diff options
Diffstat (limited to 'include/tests_ports_packages')
-rw-r--r-- | include/tests_ports_packages | 366 |
1 files changed, 183 insertions, 183 deletions
diff --git a/include/tests_ports_packages b/include/tests_ports_packages index 4306f3dc..3237f7e7 100644 --- a/include/tests_ports_packages +++ b/include/tests_ports_packages @@ -5,7 +5,7 @@ # Lynis # ------------------ # -# Copyright 2007-2015, Michael Boelen, CISOfy (michael.boelen@cisofy.com) +# Copyright 2007-2016, Michael Boelen, CISOfy (michael.boelen@cisofy.com) # Web site: https://cisofy.com # # Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are @@ -36,17 +36,17 @@ FIND=`pkg -N 2>&1; echo $?` if [ "${FIND}" = "0" ]; then Display --indent 4 --text "- Searching packages with pkg" --result FOUND --color GREEN - report "package_manager[]=pkg" + Report "package_manager[]=pkg" PACKAGE_MGR_PKG=1 - logtext "Result: Found pkg" - logtext "Test: Querying pkg to get package list" + LogText "Result: Found pkg" + LogText "Test: Querying pkg to get package list" Display --indent 6 --text "- Querying pkg for installed packages" - logtext "Output:"; logtext "-----" + LogText "Output:"; LogText "-----" SPACKAGES=`/usr/sbin/pkg query %n,%v` for J in ${SPACKAGES}; do sPKG_NAME=`echo ${J} | cut -d ',' -f1` sPKG_VERSION=`echo ${J} | cut -d ',' -f2` - logtext "Installed package: ${sPKG_NAME} (version: ${sPKG_VERSION})" + LogText "Installed package: ${sPKG_NAME} (version: ${sPKG_VERSION})" INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J}" done fi @@ -61,20 +61,20 @@ if [ ${SKIPTEST} -eq 0 ]; then N=0 Display --indent 4 --text "- Checking pkg_info" --result FOUND --color GREEN - logtext "Result: Found pkg_info" - report "package_manager[]=pkg_info" - logtext "Test: Querying pkg_info to get package list" + LogText "Result: Found pkg_info" + Report "package_manager[]=pkg_info" + LogText "Test: Querying pkg_info to get package list" Display --indent 6 --text "- Querying pkg_info for installed packages" - logtext "Output:"; logtext "-----" + LogText "Output:"; LogText "-----" SPACKAGES=`/usr/sbin/pkg_info 2>&1 | sort | tr -s ' ' | cut -d ' ' -f1 | sed -e 's/^\(.*\)-\([0-9].*\)$/\1,\2/g'` for J in ${SPACKAGES}; do N=`expr ${N} + 1` sPKG_NAME=`echo ${J} | cut -d ',' -f1` sPKG_VERSION=`echo ${J} | cut -d ',' -f2` - logtext "Installed package: ${sPKG_NAME} (version: ${sPKG_VERSION})" + LogText "Installed package: ${sPKG_NAME} (version: ${sPKG_VERSION})" INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J}" done - report "installed_packages=${N}" + Report "installed_packages=${N}" fi # ################################################################################# @@ -85,18 +85,18 @@ Register --test-no PKGS-7304 --preqs-met ${PREQS_MET} --weight L --network NO --description "Querying Gentoo packages" if [ ${SKIPTEST} -eq 0 ]; then Display --indent 4 --text "- Searching emerge" --result FOUND --color GREEN - logtext "Result: Found Gentoo emerge" - report "package_manager[]=emerge" - logtext "Test: Querying portage to get package list" + LogText "Result: Found Gentoo emerge" + Report "package_manager[]=emerge" + LogText "Test: Querying portage to get package list" Display --indent 4 --text "- Querying portage for installed packages" - logtext "Output:"; logtext "-----" + LogText "Output:"; LogText "-----" GPACKAGES=`equery l '*' | sed -e 's/[.*]//g'` for J in ${GPACKAGES}; do - logtext "Found package ${J}" + LogText "Found package ${J}" INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J},0," done else - logtext "Result: emerge can NOT be found on this system" + LogText "Result: emerge can NOT be found on this system" fi # # @@ -108,19 +108,19 @@ Register --test-no PKGS-7306 --os Solaris --preqs-met ${PREQS_MET} --weight L --network NO --description "Querying Solaris packages" if [ ${SKIPTEST} -eq 0 ]; then Display --indent 4 --text "- Searching pkginfo" --result FOUND --color GREEN - logtext "Result: Found Solaris pkginfo" - report "package_manager[]=pkginfo" - logtext "Test: Querying pkginfo to get package list" + LogText "Result: Found Solaris pkginfo" + Report "package_manager[]=pkginfo" + LogText "Test: Querying pkginfo to get package list" Display --indent 4 --text "- Querying pkginfo for installed packages" - logtext "Output:"; logtext "-----" + LogText "Output:"; LogText "-----" # Strip SUNW from strings SPACKAGES=`/usr/bin/pkginfo -i | tr -s ' ' | cut -d ' ' -f2 | sed "s#^SUNW##"` for J in ${SPACKAGES}; do - logtext "Found package ${J}" + LogText "Found package ${J}" INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J},0," done else - logtext "Result: pkginfo can NOT be found on this system" + LogText "Result: pkginfo can NOT be found on this system" fi # ################################################################################# @@ -132,28 +132,28 @@ if [ ${SKIPTEST} -eq 0 ]; then N=0 Display --indent 4 --text "- Searching RPM package manager" --result FOUND --color GREEN - logtext "Result: Found rpm binary (${RPMBINARY})" - report "package_manager[]=rpm" - logtext "Test: Querying 'rpm -qa' to get package list" + LogText "Result: Found rpm binary (${RPMBINARY})" + Report "package_manager[]=rpm" + LogText "Test: Querying 'rpm -qa' to get package list" Display --indent 6 --text "- Querying RPM package manager" - logtext "Output:"; logtext "--------" + LogText "Output:"; LogText "--------" SPACKAGES=`${RPMBINARY} -qa --queryformat "%{NAME},%{VERSION}-%{RELEASE}.%{ARCH}\n" 2> /dev/null | sort` if [ "${SPACKAGES}" = "" ]; then - logtext "Result: RPM binary available, but package list seems to be empty" - logtext "Info: looks like the rpm binary is installed, but not used for package installation" + LogText "Result: RPM binary available, but package list seems to be empty" + LogText "Info: looks like the rpm binary is installed, but not used for package installation" ReportSuggestion "${TEST_NO}" "Check RPM database as RPM binary available but does not reveal any packages" else for J in ${SPACKAGES}; do N=`expr ${N} + 1` PACKAGE_NAME=`echo ${J} | awk -F, '{print $1}'` PACKAGE_VERSION=`echo ${J} | awk -F, '{print $2}'` - logtext "Found package: ${J}" + LogText "Found package: ${J}" INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}," done - report "installed_packages=${N}" + Report "installed_packages=${N}" fi else - logtext "Result: RPM binary NOT found on this system, test skipped" + LogText "Result: RPM binary NOT found on this system, test skipped" fi # ################################################################################# @@ -165,24 +165,24 @@ if [ ${SKIPTEST} -eq 0 ]; then N=0 Display --indent 4 --text "- Searching pacman package manager" --result FOUND --color GREEN - logtext "Result: Found pacman binary (${PACMANBINARY})" - report "package_manager[]=pacman" - logtext "Test: Querying 'pacman -Q' to get package list" + LogText "Result: Found pacman binary (${PACMANBINARY})" + Report "package_manager[]=pacman" + LogText "Test: Querying 'pacman -Q' to get package list" Display --indent 6 --text "- Querying pacman package manager" - logtext "Output:"; logtext "--------" + LogText "Output:"; LogText "--------" SPACKAGES=`${PACMANBINARY} -Q | sort | sed 's/ /,/g'` if [ "${SPACKAGES}" = "" ]; then - logtext "Result: pacman binary available, but package list seems to be empty" - logtext "Info: looks like the pacman binary is installed, but not used for package installation" + LogText "Result: pacman binary available, but package list seems to be empty" + LogText "Info: looks like the pacman binary is installed, but not used for package installation" else for J in ${SPACKAGES}; do N=`expr ${N} + 1` PACKAGE_NAME=`echo ${J} | awk -F, '{ print $1 }'` PACKAGE_VERSION=`echo ${J} | awk -F, '{ print $2 }'` - logtext "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})" + LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})" INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J}" done - report "installed_packages=${N}" + Report "installed_packages=${N}" fi fi # @@ -198,8 +198,8 @@ if [ ! "${FIND}" = "" ]; then FIND=`checkupdates` for I in ${FIND}; do - logtext "Result: update available for ${I}" - report "available_update[]=${I}" + LogText "Result: update available for ${I}" + Report "available_update[]=${I}" FOUND=1 done if [ ${FOUND} -eq 1 ]; then @@ -209,10 +209,10 @@ Display --indent 4 --text "- Searching update status (checkupdates)" --result "UP-TO-DATE" --color GREEN fi else - logtext "Result: skipping this test, can't find checkupdates binary" + LogText "Result: skipping this test, can't find checkupdates binary" fi else - logtext "Result: pacman binary NOT found on this system, test skipped" + LogText "Result: pacman binary NOT found on this system, test skipped" fi # ################################################################################# @@ -225,23 +225,23 @@ if [ ${SKIPTEST} -eq 0 ]; then COUNT=0 # Check configuration options (options start with a capital) - logtext "Test: searching configured options in ${PACMANCONF}" + LogText "Test: searching configured options in ${PACMANCONF}" FIND=`grep "^[A-Z]" ${PACMANCONF} | sort -u | sed 's/ /:space:/g'` for I in ${FIND}; do PMOPTION=`echo ${I} | sed 's/:space:/ /g' | ${AWKBINARY} -F= '{ print $1 }'` PMVALUE=`echo ${I} | sed 's/:space:/ /g' | ${AWKBINARY} -F= '{ print $2 }'` - logtext "Result: found option ${PMOPTION} configured with value ${PMVALUE}" - report "pacman_option[]=${PMOPTION}:${PMVALUE}:" + LogText "Result: found option ${PMOPTION} configured with value ${PMVALUE}" + Report "pacman_option[]=${PMOPTION}:${PMVALUE}:" done # Check software repositories - logtext "Test: checking available repositories" + LogText "Test: checking available repositories" FIND=`grep "^\[.*\]$" ${PACMANCONF} | tr -d '[]'` for I in ${FIND}; do COUNT=`expr ${COUNT} + 1` - report "package_repository[]=${I}" + Report "package_repository[]=${I}" done - logtext "Result: found ${COUNT} repositories" + LogText "Result: found ${COUNT} repositories" fi # ################################################################################# @@ -258,10 +258,10 @@ if [ ! "${FIND}" = "" ]; then for I in ${FIND}; do N=`expr ${N} + 1` - logtext "Installed package: ${I}" + LogText "Installed package: ${I}" INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${J},0," done - report "installed_packages=${N}" + Report "installed_packages=${N}" else # Could not find any installed packages ReportException ${TEST_NO} "No installed packages found with Zypper" @@ -277,19 +277,19 @@ if [ ${SKIPTEST} -eq 0 ]; then FIND=`${ZYPPERBINARY} pchk | grep "(0 security patches)"` if [ ! "${FIND}" = "" ]; then - logtext "Result: No security updates found with Zypper" + LogText "Result: No security updates found with Zypper" Display --indent 2 --text "- Using Zypper to obtain vulnerable packages" --result NONE --color GREEN else Display --indent 2 --text "- Using Zypper to obtain vulnerabilities" --result WARNING --color RED - logtext "Result: Zypper found one or more installed packages which are vulnerable." + LogText "Result: Zypper found one or more installed packages which are vulnerable." ReportWarning ${TEST_NO} "H" "Found one or more vulnerable packages installed" # Unfortunately zypper does not properly give back which package it is. Usually best guess is last word on the line FIND=`${ZYPPERBINARY} lp | ${AWKBINARY} '{ if ($5=="security" || $7=="security") { print $NF }}' | sed 's/:$//' | grep -v "^$" | sort -u` - logtext "List of vulnerable packages/version:" + LogText "List of vulnerable packages/version:" for I in ${FIND}; do VULNERABLE_PACKAGES_FOUND=1 - report "vulnerable_package[]=${I}" - logtext "Vulnerable package: ${I}" + Report "vulnerable_package[]=${I}" + LogText "Vulnerable package: ${I}" # Decrease hardening points for every found vulnerable package AddHP 1 2 done @@ -305,22 +305,22 @@ if [ ${SKIPTEST} -eq 0 ]; then N=0 Display --indent 4 --text "- Searching dpkg package manager" --result FOUND --color GREEN - logtext "Result: Found dpkg binary" - report "package_manager[]=dpkg" - logtext "Test: Querying dpkg -l to get package list" + LogText "Result: Found dpkg binary" + Report "package_manager[]=dpkg" + LogText "Test: Querying dpkg -l to get package list" Display --indent 6 --text "- Querying package manager" - logtext "Output:" + LogText "Output:" SPACKAGES=`dpkg -l 2>/dev/null | grep "^ii" | tr -s ' ' | tr ' ' ',' | sort` for J in ${SPACKAGES}; do N=`expr ${N} + 1` PACKAGE_NAME=`echo ${J} | cut -d ',' -f2` PACKAGE_VERSION=`echo ${J} | cut -d ',' -f3` - logtext "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})" + LogText "Found package: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})" INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}" done - report "installed_packages=${N}" + Report "installed_packages=${N}" else - logtext "Result: dpkg can NOT be found on this system, test skipped" + LogText "Result: dpkg can NOT be found on this system, test skipped" fi # ################################################################################# @@ -332,23 +332,23 @@ Register --test-no PKGS-7346 --preqs-met ${PREQS_MET} --weight L --network NO --description "Search unpurged packages on system" if [ ${SKIPTEST} -eq 0 ]; then N=0 - logtext "Test: Querying dpkg -l to get unpurged packages" + LogText "Test: Querying dpkg -l to get unpurged packages" SPACKAGES=`dpkg -l 2>/dev/null | grep "^rc" | cut -d ' ' -f3 | sort` if [ "${SPACKAGES}" = "" ]; then Display --indent 4 --text "- Query unpurged packages" --result NONE --color GREEN - logtext "Result: no packages found with left overs" + LogText "Result: no packages found with left overs" else Display --indent 4 --text "- Query unpurged packages" --result FOUND --color YELLOW - logtext "Result: found one or more packages with left over configuration files, cron jobs etc" - logtext "Output:" + LogText "Result: found one or more packages with left over configuration files, cron jobs etc" + LogText "Output:" for J in ${SPACKAGES}; do N=`expr ${N} + 1` - logtext "Found unpurged package: ${J}" + LogText "Found unpurged package: ${J}" done ReportSuggestion ${TEST_NO} "Purge old/removed packages (${N} found) with aptitude purge or dpkg --purge command. This will cleanup old configuration files, cron jobs and startup scripts." fi else - logtext "Result: dpkg can NOT be found on this system, test skipped" + LogText "Result: dpkg can NOT be found on this system, test skipped" fi # ################################################################################# @@ -364,10 +364,10 @@ FIND=`/usr/local/sbin/portsclean -n -DD | grep 'Delete' | wc -l | tr -d ' '` if [ ${FIND} -eq 0 ]; then Display --indent 2 --text "- Checking presence old distfiles" --result OK --color GREEN - logtext "Result: no unused distfiles found" + LogText "Result: no unused distfiles found" else Display --indent 2 --text "- Checking presence old distfiles" --result WARNING --color YELLOW - logtext "Result: found ${FIND} unused distfiles" + LogText "Result: found ${FIND} unused distfiles" ReportSuggestion ${TEST_NO} "Unused distfiles found. Use portsclean to delete these files. For example: portsclean -DD." fi fi @@ -381,24 +381,24 @@ Register --test-no "PKGS-7366" --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking for debsecan utility" if [ ${SKIPTEST} -eq 0 ]; then if [ ! "${DEBSECANBINARY}" = "" ]; then - logtext "Result: debsecan utility is installed" + LogText "Result: debsecan utility is installed" Display --indent 4 --text "- debsecan utility" --result "FOUND" --color GREEN AddHP 3 3 PACKAGE_AUDIT_TOOL_FOUND=1 PACKAGE_AUDIT_TOOL="debsecan" FIND=`find /etc/cron* -name debsecan` if [ ! ${FIND} = "" ]; then - logtext "Result: cron job is configured for debsecan" + LogText "Result: cron job is configured for debsecan" Display --indent 6 --text "- debsecan cron job" --result "FOUND" --color GREEN AddHP 3 3 else - logtext "Result: no cron job is configured for debsecan" + LogText "Result: no cron job is configured for debsecan" Display --indent 4 --text "- debsecan cron job" --result "NOT FOUND" --color YELLOW AddHP 1 3 ReportSuggestion ${TEST_NO} "Check debsecan cron job and ensure it is enabled" fi else - logtext "Result: debsecan is not installed." + LogText "Result: debsecan is not installed." Display --indent 4 --text "- debsecan utility" --result "NOT FOUND" --color YELLOW AddHP 0 2 ReportSuggestion ${TEST_NO} "Install debsecan to check for vulnerabilities on installed packages." @@ -414,23 +414,23 @@ Register --test-no "PKGS-7370" --preqs-met ${PREQS_MET} --weight L --network NO --description "Checking for debsums utility" if [ ${SKIPTEST} -eq 0 ]; then if [ ! "${DEBSUMSBINARY}" = "" ]; then - logtext "Result: debsums utility is installed" + LogText "Result: debsums utility is installed" Display --indent 4 --text "- debsums utility" --result "FOUND" --color GREEN AddHP 1 1 # Check in /etc/cron.hourly, daily, weekly, monthly etc COUNT=`find /etc/cron* -name debsums | wc -l` if [ ${COUNT} -gt 0 ]; then - logtext "Result: Cron job is configured for debsums utility." + LogText "Result: Cron job is configured for debsums utility." Display --indent 6 --text "- Cron job for debsums" --result "FOUND" --color GREEN AddHP 3 3 else - logtext "Result: Cron job is not configured for debsums utility." + LogText "Result: Cron job is not configured for debsums utility." Display --indent 6 --text "- Cron job for debsums" --result "NOT FOUND" --color YELLOW AddHP 1 3 ReportSuggestion "${TEST_NO}" "Check debsums configuration and enable checking regurlarly via a cron job." fi else - logtext "Result: debsums utility is not installed." + LogText "Result: debsums utility is not installed." AddHP 0 2 ReportSuggestion ${TEST_NO} "Install debsums utility for the verification of packages with known good database." fi @@ -444,16 +444,16 @@ Register --test-no PKGS-7378 --preqs-met ${PREQS_MET} --weight L --network NO --description "Query portmaster for port upgrades" if [ ${SKIPTEST} -eq 0 ]; then N=0 - logtext "Test: Querying portmaster for possible port upgrades" + LogText "Test: Querying portmaster for possible port upgrades" UPACKAGES=`/usr/local/sbin/portmaster -L | grep "version available" | awk '{ print $5 }'` for J in ${UPACKAGES}; do N=`expr ${N} + 1` - logtext "Upgrade available (new version): ${J}" - report "upgrade_available[]=${J}" + LogText "Upgrade available (new version): ${J}" + Report "upgrade_available[]=${J}" done - report "upgrade_available_count=${N}" + Report "upgrade_available_count=${N}" if [ ${N} -eq 0 ]; then - logtext "Result: no upgrades found" + LogText "Result: no upgrades found" Display --indent 2 --text "- Checking portmaster for updates" --result NONE --color GREEN else Display --indent 2 --text "- Checking portmaster for updates" --result FOUND --color YELLOW @@ -472,18 +472,18 @@ if [ -f /var/db/pkg/pkgs-vulnerabilities ]; then FIND=`/usr/sbin/pkg_admin audit` if [ "${FIND}" = "" ]; then - logtext "Result: pkg audit results are clean" + LogText "Result: pkg audit results are clean" Display --indent 2 --text "- Checking pkg_admin audit to obtain vulnerable packages" --result NONE --color GREEN AddHP 2 2 else Display --indent 2 --text "- Checking pkg_admin audit to obtain vulnerable packages" --result WARNING --color RED - logtext "Result: pkg_admin audit found one or more installed packages which are vulnerable." + LogText "Result: pkg_admin audit found one or more installed packages which are vulnerable." ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages." - logtext "List of vulnerable packages/version:" + LogText "List of vulnerable packages/version:" for I in `/usr/sbin/pkg_admin audit | awk '{ print $2 }' | sort -u`; do VULNERABLE_PACKAGES_FOUND=1 - report "vulnerable_package[]=${I}" - logtext "Vulnerable package: ${I}" + Report "vulnerable_package[]=${I}" + LogText "Vulnerable package: ${I}" # Decrease hardening points for every found vulnerable package AddHP 1 2 done @@ -495,7 +495,7 @@ fi else Display --indent 2 --text "- pkg_admin audit not installed" --result "NOT FOUND" --color WHITE - logtext "Result: pkg_admin audit not installed, skipping this vulnerability test." + LogText "Result: pkg_admin audit not installed, skipping this vulnerability test." fi fi # @@ -511,28 +511,28 @@ PACKAGE_AUDIT_TOOL_FOUND=1 PACKAGE_AUDIT_TOOL="pkg audit" if [ "${FIND}" = "" ]; then - logtext "Result: pkg audit results are clean" + LogText "Result: pkg audit results are clean" Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result NONE --color GREEN else - logtext "Result: ${FIND}" + LogText "Result: ${FIND}" VULNERABLE_PACKAGES_FOUND=1 Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result FOUND --color YELLOW ReportSuggestion ${TEST_NO} "Check output of pkg audit" #Display --indent 2 --text "- Checking pkg audit to obtain vulnerable packages" --result WARNING --color RED - #logtext "Result: pkg audit found one or more installed packages which are vulnerable." + #LogText "Result: pkg audit found one or more installed packages which are vulnerable." #ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages." #ReportSuggestion ${TEST_NO} "Update your system with portupgrade or other tools" - #logtext "List of vulnerable packages/version:" + #LogText "List of vulnerable packages/version:" #for I in `/usr/sbin/pkg audit -F | grep "Affected package" | cut -d ' ' -f3 | sort -u`; do - # report "vulnerable_package[]=${I}" - # logtext "Vulnerable package: ${I}" + # Report "vulnerable_package[]=${I}" + # LogText "Vulnerable package: ${I}" # # Decrease hardening points for every found vulnerable package # AddHP 1 2 #done fi else Display --indent 2 --text "- pkg audit not installed" --result "NOT FOUND" --color WHITE - logtext "Result: pkg audit not installed, skipping this vulnerability test." + LogText "Result: pkg audit not installed, skipping this vulnerability test." fi fi # @@ -547,18 +547,18 @@ PACKAGE_AUDIT_TOOL_FOUND=1 FIND=`/usr/local/sbin/portaudit | grep 'problem(s) in your installed packages found' | grep -v '0 problem(s) in your installed packages found'` if [ "${FIND}" = "" ]; then - logtext "Result: Portaudit results are clean" + LogText "Result: Portaudit results are clean" Display --indent 2 --text "- Checking portaudit to obtain vulnerable packages" --result NONE --color GREEN else Display --indent 2 --text "- Checking portaudit to obtain vulnerabilities" --result WARNING --color RED - logtext "Result: Portaudit found one or more installed packages which are vulnerable." + LogText "Result: Portaudit found one or more installed packages which are vulnerable." ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages." ReportSuggestion ${TEST_NO} "Update your system with portupgrade or other tools" - logtext "List of vulnerable packages/version:" + LogText "List of vulnerable packages/version:" for I in `/usr/local/sbin/portaudit | grep "Affected package" | cut -d ' ' -f3 | sort -u`; do VULNERABLE_PACKAGES_FOUND=1 - report "vulnerable_package[]=${I}" - logtext "Vulnerable package: ${I}" + Report "vulnerable_package[]=${I}" + LogText "Vulnerable package: ${I}" # Decrease hardening points for every found vulnerable package AddHP 1 2 done @@ -572,15 +572,15 @@ if [ ! "${YUMBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PKGS-7383 --preqs-met ${PREQS_MET} --os Linux --weight M --network NO --description "Check for YUM package Update management" if [ ${SKIPTEST} -eq 0 ]; then - logtext "Test: YUM package update management" + LogText "Test: YUM package update management" sFIND=`${YUMBINARY} repolist 2>/dev/null | grep repolist | sed 's/ //g' | sed 's/[,.]//g' | awk -F ":" '{print $2}'` if [ "$(echo ${sFIND} | egrep "^[0-9]+$")" -a "${sFIND}" = "0" ]; then - logtext "Result: YUM package update management failed" + LogText "Result: YUM package update management failed" Display --indent 2 --text "- Checking YUM package management consistency" --result WARNING --color RED ReportWarning ${TEST_NO} "M" "YUM is not properly configured or registered for this platform (no repolist found)" #ReportSuggestion ${TEST_NO} "Check YUM registration for repository configuration (repolist)" else - logtext "Result: YUM repository available (${sFIND})" + LogText "Result: YUM repository available (${sFIND})" Display --indent 2 --text "- Checking YUM package management consistency" --result OK --color GREEN fi fi @@ -593,35 +593,35 @@ Register --test-no PKGS-7384 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --description "Check for YUM utils package" if [ ${SKIPTEST} -eq 0 ]; then if [ -x /usr/bin/package-cleanup ]; then - logtext "Result: found YUM utils package (/usr/bin/package-cleanup)" + LogText "Result: found YUM utils package (/usr/bin/package-cleanup)" # Check for duplicates - logtext "Test: Checking for duplicate packages" + LogText "Test: Checking for duplicate packages" FIND=`/usr/bin/package-cleanup -q --dupes > /dev/null; echo $?` if [ "${FIND}" = "0" ]; then - logtext "Result: No duplicate packages found" + LogText "Result: No duplicate packages found" Display --indent 2 --text "- Checking package database duplicates" --result OK --color GREEN else - logtext "Result: One or more duplicate packages found" + LogText "Result: One or more duplicate packages found" Display --indent 2 --text "- Checking package database duplicates" --result WARNING --color RED ReportWarning ${TEST_NO} "L" "Found one or more duplicate packages installed" ReportSuggestion ${TEST_NO} "Run package-cleanup to solve duplicate package problems" fi # Check for package database problems - logtext "Test: Checking for database problems" + LogText "Test: Checking for database problems" FIND=`/usr/bin/package-cleanup --problems > /dev/null; echo $?` if [ "${FIND}" = "0" ]; then - logtext "Result: No package database problems found" + LogText "Result: No package database problems found" Display --indent 2 --text "- Checking package database for problems" --result OK --color GREEN else - logtext "Result: One or more problems found in package database" + LogText "Result: One or more problems found in package database" Display --indent 2 --text "- Checking package database for problems" --result WARNING --color RED ReportWarning ${TEST_NO} "L" "Found one or more problems in the package database" ReportSuggestion ${TEST_NO} "Run package-cleanup to solve package problems" fi else Display --indent 2 --text "- yum-utils package not installed" --result SUGGESTION --color YELLOW - logtext "Result: YUM utils package not found" + LogText "Result: YUM utils package not found" ReportSuggestion ${TEST_NO} "Install package 'yum-utils' for better consistency checking of the package database" fi fi @@ -638,7 +638,7 @@ Register --test-no PKGS-7386 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --description "Check for YUM security package" if [ ${SKIPTEST} -eq 0 ]; then DO_TEST=0 - logtext "Test: Determining if yum-security package installed" + LogText "Test: Determining if yum-security package installed" # Check for built-in --security option if [ ${DO_TEST} -eq 0 ]; then @@ -647,9 +647,9 @@ SearchItem "\-\-security" "/usr/share/yum-cli/cli.py" if [ ${ITEM_FOUND} -eq 1 ]; then DO_TEST=1 - logtext "Result: found built-in security in yum" + LogText "Result: found built-in security in yum" else - logtext "Result: did not find --security in /usr/share/yum-cli/cli.py" + LogText "Result: did not find --security in /usr/share/yum-cli/cli.py" fi fi fi @@ -660,9 +660,9 @@ SearchItem "^enabled=1$" "/etc/yum/pluginconf.d/security.conf" if [ ${ITEM_FOUND} -eq 1 ]; then DO_TEST=1 - logtext "Result: found enabled plugin" + LogText "Result: found enabled plugin" else - logtext "Result: plugin NOT enabled in /etc/yum/pluginconf.d/security.conf" + LogText "Result: plugin NOT enabled in /etc/yum/pluginconf.d/security.conf" fi fi fi @@ -671,7 +671,7 @@ if [ ${DO_TEST} -eq 0 ]; then FIND=`rpm -q yum-security yum-plugin-security | grep -v "not installed"` if [ ! "${FIND}" = "" ]; then - logtext "Result: found yum-plugin-security package" + LogText "Result: found yum-plugin-security package" DO_TEST=1 fi fi @@ -680,25 +680,25 @@ if [ ${DO_TEST} -eq 1 ]; then PACKAGE_AUDIT_TOOL_FOUND=1 PACKAGE_AUDIT_TOOL="yum-security" - logtext "Test: Checking for vulnerable packages" + LogText "Test: Checking for vulnerable packages" FIND2=`/usr/bin/yum list-sec security | awk '{ if($2=="security" || $2~"Sec") print $3","$5 }'` if [ "${FIND2}" = "" ]; then - logtext "Result: no vulnerable packages found" + LogText "Result: no vulnerable packages found" Display --indent 2 --text "- Checking missing security packages" --result OK --color GREEN else - logtext "Result: found vulnerable package(s)" + LogText "Result: found vulnerable package(s)" Display --indent 2 --text "- Checking missing security packages" --result WARNING --color RED for I in ${FIND2}; do VULNERABLE_PACKAGES_FOUND=1 - report "vulnerable_package[]=${I}" - logtext "Vulnerable package: ${I}" + Report "vulnerable_package[]=${I}" + LogText "Vulnerable package: ${I}" AddHP 1 2 done ReportWarning ${TEST_NO} "M" "Found one or more vulnerable packages." ReportSuggestion ${TEST_NO} "Use 'yum --security update' to update your system" fi else - logtext "Result: yum-security package not found" + LogText "Result: yum-security package not found" Display --indent 2 --text "- Checking missing security packages" --result SKIPPED --color YELLOW ReportSuggestion ${TEST_NO} "Install package yum-plugin-security if possible, to maintain security updates easier (yum install yum-plugin-security)" fi @@ -717,7 +717,7 @@ SearchItem "^gpgenabled=1$" "/etc/yum.conf"; if [ ${ITEM_FOUND} -eq 1 ]; then FOUND=1; fi SearchItem "^gpgcheck=1$" "/etc/yum.conf"; if [ ${ITEM_FOUND} -eq 1 ]; then FOUND=1; fi if [ ${FOUND} -eq 1 ]; then - logtext "Result: GPG check is enabled" + LogText "Result: GPG check is enabled" Display --indent 2 --text "- Checking GPG checks (yum.conf)" --result OK --color GREEN else Display --indent 2 --text "- Checking GPG checks (yum.conf)" --result DISABLED --color RED @@ -736,33 +736,33 @@ FOUND=0 if [ ! "${OPTION_DEBIAN_SKIP_SECURITY_REPOSITORY}" = "yes" ]; then if [ -f /etc/apt/sources.list ]; then - logtext "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list file" + LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list file" FIND=`egrep "security.debian.org|security.ubuntu.com|-security " /etc/apt/sources.list | grep -v '#' | sed 's/ /!space!/g'` if [ ! "${FIND}" = "" ]; then FOUND=1 Display --indent 2 --text "- Checking security repository in sources.list file" --result OK --color GREEN - logtext "Result: Found security repository in /etc/apt/sources.list" + LogText "Result: Found security repository in /etc/apt/sources.list" for I in ${FIND}; do I=`echo ${I} | sed 's/!space!/ /g'` - logtext "Output: ${I}" + LogText "Output: ${I}" done fi fi if [ -d /etc/apt/sources.list.d ]; then - logtext "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list.d directory" + LogText "Searching for security.debian.org/security.ubuntu.com or security repositories in /etc/apt/sources.list.d directory" FIND=`egrep -r "security.debian.org|security.ubuntu.com|-security " /etc/apt/sources.list.d | grep -v '#' | sed 's/ /!space!/g'` if [ ! "${FIND}" = "" ]; then FOUND=1 Display --indent 2 --text "- Checking security repository in sources.list.d directory" --result OK --color GREEN - logtext "Result: Found security repository in one or more files in directory /etc/apt/sources.list.d" + LogText "Result: Found security repository in one or more files in directory /etc/apt/sources.list.d" for I in ${FIND}; do I=`echo ${I} | sed 's/!space!/ /g'` - logtext "Output: ${I}" + LogText "Output: ${I}" done fi fi if [ ${FOUND} -eq 1 ]; then - logtext "Result: security repository was found" + LogText "Result: security repository was found" AddHP 3 3 else Display --indent 2 --text "- Checking security repository in sources.list file or directory" --result WARNING --color RED @@ -770,7 +770,7 @@ AddHP 0 3 fi else - logtext "Skipped as option is set to ignore security repository" + LogText "Skipped as option is set to ignore security repository" fi fi # @@ -781,13 +781,13 @@ if [ "${LINUX_VERSION}" = "Ubuntu" -a -x /usr/bin/apt-get ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PKGS-7390 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --description "Check Ubuntu database consistency" if [ ${SKIPTEST} -eq 0 ]; then - logtext "Test: Package database consistency by running apt-get check" + LogText "Test: Package database consistency by running apt-get check" FIND=`/usr/bin/apt-get -q=2 check 2> /dev/null; echo $?` if [ "${FIND}" = "0" ]; then Display --indent 2 --text "- Checking APT package database" --result OK --color GREEN - logtext "Result: package database seems to be consistent." + LogText "Result: package database seems to be consistent." else - logtext "Result: package database is most likely NOT consistent" + LogText "Result: package database is most likely NOT consistent" Display --indent 2 --text "- Checking APT package database" --result WARNING --color RED ReportWarning ${TEST_NO} "M" "apt-get check returned a non successful exit code." ReportSuggestion ${TEST_NO} "Run apt-get to perform a manual package database consistency check." @@ -804,35 +804,35 @@ VULNERABLE_PACKAGES_FOUND=0 SCAN_PERFORMED=0 # Update the repository, outdated repositories don't give much information - logtext "Action: updating repository with apt-get" + LogText "Action: updating repository with apt-get" /usr/bin/apt-get -q=2 update - logtext "Result: apt-get finished" - logtext "Test: Checking if /usr/lib/update-notifier/apt-check exists" + LogText "Result: apt-get finished" + LogText "Test: Checking if /usr/lib/update-notifier/apt-check exists" if [ -x /usr/lib/update-notifier/apt-check ]; then PACKAGE_AUDIT_TOOL_FOUND=1 PACKAGE_AUDIT_TOOL="apt-check" - logtext "Result: found /usr/lib/update-notifier/apt-check" - logtext "Test: checking if any of the updates contain security updates" + LogText "Result: found /usr/lib/update-notifier/apt-check" + LogText "Test: checking if any of the updates contain security updates" # apt-check binary is a script and translated. Do not search for normal text strings, but use numbered output only FIND=`/usr/lib/update-notifier/apt-check 2>&1 | awk -F\; '{ print $2 }'` # Check if we get the proper line back and amount of security patches available if [ "${FIND}" = "" ]; then - logtext "Result: did not find security updates line" + LogText "Result: did not find security updates line" ReportSuggestion ${TEST_NO} "Check if system is up-to-date, security updates test (apt-check) gives an unexpected result" ReportException "${TEST_NO}:1" "Apt-check did not provide any result" else if [ "${FIND}" = "0" ]; then - logtext "Result: no vulnerable packages found via apt-check" + LogText "Result: no vulnerable packages found via apt-check" SCAN_PERFORMED=1 else VULNERABLE_PACKAGES_FOUND=1 SCAN_PERFORMED=1 - logtext "Result: found ${FIND} security updates via apt-check" + LogText "Result: found ${FIND} security updates via apt-check" AddHP 0 25 fi fi else - logtext "Result: apt-check (update-notifier-common) not found" + LogText "Result: apt-check (update-notifier-common) not found" fi # Trying also with apt-get directly (does not always work, as updates are distributed on both -security and -updates) @@ -841,12 +841,12 @@ if [ ! "${FIND}" = "" ]; then VULNERABLE_PACKAGES_FOUND=1 SCAN_PERFORMED=1 - logtext "Result: found vulnerable package(s) via apt-get (-security channel)" + LogText "Result: found vulnerable package(s) via apt-get (-security channel)" PACKAGE_AUDIT_TOOL="apt-get" PACKAGE_AUDIT_TOOL_FOUND=1 for I in ${FIND}; do - logtext "Found vulnerable package: ${I}" - report "vulnerable_package[]=${I}" + LogText "Found vulnerable package: ${I}" + Report "vulnerable_package[]=${I}" done fi if [ ${SCAN_PERFORMED} -eq 1 ]; then @@ -856,11 +856,11 @@ Display --indent 2 --text "- Checking vulnerable packages" --result WARNING --color RED else Display --indent 2 --text "- Checking vulnerable packages" --result OK --color GREEN - logtext "Result: no vulnerable packages found" + LogText "Result: no vulnerable packages found" fi else Display --indent 2 --text "- Checking vulnerable packages (apt-get only)" --result DONE --color GREEN - logtext "Result: test not fully executed (missing apt-check output)" + LogText "Result: test not fully executed (missing apt-check output)" fi fi # @@ -877,36 +877,36 @@ # Multiple ways to do this. Some require extra packages to be installed, # others require potential firewall ports to be open, outbound. This is the # "most friendly" way. - logtext "Action: updating portage with emerge-webrsync" + LogText "Action: updating portage with emerge-webrsync" /usr/bin/emerge-webrsync --quiet 2> /dev/null - logtext "Result: emerge-webrsync finished" - logtext "Test: checking if /usr/bin/glsa-check exists" + LogText "Result: emerge-webrsync finished" + LogText "Test: checking if /usr/bin/glsa-check exists" if [ -x /usr/bin/glsa-check ]; then PACKAGE_AUDIT_TOOL_FOUND=1 PACKAGE_AUDIT_TOOL="glsa-check" - logtext "Result: found /usr/bin/glsa-check" - logtext "Test: checking if there are any vulnerable packages" + LogText "Result: found /usr/bin/glsa-check" + LogText "Test: checking if there are any vulnerable packages" # glsa-check reports the GLSA date/ID string, not the vulnerable package. FIND=`/usr/bin/glsa-check -t all 2>&1 | grep -v "This system is affected by the following GLSAs:" | grep -v "This system is not affected by any of the listed GLSAs" | wc -l` if [ "${FIND}" = "" ]; then - logtext "Result: unexpected result: wc should report 0 if no vulnerable packages are found." - logtext "Notes: Check if system is up-to-date, security updates check (glsa-check) gives and unexpected result" + LogText "Result: unexpected result: wc should report 0 if no vulnerable packages are found." + LogText "Notes: Check if system is up-to-date, security updates check (glsa-check) gives and unexpected result" ReportException "${TEST_NO}:1" "glsa-check did not provide any result, which is unexpected" else if [ "${FIND}" = "0" ]; then - logtext "Result; no vulnerable packages found via glsa-check" + LogText "Result; no vulnerable packages found via glsa-check" Display --indent 2 --text "- Checking vulnerable packages (glsa-check)" --result OK --color GREEN else VULNERABLE_PACKAGES_FOUND=1 Display --indent 2 --text "- Checking vulnerable packages (glsa-check)" --result FOUND --color RED - logtext "Result: found ${FIND} security updates with glsa-check" + LogText "Result: found ${FIND} security updates with glsa-check" ReportWarning "${TEST_NO}" "H" "Found ${FIND} security update(s) with glsa-check." - logtext "Notes: Run 'glsa-check -t all' to see which GLSA(s) were identified." + LogText "Notes: Run 'glsa-check -t all' to see which GLSA(s) were identified." AddHP 0 25 fi fi else - logtext "Result: glsa-check tool not found" + LogText "Result: glsa-check tool not found" ReportSuggestion ${TEST_NO} "Use Emerge to install the gentoolkit package, which includes glsa-check tool for additional security checks." fi fi @@ -918,26 +918,26 @@ if [ "${LINUX_VERSION}" = "Ubuntu" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi Register --test-no PKGS-7394 --os Linux --preqs-met ${PREQS_MET} --weight L --network YES --description "Check for Ubuntu updates" if [ ${SKIPTEST} -eq 0 ]; then - logtext "Test: checking /usr/bin/apt-show-versions" + LogText "Test: checking /usr/bin/apt-show-versions" if [ -x /usr/bin/apt-show-versions ]; then - logtext "Result: found /usr/bin/apt-show-versions" - logtext "Test: Checking packages which can be upgraded via apt-show-versions" + LogText "Result: found /usr/bin/apt-show-versions" + LogText "Test: Checking packages which can be upgraded via apt-show-versions" FIND=`/usr/bin/apt-show-versions -u | sed 's/ /!space!/g'` if [ "${FIND}" = "" ]; then - logtext "Result: no packages found which can be upgraded" + LogText "Result: no packages found which can be upgraded" Display --indent 2 --text "- Checking upgradeable packages" --result NONE --color GREEN AddHP 3 3 else - logtext "Result: found one or more packages which can be upgraded" + LogText "Result: found one or more packages which can be upgraded" Display --indent 2 --text "- Checking upgradeable packages" --result FOUND --color YELLOW # output: program/repository upgradeable from version X to Y for I in ${FIND}; do I=`echo ${I} | sed 's/!space!/ /g'` - logtext "${I}" + LogText "${I}" done fi else - logtext "Result: /usr/bin/apt-show-versions not found" + LogText "Result: /usr/bin/apt-show-versions not found" Display --indent 2 --text "- Checking upgradeable packages" --result SKIPPED --color WHITE ReportSuggestion ${TEST_NO} "Install package apt-show-versions for patch management purposes" fi @@ -950,15 +950,15 @@ # Description : Check package audit tool Register --test-no PKGS-7398 --weight L --network YES --description "Check for package audit tool" if [ ${SKIPTEST} -eq 0 ]; then - logtext "Test: checking for package audit tool" + LogText "Test: checking for package audit tool" if [ ${PACKAGE_AUDIT_TOOL_FOUND} -eq 0 ]; then Display --indent 2 --text "- Checking package audit tool" --result NONE --color RED ReportSuggestion ${TEST_NO} "Install a package audit tool to determine vulnerable packages" - logtext "Result: no package audit tool found" + LogText "Result: no package audit tool found" else Display --indent 2 --text "- Checking package audit tool" --result INSTALLED --color GREEN Display --indent 4 --text "Found: ${PACKAGE_AUDIT_TOOL}" - logtext "Result: found package audit tool: ${PACKAGE_AUDIT_TOOL}" + LogText "Result: found package audit tool: ${PACKAGE_AUDIT_TOOL}" fi fi # @@ -980,17 +980,17 @@ if [ ${SKIPTEST} -eq 0 ]; then KERNELS=0 if [ ! "${RPMBINARY}" = "" ]; then - logtext "Test: Checking how many kernel packages are installed" + LogText "Test: Checking how many kernel packages are installed" KERNELS=`rpm -q kernel 2> /dev/null | wc -l` if [ ${KERNELS} -eq 0 ]; then - logtext "Result: found no kernels from rpm -q kernel output, which is unexpected" + LogText "Result: found no kernels from rpm -q kernel output, which is unexpected" ReportException "KRNL-5840:1" "Could not find any kernel packages from RPM output" elif [ ${KERNELS} -gt 5 ]; then - logtext "Result: found more than 5 kernel packages on the system, which might indicate lack of regular cleanups" + LogText "Result: found more than 5 kernel packages on the system, which might indicate lack of regular cleanups" ReportSuggestion "${TEST_NO}" "Remove any unneeded kernel packages with package-cleanup utility (--old-kernels)" AddHP 4 5 else - logtext "Result: found ${KERNELS} on the system, which is fine" + LogText "Result: found ${KERNELS} on the system, which is fine" AddHP 1 1 fi fi @@ -1000,16 +1000,16 @@ # if [ ! "${INSTALLED_PACKAGES}" = "" ]; then - report "installed_packages_array=${INSTALLED_PACKAGES}" + Report "installed_packages_array=${INSTALLED_PACKAGES}" fi -report "package_audit_tool=${PACKAGE_AUDIT_TOOL}" -report "package_audit_tool_found=${PACKAGE_AUDIT_TOOL_FOUND}" -report "vulnerable_packages_found=${VULNERABLE_PACKAGES_FOUND}" +Report "package_audit_tool=${PACKAGE_AUDIT_TOOL}" +Report "package_audit_tool_found=${PACKAGE_AUDIT_TOOL_FOUND}" +Report "vulnerable_packages_found=${VULNERABLE_PACKAGES_FOUND}" wait_for_keypress # #================================================================================ -# Lynis - Copyright 2007-2015, Michael Boelen, CISOfy - https://cisofy.com +# Lynis - Copyright 2007-2016, Michael Boelen, CISOfy - https://cisofy.com |