-rw-r--r--CHANGELOG.md9
-rw-r--r--include/binaries2
-rw-r--r--include/functions2
-rw-r--r--include/helper_audit_dockerfile38
-rw-r--r--include/parameters5
-rwxr-xr-xlynis6
6 files changed, 30 insertions, 32 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a6604115..039f8cd4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,14 +1,21 @@
# Lynis Changelog
-## Lynis 2.7.5 (not released yet)
+## Lynis 2.7.5 (2019-06-24)
### Added
- Danish translation
+- Slackware end-of-life information
+- Detect BSD-style (rc.d) init in Linux systems
+- Detection of Bro and Suricata (IDS)
### Changed
- Corrected end-of-life entries for CentOS 5 and 6
+- AUTH-9204 - change name to check in /etc/passwd file for QNAP devices
- AUTH-9268 - AIX enhancement to use correct find statement
- FILE-6310 - Filter on correct field for AIX
+- NETW-3012 - set ss command as preferred option for Linux and changed output format
+- List of PHP ini file locations has been extended
+- Removed several pieces of the code as part of cleanup and code health
- Extended help
---------------------------------------------------------------------------------
diff --git a/include/binaries b/include/binaries
index 7bf0d233..89b29b07 100644
--- a/include/binaries
+++ b/include/binaries
@@ -110,6 +110,7 @@
base64) BASE64BINARY="${BINARY}"; LogText " Found known binary: base64 (encoding tool) - ${BINARY}" ;;
blkid) BLKIDBINARY="${BINARY}"; LogText " Found known binary: blkid (information about block devices) - ${BINARY}" ;;
bootctl) BOOTCTLBINARY="${BINARY}"; LogText " Found known binary: bootctl (systemd-boot manager utility) - ${BINARY}" ;;
+ bro) BROBINARY="${BINARY}"; LogText " Found known binary: bro (IDS) - ${BINARY}" ;;
cat) CAT_BINARY="${BINARY}"; LogText " Found known binary: cat (generic file handling) - ${BINARY}" ;;
cc) CCBINARY="${BINARY}"; COMPILER_INSTALLED=1; LogText " Found known binary: cc (compiler) - ${BINARY}" ;;
chkconfig) CHKCONFIGBINARY=${BINARY}; LogText " Found known binary: chkconfig (administration tool) - ${BINARY}" ;;
@@ -227,6 +228,7 @@
sha1|sha1sum|shasum) SHA1SUMBINARY="${BINARY}"; LogText " Found known binary: sha1/sha1sum/shasum (crypto hashing) - ${BINARY}" ;;
sha256|sha256sum) SHA256SUMBINARY="${BINARY}"; LogText " Found known binary: sha256/sha256sum (crypto hashing) - ${BINARY}" ;;
ssh-keyscan) SSHKEYSCANBINARY="${BINARY}"; LogText " Found known binary: ssh-keyscan (scanner for SSH keys) - ${BINARY}" ;;
+ suricata) SURICATABINARY="${BINARY}"; LogText " Found known binary: suricata (IDS) - ${BINARY}" ;;
sysctl) SYSCTLBINARY="${BINARY}"; LogText " Found known binary: sysctl (kernel parameters) - ${BINARY}" ;;
syslog-ng) SYSLOGNGBINARY="${BINARY}"; SYSLOGNGVERSION=$(${BINARY} -V 2>&1 | grep "^syslog-ng" | awk '{ print $2 }'); LogText "Found ${BINARY} (version ${SYSLOGNGVERSION})" ;;
systemctl) SYSTEMCTLBINARY="${BINARY}"; LogText " Found known binary: systemctl (client to systemd) - ${BINARY}" ;;
diff --git a/include/functions b/include/functions
index 35cb6b00..6f067761 100644
--- a/include/functions
+++ b/include/functions
@@ -2009,7 +2009,7 @@
for ITEM in ${VALUE}; do
LogText "Result: found protocol ${ITEM}"
case ${ITEM} in
- "sslv2" | "sslv3")
+ "sslv2" | "sslv3" | "tlsv1")
NGINX_WEAK_SSL_PROTOCOL_FOUND=1
;;
esac
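Review bot: The new `"tlsv1"` arm matches only that exact lowercase token, so an `ssl_protocols` value of `tlsv1.1` still passes as strong even though it is generally treated as belonging to the same deprecated set as TLSv1; `"sslv2" | "sslv3" | "tlsv1" | "tlsv1.1")` would cover it. The comparison is also case-sensitive, while nginx normally writes these values as `TLSv1`/`SSLv3` — if `VALUE` is not lowercased before this loop, none of the arms match; I cannot confirm that from the hunk. The enclosing `for ITEM in ${VALUE}` loop and its function start outside this hunk.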
diff --git a/include/helper_audit_dockerfile b/include/helper_audit_dockerfile
index efe73d28..3d18556f 100644
--- a/include/helper_audit_dockerfile
+++ b/include/helper_audit_dockerfile
@@ -19,25 +19,14 @@
#################################################################################
if [ $# -eq 0 ]; then
- Display --indent 2 --text "${RED}Error: ${WHITE}Provide URL or file${NORMAL}"
+ Display --indent 2 --text "${RED}Error: ${WHITE}Provide a file${NORMAL}"
Display --text " "; Display --text " "
ExitFatal
else
FILE=$(echo $1 | egrep "^http|https")
if HasData "${FILE}"; then
- CreateTempFile
- TMP_FILE="${TEMP_FILE}"
- Display --indent 2 --text "Downloading URL ${FILE} with wget"
- wget -o ${TMP_FILE} ${FILE}
- if [ $? -gt 0 ]; then
- AUDIT_FILE="${TMP_FILE}"
- else
- if [ -f ${TMP_FILE} ]; then
- rm -f ${TMP_FILE}
- fi
- Display --indent 2 --text "${RED}Error: ${WHITE}can not download file${NORMAL}"
- ExitFatal
- fi
+ echo "Provide a file (not a URL)"
+ ExitFatal
else
if [ -f $1 ]; then
AUDIT_FILE="$1"
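Review bot: The URL test feeding the new rejection branch, `FILE=$(echo $1 | egrep "^http|https")`, is broader than intended: in ERE the `^` anchors only the first alternative, so any local path that merely contains `https` (a Dockerfile under a directory named `https-proxy`, say) is now refused with "Provide a file (not a URL)". Anchoring both alternatives and quoting the argument, `FILE=$(echo "$1" | grep -E "^https?://")`, limits the rejection to actual URLs. The new branch also reports with a bare `echo` while the sibling error at the top of the hunk uses `Display --indent 2 --text`; using the same call keeps the output consistent. The `else` branch continues past the end of this hunk.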
@@ -70,13 +59,12 @@ fi
IS_ALPINE=$(echo ${IMAGE} | grep -i alpine)
IS_LATEST=$(echo ${TAG} | grep -i latest)
- if [ ! "${IS_DEBIAN}" = "" ]; then IMAGE="debian"; fi
- if [ ! "${IS_FEDORA}" = "" ]; then IMAGE="fedora"; fi
- if [ ! "${IS_UBUNTU}" = "" ]; then IMAGE="ubuntu"; fi
- if [ ! "${IS_ALPINE}" = "" ]; then IMAGE="alpine"; fi
-
- if [ ! "${IS_LATEST}" = "" ]; then
- ReportWarning "dockerfile" "latest TAG used. Specifying the version is better."
+ if [ ! -z "${IS_DEBIAN}" ]; then IMAGE="debian"; fi
+ if [ ! -z "${IS_FEDORA}" ]; then IMAGE="fedora"; fi
+ if [ ! -z "${IS_UBUNTU}" ]; then IMAGE="ubuntu"; fi
+ if [ ! -z "${IS_ALPINE}" ]; then IMAGE="alpine"; fi
+ if [ ! -z "${IS_LATEST}" ]; then
+ ReportWarning "dockerfile" "latest TAG used. Specifying a targeted OS image and version is better for reproducible results."
fi
case ${IMAGE} in
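Review bot: The rewritten tests use `[ ! -z "${IS_DEBIAN}" ]`, a double negative that ShellCheck flags (SC2236); `[ -n "${IS_DEBIAN}" ]` states the same condition directly, and the same applies to the four lines that follow it. Separately, the four `IMAGE=` assignments run unconditionally in sequence, so an image name that matches more than one pattern ends up as whichever test comes last; if that precedence is intended a short comment such as `# last match wins` would make it explicit. The block these tests belong to starts outside this hunk.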
@@ -110,14 +98,14 @@ InsertSection "Basics"
#FIND=$(egrep "^MAINTAINER" ${AUDIT_FILE} | sed 's/ /:space:/g')
FIND=$(egrep -i "*MAINTAINER" ${AUDIT_FILE} | sed 's/=/ /g' | cut -d'"' -f 2)
- if [ "${FIND}" = "" ]; then
+ if [ -z "${FIND}" ]; then
ReportWarning "dockerfile" "No maintainer found. Unclear who created this file."
else
#MAINTAINER=$(echo ${FIND} | sed 's/:space:/ /g' | awk '{ if($1=="MAINTAINER") { print }}')
MAINTAINER=$(echo ${FIND})
Display --indent 2 --text "Maintainer" --result "${MAINTAINER}"
fi
-
+
FIND=$(grep "^ENTRYPOINT" ${AUDIT_FILE} | cut -d' ' -f2 )
if [ "${FIND}" = "" ]; then
ReportWarning "dockerfile" "No ENTRYPOINT defined in Dockerfile."
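Review bot: The switch to `[ -z "${FIND}" ]` stops one test short: the ENTRYPOINT check on the second-to-last line of this hunk keeps the old `if [ "${FIND}" = "" ]; then` while the MAINTAINER check here and the CMD and USER checks in the two hunks below are converted, so the same section now mixes both idioms. Changing it to `if [ -z "${FIND}" ]; then` completes the cleanup. The `InsertSection "Basics"` block these checks belong to starts outside the hunk.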
@@ -127,7 +115,7 @@ InsertSection "Basics"
fi
FIND=$(grep "^CMD" ${AUDIT_FILE} | cut -d' ' -f2 )
- if [ "${FIND}" = "" ]; then
+ if [ -z "${FIND}" ]; then
ReportWarning "dockerfile" "No CMD defines in Dockerfile."
else
CMD=$(echo ${FIND})
@@ -135,7 +123,7 @@ InsertSection "Basics"
fi
FIND=$(grep "^USER" ${AUDIT_FILE} | cut -d' ' -f2 )
- if [ "${FIND}" = "" ]; then
+ if [ -z "${FIND}" ]; then
ReportWarning "dockerfile" "No user declared in Dockerfile. Container will execute command as root"
else
USER=$(echo ${FIND})
diff --git a/include/parameters b/include/parameters
index f3845526..53eeecb3 100644
--- a/include/parameters
+++ b/include/parameters
@@ -36,12 +36,13 @@
if [ $# -gt 1 ]; then
case $2 in
"dockerfile")
- if [ "$3" = "" ]; then
+ if [ $# = 2 ]; then
echo "${RED}Error: ${WHITE}Missing file name or URL${NORMAL}"
- echo "Example: $0 audit dockerfile /root/Dockerfile"
+ echo "Example: $0 audit dockerfile /path/to/Dockerfile"
ExitFatal
else
shift; shift
+ CHECK_BINARIES=1
HELPER_PARAMS="$1"
HELPER="audit_dockerfile"
break
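Review bot: The error text right after the new `if [ $# = 2 ]` still reads "Missing file name or URL", although this commit removes URL support in include/helper_audit_dockerfile and the example line below was already reworded to a path; `echo "${RED}Error: ${WHITE}Missing file name${NORMAL}"` would match the new behaviour. Replacing `[ "$3" = "" ]` with an argument count also means an explicitly empty third argument is no longer rejected and falls through to `HELPER_PARAMS=""`; `if [ $# -eq 2 ] || [ -z "$3" ]; then` keeps that check and uses the integer comparison `-eq` instead of string `=`. The added `CHECK_BINARIES=1` carries no comment saying why the dockerfile helper now needs the binary scan; a one-line comment stating the reason would help the next reader. The `case` and the loop that the `break` exits continue outside this hunk.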
diff --git a/lynis b/lynis
index 800c3b7b..8c016110 100755
--- a/lynis
+++ b/lynis
@@ -35,9 +35,9 @@
PROGRAM_AUTHOR_CONTACT="lynis-dev@cisofy.com"
# Version details
- PROGRAM_RELEASE_DATE="2019-06-17"
- PROGRAM_RELEASE_TIMESTAMP=1560766656
- PROGRAM_RELEASE_TYPE="dev" # dev or final
+ PROGRAM_RELEASE_DATE="2019-06-24"
+ PROGRAM_RELEASE_TIMESTAMP=1561383761
+ PROGRAM_RELEASE_TYPE="final" # dev or final
PROGRAM_VERSION="2.7.5"
# Source, documentation and license