOLS="Outils système"
+SECTION_TIME_AND_SYNCHRONIZATION="Heure et synchronisation"
+SECTION_USB_DEVICES="Périphériques USB"
+SECTION_USERS_GROUPS_AND_AUTHENTICATION="Utilisateurs, groupes et authentification"
+SECTION_VIRTUALIZATION="Virtualisation"
+SECTION_WEBSERVER="Logiciel : Serveur web"
+STATUS_ACTIVE="ACTIF"
+STATUS_DEBUG="DÉBUG"
+STATUS_DEFAULT="PAR DÉFAUT"
+STATUS_DIFFERENT="DIFFÉRENT"
+STATUS_DISABLED="DÉSACTIVÉ"
STATUS_DONE="FAIT"
+STATUS_ENABLED="ACTIVÉ"
+STATUS_ERROR="ERREUR"
+STATUS_FAILED="ÉCHOUÉ"
+STATUS_FILES_FOUND="FICHIERS TROUVÉS"
STATUS_FOUND="TROUVÉ"
-STATUS_YES="OUI"
+STATUS_INSTALLED="INSTALLÉ"
STATUS_NO="NON"
-STATUS_OFF="OFF"
-STATUS_OK="OK"
-STATUS_ON="ON"
+STATUS_NO_UPDATE="PAS DE MISE A JOUR"
STATUS_NONE="AUCUN"
+STATUS_NOT_CONFIGURED="NON CONFIGURÉ"
+STATUS_NOT_DISABLED="NON DESACTIVÉ"
+STATUS_NOT_ENABLED="NON ACTIVÉ"
STATUS_NOT_FOUND="NON TROUVÉ"
STATUS_NOT_RUNNING="NON LANCÉ"
-STATUS_RUNNING="EN COURS":
+STATUS_OFF="OFF"
+STATUS_OK="OK"
+STATUS_ON="ON"
+STATUS_PROTECTED="PROTÉGÉ"
+STATUS_RUNNING="EN COURS"
STATUS_SKIPPED="IGNORÉ"
STATUS_SUGGESTION="SUGGESTION"
STATUS_UNKNOWN="INCONNU"
-STATUS_WARNING="ATTENTION"
-TEXT_YOU_CAN_HELP_LOGFILE="Vous pouvez aider en envoyant votre fichier journal"
+STATUS_UPDATE_AVAILABLE="MISE A JOUR DISPONIBLE"
+STATUS_WARNING="AVERTISSEMENT"
+STATUS_WEAK="FAIBLE"
+STATUS_YES="OUI"
TEXT_UPDATE_AVAILABLE="Mise à jour disponible"
-STATUS_DISABLED="DÉSACTIVÉ"
-STATUS_ENABLED="ACTIVÉ"
-STATUS_ERROR="ERREUR"
-ERROR_NO_LICENSE="Pas de clé de licence configurée"
-ERROR_NO_UPLOAD_SERVER="Pas de serveur de transfert configuré"
+TEXT_YOU_CAN_HELP_LOGFILE="Vous pouvez aider en envoyant votre fichier journal"
diff --git a/db/languages/it b/db/languages/it
index 4ff32699..e22b9837 100644
--- a/db/languages/it
+++ b/db/languages/it
@@ -1,38 +1,48 @@
+ERROR_NO_LICENSE="Nessuna chiave di licenza configurata"
+ERROR_NO_UPLOAD_SERVER="Nessun server di upload configurato"
GEN_CHECKING="Controllo"
GEN_CURRENT_VERSION="Versione corrente"
GEN_DEBUG_MODE="Modalità Debug"
GEN_INITIALIZE_PROGRAM="Inizializzando il programma"
+GEN_LATEST_VERSION="Versione ultima"
GEN_PHASE="fase"
GEN_PLUGINS_ENABLED="Plugin abilitati"
-GEN_VERBOSE_MODE="Modalità Verbose"
GEN_UPDATE_AVAILABLE="aggiornamento disponibile"
+GEN_VERBOSE_MODE="Modalità Verbose"
GEN_WHAT_TO_DO="Cosa fare"
NOTE_EXCEPTIONS_FOUND="Trovate Eccezioni"
NOTE_EXCEPTIONS_FOUND_DETAILED="Sono stati rilevati alcuni eventi o informazioni eccezionali"
NOTE_PLUGINS_TAKE_TIME="Nota: i plugin sono sottoposti a test più estesi e possono richiedere alcuni minuti per il completamento"
+NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Test saltati a causa della modalità di esecuzione non privilegiata"
SECTION_CUSTOM_TESTS="Test su misura (Custom)"
+SECTION_DOWNLOADS="Scaricamenti"
+SECTION_GENERAL="Generale"
+SECTION_INITIALIZING_PROGRAM="Inizializzando il programma"
+SECTION_INSECURE_SERVICES="Service insicuri"
SECTION_MALWARE="Malware"
SECTION_MEMORY_AND_PROCESSES="Memoria e Processi"
+SECTION_STORAGE="Spazio di archiviazione"
+SECTION_TIME_AND_SYNCHRONIZATION="Tempo and Sincronizzazione"
+STATUS_DISABLED="DISABILITATO"
STATUS_DONE="FATTO"
+STATUS_ENABLED="ABILITATO"
+STATUS_ERROR="ERRORE"
+STATUS_FAILED="FALLITO"
STATUS_FOUND="TROVATO"
-STATUS_YES="SI"
STATUS_NO="NO"
-STATUS_OFF="OFF"
-STATUS_OK="OK"
-STATUS_ON="ON"
STATUS_NONE="NESSUNO"
+STATUS_NOT_CONFIGURED="NON CONFIGURATO"
STATUS_NOT_FOUND="NON TROVATO"
STATUS_NOT_RUNNING="NON IN ESECUZIONE"
+STATUS_OFF="OFF"
+STATUS_OK="OK"
+STATUS_ON="ON"
STATUS_RUNNING="IN ESECUZIONE"
STATUS_SKIPPED="SALTATO"
STATUS_SUGGESTION="SUGGERIMENTO"
STATUS_UNKNOWN="SCONOSCIUTO"
STATUS_WARNING="ATTENZIONE"
-TEXT_YOU_CAN_HELP_LOGFILE="Puoi aiutare fornendoci il tuo file di log"
+STATUS_WEAK="DEBOLE"
+STATUS_YES="SI"
TEXT_UPDATE_AVAILABLE="aggiornamento disponibile"
-NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Test saltati a causa della modalità di esecuzione non privilegiata"
-STATUS_DISABLED="DISABILITATO"
-STATUS_ENABLED="ABILITATO"
-STATUS_ERROR="ERRORE"
-ERROR_NO_LICENSE="Nessuna chiave di licenza configurata"
-ERROR_NO_UPLOAD_SERVER="Nessun server di upload configurato"
+TEXT_YOU_CAN_HELP_LOGFILE="Puoi aiutare fornendoci il tuo file di log"
diff --git a/db/software-eol.db b/db/software-eol.db
index b3285487..0c89b74b 100644
--- a/db/software-eol.db
+++ b/db/software-eol.db
@@ -8,15 +8,25 @@
# 4) converted date (seconds since epoch) or -1
#
# Date can be converted on Linux using: date "+%s" --date=2020-01-01
+# Seconds since epoch can be verified using: date -d @1467324000 +'%Y-%m-%d'
#
# Notes:
# For rolling releases or releases that do not (currently have an EOL date, leave field three empty and set field four to -1.
# Full string for CentOS can be something like 'CentOS Linux 8 (Core)'. As this does not correctly match, shorter string is used for matching.
#
+# Alpine - https://wiki.alpinelinux.org/wiki/Alpine_Linux:Releases
+#
+os:Alpine 3.12:2022-05-01:1651377600
+os:Alpine 3.11:2021-11-01:1635739200
+os:Alpine 3.10:2021-05-01:1619841600
+os:Alpine 3.9:2020-11-01:1604203200
+os:Alpine 3.8:2020-05-01:1588305600
+#
# Amazon Linux
#
-os:Amazon Linux:2020-06-30:1593468000:
+# Note: shortest entry is listed at end due to regular expression matching being used
os:Amazon Linux 2:2023-06-26:1687730400:
+os:Amazon Linux:2020-06-30:1593468000:
#
# Arch Linux
#
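Review bot: The new Alpine rows, `os:Alpine 3.12:2022-05-01:1651377600` through `os:Alpine 3.8:2020-05-01:1588305600`, omit the trailing `:` that every other `os:` row in the file carries (compare `os:Amazon Linux 2:2023-06-26:1687730400:` two lines below); the Mageia rows added in the next hunk have the same omission. Whether the consumer tolerates a missing terminator is not visible here, but a field-count-sensitive reader (for example `awk -F:` testing a fifth field) would treat these rows differently from the rest, so they should end with `:` like their siblings.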
@@ -38,55 +48,128 @@ os:Debian 8:2020-06-30:1593468000:
os:Debian 9:2022-01-01:1640991600:
os:Debian 10:2022-01-01:1640991600:
#
+# Fedora - https://fedoraproject.org/wiki/End_of_life
+#
+os:Fedora release 25:2017-12-12:1513033200:
+os:Fedora release 26:2018-05-29:1527544800:
+os:Fedora release 27:2018-11-30:1543532400:
+os:Fedora release 28:2019-05-28:1558994400:
+os:Fedora release 29:2019-11-26:1574722800:
+os:Fedora release 30:2020-05-26:1590444000:
+#
# FreeBSD - https://www.freebsd.org/security/unsupported.html
#
-os:FreeBSD 9.3:2014-12-31:0:
-os:FreeBSD 10.0:2015-02-28:0:
-os:FreeBSD 10.1:2016-12-31:0:
-os:FreeBSD 10.2:2016-12-31:0:
-os:FreeBSD 10.3:2018-04-30:0:
-os:FreeBSD 10.4:2018-10-31:0:
-os:FreeBSD 11.0:2017-11-30:0:
-os:FreeBSD 11.1:2018-09-30:0:
+os:FreeBSD 9.3:2014-12-31:1419980400:
+os:FreeBSD 10.0:2015-02-28:1425078000:
+os:FreeBSD 10.1:2016-12-31:1483138800:
+os:FreeBSD 10.2:2016-12-31:1483138800:
+os:FreeBSD 10.3:2018-04-30:1525039200:
+os:FreeBSD 10.4:2018-10-31:1540940400:
+os:FreeBSD 11.0:2017-11-30:1511996400:
+os:FreeBSD 11.1:2018-09-30:1538258400:
+os:FreeBSD 11.2:2019-10-31:1572476400:
+os:FreeBSD 12.0:2020-02-29:1582930800:
+#
+# Linux Mint
+#
+os:Linux Mint 18:2021-04-01:1617228000:
+os:Linux Mint 19:2023-04-01:1680300000:
+os:Linux Mint 20:2025-04-01:1743458400:
+#
+# macOS - https://support.apple.com/en_US/downloads/macos and
+# https://apple.stackexchange.com/a/282788 and
+# https://en.wikipedia.org/wiki/Category:MacOS_versions
+#
+os:Mac OS X 10.0 \(Cheetah\):2002-09-18:1032300000:
+os:Mac OS X 10.1 \(Puma\):2003-11-10:1068418800:
+os:Mac OS X 10.2 \(Jaguar\):2005-05-16:1116194400:
+os:Mac OS X 10.3 \(Panther\):2007-11-15:1195081200:
+os:Mac OS X 10.4 \(Tiger\):2009-09-10:1252533600:
+os:Mac OS X 10.5 \(Leopard\):2011-06-23:1308780000:
+os:Mac OS X 10.6 \(Snow Leopard\):2013-12-16:1387148400:
+os:Mac OS X 10.7 \(Lion\):2014-11-17:1416178800:
+os:Mac OS X 10.8 \(Mountain Lion\):2015-10-21:1445378400:
+os:Mac OS X 10.9 \(Mavericks\):2016-10-24:1477260000:
+os:Mac OS X 10.10 \(Yosemite\):2017-10-31:1509404400:
+os:Mac OS X 10.11 \(El Capitan\):2018-10-30:1540854000:
+os:macOS Sierra \(10.12\):2016-10-24:1477260000:
+os:macOS Sierra \(10.12.1\):2016-12-13:1481583600:
+os:macOS Sierra \(10.12.2\):2017-01-23:1485126000:
+os:macOS Sierra \(10.12.3\):2017-03-27:1490565600:
+os:macOS Sierra \(10.12.4\):2017-05-15:1494799200:
+os:macOS Sierra \(10.12.5\):2017-07-19:1500415200:
+os:macOS Sierra \(10.12.6\):2019-10-29:1572303600:
+os:macOS High Sierra \(10.13\):2017-10-31:1509404400:
+os:macOS High Sierra \(10.13.1\):2017-12-06:1512514800:
+os:macOS High Sierra \(10.13.2\):2018-01-23:1516662000:
+os:macOS High Sierra \(10.13.3\):2018-03-29:1522274400:
+os:macOS High Sierra \(10.13.4\):2018-06-01:1527804000:
+os:macOS High Sierra \(10.13.5\):2018-07-09:1531087200:
+os:macOS High Sierra \(10.13.6\)::-1:
+os:macOS Mojave \(10.14\):2018-10-30:1540854000:
+os:macOS Mojave \(10.14.1\):2018-12-05:1543964400:
+os:macOS Mojave \(10.14.2\):2019-01-22:1548111600:
+os:macOS Mojave \(10.14.3\):2019-03-25:1553468400:
+os:macOS Mojave \(10.14.4\):2019-05-13:1557698400:
+os:macOS Mojave \(10.14.5\):2019-07-22:1563746400:
+os:macOS Mojave \(10.14.6\)::-1:
+os:macOS Catalina \(10.15\):2019-10-29:1572303600:
+os:macOS Catalina \(10.15.1\):2019-12-10:1575932400:
+os:macOS Catalina \(10.15.2\):2020-01-28:1580166000:
+os:macOS Catalina \(10.15.3\):2020-03-24:1585004400:
+os:macOS Catalina \(10.15.4\):2020-05-26:1590444000:
+os:macOS Catalina \(10.15.5\):2020-07-15:1594764000:
+os:macOS Catalina \(10.15.6\):2020-09-24:1600898400:
+os:macOS Catalina \(10.15.7\)::-1:
+#
+# Mageia - https://www.mageia.org/en/support/
+#
+os:Mageia 1:2012-12-01:1354316400
+os:Mageia 2:2013-11-22:1385074800
+os:Mageia 3:2014-11-26:1416956400
+os:Mageia 4:2015-09-19:1442613600
+os:Mageia 5:2017-12-31:1514674800
+os:Mageia 6:2019-09-30:1569794400
+os:Mageia 7:2020-12-30:1609282800
#
# NetBSD - https://www.netbsd.org/support/security/release.html and
# https://www.netbsd.org/releases/formal.html
#
-os:NetBSD 2.0:2008-01-19:0:
-os:NetBSD 2.0.1:2008-01-19:0:
-os:NetBSD 2.0.2:2008-01-19:0:
-os:NetBSD 2.0.3:2008-01-19:0:
-os:NetBSD 2.1:2008-01-19:0:
-os:NetBSD 3.0:2009-09-29:0:
-os:NetBSD 3.0.1:2009-09-29:0:
-os:NetBSD 3.0.2:2009-09-29:0:
-os:NetBSD 3.1:2009-09-29:0:
-os:NetBSD 4.0:2012-11-17:0:
-os:NetBSD 4.0.1:2012-11-17:0:
-os:NetBSD 5.0:2015-11-17:0:
-os:NetBSD 5.0.1:2015-10-17:0:
-os:NetBSD 5.0.2:2015-10-17:0:
-os:NetBSD 5.1:2015-10-17:0:
-os:NetBSD 5.1.1:2015-10-17:0:
-os:NetBSD 5.1.2:2015-10-17:0:
-os:NetBSD 5.1.3:2015-10-17:0:
-os:NetBSD 5.1.4:2015-10-17:0:
-os:NetBSD 5.1.5:2015-10-17:0:
-os:NetBSD 5.2.1:2015-10-17:0:
-os:NetBSD 5.2.2:2015-10-17:0:
-os:NetBSD 5.2.3:2015-10-17:0:
-os:NetBSD 6.0:2017-09-17:0:
-os:NetBSD 6.0.1:2017-09-17:0:
-os:NetBSD 6.0.2:2017-09-17:0:
-os:NetBSD 6.0.3:2017-09-17:0:
-os:NetBSD 6.0.4:2017-09-17:0:
-os:NetBSD 6.0.5:2017-09-17:0:
-os:NetBSD 6.1:2017-09-17:0:
-os:NetBSD 6.1.1:2017-09-17:0:
-os:NetBSD 6.1.2:2017-09-17:0:
-os:NetBSD 6.1.3:2017-09-17:0:
-os:NetBSD 6.1.4:2017-09-17:0:
-os:NetBSD 6.1.5:2017-09-17:0:
+os:NetBSD 2.0:2008-01-19:1200697200:
+os:NetBSD 2.0.1:2008-01-19:1200697200:
+os:NetBSD 2.0.2:2008-01-19:1200697200:
+os:NetBSD 2.0.3:2008-01-19:1200697200:
+os:NetBSD 2.1:2008-01-19:1200697200:
+os:NetBSD 3.0:2009-09-29:1254175200:
+os:NetBSD 3.0.1:2009-09-29:1254175200:
+os:NetBSD 3.0.2:2009-09-29:1254175200:
+os:NetBSD 3.1:2009-09-29:1254175200:
+os:NetBSD 4.0:2012-11-17:1353106800:
+os:NetBSD 4.0.1:2012-11-17:1353106800:
+os:NetBSD 5.0:2015-11-17:1447714800:
+os:NetBSD 5.0.1:2015-10-17:1445032800:
+os:NetBSD 5.0.2:2015-10-17:1445032800:
+os:NetBSD 5.1:2015-10-17:1445032800:
+os:NetBSD 5.1.1:2015-10-17:1445032800:
+os:NetBSD 5.1.2:2015-10-17:1445032800:
+os:NetBSD 5.1.3:2015-10-17:1445032800:
+os:NetBSD 5.1.4:2015-10-17:1445032800:
+os:NetBSD 5.1.5:2015-10-17:1445032800:
+os:NetBSD 5.2.1:2015-10-17:1445032800:
+os:NetBSD 5.2.2:2015-10-17:1445032800:
+os:NetBSD 5.2.3:2015-10-17:1445032800:
+os:NetBSD 6.0:2017-09-17:1505599200:
+os:NetBSD 6.0.1:2017-09-17:1505599200:
+os:NetBSD 6.0.2:2017-09-17:1505599200:
+os:NetBSD 6.0.3:2017-09-17:1505599200:
+os:NetBSD 6.0.4:2017-09-17:1505599200:
+os:NetBSD 6.0.5:2017-09-17:1505599200:
+os:NetBSD 6.1:2017-09-17:1505599200:
+os:NetBSD 6.1.1:2017-09-17:1505599200:
+os:NetBSD 6.1.2:2017-09-17:1505599200:
+os:NetBSD 6.1.3:2017-09-17:1505599200:
+os:NetBSD 6.1.4:2017-09-17:1505599200:
+os:NetBSD 6.1.5:2017-09-17:1505599200:
os:NetBSD 7.0:2020-03-14:1584162000:
os:NetBSD 7.0.1:2020-03-14:1584162000:
os:NetBSD 7.0.2:2020-03-14:1584162000:
@@ -100,22 +183,22 @@ os:NetBSD 9.0::-1:
#
# OpenBSD - https://en.wikipedia.org/wiki/OpenBSD_version_history
#
-os:OpenBSD 5.8:2016-09-01:0:
-os:OpenBSD 5.9:2017-04-11:0:
+os:OpenBSD 5.8:2016-09-01:1472680800:
+os:OpenBSD 5.9:2017-04-11:1491861600:
+os:OpenBSD 6.0:2017-09-10:1505001600:
+os:OpenBSD 6.1:2018-04-15:1523750400:
+os:OpenBSD 6.2:2018-10-18:1539820800:
+os:OpenBSD 6.3:2019-05-03:1556841600:
+os:OpenBSD 6.4:2019-10-17:1571270400:
+os:OpenBSD 6.5:2020-05-19:1589846400:
+os:OpenBSD 6.6:2020-10-01:1601510400:
+os:OpenBSD 6.7:2021-05-01:1619827200:
#
-# Ubuntu - https://wiki.ubuntu.com/Kernel/LTSEnablementStack
+# Red Hat Enterprise Linux - https://access.redhat.com/labs/plcc/
#
-os:Ubuntu 14.04:2019-05-01:1556661600:
-os:Ubuntu 14.10:2015-07-01:0:
-os:Ubuntu 15.04:2016-01-01:0:
-os:Ubuntu 15.10:2016-07-01:0:
-os:Ubuntu 16.04:2021-05-01:1619820000:
-os:Ubuntu 16.10:2017-07-01:1498860000:
-os:Ubuntu 17.04:2018-01-01:1514761200:
-os:Ubuntu 17.10:2018-07-01:1530396000:
-os:Ubuntu 18.04:2023-05-01:1682892000:
-os:Ubuntu 18.10:2019-07-18:1563400800:
-os:Ubuntu 19.04:2020-01-01:1577833200:
+os:Red Hat Enterprise Linux Server release 6:2020-11-30:1606690800:
+os:Red Hat Enterprise Linux 7:2024-06-30:1719698400:
+os:Red Hat Enterprise Linux 8:2029-05-07:1872799200:
#
# Slackware - https://en.wikipedia.org/wiki/Slackware#Releases
#
@@ -132,3 +215,42 @@ os:Slackware Linux 12.2:2013-12-09:1386540000:
os:Slackware Linux 13.0:2018-07-05:1530738000:
os:Slackware Linux 13.1:2018-07-05:1530738000:
os:Slackware Linux 13.37:2018-07-05:1530738000:
+#
+# SuSE - https://www.suse.com/lifecycle/
+#
+os:SUSE Linux Enterprise Server 12:2024-10-31:1730329200:
+os:SUSE Linux Enterprise Server 15:2028-07-31:1848607200:
+#
+# Ubuntu - https://wiki.ubuntu.com/Kernel/LTSEnablementStack and
+# https://wiki.ubuntu.com/Releases
+#
+os:Ubuntu 14.04:2019-05-01:1556661600:
+os:Ubuntu 14.10:2015-07-01:1435701600:
+os:Ubuntu 15.04:2016-01-01:1451602800:
+os:Ubuntu 15.10:2016-07-01:1467324000:
+os:Ubuntu 16.04:2021-05-01:1619820000:
+os:Ubuntu 16.10:2017-07-01:1498860000:
+os:Ubuntu 17.04:2018-01-01:1514761200:
+os:Ubuntu 17.10:2018-07-01:1530396000:
+os:Ubuntu 18.04:2023-05-01:1682892000:
+os:Ubuntu 18.10:2019-07-18:1563400800:
+os:Ubuntu 19.04:2020-01-01:1577833200:
+os:Ubuntu 20.04:2025-04-01:1743458400:
+#
+# OmniosCE - https://omniosce.org/releasenotes.html
+#
+os:OmniOS Community Edition v11 r151022:2020-05-11:1589148000:
+os:OmniOS Community Edition v11 r151024:2018-11-04:1541286000:
+os:OmniOS Community Edition v11 r151026:2019-05-05:1557007200:
+os:OmniOS Community Edition v11 r151028:2019-11-04:1572822000:
+os:OmniOS Community Edition v11 r151030::-1:
+os:OmniOS Community Edition v11 r151032:2020-11-03:1604358000:
+os:OmniOS Community Edition v11 r151034::-1:
+#
+## Oracle Solaris - https://www.oracle.com/us/support/library/lifetime-support-hardware-301321.pdf (p. 34)
+# The list below contains Premier Support End only
+#
+os:Oracle Solaris 11.3:2021-01-01:1609455600:
+os:Oracle Solaris 11.4:2031-11-01:1951254000:
+#
+# EOF
diff --git a/db/tests.db b/db/tests.db
index 32347102..f9f8a3f7 100644
--- a/db/tests.db
+++ b/db/tests.db
@@ -37,6 +37,7 @@ AUTH-9268:test:security:authentication::Checking presence pam.d files:
AUTH-9278:test:security:authentication::Checking LDAP pam status:
AUTH-9282:test:security:authentication::Checking password protected account without expire date:
AUTH-9283:test:security:authentication::Checking accounts without password:
+AUTH-9284:test:security:authentication::Checking locked user accounts in /etc/passwd:
AUTH-9286:test:security:authentication::Checking user password aging:
AUTH-9288:test:security:authentication::Checking for expired passwords:
AUTH-9304:test:security:authentication:Solaris:Check single user login configuration:
@@ -70,9 +71,10 @@ BOOT-5142:test:security:boot_services::Check SPARC Improved boot loader (SILO):
BOOT-5155:test:security:boot_services::Check for YABOOT boot loader configuration file:
BOOT-5159:test:security:boot_services:OpenBSD:Check for OpenBSD boot loader presence:
BOOT-5165:test:security:boot_services:FreeBSD:Check for FreeBSD boot services:
+BOOT-5170:test:security:boot_services:Solaris:Check for Solaris boot daemons:
BOOT-5177:test:security:boot_services:Linux:Check for Linux boot and running services:
BOOT-5180:test:security:boot_services:Linux:Check for Linux boot services (Debian style):
-BOOT-5184:test:security:boot_services:Linux:Check permissions for boot files/scripts:
+BOOT-5184:test:security:boot_services::Check permissions for boot files/scripts:
BOOT-5202:test:security:boot_services::Check uptime of system:
BOOT-5260:test:security:boot_services::Check single user mode for systemd:
BOOT-5261:test:security:boot_services:DragonFly:Check for DragonFly boot loader presence:
@@ -228,6 +230,7 @@ LOGG-2146:test:security:logging::Checking logrotate.conf and logrotate.d:
LOGG-2148:test:security:logging::Checking logrotated files:
LOGG-2150:test:security:logging::Checking directories in logrotate configuration:
LOGG-2152:test:security:logging::Checking loghost:
+LOGG-2153:test:security:logging::Checking loghost is not localhost:
LOGG-2154:test:security:logging::Checking syslog configuration file:
LOGG-2160:test:security:logging::Checking /etc/newsyslog.conf:
LOGG-2162:test:security:logging::Checking directories in /etc/newsyslog.conf:
@@ -281,7 +284,7 @@ NAME-4210:test:security:nameservices::Check DNS banner:
NAME-4230:test:security:nameservices::Check PowerDNS status:
NAME-4232:test:security:nameservices::Search PowerDNS configuration file:
NAME-4236:test:security:nameservices::Check PowerDNS backends:
-NAME-4238:test:security:nameservices::Check PowerDNS authoritive status:
+NAME-4238:test:security:nameservices::Check PowerDNS authoritative status:
NAME-4304:test:security:nameservices::Check NIS ypbind status:
NAME-4306:test:security:nameservices::Check NIS domain:
NAME-4402:test:security:nameservices::Check duplicate line in /etc/hosts:
@@ -419,11 +422,13 @@ TIME-3170:test:security:time::Check configuration files:
TIME-3180:test:security:time::Report if ntpctl cannot communicate with OpenNTPD:
TIME-3181:test:security:time::Check status of OpenNTPD time synchronisation
TIME-3182:test:security:time::Check OpenNTPD has working peers
+TIME-3185:test:security:time::Check systemd-timesyncd synchronized time
TOOL-5002:test:security:tooling::Checking for automation tools:
TOOL-5102:test:security:tooling::Check for presence of Fail2ban:
TOOL-5104:test:security:tooling::Enabled tests for Fail2ban:
TOOL-5120:test:security:tooling::Presence of Snort IDS:
TOOL-5122:test:security:tooling::Snort IDS configuration file:
+TOOL-5130:test:security:tooling::Check for active Suricata daemon:
TOOL-5160:test:security:tooling::Check for active OSSEC daemon:
TOOL-5190:test:security:tooling::Check presence of available IDS/IPS tooling:
USB-1000:test:security:storage:Linux:Check if USB storage is disabled:
diff --git a/default.prf b/default.prf
index e5635147..aadc4495 100644
--- a/default.prf
+++ b/default.prf
@@ -93,7 +93,7 @@ skip-plugins=no
#skip-upgrade-test=yes
# Locations where to search for SSL certificates (separate paths with a colon)
-ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/usr/share/ca-certificates:/usr/share/gnupg:/var/www:/srv/www
+ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/refind.d/keys:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/usr/share/ca-certificates:/usr/share/gnupg:/var/www:/srv/www
ssl-certificate-paths-to-ignore=/etc/letsencrypt/archive:
ssl-certificate-include-packages=no
@@ -152,7 +152,7 @@ plugin=users
#
# Kernel options
# ---------------
-# configdate=, followed by:
+# config-data=, followed by:
#
# - Type = Set to 'sysctl'
# - Setting = value of sysctl key (e.g. kernel.sysrq)
@@ -310,6 +310,11 @@ permfile=/etc/motd:rw-r--r--:root:root:WARN:
permfile=/etc/passwd:rw-r--r--:root:-:WARN:
permfile=/etc/passwd-:rw-r--r--:root:-:WARN:
permfile=/etc/ssh/sshd_config:rw-------:root:-:WARN:
+permfile=/etc/hosts.equiv:rw-r--r--:root:root:WARN:
+permfile=/etc/shosts.equiv:rw-r--r--:root:root:WARN:
+permfile=/root/.rhosts:rw-------:root:root:WARN:
+permfile=/root/.rlogin:rw-------:root:root:WARN:
+permfile=/root/.shosts:rw-------:root:root:WARN:
# These permissions differ by OS
#permfile=/etc/gshadow:---------:root:-:WARN:
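Review bot: The five new `permfile=` rows hard-code the group as `root` (e.g. `permfile=/root/.rhosts:rw-------:root:root:WARN:`), while the neighbouring `/etc/passwd` and `/etc/ssh/sshd_config` rows use `-` for the group. On BSD-derived systems root's primary group is usually `wheel`, so these rows would presumably produce a WARN there for a correctly owned file, which is exactly what the comment below, `# These permissions differ by OS`, warns about. Unless the group is an intended part of the check, `root:-` keeps them consistent with the surrounding rows.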
diff --git a/extras/bash_completion.d/lynis b/extras/bash_completion.d/lynis
index 8732ede3..5c816aea 100644
--- a/extras/bash_completion.d/lynis
+++ b/extras/bash_completion.d/lynis
@@ -126,7 +126,7 @@ _lynis()
report)
return 0
;;
- settiings)
+ settings)
return 0
;;
tests)
@@ -179,7 +179,7 @@ _lynis()
*)
COMPREPLY=( $( compgen -W ' \
--auditor --cronjob --debug --quick --quiet --logfile --no-colors --no-log --pentest --reverse-colors \
- --tests --tests-from-category --tests-from-group --upload --verbose' -- "$cur" ) )
+ --tests --tests-from-category --tests-from-group --upload --verbose --slow-warning' -- "$cur" ) )
;;
esac
diff --git a/include/binaries b/include/binaries
index 6bbea4af..95d56c3d 100644
--- a/include/binaries
+++ b/include/binaries
@@ -30,7 +30,7 @@
#################################################################################
#
if [ ${CHECK_BINARIES} -eq 1 ]; then
- InsertSection "System Tools"
+ InsertSection "${SECTION_SYSTEM_TOOLS}"
Display --indent 2 --text "- Scanning available tools..."
LogText "Start scanning for available audit binaries and tools..."
@@ -119,11 +119,11 @@
COUNT=$((COUNT + 1))
BINARY="${SCANDIR}/${FILENAME}"
DISCOVERED_BINARIES="${DISCOVERED_BINARIES}${BINARY} "
- if [ -u ${BINARY} ]; then
+ if [ -u "${BINARY}" ]; then
NSUID_BINARIES=$((NSUID_BINARIES + 1))
SUID_BINARIES="${SUID_BINARIES}${BINARY} "
fi
- if [ -g ${BINARY} ]; then
+ if [ -g "${BINARY}" ]; then
NSGID_BINARIES=$((NSGID_BINARIES + 1))
SGID_BINARIES="${SGID_BINARIES}${BINARY} "
fi
@@ -219,6 +219,7 @@
maldet) LMDBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: maldet (Linux Malware Detect, malware scanner) - ${BINARY}" ;;
md5) MD5BINARY="${BINARY}"; LogText " Found known binary: md5 (hash tool) - ${BINARY}" ;;
md5sum) MD5BINARY="${BINARY}"; LogText " Found known binary: md5sum (hash tool) - ${BINARY}" ;;
+ mdatp) MDATPBINARY="${BINARY}"; MALWARE_SCANNER_INSTALLED=1; LogText " Found known binary: mdatp (Microsoft Defender ATP, malware scanner) - ${BINARY}" ;;
modprobe) MODPROBEBINARY="${BINARY}"; LogText " Found known binary: modprobe (kernel modules) - ${BINARY}" ;;
mount) MOUNTBINARY="${BINARY}"; LogText " Found known binary: mount (disk utility) - ${BINARY}" ;;
mtree) MTREEBINARY="${BINARY}"; LogText " Found known binary: mtree (mapping directory tree) - ${BINARY}" ;;
@@ -285,7 +286,9 @@
ssh-keyscan) SSHKEYSCANBINARY="${BINARY}"; LogText " Found known binary: ssh-keyscan (scanner for SSH keys) - ${BINARY}" ;;
suricata) SURICATABINARY="${BINARY}"; LogText " Found known binary: suricata (IDS) - ${BINARY}" ;;
swapon) SWAPONBINARY="${BINARY}"; LogText " Found known binary: swapon (swap device tool) - ${BINARY}" ;;
+ svcs) SVCSBINARY="${BINARY}" ; LogText " Found known binary: svcs (service manager) - ${BINARY}" ;;
swupd) SWUPDBINARY="${BINARY}"; LogText " Found known binary: swupd (package manager) - ${BINARY}" ;;
+ synoavd) SYNOAVDBINARY=${BINARY}; LogText " Found known binary: synoavd (Synology AV scanner) - ${BINARY}" ;;
sysctl) SYSCTLBINARY="${BINARY}"; LogText " Found known binary: sysctl (kernel parameters) - ${BINARY}" ;;
syslog-ng) SYSLOGNGBINARY="${BINARY}"; SYSLOGNGVERSION=$(${BINARY} -V 2>&1 | grep "^syslog-ng" | awk '{ print $2 }'); LogText "Found ${BINARY} (version ${SYSLOGNGVERSION})" ;;
systemctl) SYSTEMCTLBINARY="${BINARY}"; LogText " Found known binary: systemctl (client to systemd) - ${BINARY}" ;;
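Review bot: The `synoavd)` arm assigns `SYNOAVDBINARY=${BINARY}` without the double quotes every other arm in this `case` uses, and the `svcs)` arm has a stray space before its `;` (`SVCSBINARY="${BINARY}" ;`); both should read like their siblings, `SYNOAVDBINARY="${BINARY}";` and `SVCSBINARY="${BINARY}";`. The `svcs` entry is also inserted between `swapon` and `swupd`, breaking the alphabetical order the list otherwise keeps (it belongs before `swapon`). The enclosing `case` starts and ends outside this hunk.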
diff --git a/include/consts b/include/consts
index 7968ef1f..bb1d63ff 100644
--- a/include/consts
+++ b/include/consts
@@ -33,10 +33,6 @@ BIN_PATHS="/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin \
ETC_PATHS="/etc /usr/local/etc"
-# Do not use specific language, fall back to default
-# Some tools with translated strings are very hard to parse
-unset LANG
-
#
#################################################################################
#
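Review bot: Dropping `unset LANG` removes the only locale neutralisation visible in this file, and nothing in the hunk replaces it; the removed comment `# Some tools with translated strings are very hard to parse` describes a real hazard, since later code greps tool output for English text (for example the `syslog-ng` arm in include/binaries does `${BINARY} -V 2>&1 | grep "^syslog-ng"`). If the locale is now forced elsewhere, a one-line comment in its place naming that location would stop someone re-adding this; if it is not, the safer replacement is `export LC_ALL=C`, which overrides `LANG` and the other `LC_*` variables that `unset LANG` never covered.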
@@ -62,6 +58,7 @@ unset LANG
APPLICATION_FIREWALL_ACTIVE=0
BINARY_SCAN_FINISHED=0
BLKIDBINARY=""
+ BOOTCTLBINARY=""
CAT_BINARY=""
CFAGENTBINARY=""
CHECK=0
@@ -85,6 +82,7 @@ unset LANG
CONTROL_URL_PROTOCOL=""
CONTAINER_TYPE=""
CREATE_REPORT_FILE=1
+ CRYPTSETUPBINARY=""
CSUMBINARY=""
CURRENT_TS=0
CUSTOM_URL_APPEND=""
@@ -103,12 +101,14 @@ unset LANG
DISCOVERED_BINARIES=""
DMIDECODEBINARY=""
DNFBINARY=""
+ DNSDOMAINNAMEBINARY=""
DOCKERBINARY=""
DOCKER_DAEMON_RUNNING=0
DPKGBINARY=""
ECHOCMD=""
ERROR_ON_WARNINGS=0
EQUERYBINARY=""
+ EVMCTLBINARY=""
EXIMBINARY=""
FAIL2BANBINARY=""
FILEBINARY=""
@@ -134,6 +134,7 @@ unset LANG
HTTPDBINARY=""
IDS_IPS_TOOL_FOUND=0
IFCONFIGBINARY=""
+ INTEGRITYSETUPBINARY=""
IPBINARY=""
IPFBINARY=""
IPTABLESBINARY=""
@@ -152,6 +153,7 @@ unset LANG
LOGDIR=""
LOGROTATEBINARY=""
LOGTEXT=1
+ LSBLKBINARY=""
LSMODBINARY=""
LSOFBINARY=""
LSOF_EXTRA_OPTIONS=""
@@ -195,6 +197,7 @@ unset LANG
NGINX_RETURN_FOUND=0
NGINX_ROOT_FOUND=0
NGINX_WEAK_SSL_PROTOCOL_FOUND=0
+ NTPCTLBINARY=""
NTPD_ROLE=""
NTPQBINARY=""
OPENSSLBINARY=""
@@ -208,6 +211,7 @@ unset LANG
OS_REDHAT_OR_CLONE=0
OSIRISBINARY=""
PACMANBINARY=""
+ PAM_PASSWORD_PWHISTORY_AMOUNT=""
PASSWORD_MAXIMUM_DAYS=-1
PASSWORD_MINIMUM_DAYS=-1
PAM_2F_AUTH_ENABLED=0
@@ -242,6 +246,7 @@ unset LANG
REFRESH_REPOSITORIES=1
REMOTE_LOGGING_ENABLED=0
RESOLV_DOMAINNAME=""
+ RESOLVECTLBINARY=""
RKHUNTERBINARY=""
ROOTDIR="/"
ROOTSHBINARY=""
@@ -277,8 +282,10 @@ unset LANG
SKIP_VM_DETECTION=0
SKIPREASON=""
SKIPPED_TESTS_ROOTONLY=""
+ SLOW_TEST_THRESHOLD=10
SMTPCTLBINARY=""
SNORTBINARY=""
+ SSBINARY=""
SSHKEYSCANBINARY=""
SSHKEYSCANFOUND=0
SSL_CERTIFICATE_INCLUDE_PACKAGES=0
@@ -288,6 +295,7 @@ unset LANG
SWUPDBINARY=""
SYSLOGNGBINARY=""
SYSTEMCTLBINARY=""
+ SYSTEMDANALYZEBINARY=""
SYSTEM_IS_NOTEBOOK=255
TEMP_FILE=""
TEMP_FILES=""
@@ -297,6 +305,7 @@ unset LANG
TEST_GROUP_TO_CHECK="all"
TESTS_EXECUTED=""
TESTS_SKIPPED=""
+ TIMEDATECTL=""
TMPFILE=""
TOMOYOINITBINARY=""
TOOLTIP_SHOWED=0
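Review bot: `TIMEDATECTL=""` does not follow the naming convention used for every other tool path in this block (`SYSTEMCTLBINARY`, `SYSTEMDANALYZEBINARY`, `RESOLVECTLBINARY`, ...); if it is meant to hold the path to `timedatectl`, `TIMEDATECTLBINARY=""` keeps it discoverable alongside its siblings. The block of defaults starts before this hunk.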
@@ -322,6 +331,7 @@ unset LANG
USBGUARD_ROOT=""
VALUE=""
VERBOSE=0
+ VERITYSETUPBINARY=""
VGDISPLAYBINARY=""
VMTYPE=""
VULNERABLE_PACKAGES_FOUND=0
diff --git a/include/data_upload b/include/data_upload
index 6718d6d3..eae2b5cc 100644
--- a/include/data_upload
+++ b/include/data_upload
@@ -77,6 +77,10 @@
ExitFatal
else
Output "License key = ${LICENSE_KEY}"
+ # Create a temporary file to use during upload (prevent license key being displayed in process table)
+ CreateTempFile || ExitFatal
+ LICENSE_KEY_FILE="${TEMP_FILE}"
+ echo "${LICENSE_KEY}" | ${TRBINARY} -cd '[a-f0-9-]' > ${LICENSE_KEY_FILE}
fi
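Review bot: In `echo "${LICENSE_KEY}" | ${TRBINARY} -cd '[a-f0-9-]' > ${LICENSE_KEY_FILE}` the `tr` set includes the literal `[` and `]` characters (tr treats brackets as ordinary set members unless they form a class), so those two characters survive the filter; use `-cd 'a-f0-9-'` and quote the redirection target: `echo "${LICENSE_KEY}" | ${TRBINARY} -cd 'a-f0-9-' > "${LICENSE_KEY_FILE}"`. The file mode of the key file depends on `CreateTempFile`, which is outside this hunk; if it does not create the file with a restrictive umask, the key remains readable by other local users even though it no longer appears in the process table. The context line `Output "License key = ${LICENSE_KEY}"` still prints the key to the terminal, which the change does not address.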
@@ -129,8 +133,9 @@
# License check
- LogText "Command used: ${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "collector_version=${PROGRAM_VERSION}" ${LICENSE_SERVER_URL} 2> /dev/null"
- UPLOAD=$(${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "collector_version=${PROGRAM_VERSION}" ${LICENSE_SERVER_URL} 2> /dev/null)
+ LogText "Command used: ${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "licensekey@${LICENSE_KEY_FILE}" --data-urlencode "collector_version=${PROGRAM_VERSION}" ${LICENSE_SERVER_URL} 2> /dev/null"
+ UPLOAD=$(${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "licensekey@${LICENSE_KEY_FILE}" --data-urlencode "collector_version=${PROGRAM_VERSION}" ${LICENSE_SERVER_URL} 2> /dev/null)
+
EXITCODE=$?
LogText "Exit code: ${EXITCODE}"
if [ ${EXITCODE} -gt 0 ]; then
@@ -225,10 +230,10 @@
Output "${WHITE}Found hostid: ${HOSTID}${NORMAL}"
# Try to connect
Output "Uploading data.."
- LogText "Command used: ${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode \"data@${REPORTFILE}\" --data-urlencode \"licensekey=${LICENSE_KEY}\" --data-urlencode \"hostid=${HOSTID}\" ${UPLOAD_URL}"
- LogText "Tip: try running ${CURLBINARY}${CURL_OPTIONS} --data-urlencode \"data@${REPORTFILE}\" --data-urlencode \"licensekey=${LICENSE_KEY}\" --data-urlencode \"hostid=${HOSTID}\" ${UPLOAD_URL}"
+ LogText "Command used: ${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode \"data@${REPORTFILE}\" --data-urlencode \"licensekey@${LICENSE_KEY_FILE}\" --data-urlencode \"hostid=${HOSTID}\" ${UPLOAD_URL}"
+ LogText "Tip: try running ${CURLBINARY}${CURL_OPTIONS} --data-urlencode \"data@${REPORTFILE}\" --data-urlencode \"licensekey@${LICENSE_KEY_FILE}\" --data-urlencode \"hostid=${HOSTID}\" ${UPLOAD_URL}"
LogText "Tip: to just retry an upload, use: lynis upload-only"
- UPLOAD=$(${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "data@${REPORTFILE}" --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "hostid=${HOSTID}" --data-urlencode "hostid2=${HOSTID2}" ${UPLOAD_URL} 2> /dev/null)
+ UPLOAD=$(${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "data@${REPORTFILE}" --data-urlencode "licensekey@${LICENSE_KEY_FILE}" --data-urlencode "hostid=${HOSTID}" --data-urlencode "hostid2=${HOSTID2}" ${UPLOAD_URL} 2> /dev/null)
EXITCODE=$?
LogText "Exit code: ${EXITCODE}"
if [ ${EXITCODE} -gt 0 ]; then
diff --git a/include/functions b/include/functions
index 8d5a5ef8..c88674ba 100644
--- a/include/functions
+++ b/include/functions
@@ -38,7 +38,7 @@
# DigitsOnly Return only the digits from a string
# DirectoryExists Check if a directory exists on the disk
# DiscoverProfiles Determine available profiles on system
-# Display Output text to screen with colors and identation
+# Display Output text to screen with colors and indentation
# DisplayError Show an error on screen
# DisplayException Show an exception on screen
# DisplayManual Output text to screen without any layout
@@ -1089,12 +1089,13 @@
;;
"Solaris")
- INTERFACES_TO_TEST="e1000g1 net0"
+ INTERFACES_TO_TEST="net0 e1000g1 e1000g0"
FOUND=0
for I in ${INTERFACES_TO_TEST}; do
FIND=$(${IFCONFIGBINARY} -a | grep "^${I}")
if [ ! "${FIND}" = "" ]; then
FOUND=1; LogText "Found interface ${I} on Solaris"
+ break
fi
done
if [ ${FOUND} -eq 1 ]; then
@@ -1107,7 +1108,7 @@
ReportException "GetHostID" "Can not find sha1/sha1sum or openssl"
fi
else
- ReportException "GetHostID" "No interface found op Solaris to create HostID"
+ ReportException "GetHostID" "No interface found on Solaris to create HostID"
fi
;;
@@ -1290,7 +1291,8 @@
if [ -n "${STATBINARY}" ]; then
case ${OS} in
- *BSD)
+ *BSD | "macOS")
+ # BSD and macOS have no --format, only short notation
DATA=$(${STATBINARY} -f "%OLp" ${CHECKFILE})
;;
*)
@@ -1546,8 +1548,7 @@
if [ -z "${search}" ]; then ExitFatal "Missing process to search for when using IsRunning function"; fi
RUNNING=0
- # AIX does not fully support pgrep options, so using ps instead
- if [ "${OS}" != "AIX" ]; then
+ if [ -x "${PGREPBINARY}" ] && [ "${OS}" != "AIX" ]; then
# When --user is used, perform a search using the -u option
# Initialize users for strict mode
if [ -n "${users:-}" ]; then
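Review bot: The removed comment `# AIX does not fully support pgrep options, so using ps instead` explained why `"${OS}" != "AIX"` is in the condition; the new line keeps that condition but loses the explanation. Keep it above the `if`, extended to cover the new test, e.g. `# Use pgrep when available; AIX pgrep lacks the options used below, so fall back to ps there`. IsRunning starts before this hunk and continues after it.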
@@ -2179,7 +2180,8 @@
for I in ${FIND}; do
I=$(echo ${I} | sed 's/:space:/ /g' | sed 's/;$//' | sed 's/ #.*$//')
OPTION=$(echo ${I} | awk '{ print $1 }')
- VALUE=$(echo ${I}| cut -d' ' -f2-)
+ # Use quotes here to prevent wildcard expansion
+ VALUE=$(echo "${I}"| cut -d' ' -f2-)
LogText "Result: found option ${OPTION} in ${CONFIG_FILE} with value '${VALUE}'"
STORE_SETTING=1
case ${OPTION} in
@@ -2302,9 +2304,25 @@
done
if [ ${FOUND} -eq 0 ]; then NGINX_CONF_FILES_ADDITIONS="${NGINX_CONF_FILES_ADDITIONS} ${VALUE}"; fi
# Check for additional config files included as follows
- # "include sites-enabled/*.conf"
- elif [ $(echo ${VALUE} | grep -F -c "*.conf") -gt 0 ]; then
- for FOUND_CONF in $(ls ${CONFIG_FILE%nginx.conf}${VALUE%;*}); do
+ # "include sites-enabled/*.conf" (relative path)
+ # "include /etc/nginx/sites-enabled/*.conf" (absolute path)
+ elif [ $(echo "${VALUE}" | grep -F -c "*.conf") -gt 0 ]; then
+ # Check if path is absolute or relative
+ case $VALUE in
+ /*)
+ # Absolute path, so wildcard pattern is already correct
+ CONF_WILDCARD=${VALUE%;*}
+ ;;
+ *)
+ # Relative path, so construct absolute path for wildcard pattern
+ CONF_WILDCARD=${CONFIG_FILE%nginx.conf}${VALUE%;*}
+ ;;
+ esac
+ for FOUND_CONF in ${CONF_WILDCARD}; do
+ if [ "${FOUND_CONF}" = "${CONF_WILDCARD}" ]; then
+ LogText "Found no match for wildcard pattern: ${CONF_WILDCARD}"
+ break
+ fi
FOUND=0
for CONF in ${NGINX_CONF_FILES}; do
if [ "${CONF}" = "${FOUND_CONF}" ]; then FOUND=1; LogText "Found this file already in our configuration files array, not adding to queue"; fi
@@ -2585,7 +2603,7 @@
CURRENT_TS=$(GetTimestamp)
if [ ${PREVIOUS_TS} -gt 0 ]; then
SLOW_TEST=0
- TIME_THRESHOLD=10 # seconds
+ TIME_THRESHOLD=$SLOW_TEST_THRESHOLD # seconds
# Calculate timing and determine if we use seconds or nanoseconds (more precise)
TIME_DIFF=$((CURRENT_TS - PREVIOUS_TS))
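Review bot: `TIME_THRESHOLD=$SLOW_TEST_THRESHOLD` feeds a numeric comparison below this hunk, but nothing here checks that `SLOW_TEST_THRESHOLD` is a non-empty integer; the default `SLOW_TEST_THRESHOLD=10` in include/consts is safe, yet the `--slow-warning` option added to the bash completion in this commit suggests the value can now come from the command line. A guard such as `case "${SLOW_TEST_THRESHOLD}" in ''|*[!0-9]*) TIME_THRESHOLD=10 ;; *) TIME_THRESHOLD=${SLOW_TEST_THRESHOLD} ;; esac` avoids an `integer expression expected` error on bad input. The enclosing function starts before this hunk.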
diff --git a/include/helper_audit_dockerfile b/include/helper_audit_dockerfile
index 05d24c24..a71326ee 100644
--- a/include/helper_audit_dockerfile
+++ b/include/helper_audit_dockerfile
@@ -44,7 +44,7 @@ fi
##################################################################################################
#
- InsertSection "Image"
+ InsertSection "${SECTION_IMAGE}"
PKGMGR=""
FIND=$(grep "^FROM" ${AUDIT_FILE} | sed 's/ /:space:/g')
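Review bot: `InsertSection "${SECTION_IMAGE}"` (and `SECTION_BASICS`, `SECTION_SOFTWARE`, `SECTION_PERMISSIONS` in the following hunks of this file) now depends on every language file defining those variables. In the Italian hunk visible at the top of this page, `SECTION_DOWNLOADS` is added at its alphabetical position, but no `SECTION_IMAGE`, `SECTION_PERMISSIONS` or `SECTION_SOFTWARE` line appears where the sorted list would place them, so unless there is a fallback to the English strings elsewhere, that locale would print an empty section header. A default in the expansion, `InsertSection "${SECTION_IMAGE:-Image}"`, keeps the previous text as fallback without affecting translated runs.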
@@ -93,7 +93,7 @@ fi
#
##################################################################################################
#
- InsertSection "Basics"
+ InsertSection "${SECTION_BASICS}"
MAINTAINER=$(grep -E -i "*MAINTAINER" ${AUDIT_FILE} | sed 's/=/ /g' | cut -d'"' -f 2)
if [ -z "${MAINTAINER}" ]; then
@@ -127,7 +127,7 @@ fi
#
##################################################################################################
#
- InsertSection "Software"
+ InsertSection "${SECTION_SOFTWARE}"
case $PKGMGR in
"apt")
@@ -166,7 +166,7 @@ fi
#
##################################################################################################
#
- InsertSection "Downloads"
+ InsertSection "${SECTION_DOWNLOADS}"
FILE_DOWNLOAD=0
@@ -217,7 +217,7 @@ fi
#
##################################################################################################
#
- InsertSection "Permissions"
+ InsertSection "${SECTION_PERMISSIONS}"
FIND=$(grep -i "chmod 777" ${AUDIT_FILE})
if HasData "${FIND}"; then
diff --git a/include/helper_configure b/include/helper_configure
index ebd7f706..029ab4f7 100644
--- a/include/helper_configure
+++ b/include/helper_configure
@@ -72,7 +72,7 @@
ExitFatal
fi
- FIND=$(echo ${HELPER_PARAMERS} | grep " ")
+ FIND=$(echo ${HELPER_PARAMS} | grep " ")
if [ ! "${FIND}" = "" ]; then ${ECHOCMD} "Found invalid character (space) in configuration string"; ExitFatal; fi
CONFIGURE_SETTINGS=$(echo $2 | sed 's/:/ /g')
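Review bot: With the variable name corrected, the space check `FIND=$(echo ${HELPER_PARAMS} | grep " ")` becomes effective, but the unquoted `echo ${HELPER_PARAMS}` lets the shell strip leading and trailing whitespace before grep sees it, so a value such as `"foo "` still passes. Quote it, `FIND=$(echo "${HELPER_PARAMS}" | grep " ")`, or drop the subprocesses entirely with `case "${HELPER_PARAMS}" in *" "*) ${ECHOCMD} "Found invalid character (space) in configuration string"; ExitFatal ;; esac`. Whether the check was previously dead depends on whether `HELPER_PARAMERS` was ever set, which is not visible here.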
diff --git a/include/helper_generate b/include/helper_generate
index 67b58b66..f3a8d909 100644
--- a/include/helper_generate
+++ b/include/helper_generate
@@ -51,8 +51,10 @@ if [ $# -gt 0 ]; then
;;
*)
# xxd does not exist on FreeBSD
- HOSTID=$(head -c20 < /dev/urandom | hexdump -ve '"%.2x"')
- HOSTID2=$(head -c32 < /dev/urandom | hexdump -ve '"%.2x"')
+ # Note: hexdump may omit leading or trailing zeroes.
+ # Take 100 characters as input, turn to hex, then take first 40/64.
+ HOSTID=$(head -c100 < /dev/urandom | hexdump -ve '"%.2x"' | head -c40)
+ HOSTID2=$(head -c100 < /dev/urandom | hexdump -ve '"%.2x"' | head -c64)
;;
esac
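Review bot: Nothing after `HOSTID=$(head -c100 < /dev/urandom | hexdump -ve '"%.2x"' | head -c40)` verifies that the result has 40 (resp. 64) characters; if `hexdump` is missing or fails, the variables are silently empty and an empty host identifier is produced. A check after the `esac`, `if [ ${#HOSTID} -ne 40 ] || [ ${#HOSTID2} -ne 64 ]; then ExitFatal "Could not generate host identifiers"; fi`, turns that into a hard error. I cannot confirm the comment's claim that hexdump omits leading or trailing zeroes; if the observed defect was something else, naming it in the comment will keep the 100-byte over-read from being "simplified" away later.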
diff --git a/include/osdetection b/include/osdetection
index 7ad153d6..1596ed10 100644
--- a/include/osdetection
+++ b/include/osdetection
@@ -62,6 +62,7 @@
10.13 | 10.13.[0-9]*) OS_FULLNAME="macOS High Sierra (${OS_VERSION})" ;;
10.14 | 10.14.[0-9]*) OS_FULLNAME="macOS Mojave (${OS_VERSION})" ;;
10.15 | 10.15.[0-9]*) OS_FULLNAME="macOS Catalina (${OS_VERSION})" ;;
+ 11.0 | 11.0[0-9]*) OS_FULLNAME="macOS Big Sur (${OS_VERSION})" ;;
*) echo "Unknown macOS version. Do you know what version it is? Create an issue at ${PROGRAM_SOURCE}" ;;
esac
else
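Review bot: The new pattern `11.0 | 11.0[0-9]*)` only matches `11.0` followed directly by a digit (`11.00`, `11.05`, ...), so a point release such as `11.0.1` or any later Big Sur release (`11.1`, `11.2`) falls through to the `Unknown macOS version` arm; the sibling arms use the form `10.15 | 10.15.[0-9]*`. Since Big Sur spans the whole 11.x line, `11 | 11.[0-9]*) OS_FULLNAME="macOS Big Sur (${OS_VERSION})" ;;` covers it. The enclosing `case` starts before this hunk.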
@@ -143,6 +144,12 @@
OS_ID=$(grep "^ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
if [ -n "${OS_ID}" ]; then
case ${OS_ID} in
+ "alpine")
+ LINUX_VERSION="Alpine Linux"
+ OS_NAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ ;;
"amzn")
LINUX_VERSION="Amazon Linux"
OS_NAME="Amazon Linux"
@@ -166,6 +173,12 @@
OS_REDHAT_OR_CLONE=1
OS_VERSION="Rolling release"
;;
+ "cloudlinux")
+ LINUX_VERSION="CloudLinux"
+ OS_NAME="CloudLinux"
+ OS_REDHAT_OR_CLONE=1
+ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ ;;
"coreos")
LINUX_VERSION="CoreOS"
OS_NAME="CoreOS Linux"
@@ -177,17 +190,56 @@
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
+ "elementary")
+ LINUX_VERSION="elementary OS"
+ OS_NAME="elementary OS"
+ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ ;;
+ "endeavouros")
+ LINUX_VERSION="EndeavourOS"
+ OS_NAME="EndeavourOS"
+ OS_VERSION="Rolling release"
+ OS_VERSION_FULL="Rolling release"
+ ;;
"fedora")
LINUX_VERSION="Fedora"
OS_NAME="Fedora Linux"
OS_REDHAT_OR_CLONE=1
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
- "pureos")
- LINUX_VERSION="PureOS"
+ "flatcar")
+ LINUX_VERSION="Flatcar"
+ LINUX_VERSION_LIKE="CoreOS"
+ OS_NAME="Flatcar Linux"
+ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ ;;
+ "gentoo")
+ LINUX_VERSION="Gentoo"
+ OS_NAME="Gentoo Linux"
+ OS_VERSION="Rolling release"
+ ;;
+ "ipfire")
+ LINUX_VERSION="IPFire"
+ OS_NAME="IPFire"
+ OS_VERSION=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ ;;
+ "kali")
+ LINUX_VERSION="Kali"
+ OS_NAME="Kali Linux"
+ OS_VERSION="Rolling release"
+ ;;
+ "linuxmint")
+ LINUX_VERSION="Linux Mint"
+ OS_NAME="Linux Mint"
+ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ ;;
+ "mageia")
+ LINUX_VERSION="Mageia"
+ OS_NAME="Mageia"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
- OS_NAME="PureOS"
;;
"manjaro")
LINUX_VERSION="Manjaro"
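Review bot: Every new entry repeats the same `grep "^KEY=" /etc/os-release | awk -F= '{print $2}' | tr -d '"'` pipeline, now well over a dozen times in this case statement, which makes it easy for one entry to drift: `ipfire` reads `VERSION=` into `OS_VERSION` where every other entry reads `VERSION_ID=`, and `gentoo` and `kali` set `OS_VERSION` but not `OS_VERSION_FULL` while `endeavouros` sets both. A small helper defined before the case, `OsReleaseValue() { grep "^${1}=" /etc/os-release | awk -F= '{print $2}' | tr -d '"'; }`, would let each arm read `OS_VERSION=$(OsReleaseValue VERSION_ID)` and make such differences visible at a glance. Whether IPFire intentionally uses `VERSION=` cannot be told from the hunk; a one-line comment on that arm would settle it. The case statement starts before this hunk and continues after it.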
@@ -195,6 +247,12 @@
OS_NAME="Manjaro"
OS_VERSION="Rolling release"
;;
+ "nixos")
+ LINUX_VERSION="NixOS"
+ OS_NAME="NixOS"
+ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ ;;
"ol")
LINUX_VERSION="Oracle Linux"
OS_NAME="Oracle Linux"
@@ -212,11 +270,17 @@
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_NAME="openSUSE"
;;
- "ubuntu")
- LINUX_VERSION="Ubuntu"
+ "pop")
+ LINUX_VERSION="Pop!_OS"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
- OS_NAME="Ubuntu"
+ OS_NAME="Pop!_OS"
+ ;;
+ "pureos")
+ LINUX_VERSION="PureOS"
+ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ OS_NAME="PureOS"
;;
"raspbian")
LINUX_VERSION="Raspbian"
@@ -226,25 +290,57 @@
;;
"rhel")
LINUX_VERSION="RHEL"
- OS_NAME=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ OS_NAME="RHEL"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_FULLNAME="${OS_NAME} ${OS_VERSION_FULL}"
OS_REDHAT_OR_CLONE=1
;;
+ "rosa")
+ LINUX_VERSION="ROSA Linux"
+ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ OS_NAME="ROSA Linux"
+ ;;
"slackware")
LINUX_VERSION="Slackware"
OS_NAME="Slackware Linux"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
+ "sles")
+ LINUX_VERSION="SLES"
+ OS_NAME="openSUSE"
+ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ OS_VERSION_FULL=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ ;;
+ "ubuntu")
+ LINUX_VERSION="Ubuntu"
+ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ OS_NAME="Ubuntu"
+ ;;
+ "void")
+ LINUX_VERSION="Void Linux"
+ OS_VERSION="Rolling release"
+ OS_NAME="Void Linux"
+ ;;
+ "zorin")
+ LINUX_VERSION="Zorin OS"
+ OS_NAME="Zorin OS"
+ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ ;;
*)
- ReportException "OS Detection" "Unknown OS found in /etc/os-release"
+ ReportException "OS Detection" "Unknown OS found in /etc/os-release - Please create issue on GitHub project page: ${PROGRAM_SOURCE}"
;;
esac
fi
fi
+ # Alpine
+ if [ -e "/etc/alpine-release" ]; then LINUX_VERSION="Alpine Linux"; OS_VERSION=$(cat /etc/alpine-release); fi
+
# Amazon
if [ -z "${LINUX_VERSION}" -a -e "/etc/system-release" ]; then
FIND=$(grep "^Amazon" /etc/system-release)
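Review bot: The new `"sles")` arm sets `OS_NAME="openSUSE"`, which mislabels SUSE Linux Enterprise Server in the report and in any later test that keys on `OS_NAME`; give it its own label, e.g. `OS_NAME="SUSE Linux Enterprise Server"`, since the openSUSE arm earlier in this case already owns the other one. The Alpine block added after the case, `if [ -e "/etc/alpine-release" ]; then LINUX_VERSION="Alpine Linux"; OS_VERSION=$(cat /etc/alpine-release); fi`, runs unconditionally and overwrites what the `"alpine")` os-release arm added in this same file sets, including `OS_NAME` staying while `OS_VERSION` is replaced; guard it with `-z "${LINUX_VERSION}"` like the Amazon check right below it, or drop one of the two paths. The enclosing function continues outside this hunk.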
@@ -346,13 +442,6 @@
LINUX_VERSION="Fedora"
fi
- # Mageia (has also /etc/megaia-release)
- FIND=$(grep "Mageia" /etc/redhat-release)
- if [ ! "${FIND}" = "" ]; then
- OS_FULLNAME=$(grep "^Mageia" /etc/redhat-release)
- OS_VERSION=$(grep "^Mageia" /etc/redhat-release | awk '{ if ($2=="release") { print $3 } }')
- LINUX_VERSION="Mageia"
- fi
# Oracle Enterprise Linux
FIND=$(grep "Enterprise Linux Enterprise Linux Server" /etc/redhat-release)
@@ -490,12 +579,89 @@
SYSCTL_READKEY=""
;;
- # Solaris / OpenSolaris
+ # Solaris / OpenSolaris / Ilumos ...
SunOS)
OS="Solaris"
- OS_NAME="Sun Solaris"
- OS_FULLNAME=$(uname -s -r)
- OS_VERSION=$(uname -r)
+ OS_KERNELVERSION=$(uname -v)
+ OPENSOLARIS=0
+
+ if [ -f /etc/os-release ]; then
+ OS_ID=$(grep "^ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ OS_VERSION=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
+ OS_FULLNAME=$(awk -F= '/^PRETTY_NAME=/ {print substr($2,2,length($2)-2)}' /etc/os-release)
+ case "${OS_ID}" in
+ "solaris")
+ OS_NAME="Oracle Solaris"
+ ;;
+ "omnios")
+ OS_NAME="OmniOS"
+ OPENSOLARIS=1
+ ;;
+ "tribblix")
+ OS_NAME="Tribblix"
+ OS_FULLNAME="Tribblix ${OS_VERSION}"
+ OPENSOLARIS=1
+ ;;
+ "*")
+ ReportException "OS Detection" "Unknown OS found in /etc/os-release - Please create issue on GitHub project page: ${PROGRAM_SOURCE}"
+ ;;
+ esac
+ elif [ "$(uname -o 2> /dev/null)" == "illumos" ]; then
+ OPENSOLARIS=1
+
+ # Solaris has a free form text file with release information
+ if grep "OpenIndiana" /etc/release > /dev/null; then
+ OS_NAME="OpenIndiana"
+ if grep "Hipster" /etc/release > /dev/null; then
+ OS_VERSION="$(tr ' ' '\n' < /etc/release | grep '[[:digit:]]\.[[:digit:]]')"
+ OS_FULLNAME="OpenIndiana Hipster $OS_VERSION"
+ else
+ OS_VERSION="Unknown"
+ OS_FULLNAME="OpenIndiana (unknown edition)"
+ fi
+ elif grep "OmniOS" /etc/release > /dev/null; then
+ OS_NAME="OmniOS"
+ OS_VERSION="$(tr ' ' '\n' < /etc/release | grep 'r[[:digit:]]')"
+ if grep "Community Edition" /etc/release > /dev/null; then
+ OS_FULLNAME="OmniOS Community Edition v11 $OS_VERSION"
+ fi
+ elif grep "SmartOS" /etc/release > /dev/null; then
+ OS_NAME="SmartOS"
+ OS_VERSION="-"
+ OS_FULLNAME="SmartOS"
+ else
+ OS_NAME="Unknown Illumos"
+ fi
+ elif grep "SchilliX" /etc/release > /dev/null; then
+ OS_NAME="SchilliX"
+ OS_FULLNAME="$(head -n 1 /etc/release | xargs)"
+ OS_VERSION="$(echo "$OS_FULLNAME" | cut -d '-' -f 2)"
+
+ OPENSOLARIS=1
+ elif head -n 1 < /etc/release | grep "Oracle Solaris" > /dev/null; then
+ OS_NAME="Oracle Solaris"
+ OS_FULLNAME="$(head -n 1 /etc/release | xargs)"
+ OS_VERSION="$(head -n 1 < /etc/release | xargs | cut -d ' ' -f 3)"
+ elif head -n 1 < /etc/release | xargs | grep "^Solaris " > /dev/null; then
+ OS_NAME="Sun Solaris"
+ # Example of /etc/release:
+ # Solaris 10 5/08
+ # ...
+ # Solaris 10 10/09 (Update 8)
+ # The first line does not contain the "Update" number,
+ # only if present.
+ if tail -1 < /etc/release | xargs | grep "^Solaris " > /dev/null; then
+ OS_FULLNAME=$(tail -1 < /etc/release | xargs)
+ else
+ OS_FULLNAME=$(head -1 < /etc/release | xargs)
+ fi
+ OS_VERSION=$(echo "$OS_FULLNAME" | cut -d ' ' -f 2,3)
+ else # Old behaviour
+ OS_NAME="Sun Solaris"
+ OS_FULLNAME=$(uname -s -r)
+ OS_VERSION=$(uname -r)
+ fi
+
HARDWARE=$(uname -m)
if [ -x /usr/bin/isainfo ]; then
# Returns 32, 64
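Review bot: The fallback arm `"*")` in the new `/etc/os-release` case is a quoted literal, so it matches only an ID that is exactly `*` and never acts as the default; an unrecognised Solaris or illumos ID silently leaves `OS_NAME` empty instead of raising the exception. Change it to `*)`. The test `elif [ "$(uname -o 2> /dev/null)" == "illumos" ]` uses `==`, which is not POSIX `test` syntax and differs from the `=` used throughout this file; on a strict `/bin/sh` the comparison errors out and the illumos branch is skipped, so use `=`. A smaller nit: the comment says "Ilumos" for "illumos". The `SunOS)` case arm continues past the end of this hunk.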
diff --git a/include/parameters b/include/parameters
index 8668b683..242899e6 100644
--- a/include/parameters
+++ b/include/parameters
@@ -423,6 +423,23 @@
QUIET=1
;;
+ # Warning when test is slow
+ --slow-warning)
+ if [ $# -gt 1 ]; then
+ shift
+
+ if [ "$1" -gt 0 ] 2>/dev/null; then
+ SLOW_TEST_THRESHOLD="$1"
+ else
+ echo "Argument has to be number."
+ exit 1
+ fi
+ else
+ echo "Specify threshold as number of seconds above which should Lynis warn about long test."
+ exit 1
+ fi
+ ;;
+
--tests-category | --tests-categories | --view-categories | --list-categories | --show-categories)
echo "Error: Deprecated option ($1)"
exit 1
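Review bot: Both error messages for `--slow-warning` are written to stdout before `exit 1`, which mixes them into any report output captured from the tool; send them to stderr, e.g. `echo "Argument has to be a number." >&2`. The guard `[ "$1" -gt 0 ] 2>/dev/null` is reasonable, but depending on the shell it may also accept forms such as `+5`; if only plain digits are intended, a `case "$1" in ''|*[!0-9]*) ... ;; esac` check is stricter and portable. The second message reads awkwardly; suggest `Specify the threshold in seconds above which Lynis should warn about a slow test.`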
diff --git a/include/profiles b/include/profiles
index da2124f7..e7a25670 100644
--- a/include/profiles
+++ b/include/profiles
@@ -35,7 +35,7 @@
# Show deprecation message for old config entries such as 'config:' and 'apache:'
FOUND=0
- DATA=$(grep -E "^[a-z-]{1,}:" ${PROFILE} | od -An -ta | sed 's/ /!space!/g') # od -An (no file offset), -ta (named character, to be on safe side)
+ DATA=$(grep -E "^[a-z-]{1,}:" ${PROFILE})
if ! IsEmpty "${DATA}"; then FOUND=1; fi
if [ ${FOUND} -eq 1 ]; then
@@ -50,17 +50,17 @@
Display --text " "
Display --text "=================================================================================================="
Display --text " "
+ LogText "Insight: Profile '${PROFILE}' contains one or more old-style configuration entries"
ReportWarning "GEN-0020" "Your profile contains one or more old-style configuration entries"
sleep 10
fi
# Security check for unexpected and possibly harmful escape characters (hyphen should be listed as first or last character)
- DATA=$(grep -Ev '^$|^ |^#|^config:' "${PROFILE}" | tr -d '[:alnum:]/\[\]\(\)_\|,\.:;= \n\r-' | od -An -ta | sed 's/ /!space!/g')
+ DATA=$(grep -Ev '^$|^ |^#|^config:' "${PROFILE}" | tr -d '[:alnum:]/\[\]\(\)_\|,\.:;= \n\r-')
if ! IsEmpty "${DATA}"; then
DisplayWarning "Your profile '${PROFILE}' contains unexpected characters. See the log file for more information."
LogText "Found unexpected or possibly harmful characters in profile '${PROFILE}'. See which characters matched in the output below and compare them with your profile."
- for I in ${DATA}; do
- I=$(echo ${I} | sed 's/!space!/ /g')
+ for I in $(printf ${DATA} | od -An -ta); do
LogText "Output: ${I}"
done
LogText "Suggestion: comment incorrect lines with a '#' and try again. Open a GitHub issue if valid characters are blocked"
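Review bot: `for I in $(printf ${DATA} | od -An -ta)` passes the suspicious characters as printf's format string and unquoted, and `DATA` is by construction exactly the bytes that survived the `tr -d` filter, i.e. the ones most likely to be `%`, `\`, `*` or `?`: here `%` sequences are interpreted by printf, backslashes become escapes, and glob characters are expanded against the current directory before anything reaches `od`, so the log does not show what is actually in the profile. Pass the data as an argument instead: `for I in $(printf '%s' "${DATA}" | od -An -ta); do`. That also removes the only reason the old `!space!` placeholder dance existed, so the simplification in this hunk is otherwise sound.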
@@ -556,7 +556,6 @@
Display --indent 2 --text "- Checking profiles..." --result "DONE" --color GREEN
-LogTextBreak
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com
diff --git a/include/report b/include/report
index 29f45643..3d0c7fdf 100644
--- a/include/report
+++ b/include/report
@@ -151,14 +151,14 @@
fi
# Show suggestions from logfile
- SSUGGESTIONS=$(${GREPBINARY} 'Suggestion: ' ${LOGFILE} | sed 's/ /!space!/g')
+ SUGGESTIONS=$(${GREPBINARY} 'Suggestion: ' ${LOGFILE} | sed 's/ /!space!/g')
- if [ -z "${SSUGGESTIONS}" ]; then
+ if [ -z "${SUGGESTIONS}" ]; then
echo " ${OK}No suggestions${NORMAL}"; echo ""
else
echo " ${YELLOW}Suggestions${NORMAL} (${TOTAL_SUGGESTIONS}):"
echo " ${WHITE}----------------------------${NORMAL}"
- for SUGGESTION in ${SSUGGESTIONS}; do
+ for SUGGESTION in ${SUGGESTIONS}; do
SOLUTION=""
SHOWSUGGESTION=$(echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^.* Suggestion: //' | sed 's/\[details:\(.*\)\] \[solution:\(.*\)\]//' | sed 's/test://')
ADDLINK=$(echo ${SUGGESTION} | sed 's/!space!/ /g' | sed 's/^.* Suggestion: \(.*\)\[test://' | sed 's/\]\(.*\)]//' | ${AWKBINARY} -F: '{print $1}')
@@ -183,7 +183,7 @@
done
fi
# Show tip on how to continue (next steps)
- if [ ! "${SWARNINGS}" = "" -o ! "${SSUGGESTIONS}" = "" ]; then
+ if [ ! "${SWARNINGS}" = "" -o ! "${SUGGESTIONS}" = "" ]; then
echo " ${CYAN}Follow-up${NORMAL}:"
echo " ${WHITE}----------------------------${NORMAL}"
echo " ${WHITE}-${NORMAL} Show details of a test (lynis show details TEST-ID)"
diff --git a/include/tests_accounting b/include/tests_accounting
index 91fca1a0..dd1ef2a8 100644
--- a/include/tests_accounting
+++ b/include/tests_accounting
@@ -18,7 +18,7 @@
#
#################################################################################
#
- InsertSection "Accounting"
+ InsertSection "${SECTION_ACCOUNTING}"
#
#################################################################################
#
@@ -123,8 +123,19 @@
Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_DISABLED}" --color WHITE
ReportSuggestion "${TEST_NO}" "Enable sysstat to collect accounting (cron disabled)"
fi
+ elif [ -f "${ROOTDIR}lib/systemd/system/sysstat.service" ] || [ -f "${ROOTDIR}etc/systemd/system/sysstat.service" ]; then
+ LogText "Result: sysstat systemd unit found"
+ if [ -L "${ROOTDIR}etc/systemd/system/multi-user.target.wants/sysstat.service" ]; then
+ # Assuming -collect.timer and -summary.timer are enabled as well,
+ # as they are usually in the install section.
+ LogText "Result: sysstat enabled via systemd"
+ Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_ENABLED}" --color GREEN
+ else
+ LogText "Result: sysstat disabled via systemd"
+ Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_DISABLED}" --color WHITE
+ fi
else
- LogText "Result: sysstat not found via ${ROOTDIR}etc/default/sysstat or ${ROOTDIR}etc/cron.d/sysstat"
+ LogText "Result: sysstat not found via ${ROOTDIR}etc/default/sysstat or ${ROOTDIR}etc/cron.d/sysstat or as a systemd unit"
Display --indent 2 --text "- Checking sysstat accounting data" --result "${STATUS_NOT_FOUND}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Enable sysstat to collect accounting (no results)"
fi
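Review bot: The new systemd branch decides "enabled" solely from a symlink in `multi-user.target.wants`, so a unit enabled through another target, or a non-symlink override in `/etc/systemd/system`, is reported as disabled, and a unit shipped under `/usr/lib/systemd/system` (common on RPM-based systems, where `/lib` may not be a separate path) is not detected at all. Consider adding `${ROOTDIR}usr/lib/systemd/system/sysstat.service` to the unit search and, when systemctl is available, asking it directly, e.g. `if systemctl is-enabled sysstat.service > /dev/null 2>&1; then`, with the symlink test as the fallback. The comment assumes the collect/summary timers are enabled alongside the service; if, as the comment implies, the service alone does not collect data, that assumption deserves a `LogText` line so a reader of the report can see it. The enclosing if/elif chain starts before this hunk.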
diff --git a/include/tests_authentication b/include/tests_authentication
index bf8cabe8..ce2205ca 100644
--- a/include/tests_authentication
+++ b/include/tests_authentication
@@ -31,7 +31,7 @@
#
#################################################################################
#
- InsertSection "Users, Groups and Authentication"
+ InsertSection "${SECTION_USERS_GROUPS_AND_AUTHENTICATION}"
# Test : AUTH-9204
# Description : Check users with UID zero (0)
@@ -286,50 +286,56 @@
# Description : Check password hashing methods vs. recommendations in crypt(5)
# Notes : Applicable to all Unix-like OS
# Requires read access to /etc/shadow (if it exists)
+
+ ParsePasswordEntry() {
+ METHOD=$1
+ case ${METHOD} in
+ 1:\* | 1:x | 0: | *:!* | *LOCK*)
+ # disabled | shadowed | no password | locked account (can be literal *LOCK* or something like LOCKED)
+ ;;
+ *:\$5\$*| *:\$6\$*)
+ # sha256crypt | sha512crypt: check number of rounds, should be >5000
+ ROUNDS=$(echo "${METHOD}" | sed -n 's/.*rounds=\([0-9]*\)\$.*/\1/gp')
+ if [ -z "${ROUNDS}" ]; then
+ echo 'sha256crypt/sha512crypt(default<=5000rounds)'
+ elif [ "${ROUNDS}" -le 5000 ]; then
+ echo 'sha256crypt/sha512crypt(<=5000rounds)'
+ fi
+ ;;
+ *:\$y\$* | *:\$gy\$* | *:\$2b\$* | *:\$7\$*)
+ # yescrypt | gost-yescrypt | bcrypt | scrypt
+ ;;
+ *:_*)
+ echo bsdicrypt
+ ;;
+ *:\$1\$*)
+ echo md5crypt
+ ;;
+ *:\$3\$*)
+ echo NT
+ ;;
+ *:\$md5*)
+ echo SunMD5
+ ;;
+ *:\$sha1*)
+ echo sha1crypt
+ ;;
+ 13:* | 178:*)
+ echo bigcrypt/descrypt
+ ;;
+ *)
+ echo "Unknown password hashing method ${METHOD}. Please report to lynis-dev@cisofy.com"
+ ;;
+ esac
+ }
+
Register --test-no AUTH-9229 --root-only YES --weight L --network NO --category security --description "Check password hashing methods"
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: Checking password hashing methods"
SHADOW="";
if [ -e ${ROOTDIR}etc/shadow ]; then SHADOW="${ROOTDIR}etc/shadow"; fi
FIND=$(${CAT_BINARY} ${ROOTDIR}etc/passwd ${SHADOW} | ${AWKBINARY} -F : '{print length($2) ":" $2 }' | while read METHOD; do
- case ${METHOD} in
- 1:\* | 1:x | 0: | *:!*)
- # disabled | shadowed | no password | locked account
- ;;
- *:\$5\$*| *:\$6\$*)
- # sha256crypt | sha512crypt: check number of rounds, should be >5000
- ROUNDS=$(echo "${METHOD}" | sed -n 's/.*rounds=\([0-9]*\)\$.*/\1/gp')
- if [ -z "${ROUNDS}" ]; then
- echo 'sha256crypt/sha512crypt(default<=5000rounds)'
- elif [ "${ROUNDS}" -le 5000 ]; then
- echo 'sha256crypt/sha512crypt(<=5000rounds)'
- fi
- ;;
- *:\$y\$* | *:\$gy\$* | *:\$2b\$* | *:\$7\$*)
- # yescrypt | gost-yescrypt | bcrypt | scrypt
- ;;
- *:_*)
- echo bsdicrypt
- ;;
- *:\$1\$*)
- echo md5crypt
- ;;
- *:\$3\$*)
- echo NT
- ;;
- *:\$md5*)
- echo SunMD5
- ;;
- *:\$sha1*)
- echo sha1crypt
- ;;
- 13:* | 178:*)
- echo bigcrypt/descrypt
- ;;
- *)
- echo "Unknown password hashing method ${METHOD}. Please report to lynis-dev@cisofy.com"
- ;;
- esac
+ ParsePasswordEntry ${METHOD}
done | ${SORTBINARY} -u | ${TRBINARY} '\n' ' ')
if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Password hashing methods" --result "${STATUS_OK}" --color GREEN
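Review bot: `ParsePasswordEntry ${METHOD}` passes the `length:hash` string unquoted, so the shell applies pathname expansion to entries containing `*` or `?`, which are precisely the values this function classifies (`1:*`, `*:!*`, `*LOCK*`); a file in the current directory matching such a pattern would replace the argument and change the classification. Quote it, `ParsePasswordEntry "${METHOD}"`, and inside the function use `METHOD="$1"`. The new `*LOCK*` arm matches any hash containing `LOCK`; if the intent is also to cover Solaris-style `*LK*` markers, that value is not matched by any arm and would land in the "Unknown password hashing method" message, which is worth confirming. The function reuses the global `METHOD` and `ROUNDS` names of the calling loop; that is fine in POSIX sh but deserves a one-line comment so nobody later "fixes" it with `local`.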
@@ -496,7 +502,7 @@
FIND=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${EGREPBINARY} "compat|nisplus")
if [ -z "${FIND}" ]; then
LogText "Result: NIS+ authentication not enabled"
- Display --indent 2 --text "- NIS+ authentication support" --result "NOT ENABLED" --color WHITE
+ Display --indent 2 --text "- NIS+ authentication support" --result "${STATUS_NOT_ENABLED}" --color WHITE
else
FIND2=$(${EGREPBINARY} "^passwd_compat" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus")
FIND3=$(${EGREPBINARY} "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "nisplus")
@@ -505,7 +511,7 @@
Display --indent 2 --text "- NIS+ authentication support" --result "${STATUS_ENABLED}" --color GREEN
else
LogText "Result: NIS+ authentication not enabled"
- Display --indent 2 --text "- NIS+ authentication support" --result "NOT ENABLED" --color WHITE
+ Display --indent 2 --text "- NIS+ authentication support" --result "${STATUS_NOT_ENABLED}" --color WHITE
fi
fi
else
@@ -523,7 +529,7 @@
FIND=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${EGREPBINARY} "compat|nis" | ${GREPBINARY} -v "nisplus")
if [ -z "${FIND}" ]; then
LogText "Result: NIS authentication not enabled"
- Display --indent 2 --text "- NIS authentication support" --result "NOT ENABLED" --color WHITE
+ Display --indent 2 --text "- NIS authentication support" --result "${STATUS_NOT_ENABLED}" --color WHITE
else
FIND2=$(${EGREPBINARY} "^passwd_compat" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus")
FIND3=$(${EGREPBINARY} "^passwd" /etc/nsswitch.conf | ${GREPBINARY} "nis" | ${GREPBINARY} -v "nisplus")
@@ -532,7 +538,7 @@
Display --indent 2 --text "- NIS authentication support" --result "${STATUS_ENABLED}" --color GREEN
else
LogText "Result: NIS authentication not enabled"
- Display --indent 2 --text "- NIS authentication support" --result "NOT ENABLED" --color WHITE
+ Display --indent 2 --text "- NIS authentication support" --result "${STATUS_NOT_ENABLED}" --color WHITE
fi
fi
else
@@ -843,7 +849,7 @@
#
#################################################################################
#
- # Test : AUTH-9282 and AUTH-9283
+ # Test : AUTH-9282, AUTH-9283, and AUTH-9284
# Note : Every Linux based operating system seem to have different passwd
# options, so we have to check the version first.
if [ "${OS}" = "Linux" ]; then
@@ -853,25 +859,29 @@
PREQS_MET="YES"
FIND_P=$(passwd -a -S 2> /dev/null | ${AWKBINARY} '{ if ($2=="P" && $5=="99999") print $1 }')
FIND2=$(passwd -a -S 2> /dev/null | ${AWKBINARY} '{ if ($2=="NP") print $1 }')
+ FIND3=$(passwd -a -S 2> /dev/null | ${AWKBINARY} '{ if ($2=="L") print $1 }' | sort | uniq)
;;
*)
PREQS_MET="YES"
FIND_P=$(passwd --all --status 2> /dev/null | ${AWKBINARY} '{ if ($2=="P" && $5=="99999") print $1 }')
FIND2=$(passwd --all --status 2> /dev/null | ${AWKBINARY} '{ if ($2=="NP") print $1 }')
+ FIND3=$(passwd --all --status 2> /dev/null | ${AWKBINARY} '{ if ($2=="L") print $1 }' | sort | uniq)
;;
esac
elif [ "${OS_REDHAT_OR_CLONE}" -eq 1 ]; then
PREQS_MET="YES"
FIND_P=$(for I in $(${AWKBINARY} -F: '{print $1}' "${ROOTDIR}etc/passwd") ; do passwd -S "$I" | ${AWKBINARY} '{ if ($2=="PS" && $5=="99999") print $1 }' ; done)
FIND2=$(for I in $(${AWKBINARY} -F: '{print $1}' "${ROOTDIR}etc/passwd") ; do passwd -S "$I" | ${AWKBINARY} '{ if ($2=="NP") print $1 }' ; done)
+ FIND3=$(for I in $(${AWKBINARY} -F: '{print $1}' "${ROOTDIR}etc/passwd") ; do passwd -S "$I" | ${AWKBINARY} '{ if ($2=="L" || $2=="LK") print $1 }' | sort | uniq ; done)
else
LogText "Result: skipping test for this Linux version"
ReportManual "AUTH-9282:01"
PREQS_MET="NO"
FIND_P=""
FIND2=""
+ FIND3=""
fi
- else
+ else
PREQS_MET="NO"
fi
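Review bot: In the Red Hat branch the `sort | uniq` sits inside the `for` loop body, applied to the single line each `passwd -S "$I"` call produces, so it never deduplicates anything; move it after `done`, i.e. `FIND3=$(for I in $(${AWKBINARY} -F: '{print $1}' "${ROOTDIR}etc/passwd"); do passwd -S "$I" | ${AWKBINARY} '{ if ($2=="L" || $2=="LK") print $1 }'; done | ${SORTBINARY} | ${UNIQBINARY})`, which is what the other two branches effectively do. All three new lines call bare `sort` and `uniq` while the surrounding code and the new AUTH-9284 test use `${SORTBINARY}` and `${UNIQBINARY}`; use the same variables here. The enclosing if chain starts before this hunk.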
@@ -892,11 +902,10 @@
ReportSuggestion "${TEST_NO}" "When possible set expire dates for all password protected accounts"
fi
fi
-#
-#################################################################################
-#
+
# Test : AUTH-9283
# Description : Search passwordless accounts
+ # Notes : requires FIND2 variable
Register --test-no AUTH-9283 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking accounts without password"
if [ "${SKIPTEST}" -eq 0 ]; then
LogText "Test: Checking passwordless accounts"
@@ -913,6 +922,38 @@
ReportWarning "${TEST_NO}" "Found accounts without password"
fi
fi
+
+ # Test : AUTH-9284
+ # Description : Check locked user accounts in /etc/passwd
+ # Notes : requires FIND3 variable
+ Register --test-no AUTH-9284 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check locked user accounts in /etc/passwd"
+ if [ "${SKIPTEST}" -eq 0 ]; then
+ LogText "Test: Checking locked accounts"
+ NON_SYSTEM_ACCOUNTS=$(${AWKBINARY} -F : '$3 > 999 && $3 != 65534 {print $1}' ${ROOTDIR}etc/passwd | ${SORTBINARY} | ${UNIQBINARY})
+ LOCKED_NON_SYSTEM_ACCOUNTS=0
+ for account in ${FIND3}; do
+ if echo "${NON_SYSTEM_ACCOUNTS}" | ${GREPBINARY} -w "${account}" > /dev/null ; then
+ LOCKED_NON_SYSTEM_ACCOUNTS=$((LOCKED_NON_SYSTEM_ACCOUNTS + 1))
+ fi
+ done
+ if [ ${LOCKED_NON_SYSTEM_ACCOUNTS} -eq 0 ]; then
+ LogText "Result: all accounts seem to be unlocked"
+ Display --indent 2 --text "- Locked accounts" --result "${STATUS_OK}" --color GREEN
+ else
+ LogText "Result: found one or more locked accounts"
+ for account in ${FIND3}; do
+ if echo "${NON_SYSTEM_ACCOUNTS}" | ${GREPBINARY} -w "${account}" > /dev/null ; then
+ LogText "Locked account: ${account}"
+ Report "locked_account[]=${account}"
+ fi
+ done
+ Display --indent 2 --text "- Locked accounts" --result "${STATUS_FOUND}" --color RED
+ ReportSuggestion "${TEST_NO}" "Look at the locked accounts and consider removing them"
+ fi
+ unset account LOCKED_NON_SYSTEM_ACCOUNTS NON_SYSTEM_ACCOUNTS
+ fi
+
+ unset FIND1 FIND2 FIND3
#
#################################################################################
#
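Review bot: The membership test `echo "${NON_SYSTEM_ACCOUNTS}" | ${GREPBINARY} -w "${account}"` uses word matching against a one-name-per-line list, so a locked account named `svc` is counted whenever the list holds a name such as `svc-backup` (`-` is a word boundary for `-w`), and an account name beginning with `-` is parsed as an option. Since the list is one name per line, match whole lines in both loops: `${GREPBINARY} -x -- "${account}"`. The `$3 > 999` cut-off for "non-system" is hard-coded; systems that set `UID_MIN` to 500 in `login.defs` would have their regular accounts ignored, so reading that value when present would be more accurate. Also `unset FIND1 FIND2 FIND3` names `FIND1`, which is never assigned here (the first variable is `FIND_P`).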
@@ -1027,7 +1068,7 @@
# Test : AUTH-9306
# Description : Check if authentication is needed to boot the system
# Notes : :d_boot_authenticate: is a good option for production machines to
- # avoid unauthorized booting of systems. Option :d_boot_autentication@:
+ # avoid unauthorized booting of systems. Option :d_boot_authentication@:
# disabled a required login.
Register --test-no AUTH-9306 --os HP-UX --weight L --network NO --category security --description "Check single boot authentication"
if [ ${SKIPTEST} -eq 0 ]; then
@@ -1434,7 +1475,7 @@
if [ ${FOUND} -eq 1 ]; then
Display --indent 2 --text "- Checking account locking" --result "${STATUS_ENABLED}" --color GREEN
else
- Display --indent 2 --text "- Checking account locking" --result "NOT ENABLED" --color YELLOW
+ Display --indent 2 --text "- Checking account locking" --result "${STATUS_NOT_ENABLED}" --color YELLOW
fi
fi
#
@@ -1448,7 +1489,7 @@
FIND=$(${EGREPBINARY} "^passwd" ${ROOTDIR}etc/nsswitch.conf | ${GREPBINARY} "ldap")
if [ "${FIND}" = "" ]; then
LogText "Result: LDAP authentication not enabled"
- Display --indent 2 --text "- LDAP authentication support" --result "NOT ENABLED" --color WHITE
+ Display --indent 2 --text "- LDAP authentication support" --result "${STATUS_NOT_ENABLED}" --color WHITE
else
LogText "Result: LDAP authentication enabled"
Display --indent 2 --text "- LDAP authentication support" --result "${STATUS_ENABLED}" --color GREEN
diff --git a/include/tests_banners b/include/tests_banners
index 60fa3c2e..f7e4d7e9 100644
--- a/include/tests_banners
+++ b/include/tests_banners
@@ -22,7 +22,7 @@
#
#################################################################################
#
- InsertSection "Banners and identification"
+ InsertSection "${SECTION_BANNERS_AND_IDENTIFICATION}"
#
#################################################################################
#
diff --git a/include/tests_boot_services b/include/tests_boot_services
index 8ad83d7c..7d6feeec 100644
--- a/include/tests_boot_services
+++ b/include/tests_boot_services
@@ -22,7 +22,7 @@
#
#################################################################################
#
- InsertSection "Boot and services"
+ InsertSection "${SECTION_BOOT_AND_SERVICES}"
#
#################################################################################
#
@@ -139,6 +139,13 @@
SERVICE_MANAGER="launchd"
fi
;;
+ "Solaris")
+ if [ -n "${ROOTDIR}usr/bin/svcs" ]; then
+ SERVICE_MANAGER="SMF (svcs)"
+ elif [ -d "${ROOTDIR}etc/init.d" ]; then
+ SERVICE_MANAGER="SysV Init"
+ fi
+ ;;
*)
LogText "Result: unknown service manager"
;;
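Review bot: `if [ -n "${ROOTDIR}usr/bin/svcs" ]` tests whether the string is non-empty, which it always is, so `SERVICE_MANAGER` becomes `SMF (svcs)` on every Solaris host whether or not `svcs` exists and the `etc/init.d` fallback is unreachable. Use a file test, `if [ -x "${ROOTDIR}usr/bin/svcs" ]; then`, or better the `${SVCSBINARY}` variable the new BOOT-5170 test in this same file relies on, `if [ -n "${SVCSBINARY}" ]; then`. The enclosing case statement starts before this hunk.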
@@ -332,8 +339,12 @@
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
- CONF_FILES=$(${FINDBINARY} /etc/grub.d -type f -name "[0-9][0-9]*" -print0 | ${TRBINARY} '\0' ' ' | ${TRBINARY} -d '[:cntrl:]')
- CONF_FILES="${GRUBCONFFILE} ${ROOTDIR}boot/grub/custom.cfg ${CONF_FILES}"
+ if [ -d "${ROOTDIR}etc/grub.d" ]; then
+ CONF_FILES=$(${FINDBINARY} "${ROOTDIR}etc/grub.d" -type f -name "[0-9][0-9]*" -print0 | ${TRBINARY} '\0' ' ' | ${TRBINARY} -d '[:cntrl:]')
+ CONF_FILES="${GRUBCONFFILE} ${ROOTDIR}boot/grub/custom.cfg ${CONF_FILES}"
+ else
+ CONF_FILES="${GRUBCONFFILE} ${ROOTDIR}boot/grub/custom.cfg"
+ fi
for FILE in ${CONF_FILES}; do
if [ -f "${FILE}" ]; then
@@ -583,6 +594,55 @@
#
#################################################################################
#
+ # Test : BOOT-5170
+ # Description : Check for Solaris boot daemons
+ Register --test-no BOOT-5170 --os Solaris --weight L --network NO --category security --description "Check for Solaris boot daemons"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ if [ -n "${SVCSBINARY}" ]; then
+ LogText "Result: Using svcs binary to check for daemons"
+ LogText "SysV style services may be incorrectly counted as running."
+
+ Report "running_service_tool=svcs"
+
+ # For the documentation of the states (field $1) see
+ # "Managing System Services in Oracle Solaris 11.4" pp. 24, available
+ # at https://docs.oracle.com/cd/E37838_01/pdf/E60998.pdf
+
+ FIND=$("${SVCSBINARY}" -Ha | ${AWKBINARY} '{ if ($1 == "online" || $1 == "legacy_run") print $3 }')
+ COUNT=0
+ for ITEM in ${FIND}; do
+ LogText "Found running daemon: ${ITEM}"
+ Report "running_service[]=${ITEM}"
+ COUNT=$((COUNT + 1 ))
+ done
+ Display --indent 2 --text "- Check running daemons (svcs)" --result "${STATUS_DONE}" --color GREEN
+ Display --indent 8 --text "Result: found ${COUNT} running daemons"
+ LogText "Result: Found ${COUNT} running daemons"
+
+ LogText "Searching for enabled daemons (svcs)"
+ Report "boot_service_tool=svcs"
+
+ FIND=$("${SVCSBINARY}" -Ha | ${AWKBINARY} '{ if ($1 != "disabled" && $1 != "uninitialized") print $3 }')
+ COUNT=0
+ for ITEM in ${FIND}; do
+ LogText "Found enabled daemon at boot: ${ITEM}"
+ Report "boot_service[]=${ITEM}"
+ COUNT=$((COUNT + 1 ))
+ done
+ LogText "Note: Run svcs -a see all services"
+ Display --indent 2 --text "- Check enabled daemons at boot (svcs)" --result "${STATUS_DONE}" --color GREEN
+ Display --indent 8 --text "Result: found ${COUNT} enabled daemons at boot"
+ LogText "Result: Found ${COUNT} enabled daemons at boot"
+ fi
+ fi
+#
+#################################################################################
+#
+ # Test : BOOT-5171
+ # Description : Check for services with errors on solaris
+#
+#################################################################################
+#
# Test : BOOT-5177
# Description : Check for Linux boot services (systemd and chkconfig)
# Notes : We skip using chkconfig if systemd is being used.
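Review bot: The `BOOT-5171` entry added at the end of this hunk is a test header with no `Register` call and no body, so the file now advertises a test ID that does nothing; either implement it or turn the two lines into a `# TODO: BOOT-5171 check for SMF services in error state` so the ID is not mistaken for an existing check. In BOOT-5170 the "enabled at boot" filter `$1 != "disabled" && $1 != "uninitialized"` also counts any other state the cited Oracle document lists (for example `maintenance` or `offline`, if present) as enabled; that may be intended, but a comment saying so would spare the next reader a trip to the manual. The log line `Note: Run svcs -a see all services` is missing a word: `Note: Run 'svcs -a' to see all services`.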
@@ -682,7 +742,7 @@
#
# Test : BOOT-5184
# Description : Check world writable startup scripts
- Register --test-no BOOT-5184 --os Linux --weight L --network NO --category security --description "Check permissions for boot files/scripts"
+ Register --test-no BOOT-5184 --os "Linux Solaris" --weight L --network NO --category security --description "Check permissions for boot files/scripts"
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
CHECKDIRS="${ROOTDIR}etc/init.d ${ROOTDIR}etc/rc.d ${ROOTDIR}etc/rcS.d"
diff --git a/include/tests_containers b/include/tests_containers
index a9a18836..78c12c50 100644
--- a/include/tests_containers
+++ b/include/tests_containers
@@ -22,7 +22,7 @@
#
#################################################################################
#
- InsertSection "Containers"
+ InsertSection "${SECTION_CONTAINERS}"
#
#################################################################################
#
diff --git a/include/tests_crypto b/include/tests_crypto
index 02fa0a80..af63d21a 100644
--- a/include/tests_crypto
+++ b/include/tests_crypto
@@ -22,7 +22,11 @@
#
#################################################################################
#
- InsertSection "Cryptography"
+ RNG_FOUND=0
+#
+#################################################################################
+#
+ InsertSection "${SECTION_CRYPTOGRAPHY}"
#
#################################################################################
#
@@ -50,7 +54,7 @@
LASTSUBDIR=""
LogText "Result: found directory ${DIR}"
# Search for certificate files
- FILES=$(${FINDBINARY} ${DIR} -type f 2> /dev/null | ${EGREPBINARY} ".crt$|.pem$|^cert" | ${SORTBINARY} | ${SEDBINARY} 's/ /__space__/g')
+ FILES=$(${FINDBINARY} ${DIR} -type f 2> /dev/null | ${EGREPBINARY} ".cer$|.crt$|.der$|.pem$|^cert" | ${SORTBINARY} | ${SEDBINARY} 's/ /__space__/g')
for FILE in ${FILES}; do
FILE=$(echo ${FILE} | ${SEDBINARY} 's/__space__/ /g')
# See if we need to skip this path
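Review bot: The extended pattern `".cer$|.crt$|.der$|.pem$|^cert"` leaves the dots unescaped, so `.cer$` also matches names such as `xcer` and the new `.der$` matches anything ending in `der` (`folder`, `header`, `loader`), which are then pushed through the DER parsing path of the next hunk with stderr discarded. Escape them: `${EGREPBINARY} "\.cer$|\.crt$|\.der$|\.pem$|^cert"`. Note too that `^cert` is applied to the full path emitted by `find`, so it is unlikely to ever match; that predates this change, but it is worth a look while the pattern is being edited. The enclosing loop continues past this hunk.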
@@ -76,16 +80,23 @@
if [ ${CANREAD} -eq 1 ]; then
# Only check the files that are not installed by a package, unless enabled by profile
if [ ${SSL_CERTIFICATE_INCLUDE_PACKAGES} -eq 1 ] || ! FileInstalledByPackage "${FILE}"; then
+ echo ${FILE} | ${EGREPBINARY} --quiet ".cer$|.der$"
+ CER_DER=$?
OUTPUT=$(${GREPBINARY} -q 'BEGIN CERT' "${FILE}")
- if [ $? -eq 0 ]; then
+ if [ $? -eq 0 -o ${CER_DER} -eq 0 ]; then
LogText "Result: file is a certificate file"
- FIND=$(${OPENSSLBINARY} x509 -noout -in "${FILE}" -enddate 2> /dev/null | ${GREPBINARY} "^notAfter")
+ if [ ${CER_DER} -eq 0 ]; then
+ SSL_DER_OPT="-inform der"
+ else
+ SSL_DER_OPT=
+ fi
+ FIND=$(${OPENSSLBINARY} x509 -noout ${SSL_DER_OPT} -in "${FILE}" -enddate 2> /dev/null | ${GREPBINARY} "^notAfter")
if [ $? -eq 0 ]; then
# Check certificate where 'end date' has been expired
- FIND=$(${OPENSSLBINARY} x509 -noout -checkend 0 -in "${FILE}" -enddate 2> /dev/null)
+ FIND=$(${OPENSSLBINARY} x509 -noout ${SSL_DER_OPT} -checkend 0 -in "${FILE}" -enddate 2> /dev/null)
EXIT_CODE=$?
- CERT_CN=$(${OPENSSLBINARY} x509 -noout -subject -in "${FILE}" 2> /dev/null | ${SEDBINARY} -e 's/^subject.*CN=\([a-zA-Z0-9\.\-\*]*\).*$/\1/')
- CERT_NOTAFTER=$(${OPENSSLBINARY} x509 -noout -enddate -in "${FILE}" 2> /dev/null | ${AWKBINARY} -F= '{if ($1=="notAfter") { print $2 }}')
+ CERT_CN=$(${OPENSSLBINARY} x509 -noout ${SSL_DER_OPT} -subject -in "${FILE}" 2> /dev/null | ${SEDBINARY} -e 's/^subject.*CN=\([a-zA-Z0-9\.\-\*]*\).*$/\1/')
+ CERT_NOTAFTER=$(${OPENSSLBINARY} x509 -noout ${SSL_DER_OPT} -enddate -in "${FILE}" 2> /dev/null | ${AWKBINARY} -F= '{if ($1=="notAfter") { print $2 }}')
Report "certificate[]=${FILE}|${EXIT_CODE}|cn:${CERT_CN};notafter:${CERT_NOTAFTER};|"
if [ ${EXIT_CODE} -eq 0 ]; then
LogText "Result: certificate ${FILE} seems to be correct and still valid"
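Review bot: `CER_DER` is decided from the file extension alone and then forces `-inform der` for every `.cer` file, but `.cer` is also commonly used for PEM-encoded certificates (exactly the files for which the `BEGIN CERT` grep on the next line succeeds); for those, openssl now fails, its stderr is discarded, and the certificate is silently skipped instead of being checked. Decide the format from content first and fall back to DER only when the PEM marker is absent, e.g. `if [ ${CER_DER} -eq 0 ] && ! ${GREPBINARY} -q 'BEGIN CERT' "${FILE}"; then SSL_DER_OPT="-inform der"; else SSL_DER_OPT=""; fi`. The new `echo ${FILE} | ${EGREPBINARY} --quiet ".cer$|.der$"` expands `${FILE}` unquoted right after the loop took care to restore spaces in it; a `case "${FILE}" in *.cer|*.der) CER_DER=0 ;; *) CER_DER=1 ;; esac` avoids both the subshell and the word splitting. The enclosing if/loop starts before this hunk and continues after it.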
@@ -181,20 +192,28 @@
if [ ${SKIPTEST} -eq 0 ]; then
ENCRYPTED_SWAPS=0
UNENCRYPTED_SWAPS=0
- SWAPS=$(${SWAPONBINARY} --show=NAME --noheadings)
- for BLOCK_DEV in ${SWAPS}; do
- if ${CRYPTSETUPBINARY} isLuks "${BLOCK_DEV}" 2> /dev/null; then
- LogText "Result: Found LUKS encrypted swap device: ${BLOCK_DEV}"
- ENCRYPTED_SWAPS=$((ENCRYPTED_SWAPS +1))
- elif ${CRYPTSETUPBINARY} status "${BLOCK_DEV}" | ${GREPBINARY} --quiet "cipher:"; then
- LogText "Result: Found non-LUKS encrypted swap device: ${BLOCK_DEV}"
- ENCRYPTED_SWAPS=$((ENCRYPTED_SWAPS +1))
- else
- LogText "Result: Found unencrypted swap device: ${BLOCK_DEV}"
- UNENCRYPTED_SWAPS=$((UNENCRYPTED_SWAPS +1))
- fi
- done
- Display --indent 2 --text "- Found ${ENCRYPTED_SWAPS} encrypted and ${UNENCRYPTED_SWAPS} unencrypted swap devices in use." --result OK --color WHITE
+ # Redirect errors, as RHEL 5/6 and others don't have the --show option
+ SWAPS=$(${SWAPONBINARY} --show=NAME --noheadings 2> /dev/null)
+ if [ $? -eq 0 ]; then
+ for BLOCK_DEV in ${SWAPS}; do
+ if ${CRYPTSETUPBINARY} isLuks "${BLOCK_DEV}" 2> /dev/null; then
+ LogText "Result: Found LUKS encrypted swap device: ${BLOCK_DEV}"
+ ENCRYPTED_SWAPS=$((ENCRYPTED_SWAPS + 1))
+ Report "encrypted_swap[]=${BLOCK_DEV},LUKS"
+ elif ${CRYPTSETUPBINARY} status "${BLOCK_DEV}" 2> /dev/null | ${GREPBINARY} --quiet "cipher:"; then
+ LogText "Result: Found non-LUKS encrypted swap device: ${BLOCK_DEV}"
+ ENCRYPTED_SWAPS=$((ENCRYPTED_SWAPS + 1))
+ Report "encrypted_swap[]=${BLOCK_DEV},other"
+ else
+ LogText "Result: Found unencrypted swap device: ${BLOCK_DEV}"
+ UNENCRYPTED_SWAPS=$((UNENCRYPTED_SWAPS +1))
+ Report "non_encrypted_swap[]=${BLOCK_DEV}"
+ fi
+ done
+ Display --indent 2 --text "- Found ${ENCRYPTED_SWAPS} encrypted and ${UNENCRYPTED_SWAPS} unencrypted swap devices in use." --result OK --color WHITE
+ else
+ LogText "Result: skipping testing as swapon returned an error."
+ fi
fi
#
#################################################################################
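Review bot: `swapon --show=NAME` lists swap files as well as block devices, and neither `cryptsetup isLuks` nor `cryptsetup status` succeeds on a regular file, so a swap file that lives on a dm-crypt-backed filesystem is logged as unencrypted and reported as `non_encrypted_swap[]` - a likely false positive in the new report data. Requesting the type too (`--show=NAME,TYPE --noheadings`) and treating `file` entries separately, or at least recording the type in the `Report` value, would make the data usable downstream. Minor style point: L2413 keeps `$((UNENCRYPTED_SWAPS +1))` while the rewritten lines above use `+ 1`. Also note the summary line at L2417 reports `OK` even when `UNENCRYPTED_SWAPS` is non-zero; if that is intentional it deserves a one-line comment.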
@@ -226,12 +245,13 @@
if [ ${SKIPTEST} -eq 0 ]; then
LogText "Test: looking for ${ROOTDIR}sys/class/misc/hw_random/rng_current"
if [ -f "${ROOTDIR}sys/class/misc/hw_random/rng_current" ]; then
- DATA=$(${HEADBINARY} --lines=1 ${ROOTDIR}sys/class/misc/hw_random/rng_current | ${TRBINARY} -d '[[:cntrl:]]')
+ DATA=$(${HEADBINARY} -n 1 ${ROOTDIR}sys/class/misc/hw_random/rng_current | ${TRBINARY} -d '[[:cntrl:]]')
if [ "${DATA}" != "none" ]; then
LogText "Result: positive match, found RNG: ${DATA}"
if IsRunning "rngd"; then
Display --indent 2 --text "- HW RNG & rngd" --result "${STATUS_YES}" --color GREEN
LogText "Result: rngd is running"
+ RNG_FOUND=1
else
Display --indent 2 --text "- HW RNG & rngd" --result "${STATUS_NO}" --color YELLOW
# TODO - enable suggestion when website has listing for this control
@@ -263,8 +283,9 @@
done
if [ -z "${FOUND}" ]; then
Display --indent 2 --text "- SW prng" --result "${STATUS_NO}" --color YELLOW
- ReportSuggestion "${TEST_NO}" "Utilize software pseudo random number generators"
+ # ReportSuggestion "${TEST_NO}" "Utilize software pseudo random number generators"
else
+ RNG_FOUND=1
Display --indent 2 --text "- SW prng" --result "${STATUS_YES}" --color GREEN
LogText "Result: found ${FOUND} running"
fi
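Review bot: The `ReportSuggestion` at L2444 is commented out with no explanation, which reads as dead code to the next maintainer. The sibling HW-RNG branch in the previous hunk carries `# TODO - enable suggestion when website has listing for this control`; either add the same comment above L2444 or delete the line.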
@@ -272,6 +293,10 @@
#
#################################################################################
#
+ Report "rng_found=${RNG_FOUND}"
+#
+#################################################################################
+#
WaitForKeyPress
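Review bot: `Report "rng_found=${RNG_FOUND}"` depends on `RNG_FOUND` being initialised somewhere outside this diff; if it is not set to 0 at the top of the file, a host with neither a running rngd nor a software PRNG emits `rng_found=` with an empty value. Either confirm the initialisation or make the line self-sufficient with `Report "rng_found=${RNG_FOUND:-0}"`. Also note that the earlier hunk sets the flag only when rngd is running, not when a hardware RNG is merely present; if that is the intended meaning, a comment such as `# RNG_FOUND: 1 when rngd or a software PRNG daemon is running` would prevent misreading the report key.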
diff --git a/include/tests_databases b/include/tests_databases
index ace3fd67..9c8e1de0 100644
--- a/include/tests_databases
+++ b/include/tests_databases
@@ -39,7 +39,7 @@
#
#################################################################################
#
- InsertSection "Databases"
+ InsertSection "${SECTION_DATABASES}"
# Test : DBS-1804
# Description : Check if MySQL is being used
@@ -86,7 +86,7 @@
# "-u root --password=" avoids ~/.my.cnf authentication settings
# "plugin = 'mysql_native_password' AND authentication_string = ''" avoids false positives when secure plugins are used
- FIND=$(${MYSQLCLIENTBINARY} --no-defaults -u root --password= --silent --batch --execute="SELECT count(*) FROM mysql.user WHERE user = 'root' AND plugin = 'mysql_native_password' AND authentication_string = ''" mysql 2>/dev/null; echo $?)
+ FIND=$(${MYSQLCLIENTBINARY} --no-defaults -u root --password= --silent --batch --execute="SELECT count(*) FROM mysql.user WHERE user = 'root' AND plugin = 'mysql_native_password' AND authentication_string = ''" mysql > /dev/null 2>&1; echo $?)
if [ "${FIND}" = "0" ]; then
LogText "Result: Login succeeded, no MySQL root password set!"
ReportWarning "${TEST_NO}" "No MySQL root password set"
diff --git a/include/tests_dns b/include/tests_dns
index e21a2aef..085168d4 100644
--- a/include/tests_dns
+++ b/include/tests_dns
@@ -45,11 +45,11 @@
#
# if [ "${GOOD}" = "${TIMEOUT}" -a "${BAD}" = "${TIMEOUT}" ]; then
# LogText "Result: received timeout, can't determine DNSSEC validation"
-# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKOWN}" --color YELLOW
+# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKNOWN}" --color YELLOW
# #ReportException "${TEST_NO}" "Exception found, both query failed, due to connection timeout"
# elif [ -z "${GOOD}" -a -n "${BAD}" ]; then
# LogText "Result: good signature failed, yet bad signature was accepted"
-# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKOWN}" --color YELLOW
+# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_UNKNOWN}" --color YELLOW
# #ReportException "${TEST_NO}" "Exception found, OK failed, bad signature was accepted"
# elif [ -n "${GOOD}" -a -n "${BAD}" ]; then
# Display --indent 4 --text "- Checking DNSSEC validation" --result "${STATUS_SUGGESTION}" --color YELLOW
diff --git a/include/tests_file_integrity b/include/tests_file_integrity
index 728c2616..c06b1703 100644
--- a/include/tests_file_integrity
+++ b/include/tests_file_integrity
@@ -25,7 +25,7 @@
#
#################################################################################
#
- InsertSection "Software: file integrity"
+ InsertSection "${SECTION_FILE_INTEGRITY}"
Display --indent 2 --text "- Checking file integrity tools"
#
#################################################################################
diff --git a/include/tests_file_permissions b/include/tests_file_permissions
index e9e859fd..50ccdeee 100644
--- a/include/tests_file_permissions
+++ b/include/tests_file_permissions
@@ -22,7 +22,7 @@
#
#################################################################################
#
- InsertSection "File Permissions"
+ InsertSection "${SECTION_FILE_PERMISSIONS}"
#
#################################################################################
#
diff --git a/include/tests_filesystems b/include/tests_filesystems
index aabdc2be..0de387f7 100644
--- a/include/tests_filesystems
+++ b/include/tests_filesystems
@@ -28,7 +28,7 @@
#
#################################################################################
#
- InsertSection "File systems"
+ InsertSection "${SECTION_FILE_SYSTEMS}"
#
#################################################################################
#
@@ -212,10 +212,11 @@
#################################################################################
#
# Test : FILE-6330
- # Description : Query all ZFS mounts from /etc/fstab
+ # Description : Query ZFS mounts
+ # Note : mount -p does not work under Linux
Register --test-no FILE-6330 --os FreeBSD --weight L --network NO --category security --description "Checking ZFS file systems"
if [ ${SKIPTEST} -eq 0 ]; then
- LogText "Test: Query /etc/fstab for available ZFS mount points"
+ LogText "Test: Discover for available ZFS mount points"
FIND=$(${MOUNTBINARY} -p | ${AWKBINARY} '{ if ($3 == "zfs") { print $1":"$2":"$3":"$4":" }}')
if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Querying ZFS mount points (mount -p)" --result "${STATUS_NONE}" --color WHITE
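Review bot: The rewritten log line at L2546 reads `Test: Discover for available ZFS mount points`, which is ungrammatical; `LogText "Test: discover available ZFS mount points"` matches the lower-case style of the other `Test:` messages in this file. The new `Note` at L2542 is useful, but since the test is registered `--os FreeBSD` it would be clearer to say that this is why the test is FreeBSD-only.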
@@ -236,7 +237,7 @@
# Description : Query all HAMMER PFS mounts from /etc/fstab
Register --test-no FILE-6439 --os DragonFly --weight L --network NO --category security --description "Checking HAMMER PFS mounts"
if [ ${SKIPTEST} -eq 0 ]; then
- LogText "Test: Query /etc/fstab for available HAMMER PFS mount points"
+ LogText "Test: Query /etc/fstab for available HAMMER PFS mount points"
FIND=$(${MOUNTBINARY} -p | ${AWKBINARY} '{ if ($3 == "null") { print $1":"$2":"$3":"$4":" }}')
if [ -z "${FIND}" ]; then
Display --indent 2 --text "- Querying HAMMER PFS mount points (mount -p)" --result "${STATUS_NONE}" --color WHITE
@@ -628,11 +629,11 @@
fi
done
fi
- NMOUNTS=$(mount | ${WCBINARY} --lines)
- NDEVMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v nodev | ${WCBINARY} --lines)
- NEXECMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v noexec | ${WCBINARY} --lines)
- NSUIDMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v nosuid | ${WCBINARY} --lines)
- NWRITEANDEXECMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v noexec | ${EGREPBINARY} -v '^\(ro[,)]' | ${WCBINARY} --lines)
+ NMOUNTS=$(mount | ${WCBINARY} -l)
+ NDEVMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v nodev | ${WCBINARY} -l)
+ NEXECMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v noexec | ${WCBINARY} -l)
+ NSUIDMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v nosuid | ${WCBINARY} -l)
+ NWRITEANDEXECMOUNTS=$(mount | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v noexec | ${EGREPBINARY} -v '^\(ro[,)]' | ${WCBINARY} -l)
LogText "Result: Total without nodev:${NDEVMOUNTS} noexec:${NEXECMOUNTS} nosuid:${NSUIDMOUNTS} ro or noexec (W^X): ${NWRITEANDEXECMOUNTS}, of total ${NMOUNTS}"
Display --indent 2 --text "- Total without nodev:${NDEVMOUNTS} noexec:${NEXECMOUNTS} nosuid:${NSUIDMOUNTS} ro or noexec (W^X): ${NWRITEANDEXECMOUNTS} of total ${NMOUNTS}"
fi
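Review bot: The five rewritten lines at L2568-L2572 still call a bare `mount` while the rest of this file goes through `${MOUNTBINARY}` (L2547, L2556), and they spawn `mount` five times for one table; since these lines were touched anyway, capturing the output once and using the binary variable would be consistent and cheaper. The counting logic is unchanged below. This assumes `MOUNTBINARY` is populated on the Linux path as well, which is not visible here.
```shell
# Read the mount table once; every count below works on the same snapshot
MOUNT_TABLE=$(${MOUNTBINARY})
NMOUNTS=$(printf '%s\n' "${MOUNT_TABLE}" | ${WCBINARY} -l)
NDEVMOUNTS=$(printf '%s\n' "${MOUNT_TABLE}" | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v nodev | ${WCBINARY} -l)
NEXECMOUNTS=$(printf '%s\n' "${MOUNT_TABLE}" | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v noexec | ${WCBINARY} -l)
NSUIDMOUNTS=$(printf '%s\n' "${MOUNT_TABLE}" | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v nosuid | ${WCBINARY} -l)
NWRITEANDEXECMOUNTS=$(printf '%s\n' "${MOUNT_TABLE}" | ${AWKBINARY} '{print $6}' | ${GREPBINARY} -v noexec | ${EGREPBINARY} -v '^\(ro[,)]' | ${WCBINARY} -l)
# … unchanged: LogText / Display of the totals …
```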
@@ -829,12 +830,15 @@
AddHP 3 3
if IsDebug; then Display --indent 6 --text "- Module ${FS} not present in the kernel" --result OK --color GREEN; fi
fi
- FIND1=$(${EGREPBINARY} "blacklist ${FS}" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
- FIND2=$(${EGREPBINARY} "install ${FS} /bin/true" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
- if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then
- Display --indent 4 --text "- Module $FS is blacklisted" --result "OK" --color GREEN
- LogText "Result: module ${FS} is blacklisted"
- fi
+ FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null)
+ if [ -n "${FIND}" ]; then
+ FIND1=$(${EGREPBINARY} "blacklist ${FS}" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
+ FIND2=$(${EGREPBINARY} "install ${FS} /bin/true" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
+ if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then
+ Display --indent 4 --text "- Module $FS is blacklisted" --result "OK" --color GREEN
+ LogText "Result: module ${FS} is blacklisted"
+ fi
+ fi
done
if [ ${FOUND} -eq 1 ]; then
Display --indent 4 --text "- Discovered kernel modules: ${AVAILABLE_MODPROBE_FS}"
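Review bot: The blacklist patterns at L2588-L2589 are unanchored substring matches, so `blacklist ${FS}` with FS=`hfs` also matches `blacklist hfsplus`, `grep -v "#"` discards any line containing a `#` anywhere, the `install` form only accepts `/bin/true` although `/bin/false` is commonly used in hardening guides, and the glob includes files without the `.conf` suffix that modprobe does not read - all of which produce a false "module is blacklisted" result. Anchoring the expressions makes the `ls` pre-check and the comment filter unnecessary: `FIND1=$(${EGREPBINARY} "^[[:space:]]*blacklist[[:space:]]+${FS}([[:space:]]|$)" ${ROOTDIR}etc/modprobe.d/*.conf 2> /dev/null)` and `FIND2=$(${EGREPBINARY} "^[[:space:]]*install[[:space:]]+${FS}[[:space:]]+/bin/(true|false)" ${ROOTDIR}etc/modprobe.d/*.conf 2> /dev/null)`. The enclosing `for` loop over filesystems starts before this hunk.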
diff --git a/include/tests_firewalls b/include/tests_firewalls
index 20f87e1e..685f2452 100644
--- a/include/tests_firewalls
+++ b/include/tests_firewalls
@@ -22,7 +22,7 @@
#
#################################################################################
#
- InsertSection "Software: firewalls"
+ InsertSection "${SECTION_FIREWALLS}"
#
#################################################################################
#
@@ -407,6 +407,8 @@
Register --test-no FIRE-4534 --weight L --os "macOS" --network NO --category security --description "Check for presence of outbound firewalls on macOS"
if [ ${SKIPTEST} -eq 0 ]; then
+ FOUND=0
+
# Little Snitch Daemon (macOS)
LogText "Test: checking process Little Snitch Daemon"
if IsRunning --full "Little Snitch Daemon"; then
@@ -537,7 +539,7 @@
Register --test-no FIRE-4590 --weight L --network NO --category security --description "Check firewall status"
if [ ${SKIPTEST} -eq 0 ]; then
if [ ${FIREWALL_ACTIVE} -eq 1 ]; then
- Display --indent 2 --text "- Checking host based firewall" --result "ACTIVE" --color GREEN
+ Display --indent 2 --text "- Checking host based firewall" --result "${STATUS_ACTIVE}" --color GREEN
LogText "Result: host based firewall or packet filter is active"
Report "manual[]=Verify if there is a formal process for testing and applying firewall rules"
Report "manual[]=Verify all traffic is filtered the right way between the different security zones"
@@ -546,7 +548,7 @@
Report "manual[]=Make sure an explicit deny all is the default policy for all unmatched traffic"
AddHP 5 5
else
- Display --indent 2 --text "- Checking host based firewall" --result "NOT ACTIVE" --color YELLOW
+ Display --indent 2 --text "- Checking host based firewall" --result "${STATUS_NOT_ACTIVE}" --color YELLOW
LogText "Result: no host based firewall/packet filter found or configured"
ReportSuggestion "${TEST_NO}" "Configure a firewall/packet filter to filter incoming and outgoing traffic"
AddHP 0 5
diff --git a/include/tests_hardening b/include/tests_hardening
index 2f88b179..4feff7c6 100644
--- a/include/tests_hardening
+++ b/include/tests_hardening
@@ -18,7 +18,7 @@
#
#################################################################################
#
- InsertSection "Hardening"
+ InsertSection "${SECTION_HARDENING}"
# COMPILER_INSTALLED is initialized before
HARDEN_COMPILERS_NEEDED=0
diff --git a/include/tests_homedirs b/include/tests_homedirs
index 09f4601c..c896bf86 100644
--- a/include/tests_homedirs
+++ b/include/tests_homedirs
@@ -22,7 +22,7 @@
#
#################################################################################
#
- InsertSection "Home directories"
+ InsertSection "${SECTION_HOME_DIRECTORIES}"
#
#################################################################################
#
diff --git a/include/tests_insecure_services b/include/tests_insecure_services
index 5c8af1fc..2ba308b3 100644
--- a/include/tests_insecure_services
+++ b/include/tests_insecure_services
@@ -22,7 +22,7 @@
#
#################################################################################
#
- InsertSection "Insecure services"
+ InsertSection "${SECTION_INSECURE_SERVICES}"
#
#################################################################################
#
@@ -63,11 +63,11 @@
LogText "Test: Searching for active inet daemon"
if IsRunning "inetd"; then
LogText "Result: inetd is running"
- Display --indent 4 --text "- inetd status" --result "ACTIVE" --color GREEN
+ Display --indent 4 --text "- inetd status" --result "${STATUS_ACTIVE}" --color GREEN
INETD_ACTIVE=1
else
LogText "Result: inetd is NOT running"
- Display --indent 4 --text "- inetd status" --result "NOT ACTIVE" --color GREEN
+ Display --indent 4 --text "- inetd status" --result "${STATUS_NOT_ACTIVE}" --color GREEN
fi
fi
#
@@ -158,11 +158,11 @@
LogText "Test: Searching for active extended internet services daemon (xinetd)"
if IsRunning "xinetd"; then
LogText "Result: xinetd is running"
- Display --indent 4 --text "- xinetd status" --result "ACTIVE" --color GREEN
+ Display --indent 4 --text "- xinetd status" --result "${STATUS_ACTIVE}" --color GREEN
XINETD_ACTIVE=1
else
LogText "Result: xinetd is NOT running"
- Display --indent 4 --text "- xinetd status" --result "NOT ACTIVE" --color GREEN
+ Display --indent 4 --text "- xinetd status" --result "${STATUS_NOT_ACTIVE}" --color GREEN
fi
fi
#
@@ -385,7 +385,7 @@
if [ ${FOUND} -eq 1 ]; then
LogText "Result: telnet server is installed"
Display --indent 2 --text "- Installed telnet server package" --result "${STATUS_FOUND}" --color YELLOW
- ReportSuggestion "${TEST_NO}" "Removing the ${FOUND} package and replace with SSH when possible"
+ ReportSuggestion "${TEST_NO}" "Removing the telnet server package and replace with SSH when possible"
Report "insecure_service[]=telnet-server"
else
LogText "Result: telnet server is NOT installed"
diff --git a/include/tests_kernel b/include/tests_kernel
index 72e5082b..119b276e 100644
--- a/include/tests_kernel
+++ b/include/tests_kernel
@@ -22,7 +22,7 @@
#
#################################################################################
#
- InsertSection "Kernel"
+ InsertSection "${SECTION_KERNEL}"
#
#################################################################################
#
@@ -235,12 +235,13 @@
Register --test-no KRNL-5728 --os Linux --weight L --network NO --category security --description "Checking Linux kernel config"
if [ ${SKIPTEST} -eq 0 ]; then
CHECKFILE="${ROOTDIR}boot/config-$(uname -r)"
+ CHECKFILE_ZIPPED="${ROOTDIR}proc/config.gz"
if [ -f ${CHECKFILE} ]; then
LINUXCONFIGFILE="${CHECKFILE}"
LogText "Result: found config (${LINUXCONFIGFILE})"
Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_FOUND}" --color GREEN
- elif [ -f ${ROOTDIR}proc/config.gz ]; then
- LINUXCONFIGFILE="${CHECKFILE}"
+ elif [ -f ${CHECKFILE_ZIPPED} ]; then
+ LINUXCONFIGFILE="${CHECKFILE_ZIPPED}"
LINUXCONFIGFILE_ZIPPED=1
LogText "Result: found config: ${ROOTDIR}proc/config.gz (compressed)"
Display --indent 2 --text "- Checking Linux kernel configuration file" --result "${STATUS_FOUND}" --color GREEN
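Review bot: The new test at L2736 leaves the expansion unquoted and the log line at L2739 still hardcodes the path that `CHECKFILE_ZIPPED` was introduced to name; `elif [ -f "${CHECKFILE_ZIPPED}" ]; then` and `LogText "Result: found config: ${CHECKFILE_ZIPPED} (compressed)"` keep the two in step. The fix of `LINUXCONFIGFILE` at L2737 is correct - the old code pointed at the non-existent uncompressed file.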
@@ -484,13 +485,13 @@
( [ ${SYSD_CORED_BASE_PROCSIZEMAX_NR_ENABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -ge 1 ] ) || \
( [ ${SYSD_CORED_BASE_STORAGE_NR_ENABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -ge 1 ] ) || \
( [ ${SYSD_CORED_SUB_PROCSIZEMAX_NR_ENABLED} -ge 1 ] && [ ${SYSD_CORED_SUB_STORAGE_NR_ENABLED} -ge 1 ] ); then
- LogText "Result: core dumps are explicitely enabled in systemd configuration files"
+ LogText "Result: core dumps are explicitly enabled in systemd configuration files"
ReportSuggestion "${TEST_NO}" "If not required, consider explicit disabling of core dump in ${ROOTDIR}etc/systemd/coredump.conf ('ProcessSizeMax=0', 'Storage=none')"
Display --indent 4 --text "- configuration in systemd conf files" --result "${STATUS_ENABLED}" --color RED
AddHP 0 1
else
LogText "Result: core dumps are not disabled in systemd configuration. Didn't find settings 'ProcessSizeMax=0' and 'Storage=none'"
- Display --indent 4 --text "- configuration in systemd conf files" --result "DEFAULT" --color WHITE
+ Display --indent 4 --text "- configuration in systemd conf files" --result "${STATUS_DEFAULT}" --color WHITE
AddHP 0 1
fi
fi
@@ -507,7 +508,7 @@
AddHP 1 1
elif [ -z "${ULIMIT_C_VALUE_SUB}" ] && [ -z "${ULIMIT_C_VALUE}" ]; then
LogText "Result: core dumps are not disabled in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh config files. Didn't find setting 'ulimit -c 0'"
- Display --indent 4 --text "- configuration in etc/profile" --result "DEFAULT" --color WHITE
+ Display --indent 4 --text "- configuration in etc/profile" --result "${STATUS_DEFAULT}" --color WHITE
AddHP 0 1
elif ( [ -n "${ULIMIT_C_VALUE_SUB}" ] && ( [ "${ULIMIT_C_VALUE_SUB}" = "unlimited" ] || [ "${ULIMIT_C_VALUE_SUB}" != "0" ] ) ) || ( [ -n "${ULIMIT_C_VALUE}" ] && [ -z "${ULIMIT_C_VALUE_SUB}" ] && ( [ "${ULIMIT_C_VALUE}" = "unlimited" ] || [ "${ULIMIT_C_VALUE}" != "0" ] ) ); then
LogText "Result: core dumps are enabled in ${ROOTDIR}etc/profile or ${ROOTDIR}etc/profile.d/*.sh config files. A value higher than 0 is configured for 'ulimit -c'"
@@ -515,7 +516,7 @@
AddHP 0 1
else
LogText "Result: ERROR - something went wrong. Unexpected result during check of ${ROOTDIR}etc/profile and ${ROOTDIR}etc/profile.d/*.sh config files. Please report on Github!"
- Display --indent 4 --text "- configuration in etc/profile" --result "ERROR" --color YELLOW
+ Display --indent 4 --text "- configuration in etc/profile" --result "${STATUS_ERROR}" --color YELLOW
fi
fi
# Limits option
@@ -537,8 +538,8 @@
FIND2="hard core enabled"
fi
- IS_SOFTCORE_DISABLED="$(if [ "${FIND1}" = "soft core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND1}" = "soft core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} DEFAULT; fi)"
- IS_HARDCORE_DISABLED="$(if [ "${FIND2}" = "hard core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND2}" = "hard core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} DEFAULT; fi)"
+ IS_SOFTCORE_DISABLED="$(if [ "${FIND1}" = "soft core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND1}" = "soft core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} ${STATUS_DEFAULT}; fi)"
+ IS_HARDCORE_DISABLED="$(if [ "${FIND2}" = "hard core disabled" ]; then ${ECHOCMD} DISABLED; elif [ "${FIND2}" = "hard core enabled" ]; then ${ECHOCMD} ENABLED; else ${ECHOCMD} ${STATUS_DEFAULT}; fi)"
if [ "${FIND2}" = "hard core disabled" ]; then
LogText "Result: core dumps are hard disabled"
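Review bot: L2780-L2781 now mix a localised `${STATUS_DEFAULT}` with the literal `DISABLED`/`ENABLED` in the same value, and the expansion is unquoted inside `${ECHOCMD}`. If `IS_SOFTCORE_DISABLED`/`IS_HARDCORE_DISABLED` are only ever displayed, use `"${STATUS_DISABLED}"`/`"${STATUS_ENABLED}"` (both constants appear elsewhere in this file) for all three branches; if they are compared against literal strings later in the function, which is outside this hunk, the localised value will break that comparison and the change should be reverted with a comment saying why.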
@@ -586,18 +587,18 @@
fi
if [ "${FIND}" = "2" ]; then
LogText "Result: programs can dump core dump, but only readable by root (value 2, for debugging with file protection)"
- Display --indent 4 --text "- Checking setuid core dumps configuration" --result PROTECTED --color WHITE
+ Display --indent 4 --text "- Checking setuid core dumps configuration" --result "${STATUS_PROTECTED}" --color WHITE
AddHP 1 1
elif [ "${FIND}" = "1" ]; then
LogText "Result: all programs can perform core dumps (value 1, for debugging)"
- Display --indent 2 --text "- Checking setuid core dumps configuration" --result DEBUG --color YELLOW
+ Display --indent 2 --text "- Checking setuid core dumps configuration" --result "${STATUS_DEBUG}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Determine if all binaries need to be able to core dump"
AddHP 0 1
else
# 0 - (default) - traditional behaviour. Any process which has changed privilege levels or is execute only will not be dumped
# https://www.kernel.org/doc/Documentation/sysctl/fs.txt
LogText "Result: found default option (0), no execute only program or program with changed privilege levels can dump"
- Display --indent 4 --text "- Checking setuid core dumps configuration" --result DISABLED --color GREEN
+ Display --indent 4 --text "- Checking setuid core dumps configuration" --result "${STATUS_DISABLED}" --color GREEN
AddHP 1 1
fi
fi
@@ -663,9 +664,13 @@
elif [ -f ${ROOTDIR}boot/vmlinuz-linux-lts ]; then
LogText "Result: found ${ROOTDIR}boot/vmlinuz-linux-lts"
FOUND_VMLINUZ=${ROOTDIR}boot/vmlinuz-linux-lts
+ elif [ -f ${ROOTDIR}boot/vmlinuz-lts ]; then
+ LogText "Result: found ${ROOTDIR}boot/vmlinuz-lts"
+ FOUND_VMLINUZ=${ROOTDIR}boot/vmlinuz-lts
else
- # Match on /boot/vm5.3.7 or /boot/vmlinuz-5.3.7-1-default
- FOUND_VMLINUZ=$(${LSBINARY} -t ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${HEADBINARY} -1)
+ # Match on items like /boot/vm5.3.7 or /boot/vmlinuz-5.3.7-1-default. Get newest file (ls -t and pipe into head)
+ # Note: ignore a rescue kernel (e.g. CentOS)
+ FOUND_VMLINUZ=$(${LSBINARY} -t ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${GREPBINARY} -v '\-rescue\-' | ${HEADBINARY} -1)
LogText "Result: found ${FOUND_VMLINUZ}"
fi
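Review bot: The pattern `'\-rescue\-'` at L2818 contains stray backslashes before `-`, which recent GNU grep versions report as a warning on stderr on every run; since the pattern starts with a dash it should be passed as `${GREPBINARY} -v -e '-rescue-'`. The rest of the kernel discovery chain is unchanged and the `if` it belongs to starts before this hunk.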
@@ -674,10 +679,24 @@
LogText "Result: found a symlink, retrieving destination"
FOUND_VMLINUZ=$(readlink "${FOUND_VMLINUZ}")
LogText "Result: destination file is ${FOUND_VMLINUZ}"
- VERSION_ON_DISK=$(echo ${FOUND_VMLINUZ} | ${SEDBINARY} 's/^vmlinuz-//')
+ VERSION_ON_DISK=$(echo ${FOUND_VMLINUZ} | ${SEDBINARY} 's#^/boot/##' | ${SEDBINARY} 's/^vmlinuz-//')
+ LogText "Result: version derived from file name is '${VERSION_ON_DISK}'"
+ elif [ -f "${FOUND_VMLINUZ}" ]; then
+ VERSION_ON_DISK=$(echo ${FOUND_VMLINUZ} | ${SEDBINARY} 's#^/boot/##' | ${SEDBINARY} 's/^vmlinuz-//' | ${SEDBINARY} '$s/-\?\(linux\)\?-\?\(lts\)\?//')
LogText "Result: version derived from file name is '${VERSION_ON_DISK}'"
+
fi
+ # Data check: perform reset if we found a version but looks incomplete
+ # Example: Arch Linux will return only 'linux' as its version after it discovered /boot/vmlinuz-linux
+ case ${VERSION_ON_DISK} in
+ "linux" | "linux-lts")
+ LogText "Result: reset of version (${VERSION_ON_DISK}) as it looks incomplete"
+ VERSION_ON_DISK=""
+ ;;
+ esac
+
+ # If we did not find the version yet, see if we can extract it from the magic data that 'file' returns
if [ -z "${VERSION_ON_DISK}" ]; then
LogText "Test: checking kernel version on disk"
NEXTLINE=0
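Review bot: The new `sed 's#^/boot/##'` at L2826 and L2829 hardcodes `/boot/` while everything else in this test uses `${ROOTDIR}boot/`, so with a non-root `ROOTDIR` the prefix survives and `VERSION_ON_DISK` becomes a path; the `\?` in the third `sed` expression at L2829 is also a GNU extension. Both first steps can be replaced by POSIX parameter expansion that is independent of the prefix and needs no external process: `VERSION_ON_DISK=${FOUND_VMLINUZ##*/}` followed by `VERSION_ON_DISK=${VERSION_ON_DISK#vmlinuz-}`. The `-linux`/`-lts` stripping can then stay a single `sed` with an ERE (`-E 's/-?(linux)?-?(lts)?$//'`) if portability to BSD sed matters for this file. The stray blank line at L2831 inside the `elif` body should also go.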
@@ -693,6 +712,7 @@
done
fi
+ # Last check if we finally got a version or not
if [ -z "${VERSION_ON_DISK}" ]; then
LogText "Result: could not find the version on disk"
ReportException "${TEST_NO}:4" "Could not find the kernel version"
@@ -776,7 +796,7 @@
# Attempt to check for Raspbian if reboot is needed
# This check searches for apt package "raspberrypi-kernel-[package-date]", trys to extract the date of packaging from the filename
# and compares that date with the currently running kernel's build date (uname -v).
- # Of course there can be a time difference between kernel build and kernel packaging, therefor a time difference of
+ # Of course there can be a time difference between kernel build and kernel packaging, therefore a time difference of
# 3 days is accepted and it is assumed with only 3 days apart, this must be the same kernel version.
if [ ${REBOOT_NEEDED} -eq 2 ] && [ -d "${APT_ARCHIVE_DIRECTORY}" ]; then
LogText "Result: found folder ${APT_ARCHIVE_DIRECTORY}; assuming this is a debian based distribution"
diff --git a/include/tests_kernel_hardening b/include/tests_kernel_hardening
index 59a5f846..c0887078 100644
--- a/include/tests_kernel_hardening
+++ b/include/tests_kernel_hardening
@@ -22,13 +22,13 @@
#
#################################################################################
#
- InsertSection "Kernel Hardening"
+ InsertSection "${SECTION_KERNEL_HARDENING}"
#
#################################################################################
#
# Test : KRNL-6000
# Description : Check sysctl parameters
- # Sysctl : net.ipv4.icmp_ingore_bogus_error_responses (=1)
+ # Sysctl : net.ipv4.icmp_ignore_bogus_error_responses (=1)
if [ ! "${SYSCTL_READKEY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no KRNL-6000 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check sysctl key pairs in scan profile"
if [ ${SKIPTEST} -eq 0 ]; then
@@ -89,7 +89,7 @@
AddHP ${tFINDhp} ${tFINDhp}
else
LogText "Result: sysctl key ${tFINDkey} has a different value than expected in scan profile. Expected=${tFINDexpvalue}, Real=${tFINDcurvalue}"
- Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result DIFFERENT --color RED
+ Display --indent 4 --text "- ${tFINDkey} (exp: ${tFINDexpvalue})" --result "${STATUS_DIFFERENT}" --color RED
AddHP 0 ${tFINDhp}
FOUND=1
N=$((N + 1))
diff --git a/include/tests_ldap b/include/tests_ldap
index 26d11965..7558d491 100644
--- a/include/tests_ldap
+++ b/include/tests_ldap
@@ -22,7 +22,7 @@
#
#################################################################################
#
- InsertSection "LDAP Services"
+ InsertSection "${SECTION_LDAP_SERVICES}"
#
#################################################################################
#
diff --git a/include/tests_logging b/include/tests_logging
index 292940e3..acbbcf5b 100644
--- a/include/tests_logging
+++ b/include/tests_logging
@@ -28,7 +28,9 @@
METALOG_RUNNING=0
RFC3195D_RUNNING=0
RSYSLOG_RUNNING=0
+ SOLARIS_LOGHOST=""
SOLARIS_LOGHOST_FOUND=0
+ SOLARIS_LOGHOST_LOCALHOST=0
SYSLOG_DAEMON_PRESENT=0
SYSLOG_DAEMON_RUNNING=0
SYSLOG_NG_RUNNING=0
@@ -36,7 +38,7 @@
#
#################################################################################
#
- InsertSection "Logging and files"
+ InsertSection "${SECTION_LOGGING_AND_FILES}"
# Test : LOGG-2130
# Description : Check for a running syslog daemon
@@ -305,6 +307,7 @@
LogText "Result: Checking for loghost in /etc/inet/hosts"
FIND=$(${GREPBINARY} loghost /etc/inet/hosts | ${GREPBINARY} -v "^#")
if [ -n "${FIND}" ]; then
+ SOLARIS_LOGHOST="${FIND}"
SOLARIS_LOGHOST_FOUND=1
LogText "Result: Found loghost entry in /etc/inet/hosts"
else
@@ -314,6 +317,7 @@
LogText "Result: Checking for loghost via name resolving"
FIND=$(getent hosts loghost | ${GREPBINARY} loghost)
if [ -n "${FIND}" ]; then
+ SOLARIS_LOGHOST="${FIND}"
SOLARIS_LOGHOST_FOUND=1
LogText "Result: name resolving was successful"
LogText "Output: ${FIND}"
@@ -335,6 +339,26 @@
#
#################################################################################
#
+ # Test : LOGG-2153
+ # Description : Check Solaris 'loghost' entry is not localhost, meaning
+ # remote logging is not configured.
+ if [ ${SOLARIS_LOGHOST_FOUND} -eq 1 ] && [ -n "${SOLARIS_LOGHOST}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no LOGG-2153 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking loghost is localhost"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ FIND=$(echo "${SOLARIS_LOGHOST}" | ${AWKBINARY} '{ print $1 }' | ${EGREPBINARY} "::1|127.0.0.1|127.1")
+ if [ -n "${FIND}" ]; then
+ SOLARIS_LOGHOST_LOCALHOST=1
+ LogText "Result: loghost entry is localhost (default)"
+ Display --indent 4 --text "- Checking loghost entry is localhost" --result "${STATUS_YES}" --color YELLOW
+ ReportSuggestion "${TEST_NO}" "Set loghost entry to a remote location to enable remote logging."
+ else
+ Display --indent 4 --text "- Checking loghost entry is localhost" --result "${STATUS_NO}" --color GREEN
+ fi
+ fi
+
+#
+#################################################################################
+#
# Test : LOGG-2154
# Description : Check to see if remote logging is enabled
# Notes : prevent lines showing up with commands in it (like |mail)
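Review bot: The localhost test at L2952 uses `::1|127.0.0.1|127.1` unanchored with unescaped dots, so it matches addresses such as `127.0.0.10` or `1270001x` only by accident and misses the rest of the loopback range (`127.0.0.2`, `127.1.1.1`), which the resolver treats exactly like `127.0.0.1`. Anchor on the whole loopback block instead: `${EGREPBINARY} "^(127\.|::1$)"`. Note also that `SOLARIS_LOGHOST` is assigned from a `grep` over `/etc/inet/hosts` in the earlier hunk and may hold several lines; `awk '{ print $1 }'` then emits one address per line and any loopback entry flags the host, which is probably acceptable but worth a one-line comment.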
@@ -402,8 +426,13 @@
LogText "Test: check if logs are also logged to a remote logging host"
FIND=$(${EGREPBINARY} "@[a-zA-Z0-9]|destination\s.+(udp|tcp).+\sport" ${SYSLOGD_CONF} | ${GREPBINARY} -v "^#" | ${GREPBINARY} -v "[a-zA-Z0-9]@")
if [ -n "${FIND}" ]; then
- LogText "Result: remote logging enabled"
- REMOTE_LOGGING_ENABLED=1
+ FIND2=$(echo "${FIND}" | ${GREPBINARY} -v "@loghost")
+ if [ SOLARIS_LOGHOST_LOCALHOST -eq 1 ] && [ -z "${FIND2}" ]; then
+ LogText "Result: remote logging enabled to loghost, but loghost is localhost"
+ else
+ LogText "Result: remote logging enabled"
+ REMOTE_LOGGING_ENABLED=1
+ fi
else
# Search for configured destinations with an IP address or hostname, then determine which ones are used as a log destination
DESTINATIONS=$(${GREPBINARY} "^destination" ${SYSLOGD_CONF} | ${EGREPBINARY} "(udp|tcp)" | ${GREPBINARY} "port" | ${AWKBINARY} '{print $2}')
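Review bot: L2976 tests `[ SOLARIS_LOGHOST_LOCALHOST -eq 1 ]` without the `$`, so `[` compares the literal string, prints an "integer expression expected" error on stderr and returns false; the new "loghost is localhost" branch can never be taken and the host is still counted as having remote logging. The line should read `if [ ${SOLARIS_LOGHOST_LOCALHOST} -eq 1 ] && [ -z "${FIND2}" ]; then`. The variable is initialised to 0 in the first hunk of this file, so the comparison is safe once the expansion is fixed.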
@@ -423,7 +452,7 @@
LogText "Result: no remote logging found"
ReportSuggestion "${TEST_NO}" "Enable logging to an external logging host for archiving purposes and additional protection"
AddHP 1 3
- Display --indent 2 --text "- Checking remote logging" --result "NOT ENABLED" --color YELLOW
+ Display --indent 2 --text "- Checking remote logging" --result "${STATUS_NOT_ENABLED}" --color YELLOW
else
Report "remote_syslog_configured=1"
AddHP 5 5
@@ -550,7 +579,7 @@
LogText "Found deleted file: ${I}"
Report "deleted_file[]=${I}"
done
- Display --indent 2 --text "- Checking deleted files in use" --result "FILES FOUND" --color YELLOW
+ Display --indent 2 --text "- Checking deleted files in use" --result "${STATUS_FILES_FOUND}" --color YELLOW
ReportSuggestion "${TEST_NO}" "Check what deleted files are still in use and why."
else
LogText "Result: no deleted files found"
diff --git a/include/tests_mac_frameworks b/include/tests_mac_frameworks
index 3f23c77e..5c55e8f5 100644
--- a/include/tests_mac_frameworks
+++ b/include/tests_mac_frameworks
@@ -24,7 +24,7 @@
SELINUXFOUND=0
TOMOYOFOUND=0
- InsertSection "Security frameworks"
+ InsertSection "${SECTION_SECURITY_FRAMEWORKS}"
#
#################################################################################
#
@@ -76,7 +76,7 @@
Report "apparmor_policy_loaded=1"
AddHP 3 3
# ignore kernel threads (Parent PID = 2 [kthreadd])
- NUNCONFINED=$(${PSBINARY} -N --ppid 2 -o label | ${GREPBINARY} '^unconfined' | ${WCBINARY} --lines)
+ NUNCONFINED=$(${PSBINARY} -N --ppid 2 -o label | ${GREPBINARY} '^unconfined' | ${WCBINARY} -l)
Display --indent 8 --text "Found ${NUNCONFINED} unconfined processes"
for PROCESS in $(${PSBINARY} -N --ppid 2 -o label:1,pid,comm | ${GREPBINARY} '^unconfined' | ${TRBINARY} ' ' ':'); do
LogText "Result: Unconfined process: ${PROCESS}"
@@ -159,13 +159,13 @@
fi
Display --indent 8 --text "Current SELinux mode: ${FIND}"
PERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${TRBINARY} '\n' ' ')
- NPERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${WCBINARY} --lines)
+ NPERMISSIVE=$(${SEMANAGEBINARY} permissive --list --noheading | ${WCBINARY} -l)
Display --indent 8 --text "Found ${NPERMISSIVE} permissive SELinux object types"
LogText "Permissive SELinux object types: ${PERMISSIVE}"
UNCONFINED=$(${PSBINARY} -eo label,pid,command | ${GREPBINARY} '[u]nconfined_t' | ${TRBINARY} '\n' ' ')
INITRC=$(${PSBINARY} -eo label,pid,command | ${GREPBINARY} '[i]nitrc_t' | ${TRBINARY} '\n' ' ')
- NUNCONFINED=$(${PSBINARY} -eo label | ${GREPBINARY} '[u]nconfined_t' | ${WCBINARY} --lines)
- NINITRC=$(${PSBINARY} -eo label | ${GREPBINARY} '[i]nitrc_t' | ${WCBINARY} --lines)
+ NUNCONFINED=$(${PSBINARY} -eo label | ${GREPBINARY} '[u]nconfined_t' | ${WCBINARY} -l)
+ NINITRC=$(${PSBINARY} -eo label | ${GREPBINARY} '[i]nitrc_t' | ${WCBINARY} -l)
Display --indent 8 --text "Found ${NUNCONFINED} unconfined and ${NINITRC} initrc_t processes"
LogText "Unconfined processes: ${UNCONFINED}"
LogText "Processes with initrc_t type: ${INITRC}"
@@ -207,7 +207,7 @@
Display --indent 4 --text "- Checking TOMOYO Linux status" --result "${STATUS_ENABLED}" --color GREEN
Report "tomoyo_enabled=1"
if [ ! -z ${TOMOYOPSTREEBINARY} ]; then
- NUNCONFINED=$(${TOMOYOPSTREEBINARY} | ${GREPBINARY} -v '^ 3 ' | ${WCBINARY} --lines)
+ NUNCONFINED=$(${TOMOYOPSTREEBINARY} | ${GREPBINARY} -v '^ 3 ' | ${WCBINARY} -l)
Display --indent 8 --text "Found ${NUNCONFINED} unconfined (not profile 3) processes"
for PROCESS in $(${TOMOYOPSTREEBINARY} | ${GREPBINARY} -v '^ 3 ' | ${SEDBINARY} -e 's/+-//g' -e 's/^ *//g' -e 's/ \+/:/g' | ${SORTBINARY}); do
LogText "Result: Unconfined process: ${PROCESS}"
diff --git a/include/tests_mail_messaging b/include/tests_mail_messaging
index 3a65765c..cbbde8a0 100644
--- a/include/tests_mail_messaging
+++ b/include/tests_mail_messaging
@@ -22,7 +22,7 @@
#
#################################################################################
#
- InsertSection "Software: e-mail and messaging"
+ InsertSection "${SECTION_EMAIL_AND_MESSAGING}"
#
#################################################################################
#
diff --git a/include/tests_malware b/include/tests_malware
index a5ed3e06..3c2cd72d 100644
--- a/include/tests_malware
+++ b/include/tests_malware
@@ -22,7 +22,7 @@
#
#################################################################################
#
- InsertSection "Software: ${SECTION_MALWARE}"
+ InsertSection "${SECTION_MALWARE}"
#
#################################################################################
#
@@ -39,6 +39,7 @@
MALWARE_SCANNER_INSTALLED=0
SOPHOS_SCANNER_RUNNING=0
SYMANTEC_SCANNER_RUNNING=0
+ SYNOLOGY_DAEMON_RUNNING=0
#
#################################################################################
#
@@ -102,28 +103,6 @@
if [ ${SKIPTEST} -eq 0 ]; then
FOUND=0
- # ESET security products
- LogText "Test: checking process esets_daemon"
- if IsRunning "esets_daemon"; then
- FOUND=1
- ESET_DAEMON_RUNNING=1
- MALWARE_SCANNER_INSTALLED=1
- if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} ESET daemon" --result "${STATUS_FOUND}" --color GREEN; fi
- LogText "Result: found ESET security product"
- Report "malware_scanner[]=eset"
- fi
-
- # Bitdefender (macOS)
- LogText "Test: checking process epagd"
- if IsRunning "epagd"; then
- FOUND=1
- BITDEFENDER_DAEMON_RUNNING=1
- MALWARE_SCANNER_INSTALLED=1
- if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Bitdefender agent" --result "${STATUS_FOUND}" --color GREEN; fi
- LogText "Result: found Bitdefender security product"
- Report "malware_scanner[]=bitdefender"
- fi
-
# Avast (macOS)
LogText "Test: checking process com.avast.daemon"
if IsRunning "com.avast.daemon"; then
@@ -146,6 +125,17 @@
Report "malware_scanner[]=avira"
fi
+ # Bitdefender (macOS)
+ LogText "Test: checking process epagd"
+ if IsRunning "bdagentd" || IsRunning "epagd"; then
+ FOUND=1
+ BITDEFENDER_DAEMON_RUNNING=1
+ MALWARE_SCANNER_INSTALLED=1
+ if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Bitdefender agent" --result "${STATUS_FOUND}" --color GREEN; fi
+ LogText "Result: found Bitdefender security product"
+ Report "malware_scanner[]=bitdefender"
+ fi
+
# CrowdStrike falcon-sensor
LogText "Test: checking process falcon-sensor (CrowdStrike)"
if IsRunning "falcon-sensor"; then
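Review bot: The log line above the Bitdefender condition still names only `epagd`, while the condition now also matches `bdagentd`, so the audit log will not record which of the two processes produced the hit. Suggest `LogText "Test: checking process bdagentd or epagd"`. If `bdagentd` is the non-macOS Bitdefender agent (I cannot confirm that from the diff), the `# Bitdefender (macOS)` comment should be widened as well. The enclosing test body starts and ends outside this hunk.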
@@ -168,6 +158,17 @@
Report "malware_scanner[]=cylance-protect"
fi
+ # ESET security products
+ LogText "Test: checking process esets_daemon"
+ if IsRunning "esets_daemon"; then
+ FOUND=1
+ ESET_DAEMON_RUNNING=1
+ MALWARE_SCANNER_INSTALLED=1
+ if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} ESET daemon" --result "${STATUS_FOUND}" --color GREEN; fi
+ LogText "Result: found ESET security product"
+ Report "malware_scanner[]=eset"
+ fi
+
# Kaspersky products
LogText "Test: checking process wdserver or klnagent (Kaspersky)"
# wdserver is too generic to match on, so we want to ensure that it is related to Kaspersky first
@@ -239,6 +240,17 @@
Report "malware_scanner[]=symantec"
fi
+ # Synology Antivirus Essential
+ LogText "Test: checking process synoavd"
+ if IsRunning "synoavd"; then
+ FOUND=1
+ SYNOLOGY_DAEMON_RUNNING=1
+ MALWARE_SCANNER_INSTALLED=1
+ if IsVerbose; then Display --indent 2 --text "- ${GEN_CHECKING} Synology Antivirus Essential" --result "${STATUS_FOUND}" --color GREEN; fi
+ LogText "Result: found Synology Antivirus Essential"
+ Report "malware_scanner[]=synoavd"
+ fi
+
# TrendMicro (macOS)
LogText "Test: checking process TmccMac to test for Trend Micro anti-virus (macOS)"
if IsRunning "TmccMac"; then
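Review bot: `Report "malware_scanner[]=synoavd"` uses the daemon's process name as the report value, whereas every other entry in this list reports the vendor or product (`eset`, `bitdefender`, `avira`, `symantec`), so consumers of the report file get an inconsistent key for this scanner. Unless the process name is deliberately the identifier here, `Report "malware_scanner[]=synology"` would match the convention. The enclosing test body continues outside this hunk.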
diff --git a/include/tests_nameservices b/include/tests_nameservices
index df41fbc9..46f4f1fb 100644
--- a/include/tests_nameservices
+++ b/include/tests_nameservices
@@ -22,7 +22,7 @@
#
#################################################################################
#
- InsertSection "Name services"
+ InsertSection "${SECTION_NAME_SERVICES}"
#
#################################################################################
#
diff --git a/include/tests_networking b/include/tests_networking
index 83a7aae0..7a04305f 100644
--- a/include/tests_networking
+++ b/include/tests_networking
@@ -31,7 +31,7 @@
#
#################################################################################
#
- InsertSection "Networking"
+ InsertSection "${SECTION_NETWORKING}"
#
#################################################################################
#
@@ -70,7 +70,7 @@
LogText "Result: hostnamed is defined and not longer than 63 characters"
fi
# Test valid characters (normally a dot should not be in the name, but we can't be 100% sure we have short name)
- FIND=$(echo "${HOSTNAME}" | ${TRBINARY} -d '[a-z0-9\.\-]')
+ FIND=$(echo "${HOSTNAME}" | ${TRBINARY} -d '[:alnum:]\.\-')
if [ -z "${FIND}" ]; then
LogText "Result: good, no unexpected characters discovered in hostname"
if IsVerbose; then Display --indent 2 --text "- Hostname (allowed characters)" --result "${STATUS_OK}" --color GREEN; fi
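Review bot: `[:alnum:]` in `tr` is locale-dependent, so under a non-C locale letters outside ASCII may be deleted as well, and a hostname containing them would then pass the "allowed characters" check that the old `[a-z0-9\.\-]` set rejected. Pin the locale for this call, e.g. `FIND=$(echo "${HOSTNAME}" | LC_ALL=C ${TRBINARY} -d '[:alnum:]\.\-')`, so that only ASCII letters and digits are accepted. The new class also admits uppercase letters, which the old range flagged; that is correct for DNS labels but deserves a word in the comment above the test. The enclosing test starts outside this hunk.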
@@ -140,7 +140,7 @@
Display --indent 2 --text "- Checking IPv6 configuration" --result "${STATUS_ENABLED}" --color WHITE
STATUS=$(echo ${IPV6_MODE} | ${TRBINARY} '[:lower:]' '[:upper:]')
Display --indent 6 --text "Configuration method" --result "${STATUS}" --color WHITE
- if [ ${IPV6_ONLY} -eq 1 ]; then STATUS="YES"; else STATUS="NO"; fi
+ if [ ${IPV6_ONLY} -eq 1 ]; then STATUS="${STATUS_YES}"; else STATUS="${STATUS_NO}"; fi
LogText "Result: IPv6 only configuration: ${STATUS}"
Display --indent 6 --text "IPv6 only" --result "${STATUS}" --color WHITE
else
@@ -512,6 +512,15 @@
ReportException "${TEST_NO}:3" "netstat missing to gather listening ports"
fi
;;
+ Solaris)
+ if [ -n "${NETSTATBINARY}" ]; then
+ LogText "Test: Retrieving netstat information to find listening ports"
+ FIND=$(${NETSTATBINARY} -an -P udp | ${AWKBINARY} '{ if($7=="LISTEN") { print $1"|udp|LISTEN|" }}')
+ FIND2=$(${NETSTATBINARY} -an -P tcp | ${AWKBINARY} '{ if($7=="LISTEN") { print $1"|tcp|LISTEN|" }}')
+ else
+ ReportException "${TEST_NO}:4" "netstat missing to gather listening ports"
+ fi
+ ;;
*)
# Got this exception? Provide your details and output of netstat or any other tool to determine this information.
ReportException "${TEST_NO}:2" "Unclear what method to use, to determine listening port information"
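Review bot: The UDP half of the new Solaris branch looks like it can never produce output: as far as I recall, `netstat -an -P udp` on Solaris lists UDP sockets with a `State` of `Idle` or `Unbound` and only three columns, so `$7=="LISTEN"` never matches and bound UDP ports are silently left out of the listening-port list. Please verify on a Solaris host; if so, key the UDP filter on its own state column, e.g. `FIND=$(${NETSTATBINARY} -an -P udp | ${AWKBINARY} '{ if($NF=="Idle") { print $1"|udp|LISTEN|" }}')`. The TCP filter's `$7` assumption holds for the IPv4 table and, I believe, for the IPv6 table (whose extra `If` column follows State), but a short comment stating the expected column layout would help the next porter. The enclosing `case` statement starts outside this hunk.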
@@ -683,7 +692,7 @@
Display --indent 2 --text "- Checking status DHCP client" --result "${STATUS_RUNNING}" --color WHITE
DHCP_CLIENT_RUNNING=1
else
- Display --indent 2 --text "- Checking status DHCP client" --result "NOT ACTIVE" --color WHITE
+ Display --indent 2 --text "- Checking status DHCP client" --result "${STATUS_NOT_ACTIVE}" --color WHITE
fi
fi
#
diff --git a/include/tests_php b/include/tests_php
index 0f498fff..32211f1a 100644
--- a/include/tests_php
+++ b/include/tests_php
@@ -36,6 +36,7 @@
${ROOTDIR}etc/php7.1/php.ini \
${ROOTDIR}etc/php7.2/php.ini \
${ROOTDIR}etc/php7.3/php.ini \
+ ${ROOTDIR}etc/php7.4/php.ini \
${ROOTDIR}etc/php/cgi-php5/php.ini \
${ROOTDIR}etc/php/cli-php5/php.ini \
${ROOTDIR}etc/php/apache2-php5/php.ini \
@@ -45,24 +46,29 @@
${ROOTDIR}etc/php/apache2-php7.1/php.ini \
${ROOTDIR}etc/php/apache2-php7.2/php.ini \
${ROOTDIR}etc/php/apache2-php7.3/php.ini \
+ ${ROOTDIR}etc/php/apache2-php7.4/php.ini \
${ROOTDIR}etc/php/cgi-php5.5/php.ini \
${ROOTDIR}etc/php/cgi-php5.6/php.ini \
${ROOTDIR}etc/php/cgi-php7.0/php.ini \
${ROOTDIR}etc/php/cgi-php7.1/php.ini \
${ROOTDIR}etc/php/cgi-php7.2/php.ini \
${ROOTDIR}etc/php/cgi-php7.3/php.ini \
+ ${ROOTDIR}etc/php/cgi-php7.4/php.ini \
${ROOTDIR}etc/php/cli-php5.5/php.ini \
${ROOTDIR}etc/php/cli-php5.6/php.ini \
${ROOTDIR}etc/php/cli-php7.0/php.ini \
${ROOTDIR}etc/php/cli-php7.1/php.ini \
${ROOTDIR}etc/php/cli-php7.2/php.ini \
${ROOTDIR}etc/php/cli-php7.3/php.ini \
+ ${ROOTDIR}etc/php/cli-php7.4/php.ini \
${ROOTDIR}etc/php/embed-php5.5/php.ini \
${ROOTDIR}etc/php/embed-php5.6/php.ini \
${ROOTDIR}etc/php/embed-php7.0/php.ini \
${ROOTDIR}etc/php/embed-php7.1/php.ini \
${ROOTDIR}etc/php/embed-php7.2/php.ini \
${ROOTDIR}etc/php/embed-php7.3/php.ini \
+ ${ROOTDIR}etc/php/embed-php7.4/php.ini \
+ ${ROOTDIR}etc/php/fpm-php7.4/php.ini \
${ROOTDIR}etc/php/fpm-php7.3/php.ini \
${ROOTDIR}etc/php/fpm-php7.2/php.ini \
${ROOTDIR}etc/php/fpm-php7.1/php.ini \
@@ -71,7 +77,9 @@
${ROOTDIR}etc/php/fpm-php5.6/php.ini \
${ROOTDIR}etc/php5/cgi/php.ini \
${ROOTDIR}etc/php5/cli/php.ini \
- ${ROOTDIR}etc/php5/cli-php5.4/php.ini ${ROOTDIR}etc/php5/cli-php5.5/php.ini ${ROOTDIR}etc/php5/cli-php5.6/php.ini \
+ ${ROOTDIR}etc/php5/cli-php5.4/php.ini \
+ ${ROOTDIR}etc/php5/cli-php5.5/php.ini \
+ ${ROOTDIR}etc/php5/cli-php5.6/php.ini \
${ROOTDIR}etc/php5/apache2/php.ini \
${ROOTDIR}etc/php5/fpm/php.ini \
${ROOTDIR}private/etc/php.ini \
@@ -79,12 +87,20 @@
${ROOTDIR}etc/php/7.1/apache2/php.ini \
${ROOTDIR}etc/php/7.2/apache2/php.ini \
${ROOTDIR}etc/php/7.3/apache2/php.ini \
- ${ROOTDIR}etc/php/7.0/cli/php.ini ${ROOTDIR}etc/php/7.0/fpm/php.ini \
- ${ROOTDIR}etc/php/7.1/cli/php.ini ${ROOTDIR}etc/php/7.1/fpm/php.ini \
- ${ROOTDIR}etc/php/7.2/cli/php.ini ${ROOTDIR}etc/php/7.2/fpm/php.ini \
- ${ROOTDIR}etc/php/7.3/cli/php.ini ${ROOTDIR}etc/php/7.3/fpm/php.ini \
+ ${ROOTDIR}etc/php/7.4/apache2/php.ini \
+ ${ROOTDIR}etc/php/7.0/cli/php.ini \
+ ${ROOTDIR}etc/php/7.0/fpm/php.ini \
+ ${ROOTDIR}etc/php/7.1/cli/php.ini \
+ ${ROOTDIR}etc/php/7.1/fpm/php.ini \
+ ${ROOTDIR}etc/php/7.2/cli/php.ini \
+ ${ROOTDIR}etc/php/7.2/fpm/php.ini \
+ ${ROOTDIR}etc/php/7.3/cli/php.ini \
+ ${ROOTDIR}etc/php/7.3/fpm/php.ini \
+ ${ROOTDIR}etc/php/7.4/cli/php.ini \
+ ${ROOTDIR}etc/php/7.4/fpm/php.ini \
${ROOTDIR}var/www/conf/php.ini \
- ${ROOTDIR}usr/local/etc/php.ini ${ROOTDIR}usr/local/lib/php.ini \
+ ${ROOTDIR}usr/local/etc/php.ini \
+ ${ROOTDIR}usr/local/lib/php.ini \
${ROOTDIR}usr/local/etc/php5/cgi/php.ini \
${ROOTDIR}usr/local/php54/lib/php.ini \
${ROOTDIR}usr/local/php56/lib/php.ini \
@@ -92,6 +108,7 @@
${ROOTDIR}usr/local/php71/lib/php.ini \
${ROOTDIR}usr/local/php72/lib/php.ini \
${ROOTDIR}usr/local/php73/lib/php.ini \
+ ${ROOTDIR}usr/local/php74/lib/php.ini \
${ROOTDIR}usr/local/zend/etc/php.ini \
${ROOTDIR}usr/pkg/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.ini \
@@ -101,6 +118,7 @@
${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.ini \
${ROOTDIR}opt/cpanel/ea-php73/root/etc/php.ini \
+ ${ROOTDIR}opt/cpanel/ea-php74/root/etc/php.ini \
${ROOTDIR}opt/alt/php44/etc/php.ini \
${ROOTDIR}opt/alt/php51/etc/php.ini \
${ROOTDIR}opt/alt/php52/etc/php.ini \
@@ -112,27 +130,42 @@
${ROOTDIR}opt/alt/php71/etc/php.ini \
${ROOTDIR}opt/alt/php72/etc/php.ini \
${ROOTDIR}opt/alt/php73/etc/php.ini \
+ ${ROOTDIR}opt/alt/php74/etc/php.ini \
${ROOTDIR}etc/opt/remi/php56/php.ini \
${ROOTDIR}etc/opt/remi/php70/php.ini \
${ROOTDIR}etc/opt/remi/php71/php.ini \
${ROOTDIR}etc/opt/remi/php72/php.ini \
- ${ROOTDIR}etc/opt/remi/php73/php.ini"
+ ${ROOTDIR}etc/opt/remi/php73/php.ini \
+ ${ROOTDIR}etc/opt/remi/php74/php.ini"
# HEADS-UP: OpenBSD, last two releases are supported, and snapshots of -current
PHPINILOCS="${PHPINILOCS} \
- ${ROOTDIR}etc/php-5.6.ini ${ROOTDIR}etc/php-7.0.ini ${ROOTDIR}etc/php-7.1.ini ${ROOTDIR}etc/php-7.2.ini ${ROOTDIR}etc/php-7.3.ini"
+ ${ROOTDIR}etc/php-5.6.ini \
+ ${ROOTDIR}etc/php-7.0.ini \
+ ${ROOTDIR}etc/php-7.1.ini \
+ ${ROOTDIR}etc/php-7.2.ini \
+ ${ROOTDIR}etc/php-7.3.ini \
+ ${ROOTDIR}etc/php-7.4.ini"
PHPINIDIRS="${ROOTDIR}etc/php5/conf.d \
${ROOTDIR}etc/php/7.0/cli/conf.d \
${ROOTDIR}etc/php/7.1/cli/conf.d \
${ROOTDIR}etc/php/7.2/cli/conf.d \
${ROOTDIR}etc/php/7.3/cli/conf.d \
+ ${ROOTDIR}etc/php/7.4/cli/conf.d \
${ROOTDIR}etc/php/7.0/fpm/conf.d \
${ROOTDIR}etc/php/7.1/fpm/conf.d \
${ROOTDIR}etc/php/7.2/fpm/conf.d \
${ROOTDIR}etc/php/7.3/fpm/conf.d \
+ ${ROOTDIR}etc/php/7.4/fpm/conf.d \
${ROOTDIR}etc/php.d \
- ${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php55/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php56/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.d \
- ${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.d ${ROOTDIR}opt/cpanel/ea-php73/root/etc/php.d \
+ ${ROOTDIR}opt/cpanel/ea-php54/root/etc/php.d \
+ ${ROOTDIR}opt/cpanel/ea-php55/root/etc/php.d \
+ ${ROOTDIR}opt/cpanel/ea-php56/root/etc/php.d \
+ ${ROOTDIR}opt/cpanel/ea-php70/root/etc/php.d \
+ ${ROOTDIR}opt/cpanel/ea-php71/root/etc/php.d \
+ ${ROOTDIR}opt/cpanel/ea-php72/root/etc/php.d \
+ ${ROOTDIR}opt/cpanel/ea-php73/root/etc/php.d \
+ ${ROOTDIR}opt/cpanel/ea-php74/root/etc/php.d \
${ROOTDIR}opt/alt/php44/etc/php.d.all \
${ROOTDIR}opt/alt/php51/etc/php.d.all \
${ROOTDIR}opt/alt/php52/etc/php.d.all \
@@ -144,14 +177,21 @@
${ROOTDIR}opt/alt/php71/etc/php.d.all \
${ROOTDIR}opt/alt/php72/etc/php.d.all \
${ROOTDIR}opt/alt/php73/etc/php.d.all \
+ ${ROOTDIR}opt/alt/php74/etc/php.d.all \
${ROOTDIR}usr/local/lib/php.conf.d \
${ROOTDIR}usr/local/php70/lib/php.conf.d \
${ROOTDIR}usr/local/php71/lib/php.conf.d \
${ROOTDIR}usr/local/php72/lib/php.conf.d \
- ${ROOTDIR}usr/local/php73/lib/php.conf.d"
+ ${ROOTDIR}usr/local/php73/lib/php.conf.d \
+ ${ROOTDIR}usr/local/php74/lib/php.conf.d"
# HEADS-UP: OpenBSD, last two releases are supported, and snapshots of -current
PHPINIDIRS="${PHPINIDIRS} \
- ${ROOTDIR}etc/php-5.6 ${ROOTDIR}etc/php-7.0 ${ROOTDIR}etc/php-7.1 ${ROOTDIR}etc/php-7.2 ${ROOTDIR}etc/php-7.3"
+ ${ROOTDIR}etc/php-5.6 \
+ ${ROOTDIR}etc/php-7.0 \
+ ${ROOTDIR}etc/php-7.1 \
+ ${ROOTDIR}etc/php-7.2 \
+ ${ROOTDIR}etc/php-7.3 \
+ ${ROOTDIR}etc/php-7.4"
#
#################################################################################
#
diff --git a/include/tests_ports_packages b/include/tests_ports_packages
index 286da608..2e827813 100644
--- a/include/tests_ports_packages
+++ b/include/tests_ports_packages
@@ -22,7 +22,7 @@
#
#################################################################################
#
- InsertSection "Ports and packages"
+ InsertSection "${SECTION_PORTS_AND_PACKAGES}"
PACKAGE_MGR_PKG=0
PACKAGE_AUDIT_TOOL=""
PACKAGE_AUDIT_TOOL_FOUND=0
@@ -1232,7 +1232,7 @@
ReportSuggestion "${TEST_NO}" "Install a package audit tool to determine vulnerable packages"
LogText "Result: no package audit tool found"
else
- Display --indent 2 --text "- Checking package audit tool" --result INSTALLED --color GREEN
+ Display --indent 2 --text "- Checking package audit tool" --result "${STATUS_INSTALLED}" --color GREEN
Display --indent 4 --text "Found: ${PACKAGE_AUDIT_TOOL}"
LogText "Result: found package audit tool: ${PACKAGE_AUDIT_TOOL}"
fi
@@ -1289,7 +1289,7 @@
KERNELS=$(${ZYPPERBINARY} --non-interactive -n se --type package --match-exact --installed-only "kernel-default" 2> /dev/null | ${GREPBINARY} "kernel-default" | ${WCBINARY} -l)
if [ ${KERNELS} -eq 0 ]; then
LogText "Result: found no kernels from zypper output, which is unexpected."
- ReportException "KRNL-5840:3" "Could not find any kernel packages via package manager. Maybe using a different kernel package?"
+ ReportException "${TEST_NO}" "Could not find any kernel packages via package manager. Maybe using a different kernel package?"
elif [ ${KERNELS} -gt 3 ]; then
LogText "Result: found more than 5 kernel packages on the system, which might indicate lack of regular cleanups"
ReportSuggestion "${TEST_NO}" "Remove any unneeded kernel packages"
@@ -1299,7 +1299,19 @@
fi
if [ ${KERNELS} -eq 0 -a ${TESTED} -eq 1 ]; then
- ReportException "KRNL-5840:1" "Could not find any kernel packages via package manager"
+ # Only report exception if there are kernels actually there. For example, LXC use the kernel of host system
+ case "${OS}" in
+ "Linux")
+ if [ -d "${ROOTDIR}boot" ]; then
+ if [ -z "$(${FINDBINARY} /boot -maxdepth 1 -type f -name 'vmlinuz*' -print -quit)" ]; then
+ ReportException "${TEST_NO}" "Could not find any kernel packages via package manager"
+ fi
+ fi
+ ;;
+ *)
+ ReportException "${TEST_NO}" "Could not find any kernel packages via package manager"
+ ;;
+ esac
fi
Report "installed_kernel_packages=${KERNELS}"
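Review bot: The new guard tests `-d "${ROOTDIR}boot"` but then searches `${FINDBINARY} /boot`, so when `ROOTDIR` points at a chroot or mounted image the check inspects the host's `/boot` and suppresses or raises the exception for the wrong system; change it to `if [ -z "$(${FINDBINARY} "${ROOTDIR}boot" -maxdepth 1 -type f -name 'vmlinuz*' -print -quit)" ]; then`. The `vmlinuz*` pattern will also miss kernels installed as `vmlinux*` or `Image*` on some architectures, and `-maxdepth`/`-quit` are GNU extensions — probably acceptable in a Linux-only branch, but a comment saying so would save the next reader a check. The enclosing `if` and the test body start outside this hunk.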
diff --git a/include/tests_printers_spoolers b/include/tests_printers_spoolers
index b8435493..61304f87 100644
--- a/include/tests_printers_spoolers
+++ b/include/tests_printers_spoolers
@@ -34,7 +34,7 @@
#
#################################################################################
#
- InsertSection "Printers and Spools"
+ InsertSection "${SECTION_PRINTERS_AND_SPOOLS}"
#
#################################################################################
#
diff --git a/include/tests_scheduling b/include/tests_scheduling
index a7b3f5c2..b461ba95 100644
--- a/include/tests_scheduling
+++ b/include/tests_scheduling
@@ -22,7 +22,7 @@
#
#################################################################################
#
- InsertSection "Scheduled tasks"
+ InsertSection "${SECTION_SCHEDULED_TASKS}"
#
#################################################################################
#
diff --git a/include/tests_shells b/include/tests_shells
index 6f39e1fd..89be9979 100644
--- a/include/tests_shells
+++ b/include/tests_shells
@@ -23,7 +23,7 @@
#################################################################################
#
IDLE_TIMEOUT=0
- InsertSection "Shells"
+ InsertSection "${SECTION_SHELLS}"
#
#################################################################################
#
diff --git a/include/tests_snmp b/include/tests_snmp
index d8ce450d..0bf785f0 100644
--- a/include/tests_snmp
+++ b/include/tests_snmp
@@ -28,7 +28,7 @@
#
#################################################################################
#
- InsertSection "SNMP Support"
+ InsertSection "${SECTION_SNMP_SUPPORT}"
# Test : SNMP-3302
# Description : Check for a running SNMP daemon
diff --git a/include/tests_squid b/include/tests_squid
index f94befa0..d62310a3 100644
--- a/include/tests_squid
+++ b/include/tests_squid
@@ -29,7 +29,7 @@
#
#################################################################################
#
- InsertSection "Squid Support"
+ InsertSection "${SECTION_SQUID_SUPPORT}"
#
#################################################################################
#
diff --git a/include/tests_ssh b/include/tests_ssh
index bd02440c..43c678b9 100644
--- a/include/tests_ssh
+++ b/include/tests_ssh
@@ -34,7 +34,7 @@
#
#################################################################################
#
- InsertSection "SSH Support"
+ InsertSection "${SECTION_SSH_SUPPORT}"
#
#################################################################################
#
diff --git a/include/tests_storage b/include/tests_storage
index 6de4f15d..6ee1a78a 100644
--- a/include/tests_storage
+++ b/include/tests_storage
@@ -18,7 +18,7 @@
#
#################################################################################
#
- InsertSection "Storage"
+ InsertSection "${SECTION_STORAGE}"
#
#################################################################################
#
@@ -59,7 +59,7 @@
if [ ${FOUND} -eq 0 ]; then
LogText "Result: firewire ohci driver is not explicitly disabled"
- Display --indent 2 --text "- Checking firewire ohci driver (modprobe config)" --result "NOT DISABLED" --color WHITE
+ Display --indent 2 --text "- Checking firewire ohci driver (modprobe config)" --result "${STATUS_NOT_DISABLED}" --color WHITE
ReportSuggestion "${TEST_NO}" "Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft"
# after blacklisting modules, make sure to remove them from the initram filesystem: update-initramfs -u
AddHP 2 3
diff --git a/include/tests_system_integrity b/include/tests_system_integrity
index 7a21925b..825f3d70 100644
--- a/include/tests_system_integrity
+++ b/include/tests_system_integrity
@@ -25,7 +25,7 @@
#
#################################################################################
#
- InsertSection "Software: system integrity"
+ InsertSection "${SECTION_SYSTEM_INTEGRITY}"
Display --indent 2 --text "- Checking file integrity tools"
#
#################################################################################
diff --git a/include/tests_time b/include/tests_time
index 7c15d0a3..0d1d65cb 100644
--- a/include/tests_time
+++ b/include/tests_time
@@ -22,7 +22,7 @@
#
#################################################################################
#
- InsertSection "Time and Synchronization"
+ InsertSection "${SECTION_TIME_AND_SYNCHRONIZATION}"
#
#################################################################################
#
@@ -86,9 +86,8 @@
# Reason: openntpd syncs only if large time corrections are not required or -s is passed.
# This might be not intended by the administrator (-s is NOT the default!)
FIND=$(${PSBINARY} ax | ${GREPBINARY} "ntpd: ntp engine" | ${GREPBINARY} -v "grep")
- ${NTPCTLBINARY} -s status > /dev/null 2> /dev/null
- # Status code 0 is when communication over the socket is successfull
- if [ "$?" -eq 0 ]; then
+ # Status code 0 is when communication over the socket is successful
+ if ${NTPCTLBINARY} -s status > /dev/null 2> /dev/null; then
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="openntpd"
LogText "result: found openntpd (method: ntpctl)"
OPENNTPD_COMMUNICATION=1
@@ -98,16 +97,16 @@
FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="openntpd"
LogText "result: found openntpd (method: ps)"
else
- LogText "result: running openntpd not found, but ntpctl is instaalled"
+ LogText "result: running openntpd not found, but ntpctl is installed"
fi
- if [ "${NTP_DAEMON}" == "openntpd" ]; then
+ if [ "${NTP_DAEMON}" = "openntpd" ]; then
Display --indent 2 --text "- NTP daemon found: OpenNTPD" --result "${STATUS_FOUND}" --color GREEN
fi
fi
# Check running processes (ntpd from ntp.org)
- # As checking by process name is ambigiouse (openntpd has the same process name),
+ # As checking by process name is ambiguous (openntpd has the same process name),
# this check will be skipped if openntpd has been found.
FIND=$(${PSBINARY} ax | ${GREPBINARY} "ntpd" | ${GREPBINARY} -v "dntpd" | ${GREPBINARY} -v "ntpd: " | ${GREPBINARY} -v "grep")
if [ "${NTP_DAEMON}" != "openntpd" ] && [ -n "${FIND}" ]; then
@@ -124,39 +123,30 @@
fi
# Check timedate daemon (systemd)
- if [ -n "${TIMEDATECTL}" ]; then
- FIND=$(${TIMEDATECTL} status | ${EGREPBINARY} "(NTP|System clock) synchronized: yes")
- if [ -n "${FIND}" ]; then
- # Check for systemd-timesyncd
- if [ -f ${ROOTDIR}etc/systemd/timesyncd.conf ]; then
- LogText "Result: found ${ROOTDIR}etc/systemd/timesyncd.conf"
- FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="systemd-timesyncd"
- Display --indent 2 --text "- NTP daemon found: systemd (timesyncd)" --result "${STATUS_FOUND}" --color GREEN
- SYSTEMD_NTP_ENABLED=1
- else
- LogText "Result: ${ROOTDIR}etc/systemd/timesyncd.conf does not exist"
- fi
- else
- LogText "Result: time synchronization not performed according timedatectl command"
- fi
- else
- LogText "Result: timedatectl command not available on this system"
+ FIND=$(${PSBINARY} ax | ${GREPBINARY} "systemd-timesyncd" | ${GREPBINARY} -v "grep")
+ if [ -n "${FIND}" ]; then
+ FOUND=1; NTP_DAEMON_RUNNING=1; NTP_CONFIG_TYPE_DAEMON=1; NTP_DAEMON="systemd-timesyncd"
+ Display --indent 2 --text "- NTP daemon found: systemd (timesyncd)" --result "${STATUS_FOUND}" --color GREEN
+ LogText "Result: Found running systemd-timesyncd in process list"
fi
# Check crontab for OpenBSD/FreeBSD
# Check anacrontab for Linux
CRONTAB_FILES="/etc/anacrontab /etc/crontab"
+ # Regex for matching multiple time synchronisation binaries
+ # Partial sanity check for sntp and ntpdig, but this does not consider all corner cases
+ CRONTAB_REGEX='ntpdate|rdate|sntp.+-(s|j|--adj)|ntpdig.+-(S|s)'
for I in ${CRONTAB_FILES}; do
if [ -f ${I} ]; then
- LogText "Test: checking for ntpdate or rdate in crontab file ${I}"
- FIND=$(${EGREPBINARY} "ntpdate|rdate" ${I} | ${GREPBINARY} -v '^#')
+ LogText "Test: checking for ntpdate, rdate, sntp or ntpdig in crontab file ${I}"
+ FIND=$(${EGREPBINARY} "${CRONTAB_REGEX}" ${I} | ${GREPBINARY} -v '^#')
if [ -n "${FIND}" ]; then
FOUND=1; NTP_CONFIG_TYPE_SCHEDULED=1
Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "${STATUS_FOUND}" --color GREEN
- LogText "Result: found ntpdate or rdate reference in crontab file ${I}"
+ LogText "Result: found ntpdate, rdate, sntp or ntpdig reference in crontab file ${I}"
else
#Display --indent 2 --text "- Checking NTP client in crontab file (${I})" --result "${STATUS_NOT_FOUND}" --color WHITE
- LogText "Result: no ntpdate or rdate reference found in crontab file ${I}"
+ LogText "Result: no ntpdate, rdate, sntp or ntpdig reference found in crontab file ${I}"
fi
else
LogText "Result: crontab file ${I} not found"
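Review bot: The `--adj` alternative in `CRONTAB_REGEX` is unreachable: the pattern is `sntp.+-(s|j|--adj)`, so the group is already preceded by a literal `-` and the long form would have to appear as `---adj`; an `sntp --adjust` entry in a crontab therefore goes undetected. Give each alternative its own dash, `CRONTAB_REGEX='ntpdate|rdate|sntp.+(-s|-j|--adj)|ntpdig.+-(S|s)'`. Separately, the `ps ax | grep "systemd-timesyncd"` replacement for the timedatectl check will also match any unrelated command line that merely contains that string (a log tail, an editor), which the removed `timedatectl status` check did not; the `IsRunning` helper used elsewhere in this commit may be the better fit. The enclosing test body starts outside this hunk.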
@@ -169,31 +159,18 @@
# Check cron jobs
for I in ${CRON_DIRS}; do
- if [ -d ${I} ]; then
- if FileIsReadable ${I}; then
- FIND=$(${FINDBINARY} ${I} -type f -a ! -name ".placeholder" -print 2> /dev/null | ${SEDBINARY} 's/ /__space__/g' | ${TRBINARY} '\n' '\0' | ${TRBINARY} -cd '[:print:]\0' | ${TRBINARY} '\0' ' ')
+ for J in "${I}"/*; do # iterate over folders in a safe way
+ # Check: regular file, readable and not called .placeholder
+ FIND=$(echo "${J}" | ${EGREPBINARY} '/.placeholder$')
+ if [ -f "${J}" ] && [ -r "${J}" ] && [ -z "${FIND}" ]; then
+ LogText "Test: checking for ntpdate, rdate, sntp or ntpdig in ${J}"
+ FIND=$("${EGREPBINARY}" "${CRONTAB_REGEX}" "${J}" | "${GREPBINARY}" -v "^#")
if [ -n "${FIND}" ]; then
- for J in ${FIND}; do
- # Place back spaces if needed
- J=$(echo ${J} | ${SEDBINARY} 's/__space__/ /g')
- LogText "Test: checking for ntpdate or rdate in ${J}"
- if FileIsReadable ${J}; then
- FIND2=$(${EGREPBINARY} "rdate|ntpdate" "${J}" | ${GREPBINARY} -v "^#")
- if [ -n "${FIND2}" ]; then
- LogText "Positive match found: ${FIND2}"
- FOUND=1; FOUND_IN_CRON=1; NTP_CONFIG_TYPE_SCHEDULED=1
- fi
- else
- LogText "Result: could not test in file '${J}' as it is not readable"
- fi
- done
- else
- LogText "Result: ${I} is empty, skipping search in directory"
+ FOUND=1; FOUND_IN_CRON=1; NTP_CONFIG_TYPE_SCHEDULED=1
+ LogText "Result: found ntpdate, rdate, sntp or ntpdig in ${J}"
fi
- else
- LogText "Result: could not search in directory due to permissions"
fi
- fi
+ done
done
if [ ${FOUND_IN_CRON} -eq 1 ]; then
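Review bot: The `.placeholder` exclusion is dead code in the new loop: `"${I}"/*` does not expand dot-files in POSIX sh (only with bash's `dotglob`), so `${J}` can never end in `/.placeholder`, and the unescaped `.` in `'/.placeholder$'` would additionally exclude names such as `/xplaceholder`. The rewrite also drops the old `LogText "Result: could not test in file '${J}' as it is not readable"` path, so an unreadable cron file is now skipped without any trace in the log; an `elif [ -f "${J}" ]; then LogText "Result: could not test in file '${J}' as it is not readable"` branch would keep that audit trail. The enclosing test body starts outside this hunk.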
@@ -532,7 +509,7 @@
#
# Test : TIME-3180
# Description : Report if ntpctl cannot communicate with OpenNTPD
- if [ "${NTPD_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" == "openntpd" ]; then
+ if [ "${NTP_DAEMON_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" = "openntpd" ]; then
PREQS_MET="YES"
else
PREQS_MET="NO"
@@ -548,7 +525,7 @@
#
# Test : TIME-3181
# Description : Check status of OpenNTPD time synchronisation
- if [ "${NTPD_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" == "openntpd" ] && [ "${OPENNTPD_COMMUNICATION}" -eq 1 ]; then
+ if [ "${NTP_DAEMON_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" = "openntpd" ] && [ "${OPENNTPD_COMMUNICATION}" -eq 1 ]; then
PREQS_MET="YES"
else
PREQS_MET="NO"
@@ -567,7 +544,7 @@
# Test : TIME-3182
# Description : Check OpenNTPD has working peers
- if [ "${NTPD_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" == "openntpd" ] && [ "${OPENNTPD_COMMUNICATION}" -eq 1 ]; then
+ if [ "${NTP_DAEMON_RUNNING}" -eq 1 ] && [ -n "${NTPCTLBINARY}" ] && [ "${NTP_DAEMON}" = "openntpd" ] && [ "${OPENNTPD_COMMUNICATION}" -eq 1 ]; then
PREQS_MET="YES"
else
PREQS_MET="NO"
@@ -576,11 +553,56 @@
Register --test-no TIME-3182 --preqs-met "${PREQS_MET}" --weight L --network NO --category security --description "Check OpenNTPD has working peers"
if [ ${SKIPTEST} -eq 0 ]; then
# Format is "xx/yy peers valid, ..."
- FIND=$(${NTPCTLBINARY} -s status | ${EGREPBINARY} -o "[0-9]{1,4}/" | ${EGREPBINARY} -o "[0-9]{1,4}" )
- if [ -n "${FIND}" ] || [ "${FIND}" -eq 0 ]; then
+ FIND=$(${NTPCTLBINARY} -s status | ${EGREPBINARY} -o '[0-9]+/[0-9]+' | ${CUTBINARY} -d '/' -f 1)
+ if [ -z "${FIND}" ] || [ "${FIND}" -eq 0 ]; then
ReportWarning "${TEST_NO}" "OpenNTPD has no peers" "${NTPCTLBINARY} -s status"
fi
fi
+
+#
+#################################################################################
+#
+
+ # Test : TIME-3185
+ # Description : Check systemd-timesyncd synchronized time
+
+ if [ "${NTP_DAEMON}" = "systemd-timesyncd" ]; then
+ PREQS_MET="YES"
+ else
+ PREQS_MET="NO"
+ fi
+
+
+ Register --test-no TIME-3185 --preqs-met "${PREQS_MET}" --weight L --network NO --category "security" --description "Check systemd-timesyncd synchronized time"
+ SYNCHRONIZED_FILE="/run/systemd/timesync/synchronized"
+
+ if [ ${SKIPTEST} -eq 0 ]; then
+ # On earlier systemd versions (237), '/run/systemd/timesync/synchronized' does not exist, so use '/var/lib/systemd/timesync/clock'
+ if [ ! -e "${SYNCHRONIZED_FILE}" ]; then
+ SYNCHRONIZED_FILE="/var/lib/systemd/timesync/clock"
+ fi
+ # DynamicUser=yes moves the clock file to '/var/lib/private/systemd/timesync/clock'
+ if [ ! -e "${SYNCHRONIZED_FILE}" ]; then
+ SYNCHRONIZED_FILE="/var/lib/private/systemd/timesync/clock"
+ fi
+ if [ -e "${SYNCHRONIZED_FILE}" ]; then
+ FIND=$(( $(date +%s) - $(${STATBINARY} -L --format %Y "${SYNCHRONIZED_FILE}") ))
+ # Check if last sync was more than 2048 seconds (= the default of systemd) ago
+ if [ "${FIND}" -ge 2048 ]; then
+ COLOR=RED
+ ReportWarning "${TEST_NO}" "systemd-timesyncd did not synchronized the time recently."
+ else
+ COLOR=GREEN
+ fi
+ Display --indent 2 --text "- Last time synchronization" --result "${FIND}s" --color "${COLOR}"
+ LogText "Result: systemd-timesyncd synchronized time ${FIND} seconds ago."
+ else
+ Display --indent 2 --text "- Last time synchronization" --result "${STATUS_NOT_FOUND}" --color RED
+ ReportWarning "${TEST_NO}" "systemd-timesyncd never successfully synchronized time"
+ fi
+ fi
+ unset SYNCHRONIZED_FILE
+
#
#################################################################################
#
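Review bot: TIME-3185 computes `$(( $(date +%s) - $(${STATBINARY} -L --format %Y "${SYNCHRONIZED_FILE}") ))` without checking that `${STATBINARY}` is set or that the `stat` call succeeded; if either substitution is empty the arithmetic expansion fails, and in dash (a common `/bin/sh`) such an error terminates the non-interactive shell, so the whole audit would abort rather than just this test. Add `[ -n "${STATBINARY}" ]` to the `PREQS_MET` condition, capture the `stat` result into a variable and only do the subtraction when it is non-empty, and prefer the tool's `${…BINARY}`-style variable for `date` if one exists instead of the bare command. The warning text `did not synchronized the time recently` should read `did not synchronize the time recently`. For the TIME-3182 change, if `ntpctl -s status` ever prints more than one `n/m` token, `${FIND}` becomes multi-line and `[ "${FIND}" -eq 0 ]` errors; appending `| ${HEADBINARY} -1` (or equivalent) would pin it to the first match.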
diff --git a/include/tests_tooling b/include/tests_tooling
index 7fed8460..15475c61 100644
--- a/include/tests_tooling
+++ b/include/tests_tooling
@@ -37,7 +37,7 @@
#
#################################################################################
#
- InsertSection "Software: System tooling"
+ InsertSection "${SECTION_SYSTEM_TOOLING}"
#
#################################################################################
#
@@ -373,6 +373,33 @@
#
#################################################################################
#
+ # Test : TOOL-5130
+ # Description : Check for Suricata
+ Register --test-no TOOL-5130 --weight L --network NO --category security --description "Check for active Suricata daemon"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ # Suricata presence
+ if [ -n "${SURICATABINARY}" ]; then
+ Report "ids_ips_tooling[]=suricata"
+ LogText "Result: Suricata is installed (${SURICATABINARY})"
+ # Suricata status
+ # Suricata sets its process name to Suricata-Main on Linux, but this might differ on other platforms,
+ # so fall back to checking the full commandline instead if the first test fails
+ if IsRunning "Suricata-Main" || IsRunning --full "${SURICATABINARY} "; then
+ # Only satisfy test TOOL-5190 if Suricata is actually running
+ IDS_IPS_TOOL_FOUND=1
+ LogText "Result: Suricata daemon is active"
+ Display --indent 2 --text "- Checking Suricata status" --result "${STATUS_RUNNING}" --color GREEN
+ else
+ LogText "Result: Suricata daemon not active"
+ Display --indent 2 --text "- Checking Suricata status" --result "${STATUS_NOT_RUNNING}" --color YELLOW
+ fi
+ else
+ LogText "Result: Suricata not installed (suricata not found)"
+ fi
+ fi
+#
+#################################################################################
+#
# Test : TOOL-5160
# Description : Check for OSSEC
Register --test-no TOOL-5126 --weight L --network NO --category security --description "Check for active OSSEC daemon"
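Review bot: The fallback `IsRunning --full "${SURICATABINARY} "` requires a trailing space after the binary path, so a daemon started without arguments would be reported as not running although it is; how exactly `--full` matches is defined outside this file, so please confirm. If the trailing space is deliberate to avoid matching other binaries that share the same path prefix, record that next to the call (`# trailing space: do not match other binaries sharing this prefix`) and consider also accepting an exact match of the bare path. `Report "ids_ips_tooling[]=suricata"` is emitted whenever the binary exists, while `IDS_IPS_TOOL_FOUND` is set only in the running branch; if the report field is meant to list active tooling, move the `Report` line into that branch. The header comment `# Description : Check for Suricata` also differs from the registered description "Check for active Suricata daemon"; align the two.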
diff --git a/include/tests_usb b/include/tests_usb
index 1c6cae6d..d99d5a66 100644
--- a/include/tests_usb
+++ b/include/tests_usb
@@ -19,7 +19,7 @@
#
#################################################################################
#
- InsertSection "USB Devices"
+ InsertSection "${SECTION_USB_DEVICES}"
#
#################################################################################
#
@@ -73,7 +73,7 @@
fi
if [ ${FOUND} -eq 0 ]; then
LogText "Result: usb-storage driver is not explicitly disabled"
- Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "NOT DISABLED" --color WHITE
+ Display --indent 2 --text "- Checking usb-storage driver (modprobe config)" --result "${STATUS_NOT_DISABLED}" --color WHITE
if [ "${USBGUARD_FOUND}" -eq "0" ]; then
ReportSuggestion "${TEST_NO}" "Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft"
fi
diff --git a/include/tests_virtualization b/include/tests_virtualization
index 3902defc..e4df170e 100644
--- a/include/tests_virtualization
+++ b/include/tests_virtualization
@@ -22,7 +22,7 @@
#
#################################################################################
#
- InsertSection "Virtualization"
+ InsertSection "${SECTION_VIRTUALIZATION}"
#
#################################################################################
#
diff --git a/include/tests_webservers b/include/tests_webservers
index 188a6031..45588492 100644
--- a/include/tests_webservers
+++ b/include/tests_webservers
@@ -22,7 +22,7 @@
#
#################################################################################
#
- InsertSection "Software: webserver"
+ InsertSection "${SECTION_WEBSERVER}"
#
#################################################################################
#
diff --git a/lynis b/lynis
index d5dca003..1cd6f9c0 100755
--- a/lynis
+++ b/lynis
@@ -43,10 +43,10 @@
PROGRAM_WEBSITE="https://cisofy.com/lynis/"
# Version details
- PROGRAM_RELEASE_DATE="2020-03-20"
- PROGRAM_RELEASE_TIMESTAMP=1584711965
+ PROGRAM_RELEASE_DATE="2020-10-05"
+ PROGRAM_RELEASE_TIMESTAMP=1601896929
PROGRAM_RELEASE_TYPE="pre-release" # pre-release or release
- PROGRAM_VERSION="3.0.0"
+ PROGRAM_VERSION="3.0.2"
# Source, documentation and license
PROGRAM_SOURCE="https://github.com/CISOfy/lynis"
@@ -216,7 +216,7 @@
# Extract the short notation of the language (first two characters).
if [ -x "$(command -v locale 2> /dev/null)" ]; then
- LANGUAGE=$(locale | egrep "^LANG=" | cut -d= -f2 | cut -d_ -f1 | egrep "^[a-z]{2}$")
+ LANGUAGE=$(locale | egrep "^LANG=" | cut -d= -f2 | cut -d_ -f1 | tr -d '"' | egrep "^[a-z]{2}$")
# Try locale command if shell variable had no value
if [ -z "${DISPLAY_LANG}" ]; then
DISPLAY_LANG=$(locale | egrep "^LANG=" | cut -d= -f2)
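Review bot: The added `tr -d '"'` fixes quoting only for `LANGUAGE`; `DISPLAY_LANG` two lines below is built from the same `locale` output without it, so a quoted `LANG="xx_YY.UTF-8"` leaves the quotes in `DISPLAY_LANG`. Apply the same filter there: `DISPLAY_LANG=$(locale | egrep "^LANG=" | cut -d= -f2 | tr -d '"')`. Separately, `egrep` is a deprecated alias in current GNU grep and emits a warning on some systems; `grep -E` is the portable spelling. The enclosing `if` block closes outside this hunk.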
@@ -241,6 +241,11 @@
echo "Could not find languages directory (file: ${DBDIR}/languages/en)"
exit 1
fi
+
+ # Now that we have determined the language, we unset it from shell
+ # Some tools with translated strings are very hard to parse
+ unset LANG
+
#
#################################################################################
#
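Review bot: `unset LANG` clears only one of the locale variables; if `LC_ALL` or `LC_MESSAGES` is set in the invoking environment, child tools still produce translated output and the goal stated in the comment is not met. Consider `unset LANG LC_ALL LC_MESSAGES`, or `export LC_ALL=C` if byte-wise collation for sort/grep is also wanted; the latter changes behaviour for everything downstream, so verify that no later test depends on the user's locale. The variable is unset after the language database has been loaded, so Lynis' own translated strings appear unaffected, which seems to be the intent; stating that in the comment would help the next reader.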
@@ -267,21 +272,21 @@
# Disable logging if no alternative was provided
if [ ${PRIVILEGED} -eq 0 ]; then
if [ -z "${LOGFILE}" ]; then
- # Try creating a log file in temporary directory
- if [ ! -f /tmp/lynis.log ]; then
- if [ -L /tmp/lynis.log ]; then echo "Log file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi
- touch /tmp/lynis.log
- if [ $? -eq 0 ]; then LOGFILE="/tmp/lynis.log"; else LOGFILE="/dev/null"; fi
+ # Try creating a log file in home directory
+ if [ ! -f "$HOME/lynis.log" ]; then
+ if [ -L "$HOME/lynis.log" ]; then echo "Log file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi
+ touch "$HOME/lynis.log"
+ if [ $? -eq 0 ]; then LOGFILE="$HOME/lynis.log"; else LOGFILE="/dev/null"; fi
else
- LOGFILE="/tmp/lynis.log"
+ LOGFILE="$HOME/lynis.log"
fi
else
if [ -L "${LOGFILE}" ]; then echo "Log file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi
fi
if [ -z "${REPORTFILE}" ]; then
- touch /tmp/lynis-report.dat
- if [ -L /tmp/lynis-report.dat ]; then echo "Report file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi
- if [ $? -eq 0 ]; then REPORTFILE="/tmp/lynis-report.dat"; else REPORTFILE="/dev/null"; fi
+ touch "$HOME/lynis-report.dat"
+ if [ -L "$HOME/lynis-report.dat" ]; then echo "Report file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi
+ if [ $? -eq 0 ]; then REPORTFILE="$HOME/lynis-report.dat"; else REPORTFILE="/dev/null"; fi
else
if [ -L "${REPORTFILE}" ]; then echo "Report file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi
fi
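Review bot: In the report-file branch the new lines keep the old ordering in which `touch "$HOME/lynis-report.dat"` runs before the `-L` check, so a pre-existing symlink has already been followed and written through when the check rejects it, and the `$?` tested on the next line is the status of the `[ -L ]` test rather than of `touch`. Reorder to match the log-file branch: `if [ -L "$HOME/lynis-report.dat" ]; then ...; exit 1; fi` first, then `touch "$HOME/lynis-report.dat"`, then the `$?` test. In the log-file branch, `[ ! -f "$HOME/lynis.log" ]` is false for a symlink pointing at an existing regular file, so the `-L` check on the following line only runs for dangling links; perform the `-L` check before the `-f` test. `$HOME` can be unset or empty under cron or a minimal environment, in which case the paths collapse to `/lynis.log` and `/lynis-report.dat`; guard with `${HOME:?}` or fall back to `/dev/null` when it is empty.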
@@ -448,6 +453,7 @@ ${YELLOW}Note: ${WHITE}Cancelling the program can leave temporary files behind${
${GRAY}--verbose${NORMAL} : Show more details on screen
${GRAY}--version (-V)${NORMAL} : Display version number and quit
${GRAY}--wait${NORMAL} : Wait between a set of tests
+ ${GRAY}--slow-warning ${BROWN}<seconds>${NORMAL} : Threshold for slow test warning in seconds (default 10)
${WHITE}Enterprise options${NORMAL}
${GRAY}--plugindir ${BROWN}<path>${NORMAL} : Define path of available plugins
@@ -505,7 +511,7 @@ ${NORMAL}
#
SafePerms ${INCLUDEDIR}/osdetection
. ${INCLUDEDIR}/osdetection
- Display --indent 2 --text "- Detecting OS... " --result DONE --color GREEN
+ Display --indent 2 --text "- Detecting OS... " --result "${STATUS_DONE}" --color GREEN
# Check hostname
case ${OS} in
@@ -536,7 +542,7 @@ ${NORMAL}
CDATE=$(date "+%Y-%m-%d %H:%M:%S")
if [ ${LOGTEXT} -eq 1 ]; then echo "${CDATE} Starting ${PROGRAM_NAME} ${PROGRAM_VERSION} with PID ${OURPID}, build date ${PROGRAM_RELEASE_DATE}" > ${LOGFILE}; fi
if [ $? -gt 0 ]; then
- Display --indent 2 --text "- Clearing log file (${LOGFILE})... " --result WARNING --color RED
+ Display --indent 2 --text "- Clearing log file (${LOGFILE})... " --result "${STATUS_WARNING}" --color RED
echo "${WARNING}Fatal error${NORMAL}: problem while writing to log file. Check location and permissions."
RemovePIDFile
exit 1
@@ -583,7 +589,7 @@ ${NORMAL}
if [ ${SET_STRICT} -eq 0 ]; then
set +u # Allow uninitialized variables
else
- set -u # Do not allow unitialized variables
+ set -u # Do not allow uninitialized variables
fi
# Import a different language when configured
@@ -722,7 +728,7 @@ ${NORMAL}
fi
if [ -z "${PROGRAM_AC}" -o -z "${PROGRAM_LV}" ]; then
- Display --indent 2 --text "- Program update status... " --result UNKNOWN --color YELLOW
+ Display --indent 2 --text "- Program update status... " --result "${STATUS_UNKNOWN}" --color YELLOW
LogText "Result: Update check failed. No network connection?"
LogText "Info: to perform an automatic update check, outbound DNS connections should be allowed (TXT record)."
# Set both to safe values
@@ -735,13 +741,13 @@ ${NORMAL}
PROGRAM_MINVERSION=$((PROGRAM_LV - 10))
LogText "Minimum required version : ${PROGRAM_MINVERSION}"
if [ ${PROGRAM_MINVERSION} -gt ${PROGRAM_AC} ]; then
- Display --indent 2 --text "- Program update status... " --result "WARNING" --color RED
+ Display --indent 2 --text "- Program update status... " --result "${STATUS_WARNING}" --color RED
LogText "Result: This version is VERY outdated. Newer ${PROGRAM_NAME} release available!"
ReportWarning "LYNIS" "Version of Lynis is very old and should be updated"
Report "lynis_update_available=1"
UPDATE_AVAILABLE=1
else
- Display --indent 2 --text "- Program update status... " --result "UPDATE AVAILABLE" --color YELLOW
+ Display --indent 2 --text "- Program update status... " --result "${STATUS_UPDATE_AVAILABLE}" --color YELLOW
LogText "Result: newer ${PROGRAM_NAME} release available!"
ReportSuggestion "LYNIS" "Version of Lynis outdated, consider upgrading to the latest version"
Report "lynis_update_available=1"
@@ -749,11 +755,11 @@ ${NORMAL}
fi
else
if [ ${UPDATE_CHECK_SKIPPED} -eq 0 ]; then
- Display --indent 2 --text "- Program update status... " --result "NO UPDATE" --color GREEN
+ Display --indent 2 --text "- Program update status... " --result "${STATUS_NO_UPDATE}" --color GREEN
LogText "No ${PROGRAM_NAME} update available."
Report "lynis_update_available=0"
else
- Display --indent 2 --text "- Program update status... " --result "SKIPPED" --color YELLOW
+ Display --indent 2 --text "- Program update status... " --result "${STATUS_SKIPPED}" --color YELLOW
LogText "Update check skipped due to constraints (e.g. missing dig binary)"
Report "lynis_update_available=-1"
fi
@@ -773,7 +779,7 @@ ${NORMAL}
if [ ${NOW} -gt ${RELEASE_PLUS_TIMEDIFF} ]; then
# Show if release is old, only if we didn't show it with normal update check
if [ ${UPDATE_AVAILABLE} -eq 0 ]; then
- ReportSuggestion "LYNIS" "This release is more than 4 months old. Consider upgrading"
+ ReportSuggestion "LYNIS" "This release is more than 4 months old. Check the website or GitHub to see if there is an update available."
fi
OLD_RELEASE=1
fi
@@ -856,12 +862,12 @@ ${NORMAL}
#################################################################################
#
if IsVerbose; then
- InsertSection "Program Details"
- Display --indent 2 --text "- ${GEN_VERBOSE_MODE}" --result "YES" --color GREEN
+ InsertSection "${SECTION_PROGRAM_DETAILS}"
+ Display --indent 2 --text "- ${GEN_VERBOSE_MODE}" --result "${STATUS_YES}" --color GREEN
if IsDebug; then
- Display --indent 2 --text "- ${GEN_DEBUG_MODE}" --result "YES" --color GREEN
+ Display --indent 2 --text "- ${GEN_DEBUG_MODE}" --result "${STATUS_YES}" --color GREEN
else
- Display --indent 2 --text "- ${GEN_DEBUG_MODE}" --result "NO" --color RED
+ Display --indent 2 --text "- ${GEN_DEBUG_MODE}" --result "${STATUS_NO}" --color RED
fi
fi
#
@@ -951,7 +957,7 @@ ${NORMAL}
RunPlugins 1
if [ ${N_PLUGIN_ENABLED} -eq 0 ]; then
- Display --indent 2 --text "- ${GEN_PLUGINS_ENABLED}" --result "NONE" --color WHITE
+ Display --indent 2 --text "- ${GEN_PLUGINS_ENABLED}" --result "${STATUS_NONE}" --color WHITE
Report "plugins_enabled=0"
else
Report "plugins_enabled=1"
@@ -1011,8 +1017,8 @@ ${NORMAL}
LogText "Exception: skipping test category ${INCLUDE_TEST}, file ${INCLUDE_FILE} has bad permissions (should be 640, 600 or 400)"
ReportWarning "NONE" "Invalid permissions on tests file tests_${INCLUDE_TEST}"
# Insert a section and warn user also on screen
- InsertSection "General"
- Display --indent 2 --text "- Running test category ${INCLUDE_TEST}... " --result "SKIPPED" --color RED
+ InsertSection "${SECTION_GENERAL}"
+ Display --indent 2 --text "- Running test category ${INCLUDE_TEST}... " --result "${STATUS_SKIPPED}" --color RED
fi
else
echo "Error: Can't find file (category: ${INCLUDE_TEST})"
@@ -1037,10 +1043,10 @@ ${NORMAL}
else
LogText "Exception: skipping custom tests, file has bad permissions (should be 640, 600 or 400)"
ReportWarning "NONE" "Invalid permissions on custom tests file"
- Display --indent 2 --text "- Running custom tests... " --result "WARNING" --color RED
+ Display --indent 2 --text "- Running custom tests... " --result "${STATUS_WARNING}" --color RED
fi
else
- Display --indent 2 --text "- Running custom tests... " --result "NONE" --color WHITE
+ Display --indent 2 --text "- Running custom tests... " --result "${STATUS_NONE}" --color WHITE
fi
fi
#
@@ -1073,7 +1079,7 @@ ${NORMAL}
if [ ${SKIP_PLUGINS} -eq 0 ]; then
RunPlugins 2
if [ ${N_PLUGIN_ENABLED} -gt 1 ]; then
- Display --indent 2 --text "- Plugins (phase 2)" --result "DONE" --color GREEN
+ Display --indent 2 --text "- Plugins (phase 2)" --result "${STATUS_DONE}" --color GREEN
fi
fi
#