-rw-r--r-- | CHANGELOG.md | 21 | ||||
-rw-r--r-- | README.md | 2 | ||||
-rw-r--r-- | db/languages/ru | 140 | ||||
-rw-r--r-- | db/software-eol.db | 2 | ||||
-rw-r--r-- | db/tests.db | 1 | ||||
-rw-r--r-- | include/functions | 11 | ||||
-rw-r--r-- | include/osdetection | 7 | ||||
-rw-r--r-- | include/tests_authentication | 4 | ||||
-rw-r--r-- | include/tests_boot_services | 3 | ||||
-rw-r--r-- | include/tests_filesystems | 15 | ||||
-rw-r--r-- | include/tests_kernel | 120 | ||||
-rw-r--r-- | include/tests_malware | 18 | ||||
-rw-r--r-- | include/tests_networking | 4 | ||||
-rw-r--r-- | include/tests_ports_packages | 2 | ||||
-rw-r--r-- | include/tests_ssh | 2 | ||||
-rwxr-xr-x | lynis | 6 |
16 files changed, 213 insertions, 145 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index ac435bd5..87dcb228 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,16 +1,33 @@ # Lynis Changelog -## Lynis 3.0.7 (Not released yet) +## Lynis 3.0.8 (not released yet) + +### Added +- MALW-3274 - Detect McAfee VirusScan Command Line Scanner +- EOL for Alpine Linux 3.14 and 3.15 + +### Changed +- KRNL-5788 - Only run relevant tests and improved logging +- KRNL-5830 - Check for /var/run/needs_restarting (Slackware) +- KRNL-5830 - Add a presence check for /boot/vmlinuz + +--------------------------------------------------------------------------------- + +## Lynis 3.0.7 (2022-01-18) ### Added - MALW-3290 - Show status of malware components -- OS detection for RHEL 6 +- OS detection for RHEL 6 and Funtoo Linux +- Added service manager openrc ### Changed - DBS-1804 - Added alias for MariaDB - FINT-4316 - Support for newer Ubuntu versions - MALW-3280 - Added Trend Micro malware agent +- NETW-3200 - Allow unknown number of spaces in modprobe blacklists +- PKGS-7320 - Support for Garuda Linux and arch-audit - Several improvements for busybox shell +- Russian translation of Lynis extended --------------------------------------------------------------------------------- 
@@ -48,7 +48,7 @@ There are multiple options available to install Lynis. ### Software Package -For sytems running Linux, BSD, and macOS, there is typically a package available. This is the preferred method of obtaining Lynis, as it is quick to install and easy to update. The Lynis project itself also provides [packages](https://packages.cisofy.com/) in RPM or DEB format suitable for systems systems running: +For systems running Linux, BSD, and macOS, there is typically a package available. This is the preferred method of obtaining Lynis, as it is quick to install and easy to update. The Lynis project itself also provides [packages](https://packages.cisofy.com/) in RPM or DEB format suitable for systems systems running: `CentOS`, `Debian`, `Fedora`, `OEL`, `openSUSE`, `RHEL`, `Ubuntu`, and others. Some distributions may also have Lynis in their software repository: [![Repology](https://repology.org/badge/tiny-repos/lynis.svg)](https://repology.org/project/lynis/versions) diff --git a/db/languages/ru b/db/languages/ru index bad4123a..c24603b6 100644 --- a/db/languages/ru +++ b/db/languages/ru @@ -4,7 +4,7 @@ GEN_CHECKING="Проверка" GEN_CURRENT_VERSION="Текущая версия" GEN_DEBUG_MODE="Режим отладки" GEN_INITIALIZE_PROGRAM="Инициализация программы" -#GEN_LATEST_VERSION="Latest version" +GEN_LATEST_VERSION="Последняя версия" GEN_PHASE="Стадия" GEN_PLUGINS_ENABLED="Плагины включены" GEN_UPDATE_AVAILABLE="доступно обновление" 
@@ -14,94 +14,94 @@ NOTE_EXCEPTIONS_FOUND_DETAILED="Были найдены некоторые ис NOTE_EXCEPTIONS_FOUND="Найдены исключения" NOTE_PLUGINS_TAKE_TIME="Примечание: плагины имеют более обширные тесты и могут занять несколько минут до завершения" NOTE_SKIPPED_TESTS_NON_PRIVILEGED="Тесты пропущены из-за использования непривилегированного режима" -#SECTION_ACCOUNTING="Accounting" -#SECTION_BANNERS_AND_IDENTIFICATION="Banners and identification" -#SECTION_BASICS="Basics" -#SECTION_BOOT_AND_SERVICES="Boot and services" -#SECTION_CONTAINERS="Containers" -#SECTION_CRYPTOGRAPHY="Cryptography" +SECTION_ACCOUNTING="Учёт" +SECTION_BANNERS_AND_IDENTIFICATION="Баннеры и идентификаторы" +SECTION_BASICS="Основное" +SECTION_BOOT_AND_SERVICES="Загрузка и сервисы" +SECTION_CONTAINERS="Контейнеры" +SECTION_CRYPTOGRAPHY="Криптография" SECTION_CUSTOM_TESTS="Пользовательские тесты" -#SECTION_DATABASES="Databases" -#SECTION_DATA_UPLOAD="Data upload" -#SECTION_DOWNLOADS="Downloads" -#SECTION_EMAIL_AND_MESSAGING="Software: e-mail and messaging" -#SECTION_FILE_INTEGRITY="Software: file integrity" -#SECTION_FILE_PERMISSIONS="File Permissions" -#SECTION_FILE_SYSTEMS="File systems" -#SECTION_FIREWALLS="Software: firewalls" -#SECTION_GENERAL="General" -#SECTION_HARDENING="Hardening" -#SECTION_HOME_DIRECTORIES="Home directories" -#SECTION_IMAGE="Image" -#SECTION_INITIALIZING_PROGRAM="Initializing program" -#SECTION_INSECURE_SERVICES="Insecure services" -#SECTION_KERNEL_HARDENING="Kernel Hardening" -#SECTION_KERNEL="Kernel" -#SECTION_LDAP_SERVICES="LDAP Services" -#SECTION_LOGGING_AND_FILES="Logging and files" +SECTION_DATABASES="Базы данных" +SECTION_DATA_UPLOAD="Отправка данных" +SECTION_DOWNLOADS="Загрузки" +SECTION_EMAIL_AND_MESSAGING="Программное обеспечение: e-mail и отправка сообщений" +SECTION_FILE_INTEGRITY="Программное обеспечение: целостность файлов" +SECTION_FILE_PERMISSIONS="Права доступа к файлам" +SECTION_FILE_SYSTEMS="Файловые системы" +SECTION_FIREWALLS="Программное обеспечение: 
firewall" +SECTION_GENERAL="Общее" +SECTION_HARDENING="Усиление" +SECTION_HOME_DIRECTORIES="Домашние директории" +SECTION_IMAGE="Образы" +SECTION_INITIALIZING_PROGRAM="Инициализация программы" +SECTION_INSECURE_SERVICES="Небезопасные сервисы" +SECTION_KERNEL_HARDENING="УСиления ядра" +SECTION_KERNEL="Ядро" +SECTION_LDAP_SERVICES="Сервисы LDAP" +SECTION_LOGGING_AND_FILES="Логирование и файлы" SECTION_MALWARE="Вредоносное ПО" SECTION_MEMORY_AND_PROCESSES="Память и процессы" -#SECTION_NAME_SERVICES="Name services" -#SECTION_NETWORKING="Networking" -#SECTION_PERMISSIONS="Permissions" -#SECTION_PORTS_AND_PACKAGES="Ports and packages" -#SECTION_PRINTERS_AND_SPOOLS="Printers and Spools" -#SECTION_PROGRAM_DETAILS="Program Details" -#SECTION_SCHEDULED_TASKS="Scheduled tasks" -#SECTION_SECURITY_FRAMEWORKS="Security frameworks" -#SECTION_SHELLS="Shells" -#SECTION_SNMP_SUPPORT="SNMP Support" -#SECTION_SOFTWARE="Software" -#SECTION_SQUID_SUPPORT="Squid Support" -#SECTION_SSH_SUPPORT="SSH Support" -#SECTION_STORAGE="Storage" -#SECTION_SYSTEM_INTEGRITY="Software: System integrity" -#SECTION_SYSTEM_TOOLING="Software: System tooling" -#SECTION_SYSTEM_TOOLS="System tools" -#SECTION_TIME_AND_SYNCHRONIZATION="Time and Synchronization" -#SECTION_USB_DEVICES="USB Devices" -#SECTION_USERS_GROUPS_AND_AUTHENTICATION="Users, Groups and Authentication" -#SECTION_VIRTUALIZATION="Virtualization" -#SECTION_WEBSERVER="Software: webserver" -#STATUS_ACTIVE="ACTIVE" -#STATUS_CHECK_NEEDED="CHECK NEEDED" -#STATUS_DEBUG="DEBUG" -#STATUS_DEFAULT="DEFAULT" -#STATUS_DIFFERENT="DIFFERENT" +SECTION_NAME_SERVICES="Серверы имён" +SECTION_NETWORKING="Сети" +SECTION_PERMISSIONS="Права доступа" +SECTION_PORTS_AND_PACKAGES="Пакеты" +SECTION_PRINTERS_AND_SPOOLS="Принтеры и спулеры" +SECTION_PROGRAM_DETAILS="Подробности о программе" +SECTION_SCHEDULED_TASKS="Запланированные задачи" +SECTION_SECURITY_FRAMEWORKS="Фреймворки" +SECTION_SHELLS="Командные оболочки" +SECTION_SNMP_SUPPORT="Поддержка SNMP" 
+SECTION_SOFTWARE="Программное обеспечение" +SECTION_SQUID_SUPPORT="Поддержка Squid" +SECTION_SSH_SUPPORT="Поддержка SSH" +SECTION_STORAGE="Хранилище" +SECTION_SYSTEM_INTEGRITY="Программное обеспечение: целостность системы" +SECTION_SYSTEM_TOOLING="SПрограммное обеспечение: системные инструменты" +SECTION_SYSTEM_TOOLS="Системные утилиты" +SECTION_TIME_AND_SYNCHRONIZATION="Время и его синхронизация" +SECTION_USB_DEVICES="USB Устройства" +SECTION_USERS_GROUPS_AND_AUTHENTICATION="Пользователи, группы и Аутентификация" +SECTION_VIRTUALIZATION="Виртуализация" +SECTION_WEBSERVER="Программное обеспечение: веб-серверы" +STATUS_ACTIVE="АКТИВЕН" +STATUS_CHECK_NEEDED="ТРЕБУЕТСЯ ПРОВЕРКА" +STATUS_DEBUG="ОТЛАДКА" +STATUS_DEFAULT="ПО УМОЛЧАНИЮ" +STATUS_DIFFERENT="ОТЛИЧАЕТСЯ" STATUS_DISABLED="ОТКЛЮЧЕНО" STATUS_DONE="Завершено" STATUS_ENABLED="ВКЛЮЧЕНО" STATUS_ERROR="ОШИБКА" -#STATUS_EXPOSED="EXPOSED" -#STATUS_FAILED="FAILED" -#STATUS_FILES_FOUND="FILES FOUND" +STATUS_EXPOSED="УЯЗВИМО" +STATUS_FAILED="ПРОВАЛЕНО" +STATUS_FILES_FOUND="ФАЙЛЫ НАЙДЕНЫ" STATUS_FOUND="Найдено" -#STATUS_HARDENED="HARDENED" -#STATUS_INSTALLED="INSTALLED" -#STATUS_LOCAL_ONLY="LOCAL ONLY" -#STATUS_MEDIUM="MEDIUM" -#STATUS_NON_DEFAULT="NON DEFAULT" +STATUS_HARDENED="УСИЛЕНО" +STATUS_INSTALLED="УСТАНОВЛЕНО" +STATUS_LOCAL_ONLY="ТОЛЬКО ЛОКАЛЬНО" +STATUS_MEDIUM="СРЕДНИЙ" +STATUS_NON_DEFAULT="НЕ ПО УМОЛЧАНИЮ" STATUS_NONE="Отсутствует" -#STATUS_NOT_CONFIGURED="NOT CONFIGURED" -#STATUS_NOT_DISABLED="NOT DISABLED" -#STATUS_NOT_ENABLED="NOT ENABLED" +STATUS_NOT_CONFIGURED="НЕ СКОНФИГУРИРОВАНО" +STATUS_NOT_DISABLED="НЕ ОТКЛЮЧЕНО" +STATUS_NOT_ENABLED="НЕ ВКЛЮЧЕНО" STATUS_NOT_FOUND="НЕ НАЙДЕНО" STATUS_NOT_RUNNING="НЕ ЗАПУЩЕНО" -#STATUS_NO_UPDATE="NO UPDATE" +STATUS_NO_UPDATE="ОБНОВЛЕНИЙ НЕТ" STATUS_NO="НЕТ" STATUS_OFF="Выключено" STATUS_OK="ОК" STATUS_ON="Включено" -#STATUS_PARTIALLY_HARDENED="PARTIALLY HARDENED" -#STATUS_PROTECTED="PROTECTED" +STATUS_PARTIALLY_HARDENED="ЧАСТИЧНО УСИЛЕНО" +STATUS_PROTECTED="ЗАЩИЩЕНО" 
STATUS_RUNNING="ЗАПУЩЕНО" STATUS_SKIPPED="ПРОПУЩЕНО" STATUS_SUGGESTION="ПРЕДЛОЖЕНИЕ" STATUS_UNKNOWN="НЕИЗВЕСТНО" -#STATUS_UNSAFE="UNSAFE" -#STATUS_UPDATE_AVAILABLE="UPDATE AVAILABLE" +STATUS_UNSAFE="НЕБЕЗОПАСНО" +STATUS_UPDATE_AVAILABLE="ДОСТУПНЫ ОБНОВЛЕНИЯ" STATUS_WARNING="ПРЕДУПРЕЖДЕНИЕ" -#STATUS_WEAK="WEAK" +STATUS_WEAK="СЛАБЫЙ" STATUS_YES="ДА" TEXT_UPDATE_AVAILABLE="доступно обновление" -TEXT_YOU_CAN_HELP_LOGFILE="Вы можете помочь предоставив ваш лог-файл" +TEXT_YOU_CAN_HELP_LOGFILE="Вы можете помочь, предоставив ваш лог-файл" diff --git a/db/software-eol.db b/db/software-eol.db index bebd4de8..f8242d35 100644 --- a/db/software-eol.db +++ b/db/software-eol.db @@ -16,6 +16,8 @@ # # Alpine - https://alpinelinux.org/releases/ # +os:Alpine 3.15:2023-11-01:1698793200 +os:Alpine 3.14:2023-05-01:1682899200 os:Alpine 3.13:2022-11-01:1667275200 os:Alpine 3.12:2022-05-01:1651377600 os:Alpine 3.11:2021-11-01:1635739200 diff --git a/db/tests.db b/db/tests.db index c9c4797f..522441f4 100644 --- a/db/tests.db +++ b/db/tests.db @@ -265,6 +265,7 @@ MAIL-8838:test:security:mail_messaging::Check dovecot process: MAIL-8860:test:security:mail_messaging::Check Qmail status: MAIL-8880:test:security:mail_messaging::Check Sendmail status: MAIL-8920:test:security:mail_messaging::Check OpenSMTPD status: +MALW-3274:test:security:malware::Check for McAfee VirusScan Command Line Scanner: MALW-3275:test:security:malware::Check for chkrootkit: MALW-3276:test:security:malware::Check for Rootkit Hunter: MALW-3278:test:security:malware::Check for LMD: diff --git a/include/functions b/include/functions index 0ff661cf..de36ed11 100644 --- a/include/functions +++ b/include/functions 
@@ -1306,6 +1306,11 @@
 if [ $# -ne 2 ]; then Fatal "Incorrect usage of HasCorrectFilePermissions"; fi
 CHECKFILE="$1"
 CHECKPERMISSION_FULL="$2"
+ # Check for symlink
+ if [ -L ${CHECKFILE} ]; then
+ ShowSymlinkPath ${CHECKFILE}
+ if [ ! "${SYMLINK}" = "" ]; then CHECKFILE="${SYMLINK}"; fi
+ fi
 if [ ! -d ${CHECKFILE} -a ! -f ${CHECKFILE} ]; then
 return 2
 else
@@ -2001,7 +2006,11 @@
 if [ $# -eq 0 ]; then ExitFatal "Missing parameter when calling IsWorldWritable function"; fi
 sFILE=$1
 FileIsWorldWritable=""
-
+ # Check for symlink
+ if [ -L ${sFILE} ]; then
+ ShowSymlinkPath ${sFILE}
+ if [ ! "${SYMLINK}" = "" ]; then sFILE="${SYMLINK}"; fi
+ fi
 # Only check if target is a file or directory
 if [ -f ${sFILE} -o -d ${sFILE} ]; then
 FINDVAL=$(ls -ld ${sFILE} | cut -c 9)
diff --git a/include/osdetection b/include/osdetection
index a4d3aa41..d9b8a41c 100644
--- a/include/osdetection
+++ b/include/osdetection
@@ -244,6 +244,11 @@
 OS_NAME="Flatcar Linux"
 OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
 ;;
+ "funtoo")
+ LINUX_VERSION="Funtoo"
+ OS_FULLNAME="Funtoo Linux"
+ OS_VERSION="Rolling release"
+ ;;
 "garuda")
 LINUX_VERSION="Garuda"
 OS_FULLNAME="Garuda Linux"
@@ -673,7 +678,7 @@
 ReportException "OS Detection" "Unknown OS found in /etc/os-release - Please create issue on GitHub project page: ${PROGRAM_SOURCE}"
 ;;
 esac
- elif [ "$(uname -o 2> /dev/null)" == "illumos" ]; then
+ elif [ "$(uname -o 2> /dev/null)" = "illumos" ]; then
 OPENSOLARIS=1

 # Solaris has a free form text file with release information
diff --git a/include/tests_authentication b/include/tests_authentication
index 2712aa34..504e76cc 100644
--- a/include/tests_authentication
+++ b/include/tests_authentication
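Review bot: The new symlink resolution in HasCorrectFilePermissions tests `[ -L ${CHECKFILE} ]` with the path unquoted and then takes whatever the global `SYMLINK` holds after `ShowSymlinkPath`; if that helper does not clear `SYMLINK` on a failed lookup (its body is not visible here), a stale value from an earlier call would silently redirect the permission check to a different file. Quoting the path and resetting the global first makes the intent explicit: `SYMLINK=""` before the test, `if [ -L "${CHECKFILE}" ]; then ShowSymlinkPath "${CHECKFILE}"` and `if [ -n "${SYMLINK}" ]; then CHECKFILE="${SYMLINK}"; fi`. The IsWorldWritable hunk at -2001 duplicates the same five lines and has the same concern; a shared helper would keep the two in step. Both enclosing functions start before and end after their hunks.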
@@ -25,7 +25,7 @@ LDAP_AUTH_ENABLED=0 LDAP_PAM_ENABLED=0 LDAP_CONF_LOCATIONS="${ROOTDIR}etc/ldap.conf ${ROOTDIR}etc/ldap/ldap.conf ${ROOTDIR}etc/openldap/ldap.conf ${ROOTDIR}usr/local/etc/ldap.conf ${ROOTDIR}usr/local/etc/openldap/ldap.conf" - PAM_FILE_LOCATIONS="${ROOTDIR}lib/arm-linux-gnueabihf/security ${ROOTDIR}lib/i386-linux-gnu/security ${ROOTDIR}lib/security ${ROOTDIR}lib/x86_64-linux-gnu/security ${ROOTDIR}lib64/security ${ROOTDIR}usr/lib /usr/lib/security" + PAM_FILE_LOCATIONS="${ROOTDIR}usr/lib/aarch64-linux-gnu/security ${ROOTDIR}lib/arm-linux-gnueabihf/security ${ROOTDIR}lib/i386-linux-gnu/security ${ROOTDIR}lib/security ${ROOTDIR}lib/x86_64-linux-gnu/security ${ROOTDIR}lib64/security ${ROOTDIR}usr/lib /usr/lib/security" SUDOERS_LOCATIONS="${ROOTDIR}etc/sudoers ${ROOTDIR}usr/local/etc/sudoers ${ROOTDIR}usr/pkg/etc/sudoers" SUDOERS_FILE="" # @@ -916,7 +916,7 @@ LogText "Result: found one or more accounts without password" for I in ${FIND2}; do LogText "Account without password: ${I}" - Report "account_without_password=${I}" + Report "account_without_password[]=${I}" done Display --indent 2 --text "- Accounts without password" --result "${STATUS_WARNING}" --color RED ReportWarning "${TEST_NO}" "Found accounts without password" diff --git a/include/tests_boot_services b/include/tests_boot_services index 42efc80d..4a5fb3df 100644 --- a/include/tests_boot_services +++ b/include/tests_boot_services @@ -112,6 +112,9 @@ runit) SERVICE_MANAGER="runit" ;; + openrc-init) + SERVICE_MANAGER="openrc" + ;; *) CONTAINS_SYSTEMD=$(echo ${SHORTNAME} | ${GREPBINARY} "systemd") if [ -n "${CONTAINS_SYSTEMD}" ]; then diff --git a/include/tests_filesystems b/include/tests_filesystems index ce93b018..480ba40a 100644 --- a/include/tests_filesystems +++ b/include/tests_filesystems 
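Review bot: The new aarch64 entry in PAM_FILE_LOCATIONS uses the `${ROOTDIR}usr/lib/aarch64-linux-gnu/security` prefix, while the sibling arm/i386/x86_64 entries on the same line all use `${ROOTDIR}lib/<triplet>/security`; on a system without a merged /usr the aarch64 PAM modules would live under the lib/ form and be missed. Unless the usr/lib spelling was chosen deliberately, add the matching `${ROOTDIR}lib/aarch64-linux-gnu/security` entry next to it so the list is consistent across architectures.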
@@ -619,7 +619,6 @@ Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "${STATUS_PARTIALLY_HARDENED}" --color YELLOW AddHP 4 5 else - # if if ContainsString "defaults" "${FOUND_FLAGS}"; then LogText "Result: marked ${FILESYSTEM} options as default (not hardened)" Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "${STATUS_DEFAULT}" --color YELLOW @@ -838,13 +837,13 @@ fi FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null) if [ -n "${FIND}" ]; then - FIND1=$(${EGREPBINARY} "blacklist ${FS}" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") - FIND2=$(${EGREPBINARY} "install ${FS} /bin/true" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") - if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then - Display --indent 4 --text "- Module $FS is blacklisted" --result "OK" --color GREEN - LogText "Result: module ${FS} is blacklisted" - fi - fi + FIND1=$(${EGREPBINARY} "^blacklist \+${FS}$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") + FIND2=$(${EGREPBINARY} "^install \+${FS} \+/bin/true$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#") + if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then + Display --indent 4 --text "- Module $FS is blacklisted" --result "OK" --color GREEN + LogText "Result: module ${FS} is blacklisted" + fi + fi done if [ ${FOUND} -eq 1 ]; then Display --indent 4 --text "- Discovered kernel modules: ${AVAILABLE_MODPROBE_FS}" diff --git a/include/tests_kernel b/include/tests_kernel index 610fd325..c1977985 100644 --- a/include/tests_kernel +++ b/include/tests_kernel 
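Review bot: The rewritten patterns at -838 are passed to `${EGREPBINARY}`, i.e. an extended regex, where `\+` is an escaped literal plus sign rather than the "one or more" quantifier (that meaning of `\+` is a GNU extension to basic regexes only); as written, `^blacklist \+${FS}$` matches a line like `blacklist +cramfs` but not a real `blacklist cramfs` entry, so blacklisted modules would no longer be reported as OK. Use the ERE quantifier with a character class instead, `"^blacklist[[:space:]]+${FS}$"` and `"^install[[:space:]]+${FS}[[:space:]]+/bin/true$"`, which also accepts tabs. Note that the trailing `$` newly rejects entries with trailing whitespace, which the previous pattern tolerated. The enclosing `for` loop starts before this hunk.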
@@ -368,14 +368,14 @@
 #
 # Test : KRNL-5788
 # Description : Checking availability new kernel
- if [ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION}" = "Ubuntu" ] ||
- [ "${LINUX_VERSION_LIKE}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" = "Ubuntu" ]; then
+ if [ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION}" = "Ubuntu" ] || [ "${LINUX_VERSION_LIKE}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" = "Ubuntu" ]; then
 PREQS_MET="YES"
 else
 PREQS_MET="NO"
 fi
 Register --test-no KRNL-5788 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking availability new Linux kernel"
 if [ ${SKIPTEST} -eq 0 ]; then
+ FINDKERNEL=""
 HAS_VMLINUZ=0
 LogText "Test: Searching apt-cache, to determine if a newer kernel is available"
 if [ -x ${ROOTDIR}usr/bin/apt-cache ]; then
@@ -384,62 +384,69 @@ if [ -f ${ROOTDIR}vmlinuz -o -f ${ROOTDIR}boot/vmlinuz ]; then HAS_VMLINUZ=1 if [ -f ${ROOTDIR}vmlinuz ]; then - FINDVMLINUZ=${ROOTDIR}vmlinuz + FINDVMLINUZ="${ROOTDIR}vmlinuz" else - FINDVMLINUZ=${ROOTDIR}boot/vmlinuz + FINDVMLINUZ="${ROOTDIR}boot/vmlinuz" fi LogText "Result: found ${FINDVMLINUZ}" LogText "Test: checking readlink location of ${FINDVMLINUZ}" FINDKERNFILE=$(readlink -f ${FINDVMLINUZ}) LogText "Output: readlink reported file ${FINDKERNFILE}" - LogText "Test: checking package from dpkg -S" + LogText "Test: checking relevant package using output from dpkg -S" FINDKERNEL=$(dpkg -S ${FINDKERNFILE} 2> /dev/null | ${AWKBINARY} -F : '{print $1}') LogText "Output: dpkg -S reported package ${FINDKERNEL}" elif [ -e ${ROOTDIR}dev/grsec ]; then - FINDKERNEL=linux-image-$(uname -r) + FINDKERNEL="linux-image-$(uname -r)" LogText "Result: ${ROOTDIR}vmlinuz missing due to grsecurity; assuming ${FINDKERNEL}" elif [ -e ${ROOTDIR}etc/rpi-issue ]; then - FINDKERNEL=raspberrypi-kernel + FINDKERNEL="raspberrypi-kernel" LogText "Result: ${ROOTDIR}vmlinuz missing due to Raspbian" - elif `${EGREPBINARY} -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf`; then - FINDKERNEL=linux-image-$(uname -r) + elif $(${EGREPBINARY} -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf); then + FINDKERNEL="linux-image-$(uname -r)" LogText "Result: ${ROOTDIR}vmlinuz missing due to /etc/kernel-img.conf item do_symlinks = No" else - LogText "This system is missing ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz. Unable to check whether kernel is up-to-date." + LogText "This system is missing ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz. Unable to check whether kernel is up-to-date." ReportSuggestion "${TEST_NO}" "Determine why ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz is missing on this Debian/Ubuntu system." 
"/vmlinuz or /boot/vmlinuz" fi - LogText "Test: Using apt-cache policy to determine if there is an update available" - FINDINST=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ') - FINDCAND=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Candidate' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ') - LogText "Kernel installed: ${FINDINST}" - LogText "Kernel candidate: ${FINDCAND}" - if IsEmpty "${FINDINST}"; then - Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_UNKNOWN}" --color YELLOW - LogText "Result: Exception occurred, no output from apt-cache policy" - if [ ${HAS_VMLINUZ} -eq 1 ]; then - ReportException "${TEST_NO}:01" - ReportSuggestion "${TEST_NO}" "Check the output of apt-cache policy to determine why its output is empty" - fi - LogText "Result: apt-cache policy did not return an installed kernel version" + + if IsEmpty "${FINDKERNEL}"; then + LogText "Result: could not check kernel update status as kernel is unknown" else - if [ "${FINDINST}" = "${FINDCAND}" ]; then - if [ -e /dev/grsec ]; then - Display --indent 2 --text "- Checking for available kernel update" --result GRSEC --color GREEN - LogText "Result: Grsecurity is installed; unable to determine if there's a newer kernel available" - ReportManual "Manually check to confirm you're using a recent kernel and grsecurity patch" - else - Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_OK}" --color GREEN - LogText "Result: no kernel update available" + LogText "Result: found kernel '${FINDKERNEL}' which will be used for further testing" + LogText "Test: Using apt-cache policy to determine if there is an update available" + FINDINSTALLED=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ') + FINDCANDIDATE=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Candidate' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ') + 
LogText "Kernel installed: ${FINDINSTALLED}" + LogText "Kernel candidate: ${FINDCANDIDATE}" + if IsEmpty "${FINDINSTALLED}"; then + Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_UNKNOWN}" --color YELLOW + LogText "Result: Exception occurred, no output from apt-cache policy" + if [ ${HAS_VMLINUZ} -eq 1 ]; then + ReportException "${TEST_NO}:01" "Found vmlinuz (${FINDVMLINUZ}) but could not determine the installed kernel using apt-cache policy" + ReportSuggestion "${TEST_NO}" "Check the output of apt-cache policy to determine why its output is empty" fi + LogText "Result: apt-cache policy did not return an installed kernel version" else - Display --indent 2 --text "- Checking for available kernel update" --result "UPDATE AVAILABLE" --color YELLOW - LogText "Result: kernel update available according 'apt-cache policy'." - ReportSuggestion "${TEST_NO}" "Determine priority for available kernel update" + if [ "${FINDINSTALLED}" = "${FINDCANDIDATE}" ]; then + if [ -e /dev/grsec ]; then + Display --indent 2 --text "- Checking for available kernel update" --result GRSEC --color GREEN + LogText "Result: Grsecurity is installed; unable to determine if there's a newer kernel available" + ReportManual "Manually check to confirm you're using a recent kernel and grsecurity patch" + else + Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_OK}" --color GREEN + LogText "Result: no kernel update available" + fi + else + Display --indent 2 --text "- Checking for available kernel update" --result "UPDATE AVAILABLE" --color YELLOW + LogText "Result: kernel update available according 'apt-cache policy'." + ReportSuggestion "${TEST_NO}" "Determine priority for available kernel update" + fi fi fi else - LogText "Result: could NOT find /usr/bin/apt-cache, skipped other tests." + LogText "Result: could NOT find ${ROOTDIR}usr/bin/apt-cache, skipped other tests." 
fi + unset FINDCANDIDATE FINDINSTALLED FINDKERNEL HAS_VMLINUZ fi # ################################################################################# @@ -615,25 +622,29 @@ Register --test-no KRNL-5830 --os Linux --weight L --network NO --category security --description "Checking if system is running on the latest installed kernel" if [ ${SKIPTEST} -eq 0 ]; then REBOOT_NEEDED=2 - FILE="${ROOTDIR}var/run/reboot-required.pkgs" - LogText "Test: Checking presence ${FILE}" - if [ -f ${FILE} ]; then - LogText "Result: file ${FILE} exists" - FIND=$(${WCBINARY} -l < ${FILE}) - if [ "${FIND}" = "0" ]; then - LogText "Result: No reboot needed (file empty)" - REBOOT_NEEDED=0 + for FILE in "${ROOTDIR}var/run/reboot-required.pkgs" "${ROOTDIR}var/run/needs_restarting" + do + LogText "Test: Checking presence ${FILE}" + if [ -f ${FILE} ]; then + LogText "Result: file ${FILE} exists" + FIND=$(${WCBINARY} -l < ${FILE}) + if [ "${FIND}" = "0" ]; then + LogText "Result: No reboot needed (file empty)" + REBOOT_NEEDED=0 + break + else + PKGSCOUNT=$(${WCBINARY} -l < ${FILE}) + LogText "Result: reboot is needed, related to ${PKGSCOUNT} packages" + for I in ${FIND}; do + LogText "Package: ${I}" + done + REBOOT_NEEDED=1 + break + fi else - PKGSCOUNT=$(${WCBINARY} -l < ${FILE}) - LogText "Result: reboot is needed, related to ${PKGSCOUNT} packages" - for I in ${FIND}; do - LogText "Package: ${I}" - done - REBOOT_NEEDED=1 + LogText "Result: file ${FILE} not found" fi - else - LogText "Result: file ${FILE} not found" - fi + done # Check if /boot exists if [ -d "${ROOTDIR}boot" ]; then 
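Review bot: `elif $(${EGREPBINARY} -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf); then` swaps the backticks for `$(...)` but keeps the substitution in command position, so the shell runs grep, substitutes its output (empty because of `-q`) as the command to execute, and the branch only works because an empty command takes the exit status of its last command substitution; that is obscure, and grep's error when kernel-img.conf is absent still reaches stderr. Write the test directly: `elif ${EGREPBINARY} -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf 2> /dev/null; then`. The new `IsEmpty "${FINDKERNEL}"` guard is the right call, but when it triggers nothing is displayed, so the user gets no line for this test; a `Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_UNKNOWN}" --color YELLOW` there would mirror the empty-apt-cache path. The enclosing `if [ ${SKIPTEST} -eq 0 ]` block begins in the previous hunk.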
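Review bot: Inside the new `for FILE in ...` loop, `FIND` holds the output of `${WCBINARY} -l`, a line count, yet the non-empty branch still runs `for I in ${FIND}; do LogText "Package: ${I}"; done`, so the log prints the count (e.g. `Package: 3`) rather than package names; this predates the commit, but the loop now applies it to the new needs_restarting file as well, and `PKGSCOUNT` recomputes the same `wc -l` a second time. If the names are wanted, read the file itself, e.g. `while read -r I; do LogText "Package: ${I}"; done < ${FILE}`, and reuse `FIND` for the count. Whether Slackware's `/var/run/needs_restarting` lists one package per line is not visible here and is worth confirming before its lines are logged as packages.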
@@ -663,7 +674,10 @@
 ReportException "${TEST_NO}:1" "Can't determine kernel version on disk, need debug data"
 fi
 elif [ -f ${ROOTDIR}boot/vmlinuz-linux ] || [ -f ${ROOTDIR}boot/vmlinuz-linux-lts ] || [ -f "$(${LSBINARY} -t ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${HEADBINARY} -1)" ]; then
- if [ -f ${ROOTDIR}boot/vmlinuz-linux ]; then
+ if [ -f ${ROOTDIR}boot/vmlinuz ]; then
+ LogText "Result: found ${ROOTDIR}boot/vmlinuz"
+ FOUND_VMLINUZ=${ROOTDIR}boot/vmlinuz
+ elif [ -f ${ROOTDIR}boot/vmlinuz-linux ]; then
 LogText "Result: found ${ROOTDIR}boot/vmlinuz-linux"
 FOUND_VMLINUZ=${ROOTDIR}boot/vmlinuz-linux
 elif [ -f ${ROOTDIR}boot/vmlinuz-linux-lts ]; then
diff --git a/include/tests_malware b/include/tests_malware
index cb13ca96..40336fa5 100644
--- a/include/tests_malware
+++ b/include/tests_malware
@@ -46,6 +46,24 @@
 #
 #################################################################################
 #
+ # Test : MALW-3274
+ # Description : Check for installed tool (McAfee VirusScan for Command Line)
+ Register --test-no MALW-3274 --weight L --network NO --category security --description "Check for McAfee VirusScan Command Line"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ LogText "Test: checking presence McAfee VirusScan for Command Line"
+ if [ -x /usr/local/uvscan/uvscan ]; then
+ Display --indent 2 --text "- ${GEN_CHECKING} McAfee VirusScan for Command Line" --result "${STATUS_FOUND}" --color GREEN
+ LogText "Result: Found ${MCAFEECLBINARY}"
+ MALWARE_SCANNER_INSTALLED=1
+ AddHP 2 2
+ Report "malware_scanner[]=mcafeecl"
+ else
+ LogText "Result: McAfee VirusScan for Command Line not found"
+ fi
+ fi
+#
+#################################################################################
+#
 # Test : MALW-3275
 # Description : Check for installed tool (chkrootkit)
 Register --test-no MALW-3275 --weight L --network NO --category security --description "Check for chkrootkit"
diff --git a/include/tests_networking b/include/tests_networking
index c615e6d0..7faf7125 100644
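Review bot: MALW-3274 tests the hard-coded path `/usr/local/uvscan/uvscan` but then logs `${MCAFEECLBINARY}`, a variable that nothing in this hunk sets; unless it is populated by binary detection elsewhere (not visible here), the log line reads `Result: Found` with an empty value, and the check also ignores `${ROOTDIR}`, unlike the `${ROOTDIR}usr/bin/apt-cache` test in tests_kernel in this same commit. Set the variable once and use it in both places: `MCAFEECLBINARY="${ROOTDIR}usr/local/uvscan/uvscan"` followed by `if [ -x "${MCAFEECLBINARY}" ]; then`. The Register description here ("Check for McAfee VirusScan Command Line") also differs from the tests.db entry added in this commit ("... Command Line Scanner"); aligning the two avoids confusion in reports.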
--- a/include/tests_networking
+++ b/include/tests_networking
@@ -750,7 +750,7 @@
 UNCOMMON_PROTOCOL_DISABLED=0
 # First check modprobe.conf
 if [ -f ${ROOTDIR}etc/modprobe.conf ]; then
- DATA=$(${GREPBINARY} "^install ${P} /bin/true" ${ROOTDIR}etc/modprobe.conf)
+ DATA=$(${GREPBINARY} "^install \+${P} \+/bin/true$" ${ROOTDIR}etc/modprobe.conf)
 if [ -n "${DATA}" ]; then
 LogText "Result: found ${P} module disabled via modprobe.conf"
 UNCOMMON_PROTOCOL_DISABLED=1
@@ -759,7 +759,7 @@
 # Then additional modprobe configuration files
 if [ -d ${ROOTDIR}etc/modprobe.d ]; then
 # Return file names (-l) and suppress errors (-s)
- DATA=$(${GREPBINARY} -l -s "^install ${P} /bin/true" ${ROOTDIR}etc/modprobe.d/*)
+ DATA=$(${GREPBINARY} -l -s "^install \+${P} \+/bin/true$" ${ROOTDIR}etc/modprobe.d/*)
 if [ -n "${DATA}" ]; then
 UNCOMMON_PROTOCOL_DISABLED=1
 for F in ${DATA}; do
diff --git a/include/tests_ports_packages b/include/tests_ports_packages
index 2f0b98da..e757bd0a 100644
--- a/include/tests_ports_packages
+++ b/include/tests_ports_packages
@@ -296,7 +296,7 @@
 #
 # Test : PKGS-7320
 # Description : Check available of arch-audit
- if [ "${OS_FULLNAME}" = "Arch Linux" ] || [ "${OS_FULLNAME}" = "Arch Linux 32" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="Test only applies to Arch Linux"; fi
+ if [ "${OS_FULLNAME}" = "Arch Linux" ] || [ "${OS_FULLNAME}" = "Arch Linux 32" ] || [ "${OS_FULLNAME}" = "Garuda Linux" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="Test only applies to Arch Linux and Garuda Linux"; fi
 Register --test-no PKGS-7320 --os "Linux" --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Checking for arch-audit tooling"
 if [ ${SKIPTEST} -eq 0 ]; then
 if [ -z "${ARCH_AUDIT_BINARY}" ]; then
diff --git a/include/tests_ssh b/include/tests_ssh
index 7f31c348..de3209ee 100644
--- a/include/tests_ssh
+++ b/include/tests_ssh
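Review bot: The `\+` quantifier in `"^install \+${P} \+/bin/true$"` is a GNU extension to basic regular expressions, so with a non-GNU `${GREPBINARY}` (the changelog in this commit mentions busybox support, and BSD targets are listed in the README) the match may silently fail and the protocol is reported as not disabled. The portable BRE spelling is `"^install[[:space:]]\{1,\}${P}[[:space:]]\{1,\}/bin/true$"`, which also accepts tabs; the same applies to the second hunk at -759. Note that the new trailing `$` rejects entries followed by trailing whitespace or an inline comment, which the old anchored-prefix pattern accepted.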
@@ -74,7 +74,7 @@ LogText "Result: ${I}/sshd_config exists" if [ ${FOUND} -eq 1 ]; then ReportException "${TEST_NO}:01" - LogText "Result: we already had found another sshd_config file. Using this new file then." + LogText "Result: we already found another sshd_config file. Using this new file instead of the previous one." fi FileIsReadable ${I}/sshd_config if [ ${CANREAD} -eq 1 ]; then @@ -43,10 +43,10 @@ PROGRAM_WEBSITE="https://cisofy.com/lynis/" # Version details - PROGRAM_RELEASE_DATE="2021-07-27" - PROGRAM_RELEASE_TIMESTAMP=1627375518 + PROGRAM_RELEASE_DATE="2022-01-31" + PROGRAM_RELEASE_TIMESTAMP=1643632222 PROGRAM_RELEASE_TYPE="pre-release" # pre-release or release - PROGRAM_VERSION="3.0.7" + PROGRAM_VERSION="3.0.8" # Source, documentation and license PROGRAM_SOURCE="https://github.com/CISOfy/lynis" |