-rw-r--r-- | CHANGELOG.md | 19 | ||||
-rw-r--r-- | db/software-eol.db | 150 | ||||
-rw-r--r-- | include/consts | 4 | ||||
-rw-r--r-- | include/data_upload | 15 | ||||
-rw-r--r-- | include/osdetection | 23 | ||||
-rw-r--r-- | include/profiles | 2 | ||||
-rw-r--r-- | include/tests_boot_services | 8 | ||||
-rw-r--r-- | include/tests_kernel | 5 | ||||
-rwxr-xr-x | lynis | 29 |
9 files changed, 163 insertions, 92 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index 3c699f64..deaac158 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,11 +1,28 @@ # Lynis Changelog -## Lynis 3.0.0 (not released yet) +## Lynis 3.0.1 (not released yet) + +### Changed +- BOOT-5122 - Presence check for grub.d added +- KRNL-5830 - Improved version detection for non-symlinked kernel +- Added Kali Linux +- Fix: language detection +- End-of-life database updated +- Small code enhancements + +--------------------------------------------------------------------------------- + +## Lynis 3.0.0 (2020-06-18) This is a major release of Lynis and includes several big changes. Some of these changes may break your current usage of the tool, so test before deployment! +### Security issues +This release resolves two security issues +* CVE-2020-13882 - Discovered by Sander Bos, code submission by Katarina Durechova +* CVE-2019-13033 - Discovered by Sander Bos + ### Breaking change: Non-interactive by default Lynis now runs non-interactive by default, to be more in line with the Unix philosophy. So the previously used '--quick' option is now default, and the tool diff --git a/db/software-eol.db b/db/software-eol.db index b3285487..a5a1101e 100644 --- a/db/software-eol.db +++ b/db/software-eol.db @@ -8,6 +8,7 @@ # 4) converted date (seconds since epoch) or -1 # # Date can be converted on Linux using: date "+%s" --date=2020-01-01 +# Seconds since epoch can be verified using: date -d @1467324000 +'%Y-%m-%d' # # Notes: # For rolling releases or releases that do not (currently have an EOL date, leave field three empty and set field four to -1. 
@@ -38,55 +39,72 @@ os:Debian 8:2020-06-30:1593468000:
 os:Debian 9:2022-01-01:1640991600:
 os:Debian 10:2022-01-01:1640991600:
 #
+# Fedora - https://fedoraproject.org/wiki/End_of_life
+#
+os:Fedora release 25:2017-12-12:1513033200:
+os:Fedora release 26:2018-05-29:1527544800:
+os:Fedora release 27:2018-11-30:1543532400:
+os:Fedora release 28:2019-05-28:1558994400:
+os:Fedora release 29:2019-11-26:1574722800:
+os:Fedora release 30:2020-05-26:1590444000:
+#
 # FreeBSD - https://www.freebsd.org/security/unsupported.html
 #
-os:FreeBSD 9.3:2014-12-31:0:
-os:FreeBSD 10.0:2015-02-28:0:
-os:FreeBSD 10.1:2016-12-31:0:
-os:FreeBSD 10.2:2016-12-31:0:
-os:FreeBSD 10.3:2018-04-30:0:
-os:FreeBSD 10.4:2018-10-31:0:
-os:FreeBSD 11.0:2017-11-30:0:
-os:FreeBSD 11.1:2018-09-30:0:
+os:FreeBSD 9.3:2014-12-31:1419980400:
+os:FreeBSD 10.0:2015-02-28:1425078000:
+os:FreeBSD 10.1:2016-12-31:1483138800:
+os:FreeBSD 10.2:2016-12-31:1483138800:
+os:FreeBSD 10.3:2018-04-30:1525039200:
+os:FreeBSD 10.4:2018-10-31:1540940400:
+os:FreeBSD 11.0:2017-11-30:1511996400:
+os:FreeBSD 11.1:2018-09-30:1538258400:
+os:FreeBSD 11.2:2019-10-31:1572476400:
+os:FreeBSD 12.0:2020-02-29:1582930800:
+#
+# Linux Mint
+#
+os:Linux Mint 18:2021-04-01:1617228000:
+os:Linux Mint 19:2023-04-01:1680300000:
+os:Linux Mint 20:2025-04-01:1743458400:
 #
 # NetBSD - https://www.netbsd.org/support/security/release.html and
 # https://www.netbsd.org/releases/formal.html
 #
-os:NetBSD 2.0:2008-01-19:0:
-os:NetBSD 2.0.1:2008-01-19:0:
-os:NetBSD 2.0.2:2008-01-19:0:
-os:NetBSD 2.0.3:2008-01-19:0:
-os:NetBSD 2.1:2008-01-19:0:
-os:NetBSD 3.0:2009-09-29:0:
-os:NetBSD 3.0.1:2009-09-29:0:
-os:NetBSD 3.0.2:2009-09-29:0:
-os:NetBSD 3.1:2009-09-29:0:
-os:NetBSD 4.0:2012-11-17:0:
-os:NetBSD 4.0.1:2012-11-17:0:
-os:NetBSD 5.0:2015-11-17:0:
-os:NetBSD 5.0.1:2015-10-17:0:
-os:NetBSD 5.0.2:2015-10-17:0:
-os:NetBSD 5.1:2015-10-17:0:
-os:NetBSD 5.1.1:2015-10-17:0:
-os:NetBSD 5.1.2:2015-10-17:0:
-os:NetBSD 5.1.3:2015-10-17:0:
-os:NetBSD 5.1.4:2015-10-17:0:
-os:NetBSD 5.1.5:2015-10-17:0:
-os:NetBSD 5.2.1:2015-10-17:0:
-os:NetBSD 5.2.2:2015-10-17:0:
-os:NetBSD 5.2.3:2015-10-17:0:
-os:NetBSD 6.0:2017-09-17:0:
-os:NetBSD 6.0.1:2017-09-17:0:
-os:NetBSD 6.0.2:2017-09-17:0:
-os:NetBSD 6.0.3:2017-09-17:0:
-os:NetBSD 6.0.4:2017-09-17:0:
-os:NetBSD 6.0.5:2017-09-17:0:
-os:NetBSD 6.1:2017-09-17:0:
-os:NetBSD 6.1.1:2017-09-17:0:
-os:NetBSD 6.1.2:2017-09-17:0:
-os:NetBSD 6.1.3:2017-09-17:0:
-os:NetBSD 6.1.4:2017-09-17:0:
-os:NetBSD 6.1.5:2017-09-17:0:
+os:NetBSD 2.0:2008-01-19:1200697200:
+os:NetBSD 2.0.1:2008-01-19:1200697200:
+os:NetBSD 2.0.2:2008-01-19:1200697200:
+os:NetBSD 2.0.3:2008-01-19:1200697200:
+os:NetBSD 2.1:2008-01-19:1200697200:
+os:NetBSD 3.0:2009-09-29:1254175200:
+os:NetBSD 3.0.1:2009-09-29:1254175200:
+os:NetBSD 3.0.2:2009-09-29:1254175200:
+os:NetBSD 3.1:2009-09-29:1254175200:
+os:NetBSD 4.0:2012-11-17:1353106800:
+os:NetBSD 4.0.1:2012-11-17:1353106800:
+os:NetBSD 5.0:2015-11-17:1447714800:
+os:NetBSD 5.0.1:2015-10-17:1445032800:
+os:NetBSD 5.0.2:2015-10-17:1445032800:
+os:NetBSD 5.1:2015-10-17:1445032800:
+os:NetBSD 5.1.1:2015-10-17:1445032800:
+os:NetBSD 5.1.2:2015-10-17:1445032800:
+os:NetBSD 5.1.3:2015-10-17:1445032800:
+os:NetBSD 5.1.4:2015-10-17:1445032800:
+os:NetBSD 5.1.5:2015-10-17:1445032800:
+os:NetBSD 5.2.1:2015-10-17:1445032800:
+os:NetBSD 5.2.2:2015-10-17:1445032800:
+os:NetBSD 5.2.3:2015-10-17:1445032800:
+os:NetBSD 6.0:2017-09-17:1505599200:
+os:NetBSD 6.0.1:2017-09-17:1505599200:
+os:NetBSD 6.0.2:2017-09-17:1505599200:
+os:NetBSD 6.0.3:2017-09-17:1505599200:
+os:NetBSD 6.0.4:2017-09-17:1505599200:
+os:NetBSD 6.0.5:2017-09-17:1505599200:
+os:NetBSD 6.1:2017-09-17:1505599200:
+os:NetBSD 6.1.1:2017-09-17:1505599200:
+os:NetBSD 6.1.2:2017-09-17:1505599200:
+os:NetBSD 6.1.3:2017-09-17:1505599200:
+os:NetBSD 6.1.4:2017-09-17:1505599200:
+os:NetBSD 6.1.5:2017-09-17:1505599200:
 os:NetBSD 7.0:2020-03-14:1584162000:
 os:NetBSD 7.0.1:2020-03-14:1584162000:
 os:NetBSD 7.0.2:2020-03-14:1584162000:
@@ -100,22 +118,22 @@ os:NetBSD 9.0::-1:
 #
 # OpenBSD - https://en.wikipedia.org/wiki/OpenBSD_version_history
 #
-os:OpenBSD 5.8:2016-09-01:0:
-os:OpenBSD 5.9:2017-04-11:0:
+os:OpenBSD 5.8:2016-09-01:1472680800:
+os:OpenBSD 5.9:2017-04-11:1491861600:
+os:OpenBSD 6.0:2017-09-10:1505001600:
+os:OpenBSD 6.1:2018-04-15:1523750400:
+os:OpenBSD 6.2:2018-10-18:1539820800:
+os:OpenBSD 6.3:2019-05-03:1556841600:
+os:OpenBSD 6.4:2019-10-17:1571270400:
+os:OpenBSD 6.5:2020-05-19:1589846400:
+os:OpenBSD 6.6:2020-10-01:1601510400:
+os:OpenBSD 6.7:2021-05-01:1619827200:
 #
-# Ubuntu - https://wiki.ubuntu.com/Kernel/LTSEnablementStack
+# Red Hat Enterprise Linux - https://access.redhat.com/labs/plcc/
 #
-os:Ubuntu 14.04:2019-05-01:1556661600:
-os:Ubuntu 14.10:2015-07-01:0:
-os:Ubuntu 15.04:2016-01-01:0:
-os:Ubuntu 15.10:2016-07-01:0:
-os:Ubuntu 16.04:2021-05-01:1619820000:
-os:Ubuntu 16.10:2017-07-01:1498860000:
-os:Ubuntu 17.04:2018-01-01:1514761200:
-os:Ubuntu 17.10:2018-07-01:1530396000:
-os:Ubuntu 18.04:2023-05-01:1682892000:
-os:Ubuntu 18.10:2019-07-18:1563400800:
-os:Ubuntu 19.04:2020-01-01:1577833200:
+os:Red Hat Enterprise Linux Server release 6:2020-11-30:1606690800:
+os:Red Hat Enterprise Linux 7:2024-06-30:1719698400:
+os:Red Hat Enterprise Linux 8:2029-05-07:1872799200:
 #
 # Slackware - https://en.wikipedia.org/wiki/Slackware#Releases
 #
@@ -132,3 +150,21 @@ os:Slackware Linux 12.2:2013-12-09:1386540000:
 os:Slackware Linux 13.0:2018-07-05:1530738000:
 os:Slackware Linux 13.1:2018-07-05:1530738000:
 os:Slackware Linux 13.37:2018-07-05:1530738000:
+#
+# Ubuntu - https://wiki.ubuntu.com/Kernel/LTSEnablementStack and
+# https://wiki.ubuntu.com/Releases
+#
+os:Ubuntu 14.04:2019-05-01:1556661600:
+os:Ubuntu 14.10:2015-07-01:1435701600:
+os:Ubuntu 15.04:2016-01-01:1451602800:
+os:Ubuntu 15.10:2016-07-01:1467324000:
+os:Ubuntu 16.04:2021-05-01:1619820000:
+os:Ubuntu 16.10:2017-07-01:1498860000:
+os:Ubuntu 17.04:2018-01-01:1514761200:
+os:Ubuntu 17.10:2018-07-01:1530396000:
+os:Ubuntu 18.04:2023-05-01:1682892000:
+os:Ubuntu 18.10:2019-07-18:1563400800:
+os:Ubuntu 19.04:2020-01-01:1577833200:
+os:Ubuntu 20.04:2025-04-01:1743458400:
+#
+# EOF
\ No newline at end of file diff --git a/include/consts b/include/consts index 7968ef1f..1a75ae68 100644 --- a/include/consts +++ b/include/consts @@ -33,10 +33,6 @@ BIN_PATHS="/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin \ ETC_PATHS="/etc /usr/local/etc" -# Do not use specific language, fall back to default -# Some tools with translated strings are very hard to parse -unset LANG - # ################################################################################# # diff --git a/include/data_upload b/include/data_upload index 6718d6d3..eae2b5cc 100644 --- a/include/data_upload +++ b/include/data_upload @@ -77,6 +77,10 @@ ExitFatal else Output "License key = ${LICENSE_KEY}" + # Create a temporary file to use during upload (prevent license key being displayed in process table) + CreateTempFile || ExitFatal + LICENSE_KEY_FILE="${TEMP_FILE}" + echo "${LICENSE_KEY}" | ${TRBINARY} -cd '[a-f0-9-]' > ${LICENSE_KEY_FILE} fi @@ -129,8 +133,9 @@ # License check - LogText "Command used: ${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "collector_version=${PROGRAM_VERSION}" ${LICENSE_SERVER_URL} 2> /dev/null" - UPLOAD=$(${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "collector_version=${PROGRAM_VERSION}" ${LICENSE_SERVER_URL} 2> /dev/null) + LogText "Command used: ${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "licensekey@${LICENSE_KEY_FILE}" --data-urlencode "collector_version=${PROGRAM_VERSION}" ${LICENSE_SERVER_URL} 2> /dev/null" + UPLOAD=$(${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "licensekey@${LICENSE_KEY_FILE}" --data-urlencode "collector_version=${PROGRAM_VERSION}" ${LICENSE_SERVER_URL} 2> /dev/null) + EXITCODE=$? LogText "Exit code: ${EXITCODE}" if [ ${EXITCODE} -gt 0 ]; then 
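Review bot: The character filter on the new `echo "${LICENSE_KEY}" | ${TRBINARY} -cd '[a-f0-9-]'` line keeps more than it appears to: in a tr SET the square brackets are literal characters, so `[` and `]` survive into the key file alongside hex digits and dashes, and the intended allow-list is `${TRBINARY} -cd 'a-f0-9-'`. The redirect target `> ${LICENSE_KEY_FILE}` should be quoted like the other paths in this file, and `printf '%s' "${LICENSE_KEY}"` avoids echo's option and escape handling for a value that comes from configuration. Whether the key file is created with owner-only permissions and removed at exit depends on CreateTempFile, which is not visible in this hunk; that is worth confirming, since the file now holds the secret the change is keeping out of the process table.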
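Review bot: The inner double quotes in the new `LogText "Command used: … --data-urlencode "licensekey@${LICENSE_KEY_FILE}" …"` line are not escaped, so the message is built from alternating quoted and unquoted segments and only stays a single argument because the temp-file path happens to contain no whitespace or glob characters. The later hunk in this same file writes the equivalent line as `--data-urlencode \"licensekey@${LICENSE_KEY_FILE}\"`; escaping them here the same way keeps the two log lines consistent and robust. LogText and the function enclosing this hunk are defined outside it.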
@@ -225,10 +230,10 @@ Output "${WHITE}Found hostid: ${HOSTID}${NORMAL}" # Try to connect Output "Uploading data.." - LogText "Command used: ${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode \"data@${REPORTFILE}\" --data-urlencode \"licensekey=${LICENSE_KEY}\" --data-urlencode \"hostid=${HOSTID}\" ${UPLOAD_URL}" - LogText "Tip: try running ${CURLBINARY}${CURL_OPTIONS} --data-urlencode \"data@${REPORTFILE}\" --data-urlencode \"licensekey=${LICENSE_KEY}\" --data-urlencode \"hostid=${HOSTID}\" ${UPLOAD_URL}" + LogText "Command used: ${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode \"data@${REPORTFILE}\" --data-urlencode \"licensekey@${LICENSE_KEY_FILE}\" --data-urlencode \"hostid=${HOSTID}\" ${UPLOAD_URL}" + LogText "Tip: try running ${CURLBINARY}${CURL_OPTIONS} --data-urlencode \"data@${REPORTFILE}\" --data-urlencode \"licensekey@${LICENSE_KEY_FILE}\" --data-urlencode \"hostid=${HOSTID}\" ${UPLOAD_URL}" LogText "Tip: to just retry an upload, use: lynis upload-only" - UPLOAD=$(${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "data@${REPORTFILE}" --data-urlencode "licensekey=${LICENSE_KEY}" --data-urlencode "hostid=${HOSTID}" --data-urlencode "hostid2=${HOSTID2}" ${UPLOAD_URL} 2> /dev/null) + UPLOAD=$(${CURLBINARY}${CURL_OPTIONS} -s -S --data-urlencode "data@${REPORTFILE}" --data-urlencode "licensekey@${LICENSE_KEY_FILE}" --data-urlencode "hostid=${HOSTID}" --data-urlencode "hostid2=${HOSTID2}" ${UPLOAD_URL} 2> /dev/null) EXITCODE=$? LogText "Exit code: ${EXITCODE}" if [ ${EXITCODE} -gt 0 ]; then diff --git a/include/osdetection b/include/osdetection index 7483664b..88aa8209 100644 --- a/include/osdetection +++ b/include/osdetection 
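Review bot: The `Tip: try running …` line now points the user at `licensekey@${LICENSE_KEY_FILE}`, a temporary file; if CreateTempFile's files are removed when Lynis exits (not visible here), the command can no longer be run as written from the log. A placeholder such as `--data-urlencode \"licensekey@<file containing the license key>\"`, or simply pointing at the `lynis upload-only` tip on the next line, would keep the advice usable without ever logging the key. Note also that the logged `Command used` line omits the `hostid2=${HOSTID2}` parameter that the actual curl invocation two lines below sends, so the log does not reflect the real request.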
@@ -188,11 +188,10 @@ OS_NAME="Gentoo Linux" OS_VERSION="Rolling release" ;; - "pureos") - LINUX_VERSION="PureOS" - OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') - OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') - OS_NAME="PureOS" + "kali") + LINUX_VERSION="Kali" + OS_NAME="Kali Linux" + OS_VERSION="Rolling release" ;; "manjaro") LINUX_VERSION="Manjaro" @@ -217,11 +216,11 @@ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_NAME="openSUSE" ;; - "ubuntu") - LINUX_VERSION="Ubuntu" + "pureos") + LINUX_VERSION="PureOS" OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') - OS_NAME="Ubuntu" + OS_NAME="PureOS" ;; "raspbian") LINUX_VERSION="Raspbian" @@ -243,8 +242,14 @@ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') ;; + "ubuntu") + LINUX_VERSION="Ubuntu" + OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + OS_NAME="Ubuntu" + ;; *) - ReportException "OS Detection" "Unknown OS found in /etc/os-release" + ReportException "OS Detection" "Unknown OS found in /etc/os-release - Please create issue on GitHub project page: ${PROGRAM_SOURCE}" ;; esac fi diff --git a/include/profiles b/include/profiles index da2124f7..2b0885ce 100644 --- a/include/profiles +++ b/include/profiles 
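Review bot: The new `"ubuntu")` arm repeats the `grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"'` pipeline that the relocated `"pureos")` arm and other arms in this case statement already use, which is how the arms drift apart over time. A small helper such as `OsReleaseValue() { grep "^${1}=" /etc/os-release | awk -F= '{print $2}' | tr -d '"'; }` defined near the top of this file would reduce each arm to `OS_VERSION=$(OsReleaseValue VERSION_ID)` and `OS_VERSION_FULL=$(OsReleaseValue VERSION)`. The case statement itself begins and ends outside these hunks.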
@@ -50,6 +50,7 @@ Display --text " " Display --text "==================================================================================================" Display --text " " + LogText "Insight: Profile '${PROFILE}' contians one or more old-style configuration entries" ReportWarning "GEN-0020" "Your profile contains one or more old-style configuration entries" sleep 10 fi @@ -556,7 +557,6 @@ Display --indent 2 --text "- Checking profiles..." --result "DONE" --color GREEN -LogTextBreak #================================================================================ # Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com diff --git a/include/tests_boot_services b/include/tests_boot_services index 8ad83d7c..fe5707e4 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services @@ -332,8 +332,12 @@ if [ ${SKIPTEST} -eq 0 ]; then FOUND=0 - CONF_FILES=$(${FINDBINARY} /etc/grub.d -type f -name "[0-9][0-9]*" -print0 | ${TRBINARY} '\0' ' ' | ${TRBINARY} -d '[:cntrl:]') - CONF_FILES="${GRUBCONFFILE} ${ROOTDIR}boot/grub/custom.cfg ${CONF_FILES}" + if [ "${ROOTDIR}etc/grub.d" ]; then + CONF_FILES=$(${FINDBINARY} "${ROOTDIR}etc/grub.d" -type f -name "[0-9][0-9]*" -print0 | ${TRBINARY} '\0' ' ' | ${TRBINARY} -d '[:cntrl:]') + CONF_FILES="${GRUBCONFFILE} ${ROOTDIR}boot/grub/custom.cfg ${CONF_FILES}" + else + CONF_FILES="${GRUBCONFFILE} ${ROOTDIR}boot/grub/custom.cfg" + fi for FILE in ${CONF_FILES}; do if [ -f "${FILE}" ]; then diff --git a/include/tests_kernel b/include/tests_kernel index 72e5082b..d445bb65 100644 --- a/include/tests_kernel +++ b/include/tests_kernel 
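Review bot: The new LogText message misspells "contains" as `contians`; since this is a runtime string that ends up in the log, it should read `LogText "Insight: Profile '${PROFILE}' contains one or more old-style configuration entries"`. Keeping its wording aligned with the ReportWarning text on the following line also makes the two entries easy to correlate when grepping the log.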
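Review bot: `if [ "${ROOTDIR}etc/grub.d" ]; then` only tests that the string is non-empty, which it always is, so the directory is never actually checked for presence and find still runs against a missing path exactly as before; the condition needs a file-test operator, `if [ -d "${ROOTDIR}etc/grub.d" ]; then`. With that fix the else branch becomes reachable and the behaviour matches the "presence check for grub.d" described in the changelog. The `find … -print0 | tr '\0' ' '` pipeline that follows still breaks any filename containing whitespace; that is pre-existing, but a `# NOTE: whitespace in file names is not supported` comment would save the next reader a puzzle.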
@@ -674,7 +674,10 @@ LogText "Result: found a symlink, retrieving destination" FOUND_VMLINUZ=$(readlink "${FOUND_VMLINUZ}") LogText "Result: destination file is ${FOUND_VMLINUZ}" - VERSION_ON_DISK=$(echo ${FOUND_VMLINUZ} | ${SEDBINARY} 's/^vmlinuz-//') + VERSION_ON_DISK=$(echo ${FOUND_VMLINUZ} | ${SEDBINARY} 's#^/boot/##' | ${SEDBINARY} 's/^vmlinuz-//') + LogText "Result: version derived from file name is '${VERSION_ON_DISK}'" + elif [ -f "${FOUND_VMLINUZ}" ]; then + VERSION_ON_DISK=$(echo ${FOUND_VMLINUZ} | ${SEDBINARY} 's#^/boot/##' | ${SEDBINARY} 's/^vmlinuz-//') LogText "Result: version derived from file name is '${VERSION_ON_DISK}'" fi @@ -43,10 +43,10 @@ PROGRAM_WEBSITE="https://cisofy.com/lynis/" # Version details - PROGRAM_RELEASE_DATE="2020-03-20" - PROGRAM_RELEASE_TIMESTAMP=1584711965 + PROGRAM_RELEASE_DATE="2020-06-18" + PROGRAM_RELEASE_TIMESTAMP=1592477492 PROGRAM_RELEASE_TYPE="pre-release" # pre-release or release - PROGRAM_VERSION="3.0.0" + PROGRAM_VERSION="3.0.1" # Source, documentation and license PROGRAM_SOURCE="https://github.com/CISOfy/lynis" @@ -241,6 +241,11 @@ echo "Could not find languages directory (file: ${DBDIR}/languages/en)" exit 1 fi + + # Now that we have determined the language, we unset it from shell + # Some tools with translated strings are very hard to parse + unset LANG + # ################################################################################# # 
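Review bot: The added `s#^/boot/##` strip only helps when readlink returns an absolute path under /boot; a relative link target (for example `boot/vmlinuz-5.4.0-…`, which readlink returns unchanged when the symlink was created relative) has no leading slash, so neither sed expression matches and VERSION_ON_DISK ends up as `boot/vmlinuz-…`. Deriving the version from the basename handles both shapes and removes the pipeline duplicated in the two branches: `VERSION_ON_DISK="${FOUND_VMLINUZ##*/}"` followed by `VERSION_ON_DISK="${VERSION_ON_DISK#vmlinuz-}"`. The unquoted `echo ${FOUND_VMLINUZ}` in both branches is also subject to word splitting and globbing. The enclosing if statement starts outside the hunk.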
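Review bot: `unset LANG` on its own does not deliver what the comment above it promises: LC_ALL and LC_MESSAGES take precedence over LANG, and GNU gettext consults LANGUAGE before either, so a system with any of those exported still produces translated tool output that the parsers downstream cannot handle. Forcing the C locale is the reliable form, `LC_ALL=C; export LC_ALL`, or at minimum `unset LANG LC_ALL LC_MESSAGES LANGUAGE`. The language-detection code this is meant to run after lies outside the hunk, so I cannot tell from here whether it reads LC_ALL as well as LANG; if it does, the override must stay below it as this placement intends.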
@@ -267,21 +272,21 @@ # Disable logging if no alternative was provided if [ ${PRIVILEGED} -eq 0 ]; then if [ -z "${LOGFILE}" ]; then - # Try creating a log file in temporary directory - if [ ! -f /tmp/lynis.log ]; then - if [ -L /tmp/lynis.log ]; then echo "Log file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi - touch /tmp/lynis.log - if [ $? -eq 0 ]; then LOGFILE="/tmp/lynis.log"; else LOGFILE="/dev/null"; fi + # Try creating a log file in home directory + if [ ! -f "$HOME/lynis.log" ]; then + if [ -L "$HOME/lynis.log" ]; then echo "Log file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi + touch "$HOME/lynis.log" + if [ $? -eq 0 ]; then LOGFILE="$HOME/lynis.log"; else LOGFILE="/dev/null"; fi else - LOGFILE="/tmp/lynis.log" + LOGFILE="$HOME/lynis.log" fi else if [ -L "${LOGFILE}" ]; then echo "Log file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi fi if [ -z "${REPORTFILE}" ]; then - touch /tmp/lynis-report.dat - if [ -L /tmp/lynis-report.dat ]; then echo "Report file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi - if [ $? -eq 0 ]; then REPORTFILE="/tmp/lynis-report.dat"; else REPORTFILE="/dev/null"; fi + touch "$HOME/lynis-report.dat" + if [ -L "$HOME/lynis-report.dat" ]; then echo "Report file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi + if [ $? -eq 0 ]; then REPORTFILE="$HOME/lynis-report.dat"; else REPORTFILE="/dev/null"; fi else if [ -L "${REPORTFILE}" ]; then echo "Report file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi fi |
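Review bot: In the report-file branch `touch "$HOME/lynis-report.dat"` runs first and its exit status is then replaced by that of the `if [ -L … ]` statement, so the following `[ $? -eq 0 ]` test never sees a failed touch and REPORTFILE is set to a path that may not exist. Reorder it as the log-file branch already does: `if [ -L "$HOME/lynis-report.dat" ]; then echo "Report file is symlinked, which can introduce the risk of a symlink attack."; exit 1; fi`, then `touch "$HOME/lynis-report.dat"`, then `if [ $? -eq 0 ]; then REPORTFILE="$HOME/lynis-report.dat"; else REPORTFILE="/dev/null"; fi`. Two related points: `$HOME` can be empty in cron or service contexts, turning these paths into `/lynis.log` and `/lynis-report.dat`, so a `[ -z "${HOME}" ]` guard that falls back to `/dev/null` is cheap; and because `-f` follows symlinks, a symlink to an existing regular file makes `! -f` false and is used via the else branch without ever reaching the `-L` check, the same ordering the /tmp version had but now applied to a user-writable location.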