Diffstat (limited to 'include')
-rw-r--r--include/osdetection5
-rw-r--r--include/tests_authentication2
-rw-r--r--include/tests_boot_services3
-rw-r--r--include/tests_filesystems15
-rw-r--r--include/tests_kernel120
-rw-r--r--include/tests_malware18
-rw-r--r--include/tests_networking4
-rw-r--r--include/tests_ports_packages2
-rw-r--r--include/tests_ssh2
9 files changed, 105 insertions, 66 deletions
diff --git a/include/osdetection b/include/osdetection
index a4d3aa41..c91c69ec 100644
--- a/include/osdetection
+++ b/include/osdetection
@@ -244,6 +244,11 @@
OS_NAME="Flatcar Linux"
OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"')
;;
+ "funtoo")
+ LINUX_VERSION="Funtoo"
+ OS_FULLNAME="Funtoo Linux"
+ OS_VERSION="Rolling release"
+ ;;
"garuda")
LINUX_VERSION="Garuda"
OS_FULLNAME="Garuda Linux"
diff --git a/include/tests_authentication b/include/tests_authentication
index 2712aa34..1718f99a 100644
--- a/include/tests_authentication
+++ b/include/tests_authentication
@@ -916,7 +916,7 @@
LogText "Result: found one or more accounts without password"
for I in ${FIND2}; do
LogText "Account without password: ${I}"
- Report "account_without_password=${I}"
+ Report "account_without_password[]=${I}"
done
Display --indent 2 --text "- Accounts without password" --result "${STATUS_WARNING}" --color RED
ReportWarning "${TEST_NO}" "Found accounts without password"
diff --git a/include/tests_boot_services b/include/tests_boot_services
index 42efc80d..4a5fb3df 100644
--- a/include/tests_boot_services
+++ b/include/tests_boot_services
@@ -112,6 +112,9 @@
runit)
SERVICE_MANAGER="runit"
;;
+ openrc-init)
+ SERVICE_MANAGER="openrc"
+ ;;
*)
CONTAINS_SYSTEMD=$(echo ${SHORTNAME} | ${GREPBINARY} "systemd")
if [ -n "${CONTAINS_SYSTEMD}" ]; then
diff --git a/include/tests_filesystems b/include/tests_filesystems
index ce93b018..480ba40a 100644
--- a/include/tests_filesystems
+++ b/include/tests_filesystems
@@ -619,7 +619,6 @@
Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "${STATUS_PARTIALLY_HARDENED}" --color YELLOW
AddHP 4 5
else
- # if
if ContainsString "defaults" "${FOUND_FLAGS}"; then
LogText "Result: marked ${FILESYSTEM} options as default (not hardened)"
Display --indent 2 --text "- Mount options of ${FILESYSTEM}" --result "${STATUS_DEFAULT}" --color YELLOW
@@ -838,13 +837,13 @@
fi
FIND=$(${LSBINARY} ${ROOTDIR}etc/modprobe.d/* 2> /dev/null)
if [ -n "${FIND}" ]; then
- FIND1=$(${EGREPBINARY} "blacklist ${FS}" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
- FIND2=$(${EGREPBINARY} "install ${FS} /bin/true" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
- if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then
- Display --indent 4 --text "- Module $FS is blacklisted" --result "OK" --color GREEN
- LogText "Result: module ${FS} is blacklisted"
- fi
- fi
+ FIND1=$(${EGREPBINARY} "^blacklist \+${FS}$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
+ FIND2=$(${EGREPBINARY} "^install \+${FS} \+/bin/true$" ${ROOTDIR}etc/modprobe.d/* | ${GREPBINARY} -v "#")
+ if [ -n "${FIND1}" ] || [ -n "${FIND2}" ]; then
+ Display --indent 4 --text "- Module $FS is blacklisted" --result "OK" --color GREEN
+ LogText "Result: module ${FS} is blacklisted"
+ fi
+ fi
done
if [ ${FOUND} -eq 1 ]; then
Display --indent 4 --text "- Discovered kernel modules: ${AVAILABLE_MODPROBE_FS}"
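Review bot: The tightened patterns `^blacklist \+${FS}$` and `^install \+${FS} \+/bin/true$` depend on `\+`, which is a GNU extension; in POSIX ERE `\+` is undefined and non-GNU egrep builds (BSD, busybox) may treat it as a literal plus, so on those systems the check would silently stop recognising a module that is in fact blacklisted, and a space-only separator also misses tab-separated entries, which modprobe appears to accept. A portable form is `^blacklist[[:space:]]+${FS}[[:space:]]*$` and `^install[[:space:]]+${FS}[[:space:]]+/bin/true[[:space:]]*$` (the trailing class also tolerates whitespace before the newline, which the bare `$` now rejects). The same `\+` form is introduced in both tests_networking hunks (modprobe.conf and modprobe.d); those use `${GREPBINARY}` in basic-regex mode, where the portable equivalent is `[[:space:]][[:space:]]*` or adding `-E` with the class above. `${FS}` is still interpolated into the regex unescaped, which is fine for module names but deserves a one-line comment. The enclosing `for` loop over file systems starts outside this hunk.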
diff --git a/include/tests_kernel b/include/tests_kernel
index 610fd325..c1977985 100644
--- a/include/tests_kernel
+++ b/include/tests_kernel
@@ -368,14 +368,14 @@
#
# Test : KRNL-5788
# Description : Checking availability new kernel
- if [ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION}" = "Ubuntu" ] ||
- [ "${LINUX_VERSION_LIKE}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" = "Ubuntu" ]; then
+ if [ "${LINUX_VERSION}" = "Debian" ] || [ "${LINUX_VERSION}" = "Ubuntu" ] || [ "${LINUX_VERSION_LIKE}" = "Debian" ] || [ "${LINUX_VERSION_LIKE}" = "Ubuntu" ]; then
PREQS_MET="YES"
else
PREQS_MET="NO"
fi
Register --test-no KRNL-5788 --os Linux --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Checking availability new Linux kernel"
if [ ${SKIPTEST} -eq 0 ]; then
+ FINDKERNEL=""
HAS_VMLINUZ=0
LogText "Test: Searching apt-cache, to determine if a newer kernel is available"
if [ -x ${ROOTDIR}usr/bin/apt-cache ]; then
@@ -384,62 +384,69 @@
if [ -f ${ROOTDIR}vmlinuz -o -f ${ROOTDIR}boot/vmlinuz ]; then
HAS_VMLINUZ=1
if [ -f ${ROOTDIR}vmlinuz ]; then
- FINDVMLINUZ=${ROOTDIR}vmlinuz
+ FINDVMLINUZ="${ROOTDIR}vmlinuz"
else
- FINDVMLINUZ=${ROOTDIR}boot/vmlinuz
+ FINDVMLINUZ="${ROOTDIR}boot/vmlinuz"
fi
LogText "Result: found ${FINDVMLINUZ}"
LogText "Test: checking readlink location of ${FINDVMLINUZ}"
FINDKERNFILE=$(readlink -f ${FINDVMLINUZ})
LogText "Output: readlink reported file ${FINDKERNFILE}"
- LogText "Test: checking package from dpkg -S"
+ LogText "Test: checking relevant package using output from dpkg -S"
FINDKERNEL=$(dpkg -S ${FINDKERNFILE} 2> /dev/null | ${AWKBINARY} -F : '{print $1}')
LogText "Output: dpkg -S reported package ${FINDKERNEL}"
elif [ -e ${ROOTDIR}dev/grsec ]; then
- FINDKERNEL=linux-image-$(uname -r)
+ FINDKERNEL="linux-image-$(uname -r)"
LogText "Result: ${ROOTDIR}vmlinuz missing due to grsecurity; assuming ${FINDKERNEL}"
elif [ -e ${ROOTDIR}etc/rpi-issue ]; then
- FINDKERNEL=raspberrypi-kernel
+ FINDKERNEL="raspberrypi-kernel"
LogText "Result: ${ROOTDIR}vmlinuz missing due to Raspbian"
- elif `${EGREPBINARY} -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf`; then
- FINDKERNEL=linux-image-$(uname -r)
+ elif $(${EGREPBINARY} -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf); then
+ FINDKERNEL="linux-image-$(uname -r)"
LogText "Result: ${ROOTDIR}vmlinuz missing due to /etc/kernel-img.conf item do_symlinks = No"
else
- LogText "This system is missing ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz. Unable to check whether kernel is up-to-date."
+ LogText "This system is missing ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz. Unable to check whether kernel is up-to-date."
ReportSuggestion "${TEST_NO}" "Determine why ${ROOTDIR}vmlinuz or ${ROOTDIR}boot/vmlinuz is missing on this Debian/Ubuntu system." "/vmlinuz or /boot/vmlinuz"
fi
- LogText "Test: Using apt-cache policy to determine if there is an update available"
- FINDINST=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ')
- FINDCAND=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Candidate' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ')
- LogText "Kernel installed: ${FINDINST}"
- LogText "Kernel candidate: ${FINDCAND}"
- if IsEmpty "${FINDINST}"; then
- Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_UNKNOWN}" --color YELLOW
- LogText "Result: Exception occurred, no output from apt-cache policy"
- if [ ${HAS_VMLINUZ} -eq 1 ]; then
- ReportException "${TEST_NO}:01"
- ReportSuggestion "${TEST_NO}" "Check the output of apt-cache policy to determine why its output is empty"
- fi
- LogText "Result: apt-cache policy did not return an installed kernel version"
+
+ if IsEmpty "${FINDKERNEL}"; then
+ LogText "Result: could not check kernel update status as kernel is unknown"
else
- if [ "${FINDINST}" = "${FINDCAND}" ]; then
- if [ -e /dev/grsec ]; then
- Display --indent 2 --text "- Checking for available kernel update" --result GRSEC --color GREEN
- LogText "Result: Grsecurity is installed; unable to determine if there's a newer kernel available"
- ReportManual "Manually check to confirm you're using a recent kernel and grsecurity patch"
- else
- Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_OK}" --color GREEN
- LogText "Result: no kernel update available"
+ LogText "Result: found kernel '${FINDKERNEL}' which will be used for further testing"
+ LogText "Test: Using apt-cache policy to determine if there is an update available"
+ FINDINSTALLED=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Installed' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ')
+ FINDCANDIDATE=$(apt-cache policy ${FINDKERNEL} | ${EGREPBINARY} 'Candidate' | ${CUTBINARY} -d ':' -f2 | ${TRBINARY} -d ' ')
+ LogText "Kernel installed: ${FINDINSTALLED}"
+ LogText "Kernel candidate: ${FINDCANDIDATE}"
+ if IsEmpty "${FINDINSTALLED}"; then
+ Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_UNKNOWN}" --color YELLOW
+ LogText "Result: Exception occurred, no output from apt-cache policy"
+ if [ ${HAS_VMLINUZ} -eq 1 ]; then
+ ReportException "${TEST_NO}:01" "Found vmlinuz (${FINDVMLINUZ}) but could not determine the installed kernel using apt-cache policy"
+ ReportSuggestion "${TEST_NO}" "Check the output of apt-cache policy to determine why its output is empty"
fi
+ LogText "Result: apt-cache policy did not return an installed kernel version"
else
- Display --indent 2 --text "- Checking for available kernel update" --result "UPDATE AVAILABLE" --color YELLOW
- LogText "Result: kernel update available according 'apt-cache policy'."
- ReportSuggestion "${TEST_NO}" "Determine priority for available kernel update"
+ if [ "${FINDINSTALLED}" = "${FINDCANDIDATE}" ]; then
+ if [ -e /dev/grsec ]; then
+ Display --indent 2 --text "- Checking for available kernel update" --result GRSEC --color GREEN
+ LogText "Result: Grsecurity is installed; unable to determine if there's a newer kernel available"
+ ReportManual "Manually check to confirm you're using a recent kernel and grsecurity patch"
+ else
+ Display --indent 2 --text "- Checking for available kernel update" --result "${STATUS_OK}" --color GREEN
+ LogText "Result: no kernel update available"
+ fi
+ else
+ Display --indent 2 --text "- Checking for available kernel update" --result "UPDATE AVAILABLE" --color YELLOW
+ LogText "Result: kernel update available according 'apt-cache policy'."
+ ReportSuggestion "${TEST_NO}" "Determine priority for available kernel update"
+ fi
fi
fi
else
- LogText "Result: could NOT find /usr/bin/apt-cache, skipped other tests."
+ LogText "Result: could NOT find ${ROOTDIR}usr/bin/apt-cache, skipped other tests."
fi
+ unset FINDCANDIDATE FINDINSTALLED FINDKERNEL HAS_VMLINUZ
fi
#
#################################################################################
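Review bot: `elif $(${EGREPBINARY} -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf); then` swaps the backticks for `$(...)` but still executes the grep's (empty) output as the condition instead of the grep itself; it only works because an empty expansion inherits the substitution's exit status, and ShellCheck reports it (SC2091). Run the command directly and silence the error for a missing file, since this branch has no `-e`/`-f` guard like the ones above it: `elif ${EGREPBINARY} -q 'do_symlinks.*=.*No' ${ROOTDIR}etc/kernel-img.conf 2> /dev/null; then`. Separately, `apt-cache policy ${FINDKERNEL}` is invoked twice to fill FINDINSTALLED and FINDCANDIDATE; capturing its output once into a variable and grepping that twice avoids the second package-database read and any mismatch between the two runs. The grsec check deeper in the hunk tests a bare `/dev/grsec` while the earlier branch uses `${ROOTDIR}dev/grsec`, and the final `unset` drops FINDKERNFILE and FINDVMLINUZ. The KRNL-5788 test body opens in the previous hunk.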
@@ -615,25 +622,29 @@
Register --test-no KRNL-5830 --os Linux --weight L --network NO --category security --description "Checking if system is running on the latest installed kernel"
if [ ${SKIPTEST} -eq 0 ]; then
REBOOT_NEEDED=2
- FILE="${ROOTDIR}var/run/reboot-required.pkgs"
- LogText "Test: Checking presence ${FILE}"
- if [ -f ${FILE} ]; then
- LogText "Result: file ${FILE} exists"
- FIND=$(${WCBINARY} -l < ${FILE})
- if [ "${FIND}" = "0" ]; then
- LogText "Result: No reboot needed (file empty)"
- REBOOT_NEEDED=0
+ for FILE in "${ROOTDIR}var/run/reboot-required.pkgs" "${ROOTDIR}var/run/needs_restarting"
+ do
+ LogText "Test: Checking presence ${FILE}"
+ if [ -f ${FILE} ]; then
+ LogText "Result: file ${FILE} exists"
+ FIND=$(${WCBINARY} -l < ${FILE})
+ if [ "${FIND}" = "0" ]; then
+ LogText "Result: No reboot needed (file empty)"
+ REBOOT_NEEDED=0
+ break
+ else
+ PKGSCOUNT=$(${WCBINARY} -l < ${FILE})
+ LogText "Result: reboot is needed, related to ${PKGSCOUNT} packages"
+ for I in ${FIND}; do
+ LogText "Package: ${I}"
+ done
+ REBOOT_NEEDED=1
+ break
+ fi
else
- PKGSCOUNT=$(${WCBINARY} -l < ${FILE})
- LogText "Result: reboot is needed, related to ${PKGSCOUNT} packages"
- for I in ${FIND}; do
- LogText "Package: ${I}"
- done
- REBOOT_NEEDED=1
+ LogText "Result: file ${FILE} not found"
fi
- else
- LogText "Result: file ${FILE} not found"
- fi
+ done
# Check if /boot exists
if [ -d "${ROOTDIR}boot" ]; then
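Review bot: Inside the new `for FILE in ...` loop, `FIND=$(${WCBINARY} -l < ${FILE})` holds a line count, yet `for I in ${FIND}; do LogText "Package: ${I}"; done` iterates over it as though it held package names, so the log records the count (e.g. `Package: 3`) rather than the packages, and `PKGSCOUNT` recomputes the same `wc -l`. This was carried over from the removed lines rather than introduced here, but the refactor is the natural place to fix it: keep `FIND` as the count and read the names with `while IFS= read -r I; do LogText "Package: ${I}"; done < "${FILE}"`, dropping the duplicate `PKGSCOUNT` assignment. The `needs_restarting` path is new and its format is not shown here; if it is not one package per line the same loop would mislabel its contents, so a short comment on the expected layout would help. The KRNL-5830 test body continues past the end of the hunk.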
@@ -663,7 +674,10 @@
ReportException "${TEST_NO}:1" "Can't determine kernel version on disk, need debug data"
fi
elif [ -f ${ROOTDIR}boot/vmlinuz-linux ] || [ -f ${ROOTDIR}boot/vmlinuz-linux-lts ] || [ -f "$(${LSBINARY} -t ${ROOTDIR}boot/vm[l0-9]* 2> /dev/null | ${HEADBINARY} -1)" ]; then
- if [ -f ${ROOTDIR}boot/vmlinuz-linux ]; then
+ if [ -f ${ROOTDIR}boot/vmlinuz ]; then
+ LogText "Result: found ${ROOTDIR}boot/vmlinuz"
+ FOUND_VMLINUZ=${ROOTDIR}boot/vmlinuz
+ elif [ -f ${ROOTDIR}boot/vmlinuz-linux ]; then
LogText "Result: found ${ROOTDIR}boot/vmlinuz-linux"
FOUND_VMLINUZ=${ROOTDIR}boot/vmlinuz-linux
elif [ -f ${ROOTDIR}boot/vmlinuz-linux-lts ]; then
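Review bot: The new `if [ -f ${ROOTDIR}boot/vmlinuz ]` branch is only entered when the enclosing `elif` on the line above it succeeds, and that guard still lists only vmlinuz-linux, vmlinuz-linux-lts and the `ls -t ${ROOTDIR}boot/vm[l0-9]*` fallback, so a plain `vmlinuz` is reached through the glob-and-`ls` path rather than an explicit test. Prefixing that guard with `[ -f ${ROOTDIR}boot/vmlinuz ] ||` makes the precondition of the new branch explicit and stops it from depending on `ls` output (which is also unquoted and parsed, the usual SC2012 concern). The surrounding if/elif chain continues beyond the hunk on both sides.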
diff --git a/include/tests_malware b/include/tests_malware
index cb13ca96..40336fa5 100644
--- a/include/tests_malware
+++ b/include/tests_malware
@@ -46,6 +46,24 @@
#
#################################################################################
#
+ # Test : MALW-3274
+ # Description : Check for installed tool (McAfee VirusScan for Command Line)
+ Register --test-no MALW-3274 --weight L --network NO --category security --description "Check for McAfee VirusScan Command Line"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ LogText "Test: checking presence McAfee VirusScan for Command Line"
+ if [ -x /usr/local/uvscan/uvscan ]; then
+ Display --indent 2 --text "- ${GEN_CHECKING} McAfee VirusScan for Command Line" --result "${STATUS_FOUND}" --color GREEN
+ LogText "Result: Found ${MCAFEECLBINARY}"
+ MALWARE_SCANNER_INSTALLED=1
+ AddHP 2 2
+ Report "malware_scanner[]=mcafeecl"
+ else
+ LogText "Result: McAfee VirusScan for Command Line not found"
+ fi
+ fi
+#
+#################################################################################
+#
# Test : MALW-3275
# Description : Check for installed tool (chkrootkit)
Register --test-no MALW-3275 --weight L --network NO --category security --description "Check for chkrootkit"
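Review bot: The new MALW-3274 test checks the hard-coded path `/usr/local/uvscan/uvscan` on the `if [ -x ... ]` line but then logs `${MCAFEECLBINARY}`, a variable this test never sets or verifies, so the log entry may be empty or stale unless it is populated elsewhere. Check and log should refer to the same thing: either `if [ -x "${MCAFEECLBINARY}" ]; then` when that variable comes from the binaries lookup, or `LogText "Result: Found /usr/local/uvscan/uvscan"` when the literal path is intended. The path is also tested without `${ROOTDIR}`, unlike the other file checks in this changeset, so the test ignores an alternate root. The neighbouring MALW-3275 test that follows the hunk is unchanged.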
diff --git a/include/tests_networking b/include/tests_networking
index c615e6d0..7faf7125 100644
--- a/include/tests_networking
+++ b/include/tests_networking
@@ -750,7 +750,7 @@
UNCOMMON_PROTOCOL_DISABLED=0
# First check modprobe.conf
if [ -f ${ROOTDIR}etc/modprobe.conf ]; then
- DATA=$(${GREPBINARY} "^install ${P} /bin/true" ${ROOTDIR}etc/modprobe.conf)
+ DATA=$(${GREPBINARY} "^install \+${P} \+/bin/true$" ${ROOTDIR}etc/modprobe.conf)
if [ -n "${DATA}" ]; then
LogText "Result: found ${P} module disabled via modprobe.conf"
UNCOMMON_PROTOCOL_DISABLED=1
@@ -759,7 +759,7 @@
# Then additional modprobe configuration files
if [ -d ${ROOTDIR}etc/modprobe.d ]; then
# Return file names (-l) and suppress errors (-s)
- DATA=$(${GREPBINARY} -l -s "^install ${P} /bin/true" ${ROOTDIR}etc/modprobe.d/*)
+ DATA=$(${GREPBINARY} -l -s "^install \+${P} \+/bin/true$" ${ROOTDIR}etc/modprobe.d/*)
if [ -n "${DATA}" ]; then
UNCOMMON_PROTOCOL_DISABLED=1
for F in ${DATA}; do
diff --git a/include/tests_ports_packages b/include/tests_ports_packages
index 2f0b98da..e757bd0a 100644
--- a/include/tests_ports_packages
+++ b/include/tests_ports_packages
@@ -296,7 +296,7 @@
#
# Test : PKGS-7320
# Description : Check available of arch-audit
- if [ "${OS_FULLNAME}" = "Arch Linux" ] || [ "${OS_FULLNAME}" = "Arch Linux 32" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="Test only applies to Arch Linux"; fi
+ if [ "${OS_FULLNAME}" = "Arch Linux" ] || [ "${OS_FULLNAME}" = "Arch Linux 32" ] || [ "${OS_FULLNAME}" = "Garuda Linux" ]; then PREQS_MET="YES"; SKIPREASON=""; else PREQS_MET="NO"; SKIPREASON="Test only applies to Arch Linux and Garuda Linux"; fi
Register --test-no PKGS-7320 --os "Linux" --preqs-met ${PREQS_MET} --skip-reason "${SKIPREASON}" --weight L --network NO --category security --description "Checking for arch-audit tooling"
if [ ${SKIPTEST} -eq 0 ]; then
if [ -z "${ARCH_AUDIT_BINARY}" ]; then
diff --git a/include/tests_ssh b/include/tests_ssh
index 7f31c348..de3209ee 100644
--- a/include/tests_ssh
+++ b/include/tests_ssh
@@ -74,7 +74,7 @@
LogText "Result: ${I}/sshd_config exists"
if [ ${FOUND} -eq 1 ]; then
ReportException "${TEST_NO}:01"
- LogText "Result: we already had found another sshd_config file. Using this new file then."
+ LogText "Result: we already found another sshd_config file. Using this new file instead of the previous one."
fi
FileIsReadable ${I}/sshd_config
if [ ${CANREAD} -eq 1 ]; then